authorcy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
committercy <cy@FreeBSD.org>2013-07-19 05:41:57 +0000
commit672af8808c0e7c15f330b401482f9271c2eb3fa6 (patch)
tree225b5acf68c01bc6a260b386c2b2dbf4fa2839e3 /contrib/ipfilter
parent71e82d94e82560b20789833f60056506de34de8b (diff)
As per the developers handbook (5.3.1 step 1), prepare the vendor trees for
import of new ipfilter vendor sources by flattening them. To keep the tags
consistent with dist, the tags are also flattened.

Approved by: glebius (Mentor)
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/.cvsignore28
-rw-r--r--contrib/ipfilter/BNF81
-rw-r--r--contrib/ipfilter/BSD/.cvsignore22
-rw-r--r--contrib/ipfilter/BSD/Makefile540
-rw-r--r--contrib/ipfilter/BSD/Makefile.ipsend108
-rwxr-xr-xcontrib/ipfilter/BSD/ipfadm-rcd350
-rw-r--r--contrib/ipfilter/BSD/kupgrade264
-rwxr-xr-xcontrib/ipfilter/BSD/make-devices30
-rw-r--r--contrib/ipfilter/BugReport12
-rw-r--r--contrib/ipfilter/COMPILE.2.511
-rw-r--r--contrib/ipfilter/COMPILE.Solaris219
-rw-r--r--contrib/ipfilter/FAQ.FreeBSD104
-rw-r--r--contrib/ipfilter/FWTK/FWTK.sed0
-rw-r--r--contrib/ipfilter/FWTK/Index3
-rw-r--r--contrib/ipfilter/FWTK/README18
-rw-r--r--contrib/ipfilter/FWTK/README.ipfilter20
-rw-r--r--contrib/ipfilter/FWTK/ftp-gw.diff232
-rw-r--r--contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt707
-rw-r--r--contrib/ipfilter/FWTK/fwtk_transparent.diff1025
-rw-r--r--contrib/ipfilter/FWTK/fwtkp812
-rw-r--r--contrib/ipfilter/FWTK/tproxy.diff82
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/files.diffs24
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs24
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs16
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs32
-rw-r--r--contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs67
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/kinstall67
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/minstall38
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/unkinstall57
-rwxr-xr-xcontrib/ipfilter/FreeBSD-2.2/unminstall36
-rw-r--r--contrib/ipfilter/FreeBSD-3/INST.FreeBSD-326
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/kinstall52
-rwxr-xr-xcontrib/ipfilter/FreeBSD-3/unkinstall45
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-424
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/ipv6-patch61
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.061
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.163
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.263
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall63
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/unkinstall49
-rw-r--r--contrib/ipfilter/FreeBSD/conf.c.diffs46
-rw-r--r--contrib/ipfilter/FreeBSD/files.diffs23
-rw-r--r--contrib/ipfilter/FreeBSD/files.newconf.diffs23
-rw-r--r--contrib/ipfilter/FreeBSD/files.oldconf.diffs23
-rw-r--r--contrib/ipfilter/FreeBSD/filez.diffs23
-rw-r--r--contrib/ipfilter/FreeBSD/in_proto.c.diffs16
-rw-r--r--contrib/ipfilter/FreeBSD/ip_input.c.diffs88
-rw-r--r--contrib/ipfilter/FreeBSD/ip_output.c.diffs36
-rwxr-xr-xcontrib/ipfilter/FreeBSD/kinstall72
-rwxr-xr-xcontrib/ipfilter/FreeBSD/minstall51
-rwxr-xr-xcontrib/ipfilter/FreeBSD/unkinstall58
-rwxr-xr-xcontrib/ipfilter/FreeBSD/unminstall49
-rw-r--r--contrib/ipfilter/HISTORY2307
-rw-r--r--contrib/ipfilter/IMPORTANT11
-rw-r--r--contrib/ipfilter/INST.FreeBSD-2.260
-rw-r--r--contrib/ipfilter/INSTALL.BSDOS35
-rw-r--r--contrib/ipfilter/INSTALL.BSDOS344
-rw-r--r--contrib/ipfilter/INSTALL.FreeBSD56
-rw-r--r--contrib/ipfilter/INSTALL.IRIX108
-rw-r--r--contrib/ipfilter/INSTALL.Linux50
-rw-r--r--contrib/ipfilter/INSTALL.NetBSD59
-rw-r--r--contrib/ipfilter/INSTALL.Sol228
-rw-r--r--contrib/ipfilter/INSTALL.SunOS40
-rw-r--r--contrib/ipfilter/INSTALL.xBSD44
-rw-r--r--contrib/ipfilter/IPF.KANJI465
-rw-r--r--contrib/ipfilter/IPFILTER.LICENCE29
-rw-r--r--contrib/ipfilter/LICENCE16
-rw-r--r--contrib/ipfilter/Makefile409
-rw-r--r--contrib/ipfilter/NAT.FreeBSD104
-rw-r--r--contrib/ipfilter/QNX_OCL.txt275
-rw-r--r--contrib/ipfilter/README101
-rw-r--r--contrib/ipfilter/STYLE.TXT57
-rw-r--r--contrib/ipfilter/UPGRADE_NOTICE10
-rw-r--r--contrib/ipfilter/WhatsNew40.txt90
-rw-r--r--contrib/ipfilter/Y2K3
-rw-r--r--contrib/ipfilter/bpf-ipf.h450
-rw-r--r--contrib/ipfilter/bpf.h450
-rw-r--r--contrib/ipfilter/bpf_filter.c593
-rwxr-xr-xcontrib/ipfilter/bsdinstall88
-rwxr-xr-xcontrib/ipfilter/buildlinux16
-rwxr-xr-xcontrib/ipfilter/buildsunos168
-rw-r--r--contrib/ipfilter/common.c610
-rw-r--r--contrib/ipfilter/etc/etc.sed2
-rw-r--r--contrib/ipfilter/etc/protocols104
-rw-r--r--contrib/ipfilter/etc/services2536
-rw-r--r--contrib/ipfilter/facpri.c151
-rw-r--r--contrib/ipfilter/facpri.h40
-rw-r--r--contrib/ipfilter/fil.c6209
-rw-r--r--contrib/ipfilter/fils.c1536
-rw-r--r--contrib/ipfilter/inet_addr.c199
-rw-r--r--contrib/ipfilter/ip_auth.c804
-rw-r--r--contrib/ipfilter/ip_auth.h66
-rw-r--r--contrib/ipfilter/ip_compat.h2295
-rw-r--r--contrib/ipfilter/ip_fil.c801
-rw-r--r--contrib/ipfilter/ip_fil.h1368
-rw-r--r--contrib/ipfilter/ip_fil_freebsd.c1692
-rw-r--r--contrib/ipfilter/ip_frag.c858
-rw-r--r--contrib/ipfilter/ip_frag.h86
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c1454
-rw-r--r--contrib/ipfilter/ip_h323_pxy.c296
-rw-r--r--contrib/ipfilter/ip_htable.c455
-rw-r--r--contrib/ipfilter/ip_htable.h71
-rw-r--r--contrib/ipfilter/ip_ipsec_pxy.c343
-rw-r--r--contrib/ipfilter/ip_irc_pxy.c435
-rw-r--r--contrib/ipfilter/ip_lfil.c975
-rw-r--r--contrib/ipfilter/ip_log.c674
-rw-r--r--contrib/ipfilter/ip_lookup.c530
-rw-r--r--contrib/ipfilter/ip_lookup.h65
-rw-r--r--contrib/ipfilter/ip_msnrpc_pxy.c328
-rw-r--r--contrib/ipfilter/ip_nat.c4834
-rw-r--r--contrib/ipfilter/ip_nat.h477
-rw-r--r--contrib/ipfilter/ip_netbios_pxy.c122
-rw-r--r--contrib/ipfilter/ip_pool.c786
-rw-r--r--contrib/ipfilter/ip_pool.h87
-rw-r--r--contrib/ipfilter/ip_pptp_pxy.c527
-rw-r--r--contrib/ipfilter/ip_proxy.c854
-rw-r--r--contrib/ipfilter/ip_proxy.h453
-rw-r--r--contrib/ipfilter/ip_raudio_pxy.c338
-rw-r--r--contrib/ipfilter/ip_rcmd_pxy.c236
-rw-r--r--contrib/ipfilter/ip_rpcb_pxy.c1460
-rw-r--r--contrib/ipfilter/ip_scan.c594
-rw-r--r--contrib/ipfilter/ip_scan.h108
-rw-r--r--contrib/ipfilter/ip_sfil.c991
-rw-r--r--contrib/ipfilter/ip_state.c3802
-rw-r--r--contrib/ipfilter/ip_state.h261
-rw-r--r--contrib/ipfilter/ip_sync.c1001
-rw-r--r--contrib/ipfilter/ip_sync.h117
-rw-r--r--contrib/ipfilter/ipf.c764
-rw-r--r--contrib/ipfilter/ipf.h297
-rw-r--r--contrib/ipfilter/ipfs.c859
-rw-r--r--contrib/ipfilter/ipft_ef.c155
-rw-r--r--contrib/ipfilter/ipft_hx.c173
-rw-r--r--contrib/ipfilter/ipft_pc.c275
-rw-r--r--contrib/ipfilter/ipft_sn.c219
-rw-r--r--contrib/ipfilter/ipft_td.c193
-rw-r--r--contrib/ipfilter/ipft_tx.c353
-rw-r--r--contrib/ipfilter/ipl.h19
-rw-r--r--contrib/ipfilter/ipl_ldev.c83
-rw-r--r--contrib/ipfilter/iplang/.cvsignore9
-rw-r--r--contrib/ipfilter/iplang/BNF69
-rw-r--r--contrib/ipfilter/iplang/Makefile32
-rw-r--r--contrib/ipfilter/iplang/iplang.h52
-rw-r--r--contrib/ipfilter/iplang/iplang.tst11
-rw-r--r--contrib/ipfilter/iplang/iplang_l.l320
-rw-r--r--contrib/ipfilter/iplang/iplang_y.y1859
-rw-r--r--contrib/ipfilter/ipmon.c1493
-rw-r--r--contrib/ipfilter/ipmon.h95
-rw-r--r--contrib/ipfilter/ipnat.c433
-rw-r--r--contrib/ipfilter/ipsd/Celler/ip_compat.h201
-rw-r--r--contrib/ipfilter/ipsd/Makefile61
-rw-r--r--contrib/ipfilter/ipsd/README32
-rw-r--r--contrib/ipfilter/ipsd/ip_compat.h201
-rw-r--r--contrib/ipfilter/ipsd/ipsd.c294
-rw-r--r--contrib/ipfilter/ipsd/ipsd.h26
-rw-r--r--contrib/ipfilter/ipsd/ipsd.sed0
-rw-r--r--contrib/ipfilter/ipsd/ipsdr.c312
-rw-r--r--contrib/ipfilter/ipsd/linux.h15
-rw-r--r--contrib/ipfilter/ipsd/sbpf.c208
-rw-r--r--contrib/ipfilter/ipsd/sdlpi.c259
-rw-r--r--contrib/ipfilter/ipsd/slinux.c116
-rw-r--r--contrib/ipfilter/ipsd/snit.c226
-rw-r--r--contrib/ipfilter/ipsend/.OLD/ip_compat.h242
-rw-r--r--contrib/ipfilter/ipsend/.cvsignore3
-rw-r--r--contrib/ipfilter/ipsend/44arp.c119
-rw-r--r--contrib/ipfilter/ipsend/Crashable21
-rw-r--r--contrib/ipfilter/ipsend/Makefile183
-rw-r--r--contrib/ipfilter/ipsend/README8
-rw-r--r--contrib/ipfilter/ipsend/arp.c142
-rw-r--r--contrib/ipfilter/ipsend/dlcommon.c1381
-rw-r--r--contrib/ipfilter/ipsend/dltest.h32
-rw-r--r--contrib/ipfilter/ipsend/hpux.c112
-rw-r--r--contrib/ipfilter/ipsend/in_var.h177
-rw-r--r--contrib/ipfilter/ipsend/ip.c367
-rw-r--r--contrib/ipfilter/ipsend/ip_compat.h242
-rw-r--r--contrib/ipfilter/ipsend/ip_var.h123
-rw-r--r--contrib/ipfilter/ipsend/ipresend.1106
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c158
-rw-r--r--contrib/ipfilter/ipsend/ipsend.1109
-rw-r--r--contrib/ipfilter/ipsend/ipsend.5401
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c439
-rw-r--r--contrib/ipfilter/ipsend/ipsend.h69
-rw-r--r--contrib/ipfilter/ipsend/ipsend.sed3
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c198
-rw-r--r--contrib/ipfilter/ipsend/iptest.1101
-rw-r--r--contrib/ipfilter/ipsend/iptest.c216
-rw-r--r--contrib/ipfilter/ipsend/iptests.c1423
-rw-r--r--contrib/ipfilter/ipsend/larp.c91
-rw-r--r--contrib/ipfilter/ipsend/linux.h17
-rw-r--r--contrib/ipfilter/ipsend/lsock.c257
-rw-r--r--contrib/ipfilter/ipsend/resend.c147
-rw-r--r--contrib/ipfilter/ipsend/sbpf.c155
-rw-r--r--contrib/ipfilter/ipsend/sdlpi.c172
-rw-r--r--contrib/ipfilter/ipsend/sirix.c91
-rw-r--r--contrib/ipfilter/ipsend/slinux.c90
-rw-r--r--contrib/ipfilter/ipsend/snit.c158
-rw-r--r--contrib/ipfilter/ipsend/sock.c451
-rw-r--r--contrib/ipfilter/ipsend/sockraw.c87
-rw-r--r--contrib/ipfilter/ipsend/tcpip.h84
-rw-r--r--contrib/ipfilter/ipsend/ultrix.c84
-rw-r--r--contrib/ipfilter/ipt.c551
-rw-r--r--contrib/ipfilter/ipt.h41
-rw-r--r--contrib/ipfilter/kmem.c244
-rw-r--r--contrib/ipfilter/kmem.h32
-rw-r--r--contrib/ipfilter/l4check/Makefile10
-rw-r--r--contrib/ipfilter/l4check/http.check2
-rw-r--r--contrib/ipfilter/l4check/http.ok1
-rw-r--r--contrib/ipfilter/l4check/l4check.c822
-rw-r--r--contrib/ipfilter/l4check/l4check.conf31
-rw-r--r--contrib/ipfilter/lib/Makefile310
-rw-r--r--contrib/ipfilter/lib/addicmp.c19
-rw-r--r--contrib/ipfilter/lib/addipopt.c65
-rw-r--r--contrib/ipfilter/lib/addkeep.c84
-rw-r--r--contrib/ipfilter/lib/alist_free.c20
-rw-r--r--contrib/ipfilter/lib/alist_new.c66
-rw-r--r--contrib/ipfilter/lib/bcopywrap.c18
-rw-r--r--contrib/ipfilter/lib/binprint.c29
-rw-r--r--contrib/ipfilter/lib/buildopts.c42
-rw-r--r--contrib/ipfilter/lib/checkrev.c44
-rw-r--r--contrib/ipfilter/lib/count4bits.c38
-rw-r--r--contrib/ipfilter/lib/count6bits.c27
-rw-r--r--contrib/ipfilter/lib/debug.c35
-rw-r--r--contrib/ipfilter/lib/extras.c112
-rw-r--r--contrib/ipfilter/lib/facpri.c135
-rw-r--r--contrib/ipfilter/lib/facpri.h41
-rw-r--r--contrib/ipfilter/lib/fill6bits.c46
-rw-r--r--contrib/ipfilter/lib/flags.c23
-rw-r--r--contrib/ipfilter/lib/genmask.c54
-rw-r--r--contrib/ipfilter/lib/gethost.c42
-rw-r--r--contrib/ipfilter/lib/getifname.c90
-rw-r--r--contrib/ipfilter/lib/getline.c56
-rw-r--r--contrib/ipfilter/lib/getnattype.c59
-rw-r--r--contrib/ipfilter/lib/getport.c79
-rw-r--r--contrib/ipfilter/lib/getportproto.c38
-rw-r--r--contrib/ipfilter/lib/getproto.c35
-rw-r--r--contrib/ipfilter/lib/getsumd.c21
-rw-r--r--contrib/ipfilter/lib/hexdump.c28
-rw-r--r--contrib/ipfilter/lib/hostmask.c93
-rw-r--r--contrib/ipfilter/lib/hostname.c58
-rw-r--r--contrib/ipfilter/lib/hostnum.c47
-rw-r--r--contrib/ipfilter/lib/icmpcode.c22
-rw-r--r--contrib/ipfilter/lib/inet_addr.c208
-rw-r--r--contrib/ipfilter/lib/initparse.c18
-rw-r--r--contrib/ipfilter/lib/ionames.c38
-rw-r--r--contrib/ipfilter/lib/ipf_dotuning.c70
-rw-r--r--contrib/ipfilter/lib/ipft_ef.c133
-rw-r--r--contrib/ipfilter/lib/ipft_hx.c158
-rw-r--r--contrib/ipfilter/lib/ipft_pc.c267
-rw-r--r--contrib/ipfilter/lib/ipft_sn.c195
-rw-r--r--contrib/ipfilter/lib/ipft_td.c176
-rw-r--r--contrib/ipfilter/lib/ipft_tx.c325
-rw-r--r--contrib/ipfilter/lib/ipoptsec.c56
-rw-r--r--contrib/ipfilter/lib/kmem.c202
-rw-r--r--contrib/ipfilter/lib/kmem.h32
-rw-r--r--contrib/ipfilter/lib/kmemcpywrap.c21
-rw-r--r--contrib/ipfilter/lib/kvatoname.c37
-rw-r--r--contrib/ipfilter/lib/load_file.c88
-rw-r--r--contrib/ipfilter/lib/load_hash.c112
-rw-r--r--contrib/ipfilter/lib/load_hashnode.c59
-rw-r--r--contrib/ipfilter/lib/load_http.c182
-rw-r--r--contrib/ipfilter/lib/load_pool.c70
-rw-r--r--contrib/ipfilter/lib/load_poolnode.c61
-rw-r--r--contrib/ipfilter/lib/load_url.c31
-rw-r--r--contrib/ipfilter/lib/loglevel.c53
-rw-r--r--contrib/ipfilter/lib/make_range.c24
-rw-r--r--contrib/ipfilter/lib/mutex_emul.c86
-rw-r--r--contrib/ipfilter/lib/nametokva.c36
-rw-r--r--contrib/ipfilter/lib/nat_setgroupmap.c32
-rw-r--r--contrib/ipfilter/lib/natparse.c728
-rw-r--r--contrib/ipfilter/lib/ntomask.c44
-rw-r--r--contrib/ipfilter/lib/optname.c63
-rw-r--r--contrib/ipfilter/lib/optprint.c81
-rw-r--r--contrib/ipfilter/lib/optprintv6.c45
-rw-r--r--contrib/ipfilter/lib/optvalue.c32
-rw-r--r--contrib/ipfilter/lib/parse.c752
-rw-r--r--contrib/ipfilter/lib/portname.c40
-rw-r--r--contrib/ipfilter/lib/portnum.c62
-rw-r--r--contrib/ipfilter/lib/ports.c79
-rw-r--r--contrib/ipfilter/lib/print_toif.c30
-rw-r--r--contrib/ipfilter/lib/printactivenat.c85
-rw-r--r--contrib/ipfilter/lib/printaps.c110
-rw-r--r--contrib/ipfilter/lib/printbuf.c30
-rw-r--r--contrib/ipfilter/lib/printfr.c479
-rw-r--r--contrib/ipfilter/lib/printfraginfo.c28
-rw-r--r--contrib/ipfilter/lib/printhash.c56
-rw-r--r--contrib/ipfilter/lib/printhash_live.c77
-rw-r--r--contrib/ipfilter/lib/printhashdata.c112
-rw-r--r--contrib/ipfilter/lib/printhashnode.c51
-rw-r--r--contrib/ipfilter/lib/printhostmap.c20
-rw-r--r--contrib/ipfilter/lib/printhostmask.c44
-rw-r--r--contrib/ipfilter/lib/printifname.c18
-rw-r--r--contrib/ipfilter/lib/printip.c22
-rw-r--r--contrib/ipfilter/lib/printlog.c36
-rw-r--r--contrib/ipfilter/lib/printmask.c28
-rw-r--r--contrib/ipfilter/lib/printnat.c238
-rw-r--r--contrib/ipfilter/lib/printpacket.c89
-rw-r--r--contrib/ipfilter/lib/printpacket6.c49
-rw-r--r--contrib/ipfilter/lib/printpool.c60
-rw-r--r--contrib/ipfilter/lib/printpool_live.c83
-rw-r--r--contrib/ipfilter/lib/printpooldata.c78
-rw-r--r--contrib/ipfilter/lib/printpoolnode.c31
-rw-r--r--contrib/ipfilter/lib/printportcmp.c27
-rw-r--r--contrib/ipfilter/lib/printproto.c51
-rw-r--r--contrib/ipfilter/lib/printsbuf.c30
-rw-r--r--contrib/ipfilter/lib/printstate.c187
-rw-r--r--contrib/ipfilter/lib/printtqtable.c25
-rw-r--r--contrib/ipfilter/lib/printtunable.c27
-rw-r--r--contrib/ipfilter/lib/ratoi.c24
-rw-r--r--contrib/ipfilter/lib/ratoui.c24
-rw-r--r--contrib/ipfilter/lib/remove_hash.c51
-rw-r--r--contrib/ipfilter/lib/remove_hashnode.c56
-rw-r--r--contrib/ipfilter/lib/remove_pool.c48
-rw-r--r--contrib/ipfilter/lib/remove_poolnode.c55
-rw-r--r--contrib/ipfilter/lib/resetlexer.c23
-rw-r--r--contrib/ipfilter/lib/rwlock_emul.c131
-rw-r--r--contrib/ipfilter/lib/tcp_flags.c48
-rw-r--r--contrib/ipfilter/lib/tcpflags.c43
-rw-r--r--contrib/ipfilter/lib/tcpoptnames.c20
-rw-r--r--contrib/ipfilter/lib/to_interface.c29
-rw-r--r--contrib/ipfilter/lib/v6ionames.c26
-rw-r--r--contrib/ipfilter/lib/v6optvalue.c37
-rw-r--r--contrib/ipfilter/lib/var.c177
-rw-r--r--contrib/ipfilter/lib/verbose.c35
-rw-r--r--contrib/ipfilter/linux.h19
-rw-r--r--contrib/ipfilter/man/Makefile28
-rw-r--r--contrib/ipfilter/man/ipf.1109
-rw-r--r--contrib/ipfilter/man/ipf.4255
-rw-r--r--contrib/ipfilter/man/ipf.5556
-rw-r--r--contrib/ipfilter/man/ipf.8171
-rw-r--r--contrib/ipfilter/man/ipfilter.4239
-rw-r--r--contrib/ipfilter/man/ipfilter.4.mandoc267
-rw-r--r--contrib/ipfilter/man/ipfilter.510
-rw-r--r--contrib/ipfilter/man/ipfs.8125
-rw-r--r--contrib/ipfilter/man/ipfstat.8193
-rw-r--r--contrib/ipfilter/man/ipftest.1205
-rw-r--r--contrib/ipfilter/man/ipl.479
-rw-r--r--contrib/ipfilter/man/ipmon.567
-rw-r--r--contrib/ipfilter/man/ipmon.8185
-rw-r--r--contrib/ipfilter/man/ipnat.148
-rw-r--r--contrib/ipfilter/man/ipnat.498
-rw-r--r--contrib/ipfilter/man/ipnat.5293
-rw-r--r--contrib/ipfilter/man/ipnat.869
-rw-r--r--contrib/ipfilter/man/ippool.5153
-rw-r--r--contrib/ipfilter/man/ippool.8124
-rw-r--r--contrib/ipfilter/man/ipscan.550
-rw-r--r--contrib/ipfilter/man/ipscan.842
-rw-r--r--contrib/ipfilter/man/man.sed1
-rw-r--r--contrib/ipfilter/man/mkfilters.112
-rw-r--r--contrib/ipfilter/md5.c312
-rw-r--r--contrib/ipfilter/md5.h70
-rw-r--r--contrib/ipfilter/misc.c207
-rw-r--r--contrib/ipfilter/mkfilters116
-rw-r--r--contrib/ipfilter/ml_ipl.c165
-rw-r--r--contrib/ipfilter/mlf_ipl.c467
-rw-r--r--contrib/ipfilter/mlf_rule.c166
-rw-r--r--contrib/ipfilter/mlfk_ipl.c271
-rw-r--r--contrib/ipfilter/mlfk_rule.c67
-rw-r--r--contrib/ipfilter/mlh_rule.c114
-rw-r--r--contrib/ipfilter/mli_ipl.c596
-rw-r--r--contrib/ipfilter/mln_ipl.c295
-rw-r--r--contrib/ipfilter/mls_ipl.c213
-rw-r--r--contrib/ipfilter/natparse.c902
-rw-r--r--contrib/ipfilter/net/.cvsignore1
-rw-r--r--contrib/ipfilter/opt.c179
-rw-r--r--contrib/ipfilter/opt_inet6.h1
-rw-r--r--contrib/ipfilter/opts.h65
-rw-r--r--contrib/ipfilter/parse.c1510
-rw-r--r--contrib/ipfilter/pcap-ipf.h33
-rw-r--r--contrib/ipfilter/pcap.h34
-rw-r--r--contrib/ipfilter/perl/Ipfanaly.pl639
-rw-r--r--contrib/ipfilter/perl/Isbgraph297
-rw-r--r--contrib/ipfilter/perl/LICENSE6
-rw-r--r--contrib/ipfilter/perl/Services2146
-rw-r--r--contrib/ipfilter/perl/ipf-mrtg.pl22
-rw-r--r--contrib/ipfilter/perl/ipfmeta.pl210
-rw-r--r--contrib/ipfilter/perl/logfilter.pl181
-rw-r--r--contrib/ipfilter/perl/plog1061
-rw-r--r--contrib/ipfilter/printnat.c487
-rw-r--r--contrib/ipfilter/printstate.c151
-rw-r--r--contrib/ipfilter/radix.c1212
-rw-r--r--contrib/ipfilter/radix_ipf.h212
-rw-r--r--contrib/ipfilter/relay.c227
-rw-r--r--contrib/ipfilter/rules/.cvsignore1
-rw-r--r--contrib/ipfilter/rules/BASIC.NAT46
-rw-r--r--contrib/ipfilter/rules/BASIC_1.FW99
-rw-r--r--contrib/ipfilter/rules/BASIC_2.FW72
-rw-r--r--contrib/ipfilter/rules/example.14
-rw-r--r--contrib/ipfilter/rules/example.1012
-rw-r--r--contrib/ipfilter/rules/example.1126
-rw-r--r--contrib/ipfilter/rules/example.1217
-rw-r--r--contrib/ipfilter/rules/example.1317
-rw-r--r--contrib/ipfilter/rules/example.25
-rw-r--r--contrib/ipfilter/rules/example.340
-rw-r--r--contrib/ipfilter/rules/example.44
-rw-r--r--contrib/ipfilter/rules/example.525
-rw-r--r--contrib/ipfilter/rules/example.65
-rw-r--r--contrib/ipfilter/rules/example.712
-rw-r--r--contrib/ipfilter/rules/example.810
-rw-r--r--contrib/ipfilter/rules/example.912
-rw-r--r--contrib/ipfilter/rules/example.sr61
-rw-r--r--contrib/ipfilter/rules/firewall39
-rw-r--r--contrib/ipfilter/rules/ftp-proxy45
-rwxr-xr-xcontrib/ipfilter/rules/ftppxy6
-rw-r--r--contrib/ipfilter/rules/ip_rules3
-rw-r--r--contrib/ipfilter/rules/ipmon.conf24
-rw-r--r--contrib/ipfilter/rules/nat-setup77
-rw-r--r--contrib/ipfilter/rules/nat.eg14
-rw-r--r--contrib/ipfilter/rules/pool.conf4
-rw-r--r--contrib/ipfilter/rules/rules.sed5
-rw-r--r--contrib/ipfilter/rules/server11
-rw-r--r--contrib/ipfilter/rules/tcpstate13
-rw-r--r--contrib/ipfilter/samples/.cvsignore4
-rw-r--r--contrib/ipfilter/samples/Makefile24
-rw-r--r--contrib/ipfilter/samples/ipfilter-pb.gifbin795 -> 0 bytes
-rw-r--r--contrib/ipfilter/samples/proxy.c315
-rw-r--r--contrib/ipfilter/samples/relay.c194
-rw-r--r--contrib/ipfilter/samples/userauth.c60
-rw-r--r--contrib/ipfilter/snoop.h45
-rw-r--r--contrib/ipfilter/solaris.c2131
-rw-r--r--contrib/ipfilter/test/.cvsignore87
-rw-r--r--contrib/ipfilter/test/Makefile99
-rw-r--r--contrib/ipfilter/test/README.TXT30
-rw-r--r--contrib/ipfilter/test/bpftest28
-rw-r--r--contrib/ipfilter/test/dotest40
-rwxr-xr-xcontrib/ipfilter/test/dotest635
-rw-r--r--contrib/ipfilter/test/expected/116
-rw-r--r--contrib/ipfilter/test/expected/10108
-rw-r--r--contrib/ipfilter/test/expected/1166
-rw-r--r--contrib/ipfilter/test/expected/1254
-rw-r--r--contrib/ipfilter/test/expected/1440
-rw-r--r--contrib/ipfilter/test/expected/236
-rw-r--r--contrib/ipfilter/test/expected/340
-rw-r--r--contrib/ipfilter/test/expected/440
-rw-r--r--contrib/ipfilter/test/expected/51344
-rw-r--r--contrib/ipfilter/test/expected/61344
-rw-r--r--contrib/ipfilter/test/expected/754
-rw-r--r--contrib/ipfilter/test/expected/836
-rw-r--r--contrib/ipfilter/test/expected/9108
-rw-r--r--contrib/ipfilter/test/expected/Makefile41
-rw-r--r--contrib/ipfilter/test/expected/bpf-f120
-rw-r--r--contrib/ipfilter/test/expected/bpf14
-rw-r--r--contrib/ipfilter/test/expected/expected.sed0
-rw-r--r--contrib/ipfilter/test/expected/f120
-rw-r--r--contrib/ipfilter/test/expected/f10126
-rw-r--r--contrib/ipfilter/test/expected/f11243
-rw-r--r--contrib/ipfilter/test/expected/f1260
-rw-r--r--contrib/ipfilter/test/expected/f13160
-rw-r--r--contrib/ipfilter/test/expected/f1448
-rw-r--r--contrib/ipfilter/test/expected/f159
-rw-r--r--contrib/ipfilter/test/expected/f169
-rw-r--r--contrib/ipfilter/test/expected/f177
-rw-r--r--contrib/ipfilter/test/expected/f185
-rw-r--r--contrib/ipfilter/test/expected/f1910
-rw-r--r--contrib/ipfilter/test/expected/f242
-rw-r--r--contrib/ipfilter/test/expected/f203
-rw-r--r--contrib/ipfilter/test/expected/f245
-rw-r--r--contrib/ipfilter/test/expected/f348
-rw-r--r--contrib/ipfilter/test/expected/f448
-rw-r--r--contrib/ipfilter/test/expected/f51392
-rw-r--r--contrib/ipfilter/test/expected/f61392
-rw-r--r--contrib/ipfilter/test/expected/f7144
-rw-r--r--contrib/ipfilter/test/expected/f842
-rw-r--r--contrib/ipfilter/test/expected/f9180
-rw-r--r--contrib/ipfilter/test/expected/i117
-rw-r--r--contrib/ipfilter/test/expected/i105
-rw-r--r--contrib/ipfilter/test/expected/i1111
-rw-r--r--contrib/ipfilter/test/expected/i1239
-rw-r--r--contrib/ipfilter/test/expected/i132
-rw-r--r--contrib/ipfilter/test/expected/i1410
-rw-r--r--contrib/ipfilter/test/expected/i154
-rw-r--r--contrib/ipfilter/test/expected/i163
-rw-r--r--contrib/ipfilter/test/expected/i1710
-rw-r--r--contrib/ipfilter/test/expected/i1811
-rw-r--r--contrib/ipfilter/test/expected/i1922
-rw-r--r--contrib/ipfilter/test/expected/i19.dist22
-rw-r--r--contrib/ipfilter/test/expected/i28
-rw-r--r--contrib/ipfilter/test/expected/i204
-rw-r--r--contrib/ipfilter/test/expected/i2116
-rw-r--r--contrib/ipfilter/test/expected/i311
-rw-r--r--contrib/ipfilter/test/expected/i49
-rw-r--r--contrib/ipfilter/test/expected/i59
-rw-r--r--contrib/ipfilter/test/expected/i612
-rw-r--r--contrib/ipfilter/test/expected/i79
-rw-r--r--contrib/ipfilter/test/expected/i835
-rw-r--r--contrib/ipfilter/test/expected/i917
-rw-r--r--contrib/ipfilter/test/expected/in131
-rw-r--r--contrib/ipfilter/test/expected/in271
-rw-r--r--contrib/ipfilter/test/expected/in35
-rw-r--r--contrib/ipfilter/test/expected/in45
-rw-r--r--contrib/ipfilter/test/expected/in524
-rw-r--r--contrib/ipfilter/test/expected/in68
-rw-r--r--contrib/ipfilter/test/expected/ip168
-rw-r--r--contrib/ipfilter/test/expected/ip22
-rw-r--r--contrib/ipfilter/test/expected/ipv6.14
-rw-r--r--contrib/ipfilter/test/expected/ipv6.215
-rw-r--r--contrib/ipfilter/test/expected/ipv6.36
-rw-r--r--contrib/ipfilter/test/expected/ipv6.56
-rw-r--r--contrib/ipfilter/test/expected/ipv6.63
-rw-r--r--contrib/ipfilter/test/expected/l149
-rw-r--r--contrib/ipfilter/test/expected/l1.b47
-rw-r--r--contrib/ipfilter/test/expected/n1105
-rw-r--r--contrib/ipfilter/test/expected/n109
-rw-r--r--contrib/ipfilter/test/expected/n1151
-rw-r--r--contrib/ipfilter/test/expected/n127
-rw-r--r--contrib/ipfilter/test/expected/n135
-rw-r--r--contrib/ipfilter/test/expected/n145
-rw-r--r--contrib/ipfilter/test/expected/n1621
-rw-r--r--contrib/ipfilter/test/expected/n280
-rw-r--r--contrib/ipfilter/test/expected/n312
-rw-r--r--contrib/ipfilter/test/expected/n466
-rw-r--r--contrib/ipfilter/test/expected/n5330
-rw-r--r--contrib/ipfilter/test/expected/n670
-rw-r--r--contrib/ipfilter/test/expected/n730
-rw-r--r--contrib/ipfilter/test/expected/n89
-rw-r--r--contrib/ipfilter/test/expected/n99
-rw-r--r--contrib/ipfilter/test/expected/ni119
-rw-r--r--contrib/ipfilter/test/expected/ni109
-rw-r--r--contrib/ipfilter/test/expected/ni119
-rw-r--r--contrib/ipfilter/test/expected/ni129
-rw-r--r--contrib/ipfilter/test/expected/ni1363
-rw-r--r--contrib/ipfilter/test/expected/ni1463
-rw-r--r--contrib/ipfilter/test/expected/ni1563
-rw-r--r--contrib/ipfilter/test/expected/ni1663
-rw-r--r--contrib/ipfilter/test/expected/ni1949
-rw-r--r--contrib/ipfilter/test/expected/ni219
-rw-r--r--contrib/ipfilter/test/expected/ni2049
-rw-r--r--contrib/ipfilter/test/expected/ni214
-rw-r--r--contrib/ipfilter/test/expected/ni2329
-rw-r--r--contrib/ipfilter/test/expected/ni37
-rw-r--r--contrib/ipfilter/test/expected/ni47
-rw-r--r--contrib/ipfilter/test/expected/ni5103
-rw-r--r--contrib/ipfilter/test/expected/ni617
-rw-r--r--contrib/ipfilter/test/expected/ni75
-rw-r--r--contrib/ipfilter/test/expected/ni89
-rw-r--r--contrib/ipfilter/test/expected/ni99
-rw-r--r--contrib/ipfilter/test/expected/p121
-rw-r--r--contrib/ipfilter/test/expected/p225
-rw-r--r--contrib/ipfilter/test/expected/p335
-rw-r--r--contrib/ipfilter/test/expected/p521
-rw-r--r--contrib/ipfilter/test/hextest27
-rw-r--r--contrib/ipfilter/test/input/14
-rw-r--r--contrib/ipfilter/test/input/106
-rw-r--r--contrib/ipfilter/test/input/1111
-rw-r--r--contrib/ipfilter/test/input/1235
-rw-r--r--contrib/ipfilter/test/input/1339
-rw-r--r--contrib/ipfilter/test/input/145
-rw-r--r--contrib/ipfilter/test/input/26
-rw-r--r--contrib/ipfilter/test/input/35
-rw-r--r--contrib/ipfilter/test/input/45
-rw-r--r--contrib/ipfilter/test/input/528
-rw-r--r--contrib/ipfilter/test/input/628
-rw-r--r--contrib/ipfilter/test/input/79
-rw-r--r--contrib/ipfilter/test/input/86
-rw-r--r--contrib/ipfilter/test/input/96
-rw-r--r--contrib/ipfilter/test/input/f14
-rw-r--r--contrib/ipfilter/test/input/f106
-rw-r--r--contrib/ipfilter/test/input/f1116
-rw-r--r--contrib/ipfilter/test/input/f1244
-rw-r--r--contrib/ipfilter/test/input/f1395
-rw-r--r--contrib/ipfilter/test/input/f145
-rw-r--r--contrib/ipfilter/test/input/f158
-rw-r--r--contrib/ipfilter/test/input/f168
-rw-r--r--contrib/ipfilter/test/input/f1739
-rw-r--r--contrib/ipfilter/test/input/f184
-rw-r--r--contrib/ipfilter/test/input/f194
-rw-r--r--contrib/ipfilter/test/input/f26
-rw-r--r--contrib/ipfilter/test/input/f202
-rw-r--r--contrib/ipfilter/test/input/f2427
-rw-r--r--contrib/ipfilter/test/input/f35
-rw-r--r--contrib/ipfilter/test/input/f45
-rw-r--r--contrib/ipfilter/test/input/f528
-rw-r--r--contrib/ipfilter/test/input/f628
-rw-r--r--contrib/ipfilter/test/input/f715
-rw-r--r--contrib/ipfilter/test/input/f86
-rw-r--r--contrib/ipfilter/test/input/f99
-rw-r--r--contrib/ipfilter/test/input/input.sed0
-rw-r--r--contrib/ipfilter/test/input/ip2.data3
-rw-r--r--contrib/ipfilter/test/input/ipf6-126
-rw-r--r--contrib/ipfilter/test/input/ipv6.132
-rw-r--r--contrib/ipfilter/test/input/ipv6.226
-rw-r--r--contrib/ipfilter/test/input/ipv6.330
-rw-r--r--contrib/ipfilter/test/input/ipv6.514
-rw-r--r--contrib/ipfilter/test/input/ipv6.617
-rw-r--r--contrib/ipfilter/test/input/l164
-rw-r--r--contrib/ipfilter/test/input/n134
-rw-r--r--contrib/ipfilter/test/input/n106
-rw-r--r--contrib/ipfilter/test/input/n1116
-rw-r--r--contrib/ipfilter/test/input/n1218
-rw-r--r--contrib/ipfilter/test/input/n134
-rw-r--r--contrib/ipfilter/test/input/n144
-rw-r--r--contrib/ipfilter/test/input/n1640
-rw-r--r--contrib/ipfilter/test/input/n219
-rw-r--r--contrib/ipfilter/test/input/n35
-rw-r--r--contrib/ipfilter/test/input/n410
-rw-r--r--contrib/ipfilter/test/input/n554
-rw-r--r--contrib/ipfilter/test/input/n613
-rw-r--r--contrib/ipfilter/test/input/n79
-rw-r--r--contrib/ipfilter/test/input/n830
-rw-r--r--contrib/ipfilter/test/input/n930
-rw-r--r--contrib/ipfilter/test/input/ni156
-rw-r--r--contrib/ipfilter/test/input/ni1023
-rw-r--r--contrib/ipfilter/test/input/ni1124
-rw-r--r--contrib/ipfilter/test/input/ni1224
-rw-r--r--contrib/ipfilter/test/input/ni13235
-rw-r--r--contrib/ipfilter/test/input/ni14235
-rw-r--r--contrib/ipfilter/test/input/ni15235
-rw-r--r--contrib/ipfilter/test/input/ni16235
-rw-r--r--contrib/ipfilter/test/input/ni176
-rw-r--r--contrib/ipfilter/test/input/ni19157
-rw-r--r--contrib/ipfilter/test/input/ni2161
-rw-r--r--contrib/ipfilter/test/input/ni20157
-rw-r--r--contrib/ipfilter/test/input/ni213
-rw-r--r--contrib/ipfilter/test/input/ni233
-rw-r--r--contrib/ipfilter/test/input/ni310
-rw-r--r--contrib/ipfilter/test/input/ni410
-rw-r--r--contrib/ipfilter/test/input/ni5363
-rw-r--r--contrib/ipfilter/test/input/ni654
-rw-r--r--contrib/ipfilter/test/input/ni713
-rw-r--r--contrib/ipfilter/test/input/ni824
-rw-r--r--contrib/ipfilter/test/input/ni924
-rw-r--r--contrib/ipfilter/test/input/p18
-rw-r--r--contrib/ipfilter/test/input/p28
-rw-r--r--contrib/ipfilter/test/input/p312
-rw-r--r--contrib/ipfilter/test/input/p58
-rwxr-xr-xcontrib/ipfilter/test/intest22
-rw-r--r--contrib/ipfilter/test/iptest22
-rw-r--r--contrib/ipfilter/test/itest29
-rwxr-xr-xcontrib/ipfilter/test/logtest59
-rwxr-xr-xcontrib/ipfilter/test/mhtest36
-rwxr-xr-xcontrib/ipfilter/test/mtest38
-rwxr-xr-xcontrib/ipfilter/test/natipftest71
-rwxr-xr-xcontrib/ipfilter/test/nattest42
-rw-r--r--contrib/ipfilter/test/ptest31
-rw-r--r--contrib/ipfilter/test/regress/14
-rw-r--r--contrib/ipfilter/test/regress/1018
-rw-r--r--contrib/ipfilter/test/regress/116
-rw-r--r--contrib/ipfilter/test/regress/126
-rw-r--r--contrib/ipfilter/test/regress/136
-rw-r--r--contrib/ipfilter/test/regress/148
-rw-r--r--contrib/ipfilter/test/regress/26
-rw-r--r--contrib/ipfilter/test/regress/38
-rw-r--r--contrib/ipfilter/test/regress/48
-rw-r--r--contrib/ipfilter/test/regress/548
-rw-r--r--contrib/ipfilter/test/regress/648
-rw-r--r--contrib/ipfilter/test/regress/76
-rw-r--r--contrib/ipfilter/test/regress/86
-rw-r--r--contrib/ipfilter/test/regress/918
-rw-r--r--contrib/ipfilter/test/regress/bpf-f14
-rw-r--r--contrib/ipfilter/test/regress/bpf14
-rw-r--r--contrib/ipfilter/test/regress/f14
-rw-r--r--contrib/ipfilter/test/regress/f1018
-rw-r--r--contrib/ipfilter/test/regress/f117
-rw-r--r--contrib/ipfilter/test/regress/f126
-rw-r--r--contrib/ipfilter/test/regress/f138
-rw-r--r--contrib/ipfilter/test/regress/f148
-rw-r--r--contrib/ipfilter/test/regress/f158
-rw-r--r--contrib/ipfilter/test/regress/f1610
-rw-r--r--contrib/ipfilter/test/regress/f174
-rw-r--r--contrib/ipfilter/test/regress/f184
-rw-r--r--contrib/ipfilter/test/regress/f192
-rw-r--r--contrib/ipfilter/test/regress/f26
-rw-r--r--contrib/ipfilter/test/regress/f204
-rw-r--r--contrib/ipfilter/test/regress/f241
-rw-r--r--contrib/ipfilter/test/regress/f38
-rw-r--r--contrib/ipfilter/test/regress/f48
-rw-r--r--contrib/ipfilter/test/regress/f548
-rw-r--r--contrib/ipfilter/test/regress/f648
-rw-r--r--contrib/ipfilter/test/regress/f79
-rw-r--r--contrib/ipfilter/test/regress/f86
-rw-r--r--contrib/ipfilter/test/regress/f918
-rw-r--r--contrib/ipfilter/test/regress/i118
-rw-r--r--contrib/ipfilter/test/regress/i105
-rw-r--r--contrib/ipfilter/test/regress/i1111
-rw-r--r--contrib/ipfilter/test/regress/i1210
-rw-r--r--contrib/ipfilter/test/regress/i138
-rw-r--r--contrib/ipfilter/test/regress/i1410
-rw-r--r--contrib/ipfilter/test/regress/i154
-rw-r--r--contrib/ipfilter/test/regress/i163
-rw-r--r--contrib/ipfilter/test/regress/i1713
-rw-r--r--contrib/ipfilter/test/regress/i183
-rw-r--r--contrib/ipfilter/test/regress/i1922
-rw-r--r--contrib/ipfilter/test/regress/i28
-rw-r--r--contrib/ipfilter/test/regress/i204
-rw-r--r--contrib/ipfilter/test/regress/i217
-rw-r--r--contrib/ipfilter/test/regress/i314
-rw-r--r--contrib/ipfilter/test/regress/i49
-rw-r--r--contrib/ipfilter/test/regress/i59
-rw-r--r--contrib/ipfilter/test/regress/i612
-rw-r--r--contrib/ipfilter/test/regress/i79
-rw-r--r--contrib/ipfilter/test/regress/i833
-rw-r--r--contrib/ipfilter/test/regress/i917
-rw-r--r--contrib/ipfilter/test/regress/in131
-rw-r--r--contrib/ipfilter/test/regress/in271
-rw-r--r--contrib/ipfilter/test/regress/in35
-rw-r--r--contrib/ipfilter/test/regress/in45
-rw-r--r--contrib/ipfilter/test/regress/in524
-rw-r--r--contrib/ipfilter/test/regress/in68
-rw-r--r--contrib/ipfilter/test/regress/ip178
-rw-r--r--contrib/ipfilter/test/regress/ip22
-rw-r--r--contrib/ipfilter/test/regress/ipf6-13
-rw-r--r--contrib/ipfilter/test/regress/ipv6.11
-rw-r--r--contrib/ipfilter/test/regress/ipv6.23
-rw-r--r--contrib/ipfilter/test/regress/ipv6.31
-rw-r--r--contrib/ipfilter/test/regress/ipv6.52
-rw-r--r--contrib/ipfilter/test/regress/ipv6.61
-rw-r--r--contrib/ipfilter/test/regress/l16
-rw-r--r--contrib/ipfilter/test/regress/n13
-rw-r--r--contrib/ipfilter/test/regress/n103
-rw-r--r--contrib/ipfilter/test/regress/n113
-rw-r--r--contrib/ipfilter/test/regress/n121
-rw-r--r--contrib/ipfilter/test/regress/n131
-rw-r--r--contrib/ipfilter/test/regress/n141
-rw-r--r--contrib/ipfilter/test/regress/n161
-rw-r--r--contrib/ipfilter/test/regress/n24
-rw-r--r--contrib/ipfilter/test/regress/n32
-rw-r--r--contrib/ipfilter/test/regress/n46
-rw-r--r--contrib/ipfilter/test/regress/n56
-rw-r--r--contrib/ipfilter/test/regress/n65
-rw-r--r--contrib/ipfilter/test/regress/n73
-rw-r--r--contrib/ipfilter/test/regress/n81
-rw-r--r--contrib/ipfilter/test/regress/n91
-rw-r--r--contrib/ipfilter/test/regress/ni1.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni1.nat3
-rw-r--r--contrib/ipfilter/test/regress/ni10.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni10.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni11.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni11.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni12.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni12.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni13.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni13.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni14.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni14.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni15.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni15.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni16.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni16.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni17.nat4
-rw-r--r--contrib/ipfilter/test/regress/ni19.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni19.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni2.ipf1
-rw-r--r--contrib/ipfilter/test/regress/ni2.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni20.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni20.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni21.ipf1
-rw-r--r--contrib/ipfilter/test/regress/ni21.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni23.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni23.nat2
-rw-r--r--contrib/ipfilter/test/regress/ni3.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni3.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni4.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni4.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni5.ipf3
-rw-r--r--contrib/ipfilter/test/regress/ni5.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni6.ipf9
-rw-r--r--contrib/ipfilter/test/regress/ni6.nat3
-rw-r--r--contrib/ipfilter/test/regress/ni7.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni7.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni8.ipf1
-rw-r--r--contrib/ipfilter/test/regress/ni8.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni9.ipf1
-rw-r--r--contrib/ipfilter/test/regress/ni9.nat1
-rw-r--r--contrib/ipfilter/test/regress/p1.ipf1
-rw-r--r--contrib/ipfilter/test/regress/p1.pool2
-rw-r--r--contrib/ipfilter/test/regress/p2.ipf2
-rw-r--r--contrib/ipfilter/test/regress/p3.ipf6
-rw-r--r--contrib/ipfilter/test/regress/p3.pool4
-rw-r--r--contrib/ipfilter/test/regress/p5.ipf1
-rw-r--r--contrib/ipfilter/test/regress/p5.pool2
-rw-r--r--contrib/ipfilter/test/regress/regress.sed0
-rw-r--r--contrib/ipfilter/test/test.format99
-rw-r--r--contrib/ipfilter/test/test.sed6
-rwxr-xr-xcontrib/ipfilter/test/vfycksum.pl294
-rw-r--r--contrib/ipfilter/todo98
-rw-r--r--contrib/ipfilter/tools/BNF.ipf80
-rw-r--r--contrib/ipfilter/tools/BNF.ipnat28
-rw-r--r--contrib/ipfilter/tools/Makefile107
-rw-r--r--contrib/ipfilter/tools/ipf.c568
-rw-r--r--contrib/ipfilter/tools/ipf_y.y2197
-rw-r--r--contrib/ipfilter/tools/ipfcomp.c1358
-rw-r--r--contrib/ipfilter/tools/ipfs.c890
-rw-r--r--contrib/ipfilter/tools/ipfstat.c2112
-rw-r--r--contrib/ipfilter/tools/ipftest.c804
-rw-r--r--contrib/ipfilter/tools/ipmon.c1732
-rw-r--r--contrib/ipfilter/tools/ipmon_y.y698
-rw-r--r--contrib/ipfilter/tools/ipnat.c576
-rw-r--r--contrib/ipfilter/tools/ipnat_y.y871
-rw-r--r--contrib/ipfilter/tools/ippool.c876
-rw-r--r--contrib/ipfilter/tools/ippool_y.y520
-rw-r--r--contrib/ipfilter/tools/ipscan_y.y569
-rw-r--r--contrib/ipfilter/tools/ipsyncm.c254
-rw-r--r--contrib/ipfilter/tools/ipsyncs.c272
-rw-r--r--contrib/ipfilter/tools/lex_var.h58
-rw-r--r--contrib/ipfilter/tools/lexer.c661
-rw-r--r--contrib/ipfilter/tools/lexer.h40
794 files changed, 0 insertions, 133028 deletions
diff --git a/contrib/ipfilter/.cvsignore b/contrib/ipfilter/.cvsignore
deleted file mode 100644
index 616828f..0000000
--- a/contrib/ipfilter/.cvsignore
+++ /dev/null
@@ -1,28 +0,0 @@
-ipf
-sparcv7
-sparcv9
-h
-ipf-darren
-bugs
-ipftest
-patches
-state
-cbits
-CVS
-old
-new
-netinet
-import
-bak
-streams
-cvs.diff
-threads
-glibc
-hp
-windows
-ipnat
-opt_inet6.h
-ippool
-ipmon
-ip_rules.c
-ip_rules.h
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF
deleted file mode 100644
index 404cc28..0000000
--- a/contrib/ipfilter/BNF
+++ /dev/null
@@ -1,81 +0,0 @@
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-pps = "pps" decnumber .
-
-onif = "on" interface-name [ "out-via" interface-name ] .
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-call = "call" [ "now" ] function-name "/" decnumber.
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
-replyto = "reply-to" interface-name [ ":" ipaddr ] .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" object "to" object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-loglevel = facility"."priority | priority .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-
-withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
-opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
- "mbcast" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | "routerad" |
- "routersol" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
diff --git a/contrib/ipfilter/BSD/.cvsignore b/contrib/ipfilter/BSD/.cvsignore
deleted file mode 100644
index c149a00..0000000
--- a/contrib/ipfilter/BSD/.cvsignore
+++ /dev/null
@@ -1,22 +0,0 @@
-ipf
-ipfs
-ipfstat
-ipftest
-ipmon
-ipnat
-ipresend
-ipsend
-iptest
-vnode_if.h
-if_ipl
-i386
-amiga
-FreeBSD*
-BSDOS*
-NetBSD*
-OpenBSD*
-*_lex_var.h
-*_y.c
-*_l.c
-*_y.h
-ip_rules.*
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
deleted file mode 100644
index fe8a4d4..0000000
--- a/contrib/ipfilter/BSD/Makefile
+++ /dev/null
@@ -1,540 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-TOP=../..
-BINDEST=/usr/sbin
-SBINDEST=/sbin
-MANDIR=/usr/share/man
-SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i<NF;i++){print $$i;}}' - | sort -u
-
-CC=gcc -Wall -Wuninitialized -Wstrict-prototypes -O -Wmissing-prototypes -Wpointer-arith -Wno-sign-compare -Wno-traditional -Werror
-#UFLAGS=-fprofile-arcs -ftest-coverage
-CFLAGS=-g -I$(TOP)
-#
-# For NetBSD/FreeBSD
-#
-DEVFS!=/usr/bin/lsvfs 2>&1 | sed -n 's/.*devfs.*/-DDEVFS/p'
-CPU!=uname -m
-INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch
-DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) -fno-builtin
-IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST
-VNODESHDIR=/sys/kern
-MLD=$(ML)
-ML=mln_ipl.c
-LKM=if_ipl.o
-LKMR=ipfrule.o
-DLKM=
-OBJ=.
-DEST=$(OBJ)
-MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
- 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
- "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
- "CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)" "SYNC=$(SYNC)"
-LIBS=-L. -lipf $(LIBBPF)
-#
-########## ########## ########## ########## ########## ########## ##########
-#
-CP=/bin/cp
-RM=/bin/rm
-CHMOD=/bin/chmod
-INSTALL=install
-#
-MODOBJS=ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \
- ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o ip_rules.o \
- ip_scan.o ip_sync.o
-# ip_trafcon.o
-DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF)
-IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o bpf_filter_u.o
-IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \
- ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \
- ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \
- ippool_y.o ippool_l.o ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o \
- md5_u.o radix_u.o bpf_filter_u.o
-# ip_syn_u.o
-#ip_trafcon_u.o
-TOOL=$(TOP)/tools
-IPNAT=ipnat.o ipnat_y.o ipnat_l.o
-IPMON=ipmon.o ipmon_y.o ipmon_l.o
-IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o
-IPTRAFCON=iptrafcon.o
-PROXYLIST=$(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_irc_pxy.c \
- $(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c $(TOP)/ip_rcmd_pxy.c \
- $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c
-FILS=ipfstat.o
-LIBSRC=$(TOP)/lib
-RANLIB=ranlib
-AROPTS=cq
-HERE!=pwd
-CCARGS=-I. $(DEBUG) $(CFLAGS) $(UFLAGS)
-KCARGS=-I. $(DEBUG) $(CFLAGS)
-#
-# Extra is option kernel things we always want in user space.
-#
-EXTRA=$(ALLOPTS)
-
-include $(TOP)/lib/Makefile
-
-build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \
- ippool ipscan ipsyncm ipsyncs $(LKM) $(LKMR)
- -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done'
- -/bin/rm -f ../tools ./tools
- -ln -s ../tools .
- -ln -s ../tools ..
-
-bpf.h:
- echo '#define DEV_BPF 1' > bpf.h
-
-$(TOP)/ip_compat.h: bpf.h
-
-machine: Makefile.kmod
- if [ -f Makefile.kmod ] ; then \
- make -f Makefile.kmod depend MKUPDATE=no; \
- fi
-
-Makefile.kmod:
- if [ -f /usr/share/mk/bsd.kmod.mk -a "`uname -s`" = "NetBSD" ] ; then \
- rm -f Makefile.kmod; \
- ln -s /usr/share/mk/bsd.kmod.mk Makefile.kmod; \
- fi
-
-ipfstat: $(FILS) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \
- -o $@ $(LIBS) $(STATETOP_LIB) -lkvm
-
-ipf: $(IPF) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF)
-
-ipftest: $(IPT) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF)
-
-ipnat: $(IPNAT) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lkvm -ll
-
-ipfs: ipfs.o
- $(CC) $(CCARGS) ipfs.o -o $@
-
-ipsyncm: ipsyncm.o $(OBJ)/libipf.a
- $(CC) $(CCARGS) ipsyncm.o -o $@ $(LIBS)
-
-ipsyncs: ipsyncs.o $(OBJ)/libipf.a
- $(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS)
-
-ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h
- $(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@
-
-ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h
- $(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@
-
-tests:
- (cd test; make )
-
-ipfstat.o: $(TOOL)/ipfstat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \
- $(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h $(TOP)/opts.h
- $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
- -c $(TOOL)/ipfstat.c -o $@
-
-ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \
- $(TOP)/ip_nat.h $(TOP)/opts.h
- $(CC) $(CCARGS) -c $(TOOL)/ipfs.c -o $@
-
-fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \
- $(TOP)/opts.h $(TOP)/ip_rules.h
- $(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -c $(TOP)/fil.c -o $@
-
-fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \
- $(TOP)/ip_rules.h
- $(CC) $(KCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) \
- -c $(TOP)/fil.c -o $@
-
-ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
- $(CC) $(CCARGS) -c $(TOOL)/ipf.c -o $@
-
-ipfcomp.o: $(TOOL)/ipfcomp.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h
- $(CC) $(CCARGS) -c $(TOOL)/ipfcomp.c -o $@
-
-ipftest.o: $(TOOL)/ipftest.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h \
- $(TOP)/opts.h
- $(CC) $(CCARGS) -c $(TOOL)/ipftest.c -o $@
-
-ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \
- $(TOP)/opts.h
- $(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@
-
-ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h
- $(CC) $(CCARGS) -c ipnat_y.c -o $@
-
-ipnat_l.o: ipnat_l.c ipnat_y.h
- $(CC) $(CCARGS) -I. -c ipnat_l.c -o $@
-
-ipnat_y.c: $(TOOL)/ipnat_y.y
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipnat_y.h: ipnat_y.c
-
-ipnat_l.c: $(TOOL)/lexer.c $(TOP)/ip_nat.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipnat_l.h: $(TOOL)/lexer.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@
-
-ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@
-
-ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_frag.c -o $@
-
-ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h $(TOP)/ip_nat.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_state.c -o $@
-
-ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_auth.c -o $@
-
-ip_fil_u.o: $(TOP)/ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_fil.c -o $@
-
-ip_rules_u.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_rules.h
- $(CC) $(CCARGS) $(EXTRA) -c ip_rules.c -o $@
-
-ip_scan_u.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_scan.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_scan.c -o $@
-
-ip_sync_u.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_sync.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_sync.c -o $@
-
-ip_pool_u.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_pool.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_pool.c -o $@
-
-ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_htable.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@
-
-ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@
-
-ip_trafcon_u.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_trafcon.h
- $(CC) $(CCARGS) -c $(TOP)/ip_trafcon.c -o $@
-
-ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_log.c -o $@
-
-md5_u.o: $(TOP)/md5.c $(TOP)/md5.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/md5.c -o $@
-
-radix_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix.c -o $@
-
-bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h
- $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/bpf_filter.c -o $@
-
-if_ipl.o: $(MODOBJS)
- ld -r $(MODOBJS) -o $(LKM)
- ${RM} -f if_ipl
-
-ipfrule.ko.5: ip_rulesx.o $(MLR)
- ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) ip_rulesx.o $(MLR)
- ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/)
-ipfrule.ko: ip_rulesx.o $(MLR)
- gensetdefs ip_rulesx.o $(MLR)
- $(CC) $(KCARGS) -c setdef0.c
- $(CC) $(KCARGS) -c setdef1.c
- ld -Bshareable -o $@ setdef0.o ip_rulesx.o $(MLR) setdef1.o
-
-ipf.ko.5 ipl.ko.5: $(MODOBJS)
- ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) $(MODOBJS)
- ld -Bshareable -d -warn-common -o $(LKM:S/.5$//) $(.TARGET:S/.ko/.kld/)
-
-ipf.ko ipl.ko: $(MODOBJS)
- gensetdefs $(MODOBJS)
- $(CC) $(KCARGS) -c setdef0.c
- $(CC) $(KCARGS) -c setdef1.c
- ld -Bshareable -o $@ setdef0.o $(MODOBJS) setdef1.o
-
-ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@
-
-ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@
-
-ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h $(TOP)/ip_nat.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@
-
-ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@
-
-ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \
- $(TOP)/ip_fil.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@
-
-ip_fil.c:
- /bin/rm -f ip_fil.c
- ln -s $(TOP)/ip_fil_`uname -s|tr A-Z a-z`.c ip_fil.c
-
-ip_fil.o: ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h
- $(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@
-
-ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@
-
-ip_scan.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_scan.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@
-
-ip_sync.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_sync.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@
-
-ip_pool.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_lookup.h $(TOP)/ip_pool.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_pool.c -o $@
-
-ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_lookup.h $(TOP)/ip_htable.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@
-
-ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@
-
-ip_trafcon.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \
- $(TOP)/ip_trafcon.h
- $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@
-
-vnode_if.h: $(VNODESHDIR)/vnode_if.src
- mkdir -p ../sys
- if [ -f $(VNODESHDIR)/vnode_if.sh ] ; then \
- sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src; \
- fi
- if [ -f $(VNODESHDIR)/vnode_if.pl ] ; then \
- perl $(VNODESHDIR)/vnode_if.pl $(VNODESHDIR)/vnode_if.src; \
- fi
- if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi
- rmdir ../sys
-
-ml_ipl.o: vnode_if.h $(TOP)/$(MLD) $(TOP)/ipl.h
- -/bin/rm -f vnode_if.c
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@
-
-ip_rules.o: ip_rules.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) $(COMPIPF) -c ip_rules.c -o $@
-
-ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.c ipf
- ./ipf -cc -nf $(TOP)/rules/ip_rules
-
-$(TOP)/ip_rules.h: ip_rules.c
- if [ ! -f $(TOP)/ip_rules.h ] ; then \
- /bin/mv -f ip_rules.h $(TOP); \
- else \
- touch $(TOP)/ip_rules.h; \
- fi
-
-ip_rulesx.o: ip_rules.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@
-
-mlf_rule.o: $(TOP)/mlf_rule.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlf_rule.c -o $@
-
-mln_rule.o: $(TOP)/mln_rule.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mln_rule.c -o $@
-
-mlo_rule.o: $(TOP)/mlo_rule.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlo_rule.c -o $@
-
-mlfk_rule.o: $(TOP)/mlfk_rule.c $(TOP)/ip_rules.h
- $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@
-
-ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
- $(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@
-
-ipf_l.o: ipf_l.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h
- $(CC) $(CCARGS) -I. -c ipf_l.c -o $@
-
-ipf_y.c: $(TOOL)/ipf_y.y $(TOP)/ipf.h $(TOP)/opts.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipf_y.h: ipf_y.c
-
-ipf_l.c: $(TOOL)/lexer.c $(TOP)/ipf.h $(TOP)/opts.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipf_l.h: $(TOOL)/lexer.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipmon: $(IPMON) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(IPMON) -o $@ $(LIBS) -ll
-
-ipmon.o: $(TOOL)/ipmon.c $(TOP)/ipmon.h
- $(CC) $(CCARGS) $(LOGFAC) -c $(TOOL)/ipmon.c -o $@
-
-ipmon_y.o: ipmon_y.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h
- $(CC) $(CCARGS) -c ipmon_y.c -o $@
-
-ipmon_l.o: ipmon_l.c ipmon_y.h $(TOP)/ipmon.h
- $(CC) $(CCARGS) -I. -c ipmon_l.c -o $@
-
-ipmon_y.c: $(TOOL)/ipmon_y.y $(TOP)/ipmon.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipmon_y.h: ipmon_y.c
-
-ipmon_l.c: $(TOOL)/lexer.c $(TOP)/ipmon.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipmon_l.h: $(TOOL)/lexer.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipscan: ipscan_y.o ipscan_l.o
- $(CC) $(DEBUG) ipscan_y.o ipscan_l.o -o $@ -ll $(LIBS) -lkvm
-
-ipscan_y.o: ipscan_y.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h
- $(CC) $(CCARGS) -c ipscan_y.c -o $@
-
-ipscan_l.o: ipscan_l.c ipscan_y.h $(TOP)/ip_scan.h
- $(CC) $(CCARGS) -I. -c ipscan_l.c -o $@
-
-ipscan_y.c: $(TOOL)/ipscan_y.y $(TOP)/ip_scan.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ipscan_y.h: ipscan_y.c
-
-ipscan_l.c ipscan_l.h: $(TOOL)/lexer.c $(TOP)/ip_scan.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ippool: $(IPPOOL) $(OBJ)/libipf.a
- $(CC) $(DEBUG) -I. $(CFLAGS) $(IPPOOL) -o $@ -ll -lkvm -L. -lipf
-
-ippool.o: $(TOOL)/ippool.c $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -c $(TOOL)/ippool.c -o $@
-
-ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h
- $(CC) $(CCARGS) -c ippool_y.c -o $@
-
-ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -I. -c ippool_l.c -o $@
-
-ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ippool_y.h: ippool_y.c
-
-ippool_l.c: $(TOOL)/lexer.c $(TOP)/ip_pool.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-ippool_l.h: $(TOOL)/lexer.h
- (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@)
-
-iptrafcon.o: $(TOP)/iptrafcon.c
- $(CC) $(CCARGS) -c $< -o $@
-
-iptrafcon: $(IPTRAFCON) $(OBJ)/libipf.a
- $(CC) $(CCARGS) $(IPTRAFCON) -o $@ $(LIBS)
-
-.y.c:
-
-.l.c:
-
-clean:
- ${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest
- ${RM} -f ../ipscan ../ipsyncm ../ipsyncs
- ${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon
- ${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld* ipfrule.kld*
- ${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h
- ${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h
- ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h
- ${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h
- ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h
- ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h
- ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h bpf.h
- ${RM} -f *.da *.gcov *.bb *.bbg tools
-
- ${MAKE} -f Makefile.ipsend ${MFLAGS} clean
- if [ -f Makefile.kmod ] ; then \
- ${MAKE} -f Makefile.kmod ${MFLAGS} clean; \
- fi
- -(for i in *; do \
- if [ -d $${i} -a -f $${i}/Makefile ] ; then \
- cd $${i}; (make TOP=../.. clean); cd ..; \
- /bin/rm -f $${i}/Makefile $${i}/Makefile.ipsend; \
- /bin/rm -f $${i}/Makefile.kmod; \
- rmdir $${i}; \
- fi \
- done)
-
-install:
- for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
- ip_frag.h ip_auth.h; do \
- /bin/cp $(TOP)/$$i /usr/include/netinet/; \
- $(CHMOD) 444 /usr/include/netinet/$$i; \
- done
- -if [ -d /lkm -a -f if_ipl.o ] ; then \
- cp if_ipl.o /lkm; \
- fi
- -if [ -d /modules -a -f ipf.ko ] ; then \
- if [ -f /modules/ipl.ko ] ; then \
- cp ipf.ko /modules/ipl.ko; \
- else \
- cp ipf.ko /modules; \
- fi \
- fi
- -if [ -d /modules -a -f ipfrule.ko ] ; then \
- cp ipfrule.ko /modules; \
- fi
- -if [ -d /boot/kernel -a -f ipf.ko ] ; then \
- if [ -f /boot/kernel/ipl.ko ] ; then \
- cp ipf.ko /boot/kernel/ipl.ko; \
- else \
- cp ipf.ko /boot/kernel; \
- fi \
- fi
- -if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
- cp ipfrule.ko /boot/kernel; \
- fi
- -if [ -d /usr/lkm -a -f if_ipl.o ] ; then \
- cp if_ipl.o /usr/lkm; \
- fi
- -$(INSTALL) -cs -g wheel -m 755 -o root ipscan $(SBINDEST)
- (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
- @for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \
- ippool:$(BINDEST) ipsyncm:$(BINDEST) ipsyncs:$(BINDEST) \
- ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
- def="`expr $$i : '[^:]*:\(.*\)'`"; \
- p="`expr $$i : '\([^:]*\):.*'`"; \
- dd=; \
- for d in $(SEARCHDIRS); do \
- if [ -f $$d/$$p ] ; then \
- echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
- $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
- dd=XXX; \
- fi; \
- done; \
- if [ -z "$$dd" ] ; then \
- echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
- $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \
- fi \
- done
- if [ -d /etc/rc.d ] ; then \
- $(INSTALL) -c -g wheel -m 755 -o root ../ipfadm-rcd $(SBINDEST)/ipfadm; \
- fi
- (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP))
-
-coverage:
- ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -k 1n -k 3n > report
- sort -k 1n -k 3n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += ($$F[0]/100)*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,($$t/$$lc)*100;' >> report
-
-clean-coverage:
- /bin/rm -f *.gcov *.da
diff --git a/contrib/ipfilter/BSD/Makefile.ipsend b/contrib/ipfilter/BSD/Makefile.ipsend
deleted file mode 100644
index a83de1c..0000000
--- a/contrib/ipfilter/BSD/Makefile.ipsend
+++ /dev/null
@@ -1,108 +0,0 @@
-#
-# $Id: Makefile.ipsend,v 2.8 2002/05/22 16:15:36 darrenr Exp $
-#
-
-BINDEST=/usr/sbin
-SBINDEST=/sbin
-MANDIR=/usr/share/man
-
-OBJS=ipsend.o ip.o ipsopt.o iplang_y.o iplang_l.o
-IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o
-ROBJS=ipresend.o ip.o resend.o
-TOBJS=iptest.o iptests.o ip.o
-UNIXOBJS=sbpf.o sock.o 44arp.o
-OBJ=.
-LIBS=-L$(OBJ) -lipf
-
-CC=gcc -Wuninitialized -Wstrict-prototypes -O
-CFLAGS=-g -I$(TOP)
-#
-MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
- 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
- "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
- "CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)"
-#
-all build bsd-bpf : ipsend ipresend iptest
-
-iplang_y.o: $(TOP)/iplang/iplang_y.y
- (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
-
-iplang_l.o: $(TOP)/iplang/iplang_l.l
- (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' )
-
-.c.o:
- $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@
-
-ipsend: $(OBJS) $(UNIXOBJS)
- $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll
-
-ipresend: $(ROBJS) $(UNIXOBJS)
- $(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS)
-
-iptest: $(TOBJS) $(UNIXOBJS)
- $(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS)
-
-clean:
- rm -rf *.o core a.out ipsend ipresend iptest iplang_y.* iplang_l.*
-
-ipsend.o: $(TOP)/ipsend/ipsend.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@
-
-ipsopt.o: $(TOP)/ipsend/ipsopt.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@
-
-ipresend.o: $(TOP)/ipsend/ipresend.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@
-
-ip.o: $(TOP)/ipsend/ip.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@
-
-resend.o: $(TOP)/ipsend/resend.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@
-
-ipft_sn.o: $(TOP)/ipft_sn.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@
-
-ipft_pc.o: $(TOP)/ipft_pc.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_pc.c -o $@
-
-iptest.o: $(TOP)/ipsend/iptest.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@
-
-iptests.o: $(TOP)/ipsend/iptests.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@
-
-sbpf.o: $(TOP)/ipsend/sbpf.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sbpf.c -o $@
-
-snit.o: $(TOP)/ipsend/snit.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/snit.c -o $@
-
-sock.o: $(TOP)/ipsend/sock.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@
-
-arp.o: $(TOP)/ipsend/arp.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@
-
-44arp.o: $(TOP)/ipsend/44arp.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/44arp.c -o $@
-
-lsock.o: $(TOP)/ipsend/lsock.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/lsock.c -o $@
-
-slinux.o: $(TOP)/ipsend/slinux.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/slinux.c -o $@
-
-larp.o: $(TOP)/ipsend/larp.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/larp.c -o $@
-
-dlcommon.o: $(TOP)/ipsend/dlcommon.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/dlcommon.c -o $@
-
-sdlpi.o: $(TOP)/ipsend/sdlpi.c
- $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@
-
-install:
- -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
-
diff --git a/contrib/ipfilter/BSD/ipfadm-rcd b/contrib/ipfilter/BSD/ipfadm-rcd
deleted file mode 100755
index 41f62b0..0000000
--- a/contrib/ipfilter/BSD/ipfadm-rcd
+++ /dev/null
@@ -1,350 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2006 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-prog=$0
-
-RCD=/etc/rc.conf.d
-
-# This script is an interface to the following rc.d scripts:
-# /etc/rc.d/ipfilter
-# /etc/rc.d/ipfs
-# /etc/rc.d/ipnat
-# /etc/rc.d/ipmon
-
-running=`ipf -V 2>/dev/null|sed -ne 's/Running: \(.*\)/\1/p'`
-
-usage() {
- echo "$prog status"
- echo "$prog ipfilter <enable|disable|reload|resync|start|status|stop>"
- echo "$prog ipfs <enable|disable|status|start|stop>"
- echo "$prog ipmon <enable|disable|restart|start|status|stop>"
- echo "$prog ipnat <enable|disable|reload|start|status|stop>"
- exit 1
-}
-
-enable() {
- old=${RCD}/$1.old
- new=${RCD}/$1
- mkdir ${RCD}/$1.d
- if [ $? -eq 0 ] ; then
- if [ -f ${RCD}/$1 ] ; then
- cp ${RCD}/$1 ${RCD}/$1.old
- sed -e "s/^${1} *\=.*/${1}\=YES/" ${old} > ${new}
- /bin/rm ${old}
- else
- echo "$1=YES" > ${RCD}/$1
- chmod go-wx ${RCD}/$1
- fi
- rmdir ${RCD}/$1.d
- fi
-}
-
-disable() {
- old=${RCD}/$1.old
- new=${RCD}/$1
- mkdir ${RCD}/$1.d
- if [ $? -eq 0 ] ; then
- if [ -f ${RCD}/$1 ] ; then
- cp ${RCD}/$1 ${RCD}/$1.old
- sed -e "s/^${1} *\=.*/${1}\=NO/" ${old} > ${new}
- /bin/rm ${old}
- else
- echo "$1=NO" > ${RCD}/$1
- chmod go-wx ${RCD}/$1
- fi
- rmdir ${RCD}/$1.d
- fi
-}
-
-status() {
- active=`/etc/rc.d/$1 rcvar|sed -ne "s/^$""${1}\=\(.*\)$/\1/p"`
- case $active in
- NO)
- return 0
- ;;
- YES)
- return 1
- ;;
- esac
- return 2
-}
-
-status_ipmon() {
- echo -n "ipmon "
- pid=`pgrep ipmon`
- status ipmon
- case $? in
- 0)
- if [ -n "$pid" ] ; then
- echo "disabled-but-running"
- else
- echo "disabled"
- fi
- ;;
- 1)
- if [ -n "$pid" ] ; then
- echo "enabled"
- else
- echo "enabled-not-running"
- fi
- ;;
- 2)
- if [ -n "$pid" ] ; then
- echo "unknown-state-running"
- else
- echo "unknown-state"
- fi
- ;;
- esac
-}
-
-status_ipfilter() {
- if [ -z "$running" ] ; then
- rules=
- emsg="-not-in-kernel"
- dmsg=
- else
- case $running in
- yes)
- emsg=
- dmsg="-rules-loaded"
- rules=`ipfstat -io 2>/dev/null`
- if [ -z "$rules" ] ; then
- rules=`ipfstat -aio 2>/dev/null`
- if [ -z "$rules" ] ; then
- emsg="-no-rules"
- dmsg=
- fi
- fi
- ;;
- no)
- rules=
- emsg="-not-running"
- dmsg=
- ;;
- esac
- fi
-
- echo -n "ipfilter "
- status ipfilter
- case $? in
- 0)
- echo "disabled${dmsg}"
- ;;
- 1)
- echo "enabled${emsg}"
- ;;
- 2)
- if [ -n "$rules" ] ; then
- echo "unknown${dmsg}"
- else
- echo "unknown-state"
- fi
- ;;
- esac
-}
-
-status_ipnat() {
- if [ -z "$running" ] ; then
- rules=
- emsg="-not-in-kernel"
- dmsg=
- else
- case $running in
- yes)
- emsg=
- dmsg="-rules-loaded"
- rules=`ipnat -l 2>/dev/null | egrep '^map|rdr' 2>/dev/null`
- if [ -z "$rules" ] ; then
- emsg="-no-rules"
- dmsg=
- fi
- ;;
- no)
- rules=
- emsg="-not-running"
- dmsg=
- ;;
- esac
- fi
-
- echo -n "ipnat "
- status ipnat
- case $? in
- 0)
- echo "disabled${dmsg}"
- ;;
- 1)
- echo "enabled${dmsg}"
- ;;
- 2)
- if [ -n "$rules" ] ; then
- echo "unknown${dmsg}"
- else
- echo "unknown-state"
- fi
- ;;
- esac
-}
-
-status_ipfs() {
- status ipfs
- report ipfs $?
-}
-
-report() {
- echo -n "$1 "
- case $2 in
- 0)
- echo "disabled"
- ;;
- 1)
- echo "enabled"
- ;;
- 2)
- echo "unknown-status"
- ;;
- *)
- echo "$2"
- ;;
- esac
-}
-
-do_ipfilter() {
- case $1 in
- enable)
- enable ipfilter
- ;;
- disable)
- disable ipfilter
- ;;
- reload)
- /etc/rc.d/ipfilter reload
- ;;
- resync)
- /etc/rc.d/ipfilter resync
- ;;
- start)
- /etc/rc.d/ipfilter start
- ;;
- status)
- status_ipfilter
- ;;
- stop)
- /etc/rc.d/ipfilter stop
- ;;
- *)
- usage
- ;;
- esac
-}
-
-do_ipfs() {
- case $1 in
- enable)
- enable ipfs
- ;;
- disable)
- disble ipfs
- ;;
- start)
- /etc/rc.d/ipfs start
- ;;
- status)
- status_ipfs
- ;;
- stop)
- /etc/rc.d/ipfs stop
- ;;
- *)
- usage
- ;;
- esac
-}
-
-do_ipmon() {
- case $1 in
- enable)
- enable ipmon
- ;;
- disable)
- disble ipmon
- ;;
- restart)
- /etc/rc.d/ipmon restart
- ;;
- start)
- /etc/rc.d/ipmon start
- ;;
- status)
- status_ipmon
- ;;
- stop)
- /etc/rc.d/ipmon stop
- ;;
- *)
- usage
- ;;
- esac
-}
-
-do_ipnat() {
- case $1 in
- enable)
- enable ipnat
- ;;
- disable)
- disable ipnat
- ;;
- reload)
- /etc/rc.d/ipnat reload
- ;;
- restart)
- /etc/rc.d/ipnat restart
- ;;
- start)
- /etc/rc.d/ipnat start
- ;;
- status)
- status_ipnat
- ;;
- stop)
- /etc/rc.d/ipnat stop
- ;;
- *)
- usage
- ;;
- esac
-}
-
-do_status_all() {
- status_ipfilter
- status_ipfs
- status_ipmon
- status_ipnat
-}
-
-case $1 in
-status)
- do_status_all
- ;;
-ipfilter)
- do_ipfilter $2
- ;;
-ipfs)
- do_ipfs $2
- ;;
-ipmon)
- do_ipmon $2
- ;;
-ipnat)
- do_ipnat $2
- ;;
-*)
- usage
- ;;
-esac
-exit 0
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
deleted file mode 100644
index 04b257d..0000000
--- a/contrib/ipfilter/BSD/kupgrade
+++ /dev/null
@@ -1,264 +0,0 @@
-#!/bin/sh
-#
-PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
-argv0=`basename $0`
-
-os=`uname -s`
-rev=`uname -r`
-maj=`expr $rev : '\([0-9]*\)\.'`
-min=`expr $rev : '[0-9]*\.\([0-9]*\)'`
-sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'`
-
-# try to bomb out fast if anything fails....
-set -e
-
-fullrev=`printf '%02d%02d%02d' $maj $min $sub`
-dir=`pwd`
-karch=`uname -m`
-archdir="/sys/arch/$karch"
-ipfdir=/sys/netinet
-if [ -d /sys/contrib/ipfilter ] ; then
- ipfdir=/sys/contrib/ipfilter/netinet
-fi
-if [ -d /sys/dist/ipf ] ; then
- ipfdir=/sys/dist/ipf/netinet
-fi
-confdir="$archdir/conf"
-if [ -f /dev/ipnat ] ; then
- major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'`
- echo "Major number for IP Filter is $major"
-else
- major=x
-fi
-
-if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
- echo "Trying to build ip_rules.c and ip_rules.h"
- make ip_rules.c
- if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
- echo "Please do a build of ipfilter and then run the following"
- echo "command to build extra files:"
- echo
- echo "make ip_rules.c"
- exit 1
- fi
-fi
-
-echo -n "Installing "
-for j in auth frag nat proxy scan state sync pool htable lookup rules; do
- for i in ip_$j.[ch]; do
- if [ -f "$i" ] ; then
- echo -n " $i"
- cp $i $ipfdir
- chmod 644 $ipfdir/$i
- fi
- done
-done
-
-case $os in
-SunOS)
- case `uname -r` in
- 5.*)
- filc=ip_fil_solaris.c
- ;;
- 4.*)
- filc=ip_fil_sunos.c
- ;;
- esac
- ;;
-*BSD)
- filc=ip_fil_`echo $os | tr A-Z a-z`.c
- case $os in
- FreeBSD)
- cp mlfk_ipl.c $ipfdir/
- ;;
- *)
- ;;
- esac
- ;;
-esac
-
-if [ -f $ipfdir/$filc ] ; then
- echo -n "$filc -> $ipfdir/$filc "
- cp $filc $ipfdir/$filc
- chmod 644 $ipfdir/$filc
-fi
-if [ -f $ipfdir/ip_fil.c ] ; then
- echo -n "$filc -> $ipfdir/ip_fil.c "
- cp $filc $ipfdir/ip_fil.c
- chmod 644 $ipfdir/ip_fil.c
-fi
-
-for i in ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c; do
- echo -n " $i"
- cp $i $ipfdir
- chmod 644 $ipfdir/$i
-done
-echo ""
-echo -n "Installing into /usr/include/netinet"
-for j in auth compat fil frag nat proxy scan state sync pool htable lookup; do
- i=ip_$j.h
- if [ -f "$i" ] ; then
- echo -n " $i"
- cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- fi
-done
-for j in ipl.h; do
- if [ -f "$j" ] ; then
- echo -n " $j"
- cp $j /usr/include/netinet/$j
- chmod 644 /usr/include/netinet/$j
- fi
-done
-echo
-
-if [ -f /sys/netinet/ip_fil_compat.h ] ; then
- echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h"
- rm /sys/netinet/ip_fil_compat.h
- ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h
-fi
-
-if [ $major != x ] ; then
- if [ ! -e /dev/ipsync ] ; then
- echo "Creating /dev/ipsync"
- mknod /dev/ipsync c $major 4
- fi
-
- if [ ! -e /dev/ipsync ] ; then
- echo "Creating /dev/ipscan"
- mknod /dev/ipsync c $major 5
- fi
-
- if [ ! -e /dev/iplookup ] ; then
- echo "Creating /dev/iplookup"
- mknod /dev/iplookup c $major 6
- fi
-fi
-
-set +e
-os=`uname -s`
-if [ $os = FreeBSD -a -f /sys/conf/files ] ; then
- cd /sys/conf
- if [ -f options ] ; then
- if [ ! -f options.preipf4 ] ; then
- mv options options.preipf4
- cp -p options.preipf4 options
- fi
- for i in SCAN SYNC LOOKUP COMPILED; do
- grep IPFILTER_$i options >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo >> options
- echo "# extra option for IP Filter" >> options
- echo "IPFILTER_$i opt_ipfilter.h" >> options
- fi
- done
- fi
- if [ ! -f files.preipf4 ] ; then
- mv files files.preipf4
- cp -p files.preipf4 files
- fi
- for i in htable pool lookup; do
- grep ip_$i.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo "contrib/ipfilter/netinet/ip_$i.c optional ipfilter inet ipfilter_lookup" >> files
- fi
- done
- grep ip_sync.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet ipfilter_sync' >> files
- fi
- grep ip_scan.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'contrib/ipfilter/netinet/ip_scan.c optional ipfilter inet ipfilter_scan' >> files
- fi
- grep ip_rules.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'contrib/ipfilter/netinet/ip_rules.c optional ipfilter inet ipfilter_compiled' >> files
- fi
-fi
-if [ $os = NetBSD -a -f /sys/conf/files ] ; then
- cd /sys/conf
- if [ ! -f files.preipf4 ] ; then
- mv files files.preipf4
- cp -p files.preipf4 files
- fi
- if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then
- for i in htable pool lookup; do
- grep ip_$i.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
- fi
- done
- grep ip_sync.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
- fi
- grep ip_scan.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
- fi
- grep ip_rules.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
- fi
- fi
-fi
-if [ $os = OpenBSD -a -f /sys/conf/files ] ; then
- cd /sys/conf
- if [ ! -f files.preipf4 ] ; then
- mv files files.preipf4
- cp -p files.preipf4 files
- fi
- if [ $fullrev -ge 030400 ] ; then
- for i in htable pool lookup; do
- grep ip_$i.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files
- fi
- done
- grep ip_sync.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files
- fi
- grep ip_scan.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files
- fi
- grep ip_rules.c files >/dev/null 2>&1
- if [ $? -ne 0 ] ; then
- echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files
- fi
- fi
-fi
-
-if [ -f /usr/src/sys/modules/ipfilter/Makefile -a \
- ! -f /usr/src/sys/modules/ipfilter/Makefile.orig ] ; then
-cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__
-*** Makefile.orig Mon Mar 28 09:10:11 2005
---- Makefile Mon Mar 28 09:12:51 2005
-***************
-*** 5,13 ****
- KMOD= ipl
- SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
-! ip_log.c ip_fil.c fil.c
-
- .if !defined(NOINET6)
- CFLAGS+= -DUSE_INET6
- .endif
- CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
-! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS
---- 5,15 ----
- KMOD= ipl
- SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\
-! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_htable.c \\
-! ip_sync.c ip_scan.c ip_rules.c
-
- .if !defined(NOINET6)
- CFLAGS+= -DUSE_INET6
- .endif
- CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter
-! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS \\
-! -DIPFILTER_LOOKUP -DIPFILTER_COMPILED
-__EOF__
-fi
-exit 0
diff --git a/contrib/ipfilter/BSD/make-devices b/contrib/ipfilter/BSD/make-devices
deleted file mode 100755
index d512e1c..0000000
--- a/contrib/ipfilter/BSD/make-devices
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/sh
-
-os=`uname -s`-`uname -r`
-
-case "$os" in
- FreeBSD-2.2*)
- major=79
- ;;
- FreeBSD-*)
- major=20
- ;;
- NetBSD-*)
- echo "see /dev/MAKEDEV"
- exit 0
- ;;
- OpenBSD-*)
- echo "see /dev/MAKEDEV"
- exit 0
- ;;
- *)
- ;;
-esac
-
-umask 037
-mknod /dev/ipl c $major 0
-mknod /dev/ipnat c $major 1
-mknod /dev/ipstate c $major 2
-mknod /dev/ipauth c $major 3
-mknod /dev/ipsync c $major 4
-mknod /dev/ipscan c $major 5
diff --git a/contrib/ipfilter/BugReport b/contrib/ipfilter/BugReport
deleted file mode 100644
index 6994831..0000000
--- a/contrib/ipfilter/BugReport
+++ /dev/null
@@ -1,12 +0,0 @@
-Please submit this information at SourceForge using this URL:
-http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
-
-Please also send an email to darrenr@reed.wattle.id.au.
-
-Some information that I generally find important:
---------------------------
-* IP Filter Version
-* Operating System and its Version
-* Configuration: (LKM or compiled-into-kernel)
-* Description of problem
-* How to repeat
diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5
deleted file mode 100644
index ae550f8..0000000
--- a/contrib/ipfilter/COMPILE.2.5
+++ /dev/null
@@ -1,11 +0,0 @@
-
-If you get the following error whilst compiling:
-
-In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
- from /usr/include/sys/file.h:15,
- from ../ip_nat.c:15:
-/usr/include/sys/psw.h:19: #error Kernel include of psw.h
-
-Remove (comment out) the line in
-/usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3include/sys/user.h
-which includes psw.h
diff --git a/contrib/ipfilter/COMPILE.Solaris2 b/contrib/ipfilter/COMPILE.Solaris2
deleted file mode 100644
index 45442c5..0000000
--- a/contrib/ipfilter/COMPILE.Solaris2
+++ /dev/null
@@ -1,19 +0,0 @@
-If you have BOTH GNU make and the normal make shipped with your system,
-DO NOT use the GNU make to build this package. If you have any errors
-relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
-shipped with Solaris 2.
-
-If you get the following error whilst compiling:
-
-In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
- from /usr/include/sys/file.h:15,
- from ../ip_nat.c:15:
-/usr/include/sys/psw.h:19: #error Kernel include of psw.h
-
-That means that you have a version of gcc build under on older release
-of Solaris 2.x
-
-You need to reinstall gcc after each Solaris upgrade; gcc creates its own
-set of modified system include files which are only valid for the exact
-release on which gcc was build.
-
diff --git a/contrib/ipfilter/FAQ.FreeBSD b/contrib/ipfilter/FAQ.FreeBSD
deleted file mode 100644
index 3b069c9..0000000
--- a/contrib/ipfilter/FAQ.FreeBSD
+++ /dev/null
@@ -1,104 +0,0 @@
-These are Instructions for Configuring A FreeBSD Box For NAT
-After you have installed IP-Filter.
-
-You will need to change three files:
-
-/etc/rc.local
-/etc/sysconfig
-/etc/natrules
-
-You will have to:
-
-1) Load the kernel module
-2) Make the ipnat rules
-3) Load the ipnat rules
-4) Enable routing between interfaces
-5) Add static routes for the subnet ranges
-6) Configure your network interfaces
-7) reboot the computer for the changes to take effect.
-
-The FAQ was written by Chris Coleman <chris@@bbcc.ctc.edu>
-This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE
-_________________________________________________________
-1) Loading the Kernel Module
-
-If you are using a Kernal Loadable Module you need to edit your
-/etc/rc.local file and load the module at boot time.
-use the line:
-
- modload /lkm/if_ipl.o
-
-If you are not loading a kernel module, skip this step.
-_________________________________________________________
-2) Setting up the NAT Rules
-
-Make a file called /etc/natrules
-put in the rules that you need for your system.
-
-If you want to use the whole 10 Network. Try:
-
-map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000
-
-_________________________________________________________
-Here is an explaination of each part of the command:
-
-map starts the command.
-
-fpx0 is the interface with the real internet address.
-
-10.0.0.0 is the subnet you want to use.
-
-/8 is the subnet mask. ie 255.0.0.0
-
-208.8.0.1 is the real ip address that you use.
-
-/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-
-portmap tcp/udp 10000:65000
- tells it to use the ports to redirect the tcp/udp calls through
-
-
-The one line should work for the whole network.
-_________________________________________________________
-3) Loading the NAT Rules:
-
-The NAT Rules will need to be loaded every time the computer
-reboots.
-
-In your /etc/rc.local put the line:
-
-ipnat -f /etc/natrules
-
-To check and see if it is loaded, as root type
- ipnat -ls
-_________________________________________________________
-4) Enable Routing between interfaces.
-
-Tell the kernel to route these addresses.
-
-in the rc.local file put the line:
-
-sysctl -w net.inet.ip.forwarding=1
-
-_________________________________________________________
-5) Static Routes to Subnet Ranges
-
-Now you have to add a static routes for the subnet ranges.
-Edit your /etc/sysconfig to add them at bootup.
-
-static_routes="foo"
-route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
-
-
-_________________________________________________________
-6) Make sure that you have your interfaces configured.
-
-I have two Intel Ether Express Pro B cards.
-One is on 208.8.0.1 The other is on 10.0.0.1
-
-You need to configure these in the /etc/sysconfig
-
-network_interfaces="fxp0 fxp1"
-ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
-ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
-_________________________________________________________
diff --git a/contrib/ipfilter/FWTK/FWTK.sed b/contrib/ipfilter/FWTK/FWTK.sed
deleted file mode 100644
index e69de29..0000000
--- a/contrib/ipfilter/FWTK/FWTK.sed
+++ /dev/null
diff --git a/contrib/ipfilter/FWTK/Index b/contrib/ipfilter/FWTK/Index
deleted file mode 100644
index f5d7043..0000000
--- a/contrib/ipfilter/FWTK/Index
+++ /dev/null
@@ -1,3 +0,0 @@
-README - Readme for ftp-gw.diff and fwtkp
-README.ipfilter - README for fwtk_transparent.diff
-fwtk_transparent.diff - patches for 2.0beta
diff --git a/contrib/ipfilter/FWTK/README b/contrib/ipfilter/FWTK/README
deleted file mode 100644
index 3ed0e2f..0000000
--- a/contrib/ipfilter/FWTK/README
+++ /dev/null
@@ -1,18 +0,0 @@
-
-There are two patch files in this directory, each allowing for the Firewall
-Toolkit to be used in a transparent proxy configuration.
-
-ftp-gw.diff - A patch written by myself for use only with IP Filter and
- ftp-gw from the Firewall Toolkit. You need to copy ip_nat.h,
- ip_fil.h and ip_compat.h to the ftp-gw directory to compile
- once this patch has been applied.
-
-fwtkp - A set of patches written by James B. Croall (jcroall@foo.org)
- for use with both IP Filter and ipfwadm (for Linux) and more
- of the various FWTK gateway plugins, including:
- ftp-gw http-gw plug-gw rlogin-gw tn-gw
-
-Both patches when applied to the Firewall toolkit require the same
-configuration for IP Filter.
-
-Darren
diff --git a/contrib/ipfilter/FWTK/README.ipfilter b/contrib/ipfilter/FWTK/README.ipfilter
deleted file mode 100644
index fd461cc..0000000
--- a/contrib/ipfilter/FWTK/README.ipfilter
+++ /dev/null
@@ -1,20 +0,0 @@
-
-there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall
-(thanx for his work) which I put onto fwtk 2.0beta.
-
-Now, if you decide to do transparent proxying with ip-filter you
-have to put -DUSE_IP_FILTER to COPTS in Makefile.config.
-With Solaris 2.x you have to correctly replace the path to your
-ip_filter sources. (lib/hnam.c needs ip_nat.h)
-
-I also patched plug-gw to be configured to accept not only one
-destination with the parameter "-all-destinations" in netperm-table.
-Perhaps this is a security hole...
-
-The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1)
-and Solaris 2.5 (ip_filter 3.1.5).
-
-If you try to enhance the transparent proxy features for other
-architectures, see lib/hnam.c (getdsthost).
-
-Michael Kutzner, Michael.Kutzner@paderlinx.de
diff --git a/contrib/ipfilter/FWTK/ftp-gw.diff b/contrib/ipfilter/FWTK/ftp-gw.diff
deleted file mode 100644
index be61342..0000000
--- a/contrib/ipfilter/FWTK/ftp-gw.diff
+++ /dev/null
@@ -1,232 +0,0 @@
-*** ftp-gw.c.orig Sun Jun 22 16:27:42 1997
---- ftp-gw.c Sun Jun 22 17:02:16 1997
-***************
-*** 11,31 ****
---- 11,41 ----
- */
- static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.1 1999/08/04 17:30:30 darrenr Exp $";
-
-+ /*
-+ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
-+ * darrenr@cyber.com.au
-+ */
-+ static char vIpFilter[] = "v3.1.11";
-
- #include <stdio.h>
- #include <ctype.h>
- #include <syslog.h>
-+ #include <unistd.h>
-+ #include <fcntl.h>
- #include <sys/signal.h>
- #include <sys/ioctl.h>
- #include <sys/errno.h>
- extern int errno;
-+ #ifdef sun
- extern char *sys_errlist[];
-+ #endif
- #include <arpa/ftp.h>
- #include <arpa/telnet.h>
- #include <sys/time.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
-+ #include <net/if.h>
-
- extern char *rindex();
- extern char *index();
-***************
-*** 36,41 ****
---- 46,54 ----
-
- #include "firewall.h"
-
-+ #include "ip_compat.h"
-+ #include "ip_fil.h"
-+ #include "ip_nat.h"
-
- #ifndef BSIZ
- #define BSIZ 2048
-***************
-*** 83,88 ****
---- 96,103 ----
- static int cmd_noop();
- static int cmd_abor();
- static int cmd_passthru();
-+ static int nat_destination();
-+ static int connectdest();
- static void saveline();
- static void flushsaved();
- static void trap_sigurg();
-***************
-*** 317,323 ****
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
- }
---- 332,341 ----
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
-! if(say(0,xuf))
-! exit(1);
-! sprintf(xuf,"220-%s TIS ftp-gw with IP Filter %s NAT extensions",huf,vIpFilter);
- if(say(0,xuf))
- exit(1);
- }
-***************
-*** 338,343 ****
---- 356,363 ----
- exit(1);
- }
-
-+ nat_destination(0);
-+
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
-***************
-*** 608,619 ****
- static char narg[] = "501 Missing or extra username";
- static char noad[] = "501 Use user@site to connect via proxy";
- char buf[1024];
-- char mbuf[512];
- char *p;
- char *dest;
- char *user;
- int x;
-- int msg_int;
- short port = FTPPORT;
-
- /* kludgy but effective. if authorizing everything call auth instead */
---- 628,637 ----
-***************
-*** 643,648 ****
---- 661,687 ----
- return(sayn(0,noad,sizeof(noad)));
- }
-
-+ if((rfd == -1) && (x = connectdest(dest,port)))
-+ return x;
-+ sprintf(buf,"USER %s",user);
-+ if(say(rfd,buf))
-+ return(1);
-+ x = getresp(rfd,buf,sizeof(buf),1);
-+ if(sendsaved(0,x))
-+ return(1);
-+ return(say(0,buf));
-+ }
-+
-+ static int
-+ connectdest(dest,port)
-+ char *dest;
-+ short port;
-+ {
-+ char buf[1024];
-+ char mbuf[512];
-+ int msg_int;
-+ int x;
-+
- if(*dest == '\0')
- dest = "localhost";
-
-***************
-*** 685,693 ****
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- return(say(0,buf));
- }
- sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
- saveline(buf);
-
---- 724,733 ----
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
- return(say(0,buf));
- }
-+
- sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
- saveline(buf);
-
-***************
-*** 698,711 ****
- return(say(0,buf));
- }
- saveline(buf);
-!
-! sprintf(buf,"USER %s",user);
-! if(say(rfd,buf))
-! return(1);
-! x = getresp(rfd,buf,sizeof(buf),1);
-! if(sendsaved(0,x))
-! return(1);
-! return(say(0,buf));
- }
-
-
---- 738,745 ----
- return(say(0,buf));
- }
- saveline(buf);
-! sendsaved(0,-1);
-! return 0;
- }
-
-
-***************
-*** 1591,1593 ****
---- 1625,1671 ----
- dup(nread);
- }
- #endif
-+
-+
-+ static int
-+ nat_destination(fd)
-+ int fd;
-+ {
-+ struct sockaddr_in laddr, faddr;
-+ struct natlookup natlookup;
-+ char *dest;
-+ int slen, natfd;
-+
-+ bzero((char *)&laddr, sizeof(laddr));
-+ bzero((char *)&faddr, sizeof(faddr));
-+ slen = sizeof(laddr);
-+ if(getsockname(fd,(struct sockaddr *)&laddr,&slen) < 0) {
-+ perror("getsockname");
-+ exit(1);
-+ }
-+ slen = sizeof(faddr);
-+ if(getpeername(fd,(struct sockaddr *)&faddr,&slen) < 0) {
-+ perror("getsockname");
-+ exit(1);
-+ }
-+
-+ natlookup.nl_inport = laddr.sin_port;
-+ natlookup.nl_outport = faddr.sin_port;
-+ natlookup.nl_inip = laddr.sin_addr;
-+ natlookup.nl_outip = faddr.sin_addr;
-+ natlookup.nl_flags = IPN_TCP;
-+ if((natfd = open(IPL_NAT, O_RDONLY)) < 0) {
-+ perror("open");
-+ exit(1);
-+ }
-+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
-+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
-+ close(natfd);
-+ if(say(0,"220 Ready"))
-+ exit(1);
-+ return 0;
-+ }
-+ close(natfd);
-+ return connectdest(inet_ntoa(natlookup.nl_realip),
-+ ntohs(natlookup.nl_realport));
-+ }
diff --git a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
deleted file mode 100644
index 2e71938..0000000
--- a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
+++ /dev/null
@@ -1,707 +0,0 @@
-diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c
-*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998
---- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998
-***************
-*** 44,49 ****
---- 44,51 ----
-
- extern char *optarg;
-
-+ char *getdsthost();
-+
- #include "firewall.h"
-
-
-***************
-*** 88,93 ****
---- 90,97 ----
- static int cmdcnt = 0;
- static int timeout = PROXY_TIMEOUT;
-
-+ static int do_transparent = 0;
-+
-
- static int cmd_user();
- static int cmd_authorize();
-***************
-*** 101,106 ****
---- 105,111 ----
- static int cmd_passthru();
- static void saveline();
- static void flushsaved();
-+ static int connectdest();
-
- #define OP_CONN 001 /* only valid if connected */
- #define OP_WCON 002 /* writethrough if connected */
-***************
-*** 173,178 ****
---- 178,184 ----
- char xuf[1024];
- char huf[512];
- char *passuser = (char *)0; /* passed user as av */
-+ char *psychic, *hotline;
-
- #ifndef LOG_DAEMON
- openlog("ftp-gw",LOG_PID);
-***************
-*** 317,322 ****
---- 323,332 ----
- } else
- timeout = PROXY_TIMEOUT;
-
-+ psychic = getdsthost(0, NULL);
-+ if (psychic)
-+ do_transparent++;
-+
- /* display a welcome file or message */
- if(passuser == (char *)0) {
- if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-***************
-*** 324,329 ****
---- 334,345 ----
- syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
- exit(1);
- }
-+ if (do_transparent) {
-+ if (sayfile2(0, cf->argv[0], 220)) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ } else
- if(sayfile(0,cf->argv[0],220)) {
- syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]);
- exit(1);
-***************
-*** 336,341 ****
---- 352,360 ----
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-
-+ if (do_transparent)
-+ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
-+ else
- sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
-***************
-*** 357,362 ****
---- 376,384 ----
- exit(1);
- }
-
-+ if (do_transparent)
-+ connectdest(psychic, 21);
-+
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
-***************
-*** 653,658 ****
---- 675,696 ----
- return(sayn(0,noad,sizeof(noad)-1));
- }
-
-+ if (do_transparent) {
-+ if((rfd == (-1)) && (x = connectdest(dest,port)))
-+ return x;
-+
-+ sprintf(buf,"USER %s",user);
-+
-+ if (say(rfd, buf))
-+ return(1);
-+
-+ x = getresp(rfd, buf, sizeof(buf), 1);
-+ if (sendsaved(0, x))
-+ return(1);
-+
-+ return(say(0, buf));
-+ }
-+
- if(*dest == '\0')
- dest = "localhost";
-
-***************
-*** 694,705 ****
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
-! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-! saveline(buf);
-
- /* we are now connected and need to try the autologin thing */
- x = getresp(rfd,buf,sizeof(buf),1);
---- 732,748 ----
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! if (do_transparent)
-! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf);
-! else
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
-! if (!do_transparent) {
-! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-! saveline(buf);
-! }
-
- /* we are now connected and need to try the autologin thing */
- x = getresp(rfd,buf,sizeof(buf),1);
-***************
-*** 1889,1891 ****
---- 1932,2050 ----
- dup(nread);
- }
- #endif
-+
-+ static int connectdest(dest, port)
-+ char *dest;
-+ short port;
-+ {
-+ char buf[1024], mbuf[512];
-+ int msg_int, x;
-+
-+ if(*dest == '\0')
-+ dest = "localhost";
-+
-+ if(validests != (char **)0) {
-+ char **xp;
-+ int x;
-+
-+ for(xp = validests; *xp != (char *)0; xp++) {
-+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
-+ return(baddest(0,dest));
-+ } else {
-+ if(hostmatch(*xp,dest))
-+ break;
-+ }
-+ }
-+ if(*xp == (char *)0)
-+ return(baddest(0,dest));
-+ }
-+
-+ /* Extended permissions processing goes in here for destination */
-+ if(extendperm) {
-+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
-+ if(msg_int == 1) {
-+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
-+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-+ say(0,mbuf);
-+ return(1);
-+ } else {
-+ if(msg_int == -1) {
-+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
-+ say(0,mbuf);
-+ return(1);
-+ }
-+ }
-+ }
-+
-+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
-+
-+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
-+ char ebuf[512];
-+
-+ strcpy(ebuf,buf);
-+ if (do_transparent)
-+ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
-+ else
-+ sprintf(buf,"521 %s: %s",dest,ebuf);
-+ rfd = -1;
-+ return(say(0,buf));
-+ }
-+ if (!do_transparent) {
-+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-+ saveline(buf);
-+ }
-+
-+ /* we are now connected and need to try the autologin thing */
-+ x = getresp(rfd,buf,sizeof(buf),1);
-+ if(x / 100 != COMPLETE) {
-+ sendsaved(0,-1);
-+ return(say(0,buf));
-+ }
-+ saveline(buf);
-+
-+ sendsaved(0,-1);
-+ return 0;
-+ }
-+
-+ /* quick hack */
-+ sayfile2(fd,fn,code)
-+ int fd;
-+ char *fn;
-+ int code;
-+ {
-+ FILE *f;
-+ char buf[BUFSIZ];
-+ char yuf[BUFSIZ];
-+ char *c;
-+ int x;
-+ int saidsomething = 0;
-+
-+ if((f = fopen(fn,"r")) == (FILE *)0)
-+ return(1);
-+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
-+ if((c = index(buf,'\n')) != (char *)0)
-+ *c = '\0';
-+ x = fgetc(f);
-+ if(feof(f))
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ else {
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ ungetc(x,f);
-+ }
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ saidsomething++;
-+ }
-+ fclose(f);
-+ if (!saidsomething) {
-+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
-+ sprintf(yuf, "%3.3d The file to display is empty",code);
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ }
-+ return(0);
-+ }
-diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c
-*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998
---- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998
-***************
-*** 27,32 ****
---- 27,35 ----
- static char http_buffer[8192];
- static char reason[8192];
- static int checkBrowserType = 1;
-+ static int do_transparent = 0;
-+
-+ char * getdsthost();
-
- static void do_logging()
- { char *proto = "GOPHER";
-***************
-*** 473,478 ****
---- 476,490 ----
- /*(NOT A SPECIAL FORM)*/
-
- if((rem_type & TYPE_LOCAL)== 0){
-+ char * psychic = getdsthost(sockfd, &def_port);
-+ if (psychic) {
-+ if (strlen(psychic) <= MAXHOSTNAMELEN) {
-+ do_transparent ++;
-+ strncpy(def_httpd, psychic, strlen(psychic));
-+ strncpy(def_server, psychic, strlen(psychic));
-+ }
-+ }
-+
- /* See if it can be forwarded */
-
- if( can_forward(buf)){
-***************
-*** 1564,1570 ****
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }else{
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
---- 1576,1589 ----
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }
-! else
-! if (do_transparent) {
-! sprintf(new_reply, "%s\t%s\t%s\t%s",
-! parse_vec[0], parse_vec[1],
-! parse_vec[2],parse_vec[3]);
-! }
-! else {
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
-diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c
-*** ./lib/hnam.c Tue Dec 10 13:08:48 1996
---- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998
-***************
-*** 23,28 ****
---- 23,33 ----
-
- #include "firewall.h"
-
-+ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. Fix this for your system. */
-+ #include <net/if.h>
-+ #include "ip_nat.h"
-+ #endif /* __FreeBSD__ */
-+
-
- char *
- maphostname(name)
-***************
-*** 49,52 ****
---- 54,132 ----
- }
- bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
- return(inet_ntoa(sin.sin_addr));
-+ }
-+
-+ char *getdsthost(fd, ptr)
-+ int fd;
-+ int *ptr;
-+ {
-+ struct sockaddr_in sin;
-+ struct hostent * hp;
-+ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0;
-+ char buf[255], hostbuf[255];
-+ #ifdef __FreeBSD__
-+ struct sockaddr_in rsin;
-+ struct natlookup natlookup;
-+ #endif
-+
-+ #ifdef linux
-+ if (!(err = getsockname(0, &sin, &sl))) {
-+ if(ptr)
-+ * ptr = ntohs(sin.sin_port);
-+
-+ sprintf(buf, "%s", inet_ntoa(sin.sin_addr));
-+ gethostname(hostbuf, 254);
-+ hp = gethostbyname(hostbuf);
-+ while (hp->h_addr_list[i]) {
-+ bzero(&sin, &sl);
-+ memcpy(&sin.sin_addr, hp->h_addr_list[i++],
-+ sizeof(hp->h_addr_list[i++]));
-+
-+ if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
-+ local_h++;
-+ }
-+
-+ if(local_h)
-+ return(NULL);
-+ else
-+ return(buf);
-+ }
-+ #endif
-+
-+ #ifdef __FreeBSD__
-+ /* The basis for this block of code is Darren Reed's
-+ * patches to the TIS ftwk's ftp-gw.
-+ */
-+ bzero((char*)&sin, sizeof(sin));
-+ bzero((char*)&rsin, sizeof(rsin));
-+
-+ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0)
-+ return NULL;
-+
-+ sl = sizeof(rsin);
-+
-+ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0)
-+ return NULL;
-+
-+ natlookup.nl_inport=sin.sin_port;
-+ natlookup.nl_outport=rsin.sin_port;
-+ natlookup.nl_inip=sin.sin_addr;
-+ natlookup.nl_outip=rsin.sin_addr;
-+
-+ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0)
-+ return NULL;
-+
-+ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1))
-+ return NULL;
-+
-+ close(natfd);
-+
-+ if (ptr)
-+ *ptr = ntohs(natlookup.nl_inport);
-+
-+ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip));
-+ #endif
-+
-+ /* No transparent proxy support */
-+ return(NULL);
- }
-diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c
-*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998
---- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998
-***************
-*** 43,48 ****
---- 43,50 ----
- static char **validdests = (char **)0;
- static int net_write();
-
-+ static int do_transparent = 0;
-+
- main(ac,av)
- int ac;
- char *av[];
-***************
-*** 198,206 ****
---- 200,220 ----
- char *ptr;
- int state = 0;
- int ssl_plug = 0;
-+ char * getdsthost();
-+ int pport = 0;
-
- struct timeval timo;
-
-+ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad
-+ * idea ..
-+ */
-+ dhost = getdsthost(0, &pport);
-+ if (dhost) {
-+ do_transparent++;
-+ portid = pport;
-+ }
-+
-+
- if(c->flags & PERM_DENY) {
- if (p == -1)
- syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr);
-***************
-*** 220,226 ****
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! dhost = av[x];
- continue;
- }
-
---- 234,241 ----
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! if (!dhost)
-! dhost = av[x];
- continue;
- }
-
-diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c
-*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998
---- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998
-***************
-*** 103,108 ****
---- 103,111 ----
- static int trusted = 0;
- static int doX = 0;
- static char *prompt;
-+ static int do_transparent = 0;
-+
-+ char * getdsthost();
-
- main(ac,av)
- int ac;
-***************
-*** 123,128 ****
---- 126,132 ----
- static char *tokav[56];
- int tokac;
- struct timeval timo;
-+ char * psychic;
-
- #ifndef LOG_NDELAY
- openlog("rlogin-gw",LOG_PID);
-***************
-*** 188,194 ****
- xforwarder = cf->argv[0];
- }
-
-!
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
---- 192,203 ----
- xforwarder = cf->argv[0];
- }
-
-! psychic = getdsthost(0, NULL);
-! if (psychic) {
-! do_transparent++;
-! strncpy(dest, psychic, 511);
-! dest[511] = '\0';
-! }
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
-***************
-*** 266,271 ****
---- 275,281 ----
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
-+ dest[0] = '\0';
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
-***************
-*** 297,302 ****
---- 307,326 ----
-
- if(dest[0] != '\0') {
- /* Setup connection directly to remote machine */
-+ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-+ if (cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+
-+ if (sayfile(0, cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ }
-+
-+ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */
-+
- sprintf(buf,"connect %.1000s",dest);
- tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
- if (cmd_connect(tokac, tokav, buf) != 2)
-***************
-*** 535,548 ****
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
-! if(strlen(namp) > 20)
-! namp[20] = '\0';
-! if(rusername[0] != '\0')
-! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
-! else
-! sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
---- 559,574 ----
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp);
-! if (!do_transparent) {
-! if(strlen(namp) > 20)
-! namp[20] = '\0';
-! if(rusername[0] != '\0')
-! sprintf(ebuf,"Trying %s@%s...",rusername,namp);
-! else
-! sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
-diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c
-*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998
---- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998
-***************
-*** 91,96 ****
---- 91,100 ----
- static int cmd_xforward();
- static int cmd_timeout();
-
-+ char * getdsthost();
-+
-+ static int do_transparent = 0;
-+
- static int tn3270 = 1; /* don't do tn3270 stuff */
- static int doX;
-
-***************
-*** 144,149 ****
---- 148,155 ----
- char tokbuf[BSIZ];
- char *tokav[56];
- int tokac;
-+ int port;
-+ char * psychic;
-
- #ifndef LOG_DAEMON
- openlog("tn-gw",LOG_PID);
-***************
-*** 325,330 ****
---- 331,362 ----
- }
- }
-
-+ psychic = getdsthost(0, &port);
-+ if (psychic) {
-+ if ((strlen(psychic) + 10) < 510) {
-+ do_transparent++;
-+ if (port)
-+ sprintf(dest, "%s:%d", psychic, port);
-+ else
-+ sprintf(dest, "%s", psychic);
-+
-+ if (!welcomedone)
-+ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) {
-+ if (cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+
-+ if (sayfile(0, cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
-+ exit(1);
-+ }
-+
-+ welcomedone = 1;
-+ }
-+ }
-+ }
-+
- while (argc > 1) {
- argc--;
- argv++;
-***************
-*** 947,955 ****
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
-! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
-
---- 979,989 ----
- char ebuf[512];
-
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp);
-! if (!do_transparent) {
-! sprintf(ebuf,"Trying %.100s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
-
-***************
-*** 991,998 ****
-
- syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! sprintf(buf, "Connected to %.512s.", dest);
-! say(0, buf);
- return(2);
- }
-
---- 1025,1034 ----
-
- syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! if (!do_transparent) {
-! sprintf(buf, "Connected to %.512s.", dest);
-! say(0, buf);
-! }
- return(2);
- }
-
diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff
deleted file mode 100644
index a6c21fa..0000000
--- a/contrib/ipfilter/FWTK/fwtk_transparent.diff
+++ /dev/null
@@ -1,1025 +0,0 @@
-diff -cr ../TIS.orig/fwtk/Makefile.config.linux fwtk/Makefile.config.linux
-*** ../TIS.orig/fwtk/Makefile.config.linux Sat Sep 7 05:58:21 1996
---- fwtk/Makefile.config.linux Sun Feb 2 05:48:01 1997
-***************
-*** 13,19 ****
-
-
- # Your C compiler (eg, "cc" or "gcc")
-! CC= cc
-
-
- # program to use for installation -- this may or may not preserve
---- 13,19 ----
-
-
- # Your C compiler (eg, "cc" or "gcc")
-! CC= gcc
-
-
- # program to use for installation -- this may or may not preserve
-***************
-*** 24,37 ****
-
- # Defines for your operating system
- #
-! DEFINES=-DLINUX
- #DEFINES=-DSYSV -DSOLARIS
-
- # Options for your compiler (eg, "-g" for debugging, "-O" for
- # optimizing, or "-g -O" for both under GCC)
- #COPT= -g -traditional $(DEFINES)
-! COPT= -g $(DEFINES)
-! #COPT= -O $(DEFINES)
-
- # Version of "make" you want to use
- #MAKE= gnumake
---- 24,37 ----
-
- # Defines for your operating system
- #
-! DEFINES=-DLINUX -DUSE_IP_FILTER
- #DEFINES=-DSYSV -DSOLARIS
-
- # Options for your compiler (eg, "-g" for debugging, "-O" for
- # optimizing, or "-g -O" for both under GCC)
- #COPT= -g -traditional $(DEFINES)
-! #COPT= -g $(DEFINES)
-! COPT= -O $(DEFINES)
-
- # Version of "make" you want to use
- #MAKE= gnumake
-***************
-*** 44,50 ****
-
-
- # Destination directory for installation of binaries
-! DEST= /usr/local/etc
-
-
- # Destination directory for installation of man pages
---- 44,50 ----
-
-
- # Destination directory for installation of binaries
-! DEST= /usr/local/sbin
-
-
- # Destination directory for installation of man pages
-***************
-*** 72,78 ****
- # or -Bstatic for static binaries under SunOS 4.1.x)
- #LDFL= -Bstatic
- #LDFL=
-! LDFL= -g
-
-
- # Location of the fwtk sources [For #include by any external tools needing it]
---- 72,79 ----
- # or -Bstatic for static binaries under SunOS 4.1.x)
- #LDFL= -Bstatic
- #LDFL=
-! #LDFL= -g
-! LDFL= -O
-
-
- # Location of the fwtk sources [For #include by any external tools needing it]
-***************
-*** 81,87 ****
-
-
- # Location of X libraries for X-gw
-! XLIBDIR=/usr/X11/lib
- #XLIBDIR=/usr/local/X11R5/lib
-
- # X Libraries
---- 82,88 ----
-
-
- # Location of X libraries for X-gw
-! XLIBDIR=/usr/X11R6/lib
- #XLIBDIR=/usr/local/X11R5/lib
-
- # X Libraries
-***************
-*** 96,102 ****
- #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11
-
- # Location of X include files
-! XINCLUDE=/usr/X11/include
- #XINCLUDE=/usr/local/X11R5/include
-
- # Objects to include in libfwall for SYSV
---- 97,103 ----
- #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11
-
- # Location of X include files
-! XINCLUDE=/usr/X11R6/include
- #XINCLUDE=/usr/local/X11R5/include
-
- # Objects to include in libfwall for SYSV
-diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
-*** ../TIS.orig/fwtk/Makefile.config.solaris Sat Sep 7 06:14:13 1996
---- fwtk/Makefile.config.solaris Sun Feb 2 06:09:19 1997
-***************
-*** 11,30 ****
- #
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
-
-
- # Your C compiler (eg, "cc" or "gcc")
-! CC= cc
-
-
- # program to use for installation -- this may or may not preserve
- # old versions (or whatever). assumes that it takes parameters:
- # copy source dest
-! CP= cp
-
-
- # Defines for your operating system
- #
-! DEFINES=-DSYSV -DSOLARIS
-
- #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \
- -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
---- 11,34 ----
- #
- # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.2 2001/02/28 09:36:06 darrenr Exp $"
-
-+ #
-+ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)
-+ #
-+ IPFPATH=/src/unpacked/firewall/ip_fil3.1.5
-
- # Your C compiler (eg, "cc" or "gcc")
-! CC= gcc
-
-
- # program to use for installation -- this may or may not preserve
- # old versions (or whatever). assumes that it takes parameters:
- # copy source dest
-! CP= /usr/ucb/install -c -s
-
-
- # Defines for your operating system
- #
-! DEFINES=-DSYSV -DSOLARIS -DUSE_IP_FILTER -I$(IPFPATH)
-
- #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \
- -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
-***************
-*** 45,52 ****
-
-
- # Your ranlib utility (use "touch" if you don't have ranlib)
-! RANLIB= ranlib
-! #RANLIB= touch
-
-
- # Destination directory for installation of binaries
---- 49,56 ----
-
-
- # Your ranlib utility (use "touch" if you don't have ranlib)
-! # RANLIB= ranlib
-! RANLIB= touch
-
-
- # Destination directory for installation of binaries
-diff -cr ../TIS.orig/fwtk/firewall.h fwtk/firewall.h
-*** ../TIS.orig/fwtk/firewall.h Sun Sep 8 05:55:26 1996
---- fwtk/firewall.h Sun Feb 2 05:23:33 1997
-***************
-*** 47,53 ****
- system.
- */
- #ifndef PERMFILE
-! #define PERMFILE "/usr/local/etc/netperm-table"
- #endif
-
- /*
---- 47,53 ----
- system.
- */
- #ifndef PERMFILE
-! #define PERMFILE "/etc/fwtk/netperm-table"
- #endif
-
- /*
-***************
-*** 67,73 ****
-
- /* Choose a system logging facility for the firewall toolkit. */
- #ifndef LFAC
-! #define LFAC LOG_DAEMON
- #endif
-
-
---- 67,73 ----
-
- /* Choose a system logging facility for the firewall toolkit. */
- #ifndef LFAC
-! #define LFAC LOG_LOCAL5
- #endif
-
-
-***************
-*** 215,220 ****
- #define PERM_ALLOW 01
- #define PERM_DENY 02
-
-!
- #define _INCL_FWALL_H
- #endif
---- 215,222 ----
- #define PERM_ALLOW 01
- #define PERM_DENY 02
-
-! #ifdef USE_IP_FILTER
-! extern char *getdsthost(int, int*);
-! #endif
- #define _INCL_FWALL_H
- #endif
-diff -cr ../TIS.orig/fwtk/ftp-gw/ftp-gw.c fwtk/ftp-gw/ftp-gw.c
-*** ../TIS.orig/fwtk/ftp-gw/ftp-gw.c Fri Sep 6 18:55:05 1996
---- fwtk/ftp-gw/ftp-gw.c Sat Feb 1 06:49:13 1997
-***************
-*** 50,55 ****
---- 50,59 ----
- #ifndef FTPPORT
- #define FTPPORT 21
- #endif
-+ #ifdef USE_IP_FILTER
-+ static int do_transparent=0;
-+ static int connectdest();
-+ #endif
-
- static Cfg *confp;
- static char **validests = (char **)0;
-***************
-*** 170,175 ****
---- 174,182 ----
- char xuf[1024];
- char huf[128];
- char *passuser = (char *)0; /* passed user as av */
-+ #ifdef USE_IP_FILTER
-+ char *psychic, *hotline;
-+ #endif
-
- #ifndef LOG_DAEMON
- openlog("ftp-gw",LOG_PID);
-***************
-*** 313,320 ****
- }
- } else
- timeout = 60*60;
-
--
- /* display a welcome file or message */
- if(passuser == (char *)0) {
- if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
---- 320,330 ----
- }
- } else
- timeout = 60*60;
-+ #ifdef USE_IP_FILTER
-+ psychic=getdsthost(0,NULL);
-+ if(psychic) { do_transparent++; }
-+ #endif
-
- /* display a welcome file or message */
- if(passuser == (char *)0) {
- if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-***************
-*** 322,327 ****
---- 332,345 ----
- syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
- exit(1);
- }
-+ #ifdef USE_IP_FILTER
-+ if(do_transparent) {
-+ if(sayfile2(0,cf->argv[0],220)) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ } else
-+ #endif /* USE_IP_FILTER */
- if(sayfile(0,cf->argv[0],220)) {
- syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
- exit(1);
-***************
-*** 332,338 ****
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
- }
---- 350,361 ----
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! #ifdef USE_IP_FILTER
-! if(do_transparent)
-! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
-! else
-! #endif
-! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
- }
-***************
-*** 352,358 ****
- if(cmd_user(2,fakav,"user internal"))
- exit(1);
- }
-!
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
---- 375,386 ----
- if(cmd_user(2,fakav,"user internal"))
- exit(1);
- }
-! #ifdef USE_IP_FILTER
-! if(do_transparent) {
-! connectdest(psychic,21);
-! }
-! #endif
-!
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
-***************
-*** 676,681 ****
---- 704,719 ----
- return(sayn(0,noad,sizeof(noad)-1));
- }
-
-+ #ifdef USE_IP_FILTER
-+ if(do_transparent) {
-+ if((rfd==(-1)) && (x=connectdest(dest,port))) return x;
-+ sprintf(buf,"USER %s",user);
-+ if(say(rfd,buf)) return(1);
-+ x=getresp(rfd,buf,sizeof(buf),1);
-+ if(sendsaved(0,x)) return(1);
-+ return(say(0,buf));
-+ }
-+ #endif
- if(*dest == '\0')
- dest = "localhost";
-
-***************
-*** 717,723 ****
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
---- 755,766 ----
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! #ifdef USE_IP_FILTER
-! if(do_transparent) {
-! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
-! } else
-! #endif
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
-***************
-*** 1874,1876 ****
---- 1917,2036 ----
- dup(nread);
- }
- #endif
-+
-+ #ifdef USE_IP_FILTER
-+ static int connectdest(dest, port)
-+ char *dest;
-+ short port;
-+ {
-+ char buf[1024], mbuf[512];
-+ int msg_int, x;
-+
-+ if(*dest == '\0')
-+ dest = "localhost";
-+
-+ if(validests != (char **)0) {
-+ char **xp;
-+ int x;
-+
-+ for(xp = validests; *xp != (char *)0; xp++) {
-+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
-+ return(baddest(0,dest));
-+ } else {
-+ if(hostmatch(*xp,dest))
-+ break;
-+ }
-+ }
-+ if(*xp == (char *)0)
-+ return(baddest(0,dest));
-+ }
-+
-+ /* Extended permissions processing goes in here for destination */
-+ if(extendperm) {
-+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
-+ if(msg_int == 1) {
-+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
-+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-+ say(0,mbuf);
-+ return(1);
-+ } else {
-+ if(msg_int == -1) {
-+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
-+ say(0,mbuf);
-+ return(1);
-+ }
-+ }
-+ }
-+
-+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
-+
-+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
-+ char ebuf[512];
-+
-+ strcpy(ebuf,buf);
-+ sprintf(buf,"521 %s: %s",dest,ebuf);
-+ rfd = -1;
-+ return(say(0,buf));
-+ }
-+ if(!do_transparent) {
-+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-+ saveline(buf);
-+ }
-+
-+ /* we are now connected and need to try the autologin thing */
-+ x = getresp(rfd,buf,sizeof(buf),1);
-+ if(x / 100 != COMPLETE) {
-+ sendsaved(0,-1);
-+ return(say(0,buf));
-+ }
-+ saveline(buf);
-+
-+ sendsaved(0,-1);
-+ return 0;
-+ }
-+
-+
-+ /* ok, so i'm in a hurry. english paper due RSN. */
-+ sayfile2(fd,fn,code)
-+ int fd;
-+ char *fn;
-+ int code;
-+ {
-+ FILE *f;
-+ char buf[BUFSIZ];
-+ char yuf[BUFSIZ];
-+ char *c;
-+ int x;
-+ int saidsomething = 0;
-+
-+ if((f = fopen(fn,"r")) == (FILE *)0)
-+ return(1);
-+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
-+ if((c = index(buf,'\n')) != (char *)0)
-+ *c = '\0';
-+ x = fgetc(f);
-+ if(feof(f))
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ else {
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ ungetc(x,f);
-+ }
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ saidsomething++;
-+ }
-+ fclose(f);
-+ if (!saidsomething) {
-+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
-+ sprintf(yuf, "%3.3d The file to display is empty",code);
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ }
-+ return(0);
-+ }
-+
-+ #endif /* USE_IP_FILTER */
-diff -cr ../TIS.orig/fwtk/http-gw/http-gw.c fwtk/http-gw/http-gw.c
-*** ../TIS.orig/fwtk/http-gw/http-gw.c Mon Sep 9 20:40:53 1996
---- fwtk/http-gw/http-gw.c Sun Feb 2 06:41:18 1997
-***************
-*** 27,32 ****
---- 27,35 ----
- static char http_buffer[8192];
- static char reason[8192];
- static int checkBrowserType = 1;
-+ #ifdef USE_IP_FILTER
-+ static int do_transparent=0;
-+ #endif
-
- static void do_logging()
- { char *proto = "GOPHER";
-***************
-*** 422,427 ****
---- 425,441 ----
- /*(NOT A SPECIAL FORM)*/
-
- if((rem_type & TYPE_LOCAL)== 0){
-+ #ifdef USE_IP_FILTER
-+ char *psychic=getdsthost(sockfd,&def_port);
-+ if(psychic) {
-+ if(strlen(psychic)<=MAXHOSTNAMELEN) {
-+ do_transparent++;
-+ strncpy(def_httpd,psychic,strlen(psychic));
-+ strncpy(def_server,psychic,strlen(psychic));
-+ }
-+ }
-+
-+ #endif /* USE_IP_FILTER */
- /* See if it can be forwarded */
-
- if( can_forward(buf)){
-***************
-*** 1513,1518 ****
---- 1527,1537 ----
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-+ }
-+ #ifdef USE_IP_FILTER
-+ else if(do_transparent) {
-+ sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]);
-+ #endif /* USE_IP_FILTER */
- }else{
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
-diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c
-*** ../TIS.orig/fwtk/lib/hnam.c Sat Nov 5 00:30:19 1994
---- fwtk/lib/hnam.c Sat Feb 1 08:17:46 1997
-***************
-*** 20,25 ****
---- 20,37 ----
-
- extern char *inet_ntoa();
-
-+ #if defined(USE_IP_FILTER)
-+ #include <net/if.h>
-+ #ifndef LINUX
-+ #include "ip_nat.h"
-+ #endif
-+ #if defined(SOLARIS)
-+ #include <sys/stat.h>
-+ #include <fcntl.h>
-+ #include <unistd.h>
-+ #include <sys/ioccom.h>
-+ #endif
-+ #endif /* IP_FILTER */
-
- #include "firewall.h"
-
-***************
-*** 45,47 ****
---- 57,158 ----
- bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
- return(inet_ntoa(sin.sin_addr));
- }
-+
-+
-+
-+ #ifdef USE_IP_FILTER
-+ char *getdsthost(fd, ptr)
-+ int fd;
-+ int *ptr;
-+ {
-+ struct sockaddr_in sin;
-+ struct hostent *hp;
-+ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0;
-+ static char buf[255], hostbuf[255];
-+ #if defined(__FreeBSD__) || defined(SOLARIS)
-+ struct sockaddr_in rsin;
-+ struct natlookup natlookup;
-+ int natfd;
-+ #endif
-+
-+ #ifdef linux
-+ /* This should also work for UDP. Unfortunately, it doesn't.
-+ Maybe when the Linux UDP proxy code gets a little cleaner.
-+ */
-+ if(!(err=getsockname(0,&sin,&sl))) {
-+ if(ptr) *ptr=ntohs(sin.sin_port);
-+ sprintf(buf,"%s",inet_ntoa(sin.sin_addr));
-+ gethostname(hostbuf,254);
-+ hp=gethostbyname(hostbuf);
-+ while(hp->h_addr_list[i]) {
-+ bzero(&sin,&sl);
-+ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]));
-+ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++;
-+ }
-+ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); }
-+ else { return(buf); }
-+ }
-+ #endif
-+
-+ #if defined(__FreeBSD__)
-+ /* The basis for this block of code is Darren Reed's
-+ patches to the TIS ftwk's ftp-gw.
-+ */
-+ bzero((char*)&sin,sizeof(sin));
-+ bzero((char*)&rsin,sizeof(rsin));
-+ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
-+ return NULL;
-+ }
-+ sl=sizeof(rsin);
-+ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
-+ return NULL;
-+ }
-+ natlookup.nl_inport=sin.sin_port;
-+ natlookup.nl_outport=rsin.sin_port;
-+ natlookup.nl_inip=sin.sin_addr;
-+ natlookup.nl_outip=rsin.sin_addr;
-+ if((natfd=open("/dev/ipnat",O_RDONLY))<0) {
-+ return(NULL);
-+ }
-+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
-+ return(NULL);
-+ }
-+ close(natfd);
-+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
-+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
-+ #endif
-+
-+ #if defined(SOLARIS) /* for Solaris */
-+ /* The basis for this block of code is Darren Reed's
-+ * patches to the TIS ftwk's ftp-gw.
-+ * modified for Solaris from Michael Kutzner, Michael.Kutzner@paderlinx.de
-+ */
-+ memset((char*)&sin, 0, sizeof(sin));
-+ memset((char*)&rsin, 0, sizeof(rsin));
-+
-+ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
-+ return NULL;
-+ }
-+ sl=sizeof(rsin);
-+ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
-+ return NULL;
-+ }
-+ natlookup.nl_inport=sin.sin_port;
-+ natlookup.nl_outport=rsin.sin_port;
-+ natlookup.nl_inip=sin.sin_addr;
-+ natlookup.nl_outip=rsin.sin_addr;
-+ if( (natfd=open(IPL_NAT,O_RDONLY)) < 0) {
-+ return(NULL);
-+ }
-+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
-+ return(NULL);
-+ }
-+ close(natfd);
-+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
-+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
-+ #endif
-+
-+ /* No transparent proxy support */
-+ return(NULL);
-+ }
-+ #endif /* USE_IP_FILTER */
-diff -cr ../TIS.orig/fwtk/plug-gw/plug-gw.c fwtk/plug-gw/plug-gw.c
-*** ../TIS.orig/fwtk/plug-gw/plug-gw.c Thu Sep 5 21:36:33 1996
---- fwtk/plug-gw/plug-gw.c Sun Feb 2 04:50:40 1997
-***************
-*** 38,44 ****
- static int timeout = PROXY_TIMEOUT;
- static char **validdests = (char **)0;
- static Cfg *confp;
-!
- main(ac,av)
- int ac;
- char *av[];
---- 38,46 ----
- static int timeout = PROXY_TIMEOUT;
- static char **validdests = (char **)0;
- static Cfg *confp;
-! #ifdef USE_IP_FILTER
-! static int do_transparent=0;
-! #endif
- main(ac,av)
- int ac;
- char *av[];
-***************
-*** 189,201 ****
- static char buf[1024 * 4];
- void (*op)();
- char *dhost = NULL;
- char hostport[1024 * 4];
- char *ptr;
- int state = 0;
- int ssl_plug = 0;
-!
- struct timeval timo;
-
- if(c->flags & PERM_DENY) {
- if (p == -1)
- syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
---- 191,215 ----
- static char buf[1024 * 4];
- void (*op)();
- char *dhost = NULL;
-+ char *transhost = NULL;
- char hostport[1024 * 4];
- char *ptr;
- int state = 0;
- int ssl_plug = 0;
-! #ifdef USE_IP_FILTER
-! int pport;
-! #endif
- struct timeval timo;
-
-+ #ifdef USE_IP_FILTER
-+ /* Transparent plug-gw is probably a bad idea, but hey .. */
-+ transhost=getdsthost(0,&pport);
-+ if(transhost) {
-+ do_transparent++;
-+ portid=pport;
-+ }
-+ #endif
-+
- if(c->flags & PERM_DENY) {
- if (p == -1)
- syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
-***************
-*** 223,229 ****
- privport = 1;
- continue;
- }
-!
- if (!strcmp(av[x], "-port")) {
- if (++x >= ac) {
- syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln);
---- 237,248 ----
- privport = 1;
- continue;
- }
-! #ifdef USE_IP_FILTER
-! if (!strcmp(av[x],"-all-destinations")) {
-! dhost = transhost;
-! continue;
-! }
-! #endif
- if (!strcmp(av[x], "-port")) {
- if (++x >= ac) {
- syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln);
-diff -cr ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c fwtk/rlogin-gw/rlogin-gw.c
-*** ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c Fri Sep 6 18:56:33 1996
---- fwtk/rlogin-gw/rlogin-gw.c Sun Feb 2 06:26:04 1997
-***************
-*** 40,46 ****
-
- extern char *maphostname();
-
-!
- static int cmd_quit();
- static int cmd_help();
- static int cmd_connect();
---- 40,48 ----
-
- extern char *maphostname();
-
-! #ifdef USE_IP_FILTER
-! static int do_transparent=0;
-! #endif
- static int cmd_quit();
- static int cmd_help();
- static int cmd_connect();
-***************
-*** 120,125 ****
---- 122,130 ----
- static char *tokav[56];
- int tokac;
- struct timeval timo;
-+ #ifdef USE_IP_FILTER
-+ char *psychic;
-+ #endif
-
- #ifndef LOG_NDELAY
- openlog("rlogin-gw",LOG_PID);
-***************
-*** 186,192 ****
- }
-
-
-!
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
- syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln);
---- 191,204 ----
- }
-
-
-! #ifdef USE_IP_FILTER
-! psychic=getdsthost(0,NULL);
-! if(psychic) {
-! do_transparent++;
-! strncpy(dest,psychic,511);
-! dest[511]='\0';
-! }
-! #endif /* USE_IP_FILTER */
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
- syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln);
-***************
-*** 260,269 ****
- }
-
- /* if present a host name, chop and save username and hostname */
-- dest[0] = '\0';
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
---- 272,281 ----
- }
-
- /* if present a host name, chop and save username and hostname */
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
-+ dest[0] = '\0';
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
-***************
-*** 532,539 ****
---- 544,557 ----
- sprintf(ebuf,"Trying %s@%s...",rusername,namp);
- else
- sprintf(ebuf,"Trying %s...",namp);
-+ #ifdef USE_IP_FILTER
-+ if(!do_transparent) {
-+ #endif
- if(say(0,ebuf))
- return(1);
-+ #ifdef USE_IP_FILTER
-+ }
-+ #endif
- } else
- syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
-diff -cr ../TIS.orig/fwtk/tn-gw/tn-gw.c fwtk/tn-gw/tn-gw.c
-*** ../TIS.orig/fwtk/tn-gw/tn-gw.c Fri Sep 6 18:55:48 1996
---- fwtk/tn-gw/tn-gw.c Sun Feb 2 06:06:33 1997
-***************
-*** 97,102 ****
---- 97,106 ----
- static int timeout = PROXY_TIMEOUT;
- static char timed_out_msg[] = "\r\nConnection closed due to inactivity";
-
-+ #ifdef USE_IP_FILTER
-+ static int do_transparent=0;
-+ #endif
-+
- typedef struct {
- char *name;
- char *hmsg;
-***************
-*** 140,145 ****
---- 144,153 ----
- char tokbuf[BSIZ];
- char *tokav[56];
- int tokac;
-+ #ifdef USE_IP_FILTER
-+ int port;
-+ char *psychic;
-+ #endif
-
- #ifndef LOG_DAEMON
- openlog("tn-gw",LOG_PID);
-***************
-*** 307,313 ****
- exit(1);
- }
- }
-!
- while (argc > 1) {
- argc--;
- argv++;
---- 315,349 ----
- exit(1);
- }
- }
-! #ifdef USE_IP_FILTER
-! psychic=getdsthost(0,&port);
-! if(psychic) {
-! if((strlen(psychic) + 10) < 510) {
-! do_transparent++;
-! if(port)
-! sprintf(dest,"%s:%d",psychic,port);
-! else
-! sprintf(dest,"%s",psychic);
-!
-!
-! if(!welcomedone)
-! if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-! if(cf->argc != 1) {
-! syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-! exit(1);
-! }
-! if(sayfile(0,cf->argv[0])) {
-! syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
-! exit(1);
-! }
-! welcomedone = 1;
-! }
-!
-!
-! }
-! }
-!
-! #endif /* USE_IP_FILTER */
- while (argc > 1) {
- argc--;
- argv++;
-***************
-*** 870,877 ****
-
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
- sprintf(ebuf,"Trying %s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
-
---- 906,920 ----
-
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
- sprintf(ebuf,"Trying %s port %d...",namp,port);
-! #ifdef USE_IP_FILTER
-! if(!do_transparent) {
-! sprintf(ebuf,"Trying %s port %d...",namp,port);
-! #endif
-! if(say(0,ebuf))
-! return(1);
-! #ifdef USE_IP_FILTER
-! }
-! #endif
- } else
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
-
-***************
-*** 903,910 ****
-
- syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! sprintf(buf, "Connected to %s.", dest);
- say(0, buf);
- return(2);
- }
-
---- 946,959 ----
-
- syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! #ifdef USE_IP_FILTER
-! if(!do_transparent) {
-! sprintf(buf, "Connected to %s.", dest);
-! say(0, buf);
-! }
-! #else
- say(0, buf);
-+ #endif
- return(2);
- }
-
-diff -cr ../TIS.orig/fwtk/x-gw/socket.c fwtk/x-gw/socket.c
-*** ../TIS.orig/fwtk/x-gw/socket.c Sat Sep 7 05:16:35 1996
---- fwtk/x-gw/socket.c Sun Feb 2 05:26:44 1997
-***************
-*** 212,218 ****
- case AF_UNIX: un_name = (struct sockaddr_un *)addr;
- len = sizeof(un_name->sun_family) +
- sizeof(un_name->sun_path)
-! #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
- + sizeof(un_name->sun_len) + 1
- #endif
- ;
---- 212,218 ----
- case AF_UNIX: un_name = (struct sockaddr_un *)addr;
- len = sizeof(un_name->sun_family) +
- sizeof(un_name->sun_path)
-! #if defined(SCM_RIGHTS) && !defined(LINUX)/* 4.3BSD Reno and later */
- + sizeof(un_name->sun_len) + 1
- #endif
- ;
-Only in fwtk/x-gw: socket.c.bak
diff --git a/contrib/ipfilter/FWTK/fwtkp b/contrib/ipfilter/FWTK/fwtkp
deleted file mode 100644
index aba869d..0000000
--- a/contrib/ipfilter/FWTK/fwtkp
+++ /dev/null
@@ -1,812 +0,0 @@
-diff -c -r ./ftp-gw/ftp-gw.c ../../NEW/fwtk/ftp-gw/ftp-gw.c
-*** ./ftp-gw/ftp-gw.c Fri Sep 6 12:55:05 1996
---- ../../NEW/fwtk/ftp-gw/ftp-gw.c Wed Oct 9 02:51:35 1996
-***************
-*** 40,47 ****
-
- extern char *optarg;
-
-! #include "firewall.h"
-
-
- #ifndef BSIZ
- #define BSIZ 2048
---- 40,48 ----
-
- extern char *optarg;
-
-! char *getdsthost();
-
-+ #include "firewall.h"
-
- #ifndef BSIZ
- #define BSIZ 2048
-***************
-*** 84,89 ****
---- 85,92 ----
- static int cmdcnt = 0;
- static int timeout = PROXY_TIMEOUT;
-
-+ static int do_transparent=0;
-+
-
- static int cmd_user();
- static int cmd_authorize();
-***************
-*** 98,103 ****
---- 101,107 ----
- static void saveline();
- static void flushsaved();
- static void trap_sigurg();
-+ static int connectdest();
-
- #define OP_CONN 001 /* only valid if connected */
- #define OP_WCON 002 /* writethrough if connected */
-***************
-*** 170,175 ****
---- 174,180 ----
- char xuf[1024];
- char huf[128];
- char *passuser = (char *)0; /* passed user as av */
-+ char *psychic, *hotline;
-
- #ifndef LOG_DAEMON
- openlog("ftp-gw",LOG_PID);
-***************
-*** 314,319 ****
---- 319,326 ----
- } else
- timeout = 60*60;
-
-+ psychic=getdsthost(0,NULL);
-+ if(psychic) { do_transparent++; }
-
- /* display a welcome file or message */
- if(passuser == (char *)0) {
-***************
-*** 322,327 ****
---- 329,340 ----
- syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
- exit(1);
- }
-+ if(do_transparent) {
-+ if(sayfile2(0,cf->argv[0],220)) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ } else
- if(sayfile(0,cf->argv[0],220)) {
- syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
- exit(1);
-***************
-*** 332,338 ****
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
- if(say(0,xuf))
- exit(1);
- }
---- 345,357 ----
- if(authallflg)
- if(say(0,"220-Proxy first requires authentication"))
- exit(1);
-! /* foo */
-! if(do_transparent)
-! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
-! else
-! sprintf(xuf,"220 %s FTP Proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
-! /* foo */
-!
- if(say(0,xuf))
- exit(1);
- }
-***************
-*** 353,358 ****
---- 372,381 ----
- exit(1);
- }
-
-+ if(do_transparent) {
-+ connectdest(psychic,21);
-+ }
-+
- /* main loop */
- while(1) {
- FD_ZERO(&rdy);
-***************
-*** 676,681 ****
---- 699,713 ----
- return(sayn(0,noad,sizeof(noad)-1));
- }
-
-+ if(do_transparent) {
-+ if((rfd==(-1)) && (x=connectdest(dest,port))) return x;
-+ sprintf(buf,"USER %s",user);
-+ if(say(rfd,buf)) return(1);
-+ x=getresp(rfd,buf,sizeof(buf),1);
-+ if(sendsaved(0,x)) return(1);
-+ return(say(0,buf));
-+ }
-+
- if(*dest == '\0')
- dest = "localhost";
-
-***************
-*** 701,708 ****
- if(msg_int == 1) {
- sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
- syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-! say(0,mbuf);
-! return(1);
- } else {
- if(msg_int == -1) {
- sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
---- 733,740 ----
- if(msg_int == 1) {
- sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
- syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-! say(0,mbuf);
-! return(1);
- } else {
- if(msg_int == -1) {
- sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
-***************
-*** 717,723 ****
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! sprintf(buf,"521 %s: %s",dest,ebuf);
- rfd = -1;
- return(say(0,buf));
- }
---- 749,759 ----
- char ebuf[512];
-
- strcpy(ebuf,buf);
-! if(do_transparent) {
-! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
-! } else {
-! sprintf(buf,"521 %s: %s",dest,ebuf);
-! }
- rfd = -1;
- return(say(0,buf));
- }
-***************
-*** 732,737 ****
---- 768,778 ----
- }
- saveline(buf);
-
-+ /* if(do_transparent) {
-+ sendsaved(0,-1);
-+ return(0);
-+ } /* EEEk. I can't remember what this does. */
-+
- sprintf(buf,"USER %s",user);
- if(say(rfd,buf))
- return(1);
-***************
-*** 744,749 ****
---- 785,860 ----
- return 0;
- }
-
-+ static int connectdest(dest, port)
-+ char *dest;
-+ short port;
-+ {
-+ char buf[1024], mbuf[512];
-+ int msg_int, x;
-+
-+ if(*dest == '\0')
-+ dest = "localhost";
-+
-+ if(validests != (char **)0) {
-+ char **xp;
-+ int x;
-+
-+ for(xp = validests; *xp != (char *)0; xp++) {
-+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
-+ return(baddest(0,dest));
-+ } else {
-+ if(hostmatch(*xp,dest))
-+ break;
-+ }
-+ }
-+ if(*xp == (char *)0)
-+ return(baddest(0,dest));
-+ }
-+
-+ /* Extended permissions processing goes in here for destination */
-+ if(extendperm) {
-+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
-+ if(msg_int == 1) {
-+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
-+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
-+ say(0,mbuf);
-+ return(1);
-+ } else {
-+ if(msg_int == -1) {
-+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
-+ say(0,mbuf);
-+ return(1);
-+ }
-+ }
-+ }
-+
-+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
-+
-+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
-+ char ebuf[512];
-+
-+ strcpy(ebuf,buf);
-+ sprintf(buf,"521 %s: %s",dest,ebuf);
-+ rfd = -1;
-+ return(say(0,buf));
-+ }
-+ if(!do_transparent) {
-+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
-+ saveline(buf);
-+ }
-+
-+ /* we are now connected and need to try the autologin thing */
-+ x = getresp(rfd,buf,sizeof(buf),1);
-+ if(x / 100 != COMPLETE) {
-+ sendsaved(0,-1);
-+ return(say(0,buf));
-+ }
-+ saveline(buf);
-+
-+ sendsaved(0,-1);
-+ return 0;
-+ }
-+
-
-
- static int
-***************
-*** 1053,1058 ****
---- 1164,1171 ----
- static char nprn[] = "500 cannot get peername";
- char buf[512];
-
-+ /* syslog(LLEV,"DEBUG: port cmd"); */
-+
- if(ac < 2)
- return(sayn(0,narg,sizeof(narg)-1));
-
-***************
-*** 1119,1124 ****
---- 1232,1238 ----
- #define UC(c) (((int)c) & 0xff)
- sprintf(buf,"PORT %d,%d,%d,%d,%d,%d\r\n",UC(k[0]),UC(k[1]),UC(k[2]),
- UC(k[3]),UC(l[0]),UC(l[1]));
-+ /* syslog(LLEV,"DEBUG: %s",buf); */
- s = strlen(buf);
- if (write(rfd, buf, s) != s)
- return 1;
-***************
-*** 1330,1335 ****
---- 1444,1450 ----
- callback()
- {
- /* if we haven't gotten a valid PORT scrub the connection */
-+ /* syslog(LLEV,"DEBUG: callback()."); */
- if((outgoing = accept(boundport,(struct sockaddr *)0,(int *)0)) < 0 || clntport.sin_port == 0)
- goto bomb;
- if(pasvport != -1) { /* incoming handled by PASVcallback */
-***************
-*** 1796,1801 ****
---- 1911,1960 ----
- }
- return(0);
- }
-+
-+ /* ok, so i'm in a hurry. english paper due RSN. */
-+ sayfile2(fd,fn,code)
-+ int fd;
-+ char *fn;
-+ int code;
-+ {
-+ FILE *f;
-+ char buf[BUFSIZ];
-+ char yuf[BUFSIZ];
-+ char *c;
-+ int x;
-+ int saidsomething = 0;
-+
-+ if((f = fopen(fn,"r")) == (FILE *)0)
-+ return(1);
-+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
-+ if((c = index(buf,'\n')) != (char *)0)
-+ *c = '\0';
-+ x = fgetc(f);
-+ if(feof(f))
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ else {
-+ sprintf(yuf,"%3.3d-%s",code,buf);
-+ ungetc(x,f);
-+ }
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ saidsomething++;
-+ }
-+ fclose(f);
-+ if (!saidsomething) {
-+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
-+ sprintf(yuf, "%3.3d The file to display is empty",code);
-+ if(say(fd,yuf)) {
-+ fclose(f);
-+ return(1);
-+ }
-+ }
-+ return(0);
-+ }
-+
-
-
- porttoaddr(s,a)
-diff -c -r ./http-gw/http-gw.c ../../NEW/fwtk/http-gw/http-gw.c
-*** ./http-gw/http-gw.c Mon Sep 9 14:40:53 1996
---- ../../NEW/fwtk/http-gw/http-gw.c Wed Oct 9 02:51:57 1996
-***************
-*** 27,32 ****
---- 27,37 ----
- static char http_buffer[8192];
- static char reason[8192];
- static int checkBrowserType = 1;
-+ /* foo */
-+ static int do_transparent=0;
-+ /* foo */
-+
-+ char *getdsthost();
-
- static void do_logging()
- { char *proto = "GOPHER";
-***************
-*** 422,427 ****
---- 427,443 ----
- /*(NOT A SPECIAL FORM)*/
-
- if((rem_type & TYPE_LOCAL)== 0){
-+ /* foo */
-+ char *psychic=getdsthost(sockfd,&def_port);
-+ if(psychic) {
-+ if(strlen(psychic)<=MAXHOSTNAMELEN) {
-+ do_transparent++;
-+ strncpy(def_httpd,psychic,strlen(psychic));
-+ strncpy(def_server,psychic,strlen(psychic));
-+ }
-+ }
-+
-+ /* foo */
- /* See if it can be forwarded */
-
- if( can_forward(buf)){
-***************
-*** 1513,1519 ****
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }else{
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
---- 1529,1541 ----
- parse_vec[0],
- parse_vec[1],
- ourname, ourport);
-! }
-! /* FOO */
-! else if(do_transparent) {
-! sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]);
-! }
-! /* FOO */
-! else{
- sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
- parse_vec[0], parse_vec[2],
- parse_vec[3], chk_type_ch,
-diff -c -r ./lib/hnam.c ../../NEW/fwtk/lib/hnam.c
-*** ./lib/hnam.c Fri Nov 4 18:30:19 1994
---- ../../NEW/fwtk/lib/hnam.c Wed Oct 9 02:34:13 1996
-***************
-*** 22,27 ****
---- 22,31 ----
-
-
- #include "firewall.h"
-+ #ifdef __FreeBSD__
-+ #include <net/if.h>
-+ #include "ip_nat.h"
-+ #endif /* __FreeBSD__ */
-
-
- char *
-***************
-*** 44,47 ****
---- 48,115 ----
-
- bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
- return(inet_ntoa(sin.sin_addr));
-+ }
-+
-+ char *getdsthost(fd, ptr)
-+ int fd;
-+ int *ptr;
-+ {
-+ struct sockaddr_in sin;
-+ struct hostent *hp;
-+ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0;
-+ char buf[255], hostbuf[255];
-+ #ifdef __FreeBSD__
-+ struct sockaddr_in rsin;
-+ struct natlookup natlookup;
-+ #endif
-+
-+ #ifdef linux
-+ /* This should also work for UDP. Unfortunately, it doesn't.
-+ Maybe when the Linux UDP proxy code gets a little cleaner.
-+ */
-+ if(!(err=getsockname(0,&sin,&sl))) {
-+ if(ptr) *ptr=ntohs(sin.sin_port);
-+ sprintf(buf,"%s",inet_ntoa(sin.sin_addr));
-+ gethostname(hostbuf,254);
-+ hp=gethostbyname(hostbuf);
-+ while(hp->h_addr_list[i]) {
-+ bzero(&sin,&sl);
-+ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]));
-+ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++;
-+ }
-+ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); }
-+ else { return(buf); }
-+ }
-+ #endif
-+
-+ #ifdef __FreeBSD__
-+ /* The basis for this block of code is Darren Reed's
-+ patches to the TIS ftwk's ftp-gw.
-+ */
-+ bzero((char*)&sin,sizeof(sin));
-+ bzero((char*)&rsin,sizeof(rsin));
-+ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
-+ return NULL;
-+ }
-+ sl=sizeof(rsin);
-+ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
-+ return NULL;
-+ }
-+ natlookup.nl_inport=sin.sin_port;
-+ natlookup.nl_outport=rsin.sin_port;
-+ natlookup.nl_inip=sin.sin_addr;
-+ natlookup.nl_outip=rsin.sin_addr;
-+ if((natfd=open(IPL_NAT,O_RDONLY))<0) {
-+ return(NULL);
-+ }
-+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
-+ return(NULL);
-+ }
-+ close(natfd);
-+ if(ptr) *ptr=ntohs(natlookup.nl_realport);
-+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_realip));
-+ #endif
-+
-+ /* No transparent proxy support */
-+ return(NULL);
- }
-Only in ./lib: hnam.c.orig
-diff -c -r ./plug-gw/plug-gw.c ../../NEW/fwtk/plug-gw/plug-gw.c
-*** ./plug-gw/plug-gw.c Thu Sep 5 15:36:33 1996
---- ../../NEW/fwtk/plug-gw/plug-gw.c Wed Oct 9 02:46:48 1996
-***************
-*** 39,44 ****
---- 39,48 ----
- static char **validdests = (char **)0;
- static Cfg *confp;
-
-+ int do_transparent=0;
-+
-+ char *getdsthost();
-+
- main(ac,av)
- int ac;
- char *av[];
-***************
-*** 193,201 ****
---- 197,213 ----
- char *ptr;
- int state = 0;
- int ssl_plug = 0;
-+ int pport=0;
-
- struct timeval timo;
-
-+ /* Transparent plug-gw is probably a bad idea, but hey .. */
-+ dhost=getdsthost(0,&pport);
-+ if(dhost) {
-+ do_transparent++;
-+ portid=pport;
-+ }
-+
- if(c->flags & PERM_DENY) {
- if (p == -1)
- syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
-***************
-*** 215,221 ****
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! dhost = av[x];
- continue;
- }
-
---- 227,234 ----
- syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
- exit (1);
- }
-! if(!dhost) dhost = av[x];
-! /* syslog(LLEV,"DEBUG: dhost now is [%s]",dhost); */
- continue;
- }
-
-diff -c -r ./rlogin-gw/rlogin-gw.c ../../NEW/fwtk/rlogin-gw/rlogin-gw.c
-*** ./rlogin-gw/rlogin-gw.c Fri Sep 6 12:56:33 1996
---- ../../NEW/fwtk/rlogin-gw/rlogin-gw.c Wed Oct 9 02:49:04 1996
-***************
-*** 39,45 ****
---- 39,47 ----
-
-
- extern char *maphostname();
-+ char *getdsthost();
-
-+ int do_transparent=0;
-
- static int cmd_quit();
- static int cmd_help();
-***************
-*** 120,125 ****
---- 122,130 ----
- static char *tokav[56];
- int tokac;
- struct timeval timo;
-+ /* foo */
-+ char *psychic;
-+ /* foo */
-
- #ifndef LOG_NDELAY
- openlog("rlogin-gw",LOG_PID);
-***************
-*** 185,191 ****
- xforwarder = cf->argv[0];
- }
-
-!
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
---- 190,203 ----
- xforwarder = cf->argv[0];
- }
-
-! /* foo */
-! psychic=getdsthost(0,NULL);
-! if(psychic) {
-! do_transparent++;
-! strncpy(dest,psychic,511);
-! dest[511]='\0';
-! }
-! /* foo */
-
- if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
- if(cf->argc != 1) {
-***************
-*** 260,269 ****
- }
-
- /* if present a host name, chop and save username and hostname */
-! dest[0] = '\0';
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
---- 272,282 ----
- }
-
- /* if present a host name, chop and save username and hostname */
-! /* dest[0] = '\0'; */
- if((p = index(rusername,'@')) != (char *)0) {
- char *namp;
-
-+ dest[0] = '\0';
- *p++ = '\0';
- if(*p == '\0')
- p = "localhost";
-***************
-*** 293,300 ****
---- 306,326 ----
- goto leave;
- }
-
-+ /* syslog(LLEV,"DEBUG: Uh-oh, $dest = %s\n",dest); */
-+
- if(dest[0] != '\0') {
- /* Setup connection directly to remote machine */
-+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-+ if(cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+ if(sayfile(0,cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
-+ exit(1);
-+ }
-+ }
-+ /* Does this cmd_connect thing feel like a kludge or what? */
- sprintf(buf,"connect %.1000s",dest);
- tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
- if (cmd_connect(tokac, tokav, buf) != 2)
-***************
-*** 526,539 ****
- char ebuf[512];
-
- syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
- if(strlen(namp) > 20)
- namp[20] = '\0';
- if(rusername[0] != '\0')
- sprintf(ebuf,"Trying %s@%s...",rusername,namp);
- else
- sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
---- 552,567 ----
- char ebuf[512];
-
- syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
-+ if(!do_transparent) {
- if(strlen(namp) > 20)
- namp[20] = '\0';
- if(rusername[0] != '\0')
- sprintf(ebuf,"Trying %s@%s...",rusername,namp);
- else
- sprintf(ebuf,"Trying %s...",namp);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
- if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
-diff -c -r ./tn-gw/tn-gw.c ../../NEW/fwtk/tn-gw/tn-gw.c
-*** ./tn-gw/tn-gw.c Fri Sep 6 12:55:48 1996
---- ../../NEW/fwtk/tn-gw/tn-gw.c Wed Oct 9 02:50:17 1996
-***************
-*** 87,92 ****
---- 87,94 ----
- static int cmd_xforward();
- static int cmd_timeout();
-
-+ char *getdsthost();
-+
- static int tn3270 = 1; /* don't do tn3270 stuff */
- static int doX;
-
-***************
-*** 97,102 ****
---- 99,106 ----
- static int timeout = PROXY_TIMEOUT;
- static char timed_out_msg[] = "\r\nConnection closed due to inactivity";
-
-+ int do_transparent=0;
-+
- typedef struct {
- char *name;
- char *hmsg;
-***************
-*** 140,145 ****
---- 144,151 ----
- char tokbuf[BSIZ];
- char *tokav[56];
- int tokac;
-+ int port;
-+ char *psychic;
-
- #ifndef LOG_DAEMON
- openlog("tn-gw",LOG_PID);
-***************
-*** 308,313 ****
---- 314,346 ----
- }
- }
-
-+ psychic=getdsthost(0,&port);
-+ if(psychic) {
-+ if((strlen(psychic) + 10) < 510) {
-+ do_transparent++;
-+ if(port)
-+ sprintf(dest,"%s:%d",psychic,port);
-+ else
-+ sprintf(dest,"%s",psychic);
-+
-+
-+ if(!welcomedone)
-+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
-+ if(cf->argc != 1) {
-+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
-+ exit(1);
-+ }
-+ if(sayfile(0,cf->argv[0])) {
-+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
-+ exit(1);
-+ }
-+ welcomedone = 1;
-+ }
-+
-+
-+ }
-+ }
-+
- while (argc > 1) {
- argc--;
- argv++;
-***************
-*** 864,877 ****
- }
- }
-
--
- if((namp = maphostname(av[1])) != (char *)0) {
- char ebuf[512];
-
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
-! sprintf(ebuf,"Trying %s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
- } else
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
-
---- 897,911 ----
- }
- }
-
- if((namp = maphostname(av[1])) != (char *)0) {
- char ebuf[512];
-
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
-! if(!do_transparent) {
-! sprintf(ebuf,"Trying %s port %d...",namp,port);
-! if(say(0,ebuf))
-! return(1);
-! }
- } else
- syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
-
-***************
-*** 903,910 ****
-
- syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! sprintf(buf, "Connected to %s.", dest);
-! say(0, buf);
- return(2);
- }
-
---- 937,946 ----
-
- syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
- strncpy(dest,av[1], 511);
-! if(!do_transparent) {
-! sprintf(buf, "Connected to %s.", dest);
-! say(0, buf);
-! }
- return(2);
- }
-
-
-
diff --git a/contrib/ipfilter/FWTK/tproxy.diff b/contrib/ipfilter/FWTK/tproxy.diff
deleted file mode 100644
index 234404b..0000000
--- a/contrib/ipfilter/FWTK/tproxy.diff
+++ /dev/null
@@ -1,82 +0,0 @@
-*** tproxy.c.orig Fri Dec 20 10:53:24 1996
---- tproxy.c Sun Jan 3 11:33:55 1999
-***************
-*** 135,140 ****
---- 135,144 ----
- #include <netinet/in.h>
- #include <sys/signal.h>
- #include <syslog.h>
-+ #include <unistd.h>
-+ #include <fcntl.h>
-+ #include <sys/ioctl.h>
-+ #include <net/if.h>
- #include "tproxy.h"
-
- #ifdef AIX
-***************
-*** 147,152 ****
---- 151,159 ----
- #define bzero(buf,size) memset(buf, '\0', size);
- #endif /* SYSV */
-
-+ #include "ip_compat.h"
-+ #include "ip_fil.h"
-+ #include "ip_nat.h"
-
-
- /* socket to audio server */
-***************
-*** 324,329 ****
---- 331,369 ----
- char localbuf[2048];
- void timeout();
- extern int errno;
-+ /*
-+ * IP-Filter block
-+ */
-+ struct sockaddr_in laddr, faddr;
-+ struct natlookup natlookup;
-+ int slen, natfd;
-+
-+ bzero((char *)&laddr, sizeof(laddr));
-+ bzero((char *)&faddr, sizeof(faddr));
-+ slen = sizeof(laddr);
-+ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0)
-+ return -1;
-+ slen = sizeof(faddr);
-+ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0)
-+ return -1;
-+ natlookup.nl_inport = laddr.sin_port;
-+ natlookup.nl_outport = faddr.sin_port;
-+ natlookup.nl_inip = laddr.sin_addr;
-+ natlookup.nl_outip = faddr.sin_addr;
-+ natlookup.nl_flags = IPN_TCP;
-+ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0)
-+ return -1;
-+ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
-+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
-+ close(natfd);
-+ return -1;
-+ }
-+ close(natfd);
-+ strcpy(hostname, inet_ntoa(natlookup.nl_realip));
-+ serverport = ntohs(natlookup.nl_realport);
-+ /*
-+ * End of IP-Filter block
-+ */
-
- /* setup a timeout in case dialog doesn't finish */
- signal(SIGALRM, timeout);
-***************
-*** 337,344 ****
---- 377,386 ----
- * and modify the call to (and subroutine) serverconnect() as
- * appropriate.
- */
-+ #if 0
- strcpy(hostname, "randomhostname");
- serverport = 7070;
-+ #endif
- /* Can we connect to the server */
- if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) {
- /* errno may still be set from previous call */
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.diffs b/contrib/ipfilter/FreeBSD-2.2/files.diffs
deleted file mode 100644
index 2ada3fa..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/files.diffs
+++ /dev/null
@@ -1,24 +0,0 @@
-*** files.orig Tue Sep 9 16:58:40 1997
---- files Sat Apr 4 10:52:58 1998
-***************
-*** 222,227 ****
---- 222,240 ----
- netinet/tcp_timer.c optional inet
- netinet/tcp_usrreq.c optional inet
- netinet/udp_usrreq.c optional inet
-+ netinet/ip_fil.c optional ipfilter inet
-+ netinet/fil.c optional ipfilter inet
-+ netinet/ip_nat.c optional ipfilter inet
-+ netinet/ip_frag.c optional ipfilter inet
-+ netinet/ip_state.c optional ipfilter inet
-+ netinet/ip_proxy.c optional ipfilter inet
-+ netinet/mlf_ipl.c optional ipfilter inet
-+ netinet/ip_auth.c optional ipfilter inet
-+ netinet/ip_log.c optional ipfilter inet
-+ netinet/ip_scan.c optional ipfilter inet
-+ netinet/ip_sync.c optional ipfilter inet
-+ netinet/ip_pool.c optional ipfilter_pool inet
-+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
- netipx/ipx.c optional ipx
- netipx/ipx_cksum.c optional ipx
- netipx/ipx_input.c optional ipx
diff --git a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
deleted file mode 100644
index 82599f1..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
+++ /dev/null
@@ -1,24 +0,0 @@
-*** files.newconf.orig Sun Jun 25 02:17:29 1995
---- files.newconf Sun Jun 25 02:19:10 1995
-***************
-*** 161,166 ****
---- 161,179 ----
- file netinet/ip_input.c inet
- file netinet/ip_mroute.c inet
- file netinet/ip_output.c inet
-+ file netinet/ip_fil.c ipfilter
-+ file netinet/fil.c ipfilter
-+ file netinet/ip_nat.c ipfilter
-+ file netinet/ip_frag.c ipfilter
-+ file netinet/ip_state.c ipfilter
-+ file netinet/ip_proxy.c ipfilter
-+ file netinet/ip_auth.c ipfilter
-+ file netinet/ip_log.c ipfilter
-+ file netinet/mlf_ipl.c ipfilter
-+ file netinet/ip_scan.c ipfilter
-+ file netinet/ip_sync.c ipfilter
-+ file netinet/ip_pool.c ipfilter_pool
-+ file netinet/ip_rules.c ipfilter_compiled
- file netinet/raw_ip.c inet
- file netinet/tcp_debug.c inet
- file netinet/tcp_input.c inet
diff --git a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs b/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
deleted file mode 100644
index c2822d3..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/in_proto.c.diffs
+++ /dev/null
@@ -1,16 +0,0 @@
-*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
---- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
-***************
-*** 89,94 ****
---- 89,99 ----
- void eoninput(), eonctlinput(), eonprotoinit();
- #endif /* EON */
-
-+ #if defined(IPFILTER) && !defined(IPFILTER_LKM)
-+ void iplinit();
-+ #define ip_init iplinit
-+ #endif
-+
- extern struct domain inetdomain;
-
- struct protosw inetsw[] = {
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
deleted file mode 100644
index c2b2b15..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/ip_input.c.diffs
+++ /dev/null
@@ -1,32 +0,0 @@
-*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
---- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
-***************
-*** 74,79 ****
---- 74,82 ----
- #ifdef IPFIREWALL
- #include <netinet/ip_fw.h>
- #endif
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-
- int rsvp_on = 0;
- static int ip_rsvp_on;
-***************
-*** 310,315 ****
---- 313,327 ----
- * - Wrap: fake packet's addr/port <unimpl.>
- * - Encapsulate: put it in another IP and send out. <unimp.>
- */
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
-+ return;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
-
- #ifdef COMPAT_IPFW
- if (ip_fw_chk_ptr) {
diff --git a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs b/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
deleted file mode 100644
index ff5ae0a..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/ip_output.c.diffs
+++ /dev/null
@@ -1,67 +0,0 @@
-*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
---- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
-***************
-*** 67,72 ****
---- 67,76 ----
- #else
- #undef COMPAT_IPFW
- #endif
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-+
-
- u_short ip_id;
-
-***************
-*** 75,81 ****
- __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
- static int ip_getmoptions
- __P((int, struct ip_moptions *, struct mbuf **));
-! static int ip_optcopy __P((struct ip *, struct ip *));
- static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
- static int ip_setmoptions
- __P((int, struct ip_moptions **, struct mbuf *));
---- 79,85 ----
- __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
- static int ip_getmoptions
- __P((int, struct ip_moptions *, struct mbuf **));
-! int ip_optcopy __P((struct ip *, struct ip *));
- static int ip_pcbopts __P((struct mbuf **, struct mbuf *));
- static int ip_setmoptions
- __P((int, struct ip_moptions **, struct mbuf *));
-***************
-*** 338,343 ****
---- 342,356 ----
- * - Wrap: fake packet's addr/port <unimpl.>
- * - Encapsulate: put it in another IP and send out. <unimp.>
- */
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
-+ goto done;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
-
- #ifdef COMPAT_IPFW
- if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
-***************
-*** 559,565 ****
- * Copy options from ip to jp,
- * omitting those not copied during fragmentation.
- */
-! static int
- ip_optcopy(ip, jp)
- struct ip *ip, *jp;
- {
---- 574,580 ----
- * Copy options from ip to jp,
- * omitting those not copied during fragmentation.
- */
-! int
- ip_optcopy(ip, jp)
- struct ip *ip, *jp;
- {
diff --git a/contrib/ipfilter/FreeBSD-2.2/kinstall b/contrib/ipfilter/FreeBSD-2.2/kinstall
deleted file mode 100755
index 5a4368e..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/kinstall
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Installing "
-foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
- ip_*_pxy.c mlf_ipl.c ipl.h ip_compat.h ip_log.c)
- echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
- switch ($i)
- case *.h:
- /bin/cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
-end
-echo ""
-echo "Copying /usr/include/osreldate.h to /sys/sys"
-cp /usr/include/osreldate.h /sys/sys
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Patching /sys/conf/files.newconf"
- cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Patching /sys/conf/files.oldconf"
- cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/minstall b/contrib/ipfilter/FreeBSD-2.2/minstall
deleted file mode 100755
index 832b68e..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/minstall
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD-2.2 ) cd ..
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}${bak} )
- set bak=".bak."$dot
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}$bak
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM\noptions IPFILTER_LOG"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/unkinstall b/contrib/ipfilter/FreeBSD-2.2/unkinstall
deleted file mode 100755
index 1955f5c..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/unkinstall
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Uninstalling "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_compat.h ip_log.c \
- mlf_ipl.c ipl.h)
- echo -n "$i ";
- /bin/rm -f /sys/netinet/$i
-end
-echo ""
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Unpatching /sys/conf/files.newconf"
- cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Unpatching /sys/conf/files.oldconf"
- cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-2.2/unminstall b/contrib/ipfilter/FreeBSD-2.2/unminstall
deleted file mode 100755
index 07aaac0..0000000
--- a/contrib/ipfilter/FreeBSD-2.2/unminstall
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
-endif
-grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3 b/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
deleted file mode 100644
index 5c30b57..0000000
--- a/contrib/ipfilter/FreeBSD-3/INST.FreeBSD-3
+++ /dev/null
@@ -1,26 +0,0 @@
-To build a kernel with the IP filter, follow these seven steps:
-
- 1. do "make freebsd3"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-3/kinstall" as root
-
- 4. build a new kernel
-
- 5. install the new kernel
-
- 6. If not using DEVFS, create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
- mknod /dev/ipsync c 79 4
- mknod /dev/ipscan c 79 5
-
- 7. reboot
-
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-3/kinstall b/contrib/ipfilter/FreeBSD-3/kinstall
deleted file mode 100755
index 20f0369..0000000
--- a/contrib/ipfilter/FreeBSD-3/kinstall
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Installing "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
- ip_compat.h ip_auth.[ch] ip_log.c)
- echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
- switch ($i)
- case *.h:
- /bin/cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
-end
-echo ""
-echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
-ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Rewriting $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo "You will now need to run config on $newconfig and build a new kernel."
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-3/unkinstall b/contrib/ipfilter/FreeBSD-3/unkinstall
deleted file mode 100755
index 687ebc6..0000000
--- a/contrib/ipfilter/FreeBSD-3/unkinstall
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/csh -f
-#
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Uninstalling "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
- ip_log.c mlf_ipl.c ipl.h)
- echo -n "$i ";
- /bin/rm -f /sys/netinet/$i
-end
-echo ""
-
-echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
-rm /sys/sys/osreldate.h
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
deleted file mode 100644
index 7d1b7a2..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
+++ /dev/null
@@ -1,24 +0,0 @@
-To build a kernel with the IP filter, follow these seven steps:
-
- 1. do "make freebsd4"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-4.0/kinstall" as root
-
- 4. build a new kernel
-
- 5. install the new kernel
-
- 6. If not using DEVFS, create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
-
- 7. reboot
-
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch
deleted file mode 100755
index c232b2c..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch
+++ /dev/null
@@ -1,61 +0,0 @@
-*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
---- ip6_input.c Wed Apr 26 22:31:34 2000
-***************
-*** 121,126 ****
---- 121,127 ----
-
- extern struct domain inet6domain;
- extern struct ip6protosw inet6sw[];
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-
- u_char ip6_protox[IPPROTO_MAX];
- static int ip6qmaxlen = IFQ_MAXLEN;
-***************
-*** 302,307 ****
---- 303,317 ----
- ip6stat.ip6s_badvers++;
- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
- goto bad;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
-+ 0, &m1) || !m1)
-+ return;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
-*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
---- ip6_output.c Wed Apr 26 22:34:34 2000
-***************
-*** 108,113 ****
---- 108,115 ----
- #include <netinet6/ip6_fw.h>
- #endif
-
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+
- static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
-
- struct ip6_exthdrs {
-***************
-*** 754,759 ****
---- 756,770 ----
- ip6->ip6_src.s6_addr16[1] = 0;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
- ip6->ip6_dst.s6_addr16[1] = 0;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
-+ !m1)
-+ goto done;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- #ifdef IPV6FIREWALL
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0
deleted file mode 100755
index c232b2c..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0
+++ /dev/null
@@ -1,61 +0,0 @@
-*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
---- ip6_input.c Wed Apr 26 22:31:34 2000
-***************
-*** 121,126 ****
---- 121,127 ----
-
- extern struct domain inet6domain;
- extern struct ip6protosw inet6sw[];
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-
- u_char ip6_protox[IPPROTO_MAX];
- static int ip6qmaxlen = IFQ_MAXLEN;
-***************
-*** 302,307 ****
---- 303,317 ----
- ip6stat.ip6s_badvers++;
- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
- goto bad;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
-+ 0, &m1) || !m1)
-+ return;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
-*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
---- ip6_output.c Wed Apr 26 22:34:34 2000
-***************
-*** 108,113 ****
---- 108,115 ----
- #include <netinet6/ip6_fw.h>
- #endif
-
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+
- static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
-
- struct ip6_exthdrs {
-***************
-*** 754,759 ****
---- 756,770 ----
- ip6->ip6_src.s6_addr16[1] = 0;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
- ip6->ip6_dst.s6_addr16[1] = 0;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
-+ !m1)
-+ goto done;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- #ifdef IPV6FIREWALL
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1
deleted file mode 100644
index 90dac19..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1
+++ /dev/null
@@ -1,63 +0,0 @@
-*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
---- ip6_input.c Thu Oct 19 17:14:37 2000
-***************
-*** 120,125 ****
---- 120,127 ----
-
- extern struct domain inet6domain;
- extern struct ip6protosw inet6sw[];
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
-+ struct mbuf **));
-
- u_char ip6_protox[IPPROTO_MAX];
- static int ip6qmaxlen = IFQ_MAXLEN;
-***************
-*** 289,294 ****
---- 291,305 ----
- ip6stat.ip6s_badvers++;
- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
- goto bad;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
-+ 0, &m1) || !m1)
-+ return;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
-
-*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
---- ip6_output.c Thu Oct 19 17:13:53 2000
-***************
-*** 106,111 ****
---- 106,113 ----
- #include <netinet6/ip6_fw.h>
- #endif
-
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+
- static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
-
- struct ip6_exthdrs {
-***************
-*** 787,792 ****
---- 789,803 ----
- ip6->ip6_src.s6_addr16[1] = 0;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
- ip6->ip6_dst.s6_addr16[1] = 0;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
-+ !m1)
-+ goto done;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- #ifdef IPV6FIREWALL
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2
deleted file mode 100644
index 90dac19..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2
+++ /dev/null
@@ -1,63 +0,0 @@
-*** ip6_input.c.orig Sat Jul 15 07:14:34 2000
---- ip6_input.c Thu Oct 19 17:14:37 2000
-***************
-*** 120,125 ****
---- 120,127 ----
-
- extern struct domain inet6domain;
- extern struct ip6protosw inet6sw[];
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
-+ struct mbuf **));
-
- u_char ip6_protox[IPPROTO_MAX];
- static int ip6qmaxlen = IFQ_MAXLEN;
-***************
-*** 289,294 ****
---- 291,305 ----
- ip6stat.ip6s_badvers++;
- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
- goto bad;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
-+ 0, &m1) || !m1)
-+ return;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
-
-*** ip6_output.c.orig Sat Jul 15 07:14:35 2000
---- ip6_output.c Thu Oct 19 17:13:53 2000
-***************
-*** 106,111 ****
---- 106,113 ----
- #include <netinet6/ip6_fw.h>
- #endif
-
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+
- static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
-
- struct ip6_exthdrs {
-***************
-*** 787,792 ****
---- 789,803 ----
- ip6->ip6_src.s6_addr16[1] = 0;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
- ip6->ip6_dst.s6_addr16[1] = 0;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
-+ !m1)
-+ goto done;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- #ifdef IPV6FIREWALL
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
deleted file mode 100755
index ebd6e2e..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-set ipfdir=/sys/netinet
-set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-if ( -d /sys/contrib/ipfilter ) set ipfdir=/sys/contrib/ipfilter/netinet
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Installing "
-foreach i (ip_{auth,fil,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
- ip_*_pxy.c mlfk_ipl.c ipl.h ip_compat.h ip_log.c )
- echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
- switch ($i)
- case *.h:
- /bin/cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
-end
-echo ""
-echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
-ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
-
-echo ""
-echo "Patching ip6_input.c and ip6_output.c"
-cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -N)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-grep -q IPFILTER $confdir/$newconfig
-if ($status == 0) then
- echo "IPFilter already configured in kernel config file"
- exit 0
-endif
-echo "Rewriting $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo "You will now need to run config on $newconfig and build a new kernel."
-exit 0
diff --git a/contrib/ipfilter/FreeBSD-4.0/unkinstall b/contrib/ipfilter/FreeBSD-4.0/unkinstall
deleted file mode 100755
index 4e9caaa..0000000
--- a/contrib/ipfilter/FreeBSD-4.0/unkinstall
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/csh -f
-#
-#
-set dir=`pwd`
-set karch=`uname -m`
-set krev=`uname -r|sed -e 's/\([0-9\.]*\)-.*/\1/'`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD* ) cd ..
-echo -n "Uninstalling "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
- ip_log.c mlf_ipl.c ipl.h)
- echo -n "$i ";
- /bin/rm -f /sys/netinet/$i
-end
-echo ""
-
-echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
-rm /sys/sys/osreldate.h
-
-echo "Removing patch to ip6_input.c and ip6_output.c"
-cat FreeBSD-4.0/ipv6-patch-$krev | (cd /sys/netinet6; patch -R)
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD/conf.c.diffs b/contrib/ipfilter/FreeBSD/conf.c.diffs
deleted file mode 100644
index afd2880..0000000
--- a/contrib/ipfilter/FreeBSD/conf.c.diffs
+++ /dev/null
@@ -1,46 +0,0 @@
-*** conf.c.orig Sun Jan 14 15:39:32 1996
---- conf.c Sun Jan 14 15:48:21 1996
-***************
-*** 1128,1133 ****
---- 1128,1149 ----
- #define labpcioctl nxioctl
- #endif
-
-+ #ifdef IPFILTER
-+ d_open_t iplopen;
-+ d_close_t iplclose;
-+ d_ioctl_t iplioctl;
-+ # ifdef IPFILTER_LOG
-+ d_read_t iplread;
-+ # else
-+ #define iplread nxread
-+ # endif
-+ #else
-+ #define iplopen nxopen
-+ #define iplclose nxclose
-+ #define iplioctl nxioctl
-+ #define iplread nxread
-+ #endif
-+
- /* open, close, read, write, ioctl, stop, reset, ttys, select, mmap, strat */
- struct cdevsw cdevsw[] =
- {
-***************
-*** 1199,1206 ****
- * Otherwise, simply use the one reserved for local use.
- */
- /* character device 20 is reserved for local use */
-! { nxopen, nxclose, nxread, nxwrite, /*20*/
-! nxioctl, nxstop, nxreset, nxdevtotty,/* reserved */
- nxselect, nxmmap, NULL },
- { psmopen, psmclose, psmread, nowrite, /*21*/
- psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
---- 1215,1222 ----
- * Otherwise, simply use the one reserved for local use.
- */
- /* character device 20 is reserved for local use */
-! { iplopen, iplclose, iplread, nxwrite, /*20*/
-! iplioctl, nxstop, nxreset, nxdevtotty,/* reserved */
- nxselect, nxmmap, NULL },
- { psmopen, psmclose, psmread, nowrite, /*21*/
- psmioctl, nostop, nullreset, nodevtotty,/* psm mice */
diff --git a/contrib/ipfilter/FreeBSD/files.diffs b/contrib/ipfilter/FreeBSD/files.diffs
deleted file mode 100644
index 2f028e3..0000000
--- a/contrib/ipfilter/FreeBSD/files.diffs
+++ /dev/null
@@ -1,23 +0,0 @@
-*** files.orig Sat Sep 30 18:01:55 1995
---- files Sun Jan 14 14:32:25 1996
-***************
-*** 208,213 ****
---- 208,225 ----
- netinet/tcp_timer.c optional inet
- netinet/tcp_usrreq.c optional inet
- netinet/udp_usrreq.c optional inet
-+ netinet/ip_fil.c optional ipfilter inet
-+ netinet/fil.c optional ipfilter inet
-+ netinet/ip_nat.c optional ipfilter inet
-+ netinet/ip_frag.c optional ipfilter inet
-+ netinet/ip_state.c optional ipfilter inet
-+ netinet/ip_auth.c optional ipfilter inet
-+ netinet/ip_proxy.c optional ipfilter inet
-+ netinet/ip_log.c optional ipfilter inet
-+ netinet/ip_scan.c optional ipfilter inet
-+ netinet/ip_sync.c optional ipfilter inet
-+ netinet/ip_pool.c optional ipfilter_pool ipfilter inet
-+ netinet/ip_rules.c optional ipfilter_compiled ipfilter inet
- netiso/clnp_debug.c optional iso
- netiso/clnp_er.c optional iso
- netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/files.newconf.diffs b/contrib/ipfilter/FreeBSD/files.newconf.diffs
deleted file mode 100644
index 29aea54..0000000
--- a/contrib/ipfilter/FreeBSD/files.newconf.diffs
+++ /dev/null
@@ -1,23 +0,0 @@
-*** files.newconf.orig Sun Jun 25 02:17:29 1995
---- files.newconf Sun Jun 25 02:19:10 1995
-***************
-*** 161,166 ****
---- 161,178 ----
- file netinet/ip_input.c inet
- file netinet/ip_mroute.c inet
- file netinet/ip_output.c inet
-+ file netinet/ip_fil.c ipfilter
-+ file netinet/fil.c ipfilter
-+ file netinet/ip_nat.c ipfilter
-+ file netinet/ip_frag.c ipfilter
-+ file netinet/ip_state.c ipfilter
-+ file netinet/ip_proxy.c ipfilter
-+ file netinet/ip_auth.c ipfilter
-+ file netinet/ip_log.c ipfilter
-+ file netinet/ip_scan.c ipfilter
-+ file netinet/ip_sync.c ipfilter
-+ file netinet/ip_pool.c ipfilter_pool
-+ file netinet/ip_rules.c ipfilter_compiled
- file netinet/raw_ip.c inet
- file netinet/tcp_debug.c inet
- file netinet/tcp_input.c inet
diff --git a/contrib/ipfilter/FreeBSD/files.oldconf.diffs b/contrib/ipfilter/FreeBSD/files.oldconf.diffs
deleted file mode 100644
index ed8aff9..0000000
--- a/contrib/ipfilter/FreeBSD/files.oldconf.diffs
+++ /dev/null
@@ -1,23 +0,0 @@
-*** files.oldconf.orig Sat Apr 29 19:59:31 1995
---- files.oldconf Sun Apr 23 17:54:18 1995
-***************
-*** 180,185 ****
---- 180,197 ----
- netinet/tcp_timer.c optional inet
- netinet/tcp_usrreq.c optional inet
- netinet/udp_usrreq.c optional inet
-+ netinet/ip_fil.c optional ipfilter requires inet
-+ netinet/fil.c optional ipfilter requires inet
-+ netinet/ip_nat.c optional ipfilter requires inet
-+ netinet/ip_frag.c optional ipfilter requires inet
-+ netinet/ip_state.c optional ipfilter requires inet
-+ netinet/ip_proxy.c optional ipfilter requires inet
-+ netinet/ip_auth.c optional ipfilter requires inet
-+ netinet/ip_log.c optional ipfilter requires inet
-+ netinet/ip_scan.c optional ipfilter requires inet
-+ netinet/ip_sync.c optional ipfilter requires inet
-+ netinet/ip_pool.c optional ipfilter_pool requires ipfilter
-+ netinet/ip_rules.c optional ipfilter_compiled requires ipfilter
- netiso/clnp_debug.c optional iso
- netiso/clnp_er.c optional iso
- netiso/clnp_frag.c optional iso
diff --git a/contrib/ipfilter/FreeBSD/filez.diffs b/contrib/ipfilter/FreeBSD/filez.diffs
deleted file mode 100644
index 9656006..0000000
--- a/contrib/ipfilter/FreeBSD/filez.diffs
+++ /dev/null
@@ -1,23 +0,0 @@
-*** files.orig Sat Apr 29 20:00:02 1995
---- files Sun Apr 23 17:53:58 1995
-***************
-*** 222,227 ****
---- 222,235 ----
- file netinet/tcp_timer.c inet
- file netinet/tcp_usrreq.c inet
- file netinet/udp_usrreq.c inet
-+ file netinet/ip_fil.c ipfilter
-+ file netinet/fil.c ipfilter
-+ file netinet/ip_nat.c ipfilter
-+ file netinet/ip_frag.c ipfilter
-+ file netinet/ip_state.c ipfilter
-+ file netinet/ip_proxy.c ipfilter
-+ file netinet/ip_auth.c ipfilter
-+ file netinet/ip_log.c ipfilter
-+ file netinet/ip_scan.c ipfilter
-+ file netinet/ip_sync.c ipfilter
-+ file netinet/ip_pool.c ipfilter_pool
-+ file netinet/ip_rules.c ipfilter_compiled
- file netiso/clnp_debug.c iso
- file netiso/clnp_er.c iso
- file netiso/clnp_frag.c iso
diff --git a/contrib/ipfilter/FreeBSD/in_proto.c.diffs b/contrib/ipfilter/FreeBSD/in_proto.c.diffs
deleted file mode 100644
index 052dd51..0000000
--- a/contrib/ipfilter/FreeBSD/in_proto.c.diffs
+++ /dev/null
@@ -1,16 +0,0 @@
-*** in_proto.c.orig Wed Sep 6 20:31:34 1995
---- in_proto.c Mon Mar 11 22:40:03 1996
-***************
-*** 81,86 ****
---- 81,91 ----
- void eoninput(), eonctlinput(), eonprotoinit();
- #endif /* EON */
-
-+ #ifdef IPFILTER
-+ void iplinit();
-+ #define ip_init iplinit
-+ #endif
-+
- void rsvp_input(struct mbuf *, int);
- void ipip_input(struct mbuf *, int);
-
diff --git a/contrib/ipfilter/FreeBSD/ip_input.c.diffs b/contrib/ipfilter/FreeBSD/ip_input.c.diffs
deleted file mode 100644
index a70be89..0000000
--- a/contrib/ipfilter/FreeBSD/ip_input.c.diffs
+++ /dev/null
@@ -1,88 +0,0 @@
-*** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996
---- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997
-***************
-*** 93,98 ****
---- 93,102 ----
- int ipqmaxlen = IFQ_MAXLEN;
- struct in_ifaddr *in_ifaddr; /* first inet address */
- struct ifqueue ipintrq;
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-
- struct ipstat ipstat;
- struct ipq ipq;
-***************
-*** 219,226 ****
- }
- ip = mtod(m, struct ip *);
- }
-! ip->ip_sum = in_cksum(m, hlen);
-! if (ip->ip_sum) {
- ipstat.ips_badsum++;
- goto bad;
- }
---- 223,229 ----
- }
- ip = mtod(m, struct ip *);
- }
-! if (in_cksum(m, hlen)) {
- ipstat.ips_badsum++;
- goto bad;
- }
-***************
-*** 267,272 ****
---- 270,288 ----
- goto next;
- }
-
-+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
-+ /*
-+ * Check if we want to allow this packet to be processed.
-+ * Consider it to be bad if not.
-+ */
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
-+ goto next;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
- /*
- * Process options and, if not destined for us,
- * ship it on. ip_dooptions returns 1 when an
-***************
-*** 527,532 ****
---- 533,540 ----
- * if they are completely covered, dequeue them.
- */
- while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) {
-+ struct mbuf *m0;
-+
- i = (ip->ip_off + ip->ip_len) - q->ip_off;
- if (i < q->ip_len) {
- q->ip_len -= i;
-***************
-*** 526,534 ****
- m_adj(dtom(q), i);
- break;
- }
- q = q->ipf_next;
-- m_freem(dtom(q->ipf_prev));
- ip_deq(q->ipf_prev);
- }
-
- insert:
---- 542,551 ----
- m_adj(dtom(q), i);
- break;
- }
-+ m0 = dtom(q);
- q = q->ipf_next;
- ip_deq(q->ipf_prev);
-+ m_freem(m0);
- }
-
- insert:
diff --git a/contrib/ipfilter/FreeBSD/ip_output.c.diffs b/contrib/ipfilter/FreeBSD/ip_output.c.diffs
deleted file mode 100644
index f1fe9ac..0000000
--- a/contrib/ipfilter/FreeBSD/ip_output.c.diffs
+++ /dev/null
@@ -1,36 +0,0 @@
-*** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996
---- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997
-***************
-*** 65,70 ****
---- 65,74 ----
- static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
- static void ip_mloopback
- __P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
-+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
-+ extern int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+ #endif
-
- /*
- * IP output. The packet in mbuf chain m contains a skeletal IP
-***************
-*** 330,335 ****
---- 334,351 ----
- m->m_flags &= ~M_BCAST;
-
- sendit:
-+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
-+ /*
-+ * looks like most checking has been done now...do a filter check
-+ */
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
-+ goto done;
-+ ip = mtod(m = m1, struct ip *);
-+ }
-+ #endif
- /*
- * Check with the firewall...
- */
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall
deleted file mode 100755
index 2b67b9a..0000000
--- a/contrib/ipfilter/FreeBSD/kinstall
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD ) cd ..
-echo -n "Installing "
-foreach i (ip_{auth,fil,frag,nat,pool,proxy,scan,state,sync}.[ch] fil.c \
- ip_*_pxy.c ip_compat.h ip_log.c )
- echo -n "$i ";
- cp $i /sys/netinet
- chmod 644 /sys/netinet/$i
- switch ($i)
- case *.h:
- /bin/cp $i /usr/include/netinet/$i
- chmod 644 /usr/include/netinet/$i
- breaksw
- endsw
-end
-echo ""
-grep iplopen $archdir/$karch/conf.c >& /dev/null
-if ( $status != 0 ) then
- echo "Patching $archdir/$karch/conf.c"
- cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
-endif
-grep fr_checkp /sys/netinet/ip_input.c >& /dev/null
-if ( $status != 0 ) then
- echo "Patching ip_input.c, ip_output.c and in_proto.c"
- cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
- (cd /sys/netinet; patch)
-endif
-if ( -f /sys/conf/files.newconf ) then
- echo "Patching /sys/conf/files.newconf"
- cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD/files.diffs | (cd /sys/conf; patch)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Patching /sys/conf/files.oldconf"
- cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD/minstall b/contrib/ipfilter/FreeBSD/minstall
deleted file mode 100755
index 0cfe7c3..0000000
--- a/contrib/ipfilter/FreeBSD/minstall
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD ) cd ..
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Patching /sys/conf/files.newconf"
- cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD/files.diffs | (cd /sys/conf; patch)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Patching /sys/conf/files.oldconf"
- cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch)
- echo "Patching /sys/conf/files"
- cat FreeBSD/filez.diffs | (cd /sys/conf; patch)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-echo "Re-config'ing $newconfig..."
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
-endif
-awk '{print $0;if($2=="INET"){print"options IPFILTER_LKM"}}' \
- $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD/unkinstall b/contrib/ipfilter/FreeBSD/unkinstall
deleted file mode 100755
index 8547fcd..0000000
--- a/contrib/ipfilter/FreeBSD/unkinstall
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD ) cd ..
-echo -n "Uninstalling "
-foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_compat.h ip_auth.[ch] ip_proxy.[ch] ip_ftp_pxy.c ip_log.c)
- echo -n "$i ";
- /bin/rm -f /sys/netinet/$i
-end
-echo ""
-echo "Unpatching $archdir/$karch/conf.c"
-cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch -R)
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Unpatching /sys/conf/files.newconf"
- cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Unpatching /sys/conf/files.oldconf"
- cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
-endif
-egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/FreeBSD/unminstall b/contrib/ipfilter/FreeBSD/unminstall
deleted file mode 100755
index a25746c..0000000
--- a/contrib/ipfilter/FreeBSD/unminstall
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/csh -f
-#
-set dir=`pwd`
-set karch=`uname -m`
-if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
-if ( -d /sys/$karch ) set archdir="/sys/$karch"
-set confdir="$archdir/conf"
-
-if ( $dir =~ */FreeBSD ) cd ..
-echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
-(cd /sys/netinet; patch -R)
-
-if ( -f /sys/conf/files.newconf ) then
- echo "Unpatching /sys/conf/files.newconf"
- cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD/files.diffs | (cd /sys/conf; patch -R)
-endif
-if ( -f /sys/conf/files.oldconf ) then
- echo "Unpatching /sys/conf/files.oldconf"
- cat FreeBSD/files.oldconf.diffs | (cd /sys/conf; patch -R)
- echo "Unpatching /sys/conf/files"
- cat FreeBSD/filez.diffs | (cd /sys/conf; patch -R)
-endif
-
-set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
-echo -n "Kernel configuration to update [$config] "
-set newconfig=$<
-if ( "$newconfig" != "" ) then
- set config="$confdir/$newconfig"
-else
- set newconfig=$config
-endif
-if ( -f $confdir/$newconfig ) then
- mv $confdir/$newconfig $confdir/$newconfig.bak
-endif
-if ( -d $archdir/../compile/$newconfig ) then
- set bak=".bak"
- set dot=0
- while ( -d $archdir/../compile/${newconfig}.${bak} )
- set bak=".bak.$dot"
- set dot=`expr 1 + $dot`
- end
- mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.$bak
-endif
-grep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
-echo 'You will now need to run "config" and build a new kernel.'
-exit 0
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
deleted file mode 100644
index b500c20..0000000
--- a/contrib/ipfilter/HISTORY
+++ /dev/null
@@ -1,2307 +0,0 @@
-#
-# NOTE: Quite a few patches and suggestions come from other sources, to whom
-# I'm greatly indebted, even if no names are mentioned.
-#
-# Thanks to the Coombs Computing Unit at the ANU for their continued support
-# in providing a very available location for the IP Filter home page and
-# distribution center.
-#
-# Thanks also to all those who have contributed patches and other code,
-# and especially those who have found the time to port IP Filter to new
-# platforms.
-#
-4.1.28 - Release 16 October 2007
-
-backout changes (B1) & (B2) as they've caused NAT entries to persist for
-too long and possibly other side effects.
-
-Still need to compile in our own radix.c for Solaris as the one in S10U4
-has a different alignment of structure members (causes panic)
-
-keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
-
-ippool -l may only lists every 2nd pool's contents
-
-4.1.27 - Released 29 September 2007
-
-SunOS5/replace script does not deal with i386 systems that have the
-i86/amd64 directory pair.
-
-make BSD/kupgrade try to build ip_rules.[ch] before complaining
-
-Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
-
-Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
-to drive 32bit cc builds differently for sparc/i386 now.
-
-Update instructions for rebuilding FreeBSD kernels
-
-Make the target "freebsd" work for building ipfilter
-
-destroying NAT entries for blocked packets can lead to NAT table entry leak,
-provide a counter of orphan'd NAT entries to track this problem.
-
-4.1.26 - Released 24 September 2007
-
-Fix build problem for Solaris prior to S10U4
-
-4.1.25 - Released 20 September 2007
-
-stepping through structures with ioctls can lead to the wrong things
-being free'd and panics
-
-if a NAT entry (such as an rdr) is created but the packet ends up being
-blocked, tear down the NAT entry.
-
-fix fragment cache preventing keep state from functioning
-
-fix handling of \ to indicate a continued line in .conf files
-
-include port ranges in the allowed input for ipf when using "port = ()"
-
-only advance TCP state for packets on the leading edge of the window. (B1)
-
-using ipnat -l can lead to memory corruption in high stress situations
-
-track TCP sequence numbers with NAT so that it can do timeout advances
-correctly inline with state
-
-ICMP checksums for some redirect'd packets are not adjusted correctly.
-
-IPv6 address components need to be explicitly cast to a 32bit pointer
-boundary so that compilers don't try to access them as two 64bit
-pieces (no guarantee is made that an Ipv6 address is on a 64bit
-aligned address)
-
-filling up the ipauth packet queue can lead to no more packets being
-processed.
-
-locking used to deref a nat entry causes a significant performance hit
-
-m_pulldown isn't properly handled, leading to possible panics with ICMPv6
-packets
-
-IPv6 fragment handling doesn't allow for "keep frag" to work
-
-build on Solaris10 Update4 with pfhooks in the kernel
-
-logging of Ipv6 packets with extension headers fix - Miroslaw Luc
-
-4.1.24 - Released 8 July 2007
-
-patch from Stuart Remphrey to address recursive mutex lock with TCP state
-
-add hash table bucket stats display to ipnat -s
-
-give ASSERT some teeth for user compiles
-
-initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
-early on
-
-do some caddr_t cleanup, where possible
-
-fr_ref no longer tracks the number of children rules in a group for head rules
-
-make sure all BCOPY* have a value assigned to something
-
-fix possible use of icmp pointer after pullup makes it invalid
-
-resolve compile problems related to FreeBSD tree
-
-4.1.23 - Released 31 May 2007
-
-NAT was not always correctly fixing ICMP headers for errors
-
-some TCP state steps when closing do not update timeouts, leading to
-them being removed prematurely. (B2)
-
-fix compilation problems for netbsd 4.99
-
-protect enumeration of lists in the kernel from callout interrupts on
-BSD without locking
-
-fix various problems with IPv6 header checks: TCP/UDP checksum validation
-was not being done, fragmentation header parsed dangerously and routing
-header prevented others from being seen
-
-fix gcc 4.2 compiler warnings
-
-fix TCP/UDP checksum calculation for IPv6
-
-fix reference after free'ing ipftoken memory
-
-4.1.22 - Released 13 May 2007
-
-fix endless loop when flushing state/NAT by idle time
-
-4.1.21 - Released 12 May 2007
-
-show the number of states created against a rule with "-v" for ipfstat
-
-fix build problems with FreeBSD
-
-make it possible to flush the state table by idle time and TCP state
-
-fix flushing out idle connections when state/NAT tables fill
-
-print out the TCP state population with ipfstat/ipnat
-
-stop creation of state table orphans via return-*/fastroute
-
-fix printing out of rule groups - they now only appear once
-
-4.1.20 - Released 30 April 2007
-
-adjust TCP state numbers, making 11 closed (was 0) to better facilitate
-detecting closing connections that we can wipe out when a SYN arrives
-that matches the old
-
-make it compile on Solaris10 Update3
-
-structures used for ipf command ioctls weren't being freed in timeout
-fashion on solairs
-
-use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
-
-adjust TCP timeout values and introduce a time-wait specifc timeout
-to get a better TCP FSM emulation and one that can hopefully do a better
-job of cleaning up in a speedy fashion than previous
-
-refactor the automatic flushing of TCP state entries when we fill up,
-but use the same algorithm as before but now it hopefully works
-
-only 2 out of 4 interface names were being changed by ipfs when
-interface renaming was being used for state entries
-
-add ipf_proxy_debug to ipf-T
-
-matching of last fragments that had a number of bytes that wasn't a
-multiple of 8 failed
-
-some combinations of TCP flags are considered bad aren't picked up as such,
-but these may be possible with T/TCP
-
-4.1.19 - Released 22 February 2007
-
-Fix up compilation problems with NetBSD and Solaris.
-
-4.1.18 - Released 18 February 2007
-
-fix compiling on Tru64
-
-fix listing out filter rules with ipfstat (delete token at end of
-the list and detect zero rule being returned.)
-
-fix extended flushing of NAT tables (was clearing out state tables)
-
-fix null-pointer deref in hash table lookup
-
-fix NAT and stateful filtering with to/reply-to on destination interface
-
-4.1.17 - Released 20 January 2007
-
-make flushing pools that are still in use mark them for deletion and
-have attempting to recreate them clear the delete flag
-
-walking through the NAT tables with ioctls caused lock recursion
-
-fix tracking TCP window scaling in the state code
-
-4.1.16 - Released 20 December 2006
-
-allow rdr rules to only differ on the new port number
-
-when creating state entry orphans, leave them on the linked list but not
-attached to the hash table and mark them visible as orphans in "ipfstat -sl"
-
-log state removed when unloading differently to allow visible cues
-
-return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
-
-abort logging a packet if the mbuf pointer is null when ipflog is called
-
-Some NetBSD's have a selinfo.h instead of select.h
-
-SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
-
-listing accounting rules using ioctl interface wasn't possible
-
-fix leakage of state entries due to packets not matching up with NAT
-
-improve ICMP error packet matching with state/NAT
-
-fix problems with parsing and printing "-" as an interface name in ipnat.conf
-
-4.1.15 - Released 03 November 2006
-
-Add in automatic flushing of NAT, like state, table if it fills up too much
-
-Update comments in the code for NAT checksum adjustments
-
-Fix compiling on FreeBSD 5.4 and 6.0
-
-prevent panics from read/write IOs trying to use uninitialised structures
-
-Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
-the size is not staticly defined
-
-Some gcc warning message cleanup from NetBSD
-
-Missing include for <sys/filio.h> on Solaris for poll work
-
-NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h
-
-4.1.14 - Released 04 October 2006
-
-rewrite checksum alteration for ICMP packets being NAT'd to use a sane
-algorithm that can be understood...now it needs better comments
-
-fix 1 byte error in checksum validation perl script
-
-remove unused files in lib directory
-
-ipftest will say "bad-packet" if it has been freed rather than just "blocked"
-
-make it possible to load IP address pools from external files in ippool.conf
-
-update copyright messages in tools directory
-
-consolidate ioctl hanlding source code into fil.c
-
-make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
-
-4.1.13 - Released 4 April 2006
-
-fix bug where null pointers introduced by proxies could cause a crash
-
-pass out the rule flags with SIOCAUTHW
-
-force loading NAT rules with bad proxy labels to cause an error
-
-nat_state is used unsafely in calls to fr_addstate
-
-make return-rst and return-icmp* work with auth rules
-
-4.1.12 - Released 28 March 2006
-
-poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
-
-make the fastroute code used by ipftest invoke state/NAT
-
-move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
-
-remove unused code in fr_fastroute
-
-fix NAT with rules that specify forward and reverise interfaces
-
-add missing ipfsync_canread() and ipfsync_canwrite()
-
-behaviour of \ on the end of a line in ipf.conf does not match older behaviour
-
-remove duplicate statistics line output with "ipfstat -s"
-
-4.1.11 - Released 19 March 2006
-
-Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org
-
-NetBSD coverity report fixes (from run 5)
-
-Possible to reacquire ipf_auth without releasing it in some circumstances
-
-Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be
-
-Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
-
-Using auth rules to return "keep state" got broken with pushing fr_addstate
-call into fr_firewall
-
-all use of '!' in map/rdr rules to match use in ipf configs
-
-add -L command line option to ipmon to set the default syslog facility
-
-looking up a port number is more complex than needed in ipft_tx.c
-
-allow lib/getport to work when neither tcp or udp are specified in a rule
-
-remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
-
-program in some more cases where TCP packets fail an initial in-window
-check but should be allowed to match
-
-filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
-initialise all fields, making it possible to panic
-
-simplify NAT ICMP error handling where it updates checksums
-
-rename "min" variables to "xmin" on NetBSD to avoid problems with the
-macro "min"
-
-#ifdef's for NetBSD compile incorrect for pfil interface
-
-support select/poll on NetBSD
-
-copying out a packet with an auth rule fails (EFAULT) because the wrong
-pointer is passed to copyoutptr
-
-ip_len/ip_off where byte swapped twice instead of once for packets
-going to be stored on the auth queue
-
-change timeout queue manipulation functions to make fewer mutex calls
-
-fix use of skip rules with groups
-fix coding problems discovered by the coverity project for FreeBSD
-
-update BPF program validation with FreeBSD changes
-
-4.1.10 - Released 6 December 2005
-
-Expand regression testing to cover more features
-
-Add "coverage" build target for BSD
-
-Fix building 64bit sparc target for Solaris
-
-Add IPv6 mobility header to list of accepted keywords for V6 headers
-
-Resolve locking problems on Solaris when sending RST/icmp packets
-
-#ifdef's for IPFILTER_BPF need to check if words are defined before
-using them in comparisons
-
-Add checking for SACK permitted option in TCP SYN packets
-
-Fix loading anonymous pools from inline rule configuration groups
-
-Add -C command line option to ipftest
-
-Include extra "const" from NetBSD
-
-Don't require SIOCKSTLCK for SIOCSTPUT
-
-Fix some use of "sticky" on NAT rules
-
-Fix statistical counting of deleting state for TCP connections
-
-Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
-
-Fix TCP out-of-window (OOW) problems:
-- window scaling turned off if one chose for its scale factor
-- Microsoft Windows TCP sends the "next packet" to the right of the window
- when using SACK and filling in a hole
-
-4.1.9 - Released 13 August 2005
-
-make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
-is defined when compiled.
-
-move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
-
-make the BSD/upgrade script more instructive about the requiements for
-ip_rules.[ch] when it is run
-
-register for interface events on FreeBSD (>5.2.1) and NetBSD so that
-"ipf -y" is not not requried to tell ipfilter about interface changes.
-
-for "quick" rules that do "keep state", move the state adding into the rule
-evaluation so that we can detect it failing as rules are evaluated and
-continue on to the next rather than wait until we're done and it's too late
-to recover for more rule processing.
-
-mark ICMP packets advertising an MTU that's too small as being bad
-
-rework ipv6 header parsing to get better code reuse and fix logic errors
-in dealing with ipv6 packets containing fragment headers. Also, where a
-protocol handler was doing both v4 & v6, make a seperate function for each.
-
-build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
-
-include start of work to get IPFilter working on AIX 5.3
-
-Use FI_ICMPERR flag rather than try to compute its equivalent all the time
-
-Rewrork IPv6 extension header parsing to get better code reuse
-
-Add missing timeout on Linux
-
-Fix for locking when reading from ipsync (Frank Volf)
-
-Fix insertion/appending of rules that use a collection number
-
-Somehow turning up the spl knob to splnet disappeared on platforms that still
-use the spl interface.
-
-fix problems with "ipf -T" not listing multiple variables properly
-
-4.1.8 - Released 29 March 2005
-
-include path from Phil Dibowitz for sorting ipfstat -t output by source or
-destination port.
-
-fix a bug in printing rules where interface names could not be printed,
-even if they're in the rule structure.
-
-fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
-
-add 2 new features to SIOCGNATL:
-- if IPN_FINDFORWARD is set, check if the respective MAP is already
- present in the outbound table
-- if IPN_IN is set, search for a matching MAP entry instead of RDR
- (Peter Potsma)
-
-turn off function inlining for freebsd 5.3+
-
-UDP doesn't pullup enough data which can sometimes cause a panic.
-Fix other protocols, as required, where a similar problem may exist.
-
-overhaul the timeout queue management, especially that for user defined queues
-which are now only freed in an orderly manner.
-
-4.1.7 - Released 13 March 2005
-
-Using the GRE call field is almost impossible because it is unbalanced and
-both call fields are not present in each v1 header.
-
-Fix a problem where it was possible to load duplicate rules into ipf
-
-patch from John Wehle to address problems with fastroute on solaris
-
-Copying data out for ipf -z failed because it tried to copy out to an address
-that is a kernel pointer in user space.
-
-add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
-
-synch up with NetBSD's changes
-
-fix problems parsing long lines of text in the ftp proxy where they would not
-be parsed properly and stop the session from working
-
-enhance the PPTP proxy so that it tries to decode messages in the TCP stream
-so it knows when to create and destroy the state/nat sessions for GRE. There
-are also 4 new regression tests for it, testing map/rdr rules.
-
-impose some limits on the size of data that can be moved with SIOCSTPUT in
-the NAT code and also prevent a duplicate session entry from being created
-using this method.
-
-add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
-to check if it is possible to create an outgoing transparent NAT mapping to
-compliment the redirect being investigated.
-
-Linux requires that the checksums in the IP header get adjusted
-
-only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
-in SIOCSTPUT to prevent bad data being loaded from userspace.
-
-make the byte counting for state correct (was counting data from ICMP packet
-twice)
-
-print out the keyword "frag-body" if the flag is set.
-
-fix ipfs loading/restoring NAT sessions
-
-patch from Frank to correctly format IP addresses in ipfstat -t output
-
-parsing port numbers in ipf/ipnat was confusing as the port number was returned
-in an int that was also overloaded to be the suceess/failure. instead, change
-the port using pass by reference and only use the return value for indicating
-success or failure.
-
-4.1.6 - Released 19 February 2005
-
-add a new timeout number to NAT (fr_defnatipage) that is used for all
-non-TCP/UDP/ICMP protocols - default 60 seconds.
-
-buffer leak with bad nat - David Gueluy
-
-fix memory leak with state entries created by proxies
-
-eliminate copying too much data into a scan buffer
-
-allow a trailing protocol name for map rules as well as rdr ones
-
-fix bug in parsing of <= and > for NAT rules (two were crossed over)
-
-FreeBSD's iplwrite hasn't kept pace with iplread's prototype
-
-expand documention on the karma of using "auto" in ipnat map rules
-
-add matching on IP protocol to ipnat map rules
-
-allow ippool definitions to contain no addresses to start with
-
-Linux NAT needs to modify the IP header checksum as it gets called after it
-has been computed by IP.
-
-UDP was missing a pullup for packet header information before examining
-the header
-
-4.1.5 - Released 9 January 2005
-
-all rules were being converted into "dup-to" rules in the kernel
-
-fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
-complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
-over correctly.
-
-response to CWDs
-revert ip_off back to network byte order in the ICMP error packet that
-gets generated.
-
-4.1.4 - Released 9 January 2005
-
-force NAT rules to only match ipv4 NAT rules (which all are, currently,
-by default)
-
-include state synchronisation fixes from Frank Volf
-
-make the maximum log size for internally buffered log entries accessible
-via "ipf -T"
-
-redesign start of fr_check() to avoid putting duplicate information in
-ipfilter about how much data needs to be pulled up for a protocol to be
-properly filtered.
-
-tidy up sending ICMP error messages - some bad inputs could result in
-data not being freed and/or no error returned.
-
-make the maximum size of the log buffer run-time tunable
-
-fix bug in parsing TCP header when looking for MSS option that could make
-the system hang
-
-change pool lookups that fail to find a match to return "no match"
-rather than fail.
-
-add run-time tunable debugging for proxy support code and FTP proxy.
-
-fix state table updates for entries where the first packet as an ICMPv6
-multicast message
-
-fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
-too
-
-attaching filtering to ipv6 pfil hook wasn't present for solaris
-
-don't allow rules with "keep state" and "with oow"
-
-move a bunch of userland only code from fil.c to ip_fil.c
-
-make fr_coalesce() more resiliant to bad input, just returning an error
-instead of crashing, making calling it easier in many places
-
-When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
-to the same mbuf passed in as the first arg.
-
-remove fr_unreach and use ENETUNREACH by default.
-
-printing out of tag data in ipf rules doesn't match input syntax
-
-ipftest(1) man page update
-
-ipfs command line option parsing still rejects some valid syntaxes
-
-SIGHUP handling by ipmon was not as safe as it could be
-
-fix various parsing regressions, including "<thishost>", "tcpudp", ordering
-of "keep" options
-
-patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
-ICMP packet length not calculated correctly in send_icmp_err, reply-to
-not printed by ipfstat, keep state with icmp passing (mtrr)
-
-patches for return-rst and return-icmp from Attila Fueloep
-(lichtscheu@gesindel.org)
-
-4.1.3 - Released 18 July 2004
-
-do some more fine tuning on NAT checksum adjustments
-
-correct IP address byte order in proxy setup for ipsec/pptp
-
-man page updates
-
-fix numerous problems with ipfs operation
-
-complete new syntax for ipmon.conf in its parser and update the sample file
-
-assign error value consistantly in fastroute code
-
-rewrite allocation of mbufs in send_reset/send_icmp_err to better use
-mbuf clusters and size calculations
-
-resolve problem with linux panic'ing because the wrong flag was being
-passed to skb_clone/skb_alloc
-
-enable use of shared/exclusive locks on freebsd5 and above
-
-do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
-and so use mbufchainlen to get the mbuf length instead
-
-replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
-going to be on the stack and not in userland
-
-packet buffer pointers were not refreshed & used properly in fr_check()
-
-include extra bits for OpenBSD 3.4 & 3.5.
-
-fix ipf/ipnat parsing regression problems with v3.4
-
-4.1.2 - RELEASED - 27 May 2004
-
-add state top for ipv6
-
-fix numerous parsing regressions
-
-change sample proxies to use SIOCGNATL with the new API
-
-allow macro names to contain underscores (_)
-
-split the parser into a collection of dictionaries so that keywords do
-not interfere with resolving hostnames and portnames
-
-fix ipfrule LKM loading on freebsd
-
-support mapping a fixed range of ports to a single port
-
-fix timeout queue use by proxies with private queues
-
-handle space-led ftp server replies properly
-
-fix timeout queue management
-
-fix fastroute, generation of RST & ICMP packets and operation with to/fastroute
-
-resolve further linux compatibility problems
-
-replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
-args on the stack
-
-allow flushing of ipv6 rules independant of ipv4 rules
-
-correct internal ipv6 checksum calculations
-
-if a 'keep state' rule fails to create state, block the packet rather
-than let it through
-
-correct all checksums in regression tests and correct NAT code to adjust
-checksums correctly.
-
-fix ipfs -R/-W
-
-4.1.1 - RELEASED - 24 March 2004
-
-allow new connections with the same port numbers as an existing one
-in the state table if the creating packet is a SYN
-
-timeout values have drifted, incorrectly, from what they were in 3.4
-
-FreeBSD - compatibility changes for 5.2
-
-don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
-ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
-rather than per "flow"
-
-fr_cksum() returned the wrong answer for ICMP
-
-Linux:
-- get return-rst and return-icmp working
-- treat the interface name the same as if_xname on BSD
-
-adjust expectations for TCP urgent bits based on observed traffic in the
-wild
-
-openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
-
-fix flushing of hash pool gorups (ippool -F) as well as displaying them
-(ippool -l)
-
-passing of pointers to interface structures wrong for HP-UX/Solaris with
-return-* rules.
-
-Make the solaris boot script able to run on 2.5.1
-
-ippool related files missing from Solaris packages
-
-The name /dev/ippool should be /dev/iplookup
-
-add regression testing for parsing long interface names in nat rules,
-along with mssclamp and tags. Also add test for mssclamp operation.
-
-ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
-
-parse logical interface names (Sun)
-
-unloading LKMs was only working if they were enabled.
-
-sync'ing up NAT sessions when NICs change should cause NAT rules to
-re-lookup name->pointer mappings
-
-not all of the ippool ioctl's are IOWR and they should be because they
-use the ipfobj_t for passing information in/out of the kernel. leave the
-old values defined and handle them, for compatibility.
-
-pool stats wrong: ippoolstate used where ipoolstat should be, hash table
- statistics not reported at all
-
-fr_running not set correctly for OpenBSD when compiled into the kernel
-
-Allow SIOCGETFF while disabled
-
-Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
-altered. How do you say "untested" ?)
-
-4.1 - RELEASED - 12 February 2004
-
-4.0-BETA1 20 August 2003
-
-support 0/32 and 0/0 on the RHS in redirect rules
-
-where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
-for bimap rules.
-
-allow NAT rule to match 'all' interfaces with * as interface name
-
-do mapping of ICMP sequence id#'s in pings
-
-allow default age for NAT entries to be set per NAT rule
-
-provide round robin selection of destination addresses for redirect
-
-ipmon can load a configuration file with instructions on actions
-to take when a matching log entry is received
-
-now requires pfil to work on Solaris & HP-UX
-
-supports mapping outbound connections to a specific address/port
-
-support toggling of logging per ipfilter 'device'
-
-use queues to expire data rather than lists
-
-add MSN RPC proxy
-
-add IRC proxy
-
-support rules with dynamic ip addresses
-
-add ability to define a pool of addresses & networks which can then
-be placed in a single rule
-
-support passing entire packet back to user program for authentication
-
-support master/slave for state information sharing
-
-reorganise generic code into a lib directory and make libipf.a
-
-user programs enforce version matching with the kernel
-
-supports window scaling if seen at TCP session setup
-
-generates C code from filter rules to compile in or load as native
-machine code.
-
-supports loading rules comprised of BPF bytecode statements
-
-HP-UX 11 port completed
-
-and packets-per-second filtering
-
-add numerical tags to rules for filtering and display in ipmon output
-
-3.4.4 23/05/2000 - Released
-
-don't add TCP state if it is an RST packet and (attempt) to send out
-RST/ICMP packets in a manner that bypasses IP Filter.
-
-add patch to work with 4.0_STABLE delayed checksums
-
-3.4.3 20/05/2000 - Released
-
-fix ipmon -F
-
-don't truncate IPv6 packets on Solaris
-
-fix keep state for ICMP ECHO
-
-add some NAT stats and use def_nat_age rather than DEF_NAT_AGE
-
-don't make ftp proxy drop packets
-
-use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
-swapped back.
-
-fix up RST generation for non-Solaris
-
-get "short" flag right for IPv6
-
-3.4.2 - 10/5/2000 - Released
-
-Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun
-
-ignore previous NAT mappings for 0/0 and 0/32 rules
-
-bring in a completely new ftp proxy
-
-allow NAT to cause packets to be dropped.
-
-add NetBSD callout support for 1.4-current
-
-3.4.1 - 30/4/2000 - Released
-
-add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX
-
-don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined
-
-Solaris must use copyin() for all types of ioctl() args
-
-fix up screen/tty when leaving "top mode" of ipfstat
-
-linked list for maptable not setup correctly in nat_hostmap()
-
-check for maptable rather than nat_table[1] to see if malloc for maptable
-succeeded in nat_init
-
-fix handling of map NAT rules with "from/to" host specs
-
-fix printout out of source address when using "from/to" with map rules
-
-convert ip_len back to network byte order, not plen, for solaris as ip_len
-may have been changed by NAT and plen won't reflect this
-
-3.4 - 27/4/2000 - Released
-
-source address spoofing can be turned on (fr_chksrc) without using
-filter rules
-
-group numbers are now 32bits in size, up from 16bits
-
-IPv6 filtering available
-
-add frank volf's state-top patches
-
-add load splitting and round-robin attribute to redirect rules
-
-FreeBSD-4.0 support (including KLD)
-
-add top-style operation mode for ipfstat (-t)
-
-add save/restore of IP Filter state/NAT information (ipfs)
-
-further ftp proxy security checks
-
-support for adding and removing proxies at runtime
-
-3.3.13 26/04/2000 - Released
-
-Fix parsing of "range" with "portmap"
-
-Relax checking of ftp replies, slightly.
-
-Fix NAT timeouts for ICMP packets
-
-SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)
-
-3.3.12 16/03/2000 - Released
-
-tighten up ftp proxy behaviour. sigh. yuck. hate.
-
-fix bug in range check for NAT where the last IP# was not used.
-
-fix problem with icmp codes > 127 in filter rules caused bad things to
-happen and in particular, where #18 caused the rule to be printed
-erroneously.
-
-fix bug with the spl level not being reset when returning EIO from
-iplioctl due to ipfilter not being initialized yet.
-
-3.3.11 04/03/2000 - Released
-
-make "or-block" work with lines that start with "log"
-
-fix up parsing and printing of rules with syslog levels in them
-
-fix from Cy Schubert for calling of apr_fini only if non-null
-
-
-3.3.10 24/02/2000 - Released
-
-* fix back from guido for state tracking interfaces
-
-* update for NetBSD pfil interface changes
-
-* if attaching fails and we can abort, then cleanup when doing so.
-
-julian@computer.org:
-* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
-* ipf.c (packetlogon): use flag to store the return value from get_flags.
-* ipmon.c (init_tabs): General cleanup so we do not have to cast
- an int s->s_port to u_int port and try to check if the u_int port
- is less than zero.
-
-3.3.9 15/02/2000 - Released
-
-fix scheduling of bad locking in fr_addstate() used when we attach onto
-a filter rule.
-
-fix up ip_statesync() with storing interface names in ipstate_t
-
-fix fr_running for LKM's - Eugene Polovnikov
-
-junk using pullupmsg() for solaris - it's next to useless for what we
-need to do here anyway - and implement what we require.
-
-don't call fr_delstate() in fr_checkstate(), when compiled for a user
-program, early but when we're finished with it (got fr & pass)
-
-ipnat(5) fix from Guido
-
-on solaris2, copy message and use that with filter if there is another
-copy if it being used (db_ref > 1). bad for performance, but better
-than causing a crash.
-
-patch for solaris8-fcs compile from Casper Dik
-
-3.3.8 01/02/2000 - Released
-
-fix state handling of SYN packets.
-
-add parsing recognition of extra icmp types/codes and fix handling of
-icmp time stamps and mask requests - Frank volf
-
-3.3.7 25/01/2000 - Released
-
-sync on state information as well as NAT information when required
-
-record nat protocol in all nat log records
-
-don't reuse the IP# from an active NAT session if the IP# in the rule
-has changed dynamically.
-
-lookup the protocol for NAT log information in ipmon and pass that to
-portname.
-
-fix the bug with changing the outbound interface of a packet where it
-would lead to a panic.
-
-use fr_running instead of ipl_inited. (sysctl name change on freebsd)
-
-return EIO if someone attempts an ioctl on state/nat if ipfilter is not
-enabled.
-
-fix rule insertion bug
-
-make state flushing clean anything that's not fully established (4/4)
-
-call fr_state_flush() after we've released ipf_state so we don't generate
-a recursive mutex acquisition panic
-
-fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
-some patches to enhance parsing strength
-
-3.3.6 28/12/1999 - Released
-
-add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
-for ICMP_ECHO to only be for packet, not state entry which we don't have yet.
-
-handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()
-
-fix size of friostat for SunOS4
-
-fix bug in running off the end of a buffer in real audio proxy
-
-3.3.5 11/12/1999 - Released
-
-fix parsing of "log level" and printing it back out too
-
-<net/if_types.h> is only present on Solaris2.6/7/8
-
-use send_icmp_err rather than icmp_error to send back a frag-needed error
-when doing PMTU
-
-do not use -b with add_drv on Solaris unless $BASEDIR is set.
-
-fix problem where source address in icmp replies is reversed
-
-fix yet another problem with real audio.
-
-3.3.4 4/12/1999 - Released
-
-fix up the real audio proxy to properly setup state information and NAT
-entries, thanks to Laine Stump for testing/advice/fixes.
-
-fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
-FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
-routine.
-
-fix kinstall for BSDI
-
-support ICMP errors being allowed through for ICMP packets going out with
-keep state enabled
-
-support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
-Tel.Net Media for providing hardware for testing.
-
-patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
-ICMP responses to ICMP packets in the keep state table.
-
-add in patches for hardware checksumming under solaris
-
-Solaris install scripts now use $BASEDIR as appropriate.
-
-add Solaris8 support
-
-fix "ipf -y" on solaris so that it rescans rules also for changes in
-interface pointers
-
-let ipmon become a daemon with -D if it is using syslog
-
-fix parsing of return-icmp-as-dest(foo)
-
-add reference to ipfstat -g to ipfstat.8
-
-ipf_mutex needs to be declared for irix in ip_fil.c
-
-3.3.3 22/10/1999 - Released
-
-add -g command line option to ipfstat to show groups still define.
-
-fix problem with fragment table not recording rule pointer when called
-from state functions (fin_fr not set).
-
-fixup fastroute problems with keep state rules.
-
-load rules into inactive set first, so we don't disable things like NIS
-lookups half way through processing - found by Kevin Littlejohn
-
-fix handling of unaligned ip pointer for solaris
-
-patch for fr_newauth from Rudi Sluijtman
-
-fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short
-
-3.3.2 23/09/1999 - Released
-
-patches from Scott Presnell to fix rcmd proxy
-
-patches from Greg to fix Solaris detachment of interfaces
-
-add openbsd compatibility fixes
-
-fix free'ing already freed memory in ipfr_slowtimer()
-
-fix for deferencing invalid memory in cleaning up after a device disappears
-
-3.3.1 14/8/1999 - Released
-
-remove include file sys/user.h for irix
-
-prevent people from running buildsunos directly
-
-fix up some problems with the saving of rule pointers so that NAT saves
-that information in case it should need to call fr_addstate() from a proxy.
-
-fix up scanning for the end of FTP messages
-
-don't remove /etc/opt/ipf in postremove
-
-attempt to prevent people running buildsolaris script without doing a
-"make solaris"
-
-fix timeout losing on freebsd3
-
-3.3 7/8/1999 - Released
-
-NAT: information (rules, mappings) are stored in hash tables; setup some
-basic NAT regression testing.
-
-display version name of installed kernel code when initializing.
-
-add -V command line option to ipf, showing version (program and kernel
-module) as well as the run-status of the kernel code.
-
-fix problem with "log" rules actually affecting result of filtering.
-
-automatically use SUNWspro if available and on a 64bit Solaris system for
-compiling.
-
-add kernel proxies for rcmd(3) and RealAudio (PNA)
-
-use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
-ip_slowtimo
-
-fix IP headers generated through parsing of text information
-
-fix NAT rules to be in the correct order again.
-
-make keep-state work with to/fastroute keywords and enforce usage of those
-interfaces.
-
-update keep-state code with new algorithm from Guido
-
-add FreeBSD-3 support
-
-add return-icmp-as-dest option to retrun an ICMP packet using the original
-destination as the source rather than a local IP address
-
-add "level [facility.]<priority>" option to filter language
-
-add changes from Guido to state code.
-
-add code to return EPERM if the device is opened for writing and we're
-in securelevel 2 or greater.
-
-authentication code patches from Guido
-
-fix real audio proxy
-
-fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
-log output.
-
-fix bimap rules with hash tables
-
-update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
-if it changes on the interface - check every ip_natexpire()
-
-add redirect regression test
-
-count buckets used in the state hash table.
-
-fix sending of RST's with return-rst to use the ack number provided in
-the packet being replied to in addition to the sequence number.
-
-fix to compile as a 64bit application on solaris7-64bit
-
-add NAT IP mapping to ranges of IP addresses that aren't CIDR specified
-
-fix calculation of in_space parameter for NAT
-
-fix `wrapping' when incrementing the next ip address for use in NAT
-
-fix free'ing of kernel memory in ip_natunload on solaris
-
-fix -l/-U command line options from interfering with each other
-
-fix fastroute under solaris2 and cleanup compilation for solaris7
-
-add install scripts and compile cleanly on BSD/OS 4.0
-
-safely open files in /tmp for writing device output when testing.
-
-fix uninitialized pointer bug in NAT
-
-fix SIOCZRLST (zero list rule stats) bug with groups
-
-change some usage of u_short to u_int in function calling
-
-fix compilation for Solaris7 (SUNWspro)
-
-change solaris makefiles to build for either sparc or i386 rather than
-per-cpu (sun4u, etc).
-
-fixed bug in ipllog
-
-add patches from George Michaelson for FreeBSD 3.0
-
-add patch from Guido to provide ICMP checking for known state in the same
-manner as is done for NAT.
-
-enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
-for better PORT/PASV support with FTP.
-
-bring into main tree static nat features: map-block and "auto" portmapping.
-
-add in source host filtering for redirects (alan jones)
-
-3.2.10 22/11/98 - Released
-
-3.2.10beta9 17/11/98 - Released
-
-fix fr_tcpsum problems in handling mbufs with an odd number of bytes
-and/or split across an mbuf boundary
-
-fix NAT list entry comparisons and allow multiple entries for the same
-proxy (but on different ports).
-
-don't create duplicate NAT entries for repeated PORT commands.
-
-3.2.10beta8 14/11/98 - Released
-
-always exit an rwlock before expecting to enter it again on solaris
-
-fix loop in nat_new for pre-existing nat
-
-don't setup state for an ftp connection if creating nat fails.
-
-3.2.10beta7 05/11/98 - Released
-
-set fake window in ipft_tx.c to ensure code passes tests.
-
-cleaned up/enhanced ipnat -l/ipnat -lv output
-
-fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
-
-Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
-than mutexes.
-
-3.2.10beta6 03/11/98 - Released
-
-fix mixed use of krwlock_t and kmutex_t on Solaris2
-
-fix FTP proxy back up, splitting pasv code out of port code.
-
-3.2.10beta5 02/11/98 - Released
-
-fixed port translation in ICMP reply handling
-
-3.2.10beta4 01/11/98 - Released
-
-increase useful statistic collection on solaris
-
-filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
-
-disable PASV reply translation for now
-
-fail with an error if we try to load a NAT rule with a non-existant
- proxy name - Guido
-
-fix portmap usage with 0/0 and 0/32 map rules
-
-remove ap_unload/ap_expire - automatically done when NAT is cleaned up
-
-print "STATE:CLOSED" from ipmon if the connection progresses past established
- rather than "STATE:EXPIRED"
-
-3.2.10beta3 26/10/98 - Released
-
-fixed traceroute/nat problem
-
-rewrote nat/proxy interface
-
-ipnat now lists associated proxy sessions for each NAT where applicable
-
-3.2.10beta2 13/10/98 - Released
-
-use KRWLOCK_T in place of krwlock_t for solaris as well as irix
-
-disable use of read-write lock acquisition by default
-
-add in mb_t for linux, non-kernel
-
-some changes to progress compilation on linux with glibc
-
-change PASV as well as PORT when passed through kernel ftp proxy.
-
-don't allow window to become 0 in tcp state code
-
-make ipmon compile cleaner
-
-irix patches
-
-3.2.10beta 11/09/98 - Released
-
-stop fr_tcpsum() thinking it has run out of data when it hasn't.
-
-stop solaris panics due to fin_dp being something wild.
-
-revisit usage of ATOMIC_*()
-
-log closing state of TCP connection in "keep state"
-
-fix fake-arp table code for ipsend.
-
-ipmon now writes pid to a file.
-
-fix "ipmon -a" to actually activate all logging devices.
-
-add patches for BSDOS4.
-
-perl scripts for log analysis donated.
-
-3.2.9 22/06/98 - Released
-
-fix byte order for ICMP packets generated on Solaris
-
-fix some locking problems.
-
-fix malloc bug in NAT (introduced in 3.2.8).
-
-patch from guido for state connections that get fragmented
-
-3.2.8 08/06/98 - Released
-
-use readers/writers locks in Solaris2 in place of some mutexes.
-
-Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
-
-3.2.7 24/05/98 - Released
-
-u_long -> u_32_t conversions
-
-patches from Bernd Ernesti for NetBSD
-
-fixup ipmon to actually handle HUP's.
-
-Linux fixes from Michael H. Warfield (mhw@wittsend.com)
-
-update for keep state patch (not security related) - Guido
-
-dumphex() uses stdout rather than log
-
-3.2.6 18/05/98 - Released
-
-fix potential security loop hole in keep state code.
-
-update examples.
-
-3.2.5 09/05/98 - Released
-
-BSD/OS 3.1 .o files added for the kernel.
-
-fix sequence # skew vs window size check.
-
-fix minimum ICMP header size check.
-
-remove references to Cybersource.
-
-fix my email address.
-
-remove ntohl in ipnat - Thomas Tornblom
-
-3.2.4 09/04/98 - Released
-
-add script to make devices for /dev on BSD boxes
-
-fixup building into the kernel for FreeBSD 2.2.5
-
-add -D command line option to ipmon to make it a daemon and SIGHUP causes
-it to close and reopen the logfile
-
-fixup make clean and make package for SunOS5 - Marc Boucher
-
-postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
-
-protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
-
-3.2.3 10/11/97 - Released
-
-fix some iplang bugs
-
-fix tcp checksum data overrun, sgi #define changes,
-avoid infinite loop when nat'ing to single IP# - Marc Boucher
-
-fixup DEVFS usage for FreeBSD
-
-fix sunos5 "make clean" cleaning up too much
-
-3.2.2 28/11/97 - Released
-
-change packet matching to return actual error, if bad packet, to facilitate
-ECONNRESET for TCP.
-
-allow ip:netmask in grammar too now - Guido
-
-assume IRIX has u_int32_t in sys/types.h (needed for R10000)
-
-rewrite parts of command line options for ipmon
-
-fix TCP urgent packet & offset testing and add LAND attack test for iptest
-
-fix grammar error in yacc grammar for iplang
-
-redirect (rdr) destination port bytes-wapped when it shouldn't be.
-
-general: fr_check now returns error code, such as EHOSTUNREACH or
-ECONNRESET (attempt to make ECONNRESET work for locally outbound
-packets).
-
-linux: enable return-rst, need to filter tcp retransmits which are sent
- separately from normal packets
-
-memory leak plugged in ip_proxy.c
-
-BSDI compatibility patches from Guido
-
-tcp checksum fix - Marc Boucher
-
-recursive mutex and ioctl param fix - Marc Boucher
-
-3.2.1 12/11/97 - Released
-
-port to BSD/OS 3.0
-
-port to Linux 2.0.31
-
-patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher
-
-add "ipf -F s" and "ipf -F S" to flush state table entries.
-
-announce if logging is on or off when ip filter initializes.
-
-"ipf -F a" doesn't flush groups properly for Solaris.
-
-3.2 30/10/97 - Released
-
-ipnat doesn't successfully remove proxy mappings with "-rf" -
-Alexander Romanyu
-
-use K&R C function style for solaris kernel code
-
-use m_adj() to decrease packet size in ftp proxy
-
-use mbufchainlen rather than msgdsize,
-IRIX update - Marc Boucher
-
-fix NetBSD modunload bug (pfil_add_hook done twice)
-
-patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>
-
-3.2beta10 24/10/97 - Released
-
-fix fragment table entries allocated for NAT.
-
-fix tcp checksum calculations over mbuf/mblk boundaries
-
-fix panic for blen < 0 in ftp kernel proxy - marc boucher
-
-fix flushing of rules which have been grouped.
-
-3.2beta9 20/10/97 - Released
-
-some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>
-
-ftp kernel proxy patches from Marc Boucher
-
-3.2beta8 13/10/97 - Released
-
-add support for passing ICMP errors back through NAT.
-
-IRIX port update - Marc Boucher
-
-calculate correct MIN size of packet to log for UDP - Marc Boucher
-
-need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang
-
-copyright header fixups
-
-3.2beta7 23/09/97 - Released
-
-fickup problems introduced by prior merges & changes.
-
-3.2beta6 23/09/97 - Released
-
-patch for spin-reading race condition - Marc Boucher.
-
-IRIX port by Marc Boucher.
-
-compatibility updates for Linux to ipsend
-
-3.2beta5 13/09/97 - Released
-
-patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
-compiler warning things)
-
-ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
-changes.
-
-update manual pages and other documentation updates.
-
-3.2beta4 27/8/97 - Released
-
-enable setting IP and TCP options for iplang/
-
-Solaris2 patches from Marc Boucher.
-
-add groups for filter rules.
-
-3.2beta3 21/8/97 - Released
-
-patches for Solaris2 (interface panic solution ?): fix FIONREAD and
-replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>
-
-change ipsend/* and ipsd/* copyright notices to be the same as ip filter's
-
-patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>
-
-3.2beta2 6/8/97 - Released
-
-make it load on Solaris 2.3
-
-rewrote logging to remove solaris errors, introduced checking to see if the
-same packet is logged successively.
-
-fix filter cache to work when there are no rules loaded.
-
-add "raw" option to ipresend to send entire ethernet frames.
-
-nat list corruption bug - NetBSD - Klaus Klein
-
-3.2beta1 5/7/97 - Released
-
-patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
-lossage, and other NetBSD bits.
-
-NetBSD 1.2G update.
-
-fixup fwtk patches and add protocol field for SIOCGNATL.
-
-rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
-fixes:
-* rdr matched all packets of a given protocol (ignored ports).
-* severe bug in nat_delete which caused system crash/freeze.
-
-change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
-the default CC - cc, not gcc)
-
-3.2alpha9 16/6/97 - Released
-
-added "skip" keyword.
-
-implement preauthentication of packets, as outlined by Guido.
-
-Make it compile as cleanly as possible with -Wall & general code cleanup
-
-getopt returns int, not char. Bernd Ernesti
-
-3.2alpha8 13/6/97 - Released
-
-code added to support "auth" rules which require a user program to allow them
-through. First revision and much of the code came from Guido.
-
-hex output from ipmon doesn't goto syslog when recovering from out of sync
-error. Luke Mewburn (lukem@connect.com.au)
-
-fix solaris2.6 lookup of destination ire's.
-
-ipnat doesn't throw away unused bits (after masking), causing it to
-behave incorrectly. Carson Gaspar
-
-NAT code doesn't include inteface name when matching - Alexey Mavrin
-<lha@elco.spb.ru>
-
-replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.
-
-update install procedures to include ip_proxy.c
-
-mask out unused bits in NAT/RDR rules.
-
-use a generic type (u_32_t) for 32bit variables, rather than rely on
-u_long being such - Jason Thorpe.
-
-create a local "netinet" directory and include from ~netinet/*" rather than
-just "*" to make keeping the code working on ports easier.
-
-add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)
-
-documentation updates.
-
-NetBSD update from Jason Thorpe <thorpej@netbsd.org>
-
-allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij
-
-ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
-<Reinhard.Bertram@KOM.th-darmstadt.de>
-
-3.2alpha7 25/5/97 - Released
-
-add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
-
-setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
-
-split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
-mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
-
-fix (negative) host matching in filtering.
-
-add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
-or later.
-
-make all the candidates for kernel compiling include "netinet/..." and build
-a subdirectory "netinet" when compiling and symlink all .h files into this.
-
-add install make target to Makefile.ipsend
-
-3.2alpha6 8/5/97 - Released
-
-Add "!" (not) to hostname/ip matching.
-
-Automatically add packet info to the fragment cache if it is a fragment
-and we're translating addreses for.
-
-Automatically add packet info to the fragment cache if it is a fragment
-and we're "keeping state" for the packet.
-
-Solaris2 patches - Anthony Baxter (arb@connect.com.au)
-
-change install procedure for FreeBSD 2.2 to allow building to a kernel
-which is different to the running kernel.
-
-add FIONREAD for Solaris2!
-
-when expiring NAT table entries, if we would set a time to fr_tcpclosed
-(which is 1), make it fr_tcplaskack(20) so that the state tables have a
-chance to clear up.
-
-3.2alpha5
-
-add proxying skeleton support and sample ftp transparent proxy code.
-
-add printfs at startup to tell user what is happening.
-
-add packets & bytes for EXPIRE NAT log records.
-
-fix the "install-bsd" target in the root Makefile. Chris Williams
-<psion@mv.mv.com>
-
-Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
-
-3.2alpha4 2/4/97 - Released
-
-Some compiler warnings cleaned up.
-
-FreeBSD-2.2 patches for LKM completed.
-
-3.2alpha3 31/3/97 - Released
-
-ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
--a for reading all. -n now toggles hostname resolution.
-
-Add logging of new state entries and expiration of old state entries.
-count log successes and failures.
-
-Add logging of new NAT entries and expiration of old NAT entries.
-count log successes and failures.
-
-Use u_quad_t for records of bytes & packets where kept
-(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).
-
-Fixup use of CPU and DCPU in Makefiles.
-
-Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>
-
-3.2alpha2
-
-Implement mapping to 0/32 as being an alias for automatically using the
-interface's first IP address.
-
-Implement separate minor devices for both NAT and IP state code.
-
-Fully prototype all functions.
-
-Fix Makefile problem due to attempt to fix Sun compiling problems.
-
-3.1.10 23/3/97 - Released
-
-ipfstat -a requires a -i or -o command line option too. Print an error
-when not present rather than attempt to do something.
-
-patch updates for SunOS4 for kernel compiling.
-patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
-<schorr@ead.dsa.com>
-
-too many people hit their heads hard when compiling code into the kernel
-that doesn't let any packets through. (fil.c - IPF_NOMATCH)
-
-icmp-type parsing doesn't return any errors when it isn't constructed
-correctly. Neil Readwin
-
-Using "-conf" with modload on SunOS4 doesn't work.
-Timothy Demarest <demarest@arraycomm.com>
-
-Need to define ARCH in makefile for SunOS4 building. "make sunos4"
-in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
-[all SunOS targets now run buildsunos]
-
-NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
-information. ArkanoiD <ark@paranoid.convey.ru>
-
-Need to check for __FreeBSD_version being 199511 rather than 199607
-in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>
-
-3.1.9 8/3/97 - Released
-
-fixed incorrect lookup of active NAT entries.
-
-patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
-fyeung@fyeung8.netific.com (Francis Yeung)
-
-check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
-(erkki@vlsi.fi)
-
-text_readip returns the interface pointer pointing to text on stack -
-Neil Readwin
-
-fix from Pradeep Krishnan for printout rules "with not opt sec".
-
-3.1.8 18/2/97 - Released
-
-Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
-compiling warnings about reuse of m0.
-
-prevent use of return-rst and return-icmp with rules blocking packets going
-out, preventing panics in certain situations.
-
-loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
-
-should use SPLNET/SPLX around expire routines in NAT/frag/state code.
-
-redeclared malloc in 44arp.c -
-
-3.1.7 8/2/97 - Released
-
-Macros used for ntohs/htons supplied with gcc don't always work very well
-when the assignment is the same variable being converted.
-
-Filter matching doesn't not match rule which checks tcp flags on packets
-which are fragments - David Wilson
-
-3.1.7beta 30/1/97 - Released
-
-Fix up NAT bugs introduced in last major change (now tested), including
-nat_delete(), nat_lookupredir(), checksum changes, etc.
-
-3.1.7alpha 30/1/97 - Released
-
-Many changes to NAT code, including contributions from Laurent Joncheray
-<lpj@ans.net>
-
-Use "NO_SLEEP" when allocating memory under SunOS.
-
-Make kernel printf's nicer for BSD/SunOS4
-
-Always do a checksum for packets being filtered going out and being
-processed by fastroute.
-
-Leave kernel to play with cdevsw on *BSD systems with LKM's.
-
-ipnat.1 man page fixes.
-
-3.1.6 21/1/97 - Released
-
-Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
-
-Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
-to free memory twice.
-
-NAT recalculates IP header checksum based on difference between IP#'s and
-port numbers - should be just IP#'s (Solaris2 only)
-
-3.1.5 13/1/97 - Released
-
-fixed setting of NAT timeouts and use different timeouts for concurrent
-TCP sessions using the same IP# mapping (when port mapping isn't used)
-
-multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
-*BSD systems.
-
-3.1.4 10/1/97 - Released
-
-add command line options -C and -F to ipnat to flush NAT list and table
-
-ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
-
-NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
-
-3.1.3 10/1/97 - Released
-
-NAT chains not constructed correctly in hash tables - Antony Y.R Lu
-(antony@hawk.ee.ncku.edu.tw)
-
-Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
-
-man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
-
-ICMP header checksum update now included in NAT.
-
-Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
-
-3.1.2 4/12/96 - Released
-
-ipmon doesn't use syslog all the time when given -s option
-
-fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
-
-check the results of hostname resolution in ipnat
-
-"make *install" fixed for subdirectories.
-
-problems with "ARCH:=" and gnu make resolved
-
-parser reports an error for lines with whitespaces only rather than skipping
-them. D.Carosone@abm.com.au (Daniel Carosone)
-
-patches for integration into NetBSD-current (post 1.2).
-
-add an option to allow non-IP packets going up/down the stream on Solaris2
-to be dropped. John Bass.
-
-3.1.2beta 21/11/96 - Released
-
-make ipsend compile on Linux 2.0.24
-
-changes to TCP kept state algorithm, making it watch state on TCP
-connections in both directions. Also use the same algorithm for NAT TCP.
-
--Wall cleanup - Bernd Ernesti
-
-added "or-block" for "pass .. log or-block" after a suggestion from
-David Oppenheim (davido@optimation.com.au)
-
-added subdirectories for building IP Filter in SunOS5/BSD for different
-cpu architecures
-
-Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
-
-mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
-
-3.1.1 28/10/96 - Released
-
-Installation script fixes and deinstall scripts for IP Filter on:
-SunOS4/FreeBSD/NetBSD
-
-Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
-
-Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
-
-parsing isn't completely case insensitive - David Wilson
-(davidw@optimation.com.au)
-
-Release ipl_mutex across uiomove() calls
-
-print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
-
-ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
-(ts@polynet.lviv.ua)
-
-New algorithm for setting timeouts for TCP connection (more closely follow
-TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
-
-Track both window sizes for TCP connections through "keep state".
-
-Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
-(wezel@bio.vu.nl)
-
-3.1.1-beta2 6/10/96 - Released
-
-Solaris2 fastroute/dup-to/to now works
-
-ipmon `record' reading rewritten
-
-Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
-
-Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
-(davidw@optimation.com.au)
-
-Michael Ryan (mike@NetworX.ie) reports the following:
-* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
- value of 1, unlike any other implementation I've seen, which would set it
- to zero. The "keep state" feature of IP Filter doesn't work when receiving
- non-zero ACK values on new connection requests.
-* */Makefile install rule doesn't install all the binaries/man pages
-* Make ipnat use "tcp/udp" instead of "tcpudp"
-* Print out "tcp/udp" properly
-* ipnat "portmap tcp" matches "portmap udp" when adding/removing
-* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
-
-3.1.1-beta 1/9/96 - Released
-
-add better detection of TCP connections closing to TCP state monitoring.
-
-fr_addstate() not called correctly for fragments. "keep state" and
-"keep frag" code don't work together 100% - Songqing Cai
-(songqing_cai@sterling.com)
-
-call to fr_addstate() incorrect for adding state in combination with keeping
-fragment information - Songqing Cai (songqing_cai@sterling.com)
-
-KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
-(cgull@smoke.marlboro.vt.us)
-
-make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
-(dima@best.net)
-
-3.1.1-alpha 23/8/96 - Released
-
-kernel panic's when ICMP packets go through NAT code
-
-stats aren't zero'd properly with ipf -Z
-
-ipnat doesn't show port numbers correctly all the time and also add the
-protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
-
-fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
-
-NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
-
-Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
-
-ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
-(nrh@tardis.ed.ac.uk)
-
-3.1.0 7/7/96 - Released
-
-Reformatted ipnat output to be compatible with it's input, so that
-"ipnat -l | ipnat -rf -" is possible.
-
-3.1.0beta 30/6/96 - Released
-
-NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
-
-kernel module must not be installed stripped (Solaris2), as created by
-"make package" for Solaris2 - Peter Heimann
-(peter@i3.informatik.rwth-aachen.de)
-
-3.1.0alpha 5/6/96 - Released
-
-include examples in package for solaris2
-
-patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
-
-removed trailing space from printouts of rules in ipf.
-
-ipresend supports the same range of inputs that ipftest does.
-
-sending a duplicate copy of a packet to another network devices is now
-supported. ("dup-to")
-
-sending a packet to an arbitary interface is now supported, irrespective
-of its actual route, with no ttl decrement. Can also be routed without
-the ttl being decremented. ("to" and "fastroute").
-
-"call" option added to support calling a generic function if a packet is
-matched.
-
-show all (upto 4) recorded bytes from the interface name in logging from
-ipmon.
-
-support for using unix file permissions for read/write access on the device
-is now in place.
-
-recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
-
-ipftest doesn't call initparse() for THISHOST - Catherine Allen
-(cla@connect.com.au)
-
-Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
-
-3.0.4 10/4/96 - Released
-
-looop in `parsing' IP packets with optlen 0 for ip options.
-
-rule number not initialized and resulted in unexpected results for state
-maching.
-
-option parsing and printing bugs - Pradeep Krishnan
-
-3.0.4beta 25/3/96 - Released
-
-wouldn't parse "keep flags keep state" correctly.
-
-SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
-
-patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
-from Thorsten Lockert <tholo@tetherless.com>
-
-b* functions in fil.c on Solaris 2.4
-
-3.0.3 17/3/96 - Released
-
-added patches to support IP Filter initialisation when compiled into the
-kernel.
-
-added -x option to ipmon to display hex dumps of logged packets.
-
-added -H option to ipftest to allow ascii-hex formatted input to specify
-arbitary IP packets.
-
-Sending TCP RSTs as a response now work for Solaris2 x86
-
-add patches to make IP Filter compile into NetBSD kernels properly.
-
-patch to stop SunOS 4.1.x kernels panicing with "data traps".
-
-ipfboot script unloads and reloads ipf module on Solaris2 if it is already
-loaded into the kernel.
-
-Installation of IP Filter as a Solaris2 package is now supported.
-
-Man pages for ipnat.4, ipnat.5 added.
-
-added some more regression tests and fixed up IP Filter to pass the new tests
-(previous versions failed some of the tests in set 12).
-
-IP option filter processing has changed so that saying "with opt lsrr" will
-check only for that one, but not mask out other options, so a packet with
-strict source routing, along with loose source routing will match all of
-"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
-
-IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
-
-patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
-
-make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
-
-strtol() returns 0x7fffffff for all negative numbers,
-printfr() generates incorrect output for "opt sec-class *",
-handling of "not opt xxx opt yyy" incorrect.
-- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
-
-m_pullup() called only for input and not output; caused problems
-with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
-
-parsing problem for "port 1" and NetBSD patches incorrect -
-Andreas Gustafsson (gson@guava.araneus.fi)
-
-3.0.2 4/2/96 - Released
-
-Corrected bug where NAT recalculates checksums for fragments.
-
-make NAT recalculate UDP checksums (rather than setting them to 0),
-if they're non-zero.
-
-DNS patches - Real Page (Real.Page@Matrox.com)
-
-alteration of checksum recalculations in NAT code and addition of
-redirection with NAT - Mike Neuman
-
-core dump, if tcp/udp is used with a port number and not service name,
-in ipf - Mike Neuman (mcn@engarde.com)
-
-initparse() call, missing to prime "<thishost>" hook - Craig Bishop
-
-3.0.1 14/1/96 - Released
-
-miscellaneous patches for Solaris2
-
-3.0 14/1/96 - Released
-
-Patch included for FDDI, from Richard Ohnemus
-(Richard_Ohnemus@dallas.csd.sterling.com)
-
-Code cleanup for release.
-
-3.0beta4 10/1/96
-
-recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
-
-recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
-
-3.0beta3 9/1/96
-
-FIxup for Solaris2.5 install and interface name bug in ipftest from
-Julian Briggs (julian@lightwork.co.uk)
-
-Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
-
-3.0beta2 7/1/96
-
-Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
-Note, this isn't really what one would call IP account, when compared to
-process accounting, sigh.
-
-Split up ipresend into iptest/ipresend/ipsend
-
-Added another m_pullup() inside fr_check() for BSD style kernels and
-added some checks to ipllog() to not log more than is present (for short
-packets).
-
-Fixed bug where failed hostname/netname resolution goes undetecte and
-becomes 0.0.0.0 (any) (reported Guido van Rooij)
-
-3.0beta 11/11/95 - Released
-
-Rewrote the way rule testing is done, reducing the number of files needed and
-generated.
-
-SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
-
-Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
-BSD based Unixes (panic'd)
-
-Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
-(I think someone else already told me about these but they got lost :-/)
-
-Changed Makefile structure to build object files for different operating
-systems in separate directories by default.
-
-BSDI has ef0 for first ethernet interface
-
-Allow for a "not" operator before optional keywords.
-
-The "rule number" was being incorrectly incremented every time it went through
-the loop rather than when it matched a rule.
-
-2.8.2 24/10/95 - Released
-
-Fixed up problems with "textip" for doing lots of testing.
-
-Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
-
-Solaris 2.4 port now works 100%.
-
-Man page errors reported and fixed.
-
-Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
-
-Fixed ipmon output to put a space after the log-letter.
-
-Patch from Guido van Rooij to fix parsing problem.
-
-2.8.1 15/10/95 - Released
-
-Added ttl and tos filtering.
-
-Patches for fixing up compilation and port problems (little endian)
-from Guido van Rooij <guido@IAEhv.nl>.
-
-Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
-
-ipsend doesn't compile properly on Solaris2.4
-
-Lots of work done for Solaris2.4 to make it MT/MP safe and work.
-
-2.8 15/9/95 - Released
-
-ipmon can now send messages to syslogd (-s) and use names instead of
-numbers (-N).
-
-IP packets are now "compiled" into a structure only containing filterable
-bits.
-
-Added regression testing in the test/ subdirectory, using a new option
-(-b) with the ipftest program.
-
-Added "nomatch" return to filter results. These are counted and show
-up in reports from ipfstat.
-
-Moved filter code out of ip_fil.c and into fil.c - there is now only one
-instance of it in the package.
-
-Added Solaris 2.4 support.
-
-Added IPSO basic security option filtering.
-
-Added name support for filtering on all 19 named IP options.
-
-Patches from Ivan Brawley to log packet contents as well as packet headers.
-
-Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
-
-Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
-along with a new ioctl, SIOCFRENB.
-From: Dieter Dworkin Muller <dworkin@village.org>
-
-2.7.3 31/7.95 - Released
-
-Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
-
-ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
-
-Brought ipftest program upto date with actual filter code.
-
-Filter would cause a match to occur when it wasn't meant to if the packet
-had short headers and was missing portions that should have been there.
-Err, it would rightly not match on them, but their absence caused a match
-when it shouldn't have been.
-
-2.7.2 26/7/95 - Released
-
-Problem with filtering just SYN flagged packets reported by
-Dieter Dworkin Muller <dworkin@village.org>. To solve this
-problem, added support for masking TCP flags for comparison "flags X/Y".
-
-2.7.1 9/7/95 - Released
-
-Added ip_dirbroadcast support for Sun ip_input.c
-
-Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
-better.
-
-2.7 7/7/95 - Released
-
-Added "return-rst" to return TCP RST's to TCP packets.
-
-Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.
-
-Added insertion of filter rules. Use "@<#>" at the beginning of a filter
-to insert a rule at row #.
-
-Filter keeps track of how many times each rule is matched.
-
-Changed compile time things to match kernel option (IPFILTER_LKM &
-IPFILTER_LOG).
-
-Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
-(No change required for 3.6)
-
-Now includes TCP fragments which start inside the TCP header as being short.
-Added counting the number of times each rule is matched.
-
-
-2.6 11/5/95 - Released
-
-Added -n option to ipf: when supplied, no changes are made to the kernel.
-
-Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
-
-Rewrote filtering to use a more generic mask & match procedure for
-checking if a packet matches a rule.
-
-2.5.2 27/4/95 - Released
-
-"tcp/udp" and a non-initialised pointer caused the "proto" to become
-a `random' value; added "ip#/dotted.mask" notation to the BNF.
-From Adam W. Feigin <feigin@iis.ee.ethz.ch>
-
-2.5.1 22/3/95 - Released
-
-"tcp/udp" had a strange effect (undesired) on getserv*() functions,
-causing protocol/service lookups to fail. Reported by Matthew Green.
-
-2.5 17/3/95 - Released
-
-Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
-output through the ipftest program. Suggestions from:
-Michael Ciavarella (mikec@phyto.apana.org.au)
-
-Conflicts occur when "general" filter rules are used for ports and the
-lack of a "proto" when used with "port" matches other packets when only
-TCP/UDP are implied.
-Reported Matthew Green (mrg@fulcom.com.au);
-reported & fixed 6-8/3/95
-
-Added filtering of short TCP packets using "with short" 28/2/95
-(These can possibly slip by checks for the various flags). Short UDP
-or ICMP are dropped to the floor and logged.
-
-Added filtering of fragmented packets using "with frag" 24/2/95
-
-Port to NetBSD-current completed 20/2/95, using LKM.
-
-Added logging of the rule # which caused the logging to happen and the
-interface on which the packet is currently as suggested by
-Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
-
-2.4 9/2/95 - Released
-Fixed saving of IP headers in ICMP packets.
-
-2.3 29/1/95
-Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
-Fixed iplread() and iplsave() with help from Marc Huber.
-
-2.2 7/1/95 - Released
-Added code from Marc Huber <huber@fzi.de> to allow it to allocate
-its own major char number dynamically when modload'ing. Fixed up
-use of <, >, <=, >= and >< for ports.
-
-2.1 21/12/94 - Released
-repackaged to include the correct ip_output.c and ip_input.c *goof*
-
-2.0 18/12/94 - Released
-added code to check for port ranges - complete.
-rewrote to work as a loadable kernel module - complete.
-
-1.1
-added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.
-
-1.0 22/04/93 - Released
-First release cut.
diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT
deleted file mode 100644
index 0ef7a3d..0000000
--- a/contrib/ipfilter/IMPORTANT
+++ /dev/null
@@ -1,11 +0,0 @@
- ****************************************
- IMPORTANT NOTICE
- ****************************************
-1)
-
-If you have BOTH GNU make and the normal make shipped with your system,
-DO NOT use the GNU make to build this package.
-
-Darren
-darrenr@pobox.com
- ****************************************
diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2
deleted file mode 100644
index 78f7295..0000000
--- a/contrib/ipfilter/INST.FreeBSD-2.2
+++ /dev/null
@@ -1,60 +0,0 @@
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
- 1. In /sys/i386/conf, create a new kernel config file (to be used
- with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
-
- 2. build the object files, telling it the name of the kernel to be
- used. "freebsd22" MUST be the target, so the command would be
- something like this: "make freebsd22 IPFILKERN=FIREWALL"
-
- 3. do "make install-bsd"
- (probably has to be done as root)
-
- 4. run "FreeBSD-2.2/minstall" as root
-
- 5. build a new kernel
-
- 6. install and reboot with the new kernel
-
- 7. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 8. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
- under the name (IPL_NAME) from the Makefile. It will also remove itself
- from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
-*** KERNEL INSTALL CURRENTLY UNSUPPORTED ***
- 1. do "make freebsd22"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-2.2/kinstall" as root
-
- 4. build a new kernel
-
- 5a) For FreeBSD 2.2 (or later)
- create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
-
- 5b) For versions prior to FreeBSD 2.2:
- create devices for IP Filter as follows (assuming it was
- installed into the device table as char dev 20):
- mknod /dev/ipl c 20 0
- mknod /dev/ipnat c 20 1
- mknod /dev/ipstate c 20 2
- mknod /dev/ipauth c 20 3
-
- 6. install and reboot with the new kernel
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.BSDOS b/contrib/ipfilter/INSTALL.BSDOS
deleted file mode 100644
index 17d9602..0000000
--- a/contrib/ipfilter/INSTALL.BSDOS
+++ /dev/null
@@ -1,35 +0,0 @@
-
-BSD/OS users.
--------------
-
-First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
-directory with the command "make bsdos". If this completes successfully,
-install the various bits and pieces with "make install-bsd".
-
-Prior to starting, it is a good idea for you to know what your kernel config
-file is (it appears that the script guesses incorrectly at present).
-
-Once you have that in mind, run the 'kinstall' script in the correct
-BSDOS3 or BSDOS4 directory. This will attempt to patch a bunch of files
-or install the relevant .o files if you don't have kernel source.
-It will also go and install all the IP Filter .c and .h files where they
-can be find when it comes time to build the kernel.
-
-The script will then pause and ask you for your kernel configuration
-file. After you enter this, it will add "options IPFILTER" to your
-kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
-"options IPFILTER_LOG" to your kernel configuration file NOW!
-
-Now that you've got your kernel configuration file done, use config
-to setup a new kernel build and complete with make.
-
-When the kernel rebuilt is complete, put it into / and reboot with
-your new kernel. If IP Filter has been configured into your kernel
-correctly, you will see a message like this when your system boots:
-
-IP Filter: initialized. Default = pass all, Logging = enabled
-
-Upon logging in, the IP Filter commands ipfstat, et al, should all
-function properly.
-
-Darren
diff --git a/contrib/ipfilter/INSTALL.BSDOS3 b/contrib/ipfilter/INSTALL.BSDOS3
deleted file mode 100644
index 8842b98..0000000
--- a/contrib/ipfilter/INSTALL.BSDOS3
+++ /dev/null
@@ -1,44 +0,0 @@
-
-BSD/OS 3.x users.
------------------
-
-First, you will need to either:
-(a) have a source license for the kernel so you can patch some files or
-(b) obtain the relevant pre-compiled .o files (I can't supply these yet).
-
-The files which you will need patched are:
-ip_input.c, ip_output.c (maybe in_proto.c and ioconf.c.i386 too - NOT sure).
-
-First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
-directory with the command "make bsdos". If this completes successfully,
-install the various bits and pieces with "make install-bsd".
-
-Prior to starting, it is a good idea for you to know what your kernel config
-file is (it appears that the script guesses incorrectly at present).
-
-Once you have that in mind, run the 'kinstall' script in the BSDOS3
-directory. This will attempt to patch a bunch of files. If you've
-obtained the relevant .o files, ignore the errors, otherwise please
-report them to me and mention which version of BSD/OS you are using
-and on what platform (Sparc, i386, etc). It will also go and install
-all the IP Filter .c and .h files where they can be find when it comes
-time to build the kernel.
-
-The script will then pause and ask you for your kernel configuration
-file. After you enter this, it will add "options IPFILTER" to your
-kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
-"options IPFILTER_LOG" to your kernel configuration file NOW!
-
-Now that you've got your kernel configuration file done, use config
-to setup a new kernel build and complete with make.
-
-When the kernel rebuilt is complete, put it into / and reboot with
-your new kernel. If IP Filter has been configured into your kernel
-correctly, you will see a message like this when your system boots:
-
-IP Filter: initialized. Default = pass all, Logging = enabled
-
-Upon logging in, the IP Filter commands ipfstat, et al, should all
-function properly.
-
-Darren
diff --git a/contrib/ipfilter/INSTALL.FreeBSD b/contrib/ipfilter/INSTALL.FreeBSD
deleted file mode 100644
index a4a787a..0000000
--- a/contrib/ipfilter/INSTALL.FreeBSD
+++ /dev/null
@@ -1,56 +0,0 @@
-
-This file is for use with FreeBSD 4.x and 5.x only.
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
- 1. For FreeBSD version:
- 4.* do make freebsd4
- 5.* do make freebsd5
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. Run "BSD/kupgrade"
-
- 4. build a new kernel
-
- 5. install and reboot with the new kernel
-
- 6. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
- under the name (IPL_NAME) from the Makefile. It will also remove itself
- from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
- 1. For FreeBSD version:
- 4.* do make freebsd4
- 5.* do make freebsd5
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD/kinstall" as root
-
- 4. build a new kernel
-
- 5.
- b) If you are using FreeBSD-3 or later:
- create devices for IP Filter as follows (assuming it was
- installed into the device table as char dev 20):
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
- mknod /dev/ipsync c 79 4
- mknod /dev/ipscan c 79 5
-
- 6. install and reboot with the new kernel
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.IRIX b/contrib/ipfilter/INSTALL.IRIX
deleted file mode 100644
index b64d434..0000000
--- a/contrib/ipfilter/INSTALL.IRIX
+++ /dev/null
@@ -1,108 +0,0 @@
-
-IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
-as well. Under IRIX 5.3, it has been successfully compiled and linked in the
-kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.
-
-To build a kernel with the IP filter and install it on your system,
-follow these steps:
-
- 1. edit the top-level Makefile to
- a) comment-out the IPFLKM definition.
- This means changing the line reading:
- IPFLKM=-DIPFILTER_LKM
- to
- #IPFLKM=-DIPFILTER_LKM
- b) select the system's compiler (cc)
- This means changing the line reading:
- CC=gcc
- to
- CC=cc
- b) enable full optimization
- This means changing the lines reading:
- DEBUG=-g
- CFLAGS=-I$$(TOP)
- to
- DEBUG=
- CFLAGS=-O2 -I$$(TOP)
-
- 1. do "make irix" (Warning: GNU make is not supported, so if it has
- been installed on your system, verify your path and/or do "which make"
- to guarantee that IRIX's /sbin/make has precedence)
-
- 2. do "make install-irix" as root
- (a new kernel will be automatically built)
-
- 3. determine the filtering rules and place them in /etc/ipf.conf
- and /etc/ipnat.conf
-
- 4. do "init 6" as root to reboot with the new kernel
-
- After restarting, the filter should be active and behaving according to
- the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf.
-
- These files can be changed at any time, and reloaded using the
- following command sequence:
-
- # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start
-
-
-To remove the IP Filter from your kernel, follow these steps:
-
- 1. Delete the /var/sysgen/boot/ipfilter.o file
-
- # rm /var/sysgen/boot/ipfilter.o
-
- 2. If SGI's ipfilter.o had been previously installed, restore it
- back to its original location
-
- # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o
-
- 3. Build a new kernel
-
- # /etc/autoconfig
-
- 4. Delete the /etc/rc2.d/S33ipf symbolic link
-
- # rm /etc/rc2.d/S33ipf
-
- 5. Reboot
-
- # init 6
-
-
-ADDITIONAL NOTES:
-
- - The IP filter uses the same kernel interface to the IP driver as
- SGI's ipfilter. In fact, it is installed in place of SGI's
- /var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
- to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
- ipfilterd daemon is not running simultaneously, since this package uses
- the same major device number.
-
- - We have not tested IP Filter on a multiprocessor machine yet.
- However, feel free to try it and send your experiences/patches
- back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
- systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
- probably be uncommented on the DFLAGS line of IRIX/Makefile if your
- machine has more than one processor.
-
- - It is also possible to build IP Filter as a dynamically loadable
- kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
- top-level Makefile), but this is not recommended other than for testing
- and debugging purposes, because the only possible method for dynamic
- attachment to the IP stack (instruction patching) is highly dependent
- on the processor architecture. The code provided has only been tested
- with IP22 CPU boards and can sometime cause panics during loading due
- to a potential race condition.
-
-
-CREDITS:
-
- IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>
-
- Marc Boucher wishes to thank the
- ICARI Institute (http://www.icari.qc.ca)
- and
- Aurelio Cascio <aurelio@toonboom.com>
- for their financial support and testing facilities, respectively.
-
diff --git a/contrib/ipfilter/INSTALL.Linux b/contrib/ipfilter/INSTALL.Linux
deleted file mode 100644
index 1a5d15b..0000000
--- a/contrib/ipfilter/INSTALL.Linux
+++ /dev/null
@@ -1,50 +0,0 @@
-IP-Filter on Linux 2.0.31
--------------------------
-
-NOTE: I have *ONLY* compiled and created patches for using IP Filter on
- Linux 2.0.31. Any other kernel revision may need seprate patches.
- Also, I've only tested on a x86 CPU so I can't make any guarantees
- about it working on Sparc/Mac/Amiga.
-
-First, you should do a sanity check of your system to make sure it will
-compile IP Filter. You will need a "libfl" and a "libelf". If you don't
-have these, install them before proceeding.
-
-The installation and compiliation process assumes that Linux 2.0.31
-will be in the /usr/src/linux directory and that all the symbolic links
-in /usr/include match. /usr/src/linux may be a symbolic link too, but
-it must point to a 2.0.31 kernel source tree.
-
-The first step is to make the IP Filter binaries. Do this with a
-"make linux" from the ip_fil3.2.x directory. If this completes with
-no errors, install IP Filter with a "make install-linux".
-
-Now that the user part of it is complete, it is time to work on the kernel.
-To start this off, run "Linux/minstall". This will configure the devices
-you will need for the IP Filter. Then run "Linux/kinstall". This will
-patch your kernel source code and configuration files so you can enabled IP
-Filter. You must now go to /usr/src/linux and configure your kernel using one
-of the available interfaces to enable IP Filter. IP Filter will be presented
-as a three way choice "y/m/n" - select "m" to enable it. Save your kernel
-configuration file, rebuild, install and reboot with the new kernel.
-
-When you've rebooted with the new kernel, you should be able to load
-IP Filter with the command "insmod if_ipl". All going will, you will
-see a message like this on your console:
-
-IP Filter: initialized. Default = pass all, Logging = enabled
-
-indicating that IP Filter has successfully been loaded into the kernel
-and is awaiting.
-
-Darren
-
-Features Not Available on Linux, yet:
-
-- compiled into the kernel
-"<action> in on <if> to <if> ..."
-"<action> in on <if> dup-to <if> ..."
-"<action> in on <if> fastroute ..."
-"block return-rst ..."
-"map ... proxy ..." (Linux's masquerading is better at present)
-
diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD
deleted file mode 100644
index 012d6d7..0000000
--- a/contrib/ipfilter/INSTALL.NetBSD
+++ /dev/null
@@ -1,59 +0,0 @@
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
- 1. do "make netbsd"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3(a) NetBSD systems prior to 1.2:
- run "NetBSD/minstall" as root
- 3(b) NetBSD 1.2 systems or later:
- run "NetBSD-1.2/minstall" as root
-
- 4. build a new kernel
-
- 5. install and reboot with the new kernel
-
- 6. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
- under the name (IPL_NAME) from the Makefile. It will also remove itself
- from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
- 1. do "make netbsd"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3(a) NetBSD systems prior to 1.2:
- run "NetBSD/kinstall" as root
- 3(b) NetBSD 1.2 systems or later:
- run "NetBSD-1.2/kinstall" as root
- 3(c) If conf.c fails on the 2nd hunk of the patch, you will have to
- manually apply the patch.
-
- 4. build a new kernel
-
- 5. Create device files. For NetBSD-1.2 (or later), use 49 as the
- major number. For NetBSD-1.1 or earlier, use 59. Run these
- commands as root, substituting <major> for the appropriate number:
-
- mknod /dev/ipl c <major> 0
- mknod /dev/ipnat c <major> 1
- mknod /dev/ipstate c <major> 2
- mknod /dev/ipauth c <major> 3
-
- ** NOTE: both the numbers 49 and 59 should be substituted with
- whatever number you inserted it into conf.c as.
-
- 6. install and reboot with the new kernel
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2
deleted file mode 100644
index 5ba84b9..0000000
--- a/contrib/ipfilter/INSTALL.Sol2
+++ /dev/null
@@ -1,28 +0,0 @@
-
-For those running Solaris 2.5 or later, please read COMPILE.2.5 before
-building IP Filter.
-
-Type "make solaris" to build all the required binaries. DO NOT USE THE
-GNU make!!!
-
-Once IP Filter has been successfully compiled, you may then install it using
-the usual package method (using pkgadd), however, the package needs to be
-created, prior to pkgadd'ing. To create the package in /var/spool/pkg, change
-directory to SunOS5 and enter the following command:
-
-make package
-
-This will build the package into SunOS5/<arch>/root, copy that to
-/var/spool/pkg as a package and then start the installation using
-pkgadd.
-
-As part of the postinstall script, it will install loadable kernel module
-as part of Solaris 2 (using add_drv) making it available for immeadiate use.
-
-IP Filter will be installed into /opt/CYBSipf (programs, manual pages and
-examples) and create a directory /etc/opt/CYBSipf with a null body file
-called "ipf.conf" using touch. The rc scripts have been written to look
-for the configuration file here, using the installed binaries in /sbin.
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.SunOS b/contrib/ipfilter/INSTALL.SunOS
deleted file mode 100644
index 0d4dd8c..0000000
--- a/contrib/ipfilter/INSTALL.SunOS
+++ /dev/null
@@ -1,40 +0,0 @@
-
-To install as a Loadable Kernel Module (LKM):
-
- 1. do a "make solaris" in this directory
-
- 2. Run the script "SunOS4/minstall" as root.
-
- 3. change directory to SunOS4 and run "make install"
-
- 4. Reboot using the new kernel
-
- 5. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 6. do "modstat" to confirm that it has been loaded successfully.
-
- There is no need to use mknod to create the device in /dev;
- - upon loading the module, it will create itself with the correct
- values, under the name (IPL_NAME) from the Makefile. It will
- also remove itself from /dev when it is modunload'd.
-
-
-To install as part of a SunOS 4.1.x kernel:
-
- 1. do a "make solaris" in this directory
-
- 2. Run the script "SunOS4/kinstall" as root.
- NOTE: This script sets up /dev/ipl as char. device 59,0
- in /sys/sun/conf.c
-
- 3. Run the following commands as root:
- mknod /dev/ipl c 59 0
- mknod /dev/ipnat c 59 1
- mknod /dev/ipstate c 59 2
- mknod /dev/ipauth c 59 3
-
- 4. Reboot using the new kernel
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/INSTALL.xBSD b/contrib/ipfilter/INSTALL.xBSD
deleted file mode 100644
index b06ad4b..0000000
--- a/contrib/ipfilter/INSTALL.xBSD
+++ /dev/null
@@ -1,44 +0,0 @@
-
-To build a kernel for use with the loadable kernel module, follow these
-steps:
- 1. do "make bsd"
-
- 2. cd to the "BSD" directory and type "make install"
-
- 3. run "4bsd/minstall" as root
-
- 4. build a new kernel
-
- 5. install and reboot with the new kernel
-
- 6. use modload(8) to load the packet filter with:
- modload if_ipl.o
-
- 7. do "modstat" to confirm that it has been loaded successfully.
-
-There is no need to use mknod to create the device in /dev;
-- upon loading the module, it will create itself with the correct values,
- under the name (IPL_NAME) from the Makefile. It will also remove itself
- from /dev when it is modunload'd.
-
-To build a kernel with the IP filter, follow these steps:
-
- 1. do "make bsd"
-
- 2. cd to the "BSD" directory and type "make install"
-
- 3. run "4bsd/kinstall" as root
-
- 4. build a new kernel
-
- 5. create devices for IP Filter as follows (assuming it was
- installed into the device table as char dev 20):
- mknod /dev/ipl c 20 0
- mknod /dev/ipnat c 20 1
- mknod /dev/ipstate c 20 2
- mknod /dev/ipauth c 20 3
-
- 6. install and reboot with the new kernel
-
-Darren
-darrenr@pobox.com
diff --git a/contrib/ipfilter/IPF.KANJI b/contrib/ipfilter/IPF.KANJI
deleted file mode 100644
index 85af5ce..0000000
--- a/contrib/ipfilter/IPF.KANJI
+++ /dev/null
@@ -1,465 +0,0 @@
-IP filter $B%7%g!<%H%,%$%I(B Dec, 1999
-
-$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html
-FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
-
- $B30;3(B $B=c@8(B <sumio@is.s.u-tokyo.ac.jp>
- $B;3K\(B $BBY1'(B <ymmt@is.s.u-tokyo.ac.jp>
-
------
-$B$O$8$a$K(B
-
-IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
-$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
-
-$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
-$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
- Solaris/Solaris-x86 2.3 - 8 (early access)
- SunOS 4.1.1 - 4.1.4
- NetBSD 1.0 - 1.4
- FreeBSD 2.0.0 - 2.2.8
- BSD/OS-1.1 - 4
- IRIX 6.2
-$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
-
-$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
-$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
-
-$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
-ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
-(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
-$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
-driver $B$r:n$C$F$/$@$5$$!#(B
-
------
-$B@_Dj%U%!%$%k$N5-=RJ}K!(B
-
-IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
-$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
-$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
-
-$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
-$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
-$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
-
-$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
- 123.45.1.0/24
-$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
-
-$B$^$?!"(Bgateway $B$O(B
- 123.45.1.111 (hme0)
-$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
- 123.45.2.10 (hme1)
-$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## quickly deny malicious packets
-#
-block in quick from any to any with short
-block in log quick from any to any with ipopts
-===================== $B$3$3$^$G(B ====================
-
-$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
-$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
-
-log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
-$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
-$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
-$B$7$^$$$^$9!#(B
-
-/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
-ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
-$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
-$B$K=q$/$H$h$$$G$7$g$&!#(B
-
-ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
-
-${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
-$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
-local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
-$BNc$($P!"(B
-
-local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
-
-
-quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
-$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
-$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## group setup
-#
-block in on hme1 all head 100
-block out on hme1 all head 150
-pass in quick on hme0 all
-pass out quick on hme0 all
-===================== $B$3$3$^$G(B ====================
-
-$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
-$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
-(pass quick)$B$7$F$$$^$9!#(B
-
-all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
-
-$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
-$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
-$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
-$B0UL#$G$9!#(B
-
-
-===================== $B$3$3$+$i(B ====================
-########## deny IP spoofing
-#
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from 123.45.2.10/32 to any group 100
-block in log quick from 123.45.1.111/24 to any group 100
-#
-########## deny reserved addresses
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-===================== $B$3$3$^$G(B ====================
-
-IP $B%"%I%l%9$r2~cb$7$?%Q%1%C%H$rB(:B$K5qH]$7$F$$$^$9!#KvHx$N(B
-group 100 $B$H$$$&$N$O(B head 100 $B$GJ,N`$5$l$?%Q%1%C%H$K$N$_%^%C%A$9(B
-$B$k%k!<%k$H$$$&0UL#$G$9!#(B
-
------
-$B$3$3$^$G$G!"4pK\E*$K(BLAN$BFb$NDL?.$OAGDL$7$@$,30It$H$NDL?.$O%G%U%)(B
-$B%k%H$G0l@Z6X;_$H$$$&@_Dj$K$J$j$^$9!#0J9_$G$O!"$=$N%G%U%)%k%H$KBP(B
-$B$9$kNc30$H$$$&7A$G!"DL$7$?$$%Q%1%C%H$r5-=R$7$F$$$-$^$9!#(B
-
-$B$^$:!"FbIt$+$i30It$X$N@\B3$K4X$9$k@_Dj$r$7$^$9!#(B
-===================== $B$3$3$+$i(B ====================
-########## OUTGOING
-#
-## allow ping out
-#
-pass out quick proto icmp from any to any keep state group 150
-#
-## allow all outgoing UDP packets except for netbios ports (137-139).
-#
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-#
-## pass all TCP connection setup packets except for netbios ports (137-139).
-#
-pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
-block out log quick proto tcp from any to any port 136 >< 140 group 170
-===================== $B$3$3$^$G(B ====================
-
-$B$3$l$O4pK\E*$KA4$F$N%Q%1%C%H$r5v$9%k!<%k$G$9!#$7$+$7!"(Bnetbios
-(137-139/udp, tcp)$B$N%]!<%H$@$1$O6X;_$7$F$$$^$9!#(Bnetbios$B$O(B Windows
-$B$N%U%!%$%k6&M-$G;H$o$l$k%]!<%H$G!"$3$N%]!<%H$,3+$$$F$$$k$H!"(B
-Windows$B$N@_Dj$K$h$C$F$O!"@$3&Cf$+$i%U%!%$%k$rFI$_=q$-$G$-$k(B
-$B62$l$,$"$j$^$9!#(B
-
-$B$3$3$G!"4JC1$K=q<0$r8+$F$*$/$H!"(B
-* $B:G=i$NC18l$G!"(Bblock$B$9$k$+(Bpass$B$9$k$+;XDj$9$k(B
-* proto $B$N8e$NC18l$G!"(Bprotocol$B$r;XDj$9$k(B(udp, tcp, icmp, etc.)$B!#(B
-* from A to B $B$G!"$I$3$+$i$I$3$X$N%Q%1%C%H$+$r;XDj$9$k(B
-* head XXX$B$r;XDj$9$k$H!"$=$N9T$G;XDj$5$l$"$?%Q%1%C%H$O!"(Bgroup
- XXX$B$H$7$F;2>H$G$-$k(B
-* group$B$r;XDj$9$k$3$H$G!"5,B'$rE,MQ$9$k8uJd$r(B($BM=$a(Bhead$B$G@_Dj$7$?(B)
- group$B$K8BDj$G$-$k!#(B
-
-$B$^$?!"(Bfrom A to B$B$N(BA$B$d(BB$B$O!"(BIP$B%"%I%l%9$H(Bport$B$r=q$/$3$H$,$G$-$^$9!#(B
- from any to any port 136 >< 140
-$B$H$$$&$N$O!"(B
- $B!VG$0U$N%]!<%H$NG$0U$N%"%I%l%9$+$i!"(B137$BHV$+$i(B139$BHV%]!<%H$NG$0U$N(B
- $B%"%I%l%9$X$N%Q%1%C%H!W(B
-$B;XDj$7$F$$$k$3$H$K$J$j$^$9!#$^$?!"HV9f$NBe$o$j$K(B/etc/service$B$K5-(B
-$B=R$5$l$F$$$k%5!<%S%9L>$r5-=R$9$k$3$H$b$G$-$^$9!#(B
-$B$?$H$($P(B
- from any to any port = telnet
-$B$H(B
- from any to any port = 23
-$B$OF1$80UL#$H$J$j$^$9!#(B
-
-$B$5$F!"$3$3$G(B quick $B$NNc30$r@bL@$7$F$*$-$^$9!#(Bquick $B$NIU$$$?(B
-rule $B$,(B head $B$G?7$?$J%0%k!<%W$r:n$k>l9g!"=hM}$O$^$@$3$N;~E@(B
-$B$G$O3NDj$7$^$;$s!#0J9_!"!V(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k!W(B
-$B$N$_=hM}$9$k$H$$$&0UL#$K$J$j$^$9!#$G$9$+$i>e$N!"(B
-
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-
-$B$O!"$^$:(B 150$BHV%0%k!<%W$K%^%C%A$9$k(B UDP $B%Q%1%C%H$OAGDL$7(B
-$B$9$k!"$,!"0J2<$N(B 160$BHV$KB0$9$k%k!<%k$r$^$@=hM}$9$k!#(B
-$B$=$7$F(B2$B9TL\$G(B 160$BHV%0%k!<%W$KBP$7$F(B netbios packet $B$r(B
-block $B$7$F$$$kLu$G$9!#(B
-$B0l9TL\$K%^%C%A$7$?%Q%1%C%H$O0J2<$K$b$7(B150$BHV$N%0%k!<%W$N(B
-$B%k!<%k$,$"$C$?$H$7$F$b!"L5;k$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
-
-----------
-$B<!$K!"30It$+$iFbIt$X$N%"%/%;%9$N@_Dj$r$7$^$9!#(B
-
-* $B%k!<%F%#%s%0>pJs(B(RIP)$B$N%Q%1%C%H$O!"A4It5v$7$^$9!#(B
-pass in quick proto udp from any to any port = 520 keep state group 100
-
-* ICMP$B$N%Q%1%C%H$OA4It5v$7$^$9!#(B
-pass in quick proto icmp from any to any group 100
-
-* $BFbIt$+$i30It$X$N(Bftp$B$r5v$9$?$a$K!"(Bftp-data port$B$+$i0lHL%]!<%H$X(B
- $B$NG$0U$N@\B3$r<u$1IU$1$^$9!#$3$l$O(Bpassive mode$B$G$J$$(BFTP$B$N5sF0(B
- $B$G$9!#(B
-pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
-
- $B$7$+$7!"$3$l$O0lHL$K8@$C$FB?>/4m81$J9T0Y$G$9!#@\B3$G$-$k$N$,(B
- 1024$BHV0J9_$N0lHL%]!<%H$K8BDj$O$5$l$^$9$,!"$"$^$j$*4+$a$G$-$^$;$s!#(B
- $B$3$N9T$r2C$($:$K!"(Bpassive mode (ftp $B$G(B pasv $B%3%^%s%I$GF~$l$k(B)
- $B$G(B FTP $B$r$9$k$3$H$r4+$a$^$9!#$J$*!":G6a$N(B FTP client $B$O:G=i(B
- $B$+$i(B passive mode $B$KL5>r7o$G$7$F$7$^$&$b$N$,B?$$$h$&$G$9!#(B
-
-* sendmail$B$d(Bftpd$B$K7R$0$H!"Aj<j$,(Bident$B%]!<%H$X%"%/%;%9$7$F$/$k$3(B
- $B$H$,$"$k$N$G!"(Bident port$B$r3+$1$^$9!#(Bident $B$ODL>o$O5/F0$5$l$F$$(B
- $B$J$$(B daemon $B$J$N$G!"AGDL$7$7$F$b%;%-%e%j%F%#%[!<%k$K$J$k$3$H$O$"(B
- $B$j$^$;$s(B(connection refused$B$K$J$k$@$1$G$9(B)$B!#$3$l$r3+$1$J$$$H!"(B
- $BAj<jB&$O(B timeout $B$9$k$^$G@h$K?J$^$J$$$N$G!"(BFTP $B$d(B mail $B$NAw?.(B
- $B$,$d$?$i$KCY$/$J$k$3$H$,$"$j$^$9!#(B
- $B$b$7(B 113 $BHV%]!<%H$K@\B3$G$-$k$h$&$J$i!"$=$N%5!<%S%9$OB(:B$K(B
- $BDd;_$9$k$3$H$r4+$a$^$9!#(B
-pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
-
-------
-$B<!$K!"30It$+$i(B firewall $B$X$N%"%/%;%9$r5v$9%5!<%S%9$r5-=R$7$F$$$-(B
-$B$^$9!#$^$:$O!"30It$+$i$N@\B3$r5v$7$?$$%[%9%H$K$D$$$F!"%0%k!<%WHV(B
-$B9f$r$D$1$^$9!#(B
-
-===================== $B$3$3$+$i(B ====================
-## grouping by host
-block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
-block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
-===================== $B$3$3$^$G(B ====================
-
-$B$3$l$G!"(B
- $B30It$+$i(B 123.45.1.X $B$X$N@\B3$O(B group 110
- $B30It$+$i(B 123.45.1.Y $B$X$N@\B3$O(B group 111
-$B$G;2>H$9$k$3$H$,$G$-$^$9!#(B
-
-$BB>$K$b5v$7$?$$%[%9%H$rA}$d$7$?$$$H$-$O!">e$HF1MM$K$7$F!"(Bhead$B$N8e(B
-$B$K!"?7$7$$?t;z(B(112, 113$B$J$I(B)$B$r3d$jEv$F$F$/$@$5$$!#(B
-
-$B$b$&0lEYCm0U$7$F$*$-$^$9$,!"(Bquick $B$H(B head $B$,F1;~$K8=$l$k%k!<%k(B
-$B0J9_$G$O!"(Bhead $B$G@k8@$5$l$?%0%k!<%W$N%k!<%k$7$+E,MQ$5$l$J$/$J$j(B
-$B$^$9!#$G$9$+$i!">e$N(B ident $B$d(B ftp data-port $B$N$h$&$K!"FbIt$N(B
-$BA4$F$N%[%9%H$K%^%C%A$9$k%k!<%k$O!"$3$N%[%9%H$K$h$k%0%k!<%WJ,$1(B
-$B$NA0$KCV$/I,MW$,$"$j$^$9!#(B
-
-
-X$B$X$O!"(Btelnet, ftp, ssh $B$r!"(BY$B$X$O!"(Bftp, http, smtp, pop $B$r5v$9$3(B
-$B$H$K$7$^$9!#(B
-
-* X(group 110)$B$X$N(Btelnet$B$r5v$7$^$9(B
-pass in quick proto tcp from any to any port = telnet keep state group 110
-
-* X$B$X$N(Bftp$B$r5v$7$^$9!#(Bftp-data port $B$b3+$1$F$*$-$^$9!#(B
- ($BI,MW$,$"$k$+$I$&$+3NG'$O$7$F$$$^$;$s$,!"3+$1$F$$$F$b0BA4$G$7$g$&(B)$B!#(B
-pass in quick proto tcp from any to any port = ftp keep state group 110
-pass in quick proto tcp from any to any port = ftp-data keep state group 110
-
-* X$B$X$N(Bssh$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 22 keep state group 110
-
-* Y$B$X$N(Bftp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = ftp keep state group 111
-pass in quick proto tcp from any to any port = ftp-data keep state group 111
-pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
-
- Y$B$O(B anonoymous ftp $B%5!<%P$r1?1D$7$F$$$k$?$a(B wu-ftpd $B$r;H$C$F$$(B
- $B$^$9!#(Bwu-ftpd $B$O(B passive mode $B$N(BFTP$B$K$bBP1~$7$F$$$^$9$N$G!"$I(B
- $B$N%]!<%H$r(BPASV$BMQ$K;H$&$+!"(Bwu-ftpd $B$N@_Dj$K=q$$$F$*$/I,MW$,$"$j(B
- $B$^$9!#$3$3$G$O(B3000$B$+$i(B3099$BHV%]!<%H$r;HMQ$9$k$h$&$K!"(Bwu-ftpd $B$r(B
- $B@_Dj$7$F$$$^$9!#(B
-
- passive FTP $B$K$D$$$F2r@b$7$^$9!#(Bpassive FTP $B$O!"%/%i%$%"%s%H$,(B
- $B%U%!%$%"%&%)!<%k$NFbB&$K$$$k>l9g$N$?$a$K3+H/$5$l$?%W%m%H%3%k$G(B
- $B$9!#%G%U%)%k%H$G$O>e$G@bL@$7$?$h$&$K!"%G!<%?E>Aw$N$?$a!"%5!<%P(B
- $B$N(B ftp-data port $B$+$i%/%i%$%"%s%H$K@\B3$,$$$-$^$9!#(B
-
- passive FTP $B$G$O!"%G!<%?E>Aw$b(B client $B$+$i%5!<%P$K@\B3$9$k$h$&(B
- $B$K$J$j$^$9!#$=$N:]!"%5!<%P$OE,Ev$J%]!<%HHV9f$r3d$j?6$C$F!"$=$3(B
- $B$K%/%i%$%"%s%H$,@\B3$9$k$h$&;X<($7$^$9!#(B
-
- $B$3$N$?$a!"%5!<%P$,%U%!%$%"%&%)!<%kFb$K$$$k>l9g!"E,Ev$J%]!<%HHV(B
- $B9f$O%U%!%$%"%&%)!<%k$G$O$M$i$l$F$7$^$$$^$9!#$=$3$G!"(Bwu-ftpd $B$N(B
- $B@_Dj$G!"3d$j?6$k%]!<%HHV9f$NHO0O$r8BDj$7$F!"$=$3$@$1%U%!%$%"(B
- $B%&%)!<%k$K7j$r3+$1$F$$$k$o$1$G$9!#(Bwu-ftpd $B$N>l9g$O!"(Bftpaccess
- $B$H$$$&%U%!%$%k$K(B
-
- # passive ports <cidr> <min> <max>
- passive ports 0.0.0.0/0 3000 3099
-
- $B$HDI2C$9$k$3$H$G@_Dj$G$-$^$9!#(Bftpaccess(5)$B$r;2>H$7$F$/$@$5$$!#(B
-
-* Y$B$X$N(Bhttp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 80 keep state group 111
-
-* Y$B$X$N(Bsmtp$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = smtp keep state group 111
-
-* Y$B$X$N(Bpop$B$r5v$7$^$9!#(B
-pass in quick proto tcp from any to any port = 110 keep state group 111
-
-$B0J>e$N@_Dj$K$h$j!"(BX, Y $B0J30$N%^%7%s$X$N!"30It$+$i$N@\B3$O!"0l@Z(B
-$B9T$($J$/$J$j$^$9$N$G!"(Bremote exploit $BBP:v$O!"(BX, Y $B$K$N$_9T$($P$h(B
-$B$/$J$j!"4IM}$N<j4V$,7Z8:$G$-$^$9!#(B
-
-$BB>$N%W%m%H%3%k$rDL$9>l9g$b!">e$r;29M$K$7$FDL$7$?$$%]!<%HHV9f$r=q(B
-$B$/$@$1$G$9$,!"$$$/$D$+Cm0UE@$,$"$j$^$9!#0J2<$bL\$rDL$7$F$/$@$5$$!#(B
-
------
-$B$=$NB>$NCm0U(B
-
-1) gateway $B%^%7%s$N$h$&$K!"J#?t$N(BIP$B%"%I%l%9$r;}$D%^%7%s$G%5!<%S(B
-$B%9$rN)$A>e$2$k>l9g$O!"$=$l$>$l$N(BIP$B%"%I%l%9$KBP$7$F!"(Bport $B$r3+$/(B
-$BI,MW$,$"$j$^$9!#Nc$($P(B X $B$,(B IP:a $B$H(B IP:b $B$r;}$D$J$i!"(Bgroup $B$O(B a,
-b $B$=$l$>$lMQ0U$7$F!"N>J}$N%0%k!<%WMQ$K(B rule $B$rDI2C$9$kI,MW$,$"$j(B
-$B$^$9!#0J2<$NNc$G$O!"%2!<%H%&%'%$%^%7%s(B(123.45.2.10$B$H(B123.45.1.111
-$B$N(BIP$B$r;}$D(B)$B$K(BNNTP$B%5!<%P$rN)$F$F$$$^$9!#(B
-
-($BNc(B)
-#### grouping by host
-block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
-block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
-#### allow NNTP
-pass in quick proto tcp from any to any port = nntp keep state group 112
-pass in quick proto tcp from any to any port = nntp keep state group 113
-
-gateway $B$,(B2$B$D0J>e$"$k%M%C%H%o!<%/$G$O!"N>J}$N(B gateway $B$K(B IP
-filter $B$,I,MW$K$J$j!"@_Dj$O99$KJ#;($K$J$j$^$9!#$=$N$h$&$J4D6-$N(B
-$B>l9g$K$O!"%^%K%e%"%k$rFI$s$G8!F$$7$F$/$@$5$$!#(B
-
-2) NFS$B$H(Brsh$B$O%W%m%H%3%k$N4X78>e!"(Bfirewall$BD6$($OIT2DG=$G$9!#(B
- NFS$B$NBeBX$K$D$$$F$OITL@$G$9$,!"(Brsh$B$NBeBX$H$7$F$O(Bssh$B$,;H$($^$9!#(B
-
-3) $B30It$N(BX client $B$r!"%U%!%$%"%&%)!<%kFb$N(BX$B%5!<%P$K@\B3$5$;$?$$!"(B
- $B$H$$$&$N$O(B FAQ $B$N0l$D$G$9!#$*4+$a$N2r7h:v$O!"(Bssh $B$N(B X forwarding
- $B5!9=$r;H$&$3$H$G$9!#(Bssh$B$G@\B3$G$-$k$J$i$P!"$3$l$O40A4$K(B secure
- $B$GHFMQE*$JJ}K!$G$9!#(B
-
-$B$=$l$,=PMh$J$$>l9g$O!"2f!9$O@\B3$5$;$?$$%[%9%H$N%Z%"$r%f!<%6$KJs(B
-$B9p$7$F$b$i$C$F!"0J2<$N$h$&$J%k!<%k$rDI2C$7$F$$$^$9!#(B
-# X:0 $B$O(B tcp:6000 $BHV$K$J$j$^$9!#(B
-
-# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
-pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-
------
-$B:G8e$K!";D$k%Q%1%C%H$OA4$F%V%m%C%/$5$l$kLu$G$9$,!"$=$l$K$D$$$F$N(B
-$BA4$F$N%m%0$r;D$9$3$H$r4uK>$9$k>l9g!"<!$N%k!<%k$r!VI,$::G8e$K!W2C(B
-$B$($^$9!#(B
-
-## log blocked packets
-block in log quick from any to 123.45.1.111/24 group 100
-block in log quick from any to 123.45.2.10 group 100
-
-------
-$B:#Kx$N@_Dj$r$R$H$D$K$^$H$a$?%U%!%$%k$r:G8e$KE:IU$7$^$9!#(B
-
-===================== $B$3$3$+$i(B ====================
-########## Packet Filtering Rules for 123.45.1. ##########
-#
-# The following routes should be configured, if not already:
-#
-# route add 123.45.1.111 localhost 0 (hme0) (LAN)
-# route add 123.45.2.10 localhost 0 (hme1) (upstream)
-#
-########## quickly deny malicious packets
-#
-block in quick from any to any with short
-block in log quick from any to any with ipopts
-#
-########## group setup
-#
-block in on hme1 all head 100
-block out on hme1 all head 150
-pass in quick on hme0 all
-pass out quick on hme0 all
-#
-########## deny IP spoofing
-#
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from 123.45.2.10/32 to any group 100
-block in log quick from 123.45.1.111/24 to any group 100
-#
-########## deny reserved addresses
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-########## OUTGOING
-#
-## allow ping out
-pass out quick proto icmp from any to any keep state group 150
-#
-## allow all outgoing UDP packets except for netbios ports (137-139).
-#
-pass out quick proto udp from any to any keep state head 160 group 150
-block out log quick proto udp from any to any port 136 >< 140 group 160
-#
-## pass all TCP connection setup packets except for netbios ports (137-139).
-#
-pass out quick proto tcp from any to any flags S/SAFR keep state head 170 group 150
-block out log quick proto tcp from any to any port 136 >< 140 group 170
-#
-######### INCOMING
-## ICMP
-pass in quick proto icmp from any to any group 100
-## RIP
-pass in quick proto udp from any to any port = 520 keep state group 100
-## FTP
-pass in quick proto tcp from any port = ftp-data to any port > 1023 flags S/SA keep state group 100
-## IDENT
-pass in quick proto tcp from any to any port = 113 flags S/SA keep state group 100
-#
-## grouping by host (112 & 113 is the gateway address)
-block in log quick proto tcp from any to 123.45.1.X flags S/SA head 110 group 100
-block in log quick proto tcp from any to 123.45.1.Y flags S/SA head 111 group 100
-block in log quick proto tcp from any to 123.45.2.10 flags S/SA head 112 group 100
-block in log quick proto tcp from any to 123.45.1.111 flags S/SA head 113 group 100
-#
-## telnet, ftp, ssh, www, smtp, pop
-pass in quick proto tcp from any to any port = telnet keep state group 110
-pass in quick proto tcp from any to any port = ftp keep state group 110
-pass in quick proto tcp from any to any port = ftp-data keep state group 110
-pass in quick proto tcp from any to any port = 22 keep state group 110
-pass in quick proto tcp from any to any port = ftp keep state group 111
-pass in quick proto tcp from any to any port = ftp-data keep state group 111
-pass in quick proto tcp from any to any port 2999 >< 3100 keep state group 111
-pass in quick proto tcp from any to any port = 80 keep state group 111
-pass in quick proto tcp from any to any port = smtp keep state group 111
-pass in quick proto tcp from any to any port = 110 keep state
-group 111
-#
-## allow NNTP on the gateway
-pass in quick proto tcp from any to any port = nntp keep state group 112
-pass in quick proto tcp from any to any port = nntp keep state group 113
-#
-## X connections
-# 123.45.1.Z:0 (server) <-> A.B.C.D (client)
-pass in quick proto tcp from A.B.C.D port > 1023 to 123.45.1.Z port = 6000 flags S/SA keep state group 100
-#
-## log blocked packets
-## THIS MUST BE THE LAST RULE!
-block in log quick from any to 123.45.1.111/24 group 100
-block in log quick from any to 123.45.2.10 group 100
-===================== $B$3$3$^$G(B ====================
-
-----
-$B$3$NJ8=q$N<h$j07$$$K$D$$$F(B
-Copyright (C) 1999 TOYAMA Sumio <sumio@is.s.u-tokyo.ac.jp>
- and YAMAMOTO Hirotaka <ymmt@is.s.u-tokyo.ac.jp>
-
-THIS DOCUMENT IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.
-
-Permission to modify this document and to distribute it is hereby
-granted, as long as above notices and copyright notice are retained.
diff --git a/contrib/ipfilter/IPFILTER.LICENCE b/contrib/ipfilter/IPFILTER.LICENCE
deleted file mode 100644
index 41c151c..0000000
--- a/contrib/ipfilter/IPFILTER.LICENCE
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * The author accepts no responsibility for the use of this software and
- * provides it on an ``as is'' basis without express or implied warranty.
- *
- * Redistribution and use, with or without modification, in source and binary
- * forms, are permitted provided that this notice is preserved in its entirety
- * and due credit is given to the original author and the contributors.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied, in part or in whole, and put under another distribution licence
- * [including the GNU Public Licence.]
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * I hate legalese, don't you ?
- */
diff --git a/contrib/ipfilter/LICENCE b/contrib/ipfilter/LICENCE
deleted file mode 100644
index f4cc8ee..0000000
--- a/contrib/ipfilter/LICENCE
+++ /dev/null
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * The author accepts no responsibility for the use of this software and
- * provides it on an ``as is'' basis without express or implied warranty.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- *
- * I hate legaleese, don't you ?
- */
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
deleted file mode 100644
index 1b2f8f5..0000000
--- a/contrib/ipfilter/Makefile
+++ /dev/null
@@ -1,409 +0,0 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# Redistribution and use in source and binary forms are permitted
-# provided that this notice is preserved and due credit is given
-# to the original author and the contributors.
-#
-# $Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $
-#
-SHELL=/bin/sh
-BINDEST=/usr/local/bin
-SBINDEST=/sbin
-MANDIR=/usr/local/man
-#To test prototyping
-#CC=gcc -Wstrict-prototypes -Wmissing-prototypes
-# -Wunused -Wuninitialized
-#CC=gcc
-#CC=cc -Dconst=
-DEBUG=-g
-# -O
-CFLAGS=-I$$(TOP) -D_BSD_SOURCE
-CPU=`uname -m`
-CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`
-OBJ=.
-#
-# To enable this to work as a Loadable Kernel Module...
-#
-IPFLKM=-DIPFILTER_LKM
-#
-# To enable logging of blocked/passed packets...
-#
-IPFLOG=-DIPFILTER_LOG
-#
-# To enable loading filter rules compiled to C code...
-#
-#COMPIPF=-DIPFILTER_COMPILED
-#
-# To enable synchronisation between IPFilter hosts
-#
-#SYNC=-DIPFILTER_SYNC
-#
-# To enable extended IPFilter functionality
-#
-LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN
-#
-# The facility you wish to log messages from ipmon to syslogd with.
-#
-LOGFAC=-DLOGFAC=LOG_LOCAL0
-#
-# To enable rules to be written with BPF syntax, uncomment these two lines.
-#
-# WARNING: If you're building a commercial product based on IPFilter, using
-# this options *may* infringe at least one patent held by CheckPoint
-# (5,606,668.)
-#
-#IPFBPF=-DIPFILTER_BPF -I/usr/local/include
-#LIBBPF=-L/usr/local/lib -lpcap
-#
-# HP-UX and Solaris require this uncommented for BPF.
-#
-#BPFILTER=bpf_filter.o
-#
-# LINUXKERNEL is the path to the top of your Linux kernel source tree.
-# By default IPFilter looks for /usr/src/linux, but you may have to change
-# it to /usr/src/linux-2.4 or similar.
-#
-LINUXKERNEL=/usr/src/linux
-LINUX=`uname -r | awk -F. ' { printf"%d",$$1;for(i=1;i<NF&&i<3;i++){printf("%02d",$$(i+1));}}'`
-
-#
-# All of the compile-time options are here, used for compiling the userland
-# tools for regression testing. Well, all except for IPFILTER_LKM, of course.
-#
-ALLOPTS=-DIPFILTER_LOG -DIPFILTER_LOOKUP \
- -DIPFILTER_SCAN -DIPFILTER_SYNC -DIPFILTER_CKSUM
-
-#
-# Uncomment the next 3 lines if you want to view the state table a la top(1)
-# (requires that you have installed ncurses).
-#STATETOP_CFLAGS=-DSTATETOP
-#
-# Where to find the ncurses include files (if not in default path),
-#
-#STATETOP_INC=
-#STATETOP_INC=-I/usr/local/include
-#
-# How to link the ncurses library
-#
-#STATETOP_LIB=-lncurses
-#STATETOP_LIB=-L/usr/local/lib -lncurses
-
-#
-# Uncomment this when building IPv6 capability.
-#
-#INET6=-DUSE_INET6
-#
-# For packets which don't match any pass rules or any block rules, set either
-# FR_PASS or FR_BLOCK (respectively). It defaults to FR_PASS if left
-# undefined. This is ignored for ipftest, which can thus return three
-# results: pass, block and nomatch. This is the sort of "block unless
-# explicitly allowed" type #define switch.
-#
-POLICY=-DIPF_DEFAULT_PASS=FR_PASS
-#
-MFLAGS1='CFLAGS=$(CFLAGS) $(ARCHINC) $(SOLARIS2) $(SGIREV) $(INET6)' \
- "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
- "LIBBPF=$(LIBBPF)" "CPUDIR=$(CPUDIR)" "IPFBPF=$(IPFBPF)" \
- 'STATETOP_CFLAGS=$(STATETOP_CFLAGS)' "BPFILTER=$(BPFILTER)" \
- 'STATETOP_INC=$(STATETOP_INC)' 'STATETOP_LIB=$(STATETOP_LIB)' \
- "BITS=$(BITS)" "OBJ=$(OBJ)" "LOOKUP=$(LOOKUP)" "COMPIPF=$(COMPIPF)" \
- 'SYNC=$(SYNC)' 'ALLOPTS=$(ALLOPTS)' 'LIBBPF=$(LIBBPF)'
-MFLAGS=$(MFLAGS1) "IPFLKM=$(IPFLKM)"
-MACHASSERT=`/bin/ls -1 /usr/sys/*/mach_assert.h | head -1`
-#
-SHELL=/bin/sh
-#
-########## ########## ########## ########## ########## ########## ##########
-#
-CP=/bin/cp
-RM=/bin/rm
-CHMOD=/bin/chmod
-INSTALL=install
-#
-
-all:
- @echo "Chose one of the following targets for making IP filter:"
- @echo ""
- @echo "solaris - auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86"
- @echo "netbsd - compile for NetBSD"
- @echo "openbsd - compile for OpenBSD"
- @echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
- @echo "freebsd22 - compile for FreeBSD-2.2 or greater"
- @echo "freebsd - compile for all other versions of FreeBSD"
- @echo "bsd - compile for generic 4.4BSD systems"
- @echo "bsdi - compile for BSD/OS"
- @echo "irix - compile for SGI IRIX"
- @echo "hpux - compile for HP-UX 11.00"
- @echo "osf - compile for OSF/Tru64 5.1"
- @echo ""
-
-tests:
- @if [ -d test ]; then (cd test; make) \
- else echo test directory not present, sorry; fi
-
-retest:
- @if [ -d test ]; then (cd test; make clean && make) \
- else echo test directory not present, sorry; fi
-
-include:
- -mkdir -p net netinet
- if [ ! -f netinet/done ] ; then \
- (cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .;); \
- (cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); \
- touch netinet/done; \
- fi
- -(cd netinet; ln -s ../ip_rules.h ip_rules.h)
- if [ ! -f net/done ] ; then \
- (cd net; ln -s ../radix_ipf.h .; ); \
- touch net/done; \
- fi
-
-sunos solaris: include
- MAKE="$(MAKE)" MAKEFLAGS="$(MAKEFLAGS)" BPFILTER=$(BPFILTER) \
- CC="$(CC)" DEBUG="$(DEBUG)" ./buildsunos
-
-freebsd:
- make freebsd`uname -r|cut -c1`
-
-freebsd22: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- -rm -f BSD/$(CPUDIR)/ioconf.h
- -if [ x$(IPFILKERN) != x ] ; then \
- if [ -f /sys/compile/$(IPFILKERN)/ioconf.h ] ; then \
- ln -s /sys/compile/$(IPFILKERN)/ioconf.h BSD/$$y; \
- else \
- ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$$y; \
- fi \
- else \
- x=`uname -v|sed -e 's@^.*:\(/[^: ]*\).*$$@\1/ioconf.h@'`; \
- y=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`; \
- if [ ! -f $$x ] ; then \
- echo -n "Can't find ioconf.h at $$x "; \
- exit 1;\
- else \
- ln -s $$x BSD/$$y ; \
- fi \
- fi
- make freebsd20
-
-freebsd5 freebsd6 freebsd7: include
- if [ x$(INET6) = x ] ; then \
- echo "#undef INET6" > opt_inet6.h; \
- else \
- echo "#define INET6" > opt_inet6.h; \
- fi
- if [ "x$(IPFBPF)" = "x" ] ; then \
- echo "#undef NBPF" > opt_bpf.h; \
- echo "#undef NBPFILTER" > opt_bpf.h; \
- echo "#undef DEV_BPF" > opt_bpf.h; \
- else \
- echo "#define NBPF" > opt_bpf.h; \
- echo "#define NBPFILTER" > opt_bpf.h; \
- echo "#define DEV_BPF" > opt_bpf.h; \
- fi
- if [ x$(ENABLE_PFIL) = x ] ; then \
- echo "#undef PFIL_HOOKS" > opt_pfil.h; \
- else \
- echo "#define PFIL_HOOKS" > opt_pfil.h; \
- fi
-
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
-
-freebsd4 : include
- if [ x$(INET6) = x ] ; then \
- echo "#undef INET6" > opt_inet6.h; \
- else \
- echo "#define INET6" > opt_inet6.h; \
- fi
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "LKMR=ipfrule.ko" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
-
-freebsd3 freebsd30: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" "MLR=mlf_rule.o" LKM= LKMR=; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..)
-
-netbsd: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- @if [ ! -d /sys -o ! -d /sys/arch ] ; then \
- echo "*****************************************************"; \
- echo "* *"; \
- echo "* Please extract source code to create /sys and *";\
- echo "* /sys/arch and run 'config GENERIC' *"; \
- echo "* *"; \
- echo "*****************************************************"; \
- exit 1; \
- fi
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
-
-openbsd: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mlo_ipl.c" LKMR= "MLR=mlo_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
-
-freebsd20 freebsd21: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c" "MLR=mlf_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
-
-osf tru64: null include
- make setup "TARGOS=OSF" "CPUDIR=`OSF/cpurev`"
- (cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..)
- (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..)
-
-aix: null include
- make setup "TARGOS=AIX" "CPUDIR=`AIX/cpurev`"
- (cd AIX/`AIX/cpurev`; make build AIX=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "OSREV=`../cpurev`" BITS=`../bootbits.sh`; cd ..)
-# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend build AIX=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..)
-
-bsd: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..)
-
-bsdi bsdos: include
- make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
- (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= LKMR= ; cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend build "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..)
-
-irix IRIX: include
- make setup TARGOS=IRIX CPUDIR=`IRIX/cpurev`
- if [ "x${SGIREV}" = "x" ] ; then \
- make irix "SGIREV=-D_KMEMUSER -DIRIX=`IRIX/getrev`"; \
- else \
- (cd IRIX/`IRIX/cpurev`; smake -l -J 1 build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
- (cd IRIX/`IRIX/cpurev`; make -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \
- fi
-
-setup:
- -if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi
- -rm -f $(TARGOS)/$(CPUDIR)/Makefile $(TARGOS)/$(CPUDIR)/Makefile.ipsend
- -ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile
- -ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend
- -if [ -f $(TARGOS)/Makefile.common ] ; then \
- rm -f $(TARGOS)/$(CPUDIR)/Makefile.common; \
- ln -s ../Makefile.common $(TARGOS)/$(CPUDIR)/Makefile.common;\
- fi
-
-clean: clean-include
- /bin/rm -rf h y.output
- ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
- vnode_if.h $(LKM) *~
- /bin/rm -rf sparcv7 sparcv9 mdbgen_build
- (cd SunOS4; $(MAKE) TOP=.. clean)
- -(cd SunOS5; $(MAKE) TOP=.. clean)
- (cd BSD; $(MAKE) TOP=.. clean)
- (cd HPUX; $(MAKE) BITS=32 TOP=.. clean)
- (cd Linux; $(MAKE) TOP=.. clean)
- (cd OSF; $(MAKE) TOP=.. clean)
- (cd AIX; $(MAKE) TOP=.. clean)
- if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi
- [ -d test ] && (cd test; $(MAKE) clean)
- (cd ipsend; $(MAKE) clean)
-
-clean-include:
- sh -c 'if [ -d netinet ] ; then cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
- sh -c 'if [ -d net ] ; then cd net; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi'
- ${RM} -f netinet/done net/done
-
-clean-bsd: clean-include
- (cd BSD; make TOP=.. clean)
-
-clean-hpux: clean-include
- (cd HPUX; $(MAKE) BITS=32 clean)
-
-clean-osf: clean-include
- (cd OSF; make clean)
-
-clean-aix: clean-include
- (cd AIX; make clean)
-
-clean-linux: clean-include
- (cd Linux; make clean)
-
-clean-sunos4: clean-include
- (cd SunOS4; make clean)
-
-clean-sunos5: clean-include
- (cd SunOS5; $(MAKE) clean)
- /bin/rm -rf sparcv?
-
-clean-irix: clean-include
- (cd IRIX; $(MAKE) clean)
-
-h/xti.h:
- mkdir -p h
- ln -s /usr/include/sys/xti.h h
-
-hpux: include h/xti.h
- make setup CPUDIR=`HPUX/cpurev` TARGOS=HPUX
- (cd HPUX/`HPUX/cpurev`; $(MAKE) build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
- (cd HPUX/`HPUX/cpurev`; $(MAKE) -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..)
-
-sunos4 solaris1:
- (cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
- (cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..)
-
-sunos5 solaris2: null
- (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)"; cd ..)
- (cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..)
-
-linux: include
- (cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..)
- (cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..)
-# (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..)
-
-install-linux: linux
- (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..)
-
-install-bsd:
- (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..)
- (cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
-
-install-sunos4: solaris
- (cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install)
-
-install-sunos5: solaris null
- (cd SunOS5; $(MAKE) TOP=.. install)
-
-install-aix:
- (cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
-# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
-
-install-hpux: hpux
- (cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install)
-
-install-irix: irix
- (cd IRIX; smake install CPU=$(CPU) TOP=.. $(DEST) $(MFLAGS) CPUDIR=`./cpurev`)
-
-install-osf install-tru64:
- (cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..)
-
-do-cvs:
- find . -type d -name CVS -print | xargs /bin/rm -rf
- find . -type f -name .cvsignore -print | xargs /bin/rm -f
- /bin/rm -f ip_msnrpc_pxy.c ip_sunrpc_pxy.c
-
-ip_rules.c ip_rules.h: rules/ip_rules tools/ipfcomp.c
- -./ipf -n -cc -f rules/ip_rules 2>/dev/null 1>&2
-
-null:
- @if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \
- echo 'Do not use GNU make (gmake) to compile IPFilter'; \
- exit 1; \
- fi
- -@echo make ok
-
-mdb:
- /bin/rm -rf mdbgen_build
- mdbgen -D_KERNEL -DIPFILTER_LOG -DIPFILTER_LOOKUP -DSUNDDI \
- -DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \
- -I/home/dr146992/pfil -I/home/dr146992/ipf -f \
- /usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h
-
diff --git a/contrib/ipfilter/NAT.FreeBSD b/contrib/ipfilter/NAT.FreeBSD
deleted file mode 100644
index 8a7e952..0000000
--- a/contrib/ipfilter/NAT.FreeBSD
+++ /dev/null
@@ -1,104 +0,0 @@
-These are Instructions for Configuring A FreeBSD Box For NAT
-After you have installed IpFilter.
-
-You will need to change three files:
-
-/etc/rc.local
-/etc/rc.conf
-/etc/natrules
-
-You will have to:
-
-1) Load the kernel module
-2) Make the ipnat rules
-3) Load the ipnat rules
-4) Enable routing between interfaces
-5) Add static routes for the subnet ranges
-6) Configure your network interfaces
-7) reboot the computer for the changes to take effect.
-
-The FAQ was written by Chris Coleman <chris@@bbcc.ctc.edu>
-This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE
-_________________________________________________________
-1) Loading the Kernel Module
-
-If you are using a Kernal Loadable Module you need to edit your
-/etc/rc.local file and load the module at boot time.
-use the line:
-
- modload /lkm/if_ipl.o
-
-If you are not loading a kernel module, skip this step.
-_________________________________________________________
-2) Setting up the NAT Rules
-
-Make a file called /etc/natrules
-put in the rules that you need for your system.
-
-If you want to use the whole 10 Network. Try:
-
-map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000
-
-_________________________________________________________
-Here is an explaination of each part of the command:
-
-map starts the command.
-
-fpx0 is the interface with the real internet address.
-
-10.0.0.0 is the subnet you want to use.
-
-/8 is the subnet mask. ie 255.0.0.0
-
-208.8.0.1 is the real ip address that you use.
-
-/32 is the subnet mask 255.255.255.255, ie only use this ip address.
-
-portmap tcp/udp 10000:65000
- tells it to use the ports to redirect the tcp/udp calls through
-
-
-The one line should work for the whole network.
-_________________________________________________________
-3) Loading the NAT Rules:
-
-The NAT Rules will need to be loaded every time the computer
-reboots.
-
-In your /etc/rc.local put the line:
-
-ipnat -f /etc/natrules
-
-To check and see if it is loaded, as root type
- ipnat -ls
-_________________________________________________________
-4) Enable Routing between interfaces.
-
-Tell the kernel to route these addresses.
-
-in the rc.local file put the line:
-
-sysctl -w net.inet.ip.forwarding=1
-
-_________________________________________________________
-5) Static Routes to Subnet Ranges
-
-Now you have to add a static routes for the subnet ranges.
-Edit your /etc/sysconfig to add them at bootup.
-
-static_routes="foo"
-route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
-
-
-_________________________________________________________
-6) Make sure that you have your interfaces configured.
-
-I have two Intel Ether Express Pro B cards.
-One is on 208.8.0.1 The other is on 10.0.0.1
-
-You need to configure these in the /etc/sysconfig
-
-network_interfaces="fxp0 fxp1"
-ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
-ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
-_________________________________________________________
diff --git a/contrib/ipfilter/QNX_OCL.txt b/contrib/ipfilter/QNX_OCL.txt
deleted file mode 100644
index 6aa33ea..0000000
--- a/contrib/ipfilter/QNX_OCL.txt
+++ /dev/null
@@ -1,275 +0,0 @@
- End User License Certificate (EULA) End User License Certificate
- (EULA)
- Support Support
- QNX Source Licenses QNX Source Licenses
- License of the month
- Confidential Source License
- Version 1.0
-
-QNX Open Community License Version 1.0
-
- THIS QNX OPEN COMMUNITY LICENSE ( "THE OCL", OR "THIS AGREEMENT")
- APPLIES TO PROGRAMS THAT QNX SOFTWARE SYSTEMS LTD. ("QSS") EXPRESSLY
- ELECTS TO LICENSE UNDER THE OCL TERMS. IT ALSO APPLIES TO DERIVATIVE
- WORKS CREATED UNDER THIS AGREEMENT THAT CREATORS ELECT TO LICENSE TO
- OTHERS IN SOURCE CODE FORM. ANY USE, REPRODUCTION, MODIFICATION OR
- DISTRIBUTION OF SUCH PROGRAMS CONSTITUTES RECIPIENT'S ACCEPTANCE OF
- THE OCL. THE LICENSE RIGHTS GRANTED BELOW ARE CONDITIONAL UPON
- RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT AND THE FORMATION OF A
- BINDING CONTRACT. NOTHING ELSE GRANTS PERMISSION TO USE, REPRODUCE,
- MODIFY OR DISTRIBUTE SUCH PROGRAMS OR THEIR DERIVATIVE WORKS. THESE
- ACTIONS ARE OTHERWISE PROHIBITED. CONTACT QSS IF OTHER STEPS ARE
- REQUIRED LOCALLY TO CREATE A BINDING CONTRACT.
-
- The OCL is intended to promote the development, use and distribution
- of derivative works created from QSS source code. This includes
- commercial distribution of object code versions under the terms of
- Recipient's own license agreement and, at Recipient's option, sharing
- of source code modifications within the QNX developer's community. The
- license granted under the OCL is royalty free. Recipient is entitled
- to charge royalties for object code versions of derivative works that
- originate with Recipient. If Recipient elects to license source code
- for its derivative works to others, then it must be licensed under the
- OCL. The terms of the OCL are as follows:
-
-1. DEFINITIONS
-
- "Contribution" means:
-
- a. in the case of QSS: (i) the Original Program, where the Original
- Program originates from QSS, (ii) changes and/or additions to
- Unrestricted Open Source, where the Original Program originates
- from Unrestricted Open Source and where such changes and/or
- additions originate from QSS, and (iii) changes and/or additions
- to the Program where such changes and/or additions originate from
- QSS.
- b. in the case of each Contributor, changes and/or additions to the
- Program, where such changes and/or additions originate from and
- are distributed by that particular Contributor.
-
- A Contribution 'originates' from a Contributor if it was added to the
- Program by such Contributor itself or anyone acting on such
- Contributor's behalf. Contributions do not include additions to the
- Program which: (i) are separate modules of software distributed in
- conjunction with the Program under their own license agreement, and
- (ii) are not derivative works of the Program.
-
- "Contributor" means QSS and any other entity that distributes the
- Program.
-
- "Licensed Patents " mean patent claims licensable by Contributor to
- others, which are necessarily infringed by the use or sale of its
- Contribution alone or when combined with the Program.
-
- "Unrestricted Open Source" means published source code that is
- licensed for free use and distribution under an unrestricted licensing
- and distribution model, such as the Berkley Software Design ("BSD")
- and "BSD-like" licenses. It specifically excludes any source code
- licensed under any version of the GNU General Public License (GPL) or
- the GNU Lesser/Library GPL. All "Unrestricted Open Source" license
- terms appear or are clearly identified in the header of any affected
- source code for the Original Program.
-
- "Original Program" means the original version of the software
- accompanying this Agreement as released by QSS, including source code,
- object code and documentation, if any.
-
- "Program" means the Original Program and Contributions.
-
- "Recipient" means anyone who receives the Program under this
- Agreement, including all Contributors.
-
-2. GRANT OF RIGHTS
-
- a. Subject to the terms of this Agreement, each Contributor hereby
- grants Recipient a non-exclusive, worldwide, royalty-free
- copyright license to reproduce, prepare derivative works of,
- publicly display, publicly perform, and directly and indirectly
- sublicense and distribute the Contribution of such Contributor, if
- any, and such derivative works, in source code and object code
- form.
- b. Subject to the terms of this Agreement, each Contributor hereby
- grants Recipient a non-exclusive, worldwide, royalty-free patent
- license under Licensed Patents to make, use, sell, offer to sell,
- import and otherwise transfer the Contribution of such
- Contributor, if any, in source code and object code form. This
- patent license shall apply to the combination of the Contribution
- and the Program if, at the time the Contribution is added by the
- Contributor, such addition of the Contribution causes such
- combination to be covered by the Licensed Patents. The patent
- license shall not apply to any other combinations which include
- the Contribution.
- c. Recipient understands that although each Contributor grants the
- licenses to its Contributions set forth herein, no assurances are
- provided by any Contributor that the Program does not infringe the
- patent or other intellectual property rights of any other entity.
- Each Contributor disclaims any liability to Recipient for claims
- brought by any other entity based on infringement of intellectual
- property rights or otherwise. As a condition to exercising the
- rights and licenses granted hereunder, each Recipient hereby
- assumes sole responsibility to secure any other intellectual
- property rights needed, if any. For example, if a third party
- patent license is required to allow Recipient to distribute the
- Program, it is Recipient's responsibility to acquire that license
- before distributing the Program.
- d. Each Contributor represents that to its knowledge it has
- sufficient copyright rights in its Contribution, if any, to grant
- the copyright license set forth in this Agreement.
-
- 3. REQUIREMENTS
-
- A Contributor may choose to distribute the Program in object code form
- under its own license agreement, provided that:
-
- a. it complies with the terms and conditions of this Agreement; and
- b. its license agreement:
- i. effectively disclaims on behalf of all Contributors all
- warranties and conditions, express and implied, including
- warranties or conditions of title and non-infringement, and
- implied warranties or conditions of merchantability and
- fitness for a particular purpose;
- ii. effectively excludes on behalf of all Contributors all
- liability for damages, including direct, indirect, special,
- incidental and consequential damages, such as lost profits;
- and
- iii. states that any provisions which differ from this Agreement
- are offered by that Contributor alone and not by any other
- party.
-
- If the Program is made available in source code form:
-
- a. it must be made available under this Agreement; and
- b. a copy of this Agreement must be included with each copy of the
- Program. Each Contributor must include the following in a
- conspicuous location in the Program along with any other copyright
- or attribution statements required by the terms of any applicable
- Unrestricted Open Source license:
- Copyright {date here}, QNX Software Systems Ltd. and others. All
- Rights Reserved.
-
- In addition, each Contributor must identify itself as the originator
- of its Contribution, if any, in a manner that reasonably allows
- subsequent Recipients to identify the originator of the Contribution.
-
- 4. COMMERCIAL DISTRIBUTION
-
- Commercial distributors of software may accept certain
- responsibilities with respect to end users, business partners and the
- like. While this license is intended to facilitate the commercial use
- of the Program, the Contributor who includes the Program in a
- commercial product offering should do so in a manner which does not
- create potential liability for other Contributors. Therefore, if a
- Contributor includes the Program in a commercial product offering,
- such Contributor ("Commercial Contributor") hereby agrees to defend
- and indemnify every other Contributor ("Indemnified Contributor")
- against any losses, damages and costs (collectively "Losses") arising
- from claims, lawsuits and other legal actions brought by a third party
- against the Indemnified Contributor to the extent caused by the acts
- or omissions of such Commercial Contributor in connection with its
- distribution of the Program in a commercial product offering. The
- obligations in this section do not apply to any claims or Losses
- relating to any actual or alleged intellectual property infringement.
- In order to qualify, an Indemnified Contributor must: a) promptly
- notify the Commercial Contributor in writing of such claim, and b)
- allow the Commercial Contributor to control, and cooperate with the
- Commercial Contributor in, the defense and any related settlement
- negotiations. The Indemnified Contributor may participate in any such
- claim at its own expense.
-
- For example, a Contributor might include the Program in a commercial
- product offering, Product X. That Contributor is then a Commercial
- Contributor. If that Commercial Contributor then makes performance
- claims, or offers warranties related to Product X, those performance
- claims and warranties are such Commercial Contributor's responsibility
- alone. Under this section, the Commercial Contributor would have to
- defend claims against the other Contributors related to those
- performance claims and warranties, and if a court requires any other
- Contributor to pay any damages as a result, the Commercial Contributor
- must pay those damages.
-
- 5. NO WARRANTY
-
- Recipient acknowledges that there may be errors or bugs in the Program
- and that it is imperative that Recipient conduct thorough testing to
- identify and correct any problems prior to the productive use or
- commercial release of any products that use the Program, and prior to
- the release of any modifications, updates or enhancements thereto.
-
- EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS
- PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY
- WARRANTIES OR CONDITIONS OF TITLE, NON- INFRINGEMENT, MERCHANTABILITY
- OR FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
- responsible for determining the appropriateness of using and
- distributing the Program and assumes all risks associated with its
- exercise of rights under this Agreement, including but not limited to
- the risks and costs of program errors, compliance with applicable
- laws, damage to or loss of data, programs or equipment, and
- unavailability or interruption of operations.
-
- 6. DISCLAIMER OF LIABILITY
-
- EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
- ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
- WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR
- DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED
- HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
- 7. GENERAL
-
- If any provision of this Agreement is invalid or unenforceable under
- applicable law, it shall not affect the validity or enforceability of
- the remainder of the terms of this Agreement, and without further
- action by the parties hereto, such provision shall be reformed to the
- minimum extent necessary to make such provision valid and enforceable.
-
- If Recipient institutes patent litigation against a Contributor with
- respect to a patent applicable to software (including a cross-claim or
- counterclaim in a lawsuit), then any patent licenses granted by that
- Contributor to such recipient under this Agreement shall terminate as
- of the date such litigation is filed. In addition, If Recipient
- institutes patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Program
- itself (excluding combinations of the Program with other software or
- hardware) infringes such Recipient's patent(s), then such Recipient's
- rights granted under Section 2(b) shall terminate as of the date such
- litigation is filed.
-
- All Recipient's rights under this Agreement shall terminate if it
- fails to comply with any of the material terms or conditions of this
- Agreement and does not cure such failure in a reasonable period of
- time after becoming aware of such noncompliance. If all Recipient's
- rights under this Agreement terminate, Recipient agrees to cease use
- and distribution of the Program as soon as reasonably practicable.
- However, Recipient's obligations under this Agreement and any licenses
- granted by Recipient relating to the Program shall continue and
- survive.
-
- QSS may publish new versions (including revisions) of this Agreement
- from time to time. Each new version of the Agreement will be given a
- distinguishing version number. The Program (including Contributions)
- may always be distributed subject to the version of the Agreement
- under which it was received. In addition, after a new version of the
- Agreement is published, Contributor may elect to distribute the
- Program (including its Contributions) under the new version. No one
- other than QSS has the right to modify this Agreement. Except as
- expressly stated in Sections 2(a) and 2(b) above, Recipient receives
- no rights or licenses to the intellectual property of any Contributor
- under this Agreement, whether expressly, by implication, estoppel or
- otherwise. All rights in the Program not expressly granted under this
- Agreement are reserved.
-
- This Agreement is governed by the laws in force in the Province of
- Ontario, Canada without regard to the conflict of law provisions
- therein. The parties expressly disclaim the provisions of the United
- Nations Convention on Contracts for the International Sale of Goods.
- No party to this Agreement will bring a legal action under this
- Agreement more than one year after the cause of action arose. Each
- party waives its rights to a jury trial in any resulting litigation.
-
- * QNX is a registered trademark of QNX Software Systems Ltd.
-
- Document Version: ocl1_00
diff --git a/contrib/ipfilter/README b/contrib/ipfilter/README
deleted file mode 100644
index 8464af4..0000000
--- a/contrib/ipfilter/README
+++ /dev/null
@@ -1,101 +0,0 @@
-IP Filter - What's this about ?
-============================
-Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html
-How-to: http://www.obfuscation.org/ipf/ipf-howto.txt
-
- The idea behind this package is allow those who use Unix workstations as
-routers (a common occurance in Universities it appears) to apply packet
-filtering to packets going in and out of them. This package has been
-tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs.
-It is also quite possible for this small kernel extension to be installed
-and used effectively on Sun workstations which don't route IP, just for
-added security. It can also be integrated with the multicast patches.
-It has also been tested successfully on all of the modern free BSDs as
-well as BSDI, and SGI's IRIX 6.2.
-
- The filter keeps a rule list for both inbound and outbound sides of
-the IP packet queue and a check is made as early as possible, aiming to
-stop the packet before it even gets as far as being checked for source
-route options. In the file "BNF", a set of rules for constructing filter
-rules understood by this package is given. The files in the directory
-"rules", "example.1" ... "example.sr" show example rules you might apply.
-
- In practise, I've successfully isolated a workstation from all
-machines except the NFS file servers on its local subnets (yeah, ok, so
-this doesn't really increase security, because of NFS, but you get the
-drift on how it can be applied and used). I've also successfully
-setup and maintained my own firewalls using it with TIS's Firewall Toolkit,
-including using it on an mbone router.
-
- When using it with multicast IP, the calls to fr_check() should be
-before the packet is unwrapped and after it is encapsulated. So the
-filter routines will see the packet as a UDP packet, protocol XYZ.
-Whether this is better or worse than having it filter on class D addresses
-is debateable, but the idea behind this package is to be able to
-discriminate between packets as they are on the 'wire', before they
-get routed anywhere, etc.
-
- It is worth noting, that it is possible, using a small MTU and
-generating tiny fragmented IP packets to generate a TCP packet which
-doesn't contain enough information to filter on the "flags". Filtering
-on these types of packets is possible, but under the more general case
-of the packets being "short". ICMP and UDP packets which are too small
-(they don't contain a complete header) are dropped and logged, no questions
-asked. When filtering on fragmented packets, the last fragment will get
-through for TCP/UDP/ICMP packets.
-
-Bugs/Problems
--------------
-If you have a problem with IP Filter on your operating system, please email
-a copy of the file "BugReport" with the details of your setup as required
-and email to darrenr@pobox.com.
-
-Some general notes.
--------------------
- To add/delete a rule from memory, access to the device in /dev is needed,
-allowing non-root maintenaince. The filter list in kernel memory is built
-from the kernel's heap. Each packet coming *in* or *out* is checked against
-the appropriate list, rejects dropped, others passed through. Thus this will
-work on an individual host, not just gateways. Presently there is only one
-list for all interfaces, the changes required to make it a per-interface list
-require more .o replacements for the kernel. When checking a packet, the
-packet is compared to the entire list from top to bottom, the last matching
-line being effective.
-
-
-What does what ?
-----------------
-if_fil.o (Loadable kernel module)
- - additional kernel routines to check an access list as to whether
- or not to drop or pass a packet. It currently defaults to pass
- on all packets.
-
-ipfstat
- - digs through your kernel (need to check #define VMUNIX in fils.c)
- and /dev/kmem for the access filter list and mini stats table.
- Obviously needs to be run priviledged if required.
-
-ipf
- - reads the files passed as parameters as input files containing new
- filter rules to add/delete to the kernel list. The lines are
- inserted in order; the first line is inserted first, and ends up
- first on the list. Subsequent invocations append to the list
- unless specified otherwise.
-
-ipftest
- - test the ruleset given by filename. Reads in the ruleset and then
- waits for stdin.
-
- See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
- information on what the above do.
-
-mkfilters
- - suggests a set of filter rules to employ and suggests how to add
- routes to back these up.
-
-BNF
- - BNF rule set for the filter rules
-
-Darren Reed
-darrenr@pobox.com
-http://coombs.anu.edu.au/~avalon/ip-filter.html
diff --git a/contrib/ipfilter/STYLE.TXT b/contrib/ipfilter/STYLE.TXT
deleted file mode 100644
index 384bcec..0000000
--- a/contrib/ipfilter/STYLE.TXT
+++ /dev/null
@@ -1,57 +0,0 @@
-
-Over time, I am moving all of the IPFilter code to what I consider a better
-coding style than it had before. If you submit patches, I expect them to
-conform as appropriate.
-
-Function Comments
-=================
-Preceeding each and every function, a comment block like this should
-be present:
-
-/* ------------------------------------------------------------------------ */
-/* Function: function-name */
-/* Returns: return-type */
-/* Parameters: param1(I) - param1 is an input parameter */
-/* p2(O) - p2 is an output parameter passed as an arg */
-/* par3(IO) - par3 is a parameter which is both input and */
-/* output. Pointers to things which are used and */
-/* then get a result stored in them qualify here. */
-/* */
-/* Description about what the function does. This comment should explain */
-/* any gotchas or algorithms that are used which aren't obvious to the */
-/* casual reader. It should not be an excuse to not use comments inside */
-/* the function. */
-/* ------------------------------------------------------------------------ */
-
-
-Tab spacing
-===========
-Tabs are to be at 8 characters.
-
-
-Conditions
-==========
-All expressions which evaluate to a boolean for a test condition, such as
-in an if()/while() statement must involve a boolean operation. Since C
-has no native boolean type, this means that one of <,>,<=,>=,==,!= must
-be present. Implied boolean evaluations are out.
-
-In code, the following is banned:
-
-if (x)
-if (!x)
-while ((a = b))
-
-and should be replaced by:
-
-if (x != 0)
-if (x == 0)
-while ((a = b) != 0)
-
-If pointers are involved, always compare with NULL, ie.:
-
-if (x != NULL)
-if (x == NULL)
-while ((a = b) != NULL)
-
-
diff --git a/contrib/ipfilter/UPGRADE_NOTICE b/contrib/ipfilter/UPGRADE_NOTICE
deleted file mode 100644
index 8b44760..0000000
--- a/contrib/ipfilter/UPGRADE_NOTICE
+++ /dev/null
@@ -1,10 +0,0 @@
-
-NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT
- AND setup ACL's to allow untranslated address through from outside,
-
- THIS HAS BEEN FIXED
-
- so your ACL's will now be `broken'. Please correct your ACL's to
- match the the untranslated addresses (the way it was meant to work).
-
-Darren
diff --git a/contrib/ipfilter/WhatsNew40.txt b/contrib/ipfilter/WhatsNew40.txt
deleted file mode 100644
index e5b8294..0000000
--- a/contrib/ipfilter/WhatsNew40.txt
+++ /dev/null
@@ -1,90 +0,0 @@
-What's new in IPFilter 4.1
-==========================
-(Well, compared to 3.*, anyway)
-In no particular order, except headline alphabetical:
-
-Administration:
- - Run-time support for modifying ipf table size parameters.
- - Run-time support for tuning other ipfilter parameters.
-
-Content Scanning:
- - Simple matching of content for TCP session startup.
-
-Firewall Synchronising:
- - Master/slave programs available.
-
-General:
- - All input files allow simple 'marco' definitions and expansion,
- including nesting.
- - Code has been rototilled to make maintenance and enhancements
- eaiser for me and you.
- - More configuration files and binaries.
- - Takes up more memory.
- - Probably slower.
- - Versioned API to support changes in the ABI without breaking
- existing binaries (4.0 onward only.)
- - IP-Filter framework in place for handling multiple different
- types of packet matching for firewalling.
- - IP Id number rewriting available.
- - Verification of checksums for recognised packet types.
- - Optionally enable/disable IP forwarding when enabled/disabled.
-
-IPF:
- - BPF syntax available for matching packets in ipf rules (1).
- - Can convert IPv4 ipf rules into C code and either:
- * load them as an LKM o;
- * compile them statically into the kernel (where possible.)
- - Address pools allow for simpler rules covering large numbers of
- addresses/networks (IPv4 only).
- - Lookup functions available to map an IPv4 address to a group.
- - Groups can be referenced by multiple heads for subroutine-like use.
- - NAT/ipf rules can refer to each other via a tag, creating an implied
- join that forms part of the packet matching.
- - Extra packet attributes available for filter rules:
- * source address/routing interface mismatch;
- * multicast (3);
- * broadcast (2,3);
- * state lookup partially failed;
- * out of the TCP window for a state connection;
- * NAT lookup partially failed.
- - PPS (packets per second) matching available for ipf rules.
- - Rule collections (cf FreeBSD numbering) supported for ipf rules.
- - Groups can now be names rather than just numbers
-
-IPV6:
- - understands extension headers.
- - can filter on extension headers.
-
-Logging:
- - ipmon now comes with a configuration file for more advanced logging
- behaviour.
- - Can append arbitrary logging tags with ipf rules for easy matching.
-
-NAT:
- - "sticky" mapping available to ensure an address translation on
- a per-address basis is always the same (while known) for a set
- IP address.
-
-Operating System Support:
- - HP-UX 11 added.
- - Tru64 5.1a added.
- - Solaris/HP-UX now use pfil STREAMS module.
- - Linux 2.4 on the way.
-
-Proxies:
- - PPTP proxy added.
- - IRC proxy added.
- - RPCBIND proxy added.
- - FTP proxy support for EPSV (IPv4 only.)
-
-Stateful Inspection:
- - Can insist that all TCP data arrives in order.
- - Can insist that all fragments pass through in order.
- - The number of states created per-rule can be set where the total
- across all rules may exceed the maximum allowed.
- - Can elect not to automatically match ICMP error packets.
- - TCP sequence number rewriting supported.
-
-(1) - Requires libpcap for rule parsing
-(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
-(3) - Not supported on SunOS4
diff --git a/contrib/ipfilter/Y2K b/contrib/ipfilter/Y2K
deleted file mode 100644
index a8350a5..0000000
--- a/contrib/ipfilter/Y2K
+++ /dev/null
@@ -1,3 +0,0 @@
-IP Filter is Year 2000 (Y2K) Compliant.
-
-Darren
diff --git a/contrib/ipfilter/bpf-ipf.h b/contrib/ipfilter/bpf-ipf.h
deleted file mode 100644
index 544455e..0000000
--- a/contrib/ipfilter/bpf-ipf.h
+++ /dev/null
@@ -1,450 +0,0 @@
-/*-
- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from the Stanford/CMU enet packet filter,
- * (net/enet.c) distributed as part of 4.3BSD, and code contributed
- * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
- * Berkeley Laboratory.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)bpf.h 7.1 (Berkeley) 5/7/91
- *
- * @(#) $Header: /devel/CVS/IP-Filter/bpf-ipf.h,v 2.1 2002/10/26 12:14:26 darrenr Exp $ (LBL)
- */
-
-#ifndef BPF_MAJOR_VERSION
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* BSD style release date */
-#define BPF_RELEASE 199606
-
-typedef int bpf_int32;
-typedef u_int bpf_u_int32;
-
-/*
- * Alignment macros. BPF_WORDALIGN rounds up to the next
- * even multiple of BPF_ALIGNMENT.
- */
-#ifndef __NetBSD__
-#define BPF_ALIGNMENT sizeof(bpf_int32)
-#else
-#define BPF_ALIGNMENT sizeof(long)
-#endif
-#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
-
-#define BPF_MAXINSNS 512
-#define BPF_MAXBUFSIZE 0x8000
-#define BPF_MINBUFSIZE 32
-
-/*
- * Structure for BIOCSETF.
- */
-struct bpf_program {
- u_int bf_len;
- struct bpf_insn *bf_insns;
-};
-
-/*
- * Struct returned by BIOCGSTATS.
- */
-struct bpf_stat {
- u_int bs_recv; /* number of packets received */
- u_int bs_drop; /* number of packets dropped */
-};
-
-/*
- * Struct return by BIOCVERSION. This represents the version number of
- * the filter language described by the instruction encodings below.
- * bpf understands a program iff kernel_major == filter_major &&
- * kernel_minor >= filter_minor, that is, if the value returned by the
- * running kernel has the same major number and a minor number equal
- * equal to or less than the filter being downloaded. Otherwise, the
- * results are undefined, meaning an error may be returned or packets
- * may be accepted haphazardly.
- * It has nothing to do with the source code version.
- */
-struct bpf_version {
- u_short bv_major;
- u_short bv_minor;
-};
-/* Current version number of filter architecture. */
-#define BPF_MAJOR_VERSION 1
-#define BPF_MINOR_VERSION 1
-
-/*
- * BPF ioctls
- *
- * The first set is for compatibility with Sun's pcc style
- * header files. If your using gcc, we assume that you
- * have run fixincludes so the latter set should work.
- */
-#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
-#define BIOCGBLEN _IOR(B,102, u_int)
-#define BIOCSBLEN _IOWR(B,102, u_int)
-#define BIOCSETF _IOW(B,103, struct bpf_program)
-#define BIOCFLUSH _IO(B,104)
-#define BIOCPROMISC _IO(B,105)
-#define BIOCGDLT _IOR(B,106, u_int)
-#define BIOCGETIF _IOR(B,107, struct ifreq)
-#define BIOCSETIF _IOW(B,108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
-#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
-#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW(B,112, u_int)
-#define BIOCVERSION _IOR(B,113, struct bpf_version)
-#define BIOCSTCPF _IOW(B,114, struct bpf_program)
-#define BIOCSUDPF _IOW(B,115, struct bpf_program)
-#else
-#define BIOCGBLEN _IOR('B',102, u_int)
-#define BIOCSBLEN _IOWR('B',102, u_int)
-#define BIOCSETF _IOW('B',103, struct bpf_program)
-#define BIOCFLUSH _IO('B',104)
-#define BIOCPROMISC _IO('B',105)
-#define BIOCGDLT _IOR('B',106, u_int)
-#define BIOCGETIF _IOR('B',107, struct ifreq)
-#define BIOCSETIF _IOW('B',108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
-#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
-#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW('B',112, u_int)
-#define BIOCVERSION _IOR('B',113, struct bpf_version)
-#define BIOCSTCPF _IOW('B',114, struct bpf_program)
-#define BIOCSUDPF _IOW('B',115, struct bpf_program)
-#endif
-
-/*
- * Structure prepended to each packet.
- */
-struct bpf_hdr {
- struct timeval bh_tstamp; /* time stamp */
- bpf_u_int32 bh_caplen; /* length of captured portion */
- bpf_u_int32 bh_datalen; /* original length of packet */
- u_short bh_hdrlen; /* length of bpf header (this struct
- plus alignment padding) */
-};
-/*
- * Because the structure above is not a multiple of 4 bytes, some compilers
- * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
- * Only the kernel needs to know about it; applications use bh_hdrlen.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-#define SIZEOF_BPF_HDR 18
-#endif
-
-/*
- * Data-link level type codes.
- */
-
-/*
- * These are the types that are the same on all platforms; on other
- * platforms, a <net/bpf.h> should be supplied that defines the additional
- * DLT_* codes appropriately for that platform (the BSDs, for example,
- * should not just pick up this version of "bpf.h"; they should also define
- * the additional DLT_* codes used by their kernels, as well as the values
- * defined here - and, if the values they use for particular DLT_ types
- * differ from those here, they should use their values, not the ones
- * here).
- */
-#define DLT_NULL 0 /* no link-layer encapsulation */
-#define DLT_EN10MB 1 /* Ethernet (10Mb) */
-#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
-#define DLT_AX25 3 /* Amateur Radio AX.25 */
-#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
-#define DLT_CHAOS 5 /* Chaos */
-#define DLT_IEEE802 6 /* IEEE 802 Networks */
-#define DLT_ARCNET 7 /* ARCNET */
-#define DLT_SLIP 8 /* Serial Line IP */
-#define DLT_PPP 9 /* Point-to-point Protocol */
-#define DLT_FDDI 10 /* FDDI */
-
-/*
- * These are values from the traditional libpcap "bpf.h".
- * Ports of this to particular platforms should replace these definitions
- * with the ones appropriate to that platform, if the values are
- * different on that platform.
- */
-#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
-#define DLT_RAW 12 /* raw IP */
-
-/*
- * These are values from BSD/OS's "bpf.h".
- * These are not the same as the values from the traditional libpcap
- * "bpf.h"; however, these values shouldn't be generated by any
- * OS other than BSD/OS, so the correct values to use here are the
- * BSD/OS values.
- *
- * Platforms that have already assigned these values to other
- * DLT_ codes, however, should give these codes the values
- * from that platform, so that programs that use these codes will
- * continue to compile - even though they won't correctly read
- * files of these types.
- */
-#ifdef __NetBSD__
-#ifndef DLT_SLIP_BSDOS
-#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
-#endif
-#else
-#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
-#endif
-
-#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
-
-/*
- * These values are defined by NetBSD; other platforms should refrain from
- * using them for other purposes, so that NetBSD savefiles with link
- * types of 50 or 51 can be read as this type on all platforms.
- */
-#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
-#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
-
-/*
- * Values between 100 and 103 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * This value was defined by libpcap 0.5; platforms that have defined
- * it with a different value should define it here with that value -
- * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
- * whatever value that happens to be, so programs will correctly
- * handle files with that link type regardless of the value of
- * DLT_C_HDLC.
- *
- * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
- * compatibility with programs written for BSD/OS.
- *
- * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
- * for source compatibility with programs written for libpcap 0.5.
- */
-#define DLT_C_HDLC 104 /* Cisco HDLC */
-#define DLT_CHDLC DLT_C_HDLC
-
-#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
-
-/*
- * Values between 106 and 107 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
- * that the AF_ type in the link-layer header is in network byte order.
- *
- * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
- * define it as 108 here. If OpenBSD picks up this file, it should
- * define DLT_LOOP as 12 in its version, as per the comment above -
- * and should not use 108 as a DLT_ value.
- */
-#define DLT_LOOP 108
-
-/*
- * Values between 109 and 112 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ types
- * other than the corresponding DLT_ types.
- */
-
-/*
- * This is for Linux cooked sockets.
- */
-#define DLT_LINUX_SLL 113
-
-/*
- * Apple LocalTalk hardware.
- */
-#define DLT_LTALK 114
-
-/*
- * Acorn Econet.
- */
-#define DLT_ECONET 115
-
-/*
- * Reserved for use with OpenBSD ipfilter.
- */
-#define DLT_IPFILTER 116
-
-/*
- * Reserved for use in capture-file headers as a link-layer type
- * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
- * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
- * in capture-file headers.
- */
-#define DLT_PFLOG 117
-
-/*
- * Registered for Cisco-internal use.
- */
-#define DLT_CISCO_IOS 118
-
-/*
- * Reserved for 802.11 cards using the Prism II chips, with a link-layer
- * header including Prism monitor mode information plus an 802.11
- * header.
- */
-#define DLT_PRISM_HEADER 119
-
-/*
- * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
- * (see Doug Ambrisko's FreeBSD patches).
- */
-#define DLT_AIRONET_HEADER 120
-
-/*
- * Reserved for Siemens HiPath HDLC.
- */
-#define DLT_HHDLC 121
-
-/*
- * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from
- * Don Lee <donlee@cray.com>.
- *
- * This is not for use with raw Fibre Channel, where the link-layer
- * header starts with a Fibre Channel frame header; it's for IP-over-FC,
- * where the link-layer header starts with an RFC 2625 Network_Header
- * field.
- */
-#define DLT_IP_OVER_FC 122
-
-/*
- * The instruction encodings.
- */
-/* instruction classes */
-#define BPF_CLASS(code) ((code) & 0x07)
-#define BPF_LD 0x00
-#define BPF_LDX 0x01
-#define BPF_ST 0x02
-#define BPF_STX 0x03
-#define BPF_ALU 0x04
-#define BPF_JMP 0x05
-#define BPF_RET 0x06
-#define BPF_MISC 0x07
-
-/* ld/ldx fields */
-#define BPF_SIZE(code) ((code) & 0x18)
-#define BPF_W 0x00
-#define BPF_H 0x08
-#define BPF_B 0x10
-#define BPF_MODE(code) ((code) & 0xe0)
-#define BPF_IMM 0x00
-#define BPF_ABS 0x20
-#define BPF_IND 0x40
-#define BPF_MEM 0x60
-#define BPF_LEN 0x80
-#define BPF_MSH 0xa0
-
-/* alu/jmp fields */
-#define BPF_OP(code) ((code) & 0xf0)
-#define BPF_ADD 0x00
-#define BPF_SUB 0x10
-#define BPF_MUL 0x20
-#define BPF_DIV 0x30
-#define BPF_OR 0x40
-#define BPF_AND 0x50
-#define BPF_LSH 0x60
-#define BPF_RSH 0x70
-#define BPF_NEG 0x80
-#define BPF_JA 0x00
-#define BPF_JEQ 0x10
-#define BPF_JGT 0x20
-#define BPF_JGE 0x30
-#define BPF_JSET 0x40
-#define BPF_SRC(code) ((code) & 0x08)
-#define BPF_K 0x00
-#define BPF_X 0x08
-
-/* ret - BPF_K and BPF_X also apply */
-#define BPF_RVAL(code) ((code) & 0x18)
-#define BPF_A 0x10
-
-/* misc */
-#define BPF_MISCOP(code) ((code) & 0xf8)
-#define BPF_TAX 0x00
-#define BPF_TXA 0x80
-
-/*
- * The instruction data structure.
- */
-struct bpf_insn {
- u_short code;
- u_char jt;
- u_char jf;
- bpf_int32 k;
-};
-
-/*
- * Macros for insn array initializers.
- */
-#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
-#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
-
-#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL))
-/*
- * Systems based on non-BSD kernels don't have ifnet's (or they don't mean
- * anything if it is in <net/if.h>) and won't work like this.
- */
-# if __STDC__
-extern void bpf_tap(struct ifnet *, u_char *, u_int);
-extern void bpf_mtap(struct ifnet *, struct mbuf *);
-extern void bpfattach(struct ifnet *, u_int, u_int);
-extern void bpfilterattach(int);
-# else
-extern void bpf_tap();
-extern void bpf_mtap();
-extern void bpfattach();
-extern void bpfilterattach();
-# endif /* __STDC__ */
-#endif /* BSD && (_KERNEL || KERNEL) */
-#if __STDC__ || defined(__cplusplus)
-extern int bpf_validate(struct bpf_insn *, int);
-extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
-#else
-extern int bpf_validate();
-extern u_int bpf_filter();
-#endif
-
-/*
- * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
- */
-#define BPF_MEMWORDS 16
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/contrib/ipfilter/bpf.h b/contrib/ipfilter/bpf.h
deleted file mode 100644
index 715c79a..0000000
--- a/contrib/ipfilter/bpf.h
+++ /dev/null
@@ -1,450 +0,0 @@
-/*-
- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from the Stanford/CMU enet packet filter,
- * (net/enet.c) distributed as part of 4.3BSD, and code contributed
- * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
- * Berkeley Laboratory.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)bpf.h 7.1 (Berkeley) 5/7/91
- *
- * @(#) $Header: /devel/CVS/IP-Filter/Attic/bpf.h,v 1.1.2.1 2002/11/07 13:18:35 darrenr Exp $ (LBL)
- */
-
-#ifndef BPF_MAJOR_VERSION
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* BSD style release date */
-#define BPF_RELEASE 199606
-
-typedef int bpf_int32;
-typedef u_int bpf_u_int32;
-
-/*
- * Alignment macros. BPF_WORDALIGN rounds up to the next
- * even multiple of BPF_ALIGNMENT.
- */
-#ifndef __NetBSD__
-#define BPF_ALIGNMENT sizeof(bpf_int32)
-#else
-#define BPF_ALIGNMENT sizeof(long)
-#endif
-#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
-
-#define BPF_MAXINSNS 512
-#define BPF_MAXBUFSIZE 0x8000
-#define BPF_MINBUFSIZE 32
-
-/*
- * Structure for BIOCSETF.
- */
-struct bpf_program {
- u_int bf_len;
- struct bpf_insn *bf_insns;
-};
-
-/*
- * Struct returned by BIOCGSTATS.
- */
-struct bpf_stat {
- u_int bs_recv; /* number of packets received */
- u_int bs_drop; /* number of packets dropped */
-};
-
-/*
- * Struct return by BIOCVERSION. This represents the version number of
- * the filter language described by the instruction encodings below.
- * bpf understands a program iff kernel_major == filter_major &&
- * kernel_minor >= filter_minor, that is, if the value returned by the
- * running kernel has the same major number and a minor number equal
- * equal to or less than the filter being downloaded. Otherwise, the
- * results are undefined, meaning an error may be returned or packets
- * may be accepted haphazardly.
- * It has nothing to do with the source code version.
- */
-struct bpf_version {
- u_short bv_major;
- u_short bv_minor;
-};
-/* Current version number of filter architecture. */
-#define BPF_MAJOR_VERSION 1
-#define BPF_MINOR_VERSION 1
-
-/*
- * BPF ioctls
- *
- * The first set is for compatibility with Sun's pcc style
- * header files. If your using gcc, we assume that you
- * have run fixincludes so the latter set should work.
- */
-#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
-#define BIOCGBLEN _IOR(B,102, u_int)
-#define BIOCSBLEN _IOWR(B,102, u_int)
-#define BIOCSETF _IOW(B,103, struct bpf_program)
-#define BIOCFLUSH _IO(B,104)
-#define BIOCPROMISC _IO(B,105)
-#define BIOCGDLT _IOR(B,106, u_int)
-#define BIOCGETIF _IOR(B,107, struct ifreq)
-#define BIOCSETIF _IOW(B,108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
-#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
-#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW(B,112, u_int)
-#define BIOCVERSION _IOR(B,113, struct bpf_version)
-#define BIOCSTCPF _IOW(B,114, struct bpf_program)
-#define BIOCSUDPF _IOW(B,115, struct bpf_program)
-#else
-#define BIOCGBLEN _IOR('B',102, u_int)
-#define BIOCSBLEN _IOWR('B',102, u_int)
-#define BIOCSETF _IOW('B',103, struct bpf_program)
-#define BIOCFLUSH _IO('B',104)
-#define BIOCPROMISC _IO('B',105)
-#define BIOCGDLT _IOR('B',106, u_int)
-#define BIOCGETIF _IOR('B',107, struct ifreq)
-#define BIOCSETIF _IOW('B',108, struct ifreq)
-#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
-#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
-#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
-#define BIOCIMMEDIATE _IOW('B',112, u_int)
-#define BIOCVERSION _IOR('B',113, struct bpf_version)
-#define BIOCSTCPF _IOW('B',114, struct bpf_program)
-#define BIOCSUDPF _IOW('B',115, struct bpf_program)
-#endif
-
-/*
- * Structure prepended to each packet.
- */
-struct bpf_hdr {
- struct timeval bh_tstamp; /* time stamp */
- bpf_u_int32 bh_caplen; /* length of captured portion */
- bpf_u_int32 bh_datalen; /* original length of packet */
- u_short bh_hdrlen; /* length of bpf header (this struct
- plus alignment padding) */
-};
-/*
- * Because the structure above is not a multiple of 4 bytes, some compilers
- * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
- * Only the kernel needs to know about it; applications use bh_hdrlen.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-#define SIZEOF_BPF_HDR 18
-#endif
-
-/*
- * Data-link level type codes.
- */
-
-/*
- * These are the types that are the same on all platforms; on other
- * platforms, a <net/bpf.h> should be supplied that defines the additional
- * DLT_* codes appropriately for that platform (the BSDs, for example,
- * should not just pick up this version of "bpf.h"; they should also define
- * the additional DLT_* codes used by their kernels, as well as the values
- * defined here - and, if the values they use for particular DLT_ types
- * differ from those here, they should use their values, not the ones
- * here).
- */
-#define DLT_NULL 0 /* no link-layer encapsulation */
-#define DLT_EN10MB 1 /* Ethernet (10Mb) */
-#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
-#define DLT_AX25 3 /* Amateur Radio AX.25 */
-#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
-#define DLT_CHAOS 5 /* Chaos */
-#define DLT_IEEE802 6 /* IEEE 802 Networks */
-#define DLT_ARCNET 7 /* ARCNET */
-#define DLT_SLIP 8 /* Serial Line IP */
-#define DLT_PPP 9 /* Point-to-point Protocol */
-#define DLT_FDDI 10 /* FDDI */
-
-/*
- * These are values from the traditional libpcap "bpf.h".
- * Ports of this to particular platforms should replace these definitions
- * with the ones appropriate to that platform, if the values are
- * different on that platform.
- */
-#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
-#define DLT_RAW 12 /* raw IP */
-
-/*
- * These are values from BSD/OS's "bpf.h".
- * These are not the same as the values from the traditional libpcap
- * "bpf.h"; however, these values shouldn't be generated by any
- * OS other than BSD/OS, so the correct values to use here are the
- * BSD/OS values.
- *
- * Platforms that have already assigned these values to other
- * DLT_ codes, however, should give these codes the values
- * from that platform, so that programs that use these codes will
- * continue to compile - even though they won't correctly read
- * files of these types.
- */
-#ifdef __NetBSD__
-#ifndef DLT_SLIP_BSDOS
-#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
-#endif
-#else
-#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
-#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
-#endif
-
-#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
-
-/*
- * These values are defined by NetBSD; other platforms should refrain from
- * using them for other purposes, so that NetBSD savefiles with link
- * types of 50 or 51 can be read as this type on all platforms.
- */
-#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */
-#define DLT_PPP_ETHER 51 /* PPP over Ethernet */
-
-/*
- * Values between 100 and 103 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * This value was defined by libpcap 0.5; platforms that have defined
- * it with a different value should define it here with that value -
- * a link type of 104 in a save file will be mapped to DLT_C_HDLC,
- * whatever value that happens to be, so programs will correctly
- * handle files with that link type regardless of the value of
- * DLT_C_HDLC.
- *
- * The name DLT_C_HDLC was used by BSD/OS; we use that name for source
- * compatibility with programs written for BSD/OS.
- *
- * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well,
- * for source compatibility with programs written for libpcap 0.5.
- */
-#define DLT_C_HDLC 104 /* Cisco HDLC */
-#define DLT_CHDLC DLT_C_HDLC
-
-#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */
-
-/*
- * Values between 106 and 107 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ new types.
- */
-
-/*
- * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
- * that the AF_ type in the link-layer header is in network byte order.
- *
- * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
- * define it as 108 here. If OpenBSD picks up this file, it should
- * define DLT_LOOP as 12 in its version, as per the comment above -
- * and should not use 108 as a DLT_ value.
- */
-#define DLT_LOOP 108
-
-/*
- * Values between 109 and 112 are used in capture file headers as
- * link-layer types corresponding to DLT_ types that might differ
- * between platforms; don't use those values for new DLT_ types
- * other than the corresponding DLT_ types.
- */
-
-/*
- * This is for Linux cooked sockets.
- */
-#define DLT_LINUX_SLL 113
-
-/*
- * Apple LocalTalk hardware.
- */
-#define DLT_LTALK 114
-
-/*
- * Acorn Econet.
- */
-#define DLT_ECONET 115
-
-/*
- * Reserved for use with OpenBSD ipfilter.
- */
-#define DLT_IPFILTER 116
-
-/*
- * Reserved for use in capture-file headers as a link-layer type
- * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD,
- * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it
- * in capture-file headers.
- */
-#define DLT_PFLOG 117
-
-/*
- * Registered for Cisco-internal use.
- */
-#define DLT_CISCO_IOS 118
-
-/*
- * Reserved for 802.11 cards using the Prism II chips, with a link-layer
- * header including Prism monitor mode information plus an 802.11
- * header.
- */
-#define DLT_PRISM_HEADER 119
-
-/*
- * Reserved for Aironet 802.11 cards, with an Aironet link-layer header
- * (see Doug Ambrisko's FreeBSD patches).
- */
-#define DLT_AIRONET_HEADER 120
-
-/*
- * Reserved for Siemens HiPath HDLC.
- */
-#define DLT_HHDLC 121
-
-/*
- * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from
- * Don Lee <donlee@cray.com>.
- *
- * This is not for use with raw Fibre Channel, where the link-layer
- * header starts with a Fibre Channel frame header; it's for IP-over-FC,
- * where the link-layer header starts with an RFC 2625 Network_Header
- * field.
- */
-#define DLT_IP_OVER_FC 122
-
-/*
- * The instruction encodings.
- */
-/* instruction classes */
-#define BPF_CLASS(code) ((code) & 0x07)
-#define BPF_LD 0x00
-#define BPF_LDX 0x01
-#define BPF_ST 0x02
-#define BPF_STX 0x03
-#define BPF_ALU 0x04
-#define BPF_JMP 0x05
-#define BPF_RET 0x06
-#define BPF_MISC 0x07
-
-/* ld/ldx fields */
-#define BPF_SIZE(code) ((code) & 0x18)
-#define BPF_W 0x00
-#define BPF_H 0x08
-#define BPF_B 0x10
-#define BPF_MODE(code) ((code) & 0xe0)
-#define BPF_IMM 0x00
-#define BPF_ABS 0x20
-#define BPF_IND 0x40
-#define BPF_MEM 0x60
-#define BPF_LEN 0x80
-#define BPF_MSH 0xa0
-
-/* alu/jmp fields */
-#define BPF_OP(code) ((code) & 0xf0)
-#define BPF_ADD 0x00
-#define BPF_SUB 0x10
-#define BPF_MUL 0x20
-#define BPF_DIV 0x30
-#define BPF_OR 0x40
-#define BPF_AND 0x50
-#define BPF_LSH 0x60
-#define BPF_RSH 0x70
-#define BPF_NEG 0x80
-#define BPF_JA 0x00
-#define BPF_JEQ 0x10
-#define BPF_JGT 0x20
-#define BPF_JGE 0x30
-#define BPF_JSET 0x40
-#define BPF_SRC(code) ((code) & 0x08)
-#define BPF_K 0x00
-#define BPF_X 0x08
-
-/* ret - BPF_K and BPF_X also apply */
-#define BPF_RVAL(code) ((code) & 0x18)
-#define BPF_A 0x10
-
-/* misc */
-#define BPF_MISCOP(code) ((code) & 0xf8)
-#define BPF_TAX 0x00
-#define BPF_TXA 0x80
-
-/*
- * The instruction data structure.
- */
-struct bpf_insn {
- u_short code;
- u_char jt;
- u_char jf;
- bpf_int32 k;
-};
-
-/*
- * Macros for insn array initializers.
- */
-#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
-#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
-
-#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL))
-/*
- * Systems based on non-BSD kernels don't have ifnet's (or they don't mean
- * anything if it is in <net/if.h>) and won't work like this.
- */
-# if __STDC__
-extern void bpf_tap(struct ifnet *, u_char *, u_int);
-extern void bpf_mtap(struct ifnet *, struct mbuf *);
-extern void bpfattach(struct ifnet *, u_int, u_int);
-extern void bpfilterattach(int);
-# else
-extern void bpf_tap();
-extern void bpf_mtap();
-extern void bpfattach();
-extern void bpfilterattach();
-# endif /* __STDC__ */
-#endif /* BSD && (_KERNEL || KERNEL) */
-#if __STDC__ || defined(__cplusplus)
-extern int bpf_validate(struct bpf_insn *, int);
-extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
-#else
-extern int bpf_validate();
-extern u_int bpf_filter();
-#endif
-
-/*
- * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
- */
-#define BPF_MEMWORDS 16
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c
deleted file mode 100644
index a254f65..0000000
--- a/contrib/ipfilter/bpf_filter.c
+++ /dev/null
@@ -1,593 +0,0 @@
-/*-
- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
- * The Regents of the University of California. All rights reserved.
- *
- * This code is derived from the Stanford/CMU enet packet filter,
- * (net/enet.c) distributed as part of 4.3BSD, and code contributed
- * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
- * Berkeley Laboratory.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)bpf.c 7.5 (Berkeley) 7/15/91
- */
-
-#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
-static const char rcsid[] =
- "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
-#endif
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include "netinet/ip_compat.h"
-#include "bpf-ipf.h"
-
-
-#if (defined(__hpux) || SOLARIS) && (defined(_KERNEL) || defined(KERNEL))
-# include <sys/sysmacros.h>
-# include <sys/stream.h>
-#endif
-
-#include "pcap-ipf.h"
-
-#if !defined(KERNEL) && !defined(_KERNEL)
-#include <stdlib.h>
-#endif
-
-#define int32 bpf_int32
-#define u_int32 bpf_u_int32
-
-static int m_xword __P((mb_t *, int, int *));
-static int m_xhalf __P((mb_t *, int, int *));
-
-#ifndef LBL_ALIGN
-/*
- * XXX - IA-64? If not, this probably won't work on Win64 IA-64
- * systems, unless LBL_ALIGN is defined elsewhere for them.
- * XXX - SuperH? If not, this probably won't work on WinCE SuperH
- * systems, unless LBL_ALIGN is defined elsewhere for them.
- */
-#if defined(sparc) || defined(__sparc__) || defined(mips) || \
- defined(ibm032) || defined(__alpha) || defined(__hpux) || \
- defined(__arm__)
-#define LBL_ALIGN
-#endif
-#endif
-
-#ifndef LBL_ALIGN
-
-#define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p))
-#define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p))
-#else
-#define EXTRACT_SHORT(p)\
- ((u_short)\
- ((u_short)*((u_char *)p+0)<<8|\
- (u_short)*((u_char *)p+1)<<0))
-#define EXTRACT_LONG(p)\
- ((u_int32)*((u_char *)p+0)<<24|\
- (u_int32)*((u_char *)p+1)<<16|\
- (u_int32)*((u_char *)p+2)<<8|\
- (u_int32)*((u_char *)p+3)<<0)
-#endif
-
-#define MINDEX(len, _m, _k) \
-{ \
- len = M_LEN(m); \
- while ((_k) >= len) { \
- (_k) -= len; \
- (_m) = (_m)->m_next; \
- if ((_m) == 0) \
- return 0; \
- len = M_LEN(m); \
- } \
-}
-
-static int
-m_xword(m, k, err)
- register mb_t *m;
- register int k, *err;
-{
- register int len;
- register u_char *cp, *np;
- register mb_t *m0;
-
- MINDEX(len, m, k);
- cp = MTOD(m, u_char *) + k;
- if (len - k >= 4) {
- *err = 0;
- return EXTRACT_LONG(cp);
- }
- m0 = m->m_next;
- if (m0 == 0 || M_LEN(m0) + len - k < 4)
- goto bad;
- *err = 0;
- np = MTOD(m0, u_char *);
- switch (len - k) {
-
- case 1:
- return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
-
- case 2:
- return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
-
- default:
- return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
- }
- bad:
- *err = 1;
- return 0;
-}
-
-static int
-m_xhalf(m, k, err)
- register mb_t *m;
- register int k, *err;
-{
- register int len;
- register u_char *cp;
- register mb_t *m0;
-
- MINDEX(len, m, k);
- cp = MTOD(m, u_char *) + k;
- if (len - k >= 2) {
- *err = 0;
- return EXTRACT_SHORT(cp);
- }
- m0 = m->m_next;
- if (m0 == 0)
- goto bad;
- *err = 0;
- return (cp[0] << 8) | MTOD(m0, u_char *)[0];
- bad:
- *err = 1;
- return 0;
-}
-
-/*
- * Execute the filter program starting at pc on the packet p
- * wirelen is the length of the original packet
- * buflen is the amount of data present
- * For the kernel, p is assumed to be a pointer to an mbuf if buflen is 0,
- * in all other cases, p is a pointer to a buffer and buflen is its size.
- */
-u_int
-bpf_filter(pc, p, wirelen, buflen)
- register struct bpf_insn *pc;
- register u_char *p;
- u_int wirelen;
- register u_int buflen;
-{
- register u_int32 A, X;
- register int k;
- int32 mem[BPF_MEMWORDS];
- mb_t *m, *n;
- int merr = 0; /* XXX: GCC */
- int len;
-
- if (buflen == 0) {
- m = (mb_t *)p;
- p = MTOD(m, u_char *);
- buflen = M_LEN(m);
- } else
- m = NULL;
-
- if (pc == 0)
- /*
- * No filter means accept all.
- */
- return (u_int)-1;
- A = 0;
- X = 0;
- --pc;
- while (1) {
- ++pc;
- switch (pc->code) {
-
- default:
- return 0;
- case BPF_RET|BPF_K:
- return (u_int)pc->k;
-
- case BPF_RET|BPF_A:
- return (u_int)A;
-
- case BPF_LD|BPF_W|BPF_ABS:
- k = pc->k;
- if (k + sizeof(int32) > buflen) {
- if (m == NULL)
- return 0;
- A = m_xword(m, k, &merr);
- if (merr != 0)
- return 0;
- continue;
- }
- A = EXTRACT_LONG(&p[k]);
- continue;
-
- case BPF_LD|BPF_H|BPF_ABS:
- k = pc->k;
- if (k + sizeof(short) > buflen) {
- if (m == NULL)
- return 0;
- A = m_xhalf(m, k, &merr);
- if (merr != 0)
- return 0;
- continue;
- }
- A = EXTRACT_SHORT(&p[k]);
- continue;
-
- case BPF_LD|BPF_B|BPF_ABS:
- k = pc->k;
- if (k >= buflen) {
- if (m == NULL)
- return 0;
- n = m;
- MINDEX(len, n, k);
- A = MTOD(n, u_char *)[k];
- continue;
- }
- A = p[k];
- continue;
-
- case BPF_LD|BPF_W|BPF_LEN:
- A = wirelen;
- continue;
-
- case BPF_LDX|BPF_W|BPF_LEN:
- X = wirelen;
- continue;
-
- case BPF_LD|BPF_W|BPF_IND:
- k = X + pc->k;
- if (k + sizeof(int32) > buflen) {
- if (m == NULL)
- return 0;
- A = m_xword(m, k, &merr);
- if (merr != 0)
- return 0;
- continue;
- }
- A = EXTRACT_LONG(&p[k]);
- continue;
-
- case BPF_LD|BPF_H|BPF_IND:
- k = X + pc->k;
- if (k + sizeof(short) > buflen) {
- if (m == NULL)
- return 0;
- A = m_xhalf(m, k, &merr);
- if (merr != 0)
- return 0;
- continue;
- }
- A = EXTRACT_SHORT(&p[k]);
- continue;
-
- case BPF_LD|BPF_B|BPF_IND:
- k = X + pc->k;
- if (k >= buflen) {
- if (m == NULL)
- return 0;
- n = m;
- MINDEX(len, n, k);
- A = MTOD(n, u_char *)[k];
- continue;
- }
- A = p[k];
- continue;
-
- case BPF_LDX|BPF_MSH|BPF_B:
- k = pc->k;
- if (k >= buflen) {
- if (m == NULL)
- return 0;
- n = m;
- MINDEX(len, n, k);
- X = (MTOD(n, char *)[k] & 0xf) << 2;
- continue;
- }
- X = (p[pc->k] & 0xf) << 2;
- continue;
-
- case BPF_LD|BPF_IMM:
- A = pc->k;
- continue;
-
- case BPF_LDX|BPF_IMM:
- X = pc->k;
- continue;
-
- case BPF_LD|BPF_MEM:
- A = mem[pc->k];
- continue;
-
- case BPF_LDX|BPF_MEM:
- X = mem[pc->k];
- continue;
-
- case BPF_ST:
- mem[pc->k] = A;
- continue;
-
- case BPF_STX:
- mem[pc->k] = X;
- continue;
-
- case BPF_JMP|BPF_JA:
- pc += pc->k;
- continue;
-
- case BPF_JMP|BPF_JGT|BPF_K:
- pc += (A > pc->k) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JGE|BPF_K:
- pc += (A >= pc->k) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JEQ|BPF_K:
- pc += (A == pc->k) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JSET|BPF_K:
- pc += (A & pc->k) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JGT|BPF_X:
- pc += (A > X) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JGE|BPF_X:
- pc += (A >= X) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JEQ|BPF_X:
- pc += (A == X) ? pc->jt : pc->jf;
- continue;
-
- case BPF_JMP|BPF_JSET|BPF_X:
- pc += (A & X) ? pc->jt : pc->jf;
- continue;
-
- case BPF_ALU|BPF_ADD|BPF_X:
- A += X;
- continue;
-
- case BPF_ALU|BPF_SUB|BPF_X:
- A -= X;
- continue;
-
- case BPF_ALU|BPF_MUL|BPF_X:
- A *= X;
- continue;
-
- case BPF_ALU|BPF_DIV|BPF_X:
- if (X == 0)
- return 0;
- A /= X;
- continue;
-
- case BPF_ALU|BPF_AND|BPF_X:
- A &= X;
- continue;
-
- case BPF_ALU|BPF_OR|BPF_X:
- A |= X;
- continue;
-
- case BPF_ALU|BPF_LSH|BPF_X:
- A <<= X;
- continue;
-
- case BPF_ALU|BPF_RSH|BPF_X:
- A >>= X;
- continue;
-
- case BPF_ALU|BPF_ADD|BPF_K:
- A += pc->k;
- continue;
-
- case BPF_ALU|BPF_SUB|BPF_K:
- A -= pc->k;
- continue;
-
- case BPF_ALU|BPF_MUL|BPF_K:
- A *= pc->k;
- continue;
-
- case BPF_ALU|BPF_DIV|BPF_K:
- A /= pc->k;
- continue;
-
- case BPF_ALU|BPF_AND|BPF_K:
- A &= pc->k;
- continue;
-
- case BPF_ALU|BPF_OR|BPF_K:
- A |= pc->k;
- continue;
-
- case BPF_ALU|BPF_LSH|BPF_K:
- A <<= pc->k;
- continue;
-
- case BPF_ALU|BPF_RSH|BPF_K:
- A >>= pc->k;
- continue;
-
- case BPF_ALU|BPF_NEG:
- A = -A;
- continue;
-
- case BPF_MISC|BPF_TAX:
- X = A;
- continue;
-
- case BPF_MISC|BPF_TXA:
- A = X;
- continue;
- }
- }
-}
-
-
-/*
- * Return true if the 'fcode' is a valid filter program.
- * The constraints are that each jump be forward and to a valid
- * code, that memory accesses are within valid ranges (to the
- * extent that this can be checked statically; loads of packet
- * data have to be, and are, also checked at run time), and that
- * the code terminates with either an accept or reject.
- *
- * The kernel needs to be able to verify an application's filter code.
- * Otherwise, a bogus program could easily crash the system.
- */
-int
-bpf_validate(f, len)
- struct bpf_insn *f;
- int len;
-{
- u_int i, from;
- const struct bpf_insn *p;
-
- if (len == 0)
- return 1;
-
- if (len < 1 || len > BPF_MAXINSNS)
- return 0;
-
- for (i = 0; i < len; ++i) {
- p = &f[i];
- switch (BPF_CLASS(p->code)) {
- /*
- * Check that memory operations use valid addresses.
- */
- case BPF_LD:
- case BPF_LDX:
- switch (BPF_MODE(p->code)) {
- case BPF_IMM:
- break;
- case BPF_ABS:
- case BPF_IND:
- case BPF_MSH:
- /*
- * More strict check with actual packet length
- * is done runtime.
- */
-#if 0
- if (p->k >= bpf_maxbufsize)
- return 0;
-#endif
- break;
- case BPF_MEM:
- if (p->k >= BPF_MEMWORDS)
- return 0;
- break;
- case BPF_LEN:
- break;
- default:
- return 0;
- }
- break;
- case BPF_ST:
- case BPF_STX:
- if (p->k >= BPF_MEMWORDS)
- return 0;
- break;
- case BPF_ALU:
- switch (BPF_OP(p->code)) {
- case BPF_ADD:
- case BPF_SUB:
- case BPF_OR:
- case BPF_AND:
- case BPF_LSH:
- case BPF_RSH:
- case BPF_NEG:
- break;
- case BPF_DIV:
- /*
- * Check for constant division by 0.
- */
- if (BPF_RVAL(p->code) == BPF_K && p->k == 0)
- return 0;
- default:
- return 0;
- }
- break;
- case BPF_JMP:
- /*
- * Check that jumps are within the code block,
- * and that unconditional branches don't go
- * backwards as a result of an overflow.
- * Unconditional branches have a 32-bit offset,
- * so they could overflow; we check to make
- * sure they don't. Conditional branches have
- * an 8-bit offset, and the from address is <=
- * BPF_MAXINSNS, and we assume that BPF_MAXINSNS
- * is sufficiently small that adding 255 to it
- * won't overflow.
- *
- * We know that len is <= BPF_MAXINSNS, and we
- * assume that BPF_MAXINSNS is < the maximum size
- * of a u_int, so that i + 1 doesn't overflow.
- */
- from = i + 1;
- switch (BPF_OP(p->code)) {
- case BPF_JA:
- if (from + p->k < from || from + p->k >= len)
- return 0;
- break;
- case BPF_JEQ:
- case BPF_JGT:
- case BPF_JGE:
- case BPF_JSET:
- if (from + p->jt >= len || from + p->jf >= len)
- return 0;
- break;
- default:
- return 0;
- }
- break;
- case BPF_RET:
- break;
- case BPF_MISC:
- break;
- default:
- return 0;
- }
- }
- return BPF_CLASS(f[len - 1].code) == BPF_RET;
-}
diff --git a/contrib/ipfilter/bsdinstall b/contrib/ipfilter/bsdinstall
deleted file mode 100755
index 7689a21..0000000
--- a/contrib/ipfilter/bsdinstall
+++ /dev/null
@@ -1,88 +0,0 @@
-#! /bin/sh
-#
-# @(#)install.sh 4.5 (Berkeley) 10/12/83
-#
-cmd=/bin/mv
-strip=""
-chmod="chmod 755"
-if [ "`uname -s`" = "HP-UX" ] ; then
- chown="chown root"
- chgrp="chgrp bin"
-else
- chown="chown -f root"
- chgrp="chgrp -f bin"
-fi
-while true ; do
- case $1 in
- -s ) strip="strip"
- shift
- ;;
- -c ) cmd="cp"
- shift
- ;;
- -m ) chmod="chmod $2"
- shift
- shift
- ;;
- -o ) chown="chown -f $2"
- shift
- shift
- ;;
- -g ) chgrp="chgrp -f $2"
- shift
- shift
- ;;
- -d ) cmd="mkdir"
- shift
- ;;
- * ) break
- ;;
- esac
-done
-
-if [ ! ${2-""} ]
-then echo "install: no destination specified"
- exit 1
-fi
-if [ ${3-""} ]
-then echo "install: too many files specified -> $*"
- exit 1
-fi
-if [ $1 = $2 -o $2 = . ]
-then echo "install: can't move $1 onto itself"
- exit 1
-fi
-case $cmd in
-/bin/mkdir )
- file=$2/$1
- ;;
-* )
- if [ '!' -f $1 ]
- then echo "install: can't open $1"
- exit 1
- fi
- if [ -d $2 ]
- then file=$2/$1
- else file=$2
- fi
- /bin/rm -f $file
- ;;
-esac
-
-case $cmd in
-/bin/mkdir )
- if [ ! -d "$file" ]
- then $cmd $file
- fi
- ;;
-* )
- $cmd $1 $file
- if [ $strip ]
- then $strip $file
- fi
- ;;
-esac
-
-$chown $file
-$chgrp $file
-$chmod $file
diff --git a/contrib/ipfilter/buildlinux b/contrib/ipfilter/buildlinux
deleted file mode 100755
index 7ce043f..0000000
--- a/contrib/ipfilter/buildlinux
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-LINUX=`uname -r | perl -e '$_=<>;@F=split(/\./);printf "%02d%02d\n",$F[0],$F[1];';`
-
-case ${LINUX} in
- 0200)
- make linuxrev "LINUXK=-DLINUX=${LINUX}"
- ;;
- 0201)
- make linuxrev "LINUXK=-DLINUX=${LINUX}"
- ;;
- *)
- echo "invalid linux version $LINUX"
- exit 1;
- ;;
-esac
-exit 0
diff --git a/contrib/ipfilter/buildsunos b/contrib/ipfilter/buildsunos
deleted file mode 100755
index 5e857e7..0000000
--- a/contrib/ipfilter/buildsunos
+++ /dev/null
@@ -1,168 +0,0 @@
-#! /bin/sh
-if [ ! -f netinet/done ] ; then
- echo "Do NOT run this script directly, do 'make solaris'!"
- exit 1
-fi
-# Id: buildsunos,v 2.20 2004/02/07 18:08:46 darrenr Exp
-:
-rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
-if [ -d /usr/ccs/bin ] ; then
- PATH=/usr/ccs/bin:${PATH}
- export PATH
-fi
-
-if [ $rev = 5 ] ; then
- if [ ! -d ../pfil ] ; then
- cat << __EOF__
-pfil directory in .. missing, please download pfil package and extract that
-into the parent directory.
-
-See INSTALL.Sol2 for more instructions.
-__EOF__
- exit 1
- fi
- #
- # /usr/ucb/cc will not work
- #
- PATH=`echo $PATH | sed -e s:/usr/ucb::g -e s/::/:/g`
- export PATH
-
- cpu=`uname -p`
- cpudir=${cpu}-`uname -r`
- solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
- if [ ! -d SunOS5/${cpudir} -a ! -h SunOS5/${cpudir} ] ; then
- mkdir -p SunOS5/${cpudir}
- fi
- /bin/rm -f SunOS5/${cpudir}/Makefile
- /bin/rm -f SunOS5/${cpudir}/Makefile.ipsend
- ln -s `pwd`/SunOS5/Makefile SunOS5/${cpudir}/Makefile
- ln -s `pwd`/SunOS5/Makefile.ipsend SunOS5/${cpudir}/Makefile.ipsend
-
- #
- # Default C compiler is "cc", override on make commandline
- #
- if [ "x$CC" = "x" ] ; then
- if echo '' | cc -E - >/dev/null 2>&1 ; then
- CC=cc
- else
- if echo '' | gcc -E - >/dev/null 2>&1 ; then
- CC=gcc
- else
- echo "No working compiler found"
- exit 1
- fi
- fi
- fi
- v=`echo '__GNUC__' | 2>&1 ${CC} -E - | 2>&1 sed -ne '/^[0-9]* *$/p'`
- if [ x$v != x ] ; then
- CC=gcc
- fi
-
- case "$CC" in
- *gcc*) # gcc
- XARCH32=""
- XARCH64="-m64 -mcmodel=medlow"
- ;;
- *) # Sun C
- XARCH32="-Xa -xildoff"
- XARCH64="$XARCH32 -xarch=v9 -xchip=ultra -dalign -xcode=abs32"
- ;;
- esac
-
- export CC
-
- ISABITS=32
-
- OBJ32=sparcv7
- ARCHINC32=
- OBJ64=sparcv9
- ARCHINC64="-I/usr/include/v9"
-
- if [ $solrev -ge 7 ] && /bin/optisa sparcv8plus > /dev/null
- then
- # We run Solaris 7+ on 64 bit capable hardware.
- BUILDBOTH=true
- else
- BUILDBOTH=false
- OBJ32=.
- fi
-
- if $BUILDBOTH
- then
- echo Testing compiler $CC for 64 bit object file generation.
- t=conftest$$.c
- trap 'rm -f $t 32.out 64.out; exit 1' 0 1 2 3 15
- cat > $t <<-EOF
- #include <stdio.h>
- int main(void)
- {
- printf("%ld\n", (long) sizeof(long));
- exit(0);
- }
- EOF
-
- # Is it perhaps a 64 bit only compiler?
- if $CC $XARCH32 $t -o 32.out >/dev/null 2>&1 &&
- [ "`./32.out`" = 4 ]
- then :; else
- echo $CC $XARCH32 cannot create 32 bit executables. 1>&2
- exit 1
- fi
- if $CC $XARCH64 $t -o 64.out >/dev/null 2>&1 &&
- { out64=`./64.out 2>/dev/null` ;
- [ "$out64" = 8 -o "`isainfo -b`" = 32 -a "$out64" = "" ]
- }
- then
- echo "found 32/64 bit compiler" 1>&2
- CC64=true
- else
- CC64=false
- fi
- rm -f $t 32.out 64.out
- trap 0 1 2 3 15
- fi
-
- # If we're running 64 bit, we *must* build 64 bit.
- if ([ "`isainfo -b`" = 64 ]) 2>/dev/null ; then
- if $CC64 ; then :; else
- echo "No 64 bit capable compiler was found" 1>&2
- exit 1
- fi
- ISABITS="32 64"
- elif $BUILDBOTH && $CC64
- then
- ISABITS="32 64"
- else
- OBJ32=.
- fi
-else
- cpu=`uname -m`
- cpudir=${cpu}-`uname -r`
-fi
-
-# Default $MAKE to make
-: ${MAKE:=make}
-
-if [ $cpu = i386 ] ; then
- if [ -n "$BPFILTER" ] ; then
- BPF="BPFILTER=./$BPFILTER"
- fi
- $MAKE $MAKEFLAGS ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH32" XARCH="$XARCH32" ARCHINC="$ARCHINC32" BITS=32 OBJ=. $BPF
- exit $?
-fi
-if [ x$solrev = x ] ; then
- make ${1+"$@"} sunos$rev "TOP=.." "ARCH=`uname -m`"
- exit $?
-fi
-for b in $ISABITS
-do
- echo build $b bit binaries.
- for v in OBJ ARCHINC XARCH
- do
- eval $v=\"\$$v$b\"
- done
- if [ -n "$BPFILTER" ] ; then
- BPF="BPFILTER=$OBJ/$BPFILTER"
- fi
- $MAKE $MAKEFLAGS ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" CPU= CPUDIR=${cpudir} CC="$CC $XARCH" XARCH="$XARCH" ARCHINC="$ARCHINC" BITS=$b OBJ=$OBJ $BPF || exit $?
-done
diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c
deleted file mode 100644
index fa21fc9..0000000
--- a/contrib/ipfilter/common.c
+++ /dev/null
@@ -1,610 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-extern int use_inet6;
-
-
-char *proto = NULL;
-char flagset[] = "FSRPAUEC";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
- TH_ECN, TH_CWR };
-
-void fill6bits __P((int, u_32_t *));
-int count6bits __P((u_32_t *));
-
-static char thishost[MAXHOSTNAMELEN];
-
-
-void initparse()
-{
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-}
-
-
-int genmask(msk, mskp)
-char *msk;
-u_32_t *mskp;
-{
- char *endptr = NULL;
-#ifdef USE_INET6
- u_32_t addr;
-#endif
- int bits;
-
- if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) {
- /* possibly of the form xxx.xxx.xxx.xxx
- * or 0xYYYYYYYY */
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, msk, &addr) != 1)
- return -1;
- } else
-#endif
- if (inet_aton(msk, (struct in_addr *)mskp) == 0)
- return -1;
- } else {
- /*
- * set x most significant bits
- */
- bits = (int)strtol(msk, &endptr, 0);
- if ((*endptr != '\0') ||
- ((bits > 32) && !use_inet6) || (bits < 0) ||
- ((bits > 128) && use_inet6))
- return -1;
- if (use_inet6)
- fill6bits(bits, mskp);
- else {
- if (bits == 0)
- *mskp = 0;
- else
- *mskp = htonl(0xffffffff << (32 - bits));
- }
- }
- return 0;
-}
-
-
-
-void fill6bits(bits, msk)
-int bits;
-u_32_t *msk;
-{
- int i;
-
- for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32)
- msk[i] = 0xffffffff;
-
- if (bits > 0 && i < 4)
- msk[i++] = htonl(0xffffffff << (32 - bits));
-
- while (i < 4)
- msk[i++] = 0;
-}
-
-
-/*
- * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
- * found in the line segments, there is an error processing this information,
- * or there is an error processing ports information.
- */
-int hostmask(seg, sa, msk, pp, cp, tp, linenum)
-char ***seg;
-u_32_t *sa, *msk;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- struct in_addr maskaddr;
- char *s;
-
- /*
- * is it possibly hostname/num ?
- */
- if ((s = index(**seg, '/')) ||
- ((s = index(**seg, ':')) && !index(s + 1, ':'))) {
- *s++ = '\0';
- if (genmask(s, msk) == -1) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
- return -1;
- }
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- *sa &= *msk;
- (*seg)++;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- /*
- * look for extra segments if "mask" found in right spot
- */
- if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- (*seg)++;
- if (inet_aton(**seg, &maskaddr) == 0) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
- return -1;
- }
- *msk = maskaddr.s_addr;
- (*seg)++;
- *sa &= *msk;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- if (**seg) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (use_inet6) {
- u_32_t k = 0;
- if (sa[0] || sa[1] || sa[2] || sa[3])
- k = 0xffffffff;
- msk[0] = msk[1] = msk[2] = msk[3] = k;
- }
- else
- *msk = *sa ? 0xffffffff : 0;
- return ports(seg, pp, cp, tp, linenum);
- }
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
-}
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-int hostnum(ipa, host, linenum)
-u_32_t *ipa;
-char *host;
-int linenum;
-{
- struct hostent *hp;
- struct netent *np;
- struct in_addr ip;
-
- if (!strcasecmp("any", host))
- return 0;
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, host, ipa) == 1)
- return 0;
- else
- return -1;
- }
-#endif
- if (isdigit(*host) && inet_aton(host, &ip)) {
- *ipa = ip.s_addr;
- return 0;
- }
-
- if (!strcasecmp("<thishost>", host))
- host = thishost;
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- fprintf(stderr, "%d: can't resolve hostname: %s\n",
- linenum, host);
- return -1;
- }
- *ipa = htonl(np->n_net);
- return 0;
- }
- *ipa = *(u_32_t *)hp->h_addr;
- return 0;
-}
-
-
-/*
- * check for possible presence of the port fields in the line
- */
-int ports(seg, pp, cp, tp, linenum)
-char ***seg;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- int comp = -1;
-
- if (!*seg || !**seg || !***seg)
- return 0;
- if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
- (*seg)++;
- if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
- comp = FR_EQUAL;
- else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
- comp = FR_NEQUAL;
- else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
- comp = FR_LESST;
- else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
- comp = FR_GREATERT;
- else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
- comp = FR_LESSTE;
- else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
- comp = FR_GREATERTE;
- else if (isalnum(***seg) && *(*seg + 2)) {
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- (*seg)++;
- if (!strcmp(**seg, "<>"))
- comp = FR_OUTRANGE;
- else if (!strcmp(**seg, "><"))
- comp = FR_INRANGE;
- else {
- fprintf(stderr,
- "%d: unknown range operator (%s)\n",
- linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (**seg == NULL) {
- fprintf(stderr, "%d: missing 2nd port value\n",
- linenum);
- return -1;
- }
- if (portnum(**seg, tp, linenum) == 0)
- return -1;
- } else {
- fprintf(stderr, "%d: unknown comparator (%s)\n",
- linenum, **seg);
- return -1;
- }
- if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
- (*seg)++;
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- }
- *cp = comp;
- (*seg)++;
- }
- return 0;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi(). Return 1 on success, 0 on failure
- */
-int portnum(name, port, linenum)
-char *name;
-u_short *port;
-int linenum;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
- int i;
-
- if (isdigit(*name)) {
- if (ratoi(name, &i, 0, USHRT_MAX)) {
- *port = (u_short)i;
- return 1;
- }
- fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
- return 0;
- }
- if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
- sp = getservbyname(name, proto);
- if (sp) {
- *port = ntohs(sp->s_port);
- return 1;
- }
- fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
- linenum, name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- fprintf(stderr, "%d: %s %d/tcp is a different port to ",
- linenum, name, p1);
- fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
- return 0;
- }
- *port = ntohs(p1);
- return 1;
-}
-
-
-u_char tcp_flags(flgs, mask, linenum)
-char *flgs;
-u_char *mask;
-int linenum;
-{
- u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
- char *s, *t;
-
- if (*flgs == '0') {
- s = strchr(flgs, '/');
- if (s)
- *s++ = '\0';
- tcpf = strtol(flgs, NULL, 0);
- fp = &tcpfm;
- } else
- s = flgs;
-
- for (; *s; s++) {
- if (*s == '/' && fp == &tcpf) {
- fp = &tcpfm;
- if (*(s + 1) == '0')
- break;
- continue;
- }
- if (!(t = index(flagset, *s))) {
- fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
- return 0;
- }
- *fp |= flags[t - flagset];
- }
-
- if (s && *s == '0')
- tcpfm = strtol(s, NULL, 0);
-
- if (!tcpfm) {
- if (tcpf == TH_SYN)
- tcpfm = 0xff & ~(TH_ECN|TH_CWR);
- else
- tcpfm = 0xff & ~(TH_ECN);
- }
- *mask = tcpfm;
- return tcpf;
-}
-
-
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int countbits(ip)
-u_32_t ip;
-{
- u_32_t ipn;
- int cnt = 0, i, j;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
-
-
-int count6bits(msk)
-u_32_t *msk;
-{
- int i = 0, k;
- u_32_t j;
-
- for (k = 3; k >= 0; k--)
- if (msk[k] == 0xffffffff)
- i += 32;
- else {
- for (j = msk[k]; j; j <<= 1)
- if (j & 0x80000000)
- i++;
- }
- return i;
-}
-
-
-char *portname(pr, port)
-int pr, port;
-{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
-
- if (pr == -1) {
- if ((sv = getservbyport(htons(port), "tcp"))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(htons(port), "udp");
- sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
- NULL : sv1;
- }
- if (sv)
- return buf;
- } else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- return buf;
- }
- }
-
- (void) sprintf(buf, "%d", port);
- return buf;
-}
-
-
-int ratoi(ps, pi, min, max)
-char *ps;
-int *pi, min, max;
-{
- int i;
- char *pe;
-
- i = (int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-int ratoui(ps, pi, min, max)
-char *ps;
-u_int *pi, min, max;
-{
- u_int i;
- char *pe;
-
- i = (u_int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
-{
- struct in_addr ipa;
- int ones;
-
-#ifdef USE_INET6
- if (v == 6) {
- ones = count6bits(mask);
- if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3])
- printf("any");
- else {
- char ipbuf[64];
- printf("%s/%d",
- inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)),
- ones);
- }
- }
- else
-#endif
- if (!*addr && !*mask)
- printf("any");
- else {
- ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
- if ((ones = countbits(*mask)) == -1) {
- ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
- }
-}
-
-
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
-{
- static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
- "<>", "><"};
-
- if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
- pcmp1[frp->frp_cmp], frp->frp_top);
- else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
- portname(pr, frp->frp_port));
-}
-
-
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
-{
- char *s, c;
- int i;
-
- for (s = buf, i = len; i; i--) {
- c = *s++;
- if (isprint(c))
- putchar(c);
- else
- printf("\\%03o", c);
- if ((c == '\0') && zend)
- break;
- }
-}
-
-
-
-char *hostname(v, ip)
-int v;
-void *ip;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
diff --git a/contrib/ipfilter/etc/etc.sed b/contrib/ipfilter/etc/etc.sed
deleted file mode 100644
index b14fc74..0000000
--- a/contrib/ipfilter/etc/etc.sed
+++ /dev/null
@@ -1,2 +0,0 @@
- Æ . Ä..'! CVS
- protocols
diff --git a/contrib/ipfilter/etc/protocols b/contrib/ipfilter/etc/protocols
deleted file mode 100644
index 30c5b76..0000000
--- a/contrib/ipfilter/etc/protocols
+++ /dev/null
@@ -1,104 +0,0 @@
-icmp 1 ICMP # Internet Control Message
-igmp 2 IGMP # Internet Group Management
-ggp 3 GGP # Gateway-to-Gateway
-ip 4 IP # IP in IP (encasulation)
-st 5 ST # Stream
-tcp 6 TCP # Transmission Control
-ucl 7 UCL # UCL
-egp 8 EGP # Exterior Gateway Protocol
-igp 9 IGP # any private interior gateway
-bbn-rcc-mon 10 BBN-RCC-MON # BBN RCC Monitoring
-nvp-ii 11 NVP-II # Network Voice Protocol
-pup 12 PUP # PUP
-argus 13 ARGUS # ARGUS
-emcon 14 EMCON # EMCON
-xnet 15 XNET # Cross Net Debugger
-chaos 16 CHAOS # Chaos
-udp 17 UDP # User Datagram
-mux 18 MUX # Multiplexing
-dcn-meas 19 DCN-MEAS # DCN Measurement Subsystems
-hmp 20 HMP # Host Monitoring
-prm 21 PRM # Packet Radio Measurement
-xns-idp 22 XNS-IDP # XEROX NS IDP
-trunk-1 23 TRUNK-1 # Trunk-1
-trunk-2 24 TRUNK-2 # Trunk-2
-leaf-1 25 LEAF-1 # Leaf-1
-leaf-2 26 LEAF-2 # Leaf-2
-rdp 27 RDP # Reliable Data Protocol
-irtp 28 IRTP # Internet Reliable Transaction
-iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
-netblt 30 NETBLT # Bulk Data Transfer Protocol
-mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
-merit-inp 32 MERIT-INP # MERIT Internodal Protocol
-sep 33 SEP # Sequential Exchange Protocol
-3pc 34 3PC # Third Party Connect Protocol
-idpr 35 IDPR # Inter-Domain Policy Routing Protocol
-xtp 36 XTP # XTP
-ddp 37 DDP # Datagram Delivery Protocol
-idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
-tp++ 39 TP++ # TP++ Transport Protocol
-il 40 IL # IL Transport Protocol
-ipv6 41 IPv6 # Internet Protocol, version 6
-sip 41 SIP # Simple Internet Protocol
-sdrp 42 SDRP # Source Demand Routing Protocol
-ipv6-route 43 IPv6-Route # Routing Header for IPv6
-sip-sr 43 SIP-SR # SIP Source Route
-ipv6-frag 44 IPv6-Frag # Fragment Hedaer for IPv6
-sip-frag 44 SIP-FRAG # SIP Fragment
-idrp 45 IDRP # Inter-Domain Routing Protocol
-rsvp 46 RSVP # Reservation Protocol
-gre 47 GRE # General Routing Encapsulation
-mhrp 48 MHRP # Mobile Host Routing Protocol
-bna 49 BNA # BNA
-esp 50 esp # Encap Security Payload
-ah 51 AH # Authentication Header
-i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
-swipe 53 SWIPE # IP with Encryption
-nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
-mobile 55 MOBILE # IP Mobility (IP tunneling)
-ipv6-icmp 58 icmpv6 IPv6-ICMP ICMPv6 # ICMP version 6
-ipv6-nonxt 59 IPv6-Nonxt # No Next Header for IPv6
-ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
-any 61 any # host internal protocol
-cftp 62 CFTP # CFTP
-any 63 any # local network
-sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
-kryptolan 65 KRYPTOLAN # Kryptolan
-rvd 66 RVD # MIT Remote Virtual Disk Protocol
-ippc 67 IPPC # Internet Pluribus Packet Core
-any 68 any # distributed file system
-sat-mon 69 SAT-MON # SATNET Monitoring
-visa 70 VISA # VISA Protocol
-ipcv 71 IPCV # Internet Packet Core Utility
-cpnx 72 CPNX # Computer Protocol Network Executive
-cphb 73 CPHB # Computer Protocol Heart Beat
-wsn 74 WSN # Wang Span Network
-pvp 75 PVP # Packet Video Protocol
-br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
-sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
-wb-mon 78 WB-MON # WIDEBAND Monitoring
-wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
-iso-ip 80 ISO-IP # ISO Internet Protocol
-vmtp 81 VMTP # VMTP
-secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
-vines 83 VINES # VINES
-ttp 84 TTP # TTP
-nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
-dgp 86 DGP # Dissimilar Gateway Protocol
-tcf 87 TCF # TCF
-igrp 88 IGRP # IGRP
-ospfigp 89 OSPFIGP # OSPFIGP
-sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
-larp 91 LARP # Locus Address Resolution Protocol
-mtp 92 MTP # Multicast Transport Protocol
-ax.25 93 AX.25 # AX.25 Frames
-ipip 94 IPIP # IP-within-IP Encapsulation Protocol
-micp 95 MICP # Mobile Internetworking Control Pro.
-scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
-etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
-encap 98 ENCAP # Encapsulation Header
-any 99 any # private encryption scheme
-gmtp 100 GMTP # GMTP
-pim 103 PIM # Protocol Independant Multicast
-ipcomp 108 IPCOMP # IP Payload Compression Protocol
-reserved 255 Reserved #
diff --git a/contrib/ipfilter/etc/services b/contrib/ipfilter/etc/services
deleted file mode 100644
index d8aa0d5..0000000
--- a/contrib/ipfilter/etc/services
+++ /dev/null
@@ -1,2536 +0,0 @@
-tcpmux 1/tcp # TCP Port Service Multiplexer
-tcpmux 1/udp # TCP Port Service Multiplexer
-compressnet 2/tcp # Management Utility
-compressnet 2/udp # Management Utility
-compressnet 3/tcp # Compression Process
-compressnet 3/udp # Compression Process
-rje 5/tcp # Remote Job Entry
-rje 5/udp # Remote Job Entry
-echo 7/tcp # Echo
-echo 7/udp # Echo
-discard 9/tcp # Discard
-discard 9/udp # Discard
-systat 11/tcp # Active Users
-systat 11/udp # Active Users
-daytime 13/tcp # Daytime (RFC 867)
-daytime 13/udp # Daytime (RFC 867)
-qotd 17/tcp # Quote of the Day
-qotd 17/udp # Quote of the Day
-msp 18/tcp # Message Send Protocol
-msp 18/udp # Message Send Protocol
-chargen 19/tcp # Character Generator
-chargen 19/udp # Character Generator
-ftp 21/tcp # File Transfer [Control]
-ftp 21/udp # File Transfer [Control]
-ssh 22/tcp # SSH Remote Login Protocol
-ssh 22/udp # SSH Remote Login Protocol
-telnet 23/tcp # Telnet
-telnet 23/udp # Telnet
-smtp 25/tcp # Simple Mail Transfer
-smtp 25/udp # Simple Mail Transfer
-dsp 33/tcp # Display Support Protocol
-dsp 33/udp # Display Support Protocol
-time 37/tcp # Time
-time 37/udp # Time
-rap 38/tcp # Route Access Protocol
-rap 38/udp # Route Access Protocol
-rlp 39/tcp # Resource Location Protocol
-rlp 39/udp # Resource Location Protocol
-graphics 41/tcp # Graphics
-graphics 41/udp # Graphics
-name 42/tcp # Host Name Server
-name 42/udp # Host Name Server
-nameserver 42/tcp # Host Name Server
-nameserver 42/udp # Host Name Server
-nicname 43/tcp # Who Is
-nicname 43/udp # Who Is
-mpm 45/tcp # Message Processing Module [recv]
-mpm 45/udp # Message Processing Module [recv]
-auditd 48/tcp # Digital Audit Daemon
-auditd 48/udp # Digital Audit Daemon
-tacacs 49/tcp # Login Host Protocol (TACACS)
-tacacs 49/udp # Login Host Protocol (TACACS)
-domain 53/tcp # Domain Name Server
-domain 53/udp # Domain Name Server
-acas 62/tcp # ACA Services
-acas 62/udp # ACA Services
-covia 64/tcp # Communications Integrator (CI)
-covia 64/udp # Communications Integrator (CI)
-sql*net 66/tcp # Oracle SQL*NET
-sql*net 66/udp # Oracle SQL*NET
-bootps 67/tcp # Bootstrap Protocol Server
-bootps 67/udp # Bootstrap Protocol Server
-bootpc 68/tcp # Bootstrap Protocol Client
-bootpc 68/udp # Bootstrap Protocol Client
-tftp 69/tcp # Trivial File Transfer
-tftp 69/udp # Trivial File Transfer
-gopher 70/tcp # Gopher
-gopher 70/udp # Gopher
-deos 76/tcp # Distributed External Object Store
-deos 76/udp # Distributed External Object Store
-vettcp 78/tcp # vettcp
-vettcp 78/udp # vettcp
-finger 79/tcp # Finger
-finger 79/udp # Finger
-http 80/tcp # World Wide Web HTTP
-http 80/udp # World Wide Web HTTP
-www 80/tcp # World Wide Web HTTP
-www 80/udp # World Wide Web HTTP
-xfer 82/tcp # XFER Utility
-xfer 82/udp # XFER Utility
-ctf 84/tcp # Common Trace Facility
-ctf 84/udp # Common Trace Facility
-mfcobol 86/tcp # Micro Focus Cobol
-mfcobol 86/udp # Micro Focus Cobol
-kerberos 88/tcp # Kerberos
-kerberos 88/udp # Kerberos
-dnsix 90/tcp # DNSIX Securit Attribute Token Map
-dnsix 90/udp # DNSIX Securit Attribute Token Map
-npp 92/tcp # Network Printing Protocol
-npp 92/udp # Network Printing Protocol
-dcp 93/tcp # Device Control Protocol
-dcp 93/udp # Device Control Protocol
-objcall 94/tcp # Tivoli Object Dispatcher
-objcall 94/udp # Tivoli Object Dispatcher
-supdup 95/tcp # SUPDUP
-supdup 95/udp # SUPDUP
-dixie 96/tcp # DIXIE Protocol Specification
-dixie 96/udp # DIXIE Protocol Specification
-tacnews 98/tcp # TAC News
-tacnews 98/udp # TAC News
-metagram 99/tcp # Metagram Relay
-metagram 99/udp # Metagram Relay
-newacct 100/tcp [unauthorized use]
-hostname 101/tcp # NIC Host Name Server
-hostname 101/udp # NIC Host Name Server
-gppitnp 103/tcp # Genesis Point-to-Point Trans Net
-gppitnp 103/udp # Genesis Point-to-Point Trans Net
-cso 105/tcp # CCSO name server protocol
-cso 105/udp # CCSO name server protocol
-rtelnet 107/tcp # Remote Telnet Service
-rtelnet 107/udp # Remote Telnet Service
-snagas 108/tcp # SNA Gateway Access Server
-snagas 108/udp # SNA Gateway Access Server
-pop2 109/tcp # Post Office Protocol - Version 2
-pop2 109/udp # Post Office Protocol - Version 2
-pop3 110/tcp # Post Office Protocol - Version 3
-pop3 110/udp # Post Office Protocol - Version 3
-sunrpc 111/tcp # SUN Remote Procedure Call
-sunrpc 111/udp # SUN Remote Procedure Call
-mcidas 112/tcp # McIDAS Data Transmission Protocol
-mcidas 112/udp # McIDAS Data Transmission Protocol
-ident 113/tcp
-auth 113/tcp # Authentication Service
-auth 113/udp # Authentication Service
-audionews 114/tcp # Audio News Multicast
-audionews 114/udp # Audio News Multicast
-sftp 115/tcp # Simple File Transfer Protocol
-sftp 115/udp # Simple File Transfer Protocol
-ansanotify 116/tcp # ANSA REX Notify
-ansanotify 116/udp # ANSA REX Notify
-sqlserv 118/tcp # SQL Services
-sqlserv 118/udp # SQL Services
-nntp 119/tcp # Network News Transfer Protocol
-nntp 119/udp # Network News Transfer Protocol
-cfdptkt 120/tcp # CFDPTKT
-cfdptkt 120/udp # CFDPTKT
-erpc 121/tcp # Encore Expedited Remote Pro.Call
-erpc 121/udp # Encore Expedited Remote Pro.Call
-smakynet 122/tcp # SMAKYNET
-smakynet 122/udp # SMAKYNET
-ntp 123/tcp # Network Time Protocol
-ntp 123/udp # Network Time Protocol
-ansatrader 124/tcp # ANSA REX Trader
-ansatrader 124/udp # ANSA REX Trader
-nxedit 126/tcp # NXEdit
-nxedit 126/udp # NXEdit
-pwdgen 129/tcp # Password Generator Protocol
-pwdgen 129/udp # Password Generator Protocol
-statsrv 133/tcp # Statistics Service
-statsrv 133/udp # Statistics Service
-epmap 135/tcp # DCE endpoint resolution
-epmap 135/udp # DCE endpoint resolution
-profile 136/tcp # PROFILE Naming System
-profile 136/udp # PROFILE Naming System
-imap 143/tcp # Internet Message Access Protocol
-imap 143/udp # Internet Message Access Protocol
-uma 144/tcp # Universal Management Architecture
-uma 144/udp # Universal Management Architecture
-uaac 145/tcp # UAAC Protocol
-uaac 145/udp # UAAC Protocol
-jargon 148/tcp # Jargon
-jargon 148/udp # Jargon
-hems 151/tcp # HEMS
-hems 151/udp # HEMS
-bftp 152/tcp # Background File Transfer Program
-bftp 152/udp # Background File Transfer Program
-sgmp 153/tcp # SGMP
-sgmp 153/udp # SGMP
-sqlsrv 156/tcp # SQL Service
-sqlsrv 156/udp # SQL Service
-snmp 161/tcp # SNMP
-snmp 161/udp # SNMP
-snmptrap 162/tcp # SNMPTRAP
-snmptrap 162/udp # SNMPTRAP
-namp 167/tcp # NAMP
-namp 167/udp # NAMP
-rsvd 168/tcp # RSVD
-rsvd 168/udp # RSVD
-send 169/tcp # SEND
-send 169/udp # SEND
-multiplex 171/tcp # Network Innovations Multiplex
-multiplex 171/udp # Network Innovations Multiplex
-cl/1 172/tcp # Network Innovations CL/1
-cl/1 172/udp # Network Innovations CL/1
-mailq 174/tcp # MAILQ
-mailq 174/udp # MAILQ
-vmnet 175/tcp # VMNET
-vmnet 175/udp # VMNET
-xdmcp 177/tcp # X Display Manager Control Protocol
-xdmcp 177/udp # X Display Manager Control Protocol
-nextstep 178/tcp # NextStep Window Server
-nextstep 178/udp # NextStep Window Server
-bgp 179/tcp # Border Gateway Protocol
-bgp 179/udp # Border Gateway Protocol
-ris 180/tcp # Intergraph
-ris 180/udp # Intergraph
-unify 181/tcp # Unify
-unify 181/udp # Unify
-audit 182/tcp # Unisys Audit SITP
-audit 182/udp # Unisys Audit SITP
-ocbinder 183/tcp # OCBinder
-ocbinder 183/udp # OCBinder
-ocserver 184/tcp # OCServer
-ocserver 184/udp # OCServer
-kis 186/tcp # KIS Protocol
-kis 186/udp # KIS Protocol
-aci 187/tcp # Application Communication Interface
-aci 187/udp # Application Communication Interface
-mumps 188/tcp # Plus Five's MUMPS
-mumps 188/udp # Plus Five's MUMPS
-qft 189/tcp # Queued File Transport
-qft 189/udp # Queued File Transport
-gacp 190/tcp # Gateway Access Control Protocol
-gacp 190/udp # Gateway Access Control Protocol
-prospero 191/tcp # Prospero Directory Service
-prospero 191/udp # Prospero Directory Service
-srmp 193/tcp # Spider Remote Monitoring Protocol
-srmp 193/udp # Spider Remote Monitoring Protocol
-irc 194/tcp # Internet Relay Chat Protocol
-irc 194/udp # Internet Relay Chat Protocol
-dls 197/tcp # Directory Location Service
-dls 197/udp # Directory Location Service
-smux 199/tcp # SMUX
-smux 199/udp # SMUX
-src 200/tcp # IBM System Resource Controller
-src 200/udp # IBM System Resource Controller
-qmtp 209/tcp # The Quick Mail Transfer Protocol
-qmtp 209/udp # The Quick Mail Transfer Protocol
-anet 212/tcp # ATEXSSTR
-anet 212/udp # ATEXSSTR
-ipx 213/tcp # IPX
-ipx 213/udp # IPX
-vmpwscs 214/tcp # VM PWSCS
-vmpwscs 214/udp # VM PWSCS
-softpc 215/tcp # Insignia Solutions
-softpc 215/udp # Insignia Solutions
-dbase 217/tcp # dBASE Unix
-dbase 217/udp # dBASE Unix
-mpp 218/tcp # Netix Message Posting Protocol
-mpp 218/udp # Netix Message Posting Protocol
-uarps 219/tcp # Unisys ARPs
-uarps 219/udp # Unisys ARPs
-imap3 220/tcp # Interactive Mail Access Protocol v3
-imap3 220/udp # Interactive Mail Access Protocol v3
-cdc 223/tcp # Certificate Distribution Center
-cdc 223/udp # Certificate Distribution Center
-masqdialer 224/tcp # masqdialer
-masqdialer 224/udp # masqdialer
-direct 242/tcp # Direct
-direct 242/udp # Direct
-dayna 244/tcp # Dayna
-dayna 244/udp # Dayna
-link 245/tcp # LINK
-link 245/udp # LINK
-dsp3270 246/tcp # Display Systems Protocol
-dsp3270 246/udp # Display Systems Protocol
-bhfhs 248/tcp # bhfhs
-bhfhs 248/udp # bhfhs
-rap 256/tcp # RAP
-rap 256/udp # RAP
-set 257/tcp # Secure Electronic Transaction
-set 257/udp # Secure Electronic Transaction
-openport 260/tcp # Openport
-openport 260/udp # Openport
-nsiiops 261/tcp # IIOP Name Service over TLS/SSL
-nsiiops 261/udp # IIOP Name Service over TLS/SSL
-arcisdms 262/tcp # Arcisdms
-arcisdms 262/udp Arcisdms
-hdap 263/tcp # HDAP
-hdap 263/udp # HDAP
-bgmp 264/tcp # BGMP
-bgmp 264/udp # BGMP
-rescap 283/tcp # rescap
-rescap 283/udp # rescap
-novastorbakcup 308/tcp # Novastor Backup
-novastorbakcup 308/udp # Novastor Backup
-entrusttime 309/tcp # EntrustTime
-entrusttime 309/udp # EntrustTime
-bhmds 310/tcp # bhmds
-bhmds 310/udp # bhmds
-vslmp 312/tcp # VSLMP
-vslmp 312/udp # VSLMP
-dpsi 315/tcp # DPSI
-dpsi 315/udp # DPSI
-decauth 316/tcp # decAuth
-decauth 316/udp # decAuth
-zannet 317/tcp # Zannet
-zannet 317/udp # Zannet
-pip 321/tcp # PIP
-pip 321/udp # PIP
-rtsps 322/tcp # RTSPS
-rtsps 322/udp # RTSPS
-pdap 344/tcp # Prospero Data Access Protocol
-pdap 344/udp # Prospero Data Access Protocol
-pawserv 345/tcp # Perf Analysis Workbench
-pawserv 345/udp # Perf Analysis Workbench
-zserv 346/tcp # Zebra server
-zserv 346/udp # Zebra server
-fatserv 347/tcp # Fatmen Server
-fatserv 347/udp # Fatmen Server
-mftp 349/tcp # mftp
-mftp 349/udp # mftp
-bhoetty 351/tcp bhoetty (added 5/21/97)
-bhoetty 351/udp # bhoetty
-bhoedap4 352/tcp # bhoedap4 (added 5/21/97)
-bhoedap4 352/udp # bhoedap4
-ndsauth 353/tcp # NDSAUTH
-ndsauth 353/udp # NDSAUTH
-bh611 354/tcp bh611
-bh611 354/udp # bh611
-bhevent 357/tcp bhevent
-bhevent 357/udp # bhevent
-shrinkwrap 358/tcp # Shrinkwrap
-shrinkwrap 358/udp # Shrinkwrap
-scoi2odialog 360/tcp # scoi2odialog
-scoi2odialog 360/udp # scoi2odialog
-semantix 361/tcp # Semantix
-semantix 361/udp # Semantix
-srssend 362/tcp # SRS Send
-srssend 362/udp # SRS Send
-dtk 365/tcp # DTK
-dtk 365/udp # DTK
-odmr 366/tcp # ODMR
-odmr 366/udp # ODMR
-mortgageware 367/tcp # MortgageWare
-mortgageware 367/udp # MortgageWare
-qbikgdp 368/tcp # QbikGDP
-qbikgdp 368/udp # QbikGDP
-rpc2portmap 369/tcp # rpc2portmap
-rpc2portmap 369/udp # rpc2portmap
-codaauth2 370/tcp # codaauth2
-codaauth2 370/udp # codaauth2
-clearcase 371/tcp # Clearcase
-clearcase 371/udp # Clearcase
-ulistproc 372/tcp # ListProcessor
-ulistproc 372/udp # ListProcessor
-hassle 375/tcp # Hassle
-hassle 375/udp # Hassle
-nip 376/tcp # Amiga Envoy Network Inquiry Proto
-nip 376/udp # Amiga Envoy Network Inquiry Proto
-tnETOS 377/tcp # NEC Corporation
-tnETOS 377/udp # NEC Corporation
-dsETOS 378/tcp # NEC Corporation
-dsETOS 378/udp # NEC Corporation
-is99c 379/tcp # TIA/EIA/IS-99 modem client
-is99c 379/udp # TIA/EIA/IS-99 modem client
-is99s 380/tcp # TIA/EIA/IS-99 modem server
-is99s 380/udp # TIA/EIA/IS-99 modem server
-arns 384/tcp # A Remote Network Server System
-arns 384/udp # A Remote Network Server System
-asa 386/tcp # ASA Message Router Object Def.
-asa 386/udp # ASA Message Router Object Def.
-aurp 387/tcp # Appletalk Update-Based Routing Pro.
-aurp 387/udp # Appletalk Update-Based Routing Pro.
-ldap 389/tcp # Lightweight Directory Access Protocol
-ldap 389/udp # Lightweight Directory Access Protocol
-uis 390/tcp # UIS
-uis 390/udp # UIS
-dis 393/tcp # Data Interpretation System
-dis 393/udp # Data Interpretation System
-netcp 395/tcp # NETscout Control Protocol
-netcp 395/udp # NETscout Control Protocol
-mptn 397/tcp # Multi Protocol Trans. Net.
-mptn 397/udp # Multi Protocol Trans. Net.
-kryptolan 398/tcp # Kryptolan
-kryptolan 398/udp # Kryptolan
-ups 401/tcp # Uninterruptible Power Supply
-ups 401/udp # Uninterruptible Power Supply
-genie 402/tcp # Genie Protocol
-genie 402/udp # Genie Protocol
-decap 403/tcp # decap
-decap 403/udp # decap
-nced 404/tcp # nced
-nced 404/udp # nced
-ncld 405/tcp # ncld
-ncld 405/udp # ncld
-imsp 406/tcp # Interactive Mail Support Protocol
-imsp 406/udp # Interactive Mail Support Protocol
-timbuktu 407/tcp # Timbuktu
-timbuktu 407/udp # Timbuktu
-decladebug 410/tcp # DECLadebug Remote Debug Protocol
-decladebug 410/udp # DECLadebug Remote Debug Protocol
-rmt 411/tcp # Remote MT Protocol
-rmt 411/udp # Remote MT Protocol
-smsp 413/tcp # SMSP
-smsp 413/udp # SMSP
-infoseek 414/tcp # InfoSeek
-infoseek 414/udp # InfoSeek
-bnet 415/tcp # BNet
-bnet 415/udp # BNet
-silverplatter 416/tcp # Silverplatter
-silverplatter 416/udp # Silverplatter
-onmux 417/tcp # Onmux
-onmux 417/udp # Onmux
-ariel1 419/tcp # Ariel
-ariel1 419/udp # Ariel
-smpte 420/tcp # SMPTE
-smpte 420/udp # SMPTE
-ariel2 421/tcp # Ariel
-ariel2 421/udp # Ariel
-ariel3 422/tcp # Ariel
-ariel3 422/udp # Ariel
-smartsdp 426/tcp # smartsdp
-smartsdp 426/udp # smartsdp
-svrloc 427/tcp # Server Location
-svrloc 427/udp # Server Location
-utmpsd 430/tcp # UTMPSD
-utmpsd 430/udp # UTMPSD
-utmpcd 431/tcp # UTMPCD
-utmpcd 431/udp # UTMPCD
-iasd 432/tcp # IASD
-iasd 432/udp # IASD
-nnsp 433/tcp # NNSP
-nnsp 433/udp # NNSP
-comscm 437/tcp # comscm
-comscm 437/udp # comscm
-dsfgw 438/tcp # dsfgw
-dsfgw 438/udp # dsfgw
-dasp 439/tcp # dasp Thomas Obermair
-dasp 439/udp # dasp tommy@inlab.m.eunet.de
-sgcp 440/tcp # sgcp
-sgcp 440/udp # sgcp
-https 443/tcp # http protocol over TLS/SSL
-https 443/udp # http protocol over TLS/SSL
-snpp 444/tcp # Simple Network Paging Protocol
-snpp 444/udp # Simple Network Paging Protocol
-tserver 450/tcp # TServer
-tserver 450/udp # TServer
-creativeserver 453/tcp # CreativeServer
-creativeserver 453/udp # CreativeServer
-contentserver 454/tcp # ContentServer
-contentserver 454/udp # ContentServer
-creativepartnr 455/tcp # CreativePartnr
-creativepartnr 455/udp # CreativePartnr
-scohelp 457/tcp # scohelp
-scohelp 457/udp # scohelp
-appleqtc 458/tcp # apple quick time
-appleqtc 458/udp # apple quick time
-skronk 460/tcp # skronk
-skronk 460/udp # skronk
-datasurfsrv 461/tcp # DataRampSrv
-datasurfsrv 461/udp # DataRampSrv
-datasurfsrvsec 462/tcp # DataRampSrvSec
-datasurfsrvsec 462/udp # DataRampSrvSec
-alpes 463/tcp # alpes
-alpes 463/udp # alpes
-kpasswd 464/tcp # kpasswd
-kpasswd 464/udp # kpasswd
-photuris 468/tcp # proturis
-photuris 468/udp # proturis
-rcp 469/tcp # Radio Control Protocol
-rcp 469/udp # Radio Control Protocol
-mondex 471/tcp # Mondex
-mondex 471/udp # Mondex
-tcp # nethaspsrv 475/tcp # tcpnethaspsrv
-tcp # nethaspsrv 475/udp # tcp # nethaspsrv
-ss7ns 477/tcp # ss7ns
-ss7ns 477/udp # ss7ns
-spsc 478/tcp # spsc
-spsc 478/udp # spsc
-iafserver 479/tcp # iafserver
-iafserver 479/udp # iafserver
-iafdbase 480/tcp # iafdbase
-iafdbase 480/udp # iafdbase
-ph 481/tcp # Ph service
-ph 481/udp # Ph service
-ulpnet 483/tcp # ulpnet
-ulpnet 483/udp # ulpnet
-powerburst 485/tcp # Air Soft Power Burst
-powerburst 485/udp # Air Soft Power Burst
-avian 486/tcp # avian
-avian 486/udp # avian
-saft 487/tcp # saft Simple Asynchronous File Transfer
-saft 487/udp # saft Simple Asynchronous File Transfer
-intecourier 495/tcp # intecourier
-intecourier 495/udp # intecourier
-dantz 497/tcp # dantz
-dantz 497/udp # dantz
-siam 498/tcp # siam
-siam 498/udp # siam
-isakmp 500/tcp # isakmp
-isakmp 500/udp # isakmp
-stmf 501/tcp # STMF
-stmf 501/udp # STMF
-intrinsa 503/tcp # Intrinsa
-intrinsa 503/udp # Intrinsa
-citadel 504/tcp # citadel
-citadel 504/udp # citadel
-ohimsrv 506/tcp # ohimsrv
-ohimsrv 506/udp # ohimsrv
-crs 507/tcp # crs
-crs 507/udp # crs
-xvttp 508/tcp # xvttp
-xvttp 508/udp # xvttp
-snare 509/tcp # snare
-snare 509/udp # snare
-fcp 510/tcp # FirstClass Protocol
-fcp 510/udp # FirstClass Protocol
-passgo 511/tcp # PassGo
-passgo 511/udp # PassGo
-exec 512/tcp # remote process execution;
-comsat 512/udp
-biff 512/udp # used by mail system to notify users
-login 513/tcp # remote login a la telnet;
-who 513/udp # maintains data bases showing who's
-shell 514/tcp # cmd
-syslog 514/udp
-printer 515/tcp # spooler
-printer 515/udp # spooler
-videotex 516/tcp # videotex
-videotex 516/udp # videotex
-talk 517/tcp # like tenex link, but across
-talk 517/udp # like tenex link, but across
-ntalk 518/tcp
-ntalk 518/udp
-utime 519/tcp # unixtime
-utime 519/udp # unixtime
-efs 520/tcp # extended file name server
-router 520/udp # local routing process (on site);
-ripng 521/tcp # ripng
-ripng 521/udp # ripng
-ulp 522/tcp # ULP
-ulp 522/udp # ULP
-ncp 524/tcp # NCP
-ncp 524/udp # NCP
-timed 525/tcp # timeserver
-timed 525/udp # timeserver
-tempo 526/tcp # newdate
-tempo 526/udp # newdate
-stx 527/tcp # Stock IXChange
-stx 527/udp # Stock IXChange
-custix 528/tcp # Customer IXChange
-custix 528/udp # Customer IXChange
-courier 530/tcp # rpc
-courier 530/udp # rpc
-conference 531/tcp # chat
-conference 531/udp # chat
-netnews 532/tcp # readnews
-netnews 532/udp # readnews
-netwall 533/tcp # for emergency broadcasts
-netwall 533/udp # for emergency broadcasts
-iiop 535/tcp # iiop
-iiop 535/udp # iiop
-nmsp 537/tcp # Networked Media Streaming Protocol
-nmsp 537/udp # Networked Media Streaming Protocol
-gdomap 538/tcp # gdomap
-gdomap 538/udp # gdomap
-uucp 540/tcp # uucpd
-uucp 540/udp # uucpd
-commerce 542/tcp # commerce
-commerce 542/udp # commerce
-klogin 543/tcp
-klogin 543/udp
-kshell 544/tcp # krcmd
-kshell 544/udp # krcmd
-appleqtcsrvr 545/tcp # appleqtcsrvr
-appleqtcsrvr 545/udp # appleqtcsrvr
-afpovertcp 548/tcp # AFP over TCP
-afpovertcp 548/udp # AFP over TCP
-idfp 549/tcp # IDFP
-idfp 549/udp # IDFP
-cybercash 551/tcp # cybercash
-cybercash 551/udp # cybercash
-deviceshare 552/tcp # deviceshare
-deviceshare 552/udp # deviceshare
-pirp 553/tcp # pirp
-pirp 553/udp # pirp
-rtsp 554/tcp # Real Time Stream Control Protocol
-rtsp 554/udp # Real Time Stream Control Protocol
-dsf 555/tcp
-dsf 555/udp
-remotefs 556/tcp # rfs server
-remotefs 556/udp # rfs server
-sdnskmp 558/tcp # SDNSKMP
-sdnskmp 558/udp # SDNSKMP
-teedtap 559/tcp # TEEDTAP
-teedtap 559/udp # TEEDTAP
-rmonitor 560/tcp # rmonitord
-rmonitor 560/udp # rmonitord
-monitor 561/tcp
-monitor 561/udp
-chshell 562/tcp # chcmd
-chshell 562/udp # chcmd
-nntps 563/tcp # nntp protocol over TLS/SSL (was snntp)
-nntps 563/udp # nntp protocol over TLS/SSL (was snntp)
-whoami 565/tcp # whoami
-whoami 565/udp # whoami
-streettalk 566/tcp # streettalk
-streettalk 566/udp # streettalk
-meter 570/tcp # demon
-meter 570/udp # demon
-meter 571/tcp # udemon
-meter 571/udp # udemon
-sonar 572/tcp # sonar
-sonar 572/udp # sonar
-vemmi 575/tcp # VEMMI
-vemmi 575/udp # VEMMI
-ipcd 576/tcp # ipcd
-ipcd 576/udp # ipcd
-vnas 577/tcp # vnas
-vnas 577/udp # vnas
-ipdd 578/tcp # ipdd
-ipdd 578/udp # ipdd
-decbsrv 579/tcp # decbsrv
-decbsrv 579/udp # decbsrv
-bdp 581/tcp # Bundle Discovery Protocol
-bdp 581/udp # Bundle Discovery Protocol
-keyserver 584/tcp # Key Server
-keyserver 584/udp # Key Server
-submission 587/tcp # Submission
-submission 587/udp # Submission
-cal 588/tcp # CAL
-cal 588/udp # CAL
-eyelink 589/tcp # EyeLink
-eyelink 589/udp # EyeLink
-tpip 594/tcp # TPIP
-tpip 594/udp # TPIP
-smsd 596/tcp # SMSD
-smsd 596/udp # SMSD
-ptcnameservice 597/tcp # PTC Name Service
-ptcnameservice 597/udp # PTC Name Service
-acp 599/tcp # Aeolon Core Protocol
-acp 599/udp # Aeolon Core Protocol
-ipcserver 600/tcp # Sun IPC server
-ipcserver 600/udp # Sun IPC server
-urm 606/tcp # Cray Unified Resource Manager
-urm 606/udp # Cray Unified Resource Manager
-nqs 607/tcp # nqs
-nqs 607/udp # nqs
-sshell 614/tcp # SSLshell
-sshell 614/udp # SSLshell
-collaborator 622/tcp # Collaborator
-collaborator 622/udp # Collaborator
-cryptoadmin 624/tcp # Crypto Admin
-cryptoadmin 624/udp # Crypto Admin
-asia 626/tcp # ASIA
-asia 626/udp # ASIA
-qmqp 628/tcp # QMQP
-qmqp 628/udp # QMQP
-rda 630/tcp # RDA
-rda 630/udp # RDA
-ipp 631/tcp # IPP (Internet Printing Protocol)
-ipp 631/udp # IPP (Internet Printing Protocol)
-bmpp 632/tcp # bmpp
-bmpp 632/udp # bmpp
-servstat 633/tcp # Service Status update (Sterling Software)
-servstat 633/udp # Service Status update (Sterling Software)
-ginad 634/tcp # ginad
-ginad 634/udp # ginad
-rlzdbase 635/tcp # RLZ DBase
-rlzdbase 635/udp # RLZ DBase
-ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
-ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
-lanserver 637/tcp # lanserver
-lanserver 637/udp # lanserver
-msdp 639/tcp # MSDP
-msdp 639/udp # MSDP
-repcmd 641/tcp # repcmd
-repcmd 641/udp # repcmd
-sanity 643/tcp # SANity
-sanity 643/udp # SANity
-dwr 644/tcp # dwr
-dwr 644/udp # dwr
-pssc 645/tcp # PSSC
-pssc 645/udp # PSSC
-ldp 646/tcp # LDP
-ldp 646/udp # LDP
-rrp 648/tcp # Registry Registrar Protocol (RRP)
-rrp 648/udp # Registry Registrar Protocol (RRP)
-aminet 649/tcp # Aminet
-aminet 649/udp # Aminet
-obex 650/tcp # OBEX
-obex 650/udp # OBEX
-repscmd 653/tcp # RepCmd
-repscmd 653/udp # RepCmd
-aodv 654/tcp # AODV
-aodv 654/udp # AODV
-tinc 655/tcp # TINC
-tinc 655/udp # TINC
-spmp 656/tcp # SPMP
-spmp 656/udp # SPMP
-mdqs 666/tcp
-mdqs 666/udp
-doom 666/tcp # doom Id Software
-doom 666/udp # doom Id Software
-disclose 667/tcp # campaign contribution disclosures - SDR Technologies
-disclose 667/udp # campaign contribution disclosures - SDR Technologies
-mecomm 668/tcp # MeComm
-mecomm 668/udp # MeComm
-meregister 669/tcp # MeRegister
-meregister 669/udp # MeRegister
-cimplex 673/tcp # CIMPLEX
-cimplex 673/udp # CIMPLEX
-acap 674/tcp # ACAP
-acap 674/udp # ACAP
-dctp 675/tcp # DCTP
-dctp 675/udp # DCTP
-vpp 677/tcp # Virtual Presence Protocol
-vpp 677/udp # Virtual Presence Protocol
-mrm 679/tcp # MRM
-mrm 679/udp # MRM
-xfr 682/tcp # XFR
-xfr 682/udp # XFR
-asipregistry 687/tcp # asipregistry
-asipregistry 687/udp # asipregistry
-elcsd 704/tcp # errlog copy/server daemon
-elcsd 704/udp # errlog copy/server daemon
-agentx 705/tcp # AgentX
-agentx 705/udp # AgentX
-netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client
-netviewdm1 729/udp # IBM NetView DM/6000 Server/Client
-netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp
-netviewdm2 730/udp # IBM NetView DM/6000 send/tcp
-netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp
-netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp
-netgw 741/tcp # netGW
-netgw 741/udp # netGW
-netrcs 742/tcp # Network based Rev. Cont. Sys.
-netrcs 742/udp # Network based Rev. Cont. Sys.
-flexlm 744/tcp # Flexible License Manager
-flexlm 744/udp # Flexible License Manager
-rfile 750/tcp
-loadav 750/udp
-pump 751/tcp
-pump 751/udp
-qrh 752/tcp
-qrh 752/udp
-rrh 753/tcp
-rrh 753/udp
-tell 754/tcp send
-tell 754/udp send
-nlogin 758/tcp
-nlogin 758/udp
-con 759/tcp
-con 759/udp
-ns 760/tcp
-ns 760/udp
-rxe 761/tcp
-rxe 761/udp
-quotad 762/tcp
-quotad 762/udp
-cycleserv 763/tcp
-cycleserv 763/udp
-omserv 764/tcp
-omserv 764/udp
-webster 765/tcp
-webster 765/udp
-phonebook 767/tcp phone
-phonebook 767/udp phone
-vid 769/tcp
-vid 769/udp
-cadlock 770/tcp
-cadlock 770/udp
-rtip 771/tcp
-rtip 771/udp
-cycleserv2 772/tcp
-cycleserv2 772/udp
-submit 773/tcp
-notify 773/udp
-rpasswd 774/tcp
-entomb 775/tcp
-wpages 776/tcp
-wpages 776/udp
-wpgs 780/tcp
-wpgs 780/udp
-concert 786/tcp # Concert
-concert 786/udp # Concert
-qsc 787/tcp # QSC
-qsc 787/udp # QSC
-device 801/tcp
-device 801/udp
-rsync 873/tcp # rsync
-rsync 873/udp # rsync
-accessbuilder 888/tcp # AccessBuilder
-accessbuilder 888/udp # AccessBuilder
-cddbp 888/tcp # CD Database Protocol
-omginitialrefs 900/tcp # OMG Initial Refs
-omginitialrefs 900/udp # OMG Initial Refs
-ftps 990/tcp # ftp protocol, control, over TLS/SSL
-ftps 990/udp # ftp protocol, control, over TLS/SSL
-nas 991/tcp # Netnews Administration System
-nas 991/udp # Netnews Administration System
-telnets 992/tcp # telnet protocol over TLS/SSL
-telnets 992/udp # telnet protocol over TLS/SSL
-imaps 993/tcp # imap4 protocol over TLS/SSL
-imaps 993/udp # imap4 protocol over TLS/SSL
-ircs 994/tcp # irc protocol over TLS/SSL
-ircs 994/udp # irc protocol over TLS/SSL
-pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3)
-pop3s 995/udp # pop3 protocol over TLS/SSL (was spop3)
-vsinet 996/tcp # vsinet
-vsinet 996/udp # vsinet
-maitrd 997/tcp
-maitrd 997/udp
-busboy 998/tcp
-puparp 998/udp
-garcon 999/tcp
-applix 999/udp # Applix ac
-puprouter 999/tcp
-puprouter 999/udp
-cadlock 1000/tcp
-ock 1000/udp
-surf 1010/tcp # surf
-surf 1010/udp # surf
-blackjack 1025/tcp # network blackjack
-blackjack 1025/udp # network blackjack
-iad1 1030/tcp # BBN IAD
-iad1 1030/udp # BBN IAD
-iad2 1031/tcp # BBN IAD
-iad2 1031/udp # BBN IAD
-iad3 1032/tcp # BBN IAD
-iad3 1032/udp # BBN IAD
-neod1 1047/tcp # Sun's NEO Object Request Broker
-neod1 1047/udp # Sun's NEO Object Request Broker
-neod2 1048/tcp # Sun's NEO Object Request Broker
-neod2 1048/udp # Sun's NEO Object Request Broker
-nim 1058/tcp # nim
-nim 1058/udp # nim
-nimreg 1059/tcp # nimreg
-nimreg 1059/udp # nimreg
-socks 1080/tcp # Socks
-socks 1080/udp # Socks
-sunclustermgr 1097/tcp # Sun Cluster Manager
-sunclustermgr 1097/udp # Sun Cluster Manager
-rmiactivation 1098/tcp # RMI Activation
-rmiactivation 1098/udp # RMI Activation
-rmiregistry 1099/tcp # RMI Registry
-rmiregistry 1099/udp # RMI Registry
-lmsocialserver 1111/tcp # LM Social Server
-lmsocialserver 1111/udp # LM Social Server
-murray 1123/tcp # Murray
-murray 1123/udp # Murray
-nfa 1155/tcp # Network File Access
-nfa 1155/udp # Network File Access
-caiccipc 1202/tcp # caiccipc
-caiccipc 1202/udp # caiccipc
-lupa 1212/tcp # lupa
-lupa 1212/udp # lupa
-nerv 1222/tcp # SNI R&D network
-nerv 1222/udp # SNI R&D network
-nmsd 1239/tcp # NMSD
-nmsd 1239/udp # NMSD
-hermes 1248/tcp
-hermes 1248/udp
-h323hostcallsc 1300/tcp # H323 Host Call Secure
-h323hostcallsc 1300/udp # H323 Host Call Secure
-husky 1310/tcp # Husky
-husky 1310/udp # Husky
-rxmon 1311/tcp # RxMon
-rxmon 1311/udp # RxMon
-pdps 1314/tcp # Photoscript Distributed Printing System
-pdps 1314/udp # Photoscript Distributed Printing System
-pip 1321/tcp # PIP
-pip 1321/udp # PIP
-vpjp 1345/tcp # VPJP
-vpjp 1345/udp # VPJP
-sbook 1349/tcp # Registration Network Protocol
-sbook 1349/udp # Registration Network Protocol
-editbench 1350/tcp # Registration Network Protocol
-editbench 1350/udp # Registration Network Protocol
-equationbuilder 1351/tcp # Digital Tool Works (MIT)
-equationbuilder 1351/udp # Digital Tool Works (MIT)
-lotusnote 1352/tcp # Lotus Note
-lotusnote 1352/udp # Lotus Note
-relief 1353/tcp # Relief Consulting
-relief 1353/udp # Relief Consulting
-rightbrain 1354/tcp # RightBrain Software
-rightbrain 1354/udp # RightBrain Software
-cuillamartin 1356/tcp # CuillaMartin Company
-cuillamartin 1356/udp # CuillaMartin Company
-pegboard 1357/tcp # Electronic PegBoard
-pegboard 1357/udp # Electronic PegBoard
-connlcli 1358/tcp # CONNLCLI
-connlcli 1358/udp # CONNLCLI
-ftsrv 1359/tcp # FTSRV
-ftsrv 1359/udp # FTSRV
-mimer 1360/tcp # MIMER
-mimer 1360/udp # MIMER
-linx 1361/tcp # LinX
-linx 1361/udp # LinX
-timeflies 1362/tcp # TimeFlies
-timeflies 1362/udp # TimeFlies
-dcs 1367/tcp # DCS
-dcs 1367/udp # DCS
-screencast 1368/tcp # ScreenCast
-screencast 1368/udp # ScreenCast
-chromagrafx 1373/tcp # Chromagrafx
-chromagrafx 1373/udp # Chromagrafx
-molly 1374/tcp # EPI Software Systems
-molly 1374/udp # EPI Software Systems
-bytex 1375/tcp # Bytex
-bytex 1375/udp # Bytex
-cichlid 1377/tcp # Cichlid License Manager
-cichlid 1377/udp # Cichlid License Manager
-elan 1378/tcp # Elan License Manager
-elan 1378/udp # Elan License Manager
-dbreporter 1379/tcp # Integrity Solutions
-dbreporter 1379/udp # Integrity Solutions
-gwha 1383/tcp # GW Hannaway Network License Manager
-gwha 1383/udp # GW Hannaway Network License Manager
-checksum 1386/tcp # CheckSum License Manager
-checksum 1386/udp # CheckSum License Manager
-hiq 1410/tcp # HiQ License Manager
-hiq 1410/udp # HiQ License Manager
-af 1411/tcp # AudioFile
-af 1411/udp # AudioFile
-innosys 1412/tcp # InnoSys
-innosys 1412/udp # InnoSys
-dbstar 1415/tcp # DBStar
-dbstar 1415/udp # DBStar
-essbase 1423/tcp # Essbase Arbor Software
-essbase 1423/udp # Essbase Arbor Software
-hybrid 1424/tcp # Hybrid Encryption Protocol
-hybrid 1424/udp # Hybrid Encryption Protocol
-sais 1426/tcp # Satellite-data Acquisition System 1
-sais 1426/udp # Satellite-data Acquisition System 1
-mloadd 1427/tcp # mloadd monitoring tool
-mloadd 1427/udp # mloadd monitoring tool
-nms 1429/tcp # Hypercom NMS
-nms 1429/udp # Hypercom NMS
-tpdu 1430/tcp # Hypercom TPDU
-tpdu 1430/udp # Hypercom TPDU
-rgtp 1431/tcp # Reverse Gossip Transport
-rgtp 1431/udp # Reverse Gossip Transport
-saism 1436/tcp # Satellite-data Acquisition System 2
-saism 1436/udp # Satellite-data Acquisition System 2
-tabula 1437/tcp # Tabula
-tabula 1437/udp # Tabula
-peport 1449/tcp # PEport
-peport 1449/udp # PEport
-dwf 1450/tcp # Tandem Distributed Workbench Facility
-dwf 1450/udp # Tandem Distributed Workbench Facility
-infoman 1451/tcp # IBM Information Management
-infoman 1451/udp # IBM Information Management
-dca 1456/tcp # DCA
-dca 1456/udp # DCA
-proshare1 1459/tcp # Proshare Notebook Application
-proshare1 1459/udp # Proshare Notebook Application
-proshare2 1460/tcp # Proshare Notebook Application
-proshare2 1460/udp # Proshare Notebook Application
-nucleus 1463/tcp # Nucleus
-nucleus 1463/udp # Nucleus
-pipes 1465/tcp # Pipes Platform
-pipes 1465/udp # Pipes Platform mfarlin@peerlogic.com
-csdmbase 1467/tcp # CSDMBASE
-csdmbase 1467/udp # CSDMBASE
-csdm 1468/tcp # CSDM
-csdm 1468/udp # CSDM
-uaiact 1470/tcp # Universal Analytics
-uaiact 1470/udp # Universal Analytics
-csdmbase 1471/tcp # csdmbase
-csdmbase 1471/udp # csdmbase
-csdm 1472/tcp # csdm
-csdm 1472/udp # csdm
-openmath 1473/tcp # OpenMath
-openmath 1473/udp # OpenMath
-telefinder 1474/tcp # Telefinder
-telefinder 1474/udp # Telefinder
-dberegister 1479/tcp # dberegister
-dberegister 1479/udp # dberegister
-pacerforum 1480/tcp # PacerForum
-pacerforum 1480/udp # PacerForum
-airs 1481/tcp # AIRS
-airs 1481/udp # AIRS
-afs 1483/tcp # AFS License Manager
-afs 1483/udp # AFS License Manager
-confluent 1484/tcp # Confluent License Manager
-confluent 1484/udp # Confluent License Manager
-lansource 1485/tcp # LANSource
-lansource 1485/udp # LANSource
-localinfosrvr 1487/tcp # LocalInfoSrvr
-localinfosrvr 1487/udp # LocalInfoSrvr
-docstor 1488/tcp # DocStor
-docstor 1488/udp # DocStor
-dmdocbroker 1489/tcp # dmdocbroker
-dmdocbroker 1489/udp # dmdocbroker
-anynetgateway 1491/tcp # anynetgateway
-anynetgateway 1491/udp # anynetgateway
-ica 1494/tcp # ica
-ica 1494/udp # ica
-cvc 1495/tcp # cvc
-cvc 1495/udp # cvc
-fhc 1499/tcp # Federico Heinz Consultora
-fhc 1499/udp # Federico Heinz Consultora
-saiscm 1501/tcp # Satellite-data Acquisition System 3
-saiscm 1501/udp # Satellite-data Acquisition System 3
-shivadiscovery 1502/tcp # Shiva
-shivadiscovery 1502/udp # Shiva
-funkproxy 1505/tcp # Funk Software, Inc.
-funkproxy 1505/udp # Funk Software, Inc.
-utcd 1506/tcp # Universal Time daemon (utcd)
-utcd 1506/udp # Universal Time daemon (utcd)
-symplex 1507/tcp # symplex
-symplex 1507/udp # symplex
-diagmond 1508/tcp # diagmond
-diagmond 1508/udp # diagmond
-wins 1512/tcp # Microsoft's Windows Internet Name Service
-wins 1512/udp # Microsoft's Windows Internet Name Service
-vpad 1516/tcp # Virtual Places Audio data
-vpad 1516/udp # Virtual Places Audio data
-vpac 1517/tcp # Virtual Places Audio control
-vpac 1517/udp # Virtual Places Audio control
-vpvd 1518/tcp # Virtual Places Video data
-vpvd 1518/udp # Virtual Places Video data
-vpvc 1519/tcp # Virtual Places Video control
-vpvc 1519/udp # Virtual Places Video control
-ingreslock 1524/tcp # ingres
-ingreslock 1524/udp # ingres
-orasrv 1525/tcp # oracle
-orasrv 1525/udp # oracle
-tlisrv 1527/tcp # oracle
-tlisrv 1527/udp # oracle
-mciautoreg 1528/tcp # micautoreg
-mciautoreg 1528/udp # micautoreg
-coauthor 1529/tcp # oracle
-coauthor 1529/udp # oracle
-miroconnect 1532/tcp # miroconnect
-miroconnect 1532/udp # miroconnect
-rds 1540/tcp # rds
-rds 1540/udp # rds
-rds2 1541/tcp # rds2
-rds2 1541/udp # rds2
-aspeclmd 1544/tcp # aspeclmd
-aspeclmd 1544/udp # aspeclmd
-abbaccuray 1546/tcp # abbaccuray
-abbaccuray 1546/udp # abbaccuray
-laplink 1547/tcp # laplink
-laplink 1547/udp # laplink
-shivahose 1549/tcp # Shiva Hose
-shivasound 1549/udp # Shiva Sound
-pciarray 1552/tcp # pciarray
-pciarray 1552/udp # pciarray
-livelan 1555/tcp # livelan
-livelan 1555/udp # livelan
-ashwin 1556/tcp # AshWin CI Tecnologies
-ashwin 1556/udp # AshWin CI Tecnologies
-xingmpeg 1558/tcp # xingmpeg
-xingmpeg 1558/udp # xingmpeg
-web2host 1559/tcp # web2host
-web2host 1559/udp # web2host
-facilityview 1561/tcp # facilityview
-facilityview 1561/udp # facilityview
-pconnectmgr 1562/tcp # pconnectmgr
-pconnectmgr 1562/udp # pconnectmgr
-winddlb 1565/tcp # WinDD
-winddlb 1565/udp # WinDD
-corelvideo 1566/tcp # CORELVIDEO
-corelvideo 1566/udp # CORELVIDEO
-jlicelmd 1567/tcp # jlicelmd
-jlicelmd 1567/udp # jlicelmd
-tsspmap 1568/tcp # tsspmap
-tsspmap 1568/udp # tsspmap
-ets 1569/tcp # ets
-ets 1569/udp # ets
-orbixd 1570/tcp # orbixd
-orbixd 1570/udp # orbixd
-oraclenames 1575/tcp # oraclenames
-oraclenames 1575/udp # oraclenames
-msims 1582/tcp # MSIMS
-msims 1582/udp # MSIMS
-simbaexpress 1583/tcp # simbaexpress
-simbaexpress 1583/udp # simbaexpress
-intv 1585/tcp # intv
-intv 1585/udp # intv
-vqp 1589/tcp # VQP
-vqp 1589/udp # VQP
-commonspace 1592/tcp # commonspace
-commonspace 1592/udp # commonspace
-sixtrak 1594/tcp # sixtrak
-sixtrak 1594/udp # sixtrak
-radio 1595/tcp # radio
-radio 1595/udp # radio
-picknfs 1598/tcp # picknfs
-picknfs 1598/udp # picknfs
-simbaservices 1599/tcp # simbaservices
-simbaservices 1599/udp # simbaservices
-issd 1600/tcp
-issd 1600/udp
-aas 1601/tcp # aas
-aas 1601/udp # aas
-inspect 1602/tcp # inspect
-inspect 1602/udp # inspect
-picodbc 1603/tcp # pickodbc
-picodbc 1603/udp # pickodbc
-icabrowser 1604/tcp # icabrowser
-icabrowser 1604/udp # icabrowser
-slp 1605/tcp # Salutation Manager (Salutation Protocol)
-slp 1605/udp # Salutation Manager (Salutation Protocol)
-stt 1607/tcp # stt
-stt 1607/udp # stt
-ill 1611/tcp # Inter Library Loan
-ill 1611/udp # Inter Library Loan
-skytelnet 1618/tcp # skytelnet
-skytelnet 1618/udp # skytelnet
-faxportwinport 1620/tcp # faxportwinport
-faxportwinport 1620/udp # faxportwinport
-softdataphone 1621/tcp # softdataphone
-softdataphone 1621/udp # softdataphone
-ontime 1622/tcp # ontime
-ontime 1622/udp # ontime
-jaleosnd 1623/tcp # jaleosnd
-jaleosnd 1623/udp # jaleosnd
-shockwave 1626/tcp # Shockwave
-shockwave 1626/udp # Shockwave
-oraclenet8cman 1630/tcp # Oracle Net8 Cman
-oraclenet8cman 1630/udp # Oracle Net8 Cman
-visitview 1631/tcp # Visit view
-visitview 1631/udp # Visit view
-pammratc 1632/tcp # PAMMRATC
-pammratc 1632/udp # PAMMRATC
-pammrpc 1633/tcp # PAMMRPC
-pammrpc 1633/udp # PAMMRPC
-loaprobe 1634/tcp # Log On America Probe
-loaprobe 1634/udp # Log On America Probe
-cncp 1636/tcp # CableNet Control Protocol
-cncp 1636/udp # CableNet Control Protocol
-cnap 1637/tcp # CableNet Admin Protocol
-cnap 1637/udp # CableNet Admin Protocol
-cnip 1638/tcp # CableNet Info Protocol
-cnip 1638/udp # CableNet Info Protocol
-invision 1641/tcp # InVision
-invision 1641/udp # InVision
-saiseh 1644/tcp # Satellite-data Acquisition System 4
-datametrics 1645/tcp # datametrics
-datametrics 1645/udp # datametrics
-rsap 1647/tcp # rsap
-rsap 1647/udp # rsap
-kermit 1649/tcp # kermit
-kermit 1649/udp # kermit
-nkd 1650/tcp # nkd
-nkd 1650/udp # nkd
-xnmp 1652/tcp # xnmp
-xnmp 1652/udp # xnmp
-stargatealerts 1654/tcp # stargatealerts
-stargatealerts 1654/udp # stargatealerts
-sixnetudr 1658/tcp # sixnetudr
-sixnetudr 1658/udp # sixnetudr
-pdp 1675/tcp # Pacific Data Products
-pdp 1675/udp # Pacific Data Products
-netcomm1 1676/tcp # netcomm1
-netcomm2 1676/udp # netcomm2
-groupwise 1677/tcp # groupwise
-groupwise 1677/udp # groupwise
-prolink 1678/tcp # prolink
-prolink 1678/udp # prolink
-snaresecure 1684/tcp # SnareSecure
-snaresecure 1684/udp # SnareSecure
-n2nremote 1685/tcp # n2nremote
-n2nremote 1685/udp # n2nremote
-cvmon 1686/tcp # cvmon
-cvmon 1686/udp # cvmon
-firefox 1689/tcp # firefox
-firefox 1689/udp # firefox
-rrirtr 1693/tcp # rrirtr
-rrirtr 1693/udp # rrirtr
-rrimwm 1694/tcp # rrimwm
-rrimwm 1694/udp # rrimwm
-rrilwm 1695/tcp # rrilwm
-rrilwm 1695/udp # rrilwm
-rrifmm 1696/tcp # rrifmm
-rrifmm 1696/udp # rrifmm
-rrisat 1697/tcp # rrisat
-rrisat 1697/udp # rrisat
-l2f 1701/tcp # l2f
-l2f 1701/udp # l2f
-l2tp 1701/tcp # l2tp
-l2tp 1701/udp # l2tp
-deskshare 1702/tcp # deskshare
-deskshare 1702/udp # deskshare
-slingshot 1705/tcp # slingshot
-slingshot 1705/udp # slingshot
-jetform 1706/tcp # jetform
-jetform 1706/udp # jetform
-vdmplay 1707/tcp # vdmplay
-vdmplay 1707/udp # vdmplay
-centra 1709/tcp # centra
-centra 1709/udp # centra
-impera 1710/tcp # impera
-impera 1710/udp # impera
-pptconference 1711/tcp # pptconference
-pptconference 1711/udp # pptconference
-registrar 1712/tcp # resource monitoring service
-registrar 1712/udp # resource monitoring service
-conferencetalk 1713/tcp # ConferenceTalk
-conferencetalk 1713/udp # ConferenceTalk
-xmsg 1716/tcp # xmsg
-xmsg 1716/udp # xmsg
-h323gatedisc 1718/tcp # h323gatedisc
-h323gatedisc 1718/udp # h323gatedisc
-h323gatestat 1719/tcp # h323gatestat
-h323gatestat 1719/udp # h323gatestat
-h323hostcall 1720/tcp # h323hostcall
-h323hostcall 1720/udp # h323hostcall
-caicci 1721/tcp # caicci
-caicci 1721/udp # caicci
-pptp 1723/tcp # pptp
-pptp 1723/udp # pptp
-csbphonemaster 1724/tcp # csbphonemaster
-csbphonemaster 1724/udp # csbphonemaster
-iberiagames 1726/tcp # IBERIAGAMES
-iberiagames 1726/udp # IBERIAGAMES
-winddx 1727/tcp # winddx
-winddx 1727/udp # winddx
-telindus 1728/tcp # TELINDUS
-telindus 1728/udp # TELINDUS
-citynl 1729/tcp # CityNL License Management
-citynl 1729/udp # CityNL License Management
-roketz 1730/tcp # roketz
-roketz 1730/udp # roketz
-msiccp 1731/tcp # MSICCP
-msiccp 1731/udp # MSICCP
-proxim 1732/tcp # proxim
-proxim 1732/udp # proxim
-siipat 1733/tcp # SIMS - SIIPAT Protocol for Alarm Transmission
-siipat 1733/udp # SIMS - SIIPAT Protocol for Alarm Transmission
-privatechat 1735/tcp # PrivateChat
-privatechat 1735/udp # PrivateChat
-ultimad 1737/tcp # ultimad
-ultimad 1737/udp # ultimad
-gamegen1 1738/tcp # GameGen1
-gamegen1 1738/udp # GameGen1
-webaccess 1739/tcp # webaccess
-webaccess 1739/udp # webaccess
-encore 1740/tcp # encore
-encore 1740/udp # encore
-sslp 1750/tcp # Simple Socket Library's PortMaster
-sslp 1750/udp # Simple Socket Library's PortMaster
-swiftnet 1751/tcp # SwiftNet
-swiftnet 1751/udp # SwiftNet
-cnhrp 1757/tcp # cnhrp
-cnhrp 1757/udp # cnhrp
-vaultbase 1771/tcp # vaultbase
-vaultbase 1771/udp # vaultbase
-kmscontrol 1773/tcp # KMSControl
-kmscontrol 1773/udp # KMSControl
-femis 1776/tcp # Federal Emergency Management Information System
-femis 1776/udp # Federal Emergency Management Information System
-powerguardian 1777/tcp # powerguardian
-powerguardian 1777/udp # powerguardian
-pharmasoft 1779/tcp # pharmasoft
-pharmasoft 1779/udp # pharmasoft
-dpkeyserv 1780/tcp # dpkeyserv
-dpkeyserv 1780/udp # dpkeyserv
-fjris 1783/tcp # Fujitsu Remote Install Service
-fjris 1783/udp # Fujitsu Remote Install Service
-windlm 1785/tcp # Wind River Systems License Manager
-windlm 1785/udp # Wind River Systems License Manager
-psmond 1788/tcp # psmond
-psmond 1788/udp # psmond
-hello 1789/tcp # hello
-hello 1789/udp # hello
-nmsp 1790/tcp # Narrative Media Streaming Protocol
-nmsp 1790/udp # Narrative Media Streaming Protocol
-ea1 1791/tcp # EA1
-ea1 1791/udp # EA1
-uma 1797/tcp # UMA
-uma 1797/udp # UMA
-etp 1798/tcp # Event Transfer Protocol
-etp 1798/udp # Event Transfer Protocol
-netrisk 1799/tcp # NETRISK
-netrisk 1799/udp # NETRISK
-msmq 1801/tcp # Microsoft Message Que
-msmq 1801/udp # Microsoft Message Que
-concomp1 1802/tcp # ConComp1
-concomp1 1802/udp # ConComp1
-enl 1804/tcp # ENL
-enl 1804/udp # ENL
-musiconline 1806/tcp # Musiconline
-musiconline 1806/udp # Musiconline
-fhsp 1807/tcp # Fujitsu Hot Standby Protocol
-fhsp 1807/udp # Fujitsu Hot Standby Protocol
-radius 1812/tcp # RADIUS
-radius 1812/udp # RADIUS
-mmpft 1815/tcp # MMPFT
-mmpft 1815/udp # MMPFT
-harp 1816/tcp # HARP
-harp 1816/udp # HARP
-etftp 1818/tcp # Enhanced Trivial File Transfer Protocol
-etftp 1818/udp # Enhanced Trivial File Transfer Protocol
-mcagent 1820/tcp # mcagent
-mcagent 1820/udp # mcagent
-donnyworld 1821/tcp # donnyworld
-donnyworld 1821/udp # donnyworld
-ardt 1826/tcp # ARDT
-ardt 1826/udp # ARDT
-asi 1827/tcp # ASI
-asi 1827/udp # ASI
-myrtle 1831/tcp # Myrtle
-myrtle 1831/udp # Myrtle
-udp # radio 1833/tcp # udp # radio
-udp # radio 1833/udp # udpradio
-ardusuni 1834/tcp # ARDUS Unicast
-ardusuni 1834/udp # ARDUS Unicast
-ardusmul 1835/tcp # ARDUS Multicast
-ardusmul 1835/udp # ARDUS Multicast
-csoft1 1837/tcp # csoft1
-csoft1 1837/udp # csoft1
-talnet 1838/tcp # TALNET
-talnet 1838/udp # TALNET
-gsi 1850/tcp # GSI
-gsi 1850/udp # GSI
-ctcd 1851/tcp # ctcd
-ctcd 1851/udp # ctcd
-msnp 1863/tcp # MSNP
-msnp 1863/udp # MSNP
-entp 1865/tcp # ENTP
-entp 1865/udp # ENTP
-canocentral0 1871/tcp # Cano Central 0
-canocentral0 1871/udp # Cano Central 0
-canocentral1 1872/tcp # Cano Central 1
-canocentral1 1872/udp # Cano Central 1
-fjmpjps 1873/tcp # Fjmpjps
-fjmpjps 1873/udp # Fjmpjps
-fjswapsnp 1874/tcp # Fjswapsnp
-fjswapsnp 1874/udp # Fjswapsnp
-mc2studios 1899/tcp # MC2Studios
-mc2studios 1899/udp # MC2Studios
-linkname 1903/tcp # Local Link Name Resolution
-linkname 1903/udp # Local Link Name Resolution
-sugp 1905/tcp # Secure UP.Link Gateway Protocol
-sugp 1905/udp # Secure UP.Link Gateway Protocol
-tpmd 1906/tcp # TPortMapperReq
-tpmd 1906/udp # TPortMapperReq
-intrastar 1907/tcp # IntraSTAR
-intrastar 1907/udp # IntraSTAR
-dawn 1908/tcp # Dawn
-dawn 1908/udp # Dawn
-ultrabac 1910/tcp # ultrabac
-ultrabac 1910/udp # ultrabac
-mtp 1911/tcp # Starlight Networks Multimedia Transport Protocol
-mtp 1911/udp # Starlight Networks Multimedia Transport Protocol
-armadp 1913/tcp # armadp
-armadp 1913/udp # armadp
-facelink 1915/tcp # FACELINK
-facelink 1915/udp # FACELINK
-persona 1916/tcp # Persoft Persona
-persona 1916/udp # Persoft Persona
-noagent 1917/tcp # nOAgent
-noagent 1917/udp # nOAgent
-noadmin 1921/tcp # NoAdmin
-noadmin 1921/udp # NoAdmin
-tapestry 1922/tcp # Tapestry
-tapestry 1922/udp # Tapestry
-spice 1923/tcp # SPICE
-spice 1923/udp # SPICE
-xiip 1924/tcp # XIIP
-xiip 1924/udp # XIIP
-tekpls 1946/tcp # tekpls
-tekpls 1946/udp # tekpls
-hlserver 1947/tcp # hlserver
-hlserver 1947/udp # hlserver
-eye2eye 1948/tcp # eye2eye
-eye2eye 1948/udp # eye2eye
-ismaeasdaqlive 1949/tcp # ISMA Easdaq Live
-ismaeasdaqlive 1949/udp # ISMA Easdaq Live
-ismaeasdaqtest 1950/tcp # ISMA Easdaq Test
-ismaeasdaqtest 1950/udp # ISMA Easdaq Test
-mpnjsc 1952/tcp # mpnjsc
-mpnjsc 1952/udp # mpnjsc
-rapidbase 1953/tcp # Rapid Base
-rapidbase 1953/udp # Rapid Base
-dlsrap 1973/tcp # Data Link Switching Remote Access Protocol
-dlsrap 1973/udp # Data Link Switching Remote Access Protocol
-bb 1984/tcp # BB
-bb 1984/udp # BB
-hsrp 1985/tcp # Hot Standby Router Protocol
-hsrp 1985/udp # Hot Standby Router Protocol
-licensedaemon 1986/tcp # cisco license management
-licensedaemon 1986/udp # cisco license management
-mshnet 1989/tcp # MHSnet system
-mshnet 1989/udp # MHSnet system
-ipsendmsg 1992/tcp # IPsendmsg
-ipsendmsg 1992/udp # IPsendmsg
-callbook 2000/tcp
-callbook 2000/udp
-dc 2001/tcp
-wizard 2001/udp # curry
-globe 2002/tcp
-globe 2002/udp
-mailbox 2004/tcp
-emce 2004/udp # CCWS mm conf
-berknet 2005/tcp
-oracle 2005/udp
-invokator 2006/tcp
-dectalk 2007/tcp
-conf 2008/tcp
-terminaldb 2008/udp
-news 2009/tcp
-whosockami 2009/udp
-search 2010/tcp
-servserv 2011/udp
-ttyinfo 2012/tcp
-troff 2014/tcp
-cypress 2015/tcp
-bootserver 2016/tcp
-bootserver 2016/udp
-bootclient 2017/udp
-terminaldb 2018/tcp
-rellpack 2018/udp
-whosockami 2019/tcp
-about 2019/udp
-xinupageserver 2020/tcp
-xinupageserver 2020/udp
-servexec 2021/tcp
-xinuexpansion1 2021/udp
-down 2022/tcp
-xinuexpansion2 2022/udp
-xinuexpansion3 2023/tcp
-xinuexpansion3 2023/udp
-xinuexpansion4 2024/tcp
-xinuexpansion4 2024/udp
-ellpack 2025/tcp
-xribs 2025/udp
-scrabble 2026/tcp
-scrabble 2026/udp
-shadowserver 2027/tcp
-shadowserver 2027/udp
-submitserver 2028/tcp
-submitserver 2028/udp
-device2 2030/tcp
-device2 2030/udp
-blackboard 2032/tcp
-blackboard 2032/udp
-glogger 2033/tcp
-glogger 2033/udp
-scoremgr 2034/tcp
-scoremgr 2034/udp
-imsldoc 2035/tcp
-imsldoc 2035/udp
-objectmanager 2038/tcp
-objectmanager 2038/udp
-lam 2040/tcp
-lam 2040/udp
-interbase 2041/tcp
-interbase 2041/udp
-isis 2042/tcp # isis
-isis 2042/udp # isis
-rimsl 2044/tcp
-rimsl 2044/udp
-cdfunc 2045/tcp
-cdfunc 2045/udp
-sdfunc 2046/tcp
-sdfunc 2046/udp
-dls 2047/tcp
-dls 2047/udp
-shilp 2049/tcp
-shilp 2049/udp
-nfs 2049/tcp # Network File System - Sun Microsystems
-nfs 2049/udp # Network File System - Sun Microsystems
-dlsrpn 2065/tcp # Data Link Switch Read Port Number
-dlsrpn 2065/udp # Data Link Switch Read Port Number
-dlswpn 2067/tcp # Data Link Switch Write Port Number
-dlswpn 2067/udp # Data Link Switch Write Port Number
-lrp 2090/tcp # Load Report Protocol
-lrp 2090/udp # Load Report Protocol
-prp 2091/tcp # PRP
-prp 2091/udp # PRP
-descent3 2092/tcp # Descent 3
-descent3 2092/udp # Descent 3
-jetformpreview 2097/tcp # Jet Form Preview
-jetformpreview 2097/udp # Jet Form Preview
-amiganetfs 2100/tcp # amiganetfs
-amiganetfs 2100/udp # amiganetfs
-minipay 2105/tcp # MiniPay
-minipay 2105/udp # MiniPay
-mzap 2106/tcp # MZAP
-mzap 2106/udp # MZAP
-comcam 2108/tcp # Comcam
-comcam 2108/udp # Comcam
-ergolight 2109/tcp # Ergolight
-ergolight 2109/udp # Ergolight
-ici 2200/tcp # ICI
-ici 2200/udp # ICI
-ats 2201/tcp # Advanced Training System Program
-ats 2201/udp # Advanced Training System Program
-kali 2213/tcp # Kali
-kali 2213/udp # Kali
-ganymede 2220/tcp # Ganymede
-ganymede 2220/udp # Ganymede
-infocrypt 2233/tcp # INFOCRYPT
-infocrypt 2233/udp # INFOCRYPT
-directplay 2234/tcp # DirectPlay
-directplay 2234/udp # DirectPlay
-nani 2236/tcp # Nani
-nani 2236/udp # Nani
-imagequery 2239/tcp # Image Query
-imagequery 2239/udp # Image Query
-recipe 2240/tcp # RECIPe
-recipe 2240/udp # RECIPe
-ivsd 2241/tcp # IVS Daemon
-ivsd 2241/udp # IVS Daemon
-foliocorp 2242/tcp # Folio Remote Server
-foliocorp 2242/udp # Folio Remote Server
-magicom 2243/tcp # Magicom Protocol
-magicom 2243/udp # Magicom Protocol
-nmsserver 2244/tcp # NMS Server
-nmsserver 2244/udp # NMS Server
-hao 2245/tcp # HaO
-hao 2245/udp # HaO
-xmquery 2279/tcp # xmquery
-xmquery 2279/udp # xmquery
-lnvpoller 2280/tcp # LNVPOLLER
-lnvpoller 2280/udp # LNVPOLLER
-lnvconsole 2281/tcp # LNVCONSOLE
-lnvconsole 2281/udp # LNVCONSOLE
-lnvalarm 2282/tcp # LNVALARM
-lnvalarm 2282/udp # LNVALARM
-lnvstatus 2283/tcp # LNVSTATUS
-lnvstatus 2283/udp # LNVSTATUS
-lnvmaps 2284/tcp # LNVMAPS
-lnvmaps 2284/udp # LNVMAPS
-lnvmailmon 2285/tcp # LNVMAILMON
-lnvmailmon 2285/udp # LNVMAILMON
-dna 2287/tcp # DNA
-dna 2287/udp # DNA
-netml 2288/tcp # NETML
-netml 2288/udp # NETML
-cvmmon 2300/tcp # CVMMON
-cvmmon 2300/udp # CVMMON
-binderysupport 2302/tcp # Bindery Support
-binderysupport 2302/udp # Bindery Support
-pehelp 2307/tcp # pehelp
-pehelp 2307/udp # pehelp
-sdhelp 2308/tcp # sdhelp
-sdhelp 2308/udp # sdhelp
-sdserver 2309/tcp # SD Server
-sdserver 2309/udp # SD Server
-sdclient 2310/tcp # SD Client
-sdclient 2310/udp # SD Client
-messageservice 2311/tcp # Message Service
-messageservice 2311/udp # Message Service
-iapp 2313/tcp # IAPP (Inter Access Point Protocol)
-iapp 2313/udp # IAPP (Inter Access Point Protocol)
-cadencecontrol 2318/tcp # Cadence Control
-cadencecontrol 2318/udp # Cadence Control
-infolibria 2319/tcp # InfoLibria
-infolibria 2319/udp # InfoLibria
-rdlap 2321/tcp # RDLAP over UDP
-rdlap 2321/udp # RDLAP
-ofsd 2322/tcp # ofsd
-ofsd 2322/udp # ofsd
-cosmocall 2324/tcp # Cosmocall
-cosmocall 2324/udp # Cosmocall
-idcp 2326/tcp # IDCP
-idcp 2326/udp # IDCP
-xingcsm 2327/tcp # xingcsm
-xingcsm 2327/udp # xingcsm
-nvd 2329/tcp # NVD
-nvd 2329/udp # NVD
-tscchat 2330/tcp # TSCCHAT
-tscchat 2330/udp # TSCCHAT
-agentview 2331/tcp # AGENTVIEW
-agentview 2331/udp # AGENTVIEW
-snapp 2333/tcp # SNAPP
-snapp 2333/udp # SNAPP
-appleugcontrol 2336/tcp # Apple UG Control
-appleugcontrol 2336/udp # Apple UG Control
-ideesrv 2337/tcp # ideesrv
-ideesrv 2337/udp # ideesrv
-xiostatus 2341/tcp # XIO Status
-xiostatus 2341/udp # XIO Status
-fcmsys 2344/tcp # fcmsys
-fcmsys 2344/udp # fcmsys
-dbm 2345/tcp # dbm
-dbm 2345/udp # dbm
-psbserver 2350/tcp # psbserver
-psbserver 2350/udp # psbserver
-psrserver 2351/tcp # psrserver
-psrserver 2351/udp # psrserver
-pslserver 2352/tcp # pslserver
-pslserver 2352/udp # pslserver
-pspserver 2353/tcp # pspserver
-pspserver 2353/udp # pspserver
-psprserver 2354/tcp # psprserver
-psprserver 2354/udp # psprserver
-psdbserver 2355/tcp # psdbserver
-psdbserver 2355/udp # psdbserver
-gxtelmd 2356/tcp # GXT License Managemant
-gxtelmd 2356/udp # GXT License Managemant
-futrix 2358/tcp # Futrix
-futrix 2358/udp # Futrix
-flukeserver 2359/tcp # FlukeServer
-flukeserver 2359/udp # FlukeServer
-nexstorindltd 2360/tcp # NexstorIndLtd
-nexstorindltd 2360/udp # NexstorIndLtd
-tl1 2361/tcp # TL1
-tl1 2361/udp # TL1
-ovsessionmgr 2389/tcp # OpenView Session Mgr
-ovsessionmgr 2389/udp # OpenView Session Mgr
-rsmtp 2390/tcp # RSMTP
-rsmtp 2390/udp # RSMTP
-tacticalauth 2392/tcp # Tactical Auth
-tacticalauth 2392/udp # Tactical Auth
-wusage 2396/tcp # Wusage
-wusage 2396/udp # Wusage
-ncl 2397/tcp # NCL
-ncl 2397/udp # NCL
-orbiter 2398/tcp # Orbiter
-orbiter 2398/udp # Orbiter
-cvspserver 2401/tcp # cvspserver
-cvspserver 2401/udp # cvspserver
-taskmaster2000 2402/tcp # TaskMaster 2000 Server
-taskmaster2000 2402/udp # TaskMaster 2000 Server
-taskmaster2000 2403/tcp # TaskMaster 2000 Web
-taskmaster2000 2403/udp # TaskMaster 2000 Web
-jediserver 2406/tcp # JediServer
-jediserver 2406/udp # JediServer
-orion 2407/tcp # Orion
-orion 2407/udp # Orion
-optimanet 2408/tcp # OptimaNet
-optimanet 2408/udp # OptimaNet
-cdn 2412/tcp # CDN
-cdn 2412/udp # CDN
-interlingua 2414/tcp # Interlingua
-interlingua 2414/udp # Interlingua
-comtest 2415/tcp # COMTEST
-comtest 2415/udp # COMTEST
-rmtserver 2416/tcp # RMT Server
-rmtserver 2416/udp # RMT Server
-cas 2418/tcp # cas
-cas 2418/udp # cas
-crmsbits 2422/tcp # CRMSBITS
-crmsbits 2422/udp # CRMSBITS
-rnrp 2423/tcp # RNRP
-rnrp 2423/udp # RNRP
-fjitsuappmgr 2425/tcp # Fujitsu App Manager
-fjitsuappmgr 2425/udp # Fujitsu App Manager
-applianttcp 2426/tcp # Appliant TCP
-appliantudp 2426/udp # Appliant UDP
-stgcp 2427/tcp # Simple telephony Gateway Control Protocol
-stgcp 2427/udp # Simple telephony Gateway Control Protocol
-ott 2428/tcp # One Way Trip Time
-ott 2428/udp # One Way Trip Time
-venus 2430/tcp # venus
-venus 2430/udp # venus
-codasrv 2432/tcp # codasrv
-codasrv 2432/udp # codasrv
-optilogic 2435/tcp # OptiLogic
-optilogic 2435/udp # OptiLogic
-topx 2436/tcp # TOP/X
-topx 2436/udp # TOP/X
-unicontrol 2437/tcp # UniControl
-unicontrol 2437/udp # UniControl
-msp 2438/tcp # MSP
-msp 2438/udp # MSP
-sybasedbsynch 2439/tcp # SybaseDBSynch
-sybasedbsynch 2439/udp # SybaseDBSynch
-spearway 2440/tcp # Spearway Lockers
-spearway 2440/udp # Spearway Lockser
-netangel 2442/tcp # Netangel
-netangel 2442/udp # Netangel
-powerclientcsf 2443/tcp # PowerClient Central Storage Facility
-powerclientcsf 2443/udp # PowerClient Central Storage Facility
-btpp2sectrans 2444/tcp # BT PP2 Sectrans
-btpp2sectrans 2444/udp # BT PP2 Sectrans
-dtn1 2445/tcp # DTN1
-dtn1 2445/udp # DTN1
-ovwdb 2447/tcp # OpenView NNM daemon
-ovwdb 2447/udp # OpenView NNM daemon
-hpppssvr 2448/tcp # hpppsvr
-hpppssvr 2448/udp # hpppsvr
-ratl 2449/tcp # RATL
-ratl 2449/udp # RATL
-netadmin 2450/tcp # netadmin
-netadmin 2450/udp # netadmin
-netchat 2451/tcp # netchat
-netchat 2451/udp # netchat
-snifferclient 2452/tcp # SnifferClient
-snifferclient 2452/udp # SnifferClient
-griffin 2458/tcp # griffin
-griffin 2458/udp # griffin
-community 2459/tcp # Community
-community 2459/udp # Community
-qadmifoper 2461/tcp # qadmifoper
-qadmifoper 2461/udp # qadmifoper
-qadmifevent 2462/tcp # qadmifevent
-qadmifevent 2462/udp # qadmifevent
-lbm 2465/tcp # Load Balance Management
-lbm 2465/udp # Load Balance Management
-lbf 2466/tcp # Load Balance Forwarding
-lbf 2466/udp # Load Balance Forwarding
-seaodbc 2471/tcp # SeaODBC
-seaodbc 2471/udp # SeaODBC
-c3 2472/tcp # C3
-c3 2472/udp # C3
-vitalanalysis 2474/tcp # Vital Analysis
-vitalanalysis 2474/udp # Vital Analysis
-lingwood 2480/tcp # Lingwood's Detail
-lingwood 2480/udp # Lingwood's Detail
-giop 2481/tcp # Oracle GIOP
-giop 2481/udp # Oracle GIOP
-ttc 2483/tcp # Oracle TTC
-ttc 2483/udp # Oracel TTC
-netobjects1 2485/tcp # Net Objects1
-netobjects1 2485/udp # Net Objects1
-netobjects2 2486/tcp # Net Objects2
-netobjects2 2486/udp # Net Objects2
-pns 2487/tcp # Policy Notice Service
-pns 2487/udp # Policy Notice Service
-tsilb 2489/tcp # TSILB
-tsilb 2489/udp # TSILB
-groove 2492/tcp # GROOVE
-groove 2492/udp # GROOVE
-dirgis 2496/tcp # DIRGIS
-dirgis 2496/udp # DIRGIS
-quaddb 2497/tcp # Quad DB
-quaddb 2497/udp # Quad DB
-unicontrol 2499/tcp # UniControl
-unicontrol 2499/udp # UniControl
-rtsserv 2500/tcp # Resource Tracking system server
-rtsserv 2500/udp # Resource Tracking system server
-rtsclient 2501/tcp # Resource Tracking system client
-rtsclient 2501/udp # Resource Tracking system client
-wlbs 2504/tcp # WLBS
-wlbs 2504/udp # WLBS
-jbroker 2506/tcp # jbroker
-jbroker 2506/udp # jbroker
-spock 2507/tcp # spock
-spock 2507/udp # spock
-datastore 2508/tcp # datastore
-datastore 2508/udp # datastore
-fjmpss 2509/tcp # fjmpss
-fjmpss 2509/udp # fjmpss
-fjappmgrbulk 2510/tcp # fjappmgrbulk
-fjappmgrbulk 2510/udp # fjappmgrbulk
-metastorm 2511/tcp # Metastorm
-metastorm 2511/udp # Metastorm
-citrixima 2512/tcp # Citrix IMA
-citrixima 2512/udp # Citrix IMA
-citrixadmin 2513/tcp # Citrix ADMIN
-citrixadmin 2513/udp # Citrix ADMIN
-maincontrol 2516/tcp # Main Control
-maincontrol 2516/udp # Main Control
-willy 2518/tcp # Willy
-willy 2518/udp # Willy
-globmsgsvc 2519/tcp # globmsgsvc
-globmsgsvc 2519/udp # globmsgsvc
-pvsw 2520/tcp # pvsw
-pvsw 2520/udp # pvsw
-adaptecmgr 2521/tcp # Adaptec Manager
-adaptecmgr 2521/udp # Adaptec Manager
-windb 2522/tcp # WinDb
-windb 2522/udp # WinDb
-iqserver 2527/tcp # IQ Server
-iqserver 2527/udp # IQ Server
-utsftp 2529/tcp # UTS FTP
-utsftp 2529/udp # UTS FTP
-vrcommerce 2530/tcp # VR Commerce
-vrcommerce 2530/udp # VR Commerce
-ovtopmd 2532/tcp # OVTOPMD
-ovtopmd 2532/udp # OVTOPMD
-snifferserver 2533/tcp # SnifferServer
-snifferserver 2533/udp # SnifferServer
-mdhcp 2535/tcp # MDHCP
-mdhcp 2535/udp # MDHCP
-btpp2audctr1 2536/tcp # btpp2audctr1
-btpp2audctr1 2536/udp # btpp2audctr1
-upgrade 2537/tcp # Upgrade Protocol
-upgrade 2537/udp # Upgrade Protocol
-vsiadmin 2539/tcp # VSI Admin
-vsiadmin 2539/udp # VSI Admin
-lonworks 2540/tcp # LonWorks
-lonworks 2540/udp # LonWorks
-lonworks2 2541/tcp # LonWorks2
-lonworks2 2541/udp # LonWorks2
-davinci 2542/tcp # daVinci
-davinci 2542/udp # daVinci
-reftek 2543/tcp # REFTEK
-reftek 2543/udp # REFTEK
-vytalvaultbrtp 2546/tcp # vytalvaultbrtp
-vytalvaultbrtp 2546/udp # vytalvaultbrtp
-vytalvaultvsmp 2547/tcp # vytalvaultvsmp
-vytalvaultvsmp 2547/udp # vytalvaultvsmp
-vytalvaultpipe 2548/tcp # vytalvaultpipe
-vytalvaultpipe 2548/udp # vytalvaultpipe
-ipass 2549/tcp # IPASS
-ipass 2549/udp # IPASS
-ads 2550/tcp # ADS
-ads 2550/udp # ADS
-efidiningport 2553/tcp # efidiningport
-efidiningport 2553/udp # efidiningport
-pclemultimedia 2558/tcp # PCLE Multi Media
-pclemultimedia 2558/udp # PCLE Multi Media
-lstp 2559/tcp # LSTP
-lstp 2559/udp # LSTP
-labrat 2560/tcp # labrat
-labrat 2560/udp # labrat
-mosaixcc 2561/tcp # MosaixCC
-mosaixcc 2561/udp # MosaixCC
-delibo 2562/tcp # Delibo
-delibo 2562/udp # Delibo
-clp 2567/tcp # Cisco Line Protocol
-clp 2567/udp # Cisco Line Protocol
-spamtrap 2568/tcp # SPAM TRAP
-spamtrap 2568/udp # SPAM TRAP
-sonuscallsig 2569/tcp # Sonus Call Signal
-sonuscallsig 2569/udp # Sonus Call Signal
-cecsvc 2571/tcp # CECSVC
-cecsvc 2571/udp # CECSVC
-ibp 2572/tcp # IBP
-ibp 2572/udp # IBP
-trustestablish 2573/tcp # Trust Establish
-trustestablish 2573/udp # Trust Establish
-hl7 2575/tcp # HL7
-hl7 2575/udp # HL7
-tclprodebugger 2576/tcp # TCL Pro Debugger
-tclprodebugger 2576/udp # TCL Pro Debugger
-scipticslsrvr 2577/tcp # Scriptics Lsrvr
-scipticslsrvr 2577/udp # Scriptics Lsrvr
-mpfoncl 2579/tcp # mpfoncl
-mpfoncl 2579/udp # mpfoncl
-tributary 2580/tcp # Tributary
-tributary 2580/udp # Tributary
-mon 2583/tcp # MON
-mon 2583/udp # MON
-cyaserv 2584/tcp # cyaserv
-cyaserv 2584/udp # cyaserv
-masc 2587/tcp # MASC
-masc 2587/udp # MASC
-privilege 2588/tcp # Privilege
-privilege 2588/udp # Privilege
-idotdist 2590/tcp # idotdist
-idotdist 2590/udp # idotdist
-maytagshuffle 2591/tcp # Maytag Shuffle
-maytagshuffle 2591/udp # Maytag Shuffle
-netrek 2592/tcp # netrek
-netrek 2592/udp # netrek
-dts 2594/tcp # Data Base Server
-dts 2594/udp # Data Base Server
-worldfusion1 2595/tcp # World Fusion 1
-worldfusion1 2595/udp # World Fusion 1
-worldfusion2 2596/tcp # World Fusion 2
-worldfusion2 2596/udp # World Fusion 2
-homesteadglory 2597/tcp # Homestead Glory
-homesteadglory 2597/udp # Homestead Glory
-citriximaclient 2598/tcp # Citrix MA Client
-citriximaclient 2598/udp # Citrix MA Client
-meridiandata 2599/tcp # Meridian Data
-meridiandata 2599/udp # Meridian Data
-hpstgmgr 2600/tcp # HPSTGMGR
-hpstgmgr 2600/udp # HPSTGMGR
-servicemeter 2603/tcp # Service Meter
-servicemeter 2603/udp # Service Meter
-netmon 2606/tcp # Dell Netmon
-netmon 2606/udp # Dell Netmon
-connection 2607/tcp # Dell Connection
-connection 2607/udp # Dell Connection
-lionhead 2611/tcp # LIONHEAD
-lionhead 2611/udp # LIONHEAD
-smntubootstrap 2613/tcp # SMNTUBootstrap
-smntubootstrap 2613/udp # SMNTUBootstrap
-neveroffline 2614/tcp # Never Off Line
-neveroffline 2614/udp # Never Off Line
-firepower 2615/tcp # firepower
-firepower 2615/udp # firepower
-cmadmin 2617/tcp # Clinical Context Managers
-cmadmin 2617/udp # Clinical Context Managers
-bruce 2619/tcp # bruce
-bruce 2619/udp # bruce
-lpsrecommender 2620/tcp # LPSRecommender
-lpsrecommender 2620/udp # LPSRecommender
-dict 2628/tcp # DICT
-dict 2628/udp # DICT
-sitaraserver 2629/tcp # Sitara Server
-sitaraserver 2629/udp # Sitara Server
-sitaramgmt 2630/tcp # Sitara Management
-sitaramgmt 2630/udp # Sitara Management
-sitaradir 2631/tcp # Sitara Dir
-sitaradir 2631/udp # Sitara Dir
-interintelli 2633/tcp # InterIntelli
-interintelli 2633/udp # InterIntelli
-backburner 2635/tcp # Back Burner
-backburner 2635/udp # Back Burner
-solve 2636/tcp # Solve
-solve 2636/udp # Solve
-imdocsvc 2637/tcp # Import Document Service
-imdocsvc 2637/udp # Import Document Service
-sybaseanywhere 2638/tcp # Sybase Anywhere
-sybaseanywhere 2638/udp # Sybase Anywhere
-aminet 2639/tcp # AMInet
-aminet 2639/udp # AMInet
-tragic 2642/tcp # Tragic
-tragic 2642/udp # Tragic
-syncserver 2647/tcp # SyncServer
-syncserver 2647/udp # SyncServer
-upsnotifyprot 2648/tcp # Upsnotifyprot
-upsnotifyprot 2648/udp # Upsnotifyprot
-vpsipport 2649/tcp # VPSIPPORT
-vpsipport 2649/udp # VPSIPPORT
-eristwoguns 2650/tcp # eristwoguns
-eristwoguns 2650/udp # eristwoguns
-ebinsite 2651/tcp # EBInSite
-ebinsite 2651/udp # EBInSite
-interpathpanel 2652/tcp # InterPathPanel
-interpathpanel 2652/udp # InterPathPanel
-sonus 2653/tcp # Sonus
-sonus 2653/udp # Sonus
-unglue 2655/tcp # UNIX Nt Glue
-unglue 2655/udp # UNIX Nt Glue
-kana 2656/tcp # Kana
-kana 2656/udp # Kana
-gcmonitor 2660/tcp # GC Monitor
-gcmonitor 2660/udp # GC Monitor
-olhost 2661/tcp # OLHOST
-olhost 2661/udp # OLHOST
-extensis 2666/tcp # extensis
-extensis 2666/udp # extensis
-toad 2669/tcp # TOAD
-toad 2669/udp # TOAD
-newlixreg 2671/tcp # newlixreg
-newlixreg 2671/udp # newlixreg
-nhserver 2672/tcp # nhserver
-nhserver 2672/udp # nhserver
-firstcall42 2673/tcp # First Call 42
-firstcall42 2673/udp # First Call 42
-ewnn 2674/tcp # ewnn
-ewnn 2674/udp # ewnn
-simslink 2676/tcp # SIMSLink
-simslink 2676/udp # SIMSLink
-gadgetgate1way 2677/tcp # Gadget Gate 1 Way
-gadgetgate1way 2677/udp # Gadget Gate 1 Way
-gadgetgate2way 2678/tcp # Gadget Gate 2 Way
-gadgetgate2way 2678/udp # Gadget Gate 2 Way
-syncserverssl 2679/tcp # Sync Server SSL
-syncserverssl 2679/udp # Sync Server SSL
-mpnjsomb 2681/tcp # mpnjsomb
-mpnjsomb 2681/udp # mpnjsomb
-srsp 2682/tcp # SRSP
-srsp 2682/udp # SRSP
-ncdloadbalance 2683/tcp # NCDLoadBalance
-ncdloadbalance 2683/udp # NCDLoadBalance
-mpnjsosv 2684/tcp # mpnjsosv
-mpnjsosv 2684/udp # mpnjsosv
-mpnjsocl 2685/tcp # mpnjsocl
-mpnjsocl 2685/udp # mpnjsocl
-mpnjsomg 2686/tcp # mpnjsomg
-mpnjsomg 2686/udp # mpnjsomg
-fastlynx 2689/tcp # FastLynx
-fastlynx 2689/udp # FastLynx
-tqdata 2700/tcp # tqdata
-tqdata 2700/udp # tqdata
-piccolo 2787/tcp # piccolo - Cornerstone Software
-piccolo 2787/udp # piccolo - Cornerstone Software
-fryeserv 2788/tcp # NetWare Loadable Module - Seagate Software
-fryeserv 2788/udp # NetWare Loadable Module - Seagate Software
-mao 2908/tcp # mao
-mao 2908/udp # mao
-tdaccess 2910/tcp # TDAccess
-tdaccess 2910/udp # TDAccess
-blockade 2911/tcp # Blockade
-blockade 2911/udp # Blockade
-epicon 2912/tcp # Epicon
-epicon 2912/udp # Epicon
-boosterware 2913/tcp # Booster Ware
-boosterware 2913/udp # Booster Ware
-gamelobby 2914/tcp # Game Lobby
-gamelobby 2914/udp # Game Lobby
-tksocket 2915/tcp # TK Socket
-tksocket 2915/udp # TK Socket
-kastenchasepad 2918/tcp # Kasten Chase Pad
-kastenchasepad 2918/udp # Kasten Chase Pad
-netclip 2971/tcp # Net Clip
-netclip 2971/udp # Net Clip
-svnetworks 2973/tcp # SV Networks
-svnetworks 2973/udp # SV Networks
-signal 2974/tcp # Signal
-signal 2974/udp # Signal
-fjmpcm 2975/tcp # Fujitsu Configuration Management Service
-fjmpcm 2975/udp # Fujitsu Configuration Management Service
-realsecure 2998/tcp # Real Secure
-realsecure 2998/udp # Real Secure
-hbci 3000/tcp # HBCI
-hbci 3000/udp # HBCI
-cgms 3003/tcp # CGMS
-cgms 3003/udp # CGMS
-csoftragent 3004/tcp # Csoft Agent
-csoftragent 3004/udp # Csoft Agent
-geniuslm 3005/tcp # Genius License Manager
-geniuslm 3005/udp # Genius License Manager
-lotusmtap 3007/tcp # Lotus Mail Tracking Agent Protocol
-lotusmtap 3007/udp # Lotus Mail Tracking Agent Protocol
-gw 3010/tcp # Telerate Workstation
-twsdss 3012/tcp # Trusted Web Client
-twsdss 3012/udp # Trusted Web Client
-gilatskysurfer 3013/tcp # Gilat Sky Surfer
-gilatskysurfer 3013/udp # Gilat Sky Surfer
-cifs 3020/tcp # CIFS
-cifs 3020/udp # CIFS
-agriserver 3021/tcp # AGRI Server
-agriserver 3021/udp # AGRI Server
-csregagent 3022/tcp # CSREGAGENT
-csregagent 3022/udp # CSREGAGENT
-magicnotes 3023/tcp # magicnotes
-magicnotes 3023/udp # magicnotes
-agentvu 3031/tcp # AgentVU
-agentvu 3031/udp # AgentVU
-pdb 3033/tcp # PDB
-pdb 3033/udp # PDB
-cogitate 3039/tcp # Cogitate, Inc.
-cogitate 3039/udp # Cogitate, Inc.
-journee 3042/tcp # journee
-journee 3042/udp # journee
-brp 3043/tcp # BRP
-brp 3043/udp # BRP
-responsenet 3045/tcp # ResponseNet
-responsenet 3045/udp # ResponseNet
-hlserver 3047/tcp # Fast Security HL Server
-hlserver 3047/udp # Fast Security HL Server
-pctrader 3048/tcp # Sierra Net PC Trader
-pctrader 3048/udp # Sierra Net PC Trader
-nsws 3049/tcp # NSWS
-nsws 3049/udp # NSWS
-interserver 3060/tcp # interserver
-interserver 3060/udp # interserver
-cardbox 3105/tcp # Cardbox
-cardbox 3105/udp # Cardbox
-icpv2 3130/tcp # ICPv2
-icpv2 3130/udp # ICPv2
-netbookmark 3131/tcp # Net Book Mark
-netbookmark 3131/udp # Net Book Mark
-vmodem 3141/tcp # VMODEM
-vmodem 3141/udp # VMODEM
-seaview 3143/tcp # Sea View
-seaview 3143/udp # Sea View
-tarantella 3144/tcp # Tarantella
-tarantella 3144/udp # Tarantella
-rfio 3147/tcp # RFIO
-rfio 3147/udp # RFIO
-ccmail 3264/tcp # cc:mail/lotus
-ccmail 3264/udp # cc:mail/lotus
-verismart 3270/tcp # Verismart
-verismart 3270/udp # Verismart
-sxmp 3273/tcp # Simple Extensible Multiplexed Protocol
-sxmp 3273/udp # Simple Extensible Multiplexed Protocol
-samd 3275/tcp # SAMD
-samd 3275/udp # SAMD
-lkcmserver 3278/tcp # LKCM Server
-lkcmserver 3278/udp # LKCM Server
-admind 3279/tcp # admind
-admind 3279/udp # admind
-sysopt 3281/tcp # SYSOPT
-sysopt 3281/udp # SYSOPT
-datusorb 3282/tcp # Datusorb
-datusorb 3282/udp # Datusorb
-plato 3285/tcp # Plato
-plato 3285/udp # Plato
-directvdata 3287/tcp # DIRECTVDATA
-directvdata 3287/udp # DIRECTVDATA
-cops 3288/tcp # COPS
-cops 3288/udp # COPS
-enpc 3289/tcp # ENPC
-enpc 3289/udp # ENPC
-dyniplookup 3295/tcp # Dynamic IP Lookup
-dyniplookup 3295/udp # Dynamic IP Lookup
-transview 3298/tcp # Transview
-transview 3298/udp # Transview
-pdrncs 3299/tcp # pdrncs
-pdrncs 3299/udp # pdrncs
-bmcpatrolagent 3300/tcp # BMC Patrol Agent
-bmcpatrolagent 3300/udp # BMC Patrol Agent
-bmcpatrolrnvu 3301/tcp # BMC Patrol Rendezvous
-bmcpatrolrnvu 3301/udp # BMC Patrol Rendezvous
-mysql 3306/tcp # MySQL
-mysql 3306/udp # MySQL
-uorb 3313/tcp # Unify Object Broker
-uorb 3313/udp # Unify Object Broker
-uohost 3314/tcp # Unify Object Host
-uohost 3314/udp # Unify Object Host
-cdid 3315/tcp # CDID
-cdid 3315/udp # CDID
-vsaiport 3317/tcp # VSAI PORT
-vsaiport 3317/udp # VSAI PORT
-ssrip 3318/tcp # Swith to Swith Routing Information Protocol
-ssrip 3318/udp # Swith to Swith Routing Information Protocol
-officelink2000 3320/tcp # Office Link 2000
-officelink2000 3320/udp # Office Link 2000
-vnsstr 3321/tcp # VNSSTR
-vnsstr 3321/udp # VNSSTR
-sftu 3326/tcp # SFTU
-sftu 3326/udp # SFTU
-bbars 3327/tcp # BBARS
-bbars 3327/udp # BBARS
-egptlm 3328/tcp # Eaglepoint License Manager
-egptlm 3328/udp # Eaglepoint License Manager
-webtie 3342/tcp # WebTIE
-webtie 3342/udp # WebTIE
-influence 3345/tcp # Influence
-influence 3345/udp # Influence
-trnsprntproxy 3346/tcp # Trnsprnt Proxy
-trnsprntproxy 3346/udp # Trnsprnt Proxy
-chevinservices 3349/tcp # Chevin Services
-chevinservices 3349/udp # Chevin Services
-findviatv 3350/tcp # FINDVIATV
-findviatv 3350/udp # FINDVIATV
-btrieve 3351/tcp # BTRIEVE
-btrieve 3351/udp # BTRIEVE
-ssql 3352/tcp # SSQL
-ssql 3352/udp # SSQL
-fatpipe 3353/tcp # FATPIPE
-fatpipe 3353/udp # FATPIPE
-suitjd 3354/tcp # SUITJD
-suitjd 3354/udp # SUITJD
-upnotifyps 3356/tcp # UPNOTIFYPS
-upnotifyps 3356/udp # UPNOTIFYPS
-mpsysrmsvr 3358/tcp # Mp Sys Rmsvr
-mpsysrmsvr 3358/udp # Mp Sys Rmsvr
-creativeserver 3364/tcp # Creative Server
-creativeserver 3364/udp # Creative Server
-contentserver 3365/tcp # Content Server
-contentserver 3365/udp # Content Server
-creativepartnr 3366/tcp # Creative Partner
-creativepartnr 3366/udp # Creative Partner
-tip2 3372/tcp # TIP 2
-tip2 3372/udp # TIP 2
-cdborker 3376/tcp # CD Broker
-cdbroker 3376/udp # CD Broker
-wsicopy 3378/tcp # WSICOPY
-wsicopy 3378/udp # WSICOPY
-socorfs 3379/tcp # SOCORFS
-socorfs 3379/udp # SOCORFS
-geneous 3381/tcp # Geneous
-geneous 3381/udp # Geneous
-qnxnetman 3385/tcp # qnxnetman
-qnxnetman 3385/udp # qnxnetman
-backroomnet 3387/tcp # Back Room Net
-backroomnet 3387/udp # Back Room Net
-cbserver 3388/tcp # CB Server
-cbserver 3388/udp # CB Server
-dsc 3390/tcp # Distributed Service Coordinator
-dsc 3390/udp # Distributed Service Coordinator
-savant 3391/tcp # SAVANT
-savant 3391/udp # SAVANT
-mercantile 3398/tcp # Mercantile
-mercantile 3398/udp # Mercantile
-csms 3399/tcp # CSMS
-csms 3399/udp # CSMS
-csms2 3400/tcp # CSMS2
-csms2 3400/udp # CSMS2
-bmap 3421/tcp # Bull Apprise portmapper
-bmap 3421/udp # Bull Apprise portmapper
-mira 3454/tcp # Apple Remote Access Protocol
-prsvp 3455/tcp # RSVP Port
-prsvp 3455/udp # RSVP Port
-vat 3456/tcp # VAT default data
-vat 3456/udp # VAT default data
-d3winosfi 3458/tcp # D3WinOsfi
-d3winosfi 3458/udp # DsWinOSFI
-integral 3459/tcp # Integral
-integral 3459/udp # Integral
-workflow 3466/tcp # WORKFLOW
-workflow 3466/udp # WORKFLOW
-rcst 3467/tcp # RCST
-rcst 3467/udp # RCST
-ttcmremotectrl 3468/tcp # TTCM Remote Controll
-ttcmremotectrl 3468/udp # TTCM Remote Controll
-pluribus 3469/tcp # Pluribus
-pluribus 3469/udp # Pluribus
-jt400 3470/tcp # jt400
-jt400 3470/udp # jt400
-watcomdebug 3563/tcp # Watcom Debug
-watcomdebug 3563/udp # Watcom Debug
-harlequinorb 3672/tcp # harlequinorb
-harlequinorb 3672/udp # harlequinorb
-centerline 3987/tcp # Centerline
-centerline 3987/udp # Centerline
-terabase 4000/tcp # Terabase
-terabase 4000/udp # Terabase
-newoak 4001/tcp # NewOak
-newoak 4001/udp # NewOak
-netcheque 4008/tcp # NetCheque accounting
-netcheque 4008/udp # NetCheque accounting
-altserviceboot 4011/tcp # Alternate Service Boot
-altserviceboot 4011/udp # Alternate Service Boot
-taiclock 4014/tcp # TAICLOCK
-taiclock 4014/udp # TAICLOCK
-bre 4096/tcp # BRE (Bridge Relay Element)
-bre 4096/udp # BRE (Bridge Relay Element)
-patrolview 4097/tcp # Patrol View
-patrolview 4097/udp # Patrol View
-drmsfsd 4098/tcp # drmsfsd
-drmsfsd 4098/udp # drmsfsd
-dpcp 4099/tcp # DPCP
-dpcp 4099/udp # DPCP
-oirtgsvc 4141/tcp # Workflow Server
-oirtgsvc 4141/udp # Workflow Server
-oidocsvc 4142/tcp # Document Server
-oidocsvc 4142/udp # Document Server
-oidsr 4143/tcp # Document Replication
-oidsr 4143/udp # Document Replication
-corelccam 4300/tcp # Corel CCam
-corelccam 4300/udp # Corel CCam
-rwhois 4321/tcp # Remote Who Is
-rwhois 4321/udp # Remote Who Is
-unicall 4343/tcp # UNICALL
-unicall 4343/udp # UNICALL
-vinainstall 4344/tcp # VinaInstall
-vinainstall 4344/udp # VinaInstall
-elanlm 4346/tcp # ELAN LM
-elanlm 4346/udp # ELAN LM
-lansurveyor 4347/tcp # LAN Surveyor
-lansurveyor 4347/udp # LAN Surveyor
-itose 4348/tcp # ITOSE
-itose 4348/udp # ITOSE
-fsportmap 4349/tcp # File System Port Map
-fsportmap 4349/udp # File System Port Map
-saris 4442/tcp # Saris
-saris 4442/udp # Saris
-pharos 4443/tcp # Pharos
-pharos 4443/udp # Pharos
-krb524 4444/tcp # KRB524
-krb524 4444/udp # KRB524
-upnotifyp 4445/tcp # UPNOTIFYP
-upnotifyp 4445/udp # UPNOTIFYP
-privatewire 4449/tcp # PrivateWire
-privatewire 4449/udp # PrivateWire
-camp 4450/tcp # Camp
-camp 4450/udp # Camp
-ctisystemmsg 4451/tcp # CTI System Msg
-ctisystemmsg 4451/udp # CTI System Msg
-ctiprogramload 4452/tcp # CTI Program Load
-ctiprogramload 4452/udp # CTI Program Load
-nssalertmgr 4453/tcp # NSS Alert Manager
-nssalertmgr 4453/udp # NSS Alert Manager
-nssagentmgr 4454/tcp # NSS Agent Manager
-nssagentmgr 4454/udp # NSS Agent Manager
-prRegister 4457/tcp # PR Register
-prRegister 4457/udp # PR Register
-worldscores 4545/tcp # WorldScores
-worldscores 4545/udp # WorldScores
-piranha1 4600/tcp # Piranha1
-piranha1 4600/udp # Piranha1
-piranha2 4601/tcp # Piranha2
-piranha2 4601/udp # Piranha2
-rfa 4672/tcp # remote file access server
-rfa 4672/udp # remote file access server
-iims 4800/tcp # Icona Instant Messenging System
-iims 4800/udp # Icona Instant Messenging System
-iwec 4801/tcp # Icona Web Embedded Chat
-iwec 4801/udp # Icona Web Embedded Chat
-ilss 4802/tcp # Icona License System Server
-ilss 4802/udp # Icona License System Server
-htcp 4827/tcp # HTCP
-htcp 4827/udp # HTCP
-phrelay 4868/tcp # Photon Relay
-phrelay 4868/udp # Photon Relay
-phrelaydbg 4869/tcp # Photon Relay Debug
-phrelaydbg 4869/udp # Photon Relay Debug
-abbs 4885/tcp # ABBS
-abbs 4885/udp # ABBS
-rfe 5002/tcp # radio free ethernet
-rfe 5002/udp # radio free ethernet
-telelpathstart 5010/tcp # TelepathStart
-telelpathstart 5010/udp # TelepathStart
-telelpathattack 5011/tcp # TelepathAttack
-telelpathattack 5011/udp # TelepathAttack
-asnaacceler8db 5042/tcp # asnaacceler8db
-asnaacceler8db 5042/udp # asnaacceler8db
-mmcc 5050/tcp # multimedia conference control tool
-mmcc 5050/udp # multimedia conference control tool
-sip 5060/tcp # SIP
-sip 5060/udp # SIP
-atmp 5150/tcp # Ascend Tunnel Management Protocol
-atmp 5150/udp # Ascend Tunnel Management Protocol
-aol 5190/tcp # America-Online
-aol 5190/udp # America-Online
-padl2sim 5236/tcp
-padl2sim 5236/udp
-pk 5272/tcp # PK
-pk 5272/udp # PK
-cfengine 5308/tcp # CFengine
-cfengine 5308/udp # CFengine
-jprinter 5309/tcp # J Printer
-jprinter 5309/udp # J Printer
-outlaws 5310/tcp # Outlaws
-outlaws 5310/udp # Outlaws
-tmlogin 5311/tcp # TM Login
-tmlogin 5311/udp # TM Login
-excerpt 5400/tcp # Excerpt Search
-excerpt 5400/udp # Excerpt Search
-excerpts 5401/tcp # Excerpt Search Secure
-excerpts 5401/udp # Excerpt Search Secure
-mftp 5402/tcp # MFTP
-mftp 5402/udp # MFTP
-netsupport 5405/tcp # NetSupport
-netsupport 5405/udp # NetSupport
-actnet 5411/tcp # ActNet
-actnet 5411/udp # ActNet
-continuus 5412/tcp # Continuus
-continuus 5412/udp # Continuus
-wwiotalk 5413/tcp # WWIOTALK
-wwiotalk 5413/udp # WWIOTALK
-statusd 5414/tcp # StatusD
-statusd 5414/udp # StatusD
-mcntp 5418/tcp # MCNTP
-mcntp 5418/udp # MCNTP
-esinstall 5599/tcp # Enterprise Security Remote Install
-esinstall 5599/udp # Enterprise Security Remote Install
-esmmanager 5600/tcp # Enterprise Security Manager
-esmmanager 5600/udp # Enterprise Security Manager
-esmagent 5601/tcp # Enterprise Security Agent
-esmagent 5601/udp # Enterprise Security Agent
-pcanywheredata 5631/tcp # pcANYWHEREdata
-pcanywheredata 5631/udp # pcANYWHEREdata
-pcanywherestat 5632/tcp # pcANYWHEREstat
-pcanywherestat 5632/udp # pcANYWHEREstat
-rrac 5678/tcp # Remote Replication Agent Connection
-rrac 5678/udp # Remote Replication Agent Connection
-dccm 5679/tcp # Direct Cable Connect Manager
-dccm 5679/udp # Direct Cable Connect Manager
-proshareaudio 5713/tcp # proshare conf audio
-proshareaudio 5713/udp # proshare conf audio
-prosharevideo 5714/tcp # proshare conf video
-prosharevideo 5714/udp # proshare conf video
-prosharedata 5715/tcp # proshare conf data
-prosharedata 5715/udp # proshare conf data
-prosharerequest 5716/tcp # proshare conf request
-prosharerequest 5716/udp # proshare conf request
-prosharenotify 5717/tcp # proshare conf notify
-prosharenotify 5717/udp # proshare conf notify
-openmail 5729/tcp # Openmail User Agent Layer
-openmail 5729/udp # Openmail User Agent Layer
-openmailg 5755/tcp # OpenMail Desk Gateway server
-openmailg 5755/udp # OpenMail Desk Gateway server
-x500ms 5757/tcp # OpenMail X.500 Directory Server
-x500ms 5757/udp # OpenMail X.500 Directory Server
-openmailns 5766/tcp # OpenMail NewMail Server
-openmailns 5766/udp # OpenMail NewMail Server
-openmailpxy 5768/tcp # OpenMail CMTS Server
-openmailpxy 5768/udp # OpenMail CMTS Server
-softcm 6110/tcp # HP SoftBench CM
-softcm 6110/udp # HP SoftBench CM
-spc 6111/tcp # HP SoftBench Sub-Process Control
-spc 6111/udp # HP SoftBench Sub-Process Control
-dtspcd 6112/tcp # dtspcd
-dtspcd 6112/udp # dtspcd
-crip 6253/tcp # CRIP
-crip 6253/udp # CRIP
-boks 6500/tcp # BoKS Master
-boks 6500/udp # BoKS Master
-xdsxdm 6558/tcp
-xdsxdm 6558/udp
-hnmp 6790/tcp # HNMP
-hnmp 6790/udp # HNMP
-jmact3 6961/tcp # JMACT3
-jmact3 6961/udp # JMACT3
-jmevt2 6962/tcp # jmevt2
-jmevt2 6962/udp # jmevt2
-swismgr1 6963/tcp # swismgr1
-swismgr1 6963/udp # swismgr1
-swismgr2 6964/tcp # swismgr2
-swismgr2 6964/udp # swismgr2
-swistrap 6965/tcp # swistrap
-swistrap 6965/udp # swistrap
-swispol 6966/tcp # swispol
-swispol 6966/udp # swispol
-acmsoda 6969/tcp # acmsoda
-acmsoda 6969/udp # acmsoda
-dpserve 7020/tcp # DP Serve
-dpserve 7020/udp # DP Serve
-dpserveadmin 7021/tcp # DP Serve Admin
-dpserveadmin 7021/udp # DP Serve Admin
-raudio 7070/tcp @ Real Audio
-arcp 7070/tcp # ARCP
-arcp 7070/udp # ARCP
-clutild 7174/tcp # Clutild
-clutild 7174/udp # Clutild
-fodms 7200/tcp # FODMS FLIP
-fodms 7200/udp # FODMS FLIP
-dlip 7201/tcp # DLIP
-dlip 7201/udp # DLIP
-winqedit 7395/tcp # winqedit
-winqedit 7395/udp # winqedit
-pmdmgr 7426/tcp # OpenView DM Postmaster Manager
-pmdmgr 7426/udp # OpenView DM Postmaster Manager
-oveadmgr 7427/tcp # OpenView DM Event Agent Manager
-oveadmgr 7427/udp # OpenView DM Event Agent Manager
-ovladmgr 7428/tcp # OpenView DM Log Agent Manager
-ovladmgr 7428/udp # OpenView DM Log Agent Manager
-xmpv7 7430/tcp # OpenView DM xmpv7 api pipe
-xmpv7 7430/udp # OpenView DM xmpv7 api pipe
-pmd 7431/tcp # OpenView DM ovc/xmpv3 api pipe
-pmd 7431/udp # OpenView DM ovc/xmpv3 api pipe
-faximum 7437/tcp # Faximum
-faximum 7437/udp # Faximum
-pmdfmgt 7633/tcp # PMDF Management
-pmdfmgt 7633/udp # PMDF Management
-cbt 7777/tcp # cbt
-cbt 7777/udp # cbt
-supercell 7967/tcp # Supercell
-supercell 7967/udp # Supercell
-irdmi2 7999/tcp # iRDMI2
-irdmi2 7999/udp # iRDMI2
-irdmi 8000/tcp # iRDMI
-irdmi 8000/udp # iRDMI
-mindprint 8033/tcp # MindPrint
-mindprint 8033/udp # MindPrint
-trivnet1 8200/tcp # TRIVNET
-trivnet1 8200/udp # TRIVNET
-trivnet2 8201/tcp # TRIVNET
-trivnet2 8201/udp # TRIVNET
-cvd 8400/tcp # cvd
-cvd 8400/udp # cvd
-sabarsd 8401/tcp # sabarsd
-sabarsd 8401/udp # sabarsd
-abarsd 8402/tcp # abarsd
-abarsd 8402/udp # abarsd
-admind 8403/tcp # admind
-admind 8403/udp # admind
-npmp 8450/tcp # npmp
-npmp 8450/udp # npmp
-vp2p 8473/tcp # Virtual Point to Point
-vp2p 8473/udp # Virtual Point to Point
-ibus 8733/tcp # iBus
-ibus 8733/udp # iBus
-cslistener 9000/tcp # CSlistener
-cslistener 9000/udp # CSlistener
-sctp 9006/tcp # SCTP
-sctp 9006/udp # SCTP
-websm 9090/tcp # WebSM
-websm 9090/udp # WebSM
-guibase 9321/tcp # guibase
-guibase 9321/udp # guibase
-mpidcmgr 9343/tcp # MpIdcMgr
-mpidcmgr 9343/udp # MpIdcMgr
-fjdmimgr 9374/tcp # fjdmimgr
-fjdmimgr 9374/udp # fjdmimgr
-fjinvmgr 9396/tcp # fjinvmgr
-fjinvmgr 9396/udp # fjinvmgr
-mpidcagt 9397/tcp # MpIdcAgt
-mpidcagt 9397/udp # MpIdcAgt
-ismserver 9500/tcp # ismserver
-ismserver 9500/udp # ismserver
-man 9535/tcp
-man 9535/udp
-msgsys 9594/tcp # Message System
-msgsys 9594/udp # Message System
-pds 9595/tcp # Ping Discovery Service
-pds 9595/udp # Ping Discovery Service
-sd 9876/tcp # Session Director
-sd 9876/udp # Session Director
-monkeycom 9898/tcp # MonkeyCom
-monkeycom 9898/udp # MonkeyCom
-palace 9992/tcp # Palace
-palace 9992/udp # Palace
-palace 9993/tcp # Palace
-palace 9993/udp # Palace
-palace 9994/tcp # Palace
-palace 9994/udp # Palace
-palace 9995/tcp # Palace
-palace 9995/udp # Palace
-palace 9996/tcp # Palace
-palace 9996/udp # Palace
-palace 9997/tcp # Palace
-palace 9997/udp # Palace
-distinct32 9998/tcp # Distinct32
-distinct32 9998/udp # Distinct32
-distinct 9999/tcp # distinct
-distinct 9999/udp # distinct
-ndmp 10000/tcp # Network Data Management Protocol
-ndmp 10000/udp # Network Data Management Protocol
-amanda 10080/tcp # Amanda
-amanda 10080/udp # Amanda
-blocks 10288/tcp # Blocks
-blocks 10288/udp # Blocks
-irisa 11000/tcp # IRISA
-irisa 11000/udp # IRISA
-metasys 11001/tcp # Metasys
-metasys 11001/udp # Metasys
-vce 11111/tcp # Viral Computing Environment (VCE)
-vce 11111/udp # Viral Computing Environment (VCE)
-entextxid 12000/tcp # IBM Enterprise Extender SNA XID Exchange
-entextxid 12000/udp # IBM Enterprise Extender SNA XID Exchange
-entextnetwk 12001/tcp # IBM Enterprise Extender SNA COS Network Priority
-entextnetwk 12001/udp # IBM Enterprise Extender SNA COS Network Priority
-entexthigh 12002/tcp # IBM Enterprise Extender SNA COS High Priority
-entexthigh 12002/udp # IBM Enterprise Extender SNA COS High Priority
-entextmed 12003/tcp # IBM Enterprise Extender SNA COS Medium Priority
-entextmed 12003/udp # IBM Enterprise Extender SNA COS Medium Priority
-entextlow 12004/tcp # IBM Enterprise Extender SNA COS Low Priority
-entextlow 12004/udp # IBM Enterprise Extender SNA COS Low Priority
-tsaf 12753/tcp # tsaf port
-tsaf 12753/udp # tsaf port
-bprd 13720/tcp # BPRD Protocol (VERITAS NetBackup)
-bprd 13720/udp # BPRD Protocol (VERITAS NetBackup)
-bpbrm 13721/tcp # BPBRM Protocol (VERITAS NetBackup)
-bpbrm 13721/udp # BPBRM Protocol (VERITAS NetBackup)
-bpcd 13782/tcp # VERITAS NetBackup
-bpcd 13782/udp # VERITAS NetBackup
-vopied 13783/tcp # VOPIED Protocol
-vopied 13783/udp # VOPIED Protocol
-netserialext1 16360/tcp # netserialext1
-netserialext1 16360/udp # netserialext1
-netserialext2 16361/tcp # netserialext2
-netserialext2 16361/udp # netserialext2
-netserialext3 16367/tcp # netserialext3
-netserialext3 16367/udp # netserialext3
-netserialext4 16368/tcp # netserialext4
-netserialext4 16368/udp # netserialext4
-chipper 17219/tcp # Chipper
-chipper 17219/udp # Chipper
-biimenu 18000/tcp # Beckman Instruments, Inc.
-biimenu 18000/udp # Beckman Instruments, Inc.
-jcp 19541/tcp # JCP Client
-jcp 19541/udp # JCP Client
-dnp 20000/tcp # DNP
-dnp 20000/udp # DNP
-track 20670/tcp # Track
-track 20670/udp # Track
-webphone 21845/tcp # webphone
-webphone 21845/udp # webphone
-wnn6 22273/tcp # wnn6
-wnn6 22273/udp # wnn6
-quake 26000/tcp # quake
-quake 26000/udp # quake
-traceroute 33434/tcp # traceroute use
-traceroute 33434/udp # traceroute use
-kastenxpipe 36865/tcp # KastenX Pipe
-kastenxpipe 36865/udp # KastenX Pipe
-eba 45678/tcp # EBA PRISE
-eba 45678/udp # EBA PRISE
-dbbrowse 47557/tcp # Databeam Corporation
-dbbrowse 47557/udp # Databeam Corporation
-directplaysrvr 47624/tcp # Direct Play Server
-directplaysrvr 47624/udp # Direct Play Server
-ap 47806/tcp # ALC Protocol
-ap 47806/udp # ALC Protocol
-bacnet 47808/tcp # Building Automation and Control Networks
-bacnet 47808/udp # Building Automation and Control Networks
-nimcontroller 48000/tcp # Nimbus Controller
-nimcontroller 48000/udp # Nimbus Controller
-nimspooler 48001/tcp # Nimbus Spooler
-nimspooler 48001/udp # Nimbus Spooler
-nimhub 48002/tcp # Nimbus Hub
-nimhub 48002/udp # Nimbus Hub
-nimgtw 48003/tcp # Nimbus Gateway
-nimgtw 48003/udp # Nimbus Gateway
diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c
deleted file mode 100644
index 79afdd2..0000000
--- a/contrib/ipfilter/facpri.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <syslog.h>
-#include "facpri.h"
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp $";
-#endif
-
-typedef struct table {
- char *name;
- int value;
-} table_t;
-
-table_t facs[] = {
- { "kern", LOG_KERN }, { "user", LOG_USER },
- { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
- { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
- { "lpr", LOG_LPR }, { "news", LOG_NEWS },
- { "uucp", LOG_UUCP },
-#if LOG_CRON == LOG_CRON2
- { "cron2", LOG_CRON1 },
-#else
- { "cron", LOG_CRON1 },
-#endif
-#ifdef LOG_FTP
- { "ftp", LOG_FTP },
-#endif
-#ifdef LOG_AUTHPRIV
- { "authpriv", LOG_AUTHPRIV },
-#endif
-#ifdef LOG_AUDIT
- { "audit", LOG_AUDIT },
-#endif
-#ifdef LOG_LFMT
- { "logalert", LOG_LFMT },
-#endif
-#if LOG_CRON == LOG_CRON1
- { "cron", LOG_CRON2 },
-#else
- { "cron2", LOG_CRON2 },
-#endif
-#ifdef LOG_SECURITY
- { "security", LOG_SECURITY },
-#endif
- { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
- { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
- { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
- { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
- { NULL, 0 }
-};
-
-
-/*
- * map a facility number to its name
- */
-char *
-fac_toname(facpri)
- int facpri;
-{
- int i, j, fac;
-
- fac = facpri & LOG_FACMASK;
- j = fac >> 3;
- if (j < 24) {
- if (facs[j].value == fac)
- return facs[j].name;
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
- }
-
- return NULL;
-}
-
-
-/*
- * map a facility name to its number
- */
-int
-fac_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; facs[i].name; i++)
- if (!strcmp(facs[i].name, name))
- return facs[i].value;
- return -1;
-}
-
-
-table_t pris[] = {
- { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
- { "crit", LOG_CRIT }, { "err", LOG_ERR },
- { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
- { "info", LOG_INFO }, { "debug", LOG_DEBUG },
- { NULL, 0 }
-};
-
-
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; pris[i].name; i++)
- if (!strcmp(pris[i].name, name))
- return pris[i].value;
- return -1;
-}
-
-
-/*
- * map a priority number to its name
- */
-char *
-pri_toname(facpri)
- int facpri;
-{
- int i, pri;
-
- pri = facpri & LOG_PRIMASK;
- if (pris[pri].value == pri)
- return pris[pri].name;
- for (i = 0; pris[i].name; i++)
- if (pri == pris[i].value)
- return pris[i].name;
- return NULL;
-}
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
deleted file mode 100644
index 7b80377..0000000
--- a/contrib/ipfilter/facpri.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 1999-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * $Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp $
- */
-
-#ifndef __FACPRI_H__
-#define __FACPRI_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-
-extern char *pri_toname __P((int));
-extern int pri_findname __P((char *));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#if LOG_CRON == (9<<3)
-# define LOG_CRON1 LOG_CRON
-# define LOG_CRON2 (15<<3)
-#endif
-#if LOG_CRON == (15<<3)
-# define LOG_CRON1 (9<<3)
-# define LOG_CRON2 LOG_CRON
-#endif
-
-#endif /* __FACPRI_H__ */
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
deleted file mode 100644
index 6f3a13d..0000000
--- a/contrib/ipfilter/fil.c
+++ /dev/null
@@ -1,6209 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#if defined(__NetBSD__)
-# if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-# endif
-#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 220000)
-# if (__FreeBSD_version >= 400000)
-# if !defined(IPFILTER_LKM)
-# include "opt_inet6.h"
-# endif
-# if (__FreeBSD_version == 400019)
-# define CSUM_DELAY_DATA
-# endif
-# endif
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/fcntl.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# include <sys/file.h>
-#else
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <stddef.h>
-# include <sys/file.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux) && \
- !defined(linux)
-# include <sys/mbuf.h>
-#else
-# if !defined(linux)
-# include <sys/byteorder.h>
-# endif
-# if (SOLARIS2 < 5) && defined(sun)
-# include <sys/dditypes.h>
-# endif
-#endif
-#ifdef __hpux
-# define _NET_ROUTE_INCLUDED
-#endif
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if !defined(_KERNEL) && defined(__FreeBSD__)
-# include "radix_ipf.h"
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
-# include <sys/hashing.h>
-# include <netinet/in_var.h>
-#endif
-#include <netinet/tcp.h>
-#if !defined(__sgi) || defined(_KERNEL)
-# include <netinet/udp.h>
-# include <netinet/ip_icmp.h>
-#endif
-#ifdef __hpux
-# undef _NET_ROUTE_INCLUDED
-#endif
-#include "netinet/ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-# if !SOLARIS && defined(_KERNEL) && !defined(__osf__) && !defined(__hpux)
-# include <netinet6/in6_var.h>
-# endif
-#endif
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef IPFILTER_SCAN
-# include "netinet/ip_scan.h"
-#endif
-#ifdef IPFILTER_SYNC
-# include "netinet/ip_sync.h"
-#endif
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#ifdef IPFILTER_COMPILED
-# include "netinet/ip_rules.h"
-#endif
-#if defined(IPFILTER_BPF) && defined(_KERNEL)
-# include <net/bpf.h>
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#endif
-#include "netinet/ipl.h"
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp";
-#endif
-
-#ifndef _KERNEL
-# include "ipf.h"
-# include "ipt.h"
-# include "bpf-ipf.h"
-extern int opts;
-
-# define FR_VERBOSE(verb_pr) verbose verb_pr
-# define FR_DEBUG(verb_pr) debug verb_pr
-#else /* #ifndef _KERNEL */
-# define FR_VERBOSE(verb_pr)
-# define FR_DEBUG(verb_pr)
-#endif /* _KERNEL */
-
-
-fr_info_t frcache[2][8];
-struct filterstats frstats[2] = { { 0, 0, 0, 0, 0 }, { 0, 0, 0, 0, 0 } };
-struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
- *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
- *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
- *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } },
- *ipnatrules[2][2] = { { NULL, NULL }, { NULL, NULL } };
-struct frgroup *ipfgroups[IPL_LOGSIZE][2];
-char ipfilter_version[] = IPL_VERSION;
-int fr_refcnt = 0;
-/*
- * For fr_running:
- * 0 == loading, 1 = running, -1 = disabled, -2 = unloading
- */
-int fr_running = 0;
-int fr_flags = IPF_LOGGING;
-int fr_active = 0;
-int fr_control_forwarding = 0;
-int fr_update_ipid = 0;
-u_short fr_ip_id = 0;
-int fr_chksrc = 0; /* causes a system crash if enabled */
-int fr_minttl = 4;
-u_long fr_frouteok[2] = {0, 0};
-u_long fr_userifqs = 0;
-u_long fr_badcoalesces[2] = {0, 0};
-u_char ipf_iss_secret[32];
-#if defined(IPFILTER_DEFAULT_BLOCK)
-int fr_pass = FR_BLOCK|FR_NOMATCH;
-#else
-int fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH;
-#endif
-int fr_features = 0
-#ifdef IPFILTER_LKM
- | IPF_FEAT_LKM
-#endif
-#ifdef IPFILTER_LOG
- | IPF_FEAT_LOG
-#endif
-#ifdef IPFILTER_LOOKUP
- | IPF_FEAT_LOOKUP
-#endif
-#ifdef IPFILTER_BPF
- | IPF_FEAT_BPF
-#endif
-#ifdef IPFILTER_COMPILED
- | IPF_FEAT_COMPILED
-#endif
-#ifdef IPFILTER_CKSUM
- | IPF_FEAT_CKSUM
-#endif
-#ifdef IPFILTER_SYNC
- | IPF_FEAT_SYNC
-#endif
-#ifdef IPFILTER_SCAN
- | IPF_FEAT_SCAN
-#endif
-#ifdef USE_INET6
- | IPF_FEAT_IPV6
-#endif
- ;
-
-static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
-static int fr_portcheck __P((frpcmp_t *, u_short *));
-static int frflushlist __P((int, minor_t, int *, frentry_t **));
-static ipfunc_t fr_findfunc __P((ipfunc_t));
-static frentry_t *fr_firewall __P((fr_info_t *, u_32_t *));
-static int fr_funcinit __P((frentry_t *fr));
-static INLINE void frpr_esp __P((fr_info_t *));
-static INLINE void frpr_gre __P((fr_info_t *));
-static INLINE void frpr_udp __P((fr_info_t *));
-static INLINE void frpr_tcp __P((fr_info_t *));
-static INLINE void frpr_icmp __P((fr_info_t *));
-static INLINE void frpr_ipv4hdr __P((fr_info_t *));
-static INLINE int frpr_pullup __P((fr_info_t *, int));
-static INLINE void frpr_short __P((fr_info_t *, int));
-static INLINE void frpr_tcpcommon __P((fr_info_t *));
-static INLINE void frpr_udpcommon __P((fr_info_t *));
-static INLINE int fr_updateipid __P((fr_info_t *));
-#ifdef IPFILTER_LOOKUP
-static int fr_grpmapinit __P((frentry_t *fr));
-static INLINE void *fr_resolvelookup __P((u_int, u_int, lookupfunc_t *));
-#endif
-static void frsynclist __P((frentry_t *, void *));
-static ipftuneable_t *fr_findtunebyname __P((char *));
-static ipftuneable_t *fr_findtunebycookie __P((void *, void **));
-
-
-/*
- * bit values for identifying presence of individual IP options
- * All of these tables should be ordered by increasing key value on the left
- * hand side to allow for binary searching of the array and include a trailer
- * with a 0 for the bitmask for linear searches to easily find the end with.
- */
-const struct optlist ipopts[20] = {
- { IPOPT_NOP, 0x000001 },
- { IPOPT_RR, 0x000002 },
- { IPOPT_ZSU, 0x000004 },
- { IPOPT_MTUP, 0x000008 },
- { IPOPT_MTUR, 0x000010 },
- { IPOPT_ENCODE, 0x000020 },
- { IPOPT_TS, 0x000040 },
- { IPOPT_TR, 0x000080 },
- { IPOPT_SECURITY, 0x000100 },
- { IPOPT_LSRR, 0x000200 },
- { IPOPT_E_SEC, 0x000400 },
- { IPOPT_CIPSO, 0x000800 },
- { IPOPT_SATID, 0x001000 },
- { IPOPT_SSRR, 0x002000 },
- { IPOPT_ADDEXT, 0x004000 },
- { IPOPT_VISA, 0x008000 },
- { IPOPT_IMITD, 0x010000 },
- { IPOPT_EIP, 0x020000 },
- { IPOPT_FINN, 0x040000 },
- { 0, 0x000000 }
-};
-
-#ifdef USE_INET6
-struct optlist ip6exthdr[] = {
- { IPPROTO_HOPOPTS, 0x000001 },
- { IPPROTO_IPV6, 0x000002 },
- { IPPROTO_ROUTING, 0x000004 },
- { IPPROTO_FRAGMENT, 0x000008 },
- { IPPROTO_ESP, 0x000010 },
- { IPPROTO_AH, 0x000020 },
- { IPPROTO_NONE, 0x000040 },
- { IPPROTO_DSTOPTS, 0x000080 },
- { 0, 0 }
-};
-#endif
-
-struct optlist tcpopts[] = {
- { TCPOPT_NOP, 0x000001 },
- { TCPOPT_MAXSEG, 0x000002 },
- { TCPOPT_WINDOW, 0x000004 },
- { TCPOPT_SACK_PERMITTED, 0x000008 },
- { TCPOPT_SACK, 0x000010 },
- { TCPOPT_TIMESTAMP, 0x000020 },
- { 0, 0x000000 }
-};
-
-/*
- * bit values for identifying presence of individual IP security options
- */
-const struct optlist secopt[8] = {
- { IPSO_CLASS_RES4, 0x01 },
- { IPSO_CLASS_TOPS, 0x02 },
- { IPSO_CLASS_SECR, 0x04 },
- { IPSO_CLASS_RES3, 0x08 },
- { IPSO_CLASS_CONF, 0x10 },
- { IPSO_CLASS_UNCL, 0x20 },
- { IPSO_CLASS_RES2, 0x40 },
- { IPSO_CLASS_RES1, 0x80 }
-};
-
-
-/*
- * Table of functions available for use with call rules.
- */
-static ipfunc_resolve_t fr_availfuncs[] = {
-#ifdef IPFILTER_LOOKUP
- { "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
- { "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
-#endif
- { "", NULL }
-};
-
-
-/*
- * The next section of code is a a collection of small routines that set
- * fields in the fr_info_t structure passed based on properties of the
- * current packet. There are different routines for the same protocol
- * for each of IPv4 and IPv6. Adding a new protocol, for which there
- * will "special" inspection for setup, is now more easily done by adding
- * a new routine and expanding the frpr_ipinit*() function rather than by
- * adding more code to a growing switch statement.
- */
-#ifdef USE_INET6
-static INLINE void frpr_udp6 __P((fr_info_t *));
-static INLINE void frpr_tcp6 __P((fr_info_t *));
-static INLINE void frpr_icmp6 __P((fr_info_t *));
-static INLINE void frpr_ipv6hdr __P((fr_info_t *));
-static INLINE void frpr_short6 __P((fr_info_t *, int));
-static INLINE int frpr_hopopts6 __P((fr_info_t *));
-static INLINE int frpr_routing6 __P((fr_info_t *));
-static INLINE int frpr_dstopts6 __P((fr_info_t *));
-static INLINE int frpr_fragment6 __P((fr_info_t *));
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_short6 */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* This is function enforces the 'is a packet too short to be legit' rule */
-/* for IPv6 and marks the packet with FI_SHORT if so. See function comment */
-/* for frpr_short() for more details. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_short6(fin, min)
-fr_info_t *fin;
-int min;
-{
- fr_ip_t *fi = &fin->fin_fi;
- int off;
-
- off = fin->fin_off;
- if (off == 0) {
- if (fin->fin_plen < fin->fin_hlen + min)
- fi->fi_flx |= FI_SHORT;
- } else if (off < min) {
- fi->fi_flx |= FI_SHORT;
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_ipv6hdr */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* Copy values from the IPv6 header into the fr_info_t struct and call the */
-/* per-protocol analyzer if it exists. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_ipv6hdr(fin)
-fr_info_t *fin;
-{
- int p, go = 1, i, hdrcount, coalesced;
- ip6_t *ip6 = (ip6_t *)fin->fin_ip;
- fr_ip_t *fi = &fin->fin_fi;
-
- fin->fin_off = 0;
-
- fi->fi_tos = 0;
- fi->fi_optmsk = 0;
- fi->fi_secmsk = 0;
- fi->fi_auth = 0;
-
- coalesced = (fin->fin_flx & FI_COALESCE) ? 1 : 0;
- p = ip6->ip6_nxt;
- fi->fi_ttl = ip6->ip6_hlim;
- fi->fi_src.in6 = ip6->ip6_src;
- fi->fi_dst.in6 = ip6->ip6_dst;
- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
-
- hdrcount = 0;
- while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) {
- switch (p)
- {
- case IPPROTO_UDP :
- frpr_udp6(fin);
- go = 0;
- break;
-
- case IPPROTO_TCP :
- frpr_tcp6(fin);
- go = 0;
- break;
-
- case IPPROTO_ICMPV6 :
- frpr_icmp6(fin);
- go = 0;
- break;
-
- case IPPROTO_GRE :
- frpr_gre(fin);
- go = 0;
- break;
-
- case IPPROTO_HOPOPTS :
- /*
- * Actually, hop by hop header is only allowed right
- * after IPv6 header!
- */
- if (hdrcount != 0)
- fin->fin_flx |= FI_BAD;
-
- if (coalesced == 0) {
- coalesced = fr_coalesce(fin);
- if (coalesced != 1)
- return;
- }
- p = frpr_hopopts6(fin);
- break;
-
- case IPPROTO_DSTOPTS :
- if (coalesced == 0) {
- coalesced = fr_coalesce(fin);
- if (coalesced != 1)
- return;
- }
- p = frpr_dstopts6(fin);
- break;
-
- case IPPROTO_ROUTING :
- if (coalesced == 0) {
- coalesced = fr_coalesce(fin);
- if (coalesced != 1)
- return;
- }
- p = frpr_routing6(fin);
- break;
-
- case IPPROTO_ESP :
- frpr_esp(fin);
- /*FALLTHROUGH*/
- case IPPROTO_AH :
- case IPPROTO_IPV6 :
- for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
- if (ip6exthdr[i].ol_val == p) {
- fin->fin_flx |= ip6exthdr[i].ol_bit;
- break;
- }
- go = 0;
- break;
-
- case IPPROTO_NONE :
- go = 0;
- break;
-
- case IPPROTO_FRAGMENT :
- if (coalesced == 0) {
- coalesced = fr_coalesce(fin);
- if (coalesced != 1)
- return;
- }
- p = frpr_fragment6(fin);
- break;
-
- default :
- go = 0;
- break;
- }
- hdrcount++;
-
- /*
- * It is important to note that at this point, for the
- * extension headers (go != 0), the entire header may not have
- * been pulled up when the code gets to this point. This is
- * only done for "go != 0" because the other header handlers
- * will all pullup their complete header and the other
- * indicator of an incomplete header is that this eas just an
- * extension header.
- */
- if ((go != 0) && (p != IPPROTO_NONE) &&
- (frpr_pullup(fin, 0) == -1)) {
- p = IPPROTO_NONE;
- go = 0;
- }
- }
- fi->fi_p = p;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_hopopts6 */
-/* Returns: int - value of the next header or IPPROTO_NONE if error */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* This is function checks pending hop by hop options extension header */
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_hopopts6(fin)
-fr_info_t *fin;
-{
- struct ip6_ext *hdr;
- u_short shift;
- int i;
-
- fin->fin_flx |= FI_V6EXTHDR;
-
- /* 8 is default length of extension hdr */
- if ((fin->fin_dlen - 8) < 0) {
- fin->fin_flx |= FI_SHORT;
- return IPPROTO_NONE;
- }
-
- if (frpr_pullup(fin, 8) == -1)
- return IPPROTO_NONE;
-
- hdr = fin->fin_dp;
- shift = 8 + (hdr->ip6e_len << 3);
- if (shift > fin->fin_dlen) { /* Nasty extension header length? */
- fin->fin_flx |= FI_BAD;
- return IPPROTO_NONE;
- }
-
- for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
- if (ip6exthdr[i].ol_val == IPPROTO_HOPOPTS) {
- fin->fin_optmsk |= ip6exthdr[i].ol_bit;
- break;
- }
-
- fin->fin_dp = (char *)fin->fin_dp + shift;
- fin->fin_dlen -= shift;
-
- return hdr->ip6e_nxt;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_routing6 */
-/* Returns: int - value of the next header or IPPROTO_NONE if error */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* This is function checks pending routing extension header */
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_routing6(fin)
-fr_info_t *fin;
-{
- struct ip6_ext *hdr;
- u_short shift;
- int i;
-
- fin->fin_flx |= FI_V6EXTHDR;
-
- /* 8 is default length of extension hdr */
- if ((fin->fin_dlen - 8) < 0) {
- fin->fin_flx |= FI_SHORT;
- return IPPROTO_NONE;
- }
-
- if (frpr_pullup(fin, 8) == -1)
- return IPPROTO_NONE;
- hdr = fin->fin_dp;
-
- shift = 8 + (hdr->ip6e_len << 3);
- /*
- * Nasty extension header length?
- */
- if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) ||
- ((shift - sizeof(struct ip6_hdr)) & 15)) {
- fin->fin_flx |= FI_BAD;
- return IPPROTO_NONE;
- }
-
- for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
- if (ip6exthdr[i].ol_val == IPPROTO_ROUTING) {
- fin->fin_optmsk |= ip6exthdr[i].ol_bit;
- break;
- }
-
- fin->fin_dp = (char *)fin->fin_dp + shift;
- fin->fin_dlen -= shift;
-
- return hdr->ip6e_nxt;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_fragment6 */
-/* Returns: int - value of the next header or IPPROTO_NONE if error */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* Examine the IPv6 fragment header and extract fragment offset information.*/
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_fragment6(fin)
-fr_info_t *fin;
-{
- struct ip6_frag *frag;
- struct ip6_ext *hdr;
- int i;
-
- fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR);
-
- /* 8 is default length of extension hdr */
- if ((fin->fin_dlen - 8) < 0) {
- fin->fin_flx |= FI_SHORT;
- return IPPROTO_NONE;
- }
-
- /*
- * Only one frgament header is allowed per IPv6 packet but it need
- * not be the first nor last (not possible in some cases.)
- */
- for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
- if (ip6exthdr[i].ol_val == IPPROTO_FRAGMENT)
- break;
-
- if (fin->fin_optmsk & ip6exthdr[i].ol_bit) {
- fin->fin_flx |= FI_BAD;
- return IPPROTO_NONE;
- }
-
- fin->fin_optmsk |= ip6exthdr[i].ol_bit;
-
- if (frpr_pullup(fin, sizeof(*frag)) == -1)
- return IPPROTO_NONE;
- hdr = fin->fin_dp;
-
- /*
- * Length must be zero, i.e. it has no length.
- */
- if (hdr->ip6e_len != 0) {
- fin->fin_flx |= FI_BAD;
- return IPPROTO_NONE;
- }
-
- if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) {
- fin->fin_flx |= FI_SHORT;
- return IPPROTO_NONE;
- }
-
- frag = fin->fin_dp;
- fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK;
- fin->fin_off <<= 3;
- if (fin->fin_off != 0)
- fin->fin_flx |= FI_FRAGBODY;
-
- fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag);
- fin->fin_dlen -= sizeof(*frag);
-
- return frag->ip6f_nxt;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_dstopts6 */
-/* Returns: int - value of the next header or IPPROTO_NONE if error */
-/* Parameters: fin(I) - pointer to packet information */
-/* nextheader(I) - stores next header value */
-/* */
-/* IPv6 Only */
-/* This is function checks pending destination options extension header */
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_dstopts6(fin)
-fr_info_t *fin;
-{
- struct ip6_ext *hdr;
- u_short shift;
- int i;
-
- /* 8 is default length of extension hdr */
- if ((fin->fin_dlen - 8) < 0) {
- fin->fin_flx |= FI_SHORT;
- return IPPROTO_NONE;
- }
-
- if (frpr_pullup(fin, 8) == -1)
- return IPPROTO_NONE;
- hdr = fin->fin_dp;
-
- shift = 8 + (hdr->ip6e_len << 3);
- if (shift > fin->fin_dlen) { /* Nasty extension header length? */
- fin->fin_flx |= FI_BAD;
- return IPPROTO_NONE;
- }
-
- for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
- if (ip6exthdr[i].ol_val == IPPROTO_DSTOPTS)
- break;
- fin->fin_optmsk |= ip6exthdr[i].ol_bit;
- fin->fin_dp = (char *)fin->fin_dp + shift;
- fin->fin_dlen -= shift;
-
- return hdr->ip6e_nxt;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_icmp6 */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* This routine is mainly concerned with determining the minimum valid size */
-/* for an ICMPv6 packet. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_icmp6(fin)
-fr_info_t *fin;
-{
- int minicmpsz = sizeof(struct icmp6_hdr);
- struct icmp6_hdr *icmp6;
-
- if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)) == -1)
- return;
-
- if (fin->fin_dlen > 1) {
- icmp6 = fin->fin_dp;
-
- fin->fin_data[0] = *(u_short *)icmp6;
-
- switch (icmp6->icmp6_type)
- {
- case ICMP6_ECHO_REPLY :
- case ICMP6_ECHO_REQUEST :
- minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);
- break;
- case ICMP6_DST_UNREACH :
- case ICMP6_PACKET_TOO_BIG :
- case ICMP6_TIME_EXCEEDED :
- case ICMP6_PARAM_PROB :
- if ((fin->fin_m != NULL) &&
- (M_LEN(fin->fin_m) < fin->fin_plen)) {
- if (fr_coalesce(fin) != 1)
- return;
- }
- fin->fin_flx |= FI_ICMPERR;
- minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
- break;
- default :
- break;
- }
- }
-
- frpr_short(fin, minicmpsz);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_udp6 */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* Analyse the packet for IPv6/UDP properties. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_udp6(fin)
-fr_info_t *fin;
-{
-
- fr_checkv6sum(fin);
-
- frpr_short(fin, sizeof(struct udphdr));
-
- frpr_udpcommon(fin);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_tcp6 */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv6 Only */
-/* Analyse the packet for IPv6/TCP properties. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_tcp6(fin)
-fr_info_t *fin;
-{
-
- fr_checkv6sum(fin);
-
- frpr_short(fin, sizeof(struct tcphdr));
-
- frpr_tcpcommon(fin);
-}
-#endif /* USE_INET6 */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_pullup */
-/* Returns: int - 0 == pullup succeeded, -1 == failure */
-/* Parameters: fin(I) - pointer to packet information */
-/* plen(I) - length (excluding L3 header) to pullup */
-/* */
-/* Short inline function to cut down on code duplication to perform a call */
-/* to fr_pullup to ensure there is the required amount of data, */
-/* consecutively in the packet buffer. */
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_pullup(fin, plen)
-fr_info_t *fin;
-int plen;
-{
-#if defined(_KERNEL)
- if (fin->fin_m != NULL) {
- if (fin->fin_dp != NULL)
- plen += (char *)fin->fin_dp -
- ((char *)fin->fin_ip + fin->fin_hlen);
- plen += fin->fin_hlen;
- if (M_LEN(fin->fin_m) < plen) {
- if (fr_pullup(fin->fin_m, fin, plen) == NULL)
- return -1;
- }
- }
-#endif
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_short */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* min(I) - minimum header size */
-/* */
-/* Check if a packet is "short" as defined by min. The rule we are */
-/* applying here is that the packet must not be fragmented within the layer */
-/* 4 header. That is, it must not be a fragment that has its offset set to */
-/* start within the layer 4 header (hdrmin) or if it is at offset 0, the */
-/* entire layer 4 header must be present (min). */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_short(fin, min)
-fr_info_t *fin;
-int min;
-{
- fr_ip_t *fi = &fin->fin_fi;
- int off;
-
- off = fin->fin_off;
- if (off == 0) {
- if (fin->fin_plen < fin->fin_hlen + min)
- fi->fi_flx |= FI_SHORT;
- } else if (off < min) {
- fi->fi_flx |= FI_SHORT;
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_icmp */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv4 Only */
-/* Do a sanity check on the packet for ICMP (v4). In nearly all cases, */
-/* except extrememly bad packets, both type and code will be present. */
-/* The expected minimum size of an ICMP packet is very much dependant on */
-/* the type of it. */
-/* */
-/* XXX - other ICMP sanity checks? */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_icmp(fin)
-fr_info_t *fin;
-{
- int minicmpsz = sizeof(struct icmp);
- icmphdr_t *icmp;
-
- if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
- return;
-
- fr_checkv4sum(fin);
-
- if (!fin->fin_off && (fin->fin_dlen > 1)) {
- icmp = fin->fin_dp;
-
- fin->fin_data[0] = *(u_short *)icmp;
-
- switch (icmp->icmp_type)
- {
- case ICMP_ECHOREPLY :
- case ICMP_ECHO :
- /* Router discovery messaes - RFC 1256 */
- case ICMP_ROUTERADVERT :
- case ICMP_ROUTERSOLICIT :
- minicmpsz = ICMP_MINLEN;
- break;
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * 3 * timestamp(3 * 4)
- */
- case ICMP_TSTAMP :
- case ICMP_TSTAMPREPLY :
- minicmpsz = 20;
- break;
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * mask(4)
- */
- case ICMP_MASKREQ :
- case ICMP_MASKREPLY :
- minicmpsz = 12;
- break;
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
- */
- case ICMP_UNREACH :
- case ICMP_SOURCEQUENCH :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_PARAMPROB :
- if (fr_coalesce(fin) != 1)
- return;
- fin->fin_flx |= FI_ICMPERR;
- break;
- default :
- break;
- }
-
- if (fin->fin_dlen >= 6) /* ID field */
- fin->fin_data[1] = icmp->icmp_id;
- }
-
- frpr_short(fin, minicmpsz);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_tcpcommon */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* TCP header sanity checking. Look for bad combinations of TCP flags, */
-/* and make some checks with how they interact with other fields. */
-/* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is */
-/* valid and mark the packet as bad if not. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_tcpcommon(fin)
-fr_info_t *fin;
-{
- int flags, tlen;
- tcphdr_t *tcp;
- fr_ip_t *fi;
-
- fi = &fin->fin_fi;
- fi->fi_flx |= FI_TCPUDP;
- if (fin->fin_off != 0)
- return;
-
- if (frpr_pullup(fin, sizeof(*tcp)) == -1)
- return;
- tcp = fin->fin_dp;
-
- if (fin->fin_dlen > 3) {
- fin->fin_sport = ntohs(tcp->th_sport);
- fin->fin_dport = ntohs(tcp->th_dport);
- }
-
- if ((fi->fi_flx & FI_SHORT) != 0)
- return;
-
- /*
- * Use of the TCP data offset *must* result in a value that is at
- * least the same size as the TCP header.
- */
- tlen = TCP_OFF(tcp) << 2;
- if (tlen < sizeof(tcphdr_t)) {
- fin->fin_flx |= FI_BAD;
- return;
- }
-
- flags = tcp->th_flags;
- fin->fin_tcpf = tcp->th_flags;
-
- /*
- * If the urgent flag is set, then the urgent pointer must
- * also be set and vice versa. Good TCP packets do not have
- * just one of these set.
- */
- if ((flags & TH_URG) != 0 && (tcp->th_urp == 0)) {
- fin->fin_flx |= FI_BAD;
- } else if ((flags & TH_URG) == 0 && (tcp->th_urp != 0)) {
- /* Ignore this case, it shows up in "real" traffic with */
- /* bogus values in the urgent pointer field. */
- ;
- } else if (((flags & (TH_SYN|TH_FIN)) != 0) &&
- ((flags & (TH_RST|TH_ACK)) == TH_RST)) {
- /* TH_FIN|TH_RST|TH_ACK seems to appear "naturally" */
- fin->fin_flx |= FI_BAD;
- } else if (!(flags & TH_ACK)) {
- /*
- * If the ack bit isn't set, then either the SYN or
- * RST bit must be set. If the SYN bit is set, then
- * we expect the ACK field to be 0. If the ACK is
- * not set and if URG, PSH or FIN are set, consdier
- * that to indicate a bad TCP packet.
- */
- if ((flags == TH_SYN) && (tcp->th_ack != 0)) {
- /*
- * Cisco PIX sets the ACK field to a random value.
- * In light of this, do not set FI_BAD until a patch
- * is available from Cisco to ensure that
- * interoperability between existing systems is
- * achieved.
- */
- /*fin->fin_flx |= FI_BAD*/;
- } else if (!(flags & (TH_RST|TH_SYN))) {
- fin->fin_flx |= FI_BAD;
- } else if ((flags & (TH_URG|TH_PUSH|TH_FIN)) != 0) {
- fin->fin_flx |= FI_BAD;
- }
- }
-
- /*
- * At this point, it's not exactly clear what is to be gained by
- * marking up which TCP options are and are not present. The one we
- * are most interested in is the TCP window scale. This is only in
- * a SYN packet [RFC1323] so we don't need this here...?
- * Now if we were to analyse the header for passive fingerprinting,
- * then that might add some weight to adding this...
- */
- if (tlen == sizeof(tcphdr_t))
- return;
-
- if (frpr_pullup(fin, tlen) == -1)
- return;
-
-#if 0
- ip = fin->fin_ip;
- s = (u_char *)(tcp + 1);
- off = IP_HL(ip) << 2;
-# ifdef _KERNEL
- if (fin->fin_mp != NULL) {
- mb_t *m = *fin->fin_mp;
-
- if (off + tlen > M_LEN(m))
- return;
- }
-# endif
- for (tlen -= (int)sizeof(*tcp); tlen > 0; ) {
- opt = *s;
- if (opt == '\0')
- break;
- else if (opt == TCPOPT_NOP)
- ol = 1;
- else {
- if (tlen < 2)
- break;
- ol = (int)*(s + 1);
- if (ol < 2 || ol > tlen)
- break;
- }
-
- for (i = 9, mv = 4; mv >= 0; ) {
- op = ipopts + i;
- if (opt == (u_char)op->ol_val) {
- optmsk |= op->ol_bit;
- break;
- }
- }
- tlen -= ol;
- s += ol;
- }
-#endif /* 0 */
-}
-
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_udpcommon */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Extract the UDP source and destination ports, if present. If compiled */
-/* with IPFILTER_CKSUM, check to see if the UDP checksum is valid. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_udpcommon(fin)
-fr_info_t *fin;
-{
- udphdr_t *udp;
- fr_ip_t *fi;
-
- fi = &fin->fin_fi;
- fi->fi_flx |= FI_TCPUDP;
-
- if (!fin->fin_off && (fin->fin_dlen > 3)) {
- if (frpr_pullup(fin, sizeof(*udp)) == -1) {
- fi->fi_flx |= FI_SHORT;
- return;
- }
-
- udp = fin->fin_dp;
-
- fin->fin_sport = ntohs(udp->uh_sport);
- fin->fin_dport = ntohs(udp->uh_dport);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_tcp */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv4 Only */
-/* Analyse the packet for IPv4/TCP properties. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_tcp(fin)
-fr_info_t *fin;
-{
-
- fr_checkv4sum(fin);
-
- frpr_short(fin, sizeof(tcphdr_t));
-
- frpr_tcpcommon(fin);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_udp */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv4 Only */
-/* Analyse the packet for IPv4/UDP properties. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_udp(fin)
-fr_info_t *fin;
-{
-
- fr_checkv4sum(fin);
-
- frpr_short(fin, sizeof(udphdr_t));
-
- frpr_udpcommon(fin);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_esp */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Analyse the packet for ESP properties. */
-/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits) */
-/* even though the newer ESP packets must also have a sequence number that */
-/* is 32bits as well, it is not possible(?) to determine the version from a */
-/* simple packet header. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_esp(fin)
-fr_info_t *fin;
-{
- if (frpr_pullup(fin, 8) == -1)
- return;
-
- if (fin->fin_v == 4)
- frpr_short(fin, 8);
-#ifdef USE_INET6
- else if (fin->fin_v == 6)
- frpr_short6(fin, sizeof(grehdr_t));
-#endif
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_gre */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Analyse the packet for GRE properties. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_gre(fin)
-fr_info_t *fin;
-{
- grehdr_t *gre;
-
- if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
- return;
-
- if (fin->fin_v == 4)
- frpr_short(fin, sizeof(grehdr_t));
-#ifdef USE_INET6
- else if (fin->fin_v == 6)
- frpr_short6(fin, sizeof(grehdr_t));
-#endif
- gre = fin->fin_dp;
- if (GRE_REV(gre->gr_flags) == 1)
- fin->fin_data[0] = gre->gr_call;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frpr_ipv4hdr */
-/* Returns: void */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* IPv4 Only */
-/* Analyze the IPv4 header and set fields in the fr_info_t structure. */
-/* Check all options present and flag their presence if any exist. */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_ipv4hdr(fin)
-fr_info_t *fin;
-{
- u_short optmsk = 0, secmsk = 0, auth = 0;
- int hlen, ol, mv, p, i;
- const struct optlist *op;
- u_char *s, opt;
- u_short off;
- fr_ip_t *fi;
- ip_t *ip;
-
- fi = &fin->fin_fi;
- hlen = fin->fin_hlen;
-
- ip = fin->fin_ip;
- p = ip->ip_p;
- fi->fi_p = p;
- fi->fi_tos = ip->ip_tos;
- fin->fin_id = ip->ip_id;
- off = ip->ip_off;
-
- /* Get both TTL and protocol */
- fi->fi_p = ip->ip_p;
- fi->fi_ttl = ip->ip_ttl;
-#if 0
- (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
-#endif
-
- /* Zero out bits not used in IPv6 address */
- fi->fi_src.i6[1] = 0;
- fi->fi_src.i6[2] = 0;
- fi->fi_src.i6[3] = 0;
- fi->fi_dst.i6[1] = 0;
- fi->fi_dst.i6[2] = 0;
- fi->fi_dst.i6[3] = 0;
-
- fi->fi_saddr = ip->ip_src.s_addr;
- fi->fi_daddr = ip->ip_dst.s_addr;
-
- /*
- * set packet attribute flags based on the offset and
- * calculate the byte offset that it represents.
- */
- if ((off & IP_MF) != 0) {
- fi->fi_flx |= FI_FRAG;
- if (fin->fin_dlen == 0)
- fi->fi_flx |= FI_BAD;
- }
-
- off &= IP_MF|IP_OFFMASK;
- if (off != 0) {
- fi->fi_flx |= FI_FRAG;
- off &= IP_OFFMASK;
- if (off != 0) {
- fin->fin_flx |= FI_FRAGBODY;
- off <<= 3;
- if (off + fin->fin_dlen > 0xffff) {
- fi->fi_flx |= FI_BAD;
- }
- }
- }
- fin->fin_off = off;
-
- /*
- * Call per-protocol setup and checking
- */
- switch (p)
- {
- case IPPROTO_UDP :
- frpr_udp(fin);
- break;
- case IPPROTO_TCP :
- frpr_tcp(fin);
- break;
- case IPPROTO_ICMP :
- frpr_icmp(fin);
- break;
- case IPPROTO_ESP :
- frpr_esp(fin);
- break;
- case IPPROTO_GRE :
- frpr_gre(fin);
- break;
- }
-
- ip = fin->fin_ip;
- if (ip == NULL)
- return;
-
- /*
- * If it is a standard IP header (no options), set the flag fields
- * which relate to options to 0.
- */
- if (hlen == sizeof(*ip)) {
- fi->fi_optmsk = 0;
- fi->fi_secmsk = 0;
- fi->fi_auth = 0;
- return;
- }
-
- /*
- * So the IP header has some IP options attached. Walk the entire
- * list of options present with this packet and set flags to indicate
- * which ones are here and which ones are not. For the somewhat out
- * of date and obscure security classification options, set a flag to
- * represent which classification is present.
- */
- fi->fi_flx |= FI_OPTIONS;
-
- for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
- opt = *s;
- if (opt == '\0')
- break;
- else if (opt == IPOPT_NOP)
- ol = 1;
- else {
- if (hlen < 2)
- break;
- ol = (int)*(s + 1);
- if (ol < 2 || ol > hlen)
- break;
- }
- for (i = 9, mv = 4; mv >= 0; ) {
- op = ipopts + i;
- if ((opt == (u_char)op->ol_val) && (ol > 4)) {
- optmsk |= op->ol_bit;
- if (opt == IPOPT_SECURITY) {
- const struct optlist *sp;
- u_char sec;
- int j, m;
-
- sec = *(s + 2); /* classification */
- for (j = 3, m = 2; m >= 0; ) {
- sp = secopt + j;
- if (sec == sp->ol_val) {
- secmsk |= sp->ol_bit;
- auth = *(s + 3);
- auth *= 256;
- auth += *(s + 4);
- break;
- }
- if (sec < sp->ol_val)
- j -= m;
- else
- j += m;
- m--;
- }
- }
- break;
- }
- if (opt < op->ol_val)
- i -= mv;
- else
- i += mv;
- mv--;
- }
- hlen -= ol;
- s += ol;
- }
-
- /*
- *
- */
- if (auth && !(auth & 0x0100))
- auth &= 0xff00;
- fi->fi_optmsk = optmsk;
- fi->fi_secmsk = secmsk;
- fi->fi_auth = auth;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_makefrip */
-/* Returns: void */
-/* Parameters: hlen(I) - length of IP packet header */
-/* ip(I) - pointer to the IP header */
-/* fin(IO) - pointer to packet information */
-/* */
-/* Compact the IP header into a structure which contains just the info. */
-/* which is useful for comparing IP headers with and store this information */
-/* in the fr_info_t structure pointer to by fin. At present, it is assumed */
-/* this function will be called with either an IPv4 or IPv6 packet. */
-/* ------------------------------------------------------------------------ */
-int fr_makefrip(hlen, ip, fin)
-int hlen;
-ip_t *ip;
-fr_info_t *fin;
-{
- int v;
-
- fin->fin_nat = NULL;
- fin->fin_state = NULL;
- fin->fin_depth = 0;
- fin->fin_hlen = (u_short)hlen;
- fin->fin_ip = ip;
- fin->fin_rule = 0xffffffff;
- fin->fin_group[0] = -1;
- fin->fin_group[1] = '\0';
- fin->fin_dlen = fin->fin_plen - hlen;
- fin->fin_dp = (char *)ip + hlen;
-
- v = fin->fin_v;
- if (v == 4)
- frpr_ipv4hdr(fin);
-#ifdef USE_INET6
- else if (v == 6)
- frpr_ipv6hdr(fin);
-#endif
- if (fin->fin_ip == NULL)
- return -1;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_portcheck */
-/* Returns: int - 1 == port matched, 0 == port match failed */
-/* Parameters: frp(I) - pointer to port check `expression' */
-/* pop(I) - pointer to port number to evaluate */
-/* */
-/* Perform a comparison of a port number against some other(s), using a */
-/* structure with compare information stored in it. */
-/* ------------------------------------------------------------------------ */
-static INLINE int fr_portcheck(frp, pop)
-frpcmp_t *frp;
-u_short *pop;
-{
- u_short tup, po;
- int err = 1;
-
- tup = *pop;
- po = frp->frp_port;
-
- /*
- * Do opposite test to that required and continue if that succeeds.
- */
- switch (frp->frp_cmp)
- {
- case FR_EQUAL :
- if (tup != po) /* EQUAL */
- err = 0;
- break;
- case FR_NEQUAL :
- if (tup == po) /* NOTEQUAL */
- err = 0;
- break;
- case FR_LESST :
- if (tup >= po) /* LESSTHAN */
- err = 0;
- break;
- case FR_GREATERT :
- if (tup <= po) /* GREATERTHAN */
- err = 0;
- break;
- case FR_LESSTE :
- if (tup > po) /* LT or EQ */
- err = 0;
- break;
- case FR_GREATERTE :
- if (tup < po) /* GT or EQ */
- err = 0;
- break;
- case FR_OUTRANGE :
- if (tup >= po && tup <= frp->frp_top) /* Out of range */
- err = 0;
- break;
- case FR_INRANGE :
- if (tup <= po || tup >= frp->frp_top) /* In range */
- err = 0;
- break;
- case FR_INCRANGE :
- if (tup < po || tup > frp->frp_top) /* Inclusive range */
- err = 0;
- break;
- default :
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_tcpudpchk */
-/* Returns: int - 1 == protocol matched, 0 == check failed */
-/* Parameters: fin(I) - pointer to packet information */
-/* ft(I) - pointer to structure with comparison data */
-/* */
-/* Compares the current pcket (assuming it is TCP/UDP) information with a */
-/* structure containing information that we want to match against. */
-/* ------------------------------------------------------------------------ */
-int fr_tcpudpchk(fin, ft)
-fr_info_t *fin;
-frtuc_t *ft;
-{
- int err = 1;
-
- /*
- * Both ports should *always* be in the first fragment.
- * So far, I cannot find any cases where they can not be.
- *
- * compare destination ports
- */
- if (ft->ftu_dcmp)
- err = fr_portcheck(&ft->ftu_dst, &fin->fin_dport);
-
- /*
- * compare source ports
- */
- if (err && ft->ftu_scmp)
- err = fr_portcheck(&ft->ftu_src, &fin->fin_sport);
-
- /*
- * If we don't have all the TCP/UDP header, then how can we
- * expect to do any sort of match on it ? If we were looking for
- * TCP flags, then NO match. If not, then match (which should
- * satisfy the "short" class too).
- */
- if (err && (fin->fin_p == IPPROTO_TCP)) {
- if (fin->fin_flx & FI_SHORT)
- return !(ft->ftu_tcpf | ft->ftu_tcpfm);
- /*
- * Match the flags ? If not, abort this match.
- */
- if (ft->ftu_tcpfm &&
- ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
- FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
- ft->ftu_tcpfm, ft->ftu_tcpf));
- err = 0;
- }
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ipfcheck */
-/* Returns: int - 0 == match, 1 == no match */
-/* Parameters: fin(I) - pointer to packet information */
-/* fr(I) - pointer to filter rule */
-/* portcmp(I) - flag indicating whether to attempt matching on */
-/* TCP/UDP port data. */
-/* */
-/* Check to see if a packet matches an IPFilter rule. Checks of addresses, */
-/* port numbers, etc, for "standard" IPFilter rules are all orchestrated in */
-/* this function. */
-/* ------------------------------------------------------------------------ */
-static INLINE int fr_ipfcheck(fin, fr, portcmp)
-fr_info_t *fin;
-frentry_t *fr;
-int portcmp;
-{
- u_32_t *ld, *lm, *lip;
- fripf_t *fri;
- fr_ip_t *fi;
- int i;
-
- fi = &fin->fin_fi;
- fri = fr->fr_ipf;
- lip = (u_32_t *)fi;
- lm = (u_32_t *)&fri->fri_mip;
- ld = (u_32_t *)&fri->fri_ip;
-
- /*
- * first 32 bits to check coversion:
- * IP version, TOS, TTL, protocol
- */
- i = ((*lip & *lm) != *ld);
- FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (i)
- return 1;
-
- /*
- * Next 32 bits is a constructed bitmask indicating which IP options
- * are present (if any) in this packet.
- */
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("1. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (i)
- return 1;
-
- lip++, lm++, ld++;
- /*
- * Unrolled loops (4 each, for 32 bits) for address checks.
- */
- /*
- * Check the source address.
- */
-#ifdef IPFILTER_LOOKUP
- if (fr->fr_satype == FRI_LOOKUP) {
- i = (*fr->fr_srcfunc)(fr->fr_srcptr, fi->fi_v, lip);
- if (i == -1)
- return 1;
- lip += 3;
- lm += 3;
- ld += 3;
- } else {
-#endif
- i = ((*lip & *lm) != *ld);
- FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (fi->fi_v == 6) {
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
-#ifdef IPFILTER_LOOKUP
- }
-#endif
- i ^= (fr->fr_flags & FR_NOTSRCIP) >> 6;
- if (i)
- return 1;
-
- /*
- * Check the destination address.
- */
- lip++, lm++, ld++;
-#ifdef IPFILTER_LOOKUP
- if (fr->fr_datype == FRI_LOOKUP) {
- i = (*fr->fr_dstfunc)(fr->fr_dstptr, fi->fi_v, lip);
- if (i == -1)
- return 1;
- lip += 3;
- lm += 3;
- ld += 3;
- } else {
-#endif
- i = ((*lip & *lm) != *ld);
- FR_DEBUG(("3a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (fi->fi_v == 6) {
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("3b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("3c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("3d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
-#ifdef IPFILTER_LOOKUP
- }
-#endif
- i ^= (fr->fr_flags & FR_NOTDSTIP) >> 7;
- if (i)
- return 1;
- /*
- * IP addresses matched. The next 32bits contains:
- * mast of old IP header security & authentication bits.
- */
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
-
- /*
- * Next we have 32 bits of packet flags.
- */
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("5. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
-
- if (i == 0) {
- /*
- * If a fragment, then only the first has what we're
- * looking for here...
- */
- if (portcmp) {
- if (!fr_tcpudpchk(fin, &fr->fr_tuc))
- i = 1;
- } else {
- if (fr->fr_dcmp || fr->fr_scmp ||
- fr->fr_tcpf || fr->fr_tcpfm)
- i = 1;
- if (fr->fr_icmpm || fr->fr_icmp) {
- if (((fi->fi_p != IPPROTO_ICMP) &&
- (fi->fi_p != IPPROTO_ICMPV6)) ||
- fin->fin_off || (fin->fin_dlen < 2))
- i = 1;
- else if ((fin->fin_data[0] & fr->fr_icmpm) !=
- fr->fr_icmp) {
- FR_DEBUG(("i. %#x & %#x != %#x\n",
- fin->fin_data[0],
- fr->fr_icmpm, fr->fr_icmp));
- i = 1;
- }
- }
- }
- }
- return i;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_scanlist */
-/* Returns: int - result flags of scanning filter list */
-/* Parameters: fin(I) - pointer to packet information */
-/* pass(I) - default result to return for filtering */
-/* */
-/* Check the input/output list of rules for a match to the current packet. */
-/* If a match is found, the value of fr_flags from the rule becomes the */
-/* return value and fin->fin_fr points to the matched rule. */
-/* */
-/* This function may be called recusively upto 16 times (limit inbuilt.) */
-/* When unwinding, it should finish up with fin_depth as 0. */
-/* */
-/* Could be per interface, but this gets real nasty when you don't have, */
-/* or can't easily change, the kernel source code to . */
-/* ------------------------------------------------------------------------ */
-int fr_scanlist(fin, pass)
-fr_info_t *fin;
-u_32_t pass;
-{
- int rulen, portcmp, off, logged, skip;
- struct frentry *fr, *fnext;
- u_32_t passt;
-
- /*
- * Do not allow nesting deeper than 16 levels.
- */
- if (fin->fin_depth >= 16)
- return pass;
-
- fr = fin->fin_fr;
-
- /*
- * If there are no rules in this list, return now.
- */
- if (fr == NULL)
- return pass;
-
- skip = 0;
- logged = 0;
- portcmp = 0;
- fin->fin_depth++;
- fin->fin_fr = NULL;
- off = fin->fin_off;
-
- if ((fin->fin_flx & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
- portcmp = 1;
-
- for (rulen = 0; fr; fr = fnext, rulen++) {
- fnext = fr->fr_next;
- if (skip != 0) {
- FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
- skip--;
- continue;
- }
-
- /*
- * In all checks below, a null (zero) value in the
- * filter struture is taken to mean a wildcard.
- *
- * check that we are working for the right interface
- */
-#ifdef _KERNEL
- if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
- continue;
-#else
- if (opts & (OPT_VERBOSE|OPT_DEBUG))
- printf("\n");
- FR_VERBOSE(("%c", FR_ISSKIP(pass) ? 's' :
- FR_ISPASS(pass) ? 'p' :
- FR_ISACCOUNT(pass) ? 'A' :
- FR_ISAUTH(pass) ? 'a' :
- (pass & FR_NOMATCH) ? 'n' :'b'));
- if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
- continue;
- FR_VERBOSE((":i"));
-#endif
-
- switch (fr->fr_type)
- {
- case FR_T_IPF :
- case FR_T_IPF|FR_T_BUILTIN :
- if (fr_ipfcheck(fin, fr, portcmp))
- continue;
- break;
-#if defined(IPFILTER_BPF)
- case FR_T_BPFOPC :
- case FR_T_BPFOPC|FR_T_BUILTIN :
- {
- u_char *mc;
- int wlen;
-
- if (*fin->fin_mp == NULL)
- continue;
- if (fin->fin_v != fr->fr_v)
- continue;
- mc = (u_char *)fin->fin_m;
- wlen = fin->fin_dlen + fin->fin_hlen;
- if (!bpf_filter(fr->fr_data, mc, wlen, 0))
- continue;
- break;
- }
-#endif
- case FR_T_CALLFUNC|FR_T_BUILTIN :
- {
- frentry_t *f;
-
- f = (*fr->fr_func)(fin, &pass);
- if (f != NULL)
- fr = f;
- else
- continue;
- break;
- }
- default :
- break;
- }
-
- if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
- if (fin->fin_nattag == NULL)
- continue;
- if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) == 0)
- continue;
- }
- FR_VERBOSE(("=%s.%d *", fr->fr_group, rulen));
-
- passt = fr->fr_flags;
-
- /*
- * Allowing a rule with the "keep state" flag set to match
- * packets that have been tagged "out of window" by the TCP
- * state tracking is foolish as the attempt to add a new
- * state entry to the table will fail.
- */
- if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
- continue;
-
- /*
- * If the rule is a "call now" rule, then call the function
- * in the rule, if it exists and use the results from that.
- * If the function pointer is bad, just make like we ignore
- * it, except for increasing the hit counter.
- */
- if ((passt & FR_CALLNOW) != 0) {
- ATOMIC_INC64(fr->fr_hits);
- if ((fr->fr_func != NULL) &&
- (fr->fr_func != (ipfunc_t)-1)) {
- frentry_t *frs;
-
- frs = fin->fin_fr;
- fin->fin_fr = fr;
- fr = (*fr->fr_func)(fin, &passt);
- if (fr == NULL) {
- fin->fin_fr = frs;
- continue;
- }
- passt = fr->fr_flags;
- fin->fin_fr = fr;
- }
- } else {
- fin->fin_fr = fr;
- }
-
-#ifdef IPFILTER_LOG
- /*
- * Just log this packet...
- */
- if ((passt & FR_LOGMASK) == FR_LOG) {
- if (ipflog(fin, passt) == -1) {
- if (passt & FR_LOGORBLOCK) {
- passt &= ~FR_CMDMASK;
- passt |= FR_BLOCK|FR_QUICK;
- }
- ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
- }
- ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
- logged = 1;
- }
-#endif /* IPFILTER_LOG */
- fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
- if (FR_ISSKIP(passt))
- skip = fr->fr_arg;
- else if ((passt & FR_LOGMASK) != FR_LOG)
- pass = passt;
- if (passt & (FR_RETICMP|FR_FAKEICMP))
- fin->fin_icode = fr->fr_icode;
- FR_DEBUG(("pass %#x\n", pass));
- ATOMIC_INC64(fr->fr_hits);
- fin->fin_rule = rulen;
- (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
- if (fr->fr_grp != NULL) {
- fin->fin_fr = *fr->fr_grp;
- pass = fr_scanlist(fin, pass);
- if (fin->fin_fr == NULL) {
- fin->fin_rule = rulen;
- (void) strncpy(fin->fin_group, fr->fr_group,
- FR_GROUPLEN);
- fin->fin_fr = fr;
- }
- if (fin->fin_flx & FI_DONTCACHE)
- logged = 1;
- }
- if (pass & FR_QUICK)
- break;
- }
- if (logged)
- fin->fin_flx |= FI_DONTCACHE;
- fin->fin_depth--;
- return pass;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_acctpkt */
-/* Returns: frentry_t* - always returns NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(IO) - pointer to current/new filter decision (unused) */
-/* */
-/* Checks a packet against accounting rules, if there are any for the given */
-/* IP protocol version. */
-/* */
-/* N.B.: this function returns NULL to match the prototype used by other */
-/* functions called from the IPFilter "mainline" in fr_check(). */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_acctpkt(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- char group[FR_GROUPLEN];
- frentry_t *fr, *frsave;
- u_32_t pass, rulen;
-
- passp = passp;
-#ifdef USE_INET6
- if (fin->fin_v == 6)
- fr = ipacct6[fin->fin_out][fr_active];
- else
-#endif
- fr = ipacct[fin->fin_out][fr_active];
-
- if (fr != NULL) {
- frsave = fin->fin_fr;
- bcopy(fin->fin_group, group, FR_GROUPLEN);
- rulen = fin->fin_rule;
- fin->fin_fr = fr;
- pass = fr_scanlist(fin, FR_NOMATCH);
- if (FR_ISACCOUNT(pass)) {
- ATOMIC_INCL(frstats[0].fr_acct);
- }
- fin->fin_fr = frsave;
- bcopy(group, fin->fin_group, FR_GROUPLEN);
- fin->fin_rule = rulen;
- }
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_firewall */
-/* Returns: frentry_t* - returns pointer to matched rule, if no matches */
-/* were found, returns NULL. */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(IO) - pointer to current/new filter decision (unused) */
-/* */
-/* Applies an appropriate set of firewall rules to the packet, to see if */
-/* there are any matches. The first check is to see if a match can be seen */
-/* in the cache. If not, then search an appropriate list of rules. Once a */
-/* matching rule is found, take any appropriate actions as defined by the */
-/* rule - except logging. */
-/* ------------------------------------------------------------------------ */
-static frentry_t *fr_firewall(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- frentry_t *fr;
- fr_info_t *fc;
- u_32_t pass;
- int out;
-
- out = fin->fin_out;
- pass = *passp;
-
- /*
- * If a packet is found in the auth table, then skip checking
- * the access lists for permission but we do need to consider
- * the result as if it were from the ACL's.
- */
- fc = &frcache[out][CACHE_HASH(fin)];
- if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
- /*
- * copy cached data so we can unlock the mutex
- * earlier.
- */
- bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
- ATOMIC_INCL(frstats[out].fr_chit);
- if ((fr = fin->fin_fr) != NULL) {
- ATOMIC_INC64(fr->fr_hits);
- pass = fr->fr_flags;
- }
- } else {
-#ifdef USE_INET6
- if (fin->fin_v == 6)
- fin->fin_fr = ipfilter6[out][fr_active];
- else
-#endif
- fin->fin_fr = ipfilter[out][fr_active];
- if (fin->fin_fr != NULL)
- pass = fr_scanlist(fin, fr_pass);
- if (((pass & FR_KEEPSTATE) == 0) &&
- ((fin->fin_flx & FI_DONTCACHE) == 0))
- bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
- if ((pass & FR_NOMATCH)) {
- ATOMIC_INCL(frstats[out].fr_nom);
- }
- fr = fin->fin_fr;
- }
-
- /*
- * Apply packets per second rate-limiting to a rule as required.
- */
- if ((fr != NULL) && (fr->fr_pps != 0) &&
- !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
- pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
- pass |= FR_BLOCK;
- ATOMIC_INCL(frstats[out].fr_ppshit);
- }
-
- /*
- * If we fail to add a packet to the authorization queue, then we
- * drop the packet later. However, if it was added then pretend
- * we've dropped it already.
- */
- if (FR_ISAUTH(pass)) {
- if (fr_newauth(fin->fin_m, fin) != 0) {
-#ifdef _KERNEL
- fin->fin_m = *fin->fin_mp = NULL;
-#else
- ;
-#endif
- fin->fin_error = 0;
- } else
- fin->fin_error = ENOSPC;
- }
-
- if ((fr != NULL) && (fr->fr_func != NULL) &&
- (fr->fr_func != (ipfunc_t)-1) && !(pass & FR_CALLNOW))
- (void) (*fr->fr_func)(fin, &pass);
-
- /*
- * If a rule is a pre-auth rule, check again in the list of rules
- * loaded for authenticated use. It does not particulary matter
- * if this search fails because a "preauth" result, from a rule,
- * is treated as "not a pass", hence the packet is blocked.
- */
- if (FR_ISPREAUTH(pass)) {
- if ((fin->fin_fr = ipauth) != NULL)
- pass = fr_scanlist(fin, fr_pass);
- }
-
- /*
- * If the rule has "keep frag" and the packet is actually a fragment,
- * then create a fragment state entry.
- */
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
- if (fin->fin_flx & FI_FRAG) {
- if (fr_newfrag(fin, pass) == -1) {
- ATOMIC_INCL(frstats[out].fr_bnfr);
- } else {
- ATOMIC_INCL(frstats[out].fr_nfr);
- }
- } else {
- ATOMIC_INCL(frstats[out].fr_cfr);
- }
- }
-
- /*
- * Finally, if we've asked to track state for this packet, set it up.
- */
- if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
- if (fr_addstate(fin, NULL, 0) != NULL) {
- ATOMIC_INCL(frstats[out].fr_ads);
- } else {
- ATOMIC_INCL(frstats[out].fr_bads);
- if (FR_ISPASS(pass)) {
- pass &= ~FR_CMDMASK;
- pass |= FR_BLOCK;
- }
- }
- }
-
- fr = fin->fin_fr;
-
- if (passp != NULL)
- *passp = pass;
-
- return fr;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_check */
-/* Returns: int - 0 == packet allowed through, */
-/* User space: */
-/* -1 == packet blocked */
-/* 1 == packet not matched */
-/* -2 == requires authantication */
-/* Kernel: */
-/* > 0 == filter error # for packet */
-/* Parameters: ip(I) - pointer to start of IPv4/6 packet */
-/* hlen(I) - length of header */
-/* ifp(I) - pointer to interface this packet is on */
-/* out(I) - 0 == packet going in, 1 == packet going out */
-/* mp(IO) - pointer to caller's buffer pointer that holds this */
-/* IP packet. */
-/* Solaris & HP-UX ONLY : */
-/* qpi(I) - pointer to STREAMS queue information for this */
-/* interface & direction. */
-/* */
-/* fr_check() is the master function for all IPFilter packet processing. */
-/* It orchestrates: Network Address Translation (NAT), checking for packet */
-/* authorisation (or pre-authorisation), presence of related state info., */
-/* generating log entries, IP packet accounting, routing of packets as */
-/* directed by firewall rules and of course whether or not to allow the */
-/* packet to be further processed by the kernel. */
-/* */
-/* For packets blocked, the contents of "mp" will be NULL'd and the buffer */
-/* freed. Packets passed may be returned with the pointer pointed to by */
-/* by "mp" changed to a new buffer. */
-/* ------------------------------------------------------------------------ */
-int fr_check(ip, hlen, ifp, out
-#if defined(_KERNEL) && defined(MENTAT)
-, qif, mp)
-void *qif;
-#else
-, mp)
-#endif
-mb_t **mp;
-ip_t *ip;
-int hlen;
-void *ifp;
-int out;
-{
- /*
- * The above really sucks, but short of writing a diff
- */
- fr_info_t frinfo;
- fr_info_t *fin = &frinfo;
- u_32_t pass = fr_pass;
- frentry_t *fr = NULL;
- int v = IP_V(ip);
- mb_t *mc = NULL;
- mb_t *m;
-#ifdef USE_INET6
- ip6_t *ip6;
-#endif
-
- /*
- * The first part of fr_check() deals with making sure that what goes
- * into the filtering engine makes some sense. Information about the
- * the packet is distilled, collected into a fr_info_t structure and
- * the an attempt to ensure the buffer the packet is in is big enough
- * to hold all the required packet headers.
- */
-#ifdef _KERNEL
-# ifdef MENTAT
- qpktinfo_t *qpi = qif;
-
- if ((u_int)ip & 0x3)
- return 2;
-# endif
-
- READ_ENTER(&ipf_global);
-
- if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_global);
- return 0;
- }
-
- bzero((char *)fin, sizeof(*fin));
-
-# ifdef MENTAT
- if (qpi->qpi_flags & QF_GROUP)
- fin->fin_flx |= FI_MBCAST;
- m = qpi->qpi_m;
- fin->fin_qfm = m;
- fin->fin_qpi = qpi;
-# else /* MENTAT */
-
- m = *mp;
-
-# if defined(M_MCAST)
- if ((m->m_flags & M_MCAST) != 0)
- fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
-# endif
-# if defined(M_BCAST)
- if ((m->m_flags & M_BCAST) != 0)
- fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
-# endif
-# ifdef M_CANFASTFWD
- /*
- * XXX For now, IP Filter and fast-forwarding of cached flows
- * XXX are mutually exclusive. Eventually, IP Filter should
- * XXX get a "can-fast-forward" filter rule.
- */
- m->m_flags &= ~M_CANFASTFWD;
-# endif /* M_CANFASTFWD */
-# ifdef CSUM_DELAY_DATA
- /*
- * disable delayed checksums.
- */
- if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(m);
- m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-# endif /* CSUM_DELAY_DATA */
-# endif /* MENTAT */
-#else
- READ_ENTER(&ipf_global);
-
- bzero((char *)fin, sizeof(*fin));
- m = *mp;
-#endif /* _KERNEL */
-
- fin->fin_v = v;
- fin->fin_m = m;
- fin->fin_ip = ip;
- fin->fin_mp = mp;
- fin->fin_out = out;
- fin->fin_ifp = ifp;
- fin->fin_error = ENETUNREACH;
- fin->fin_hlen = (u_short )hlen;
- fin->fin_dp = (char *)ip + hlen;
-
- fin->fin_ipoff = (char *)ip - MTOD(m, char *);
-
-#ifdef USE_INET6
- if (v == 6) {
- ATOMIC_INCL(frstats[out].fr_ipv6);
- /*
- * Jumbo grams are quite likely too big for internal buffer
- * structures to handle comfortably, for now, so just drop
- * them.
- */
- ip6 = (ip6_t *)ip;
- fin->fin_plen = ntohs(ip6->ip6_plen);
- if (fin->fin_plen == 0) {
- pass = FR_BLOCK|FR_NOMATCH;
- goto filtered;
- }
- fin->fin_plen += sizeof(ip6_t);
- } else
-#endif
- {
-#if (OpenBSD >= 200311) && defined(_KERNEL)
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
-#endif
- fin->fin_plen = ip->ip_len;
- }
-
- if (fr_makefrip(hlen, ip, fin) == -1)
- goto finished;
-
- /*
- * For at least IPv6 packets, if a m_pullup() fails then this pointer
- * becomes NULL and so we have no packet to free.
- */
- if (*fin->fin_mp == NULL)
- goto finished;
-
- if (!out) {
- if (v == 4) {
-#ifdef _KERNEL
- if (fr_chksrc && !fr_verifysrc(fin)) {
- ATOMIC_INCL(frstats[0].fr_badsrc);
- fin->fin_flx |= FI_BADSRC;
- }
-#endif
- if (fin->fin_ip->ip_ttl < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- fin->fin_flx |= FI_LOWTTL;
- }
- }
-#ifdef USE_INET6
- else if (v == 6) {
- ip6 = (ip6_t *)ip;
- if (ip6->ip6_hlim < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- fin->fin_flx |= FI_LOWTTL;
- }
- }
-#endif
- }
-
- if (fin->fin_flx & FI_SHORT) {
- ATOMIC_INCL(frstats[out].fr_short);
- }
-
- READ_ENTER(&ipf_mutex);
-
- /*
- * Check auth now. This, combined with the check below to see if apass
- * is 0 is to ensure that we don't count the packet twice, which can
- * otherwise occur when we reprocess it. As it is, we only count it
- * after it has no auth. table matchup. This also stops NAT from
- * occuring until after the packet has been auth'd.
- */
- fr = fr_checkauth(fin, &pass);
- if (!out) {
- if (fr_checknatin(fin, &pass) == -1) {
- RWLOCK_EXIT(&ipf_mutex);
- goto finished;
- }
- }
- if (!out)
- (void) fr_acctpkt(fin, NULL);
-
- if (fr == NULL)
- if ((fin->fin_flx & (FI_FRAG|FI_BAD)) == FI_FRAG)
- fr = fr_knownfrag(fin, &pass);
- if (fr == NULL)
- fr = fr_checkstate(fin, &pass);
-
- if ((pass & FR_NOMATCH) || (fr == NULL))
- fr = fr_firewall(fin, &pass);
-
- fin->fin_fr = fr;
-
- /*
- * Only count/translate packets which will be passed on, out the
- * interface.
- */
- if (out && FR_ISPASS(pass)) {
- (void) fr_acctpkt(fin, NULL);
-
- if (fr_checknatout(fin, &pass) == -1) {
- RWLOCK_EXIT(&ipf_mutex);
- goto finished;
- } else if ((fr_update_ipid != 0) && (v == 4)) {
- if (fr_updateipid(fin) == -1) {
- ATOMIC_INCL(frstats[1].fr_ipud);
- pass &= ~FR_CMDMASK;
- pass |= FR_BLOCK;
- } else {
- ATOMIC_INCL(frstats[0].fr_ipud);
- }
- }
- }
-
-#ifdef IPFILTER_LOG
- if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
- (void) fr_dolog(fin, &pass);
- }
-#endif
-
- if (fin->fin_state != NULL)
- fr_statederef(fin, (ipstate_t **)&fin->fin_state);
-
- if (fin->fin_nat != NULL)
- fr_natderef((nat_t **)&fin->fin_nat);
-
- /*
- * Only allow FR_DUP to work if a rule matched - it makes no sense to
- * set FR_DUP as a "default" as there are no instructions about where
- * to send the packet. Use fin_m here because it may have changed
- * (without an update of 'm') in prior processing.
- */
- if ((fr != NULL) && (pass & FR_DUP)) {
- mc = M_DUPLICATE(fin->fin_m);
- }
-
- if (pass & (FR_RETRST|FR_RETICMP)) {
- /*
- * Should we return an ICMP packet to indicate error
- * status passing through the packet filter ?
- * WARNING: ICMP error packets AND TCP RST packets should
- * ONLY be sent in repsonse to incoming packets. Sending them
- * in response to outbound packets can result in a panic on
- * some operating systems.
- */
- if (!out) {
- if (pass & FR_RETICMP) {
- int dst;
-
- if ((pass & FR_RETMASK) == FR_FAKEICMP)
- dst = 1;
- else
- dst = 0;
- (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
- ATOMIC_INCL(frstats[0].fr_ret);
- } else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_flx & FI_SHORT)) {
- if (fr_send_reset(fin) == 0) {
- ATOMIC_INCL(frstats[1].fr_ret);
- }
- }
- } else {
- if (pass & FR_RETRST)
- fin->fin_error = ECONNRESET;
- }
- }
-
- /*
- * If we didn't drop off the bottom of the list of rules (and thus
- * the 'current' rule fr is not NULL), then we may have some extra
- * instructions about what to do with a packet.
- * Once we're finished return to our caller, freeing the packet if
- * we are dropping it (* BSD ONLY *).
- * Reassign m from fin_m as we may have a new buffer, now.
- */
-#if defined(USE_INET6) || (defined(__sgi) && defined(_KERNEL))
-filtered:
-#endif
- m = fin->fin_m;
-
- if (fr != NULL) {
- frdest_t *fdp;
-
- fdp = &fr->fr_tifs[fin->fin_rev];
-
- if (!out && (pass & FR_FASTROUTE)) {
- /*
- * For fastroute rule, no destioation interface defined
- * so pass NULL as the frdest_t parameter
- */
- (void) fr_fastroute(m, mp, fin, NULL);
- m = *mp = NULL;
- } else if ((fdp->fd_ifp != NULL) &&
- (fdp->fd_ifp != (struct ifnet *)-1)) {
- /* this is for to rules: */
- (void) fr_fastroute(m, mp, fin, fdp);
- m = *mp = NULL;
- }
-
- /*
- * Generate a duplicated packet.
- */
- if (mc != NULL)
- (void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
- }
-
- /*
- * This late because the likes of fr_fastroute() use fin_fr.
- */
- RWLOCK_EXIT(&ipf_mutex);
-
-finished:
- if (!FR_ISPASS(pass)) {
- ATOMIC_INCL(frstats[out].fr_block);
- if (*mp != NULL) {
- FREE_MB_T(*mp);
- m = *mp = NULL;
- }
- } else {
- ATOMIC_INCL(frstats[out].fr_pass);
-#if defined(_KERNEL) && defined(__sgi)
- if ((fin->fin_hbuf != NULL) &&
- (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
- COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
- }
-#endif
- }
-
- RWLOCK_EXIT(&ipf_global);
-#ifdef _KERNEL
-# if OpenBSD >= 200311
- if (FR_ISPASS(pass) && (v == 4)) {
- ip = fin->fin_ip;
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
- }
-# endif
- return (FR_ISPASS(pass)) ? 0 : fin->fin_error;
-#else /* _KERNEL */
- FR_VERBOSE(("fin_flx %#x pass %#x ", fin->fin_flx, pass));
- if ((pass & FR_NOMATCH) != 0)
- return 1;
-
- if ((pass & FR_RETMASK) != 0)
- switch (pass & FR_RETMASK)
- {
- case FR_RETRST :
- return 3;
- case FR_RETICMP :
- return 4;
- case FR_FAKEICMP :
- return 5;
- }
-
- switch (pass & FR_CMDMASK)
- {
- case FR_PASS :
- return 0;
- case FR_BLOCK :
- return -1;
- case FR_AUTH :
- return -2;
- case FR_ACCOUNT :
- return -3;
- case FR_PREAUTH :
- return -4;
- }
- return 2;
-#endif /* _KERNEL */
-}
-
-
-#ifdef IPFILTER_LOG
-/* ------------------------------------------------------------------------ */
-/* Function: fr_dolog */
-/* Returns: frentry_t* - returns contents of fin_fr (no change made) */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(IO) - pointer to current/new filter decision (unused) */
-/* */
-/* Checks flags set to see how a packet should be logged, if it is to be */
-/* logged. Adjust statistics based on its success or not. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_dolog(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- u_32_t pass;
- int out;
-
- out = fin->fin_out;
- pass = *passp;
-
- if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
- pass |= FF_LOGNOMATCH;
- ATOMIC_INCL(frstats[out].fr_npkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
- (FR_ISPASS(pass) && (fr_flags & FF_LOGPASS))) {
- if ((pass & FR_LOGMASK) != FR_LOGP)
- pass |= FF_LOGPASS;
- ATOMIC_INCL(frstats[out].fr_ppkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
- (FR_ISBLOCK(pass) && (fr_flags & FF_LOGBLOCK))) {
- if ((pass & FR_LOGMASK) != FR_LOGB)
- pass |= FF_LOGBLOCK;
- ATOMIC_INCL(frstats[out].fr_bpkl);
-logit:
- if (ipflog(fin, pass) == -1) {
- ATOMIC_INCL(frstats[out].fr_skip);
-
- /*
- * If the "or-block" option has been used then
- * block the packet if we failed to log it.
- */
- if ((pass & FR_LOGORBLOCK) &&
- FR_ISPASS(pass)) {
- pass &= ~FR_CMDMASK;
- pass |= FR_BLOCK;
- }
- }
- *passp = pass;
- }
-
- return fin->fin_fr;
-}
-#endif /* IPFILTER_LOG */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipf_cksum */
-/* Returns: u_short - IP header checksum */
-/* Parameters: addr(I) - pointer to start of buffer to checksum */
-/* len(I) - length of buffer in bytes */
-/* */
-/* Calculate the two's complement 16 bit checksum of the buffer passed. */
-/* */
-/* N.B.: addr should be 16bit aligned. */
-/* ------------------------------------------------------------------------ */
-u_short ipf_cksum(addr, len)
-u_short *addr;
-int len;
-{
- u_32_t sum = 0;
-
- for (sum = 0; len > 1; len -= 2)
- sum += *addr++;
-
- /* mop up an odd byte, if necessary */
- if (len == 1)
- sum += *(u_char *)addr;
-
- /*
- * add back carry outs from top 16 bits to low 16 bits
- */
- sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
- sum += (sum >> 16); /* add carry */
- return (u_short)(~sum);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_cksum */
-/* Returns: u_short - layer 4 checksum */
-/* Parameters: m(I ) - pointer to buffer holding packet */
-/* ip(I) - pointer to IP header */
-/* l4proto(I) - protocol to caclulate checksum for */
-/* l4hdr(I) - pointer to layer 4 header */
-/* */
-/* Calculates the TCP checksum for the packet held in "m", using the data */
-/* in the IP header "ip" to seed it. */
-/* */
-/* NB: This function assumes we've pullup'd enough for all of the IP header */
-/* and the TCP header. We also assume that data blocks aren't allocated in */
-/* odd sizes. */
-/* */
-/* Expects ip_len to be in host byte order when called. */
-/* ------------------------------------------------------------------------ */
-u_short fr_cksum(m, ip, l4proto, l4hdr)
-mb_t *m;
-ip_t *ip;
-int l4proto;
-void *l4hdr;
-{
- u_short *sp, slen, sumsave, l4hlen, *csump;
- u_int sum, sum2;
- int hlen;
-#ifdef USE_INET6
- ip6_t *ip6;
-#endif
-
- csump = NULL;
- sumsave = 0;
- l4hlen = 0;
- sp = NULL;
- slen = 0;
- hlen = 0;
- sum = 0;
-
- /*
- * Add up IP Header portion
- */
-#ifdef USE_INET6
- if (IP_V(ip) == 4) {
-#endif
- hlen = IP_HL(ip) << 2;
- slen = ip->ip_len - hlen;
- sum = htons((u_short)l4proto);
- sum += htons(slen);
- sp = (u_short *)&ip->ip_src;
- sum += *sp++; /* ip_src */
- sum += *sp++;
- sum += *sp++; /* ip_dst */
- sum += *sp++;
-#ifdef USE_INET6
- } else if (IP_V(ip) == 6) {
- ip6 = (ip6_t *)ip;
- hlen = sizeof(*ip6);
- slen = ntohs(ip6->ip6_plen);
- sum = htons((u_short)l4proto);
- sum += htons(slen);
- sp = (u_short *)&ip6->ip6_src;
- sum += *sp++; /* ip6_src */
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++; /* ip6_dst */
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- sum += *sp++;
- }
-#endif
-
- switch (l4proto)
- {
- case IPPROTO_UDP :
- csump = &((udphdr_t *)l4hdr)->uh_sum;
- l4hlen = sizeof(udphdr_t);
- break;
-
- case IPPROTO_TCP :
- csump = &((tcphdr_t *)l4hdr)->th_sum;
- l4hlen = sizeof(tcphdr_t);
- break;
- case IPPROTO_ICMP :
- csump = &((icmphdr_t *)l4hdr)->icmp_cksum;
- l4hlen = 4;
- sum = 0;
- break;
- default :
- break;
- }
-
- if (csump != NULL) {
- sumsave = *csump;
- *csump = 0;
- }
-
- l4hlen = l4hlen; /* LINT */
-
-#ifdef _KERNEL
-# ifdef MENTAT
- {
- void *rp = m->b_rptr;
-
- if ((unsigned char *)ip > m->b_rptr && (unsigned char *)ip < m->b_wptr)
- m->b_rptr = (u_char *)ip;
- sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
- m->b_rptr = rp;
- sum2 = (u_short)(~sum2 & 0xffff);
- }
-# else /* MENTAT */
-# if defined(BSD) || defined(sun)
-# if BSD >= 199103
- m->m_data += hlen;
-# else
- m->m_off += hlen;
-# endif
- m->m_len -= hlen;
- sum2 = in_cksum(m, slen);
- m->m_len += hlen;
-# if BSD >= 199103
- m->m_data -= hlen;
-# else
- m->m_off -= hlen;
-# endif
- /*
- * Both sum and sum2 are partial sums, so combine them together.
- */
- sum += ~sum2 & 0xffff;
- while (sum > 0xffff)
- sum = (sum & 0xffff) + (sum >> 16);
- sum2 = ~sum & 0xffff;
-# else /* defined(BSD) || defined(sun) */
-{
- union {
- u_char c[2];
- u_short s;
- } bytes;
- u_short len = ip->ip_len;
-# if defined(__sgi)
- int add;
-# endif
-
- /*
- * Add up IP Header portion
- */
- if (sp != (u_short *)l4hdr)
- sp = (u_short *)l4hdr;
-
- switch (l4proto)
- {
- case IPPROTO_UDP :
- sum += *sp++; /* sport */
- sum += *sp++; /* dport */
- sum += *sp++; /* udp length */
- sum += *sp++; /* checksum */
- break;
-
- case IPPROTO_TCP :
- sum += *sp++; /* sport */
- sum += *sp++; /* dport */
- sum += *sp++; /* seq */
- sum += *sp++;
- sum += *sp++; /* ack */
- sum += *sp++;
- sum += *sp++; /* off */
- sum += *sp++; /* win */
- sum += *sp++; /* checksum */
- sum += *sp++; /* urp */
- break;
- case IPPROTO_ICMP :
- sum = *sp++; /* type/code */
- sum += *sp++; /* checksum */
- break;
- }
-
-# ifdef __sgi
- /*
- * In case we had to copy the IP & TCP header out of mbufs,
- * skip over the mbuf bits which are the header
- */
- if ((caddr_t)ip != mtod(m, caddr_t)) {
- hlen = (caddr_t)sp - (caddr_t)ip;
- while (hlen) {
- add = MIN(hlen, m->m_len);
- sp = (u_short *)(mtod(m, caddr_t) + add);
- hlen -= add;
- if (add == m->m_len) {
- m = m->m_next;
- if (!hlen) {
- if (!m)
- break;
- sp = mtod(m, u_short *);
- }
- PANIC((!m),("fr_cksum(1): not enough data"));
- }
- }
- }
-# endif
-
- len -= (l4hlen + hlen);
- if (len <= 0)
- goto nodata;
-
- while (len > 1) {
- if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
- m = m->m_next;
- PANIC((!m),("fr_cksum(2): not enough data"));
- sp = mtod(m, u_short *);
- }
- if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
- bytes.c[0] = *(u_char *)sp;
- m = m->m_next;
- PANIC((!m),("fr_cksum(3): not enough data"));
- sp = mtod(m, u_short *);
- bytes.c[1] = *(u_char *)sp;
- sum += bytes.s;
- sp = (u_short *)((u_char *)sp + 1);
- }
- if ((u_long)sp & 1) {
- bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
- sum += bytes.s;
- } else
- sum += *sp++;
- len -= 2;
- }
-
- if (len != 0)
- sum += ntohs(*(u_char *)sp << 8);
-nodata:
- while (sum > 0xffff)
- sum = (sum & 0xffff) + (sum >> 16);
- sum2 = (u_short)(~sum & 0xffff);
-}
-# endif /* defined(BSD) || defined(sun) */
-# endif /* MENTAT */
-#else /* _KERNEL */
- for (; slen > 1; slen -= 2)
- sum += *sp++;
- if (slen)
- sum += ntohs(*(u_char *)sp << 8);
- while (sum > 0xffff)
- sum = (sum & 0xffff) + (sum >> 16);
- sum2 = (u_short)(~sum & 0xffff);
-#endif /* _KERNEL */
- if (csump != NULL)
- *csump = sumsave;
- return sum2;
-}
-
-
-#if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
- defined(__sgi) ) && !defined(linux)
-/*
- * Copyright (c) 1982, 1986, 1988, 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp
- */
-/*
- * Copy data from an mbuf chain starting "off" bytes from the beginning,
- * continuing for "len" bytes, into the indicated buffer.
- */
-void
-m_copydata(m, off, len, cp)
- mb_t *m;
- int off;
- int len;
- caddr_t cp;
-{
- unsigned count;
-
- if (off < 0 || len < 0)
- panic("m_copydata");
- while (off > 0) {
- if (m == 0)
- panic("m_copydata");
- if (off < m->m_len)
- break;
- off -= m->m_len;
- m = m->m_next;
- }
- while (len > 0) {
- if (m == 0)
- panic("m_copydata");
- count = MIN(m->m_len - off, len);
- bcopy(mtod(m, caddr_t) + off, cp, count);
- len -= count;
- cp += count;
- off = 0;
- m = m->m_next;
- }
-}
-
-
-/*
- * Copy data from a buffer back into the indicated mbuf chain,
- * starting "off" bytes from the beginning, extending the mbuf
- * chain if necessary.
- */
-void
-m_copyback(m0, off, len, cp)
- struct mbuf *m0;
- int off;
- int len;
- caddr_t cp;
-{
- int mlen;
- struct mbuf *m = m0, *n;
- int totlen = 0;
-
- if (m0 == 0)
- return;
- while (off > (mlen = m->m_len)) {
- off -= mlen;
- totlen += mlen;
- if (m->m_next == 0) {
- n = m_getclr(M_DONTWAIT, m->m_type);
- if (n == 0)
- goto out;
- n->m_len = min(MLEN, len + off);
- m->m_next = n;
- }
- m = m->m_next;
- }
- while (len > 0) {
- mlen = min (m->m_len - off, len);
- bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
- cp += mlen;
- len -= mlen;
- mlen += off;
- off = 0;
- totlen += mlen;
- if (len == 0)
- break;
- if (m->m_next == 0) {
- n = m_get(M_DONTWAIT, m->m_type);
- if (n == 0)
- break;
- n->m_len = min(MLEN, len);
- m->m_next = n;
- }
- m = m->m_next;
- }
-out:
-#if 0
- if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
- m->m_pkthdr.len = totlen;
-#endif
- return;
-}
-#endif /* (_KERNEL) && ( ((BSD < 199103) && !MENTAT) || __sgi) */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_findgroup */
-/* Returns: frgroup_t * - NULL = group not found, else pointer to group */
-/* Parameters: group(I) - group name to search for */
-/* unit(I) - device to which this group belongs */
-/* set(I) - which set of rules (inactive/inactive) this is */
-/* fgpp(O) - pointer to place to store pointer to the pointer */
-/* to where to add the next (last) group or where */
-/* to delete group from. */
-/* */
-/* Search amongst the defined groups for a particular group number. */
-/* ------------------------------------------------------------------------ */
-frgroup_t *fr_findgroup(group, unit, set, fgpp)
-char *group;
-minor_t unit;
-int set;
-frgroup_t ***fgpp;
-{
- frgroup_t *fg, **fgp;
-
- /*
- * Which list of groups to search in is dependant on which list of
- * rules are being operated on.
- */
- fgp = &ipfgroups[unit][set];
-
- while ((fg = *fgp) != NULL) {
- if (strncmp(group, fg->fg_name, FR_GROUPLEN) == 0)
- break;
- else
- fgp = &fg->fg_next;
- }
- if (fgpp != NULL)
- *fgpp = fgp;
- return fg;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_addgroup */
-/* Returns: frgroup_t * - NULL == did not create group, */
-/* != NULL == pointer to the group */
-/* Parameters: num(I) - group number to add */
-/* head(I) - rule pointer that is using this as the head */
-/* flags(I) - rule flags which describe the type of rule it is */
-/* unit(I) - device to which this group will belong to */
-/* set(I) - which set of rules (inactive/inactive) this is */
-/* Write Locks: ipf_mutex */
-/* */
-/* Add a new group head, or if it already exists, increase the reference */
-/* count to it. */
-/* ------------------------------------------------------------------------ */
-frgroup_t *fr_addgroup(group, head, flags, unit, set)
-char *group;
-void *head;
-u_32_t flags;
-minor_t unit;
-int set;
-{
- frgroup_t *fg, **fgp;
- u_32_t gflags;
-
- if (group == NULL)
- return NULL;
-
- if (unit == IPL_LOGIPF && *group == '\0')
- return NULL;
-
- fgp = NULL;
- gflags = flags & FR_INOUT;
-
- fg = fr_findgroup(group, unit, set, &fgp);
- if (fg != NULL) {
- if (fg->fg_flags == 0)
- fg->fg_flags = gflags;
- else if (gflags != fg->fg_flags)
- return NULL;
- fg->fg_ref++;
- return fg;
- }
- KMALLOC(fg, frgroup_t *);
- if (fg != NULL) {
- fg->fg_head = head;
- fg->fg_start = NULL;
- fg->fg_next = *fgp;
- bcopy(group, fg->fg_name, FR_GROUPLEN);
- fg->fg_flags = gflags;
- fg->fg_ref = 1;
- *fgp = fg;
- }
- return fg;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_delgroup */
-/* Returns: Nil */
-/* Parameters: group(I) - group name to delete */
-/* unit(I) - device to which this group belongs */
-/* set(I) - which set of rules (inactive/inactive) this is */
-/* Write Locks: ipf_mutex */
-/* */
-/* Attempt to delete a group head. */
-/* Only do this when its reference count reaches 0. */
-/* ------------------------------------------------------------------------ */
-void fr_delgroup(group, unit, set)
-char *group;
-minor_t unit;
-int set;
-{
- frgroup_t *fg, **fgp;
-
- fg = fr_findgroup(group, unit, set, &fgp);
- if (fg == NULL)
- return;
-
- fg->fg_ref--;
- if (fg->fg_ref == 0) {
- *fgp = fg->fg_next;
- KFREE(fg);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_getrulen */
-/* Returns: frentry_t * - NULL == not found, else pointer to rule n */
-/* Parameters: unit(I) - device for which to count the rule's number */
-/* flags(I) - which set of rules to find the rule in */
-/* group(I) - group name */
-/* n(I) - rule number to find */
-/* */
-/* Find rule # n in group # g and return a pointer to it. Return NULl if */
-/* group # g doesn't exist or there are less than n rules in the group. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_getrulen(unit, group, n)
-int unit;
-char *group;
-u_32_t n;
-{
- frentry_t *fr;
- frgroup_t *fg;
-
- fg = fr_findgroup(group, unit, fr_active, NULL);
- if (fg == NULL)
- return NULL;
- for (fr = fg->fg_head; fr && n; fr = fr->fr_next, n--)
- ;
- if (n != 0)
- return NULL;
- return fr;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_rulen */
-/* Returns: int - >= 0 - rule number, -1 == search failed */
-/* Parameters: unit(I) - device for which to count the rule's number */
-/* fr(I) - pointer to rule to match */
-/* */
-/* Return the number for a rule on a specific filtering device. */
-/* ------------------------------------------------------------------------ */
-int fr_rulen(unit, fr)
-int unit;
-frentry_t *fr;
-{
- frentry_t *fh;
- frgroup_t *fg;
- u_32_t n = 0;
-
- if (fr == NULL)
- return -1;
- fg = fr_findgroup(fr->fr_group, unit, fr_active, NULL);
- if (fg == NULL)
- return -1;
- for (fh = fg->fg_head; fh; n++, fh = fh->fr_next)
- if (fh == fr)
- break;
- if (fh == NULL)
- return -1;
- return n;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frflushlist */
-/* Returns: int - >= 0 - number of flushed rules */
-/* Parameters: set(I) - which set of rules (inactive/inactive) this is */
-/* unit(I) - device for which to flush rules */
-/* flags(I) - which set of rules to flush */
-/* nfreedp(O) - pointer to int where flush count is stored */
-/* listp(I) - pointer to list to flush pointer */
-/* Write Locks: ipf_mutex */
-/* */
-/* Recursively flush rules from the list, descending groups as they are */
-/* encountered. if a rule is the head of a group and it has lost all its */
-/* group members, then also delete the group reference. nfreedp is needed */
-/* to store the accumulating count of rules removed, whereas the returned */
-/* value is just the number removed from the current list. The latter is */
-/* needed to correctly adjust reference counts on rules that define groups. */
-/* */
-/* NOTE: Rules not loaded from user space cannot be flushed. */
-/* ------------------------------------------------------------------------ */
-static int frflushlist(set, unit, nfreedp, listp)
-int set;
-minor_t unit;
-int *nfreedp;
-frentry_t **listp;
-{
- int freed = 0, i;
- frentry_t *fp;
-
- while ((fp = *listp) != NULL) {
- if ((fp->fr_type & FR_T_BUILTIN) ||
- !(fp->fr_flags & FR_COPIED)) {
- listp = &fp->fr_next;
- continue;
- }
- *listp = fp->fr_next;
- if (fp->fr_grp != NULL) {
- i = frflushlist(set, unit, nfreedp, fp->fr_grp);
- fp->fr_ref -= i;
- }
-
- if (fp->fr_grhead != NULL) {
- fr_delgroup(fp->fr_grhead, unit, set);
- *fp->fr_grhead = '\0';
- }
-
- ASSERT(fp->fr_ref > 0);
- fp->fr_next = NULL;
- if (fr_derefrule(&fp) == 0)
- freed++;
- }
- *nfreedp += freed;
- return freed;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frflush */
-/* Returns: int - >= 0 - number of flushed rules */
-/* Parameters: unit(I) - device for which to flush rules */
-/* flags(I) - which set of rules to flush */
-/* */
-/* Calls flushlist() for all filter rules (accounting, firewall - both IPv4 */
-/* and IPv6) as defined by the value of flags. */
-/* ------------------------------------------------------------------------ */
-int frflush(unit, proto, flags)
-minor_t unit;
-int proto, flags;
-{
- int flushed = 0, set;
-
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache));
-
- set = fr_active;
- if ((flags & FR_INACTIVE) == FR_INACTIVE)
- set = 1 - set;
-
- if (flags & FR_OUTQUE) {
- if (proto == 0 || proto == 6) {
- (void) frflushlist(set, unit,
- &flushed, &ipfilter6[1][set]);
- (void) frflushlist(set, unit,
- &flushed, &ipacct6[1][set]);
- }
- if (proto == 0 || proto == 4) {
- (void) frflushlist(set, unit,
- &flushed, &ipfilter[1][set]);
- (void) frflushlist(set, unit,
- &flushed, &ipacct[1][set]);
- }
- }
- if (flags & FR_INQUE) {
- if (proto == 0 || proto == 6) {
- (void) frflushlist(set, unit,
- &flushed, &ipfilter6[0][set]);
- (void) frflushlist(set, unit,
- &flushed, &ipacct6[0][set]);
- }
- if (proto == 0 || proto == 4) {
- (void) frflushlist(set, unit,
- &flushed, &ipfilter[0][set]);
- (void) frflushlist(set, unit,
- &flushed, &ipacct[0][set]);
- }
- }
- RWLOCK_EXIT(&ipf_mutex);
-
- if (unit == IPL_LOGIPF) {
- int tmp;
-
- tmp = frflush(IPL_LOGCOUNT, proto, flags);
- if (tmp >= 0)
- flushed += tmp;
- }
- return flushed;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: memstr */
-/* Returns: char * - NULL if failed, != NULL pointer to matching bytes */
-/* Parameters: src(I) - pointer to byte sequence to match */
-/* dst(I) - pointer to byte sequence to search */
-/* slen(I) - match length */
-/* dlen(I) - length available to search in */
-/* */
-/* Search dst for a sequence of bytes matching those at src and extend for */
-/* slen bytes. */
-/* ------------------------------------------------------------------------ */
-char *memstr(src, dst, slen, dlen)
-char *src, *dst;
-int slen, dlen;
-{
- char *s = NULL;
-
- while (dlen >= slen) {
- if (bcmp(src, dst, slen) == 0) {
- s = dst;
- break;
- }
- dst++;
- dlen--;
- }
- return s;
-}
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fixskip */
-/* Returns: Nil */
-/* Parameters: listp(IO) - pointer to start of list with skip rule */
-/* rp(I) - rule added/removed with skip in it. */
-/* addremove(I) - adjustment (-1/+1) to make to skip count, */
-/* depending on whether a rule was just added */
-/* or removed. */
-/* */
-/* Adjust all the rules in a list which would have skip'd past the position */
-/* where we are inserting to skip to the right place given the change. */
-/* ------------------------------------------------------------------------ */
-void fr_fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
-{
- int rules, rn;
- frentry_t *fp;
-
- rules = 0;
- for (fp = *listp; (fp != NULL) && (fp != rp); fp = fp->fr_next)
- rules++;
-
- if (!fp)
- return;
-
- for (rn = 0, fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (FR_ISSKIP(fp->fr_flags) && (rn + fp->fr_arg >= rules))
- fp->fr_arg += addremove;
-}
-
-
-#ifdef _KERNEL
-/* ------------------------------------------------------------------------ */
-/* Function: count4bits */
-/* Returns: int - >= 0 - number of consecutive bits in input */
-/* Parameters: ip(I) - 32bit IP address */
-/* */
-/* IPv4 ONLY */
-/* count consecutive 1's in bit mask. If the mask generated by counting */
-/* consecutive 1's is different to that passed, return -1, else return # */
-/* of bits. */
-/* ------------------------------------------------------------------------ */
-int count4bits(ip)
-u_32_t ip;
-{
- u_32_t ipn;
- int cnt = 0, i, j;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
-
-
-# if 0
-/* ------------------------------------------------------------------------ */
-/* Function: count6bits */
-/* Returns: int - >= 0 - number of consecutive bits in input */
-/* Parameters: msk(I) - pointer to start of IPv6 bitmask */
-/* */
-/* IPv6 ONLY */
-/* count consecutive 1's in bit mask. */
-/* ------------------------------------------------------------------------ */
-int count6bits(msk)
-u_32_t *msk;
-{
- int i = 0, k;
- u_32_t j;
-
- for (k = 3; k >= 0; k--)
- if (msk[k] == 0xffffffff)
- i += 32;
- else {
- for (j = msk[k]; j; j <<= 1)
- if (j & 0x80000000)
- i++;
- }
- return i;
-}
-# endif
-#endif /* _KERNEL */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frsynclist */
-/* Returns: void */
-/* Parameters: fr(I) - start of filter list to sync interface names for */
-/* ifp(I) - interface pointer for limiting sync lookups */
-/* Write Locks: ipf_mutex */
-/* */
-/* Walk through a list of filter rules and resolve any interface names into */
-/* pointers. Where dynamic addresses are used, also update the IP address */
-/* used in the rule. The interface pointer is used to limit the lookups to */
-/* a specific set of matching names if it is non-NULL. */
-/* ------------------------------------------------------------------------ */
-static void frsynclist(fr, ifp)
-frentry_t *fr;
-void *ifp;
-{
- frdest_t *fdp;
- int v, i;
-
- for (; fr; fr = fr->fr_next) {
- v = fr->fr_v;
-
- /*
- * Lookup all the interface names that are part of the rule.
- */
- for (i = 0; i < 4; i++) {
- if ((ifp != NULL) && (fr->fr_ifas[i] != ifp))
- continue;
- fr->fr_ifas[i] = fr_resolvenic(fr->fr_ifnames[i], v);
- }
-
- if (fr->fr_type == FR_T_IPF) {
- if (fr->fr_satype != FRI_NORMAL &&
- fr->fr_satype != FRI_LOOKUP) {
- (void)fr_ifpaddr(v, fr->fr_satype,
- fr->fr_ifas[fr->fr_sifpidx],
- &fr->fr_src, &fr->fr_smsk);
- }
- if (fr->fr_datype != FRI_NORMAL &&
- fr->fr_datype != FRI_LOOKUP) {
- (void)fr_ifpaddr(v, fr->fr_datype,
- fr->fr_ifas[fr->fr_difpidx],
- &fr->fr_dst, &fr->fr_dmsk);
- }
- }
-
- fdp = &fr->fr_tifs[0];
- if ((ifp == NULL) || (fdp->fd_ifp == ifp))
- fr_resolvedest(fdp, v);
-
- fdp = &fr->fr_tifs[1];
- if ((ifp == NULL) || (fdp->fd_ifp == ifp))
- fr_resolvedest(fdp, v);
-
- fdp = &fr->fr_dif;
- if ((ifp == NULL) || (fdp->fd_ifp == ifp)) {
- fr_resolvedest(fdp, v);
-
- fr->fr_flags &= ~FR_DUP;
- if ((fdp->fd_ifp != (void *)-1) &&
- (fdp->fd_ifp != NULL))
- fr->fr_flags |= FR_DUP;
- }
-
-#ifdef IPFILTER_LOOKUP
- if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP &&
- fr->fr_srcptr == NULL) {
- fr->fr_srcptr = fr_resolvelookup(fr->fr_srctype,
- fr->fr_srcnum,
- &fr->fr_srcfunc);
- }
- if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP &&
- fr->fr_dstptr == NULL) {
- fr->fr_dstptr = fr_resolvelookup(fr->fr_dsttype,
- fr->fr_dstnum,
- &fr->fr_dstfunc);
- }
-#endif
- }
-}
-
-
-#ifdef _KERNEL
-/* ------------------------------------------------------------------------ */
-/* Function: frsync */
-/* Returns: void */
-/* Parameters: Nil */
-/* */
-/* frsync() is called when we suspect that the interface list or */
-/* information about interfaces (like IP#) has changed. Go through all */
-/* filter rules, NAT entries and the state table and check if anything */
-/* needs to be changed/updated. */
-/* ------------------------------------------------------------------------ */
-void frsync(ifp)
-void *ifp;
-{
- int i;
-
-# if !SOLARIS
- fr_natsync(ifp);
- fr_statesync(ifp);
-# endif
-
- WRITE_ENTER(&ipf_mutex);
- frsynclist(ipacct[0][fr_active], ifp);
- frsynclist(ipacct[1][fr_active], ifp);
- frsynclist(ipfilter[0][fr_active], ifp);
- frsynclist(ipfilter[1][fr_active], ifp);
- frsynclist(ipacct6[0][fr_active], ifp);
- frsynclist(ipacct6[1][fr_active], ifp);
- frsynclist(ipfilter6[0][fr_active], ifp);
- frsynclist(ipfilter6[1][fr_active], ifp);
-
- for (i = 0; i < IPL_LOGSIZE; i++) {
- frgroup_t *g;
-
- for (g = ipfgroups[i][0]; g != NULL; g = g->fg_next)
- frsynclist(g->fg_start, ifp);
- for (g = ipfgroups[i][1]; g != NULL; g = g->fg_next)
- frsynclist(g->fg_start, ifp);
- }
- RWLOCK_EXIT(&ipf_mutex);
-}
-
-
-/*
- * In the functions below, bcopy() is called because the pointer being
- * copied _from_ in this instance is a pointer to a char buf (which could
- * end up being unaligned) and on the kernel's local stack.
- */
-/* ------------------------------------------------------------------------ */
-/* Function: copyinptr */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: src(I) - pointer to the source address */
-/* dst(I) - destination address */
-/* size(I) - number of bytes to copy */
-/* */
-/* Copy a block of data in from user space, given a pointer to the pointer */
-/* to start copying from (src) and a pointer to where to store it (dst). */
-/* NB: src - pointer to user space pointer, dst - kernel space pointer */
-/* ------------------------------------------------------------------------ */
-int copyinptr(src, dst, size)
-void *src, *dst;
-size_t size;
-{
- caddr_t ca;
- int err;
-
-# if SOLARIS
- err = COPYIN(src, (caddr_t)&ca, sizeof(ca));
- if (err != 0)
- return err;
-# else
- bcopy(src, (caddr_t)&ca, sizeof(ca));
-# endif
- err = COPYIN(ca, dst, size);
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: copyoutptr */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: src(I) - pointer to the source address */
-/* dst(I) - destination address */
-/* size(I) - number of bytes to copy */
-/* */
-/* Copy a block of data out to user space, given a pointer to the pointer */
-/* to start copying from (src) and a pointer to where to store it (dst). */
-/* NB: src - kernel space pointer, dst - pointer to user space pointer. */
-/* ------------------------------------------------------------------------ */
-int copyoutptr(src, dst, size)
-void *src, *dst;
-size_t size;
-{
- caddr_t ca;
- int err;
-
-# if SOLARIS
- err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
- if (err != 0)
- return err;
-# else
- bcopy(dst, (caddr_t)&ca, sizeof(ca));
-# endif
- err = COPYOUT(src, ca, size);
- return err;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_lock */
-/* Returns: (void) */
-/* Parameters: data(I) - pointer to lock value to set */
-/* lockp(O) - pointer to location to store old lock value */
-/* */
-/* Get the new value for the lock integer, set it and return the old value */
-/* in *lockp. */
-/* ------------------------------------------------------------------------ */
-void fr_lock(data, lockp)
-caddr_t data;
-int *lockp;
-{
- int arg;
-
- BCOPYIN(data, (caddr_t)&arg, sizeof(arg));
- BCOPYOUT((caddr_t)lockp, data, sizeof(*lockp));
- *lockp = arg;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_getstat */
-/* Returns: Nil */
-/* Parameters: fiop(I) - pointer to ipfilter stats structure */
-/* */
-/* Stores a copy of current pointers, counters, etc, in the friostat */
-/* structure. */
-/* ------------------------------------------------------------------------ */
-void fr_getstat(fiop)
-friostat_t *fiop;
-{
- int i, j;
-
- bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
- fiop->f_locks[IPL_LOGSTATE] = fr_state_lock;
- fiop->f_locks[IPL_LOGNAT] = fr_nat_lock;
- fiop->f_locks[IPL_LOGIPF] = fr_frag_lock;
- fiop->f_locks[IPL_LOGAUTH] = fr_auth_lock;
-
- for (i = 0; i < 2; i++)
- for (j = 0; j < 2; j++) {
- fiop->f_ipf[i][j] = ipfilter[i][j];
- fiop->f_acct[i][j] = ipacct[i][j];
- fiop->f_ipf6[i][j] = ipfilter6[i][j];
- fiop->f_acct6[i][j] = ipacct6[i][j];
- }
-
- fiop->f_ticks = fr_ticks;
- fiop->f_active = fr_active;
- fiop->f_froute[0] = fr_frouteok[0];
- fiop->f_froute[1] = fr_frouteok[1];
-
- fiop->f_running = fr_running;
- for (i = 0; i < IPL_LOGSIZE; i++) {
- fiop->f_groups[i][0] = ipfgroups[i][0];
- fiop->f_groups[i][1] = ipfgroups[i][1];
- }
-#ifdef IPFILTER_LOG
- fiop->f_logging = 1;
-#else
- fiop->f_logging = 0;
-#endif
- fiop->f_defpass = fr_pass;
- fiop->f_features = fr_features;
- (void) strncpy(fiop->f_version, ipfilter_version,
- sizeof(fiop->f_version));
-}
-
-
-#ifdef USE_INET6
-int icmptoicmp6types[ICMP_MAXTYPE+1] = {
- ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
- -1, /* 1: UNUSED */
- -1, /* 2: UNUSED */
- ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
- -1, /* 4: ICMP_SOURCEQUENCH */
- ND_REDIRECT, /* 5: ICMP_REDIRECT */
- -1, /* 6: UNUSED */
- -1, /* 7: UNUSED */
- ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
- -1, /* 9: UNUSED */
- -1, /* 10: UNUSED */
- ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
- ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
- -1, /* 13: ICMP_TSTAMP */
- -1, /* 14: ICMP_TSTAMPREPLY */
- -1, /* 15: ICMP_IREQ */
- -1, /* 16: ICMP_IREQREPLY */
- -1, /* 17: ICMP_MASKREQ */
- -1, /* 18: ICMP_MASKREPLY */
-};
-
-
-int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
- ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
- ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
- -1, /* 2: ICMP_UNREACH_PROTOCOL */
- ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
- -1, /* 4: ICMP_UNREACH_NEEDFRAG */
- ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
- ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
- ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
- -1, /* 8: ICMP_UNREACH_ISOLATED */
- ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
- ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
- -1, /* 11: ICMP_UNREACH_TOSNET */
- -1, /* 12: ICMP_UNREACH_TOSHOST */
- ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
-};
-int icmpreplytype6[ICMP6_MAXTYPE + 1];
-#endif
-
-int icmpreplytype4[ICMP_MAXTYPE + 1];
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_matchicmpqueryreply */
-/* Returns: int - 1 if "icmp" is a valid reply to "ic" else 0. */
-/* Parameters: v(I) - IP protocol version (4 or 6) */
-/* ic(I) - ICMP information */
-/* icmp(I) - ICMP packet header */
-/* rev(I) - direction (0 = forward/1 = reverse) of packet */
-/* */
-/* Check if the ICMP packet defined by the header pointed to by icmp is a */
-/* reply to one as described by what's in ic. If it is a match, return 1, */
-/* else return 0 for no match. */
-/* ------------------------------------------------------------------------ */
-int fr_matchicmpqueryreply(v, ic, icmp, rev)
-int v;
-icmpinfo_t *ic;
-icmphdr_t *icmp;
-int rev;
-{
- int ictype;
-
- ictype = ic->ici_type;
-
- if (v == 4) {
- /*
- * If we matched its type on the way in, then when going out
- * it will still be the same type.
- */
- if ((!rev && (icmp->icmp_type == ictype)) ||
- (rev && (icmpreplytype4[ictype] == icmp->icmp_type))) {
- if (icmp->icmp_type != ICMP_ECHOREPLY)
- return 1;
- if (icmp->icmp_id == ic->ici_id)
- return 1;
- }
- }
-#ifdef USE_INET6
- else if (v == 6) {
- if ((!rev && (icmp->icmp_type == ictype)) ||
- (rev && (icmpreplytype6[ictype] == icmp->icmp_type))) {
- if (icmp->icmp_type != ICMP6_ECHO_REPLY)
- return 1;
- if (icmp->icmp_id == ic->ici_id)
- return 1;
- }
- }
-#endif
- return 0;
-}
-
-
-#ifdef IPFILTER_LOOKUP
-/* ------------------------------------------------------------------------ */
-/* Function: fr_resolvelookup */
-/* Returns: void * - NULL = failure, else success. */
-/* Parameters: type(I) - type of lookup these parameters are for. */
-/* number(I) - table number to use when searching */
-/* funcptr(IO) - pointer to pointer for storing IP address */
-/* searching function. */
-/* */
-/* Search for the "table" number passed in amongst those configured for */
-/* that particular type. If the type is recognised then the function to */
-/* call to do the IP address search will be change, regardless of whether */
-/* or not the "table" number exists. */
-/* ------------------------------------------------------------------------ */
-static void *fr_resolvelookup(type, number, funcptr)
-u_int type, number;
-lookupfunc_t *funcptr;
-{
- char name[FR_GROUPLEN];
- iphtable_t *iph;
- ip_pool_t *ipo;
- void *ptr;
-
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(name, sizeof(name), "%u", number);
-#else
- (void) sprintf(name, "%u", number);
-#endif
-
- READ_ENTER(&ip_poolrw);
-
- switch (type)
- {
- case IPLT_POOL :
-# if (defined(__osf__) && defined(_KERNEL))
- ptr = NULL;
- *funcptr = NULL;
-# else
- ipo = ip_pool_find(IPL_LOGIPF, name);
- ptr = ipo;
- if (ipo != NULL) {
- ATOMIC_INC32(ipo->ipo_ref);
- }
- *funcptr = ip_pool_search;
-# endif
- break;
- case IPLT_HASH :
- iph = fr_findhtable(IPL_LOGIPF, name);
- ptr = iph;
- if (iph != NULL) {
- ATOMIC_INC32(iph->iph_ref);
- }
- *funcptr = fr_iphmfindip;
- break;
- default:
- ptr = NULL;
- *funcptr = NULL;
- break;
- }
- RWLOCK_EXIT(&ip_poolrw);
-
- return ptr;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: frrequest */
-/* Returns: int - 0 == success, > 0 == errno value */
-/* Parameters: unit(I) - device for which this is for */
-/* req(I) - ioctl command (SIOC*) */
-/* data(I) - pointr to ioctl data */
-/* set(I) - 1 or 0 (filter set) */
-/* makecopy(I) - flag indicating whether data points to a rule */
-/* in kernel space & hence doesn't need copying. */
-/* */
-/* This function handles all the requests which operate on the list of */
-/* filter rules. This includes adding, deleting, insertion. It is also */
-/* responsible for creating groups when a "head" rule is loaded. Interface */
-/* names are resolved here and other sanity checks are made on the content */
-/* of the rule structure being loaded. If a rule has user defined timeouts */
-/* then make sure they are created and initialised before exiting. */
-/* ------------------------------------------------------------------------ */
-int frrequest(unit, req, data, set, makecopy)
-int unit;
-ioctlcmd_t req;
-int set, makecopy;
-caddr_t data;
-{
- frentry_t frd, *fp, *f, **fprev, **ftail;
- int error = 0, in, v;
- void *ptr, *uptr;
- u_int *p, *pp;
- frgroup_t *fg;
- char *group;
-
- fg = NULL;
- fp = &frd;
- if (makecopy != 0) {
- error = fr_inobj(data, fp, IPFOBJ_FRENTRY);
- if (error)
- return EFAULT;
- if ((fp->fr_flags & FR_T_BUILTIN) != 0)
- return EINVAL;
- fp->fr_ref = 0;
- fp->fr_flags |= FR_COPIED;
- } else {
- fp = (frentry_t *)data;
- if ((fp->fr_type & FR_T_BUILTIN) == 0)
- return EINVAL;
- fp->fr_flags &= ~FR_COPIED;
- }
-
- if (((fp->fr_dsize == 0) && (fp->fr_data != NULL)) ||
- ((fp->fr_dsize != 0) && (fp->fr_data == NULL)))
- return EINVAL;
-
- v = fp->fr_v;
- uptr = fp->fr_data;
-
- /*
- * Only filter rules for IPv4 or IPv6 are accepted.
- */
- if (v == 4)
- /*EMPTY*/;
-#ifdef USE_INET6
- else if (v == 6)
- /*EMPTY*/;
-#endif
- else {
- return EINVAL;
- }
-
- /*
- * If the rule is being loaded from user space, i.e. we had to copy it
- * into kernel space, then do not trust the function pointer in the
- * rule.
- */
- if ((makecopy == 1) && (fp->fr_func != NULL)) {
- if (fr_findfunc(fp->fr_func) == NULL)
- return ESRCH;
- error = fr_funcinit(fp);
- if (error != 0)
- return error;
- }
-
- ptr = NULL;
- /*
- * Check that the group number does exist and that its use (in/out)
- * matches what the rule is.
- */
- if (!strncmp(fp->fr_grhead, "0", FR_GROUPLEN))
- *fp->fr_grhead = '\0';
- group = fp->fr_group;
- if (!strncmp(group, "0", FR_GROUPLEN))
- *group = '\0';
-
- if (FR_ISACCOUNT(fp->fr_flags))
- unit = IPL_LOGCOUNT;
-
- if ((req != (int)SIOCZRLST) && (*group != '\0')) {
- fg = fr_findgroup(group, unit, set, NULL);
- if (fg == NULL)
- return ESRCH;
- if (fg->fg_flags == 0)
- fg->fg_flags = fp->fr_flags & FR_INOUT;
- else if (fg->fg_flags != (fp->fr_flags & FR_INOUT))
- return ESRCH;
- }
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- /*
- * Work out which rule list this change is being applied to.
- */
- ftail = NULL;
- fprev = NULL;
- if (unit == IPL_LOGAUTH)
- fprev = &ipauth;
- else if (v == 4) {
- if (FR_ISACCOUNT(fp->fr_flags))
- fprev = &ipacct[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
- fprev = &ipfilter[in][set];
- } else if (v == 6) {
- if (FR_ISACCOUNT(fp->fr_flags))
- fprev = &ipacct6[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) != 0)
- fprev = &ipfilter6[in][set];
- }
- if (fprev == NULL)
- return ESRCH;
-
- if (*group != '\0') {
- if (!fg && !(fg = fr_findgroup(group, unit, set, NULL)))
- return ESRCH;
- fprev = &fg->fg_start;
- }
-
- for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next)
- if (fp->fr_collect <= f->fr_collect)
- break;
- ftail = fprev;
-
- /*
- * Copy in extra data for the rule.
- */
- if (fp->fr_dsize != 0) {
- if (makecopy != 0) {
- KMALLOCS(ptr, void *, fp->fr_dsize);
- if (!ptr)
- return ENOMEM;
- error = COPYIN(uptr, ptr, fp->fr_dsize);
- } else {
- ptr = uptr;
- error = 0;
- }
- if (error != 0) {
- KFREES(ptr, fp->fr_dsize);
- return ENOMEM;
- }
- fp->fr_data = ptr;
- } else
- fp->fr_data = NULL;
-
- /*
- * Perform per-rule type sanity checks of their members.
- */
- switch (fp->fr_type & ~FR_T_BUILTIN)
- {
-#if defined(IPFILTER_BPF)
- case FR_T_BPFOPC :
- if (fp->fr_dsize == 0)
- return EINVAL;
- if (!bpf_validate(ptr, fp->fr_dsize/sizeof(struct bpf_insn))) {
- if (makecopy && fp->fr_data != NULL) {
- KFREES(fp->fr_data, fp->fr_dsize);
- }
- return EINVAL;
- }
- break;
-#endif
- case FR_T_IPF :
- if (fp->fr_dsize != sizeof(fripf_t))
- return EINVAL;
-
- /*
- * Allowing a rule with both "keep state" and "with oow" is
- * pointless because adding a state entry to the table will
- * fail with the out of window (oow) flag set.
- */
- if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW))
- return EINVAL;
-
- switch (fp->fr_satype)
- {
- case FRI_BROADCAST :
- case FRI_DYNAMIC :
- case FRI_NETWORK :
- case FRI_NETMASKED :
- case FRI_PEERADDR :
- if (fp->fr_sifpidx < 0 || fp->fr_sifpidx > 3) {
- if (makecopy && fp->fr_data != NULL) {
- KFREES(fp->fr_data, fp->fr_dsize);
- }
- return EINVAL;
- }
- break;
-#ifdef IPFILTER_LOOKUP
- case FRI_LOOKUP :
- fp->fr_srcptr = fr_resolvelookup(fp->fr_srctype,
- fp->fr_srcnum,
- &fp->fr_srcfunc);
- break;
-#endif
- default :
- break;
- }
-
- switch (fp->fr_datype)
- {
- case FRI_BROADCAST :
- case FRI_DYNAMIC :
- case FRI_NETWORK :
- case FRI_NETMASKED :
- case FRI_PEERADDR :
- if (fp->fr_difpidx < 0 || fp->fr_difpidx > 3) {
- if (makecopy && fp->fr_data != NULL) {
- KFREES(fp->fr_data, fp->fr_dsize);
- }
- return EINVAL;
- }
- break;
-#ifdef IPFILTER_LOOKUP
- case FRI_LOOKUP :
- fp->fr_dstptr = fr_resolvelookup(fp->fr_dsttype,
- fp->fr_dstnum,
- &fp->fr_dstfunc);
- break;
-#endif
- default :
-
- break;
- }
- break;
- case FR_T_NONE :
- break;
- case FR_T_CALLFUNC :
- break;
- case FR_T_COMPIPF :
- break;
- default :
- if (makecopy && fp->fr_data != NULL) {
- KFREES(fp->fr_data, fp->fr_dsize);
- }
- return EINVAL;
- }
-
- /*
- * Lookup all the interface names that are part of the rule.
- */
- frsynclist(fp, NULL);
- fp->fr_statecnt = 0;
-
- /*
- * Look for an existing matching filter rule, but don't include the
- * next or interface pointer in the comparison (fr_next, fr_ifa).
- * This elminates rules which are indentical being loaded. Checksum
- * the constant part of the filter rule to make comparisons quicker
- * (this meaning no pointers are included).
- */
- for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_func, pp = &fp->fr_cksum;
- p < pp; p++)
- fp->fr_cksum += *p;
- pp = (u_int *)(fp->fr_caddr + fp->fr_dsize);
- for (p = (u_int *)fp->fr_data; p < pp; p++)
- fp->fr_cksum += *p;
-
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache));
-
- for (; (f = *ftail) != NULL; ftail = &f->fr_next)
- if ((fp->fr_cksum == f->fr_cksum) &&
- (f->fr_dsize == fp->fr_dsize) &&
- !bcmp((char *)&f->fr_func,
- (char *)&fp->fr_func, FR_CMPSIZ) &&
- (!ptr || !f->fr_data ||
- !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == (ioctlcmd_t)SIOCZRLST) {
- if (f == NULL)
- error = ESRCH;
- else {
- /*
- * Copy and reduce lock because of impending copyout.
- * Well we should, but if we do then the atomicity of
- * this call and the correctness of fr_hits and
- * fr_bytes cannot be guaranteed. As it is, this code
- * only resets them to 0 if they are successfully
- * copied out into user space.
- */
- bcopy((char *)f, (char *)fp, sizeof(*f));
- /* MUTEX_DOWNGRADE(&ipf_mutex); */
-
- /*
- * When we copy this rule back out, set the data
- * pointer to be what it was in user space.
- */
- fp->fr_data = uptr;
- error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
-
- if (error == 0) {
- if ((f->fr_dsize != 0) && (uptr != NULL))
- error = COPYOUT(f->fr_data, uptr,
- f->fr_dsize);
- if (error == 0) {
- f->fr_hits = 0;
- f->fr_bytes = 0;
- }
- }
- }
-
- if ((ptr != NULL) && (makecopy != 0)) {
- KFREES(ptr, fp->fr_dsize);
- }
- RWLOCK_EXIT(&ipf_mutex);
- return error;
- }
-
- if (!f) {
- if (req == (ioctlcmd_t)SIOCINAFR ||
- req == (ioctlcmd_t)SIOCINIFR) {
- ftail = fprev;
- if (fp->fr_hits != 0) {
- while (--fp->fr_hits && (f = *ftail))
- ftail = &f->fr_next;
- }
- f = NULL;
- ptr = NULL;
- error = 0;
- }
- }
-
- /*
- * Request to remove a rule.
- */
- if (req == (ioctlcmd_t)SIOCRMAFR || req == (ioctlcmd_t)SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- /*
- * Do not allow activity from user space to interfere
- * with rules not loaded that way.
- */
- if ((makecopy == 1) && !(f->fr_flags & FR_COPIED)) {
- error = EPERM;
- goto done;
- }
-
- /*
- * Return EBUSY if the rule is being reference by
- * something else (eg state information.
- */
- if (f->fr_ref > 1) {
- error = EBUSY;
- goto done;
- }
-#ifdef IPFILTER_SCAN
- if (f->fr_isctag[0] != '\0' &&
- (f->fr_isc != (struct ipscan *)-1))
- ipsc_detachfr(f);
-#endif
- if ((fg != NULL) && (fg->fg_head != NULL))
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH) {
- error = fr_preauthcmd(req, f, ftail);
- goto done;
- }
- if (*f->fr_grhead != '\0')
- fr_delgroup(f->fr_grhead, unit, set);
- fr_fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- f->fr_next = NULL;
- (void)fr_derefrule(&f);
- }
- } else {
- /*
- * Not removing, so we must be adding/inserting a rule.
- */
- if (f)
- error = EEXIST;
- else {
- if (unit == IPL_LOGAUTH) {
- error = fr_preauthcmd(req, fp, ftail);
- goto done;
- }
- if (makecopy) {
- KMALLOC(f, frentry_t *);
- } else
- f = fp;
- if (f != NULL) {
- if (fg != NULL && fg->fg_head!= NULL )
- fg->fg_head->fr_ref++;
- if (fp != f)
- bcopy((char *)fp, (char *)f,
- sizeof(*f));
- MUTEX_NUKE(&f->fr_lock);
- MUTEX_INIT(&f->fr_lock, "filter rule lock");
-#ifdef IPFILTER_SCAN
- if (f->fr_isctag[0] != '\0' &&
- ipsc_attachfr(f))
- f->fr_isc = (struct ipscan *)-1;
-#endif
- f->fr_hits = 0;
- if (makecopy != 0)
- f->fr_ref = 1;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == (ioctlcmd_t)SIOCINIFR ||
- req == (ioctlcmd_t)SIOCINAFR)
- fr_fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- group = f->fr_grhead;
- if (*group != '\0') {
- fg = fr_addgroup(group, f, f->fr_flags,
- unit, set);
- if (fg != NULL)
- f->fr_grp = &fg->fg_start;
- }
- } else
- error = ENOMEM;
- }
- }
-done:
- RWLOCK_EXIT(&ipf_mutex);
- if ((ptr != NULL) && (error != 0) && (makecopy != 0)) {
- KFREES(ptr, fp->fr_dsize);
- }
- return (error);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_funcinit */
-/* Returns: int - 0 == success, else ESRCH: cannot resolve rule details */
-/* Parameters: fr(I) - pointer to filter rule */
-/* */
-/* If a rule is a call rule, then check if the function it points to needs */
-/* an init function to be called now the rule has been loaded. */
-/* ------------------------------------------------------------------------ */
-static int fr_funcinit(fr)
-frentry_t *fr;
-{
- ipfunc_resolve_t *ft;
- int err;
-
- err = ESRCH;
-
- for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
- if (ft->ipfu_addr == fr->fr_func) {
- err = 0;
- if (ft->ipfu_init != NULL)
- err = (*ft->ipfu_init)(fr);
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_findfunc */
-/* Returns: ipfunc_t - pointer to function if found, else NULL */
-/* Parameters: funcptr(I) - function pointer to lookup */
-/* */
-/* Look for a function in the table of known functions. */
-/* ------------------------------------------------------------------------ */
-static ipfunc_t fr_findfunc(funcptr)
-ipfunc_t funcptr;
-{
- ipfunc_resolve_t *ft;
-
- for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
- if (ft->ipfu_addr == funcptr)
- return funcptr;
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_resolvefunc */
-/* Returns: int - 0 == success, else error */
-/* Parameters: data(IO) - ioctl data pointer to ipfunc_resolve_t struct */
-/* */
-/* Copy in a ipfunc_resolve_t structure and then fill in the missing field. */
-/* This will either be the function name (if the pointer is set) or the */
-/* function pointer if the name is set. When found, fill in the other one */
-/* so that the entire, complete, structure can be copied back to user space.*/
-/* ------------------------------------------------------------------------ */
-int fr_resolvefunc(data)
-void *data;
-{
- ipfunc_resolve_t res, *ft;
-
- BCOPYIN(data, &res, sizeof(res));
-
- if (res.ipfu_addr == NULL && res.ipfu_name[0] != '\0') {
- for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
- if (strncmp(res.ipfu_name, ft->ipfu_name,
- sizeof(res.ipfu_name)) == 0) {
- res.ipfu_addr = ft->ipfu_addr;
- res.ipfu_init = ft->ipfu_init;
- if (COPYOUT(&res, data, sizeof(res)) != 0)
- return EFAULT;
- return 0;
- }
- }
- if (res.ipfu_addr != NULL && res.ipfu_name[0] == '\0') {
- for (ft = fr_availfuncs; ft->ipfu_addr != NULL; ft++)
- if (ft->ipfu_addr == res.ipfu_addr) {
- (void) strncpy(res.ipfu_name, ft->ipfu_name,
- sizeof(res.ipfu_name));
- res.ipfu_init = ft->ipfu_init;
- if (COPYOUT(&res, data, sizeof(res)) != 0)
- return EFAULT;
- return 0;
- }
- }
- return ESRCH;
-}
-
-
-#if !defined(_KERNEL) || (!defined(__NetBSD__) && !defined(__OpenBSD__) && !defined(__FreeBSD__)) || \
- (defined(__FreeBSD__) && (__FreeBSD_version < 490000)) || \
- (defined(__NetBSD__) && (__NetBSD_Version__ < 105000000)) || \
- (defined(__OpenBSD__) && (OpenBSD < 200006))
-/*
- * From: NetBSD
- * ppsratecheck(): packets (or events) per second limitation.
- */
-int
-ppsratecheck(lasttime, curpps, maxpps)
- struct timeval *lasttime;
- int *curpps;
- int maxpps; /* maximum pps allowed */
-{
- struct timeval tv, delta;
- int rv;
-
- GETKTIME(&tv);
-
- delta.tv_sec = tv.tv_sec - lasttime->tv_sec;
- delta.tv_usec = tv.tv_usec - lasttime->tv_usec;
- if (delta.tv_usec < 0) {
- delta.tv_sec--;
- delta.tv_usec += 1000000;
- }
-
- /*
- * check for 0,0 is so that the message will be seen at least once.
- * if more than one second have passed since the last update of
- * lasttime, reset the counter.
- *
- * we do increment *curpps even in *curpps < maxpps case, as some may
- * try to use *curpps for stat purposes as well.
- */
- if ((lasttime->tv_sec == 0 && lasttime->tv_usec == 0) ||
- delta.tv_sec >= 1) {
- *lasttime = tv;
- *curpps = 0;
- rv = 1;
- } else if (maxpps < 0)
- rv = 1;
- else if (*curpps < maxpps)
- rv = 1;
- else
- rv = 0;
- *curpps = *curpps + 1;
-
- return (rv);
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_derefrule */
-/* Returns: int - 0 == rule freed up, else rule not freed */
-/* Parameters: fr(I) - pointer to filter rule */
-/* */
-/* Decrement the reference counter to a rule by one. If it reaches zero, */
-/* free it and any associated storage space being used by it. */
-/* ------------------------------------------------------------------------ */
-int fr_derefrule(frp)
-frentry_t **frp;
-{
- frentry_t *fr;
-
- fr = *frp;
-
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref--;
- if (fr->fr_ref == 0) {
- MUTEX_EXIT(&fr->fr_lock);
- MUTEX_DESTROY(&fr->fr_lock);
-
-#ifdef IPFILTER_LOOKUP
- if (fr->fr_type == FR_T_IPF && fr->fr_satype == FRI_LOOKUP)
- ip_lookup_deref(fr->fr_srctype, fr->fr_srcptr);
- if (fr->fr_type == FR_T_IPF && fr->fr_datype == FRI_LOOKUP)
- ip_lookup_deref(fr->fr_dsttype, fr->fr_dstptr);
-#endif
-
- if (fr->fr_dsize) {
- KFREES(fr->fr_data, fr->fr_dsize);
- }
- if ((fr->fr_flags & FR_COPIED) != 0) {
- KFREE(fr);
- return 0;
- }
- return 1;
- } else {
- MUTEX_EXIT(&fr->fr_lock);
- }
- *frp = NULL;
- return -1;
-}
-
-
-#ifdef IPFILTER_LOOKUP
-/* ------------------------------------------------------------------------ */
-/* Function: fr_grpmapinit */
-/* Returns: int - 0 == success, else ESRCH because table entry not found*/
-/* Parameters: fr(I) - pointer to rule to find hash table for */
-/* */
-/* Looks for group hash table fr_arg and stores a pointer to it in fr_ptr. */
-/* fr_ptr is later used by fr_srcgrpmap and fr_dstgrpmap. */
-/* ------------------------------------------------------------------------ */
-static int fr_grpmapinit(fr)
-frentry_t *fr;
-{
- char name[FR_GROUPLEN];
- iphtable_t *iph;
-
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(name, sizeof(name), "%d", fr->fr_arg);
-#else
- (void) sprintf(name, "%d", fr->fr_arg);
-#endif
- iph = fr_findhtable(IPL_LOGIPF, name);
- if (iph == NULL)
- return ESRCH;
- if ((iph->iph_flags & FR_INOUT) != (fr->fr_flags & FR_INOUT))
- return ESRCH;
- fr->fr_ptr = iph;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_srcgrpmap */
-/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(IO) - pointer to current/new filter decision (unused) */
-/* */
-/* Look for a rule group head in a hash table, using the source address as */
-/* the key, and descend into that group and continue matching rules against */
-/* the packet. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_srcgrpmap(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- frgroup_t *fg;
- void *rval;
-
- rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_src);
- if (rval == NULL)
- return NULL;
-
- fg = rval;
- fin->fin_fr = fg->fg_start;
- (void) fr_scanlist(fin, *passp);
- return fin->fin_fr;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_dstgrpmap */
-/* Returns: frentry_t * - pointer to "new last matching" rule or NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(IO) - pointer to current/new filter decision (unused) */
-/* */
-/* Look for a rule group head in a hash table, using the destination */
-/* address as the key, and descend into that group and continue matching */
-/* rules against the packet. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_dstgrpmap(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- frgroup_t *fg;
- void *rval;
-
- rval = fr_iphmfindgroup(fin->fin_fr->fr_ptr, &fin->fin_dst);
- if (rval == NULL)
- return NULL;
-
- fg = rval;
- fin->fin_fr = fg->fg_start;
- (void) fr_scanlist(fin, *passp);
- return fin->fin_fr;
-}
-#endif /* IPFILTER_LOOKUP */
-
-/*
- * Queue functions
- * ===============
- * These functions manage objects on queues for efficient timeouts. There are
- * a number of system defined queues as well as user defined timeouts. It is
- * expected that a lock is held in the domain in which the queue belongs
- * (i.e. either state or NAT) when calling any of these functions that prevents
- * fr_freetimeoutqueue() from being called at the same time as any other.
- */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_addtimeoutqueue */
-/* Returns: struct ifqtq * - NULL if malloc fails, else pointer to */
-/* timeout queue with given interval. */
-/* Parameters: parent(I) - pointer to pointer to parent node of this list */
-/* of interface queues. */
-/* seconds(I) - timeout value in seconds for this queue. */
-/* */
-/* This routine first looks for a timeout queue that matches the interval */
-/* being requested. If it finds one, increments the reference counter and */
-/* returns a pointer to it. If none are found, it allocates a new one and */
-/* inserts it at the top of the list. */
-/* */
-/* Locking. */
-/* It is assumed that the caller of this function has an appropriate lock */
-/* held (exclusively) in the domain that encompases 'parent'. */
-/* ------------------------------------------------------------------------ */
-ipftq_t *fr_addtimeoutqueue(parent, seconds)
-ipftq_t **parent;
-u_int seconds;
-{
- ipftq_t *ifq;
- u_int period;
-
- period = seconds * IPF_HZ_DIVIDE;
-
- MUTEX_ENTER(&ipf_timeoutlock);
- for (ifq = *parent; ifq != NULL; ifq = ifq->ifq_next) {
- if (ifq->ifq_ttl == period) {
- /*
- * Reset the delete flag, if set, so the structure
- * gets reused rather than freed and reallocated.
- */
- MUTEX_ENTER(&ifq->ifq_lock);
- ifq->ifq_flags &= ~IFQF_DELETE;
- ifq->ifq_ref++;
- MUTEX_EXIT(&ifq->ifq_lock);
- MUTEX_EXIT(&ipf_timeoutlock);
-
- return ifq;
- }
- }
-
- KMALLOC(ifq, ipftq_t *);
- if (ifq != NULL) {
- ifq->ifq_ttl = period;
- ifq->ifq_head = NULL;
- ifq->ifq_tail = &ifq->ifq_head;
- ifq->ifq_next = *parent;
- ifq->ifq_pnext = parent;
- ifq->ifq_ref = 1;
- ifq->ifq_flags = IFQF_USER;
- *parent = ifq;
- fr_userifqs++;
- MUTEX_NUKE(&ifq->ifq_lock);
- MUTEX_INIT(&ifq->ifq_lock, "ipftq mutex");
- }
- MUTEX_EXIT(&ipf_timeoutlock);
- return ifq;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_deletetimeoutqueue */
-/* Returns: int - new reference count value of the timeout queue */
-/* Parameters: ifq(I) - timeout queue which is losing a reference. */
-/* Locks: ifq->ifq_lock */
-/* */
-/* This routine must be called when we're discarding a pointer to a timeout */
-/* queue object, taking care of the reference counter. */
-/* */
-/* Now that this just sets a DELETE flag, it requires the expire code to */
-/* check the list of user defined timeout queues and call the free function */
-/* below (currently commented out) to stop memory leaking. It is done this */
-/* way because the locking may not be sufficient to safely do a free when */
-/* this function is called. */
-/* ------------------------------------------------------------------------ */
-int fr_deletetimeoutqueue(ifq)
-ipftq_t *ifq;
-{
-
- ifq->ifq_ref--;
- if ((ifq->ifq_ref == 0) && ((ifq->ifq_flags & IFQF_USER) != 0)) {
- ifq->ifq_flags |= IFQF_DELETE;
- }
-
- return ifq->ifq_ref;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_freetimeoutqueue */
-/* Parameters: ifq(I) - timeout queue which is losing a reference. */
-/* Returns: Nil */
-/* */
-/* Locking: */
-/* It is assumed that the caller of this function has an appropriate lock */
-/* held (exclusively) in the domain that encompases the callers "domain". */
-/* The ifq_lock for this structure should not be held. */
-/* */
-/* Remove a user definde timeout queue from the list of queues it is in and */
-/* tidy up after this is done. */
-/* ------------------------------------------------------------------------ */
-void fr_freetimeoutqueue(ifq)
-ipftq_t *ifq;
-{
-
-
- if (((ifq->ifq_flags & IFQF_DELETE) == 0) || (ifq->ifq_ref != 0) ||
- ((ifq->ifq_flags & IFQF_USER) == 0)) {
- printf("fr_freetimeoutqueue(%lx) flags 0x%x ttl %d ref %d\n",
- (u_long)ifq, ifq->ifq_flags, ifq->ifq_ttl,
- ifq->ifq_ref);
- return;
- }
-
- /*
- * Remove from its position in the list.
- */
- *ifq->ifq_pnext = ifq->ifq_next;
- if (ifq->ifq_next != NULL)
- ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
-
- MUTEX_DESTROY(&ifq->ifq_lock);
- fr_userifqs--;
- KFREE(ifq);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_deletequeueentry */
-/* Returns: Nil */
-/* Parameters: tqe(I) - timeout queue entry to delete */
-/* ifq(I) - timeout queue to remove entry from */
-/* */
-/* Remove a tail queue entry from its queue and make it an orphan. */
-/* fr_deletetimeoutqueue is called to make sure the reference count on the */
-/* queue is correct. We can't, however, call fr_freetimeoutqueue because */
-/* the correct lock(s) may not be held that would make it safe to do so. */
-/* ------------------------------------------------------------------------ */
-void fr_deletequeueentry(tqe)
-ipftqent_t *tqe;
-{
- ipftq_t *ifq;
-
- ifq = tqe->tqe_ifq;
- if (ifq == NULL)
- return;
-
- MUTEX_ENTER(&ifq->ifq_lock);
-
- if (tqe->tqe_pnext != NULL) {
- *tqe->tqe_pnext = tqe->tqe_next;
- if (tqe->tqe_next != NULL)
- tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
- else /* we must be the tail anyway */
- ifq->ifq_tail = tqe->tqe_pnext;
-
- tqe->tqe_pnext = NULL;
- tqe->tqe_ifq = NULL;
- }
-
- (void) fr_deletetimeoutqueue(ifq);
-
- MUTEX_EXIT(&ifq->ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_queuefront */
-/* Returns: Nil */
-/* Parameters: tqe(I) - pointer to timeout queue entry */
-/* */
-/* Move a queue entry to the front of the queue, if it isn't already there. */
-/* ------------------------------------------------------------------------ */
-void fr_queuefront(tqe)
-ipftqent_t *tqe;
-{
- ipftq_t *ifq;
-
- ifq = tqe->tqe_ifq;
- if (ifq == NULL)
- return;
-
- MUTEX_ENTER(&ifq->ifq_lock);
- if (ifq->ifq_head != tqe) {
- *tqe->tqe_pnext = tqe->tqe_next;
- if (tqe->tqe_next)
- tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
- else
- ifq->ifq_tail = tqe->tqe_pnext;
-
- tqe->tqe_next = ifq->ifq_head;
- ifq->ifq_head->tqe_pnext = &tqe->tqe_next;
- ifq->ifq_head = tqe;
- tqe->tqe_pnext = &ifq->ifq_head;
- }
- MUTEX_EXIT(&ifq->ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_queueback */
-/* Returns: Nil */
-/* Parameters: tqe(I) - pointer to timeout queue entry */
-/* */
-/* Move a queue entry to the back of the queue, if it isn't already there. */
-/* ------------------------------------------------------------------------ */
-void fr_queueback(tqe)
-ipftqent_t *tqe;
-{
- ipftq_t *ifq;
-
- ifq = tqe->tqe_ifq;
- if (ifq == NULL)
- return;
- tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
-
- MUTEX_ENTER(&ifq->ifq_lock);
- if (tqe->tqe_next == NULL) { /* at the end already ? */
- MUTEX_EXIT(&ifq->ifq_lock);
- return;
- }
-
- /*
- * Remove from list
- */
- *tqe->tqe_pnext = tqe->tqe_next;
- tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
-
- /*
- * Make it the last entry.
- */
- tqe->tqe_next = NULL;
- tqe->tqe_pnext = ifq->ifq_tail;
- *ifq->ifq_tail = tqe;
- ifq->ifq_tail = &tqe->tqe_next;
- MUTEX_EXIT(&ifq->ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_queueappend */
-/* Returns: Nil */
-/* Parameters: tqe(I) - pointer to timeout queue entry */
-/* ifq(I) - pointer to timeout queue */
-/* parent(I) - owing object pointer */
-/* */
-/* Add a new item to this queue and put it on the very end. */
-/* ------------------------------------------------------------------------ */
-void fr_queueappend(tqe, ifq, parent)
-ipftqent_t *tqe;
-ipftq_t *ifq;
-void *parent;
-{
-
- MUTEX_ENTER(&ifq->ifq_lock);
- tqe->tqe_parent = parent;
- tqe->tqe_pnext = ifq->ifq_tail;
- *ifq->ifq_tail = tqe;
- ifq->ifq_tail = &tqe->tqe_next;
- tqe->tqe_next = NULL;
- tqe->tqe_ifq = ifq;
- tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
- ifq->ifq_ref++;
- MUTEX_EXIT(&ifq->ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_movequeue */
-/* Returns: Nil */
-/* Parameters: tq(I) - pointer to timeout queue information */
-/* oifp(I) - old timeout queue entry was on */
-/* nifp(I) - new timeout queue to put entry on */
-/* */
-/* Move a queue entry from one timeout queue to another timeout queue. */
-/* If it notices that the current entry is already last and does not need */
-/* to move queue, the return. */
-/* ------------------------------------------------------------------------ */
-void fr_movequeue(tqe, oifq, nifq)
-ipftqent_t *tqe;
-ipftq_t *oifq, *nifq;
-{
- /*
- * Is the operation here going to be a no-op ?
- */
- MUTEX_ENTER(&oifq->ifq_lock);
- if (oifq == nifq && *oifq->ifq_tail == tqe) {
- MUTEX_EXIT(&oifq->ifq_lock);
- return;
- }
-
- /*
- * Remove from the old queue
- */
- *tqe->tqe_pnext = tqe->tqe_next;
- if (tqe->tqe_next)
- tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
- else
- oifq->ifq_tail = tqe->tqe_pnext;
- tqe->tqe_next = NULL;
-
- /*
- * If we're moving from one queue to another, release the lock on the
- * old queue and get a lock on the new queue. For user defined queues,
- * if we're moving off it, call delete in case it can now be freed.
- */
- if (oifq != nifq) {
- tqe->tqe_ifq = NULL;
-
- (void) fr_deletetimeoutqueue(oifq);
-
- MUTEX_EXIT(&oifq->ifq_lock);
-
- MUTEX_ENTER(&nifq->ifq_lock);
-
- tqe->tqe_ifq = nifq;
- nifq->ifq_ref++;
- }
-
- /*
- * Add to the bottom of the new queue
- */
- tqe->tqe_die = fr_ticks + nifq->ifq_ttl;
- tqe->tqe_pnext = nifq->ifq_tail;
- *nifq->ifq_tail = tqe;
- nifq->ifq_tail = &tqe->tqe_next;
- MUTEX_EXIT(&nifq->ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_updateipid */
-/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* When we are doing NAT, change the IP of every packet to represent a */
-/* single sequence of packets coming from the host, hiding any host */
-/* specific sequencing that might otherwise be revealed. If the packet is */
-/* a fragment, then store the 'new' IPid in the fragment cache and look up */
-/* the fragment cache for non-leading fragments. If a non-leading fragment */
-/* has no match in the cache, return an error. */
-/* ------------------------------------------------------------------------ */
-static INLINE int fr_updateipid(fin)
-fr_info_t *fin;
-{
- u_short id, ido, sums;
- u_32_t sumd, sum;
- ip_t *ip;
-
- if (fin->fin_off != 0) {
- sum = fr_ipid_knownfrag(fin);
- if (sum == 0xffffffff)
- return -1;
- sum &= 0xffff;
- id = (u_short)sum;
- } else {
- id = fr_nextipid(fin);
- if (fin->fin_off == 0 && (fin->fin_flx & FI_FRAG) != 0)
- (void) fr_ipid_newfrag(fin, (u_32_t)id);
- }
-
- ip = fin->fin_ip;
- ido = ntohs(ip->ip_id);
- if (id == ido)
- return 0;
- ip->ip_id = htons(id);
- CALC_SUMD(ido, id, sumd); /* DESTRUCTIVE MACRO! id,ido change */
- sum = (~ntohs(ip->ip_sum)) & 0xffff;
- sum += sumd;
- sum = (sum >> 16) + (sum & 0xffff);
- sum = (sum >> 16) + (sum & 0xffff);
- sums = ~(u_short)sum;
- ip->ip_sum = htons(sums);
- return 0;
-}
-
-
-#ifdef NEED_FRGETIFNAME
-/* ------------------------------------------------------------------------ */
-/* Function: fr_getifname */
-/* Returns: char * - pointer to interface name */
-/* Parameters: ifp(I) - pointer to network interface */
-/* buffer(O) - pointer to where to store interface name */
-/* */
-/* Constructs an interface name in the buffer passed. The buffer passed is */
-/* expected to be at least LIFNAMSIZ in bytes big. If buffer is passed in */
-/* as a NULL pointer then return a pointer to a static array. */
-/* ------------------------------------------------------------------------ */
-char *fr_getifname(ifp, buffer)
-struct ifnet *ifp;
-char *buffer;
-{
- static char namebuf[LIFNAMSIZ];
-# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
- defined(__sgi) || defined(linux) || \
- (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
- int unit, space;
- char temp[20];
- char *s;
-# endif
-
- if (buffer == NULL)
- buffer = namebuf;
- (void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
- buffer[LIFNAMSIZ - 1] = '\0';
-# if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
- defined(__sgi) || \
- (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
- for (s = buffer; *s; s++)
- ;
- unit = ifp->if_unit;
- space = LIFNAMSIZ - (s - buffer);
- if (space > 0) {
-# if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(temp, sizeof(temp), "%d", unit);
-# else
- (void) sprintf(temp, "%d", unit);
-# endif
- (void) strncpy(s, temp, space);
- }
-# endif
- return buffer;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ioctlswitch */
-/* Returns: int - -1 continue processing, else ioctl return value */
-/* Parameters: unit(I) - device unit opened */
-/* data(I) - pointer to ioctl data */
-/* cmd(I) - ioctl command */
-/* mode(I) - mode value */
-/* */
-/* Based on the value of unit, call the appropriate ioctl handler or return */
-/* EIO if ipfilter is not running. Also checks if write perms are req'd */
-/* for the device in order to execute the ioctl. */
-/* ------------------------------------------------------------------------ */
-int fr_ioctlswitch(unit, data, cmd, mode)
-int unit, mode;
-ioctlcmd_t cmd;
-void *data;
-{
- int error = 0;
-
- switch (unit)
- {
- case IPL_LOGIPF :
- error = -1;
- break;
- case IPL_LOGNAT :
- if (fr_running > 0)
- error = fr_nat_ioctl(data, cmd, mode);
- else
- error = EIO;
- break;
- case IPL_LOGSTATE :
- if (fr_running > 0)
- error = fr_state_ioctl(data, cmd, mode);
- else
- error = EIO;
- break;
- case IPL_LOGAUTH :
- if (fr_running > 0) {
- if ((cmd == (ioctlcmd_t)SIOCADAFR) ||
- (cmd == (ioctlcmd_t)SIOCRMAFR)) {
- if (!(mode & FWRITE)) {
- error = EPERM;
- } else {
- error = frrequest(unit, cmd, data,
- fr_active, 1);
- }
- } else {
- error = fr_auth_ioctl(data, cmd, mode);
- }
- } else
- error = EIO;
- break;
- case IPL_LOGSYNC :
-#ifdef IPFILTER_SYNC
- if (fr_running > 0)
- error = fr_sync_ioctl(data, cmd, mode);
- else
-#endif
- error = EIO;
- break;
- case IPL_LOGSCAN :
-#ifdef IPFILTER_SCAN
- if (fr_running > 0)
- error = fr_scan_ioctl(data, cmd, mode);
- else
-#endif
- error = EIO;
- break;
- case IPL_LOGLOOKUP :
-#ifdef IPFILTER_LOOKUP
- if (fr_running > 0)
- error = ip_lookup_ioctl(data, cmd, mode);
- else
-#endif
- error = EIO;
- break;
- default :
- error = EIO;
- break;
- }
-
- return error;
-}
-
-
-/*
- * This array defines the expected size of objects coming into the kernel
- * for the various recognised object types.
- */
-#define NUM_OBJ_TYPES 14
-
-static int fr_objbytes[NUM_OBJ_TYPES][2] = {
- { 1, sizeof(struct frentry) }, /* frentry */
- { 0, sizeof(struct friostat) },
- { 0, sizeof(struct fr_info) },
- { 0, sizeof(struct fr_authstat) },
- { 0, sizeof(struct ipfrstat) },
- { 0, sizeof(struct ipnat) },
- { 0, sizeof(struct natstat) },
- { 0, sizeof(struct ipstate_save) },
- { 1, sizeof(struct nat_save) }, /* nat_save */
- { 0, sizeof(struct natlookup) },
- { 1, sizeof(struct ipstate) }, /* ipstate */
- { 0, sizeof(struct ips_stat) },
- { 0, sizeof(struct frauth) },
- { 0, sizeof(struct ipftune) }
-};
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_inobj */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* ptr(I) - pointer to store real data in */
-/* type(I) - type of structure being moved */
-/* */
-/* Copy in the contents of what the ipfobj_t points to. In future, we */
-/* add things to check for version numbers, sizes, etc, to make it backward */
-/* compatible at the ABI for user land. */
-/* ------------------------------------------------------------------------ */
-int fr_inobj(data, ptr, type)
-void *data;
-void *ptr;
-int type;
-{
- ipfobj_t obj;
- int error = 0;
-
- if ((type < 0) || (type > NUM_OBJ_TYPES-1))
- return EINVAL;
-
- BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
-
- if (obj.ipfo_type != type)
- return EINVAL;
-
-#ifndef IPFILTER_COMPAT
- if ((fr_objbytes[type][0] & 1) != 0) {
- if (obj.ipfo_size < fr_objbytes[type][1])
- return EINVAL;
- } else if (obj.ipfo_size != fr_objbytes[type][1])
- return EINVAL;
-#else
- if (obj.ipfo_rev != IPFILTER_VERSION)
- /* XXX compatibility hook here */
- ;
- if ((fr_objbytes[type][0] & 1) != 0) {
- if (obj.ipfo_size < fr_objbytes[type][1])
- /* XXX compatibility hook here */
- return EINVAL;
- } else if (obj.ipfo_size != fr_objbytes[type][1])
- /* XXX compatibility hook here */
- return EINVAL;
-#endif
-
- if ((fr_objbytes[type][0] & 1) != 0) {
- error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
- fr_objbytes[type][1]);
- } else {
- error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr,
- obj.ipfo_size);
- }
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_inobjsz */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* ptr(I) - pointer to store real data in */
-/* type(I) - type of structure being moved */
-/* sz(I) - size of data to copy */
-/* */
-/* As per fr_inobj, except the size of the object to copy in is passed in */
-/* but it must not be smaller than the size defined for the type and the */
-/* type must allow for varied sized objects. The extra requirement here is */
-/* that sz must match the size of the object being passed in - this is not */
-/* not possible nor required in fr_inobj(). */
-/* ------------------------------------------------------------------------ */
-int fr_inobjsz(data, ptr, type, sz)
-void *data;
-void *ptr;
-int type, sz;
-{
- ipfobj_t obj;
- int error;
-
- if ((type < 0) || (type > NUM_OBJ_TYPES-1))
- return EINVAL;
- if (((fr_objbytes[type][0] & 1) == 0) || (sz < fr_objbytes[type][1]))
- return EINVAL;
-
- BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
-
- if (obj.ipfo_type != type)
- return EINVAL;
-
-#ifndef IPFILTER_COMPAT
- if (obj.ipfo_size != sz)
- return EINVAL;
-#else
- if (obj.ipfo_rev != IPFILTER_VERSION)
- /* XXX compatibility hook here */
- ;
- if (obj.ipfo_size != sz)
- /* XXX compatibility hook here */
- return EINVAL;
-#endif
-
- error = COPYIN((caddr_t)obj.ipfo_ptr, (caddr_t)ptr, sz);
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_outobjsz */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* ptr(I) - pointer to store real data in */
-/* type(I) - type of structure being moved */
-/* sz(I) - size of data to copy */
-/* */
-/* As per fr_outobj, except the size of the object to copy out is passed in */
-/* but it must not be smaller than the size defined for the type and the */
-/* type must allow for varied sized objects. The extra requirement here is */
-/* that sz must match the size of the object being passed in - this is not */
-/* not possible nor required in fr_outobj(). */
-/* ------------------------------------------------------------------------ */
-int fr_outobjsz(data, ptr, type, sz)
-void *data;
-void *ptr;
-int type, sz;
-{
- ipfobj_t obj;
- int error;
-
- if ((type < 0) || (type > NUM_OBJ_TYPES-1) ||
- ((fr_objbytes[type][0] & 1) == 0) ||
- (sz < fr_objbytes[type][1]))
- return EINVAL;
-
- BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
-
- if (obj.ipfo_type != type)
- return EINVAL;
-
-#ifndef IPFILTER_COMPAT
- if (obj.ipfo_size != sz)
- return EINVAL;
-#else
- if (obj.ipfo_rev != IPFILTER_VERSION)
- /* XXX compatibility hook here */
- ;
- if (obj.ipfo_size != sz)
- /* XXX compatibility hook here */
- return EINVAL;
-#endif
-
- error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, sz);
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_outobj */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* ptr(I) - pointer to store real data in */
-/* type(I) - type of structure being moved */
-/* */
-/* Copy out the contents of what ptr is to where ipfobj points to. In */
-/* future, we add things to check for version numbers, sizes, etc, to make */
-/* it backward compatible at the ABI for user land. */
-/* ------------------------------------------------------------------------ */
-int fr_outobj(data, ptr, type)
-void *data;
-void *ptr;
-int type;
-{
- ipfobj_t obj;
- int error;
-
- if ((type < 0) || (type > NUM_OBJ_TYPES-1))
- return EINVAL;
-
- BCOPYIN((caddr_t)data, (caddr_t)&obj, sizeof(obj));
-
- if (obj.ipfo_type != type)
- return EINVAL;
-
-#ifndef IPFILTER_COMPAT
- if ((fr_objbytes[type][0] & 1) != 0) {
- if (obj.ipfo_size < fr_objbytes[type][1])
- return EINVAL;
- } else if (obj.ipfo_size != fr_objbytes[type][1])
- return EINVAL;
-#else
- if (obj.ipfo_rev != IPFILTER_VERSION)
- /* XXX compatibility hook here */
- ;
- if ((fr_objbytes[type][0] & 1) != 0) {
- if (obj.ipfo_size < fr_objbytes[type][1])
- /* XXX compatibility hook here */
- return EINVAL;
- } else if (obj.ipfo_size != fr_objbytes[type][1])
- /* XXX compatibility hook here */
- return EINVAL;
-#endif
-
- error = COPYOUT((caddr_t)ptr, (caddr_t)obj.ipfo_ptr, obj.ipfo_size);
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checkl4sum */
-/* Returns: int - 0 = good, -1 = bad, 1 = cannot check */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* If possible, calculate the layer 4 checksum for the packet. If this is */
-/* not possible, return without indicating a failure or success but in a */
-/* way that is ditinguishable. */
-/* ------------------------------------------------------------------------ */
-int fr_checkl4sum(fin)
-fr_info_t *fin;
-{
- u_short sum, hdrsum, *csump;
- udphdr_t *udp;
- int dosum;
-
- if ((fin->fin_flx & FI_NOCKSUM) != 0)
- return 0;
-
- /*
- * If the TCP packet isn't a fragment, isn't too short and otherwise
- * isn't already considered "bad", then validate the checksum. If
- * this check fails then considered the packet to be "bad".
- */
- if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
- return 1;
-
- csump = NULL;
- hdrsum = 0;
- dosum = 0;
- sum = 0;
-
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
- if (dohwcksum && ((*fin->fin_mp)->b_ick_flag == ICK_VALID)) {
- hdrsum = 0;
- sum = 0;
- } else {
-#endif
- switch (fin->fin_p)
- {
- case IPPROTO_TCP :
- csump = &((tcphdr_t *)fin->fin_dp)->th_sum;
- dosum = 1;
- break;
-
- case IPPROTO_UDP :
- udp = fin->fin_dp;
- if (udp->uh_sum != 0) {
- csump = &udp->uh_sum;
- dosum = 1;
- }
- break;
-
- case IPPROTO_ICMP :
- csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
- dosum = 1;
- break;
-
- default :
- return 1;
- /*NOTREACHED*/
- }
-
- if (csump != NULL)
- hdrsum = *csump;
-
- if (dosum)
- sum = fr_cksum(fin->fin_m, fin->fin_ip,
- fin->fin_p, fin->fin_dp);
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
- }
-#endif
-#if !defined(_KERNEL)
- if (sum == hdrsum) {
- FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum));
- } else {
- FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum));
- }
-#endif
- if (hdrsum == sum)
- return 0;
- return -1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ifpfillv4addr */
-/* Returns: int - 0 = address update, -1 = address not updated */
-/* Parameters: atype(I) - type of network address update to perform */
-/* sin(I) - pointer to source of address information */
-/* mask(I) - pointer to source of netmask information */
-/* inp(I) - pointer to destination address store */
-/* inpmask(I) - pointer to destination netmask store */
-/* */
-/* Given a type of network address update (atype) to perform, copy */
-/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
-/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
-/* which case the operation fails. For all values of atype other than */
-/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
-/* value. */
-/* ------------------------------------------------------------------------ */
-int fr_ifpfillv4addr(atype, sin, mask, inp, inpmask)
-int atype;
-struct sockaddr_in *sin, *mask;
-struct in_addr *inp, *inpmask;
-{
- if (inpmask != NULL && atype != FRI_NETMASKED)
- inpmask->s_addr = 0xffffffff;
-
- if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
- if (atype == FRI_NETMASKED) {
- if (inpmask == NULL)
- return -1;
- inpmask->s_addr = mask->sin_addr.s_addr;
- }
- inp->s_addr = sin->sin_addr.s_addr & mask->sin_addr.s_addr;
- } else {
- inp->s_addr = sin->sin_addr.s_addr;
- }
- return 0;
-}
-
-
-#ifdef USE_INET6
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ifpfillv6addr */
-/* Returns: int - 0 = address update, -1 = address not updated */
-/* Parameters: atype(I) - type of network address update to perform */
-/* sin(I) - pointer to source of address information */
-/* mask(I) - pointer to source of netmask information */
-/* inp(I) - pointer to destination address store */
-/* inpmask(I) - pointer to destination netmask store */
-/* */
-/* Given a type of network address update (atype) to perform, copy */
-/* information from sin/mask into inp/inpmask. If ipnmask is NULL then no */
-/* netmask update is performed unless FRI_NETMASKED is passed as atype, in */
-/* which case the operation fails. For all values of atype other than */
-/* FRI_NETMASKED, if inpmask is non-NULL then the mask is set to an all 1s */
-/* value. */
-/* ------------------------------------------------------------------------ */
-int fr_ifpfillv6addr(atype, sin, mask, inp, inpmask)
-int atype;
-struct sockaddr_in6 *sin, *mask;
-struct in_addr *inp, *inpmask;
-{
- i6addr_t *src, *dst, *and, *dmask;
-
- src = (i6addr_t *)&sin->sin6_addr;
- and = (i6addr_t *)&mask->sin6_addr;
- dst = (i6addr_t *)inp;
- dmask = (i6addr_t *)inpmask;
-
- if (inpmask != NULL && atype != FRI_NETMASKED) {
- dmask->i6[0] = 0xffffffff;
- dmask->i6[1] = 0xffffffff;
- dmask->i6[2] = 0xffffffff;
- dmask->i6[3] = 0xffffffff;
- }
-
- if (atype == FRI_NETWORK || atype == FRI_NETMASKED) {
- if (atype == FRI_NETMASKED) {
- if (inpmask == NULL)
- return -1;
- dmask->i6[0] = and->i6[0];
- dmask->i6[1] = and->i6[1];
- dmask->i6[2] = and->i6[2];
- dmask->i6[3] = and->i6[3];
- }
-
- dst->i6[0] = src->i6[0] & and->i6[0];
- dst->i6[1] = src->i6[1] & and->i6[1];
- dst->i6[2] = src->i6[2] & and->i6[2];
- dst->i6[3] = src->i6[3] & and->i6[3];
- } else {
- dst->i6[0] = src->i6[0];
- dst->i6[1] = src->i6[1];
- dst->i6[2] = src->i6[2];
- dst->i6[3] = src->i6[3];
- }
- return 0;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_matchtag */
-/* Returns: 0 == mismatch, 1 == match. */
-/* Parameters: tag1(I) - pointer to first tag to compare */
-/* tag2(I) - pointer to second tag to compare */
-/* */
-/* Returns true (non-zero) or false(0) if the two tag structures can be */
-/* considered to be a match or not match, respectively. The tag is 16 */
-/* bytes long (16 characters) but that is overlayed with 4 32bit ints so */
-/* compare the ints instead, for speed. tag1 is the master of the */
-/* comparison. This function should only be called with both tag1 and tag2 */
-/* as non-NULL pointers. */
-/* ------------------------------------------------------------------------ */
-int fr_matchtag(tag1, tag2)
-ipftag_t *tag1, *tag2;
-{
- if (tag1 == tag2)
- return 1;
-
- if ((tag1->ipt_num[0] == 0) && (tag2->ipt_num[0] == 0))
- return 1;
-
- if ((tag1->ipt_num[0] == tag2->ipt_num[0]) &&
- (tag1->ipt_num[1] == tag2->ipt_num[1]) &&
- (tag1->ipt_num[2] == tag2->ipt_num[2]) &&
- (tag1->ipt_num[3] == tag2->ipt_num[3]))
- return 1;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_coalesce */
-/* Returns: 1 == success, -1 == failure, 0 == no change */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Attempt to get all of the packet data into a single, contiguous buffer. */
-/* If this call returns a failure then the buffers have also been freed. */
-/* ------------------------------------------------------------------------ */
-int fr_coalesce(fin)
-fr_info_t *fin;
-{
- if ((fin->fin_flx & FI_COALESCE) != 0)
- return 1;
-
- /*
- * If the mbuf pointers indicate that there is no mbuf to work with,
- * return but do not indicate success or failure.
- */
- if (fin->fin_m == NULL || fin->fin_mp == NULL)
- return 0;
-
-#if defined(_KERNEL)
- if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
- ATOMIC_INCL(fr_badcoalesces[fin->fin_out]);
-# ifdef MENTAT
- FREE_MB_T(*fin->fin_mp);
-# endif
- *fin->fin_mp = NULL;
- fin->fin_m = NULL;
- return -1;
- }
-#else
- fin = fin; /* LINT */
-#endif
- return 1;
-}
-
-
-/*
- * The following table lists all of the tunable variables that can be
- * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row
- * in the table below is as follows:
- *
- * pointer to value, name of value, minimum, maximum, size of the value's
- * container, value attribute flags
- *
- * For convienience, IPFT_RDONLY means the value is read-only, IPFT_WRDISABLED
- * means the value can only be written to when IPFilter is loaded but disabled.
- * The obvious implication is if neither of these are set then the value can be
- * changed at any time without harm.
- */
-ipftuneable_t ipf_tuneables[] = {
- /* filtering */
- { { &fr_flags }, "fr_flags", 0, 0xffffffff,
- sizeof(fr_flags), 0 },
- { { &fr_active }, "fr_active", 0, 0,
- sizeof(fr_active), IPFT_RDONLY },
- { { &fr_control_forwarding }, "fr_control_forwarding", 0, 1,
- sizeof(fr_control_forwarding), 0 },
- { { &fr_update_ipid }, "fr_update_ipid", 0, 1,
- sizeof(fr_update_ipid), 0 },
- { { &fr_chksrc }, "fr_chksrc", 0, 1,
- sizeof(fr_chksrc), 0 },
- { { &fr_pass }, "fr_pass", 0, 0xffffffff,
- sizeof(fr_pass), 0 },
- /* state */
- { { &fr_tcpidletimeout }, "fr_tcpidletimeout", 1, 0x7fffffff,
- sizeof(fr_tcpidletimeout), IPFT_WRDISABLED },
- { { &fr_tcpclosewait }, "fr_tcpclosewait", 1, 0x7fffffff,
- sizeof(fr_tcpclosewait), IPFT_WRDISABLED },
- { { &fr_tcplastack }, "fr_tcplastack", 1, 0x7fffffff,
- sizeof(fr_tcplastack), IPFT_WRDISABLED },
- { { &fr_tcptimeout }, "fr_tcptimeout", 1, 0x7fffffff,
- sizeof(fr_tcptimeout), IPFT_WRDISABLED },
- { { &fr_tcpclosed }, "fr_tcpclosed", 1, 0x7fffffff,
- sizeof(fr_tcpclosed), IPFT_WRDISABLED },
- { { &fr_tcphalfclosed }, "fr_tcphalfclosed", 1, 0x7fffffff,
- sizeof(fr_tcphalfclosed), IPFT_WRDISABLED },
- { { &fr_udptimeout }, "fr_udptimeout", 1, 0x7fffffff,
- sizeof(fr_udptimeout), IPFT_WRDISABLED },
- { { &fr_udpacktimeout }, "fr_udpacktimeout", 1, 0x7fffffff,
- sizeof(fr_udpacktimeout), IPFT_WRDISABLED },
- { { &fr_icmptimeout }, "fr_icmptimeout", 1, 0x7fffffff,
- sizeof(fr_icmptimeout), IPFT_WRDISABLED },
- { { &fr_icmpacktimeout }, "fr_icmpacktimeout", 1, 0x7fffffff,
- sizeof(fr_icmpacktimeout), IPFT_WRDISABLED },
- { { &fr_iptimeout }, "fr_iptimeout", 1, 0x7fffffff,
- sizeof(fr_iptimeout), IPFT_WRDISABLED },
- { { &fr_statemax }, "fr_statemax", 1, 0x7fffffff,
- sizeof(fr_statemax), 0 },
- { { &fr_statesize }, "fr_statesize", 1, 0x7fffffff,
- sizeof(fr_statesize), IPFT_WRDISABLED },
- { { &fr_state_lock }, "fr_state_lock", 0, 1,
- sizeof(fr_state_lock), IPFT_RDONLY },
- { { &fr_state_maxbucket }, "fr_state_maxbucket", 1, 0x7fffffff,
- sizeof(fr_state_maxbucket), IPFT_WRDISABLED },
- { { &fr_state_maxbucket_reset }, "fr_state_maxbucket_reset", 0, 1,
- sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED },
- { { &ipstate_logging }, "ipstate_logging", 0, 1,
- sizeof(ipstate_logging), 0 },
- /* nat */
- { { &fr_nat_lock }, "fr_nat_lock", 0, 1,
- sizeof(fr_nat_lock), IPFT_RDONLY },
- { { &ipf_nattable_sz }, "ipf_nattable_sz", 1, 0x7fffffff,
- sizeof(ipf_nattable_sz), IPFT_WRDISABLED },
- { { &ipf_nattable_max }, "ipf_nattable_max", 1, 0x7fffffff,
- sizeof(ipf_nattable_max), 0 },
- { { &ipf_natrules_sz }, "ipf_natrules_sz", 1, 0x7fffffff,
- sizeof(ipf_natrules_sz), IPFT_WRDISABLED },
- { { &ipf_rdrrules_sz }, "ipf_rdrrules_sz", 1, 0x7fffffff,
- sizeof(ipf_rdrrules_sz), IPFT_WRDISABLED },
- { { &ipf_hostmap_sz }, "ipf_hostmap_sz", 1, 0x7fffffff,
- sizeof(ipf_hostmap_sz), IPFT_WRDISABLED },
- { { &fr_nat_maxbucket }, "fr_nat_maxbucket", 1, 0x7fffffff,
- sizeof(fr_nat_maxbucket), IPFT_WRDISABLED },
- { { &fr_nat_maxbucket_reset }, "fr_nat_maxbucket_reset", 0, 1,
- sizeof(fr_nat_maxbucket_reset), IPFT_WRDISABLED },
- { { &nat_logging }, "nat_logging", 0, 1,
- sizeof(nat_logging), 0 },
- { { &fr_defnatage }, "fr_defnatage", 1, 0x7fffffff,
- sizeof(fr_defnatage), IPFT_WRDISABLED },
- { { &fr_defnatipage }, "fr_defnatipage", 1, 0x7fffffff,
- sizeof(fr_defnatipage), IPFT_WRDISABLED },
- { { &fr_defnaticmpage }, "fr_defnaticmpage", 1, 0x7fffffff,
- sizeof(fr_defnaticmpage), IPFT_WRDISABLED },
- /* frag */
- { { &ipfr_size }, "ipfr_size", 1, 0x7fffffff,
- sizeof(ipfr_size), IPFT_WRDISABLED },
- { { &fr_ipfrttl }, "fr_ipfrttl", 1, 0x7fffffff,
- sizeof(fr_ipfrttl), IPFT_WRDISABLED },
-#ifdef IPFILTER_LOG
- /* log */
- { { &ipl_suppress }, "ipl_suppress", 0, 1,
- sizeof(ipl_suppress), 0 },
- { { &ipl_buffer_sz }, "ipl_buffer_sz", 0, 0,
- sizeof(ipl_buffer_sz), IPFT_RDONLY },
- { { &ipl_logmax }, "ipl_logmax", 0, 0x7fffffff,
- sizeof(ipl_logmax), IPFT_WRDISABLED },
- { { &ipl_logall }, "ipl_logall", 0, 1,
- sizeof(ipl_logall), 0 },
- { { &ipl_logsize }, "ipl_logsize", 0, 0x80000,
- sizeof(ipl_logsize), 0 },
-#endif
- { { NULL }, NULL, 0, 0 }
-};
-
-static ipftuneable_t *ipf_tunelist = NULL;
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_findtunebycookie */
-/* Returns: NULL = search failed, else pointer to tune struct */
-/* Parameters: cookie(I) - cookie value to search for amongst tuneables */
-/* next(O) - pointer to place to store the cookie for the */
-/* "next" tuneable, if it is desired. */
-/* */
-/* This function is used to walk through all of the existing tunables with */
-/* successive calls. It searches the known tunables for the one which has */
-/* a matching value for "cookie" - ie its address. When returning a match, */
-/* the next one to be found may be returned inside next. */
-/* ------------------------------------------------------------------------ */
-static ipftuneable_t *fr_findtunebycookie(cookie, next)
-void *cookie, **next;
-{
- ipftuneable_t *ta, **tap;
-
- for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
- if (ta == cookie) {
- if (next != NULL) {
- /*
- * If the next entry in the array has a name
- * present, then return a pointer to it for
- * where to go next, else return a pointer to
- * the dynaminc list as a key to search there
- * next. This facilitates a weak linking of
- * the two "lists" together.
- */
- if ((ta + 1)->ipft_name != NULL)
- *next = ta + 1;
- else
- *next = &ipf_tunelist;
- }
- return ta;
- }
-
- for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
- if (tap == cookie) {
- if (next != NULL)
- *next = &ta->ipft_next;
- return ta;
- }
-
- if (next != NULL)
- *next = NULL;
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_findtunebyname */
-/* Returns: NULL = search failed, else pointer to tune struct */
-/* Parameters: name(I) - name of the tuneable entry to find. */
-/* */
-/* Search the static array of tuneables and the list of dynamic tuneables */
-/* for an entry with a matching name. If we can find one, return a pointer */
-/* to the matching structure. */
-/* ------------------------------------------------------------------------ */
-static ipftuneable_t *fr_findtunebyname(name)
-char *name;
-{
- ipftuneable_t *ta;
-
- for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++)
- if (!strcmp(ta->ipft_name, name)) {
- return ta;
- }
-
- for (ta = ipf_tunelist; ta != NULL; ta = ta->ipft_next)
- if (!strcmp(ta->ipft_name, name)) {
- return ta;
- }
-
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_addipftune */
-/* Returns: int - 0 == success, else failure */
-/* Parameters: newtune - pointer to new tune struct to add to tuneables */
-/* */
-/* Appends the tune structure pointer to by "newtune" to the end of the */
-/* current list of "dynamic" tuneable parameters. Once added, the owner */
-/* of the object is not expected to ever change "ipft_next". */
-/* ------------------------------------------------------------------------ */
-int fr_addipftune(newtune)
-ipftuneable_t *newtune;
-{
- ipftuneable_t *ta, **tap;
-
- ta = fr_findtunebyname(newtune->ipft_name);
- if (ta != NULL)
- return EEXIST;
-
- for (tap = &ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next)
- ;
-
- newtune->ipft_next = NULL;
- *tap = newtune;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_delipftune */
-/* Returns: int - 0 == success, else failure */
-/* Parameters: oldtune - pointer to tune struct to remove from the list of */
-/* current dynamic tuneables */
-/* */
-/* Search for the tune structure, by pointer, in the list of those that are */
-/* dynamically added at run time. If found, adjust the list so that this */
-/* structure is no longer part of it. */
-/* ------------------------------------------------------------------------ */
-int fr_delipftune(oldtune)
-ipftuneable_t *oldtune;
-{
- ipftuneable_t *ta, **tap;
-
- for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next)
- if (ta == oldtune) {
- *tap = oldtune->ipft_next;
- oldtune->ipft_next = NULL;
- return 0;
- }
-
- return ESRCH;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ipftune */
-/* Returns: int - 0 == success, else failure */
-/* Parameters: cmd(I) - ioctl command number */
-/* data(I) - pointer to ioctl data structure */
-/* */
-/* Implement handling of SIOCIPFGETNEXT, SIOCIPFGET and SIOCIPFSET. These */
-/* three ioctls provide the means to access and control global variables */
-/* within IPFilter, allowing (for example) timeouts and table sizes to be */
-/* changed without rebooting, reloading or recompiling. The initialisation */
-/* and 'destruction' routines of the various components of ipfilter are all */
-/* each responsible for handling their own values being too big. */
-/* ------------------------------------------------------------------------ */
-int fr_ipftune(cmd, data)
-ioctlcmd_t cmd;
-void *data;
-{
- ipftuneable_t *ta;
- ipftune_t tu;
- void *cookie;
- int error;
-
- error = fr_inobj(data, &tu, IPFOBJ_TUNEABLE);
- if (error != 0)
- return error;
-
- tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
- cookie = tu.ipft_cookie;
- ta = NULL;
-
- switch (cmd)
- {
- case SIOCIPFGETNEXT :
- /*
- * If cookie is non-NULL, assume it to be a pointer to the last
- * entry we looked at, so find it (if possible) and return a
- * pointer to the next one after it. The last entry in the
- * the table is a NULL entry, so when we get to it, set cookie
- * to NULL and return that, indicating end of list, erstwhile
- * if we come in with cookie set to NULL, we are starting anew
- * at the front of the list.
- */
- if (cookie != NULL) {
- ta = fr_findtunebycookie(cookie, &tu.ipft_cookie);
- } else {
- ta = ipf_tuneables;
- tu.ipft_cookie = ta + 1;
- }
- if (ta != NULL) {
- /*
- * Entry found, but does the data pointed to by that
- * row fit in what we can return?
- */
- if (ta->ipft_sz > sizeof(tu.ipft_un))
- return EINVAL;
-
- tu.ipft_vlong = 0;
- if (ta->ipft_sz == sizeof(u_long))
- tu.ipft_vlong = *ta->ipft_plong;
- else if (ta->ipft_sz == sizeof(u_int))
- tu.ipft_vint = *ta->ipft_pint;
- else if (ta->ipft_sz == sizeof(u_short))
- tu.ipft_vshort = *ta->ipft_pshort;
- else if (ta->ipft_sz == sizeof(u_char))
- tu.ipft_vchar = *ta->ipft_pchar;
-
- tu.ipft_sz = ta->ipft_sz;
- tu.ipft_min = ta->ipft_min;
- tu.ipft_max = ta->ipft_max;
- tu.ipft_flags = ta->ipft_flags;
- bcopy(ta->ipft_name, tu.ipft_name,
- MIN(sizeof(tu.ipft_name),
- strlen(ta->ipft_name) + 1));
- }
- error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
- break;
-
- case SIOCIPFGET :
- case SIOCIPFSET :
- /*
- * Search by name or by cookie value for a particular entry
- * in the tuning paramter table.
- */
- error = ESRCH;
- if (cookie != NULL) {
- ta = fr_findtunebycookie(cookie, NULL);
- if (ta != NULL)
- error = 0;
- } else if (tu.ipft_name[0] != '\0') {
- ta = fr_findtunebyname(tu.ipft_name);
- if (ta != NULL)
- error = 0;
- }
- if (error != 0)
- break;
-
- if (cmd == (ioctlcmd_t)SIOCIPFGET) {
- /*
- * Fetch the tuning parameters for a particular value
- */
- tu.ipft_vlong = 0;
- if (ta->ipft_sz == sizeof(u_long))
- tu.ipft_vlong = *ta->ipft_plong;
- else if (ta->ipft_sz == sizeof(u_int))
- tu.ipft_vint = *ta->ipft_pint;
- else if (ta->ipft_sz == sizeof(u_short))
- tu.ipft_vshort = *ta->ipft_pshort;
- else if (ta->ipft_sz == sizeof(u_char))
- tu.ipft_vchar = *ta->ipft_pchar;
- tu.ipft_sz = ta->ipft_sz;
- tu.ipft_min = ta->ipft_min;
- tu.ipft_max = ta->ipft_max;
- tu.ipft_flags = ta->ipft_flags;
- error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
-
- } else if (cmd == (ioctlcmd_t)SIOCIPFSET) {
- /*
- * Set an internal parameter. The hard part here is
- * getting the new value safely and correctly out of
- * the kernel (given we only know its size, not type.)
- */
- u_long in;
-
- if (((ta->ipft_flags & IPFT_WRDISABLED) != 0) &&
- (fr_running > 0)) {
- error = EBUSY;
- break;
- }
-
- in = tu.ipft_vlong;
- if (in < ta->ipft_min || in > ta->ipft_max) {
- error = EINVAL;
- break;
- }
-
- if (ta->ipft_sz == sizeof(u_long)) {
- tu.ipft_vlong = *ta->ipft_plong;
- *ta->ipft_plong = in;
- } else if (ta->ipft_sz == sizeof(u_int)) {
- tu.ipft_vint = *ta->ipft_pint;
- *ta->ipft_pint = (u_int)(in & 0xffffffff);
- } else if (ta->ipft_sz == sizeof(u_short)) {
- tu.ipft_vshort = *ta->ipft_pshort;
- *ta->ipft_pshort = (u_short)(in & 0xffff);
- } else if (ta->ipft_sz == sizeof(u_char)) {
- tu.ipft_vchar = *ta->ipft_pchar;
- *ta->ipft_pchar = (u_char)(in & 0xff);
- }
- error = fr_outobj(data, &tu, IPFOBJ_TUNEABLE);
- }
- break;
-
- default :
- error = EINVAL;
- break;
- }
-
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_initialise */
-/* Returns: int - 0 == success, < 0 == failure */
-/* Parameters: None. */
-/* */
-/* Call of the initialise functions for all the various subsystems inside */
-/* of IPFilter. If any of them should fail, return immeadiately a failure */
-/* BUT do not try to recover from the error here. */
-/* ------------------------------------------------------------------------ */
-int fr_initialise()
-{
- int i;
-
-#ifdef IPFILTER_LOG
- i = fr_loginit();
- if (i < 0)
- return -10 + i;
-#endif
- i = fr_natinit();
- if (i < 0)
- return -20 + i;
-
- i = fr_stateinit();
- if (i < 0)
- return -30 + i;
-
- i = fr_authinit();
- if (i < 0)
- return -40 + i;
-
- i = fr_fraginit();
- if (i < 0)
- return -50 + i;
-
- i = appr_init();
- if (i < 0)
- return -60 + i;
-
-#ifdef IPFILTER_SYNC
- i = ipfsync_init();
- if (i < 0)
- return -70 + i;
-#endif
-#ifdef IPFILTER_SCAN
- i = ipsc_init();
- if (i < 0)
- return -80 + i;
-#endif
-#ifdef IPFILTER_LOOKUP
- i = ip_lookup_init();
- if (i < 0)
- return -90 + i;
-#endif
-#ifdef IPFILTER_COMPILED
- ipfrule_add();
-#endif
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_deinitialise */
-/* Returns: None. */
-/* Parameters: None. */
-/* */
-/* Call all the various subsystem cleanup routines to deallocate memory or */
-/* destroy locks or whatever they've done that they need to now undo. */
-/* The order here IS important as there are some cross references of */
-/* internal data structures. */
-/* ------------------------------------------------------------------------ */
-void fr_deinitialise()
-{
- fr_fragunload();
- fr_authunload();
- fr_natunload();
- fr_stateunload();
-#ifdef IPFILTER_SCAN
- fr_scanunload();
-#endif
- appr_unload();
-
-#ifdef IPFILTER_COMPILED
- ipfrule_remove();
-#endif
-
- (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
- (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- (void) frflush(IPL_LOGCOUNT, 0, FR_INQUE|FR_OUTQUE);
-
-#ifdef IPFILTER_LOOKUP
- ip_lookup_unload();
-#endif
-
-#ifdef IPFILTER_LOG
- fr_logunload();
-#endif
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_zerostats */
-/* Returns: int - 0 = success, else failure */
-/* Parameters: data(O) - pointer to pointer for copying data back to */
-/* */
-/* Copies the current statistics out to userspace and then zero's the */
-/* current ones in the kernel. The lock is only held across the bzero() as */
-/* the copyout may result in paging (ie network activity.) */
-/* ------------------------------------------------------------------------ */
-int fr_zerostats(data)
-caddr_t data;
-{
- friostat_t fio;
- int error;
-
- fr_getstat(&fio);
- error = copyoutptr(&fio, data, sizeof(fio));
- if (error)
- return EFAULT;
-
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frstats, sizeof(*frstats) * 2);
- RWLOCK_EXIT(&ipf_mutex);
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_resolvedest */
-/* Returns: Nil */
-/* Parameters: fdp(IO) - pointer to destination information to resolve */
-/* v(I) - IP protocol version to match */
-/* */
-/* Looks up an interface name in the frdest structure pointed to by fdp and */
-/* if a matching name can be found for the particular IP protocol version */
-/* then store the interface pointer in the frdest struct. If no match is */
-/* found, then set the interface pointer to be -1 as NULL is considered to */
-/* indicate there is no information at all in the structure. */
-/* ------------------------------------------------------------------------ */
-void fr_resolvedest(fdp, v)
-frdest_t *fdp;
-int v;
-{
- void *ifp;
-
- ifp = NULL;
- v = v; /* LINT */
-
- if (*fdp->fd_ifname != '\0') {
- ifp = GETIFP(fdp->fd_ifname, v);
- if (ifp == NULL)
- ifp = (void *)-1;
- }
- fdp->fd_ifp = ifp;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_icmp4errortype */
-/* Returns: int - 1 == success, 0 == failure */
-/* Parameters: icmptype(I) - ICMP type number */
-/* */
-/* Tests to see if the ICMP type number passed is an error type or not. */
-/* ------------------------------------------------------------------------ */
-int fr_icmp4errortype(icmptype)
-int icmptype;
-{
-
- switch (icmptype)
- {
- case ICMP_SOURCEQUENCH :
- case ICMP_PARAMPROB :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_UNREACH :
- return 1;
- default:
- return 0;
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_resolvenic */
-/* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */
-/* pointer to interface structure for NIC */
-/* Parameters: name(I) - complete interface name */
-/* v(I) - IP protocol version */
-/* */
-/* Look for a network interface structure that firstly has a matching name */
-/* to that passed in and that is also being used for that IP protocol */
-/* version (necessary on some platforms where there are separate listings */
-/* for both IPv4 and IPv6 on the same physical NIC. */
-/* */
-/* One might wonder why name gets terminated with a \0 byte in here. The */
-/* reason is an interface name could get into the kernel structures of ipf */
-/* in any number of ways and so long as they all use the same sized array */
-/* to put the name in, it makes sense to ensure it gets null terminated */
-/* before it is used for its intended purpose - finding its match in the */
-/* kernel's list of configured interfaces. */
-/* */
-/* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */
-/* array for the name that is LIFNAMSIZ bytes (at least) in length. */
-/* ------------------------------------------------------------------------ */
-void *fr_resolvenic(name, v)
-char *name;
-int v;
-{
- void *nic;
-
- if (name[0] == '\0')
- return NULL;
-
- if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) {
- return NULL;
- }
-
- name[LIFNAMSIZ - 1] = '\0';
-
- nic = GETIFP(name, v);
- if (nic == NULL)
- nic = (void *)-1;
- return nic;
-}
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
deleted file mode 100644
index e21af89..0000000
--- a/contrib/ipfilter/fils.c
+++ /dev/null
@@ -1,1536 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if defined(STATETOP)
-# if defined(_BSDI_VERSION)
-# undef STATETOP)
-# endif
-# if defined(__FreeBSD__) && \
- (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
-# undef STATETOP
-# endif
-# if defined(__NetBSD_Version__)
-# if (__NetBSD_Version__ < 105000000)
-# undef STATETOP
-# else
-# include <poll.h>
-# define USE_POLL
-# endif
-# endif
-# if defined(sun)
-# if defined(__svr4__) || defined(__SVR4)
-# include <sys/select.h>
-# else
-# undef STATETOP /* NOT supported on SunOS4 */
-# endif
-# endif
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <nlist.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/tcp.h>
-#if defined(STATETOP) && !defined(linux)
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "ipf.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef STATETOP
-# include "netinet/ipl.h"
-# include <ctype.h>
-# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
- defined(__sgi)
-# ifdef ERR
-# undef ERR
-# endif
-# include <curses.h>
-# else /* SOLARIS */
-# include <ncurses.h>
-# endif /* SOLARIS */
-#endif /* STATETOP */
-#include "kmem.h"
-#if defined(__NetBSD__) || (__OpenBSD__)
-# include <paths.h>
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.45 2004/04/10 11:45:48 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern int optind;
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-#define F_IN 0
-#define F_OUT 1
-#define F_ACIN 2
-#define F_ACOUT 3
-static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
- "ipacct(in)", "ipacct(out)" };
-
-int opts = 0;
-int use_inet6 = 0;
-int live_kernel = 1;
-int state_fd = -1;
-int auth_fd = -1;
-int ipf_fd = -1;
-
-#ifdef STATETOP
-#define STSTRSIZE 80
-#define STGROWSIZE 16
-#define HOSTNMLEN 40
-
-#define STSORT_PR 0
-#define STSORT_PKTS 1
-#define STSORT_BYTES 2
-#define STSORT_TTL 3
-#define STSORT_SRCIP 4
-#define STSORT_DSTIP 5
-#define STSORT_MAX STSORT_DSTIP
-#define STSORT_DEFAULT STSORT_BYTES
-
-
-typedef struct statetop {
- union i6addr st_src;
- union i6addr st_dst;
- u_short st_sport;
- u_short st_dport;
- u_char st_p;
- u_char st_state[2];
- U_QUAD_T st_pkts;
- U_QUAD_T st_bytes;
- u_long st_age;
-} statetop_t;
-#endif
-
-extern int main __P((int, char *[]));
-static void showstats __P((friostat_t *, u_32_t));
-static void showfrstates __P((ipfrstat_t *));
-static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
-static void showgroups __P((friostat_t *));
-static void Usage __P((char *));
-static void printlist __P((frentry_t *));
-static void parse_ipportstr __P((const char *, struct in_addr *, int *));
-static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-#ifdef STATETOP
-static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int));
-static char *ttl_to_string __P((long));
-static int sort_p __P((const void *, const void *));
-static int sort_pkts __P((const void *, const void *));
-static int sort_bytes __P((const void *, const void *));
-static int sort_ttl __P((const void *, const void *));
-static int sort_srcip __P((const void *, const void *));
-static int sort_dstip __P((const void *, const void *));
-#endif
-#if SOLARIS
-void showqiflist __P((char *));
-#endif
-
-
-static void Usage(name)
-char *name;
-{
-#ifdef USE_INET6
- fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name);
-#else
- fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
-#endif
- fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n");
- fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
- friostat_t fio;
- friostat_t *fiop = &fio;
- ips_stat_t ipsst;
- ips_stat_t *ipsstp = &ipsst;
- ipfrstat_t ifrst;
- ipfrstat_t *ifrstp = &ifrst;
- char *device = IPL_NAME, *memf = NULL;
- char *kern = NULL;
- int c, myoptind;
- struct protoent *proto;
-
- int protocol = -1; /* -1 = wild card for any protocol */
- int refreshtime = 1; /* default update time */
- int sport = -1; /* -1 = wild card for any source port */
- int dport = -1; /* -1 = wild card for any dest port */
- int topclosed = 0; /* do not show closed tcp sessions */
- struct in_addr saddr, daddr;
- u_32_t frf;
-
- saddr.s_addr = INADDR_ANY; /* default any source addr */
- daddr.s_addr = INADDR_ANY; /* default any dest addr */
-
- /*
- * Parse these two arguments now lest there be any buffer overflows
- * in the parsing of the rest.
- */
- myoptind = optind;
- while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
- switch (c)
- {
- case 'M' :
- memf = optarg;
- live_kernel = 0;
- break;
- case 'N' :
- kern = optarg;
- live_kernel = 0;
- break;
- }
- optind = myoptind;
-
- if (live_kernel == 1) {
- if ((state_fd = open(IPL_STATE, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- if ((auth_fd = open(IPL_AUTH, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- if ((ipf_fd = open(device, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
- }
-
- if (kern != NULL || memf != NULL)
- {
- (void)setuid(getuid());
- (void)setgid(getgid());
- }
-
- if (openkmem(kern, memf) == -1)
- exit(-1);
-
- (void)setuid(getuid());
- (void)setgid(getgid());
-
- while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
- {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'a' :
- opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
- device = IPAUTH_NAME;
- opts |= OPT_AUTHSTATS;
- break;
- case 'C' :
- topclosed = 1;
- break;
- case 'd' :
- device = optarg;
- break;
- case 'D' :
- parse_ipportstr(optarg, &daddr, &dport);
- break;
- case 'f' :
- opts |= OPT_FRSTATES;
- break;
- case 'g' :
- opts |= OPT_GROUPS;
- break;
- case 'h' :
- opts |= OPT_HITS;
- break;
- case 'i' :
- opts |= OPT_INQUE|OPT_SHOWLIST;
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'M' :
- break;
- case 'N' :
- break;
- case 'n' :
- opts |= OPT_SHOWLINENO;
- break;
- case 'o' :
- opts |= OPT_OUTQUE|OPT_SHOWLIST;
- break;
- case 'P' :
- if ((proto = getprotobyname(optarg)) != NULL) {
- protocol = proto->p_proto;
- } else if (!sscanf(optarg, "%ud", &protocol) ||
- (protocol < 0)) {
- fprintf(stderr, "%s : Invalid protocol: %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'q' :
-#if SOLARIS
- showqiflist(kern);
- exit(0);
- break;
-#else
- fprintf(stderr, "-q only availble on Solaris\n");
- exit(1);
- break;
-#endif
- case 's' :
- opts |= OPT_IPSTATES;
- break;
- case 'S' :
- parse_ipportstr(optarg, &saddr, &sport);
- break;
- case 't' :
-#ifdef STATETOP
- opts |= OPT_STATETOP;
- break;
-#else
- fprintf(stderr,
- "%s : state top facility not compiled in\n",
- argv[0]);
- exit(-2);
-#endif
- case 'T' :
- if (!sscanf(optarg, "%d", &refreshtime) ||
- (refreshtime <= 0)) {
- fprintf(stderr,
- "%s : Invalid refreshtime < 1 : %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- Usage(argv[0]);
- break;
- }
- }
-
- if (live_kernel == 1) {
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
- &frauthstp, &frf);
- } else
- ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
-
- if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(fiop);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(fiop);
- }
- } else {
- if (opts & OPT_FRSTATES)
- showfrstates(ifrstp);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(saddr, daddr, sport, dport,
- protocol, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(fiop);
- else
- showstats(fiop, frf);
- }
- return 0;
-}
-
-
-/*
- * Fill in the stats structures from the live kernel, using a combination
- * of ioctl's and copying directly from kernel memory.
- */
-int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
-
- if (!(opts & OPT_AUTHSTATS) && ioctl(ipf_fd, SIOCGETFS, fiopp) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
- exit(-1);
- }
-
- if ((opts & OPT_IPSTATES)) {
- if ((ioctl(state_fd, SIOCGETFS, ipsstpp) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
- exit(-1);
- }
- }
- if ((opts & OPT_FRSTATES) &&
- (ioctl(ipf_fd, SIOCGFRST, ifrstpp) == -1)) {
- perror("ioctl(SIOCGFRST)");
- exit(-1);
- }
-
- if (opts & OPT_VERBOSE)
- PRINTF("opts %#x name %s\n", opts, device);
-
- if ((opts & OPT_AUTHSTATS) &&
- (ioctl(auth_fd, SIOCATHST, frauthstpp) == -1)) {
- perror("ioctl(SIOCATHST)");
- exit(-1);
- }
-
- if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
-
- return ipf_fd;
-}
-
-
-/*
- * Build up the stats structures from data held in the "core" memory.
- * This is mainly useful when looking at data in crash dumps and ioctl's
- * just won't work any more.
- */
-void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- static fr_authstat_t frauthst, *frauthstp;
- static ips_stat_t ipsst, *ipsstp;
- static ipfrstat_t ifrst, *ifrstp;
- static friostat_t fio, *fiop;
-
- void *rules[2][2];
- struct nlist deadlist[42] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { NULL }
- };
-
-
- frauthstp = &frauthst;
- ipsstp = &ipsst;
- ifrstp = &ifrst;
- fiop = &fio;
-
- *frfp = 0;
- *fiopp = fiop;
- *ipsstpp = ipsstp;
- *ifrstpp = ifrstp;
- *frauthstpp = frauthstp;
-
- bzero((char *)fiop, sizeof(*fiop));
- bzero((char *)ipsstp, sizeof(*ipsstp));
- bzero((char *)ifrstp, sizeof(*ifrstp));
- bzero((char *)frauthstp, sizeof(*frauthstp));
-
- if (nlist(kernel, deadlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * This is for SIOCGETFF.
- */
- kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
-
- /*
- * f_locks is a combination of the lock variable from each part of
- * ipfilter (state, auth, nat, fragments).
- */
- kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
- sizeof(fiop->f_locks[0]));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
- sizeof(fiop->f_locks[1]));
- kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
- sizeof(fiop->f_locks[2]));
- kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
- sizeof(fiop->f_locks[3]));
-
- /*
- * Get pointers to each list of rules (active, inactive, in, out)
- */
- kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
- fiop->f_fin[0] = rules[0][0];
- fiop->f_fin[1] = rules[0][1];
- fiop->f_fout[0] = rules[1][0];
- fiop->f_fout[1] = rules[1][1];
-
- /*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
- * Now get accounting rules pointers.
- */
- kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
- fiop->f_acctin[0] = rules[0][0];
- fiop->f_acctin[1] = rules[0][1];
- fiop->f_acctout[0] = rules[1][0];
- fiop->f_acctout[1] = rules[1][1];
-
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
- /*
- * A collection of "global" variables used inside the kernel which
- * are all collected in friostat_t via ioctl.
- */
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
- sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
- sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
- sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
- sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
- sizeof(fiop->f_defpass));
-
- /*
- * Build up the state information stats structure.
- */
- kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
- kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value,
- sizeof(ipsstp->iss_active));
- ipsstp->iss_table = (void *)deadlist[18].n_value;
- ipsstp->iss_list = (void *)deadlist[17].n_value;
-
- /*
- * Build up the authentiation information stats structure.
- */
- kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
- sizeof(*frauthstp));
- frauthstp->fas_faelist = (void *)deadlist[1].n_value;
-
- /*
- * Build up the fragment information stats structure.
- */
- kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
- sizeof(*ifrstp));
- ifrstp->ifs_table = (void *)deadlist[23].n_value;
- ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
- kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
- sizeof(ifrstp->ifs_inuse));
-}
-
-
-/*
- * Display the kernel stats for packets blocked and passed and other
- * associated running totals which are kept.
- */
-static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
-{
-
-#if SOLARIS
- PRINTF("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- PRINTF("non-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
- PRINTF("no-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
- PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
- PRINTF("copied messages:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_copy, fp->f_st[1].fr_copy);
-#endif
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6[0], fp->f_st[0].fr_ipv6[1]);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr, fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr, fp->f_st[1].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
-
- PRINTF("Packet log flags set: (%#x)\n", frf);
- if (frf & FF_LOGPASS)
- PRINTF("\tpackets passed through filter\n");
- if (frf & FF_LOGBLOCK)
- PRINTF("\tpackets blocked by filter\n");
- if (frf & FF_LOGNOMATCH)
- PRINTF("\tpackets not matched by filter\n");
- if (!frf)
- PRINTF("\tnone\n");
-}
-
-
-/*
- * Print out a list of rules from the kernel, starting at the one passed.
- */
-static void printlist(fp)
-frentry_t *fp;
-{
- struct frentry fb;
- int n;
-
- for (n = 1; fp; n++) {
- if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
- perror("kmemcpy");
- return;
- }
- fp = &fb;
- if (opts & OPT_OUTQUE)
- fp->fr_flags |= FR_OUTQUE;
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
-#else
- PRINTF("%lu ", fp->fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
-#else
- PRINTF("%lu ", fp->fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
- printfr(fp);
- if (opts & OPT_VERBOSE)
- binprint(fp);
- if (fp->fr_grp)
- printlist(fp->fr_grp);
- fp = fp->fr_next;
- }
-}
-
-/*
- * print out all of the asked for rule sets, using the stats struct as
- * the base from which to get the pointers.
- */
-static void showlist(fiop)
-struct friostat *fiop;
-{
- struct frentry *fp = NULL;
- int i, set;
-
- set = fiop->f_active;
- if (opts & OPT_INACTIVE)
- set = 1 - set;
- if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout[set];
- } else if (opts & OPT_INQUE) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin[set];
- } else {
- FPRINTF(stderr, "No -i or -o given with -a\n");
- return;
- }
- } else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout[set];
- } else if (opts & OPT_INQUE) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin[set];
- } else
- return;
- }
- if (opts & OPT_VERBOSE)
- FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
-
- if (opts & OPT_VERBOSE)
- PRINTF("fp %p set %d\n", fp, set);
- if (fp == NULL) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
- }
- printlist(fp);
-}
-
-
-/*
- * Display ipfilter stateful filtering information
- */
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
-{
- ipstate_t *istab[IPSTATE_SIZE];
-
- /*
- * If a list of states hasn't been asked for, only print out stats
- */
- if (!(opts & OPT_SHOWLIST)) {
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu logged\n\t%lu log failures\n",
- ipsp->iss_logged, ipsp->iss_logfail);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
- return;
- }
-
- if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
- return;
-
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipsp->iss_list = printstate(ipsp->iss_list, opts);
- }
-}
-
-
-#if SOLARIS
-/*
- * Displays the list of interfaces of which IPFilter has taken control in
- * Solaris.
- */
-void showqiflist(kern)
-char *kern;
-{
- struct nlist qifnlist[2] = {
- { "_qif_head" },
- { NULL }
- };
- qif_t qif, *qf;
- ill_t ill;
-
- if (kern == NULL)
- kern = "/dev/ksyms";
-
- if (nlist(kern, qifnlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- printf("List of interfaces bound by IPFilter:\n");
- if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf)))
- return;
- while (qf) {
- if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
- break;
- if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill)))
- ill.ill_ppa = -1;
- printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d",
- qif.qf_name, qif.qf_hl,
-#ifdef IP6_DL_SAP
- (qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
-#else
- "IPv4"
-#endif
- , qif.qf_sap, ill.ill_ppa);
- printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt);
- qf = qif.qf_next;
- putchar('\n');
- }
-}
-#endif
-
-
-#ifdef STATETOP
-static void topipstates(saddr, daddr, sport, dport, protocol,
- refreshtime, topclosed)
-struct in_addr saddr;
-struct in_addr daddr;
-int sport;
-int dport;
-int protocol;
-int refreshtime;
-int topclosed;
-{
- char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
- int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
- int i, j, winx, tsentry, maxx, maxy, redraw = 0;
- ipstate_t *istab[IPSTATE_SIZE], ips;
- ips_stat_t ipsst, *ipsstp = &ipsst;
- statetop_t *tstable = NULL, *tp;
- char hostnm[HOSTNMLEN];
- struct protoent *proto;
- int c = 0;
- time_t t;
-#ifdef USE_POLL
- struct pollfd set[1];
-#else
- struct timeval selecttimeout;
- fd_set readfd;
-#endif
-
- /* init ncurses stuff */
- initscr();
- cbreak();
- noecho();
-
- /* init hostname */
- gethostname(hostnm, sizeof(hostnm) - 1);
- hostnm[sizeof(hostnm) - 1] = '\0';
-
- /* repeat until user aborts */
- while ( 1 ) {
-
- /* get state table */
- bzero((char *)&ipsst, sizeof(&ipsst));
- if ((ioctl(state_fd, SIOCGETFS, &ipsstp) == -1)) {
- perror("ioctl(SIOCGETFS)");
- exit(-1);
- }
- if (kmemcpy((char *)istab, (u_long)ipsstp->iss_table,
- sizeof(ips)))
- return;
-
- /* clear the history */
- tsentry = -1;
-
- /* read the state table and store in tstable */
- while (ipsstp->iss_list) {
- if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list,
- sizeof(ips)))
- break;
- ipsstp->iss_list = ips.is_next;
-
- if (((saddr.s_addr == INADDR_ANY) ||
- (saddr.s_addr == ips.is_saddr)) &&
- ((daddr.s_addr == INADDR_ANY) ||
- (daddr.s_addr == ips.is_daddr)) &&
- ((protocol < 0) || (protocol == ips.is_p)) &&
- (((ips.is_p != IPPROTO_TCP) &&
- (ips.is_p != IPPROTO_UDP)) ||
- (((sport < 0) ||
- (htons(sport) == ips.is_sport)) &&
- ((dport < 0) ||
- (htons(dport) == ips.is_dport)))) &&
- (topclosed || (ips.is_p != IPPROTO_TCP) ||
- (ips.is_state[0] < TCPS_LAST_ACK) ||
- (ips.is_state[1] < TCPS_LAST_ACK))) {
- /*
- * if necessary make room for this state
- * entry
- */
- tsentry++;
- if (!maxtsentries ||
- (tsentry == maxtsentries)) {
-
- maxtsentries += STGROWSIZE;
- tstable = realloc(tstable, maxtsentries * sizeof(statetop_t));
- if (!tstable) {
- perror("malloc");
- exit(-1);
- }
- }
-
- /* fill structure */
- tp = tstable + tsentry;
- tp->st_src = ips.is_src;
- tp->st_dst = ips.is_dst;
- tp->st_p = ips.is_p;
- tp->st_state[0] = ips.is_state[0];
- tp->st_state[1] = ips.is_state[1];
- tp->st_pkts = ips.is_pkts;
- tp->st_bytes = ips.is_bytes;
- tp->st_age = ips.is_age;
- if ((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) {
- tp->st_sport = ips.is_sport;
- tp->st_dport = ips.is_dport;
- }
-
- }
- }
-
-
- /* sort the array */
- if (tsentry != -1)
- switch (sorting)
- {
- case STSORT_PR:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_p);
- break;
- case STSORT_PKTS:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_pkts);
- break;
- case STSORT_BYTES:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_bytes);
- break;
- case STSORT_TTL:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_ttl);
- break;
- case STSORT_SRCIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_srcip);
- break;
- case STSORT_DSTIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstip);
- break;
- default:
- break;
- }
-
- /* print title */
- erase();
- getmaxyx(stdscr, maxy, maxx);
- attron(A_BOLD);
- winx = 0;
- move(winx,0);
- sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
- for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
- printw(" ");
- printw("%s", str1);
- attroff(A_BOLD);
-
- /* just for fun add a clock */
- move(winx, maxx - 8);
- t = time(NULL);
- strftime(str1, 80, "%T", localtime(&t));
- printw("%s\n", str1);
-
- /*
- * print the display filters, this is placed in the loop,
- * because someday I might add code for changing these
- * while the programming is running :-)
- */
- if (sport >= 0)
- sprintf(str1, "%s,%d", inet_ntoa(saddr), sport);
- else
- sprintf(str1, "%s", inet_ntoa(saddr));
-
- if (dport >= 0)
- sprintf(str2, "%s,%d", inet_ntoa(daddr), dport);
- else
- sprintf(str2, "%s", inet_ntoa(daddr));
-
- if (protocol < 0)
- strcpy(str3, "any");
- else if ((proto = getprotobynumber(protocol)) != NULL)
- sprintf(str3, "%s", proto->p_name);
- else
- sprintf(str3, "%d", protocol);
-
- switch (sorting)
- {
- case STSORT_PR:
- sprintf(str4, "proto");
- break;
- case STSORT_PKTS:
- sprintf(str4, "# pkts");
- break;
- case STSORT_BYTES:
- sprintf(str4, "# bytes");
- break;
- case STSORT_TTL:
- sprintf(str4, "ttl");
- break;
- case STSORT_SRCIP:
- sprintf(str4, "srcip");
- break;
- case STSORT_DSTIP:
- sprintf(str4, "dstip");
- break;
- default:
- sprintf(str4, "unknown");
- break;
- }
-
- if (reverse)
- strcat(str4, " (reverse)");
-
- winx += 2;
- move(winx,0);
- printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n",
- str1, str2, str3, str4);
-
- /* print column description */
- winx += 2;
- move(winx,0);
- attron(A_BOLD);
- printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP",
- "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl");
- attroff(A_BOLD);
-
- /* print all the entries */
- tp = tstable;
- if (reverse)
- tp += tsentry;
-
- if (tsentry > maxy - 6)
- tsentry = maxy - 6;
- for (i = 0; i <= tsentry; i++) {
- /* print src/dest and port */
- if ((tp->st_p == IPPROTO_TCP) ||
- (tp->st_p == IPPROTO_UDP)) {
- sprintf(str1, "%s,%hu",
- inet_ntoa(tp->st_src.in4),
- ntohs(tp->st_sport));
- sprintf(str2, "%s,%hu",
- inet_ntoa(tp->st_dst.in4),
- ntohs(tp->st_dport));
- } else {
- sprintf(str1, "%s", inet_ntoa(tp->st_src.in4));
- sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4));
- }
- winx++;
- move(winx, 0);
- printw("%-21s %-21s", str1, str2);
-
- /* print state */
- sprintf(str1, "%X/%X", tp->st_state[0],
- tp->st_state[1]);
- printw(" %3s", str1);
-
- /* print proto */
- proto = getprotobynumber(tp->st_p);
- if (proto) {
- strncpy(str1, proto->p_name, 4);
- str1[4] = '\0';
- } else {
- sprintf(str1, "%d", tp->st_p);
- }
- printw(" %4s", str1);
- /* print #pkt/#bytes */
-#ifdef USE_QUAD_T
- printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
- (unsigned long long) tp->st_bytes);
-#else
- printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
-#endif
- printw(" %9s", ttl_to_string(tp->st_age));
-
- if (reverse)
- tp--;
- else
- tp++;
- }
-
- /* screen data structure is filled, now update the screen */
- if (redraw)
- clearok(stdscr,1);
-
- refresh();
- if (redraw) {
- clearok(stdscr,0);
- redraw = 0;
- }
-
- /* wait for key press or a 1 second time out period */
-#ifdef USE_POLL
- set[0].fd = 0;
- set[0].events = POLLIN;
- poll(set, 1, refreshtime * 1000);
-
- /* if key pressed, read all waiting keys */
- if (set[0].revents & POLLIN)
-#else
- selecttimeout.tv_sec = refreshtime;
- selecttimeout.tv_usec = 0;
- FD_ZERO(&readfd);
- FD_SET(0, &readfd);
- select(1, &readfd, NULL, NULL, &selecttimeout);
-
- /* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd))
-#endif
-
- {
- c = wgetch(stdscr);
- if (c == ERR)
- continue;
-
- if (isalpha(c) && isupper(c))
- c = tolower(c);
- if (c == 'l') {
- redraw = 1;
- } else if (c == 'q') {
- break; /* exits while() loop */
- } else if (c == 'r') {
- reverse = !reverse;
- } else if (c == 's') {
- sorting++;
- if (sorting > STSORT_MAX)
- sorting = 0;
- }
- }
- } /* while */
-
- printw("\n");
- nocbreak();
- endwin();
-}
-#endif
-
-
-/*
- * Show fragment cache information that's held in the kernel.
- */
-static void showfrstates(ifsp)
-ipfrstat_t *ifsp;
-{
- struct ipfr *ipfrtab[IPFT_SIZE], ifr;
- frentry_t fr;
- int i;
-
- /*
- * print out the numeric statistics
- */
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
- ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
- ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
- return;
-
- /*
- * Print out the contents (if any) of the fragment cache table.
- */
- PRINTF("\n");
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- PRINTF("%s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- PRINTF("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = fl %#x\n",
- hostname(4, &ifr.ipfr_dst), ntohs(ifr.ipfr_id),
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_seen0,
- ifr.ipfr_ifp, ifr.ipfr_tos, fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
- return;
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- PRINTF("%s %d %d %d %#02x = %#x\n",
- hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
- fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
-}
-
-
-/*
- * Show stats on how auth within IPFilter has been used
- */
-static void showauthstates(asp)
-fr_authstat_t *asp;
-{
- frauthent_t *frap, fra;
-
-#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
- (unsigned long long) asp->fas_hits,
- (unsigned long long) asp->fas_miss);
-#else
- printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
- asp->fas_miss);
-#endif
- printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
- asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
- asp->fas_sendok);
- printf("queok %ld\nquefail %ld\nexpire %ld\n",
- asp->fas_queok, asp->fas_quefail, asp->fas_expire);
-
- frap = asp->fas_faelist;
- while (frap) {
- if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
- break;
-
- printf("age %ld\t", fra.fae_age);
- printfr(&fra.fae_fr);
- frap = fra.fae_next;
- }
-}
-
-
-/*
- * Display groups used for each of filter rules, accounting rules and
- * authentication, separately.
- */
-static void showgroups(fiop)
-struct friostat *fiop;
-{
- static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
- frgroup_t *fp, grp;
- int on, off, i;
-
- on = fiop->f_active;
- off = 1 - on;
-
- for (i = 0; i < 3; i++) {
- printf("%s groups (active):\n", gnames[i]);
- for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- printf("%s groups (inactive):\n", gnames[i]);
- for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- }
-}
-
-static void parse_ipportstr(argument, ip, port)
-const char *argument;
-struct in_addr *ip;
-int *port;
-{
-
- char *s, *comma;
-
- /* make working copy of argument, Theoretically you must be able
- * to write to optarg, but that seems very ugly to me....
- */
- if ((s = malloc(strlen(argument) + 1)) == NULL)
- perror("malloc");
- strcpy(s, argument);
-
- /* get port */
- if ((comma = strchr(s, ',')) != NULL) {
- if (!strcasecmp(s, "any")) {
- *port = -1;
- } else if (!sscanf(comma + 1, "%d", port) ||
- (*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specfication in %s\n",
- argument);
- exit(-2);
- }
- *comma = '\0';
- }
-
-
- /* get ip address */
- if (!strcasecmp(s, "any")) {
- ip->s_addr = INADDR_ANY;
- } else if (!inet_aton(s, ip)) {
- fprintf(stderr, "Invalid IP address: %s\n", s);
- exit(-2);
- }
-
- /* free allocated memory */
- free(s);
-}
-
-
-#ifdef STATETOP
-static char ttlbuf[STSTRSIZE];
-
-static char *ttl_to_string(ttl)
-long int ttl;
-{
-
- int hours, minutes, seconds;
-
- /* ttl is in half seconds */
- ttl /= 2;
-
- hours = ttl / 3600;
- ttl = ttl % 3600;
- minutes = ttl / 60;
- seconds = ttl % 60;
-
- if (hours > 0 )
- sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
- else
- sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
- return ttlbuf;
-}
-
-
-static int sort_pkts(a, b)
-const void *a;
-const void *b;
-{
-
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_pkts == bp->st_pkts)
- return 0;
- else if (ap->st_pkts < bp->st_pkts)
- return 1;
- return -1;
-}
-
-
-static int sort_bytes(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_bytes == bp->st_bytes)
- return 0;
- else if (ap->st_bytes < bp->st_bytes)
- return 1;
- return -1;
-}
-
-
-static int sort_p(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_p == bp->st_p)
- return 0;
- else if (ap->st_p < bp->st_p)
- return 1;
- return -1;
-}
-
-
-static int sort_ttl(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_age == bp->st_age)
- return 0;
- else if (ap->st_age < bp->st_age)
- return 1;
- return -1;
-}
-
-static int sort_srcip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr))
- return 1;
- return -1;
-}
-
-static int sort_dstip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr))
- return 1;
- return -1;
-}
-#endif
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
deleted file mode 100644
index e940280..0000000
--- a/contrib/ipfilter/inet_addr.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * ++Copyright++ 1983, 1990, 1993
- * -
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-#ifdef __STDC__
-# ifndef __P
-# define __P(x) x
-# endif
-#else
-# undef __P
-# define __P(x) ()
-# undef const
-# define const
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ctype.h>
-
-int inet_aton __P((const char *, struct in_addr *));
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-inet_aton(cp, addr)
- register const char *cp;
- struct in_addr *addr;
-{
- register u_long val;
- register int base, n;
- register char c;
- u_int parts[4];
- register u_int *pp = parts;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c))
- return (0);
- val = 0; base = 10;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X')
- base = 16, c = *++cp;
- else
- base = 8;
- }
- for (;;) {
- if (isascii(c) && isdigit(c)) {
- val = (val * base) + (c - '0');
- c = *++cp;
- } else if (base == 16 && isascii(c) && isxdigit(c)) {
- val = (val << 4) |
- (c + 10 - (islower(c) ? 'a' : 'A'));
- c = *++cp;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3)
- return (0);
- *pp++ = val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
-
- case 0:
- return (0); /* initial nondigit */
-
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffff)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr)
- addr->s_addr = htonl(val);
- return (1);
-}
-
-/* these are compatibility routines, not needed on recent BSD releases */
-
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
-#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \
- (defined(IRIX) && (IRIX >= 605))
-in_addr_t
-#else
-u_long
-#endif
-inet_addr(cp)
- register const char *cp;
-{
- struct in_addr val;
-
- if (inet_aton(cp, &val))
- return (val.s_addr);
- return (0xffffffff);
-}
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
deleted file mode 100644
index b91c2e6..0000000
--- a/contrib/ipfilter/ip_auth.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
-# include <sys/queue.h>
-#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
-# include <machine/cpu.h>
-#endif
-#if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
-# include <sys/proc.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
-# define KERNEL
-# define _KERNEL
-# define NOT_KERNEL
-#endif
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#ifdef NOT_KERNEL
-# undef _KERNEL
-# undef KERNEL
-#endif
-#include <netinet/tcp.h>
-#if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
-extern struct ifqueue ipintrq; /* ip packet input queue */
-#else
-# if !defined(__hpux) && !defined(linux)
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if __FreeBSD_version >= 500042
-# define IF_QFULL _IF_QFULL
-# define IF_DROP _IF_DROP
-# endif /* __FreeBSD_version >= 500042 */
-# endif
-# include <netinet/in_var.h>
-# include <netinet/tcp_fsm.h>
-# endif
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_auth.h"
-#if !defined(MENTAT) && !defined(linux)
-# include <net/netisr.h>
-# ifdef __FreeBSD__
-# include <machine/cpufunc.h>
-# endif
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-#endif
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp";
-#endif
-
-
-#if SOLARIS
-extern kcondvar_t ipfauthwait;
-#endif /* SOLARIS */
-#if defined(linux) && defined(_KERNEL)
-wait_queue_head_t fr_authnext_linux;
-#endif
-
-int fr_authsize = FR_NUMAUTH;
-int fr_authused = 0;
-int fr_defaultauthage = 600;
-int fr_auth_lock = 0;
-int fr_auth_init = 0;
-fr_authstat_t fr_authstats;
-static frauth_t *fr_auth = NULL;
-mb_t **fr_authpkts = NULL;
-int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
-frauthent_t *fae_list = NULL;
-frentry_t *ipauth = NULL,
- *fr_authlist = NULL;
-
-
-int fr_authinit()
-{
- KMALLOCS(fr_auth, frauth_t *, fr_authsize * sizeof(*fr_auth));
- if (fr_auth != NULL)
- bzero((char *)fr_auth, fr_authsize * sizeof(*fr_auth));
- else
- return -1;
-
- KMALLOCS(fr_authpkts, mb_t **, fr_authsize * sizeof(*fr_authpkts));
- if (fr_authpkts != NULL)
- bzero((char *)fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
- else
- return -2;
-
- MUTEX_INIT(&ipf_authmx, "ipf auth log mutex");
- RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock");
-#if SOLARIS && defined(_KERNEL)
- cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
-#endif
-#if defined(linux) && defined(_KERNEL)
- init_waitqueue_head(&fr_authnext_linux);
-#endif
-
- fr_auth_init = 1;
-
- return 0;
-}
-
-
-/*
- * Check if a packet has authorization. If the packet is found to match an
- * authorization result and that would result in a feedback loop (i.e. it
- * will end up returning FR_AUTH) then return FR_BLOCK instead.
- */
-frentry_t *fr_checkauth(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- frentry_t *fr;
- frauth_t *fra;
- u_32_t pass;
- u_short id;
- ip_t *ip;
- int i;
-
- if (fr_auth_lock || !fr_authused)
- return NULL;
-
- ip = fin->fin_ip;
- id = ip->ip_id;
-
- READ_ENTER(&ipf_auth);
- for (i = fr_authstart; i != fr_authend; ) {
- /*
- * index becomes -2 only after an SIOCAUTHW. Check this in
- * case the same packet gets sent again and it hasn't yet been
- * auth'd.
- */
- fra = fr_auth + i;
- if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
- !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
- /*
- * Avoid feedback loop.
- */
- if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass)))
- pass = FR_BLOCK;
- /*
- * Create a dummy rule for the stateful checking to
- * use and return. Zero out any values we don't
- * trust from userland!
- */
- if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
- (fin->fin_flx & FI_FRAG))) {
- KMALLOC(fr, frentry_t *);
- if (fr) {
- bcopy((char *)fra->fra_info.fin_fr,
- (char *)fr, sizeof(*fr));
- fr->fr_grp = NULL;
- fr->fr_ifa = fin->fin_ifp;
- fr->fr_func = NULL;
- fr->fr_ref = 1;
- fr->fr_flags = pass;
- fr->fr_ifas[1] = NULL;
- fr->fr_ifas[2] = NULL;
- fr->fr_ifas[3] = NULL;
- }
- } else
- fr = fra->fra_info.fin_fr;
- fin->fin_fr = fr;
- RWLOCK_EXIT(&ipf_auth);
- WRITE_ENTER(&ipf_auth);
- if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
- fr->fr_next = fr_authlist;
- fr_authlist = fr;
- }
- fr_authstats.fas_hits++;
- fra->fra_index = -1;
- fr_authused--;
- if (i == fr_authstart) {
- while (fra->fra_index == -1) {
- i++;
- fra++;
- if (i == fr_authsize) {
- i = 0;
- fra = fr_auth;
- }
- fr_authstart = i;
- if (i == fr_authend)
- break;
- }
- if (fr_authstart == fr_authend) {
- fr_authnext = 0;
- fr_authstart = fr_authend = 0;
- }
- }
- RWLOCK_EXIT(&ipf_auth);
- if (passp != NULL)
- *passp = pass;
- ATOMIC_INC64(fr_authstats.fas_hits);
- return fr;
- }
- i++;
- if (i == fr_authsize)
- i = 0;
- }
- fr_authstats.fas_miss++;
- RWLOCK_EXIT(&ipf_auth);
- ATOMIC_INC64(fr_authstats.fas_miss);
- return NULL;
-}
-
-
-/*
- * Check if we have room in the auth array to hold details for another packet.
- * If we do, store it and wake up any user programs which are waiting to
- * hear about these events.
- */
-int fr_newauth(m, fin)
-mb_t *m;
-fr_info_t *fin;
-{
-#if defined(_KERNEL) && defined(MENTAT)
- qpktinfo_t *qpi = fin->fin_qpi;
-#endif
- frauth_t *fra;
-#if !defined(sparc) && !defined(m68k)
- ip_t *ip;
-#endif
- int i;
-
- if (fr_auth_lock)
- return 0;
-
- WRITE_ENTER(&ipf_auth);
- if (fr_authstart > fr_authend) {
- fr_authstats.fas_nospace++;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
- } else {
- if (fr_authused == fr_authsize) {
- fr_authstats.fas_nospace++;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
- }
- }
-
- fr_authstats.fas_added++;
- fr_authused++;
- i = fr_authend++;
- if (fr_authend == fr_authsize)
- fr_authend = 0;
- RWLOCK_EXIT(&ipf_auth);
-
- fra = fr_auth + i;
- fra->fra_index = i;
- fra->fra_pass = 0;
- fra->fra_age = fr_defaultauthage;
- bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
-#if !defined(sparc) && !defined(m68k)
- /*
- * No need to copyback here as we want to undo the changes, not keep
- * them.
- */
- ip = fin->fin_ip;
-# if defined(MENTAT) && defined(_KERNEL)
- if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
-# endif
- {
- register u_short bo;
-
- bo = ip->ip_len;
- ip->ip_len = htons(bo);
- bo = ip->ip_off;
- ip->ip_off = htons(bo);
- }
-#endif
-#if SOLARIS && defined(_KERNEL)
- m->b_rptr -= qpi->qpi_off;
- fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
- fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
- cv_signal(&ipfauthwait);
-#else
-# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
- if (!fin->fin_out) {
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
- }
-# endif
- fr_authpkts[i] = m;
- WAKEUP(&fr_authnext,0);
-#endif
- return 1;
-}
-
-
-int fr_auth_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- mb_t *m;
-#if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
- (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
- struct ifqueue *ifq;
-# ifdef USE_SPL
- int s;
-# endif /* USE_SPL */
-#endif
- frauth_t auth, *au = &auth, *fra;
- int i, error = 0, len;
- char *t;
-
- switch (cmd)
- {
- case SIOCSTLCK :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- fr_lock(data, &fr_auth_lock);
- break;
-
- case SIOCATHST:
- fr_authstats.fas_faelist = fae_list;
- error = fr_outobj(data, &fr_authstats, IPFOBJ_AUTHSTAT);
- break;
-
- case SIOCIPFFL:
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- i = fr_authflush();
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
- error = copyoutptr((char *)&i, data, sizeof(i));
- break;
-
- case SIOCAUTHW:
-fr_authioctlloop:
- error = fr_inobj(data, au, IPFOBJ_FRAUTH);
- READ_ENTER(&ipf_auth);
- if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
- error = fr_outobj(data, &fr_auth[fr_authnext],
- IPFOBJ_FRAUTH);
- if (auth.fra_len != 0 && auth.fra_buf != NULL) {
- /*
- * Copy packet contents out to user space if
- * requested. Bail on an error.
- */
- m = fr_authpkts[fr_authnext];
- len = MSGDSIZE(m);
- if (len > auth.fra_len)
- len = auth.fra_len;
- auth.fra_len = len;
- for (t = auth.fra_buf; m && (len > 0); ) {
- i = MIN(M_LEN(m), len);
- error = copyoutptr(MTOD(m, char *),
- t, i);
- len -= i;
- t += i;
- if (error != 0)
- break;
- }
- }
- RWLOCK_EXIT(&ipf_auth);
- if (error != 0)
- break;
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- fr_authnext++;
- if (fr_authnext == fr_authsize)
- fr_authnext = 0;
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
- return 0;
- }
- RWLOCK_EXIT(&ipf_auth);
- /*
- * We exit ipf_global here because a program that enters in
- * here will have a lock on it and goto sleep having this lock.
- * If someone were to do an 'ipf -D' the system would then
- * deadlock. The catch with releasing it here is that the
- * caller of this function expects it to be held when we
- * return so we have to reacquire it in here.
- */
- RWLOCK_EXIT(&ipf_global);
-
- MUTEX_ENTER(&ipf_authmx);
-#ifdef _KERNEL
-# if SOLARIS
- error = 0;
- if (!cv_wait_sig(&ipfauthwait, &ipf_authmx.ipf_lk))
- error = EINTR;
-# else /* SOLARIS */
-# ifdef __hpux
- {
- lock_t *l;
-
- l = get_sleep_lock(&fr_authnext);
- error = sleep(&fr_authnext, PZERO+1);
- spinunlock(l);
- }
-# else
-# ifdef __osf__
- error = mpsleep(&fr_authnext, PSUSP|PCATCH, "fr_authnext", 0,
- &ipf_authmx, MS_LOCK_SIMPLE);
-# else
- error = SLEEP(&fr_authnext, "fr_authnext");
-# endif /* __osf__ */
-# endif /* __hpux */
-# endif /* SOLARIS */
-#endif
- MUTEX_EXIT(&ipf_authmx);
- READ_ENTER(&ipf_global);
- if (error == 0) {
- READ_ENTER(&ipf_auth);
- goto fr_authioctlloop;
- }
- break;
-
- case SIOCAUTHR:
- error = fr_inobj(data, &auth, IPFOBJ_FRAUTH);
- if (error != 0)
- return error;
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- i = au->fra_index;
- fra = fr_auth + i;
- if ((i < 0) || (i >= fr_authsize) ||
- (fra->fra_info.fin_id != au->fra_info.fin_id)) {
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
- return ESRCH;
- }
- m = fr_authpkts[i];
- fra->fra_index = -2;
- fra->fra_pass = au->fra_pass;
- fr_authpkts[i] = NULL;
- RWLOCK_EXIT(&ipf_auth);
-#ifdef _KERNEL
- if ((m != NULL) && (au->fra_info.fin_out != 0)) {
-# ifdef MENTAT
- error = !putq(fra->fra_q, m);
-# else /* MENTAT */
-# ifdef linux
-# else
-# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \
- (defined(__sgi) && (IRIX >= 60500) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 470102)))
- error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
- NULL);
-# else
- error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
-# endif
-# endif /* Linux */
-# endif /* MENTAT */
- if (error != 0)
- fr_authstats.fas_sendfail++;
- else
- fr_authstats.fas_sendok++;
- } else if (m) {
-# ifdef MENTAT
- error = !putq(fra->fra_q, m);
-# else /* MENTAT */
-# ifdef linux
-# else
-# if __FreeBSD_version >= 501000
- netisr_dispatch(NETISR_IP, m);
-# else
-# if IRIX >= 60516
- ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd;
-# else
- ifq = &ipintrq;
-# endif
- if (IF_QFULL(ifq)) {
- IF_DROP(ifq);
- FREE_MB_T(m);
- error = ENOBUFS;
- } else {
- IF_ENQUEUE(ifq, m);
-# if IRIX < 60500
- schednetisr(NETISR_IP);
-# endif
- }
-# endif
-# endif /* Linux */
-# endif /* MENTAT */
- if (error != 0)
- fr_authstats.fas_quefail++;
- else
- fr_authstats.fas_queok++;
- } else
- error = EINVAL;
-# ifdef MENTAT
- if (error != 0)
- error = EINVAL;
-# else /* MENTAT */
- /*
- * If we experience an error which will result in the packet
- * not being processed, make sure we advance to the next one.
- */
- if (error == ENOBUFS) {
- fr_authused--;
- fra->fra_index = -1;
- fra->fra_pass = 0;
- if (i == fr_authstart) {
- while (fra->fra_index == -1) {
- i++;
- if (i == fr_authsize)
- i = 0;
- fr_authstart = i;
- if (i == fr_authend)
- break;
- }
- if (fr_authstart == fr_authend) {
- fr_authnext = 0;
- fr_authstart = fr_authend = 0;
- }
- }
- }
-# endif /* MENTAT */
-#endif /* _KERNEL */
- SPL_X(s);
- break;
-
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-/*
- * Free all network buffer memory used to keep saved packets.
- */
-void fr_authunload()
-{
- register int i;
- register frauthent_t *fae, **faep;
- frentry_t *fr, **frp;
- mb_t *m;
-
- if (fr_auth != NULL) {
- KFREES(fr_auth, fr_authsize * sizeof(*fr_auth));
- fr_auth = NULL;
- }
-
- if (fr_authpkts != NULL) {
- for (i = 0; i < fr_authsize; i++) {
- m = fr_authpkts[i];
- if (m != NULL) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- }
- }
- KFREES(fr_authpkts, fr_authsize * sizeof(*fr_authpkts));
- fr_authpkts = NULL;
- }
-
- faep = &fae_list;
- while ((fae = *faep) != NULL) {
- *faep = fae->fae_next;
- KFREE(fae);
- }
- ipauth = NULL;
-
- if (fr_authlist != NULL) {
- for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
- if (fr->fr_ref == 1) {
- *frp = fr->fr_next;
- KFREE(fr);
- } else
- frp = &fr->fr_next;
- }
- }
-
- if (fr_auth_init == 1) {
-# if SOLARIS && defined(_KERNEL)
- cv_destroy(&ipfauthwait);
-# endif
- MUTEX_DESTROY(&ipf_authmx);
- RW_DESTROY(&ipf_auth);
-
- fr_auth_init = 0;
- }
-}
-
-
-/*
- * Slowly expire held auth records. Timeouts are set
- * in expectation of this being called twice per second.
- */
-void fr_authexpire()
-{
- register int i;
- register frauth_t *fra;
- register frauthent_t *fae, **faep;
- register frentry_t *fr, **frp;
- mb_t *m;
-# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
- int s;
-# endif
-
- if (fr_auth_lock)
- return;
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- for (i = 0, fra = fr_auth; i < fr_authsize; i++, fra++) {
- fra->fra_age--;
- if ((fra->fra_age == 0) && (m = fr_authpkts[i])) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- fr_auth[i].fra_index = -1;
- fr_authstats.fas_expire++;
- fr_authused--;
- }
- }
-
- for (faep = &fae_list; ((fae = *faep) != NULL); ) {
- fae->fae_age--;
- if (fae->fae_age == 0) {
- *faep = fae->fae_next;
- KFREE(fae);
- fr_authstats.fas_expire++;
- } else
- faep = &fae->fae_next;
- }
- if (fae_list != NULL)
- ipauth = &fae_list->fae_fr;
- else
- ipauth = NULL;
-
- for (frp = &fr_authlist; ((fr = *frp) != NULL); ) {
- if (fr->fr_ref == 1) {
- *frp = fr->fr_next;
- KFREE(fr);
- } else
- frp = &fr->fr_next;
- }
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
-}
-
-int fr_preauthcmd(cmd, fr, frptr)
-ioctlcmd_t cmd;
-frentry_t *fr, **frptr;
-{
- frauthent_t *fae, **faep;
- int error = 0;
-# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
- int s;
-#endif
-
- if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
- return EIO;
-
- for (faep = &fae_list; ((fae = *faep) != NULL); ) {
- if (&fae->fae_fr == fr)
- break;
- else
- faep = &fae->fae_next;
- }
-
- if (cmd == (ioctlcmd_t)SIOCRMAFR) {
- if (fr == NULL || frptr == NULL)
- error = EINVAL;
- else if (fae == NULL)
- error = ESRCH;
- else {
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- *faep = fae->fae_next;
- if (ipauth == &fae->fae_fr)
- ipauth = fae_list ? &fae_list->fae_fr : NULL;
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
-
- KFREE(fae);
- }
- } else if (fr != NULL && frptr != NULL) {
- KMALLOC(fae, frauthent_t *);
- if (fae != NULL) {
- bcopy((char *)fr, (char *)&fae->fae_fr,
- sizeof(*fr));
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- fae->fae_age = fr_defaultauthage;
- fae->fae_fr.fr_hits = 0;
- fae->fae_fr.fr_next = *frptr;
- *frptr = &fae->fae_fr;
- fae->fae_next = *faep;
- *faep = fae;
- ipauth = &fae_list->fae_fr;
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
- } else
- error = ENOMEM;
- } else
- error = EINVAL;
- return error;
-}
-
-
-/*
- * Flush held packets.
- * Must already be properly SPL'ed and Locked on &ipf_auth.
- *
- */
-int fr_authflush()
-{
- register int i, num_flushed;
- mb_t *m;
-
- if (fr_auth_lock)
- return -1;
-
- num_flushed = 0;
-
- for (i = 0 ; i < fr_authsize; i++) {
- m = fr_authpkts[i];
- if (m != NULL) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- fr_auth[i].fra_index = -1;
- /* perhaps add & use a flush counter inst.*/
- fr_authstats.fas_expire++;
- fr_authused--;
- num_flushed++;
- }
- }
-
- fr_authstart = 0;
- fr_authend = 0;
- fr_authnext = 0;
-
- return num_flushed;
-}
diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h
deleted file mode 100644
index a39e7fd..0000000
--- a/contrib/ipfilter/ip_auth.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp
- *
- */
-#ifndef __IP_AUTH_H__
-#define __IP_AUTH_H__
-
-#define FR_NUMAUTH 32
-
-typedef struct frauth {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_t fra_info;
- char *fra_buf;
-#ifdef MENTAT
- queue_t *fra_q;
-#endif
-} frauth_t;
-
-typedef struct frauthent {
- struct frentry fae_fr;
- struct frauthent *fae_next;
- u_long fae_age;
-} frauthent_t;
-
-typedef struct fr_authstat {
- U_QUAD_T fas_hits;
- U_QUAD_T fas_miss;
- u_long fas_nospace;
- u_long fas_added;
- u_long fas_sendfail;
- u_long fas_sendok;
- u_long fas_queok;
- u_long fas_quefail;
- u_long fas_expire;
- frauthent_t *fas_faelist;
-} fr_authstat_t;
-
-
-extern frentry_t *ipauth;
-extern struct fr_authstat fr_authstats;
-extern int fr_defaultauthage;
-extern int fr_authstart;
-extern int fr_authend;
-extern int fr_authsize;
-extern int fr_authused;
-extern int fr_auth_lock;
-extern frentry_t *fr_checkauth __P((fr_info_t *, u_32_t *));
-extern void fr_authexpire __P((void));
-extern int fr_authinit __P((void));
-extern void fr_authunload __P((void));
-extern int fr_authflush __P((void));
-extern mb_t **fr_authpkts;
-extern int fr_newauth __P((mb_t *, fr_info_t *));
-extern int fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **));
-extern int fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int));
-
-#endif /* __IP_AUTH_H__ */
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
deleted file mode 100644
index 6ea3f70..0000000
--- a/contrib/ipfilter/ip_compat.h
+++ /dev/null
@@ -1,2295 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_compat.h 1.8 1/14/96
- * Id: ip_compat.h,v 2.142.2.25 2005/03/28 09:33:36 darrenr Exp
- */
-
-#ifndef __IP_COMPAT_H__
-#define __IP_COMPAT_H__
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifndef __STDC__
-# undef const
-# define const
-#endif
-
-#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
-# undef KERNEL
-# undef _KERNEL
-# undef __KERNEL__
-# define KERNEL
-# define _KERNEL
-# define __KERNEL__
-#endif
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#if SOLARIS2 >= 8
-# ifndef USE_INET6
-# define USE_INET6
-# endif
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
- !defined(_KERNEL) && !defined(USE_INET6) && !defined(NOINET6)
-# define USE_INET6
-#endif
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000) && \
- !defined(_KERNEL) && !defined(USE_INET6)
-# define USE_INET6
-# define IPFILTER_M_IPFILTER
-#endif
-#if defined(OpenBSD) && (OpenBSD >= 200206) && \
- !defined(_KERNEL) && !defined(USE_INET6)
-# define USE_INET6
-#endif
-#if defined(__osf__)
-# define USE_INET6
-#endif
-#if defined(linux) && (!defined(_KERNEL) || defined(CONFIG_IPV6))
-# define USE_INET6
-#endif
-#if defined(HPUXREV) && (HPUXREV >= 1111)
-# define USE_INET6
-#endif
-
-#if defined(BSD) && (BSD < 199103) && defined(__osf__)
-# undef BSD
-# define BSD 199103
-#endif
-
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-# define index strchr
-# if !defined(_KERNEL)
-# define bzero(a,b) memset(a,0,b)
-# define bcmp memcmp
-# define bcopy(a,b,c) memmove(b,a,c)
-# endif
-#endif
-
-#ifndef LIFNAMSIZ
-# ifdef IF_NAMESIZE
-# define LIFNAMSIZ IF_NAMESIZE
-# else
-# ifdef IFNAMSIZ
-# define LIFNAMSIZ IFNAMSIZ
-# else
-# define LIFNAMSIZ 16
-# endif
-# endif
-#endif
-
-#if defined(__sgi) || defined(bsdi) || defined(__hpux) || defined(hpux)
-struct ether_addr {
- u_char ether_addr_octet[6];
-};
-#endif
-
-#if defined(__sgi) && !defined(IPFILTER_LKM)
-# ifdef __STDC__
-# define IPL_EXTERN(ep) ipfilter##ep
-# else
-# define IPL_EXTERN(ep) ipfilter/**/ep
-# endif
-#else
-# ifdef __STDC__
-# define IPL_EXTERN(ep) ipl##ep
-# else
-# define IPL_EXTERN(ep) ipl/**/ep
-# endif
-#endif
-
-/*
- * This is a workaround for <sys/uio.h> troubles on FreeBSD and OpenBSD.
- */
-#ifndef linux
-# ifndef _KERNEL
-# define ADD_KERNEL
-# define _KERNEL
-# define KERNEL
-# endif
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# ifdef ADD_KERNEL
-# undef _KERNEL
-# undef KERNEL
-# endif
-#endif
-
-
-/* ----------------------------------------------------------------------- */
-/* S O L A R I S */
-/* ----------------------------------------------------------------------- */
-#if SOLARIS
-# define MENTAT 1
-# include <sys/cmn_err.h>
-# include <sys/isa_defs.h>
-# include <sys/stream.h>
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-# include <sys/kmem.h>
-# if SOLARIS2 >= 10
-# include <sys/procset.h>
-# include <sys/proc.h>
-# include <sys/devops.h>
-# include <sys/ddi_impldefs.h>
-# endif
-/*
- * because Solaris 2 defines these in two places :-/
- */
-# ifndef KERNEL
-# define _KERNEL
-# undef RES_INIT
-# endif /* _KERNEL */
-
-# if SOLARIS2 >= 8
-# include <netinet/ip6.h>
-# include <netinet/icmp6.h>
-# endif
-
-# include <inet/common.h>
-/* These 5 are defined in <inet/ip.h> and <netinet/ip.h> */
-# undef IPOPT_EOL
-# undef IPOPT_NOP
-# undef IPOPT_LSRR
-# undef IPOPT_RR
-# undef IPOPT_SSRR
-# ifdef i386
-# define _SYS_PROMIF_H
-# endif
-# include <inet/ip.h>
-# undef COPYOUT
-# include <inet/ip_ire.h>
-# ifndef KERNEL
-# undef _KERNEL
-# endif
-# if SOLARIS2 >= 8
-# define SNPRINTF snprintf
-
-# include <inet/ip_if.h>
-# define ipif_local_addr ipif_lcl_addr
-/* Only defined in private include file */
-# ifndef V4_PART_OF_V6
-# define V4_PART_OF_V6(v6) v6.s6_addr32[3]
-# endif
-struct ip6_ext {
- u_char ip6e_nxt;
- u_char ip6e_len;
-};
-# endif /* SOLARIS2 >= 8 */
-
-# if SOLARIS2 >= 6
-# include <sys/atomic.h>
-typedef uint32_t u_32_t;
-# else
-typedef unsigned int u_32_t;
-# endif
-# define U_32_T 1
-
-# ifdef _KERNEL
-# define KRWLOCK_T krwlock_t
-# define KMUTEX_T kmutex_t
-# include "qif.h"
-# include "pfil.h"
-# if SOLARIS2 >= 6
-# if SOLARIS2 == 6
-# define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long((uint32_t*)&(x), -1)
-# else
-# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
-# endif /* SOLARIS2 == 6 */
-# define ATOMIC_INC64(x) atomic_add_64((uint64_t*)&(x), 1)
-# define ATOMIC_INC32(x) atomic_add_32((uint32_t*)&(x), 1)
-# define ATOMIC_INC16(x) atomic_add_16((uint16_t*)&(x), 1)
-# define ATOMIC_DEC64(x) atomic_add_64((uint64_t*)&(x), -1)
-# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
-# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
-# else
-# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
- mutex_exit(&ipf_rw); }
-# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
- mutex_exit(&ipf_rw); }
-# endif /* SOLARIS2 >= 6 */
-# define USE_MUTEXES
-# define MUTEX_ENTER(x) mutex_enter(&(x)->ipf_lk)
-# define READ_ENTER(x) rw_enter(&(x)->ipf_lk, RW_READER)
-# define WRITE_ENTER(x) rw_enter(&(x)->ipf_lk, RW_WRITER)
-# define MUTEX_DOWNGRADE(x) rw_downgrade(&(x)->ipf_lk)
-# define RWLOCK_INIT(x, y) rw_init(&(x)->ipf_lk, (y), \
- RW_DRIVER, NULL)
-# define RWLOCK_EXIT(x) rw_exit(&(x)->ipf_lk)
-# define RW_DESTROY(x) rw_destroy(&(x)->ipf_lk)
-# define MUTEX_INIT(x, y) mutex_init(&(x)->ipf_lk, (y), \
- MUTEX_DRIVER, NULL)
-# define MUTEX_DESTROY(x) mutex_destroy(&(x)->ipf_lk)
-# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
-# define MUTEX_EXIT(x) mutex_exit(&(x)->ipf_lk)
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYIN(a,b,c) (void) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) (void) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# ifdef sparc
-# define ntohs(x) (x)
-# define ntohl(x) (x)
-# define htons(x) (x)
-# define htonl(x) (x)
-# endif /* sparc */
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-extern void *get_unit __P((char *, int));
-# define GETIFP(n, v) get_unit(n, v)
-# define IFNAME(x) ((qif_t *)x)->qf_name
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, ((qif_t *)x)->qf_name, \
- LIFNAMSIZ)
-# define GETKTIME(x) uniqtime((struct timeval *)x)
-# define MSGDSIZE(x) msgdsize(x)
-# define M_LEN(x) ((x)->b_wptr - (x)->b_rptr)
-# define M_DUPLICATE(x) dupmsg((x))
-# define MTOD(m,t) ((t)((m)->b_rptr))
-# define MTYPE(m) ((m)->b_datap->db_type)
-# define FREE_MB_T(m) freemsg(m)
-# define m_next b_cont
-# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7)
-# define IPF_PANIC(x,y) if (x) { printf y; cmn_err(CE_PANIC, "ipf_panic"); }
-typedef mblk_t mb_t;
-# endif /* _KERNEL */
-
-# if (SOLARIS2 >= 7)
-# ifdef lint
-# define ALIGN32(ptr) (ptr ? 0L : 0L)
-# define ALIGN16(ptr) (ptr ? 0L : 0L)
-# else
-# define ALIGN32(ptr) (ptr)
-# define ALIGN16(ptr) (ptr)
-# endif
-# endif
-
-# if SOLARIS2 < 6
-typedef struct uio uio_t;
-# endif
-typedef int ioctlcmd_t;
-
-# define OS_RECOGNISED 1
-
-#endif /* SOLARIS */
-
-/* ----------------------------------------------------------------------- */
-/* H P U X */
-/* ----------------------------------------------------------------------- */
-#ifdef __hpux
-# define MENTAT 1
-# include <sys/sysmacros.h>
-# include <sys/spinlock.h>
-# include <sys/lock.h>
-# include <sys/stream.h>
-# ifdef USE_INET6
-# include <netinet/if_ether.h>
-# include <netinet/ip6.h>
-# include <netinet/icmp6.h>
-typedef struct ip6_hdr ip6_t;
-# endif
-
-# ifdef _KERNEL
-# define SNPRINTF sprintf
-# if (HPUXREV >= 1111)
-# define IPL_SELECT
-# ifdef IPL_SELECT
-# include <machine/sys/user.h>
-# include <sys/kthread_iface.h>
-# define READ_COLLISION 0x01
-
-typedef struct iplog_select_s {
- kthread_t *read_waiter;
- int state;
-} iplog_select_t;
-# endif
-# endif
-
-# define GETKTIME(x) uniqtime((struct timeval *)x)
-
-# if HPUXREV == 1111
-# include "kern_svcs.h"
-# else
-# include <sys/kern_svcs.h>
-# endif
-# undef ti_flags
-# undef TCP_NODELAY
-# undef TCP_MAXSEG
-# include <sys/reg.h>
-# include "../netinet/ip_info.h"
-/*
- * According to /usr/include/sys/spinlock.h on HP-UX 11.00, these functions
- * are available. Attempting to use them actually results in unresolved
- * symbols when it comes time to load the module.
- * This has been fixed! Yipee!
- */
-# if 1
-# ifdef __LP64__
-# define ATOMIC_INCL(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), 1)
-# define ATOMIC_DECL(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), -1)
-# else
-# define ATOMIC_INCL(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), 1)
-# define ATOMIC_DECL(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), -1)
-# endif
-# define ATOMIC_INC64(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), 1)
-# define ATOMIC_INC32(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), 1)
-# define ATOMIC_INC16(x) lock_and_incr_int16(&ipf_rw.ipf_lk, &(x), 1)
-# define ATOMIC_DEC64(x) lock_and_incr_int64(&ipf_rw.ipf_lk, &(x), -1)
-# define ATOMIC_DEC32(x) lock_and_incr_int32(&ipf_rw.ipf_lk, &(x), -1)
-# define ATOMIC_DEC16(x) lock_and_incr_int16(&ipf_rw.ipf_lk, &(x), -1)
-# else /* 0 */
-# define ATOMIC_INC64(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC64(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_INC32(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC32(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_INCL(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DECL(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw); }
-# endif
-# define ip_cksum ip_csuma
-# define memcpy(a,b,c) bcopy((caddr_t)b, (caddr_t)a, c)
-# define USE_MUTEXES
-# define MUTEX_INIT(x, y) initlock(&(x)->ipf_lk, 0, 0, (y))
-# define MUTEX_ENTER(x) spinlock(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) spinunlock(&(x)->ipf_lk);
-# define MUTEX_DESTROY(x)
-# define MUTEX_NUKE(x) bzero((char *)(x), sizeof(*(x)))
-# define KMUTEX_T lock_t
-# define kmutex_t lock_t /* for pfil.h */
-# define krwlock_t lock_t /* for pfil.h */
-/*
- * The read-write lock implementation in HP-UX 11.0 is crippled - it can
- * only be used by threads working in a user context!
- * This has been fixed! Yipee! (Or at least it does in 11.00, not 11.11..)
- */
-# if HPUXREV < 1111
-# define MUTEX_DOWNGRADE(x) lock_write_to_read(x)
-# define KRWLOCK_T struct rw_lock
-# define READ_ENTER(x) lock_read(&(x)->ipf_lk)
-# define WRITE_ENTER(x) lock_write(&(x)->ipf_lk)
-# if HPUXREV >= 1111
-# define RWLOCK_INIT(x, y) rwlock_init4(&(x)->ipf_lk, 0, RWLCK_CANSLEEP, 0, y)
-# else
-# define RWLOCK_INIT(x, y) lock_init3(&(x)->ipf_lk, 0, 1, 0, 0, y)
-# endif
-# define RWLOCK_EXIT(x) lock_done(&(x)->ipf_lk)
-# else
-# define KRWLOCK_T lock_t
-# define KMUTEX_T lock_t
-# define READ_ENTER(x) MUTEX_ENTER(x)
-# define WRITE_ENTER(x) MUTEX_ENTER(x)
-# define MUTEX_DOWNGRADE(x)
-# define RWLOCK_INIT(x, y) initlock(&(x)->ipf_lk, 0, 0, y)
-# define RWLOCK_EXIT(x) MUTEX_EXIT(x)
-# endif
-# define RW_DESTROY(x)
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# if HPUXREV >= 1111
-# define BCOPYIN(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) 0; bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# else
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# endif
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-extern void *get_unit __P((char *, int));
-# define GETIFP(n, v) get_unit(n, v)
-# define IFNAME(x, b) ((ill_t *)x)->ill_name
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, ((qif_t *)x)->qf_name, \
- LIFNAMSIZ)
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define SLEEP(id, n) { lock_t *_l = get_sleep_lock((caddr_t)id); \
- sleep(id, PZERO+1); \
- spinunlock(_l); \
- }
-# define WAKEUP(id,x) { lock_t *_l = get_sleep_lock((caddr_t)id); \
- wakeup(id + x); \
- spinunlock(_l); \
- }
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_IOSYS, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_IOSYS, M_NOWAIT)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# define MSGDSIZE(x) msgdsize(x)
-# define M_LEN(x) ((x)->b_wptr - (x)->b_rptr)
-# define M_DUPLICATE(x) dupmsg((x))
-# define MTOD(m,t) ((t)((m)->b_rptr))
-# define MTYPE(m) ((m)->b_datap->db_type)
-# define FREE_MB_T(m) freemsg(m)
-# define m_next b_cont
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-typedef mblk_t mb_t;
-
-# define CACHE_HASH(x) (((qpktinfo_t *)(x)->fin_qpi)->qpi_num & 7)
-
-# include "qif.h"
-# include "pfil.h"
-
-# else /* _KERNEL */
-
-typedef unsigned char uchar_t;
-
-# ifndef _SYS_STREAM_INCLUDED
-typedef char * mblk_t;
-typedef void * queue_t;
-typedef u_long ulong;
-# endif
-# include <netinet/ip_info.h>
-
-# endif /* _KERNEL */
-
-# ifdef lint
-# define ALIGN32(ptr) (ptr ? 0L : 0L)
-# define ALIGN16(ptr) (ptr ? 0L : 0L)
-# else
-# define ALIGN32(ptr) (ptr)
-# define ALIGN16(ptr) (ptr)
-# endif
-
-typedef struct uio uio_t;
-typedef int ioctlcmd_t;
-typedef int minor_t;
-typedef unsigned int u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-
-#endif /* __hpux */
-
-/* ----------------------------------------------------------------------- */
-/* I R I X */
-/* ----------------------------------------------------------------------- */
-#ifdef __sgi
-# undef MENTAT
-# if IRIX < 60500
-typedef struct uio uio_t;
-# endif
-typedef int ioctlcmd_t;
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-# ifdef INET6
-# define USE_INET6
-# endif
-
-# define hz HZ
-# include <sys/ksynch.h>
-# define IPF_LOCK_PL plhi
-# include <sys/sema.h>
-# undef kmutex_t
-typedef struct {
- lock_t *l;
- int pl;
-} kmutex_t;
-
-# ifdef MUTEX_INIT
-# define KMUTEX_T mutex_t
-# else
-# define KMUTEX_T kmutex_t
-# define KRWLOCK_T kmutex_t
-# endif
-
-# ifdef _KERNEL
-# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)++; MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)--; MUTEX_EXIT(&ipf_rw); }
-# define USE_MUTEXES
-# ifdef MUTEX_INIT
-# include <sys/atomic_ops.h>
-# define ATOMIC_INCL(x) atomicAddUlong(&(x), 1)
-# define ATOMIC_INC64(x) atomicAddUint64(&(x), 1)
-# define ATOMIC_INC32(x) atomicAddUint(&(x), 1)
-# define ATOMIC_INC16 ATOMIC_INC
-# define ATOMIC_DECL(x) atomicAddUlong(&(x), -1)
-# define ATOMIC_DEC64(x) atomicAddUint64(&(x), -1)
-# define ATOMIC_DEC32(x) atomicAddUint(&(x), -1)
-# define ATOMIC_DEC16 ATOMIC_DEC
-# undef MUTEX_INIT
-# define MUTEX_INIT(x, y) mutex_init(&(x)->ipf_lk, \
- MUTEX_DEFAULT, y)
-# undef MUTEX_ENTER
-# define MUTEX_ENTER(x) mutex_lock(&(x)->ipf_lk, 0)
-# undef MUTEX_EXIT
-# define MUTEX_EXIT(x) mutex_unlock(&(x)->ipf_lk)
-# undef MUTEX_DESTROY
-# define MUTEX_DESTROY(x) mutex_destroy(&(x)->ipf_lk)
-# define MUTEX_DOWNGRADE(x) mrdemote(&(x)->ipf_lk)
-# define KRWLOCK_T mrlock_t
-# define RWLOCK_INIT(x, y) mrinit(&(x)->ipf_lk, y)
-# undef RW_DESTROY
-# define RW_DESTROY(x) mrfree(&(x)->ipf_lk)
-# define READ_ENTER(x) RW_RDLOCK(&(x)->ipf_lk)
-# define WRITE_ENTER(x) RW_WRLOCK(&(x)->ipf_lk)
-# define RWLOCK_EXIT(x) RW_UNLOCK(&(x)->ipf_lk)
-# else
-# define READ_ENTER(x) MUTEX_ENTER(&(x)->ipf_lk)
-# define WRITE_ENTER(x) MUTEX_ENTER(&(x)->ipf_lk)
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) MUTEX_EXIT(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) UNLOCK((x)->ipf_lk.l, (x)->ipf_lk.pl);
-# define MUTEX_INIT(x,y) (x)->ipf_lk.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
-# define MUTEX_DESTROY(x) LOCK_DEALLOC((x)->ipf_lk.l)
-# define MUTEX_ENTER(x) (x)->ipf_lk.pl = LOCK((x)->ipf_lk.l, \
- IPF_LOCK_PL);
-# endif
-# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
-# define FREE_MB_T(m) m_freem(m)
-# define MTOD(m,t) mtod(m,t)
-# define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define SLEEP(id, n) sleep((id), PZERO+1)
-# define WAKEUP(id,x) wakeup(id+x)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# define GETIFP(n,v) ifunit(n)
-# include <sys/kmem.h>
-# include <sys/ddi.h>
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-# define USE_SPL 1
-# define SPL_IMP(x) (x) = splimp()
-# define SPL_NET(x) (x) = splnet()
-# define SPL_X(x) (void) splx(x)
-extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
-extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define GETKTIME(x) microtime((struct timeval *)x)
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-typedef struct mbuf mb_t;
-# else
-# undef RW_DESTROY
-# undef MUTEX_INIT
-# undef MUTEX_DESTROY
-# endif /* _KERNEL */
-
-# define OS_RECOGNISED 1
-
-#endif /* __sgi */
-
-/* ----------------------------------------------------------------------- */
-/* T R U 6 4 */
-/* ----------------------------------------------------------------------- */
-#ifdef __osf__
-# undef MENTAT
-
-# include <kern/lock.h>
-# include <sys/sysmacros.h>
-
-# ifdef _KERNEL
-# define KMUTEX_T simple_lock_data_t
-# define KRWLOCK_T lock_data_t
-# include <net/net_globals.h>
-# define USE_MUTEXES
-# define READ_ENTER(x) lock_read(&(x)->ipf_lk)
-# define WRITE_ENTER(x) lock_write(&(x)->ipf_lk)
-# define MUTEX_DOWNGRADE(x) lock_write_to_read(&(x)->ipf_lk)
-# define RWLOCK_INIT(x, y) lock_init(&(x)->ipf_lk, TRUE)
-# define RWLOCK_EXIT(x) lock_done(&(x)->ipf_lk)
-# define RW_DESTROY(x) lock_terminate(&(x)->ipf_lk)
-# define MUTEX_ENTER(x) simple_lock(&(x)->ipf_lk)
-# define MUTEX_INIT(x, y) simple_lock_init(&(x)->ipf_lk)
-# define MUTEX_DESTROY(x) simple_lock_terminate(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) simple_unlock(&(x)->ipf_lk)
-# define MUTEX_NUKE(x) bzero(x, sizeof(*(x)))
-# define ATOMIC_INC64(x) atomic_incq((uint64_t*)&(x))
-# define ATOMIC_DEC64(x) atomic_decq((uint64_t*)&(x))
-# define ATOMIC_INC32(x) atomic_incl((uint32_t*)&(x))
-# define ATOMIC_DEC32(x) atomic_decl((uint32_t*)&(x))
-# define ATOMIC_INC16(x) { simple_lock(&ipf_rw); (x)++; \
- simple_unlock(&ipf_rw); }
-# define ATOMIC_DEC16(x) { simple_lock(&ipf_rw); (x)--; \
- simple_unlock(&ipf_rw); }
-# define ATOMIC_INCL(x) atomic_incl((uint32_t*)&(x))
-# define ATOMIC_DECL(x) atomic_decl((uint32_t*)&(x))
-# define ATOMIC_INC(x) { simple_lock(&ipf_rw); (x)++; \
- simple_unlock(&ipf_rw); }
-# define ATOMIC_DEC(x) { simple_lock(&ipf_rw); (x)--; \
- simple_unlock(&ipf_rw); }
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a, b, d)
-# define FREE_MB_T(m) m_freem(m)
-# define MTOD(m,t) mtod(m,t)
-# define GETIFP(n, v) ifunit(n)
-# define GET_MINOR getminor
-# define WAKEUP(id,x) wakeup(id + x)
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFILT, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFILT, \
- ((c) > 4096) ? M_WAITOK : M_NOWAIT)
-# define KFREE(x) FREE((x), M_PFILT)
-# define KFREES(x,s) FREE((x), M_PFILT)
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define GETKTIME(x) microtime((struct timeval *)x)
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-typedef struct mbuf mb_t;
-# endif /* _KERNEL */
-
-# if (defined(_KERNEL) || defined(_NO_BITFIELDS) || (__STDC__ == 1))
-# define IP_V(x) ((x)->ip_vhl >> 4)
-# define IP_HL(x) ((x)->ip_vhl & 0xf)
-# define IP_V_A(x,y) (x)->ip_vhl |= (((y) << 4) & 0xf0)
-# define IP_HL_A(x,y) (x)->ip_vhl |= ((y) & 0xf)
-# define TCP_X2(x) ((x)->th_xoff & 0xf)
-# define TCP_X2_A(x,y) (x)->th_xoff |= ((y) & 0xf)
-# define TCP_OFF(x) ((x)->th_xoff >> 4)
-# define TCP_OFF_A(x,y) (x)->th_xoff |= (((y) << 4) & 0xf0)
-# endif
-
-/*
- * These are from's Solaris' #defines for little endian.
- */
-#define IP6F_MORE_FRAG 0x0100
-#define IP6F_RESERVED_MASK 0x0600
-#define IP6F_OFF_MASK 0xf8ff
-
-struct ip6_ext {
- u_char ip6e_nxt;
- u_char ip6e_len;
-};
-
-typedef int ioctlcmd_t;
-/*
- * Really, any arch where sizeof(long) != sizeof(int).
- */
-typedef unsigned int u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-#endif /* __osf__ */
-
-/* ----------------------------------------------------------------------- */
-/* N E T B S D */
-/* ----------------------------------------------------------------------- */
-#ifdef __NetBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "bpfilter.h"
-# if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000)
-# include "opt_inet.h"
-# endif
-# ifdef INET6
-# define USE_INET6
-# endif
-# if (__NetBSD_Version__ >= 105000000)
-# define HAVE_M_PULLDOWN 1
-# endif
-# endif
-
-# ifdef _KERNEL
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define GETKTIME(x) microtime((struct timeval *)x)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-typedef struct mbuf mb_t;
-# endif /* _KERNEL */
-# if (NetBSD <= 1991011) && (NetBSD >= 199606)
-# define IFNAME(x) ((struct ifnet *)x)->if_xname
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, \
- ((struct ifnet *)x)->if_xname, \
- LIFNAMSIZ)
-# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7)
-# else
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# endif
-
-typedef struct uio uio_t;
-typedef u_long ioctlcmd_t;
-typedef int minor_t;
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-#endif /* __NetBSD__ */
-
-
-/* ----------------------------------------------------------------------- */
-/* F R E E B S D */
-/* ----------------------------------------------------------------------- */
-#ifdef __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(KLD_MODULE)
-# if (__FreeBSD_version >= 500000)
-# include "opt_bpf.h"
-# else
-# include "bpf.h"
-# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)
-# include "opt_inet6.h"
-# endif
-# if defined(INET6) && !defined(USE_INET6)
-# define USE_INET6
-# endif
-# endif
-
-# if defined(_KERNEL)
-# if (__FreeBSD_version >= 400000)
-/*
- * When #define'd, the 5.2.1 kernel panics when used with the ftp proxy.
- * There may be other, safe, kernels but this is not extensively tested yet.
- */
-# define HAVE_M_PULLDOWN
-# endif
-# if !defined(IPFILTER_LKM) && (__FreeBSD_version >= 300000)
-# include "opt_ipfilter.h"
-# endif
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-
-# if (__FreeBSD_version >= 500043)
-# define NETBSD_PF
-# endif
-# endif /* _KERNEL */
-
-# if (__FreeBSD_version >= 500043)
-# include <sys/mutex.h>
-# include <sys/sx.h>
-/*
- * Whilst the sx(9) locks on FreeBSD have the right semantics and interface
- * for what we want to use them for, despite testing showing they work -
- * with a WITNESS kernel, it generates LOR messages.
- */
-# define KMUTEX_T struct mtx
-# if 1
-# define KRWLOCK_T struct mtx
-# else
-# define KRWLOCK_T struct sx
-# endif
-# endif
-
-# if (__FreeBSD_version >= 501113)
-# include <net/if_var.h>
-# define IFNAME(x) ((struct ifnet *)x)->if_xname
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, \
- ((struct ifnet *)x)->if_xname, \
- LIFNAMSIZ)
-# endif
-# if (__FreeBSD_version >= 500043)
-# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index) & 7)
-# else
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# endif
-
-# ifdef _KERNEL
-# define GETKTIME(x) microtime((struct timeval *)x)
-
-# if (__FreeBSD_version >= 500002)
-# include <netinet/in_systm.h>
-# include <netinet/ip.h>
-# include <machine/in_cksum.h>
-# endif
-
-# if (__FreeBSD_version >= 500043)
-# define USE_MUTEXES
-# define MUTEX_ENTER(x) mtx_lock(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) mtx_unlock(&(x)->ipf_lk)
-# define MUTEX_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\
- MTX_DEF)
-# define MUTEX_DESTROY(x) mtx_destroy(&(x)->ipf_lk)
-# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
-/*
- * Whilst the sx(9) locks on FreeBSD have the right semantics and interface
- * for what we want to use them for, despite testing showing they work -
- * with a WITNESS kernel, it generates LOR messages.
- */
-# if 1
-# define READ_ENTER(x) mtx_lock(&(x)->ipf_lk)
-# define WRITE_ENTER(x) mtx_lock(&(x)->ipf_lk)
-# define RWLOCK_EXIT(x) mtx_unlock(&(x)->ipf_lk)
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\
- MTX_DEF)
-# define RW_DESTROY(x) mtx_destroy(&(x)->ipf_lk)
-# else
-# define READ_ENTER(x) sx_slock(&(x)->ipf_lk)
-# define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk)
-# define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk)
-# define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y))
-# define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk)
-# ifdef sx_unlock
-# define RWLOCK_EXIT(x) sx_unlock(x)
-# else
-# define RWLOCK_EXIT(x) do { \
- if ((x)->ipf_lk.sx_cnt < 0) \
- sx_xunlock(&(x)->ipf_lk); \
- else \
- sx_sunlock(&(x)->ipf_lk); \
- } while (0)
-# endif
-# endif
-# include <machine/atomic.h>
-# define ATOMIC_INC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)++; \
- mtx_unlock(&ipf_rw.ipf_lk); }
-# define ATOMIC_DEC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)--; \
- mtx_unlock(&ipf_rw.ipf_lk); }
-# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
-# define ATOMIC_INC64(x) ATOMIC_INC(x)
-# define ATOMIC_INC32(x) atomic_add_32(&(x), 1)
-# define ATOMIC_INC16(x) atomic_add_16(&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
-# define ATOMIC_DEC64(x) ATOMIC_DEC(x)
-# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1)
-# define ATOMIC_DEC16(x) atomic_add_16(&(x), -1)
-# define SPL_X(x) ;
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-extern int in_cksum __P((struct mbuf *, int));
-# endif /* __FreeBSD_version >= 500043 */
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-typedef struct mbuf mb_t;
-# endif /* _KERNEL */
-
-# if __FreeBSD__ < 3
-# include <machine/spl.h>
-# else
-# if __FreeBSD__ == 3
-# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-# define ACTUALLY_LKM_NOT_KERNEL
-# endif
-# endif
-# endif
-
-# if (__FreeBSD_version >= 300000)
-typedef u_long ioctlcmd_t;
-# else
-typedef int ioctlcmd_t;
-# endif
-typedef struct uio uio_t;
-typedef int minor_t;
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-#endif /* __FreeBSD__ */
-
-
-/* ----------------------------------------------------------------------- */
-/* O P E N B S D */
-/* ----------------------------------------------------------------------- */
-#ifdef __OpenBSD__
-# ifdef INET6
-# define USE_INET6
-# endif
-
-# ifdef _KERNEL
-# if !defined(IPFILTER_LKM)
-# include "bpfilter.h"
-# endif
-# if (OpenBSD >= 200311)
-# define SNPRINTF snprintf
-# if defined(USE_INET6)
-# include "netinet6/in6_var.h"
-# include "netinet6/nd6.h"
-# endif
-# endif
-# if (OpenBSD >= 200012)
-# define HAVE_M_PULLDOWN 1
-# endif
-# define COPYIN(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYOUT(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define GETKTIME(x) microtime((struct timeval *)x)
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-typedef struct mbuf mb_t;
-# endif /* _KERNEL */
-# if (OpenBSD >= 199603)
-# define IFNAME(x, b) ((struct ifnet *)x)->if_xname
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, \
- ((struct ifnet *)x)->if_xname, \
- LIFNAMSIZ)
-# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index)&7)
-# else
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# endif
-
-typedef struct uio uio_t;
-typedef u_long ioctlcmd_t;
-typedef int minor_t;
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-#endif /* __OpenBSD__ */
-
-
-/* ----------------------------------------------------------------------- */
-/* B S D O S */
-/* ----------------------------------------------------------------------- */
-#ifdef _BSDI_VERSION
-# ifdef INET6
-# define USE_INET6
-# endif
-
-# ifdef _KERNEL
-# define GETKTIME(x) microtime((struct timeval *)x)
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-typedef struct mbuf mb_t;
-# endif /* _KERNEL */
-
-# if (_BSDI_VERSION >= 199701)
-typedef u_long ioctlcmd_t;
-# else
-typedef int ioctlcmd_t;
-# endif
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-#endif /* _BSDI_VERSION */
-
-
-/* ----------------------------------------------------------------------- */
-/* S U N O S 4 */
-/* ----------------------------------------------------------------------- */
-#if defined(sun) && !defined(OS_RECOGNISED) /* SunOS4 */
-# ifdef _KERNEL
-# include <sys/kmem_alloc.h>
-# define GETKTIME(x) uniqtime((struct timeval *)x)
-# define MSGDSIZE(x) mbufchainlen(x)
-# define M_LEN(x) (x)->m_len
-# define M_DUPLICATE(x) m_copy((x), 0, M_COPYALL)
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# define GETIFP(n, v) ifunit(n, IFNAMSIZ)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# define SLEEP(id, n) sleep((id), PZERO+1)
-# define WAKEUP(id,x) wakeup(id + x)
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-
-extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
-extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
-
-typedef struct mbuf mb_t;
-# endif
-
-typedef struct uio uio_t;
-typedef int ioctlcmd_t;
-typedef int minor_t;
-typedef unsigned int u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-
-#endif /* SunOS 4 */
-
-/* ----------------------------------------------------------------------- */
-/* L I N U X */
-/* ----------------------------------------------------------------------- */
-#if defined(linux) && !defined(OS_RECOGNISED)
-#include <linux/config.h>
-#include <linux/version.h>
-# if LINUX >= 20600
-# define HDR_T_PRIVATE 1
-# endif
-# undef USE_INET6
-# ifdef USE_INET6
-struct ip6_ext {
- u_char ip6e_nxt;
- u_char ip6e_len;
-};
-# endif
-
-# ifdef _KERNEL
-# define IPF_PANIC(x,y) if (x) { printf y; panic("ipf_panic"); }
-# define BCOPYIN(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define BCOPYOUT(a,b,c) bcopy((caddr_t)(a), (caddr_t)(b), (c))
-# define COPYIN(a,b,c) copy_from_user((caddr_t)(b), (caddr_t)(a), (c))
-# define COPYOUT(a,b,c) copy_to_user((caddr_t)(b), (caddr_t)(a), (c))
-# define FREE_MB_T(m) kfree_skb(m)
-# define GETKTIME(x) do_gettimeofday((struct timeval *)x)
-# define SLEEP(x,s) 0, interruptible_sleep_on(x##_linux)
-# define WAKEUP(x,y) wake_up(x##_linux + y)
-# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
-# define USE_MUTEXES
-# define KRWLOCK_T rwlock_t
-# define KMUTEX_T spinlock_t
-# define MUTEX_INIT(x,y) spin_lock_init(&(x)->ipf_lk)
-# define MUTEX_ENTER(x) spin_lock(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) spin_unlock(&(x)->ipf_lk)
-# define MUTEX_DESTROY(x) do { } while (0)
-# define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk))
-# define READ_ENTER(x) ipf_read_enter(x)
-# define WRITE_ENTER(x) ipf_write_enter(x)
-# define RWLOCK_INIT(x,y) rwlock_init(&(x)->ipf_lk)
-# define RW_DESTROY(x) do { } while (0)
-# define RWLOCK_EXIT(x) ipf_rw_exit(x)
-# define MUTEX_DOWNGRADE(x) ipf_rw_downgrade(x)
-# define ATOMIC_INCL(x) MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_DECL(x) MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_INC64(x) MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_INC32(x) MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_INC16(x) MUTEX_ENTER(&ipf_rw); (x)++; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_DEC64(x) MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_DEC32(x) MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw)
-# define ATOMIC_DEC16(x) MUTEX_ENTER(&ipf_rw); (x)--; \
- MUTEX_EXIT(&ipf_rw)
-# define SPL_IMP(x) do { } while (0)
-# define SPL_NET(x) do { } while (0)
-# define SPL_X(x) do { } while (0)
-# define IFNAME(x) ((struct net_device*)x)->name
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct net_device *)fin->fin_ifp)->ifindex) & 7)
-typedef struct sk_buff mb_t;
-extern void m_copydata __P((mb_t *, int, int, caddr_t));
-extern void m_copyback __P((mb_t *, int, int, caddr_t));
-extern void m_adj __P((mb_t *, int));
-extern mb_t *m_pullup __P((mb_t *, int));
-# define mbuf sk_buff
-
-# define mtod(m, t) ((t)(m)->data)
-# define m_len len
-# define m_next next
-# define M_DUPLICATE(m) skb_clone((m), in_interrupt() ? GFP_ATOMIC : \
- GFP_KERNEL)
-# define MSGDSIZE(m) (m)->len
-# define M_LEN(m) (m)->len
-
-# define splnet(x) ;
-# define printf printk
-# define bcopy(s,d,z) memmove(d, s, z)
-# define bzero(s,z) memset(s, 0, z)
-# define bcmp(a,b,z) memcmp(a, b, z)
-
-# define ifnet net_device
-# define if_xname name
-# define if_unit ifindex
-
-# define KMALLOC(x,t) (x) = (t)kmalloc(sizeof(*(x)), \
- in_interrupt() ? GFP_ATOMIC : GFP_KERNEL)
-# define KFREE(x) kfree(x)
-# define KMALLOCS(x,t,s) (x) = (t)kmalloc((s), \
- in_interrupt() ? GFP_ATOMIC : GFP_KERNEL)
-# define KFREES(x,s) kfree(x)
-
-# define GETIFP(n,v) dev_get_by_name(n)
-
-# else
-# include <net/ethernet.h>
-
-struct mbuf {
-};
-
-# ifndef _NET_ROUTE_H
-struct rtentry {
-};
-# endif
-
-struct ifnet {
- char if_xname[IFNAMSIZ];
- int if_unit;
- int (* if_output) __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *));
- struct ifaddr *if_addrlist;
-};
-# define IFNAME(x) ((struct ifnet *)x)->if_xname
-
-# endif /* _KERNEL */
-
-# define COPYIFNAME(x, b) \
- (void) strncpy(b, \
- ((struct ifnet *)x)->if_xname, \
- LIFNAMSIZ)
-
-# include <linux/fs.h>
-# define FWRITE FMODE_WRITE
-# define FREAD FMODE_READ
-
-# define __USE_MISC 1
-# define __FAVOR_BSD 1
-
-typedef struct uio {
- struct iovec *uio_iov;
- void *uio_file;
- char *uio_buf;
- int uio_iovcnt;
- int uio_offset;
- size_t uio_resid;
- int uio_rw;
-} uio_t;
-
-extern int uiomove __P((caddr_t, size_t, int, struct uio *));
-
-# define UIO_READ 1
-# define UIO_WRITE 2
-
-typedef u_long ioctlcmd_t;
-typedef int minor_t;
-typedef u_int32_t u_32_t;
-# define U_32_T 1
-
-# define OS_RECOGNISED 1
-
-#endif
-
-
-#ifndef OS_RECOGNISED
-#error ip_compat.h does not recognise this platform/OS.
-#endif
-
-
-/* ----------------------------------------------------------------------- */
-/* G E N E R I C */
-/* ----------------------------------------------------------------------- */
-#ifndef OS_RECOGNISED
-#endif
-
-/*
- * For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in
- * filter rules.
- */
-#if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0))
-# define IPFILTER_BPF
-#endif
-
-/*
- * Userland locking primitives
- */
-typedef struct {
- char *eMm_owner;
- char *eMm_heldin;
- u_int eMm_magic;
- int eMm_held;
- int eMm_heldat;
-#ifdef __hpux
- char eMm_fill[8];
-#endif
-} eMmutex_t;
-
-typedef struct {
- char *eMrw_owner;
- char *eMrw_heldin;
- u_int eMrw_magic;
- short eMrw_read;
- short eMrw_write;
- int eMrw_heldat;
-#ifdef __hpux
- char eMm_fill[24];
-#endif
-} eMrwlock_t;
-
-typedef union {
-#ifdef KMUTEX_T
- struct {
- KMUTEX_T ipf_slk;
- char *ipf_lname;
- } ipf_lkun_s;
-#endif
- eMmutex_t ipf_emu;
-} ipfmutex_t;
-
-typedef union {
-#ifdef KRWLOCK_T
- struct {
- KRWLOCK_T ipf_slk;
- char *ipf_lname;
- int ipf_sr;
- int ipf_sw;
- u_int ipf_magic;
- } ipf_lkun_s;
-#endif
- eMrwlock_t ipf_emu;
-} ipfrwlock_t;
-
-#define ipf_lk ipf_lkun_s.ipf_slk
-#define ipf_lname ipf_lkun_s.ipf_lname
-#define ipf_isr ipf_lkun_s.ipf_sr
-#define ipf_isw ipf_lkun_s.ipf_sw
-#define ipf_magic ipf_lkun_s.ipf_magic
-
-#if !defined(__GNUC__) || \
- (defined(__FreeBSD_version) && (__FreeBSD_version >= 503000))
-# ifndef INLINE
-# define INLINE
-# endif
-#else
-# define INLINE __inline__
-#endif
-
-#if defined(linux) && defined(_KERNEL)
-extern INLINE void ipf_read_enter __P((ipfrwlock_t *));
-extern INLINE void ipf_write_enter __P((ipfrwlock_t *));
-extern INLINE void ipf_rw_exit __P((ipfrwlock_t *));
-extern INLINE void ipf_rw_downgrade __P((ipfrwlock_t *));
-#endif
-
-/*
- * In a non-kernel environment, there are a lot of macros that need to be
- * filled in to be null-ops or to point to some compatibility function,
- * somewhere in userland.
- */
-#ifndef _KERNEL
-typedef struct mb_s {
- struct mb_s *mb_next;
- int mb_len;
- u_long mb_buf[2048];
-} mb_t;
-# undef m_next
-# define m_next mb_next
-# define MSGDSIZE(x) (x)->mb_len /* XXX - from ipt.c */
-# define M_LEN(x) (x)->mb_len
-# define M_DUPLICATE(x) (x)
-# define GETKTIME(x) gettimeofday((struct timeval *)(x), NULL)
-# define MTOD(m, t) ((t)(m)->mb_buf)
-# define FREE_MB_T(x)
-# define SLEEP(x,y) 1;
-# define WAKEUP(x,y) ;
-# define IPF_PANIC(x,y) ;
-# define PANIC(x,y) ;
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# define SPL_X(x) ;
-# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a))
-# define KMALLOCS(a,b,c) (a) = (b)malloc(c)
-# define KFREE(x) free(x)
-# define KFREES(x,s) free(x)
-# define GETIFP(x, v) get_unit(x,v)
-# define COPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
-# define COPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
-# define BCOPYIN(a,b,c) (bcopy((a), (b), (c)), 0)
-# define BCOPYOUT(a,b,c) (bcopy((a), (b), (c)), 0)
-# define COPYDATA(m, o, l, b) bcopy(MTOD((mb_t *)m, char *) + (o), \
- (b), (l))
-# define COPYBACK(m, o, l, b) bcopy((b), \
- MTOD((mb_t *)m, char *) + (o), \
- (l))
-# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
-extern void m_copydata __P((mb_t *, int, int, caddr_t));
-extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
-# ifndef CACHE_HASH
-# define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \
- ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
-# endif
-
-# define MUTEX_DESTROY(x) eMmutex_destroy(&(x)->ipf_emu)
-# define MUTEX_ENTER(x) eMmutex_enter(&(x)->ipf_emu, \
- __FILE__, __LINE__)
-# define MUTEX_EXIT(x) eMmutex_exit(&(x)->ipf_emu)
-# define MUTEX_INIT(x,y) eMmutex_init(&(x)->ipf_emu, y)
-# define MUTEX_NUKE(x) bzero((x), sizeof(*(x)))
-
-# define MUTEX_DOWNGRADE(x) eMrwlock_downgrade(&(x)->ipf_emu, \
- __FILE__, __LINE__)
-# define READ_ENTER(x) eMrwlock_read_enter(&(x)->ipf_emu, \
- __FILE__, __LINE__)
-# define RWLOCK_INIT(x, y) eMrwlock_init(&(x)->ipf_emu, y)
-# define RWLOCK_EXIT(x) eMrwlock_exit(&(x)->ipf_emu)
-# define RW_DESTROY(x) eMrwlock_destroy(&(x)->ipf_emu)
-# define WRITE_ENTER(x) eMrwlock_write_enter(&(x)->ipf_emu, \
- __FILE__, \
- __LINE__)
-
-# define USE_MUTEXES 1
-
-extern void eMmutex_destroy __P((eMmutex_t *));
-extern void eMmutex_enter __P((eMmutex_t *, char *, int));
-extern void eMmutex_exit __P((eMmutex_t *));
-extern void eMmutex_init __P((eMmutex_t *, char *));
-extern void eMrwlock_destroy __P((eMrwlock_t *));
-extern void eMrwlock_exit __P((eMrwlock_t *));
-extern void eMrwlock_init __P((eMrwlock_t *, char *));
-extern void eMrwlock_read_enter __P((eMrwlock_t *, char *, int));
-extern void eMrwlock_write_enter __P((eMrwlock_t *, char *, int));
-extern void eMrwlock_downgrade __P((eMrwlock_t *, char *, int));
-
-#endif
-
-#define MAX_IPV4HDR ((0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8)
-
-#ifndef IP_OFFMASK
-# define IP_OFFMASK 0x1fff
-#endif
-
-
-/*
- * On BSD's use quad_t as a guarantee for getting at least a 64bit sized
- * object.
- */
-#if BSD > 199306
-# define USE_QUAD_T
-# define U_QUAD_T u_quad_t
-# define QUAD_T quad_t
-#else /* BSD > 199306 */
-# define U_QUAD_T u_long
-# define QUAD_T long
-#endif /* BSD > 199306 */
-
-
-#ifdef USE_INET6
-# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__osf__) || defined(linux)
-# include <netinet/ip6.h>
-# include <netinet/icmp6.h>
-# if !defined(linux)
-# if defined(_KERNEL) && !defined(__osf__)
-# include <netinet6/ip6_var.h>
-# endif
-# endif
-typedef struct ip6_hdr ip6_t;
-# endif
-#endif
-
-#ifndef MAX
-# define MAX(a,b) (((a) > (b)) ? (a) : (b))
-#endif
-
-#if defined(_KERNEL)
-# ifdef MENTAT
-# define COPYDATA mb_copydata
-# define COPYBACK mb_copyback
-# else
-# define COPYDATA m_copydata
-# define COPYBACK m_copyback
-# endif
-# if (BSD >= 199306) || defined(__FreeBSD__)
-# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \
- defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \
- defined(_BSDI_VERSION)
-# include <vm/vm.h>
-# endif
-# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
- (__FreeBSD_version >= 300000))
-# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \
- (defined(OpenBSD) && (OpenBSD >= 200111))
-# include <uvm/uvm_extern.h>
-# else
-# include <vm/vm_extern.h>
-extern vm_map_t kmem_map;
-# endif
-# include <sys/proc.h>
-# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-# include <vm/vm_kern.h>
-# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-
-# ifdef IPFILTER_M_IPFILTER
-# include <sys/malloc.h>
-MALLOC_DECLARE(M_IPFILTER);
-# define _M_IPF M_IPFILTER
-# else /* IPFILTER_M_IPFILTER */
-# ifdef M_PFIL
-# define _M_IPF M_PFIL
-# else
-# ifdef M_IPFILTER
-# define _M_IPF M_IPFILTER
-# else
-# define _M_IPF M_TEMP
-# endif /* M_IPFILTER */
-# endif /* M_PFIL */
-# endif /* IPFILTER_M_IPFILTER */
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), _M_IPF, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), _M_IPF, M_NOWAIT)
-# define KFREE(x) FREE((x), _M_IPF)
-# define KFREES(x,s) FREE((x), _M_IPF)
-# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
-# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
-# define WAKEUP(id,x) wakeup(id+x)
-# define GETIFP(n, v) ifunit(n)
-# endif /* (Free)BSD */
-
-# if !defined(USE_MUTEXES) && !defined(SPL_NET)
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
- (defined(OpenBSD) && (OpenBSD >= 200006))
-# define SPL_NET(x) x = splsoftnet()
-# else
-# define SPL_IMP(x) x = splimp()
-# define SPL_NET(x) x = splnet()
-# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
-# define SPL_X(x) (void) splx(x)
-# endif /* !USE_MUTEXES */
-
-# ifndef FREE_MB_T
-# define FREE_MB_T(m) m_freem(m)
-# endif
-
-# ifndef MTOD
-# define MTOD(m,t) mtod(m,t)
-# endif
-
-# ifndef COPYIN
-# define COPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define COPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define BCOPYIN(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# define BCOPYOUT(a,b,c) (bcopy((caddr_t)(a), (caddr_t)(b), (c)), 0)
-# endif
-
-# ifndef KMALLOC
-# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \
- KMEM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
-# endif
-
-# ifndef GET_MINOR
-# define GET_MINOR(x) minor(x)
-# endif
-# define PANIC(x,y) if (x) panic y
-#endif /* _KERNEL */
-
-#ifndef IFNAME
-# define IFNAME(x) ((struct ifnet *)x)->if_name
-#endif
-#ifndef COPYIFNAME
-# define NEED_FRGETIFNAME
-extern char *fr_getifname __P((struct ifnet *, char *));
-# define COPYIFNAME(x, b) \
- fr_getifname((struct ifnet *)x, b)
-#endif
-
-#ifndef ASSERT
-# define ASSERT(x)
-#endif
-
-/*
- * Because the ctype(3) posix definition, if used "safely" in code everywhere,
- * would mean all normal code that walks through strings needed casts. Yuck.
- */
-#define ISALNUM(x) isalnum((u_char)(x))
-#define ISALPHA(x) isalpha((u_char)(x))
-#define ISASCII(x) isascii((u_char)(x))
-#define ISDIGIT(x) isdigit((u_char)(x))
-#define ISPRINT(x) isprint((u_char)(x))
-#define ISSPACE(x) isspace((u_char)(x))
-#define ISUPPER(x) isupper((u_char)(x))
-#define ISXDIGIT(x) isxdigit((u_char)(x))
-#define ISLOWER(x) islower((u_char)(x))
-#define TOUPPER(x) toupper((u_char)(x))
-#define TOLOWER(x) tolower((u_char)(x))
-
-/*
- * If mutexes aren't being used, turn all the mutex functions into null-ops.
- */
-#if !defined(USE_MUTEXES)
-# define USE_SPL 1
-# undef RW_DESTROY
-# undef MUTEX_INIT
-# undef MUTEX_NUKE
-# undef MUTEX_DESTROY
-# define MUTEX_ENTER(x) ;
-# define READ_ENTER(x) ;
-# define WRITE_ENTER(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_INIT(x, y) ;
-# define RWLOCK_EXIT(x) ;
-# define RW_DESTROY(x) ;
-# define MUTEX_EXIT(x) ;
-# define MUTEX_INIT(x,y) ;
-# define MUTEX_DESTROY(x) ;
-# define MUTEX_NUKE(x) ;
-#endif /* !USE_MUTEXES */
-#ifndef ATOMIC_INC
-# define ATOMIC_INC(x) (x)++
-# define ATOMIC_DEC(x) (x)--
-#endif
-
-/*
- * If there are no atomic operations for bit sizes defined, define them to all
- * use a generic one that works for all sizes.
- */
-#ifndef ATOMIC_INCL
-# define ATOMIC_INCL ATOMIC_INC
-# define ATOMIC_INC64 ATOMIC_INC
-# define ATOMIC_INC32 ATOMIC_INC
-# define ATOMIC_INC16 ATOMIC_INC
-# define ATOMIC_DECL ATOMIC_DEC
-# define ATOMIC_DEC64 ATOMIC_DEC
-# define ATOMIC_DEC32 ATOMIC_DEC
-# define ATOMIC_DEC16 ATOMIC_DEC
-#endif
-
-#ifndef HDR_T_PRIVATE
-typedef struct tcphdr tcphdr_t;
-typedef struct udphdr udphdr_t;
-#endif
-typedef struct icmp icmphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-typedef struct tcpiphdr tcpiphdr_t;
-
-#ifndef FR_GROUPLEN
-# define FR_GROUPLEN 16
-#endif
-
-#ifdef offsetof
-# undef offsetof
-#endif
-#ifndef offsetof
-# define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-
-/*
- * This set of macros has been brought about because on Tru64 it is not
- * possible to easily assign or examine values in a structure that are
- * bit fields.
- */
-#ifndef IP_V
-# define IP_V(x) (x)->ip_v
-#endif
-#ifndef IP_V_A
-# define IP_V_A(x,y) (x)->ip_v = (y)
-#endif
-#ifndef IP_HL
-# define IP_HL(x) (x)->ip_hl
-#endif
-#ifndef IP_HL_A
-# define IP_HL_A(x,y) (x)->ip_hl = (y)
-#endif
-#ifndef TCP_X2
-# define TCP_X2(x) (x)->th_x2
-#endif
-#ifndef TCP_X2_A
-# define TCP_X2_A(x,y) (x)->th_x2 = (y)
-#endif
-#ifndef TCP_OFF
-# define TCP_OFF(x) (x)->th_off
-#endif
-#ifndef TCP_OFF_A
-# define TCP_OFF_A(x,y) (x)->th_off = (y)
-#endif
-#define IPMINLEN(i, h) ((i)->ip_len >= (IP_HL(i) * 4 + sizeof(struct h)))
-
-
-/*
- * XXX - This is one of those *awful* hacks which nobody likes
- */
-#ifdef ultrix
-#define A_A
-#else
-#define A_A &
-#endif
-
-#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|\
- TH_ECN|TH_CWR)
-
-#if (BSD >= 199306) && !defined(m_act)
-# define m_act m_nextpkt
-#endif
-
-/*
- * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
- *
- * Basic Option
- *
- * 00000001 - (Reserved 4)
- * 00111101 - Top Secret
- * 01011010 - Secret
- * 10010110 - Confidential
- * 01100110 - (Reserved 3)
- * 11001100 - (Reserved 2)
- * 10101011 - Unclassified
- * 11110001 - (Reserved 1)
- */
-#define IPSO_CLASS_RES4 0x01
-#define IPSO_CLASS_TOPS 0x3d
-#define IPSO_CLASS_SECR 0x5a
-#define IPSO_CLASS_CONF 0x96
-#define IPSO_CLASS_RES3 0x66
-#define IPSO_CLASS_RES2 0xcc
-#define IPSO_CLASS_UNCL 0xab
-#define IPSO_CLASS_RES1 0xf1
-
-#define IPSO_AUTH_GENSER 0x80
-#define IPSO_AUTH_ESI 0x40
-#define IPSO_AUTH_SCI 0x20
-#define IPSO_AUTH_NSA 0x10
-#define IPSO_AUTH_DOE 0x08
-#define IPSO_AUTH_UN 0x06
-#define IPSO_AUTH_FTE 0x01
-
-/*
- * IP option #defines
- */
-#undef IPOPT_RR
-#define IPOPT_RR 7
-#undef IPOPT_ZSU
-#define IPOPT_ZSU 10 /* ZSU */
-#undef IPOPT_MTUP
-#define IPOPT_MTUP 11 /* MTUP */
-#undef IPOPT_MTUR
-#define IPOPT_MTUR 12 /* MTUR */
-#undef IPOPT_ENCODE
-#define IPOPT_ENCODE 15 /* ENCODE */
-#undef IPOPT_TS
-#define IPOPT_TS 68
-#undef IPOPT_TR
-#define IPOPT_TR 82 /* TR */
-#undef IPOPT_SECURITY
-#define IPOPT_SECURITY 130
-#undef IPOPT_LSRR
-#define IPOPT_LSRR 131
-#undef IPOPT_E_SEC
-#define IPOPT_E_SEC 133 /* E-SEC */
-#undef IPOPT_CIPSO
-#define IPOPT_CIPSO 134 /* CIPSO */
-#undef IPOPT_SATID
-#define IPOPT_SATID 136
-#ifndef IPOPT_SID
-# define IPOPT_SID IPOPT_SATID
-#endif
-#undef IPOPT_SSRR
-#define IPOPT_SSRR 137
-#undef IPOPT_ADDEXT
-#define IPOPT_ADDEXT 147 /* ADDEXT */
-#undef IPOPT_VISA
-#define IPOPT_VISA 142 /* VISA */
-#undef IPOPT_IMITD
-#define IPOPT_IMITD 144 /* IMITD */
-#undef IPOPT_EIP
-#define IPOPT_EIP 145 /* EIP */
-#undef IPOPT_RTRALRT
-#define IPOPT_RTRALRT 148 /* RTRALRT */
-#undef IPOPT_SDB
-#define IPOPT_SDB 149
-#undef IPOPT_NSAPA
-#define IPOPT_NSAPA 150
-#undef IPOPT_DPS
-#define IPOPT_DPS 151
-#undef IPOPT_UMP
-#define IPOPT_UMP 152
-#undef IPOPT_FINN
-#define IPOPT_FINN 205 /* FINN */
-
-#ifndef TCPOPT_EOL
-# define TCPOPT_EOL 0
-#endif
-#ifndef TCPOPT_NOP
-# define TCPOPT_NOP 1
-#endif
-#ifndef TCPOPT_MAXSEG
-# define TCPOPT_MAXSEG 2
-#endif
-#ifndef TCPOLEN_MAXSEG
-# define TCPOLEN_MAXSEG 4
-#endif
-#ifndef TCPOPT_WINDOW
-# define TCPOPT_WINDOW 3
-#endif
-#ifndef TCPOLEN_WINDOW
-# define TCPOLEN_WINDOW 3
-#endif
-#ifndef TCPOPT_SACK_PERMITTED
-# define TCPOPT_SACK_PERMITTED 4
-#endif
-#ifndef TCPOLEN_SACK_PERMITTED
-# define TCPOLEN_SACK_PERMITTED 2
-#endif
-#ifndef TCPOPT_SACK
-# define TCPOPT_SACK 5
-#endif
-#ifndef TCPOPT_TIMESTAMP
-# define TCPOPT_TIMESTAMP 8
-#endif
-
-#ifndef ICMP_MINLEN
-# define ICMP_MINLEN 8
-#endif
-#ifndef ICMP_ECHOREPLY
-# define ICMP_ECHOREPLY 0
-#endif
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH 3
-#endif
-#ifndef ICMP_UNREACH_NET
-# define ICMP_UNREACH_NET 0
-#endif
-#ifndef ICMP_UNREACH_HOST
-# define ICMP_UNREACH_HOST 1
-#endif
-#ifndef ICMP_UNREACH_PROTOCOL
-# define ICMP_UNREACH_PROTOCOL 2
-#endif
-#ifndef ICMP_UNREACH_PORT
-# define ICMP_UNREACH_PORT 3
-#endif
-#ifndef ICMP_UNREACH_NEEDFRAG
-# define ICMP_UNREACH_NEEDFRAG 4
-#endif
-#ifndef ICMP_UNREACH_SRCFAIL
-# define ICMP_UNREACH_SRCFAIL 5
-#endif
-#ifndef ICMP_UNREACH_NET_UNKNOWN
-# define ICMP_UNREACH_NET_UNKNOWN 6
-#endif
-#ifndef ICMP_UNREACH_HOST_UNKNOWN
-# define ICMP_UNREACH_HOST_UNKNOWN 7
-#endif
-#ifndef ICMP_UNREACH_ISOLATED
-# define ICMP_UNREACH_ISOLATED 8
-#endif
-#ifndef ICMP_UNREACH_NET_PROHIB
-# define ICMP_UNREACH_NET_PROHIB 9
-#endif
-#ifndef ICMP_UNREACH_HOST_PROHIB
-# define ICMP_UNREACH_HOST_PROHIB 10
-#endif
-#ifndef ICMP_UNREACH_TOSNET
-# define ICMP_UNREACH_TOSNET 11
-#endif
-#ifndef ICMP_UNREACH_TOSHOST
-# define ICMP_UNREACH_TOSHOST 12
-#endif
-#ifndef ICMP_UNREACH_ADMIN_PROHIBIT
-# define ICMP_UNREACH_ADMIN_PROHIBIT 13
-#endif
-#ifndef ICMP_UNREACH_FILTER
-# define ICMP_UNREACH_FILTER 13
-#endif
-#ifndef ICMP_UNREACH_HOST_PRECEDENCE
-# define ICMP_UNREACH_HOST_PRECEDENCE 14
-#endif
-#ifndef ICMP_UNREACH_PRECEDENCE_CUTOFF
-# define ICMP_UNREACH_PRECEDENCE_CUTOFF 15
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH 4
-#endif
-#ifndef ICMP_REDIRECT_NET
-# define ICMP_REDIRECT_NET 0
-#endif
-#ifndef ICMP_REDIRECT_HOST
-# define ICMP_REDIRECT_HOST 1
-#endif
-#ifndef ICMP_REDIRECT_TOSNET
-# define ICMP_REDIRECT_TOSNET 2
-#endif
-#ifndef ICMP_REDIRECT_TOSHOST
-# define ICMP_REDIRECT_TOSHOST 3
-#endif
-#ifndef ICMP_ALTHOSTADDR
-# define ICMP_ALTHOSTADDR 6
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED 11
-#endif
-#ifndef ICMP_TIMXCEED_INTRANS
-# define ICMP_TIMXCEED_INTRANS 0
-#endif
-#ifndef ICMP_TIMXCEED_REASS
-# define ICMP_TIMXCEED_REASS 1
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB 12
-#endif
-#ifndef ICMP_PARAMPROB_ERRATPTR
-# define ICMP_PARAMPROB_ERRATPTR 0
-#endif
-#ifndef ICMP_PARAMPROB_OPTABSENT
-# define ICMP_PARAMPROB_OPTABSENT 1
-#endif
-#ifndef ICMP_PARAMPROB_LENGTH
-# define ICMP_PARAMPROB_LENGTH 2
-#endif
-#ifndef ICMP_TSTAMP
-# define ICMP_TSTAMP 13
-#endif
-#ifndef ICMP_TSTAMPREPLY
-# define ICMP_TSTAMPREPLY 14
-#endif
-#ifndef ICMP_IREQ
-# define ICMP_IREQ 15
-#endif
-#ifndef ICMP_IREQREPLY
-# define ICMP_IREQREPLY 16
-#endif
-#ifndef ICMP_MASKREQ
-# define ICMP_MASKREQ 17
-#endif
-#ifndef ICMP_MASKREPLY
-# define ICMP_MASKREPLY 18
-#endif
-#ifndef ICMP_TRACEROUTE
-# define ICMP_TRACEROUTE 30
-#endif
-#ifndef ICMP_DATACONVERR
-# define ICMP_DATACONVERR 31
-#endif
-#ifndef ICMP_MOBILE_REDIRECT
-# define ICMP_MOBILE_REDIRECT 32
-#endif
-#ifndef ICMP_IPV6_WHEREAREYOU
-# define ICMP_IPV6_WHEREAREYOU 33
-#endif
-#ifndef ICMP_IPV6_IAMHERE
-# define ICMP_IPV6_IAMHERE 34
-#endif
-#ifndef ICMP_MOBILE_REGREQUEST
-# define ICMP_MOBILE_REGREQUEST 35
-#endif
-#ifndef ICMP_MOBILE_REGREPLY
-# define ICMP_MOBILE_REGREPLY 36
-#endif
-#ifndef ICMP_SKIP
-# define ICMP_SKIP 39
-#endif
-#ifndef ICMP_PHOTURIS
-# define ICMP_PHOTURIS 40
-#endif
-#ifndef ICMP_PHOTURIS_UNKNOWN_INDEX
-# define ICMP_PHOTURIS_UNKNOWN_INDEX 1
-#endif
-#ifndef ICMP_PHOTURIS_AUTH_FAILED
-# define ICMP_PHOTURIS_AUTH_FAILED 2
-#endif
-#ifndef ICMP_PHOTURIS_DECRYPT_FAILED
-# define ICMP_PHOTURIS_DECRYPT_FAILED 3
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#undef TH_ACKMASK
-#define TH_ACKMASK (TH_FIN|TH_SYN|TH_RST|TH_ACK)
-
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-#ifndef IPOPT_OLEN
-# define IPOPT_OLEN 1
-#endif
-#ifndef IPPROTO_HOPOPTS
-# define IPPROTO_HOPOPTS 0
-#endif
-#ifndef IPPROTO_ENCAP
-# define IPPROTO_ENCAP 4
-#endif
-#ifndef IPPROTO_IPV6
-# define IPPROTO_IPV6 41
-#endif
-#ifndef IPPROTO_ROUTING
-# define IPPROTO_ROUTING 43
-#endif
-#ifndef IPPROTO_FRAGMENT
-# define IPPROTO_FRAGMENT 44
-#endif
-#ifndef IPPROTO_GRE
-# define IPPROTO_GRE 47 /* GRE encaps RFC 1701 */
-#endif
-#ifndef IPPROTO_ESP
-# define IPPROTO_ESP 50
-#endif
-#ifndef IPPROTO_AH
-# define IPPROTO_AH 51
-#endif
-#ifndef IPPROTO_ICMPV6
-# define IPPROTO_ICMPV6 58
-#endif
-#ifndef IPPROTO_NONE
-# define IPPROTO_NONE 59
-#endif
-#ifndef IPPROTO_DSTOPTS
-# define IPPROTO_DSTOPTS 60
-#endif
-#ifndef IPPROTO_FRAGMENT
-# define IPPROTO_FRAGMENT 44
-#endif
-#ifndef ICMP_ROUTERADVERT
-# define ICMP_ROUTERADVERT 9
-#endif
-#ifndef ICMP_ROUTERSOLICIT
-# define ICMP_ROUTERSOLICIT 10
-#endif
-#ifndef ICMP6_DST_UNREACH
-# define ICMP6_DST_UNREACH 1
-#endif
-#ifndef ICMP6_PACKET_TOO_BIG
-# define ICMP6_PACKET_TOO_BIG 2
-#endif
-#ifndef ICMP6_TIME_EXCEEDED
-# define ICMP6_TIME_EXCEEDED 3
-#endif
-#ifndef ICMP6_PARAM_PROB
-# define ICMP6_PARAM_PROB 4
-#endif
-
-#ifndef ICMP6_ECHO_REQUEST
-# define ICMP6_ECHO_REQUEST 128
-#endif
-#ifndef ICMP6_ECHO_REPLY
-# define ICMP6_ECHO_REPLY 129
-#endif
-#ifndef ICMP6_MEMBERSHIP_QUERY
-# define ICMP6_MEMBERSHIP_QUERY 130
-#endif
-#ifndef MLD6_LISTENER_QUERY
-# define MLD6_LISTENER_QUERY 130
-#endif
-#ifndef ICMP6_MEMBERSHIP_REPORT
-# define ICMP6_MEMBERSHIP_REPORT 131
-#endif
-#ifndef MLD6_LISTENER_REPORT
-# define MLD6_LISTENER_REPORT 131
-#endif
-#ifndef ICMP6_MEMBERSHIP_REDUCTION
-# define ICMP6_MEMBERSHIP_REDUCTION 132
-#endif
-#ifndef MLD6_LISTENER_DONE
-# define MLD6_LISTENER_DONE 132
-#endif
-#ifndef ND_ROUTER_SOLICIT
-# define ND_ROUTER_SOLICIT 133
-#endif
-#ifndef ND_ROUTER_ADVERT
-# define ND_ROUTER_ADVERT 134
-#endif
-#ifndef ND_NEIGHBOR_SOLICIT
-# define ND_NEIGHBOR_SOLICIT 135
-#endif
-#ifndef ND_NEIGHBOR_ADVERT
-# define ND_NEIGHBOR_ADVERT 136
-#endif
-#ifndef ND_REDIRECT
-# define ND_REDIRECT 137
-#endif
-#ifndef ICMP6_ROUTER_RENUMBERING
-# define ICMP6_ROUTER_RENUMBERING 138
-#endif
-#ifndef ICMP6_WRUREQUEST
-# define ICMP6_WRUREQUEST 139
-#endif
-#ifndef ICMP6_WRUREPLY
-# define ICMP6_WRUREPLY 140
-#endif
-#ifndef ICMP6_FQDN_QUERY
-# define ICMP6_FQDN_QUERY 139
-#endif
-#ifndef ICMP6_FQDN_REPLY
-# define ICMP6_FQDN_REPLY 140
-#endif
-#ifndef ICMP6_NI_QUERY
-# define ICMP6_NI_QUERY 139
-#endif
-#ifndef ICMP6_NI_REPLY
-# define ICMP6_NI_REPLY 140
-#endif
-#ifndef MLD6_MTRACE_RESP
-# define MLD6_MTRACE_RESP 200
-#endif
-#ifndef MLD6_MTRACE
-# define MLD6_MTRACE 201
-#endif
-#ifndef ICMP6_HADISCOV_REQUEST
-# define ICMP6_HADISCOV_REQUEST 202
-#endif
-#ifndef ICMP6_HADISCOV_REPLY
-# define ICMP6_HADISCOV_REPLY 203
-#endif
-#ifndef ICMP6_MOBILEPREFIX_SOLICIT
-# define ICMP6_MOBILEPREFIX_SOLICIT 204
-#endif
-#ifndef ICMP6_MOBILEPREFIX_ADVERT
-# define ICMP6_MOBILEPREFIX_ADVERT 205
-#endif
-#ifndef ICMP6_MAXTYPE
-# define ICMP6_MAXTYPE 205
-#endif
-
-#ifndef ICMP6_DST_UNREACH_NOROUTE
-# define ICMP6_DST_UNREACH_NOROUTE 0
-#endif
-#ifndef ICMP6_DST_UNREACH_ADMIN
-# define ICMP6_DST_UNREACH_ADMIN 1
-#endif
-#ifndef ICMP6_DST_UNREACH_NOTNEIGHBOR
-# define ICMP6_DST_UNREACH_NOTNEIGHBOR 2
-#endif
-#ifndef ICMP6_DST_UNREACH_BEYONDSCOPE
-# define ICMP6_DST_UNREACH_BEYONDSCOPE 2
-#endif
-#ifndef ICMP6_DST_UNREACH_ADDR
-# define ICMP6_DST_UNREACH_ADDR 3
-#endif
-#ifndef ICMP6_DST_UNREACH_NOPORT
-# define ICMP6_DST_UNREACH_NOPORT 4
-#endif
-#ifndef ICMP6_TIME_EXCEED_TRANSIT
-# define ICMP6_TIME_EXCEED_TRANSIT 0
-#endif
-#ifndef ICMP6_TIME_EXCEED_REASSEMBLY
-# define ICMP6_TIME_EXCEED_REASSEMBLY 1
-#endif
-
-#ifndef ICMP6_NI_SUCCESS
-# define ICMP6_NI_SUCCESS 0
-#endif
-#ifndef ICMP6_NI_REFUSED
-# define ICMP6_NI_REFUSED 1
-#endif
-#ifndef ICMP6_NI_UNKNOWN
-# define ICMP6_NI_UNKNOWN 2
-#endif
-
-#ifndef ICMP6_ROUTER_RENUMBERING_COMMAND
-# define ICMP6_ROUTER_RENUMBERING_COMMAND 0
-#endif
-#ifndef ICMP6_ROUTER_RENUMBERING_RESULT
-# define ICMP6_ROUTER_RENUMBERING_RESULT 1
-#endif
-#ifndef ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET
-# define ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET 255
-#endif
-
-#ifndef ICMP6_PARAMPROB_HEADER
-# define ICMP6_PARAMPROB_HEADER 0
-#endif
-#ifndef ICMP6_PARAMPROB_NEXTHEADER
-# define ICMP6_PARAMPROB_NEXTHEADER 1
-#endif
-#ifndef ICMP6_PARAMPROB_OPTION
-# define ICMP6_PARAMPROB_OPTION 2
-#endif
-
-#ifndef ICMP6_NI_SUBJ_IPV6
-# define ICMP6_NI_SUBJ_IPV6 0
-#endif
-#ifndef ICMP6_NI_SUBJ_FQDN
-# define ICMP6_NI_SUBJ_FQDN 1
-#endif
-#ifndef ICMP6_NI_SUBJ_IPV4
-# define ICMP6_NI_SUBJ_IPV4 2
-#endif
-
-/*
- * ECN is a new addition to TCP - RFC 2481
- */
-#ifndef TH_ECN
-# define TH_ECN 0x40
-#endif
-#ifndef TH_CWR
-# define TH_CWR 0x80
-#endif
-#define TH_ECNALL (TH_ECN|TH_CWR)
-
-/*
- * TCP States
- */
-#define IPF_TCPS_CLOSED 0 /* closed */
-#define IPF_TCPS_LISTEN 1 /* listening for connection */
-#define IPF_TCPS_SYN_SENT 2 /* active, have sent syn */
-#define IPF_TCPS_SYN_RECEIVED 3 /* have send and received syn */
-#define IPF_TCPS_HALF_ESTAB 4 /* for connections not fully "up" */
-/* states < IPF_TCPS_ESTABLISHED are those where connections not established */
-#define IPF_TCPS_ESTABLISHED 5 /* established */
-#define IPF_TCPS_CLOSE_WAIT 6 /* rcvd fin, waiting for close */
-/* states > IPF_TCPS_CLOSE_WAIT are those where user has closed */
-#define IPF_TCPS_FIN_WAIT_1 7 /* have closed, sent fin */
-#define IPF_TCPS_CLOSING 8 /* closed xchd FIN; await FIN ACK */
-#define IPF_TCPS_LAST_ACK 9 /* had fin and close; await FIN ACK */
-/* states > IPF_TCPS_CLOSE_WAIT && < IPF_TCPS_FIN_WAIT_2 await ACK of FIN */
-#define IPF_TCPS_FIN_WAIT_2 10 /* have closed, fin is acked */
-#define IPF_TCPS_TIME_WAIT 11 /* in 2*msl quiet wait after close */
-#define IPF_TCP_NSTATES 12
-
-#define TCP_MSL 120
-
-#undef ICMP_MAX_UNREACH
-#define ICMP_MAX_UNREACH 14
-#undef ICMP_MAXTYPE
-#define ICMP_MAXTYPE 18
-
-#ifndef IFNAMSIZ
-#define IFNAMSIZ 16
-#endif
-
-#ifndef LOG_FTP
-# define LOG_FTP (11<<3)
-#endif
-#ifndef LOG_AUTHPRIV
-# define LOG_AUTHPRIV (10<<3)
-#endif
-#ifndef LOG_AUDIT
-# define LOG_AUDIT (13<<3)
-#endif
-#ifndef LOG_NTP
-# define LOG_NTP (12<<3)
-#endif
-#ifndef LOG_SECURITY
-# define LOG_SECURITY (13<<3)
-#endif
-#ifndef LOG_LFMT
-# define LOG_LFMT (14<<3)
-#endif
-#ifndef LOG_CONSOLE
-# define LOG_CONSOLE (14<<3)
-#endif
-
-/*
- * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
- * another IP header and then 64 bits of data, totalling 56. Of course,
- * the last 64 bits is dependant on that being available.
- */
-#define ICMPERR_ICMPHLEN 8
-#define ICMPERR_IPICMPHLEN (20 + 8)
-#define ICMPERR_MINPKTLEN (20 + 8 + 20)
-#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
-#define ICMP6ERR_MINPKTLEN (40 + 8)
-#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40)
-
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#ifdef IPF_DEBUG
-# define DPRINT(x) printf x
-#else
-# define DPRINT(x)
-#endif
-
-#endif /* __IP_COMPAT_H__ */
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
deleted file mode 100644
index f2006e9..0000000
--- a/contrib/ipfilter/ip_fil.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.18 2007/09/09 11:32:05 darrenr Exp $";
-#endif
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#include <sys/param.h>
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if defined(IPFILTER_LKM)
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# endif
-#endif
-#include <sys/errno.h>
-#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL)
-# include <sys/kern_svcs.h>
-#endif
-#include <sys/types.h>
-#define _KERNEL
-#define KERNEL
-#ifdef __OpenBSD__
-struct file;
-#endif
-#include <sys/uio.h>
-#undef _KERNEL
-#undef KERNEL
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#ifdef __sgi
-# include <sys/ptimers.h>
-#endif
-#include <sys/time.h>
-#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <fcntl.h>
-
-#ifdef __hpux
-# define _NET_ROUTE_INCLUDED
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#ifdef __sgi
-#include <sys/debug.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-# endif
-#endif
-#if defined(__FreeBSD__) || defined(SOLARIS2)
-# include "radix_ipf.h"
-#endif
-#ifndef __osf__
-# include <net/route.h>
-#endif
-#include <netinet/in.h>
-#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \
- !defined(__hpux) && !defined(linux)
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#if defined(__osf__)
-# include <netinet/tcp_timer.h>
-#endif
-#if defined(__osf__) || defined(__hpux) || defined(__sgi)
-# include "radix_ipf_local.h"
-# define _RADIX_H_
-#endif
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <arpa/inet.h>
-#ifdef __hpux
-# undef _NET_ROUTE_INCLUDED
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#ifdef IPFILTER_SCAN
-#include "netinet/ip_scan.h"
-#endif
-#include "netinet/ip_pool.h"
-#ifdef IPFILTER_COMPILED
-# include "netinet/ip_rules.h"
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#ifdef __hpux
-struct rtentry;
-#endif
-#include "md5.h"
-
-
-#if !defined(__osf__) && !defined(__linux__)
-extern struct protosw inetsw[];
-#endif
-
-#include "ipt.h"
-static struct ifnet **ifneta = NULL;
-static int nifs = 0;
-
-static void fr_setifpaddr __P((struct ifnet *, char *));
-void init_ifp __P((void));
-#if defined(__sgi) && (IRIX < 60500)
-static int no_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *));
-static int write_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *));
-#else
-# if TRU64 >= 1885
-static int no_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *, char *));
-static int write_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *, char *));
-# else
-static int no_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *));
-static int write_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *));
-# endif
-#endif
-
-
-int ipfattach()
-{
- fr_running = 1;
- return 0;
-}
-
-
-int ipfdetach()
-{
- fr_running = -1;
- return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-int iplioctl(dev, cmd, data, mode)
-int dev;
-ioctlcmd_t cmd;
-caddr_t data;
-int mode;
-{
- int error = 0, unit = 0, uid;
- SPL_INT(s);
-
- uid = getuid();
- unit = dev;
-
- SPL_NET(s);
-
- error = fr_ioctlswitch(unit, data, cmd, mode, uid, NULL);
- if (error != -1) {
- SPL_X(s);
- return error;
- }
-
- SPL_X(s);
- return error;
-}
-
-
-void fr_forgetifp(ifp)
-void *ifp;
-{
- register frentry_t *f;
-
- WRITE_ENTER(&ipf_mutex);
- for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
- for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- fr_natsync(ifp);
-}
-
-
-#if defined(__sgi) && (IRIX < 60500)
-static int no_output(ifp, m, s)
-#else
-# if TRU64 >= 1885
-static int no_output (ifp, m, s, rt, cp)
-char *cp;
-# else
-static int no_output(ifp, m, s, rt)
-# endif
-struct rtentry *rt;
-#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
-{
- return 0;
-}
-
-
-#if defined(__sgi) && (IRIX < 60500)
-static int write_output(ifp, m, s)
-#else
-# if TRU64 >= 1885
-static int write_output (ifp, m, s, rt, cp)
-char *cp;
-# else
-static int write_output(ifp, m, s, rt)
-# endif
-struct rtentry *rt;
-#endif
-struct ifnet *ifp;
-struct mbuf *m;
-struct sockaddr *s;
-{
- char fname[32];
- mb_t *mb;
- ip_t *ip;
- int fd;
-
- mb = (mb_t *)m;
- ip = MTOD(mb, ip_t *);
-
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- sprintf(fname, "/tmp/%s", ifp->if_xname);
-#else
- sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
-#endif
- fd = open(fname, O_WRONLY|O_APPEND);
- if (fd == -1) {
- perror("open");
- return -1;
- }
- write(fd, (char *)ip, ntohs(ip->ip_len));
- close(fd);
- return 0;
-}
-
-
-static void fr_setifpaddr(ifp, addr)
-struct ifnet *ifp;
-char *addr;
-{
-#ifdef __sgi
- struct in_ifaddr *ifa;
-#else
- struct ifaddr *ifa;
-#endif
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
- if (ifp->if_addrlist.tqh_first != NULL)
-#else
-# ifdef __sgi
- if (ifp->in_ifaddr != NULL)
-# else
- if (ifp->if_addrlist != NULL)
-# endif
-#endif
- return;
-
- ifa = (struct ifaddr *)malloc(sizeof(*ifa));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
- ifp->if_addrlist.tqh_first = ifa;
-#else
-# ifdef __sgi
- ifp->in_ifaddr = ifa;
-# else
- ifp->if_addrlist = ifa;
-# endif
-#endif
-
- if (ifa != NULL) {
- struct sockaddr_in *sin;
-
-#ifdef __sgi
- sin = (struct sockaddr_in *)&ifa->ia_addr;
-#else
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
-#endif
- sin->sin_addr.s_addr = inet_addr(addr);
- if (sin->sin_addr.s_addr == 0)
- abort();
- }
-}
-
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
-{
- struct ifnet *ifp, **ifpp, **old_ifneta;
- char *addr;
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-
- if (name == NULL)
- name = "anon0";
-
- addr = strchr(name, '=');
- if (addr != NULL)
- *addr++ = '\0';
-
- for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- if (!strcmp(name, ifp->if_xname)) {
- if (addr != NULL)
- fr_setifpaddr(ifp, addr);
- return ifp;
- }
- }
-#else
- char *s, ifname[LIFNAMSIZ+1];
-
- if (name == NULL)
- name = "anon0";
-
- addr = strchr(name, '=');
- if (addr != NULL)
- *addr++ = '\0';
-
- for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- COPYIFNAME(v, ifp, ifname);
- if (!strcmp(name, ifname)) {
- if (addr != NULL)
- fr_setifpaddr(ifp, addr);
- return ifp;
- }
- }
-#endif
-
- if (!ifneta) {
- ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
- if (!ifneta)
- return NULL;
- ifneta[1] = NULL;
- ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
- if (!ifneta[0]) {
- free(ifneta);
- return NULL;
- }
- nifs = 1;
- } else {
- old_ifneta = ifneta;
- nifs++;
- ifneta = (struct ifnet **)realloc(ifneta,
- (nifs + 1) * sizeof(ifp));
- if (!ifneta) {
- free(old_ifneta);
- nifs = 0;
- return NULL;
- }
- ifneta[nifs] = NULL;
- ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
- if (!ifneta[nifs - 1]) {
- nifs--;
- return NULL;
- }
- }
- ifp = ifneta[nifs - 1];
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
- TAILQ_INIT(&ifp->if_addrlist);
-#endif
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- (void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname));
-#else
- for (s = name; *s && !ISDIGIT(*s); s++)
- ;
- if (*s && ISDIGIT(*s)) {
- ifp->if_unit = atoi(s);
- ifp->if_name = (char *)malloc(s - name + 1);
- (void) strncpy(ifp->if_name, name, s - name);
- ifp->if_name[s - name] = '\0';
- } else {
- ifp->if_name = strdup(name);
- ifp->if_unit = -1;
- }
-#endif
- ifp->if_output = (void *)no_output;
-
- if (addr != NULL) {
- fr_setifpaddr(ifp, addr);
- }
-
- return ifp;
-}
-
-
-char *get_ifname(ifp)
-struct ifnet *ifp;
-{
- static char ifname[LIFNAMSIZ];
-
-#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- sprintf(ifname, "%s", ifp->if_xname);
-#else
- sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
-#endif
- return ifname;
-}
-
-
-
-void init_ifp()
-{
- struct ifnet *ifp, **ifpp;
- char fname[32];
- int fd;
-
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- ifp->if_output = (void *)write_output;
- sprintf(fname, "/tmp/%s", ifp->if_xname);
- fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
- if (fd == -1)
- perror("open");
- else
- close(fd);
- }
-#else
-
- for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) {
- ifp->if_output = write_output;
- sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
- fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
- if (fd == -1)
- perror("open");
- else
- close(fd);
- }
-#endif
-}
-
-
-int fr_fastroute(m, mpp, fin, fdp)
-mb_t *m, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- struct ifnet *ifp = fdp->fd_ifp;
- ip_t *ip = fin->fin_ip;
- int error = 0;
- frentry_t *fr;
- void *sifp;
-
- if (!ifp)
- return 0; /* no routing table out here */
-
- fr = fin->fin_fr;
- ip->ip_sum = 0;
-
- if (fin->fin_out == 0) {
- sifp = fin->fin_ifp;
- fin->fin_ifp = ifp;
- fin->fin_out = 1;
- (void) fr_acctpkt(fin, NULL);
- fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK)) {
- u_32_t pass;
-
- (void) fr_checkstate(fin, &pass);
- }
-
- switch (fr_checknatout(fin, NULL))
- {
- case 0 :
- break;
- case 1 :
- ip->ip_sum = 0;
- break;
- case -1 :
- error = -1;
- goto done;
- break;
- }
-
- fin->fin_ifp = sifp;
- fin->fin_out = 0;
- }
-
-#if defined(__sgi) && (IRIX < 60500)
- (*ifp->if_output)(ifp, (void *)ip, NULL);
-# if TRU64 >= 1885
- (*ifp->if_output)(ifp, (void *)m, NULL, 0, 0);
-# else
- (*ifp->if_output)(ifp, (void *)m, NULL, 0);
-# endif
-#endif
-done:
- return error;
-}
-
-
-int fr_send_reset(fin)
-fr_info_t *fin;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-
-
-int fr_send_icmp_err(type, fin, dst)
-int type;
-fr_info_t *fin;
-int dst;
-{
- verbose("- ICMP unreachable sent\n");
- return 0;
-}
-
-
-void frsync(ifp)
-void *ifp;
-{
- return;
-}
-
-
-void m_freem(m)
-mb_t *m;
-{
- return;
-}
-
-
-void m_copydata(m, off, len, cp)
-mb_t *m;
-int off, len;
-caddr_t cp;
-{
- bcopy((char *)m + off, cp, len);
-}
-
-
-int ipfuiomove(buf, len, rwflag, uio)
-caddr_t buf;
-int len, rwflag;
-struct uio *uio;
-{
- int left, ioc, num, offset;
- struct iovec *io;
- char *start;
-
- if (rwflag == UIO_READ) {
- left = len;
- ioc = 0;
-
- offset = uio->uio_offset;
-
- while ((left > 0) && (ioc < uio->uio_iovcnt)) {
- io = uio->uio_iov + ioc;
- num = io->iov_len;
- if (num > left)
- num = left;
- start = (char *)io->iov_base + offset;
- if (start > (char *)io->iov_base + io->iov_len) {
- offset -= io->iov_len;
- ioc++;
- continue;
- }
- bcopy(buf, start, num);
- uio->uio_resid -= num;
- uio->uio_offset += num;
- left -= num;
- if (left > 0)
- ioc++;
- }
- if (left > 0)
- return EFAULT;
- }
- return 0;
-}
-
-
-u_32_t fr_newisn(fin)
-fr_info_t *fin;
-{
- static int iss_seq_off = 0;
- u_char hash[16];
- u_32_t newiss;
- MD5_CTX ctx;
-
- /*
- * Compute the base value of the ISS. It is a hash
- * of (saddr, sport, daddr, dport, secret).
- */
- MD5Init(&ctx);
-
- MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
- sizeof(fin->fin_fi.fi_src));
- MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
- sizeof(fin->fin_fi.fi_dst));
- MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
-
- /* MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret)); */
-
- MD5Final(hash, &ctx);
-
- memcpy(&newiss, hash, sizeof(newiss));
-
- /*
- * Now increment our "timer", and add it in to
- * the computed value.
- *
- * XXX Use `addin'?
- * XXX TCP_ISSINCR too large to use?
- */
- iss_seq_off += 0x00010000;
- newiss += iss_seq_off;
- return newiss;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_nextipid */
-/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Returns the next IPv4 ID to use for this packet. */
-/* ------------------------------------------------------------------------ */
-INLINE u_short fr_nextipid(fin)
-fr_info_t *fin;
-{
- static u_short ipid = 0;
- u_short id;
-
- MUTEX_ENTER(&ipf_rw);
- id = ipid++;
- MUTEX_EXIT(&ipf_rw);
-
- return id;
-}
-
-
-INLINE void fr_checkv4sum(fin)
-fr_info_t *fin;
-{
- if (fr_checkl4sum(fin) == -1)
- fin->fin_flx |= FI_BAD;
-}
-
-
-#ifdef USE_INET6
-INLINE void fr_checkv6sum(fin)
-fr_info_t *fin;
-{
- if (fr_checkl4sum(fin) == -1)
- fin->fin_flx |= FI_BAD;
-}
-#endif
-
-
-/*
- * See above for description, except that all addressing is in user space.
- */
-int copyoutptr(src, dst, size)
-void *src, *dst;
-size_t size;
-{
- caddr_t ca;
-
- bcopy(dst, (char *)&ca, sizeof(ca));
- bcopy(src, ca, size);
- return 0;
-}
-
-
-/*
- * See above for description, except that all addressing is in user space.
- */
-int copyinptr(src, dst, size)
-void *src, *dst;
-size_t size;
-{
- caddr_t ca;
-
- bcopy(src, (char *)&ca, sizeof(ca));
- bcopy(ca, dst, size);
- return 0;
-}
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
-int v, atype;
-void *ifptr;
-struct in_addr *inp, *inpmask;
-{
- struct ifnet *ifp = ifptr;
-#ifdef __sgi
- struct in_ifaddr *ifa;
-#else
- struct ifaddr *ifa;
-#endif
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
- ifa = ifp->if_addrlist.tqh_first;
-#else
-# ifdef __sgi
- ifa = (struct in_ifaddr *)ifp->in_ifaddr;
-# else
- ifa = ifp->if_addrlist;
-# endif
-#endif
- if (ifa != NULL) {
- struct sockaddr_in *sin, mask;
-
- mask.sin_addr.s_addr = 0xffffffff;
-
-#ifdef __sgi
- sin = (struct sockaddr_in *)&ifa->ia_addr;
-#else
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
-#endif
-
- return fr_ifpfillv4addr(atype, sin, &mask, inp, inpmask);
- }
- return 0;
-}
-
-
-int ipfsync()
-{
- return 0;
-}
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
deleted file mode 100644
index 2aacb3f..0000000
--- a/contrib/ipfilter/ip_fil.h
+++ /dev/null
@@ -1,1368 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h 1.35 6/5/96
- * Id: ip_fil.h,v 2.170.2.18 2005/03/28 10:47:52 darrenr Exp
- */
-
-#ifndef __IP_FIL_H__
-#define __IP_FIL_H__
-
-#ifndef SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCADAFR _IOW('r', 60, struct ipfobj)
-# define SIOCRMAFR _IOW('r', 61, struct ipfobj)
-# define SIOCSETFF _IOW('r', 62, u_int)
-# define SIOCGETFF _IOR('r', 63, u_int)
-# define SIOCGETFS _IOWR('r', 64, struct ipfobj)
-# define SIOCIPFFL _IOWR('r', 65, int)
-# define SIOCIPFFB _IOR('r', 66, int)
-# define SIOCADIFR _IOW('r', 67, struct ipfobj)
-# define SIOCRMIFR _IOW('r', 68, struct ipfobj)
-# define SIOCSWAPA _IOR('r', 69, u_int)
-# define SIOCINAFR _IOW('r', 70, struct ipfobj)
-# define SIOCINIFR _IOW('r', 71, struct ipfobj)
-# define SIOCFRENB _IOW('r', 72, u_int)
-# define SIOCFRSYN _IOW('r', 73, u_int)
-# define SIOCFRZST _IOWR('r', 74, struct ipfobj)
-# define SIOCZRLST _IOWR('r', 75, struct ipfobj)
-# define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
-# define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
-# define SIOCATHST _IOWR('r', 78, struct ipfobj)
-# define SIOCSTLCK _IOWR('r', 79, u_int)
-# define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
-# define SIOCSTGET _IOWR('r', 81, struct ipfobj)
-# define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
-# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
-# define SIOCSETLG _IOWR('r', 84, int)
-# define SIOCGETLG _IOWR('r', 85, int)
-# define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
-# define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
-# define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
-# define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
-# define SIOCIPFL6 _IOWR('r', 90, int)
-#else
-# define SIOCADAFR _IOW(r, 60, struct ipfobj)
-# define SIOCRMAFR _IOW(r, 61, struct ipfobj)
-# define SIOCSETFF _IOW(r, 62, u_int)
-# define SIOCGETFF _IOR(r, 63, u_int)
-# define SIOCGETFS _IOWR(r, 64, struct ipfobj)
-# define SIOCIPFFL _IOWR(r, 65, int)
-# define SIOCIPFFB _IOR(r, 66, int)
-# define SIOCADIFR _IOW(r, 67, struct ipfobj)
-# define SIOCRMIFR _IOW(r, 68, struct ipfobj)
-# define SIOCSWAPA _IOR(r, 69, u_int)
-# define SIOCINAFR _IOW(r, 70, struct ipfobj)
-# define SIOCINIFR _IOW(r, 71, struct ipfobj)
-# define SIOCFRENB _IOW(r, 72, u_int)
-# define SIOCFRSYN _IOW(r, 73, u_int)
-# define SIOCFRZST _IOWR(r, 74, struct ipfobj)
-# define SIOCZRLST _IOWR(r, 75, struct ipfobj)
-# define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
-# define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
-# define SIOCATHST _IOWR(r, 78, struct ipfobj)
-# define SIOCSTLCK _IOWR(r, 79, u_int)
-# define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
-# define SIOCSTGET _IOWR(r, 81, struct ipfobj)
-# define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
-# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
-# define SIOCSETLG _IOWR(r, 84, int)
-# define SIOCGETLG _IOWR(r, 85, int)
-# define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
-# define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
-# define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
-# define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
-# define SIOCIPFL6 _IOWR(r, 90, int)
-#endif
-#define SIOCADDFR SIOCADAFR
-#define SIOCDELFR SIOCRMAFR
-#define SIOCINSFR SIOCINAFR
-
-
-struct ipscan;
-struct ifnet;
-
-
-typedef int (* lookupfunc_t) __P((void *, int, void *));
-
-/*
- * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
- * as other types of objects, depending on its qualifier.
- */
-#ifdef USE_INET6
-typedef union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
- struct in6_addr in6;
- void *vptr[2];
- lookupfunc_t lptr[2];
-} i6addr_t;
-#else
-typedef union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
- void *vptr[2];
- lookupfunc_t lptr[2];
-} i6addr_t;
-#endif
-
-#define in4_addr in4.s_addr
-#define iplookupnum i6[0]
-#define iplookuptype i6[1]
-/*
- * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
- */
-#define iplookupptr vptr[0]
-#define iplookupfunc lptr[1]
-
-#define I60(x) (((i6addr_t *)(x))->i6[0])
-#define I61(x) (((i6addr_t *)(x))->i6[1])
-#define I62(x) (((i6addr_t *)(x))->i6[2])
-#define I63(x) (((i6addr_t *)(x))->i6[3])
-#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
-#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
-#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
-#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
-
-#define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
- (I61(a) == I61(b)) && (I60(a) == I60(b)))
-#define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
- (I61(a) != I61(b)) || (I60(a) != I60(b)))
-#define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
-#define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
-#define IP6_GT(a,b) (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
- (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
- (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
- HI63(a) > HI63(b)))))))
-#define IP6_LT(a,b) (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
- (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
- (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
- HI63(a) < HI63(b)))))))
-#define NLADD(n,x) htonl(ntohl(n) + (x))
-#define IP6_INC(a) \
- { i6addr_t *_i6 = (i6addr_t *)(a); \
- _i6->i6[0] = NLADD(_i6->i6[0], 1); \
- if (_i6->i6[0] == 0) { \
- _i6->i6[0] = NLADD(_i6->i6[1], 1); \
- if (_i6->i6[1] == 0) { \
- _i6->i6[0] = NLADD(_i6->i6[2], 1); \
- if (_i6->i6[2] == 0) { \
- _i6->i6[0] = NLADD(_i6->i6[3], 1); \
- } \
- } \
- } \
- }
-#define IP6_ADD(a,x,d) \
- { i6addr_t *_s = (i6addr_t *)(a); \
- i6addr_t *_d = (i6addr_t *)(d); \
- _d->i6[0] = NLADD(_s->i6[0], x); \
- if (ntohl(_d->i6[0]) < ntohl(_s->i6[0])) { \
- _d->i6[1] = NLADD(_d->i6[1], 1); \
- if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
- _d->i6[2] = NLADD(_d->i6[2], 1); \
- if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
- _d->i6[3] = NLADD(_d->i6[3], 1); \
- } \
- } \
- } \
- }
-#define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
- i6addr_t *_s2 = (i6addr_t *)(d); \
- i6addr_t *_d = (i6addr_t *)(d); \
- _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
- _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
- _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
- _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
- }
-#define IP6_MERGE(a,b,c) \
- { i6addr_t *_d, *_s1, *_s2; \
- _d = (i6addr_t *)(a); \
- _s1 = (i6addr_t *)(b); \
- _s2 = (i6addr_t *)(c); \
- _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
- _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
- _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
- _d->i6[2] |= _s1->i6[3] & ~_s2->i6[3]; \
- }
-
-
-typedef struct fr_ip {
- u_32_t fi_v:4; /* IP version */
- u_32_t fi_xx:4; /* spare */
- u_32_t fi_tos:8; /* IP packet TOS */
- u_32_t fi_ttl:8; /* IP packet TTL */
- u_32_t fi_p:8; /* IP packet protocol */
- u_32_t fi_optmsk; /* bitmask composed from IP options */
- i6addr_t fi_src; /* source address from packet */
- i6addr_t fi_dst; /* destination address from packet */
- u_short fi_secmsk; /* bitmask composed from IP security options */
- u_short fi_auth; /* authentication code from IP sec. options */
- u_32_t fi_flx; /* packet flags */
- u_32_t fi_tcpmsk; /* TCP options set/reset */
- u_32_t fi_res1; /* RESERVED */
-} fr_ip_t;
-
-/*
- * For use in fi_flx
- */
-#define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
-#define FI_OPTIONS 0x0002
-#define FI_FRAG 0x0004
-#define FI_SHORT 0x0008
-#define FI_NATED 0x0010
-#define FI_MULTICAST 0x0020
-#define FI_BROADCAST 0x0040
-#define FI_MBCAST 0x0080
-#define FI_STATE 0x0100
-#define FI_BADNAT 0x0200
-#define FI_BAD 0x0400
-#define FI_OOW 0x0800 /* Out of state window, else match */
-#define FI_ICMPERR 0x1000
-#define FI_FRAGBODY 0x2000
-#define FI_BADSRC 0x4000
-#define FI_LOWTTL 0x8000
-#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
-#define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
-#define FI_WITH 0xeffe /* Not FI_TCPUDP */
-#define FI_V6EXTHDR 0x10000
-#define FI_COALESCE 0x20000
-#define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
-#define FI_DONTCACHE 0x40000000 /* don't cache the result */
-#define FI_IGNORE 0x80000000
-
-#define fi_saddr fi_src.in4.s_addr
-#define fi_daddr fi_dst.in4.s_addr
-#define fi_srcnum fi_src.iplookupnum
-#define fi_dstnum fi_dst.iplookupnum
-#define fi_srctype fi_src.iplookuptype
-#define fi_dsttype fi_dst.iplookuptype
-#define fi_srcptr fi_src.iplookupptr
-#define fi_dstptr fi_dst.iplookupptr
-#define fi_srcfunc fi_src.iplookupfunc
-#define fi_dstfunc fi_dst.iplookupfunc
-
-
-/*
- * These are both used by the state and NAT code to indicate that one port or
- * the other should be treated as a wildcard.
- * NOTE: When updating, check bit masks in ip_state.h and update there too.
- */
-#define SI_W_SPORT 0x00000100
-#define SI_W_DPORT 0x00000200
-#define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
-#define SI_W_SADDR 0x00000400
-#define SI_W_DADDR 0x00000800
-#define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
-#define SI_NEWFR 0x00001000
-#define SI_CLONE 0x00002000
-#define SI_CLONED 0x00004000
-
-
-typedef struct fr_info {
- void *fin_ifp; /* interface packet is `on' */
- fr_ip_t fin_fi; /* IP Packet summary */
- union {
- u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
- u_32_t fid_32;
- } fin_dat;
- int fin_out; /* in or out ? 1 == out, 0 == in */
- int fin_rev; /* state only: 1 = reverse */
- u_short fin_hlen; /* length of IP header in bytes */
- u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
- u_char fin_icode; /* ICMP error to return */
- u_32_t fin_rule; /* rule # last matched */
- char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
- struct frentry *fin_fr; /* last matching rule */
- void *fin_dp; /* start of data past IP header */
- int fin_dlen; /* length of data portion of packet */
- int fin_plen;
- int fin_ipoff; /* # bytes from buffer start to hdr */
- u_short fin_id; /* IP packet id field */
- u_short fin_off;
- int fin_depth; /* Group nesting depth */
- int fin_error; /* Error code to return */
- void *fin_nat;
- void *fin_state;
- void *fin_nattag;
- ip_t *fin_ip;
- mb_t **fin_mp; /* pointer to pointer to mbuf */
- mb_t *fin_m; /* pointer to mbuf */
-#ifdef MENTAT
- mb_t *fin_qfm; /* pointer to mblk where pkt starts */
- void *fin_qpi;
-#endif
-#ifdef __sgi
- void *fin_hbuf;
-#endif
-} fr_info_t;
-
-#define fin_v fin_fi.fi_v
-#define fin_p fin_fi.fi_p
-#define fin_flx fin_fi.fi_flx
-#define fin_optmsk fin_fi.fi_optmsk
-#define fin_secmsk fin_fi.fi_secmsk
-#define fin_auth fin_fi.fi_auth
-#define fin_src fin_fi.fi_src.in4
-#define fin_src6 fin_fi.fi_src.in6
-#define fin_saddr fin_fi.fi_saddr
-#define fin_dst fin_fi.fi_dst.in4
-#define fin_dst6 fin_fi.fi_dst.in6
-#define fin_daddr fin_fi.fi_daddr
-#define fin_data fin_dat.fid_16
-#define fin_sport fin_dat.fid_16[0]
-#define fin_dport fin_dat.fid_16[1]
-#define fin_ports fin_dat.fid_32
-
-#define IPF_IN 0
-#define IPF_OUT 1
-
-typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
-typedef int (*ipfuncinit_t) __P((struct frentry *));
-
-typedef struct ipfunc_resolve {
- char ipfu_name[32];
- ipfunc_t ipfu_addr;
- ipfuncinit_t ipfu_init;
-} ipfunc_resolve_t;
-
-/*
- * Size for compares on fr_info structures
- */
-#define FI_CSIZE offsetof(fr_info_t, fin_icode)
-#define FI_LCSIZE offsetof(fr_info_t, fin_dp)
-
-/*
- * Size for copying cache fr_info structure
- */
-#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
-
-/*
- * Structure for holding IPFilter's tag information
- */
-#define IPFTAG_LEN 16
-typedef struct {
- union {
- u_32_t iptu_num[4];
- char iptu_tag[IPFTAG_LEN];
- } ipt_un;
- int ipt_not;
-} ipftag_t;
-
-#define ipt_tag ipt_un.iptu_tag
-#define ipt_num ipt_un.iptu_num
-
-
-/*
- * This structure is used to hold information about the next hop for where
- * to forward a packet.
- */
-typedef struct frdest {
- void *fd_ifp;
- i6addr_t fd_ip6;
- char fd_ifname[LIFNAMSIZ];
-} frdest_t;
-
-#define fd_ip fd_ip6.in4
-
-
-/*
- * This structure holds information about a port comparison.
- */
-typedef struct frpcmp {
- int frp_cmp; /* data for port comparisons */
- u_short frp_port; /* top port for <> and >< */
- u_short frp_top; /* top port for <> and >< */
-} frpcmp_t;
-
-#define FR_NONE 0
-#define FR_EQUAL 1
-#define FR_NEQUAL 2
-#define FR_LESST 3
-#define FR_GREATERT 4
-#define FR_LESSTE 5
-#define FR_GREATERTE 6
-#define FR_OUTRANGE 7
-#define FR_INRANGE 8
-#define FR_INCRANGE 9
-
-/*
- * Structure containing all the relevant TCP things that can be checked in
- * a filter rule.
- */
-typedef struct frtuc {
- u_char ftu_tcpfm; /* tcp flags mask */
- u_char ftu_tcpf; /* tcp flags */
- frpcmp_t ftu_src;
- frpcmp_t ftu_dst;
-} frtuc_t;
-
-#define ftu_scmp ftu_src.frp_cmp
-#define ftu_dcmp ftu_dst.frp_cmp
-#define ftu_sport ftu_src.frp_port
-#define ftu_dport ftu_dst.frp_port
-#define ftu_stop ftu_src.frp_top
-#define ftu_dtop ftu_dst.frp_top
-
-#define FR_TCPFMAX 0x3f
-
-/*
- * This structure makes up what is considered to be the IPFilter specific
- * matching components of a filter rule, as opposed to the data structures
- * used to define the result which are in frentry_t and not here.
- */
-typedef struct fripf {
- fr_ip_t fri_ip;
- fr_ip_t fri_mip; /* mask structure */
-
- u_short fri_icmpm; /* data for ICMP packets (mask) */
- u_short fri_icmp;
-
- frtuc_t fri_tuc;
- int fri_satype; /* addres type */
- int fri_datype; /* addres type */
- int fri_sifpidx; /* doing dynamic addressing */
- int fri_difpidx; /* index into fr_ifps[] to use when */
-} fripf_t;
-
-#define fri_dstnum fri_ip.fi_dstnum
-#define fri_srcnum fri_mip.fi_srcnum
-#define fri_dstptr fri_ip.fi_dstptr
-#define fri_srcptr fri_mip.fi_srcptr
-
-#define FRI_NORMAL 0 /* Normal address */
-#define FRI_DYNAMIC 1 /* dynamic address */
-#define FRI_LOOKUP 2 /* address is a pool # */
-#define FRI_RANGE 3 /* address/mask is a range */
-#define FRI_NETWORK 4 /* network address from if */
-#define FRI_BROADCAST 5 /* broadcast address from if */
-#define FRI_PEERADDR 6 /* Peer address for P-to-P */
-#define FRI_NETMASKED 7 /* network address with netmask from if */
-
-
-typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
-
-typedef struct frentry {
- ipfmutex_t fr_lock;
- struct frentry *fr_next;
- struct frentry **fr_grp;
- struct ipscan *fr_isc;
- void *fr_ifas[4];
- void *fr_ptr; /* for use with fr_arg */
- char *fr_comment; /* text comment for rule */
- int fr_ref; /* reference count - for grouping */
- int fr_statecnt; /* state count - for limit rules */
- /*
- * These are only incremented when a packet matches this rule and
- * it is the last match
- */
- U_QUAD_T fr_hits;
- U_QUAD_T fr_bytes;
-
- /*
- * For PPS rate limiting
- */
- struct timeval fr_lastpkt;
- int fr_curpps;
-
- union {
- void *fru_data;
- caddr_t fru_caddr;
- fripf_t *fru_ipf;
- frentfunc_t fru_func;
- } fr_dun;
-
- /*
- * Fields after this may not change whilst in the kernel.
- */
- ipfunc_t fr_func; /* call this function */
- int fr_dsize;
- int fr_pps;
- int fr_statemax; /* max reference count */
- int fr_flineno; /* line number from conf file */
- u_32_t fr_type;
- u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_32_t fr_logtag; /* user defined log tag # */
- u_32_t fr_collect; /* collection number */
- u_int fr_arg; /* misc. numeric arg for rule */
- u_int fr_loglevel; /* syslog log facility + priority */
- u_int fr_age[2]; /* non-TCP timeouts */
- u_char fr_v;
- u_char fr_icode; /* return ICMP code */
- char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
- char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
- ipftag_t fr_nattag;
- char fr_ifnames[4][LIFNAMSIZ];
- char fr_isctag[16];
- frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
- frdest_t fr_dif; /* duplicate packet interface */
- /*
- * This must be last and will change after loaded into the kernel.
- */
- u_int fr_cksum; /* checksum on filter rules for performance */
-} frentry_t;
-
-#define fr_caddr fr_dun.fru_caddr
-#define fr_data fr_dun.fru_data
-#define fr_dfunc fr_dun.fru_func
-#define fr_ipf fr_dun.fru_ipf
-#define fr_ip fr_ipf->fri_ip
-#define fr_mip fr_ipf->fri_mip
-#define fr_icmpm fr_ipf->fri_icmpm
-#define fr_icmp fr_ipf->fri_icmp
-#define fr_tuc fr_ipf->fri_tuc
-#define fr_satype fr_ipf->fri_satype
-#define fr_datype fr_ipf->fri_datype
-#define fr_sifpidx fr_ipf->fri_sifpidx
-#define fr_difpidx fr_ipf->fri_difpidx
-#define fr_proto fr_ip.fi_p
-#define fr_mproto fr_mip.fi_p
-#define fr_ttl fr_ip.fi_ttl
-#define fr_mttl fr_mip.fi_ttl
-#define fr_tos fr_ip.fi_tos
-#define fr_mtos fr_mip.fi_tos
-#define fr_tcpfm fr_tuc.ftu_tcpfm
-#define fr_tcpf fr_tuc.ftu_tcpf
-#define fr_scmp fr_tuc.ftu_scmp
-#define fr_dcmp fr_tuc.ftu_dcmp
-#define fr_dport fr_tuc.ftu_dport
-#define fr_sport fr_tuc.ftu_sport
-#define fr_stop fr_tuc.ftu_stop
-#define fr_dtop fr_tuc.ftu_dtop
-#define fr_dst fr_ip.fi_dst.in4
-#define fr_daddr fr_ip.fi_dst.in4.s_addr
-#define fr_src fr_ip.fi_src.in4
-#define fr_saddr fr_ip.fi_src.in4.s_addr
-#define fr_dmsk fr_mip.fi_dst.in4
-#define fr_dmask fr_mip.fi_dst.in4.s_addr
-#define fr_smsk fr_mip.fi_src.in4
-#define fr_smask fr_mip.fi_src.in4.s_addr
-#define fr_dstnum fr_ip.fi_dstnum
-#define fr_srcnum fr_ip.fi_srcnum
-#define fr_dsttype fr_ip.fi_dsttype
-#define fr_srctype fr_ip.fi_srctype
-#define fr_dstptr fr_mip.fi_dstptr
-#define fr_srcptr fr_mip.fi_srcptr
-#define fr_dstfunc fr_mip.fi_dstfunc
-#define fr_srcfunc fr_mip.fi_srcfunc
-#define fr_optbits fr_ip.fi_optmsk
-#define fr_optmask fr_mip.fi_optmsk
-#define fr_secbits fr_ip.fi_secmsk
-#define fr_secmask fr_mip.fi_secmsk
-#define fr_authbits fr_ip.fi_auth
-#define fr_authmask fr_mip.fi_auth
-#define fr_flx fr_ip.fi_flx
-#define fr_mflx fr_mip.fi_flx
-#define fr_ifname fr_ifnames[0]
-#define fr_oifname fr_ifnames[2]
-#define fr_ifa fr_ifas[0]
-#define fr_oifa fr_ifas[2]
-#define fr_tif fr_tifs[0]
-#define fr_rif fr_tifs[1]
-
-#define FR_NOLOGTAG 0
-
-#ifndef offsetof
-#define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-#define FR_CMPSIZ (sizeof(struct frentry) - \
- offsetof(struct frentry, fr_func))
-
-/*
- * fr_type
- */
-#define FR_T_NONE 0
-#define FR_T_IPF 1 /* IPF structures */
-#define FR_T_BPFOPC 2 /* BPF opcode */
-#define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
-#define FR_T_COMPIPF 4 /* compiled C code */
-#define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
-
-/*
- * fr_flags
- */
-#define FR_CALL 0x00000 /* call rule */
-#define FR_BLOCK 0x00001 /* do not allow packet to pass */
-#define FR_PASS 0x00002 /* allow packet to pass */
-#define FR_AUTH 0x00003 /* use authentication */
-#define FR_PREAUTH 0x00004 /* require preauthentication */
-#define FR_ACCOUNT 0x00005 /* Accounting rule */
-#define FR_SKIP 0x00006 /* skip rule */
-#define FR_DIVERT 0x00007 /* divert rule */
-#define FR_CMDMASK 0x0000f
-#define FR_LOG 0x00010 /* Log */
-#define FR_LOGB 0x00011 /* Log-fail */
-#define FR_LOGP 0x00012 /* Log-pass */
-#define FR_LOGMASK (FR_LOG|FR_CMDMASK)
-#define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
-#define FR_NOTSRCIP 0x00040
-#define FR_NOTDSTIP 0x00080
-#define FR_QUICK 0x00100 /* match & stop processing list */
-#define FR_KEEPFRAG 0x00200 /* keep fragment information */
-#define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
-#define FR_FASTROUTE 0x00800 /* bypass normal routing */
-#define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
-#define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
-#define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
-#define FR_OUTQUE 0x04000 /* outgoing packets */
-#define FR_INQUE 0x08000 /* ingoing packets */
-#define FR_LOGBODY 0x10000 /* Log the body */
-#define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
-#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
-#define FR_DUP 0x80000 /* duplicate packet */
-#define FR_FRSTRICT 0x100000 /* strict frag. cache */
-#define FR_STSTRICT 0x200000 /* strict keep state */
-#define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
-#define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
-#define FR_STATESYNC 0x1000000 /* synchronize state to slave */
-#define FR_NOMATCH 0x8000000 /* no match occured */
- /* 0x10000000 FF_LOGPASS */
- /* 0x20000000 FF_LOGBLOCK */
- /* 0x40000000 FF_LOGNOMATCH */
- /* 0x80000000 FF_BLOCKNONIP */
-#define FR_COPIED 0x40000000 /* copied from user space */
-#define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
-
-#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
-#define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
-#define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
-#define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
-#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
-#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
-#define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
-#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
-#define FR_INOUT (FR_INQUE|FR_OUTQUE)
-
-/*
- * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
- */
-#define FF_LOGPASS 0x10000000
-#define FF_LOGBLOCK 0x20000000
-#define FF_LOGNOMATCH 0x40000000
-#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
-#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
-
-
-/*
- * Structure that passes information on what/how to flush to the kernel.
- */
-typedef struct ipfflush {
- int ipflu_how;
- int ipflu_arg;
-} ipfflush_t;
-
-
-/*
- *
- */
-typedef struct ipfgetctl {
- u_int ipfg_min; /* min value */
- u_int ipfg_current; /* current value */
- u_int ipfg_max; /* max value */
- u_int ipfg_default; /* default value */
- u_int ipfg_steps; /* value increments */
- char ipfg_name[40]; /* tag name for this control */
-} ipfgetctl_t;
-
-typedef struct ipfsetctl {
- int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
- u_int ipfs_value; /* min value */
- char ipfs_name[40]; /* tag name for this control */
-} ipfsetctl_t;
-
-
-/*
- * Some of the statistics below are in their own counters, but most are kept
- * in this single structure so that they can all easily be collected and
- * copied back as required.
- */
-typedef struct filterstats {
- u_long fr_pass; /* packets allowed */
- u_long fr_block; /* packets denied */
- u_long fr_nom; /* packets which don't match any rule */
- u_long fr_short; /* packets which are short */
- u_long fr_ppkl; /* packets allowed and logged */
- u_long fr_bpkl; /* packets denied and logged */
- u_long fr_npkl; /* packets unmatched and logged */
- u_long fr_pkl; /* packets logged */
- u_long fr_skip; /* packets to be logged but buffer full */
- u_long fr_ret; /* packets for which a return is sent */
- u_long fr_acct; /* packets for which counting was performed */
- u_long fr_bnfr; /* bad attempts to allocate fragment state */
- u_long fr_nfr; /* new fragment state kept */
- u_long fr_cfr; /* add new fragment state but complete pkt */
- u_long fr_bads; /* bad attempts to allocate packet state */
- u_long fr_ads; /* new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_tcpbad; /* TCP checksum check failures */
- u_long fr_pull[2]; /* good and bad pullup attempts */
- u_long fr_badsrc; /* source received doesn't match route */
- u_long fr_badttl; /* TTL in packet doesn't reach minimum */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_ipv6; /* IPv6 packets in/out */
- u_long fr_ppshit; /* dropped because of pps ceiling */
- u_long fr_ipud; /* IP id update failures */
-} filterstats_t;
-
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_32_t ipl_magic;
- u_int ipl_count;
- struct timeval ipl_time;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-#define ipl_sec ipl_time.tv_sec
-#define ipl_usec ipl_time.tv_usec
-
-#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
-#define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
-#define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
-#define IPLOG_SIZE sizeof(iplog_t)
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
-#else
- u_int fl_unit;
-#endif
- u_32_t fl_rule;
- u_32_t fl_flags;
- u_32_t fl_lflags;
- u_32_t fl_logtag;
- ipftag_t fl_nattag;
- u_short fl_plen; /* extra data after hlen */
- u_short fl_loglevel; /* syslog log level */
- char fl_group[FR_GROUPLEN];
- u_char fl_hlen; /* length of IP headers saved */
- u_char fl_dir;
- u_char fl_xxx[2]; /* pad */
- char fl_ifname[LIFNAMSIZ];
-} ipflog_t;
-
-#ifndef IPF_LOGGING
-# define IPF_LOGGING 0
-#endif
-#ifndef IPF_DEFAULT_PASS
-# define IPF_DEFAULT_PASS FR_PASS
-#endif
-
-#define DEFAULT_IPFLOGSIZE 8192
-#ifndef IPFILTER_LOGSIZE
-# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
-#else
-# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
-# error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
-# endif
-#endif
-
-#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
-
-/*
- * Device filenames for reading log information. Use ipf on Solaris2 because
- * ipl is already a name used by something else.
- */
-#ifndef IPL_NAME
-# if SOLARIS
-# define IPL_NAME "/dev/ipf"
-# else
-# define IPL_NAME "/dev/ipl"
-# endif
-#endif
-/*
- * Pathnames for various IP Filter control devices. Used by LKM
- * and userland, so defined here.
- */
-#define IPNAT_NAME "/dev/ipnat"
-#define IPSTATE_NAME "/dev/ipstate"
-#define IPAUTH_NAME "/dev/ipauth"
-#define IPSYNC_NAME "/dev/ipsync"
-#define IPSCAN_NAME "/dev/ipscan"
-#define IPLOOKUP_NAME "/dev/iplookup"
-
-#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
-#define IPL_LOGNAT 1
-#define IPL_LOGSTATE 2
-#define IPL_LOGAUTH 3
-#define IPL_LOGSYNC 4
-#define IPL_LOGSCAN 5
-#define IPL_LOGLOOKUP 6
-#define IPL_LOGCOUNT 7
-#define IPL_LOGMAX 7
-#define IPL_LOGSIZE IPL_LOGMAX + 1
-#define IPL_LOGALL -1
-#define IPL_LOGNONE -2
-
-/*
- * For SIOCGETFS
- */
-typedef struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_ipf[2][2];
- struct frentry *f_acct[2][2];
- struct frentry *f_ipf6[2][2];
- struct frentry *f_acct6[2][2];
- struct frentry *f_auth;
- struct frgroup *f_groups[IPL_LOGSIZE][2];
- u_long f_froute[2];
- u_long f_ticks;
- int f_locks[IPL_LOGMAX];
- size_t f_kmutex_sz;
- size_t f_krwlock_sz;
- int f_defpass; /* default pass - from fr_pass */
- int f_active; /* 1 or 0 - active rule set */
- int f_running; /* 1 if running, else 0 */
- int f_logging; /* 1 if enabled, else 0 */
- int f_features;
- char f_version[32]; /* version string */
-} friostat_t;
-
-#define f_fin f_ipf[0]
-#define f_fin6 f_ipf6[0]
-#define f_fout f_ipf[1]
-#define f_fout6 f_ipf6[1]
-#define f_acctin f_acct[0]
-#define f_acctin6 f_acct6[0]
-#define f_acctout f_acct[1]
-#define f_acctout6 f_acct6[1]
-
-#define IPF_FEAT_LKM 0x001
-#define IPF_FEAT_LOG 0x002
-#define IPF_FEAT_LOOKUP 0x004
-#define IPF_FEAT_BPF 0x008
-#define IPF_FEAT_COMPILED 0x010
-#define IPF_FEAT_CKSUM 0x020
-#define IPF_FEAT_SYNC 0x040
-#define IPF_FEAT_SCAN 0x080
-#define IPF_FEAT_IPV6 0x100
-
-typedef struct optlist {
- u_short ol_val;
- int ol_bit;
-} optlist_t;
-
-
-/*
- * Group list structure.
- */
-typedef struct frgroup {
- struct frgroup *fg_next;
- struct frentry *fg_head;
- struct frentry *fg_start;
- u_32_t fg_flags;
- int fg_ref;
- char fg_name[FR_GROUPLEN];
-} frgroup_t;
-
-#define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
-
-
-/*
- * Used by state and NAT tables
- */
-typedef struct icmpinfo {
- u_short ici_id;
- u_short ici_seq;
- u_char ici_type;
-} icmpinfo_t;
-
-typedef struct udpinfo {
- u_short us_sport;
- u_short us_dport;
-} udpinfo_t;
-
-
-typedef struct tcpdata {
- u_32_t td_end;
- u_32_t td_maxend;
- u_32_t td_maxwin;
- u_32_t td_winscale;
- u_32_t td_maxseg;
- int td_winflags;
-} tcpdata_t;
-
-#define TCP_WSCALE_MAX 14
-
-#define TCP_WSCALE_SEEN 0x00000001
-#define TCP_WSCALE_FIRST 0x00000002
-
-
-typedef struct tcpinfo {
- u_short ts_sport;
- u_short ts_dport;
- tcpdata_t ts_data[2];
-} tcpinfo_t;
-
-
-struct grebits {
- u_32_t grb_C:1;
- u_32_t grb_R:1;
- u_32_t grb_K:1;
- u_32_t grb_S:1;
- u_32_t grb_s:1;
- u_32_t grb_recur:1;
- u_32_t grb_A:1;
- u_32_t grb_flags:3;
- u_32_t grb_ver:3;
- u_short grb_ptype;
-};
-
-typedef struct grehdr {
- union {
- struct grebits gru_bits;
- u_short gru_flags;
- } gr_un;
- u_short gr_len;
- u_short gr_call;
-} grehdr_t;
-
-#define gr_flags gr_un.gru_flags
-#define gr_bits gr_un.gru_bits
-#define gr_ptype gr_bits.grb_ptype
-#define gr_C gr_bits.grb_C
-#define gr_R gr_bits.grb_R
-#define gr_K gr_bits.grb_K
-#define gr_S gr_bits.grb_S
-#define gr_s gr_bits.grb_s
-#define gr_recur gr_bits.grb_recur
-#define gr_A gr_bits.grb_A
-#define gr_ver gr_bits.grb_ver
-
-
-typedef struct greinfo {
- u_short gs_call[2];
- u_short gs_flags;
- u_short gs_ptype;
-} greinfo_t;
-
-#define GRE_REV(x) ((ntohs(x) >> 13) & 7)
-
-
-/*
- * Timeout tail queue list member
- */
-typedef struct ipftqent {
- struct ipftqent **tqe_pnext;
- struct ipftqent *tqe_next;
- struct ipftq *tqe_ifq;
- void *tqe_parent; /* pointer back to NAT/state struct */
- u_long tqe_die; /* when this entriy is to die */
- u_long tqe_touched;
- int tqe_flags;
- int tqe_state[2]; /* current state of this entry */
-} ipftqent_t;
-
-#define TQE_RULEBASED 0x00000001
-
-
-/*
- * Timeout tail queue head for IPFilter
- */
-typedef struct ipftq {
- ipfmutex_t ifq_lock;
- u_int ifq_ttl;
- ipftqent_t *ifq_head;
- ipftqent_t **ifq_tail;
- struct ipftq *ifq_next;
- struct ipftq **ifq_pnext;
- int ifq_ref;
- u_int ifq_flags;
-} ipftq_t;
-
-#define IFQF_USER 0x01 /* User defined aging */
-#define IFQF_DELETE 0x02 /* Marked for deletion */
-#define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */
-
-#define IPF_HZ_MULT 1
-#define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
- /* checks its timeout queues. */
-#define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
-
-/*
- * Structure to define address for pool lookups.
- */
-typedef struct {
- u_char adf_len;
- i6addr_t adf_addr;
-} addrfamily_t;
-
-
-/*
- * Object structure description. For passing through in ioctls.
- */
-typedef struct ipfobj {
- u_32_t ipfo_rev; /* IPFilter version number */
- u_32_t ipfo_size; /* size of object at ipfo_ptr */
- void *ipfo_ptr; /* pointer to object */
- int ipfo_type; /* type of object being pointed to */
- int ipfo_offset; /* bytes from ipfo_ptr where to start */
- u_char ipfo_xxxpad[32]; /* reserved for future use */
-} ipfobj_t;
-
-#define IPFOBJ_FRENTRY 0 /* struct frentry */
-#define IPFOBJ_IPFSTAT 1 /* struct friostat */
-#define IPFOBJ_IPFINFO 2 /* struct fr_info */
-#define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
-#define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
-#define IPFOBJ_IPNAT 5 /* struct ipnat */
-#define IPFOBJ_NATSTAT 6 /* struct natstat */
-#define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
-#define IPFOBJ_NATSAVE 8 /* struct nat_save */
-#define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
-#define IPFOBJ_IPSTATE 10 /* struct ipstate */
-#define IPFOBJ_STATESTAT 11 /* struct ips_stat */
-#define IPFOBJ_FRAUTH 12 /* struct frauth */
-#define IPFOBJ_TUNEABLE 13 /* struct ipftune */
-
-
-typedef union ipftunevalptr {
- void *ipftp_void;
- u_long *ipftp_long;
- u_int *ipftp_int;
- u_short *ipftp_short;
- u_char *ipftp_char;
-} ipftunevalptr_t;
-
-typedef struct ipftuneable {
- ipftunevalptr_t ipft_una;
- char *ipft_name;
- u_long ipft_min;
- u_long ipft_max;
- int ipft_sz;
- int ipft_flags;
- struct ipftuneable *ipft_next;
-} ipftuneable_t;
-
-#define ipft_addr ipft_una.ipftp_void
-#define ipft_plong ipft_una.ipftp_long
-#define ipft_pint ipft_una.ipftp_int
-#define ipft_pshort ipft_una.ipftp_short
-#define ipft_pchar ipft_una.ipftp_char
-
-#define IPFT_RDONLY 1 /* read-only */
-#define IPFT_WRDISABLED 2 /* write when disabled only */
-
-typedef union ipftuneval {
- u_long ipftu_long;
- u_int ipftu_int;
- u_short ipftu_short;
- u_char ipftu_char;
-} ipftuneval_t;
-
-typedef struct ipftune {
- void *ipft_cookie;
- ipftuneval_t ipft_un;
- u_long ipft_min;
- u_long ipft_max;
- int ipft_sz;
- int ipft_flags;
- char ipft_name[80];
-} ipftune_t;
-
-#define ipft_vlong ipft_un.ipftu_long
-#define ipft_vint ipft_un.ipftu_int
-#define ipft_vshort ipft_un.ipftu_short
-#define ipft_vchar ipft_un.ipftu_char
-
-
-/*
-** HPUX Port
-*/
-#ifdef __hpux
-/* HP-UX locking sequence deadlock detection module lock MAJOR ID */
-# define IPF_SMAJ 0 /* temp assignment XXX, not critical */
-#endif
-
-#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
- (__FreeBSD_version >= 220000)
-# define CDEV_MAJOR 79
-#endif
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods in non-IP Filter code
- * with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
-# if (NetBSD >= 199905)
-# define PFIL_HOOKS
-# endif
-# ifdef PFIL_HOOKS
-# define NETBSD_PF
-# endif
-#endif
-
-#ifndef _KERNEL
-extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int ipf_log __P((void));
-extern struct ifnet *get_unit __P((char *, int));
-extern char *get_ifname __P((struct ifnet *));
-# if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
-# else
-extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
-# endif
-extern int iplopen __P((dev_t, int));
-extern int iplclose __P((dev_t, int));
-extern void m_freem __P((mb_t *));
-#else /* #ifndef _KERNEL */
-# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-extern void ipfilterattach __P((int));
-# endif
-extern int ipl_enable __P((void));
-extern int ipl_disable __P((void));
-# ifdef MENTAT
-extern int fr_check __P((struct ip *, int, void *, int, void *,
- mblk_t **));
-# if SOLARIS
-# if SOLARIS2 >= 7
-extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
-# else
-extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
-# endif
-extern int iplopen __P((dev_t *, int, int, cred_t *));
-extern int iplclose __P((dev_t, int, int, cred_t *));
-extern int iplread __P((dev_t, uio_t *, cred_t *));
-extern int iplwrite __P((dev_t, uio_t *, cred_t *));
-# endif
-# ifdef __hpux
-extern int iplopen __P((dev_t, int, intptr_t, int));
-extern int iplclose __P((dev_t, int, int));
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-extern int iplread __P((dev_t, uio_t *));
-extern int iplwrite __P((dev_t, uio_t *));
-extern int iplselect __P((dev_t, int));
-# endif
-extern int ipfsync __P((void));
-extern int fr_qout __P((queue_t *, mblk_t *));
-# else /* MENTAT */
-extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern size_t mbufchainlen __P((mb_t *));
-# ifdef __sgi
-# include <sys/cred.h>
-extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
-extern int iplopen __P((dev_t *, int, int, cred_t *));
-extern int iplclose __P((dev_t, int, int, cred_t *));
-extern int iplread __P((dev_t, uio_t *, cred_t *));
-extern int iplwrite __P((dev_t, uio_t *, cred_t *));
-extern int ipfsync __P((void));
-extern int ipfilter_sgi_attach __P((void));
-extern void ipfilter_sgi_detach __P((void));
-extern void ipfilter_sgi_intfsync __P((void));
-# else
-# ifdef IPFILTER_LKM
-extern int iplidentify __P((char *));
-# endif
-# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
- (NetBSD >= 199511) || defined(__OpenBSD__)
-# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
- defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
-# if (__FreeBSD_version >= 500024)
-# if (__FreeBSD_version >= 502116)
-extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
-# else
-extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
-# endif /* __FreeBSD_version >= 502116 */
-# else
-extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
-# endif /* __FreeBSD_version >= 500024 */
-# else
-extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
-# endif
-# if (__FreeBSD_version >= 500024)
-# if (__FreeBSD_version >= 502116)
-extern int iplopen __P((struct cdev*, int, int, struct thread *));
-extern int iplclose __P((struct cdev*, int, int, struct thread *));
-# else
-extern int iplopen __P((dev_t, int, int, struct thread *));
-extern int iplclose __P((dev_t, int, int, struct thread *));
-# endif /* __FreeBSD_version >= 502116 */
-# else
-extern int iplopen __P((dev_t, int, int, struct proc *));
-extern int iplclose __P((dev_t, int, int, struct proc *));
-# endif /* __FreeBSD_version >= 500024 */
-# else
-# ifdef linux
-extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
-# else
-extern int iplopen __P((dev_t, int));
-extern int iplclose __P((dev_t, int));
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-# endif
-# endif /* (_BSDI_VERSION >= 199510) */
-# if BSD >= 199306
-# if (__FreeBSD_version >= 502116)
-extern int iplread __P((struct cdev*, struct uio *, int));
-extern int iplwrite __P((struct cdev*, struct uio *, int));
-# else
-extern int iplread __P((dev_t, struct uio *, int));
-extern int iplwrite __P((dev_t, struct uio *, int));
-# endif /* __FreeBSD_version >= 502116 */
-# else
-# ifndef linux
-extern int iplread __P((dev_t, struct uio *));
-extern int iplwrite __P((dev_t, struct uio *));
-# endif
-# endif /* BSD >= 199306 */
-# endif /* __ sgi */
-# endif /* MENTAT */
-
-#endif /* #ifndef _KERNEL */
-
-extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
-extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
-extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
-extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-
-extern char *memstr __P((char *, char *, int, int));
-extern int count4bits __P((u_32_t));
-extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
-extern char *getifname __P((struct ifnet *));
-extern int iplattach __P((void));
-extern int ipldetach __P((void));
-extern u_short ipf_cksum __P((u_short *, int));
-extern int copyinptr __P((void *, void *, size_t));
-extern int copyoutptr __P((void *, void *, size_t));
-extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
-extern int fr_inobj __P((void *, void *, int));
-extern int fr_inobjsz __P((void *, void *, int, int));
-extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
-extern int fr_ipftune __P((ioctlcmd_t, void *));
-extern int fr_outobj __P((void *, void *, int));
-extern int fr_outobjsz __P((void *, void *, int, int));
-extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
-extern void fr_resolvedest __P((struct frdest *, int));
-extern int fr_resolvefunc __P((void *));
-extern void *fr_resolvenic __P((char *, int));
-extern int fr_send_icmp_err __P((int, fr_info_t *, int));
-extern int fr_send_reset __P((fr_info_t *));
-#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
-extern int ppsratecheck __P((struct timeval *, int *, int));
-#endif
-extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
-extern void fr_deletequeueentry __P((ipftqent_t *));
-extern int fr_deletetimeoutqueue __P((ipftq_t *));
-extern void fr_freetimeoutqueue __P((ipftq_t *));
-extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
-extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
-extern void fr_queueback __P((ipftqent_t *));
-extern void fr_queuefront __P((ipftqent_t *));
-extern void fr_checkv4sum __P((fr_info_t *));
-extern int fr_checkl4sum __P((fr_info_t *));
-extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
- struct sockaddr_in *, struct in_addr *,
- struct in_addr *));
-extern int fr_coalesce __P((fr_info_t *));
-#ifdef USE_INET6
-extern void fr_checkv6sum __P((fr_info_t *));
-extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
- struct sockaddr_in6 *, struct in_addr *,
- struct in_addr *));
-#endif
-
-extern int fr_addipftune __P((ipftuneable_t *));
-extern int fr_delipftune __P((ipftuneable_t *));
-
-extern int frflush __P((minor_t, int, int));
-extern void frsync __P((void *));
-extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
-extern int fr_derefrule __P((frentry_t **));
-extern void fr_delgroup __P((char *, minor_t, int));
-extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
-
-extern int fr_loginit __P((void));
-extern int ipflog_clear __P((minor_t));
-extern int ipflog_read __P((minor_t, uio_t *));
-extern int ipflog __P((fr_info_t *, u_int));
-extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
-extern void fr_logunload __P((void));
-
-extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
-extern int fr_copytolog __P((int, char *, int));
-extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
-extern void fr_deinitialise __P((void));
-extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
-extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
-extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
-extern void fr_forgetifp __P((void *));
-extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
-extern void fr_getstat __P((struct friostat *));
-extern int fr_icmp4errortype __P((int));
-extern int fr_ifpaddr __P((int, int, void *,
- struct in_addr *, struct in_addr *));
-extern int fr_initialise __P((void));
-extern void fr_lock __P((caddr_t, int *));
-extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
-extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
-extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
- struct icmp *, int));
-extern u_32_t fr_newisn __P((fr_info_t *));
-extern u_short fr_nextipid __P((fr_info_t *));
-extern int fr_rulen __P((int, frentry_t *));
-extern int fr_scanlist __P((fr_info_t *, u_32_t));
-extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
-extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
-extern int fr_verifysrc __P((fr_info_t *fin));
-extern int fr_zerostats __P((char *));
-
-extern int fr_running;
-extern u_long fr_frouteok[2];
-extern int fr_pass;
-extern int fr_flags;
-extern int fr_active;
-extern int fr_chksrc;
-extern int fr_minttl;
-extern int fr_refcnt;
-extern int fr_control_forwarding;
-extern int fr_update_ipid;
-extern int nat_logging;
-extern int ipstate_logging;
-extern int ipl_suppress;
-extern int ipl_buffer_sz;
-extern int ipl_logmax;
-extern int ipl_logall;
-extern int ipl_logsize;
-extern u_long fr_ticks;
-extern fr_info_t frcache[2][8];
-extern char ipfilter_version[];
-extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-extern int iplused[IPL_LOGMAX + 1];
-extern struct frentry *ipfilter[2][2], *ipacct[2][2];
-#ifdef USE_INET6
-extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
-extern int icmptoicmp6types[ICMP_MAXTYPE+1];
-extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
-extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
-#endif
-extern int icmpreplytype4[ICMP_MAXTYPE + 1];
-extern struct frgroup *ipfgroups[IPL_LOGSIZE][2];
-extern struct filterstats frstats[];
-extern frentry_t *ipfrule_match __P((fr_info_t *));
-extern u_char ipf_iss_secret[32];
-extern ipftuneable_t ipf_tuneables[];
-
-#endif /* __IP_FIL_H__ */
diff --git a/contrib/ipfilter/ip_fil_freebsd.c b/contrib/ipfilter/ip_fil_freebsd.c
deleted file mode 100644
index 3b36b93..0000000
--- a/contrib/ipfilter/ip_fil_freebsd.c
+++ /dev/null
@@ -1,1692 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_fil_freebsd.c,v 2.53.2.25 2005/02/01 03:15:56 darrenr Exp";
-#endif
-
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
- !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
-# include "opt_inet6.h"
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 440000) && \
- !defined(KLD_MODULE) && !defined(IPFILTER_LKM)
-# include "opt_random_ip_id.h"
-#endif
-#include <sys/param.h>
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if defined(IPFILTER_LKM)
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# endif
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/file.h>
-#if __FreeBSD_version >= 220000
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#include <sys/systm.h>
-#if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-#else
-# include <sys/dir.h>
-#endif
-#if !defined(__hpux)
-# include <sys/mbuf.h>
-#endif
-#include <sys/protosw.h>
-#include <sys/socket.h>
-
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_var.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#if defined(__osf__)
-# include <netinet/tcp_timer.h>
-#endif
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#ifndef _KERNEL
-# include "netinet/ipf.h"
-#endif
-#include "netinet/ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#ifdef IPFILTER_SCAN
-#include "netinet/ip_scan.h"
-#endif
-#include "netinet/ip_pool.h"
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#include <sys/kernel.h>
-#ifdef CSUM_DATA_VALID
-#include <machine/in_cksum.h>
-#endif
-extern int ip_optcopy __P((struct ip *, struct ip *));
-
-#if (__FreeBSD_version > 460000)
-extern int path_mtu_discovery;
-#endif
-
-# ifdef IPFILTER_M_IPFILTER
-MALLOC_DEFINE(M_IPFILTER, "IP Filter", "IP Filter packet filter data structures");
-# endif
-
-
-#if !defined(__osf__)
-extern struct protosw inetsw[];
-#endif
-
-static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
-static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
-# ifdef USE_MUTEXES
-ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
-ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
-ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag;
-ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-# endif
-int ipf_locks_done = 0;
-
-#if (__FreeBSD_version >= 300000)
-struct callout_handle fr_slowtimer_ch;
-#endif
-
-#if (__FreeBSD_version >= 500011)
-# include <sys/conf.h>
-# if defined(NETBSD_PF)
-# include <net/pfil.h>
-# include <netinet/ipprotosw.h>
-/*
- * We provide the fr_checkp name just to minimize changes later.
- */
-int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
-# endif /* NETBSD_PF */
-#endif /* __FreeBSD_version >= 500011 */
-
-
-#if (__FreeBSD_version >= 501108) && defined(_KERNEL)
-
-static int
-fr_check_wrapper(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
-{
- struct ip *ip = mtod(*mp, struct ip *);
- return fr_check(ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp);
-}
-
-# ifdef USE_INET6
-# include <netinet/ip6.h>
-
-static int
-fr_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir)
-{
- return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
- ifp, (dir == PFIL_OUT), mp));
-}
-# endif
-#endif /* __FreeBSD_version >= 501108 */
-#if defined(IPFILTER_LKM)
-int iplidentify(s)
-char *s;
-{
- if (strcmp(s, "ipl") == 0)
- return 1;
- return 0;
-}
-#endif /* IPFILTER_LKM */
-
-
-int iplattach()
-{
-#ifdef USE_SPL
- int s;
-#endif
-#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
- int error = 0;
-# if __FreeBSD_version >= 501108
- struct pfil_head *ph_inet;
-# ifdef USE_INET6
- struct pfil_head *ph_inet6;
-# endif
-# endif
-#endif
-
- SPL_NET(s);
- if (fr_running > 0) {
- SPL_X(s);
- return EBUSY;
- }
-
- MUTEX_INIT(&ipf_rw, "ipf rw mutex");
- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout queue mutex");
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- ipf_locks_done = 1;
-
- if (fr_initialise() < 0) {
- SPL_X(s);
- return EIO;
- }
-
-
-# ifdef NETBSD_PF
-# if __FreeBSD_version >= 500011
-# if __FreeBSD_version >= 501108
- ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
-# ifdef USE_INET6
- ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
-# endif
- if (ph_inet == NULL
-# ifdef USE_INET6
- && ph_inet6 == NULL
-# endif
- )
- return ENODEV;
-
- if (ph_inet != NULL)
- error = pfil_add_hook((void *)fr_check_wrapper, NULL,
- PFIL_IN|PFIL_OUT, ph_inet);
- else
- error = 0;
-# else
- error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-# endif
- if (error) {
-# ifdef USE_INET6
- goto pfil_error;
-# else
- fr_deinitialise();
- SPL_X(s);
- return error;
-# endif
- }
-# else
- pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-# endif
-# ifdef USE_INET6
-# if __FreeBSD_version >= 501108
- if (ph_inet6 != NULL)
- error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
- PFIL_IN|PFIL_OUT, ph_inet6);
- else
- error = 0;
- if (error) {
- pfil_remove_hook((void *)fr_check_wrapper6, NULL,
- PFIL_IN|PFIL_OUT, ph_inet6);
-# else
- error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
- if (error) {
- pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-# endif
-pfil_error:
- fr_deinitialise();
- SPL_X(s);
- return error;
- }
-# endif
-# endif
- if (fr_checkp != fr_check) {
- fr_savep = fr_checkp;
- fr_checkp = fr_check;
- }
-
- bzero((char *)frcache, sizeof(frcache));
- fr_running = 1;
-
- if (fr_control_forwarding & 1)
- ipforwarding = 1;
-
- SPL_X(s);
-#if (__FreeBSD_version >= 300000)
- fr_slowtimer_ch = timeout(fr_slowtimer, NULL,
- (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
-#else
- timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
-#endif
- return 0;
-}
-
-
-/*
- * Disable the filter by removing the hooks from the IP input/output
- * stream.
- */
-int ipldetach()
-{
-#ifdef USE_SPL
- int s;
-#endif
-#if defined(NETBSD_PF) && (__FreeBSD_version >= 500011)
- int error = 0;
-# if __FreeBSD_version >= 501108
- struct pfil_head *ph_inet;
-# ifdef USE_INET6
- struct pfil_head *ph_inet6;
-# endif
-# endif
-#endif
-
- if (fr_control_forwarding & 2)
- ipforwarding = 0;
-
- SPL_NET(s);
-
-#if (__FreeBSD_version >= 300000)
- if (fr_slowtimer_ch.callout != NULL)
- untimeout(fr_slowtimer, NULL, fr_slowtimer_ch);
- bzero(&fr_slowtimer_ch, sizeof(fr_slowtimer_ch));
-#else
- untimeout(fr_slowtimer, NULL);
-#endif /* FreeBSD */
-
-#ifndef NETBSD_PF
- if (fr_checkp != NULL)
- fr_checkp = fr_savep;
- fr_savep = NULL;
-#endif
-
-#ifdef NETBSD_PF
-# if (__FreeBSD_version >= 500011)
-# if (__FreeBSD_version >= 501108)
- ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
- if (ph_inet != NULL)
- error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
- PFIL_IN|PFIL_OUT, ph_inet);
- else
- error = 0;
-# else
- error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-# endif
- if (error) {
- SPL_X(s);
- return error;
- }
-# else
- pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-# endif
-# ifdef USE_INET6
-# if (__FreeBSD_version >= 501108)
- ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
- if (ph_inet6 != NULL)
- error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
- PFIL_IN|PFIL_OUT, ph_inet6);
- else
- error = 0;
-# else
- error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
-# endif
- if (error) {
- SPL_X(s);
- return error;
- }
-# endif
-#endif
- fr_deinitialise();
-
- fr_running = -2;
-
- (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- (void) frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
-
- if (ipf_locks_done == 1) {
- MUTEX_DESTROY(&ipf_timeoutlock);
- MUTEX_DESTROY(&ipf_rw);
- RW_DESTROY(&ipf_mutex);
- RW_DESTROY(&ipf_ipidfrag);
- RW_DESTROY(&ipf_global);
- ipf_locks_done = 0;
- }
-
- SPL_X(s);
-
- return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-int iplioctl(dev, cmd, data, mode
-# if defined(_KERNEL) && ((BSD >= 199506) || (__FreeBSD_version >= 220000))
-, p)
-# if (__FreeBSD_version >= 500024)
-struct thread *p;
-# else
-struct proc *p;
-# endif /* __FreeBSD_version >= 500024 */
-# else
-)
-# endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
-struct cdev *dev;
-#else
-dev_t dev;
-#endif
-ioctlcmd_t cmd;
-caddr_t data;
-int mode;
-{
-#ifdef USE_SPL
- int s;
-#endif
- int error = 0, unit = 0, tmp;
- friostat_t fio;
-
-#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel >= 2) && (mode & FWRITE))
- return EPERM;
-#endif
-
- unit = GET_MINOR(dev);
- if ((IPL_LOGMAX < unit) || (unit < 0))
- return ENXIO;
-
- if (fr_running <= 0) {
- if (unit != IPL_LOGIPF)
- return EIO;
- if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET &&
- cmd != SIOCIPFSET && cmd != SIOCFRENB &&
- cmd != SIOCGETFS && cmd != SIOCGETFF)
- return EIO;
- }
-
- SPL_NET(s);
-
- error = fr_ioctlswitch(unit, data, cmd, mode);
- if (error != -1) {
- SPL_X(s);
- return error;
- }
- error = 0;
-
- switch (cmd)
- {
- case FIONREAD :
-#ifdef IPFILTER_LOG
- BCOPYOUT(&iplused[IPL_LOGIPF], (caddr_t)data,
- sizeof(iplused[IPL_LOGIPF]));
-#endif
- break;
- case SIOCFRENB :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- BCOPYIN(data, &tmp, sizeof(tmp));
- if (tmp) {
- if (fr_running > 0)
- error = 0;
- else
- error = iplattach();
- if (error == 0)
- fr_running = 1;
- else
- (void) ipldetach();
- } else {
- error = ipldetach();
- if (error == 0)
- fr_running = -1;
- }
- }
- break;
- case SIOCIPFSET :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- case SIOCIPFGETNEXT :
- case SIOCIPFGET :
- error = fr_ipftune(cmd, data);
- break;
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- BCOPYIN(data, &fr_flags, sizeof(fr_flags));
- break;
- case SIOCGETFF :
- BCOPYOUT(&fr_flags, data, sizeof(fr_flags));
- break;
- case SIOCFUNCL :
- error = fr_resolvefunc(data);
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, fr_active, 1);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, 1 - fr_active, 1);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- *(u_int *)data = fr_active;
- fr_active = 1 - fr_active;
- }
- break;
- case SIOCGETFS :
- fr_getstat(&fio);
- error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT);
- break;
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = fr_zerostats(data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- BCOPYIN(data, &tmp, sizeof(tmp));
- tmp = frflush(unit, 4, tmp);
- BCOPYOUT(&tmp, data, sizeof(tmp));
- }
- break;
-#ifdef USE_INET6
- case SIOCIPFL6 :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- BCOPYIN(data, &tmp, sizeof(tmp));
- tmp = frflush(unit, 6, tmp);
- BCOPYOUT(&tmp, data, sizeof(tmp));
- }
- break;
-#endif
- case SIOCSTLCK :
- BCOPYIN(data, &tmp, sizeof(tmp));
- fr_state_lock = tmp;
- fr_nat_lock = tmp;
- fr_frag_lock = tmp;
- fr_auth_lock = tmp;
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- *(int *)data = ipflog_clear(unit);
- break;
-#endif /* IPFILTER_LOG */
- case SIOCGFRST :
- error = fr_outobj(data, fr_fragstats(), IPFOBJ_FRAGSTAT);
- break;
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- frsync(NULL);
- }
- break;
- default :
- error = EINVAL;
- break;
- }
- SPL_X(s);
- return error;
-}
-
-
-#if 0
-void fr_forgetifp(ifp)
-void *ifp;
-{
- register frentry_t *f;
-
- WRITE_ENTER(&ipf_mutex);
- for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
- for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- fr_natsync(ifp);
-}
-#endif
-
-
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(dev, flags
-#if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-# if (__FreeBSD_version >= 500024)
-struct thread *p;
-# else
-struct proc *p;
-# endif /* __FreeBSD_version >= 500024 */
-#else
-)
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
-struct cdev *dev;
-#else
-dev_t dev;
-#endif
-int flags;
-{
- u_int min = GET_MINOR(dev);
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else
- min = 0;
- return min;
-}
-
-
-int iplclose(dev, flags
-#if ((BSD >= 199506) || (__FreeBSD_version >= 220000)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-# if (__FreeBSD_version >= 500024)
-struct thread *p;
-# else
-struct proc *p;
-# endif /* __FreeBSD_version >= 500024 */
-#else
-)
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
-struct cdev *dev;
-#else
-dev_t dev;
-#endif
-int flags;
-{
- u_int min = GET_MINOR(dev);
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else
- min = 0;
- return min;
-}
-
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-#if (BSD >= 199306)
-int iplread(dev, uio, ioflag)
-int ioflag;
-#else
-int iplread(dev, uio)
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
-struct cdev *dev;
-#else
-dev_t dev;
-#endif
-register struct uio *uio;
-{
-
-# ifdef IPFILTER_SYNC
- if (GET_MINOR(dev) == IPL_LOGSYNC)
- return ipfsync_read(uio);
-# endif
-
-#ifdef IPFILTER_LOG
- return ipflog_read(GET_MINOR(dev), uio);
-#else
- return ENXIO;
-#endif
-}
-
-
-/*
- * iplwrite
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-#if (BSD >= 199306)
-int iplwrite(dev, uio, ioflag)
-int ioflag;
-#else
-int iplwrite(dev, uio)
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 502116)
-struct cdev *dev;
-#else
-dev_t dev;
-#endif
-register struct uio *uio;
-{
-
-#ifdef IPFILTER_SYNC
- if (GET_MINOR(dev) == IPL_LOGSYNC)
- return ipfsync_write(uio);
-#endif
- return ENXIO;
-}
-
-
-/*
- * fr_send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int fr_send_reset(fin)
-fr_info_t *fin;
-{
- struct tcphdr *tcp, *tcp2;
- int tlen = 0, hlen;
- struct mbuf *m;
-#ifdef USE_INET6
- ip6_t *ip6;
-#endif
- ip_t *ip;
-
- tcp = fin->fin_dp;
- if (tcp->th_flags & TH_RST)
- return -1; /* feedback loop */
-
-#ifndef IPFILTER_CKSUM
- if (fr_checkl4sum(fin) == -1)
- return -1;
-#endif
-
- tlen = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
-
-#ifdef USE_INET6
- hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
-#else
- hlen = sizeof(ip_t);
-#endif
-#ifdef MGETHDR
- MGETHDR(m, M_DONTWAIT, MT_HEADER);
-#else
- MGET(m, M_DONTWAIT, MT_HEADER);
-#endif
- if (m == NULL)
- return -1;
- if (sizeof(*tcp2) + hlen > MLEN) {
- MCLGET(m, M_DONTWAIT);
- if ((m->m_flags & M_EXT) == 0) {
- FREE_MB_T(m);
- return -1;
- }
- }
-
- m->m_len = sizeof(*tcp2) + hlen;
-#if (BSD >= 199103)
- m->m_data += max_linkhdr;
- m->m_pkthdr.len = m->m_len;
- m->m_pkthdr.rcvif = (struct ifnet *)0;
-#endif
- ip = mtod(m, struct ip *);
- bzero((char *)ip, hlen);
-#ifdef USE_INET6
- ip6 = (ip6_t *)ip;
-#endif
- tcp2 = (struct tcphdr *)((char *)ip + hlen);
- tcp2->th_sport = tcp->th_dport;
- tcp2->th_dport = tcp->th_sport;
-
- if (tcp->th_flags & TH_ACK) {
- tcp2->th_seq = tcp->th_ack;
- tcp2->th_flags = TH_RST;
- tcp2->th_ack = 0;
- } else {
- tcp2->th_seq = 0;
- tcp2->th_ack = ntohl(tcp->th_seq);
- tcp2->th_ack += tlen;
- tcp2->th_ack = htonl(tcp2->th_ack);
- tcp2->th_flags = TH_RST|TH_ACK;
- }
- TCP_X2_A(tcp2, 0);
- TCP_OFF_A(tcp2, sizeof(*tcp2) >> 2);
- tcp2->th_win = tcp->th_win;
- tcp2->th_sum = 0;
- tcp2->th_urp = 0;
-
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
- ip6->ip6_plen = htons(sizeof(struct tcphdr));
- ip6->ip6_nxt = IPPROTO_TCP;
- ip6->ip6_hlim = 0;
- ip6->ip6_src = fin->fin_dst6;
- ip6->ip6_dst = fin->fin_src6;
- tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
- sizeof(*ip6), sizeof(*tcp2));
- return fr_send_ip(fin, m, &m);
- }
-#endif
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len = htons(sizeof(struct tcphdr));
- ip->ip_src.s_addr = fin->fin_daddr;
- ip->ip_dst.s_addr = fin->fin_saddr;
- tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
- ip->ip_len = hlen + sizeof(*tcp2);
- return fr_send_ip(fin, m, &m);
-}
-
-
-static int fr_send_ip(fin, m, mpp)
-fr_info_t *fin;
-mb_t *m, **mpp;
-{
- fr_info_t fnew;
- ip_t *ip, *oip;
- int hlen;
-
- ip = mtod(m, ip_t *);
- bzero((char *)&fnew, sizeof(fnew));
-
- IP_V_A(ip, fin->fin_v);
- switch (fin->fin_v)
- {
- case 4 :
- fnew.fin_v = 4;
- oip = fin->fin_ip;
- IP_HL_A(ip, sizeof(*oip) >> 2);
- ip->ip_tos = oip->ip_tos;
- ip->ip_id = fin->fin_ip->ip_id;
-#if (__FreeBSD_version > 460000)
- ip->ip_off = path_mtu_discovery ? IP_DF : 0;
-#else
- ip->ip_off = 0;
-#endif
- ip->ip_ttl = ip_defttl;
- ip->ip_sum = 0;
- hlen = sizeof(*oip);
- break;
-#ifdef USE_INET6
- case 6 :
- {
- ip6_t *ip6 = (ip6_t *)ip;
-
- ip6->ip6_vfc = 0x60;
- ip6->ip6_hlim = IPDEFTTL;
-
- fnew.fin_v = 6;
- hlen = sizeof(*ip6);
- break;
- }
-#endif
- default :
- return EINVAL;
- }
-#ifdef IPSEC
- m->m_pkthdr.rcvif = NULL;
-#endif
-
- fnew.fin_ifp = fin->fin_ifp;
- fnew.fin_flx = FI_NOCKSUM;
- fnew.fin_m = m;
- fnew.fin_ip = ip;
- fnew.fin_mp = mpp;
- fnew.fin_hlen = hlen;
- fnew.fin_dp = (char *)ip + hlen;
- (void) fr_makefrip(hlen, ip, &fnew);
-
- return fr_fastroute(m, mpp, &fnew, NULL);
-}
-
-
-int fr_send_icmp_err(type, fin, dst)
-int type;
-fr_info_t *fin;
-int dst;
-{
- int err, hlen, xtra, iclen, ohlen, avail, code;
- struct in_addr dst4;
- struct icmp *icmp;
- struct mbuf *m;
- void *ifp;
-#ifdef USE_INET6
- ip6_t *ip6;
- struct in6_addr dst6;
-#endif
- ip_t *ip, *ip2;
-
- if ((type < 0) || (type > ICMP_MAXTYPE))
- return -1;
-
- code = fin->fin_icode;
-#ifdef USE_INET6
- if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
- return -1;
-#endif
-
-#ifndef IPFILTER_CKSUM
- if (fr_checkl4sum(fin) == -1)
- return -1;
-#endif
-#ifdef MGETHDR
- MGETHDR(m, M_DONTWAIT, MT_HEADER);
-#else
- MGET(m, M_DONTWAIT, MT_HEADER);
-#endif
- if (m == NULL)
- return -1;
- avail = MHLEN;
-
- xtra = 0;
- hlen = 0;
- ohlen = 0;
- ifp = fin->fin_ifp;
- if (fin->fin_v == 4) {
- if ((fin->fin_p == IPPROTO_ICMP) &&
- !(fin->fin_flx & FI_SHORT))
- switch (ntohs(fin->fin_data[0]) >> 8)
- {
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- break;
- default :
- FREE_MB_T(m);
- return 0;
- }
-
- if (dst == 0) {
- if (fr_ifpaddr(4, FRI_NORMAL, ifp,
- &dst4, NULL) == -1) {
- FREE_MB_T(m);
- return -1;
- }
- } else
- dst4.s_addr = fin->fin_daddr;
-
- hlen = sizeof(ip_t);
- ohlen = fin->fin_hlen;
- if (fin->fin_hlen < fin->fin_plen)
- xtra = MIN(fin->fin_dlen, 8);
- else
- xtra = 0;
- }
-
-#ifdef USE_INET6
- else if (fin->fin_v == 6) {
- hlen = sizeof(ip6_t);
- ohlen = sizeof(ip6_t);
- type = icmptoicmp6types[type];
- if (type == ICMP6_DST_UNREACH)
- code = icmptoicmp6unreach[code];
-
- if (hlen + sizeof(*icmp) + max_linkhdr +
- fin->fin_plen > avail) {
- MCLGET(m, M_DONTWAIT);
- if ((m->m_flags & M_EXT) == 0) {
- FREE_MB_T(m);
- return -1;
- }
- avail = MCLBYTES;
- }
- xtra = MIN(fin->fin_plen,
- avail - hlen - sizeof(*icmp) - max_linkhdr);
- if (dst == 0) {
- if (fr_ifpaddr(6, FRI_NORMAL, ifp,
- (struct in_addr *)&dst6, NULL) == -1) {
- FREE_MB_T(m);
- return -1;
- }
- } else
- dst6 = fin->fin_dst6;
- }
-#endif
- else {
- FREE_MB_T(m);
- return -1;
- }
-
- iclen = hlen + sizeof(*icmp);
- avail -= (max_linkhdr + iclen);
- if (avail < 0) {
- FREE_MB_T(m);
- return -1;
- }
- if (xtra > avail)
- xtra = avail;
- iclen += xtra;
- m->m_data += max_linkhdr;
- m->m_pkthdr.rcvif = (struct ifnet *)0;
- m->m_pkthdr.len = iclen;
- m->m_len = iclen;
- ip = mtod(m, ip_t *);
- icmp = (struct icmp *)((char *)ip + hlen);
- ip2 = (ip_t *)&icmp->icmp_ip;
-
- icmp->icmp_type = type;
- icmp->icmp_code = fin->fin_icode;
- icmp->icmp_cksum = 0;
-#ifdef icmp_nextmtu
- if (type == ICMP_UNREACH &&
- fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
- icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu);
-#endif
-
- bcopy((char *)fin->fin_ip, (char *)ip2, ohlen);
-
-#ifdef USE_INET6
- ip6 = (ip6_t *)ip;
- if (fin->fin_v == 6) {
- ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow;
- ip6->ip6_plen = htons(iclen - hlen);
- ip6->ip6_nxt = IPPROTO_ICMPV6;
- ip6->ip6_hlim = 0;
- ip6->ip6_src = dst6;
- ip6->ip6_dst = fin->fin_src6;
- if (xtra > 0)
- bcopy((char *)fin->fin_ip + ohlen,
- (char *)&icmp->icmp_ip + ohlen, xtra);
- icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
- sizeof(*ip6), iclen - hlen);
- } else
-#endif
- {
- ip2->ip_len = htons(ip2->ip_len);
- ip2->ip_off = htons(ip2->ip_off);
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_src.s_addr = dst4.s_addr;
- ip->ip_dst.s_addr = fin->fin_saddr;
-
- if (xtra > 0)
- bcopy((char *)fin->fin_ip + ohlen,
- (char *)&icmp->icmp_ip + ohlen, xtra);
- icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
- sizeof(*icmp) + 8);
- ip->ip_len = iclen;
- ip->ip_p = IPPROTO_ICMP;
- }
- err = fr_send_ip(fin, m, &m);
- return err;
-}
-
-
-#if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000)
-# if (BSD < 199306)
-int iplinit __P((void));
-
-int
-# else
-void iplinit __P((void));
-
-void
-# endif
-iplinit()
-{
- if (iplattach() != 0)
- printf("IP Filter failed to attach\n");
- ip_init();
-}
-#endif /* __FreeBSD_version < 300000 */
-
-
-int fr_fastroute(m0, mpp, fin, fdp)
-mb_t *m0, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- register struct ip *ip, *mhip;
- register struct mbuf *m = m0;
- register struct route *ro;
- int len, off, error = 0, hlen, code;
- struct ifnet *ifp, *sifp;
- struct sockaddr_in *dst;
- struct route iproute;
- u_short ip_off;
- frentry_t *fr;
-
-#ifdef M_WRITABLE
- /*
- * HOT FIX/KLUDGE:
- *
- * If the mbuf we're about to send is not writable (because of
- * a cluster reference, for example) we'll need to make a copy
- * of it since this routine modifies the contents.
- *
- * If you have non-crappy network hardware that can transmit data
- * from the mbuf, rather than making a copy, this is gonna be a
- * problem.
- */
- if (M_WRITABLE(m) == 0) {
- if ((m0 = m_dup(m, M_DONTWAIT)) != 0) {
- FREE_MB_T(m);
- m = m0;
- *mpp = m;
- } else {
- error = ENOBUFS;
- FREE_MB_T(m);
- *mpp = NULL;
- fr_frouteok[1]++;
- }
- }
-#endif
-
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- /*
- * currently "to <if>" and "to <if>:ip#" are not supported
- * for IPv6
- */
-#if (__FreeBSD_version >= 490000)
- return ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
-#else
- return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
-#endif
- }
-#endif
-
- hlen = fin->fin_hlen;
- ip = mtod(m0, struct ip *);
-
- /*
- * Route packet.
- */
- ro = &iproute;
- bzero((caddr_t)ro, sizeof (*ro));
- dst = (struct sockaddr_in *)&ro->ro_dst;
- dst->sin_family = AF_INET;
- dst->sin_addr = ip->ip_dst;
-
- fr = fin->fin_fr;
- if (fdp != NULL)
- ifp = fdp->fd_ifp;
- else
- ifp = fin->fin_ifp;
-
- if ((ifp == NULL) && (!fr || !(fr->fr_flags & FR_FASTROUTE))) {
- error = -2;
- goto bad;
- }
-
- /*
- * In case we're here due to "to <if>" being used with "keep state",
- * check that we're going in the correct direction.
- */
- if ((fr != NULL) && (fin->fin_rev != 0)) {
- if ((ifp != NULL) && (fdp == &fr->fr_tif))
- return -1;
- }
- if (fdp != NULL) {
- if (fdp->fd_ip.s_addr != 0)
- dst->sin_addr = fdp->fd_ip;
- }
-
- dst->sin_len = sizeof(*dst);
- rtalloc(ro);
-
- if ((ifp == NULL) && (ro->ro_rt != NULL))
- ifp = ro->ro_rt->rt_ifp;
-
- if ((ro->ro_rt == NULL) || (ifp == NULL)) {
- if (in_localaddr(ip->ip_dst))
- error = EHOSTUNREACH;
- else
- error = ENETUNREACH;
- goto bad;
- }
- if (ro->ro_rt->rt_flags & RTF_GATEWAY)
- dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
- if (ro->ro_rt)
- ro->ro_rt->rt_use++;
-
- /*
- * For input packets which are being "fastrouted", they won't
- * go back through output filtering and miss their chance to get
- * NAT'd and counted.
- */
- if (fin->fin_out == 0) {
- sifp = fin->fin_ifp;
- fin->fin_ifp = ifp;
- fin->fin_out = 1;
- (void) fr_acctpkt(fin, NULL);
- fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK)) {
- u_32_t pass;
-
- (void) fr_checkstate(fin, &pass);
- }
-
- switch (fr_checknatout(fin, NULL))
- {
- case 0 :
- break;
- case 1 :
- ip->ip_sum = 0;
- break;
- case -1 :
- error = -1;
- goto done;
- break;
- }
-
- fin->fin_ifp = sifp;
- fin->fin_out = 0;
- } else
- ip->ip_sum = 0;
- /*
- * If small enough for interface, can just send directly.
- */
- if (ip->ip_len <= ifp->if_mtu) {
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
-
- if (!ip->ip_sum)
- ip->ip_sum = in_cksum(m, hlen);
- error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
- ro->ro_rt);
- goto done;
- }
- /*
- * Too large for interface; fragment if possible.
- * Must be able to put at least 8 bytes per fragment.
- */
- ip_off = ntohs(ip->ip_off);
- if (ip_off & IP_DF) {
- error = EMSGSIZE;
- goto bad;
- }
- len = (ifp->if_mtu - hlen) &~ 7;
- if (len < 8) {
- error = EMSGSIZE;
- goto bad;
- }
-
- {
- int mhlen, firstlen = len;
- struct mbuf **mnext = &m->m_act;
-
- /*
- * Loop through length of segment after first fragment,
- * make new header and copy data of each part and link onto chain.
- */
- m0 = m;
- mhlen = sizeof (struct ip);
- for (off = hlen + len; off < ip->ip_len; off += len) {
-#ifdef MGETHDR
- MGETHDR(m, M_DONTWAIT, MT_HEADER);
-#else
- MGET(m, M_DONTWAIT, MT_HEADER);
-#endif
- if (m == 0) {
- m = m0;
- error = ENOBUFS;
- goto bad;
- }
- m->m_data += max_linkhdr;
- mhip = mtod(m, struct ip *);
- bcopy((char *)ip, (char *)mhip, sizeof(*ip));
- if (hlen > sizeof (struct ip)) {
- mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
- IP_HL_A(mhip, mhlen >> 2);
- }
- m->m_len = mhlen;
- mhip->ip_off = ((off - hlen) >> 3) + ip_off;
- if (off + len >= ip->ip_len)
- len = ip->ip_len - off;
- else
- mhip->ip_off |= IP_MF;
- mhip->ip_len = htons((u_short)(len + mhlen));
- m->m_next = m_copy(m0, off, len);
- if (m->m_next == 0) {
- error = ENOBUFS; /* ??? */
- goto sendorfree;
- }
- m->m_pkthdr.len = mhlen + len;
- m->m_pkthdr.rcvif = NULL;
- mhip->ip_off = htons((u_short)mhip->ip_off);
- mhip->ip_sum = 0;
- mhip->ip_sum = in_cksum(m, mhlen);
- *mnext = m;
- mnext = &m->m_act;
- }
- /*
- * Update first fragment by trimming what's been copied out
- * and updating header, then send each fragment (in order).
- */
- m_adj(m0, hlen + firstlen - ip->ip_len);
- ip->ip_len = htons((u_short)(hlen + firstlen));
- ip->ip_off = htons((u_short)IP_MF);
- ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m0, hlen);
-sendorfree:
- for (m = m0; m; m = m0) {
- m0 = m->m_act;
- m->m_act = 0;
- if (error == 0)
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst, ro->ro_rt);
- else
- FREE_MB_T(m);
- }
- }
-done:
- if (!error)
- fr_frouteok[0]++;
- else
- fr_frouteok[1]++;
-
- if (ro->ro_rt) {
- RTFREE(ro->ro_rt);
- }
- *mpp = NULL;
- return 0;
-bad:
- if (error == EMSGSIZE) {
- sifp = fin->fin_ifp;
- code = fin->fin_icode;
- fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
- fin->fin_ifp = ifp;
- (void) fr_send_icmp_err(ICMP_UNREACH, fin, 1);
- fin->fin_ifp = sifp;
- fin->fin_icode = code;
- }
- FREE_MB_T(m);
- goto done;
-}
-
-
-int fr_verifysrc(fin)
-fr_info_t *fin;
-{
- struct sockaddr_in *dst;
- struct route iproute;
-
- bzero((char *)&iproute, sizeof(iproute));
- dst = (struct sockaddr_in *)&iproute.ro_dst;
- dst->sin_len = sizeof(*dst);
- dst->sin_family = AF_INET;
- dst->sin_addr = fin->fin_src;
- rtalloc(&iproute);
- if (iproute.ro_rt == NULL)
- return 0;
- return (fin->fin_ifp == iproute.ro_rt->rt_ifp);
-}
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, atype, ifptr, inp, inpmask)
-int v, atype;
-void *ifptr;
-struct in_addr *inp, *inpmask;
-{
-#ifdef USE_INET6
- struct in6_addr *inp6 = NULL;
-#endif
- struct sockaddr *sock, *mask;
- struct sockaddr_in *sin;
- struct ifaddr *ifa;
- struct ifnet *ifp;
-
- if ((ifptr == NULL) || (ifptr == (void *)-1))
- return -1;
-
- sin = NULL;
- ifp = ifptr;
-
- if (v == 4)
- inp->s_addr = 0;
-#ifdef USE_INET6
- else if (v == 6)
- bzero((char *)inp, sizeof(struct in6_addr));
-#endif
-#if (__FreeBSD_version >= 300000)
- ifa = TAILQ_FIRST(&ifp->if_addrhead);
-#else
- ifa = ifp->if_addrlist;
-#endif /* __FreeBSD_version >= 300000 */
-
- sock = ifa->ifa_addr;
- while (sock != NULL && ifa != NULL) {
- sin = (struct sockaddr_in *)sock;
- if ((v == 4) && (sin->sin_family == AF_INET))
- break;
-#ifdef USE_INET6
- if ((v == 6) && (sin->sin_family == AF_INET6)) {
- inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
- if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
- !IN6_IS_ADDR_LOOPBACK(inp6))
- break;
- }
-#endif
-#if (__FreeBSD_version >= 300000)
- ifa = TAILQ_NEXT(ifa, ifa_link);
-#else
- ifa = ifa->ifa_next;
-#endif /* __FreeBSD_version >= 300000 */
- if (ifa != NULL)
- sock = ifa->ifa_addr;
- }
-
- if (ifa == NULL || sin == NULL)
- return -1;
-
- mask = ifa->ifa_netmask;
- if (atype == FRI_BROADCAST)
- sock = ifa->ifa_broadaddr;
- else if (atype == FRI_PEERADDR)
- sock = ifa->ifa_dstaddr;
-
-#ifdef USE_INET6
- if (v == 6) {
- return fr_ifpfillv6addr(atype, (struct sockaddr_in6 *)sock,
- (struct sockaddr_in6 *)mask,
- inp, inpmask);
- }
-#endif
- return fr_ifpfillv4addr(atype, (struct sockaddr_in *)sock,
- (struct sockaddr_in *)mask, inp, inpmask);
-}
-
-
-u_32_t fr_newisn(fin)
-fr_info_t *fin;
-{
- u_32_t newiss;
-#if (__FreeBSD_version >= 400000)
- newiss = arc4random();
-#else
- static iss_seq_off = 0;
- u_char hash[16];
- MD5_CTX ctx;
-
- /*
- * Compute the base value of the ISS. It is a hash
- * of (saddr, sport, daddr, dport, secret).
- */
- MD5Init(&ctx);
-
- MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_src,
- sizeof(fin->fin_fi.fi_src));
- MD5Update(&ctx, (u_char *) &fin->fin_fi.fi_dst,
- sizeof(fin->fin_fi.fi_dst));
- MD5Update(&ctx, (u_char *) &fin->fin_dat, sizeof(fin->fin_dat));
-
- MD5Update(&ctx, ipf_iss_secret, sizeof(ipf_iss_secret));
-
- MD5Final(hash, &ctx);
-
- memcpy(&newiss, hash, sizeof(newiss));
-
- /*
- * Now increment our "timer", and add it in to
- * the computed value.
- *
- * XXX Use `addin'?
- * XXX TCP_ISSINCR too large to use?
- */
- iss_seq_off += 0x00010000;
- newiss += iss_seq_off;
-#endif
- return newiss;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_nextipid */
-/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Returns the next IPv4 ID to use for this packet. */
-/* ------------------------------------------------------------------------ */
-u_short fr_nextipid(fin)
-fr_info_t *fin;
-{
-#ifndef RANDOM_IP_ID
- static u_short ipid = 0;
- u_short id;
-
- MUTEX_ENTER(&ipf_rw);
- id = ipid++;
- MUTEX_EXIT(&ipf_rw);
-#else
- u_short id;
-
- id = ip_randomid();
-#endif
-
- return id;
-}
-
-
-INLINE void fr_checkv4sum(fin)
-fr_info_t *fin;
-{
-#ifdef CSUM_DATA_VALID
- int manual = 0;
- u_short sum;
- ip_t *ip;
- mb_t *m;
-
- if ((fin->fin_flx & FI_NOCKSUM) != 0)
- return;
-
- m = fin->fin_m;
- if (m == NULL) {
- manual = 1;
- goto skipauto;
- }
- ip = fin->fin_ip;
-
- if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
- if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
- sum = m->m_pkthdr.csum_data;
- else
- sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
- htonl(m->m_pkthdr.csum_data +
- fin->fin_ip->ip_len + fin->fin_p));
- sum ^= 0xffff;
- if (sum != 0)
- fin->fin_flx |= FI_BAD;
- } else
- manual = 1;
-skipauto:
-# ifdef IPFILTER_CKSUM
- if (manual != 0)
- if (fr_checkl4sum(fin) == -1)
- fin->fin_flx |= FI_BAD;
-# else
- ;
-# endif
-#else
-# ifdef IPFILTER_CKSUM
- if (fr_checkl4sum(fin) == -1)
- fin->fin_flx |= FI_BAD;
-# endif
-#endif
-}
-
-
-#ifdef USE_INET6
-INLINE void fr_checkv6sum(fin)
-fr_info_t *fin;
-{
-# ifdef IPFILTER_CKSUM
- if (fr_checkl4sum(fin) == -1)
- fin->fin_flx |= FI_BAD;
-# endif
-}
-#endif /* USE_INET6 */
-
-
-size_t mbufchainlen(m0)
-struct mbuf *m0;
-{
- size_t len;
-
- if ((m0->m_flags & M_PKTHDR) != 0) {
- len = m0->m_pkthdr.len;
- } else {
- struct mbuf *m;
-
- for (m = m0, len = 0; m != NULL; m = m->m_next)
- len += m->m_len;
- }
- return len;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_pullup */
-/* Returns: NULL == pullup failed, else pointer to protocol header */
-/* Parameters: m(I) - pointer to buffer where data packet starts */
-/* fin(I) - pointer to packet information */
-/* len(I) - number of bytes to pullup */
-/* */
-/* Attempt to move at least len bytes (from the start of the buffer) into a */
-/* single buffer for ease of access. Operating system native functions are */
-/* used to manage buffers - if necessary. If the entire packet ends up in */
-/* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */
-/* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */
-/* and ONLY if the pullup succeeds. */
-/* */
-/* We assume that 'min' is a pointer to a buffer that is part of the chain */
-/* of buffers that starts at *fin->fin_mp. */
-/* ------------------------------------------------------------------------ */
-void *fr_pullup(min, fin, len)
-mb_t *min;
-fr_info_t *fin;
-int len;
-{
- int out = fin->fin_out, dpoff, ipoff;
- mb_t *m = min;
- char *ip;
-
- if (m == NULL)
- return NULL;
-
- ip = (char *)fin->fin_ip;
- if ((fin->fin_flx & FI_COALESCE) != 0)
- return ip;
-
- ipoff = fin->fin_ipoff;
- if (fin->fin_dp != NULL)
- dpoff = (char *)fin->fin_dp - (char *)ip;
- else
- dpoff = 0;
-
- if (M_LEN(m) < len) {
-#ifdef MHLEN
- /*
- * Assume that M_PKTHDR is set and just work with what is left
- * rather than check..
- * Should not make any real difference, anyway.
- */
- if (len > MHLEN)
-#else
- if (len > MLEN)
-#endif
- {
-#ifdef HAVE_M_PULLDOWN
- if (m_pulldown(m, 0, len, NULL) == NULL)
- m = NULL;
-#else
- FREE_MB_T(*fin->fin_mp);
- m = NULL;
-#endif
- } else
- {
- m = m_pullup(m, len);
- }
- *fin->fin_mp = m;
- fin->fin_m = m;
- if (m == NULL) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return NULL;
- }
- ip = MTOD(m, char *) + ipoff;
- }
-
- ATOMIC_INCL(frstats[out].fr_pull[0]);
- fin->fin_ip = (ip_t *)ip;
- if (fin->fin_dp != NULL)
- fin->fin_dp = (char *)fin->fin_ip + dpoff;
-
- if (len == fin->fin_plen)
- fin->fin_flx |= FI_COALESCE;
- return ip;
-}
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
deleted file mode 100644
index 087ca19..0000000
--- a/contrib/ipfilter/ip_frag.c
+++ /dev/null
@@ -1,858 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#ifdef __hpux
-# include <sys/timeout.h>
-#endif
-#if !defined(_KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# if defined(_KERNEL) && !defined(__sgi)
-# include <sys/kernel.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
-#include "netinet/ip_proxy.h"
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL)
-# ifndef IPFILTER_LKM
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-extern struct callout_handle fr_slowtimer_ch;
-# endif
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-# include <sys/callout.h>
-extern struct callout fr_slowtimer_ch;
-#endif
-#if defined(__OpenBSD__)
-# include <sys/timeout.h>
-extern struct timeout fr_slowtimer_ch;
-#endif
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77 2004/01/27 00:24:54 darrenr Exp";
-#endif
-
-
-static ipfr_t *ipfr_list = NULL;
-static ipfr_t **ipfr_tail = &ipfr_list;
-static ipfr_t **ipfr_heads;
-
-static ipfr_t *ipfr_natlist = NULL;
-static ipfr_t **ipfr_nattail = &ipfr_natlist;
-static ipfr_t **ipfr_nattab;
-
-static ipfr_t *ipfr_ipidlist = NULL;
-static ipfr_t **ipfr_ipidtail = &ipfr_ipidlist;
-static ipfr_t **ipfr_ipidtab;
-
-static ipfrstat_t ipfr_stats;
-static int ipfr_inuse = 0;
-int ipfr_size = IPFT_SIZE;
-
-int fr_ipfrttl = 120; /* 60 seconds */
-int fr_frag_lock = 0;
-int fr_frag_init = 0;
-u_long fr_ticks = 0;
-
-
-static ipfr_t *ipfr_newfrag __P((fr_info_t *, u_32_t, ipfr_t **));
-static ipfr_t *fr_fraglookup __P((fr_info_t *, ipfr_t **));
-static void fr_fragdelete __P((ipfr_t *, ipfr_t ***));
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fraginit */
-/* Returns: int - 0 == success, -1 == error */
-/* Parameters: Nil */
-/* */
-/* Initialise the hash tables for the fragment cache lookups. */
-/* ------------------------------------------------------------------------ */
-int fr_fraginit()
-{
- KMALLOCS(ipfr_heads, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
- if (ipfr_heads == NULL)
- return -1;
- bzero((char *)ipfr_heads, ipfr_size * sizeof(ipfr_t *));
-
- KMALLOCS(ipfr_nattab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
- if (ipfr_nattab == NULL)
- return -1;
- bzero((char *)ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
-
- KMALLOCS(ipfr_ipidtab, ipfr_t **, ipfr_size * sizeof(ipfr_t *));
- if (ipfr_ipidtab == NULL)
- return -1;
- bzero((char *)ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
-
- RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock");
- fr_frag_init = 1;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fragunload */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Free all memory allocated whilst running and from initialisation. */
-/* ------------------------------------------------------------------------ */
-void fr_fragunload()
-{
- if (fr_frag_init == 1) {
- fr_fragclear();
-
- RW_DESTROY(&ipf_frag);
- fr_frag_init = 0;
- }
-
- if (ipfr_heads != NULL)
- KFREES(ipfr_heads, ipfr_size * sizeof(ipfr_t *));
- ipfr_heads = NULL;
-
- if (ipfr_nattab != NULL)
- KFREES(ipfr_nattab, ipfr_size * sizeof(ipfr_t *));
- ipfr_nattab = NULL;
-
- if (ipfr_ipidtab != NULL)
- KFREES(ipfr_ipidtab, ipfr_size * sizeof(ipfr_t *));
- ipfr_ipidtab = NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fragstats */
-/* Returns: ipfrstat_t* - pointer to struct with current frag stats */
-/* Parameters: Nil */
-/* */
-/* Updates ipfr_stats with current information and returns a pointer to it */
-/* ------------------------------------------------------------------------ */
-ipfrstat_t *fr_fragstats()
-{
- ipfr_stats.ifs_table = ipfr_heads;
- ipfr_stats.ifs_nattab = ipfr_nattab;
- ipfr_stats.ifs_inuse = ipfr_inuse;
- return &ipfr_stats;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfr_newfrag */
-/* Returns: ipfr_t * - pointer to fragment cache state info or NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* table(I) - pointer to frag table to add to */
-/* */
-/* Add a new entry to the fragment cache, registering it as having come */
-/* through this box, with the result of the filter operation. */
-/* ------------------------------------------------------------------------ */
-static ipfr_t *ipfr_newfrag(fin, pass, table)
-fr_info_t *fin;
-u_32_t pass;
-ipfr_t *table[];
-{
- ipfr_t *fra, frag;
- u_int idx, off;
- ip_t *ip;
-
- if (ipfr_inuse >= IPFT_SIZE)
- return NULL;
-
- if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG)
- return NULL;
-
- ip = fin->fin_ip;
-
- if (pass & FR_FRSTRICT)
- if ((ip->ip_off & IP_OFFMASK) != 0)
- return NULL;
-
- frag.ipfr_p = ip->ip_p;
- idx = ip->ip_p;
- frag.ipfr_id = ip->ip_id;
- idx += ip->ip_id;
- frag.ipfr_tos = ip->ip_tos;
- frag.ipfr_src.s_addr = ip->ip_src.s_addr;
- idx += ip->ip_src.s_addr;
- frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
- idx += ip->ip_dst.s_addr;
- frag.ipfr_ifp = fin->fin_ifp;
- idx *= 127;
- idx %= IPFT_SIZE;
-
- frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
- frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
- frag.ipfr_auth = fin->fin_fi.fi_auth;
-
- /*
- * first, make sure it isn't already there...
- */
- for (fra = table[idx]; (fra != NULL); fra = fra->ipfr_hnext)
- if (!bcmp((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp,
- IPFR_CMPSZ)) {
- ipfr_stats.ifs_exists++;
- return NULL;
- }
-
- /*
- * allocate some memory, if possible, if not, just record that we
- * failed to do so.
- */
- KMALLOC(fra, ipfr_t *);
- if (fra == NULL) {
- ipfr_stats.ifs_nomem++;
- return NULL;
- }
-
- if ((fra->ipfr_rule = fin->fin_fr) != NULL)
- fin->fin_fr->fr_ref++;
-
- /*
- * Insert the fragment into the fragment table, copy the struct used
- * in the search using bcopy rather than reassign each field.
- * Set the ttl to the default.
- */
- if ((fra->ipfr_hnext = table[idx]) != NULL)
- table[idx]->ipfr_hprev = &fra->ipfr_hnext;
- fra->ipfr_hprev = table + idx;
- fra->ipfr_data = NULL;
- table[idx] = fra;
- bcopy((char *)&frag.ipfr_ifp, (char *)&fra->ipfr_ifp, IPFR_CMPSZ);
- fra->ipfr_ttl = fr_ticks + fr_ipfrttl;
-
- /*
- * Compute the offset of the expected start of the next packet.
- */
- off = ip->ip_off & IP_OFFMASK;
- if (off == 0)
- fra->ipfr_seen0 = 1;
- fra->ipfr_off = off + (fin->fin_dlen >> 3);
- fra->ipfr_pass = pass;
- ipfr_stats.ifs_new++;
- ipfr_inuse++;
- return fra;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_newfrag */
-/* Returns: int - 0 == success, -1 == error */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Add a new entry to the fragment cache table based on the current packet */
-/* ------------------------------------------------------------------------ */
-int fr_newfrag(fin, pass)
-u_32_t pass;
-fr_info_t *fin;
-{
- ipfr_t *fra;
-
- if ((fin->fin_v != 4) || (fr_frag_lock != 0))
- return -1;
-
- WRITE_ENTER(&ipf_frag);
- fra = ipfr_newfrag(fin, pass, ipfr_heads);
- if (fra != NULL) {
- *ipfr_tail = fra;
- fra->ipfr_prev = ipfr_tail;
- ipfr_tail = &fra->ipfr_next;
- if (ipfr_list == NULL)
- ipfr_list = fra;
- fra->ipfr_next = NULL;
- }
- RWLOCK_EXIT(&ipf_frag);
- return fra ? 0 : -1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_nat_newfrag */
-/* Returns: int - 0 == success, -1 == error */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT structure */
-/* */
-/* Create a new NAT fragment cache entry based on the current packet and */
-/* the NAT structure for this "session". */
-/* ------------------------------------------------------------------------ */
-int fr_nat_newfrag(fin, pass, nat)
-fr_info_t *fin;
-u_32_t pass;
-nat_t *nat;
-{
- ipfr_t *fra;
-
- if ((fin->fin_v != 4) || (fr_frag_lock != 0))
- return 0;
-
- WRITE_ENTER(&ipf_natfrag);
- fra = ipfr_newfrag(fin, pass, ipfr_nattab);
- if (fra != NULL) {
- fra->ipfr_data = nat;
- nat->nat_data = fra;
- *ipfr_nattail = fra;
- fra->ipfr_prev = ipfr_nattail;
- ipfr_nattail = &fra->ipfr_next;
- fra->ipfr_next = NULL;
- }
- RWLOCK_EXIT(&ipf_natfrag);
- return fra ? 0 : -1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ipid_newfrag */
-/* Returns: int - 0 == success, -1 == error */
-/* Parameters: fin(I) - pointer to packet information */
-/* ipid(I) - new IP ID for this fragmented packet */
-/* */
-/* Create a new fragment cache entry for this packet and store, as a data */
-/* pointer, the new IP ID value. */
-/* ------------------------------------------------------------------------ */
-int fr_ipid_newfrag(fin, ipid)
-fr_info_t *fin;
-u_32_t ipid;
-{
- ipfr_t *fra;
-
- if ((fin->fin_v != 4) || (fr_frag_lock))
- return 0;
-
- WRITE_ENTER(&ipf_ipidfrag);
- fra = ipfr_newfrag(fin, 0, ipfr_ipidtab);
- if (fra != NULL) {
- fra->ipfr_data = (void *)ipid;
- *ipfr_ipidtail = fra;
- fra->ipfr_prev = ipfr_ipidtail;
- ipfr_ipidtail = &fra->ipfr_next;
- fra->ipfr_next = NULL;
- }
- RWLOCK_EXIT(&ipf_ipidfrag);
- return fra ? 0 : -1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fraglookup */
-/* Returns: ipfr_t * - pointer to ipfr_t structure if there's a */
-/* matching entry in the frag table, else NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* table(I) - pointer to fragment cache table to search */
-/* */
-/* Check the fragment cache to see if there is already a record of this */
-/* packet with its filter result known. */
-/* ------------------------------------------------------------------------ */
-static ipfr_t *fr_fraglookup(fin, table)
-fr_info_t *fin;
-ipfr_t *table[];
-{
- ipfr_t *f, frag;
- u_int idx;
- ip_t *ip;
-
- if ((fin->fin_flx & (FI_FRAG|FI_BAD)) != FI_FRAG)
- return NULL;
-
- /*
- * For fragments, we record protocol, packet id, TOS and both IP#'s
- * (these should all be the same for all fragments of a packet).
- *
- * build up a hash value to index the table with.
- */
- ip = fin->fin_ip;
- frag.ipfr_p = ip->ip_p;
- idx = ip->ip_p;
- frag.ipfr_id = ip->ip_id;
- idx += ip->ip_id;
- frag.ipfr_tos = ip->ip_tos;
- frag.ipfr_src.s_addr = ip->ip_src.s_addr;
- idx += ip->ip_src.s_addr;
- frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
- idx += ip->ip_dst.s_addr;
- frag.ipfr_ifp = fin->fin_ifp;
- idx *= 127;
- idx %= IPFT_SIZE;
-
- frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
- frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
- frag.ipfr_auth = fin->fin_fi.fi_auth;
-
- /*
- * check the table, careful to only compare the right amount of data
- */
- for (f = table[idx]; f; f = f->ipfr_hnext)
- if (!bcmp((char *)&frag.ipfr_ifp, (char *)&f->ipfr_ifp,
- IPFR_CMPSZ)) {
- u_short off;
-
- /*
- * We don't want to let short packets match because
- * they could be compromising the security of other
- * rules that want to match on layer 4 fields (and
- * can't because they have been fragmented off.)
- * Why do this check here? The counter acts as an
- * indicator of this kind of attack, whereas if it was
- * elsewhere, it wouldn't know if other matching
- * packets had been seen.
- */
- if (fin->fin_flx & FI_SHORT) {
- ATOMIC_INCL(ipfr_stats.ifs_short);
- continue;
- }
-
- /*
- * XXX - We really need to be guarding against the
- * retransmission of (src,dst,id,offset-range) here
- * because a fragmented packet is never resent with
- * the same IP ID# (or shouldn't).
- */
- off = ip->ip_off & IP_OFFMASK;
- if (f->ipfr_seen0) {
- if (off == 0) {
- ATOMIC_INCL(ipfr_stats.ifs_retrans0);
- continue;
- }
- } else if (off == 0)
- f->ipfr_seen0 = 1;
-
- if (f != table[idx]) {
- ipfr_t **fp;
-
- /*
- * Move fragment info. to the top of the list
- * to speed up searches. First, delink...
- */
- fp = f->ipfr_hprev;
- (*fp) = f->ipfr_hnext;
- if (f->ipfr_hnext != NULL)
- f->ipfr_hnext->ipfr_hprev = fp;
- /*
- * Then put back at the top of the chain.
- */
- f->ipfr_hnext = table[idx];
- table[idx]->ipfr_hprev = &f->ipfr_hnext;
- f->ipfr_hprev = table + idx;
- table[idx] = f;
- }
-
- /*
- * If we've follwed the fragments, and this is the
- * last (in order), shrink expiration time.
- */
- if (off == f->ipfr_off) {
- if (!(ip->ip_off & IP_MF))
- f->ipfr_ttl = fr_ticks + 1;
- f->ipfr_off = (fin->fin_dlen >> 3) + off;
- } else if (f->ipfr_pass & FR_FRSTRICT)
- continue;
- ATOMIC_INCL(ipfr_stats.ifs_hits);
- return f;
- }
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_nat_knownfrag */
-/* Returns: nat_t* - pointer to 'parent' NAT structure if frag table */
-/* match found, else NULL */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Functional interface for NAT lookups of the NAT fragment cache */
-/* ------------------------------------------------------------------------ */
-nat_t *fr_nat_knownfrag(fin)
-fr_info_t *fin;
-{
- nat_t *nat;
- ipfr_t *ipf;
-
- if ((fin->fin_v != 4) || (fr_frag_lock) || !ipfr_natlist)
- return NULL;
- READ_ENTER(&ipf_natfrag);
- ipf = fr_fraglookup(fin, ipfr_nattab);
- if (ipf != NULL) {
- nat = ipf->ipfr_data;
- /*
- * This is the last fragment for this packet.
- */
- if ((ipf->ipfr_ttl == fr_ticks + 1) && (nat != NULL)) {
- nat->nat_data = NULL;
- ipf->ipfr_data = NULL;
- }
- } else
- nat = NULL;
- RWLOCK_EXIT(&ipf_natfrag);
- return nat;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ipid_knownfrag */
-/* Returns: u_32_t - IPv4 ID for this packet if match found, else */
-/* return 0xfffffff to indicate no match. */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* Functional interface for IP ID lookups of the IP ID fragment cache */
-/* ------------------------------------------------------------------------ */
-u_32_t fr_ipid_knownfrag(fin)
-fr_info_t *fin;
-{
- ipfr_t *ipf;
- u_32_t id;
-
- if ((fin->fin_v != 4) || (fr_frag_lock) || !ipfr_ipidlist)
- return 0xffffffff;
-
- READ_ENTER(&ipf_ipidfrag);
- ipf = fr_fraglookup(fin, ipfr_ipidtab);
- if (ipf != NULL)
- id = (u_32_t)ipf->ipfr_data;
- else
- id = 0xffffffff;
- RWLOCK_EXIT(&ipf_ipidfrag);
- return id;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_knownfrag */
-/* Returns: frentry_t* - pointer to filter rule if a match is found in */
-/* the frag cache table, else NULL. */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(O) - pointer to where to store rule flags resturned */
-/* */
-/* Functional interface for normal lookups of the fragment cache. If a */
-/* match is found, return the rule pointer and flags from the rule, except */
-/* that if FR_LOGFIRST is set, reset FR_LOG. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_knownfrag(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- frentry_t *fr = NULL;
- ipfr_t *fra;
- u_32_t pass;
-
- if ((fin->fin_v != 4) || (fr_frag_lock) || (ipfr_list == NULL))
- return NULL;
-
- READ_ENTER(&ipf_frag);
- fra = fr_fraglookup(fin, ipfr_heads);
- if (fra != NULL) {
- fr = fra->ipfr_rule;
- fin->fin_fr = fr;
- if (fr != NULL) {
- pass = fr->fr_flags;
- if ((pass & FR_LOGFIRST) != 0)
- pass &= ~(FR_LOGFIRST|FR_LOG);
- *passp = pass;
- }
- }
- RWLOCK_EXIT(&ipf_frag);
- return fr;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_forget */
-/* Returns: Nil */
-/* Parameters: ptr(I) - pointer to data structure */
-/* */
-/* Search through all of the fragment cache entries and wherever a pointer */
-/* is found to match ptr, reset it to NULL. */
-/* ------------------------------------------------------------------------ */
-void fr_forget(ptr)
-void *ptr;
-{
- ipfr_t *fr;
-
- WRITE_ENTER(&ipf_frag);
- for (fr = ipfr_list; fr; fr = fr->ipfr_next)
- if (fr->ipfr_data == ptr)
- fr->ipfr_data = NULL;
- RWLOCK_EXIT(&ipf_frag);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_forgetnat */
-/* Returns: Nil */
-/* Parameters: ptr(I) - pointer to data structure */
-/* */
-/* Search through all of the fragment cache entries for NAT and wherever a */
-/* pointer is found to match ptr, reset it to NULL. */
-/* ------------------------------------------------------------------------ */
-void fr_forgetnat(ptr)
-void *ptr;
-{
- ipfr_t *fr;
-
- WRITE_ENTER(&ipf_natfrag);
- for (fr = ipfr_natlist; fr; fr = fr->ipfr_next)
- if (fr->ipfr_data == ptr)
- fr->ipfr_data = NULL;
- RWLOCK_EXIT(&ipf_natfrag);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fragdelete */
-/* Returns: Nil */
-/* Parameters: fra(I) - pointer to fragment structure to delete */
-/* tail(IO) - pointer to the pointer to the tail of the frag */
-/* list */
-/* */
-/* Remove a fragment cache table entry from the table & list. Also free */
-/* the filter rule it is associated with it if it is no longer used as a */
-/* result of decreasing the reference count. */
-/* ------------------------------------------------------------------------ */
-static void fr_fragdelete(fra, tail)
-ipfr_t *fra, ***tail;
-{
- frentry_t *fr;
-
- fr = fra->ipfr_rule;
- if (fr != NULL)
- (void)fr_derefrule(&fr);
-
- if (fra->ipfr_next)
- fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
- *fra->ipfr_prev = fra->ipfr_next;
- if (*tail == &fra->ipfr_next)
- *tail = fra->ipfr_prev;
-
- if (fra->ipfr_hnext)
- fra->ipfr_hnext->ipfr_hprev = fra->ipfr_hprev;
- *fra->ipfr_hprev = fra->ipfr_hnext;
- KFREE(fra);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fragclear */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Free memory in use by fragment state information kept. Do the normal */
-/* fragment state stuff first and then the NAT-fragment table. */
-/* ------------------------------------------------------------------------ */
-void fr_fragclear()
-{
- ipfr_t *fra;
- nat_t *nat;
-
- WRITE_ENTER(&ipf_frag);
- while ((fra = ipfr_list) != NULL)
- fr_fragdelete(fra, &ipfr_tail);
- ipfr_tail = &ipfr_list;
- RWLOCK_EXIT(&ipf_frag);
-
- WRITE_ENTER(&ipf_nat);
- WRITE_ENTER(&ipf_natfrag);
- while ((fra = ipfr_natlist) != NULL) {
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- fr_fragdelete(fra, &ipfr_nattail);
- }
- ipfr_nattail = &ipfr_natlist;
- RWLOCK_EXIT(&ipf_natfrag);
- RWLOCK_EXIT(&ipf_nat);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fragexpire */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Expire entries in the fragment cache table that have been there too long */
-/* ------------------------------------------------------------------------ */
-void fr_fragexpire()
-{
- ipfr_t **fp, *fra;
- nat_t *nat;
-#if defined(USE_SPL) && defined(_KERNEL)
- int s;
-#endif
-
- if (fr_frag_lock)
- return;
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_frag);
- /*
- * Go through the entire table, looking for entries to expire,
- * which is indicated by the ttl being less than or equal to fr_ticks.
- */
- for (fp = &ipfr_list; ((fra = *fp) != NULL); ) {
- if (fra->ipfr_ttl > fr_ticks)
- break;
- fr_fragdelete(fra, &ipfr_tail);
- ipfr_stats.ifs_expire++;
- ipfr_inuse--;
- }
- RWLOCK_EXIT(&ipf_frag);
-
- WRITE_ENTER(&ipf_ipidfrag);
- for (fp = &ipfr_ipidlist; ((fra = *fp) != NULL); ) {
- if (fra->ipfr_ttl > fr_ticks)
- break;
- fr_fragdelete(fra, &ipfr_ipidtail);
- ipfr_stats.ifs_expire++;
- ipfr_inuse--;
- }
- RWLOCK_EXIT(&ipf_ipidfrag);
-
- /*
- * Same again for the NAT table, except that if the structure also
- * still points to a NAT structure, and the NAT structure points back
- * at the one to be free'd, NULL the reference from the NAT struct.
- * NOTE: We need to grab both mutex's early, and in this order so as
- * to prevent a deadlock if both try to expire at the same time.
- */
- WRITE_ENTER(&ipf_nat);
- WRITE_ENTER(&ipf_natfrag);
- for (fp = &ipfr_natlist; ((fra = *fp) != NULL); ) {
- if (fra->ipfr_ttl > fr_ticks)
- break;
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- fr_fragdelete(fra, &ipfr_nattail);
- ipfr_stats.ifs_expire++;
- ipfr_inuse--;
- }
- RWLOCK_EXIT(&ipf_natfrag);
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_slowtimer */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Slowly expire held state for fragments. Timeouts are set * in */
-/* expectation of this being called twice per second. */
-/* ------------------------------------------------------------------------ */
-#if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \
- !defined(__osf__))
-# if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi))
-void fr_slowtimer __P((void *ptr))
-# else
-int fr_slowtimer()
-# endif
-{
- READ_ENTER(&ipf_global);
-
- fr_fragexpire();
- fr_timeoutstate();
- fr_natexpire();
- fr_authexpire();
- fr_ticks++;
- if (fr_running <= 0)
- goto done;
-# ifdef _KERNEL
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104240000)
- callout_reset(&fr_slowtimer_ch, hz / 2, fr_slowtimer, NULL);
-# else
-# if defined(__OpenBSD__)
- timeout_add(&fr_slowtimer_ch, hz/2);
-# else
-# if (__FreeBSD_version >= 300000)
- fr_slowtimer_ch = timeout(fr_slowtimer, NULL, hz/2);
-# else
-# ifdef linux
- ;
-# else
- timeout(fr_slowtimer, NULL, hz/2);
-# endif
-# endif /* FreeBSD */
-# endif /* OpenBSD */
-# endif /* NetBSD */
-# endif
-done:
- RWLOCK_EXIT(&ipf_global);
-# if (BSD < 199103) || !defined(_KERNEL)
- return 0;
-# endif
-}
-#endif /* !SOLARIS && !defined(__hpux) && !defined(__sgi) */
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
deleted file mode 100644
index 786a088..0000000
--- a/contrib/ipfilter/ip_frag.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_frag.h 1.5 3/24/96
- * Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp
- */
-
-#ifndef __IP_FRAG_H__
-#define __IP_FRAG_H__
-
-#define IPFT_SIZE 257
-
-typedef struct ipfr {
- struct ipfr *ipfr_hnext, **ipfr_hprev;
- struct ipfr *ipfr_next, **ipfr_prev;
- void *ipfr_data;
- void *ipfr_ifp;
- struct in_addr ipfr_src;
- struct in_addr ipfr_dst;
- u_32_t ipfr_optmsk;
- u_short ipfr_secmsk;
- u_short ipfr_auth;
- u_short ipfr_id;
- u_char ipfr_p;
- u_char ipfr_tos;
- u_32_t ipfr_pass;
- u_short ipfr_off;
- u_char ipfr_ttl;
- u_char ipfr_seen0;
- frentry_t *ipfr_rule;
-} ipfr_t;
-
-
-typedef struct ipfrstat {
- u_long ifs_exists; /* add & already exists */
- u_long ifs_nomem;
- u_long ifs_new;
- u_long ifs_hits;
- u_long ifs_expire;
- u_long ifs_inuse;
- u_long ifs_retrans0;
- u_long ifs_short;
- struct ipfr **ifs_table;
- struct ipfr **ifs_nattab;
-} ipfrstat_t;
-
-#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \
- offsetof(ipfr_t, ipfr_ifp))
-
-extern int ipfr_size;
-extern int fr_ipfrttl;
-extern int fr_frag_lock;
-extern int fr_fraginit __P((void));
-extern void fr_fragunload __P((void));
-extern ipfrstat_t *fr_fragstats __P((void));
-
-extern int fr_newfrag __P((fr_info_t *, u_32_t));
-extern frentry_t *fr_knownfrag __P((fr_info_t *, u_32_t *));
-
-extern int fr_nat_newfrag __P((fr_info_t *, u_32_t, struct nat *));
-extern nat_t *fr_nat_knownfrag __P((fr_info_t *));
-
-extern int fr_ipid_newfrag __P((fr_info_t *, u_32_t));
-extern u_32_t fr_ipid_knownfrag __P((fr_info_t *));
-
-extern void fr_forget __P((void *));
-extern void fr_forgetnat __P((void *));
-extern void fr_fragclear __P((void));
-extern void fr_fragexpire __P((void));
-
-#if defined(_KERNEL) && ((BSD >= 199306) || SOLARIS || defined(__sgi) \
- || defined(__osf__) || (defined(__sgi) && (IRIX >= 60500)))
-# if defined(SOLARIS2) && (SOLARIS2 < 7)
-extern void fr_slowtimer __P((void));
-# else
-extern void fr_slowtimer __P((void *));
-# endif
-#else
-extern int fr_slowtimer __P((void));
-#endif
-
-#endif /* __IP_FRAG_H__ */
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
deleted file mode 100644
index 5bdc18a..0000000
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ /dev/null
@@ -1,1454 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1997-2003 by Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Simple FTP transparent proxy for in-kernel use. For use with the NAT
- * code.
- *
- * Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
- */
-
-#define IPF_FTP_PROXY
-
-#define IPF_MINPORTLEN 18
-#define IPF_MAXPORTLEN 30
-#define IPF_MIN227LEN 39
-#define IPF_MAX227LEN 51
-#define IPF_MIN229LEN 47
-#define IPF_MAX229LEN 51
-
-#define FTPXY_GO 0
-#define FTPXY_INIT 1
-#define FTPXY_USER_1 2
-#define FTPXY_USOK_1 3
-#define FTPXY_PASS_1 4
-#define FTPXY_PAOK_1 5
-#define FTPXY_AUTH_1 6
-#define FTPXY_AUOK_1 7
-#define FTPXY_ADAT_1 8
-#define FTPXY_ADOK_1 9
-#define FTPXY_ACCT_1 10
-#define FTPXY_ACOK_1 11
-#define FTPXY_USER_2 12
-#define FTPXY_USOK_2 13
-#define FTPXY_PASS_2 14
-#define FTPXY_PAOK_2 15
-
-/*
- * Values for FTP commands. Numerics cover 0-999
- */
-#define FTPXY_C_PASV 1000
-
-int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_complete __P((char *, size_t));
-int ippr_ftp_in __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_ftp_init __P((void));
-void ippr_ftp_fini __P((void));
-int ippr_ftp_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_ftp_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_epsv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
-int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
-int ippr_ftp_process __P((fr_info_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t));
-int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t));
-int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t));
-u_short ippr_ftp_atoi __P((char **));
-int ippr_ftp_pasvreply __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *,
- u_int, char *, char *, u_int));
-
-
-int ftp_proxy_init = 0;
-int ippr_ftp_pasvonly = 0;
-int ippr_ftp_insecure = 0; /* Do not require logins before transfers */
-int ippr_ftp_pasvrdr = 0;
-int ippr_ftp_forcepasv = 0; /* PASV must be last command prior to 227 */
-#if defined(_KERNEL)
-int ippr_ftp_debug = 0;
-#else
-int ippr_ftp_debug = 2;
-#endif
-/*
- * 1 - security
- * 2 - errors
- * 3 - error debugging
- * 4 - parsing errors
- * 5 - parsing info
- * 6 - parsing debug
- */
-
-static frentry_t ftppxyfr;
-static ipftuneable_t ftptune = {
- { &ippr_ftp_debug },
- "ippr_ftp_debug",
- 0,
- 10,
- sizeof(ippr_ftp_debug),
- 0,
- NULL
-};
-
-
-/*
- * Initialize local structures.
- */
-int ippr_ftp_init()
-{
- bzero((char *)&ftppxyfr, sizeof(ftppxyfr));
- ftppxyfr.fr_ref = 1;
- ftppxyfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&ftppxyfr.fr_lock, "FTP Proxy Mutex");
- ftp_proxy_init = 1;
- (void) fr_addipftune(&ftptune);
-
- return 0;
-}
-
-
-void ippr_ftp_fini()
-{
- (void) fr_delipftune(&ftptune);
-
- if (ftp_proxy_init == 1) {
- MUTEX_DESTROY(&ftppxyfr.fr_lock);
- ftp_proxy_init = 0;
- }
-}
-
-
-int ippr_ftp_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
- ftpside_t *f;
-
- KMALLOC(ftp, ftpinfo_t *);
- if (ftp == NULL)
- return -1;
-
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- aps->aps_data = ftp;
- aps->aps_psiz = sizeof(ftpinfo_t);
-
- bzero((char *)ftp, sizeof(*ftp));
- f = &ftp->ftp_side[0];
- f->ftps_rptr = f->ftps_buf;
- f->ftps_wptr = f->ftps_buf;
- f = &ftp->ftp_side[1];
- f->ftps_rptr = f->ftps_buf;
- f->ftps_wptr = f->ftps_buf;
- ftp->ftp_passok = FTPXY_INIT;
- ftp->ftp_incok = 0;
- return 0;
-}
-
-
-int ippr_ftp_port(fin, ip, nat, f, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpside_t *f;
-int dlen;
-{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- char newbuf[IPF_FTPBUFSZ], *s;
- struct in_addr swip, swip2;
- u_int a1, a2, a3, a4;
- int inc, off, flags;
- u_short a5, a6, sp;
- size_t nlen, olen;
- fr_info_t fi;
- nat_t *nat2;
- mb_t *m;
-
- m = fin->fin_m;
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
- /*
- * Check for client sending out PORT message.
- */
- if (dlen < IPF_MINPORTLEN) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n",
- dlen);
- return 0;
- }
- /*
- * Skip the PORT command + space
- */
- s = f->ftps_rptr + 5;
- /*
- * Pick out the address components, two at a time.
- */
- a1 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 1);
- return 0;
- }
- a2 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2);
- return 0;
- }
-
- /*
- * Check that IP address in the PORT/PASV reply is the same as the
- * sender of the command - prevents using PORT for port scanning.
- */
- a1 <<= 16;
- a1 |= a2;
- if (((nat->nat_dir == NAT_OUTBOUND) &&
- (a1 != ntohl(nat->nat_inip.s_addr))) ||
- ((nat->nat_dir == NAT_INBOUND) &&
- (a1 != ntohl(nat->nat_oip.s_addr)))) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_port:%s != nat->nat_inip\n", "a1");
- return APR_ERR(1);
- }
-
- a5 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 3);
- return 0;
- }
- if (*s == ')')
- s++;
-
- /*
- * check for CR-LF at the end.
- */
- if (*s == '\n')
- s--;
- if ((*s == '\r') && (*(s + 1) == '\n')) {
- s += 2;
- a6 = a5 & 0xff;
- } else {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_port:missing %s\n", "cr-lf");
- return 0;
- }
-
- a5 >>= 8;
- a5 &= 0xff;
- sp = a5 << 8 | a6;
- /*
- * Don't allow the PORT command to specify a port < 1024 due to
- * security crap.
- */
- if (sp < 1024) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_port:sp(%d) < 1024\n", sp);
- return 0;
- }
- /*
- * Calculate new address parts for PORT command
- */
- if (nat->nat_dir == NAT_INBOUND)
- a1 = ntohl(nat->nat_oip.s_addr);
- else
- a1 = ntohl(ip->ip_src.s_addr);
- a2 = (a1 >> 16) & 0xff;
- a3 = (a1 >> 8) & 0xff;
- a4 = a1 & 0xff;
- a1 >>= 24;
- olen = s - f->ftps_rptr;
- /* DO NOT change this to snprintf! */
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n",
- "PORT", a1, a2, a3, a4, a5, a6);
-#else
- (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
- "PORT", a1, a2, a3, a4, a5, a6);
-#endif
-
- nlen = strlen(newbuf);
- inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n",
- inc);
- return 0;
- }
-
-#if !defined(_KERNEL)
- bcopy(newbuf, MTOD(m, char *) + off, nlen);
-#else
-# if defined(MENTAT)
- if (inc < 0)
- (void)adjmsg(m, inc);
-# else /* defined(MENTAT) */
- /*
- * m_adj takes care of pkthdr.len, if required and treats inc<0 to
- * mean remove -len bytes from the end of the packet.
- * The mbuf chain will be extended if necessary by m_copyback().
- */
- if (inc < 0)
- m_adj(m, inc);
-# endif /* defined(MENTAT) */
-#endif /* !defined(_KERNEL) */
- COPYBACK(m, off, nlen, newbuf);
-
- if (inc != 0) {
- ip->ip_len += inc;
- fin->fin_dlen += inc;
- fin->fin_plen += inc;
- }
-
- /*
- * The server may not make the connection back from port 20, but
- * it is the most likely so use it here to check for a conflicting
- * mapping.
- */
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_flx |= FI_IGNORE;
- fi.fin_data[0] = sp;
- fi.fin_data[1] = fin->fin_data[1] - 1;
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- if (nat->nat_dir == NAT_OUTBOUND)
- nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
- nat->nat_inip, nat->nat_oip);
- else
- nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
- nat->nat_inip, nat->nat_oip);
- if (nat2 == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = htons(sp);
- TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- fi.fin_data[1] = 0;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &ftppxyfr;
- fi.fin_out = nat->nat_dir;
- fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
- swip = ip->ip_src;
- swip2 = ip->ip_dst;
- if (nat->nat_dir == NAT_OUTBOUND) {
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_src = nat->nat_inip;
- } else if (nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
- ip->ip_src = nat->nat_oip;
- }
-
- flags = NAT_SLAVE|IPN_TCP|SI_W_DPORT;
- if (nat->nat_dir == NAT_INBOUND)
- flags |= NAT_NOTRULEPORT;
- nat2 = nat_new(&fi, nat->nat_ptr, NULL, flags, nat->nat_dir);
-
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_TCP);
- nat_update(&fi, nat2, nat->nat_ptr);
- fi.fin_ifp = NULL;
- if (nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
- ip->ip_dst = nat->nat_inip;
- }
- (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_len = slen;
- ip->ip_src = swip;
- ip->ip_dst = swip2;
- } else {
- ipstate_t *is;
-
- nat_update(&fi, nat2, nat->nat_ptr);
- READ_ENTER(&ipf_state);
- is = nat2->nat_state;
- if (is != NULL) {
- MUTEX_ENTER(&is->is_lock);
- (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
- is->is_flags);
- MUTEX_EXIT(&is->is_lock);
- }
- RWLOCK_EXIT(&ipf_state);
- }
- return APR_INC(inc);
-}
-
-
-int ippr_ftp_client(fin, ip, nat, ftp, dlen)
-fr_info_t *fin;
-nat_t *nat;
-ftpinfo_t *ftp;
-ip_t *ip;
-int dlen;
-{
- char *rptr, *wptr, cmd[6], c;
- ftpside_t *f;
- int inc, i;
-
- inc = 0;
- f = &ftp->ftp_side[0];
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- for (i = 0; (i < 5) && (i < dlen); i++) {
- c = rptr[i];
- if (ISALPHA(c)) {
- cmd[i] = TOUPPER(c);
- } else {
- cmd[i] = c;
- }
- }
- cmd[i] = '\0';
-
- ftp->ftp_incok = 0;
- if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) {
- if (ftp->ftp_passok == FTPXY_ADOK_1 ||
- ftp->ftp_passok == FTPXY_AUOK_1) {
- ftp->ftp_passok = FTPXY_USER_2;
- ftp->ftp_incok = 1;
- } else {
- ftp->ftp_passok = FTPXY_USER_1;
- ftp->ftp_incok = 1;
- }
- } else if (!strncmp(cmd, "AUTH ", 5)) {
- ftp->ftp_passok = FTPXY_AUTH_1;
- ftp->ftp_incok = 1;
- } else if (!strncmp(cmd, "PASS ", 5)) {
- if (ftp->ftp_passok == FTPXY_USOK_1) {
- ftp->ftp_passok = FTPXY_PASS_1;
- ftp->ftp_incok = 1;
- } else if (ftp->ftp_passok == FTPXY_USOK_2) {
- ftp->ftp_passok = FTPXY_PASS_2;
- ftp->ftp_incok = 1;
- }
- } else if ((ftp->ftp_passok == FTPXY_AUOK_1) &&
- !strncmp(cmd, "ADAT ", 5)) {
- ftp->ftp_passok = FTPXY_ADAT_1;
- ftp->ftp_incok = 1;
- } else if ((ftp->ftp_passok == FTPXY_PAOK_1 ||
- ftp->ftp_passok == FTPXY_PAOK_2) &&
- !strncmp(cmd, "ACCT ", 5)) {
- ftp->ftp_passok = FTPXY_ACCT_1;
- ftp->ftp_incok = 1;
- } else if ((ftp->ftp_passok == FTPXY_GO) && !ippr_ftp_pasvonly &&
- !strncmp(cmd, "PORT ", 5)) {
- inc = ippr_ftp_port(fin, ip, nat, f, dlen);
- } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
- !strncmp(cmd, "PORT ", 5)) {
- inc = ippr_ftp_port(fin, ip, nat, f, dlen);
- }
-
- while ((*rptr++ != '\n') && (rptr < wptr))
- ;
- f->ftps_rptr = rptr;
- return inc;
-}
-
-
-int ippr_ftp_pasv(fin, ip, nat, ftp, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpinfo_t *ftp;
-int dlen;
-{
- u_int a1, a2, a3, a4, data_ip;
- char newbuf[IPF_FTPBUFSZ];
- char *s, *brackets[2];
- u_short a5, a6;
- ftpside_t *f;
-
- if (ippr_ftp_forcepasv != 0 &&
- ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
- ftp->ftp_side[0].ftps_cmds);
- return 0;
- }
-
- f = &ftp->ftp_side[1];
-
-#define PASV_REPLEN 24
- /*
- * Check for PASV reply message.
- */
- if (dlen < IPF_MIN227LEN) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n",
- dlen);
- return 0;
- } else if (strncmp(f->ftps_rptr,
- "227 Entering Passive Mod", PASV_REPLEN)) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_pasv:%d reply wrong\n", 227);
- return 0;
- }
-
- brackets[0] = "";
- brackets[1] = "";
- /*
- * Skip the PASV reply + space
- */
- s = f->ftps_rptr + PASV_REPLEN;
- while (*s && !ISDIGIT(*s)) {
- if (*s == '(') {
- brackets[0] = "(";
- brackets[1] = ")";
- }
- s++;
- }
-
- /*
- * Pick out the address components, two at a time.
- */
- a1 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 1);
- return 0;
- }
- a2 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 2);
- return 0;
- }
-
- /*
- * check that IP address in the PASV reply is the same as the
- * sender of the command - prevents using PASV for port scanning.
- */
- a1 <<= 16;
- a1 |= a2;
-
- if (((nat->nat_dir == NAT_INBOUND) &&
- (a1 != ntohl(nat->nat_inip.s_addr))) ||
- ((nat->nat_dir == NAT_OUTBOUND) &&
- (a1 != ntohl(nat->nat_oip.s_addr)))) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_pasv:%s != nat->nat_oip\n", "a1");
- return 0;
- }
-
- a5 = ippr_ftp_atoi(&s);
- if (s == NULL) {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 3);
- return 0;
- }
-
- if (*s == ')')
- s++;
- if (*s == '.')
- s++;
- if (*s == '\n')
- s--;
- /*
- * check for CR-LF at the end.
- */
- if ((*s == '\r') && (*(s + 1) == '\n')) {
- s += 2;
- } else {
- if (ippr_ftp_debug > 1)
- printf("ippr_ftp_pasv:missing %s", "cr-lf\n");
- return 0;
- }
-
- a6 = a5 & 0xff;
- a5 >>= 8;
- /*
- * Calculate new address parts for 227 reply
- */
- if (nat->nat_dir == NAT_INBOUND) {
- data_ip = nat->nat_outip.s_addr;
- a1 = ntohl(data_ip);
- } else
- data_ip = htonl(a1);
-
- a2 = (a1 >> 16) & 0xff;
- a3 = (a1 >> 8) & 0xff;
- a4 = a1 & 0xff;
- a1 >>= 24;
-
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(newbuf, sizeof(newbuf), "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
- "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
- a5, a6, brackets[1]);
-#else
- (void) sprintf(newbuf, "%s %s%u,%u,%u,%u,%u,%u%s\r\n",
- "227 Entering Passive Mode", brackets[0], a1, a2, a3, a4,
- a5, a6, brackets[1]);
-#endif
- return ippr_ftp_pasvreply(fin, ip, nat, f, (a5 << 8 | a6),
- newbuf, s, data_ip);
-}
-
-int ippr_ftp_pasvreply(fin, ip, nat, f, port, newmsg, s, data_ip)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpside_t *f;
-u_int port;
-char *newmsg;
-char *s;
-u_int data_ip;
-{
- int inc, off, nflags, sflags;
- tcphdr_t *tcp, tcph, *tcp2;
- struct in_addr swip, swip2;
- struct in_addr data_addr;
- size_t nlen, olen;
- fr_info_t fi;
- nat_t *nat2;
- mb_t *m;
-
- m = fin->fin_m;
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
- data_addr.s_addr = data_ip;
- tcp2 = &tcph;
- inc = 0;
-
-
- olen = s - f->ftps_rptr;
- nlen = strlen(newmsg);
- inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535) {
- if (ippr_ftp_debug > 0)
- printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n",
- inc);
- return 0;
- }
-
-#if !defined(_KERNEL)
- bcopy(newmsg, MTOD(m, char *) + off, nlen);
-#else
-# if defined(MENTAT)
- if (inc < 0)
- (void)adjmsg(m, inc);
-# else /* defined(MENTAT) */
- /*
- * m_adj takes care of pkthdr.len, if required and treats inc<0 to
- * mean remove -len bytes from the end of the packet.
- * The mbuf chain will be extended if necessary by m_copyback().
- */
- if (inc < 0)
- m_adj(m, inc);
-# endif /* defined(MENTAT) */
-#endif /* !defined(_KERNEL) */
- COPYBACK(m, off, nlen, newmsg);
-
- if (inc != 0) {
- ip->ip_len += inc;
- fin->fin_dlen += inc;
- fin->fin_plen += inc;
- }
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_flx |= FI_IGNORE;
- fi.fin_data[0] = 0;
- fi.fin_data[1] = port;
- nflags = IPN_TCP|SI_W_SPORT;
- if (ippr_ftp_pasvrdr && f->ftps_ifp)
- nflags |= SI_W_DPORT;
- if (nat->nat_dir == NAT_OUTBOUND)
- nat2 = nat_outlookup(&fi, nflags|NAT_SEARCH,
- nat->nat_p, nat->nat_inip, nat->nat_oip);
- else
- nat2 = nat_inlookup(&fi, nflags|NAT_SEARCH,
- nat->nat_p, nat->nat_inip, nat->nat_oip);
- if (nat2 == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = 0; /* XXX - fake it for nat_new */
- TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
- fi.fin_data[1] = port;
- fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_dport = htons(port);
- fi.fin_data[0] = 0;
- fi.fin_dp = (char *)tcp2;
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp);
- fi.fin_fr = &ftppxyfr;
- fi.fin_out = nat->nat_dir;
- fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
- swip = ip->ip_src;
- swip2 = ip->ip_dst;
- if (nat->nat_dir == NAT_OUTBOUND) {
- fi.fin_fi.fi_daddr = data_addr.s_addr;
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_dst = data_addr;
- ip->ip_src = nat->nat_inip;
- } else if (nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
- fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
- ip->ip_src = nat->nat_oip;
- ip->ip_dst = nat->nat_outip;
- }
-
- sflags = nflags;
- nflags |= NAT_SLAVE;
- if (nat->nat_dir == NAT_INBOUND)
- nflags |= NAT_NOTRULEPORT;
- nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir);
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_TCP);
- nat_update(&fi, nat2, nat->nat_ptr);
- fi.fin_ifp = NULL;
- if (nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
- ip->ip_dst = nat->nat_inip;
- }
- (void) fr_addstate(&fi, &nat2->nat_state, sflags);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
-
- ip->ip_len = slen;
- ip->ip_src = swip;
- ip->ip_dst = swip2;
- } else {
- ipstate_t *is;
-
- nat_update(&fi, nat2, nat->nat_ptr);
- READ_ENTER(&ipf_state);
- is = nat2->nat_state;
- if (is != NULL) {
- MUTEX_ENTER(&is->is_lock);
- (void)fr_tcp_age(&is->is_sti, &fi, ips_tqtqb,
- is->is_flags);
- MUTEX_EXIT(&is->is_lock);
- }
- RWLOCK_EXIT(&ipf_state);
- }
- return inc;
-}
-
-
-int ippr_ftp_server(fin, ip, nat, ftp, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpinfo_t *ftp;
-int dlen;
-{
- char *rptr, *wptr;
- ftpside_t *f;
- int inc;
-
- inc = 0;
- f = &ftp->ftp_side[1];
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- if (*rptr == ' ')
- goto server_cmd_ok;
- if (!ISDIGIT(*rptr) || !ISDIGIT(*(rptr + 1)) || !ISDIGIT(*(rptr + 2)))
- return 0;
- if (ftp->ftp_passok == FTPXY_GO) {
- if (!strncmp(rptr, "227 ", 4))
- inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
- else if (!strncmp(rptr, "229 ", 4))
- inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
- } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
- inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
- } else if (ippr_ftp_insecure && !strncmp(rptr, "229 ", 4)) {
- inc = ippr_ftp_epsv(fin, ip, nat, f, dlen);
- } else if (*rptr == '5' || *rptr == '4')
- ftp->ftp_passok = FTPXY_INIT;
- else if (ftp->ftp_incok) {
- if (*rptr == '3') {
- if (ftp->ftp_passok == FTPXY_ACCT_1)
- ftp->ftp_passok = FTPXY_GO;
- else
- ftp->ftp_passok++;
- } else if (*rptr == '2') {
- switch (ftp->ftp_passok)
- {
- case FTPXY_USER_1 :
- case FTPXY_USER_2 :
- case FTPXY_PASS_1 :
- case FTPXY_PASS_2 :
- case FTPXY_ACCT_1 :
- ftp->ftp_passok = FTPXY_GO;
- break;
- default :
- ftp->ftp_passok += 3;
- break;
- }
- }
- }
-server_cmd_ok:
- ftp->ftp_incok = 0;
-
- while ((*rptr++ != '\n') && (rptr < wptr))
- ;
- f->ftps_rptr = rptr;
- return inc;
-}
-
-
-/*
- * Look to see if the buffer starts with something which we recognise as
- * being the correct syntax for the FTP protocol.
- */
-int ippr_ftp_client_valid(ftps, buf, len)
-ftpside_t *ftps;
-char *buf;
-size_t len;
-{
- register char *s, c, pc;
- register size_t i = len;
- char cmd[5];
-
- s = buf;
-
- if (ftps->ftps_junk == 1)
- return 1;
-
- if (i < 5) {
- if (ippr_ftp_debug > 3)
- printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i);
- return 2;
- }
-
- i--;
- c = *s++;
-
- if (ISALPHA(c)) {
- cmd[0] = TOUPPER(c);
- c = *s++;
- i--;
- if (ISALPHA(c)) {
- cmd[1] = TOUPPER(c);
- c = *s++;
- i--;
- if (ISALPHA(c)) {
- cmd[2] = TOUPPER(c);
- c = *s++;
- i--;
- if (ISALPHA(c)) {
- cmd[3] = TOUPPER(c);
- c = *s++;
- i--;
- if ((c != ' ') && (c != '\r'))
- goto bad_client_command;
- } else if ((c != ' ') && (c != '\r'))
- goto bad_client_command;
- } else
- goto bad_client_command;
- } else
- goto bad_client_command;
- } else {
-bad_client_command:
- if (ippr_ftp_debug > 3)
- printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
- "ippr_ftp_client_valid",
- ftps->ftps_junk, (int)len, (int)i, c,
- (int)len, (int)len, buf);
- return 1;
- }
-
- for (; i; i--) {
- pc = c;
- c = *s++;
- if ((pc == '\r') && (c == '\n')) {
- cmd[4] = '\0';
- if (!strcmp(cmd, "PASV"))
- ftps->ftps_cmds = FTPXY_C_PASV;
- else
- ftps->ftps_cmds = 0;
- return 0;
- }
- }
-#if !defined(_KERNEL)
- printf("ippr_ftp_client_valid:junk after cmd[%*.*s]\n",
- (int)len, (int)len, buf);
-#endif
- return 2;
-}
-
-
-int ippr_ftp_server_valid(ftps, buf, len)
-ftpside_t *ftps;
-char *buf;
-size_t len;
-{
- register char *s, c, pc;
- register size_t i = len;
- int cmd;
-
- s = buf;
- cmd = 0;
-
- if (ftps->ftps_junk == 1)
- return 1;
-
- if (i < 5) {
- if (ippr_ftp_debug > 3)
- printf("ippr_ftp_servert_valid:i(%d) < 5\n", (int)i);
- return 2;
- }
-
- c = *s++;
- i--;
- if (c == ' ')
- goto search_eol;
-
- if (ISDIGIT(c)) {
- cmd = (c - '0') * 100;
- c = *s++;
- i--;
- if (ISDIGIT(c)) {
- cmd += (c - '0') * 10;
- c = *s++;
- i--;
- if (ISDIGIT(c)) {
- cmd += (c - '0');
- c = *s++;
- i--;
- if ((c != '-') && (c != ' '))
- goto bad_server_command;
- } else
- goto bad_server_command;
- } else
- goto bad_server_command;
- } else {
-bad_server_command:
- if (ippr_ftp_debug > 3)
- printf("%s:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n",
- "ippr_ftp_server_valid",
- ftps->ftps_junk, (int)len, (int)i,
- c, (int)len, (int)len, buf);
- return 1;
- }
-search_eol:
- for (; i; i--) {
- pc = c;
- c = *s++;
- if ((pc == '\r') && (c == '\n')) {
- ftps->ftps_cmds = cmd;
- return 0;
- }
- }
- if (ippr_ftp_debug > 3)
- printf("ippr_ftp_server_valid:junk after cmd[%*.*s]\n",
- (int)len, (int)len, buf);
- return 2;
-}
-
-
-int ippr_ftp_valid(ftp, side, buf, len)
-ftpinfo_t *ftp;
-int side;
-char *buf;
-size_t len;
-{
- ftpside_t *ftps;
- int ret;
-
- ftps = &ftp->ftp_side[side];
-
- if (side == 0)
- ret = ippr_ftp_client_valid(ftps, buf, len);
- else
- ret = ippr_ftp_server_valid(ftps, buf, len);
- return ret;
-}
-
-
-/*
- * For map rules, the following applies:
- * rv == 0 for outbound processing,
- * rv == 1 for inbound processing.
- * For rdr rules, the following applies:
- * rv == 0 for inbound processing,
- * rv == 1 for outbound processing.
- */
-int ippr_ftp_process(fin, nat, ftp, rv)
-fr_info_t *fin;
-nat_t *nat;
-ftpinfo_t *ftp;
-int rv;
-{
- int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
- char *rptr, *wptr, *s;
- u_32_t thseq, thack;
- ap_session_t *aps;
- ftpside_t *f, *t;
- tcphdr_t *tcp;
- ip_t *ip;
- mb_t *m;
-
- m = fin->fin_m;
- ip = fin->fin_ip;
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
- f = &ftp->ftp_side[rv];
- t = &ftp->ftp_side[1 - rv];
- thseq = ntohl(tcp->th_seq);
- thack = ntohl(tcp->th_ack);
-
-#ifdef __sgi
- mlen = fin->fin_plen - off;
-#else
- mlen = MSGDSIZE(m) - off;
-#endif
- if (ippr_ftp_debug > 4)
- printf("ippr_ftp_process: mlen %d\n", mlen);
-
- if (mlen <= 0) {
- if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
- f->ftps_seq[0] = thseq + 1;
- t->ftps_seq[0] = thack;
- }
- return 0;
- }
- aps = nat->nat_aps;
-
- sel = aps->aps_sel[1 - rv];
- sel2 = aps->aps_sel[rv];
- if (rv == 0) {
- seqoff = aps->aps_seqoff[sel];
- if (aps->aps_seqmin[sel] > seqoff + thseq)
- seqoff = aps->aps_seqoff[!sel];
- ackoff = aps->aps_ackoff[sel2];
- if (aps->aps_ackmin[sel2] > ackoff + thack)
- ackoff = aps->aps_ackoff[!sel2];
- } else {
- seqoff = aps->aps_ackoff[sel];
- if (ippr_ftp_debug > 2)
- printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
- aps->aps_ackmin[sel]);
- if (aps->aps_ackmin[sel] > seqoff + thseq)
- seqoff = aps->aps_ackoff[!sel];
-
- ackoff = aps->aps_seqoff[sel2];
- if (ippr_ftp_debug > 2)
- printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
- aps->aps_seqmin[sel2]);
- if (ackoff > 0) {
- if (aps->aps_seqmin[sel2] > ackoff + thack)
- ackoff = aps->aps_seqoff[!sel2];
- } else {
- if (aps->aps_seqmin[sel2] > thack)
- ackoff = aps->aps_seqoff[!sel2];
- }
- }
- if (ippr_ftp_debug > 2) {
- printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n",
- rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff,
- thack, ackoff, mlen, fin->fin_plen, off);
- printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
- aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
- aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
- printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
- aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
- aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
- }
-
- /*
- * XXX - Ideally, this packet should get dropped because we now know
- * that it is out of order (and there is no real danger in doing so
- * apart from causing packets to go through here ordered).
- */
- if (ippr_ftp_debug > 2) {
- printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
- rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
- }
-
- ok = 0;
- if (t->ftps_seq[0] == 0) {
- t->ftps_seq[0] = thack;
- ok = 1;
- } else {
- if (ackoff == 0) {
- if (t->ftps_seq[0] == thack)
- ok = 1;
- else if (t->ftps_seq[1] == thack) {
- t->ftps_seq[0] = thack;
- ok = 1;
- }
- } else {
- if (t->ftps_seq[0] + ackoff == thack)
- ok = 1;
- else if (t->ftps_seq[0] == thack + ackoff)
- ok = 1;
- else if (t->ftps_seq[1] + ackoff == thack) {
- t->ftps_seq[0] = thack - ackoff;
- ok = 1;
- } else if (t->ftps_seq[1] == thack + ackoff) {
- t->ftps_seq[0] = thack - ackoff;
- ok = 1;
- }
- }
- }
-
- if (ippr_ftp_debug > 2) {
- if (!ok)
- printf("%s ok\n", "not");
- }
-
- if (!mlen) {
- if (t->ftps_seq[0] + ackoff != thack) {
- if (ippr_ftp_debug > 1) {
- printf("%s:seq[0](%x) + (%x) != (%x)\n",
- "ippr_ftp_process", t->ftps_seq[0],
- ackoff, thack);
- }
- return APR_ERR(1);
- }
-
- if (ippr_ftp_debug > 2) {
- printf("ippr_ftp_process:f:seq[0] %x seq[1] %x\n",
- f->ftps_seq[0], f->ftps_seq[1]);
- }
-
- if (tcp->th_flags & TH_FIN) {
- if (thseq == f->ftps_seq[1]) {
- f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
- f->ftps_seq[1] = thseq + 1 - seqoff;
- } else {
- if (ippr_ftp_debug > 1) {
- printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
- thseq, seqoff, f->ftps_seq[0]);
- }
- return APR_ERR(1);
- }
- }
- f->ftps_len = 0;
- return 0;
- }
-
- ok = 0;
- if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) {
- ok = 1;
- /*
- * Retransmitted data packet.
- */
- } else if ((thseq + mlen == f->ftps_seq[0]) ||
- (thseq + mlen == f->ftps_seq[1])) {
- ok = 1;
- }
-
- if (ok == 0) {
- inc = thseq - f->ftps_seq[0];
- if (ippr_ftp_debug > 1) {
- printf("inc %d sel %d rv %d\n", inc, sel, rv);
- printf("th_seq %x ftps_seq %x/%x\n",
- thseq, f->ftps_seq[0], f->ftps_seq[1]);
- printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
- aps->aps_ackoff[sel]);
- printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
- aps->aps_seqoff[sel]);
- }
-
- return APR_ERR(1);
- }
-
- inc = 0;
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
- f->ftps_seq[0] = thseq;
- f->ftps_seq[1] = f->ftps_seq[0] + mlen;
- f->ftps_len = mlen;
-
- while (mlen > 0) {
- len = MIN(mlen, sizeof(f->ftps_buf) - (wptr - rptr));
- COPYDATA(m, off, len, wptr);
- mlen -= len;
- off += len;
- wptr += len;
-
- if (ippr_ftp_debug > 3)
- printf("%s:len %d/%d off %d wptr %lx junk %d [%*.*s]\n",
- "ippr_ftp_process",
- len, mlen, off, (u_long)wptr, f->ftps_junk,
- len, len, rptr);
-
- f->ftps_wptr = wptr;
- if (f->ftps_junk != 0) {
- i = f->ftps_junk;
- f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
- wptr - rptr);
-
- if (ippr_ftp_debug > 5)
- printf("%s:junk %d -> %d\n",
- "ippr_ftp_process", i, f->ftps_junk);
-
- if (f->ftps_junk != 0) {
- if (wptr - rptr == sizeof(f->ftps_buf)) {
- if (ippr_ftp_debug > 4)
- printf("%s:full buffer\n",
- "ippr_ftp_process");
- f->ftps_rptr = f->ftps_buf;
- f->ftps_wptr = f->ftps_buf;
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
- /*
- * Because we throw away data here that
- * we would otherwise parse, set the
- * junk flag to indicate just ignore
- * any data upto the next CRLF.
- */
- f->ftps_junk = 1;
- continue;
- }
- }
- }
-
- while ((f->ftps_junk == 0) && (wptr > rptr)) {
- len = wptr - rptr;
- f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, len);
-
- if (ippr_ftp_debug > 3) {
- printf("%s=%d len %d rv %d ptr %lx/%lx ",
- "ippr_ftp_valid",
- f->ftps_junk, len, rv, (u_long)rptr,
- (u_long)wptr);
- printf("buf [%*.*s]\n", len, len, rptr);
- }
-
- if (f->ftps_junk == 0) {
- f->ftps_rptr = rptr;
- if (rv)
- inc += ippr_ftp_server(fin, ip, nat,
- ftp, len);
- else
- inc += ippr_ftp_client(fin, ip, nat,
- ftp, len);
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
- }
- }
-
- /*
- * Off to a bad start so lets just forget about using the
- * ftp proxy for this connection.
- */
- if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
- /* f->ftps_seq[1] += inc; */
-
- if (ippr_ftp_debug > 1)
- printf("%s:cmds == 0 junk == 1\n",
- "ippr_ftp_process");
- return APR_ERR(2);
- }
-
- if ((f->ftps_junk != 0) && (rptr < wptr)) {
- for (s = rptr; s < wptr; s++) {
- if ((*s == '\r') && (s + 1 < wptr) &&
- (*(s + 1) == '\n')) {
- rptr = s + 2;
- f->ftps_junk = 0;
- break;
- }
- }
- }
-
- if (rptr == wptr) {
- rptr = wptr = f->ftps_buf;
- } else {
- /*
- * Compact the buffer back to the start. The junk
- * flag should already be set and because we're not
- * throwing away any data, it is preserved from its
- * current state.
- */
- if (rptr > f->ftps_buf) {
- bcopy(rptr, f->ftps_buf, len);
- wptr -= rptr - f->ftps_buf;
- rptr = f->ftps_buf;
- }
- }
- f->ftps_rptr = rptr;
- f->ftps_wptr = wptr;
- }
-
- /* f->ftps_seq[1] += inc; */
- if (tcp->th_flags & TH_FIN)
- f->ftps_seq[1]++;
- if (ippr_ftp_debug > 3) {
-#ifdef __sgi
- mlen = fin->fin_plen;
-#else
- mlen = MSGDSIZE(m);
-#endif
- mlen -= off;
- printf("ftps_seq[1] = %x inc %d len %d\n",
- f->ftps_seq[1], inc, mlen);
- }
-
- f->ftps_rptr = rptr;
- f->ftps_wptr = wptr;
- return APR_INC(inc);
-}
-
-
-int ippr_ftp_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
- int rev;
-
- ftp = aps->aps_data;
- if (ftp == NULL)
- return 0;
-
- rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
- if (ftp->ftp_side[1 - rev].ftps_ifp == NULL)
- ftp->ftp_side[1 - rev].ftps_ifp = fin->fin_ifp;
-
- return ippr_ftp_process(fin, nat, ftp, rev);
-}
-
-
-int ippr_ftp_in(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
- int rev;
-
- ftp = aps->aps_data;
- if (ftp == NULL)
- return 0;
-
- rev = (nat->nat_dir == NAT_OUTBOUND) ? 0 : 1;
- if (ftp->ftp_side[rev].ftps_ifp == NULL)
- ftp->ftp_side[rev].ftps_ifp = fin->fin_ifp;
-
- return ippr_ftp_process(fin, nat, ftp, 1 - rev);
-}
-
-
-/*
- * ippr_ftp_atoi - implement a version of atoi which processes numbers in
- * pairs separated by commas (which are expected to be in the range 0 - 255),
- * returning a 16 bit number combining either side of the , as the MSB and
- * LSB.
- */
-u_short ippr_ftp_atoi(ptr)
-char **ptr;
-{
- register char *s = *ptr, c;
- register u_char i = 0, j = 0;
-
- while (((c = *s++) != '\0') && ISDIGIT(c)) {
- i *= 10;
- i += c - '0';
- }
- if (c != ',') {
- *ptr = NULL;
- return 0;
- }
- while (((c = *s++) != '\0') && ISDIGIT(c)) {
- j *= 10;
- j += c - '0';
- }
- *ptr = s;
- i &= 0xff;
- j &= 0xff;
- return (i << 8) | j;
-}
-
-
-int ippr_ftp_epsv(fin, ip, nat, f, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpside_t *f;
-int dlen;
-{
- char newbuf[IPF_FTPBUFSZ];
- char *s;
- u_short ap = 0;
-
-#define EPSV_REPLEN 33
- /*
- * Check for EPSV reply message.
- */
- if (dlen < IPF_MIN229LEN)
- return (0);
- else if (strncmp(f->ftps_rptr,
- "229 Entering Extended Passive Mode", EPSV_REPLEN))
- return (0);
-
- /*
- * Skip the EPSV command + space
- */
- s = f->ftps_rptr + 33;
- while (*s && !ISDIGIT(*s))
- s++;
-
- /*
- * As per RFC 2428, there are no addres components in the EPSV
- * response. So we'll go straight to getting the port.
- */
- while (*s && ISDIGIT(*s)) {
- ap *= 10;
- ap += *s++ - '0';
- }
-
- if (!s)
- return 0;
-
- if (*s == '|')
- s++;
- if (*s == ')')
- s++;
- if (*s == '\n')
- s--;
- /*
- * check for CR-LF at the end.
- */
- if ((*s == '\r') && (*(s + 1) == '\n')) {
- s += 2;
- } else
- return 0;
-
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(newbuf, sizeof(newbuf), "%s (|||%u|)\r\n",
- "229 Entering Extended Passive Mode", ap);
-#else
- (void) sprintf(newbuf, "%s (|||%u|)\r\n",
- "229 Entering Extended Passive Mode", ap);
-#endif
-
- return ippr_ftp_pasvreply(fin, ip, nat, f, (u_int)ap, newbuf, s,
- ip->ip_src.s_addr);
-}
diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c
deleted file mode 100644
index b6e7c7b..0000000
--- a/contrib/ipfilter/ip_h323_pxy.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
- *
- * This source code has been published by QNX Software Systems Ltd. (QSSL).
- * However, any use, reproduction, modification, distribution or transfer of
- * this software, or any software which includes or is based upon any of this
- * code, is only permitted under the terms of the QNX Open Community License
- * version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
- * authorized by a written license agreement from QSSL. For more information,
- * please email licensing@qnx.com.
- *
- * For more details, see QNX_OCL.txt provided with this distribution.
- */
-
-/*
- * Simple H.323 proxy
- *
- * by xtang@canada.com
- * ported to ipfilter 3.4.20 by Michael Grant mg-ipf@grant.org
- */
-
-#if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# ifndef linux
-# include <sys/ioctl.h>
-# endif
-#endif
-
-#define IPF_H323_PROXY
-
-int ippr_h323_init __P((void));
-void ippr_h323_fini __P((void));
-int ippr_h323_new __P((fr_info_t *, ap_session_t *, nat_t *));
-void ippr_h323_del __P((ap_session_t *));
-int ippr_h323_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_h323_in __P((fr_info_t *, ap_session_t *, nat_t *));
-
-int ippr_h245_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_h245_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_h245_in __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static frentry_t h323_fr;
-
-int h323_proxy_init = 0;
-
-static int find_port __P((int, caddr_t, int datlen, int *, u_short *));
-
-
-static int find_port(ipaddr, data, datlen, off, port)
-int ipaddr;
-caddr_t data;
-int datlen, *off;
-unsigned short *port;
-{
- u_32_t addr, netaddr;
- u_char *dp;
- int offset;
-
- if (datlen < 6)
- return -1;
-
- *port = 0;
- offset = *off;
- dp = (u_char *)data;
- netaddr = ntohl(ipaddr);
-
- for (offset = 0; offset <= datlen - 6; offset++, dp++) {
- addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
- if (netaddr == addr)
- {
- *port = (*(dp + 4) << 8) | *(dp + 5);
- break;
- }
- }
- *off = offset;
- return (offset > datlen - 6) ? -1 : 0;
-}
-
-/*
- * Initialize local structures.
- */
-int ippr_h323_init()
-{
- bzero((char *)&h323_fr, sizeof(h323_fr));
- h323_fr.fr_ref = 1;
- h323_fr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&h323_fr.fr_lock, "H323 proxy rule lock");
- h323_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_h323_fini()
-{
- if (h323_proxy_init == 1) {
- MUTEX_DESTROY(&h323_fr.fr_lock);
- h323_proxy_init = 0;
- }
-}
-
-
-int ippr_h323_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- aps->aps_data = NULL;
- aps->aps_psiz = 0;
-
- return 0;
-}
-
-
-void ippr_h323_del(aps)
-ap_session_t *aps;
-{
- int i;
- ipnat_t *ipn;
-
- if (aps->aps_data) {
- for (i = 0, ipn = aps->aps_data;
- i < (aps->aps_psiz / sizeof(ipnat_t));
- i++, ipn = (ipnat_t *)((char *)ipn + sizeof(*ipn)))
- {
- /*
- * Check the comment in ippr_h323_in() function,
- * just above fr_nat_ioctl() call.
- * We are lucky here because this function is not
- * called with ipf_nat locked.
- */
- if (fr_nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE|
- NAT_LOCKHELD|FWRITE) == -1) {
- /*EMPTY*/;
- /* log the error */
- }
- }
- KFREES(aps->aps_data, aps->aps_psiz);
- /* avoid double free */
- aps->aps_data = NULL;
- aps->aps_psiz = 0;
- }
- return;
-}
-
-
-int ippr_h323_in(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- int ipaddr, off, datlen;
- unsigned short port;
- caddr_t data;
- tcphdr_t *tcp;
- ip_t *ip;
-
- ip = fin->fin_ip;
- tcp = (tcphdr_t *)fin->fin_dp;
- ipaddr = ip->ip_src.s_addr;
-
- data = (caddr_t)tcp + (TCP_OFF(tcp) << 2);
- datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
- if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
- ipnat_t *ipn;
- char *newarray;
-
- /* setup a nat rule to set a h245 proxy on tcp-port "port"
- * it's like:
- * map <if> <inter_ip>/<mask> -> <gate_ip>/<mask> proxy port <port> <port>/tcp
- */
- KMALLOCS(newarray, char *, aps->aps_psiz + sizeof(*ipn));
- if (newarray == NULL) {
- return -1;
- }
- ipn = (ipnat_t *)&newarray[aps->aps_psiz];
- bcopy((caddr_t)nat->nat_ptr, (caddr_t)ipn, sizeof(ipnat_t));
- (void) strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
-
- ipn->in_inip = nat->nat_inip.s_addr;
- ipn->in_inmsk = 0xffffffff;
- ipn->in_dport = htons(port);
- /*
- * we got a problem here. we need to call fr_nat_ioctl() to add
- * the h245 proxy rule, but since we already hold (READ locked)
- * the nat table rwlock (ipf_nat), if we go into fr_nat_ioctl(),
- * it will try to WRITE lock it. This will causing dead lock
- * on RTP.
- *
- * The quick & dirty solution here is release the read lock,
- * call fr_nat_ioctl() and re-lock it.
- * A (maybe better) solution is do a UPGRADE(), and instead
- * of calling fr_nat_ioctl(), we add the nat rule ourself.
- */
- RWLOCK_EXIT(&ipf_nat);
- if (fr_nat_ioctl((caddr_t)ipn, SIOCADNAT,
- NAT_SYSSPACE|FWRITE) == -1) {
- READ_ENTER(&ipf_nat);
- return -1;
- }
- READ_ENTER(&ipf_nat);
- if (aps->aps_data != NULL && aps->aps_psiz > 0) {
- bcopy(aps->aps_data, newarray, aps->aps_psiz);
- KFREES(aps->aps_data, aps->aps_psiz);
- }
- aps->aps_data = newarray;
- aps->aps_psiz += sizeof(*ipn);
- }
- return 0;
-}
-
-
-int ippr_h245_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- aps->aps_data = NULL;
- aps->aps_psiz = 0;
- return 0;
-}
-
-
-int ippr_h245_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- int ipaddr, off, datlen;
- tcphdr_t *tcp;
- caddr_t data;
- u_short port;
- ip_t *ip;
-
- aps = aps; /* LINT */
-
- ip = fin->fin_ip;
- tcp = (tcphdr_t *)fin->fin_dp;
- ipaddr = nat->nat_inip.s_addr;
- data = (caddr_t)tcp + (TCP_OFF(tcp) << 2);
- datlen = ip->ip_len - fin->fin_hlen - (TCP_OFF(tcp) << 2);
- if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
- fr_info_t fi;
- nat_t *nat2;
-
-/* port = htons(port); */
- nat2 = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
- ip->ip_src, ip->ip_dst);
- if (nat2 == NULL) {
- struct ip newip;
- struct udphdr udp;
-
- bcopy((caddr_t)ip, (caddr_t)&newip, sizeof(newip));
- newip.ip_len = fin->fin_hlen + sizeof(udp);
- newip.ip_p = IPPROTO_UDP;
- newip.ip_src = nat->nat_inip;
-
- bzero((char *)&udp, sizeof(udp));
- udp.uh_sport = port;
-
- bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
- fi.fin_fi.fi_p = IPPROTO_UDP;
- fi.fin_data[0] = port;
- fi.fin_data[1] = 0;
- fi.fin_dp = (char *)&udp;
-
- nat2 = nat_new(&fi, nat->nat_ptr, NULL,
- NAT_SLAVE|IPN_UDP|SI_W_DPORT,
- NAT_OUTBOUND);
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_UDP);
- nat_update(&fi, nat2, nat2->nat_ptr);
-
- nat2->nat_ptr->in_hits++;
-#ifdef IPFILTER_LOG
- nat_log(nat2, (u_int)(nat->nat_ptr->in_redir));
-#endif
- bcopy((caddr_t)&ip->ip_src.s_addr,
- data + off, 4);
- bcopy((caddr_t)&nat2->nat_outport,
- data + off + 4, 2);
- }
- }
- }
- return 0;
-}
diff --git a/contrib/ipfilter/ip_htable.c b/contrib/ipfilter/ip_htable.c
deleted file mode 100644
index 50aa926..0000000
--- a/contrib/ipfilter/ip_htable.c
+++ /dev/null
@@ -1,455 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/errno.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL)
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#include <sys/socket.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#if defined(__FreeBSD__)
-# include <sys/cdefs.h>
-# include <sys/proc.h>
-#endif
-#if !defined(__svr4__) && !defined(__SVR4) && !defined(__hpux) && \
- !defined(linux)
-# include <sys/mbuf.h>
-#endif
-#if defined(_KERNEL)
-# include <sys/systm.h>
-#else
-# include <stdio.h>
-#endif
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
-#endif
-
-#ifdef IPFILTER_LOOKUP
-static iphtent_t *fr_iphmfind __P((iphtable_t *, struct in_addr *));
-static u_long ipht_nomem[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-static u_long ipf_nhtables[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-static u_long ipf_nhtnodes[IPL_LOGSIZE] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
-iphtable_t *ipf_htables[IPL_LOGSIZE] = { NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL };
-
-
-void fr_htable_unload()
-{
- iplookupflush_t fop;
-
- fop.iplf_unit = IPL_LOGALL;
- (void)fr_flushhtable(&fop);
-}
-
-
-int fr_gethtablestat(op)
-iplookupop_t *op;
-{
- iphtstat_t stats;
-
- if (op->iplo_size != sizeof(stats))
- return EINVAL;
-
- stats.iphs_tables = ipf_htables[op->iplo_unit];
- stats.iphs_numtables = ipf_nhtables[op->iplo_unit];
- stats.iphs_numnodes = ipf_nhtnodes[op->iplo_unit];
- stats.iphs_nomem = ipht_nomem[op->iplo_unit];
-
- return COPYOUT(&stats, op->iplo_struct, sizeof(stats));
-
-}
-
-
-/*
- * Create a new hash table using the template passed.
- */
-int fr_newhtable(op)
-iplookupop_t *op;
-{
- iphtable_t *iph, *oiph;
- char name[FR_GROUPLEN];
- int err, i, unit;
-
- KMALLOC(iph, iphtable_t *);
- if (iph == NULL)
- return ENOMEM;
-
- err = COPYIN(op->iplo_struct, iph, sizeof(*iph));
- if (err != 0) {
- KFREE(iph);
- return EFAULT;
- }
-
- unit = op->iplo_unit;
- if (iph->iph_unit != unit) {
- KFREE(iph);
- return EINVAL;
- }
-
- if ((op->iplo_arg & IPHASH_ANON) == 0) {
- if (fr_findhtable(op->iplo_unit, op->iplo_name) != NULL) {
- KFREE(iph);
- return EEXIST;
- }
- } else {
- i = IPHASH_ANON;
- do {
- i++;
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(name, sizeof(name), "%u", i);
-#else
- (void)sprintf(name, "%u", i);
-#endif
- for (oiph = ipf_htables[unit]; oiph != NULL;
- oiph = oiph->iph_next)
- if (strncmp(oiph->iph_name, name,
- sizeof(oiph->iph_name)) == 0)
- break;
- } while (oiph != NULL);
- (void)strncpy(iph->iph_name, name, sizeof(iph->iph_name));
- err = COPYOUT(iph, op->iplo_struct, sizeof(*iph));
- if (err != 0) {
- KFREE(iph);
- return EFAULT;
- }
- iph->iph_type |= IPHASH_ANON;
- }
-
- KMALLOCS(iph->iph_table, iphtent_t **,
- iph->iph_size * sizeof(*iph->iph_table));
- if (iph->iph_table == NULL) {
- KFREE(iph);
- ipht_nomem[unit]++;
- return ENOMEM;
- }
-
- bzero((char *)iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
- iph->iph_masks = 0;
-
- iph->iph_next = ipf_htables[unit];
- iph->iph_pnext = &ipf_htables[unit];
- if (ipf_htables[unit] != NULL)
- ipf_htables[unit]->iph_pnext = &iph->iph_next;
- ipf_htables[unit] = iph;
-
- ipf_nhtables[unit]++;
-
- return 0;
-}
-
-
-/*
- */
-int fr_removehtable(op)
-iplookupop_t *op;
-{
- iphtable_t *iph;
-
-
- iph = fr_findhtable(op->iplo_unit, op->iplo_name);
- if (iph == NULL)
- return ESRCH;
-
- if (iph->iph_unit != op->iplo_unit) {
- return EINVAL;
- }
-
- if (iph->iph_ref != 0) {
- return EBUSY;
- }
-
- fr_delhtable(iph);
-
- return 0;
-}
-
-
-void fr_delhtable(iph)
-iphtable_t *iph;
-{
- iphtent_t *ipe;
- int i;
-
- for (i = 0; i < iph->iph_size; i++)
- while ((ipe = iph->iph_table[i]) != NULL)
- if (fr_delhtent(iph, ipe) != 0)
- return;
-
- *iph->iph_pnext = iph->iph_next;
- if (iph->iph_next != NULL)
- iph->iph_next->iph_pnext = iph->iph_pnext;
-
- ipf_nhtables[iph->iph_unit]--;
-
- if (iph->iph_ref == 0) {
- KFREES(iph->iph_table, iph->iph_size * sizeof(*iph->iph_table));
- KFREE(iph);
- }
-}
-
-
-void fr_derefhtable(iph)
-iphtable_t *iph;
-{
- iph->iph_ref--;
- if (iph->iph_ref == 0)
- fr_delhtable(iph);
-}
-
-
-iphtable_t *fr_findhtable(unit, name)
-int unit;
-char *name;
-{
- iphtable_t *iph;
-
- for (iph = ipf_htables[unit]; iph != NULL; iph = iph->iph_next)
- if (strncmp(iph->iph_name, name, sizeof(iph->iph_name)) == 0)
- break;
- return iph;
-}
-
-
-size_t fr_flushhtable(op)
-iplookupflush_t *op;
-{
- iphtable_t *iph;
- size_t freed;
- int i;
-
- freed = 0;
-
- for (i = 0; i <= IPL_LOGMAX; i++) {
- if (op->iplf_unit == i || op->iplf_unit == IPL_LOGALL) {
- while ((iph = ipf_htables[i]) != NULL) {
- fr_delhtable(iph);
- freed++;
- }
- }
- }
-
- return freed;
-}
-
-
-/*
- * Add an entry to a hash table.
- */
-int fr_addhtent(iph, ipeo)
-iphtable_t *iph;
-iphtent_t *ipeo;
-{
- iphtent_t *ipe;
- u_int hv;
- int bits;
-
- KMALLOC(ipe, iphtent_t *);
- if (ipe == NULL)
- return -1;
-
- bcopy((char *)ipeo, (char *)ipe, sizeof(*ipe));
- ipe->ipe_addr.in4_addr &= ipe->ipe_mask.in4_addr;
- ipe->ipe_addr.in4_addr = ntohl(ipe->ipe_addr.in4_addr);
- bits = count4bits(ipe->ipe_mask.in4_addr);
- ipe->ipe_mask.in4_addr = ntohl(ipe->ipe_mask.in4_addr);
-
- hv = IPE_HASH_FN(ipe->ipe_addr.in4_addr, ipe->ipe_mask.in4_addr,
- iph->iph_size);
- ipe->ipe_ref = 0;
- ipe->ipe_next = iph->iph_table[hv];
- ipe->ipe_pnext = iph->iph_table + hv;
-
- if (iph->iph_table[hv] != NULL)
- iph->iph_table[hv]->ipe_pnext = &ipe->ipe_next;
- iph->iph_table[hv] = ipe;
- if ((bits >= 0) && (bits != 32))
- iph->iph_masks |= 1 << bits;
-
- switch (iph->iph_type & ~IPHASH_ANON)
- {
- case IPHASH_GROUPMAP :
- ipe->ipe_ptr = fr_addgroup(ipe->ipe_group, NULL,
- iph->iph_flags, IPL_LOGIPF,
- fr_active);
- break;
-
- default :
- ipe->ipe_ptr = NULL;
- ipe->ipe_value = 0;
- break;
- }
-
- ipf_nhtnodes[iph->iph_unit]++;
-
- return 0;
-}
-
-
-/*
- * Delete an entry from a hash table.
- */
-int fr_delhtent(iph, ipe)
-iphtable_t *iph;
-iphtent_t *ipe;
-{
-
- if (ipe->ipe_ref != 0)
- return EBUSY;
-
-
- *ipe->ipe_pnext = ipe->ipe_next;
- if (ipe->ipe_next != NULL)
- ipe->ipe_next->ipe_pnext = ipe->ipe_pnext;
-
- switch (iph->iph_type & ~IPHASH_ANON)
- {
- case IPHASH_GROUPMAP :
- if (ipe->ipe_group != NULL)
- fr_delgroup(ipe->ipe_group, IPL_LOGIPF, fr_active);
- break;
-
- default :
- ipe->ipe_ptr = NULL;
- ipe->ipe_value = 0;
- break;
- }
-
- KFREE(ipe);
-
- ipf_nhtnodes[iph->iph_unit]--;
-
- return 0;
-}
-
-
-void *fr_iphmfindgroup(tptr, aptr)
-void *tptr, *aptr;
-{
- struct in_addr *addr;
- iphtable_t *iph;
- iphtent_t *ipe;
- void *rval;
-
- READ_ENTER(&ip_poolrw);
- iph = tptr;
- addr = aptr;
-
- ipe = fr_iphmfind(iph, addr);
- if (ipe != NULL)
- rval = ipe->ipe_ptr;
- else
- rval = NULL;
- RWLOCK_EXIT(&ip_poolrw);
- return rval;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_iphmfindip */
-/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
-/* Parameters: tptr(I) - pointer to the pool to search */
-/* version(I) - IP protocol version (4 or 6) */
-/* aptr(I) - pointer to address information */
-/* */
-/* Search the hash table for a given address and return a search result. */
-/* ------------------------------------------------------------------------ */
-int fr_iphmfindip(tptr, version, aptr)
-void *tptr, *aptr;
-int version;
-{
- struct in_addr *addr;
- iphtable_t *iph;
- iphtent_t *ipe;
- int rval;
-
- if (version != 4)
- return -1;
-
- if (tptr == NULL || aptr == NULL)
- return -1;
-
- iph = tptr;
- addr = aptr;
-
- READ_ENTER(&ip_poolrw);
- ipe = fr_iphmfind(iph, addr);
- if (ipe != NULL)
- rval = 0;
- else
- rval = 1;
- RWLOCK_EXIT(&ip_poolrw);
- return rval;
-}
-
-
-/* Locks: ip_poolrw */
-static iphtent_t *fr_iphmfind(iph, addr)
-iphtable_t *iph;
-struct in_addr *addr;
-{
- u_32_t hmsk, msk, ips;
- iphtent_t *ipe;
- u_int hv;
-
- hmsk = iph->iph_masks;
- msk = 0xffffffff;
-maskloop:
- ips = ntohl(addr->s_addr) & msk;
- hv = IPE_HASH_FN(ips, msk, iph->iph_size);
- for (ipe = iph->iph_table[hv]; (ipe != NULL); ipe = ipe->ipe_next) {
- if (ipe->ipe_mask.in4_addr != msk ||
- ipe->ipe_addr.in4_addr != ips) {
- continue;
- }
- break;
- }
-
- if ((ipe == NULL) && (hmsk != 0)) {
- while (hmsk != 0) {
- msk <<= 1;
- if (hmsk & 0x80000000)
- break;
- hmsk <<= 1;
- }
- if (hmsk != 0) {
- hmsk <<= 1;
- goto maskloop;
- }
- }
- return ipe;
-}
-
-#endif /* IPFILTER_LOOKUP */
diff --git a/contrib/ipfilter/ip_htable.h b/contrib/ipfilter/ip_htable.h
deleted file mode 100644
index e138459..0000000
--- a/contrib/ipfilter/ip_htable.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/* $NetBSD$ */
-
-#ifndef __IP_HTABLE_H__
-#define __IP_HTABLE_H__
-
-#include "netinet/ip_lookup.h"
-
-typedef struct iphtent_s {
- struct iphtent_s *ipe_next, **ipe_pnext;
- void *ipe_ptr;
- i6addr_t ipe_addr;
- i6addr_t ipe_mask;
- int ipe_ref;
- union {
- char ipeu_char[16];
- u_long ipeu_long;
- u_int ipeu_int;
- }ipe_un;
-} iphtent_t;
-
-#define ipe_value ipe_un.ipeu_int
-#define ipe_group ipe_un.ipeu_char
-
-#define IPE_HASH_FN(a, m, s) (((a) * (m)) % (s))
-
-
-typedef struct iphtable_s {
- ipfrwlock_t iph_rwlock;
- struct iphtable_s *iph_next, **iph_pnext;
- struct iphtent_s **iph_table;
- size_t iph_size; /* size of hash table */
- u_long iph_seed; /* hashing seed */
- u_32_t iph_flags;
- u_int iph_unit; /* IPL_LOG* */
- u_int iph_ref;
- u_int iph_type; /* lookup or group map - IPHASH_* */
- u_int iph_masks; /* IPv4 netmasks in use */
- char iph_name[FR_GROUPLEN]; /* hash table number */
-} iphtable_t;
-
-/* iph_type */
-#define IPHASH_LOOKUP 0
-#define IPHASH_GROUPMAP 1
-#define IPHASH_ANON 0x80000000
-
-
-typedef struct iphtstat_s {
- iphtable_t *iphs_tables;
- u_long iphs_numtables;
- u_long iphs_numnodes;
- u_long iphs_nomem;
- u_long iphs_pad[16];
-} iphtstat_t;
-
-
-extern iphtable_t *ipf_htables[IPL_LOGSIZE];
-
-extern void fr_htable_unload __P((void));
-extern int fr_newhtable __P((iplookupop_t *));
-extern iphtable_t *fr_findhtable __P((int, char *));
-extern int fr_removehtable __P((iplookupop_t *));
-extern size_t fr_flushhtable __P((iplookupflush_t *));
-extern int fr_addhtent __P((iphtable_t *, iphtent_t *));
-extern int fr_delhtent __P((iphtable_t *, iphtent_t *));
-extern void fr_derefhtable __P((iphtable_t *));
-extern void fr_delhtable __P((iphtable_t *));
-extern void *fr_iphmfindgroup __P((void *, void *));
-extern int fr_iphmfindip __P((void *, int, void *));
-extern int fr_gethtablestat __P((iplookupop_t *));
-
-#endif /* __IP_HTABLE_H__ */
diff --git a/contrib/ipfilter/ip_ipsec_pxy.c b/contrib/ipfilter/ip_ipsec_pxy.c
deleted file mode 100644
index 2159ecb..0000000
--- a/contrib/ipfilter/ip_ipsec_pxy.c
+++ /dev/null
@@ -1,343 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2001-2003 by Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
- * code.
- *
- * Id: ip_ipsec_pxy.c,v 2.20.2.6 2005/03/28 10:47:53 darrenr Exp
- *
- */
-#define IPF_IPSEC_PROXY
-
-
-int ippr_ipsec_init __P((void));
-void ippr_ipsec_fini __P((void));
-int ippr_ipsec_new __P((fr_info_t *, ap_session_t *, nat_t *));
-void ippr_ipsec_del __P((ap_session_t *));
-int ippr_ipsec_inout __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static frentry_t ipsecfr;
-static ipftq_t *ipsecnattqe;
-static ipftq_t *ipsecstatetqe;
-static char ipsec_buffer[1500];
-
-int ipsec_proxy_init = 0;
-int ipsec_proxy_ttl = 60;
-
-/*
- * IPSec application proxy initialization.
- */
-int ippr_ipsec_init()
-{
- bzero((char *)&ipsecfr, sizeof(ipsecfr));
- ipsecfr.fr_ref = 1;
- ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&ipsecfr.fr_lock, "IPsec proxy rule lock");
- ipsec_proxy_init = 1;
-
- ipsecnattqe = fr_addtimeoutqueue(&nat_utqe, ipsec_proxy_ttl);
- if (ipsecnattqe == NULL)
- return -1;
- ipsecstatetqe = fr_addtimeoutqueue(&ips_utqe, ipsec_proxy_ttl);
- if (ipsecstatetqe == NULL) {
- if (fr_deletetimeoutqueue(ipsecnattqe) == 0)
- fr_freetimeoutqueue(ipsecnattqe);
- ipsecnattqe = NULL;
- return -1;
- }
-
- ipsecnattqe->ifq_flags |= IFQF_PROXY;
- ipsecstatetqe->ifq_flags |= IFQF_PROXY;
-
- ipsecfr.fr_age[0] = ipsec_proxy_ttl;
- ipsecfr.fr_age[1] = ipsec_proxy_ttl;
- return 0;
-}
-
-
-void ippr_ipsec_fini()
-{
- if (ipsecnattqe != NULL) {
- if (fr_deletetimeoutqueue(ipsecnattqe) == 0)
- fr_freetimeoutqueue(ipsecnattqe);
- }
- ipsecnattqe = NULL;
- if (ipsecstatetqe != NULL) {
- if (fr_deletetimeoutqueue(ipsecstatetqe) == 0)
- fr_freetimeoutqueue(ipsecstatetqe);
- }
- ipsecstatetqe = NULL;
-
- if (ipsec_proxy_init == 1) {
- MUTEX_DESTROY(&ipsecfr.fr_lock);
- ipsec_proxy_init = 0;
- }
-}
-
-
-/*
- * Setup for a new IPSEC proxy.
- */
-int ippr_ipsec_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ipsec_pxy_t *ipsec;
- fr_info_t fi;
- ipnat_t *ipn;
- char *ptr;
- int p, off, dlen, ttl;
- mb_t *m;
- ip_t *ip;
-
- bzero(ipsec_buffer, sizeof(ipsec_buffer));
- off = fin->fin_hlen + sizeof(udphdr_t);
- ip = fin->fin_ip;
- m = fin->fin_m;
-
- dlen = M_LEN(m) - off;
- if (dlen < 16)
- return -1;
- COPYDATA(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
-
- if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
- ip->ip_dst) != NULL)
- return -1;
-
- aps->aps_psiz = sizeof(*ipsec);
- KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
- if (aps->aps_data == NULL)
- return -1;
-
- ipsec = aps->aps_data;
- bzero((char *)ipsec, sizeof(*ipsec));
-
- /*
- * Create NAT rule against which the tunnel/transport mapping is
- * created. This is required because the current NAT rule does not
- * describe ESP but UDP instead.
- */
- ipn = &ipsec->ipsc_rule;
- ttl = IPF_TTLVAL(ipsecnattqe->ifq_ttl);
- ipn->in_tqehead[0] = fr_addtimeoutqueue(&nat_utqe, ttl);
- ipn->in_tqehead[1] = fr_addtimeoutqueue(&nat_utqe, ttl);
- ipn->in_ifps[0] = fin->fin_ifp;
- ipn->in_apr = NULL;
- ipn->in_use = 1;
- ipn->in_hits = 1;
- ipn->in_nip = ntohl(nat->nat_outip.s_addr);
- ipn->in_ippip = 1;
- ipn->in_inip = nat->nat_inip.s_addr;
- ipn->in_inmsk = 0xffffffff;
- ipn->in_outip = fin->fin_saddr;
- ipn->in_outmsk = nat->nat_outip.s_addr;
- ipn->in_srcip = fin->fin_saddr;
- ipn->in_srcmsk = 0xffffffff;
- ipn->in_redir = NAT_MAP;
- bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
- sizeof(ipn->in_ifnames[0]));
- ipn->in_p = IPPROTO_ESP;
-
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_fi.fi_p = IPPROTO_ESP;
- fi.fin_fr = &ipsecfr;
- fi.fin_data[0] = 0;
- fi.fin_data[1] = 0;
- p = ip->ip_p;
- ip->ip_p = IPPROTO_ESP;
- fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
- fi.fin_flx |= FI_IGNORE;
-
- ptr = ipsec_buffer;
- bcopy(ptr, (char *)ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
- ptr += sizeof(ipsec_cookie_t);
- bcopy(ptr, (char *)ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
- /*
- * The responder cookie should only be non-zero if the initiator
- * cookie is non-zero. Therefore, it is safe to assume(!) that the
- * cookies are both set after copying if the responder is non-zero.
- */
- if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
- ipsec->ipsc_rckset = 1;
-
- ipsec->ipsc_nat = nat_new(&fi, ipn, &ipsec->ipsc_nat,
- NAT_SLAVE|SI_WILDP, NAT_OUTBOUND);
- if (ipsec->ipsc_nat != NULL) {
- (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
- nat_update(&fi, ipsec->ipsc_nat, ipn);
-
- fi.fin_data[0] = 0;
- fi.fin_data[1] = 0;
- ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state,
- SI_WILDP);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_p = p & 0xff;
- return 0;
-}
-
-
-/*
- * For outgoing IKE packets. refresh timeouts for NAT & state entries, if
- * we can. If they have disappeared, recreate them.
- */
-int ippr_ipsec_inout(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ipsec_pxy_t *ipsec;
- fr_info_t fi;
- ip_t *ip;
- int p;
-
- if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
- return 0;
-
- if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
- return 0;
-
- ipsec = aps->aps_data;
-
- if (ipsec != NULL) {
- ip = fin->fin_ip;
- p = ip->ip_p;
-
- if ((ipsec->ipsc_nat == NULL) || (ipsec->ipsc_state == NULL)) {
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_fi.fi_p = IPPROTO_ESP;
- fi.fin_fr = &ipsecfr;
- fi.fin_data[0] = 0;
- fi.fin_data[1] = 0;
- ip->ip_p = IPPROTO_ESP;
- fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
- fi.fin_flx |= FI_IGNORE;
- }
-
- /*
- * Update NAT timeout/create NAT if missing.
- */
- if (ipsec->ipsc_nat != NULL)
- fr_queueback(&ipsec->ipsc_nat->nat_tqe);
- else {
- ipsec->ipsc_nat = nat_new(&fi, &ipsec->ipsc_rule,
- &ipsec->ipsc_nat,
- NAT_SLAVE|SI_WILDP,
- nat->nat_dir);
- if (ipsec->ipsc_nat != NULL) {
- (void) nat_proto(&fi, ipsec->ipsc_nat, 0);
- nat_update(&fi, ipsec->ipsc_nat,
- &ipsec->ipsc_rule);
- }
- }
-
- /*
- * Update state timeout/create state if missing.
- */
- READ_ENTER(&ipf_state);
- if (ipsec->ipsc_state != NULL) {
- fr_queueback(&ipsec->ipsc_state->is_sti);
- ipsec->ipsc_state->is_die = nat->nat_age;
- RWLOCK_EXIT(&ipf_state);
- } else {
- RWLOCK_EXIT(&ipf_state);
- fi.fin_data[0] = 0;
- fi.fin_data[1] = 0;
- ipsec->ipsc_state = fr_addstate(&fi,
- &ipsec->ipsc_state,
- SI_WILDP);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_p = p;
- }
- return 0;
-}
-
-
-/*
- * This extends the NAT matching to be based on the cookies associated with
- * a session and found at the front of IKE packets. The cookies are always
- * in the same order (not reversed depending on packet flow direction as with
- * UDP/TCP port numbers).
- */
-int ippr_ipsec_match(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ipsec_pxy_t *ipsec;
- u_32_t cookies[4];
- mb_t *m;
- int off;
-
- nat = nat; /* LINT */
-
- if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG))
- return -1;
-
- ipsec = aps->aps_data;
- off = fin->fin_hlen + sizeof(udphdr_t);
- m = fin->fin_m;
- COPYDATA(m, off, sizeof(cookies), (char *)cookies);
-
- if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
- (cookies[1] != ipsec->ipsc_icookie[1]))
- return -1;
-
- if (ipsec->ipsc_rckset == 0) {
- if ((cookies[2]|cookies[3]) == 0) {
- return 0;
- }
- ipsec->ipsc_rckset = 1;
- ipsec->ipsc_rcookie[0] = cookies[2];
- ipsec->ipsc_rcookie[1] = cookies[3];
- return 0;
- }
-
- if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
- (cookies[3] != ipsec->ipsc_rcookie[1]))
- return -1;
- return 0;
-}
-
-
-/*
- * clean up after ourselves.
- */
-void ippr_ipsec_del(aps)
-ap_session_t *aps;
-{
- ipsec_pxy_t *ipsec;
-
- ipsec = aps->aps_data;
-
- if (ipsec != NULL) {
- /*
- * Don't bother changing any of the NAT structure details,
- * *_del() is on a callback from aps_free(), from nat_delete()
- */
-
- READ_ENTER(&ipf_state);
- if (ipsec->ipsc_state != NULL) {
- ipsec->ipsc_state->is_die = fr_ticks + 1;
- ipsec->ipsc_state->is_me = NULL;
- fr_queuefront(&ipsec->ipsc_state->is_sti);
- }
- RWLOCK_EXIT(&ipf_state);
-
- ipsec->ipsc_state = NULL;
- ipsec->ipsc_nat = NULL;
- }
-}
diff --git a/contrib/ipfilter/ip_irc_pxy.c b/contrib/ipfilter/ip_irc_pxy.c
deleted file mode 100644
index 45a120f..0000000
--- a/contrib/ipfilter/ip_irc_pxy.c
+++ /dev/null
@@ -1,435 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2000-2003 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
- */
-
-#define IPF_IRC_PROXY
-
-#define IPF_IRCBUFSZ 96 /* This *MUST* be >= 64! */
-
-
-int ippr_irc_init __P((void));
-void ippr_irc_fini __P((void));
-int ippr_irc_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_irc_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_irc_send __P((fr_info_t *, nat_t *));
-int ippr_irc_complete __P((ircinfo_t *, char *, size_t));
-u_short ipf_irc_atoi __P((char **));
-
-static frentry_t ircnatfr;
-
-int irc_proxy_init = 0;
-
-
-/*
- * Initialize local structures.
- */
-int ippr_irc_init()
-{
- bzero((char *)&ircnatfr, sizeof(ircnatfr));
- ircnatfr.fr_ref = 1;
- ircnatfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&ircnatfr.fr_lock, "IRC proxy rule lock");
- irc_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_irc_fini()
-{
- if (irc_proxy_init == 1) {
- MUTEX_DESTROY(&ircnatfr.fr_lock);
- irc_proxy_init = 0;
- }
-}
-
-
-char *ippr_irc_dcctypes[] = {
- "CHAT ", /* CHAT chat ipnumber portnumber */
- "SEND ", /* SEND filename ipnumber portnumber */
- "MOVE ",
- "TSEND ",
- "SCHAT ",
- NULL,
-};
-
-
-/*
- * :A PRIVMSG B :^ADCC CHAT chat 0 0^A\r\n
- * PRIVMSG B ^ADCC CHAT chat 0 0^A\r\n
- */
-
-
-int ippr_irc_complete(ircp, buf, len)
-ircinfo_t *ircp;
-char *buf;
-size_t len;
-{
- register char *s, c;
- register size_t i;
- u_32_t l;
- int j, k;
-
- ircp->irc_ipnum = 0;
- ircp->irc_port = 0;
-
- if (len < 31)
- return 0;
- s = buf;
- c = *s++;
- i = len - 1;
-
- if ((c != ':') && (c != 'P'))
- return 0;
-
- if (c == ':') {
- /*
- * Loosely check that the source is a nickname of some sort
- */
- s++;
- c = *s;
- ircp->irc_snick = s;
- if (!ISALPHA(c))
- return 0;
- i--;
- for (c = *s; !ISSPACE(c) && (i > 0); i--)
- c = *s++;
- if (i < 31)
- return 0;
- if (c != 'P')
- return 0;
- } else
- ircp->irc_snick = NULL;
-
- /*
- * Check command string
- */
- if (strncmp(s, "PRIVMSG ", 8))
- return 0;
- i -= 8;
- s += 8;
- c = *s;
- ircp->irc_dnick = s;
-
- /*
- * Loosely check that the destination is a nickname of some sort
- */
- if (!ISALPHA(c))
- return 0;
- for (; !ISSPACE(c) && (i > 0); i--)
- c = *s++;
- if (i < 20)
- return 0;
- s++,
- i--;
-
- /*
- * Look for a ^A to start the DCC
- */
- c = *s;
- if (c == ':') {
- s++;
- c = *s;
- }
-
- if (strncmp(s, "\001DCC ", 4))
- return 0;
-
- i -= 4;
- s += 4;
-
- /*
- * Check for a recognised DCC command
- */
- for (j = 0, k = 0; ippr_irc_dcctypes[j]; j++) {
- k = MIN(strlen(ippr_irc_dcctypes[j]), i);
- if (!strncmp(ippr_irc_dcctypes[j], s, k))
- break;
- }
- if (!ippr_irc_dcctypes[j])
- return 0;
-
- ircp->irc_type = s;
- i -= k;
- s += k;
-
- if (i < 11)
- return 0;
-
- /*
- * Check for the arg
- */
- c = *s;
- if (ISSPACE(c))
- return 0;
- ircp->irc_arg = s;
- for (; (c != ' ') && (c != '\001') && (i > 0); i--)
- c = *s++;
-
- if (c == '\001') /* In reality a ^A can quote another ^A...*/
- return 0;
-
- if (i < 5)
- return 0;
-
- s++;
- i--;
- c = *s;
- if (!ISDIGIT(c))
- return 0;
- ircp->irc_addr = s;
- /*
- * Get the IP#
- */
- for (l = 0; ISDIGIT(c) && (i > 0); i--) {
- l *= 10;
- l += c - '0';
- c = *s++;
- }
-
- if (i < 4)
- return 0;
-
- if (c != ' ')
- return 0;
-
- ircp->irc_ipnum = l;
- s++;
- i--;
- c = *s;
- if (!ISDIGIT(c))
- return 0;
- /*
- * Get the port#
- */
- for (l = 0; ISDIGIT(c) && (i > 0); i--) {
- l *= 10;
- l += c - '0';
- c = *s++;
- }
- if (i < 3)
- return 0;
- if (strncmp(s, "\001\r\n", 3))
- return 0;
- s += 3;
- ircp->irc_len = s - buf;
- ircp->irc_port = l;
- return 1;
-}
-
-
-int ippr_irc_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- ircinfo_t *irc;
-
- KMALLOC(irc, ircinfo_t *);
- if (irc == NULL)
- return -1;
-
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- aps->aps_data = irc;
- aps->aps_psiz = sizeof(ircinfo_t);
-
- bzero((char *)irc, sizeof(*irc));
- return 0;
-}
-
-
-int ippr_irc_send(fin, nat)
-fr_info_t *fin;
-nat_t *nat;
-{
- char ctcpbuf[IPF_IRCBUFSZ], newbuf[IPF_IRCBUFSZ];
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- int off, inc = 0, i, dlen;
- size_t nlen = 0, olen;
- struct in_addr swip;
- u_short a5, sp;
- ircinfo_t *irc;
- fr_info_t fi;
- nat_t *nat2;
- u_int a1;
- ip_t *ip;
- mb_t *m;
-#ifdef MENTAT
- mb_t *m1;
-#endif
-
- m = fin->fin_m;
- ip = fin->fin_ip;
- tcp = (tcphdr_t *)fin->fin_dp;
- bzero(ctcpbuf, sizeof(ctcpbuf));
- off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
-#ifdef __sgi
- dlen = fin->fin_plen - off;
-#else
- dlen = MSGDSIZE(m) - off;
-#endif
- if (dlen <= 0)
- return 0;
- COPYDATA(m, off, MIN(sizeof(ctcpbuf), dlen), ctcpbuf);
-
- if (dlen <= 0)
- return 0;
- ctcpbuf[sizeof(ctcpbuf) - 1] = '\0';
- *newbuf = '\0';
-
- irc = nat->nat_aps->aps_data;
- if (ippr_irc_complete(irc, ctcpbuf, dlen) == 0)
- return 0;
-
- /*
- * check that IP address in the PORT/PASV reply is the same as the
- * sender of the command - prevents using PORT for port scanning.
- */
- if (irc->irc_ipnum != ntohl(nat->nat_inip.s_addr))
- return 0;
-
- a5 = irc->irc_port;
-
- /*
- * Calculate new address parts for the DCC command
- */
- a1 = ntohl(ip->ip_src.s_addr);
- olen = irc->irc_len;
- i = irc->irc_addr - ctcpbuf;
- i++;
- (void) strncpy(newbuf, ctcpbuf, i);
- /* DO NOT change these! */
-#if defined(SNPRINTF) && defined(KERNEL)
- SNPRINTF(newbuf, sizeof(newbuf) - i, "%u %u\001\r\n", a1, a5);
-#else
- (void) sprintf(newbuf, "%u %u\001\r\n", a1, a5);
-#endif
-
- nlen = strlen(newbuf);
- inc = nlen - olen;
-
- if ((inc + ip->ip_len) > 65535)
- return 0;
-
-#ifdef MENTAT
- for (m1 = m; m1->b_cont; m1 = m1->b_cont)
- ;
- if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
- mblk_t *nm;
-
- /* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen, BPRI_MED);
- PANIC((!nm),("ippr_irc_out: allocb failed"));
-
- nm->b_band = m1->b_band;
- nm->b_wptr += nlen;
-
- m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),
- ("ippr_irc_out: cannot handle fragmented data block"));
-
- linkb(m1, nm);
- } else {
-# if SOLARIS && defined(ICK_VALID)
- if (m1->b_datap->db_struiolim == m1->b_wptr)
- m1->b_datap->db_struiolim += inc;
- m1->b_datap->db_struioflag &= ~STRUIO_IP;
-# endif
- m1->b_wptr += inc;
- }
-#else
- if (inc < 0)
- m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
-#endif
- COPYBACK(m, off, nlen, newbuf);
-
- if (inc != 0) {
-#if defined(MENTAT) || defined(__sgi)
- register u_32_t sum1, sum2;
-
- sum1 = ip->ip_len;
- sum2 = ip->ip_len + inc;
-
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sum2 -= sum1;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- fix_outcksum(fin, &ip->ip_sum, sum2);
-#endif
- ip->ip_len += inc;
- }
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = htons(a5);
- /*
- * Don't allow the PORT command to specify a port < 1024 due to
- * security crap.
- */
- if (ntohs(sp) < 1024)
- return 0;
-
- /*
- * The server may not make the connection back from port 20, but
- * it is the most likely so use it here to check for a conflicting
- * mapping.
- */
- bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
- fi.fin_data[0] = sp;
- fi.fin_data[1] = fin->fin_data[1];
- nat2 = nat_outlookup(fin, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst);
- if (nat2 == NULL) {
- bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = sp;
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_data[0] = ntohs(sp);
- fi.fin_data[1] = 0;
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &ircnatfr;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
- swip = ip->ip_src;
- ip->ip_src = nat->nat_inip;
- nat2 = nat_new(&fi, nat->nat_ptr, NULL,
- NAT_SLAVE|IPN_TCP|SI_W_DPORT, NAT_OUTBOUND);
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, 0);
- nat_update(&fi, nat2, nat2->nat_ptr);
-
- (void) fr_addstate(&fi, NULL, SI_W_DPORT);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_src = swip;
- }
- return inc;
-}
-
-
-int ippr_irc_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- aps = aps; /* LINT */
- return ippr_irc_send(fin, nat);
-}
diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c
deleted file mode 100644
index 196d64e..0000000
--- a/contrib/ipfilter/ip_lfil.c
+++ /dev/null
@@ -1,975 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.5 2002/10/03 13:47:19 darrenr Exp $";
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/time.h>
-#include <sys/dir.h>
-#include <sys/socket.h>
-#ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-#else
-# include <linux/module.h>
-#endif
-
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef _KERNEL
-# include <syslog.h>
-#endif
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
-#ifdef _KERNEL
-#include <net/ip_forward.h>
-#endif
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-#ifndef _KERNEL
-# include "ipt.h"
-static struct ifnet **ifneta = NULL;
-static int nifs = 0;
-#endif
-
-int fr_running = 0;
-int ipl_unreach = ICMP_UNREACH_FILTER;
-u_long ipl_frouteok[2] = {0, 0};
-
-static int frzerostats __P((caddr_t));
-static void frsync __P((void));
-#if defined(__NetBSD__) || defined(__OpenBSD__)
-static int frrequest __P((int, u_long, caddr_t, int));
-#else
-static int frrequest __P((int, u_long, caddr_t, int));
-#endif
-#ifdef _KERNEL
-static int (*fr_savep) __P((ip_t *, int, void *, int, mb_t **));
-#else
-int ipllog __P((void));
-void init_ifp __P((void));
-static int no_output __P((mb_t *, struct ifnet *));
-static int write_output __P((mb_t *, struct ifnet *));
-#endif
-
-#ifdef _KERNEL
-
-int fr_precheck(struct iphdr *ip, struct device *dev, int out, struct device **ifp)
-{
- int hlen = ip->ihl << 2;
-
- return fr_check((ip_t *)ip, hlen, dev, out, (mb_t **)ifp);
-}
-
-
-int iplattach()
-{
- char *defpass;
- int s;
-
- if (fr_running || (fr_checkp == fr_precheck)) {
- printk("IP Filter: already initialized\n");
- return EBUSY;
- }
-
- fr_running = 1;
- bzero((char *)frcache, sizeof(frcache));
- bzero((char *)nat_table, sizeof(nat_table));
- fr_savep = fr_checkp;
- fr_checkp = fr_precheck;
-
-# ifdef IPFILTER_LOG
- ipflog_init();
-# endif
- if (fr_pass & FR_PASS)
- defpass = "pass";
- else if (fr_pass & FR_BLOCK)
- defpass = "block";
- else
- defpass = "no-match -> block";
-
- printk("IP Filter: initialized. Default = %s all, Logging = %s\n",
- defpass,
-# ifdef IPFILTER_LOG
- "enabled");
-# else
- "disabled");
-# endif
- return 0;
-}
-
-
-/*
- * Disable the filter by removing the hooks from the IP input/output
- * stream.
- */
-int ipldetach()
-{
- int s, i = FR_INQUE|FR_OUTQUE;
-
- if (!fr_running)
- {
- printk("IP Filter: not initialized\n");
- return 0;
- }
-
- fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, i);
- fr_running = 0;
-
- ipfr_unload();
- ip_natunload();
- fr_stateunload();
- fr_authunload();
-
- printk("IP Filter: unloaded\n");
-
- return 0;
-}
-#endif /* _KERNEL */
-
-
-static int frzerostats(data)
-caddr_t data;
-{
- struct friostat fio;
- int error;
-
- bcopy((char *)frstats, (char *)fio.f_st,
- sizeof(struct filterstats) * 2);
- fio.f_fin[0] = ipfilter[0][0];
- fio.f_fin[1] = ipfilter[0][1];
- fio.f_fout[0] = ipfilter[1][0];
- fio.f_fout[1] = ipfilter[1][1];
- fio.f_acctin[0] = ipacct[0][0];
- fio.f_acctin[1] = ipacct[0][1];
- fio.f_acctout[0] = ipacct[1][0];
- fio.f_acctout[1] = ipacct[1][1];
- fio.f_active = fr_active;
- fio.f_froute[0] = ipl_frouteok[0];
- fio.f_froute[1] = ipl_frouteok[1];
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (!error)
- bzero((char *)frstats, sizeof(*frstats) * 2);
- return error;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-#if defined(_KERNEL)
-int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg)
-{
- int s;
- caddr_t data = (caddr_t)arg;
-
- int mode = file->f_mode;
-#else
-int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
-{
-#endif
- int error = 0, unit = 0, tmp;
-
-#ifdef _KERNEL
- unit = GET_MINOR(inode->i_rdev);
- if ((IPL_LOGMAX < unit) || (unit < 0))
- return ENXIO;
-#endif
-
- if (unit == IPL_LOGNAT) {
- error = nat_ioctl(data, cmd, mode);
- return error;
- }
- if (unit == IPL_LOGSTATE) {
- error = fr_state_ioctl(data, cmd, mode);
- return error;
- }
-
- switch (cmd) {
- case FIONREAD :
-#ifdef IPFILTER_LOG
- error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], data,
- sizeof(iplused[IPL_LOGIPF]));
-#endif
- break;
-#if !defined(IPFILTER_LKM) && defined(_KERNEL)
- case SIOCFRENB :
- {
- u_int enable;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
- if (error)
- break;
- if (enable)
- error = iplattach();
- else
- error = ipldetach();
- }
- break;
- }
-#endif
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = IRCOPY(data, (caddr_t)&fr_flags,
- sizeof(fr_flags));
- break;
- case SIOCGETFF :
- error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, fr_active);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, 1 - fr_active);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- *(u_int *)data = fr_active;
- fr_active = 1 - fr_active;
- }
- break;
- case SIOCGETFS :
- {
- struct friostat fio;
-
- bcopy((char *)frstats, (char *)fio.f_st,
- sizeof(struct filterstats) * 2);
- fio.f_fin[0] = ipfilter[0][0];
- fio.f_fin[1] = ipfilter[0][1];
- fio.f_fout[0] = ipfilter[1][0];
- fio.f_fout[1] = ipfilter[1][1];
- fio.f_acctin[0] = ipacct[0][0];
- fio.f_acctin[1] = ipacct[0][1];
- fio.f_acctout[0] = ipacct[1][0];
- fio.f_acctout[1] = ipacct[1][1];
- fio.f_auth = ipauth;
- fio.f_active = fr_active;
- fio.f_froute[0] = ipl_frouteok[0];
- fio.f_froute[1] = ipl_frouteok[1];
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- break;
- }
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frzerostats(data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, tmp);
- error = IWCOPY((caddr_t)&tmp, data,
- sizeof(tmp));
- }
- }
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- *(int *)data = ipflog_clear(unit);
- break;
-#endif /* IPFILTER_LOG */
- case SIOCGFRST :
- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
- sizeof(ipfrstat_t));
- break;
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
-#if defined(_KERNEL) && defined(__sgi)
- ipfsync();
-#endif
- frsync();
- }
- break;
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-static void frsync()
-{
-#ifdef _KERNEL
- struct device *dev;
-
- for (dev = dev_base; dev; dev = dev->next)
- ip_natsync(dev);
-#endif
-}
-
-
-static int frrequest(unit, req, data, set)
-int unit;
-u_long req;
-int set;
-caddr_t data;
-{
- register frentry_t *fp, *f, **fprev;
- register frentry_t **ftail;
- frentry_t frd;
- frdest_t *fdp;
- frgroup_t *fg = NULL;
- int error = 0, in;
- u_int group;
-
- fp = &frd;
- error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
- if (error)
- return error;
-
- /*
- * Check that the group number does exist and that if a head group
- * has been specified, doesn't exist.
- */
- if (fp->fr_grhead &&
- fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
- return EEXIST;
- if (fp->fr_group &&
- !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
- return ESRCH;
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- if (unit == IPL_LOGAUTH)
- ftail = fprev = &ipauth;
- else if (fp->fr_flags & FR_ACCOUNT)
- ftail = fprev = &ipacct[in][set];
- else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
- ftail = fprev = &ipfilter[in][set];
- else
- return ESRCH;
-
- if ((group = fp->fr_group)) {
- if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
- return ESRCH;
- ftail = fprev = fg->fg_start;
- }
-
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- if (*fp->fr_ifname) {
- fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_ip.fi_v);
- if (!fp->fr_ifa)
- fp->fr_ifa = (void *)-1;
- }
-
- fdp = &fp->fr_dif;
- fp->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-
- fdp = &fp->fr_tif;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- }
-
- /*
- * Look for a matching filter rule, but don't include the next or
- * interface pointer in the comparison (fr_next, fr_ifa).
- */
- for (; (f = *ftail); ftail = &f->fr_next)
- if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
- FR_CMPSIZ) == 0)
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == SIOCZRLST) {
- if (!f)
- return ESRCH;
- error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
- if (error)
- return error;
- f->fr_hits = 0;
- f->fr_bytes = 0;
- return 0;
- }
-
- if (!f) {
- if (req == SIOCINAFR || req == SIOCINIFR) {
- ftail = fprev;
- if (fp->fr_hits) {
- while (--fp->fr_hits && (f = *ftail)) {
- ftail = &f->fr_next;
- }
- }
- }
- f = NULL;
- }
-
- if (req == SIOCRMAFR || req == SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- if (f->fr_ref > 1)
- return EBUSY;
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, mode, req, f, ftail);
- if (f->fr_grhead)
- fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
- unit, set);
- fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- KFREE(f);
- }
- } else {
- if (f)
- error = EEXIST;
- else {
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, mode, req, f, ftail);
- KMALLOC(f, frentry_t *);
- if (f != NULL) {
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref++;
- bcopy((char *)fp, (char *)f, sizeof(*f));
- f->fr_ref = 1;
- f->fr_hits = 0;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == SIOCINIFR || req == SIOCINAFR)
- fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- if ((group = f->fr_grhead))
- fg = fr_addgroup(group, f, unit, set);
- } else
- error = ENOMEM;
- }
- }
- return (error);
-}
-
-
-#ifdef _KERNEL
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(struct inode *inode, struct file *file)
-{
- u_int min = GET_MINOR(inode->i_rdev);
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else {
- MOD_INC_USE_COUNT;
- min = 0;
- }
- return min;
-}
-
-
-void iplclose(struct inode *inode, struct file *file)
-{
- u_int min = GET_MINOR(inode->i_rdev);
-
- if (IPL_LOGMAX >= min) {
- MOD_DEC_USE_COUNT;
- }
-}
-
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(struct inode *inode, struct file *file, char *buf, int nbytes)
-{
- struct uio uiob, *uio = &uiob;
-
- uio->uio_buf = buf;
- uio->uio_resid = nbytes;
-# ifdef IPFILTER_LOG
- return ipflog_read(GET_MINOR(inode->i_rdev), uio);
-# else
- return ENXIO;
-# endif
-}
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(ti, ifp)
-struct tcpiphdr *ti;
-struct ifnet *ifp;
-{
- tcphdr_t *tcp;
- int tlen = 0;
- ip_t *ip;
- mb_t *m;
-
- if (ti->ti_flags & TH_RST)
- return -1; /* feedback loop */
-
- m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC);
- if (m == NULL)
- return -1;
-
- if (ti->ti_flags & TH_SYN)
- tlen = 1;
-
- m->dev = ifp;
- m->csum = 0;
- ip = mtod(m, ip_t *);
- m->h.iph = ip;
- m->ip_hdr = NULL;
- m->m_len = sizeof(tcpiphdr_t);
- tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t));
- bzero((char *)ip, sizeof(tcpiphdr_t));
-
- ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(ip_t) >> 2;
- ip->ip_tos = ((ip_t *)ti)->ip_tos;
- ip->ip_p = ((ip_t *)ti)->ip_p;
- ip->ip_id = ((ip_t *)ti)->ip_id;
- ip->ip_len = htons(sizeof(tcpiphdr_t));
- ip->ip_ttl = 127;
- ip->ip_src.s_addr = ti->ti_dst.s_addr;
- ip->ip_dst.s_addr = ti->ti_src.s_addr;
- tcp->th_dport = ti->ti_sport;
- tcp->th_sport = ti->ti_dport;
- tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
- tcp->th_off = sizeof(tcphdr_t) >> 2;
- tcp->th_flags = TH_RST|TH_ACK;
-
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t));
- tcp->th_sum = fr_tcpsum(m, ip, tcp);
- return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr);
-}
-
-
-size_t mbufchainlen(m0)
-register mb_t *m0;
-{
- register size_t len = 0;
-
- for (; m0; m0 = m0->m_next)
- len += m0->m_len;
- return len;
-}
-
-
-void ipfr_fastroute(m0, fin, fdp)
-mb_t *m0;
-fr_info_t *fin;
-frdest_t *fdp;
-{
-#if notyet
- register ip_t *ip, *mhip;
- register mb_t *m = m0;
- register struct route *ro;
- struct ifnet *ifp = fdp->fd_ifp;
- int len, off, error = 0;
- int hlen = fin->fin_hlen;
- struct route iproute;
- struct sockaddr_in *dst;
-
- ip = mtod(m0, ip_t *);
- /*
- * Route packet.
- */
- ro = &iproute;
- bzero((caddr_t)ro, sizeof (*ro));
- dst = (struct sockaddr_in *)&ro->ro_dst;
- dst->sin_family = AF_INET;
- dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
- /*
- * XXX -allocate route here
- */
- if (!ifp) {
- if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) {
- error = -2;
- goto bad;
- }
- if (ro->ro_rt == 0 || (ifp = ro->ro_rt->rt_ifp) == 0) {
- if (in_localaddr(ip->ip_dst))
- error = EHOSTUNREACH;
- else
- error = ENETUNREACH;
- goto bad;
- }
- if (ro->ro_rt->rt_flags & RTF_GATEWAY)
- dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
- }
- ro->ro_rt->rt_use++;
-
- /*
- * For input packets which are being "fastrouted", they won't
- * go back through output filtering and miss their chance to get
- * NAT'd.
- */
- (void) ip_natout(ip, hlen, fin);
- if (fin->fin_out)
- ip->ip_sum = 0;
- /*
- * If small enough for interface, can just send directly.
- */
- if (ip->ip_len <= ifp->if_mtu) {
-# ifndef sparc
- ip->ip_id = htons(ip->ip_id);
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
-# endif
- if (!ip->ip_sum)
- ip->ip_sum = in_cksum(m, hlen);
- error = (*ifp->hard_start_xmit)(m, ifp, m);
- goto done;
- }
- /*
- * Too large for interface; fragment if possible.
- * Must be able to put at least 8 bytes per fragment.
- */
- if (ip->ip_off & IP_DF) {
- error = EMSGSIZE;
- goto bad;
- }
- len = (ifp->if_mtu - hlen) &~ 7;
- if (len < 8) {
- error = EMSGSIZE;
- goto bad;
- }
-
- {
- int mhlen, firstlen = len;
- mb_t **mnext = &m->m_act;
-
- /*
- * Loop through length of segment after first fragment,
- * make new header and copy data of each part and link onto chain.
- */
- m0 = m;
- mhlen = sizeof (struct ip);
- for (off = hlen + len; off < ip->ip_len; off += len) {
- MGET(m, M_DONTWAIT, MT_HEADER);
- if (m == 0) {
- error = ENOBUFS;
- goto bad;
- }
- m->m_data += max_linkhdr;
- mhip = mtod(m, struct ip *);
- bcopy((char *)ip, (char *)mhip, sizeof(*ip));
- if (hlen > sizeof (struct ip)) {
- mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
- mhip->ip_hl = mhlen >> 2;
- }
- m->m_len = mhlen;
- mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
- if (ip->ip_off & IP_MF)
- mhip->ip_off |= IP_MF;
- if (off + len >= ip->ip_len)
- len = ip->ip_len - off;
- else
- mhip->ip_off |= IP_MF;
- mhip->ip_len = htons((u_short)(len + mhlen));
- m->m_next = m_copy(m0, off, len);
- if (m->m_next == 0) {
- error = ENOBUFS; /* ??? */
- goto sendorfree;
- }
-# ifndef sparc
- mhip->ip_off = htons((u_short)mhip->ip_off);
-# endif
- mhip->ip_sum = 0;
- mhip->ip_sum = in_cksum(m, mhlen);
- *mnext = m;
- mnext = &m->m_act;
- }
- /*
- * Update first fragment by trimming what's been copied out
- * and updating header, then send each fragment (in order).
- */
- m_adj(m0, hlen + firstlen - ip->ip_len);
- ip->ip_len = htons((u_short)(hlen + firstlen));
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m0, hlen);
-sendorfree:
- for (m = m0; m; m = m0) {
- m0 = m->m_act;
- m->m_act = 0;
- if (error == 0)
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst);
- else
- m_freem(m);
- }
- }
-done:
- if (!error)
- ipl_frouteok[0]++;
- else
- ipl_frouteok[1]++;
-
- if (ro->ro_rt) {
- RTFREE(ro->ro_rt);
- }
- return;
-bad:
- m_freem(m);
- goto done;
-# endif
-}
-
-
-/*
- * Fake BSD uiomove() call.
- */
-int uiomove(caddr_t src, size_t ssize, int rw, struct uio *uio)
-{
- int error;
- size_t mv = MIN(ssize, uio->uio_resid);
-
- if (rw == UIO_READ) {
- error = IWCOPY(src, (caddr_t)uio->uio_buf, mv);
- } else if (rw == UIO_WRITE) {
- error = IRCOPY((caddr_t)uio->uio_buf, src, mv);
- } else
- error = EINVAL;
- if (!error) {
- uio->uio_resid -= mv;
- uio->uio_buf += mv;
- }
- return error;
-}
-
-# ifdef IPFILTER_LKM
-# ifndef IPL_MAJOR
-# define IPL_MAJOR 95
-# endif
-
-# ifndef IPL_NAME
-# define IPL_NAME "/dev/ipl"
-# endif
-
-static struct file_operations ipl_fops = {
- NULL, /* lseek */
- iplread, /* read */
- NULL, /* write */
- NULL, /* readdir */
- NULL, /* select */
- iplioctl, /* ioctl */
- NULL, /* mmap */
- iplopen, /* open */
- iplclose, /* release */
- NULL, /* fsync */
- NULL, /* fasync */
- NULL, /* check_media_change */
- NULL, /* revalidate */
-};
-
-
-int init_module(void)
-{
- int error = 0, major;
-
- if (register_chrdev(IPL_MAJOR, "ipf", &ipl_fops)) {
- printk("ipf: unable to get major number: %d\n", IPL_MAJOR);
- return -EIO;
- }
-
- error = iplattach();
- if (!error)
- register_symtab(0);
- return -error;
-}
-
-void cleanup_module(void)
-{
- unregister_chrdev(IPL_MAJOR, "ipf");
- (void) ipldetach();
-}
-# endif /* IPFILTER_LKM */
-#else /* #ifdef _KERNEL */
-
-
-static int no_output __P((mb_t *m, struct ifnet *ifp))
-{
- return 0;
-}
-
-
-static int write_output __P((mb_t *m, struct ifnet *ifp))
-{
- FILE *fp;
- char fname[32];
- ip_t *ip;
-
- ip = mtod(m, ip_t *);
- sprintf(fname, "/tmp/%s", ifp->name);
- if ((fp = fopen(fname, "a"))) {
- fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
- fclose(fp);
- }
- return 0;
-}
-
-
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
-{
- struct ifnet *ifp, **ifa;
- char ifname[32], *s;
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- (void) sprintf(ifname, "%s", ifp->name);
- if (!strcmp(name, ifname))
- return ifp;
- }
-
- if (!ifneta) {
- ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
- ifneta[1] = NULL;
- ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
- nifs = 1;
- } else {
- nifs++;
- ifneta = (struct ifnet **)realloc(ifneta,
- (nifs + 1) * sizeof(*ifa));
- ifneta[nifs] = NULL;
- ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
- }
- ifp = ifneta[nifs - 1];
-
- for (s = name; *s && !isdigit(*s); s++)
- ;
- if (*s && isdigit(*s)) {
- ifp->name = (char *)malloc(s - name + 1);
- strncpy(ifp->name, name, s - name);
- ifp->name[s - name] = '\0';
- } else {
- ifp->name = strdup(name);
- }
- ifp->hard_start_xmit = no_output;
- return ifp;
-}
-
-
-
-void init_ifp()
-{
- FILE *fp;
- struct ifnet *ifp, **ifa;
- char fname[32];
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- ifp->hard_start_xmit = write_output;
- sprintf(fname, "/tmp/%s", ifp->name);
- if ((fp = fopen(fname, "w")))
- fclose(fp);
- }
-}
-
-
-void ipfr_fastroute(ip, fin, fdp)
-ip_t *ip;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- struct ifnet *ifp = fdp->fd_ifp;
-
- if (!ifp)
- return; /* no routing table out here */
-
- ip->ip_len = htons((u_short)ip->ip_len);
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
- (*ifp->hard_start_xmit)((mb_t *)ip, ifp);
-}
-
-
-int ipllog __P((void))
-{
- verbose("l");
- return 0;
-}
-
-
-int send_reset(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-
-
-int icmp_error(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-#endif /* _KERNEL */
diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c
deleted file mode 100644
index 1243081..0000000
--- a/contrib/ipfilter/ip_log.c
+++ /dev/null
@@ -1,674 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1997-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp
- */
-#include <sys/param.h>
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if defined(__FreeBSD__) && !defined(IPFILTER_LKM)
-# if defined(_KERNEL)
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include "opt_ipfilter.h"
-# endif
-# else
-# include <osreldate.h>
-# endif
-#endif
-#ifndef SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/file.h>
-#ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-# define _KERNEL
-# define KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-# undef KERNEL
-#endif
-#if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000)
-# include <sys/proc.h>
-# endif
-#endif /* _KERNEL */
-#if !SOLARIS && !defined(__hpux) && !defined(linux)
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-# include <sys/mbuf.h>
-#else
-# if !defined(__hpux) && defined(_KERNEL)
-# include <sys/filio.h>
-# include <sys/cred.h>
-# include <sys/ddi.h>
-# include <sys/sunddi.h>
-# include <sys/ksynch.h>
-# include <sys/kmem.h>
-# include <sys/mkdev.h>
-# include <sys/dditypes.h>
-# include <sys/cmn_err.h>
-# endif /* !__hpux */
-#endif /* !SOLARIS && !__hpux */
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#ifdef __sgi
-# include <sys/ddi.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-# include <sys/hashing.h>
-# endif
-#endif
-#if !defined(__hpux) && !defined(linux) && \
- !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#ifndef _KERNEL
-# include <syslog.h>
-#endif
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
-#if (__FreeBSD_version >= 300000) || defined(__NetBSD__)
-# include <sys/malloc.h>
-#endif
-/* END OF INCLUDES */
-
-#ifdef IPFILTER_LOG
-
-# if defined(IPL_SELECT)
-# include <machine/sys/user.h>
-# include <sys/kthread_iface.h>
-# define READ_COLLISION 0x001
-
-iplog_select_t iplog_ss[IPL_LOGMAX+1];
-
-extern int selwait;
-# endif /* IPL_SELECT */
-
-# if defined(linux) && defined(_KERNEL)
-wait_queue_head_t iplh_linux[IPL_LOGSIZE];
-# endif
-# if SOLARIS
-extern kcondvar_t iplwait;
-# endif
-
-iplog_t **iplh[IPL_LOGSIZE], *iplt[IPL_LOGSIZE], *ipll[IPL_LOGSIZE];
-int iplused[IPL_LOGSIZE];
-static fr_info_t iplcrc[IPL_LOGSIZE];
-int ipl_suppress = 1;
-int ipl_buffer_sz;
-int ipl_logmax = IPL_LOGMAX;
-int ipl_logall = 0;
-int ipl_log_init = 0;
-int ipl_logsize = IPFILTER_LOGSIZE;
-int ipl_magic[IPL_LOGSIZE] = { IPL_MAGIC, IPL_MAGIC_NAT, IPL_MAGIC_STATE,
- IPL_MAGIC, IPL_MAGIC, IPL_MAGIC,
- IPL_MAGIC, IPL_MAGIC };
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_loginit */
-/* Returns: int - 0 == success (always returned) */
-/* Parameters: Nil */
-/* */
-/* Initialise log buffers & pointers. Also iniialised the CRC to a local */
-/* secret for use in calculating the "last log checksum". */
-/* ------------------------------------------------------------------------ */
-int fr_loginit()
-{
- int i;
-
- for (i = IPL_LOGMAX; i >= 0; i--) {
- iplt[i] = NULL;
- ipll[i] = NULL;
- iplh[i] = &iplt[i];
- iplused[i] = 0;
- bzero((char *)&iplcrc[i], sizeof(iplcrc[i]));
-# ifdef IPL_SELECT
- iplog_ss[i].read_waiter = 0;
- iplog_ss[i].state = 0;
-# endif
-# if defined(linux) && defined(_KERNEL)
- init_waitqueue_head(iplh_linux + i);
-# endif
- }
-
-# if SOLARIS && defined(_KERNEL)
- cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
-# endif
- MUTEX_INIT(&ipl_mutex, "ipf log mutex");
-
- ipl_log_init = 1;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_logunload */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Clean up any log data that has accumulated without being read. */
-/* ------------------------------------------------------------------------ */
-void fr_logunload()
-{
- int i;
-
- if (ipl_log_init == 0)
- return;
-
- for (i = IPL_LOGMAX; i >= 0; i--)
- (void) ipflog_clear(i);
-
-# if SOLARIS && defined(_KERNEL)
- cv_destroy(&iplwait);
-# endif
- MUTEX_DESTROY(&ipl_mutex);
-
- ipl_log_init = 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipflog */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: fin(I) - pointer to packet information */
-/* flags(I) - flags from filter rules */
-/* */
-/* Create a log record for a packet given that it has been triggered by a */
-/* rule (or the default setting). Calculate the transport protocol header */
-/* size using predetermined size of a couple of popular protocols and thus */
-/* how much data to copy into the log, including part of the data body if */
-/* requested. */
-/* ------------------------------------------------------------------------ */
-int ipflog(fin, flags)
-fr_info_t *fin;
-u_int flags;
-{
- register size_t hlen;
- int types[2], mlen;
- size_t sizes[2];
- void *ptrs[2];
- ipflog_t ipfl;
- u_char p;
- mb_t *m;
-# if (SOLARIS || defined(__hpux)) && defined(_KERNEL)
- qif_t *ifp;
-# else
- struct ifnet *ifp;
-# endif /* SOLARIS || __hpux */
-
- ipfl.fl_nattag.ipt_num[0] = 0;
- m = fin->fin_m;
- ifp = fin->fin_ifp;
- hlen = fin->fin_hlen;
- /*
- * calculate header size.
- */
- if (fin->fin_off == 0) {
- p = fin->fin_fi.fi_p;
- if (p == IPPROTO_TCP)
- hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
- else if (p == IPPROTO_UDP)
- hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
- else if (p == IPPROTO_ICMP) {
- struct icmp *icmp;
-
- icmp = (struct icmp *)fin->fin_dp;
-
- /*
- * For ICMP, if the packet is an error packet, also
- * include the information about the packet which
- * caused the error.
- */
- switch (icmp->icmp_type)
- {
- case ICMP_UNREACH :
- case ICMP_SOURCEQUENCH :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_PARAMPROB :
- hlen += MIN(sizeof(struct icmp) + 8,
- fin->fin_dlen);
- break;
- default :
- hlen += MIN(sizeof(struct icmp),
- fin->fin_dlen);
- break;
- }
- }
-# ifdef USE_INET6
- else if (p == IPPROTO_ICMPV6) {
- struct icmp6_hdr *icmp;
-
- icmp = (struct icmp6_hdr *)fin->fin_dp;
-
- /*
- * For ICMPV6, if the packet is an error packet, also
- * include the information about the packet which
- * caused the error.
- */
- if (icmp->icmp6_type < 128) {
- hlen += MIN(sizeof(struct icmp6_hdr) + 8,
- fin->fin_dlen);
- } else {
- hlen += MIN(sizeof(struct icmp6_hdr),
- fin->fin_dlen);
- }
- }
-# endif
- }
- /*
- * Get the interface number and name to which this packet is
- * currently associated.
- */
-# if (SOLARIS || defined(__hpux)) && defined(_KERNEL)
- ipfl.fl_unit = (u_int)ifp->qf_ppa;
- COPYIFNAME(ifp, ipfl.fl_ifname);
-# else
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- COPYIFNAME(ifp, ipfl.fl_ifname);
-# else
- ipfl.fl_unit = (u_int)ifp->if_unit;
-# if defined(_KERNEL)
- if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
- if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
- if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
- ipfl.fl_ifname[3] = ifp->if_name[3];
-# else
- (void) strncpy(ipfl.fl_ifname, IFNAME(ifp), sizeof(ipfl.fl_ifname));
- ipfl.fl_ifname[sizeof(ipfl.fl_ifname) - 1] = '\0';
-# endif
-# endif
-# endif /* __hpux || SOLARIS */
- mlen = fin->fin_plen - hlen;
- if (!ipl_logall) {
- mlen = (flags & FR_LOGBODY) ? MIN(mlen, 128) : 0;
- } else if ((flags & FR_LOGBODY) == 0) {
- mlen = 0;
- }
- if (mlen < 0)
- mlen = 0;
- ipfl.fl_plen = (u_char)mlen;
- ipfl.fl_hlen = (u_char)hlen;
- ipfl.fl_rule = fin->fin_rule;
- (void) strncpy(ipfl.fl_group, fin->fin_group, FR_GROUPLEN);
- if (fin->fin_fr != NULL) {
- ipfl.fl_loglevel = fin->fin_fr->fr_loglevel;
- ipfl.fl_logtag = fin->fin_fr->fr_logtag;
- } else {
- ipfl.fl_loglevel = 0xffff;
- ipfl.fl_logtag = FR_NOLOGTAG;
- }
- if (fin->fin_nattag != NULL)
- bcopy(fin->fin_nattag, (void *)&ipfl.fl_nattag,
- sizeof(ipfl.fl_nattag));
- ipfl.fl_flags = flags;
- ipfl.fl_dir = fin->fin_out;
- ipfl.fl_lflags = fin->fin_flx;
- ptrs[0] = (void *)&ipfl;
- sizes[0] = sizeof(ipfl);
- types[0] = 0;
-# if defined(MENTAT) && defined(_KERNEL)
- /*
- * Are we copied from the mblk or an aligned array ?
- */
- if (fin->fin_ip == (ip_t *)m->b_rptr) {
- ptrs[1] = m;
- sizes[1] = hlen + mlen;
- types[1] = 1;
- } else {
- ptrs[1] = fin->fin_ip;
- sizes[1] = hlen + mlen;
- types[1] = 0;
- }
-# else
- ptrs[1] = m;
- sizes[1] = hlen + mlen;
- types[1] = 1;
-# endif /* MENTAT */
- return ipllog(IPL_LOGIPF, fin, ptrs, sizes, types, 2);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipllog */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: dev(I) - device that owns this log record */
-/* fin(I) - pointer to packet information */
-/* items(I) - array of pointers to log data */
-/* itemsz(I) - array of size of valid memory pointed to */
-/* types(I) - type of data pointed to by items pointers */
-/* cnt(I) - number of elements in arrays items/itemsz/types */
-/* */
-/* Takes an array of parameters and constructs one record to include the */
-/* miscellaneous packet information, as well as packet data, for reading */
-/* from the log device. */
-/* ------------------------------------------------------------------------ */
-int ipllog(dev, fin, items, itemsz, types, cnt)
-int dev;
-fr_info_t *fin;
-void **items;
-size_t *itemsz;
-int *types, cnt;
-{
- caddr_t buf, ptr;
- iplog_t *ipl;
- size_t len;
- int i;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-# endif
-
- /*
- * Check to see if this log record has a CRC which matches the last
- * record logged. If it does, just up the count on the previous one
- * rather than create a new one.
- */
- if (ipl_suppress) {
- MUTEX_ENTER(&ipl_mutex);
- if ((fin != NULL) && (fin->fin_off == 0)) {
- if ((ipll[dev] != NULL) &&
- bcmp((char *)fin, (char *)&iplcrc[dev],
- FI_LCSIZE) == 0) {
- ipll[dev]->ipl_count++;
- MUTEX_EXIT(&ipl_mutex);
- return 0;
- }
- bcopy((char *)fin, (char *)&iplcrc[dev], FI_LCSIZE);
- } else
- bzero((char *)&iplcrc[dev], FI_CSIZE);
- MUTEX_EXIT(&ipl_mutex);
- }
-
- /*
- * Get the total amount of data to be logged.
- */
- for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
- len += itemsz[i];
-
- /*
- * check that we have space to record this information and can
- * allocate that much.
- */
- KMALLOCS(buf, caddr_t, len);
- if (buf == NULL)
- return -1;
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- if ((iplused[dev] + len) > ipl_logsize) {
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- KFREES(buf, len);
- return -1;
- }
- iplused[dev] += len;
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
-
- /*
- * advance the log pointer to the next empty record and deduct the
- * amount of space we're going to use.
- */
- ipl = (iplog_t *)buf;
- ipl->ipl_magic = ipl_magic[dev];
- ipl->ipl_count = 1;
- ipl->ipl_next = NULL;
- ipl->ipl_dsize = len;
-#ifdef _KERNEL
- GETKTIME(&ipl->ipl_sec);
-#else
- ipl->ipl_sec = 0;
- ipl->ipl_usec = 0;
-#endif
-
- /*
- * Loop through all the items to be logged, copying each one to the
- * buffer. Use bcopy for normal data or the mb_t copyout routine.
- */
- for (i = 0, ptr = buf + sizeof(*ipl); i < cnt; i++) {
- if (types[i] == 0) {
- bcopy(items[i], ptr, itemsz[i]);
- } else if (types[i] == 1) {
- COPYDATA(items[i], 0, itemsz[i], ptr);
- }
- ptr += itemsz[i];
- }
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- ipll[dev] = ipl;
- *iplh[dev] = ipl;
- iplh[dev] = &ipl->ipl_next;
-
- /*
- * Now that the log record has been completed and added to the queue,
- * wake up any listeners who may want to read it.
- */
-# if SOLARIS && defined(_KERNEL)
- cv_signal(&iplwait);
- MUTEX_EXIT(&ipl_mutex);
-# else
- MUTEX_EXIT(&ipl_mutex);
- WAKEUP(iplh,dev);
-# endif
- SPL_X(s);
-# ifdef IPL_SELECT
- iplog_input_ready(dev);
-# endif
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipflog_read */
-/* Returns: int - 0 == success, else error value. */
-/* Parameters: unit(I) - device we are reading from */
-/* uio(O) - pointer to information about where to store data */
-/* */
-/* Called to handle a read on an IPFilter device. Returns only complete */
-/* log messages - will not partially copy a log record out to userland. */
-/* */
-/* NOTE: This function will block and wait for a signal to return data if */
-/* there is none present. Asynchronous I/O is not implemented. */
-/* ------------------------------------------------------------------------ */
-int ipflog_read(unit, uio)
-minor_t unit;
-struct uio *uio;
-{
- size_t dlen, copied;
- int error = 0;
- iplog_t *ipl;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-# endif
-
- /*
- * Sanity checks. Make sure the minor # is valid and we're copying
- * a valid chunk of data.
- */
- if (IPL_LOGMAX < unit)
- return ENXIO;
- if (uio->uio_resid == 0)
- return 0;
- if ((uio->uio_resid < sizeof(iplog_t)) ||
- (uio->uio_resid > ipl_logsize))
- return EINVAL;
-
- /*
- * Lock the log so we can snapshot the variables. Wait for a signal
- * if the log is empty.
- */
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
-
- while (iplt[unit] == NULL) {
-# if SOLARIS && defined(_KERNEL)
- if (!cv_wait_sig(&iplwait, &ipl_mutex.ipf_lk)) {
- MUTEX_EXIT(&ipl_mutex);
- return EINTR;
- }
-# else
-# if defined(__hpux) && defined(_KERNEL)
- lock_t *l;
-
-# ifdef IPL_SELECT
- if (uio->uio_fpflags & (FNBLOCK|FNDELAY)) {
- /* this is no blocking system call */
- MUTEX_EXIT(&ipl_mutex);
- return 0;
- }
-# endif
-
- MUTEX_EXIT(&ipl_mutex);
- l = get_sleep_lock(&iplh[unit]);
- error = sleep(&iplh[unit], PZERO+1);
- spinunlock(l);
-# else
-# if defined(__osf__) && defined(_KERNEL)
- error = mpsleep(&iplh[unit], PSUSP|PCATCH, "iplread", 0,
- &ipl_mutex, MS_LOCK_SIMPLE);
-# else
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- error = SLEEP(unit + iplh, "ipl sleep");
-# endif /* __osf__ */
-# endif /* __hpux */
- if (error)
- return error;
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
-# endif /* SOLARIS */
- }
-
-# if (BSD >= 199101) || defined(__FreeBSD__) || defined(__osf__)
- uio->uio_rw = UIO_READ;
-# endif
-
- for (copied = 0; (ipl = iplt[unit]) != NULL; copied += dlen) {
- dlen = ipl->ipl_dsize;
- if (dlen > uio->uio_resid)
- break;
- /*
- * Don't hold the mutex over the uiomove call.
- */
- iplt[unit] = ipl->ipl_next;
- iplused[unit] -= dlen;
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
- if (error) {
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- ipl->ipl_next = iplt[unit];
- iplt[unit] = ipl;
- iplused[unit] += dlen;
- break;
- }
- MUTEX_ENTER(&ipl_mutex);
- KFREES((caddr_t)ipl, dlen);
- SPL_NET(s);
- }
- if (!iplt[unit]) {
- iplused[unit] = 0;
- iplh[unit] = &iplt[unit];
- ipll[unit] = NULL;
- }
-
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipflog_clear */
-/* Returns: int - number of log bytes cleared. */
-/* Parameters: unit(I) - device we are reading from */
-/* */
-/* Deletes all queued up log records for a given output device. */
-/* ------------------------------------------------------------------------ */
-int ipflog_clear(unit)
-minor_t unit;
-{
- iplog_t *ipl;
- int used;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-# endif
-
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- while ((ipl = iplt[unit]) != NULL) {
- iplt[unit] = ipl->ipl_next;
- KFREES((caddr_t)ipl, ipl->ipl_dsize);
- }
- iplh[unit] = &iplt[unit];
- ipll[unit] = NULL;
- used = iplused[unit];
- iplused[unit] = 0;
- bzero((char *)&iplcrc[unit], FI_CSIZE);
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- return used;
-}
-#endif /* IPFILTER_LOG */
diff --git a/contrib/ipfilter/ip_lookup.c b/contrib/ipfilter/ip_lookup.c
deleted file mode 100644
index b832373..0000000
--- a/contrib/ipfilter/ip_lookup.c
+++ /dev/null
@@ -1,530 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2002-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#if defined(__osf__)
-# define _PROTO_NET_H_
-#endif
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#if !defined(_KERNEL)
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#include <sys/socket.h>
-#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
-# ifdef __osf__
-# include <net/radix.h>
-# endif
-# include "radix_ipf_local.h"
-# define _RADIX_H_
-#endif
-#include <net/if.h>
-#if defined(__FreeBSD__)
-# include <sys/cdefs.h>
-# include <sys/proc.h>
-#endif
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#include <netinet/in.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "netinet/ip_lookup.h"
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp";
-#endif
-
-#ifdef IPFILTER_LOOKUP
-int ip_lookup_inited = 0;
-
-static int iplookup_addnode __P((caddr_t));
-static int iplookup_delnode __P((caddr_t data));
-static int iplookup_addtable __P((caddr_t));
-static int iplookup_deltable __P((caddr_t));
-static int iplookup_stats __P((caddr_t));
-static int iplookup_flush __P((caddr_t));
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_init */
-/* Returns: int - 0 = success, else error */
-/* Parameters: Nil */
-/* */
-/* Initialise all of the subcomponents of the lookup infrstructure. */
-/* ------------------------------------------------------------------------ */
-int ip_lookup_init()
-{
-
- if (ip_pool_init() == -1)
- return -1;
-
- RWLOCK_INIT(&ip_poolrw, "ip pool rwlock");
-
- ip_lookup_inited = 1;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_unload */
-/* Returns: int - 0 = success, else error */
-/* Parameters: Nil */
-/* */
-/* Free up all pool related memory that has been allocated whilst IPFilter */
-/* has been running. Also, do any other deinitialisation required such */
-/* ip_lookup_init() can be called again, safely. */
-/* ------------------------------------------------------------------------ */
-void ip_lookup_unload()
-{
- ip_pool_fini();
- fr_htable_unload();
-
- if (ip_lookup_inited == 1) {
- RW_DESTROY(&ip_poolrw);
- ip_lookup_inited = 0;
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_ioctl */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(IO) - pointer to ioctl data to be copied to/from user */
-/* space. */
-/* cmd(I) - ioctl command number */
-/* mode(I) - file mode bits used with open */
-/* */
-/* Handle ioctl commands sent to the ioctl device. For the most part, this */
-/* involves just calling another function to handle the specifics of each */
-/* command. */
-/* ------------------------------------------------------------------------ */
-int ip_lookup_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- int err;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-# endif
-
- mode = mode; /* LINT */
-
- SPL_NET(s);
-
- switch (cmd)
- {
- case SIOCLOOKUPADDNODE :
- case SIOCLOOKUPADDNODEW :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_addnode(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- case SIOCLOOKUPDELNODE :
- case SIOCLOOKUPDELNODEW :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_delnode(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- case SIOCLOOKUPADDTABLE :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_addtable(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- case SIOCLOOKUPDELTABLE :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_deltable(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- case SIOCLOOKUPSTAT :
- case SIOCLOOKUPSTATW :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_stats(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- case SIOCLOOKUPFLUSH :
- WRITE_ENTER(&ip_poolrw);
- err = iplookup_flush(data);
- RWLOCK_EXIT(&ip_poolrw);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- SPL_X(s);
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_addnode */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* Add a new data node to a lookup structure. First, check to see if the */
-/* parent structure refered to by name exists and if it does, then go on to */
-/* add a node to it. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_addnode(data)
-caddr_t data;
-{
- ip_pool_node_t node, *m;
- iplookupop_t op;
- iphtable_t *iph;
- iphtent_t hte;
- ip_pool_t *p;
- int err;
-
- err = 0;
- BCOPYIN(data, &op, sizeof(op));
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
-
- switch (op.iplo_type)
- {
- case IPLT_POOL :
- if (op.iplo_size != sizeof(node))
- return EINVAL;
-
- err = COPYIN(op.iplo_struct, &node, sizeof(node));
- if (err != 0)
- return EFAULT;
-
- p = ip_pool_find(op.iplo_unit, op.iplo_name);
- if (p == NULL)
- return ESRCH;
-
- /*
- * add an entry to a pool - return an error if it already
- * exists remove an entry from a pool - if it exists
- * - in both cases, the pool *must* exist!
- */
- m = ip_pool_findeq(p, &node.ipn_addr, &node.ipn_mask);
- if (m)
- return EEXIST;
- err = ip_pool_insert(p, &node.ipn_addr.adf_addr,
- &node.ipn_mask.adf_addr, node.ipn_info);
- break;
-
- case IPLT_HASH :
- if (op.iplo_size != sizeof(hte))
- return EINVAL;
-
- err = COPYIN(op.iplo_struct, &hte, sizeof(hte));
- if (err != 0)
- return EFAULT;
-
- iph = fr_findhtable(op.iplo_unit, op.iplo_name);
- if (iph == NULL)
- return ESRCH;
- err = fr_addhtent(iph, &hte);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_delnode */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* Delete a node from a lookup table by first looking for the table it is */
-/* in and then deleting the entry that gets found. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_delnode(data)
-caddr_t data;
-{
- ip_pool_node_t node, *m;
- iplookupop_t op;
- iphtable_t *iph;
- iphtent_t hte;
- ip_pool_t *p;
- int err;
-
- err = 0;
- BCOPYIN(data, &op, sizeof(op));
-
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
-
- switch (op.iplo_type)
- {
- case IPLT_POOL :
- if (op.iplo_size != sizeof(node))
- return EINVAL;
-
- err = COPYIN(op.iplo_struct, &node, sizeof(node));
- if (err != 0)
- return EFAULT;
-
- p = ip_pool_find(op.iplo_unit, op.iplo_name);
- if (!p)
- return ESRCH;
-
- m = ip_pool_findeq(p, &node.ipn_addr, &node.ipn_mask);
- if (m == NULL)
- return ENOENT;
- err = ip_pool_remove(p, m);
- break;
-
- case IPLT_HASH :
- if (op.iplo_size != sizeof(hte))
- return EINVAL;
-
- err = COPYIN(op.iplo_struct, &hte, sizeof(hte));
- if (err != 0)
- return EFAULT;
-
- iph = fr_findhtable(op.iplo_unit, op.iplo_name);
- if (iph == NULL)
- return ESRCH;
- err = fr_delhtent(iph, &hte);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_addtable */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* Create a new lookup table, if one doesn't already exist using the name */
-/* for this one. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_addtable(data)
-caddr_t data;
-{
- iplookupop_t op;
- int err;
-
- err = 0;
- BCOPYIN(data, &op, sizeof(op));
-
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
-
- switch (op.iplo_type)
- {
- case IPLT_POOL :
- if (ip_pool_find(op.iplo_unit, op.iplo_name) != NULL)
- err = EEXIST;
- else
- err = ip_pool_create(&op);
- break;
-
- case IPLT_HASH :
- if (fr_findhtable(op.iplo_unit, op.iplo_name) != NULL)
- err = EEXIST;
- else
- err = fr_newhtable(&op);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_deltable */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* Decodes ioctl request to remove a particular hash table or pool and */
-/* calls the relevant function to do the cleanup. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_deltable(data)
-caddr_t data;
-{
- iplookupop_t op;
- int err;
-
- BCOPYIN(data, &op, sizeof(op));
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
-
- if (op.iplo_arg & IPLT_ANON)
- op.iplo_arg &= IPLT_ANON;
-
- /*
- * create a new pool - fail if one already exists with
- * the same #
- */
- switch (op.iplo_type)
- {
- case IPLT_POOL :
- err = ip_pool_destroy(&op);
- break;
-
- case IPLT_HASH :
- err = fr_removehtable(&op);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_stats */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* Copy statistical information from inside the kernel back to user space. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_stats(data)
-caddr_t data;
-{
- iplookupop_t op;
- int err;
-
- err = 0;
- BCOPYIN(data, &op, sizeof(op));
-
- switch (op.iplo_type)
- {
- case IPLT_POOL :
- err = ip_pool_statistics(&op);
- break;
-
- case IPLT_HASH :
- err = fr_gethtablestat(&op);
- break;
-
- default :
- err = EINVAL;
- break;
- }
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: iplookup_flush */
-/* Returns: int - 0 = success, else error */
-/* Parameters: data(I) - pointer to data from ioctl call */
-/* */
-/* A flush is called when we want to flush all the nodes from a particular */
-/* entry in the hash table/pool or want to remove all groups from those. */
-/* ------------------------------------------------------------------------ */
-static int iplookup_flush(data)
-caddr_t data;
-{
- int err, unit, num, type;
- iplookupflush_t flush;
-
- err = 0;
- BCOPYIN(data, &flush, sizeof(flush));
-
- flush.iplf_name[sizeof(flush.iplf_name) - 1] = '\0';
-
- unit = flush.iplf_unit;
- if ((unit < 0 || unit > IPL_LOGMAX) && (unit != IPLT_ALL))
- return EINVAL;
-
- type = flush.iplf_type;
- err = EINVAL;
- num = 0;
-
- if (type == IPLT_POOL || type == IPLT_ALL) {
- err = 0;
- num = ip_pool_flush(&flush);
- }
-
- if (type == IPLT_HASH || type == IPLT_ALL) {
- err = 0;
- num += fr_flushhtable(&flush);
- }
-
- if (err == 0) {
- flush.iplf_count = num;
- err = COPYOUT(&flush, data, sizeof(flush));
- }
- return err;
-}
-
-
-void ip_lookup_deref(type, ptr)
-int type;
-void *ptr;
-{
- if (ptr == NULL)
- return;
-
- WRITE_ENTER(&ip_poolrw);
- switch (type)
- {
- case IPLT_POOL :
- ip_pool_deref(ptr);
- break;
-
- case IPLT_HASH :
- fr_derefhtable(ptr);
- break;
- }
- RWLOCK_EXIT(&ip_poolrw);
-}
-
-
-#else /* IPFILTER_LOOKUP */
-
-/*ARGSUSED*/
-int ip_lookup_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- return EIO;
-}
-#endif /* IPFILTER_LOOKUP */
diff --git a/contrib/ipfilter/ip_lookup.h b/contrib/ipfilter/ip_lookup.h
deleted file mode 100644
index e9f8cb8..0000000
--- a/contrib/ipfilter/ip_lookup.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $NetBSD$ */
-
-
-#ifndef __IP_LOOKUP_H__
-#define __IP_LOOKUP_H__
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCLOOKUPADDTABLE _IOWR('r', 60, struct iplookupop)
-# define SIOCLOOKUPDELTABLE _IOWR('r', 61, struct iplookupop)
-# define SIOCLOOKUPSTAT _IOWR('r', 64, struct iplookupop)
-# define SIOCLOOKUPSTATW _IOW('r', 64, struct iplookupop)
-# define SIOCLOOKUPFLUSH _IOWR('r', 65, struct iplookupflush)
-# define SIOCLOOKUPADDNODE _IOWR('r', 67, struct iplookupop)
-# define SIOCLOOKUPADDNODEW _IOW('r', 67, struct iplookupop)
-# define SIOCLOOKUPDELNODE _IOWR('r', 68, struct iplookupop)
-# define SIOCLOOKUPDELNODEW _IOW('r', 68, struct iplookupop)
-#else
-# define SIOCLOOKUPADDTABLE _IOWR(r, 60, struct iplookupop)
-# define SIOCLOOKUPDELTABLE _IOWR(r, 61, struct iplookupop)
-# define SIOCLOOKUPSTAT _IOWR(r, 64, struct iplookupop)
-# define SIOCLOOKUPSTATW _IOW(r, 64, struct iplookupop)
-# define SIOCLOOKUPFLUSH _IOWR(r, 65, struct iplookupflush)
-# define SIOCLOOKUPADDNODE _IOWR(r, 67, struct iplookupop)
-# define SIOCLOOKUPADDNODEW _IOW(r, 67, struct iplookupop)
-# define SIOCLOOKUPDELNODE _IOWR(r, 68, struct iplookupop)
-# define SIOCLOOKUPDELNODEW _IOW(r, 68, struct iplookupop)
-#endif
-
-typedef struct iplookupop {
- int iplo_type; /* IPLT_* */
- int iplo_unit; /* IPL_LOG* */
- u_int iplo_arg;
- char iplo_name[FR_GROUPLEN];
- size_t iplo_size; /* sizeof struct at iplo_struct */
- void *iplo_struct;
-} iplookupop_t;
-
-typedef struct iplookupflush {
- int iplf_type; /* IPLT_* */
- int iplf_unit; /* IPL_LOG* */
- u_int iplf_arg;
- size_t iplf_count;
- char iplf_name[FR_GROUPLEN];
-} iplookupflush_t;
-
-typedef struct iplookuplink {
- int ipll_type; /* IPLT_* */
- int ipll_unit; /* IPL_LOG* */
- u_int ipll_num;
- char ipll_group[FR_GROUPLEN];
-} iplookuplink_t;
-
-#define IPLT_ALL -1
-#define IPLT_NONE 0
-#define IPLT_POOL 1
-#define IPLT_HASH 2
-
-#define IPLT_ANON 0x80000000
-
-extern int ip_lookup_init __P((void));
-extern int ip_lookup_ioctl __P((caddr_t, ioctlcmd_t, int));
-extern void ip_lookup_unload __P((void));
-extern void ip_lookup_deref __P((int, void *));
-
-#endif /* __IP_LOOKUP_H__ */
diff --git a/contrib/ipfilter/ip_msnrpc_pxy.c b/contrib/ipfilter/ip_msnrpc_pxy.c
deleted file mode 100644
index 187a964..0000000
--- a/contrib/ipfilter/ip_msnrpc_pxy.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2000-2003 by Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Simple DCE transparent proxy for MSN RPC.
- *
- * ******* NOTE: THIS PROXY DOES NOT DO ADDRESS TRANSLATION ********
- *
- * Id: ip_msnrpc_pxy.c,v 2.17.2.1 2005/02/04 10:22:55 darrenr Exp
- */
-
-#define IPF_MSNRPC_PROXY
-
-#define IPF_MINMSNRPCLEN 24
-#define IPF_MSNRPCSKIP (2 + 19 + 2 + 2 + 2 + 19 + 2 + 2)
-
-
-typedef struct msnrpchdr {
- u_char mrh_major; /* major # == 5 */
- u_char mrh_minor; /* minor # == 0 */
- u_char mrh_type;
- u_char mrh_flags;
- u_32_t mrh_endian;
- u_short mrh_dlen; /* data size */
- u_short mrh_alen; /* authentication length */
- u_32_t mrh_cid; /* call identifier */
- u_32_t mrh_hint; /* allocation hint */
- u_short mrh_ctxt; /* presentation context hint */
- u_char mrh_ccnt; /* cancel count */
- u_char mrh_ans;
-} msnrpchdr_t;
-
-int ippr_msnrpc_init __P((void));
-void ippr_msnrpc_fini __P((void));
-int ippr_msnrpc_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_msnrpc_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_msnrpc_in __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_msnrpc_check __P((ip_t *, msnrpchdr_t *));
-
-static frentry_t msnfr;
-
-int msn_proxy_init = 0;
-
-/*
- * Initialize local structures.
- */
-int ippr_msnrpc_init()
-{
- bzero((char *)&msnfr, sizeof(msnfr));
- msnfr.fr_ref = 1;
- msnfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&msnfr.fr_lock, "MSN RPC proxy rule lock");
- msn_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_msnrpc_fini()
-{
- if (msn_proxy_init == 1) {
- MUTEX_DESTROY(&msnfr.fr_lock);
- msn_proxy_init = 0;
- }
-}
-
-
-int ippr_msnrpc_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- msnrpcinfo_t *mri;
-
- KMALLOC(mri, msnrpcinfo_t *);
- if (mri == NULL)
- return -1;
- aps->aps_data = mri;
- aps->aps_psiz = sizeof(msnrpcinfo_t);
-
- bzero((char *)mri, sizeof(*mri));
- mri->mri_cmd[0] = 0xff;
- mri->mri_cmd[1] = 0xff;
- return 0;
-}
-
-
-int ippr_msnrpc_check(ip, mrh)
-ip_t *ip;
-msnrpchdr_t *mrh;
-{
- if (mrh->mrh_major != 5)
- return -1;
- if (mrh->mrh_minor != 0)
- return -1;
- if (mrh->mrh_alen != 0)
- return -1;
- if (mrh->mrh_endian == 0x10) {
- /* Both gateway and packet match endian */
- if (mrh->mrh_dlen > ip->ip_len)
- return -1;
- if (mrh->mrh_type == 0 || mrh->mrh_type == 2)
- if (mrh->mrh_hint > ip->ip_len)
- return -1;
- } else if (mrh->mrh_endian == 0x10000000) {
- /* XXX - Endian mismatch - should be swapping! */
- return -1;
- } else {
- return -1;
- }
- return 0;
-}
-
-
-int ippr_msnrpc_out(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- msnrpcinfo_t *mri;
- msnrpchdr_t *mrh;
- tcphdr_t *tcp;
- int dlen;
-
- mri = aps->aps_data;
- if (mri == NULL)
- return 0;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
- if (dlen < IPF_MINMSNRPCLEN)
- return 0;
-
- mrh = (msnrpchdr_t *)((char *)tcp + (TCP_OFF(tcp) << 2));
- if (ippr_msnrpc_check(ip, mrh))
- return 0;
-
- mri->mri_valid++;
-
- switch (mrh->mrh_type)
- {
- case 0x0b : /* BIND */
- case 0x00 : /* REQUEST */
- break;
- case 0x0c : /* BIND ACK */
- case 0x02 : /* RESPONSE */
- default:
- return 0;
- }
- mri->mri_cmd[1] = mrh->mrh_type;
- return 0;
-}
-
-
-int ippr_msnrpc_in(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- int dlen, sz, sz2, i;
- msnrpcinfo_t *mri;
- msnrpchdr_t *mrh;
- fr_info_t fi;
- u_short len;
- char *s;
-
- mri = aps->aps_data;
- if (mri == NULL)
- return 0;
- tcp = (tcphdr_t *)fin->fin_dp;
- dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
- if (dlen < IPF_MINMSNRPCLEN)
- return 0;
-
- mrh = (msnrpchdr_t *)((char *)tcp + (TCP_OFF(tcp) << 2));
- if (ippr_msnrpc_check(ip, mrh))
- return 0;
-
- mri->mri_valid++;
-
- switch (mrh->mrh_type)
- {
- case 0x0c : /* BIND ACK */
- if (mri->mri_cmd[1] != 0x0b)
- return 0;
- break;
- case 0x02 : /* RESPONSE */
- if (mri->mri_cmd[1] != 0x00)
- return 0;
- break;
- case 0x0b : /* BIND */
- case 0x00 : /* REQUEST */
- default:
- return 0;
- }
- mri->mri_cmd[0] = mrh->mrh_type;
- dlen -= sizeof(*mrh);
-
- /*
- * Only processes RESPONSE's
- */
- if (mrh->mrh_type != 0x02)
- return 0;
-
- /*
- * Skip over some bytes...what are these really ?
- */
- if (dlen <= 44)
- return 0;
- s = (char *)(mrh + 1) + 20;
- dlen -= 20;
- bcopy(s, (char *)&len, sizeof(len));
- if (len == 1) {
- s += 20;
- dlen -= 20;
- } else if (len == 2) {
- s += 24;
- dlen -= 24;
- } else
- return 0;
-
- if (dlen <= 10)
- return 0;
- dlen -= 10;
- bcopy(s, (char *)&sz, sizeof(sz));
- s += sizeof(sz);
- bcopy(s, (char *)&sz2, sizeof(sz2));
- s += sizeof(sz2);
- if (sz2 != sz)
- return 0;
- if (sz > dlen)
- return 0;
- if (*s++ != 5)
- return 0;
- if (*s++ != 0)
- return 0;
- sz -= IPF_MSNRPCSKIP;
- s += IPF_MSNRPCSKIP;
- dlen -= IPF_MSNRPCSKIP;
-
- do {
- if (sz < 7 || dlen < 7)
- break;
- bcopy(s, (char *)&len, sizeof(len));
- if (dlen < len)
- break;
- if (sz < len)
- break;
-
- if (len != 1)
- break;
- sz -= 3;
- i = *(s + 2);
- s += 3;
- dlen -= 3;
-
- bcopy(s, (char *)&len, sizeof(len));
- if (dlen < len)
- break;
- if (sz < len)
- break;
- s += sizeof(len);
-
- switch (i)
- {
- case 7 :
- if (len == 2) {
- bcopy(s, (char *)&mri->mri_rport, 2);
- mri->mri_flags |= 1;
- }
- break;
- case 9 :
- if (len == 4) {
- bcopy(s, (char *)&mri->mri_raddr, 4);
- mri->mri_flags |= 2;
- }
- break;
- default :
- break;
- }
- sz -= len;
- s += len;
- dlen -= len;
- } while (sz > 0);
-
- if (mri->mri_flags == 3) {
- int slen;
-
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- TCP_OFF_A(tcp2, 5);
- fi.fin_data[0] = htons(mri->mri_rport);
- tcp2->th_sport = mri->mri_rport;
- fi.fin_data[1] = 0;
- tcp2->th_dport = 0;
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
- fi.fin_dp = (char *)tcp2;
- fi.fin_fi.fi_daddr = ip->ip_dst.s_addr;
- fi.fin_fi.fi_saddr = mri->mri_raddr.s_addr;
- if (!fi.fin_fr)
- fi.fin_fr = &msnfr;
- if (fr_stlookup(&fi, NULL, NULL)) {
- RWLOCK_EXIT(&ipf_state);
- } else {
- (void) fr_addstate(&fi, NULL, SI_W_DPORT|SI_CLONE);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_len = slen;
- }
- mri->mri_flags = 0;
- return 0;
-}
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
deleted file mode 100644
index 5529502..0000000
--- a/contrib/ipfilter/ip_nat.c
+++ /dev/null
@@ -1,4834 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if !defined(_KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/fcntl.h>
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <sys/queue.h>
-#endif
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#endif
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-
-#ifdef RFC1825
-# include <vpn/md5.h>
-# include <vpn/ipsec.h>
-extern struct ifnet vpnif;
-#endif
-
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-/* END OF INCLUDES */
-
-#undef SOCKADDR_IN
-#define SOCKADDR_IN struct sockaddr_in
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.38 2005/03/28 11:09:54 darrenr Exp";
-#endif
-
-
-/* ======================================================================== */
-/* How the NAT is organised and works. */
-/* */
-/* Inside (interface y) NAT Outside (interface x) */
-/* -------------------- -+- ------------------------------------- */
-/* Packet going | out, processsed by fr_checknatout() for x */
-/* ------------> | ------------> */
-/* src=10.1.1.1 | src=192.1.1.1 */
-/* | */
-/* | in, processed by fr_checknatin() for x */
-/* <------------ | <------------ */
-/* dst=10.1.1.1 | dst=192.1.1.1 */
-/* -------------------- -+- ------------------------------------- */
-/* fr_checknatout() - changes ip_src and if required, sport */
-/* - creates a new mapping, if required. */
-/* fr_checknatin() - changes ip_dst and if required, dport */
-/* */
-/* In the NAT table, internal source is recorded as "in" and externally */
-/* seen as "out". */
-/* ======================================================================== */
-
-
-nat_t **nat_table[2] = { NULL, NULL },
- *nat_instances = NULL;
-ipnat_t *nat_list = NULL;
-u_int ipf_nattable_max = NAT_TABLE_MAX;
-u_int ipf_nattable_sz = NAT_TABLE_SZ;
-u_int ipf_natrules_sz = NAT_SIZE;
-u_int ipf_rdrrules_sz = RDR_SIZE;
-u_int ipf_hostmap_sz = HOSTMAP_SIZE;
-u_int fr_nat_maxbucket = 0,
- fr_nat_maxbucket_reset = 1;
-u_32_t nat_masks = 0;
-u_32_t rdr_masks = 0;
-ipnat_t **nat_rules = NULL;
-ipnat_t **rdr_rules = NULL;
-hostmap_t **maptable = NULL;
-ipftq_t nat_tqb[IPF_TCP_NSTATES];
-ipftq_t nat_udptq;
-ipftq_t nat_icmptq;
-ipftq_t nat_iptq;
-ipftq_t *nat_utqe = NULL;
-#ifdef IPFILTER_LOG
-int nat_logging = 1;
-#else
-int nat_logging = 0;
-#endif
-
-u_long fr_defnatage = DEF_NAT_AGE,
- fr_defnatipage = 120, /* 60 seconds */
- fr_defnaticmpage = 6; /* 3 seconds */
-natstat_t nat_stats;
-int fr_nat_lock = 0;
-int fr_nat_init = 0;
-#if SOLARIS
-extern int pfil_delayed_copy;
-#endif
-
-static int nat_flushtable __P((void));
-static int nat_clearlist __P((void));
-static void nat_addnat __P((struct ipnat *));
-static void nat_addrdr __P((struct ipnat *));
-static void nat_delete __P((struct nat *, int));
-static void nat_delrdr __P((struct ipnat *));
-static void nat_delnat __P((struct ipnat *));
-static int fr_natgetent __P((caddr_t));
-static int fr_natgetsz __P((caddr_t));
-static int fr_natputent __P((caddr_t, int));
-static void nat_tabmove __P((nat_t *));
-static int nat_match __P((fr_info_t *, ipnat_t *));
-static INLINE int nat_newmap __P((fr_info_t *, nat_t *, natinfo_t *));
-static INLINE int nat_newrdr __P((fr_info_t *, nat_t *, natinfo_t *));
-static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
- struct in_addr, struct in_addr, u_32_t));
-static void nat_hostmapdel __P((struct hostmap *));
-static INLINE int nat_icmpquerytype4 __P((int));
-static int nat_siocaddnat __P((ipnat_t *, ipnat_t **, int));
-static void nat_siocdelnat __P((ipnat_t *, ipnat_t **, int));
-static INLINE int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
- tcphdr_t *, nat_t **, int));
-static void nat_resolverule __P((ipnat_t *));
-static nat_t *fr_natclone __P((fr_info_t *, nat_t *));
-static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *));
-static INLINE int nat_wildok __P((nat_t *, int, int, int, int));
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natinit */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: Nil */
-/* */
-/* Initialise all of the NAT locks, tables and other structures. */
-/* ------------------------------------------------------------------------ */
-int fr_natinit()
-{
- int i;
-
- KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
- if (nat_table[0] != NULL)
- bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
- else
- return -1;
-
- KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
- if (nat_table[1] != NULL)
- bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
- else
- return -2;
-
- KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
- if (nat_rules != NULL)
- bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
- else
- return -3;
-
- KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
- if (rdr_rules != NULL)
- bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
- else
- return -4;
-
- KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
- if (maptable != NULL)
- bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
- else
- return -5;
-
- KMALLOCS(nat_stats.ns_bucketlen[0], u_long *,
- ipf_nattable_sz * sizeof(u_long));
- if (nat_stats.ns_bucketlen[0] == NULL)
- return -6;
- bzero((char *)nat_stats.ns_bucketlen[0],
- ipf_nattable_sz * sizeof(u_long));
-
- KMALLOCS(nat_stats.ns_bucketlen[1], u_long *,
- ipf_nattable_sz * sizeof(u_long));
- if (nat_stats.ns_bucketlen[1] == NULL)
- return -7;
-
- bzero((char *)nat_stats.ns_bucketlen[1],
- ipf_nattable_sz * sizeof(u_long));
-
- if (fr_nat_maxbucket == 0) {
- for (i = ipf_nattable_sz; i > 0; i >>= 1)
- fr_nat_maxbucket++;
- fr_nat_maxbucket *= 2;
- }
-
- fr_sttab_init(nat_tqb);
- /*
- * Increase this because we may have "keep state" following this too
- * and packet storms can occur if this is removed too quickly.
- */
- nat_tqb[IPF_TCPS_CLOSED].ifq_ttl = fr_tcplastack;
- nat_tqb[IPF_TCP_NSTATES - 1].ifq_next = &nat_udptq;
- nat_udptq.ifq_ttl = fr_defnatage;
- nat_udptq.ifq_ref = 1;
- nat_udptq.ifq_head = NULL;
- nat_udptq.ifq_tail = &nat_udptq.ifq_head;
- MUTEX_INIT(&nat_udptq.ifq_lock, "nat ipftq udp tab");
- nat_udptq.ifq_next = &nat_icmptq;
- nat_icmptq.ifq_ttl = fr_defnaticmpage;
- nat_icmptq.ifq_ref = 1;
- nat_icmptq.ifq_head = NULL;
- nat_icmptq.ifq_tail = &nat_icmptq.ifq_head;
- MUTEX_INIT(&nat_icmptq.ifq_lock, "nat icmp ipftq tab");
- nat_icmptq.ifq_next = &nat_iptq;
- nat_iptq.ifq_ttl = fr_defnatipage;
- nat_iptq.ifq_ref = 1;
- nat_iptq.ifq_head = NULL;
- nat_iptq.ifq_tail = &nat_iptq.ifq_head;
- MUTEX_INIT(&nat_iptq.ifq_lock, "nat ip ipftq tab");
- nat_iptq.ifq_next = NULL;
-
- for (i = 0; i < IPF_TCP_NSTATES; i++) {
- if (nat_tqb[i].ifq_ttl < fr_defnaticmpage)
- nat_tqb[i].ifq_ttl = fr_defnaticmpage;
-#ifdef LARGE_NAT
- else if (nat_tqb[i].ifq_ttl > fr_defnatage)
- nat_tqb[i].ifq_ttl = fr_defnatage;
-#endif
- }
-
- /*
- * Increase this because we may have "keep state" following
- * this too and packet storms can occur if this is removed
- * too quickly.
- */
- nat_tqb[IPF_TCPS_CLOSED].ifq_ttl = nat_tqb[IPF_TCPS_LAST_ACK].ifq_ttl;
-
- RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock");
- RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock");
- MUTEX_INIT(&ipf_nat_new, "ipf nat new mutex");
- MUTEX_INIT(&ipf_natio, "ipf nat io mutex");
-
- fr_nat_init = 1;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_addrdr */
-/* Returns: Nil */
-/* Parameters: n(I) - pointer to NAT rule to add */
-/* */
-/* Adds a redirect rule to the hash table of redirect rules and the list of */
-/* loaded NAT rules. Updates the bitmask indicating which netmasks are in */
-/* use by redirect rules. */
-/* ------------------------------------------------------------------------ */
-static void nat_addrdr(n)
-ipnat_t *n;
-{
- ipnat_t **np;
- u_32_t j;
- u_int hv;
- int k;
-
- k = count4bits(n->in_outmsk);
- if ((k >= 0) && (k != 32))
- rdr_masks |= 1 << k;
- j = (n->in_outip & n->in_outmsk);
- hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
- np = rdr_rules + hv;
- while (*np != NULL)
- np = &(*np)->in_rnext;
- n->in_rnext = NULL;
- n->in_prnext = np;
- n->in_hv = hv;
- *np = n;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_addnat */
-/* Returns: Nil */
-/* Parameters: n(I) - pointer to NAT rule to add */
-/* */
-/* Adds a NAT map rule to the hash table of rules and the list of loaded */
-/* NAT rules. Updates the bitmask indicating which netmasks are in use by */
-/* redirect rules. */
-/* ------------------------------------------------------------------------ */
-static void nat_addnat(n)
-ipnat_t *n;
-{
- ipnat_t **np;
- u_32_t j;
- u_int hv;
- int k;
-
- k = count4bits(n->in_inmsk);
- if ((k >= 0) && (k != 32))
- nat_masks |= 1 << k;
- j = (n->in_inip & n->in_inmsk);
- hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
- np = nat_rules + hv;
- while (*np != NULL)
- np = &(*np)->in_mnext;
- n->in_mnext = NULL;
- n->in_pmnext = np;
- n->in_hv = hv;
- *np = n;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_delrdr */
-/* Returns: Nil */
-/* Parameters: n(I) - pointer to NAT rule to delete */
-/* */
-/* Removes a redirect rule from the hash table of redirect rules. */
-/* ------------------------------------------------------------------------ */
-static void nat_delrdr(n)
-ipnat_t *n;
-{
- if (n->in_rnext)
- n->in_rnext->in_prnext = n->in_prnext;
- *n->in_prnext = n->in_rnext;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_delnat */
-/* Returns: Nil */
-/* Parameters: n(I) - pointer to NAT rule to delete */
-/* */
-/* Removes a NAT map rule from the hash table of NAT map rules. */
-/* ------------------------------------------------------------------------ */
-static void nat_delnat(n)
-ipnat_t *n;
-{
- if (n->in_mnext != NULL)
- n->in_mnext->in_pmnext = n->in_pmnext;
- *n->in_pmnext = n->in_mnext;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_hostmap */
-/* Returns: struct hostmap* - NULL if no hostmap could be created, */
-/* else a pointer to the hostmapping to use */
-/* Parameters: np(I) - pointer to NAT rule */
-/* real(I) - real IP address */
-/* map(I) - mapped IP address */
-/* port(I) - destination port number */
-/* Write Locks: ipf_nat */
-/* */
-/* Check if an ip address has already been allocated for a given mapping */
-/* that is not doing port based translation. If is not yet allocated, then */
-/* create a new entry if a non-NULL NAT rule pointer has been supplied. */
-/* ------------------------------------------------------------------------ */
-static struct hostmap *nat_hostmap(np, src, dst, map, port)
-ipnat_t *np;
-struct in_addr src;
-struct in_addr dst;
-struct in_addr map;
-u_32_t port;
-{
- hostmap_t *hm;
- u_int hv;
-
- hv = (src.s_addr ^ dst.s_addr);
- hv += src.s_addr;
- hv += dst.s_addr;
- hv %= HOSTMAP_SIZE;
- for (hm = maptable[hv]; hm; hm = hm->hm_next)
- if ((hm->hm_srcip.s_addr == src.s_addr) &&
- (hm->hm_dstip.s_addr == dst.s_addr) &&
- ((np == NULL) || (np == hm->hm_ipnat)) &&
- ((port == 0) || (port == hm->hm_port))) {
- hm->hm_ref++;
- return hm;
- }
-
- if (np == NULL)
- return NULL;
-
- KMALLOC(hm, hostmap_t *);
- if (hm) {
- hm->hm_next = maptable[hv];
- hm->hm_pnext = maptable + hv;
- if (maptable[hv] != NULL)
- maptable[hv]->hm_pnext = &hm->hm_next;
- maptable[hv] = hm;
- hm->hm_ipnat = np;
- hm->hm_srcip = src;
- hm->hm_dstip = dst;
- hm->hm_mapip = map;
- hm->hm_ref = 1;
- hm->hm_port = port;
- }
- return hm;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_hostmapdel */
-/* Returns: Nil */
-/* Parameters: hm(I) - pointer to hostmap structure */
-/* Write Locks: ipf_nat */
-/* */
-/* Decrement the references to this hostmap structure by one. If this */
-/* reaches zero then remove it and free it. */
-/* ------------------------------------------------------------------------ */
-static void nat_hostmapdel(hm)
-struct hostmap *hm;
-{
- hm->hm_ref--;
- if (hm->hm_ref == 0) {
- if (hm->hm_next)
- hm->hm_next->hm_pnext = hm->hm_pnext;
- *hm->hm_pnext = hm->hm_next;
- KFREE(hm);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fix_outcksum */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* sp(I) - location of 16bit checksum to update */
-/* n((I) - amount to adjust checksum by */
-/* */
-/* Adjusts the 16bit checksum by "n" for packets going out. */
-/* ------------------------------------------------------------------------ */
-void fix_outcksum(fin, sp, n)
-fr_info_t *fin;
-u_short *sp;
-u_32_t n;
-{
- u_short sumshort;
- u_32_t sum1;
-
- if (n == 0)
- return;
-
- if (n & NAT_HW_CKSUM) {
- n &= 0xffff;
- n += fin->fin_dlen;
- n = (n & 0xffff) + (n >> 16);
- *sp = n & 0xffff;
- return;
- }
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += (n);
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fix_incksum */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* sp(I) - location of 16bit checksum to update */
-/* n((I) - amount to adjust checksum by */
-/* */
-/* Adjusts the 16bit checksum by "n" for packets going in. */
-/* ------------------------------------------------------------------------ */
-void fix_incksum(fin, sp, n)
-fr_info_t *fin;
-u_short *sp;
-u_32_t n;
-{
- u_short sumshort;
- u_32_t sum1;
-
- if (n == 0)
- return;
-
- if (n & NAT_HW_CKSUM) {
- n &= 0xffff;
- n += fin->fin_dlen;
- n = (n & 0xffff) + (n >> 16);
- *sp = n & 0xffff;
- return;
- }
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += ~(n) & 0xffff;
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fix_datacksum */
-/* Returns: Nil */
-/* Parameters: sp(I) - location of 16bit checksum to update */
-/* n((I) - amount to adjust checksum by */
-/* */
-/* Fix_datacksum is used *only* for the adjustments of checksums in the */
-/* data section of an IP packet. */
-/* */
-/* The only situation in which you need to do this is when NAT'ing an */
-/* ICMP error message. Such a message, contains in its body the IP header */
-/* of the original IP packet, that causes the error. */
-/* */
-/* You can't use fix_incksum or fix_outcksum in that case, because for the */
-/* kernel the data section of the ICMP error is just data, and no special */
-/* processing like hardware cksum or ntohs processing have been done by the */
-/* kernel on the data section. */
-/* ------------------------------------------------------------------------ */
-void fix_datacksum(sp, n)
-u_short *sp;
-u_32_t n;
-{
- u_short sumshort;
- u_32_t sum1;
-
- if (n == 0)
- return;
-
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += (n);
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_nat_ioctl */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* cmd(I) - ioctl command integer */
-/* mode(I) - file mode bits used with open */
-/* */
-/* Processes an ioctl call made to operate on the IP Filter NAT device. */
-/* ------------------------------------------------------------------------ */
-int fr_nat_ioctl(data, cmd, mode)
-ioctlcmd_t cmd;
-caddr_t data;
-int mode;
-{
- ipnat_t *nat, *nt, *n = NULL, **np = NULL;
- int error = 0, ret, arg, getlock;
- ipnat_t natd;
-
-#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel >= 2) && (mode & FWRITE))
- return EPERM;
-#endif
-
-#if defined(__osf__) && defined(_KERNEL)
- getlock = 0;
-#else
- getlock = (mode & NAT_LOCKHELD) ? 0 : 1;
-#endif
-
- nat = NULL; /* XXX gcc -Wuninitialized */
- if (cmd == (ioctlcmd_t)SIOCADNAT) {
- KMALLOC(nt, ipnat_t *);
- } else {
- nt = NULL;
- }
-
- if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT)) {
- if (mode & NAT_SYSSPACE) {
- bcopy(data, (char *)&natd, sizeof(natd));
- error = 0;
- } else {
- error = fr_inobj(data, &natd, IPFOBJ_IPNAT);
- }
-
- } else if (cmd == (ioctlcmd_t)SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
- BCOPYIN(data, &arg, sizeof(arg));
- }
-
- if (error != 0)
- goto done;
-
- /*
- * For add/delete, look to see if the NAT entry is already present
- */
- if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT)) {
- nat = &natd;
- if (nat->in_v == 0) /* For backward compat. */
- nat->in_v = 4;
- nat->in_flags &= IPN_USERFLAGS;
- if ((nat->in_redir & NAT_MAPBLK) == 0) {
- if ((nat->in_flags & IPN_SPLIT) == 0)
- nat->in_inip &= nat->in_inmsk;
- if ((nat->in_flags & IPN_IPRANGE) == 0)
- nat->in_outip &= nat->in_outmsk;
- }
- MUTEX_ENTER(&ipf_natio);
- for (np = &nat_list; ((n = *np) != NULL); np = &n->in_next)
- if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
- IPN_CMPSIZ))
- break;
- }
-
- switch (cmd)
- {
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- {
- int tmp;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- tmp = ipflog_clear(IPL_LOGNAT);
- BCOPYOUT((char *)&tmp, (char *)data, sizeof(tmp));
- }
- break;
- }
- case SIOCSETLG :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- BCOPYIN((char *)data, (char *)&nat_logging,
- sizeof(nat_logging));
- }
- break;
- case SIOCGETLG :
- BCOPYOUT((char *)&nat_logging, (char *)data,
- sizeof(nat_logging));
- break;
- case FIONREAD :
- arg = iplused[IPL_LOGNAT];
- BCOPYOUT(&arg, data, sizeof(arg));
- break;
-#endif
- case SIOCADNAT :
- if (!(mode & FWRITE)) {
- error = EPERM;
- } else if (n != NULL) {
- error = EEXIST;
- } else if (nt == NULL) {
- error = ENOMEM;
- }
- if (error != 0) {
- MUTEX_EXIT(&ipf_natio);
- break;
- }
- bcopy((char *)nat, (char *)nt, sizeof(*n));
- error = nat_siocaddnat(nt, np, getlock);
- MUTEX_EXIT(&ipf_natio);
- if (error == 0)
- nt = NULL;
- break;
- case SIOCRMNAT :
- if (!(mode & FWRITE)) {
- error = EPERM;
- n = NULL;
- } else if (n == NULL) {
- error = ESRCH;
- }
-
- if (error != 0) {
- MUTEX_EXIT(&ipf_natio);
- break;
- }
- nat_siocdelnat(n, np, getlock);
-
- MUTEX_EXIT(&ipf_natio);
- n = NULL;
- break;
- case SIOCGNATS :
- nat_stats.ns_table[0] = nat_table[0];
- nat_stats.ns_table[1] = nat_table[1];
- nat_stats.ns_list = nat_list;
- nat_stats.ns_maptable = maptable;
- nat_stats.ns_nattab_sz = ipf_nattable_sz;
- nat_stats.ns_nattab_max = ipf_nattable_max;
- nat_stats.ns_rultab_sz = ipf_natrules_sz;
- nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
- nat_stats.ns_hostmap_sz = ipf_hostmap_sz;
- nat_stats.ns_instances = nat_instances;
- nat_stats.ns_apslist = ap_sess_list;
- error = fr_outobj(data, &nat_stats, IPFOBJ_NATSTAT);
- break;
- case SIOCGNATL :
- {
- natlookup_t nl;
-
- if (getlock) {
- READ_ENTER(&ipf_nat);
- }
- error = fr_inobj(data, &nl, IPFOBJ_NATLOOKUP);
- if (error == 0) {
- if (nat_lookupredir(&nl) != NULL) {
- error = fr_outobj(data, &nl, IPFOBJ_NATLOOKUP);
- } else {
- error = ESRCH;
- }
- }
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat);
- }
- break;
- }
- case SIOCIPFFL : /* old SIOCFLNAT & SIOCCNATL */
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- if (getlock) {
- WRITE_ENTER(&ipf_nat);
- }
- error = 0;
- if (arg == 0)
- ret = nat_flushtable();
- else if (arg == 1)
- ret = nat_clearlist();
- else
- error = EINVAL;
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat);
- }
- if (error == 0) {
- BCOPYOUT(&ret, data, sizeof(ret));
- }
- break;
- case SIOCPROXY :
- error = appr_ioctl(data, cmd, mode);
- break;
- case SIOCSTLCK :
- fr_lock(data, &fr_nat_lock);
- break;
- case SIOCSTPUT :
- if (fr_nat_lock) {
- error = fr_natputent(data, getlock);
- } else {
- error = EACCES;
- }
- break;
- case SIOCSTGSZ :
- if (fr_nat_lock) {
- if (getlock) {
- READ_ENTER(&ipf_nat);
- }
- error = fr_natgetsz(data);
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat);
- }
- } else
- error = EACCES;
- break;
- case SIOCSTGET :
- if (fr_nat_lock) {
- if (getlock) {
- READ_ENTER(&ipf_nat);
- }
- error = fr_natgetent(data);
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat);
- }
- } else
- error = EACCES;
- break;
- default :
- error = EINVAL;
- break;
- }
-done:
- if (nt)
- KFREE(nt);
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_siocaddnat */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: n(I) - pointer to new NAT rule */
-/* np(I) - pointer to where to insert new NAT rule */
-/* getlock(I) - flag indicating if lock on ipf_nat is held */
-/* Mutex Locks: ipf_natio */
-/* */
-/* Handle SIOCADNAT. Resolve and calculate details inside the NAT rule */
-/* from information passed to the kernel, then add it to the appropriate */
-/* NAT rule table(s). */
-/* ------------------------------------------------------------------------ */
-static int nat_siocaddnat(n, np, getlock)
-ipnat_t *n, **np;
-int getlock;
-{
- int error = 0, i, j;
-
- nat_resolverule(n);
- if (n->in_plabel[0] != '\0') {
- if (n->in_apr == NULL)
- return ENOENT;
- }
-
- if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
- return EINVAL;
-
- n->in_use = 0;
- if (n->in_redir & NAT_MAPBLK)
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- else if (n->in_flags & IPN_AUTOPORTMAP)
- n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
- else if (n->in_flags & IPN_IPRANGE)
- n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
- else if (n->in_flags & IPN_SPLIT)
- n->in_space = 2;
- else if (n->in_outmsk != 0)
- n->in_space = ~ntohl(n->in_outmsk);
- else
- n->in_space = 1;
-
- /*
- * Calculate the number of valid IP addresses in the output
- * mapping range. In all cases, the range is inclusive of
- * the start and ending IP addresses.
- * If to a CIDR address, lose 2: broadcast + network address
- * (so subtract 1)
- * If to a range, add one.
- * If to a single IP address, set to 1.
- */
- if (n->in_space) {
- if ((n->in_flags & IPN_IPRANGE) != 0)
- n->in_space += 1;
- else
- n->in_space -= 1;
- } else
- n->in_space = 1;
-
- if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
- ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
- n->in_nip = ntohl(n->in_outip) + 1;
- else if ((n->in_flags & IPN_SPLIT) &&
- (n->in_redir & NAT_REDIRECT))
- n->in_nip = ntohl(n->in_inip);
- else
- n->in_nip = ntohl(n->in_outip);
- if (n->in_redir & NAT_MAP) {
- n->in_pnext = ntohs(n->in_pmin);
- /*
- * Multiply by the number of ports made available.
- */
- if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
- n->in_space *= (ntohs(n->in_pmax) -
- ntohs(n->in_pmin) + 1);
- /*
- * Because two different sources can map to
- * different destinations but use the same
- * local IP#/port #.
- * If the result is smaller than in_space, then
- * we may have wrapped around 32bits.
- */
- i = n->in_inmsk;
- if ((i != 0) && (i != 0xffffffff)) {
- j = n->in_space * (~ntohl(i) + 1);
- if (j >= n->in_space)
- n->in_space = j;
- else
- n->in_space = 0xffffffff;
- }
- }
- /*
- * If no protocol is specified, multiple by 256 to allow for
- * at least one IP:IP mapping per protocol.
- */
- if ((n->in_flags & IPN_TCPUDPICMP) == 0) {
- j = n->in_space * 256;
- if (j >= n->in_space)
- n->in_space = j;
- else
- n->in_space = 0xffffffff;
- }
- }
-
- /* Otherwise, these fields are preset */
-
- if (getlock) {
- WRITE_ENTER(&ipf_nat);
- }
- n->in_next = NULL;
- *np = n;
-
- if (n->in_age[0] != 0)
- n->in_tqehead[0] = fr_addtimeoutqueue(&nat_utqe, n->in_age[0]);
-
- if (n->in_age[1] != 0)
- n->in_tqehead[1] = fr_addtimeoutqueue(&nat_utqe, n->in_age[1]);
-
- if (n->in_redir & NAT_REDIRECT) {
- n->in_flags &= ~IPN_NOTDST;
- nat_addrdr(n);
- }
- if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
- n->in_flags &= ~IPN_NOTSRC;
- nat_addnat(n);
- }
- n = NULL;
- nat_stats.ns_rules++;
-#if SOLARIS
- pfil_delayed_copy = 0;
-#endif
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat); /* WRITE */
- }
-
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_resolvrule */
-/* Returns: Nil */
-/* Parameters: n(I) - pointer to NAT rule */
-/* */
-/* Handle SIOCADNAT. Resolve and calculate details inside the NAT rule */
-/* from information passed to the kernel, then add it to the appropriate */
-/* NAT rule table(s). */
-/* ------------------------------------------------------------------------ */
-static void nat_resolverule(n)
-ipnat_t *n;
-{
- n->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- n->in_ifps[0] = fr_resolvenic(n->in_ifnames[0], 4);
-
- n->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- if (n->in_ifnames[1][0] == '\0') {
- (void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ);
- n->in_ifps[1] = n->in_ifps[0];
- } else {
- n->in_ifps[1] = fr_resolvenic(n->in_ifnames[0], 4);
- }
-
- if (n->in_plabel[0] != '\0') {
- n->in_apr = appr_lookup(n->in_p, n->in_plabel);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_siocdelnat */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: n(I) - pointer to new NAT rule */
-/* np(I) - pointer to where to insert new NAT rule */
-/* getlock(I) - flag indicating if lock on ipf_nat is held */
-/* Mutex Locks: ipf_natio */
-/* */
-/* Handle SIOCADNAT. Resolve and calculate details inside the NAT rule */
-/* from information passed to the kernel, then add it to the appropriate */
-/* NAT rule table(s). */
-/* ------------------------------------------------------------------------ */
-static void nat_siocdelnat(n, np, getlock)
-ipnat_t *n, **np;
-int getlock;
-{
- if (getlock) {
- WRITE_ENTER(&ipf_nat);
- }
- if (n->in_redir & NAT_REDIRECT)
- nat_delrdr(n);
- if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
- nat_delnat(n);
- if (nat_list == NULL) {
- nat_masks = 0;
- rdr_masks = 0;
- }
-
- if (n->in_tqehead[0] != NULL) {
- if (fr_deletetimeoutqueue(n->in_tqehead[0]) == 0) {
- fr_freetimeoutqueue(n->in_tqehead[1]);
- }
- }
-
- if (n->in_tqehead[1] != NULL) {
- if (fr_deletetimeoutqueue(n->in_tqehead[1]) == 0) {
- fr_freetimeoutqueue(n->in_tqehead[1]);
- }
- }
-
- *np = n->in_next;
-
- if (n->in_use == 0) {
- if (n->in_apr)
- appr_free(n->in_apr);
- KFREE(n);
- nat_stats.ns_rules--;
-#if SOLARIS
- if (nat_stats.ns_rules == 0)
- pfil_delayed_copy = 1;
-#endif
- } else {
- n->in_flags |= IPN_DELETE;
- n->in_next = NULL;
- }
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natgetsz */
-/* Returns: int - 0 == success, != 0 is the error value. */
-/* Parameters: data(I) - pointer to natget structure with kernel pointer */
-/* get the size of. */
-/* */
-/* Handle SIOCSTGSZ. */
-/* Return the size of the nat list entry to be copied back to user space. */
-/* The size of the entry is stored in the ng_sz field and the enture natget */
-/* structure is copied back to the user. */
-/* ------------------------------------------------------------------------ */
-static int fr_natgetsz(data)
-caddr_t data;
-{
- ap_session_t *aps;
- nat_t *nat, *n;
- natget_t ng;
-
- BCOPYIN(data, &ng, sizeof(ng));
-
- nat = ng.ng_ptr;
- if (!nat) {
- nat = nat_instances;
- ng.ng_sz = 0;
- /*
- * Empty list so the size returned is 0. Simple.
- */
- if (nat == NULL) {
- BCOPYOUT(&ng, data, sizeof(ng));
- return 0;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (n = nat_instances; n; n = n->nat_next)
- if (n == nat)
- break;
- if (!n)
- return ESRCH;
- }
-
- /*
- * Incluse any space required for proxy data structures.
- */
- ng.ng_sz = sizeof(nat_save_t);
- aps = nat->nat_aps;
- if (aps != NULL) {
- ng.ng_sz += sizeof(ap_session_t) - 4;
- if (aps->aps_data != 0)
- ng.ng_sz += aps->aps_psiz;
- }
-
- BCOPYOUT(&ng, data, sizeof(ng));
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natgetent */
-/* Returns: int - 0 == success, != 0 is the error value. */
-/* Parameters: data(I) - pointer to natget structure with kernel pointer */
-/* to NAT structure to copy out. */
-/* */
-/* Handle SIOCSTGET. */
-/* Copies out NAT entry to user space. Any additional data held for a */
-/* proxy is also copied, as to is the NAT rule which was responsible for it */
-/* ------------------------------------------------------------------------ */
-static int fr_natgetent(data)
-caddr_t data;
-{
- int error, outsize;
- ap_session_t *aps;
- nat_save_t *ipn, ipns;
- nat_t *n, *nat;
-
- error = fr_inobj(data, &ipns, IPFOBJ_NATSAVE);
- if (error != 0)
- return error;
-
- if ((ipns.ipn_dsize < sizeof(ipns)) || (ipns.ipn_dsize > 81920))
- return EINVAL;
-
- KMALLOCS(ipn, nat_save_t *, ipns.ipn_dsize);
- if (ipn == NULL)
- return ENOMEM;
-
- ipn->ipn_dsize = ipns.ipn_dsize;
- nat = ipns.ipn_next;
- if (nat == NULL) {
- nat = nat_instances;
- if (nat == NULL) {
- if (nat_instances == NULL)
- error = ENOENT;
- goto finished;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (n = nat_instances; n; n = n->nat_next)
- if (n == nat)
- break;
- if (n == NULL) {
- error = ESRCH;
- goto finished;
- }
- }
- ipn->ipn_next = nat->nat_next;
-
- /*
- * Copy the NAT structure.
- */
- bcopy((char *)nat, &ipn->ipn_nat, sizeof(*nat));
-
- /*
- * If we have a pointer to the NAT rule it belongs to, save that too.
- */
- if (nat->nat_ptr != NULL)
- bcopy((char *)nat->nat_ptr, (char *)&ipn->ipn_ipnat,
- sizeof(ipn->ipn_ipnat));
-
- /*
- * If we also know the NAT entry has an associated filter rule,
- * save that too.
- */
- if (nat->nat_fr != NULL)
- bcopy((char *)nat->nat_fr, (char *)&ipn->ipn_fr,
- sizeof(ipn->ipn_fr));
-
- /*
- * Last but not least, if there is an application proxy session set
- * up for this NAT entry, then copy that out too, including any
- * private data saved along side it by the proxy.
- */
- aps = nat->nat_aps;
- outsize = ipn->ipn_dsize - sizeof(*ipn) + sizeof(ipn->ipn_data);
- if (aps != NULL) {
- char *s;
-
- if (outsize < sizeof(*aps)) {
- error = ENOBUFS;
- goto finished;
- }
-
- s = ipn->ipn_data;
- bcopy((char *)aps, s, sizeof(*aps));
- s += sizeof(*aps);
- outsize -= sizeof(*aps);
- if ((aps->aps_data != NULL) && (outsize >= aps->aps_psiz))
- bcopy(aps->aps_data, s, aps->aps_psiz);
- else
- error = ENOBUFS;
- }
- if (error == 0) {
- error = fr_outobjsz(data, ipn, IPFOBJ_NATSAVE, ipns.ipn_dsize);
- }
-
-finished:
- if (ipn != NULL) {
- KFREES(ipn, ipns.ipn_dsize);
- }
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natputent */
-/* Returns: int - 0 == success, != 0 is the error value. */
-/* Parameters: data(I) - pointer to natget structure with NAT */
-/* structure information to load into the kernel */
-/* getlock(I) - flag indicating whether or not a write lock */
-/* on ipf_nat is already held. */
-/* */
-/* Handle SIOCSTPUT. */
-/* Loads a NAT table entry from user space, including a NAT rule, proxy and */
-/* firewall rule data structures, if pointers to them indicate so. */
-/* ------------------------------------------------------------------------ */
-static int fr_natputent(data, getlock)
-caddr_t data;
-int getlock;
-{
- nat_save_t ipn, *ipnn;
- ap_session_t *aps;
- nat_t *n, *nat;
- frentry_t *fr;
- fr_info_t fin;
- ipnat_t *in;
- int error;
-
- error = fr_inobj(data, &ipn, IPFOBJ_NATSAVE);
- if (error != 0)
- return error;
-
- /*
- * Initialise early because of code at junkput label.
- */
- in = NULL;
- aps = NULL;
- nat = NULL;
- ipnn = NULL;
-
- /*
- * New entry, copy in the rest of the NAT entry if it's size is more
- * than just the nat_t structure.
- */
- fr = NULL;
- if (ipn.ipn_dsize > sizeof(ipn)) {
- if (ipn.ipn_dsize > 81920) {
- error = ENOMEM;
- goto junkput;
- }
-
- KMALLOCS(ipnn, nat_save_t *, ipn.ipn_dsize);
- if (ipnn == NULL)
- return ENOMEM;
-
- error = fr_inobjsz(data, ipnn, IPFOBJ_NATSAVE, ipn.ipn_dsize);
- if (error != 0) {
- error = EFAULT;
- goto junkput;
- }
- } else
- ipnn = &ipn;
-
- KMALLOC(nat, nat_t *);
- if (nat == NULL) {
- error = ENOMEM;
- goto junkput;
- }
-
- bcopy((char *)&ipnn->ipn_nat, (char *)nat, sizeof(*nat));
- /*
- * Initialize all these so that nat_delete() doesn't cause a crash.
- */
- bzero((char *)nat, offsetof(struct nat, nat_tqe));
- nat->nat_tqe.tqe_pnext = NULL;
- nat->nat_tqe.tqe_next = NULL;
- nat->nat_tqe.tqe_ifq = NULL;
- nat->nat_tqe.tqe_parent = nat;
-
- /*
- * Restore the rule associated with this nat session
- */
- in = ipnn->ipn_nat.nat_ptr;
- if (in != NULL) {
- KMALLOC(in, ipnat_t *);
- nat->nat_ptr = in;
- if (in == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- bzero((char *)in, offsetof(struct ipnat, in_next6));
- bcopy((char *)&ipnn->ipn_ipnat, (char *)in, sizeof(*in));
- in->in_use = 1;
- in->in_flags |= IPN_DELETE;
-
- ATOMIC_INC(nat_stats.ns_rules);
-
- nat_resolverule(in);
- }
-
- /*
- * Check that the NAT entry doesn't already exist in the kernel.
- */
- bzero((char *)&fin, sizeof(fin));
- fin.fin_p = nat->nat_p;
- if (nat->nat_dir == NAT_OUTBOUND) {
- fin.fin_data[0] = ntohs(nat->nat_oport);
- fin.fin_data[1] = ntohs(nat->nat_outport);
- fin.fin_ifp = nat->nat_ifps[1];
- if (nat_inlookup(&fin, 0, fin.fin_p, nat->nat_oip,
- nat->nat_inip) != NULL) {
- error = EEXIST;
- goto junkput;
- }
- } else if (nat->nat_dir == NAT_INBOUND) {
- fin.fin_data[0] = ntohs(nat->nat_outport);
- fin.fin_data[1] = ntohs(nat->nat_oport);
- fin.fin_ifp = nat->nat_ifps[0];
- if (nat_outlookup(&fin, 0, fin.fin_p, nat->nat_outip,
- nat->nat_oip) != NULL) {
- error = EEXIST;
- goto junkput;
- }
- } else {
- error = EINVAL;
- goto junkput;
- }
-
- /*
- * Restore ap_session_t structure. Include the private data allocated
- * if it was there.
- */
- aps = nat->nat_aps;
- if (aps != NULL) {
- KMALLOC(aps, ap_session_t *);
- nat->nat_aps = aps;
- if (aps == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
- if (in != NULL)
- aps->aps_apr = in->in_apr;
- else
- aps->aps_apr = NULL;
- if (aps->aps_psiz != 0) {
- if (aps->aps_psiz > 81920) {
- error = ENOMEM;
- goto junkput;
- }
- KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
- if (aps->aps_data == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
- aps->aps_psiz);
- } else {
- aps->aps_psiz = 0;
- aps->aps_data = NULL;
- }
- }
-
- /*
- * If there was a filtering rule associated with this entry then
- * build up a new one.
- */
- fr = nat->nat_fr;
- if (fr != NULL) {
- if ((nat->nat_flags & SI_NEWFR) != 0) {
- KMALLOC(fr, frentry_t *);
- nat->nat_fr = fr;
- if (fr == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- ipnn->ipn_nat.nat_fr = fr;
- fr->fr_ref = 1;
- (void) fr_outobj(data, ipnn, IPFOBJ_NATSAVE);
- bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr));
- MUTEX_NUKE(&fr->fr_lock);
- MUTEX_INIT(&fr->fr_lock, "nat-filter rule lock");
- } else {
- READ_ENTER(&ipf_nat);
- for (n = nat_instances; n; n = n->nat_next)
- if (n->nat_fr == fr)
- break;
-
- if (n != NULL) {
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref++;
- MUTEX_EXIT(&fr->fr_lock);
- }
- RWLOCK_EXIT(&ipf_nat);
-
- if (!n) {
- error = ESRCH;
- goto junkput;
- }
- }
- }
-
- if (ipnn != &ipn) {
- KFREES(ipnn, ipn.ipn_dsize);
- ipnn = NULL;
- }
-
- if (getlock) {
- WRITE_ENTER(&ipf_nat);
- }
- error = nat_insert(nat, nat->nat_rev);
- if ((error == 0) && (aps != NULL)) {
- aps->aps_next = ap_sess_list;
- ap_sess_list = aps;
- }
- if (getlock) {
- RWLOCK_EXIT(&ipf_nat);
- }
-
- if (error == 0)
- return 0;
-
- error = ENOMEM;
-
-junkput:
- if (fr != NULL)
- fr_derefrule(&fr);
-
- if ((ipnn != NULL) && (ipnn != &ipn)) {
- KFREES(ipnn, ipn.ipn_dsize);
- }
- if (nat != NULL) {
- if (aps != NULL) {
- if (aps->aps_data != NULL) {
- KFREES(aps->aps_data, aps->aps_psiz);
- }
- KFREE(aps);
- }
- if (in != NULL) {
- if (in->in_apr)
- appr_free(in->in_apr);
- KFREE(in);
- }
- KFREE(nat);
- }
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_delete */
-/* Returns: Nil */
-/* Parameters: natd(I) - pointer to NAT structure to delete */
-/* logtype(I) - type of LOG record to create before deleting */
-/* Write Lock: ipf_nat */
-/* */
-/* Delete a nat entry from the various lists and table. If NAT logging is */
-/* enabled then generate a NAT log record for this event. */
-/* ------------------------------------------------------------------------ */
-static void nat_delete(nat, logtype)
-struct nat *nat;
-int logtype;
-{
- struct ipnat *ipn;
-
- if (logtype != 0 && nat_logging != 0)
- nat_log(nat, logtype);
-
- MUTEX_ENTER(&ipf_nat_new);
-
- /*
- * Take it as a general indication that all the pointers are set if
- * nat_pnext is set.
- */
- if (nat->nat_pnext != NULL) {
- nat_stats.ns_bucketlen[0][nat->nat_hv[0]]--;
- nat_stats.ns_bucketlen[1][nat->nat_hv[1]]--;
-
- *nat->nat_pnext = nat->nat_next;
- if (nat->nat_next != NULL) {
- nat->nat_next->nat_pnext = nat->nat_pnext;
- nat->nat_next = NULL;
- }
- nat->nat_pnext = NULL;
-
- *nat->nat_phnext[0] = nat->nat_hnext[0];
- if (nat->nat_hnext[0] != NULL) {
- nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
- nat->nat_hnext[0] = NULL;
- }
- nat->nat_phnext[0] = NULL;
-
- *nat->nat_phnext[1] = nat->nat_hnext[1];
- if (nat->nat_hnext[1] != NULL) {
- nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
- nat->nat_hnext[1] = NULL;
- }
- nat->nat_phnext[1] = NULL;
-
- if ((nat->nat_flags & SI_WILDP) != 0)
- nat_stats.ns_wilds--;
- }
-
- if (nat->nat_me != NULL) {
- *nat->nat_me = NULL;
- nat->nat_me = NULL;
- }
-
- fr_deletequeueentry(&nat->nat_tqe);
-
- nat->nat_ref--;
- if (nat->nat_ref > 0) {
- MUTEX_EXIT(&ipf_nat_new);
- return;
- }
-
-#ifdef IPFILTER_SYNC
- if (nat->nat_sync)
- ipfsync_del(nat->nat_sync);
-#endif
-
- if (nat->nat_fr != NULL)
- (void)fr_derefrule(&nat->nat_fr);
-
- if (nat->nat_hm != NULL)
- nat_hostmapdel(nat->nat_hm);
-
- /*
- * If there is an active reference from the nat entry to its parent
- * rule, decrement the rule's reference count and free it too if no
- * longer being used.
- */
- ipn = nat->nat_ptr;
- if (ipn != NULL) {
- ipn->in_space++;
- ipn->in_use--;
- if (ipn->in_use == 0 && (ipn->in_flags & IPN_DELETE)) {
- if (ipn->in_apr)
- appr_free(ipn->in_apr);
- KFREE(ipn);
- nat_stats.ns_rules--;
-#if SOLARIS
- if (nat_stats.ns_rules == 0)
- pfil_delayed_copy = 1;
-#endif
- }
- }
-
- MUTEX_DESTROY(&nat->nat_lock);
-
- aps_free(nat->nat_aps);
- nat_stats.ns_inuse--;
- MUTEX_EXIT(&ipf_nat_new);
-
- /*
- * If there's a fragment table entry too for this nat entry, then
- * dereference that as well. This is after nat_lock is released
- * because of Tru64.
- */
- fr_forgetnat((void *)nat);
-
- KFREE(nat);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_flushtable */
-/* Returns: int - number of NAT rules deleted */
-/* Parameters: Nil */
-/* */
-/* Deletes all currently active NAT sessions. In deleting each NAT entry a */
-/* log record should be emitted in nat_delete() if NAT logging is enabled. */
-/* ------------------------------------------------------------------------ */
-/*
- * nat_flushtable - clear the NAT table of all mapping entries.
- */
-static int nat_flushtable()
-{
- nat_t *nat;
- int j = 0;
-
- /*
- * ALL NAT mappings deleted, so lets just make the deletions
- * quicker.
- */
- if (nat_table[0] != NULL)
- bzero((char *)nat_table[0],
- sizeof(nat_table[0]) * ipf_nattable_sz);
- if (nat_table[1] != NULL)
- bzero((char *)nat_table[1],
- sizeof(nat_table[1]) * ipf_nattable_sz);
-
- while ((nat = nat_instances) != NULL) {
- nat_delete(nat, NL_FLUSH);
- j++;
- }
-
- nat_stats.ns_inuse = 0;
- return j;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_clearlist */
-/* Returns: int - number of NAT/RDR rules deleted */
-/* Parameters: Nil */
-/* */
-/* Delete all rules in the current list of rules. There is nothing elegant */
-/* about this cleanup: simply free all entries on the list of rules and */
-/* clear out the tables used for hashed NAT rule lookups. */
-/* ------------------------------------------------------------------------ */
-static int nat_clearlist()
-{
- ipnat_t *n, **np = &nat_list;
- int i = 0;
-
- if (nat_rules != NULL)
- bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz);
- if (rdr_rules != NULL)
- bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz);
-
- while ((n = *np) != NULL) {
- *np = n->in_next;
- if (n->in_use == 0) {
- if (n->in_apr != NULL)
- appr_free(n->in_apr);
- KFREE(n);
- nat_stats.ns_rules--;
- } else {
- n->in_flags |= IPN_DELETE;
- n->in_next = NULL;
- }
- i++;
- }
-#if SOLARIS
- pfil_delayed_copy = 1;
-#endif
- nat_masks = 0;
- rdr_masks = 0;
- return i;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_newmap */
-/* Returns: int - -1 == error, 0 == success */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT entry */
-/* ni(I) - pointer to structure with misc. information needed */
-/* to create new NAT entry. */
-/* */
-/* Given an empty NAT structure, populate it with new information about a */
-/* new NAT session, as defined by the matching NAT rule. */
-/* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
-/* to the new IP address for the translation. */
-/* ------------------------------------------------------------------------ */
-static INLINE int nat_newmap(fin, nat, ni)
-fr_info_t *fin;
-nat_t *nat;
-natinfo_t *ni;
-{
- u_short st_port, dport, sport, port, sp, dp;
- struct in_addr in, inb;
- hostmap_t *hm;
- u_32_t flags;
- u_32_t st_ip;
- ipnat_t *np;
- nat_t *natl;
- int l;
-
- /*
- * If it's an outbound packet which doesn't match any existing
- * record, then create a new port
- */
- l = 0;
- hm = NULL;
- np = ni->nai_np;
- st_ip = np->in_nip;
- st_port = np->in_pnext;
- flags = ni->nai_flags;
- sport = ni->nai_sport;
- dport = ni->nai_dport;
-
- /*
- * Do a loop until we either run out of entries to try or we find
- * a NAT mapping that isn't currently being used. This is done
- * because the change to the source is not (usually) being fixed.
- */
- do {
- port = 0;
- in.s_addr = htonl(np->in_nip);
- if (l == 0) {
- /*
- * Check to see if there is an existing NAT
- * setup for this IP address pair.
- */
- hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
- in, 0);
- if (hm != NULL)
- in.s_addr = hm->hm_mapip.s_addr;
- } else if ((l == 1) && (hm != NULL)) {
- nat_hostmapdel(hm);
- hm = NULL;
- }
- in.s_addr = ntohl(in.s_addr);
-
- nat->nat_hm = hm;
-
- if ((np->in_outmsk == 0xffffffff) && (np->in_pnext == 0)) {
- if (l > 0)
- return -1;
- }
-
- if (np->in_redir == NAT_BIMAP &&
- np->in_inmsk == np->in_outmsk) {
- /*
- * map the address block in a 1:1 fashion
- */
- in.s_addr = np->in_outip;
- in.s_addr |= fin->fin_saddr & ~np->in_inmsk;
- in.s_addr = ntohl(in.s_addr);
-
- } else if (np->in_redir & NAT_MAPBLK) {
- if ((l >= np->in_ppip) || ((l > 0) &&
- !(flags & IPN_TCPUDP)))
- return -1;
- /*
- * map-block - Calculate destination address.
- */
- in.s_addr = ntohl(fin->fin_saddr);
- in.s_addr &= ntohl(~np->in_inmsk);
- inb.s_addr = in.s_addr;
- in.s_addr /= np->in_ippip;
- in.s_addr &= ntohl(~np->in_outmsk);
- in.s_addr += ntohl(np->in_outip);
- /*
- * Calculate destination port.
- */
- if ((flags & IPN_TCPUDP) &&
- (np->in_ppip != 0)) {
- port = ntohs(sport) + l;
- port %= np->in_ppip;
- port += np->in_ppip *
- (inb.s_addr % np->in_ippip);
- port += MAPBLK_MINPORT;
- port = htons(port);
- }
-
- } else if ((np->in_outip == 0) &&
- (np->in_outmsk == 0xffffffff)) {
- /*
- * 0/32 - use the interface's IP address.
- */
- if ((l > 0) ||
- fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp,
- &in, NULL) == -1)
- return -1;
- in.s_addr = ntohl(in.s_addr);
-
- } else if ((np->in_outip == 0) && (np->in_outmsk == 0)) {
- /*
- * 0/0 - use the original source address/port.
- */
- if (l > 0)
- return -1;
- in.s_addr = ntohl(fin->fin_saddr);
-
- } else if ((np->in_outmsk != 0xffffffff) &&
- (np->in_pnext == 0) && ((l > 0) || (hm == NULL)))
- np->in_nip++;
-
- natl = NULL;
-
- if ((flags & IPN_TCPUDP) &&
- ((np->in_redir & NAT_MAPBLK) == 0) &&
- (np->in_flags & IPN_AUTOPORTMAP)) {
- /*
- * "ports auto" (without map-block)
- */
- if ((l > 0) && (l % np->in_ppip == 0)) {
- if (l > np->in_space) {
- return -1;
- } else if ((l > np->in_ppip) &&
- np->in_outmsk != 0xffffffff)
- np->in_nip++;
- }
- if (np->in_ppip != 0) {
- port = ntohs(sport);
- port += (l % np->in_ppip);
- port %= np->in_ppip;
- port += np->in_ppip *
- (ntohl(fin->fin_saddr) %
- np->in_ippip);
- port += MAPBLK_MINPORT;
- port = htons(port);
- }
-
- } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
- (flags & IPN_TCPUDPICMP) && (np->in_pnext != 0)) {
- /*
- * Standard port translation. Select next port.
- */
- port = htons(np->in_pnext++);
-
- if (np->in_pnext > ntohs(np->in_pmax)) {
- np->in_pnext = ntohs(np->in_pmin);
- if (np->in_outmsk != 0xffffffff)
- np->in_nip++;
- }
- }
-
- if (np->in_flags & IPN_IPRANGE) {
- if (np->in_nip > ntohl(np->in_outmsk))
- np->in_nip = ntohl(np->in_outip);
- } else {
- if ((np->in_outmsk != 0xffffffff) &&
- ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
- ntohl(np->in_outip))
- np->in_nip = ntohl(np->in_outip) + 1;
- }
-
- if ((port == 0) && (flags & (IPN_TCPUDPICMP|IPN_ICMPQUERY)))
- port = sport;
-
- /*
- * Here we do a lookup of the connection as seen from
- * the outside. If an IP# pair already exists, try
- * again. So if you have A->B becomes C->B, you can
- * also have D->E become C->E but not D->B causing
- * another C->B. Also take protocol and ports into
- * account when determining whether a pre-existing
- * NAT setup will cause an external conflict where
- * this is appropriate.
- */
- inb.s_addr = htonl(in.s_addr);
- sp = fin->fin_data[0];
- dp = fin->fin_data[1];
- fin->fin_data[0] = fin->fin_data[1];
- fin->fin_data[1] = htons(port);
- natl = nat_inlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH),
- (u_int)fin->fin_p, fin->fin_dst, inb);
- fin->fin_data[0] = sp;
- fin->fin_data[1] = dp;
-
- /*
- * Has the search wrapped around and come back to the
- * start ?
- */
- if ((natl != NULL) &&
- (np->in_pnext != 0) && (st_port == np->in_pnext) &&
- (np->in_nip != 0) && (st_ip == np->in_nip))
- return -1;
- l++;
- } while (natl != NULL);
-
- if (np->in_space > 0)
- np->in_space--;
-
- /* Setup the NAT table */
- nat->nat_inip = fin->fin_src;
- nat->nat_outip.s_addr = htonl(in.s_addr);
- nat->nat_oip = fin->fin_dst;
- if (nat->nat_hm == NULL)
- nat->nat_hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
- nat->nat_outip, 0);
-
- /*
- * The ICMP checksum does not have a pseudo header containing
- * the IP addresses
- */
- ni->nai_sum1 = LONG_SUM(ntohl(fin->fin_saddr));
- ni->nai_sum2 = LONG_SUM(in.s_addr);
- if ((flags & IPN_TCPUDP)) {
- ni->nai_sum1 += ntohs(sport);
- ni->nai_sum2 += ntohs(port);
- }
-
- if (flags & IPN_TCPUDP) {
- nat->nat_inport = sport;
- nat->nat_outport = port; /* sport */
- nat->nat_oport = dport;
- ((tcphdr_t *)fin->fin_dp)->th_sport = port;
- } else if (flags & IPN_ICMPQUERY) {
- ((icmphdr_t *)fin->fin_dp)->icmp_id = port;
- nat->nat_inport = port;
- nat->nat_outport = port;
- } else if (fin->fin_p == IPPROTO_GRE) {
-#if 0
- nat->nat_gre.gs_flags = ((grehdr_t *)fin->fin_dp)->gr_flags;
- if (GRE_REV(nat->nat_gre.gs_flags) == 1) {
- nat->nat_oport = 0;/*fin->fin_data[1];*/
- nat->nat_inport = 0;/*fin->fin_data[0];*/
- nat->nat_outport = 0;/*fin->fin_data[0];*/
- nat->nat_call[0] = fin->fin_data[0];
- nat->nat_call[1] = fin->fin_data[0];
- }
-#endif
- }
- ni->nai_ip.s_addr = in.s_addr;
- ni->nai_port = port;
- ni->nai_nport = dport;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_newrdr */
-/* Returns: int - -1 == error, 0 == success (no move), 1 == success and */
-/* allow rule to be moved if IPN_ROUNDR is set. */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT entry */
-/* ni(I) - pointer to structure with misc. information needed */
-/* to create new NAT entry. */
-/* */
-/* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/
-/* to the new IP address for the translation. */
-/* ------------------------------------------------------------------------ */
-static INLINE int nat_newrdr(fin, nat, ni)
-fr_info_t *fin;
-nat_t *nat;
-natinfo_t *ni;
-{
- u_short nport, dport, sport;
- struct in_addr in;
- hostmap_t *hm;
- u_32_t flags;
- ipnat_t *np;
- int move;
-
- move = 1;
- hm = NULL;
- in.s_addr = 0;
- np = ni->nai_np;
- flags = ni->nai_flags;
- sport = ni->nai_sport;
- dport = ni->nai_dport;
-
- /*
- * If the matching rule has IPN_STICKY set, then we want to have the
- * same rule kick in as before. Why would this happen? If you have
- * a collection of rdr rules with "round-robin sticky", the current
- * packet might match a different one to the previous connection but
- * we want the same destination to be used.
- */
- if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) ==
- (IPN_ROUNDR|IPN_STICKY)) {
- hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in,
- (u_32_t)dport);
- if (hm != NULL) {
- in.s_addr = ntohl(hm->hm_mapip.s_addr);
- np = hm->hm_ipnat;
- ni->nai_np = np;
- move = 0;
- }
- }
-
- /*
- * Otherwise, it's an inbound packet. Most likely, we don't
- * want to rewrite source ports and source addresses. Instead,
- * we want to rewrite to a fixed internal address and fixed
- * internal port.
- */
- if (np->in_flags & IPN_SPLIT) {
- in.s_addr = np->in_nip;
-
- if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) {
- hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
- in, (u_32_t)dport);
- if (hm != NULL) {
- in.s_addr = hm->hm_mapip.s_addr;
- move = 0;
- }
- }
-
- if (hm == NULL || hm->hm_ref == 1) {
- if (np->in_inip == htonl(in.s_addr)) {
- np->in_nip = ntohl(np->in_inmsk);
- move = 0;
- } else {
- np->in_nip = ntohl(np->in_inip);
- }
- }
-
- } else if ((np->in_inip == 0) && (np->in_inmsk == 0xffffffff)) {
- /*
- * 0/32 - use the interface's IP address.
- */
- if (fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp, &in, NULL) == -1)
- return -1;
- in.s_addr = ntohl(in.s_addr);
-
- } else if ((np->in_inip == 0) && (np->in_inmsk== 0)) {
- /*
- * 0/0 - use the original destination address/port.
- */
- in.s_addr = ntohl(fin->fin_daddr);
-
- } else if (np->in_redir == NAT_BIMAP &&
- np->in_inmsk == np->in_outmsk) {
- /*
- * map the address block in a 1:1 fashion
- */
- in.s_addr = np->in_inip;
- in.s_addr |= fin->fin_daddr & ~np->in_inmsk;
- in.s_addr = ntohl(in.s_addr);
- } else {
- in.s_addr = ntohl(np->in_inip);
- }
-
- if ((np->in_pnext == 0) || ((flags & NAT_NOTRULEPORT) != 0))
- nport = dport;
- else {
- /*
- * Whilst not optimized for the case where
- * pmin == pmax, the gain is not significant.
- */
- if (((np->in_flags & IPN_FIXEDDPORT) == 0) &&
- (np->in_pmin != np->in_pmax)) {
- nport = ntohs(dport) - ntohs(np->in_pmin) +
- ntohs(np->in_pnext);
- nport = htons(nport);
- } else
- nport = np->in_pnext;
- }
-
- /*
- * When the redirect-to address is set to 0.0.0.0, just
- * assume a blank `forwarding' of the packet. We don't
- * setup any translation for this either.
- */
- if (in.s_addr == 0) {
- if (nport == dport)
- return -1;
- in.s_addr = ntohl(fin->fin_daddr);
- }
-
- nat->nat_inip.s_addr = htonl(in.s_addr);
- nat->nat_outip = fin->fin_dst;
- nat->nat_oip = fin->fin_src;
-
- ni->nai_sum1 = LONG_SUM(ntohl(fin->fin_daddr)) + ntohs(dport);
- ni->nai_sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
-
- ni->nai_ip.s_addr = in.s_addr;
- ni->nai_nport = nport;
- ni->nai_port = sport;
-
- if (flags & IPN_TCPUDP) {
- nat->nat_inport = nport;
- nat->nat_outport = dport;
- nat->nat_oport = sport;
- ((tcphdr_t *)fin->fin_dp)->th_dport = nport;
- } else if (flags & IPN_ICMPQUERY) {
- ((icmphdr_t *)fin->fin_dp)->icmp_id = nport;
- nat->nat_inport = nport;
- nat->nat_outport = nport;
- } else if (fin->fin_p == IPPROTO_GRE) {
-#if 0
- nat->nat_gre.gs_flags = ((grehdr_t *)fin->fin_dp)->gr_flags;
- if (GRE_REV(nat->nat_gre.gs_flags) == 1) {
- nat->nat_call[0] = fin->fin_data[0];
- nat->nat_call[1] = fin->fin_data[1];
- nat->nat_oport = 0; /*fin->fin_data[0];*/
- nat->nat_inport = 0; /*fin->fin_data[1];*/
- nat->nat_outport = 0; /*fin->fin_data[1];*/
- }
-#endif
- }
-
- return move;
-}
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_new */
-/* Returns: nat_t* - NULL == failure to create new NAT structure, */
-/* else pointer to new NAT structure */
-/* Parameters: fin(I) - pointer to packet information */
-/* np(I) - pointer to NAT rule */
-/* natsave(I) - pointer to where to store NAT struct pointer */
-/* flags(I) - flags describing the current packet */
-/* direction(I) - direction of packet (in/out) */
-/* Write Lock: ipf_nat */
-/* */
-/* Attempts to create a new NAT entry. Does not actually change the packet */
-/* in any way. */
-/* */
-/* This fucntion is in three main parts: (1) deal with creating a new NAT */
-/* structure for a "MAP" rule (outgoing NAT translation); (2) deal with */
-/* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */
-/* and (3) building that structure and putting it into the NAT table(s). */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_new(fin, np, natsave, flags, direction)
-fr_info_t *fin;
-ipnat_t *np;
-nat_t **natsave;
-u_int flags;
-int direction;
-{
- u_short port = 0, sport = 0, dport = 0, nport = 0;
- tcphdr_t *tcp = NULL;
- hostmap_t *hm = NULL;
- struct in_addr in;
- nat_t *nat, *natl;
- u_int nflags;
- natinfo_t ni;
- u_32_t sumd;
- int move;
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_M_CTL_MAGIC)
- qpktinfo_t *qpi = fin->fin_qpi;
-#endif
-
- if (nat_stats.ns_inuse >= ipf_nattable_max) {
- nat_stats.ns_memfail++;
- return NULL;
- }
-
- move = 1;
- nflags = np->in_flags & flags;
- nflags &= NAT_FROMRULE;
-
- ni.nai_np = np;
- ni.nai_nflags = nflags;
- ni.nai_flags = flags;
-
- /* Give me a new nat */
- KMALLOC(nat, nat_t *);
- if (nat == NULL) {
- nat_stats.ns_memfail++;
- /*
- * Try to automatically tune the max # of entries in the
- * table allowed to be less than what will cause kmem_alloc()
- * to fail and try to eliminate panics due to out of memory
- * conditions arising.
- */
- if (ipf_nattable_max > ipf_nattable_sz) {
- ipf_nattable_max = nat_stats.ns_inuse - 100;
- printf("ipf_nattable_max reduced to %d\n",
- ipf_nattable_max);
- }
- return NULL;
- }
-
- if (flags & IPN_TCPUDP) {
- tcp = fin->fin_dp;
- ni.nai_sport = htons(fin->fin_sport);
- ni.nai_dport = htons(fin->fin_dport);
- } else if (flags & IPN_ICMPQUERY) {
- /*
- * In the ICMP query NAT code, we translate the ICMP id fields
- * to make them unique. This is indepedent of the ICMP type
- * (e.g. in the unlikely event that a host sends an echo and
- * an tstamp request with the same id, both packets will have
- * their ip address/id field changed in the same way).
- */
- /* The icmp_id field is used by the sender to identify the
- * process making the icmp request. (the receiver justs
- * copies it back in its response). So, it closely matches
- * the concept of source port. We overlay sport, so we can
- * maximally reuse the existing code.
- */
- ni.nai_sport = ((icmphdr_t *)fin->fin_dp)->icmp_id;
- ni.nai_dport = ni.nai_sport;
- }
-
- bzero((char *)nat, sizeof(*nat));
- nat->nat_flags = flags;
-
- if ((flags & NAT_SLAVE) == 0) {
- MUTEX_ENTER(&ipf_nat_new);
- }
-
- /*
- * Search the current table for a match.
- */
- if (direction == NAT_OUTBOUND) {
- /*
- * We can now arrange to call this for the same connection
- * because ipf_nat_new doesn't protect the code path into
- * this function.
- */
- natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p,
- fin->fin_src, fin->fin_dst);
- if (natl != NULL) {
- nat = natl;
- goto done;
- }
-
- move = nat_newmap(fin, nat, &ni);
- if (move == -1)
- goto badnat;
-
- np = ni.nai_np;
- in = ni.nai_ip;
- } else {
- /*
- * NAT_INBOUND is used only for redirects rules
- */
- natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p,
- fin->fin_src, fin->fin_dst);
- if (natl != NULL) {
- nat = natl;
- goto done;
- }
-
- move = nat_newrdr(fin, nat, &ni);
- if (move == -1)
- goto badnat;
-
- np = ni.nai_np;
- in = ni.nai_ip;
- }
- port = ni.nai_port;
- nport = ni.nai_nport;
-
- if ((move == 1) && (np->in_flags & IPN_ROUNDR)) {
- if (np->in_redir == NAT_REDIRECT) {
- nat_delrdr(np);
- nat_addrdr(np);
- } else if (np->in_redir == NAT_MAP) {
- nat_delnat(np);
- nat_addnat(np);
- }
- }
-
- if (flags & IPN_TCPUDP) {
- sport = ni.nai_sport;
- dport = ni.nai_dport;
- } else if (flags & IPN_ICMPQUERY) {
- sport = ni.nai_sport;
- dport = 0;
- }
-
- CALC_SUMD(ni.nai_sum1, ni.nai_sum2, sumd);
- nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_M_CTL_MAGIC)
- if ((flags & IPN_TCP) && dohwcksum &&
- (((ill_t *)qpi->qpi_ill)->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
- if (direction == NAT_OUTBOUND)
- ni.nai_sum1 = LONG_SUM(in.s_addr);
- else
- ni.nai_sum1 = LONG_SUM(ntohl(fin->fin_saddr));
- ni.nai_sum1 += LONG_SUM(ntohl(fin->fin_daddr));
- ni.nai_sum1 += 30;
- ni.nai_sum1 = (ni.nai_sum1 & 0xffff) + (ni.nai_sum1 >> 16);
- nat->nat_sumd[1] = NAT_HW_CKSUM|(ni.nai_sum1 & 0xffff);
- } else
-#endif
- nat->nat_sumd[1] = nat->nat_sumd[0];
-
- if ((flags & IPN_TCPUDPICMP) && ((sport != port) || (dport != nport))) {
- if (direction == NAT_OUTBOUND)
- ni.nai_sum1 = LONG_SUM(ntohl(fin->fin_saddr));
- else
- ni.nai_sum1 = LONG_SUM(ntohl(fin->fin_daddr));
-
- ni.nai_sum2 = LONG_SUM(in.s_addr);
-
- CALC_SUMD(ni.nai_sum1, ni.nai_sum2, sumd);
- nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
- } else {
- nat->nat_ipsumd = nat->nat_sumd[0];
- if (!(flags & IPN_TCPUDPICMP)) {
- nat->nat_sumd[0] = 0;
- nat->nat_sumd[1] = 0;
- }
- }
-
- if (nat_finalise(fin, nat, &ni, tcp, natsave, direction) == -1) {
- goto badnat;
- }
- if (flags & SI_WILDP)
- nat_stats.ns_wilds++;
- goto done;
-badnat:
- nat_stats.ns_badnat++;
- if ((hm = nat->nat_hm) != NULL)
- nat_hostmapdel(hm);
- KFREE(nat);
- nat = NULL;
-done:
- if ((flags & NAT_SLAVE) == 0) {
- MUTEX_EXIT(&ipf_nat_new);
- }
- return nat;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_finalise */
-/* Returns: int - 0 == sucess, -1 == failure */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT entry */
-/* ni(I) - pointer to structure with misc. information needed */
-/* to create new NAT entry. */
-/* Write Lock: ipf_nat */
-/* */
-/* This is the tail end of constructing a new NAT entry and is the same */
-/* for both IPv4 and IPv6. */
-/* ------------------------------------------------------------------------ */
-/*ARGSUSED*/
-static INLINE int nat_finalise(fin, nat, ni, tcp, natsave, direction)
-fr_info_t *fin;
-nat_t *nat;
-natinfo_t *ni;
-tcphdr_t *tcp;
-nat_t **natsave;
-int direction;
-{
- frentry_t *fr;
- ipnat_t *np;
-
- np = ni->nai_np;
-
- COPYIFNAME(fin->fin_ifp, nat->nat_ifnames[0]);
-#ifdef IPFILTER_SYNC
- if ((nat->nat_flags & SI_CLONE) == 0)
- nat->nat_sync = ipfsync_new(SMC_NAT, fin, nat);
-#endif
-
- nat->nat_me = natsave;
- nat->nat_dir = direction;
- nat->nat_ifps[0] = fin->fin_ifp;
- nat->nat_ptr = np;
- nat->nat_p = fin->fin_p;
- nat->nat_mssclamp = np->in_mssclamp;
- fr = fin->fin_fr;
- nat->nat_fr = fr;
-
- if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
- if (appr_new(fin, nat) == -1)
- return -1;
-
- if (nat_insert(nat, fin->fin_rev) == 0) {
- if (nat_logging)
- nat_log(nat, (u_int)np->in_redir);
- np->in_use++;
- if (fr != NULL) {
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref++;
- MUTEX_EXIT(&fr->fr_lock);
- }
- return 0;
- }
-
- /*
- * nat_insert failed, so cleanup time...
- */
- return -1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_insert */
-/* Returns: int - 0 == sucess, -1 == failure */
-/* Parameters: nat(I) - pointer to NAT structure */
-/* rev(I) - flag indicating forward/reverse direction of packet */
-/* Write Lock: ipf_nat */
-/* */
-/* Insert a NAT entry into the hash tables for searching and add it to the */
-/* list of active NAT entries. Adjust global counters when complete. */
-/* ------------------------------------------------------------------------ */
-int nat_insert(nat, rev)
-nat_t *nat;
-int rev;
-{
- u_int hv1, hv2;
- nat_t **natp;
-
- /*
- * Try and return an error as early as possible, so calculate the hash
- * entry numbers first and then proceed.
- */
- if ((nat->nat_flags & (SI_W_SPORT|SI_W_DPORT)) == 0) {
- hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- 0xffffffff);
- hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
- ipf_nattable_sz);
- hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- 0xffffffff);
- hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
- ipf_nattable_sz);
- } else {
- hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, 0, 0xffffffff);
- hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1, ipf_nattable_sz);
- hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, 0, 0xffffffff);
- hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2, ipf_nattable_sz);
- }
-
- if (nat_stats.ns_bucketlen[0][hv1] >= fr_nat_maxbucket ||
- nat_stats.ns_bucketlen[1][hv2] >= fr_nat_maxbucket) {
- return -1;
- }
-
- nat->nat_hv[0] = hv1;
- nat->nat_hv[1] = hv2;
-
- MUTEX_INIT(&nat->nat_lock, "nat entry lock");
-
- nat->nat_rev = rev;
- nat->nat_ref = 1;
- nat->nat_bytes[0] = 0;
- nat->nat_pkts[0] = 0;
- nat->nat_bytes[1] = 0;
- nat->nat_pkts[1] = 0;
-
- nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0';
- nat->nat_ifps[0] = fr_resolvenic(nat->nat_ifnames[0], 4);
-
- if (nat->nat_ifnames[1][0] !='\0') {
- nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
- nat->nat_ifps[1] = fr_resolvenic(nat->nat_ifnames[1], 4);
- } else {
- (void) strncpy(nat->nat_ifnames[1], nat->nat_ifnames[0],
- LIFNAMSIZ);
- nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
- nat->nat_ifps[1] = nat->nat_ifps[0];
- }
-
- nat->nat_next = nat_instances;
- nat->nat_pnext = &nat_instances;
- if (nat_instances)
- nat_instances->nat_pnext = &nat->nat_next;
- nat_instances = nat;
-
- natp = &nat_table[0][hv1];
- if (*natp)
- (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
- nat->nat_phnext[0] = natp;
- nat->nat_hnext[0] = *natp;
- *natp = nat;
- nat_stats.ns_bucketlen[0][hv1]++;
-
- natp = &nat_table[1][hv2];
- if (*natp)
- (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
- nat->nat_phnext[1] = natp;
- nat->nat_hnext[1] = *natp;
- *natp = nat;
- nat_stats.ns_bucketlen[1][hv2]++;
-
- fr_setnatqueue(nat, rev);
-
- nat_stats.ns_added++;
- nat_stats.ns_inuse++;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_icmperrorlookup */
-/* Returns: nat_t* - point to matching NAT structure */
-/* Parameters: fin(I) - pointer to packet information */
-/* dir(I) - direction of packet (in/out) */
-/* */
-/* Check if the ICMP error message is related to an existing TCP, UDP or */
-/* ICMP query nat entry. It is assumed that the packet is already of the */
-/* the required length. */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_icmperrorlookup(fin, dir)
-fr_info_t *fin;
-int dir;
-{
- int flags = 0, type, minlen;
- icmphdr_t *icmp, *orgicmp;
- tcphdr_t *tcp = NULL;
- u_short data[2];
- nat_t *nat;
- ip_t *oip;
- u_int p;
-
- icmp = fin->fin_dp;
- type = icmp->icmp_type;
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with an ICMP error
- * header. Also, if it's not an error type, then return.
- */
- if ((fin->fin_hlen != sizeof(ip_t)) ||
- !fr_icmp4errortype(type))
- return NULL;
-
- /*
- * Check packet size
- */
- oip = (ip_t *)((char *)fin->fin_dp + 8);
- minlen = IP_HL(oip) << 2;
- if ((minlen < sizeof(ip_t)) ||
- (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen))
- return NULL;
- /*
- * Is the buffer big enough for all of it ? It's the size of the IP
- * header claimed in the encapsulated part which is of concern. It
- * may be too big to be in this buffer but not so big that it's
- * outside the ICMP packet, leading to TCP deref's causing problems.
- * This is possible because we don't know how big oip_hl is when we
- * do the pullup early in fr_check() and thus can't gaurantee it is
- * all here now.
- */
-#ifdef _KERNEL
- {
- mb_t *m;
-
- m = fin->fin_m;
-# if defined(MENTAT)
- if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
- return NULL;
-# else
- if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
- (char *)fin->fin_ip + M_LEN(m))
- return NULL;
-# endif
- }
-#endif
-
- if (fin->fin_daddr != oip->ip_src.s_addr)
- return NULL;
-
- p = oip->ip_p;
- if (p == IPPROTO_TCP)
- flags = IPN_TCP;
- else if (p == IPPROTO_UDP)
- flags = IPN_UDP;
- else if (p == IPPROTO_ICMP) {
- orgicmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
-
- /* see if this is related to an ICMP query */
- if (nat_icmpquerytype4(orgicmp->icmp_type)) {
- data[0] = fin->fin_data[0];
- data[1] = fin->fin_data[1];
- fin->fin_data[0] = 0;
- fin->fin_data[1] = orgicmp->icmp_id;
-
- flags = IPN_ICMPERR|IPN_ICMPQUERY;
- /*
- * NOTE : dir refers to the direction of the original
- * ip packet. By definition the icmp error
- * message flows in the opposite direction.
- */
- if (dir == NAT_INBOUND)
- nat = nat_inlookup(fin, flags, p, oip->ip_dst,
- oip->ip_src);
- else
- nat = nat_outlookup(fin, flags, p, oip->ip_dst,
- oip->ip_src);
- fin->fin_data[0] = data[0];
- fin->fin_data[1] = data[1];
- return nat;
- }
- }
-
- if (flags & IPN_TCPUDP) {
- minlen += 8; /* + 64bits of data to get ports */
- if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen)
- return NULL;
-
- data[0] = fin->fin_data[0];
- data[1] = fin->fin_data[1];
- tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
- fin->fin_data[0] = ntohs(tcp->th_dport);
- fin->fin_data[1] = ntohs(tcp->th_sport);
-
- if (dir == NAT_INBOUND) {
- nat = nat_inlookup(fin, flags, p, oip->ip_dst,
- oip->ip_src);
- } else {
- nat = nat_outlookup(fin, flags, p, oip->ip_dst,
- oip->ip_src);
- }
- fin->fin_data[0] = data[0];
- fin->fin_data[1] = data[1];
- return nat;
- }
- if (dir == NAT_INBOUND)
- return nat_inlookup(fin, 0, p, oip->ip_dst, oip->ip_src);
- else
- return nat_outlookup(fin, 0, p, oip->ip_dst, oip->ip_src);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_icmperror */
-/* Returns: nat_t* - point to matching NAT structure */
-/* Parameters: fin(I) - pointer to packet information */
-/* nflags(I) - NAT flags for this packet */
-/* dir(I) - direction of packet (in/out) */
-/* */
-/* Fix up an ICMP packet which is an error message for an existing NAT */
-/* session. This will correct both packet header data and checksums. */
-/* */
-/* This should *ONLY* be used for incoming ICMP error packets to make sure */
-/* a NAT'd ICMP packet gets correctly recognised. */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_icmperror(fin, nflags, dir)
-fr_info_t *fin;
-u_int *nflags;
-int dir;
-{
- u_32_t sum1, sum2, sumd, sumd2;
- struct in_addr in;
- icmphdr_t *icmp;
- int flags, dlen;
- u_short *csump;
- tcphdr_t *tcp;
- nat_t *nat;
- ip_t *oip;
- void *dp;
-
- if ((fin->fin_flx & (FI_SHORT|FI_FRAGBODY)))
- return NULL;
- /*
- * nat_icmperrorlookup() will return NULL for `defective' packets.
- */
- if ((fin->fin_v != 4) || !(nat = nat_icmperrorlookup(fin, dir)))
- return NULL;
-
- tcp = NULL;
- csump = NULL;
- flags = 0;
- sumd2 = 0;
- *nflags = IPN_ICMPERR;
- icmp = fin->fin_dp;
- oip = (ip_t *)&icmp->icmp_ip;
- dp = (((char *)oip) + (IP_HL(oip) << 2));
- if (oip->ip_p == IPPROTO_TCP) {
- tcp = (tcphdr_t *)dp;
- csump = (u_short *)&tcp->th_sum;
- flags = IPN_TCP;
- } else if (oip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp;
-
- udp = (udphdr_t *)dp;
- tcp = (tcphdr_t *)dp;
- csump = (u_short *)&udp->uh_sum;
- flags = IPN_UDP;
- } else if (oip->ip_p == IPPROTO_ICMP)
- flags = IPN_ICMPQUERY;
- dlen = fin->fin_plen - ((char *)dp - (char *)fin->fin_ip);
-
- /*
- * Need to adjust ICMP header to include the real IP#'s and
- * port #'s. Only apply a checksum change relative to the
- * IP address change as it will be modified again in fr_checknatout
- * for both address and port. Two checksum changes are
- * necessary for the two header address changes. Be careful
- * to only modify the checksum once for the port # and twice
- * for the IP#.
- */
-
- /*
- * Step 1
- * Fix the IP addresses in the offending IP packet. You also need
- * to adjust the IP header checksum of that offending IP packet
- * and the ICMP checksum of the ICMP error message itself.
- *
- * Unfortunately, for UDP and TCP, the IP addresses are also contained
- * in the pseudo header that is used to compute the UDP resp. TCP
- * checksum. So, we must compensate that as well. Even worse, the
- * change in the UDP and TCP checksums require yet another
- * adjustment of the ICMP checksum of the ICMP error message.
- */
-
- if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
- sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
- in = nat->nat_inip;
- oip->ip_src = in;
- } else {
- sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
- in = nat->nat_outip;
- oip->ip_dst = in;
- }
-
- sum2 = LONG_SUM(ntohl(in.s_addr));
-
- CALC_SUMD(sum1, sum2, sumd);
-
- /*
- * Fix IP checksum of the offending IP packet to adjust for
- * the change in the IP address.
- *
- * Normally, you would expect that the ICMP checksum of the
- * ICMP error message needs to be adjusted as well for the
- * IP address change in oip.
- * However, this is a NOP, because the ICMP checksum is
- * calculated over the complete ICMP packet, which includes the
- * changed oip IP addresses and oip->ip_sum. However, these
- * two changes cancel each other out (if the delta for
- * the IP address is x, then the delta for ip_sum is minus x),
- * so no change in the icmp_cksum is necessary.
- *
- * Be careful that nat_dir refers to the direction of the
- * offending IP packet (oip), not to its ICMP response (icmp)
- */
- fix_datacksum(&oip->ip_sum, sumd);
- /* Fix icmp cksum : IP Addr + Cksum */
- sumd2 = (sumd >> 16);
-
- /*
- * Fix UDP pseudo header checksum to compensate for the
- * IP address change.
- */
- if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && (*csump != 0)) {
- /*
- * The UDP checksum is optional, only adjust it
- * if it has been set.
- */
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compensate the UDP
- * checksum adjustment.
- */
- sumd2 = sumd << 1;
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- }
-
- /*
- * Fix TCP pseudo header checksum to compensate for the
- * IP address change. Before we can do the change, we
- * must make sure that oip is sufficient large to hold
- * the TCP checksum (normally it does not!).
- * 18 = offsetof(tcphdr_t, th_sum) + 2
- */
- else if (oip->ip_p == IPPROTO_TCP && dlen >= 18) {
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compensate the TCP
- * checksum adjustment.
- */
- sumd2 = sumd << 1;
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- } else {
- if (nat->nat_dir == NAT_OUTBOUND)
- sumd2 = ~sumd2;
- else
- sumd2 = ~sumd2 + 1;
- }
-
- if (((flags & IPN_TCPUDP) != 0) && (dlen >= 4)) {
- int mode = 0;
-
- /*
- * Step 2 :
- * For offending TCP/UDP IP packets, translate the ports as
- * well, based on the NAT specification. Of course such
- * a change must be reflected in the ICMP checksum as well.
- *
- * Advance notice : Now it becomes complicated :-)
- *
- * Since the port fields are part of the TCP/UDP checksum
- * of the offending IP packet, you need to adjust that checksum
- * as well... but, if you change, you must change the icmp
- * checksum *again*, to reflect that change.
- *
- * To further complicate: the TCP checksum is not in the first
- * 8 bytes of the offending ip packet, so it most likely is not
- * available. Some OSses like Solaris return enough bytes to
- * include the TCP checksum. So we have to check if the
- * ip->ip_len actually holds the TCP checksum of the oip!
- */
-
- if (nat->nat_oport == tcp->th_dport) {
- if (tcp->th_sport != nat->nat_inport) {
- mode = 1;
- sum1 = ntohs(nat->nat_inport);
- sum2 = ntohs(tcp->th_sport);
- }
- } else if (tcp->th_sport == nat->nat_oport) {
- mode = 2;
- sum1 = ntohs(nat->nat_outport);
- sum2 = ntohs(tcp->th_dport);
- }
-
- if (mode == 1) {
- /*
- * Fix ICMP checksum to compensate port adjustment.
- */
- tcp->th_sport = htons(sum1);
-
- /*
- * Fix udp checksum to compensate port adjustment.
- * NOTE : the offending IP packet flows the other
- * direction compared to the ICMP message.
- *
- * The UDP checksum is optional, only adjust it if
- * it has been set.
- */
- if ((oip->ip_p == IPPROTO_UDP) &&
- (dlen >= 8) && (*csump != 0)) {
- sumd = sum1 - sum2;
- sumd2 += sumd;
-
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compenstate
- * UDP checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- }
-
- /*
- * Fix TCP checksum (if present) to compensate port
- * adjustment. NOTE : the offending IP packet flows
- * the other direction compared to the ICMP message.
- */
- if (oip->ip_p == IPPROTO_TCP) {
- if (dlen >= 18) {
- sumd = sum1 - sum2;
- sumd2 += sumd;
-
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compensate
- * TCP checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- } else {
- sumd = sum2 - sum1 + 1;
- sumd2 += sumd;
- }
- }
- } else if (mode == 2) {
- /*
- * Fix ICMP checksum to compensate port adjustment.
- */
- tcp->th_dport = htons(sum1);
-
- /*
- * Fix UDP checksum to compensate port adjustment.
- * NOTE : the offending IP packet flows the other
- * direction compared to the ICMP message.
- *
- * The UDP checksum is optional, only adjust
- * it if it has been set.
- */
- if ((oip->ip_p == IPPROTO_UDP) &&
- (dlen >= 8) && (*csump != 0)) {
- sumd = sum1 - sum2;
- sumd2 += sumd;
-
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compensate
- * UDP checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- }
-
- /*
- * Fix TCP checksum (if present) to compensate port
- * adjustment. NOTE : the offending IP packet flows
- * the other direction compared to the ICMP message.
- */
- if (oip->ip_p == IPPROTO_TCP) {
- if (dlen >= 18) {
- sumd = sum1 - sum2;
- sumd2 += sumd;
-
- sum1 = ntohs(*csump);
- fix_datacksum(csump, sumd);
- sum2 = ntohs(*csump);
-
- /*
- * Fix ICMP checksum to compensate
- * TCP checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- } else {
- if (nat->nat_dir == NAT_INBOUND)
- sumd = sum2 - sum1;
- else
- sumd = sum2 - sum1 + 1;
- sumd2 += sumd;
- }
- }
- }
- if (sumd2 != 0) {
- sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- fix_incksum(fin, &icmp->icmp_cksum, sumd2);
- }
- } else if (((flags & IPN_ICMPQUERY) != 0) && (dlen >= 8)) {
- icmphdr_t *orgicmp;
-
- /*
- * XXX - what if this is bogus hl and we go off the end ?
- * In this case, nat_icmperrorlookup() will have returned NULL.
- */
- orgicmp = (icmphdr_t *)dp;
-
- if (nat->nat_dir == NAT_OUTBOUND) {
- if (orgicmp->icmp_id != nat->nat_inport) {
-
- /*
- * Fix ICMP checksum (of the offening ICMP
- * query packet) to compensate the change
- * in the ICMP id of the offending ICMP
- * packet.
- *
- * Since you modify orgicmp->icmp_id with
- * a delta (say x) and you compensate that
- * in origicmp->icmp_cksum with a delta
- * minus x, you don't have to adjust the
- * overall icmp->icmp_cksum
- */
- sum1 = ntohs(orgicmp->icmp_id);
- sum2 = ntohs(nat->nat_inport);
- CALC_SUMD(sum1, sum2, sumd);
- orgicmp->icmp_id = nat->nat_inport;
- fix_datacksum(&orgicmp->icmp_cksum, sumd);
- }
- } /* nat_dir == NAT_INBOUND is impossible for icmp queries */
- }
- return nat;
-}
-
-
-/*
- * NB: these lookups don't lock access to the list, it assumed that it has
- * already been done!
- */
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_inlookup */
-/* Returns: nat_t* - NULL == no match, */
-/* else pointer to matching NAT entry */
-/* Parameters: fin(I) - pointer to packet information */
-/* flags(I) - NAT flags for this packet */
-/* p(I) - protocol for this packet */
-/* src(I) - source IP address */
-/* mapdst(I) - destination IP address */
-/* */
-/* Lookup a nat entry based on the mapped destination ip address/port and */
-/* real source address/port. We use this lookup when receiving a packet, */
-/* we're looking for a table entry, based on the destination address. */
-/* */
-/* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */
-/* */
-/* NOTE: IT IS ASSUMED THAT ipf_nat IS ONLY HELD WITH A READ LOCK WHEN */
-/* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */
-/* */
-/* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */
-/* the packet is of said protocol */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_inlookup(fin, flags, p, src, mapdst)
-fr_info_t *fin;
-u_int flags, p;
-struct in_addr src , mapdst;
-{
- u_short sport, dport;
- grehdr_t *gre;
- ipnat_t *ipn;
- u_int sflags;
- nat_t *nat;
- int nflags;
- u_32_t dst;
- void *ifp;
- u_int hv;
-
- if (fin != NULL)
- ifp = fin->fin_ifp;
- else
- ifp = NULL;
- sport = 0;
- dport = 0;
- gre = NULL;
- dst = mapdst.s_addr;
- sflags = flags & NAT_TCPUDPICMP;
-
- switch (p)
- {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- sport = htons(fin->fin_data[0]);
- dport = htons(fin->fin_data[1]);
- break;
- case IPPROTO_ICMP :
- if (flags & IPN_ICMPERR)
- sport = fin->fin_data[1];
- else
- dport = fin->fin_data[1];
- break;
- default :
- break;
- }
-
-
- if ((flags & SI_WILDP) != 0)
- goto find_in_wild_ports;
-
- hv = NAT_HASH_FN(dst, dport, 0xffffffff);
- hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz);
- nat = nat_table[1][hv];
- for (; nat; nat = nat->nat_hnext[1]) {
- nflags = nat->nat_flags;
-
- if (ifp != NULL) {
- if (nat->nat_dir == NAT_REDIRECT) {
- if (ifp != nat->nat_ifps[0])
- continue;
- } else {
- if (ifp != nat->nat_ifps[1])
- continue;
- }
- }
-
- if (nat->nat_oip.s_addr == src.s_addr &&
- nat->nat_outip.s_addr == dst &&
- (((p == 0) &&
- (sflags == (nat->nat_flags & IPN_TCPUDPICMP)))
- || (p == nat->nat_p))) {
- switch (p)
- {
-#if 0
- case IPPROTO_GRE :
- if (nat->nat_call[1] != fin->fin_data[0])
- continue;
- break;
-#endif
- case IPPROTO_ICMP :
- if ((flags & IPN_ICMPERR) != 0) {
- if (nat->nat_outport != sport)
- continue;
- } else {
- if (nat->nat_outport != dport)
- continue;
- }
- break;
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- if (nat->nat_oport != sport)
- continue;
- if (nat->nat_outport != dport)
- continue;
- break;
- default :
- break;
- }
-
- ipn = nat->nat_ptr;
- if ((ipn != NULL) && (nat->nat_aps != NULL))
- if (appr_match(fin, nat) != 0)
- continue;
- return nat;
- }
- }
-
- /*
- * So if we didn't find it but there are wildcard members in the hash
- * table, go back and look for them. We do this search and update here
- * because it is modifying the NAT table and we want to do this only
- * for the first packet that matches. The exception, of course, is
- * for "dummy" (FI_IGNORE) lookups.
- */
-find_in_wild_ports:
- if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH))
- return NULL;
- if (nat_stats.ns_wilds == 0)
- return NULL;
-
- RWLOCK_EXIT(&ipf_nat);
-
- hv = NAT_HASH_FN(dst, 0, 0xffffffff);
- hv = NAT_HASH_FN(src.s_addr, hv, ipf_nattable_sz);
-
- WRITE_ENTER(&ipf_nat);
-
- nat = nat_table[1][hv];
- for (; nat; nat = nat->nat_hnext[1]) {
- if (ifp != NULL) {
- if (nat->nat_dir == NAT_REDIRECT) {
- if (ifp != nat->nat_ifps[0])
- continue;
- } else {
- if (ifp != nat->nat_ifps[1])
- continue;
- }
- }
-
- if (nat->nat_p != fin->fin_p)
- continue;
- if (nat->nat_oip.s_addr != src.s_addr ||
- nat->nat_outip.s_addr != dst)
- continue;
-
- nflags = nat->nat_flags;
- if (!(nflags & (NAT_TCPUDP|SI_WILDP)))
- continue;
-
- if (nat_wildok(nat, (int)sport, (int)dport, nflags,
- NAT_INBOUND) == 1) {
- if ((fin->fin_flx & FI_IGNORE) != 0)
- break;
- if ((nflags & SI_CLONE) != 0) {
- nat = fr_natclone(fin, nat);
- if (nat == NULL)
- break;
- } else {
- MUTEX_ENTER(&ipf_nat_new);
- nat_stats.ns_wilds--;
- MUTEX_EXIT(&ipf_nat_new);
- }
- nat->nat_oport = sport;
- nat->nat_outport = dport;
- nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
- nat_tabmove(nat);
- break;
- }
- }
-
- MUTEX_DOWNGRADE(&ipf_nat);
-
- return nat;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_tabmove */
-/* Returns: Nil */
-/* Parameters: nat(I) - pointer to NAT structure */
-/* Write Lock: ipf_nat */
-/* */
-/* This function is only called for TCP/UDP NAT table entries where the */
-/* original was placed in the table without hashing on the ports and we now */
-/* want to include hashing on port numbers. */
-/* ------------------------------------------------------------------------ */
-static void nat_tabmove(nat)
-nat_t *nat;
-{
- nat_t **natp;
- u_int hv;
-
- if (nat->nat_flags & SI_CLONE)
- return;
-
- /*
- * Remove the NAT entry from the old location
- */
- if (nat->nat_hnext[0])
- nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
- *nat->nat_phnext[0] = nat->nat_hnext[0];
- nat_stats.ns_bucketlen[0][nat->nat_hv[0]]--;
-
- if (nat->nat_hnext[1])
- nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
- *nat->nat_phnext[1] = nat->nat_hnext[1];
- nat_stats.ns_bucketlen[1][nat->nat_hv[1]]--;
-
- /*
- * Add into the NAT table in the new position
- */
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, 0xffffffff);
- hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + nat->nat_oport,
- ipf_nattable_sz);
- nat->nat_hv[0] = hv;
- natp = &nat_table[0][hv];
- if (*natp)
- (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
- nat->nat_phnext[0] = natp;
- nat->nat_hnext[0] = *natp;
- *natp = nat;
- nat_stats.ns_bucketlen[0][hv]++;
-
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, 0xffffffff);
- hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + nat->nat_oport,
- ipf_nattable_sz);
- nat->nat_hv[1] = hv;
- natp = &nat_table[1][hv];
- if (*natp)
- (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
- nat->nat_phnext[1] = natp;
- nat->nat_hnext[1] = *natp;
- *natp = nat;
- nat_stats.ns_bucketlen[1][hv]++;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_outlookup */
-/* Returns: nat_t* - NULL == no match, */
-/* else pointer to matching NAT entry */
-/* Parameters: fin(I) - pointer to packet information */
-/* flags(I) - NAT flags for this packet */
-/* p(I) - protocol for this packet */
-/* src(I) - source IP address */
-/* dst(I) - destination IP address */
-/* rw(I) - 1 == write lock on ipf_nat held, 0 == read lock. */
-/* */
-/* Lookup a nat entry based on the source 'real' ip address/port and */
-/* destination address/port. We use this lookup when sending a packet out, */
-/* we're looking for a table entry, based on the source address. */
-/* */
-/* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */
-/* */
-/* NOTE: IT IS ASSUMED THAT ipf_nat IS ONLY HELD WITH A READ LOCK WHEN */
-/* THIS FUNCTION IS CALLED WITH NAT_SEARCH SET IN nflags. */
-/* */
-/* flags -> relevant are IPN_UDP/IPN_TCP/IPN_ICMPQUERY that indicate if */
-/* the packet is of said protocol */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_outlookup(fin, flags, p, src, dst)
-fr_info_t *fin;
-u_int flags, p;
-struct in_addr src , dst;
-{
- u_short sport, dport;
- u_int sflags;
- ipnat_t *ipn;
- u_32_t srcip;
- nat_t *nat;
- int nflags;
- void *ifp;
- u_int hv;
-
- ifp = fin->fin_ifp;
- srcip = src.s_addr;
- sflags = flags & IPN_TCPUDPICMP;
- sport = 0;
- dport = 0;
-
- switch (p)
- {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- sport = htons(fin->fin_data[0]);
- dport = htons(fin->fin_data[1]);
- break;
- case IPPROTO_ICMP :
- if (flags & IPN_ICMPERR)
- sport = fin->fin_data[1];
- else
- dport = fin->fin_data[1];
- break;
- default :
- break;
- }
-
- if ((flags & SI_WILDP) != 0)
- goto find_out_wild_ports;
-
- hv = NAT_HASH_FN(srcip, sport, 0xffffffff);
- hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz);
- nat = nat_table[0][hv];
- for (; nat; nat = nat->nat_hnext[0]) {
- nflags = nat->nat_flags;
-
- if (ifp != NULL) {
- if (nat->nat_dir == NAT_REDIRECT) {
- if (ifp != nat->nat_ifps[1])
- continue;
- } else {
- if (ifp != nat->nat_ifps[0])
- continue;
- }
- }
-
- if (nat->nat_inip.s_addr == srcip &&
- nat->nat_oip.s_addr == dst.s_addr &&
- (((p == 0) && (sflags == (nflags & NAT_TCPUDPICMP)))
- || (p == nat->nat_p))) {
- switch (p)
- {
-#if 0
- case IPPROTO_GRE :
- if (nat->nat_call[1] != fin->fin_data[0])
- continue;
- break;
-#endif
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- if (nat->nat_oport != dport)
- continue;
- if (nat->nat_inport != sport)
- continue;
- break;
- default :
- break;
- }
-
- ipn = nat->nat_ptr;
- if ((ipn != NULL) && (nat->nat_aps != NULL))
- if (appr_match(fin, nat) != 0)
- continue;
- return nat;
- }
- }
-
- /*
- * So if we didn't find it but there are wildcard members in the hash
- * table, go back and look for them. We do this search and update here
- * because it is modifying the NAT table and we want to do this only
- * for the first packet that matches. The exception, of course, is
- * for "dummy" (FI_IGNORE) lookups.
- */
-find_out_wild_ports:
- if (!(flags & NAT_TCPUDP) || !(flags & NAT_SEARCH))
- return NULL;
- if (nat_stats.ns_wilds == 0)
- return NULL;
-
- RWLOCK_EXIT(&ipf_nat);
-
- hv = NAT_HASH_FN(srcip, 0, 0xffffffff);
- hv = NAT_HASH_FN(dst.s_addr, hv, ipf_nattable_sz);
-
- WRITE_ENTER(&ipf_nat);
-
- nat = nat_table[0][hv];
- for (; nat; nat = nat->nat_hnext[0]) {
- if (ifp != NULL) {
- if (nat->nat_dir == NAT_REDIRECT) {
- if (ifp != nat->nat_ifps[1])
- continue;
- } else {
- if (ifp != nat->nat_ifps[0])
- continue;
- }
- }
-
- if (nat->nat_p != fin->fin_p)
- continue;
- if ((nat->nat_inip.s_addr != srcip) ||
- (nat->nat_oip.s_addr != dst.s_addr))
- continue;
-
- nflags = nat->nat_flags;
- if (!(nflags & (NAT_TCPUDP|SI_WILDP)))
- continue;
-
- if (nat_wildok(nat, (int)sport, (int)dport, nflags,
- NAT_OUTBOUND) == 1) {
- if ((fin->fin_flx & FI_IGNORE) != 0)
- break;
- if ((nflags & SI_CLONE) != 0) {
- nat = fr_natclone(fin, nat);
- if (nat == NULL)
- break;
- } else {
- MUTEX_ENTER(&ipf_nat_new);
- nat_stats.ns_wilds--;
- MUTEX_EXIT(&ipf_nat_new);
- }
- nat->nat_inport = sport;
- nat->nat_oport = dport;
- if (nat->nat_outport == 0)
- nat->nat_outport = sport;
- nat->nat_flags &= ~(SI_W_DPORT|SI_W_SPORT);
- nat_tabmove(nat);
- break;
- }
- }
-
- MUTEX_DOWNGRADE(&ipf_nat);
-
- return nat;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_lookupredir */
-/* Returns: nat_t* - NULL == no match, */
-/* else pointer to matching NAT entry */
-/* Parameters: np(I) - pointer to description of packet to find NAT table */
-/* entry for. */
-/* */
-/* Lookup the NAT tables to search for a matching redirect */
-/* ------------------------------------------------------------------------ */
-nat_t *nat_lookupredir(np)
-natlookup_t *np;
-{
- fr_info_t fi;
- nat_t *nat;
-
- bzero((char *)&fi, sizeof(fi));
- if (np->nl_flags & IPN_IN) {
- fi.fin_data[0] = ntohs(np->nl_realport);
- fi.fin_data[1] = ntohs(np->nl_outport);
- } else {
- fi.fin_data[0] = ntohs(np->nl_inport);
- fi.fin_data[1] = ntohs(np->nl_outport);
- }
- if (np->nl_flags & IPN_TCP)
- fi.fin_p = IPPROTO_TCP;
- else if (np->nl_flags & IPN_UDP)
- fi.fin_p = IPPROTO_UDP;
- else if (np->nl_flags & (IPN_ICMPERR|IPN_ICMPQUERY))
- fi.fin_p = IPPROTO_ICMP;
-
- /*
- * We can do two sorts of lookups:
- * - IPN_IN: we have the `real' and `out' address, look for `in'.
- * - default: we have the `in' and `out' address, look for `real'.
- */
- if (np->nl_flags & IPN_IN) {
- if ((nat = nat_inlookup(&fi, np->nl_flags, fi.fin_p,
- np->nl_realip, np->nl_outip))) {
- np->nl_inip = nat->nat_inip;
- np->nl_inport = nat->nat_inport;
- }
- } else {
- /*
- * If nl_inip is non null, this is a lookup based on the real
- * ip address. Else, we use the fake.
- */
- if ((nat = nat_outlookup(&fi, np->nl_flags, fi.fin_p,
- np->nl_inip, np->nl_outip))) {
-
- if ((np->nl_flags & IPN_FINDFORWARD) != 0) {
- fr_info_t fin;
- bzero((char *)&fin, sizeof(fin));
- fin.fin_p = nat->nat_p;
- fin.fin_data[0] = ntohs(nat->nat_outport);
- fin.fin_data[1] = ntohs(nat->nat_oport);
- if (nat_inlookup(&fin, np->nl_flags, fin.fin_p,
- nat->nat_outip,
- nat->nat_oip) != NULL) {
- np->nl_flags &= ~IPN_FINDFORWARD;
- }
- }
-
- np->nl_realip = nat->nat_outip;
- np->nl_realport = nat->nat_outport;
- }
- }
-
- return nat;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_match */
-/* Returns: int - 0 == no match, 1 == match */
-/* Parameters: fin(I) - pointer to packet information */
-/* np(I) - pointer to NAT rule */
-/* */
-/* Pull the matching of a packet against a NAT rule out of that complex */
-/* loop inside fr_checknatin() and lay it out properly in its own function. */
-/* ------------------------------------------------------------------------ */
-static int nat_match(fin, np)
-fr_info_t *fin;
-ipnat_t *np;
-{
- frtuc_t *ft;
-
- if (fin->fin_v != 4)
- return 0;
-
- if (np->in_p && fin->fin_p != np->in_p)
- return 0;
-
- if (fin->fin_out) {
- if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
- return 0;
- if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
- ^ ((np->in_flags & IPN_NOTSRC) != 0))
- return 0;
- if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
- ^ ((np->in_flags & IPN_NOTDST) != 0))
- return 0;
- } else {
- if (!(np->in_redir & NAT_REDIRECT))
- return 0;
- if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
- ^ ((np->in_flags & IPN_NOTSRC) != 0))
- return 0;
- if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
- ^ ((np->in_flags & IPN_NOTDST) != 0))
- return 0;
- }
-
- ft = &np->in_tuc;
- if (!(fin->fin_flx & FI_TCPUDP) ||
- (fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) {
- if (ft->ftu_scmp || ft->ftu_dcmp)
- return 0;
- return 1;
- }
-
- return fr_tcpudpchk(fin, ft);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_update */
-/* Returns: Nil */
-/* Parameters: nat(I) - pointer to NAT structure */
-/* np(I) - pointer to NAT rule */
-/* */
-/* Updates the lifetime of a NAT table entry for non-TCP packets. Must be */
-/* called with fin_rev updated - i.e. after calling nat_proto(). */
-/* ------------------------------------------------------------------------ */
-void nat_update(fin, nat, np)
-fr_info_t *fin;
-nat_t *nat;
-ipnat_t *np;
-{
- ipftq_t *ifq, *ifq2;
- ipftqent_t *tqe;
-
- MUTEX_ENTER(&nat->nat_lock);
- tqe = &nat->nat_tqe;
- ifq = tqe->tqe_ifq;
-
- /*
- * We allow over-riding of NAT timeouts from NAT rules, even for
- * TCP, however, if it is TCP and there is no rule timeout set,
- * then do not update the timeout here.
- */
- if (np != NULL)
- ifq2 = np->in_tqehead[fin->fin_rev];
- else
- ifq2 = NULL;
-
- if (nat->nat_p == IPPROTO_TCP && ifq2 == NULL) {
- (void) fr_tcp_age(&nat->nat_tqe, fin, nat_tqb, 0);
- } else {
- if (ifq2 == NULL) {
- if (nat->nat_p == IPPROTO_UDP)
- ifq2 = &nat_udptq;
- else if (nat->nat_p == IPPROTO_ICMP)
- ifq2 = &nat_icmptq;
- else
- ifq2 = &nat_iptq;
- }
-
- fr_movequeue(tqe, ifq, ifq2);
- }
- MUTEX_EXIT(&nat->nat_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checknatout */
-/* Returns: int - -1 == packet failed NAT checks so block it, */
-/* 0 == no packet translation occurred, */
-/* 1 == packet was successfully translated. */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(I) - pointer to filtering result flags */
-/* */
-/* Check to see if an outcoming packet should be changed. ICMP packets are */
-/* first checked to see if they match an existing entry (if an error), */
-/* otherwise a search of the current NAT table is made. If neither results */
-/* in a match then a search for a matching NAT rule is made. Create a new */
-/* NAT entry if a we matched a NAT rule. Lastly, actually change the */
-/* packet header(s) as required. */
-/* ------------------------------------------------------------------------ */
-int fr_checknatout(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- struct ifnet *ifp, *sifp;
- icmphdr_t *icmp = NULL;
- tcphdr_t *tcp = NULL;
- int rval, natfailed;
- ipnat_t *np = NULL;
- u_int nflags = 0;
- u_32_t ipa, iph;
- int natadd = 1;
- frentry_t *fr;
- nat_t *nat;
-
- if (nat_stats.ns_rules == 0 || fr_nat_lock != 0)
- return 0;
-
- natfailed = 0;
- fr = fin->fin_fr;
- sifp = fin->fin_ifp;
- if ((fr != NULL) && !(fr->fr_flags & FR_DUP) &&
- fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
- fin->fin_ifp = fr->fr_tif.fd_ifp;
- ifp = fin->fin_ifp;
-
- if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
- switch (fin->fin_p)
- {
- case IPPROTO_TCP :
- nflags = IPN_TCP;
- break;
- case IPPROTO_UDP :
- nflags = IPN_UDP;
- break;
- case IPPROTO_ICMP :
- icmp = fin->fin_dp;
-
- /*
- * This is an incoming packet, so the destination is
- * the icmp_id and the source port equals 0
- */
- if (nat_icmpquerytype4(icmp->icmp_type))
- nflags = IPN_ICMPQUERY;
- break;
- default :
- break;
- }
-
- if ((nflags & IPN_TCPUDP))
- tcp = fin->fin_dp;
- }
-
- ipa = fin->fin_saddr;
-
- READ_ENTER(&ipf_nat);
-
- if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
- (nat = nat_icmperror(fin, &nflags, NAT_OUTBOUND)))
- /*EMPTY*/;
- else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
- natadd = 0;
- else if ((nat = nat_outlookup(fin, nflags|NAT_SEARCH, (u_int)fin->fin_p,
- fin->fin_src, fin->fin_dst))) {
- nflags = nat->nat_flags;
- } else {
- u_32_t hv, msk, nmsk;
-
- /*
- * If there is no current entry in the nat table for this IP#,
- * create one for it (if there is a matching rule).
- */
- RWLOCK_EXIT(&ipf_nat);
- msk = 0xffffffff;
- nmsk = nat_masks;
- WRITE_ENTER(&ipf_nat);
-maskloop:
- iph = ipa & htonl(msk);
- hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
- for (np = nat_rules[hv]; np; np = np->in_mnext)
- {
- if ((np->in_ifps[0] && (np->in_ifps[0] != ifp)))
- continue;
- if (np->in_v != fin->fin_v)
- continue;
- if (np->in_p && (np->in_p != fin->fin_p))
- continue;
- if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
- continue;
- if (np->in_flags & IPN_FILTER) {
- if (!nat_match(fin, np))
- continue;
- } else if ((ipa & np->in_inmsk) != np->in_inip)
- continue;
-
- if ((fr != NULL) &&
- !fr_matchtag(&np->in_tag, &fr->fr_nattag))
- continue;
-
- if (*np->in_plabel != '\0') {
- if (((np->in_flags & IPN_FILTER) == 0) &&
- (np->in_dport != tcp->th_dport))
- continue;
- if (appr_ok(fin, tcp, np) == 0)
- continue;
- }
-
- if ((nat = nat_new(fin, np, NULL, nflags,
- NAT_OUTBOUND))) {
- np->in_hits++;
- break;
- } else
- natfailed = -1;
- }
- if ((np == NULL) && (nmsk != 0)) {
- while (nmsk) {
- msk <<= 1;
- if (nmsk & 0x80000000)
- break;
- nmsk <<= 1;
- }
- if (nmsk != 0) {
- nmsk <<= 1;
- goto maskloop;
- }
- }
- MUTEX_DOWNGRADE(&ipf_nat);
- }
-
- if (nat != NULL) {
- rval = fr_natout(fin, nat, natadd, nflags);
- if (rval == 1) {
- MUTEX_ENTER(&nat->nat_lock);
- nat->nat_ref++;
- MUTEX_EXIT(&nat->nat_lock);
- fin->fin_nat = nat;
- }
- } else
- rval = natfailed;
- RWLOCK_EXIT(&ipf_nat);
-
- if (rval == -1) {
- if (passp != NULL)
- *passp = FR_BLOCK;
- fin->fin_flx |= FI_BADNAT;
- }
- fin->fin_ifp = sifp;
- return rval;
-}
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natout */
-/* Returns: int - -1 == packet failed NAT checks so block it, */
-/* 1 == packet was successfully translated. */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT structure */
-/* natadd(I) - flag indicating if it is safe to add frag cache */
-/* nflags(I) - NAT flags set for this packet */
-/* */
-/* Translate a packet coming "out" on an interface. */
-/* ------------------------------------------------------------------------ */
-int fr_natout(fin, nat, natadd, nflags)
-fr_info_t *fin;
-nat_t *nat;
-int natadd;
-u_32_t nflags;
-{
- icmphdr_t *icmp;
- u_short *csump;
- tcphdr_t *tcp;
- ipnat_t *np;
- int i;
-
- tcp = NULL;
- icmp = NULL;
- csump = NULL;
- np = nat->nat_ptr;
-
- if ((natadd != 0) && (fin->fin_flx & FI_FRAG) && (np != NULL))
- (void) fr_nat_newfrag(fin, 0, nat);
-
- MUTEX_ENTER(&nat->nat_lock);
- nat->nat_bytes[1] += fin->fin_plen;
- nat->nat_pkts[1]++;
- MUTEX_EXIT(&nat->nat_lock);
-
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- * This is only done for STREAMS based IP implementations where the
- * checksum has already been calculated by IP. In all other cases,
- * IPFilter is called before the checksum needs calculating so there
- * is no call to modify whatever is in the header now.
- */
- if (fin->fin_v == 4) {
- if (nflags == IPN_ICMPERR) {
- u_32_t s1, s2, sumd;
-
- s1 = LONG_SUM(ntohl(fin->fin_saddr));
- s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
- CALC_SUMD(s1, s2, sumd);
- fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd);
- }
-#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(linux)
- else {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(fin, &fin->fin_ip->ip_sum,
- nat->nat_ipsumd);
- else
- fix_incksum(fin, &fin->fin_ip->ip_sum,
- nat->nat_ipsumd);
- }
-#endif
- }
-
- if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
- if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
- tcp = fin->fin_dp;
-
- tcp->th_sport = nat->nat_outport;
- fin->fin_data[0] = ntohs(nat->nat_outport);
- }
-
- if ((nat->nat_outport != 0) && (nflags & IPN_ICMPQUERY)) {
- icmp = fin->fin_dp;
- icmp->icmp_id = nat->nat_outport;
- }
-
- csump = nat_proto(fin, nat, nflags);
- }
-
- fin->fin_ip->ip_src = nat->nat_outip;
-
- nat_update(fin, nat, np);
-
- /*
- * The above comments do not hold for layer 4 (or higher) checksums...
- */
- if (csump != NULL) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(fin, csump, nat->nat_sumd[1]);
- else
- fix_incksum(fin, csump, nat->nat_sumd[1]);
- }
-#ifdef IPFILTER_SYNC
- ipfsync_update(SMC_NAT, fin, nat->nat_sync);
-#endif
- /* ------------------------------------------------------------- */
- /* A few quick notes: */
- /* Following are test conditions prior to calling the */
- /* appr_check routine. */
- /* */
- /* A NULL tcp indicates a non TCP/UDP packet. When dealing */
- /* with a redirect rule, we attempt to match the packet's */
- /* source port against in_dport, otherwise we'd compare the */
- /* packet's destination. */
- /* ------------------------------------------------------------- */
- if ((np != NULL) && (np->in_apr != NULL)) {
- i = appr_check(fin, nat);
- if (i == 0)
- i = 1;
- } else
- i = 1;
- ATOMIC_INCL(nat_stats.ns_mapped[1]);
- fin->fin_flx |= FI_NATED;
- return i;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checknatin */
-/* Returns: int - -1 == packet failed NAT checks so block it, */
-/* 0 == no packet translation occurred, */
-/* 1 == packet was successfully translated. */
-/* Parameters: fin(I) - pointer to packet information */
-/* passp(I) - pointer to filtering result flags */
-/* */
-/* Check to see if an incoming packet should be changed. ICMP packets are */
-/* first checked to see if they match an existing entry (if an error), */
-/* otherwise a search of the current NAT table is made. If neither results */
-/* in a match then a search for a matching NAT rule is made. Create a new */
-/* NAT entry if a we matched a NAT rule. Lastly, actually change the */
-/* packet header(s) as required. */
-/* ------------------------------------------------------------------------ */
-int fr_checknatin(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- u_int nflags, natadd;
- int rval, natfailed;
- struct ifnet *ifp;
- struct in_addr in;
- icmphdr_t *icmp;
- tcphdr_t *tcp;
- u_short dport;
- ipnat_t *np;
- nat_t *nat;
- u_32_t iph;
-
- if (nat_stats.ns_rules == 0 || fr_nat_lock != 0)
- return 0;
-
- tcp = NULL;
- icmp = NULL;
- dport = 0;
- natadd = 1;
- nflags = 0;
- natfailed = 0;
- ifp = fin->fin_ifp;
-
- if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
- switch (fin->fin_p)
- {
- case IPPROTO_TCP :
- nflags = IPN_TCP;
- break;
- case IPPROTO_UDP :
- nflags = IPN_UDP;
- break;
- case IPPROTO_ICMP :
- icmp = fin->fin_dp;
-
- /*
- * This is an incoming packet, so the destination is
- * the icmp_id and the source port equals 0
- */
- if (nat_icmpquerytype4(icmp->icmp_type)) {
- nflags = IPN_ICMPQUERY;
- dport = icmp->icmp_id;
- } break;
- default :
- break;
- }
-
- if ((nflags & IPN_TCPUDP)) {
- tcp = fin->fin_dp;
- dport = tcp->th_dport;
- }
- }
-
- in = fin->fin_dst;
-
- READ_ENTER(&ipf_nat);
-
- if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
- (nat = nat_icmperror(fin, &nflags, NAT_INBOUND)))
- /*EMPTY*/;
- else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
- natadd = 0;
- else if ((nat = nat_inlookup(fin, nflags|NAT_SEARCH, (u_int)fin->fin_p,
- fin->fin_src, in))) {
- nflags = nat->nat_flags;
- } else {
- u_32_t hv, msk, rmsk;
-
- RWLOCK_EXIT(&ipf_nat);
- rmsk = rdr_masks;
- msk = 0xffffffff;
- WRITE_ENTER(&ipf_nat);
- /*
- * If there is no current entry in the nat table for this IP#,
- * create one for it (if there is a matching rule).
- */
-maskloop:
- iph = in.s_addr & htonl(msk);
- hv = NAT_HASH_FN(iph, 0, ipf_rdrrules_sz);
- for (np = rdr_rules[hv]; np; np = np->in_rnext) {
- if (np->in_ifps[0] && (np->in_ifps[0] != ifp))
- continue;
- if (np->in_v != fin->fin_v)
- continue;
- if (np->in_p && (np->in_p != fin->fin_p))
- continue;
- if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags))
- continue;
- if (np->in_flags & IPN_FILTER) {
- if (!nat_match(fin, np))
- continue;
- } else {
- if ((in.s_addr & np->in_outmsk) != np->in_outip)
- continue;
- if (np->in_pmin &&
- ((ntohs(np->in_pmax) < ntohs(dport)) ||
- (ntohs(dport) < ntohs(np->in_pmin))))
- continue;
- }
-
- if (*np->in_plabel != '\0') {
- if (!appr_ok(fin, tcp, np)) {
- continue;
- }
- }
-
- nat = nat_new(fin, np, NULL, nflags, NAT_INBOUND);
- if (nat != NULL) {
- np->in_hits++;
- break;
- } else
- natfailed = -1;
- }
-
- if ((np == NULL) && (rmsk != 0)) {
- while (rmsk) {
- msk <<= 1;
- if (rmsk & 0x80000000)
- break;
- rmsk <<= 1;
- }
- if (rmsk != 0) {
- rmsk <<= 1;
- goto maskloop;
- }
- }
- MUTEX_DOWNGRADE(&ipf_nat);
- }
- if (nat != NULL) {
- rval = fr_natin(fin, nat, natadd, nflags);
- if (rval == 1) {
- MUTEX_ENTER(&nat->nat_lock);
- nat->nat_ref++;
- MUTEX_EXIT(&nat->nat_lock);
- fin->fin_nat = nat;
- fin->fin_state = nat->nat_state;
- }
- } else
- rval = natfailed;
- RWLOCK_EXIT(&ipf_nat);
-
- if (rval == -1) {
- if (passp != NULL)
- *passp = FR_BLOCK;
- fin->fin_flx |= FI_BADNAT;
- }
- return rval;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natin */
-/* Returns: int - -1 == packet failed NAT checks so block it, */
-/* 1 == packet was successfully translated. */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT structure */
-/* natadd(I) - flag indicating if it is safe to add frag cache */
-/* nflags(I) - NAT flags set for this packet */
-/* Locks Held: ipf_nat (READ) */
-/* */
-/* Translate a packet coming "in" on an interface. */
-/* ------------------------------------------------------------------------ */
-int fr_natin(fin, nat, natadd, nflags)
-fr_info_t *fin;
-nat_t *nat;
-int natadd;
-u_32_t nflags;
-{
- icmphdr_t *icmp;
- u_short *csump;
- tcphdr_t *tcp;
- ipnat_t *np;
- int i;
-
- tcp = NULL;
- csump = NULL;
- np = nat->nat_ptr;
- fin->fin_fr = nat->nat_fr;
-
- if (np != NULL) {
- if ((natadd != 0) && (fin->fin_flx & FI_FRAG))
- (void) fr_nat_newfrag(fin, 0, nat);
-
- /* ------------------------------------------------------------- */
- /* A few quick notes: */
- /* Following are test conditions prior to calling the */
- /* appr_check routine. */
- /* */
- /* A NULL tcp indicates a non TCP/UDP packet. When dealing */
- /* with a map rule, we attempt to match the packet's */
- /* source port against in_dport, otherwise we'd compare the */
- /* packet's destination. */
- /* ------------------------------------------------------------- */
- if (np->in_apr != NULL) {
- i = appr_check(fin, nat);
- if (i == -1) {
- return -1;
- }
- }
- }
-
-#ifdef IPFILTER_SYNC
- ipfsync_update(SMC_NAT, fin, nat->nat_sync);
-#endif
-
- MUTEX_ENTER(&nat->nat_lock);
- nat->nat_bytes[0] += fin->fin_plen;
- nat->nat_pkts[0]++;
- MUTEX_EXIT(&nat->nat_lock);
-
- fin->fin_ip->ip_dst = nat->nat_inip;
- fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
- if (nflags & IPN_TCPUDP)
- tcp = fin->fin_dp;
-
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- * Why only do this for some platforms on inbound packets ?
- * Because for those that it is done, IP processing is yet to happen
- * and so the IPv4 header checksum has not yet been evaluated.
- * Perhaps it should always be done for the benefit of things like
- * fast forwarding (so that it doesn't need to be recomputed) but with
- * header checksum offloading, perhaps it is a moot point.
- */
-#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \
- defined(__osf__) || defined(linux)
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd);
- else
- fix_outcksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd);
-#endif
-
- if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) {
- if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
- tcp->th_dport = nat->nat_inport;
- fin->fin_data[1] = ntohs(nat->nat_inport);
- }
-
-
- if ((nat->nat_inport != 0) && (nflags & IPN_ICMPQUERY)) {
- icmp = fin->fin_dp;
-
- icmp->icmp_id = nat->nat_inport;
- }
-
- csump = nat_proto(fin, nat, nflags);
- }
-
- nat_update(fin, nat, np);
-
- /*
- * The above comments do not hold for layer 4 (or higher) checksums...
- */
- if (csump != NULL) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(fin, csump, nat->nat_sumd[0]);
- else
- fix_outcksum(fin, csump, nat->nat_sumd[0]);
- }
- ATOMIC_INCL(nat_stats.ns_mapped[0]);
- fin->fin_flx |= FI_NATED;
- if (np != NULL && np->in_tag.ipt_num[0] != 0)
- fin->fin_nattag = &np->in_tag;
- return 1;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_proto */
-/* Returns: u_short* - pointer to transport header checksum to update, */
-/* NULL if the transport protocol is not recognised */
-/* as needing a checksum update. */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT structure */
-/* nflags(I) - NAT flags set for this packet */
-/* */
-/* Return the pointer to the checksum field for each protocol so understood.*/
-/* If support for making other changes to a protocol header is required, */
-/* that is not strictly 'address' translation, such as clamping the MSS in */
-/* TCP down to a specific value, then do it from here. */
-/* ------------------------------------------------------------------------ */
-u_short *nat_proto(fin, nat, nflags)
-fr_info_t *fin;
-nat_t *nat;
-u_int nflags;
-{
- icmphdr_t *icmp;
- u_short *csump;
- tcphdr_t *tcp;
- udphdr_t *udp;
-
- csump = NULL;
- if (fin->fin_out == 0) {
- fin->fin_rev = (nat->nat_dir == NAT_OUTBOUND);
- } else {
- fin->fin_rev = (nat->nat_dir == NAT_INBOUND);
- }
-
- switch (fin->fin_p)
- {
- case IPPROTO_TCP :
- tcp = fin->fin_dp;
-
- csump = &tcp->th_sum;
-
- /*
- * Do a MSS CLAMPING on a SYN packet,
- * only deal IPv4 for now.
- */
- if ((nat->nat_mssclamp != 0) && (tcp->th_flags & TH_SYN) != 0)
- nat_mssclamp(tcp, nat->nat_mssclamp, fin, csump);
-
- break;
-
- case IPPROTO_UDP :
- udp = fin->fin_dp;
-
- if (udp->uh_sum)
- csump = &udp->uh_sum;
- break;
-
- case IPPROTO_ICMP :
- icmp = fin->fin_dp;
-
- if ((nflags & IPN_ICMPQUERY) != 0) {
- if (icmp->icmp_cksum != 0)
- csump = &icmp->icmp_cksum;
- }
- break;
- }
- return csump;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natunload */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Free all memory used by NAT structures allocated at runtime. */
-/* ------------------------------------------------------------------------ */
-void fr_natunload()
-{
- ipftq_t *ifq, *ifqnext;
-
- (void) nat_clearlist();
- (void) nat_flushtable();
-
- /*
- * Proxy timeout queues are not cleaned here because although they
- * exist on the NAT list, appr_unload is called after fr_natunload
- * and the proxies actually are responsible for them being created.
- * Should the proxy timeouts have their own list? There's no real
- * justification as this is the only complication.
- */
- for (ifq = nat_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
- if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
- (fr_deletetimeoutqueue(ifq) == 0))
- fr_freetimeoutqueue(ifq);
- }
-
- if (nat_table[0] != NULL) {
- KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
- nat_table[0] = NULL;
- }
- if (nat_table[1] != NULL) {
- KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
- nat_table[1] = NULL;
- }
- if (nat_rules != NULL) {
- KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
- nat_rules = NULL;
- }
- if (rdr_rules != NULL) {
- KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
- rdr_rules = NULL;
- }
- if (maptable != NULL) {
- KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
- maptable = NULL;
- }
- if (nat_stats.ns_bucketlen[0] != NULL) {
- KFREES(nat_stats.ns_bucketlen[0],
- sizeof(u_long *) * ipf_nattable_sz);
- nat_stats.ns_bucketlen[0] = NULL;
- }
- if (nat_stats.ns_bucketlen[1] != NULL) {
- KFREES(nat_stats.ns_bucketlen[1],
- sizeof(u_long *) * ipf_nattable_sz);
- nat_stats.ns_bucketlen[1] = NULL;
- }
-
- if (fr_nat_maxbucket_reset == 1)
- fr_nat_maxbucket = 0;
-
- if (fr_nat_init == 1) {
- fr_nat_init = 0;
- fr_sttab_destroy(nat_tqb);
-
- RW_DESTROY(&ipf_natfrag);
- RW_DESTROY(&ipf_nat);
-
- MUTEX_DESTROY(&ipf_nat_new);
- MUTEX_DESTROY(&ipf_natio);
-
- MUTEX_DESTROY(&nat_udptq.ifq_lock);
- MUTEX_DESTROY(&nat_icmptq.ifq_lock);
- MUTEX_DESTROY(&nat_iptq.ifq_lock);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natexpire */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Check all of the timeout queues for entries at the top which need to be */
-/* expired. */
-/* ------------------------------------------------------------------------ */
-void fr_natexpire()
-{
- ipftq_t *ifq, *ifqnext;
- ipftqent_t *tqe, *tqn;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-#endif
- int i;
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_nat);
- for (ifq = nat_tqb, i = 0; ifq != NULL; ifq = ifq->ifq_next) {
- for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); i++) {
- if (tqe->tqe_die > fr_ticks)
- break;
- tqn = tqe->tqe_next;
- nat_delete(tqe->tqe_parent, NL_EXPIRE);
- }
- }
-
- for (ifq = nat_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
-
- for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); i++) {
- if (tqe->tqe_die > fr_ticks)
- break;
- tqn = tqe->tqe_next;
- nat_delete(tqe->tqe_parent, NL_EXPIRE);
- }
- }
-
- for (ifq = nat_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
-
- if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
- (ifq->ifq_ref == 0)) {
- fr_freetimeoutqueue(ifq);
- }
- }
-
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natsync */
-/* Returns: Nil */
-/* Parameters: ifp(I) - pointer to network interface */
-/* */
-/* Walk through all of the currently active NAT sessions, looking for those */
-/* which need to have their translated address updated. */
-/* ------------------------------------------------------------------------ */
-void fr_natsync(ifp)
-void *ifp;
-{
- u_32_t sum1, sum2, sumd;
- struct in_addr in;
- ipnat_t *n;
- nat_t *nat;
- void *ifp2;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-#endif
-
- if (fr_running <= 0)
- return;
-
- /*
- * Change IP addresses for NAT sessions for any protocol except TCP
- * since it will break the TCP connection anyway. The only rules
- * which will get changed are those which are "map ... -> 0/32",
- * where the rule specifies the address is taken from the interface.
- */
- SPL_NET(s);
- WRITE_ENTER(&ipf_nat);
-
- if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_nat);
- return;
- }
-
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- if ((nat->nat_flags & IPN_TCP) != 0)
- continue;
- n = nat->nat_ptr;
- if ((n == NULL) ||
- (n->in_outip != 0) || (n->in_outmsk != 0xffffffff))
- continue;
- if (((ifp == NULL) || (ifp == nat->nat_ifps[0]) ||
- (ifp == nat->nat_ifps[1]))) {
- nat->nat_ifps[0] = GETIFP(nat->nat_ifnames[0], 4);
- if (nat->nat_ifnames[1][0] != '\0') {
- nat->nat_ifps[1] = GETIFP(nat->nat_ifnames[1],
- 4);
- } else
- nat->nat_ifps[1] = nat->nat_ifps[0];
- ifp2 = nat->nat_ifps[0];
- if (ifp2 == NULL)
- continue;
-
- /*
- * Change the map-to address to be the same as the
- * new one.
- */
- sum1 = nat->nat_outip.s_addr;
- if (fr_ifpaddr(4, FRI_NORMAL, ifp2, &in, NULL) != -1)
- nat->nat_outip = in;
- sum2 = nat->nat_outip.s_addr;
-
- if (sum1 == sum2)
- continue;
- /*
- * Readjust the checksum adjustment to take into
- * account the new IP#.
- */
- CALC_SUMD(sum1, sum2, sumd);
- /* XXX - dont change for TCP when solaris does
- * hardware checksumming.
- */
- sumd += nat->nat_sumd[0];
- nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
- nat->nat_sumd[1] = nat->nat_sumd[0];
- }
- }
-
- for (n = nat_list; (n != NULL); n = n->in_next) {
- if ((ifp == NULL) || (n->in_ifps[0] == ifp))
- n->in_ifps[0] = fr_resolvenic(n->in_ifnames[0], 4);
- if ((ifp == NULL) || (n->in_ifps[1] == ifp))
- n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], 4);
- }
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_icmpquerytype4 */
-/* Returns: int - 1 == success, 0 == failure */
-/* Parameters: icmptype(I) - ICMP type number */
-/* */
-/* Tests to see if the ICMP type number passed is a query/response type or */
-/* not. */
-/* ------------------------------------------------------------------------ */
-static INLINE int nat_icmpquerytype4(icmptype)
-int icmptype;
-{
-
- /*
- * For the ICMP query NAT code, it is essential that both the query
- * and the reply match on the NAT rule. Because the NAT structure
- * does not keep track of the icmptype, and a single NAT structure
- * is used for all icmp types with the same src, dest and id, we
- * simply define the replies as queries as well. The funny thing is,
- * altough it seems silly to call a reply a query, this is exactly
- * as it is defined in the IPv4 specification
- */
-
- switch (icmptype)
- {
-
- case ICMP_ECHOREPLY:
- case ICMP_ECHO:
- /* route aedvertisement/solliciation is currently unsupported: */
- /* it would require rewriting the ICMP data section */
- case ICMP_TSTAMP:
- case ICMP_TSTAMPREPLY:
- case ICMP_IREQ:
- case ICMP_IREQREPLY:
- case ICMP_MASKREQ:
- case ICMP_MASKREPLY:
- return 1;
- default:
- return 0;
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_log */
-/* Returns: Nil */
-/* Parameters: nat(I) - pointer to NAT structure */
-/* type(I) - type of log entry to create */
-/* */
-/* Creates a NAT log entry. */
-/* ------------------------------------------------------------------------ */
-void nat_log(nat, type)
-struct nat *nat;
-u_int type;
-{
-#ifdef IPFILTER_LOG
-# ifndef LARGE_NAT
- struct ipnat *np;
- int rulen;
-# endif
- struct natlog natl;
- void *items[1];
- size_t sizes[1];
- int types[1];
-
- natl.nl_inip = nat->nat_inip;
- natl.nl_outip = nat->nat_outip;
- natl.nl_origip = nat->nat_oip;
- natl.nl_bytes[0] = nat->nat_bytes[0];
- natl.nl_bytes[1] = nat->nat_bytes[1];
- natl.nl_pkts[0] = nat->nat_pkts[0];
- natl.nl_pkts[1] = nat->nat_pkts[1];
- natl.nl_origport = nat->nat_oport;
- natl.nl_inport = nat->nat_inport;
- natl.nl_outport = nat->nat_outport;
- natl.nl_p = nat->nat_p;
- natl.nl_type = type;
- natl.nl_rule = -1;
-# ifndef LARGE_NAT
- if (nat->nat_ptr != NULL) {
- for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
- if (np == nat->nat_ptr) {
- natl.nl_rule = rulen;
- break;
- }
- }
-# endif
- items[0] = &natl;
- sizes[0] = sizeof(natl);
- types[0] = 0;
-
- (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1);
-#endif
-}
-
-
-#if defined(__OpenBSD__)
-/* ------------------------------------------------------------------------ */
-/* Function: nat_ifdetach */
-/* Returns: Nil */
-/* Parameters: ifp(I) - pointer to network interface */
-/* */
-/* Compatibility interface for OpenBSD to trigger the correct updating of */
-/* interface references within IPFilter. */
-/* ------------------------------------------------------------------------ */
-void nat_ifdetach(ifp)
-void *ifp;
-{
- frsync(ifp);
- return;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natderef */
-/* Returns: Nil */
-/* Parameters: isp(I) - pointer to pointer to NAT table entry */
-/* */
-/* Decrement the reference counter for this NAT table entry and free it if */
-/* there are no more things using it. */
-/* ------------------------------------------------------------------------ */
-void fr_natderef(natp)
-nat_t **natp;
-{
- nat_t *nat;
-
- nat = *natp;
- *natp = NULL;
- WRITE_ENTER(&ipf_nat);
- nat->nat_ref--;
- if (nat->nat_ref == 0)
- nat_delete(nat, NL_EXPIRE);
- RWLOCK_EXIT(&ipf_nat);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_natclone */
-/* Returns: ipstate_t* - NULL == cloning failed, */
-/* else pointer to new state structure */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to master state structure */
-/* Write Lock: ipf_nat */
-/* */
-/* Create a "duplcate" state table entry from the master. */
-/* ------------------------------------------------------------------------ */
-static nat_t *fr_natclone(fin, nat)
-fr_info_t *fin;
-nat_t *nat;
-{
- frentry_t *fr;
- nat_t *clone;
- ipnat_t *np;
-
- KMALLOC(clone, nat_t *);
- if (clone == NULL)
- return NULL;
- bcopy((char *)nat, (char *)clone, sizeof(*clone));
-
- MUTEX_NUKE(&clone->nat_lock);
-
- clone->nat_flags &= ~SI_CLONE;
- clone->nat_flags |= SI_CLONED;
-
-
- if (nat_insert(clone, fin->fin_rev) == -1) {
- KFREE(clone);
- return NULL;
- }
- np = clone->nat_ptr;
- if (np != NULL) {
- if (nat_logging)
- nat_log(clone, (u_int)np->in_redir);
- np->in_use++;
- }
- fr = clone->nat_fr;
- if (fr != NULL) {
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref++;
- MUTEX_EXIT(&fr->fr_lock);
- }
-
-
- /*
- * Because the clone is created outside the normal loop of things and
- * TCP has special needs in terms of state, initialise the timeout
- * state of the new NAT from here.
- */
- if (clone->nat_p == IPPROTO_TCP) {
- (void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb, \
- clone->nat_flags);
- }
-#ifdef IPFILTER_SYNC
- clone->nat_sync = ipfsync_new(SMC_NAT, fin, clone);
-#endif
- if (nat_logging)
- nat_log(clone, NL_CLONE);
- return clone;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_wildok */
-/* Returns: int - 1 == packet's ports match wildcards */
-/* 0 == packet's ports don't match wildcards */
-/* Parameters: nat(I) - NAT entry */
-/* sport(I) - source port */
-/* dport(I) - destination port */
-/* flags(I) - wildcard flags */
-/* dir(I) - packet direction */
-/* */
-/* Use NAT entry and packet direction to determine which combination of */
-/* wildcard flags should be used. */
-/* ------------------------------------------------------------------------ */
-static INLINE int nat_wildok(nat, sport, dport, flags, dir)
-nat_t *nat;
-int sport;
-int dport;
-int flags;
-int dir;
-{
- /*
- * When called by dir is set to
- * nat_inlookup NAT_INBOUND (0)
- * nat_outlookup NAT_OUTBOUND (1)
- *
- * We simply combine the packet's direction in dir with the original
- * "intended" direction of that NAT entry in nat->nat_dir to decide
- * which combination of wildcard flags to allow.
- */
-
- switch ((dir << 1) | nat->nat_dir)
- {
- case 3: /* outbound packet / outbound entry */
- if (((nat->nat_inport == sport) ||
- (flags & SI_W_SPORT)) &&
- ((nat->nat_oport == dport) ||
- (flags & SI_W_DPORT)))
- return 1;
- break;
- case 2: /* outbound packet / inbound entry */
- if (((nat->nat_outport == sport) ||
- (flags & SI_W_DPORT)) &&
- ((nat->nat_oport == dport) ||
- (flags & SI_W_SPORT)))
- return 1;
- break;
- case 1: /* inbound packet / outbound entry */
- if (((nat->nat_oport == sport) ||
- (flags & SI_W_DPORT)) &&
- ((nat->nat_outport == dport) ||
- (flags & SI_W_SPORT)))
- return 1;
- break;
- case 0: /* inbound packet / inbound entry */
- if (((nat->nat_oport == sport) ||
- (flags & SI_W_SPORT)) &&
- ((nat->nat_outport == dport) ||
- (flags & SI_W_DPORT)))
- return 1;
- break;
- default:
- break;
- }
-
- return(0);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: nat_mssclamp */
-/* Returns: Nil */
-/* Parameters: tcp(I) - pointer to TCP header */
-/* maxmss(I) - value to clamp the TCP MSS to */
-/* fin(I) - pointer to packet information */
-/* csump(I) - pointer to TCP checksum */
-/* */
-/* Check for MSS option and clamp it if necessary. If found and changed, */
-/* then the TCP header checksum will be updated to reflect the change in */
-/* the MSS. */
-/* ------------------------------------------------------------------------ */
-static void nat_mssclamp(tcp, maxmss, fin, csump)
-tcphdr_t *tcp;
-u_32_t maxmss;
-fr_info_t *fin;
-u_short *csump;
-{
- u_char *cp, *ep, opt;
- int hlen, advance;
- u_32_t mss, sumd;
-
- hlen = TCP_OFF(tcp) << 2;
- if (hlen > sizeof(*tcp)) {
- cp = (u_char *)tcp + sizeof(*tcp);
- ep = (u_char *)tcp + hlen;
-
- while (cp < ep) {
- opt = cp[0];
- if (opt == TCPOPT_EOL)
- break;
- else if (opt == TCPOPT_NOP) {
- cp++;
- continue;
- }
-
- if (cp + 1 >= ep)
- break;
- advance = cp[1];
- if ((cp + advance > ep) || (advance <= 0))
- break;
- switch (opt)
- {
- case TCPOPT_MAXSEG:
- if (advance != 4)
- break;
- mss = cp[2] * 256 + cp[3];
- if (mss > maxmss) {
- cp[2] = maxmss / 256;
- cp[3] = maxmss & 0xff;
- CALC_SUMD(mss, maxmss, sumd);
- fix_outcksum(fin, csump, sumd);
- }
- break;
- default:
- /* ignore unknown options */
- break;
- }
-
- cp += advance;
- }
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_setnatqueue */
-/* Returns: Nil */
-/* Parameters: nat(I)- pointer to NAT structure */
-/* rev(I) - forward(0) or reverse(1) direction */
-/* Locks: ipf_nat (read or write) */
-/* */
-/* Put the NAT entry on its default queue entry, using rev as a helped in */
-/* determining which queue it should be placed on. */
-/* ------------------------------------------------------------------------ */
-void fr_setnatqueue(nat, rev)
-nat_t *nat;
-int rev;
-{
- ipftq_t *oifq, *nifq;
-
- if (nat->nat_ptr != NULL)
- nifq = nat->nat_ptr->in_tqehead[rev];
- else
- nifq = NULL;
-
- if (nifq == NULL) {
- switch (nat->nat_p)
- {
- case IPPROTO_UDP :
- nifq = &nat_udptq;
- break;
- case IPPROTO_ICMP :
- nifq = &nat_icmptq;
- break;
- case IPPROTO_TCP :
- nifq = nat_tqb + nat->nat_tqe.tqe_state[rev];
- break;
- default :
- nifq = &nat_iptq;
- break;
- }
- }
-
- oifq = nat->nat_tqe.tqe_ifq;
- /*
- * If it's currently on a timeout queue, move it from one queue to
- * another, else put it on the end of the newly determined queue.
- */
- if (oifq != NULL)
- fr_movequeue(&nat->nat_tqe, oifq, nifq);
- else
- fr_queueappend(&nat->nat_tqe, nifq, nat);
- return;
-}
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
deleted file mode 100644
index 09cc119..0000000
--- a/contrib/ipfilter/ip_nat.h
+++ /dev/null
@@ -1,477 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_nat.h 1.5 2/4/96
- * Id: ip_nat.h,v 2.90.2.9 2005/03/28 11:09:55 darrenr Exp
- */
-
-#ifndef __IP_NAT_H__
-#define __IP_NAT_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(__STDC__) || defined(__GNUC__)
-#define SIOCADNAT _IOW('r', 60, struct ipfobj)
-#define SIOCRMNAT _IOW('r', 61, struct ipfobj)
-#define SIOCGNATS _IOWR('r', 62, struct ipfobj)
-#define SIOCGNATL _IOWR('r', 63, struct ipfobj)
-#define SIOCPROXY _IOWR('r', 64, struct ap_control)
-#else
-#define SIOCADNAT _IOW(r, 60, struct ipfobj)
-#define SIOCRMNAT _IOW(r, 61, struct ipfobj)
-#define SIOCGNATS _IOWR(r, 62, struct ipfobj)
-#define SIOCGNATL _IOWR(r, 63, struct ipfobj)
-#define SIOCPROXY _IOWR(r, 64, struct ap_control)
-#endif
-
-#undef LARGE_NAT /* define this if you're setting up a system to NAT
- * LARGE numbers of networks/hosts - i.e. in the
- * hundreds or thousands. In such a case, you should
- * also change the RDR_SIZE and NAT_SIZE below to more
- * appropriate sizes. The figures below were used for
- * a setup with 1000-2000 networks to NAT.
- */
-#ifndef NAT_SIZE
-# ifdef LARGE_NAT
-# define NAT_SIZE 2047
-# else
-# define NAT_SIZE 127
-# endif
-#endif
-#ifndef RDR_SIZE
-# ifdef LARGE_NAT
-# define RDR_SIZE 2047
-# else
-# define RDR_SIZE 127
-# endif
-#endif
-#ifndef HOSTMAP_SIZE
-# ifdef LARGE_NAT
-# define HOSTMAP_SIZE 8191
-# else
-# define HOSTMAP_SIZE 2047
-# endif
-#endif
-#ifndef NAT_TABLE_MAX
-/*
- * This is newly introduced and for the sake of "least surprise", the numbers
- * present aren't what we'd normally use for creating a proper hash table.
- */
-# ifdef LARGE_NAT
-# define NAT_TABLE_MAX 180000
-# else
-# define NAT_TABLE_MAX 30000
-# endif
-#endif
-#ifndef NAT_TABLE_SZ
-# ifdef LARGE_NAT
-# define NAT_TABLE_SZ 16383
-# else
-# define NAT_TABLE_SZ 2047
-# endif
-#endif
-#ifndef APR_LABELLEN
-#define APR_LABELLEN 16
-#endif
-#define NAT_HW_CKSUM 0x80000000
-
-#define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */
-
-struct ipstate;
-struct ap_session;
-
-typedef struct nat {
- ipfmutex_t nat_lock;
- struct nat *nat_next;
- struct nat **nat_pnext;
- struct nat *nat_hnext[2];
- struct nat **nat_phnext[2];
- struct hostmap *nat_hm;
- void *nat_data;
- struct nat **nat_me;
- struct ipstate *nat_state;
- struct ap_session *nat_aps; /* proxy session */
- frentry_t *nat_fr; /* filter rule ptr if appropriate */
- struct ipnat *nat_ptr; /* pointer back to the rule */
- void *nat_ifps[2];
- void *nat_sync;
- ipftqent_t nat_tqe;
- u_32_t nat_flags;
- u_32_t nat_sumd[2]; /* ip checksum delta for data segment*/
- u_32_t nat_ipsumd; /* ip checksum delta for ip header */
- u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
- i6addr_t nat_inip6;
- i6addr_t nat_outip6;
- i6addr_t nat_oip6; /* other ip */
- U_QUAD_T nat_pkts[2];
- U_QUAD_T nat_bytes[2];
- union {
- udpinfo_t nat_unu;
- tcpinfo_t nat_unt;
- icmpinfo_t nat_uni;
- greinfo_t nat_ugre;
- } nat_un;
- u_short nat_oport; /* other port */
- u_short nat_use;
- u_char nat_p; /* protocol for NAT */
- int nat_dir;
- int nat_ref; /* reference count */
- int nat_hv[2];
- char nat_ifnames[2][LIFNAMSIZ];
- int nat_rev; /* 0 = forward, 1 = reverse */
-} nat_t;
-
-#define nat_inip nat_inip6.in4
-#define nat_outip nat_outip6.in4
-#define nat_oip nat_oip6.in4
-#define nat_age nat_tqe.tqe_die
-#define nat_inport nat_un.nat_unt.ts_sport
-#define nat_outport nat_un.nat_unt.ts_dport
-#define nat_type nat_un.nat_uni.ici_type
-#define nat_seq nat_un.nat_uni.ici_seq
-#define nat_id nat_un.nat_uni.ici_id
-#define nat_tcpstate nat_tqe.tqe_state
-
-/*
- * Values for nat_dir
- */
-#define NAT_INBOUND 0
-#define NAT_OUTBOUND 1
-
-/*
- * Definitions for nat_flags
- */
-#define NAT_TCP 0x0001 /* IPN_TCP */
-#define NAT_UDP 0x0002 /* IPN_UDP */
-#define NAT_ICMPERR 0x0004 /* IPN_ICMPERR */
-#define NAT_ICMPQUERY 0x0008 /* IPN_ICMPQUERY */
-#define NAT_SEARCH 0x0010
-#define NAT_SLAVE 0x0020 /* Slave connection for a proxy */
-#define NAT_NOTRULEPORT 0x0040
-
-#define NAT_TCPUDP (NAT_TCP|NAT_UDP)
-#define NAT_TCPUDPICMP (NAT_TCP|NAT_UDP|NAT_ICMPERR)
-#define NAT_TCPUDPICMPQ (NAT_TCP|NAT_UDP|NAT_ICMPQUERY)
-#define NAT_FROMRULE (NAT_TCP|NAT_UDP)
-
-/* 0x0100 reserved for FI_W_SPORT */
-/* 0x0200 reserved for FI_W_DPORT */
-/* 0x0400 reserved for FI_W_SADDR */
-/* 0x0800 reserved for FI_W_DADDR */
-/* 0x1000 reserved for FI_W_NEWFR */
-/* 0x2000 reserved for SI_CLONE */
-/* 0x4000 reserved for SI_CLONED */
-/* 0x8000 reserved for SI_IGNOREPKT */
-
-#define NAT_DEBUG 0x800000
-
-typedef struct ipnat {
- struct ipnat *in_next; /* NAT rule list next */
- struct ipnat *in_rnext; /* rdr rule hash next */
- struct ipnat **in_prnext; /* prior rdr next ptr */
- struct ipnat *in_mnext; /* map rule hash next */
- struct ipnat **in_pmnext; /* prior map next ptr */
- struct ipftq *in_tqehead[2];
- void *in_ifps[2];
- void *in_apr;
- char *in_comment;
- i6addr_t in_next6;
- u_long in_space;
- u_long in_hits;
- u_int in_use;
- u_int in_hv;
- int in_flineno; /* conf. file line number */
- u_short in_pnext;
- u_char in_v;
- u_char in_xxx;
- /* From here to the end is covered by IPN_CMPSIZ */
- u_32_t in_flags;
- u_32_t in_mssclamp; /* if != 0 clamp MSS to this */
- u_int in_age[2];
- int in_redir; /* see below for values */
- int in_p; /* protocol. */
- i6addr_t in_in[2];
- i6addr_t in_out[2];
- i6addr_t in_src[2];
- frtuc_t in_tuc;
- u_short in_port[2];
- u_short in_ppip; /* ports per IP. */
- u_short in_ippip; /* IP #'s per IP# */
- char in_ifnames[2][LIFNAMSIZ];
- char in_plabel[APR_LABELLEN]; /* proxy label. */
- ipftag_t in_tag;
-} ipnat_t;
-
-#define in_pmin in_port[0] /* Also holds static redir port */
-#define in_pmax in_port[1]
-#define in_nextip in_next6.in4
-#define in_nip in_next6.in4.s_addr
-#define in_inip in_in[0].in4.s_addr
-#define in_inmsk in_in[1].in4.s_addr
-#define in_outip in_out[0].in4.s_addr
-#define in_outmsk in_out[1].in4.s_addr
-#define in_srcip in_src[0].in4.s_addr
-#define in_srcmsk in_src[1].in4.s_addr
-#define in_scmp in_tuc.ftu_scmp
-#define in_dcmp in_tuc.ftu_dcmp
-#define in_stop in_tuc.ftu_stop
-#define in_dtop in_tuc.ftu_dtop
-#define in_sport in_tuc.ftu_sport
-#define in_dport in_tuc.ftu_dport
-
-/*
- * Bit definitions for in_flags
- */
-#define IPN_ANY 0x00000
-#define IPN_TCP 0x00001
-#define IPN_UDP 0x00002
-#define IPN_TCPUDP (IPN_TCP|IPN_UDP)
-#define IPN_ICMPERR 0x00004
-#define IPN_TCPUDPICMP (IPN_TCP|IPN_UDP|IPN_ICMPERR)
-#define IPN_ICMPQUERY 0x00008
-#define IPN_TCPUDPICMPQ (IPN_TCP|IPN_UDP|IPN_ICMPQUERY)
-#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
-#define IPN_AUTOPORTMAP 0x00010
-#define IPN_IPRANGE 0x00020
-#define IPN_FILTER 0x00040
-#define IPN_SPLIT 0x00080
-#define IPN_ROUNDR 0x00100
-#define IPN_NOTSRC 0x04000
-#define IPN_NOTDST 0x08000
-#define IPN_DYNSRCIP 0x10000 /* dynamic src IP# */
-#define IPN_DYNDSTIP 0x20000 /* dynamic dst IP# */
-#define IPN_DELETE 0x40000
-#define IPN_STICKY 0x80000
-#define IPN_FRAG 0x100000
-#define IPN_FIXEDDPORT 0x200000
-#define IPN_FINDFORWARD 0x400000
-#define IPN_IN 0x800000
-#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
- IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|\
- IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY)
-
-/*
- * Values for in_redir
- */
-#define NAT_MAP 0x01
-#define NAT_REDIRECT 0x02
-#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
-#define NAT_MAPBLK 0x04
-
-#define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */
-#define USABLE_PORTS (65536 - MAPBLK_MINPORT)
-
-#define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_flags))
-
-typedef struct natlookup {
- struct in_addr nl_inip;
- struct in_addr nl_outip;
- struct in_addr nl_realip;
- int nl_flags;
- u_short nl_inport;
- u_short nl_outport;
- u_short nl_realport;
-} natlookup_t;
-
-
-typedef struct nat_save {
- void *ipn_next;
- struct nat ipn_nat;
- struct ipnat ipn_ipnat;
- struct frentry ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_t;
-
-#define ipn_rule ipn_nat.nat_fr
-
-typedef struct natget {
- void *ng_ptr;
- int ng_sz;
-} natget_t;
-
-
-typedef struct nattrpnt {
- struct in_addr tr_dstip; /* real destination IP# */
- struct in_addr tr_srcip; /* real source IP# */
- struct in_addr tr_locip; /* local source IP# */
- u_int tr_flags;
- int tr_expire;
- u_short tr_dstport; /* real destination port# */
- u_short tr_srcport; /* real source port# */
- u_short tr_locport; /* local source port# */
- struct nattrpnt *tr_hnext;
- struct nattrpnt **tr_phnext;
- struct nattrpnt *tr_next;
- struct nattrpnt **tr_pnext; /* previous next */
-} nattrpnt_t;
-
-#define TN_CMPSIZ offsetof(nattrpnt_t, tr_hnext)
-
-
-/*
- * This structure gets used to help NAT sessions keep the same NAT rule (and
- * thus translation for IP address) when:
- * (a) round-robin redirects are in use
- * (b) different IP add
- */
-typedef struct hostmap {
- struct hostmap *hm_next;
- struct hostmap **hm_pnext;
- struct ipnat *hm_ipnat;
- struct in_addr hm_srcip;
- struct in_addr hm_dstip;
- struct in_addr hm_mapip;
- u_32_t hm_port;
- int hm_ref;
-} hostmap_t;
-
-
-/*
- * Structure used to pass information in to nat_newmap and nat_newrdr.
- */
-typedef struct natinfo {
- ipnat_t *nai_np;
- u_32_t nai_sum1;
- u_32_t nai_sum2;
- u_32_t nai_nflags;
- u_32_t nai_flags;
- struct in_addr nai_ip;
- u_short nai_port;
- u_short nai_nport;
- u_short nai_sport;
- u_short nai_dport;
-} natinfo_t;
-
-
-typedef struct natstat {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- u_long ns_addtrpnt;
- nat_t **ns_table[2];
- hostmap_t **ns_maptable;
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_wilds;
- u_int ns_nattab_sz;
- u_int ns_nattab_max;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- u_int ns_trpntab_sz;
- u_int ns_hostmap_sz;
- nat_t *ns_instances;
- nattrpnt_t *ns_trpntlist;
- u_long *ns_bucketlen[2];
-} natstat_t;
-
-typedef struct natlog {
- struct in_addr nl_origip;
- struct in_addr nl_outip;
- struct in_addr nl_inip;
- u_short nl_origport;
- u_short nl_outport;
- u_short nl_inport;
- u_short nl_type;
- int nl_rule;
- U_QUAD_T nl_pkts[2];
- U_QUAD_T nl_bytes[2];
- u_char nl_p;
-} natlog_t;
-
-
-#define NL_NEWMAP NAT_MAP
-#define NL_NEWRDR NAT_REDIRECT
-#define NL_NEWBIMAP NAT_BIMAP
-#define NL_NEWBLOCK NAT_MAPBLK
-#define NL_CLONE 0xfffd
-#define NL_FLUSH 0xfffe
-#define NL_EXPIRE 0xffff
-
-#define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m))
-
-#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
-
-#define CALC_SUMD(s1, s2, sd) { \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- /* Do it twice */ \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- /* Because ~1 == -2, We really need ~1 == -1 */ \
- if ((s1) > (s2)) (s2)--; \
- (sd) = (s2) - (s1); \
- (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
-
-#define NAT_SYSSPACE 0x80000000
-#define NAT_LOCKHELD 0x40000000
-
-
-extern u_int ipf_nattable_sz;
-extern u_int ipf_nattable_max;
-extern u_int ipf_natrules_sz;
-extern u_int ipf_rdrrules_sz;
-extern u_int ipf_hostmap_sz;
-extern u_int fr_nat_maxbucket;
-extern u_int fr_nat_maxbucket_reset;
-extern int fr_nat_lock;
-extern void fr_natsync __P((void *));
-extern u_long fr_defnatage;
-extern u_long fr_defnaticmpage;
-extern u_long fr_defnatipage;
- /* nat_table[0] -> hashed list sorted by inside (ip, port) */
- /* nat_table[1] -> hashed list sorted by outside (ip, port) */
-extern nat_t **nat_table[2];
-extern nat_t *nat_instances;
-extern ipnat_t *nat_list;
-extern ipnat_t **nat_rules;
-extern ipnat_t **rdr_rules;
-extern ipftq_t *nat_utqe;
-extern natstat_t nat_stats;
-
-#if defined(__OpenBSD__)
-extern void nat_ifdetach __P((void *));
-#endif
-extern int fr_nat_ioctl __P((caddr_t, ioctlcmd_t, int));
-extern int fr_natinit __P((void));
-extern nat_t *nat_new __P((fr_info_t *, ipnat_t *, nat_t **, u_int, int));
-extern nat_t *nat_outlookup __P((fr_info_t *, u_int, u_int, struct in_addr,
- struct in_addr));
-extern void fix_datacksum __P((u_short *, u_32_t));
-extern nat_t *nat_inlookup __P((fr_info_t *, u_int, u_int, struct in_addr,
- struct in_addr));
-extern nat_t *nat_tnlookup __P((fr_info_t *, int));
-extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr,
- struct in_addr));
-extern nat_t *nat_lookupredir __P((natlookup_t *));
-extern nat_t *nat_icmperrorlookup __P((fr_info_t *, int));
-extern nat_t *nat_icmperror __P((fr_info_t *, u_int *, int));
-extern int nat_insert __P((nat_t *, int));
-
-extern int fr_checknatout __P((fr_info_t *, u_32_t *));
-extern int fr_natout __P((fr_info_t *, nat_t *, int, u_32_t));
-extern int fr_checknatin __P((fr_info_t *, u_32_t *));
-extern int fr_natin __P((fr_info_t *, nat_t *, int, u_32_t));
-extern void fr_natunload __P((void));
-extern void fr_natexpire __P((void));
-extern void nat_log __P((struct nat *, u_int));
-extern void fix_incksum __P((fr_info_t *, u_short *, u_32_t));
-extern void fix_outcksum __P((fr_info_t *, u_short *, u_32_t));
-extern void fr_natderef __P((nat_t **));
-extern u_short *nat_proto __P((fr_info_t *, nat_t *, u_int));
-extern void nat_update __P((fr_info_t *, nat_t *, ipnat_t *));
-extern void fr_setnatqueue __P((nat_t *, int));
-
-#endif /* __IP_NAT_H__ */
diff --git a/contrib/ipfilter/ip_netbios_pxy.c b/contrib/ipfilter/ip_netbios_pxy.c
deleted file mode 100644
index 0ff6d25..0000000
--- a/contrib/ipfilter/ip_netbios_pxy.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Simple netbios-dgm transparent proxy for in-kernel use.
- * For use with the NAT code.
- * Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
- */
-
-/*-
- * Copyright (c) 2002-2003 Paul J. Ledbetter III
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
- */
-
-#define IPF_NETBIOS_PROXY
-
-int ippr_netbios_init __P((void));
-void ippr_netbios_fini __P((void));
-int ippr_netbios_out __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static frentry_t netbiosfr;
-
-int netbios_proxy_init = 0;
-
-/*
- * Initialize local structures.
- */
-int ippr_netbios_init()
-{
- bzero((char *)&netbiosfr, sizeof(netbiosfr));
- netbiosfr.fr_ref = 1;
- netbiosfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&netbiosfr.fr_lock, "NETBIOS proxy rule lock");
- netbios_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_netbios_fini()
-{
- if (netbios_proxy_init == 1) {
- MUTEX_DESTROY(&netbiosfr.fr_lock);
- netbios_proxy_init = 0;
- }
-}
-
-
-int ippr_netbios_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- char dgmbuf[6];
- int off, dlen;
- udphdr_t *udp;
- ip_t *ip;
- mb_t *m;
-
- aps = aps; /* LINT */
- nat = nat; /* LINT */
-
- ip = fin->fin_ip;
- m = *(mb_t **)fin->fin_mp;
- off = fin->fin_hlen + sizeof(udphdr_t);
- dlen = M_LEN(m);
- dlen -= off;
-
- /*
- * no net bios datagram could possibly be shorter than this
- */
- if (dlen < 11)
- return 0;
-
- udp = (udphdr_t *)fin->fin_dp;
-
- /*
- * move past the
- * ip header;
- * udp header;
- * 4 bytes into the net bios dgm header.
- * According to rfc1002, this should be the exact location of
- * the source address/port
- */
- off += 4;
-
- /* Copy NATed source Address/port*/
- dgmbuf[0] = (char)((ip->ip_src.s_addr ) &0xFF);
- dgmbuf[1] = (char)((ip->ip_src.s_addr >> 8) &0xFF);
- dgmbuf[2] = (char)((ip->ip_src.s_addr >> 16)&0xFF);
- dgmbuf[3] = (char)((ip->ip_src.s_addr >> 24)&0xFF);
-
- dgmbuf[4] = (char)((udp->uh_sport )&0xFF);
- dgmbuf[5] = (char)((udp->uh_sport >> 8)&0xFF);
-
- /* replace data in packet */
- COPYBACK(m, off, sizeof(dgmbuf), dgmbuf);
-
- return 0;
-}
diff --git a/contrib/ipfilter/ip_pool.c b/contrib/ipfilter/ip_pool.c
deleted file mode 100644
index b6e111b..0000000
--- a/contrib/ipfilter/ip_pool.c
+++ /dev/null
@@ -1,786 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#if defined(__osf__)
-# define _PROTO_NET_H_
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(__KERNEL__)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#else
-# include <sys/systm.h>
-# if defined(NetBSD) && (__NetBSD_Version__ >= 104000000)
-# include <sys/proc.h>
-# endif
-#endif
-#include <sys/time.h>
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL) && (!defined(__SVR4) && !defined(__svr4__))
-# include <sys/mbuf.h>
-#endif
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-
-#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
-# ifdef __osf__
-# include <net/radix.h>
-# endif
-# include "radix_ipf_local.h"
-# define _RADIX_H_
-#endif
-#include <net/if.h>
-#include <netinet/in.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_pool.h"
-
-#if defined(IPFILTER_LOOKUP) && defined(_KERNEL) && \
- ((BSD >= 198911) && !defined(__osf__) && \
- !defined(__hpux) && !defined(__sgi))
-static int rn_freenode __P((struct radix_node *, void *));
-#endif
-
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
-#endif
-
-#ifdef IPFILTER_LOOKUP
-
-# ifndef RADIX_NODE_HEAD_LOCK
-# define RADIX_NODE_HEAD_LOCK(x) ;
-# endif
-# ifndef RADIX_NODE_HEAD_UNLOCK
-# define RADIX_NODE_HEAD_UNLOCK(x) ;
-# endif
-
-ip_pool_stat_t ipoolstat;
-ipfrwlock_t ip_poolrw;
-
-/*
- * Binary tree routines from Sedgewick and enhanced to do ranges of addresses.
- * NOTE: Insertion *MUST* be from greatest range to least for it to work!
- * These should be replaced, eventually, by something else - most notably a
- * interval searching method. The important feature is to be able to find
- * the best match.
- *
- * So why not use a radix tree for this? As the first line implies, it
- * has been written to work with a _range_ of addresses. A range is not
- * necessarily a match with any given netmask so what we end up dealing
- * with is an interval tree. Implementations of these are hard to find
- * and the one herein is far from bug free.
- *
- * Sigh, in the end I became convinced that the bugs the code contained did
- * not make it worthwhile not using radix trees. For now the radix tree from
- * 4.4 BSD is used, but this is not viewed as a long term solution.
- */
-ip_pool_t *ip_pool_list[IPL_LOGSIZE] = { NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL };
-
-
-#ifdef TEST_POOL
-void treeprint __P((ip_pool_t *));
-
-int
-main(argc, argv)
- int argc;
- char *argv[];
-{
- addrfamily_t a, b;
- iplookupop_t op;
- ip_pool_t *ipo;
- i6addr_t ip;
-
- RWLOCK_INIT(&ip_poolrw, "poolrw");
- ip_pool_init();
-
- bzero((char *)&a, sizeof(a));
- bzero((char *)&b, sizeof(b));
- bzero((char *)&ip, sizeof(ip));
- bzero((char *)&op, sizeof(op));
- strcpy(op.iplo_name, "0");
-
- if (ip_pool_create(&op) == 0)
- ipo = ip_pool_find(0, "0");
-
- a.adf_addr.in4.s_addr = 0x0a010203;
- b.adf_addr.in4.s_addr = 0xffffffff;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
-
- a.adf_addr.in4.s_addr = 0x0a000000;
- b.adf_addr.in4.s_addr = 0xff000000;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
-
- a.adf_addr.in4.s_addr = 0x0a010100;
- b.adf_addr.in4.s_addr = 0xffffff00;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
-
- a.adf_addr.in4.s_addr = 0x0a010200;
- b.adf_addr.in4.s_addr = 0xffffff00;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 0);
-
- a.adf_addr.in4.s_addr = 0x0a010000;
- b.adf_addr.in4.s_addr = 0xffff0000;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
-
- a.adf_addr.in4.s_addr = 0x0a01020f;
- b.adf_addr.in4.s_addr = 0xffffffff;
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
- ip_pool_insert(ipo, &a.adf_addr, &b.adf_addr, 1);
-#ifdef DEBUG_POOL
-treeprint(ipo);
-#endif
- ip.in4.s_addr = 0x0a00aabb;
- printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a000001;
- printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a000101;
- printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a010001;
- printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a010101;
- printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a010201;
- printf("search(%#x) = %d (0)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a010203;
- printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0a01020f;
- printf("search(%#x) = %d (1)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
- ip.in4.s_addr = 0x0b00aabb;
- printf("search(%#x) = %d (-1)\n", ip.in4.s_addr,
- ip_pool_search(ipo, 4, &ip));
-
-#ifdef DEBUG_POOL
-treeprint(ipo);
-#endif
-
- ip_pool_fini();
-
- return 0;
-}
-
-
-void
-treeprint(ipo)
-ip_pool_t *ipo;
-{
- ip_pool_node_t *c;
-
- for (c = ipo->ipo_list; c != NULL; c = c->ipn_next)
- printf("Node %p(%s) (%#x/%#x) = %d hits %lu\n",
- c, c->ipn_name, c->ipn_addr.adf_addr.in4.s_addr,
- c->ipn_mask.adf_addr.in4.s_addr,
- c->ipn_info, c->ipn_hits);
-}
-#endif /* TEST_POOL */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_init */
-/* Returns: int - 0 = success, else error */
-/* */
-/* Initialise the routing table data structures where required. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_init()
-{
-
- bzero((char *)&ipoolstat, sizeof(ipoolstat));
-
-#if (!defined(_KERNEL) || (BSD < 199306))
- rn_init();
-#endif
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_fini */
-/* Returns: int - 0 = success, else error */
-/* Locks: WRITE(ipf_global) */
-/* */
-/* Clean up all the pool data structures allocated and call the cleanup */
-/* function for the radix tree that supports the pools. ip_pool_destroy() is*/
-/* used to delete the pools one by one to ensure they're properly freed up. */
-/* ------------------------------------------------------------------------ */
-void ip_pool_fini()
-{
- ip_pool_t *p, *q;
- iplookupop_t op;
- int i;
-
- ASSERT(rw_read_locked(&ipf_global.ipf_lk) == 0);
-
- for (i = 0; i <= IPL_LOGMAX; i++) {
- for (q = ip_pool_list[i]; (p = q) != NULL; ) {
- op.iplo_unit = i;
- (void)strncpy(op.iplo_name, p->ipo_name,
- sizeof(op.iplo_name));
- q = p->ipo_next;
- (void) ip_pool_destroy(&op);
- }
- }
-
-#if (!defined(_KERNEL) || (BSD < 199306))
- rn_fini();
-#endif
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_statistics */
-/* Returns: int - 0 = success, else error */
-/* Parameters: op(I) - pointer to lookup operation arguments */
-/* */
-/* Copy the current statistics out into user space, collecting pool list */
-/* pointers as appropriate for later use. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_statistics(op)
-iplookupop_t *op;
-{
- ip_pool_stat_t stats;
- int unit, i, err = 0;
-
- if (op->iplo_size != sizeof(ipoolstat))
- return EINVAL;
-
- bcopy((char *)&ipoolstat, (char *)&stats, sizeof(stats));
- unit = op->iplo_unit;
- if (unit == IPL_LOGALL) {
- for (i = 0; i < IPL_LOGSIZE; i++)
- stats.ipls_list[i] = ip_pool_list[i];
- } else if (unit >= 0 && unit < IPL_LOGSIZE) {
- if (op->iplo_name[0] != '\0')
- stats.ipls_list[unit] = ip_pool_find(unit,
- op->iplo_name);
- else
- stats.ipls_list[unit] = ip_pool_list[unit];
- } else
- err = EINVAL;
- if (err == 0)
- err = COPYOUT(&stats, op->iplo_struct, sizeof(stats));
- return err;
-}
-
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_find */
-/* Returns: int - 0 = success, else error */
-/* Parameters: ipo(I) - pointer to the pool getting the new node. */
-/* */
-/* Find a matching pool inside the collection of pools for a particular */
-/* device, indicated by the unit number. */
-/* ------------------------------------------------------------------------ */
-void *ip_pool_find(unit, name)
-int unit;
-char *name;
-{
- ip_pool_t *p;
-
- for (p = ip_pool_list[unit]; p != NULL; p = p->ipo_next)
- if (strncmp(p->ipo_name, name, sizeof(p->ipo_name)) == 0)
- break;
- return p;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_findeq */
-/* Returns: int - 0 = success, else error */
-/* Parameters: ipo(I) - pointer to the pool getting the new node. */
-/* addr(I) - pointer to address information to delete */
-/* mask(I) - */
-/* */
-/* Searches for an exact match of an entry in the pool. */
-/* ------------------------------------------------------------------------ */
-ip_pool_node_t *ip_pool_findeq(ipo, addr, mask)
-ip_pool_t *ipo;
-addrfamily_t *addr, *mask;
-{
- struct radix_node *n;
-#ifdef USE_SPL
- int s;
-
- SPL_NET(s);
-#endif
- RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
- n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head);
- RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
- SPL_X(s);
- return (ip_pool_node_t *)n;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_search */
-/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */
-/* Parameters: tptr(I) - pointer to the pool to search */
-/* version(I) - IP protocol version (4 or 6) */
-/* dptr(I) - pointer to address information */
-/* */
-/* Search the pool for a given address and return a search result. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_search(tptr, version, dptr)
-void *tptr;
-int version;
-void *dptr;
-{
- struct radix_node *rn;
- ip_pool_node_t *m;
- i6addr_t *addr;
- addrfamily_t v;
- ip_pool_t *ipo;
- int rv;
-
- ipo = tptr;
- if (ipo == NULL)
- return -1;
-
- rv = 1;
- m = NULL;
- addr = (i6addr_t *)dptr;
- bzero(&v, sizeof(v));
- v.adf_len = offsetof(addrfamily_t, adf_addr);
-
- if (version == 4) {
- v.adf_len += sizeof(addr->in4);
- v.adf_addr.in4 = addr->in4;
-#ifdef USE_INET6
- } else if (version == 6) {
- v.adf_len += sizeof(addr->in6);
- v.adf_addr.in6 = addr->in6;
-#endif
- } else
- return -1;
-
- READ_ENTER(&ip_poolrw);
-
- RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
- rn = ipo->ipo_head->rnh_matchaddr(&v, ipo->ipo_head);
- RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
-
- if ((rn != NULL) && ((rn->rn_flags & RNF_ROOT) == 0)) {
- m = (ip_pool_node_t *)rn;
- ipo->ipo_hits++;
- m->ipn_hits++;
- rv = m->ipn_info;
- }
- RWLOCK_EXIT(&ip_poolrw);
- return rv;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_insert */
-/* Returns: int - 0 = success, else error */
-/* Parameters: ipo(I) - pointer to the pool getting the new node. */
-/* addr(I) - address being added as a node */
-/* mask(I) - netmask to with the node being added */
-/* info(I) - extra information to store in this node. */
-/* Locks: WRITE(ip_poolrw) */
-/* */
-/* Add another node to the pool given by ipo. The three parameters passed */
-/* in (addr, mask, info) shold all be stored in the node. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_insert(ipo, addr, mask, info)
-ip_pool_t *ipo;
-i6addr_t *addr, *mask;
-int info;
-{
- struct radix_node *rn;
- ip_pool_node_t *x;
-
- ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
- KMALLOC(x, ip_pool_node_t *);
- if (x == NULL) {
- return ENOMEM;
- }
-
- bzero(x, sizeof(*x));
-
- x->ipn_info = info;
- (void)strncpy(x->ipn_name, ipo->ipo_name, sizeof(x->ipn_name));
-
- bcopy(addr, &x->ipn_addr.adf_addr, sizeof(*addr));
- x->ipn_addr.adf_len = sizeof(x->ipn_addr);
- bcopy(mask, &x->ipn_mask.adf_addr, sizeof(*mask));
- x->ipn_mask.adf_len = sizeof(x->ipn_mask);
-
- RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
- rn = ipo->ipo_head->rnh_addaddr(&x->ipn_addr, &x->ipn_mask,
- ipo->ipo_head, x->ipn_nodes);
- RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
-#ifdef DEBUG_POOL
- printf("Added %p at %p\n", x, rn);
-#endif
-
- if (rn == NULL) {
- KFREE(x);
- return ENOMEM;
- }
-
- x->ipn_next = ipo->ipo_list;
- x->ipn_pnext = &ipo->ipo_list;
- if (ipo->ipo_list != NULL)
- ipo->ipo_list->ipn_pnext = &x->ipn_next;
- ipo->ipo_list = x;
-
- ipoolstat.ipls_nodes++;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_create */
-/* Returns: int - 0 = success, else error */
-/* Parameters: op(I) - pointer to iplookup struct with call details */
-/* Locks: WRITE(ip_poolrw) */
-/* */
-/* Creates a new group according to the paramters passed in via the */
-/* iplookupop structure. Does not check to see if the group already exists */
-/* when being inserted - assume this has already been done. If the pool is */
-/* marked as being anonymous, give it a new, unique, identifier. Call any */
-/* other functions required to initialise the structure. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_create(op)
-iplookupop_t *op;
-{
- char name[FR_GROUPLEN];
- int poolnum, unit;
- ip_pool_t *h;
-
- ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
- KMALLOC(h, ip_pool_t *);
- if (h == NULL)
- return ENOMEM;
- bzero(h, sizeof(*h));
-
- if (rn_inithead((void **)&h->ipo_head,
- offsetof(addrfamily_t, adf_addr) << 3) == 0) {
- KFREE(h);
- return ENOMEM;
- }
-
- unit = op->iplo_unit;
-
- if ((op->iplo_arg & IPOOL_ANON) != 0) {
- ip_pool_t *p;
-
- poolnum = IPOOL_ANON;
-
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(name, sizeof(name), "%x", poolnum);
-#else
- (void)sprintf(name, "%x", poolnum);
-#endif
-
- for (p = ip_pool_list[unit]; p != NULL; ) {
- if (strncmp(name, p->ipo_name,
- sizeof(p->ipo_name)) == 0) {
- poolnum++;
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(name, sizeof(name), "%x", poolnum);
-#else
- (void)sprintf(name, "%x", poolnum);
-#endif
- p = ip_pool_list[unit];
- } else
- p = p->ipo_next;
- }
-
- (void)strncpy(h->ipo_name, name, sizeof(h->ipo_name));
- } else {
- (void) strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name));
- }
-
- h->ipo_ref = 1;
- h->ipo_list = NULL;
- h->ipo_unit = unit;
- h->ipo_next = ip_pool_list[unit];
- if (ip_pool_list[unit] != NULL)
- ip_pool_list[unit]->ipo_pnext = &h->ipo_next;
- h->ipo_pnext = &ip_pool_list[unit];
- ip_pool_list[unit] = h;
-
- ipoolstat.ipls_pools++;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_remove */
-/* Returns: int - 0 = success, else error */
-/* Parameters: ipo(I) - pointer to the pool to remove the node from. */
-/* ipe(I) - address being deleted as a node */
-/* Locks: WRITE(ip_poolrw) */
-/* */
-/* Add another node to the pool given by ipo. The three parameters passed */
-/* in (addr, mask, info) shold all be stored in the node. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_remove(ipo, ipe)
-ip_pool_t *ipo;
-ip_pool_node_t *ipe;
-{
- ip_pool_node_t **ipp, *n;
-
- ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
- for (ipp = &ipo->ipo_list; (n = *ipp) != NULL; ipp = &n->ipn_next) {
- if (ipe == n) {
- *n->ipn_pnext = n->ipn_next;
- if (n->ipn_next)
- n->ipn_next->ipn_pnext = n->ipn_pnext;
- break;
- }
- }
-
- if (n == NULL)
- return ENOENT;
-
- RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
- ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
- ipo->ipo_head);
- RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
- KFREE(n);
-
- ipoolstat.ipls_nodes--;
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_destroy */
-/* Returns: int - 0 = success, else error */
-/* Parameters: op(I) - information about the pool to remove */
-/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
-/* */
-/* Search for a pool using paramters passed in and if it's not otherwise */
-/* busy, free it. */
-/* */
-/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
-/* may not be initialised, we can't use an ASSERT to enforce the locking */
-/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_destroy(op)
-iplookupop_t *op;
-{
- ip_pool_t *ipo;
-
- ipo = ip_pool_find(op->iplo_unit, op->iplo_name);
- if (ipo == NULL)
- return ESRCH;
-
- if (ipo->ipo_ref != 1)
- return EBUSY;
-
- ip_pool_free(ipo);
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_flush */
-/* Returns: int - number of pools deleted */
-/* Parameters: fp(I) - which pool(s) to flush */
-/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
-/* */
-/* Free all pools associated with the device that matches the unit number */
-/* passed in with operation. */
-/* */
-/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
-/* may not be initialised, we can't use an ASSERT to enforce the locking */
-/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
-/* ------------------------------------------------------------------------ */
-int ip_pool_flush(fp)
-iplookupflush_t *fp;
-{
- int i, num = 0, unit, err;
- ip_pool_t *p, *q;
- iplookupop_t op;
-
- unit = fp->iplf_unit;
-
- for (i = 0; i <= IPL_LOGMAX; i++) {
- if (unit != IPLT_ALL && i != unit)
- continue;
- for (q = ip_pool_list[i]; (p = q) != NULL; ) {
- op.iplo_unit = i;
- (void)strncpy(op.iplo_name, p->ipo_name,
- sizeof(op.iplo_name));
- q = p->ipo_next;
- err = ip_pool_destroy(&op);
- if (err == 0)
- num++;
- else
- break;
- }
- }
- return num;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_free */
-/* Returns: void */
-/* Parameters: ipo(I) - pointer to pool structure */
-/* Locks: WRITE(ip_poolrw) or WRITE(ipf_global) */
-/* */
-/* Deletes the pool strucutre passed in from the list of pools and deletes */
-/* all of the address information stored in it, including any tree data */
-/* structures also allocated. */
-/* */
-/* NOTE: Because this function is called out of ipldetach() where ip_poolrw */
-/* may not be initialised, we can't use an ASSERT to enforce the locking */
-/* assertion that one of the two (ip_poolrw,ipf_global) is held. */
-/* ------------------------------------------------------------------------ */
-void ip_pool_free(ipo)
-ip_pool_t *ipo;
-{
- ip_pool_node_t *n;
-
- RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
- while ((n = ipo->ipo_list) != NULL) {
- ipo->ipo_head->rnh_deladdr(&n->ipn_addr, &n->ipn_mask,
- ipo->ipo_head);
-
- *n->ipn_pnext = n->ipn_next;
- if (n->ipn_next)
- n->ipn_next->ipn_pnext = n->ipn_pnext;
-
- KFREE(n);
-
- ipoolstat.ipls_nodes--;
- }
- RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
-
- ipo->ipo_list = NULL;
- if (ipo->ipo_next != NULL)
- ipo->ipo_next->ipo_pnext = ipo->ipo_pnext;
- *ipo->ipo_pnext = ipo->ipo_next;
- rn_freehead(ipo->ipo_head);
- KFREE(ipo);
-
- ipoolstat.ipls_pools--;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ip_pool_deref */
-/* Returns: void */
-/* Parameters: ipo(I) - pointer to pool structure */
-/* Locks: WRITE(ip_poolrw) */
-/* */
-/* Drop the number of known references to this pool structure by one and if */
-/* we arrive at zero known references, free it. */
-/* ------------------------------------------------------------------------ */
-void ip_pool_deref(ipo)
-ip_pool_t *ipo;
-{
-
- ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
- ipo->ipo_ref--;
- if (ipo->ipo_ref == 0)
- ip_pool_free(ipo);
-}
-
-
-# if defined(_KERNEL) && ((BSD >= 198911) && !defined(__osf__) && \
- !defined(__hpux) && !defined(__sgi))
-static int
-rn_freenode(struct radix_node *n, void *p)
-{
- struct radix_node_head *rnh = p;
- struct radix_node *d;
-
- d = rnh->rnh_deladdr(n->rn_key, NULL, rnh);
- if (d != NULL) {
- FreeS(d, max_keylen + 2 * sizeof (*d));
- }
- return 0;
-}
-
-
-void
-rn_freehead(rnh)
- struct radix_node_head *rnh;
-{
-
- RADIX_NODE_HEAD_LOCK(rnh);
- (*rnh->rnh_walktree)(rnh, rn_freenode, rnh);
-
- rnh->rnh_addaddr = NULL;
- rnh->rnh_deladdr = NULL;
- rnh->rnh_matchaddr = NULL;
- rnh->rnh_lookup = NULL;
- rnh->rnh_walktree = NULL;
- RADIX_NODE_HEAD_UNLOCK(rnh);
-
- Free(rnh);
-}
-# endif
-
-#endif /* IPFILTER_LOOKUP */
diff --git a/contrib/ipfilter/ip_pool.h b/contrib/ipfilter/ip_pool.h
deleted file mode 100644
index 3e3c073..0000000
--- a/contrib/ipfilter/ip_pool.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_pool.h,v 2.26.2.2 2004/03/23 12:44:34 darrenr Exp
- */
-
-#ifndef __IP_POOL_H__
-#define __IP_POOL_H__
-
-#if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \
- !defined(linux) && !defined(sun)
-# include <net/radix.h>
-extern void rn_freehead __P((struct radix_node_head *));
-# define FreeS(p, z) KFREES(p, z)
-extern int max_keylen;
-#else
-# if defined(__osf__) || defined(__hpux)
-# include "radix_ipf_local.h"
-# define radix_mask ipf_radix_mask
-# define radix_node ipf_radix_node
-# define radix_node_head ipf_radix_node_head
-# else
-# include "radix_ipf.h"
-# endif
-#endif
-#include "netinet/ip_lookup.h"
-
-#define IP_POOL_NOMATCH 0
-#define IP_POOL_POSITIVE 1
-
-typedef struct ip_pool_node {
- struct radix_node ipn_nodes[2];
- addrfamily_t ipn_addr;
- addrfamily_t ipn_mask;
- int ipn_info;
- char ipn_name[FR_GROUPLEN];
- u_long ipn_hits;
- struct ip_pool_node *ipn_next, **ipn_pnext;
-} ip_pool_node_t;
-
-
-typedef struct ip_pool_s {
- struct ip_pool_s *ipo_next;
- struct ip_pool_s **ipo_pnext;
- struct radix_node_head *ipo_head;
- ip_pool_node_t *ipo_list;
- u_long ipo_hits;
- int ipo_unit;
- int ipo_flags;
- int ipo_ref;
- char ipo_name[FR_GROUPLEN];
-} ip_pool_t;
-
-#define IPOOL_ANON 0x80000000
-
-
-typedef struct ip_pool_stat {
- u_long ipls_pools;
- u_long ipls_tables;
- u_long ipls_nodes;
- ip_pool_t *ipls_list[IPL_LOGSIZE];
-} ip_pool_stat_t;
-
-
-extern ip_pool_stat_t ipoolstat;
-extern ip_pool_t *ip_pool_list[IPL_LOGSIZE];
-
-extern int ip_pool_search __P((void *, int, void *));
-extern int ip_pool_init __P((void));
-extern void ip_pool_fini __P((void));
-extern int ip_pool_create __P((iplookupop_t *));
-extern int ip_pool_insert __P((ip_pool_t *, i6addr_t *, i6addr_t *, int));
-extern int ip_pool_remove __P((ip_pool_t *, ip_pool_node_t *));
-extern int ip_pool_destroy __P((iplookupop_t *));
-extern void ip_pool_free __P((ip_pool_t *));
-extern void ip_pool_deref __P((ip_pool_t *));
-extern void *ip_pool_find __P((int, char *));
-extern ip_pool_node_t *ip_pool_findeq __P((ip_pool_t *,
- addrfamily_t *, addrfamily_t *));
-extern int ip_pool_flush __P((iplookupflush_t *));
-extern int ip_pool_statistics __P((iplookupop_t *));
-
-#endif /* __IP_POOL_H__ */
diff --git a/contrib/ipfilter/ip_pptp_pxy.c b/contrib/ipfilter/ip_pptp_pxy.c
deleted file mode 100644
index 2511a17..0000000
--- a/contrib/ipfilter/ip_pptp_pxy.c
+++ /dev/null
@@ -1,527 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2002-2003 by Darren Reed
- *
- * Simple PPTP transparent proxy for in-kernel use. For use with the NAT
- * code.
- *
- * Id: ip_pptp_pxy.c,v 2.10.2.9 2005/03/16 18:17:34 darrenr Exp
- *
- */
-#define IPF_PPTP_PROXY
-
-typedef struct pptp_hdr {
- u_short pptph_len;
- u_short pptph_type;
- u_32_t pptph_cookie;
-} pptp_hdr_t;
-
-#define PPTP_MSGTYPE_CTL 1
-#define PPTP_MTCTL_STARTREQ 1
-#define PPTP_MTCTL_STARTREP 2
-#define PPTP_MTCTL_STOPREQ 3
-#define PPTP_MTCTL_STOPREP 4
-#define PPTP_MTCTL_ECHOREQ 5
-#define PPTP_MTCTL_ECHOREP 6
-#define PPTP_MTCTL_OUTREQ 7
-#define PPTP_MTCTL_OUTREP 8
-#define PPTP_MTCTL_INREQ 9
-#define PPTP_MTCTL_INREP 10
-#define PPTP_MTCTL_INCONNECT 11
-#define PPTP_MTCTL_CLEAR 12
-#define PPTP_MTCTL_DISCONNECT 13
-#define PPTP_MTCTL_WANERROR 14
-#define PPTP_MTCTL_LINKINFO 15
-
-
-int ippr_pptp_init __P((void));
-void ippr_pptp_fini __P((void));
-int ippr_pptp_new __P((fr_info_t *, ap_session_t *, nat_t *));
-void ippr_pptp_del __P((ap_session_t *));
-int ippr_pptp_inout __P((fr_info_t *, ap_session_t *, nat_t *));
-void ippr_pptp_donatstate __P((fr_info_t *, nat_t *, pptp_pxy_t *));
-int ippr_pptp_message __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));
-int ippr_pptp_nextmessage __P((fr_info_t *, nat_t *, pptp_pxy_t *, int));
-int ippr_pptp_mctl __P((fr_info_t *, nat_t *, pptp_pxy_t *, pptp_side_t *));
-
-static frentry_t pptpfr;
-
-int pptp_proxy_init = 0;
-int ippr_pptp_debug = 0;
-int ippr_pptp_gretimeout = IPF_TTLVAL(120); /* 2 minutes */
-
-
-/*
- * PPTP application proxy initialization.
- */
-int ippr_pptp_init()
-{
- bzero((char *)&pptpfr, sizeof(pptpfr));
- pptpfr.fr_ref = 1;
- pptpfr.fr_age[0] = ippr_pptp_gretimeout;
- pptpfr.fr_age[1] = ippr_pptp_gretimeout;
- pptpfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&pptpfr.fr_lock, "PPTP proxy rule lock");
- pptp_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_pptp_fini()
-{
- if (pptp_proxy_init == 1) {
- MUTEX_DESTROY(&pptpfr.fr_lock);
- pptp_proxy_init = 0;
- }
-}
-
-
-/*
- * Setup for a new PPTP proxy.
- */
-int ippr_pptp_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- pptp_pxy_t *pptp;
- ipnat_t *ipn;
- ip_t *ip;
- int off;
-
- ip = fin->fin_ip;
- off = fin->fin_hlen + sizeof(udphdr_t);
-
- if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
- ip->ip_dst) != NULL) {
- if (ippr_pptp_debug > 0)
- printf("ippr_pptp_new: GRE session already exists\n");
- return -1;
- }
-
- aps->aps_psiz = sizeof(*pptp);
- KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp));
- if (aps->aps_data == NULL) {
- if (ippr_pptp_debug > 0)
- printf("ippr_pptp_new: malloc for aps_data failed\n");
- return -1;
- }
-
- /*
- * Create NAT rule against which the tunnel/transport mapping is
- * created. This is required because the current NAT rule does not
- * describe GRE but TCP instead.
- */
- pptp = aps->aps_data;
- bzero((char *)pptp, sizeof(*pptp));
- ipn = &pptp->pptp_rule;
- ipn->in_ifps[0] = fin->fin_ifp;
- ipn->in_apr = NULL;
- ipn->in_use = 1;
- ipn->in_hits = 1;
- ipn->in_ippip = 1;
- if (nat->nat_dir == NAT_OUTBOUND) {
- ipn->in_nip = ntohl(nat->nat_outip.s_addr);
- ipn->in_outip = fin->fin_saddr;
- ipn->in_redir = NAT_MAP;
- } else if (nat->nat_dir == NAT_INBOUND) {
- ipn->in_nip = 0;
- ipn->in_outip = nat->nat_outip.s_addr;
- ipn->in_redir = NAT_REDIRECT;
- }
- ipn->in_inip = nat->nat_inip.s_addr;
- ipn->in_inmsk = 0xffffffff;
- ipn->in_outmsk = 0xffffffff;
- ipn->in_srcip = fin->fin_saddr;
- ipn->in_srcmsk = 0xffffffff;
- bcopy(nat->nat_ptr->in_ifnames[0], ipn->in_ifnames[0],
- sizeof(ipn->in_ifnames[0]));
- ipn->in_p = IPPROTO_GRE;
-
- pptp->pptp_side[0].pptps_wptr = pptp->pptp_side[0].pptps_buffer;
- pptp->pptp_side[1].pptps_wptr = pptp->pptp_side[1].pptps_buffer;
- return 0;
-}
-
-
-void ippr_pptp_donatstate(fin, nat, pptp)
-fr_info_t *fin;
-nat_t *nat;
-pptp_pxy_t *pptp;
-{
- fr_info_t fi;
- grehdr_t gre;
- nat_t *nat2;
- u_char p;
- ip_t *ip;
-
- ip = fin->fin_ip;
- p = ip->ip_p;
-
- nat2 = pptp->pptp_nat;
- if ((nat2 == NULL) || (pptp->pptp_state == NULL)) {
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)&gre, sizeof(gre));
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_fi.fi_p = IPPROTO_GRE;
- fi.fin_fr = &pptpfr;
- if ((nat->nat_dir == NAT_OUTBOUND && fin->fin_out) ||
- (nat->nat_dir == NAT_INBOUND && !fin->fin_out)) {
- fi.fin_data[0] = pptp->pptp_call[0];
- fi.fin_data[1] = pptp->pptp_call[1];
- } else {
- fi.fin_data[0] = pptp->pptp_call[1];
- fi.fin_data[1] = pptp->pptp_call[0];
- }
- ip = fin->fin_ip;
- ip->ip_p = IPPROTO_GRE;
- fi.fin_flx &= ~(FI_TCPUDP|FI_STATE|FI_FRAG);
- fi.fin_flx |= FI_IGNORE;
- fi.fin_dp = &gre;
- gre.gr_flags = htons(1 << 13);
- if (fin->fin_out && nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_saddr = fin->fin_fi.fi_daddr;
- fi.fin_fi.fi_daddr = nat->nat_outip.s_addr;
- } else if (!fin->fin_out && nat->nat_dir == NAT_OUTBOUND) {
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- fi.fin_fi.fi_daddr = fin->fin_fi.fi_saddr;
- }
- }
-
- /*
- * Update NAT timeout/create NAT if missing.
- */
- if (nat2 != NULL)
- fr_queueback(&nat2->nat_tqe);
- else {
- nat2 = nat_new(&fi, &pptp->pptp_rule, &pptp->pptp_nat,
- NAT_SLAVE, nat->nat_dir);
- pptp->pptp_nat = nat2;
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, 0);
- nat_update(&fi, nat2, nat2->nat_ptr);
- }
- }
-
- READ_ENTER(&ipf_state);
- if (pptp->pptp_state != NULL) {
- fr_queueback(&pptp->pptp_state->is_sti);
- RWLOCK_EXIT(&ipf_state);
- } else {
- RWLOCK_EXIT(&ipf_state);
- if (nat->nat_dir == NAT_INBOUND)
- fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr;
- else
- fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr;
- fi.fin_ifp = NULL;
- pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
- 0);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_p = p;
- return;
-}
-
-
-/*
- * Try and build up the next PPTP message in the TCP stream and if we can
- * build it up completely (fits in our buffer) then pass it off to the message
- * parsing function.
- */
-int ippr_pptp_nextmessage(fin, nat, pptp, rev)
-fr_info_t *fin;
-nat_t *nat;
-pptp_pxy_t *pptp;
-int rev;
-{
- static char *funcname = "ippr_pptp_nextmessage";
- pptp_side_t *pptps;
- u_32_t start, end;
- pptp_hdr_t *hdr;
- tcphdr_t *tcp;
- int dlen, off;
- u_short len;
- char *msg;
-
- tcp = fin->fin_dp;
- dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
- start = ntohl(tcp->th_seq);
- pptps = &pptp->pptp_side[rev];
- off = (char *)tcp - (char *)fin->fin_ip + (TCP_OFF(tcp) << 2) +
- fin->fin_ipoff;
-
- if (dlen <= 0)
- return 0;
- /*
- * If the complete data packet is before what we expect to see
- * "next", just ignore it as the chances are we've already seen it.
- * The next if statement following this one really just causes packets
- * ahead of what we've seen to be dropped, implying that something in
- * the middle went missing and we want to see that first.
- */
- end = start + dlen;
- if (pptps->pptps_next > end && pptps->pptps_next > start)
- return 0;
-
- if (pptps->pptps_next != start) {
- if (ippr_pptp_debug > 5)
- printf("%s: next (%x) != start (%x)\n", funcname,
- pptps->pptps_next, start);
- return -1;
- }
-
- msg = (char *)fin->fin_dp + (TCP_OFF(tcp) << 2);
-
- while (dlen > 0) {
- off += pptps->pptps_bytes;
- if (pptps->pptps_gothdr == 0) {
- /*
- * PPTP has an 8 byte header that inclues the cookie.
- * The start of every message should include one and
- * it should match 1a2b3c4d. Byte order is ignored,
- * deliberately, when printing out the error.
- */
- len = MIN(8 - pptps->pptps_bytes, dlen);
- COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
- pptps->pptps_bytes += len;
- pptps->pptps_wptr += len;
- hdr = (pptp_hdr_t *)pptps->pptps_buffer;
- if (pptps->pptps_bytes == 8) {
- pptps->pptps_next += 8;
- if (ntohl(hdr->pptph_cookie) != 0x1a2b3c4d) {
- if (ippr_pptp_debug > 1)
- printf("%s: bad cookie (%x)\n",
- funcname,
- hdr->pptph_cookie);
- return -1;
- }
- }
- dlen -= len;
- msg += len;
- off += len;
-
- pptps->pptps_gothdr = 1;
- len = ntohs(hdr->pptph_len);
- pptps->pptps_len = len;
- pptps->pptps_nexthdr += len;
-
- /*
- * If a message is too big for the buffer, just set
- * the fields for the next message to come along.
- * The messages defined in RFC 2637 will not exceed
- * 512 bytes (in total length) so this is likely a
- * bad data packet, anyway.
- */
- if (len > sizeof(pptps->pptps_buffer)) {
- if (ippr_pptp_debug > 3)
- printf("%s: message too big (%d)\n",
- funcname, len);
- pptps->pptps_next = pptps->pptps_nexthdr;
- pptps->pptps_wptr = pptps->pptps_buffer;
- pptps->pptps_gothdr = 0;
- pptps->pptps_bytes = 0;
- pptps->pptps_len = 0;
- break;
- }
- }
-
- len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
- COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
- pptps->pptps_bytes += len;
- pptps->pptps_wptr += len;
- pptps->pptps_next += len;
-
- if (pptps->pptps_len > pptps->pptps_bytes)
- break;
-
- ippr_pptp_message(fin, nat, pptp, pptps);
- pptps->pptps_wptr = pptps->pptps_buffer;
- pptps->pptps_gothdr = 0;
- pptps->pptps_bytes = 0;
- pptps->pptps_len = 0;
-
- start += len;
- msg += len;
- dlen -= len;
- }
-
- return 0;
-}
-
-
-/*
- * handle a complete PPTP message
- */
-int ippr_pptp_message(fin, nat, pptp, pptps)
-fr_info_t *fin;
-nat_t *nat;
-pptp_pxy_t *pptp;
-pptp_side_t *pptps;
-{
- pptp_hdr_t *hdr = (pptp_hdr_t *)pptps->pptps_buffer;
-
- switch (ntohs(hdr->pptph_type))
- {
- case PPTP_MSGTYPE_CTL :
- ippr_pptp_mctl(fin, nat, pptp, pptps);
- break;
-
- default :
- break;
- }
- return 0;
-}
-
-
-/*
- * handle a complete PPTP control message
- */
-int ippr_pptp_mctl(fin, nat, pptp, pptps)
-fr_info_t *fin;
-nat_t *nat;
-pptp_pxy_t *pptp;
-pptp_side_t *pptps;
-{
- u_short *buffer = (u_short *)(pptps->pptps_buffer);
- pptp_side_t *pptpo;
-
- if (pptps == &pptp->pptp_side[0])
- pptpo = &pptp->pptp_side[1];
- else
- pptpo = &pptp->pptp_side[0];
-
- /*
- * Breakout to handle all the various messages. Most are just state
- * transition.
- */
- switch (ntohs(buffer[4]))
- {
- case PPTP_MTCTL_STARTREQ :
- pptps->pptps_state = PPTP_MTCTL_STARTREQ;
- break;
- case PPTP_MTCTL_STARTREP :
- if (pptpo->pptps_state == PPTP_MTCTL_STARTREQ)
- pptps->pptps_state = PPTP_MTCTL_STARTREP;
- break;
- case PPTP_MTCTL_STOPREQ :
- pptps->pptps_state = PPTP_MTCTL_STOPREQ;
- break;
- case PPTP_MTCTL_STOPREP :
- if (pptpo->pptps_state == PPTP_MTCTL_STOPREQ)
- pptps->pptps_state = PPTP_MTCTL_STOPREP;
- break;
- case PPTP_MTCTL_ECHOREQ :
- pptps->pptps_state = PPTP_MTCTL_ECHOREQ;
- break;
- case PPTP_MTCTL_ECHOREP :
- if (pptpo->pptps_state == PPTP_MTCTL_ECHOREQ)
- pptps->pptps_state = PPTP_MTCTL_ECHOREP;
- break;
- case PPTP_MTCTL_OUTREQ :
- pptps->pptps_state = PPTP_MTCTL_OUTREQ;
- break;
- case PPTP_MTCTL_OUTREP :
- if (pptpo->pptps_state == PPTP_MTCTL_OUTREQ) {
- pptps->pptps_state = PPTP_MTCTL_OUTREP;
- pptp->pptp_call[0] = buffer[7];
- pptp->pptp_call[1] = buffer[6];
- ippr_pptp_donatstate(fin, nat, pptp);
- }
- break;
- case PPTP_MTCTL_INREQ :
- pptps->pptps_state = PPTP_MTCTL_INREQ;
- break;
- case PPTP_MTCTL_INREP :
- if (pptpo->pptps_state == PPTP_MTCTL_INREQ) {
- pptps->pptps_state = PPTP_MTCTL_INREP;
- pptp->pptp_call[0] = buffer[7];
- pptp->pptp_call[1] = buffer[6];
- ippr_pptp_donatstate(fin, nat, pptp);
- }
- break;
- case PPTP_MTCTL_INCONNECT :
- pptps->pptps_state = PPTP_MTCTL_INCONNECT;
- break;
- case PPTP_MTCTL_CLEAR :
- pptps->pptps_state = PPTP_MTCTL_CLEAR;
- break;
- case PPTP_MTCTL_DISCONNECT :
- pptps->pptps_state = PPTP_MTCTL_DISCONNECT;
- break;
- case PPTP_MTCTL_WANERROR :
- pptps->pptps_state = PPTP_MTCTL_WANERROR;
- break;
- case PPTP_MTCTL_LINKINFO :
- pptps->pptps_state = PPTP_MTCTL_LINKINFO;
- break;
- }
-
- return 0;
-}
-
-
-/*
- * For outgoing PPTP packets. refresh timeouts for NAT & state entries, if
- * we can. If they have disappeared, recreate them.
- */
-int ippr_pptp_inout(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- pptp_pxy_t *pptp;
- tcphdr_t *tcp;
- int rev;
-
- if ((fin->fin_out == 1) && (nat->nat_dir == NAT_INBOUND))
- rev = 1;
- else if ((fin->fin_out == 0) && (nat->nat_dir == NAT_OUTBOUND))
- rev = 1;
- else
- rev = 0;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
- pptp = (pptp_pxy_t *)aps->aps_data;
- pptp->pptp_side[1 - rev].pptps_next = ntohl(tcp->th_ack);
- pptp->pptp_side[1 - rev].pptps_nexthdr = ntohl(tcp->th_ack);
- pptp->pptp_side[rev].pptps_next = ntohl(tcp->th_seq) + 1;
- pptp->pptp_side[rev].pptps_nexthdr = ntohl(tcp->th_seq) + 1;
- }
- return ippr_pptp_nextmessage(fin, nat, (pptp_pxy_t *)aps->aps_data,
- rev);
-}
-
-
-/*
- * clean up after ourselves.
- */
-void ippr_pptp_del(aps)
-ap_session_t *aps;
-{
- pptp_pxy_t *pptp;
-
- pptp = aps->aps_data;
-
- if (pptp != NULL) {
- /*
- * Don't bother changing any of the NAT structure details,
- * *_del() is on a callback from aps_free(), from nat_delete()
- */
-
- READ_ENTER(&ipf_state);
- if (pptp->pptp_state != NULL) {
- pptp->pptp_state->is_die = fr_ticks + 1;
- pptp->pptp_state->is_me = NULL;
- fr_queuefront(&pptp->pptp_state->is_sti);
- }
- RWLOCK_EXIT(&ipf_state);
-
- pptp->pptp_state = NULL;
- pptp->pptp_nat = NULL;
- }
-}
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
deleted file mode 100644
index 18bc4e1..0000000
--- a/contrib/ipfilter/ip_proxy.c
+++ /dev/null
@@ -1,854 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1997-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/fcntl.h>
-#if !defined(_KERNEL) && !defined(__KERNEL__)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
- !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi)
-# include <sys/ctype.h>
-# endif
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#else
-# include <sys/ioctl.h>
-#endif
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if __FreeBSD__ > 2
-# include <sys/queue.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-
-#include "netinet/ip_ftp_pxy.c"
-#include "netinet/ip_rcmd_pxy.c"
-# include "netinet/ip_pptp_pxy.c"
-#if defined(_KERNEL)
-# include "netinet/ip_irc_pxy.c"
-# include "netinet/ip_raudio_pxy.c"
-# include "netinet/ip_h323_pxy.c"
-# ifdef IPFILTER_PRO
-# include "netinet/ip_msnrpc_pxy.c"
-# endif
-# include "netinet/ip_netbios_pxy.c"
-#endif
-#include "netinet/ip_ipsec_pxy.c"
-#include "netinet/ip_rpcb_pxy.c"
-
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
-#endif
-
-static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
-
-#define AP_SESS_SIZE 53
-
-#if defined(_KERNEL)
-int ipf_proxy_debug = 0;
-#else
-int ipf_proxy_debug = 2;
-#endif
-ap_session_t *ap_sess_tab[AP_SESS_SIZE];
-ap_session_t *ap_sess_list = NULL;
-aproxy_t *ap_proxylist = NULL;
-aproxy_t ap_proxies[] = {
-#ifdef IPF_FTP_PROXY
- { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
- ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL },
-#endif
-#ifdef IPF_IRC_PROXY
- { NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini,
- ippr_irc_new, NULL, NULL, ippr_irc_out, NULL, NULL },
-#endif
-#ifdef IPF_RCMD_PROXY
- { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_fini,
- ippr_rcmd_new, NULL, ippr_rcmd_in, ippr_rcmd_out, NULL, NULL },
-#endif
-#ifdef IPF_RAUDIO_PROXY
- { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, ippr_raudio_fini,
- ippr_raudio_new, NULL, ippr_raudio_in, ippr_raudio_out, NULL, NULL },
-#endif
-#ifdef IPF_MSNRPC_PROXY
- { NULL, "msnrpc", (char)IPPROTO_TCP, 0, 0, ippr_msnrpc_init, ippr_msnrpc_fini,
- ippr_msnrpc_new, NULL, ippr_msnrpc_in, ippr_msnrpc_out, NULL, NULL },
-#endif
-#ifdef IPF_NETBIOS_PROXY
- { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, ippr_netbios_fini,
- NULL, NULL, NULL, ippr_netbios_out, NULL, NULL },
-#endif
-#ifdef IPF_IPSEC_PROXY
- { NULL, "ipsec", (char)IPPROTO_UDP, 0, 0,
- ippr_ipsec_init, ippr_ipsec_fini, ippr_ipsec_new, ippr_ipsec_del,
- ippr_ipsec_inout, ippr_ipsec_inout, ippr_ipsec_match, NULL },
-#endif
-#ifdef IPF_PPTP_PROXY
- { NULL, "pptp", (char)IPPROTO_TCP, 0, 0,
- ippr_pptp_init, ippr_pptp_fini, ippr_pptp_new, ippr_pptp_del,
- ippr_pptp_inout, ippr_pptp_inout, NULL, NULL },
-#endif
-#ifdef IPF_H323_PROXY
- { NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini,
- ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL },
- { NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL,
- ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
-#endif
-#ifdef IPF_RPCB_PROXY
-# if 0
- { NULL, "rpcbt", (char)IPPROTO_TCP, 0, 0,
- ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
- ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
-# endif
- { NULL, "rpcbu", (char)IPPROTO_UDP, 0, 0,
- ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
- ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
-#endif
- { NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL }
-};
-
-/*
- * Dynamically add a new kernel proxy. Ensure that it is unique in the
- * collection compiled in and dynamically added.
- */
-int appr_add(ap)
-aproxy_t *ap;
-{
- aproxy_t *a;
-
- for (a = ap_proxies; a->apr_p; a++)
- if ((a->apr_p == ap->apr_p) &&
- !strncmp(a->apr_label, ap->apr_label,
- sizeof(ap->apr_label))) {
- if (ipf_proxy_debug > 1)
- printf("appr_add: %s/%d already present (B)\n",
- a->apr_label, a->apr_p);
- return -1;
- }
-
- for (a = ap_proxylist; a->apr_p; a = a->apr_next)
- if ((a->apr_p == ap->apr_p) &&
- !strncmp(a->apr_label, ap->apr_label,
- sizeof(ap->apr_label))) {
- if (ipf_proxy_debug > 1)
- printf("appr_add: %s/%d already present (D)\n",
- a->apr_label, a->apr_p);
- return -1;
- }
- ap->apr_next = ap_proxylist;
- ap_proxylist = ap;
- if (ap->apr_init != NULL)
- return (*ap->apr_init)();
- return 0;
-}
-
-
-/*
- * Check to see if the proxy this control request has come through for
- * exists, and if it does and it has a control function then invoke that
- * control function.
- */
-int appr_ctl(ctl)
-ap_ctl_t *ctl;
-{
- aproxy_t *a;
- int error;
-
- a = appr_lookup(ctl->apc_p, ctl->apc_label);
- if (a == NULL) {
- if (ipf_proxy_debug > 1)
- printf("appr_ctl: can't find %s/%d\n",
- ctl->apc_label, ctl->apc_p);
- error = ESRCH;
- } else if (a->apr_ctl == NULL) {
- if (ipf_proxy_debug > 1)
- printf("appr_ctl: no ctl function for %s/%d\n",
- ctl->apc_label, ctl->apc_p);
- error = ENXIO;
- } else {
- error = (*a->apr_ctl)(a, ctl);
- if ((error != 0) && (ipf_proxy_debug > 1))
- printf("appr_ctl: %s/%d ctl error %d\n",
- a->apr_label, a->apr_p, error);
- }
- return error;
-}
-
-
-/*
- * Delete a proxy that has been added dynamically from those available.
- * If it is in use, return 1 (do not destroy NOW), not in use 0 or -1
- * if it cannot be matched.
- */
-int appr_del(ap)
-aproxy_t *ap;
-{
- aproxy_t *a, **app;
-
- for (app = &ap_proxylist; ((a = *app) != NULL); app = &a->apr_next)
- if (a == ap) {
- a->apr_flags |= APR_DELETE;
- *app = a->apr_next;
- if (ap->apr_ref != 0) {
- if (ipf_proxy_debug > 2)
- printf("appr_del: orphaning %s/%d\n",
- ap->apr_label, ap->apr_p);
- return 1;
- }
- return 0;
- }
- if (ipf_proxy_debug > 1)
- printf("appr_del: proxy %lx not found\n", (u_long)ap);
- return -1;
-}
-
-
-/*
- * Return 1 if the packet is a good match against a proxy, else 0.
- */
-int appr_ok(fin, tcp, nat)
-fr_info_t *fin;
-tcphdr_t *tcp;
-ipnat_t *nat;
-{
- aproxy_t *apr = nat->in_apr;
- u_short dport = nat->in_dport;
-
- if ((apr == NULL) || (apr->apr_flags & APR_DELETE) ||
- (fin->fin_p != apr->apr_p))
- return 0;
- if ((tcp == NULL) && dport)
- return 0;
- return 1;
-}
-
-
-int appr_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- ap_ctl_t ctl;
- caddr_t ptr;
- int error;
-
- mode = mode; /* LINT */
-
- switch (cmd)
- {
- case SIOCPROXY :
- BCOPYIN(data, &ctl, sizeof(ctl));
- ptr = NULL;
-
- if (ctl.apc_dsize > 0) {
- KMALLOCS(ptr, caddr_t, ctl.apc_dsize);
- if (ptr == NULL)
- error = ENOMEM;
- else {
- error = copyinptr(ctl.apc_data, ptr,
- ctl.apc_dsize);
- if (error == 0)
- ctl.apc_data = ptr;
- }
- } else {
- ctl.apc_data = NULL;
- error = 0;
- }
-
- if (error == 0)
- error = appr_ctl(&ctl);
-
- if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
- (ctl.apc_data == ptr)) {
- KFREES(ptr, ctl.apc_dsize);
- }
- break;
-
- default :
- error = EINVAL;
- }
- return error;
-}
-
-
-/*
- * If a proxy has a match function, call that to do extended packet
- * matching.
- */
-int appr_match(fin, nat)
-fr_info_t *fin;
-nat_t *nat;
-{
- aproxy_t *apr;
- ipnat_t *ipn;
- int result;
-
- ipn = nat->nat_ptr;
- if (ipf_proxy_debug > 8)
- printf("appr_match(%lx,%lx) aps %lx ptr %lx\n",
- (u_long)fin, (u_long)nat, (u_long)nat->nat_aps,
- (u_long)ipn);
-
- if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) {
- if (ipf_proxy_debug > 0)
- printf("appr_match: flx 0x%x (BAD|SHORT)\n",
- fin->fin_flx);
- return -1;
- }
-
- apr = ipn->in_apr;
- if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) {
- if (ipf_proxy_debug > 0)
- printf("appr_match:apr %lx apr_flags 0x%x\n",
- (u_long)apr, apr ? apr->apr_flags : 0);
- return -1;
- }
-
- if (apr->apr_match != NULL) {
- result = (*apr->apr_match)(fin, nat->nat_aps, nat);
- if (result != 0) {
- if (ipf_proxy_debug > 4)
- printf("appr_match: result %d\n", result);
- return -1;
- }
- }
- return 0;
-}
-
-
-/*
- * Allocate a new application proxy structure and fill it in with the
- * relevant details. call the init function once complete, prior to
- * returning.
- */
-int appr_new(fin, nat)
-fr_info_t *fin;
-nat_t *nat;
-{
- register ap_session_t *aps;
- aproxy_t *apr;
-
- if (ipf_proxy_debug > 8)
- printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat);
-
- if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) {
- if (ipf_proxy_debug > 0)
- printf("appr_new: nat_ptr %lx nat_aps %lx\n",
- (u_long)nat->nat_ptr, (u_long)nat->nat_aps);
- return -1;
- }
-
- apr = nat->nat_ptr->in_apr;
-
- if ((apr->apr_flags & APR_DELETE) ||
- (fin->fin_p != apr->apr_p)) {
- if (ipf_proxy_debug > 2)
- printf("appr_new: apr_flags 0x%x p %d/%d\n",
- apr->apr_flags, fin->fin_p, apr->apr_p);
- return -1;
- }
-
- KMALLOC(aps, ap_session_t *);
- if (!aps) {
- if (ipf_proxy_debug > 0)
- printf("appr_new: malloc failed (%lu)\n",
- (u_long)sizeof(ap_session_t));
- return -1;
- }
-
- bzero((char *)aps, sizeof(*aps));
- aps->aps_p = fin->fin_p;
- aps->aps_data = NULL;
- aps->aps_apr = apr;
- aps->aps_psiz = 0;
- if (apr->apr_new != NULL)
- if ((*apr->apr_new)(fin, aps, nat) == -1) {
- if ((aps->aps_data != NULL) && (aps->aps_psiz != 0)) {
- KFREES(aps->aps_data, aps->aps_psiz);
- }
- KFREE(aps);
- if (ipf_proxy_debug > 2)
- printf("appr_new: new(%lx) failed\n",
- (u_long)apr->apr_new);
- return -1;
- }
- aps->aps_nat = nat;
- aps->aps_next = ap_sess_list;
- ap_sess_list = aps;
- nat->nat_aps = aps;
-
- return 0;
-}
-
-
-/*
- * Check to see if a packet should be passed through an active proxy routine
- * if one has been setup for it. We don't need to check the checksum here if
- * IPFILTER_CKSUM is defined because if it is, a failed check causes FI_BAD
- * to be set.
- */
-int appr_check(fin, nat)
-fr_info_t *fin;
-nat_t *nat;
-{
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
-# if defined(ICK_VALID)
- mb_t *m;
-# endif
- int dosum = 1;
-#endif
- tcphdr_t *tcp = NULL;
- udphdr_t *udp = NULL;
- ap_session_t *aps;
- aproxy_t *apr;
- ip_t *ip;
- short rv;
- int err;
-#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
- u_32_t s1, s2, sd;
-#endif
-
- if (fin->fin_flx & FI_BAD) {
- if (ipf_proxy_debug > 0)
- printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx);
- return -1;
- }
-
-#ifndef IPFILTER_CKSUM
- if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) {
- if (ipf_proxy_debug > 0)
- printf("appr_check: l4 checksum failure %d\n",
- fin->fin_p);
- if (fin->fin_p == IPPROTO_TCP)
- frstats[fin->fin_out].fr_tcpbad++;
- return -1;
- }
-#endif
-
- aps = nat->nat_aps;
- if ((aps != NULL) && (aps->aps_p == fin->fin_p)) {
- /*
- * If there is data in this packet to be proxied then try and
- * get it all into the one buffer, else drop it.
- */
-#if defined(MENTAT) || defined(HAVE_M_PULLDOWN)
- if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE))
- if (fr_coalesce(fin) == -1) {
- if (ipf_proxy_debug > 0)
- printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx);
- return -1;
- }
-#endif
- ip = fin->fin_ip;
-
- switch (fin->fin_p)
- {
- case IPPROTO_TCP :
- tcp = (tcphdr_t *)fin->fin_dp;
-
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) && defined(ICK_VALID)
- m = fin->fin_qfm;
- if (dohwcksum && (m->b_ick_flag == ICK_VALID))
- dosum = 0;
-#endif
- /*
- * Don't bother the proxy with these...or in fact,
- * should we free up proxy stuff when seen?
- */
- if ((fin->fin_tcpf & TH_RST) != 0)
- break;
- /*FALLTHROUGH*/
- case IPPROTO_UDP :
- udp = (udphdr_t *)fin->fin_dp;
- break;
- default :
- break;
- }
-
- apr = aps->aps_apr;
- err = 0;
- if (fin->fin_out != 0) {
- if (apr->apr_outpkt != NULL)
- err = (*apr->apr_outpkt)(fin, aps, nat);
- } else {
- if (apr->apr_inpkt != NULL)
- err = (*apr->apr_inpkt)(fin, aps, nat);
- }
-
- rv = APR_EXIT(err);
- if (((ipf_proxy_debug > 0) && (rv != 0)) ||
- (ipf_proxy_debug > 8))
- printf("appr_check: out %d err %x rv %d\n",
- fin->fin_out, err, rv);
- if (rv == 1)
- return -1;
-
- if (rv == 2) {
- appr_free(apr);
- nat->nat_aps = NULL;
- return -1;
- }
-
- /*
- * If err != 0 then the data size of the packet has changed
- * so we need to recalculate the header checksums for the
- * packet.
- */
-#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi)
- if (err != 0) {
- short adjlen = err & 0xffff;
-
- s1 = LONG_SUM(ip->ip_len - adjlen);
- s2 = LONG_SUM(ip->ip_len);
- CALC_SUMD(s1, s2, sd);
- fix_outcksum(fin, &ip->ip_sum, sd);
- }
-#endif
-
- /*
- * For TCP packets, we may need to adjust the sequence and
- * acknowledgement numbers to reflect changes in size of the
- * data stream.
- *
- * For both TCP and UDP, recalculate the layer 4 checksum,
- * regardless, as we can't tell (here) if data has been
- * changed or not.
- */
- if (tcp != NULL) {
- err = appr_fixseqack(fin, ip, aps, APR_INC(err));
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
- if (dosum)
- tcp->th_sum = fr_cksum(fin->fin_qfm, ip,
- IPPROTO_TCP, tcp);
-#else
- tcp->th_sum = fr_cksum(fin->fin_m, ip,
- IPPROTO_TCP, tcp);
-#endif
- } else if ((udp != NULL) && (udp->uh_sum != 0)) {
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
- if (dosum)
- udp->uh_sum = fr_cksum(fin->fin_qfm, ip,
- IPPROTO_UDP, udp);
-#else
- udp->uh_sum = fr_cksum(fin->fin_m, ip,
- IPPROTO_UDP, udp);
-#endif
- }
- aps->aps_bytes += fin->fin_plen;
- aps->aps_pkts++;
- return 1;
- }
- return 0;
-}
-
-
-/*
- * Search for an proxy by the protocol it is being used with and its name.
- */
-aproxy_t *appr_lookup(pr, name)
-u_int pr;
-char *name;
-{
- aproxy_t *ap;
-
- if (ipf_proxy_debug > 8)
- printf("appr_lookup(%d,%s)\n", pr, name);
-
- for (ap = ap_proxies; ap->apr_p; ap++)
- if ((ap->apr_p == pr) &&
- !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
- ap->apr_ref++;
- return ap;
- }
-
- for (ap = ap_proxylist; ap; ap = ap->apr_next)
- if ((ap->apr_p == pr) &&
- !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
- ap->apr_ref++;
- return ap;
- }
- if (ipf_proxy_debug > 2)
- printf("appr_lookup: failed for %d/%s\n", pr, name);
- return NULL;
-}
-
-
-void appr_free(ap)
-aproxy_t *ap;
-{
- ap->apr_ref--;
-}
-
-
-void aps_free(aps)
-ap_session_t *aps;
-{
- ap_session_t *a, **ap;
- aproxy_t *apr;
-
- if (!aps)
- return;
-
- for (ap = &ap_sess_list; ((a = *ap) != NULL); ap = &a->aps_next)
- if (a == aps) {
- *ap = a->aps_next;
- break;
- }
-
- apr = aps->aps_apr;
- if ((apr != NULL) && (apr->apr_del != NULL))
- (*apr->apr_del)(aps);
-
- if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
- KFREES(aps->aps_data, aps->aps_psiz);
- KFREE(aps);
-}
-
-
-/*
- * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
- */
-static int appr_fixseqack(fin, ip, aps, inc)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-int inc;
-{
- int sel, ch = 0, out, nlen;
- u_32_t seq1, seq2;
- tcphdr_t *tcp;
- short inc2;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- out = fin->fin_out;
- /*
- * ip_len has already been adjusted by 'inc'.
- */
- nlen = ip->ip_len;
- nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
-
- inc2 = inc;
- inc = (int)inc2;
-
- if (out != 0) {
- seq1 = (u_32_t)ntohl(tcp->th_seq);
- sel = aps->aps_sel[out];
-
- /* switch to other set ? */
- if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel])) {
- if (ipf_proxy_debug > 7)
- printf("proxy out switch set seq %d -> %d %x > %x\n",
- sel, !sel, seq1,
- aps->aps_seqmin[!sel]);
- sel = aps->aps_sel[out] = !sel;
- }
-
- if (aps->aps_seqoff[sel]) {
- seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
- if (seq1 > seq2) {
- seq2 = aps->aps_seqoff[sel];
- seq1 += seq2;
- tcp->th_seq = htonl(seq1);
- ch = 1;
- }
- }
-
- if (inc && (seq1 > aps->aps_seqmin[!sel])) {
- aps->aps_seqmin[sel] = seq1 + nlen - 1;
- aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
- if (ipf_proxy_debug > 7)
- printf("proxy seq set %d at %x to %d + %d\n",
- sel, aps->aps_seqmin[sel],
- aps->aps_seqoff[sel], inc);
- }
-
- /***/
-
- seq1 = ntohl(tcp->th_ack);
- sel = aps->aps_sel[1 - out];
-
- /* switch to other set ? */
- if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel])) {
- if (ipf_proxy_debug > 7)
- printf("proxy out switch set ack %d -> %d %x > %x\n",
- sel, !sel, seq1,
- aps->aps_ackmin[!sel]);
- sel = aps->aps_sel[1 - out] = !sel;
- }
-
- if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
- seq2 = aps->aps_ackoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
- }
- } else {
- seq1 = ntohl(tcp->th_seq);
- sel = aps->aps_sel[out];
-
- /* switch to other set ? */
- if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel])) {
- if (ipf_proxy_debug > 7)
- printf("proxy in switch set ack %d -> %d %x > %x\n",
- sel, !sel, seq1, aps->aps_ackmin[!sel]);
- sel = aps->aps_sel[out] = !sel;
- }
-
- if (aps->aps_ackoff[sel]) {
- seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
- if (seq1 > seq2) {
- seq2 = aps->aps_ackoff[sel];
- seq1 += seq2;
- tcp->th_seq = htonl(seq1);
- ch = 1;
- }
- }
-
- if (inc && (seq1 > aps->aps_ackmin[!sel])) {
- aps->aps_ackmin[!sel] = seq1 + nlen - 1;
- aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
-
- if (ipf_proxy_debug > 7)
- printf("proxy ack set %d at %x to %d + %d\n",
- !sel, aps->aps_seqmin[!sel],
- aps->aps_seqoff[sel], inc);
- }
-
- /***/
-
- seq1 = ntohl(tcp->th_ack);
- sel = aps->aps_sel[1 - out];
-
- /* switch to other set ? */
- if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel])) {
- if (ipf_proxy_debug > 7)
- printf("proxy in switch set seq %d -> %d %x > %x\n",
- sel, !sel, seq1, aps->aps_seqmin[!sel]);
- sel = aps->aps_sel[1 - out] = !sel;
- }
-
- if (aps->aps_seqoff[sel] != 0) {
- if (ipf_proxy_debug > 7)
- printf("sel %d seqoff %d seq1 %x seqmin %x\n",
- sel, aps->aps_seqoff[sel], seq1,
- aps->aps_seqmin[sel]);
- if (seq1 > aps->aps_seqmin[sel]) {
- seq2 = aps->aps_seqoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
- }
- }
- }
-
- if (ipf_proxy_debug > 8)
- printf("appr_fixseqack: seq %x ack %x\n",
- ntohl(tcp->th_seq), ntohl(tcp->th_ack));
- return ch ? 2 : 0;
-}
-
-
-/*
- * Initialise hook for kernel application proxies.
- * Call the initialise routine for all the compiled in kernel proxies.
- */
-int appr_init()
-{
- aproxy_t *ap;
- int err = 0;
-
- for (ap = ap_proxies; ap->apr_p; ap++) {
- if (ap->apr_init != NULL) {
- err = (*ap->apr_init)();
- if (err != 0)
- break;
- }
- }
- return err;
-}
-
-
-/*
- * Unload hook for kernel application proxies.
- * Call the finialise routine for all the compiled in kernel proxies.
- */
-void appr_unload()
-{
- aproxy_t *ap;
-
- for (ap = ap_proxies; ap->apr_p; ap++)
- if (ap->apr_fini != NULL)
- (*ap->apr_fini)();
- for (ap = ap_proxylist; ap; ap = ap->apr_next)
- if (ap->apr_fini != NULL)
- (*ap->apr_fini)();
-}
diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h
deleted file mode 100644
index 8e53c98..0000000
--- a/contrib/ipfilter/ip_proxy.h
+++ /dev/null
@@ -1,453 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1997-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_proxy.h,v 2.31.2.2 2005/03/12 19:33:48 darrenr Exp
- */
-
-#ifndef __IP_PROXY_H__
-#define __IP_PROXY_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#ifndef APR_LABELLEN
-#define APR_LABELLEN 16
-#endif
-#define AP_SESS_SIZE 53
-
-struct nat;
-struct ipnat;
-
-typedef struct ap_tcp {
- u_short apt_sport; /* source port */
- u_short apt_dport; /* destination port */
- short apt_sel[2]; /* {seq,ack}{off,min} set selector */
- short apt_seqoff[2]; /* sequence # difference */
- tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */
- short apt_ackoff[2]; /* sequence # difference */
- tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */
- u_char apt_state[2]; /* connection state */
-} ap_tcp_t;
-
-typedef struct ap_udp {
- u_short apu_sport; /* source port */
- u_short apu_dport; /* destination port */
-} ap_udp_t;
-
-typedef struct ap_session {
- struct aproxy *aps_apr;
- union {
- struct ap_tcp apu_tcp;
- struct ap_udp apu_udp;
- } aps_un;
- u_int aps_flags;
- U_QUAD_T aps_bytes; /* bytes sent */
- U_QUAD_T aps_pkts; /* packets sent */
- void *aps_nat; /* pointer back to nat struct */
- void *aps_data; /* private data */
- int aps_p; /* protocol */
- int aps_psiz; /* size of private data */
- struct ap_session *aps_hnext;
- struct ap_session *aps_next;
-} ap_session_t;
-
-#define aps_sport aps_un.apu_tcp.apt_sport
-#define aps_dport aps_un.apu_tcp.apt_dport
-#define aps_sel aps_un.apu_tcp.apt_sel
-#define aps_seqoff aps_un.apu_tcp.apt_seqoff
-#define aps_seqmin aps_un.apu_tcp.apt_seqmin
-#define aps_state aps_un.apu_tcp.apt_state
-#define aps_ackoff aps_un.apu_tcp.apt_ackoff
-#define aps_ackmin aps_un.apu_tcp.apt_ackmin
-
-
-typedef struct ap_control {
- char apc_label[APR_LABELLEN];
- u_char apc_p;
- /*
- * The following fields are upto the proxy's apr_ctl routine to deal
- * with. When the proxy gets this in kernel space, apc_data will
- * point to a malloc'd region of memory of apc_dsize bytes. If the
- * proxy wants to keep that memory, it must set apc_data to NULL
- * before it returns. It is expected if this happens that it will
- * take care to free it in apr_fini or otherwise as appropriate.
- * apc_cmd is provided as a standard place to put simple commands,
- * with apc_arg being available to put a simple arg.
- */
- u_long apc_cmd;
- u_long apc_arg;
- void *apc_data;
- size_t apc_dsize;
-} ap_ctl_t;
-
-
-typedef struct aproxy {
- struct aproxy *apr_next;
- char apr_label[APR_LABELLEN]; /* Proxy label # */
- u_char apr_p; /* protocol */
- int apr_ref; /* +1 per rule referencing it */
- int apr_flags;
- int (* apr_init) __P((void));
- void (* apr_fini) __P((void));
- int (* apr_new) __P((fr_info_t *, ap_session_t *, struct nat *));
- void (* apr_del) __P((ap_session_t *));
- int (* apr_inpkt) __P((fr_info_t *, ap_session_t *, struct nat *));
- int (* apr_outpkt) __P((fr_info_t *, ap_session_t *, struct nat *));
- int (* apr_match) __P((fr_info_t *, ap_session_t *, struct nat *));
- int (* apr_ctl) __P((struct aproxy *, struct ap_control *));
-} aproxy_t;
-
-#define APR_DELETE 1
-
-#define APR_ERR(x) ((x) << 16)
-#define APR_EXIT(x) (((x) >> 16) & 0xffff)
-#define APR_INC(x) ((x) & 0xffff)
-
-/*
- * Generic #define's to cover missing things in the kernel
- */
-#ifndef isdigit
-#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#endif
-#ifndef isupper
-#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
-#endif
-#ifndef islower
-#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
-#endif
-#ifndef isalpha
-#define isalpha(x) (isupper(x) || islower(x))
-#endif
-#ifndef toupper
-#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
-#endif
-#ifndef isspace
-#define isspace(x) (((x) == ' ') || ((x) == '\r') || ((x) == '\n') || \
- ((x) == '\t') || ((x) == '\b'))
-#endif
-
-/*
- * This is the scratch buffer size used to hold strings from the TCP stream
- * that we may want to parse. It's an arbitrary size, really, but it must
- * be at least as large as IPF_FTPBUFSZ.
- */
-#define FTP_BUFSZ 120
-
-/*
- * This buffer, however, doesn't need to be nearly so big. It just needs to
- * be able to squeeze in the largest command it needs to rewrite, Which ones
- * does it rewrite? EPRT, PORT, 227 replies.
- */
-#define IPF_FTPBUFSZ 80 /* This *MUST* be >= 53! */
-
-typedef struct ftpside {
- char *ftps_rptr;
- char *ftps_wptr;
- void *ftps_ifp;
- u_32_t ftps_seq[2];
- u_32_t ftps_len;
- int ftps_junk; /* 2 = no cr/lf yet, 1 = cannot parse */
- int ftps_cmds;
- char ftps_buf[FTP_BUFSZ];
-} ftpside_t;
-
-typedef struct ftpinfo {
- int ftp_passok;
- int ftp_incok;
- ftpside_t ftp_side[2];
-} ftpinfo_t;
-
-
-/*
- * For the irc proxy.
- */
-typedef struct ircinfo {
- size_t irc_len;
- char *irc_snick;
- char *irc_dnick;
- char *irc_type;
- char *irc_arg;
- char *irc_addr;
- u_32_t irc_ipnum;
- u_short irc_port;
-} ircinfo_t;
-
-
-/*
- * Real audio proxy structure and #defines
- */
-typedef struct raudio_s {
- int rap_seenpna;
- int rap_seenver;
- int rap_version;
- int rap_eos; /* End Of Startup */
- int rap_gotid;
- int rap_gotlen;
- int rap_mode;
- int rap_sdone;
- u_short rap_plport;
- u_short rap_prport;
- u_short rap_srport;
- char rap_svr[19];
- u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have
- * been filled
- */
- tcp_seq rap_sseq;
-} raudio_t;
-
-#define RA_ID_END 0
-#define RA_ID_UDP 1
-#define RA_ID_ROBUST 7
-
-#define RAP_M_UDP 1
-#define RAP_M_ROBUST 2
-#define RAP_M_TCP 4
-#define RAP_M_UDP_ROBUST (RAP_M_UDP|RAP_M_ROBUST)
-
-
-/*
- * MSN RPC proxy
- */
-typedef struct msnrpcinfo {
- u_int mri_flags;
- int mri_cmd[2];
- u_int mri_valid;
- struct in_addr mri_raddr;
- u_short mri_rport;
-} msnrpcinfo_t;
-
-
-/*
- * IPSec proxy
- */
-typedef u_32_t ipsec_cookie_t[2];
-
-typedef struct ipsec_pxy {
- ipsec_cookie_t ipsc_icookie;
- ipsec_cookie_t ipsc_rcookie;
- int ipsc_rckset;
- ipnat_t ipsc_rule;
- nat_t *ipsc_nat;
- ipstate_t *ipsc_state;
-} ipsec_pxy_t;
-
-/*
- * PPTP proxy
- */
-typedef struct pptp_side {
- u_32_t pptps_nexthdr;
- u_32_t pptps_next;
- int pptps_state;
- int pptps_gothdr;
- int pptps_len;
- int pptps_bytes;
- char *pptps_wptr;
- char pptps_buffer[512];
-} pptp_side_t;
-
-typedef struct pptp_pxy {
- ipnat_t pptp_rule;
- nat_t *pptp_nat;
- ipstate_t *pptp_state;
- u_short pptp_call[2];
- pptp_side_t pptp_side[2];
-} pptp_pxy_t;
-
-
-/*
- * Sun RPCBIND proxy
- */
-#define RPCB_MAXMSG 888
-#define RPCB_RES_PMAP 0 /* Response contains a v2 port. */
-#define RPCB_RES_STRING 1 /* " " " v3 (GETADDR) string. */
-#define RPCB_RES_LIST 2 /* " " " v4 (GETADDRLIST) list. */
-#define RPCB_MAXREQS 32 /* Arbitrary limit on tracked transactions */
-
-#define RPCB_REQMIN 40
-#define RPCB_REQMAX 888
-#define RPCB_REPMIN 20
-#define RPCB_REPMAX 604 /* XXX double check this! */
-
-/*
- * These macros determine the number of bytes between p and the end of
- * r->rs_buf relative to l.
- */
-#define RPCB_BUF_END(r) (char *)((r)->rm_msgbuf + (r)->rm_buflen)
-#define RPCB_BUF_GEQ(r, p, l) \
- ((RPCB_BUF_END((r)) > (char *)(p)) && \
- ((RPCB_BUF_END((r)) - (char *)(p)) >= (l)))
-#define RPCB_BUF_EQ(r, p, l) \
- (RPCB_BUF_END((r)) == ((char *)(p) + (l)))
-
-/*
- * The following correspond to RPC(B) detailed in RFC183[13].
- */
-#define RPCB_CALL 0
-#define RPCB_REPLY 1
-#define RPCB_MSG_VERSION 2
-#define RPCB_PROG 100000
-#define RPCB_GETPORT 3
-#define RPCB_GETADDR 3
-#define RPCB_GETADDRLIST 11
-#define RPCB_MSG_ACCEPTED 0
-#define RPCB_MSG_DENIED 1
-
-/* BEGIN (Generic XDR structures) */
-typedef struct xdr_string {
- u_32_t *xs_len;
- char *xs_str;
-} xdr_string_t;
-
-typedef struct xdr_auth {
- /* u_32_t xa_flavor; */
- xdr_string_t xa_string;
-} xdr_auth_t;
-
-typedef struct xdr_uaddr {
- u_32_t xu_ip;
- u_short xu_port;
- xdr_string_t xu_str;
-} xdr_uaddr_t;
-
-typedef struct xdr_proto {
- u_int xp_proto;
- xdr_string_t xp_str;
-} xdr_proto_t;
-
-#define xu_xslen xu_str.xs_len
-#define xu_xsstr xu_str.xs_str
-#define xp_xslen xp_str.xs_len
-#define xp_xsstr xp_str.xs_str
-/* END (Generic XDR structures) */
-
-/* BEGIN (RPC call structures) */
-typedef struct pmap_args {
- /* u_32_t pa_prog; */
- /* u_32_t pa_vers; */
- u_32_t *pa_prot;
- /* u_32_t pa_port; */
-} pmap_args_t;
-
-typedef struct rpcb_args {
- /* u_32_t *ra_prog; */
- /* u_32_t *ra_vers; */
- xdr_proto_t ra_netid;
- xdr_uaddr_t ra_maddr;
- /* xdr_string_t ra_owner; */
-} rpcb_args_t;
-
-typedef struct rpc_call {
- /* u_32_t rc_rpcvers; */
- /* u_32_t rc_prog; */
- u_32_t *rc_vers;
- u_32_t *rc_proc;
- xdr_auth_t rc_authcred;
- xdr_auth_t rc_authverf;
- union {
- pmap_args_t ra_pmapargs;
- rpcb_args_t ra_rpcbargs;
- } rpcb_args;
-} rpc_call_t;
-
-#define rc_pmapargs rpcb_args.ra_pmapargs
-#define rc_rpcbargs rpcb_args.ra_rpcbargs
-/* END (RPC call structures) */
-
-/* BEGIN (RPC reply structures) */
-typedef struct rpcb_entry {
- xdr_uaddr_t re_maddr;
- xdr_proto_t re_netid;
- /* u_32_t re_semantics; */
- xdr_string_t re_family;
- xdr_proto_t re_proto;
- u_32_t *re_more; /* 1 == another entry follows */
-} rpcb_entry_t;
-
-typedef struct rpcb_listp {
- u_32_t *rl_list; /* 1 == list follows */
- int rl_cnt;
- rpcb_entry_t rl_entries[2]; /* TCP / UDP only */
-} rpcb_listp_t;
-
-typedef struct rpc_resp {
- /* u_32_t rr_acceptdeny; */
- /* Omitted 'message denied' fork; we don't care about rejects. */
- xdr_auth_t rr_authverf;
- /* u_32_t *rr_astat; */
- union {
- u_32_t *resp_pmap;
- xdr_uaddr_t resp_getaddr;
- rpcb_listp_t resp_getaddrlist;
- } rpcb_reply;
-} rpc_resp_t;
-
-#define rr_v2 rpcb_reply.resp_pmap
-#define rr_v3 rpcb_reply.resp_getaddr
-#define rr_v4 rpcb_reply.resp_getaddrlist
-/* END (RPC reply structures) */
-
-/* BEGIN (RPC message structure & macros) */
-typedef struct rpc_msg {
- char rm_msgbuf[RPCB_MAXMSG]; /* RPCB data buffer */
- u_int rm_buflen;
- u_32_t *rm_xid;
- /* u_32_t Call vs Reply */
- union {
- rpc_call_t rb_call;
- rpc_resp_t rb_resp;
- } rm_body;
-} rpc_msg_t;
-
-#define rm_call rm_body.rb_call
-#define rm_resp rm_body.rb_resp
-/* END (RPC message structure & macros) */
-
-/*
- * These code paths aren't hot enough to warrant per transaction
- * mutexes.
- */
-typedef struct rpcb_xact {
- struct rpcb_xact *rx_next;
- struct rpcb_xact **rx_pnext;
- u_32_t rx_xid; /* RPC transmission ID */
- u_int rx_type; /* RPCB response type */
- u_int rx_ref; /* reference count */
- u_int rx_proto; /* transport protocol (v2 only) */
-} rpcb_xact_t;
-
-typedef struct rpcb_session {
- ipfmutex_t rs_rxlock;
- rpcb_xact_t *rs_rxlist;
-} rpcb_session_t;
-
-/*
- * For an explanation, please see the following:
- * RFC1832 - Sections 3.11, 4.4, and 4.5.
- */
-#define XDRALIGN(x) ((((x) % 4) != 0) ? ((((x) + 3) / 4) * 4) : (x))
-
-extern ap_session_t *ap_sess_tab[AP_SESS_SIZE];
-extern ap_session_t *ap_sess_list;
-extern aproxy_t ap_proxies[];
-extern int ippr_ftp_pasvonly;
-
-extern int appr_add __P((aproxy_t *));
-extern int appr_ctl __P((ap_ctl_t *));
-extern int appr_del __P((aproxy_t *));
-extern int appr_init __P((void));
-extern void appr_unload __P((void));
-extern int appr_ok __P((fr_info_t *, tcphdr_t *, struct ipnat *));
-extern int appr_match __P((fr_info_t *, struct nat *));
-extern void appr_free __P((aproxy_t *));
-extern void aps_free __P((ap_session_t *));
-extern int appr_check __P((fr_info_t *, struct nat *));
-extern aproxy_t *appr_lookup __P((u_int, char *));
-extern int appr_new __P((fr_info_t *, struct nat *));
-extern int appr_ioctl __P((caddr_t, ioctlcmd_t, int));
-
-#endif /* __IP_PROXY_H__ */
diff --git a/contrib/ipfilter/ip_raudio_pxy.c b/contrib/ipfilter/ip_raudio_pxy.c
deleted file mode 100644
index 260fcd4..0000000
--- a/contrib/ipfilter/ip_raudio_pxy.c
+++ /dev/null
@@ -1,338 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1998-2003 by Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_raudio_pxy.c,v 1.40.2.3 2005/02/04 10:22:55 darrenr Exp
- */
-
-#define IPF_RAUDIO_PROXY
-
-
-int ippr_raudio_init __P((void));
-void ippr_raudio_fini __P((void));
-int ippr_raudio_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_raudio_in __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_raudio_out __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static frentry_t raudiofr;
-
-int raudio_proxy_init = 0;
-
-
-/*
- * Real Audio application proxy initialization.
- */
-int ippr_raudio_init()
-{
- bzero((char *)&raudiofr, sizeof(raudiofr));
- raudiofr.fr_ref = 1;
- raudiofr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&raudiofr.fr_lock, "Real Audio proxy rule lock");
- raudio_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_raudio_fini()
-{
- if (raudio_proxy_init == 1) {
- MUTEX_DESTROY(&raudiofr.fr_lock);
- raudio_proxy_init = 0;
- }
-}
-
-
-/*
- * Setup for a new proxy to handle Real Audio.
- */
-int ippr_raudio_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- raudio_t *rap;
-
- KMALLOCS(aps->aps_data, void *, sizeof(raudio_t));
- if (aps->aps_data == NULL)
- return -1;
-
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- bzero(aps->aps_data, sizeof(raudio_t));
- rap = aps->aps_data;
- aps->aps_psiz = sizeof(raudio_t);
- rap->rap_mode = RAP_M_TCP; /* default is for TCP */
- return 0;
-}
-
-
-
-int ippr_raudio_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- raudio_t *rap = aps->aps_data;
- unsigned char membuf[512 + 1], *s;
- u_short id = 0;
- tcphdr_t *tcp;
- int off, dlen;
- int len = 0;
- mb_t *m;
-
- nat = nat; /* LINT */
-
- /*
- * If we've already processed the start messages, then nothing left
- * for the proxy to do.
- */
- if (rap->rap_eos == 1)
- return 0;
-
- m = fin->fin_m;
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (char *)tcp - (char *)fin->fin_ip;
- off += (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
-#ifdef __sgi
- dlen = fin->fin_plen - off;
-#else
- dlen = MSGDSIZE(m) - off;
-#endif
- if (dlen <= 0)
- return 0;
-
- if (dlen > sizeof(membuf))
- dlen = sizeof(membuf);
-
- bzero((char *)membuf, sizeof(membuf));
- COPYDATA(m, off, dlen, (char *)membuf);
- /*
- * In all the startup parsing, ensure that we don't go outside
- * the packet buffer boundary.
- */
- /*
- * Look for the start of connection "PNA" string if not seen yet.
- */
- if (rap->rap_seenpna == 0) {
- s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
- if (s == NULL)
- return 0;
- s += 3;
- rap->rap_seenpna = 1;
- } else
- s = membuf;
-
- /*
- * Directly after the PNA will be the version number of this
- * connection.
- */
- if (rap->rap_seenpna == 1 && rap->rap_seenver == 0) {
- if ((s + 1) - membuf < dlen) {
- rap->rap_version = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_seenver = 1;
- } else
- return 0;
- }
-
- /*
- * Now that we've been past the PNA and version number, we're into the
- * startup messages block. This ends when a message with an ID of 0.
- */
- while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) {
- if (rap->rap_gotid == 0) {
- id = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_gotid = 1;
- if (id == RA_ID_END) {
- rap->rap_eos = 1;
- break;
- }
- } else if (rap->rap_gotlen == 0) {
- len = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_gotlen = 1;
- }
-
- if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) {
- if (id == RA_ID_UDP) {
- rap->rap_mode &= ~RAP_M_TCP;
- rap->rap_mode |= RAP_M_UDP;
- rap->rap_plport = (*s << 8) | *(s + 1);
- } else if (id == RA_ID_ROBUST) {
- rap->rap_mode |= RAP_M_ROBUST;
- rap->rap_prport = (*s << 8) | *(s + 1);
- }
- s += len;
- rap->rap_gotlen = 0;
- rap->rap_gotid = 0;
- }
- }
- return 0;
-}
-
-
-int ippr_raudio_in(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- unsigned char membuf[IPF_MAXPORTLEN + 1], *s;
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- raudio_t *rap = aps->aps_data;
- struct in_addr swa, swb;
- int off, dlen, slen;
- int a1, a2, a3, a4;
- u_short sp, dp;
- fr_info_t fi;
- tcp_seq seq;
- nat_t *nat2;
- u_char swp;
- ip_t *ip;
- mb_t *m;
-
- /*
- * Wait until we've seen the end of the start messages and even then
- * only proceed further if we're using UDP. If they want to use TCP
- * then data is sent back on the same channel that is already open.
- */
- if (rap->rap_sdone != 0)
- return 0;
-
- m = fin->fin_m;
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (char *)tcp - (char *)fin->fin_ip;
- off += (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
-#ifdef __sgi
- dlen = fin->fin_plen - off;
-#else
- dlen = MSGDSIZE(m) - off;
-#endif
- if (dlen <= 0)
- return 0;
-
- if (dlen > sizeof(membuf))
- dlen = sizeof(membuf);
-
- bzero((char *)membuf, sizeof(membuf));
- COPYDATA(m, off, dlen, (char *)membuf);
-
- seq = ntohl(tcp->th_seq);
- /*
- * Check to see if the data in this packet is of interest to us.
- * We only care for the first 19 bytes coming back from the server.
- */
- if (rap->rap_sseq == 0) {
- s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
- if (s == NULL)
- return 0;
- a1 = s - membuf;
- dlen -= a1;
- a1 = 0;
- rap->rap_sseq = seq;
- a2 = MIN(dlen, sizeof(rap->rap_svr));
- } else if (seq <= rap->rap_sseq + sizeof(rap->rap_svr)) {
- /*
- * seq # which is the start of data and from that the offset
- * into the buffer array.
- */
- a1 = seq - rap->rap_sseq;
- a2 = MIN(dlen, sizeof(rap->rap_svr));
- a2 -= a1;
- s = membuf;
- } else
- return 0;
-
- for (a3 = a1, a4 = a2; (a4 > 0) && (a3 < 19) && (a3 >= 0); a4--,a3++) {
- rap->rap_sbf |= (1 << a3);
- rap->rap_svr[a3] = *s++;
- }
-
- if ((rap->rap_sbf != 0x7ffff) || (!rap->rap_eos)) /* 19 bits */
- return 0;
- rap->rap_sdone = 1;
-
- s = (u_char *)rap->rap_svr + 11;
- if (((*s << 8) | *(s + 1)) == RA_ID_ROBUST) {
- s += 2;
- rap->rap_srport = (*s << 8) | *(s + 1);
- }
-
- ip = fin->fin_ip;
- swp = ip->ip_p;
- swa = ip->ip_src;
- swb = ip->ip_dst;
-
- ip->ip_p = IPPROTO_UDP;
- ip->ip_src = nat->nat_inip;
- ip->ip_dst = nat->nat_oip;
-
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- TCP_OFF_A(tcp2, 5);
- fi.fin_state = NULL;
- fi.fin_nat = NULL;
- fi.fin_flx |= FI_IGNORE;
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &raudiofr;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
- tcp2->th_win = htons(8192);
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp);
-
- if (((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) &&
- (rap->rap_srport != 0)) {
- dp = rap->rap_srport;
- sp = rap->rap_prport;
- tcp2->th_sport = htons(sp);
- tcp2->th_dport = htons(dp);
- fi.fin_data[0] = dp;
- fi.fin_data[1] = sp;
- fi.fin_out = 0;
- nat2 = nat_new(&fi, nat->nat_ptr, NULL,
- NAT_SLAVE|IPN_UDP | (sp ? 0 : SI_W_SPORT),
- NAT_OUTBOUND);
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_UDP);
- nat_update(&fi, nat2, nat2->nat_ptr);
-
- (void) fr_addstate(&fi, NULL, (sp ? 0 : SI_W_SPORT));
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- }
-
- if ((rap->rap_mode & RAP_M_UDP) == RAP_M_UDP) {
- sp = rap->rap_plport;
- tcp2->th_sport = htons(sp);
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- fi.fin_data[0] = sp;
- fi.fin_data[1] = 0;
- fi.fin_out = 1;
- nat2 = nat_new(&fi, nat->nat_ptr, NULL,
- NAT_SLAVE|IPN_UDP|SI_W_DPORT,
- NAT_OUTBOUND);
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_UDP);
- nat_update(&fi, nat2, nat2->nat_ptr);
-
- (void) fr_addstate(&fi, NULL, SI_W_DPORT);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- }
-
- ip->ip_p = swp;
- ip->ip_len = slen;
- ip->ip_src = swa;
- ip->ip_dst = swb;
- return 0;
-}
diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c
deleted file mode 100644
index b7904c8..0000000
--- a/contrib/ipfilter/ip_rcmd_pxy.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1998-2003 by Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp
- *
- * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
- * code.
- */
-
-#define IPF_RCMD_PROXY
-
-
-int ippr_rcmd_init __P((void));
-void ippr_rcmd_fini __P((void));
-int ippr_rcmd_new __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_rcmd_out __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_rcmd_in __P((fr_info_t *, ap_session_t *, nat_t *));
-u_short ipf_rcmd_atoi __P((char *));
-int ippr_rcmd_portmsg __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static frentry_t rcmdfr;
-
-int rcmd_proxy_init = 0;
-
-
-/*
- * RCMD application proxy initialization.
- */
-int ippr_rcmd_init()
-{
- bzero((char *)&rcmdfr, sizeof(rcmdfr));
- rcmdfr.fr_ref = 1;
- rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&rcmdfr.fr_lock, "RCMD proxy rule lock");
- rcmd_proxy_init = 1;
-
- return 0;
-}
-
-
-void ippr_rcmd_fini()
-{
- if (rcmd_proxy_init == 1) {
- MUTEX_DESTROY(&rcmdfr.fr_lock);
- rcmd_proxy_init = 0;
- }
-}
-
-
-/*
- * Setup for a new RCMD proxy.
- */
-int ippr_rcmd_new(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
-
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- aps->aps_psiz = sizeof(u_32_t);
- KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
- if (aps->aps_data == NULL) {
-#ifdef IP_RCMD_PROXY_DEBUG
- printf("ippr_rcmd_new:KMALLOCS(%d) failed\n", sizeof(u_32_t));
-#endif
- return -1;
- }
- *(u_32_t *)aps->aps_data = 0;
- aps->aps_sport = tcp->th_sport;
- aps->aps_dport = tcp->th_dport;
- return 0;
-}
-
-
-/*
- * ipf_rcmd_atoi - implement a simple version of atoi
- */
-u_short ipf_rcmd_atoi(ptr)
-char *ptr;
-{
- register char *s = ptr, c;
- register u_short i = 0;
-
- while (((c = *s++) != '\0') && ISDIGIT(c)) {
- i *= 10;
- i += c - '0';
- }
- return i;
-}
-
-
-int ippr_rcmd_portmsg(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- struct in_addr swip, swip2;
- int off, dlen, nflags;
- char portbuf[8], *s;
- fr_info_t fi;
- u_short sp;
- nat_t *nat2;
- ip_t *ip;
- mb_t *m;
-
- tcp = (tcphdr_t *)fin->fin_dp;
-
- if (tcp->th_flags & TH_SYN) {
- *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
- return 0;
- }
-
- if ((*(u_32_t *)aps->aps_data != 0) &&
- (tcp->th_seq != *(u_32_t *)aps->aps_data))
- return 0;
-
- m = fin->fin_m;
- ip = fin->fin_ip;
- off = (char *)tcp - (char *)ip + (TCP_OFF(tcp) << 2) + fin->fin_ipoff;
-
-#ifdef __sgi
- dlen = fin->fin_plen - off;
-#else
- dlen = MSGDSIZE(m) - off;
-#endif
- if (dlen <= 0)
- return 0;
-
- bzero(portbuf, sizeof(portbuf));
- COPYDATA(m, off, MIN(sizeof(portbuf), dlen), portbuf);
-
- portbuf[sizeof(portbuf) - 1] = '\0';
- s = portbuf;
- sp = ipf_rcmd_atoi(s);
- if (sp == 0) {
-#ifdef IP_RCMD_PROXY_DEBUG
- printf("ippr_rcmd_portmsg:sp == 0 dlen %d [%s]\n",
- dlen, portbuf);
-#endif
- return 0;
- }
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_flx |= FI_IGNORE;
- fi.fin_data[0] = sp;
- fi.fin_data[1] = 0;
- if (nat->nat_dir == NAT_OUTBOUND)
- nat2 = nat_outlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
- nat->nat_inip, nat->nat_oip);
- else
- nat2 = nat_inlookup(&fi, NAT_SEARCH|IPN_TCP, nat->nat_p,
- nat->nat_inip, nat->nat_oip);
- if (nat2 == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp);
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = htons(sp);
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- TCP_OFF_A(tcp2, 5);
- tcp2->th_flags = TH_SYN;
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &rcmdfr;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_plen = fi.fin_hlen + sizeof(*tcp2);
- fi.fin_flx &= FI_LOWTTL|FI_FRAG|FI_TCPUDP|FI_OPTIONS|FI_IGNORE;
- nflags = NAT_SLAVE|IPN_TCP|SI_W_DPORT;
-
- swip = ip->ip_src;
- swip2 = ip->ip_dst;
-
- if (nat->nat_dir == NAT_OUTBOUND) {
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_src = nat->nat_inip;
- } else {
- fi.fin_fi.fi_saddr = nat->nat_oip.s_addr;
- ip->ip_src = nat->nat_oip;
- nflags |= NAT_NOTRULEPORT;
- }
-
- nat2 = nat_new(&fi, nat->nat_ptr, NULL, nflags, nat->nat_dir);
-
- if (nat2 != NULL) {
- (void) nat_proto(&fi, nat2, IPN_TCP);
- nat_update(&fi, nat2, nat2->nat_ptr);
- fi.fin_ifp = NULL;
- if (nat->nat_dir == NAT_INBOUND) {
- fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
- ip->ip_dst = nat->nat_inip;
- }
- (void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
- ip->ip_len = slen;
- ip->ip_src = swip;
- ip->ip_dst = swip2;
- }
- return 0;
-}
-
-
-int ippr_rcmd_out(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- if (nat->nat_dir == NAT_OUTBOUND)
- return ippr_rcmd_portmsg(fin, aps, nat);
- return 0;
-}
-
-
-int ippr_rcmd_in(fin, aps, nat)
-fr_info_t *fin;
-ap_session_t *aps;
-nat_t *nat;
-{
- if (nat->nat_dir == NAT_INBOUND)
- return ippr_rcmd_portmsg(fin, aps, nat);
- return 0;
-}
diff --git a/contrib/ipfilter/ip_rpcb_pxy.c b/contrib/ipfilter/ip_rpcb_pxy.c
deleted file mode 100644
index 5d0a1ee..0000000
--- a/contrib/ipfilter/ip_rpcb_pxy.c
+++ /dev/null
@@ -1,1460 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * Overview:
- * This is an in-kernel application proxy for Sun's RPCBIND (nee portmap)
- * protocol as defined in RFC1833. It is far from complete, mostly
- * lacking in less-likely corner cases, but it's definitely functional.
- *
- * Invocation:
- * rdr <int> <e_ip>/32 port <e_p> -> <i_ip> port <i_p> udp proxy rpcbu
- *
- * If the host running IP Filter is the same as the RPC server, it's
- * perfectly legal for both the internal and external addresses and ports
- * to match.
- *
- * When triggered by appropriate IP NAT rules, this proxy works by
- * examining data contained in received packets. Requests and replies are
- * modified, NAT and state table entries created, etc., as necessary.
- */
-/*
- * TODO / NOTES
- *
- * o Must implement locking to protect proxy session data.
- * o Fragmentation isn't supported.
- * o Only supports UDP.
- * o Doesn't support multiple RPC records in a single request.
- * o Errors should be more fine-grained. (e.g., malloc failure vs.
- * illegal RPCB request / reply)
- * o Even with the limit on the total amount of recorded transactions,
- * should there be a timeout on transaction removal?
- * o There is a potential collision between cloning, wildcard NAT and
- * state entries. There should be an appr_getport routine for
- * to avoid this.
- * o The enclosed hack of STREAMS support is pretty sick and most likely
- * broken.
- *
- * Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp
- */
-
-#define IPF_RPCB_PROXY
-
-/*
- * Function prototypes
- */
-int ippr_rpcb_init __P((void));
-void ippr_rpcb_fini __P((void));
-int ippr_rpcb_new __P((fr_info_t *, ap_session_t *, nat_t *));
-void ippr_rpcb_del __P((ap_session_t *));
-int ippr_rpcb_in __P((fr_info_t *, ap_session_t *, nat_t *));
-int ippr_rpcb_out __P((fr_info_t *, ap_session_t *, nat_t *));
-
-static void ippr_rpcb_flush __P((rpcb_session_t *));
-static int ippr_rpcb_decodereq __P((fr_info_t *, nat_t *,
- rpcb_session_t *, rpc_msg_t *));
-static int ippr_rpcb_skipauth __P((rpc_msg_t *, xdr_auth_t *, u_32_t **));
-static int ippr_rpcb_insert __P((rpcb_session_t *, rpcb_xact_t *));
-static int ippr_rpcb_xdrrpcb __P((rpc_msg_t *, u_32_t *, rpcb_args_t *));
-static int ippr_rpcb_getuaddr __P((rpc_msg_t *, xdr_uaddr_t *,
- u_32_t **));
-static u_int ippr_rpcb_atoi __P((char *));
-static int ippr_rpcb_modreq __P((fr_info_t *, nat_t *, rpc_msg_t *,
- mb_t *, u_int));
-static int ippr_rpcb_decoderep __P((fr_info_t *, nat_t *,
- rpcb_session_t *, rpc_msg_t *, rpcb_xact_t **));
-static rpcb_xact_t * ippr_rpcb_lookup __P((rpcb_session_t *, u_32_t));
-static void ippr_rpcb_deref __P((rpcb_session_t *, rpcb_xact_t *));
-static int ippr_rpcb_getproto __P((rpc_msg_t *, xdr_proto_t *,
- u_32_t **));
-static int ippr_rpcb_getnat __P((fr_info_t *, nat_t *, u_int, u_int));
-static int ippr_rpcb_modv3 __P((fr_info_t *, nat_t *, rpc_msg_t *,
- mb_t *, u_int));
-static int ippr_rpcb_modv4 __P((fr_info_t *, nat_t *, rpc_msg_t *,
- mb_t *, u_int));
-static void ippr_rpcb_fixlen __P((fr_info_t *, int));
-
-/*
- * Global variables
- */
-static frentry_t rpcbfr; /* Skeleton rule for reference by entities
- this proxy creates. */
-static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */
- /* XXX rpcbcnt still requires locking. */
-
-int rpcb_proxy_init = 0;
-
-
-/*
- * Since rpc_msg contains only pointers, one should use this macro as a
- * handy way to get to the goods. (In case you're wondering about the name,
- * this started as BYTEREF -> BREF -> B.)
- */
-#define B(r) (u_32_t)ntohl(*(r))
-
-/*
- * Public subroutines
- */
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_init */
-/* Returns: int - 0 == success */
-/* Parameters: (void) */
-/* */
-/* Initialize the filter rule entry and session limiter. */
-/* -------------------------------------------------------------------- */
-int
-ippr_rpcb_init()
-{
- rpcbcnt = 0;
-
- bzero((char *)&rpcbfr, sizeof(rpcbfr));
- rpcbfr.fr_ref = 1;
- rpcbfr.fr_flags = FR_PASS|FR_QUICK|FR_KEEPSTATE;
- MUTEX_INIT(&rpcbfr.fr_lock, "ipf Sun RPCB proxy rule lock");
- rpcb_proxy_init = 1;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_fini */
-/* Returns: void */
-/* Parameters: (void) */
-/* */
-/* Destroy rpcbfr's mutex to avoid a lock leak. */
-/* -------------------------------------------------------------------- */
-void
-ippr_rpcb_fini()
-{
- if (rpcb_proxy_init == 1) {
- MUTEX_DESTROY(&rpcbfr.fr_lock);
- rpcb_proxy_init = 0;
- }
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_new */
-/* Returns: int - -1 == failure, 0 == success */
-/* Parameters: fin(I) - pointer to packet information */
-/* aps(I) - pointer to proxy session structure */
-/* nat(I) - pointer to NAT session structure */
-/* */
-/* Allocate resources for per-session proxy structures. */
-/* -------------------------------------------------------------------- */
-int
-ippr_rpcb_new(fin, aps, nat)
- fr_info_t *fin;
- ap_session_t *aps;
- nat_t *nat;
-{
- rpcb_session_t *rs;
-
- fin = fin; /* LINT */
- nat = nat; /* LINT */
-
- KMALLOC(rs, rpcb_session_t *);
- if (rs == NULL)
- return(-1);
-
- bzero((char *)rs, sizeof(*rs));
- MUTEX_INIT(&rs->rs_rxlock, "ipf Sun RPCB proxy session lock");
-
- aps->aps_data = rs;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_del */
-/* Returns: void */
-/* Parameters: aps(I) - pointer to proxy session structure */
-/* */
-/* Free up a session's list of RPCB requests. */
-/* -------------------------------------------------------------------- */
-void
-ippr_rpcb_del(aps)
- ap_session_t *aps;
-{
- rpcb_session_t *rs;
- rs = (rpcb_session_t *)aps->aps_data;
-
- MUTEX_ENTER(&rs->rs_rxlock);
- ippr_rpcb_flush(rs);
- MUTEX_EXIT(&rs->rs_rxlock);
- MUTEX_DESTROY(&rs->rs_rxlock);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_in */
-/* Returns: int - APR_ERR(1) == drop the packet, */
-/* APR_ERR(2) == kill the proxy session, */
-/* else change in packet length (in bytes) */
-/* Parameters: fin(I) - pointer to packet information */
-/* ip(I) - pointer to packet header */
-/* aps(I) - pointer to proxy session structure */
-/* nat(I) - pointer to NAT session structure */
-/* */
-/* Given a presumed RPCB request, perform some minor tests and pass off */
-/* for decoding. Also pass packet off for a rewrite if necessary. */
-/* -------------------------------------------------------------------- */
-int
-ippr_rpcb_in(fin, aps, nat)
- fr_info_t *fin;
- ap_session_t *aps;
- nat_t *nat;
-{
- rpc_msg_t rpcmsg, *rm;
- rpcb_session_t *rs;
- u_int off, dlen;
- mb_t *m;
- int rv;
-
- /* Disallow fragmented or illegally short packets. */
- if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
- return(APR_ERR(1));
-
- /* Perform basic variable initialization. */
- rs = (rpcb_session_t *)aps->aps_data;
-
- m = fin->fin_m;
- off = (char *)fin->fin_dp - (char *)fin->fin_ip;
- off += sizeof(udphdr_t) + fin->fin_ipoff;
- dlen = fin->fin_dlen - sizeof(udphdr_t);
-
- /* Disallow packets outside legal range for supported requests. */
- if ((dlen < RPCB_REQMIN) || (dlen > RPCB_REQMAX))
- return(APR_ERR(1));
-
- /* Copy packet over to convenience buffer. */
- rm = &rpcmsg;
- bzero((char *)rm, sizeof(*rm));
- COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
- rm->rm_buflen = dlen;
-
- /* Send off to decode request. */
- rv = ippr_rpcb_decodereq(fin, nat, rs, rm);
-
- switch(rv)
- {
- case -1:
- return(APR_ERR(1));
- /*NOTREACHED*/
- break;
- case 0:
- break;
- case 1:
- rv = ippr_rpcb_modreq(fin, nat, rm, m, off);
- break;
- default:
- /*CONSTANTCONDITION*/
- IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_req)", rv));
- }
-
- return(rv);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_out */
-/* Returns: int - APR_ERR(1) == drop the packet, */
-/* APR_ERR(2) == kill the proxy session, */
-/* else change in packet length (in bytes) */
-/* Parameters: fin(I) - pointer to packet information */
-/* ip(I) - pointer to packet header */
-/* aps(I) - pointer to proxy session structure */
-/* nat(I) - pointer to NAT session structure */
-/* */
-/* Given a presumed RPCB reply, perform some minor tests and pass off */
-/* for decoding. If the message indicates a successful request with */
-/* valid addressing information, create NAT and state structures to */
-/* allow direct communication between RPC client and server. */
-/* -------------------------------------------------------------------- */
-int
-ippr_rpcb_out(fin, aps, nat)
- fr_info_t *fin;
- ap_session_t *aps;
- nat_t *nat;
-{
- rpc_msg_t rpcmsg, *rm;
- rpcb_session_t *rs;
- rpcb_xact_t *rx;
- u_int off, dlen;
- int rv, diff;
- mb_t *m;
-
- /* Disallow fragmented or illegally short packets. */
- if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
- return(APR_ERR(1));
-
- /* Perform basic variable initialization. */
- rs = (rpcb_session_t *)aps->aps_data;
-
- m = fin->fin_m;
- off = (char *)fin->fin_dp - (char *)fin->fin_ip;
- off += sizeof(udphdr_t) + fin->fin_ipoff;
- dlen = fin->fin_dlen - sizeof(udphdr_t);
- diff = 0;
-
- /* Disallow packets outside legal range for supported requests. */
- if ((dlen < RPCB_REPMIN) || (dlen > RPCB_REPMAX))
- return(APR_ERR(1));
-
- /* Copy packet over to convenience buffer. */
- rm = &rpcmsg;
- bzero((char *)rm, sizeof(*rm));
- COPYDATA(m, off, dlen, (caddr_t)&rm->rm_msgbuf);
- rm->rm_buflen = dlen;
-
- /* Send off to decode reply. */
- rv = ippr_rpcb_decoderep(fin, nat, rs, rm, &rx);
-
- switch(rv)
- {
- case -1: /* Bad packet */
- if (rx != NULL) {
- MUTEX_ENTER(&rs->rs_rxlock);
- ippr_rpcb_deref(rs, rx);
- MUTEX_EXIT(&rs->rs_rxlock);
- }
- return(APR_ERR(1));
- /*NOTREACHED*/
- break;
- case 0: /* Negative reply / request rejected */
- break;
- case 1: /* Positive reply */
- /*
- * With the IP address embedded in a GETADDR(LIST) reply,
- * we'll need to rewrite the packet in the very possible
- * event that the internal & external addresses aren't the
- * same. (i.e., this box is either a router or rpcbind
- * only listens on loopback.)
- */
- if (nat->nat_inip.s_addr != nat->nat_outip.s_addr) {
- if (rx->rx_type == RPCB_RES_STRING)
- diff = ippr_rpcb_modv3(fin, nat, rm, m, off);
- else if (rx->rx_type == RPCB_RES_LIST)
- diff = ippr_rpcb_modv4(fin, nat, rm, m, off);
- }
- break;
- default:
- /*CONSTANTCONDITION*/
- IPF_PANIC(1, ("illegal rv %d (ippr_rpcb_decoderep)", rv));
- }
-
- if (rx != NULL) {
- MUTEX_ENTER(&rs->rs_rxlock);
- /* XXX Gross hack - I'm overloading the reference
- * counter to deal with both threads and retransmitted
- * requests. One deref signals that this thread is
- * finished with rx, and the other signals that we've
- * processed its reply.
- */
- ippr_rpcb_deref(rs, rx);
- ippr_rpcb_deref(rs, rx);
- MUTEX_EXIT(&rs->rs_rxlock);
- }
-
- return(diff);
-}
-
-/*
- * Private support subroutines
- */
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_flush */
-/* Returns: void */
-/* Parameters: rs(I) - pointer to RPCB session structure */
-/* */
-/* Simply flushes the list of outstanding transactions, if any. */
-/* -------------------------------------------------------------------- */
-static void
-ippr_rpcb_flush(rs)
- rpcb_session_t *rs;
-{
- rpcb_xact_t *r1, *r2;
-
- r1 = rs->rs_rxlist;
- if (r1 == NULL)
- return;
-
- while (r1 != NULL) {
- r2 = r1;
- r1 = r1->rx_next;
- KFREE(r2);
- }
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_decodereq */
-/* Returns: int - -1 == bad request or critical failure, */
-/* 0 == request successfully decoded, */
-/* 1 == request successfully decoded; requires */
-/* address rewrite/modification */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT session structure */
-/* rs(I) - pointer to RPCB session structure */
-/* rm(I) - pointer to RPC message structure */
-/* */
-/* Take a presumed RPCB request, decode it, and store the results in */
-/* the transaction list. If the internal target address needs to be */
-/* modified, store its location in ptr. */
-/* WARNING: It's the responsibility of the caller to make sure there */
-/* is enough room in rs_buf for the basic RPC message "preamble". */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_decodereq(fin, nat, rs, rm)
- fr_info_t *fin;
- nat_t *nat;
- rpcb_session_t *rs;
- rpc_msg_t *rm;
-{
- rpcb_args_t *ra;
- u_32_t xdr, *p;
- rpc_call_t *rc;
- rpcb_xact_t rx;
- int mod;
-
- p = (u_32_t *)rm->rm_msgbuf;
- mod = 0;
-
- bzero((char *)&rx, sizeof(rx));
- rc = &rm->rm_call;
-
- rm->rm_xid = p;
- rx.rx_xid = B(p++); /* Record this message's XID. */
-
- /* Parse out and test the RPC header. */
- if ((B(p++) != RPCB_CALL) ||
- (B(p++) != RPCB_MSG_VERSION) ||
- (B(p++) != RPCB_PROG))
- return(-1);
-
- /* Record the RPCB version and procedure. */
- rc->rc_vers = p++;
- rc->rc_proc = p++;
-
- /* Bypass RPC authentication stuff. */
- if (ippr_rpcb_skipauth(rm, &rc->rc_authcred, &p) != 0)
- return(-1);
- if (ippr_rpcb_skipauth(rm, &rc->rc_authverf, &p) != 0)
- return(-1);
-
- /* Compare RPCB version and procedure numbers. */
- switch(B(rc->rc_vers))
- {
- case 2:
- /* This proxy only supports PMAP_GETPORT. */
- if (B(rc->rc_proc) != RPCB_GETPORT)
- return(-1);
-
- /* Portmap requests contain four 4 byte parameters. */
- if (RPCB_BUF_EQ(rm, p, 16) == 0)
- return(-1);
-
- p += 2; /* Skip requested program and version numbers. */
-
- /* Sanity check the requested protocol. */
- xdr = B(p);
- if (!(xdr == IPPROTO_UDP || xdr == IPPROTO_TCP))
- return(-1);
-
- rx.rx_type = RPCB_RES_PMAP;
- rx.rx_proto = xdr;
- break;
- case 3:
- case 4:
- /* GETADDRLIST is exclusive to v4; GETADDR for v3 & v4 */
- switch(B(rc->rc_proc))
- {
- case RPCB_GETADDR:
- rx.rx_type = RPCB_RES_STRING;
- rx.rx_proto = (u_int)fin->fin_p;
- break;
- case RPCB_GETADDRLIST:
- if (B(rc->rc_vers) != 4)
- return(-1);
- rx.rx_type = RPCB_RES_LIST;
- break;
- default:
- return(-1);
- }
-
- ra = &rc->rc_rpcbargs;
-
- /* Decode the 'struct rpcb' request. */
- if (ippr_rpcb_xdrrpcb(rm, p, ra) != 0)
- return(-1);
-
- /* Are the target address & port valid? */
- if ((ra->ra_maddr.xu_ip != nat->nat_outip.s_addr) ||
- (ra->ra_maddr.xu_port != nat->nat_outport))
- return(-1);
-
- /* Do we need to rewrite this packet? */
- if ((nat->nat_outip.s_addr != nat->nat_inip.s_addr) ||
- (nat->nat_outport != nat->nat_inport))
- mod = 1;
- break;
- default:
- return(-1);
- }
-
- MUTEX_ENTER(&rs->rs_rxlock);
- if (ippr_rpcb_insert(rs, &rx) != 0) {
- MUTEX_EXIT(&rs->rs_rxlock);
- return(-1);
- }
- MUTEX_EXIT(&rs->rs_rxlock);
-
- return(mod);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_skipauth */
-/* Returns: int -- -1 == illegal auth parameters (lengths) */
-/* 0 == valid parameters, pointer advanced */
-/* Parameters: rm(I) - pointer to RPC message structure */
-/* auth(I) - pointer to RPC auth structure */
-/* buf(IO) - pointer to location within convenience buffer */
-/* */
-/* Record auth data length & location of auth data, then advance past */
-/* it. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_skipauth(rm, auth, buf)
- rpc_msg_t *rm;
- xdr_auth_t *auth;
- u_32_t **buf;
-{
- u_32_t *p, xdr;
-
- p = *buf;
-
- /* Make sure we have enough space for expected fixed auth parms. */
- if (RPCB_BUF_GEQ(rm, p, 8) == 0)
- return(-1);
-
- p++; /* We don't care about auth_flavor. */
-
- auth->xa_string.xs_len = p;
- xdr = B(p++); /* Length of auth_data */
-
- /* Test for absurdity / illegality of auth_data length. */
- if ((XDRALIGN(xdr) < xdr) || (RPCB_BUF_GEQ(rm, p, XDRALIGN(xdr)) == 0))
- return(-1);
-
- auth->xa_string.xs_str = (char *)p;
-
- p += XDRALIGN(xdr); /* Advance our location. */
-
- *buf = (u_32_t *)p;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_insert */
-/* Returns: int -- -1 == list insertion failed, */
-/* 0 == item successfully added */
-/* Parameters: rs(I) - pointer to RPCB session structure */
-/* rx(I) - pointer to RPCB transaction structure */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_insert(rs, rx)
- rpcb_session_t *rs;
- rpcb_xact_t *rx;
-{
- rpcb_xact_t *rxp;
-
- rxp = ippr_rpcb_lookup(rs, rx->rx_xid);
- if (rxp != NULL) {
- ++rxp->rx_ref;
- return(0);
- }
-
- if (rpcbcnt == RPCB_MAXREQS)
- return(-1);
-
- KMALLOC(rxp, rpcb_xact_t *);
- if (rxp == NULL)
- return(-1);
-
- bcopy((char *)rx, (char *)rxp, sizeof(*rx));
-
- if (rs->rs_rxlist != NULL)
- rs->rs_rxlist->rx_pnext = &rxp->rx_next;
-
- rxp->rx_pnext = &rs->rs_rxlist;
- rxp->rx_next = rs->rs_rxlist;
- rs->rs_rxlist = rxp;
-
- rxp->rx_ref = 1;
-
- ++rpcbcnt;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_xdrrpcb */
-/* Returns: int -- -1 == failure to properly decode the request */
-/* 0 == rpcb successfully decoded */
-/* Parameters: rs(I) - pointer to RPCB session structure */
-/* p(I) - pointer to location within session buffer */
-/* rpcb(O) - pointer to rpcb (xdr type) structure */
-/* */
-/* Decode a XDR encoded rpcb structure and record its contents in rpcb */
-/* within only the context of TCP/UDP over IP networks. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_xdrrpcb(rm, p, ra)
- rpc_msg_t *rm;
- u_32_t *p;
- rpcb_args_t *ra;
-{
- if (!RPCB_BUF_GEQ(rm, p, 20))
- return(-1);
-
- /* Bypass target program & version. */
- p += 2;
-
- /* Decode r_netid. Must be "tcp" or "udp". */
- if (ippr_rpcb_getproto(rm, &ra->ra_netid, &p) != 0)
- return(-1);
-
- /* Decode r_maddr. */
- if (ippr_rpcb_getuaddr(rm, &ra->ra_maddr, &p) != 0)
- return(-1);
-
- /* Advance to r_owner and make sure it's empty. */
- if (!RPCB_BUF_EQ(rm, p, 4) || (B(p) != 0))
- return(-1);
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_getuaddr */
-/* Returns: int -- -1 == illegal string, */
-/* 0 == string parsed; contents recorded */
-/* Parameters: rm(I) - pointer to RPC message structure */
-/* xu(I) - pointer to universal address structure */
-/* p(IO) - pointer to location within message buffer */
-/* */
-/* Decode the IP address / port at p and record them in xu. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_getuaddr(rm, xu, p)
- rpc_msg_t *rm;
- xdr_uaddr_t *xu;
- u_32_t **p;
-{
- char *c, *i, *b, *pp;
- u_int d, dd, l, t;
- char uastr[24];
-
- /* Test for string length. */
- if (!RPCB_BUF_GEQ(rm, *p, 4))
- return(-1);
-
- xu->xu_xslen = (*p)++;
- xu->xu_xsstr = (char *)*p;
-
- /* Length check */
- l = B(xu->xu_xslen);
- if (l < 11 || l > 23 || !RPCB_BUF_GEQ(rm, *p, XDRALIGN(l)))
- return(-1);
-
- /* Advance p */
- *(char **)p += XDRALIGN(l);
-
- /* Copy string to local buffer & terminate C style */
- bcopy(xu->xu_xsstr, uastr, l);
- uastr[l] = '\0';
-
- i = (char *)&xu->xu_ip;
- pp = (char *)&xu->xu_port;
-
- /*
- * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of
- * an IP address and [ef] are the bytes of a L4 port.
- */
- if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1])))
- return(-1);
- b = uastr;
- for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) {
- if (ISDIGIT(*c)) {
- dd = 0;
- continue;
- }
- if (*c == '.') {
- if (dd != 0)
- return(-1);
-
- /* Check for ASCII byte. */
- *c = '\0';
- t = ippr_rpcb_atoi(b);
- if (t > 255)
- return(-1);
-
- /* Aim b at beginning of the next byte. */
- b = c + 1;
-
- /* Switch off IP addr vs port parsing. */
- if (d < 4)
- i[d++] = t & 0xff;
- else
- pp[d++ - 4] = t & 0xff;
-
- dd = 1;
- continue;
- }
- return(-1);
- }
- if (d != 5) /* String must contain exactly 5 periods. */
- return(-1);
-
- /* Handle the last byte (port low byte) */
- t = ippr_rpcb_atoi(b);
- if (t > 255)
- return(-1);
- pp[d - 4] = t & 0xff;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_atoi (XXX should be generic for all proxies) */
-/* Returns: int -- integer representation of supplied string */
-/* Parameters: ptr(I) - input string */
-/* */
-/* Simple version of atoi(3) ripped from ip_rcmd_pxy.c. */
-/* -------------------------------------------------------------------- */
-static u_int
-ippr_rpcb_atoi(ptr)
- char *ptr;
-{
- register char *s = ptr, c;
- register u_int i = 0;
-
- while (((c = *s++) != '\0') && ISDIGIT(c)) {
- i *= 10;
- i += c - '0';
- }
- return i;
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_modreq */
-/* Returns: int -- change in datagram length */
-/* APR_ERR(2) - critical failure */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT session */
-/* rm(I) - pointer to RPC message structure */
-/* m(I) - pointer to mbuf chain */
-/* off(I) - current offset within mbuf chain */
-/* */
-/* When external and internal addresses differ, we rewrite the former */
-/* with the latter. (This is exclusive to protocol versions 3 & 4). */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_modreq(fin, nat, rm, m, off)
- fr_info_t *fin;
- nat_t *nat;
- rpc_msg_t *rm;
- mb_t *m;
- u_int off;
-{
- u_int len, xlen, pos, bogo;
- rpcb_args_t *ra;
- char uaddr[24];
- udphdr_t *udp;
- char *i, *p;
- int diff;
-
- ra = &rm->rm_call.rc_rpcbargs;
- i = (char *)&nat->nat_inip.s_addr;
- p = (char *)&nat->nat_inport;
-
- /* Form new string. */
- bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(uaddr, sizeof(uaddr),
-#else
- (void) sprintf(uaddr,
-#endif
- "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
- i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
- len = strlen(uaddr);
- xlen = XDRALIGN(len);
-
- /* Determine mbuf offset to start writing to. */
- pos = (char *)ra->ra_maddr.xu_xslen - rm->rm_msgbuf;
- off += pos;
-
- /* Write new string length. */
- bogo = htonl(len);
- COPYBACK(m, off, 4, (caddr_t)&bogo);
- off += 4;
-
- /* Write new string. */
- COPYBACK(m, off, xlen, uaddr);
- off += xlen;
-
- /* Write in zero r_owner. */
- bogo = 0;
- COPYBACK(m, off, 4, (caddr_t)&bogo);
-
- /* Determine difference in data lengths. */
- diff = xlen - XDRALIGN(B(ra->ra_maddr.xu_xslen));
-
- /*
- * If our new string has a different length, make necessary
- * adjustments.
- */
- if (diff != 0) {
- udp = fin->fin_dp;
- udp->uh_ulen = htons(ntohs(udp->uh_ulen) + diff);
- fin->fin_ip->ip_len += diff;
- fin->fin_dlen += diff;
- fin->fin_plen += diff;
- /* XXX Storage lengths. */
- }
-
- return(diff);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_decoderep */
-/* Returns: int - -1 == bad request or critical failure, */
-/* 0 == valid, negative reply */
-/* 1 == vaddlid, positive reply; needs no changes */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT session structure */
-/* rs(I) - pointer to RPCB session structure */
-/* rm(I) - pointer to RPC message structure */
-/* rxp(O) - pointer to RPCB transaction structure */
-/* */
-/* Take a presumed RPCB reply, extract the XID, search for the original */
-/* request information, and determine whether the request was accepted */
-/* or rejected. With a valid accepted reply, go ahead and create NAT */
-/* and state entries, and finish up by rewriting the packet as */
-/* required. */
-/* */
-/* WARNING: It's the responsibility of the caller to make sure there */
-/* is enough room in rs_buf for the basic RPC message "preamble". */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_decoderep(fin, nat, rs, rm, rxp)
- fr_info_t *fin;
- nat_t *nat;
- rpcb_session_t *rs;
- rpc_msg_t *rm;
- rpcb_xact_t **rxp;
-{
- rpcb_listp_t *rl;
- rpcb_entry_t *re;
- rpcb_xact_t *rx;
- u_32_t xdr, *p;
- rpc_resp_t *rr;
- int rv, cnt;
-
- p = (u_32_t *)rm->rm_msgbuf;
-
- bzero((char *)&rx, sizeof(rx));
- rr = &rm->rm_resp;
-
- rm->rm_xid = p;
- xdr = B(p++); /* Record this message's XID. */
-
- /* Lookup XID */
- MUTEX_ENTER(&rs->rs_rxlock);
- if ((rx = ippr_rpcb_lookup(rs, xdr)) == NULL) {
- MUTEX_EXIT(&rs->rs_rxlock);
- return(-1);
- }
- ++rx->rx_ref; /* per thread reference */
- MUTEX_EXIT(&rs->rs_rxlock);
-
- *rxp = rx;
-
- /* Test call vs reply */
- if (B(p++) != RPCB_REPLY)
- return(-1);
-
- /* Test reply_stat */
- switch(B(p++))
- {
- case RPCB_MSG_DENIED:
- return(0);
- case RPCB_MSG_ACCEPTED:
- break;
- default:
- return(-1);
- }
-
- /* Bypass RPC authentication stuff. */
- if (ippr_rpcb_skipauth(rm, &rr->rr_authverf, &p) != 0)
- return(-1);
-
- /* Test accept status */
- if (!RPCB_BUF_GEQ(rm, p, 4))
- return(-1);
- if (B(p++) != 0)
- return(0);
-
- /* Parse out the expected reply */
- switch(rx->rx_type)
- {
- case RPCB_RES_PMAP:
- /* There must be only one 4 byte argument. */
- if (!RPCB_BUF_EQ(rm, p, 4))
- return(-1);
-
- rr->rr_v2 = p;
- xdr = B(rr->rr_v2);
-
- /* Reply w/ a 0 port indicates service isn't registered */
- if (xdr == 0)
- return(0);
-
- /* Is the value sane? */
- if (xdr > 65535)
- return(-1);
-
- /* Create NAT & state table entries. */
- if (ippr_rpcb_getnat(fin, nat, rx->rx_proto, (u_int)xdr) != 0)
- return(-1);
- break;
- case RPCB_RES_STRING:
- /* Expecting a XDR string; need 4 bytes for length */
- if (!RPCB_BUF_GEQ(rm, p, 4))
- return(-1);
-
- rr->rr_v3.xu_str.xs_len = p++;
- rr->rr_v3.xu_str.xs_str = (char *)p;
-
- xdr = B(rr->rr_v3.xu_xslen);
-
- /* A null string indicates an unregistered service */
- if ((xdr == 0) && RPCB_BUF_EQ(rm, p, 0))
- return(0);
-
- /* Decode the target IP address / port. */
- if (ippr_rpcb_getuaddr(rm, &rr->rr_v3, &p) != 0)
- return(-1);
-
- /* Validate the IP address and port contained. */
- if (nat->nat_inip.s_addr != rr->rr_v3.xu_ip)
- return(-1);
-
- /* Create NAT & state table entries. */
- if (ippr_rpcb_getnat(fin, nat, rx->rx_proto,
- (u_int)rr->rr_v3.xu_port) != 0)
- return(-1);
- break;
- case RPCB_RES_LIST:
- if (!RPCB_BUF_GEQ(rm, p, 4))
- return(-1);
- /* rpcb_entry_list_ptr */
- switch(B(p))
- {
- case 0:
- return(0);
- /*NOTREACHED*/
- break;
- case 1:
- break;
- default:
- return(-1);
- }
- rl = &rr->rr_v4;
- rl->rl_list = p++;
- cnt = 0;
-
- for(;;) {
- re = &rl->rl_entries[rl->rl_cnt];
- if (ippr_rpcb_getuaddr(rm, &re->re_maddr, &p) != 0)
- return(-1);
- if (ippr_rpcb_getproto(rm, &re->re_netid, &p) != 0)
- return(-1);
- /* re_semantics & re_pfamily length */
- if (!RPCB_BUF_GEQ(rm, p, 12))
- return(-1);
- p++; /* Skipping re_semantics. */
- xdr = B(p++);
- if ((xdr != 4) || strncmp((char *)p, "inet", 4))
- return(-1);
- p++;
- if (ippr_rpcb_getproto(rm, &re->re_proto, &p) != 0)
- return(-1);
- if (!RPCB_BUF_GEQ(rm, p, 4))
- return(-1);
- re->re_more = p;
- if (B(re->re_more) > 1) /* 0,1 only legal values */
- return(-1);
- ++rl->rl_cnt;
- ++cnt;
- if (B(re->re_more) == 0)
- break;
- /* Replies in max out at 2; TCP and/or UDP */
- if (cnt > 2)
- return(-1);
- p++;
- }
-
- for(rl->rl_cnt = 0; rl->rl_cnt < cnt; rl->rl_cnt++) {
- re = &rl->rl_entries[rl->rl_cnt];
- rv = ippr_rpcb_getnat(fin, nat,
- re->re_proto.xp_proto,
- (u_int)re->re_maddr.xu_port);
- if (rv != 0)
- return(-1);
- }
- break;
- default:
- /*CONSTANTCONDITION*/
- IPF_PANIC(1, ("illegal rx_type %d", rx->rx_type));
- }
-
- return(1);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_lookup */
-/* Returns: rpcb_xact_t * - NULL == no matching record, */
-/* else pointer to relevant entry */
-/* Parameters: rs(I) - pointer to RPCB session */
-/* xid(I) - XID to look for */
-/* -------------------------------------------------------------------- */
-static rpcb_xact_t *
-ippr_rpcb_lookup(rs, xid)
- rpcb_session_t *rs;
- u_32_t xid;
-{
- rpcb_xact_t *rx;
-
- if (rs->rs_rxlist == NULL)
- return(NULL);
-
- for (rx = rs->rs_rxlist; rx != NULL; rx = rx->rx_next)
- if (rx->rx_xid == xid)
- break;
-
- return(rx);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_deref */
-/* Returns: (void) */
-/* Parameters: rs(I) - pointer to RPCB session */
-/* rx(I) - pointer to RPC transaction struct to remove */
-/* force(I) - indicates to delete entry regardless of */
-/* reference count */
-/* Locking: rs->rs_rxlock must be held write only */
-/* */
-/* Free the RPCB transaction record rx from the chain of entries. */
-/* -------------------------------------------------------------------- */
-static void
-ippr_rpcb_deref(rs, rx)
- rpcb_session_t *rs;
- rpcb_xact_t *rx;
-{
- rs = rs; /* LINT */
-
- if (rx == NULL)
- return;
-
- if (--rx->rx_ref != 0)
- return;
-
- if (rx->rx_next != NULL)
- rx->rx_next->rx_pnext = rx->rx_pnext;
-
- *rx->rx_pnext = rx->rx_next;
-
- KFREE(rx);
-
- --rpcbcnt;
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_getproto */
-/* Returns: int - -1 == illegal protocol/netid, */
-/* 0 == legal protocol/netid */
-/* Parameters: rm(I) - pointer to RPC message structure */
-/* xp(I) - pointer to netid structure */
-/* p(IO) - pointer to location within packet buffer */
-/* */
-/* Decode netid/proto stored at p and record its numeric value. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_getproto(rm, xp, p)
- rpc_msg_t *rm;
- xdr_proto_t *xp;
- u_32_t **p;
-{
- u_int len;
-
- /* Must have 4 bytes for length & 4 bytes for "tcp" or "udp". */
- if (!RPCB_BUF_GEQ(rm, p, 8))
- return(-1);
-
- xp->xp_xslen = (*p)++;
- xp->xp_xsstr = (char *)*p;
-
- /* Test the string length. */
- len = B(xp->xp_xslen);
- if (len != 3)
- return(-1);
-
- /* Test the actual string & record the protocol accordingly. */
- if (!strncmp((char *)xp->xp_xsstr, "tcp\0", 4))
- xp->xp_proto = IPPROTO_TCP;
- else if (!strncmp((char *)xp->xp_xsstr, "udp\0", 4))
- xp->xp_proto = IPPROTO_UDP;
- else {
- return(-1);
- }
-
- /* Advance past the string. */
- (*p)++;
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_getnat */
-/* Returns: int -- -1 == failed to create table entries, */
-/* 0 == success */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT table entry */
-/* proto(I) - transport protocol for new entries */
-/* port(I) - new port to use w/ wildcard table entries */
-/* */
-/* Create state and NAT entries to handle an anticipated connection */
-/* attempt between RPC client and server. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_getnat(fin, nat, proto, port)
- fr_info_t *fin;
- nat_t *nat;
- u_int proto;
- u_int port;
-{
- ipnat_t *ipn, ipnat;
- tcphdr_t tcp;
- ipstate_t *is;
- fr_info_t fi;
- nat_t *natl;
- int nflags;
-
- ipn = nat->nat_ptr;
-
- /* Generate dummy fr_info */
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- fi.fin_out = 0;
- fi.fin_src = fin->fin_dst;
- fi.fin_dst = nat->nat_outip;
- fi.fin_p = proto;
- fi.fin_sport = 0;
- fi.fin_dport = port & 0xffff;
- fi.fin_flx |= FI_IGNORE;
-
- bzero((char *)&tcp, sizeof(tcp));
- tcp.th_dport = htons(port);
-
- if (proto == IPPROTO_TCP) {
- tcp.th_win = htons(8192);
- TCP_OFF_A(&tcp, sizeof(tcphdr_t) >> 2);
- fi.fin_dlen = sizeof(tcphdr_t);
- tcp.th_flags = TH_SYN;
- nflags = NAT_TCP;
- } else {
- fi.fin_dlen = sizeof(udphdr_t);
- nflags = NAT_UDP;
- }
-
- nflags |= SI_W_SPORT|NAT_SEARCH;
- fi.fin_dp = &tcp;
- fi.fin_plen = fi.fin_hlen + fi.fin_dlen;
-
- /*
- * Search for existing NAT & state entries. Pay close attention to
- * mutexes / locks grabbed from lookup routines, as not doing so could
- * lead to bad things.
- *
- * If successful, fr_stlookup returns with ipf_state locked. We have
- * no use for this lock, so simply unlock it if necessary.
- */
- is = fr_stlookup(&fi, &tcp, NULL);
- if (is != NULL)
- RWLOCK_EXIT(&ipf_state);
-
- RWLOCK_EXIT(&ipf_nat);
-
- WRITE_ENTER(&ipf_nat);
- natl = nat_inlookup(&fi, nflags, proto, fi.fin_src, fi.fin_dst);
-
- if ((natl != NULL) && (is != NULL)) {
- MUTEX_DOWNGRADE(&ipf_nat);
- return(0);
- }
-
- /* Slightly modify the following structures for actual use in creating
- * NAT and/or state entries. We're primarily concerned with stripping
- * flags that may be detrimental to the creation process or simply
- * shouldn't be associated with a table entry.
- */
- fi.fin_fr = &rpcbfr;
- fi.fin_flx &= ~FI_IGNORE;
- nflags &= ~NAT_SEARCH;
-
- if (natl == NULL) {
- /* XXX Since we're just copying the original ipn contents
- * back, would we be better off just sending a pointer to
- * the 'temp' copy off to nat_new instead?
- */
- /* Generate template/bogus NAT rule. */
- bcopy((char *)ipn, (char *)&ipnat, sizeof(ipnat));
- ipn->in_flags = nflags & IPN_TCPUDP;
- ipn->in_apr = NULL;
- ipn->in_p = proto;
- ipn->in_pmin = htons(fi.fin_dport);
- ipn->in_pmax = htons(fi.fin_dport);
- ipn->in_pnext = htons(fi.fin_dport);
- ipn->in_space = 1;
- ipn->in_ippip = 1;
- if (ipn->in_flags & IPN_FILTER) {
- ipn->in_scmp = 0;
- ipn->in_dcmp = 0;
- }
- *ipn->in_plabel = '\0';
-
- /* Create NAT entry. return NULL if this fails. */
- natl = nat_new(&fi, ipn, NULL, nflags|SI_CLONE|NAT_SLAVE,
- NAT_INBOUND);
-
- bcopy((char *)&ipnat, (char *)ipn, sizeof(ipnat));
-
- if (natl == NULL) {
- MUTEX_DOWNGRADE(&ipf_nat);
- return(-1);
- }
-
- ipn->in_use++;
- (void) nat_proto(&fi, natl, nflags);
- nat_update(&fi, natl, natl->nat_ptr);
- }
- MUTEX_DOWNGRADE(&ipf_nat);
-
- if (is == NULL) {
- /* Create state entry. Return NULL if this fails. */
- fi.fin_dst = nat->nat_inip;
- fi.fin_nat = (void *)natl;
- fi.fin_flx |= FI_NATED;
- fi.fin_flx &= ~FI_STATE;
- nflags &= NAT_TCPUDP;
- nflags |= SI_W_SPORT|SI_CLONE;
-
- is = fr_addstate(&fi, NULL, nflags);
- if (is == NULL) {
- /*
- * XXX nat_delete is private to ip_nat.c. Should
- * check w/ Darren about this one.
- *
- * nat_delete(natl, NL_EXPIRE);
- */
- return(-1);
- }
- if (fi.fin_state != NULL)
- fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
- }
-
- return(0);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_modv3 */
-/* Returns: int -- change in packet length */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT session */
-/* rm(I) - pointer to RPC message structure */
-/* m(I) - pointer to mbuf chain */
-/* off(I) - offset within mbuf chain */
-/* */
-/* Write a new universal address string to this packet, adjusting */
-/* lengths as necessary. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_modv3(fin, nat, rm, m, off)
- fr_info_t *fin;
- nat_t *nat;
- rpc_msg_t *rm;
- mb_t *m;
- u_int off;
-{
- u_int len, xlen, pos, bogo;
- rpc_resp_t *rr;
- char uaddr[24];
- char *i, *p;
- int diff;
-
- rr = &rm->rm_resp;
- i = (char *)&nat->nat_outip.s_addr;
- p = (char *)&rr->rr_v3.xu_port;
-
- /* Form new string. */
- bzero(uaddr, sizeof(uaddr)); /* Just in case we need padding. */
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(uaddr, sizeof(uaddr),
-#else
- (void) sprintf(uaddr,
-#endif
- "%u.%u.%u.%u.%u.%u", i[0] & 0xff, i[1] & 0xff,
- i[2] & 0xff, i[3] & 0xff, p[0] & 0xff, p[1] & 0xff);
- len = strlen(uaddr);
- xlen = XDRALIGN(len);
-
- /* Determine mbuf offset to write to. */
- pos = (char *)rr->rr_v3.xu_xslen - rm->rm_msgbuf;
- off += pos;
-
- /* Write new string length. */
- bogo = htonl(len);
- COPYBACK(m, off, 4, (caddr_t)&bogo);
- off += 4;
-
- /* Write new string. */
- COPYBACK(m, off, xlen, uaddr);
-
- /* Determine difference in data lengths. */
- diff = xlen - XDRALIGN(B(rr->rr_v3.xu_xslen));
-
- /*
- * If our new string has a different length, make necessary
- * adjustments.
- */
- if (diff != 0)
- ippr_rpcb_fixlen(fin, diff);
-
- return(diff);
-}
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_modv4 */
-/* Returns: int -- change in packet length */
-/* Parameters: fin(I) - pointer to packet information */
-/* nat(I) - pointer to NAT session */
-/* rm(I) - pointer to RPC message structure */
-/* m(I) - pointer to mbuf chain */
-/* off(I) - offset within mbuf chain */
-/* */
-/* Write new rpcb_entry list, adjusting lengths as necessary. */
-/* -------------------------------------------------------------------- */
-static int
-ippr_rpcb_modv4(fin, nat, rm, m, off)
- fr_info_t *fin;
- nat_t *nat;
- rpc_msg_t *rm;
- mb_t *m;
- u_int off;
-{
- u_int len, xlen, pos, bogo;
- rpcb_listp_t *rl;
- rpcb_entry_t *re;
- rpc_resp_t *rr;
- char uaddr[24];
- int diff, cnt;
- char *i, *p;
-
- diff = 0;
- rr = &rm->rm_resp;
- rl = &rr->rr_v4;
-
- i = (char *)&nat->nat_outip.s_addr;
-
- /* Determine mbuf offset to write to. */
- re = &rl->rl_entries[0];
- pos = (char *)re->re_maddr.xu_xslen - rm->rm_msgbuf;
- off += pos;
-
- for (cnt = 0; cnt < rl->rl_cnt; cnt++) {
- re = &rl->rl_entries[cnt];
- p = (char *)&re->re_maddr.xu_port;
-
- /* Form new string. */
- bzero(uaddr, sizeof(uaddr)); /* Just in case we need
- padding. */
-#if defined(SNPRINTF) && defined(_KERNEL)
- SNPRINTF(uaddr, sizeof(uaddr),
-#else
- (void) sprintf(uaddr,
-#endif
- "%u.%u.%u.%u.%u.%u", i[0] & 0xff,
- i[1] & 0xff, i[2] & 0xff, i[3] & 0xff,
- p[0] & 0xff, p[1] & 0xff);
- len = strlen(uaddr);
- xlen = XDRALIGN(len);
-
- /* Write new string length. */
- bogo = htonl(len);
- COPYBACK(m, off, 4, (caddr_t)&bogo);
- off += 4;
-
- /* Write new string. */
- COPYBACK(m, off, xlen, uaddr);
- off += xlen;
-
- /* Record any change in length. */
- diff += xlen - XDRALIGN(B(re->re_maddr.xu_xslen));
-
- /* If the length changed, copy back the rest of this entry. */
- len = ((char *)re->re_more + 4) -
- (char *)re->re_netid.xp_xslen;
- if (diff != 0) {
- COPYBACK(m, off, len, (caddr_t)re->re_netid.xp_xslen);
- }
- off += len;
- }
-
- /*
- * If our new string has a different length, make necessary
- * adjustments.
- */
- if (diff != 0)
- ippr_rpcb_fixlen(fin, diff);
-
- return(diff);
-}
-
-
-/* -------------------------------------------------------------------- */
-/* Function: ippr_rpcb_fixlen */
-/* Returns: (void) */
-/* Parameters: fin(I) - pointer to packet information */
-/* len(I) - change in packet length */
-/* */
-/* Adjust various packet related lengths held in structure and packet */
-/* header fields. */
-/* -------------------------------------------------------------------- */
-static void
-ippr_rpcb_fixlen(fin, len)
- fr_info_t *fin;
- int len;
-{
- udphdr_t *udp;
-
- udp = fin->fin_dp;
- udp->uh_ulen = htons(ntohs(udp->uh_ulen) + len);
- fin->fin_ip->ip_len += len;
- fin->fin_dlen += len;
- fin->fin_plen += len;
-}
-
-#undef B
diff --git a/contrib/ipfilter/ip_scan.c b/contrib/ipfilter/ip_scan.c
deleted file mode 100644
index 37f6d58..0000000
--- a/contrib/ipfilter/ip_scan.c
+++ /dev/null
@@ -1,594 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/param.h>
-#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL)
-# include <sys/kern_svcs.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/errno.h>
-#if !defined(_KERNEL)
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#else
-# include <sys/systm.h>
-# if !defined(__svr4__) && !defined(__SVR4)
-# include <sys/mbuf.h>
-# endif
-#endif
-#include <sys/socket.h>
-#if !defined(__hpux) && !defined(__osf__) && !defined(linux)
-# include <sys/ioccom.h>
-#endif
-#ifdef __FreeBSD__
-# include <sys/filio.h>
-# include <sys/malloc.h>
-#else
-# include <sys/ioctl.h>
-#endif
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-
-#include <net/if.h>
-
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_scan.h"
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
-#endif
-
-#ifdef IPFILTER_SCAN /* endif at bottom of file */
-
-
-ipscan_t *ipsc_list = NULL,
- *ipsc_tail = NULL;
-ipscanstat_t ipsc_stat;
-# ifdef USE_MUTEXES
-ipfrwlock_t ipsc_rwlock;
-# endif
-
-# ifndef isalpha
-# define isalpha(x) (((x) >= 'A' && 'Z' >= (x)) || \
- ((x) >= 'a' && 'z' >= (x)))
-# endif
-
-
-int ipsc_add __P((caddr_t));
-int ipsc_delete __P((caddr_t));
-struct ipscan *ipsc_lookup __P((char *));
-int ipsc_matchstr __P((sinfo_t *, char *, int));
-int ipsc_matchisc __P((ipscan_t *, ipstate_t *, int, int, int *));
-int ipsc_match __P((ipstate_t *));
-
-
-
-int ipsc_init()
-{
- RWLOCK_INIT(&ipsc_rwlock, "ip scan rwlock");
- return 0;
-}
-
-
-void fr_scanunload()
-{
- RW_DESTROY(&ipsc_rwlock);
-}
-
-
-int ipsc_add(data)
-caddr_t data;
-{
- ipscan_t *i, *isc;
- int err;
-
- KMALLOC(isc, ipscan_t *);
- if (!isc)
- return ENOMEM;
-
- err = copyinptr(data, isc, sizeof(*isc));
- if (err)
- return err;
-
- WRITE_ENTER(&ipsc_rwlock);
-
- i = ipsc_lookup(isc->ipsc_tag);
- if (i) {
- RWLOCK_EXIT(&ipsc_rwlock);
- KFREE(isc);
- return EEXIST;
- }
-
- if (ipsc_tail) {
- ipsc_tail->ipsc_next = isc;
- isc->ipsc_pnext = &ipsc_tail->ipsc_next;
- ipsc_tail = isc;
- } else {
- ipsc_list = isc;
- ipsc_tail = isc;
- isc->ipsc_pnext = &ipsc_list;
- }
- isc->ipsc_next = NULL;
-
- isc->ipsc_hits = 0;
- isc->ipsc_fref = 0;
- isc->ipsc_sref = 0;
- isc->ipsc_active = 0;
-
- ipsc_stat.iscs_entries++;
- RWLOCK_EXIT(&ipsc_rwlock);
- return 0;
-}
-
-
-int ipsc_delete(data)
-caddr_t data;
-{
- ipscan_t isc, *i;
- int err;
-
- err = copyinptr(data, &isc, sizeof(isc));
- if (err)
- return err;
-
- WRITE_ENTER(&ipsc_rwlock);
-
- i = ipsc_lookup(isc.ipsc_tag);
- if (i == NULL)
- err = ENOENT;
- else {
- if (i->ipsc_fref) {
- RWLOCK_EXIT(&ipsc_rwlock);
- return EBUSY;
- }
-
- *i->ipsc_pnext = i->ipsc_next;
- if (i->ipsc_next)
- i->ipsc_next->ipsc_pnext = i->ipsc_pnext;
- else {
- if (i->ipsc_pnext == &ipsc_list)
- ipsc_tail = NULL;
- else
- ipsc_tail = *(*i->ipsc_pnext)->ipsc_pnext;
- }
-
- ipsc_stat.iscs_entries--;
- KFREE(i);
- }
- RWLOCK_EXIT(&ipsc_rwlock);
- return err;
-}
-
-
-struct ipscan *ipsc_lookup(tag)
-char *tag;
-{
- ipscan_t *i;
-
- for (i = ipsc_list; i; i = i->ipsc_next)
- if (!strcmp(i->ipsc_tag, tag))
- return i;
- return NULL;
-}
-
-
-int ipsc_attachfr(fr)
-struct frentry *fr;
-{
- ipscan_t *i;
-
- if (fr->fr_isctag[0]) {
- READ_ENTER(&ipsc_rwlock);
- i = ipsc_lookup(fr->fr_isctag);
- if (i != NULL) {
- ATOMIC_INC32(i->ipsc_fref);
- }
- RWLOCK_EXIT(&ipsc_rwlock);
- if (i == NULL)
- return ENOENT;
- fr->fr_isc = i;
- }
- return 0;
-}
-
-
-int ipsc_attachis(is)
-struct ipstate *is;
-{
- frentry_t *fr;
- ipscan_t *i;
-
- READ_ENTER(&ipsc_rwlock);
- fr = is->is_rule;
- if (fr) {
- i = fr->fr_isc;
- if (!i || (i != (ipscan_t *)-1)) {
- is->is_isc = i;
- if (i) {
- ATOMIC_INC32(i->ipsc_sref);
- if (i->ipsc_clen)
- is->is_flags |= IS_SC_CLIENT;
- else
- is->is_flags |= IS_SC_MATCHC;
- if (i->ipsc_slen)
- is->is_flags |= IS_SC_SERVER;
- else
- is->is_flags |= IS_SC_MATCHS;
- } else
- is->is_flags |= (IS_SC_CLIENT|IS_SC_SERVER);
- }
- }
- RWLOCK_EXIT(&ipsc_rwlock);
- return 0;
-}
-
-
-int ipsc_detachfr(fr)
-struct frentry *fr;
-{
- ipscan_t *i;
-
- i = fr->fr_isc;
- if (i != NULL) {
- ATOMIC_DEC32(i->ipsc_fref);
- }
- return 0;
-}
-
-
-int ipsc_detachis(is)
-struct ipstate *is;
-{
- ipscan_t *i;
-
- READ_ENTER(&ipsc_rwlock);
- if ((i = is->is_isc) && (i != (ipscan_t *)-1)) {
- ATOMIC_DEC32(i->ipsc_sref);
- is->is_isc = NULL;
- is->is_flags &= ~(IS_SC_CLIENT|IS_SC_SERVER);
- }
- RWLOCK_EXIT(&ipsc_rwlock);
- return 0;
-}
-
-
-/*
- * 'string' compare for scanning
- */
-int ipsc_matchstr(sp, str, n)
-sinfo_t *sp;
-char *str;
-int n;
-{
- char *s, *t, *up;
- int i = n;
-
- if (i > sp->s_len)
- i = sp->s_len;
- up = str;
-
- for (s = sp->s_txt, t = sp->s_msk; i; i--, s++, t++, up++)
- switch ((int)*t)
- {
- case '.' :
- if (*s != *up)
- return 1;
- break;
- case '?' :
- if (!ISALPHA(*up) || ((*s & 0x5f) != (*up & 0x5f)))
- return 1;
- break;
- case '*' :
- break;
- }
- return 0;
-}
-
-
-/*
- * Returns 3 if both server and client match, 2 if just server,
- * 1 if just client
- */
-int ipsc_matchisc(isc, is, cl, sl, maxm)
-ipscan_t *isc;
-ipstate_t *is;
-int cl, sl, maxm[2];
-{
- int i, j, k, n, ret = 0, flags;
-
- flags = is->is_flags;
-
- /*
- * If we've already matched more than what is on offer, then
- * assume we have a better match already and forget this one.
- */
- if (maxm != NULL) {
- if (isc->ipsc_clen < maxm[0])
- return 0;
- if (isc->ipsc_slen < maxm[1])
- return 0;
- j = maxm[0];
- k = maxm[1];
- } else {
- j = 0;
- k = 0;
- }
-
- if (!isc->ipsc_clen)
- ret = 1;
- else if (((flags & (IS_SC_MATCHC|IS_SC_CLIENT)) == IS_SC_CLIENT) &&
- cl && isc->ipsc_clen) {
- i = 0;
- n = MIN(cl, isc->ipsc_clen);
- if ((n > 0) && (!maxm || (n >= maxm[1]))) {
- if (!ipsc_matchstr(&isc->ipsc_cl, is->is_sbuf[0], n)) {
- i++;
- ret |= 1;
- if (n > j)
- j = n;
- }
- }
- }
-
- if (!isc->ipsc_slen)
- ret |= 2;
- else if (((flags & (IS_SC_MATCHS|IS_SC_SERVER)) == IS_SC_SERVER) &&
- sl && isc->ipsc_slen) {
- i = 0;
- n = MIN(cl, isc->ipsc_slen);
- if ((n > 0) && (!maxm || (n >= maxm[1]))) {
- if (!ipsc_matchstr(&isc->ipsc_sl, is->is_sbuf[1], n)) {
- i++;
- ret |= 2;
- if (n > k)
- k = n;
- }
- }
- }
-
- if (maxm && (ret == 3)) {
- maxm[0] = j;
- maxm[1] = k;
- }
- return ret;
-}
-
-
-int ipsc_match(is)
-ipstate_t *is;
-{
- int i, j, k, n, cl, sl, maxm[2];
- ipscan_t *isc, *lm;
- tcpdata_t *t;
-
- for (cl = 0, n = is->is_smsk[0]; n & 1; n >>= 1)
- cl++;
- for (sl = 0, n = is->is_smsk[1]; n & 1; n >>= 1)
- sl++;
-
- j = 0;
- isc = is->is_isc;
- if (isc != NULL) {
- /*
- * Known object to scan for.
- */
- i = ipsc_matchisc(isc, is, cl, sl, NULL);
- if (i & 1) {
- is->is_flags |= IS_SC_MATCHC;
- is->is_flags &= ~IS_SC_CLIENT;
- } else if (cl >= isc->ipsc_clen)
- is->is_flags &= ~IS_SC_CLIENT;
- if (i & 2) {
- is->is_flags |= IS_SC_MATCHS;
- is->is_flags &= ~IS_SC_SERVER;
- } else if (sl >= isc->ipsc_slen)
- is->is_flags &= ~IS_SC_SERVER;
- } else {
- i = 0;
- lm = NULL;
- maxm[0] = 0;
- maxm[1] = 0;
- for (k = 0, isc = ipsc_list; isc; isc = isc->ipsc_next) {
- i = ipsc_matchisc(isc, is, cl, sl, maxm);
- if (i) {
- /*
- * We only want to remember the best match
- * and the number of times we get a best
- * match.
- */
- if ((j == 3) && (i < 3))
- continue;
- if ((i == 3) && (j != 3))
- k = 1;
- else
- k++;
- j = i;
- lm = isc;
- }
- }
- if (k == 1)
- isc = lm;
-
- /*
- * No matches or partial matches, so reset the respective
- * search flag.
- */
- if (!(j & 1))
- is->is_flags &= ~IS_SC_CLIENT;
-
- if (!(j & 2))
- is->is_flags &= ~IS_SC_SERVER;
-
- /*
- * If we found the best match, then set flags appropriately.
- */
- if ((j == 3) && (k == 1)) {
- is->is_flags &= ~(IS_SC_SERVER|IS_SC_CLIENT);
- is->is_flags |= (IS_SC_MATCHS|IS_SC_MATCHC);
- }
- }
-
- /*
- * If the acknowledged side of a connection has moved past the data in
- * which we are interested, then reset respective flag.
- */
- t = &is->is_tcp.ts_data[0];
- if (t->td_end > is->is_s0[0] + 15)
- is->is_flags &= ~IS_SC_CLIENT;
-
- t = &is->is_tcp.ts_data[1];
- if (t->td_end > is->is_s0[1] + 15)
- is->is_flags &= ~IS_SC_SERVER;
-
- /*
- * Matching complete ?
- */
- j = ISC_A_NONE;
- if ((is->is_flags & IS_SC_MATCHALL) == IS_SC_MATCHALL) {
- j = isc->ipsc_action;
- ipsc_stat.iscs_acted++;
- } else if ((is->is_isc != NULL) &&
- ((is->is_flags & IS_SC_MATCHALL) != IS_SC_MATCHALL) &&
- !(is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER))) {
- /*
- * Matching failed...
- */
- j = isc->ipsc_else;
- ipsc_stat.iscs_else++;
- }
-
- switch (j)
- {
- case ISC_A_CLOSE :
- /*
- * If as a result of a successful match we are to
- * close a connection, change the "keep state" info.
- * to block packets and generate TCP RST's.
- */
- is->is_pass &= ~FR_RETICMP;
- is->is_pass |= FR_RETRST;
- break;
- default :
- break;
- }
-
- return i;
-}
-
-
-/*
- * check if a packet matches what we're scanning for
- */
-int ipsc_packet(fin, is)
-fr_info_t *fin;
-ipstate_t *is;
-{
- int i, j, rv, dlen, off, thoff;
- u_32_t seq, s0;
- tcphdr_t *tcp;
-
- rv = !IP6_EQ(&fin->fin_fi.fi_src, &is->is_src);
- tcp = fin->fin_dp;
- seq = ntohl(tcp->th_seq);
-
- if (!is->is_s0[rv])
- return 1;
-
- /*
- * check if this packet has more data that falls within the first
- * 16 bytes sent in either direction.
- */
- s0 = is->is_s0[rv];
- off = seq - s0;
- if ((off > 15) || (off < 0))
- return 1;
- thoff = TCP_OFF(tcp) << 2;
- dlen = fin->fin_dlen - thoff;
- if (dlen <= 0)
- return 1;
- if (dlen > 16)
- dlen = 16;
- if (off + dlen > 16)
- dlen = 16 - off;
-
- j = 0xffff >> (16 - dlen);
- i = (0xffff & j) << off;
-#ifdef _KERNEL
- COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_hlen + thoff, dlen,
- (caddr_t)is->is_sbuf[rv] + off);
-#endif
- is->is_smsk[rv] |= i;
- for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1)
- j++;
- if (j == 0)
- return 1;
-
- (void) ipsc_match(is);
-#if 0
- /*
- * There is the potential here for plain text passwords to get
- * buffered and stored for some time...
- */
- if (!(is->is_flags & IS_SC_CLIENT))
- bzero(is->is_sbuf[0], sizeof(is->is_sbuf[0]));
- if (!(is->is_flags & IS_SC_SERVER))
- bzero(is->is_sbuf[1], sizeof(is->is_sbuf[1]));
-#endif
- return 0;
-}
-
-
-int fr_scan_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- ipscanstat_t ipscs;
- int err = 0;
-
- switch (cmd)
- {
- case SIOCADSCA :
- err = ipsc_add(data);
- break;
- case SIOCRMSCA :
- err = ipsc_delete(data);
- break;
- case SIOCGSCST :
- bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs));
- ipscs.iscs_list = ipsc_list;
- BCOPYOUT(&ipscs, data, sizeof(ipscs));
- break;
- default :
- err = EINVAL;
- break;
- }
-
- return err;
-}
-#endif /* IPFILTER_SCAN */
diff --git a/contrib/ipfilter/ip_scan.h b/contrib/ipfilter/ip_scan.h
deleted file mode 100644
index de98f9c..0000000
--- a/contrib/ipfilter/ip_scan.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h 1.35 6/5/96
- * Id: ip_scan.h,v 2.9 2003/07/25 22:05:01 darrenr Exp
- */
-
-#ifndef __IP_SCAN_H__
-#define __IP_SCAN_H__ 1
-
-#ifdef sun
-# include <sys/ioccom.h>
-#endif
-
-#define IPSCAN_NAME "/dev/ipscan"
-#define IPL_SCAN IPSCAN_NAME
-#define ISC_TLEN 16
-
-
-struct fr_info;
-struct frentry;
-struct ip;
-struct ipstate;
-
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCADSCA _IOWR('r', 60, struct ipscan *)
-# define SIOCRMSCA _IOWR('r', 61, struct ipscan *)
-# define SIOCGSCST _IOWR('r', 62, struct ipscan *)
-#else
-# define SIOCADSCA _IOWR(r, 60, struct ipscan *)
-# define SIOCRMSCA _IOWR(r, 61, struct ipscan *)
-# define SIOCGSCST _IOWR(r, 62, struct ipscan *)
-#endif
-
-struct action {
- int act_val; /* what to do */
- struct in_addr act_ip; /* redirect IP# */
- u_short act_port; /* redirect port number */
- int act_else; /* what to do */
- struct in_addr act_eip; /* redirect IP# */
- u_short act_eport; /* redirect port number */
-};
-
-
-typedef struct sinfo {
- char s_txt[ISC_TLEN]; /* text to match */
- char s_msk[ISC_TLEN]; /* mask of the above to check */
- int s_len; /* length of server text */
-} sinfo_t;
-
-
-typedef struct ipscan {
- struct ipscan *ipsc_next;
- struct ipscan **ipsc_pnext;
- char ipsc_tag[ISC_TLEN]; /* table entry protocol tag */
- sinfo_t ipsc_si[2]; /* client/server side information */
- int ipsc_hits; /* times this has been matched */
- int ipsc_active; /* # of active matches */
- int ipsc_fref; /* # of references from filter rules */
- int ipsc_sref; /* # of references from state entries */
- struct action ipsc_act;
-} ipscan_t;
-
-
-#define ipsc_cl ipsc_si[0]
-#define ipsc_sl ipsc_si[1]
-#define ipsc_ctxt ipsc_cl.s_txt
-#define ipsc_cmsk ipsc_cl.s_msk
-#define ipsc_clen ipsc_cl.s_len
-#define ipsc_stxt ipsc_sl.s_txt
-#define ipsc_smsk ipsc_sl.s_msk
-#define ipsc_slen ipsc_sl.s_len
-#define ipsc_action ipsc_act.act_val
-#define ipsc_ip ipsc_act.act_ip
-#define ipsc_port ipsc_act.act_port
-#define ipsc_else ipsc_act.act_else
-#define ipsc_eip ipsc_act.act_eip
-#define ipsc_eport ipsc_act.act_eport
-
-#define ISC_A_NONE 0
-#define ISC_A_TRACK 1
-#define ISC_A_CLOSE 2
-#define ISC_A_REDIRECT 3
-
-
-typedef struct ipscanstat {
- struct ipscan *iscs_list;
- u_long iscs_acted;
- u_long iscs_else;
- int iscs_entries;
-} ipscanstat_t;
-
-
-extern int fr_scan_ioctl __P((caddr_t, ioctlcmd_t, int));
-extern int ipsc_init __P((void));
-extern int ipsc_attachis __P((struct ipstate *));
-extern int ipsc_attachfr __P((struct frentry *));
-extern int ipsc_detachis __P((struct ipstate *));
-extern int ipsc_detachfr __P((struct frentry *));
-extern int ipsc_packet __P((struct fr_info *, struct ipstate *));
-extern void fr_scanunload __P((void));
-
-#endif /* __IP_SCAN_H__ */
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
deleted file mode 100644
index 9e995d9..0000000
--- a/contrib/ipfilter/ip_sfil.c
+++ /dev/null
@@ -1,991 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * I hate legaleese, don't you ?
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.27 2003/06/12 16:03:14 darrenr Exp $";
-#endif
-
-#include <sys/types.h>
-#include <sys/errno.h>
-#include <sys/param.h>
-#include <sys/cpuvar.h>
-#include <sys/open.h>
-#include <sys/ioctl.h>
-#include <sys/filio.h>
-#include <sys/systm.h>
-#include <sys/cred.h>
-#include <sys/ddi.h>
-#include <sys/sunddi.h>
-#include <sys/ksynch.h>
-#include <sys/kmem.h>
-#include <sys/mkdev.h>
-#include <sys/protosw.h>
-#include <sys/socket.h>
-#include <sys/dditypes.h>
-#include <sys/cmn_err.h>
-#include <net/if.h>
-#include <net/af.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#include "ip_fil.h"
-#include "ip_state.h"
-#include "ip_nat.h"
-#include "ip_frag.h"
-#include "ip_auth.h"
-#include "ip_proxy.h"
-#include <inet/ip_ire.h>
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern fr_flags, fr_active;
-
-int fr_running = 0;
-int ipl_unreach = ICMP_UNREACH_HOST;
-u_long ipl_frouteok[2] = {0, 0};
-static int frzerostats __P((caddr_t));
-#if SOLARIS2 >= 7
-static u_int *ip_ttl_ptr;
-static u_int *ip_mtudisc;
-#else
-static u_long *ip_ttl_ptr;
-static u_long *ip_mtudisc;
-#endif
-
-static int frrequest __P((minor_t, int, caddr_t, int));
-static int send_ip __P((fr_info_t *fin, mblk_t *m));
-kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
-KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
-KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-kcondvar_t iplwait, ipfauthwait;
-
-
-int ipldetach()
-{
- int i;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "ipldetach()\n");
-#endif
-#ifdef IPFILTER_LOG
- for (i = IPL_LOGMAX; i >= 0; i--)
- ipflog_clear(i);
-#endif
- i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
- ipfr_unload();
- fr_stateunload();
- ip_natunload();
- cv_destroy(&iplwait);
- cv_destroy(&ipfauthwait);
- mutex_destroy(&ipf_authmx);
- mutex_destroy(&ipl_mutex);
- mutex_destroy(&ipf_rw);
- RW_DESTROY(&ipf_mutex);
- RW_DESTROY(&ipf_frag);
- RW_DESTROY(&ipf_state);
- RW_DESTROY(&ipf_natfrag);
- RW_DESTROY(&ipf_nat);
- RW_DESTROY(&ipf_auth);
- RW_DESTROY(&ipfs_mutex);
- /* NOTE: This lock is acquired in ipf_detach */
- RWLOCK_EXIT(&ipf_solaris);
- RW_DESTROY(&ipf_solaris);
- return 0;
-}
-
-
-int iplattach __P((void))
-{
- int i;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplattach()\n");
-#endif
- bzero((char *)frcache, sizeof(frcache));
- mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL);
- RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL);
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL);
- RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL);
- RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL);
- RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL);
- RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL);
- RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL);
- RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL);
- cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
- cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL);
-#ifdef IPFILTER_LOG
- ipflog_init();
-#endif
- if (nat_init() == -1)
- return -1;
- if (fr_stateinit() == -1)
- return -1;
- if (appr_init() == -1)
- return -1;
-
- ip_ttl_ptr = NULL;
- ip_mtudisc = NULL;
- /*
- * XXX - There is no terminator for this array, so it is not possible
- * to tell if what we are looking for is missing and go off the end
- * of the array.
- */
- for (i = 0; ; i++) {
- if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
- ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
- } else if (strcmp(ip_param_arr[i].ip_param_name,
- "ip_path_mtu_discovery") == 0) {
- ip_mtudisc = &ip_param_arr[i].ip_param_value;
- }
-
- if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
- break;
- }
- return 0;
-}
-
-
-static int frzerostats(data)
-caddr_t data;
-{
- friostat_t fio;
- int error;
-
- fr_getstat(&fio);
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (error)
- return error;
-
- bzero((char *)frstats, sizeof(*frstats) * 2);
-
- return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-int iplioctl(dev, cmd, data, mode, cp, rp)
-dev_t dev;
-int cmd;
-#if SOLARIS2 >= 7
-intptr_t data;
-#else
-int *data;
-#endif
-int mode;
-cred_t *cp;
-int *rp;
-{
- int error = 0, tmp;
- minor_t unit;
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n",
- dev, cmd, data, mode, cp, rp);
-#endif
- unit = getminor(dev);
- if (IPL_LOGMAX < unit)
- return ENXIO;
-
- if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
- return ENODEV;
-
- if (fr_running <= 0)
- return 0;
-
- READ_ENTER(&ipf_solaris);
- if (unit == IPL_LOGNAT) {
- error = nat_ioctl((caddr_t)data, cmd, mode);
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
- if (unit == IPL_LOGSTATE) {
- error = fr_state_ioctl((caddr_t)data, cmd, mode);
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
- if (unit == IPL_LOGAUTH) {
- if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
- if (!(mode & FWRITE)) {
- error = EPERM;
- } else {
- error = frrequest(unit, cmd, (caddr_t)data,
- fr_active);
- }
- } else {
- error = fr_auth_ioctl((caddr_t)data, mode, cmd);
- }
- RWLOCK_EXIT(&ipf_solaris);
- return error;
- }
-
- switch (cmd) {
- case SIOCFRENB :
- {
- u_int enable;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = IRCOPY((caddr_t)data, (caddr_t)&enable,
- sizeof(enable));
- break;
- }
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- WRITE_ENTER(&ipf_mutex);
- error = IRCOPY((caddr_t)data, (caddr_t)&fr_flags,
- sizeof(fr_flags));
- RWLOCK_EXIT(&ipf_mutex);
- }
- break;
- case SIOCGETFF :
- error = IWCOPY((caddr_t)&fr_flags, (caddr_t)data,
- sizeof(fr_flags));
- if (error)
- error = EFAULT;
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, (caddr_t)data, fr_active);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, (caddr_t)data,
- 1 - fr_active);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- error = IWCOPY((caddr_t)&fr_active, (caddr_t)data,
- sizeof(fr_active));
- if (error)
- error = EFAULT;
- fr_active = 1 - fr_active;
- RWLOCK_EXIT(&ipf_mutex);
- }
- break;
- case SIOCGETFS :
- {
- friostat_t fio;
-
- READ_ENTER(&ipf_mutex);
- fr_getstat(&fio);
- RWLOCK_EXIT(&ipf_mutex);
- error = IWCOPYPTR((caddr_t)&fio, (caddr_t)data, sizeof(fio));
- if (error)
- error = EFAULT;
- break;
- }
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frzerostats((caddr_t)data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
- sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, 4, tmp);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- }
- break;
-#ifdef USE_INET6
- case SIOCIPFL6 :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp,
- sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, 6, tmp);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- }
- break;
-#endif
- case SIOCSTLCK :
- error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- fr_state_lock = tmp;
- fr_nat_lock = tmp;
- fr_frag_lock = tmp;
- fr_auth_lock = tmp;
- } else
- error = EFAULT;
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- tmp = ipflog_clear(unit);
- error = IWCOPY((caddr_t)&tmp, (caddr_t)data,
- sizeof(tmp));
- if (error)
- error = EFAULT;
- }
- break;
-#endif /* IPFILTER_LOG */
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = ipfsync();
- break;
- case SIOCGFRST :
- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), (caddr_t)data,
- sizeof(ipfrstat_t));
- break;
- case FIONREAD :
- {
-#ifdef IPFILTER_LOG
- int copy = (int)iplused[IPL_LOGIPF];
-
- error = IWCOPY((caddr_t)&copy, (caddr_t)data, sizeof(copy));
- if (error)
- error = EFAULT;
-#endif
- break;
- }
- default :
- error = EINVAL;
- break;
- }
- RWLOCK_EXIT(&ipf_solaris);
- return error;
-}
-
-
-ill_t *get_unit(name, v)
-char *name;
-int v;
-{
- size_t len = strlen(name) + 1; /* includes \0 */
- ill_t *il;
-#if SOLARIS2 >= 10
- ill_walk_context_t ctx;
-#endif
- int sap;
-
- if (v == 4)
- sap = 0x0800;
- else if (v == 6)
- sap = 0x86dd;
- else
- return NULL;
-#if SOLARIS2 >= 10
- for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il))
-#else
- for (il = ill_g_head; il; il = il->ill_next)
-#endif
- if ((len == il->ill_name_length) && (il->ill_sap == sap) &&
- !strncmp(il->ill_name, name, len))
- return il;
- return NULL;
-}
-
-
-static int frrequest(unit, req, data, set)
-minor_t unit;
-int req, set;
-caddr_t data;
-{
- register frentry_t *fp, *f, **fprev;
- register frentry_t **ftail;
- frgroup_t *fg = NULL;
- int error = 0, in, i;
- u_int *p, *pp;
- frdest_t *fdp;
- frentry_t fr;
- u_32_t group;
- ipif_t *ipif;
- ill_t *ill;
- ire_t *ire;
-
- fp = &fr;
- error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
- if (error)
- return EFAULT;
- fp->fr_ref = 0;
-#if SOLARIS2 >= 8
- if (fp->fr_v == 4)
- fp->fr_sap = IP_DL_SAP;
- else if (fp->fr_v == 6)
- fp->fr_sap = IP6_DL_SAP;
- else
- return EINVAL;
-#else
- fp->fr_sap = 0;
-#endif
-
- WRITE_ENTER(&ipf_mutex);
- /*
- * Check that the group number does exist and that if a head group
- * has been specified, doesn't exist.
- */
- if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
- (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
- fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
- error = EEXIST;
- goto out;
- }
- if ((req != SIOCZRLST) && fp->fr_group &&
- !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) {
- error = ESRCH;
- goto out;
- }
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- if (unit == IPL_LOGAUTH)
- ftail = fprev = &ipauth;
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
- ftail = fprev = &ipacct[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
- ftail = fprev = &ipfilter[in][set];
-#ifdef USE_INET6
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
- ftail = fprev = &ipacct6[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
- ftail = fprev = &ipfilter6[in][set];
-#endif
- else {
- error = ESRCH;
- goto out;
- }
-
- group = fp->fr_group;
- if (group != 0) {
- fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL);
- if (fg == NULL) {
- error = ESRCH;
- goto out;
- }
- ftail = fprev = fg->fg_start;
- }
-
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- for (i = 0; i < 4; i++) {
- if ((fp->fr_ifnames[i][1] == '\0') &&
- ((fp->fr_ifnames[i][0] == '-') ||
- (fp->fr_ifnames[i][0] == '*'))) {
- fp->fr_ifas[i] = NULL;
- } else if (*fp->fr_ifnames[i]) {
- fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
- if (!fp->fr_ifas[i])
- fp->fr_ifas[i] = (void *)-1;
- }
- }
-
- fdp = &fp->fr_dif;
- fdp->fd_mp = NULL;
- fp->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
- if (!ill)
- ire = (ire_t *)-1;
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
-#if SOLARIS2 > 5
- ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
-#else
- ire = ire_lookup_myaddr(ipif->ipif_local_addr);
-#endif
- if (!ire)
- ire = (ire_t *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-#ifdef USE_INET6
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
- ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
- if (!ire)
- ire = (ire_t *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-#endif
- fdp->fd_ifp = (struct ifnet *)ire;
- }
-
- fdp = &fp->fr_tif;
- fdp->fd_mp = NULL;
- if (*fdp->fd_ifname) {
- ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
- if (!ill)
- ire = (ire_t *)-1;
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) {
-#if SOLARIS2 > 5
- ire = ire_ctable_lookup(ipif->ipif_local_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
-#else
- ire = ire_lookup_myaddr(ipif->ipif_local_addr);
-#endif
- if (!ire)
- ire = (ire_t *)-1;
- }
-#ifdef USE_INET6
- else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) {
- ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0,
- IRE_LOCAL, NULL, NULL,
- MATCH_IRE_TYPE);
- if (!ire)
- ire = (ire_t *)-1;
- }
-#endif
- fdp->fd_ifp = (struct ifnet *)ire;
- }
-
- /*
- * Look for a matching filter rule, but don't include the next or
- * interface pointer in the comparison (fr_next, fr_ifa).
- */
- for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
- p < pp; p++)
- fp->fr_cksum += *p;
-
- for (; (f = *ftail); ftail = &f->fr_next)
- if ((fp->fr_cksum == f->fr_cksum) &&
- !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == SIOCZRLST) {
- if (!f) {
- error = ESRCH;
- goto out;
- }
- MUTEX_DOWNGRADE(&ipf_mutex);
- error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
- if (error)
- goto out;
- f->fr_hits = 0;
- f->fr_bytes = 0;
- goto out;
- }
-
- if (!f) {
- if (req != SIOCINAFR && req != SIOCINIFR)
- while ((f = *ftail))
- ftail = &f->fr_next;
- else {
- ftail = fprev;
- if (fp->fr_hits) {
- while (--fp->fr_hits && (f = *ftail))
- ftail = &f->fr_next;
- }
- f = NULL;
- }
- }
-
- if (req == SIOCRMAFR || req == SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- /*
- * Only return EBUSY if there is a group list, else
- * it's probably just state information referencing
- * the rule.
- */
- if ((f->fr_ref > 1) && f->fr_grp) {
- error = EBUSY;
- goto out;
- }
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH) {
- return fr_preauthcmd(req, f, ftail);
- }
- if (f->fr_grhead)
- fr_delgroup(f->fr_grhead, fp->fr_flags,
- unit, set);
- fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- f->fr_next = NULL;
- f->fr_ref--;
- if (f->fr_ref == 0)
- KFREE(f);
- }
- } else {
- if (f) {
- error = EEXIST;
- } else {
- if (unit == IPL_LOGAUTH) {
- return fr_preauthcmd(req, fp, ftail);
- }
- KMALLOC(f, frentry_t *);
- if (f != NULL) {
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref++;
- bcopy((char *)fp, (char *)f, sizeof(*f));
- f->fr_ref = 1;
- f->fr_hits = 0;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == SIOCINIFR || req == SIOCINAFR)
- fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- group = f->fr_grhead;
- if (group != 0)
- fg = fr_addgroup(group, f, unit, set);
- } else
- error = ENOMEM;
- }
- }
-out:
- RWLOCK_EXIT(&ipf_mutex);
- return (error);
-}
-
-
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(devp, flags, otype, cred)
-dev_t *devp;
-int flags, otype;
-cred_t *cred;
-{
- minor_t min = getminor(*devp);
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred);
-#endif
- if ((fr_running <= 0) || !(otype & OTYP_CHR))
- return ENXIO;
- min = (IPL_LOGMAX < min) ? ENXIO : 0;
- return min;
-}
-
-
-int iplclose(dev, flags, otype, cred)
-dev_t dev;
-int flags, otype;
-cred_t *cred;
-{
- minor_t min = getminor(dev);
-
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred);
-#endif
- min = (IPL_LOGMAX < min) ? ENXIO : 0;
- return min;
-}
-
-#ifdef IPFILTER_LOG
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(dev, uio, cp)
-dev_t dev;
-register struct uio *uio;
-cred_t *cp;
-{
-#ifdef IPFDEBUG
- cmn_err(CE_CONT, "iplread(%x,%x,%x)\n", dev, uio, cp);
-#endif
- return ipflog_read(getminor(dev), uio);
-}
-#endif /* IPFILTER_LOG */
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(oip, fin)
-ip_t *oip;
-fr_info_t *fin;
-{
- tcphdr_t *tcp, *tcp2;
- int tlen, hlen;
- mblk_t *m;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6 = (ip6_t *)oip;
-#endif
- ip_t *ip;
-
- tcp = (struct tcphdr *)fin->fin_dp;
- if (tcp->th_flags & TH_RST)
- return -1;
- tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 1 : 0;
-#ifdef USE_INET6
- if (fin->fin_v == 6)
- hlen = sizeof(ip6_t);
- else
-#endif
- hlen = sizeof(ip_t);
- hlen += sizeof(*tcp2);
- if ((m = (mblk_t *)allocb(hlen + 16, BPRI_HI)) == NULL)
- return -1;
-
- m->b_rptr += 16;
- MTYPE(m) = M_DATA;
- m->b_wptr = m->b_rptr + hlen;
- bzero((char *)m->b_rptr, hlen);
- tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2));
- tcp2->th_dport = tcp->th_sport;
- tcp2->th_sport = tcp->th_dport;
- if (tcp->th_flags & TH_ACK) {
- tcp2->th_seq = tcp->th_ack;
- tcp2->th_flags = TH_RST;
- } else {
- tcp2->th_ack = ntohl(tcp->th_seq);
- tcp2->th_ack += tlen;
- tcp2->th_ack = htonl(tcp2->th_ack);
- tcp2->th_flags = TH_RST|TH_ACK;
- }
- tcp2->th_off = sizeof(struct tcphdr) >> 2;
-
- /*
- * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum
- * computation that is done by their put routine.
- */
- tcp2->th_sum = htons(0x14);
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- ip6 = (ip6_t *)m->b_rptr;
- ip6->ip6_src = oip6->ip6_dst;
- ip6->ip6_dst = oip6->ip6_src;
- ip6->ip6_plen = htons(sizeof(*tcp));
- ip6->ip6_nxt = IPPROTO_TCP;
- } else
-#endif
- {
- ip = (ip_t *)m->b_rptr;
- ip->ip_src.s_addr = oip->ip_dst.s_addr;
- ip->ip_dst.s_addr = oip->ip_src.s_addr;
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp));
- ip->ip_tos = oip->ip_tos;
- }
- return send_ip(fin, m);
-}
-
-
-int static send_ip(fin, m)
-fr_info_t *fin;
-mblk_t *m;
-{
- RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- extern void ip_wput_v6 __P((queue_t *, mblk_t *));
- ip6_t *ip6;
-
- ip6 = (ip6_t *)m->b_rptr;
- ip6->ip6_flow = 0;
- ip6->ip6_vfc = 0x60;
- ip6->ip6_hlim = 127;
- ip_wput_v6(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
- } else
-#endif
- {
- ip_t *ip;
-
- ip = (ip_t *)m->b_rptr;
- ip->ip_v = IPVERSION;
- ip->ip_ttl = (u_char)(*ip_ttl_ptr);
- ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
- ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
- }
- READ_ENTER(&ipf_solaris);
- READ_ENTER(&ipfs_mutex);
- return 0;
-}
-
-
-int send_icmp_err(oip, type, fin, dst)
-ip_t *oip;
-int type;
-fr_info_t *fin;
-int dst;
-{
- struct in_addr dst4;
- struct icmp *icmp;
- mblk_t *m, *mb;
- int hlen, code;
- qif_t *qif;
- u_short sz;
- ill_t *il;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6;
-#endif
- ip_t *ip;
-
- if ((type < 0) || (type > ICMP_MAXTYPE))
- return -1;
-
- code = fin->fin_icode;
-#ifdef USE_INET6
- if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
- return -1;
-#endif
-
- qif = fin->fin_qif;
- m = fin->fin_qfm;
-
-#ifdef USE_INET6
- if (oip->ip_v == 6) {
- oip6 = (ip6_t *)oip;
- sz = sizeof(ip6_t);
- sz += MIN(m->b_wptr - m->b_rptr, 512);
- hlen = sizeof(ip6_t);
- type = icmptoicmp6types[type];
- if (type == ICMP6_DST_UNREACH)
- code = icmptoicmp6unreach[code];
- } else
-#endif
- {
- if ((oip->ip_p == IPPROTO_ICMP) &&
- !(fin->fin_fi.fi_fl & FI_SHORT))
- switch (ntohs(fin->fin_data[0]) >> 8)
- {
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- break;
- default :
- return 0;
- }
-
- sz = sizeof(ip_t) * 2;
- sz += 8; /* 64 bits of data */
- hlen = sz;
- }
-
- sz += offsetof(struct icmp, icmp_ip);
- if ((mb = (mblk_t *)allocb((size_t)sz + 16, BPRI_HI)) == NULL)
- return -1;
- MTYPE(mb) = M_DATA;
- mb->b_rptr += 16;
- mb->b_wptr = mb->b_rptr + sz;
- bzero((char *)mb->b_rptr, (size_t)sz);
- icmp = (struct icmp *)(mb->b_rptr + sizeof(*ip));
- icmp->icmp_type = type;
- icmp->icmp_code = code;
- icmp->icmp_cksum = 0;
-#ifdef icmp_nextmtu
- if (type == ICMP_UNREACH && (il = qif->qf_ill) &&
- fin->fin_icode == ICMP_UNREACH_NEEDFRAG)
- icmp->icmp_nextmtu = htons(il->ill_max_frag);
-#endif
-
-#ifdef USE_INET6
- if (oip->ip_v == 6) {
- struct in6_addr dst6;
- int csz;
-
- if (dst == 0) {
- if (fr_ifpaddr(6, ((qif_t *)fin->fin_qif)->qf_ill,
- (struct in_addr *)&dst6) == -1)
- return -1;
- } else
- dst6 = oip6->ip6_dst;
-
- csz = sz;
- sz -= sizeof(ip6_t);
- ip6 = (ip6_t *)mb->b_rptr;
- ip6->ip6_flow = 0;
- ip6->ip6_vfc = 0x60;
- ip6->ip6_hlim = 127;
- ip6->ip6_plen = htons(sz);
- ip6->ip6_nxt = IPPROTO_ICMPV6;
- ip6->ip6_src = dst6;
- ip6->ip6_dst = oip6->ip6_src;
- sz -= offsetof(struct icmp, icmp_ip);
- bcopy((char *)m->b_rptr, (char *)&icmp->icmp_ip, sz);
- icmp->icmp_cksum = csz - sizeof(ip6_t);
- } else
-#endif
- {
- ip = (ip_t *)mb->b_rptr;
- ip->ip_v = IPVERSION;
- ip->ip_hl = (sizeof(*ip) >> 2);
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_id = oip->ip_id;
- ip->ip_sum = 0;
- ip->ip_ttl = (u_char)(*ip_ttl_ptr);
- ip->ip_tos = oip->ip_tos;
- ip->ip_len = (u_short)htons(sz);
- if (dst == 0) {
- if (fr_ifpaddr(4, ((qif_t *)fin->fin_qif)->qf_ill,
- &dst4) == -1)
- return -1;
- } else
- dst4 = oip->ip_dst;
- ip->ip_src = dst4;
- ip->ip_dst = oip->ip_src;
- bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip));
- bcopy((char *)oip + (oip->ip_hl << 2),
- (char *)&icmp->icmp_ip + sizeof(*oip), 8);
- icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
- sizeof(*icmp) + 8);
- }
-
- /*
- * Need to exit out of these so we don't recursively call rw_enter
- * from fr_qout.
- */
- return send_ip(fin, mb);
-}
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
deleted file mode 100644
index 4ced16d..0000000
--- a/contrib/ipfilter/ip_state.c
+++ /dev/null
@@ -1,3802 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
-#include "opt_inet6.h"
-#endif
-#if !defined(_KERNEL) && !defined(__KERNEL__)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#ifdef IPFILTER_SYNC
-#include "netinet/ip_sync.h"
-#endif
-#ifdef IPFILTER_SCAN
-#include "netinet/ip_scan.h"
-#endif
-#ifdef USE_INET6
-#include <netinet/icmp6.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-#endif
-/* END OF INCLUDES */
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.29 2005/03/28 10:47:54 darrenr Exp";
-#endif
-
-static ipstate_t **ips_table = NULL;
-static u_long *ips_seed = NULL;
-static int ips_num = 0;
-static u_long ips_last_force_flush = 0;
-ips_stat_t ips_stats;
-
-#ifdef USE_INET6
-static ipstate_t *fr_checkicmp6matchingstate __P((fr_info_t *));
-#endif
-static ipstate_t *fr_matchsrcdst __P((fr_info_t *, ipstate_t *, i6addr_t *,
- i6addr_t *, tcphdr_t *, u_32_t));
-static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *));
-static int fr_state_flush __P((int, int));
-static ips_stat_t *fr_statetstats __P((void));
-static void fr_delstate __P((ipstate_t *, int));
-static int fr_state_remove __P((caddr_t));
-static void fr_ipsmove __P((ipstate_t *, u_int));
-static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *));
-static int fr_tcpoptions __P((fr_info_t *, tcphdr_t *, tcpdata_t *));
-static ipstate_t *fr_stclone __P((fr_info_t *, tcphdr_t *, ipstate_t *));
-static void fr_fixinisn __P((fr_info_t *, ipstate_t *));
-static void fr_fixoutisn __P((fr_info_t *, ipstate_t *));
-static void fr_checknewisn __P((fr_info_t *, ipstate_t *));
-
-int fr_stputent __P((caddr_t));
-int fr_stgetent __P((caddr_t));
-
-#define ONE_DAY IPF_TTLVAL(1 * 86400) /* 1 day */
-#define FIVE_DAYS (5 * ONE_DAY)
-#define DOUBLE_HASH(x) (((x) + ips_seed[(x) % fr_statesize]) % fr_statesize)
-
-u_long fr_tcpidletimeout = FIVE_DAYS,
- fr_tcpclosewait = IPF_TTLVAL(2 * TCP_MSL),
- fr_tcplastack = IPF_TTLVAL(2 * TCP_MSL),
- fr_tcptimeout = IPF_TTLVAL(2 * TCP_MSL),
- fr_tcpclosed = IPF_TTLVAL(60),
- fr_tcphalfclosed = IPF_TTLVAL(2 * 3600), /* 2 hours */
- fr_udptimeout = IPF_TTLVAL(120),
- fr_udpacktimeout = IPF_TTLVAL(12),
- fr_icmptimeout = IPF_TTLVAL(60),
- fr_icmpacktimeout = IPF_TTLVAL(6),
- fr_iptimeout = IPF_TTLVAL(60);
-int fr_statemax = IPSTATE_MAX,
- fr_statesize = IPSTATE_SIZE;
-int fr_state_doflush = 0,
- fr_state_lock = 0,
- fr_state_maxbucket = 0,
- fr_state_maxbucket_reset = 1,
- fr_state_init = 0;
-ipftq_t ips_tqtqb[IPF_TCP_NSTATES],
- ips_udptq,
- ips_udpacktq,
- ips_iptq,
- ips_icmptq,
- ips_icmpacktq,
- *ips_utqe = NULL;
-#ifdef IPFILTER_LOG
-int ipstate_logging = 1;
-#else
-int ipstate_logging = 0;
-#endif
-ipstate_t *ips_list = NULL;
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stateinit */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: Nil */
-/* */
-/* Initialise all the global variables used within the state code. */
-/* This action also includes initiailising locks. */
-/* ------------------------------------------------------------------------ */
-int fr_stateinit()
-{
- int i;
-
- KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
- if (ips_table == NULL)
- return -1;
- bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
-
- KMALLOCS(ips_seed, u_long *, fr_statesize * sizeof(*ips_seed));
- if (ips_seed == NULL)
- return -2;
- for (i = 0; i < fr_statesize; i++) {
- /*
- * XXX - ips_seed[X] should be a random number of sorts.
- */
-#if (__FreeBSD_version >= 400000)
- ips_seed[i] = arc4random();
-#else
- ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
- ips_seed[i] ^= 0xa5a55a5a;
- ips_seed[i] *= (u_long)ips_seed;
- ips_seed[i] ^= 0x5a5aa5a5;
- ips_seed[i] *= fr_statemax;
-#endif
- }
-
- /* fill icmp reply type table */
- for (i = 0; i <= ICMP_MAXTYPE; i++)
- icmpreplytype4[i] = -1;
- icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
- icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
- icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
- icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
-#ifdef USE_INET6
- /* fill icmp reply type table */
- for (i = 0; i <= ICMP6_MAXTYPE; i++)
- icmpreplytype6[i] = -1;
- icmpreplytype6[ICMP6_ECHO_REQUEST] = ICMP6_ECHO_REPLY;
- icmpreplytype6[ICMP6_MEMBERSHIP_QUERY] = ICMP6_MEMBERSHIP_REPORT;
- icmpreplytype6[ICMP6_NI_QUERY] = ICMP6_NI_REPLY;
- icmpreplytype6[ND_ROUTER_SOLICIT] = ND_ROUTER_ADVERT;
- icmpreplytype6[ND_NEIGHBOR_SOLICIT] = ND_NEIGHBOR_ADVERT;
-#endif
-
- KMALLOCS(ips_stats.iss_bucketlen, u_long *,
- fr_statesize * sizeof(u_long));
- if (ips_stats.iss_bucketlen == NULL)
- return -1;
- bzero((char *)ips_stats.iss_bucketlen, fr_statesize * sizeof(u_long));
-
- if (fr_state_maxbucket == 0) {
- for (i = fr_statesize; i > 0; i >>= 1)
- fr_state_maxbucket++;
- fr_state_maxbucket *= 2;
- }
-
- fr_sttab_init(ips_tqtqb);
- ips_tqtqb[IPF_TCP_NSTATES - 1].ifq_next = &ips_udptq;
- ips_udptq.ifq_ttl = (u_long)fr_udptimeout;
- ips_udptq.ifq_ref = 1;
- ips_udptq.ifq_head = NULL;
- ips_udptq.ifq_tail = &ips_udptq.ifq_head;
- MUTEX_INIT(&ips_udptq.ifq_lock, "ipftq udp tab");
- ips_udptq.ifq_next = &ips_udpacktq;
- ips_udpacktq.ifq_ttl = (u_long)fr_udpacktimeout;
- ips_udpacktq.ifq_ref = 1;
- ips_udpacktq.ifq_head = NULL;
- ips_udpacktq.ifq_tail = &ips_udpacktq.ifq_head;
- MUTEX_INIT(&ips_udpacktq.ifq_lock, "ipftq udpack tab");
- ips_udpacktq.ifq_next = &ips_icmptq;
- ips_icmptq.ifq_ttl = (u_long)fr_icmptimeout;
- ips_icmptq.ifq_ref = 1;
- ips_icmptq.ifq_head = NULL;
- ips_icmptq.ifq_tail = &ips_icmptq.ifq_head;
- MUTEX_INIT(&ips_icmptq.ifq_lock, "ipftq icmp tab");
- ips_icmptq.ifq_next = &ips_icmpacktq;
- ips_icmpacktq.ifq_ttl = (u_long)fr_icmpacktimeout;
- ips_icmpacktq.ifq_ref = 1;
- ips_icmpacktq.ifq_head = NULL;
- ips_icmpacktq.ifq_tail = &ips_icmpacktq.ifq_head;
- MUTEX_INIT(&ips_icmpacktq.ifq_lock, "ipftq icmpack tab");
- ips_icmpacktq.ifq_next = &ips_iptq;
- ips_iptq.ifq_ttl = (u_long)fr_iptimeout;
- ips_iptq.ifq_ref = 1;
- ips_iptq.ifq_head = NULL;
- ips_iptq.ifq_tail = &ips_iptq.ifq_head;
- MUTEX_INIT(&ips_iptq.ifq_lock, "ipftq ip tab");
- ips_iptq.ifq_next = NULL;
-
- RWLOCK_INIT(&ipf_state, "ipf IP state rwlock");
- MUTEX_INIT(&ipf_stinsert, "ipf state insert mutex");
- fr_state_init = 1;
-
- ips_last_force_flush = fr_ticks;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stateunload */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Release and destroy any resources acquired or initialised so that */
-/* IPFilter can be unloaded or re-initialised. */
-/* ------------------------------------------------------------------------ */
-void fr_stateunload()
-{
- ipftq_t *ifq, *ifqnext;
- ipstate_t *is;
-
- while ((is = ips_list) != NULL)
- fr_delstate(is, 0);
-
- /*
- * Proxy timeout queues are not cleaned here because although they
- * exist on the state list, appr_unload is called after fr_stateunload
- * and the proxies actually are responsible for them being created.
- * Should the proxy timeouts have their own list? There's no real
- * justification as this is the only complicationA
- */
- for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
- if (((ifq->ifq_flags & IFQF_PROXY) == 0) &&
- (fr_deletetimeoutqueue(ifq) == 0))
- fr_freetimeoutqueue(ifq);
- }
-
- ips_stats.iss_inuse = 0;
- ips_num = 0;
-
- if (fr_state_init == 1) {
- fr_sttab_destroy(ips_tqtqb);
- MUTEX_DESTROY(&ips_udptq.ifq_lock);
- MUTEX_DESTROY(&ips_icmptq.ifq_lock);
- MUTEX_DESTROY(&ips_udpacktq.ifq_lock);
- MUTEX_DESTROY(&ips_icmpacktq.ifq_lock);
- MUTEX_DESTROY(&ips_iptq.ifq_lock);
- }
-
- if (ips_table != NULL) {
- KFREES(ips_table, fr_statesize * sizeof(*ips_table));
- ips_table = NULL;
- }
-
- if (ips_seed != NULL) {
- KFREES(ips_seed, fr_statesize * sizeof(*ips_seed));
- ips_seed = NULL;
- }
-
- if (ips_stats.iss_bucketlen != NULL) {
- KFREES(ips_stats.iss_bucketlen, fr_statesize * sizeof(u_long));
- ips_stats.iss_bucketlen = NULL;
- }
-
- if (fr_state_maxbucket_reset == 1)
- fr_state_maxbucket = 0;
-
- if (fr_state_init == 1) {
- fr_state_init = 0;
- RW_DESTROY(&ipf_state);
- MUTEX_DESTROY(&ipf_stinsert);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_statetstats */
-/* Returns: ips_state_t* - pointer to state stats structure */
-/* Parameters: Nil */
-/* */
-/* Put all the current numbers and pointers into a single struct and return */
-/* a pointer to it. */
-/* ------------------------------------------------------------------------ */
-static ips_stat_t *fr_statetstats()
-{
- ips_stats.iss_active = ips_num;
- ips_stats.iss_statesize = fr_statesize;
- ips_stats.iss_statemax = fr_statemax;
- ips_stats.iss_table = ips_table;
- ips_stats.iss_list = ips_list;
- ips_stats.iss_ticks = fr_ticks;
- return &ips_stats;
-}
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_state_remove */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to state structure to delete from table */
-/* */
-/* Search for a state structure that matches the one passed, according to */
-/* the IP addresses and other protocol specific information. */
-/* ------------------------------------------------------------------------ */
-static int fr_state_remove(data)
-caddr_t data;
-{
- ipstate_t *sp, st;
- int error;
-
- sp = &st;
- error = fr_inobj(data, &st, IPFOBJ_IPSTATE);
- if (error)
- return EFAULT;
-
- WRITE_ENTER(&ipf_state);
- for (sp = ips_list; sp; sp = sp->is_next)
- if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
- !bcmp((caddr_t)&sp->is_src, (caddr_t)&st.is_src,
- sizeof(st.is_src)) &&
- !bcmp((caddr_t)&sp->is_dst, (caddr_t)&st.is_src,
- sizeof(st.is_dst)) &&
- !bcmp((caddr_t)&sp->is_ps, (caddr_t)&st.is_ps,
- sizeof(st.is_ps))) {
- fr_delstate(sp, ISL_REMOVE);
- RWLOCK_EXIT(&ipf_state);
- return 0;
- }
- RWLOCK_EXIT(&ipf_state);
- return ESRCH;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_state_ioctl */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* cmd(I) - ioctl command integer */
-/* mode(I) - file mode bits used with open */
-/* */
-/* Processes an ioctl call made to operate on the IP Filter state device. */
-/* ------------------------------------------------------------------------ */
-int fr_state_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- int arg, ret, error = 0;
-
- switch (cmd)
- {
- /*
- * Delete an entry from the state table.
- */
- case SIOCDELST :
- error = fr_state_remove(data);
- break;
- /*
- * Flush the state table
- */
- case SIOCIPFFL :
- BCOPYIN(data, (char *)&arg, sizeof(arg));
- if (arg == 0 || arg == 1) {
- WRITE_ENTER(&ipf_state);
- ret = fr_state_flush(arg, 4);
- RWLOCK_EXIT(&ipf_state);
- BCOPYOUT((char *)&ret, data, sizeof(ret));
- } else
- error = EINVAL;
- break;
-#ifdef USE_INET6
- case SIOCIPFL6 :
- BCOPYIN(data, (char *)&arg, sizeof(arg));
- if (arg == 0 || arg == 1) {
- WRITE_ENTER(&ipf_state);
- ret = fr_state_flush(arg, 6);
- RWLOCK_EXIT(&ipf_state);
- BCOPYOUT((char *)&ret, data, sizeof(ret));
- } else
- error = EINVAL;
- break;
-#endif
-#ifdef IPFILTER_LOG
- /*
- * Flush the state log.
- */
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- int tmp;
-
- tmp = ipflog_clear(IPL_LOGSTATE);
- BCOPYOUT((char *)&tmp, data, sizeof(tmp));
- }
- break;
- /*
- * Turn logging of state information on/off.
- */
- case SIOCSETLG :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- BCOPYIN((char *)data, (char *)&ipstate_logging,
- sizeof(ipstate_logging));
- }
- break;
- /*
- * Return the current state of logging.
- */
- case SIOCGETLG :
- BCOPYOUT((char *)&ipstate_logging, (char *)data,
- sizeof(ipstate_logging));
- break;
- /*
- * Return the number of bytes currently waiting to be read.
- */
- case FIONREAD :
- arg = iplused[IPL_LOGSTATE]; /* returned in an int */
- BCOPYOUT((char *)&arg, data, sizeof(arg));
- break;
-#endif
- /*
- * Get the current state statistics.
- */
- case SIOCGETFS :
- error = fr_outobj(data, fr_statetstats(), IPFOBJ_STATESTAT);
- break;
- /*
- * Lock/Unlock the state table. (Locking prevents any changes, which
- * means no packets match).
- */
- case SIOCSTLCK :
- fr_lock(data, &fr_state_lock);
- break;
- /*
- * Add an entry to the current state table.
- */
- case SIOCSTPUT :
- if (!fr_state_lock) {
- error = EACCES;
- break;
- }
- error = fr_stputent(data);
- break;
- /*
- * Get a state table entry.
- */
- case SIOCSTGET :
- if (!fr_state_lock) {
- error = EACCES;
- break;
- }
- error = fr_stgetent(data);
- break;
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stgetent */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to state structure to retrieve from table */
-/* */
-/* Copy out state information from the kernel to a user space process. If */
-/* there is a filter rule associated with the state entry, copy that out */
-/* as well. The entry to copy out is taken from the value of "ips_next" in */
-/* the struct passed in and if not null and not found in the list of current*/
-/* state entries, the retrieval fails. */
-/* ------------------------------------------------------------------------ */
-int fr_stgetent(data)
-caddr_t data;
-{
- ipstate_t *is, *isn;
- ipstate_save_t ips;
- int error;
-
- error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
- if (error)
- return EFAULT;
-
- isn = ips.ips_next;
- if (isn == NULL) {
- isn = ips_list;
- if (isn == NULL) {
- if (ips.ips_next == NULL)
- return ENOENT;
- return 0;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (is = ips_list; is; is = is->is_next)
- if (is == isn)
- break;
- if (!is)
- return ESRCH;
- }
- ips.ips_next = isn->is_next;
- bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
- ips.ips_rule = isn->is_rule;
- if (isn->is_rule != NULL)
- bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
- sizeof(ips.ips_fr));
- error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
- if (error)
- return EFAULT;
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stputent */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to state information struct */
-/* */
-/* This function implements the SIOCSTPUT ioctl: insert a state entry into */
-/* the state table. If the state info. includes a pointer to a filter rule */
-/* then also add in an orphaned rule (will not show up in any "ipfstat -io" */
-/* output. */
-/* ------------------------------------------------------------------------ */
-int fr_stputent(data)
-caddr_t data;
-{
- ipstate_t *is, *isn;
- ipstate_save_t ips;
- int error, out, i;
- frentry_t *fr;
- char *name;
-
- error = fr_inobj(data, &ips, IPFOBJ_STATESAVE);
- if (error)
- return EFAULT;
-
- KMALLOC(isn, ipstate_t *);
- if (isn == NULL)
- return ENOMEM;
-
- bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
- bzero((char *)isn, offsetof(struct ipstate, is_pkts));
- isn->is_sti.tqe_pnext = NULL;
- isn->is_sti.tqe_next = NULL;
- isn->is_sti.tqe_ifq = NULL;
- isn->is_sti.tqe_parent = isn;
- isn->is_ifp[0] = NULL;
- isn->is_ifp[1] = NULL;
- isn->is_ifp[2] = NULL;
- isn->is_ifp[3] = NULL;
- isn->is_sync = NULL;
- fr = ips.ips_rule;
-
- if (fr == NULL) {
- READ_ENTER(&ipf_state);
- fr_stinsert(isn, 0);
- RWLOCK_EXIT(&ipf_state);
- return 0;
- }
-
- if (isn->is_flags & SI_NEWFR) {
- KMALLOC(fr, frentry_t *);
- if (fr == NULL) {
- KFREE(isn);
- return ENOMEM;
- }
- bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
- out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
- isn->is_rule = fr;
- ips.ips_is.is_rule = fr;
- MUTEX_NUKE(&fr->fr_lock);
- MUTEX_INIT(&fr->fr_lock, "state filter rule lock");
-
- /*
- * Look up all the interface names in the rule.
- */
- for (i = 0; i < 4; i++) {
- name = fr->fr_ifnames[i];
- fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v);
- name = isn->is_ifname[i];
- isn->is_ifp[i] = fr_resolvenic(name, isn->is_v);
- }
-
- fr->fr_ref = 0;
- fr->fr_dsize = 0;
- fr->fr_data = NULL;
-
- fr_resolvedest(&fr->fr_tif, fr->fr_v);
- fr_resolvedest(&fr->fr_dif, fr->fr_v);
-
- /*
- * send a copy back to userland of what we ended up
- * to allow for verification.
- */
- error = fr_outobj(data, &ips, IPFOBJ_STATESAVE);
- if (error) {
- KFREE(isn);
- MUTEX_DESTROY(&fr->fr_lock);
- KFREE(fr);
- return EFAULT;
- }
- READ_ENTER(&ipf_state);
- fr_stinsert(isn, 0);
- RWLOCK_EXIT(&ipf_state);
-
- } else {
- READ_ENTER(&ipf_state);
- for (is = ips_list; is; is = is->is_next)
- if (is->is_rule == fr) {
- fr_stinsert(isn, 0);
- break;
- }
-
- if (is == NULL) {
- KFREE(isn);
- isn = NULL;
- }
- RWLOCK_EXIT(&ipf_state);
-
- return (isn == NULL) ? ESRCH : 0;
- }
-
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stinsert */
-/* Returns: Nil */
-/* Parameters: is(I) - pointer to state structure */
-/* rev(I) - flag indicating forward/reverse direction of packet */
-/* */
-/* Inserts a state structure into the hash table (for lookups) and the list */
-/* of state entries (for enumeration). Resolves all of the interface names */
-/* to pointers and adjusts running stats for the hash table as appropriate. */
-/* */
-/* Locking: it is assumed that some kind of lock on ipf_state is held. */
-/* ------------------------------------------------------------------------ */
-void fr_stinsert(is, rev)
-ipstate_t *is;
-int rev;
-{
- frentry_t *fr;
- u_int hv;
- int i;
-
- MUTEX_INIT(&is->is_lock, "ipf state entry");
-
- fr = is->is_rule;
- if (fr != NULL) {
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref++;
- fr->fr_statecnt++;
- MUTEX_EXIT(&fr->fr_lock);
- }
-
- /*
- * Look up all the interface names in the state entry.
- */
- for (i = 0; i < 4; i++) {
- if (is->is_ifp[i] != NULL)
- continue;
- is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v);
- }
-
- /*
- * If we could trust is_hv, then the modulous would not be needed, but
- * when running with IPFILTER_SYNC, this stops bad values.
- */
- hv = is->is_hv % fr_statesize;
- is->is_hv = hv;
-
- /*
- * We need to get both of these locks...the first because it is
- * possible that once the insert is complete another packet might
- * come along, match the entry and want to update it.
- */
- MUTEX_ENTER(&is->is_lock);
- MUTEX_ENTER(&ipf_stinsert);
-
- /*
- * add into list table.
- */
- if (ips_list != NULL)
- ips_list->is_pnext = &is->is_next;
- is->is_pnext = &ips_list;
- is->is_next = ips_list;
- ips_list = is;
-
- if (ips_table[hv] != NULL)
- ips_table[hv]->is_phnext = &is->is_hnext;
- else
- ips_stats.iss_inuse++;
- is->is_phnext = ips_table + hv;
- is->is_hnext = ips_table[hv];
- ips_table[hv] = is;
- ips_stats.iss_bucketlen[hv]++;
- ips_num++;
- MUTEX_EXIT(&ipf_stinsert);
-
- fr_setstatequeue(is, rev);
- MUTEX_EXIT(&is->is_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_addstate */
-/* Returns: ipstate_t* - NULL == failure, else pointer to new state */
-/* Parameters: fin(I) - pointer to packet information */
-/* stsave(O) - pointer to place to save pointer to created */
-/* state structure. */
-/* flags(I) - flags to use when creating the structure */
-/* */
-/* Creates a new IP state structure from the packet information collected. */
-/* Inserts it into the state table and appends to the bottom of the active */
-/* list. If the capacity of the table has reached the maximum allowed then */
-/* the call will fail and a flush is scheduled for the next timeout call. */
-/* ------------------------------------------------------------------------ */
-ipstate_t *fr_addstate(fin, stsave, flags)
-fr_info_t *fin;
-ipstate_t **stsave;
-u_int flags;
-{
- ipstate_t *is, ips;
- struct icmp *ic;
- u_int pass, hv;
- frentry_t *fr;
- tcphdr_t *tcp;
- grehdr_t *gre;
- void *ifp;
- int out;
-
- if (fr_state_lock ||
- (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
- return NULL;
-
- if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
- return NULL;
-
- fr = fin->fin_fr;
- if ((fr->fr_statemax == 0) && (ips_num == fr_statemax)) {
- ATOMIC_INCL(ips_stats.iss_max);
- fr_state_doflush = 1;
- return NULL;
- }
-
- /*
- * If a "keep state" rule has reached the maximum number of references
- * to it, then schedule an automatic flush in case we can clear out
- * some "dead old wood".
- */
- if ((fr != NULL) && (fr->fr_statemax != 0) &&
- (fr->fr_statecnt >= fr->fr_statemax)) {
- MUTEX_EXIT(&fr->fr_lock);
- ATOMIC_INCL(ips_stats.iss_maxref);
- fr_state_doflush = 1;
- return NULL;
- }
-
- pass = (fr == NULL) ? 0 : fr->fr_flags;
-
- ic = NULL;
- tcp = NULL;
- out = fin->fin_out;
- is = &ips;
- bzero((char *)is, sizeof(*is));
- is->is_die = 1 + fr_ticks;
-
- /*
- * Copy and calculate...
- */
- hv = (is->is_p = fin->fin_fi.fi_p);
- is->is_src = fin->fin_fi.fi_src;
- hv += is->is_saddr;
- is->is_dst = fin->fin_fi.fi_dst;
- hv += is->is_daddr;
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- /*
- * For ICMPv6, we check to see if the destination address is
- * a multicast address. If it is, do not include it in the
- * calculation of the hash because the correct reply will come
- * back from a real address, not a multicast address.
- */
- if ((is->is_p == IPPROTO_ICMPV6) &&
- IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) {
- /*
- * So you can do keep state with neighbour discovery.
- *
- * Here we could use the address from the neighbour
- * solicit message to put in the state structure and
- * we could use that without a wildcard flag too...
- */
- flags |= SI_W_DADDR;
- hv -= is->is_daddr;
- } else {
- hv += is->is_dst.i6[1];
- hv += is->is_dst.i6[2];
- hv += is->is_dst.i6[3];
- }
- hv += is->is_src.i6[1];
- hv += is->is_src.i6[2];
- hv += is->is_src.i6[3];
- }
-#endif
-
- switch (is->is_p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- ic = fin->fin_dp;
-
- switch (ic->icmp_type)
- {
- case ICMP6_ECHO_REQUEST :
- is->is_icmp.ici_type = ic->icmp_type;
- hv += (is->is_icmp.ici_id = ic->icmp_id);
- break;
- case ICMP6_MEMBERSHIP_QUERY :
- case ND_ROUTER_SOLICIT :
- case ND_NEIGHBOR_SOLICIT :
- case ICMP6_NI_QUERY :
- is->is_icmp.ici_type = ic->icmp_type;
- break;
- default :
- return NULL;
- }
- ATOMIC_INCL(ips_stats.iss_icmp);
- break;
-#endif
- case IPPROTO_ICMP :
- ic = fin->fin_dp;
-
- switch (ic->icmp_type)
- {
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- is->is_icmp.ici_type = ic->icmp_type;
- hv += (is->is_icmp.ici_id = ic->icmp_id);
- break;
- default :
- return NULL;
- }
- ATOMIC_INCL(ips_stats.iss_icmp);
- break;
-
- case IPPROTO_GRE :
- gre = fin->fin_dp;
-
- is->is_gre.gs_flags = gre->gr_flags;
- is->is_gre.gs_ptype = gre->gr_ptype;
- if (GRE_REV(is->is_gre.gs_flags) == 1) {
- is->is_call[0] = fin->fin_data[0];
- is->is_call[1] = fin->fin_data[1];
- }
- break;
-
- case IPPROTO_TCP :
- tcp = fin->fin_dp;
-
- if (tcp->th_flags & TH_RST)
- return NULL;
- /*
- * The endian of the ports doesn't matter, but the ack and
- * sequence numbers do as we do mathematics on them later.
- */
- is->is_sport = htons(fin->fin_data[0]);
- is->is_dport = htons(fin->fin_data[1]);
- if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
- hv += is->is_sport;
- hv += is->is_dport;
- }
-
- /*
- * If this is a real packet then initialise fields in the
- * state information structure from the TCP header information.
- */
-
- is->is_maxdwin = 1;
- is->is_maxswin = ntohs(tcp->th_win);
- if (is->is_maxswin == 0)
- is->is_maxswin = 1;
-
- if ((fin->fin_flx & FI_IGNORE) == 0) {
- is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
- (TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
- is->is_maxsend = is->is_send;
-
- /*
- * Window scale option is only present in
- * SYN/SYN-ACK packet.
- */
- if ((tcp->th_flags & ~(TH_FIN|TH_ACK|TH_ECNALL)) ==
- TH_SYN &&
- (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
- if (fr_tcpoptions(fin, tcp,
- &is->is_tcp.ts_data[0]))
- is->is_swinflags = TCP_WSCALE_SEEN|
- TCP_WSCALE_FIRST;
- }
-
- if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
- fr_checknewisn(fin, is);
- fr_fixoutisn(fin, is);
- }
-
- if ((tcp->th_flags & TH_OPENING) == TH_SYN)
- flags |= IS_TCPFSM;
- else {
- is->is_maxdwin = is->is_maxswin * 2;
- is->is_dend = ntohl(tcp->th_ack);
- is->is_maxdend = ntohl(tcp->th_ack);
- is->is_maxdwin *= 2;
- }
- }
-
- /*
- * If we're creating state for a starting connection, start the
- * timer on it as we'll never see an error if it fails to
- * connect.
- */
- ATOMIC_INCL(ips_stats.iss_tcp);
- break;
-
- case IPPROTO_UDP :
- tcp = fin->fin_dp;
-
- is->is_sport = htons(fin->fin_data[0]);
- is->is_dport = htons(fin->fin_data[1]);
- if ((flags & (SI_W_DPORT|SI_W_SPORT)) == 0) {
- hv += tcp->th_dport;
- hv += tcp->th_sport;
- }
- ATOMIC_INCL(ips_stats.iss_udp);
- break;
-
- default :
- break;
- }
- hv = DOUBLE_HASH(hv);
- is->is_hv = hv;
- is->is_rule = fr;
- is->is_flags = flags & IS_INHERITED;
-
- /*
- * Look for identical state.
- */
- for (is = ips_table[is->is_hv % fr_statesize]; is != NULL;
- is = is->is_hnext) {
- if (bcmp(&ips.is_src, &is->is_src,
- offsetof(struct ipstate, is_ps) -
- offsetof(struct ipstate, is_src)) == 0)
- break;
- }
- if (is != NULL)
- return NULL;
-
- if (ips_stats.iss_bucketlen[hv] >= fr_state_maxbucket) {
- ATOMIC_INCL(ips_stats.iss_bucketfull);
- return NULL;
- }
- KMALLOC(is, ipstate_t *);
- if (is == NULL) {
- ATOMIC_INCL(ips_stats.iss_nomem);
- return NULL;
- }
- bcopy((char *)&ips, (char *)is, sizeof(*is));
- /*
- * Do not do the modulous here, it is done in fr_stinsert().
- */
- if (fr != NULL) {
- (void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN);
- if (fr->fr_age[0] != 0) {
- is->is_tqehead[0] = fr_addtimeoutqueue(&ips_utqe,
- fr->fr_age[0]);
- is->is_sti.tqe_flags |= TQE_RULEBASED;
- }
- if (fr->fr_age[1] != 0) {
- is->is_tqehead[1] = fr_addtimeoutqueue(&ips_utqe,
- fr->fr_age[1]);
- is->is_sti.tqe_flags |= TQE_RULEBASED;
- }
-
- is->is_tag = fr->fr_logtag;
-
- is->is_ifp[(out << 1) + 1] = fr->fr_ifas[1];
- is->is_ifp[(1 - out) << 1] = fr->fr_ifas[2];
- is->is_ifp[((1 - out) << 1) + 1] = fr->fr_ifas[3];
-
- if (((ifp = fr->fr_ifas[1]) != NULL) &&
- (ifp != (void *)-1)) {
- COPYIFNAME(ifp, is->is_ifname[(out << 1) + 1]);
- }
- if (((ifp = fr->fr_ifas[2]) != NULL) &&
- (ifp != (void *)-1)) {
- COPYIFNAME(ifp, is->is_ifname[(1 - out) << 1]);
- }
- if (((ifp = fr->fr_ifas[3]) != NULL) &&
- (ifp != (void *)-1)) {
- COPYIFNAME(ifp, is->is_ifname[((1 - out) << 1) + 1]);
- }
- } else {
- pass = fr_flags;
- is->is_tag = FR_NOLOGTAG;
- }
-
- is->is_ifp[out << 1] = fin->fin_ifp;
- if (fin->fin_ifp != NULL) {
- COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1]);
- }
-
- /*
- * It may seem strange to set is_ref to 2, but fr_check() will call
- * fr_statederef() after calling fr_addstate() and the idea is to
- * have it exist at the end of fr_check() with is_ref == 1.
- */
- is->is_ref = 2;
- is->is_pass = pass;
- is->is_pkts[0] = 0, is->is_bytes[0] = 0;
- is->is_pkts[1] = 0, is->is_bytes[1] = 0;
- is->is_pkts[2] = 0, is->is_bytes[2] = 0;
- is->is_pkts[3] = 0, is->is_bytes[3] = 0;
- if ((fin->fin_flx & FI_IGNORE) == 0) {
- is->is_pkts[out] = 1;
- is->is_bytes[out] = fin->fin_plen;
- is->is_flx[out][0] = fin->fin_flx & FI_CMP;
- is->is_flx[out][0] &= ~FI_OOW;
- }
-
- if (pass & FR_STSTRICT)
- is->is_flags |= IS_STRICT;
-
- if (pass & FR_STATESYNC)
- is->is_flags |= IS_STATESYNC;
-
- /*
- * We want to check everything that is a property of this packet,
- * but we don't (automatically) care about it's fragment status as
- * this may change.
- */
- is->is_v = fin->fin_v;
- is->is_opt = fin->fin_optmsk;
- is->is_optmsk = 0xffffffff;
- is->is_sec = fin->fin_secmsk;
- is->is_secmsk = 0xffff;
- is->is_auth = fin->fin_auth;
- is->is_authmsk = 0xffff;
- if (flags & (SI_WILDP|SI_WILDA)) {
- ATOMIC_INCL(ips_stats.iss_wild);
- }
- is->is_rulen = fin->fin_rule;
-
-
- if (pass & FR_LOGFIRST)
- is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
-
- READ_ENTER(&ipf_state);
- is->is_me = stsave;
-
- fr_stinsert(is, fin->fin_rev);
-
- if (fin->fin_p == IPPROTO_TCP) {
- /*
- * If we're creating state for a starting connection, start the
- * timer on it as we'll never see an error if it fails to
- * connect.
- */
- MUTEX_ENTER(&is->is_lock);
- (void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
- MUTEX_EXIT(&is->is_lock);
-#ifdef IPFILTER_SCAN
- if ((is->is_flags & SI_CLONE) == 0)
- (void) ipsc_attachis(is);
-#endif
- }
-#ifdef IPFILTER_SYNC
- if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
- is->is_sync = ipfsync_new(SMC_STATE, fin, is);
-#endif
- if (ipstate_logging)
- ipstate_log(is, ISL_NEW);
-
- RWLOCK_EXIT(&ipf_state);
- fin->fin_state = is;
- fin->fin_rev = IP6_NEQ(&is->is_dst, &fin->fin_daddr);
- fin->fin_flx |= FI_STATE;
- if (fin->fin_flx & FI_FRAG)
- (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
-
- return is;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_tcpoptions */
-/* Returns: int - 1 == packet matches state entry, 0 == it does not */
-/* Parameters: fin(I) - pointer to packet information */
-/* tcp(I) - pointer to TCP packet header */
-/* td(I) - pointer to TCP data held as part of the state */
-/* */
-/* Look after the TCP header for any options and deal with those that are */
-/* present. Record details about those that we recogise. */
-/* ------------------------------------------------------------------------ */
-static int fr_tcpoptions(fin, tcp, td)
-fr_info_t *fin;
-tcphdr_t *tcp;
-tcpdata_t *td;
-{
- int off, mlen, ol, i, len, retval;
- char buf[64], *s, opt;
- mb_t *m = NULL;
-
- off = fin->fin_hlen + sizeof(*tcp);
- len = (TCP_OFF(tcp) << 2) - sizeof(*tcp);
- if (fin->fin_plen < off + len)
- return 0;
-
- m = fin->fin_m;
- off += fin->fin_ipoff;
- mlen = MSGDSIZE(m) - off;
- if (len > mlen) {
- len = mlen;
- retval = 0;
- } else {
- retval = 1;
- }
-
- COPYDATA(m, off, len, buf);
-
- for (s = buf; len > 0; ) {
- opt = *s;
- if (opt == TCPOPT_EOL)
- break;
- else if (opt == TCPOPT_NOP)
- ol = 1;
- else {
- if (len < 2)
- break;
- ol = (int)*(s + 1);
- if (ol < 2 || ol > len)
- break;
-
- /*
- * Extract the TCP options we are interested in out of
- * the header and store them in the the tcpdata struct.
- */
- switch (opt)
- {
- case TCPOPT_WINDOW :
- if (ol == TCPOLEN_WINDOW) {
- i = (int)*(s + 2);
- if (i > TCP_WSCALE_MAX)
- i = TCP_WSCALE_MAX;
- else if (i < 0)
- i = 0;
- td->td_winscale = i;
- }
- break;
- case TCPOPT_MAXSEG :
- /*
- * So, if we wanted to set the TCP MAXSEG,
- * it should be done here...
- */
- if (ol == TCPOLEN_MAXSEG) {
- i = (int)*(s + 2);
- i <<= 8;
- i += (int)*(s + 3);
- td->td_maxseg = i;
- }
- break;
- }
- }
- len -= ol;
- s += ol;
- }
- return retval;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_tcpstate */
-/* Returns: int - 1 == packet matches state entry, 0 == it does not */
-/* Parameters: fin(I) - pointer to packet information */
-/* tcp(I) - pointer to TCP packet header */
-/* is(I) - pointer to master state structure */
-/* */
-/* Check to see if a packet with TCP headers fits within the TCP window. */
-/* Change timeout depending on whether new packet is a SYN-ACK returning */
-/* for a SYN or a RST or FIN which indicate time to close up shop. */
-/* ------------------------------------------------------------------------ */
-static int fr_tcpstate(fin, tcp, is)
-fr_info_t *fin;
-tcphdr_t *tcp;
-ipstate_t *is;
-{
- int source, ret = 0, flags;
- tcpdata_t *fdata, *tdata;
-
- source = !fin->fin_rev;
- if (((is->is_flags & IS_TCPFSM) != 0) && (source == 1) &&
- (ntohs(is->is_sport) != fin->fin_data[0]))
- source = 0;
- fdata = &is->is_tcp.ts_data[!source];
- tdata = &is->is_tcp.ts_data[source];
-
- MUTEX_ENTER(&is->is_lock);
- if (fr_tcpinwindow(fin, fdata, tdata, tcp, is->is_flags)) {
-#ifdef IPFILTER_SCAN
- if (is->is_flags & (IS_SC_CLIENT|IS_SC_SERVER)) {
- ipsc_packet(fin, is);
- if (FR_ISBLOCK(is->is_pass)) {
- MUTEX_EXIT(&is->is_lock);
- return 1;
- }
- }
-#endif
-
- /*
- * Nearing end of connection, start timeout.
- */
- ret = fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
- if (ret == 0) {
- MUTEX_EXIT(&is->is_lock);
- return 0;
- }
-
- /*
- * set s0's as appropriate. Use syn-ack packet as it
- * contains both pieces of required information.
- */
- /*
- * Window scale option is only present in SYN/SYN-ACK packet.
- * Compare with ~TH_FIN to mask out T/TCP setups.
- */
- flags = tcp->th_flags & ~(TH_FIN|TH_ECNALL);
- if (flags == (TH_SYN|TH_ACK)) {
- is->is_s0[source] = ntohl(tcp->th_ack);
- is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
- if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) &&
- tdata->td_winscale) {
- if (fr_tcpoptions(fin, tcp, fdata)) {
- fdata->td_winflags = TCP_WSCALE_SEEN|
- TCP_WSCALE_FIRST;
- } else {
- if (!fdata->td_winscale)
- tdata->td_winscale = 0;
- }
- }
- if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
- fr_checknewisn(fin, is);
- } else if (flags == TH_SYN) {
- is->is_s0[source] = ntohl(tcp->th_seq) + 1;
- if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
- if (fr_tcpoptions(fin, tcp, tdata)) {
- tdata->td_winflags = TCP_WSCALE_SEEN|
- TCP_WSCALE_FIRST;
- }
-
- if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
- fr_checknewisn(fin, is);
-
- }
- ret = 1;
- } else
- fin->fin_flx |= FI_OOW;
- MUTEX_EXIT(&is->is_lock);
- return ret;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checknewisn */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to master state structure */
-/* */
-/* Check to see if this TCP connection is expecting and needs a new */
-/* sequence number for a particular direction of the connection. */
-/* */
-/* NOTE: This does not actually change the sequence numbers, only gets new */
-/* one ready. */
-/* ------------------------------------------------------------------------ */
-static void fr_checknewisn(fin, is)
-fr_info_t *fin;
-ipstate_t *is;
-{
- u_32_t sumd, old, new;
- tcphdr_t *tcp;
- int i;
-
- i = fin->fin_rev;
- tcp = fin->fin_dp;
-
- if (((i == 0) && !(is->is_flags & IS_ISNSYN)) ||
- ((i == 1) && !(is->is_flags & IS_ISNACK))) {
- old = ntohl(tcp->th_seq);
- new = fr_newisn(fin);
- is->is_isninc[i] = new - old;
- CALC_SUMD(old, new, sumd);
- is->is_sumd[i] = (sumd & 0xffff) + (sumd >> 16);
-
- is->is_flags |= ((i == 0) ? IS_ISNSYN : IS_ISNACK);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_tcpinwindow */
-/* Returns: int - 1 == packet inside TCP "window", 0 == not inside. */
-/* Parameters: fin(I) - pointer to packet information */
-/* fdata(I) - pointer to tcp state informatio (forward) */
-/* tdata(I) - pointer to tcp state informatio (reverse) */
-/* tcp(I) - pointer to TCP packet header */
-/* */
-/* Given a packet has matched addresses and ports, check to see if it is */
-/* within the TCP data window. In a show of generosity, allow packets that */
-/* are within the window space behind the current sequence # as well. */
-/* ------------------------------------------------------------------------ */
-int fr_tcpinwindow(fin, fdata, tdata, tcp, flags)
-fr_info_t *fin;
-tcpdata_t *fdata, *tdata;
-tcphdr_t *tcp;
-int flags;
-{
- tcp_seq seq, ack, end;
- int ackskew, tcpflags;
- u_32_t win, maxwin;
-
- /*
- * Find difference between last checked packet and this packet.
- */
- tcpflags = tcp->th_flags;
- seq = ntohl(tcp->th_seq);
- ack = ntohl(tcp->th_ack);
- if (tcpflags & TH_SYN)
- win = ntohs(tcp->th_win);
- else
- win = ntohs(tcp->th_win) << fdata->td_winscale;
- if (win == 0)
- win = 1;
-
- /*
- * if window scaling is present, the scaling is only allowed
- * for windows not in the first SYN packet. In that packet the
- * window is 65535 to specify the largest window possible
- * for receivers not implementing the window scale option.
- * Currently, we do not assume TTCP here. That means that
- * if we see a second packet from a host (after the initial
- * SYN), we can assume that the receiver of the SYN did
- * already send back the SYN/ACK (and thus that we know if
- * the receiver also does window scaling)
- */
- if (!(tcpflags & TH_SYN) && (fdata->td_winflags & TCP_WSCALE_FIRST)) {
- if (tdata->td_winflags & TCP_WSCALE_SEEN) {
- fdata->td_winflags &= ~TCP_WSCALE_FIRST;
- fdata->td_maxwin = win;
- } else {
- fdata->td_winscale = 0;
- fdata->td_winflags = 0;
- tdata->td_winscale = 0;
- tdata->td_winflags = 0;
- }
- }
-
- end = seq + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
- ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
-
- if ((fdata->td_end == 0) &&
- (!(flags & IS_TCPFSM) ||
- ((tcpflags & TH_OPENING) == TH_OPENING))) {
- /*
- * Must be a (outgoing) SYN-ACK in reply to a SYN.
- */
- fdata->td_end = end;
- fdata->td_maxwin = 1;
- fdata->td_maxend = end + win;
- }
-
- if (!(tcpflags & TH_ACK)) { /* Pretend an ack was sent */
- ack = tdata->td_end;
- } else if (((tcpflags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
- (ack == 0)) {
- /* gross hack to get around certain broken tcp stacks */
- ack = tdata->td_end;
- }
-
- if (seq == end)
- seq = end = fdata->td_end;
-
- maxwin = tdata->td_maxwin;
- ackskew = tdata->td_end - ack;
-
- /*
- * Strict sequencing only allows in-order delivery.
- */
- if ((flags & IS_STRICT) != 0) {
- if (seq != fdata->td_end) {
- return 0;
- }
- }
-
-#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
-#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
- if (
-#if defined(_KERNEL)
- (SEQ_GE(fdata->td_maxend, end)) &&
- (SEQ_GE(seq, fdata->td_end - maxwin)) &&
-#endif
-/* XXX what about big packets */
-#define MAXACKWINDOW 66000
- (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
- ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
-
- /* if ackskew < 0 then this should be due to fragmented
- * packets. There is no way to know the length of the
- * total packet in advance.
- * We do know the total length from the fragment cache though.
- * Note however that there might be more sessions with
- * exactly the same source and destination parameters in the
- * state cache (and source and destination is the only stuff
- * that is saved in the fragment cache). Note further that
- * some TCP connections in the state cache are hashed with
- * sport and dport as well which makes it not worthwhile to
- * look for them.
- * Thus, when ackskew is negative but still seems to belong
- * to this session, we bump up the destinations end value.
- */
- if (ackskew < 0)
- tdata->td_end = ack;
-
- /* update max window seen */
- if (fdata->td_maxwin < win)
- fdata->td_maxwin = win;
- if (SEQ_GT(end, fdata->td_end))
- fdata->td_end = end;
- if (SEQ_GE(ack + win, tdata->td_maxend))
- tdata->td_maxend = ack + win;
- return 1;
- }
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stclone */
-/* Returns: ipstate_t* - NULL == cloning failed, */
-/* else pointer to new state structure */
-/* Parameters: fin(I) - pointer to packet information */
-/* tcp(I) - pointer to TCP/UDP header */
-/* is(I) - pointer to master state structure */
-/* */
-/* Create a "duplcate" state table entry from the master. */
-/* ------------------------------------------------------------------------ */
-static ipstate_t *fr_stclone(fin, tcp, is)
-fr_info_t *fin;
-tcphdr_t *tcp;
-ipstate_t *is;
-{
- ipstate_t *clone;
- u_32_t send;
-
- if (ips_num == fr_statemax) {
- ATOMIC_INCL(ips_stats.iss_max);
- fr_state_doflush = 1;
- return NULL;
- }
- KMALLOC(clone, ipstate_t *);
- if (clone == NULL)
- return NULL;
- bcopy((char *)is, (char *)clone, sizeof(*clone));
-
- MUTEX_NUKE(&clone->is_lock);
-
- clone->is_die = ONE_DAY + fr_ticks;
- clone->is_state[0] = 0;
- clone->is_state[1] = 0;
- send = ntohl(tcp->th_seq) + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
-
- if (fin->fin_rev == 1) {
- clone->is_dend = send;
- clone->is_maxdend = send;
- clone->is_send = 0;
- clone->is_maxswin = 1;
- clone->is_maxdwin = ntohs(tcp->th_win);
- if (clone->is_maxdwin == 0)
- clone->is_maxdwin = 1;
- } else {
- clone->is_send = send;
- clone->is_maxsend = send;
- clone->is_dend = 0;
- clone->is_maxdwin = 1;
- clone->is_maxswin = ntohs(tcp->th_win);
- if (clone->is_maxswin == 0)
- clone->is_maxswin = 1;
- }
-
- clone->is_flags &= ~SI_CLONE;
- clone->is_flags |= SI_CLONED;
- fr_stinsert(clone, fin->fin_rev);
- MUTEX_ENTER(&clone->is_lock);
- clone->is_ref = 1;
- if (clone->is_p == IPPROTO_TCP) {
- (void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb,
- clone->is_flags);
- }
- MUTEX_EXIT(&clone->is_lock);
-#ifdef IPFILTER_SCAN
- (void) ipsc_attachis(is);
-#endif
-#ifdef IPFILTER_SYNC
- if (is->is_flags & IS_STATESYNC)
- clone->is_sync = ipfsync_new(SMC_STATE, fin, clone);
-#endif
- return clone;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_matchsrcdst */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to state structure */
-/* src(I) - pointer to source address */
-/* dst(I) - pointer to destination address */
-/* tcp(I) - pointer to TCP/UDP header */
-/* */
-/* Match a state table entry against an IP packet. The logic below is that */
-/* ret gets set to one if the match succeeds, else remains 0. If it is */
-/* still 0 after the test. no match. */
-/* ------------------------------------------------------------------------ */
-static ipstate_t *fr_matchsrcdst(fin, is, src, dst, tcp, cmask)
-fr_info_t *fin;
-ipstate_t *is;
-i6addr_t *src, *dst;
-tcphdr_t *tcp;
-u_32_t cmask;
-{
- int ret = 0, rev, out, flags, flx = 0, idx;
- u_short sp, dp;
- u_32_t cflx;
- void *ifp;
-
- rev = IP6_NEQ(&is->is_dst, dst);
- ifp = fin->fin_ifp;
- out = fin->fin_out;
- flags = is->is_flags;
- sp = 0;
- dp = 0;
-
- if (tcp != NULL) {
- sp = htons(fin->fin_sport);
- dp = ntohs(fin->fin_dport);
- }
- if (!rev) {
- if (tcp != NULL) {
- if (!(flags & SI_W_SPORT) && (sp != is->is_sport))
- rev = 1;
- else if (!(flags & SI_W_DPORT) && (dp != is->is_dport))
- rev = 1;
- }
- }
-
- idx = (out << 1) + rev;
-
- /*
- * If the interface for this 'direction' is set, make sure it matches.
- * An interface name that is not set matches any, as does a name of *.
- */
- if ((is->is_ifp[idx] == NULL &&
- (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) ||
- is->is_ifp[idx] == ifp)
- ret = 1;
-
- if (ret == 0)
- return NULL;
- ret = 0;
-
- /*
- * Match addresses and ports.
- */
- if (rev == 0) {
- if ((IP6_EQ(&is->is_dst, dst) || (flags & SI_W_DADDR)) &&
- (IP6_EQ(&is->is_src, src) || (flags & SI_W_SADDR))) {
- if (tcp) {
- if ((sp == is->is_sport || flags & SI_W_SPORT)&&
- (dp == is->is_dport || flags & SI_W_DPORT))
- ret = 1;
- } else {
- ret = 1;
- }
- }
- } else {
- if ((IP6_EQ(&is->is_dst, src) || (flags & SI_W_DADDR)) &&
- (IP6_EQ(&is->is_src, dst) || (flags & SI_W_SADDR))) {
- if (tcp) {
- if ((dp == is->is_sport || flags & SI_W_SPORT)&&
- (sp == is->is_dport || flags & SI_W_DPORT))
- ret = 1;
- } else {
- ret = 1;
- }
- }
- }
-
- if (ret == 0)
- return NULL;
-
- /*
- * Whether or not this should be here, is questionable, but the aim
- * is to get this out of the main line.
- */
- if (tcp == NULL)
- flags = is->is_flags & ~(SI_WILDP|SI_NEWFR|SI_CLONE|SI_CLONED);
-
- /*
- * Only one of the source or destination address can be flaged as a
- * wildcard. Fill in the missing address, if set.
- * For IPv6, if the address being copied in is multicast, then
- * don't reset the wild flag - multicast causes it to be set in the
- * first place!
- */
- if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
- fr_ip_t *fi = &fin->fin_fi;
-
- if ((flags & SI_W_SADDR) != 0) {
- if (rev == 0) {
-#ifdef USE_INET6
- if (is->is_v == 6 &&
- IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
- /*EMPTY*/;
- else
-#endif
- {
- is->is_src = fi->fi_src;
- is->is_flags &= ~SI_W_SADDR;
- }
- } else {
-#ifdef USE_INET6
- if (is->is_v == 6 &&
- IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
- /*EMPTY*/;
- else
-#endif
- {
- is->is_src = fi->fi_dst;
- is->is_flags &= ~SI_W_SADDR;
- }
- }
- } else if ((flags & SI_W_DADDR) != 0) {
- if (rev == 0) {
-#ifdef USE_INET6
- if (is->is_v == 6 &&
- IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6))
- /*EMPTY*/;
- else
-#endif
- {
- is->is_dst = fi->fi_dst;
- is->is_flags &= ~SI_W_DADDR;
- }
- } else {
-#ifdef USE_INET6
- if (is->is_v == 6 &&
- IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6))
- /*EMPTY*/;
- else
-#endif
- {
- is->is_dst = fi->fi_src;
- is->is_flags &= ~SI_W_DADDR;
- }
- }
- }
- if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) {
- ATOMIC_DECL(ips_stats.iss_wild);
- }
- }
-
- flx = fin->fin_flx & cmask;
- cflx = is->is_flx[out][rev];
-
- /*
- * Match up any flags set from IP options.
- */
- if ((cflx && (flx != (cflx & cmask))) ||
- ((fin->fin_optmsk & is->is_optmsk) != is->is_opt) ||
- ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
- ((fin->fin_auth & is->is_authmsk) != is->is_auth))
- return NULL;
-
- /*
- * Only one of the source or destination port can be flagged as a
- * wildcard. When filling it in, fill in a copy of the matched entry
- * if it has the cloning flag set.
- */
- if ((fin->fin_flx & FI_IGNORE) != 0) {
- fin->fin_rev = rev;
- return is;
- }
-
- if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
- if ((flags & SI_CLONE) != 0) {
- is = fr_stclone(fin, tcp, is);
- if (is == NULL)
- return NULL;
- } else {
- ATOMIC_DECL(ips_stats.iss_wild);
- }
-
- if ((flags & SI_W_SPORT) != 0) {
- if (rev == 0) {
- is->is_sport = sp;
- is->is_send = ntohl(tcp->th_seq);
- } else {
- is->is_sport = dp;
- is->is_send = ntohl(tcp->th_ack);
- }
- is->is_maxsend = is->is_send + 1;
- } else if ((flags & SI_W_DPORT) != 0) {
- if (rev == 0) {
- is->is_dport = dp;
- is->is_dend = ntohl(tcp->th_ack);
- } else {
- is->is_dport = sp;
- is->is_dend = ntohl(tcp->th_seq);
- }
- is->is_maxdend = is->is_dend + 1;
- }
- is->is_flags &= ~(SI_W_SPORT|SI_W_DPORT);
- if ((flags & SI_CLONED) && ipstate_logging)
- ipstate_log(is, ISL_CLONE);
- }
-
- ret = -1;
-
- if (is->is_flx[out][rev] == 0)
- is->is_flx[out][rev] = flx;
-
- /*
- * Check if the interface name for this "direction" is set and if not,
- * fill it in.
- */
- if (is->is_ifp[idx] == NULL &&
- (*is->is_ifname[idx] == '\0' || *is->is_ifname[idx] == '*')) {
- is->is_ifp[idx] = ifp;
- COPYIFNAME(ifp, is->is_ifname[idx]);
- }
- fin->fin_rev = rev;
- return is;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checkicmpmatchingstate */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* */
-/* If we've got an ICMP error message, using the information stored in the */
-/* ICMP packet, look for a matching state table entry. */
-/* */
-/* If we return NULL then no lock on ipf_state is held. */
-/* If we return non-null then a read-lock on ipf_state is held. */
-/* ------------------------------------------------------------------------ */
-static ipstate_t *fr_checkicmpmatchingstate(fin)
-fr_info_t *fin;
-{
- ipstate_t *is, **isp;
- u_short sport, dport;
- u_char pr;
- int backward, i, oi;
- i6addr_t dst, src;
- struct icmp *ic;
- u_short savelen;
- icmphdr_t *icmp;
- fr_info_t ofin;
- tcphdr_t *tcp;
- int type, len;
- ip_t *oip;
- u_int hv;
-
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with
- * an ICMP error header.
- */
- if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
- (fin->fin_plen < ICMPERR_MINPKTLEN))
- return NULL;
- ic = fin->fin_dp;
- type = ic->icmp_type;
- /*
- * If it's not an error type, then return
- */
- if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
- (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
- (type != ICMP_PARAMPROB))
- return NULL;
-
- oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
- /*
- * Check if the at least the old IP header (with options) and
- * 8 bytes of payload is present.
- */
- if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((IP_HL(oip) - 5) << 2))
- return NULL;
-
- /*
- * Sanity Checks.
- */
- len = fin->fin_dlen - ICMPERR_ICMPHLEN;
- if ((len <= 0) || ((IP_HL(oip) << 2) > len))
- return NULL;
-
- /*
- * Is the buffer big enough for all of it ? It's the size of the IP
- * header claimed in the encapsulated part which is of concern. It
- * may be too big to be in this buffer but not so big that it's
- * outside the ICMP packet, leading to TCP deref's causing problems.
- * This is possible because we don't know how big oip_hl is when we
- * do the pullup early in fr_check() and thus can't guarantee it is
- * all here now.
- */
-#ifdef _KERNEL
- {
- mb_t *m;
-
- m = fin->fin_m;
-# if defined(MENTAT)
- if ((char *)oip + len > (char *)m->b_wptr)
- return NULL;
-# else
- if ((char *)oip + len > (char *)fin->fin_ip + m->m_len)
- return NULL;
-# endif
- }
-#endif
- bcopy((char *)fin, (char *)&ofin, sizeof(fin));
-
- /*
- * in the IPv4 case we must zero the i6addr union otherwise
- * the IP6_EQ and IP6_NEQ macros produce the wrong results because
- * of the 'junk' in the unused part of the union
- */
- bzero((char *)&src, sizeof(src));
- bzero((char *)&dst, sizeof(dst));
-
- /*
- * we make an fin entry to be able to feed it to
- * matchsrcdst note that not all fields are encessary
- * but this is the cleanest way. Note further we fill
- * in fin_mp such that if someone uses it we'll get
- * a kernel panic. fr_matchsrcdst does not use this.
- *
- * watch out here, as ip is in host order and oip in network
- * order. Any change we make must be undone afterwards, like
- * oip->ip_off - it is still in network byte order so fix it.
- */
- savelen = oip->ip_len;
- oip->ip_len = len;
- oip->ip_off = htons(oip->ip_off);
-
- ofin.fin_flx = FI_NOCKSUM;
- ofin.fin_v = 4;
- ofin.fin_ip = oip;
- ofin.fin_m = NULL; /* if dereferenced, panic XXX */
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
- ofin.fin_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
- (void) fr_makefrip(IP_HL(oip) << 2, oip, &ofin);
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- /*
- * Reset the short and bad flag here because in fr_matchsrcdst()
- * the flags for the current packet (fin_flx) are compared against
- * those for the existing session.
- */
- ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
-
- /*
- * Put old values of ip_len and ip_off back as we don't know
- * if we have to forward the packet (or process it again.
- */
- oip->ip_len = savelen;
- oip->ip_off = htons(oip->ip_off);
-
- switch (oip->ip_p)
- {
- case IPPROTO_ICMP :
- icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
-
- /*
- * an ICMP error can only be generated as a result of an
- * ICMP query, not as the response on an ICMP error
- *
- * XXX theoretically ICMP_ECHOREP and the other reply's are
- * ICMP query's as well, but adding them here seems strange XXX
- */
- if ((icmp->icmp_type != ICMP_ECHO) &&
- (icmp->icmp_type != ICMP_TSTAMP) &&
- (icmp->icmp_type != ICMP_IREQ) &&
- (icmp->icmp_type != ICMP_MASKREQ))
- return NULL;
-
- /*
- * perform a lookup of the ICMP packet in the state table
- */
- hv = (pr = oip->ip_p);
- src.in4 = oip->ip_src;
- hv += src.in4.s_addr;
- dst.in4 = oip->ip_dst;
- hv += dst.in4.s_addr;
- hv += icmp->icmp_id;
- hv = DOUBLE_HASH(hv);
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- if ((is->is_p != pr) || (is->is_v != 4))
- continue;
- if (is->is_pass & FR_NOICMPERR)
- continue;
- is = fr_matchsrcdst(&ofin, is, &src, &dst,
- NULL, FI_ICMPCMP);
- if (is != NULL) {
- if ((is->is_pass & FR_NOICMPERR) != 0) {
- RWLOCK_EXIT(&ipf_state);
- return NULL;
- }
- /*
- * i : the index of this packet (the icmp
- * unreachable)
- * oi : the index of the original packet found
- * in the icmp header (i.e. the packet
- * causing this icmp)
- * backward : original packet was backward
- * compared to the state
- */
- backward = IP6_NEQ(&is->is_src, &src);
- fin->fin_rev = !backward;
- i = (!backward << 1) + fin->fin_out;
- oi = (backward << 1) + ofin.fin_out;
- if (is->is_icmppkts[i] > is->is_pkts[oi])
- continue;
- ips_stats.iss_hits++;
- is->is_icmppkts[i]++;
- return is;
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- break;
- default :
- return NULL;
- }
-
- tcp = (tcphdr_t *)((char *)oip + (IP_HL(oip) << 2));
- dport = tcp->th_dport;
- sport = tcp->th_sport;
-
- hv = (pr = oip->ip_p);
- src.in4 = oip->ip_src;
- hv += src.in4.s_addr;
- dst.in4 = oip->ip_dst;
- hv += dst.in4.s_addr;
- hv += dport;
- hv += sport;
- hv = DOUBLE_HASH(hv);
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- /*
- * Only allow this icmp though if the
- * encapsulated packet was allowed through the
- * other way around. Note that the minimal amount
- * of info present does not allow for checking against
- * tcp internals such as seq and ack numbers. Only the
- * ports are known to be present and can be even if the
- * short flag is set.
- */
- if ((is->is_p == pr) && (is->is_v == 4) &&
- (is = fr_matchsrcdst(&ofin, is, &src, &dst,
- tcp, FI_ICMPCMP))) {
- /*
- * i : the index of this packet (the icmp unreachable)
- * oi : the index of the original packet found in the
- * icmp header (i.e. the packet causing this icmp)
- * backward : original packet was backward compared to
- * the state
- */
- backward = IP6_NEQ(&is->is_src, &src);
- fin->fin_rev = !backward;
- i = (!backward << 1) + fin->fin_out;
- oi = (backward << 1) + ofin.fin_out;
-
- if (((is->is_pass & FR_NOICMPERR) != 0) ||
- (is->is_icmppkts[i] > is->is_pkts[oi]))
- break;
- ips_stats.iss_hits++;
- is->is_icmppkts[i]++;
- /*
- * we deliberately do not touch the timeouts
- * for the accompanying state table entry.
- * It remains to be seen if that is correct. XXX
- */
- return is;
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_ipsmove */
-/* Returns: Nil */
-/* Parameters: is(I) - pointer to state table entry */
-/* hv(I) - new hash value for state table entry */
-/* Write Locks: ipf_state */
-/* */
-/* Move a state entry from one position in the hash table to another. */
-/* ------------------------------------------------------------------------ */
-static void fr_ipsmove(is, hv)
-ipstate_t *is;
-u_int hv;
-{
- ipstate_t **isp;
- u_int hvm;
-
- ASSERT(rw_read_locked(&ipf_state.ipf_lk) == 0);
-
- hvm = is->is_hv;
- /*
- * Remove the hash from the old location...
- */
- isp = is->is_phnext;
- if (is->is_hnext)
- is->is_hnext->is_phnext = isp;
- *isp = is->is_hnext;
- if (ips_table[hvm] == NULL)
- ips_stats.iss_inuse--;
- ips_stats.iss_bucketlen[hvm]--;
-
- /*
- * ...and put the hash in the new one.
- */
- hvm = DOUBLE_HASH(hv);
- is->is_hv = hvm;
- isp = &ips_table[hvm];
- if (*isp)
- (*isp)->is_phnext = &is->is_hnext;
- else
- ips_stats.iss_inuse++;
- ips_stats.iss_bucketlen[hvm]++;
- is->is_phnext = isp;
- is->is_hnext = *isp;
- *isp = is;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_stlookup */
-/* Returns: ipstate_t* - NULL == no matching state found, */
-/* else pointer to state information is returned */
-/* Parameters: fin(I) - pointer to packet information */
-/* tcp(I) - pointer to TCP/UDP header. */
-/* */
-/* Search the state table for a matching entry to the packet described by */
-/* the contents of *fin. */
-/* */
-/* If we return NULL then no lock on ipf_state is held. */
-/* If we return non-null then a read-lock on ipf_state is held. */
-/* ------------------------------------------------------------------------ */
-ipstate_t *fr_stlookup(fin, tcp, ifqp)
-fr_info_t *fin;
-tcphdr_t *tcp;
-ipftq_t **ifqp;
-{
- u_int hv, hvm, pr, v, tryagain;
- ipstate_t *is, **isp;
- u_short dport, sport;
- i6addr_t src, dst;
- struct icmp *ic;
- ipftq_t *ifq;
- int oow;
-
- is = NULL;
- ifq = NULL;
- tcp = fin->fin_dp;
- ic = (struct icmp *)tcp;
- hv = (pr = fin->fin_fi.fi_p);
- src = fin->fin_fi.fi_src;
- dst = fin->fin_fi.fi_dst;
- hv += src.in4.s_addr;
- hv += dst.in4.s_addr;
-
- v = fin->fin_fi.fi_v;
-#ifdef USE_INET6
- if (v == 6) {
- hv += fin->fin_fi.fi_src.i6[1];
- hv += fin->fin_fi.fi_src.i6[2];
- hv += fin->fin_fi.fi_src.i6[3];
-
- if ((fin->fin_p == IPPROTO_ICMPV6) &&
- IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_dst.in6)) {
- hv -= dst.in4.s_addr;
- } else {
- hv += fin->fin_fi.fi_dst.i6[1];
- hv += fin->fin_fi.fi_dst.i6[2];
- hv += fin->fin_fi.fi_dst.i6[3];
- }
- }
-#endif
-
- /*
- * Search the hash table for matching packet header info.
- */
- switch (pr)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- tryagain = 0;
- if (v == 6) {
- if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
- (ic->icmp_type == ICMP6_ECHO_REPLY)) {
- hv += ic->icmp_id;
- }
- }
- READ_ENTER(&ipf_state);
-icmp6again:
- hvm = DOUBLE_HASH(hv);
- for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- if ((is->is_p != pr) || (is->is_v != v))
- continue;
- is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
- if (is != NULL &&
- fr_matchicmpqueryreply(v, &is->is_icmp,
- ic, fin->fin_rev)) {
- if (fin->fin_rev)
- ifq = &ips_icmpacktq;
- else
- ifq = &ips_icmptq;
- break;
- }
- }
-
- if (is != NULL) {
- if ((tryagain != 0) && !(is->is_flags & SI_W_DADDR)) {
- hv += fin->fin_fi.fi_src.i6[0];
- hv += fin->fin_fi.fi_src.i6[1];
- hv += fin->fin_fi.fi_src.i6[2];
- hv += fin->fin_fi.fi_src.i6[3];
- fr_ipsmove(is, hv);
- MUTEX_DOWNGRADE(&ipf_state);
- }
- break;
- }
- RWLOCK_EXIT(&ipf_state);
-
- /*
- * No matching icmp state entry. Perhaps this is a
- * response to another state entry.
- *
- * XXX With some ICMP6 packets, the "other" address is already
- * in the packet, after the ICMP6 header, and this could be
- * used in place of the multicast address. However, taking
- * advantage of this requires some significant code changes
- * to handle the specific types where that is the case.
- */
- if ((ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) &&
- !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) {
- hv -= fin->fin_fi.fi_src.i6[0];
- hv -= fin->fin_fi.fi_src.i6[1];
- hv -= fin->fin_fi.fi_src.i6[2];
- hv -= fin->fin_fi.fi_src.i6[3];
- tryagain = 1;
- WRITE_ENTER(&ipf_state);
- goto icmp6again;
- }
-
- is = fr_checkicmp6matchingstate(fin);
- if (is != NULL)
- return is;
- break;
-#endif
-
- case IPPROTO_ICMP :
- if (v == 4) {
- hv += ic->icmp_id;
- }
- hv = DOUBLE_HASH(hv);
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- if ((is->is_p != pr) || (is->is_v != v))
- continue;
- is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
- if (is != NULL &&
- fr_matchicmpqueryreply(v, &is->is_icmp,
- ic, fin->fin_rev)) {
- if (fin->fin_rev)
- ifq = &ips_icmpacktq;
- else
- ifq = &ips_icmptq;
- break;
- }
- }
- if (is == NULL) {
- RWLOCK_EXIT(&ipf_state);
- }
- break;
-
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- ifqp = NULL;
- sport = htons(fin->fin_data[0]);
- hv += sport;
- dport = htons(fin->fin_data[1]);
- hv += dport;
- oow = 0;
- tryagain = 0;
- READ_ENTER(&ipf_state);
-retry_tcpudp:
- hvm = DOUBLE_HASH(hv);
- for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- if ((is->is_p != pr) || (is->is_v != v))
- continue;
- fin->fin_flx &= ~FI_OOW;
- is = fr_matchsrcdst(fin, is, &src, &dst, tcp, FI_CMP);
- if (is != NULL) {
- if (pr == IPPROTO_TCP) {
- if (!fr_tcpstate(fin, tcp, is)) {
- oow |= fin->fin_flx & FI_OOW;
- continue;
- }
- }
- break;
- }
- }
- if (is != NULL) {
- if (tryagain &&
- !(is->is_flags & (SI_CLONE|SI_WILDP|SI_WILDA))) {
- hv += dport;
- hv += sport;
- fr_ipsmove(is, hv);
- MUTEX_DOWNGRADE(&ipf_state);
- }
- break;
- }
- RWLOCK_EXIT(&ipf_state);
-
- if (!tryagain && ips_stats.iss_wild) {
- hv -= dport;
- hv -= sport;
- tryagain = 1;
- WRITE_ENTER(&ipf_state);
- goto retry_tcpudp;
- }
- fin->fin_flx |= oow;
- break;
-
-#if 0
- case IPPROTO_GRE :
- gre = fin->fin_dp;
- if (GRE_REV(gre->gr_flags) == 1) {
- hv += gre->gr_call;
- }
- /* FALLTHROUGH */
-#endif
- default :
- ifqp = NULL;
- hvm = DOUBLE_HASH(hv);
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hvm]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- if ((is->is_p != pr) || (is->is_v != v))
- continue;
- is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
- if (is != NULL) {
- ifq = &ips_iptq;
- break;
- }
- }
- if (is == NULL) {
- RWLOCK_EXIT(&ipf_state);
- }
- break;
- }
-
- if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
- (is->is_tqehead[fin->fin_rev] != NULL))
- ifq = is->is_tqehead[fin->fin_rev];
- if (ifq != NULL && ifqp != NULL)
- *ifqp = ifq;
- return is;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_updatestate */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to state table entry */
-/* Read Locks: ipf_state */
-/* */
-/* Updates packet and byte counters for a newly received packet. Seeds the */
-/* fragment cache with a new entry as required. */
-/* ------------------------------------------------------------------------ */
-void fr_updatestate(fin, is, ifq)
-fr_info_t *fin;
-ipstate_t *is;
-ipftq_t *ifq;
-{
- ipftqent_t *tqe;
- int i, pass;
-
- i = (fin->fin_rev << 1) + fin->fin_out;
-
- /*
- * For TCP packets, ifq == NULL. For all others, check if this new
- * queue is different to the last one it was on and move it if so.
- */
- tqe = &is->is_sti;
- MUTEX_ENTER(&is->is_lock);
- if ((tqe->tqe_flags & TQE_RULEBASED) != 0)
- ifq = is->is_tqehead[fin->fin_rev];
-
- if (ifq != NULL)
- fr_movequeue(tqe, tqe->tqe_ifq, ifq);
-
- is->is_pkts[i]++;
- is->is_bytes[i] += fin->fin_plen;
- MUTEX_EXIT(&is->is_lock);
-
-#ifdef IPFILTER_SYNC
- if (is->is_flags & IS_STATESYNC)
- ipfsync_update(SMC_STATE, fin, is->is_sync);
-#endif
-
- ATOMIC_INCL(ips_stats.iss_hits);
-
- fin->fin_fr = is->is_rule;
-
- /*
- * If this packet is a fragment and the rule says to track fragments,
- * then create a new fragment cache entry.
- */
- pass = is->is_pass;
- if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(pass))
- (void) fr_newfrag(fin, pass ^ FR_KEEPSTATE);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checkstate */
-/* Returns: frentry_t* - NULL == search failed, */
-/* else pointer to rule for matching state */
-/* Parameters: ifp(I) - pointer to interface */
-/* passp(I) - pointer to filtering result flags */
-/* */
-/* Check if a packet is associated with an entry in the state table. */
-/* ------------------------------------------------------------------------ */
-frentry_t *fr_checkstate(fin, passp)
-fr_info_t *fin;
-u_32_t *passp;
-{
- ipstate_t *is;
- frentry_t *fr;
- tcphdr_t *tcp;
- ipftq_t *ifq;
- u_int pass;
-
- if (fr_state_lock || (ips_list == NULL) ||
- (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD)))
- return NULL;
-
- is = NULL;
- if ((fin->fin_flx & FI_TCPUDP) ||
- (fin->fin_fi.fi_p == IPPROTO_ICMP)
-#ifdef USE_INET6
- || (fin->fin_fi.fi_p == IPPROTO_ICMPV6)
-#endif
- )
- tcp = fin->fin_dp;
- else
- tcp = NULL;
-
- /*
- * Search the hash table for matching packet header info.
- */
- ifq = NULL;
- is = fin->fin_state;
- if (is == NULL)
- is = fr_stlookup(fin, tcp, &ifq);
- switch (fin->fin_p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- if (is != NULL)
- break;
- if (fin->fin_v == 6) {
- is = fr_checkicmp6matchingstate(fin);
- if (is != NULL)
- goto matched;
- }
- break;
-#endif
- case IPPROTO_ICMP :
- if (is != NULL)
- break;
- /*
- * No matching icmp state entry. Perhaps this is a
- * response to another state entry.
- */
- is = fr_checkicmpmatchingstate(fin);
- if (is != NULL)
- goto matched;
- break;
- case IPPROTO_TCP :
- if (is == NULL)
- break;
-
- if (is->is_pass & FR_NEWISN) {
- if (fin->fin_out == 0)
- fr_fixinisn(fin, is);
- else if (fin->fin_out == 1)
- fr_fixoutisn(fin, is);
- }
- break;
- default :
- if (fin->fin_rev)
- ifq = &ips_udpacktq;
- else
- ifq = &ips_udptq;
- break;
- }
- if (is == NULL) {
- ATOMIC_INCL(ips_stats.iss_miss);
- return NULL;
- }
-
-matched:
- fr = is->is_rule;
- if (fr != NULL) {
- if ((fin->fin_out == 0) && (fr->fr_nattag.ipt_num[0] != 0)) {
- if (fin->fin_nattag == NULL)
- return NULL;
- if (fr_matchtag(&fr->fr_nattag, fin->fin_nattag) != 0)
- return NULL;
- }
- (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
- fin->fin_icode = fr->fr_icode;
- }
-
- fin->fin_rule = is->is_rulen;
- pass = is->is_pass;
- fr_updatestate(fin, is, ifq);
- if (fin->fin_out == 1)
- fin->fin_nat = is->is_nat[fin->fin_rev];
-
- fin->fin_state = is;
- is->is_touched = fr_ticks;
- MUTEX_ENTER(&is->is_lock);
- is->is_ref++;
- MUTEX_EXIT(&is->is_lock);
- RWLOCK_EXIT(&ipf_state);
- fin->fin_flx |= FI_STATE;
- if ((pass & FR_LOGFIRST) != 0)
- pass &= ~(FR_LOGFIRST|FR_LOG);
- *passp = pass;
- return fr;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fixoutisn */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to master state structure */
-/* */
-/* Called only for outbound packets, adjusts the sequence number and the */
-/* TCP checksum to match that change. */
-/* ------------------------------------------------------------------------ */
-static void fr_fixoutisn(fin, is)
-fr_info_t *fin;
-ipstate_t *is;
-{
- tcphdr_t *tcp;
- int rev;
- u_32_t seq;
-
- tcp = fin->fin_dp;
- rev = fin->fin_rev;
- if ((is->is_flags & IS_ISNSYN) != 0) {
- if (rev == 0) {
- seq = ntohl(tcp->th_seq);
- seq += is->is_isninc[0];
- tcp->th_seq = htonl(seq);
- fix_outcksum(fin, &tcp->th_sum, is->is_sumd[0]);
- }
- }
- if ((is->is_flags & IS_ISNACK) != 0) {
- if (rev == 1) {
- seq = ntohl(tcp->th_seq);
- seq += is->is_isninc[1];
- tcp->th_seq = htonl(seq);
- fix_outcksum(fin, &tcp->th_sum, is->is_sumd[1]);
- }
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_fixinisn */
-/* Returns: Nil */
-/* Parameters: fin(I) - pointer to packet information */
-/* is(I) - pointer to master state structure */
-/* */
-/* Called only for inbound packets, adjusts the acknowledge number and the */
-/* TCP checksum to match that change. */
-/* ------------------------------------------------------------------------ */
-static void fr_fixinisn(fin, is)
-fr_info_t *fin;
-ipstate_t *is;
-{
- tcphdr_t *tcp;
- int rev;
- u_32_t ack;
-
- tcp = fin->fin_dp;
- rev = fin->fin_rev;
- if ((is->is_flags & IS_ISNSYN) != 0) {
- if (rev == 1) {
- ack = ntohl(tcp->th_ack);
- ack -= is->is_isninc[0];
- tcp->th_ack = htonl(ack);
- fix_incksum(fin, &tcp->th_sum, is->is_sumd[0]);
- }
- }
- if ((is->is_flags & IS_ISNACK) != 0) {
- if (rev == 0) {
- ack = ntohl(tcp->th_ack);
- ack -= is->is_isninc[1];
- tcp->th_ack = htonl(ack);
- fix_incksum(fin, &tcp->th_sum, is->is_sumd[1]);
- }
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_statesync */
-/* Returns: Nil */
-/* Parameters: ifp(I) - pointer to interface */
-/* */
-/* Walk through all state entries and if an interface pointer match is */
-/* found then look it up again, based on its name in case the pointer has */
-/* changed since last time. */
-/* */
-/* If ifp is passed in as being non-null then we are only doing updates for */
-/* existing, matching, uses of it. */
-/* ------------------------------------------------------------------------ */
-void fr_statesync(ifp)
-void *ifp;
-{
- ipstate_t *is;
- int i;
-
- if (fr_running <= 0)
- return;
-
- WRITE_ENTER(&ipf_state);
-
- if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_state);
- return;
- }
-
- for (is = ips_list; is; is = is->is_next) {
- /*
- * Look up all the interface names in the state entry.
- */
- for (i = 0; i < 4; i++) {
- if (ifp == NULL || ifp == is->is_ifp[i])
- is->is_ifp[i] = fr_resolvenic(is->is_ifname[i],
- is->is_v);
- }
- }
- RWLOCK_EXIT(&ipf_state);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_delstate */
-/* Returns: Nil */
-/* Parameters: is(I) - pointer to state structure to delete */
-/* why(I) - if not 0, log reason why it was deleted */
-/* Write Locks: ipf_state */
-/* */
-/* Deletes a state entry from the enumerated list as well as the hash table */
-/* and timeout queue lists. Make adjustments to hash table statistics and */
-/* global counters as required. */
-/* ------------------------------------------------------------------------ */
-static void fr_delstate(is, why)
-ipstate_t *is;
-int why;
-{
-
- ASSERT(rw_read_locked(&ipf_state.ipf_lk) == 0);
-
- /*
- * Since we want to delete this, remove it from the state table,
- * where it can be found & used, first.
- */
- if (is->is_pnext != NULL) {
- *is->is_pnext = is->is_next;
-
- if (is->is_next != NULL)
- is->is_next->is_pnext = is->is_pnext;
-
- is->is_pnext = NULL;
- is->is_next = NULL;
- }
-
- if (is->is_phnext != NULL) {
- *is->is_phnext = is->is_hnext;
- if (is->is_hnext != NULL)
- is->is_hnext->is_phnext = is->is_phnext;
- if (ips_table[is->is_hv] == NULL)
- ips_stats.iss_inuse--;
- ips_stats.iss_bucketlen[is->is_hv]--;
-
- is->is_phnext = NULL;
- is->is_hnext = NULL;
- }
-
- /*
- * Because ips_stats.iss_wild is a count of entries in the state
- * table that have wildcard flags set, only decerement it once
- * and do it here.
- */
- if (is->is_flags & (SI_WILDP|SI_WILDA)) {
- if (!(is->is_flags & SI_CLONED)) {
- ATOMIC_DECL(ips_stats.iss_wild);
- }
- is->is_flags &= ~(SI_WILDP|SI_WILDA);
- }
-
- /*
- * Next, remove it from the timeout queue it is in.
- */
- fr_deletequeueentry(&is->is_sti);
-
- if (is->is_me != NULL) {
- *is->is_me = NULL;
- is->is_me = NULL;
- }
-
- /*
- * If it is still in use by something else, do not go any further,
- * but note that at this point it is now an orphan.
- */
- is->is_ref--;
- if (is->is_ref > 0)
- return;
-
- if (is->is_tqehead[0] != NULL) {
- if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0)
- fr_freetimeoutqueue(is->is_tqehead[0]);
- }
- if (is->is_tqehead[1] != NULL) {
- if (fr_deletetimeoutqueue(is->is_tqehead[1]) == 0)
- fr_freetimeoutqueue(is->is_tqehead[1]);
- }
-
-#ifdef IPFILTER_SYNC
- if (is->is_sync)
- ipfsync_del(is->is_sync);
-#endif
-#ifdef IPFILTER_SCAN
- (void) ipsc_detachis(is);
-#endif
-
- if (ipstate_logging != 0 && why != 0)
- ipstate_log(is, why);
-
- if (is->is_rule != NULL) {
- is->is_rule->fr_statecnt--;
- (void)fr_derefrule(&is->is_rule);
- }
-
- MUTEX_DESTROY(&is->is_lock);
- KFREE(is);
- ips_num--;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_timeoutstate */
-/* Returns: Nil */
-/* Parameters: Nil */
-/* */
-/* Slowly expire held state for thingslike UDP and ICMP. The algorithm */
-/* used here is to keep the queue sorted with the oldest things at the top */
-/* and the youngest at the bottom. So if the top one doesn't need to be */
-/* expired then neither will any under it. */
-/* ------------------------------------------------------------------------ */
-void fr_timeoutstate()
-{
- ipftq_t *ifq, *ifqnext;
- ipftqent_t *tqe, *tqn;
- ipstate_t *is;
-#if defined(USE_SPL) && defined(_KERNEL)
- int s;
-#endif
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_state);
- for (ifq = ips_tqtqb; ifq != NULL; ifq = ifq->ifq_next)
- for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
- if (tqe->tqe_die > fr_ticks)
- break;
- tqn = tqe->tqe_next;
- is = tqe->tqe_parent;
- fr_delstate(is, ISL_EXPIRE);
- }
-
- for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
-
- for (tqn = ifq->ifq_head; ((tqe = tqn) != NULL); ) {
- if (tqe->tqe_die > fr_ticks)
- break;
- tqn = tqe->tqe_next;
- is = tqe->tqe_parent;
- fr_delstate(is, ISL_EXPIRE);
- }
- }
-
- for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
-
- if (((ifq->ifq_flags & IFQF_DELETE) != 0) &&
- (ifq->ifq_ref == 0)) {
- fr_freetimeoutqueue(ifq);
- }
- }
-
- if (fr_state_doflush) {
- (void) fr_state_flush(2, 0);
- fr_state_doflush = 0;
- }
-
- RWLOCK_EXIT(&ipf_state);
- SPL_X(s);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_state_flush */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: Nil */
-/* Write Locks: ipf_state */
-/* */
-/* Flush state tables. Three actions currently defined: */
-/* which == 0 : flush all state table entries */
-/* which == 1 : flush TCP connections which have started to close but are */
-/* stuck for some reason. */
-/* which == 2 : flush TCP connections which have been idle for a long time, */
-/* starting at > 4 days idle and working back in successive half-*/
-/* days to at most 12 hours old. If this fails to free enough */
-/* slots then work backwards in half hour slots to 30 minutes. */
-/* If that too fails, then work backwards in 30 second intervals */
-/* for the last 30 minutes to at worst 30 seconds idle. */
-/* ------------------------------------------------------------------------ */
-static int fr_state_flush(which, proto)
-int which, proto;
-{
- ipftq_t *ifq, *ifqnext;
- ipftqent_t *tqe, *tqn;
- ipstate_t *is, **isp;
- int delete, removed;
- long try, maxtick;
- u_long interval;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
- int s;
-#endif
-
- removed = 0;
-
- SPL_NET(s);
- for (isp = &ips_list; ((is = *isp) != NULL); ) {
- delete = 0;
-
- if ((proto != 0) && (is->is_v != proto)) {
- isp = &is->is_next;
- continue;
- }
-
- switch (which)
- {
- case 0 :
- delete = 1;
- break;
- case 1 :
- case 2 :
- if (is->is_p != IPPROTO_TCP)
- break;
- if ((is->is_state[0] != IPF_TCPS_ESTABLISHED) ||
- (is->is_state[1] != IPF_TCPS_ESTABLISHED))
- delete = 1;
- break;
- }
-
- if (delete) {
- if (is->is_p == IPPROTO_TCP)
- ips_stats.iss_fin++;
- else
- ips_stats.iss_expire++;
- fr_delstate(is, ISL_FLUSH);
- removed++;
- } else
- isp = &is->is_next;
- }
-
- if (which != 2) {
- SPL_X(s);
- return removed;
- }
-
- /*
- * Asked to remove inactive entries because the table is full, try
- * again, 3 times, if first attempt failed with a different criteria
- * each time. The order tried in must be in decreasing age.
- * Another alternative is to implement random drop and drop N entries
- * at random until N have been freed up.
- */
- if (fr_ticks - ips_last_force_flush < IPF_TTLVAL(5))
- goto force_flush_skipped;
- ips_last_force_flush = fr_ticks;
-
- if (fr_ticks > IPF_TTLVAL(43200))
- interval = IPF_TTLVAL(43200);
- else if (fr_ticks > IPF_TTLVAL(1800))
- interval = IPF_TTLVAL(1800);
- else if (fr_ticks > IPF_TTLVAL(30))
- interval = IPF_TTLVAL(30);
- else
- interval = IPF_TTLVAL(10);
- try = fr_ticks - (fr_ticks - interval);
- if (try < 0)
- goto force_flush_skipped;
-
- while (removed == 0) {
- maxtick = fr_ticks - interval;
- if (maxtick < 0)
- break;
-
- while (try < maxtick) {
- for (ifq = ips_tqtqb; ifq != NULL;
- ifq = ifq->ifq_next) {
- for (tqn = ifq->ifq_head;
- ((tqe = tqn) != NULL); ) {
- if (tqe->tqe_die > try)
- break;
- tqn = tqe->tqe_next;
- is = tqe->tqe_parent;
- fr_delstate(is, ISL_EXPIRE);
- removed++;
- }
- }
-
- for (ifq = ips_utqe; ifq != NULL; ifq = ifqnext) {
- ifqnext = ifq->ifq_next;
-
- for (tqn = ifq->ifq_head;
- ((tqe = tqn) != NULL); ) {
- if (tqe->tqe_die > try)
- break;
- tqn = tqe->tqe_next;
- is = tqe->tqe_parent;
- fr_delstate(is, ISL_EXPIRE);
- removed++;
- }
- }
- if (try + interval > maxtick)
- break;
- try += interval;
- }
-
- if (removed == 0) {
- if (interval == IPF_TTLVAL(43200)) {
- interval = IPF_TTLVAL(1800);
- } else if (interval == IPF_TTLVAL(1800)) {
- interval = IPF_TTLVAL(30);
- } else if (interval == IPF_TTLVAL(30)) {
- interval = IPF_TTLVAL(10);
- } else {
- break;
- }
- }
- }
-force_flush_skipped:
- SPL_X(s);
- return removed;
-}
-
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_tcp_age */
-/* Returns: int - 1 == state transition made, 0 == no change (rejected) */
-/* Parameters: tq(I) - pointer to timeout queue information */
-/* fin(I) - pointer to packet information */
-/* tqtab(I) - TCP timeout queue table this is in */
-/* flags(I) - flags from state/NAT entry */
-/* */
-/* Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29: */
-/* */
-/* - (try to) base state transitions on real evidence only, */
-/* i.e. packets that are sent and have been received by ipfilter; */
-/* diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used. */
-/* */
-/* - deal with half-closed connections correctly; */
-/* */
-/* - store the state of the source in state[0] such that ipfstat */
-/* displays the state as source/dest instead of dest/source; the calls */
-/* to fr_tcp_age have been changed accordingly. */
-/* */
-/* Internal Parameters: */
-/* */
-/* state[0] = state of source (host that initiated connection) */
-/* state[1] = state of dest (host that accepted the connection) */
-/* */
-/* dir == 0 : a packet from source to dest */
-/* dir == 1 : a packet from dest to source */
-/* */
-/* Locking: it is assumed that the parent of the tqe structure is locked. */
-/* ------------------------------------------------------------------------ */
-int fr_tcp_age(tqe, fin, tqtab, flags)
-ipftqent_t *tqe;
-fr_info_t *fin;
-ipftq_t *tqtab;
-int flags;
-{
- int dlen, ostate, nstate, rval, dir;
- u_char tcpflags;
- tcphdr_t *tcp;
-
- tcp = fin->fin_dp;
-
- rval = 0;
- dir = fin->fin_rev;
- tcpflags = tcp->th_flags;
- dlen = fin->fin_plen - fin->fin_hlen - (TCP_OFF(tcp) << 2);
-
- if (tcpflags & TH_RST) {
- if (!(tcpflags & TH_PUSH) && !dlen)
- nstate = IPF_TCPS_CLOSED;
- else
- nstate = IPF_TCPS_CLOSE_WAIT;
- rval = 1;
- } else {
- ostate = tqe->tqe_state[1 - dir];
- nstate = tqe->tqe_state[dir];
-
- switch (nstate)
- {
- case IPF_TCPS_CLOSED: /* 0 */
- if ((tcpflags & TH_OPENING) == TH_OPENING) {
- /*
- * 'dir' received an S and sends SA in
- * response, CLOSED -> SYN_RECEIVED
- */
- nstate = IPF_TCPS_SYN_RECEIVED;
- rval = 1;
- } else if ((tcpflags & TH_OPENING) == TH_SYN) {
- /* 'dir' sent S, CLOSED -> SYN_SENT */
- nstate = IPF_TCPS_SYN_SENT;
- rval = 1;
- }
- /*
- * the next piece of code makes it possible to get
- * already established connections into the state table
- * after a restart or reload of the filter rules; this
- * does not work when a strict 'flags S keep state' is
- * used for tcp connections of course
- */
- if (((flags & IS_TCPFSM) == 0) &&
- ((tcpflags & TH_ACKMASK) == TH_ACK)) {
- /*
- * we saw an A, guess 'dir' is in ESTABLISHED
- * mode
- */
- switch (ostate)
- {
- case IPF_TCPS_CLOSED :
- case IPF_TCPS_SYN_RECEIVED :
- nstate = IPF_TCPS_HALF_ESTAB;
- rval = 1;
- break;
- case IPF_TCPS_HALF_ESTAB :
- case IPF_TCPS_ESTABLISHED :
- nstate = IPF_TCPS_ESTABLISHED;
- rval = 1;
- break;
- default :
- break;
- }
- }
- /*
- * TODO: besides regular ACK packets we can have other
- * packets as well; it is yet to be determined how we
- * should initialize the states in those cases
- */
- break;
-
- case IPF_TCPS_LISTEN: /* 1 */
- /* NOT USED */
- break;
-
- case IPF_TCPS_SYN_SENT: /* 2 */
- if ((tcpflags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
- /*
- * A retransmitted SYN packet. We do not reset
- * the timeout here to fr_tcptimeout because a
- * connection connect timeout does not renew
- * after every packet that is sent. We need to
- * set rval so as to indicate the packet has
- * passed the check for its flags being valid
- * in the TCP FSM. Setting rval to 2 has the
- * result of not resetting the timeout.
- */
- rval = 2;
- } else if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) ==
- TH_ACK) {
- /*
- * we see an A from 'dir' which is in SYN_SENT
- * state: 'dir' sent an A in response to an SA
- * which it received, SYN_SENT -> ESTABLISHED
- */
- nstate = IPF_TCPS_ESTABLISHED;
- rval = 1;
- } else if (tcpflags & TH_FIN) {
- /*
- * we see an F from 'dir' which is in SYN_SENT
- * state and wants to close its side of the
- * connection; SYN_SENT -> FIN_WAIT_1
- */
- nstate = IPF_TCPS_FIN_WAIT_1;
- rval = 1;
- } else if ((tcpflags & TH_OPENING) == TH_OPENING) {
- /*
- * we see an SA from 'dir' which is already in
- * SYN_SENT state, this means we have a
- * simultaneous open; SYN_SENT -> SYN_RECEIVED
- */
- nstate = IPF_TCPS_SYN_RECEIVED;
- rval = 1;
- }
- break;
-
- case IPF_TCPS_SYN_RECEIVED: /* 3 */
- if ((tcpflags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
- /*
- * we see an A from 'dir' which was in
- * SYN_RECEIVED state so it must now be in
- * established state, SYN_RECEIVED ->
- * ESTABLISHED
- */
- nstate = IPF_TCPS_ESTABLISHED;
- rval = 1;
- } else if ((tcpflags & ~(TH_ECN|TH_CWR)) ==
- TH_OPENING) {
- /*
- * We see an SA from 'dir' which is already in
- * SYN_RECEIVED state.
- */
- rval = 2;
- } else if (tcpflags & TH_FIN) {
- /*
- * we see an F from 'dir' which is in
- * SYN_RECEIVED state and wants to close its
- * side of the connection; SYN_RECEIVED ->
- * FIN_WAIT_1
- */
- nstate = IPF_TCPS_FIN_WAIT_1;
- rval = 1;
- }
- break;
-
- case IPF_TCPS_HALF_ESTAB: /* 4 */
- if (ostate >= IPF_TCPS_HALF_ESTAB) {
- if ((tcpflags & TH_ACKMASK) == TH_ACK) {
- nstate = IPF_TCPS_ESTABLISHED;
- rval = 1;
- }
- }
-
- break;
-
- case IPF_TCPS_ESTABLISHED: /* 5 */
- rval = 1;
- if (tcpflags & TH_FIN) {
- /*
- * 'dir' closed its side of the connection;
- * this gives us a half-closed connection;
- * ESTABLISHED -> FIN_WAIT_1
- */
- nstate = IPF_TCPS_FIN_WAIT_1;
- } else if (tcpflags & TH_ACK) {
- /*
- * an ACK, should we exclude other flags here?
- */
- if (ostate == IPF_TCPS_FIN_WAIT_1) {
- /*
- * We know the other side did an active
- * close, so we are ACKing the recvd
- * FIN packet (does the window matching
- * code guarantee this?) and go into
- * CLOSE_WAIT state; this gives us a
- * half-closed connection
- */
- nstate = IPF_TCPS_CLOSE_WAIT;
- } else if (ostate < IPF_TCPS_CLOSE_WAIT) {
- /*
- * still a fully established
- * connection reset timeout
- */
- nstate = IPF_TCPS_ESTABLISHED;
- }
- }
- break;
-
- case IPF_TCPS_CLOSE_WAIT: /* 6 */
- rval = 1;
- if (tcpflags & TH_FIN) {
- /*
- * application closed and 'dir' sent a FIN,
- * we're now going into LAST_ACK state
- */
- nstate = IPF_TCPS_LAST_ACK;
- } else {
- /*
- * we remain in CLOSE_WAIT because the other
- * side has closed already and we did not
- * close our side yet; reset timeout
- */
- nstate = IPF_TCPS_CLOSE_WAIT;
- }
- break;
-
- case IPF_TCPS_FIN_WAIT_1: /* 7 */
- rval = 1;
- if ((tcpflags & TH_ACK) &&
- ostate > IPF_TCPS_CLOSE_WAIT) {
- /*
- * if the other side is not active anymore
- * it has sent us a FIN packet that we are
- * ack'ing now with an ACK; this means both
- * sides have now closed the connection and
- * we go into TIME_WAIT
- */
- /*
- * XXX: how do we know we really are ACKing
- * the FIN packet here? does the window code
- * guarantee that?
- */
- nstate = IPF_TCPS_TIME_WAIT;
- } else {
- /*
- * we closed our side of the connection
- * already but the other side is still active
- * (ESTABLISHED/CLOSE_WAIT); continue with
- * this half-closed connection
- */
- nstate = IPF_TCPS_FIN_WAIT_1;
- }
- break;
-
- case IPF_TCPS_CLOSING: /* 8 */
- /* NOT USED */
- break;
-
- case IPF_TCPS_LAST_ACK: /* 9 */
- if (tcpflags & TH_ACK) {
- if ((tcpflags & TH_PUSH) || dlen)
- /*
- * there is still data to be delivered,
- * reset timeout
- */
- rval = 1;
- else
- rval = 2;
- }
- /*
- * we cannot detect when we go out of LAST_ACK state to
- * CLOSED because that is based on the reception of ACK
- * packets; ipfilter can only detect that a packet
- * has been sent by a host
- */
- break;
-
- case IPF_TCPS_FIN_WAIT_2: /* 10 */
- rval = 1;
- if ((tcpflags & TH_OPENING) == TH_OPENING)
- nstate = IPF_TCPS_SYN_RECEIVED;
- else if (tcpflags & TH_SYN)
- nstate = IPF_TCPS_SYN_SENT;
- break;
-
- case IPF_TCPS_TIME_WAIT: /* 11 */
- /* we're in 2MSL timeout now */
- rval = 1;
- break;
-
- default :
-#if defined(_KERNEL)
-# if SOLARIS
- cmn_err(CE_NOTE,
- "tcp %lx flags %x si %lx nstate %d ostate %d\n",
- (u_long)tcp, tcpflags, (u_long)tqe,
- nstate, ostate);
-# else
- printf("tcp %lx flags %x si %lx nstate %d ostate %d\n",
- (u_long)tcp, tcpflags, (u_long)tqe,
- nstate, ostate);
-# endif
-# ifdef DIAGNOSTIC
- panic("invalid TCP state");
-# endif
-#else
- abort();
-#endif
- break;
- }
- }
-
- /*
- * If rval == 2 then do not update the queue position, but treat the
- * packet as being ok.
- */
- if (rval == 2)
- rval = 1;
- else if (rval == 1) {
- tqe->tqe_state[dir] = nstate;
- if ((tqe->tqe_flags & TQE_RULEBASED) == 0)
- fr_movequeue(tqe, tqe->tqe_ifq, tqtab + nstate);
- }
-
- return rval;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipstate_log */
-/* Returns: Nil */
-/* Parameters: is(I) - pointer to state structure */
-/* type(I) - type of log entry to create */
-/* */
-/* Creates a state table log entry using the state structure and type info. */
-/* passed in. Log packet/byte counts, source/destination address and other */
-/* protocol specific information. */
-/* ------------------------------------------------------------------------ */
-void ipstate_log(is, type)
-struct ipstate *is;
-u_int type;
-{
-#ifdef IPFILTER_LOG
- struct ipslog ipsl;
- size_t sizes[1];
- void *items[1];
- int types[1];
-
- /*
- * Copy information out of the ipstate_t structure and into the
- * structure used for logging.
- */
- ipsl.isl_type = type;
- ipsl.isl_pkts[0] = is->is_pkts[0] + is->is_icmppkts[0];
- ipsl.isl_bytes[0] = is->is_bytes[0];
- ipsl.isl_pkts[1] = is->is_pkts[1] + is->is_icmppkts[1];
- ipsl.isl_bytes[1] = is->is_bytes[1];
- ipsl.isl_pkts[2] = is->is_pkts[2] + is->is_icmppkts[2];
- ipsl.isl_bytes[2] = is->is_bytes[2];
- ipsl.isl_pkts[3] = is->is_pkts[3] + is->is_icmppkts[3];
- ipsl.isl_bytes[3] = is->is_bytes[3];
- ipsl.isl_src = is->is_src;
- ipsl.isl_dst = is->is_dst;
- ipsl.isl_p = is->is_p;
- ipsl.isl_v = is->is_v;
- ipsl.isl_flags = is->is_flags;
- ipsl.isl_tag = is->is_tag;
- ipsl.isl_rulen = is->is_rulen;
- (void) strncpy(ipsl.isl_group, is->is_group, FR_GROUPLEN);
-
- if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
- ipsl.isl_sport = is->is_sport;
- ipsl.isl_dport = is->is_dport;
- if (ipsl.isl_p == IPPROTO_TCP) {
- ipsl.isl_state[0] = is->is_state[0];
- ipsl.isl_state[1] = is->is_state[1];
- }
- } else if (ipsl.isl_p == IPPROTO_ICMP) {
- ipsl.isl_itype = is->is_icmp.ici_type;
- } else if (ipsl.isl_p == IPPROTO_ICMPV6) {
- ipsl.isl_itype = is->is_icmp.ici_type;
- } else {
- ipsl.isl_ps.isl_filler[0] = 0;
- ipsl.isl_ps.isl_filler[1] = 0;
- }
-
- items[0] = &ipsl;
- sizes[0] = sizeof(ipsl);
- types[0] = 0;
-
- if (ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1)) {
- ATOMIC_INCL(ips_stats.iss_logged);
- } else {
- ATOMIC_INCL(ips_stats.iss_logfail);
- }
-#endif
-}
-
-
-#ifdef USE_INET6
-/* ------------------------------------------------------------------------ */
-/* Function: fr_checkicmp6matchingstate */
-/* Returns: ipstate_t* - NULL == no match found, */
-/* else pointer to matching state entry */
-/* Parameters: fin(I) - pointer to packet information */
-/* Locks: NULL == no locks, else Read Lock on ipf_state */
-/* */
-/* If we've got an ICMPv6 error message, using the information stored in */
-/* the ICMPv6 packet, look for a matching state table entry. */
-/* ------------------------------------------------------------------------ */
-static ipstate_t *fr_checkicmp6matchingstate(fin)
-fr_info_t *fin;
-{
- struct icmp6_hdr *ic6, *oic;
- int type, backward, i;
- ipstate_t *is, **isp;
- u_short sport, dport;
- i6addr_t dst, src;
- u_short savelen;
- icmpinfo_t *ic;
- fr_info_t ofin;
- tcphdr_t *tcp;
- ip6_t *oip6;
- u_char pr;
- u_int hv;
-
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with
- * an ICMP error header.
- */
- if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN))
- return NULL;
-
- ic6 = fin->fin_dp;
- type = ic6->icmp6_type;
- /*
- * If it's not an error type, then return
- */
- if ((type != ICMP6_DST_UNREACH) && (type != ICMP6_PACKET_TOO_BIG) &&
- (type != ICMP6_TIME_EXCEEDED) && (type != ICMP6_PARAM_PROB))
- return NULL;
-
- oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
- if (fin->fin_plen < sizeof(*oip6))
- return NULL;
-
- bcopy((char *)fin, (char *)&ofin, sizeof(fin));
- ofin.fin_v = 6;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_m = NULL; /* if dereferenced, panic XXX */
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
-
- /*
- * We make a fin entry to be able to feed it to
- * matchsrcdst. Note that not all fields are necessary
- * but this is the cleanest way. Note further we fill
- * in fin_mp such that if someone uses it we'll get
- * a kernel panic. fr_matchsrcdst does not use this.
- *
- * watch out here, as ip is in host order and oip6 in network
- * order. Any change we make must be undone afterwards.
- */
- savelen = oip6->ip6_plen;
- oip6->ip6_plen = fin->fin_dlen - ICMPERR_ICMPHLEN;
- ofin.fin_flx = FI_NOCKSUM;
- ofin.fin_ip = (ip_t *)oip6;
- ofin.fin_plen = oip6->ip6_plen;
- (void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);
- ofin.fin_flx &= ~(FI_BAD|FI_SHORT);
- oip6->ip6_plen = savelen;
-
- if (oip6->ip6_nxt == IPPROTO_ICMPV6) {
- oic = (struct icmp6_hdr *)(oip6 + 1);
- /*
- * an ICMP error can only be generated as a result of an
- * ICMP query, not as the response on an ICMP error
- *
- * XXX theoretically ICMP_ECHOREP and the other reply's are
- * ICMP query's as well, but adding them here seems strange XXX
- */
- if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
- return NULL;
-
- /*
- * perform a lookup of the ICMP packet in the state table
- */
- hv = (pr = oip6->ip6_nxt);
- src.in6 = oip6->ip6_src;
- hv += src.in4.s_addr;
- dst.in6 = oip6->ip6_dst;
- hv += dst.in4.s_addr;
- hv += oic->icmp6_id;
- hv += oic->icmp6_seq;
- hv = DOUBLE_HASH(hv);
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
- ic = &is->is_icmp;
- isp = &is->is_hnext;
- if ((is->is_p == pr) &&
- !(is->is_pass & FR_NOICMPERR) &&
- (oic->icmp6_id == ic->ici_id) &&
- (oic->icmp6_seq == ic->ici_seq) &&
- (is = fr_matchsrcdst(&ofin, is, &src,
- &dst, NULL, FI_ICMPCMP))) {
- /*
- * in the state table ICMP query's are stored
- * with the type of the corresponding ICMP
- * response. Correct here
- */
- if (((ic->ici_type == ICMP6_ECHO_REPLY) &&
- (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
- (ic->ici_type - 1 == oic->icmp6_type )) {
- ips_stats.iss_hits++;
- backward = IP6_NEQ(&is->is_dst, &src);
- fin->fin_rev = !backward;
- i = (backward << 1) + fin->fin_out;
- is->is_icmppkts[i]++;
- return is;
- }
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
- }
-
- hv = (pr = oip6->ip6_nxt);
- src.in6 = oip6->ip6_src;
- hv += src.i6[0];
- hv += src.i6[1];
- hv += src.i6[2];
- hv += src.i6[3];
- dst.in6 = oip6->ip6_dst;
- hv += dst.i6[0];
- hv += dst.i6[1];
- hv += dst.i6[2];
- hv += dst.i6[3];
-
- if ((oip6->ip6_nxt == IPPROTO_TCP) || (oip6->ip6_nxt == IPPROTO_UDP)) {
- tcp = (tcphdr_t *)(oip6 + 1);
- dport = tcp->th_dport;
- sport = tcp->th_sport;
- hv += dport;
- hv += sport;
- } else
- tcp = NULL;
- hv = DOUBLE_HASH(hv);
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; ((is = *isp) != NULL); ) {
- isp = &is->is_hnext;
- /*
- * Only allow this icmp though if the
- * encapsulated packet was allowed through the
- * other way around. Note that the minimal amount
- * of info present does not allow for checking against
- * tcp internals such as seq and ack numbers.
- */
- if ((is->is_p != pr) || (is->is_v != 6) ||
- (is->is_pass & FR_NOICMPERR))
- continue;
- is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP);
- if (is != NULL) {
- ips_stats.iss_hits++;
- backward = IP6_NEQ(&is->is_dst, &src);
- fin->fin_rev = !backward;
- i = (backward << 1) + fin->fin_out;
- is->is_icmppkts[i]++;
- /*
- * we deliberately do not touch the timeouts
- * for the accompanying state table entry.
- * It remains to be seen if that is correct. XXX
- */
- return is;
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
-}
-#endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_sttab_init */
-/* Returns: Nil */
-/* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
-/* */
-/* Initialise the array of timeout queues for TCP. */
-/* ------------------------------------------------------------------------ */
-void fr_sttab_init(tqp)
-ipftq_t *tqp;
-{
- int i;
-
- for (i = IPF_TCP_NSTATES - 1; i >= 0; i--) {
- tqp[i].ifq_ttl = 0;
- tqp[i].ifq_ref = 1;
- tqp[i].ifq_head = NULL;
- tqp[i].ifq_tail = &tqp[i].ifq_head;
- tqp[i].ifq_next = tqp + i + 1;
- MUTEX_INIT(&tqp[i].ifq_lock, "ipftq tcp tab");
- }
- tqp[IPF_TCP_NSTATES - 1].ifq_next = NULL;
- tqp[IPF_TCPS_CLOSED].ifq_ttl = fr_tcpclosed;
- tqp[IPF_TCPS_LISTEN].ifq_ttl = fr_tcptimeout;
- tqp[IPF_TCPS_SYN_SENT].ifq_ttl = fr_tcptimeout;
- tqp[IPF_TCPS_SYN_RECEIVED].ifq_ttl = fr_tcptimeout;
- tqp[IPF_TCPS_ESTABLISHED].ifq_ttl = fr_tcpidletimeout;
- tqp[IPF_TCPS_CLOSE_WAIT].ifq_ttl = fr_tcphalfclosed;
- tqp[IPF_TCPS_FIN_WAIT_1].ifq_ttl = fr_tcphalfclosed;
- tqp[IPF_TCPS_CLOSING].ifq_ttl = fr_tcptimeout;
- tqp[IPF_TCPS_LAST_ACK].ifq_ttl = fr_tcplastack;
- tqp[IPF_TCPS_FIN_WAIT_2].ifq_ttl = fr_tcpclosewait;
- tqp[IPF_TCPS_TIME_WAIT].ifq_ttl = fr_tcptimeout;
- tqp[IPF_TCPS_HALF_ESTAB].ifq_ttl = fr_tcptimeout;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_sttab_destroy */
-/* Returns: Nil */
-/* Parameters: tqp(I) - pointer to an array of timeout queues for TCP */
-/* */
-/* Do whatever is necessary to "destroy" each of the entries in the array */
-/* of timeout queues for TCP. */
-/* ------------------------------------------------------------------------ */
-void fr_sttab_destroy(tqp)
-ipftq_t *tqp;
-{
- int i;
-
- for (i = IPF_TCP_NSTATES - 1; i >= 0; i--)
- MUTEX_DESTROY(&tqp[i].ifq_lock);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_statederef */
-/* Returns: Nil */
-/* Parameters: isp(I) - pointer to pointer to state table entry */
-/* */
-/* Decrement the reference counter for this state table entry and free it */
-/* if there are no more things using it. */
-/* */
-/* When operating in userland (ipftest), we have no timers to clear a state */
-/* entry. Therefore, we make a few simple tests before deleting an entry */
-/* outright. We compare states on each side looking for a combination of */
-/* TIME_WAIT (should really be FIN_WAIT_2?) and LAST_ACK. Then we factor */
-/* in packet direction with the interface list to make sure we don't */
-/* prematurely delete an entry on a final inbound packet that's we're also */
-/* supposed to route elsewhere. */
-/* */
-/* Internal parameters: */
-/* state[0] = state of source (host that initiated connection) */
-/* state[1] = state of dest (host that accepted the connection) */
-/* */
-/* dir == 0 : a packet from source to dest */
-/* dir == 1 : a packet from dest to source */
-/* ------------------------------------------------------------------------ */
-void fr_statederef(fin, isp)
-fr_info_t *fin;
-ipstate_t **isp;
-{
- ipstate_t *is = *isp;
-#if 0
- int nstate, ostate, dir, eol;
-
- eol = 0; /* End-of-the-line flag. */
- dir = fin->fin_rev;
- ostate = is->is_state[1 - dir];
- nstate = is->is_state[dir];
- /*
- * Determine whether this packet is local or routed. State entries
- * with us as the destination will have an interface list of
- * int1,-,-,int1. Entries with us as the origin run as -,int1,int1,-.
- */
- if ((fin->fin_p == IPPROTO_TCP) && (fin->fin_out == 0)) {
- if ((strcmp(is->is_ifname[0], is->is_ifname[3]) == 0) &&
- (strcmp(is->is_ifname[1], is->is_ifname[2]) == 0)) {
- if ((dir == 0) &&
- (strcmp(is->is_ifname[1], "-") == 0) &&
- (strcmp(is->is_ifname[0], "-") != 0)) {
- eol = 1;
- } else if ((dir == 1) &&
- (strcmp(is->is_ifname[0], "-") == 0) &&
- (strcmp(is->is_ifname[1], "-") != 0)) {
- eol = 1;
- }
- }
- }
-#endif
-
- fin = fin; /* LINT */
- is = *isp;
- *isp = NULL;
- WRITE_ENTER(&ipf_state);
- is->is_ref--;
- if (is->is_ref == 0) {
- is->is_ref++; /* To counter ref-- in fr_delstate() */
- fr_delstate(is, ISL_EXPIRE);
-#ifndef _KERNEL
-#if 0
- } else if (((fin->fin_out == 1) || (eol == 1)) &&
- ((ostate == IPF_TCPS_LAST_ACK) &&
- (nstate == IPF_TCPS_TIME_WAIT))) {
- ;
-#else
- } else if ((is->is_sti.tqe_state[0] > IPF_TCPS_ESTABLISHED) ||
- (is->is_sti.tqe_state[1] > IPF_TCPS_ESTABLISHED)) {
-#endif
- fr_delstate(is, ISL_ORPHAN);
-#endif
- }
- RWLOCK_EXIT(&ipf_state);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_setstatequeue */
-/* Returns: Nil */
-/* Parameters: is(I) - pointer to state structure */
-/* rev(I) - forward(0) or reverse(1) direction */
-/* Locks: ipf_state (read or write) */
-/* */
-/* Put the state entry on its default queue entry, using rev as a helped in */
-/* determining which queue it should be placed on. */
-/* ------------------------------------------------------------------------ */
-void fr_setstatequeue(is, rev)
-ipstate_t *is;
-int rev;
-{
- ipftq_t *oifq, *nifq;
-
-
- if ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0)
- nifq = is->is_tqehead[rev];
- else
- nifq = NULL;
-
- if (nifq == NULL) {
- switch (is->is_p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- if (rev == 1)
- nifq = &ips_icmpacktq;
- else
- nifq = &ips_icmptq;
- break;
-#endif
- case IPPROTO_ICMP :
- if (rev == 1)
- nifq = &ips_icmpacktq;
- else
- nifq = &ips_icmptq;
- break;
- case IPPROTO_TCP :
- nifq = ips_tqtqb + is->is_state[rev];
- break;
-
- case IPPROTO_UDP :
- if (rev == 1)
- nifq = &ips_udpacktq;
- else
- nifq = &ips_udptq;
- break;
-
- default :
- nifq = &ips_iptq;
- break;
- }
- }
-
- oifq = is->is_sti.tqe_ifq;
- /*
- * If it's currently on a timeout queue, move it from one queue to
- * another, else put it on the end of the newly determined queue.
- */
- if (oifq != NULL)
- fr_movequeue(&is->is_sti, oifq, nifq);
- else
- fr_queueappend(&is->is_sti, nifq, is);
- return;
-}
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
deleted file mode 100644
index 2f5f7f1..0000000
--- a/contrib/ipfilter/ip_state.h
+++ /dev/null
@@ -1,261 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * Id: ip_state.h,v 2.68.2.3 2005/03/03 14:24:11 darrenr Exp
- */
-#ifndef __IP_STATE_H__
-#define __IP_STATE_H__
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCDELST _IOW('r', 61, struct ipfobj)
-#else
-# define SIOCDELST _IOW(r, 61, struct ipfobj)
-#endif
-
-struct ipscan;
-
-#ifndef IPSTATE_SIZE
-# define IPSTATE_SIZE 5737
-#endif
-#ifndef IPSTATE_MAX
-# define IPSTATE_MAX 4013 /* Maximum number of states held */
-#endif
-
-#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
- (((s1) == (d2)) && ((d1) == (s2))))
-#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
- (s2).s_addr, (d2).s_addr)
-
-
-typedef struct ipstate {
- ipfmutex_t is_lock;
- struct ipstate *is_next;
- struct ipstate **is_pnext;
- struct ipstate *is_hnext;
- struct ipstate **is_phnext;
- struct ipstate **is_me;
- void *is_ifp[4];
- void *is_sync;
- struct nat *is_nat[2];
- frentry_t *is_rule;
- struct ipftq *is_tqehead[2];
- struct ipscan *is_isc;
- U_QUAD_T is_pkts[4];
- U_QUAD_T is_bytes[4];
- U_QUAD_T is_icmppkts[4];
- struct ipftqent is_sti;
- u_int is_frage[2];
- int is_ref; /* reference count */
- int is_isninc[2];
- u_short is_sumd[2];
- i6addr_t is_src;
- i6addr_t is_dst;
- u_int is_pass;
- u_char is_p; /* Protocol */
- u_char is_v;
- u_32_t is_hv;
- u_32_t is_tag;
- u_32_t is_opt; /* packet options set */
- u_32_t is_optmsk; /* " " mask */
- u_short is_sec; /* security options set */
- u_short is_secmsk; /* " " mask */
- u_short is_auth; /* authentication options set */
- u_short is_authmsk; /* " " mask */
- union {
- icmpinfo_t is_ics;
- tcpinfo_t is_ts;
- udpinfo_t is_us;
- greinfo_t is_ug;
- } is_ps;
- u_32_t is_flags;
- int is_flx[2][2];
- u_32_t is_rulen; /* rule number when created */
- u_32_t is_s0[2];
- u_short is_smsk[2];
- char is_group[FR_GROUPLEN];
- char is_sbuf[2][16];
- char is_ifname[4][LIFNAMSIZ];
-} ipstate_t;
-
-#define is_die is_sti.tqe_die
-#define is_state is_sti.tqe_state
-#define is_touched is_sti.tqe_touched
-#define is_saddr is_src.in4.s_addr
-#define is_daddr is_dst.in4.s_addr
-#define is_icmp is_ps.is_ics
-#define is_type is_icmp.ici_type
-#define is_code is_icmp.ici_code
-#define is_tcp is_ps.is_ts
-#define is_udp is_ps.is_us
-#define is_send is_tcp.ts_data[0].td_end
-#define is_dend is_tcp.ts_data[1].td_end
-#define is_maxswin is_tcp.ts_data[0].td_maxwin
-#define is_maxdwin is_tcp.ts_data[1].td_maxwin
-#define is_maxsend is_tcp.ts_data[0].td_maxend
-#define is_maxdend is_tcp.ts_data[1].td_maxend
-#define is_swinscale is_tcp.ts_data[0].td_winscale
-#define is_dwinscale is_tcp.ts_data[1].td_winscale
-#define is_swinflags is_tcp.ts_data[0].td_winflags
-#define is_dwinflags is_tcp.ts_data[1].td_winflags
-#define is_sport is_tcp.ts_sport
-#define is_dport is_tcp.ts_dport
-#define is_ifpin is_ifp[0]
-#define is_ifpout is_ifp[2]
-#define is_gre is_ps.is_ug
-#define is_call is_gre.gs_call
-
-#define IS_WSPORT SI_W_SPORT /* 0x00100 */
-#define IS_WDPORT SI_W_DPORT /* 0x00200 */
-#define IS_WSADDR SI_W_SADDR /* 0x00400 */
-#define IS_WDADDR SI_W_DADDR /* 0x00800 */
-#define IS_NEWFR SI_NEWFR /* 0x01000 */
-#define IS_CLONE SI_CLONE /* 0x02000 */
-#define IS_CLONED SI_CLONED /* 0x04000 */
-#define IS_TCPFSM 0x10000
-#define IS_STRICT 0x20000
-#define IS_ISNSYN 0x40000
-#define IS_ISNACK 0x80000
-#define IS_STATESYNC 0x100000
-/*
- * IS_SC flags are for scan-operations that need to be recognised in state.
- */
-#define IS_SC_CLIENT 0x10000000
-#define IS_SC_SERVER 0x20000000
-#define IS_SC_MATCHC 0x40000000
-#define IS_SC_MATCHS 0x80000000
-#define IS_SC_MATCHALL (IS_SC_MATCHC|IS_SC_MATCHC)
-#define IS_SC_ALL (IS_SC_MATCHC|IS_SC_MATCHC|IS_SC_CLIENT|IS_SC_SERVER)
-
-/*
- * Flags that can be passed into fr_addstate
- */
-#define IS_INHERITED 0x0fffff00
-
-#define TH_OPENING (TH_SYN|TH_ACK)
-/*
- * is_flags:
- * Bits 0 - 3 are use as a mask with the current packet's bits to check for
- * whether it is short, tcp/udp, a fragment or the presence of IP options.
- * Bits 4 - 7 are set from the initial packet and contain what the packet
- * anded with bits 0-3 must match.
- * Bits 8,9 are used to indicate wildcard source/destination port matching.
- * Bits 10,11 are reserved for other wildcard flag compatibility.
- * Bits 12,13 are for scaning.
- */
-
-typedef struct ipstate_save {
- void *ips_next;
- struct ipstate ips_is;
- struct frentry ips_fr;
-} ipstate_save_t;
-
-#define ips_rule ips_is.is_rule
-
-
-typedef struct ipslog {
- U_QUAD_T isl_pkts[4];
- U_QUAD_T isl_bytes[4];
- i6addr_t isl_src;
- i6addr_t isl_dst;
- u_32_t isl_tag;
- u_short isl_type;
- union {
- u_short isl_filler[2];
- u_short isl_ports[2];
- u_short isl_icmp;
- } isl_ps;
- u_char isl_v;
- u_char isl_p;
- u_char isl_flags;
- u_char isl_state[2];
- u_32_t isl_rulen;
- char isl_group[FR_GROUPLEN];
-} ipslog_t;
-
-#define isl_sport isl_ps.isl_ports[0]
-#define isl_dport isl_ps.isl_ports[1]
-#define isl_itype isl_ps.isl_icmp
-
-#define ISL_NEW 0
-#define ISL_CLONE 1
-#define ISL_EXPIRE 0xffff
-#define ISL_FLUSH 0xfffe
-#define ISL_REMOVE 0xfffd
-#define ISL_INTERMEDIATE 0xfffc
-#define ISL_KILLED 0xfffb
-#define ISL_ORPHAN 0xfffa
-
-
-typedef struct ips_stat {
- u_long iss_hits;
- u_long iss_miss;
- u_long iss_max;
- u_long iss_maxref;
- u_long iss_tcp;
- u_long iss_udp;
- u_long iss_icmp;
- u_long iss_nomem;
- u_long iss_expire;
- u_long iss_fin;
- u_long iss_active;
- u_long iss_logged;
- u_long iss_logfail;
- u_long iss_inuse;
- u_long iss_wild;
- u_long iss_killed;
- u_long iss_ticks;
- u_long iss_bucketfull;
- int iss_statesize;
- int iss_statemax;
- ipstate_t **iss_table;
- ipstate_t *iss_list;
- u_long *iss_bucketlen;
-} ips_stat_t;
-
-
-extern u_long fr_tcpidletimeout;
-extern u_long fr_tcpclosewait;
-extern u_long fr_tcplastack;
-extern u_long fr_tcptimeout;
-extern u_long fr_tcpclosed;
-extern u_long fr_tcphalfclosed;
-extern u_long fr_udptimeout;
-extern u_long fr_udpacktimeout;
-extern u_long fr_icmptimeout;
-extern u_long fr_icmpacktimeout;
-extern u_long fr_iptimeout;
-extern int fr_statemax;
-extern int fr_statesize;
-extern int fr_state_lock;
-extern int fr_state_maxbucket;
-extern int fr_state_maxbucket_reset;
-extern ipstate_t *ips_list;
-extern ipftq_t *ips_utqe;
-extern ipftq_t ips_tqtqb[IPF_TCP_NSTATES];
-
-extern int fr_stateinit __P((void));
-extern ipstate_t *fr_addstate __P((fr_info_t *, ipstate_t **, u_int));
-extern frentry_t *fr_checkstate __P((struct fr_info *, u_32_t *));
-extern ipstate_t *fr_stlookup __P((fr_info_t *, tcphdr_t *, ipftq_t **));
-extern void fr_statesync __P((void *));
-extern void fr_timeoutstate __P((void));
-extern int fr_tcp_age __P((struct ipftqent *, struct fr_info *,
- struct ipftq *, int));
-extern int fr_tcpinwindow __P((struct fr_info *, struct tcpdata *,
- struct tcpdata *, tcphdr_t *, int));
-extern void fr_stateunload __P((void));
-extern void ipstate_log __P((struct ipstate *, u_int));
-extern int fr_state_ioctl __P((caddr_t, ioctlcmd_t, int));
-extern void fr_stinsert __P((struct ipstate *, int));
-extern void fr_sttab_init __P((struct ipftq *));
-extern void fr_sttab_destroy __P((struct ipftq *));
-extern void fr_updatestate __P((fr_info_t *, ipstate_t *, ipftq_t *));
-extern void fr_statederef __P((fr_info_t *, ipstate_t **));
-extern void fr_setstatequeue __P((ipstate_t *, int));
-
-#endif /* __IP_STATE_H__ */
diff --git a/contrib/ipfilter/ip_sync.c b/contrib/ipfilter/ip_sync.c
deleted file mode 100644
index 396bae7..0000000
--- a/contrib/ipfilter/ip_sync.c
+++ /dev/null
@@ -1,1001 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1995-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(__KERNEL__)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# define _KERNEL
-# define KERNEL
-# ifdef __OpenBSD__
-struct file;
-# endif
-# include <sys/uio.h>
-# undef _KERNEL
-# undef KERNEL
-#else
-# include <sys/systm.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/mbuf.h>
-# endif
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
-# include <sys/proc.h>
-#endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#if !defined(linux)
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(__SVR4) || defined(__svr4__)
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-#endif
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_sync.h"
-#ifdef USE_INET6
-#include <netinet/icmp6.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-#endif
-/* END OF INCLUDES */
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.3 2005/02/18 13:06:29 darrenr Exp";
-#endif
-
-#define SYNC_STATETABSZ 256
-#define SYNC_NATTABSZ 256
-
-#ifdef IPFILTER_SYNC
-ipfmutex_t ipf_syncadd, ipsl_mutex;
-ipfrwlock_t ipf_syncstate, ipf_syncnat;
-#if SOLARIS && defined(_KERNEL)
-kcondvar_t ipslwait;
-#endif
-synclist_t *syncstatetab[SYNC_STATETABSZ];
-synclist_t *syncnattab[SYNC_NATTABSZ];
-synclogent_t synclog[SYNCLOG_SZ];
-syncupdent_t syncupd[SYNCLOG_SZ];
-u_int ipf_syncnum = 1;
-u_int ipf_syncwrap = 0;
-u_int sl_idx = 0, /* next available sync log entry */
- su_idx = 0, /* next available sync update entry */
- sl_tail = 0, /* next sync log entry to read */
- su_tail = 0; /* next sync update entry to read */
-int ipf_sync_debug = 0;
-
-
-# if !defined(sparc) && !defined(__hppa)
-void ipfsync_tcporder __P((int, struct tcpdata *));
-void ipfsync_natorder __P((int, struct nat *));
-void ipfsync_storder __P((int, struct ipstate *));
-# endif
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_init */
-/* Returns: int - 0 == success, -1 == failure */
-/* Parameters: Nil */
-/* */
-/* Initialise all of the locks required for the sync code and initialise */
-/* any data structures, as required. */
-/* ------------------------------------------------------------------------ */
-int ipfsync_init()
-{
- RWLOCK_INIT(&ipf_syncstate, "add things to state sync table");
- RWLOCK_INIT(&ipf_syncnat, "add things to nat sync table");
- MUTEX_INIT(&ipf_syncadd, "add things to sync table");
- MUTEX_INIT(&ipsl_mutex, "add things to sync table");
-# if SOLARIS && defined(_KERNEL)
- cv_init(&ipslwait, "ipsl condvar", CV_DRIVER, NULL);
-# endif
-
- bzero((char *)syncnattab, sizeof(syncnattab));
- bzero((char *)syncstatetab, sizeof(syncstatetab));
-
- return 0;
-}
-
-
-# if !defined(sparc) && !defined(__hppa)
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_tcporder */
-/* Returns: Nil */
-/* Parameters: way(I) - direction of byte order conversion. */
-/* td(IO) - pointer to data to be converted. */
-/* */
-/* Do byte swapping on values in the TCP state information structure that */
-/* need to be used at both ends by the host in their native byte order. */
-/* ------------------------------------------------------------------------ */
-void ipfsync_tcporder(way, td)
-int way;
-tcpdata_t *td;
-{
- if (way) {
- td->td_maxwin = htons(td->td_maxwin);
- td->td_end = htonl(td->td_end);
- td->td_maxend = htonl(td->td_maxend);
- } else {
- td->td_maxwin = ntohs(td->td_maxwin);
- td->td_end = ntohl(td->td_end);
- td->td_maxend = ntohl(td->td_maxend);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_natorder */
-/* Returns: Nil */
-/* Parameters: way(I) - direction of byte order conversion. */
-/* nat(IO) - pointer to data to be converted. */
-/* */
-/* Do byte swapping on values in the NAT data structure that need to be */
-/* used at both ends by the host in their native byte order. */
-/* ------------------------------------------------------------------------ */
-void ipfsync_natorder(way, n)
-int way;
-nat_t *n;
-{
- if (way) {
- n->nat_age = htonl(n->nat_age);
- n->nat_flags = htonl(n->nat_flags);
- n->nat_ipsumd = htonl(n->nat_ipsumd);
- n->nat_use = htonl(n->nat_use);
- n->nat_dir = htonl(n->nat_dir);
- } else {
- n->nat_age = ntohl(n->nat_age);
- n->nat_flags = ntohl(n->nat_flags);
- n->nat_ipsumd = ntohl(n->nat_ipsumd);
- n->nat_use = ntohl(n->nat_use);
- n->nat_dir = ntohl(n->nat_dir);
- }
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_storder */
-/* Returns: Nil */
-/* Parameters: way(I) - direction of byte order conversion. */
-/* ips(IO) - pointer to data to be converted. */
-/* */
-/* Do byte swapping on values in the IP state data structure that need to */
-/* be used at both ends by the host in their native byte order. */
-/* ------------------------------------------------------------------------ */
-void ipfsync_storder(way, ips)
-int way;
-ipstate_t *ips;
-{
- ipfsync_tcporder(way, &ips->is_tcp.ts_data[0]);
- ipfsync_tcporder(way, &ips->is_tcp.ts_data[1]);
-
- if (way) {
- ips->is_hv = htonl(ips->is_hv);
- ips->is_die = htonl(ips->is_die);
- ips->is_pass = htonl(ips->is_pass);
- ips->is_flags = htonl(ips->is_flags);
- ips->is_opt = htonl(ips->is_opt);
- ips->is_optmsk = htonl(ips->is_optmsk);
- ips->is_sec = htons(ips->is_sec);
- ips->is_secmsk = htons(ips->is_secmsk);
- ips->is_auth = htons(ips->is_auth);
- ips->is_authmsk = htons(ips->is_authmsk);
- ips->is_s0[0] = htonl(ips->is_s0[0]);
- ips->is_s0[1] = htonl(ips->is_s0[1]);
- ips->is_smsk[0] = htons(ips->is_smsk[0]);
- ips->is_smsk[1] = htons(ips->is_smsk[1]);
- } else {
- ips->is_hv = ntohl(ips->is_hv);
- ips->is_die = ntohl(ips->is_die);
- ips->is_pass = ntohl(ips->is_pass);
- ips->is_flags = ntohl(ips->is_flags);
- ips->is_opt = ntohl(ips->is_opt);
- ips->is_optmsk = ntohl(ips->is_optmsk);
- ips->is_sec = ntohs(ips->is_sec);
- ips->is_secmsk = ntohs(ips->is_secmsk);
- ips->is_auth = ntohs(ips->is_auth);
- ips->is_authmsk = ntohs(ips->is_authmsk);
- ips->is_s0[0] = ntohl(ips->is_s0[0]);
- ips->is_s0[1] = ntohl(ips->is_s0[1]);
- ips->is_smsk[0] = ntohl(ips->is_smsk[0]);
- ips->is_smsk[1] = ntohl(ips->is_smsk[1]);
- }
-}
-# else /* !defined(sparc) && !defined(__hppa) */
-# define ipfsync_tcporder(x,y)
-# define ipfsync_natorder(x,y)
-# define ipfsync_storder(x,y)
-# endif /* !defined(sparc) && !defined(__hppa) */
-
-/* enable this for debugging */
-
-# ifdef _KERNEL
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_write */
-/* Returns: int - 0 == success, else error value. */
-/* Parameters: uio(I) - pointer to information about data to write */
-/* */
-/* Moves data from user space into the kernel and uses it for updating data */
-/* structures in the state/NAT tables. */
-/* ------------------------------------------------------------------------ */
-int ipfsync_write(uio)
-struct uio *uio;
-{
- synchdr_t sh;
-
- /*
- * THIS MUST BE SUFFICIENT LARGE TO STORE
- * ANY POSSIBLE DATA TYPE
- */
- char data[2048];
-
- int err = 0;
-
-# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
- uio->uio_rw = UIO_WRITE;
-# endif
-
- /* Try to get bytes */
- while (uio->uio_resid > 0) {
-
- if (uio->uio_resid >= sizeof(sh)) {
-
- err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio);
-
- if (err) {
- if (ipf_sync_debug > 2)
- printf("uiomove(header) failed: %d\n",
- err);
- return err;
- }
-
- /* convert to host order */
- sh.sm_magic = ntohl(sh.sm_magic);
- sh.sm_len = ntohl(sh.sm_len);
- sh.sm_num = ntohl(sh.sm_num);
-
- if (ipf_sync_debug > 8)
- printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n",
- sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd,
- sh.sm_table, sh.sm_rev, sh.sm_len,
- sh.sm_magic);
-
- if (sh.sm_magic != SYNHDRMAGIC) {
- if (ipf_sync_debug > 2)
- printf("uiomove(header) invalud %s\n",
- "magic");
- return EINVAL;
- }
-
- if (sh.sm_v != 4 && sh.sm_v != 6) {
- if (ipf_sync_debug > 2)
- printf("uiomove(header) invalid %s\n",
- "protocol");
- return EINVAL;
- }
-
- if (sh.sm_cmd > SMC_MAXCMD) {
- if (ipf_sync_debug > 2)
- printf("uiomove(header) invalid %s\n",
- "command");
- return EINVAL;
- }
-
-
- if (sh.sm_table > SMC_MAXTBL) {
- if (ipf_sync_debug > 2)
- printf("uiomove(header) invalid %s\n",
- "table");
- return EINVAL;
- }
-
- } else {
- /* unsufficient data, wait until next call */
- if (ipf_sync_debug > 2)
- printf("uiomove(header) insufficient data");
- return EAGAIN;
- }
-
-
- /*
- * We have a header, so try to read the amount of data
- * needed for the request
- */
-
- /* not supported */
- if (sh.sm_len == 0) {
- if (ipf_sync_debug > 2)
- printf("uiomove(data zero length %s\n",
- "not supported");
- return EINVAL;
- }
-
- if (uio->uio_resid >= sh.sm_len) {
-
- err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio);
-
- if (err) {
- if (ipf_sync_debug > 2)
- printf("uiomove(data) failed: %d\n",
- err);
- return err;
- }
-
- if (ipf_sync_debug > 7)
- printf("uiomove(data) %d bytes read\n",
- sh.sm_len);
-
- if (sh.sm_table == SMC_STATE)
- err = ipfsync_state(&sh, data);
- else if (sh.sm_table == SMC_NAT)
- err = ipfsync_nat(&sh, data);
- if (ipf_sync_debug > 7)
- printf("[%d] Finished with error %d\n",
- sh.sm_num, err);
-
- } else {
- /* insufficient data, wait until next call */
- if (ipf_sync_debug > 2)
- printf("uiomove(data) %s %d bytes, got %d\n",
- "insufficient data, need",
- sh.sm_len, uio->uio_resid);
- return EAGAIN;
- }
- }
-
- /* no more data */
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_read */
-/* Returns: int - 0 == success, else error value. */
-/* Parameters: uio(O) - pointer to information about where to store data */
-/* */
-/* This function is called when a user program wants to read some data */
-/* for pending state/NAT updates. If no data is available, the caller is */
-/* put to sleep, pending a wakeup from the "lower half" of this code. */
-/* ------------------------------------------------------------------------ */
-int ipfsync_read(uio)
-struct uio *uio;
-{
- syncupdent_t *su;
- synclogent_t *sl;
- int err = 0;
-
- if ((uio->uio_resid & 3) || (uio->uio_resid < 8))
- return EINVAL;
-
-# if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__)
- uio->uio_rw = UIO_READ;
-# endif
-
- MUTEX_ENTER(&ipsl_mutex);
- while ((sl_tail == sl_idx) && (su_tail == su_idx)) {
-# if SOLARIS && defined(_KERNEL)
- if (!cv_wait_sig(&ipslwait, &ipsl_mutex)) {
- MUTEX_EXIT(&ipsl_mutex);
- return EINTR;
- }
-# else
-# ifdef __hpux
- {
- lock_t *l;
-
- l = get_sleep_lock(&sl_tail);
- err = sleep(&sl_tail, PZERO+1);
- spinunlock(l);
- }
-# else /* __hpux */
-# ifdef __osf__
- err = mpsleep(&sl_tail, PSUSP|PCATCH, "ipl sleep", 0,
- &ipsl_mutex, MS_LOCK_SIMPLE);
-# else
- MUTEX_EXIT(&ipsl_mutex);
- err = SLEEP(&sl_tail, "ipl sleep");
-# endif /* __osf__ */
-# endif /* __hpux */
- if (err) {
- MUTEX_EXIT(&ipsl_mutex);
- return err;
- }
-# endif /* SOLARIS */
- }
- MUTEX_EXIT(&ipsl_mutex);
-
- READ_ENTER(&ipf_syncstate);
- while ((sl_tail < sl_idx) && (uio->uio_resid > sizeof(*sl))) {
- sl = synclog + sl_tail++;
- err = UIOMOVE((caddr_t)sl, sizeof(*sl), UIO_READ, uio);
- if (err != 0)
- break;
- }
-
- while ((su_tail < su_idx) && (uio->uio_resid > sizeof(*su))) {
- su = syncupd + su_tail;
- su_tail++;
- err = UIOMOVE((caddr_t)su, sizeof(*su), UIO_READ, uio);
- if (err != 0)
- break;
- if (su->sup_hdr.sm_sl != NULL)
- su->sup_hdr.sm_sl->sl_idx = -1;
- }
-
- MUTEX_ENTER(&ipf_syncadd);
- if (su_tail == su_idx)
- su_tail = su_idx = 0;
- if (sl_tail == sl_idx)
- sl_tail = sl_idx = 0;
- MUTEX_EXIT(&ipf_syncadd);
- RWLOCK_EXIT(&ipf_syncstate);
- return err;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_state */
-/* Returns: int - 0 == success, else error value. */
-/* Parameters: sp(I) - pointer to sync packet data header */
-/* uio(I) - pointer to user data for further information */
-/* */
-/* Updates the state table according to information passed in the sync */
-/* header. As required, more data is fetched from the uio structure but */
-/* varies depending on the contents of the sync header. This function can */
-/* create a new state entry or update one. Deletion is left to the state */
-/* structures being timed out correctly. */
-/* ------------------------------------------------------------------------ */
-int ipfsync_state(sp, data)
-synchdr_t *sp;
-void *data;
-{
- synctcp_update_t su;
- ipstate_t *is, sn;
- synclist_t *sl;
- frentry_t *fr;
- u_int hv;
- int err = 0;
-
- hv = sp->sm_num & (SYNC_STATETABSZ - 1);
-
- switch (sp->sm_cmd)
- {
- case SMC_CREATE :
-
- bcopy(data, &sn, sizeof(sn));
- KMALLOC(is, ipstate_t *);
- if (is == NULL) {
- err = ENOMEM;
- break;
- }
-
- KMALLOC(sl, synclist_t *);
- if (sl == NULL) {
- err = ENOMEM;
- KFREE(is);
- break;
- }
-
- bzero((char *)is, offsetof(ipstate_t, is_die));
- bcopy((char *)&sn.is_die, (char *)&is->is_die,
- sizeof(*is) - offsetof(ipstate_t, is_die));
- ipfsync_storder(0, is);
-
- /*
- * We need to find the same rule on the slave as was used on
- * the master to create this state entry.
- */
- READ_ENTER(&ipf_mutex);
- fr = fr_getrulen(IPL_LOGIPF, sn.is_group, sn.is_rulen);
- if (fr != NULL) {
- MUTEX_ENTER(&fr->fr_lock);
- fr->fr_ref++;
- fr->fr_statecnt++;
- MUTEX_EXIT(&fr->fr_lock);
- }
- RWLOCK_EXIT(&ipf_mutex);
-
- if (ipf_sync_debug > 4)
- printf("[%d] Filter rules = %p\n", sp->sm_num, fr);
-
- is->is_rule = fr;
- is->is_sync = sl;
-
- sl->sl_idx = -1;
- sl->sl_ips = is;
- bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));
-
- WRITE_ENTER(&ipf_syncstate);
- WRITE_ENTER(&ipf_state);
-
- sl->sl_pnext = syncstatetab + hv;
- sl->sl_next = syncstatetab[hv];
- if (syncstatetab[hv] != NULL)
- syncstatetab[hv]->sl_pnext = &sl->sl_next;
- syncstatetab[hv] = sl;
- MUTEX_DOWNGRADE(&ipf_syncstate);
- fr_stinsert(is, sp->sm_rev);
- /*
- * Do not initialise the interface pointers for the state
- * entry as the full complement of interface names may not
- * be present.
- *
- * Put this state entry on its timeout queue.
- */
- /*fr_setstatequeue(is, sp->sm_rev);*/
- break;
-
- case SMC_UPDATE :
- bcopy(data, &su, sizeof(su));
-
- if (ipf_sync_debug > 4)
- printf("[%d] Update age %lu state %d/%d \n",
- sp->sm_num, su.stu_age, su.stu_state[0],
- su.stu_state[1]);
-
- READ_ENTER(&ipf_syncstate);
- for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
- if (sl->sl_hdr.sm_num == sp->sm_num)
- break;
- if (sl == NULL) {
- if (ipf_sync_debug > 1)
- printf("[%d] State not found - can't update\n",
- sp->sm_num);
- RWLOCK_EXIT(&ipf_syncstate);
- err = ENOENT;
- break;
- }
-
- READ_ENTER(&ipf_state);
-
- if (ipf_sync_debug > 6)
- printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n",
- sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p,
- sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table,
- sl->sl_hdr.sm_rev);
-
- is = sl->sl_ips;
-
- MUTEX_ENTER(&is->is_lock);
- switch (sp->sm_p)
- {
- case IPPROTO_TCP :
- /* XXX FV --- shouldn't we do ntohl/htonl???? XXX */
- is->is_send = su.stu_data[0].td_end;
- is->is_maxsend = su.stu_data[0].td_maxend;
- is->is_maxswin = su.stu_data[0].td_maxwin;
- is->is_state[0] = su.stu_state[0];
- is->is_dend = su.stu_data[1].td_end;
- is->is_maxdend = su.stu_data[1].td_maxend;
- is->is_maxdwin = su.stu_data[1].td_maxwin;
- is->is_state[1] = su.stu_state[1];
- break;
- default :
- break;
- }
-
- if (ipf_sync_debug > 6)
- printf("[%d] Setting timers for state\n", sp->sm_num);
-
- fr_setstatequeue(is, sp->sm_rev);
-
- MUTEX_EXIT(&is->is_lock);
- break;
-
- default :
- err = EINVAL;
- break;
- }
-
- if (err == 0) {
- RWLOCK_EXIT(&ipf_state);
- RWLOCK_EXIT(&ipf_syncstate);
- }
-
- if (ipf_sync_debug > 6)
- printf("[%d] Update completed with error %d\n",
- sp->sm_num, err);
-
- return err;
-}
-# endif /* _KERNEL */
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_del */
-/* Returns: Nil */
-/* Parameters: sl(I) - pointer to synclist object to delete */
-/* */
-/* Deletes an object from the synclist table and free's its memory. */
-/* ------------------------------------------------------------------------ */
-void ipfsync_del(sl)
-synclist_t *sl;
-{
- WRITE_ENTER(&ipf_syncstate);
- *sl->sl_pnext = sl->sl_next;
- if (sl->sl_next != NULL)
- sl->sl_next->sl_pnext = sl->sl_pnext;
- if (sl->sl_idx != -1)
- syncupd[sl->sl_idx].sup_hdr.sm_sl = NULL;
- RWLOCK_EXIT(&ipf_syncstate);
- KFREE(sl);
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_nat */
-/* Returns: int - 0 == success, else error value. */
-/* Parameters: sp(I) - pointer to sync packet data header */
-/* uio(I) - pointer to user data for further information */
-/* */
-/* Updates the NAT table according to information passed in the sync */
-/* header. As required, more data is fetched from the uio structure but */
-/* varies depending on the contents of the sync header. This function can */
-/* create a new NAT entry or update one. Deletion is left to the NAT */
-/* structures being timed out correctly. */
-/* ------------------------------------------------------------------------ */
-int ipfsync_nat(sp, data)
-synchdr_t *sp;
-void *data;
-{
- synclogent_t sle;
- syncupdent_t su;
- nat_t *n, *nat;
- synclist_t *sl;
- u_int hv = 0;
- int err;
-
- READ_ENTER(&ipf_syncstate);
-
- switch (sp->sm_cmd)
- {
- case SMC_CREATE :
- bcopy(data, &sle, sizeof(sle));
-
- KMALLOC(n, nat_t *);
- if (n == NULL) {
- err = ENOMEM;
- break;
- }
-
- KMALLOC(sl, synclist_t *);
- if (sl == NULL) {
- err = ENOMEM;
- KFREE(n);
- break;
- }
-
- WRITE_ENTER(&ipf_nat);
-
- nat = &sle.sle_un.sleu_ipn;
- bzero((char *)n, offsetof(nat_t, nat_age));
- bcopy((char *)&nat->nat_age, (char *)&n->nat_age,
- sizeof(*n) - offsetof(nat_t, nat_age));
- ipfsync_natorder(0, n);
- n->nat_sync = sl;
-
- sl->sl_idx = -1;
- sl->sl_ipn = n;
- sl->sl_num = ntohl(sp->sm_num);
- sl->sl_pnext = syncstatetab + hv;
- sl->sl_next = syncstatetab[hv];
- if (syncstatetab[hv] != NULL)
- syncstatetab[hv]->sl_pnext = &sl->sl_next;
- syncstatetab[hv] = sl;
- nat_insert(n, sl->sl_rev);
- RWLOCK_EXIT(&ipf_nat);
- break;
-
- case SMC_UPDATE :
- bcopy(data, &su, sizeof(su));
-
- READ_ENTER(&ipf_syncstate);
- for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next)
- if (sl->sl_hdr.sm_num == sp->sm_num)
- break;
- if (sl == NULL) {
- err = ENOENT;
- break;
- }
-
- READ_ENTER(&ipf_nat);
-
- nat = sl->sl_ipn;
-
- MUTEX_ENTER(&nat->nat_lock);
- fr_setnatqueue(nat, sl->sl_rev);
- MUTEX_EXIT(&nat->nat_lock);
-
- RWLOCK_EXIT(&ipf_nat);
-
- break;
-
- default :
- err = EINVAL;
- break;
- }
-
- RWLOCK_EXIT(&ipf_syncstate);
- return 0;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_new */
-/* Returns: synclist_t* - NULL == failure, else pointer to new synclist */
-/* data structure. */
-/* Parameters: tab(I) - type of synclist_t to create */
-/* fin(I) - pointer to packet information */
-/* ptr(I) - pointer to owning object */
-/* */
-/* Creates a new sync table entry and notifies any sleepers that it's there */
-/* waiting to be processed. */
-/* ------------------------------------------------------------------------ */
-synclist_t *ipfsync_new(tab, fin, ptr)
-int tab;
-fr_info_t *fin;
-void *ptr;
-{
- synclist_t *sl, *ss;
- synclogent_t *sle;
- u_int hv, sz;
-
- if (sl_idx == SYNCLOG_SZ)
- return NULL;
- KMALLOC(sl, synclist_t *);
- if (sl == NULL)
- return NULL;
-
- MUTEX_ENTER(&ipf_syncadd);
- /*
- * Get a unique number for this synclist_t. The number is only meant
- * to be unique for the lifetime of the structure and may be reused
- * later.
- */
- ipf_syncnum++;
- if (ipf_syncnum == 0) {
- ipf_syncnum = 1;
- ipf_syncwrap = 1;
- }
-
- hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
- while (ipf_syncwrap != 0) {
- for (ss = syncstatetab[hv]; ss; ss = ss->sl_next)
- if (ss->sl_hdr.sm_num == ipf_syncnum)
- break;
- if (ss == NULL)
- break;
- ipf_syncnum++;
- hv = ipf_syncnum & (SYNC_STATETABSZ - 1);
- }
- /*
- * Use the synch number of the object as the hash key. Should end up
- * with relatively even distribution over time.
- * XXX - an attacker could lunch an DoS attack, of sorts, if they are
- * the only one causing new table entries by only keeping open every
- * nth connection they make, where n is a value in the interval
- * [0, SYNC_STATETABSZ-1].
- */
- sl->sl_pnext = syncstatetab + hv;
- sl->sl_next = syncstatetab[hv];
- syncstatetab[hv] = sl;
- sl->sl_num = ipf_syncnum;
- MUTEX_EXIT(&ipf_syncadd);
-
- sl->sl_magic = htonl(SYNHDRMAGIC);
- sl->sl_v = fin->fin_v;
- sl->sl_p = fin->fin_p;
- sl->sl_cmd = SMC_CREATE;
- sl->sl_idx = -1;
- sl->sl_table = tab;
- sl->sl_rev = fin->fin_rev;
- if (tab == SMC_STATE) {
- sl->sl_ips = ptr;
- sz = sizeof(*sl->sl_ips);
- } else if (tab == SMC_NAT) {
- sl->sl_ipn = ptr;
- sz = sizeof(*sl->sl_ipn);
- } else {
- ptr = NULL;
- sz = 0;
- }
- sl->sl_len = sz;
-
- /*
- * Create the log entry to be read by a user daemon. When it has been
- * finished and put on the queue, send a signal to wakeup any waiters.
- */
- MUTEX_ENTER(&ipf_syncadd);
- sle = synclog + sl_idx++;
- bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr,
- sizeof(sle->sle_hdr));
- sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num);
- sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len);
- if (ptr != NULL) {
- bcopy((char *)ptr, (char *)&sle->sle_un, sz);
- if (tab == SMC_STATE) {
- ipfsync_storder(1, &sle->sle_un.sleu_ips);
- } else if (tab == SMC_NAT) {
- ipfsync_natorder(1, &sle->sle_un.sleu_ipn);
- }
- }
- MUTEX_EXIT(&ipf_syncadd);
-
- MUTEX_ENTER(&ipsl_mutex);
-# if SOLARIS
-# ifdef _KERNEL
- cv_signal(&ipslwait);
-# endif
- MUTEX_EXIT(&ipsl_mutex);
-# else
- MUTEX_EXIT(&ipsl_mutex);
-# ifdef _KERNEL
- wakeup(&sl_tail);
-# endif
-# endif
- return sl;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: ipfsync_update */
-/* Returns: Nil */
-/* Parameters: tab(I) - type of synclist_t to create */
-/* fin(I) - pointer to packet information */
-/* sl(I) - pointer to synchronisation object */
-/* */
-/* For outbound packets, only, create an sync update record for the user */
-/* process to read. */
-/* ------------------------------------------------------------------------ */
-void ipfsync_update(tab, fin, sl)
-int tab;
-fr_info_t *fin;
-synclist_t *sl;
-{
- synctcp_update_t *st;
- syncupdent_t *slu;
- ipstate_t *ips;
- nat_t *nat;
-
- if (fin->fin_out == 0 || sl == NULL)
- return;
-
- WRITE_ENTER(&ipf_syncstate);
- MUTEX_ENTER(&ipf_syncadd);
- if (sl->sl_idx == -1) {
- slu = syncupd + su_idx;
- sl->sl_idx = su_idx++;
- bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr,
- sizeof(slu->sup_hdr));
- slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC);
- slu->sup_hdr.sm_sl = sl;
- slu->sup_hdr.sm_cmd = SMC_UPDATE;
- slu->sup_hdr.sm_table = tab;
- slu->sup_hdr.sm_num = htonl(sl->sl_num);
- slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update));
- slu->sup_hdr.sm_rev = fin->fin_rev;
-# if 0
- if (fin->fin_p == IPPROTO_TCP) {
- st->stu_len[0] = 0;
- st->stu_len[1] = 0;
- }
-# endif
- } else
- slu = syncupd + sl->sl_idx;
- MUTEX_EXIT(&ipf_syncadd);
- MUTEX_DOWNGRADE(&ipf_syncstate);
-
- /*
- * Only TCP has complex timeouts, others just use default timeouts.
- * For TCP, we only need to track the connection state and window.
- */
- if (fin->fin_p == IPPROTO_TCP) {
- st = &slu->sup_tcp;
- if (tab == SMC_STATE) {
- ips = sl->sl_ips;
- st->stu_age = htonl(ips->is_die);
- st->stu_data[0].td_end = ips->is_send;
- st->stu_data[0].td_maxend = ips->is_maxsend;
- st->stu_data[0].td_maxwin = ips->is_maxswin;
- st->stu_state[0] = ips->is_state[0];
- st->stu_data[1].td_end = ips->is_dend;
- st->stu_data[1].td_maxend = ips->is_maxdend;
- st->stu_data[1].td_maxwin = ips->is_maxdwin;
- st->stu_state[1] = ips->is_state[1];
- } else if (tab == SMC_NAT) {
- nat = sl->sl_ipn;
- st->stu_age = htonl(nat->nat_age);
- }
- }
- RWLOCK_EXIT(&ipf_syncstate);
-
- MUTEX_ENTER(&ipsl_mutex);
-# if SOLARIS
-# ifdef _KERNEL
- cv_signal(&ipslwait);
-# endif
- MUTEX_EXIT(&ipsl_mutex);
-# else
- MUTEX_EXIT(&ipsl_mutex);
-# ifdef _KERNEL
- wakeup(&sl_tail);
-# endif
-# endif
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* Function: fr_sync_ioctl */
-/* Returns: int - 0 == success, != 0 == failure */
-/* Parameters: data(I) - pointer to ioctl data */
-/* cmd(I) - ioctl command integer */
-/* mode(I) - file mode bits used with open */
-/* */
-/* This function currently does not handle any ioctls and so just returns */
-/* EINVAL on all occasions. */
-/* ------------------------------------------------------------------------ */
-int fr_sync_ioctl(data, cmd, mode)
-caddr_t data;
-ioctlcmd_t cmd;
-int mode;
-{
- return EINVAL;
-}
-#endif /* IPFILTER_SYNC */
diff --git a/contrib/ipfilter/ip_sync.h b/contrib/ipfilter/ip_sync.h
deleted file mode 100644
index e319a95..0000000
--- a/contrib/ipfilter/ip_sync.h
+++ /dev/null
@@ -1,117 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h 1.35 6/5/96
- * Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
- */
-
-#ifndef __IP_SYNC_H__
-#define __IP_SYNC_H__
-
-typedef struct synchdr {
- u_32_t sm_magic; /* magic */
- u_char sm_v; /* version: 4,6 */
- u_char sm_p; /* protocol */
- u_char sm_cmd; /* command */
- u_char sm_table; /* NAT, STATE, etc */
- u_int sm_num; /* table entry number */
- int sm_rev; /* forward/reverse */
- int sm_len; /* length of the data section */
- struct synclist *sm_sl; /* back pointer to parent */
-} synchdr_t;
-
-
-#define SYNHDRMAGIC 0x0FF51DE5
-
-/*
- * Commands
- * No delete required as expirey will take care of that!
- */
-#define SMC_CREATE 0 /* pass ipstate_t after synchdr_t */
-#define SMC_UPDATE 1
-#define SMC_MAXCMD 1
-
-/*
- * Tables
- */
-#define SMC_NAT 0
-#define SMC_STATE 1
-#define SMC_MAXTBL 1
-
-
-/*
- * Only TCP requires "more" information than just a reference to the entry
- * for which an update is being made.
- */
-typedef struct synctcp_update {
- u_long stu_age;
- tcpdata_t stu_data[2];
- int stu_state[2];
-} synctcp_update_t;
-
-
-typedef struct synclist {
- struct synclist *sl_next;
- struct synclist **sl_pnext;
- int sl_idx; /* update index */
- struct synchdr sl_hdr;
- union {
- struct ipstate *slu_ips;
- struct nat *slu_ipn;
- void *slu_ptr;
- } sl_un;
-} synclist_t;
-
-#define sl_ptr sl_un.slu_ptr
-#define sl_ips sl_un.slu_ips
-#define sl_ipn sl_un.slu_ipn
-#define sl_magic sl_hdr.sm_magic
-#define sl_v sl_hdr.sm_v
-#define sl_p sl_hdr.sm_p
-#define sl_cmd sl_hdr.sm_cmd
-#define sl_rev sl_hdr.sm_rev
-#define sl_table sl_hdr.sm_table
-#define sl_num sl_hdr.sm_num
-#define sl_len sl_hdr.sm_len
-
-/*
- * NOTE: SYNCLOG_SZ is defined *low*. It should be the next power of two
- * up for whatever number of packets per second you expect to see. Be
- * warned: this index's a table of large elements (upto 272 bytes in size
- * each), and thus a size of 8192, for example, results in a 2MB table.
- * The lesson here is not to use small machines for running fast firewalls
- * (100BaseT) in sync, where you might have upwards of 10k pps.
- */
-#define SYNCLOG_SZ 256
-
-typedef struct synclogent {
- struct synchdr sle_hdr;
- union {
- struct ipstate sleu_ips;
- struct nat sleu_ipn;
- } sle_un;
-} synclogent_t;
-
-typedef struct syncupdent { /* 28 or 32 bytes */
- struct synchdr sup_hdr;
- struct synctcp_update sup_tcp;
-} syncupdent_t;
-
-extern synclogent_t synclog[SYNCLOG_SZ];
-
-
-extern int fr_sync_ioctl __P((caddr_t, ioctlcmd_t, int));
-extern synclist_t *ipfsync_new __P((int, fr_info_t *, void *));
-extern void ipfsync_del __P((synclist_t *));
-extern void ipfsync_update __P((int, fr_info_t *, synclist_t *));
-extern int ipfsync_init __P((void));
-extern int ipfsync_nat __P((synchdr_t *sp, void *data));
-extern int ipfsync_state __P((synchdr_t *sp, void *data));
-extern int ipfsync_read __P((struct uio *uio));
-extern int ipfsync_write __P((struct uio *uio));
-
-#endif /* IP_SYNC */
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
deleted file mode 100644
index cf85280..0000000
--- a/contrib/ipfilter/ipf.c
+++ /dev/null
@@ -1,764 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ipf.h"
-#include "ipl.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.23 2003/06/27 14:39:13 darrenr Exp $";
-#endif
-
-#if SOLARIS
-static void blockunknown __P((void));
-#endif
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-void frsync __P((void));
-void zerostats __P((void));
-int main __P((int, char *[]));
-
-int opts = 0;
-int use_inet6 = 0;
-
-static int fd = -1;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static int set_state __P((u_int));
-static void showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
-static int opendevice __P((char *));
-static void closedevice __P((void));
-static char *getline __P((char *, size_t, FILE *, int *));
-static char *ipfname = IPL_NAME;
-static void usage __P((char *));
-static int showversion __P((void));
-static int get_flags __P((int *));
-
-
-#if SOLARIS
-# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
-#else
-# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
-#endif
-
-static void usage(name)
-char *name;
-{
- fprintf(stderr, "usage: %s [-%s] %s %s %s\n", name, OPTS,
- "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c;
-
- if (argc < 2)
- usage(argv[0]);
-
- while ((c = getopt(argc, argv, OPTS)) != -1) {
- switch (c)
- {
- case '6' :
- use_inet6 = 1;
- break;
- case 'A' :
- opts &= ~OPT_INACTIVE;
- break;
- case 'E' :
- if (set_state((u_int)1))
- exit(1);
- break;
- case 'D' :
- if (set_state((u_int)0))
- exit(1);
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- procfile(argv[0], optarg);
- break;
- case 'F' :
- flushfilter(optarg);
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- packetlogon(optarg);
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- break;
- case 'P' :
- ipfname = IPL_AUTH;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- swapactive();
- break;
-#if SOLARIS
- case 'U' :
- blockunknown();
- break;
-#endif
- case 'v' :
- opts += OPT_VERBOSE;
- break;
- case 'V' :
- if (showversion())
- exit(1);
- break;
- case 'y' :
- frsync();
- break;
- case 'z' :
- opts |= OPT_ZERORULEST;
- break;
- case 'Z' :
- zerostats();
- break;
- case '?' :
- default :
- usage(argv[0]);
- break;
- }
- }
-
- if (optind < 2)
- usage(argv[0]);
-
- if (fd != -1)
- (void) close(fd);
-
- exit(0);
- /* NOTREACHED */
-}
-
-
-static int opendevice(ipfdev)
-char *ipfdev;
-{
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (!ipfdev)
- ipfdev = ipfname;
-
- /*
- * shouldn't we really be testing for fd < 0 here and below?
- */
-
- if (fd != -1)
- return 0;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1) {
- if ((fd = open(ipfdev, O_RDONLY)) == -1) {
- perror("open device");
- if (errno == ENODEV)
- fprintf(stderr, "IPFilter enabled?\n");
- return -1;
- }
- }
-
- return 0;
-}
-
-
-static void closedevice()
-{
- if (fd != -1)
- close(fd);
- fd = -1;
-}
-
-
-/*
- * Return codes:
- * 0 Success
- * !0 Failure (and an error message has already been printed)
- */
-static int get_flags(i)
-int *i;
-{
-
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (opendevice(ipfname) < 0)
- return -1;
-
- if (ioctl(fd, SIOCGETFF, i) == -1) {
- perror("SIOCGETFF");
- return -1;
- }
- return 0;
-}
-
-
-static int set_state(enable)
-u_int enable;
-{
- if (opts & OPT_DONOTHING)
- return 0;
-
- if (opendevice(ipfname))
- return -1;
-
- if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
- /* Not really an error */
- fprintf(stderr,
- "IP Filter: already initialized\n");
- else {
- perror("SIOCFRENB");
- return -1;
- }
- }
- return 0;
-}
-
-static void procfile(name, file)
-char *name, *file;
-{
- FILE *fp;
- char line[513], *s;
- struct frentry *fr;
- u_int add, del;
- int linenum = 0;
- int parsestatus;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (opts & OPT_INACTIVE) {
- add = SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = SIOCADAFR;
- del = SIOCRMAFR;
- }
- if (opts & OPT_DEBUG)
- printf("add %x del %x\n", add, del);
-
- initparse();
-
- if (!strcmp(file, "-"))
- fp = stdin;
- else if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
- STRERROR(errno));
- exit(1);
- }
-
- while (getline(line, sizeof(line), fp, &linenum)) {
- /*
- * treat CR as EOL. LF is converted to NUL by getline().
- */
- if ((s = index(line, '\r')))
- *s = '\0';
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- if (opts & OPT_VERBOSE)
- (void)fprintf(stderr, "[%s]\n", line);
-
- parsestatus = 1;
- fr = parse(line, linenum, &parsestatus);
- (void)fflush(stdout);
-
- if (parsestatus != 0) {
- fprintf(stderr, "%s: %s: %s error (%d), quitting\n",
- name, file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
-
- if (fr) {
- if (opts & OPT_ZERORULEST)
- add = SIOCZRLST;
- else if (opts & OPT_INACTIVE)
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- else
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- if (fr->fr_hits)
- fr->fr_hits--;
- if (fr && (opts & OPT_VERBOSE))
- printfr(fr);
- if (fr && (opts & OPT_OUTQUE))
- fr->fr_flags |= FR_OUTQUE;
-
- if (opts & OPT_DEBUG)
- binprint(fr);
-
- if ((opts & OPT_ZERORULEST) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCZRLST)");
- exit(1);
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr);
- }
- } else if ((opts & OPT_REMOVE) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, del, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(delete rule)");
- exit(1);
- }
- } else if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(add/insert rule)");
- exit(1);
- }
- }
- }
- }
- if (ferror(fp) || !feof(fp)) {
- fprintf(stderr, "%s: %s: file error or line too long\n",
- name, file);
- exit(1);
- }
- (void)fclose(fp);
-}
-
-/*
- * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
- * Returns NULL if error occurred, EOF encounterd or input line is too long.
- */
-static char *getline(str, size, file, linenum)
-register char *str;
-size_t size;
-FILE *file;
-int *linenum;
-{
- char *p;
- int s, len;
-
- do {
- for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
- /*
- * if an error occurred, EOF was encounterd, or there
- * was no room to put NUL, return NULL.
- */
- if (fgets(p, s, file) == NULL)
- return (NULL);
- len = strlen(p);
- if (p[len - 1] != '\n') {
- p[len] = '\0';
- break;
- }
- (*linenum)++;
- p[len - 1] = '\0';
- if (len < 2 || p[len - 2] != '\\')
- break;
- else
- /*
- * Convert '\\' to a space so words don't
- * run together
- */
- p[len - 2] = ' ';
- }
- } while (*str == '\0');
- return (str);
-}
-
-
-static void packetlogon(opt)
-char *opt;
-{
- int flag;
-
- if (get_flags(&flag))
- exit(1);
-
- if (flag != 0) {
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
- }
-
- flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
-
- if (index(opt, 'p')) {
- flag |= FF_LOGPASS;
- if (opts & OPT_VERBOSE)
- printf("set log flag: pass\n");
- }
- if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
- flag |= FF_LOGNOMATCH;
- if (opts & OPT_VERBOSE)
- printf("set log flag: nomatch\n");
- }
- if (index(opt, 'b') || index(opt, 'd')) {
- flag |= FF_LOGBLOCK;
- if (opts & OPT_VERBOSE)
- printf("set log flag: block\n");
- }
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSETFF, &flag) != 0) {
- perror("ioctl(SIOCSETFF)");
- exit(1);
- }
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- /*
- * Even though the ioctls above succeeded, it
- * is possible that a calling script/program
- * relies on the following verbose mode string.
- * Thus, we still take an error exit if get_flags
- * fails here.
- */
- if (get_flags(&flag))
- exit(1);
- printf("log flag is now %#x\n", flag);
- }
-}
-
-
-static void flushfilter(arg)
-char *arg;
-{
- int fl = 0, rem;
-
- if (!arg || !*arg) {
- fprintf(stderr, "-F: no filter specified\n");
- exit(1);
- }
-
- if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
- if (*arg == 'S')
- fl = 0;
- else
- fl = 1;
- rem = fl;
-
- closedevice();
-
- if (opendevice(IPL_STATE) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d filter rules\n", fl);
- }
- closedevice();
- return;
- }
- if (strchr(arg, 'i') || strchr(arg, 'I'))
- fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
- fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
- fl = FR_OUTQUE|FR_INQUE;
- fl |= (opts & FR_INACTIVE);
- rem = fl;
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
- (rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
- }
- return;
-}
-
-
-static void swapactive()
-{
- int in = 2;
-
- if (opendevice(ipfname) == -1) {
- exit(1);
- }
-
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSWAPA, &in) == -1) {
- perror("ioctl(SIOCSWAPA)");
- exit(1);
- }
- }
- printf("Set %d now inactive\n", in);
-}
-
-
-void frsync()
-{
- int frsyn = 0;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) {
- perror("SIOCFRSYN");
- exit(1);
- }
- }
- printf("filter sync'd\n");
-}
-
-
-void zerostats()
-{
- friostat_t fio;
- friostat_t *fiop = &fio;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
- perror("ioctl(SIOCFRZST)");
- exit(-1);
- }
- showstats(fiop);
- }
-
-}
-
-
-/*
- * Read the kernel stats for packets blocked and passed
- */
-static void showstats(fp)
-friostat_t *fp;
-{
-#if SOLARIS
- printf("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- printf("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- printf(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#endif
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
-}
-
-
-#if SOLARIS
-static void blockunknown()
-{
- int flag;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (get_flags(&flag))
- exit(1);
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
-
- flag ^= FF_BLOCKNONIP;
-
- if (opendevice(ipfname) == -1)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSETFF, &flag))
- perror("ioctl(SIOCSETFF)");
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if (ioctl(fd, SIOCGETFF, &flag))
- perror("ioctl(SIOCGETFF)");
-
- printf("log flag is now %#x\n", flag);
- }
-}
-#endif
-
-
-/*
- * nonzero return value means caller should exit with error
- */
-static int showversion()
-{
- struct friostat fio;
- struct friostat *fiop=&fio;
- int flags, vfd;
- char *s;
-
- printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
-
- if ((vfd = open(ipfname, O_RDONLY)) == -1) {
- perror("open device");
- return 1;
- }
-
- if (ioctl(vfd, SIOCGETFS, &fiop)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- return 1;
- }
- close(vfd);
-
- printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
- (int)sizeof(fio.f_version), fio.f_version);
- printf("Running: %s\n", fio.f_running ? "yes" : "no");
-
- if (get_flags(&flags)) {
- return 1;
- }
- printf("Log Flags: %#x = ", flags);
- s = "";
- if (flags & FF_LOGPASS) {
- printf("pass");
- s = ", ";
- }
- if (flags & FF_LOGBLOCK) {
- printf("%sblock", s);
- s = ", ";
- }
- if (flags & FF_LOGNOMATCH) {
- printf("%snomatch", s);
- s = ", ";
- }
- if (flags & FF_BLOCKNONIP) {
- printf("%snonip", s);
- s = ", ";
- }
- if (!*s)
- printf("none set");
- putchar('\n');
-
- printf("Default: ");
- if (fio.f_defpass & FR_PASS)
- s = "pass";
- else if (fio.f_defpass & FR_BLOCK)
- s = "block";
- else
- s = "nomatch -> block";
- printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
- printf("Active list: %d\n", fio.f_active);
-
- return 0;
-}
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
deleted file mode 100644
index 1a2d0f0..0000000
--- a/contrib/ipfilter/ipf.h
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.71.2.15 2007/05/11 10:44:14 darrenr Exp $
- */
-
-#ifndef __IPF_H__
-#define __IPF_H__
-
-#if defined(__osf__)
-# define radix_mask ipf_radix_mask
-# define radix_node ipf_radix_node
-# define radix_node_head ipf_radix_node_head
-#endif
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/file.h>
-/*
- * This is a workaround for <sys/uio.h> troubles on FreeBSD, HPUX, OpenBSD.
- * Needed here because on some systems <sys/uio.h> gets included by things
- * like <sys/socket.h>
- */
-#ifndef _KERNEL
-# define ADD_KERNEL
-# define _KERNEL
-# define KERNEL
-#endif
-#ifdef __OpenBSD__
-struct file;
-#endif
-#include <sys/uio.h>
-#ifdef ADD_KERNEL
-# undef _KERNEL
-# undef KERNEL
-#endif
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#ifndef TCP_PAWS_IDLE /* IRIX */
-# include <netinet/tcp.h>
-#endif
-#include <netinet/udp.h>
-
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <netdb.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <stdio.h>
-#if !defined(__SVR4) && !defined(__svr4__) && defined(sun)
-# include <strings.h>
-#endif
-#include <string.h>
-#include <unistd.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_scan.h"
-#include "netinet/ip_htable.h"
-#include "netinet/ip_sync.h"
-
-#include "opts.h"
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifndef __STDC__
-# undef const
-# define const
-#endif
-
-#ifndef U_32_T
-# define U_32_T 1
-# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__sgi)
-typedef u_int32_t u_32_t;
-# else
-# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
-typedef unsigned int u_32_t;
-# else
-# if SOLARIS2 >= 6
-typedef uint32_t u_32_t;
-# else
-typedef unsigned int u_32_t;
-# endif
-# endif
-# endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
-#endif /* U_32_T */
-
-#ifndef MAXHOSTNAMELEN
-# define MAXHOSTNAMELEN 256
-#endif
-
-#define MAX_ICMPCODE 16
-#define MAX_ICMPTYPE 19
-
-
-struct ipopt_names {
- int on_value;
- int on_bit;
- int on_siz;
- char *on_name;
-};
-
-
-typedef struct alist_s {
- struct alist_s *al_next;
- int al_not;
- i6addr_t al_i6addr;
- i6addr_t al_i6mask;
-} alist_t;
-
-#define al_addr al_i6addr.in4_addr
-#define al_mask al_i6mask.in4_addr
-#define al_1 al_addr
-#define al_2 al_mask
-
-
-typedef struct {
- u_short fb_c;
- u_char fb_t;
- u_char fb_f;
- u_32_t fb_k;
-} fakebpf_t;
-
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux)
-# include <stdarg.h>
-typedef int (* ioctlfunc_t) __P((int, ioctlcmd_t, ...));
-#else
-typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *));
-#endif
-typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *));
-typedef int (* copyfunc_t) __P((void *, void *, size_t));
-
-
-/*
- * SunOS4
- */
-#if defined(sun) && !defined(__SVR4) && !defined(__svr4__)
-extern int ioctl __P((int, int, void *));
-#endif
-
-extern char thishost[];
-extern char flagset[];
-extern u_char flags[];
-extern struct ipopt_names ionames[];
-extern struct ipopt_names secclass[];
-extern char *icmpcodes[MAX_ICMPCODE + 1];
-extern char *icmptypes[MAX_ICMPTYPE + 1];
-extern int use_inet6;
-extern int lineNum;
-extern struct ipopt_names v6ionames[];
-
-
-extern int addicmp __P((char ***, struct frentry *, int));
-extern int addipopt __P((char *, struct ipopt_names *, int, char *));
-extern void alist_free __P((alist_t *));
-extern alist_t *alist_new __P((int, char *));
-extern void binprint __P((void *, size_t));
-extern void initparse __P((void));
-extern u_32_t buildopts __P((char *, char *, int));
-extern int checkrev __P((char *));
-extern int count6bits __P((u_32_t *));
-extern int count4bits __P((u_32_t));
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-extern void fill6bits __P((int, u_int *));
-extern int gethost __P((char *, u_32_t *));
-extern int getport __P((struct frentry *, char *, u_short *));
-extern int getportproto __P((char *, int));
-extern int getproto __P((char *));
-extern char *getnattype __P((struct nat *, int));
-extern char *getsumd __P((u_32_t));
-extern u_32_t getoptbyname __P((char *));
-extern u_32_t getoptbyvalue __P((int));
-extern u_32_t getv6optbyname __P((char *));
-extern u_32_t getv6optbyvalue __P((int));
-extern void initparse __P((void));
-extern void ipf_dotuning __P((int, char *, ioctlfunc_t));
-extern void ipf_addrule __P((int, ioctlfunc_t, void *));
-extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *));
-extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *));
-extern int ipmon_parsefile __P((char *));
-extern int ipmon_parsesome __P((FILE *));
-extern void ipnat_addrule __P((int, ioctlfunc_t, void *));
-extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *));
-extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *));
-extern int ippool_parsefile __P((int, char *, ioctlfunc_t));
-extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t));
-extern int kmemcpywrap __P((void *, void *, size_t));
-extern char *kvatoname __P((ipfunc_t, ioctlfunc_t));
-extern alist_t *load_file __P((char *));
-extern int load_hash __P((struct iphtable_s *, struct iphtent_s *,
- ioctlfunc_t));
-extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
-extern alist_t *load_http __P((char *));
-extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t));
-extern int load_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
-extern alist_t *load_url __P((char *));
-extern alist_t *make_range __P((int, struct in_addr, struct in_addr));
-extern ipfunc_t nametokva __P((char *, ioctlfunc_t));
-extern void nat_setgroupmap __P((struct ipnat *));
-extern int ntomask __P((int, int, u_32_t *));
-extern u_32_t optname __P((char ***, u_short *, int));
-extern struct frentry *parse __P((char *, int));
-extern char *portname __P((int, int));
-extern int pri_findname __P((char *));
-extern char *pri_toname __P((int));
-extern void print_toif __P((char *, struct frdest *));
-extern void printaps __P((ap_session_t *, int));
-extern void printbuf __P((char *, int, int));
-extern void printfr __P((struct frentry *, ioctlfunc_t));
-extern void printtunable __P((ipftune_t *));
-extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t,
- char *, int));
-extern struct iphtable_s *printhash_live __P((iphtable_t *, int, char *, int));
-extern void printhashdata __P((iphtable_t *, int));
-extern struct iphtent_s *printhashnode __P((struct iphtable_s *,
- struct iphtent_s *,
- copyfunc_t, int));
-extern void printhostmask __P((int, u_32_t *, u_32_t *));
-extern void printip __P((u_32_t *));
-extern void printlog __P((struct frentry *));
-extern void printlookup __P((i6addr_t *addr, i6addr_t *mask));
-extern void printmask __P((u_32_t *));
-extern void printpacket __P((struct ip *));
-extern void printpacket6 __P((struct ip *));
-extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t,
- char *, int));
-extern struct ip_pool_s *printpool_live __P((struct ip_pool_s *, int,
- char *, int));
-extern void printpooldata __P((ip_pool_t *, int));
-extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int));
-extern void printproto __P((struct protoent *, int, struct ipnat *));
-extern void printportcmp __P((int, struct frpcmp *));
-extern void optprint __P((u_short *, u_long, u_long));
-#ifdef USE_INET6
-extern void optprintv6 __P((u_short *, u_long, u_long));
-#endif
-extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t));
-extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t));
-extern int remove_pool __P((ip_pool_t *, ioctlfunc_t));
-extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t));
-extern u_char tcp_flags __P((char *, u_char *, int));
-extern u_char tcpflags __P((char *));
-extern void printc __P((struct frentry *));
-extern void printC __P((int));
-extern void emit __P((int, int, void *, struct frentry *));
-extern u_char secbit __P((int));
-extern u_char seclevel __P((char *));
-extern void printfraginfo __P((char *, struct ipfr *));
-extern void printifname __P((char *, char *, void *));
-extern char *hostname __P((int, void *));
-extern struct ipstate *printstate __P((struct ipstate *, int, u_long));
-extern void printsbuf __P((char *));
-extern void printnat __P((struct ipnat *, int));
-extern void printactivenat __P((struct nat *, int, int, u_long));
-extern void printhostmap __P((struct hostmap *, u_int));
-extern void printtqtable __P((ipftq_t *));
-
-extern void set_variable __P((char *, char *));
-extern char *get_variable __P((char *, char **, int));
-extern void resetlexer __P((void));
-
-#if SOLARIS
-extern int gethostname __P((char *, int ));
-extern void sync __P((void));
-#endif
-
-#endif /* __IPF_H__ */
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
deleted file mode 100644
index ffbd71b..0000000
--- a/contrib/ipfilter/ipfs.c
+++ /dev/null
@@ -1,859 +0,0 @@
-/*
- * Copyright (C) 1999-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ipf.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.15 2003/05/31 02:12:21 darrenr Exp $";
-#endif
-
-#ifndef IPF_SAVEDIR
-# define IPF_SAVEDIR "/var/db/ipf"
-#endif
-#ifndef IPF_NATFILE
-# define IPF_NATFILE "ipnat.ipf"
-#endif
-#ifndef IPF_STATEFILE
-# define IPF_STATEFILE "ipstate.ipf"
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-int main __P((int, char *[]));
-void usage __P((void));
-int changestateif __P((char *, char *));
-int changenatif __P((char *, char *));
-int readstate __P((int, char *));
-int readnat __P((int, char *));
-int writestate __P((int, char *));
-int opendevice __P((char *));
-void closedevice __P((int));
-int setlock __P((int, int));
-int writeall __P((char *));
-int readall __P((char *));
-int writenat __P((int, char *));
-char *concat __P((char *, char *));
-
-int opts = 0;
-char *progname;
-
-
-void usage()
-{
- fprintf(stderr, "\
-usage: %s [-nv] -l\n\
-usage: %s [-nv] -u\n\
-usage: %s [-nv] [-d <dir>] -R\n\
-usage: %s [-nv] [-d <dir>] -W\n\
-usage: %s [-nv] -N [-f <file> | -d <dir>] -r\n\
-usage: %s [-nv] -S [-f <file> | -d <dir>] -r\n\
-usage: %s [-nv] -N [-f <file> | -d <dir>] -w\n\
-usage: %s [-nv] -S [-f <file> | -d <dir>] -w\n\
-usage: %s [-nv] -N [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
-usage: %s [-nv] -S [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\
-", progname, progname, progname, progname, progname, progname,
- progname, progname, progname, progname);
- exit(1);
-}
-
-
-/*
- * Change interface names in state information saved out to disk.
- */
-int changestateif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- ipstate_save_t ips;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- if (nlen >= sizeof(ips.ips_is.is_ifname) ||
- olen >= sizeof(ips.ips_is.is_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
- rw = 0;
- if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[0], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[1], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-/*
- * Change interface names in NAT information saved out to disk.
- */
-int changenatif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- nat_save_t ipn;
- nat_t *nat;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- nat = &ipn.ipn_nat;
- if (nlen >= sizeof(nat->nat_ifname) || olen >= sizeof(nat->nat_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
- rw = 0;
- if (!strncmp(nat->nat_ifname, ifs, olen + 1)) {
- strcpy(nat->nat_ifname, s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
- char *dirname = NULL, *filename = NULL, *ifs = NULL;
-
- progname = argv[0];
-
- while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
- switch (c)
- {
- case 'd' :
- if ((set == 0) && !dirname && !filename)
- dirname = optarg;
- else
- usage();
- break;
- case 'f' :
- if ((set == 1) && !dirname && !filename && !(rw & 2))
- filename = optarg;
- else
- usage();
- break;
- case 'i' :
- ifs = optarg;
- set = 1;
- break;
- case 'l' :
- if (filename || dirname || set)
- usage();
- lock = 1;
- set = 1;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'N' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 0;
- set = 1;
- break;
- case 'r' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 0;
- set = 1;
- break;
- case 'R' :
- if (filename || (ns != -1))
- usage();
- rw = 2;
- set = 1;
- break;
- case 'S' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 1;
- set = 1;
- break;
- case 'u' :
- if (filename || dirname || set)
- usage();
- lock = 0;
- set = 1;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 1;
- set = 1;
- break;
- case 'W' :
- if (filename || (ns != -1))
- usage();
- rw = 3;
- set = 1;
- break;
- case '?' :
- default :
- usage();
- }
-
- if (optind < 2)
- usage();
-
- if (filename == NULL) {
- if (ns == 0) {
- if (dirname == NULL)
- dirname = IPF_SAVEDIR;
- if (dirname[strlen(dirname) - 1] != '/')
- dirname = concat(dirname, "/");
- filename = concat(dirname, IPF_NATFILE);
- } else if (ns == 1) {
- if (dirname == NULL)
- dirname = IPF_SAVEDIR;
- if (dirname[strlen(dirname) - 1] != '/')
- dirname = concat(dirname, "/");
- filename = concat(dirname, IPF_STATEFILE);
- }
- }
-
- if (ifs) {
- if (!filename || ns < 0)
- usage();
- if (ns == 0)
- return changenatif(ifs, filename);
- else
- return changestateif(ifs, filename);
- }
-
- if ((ns >= 0) || (lock >= 0)) {
- if (lock >= 0)
- devfd = opendevice(NULL);
- else if (ns >= 0) {
- if (ns == 1)
- devfd = opendevice(IPL_STATE);
- else if (ns == 0)
- devfd = opendevice(IPL_NAT);
- }
- if (devfd == -1)
- exit(1);
- }
-
- if (lock >= 0)
- err = setlock(devfd, lock);
- else if (rw >= 0) {
- if (rw & 1) { /* WRITE */
- if (rw & 2)
- err = writeall(dirname);
- else {
- if (ns == 0)
- err = writenat(devfd, filename);
- else if (ns == 1)
- err = writestate(devfd, filename);
- }
- } else {
- if (rw & 2)
- err = readall(dirname);
- else {
- if (ns == 0)
- err = readnat(devfd, filename);
- else if (ns == 1)
- err = readstate(devfd, filename);
- }
- }
- }
- return err;
-}
-
-
-char *concat(base, append)
-char *base, *append;
-{
- char *str;
-
- str = malloc(strlen(base) + strlen(append) + 1);
- if (str != NULL) {
- strcpy(str, base);
- strcat(str, append);
- }
- return str;
-}
-
-
-int opendevice(ipfdev)
-char *ipfdev;
-{
- int fd = -1;
-
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = IPL_NAME;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-void closedevice(fd)
-int fd;
-{
- close(fd);
-}
-
-
-int setlock(fd, lock)
-int fd, lock;
-{
- if (opts & OPT_VERBOSE)
- printf("Turn lock %s\n", lock ? "on" : "off");
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
- perror("SIOCSTLCK");
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Lock now %s\n", lock ? "on" : "off");
- }
- return 0;
-}
-
-
-int writestate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *ipsp;
- int wfd = -1;
-
- if (!file)
- file = IPF_STATEFILE;
-
- wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (wfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("state:open");
- return 1;
- }
-
- ipsp = &ips;
- bzero((char *)ipsp, sizeof(ips));
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting state from addr %p\n", ips.ips_next);
- if (ioctl(fd, SIOCSTGET, &ipsp)) {
- if (errno == ENOENT)
- break;
- perror("state:SIOCSTGET");
- close(wfd);
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Got state next %p\n", ips.ips_next);
- if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
- perror("state:write");
- close(wfd);
- return 1;
- }
- } while (ips.ips_next != NULL);
- close(wfd);
-
- return 0;
-}
-
-
-int readstate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
- int sfd = -1, i;
-
- if (!file)
- file = IPF_STATEFILE;
-
- sfd = open(file, O_RDONLY, 0600);
- if (sfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("open");
- return 1;
- }
-
- bzero((char *)&ips, sizeof(ips));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(sfd, &ips, sizeof(ips));
- if (i == -1) {
- perror("read");
- close(sfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ips)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ips));
- close(sfd);
- return 1;
- }
- is = (ipstate_save_t *)malloc(sizeof(*is));
- if(!is) {
- fprintf(stderr, "malloc failed\n");
- return 1;
- }
-
- bcopy((char *)&ips, (char *)is, sizeof(ips));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
- if (is1->ips_rule == is->ips_rule)
- break;
- if (is1 == NULL)
- is->ips_is.is_flags |= FI_NEWFR;
- else
- is->ips_rule = (void *)&is1->ips_rule;
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- is->ips_next = NULL;
- if (!ipshead)
- ipshead = is;
- if (ipstail)
- ipstail->ips_next = is;
- ipstail = is;
- } while (1);
-
- close(sfd);
-
- for (is = ipshead; is; is = is->ips_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new state table entry\n");
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &is)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", is->ips_rule);
- for (is1 = is->ips_next; is1; is1 = is1->ips_next)
- if (is1->ips_rule == (frentry_t *)&is->ips_rule)
- is1->ips_rule = is->ips_rule;
- }
- }
-
- return 0;
-}
-
-
-int readnat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
- int nfd = -1, i;
- nat_t *nat;
- char *s;
- int n;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_RDONLY);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(nfd, &ipn, sizeof(ipn));
- if (i == -1) {
- perror("read");
- close(nfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ipn)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ipn));
- close(nfd);
- return 1;
- }
-
- if (ipn.ipn_dsize > 0) {
- n = ipn.ipn_dsize;
-
- if (n > sizeof(ipn.ipn_data))
- n -= sizeof(ipn.ipn_data);
- else
- n = 0;
- in = malloc(sizeof(*in) + n);
- if (!in)
- break;
-
- if (n > 0) {
- s = in->ipn_data + sizeof(in->ipn_data);
- i = read(nfd, s, n);
- if (i == 0)
- break;
- if (i != n) {
- fprintf(stderr,
- "incomplete read: %d != %d\n",
- i, n);
- close(nfd);
- return 1;
- }
- }
- } else
- in = (nat_save_t *)malloc(sizeof(*in));
- bcopy((char *)&ipn, (char *)in, sizeof(ipn));
-
- /*
- * Check to see if this is the first NAT entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- nat = &in->ipn_nat;
- if (nat->nat_fr != NULL) {
- for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
- if (in1->ipn_rule == nat->nat_fr)
- break;
- if (in1 == NULL)
- nat->nat_flags |= FI_NEWFR;
- else
- nat->nat_fr = &in1->ipn_fr;
- }
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- in->ipn_next = NULL;
- if (!ipnhead)
- ipnhead = in;
- if (ipntail)
- ipntail->ipn_next = in;
- ipntail = in;
- } while (1);
-
- close(nfd);
- nfd = -1;
-
- for (in = ipnhead; in; in = in->ipn_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new NAT table entry\n");
- nat = &in->ipn_nat;
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &in)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", nat->nat_fr);
- for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
- if (in1->ipn_rule == &in->ipn_fr)
- in1->ipn_rule = nat->nat_fr;
- }
- }
-
- return 0;
-}
-
-
-int writenat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t *ipnp = NULL, *next = NULL;
- int nfd = -1;
- natget_t ng;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting nat from addr %p\n", ipnp);
- ng.ng_ptr = next;
- ng.ng_sz = 0;
- if (ioctl(fd, SIOCSTGSZ, &ng)) {
- perror("nat:SIOCSTGSZ");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
-
- if (ng.ng_sz == 0)
- break;
-
- if (!ipnp)
- ipnp = malloc(ng.ng_sz);
- else
- ipnp = realloc((char *)ipnp, ng.ng_sz);
- if (!ipnp) {
- fprintf(stderr,
- "malloc for %d bytes failed\n", ng.ng_sz);
- break;
- }
-
- bzero((char *)ipnp, ng.ng_sz);
- ipnp->ipn_next = next;
- if (ioctl(fd, SIOCSTGET, &ipnp)) {
- if (errno == ENOENT)
- break;
- perror("nat:SIOCSTGET");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("Got nat next %p\n", ipnp->ipn_next);
- if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) {
- perror("nat:write");
- close(nfd);
- return 1;
- }
- next = ipnp->ipn_next;
- } while (ipnp && next);
- close(nfd);
-
- return 0;
-}
-
-
-int writeall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname);
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- goto bad;
- if (writestate(devfd, NULL))
- goto bad;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- goto bad;
- if (writenat(devfd, NULL))
- goto bad;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-
-bad:
- setlock(fd, 0);
- close(fd);
- return 1;
-}
-
-
-int readall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- return 1;
- if (readstate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- return 1;
- if (readnat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
deleted file mode 100644
index c8ae3f2..0000000
--- a/contrib/ipfilter/ipft_ef.c
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
- icmp type
- lnth proto source destination src port dst port
-
-etherfind -n
-
- 60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-
-etherfind -n -t
-
- 0.32 91 04 131.170.1.10 128.250.133.13
- 0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.5 2003/05/19 12:02:35 darrenr Exp $";
-#endif
-
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip };
-
-static FILE *efp = NULL;
-static int efd = -1;
-
-
-static int etherf_open(fname)
-char *fname;
-{
- if (efd != -1)
- return efd;
-
- if (!strcmp(fname, "-")) {
- efd = 0;
- efp = stdin;
- } else {
- efd = open(fname, O_RDONLY);
- efp = fdopen(efd, "r");
- }
- return efd;
-}
-
-
-static int etherf_close()
-{
- return close(efd);
-}
-
-
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p = NULL;
- char src[16], dst[16], sprt[16], dprt[16];
- char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst,
- sprt, dprt) != 6)
- if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time,
- len, prot, src, dst, sprt, dprt) != 7)
- return -1;
-
- ip->ip_p = atoi(prot);
- if (ip->ip_p == 0) {
- if (!(p = getprotobyname(prot)))
- return -1;
- ip->ip_p = p->p_proto;
- }
-
- switch (ip->ip_p) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(dst, &ip->ip_dst);
- ip->ip_len = atoi(len);
- ip->ip_hl = sizeof(ip_t);
-
- slen = ip->ip_hl + extra;
- i = MIN(cnt, slen);
- bcopy((char *)&pkt, buf, i);
- return i;
-}
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
deleted file mode 100644
index b26bd93..0000000
--- a/contrib/ipfilter/ipft_hx.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.6 2002/12/06 11:40:25 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static int hex_open __P((char *));
-static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
-static char *readhex __P((char *, char *));
-
-struct ipread iphex = { hex_open, hex_close, hex_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static int hex_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int hex_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s, *t, *u;
- char line[513];
- ip_t *ip;
-
- /*
- * interpret start of line as possibly "[ifname]" or
- * "[in/out,ifname]".
- */
- if (ifn)
- *ifn = NULL;
- if (dir)
- *dir = 0;
- ip = (ip_t *)buf;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
- *s = '\0';
- }
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF)) {
- printf("input: %s\n", line);
- fflush(stdout);
- }
-
- if ((*line == '[') && (s = index(line, ']'))) {
- t = line + 1;
- if (s - t > 0) {
- *s++ = '\0';
- if ((u = index(t, ',')) && (u < s)) {
- u++;
- if (ifn)
- *ifn = strdup(u);
- if (dir) {
- if (*t == 'i')
- *dir = 0;
- else if (*t == 'o')
- *dir = 1;
- }
- } else if (ifn)
- *ifn = t;
- }
- } else
- s = line;
- ip = (ip_t *)readhex(s, (char *)ip);
- }
- return -1;
-}
-
-
-static char *readhex(src, dst)
-register char *src, *dst;
-{
- int state = 0;
- char c;
-
- while ((c = *src++)) {
- if (isspace(c)) {
- if (state) {
- dst++;
- state = 0;
- }
- continue;
- } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
- (c >= 'A' && c <= 'F')) {
- c = isdigit(c) ? (c - '0') : (toupper(c) - 55);
- if (state == 0) {
- *dst = (c << 4);
- state++;
- } else {
- *dst++ |= c;
- state = 0;
- }
- } else
- break;
- }
- return dst;
-}
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
deleted file mode 100644
index b6060de..0000000
--- a/contrib/ipfilter/ipft_pc.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "pcap.h"
-#include "bpf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.5 2002/12/06 11:40:25 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_type;
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-
-static struct llc llcs[] = {
- { DLT_NULL, 0, 0, 0 },
- { DLT_EN10MB, 14, 12, 2 },
- { DLT_EN3MB, 0, 0, 0 },
- { DLT_AX25, 0, 0, 0 },
- { DLT_PRONET, 0, 0, 0 },
- { DLT_CHAOS, 0, 0, 0 },
- { DLT_IEEE802, 0, 0, 0 },
- { DLT_ARCNET, 0, 0, 0 },
- { DLT_SLIP, 0, 0, 0 },
- { DLT_PPP, 0, 0, 0 },
- { DLT_FDDI, 0, 0, 0 },
-#ifdef DLT_ATMRFC1483
- { DLT_ATMRFC1483, 0, 0, 0 },
-#endif
- { DLT_RAW, 0, 0, 0 },
-#ifdef DLT_ENC
- { DLT_ENC, 0, 0, 0 },
-#endif
-#ifdef DLT_SLIP_BSDOS
- { DLT_SLIP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_BSDOS
- { DLT_PPP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_HIPPI
- { DLT_HIPPI, 0, 0, 0 },
-#endif
-#ifdef DLT_HDLC
- { DLT_HDLC, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_SERIAL
- { DLT_PPP_SERIAL, 4, 4, 0 },
-#endif
-#ifdef DLT_PPP_ETHER
- { DLT_PPP_ETHER, 8, 8, 0 },
-#endif
-#ifdef DLT_ECONET
- { DLT_ECONET, 0, 0, 0 },
-#endif
- { -1, -1, -1, -1 }
-};
-
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
-
-static int pfd = -1, s_type = -1, swapped = 0;
-static struct llc *llcp = NULL;
-
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
-
-#define SWAPLONG(y) \
- ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
-#define SWAPSHORT(y) \
- ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-
-static void swap_hdr(p)
-pcaphdr_t *p;
-{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
-}
-
-static int pcap_open(fname)
-char *fname;
-{
- pcaphdr_t ph;
- int fd, i;
-
- if (pfd != -1)
- return pfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
- return -2;
-
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
- (void) close(fd);
- return -2;
- }
- swapped = 1;
- swap_hdr(&ph);
- }
-
- if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
- (void) close(fd);
- return -2;
- }
-
- for (i = 0; llcs[i].lc_type != -1; i++)
- if (llcs[i].lc_type == ph.pc_type) {
- llcp = llcs + i;
- break;
- }
-
- if (llcp == NULL) {
- (void) close(fd);
- return -2;
- }
-
- pfd = fd;
- s_type = ph.pc_type;
- printf("opened pcap file %s:\n", fname);
- printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
-
- return fd;
-}
-
-
-static int pcap_close()
-{
- return close(pfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a pcap file.
- */
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
-{
- int n, p;
-
- if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
- }
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
- if (!n || n < 0)
- return -3;
-
- return p;
-}
-
-
-#ifdef notyet
-/*
- * read an entire pcap packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct pcap_pkthdr rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(pfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct pcap_pkthdr rec;
- struct llc *l;
- char *s, ty[4];
- int i, n;
-
- l = llcp;
-
- /* do { */
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(pfd, s, i) != i)
- return -2;
-
- i -= l->lc_sz;
- s += l->lc_to;
- bcopy(s, ty, l->lc_tl);
- s += l->lc_tl;
- /* } while (ty[0] != 0x8 && ty[1] != 0); */
- n = MIN(i, cnt);
- bcopy(s, buf, n);
- return n;
-}
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
deleted file mode 100644
index 859bf5e..0000000
--- a/contrib/ipfilter/ipft_sn.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
- * Written to comply with the recent RFC 1761 from Sun.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-static struct llc llcs[SDL_MAX+1] = {
- { 0, 0, 0 }, /* SDL_8023 */
- { 0, 0, 0 }, /* SDL_8024 */
- { 0, 0, 0 }, /* SDL_8025 */
- { 0, 0, 0 }, /* SDL_8026 */
- { 14, 12, 2 }, /* SDL_ETHER */
- { 0, 0, 0 }, /* SDL_HDLC */
- { 0, 0, 0 }, /* SDL_CHSYNC */
- { 0, 0, 0 }, /* SDL_IBMCC */
- { 0, 0, 0 }, /* SDL_FDDI */
- { 0, 0, 0 }, /* SDL_OTHER */
-};
-
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip };
-
-
-static int snoop_open(fname)
-char *fname;
-{
- struct snoophdr sh;
- int fd;
- int s_v;
-
- if (sfd != -1)
- return sfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
- return -2;
-
- s_v = (int)ntohl(sh.s_v);
- s_type = (int)ntohl(sh.s_type);
-
- if (s_v != SNOOP_VERSION ||
- s_type < 0 || s_type > SDL_MAX) {
- (void) close(fd);
- return -2;
- }
-
- sfd = fd;
- printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
-
- return fd;
-}
-
-
-static int snoop_close()
-{
- return close(sfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a snoop file.
- */
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
- int n, plen, ilen;
-
- if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- ilen = (int)ntohl(rec->sp_ilen);
- plen = (int)ntohl(rec->sp_plen);
- if (ilen > plen || plen < sizeof(*rec))
- return -2;
-
- plen -= sizeof(*rec);
- n = MIN(plen, ilen);
- if (!n || n < 0)
- return -3;
-
- return plen;
-}
-
-
-#ifdef notyet
-/*
- * read an entire snoop packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct snooppkt rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(sfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct snooppkt rec;
- struct llc *l;
- char ty[4], *s;
- int i, n;
-
- do {
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(sfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_to;
- s += l->lc_to;
- /*
- * XXX - bogus assumption here on the part of the time field
- * that it won't be greater than 4 bytes and the 1st two will
- * have the values 8 and 0 for IP. Should be a table of
- * these too somewhere. Really only works for SDL_ETHER.
- */
- bcopy(s, ty, l->lc_tl);
- } while (ty[0] != 0x8 && ty[1] != 0);
-
- i -= l->lc_tl;
- s += l->lc_tl;
- n = MIN(i, cnt);
- bcopy(s, buf, n);
-
- return n;
-}
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
deleted file mode 100644
index 99beab5..0000000
--- a/contrib/ipfilter/ipft_td.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/*
-tcpdump -n
-
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-
-tcpdump -nq
-
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-
-tcpdump -nqt
-
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqtt
-
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqte
-
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-*/
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.6 2003/05/31 02:13:04 darrenr Exp $";
-#endif
-
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip };
-
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-
-static int tcpd_open(fname)
-char *fname;
-{
- if (tfd != -1)
- return tfd;
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int tcpd_close()
-{
- (void) fclose(tfp);
- return close(tfd);
-}
-
-
-static int count_dots(str)
-char *str;
-{
- int i = 0;
-
- while (*str)
- if (*str++ == '.')
- i++;
- return i;
-}
-
-
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p;
- char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
- char lbuf[160], *s;
- int n, slen, extra = 0;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3)
- if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s",
- time, src, dst, misc)) != 4)
- if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s",
- link1, link2, src, dst, misc)) != 5) {
- n = sscanf(lbuf,
- "%31s %31s %31s: %31s > %31s: %255s",
- time, link1, link2, src, dst, misc);
- if (n != 6)
- return -1;
- }
-
- if (count_dots(dst) == 4) {
- s = strrchr(src, '.');
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_src);
- pkt.ti_sport = htons(atoi(s));
- *--s = '.';
- s = strrchr(dst, '.');
-
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_dst);
- pkt.ti_dport = htons(atoi(s));
- *--s = '.';
-
- } else {
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(src, &ip->ip_dst);
- }
- ip->ip_len = ip->ip_hl = sizeof(ip_t);
-
- s = strtok(misc, " :");
- if ((p = getprotobyname(s))) {
- ip->ip_p = p->p_proto;
-
- switch (p->p_proto) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
- }
- slen = ip->ip_hl + extra + ip->ip_len;
- return slen;
-}
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
deleted file mode 100644
index 7ea87e3..0000000
--- a/contrib/ipfilter/ipft_tx.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <arpa/inet.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.8 2002/12/06 11:40:26 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static char *tx_proto = "";
-
-static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
-static int parseline __P((char *, ip_t *, char **, int *));
-
-static char _tcp_flagset[] = "FSRPAUEC";
-static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG, TH_ECN, TH_CWR };
-
-struct ipread iptext = { text_open, text_close, text_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static u_32_t tx_hostnum __P((char *, int *));
-static u_short tx_portnum __P((char *));
-
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
-{
- struct hostent *hp;
- struct netent *np;
-
- *resolved = 0;
- if (!strcasecmp("any",host))
- return 0L;
- if (isdigit(*host))
- return inet_addr(host);
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- *resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
- return 0;
- }
- return htonl(np->n_net);
- }
- return *(u_32_t *)hp->h_addr;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi()
- */
-static u_short tx_portnum(name)
-char *name;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
-
- if (isdigit(*name))
- return (u_short)atoi(name);
- if (!tx_proto)
- tx_proto = "tcp/udp";
- if (strcasecmp(tx_proto, "tcp/udp")) {
- sp = getservbyname(name, tx_proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
- }
- return ntohs(p1);
-}
-
-
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-static int text_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int text_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s;
- char line[513];
-
- *ifn = NULL;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF))
- printf("input: %s\n", line);
- *ifn = NULL;
- *dir = 0;
- if (!parseline(line, (ip_t *)buf, ifn, dir))
-#if 0
- return sizeof(ip_t) + sizeof(tcphdr_t);
-#else
- return sizeof(ip_t);
-#endif
- }
- return -1;
-}
-
-static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
-{
- tcphdr_t th, *tcp = &th;
- struct icmp icmp, *ic = &icmp;
- char *cps[20], **cpp, c, ipopts[68];
- int i, r;
-
- if (*ifn)
- free(*ifn);
- bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
- bzero((char *)tcp, sizeof(*tcp));
- bzero((char *)ic, sizeof(*ic));
- bzero(ipopts, sizeof(ipopts));
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); )
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cpp = cps;
- if (!*cpp)
- return 1;
-
- c = **cpp;
- if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
- fprintf(stderr, "bad direction \"%s\"\n", *cpp);
- return 1;
- }
- *out = (tolower(c) == 'o') ? 1 : 0;
- cpp++;
- if (!*cpp)
- return 1;
-
- if (!strcasecmp(*cpp, "on")) {
- cpp++;
- if (!*cpp)
- return 1;
- *ifn = strdup(*cpp++);
- if (!*cpp)
- return 1;
- }
-
- c = **cpp;
- ip->ip_len = sizeof(ip_t);
- if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
- !strcasecmp(*cpp, "icmp")) {
- if (c == 't') {
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(struct tcphdr);
- tx_proto = "tcp";
- } else if (c == 'u') {
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(struct udphdr);
- tx_proto = "udp";
- } else {
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += ICMPERR_IPICMPHLEN;
- tx_proto = "icmp";
- }
- cpp++;
- } else if (isdigit(**cpp) && !index(*cpp, '.')) {
- ip->ip_p = atoi(*cpp);
- cpp++;
- } else
- ip->ip_p = IPPROTO_IP;
-
- if (!*cpp)
- return 1;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no source port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_sport = htons(tx_portnum(last));
- }
- ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (!*cpp)
- return 1;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no destination port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_dport = htons(tx_portnum(last));
- }
- ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (*cpp && ip->ip_p == IPPROTO_TCP) {
- extern char _tcp_flagset[];
- extern u_char _tcp_flags[];
- char *s, *t;
-
- for (s = *cpp; *s; s++)
- if ((t = index(_tcp_flagset, *s)))
- tcp->th_flags |= _tcp_flags[t - _tcp_flagset];
- if (tcp->th_flags)
- cpp++;
- assert(tcp->th_flags != 0);
- tcp->th_win = htons(4096);
- tcp->th_off = sizeof(*tcp) >> 2;
- } else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
-
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++)
- if (*s && !strncasecmp(*cpp, *s, strlen(*s))) {
- ic->icmp_type = i;
- if ((t = index(*cpp, ',')))
- ic->icmp_code = atoi(t+1);
- cpp++;
- break;
- }
- }
-
- if (*cpp && !strcasecmp(*cpp, "opt")) {
- u_long olen;
-
- cpp++;
- olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
- if (olen) {
- bcopy(ipopts, (char *)(ip + 1), olen);
- ip->ip_hl += olen >> 2;
- }
- }
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*tcp));
- else if (ip->ip_p == IPPROTO_ICMP)
- bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*ic));
- ip->ip_len = htons(ip->ip_len);
- return 0;
-}
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
deleted file mode 100644
index 7e90820..0000000
--- a/contrib/ipfilter/ipl.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-2001, 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ipl.h 1.21 6/5/96
- * Id: ipl.h,v 2.52.2.9 2005/03/30 14:14:05 darrenr Exp
- */
-
-#ifndef __IPL_H__
-#define __IPL_H__
-
-#define IPL_VERSION "IP Filter: v4.1.8"
-
-#define IPFILTER_VERSION 4010800
-
-#endif
diff --git a/contrib/ipfilter/ipl_ldev.c b/contrib/ipfilter/ipl_ldev.c
deleted file mode 100644
index a289325..0000000
--- a/contrib/ipfilter/ipl_ldev.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(struct inode * inode, struct file * filp)
-{
- u_int min = MINOR(inode->i_rdev);
-
- if (flags & FWRITE)
- return ENXIO;
- if (min)
- return ENXIO;
- iplbusy++;
- return 0;
-}
-
-
-int iplclose(struct inode * inode, struct file * filp)
-{
- u_int min = MINOR(inode->i_rdev);
-
- if (min)
- return ENXIO;
- iplbusy--;
- return 0;
-}
-
-
-/*
- * iplread/ipllog
- * all three of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(struct inode *inode, struct file *file, char *buf, int count)
-{
- register int ret, s;
- register size_t sz, sx;
- int error;
-
- if (!uio->uio_resid)
- return 0;
- while (!iplused) {
- error = SLEEP(iplbuf, "ipl sleep");
- if (error)
- return error;
- }
-
- SPLNET(s);
-
- ret = sx = sz = MIN(count, iplused);
- if (iplh < iplt)
- sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
- sx -= sz;
-
- memcpy_tofs(buf, iplt, sz);
- buf += sz;
- iplt += sz;
- iplused -= sz;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
-
- if (sx) {
- memcpy_tofs(buf, iplt, sx);
- ret += sx;
- iplt += sx;
- iplused -= sx;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
- }
- if (!iplused) /* minimise wrapping around the end */
- iplh = iplt = iplbuf;
-
- SPLX(s);
- return ret;
-}
diff --git a/contrib/ipfilter/iplang/.cvsignore b/contrib/ipfilter/iplang/.cvsignore
deleted file mode 100644
index 68b5b4e..0000000
--- a/contrib/ipfilter/iplang/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-y.tab.h
-y.output
-lex.yy.c
-y.tab.c
-y.tab.o
-lex.yy.o
-iplang_y.output
-iplang_y.tab.c
-iplang_y.tab.h
diff --git a/contrib/ipfilter/iplang/BNF b/contrib/ipfilter/iplang/BNF
deleted file mode 100644
index b5fb8d0..0000000
--- a/contrib/ipfilter/iplang/BNF
+++ /dev/null
@@ -1,69 +0,0 @@
-line ::= iface | arp | send | defrouter | ipv4line .
-
-iface ::= ifhdr "{" ifaceopts "}" ";" .
-ifhdr ::= "interface" | "iface" .
-ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr |
- "eaddr" eaddr .
-
-send ::= "send" ";" | "send" "{" sendbodyopts "}" ";" .
-sendbodyopts ::= sendbody [ sendbodyopts ] .
-sendbody ::= "ifname" name | "via" ipaddr .
-
-defrouter ::= "router" ipaddr .
-
-arp ::= "arp" "{" arpbodyopts "}" ";" .
-arpbodyopts ::= arpbody [ arpbodyopts ] .
-arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
-
-bodyline ::= ipv4line | tcpline | udpline | icmpline | dataline .
-
-ipv4line ::= "ipv4" "{" ipv4bodyopts "}" ";" .
-ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] | bodyline .
-ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
- "off" number | "v" number | "hl" number| "id" number |
- "ttl" number | "tos" number | "sum" number | "len" number |
- "opt" "{" ipv4optlist "}" ";" .
-ipv4optlist ::= ipv4option [ ipv4optlist ] .
-ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
- "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
- "secclass" ipv4secclass.
-ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
- "reserv-3" | "reserv-4" | "secret" | "topsecret" .
-
-tcpline ::= "tcp" "{" tcpbodyopts "}" ";" .
-tcpbodyopts ::= tcpbody [ tcpbodyopts ] | bodyline .
-tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
- "off" number | "urp" number | "win" number | "sum" number |
- "flags" tcpflags | data .
-
-udpline ::= "udp" "{" udpbodyopts "}" ";" .
-udpbodyopts ::= udpbody [ udpbodyopts ] | bodyline .
-udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
- data .
-
-icmpline ::= "icmp" "{" icmpbodyopts "}" ";" .
-icmpbodyopts ::= icmpbody [ icmpbodyopts ] | bodyline .
-icmpbody ::= "type" icmptype [ "code" icmpcode ] .
-icmptype ::= "echorep" | "echorep" "{" echoopts "}" ";" | "unreach" |
- "unreach" "{" unreachtype "}" ";" | "squench" | "redir" |
- "redir" "{" redirtype "}" ";" | "echo" "{" echoopts "}" ";" |
- "echo" | "routerad" | "routersol" | "timex" |
- "timex" "{" timextype "}" ";" | "paramprob" |
- "paramprob" "{" parapptype "}" ";" | "timest" | "timestrep" |
- "inforeq" | "inforep" | "maskreq" | "maskrep" .
-
-echoopts ::= echoopts [ icmpechoopts ] .
-unreachtype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-redirtype ::= "net-redir" | "host-redir" | "tos-net-redir" |
- "tos-host-redir" .
-timextype ::= "intrans" | "reass" .
-paramptype ::= "optabsent" .
-
-data ::= "data" "{" databodyopts "}" ";" .
-databodyopts ::= "len" number | "value" string | "file" filename .
-
-icmpechoopts ::= "icmpseq" number | "icmpid" number .
diff --git a/contrib/ipfilter/iplang/Makefile b/contrib/ipfilter/iplang/Makefile
deleted file mode 100644
index 1d66bb6..0000000
--- a/contrib/ipfilter/iplang/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-#CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
-CFLAGS=-I..
-CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend
-
-all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o
-
-$(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
-
-$(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
- $(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
-
-iplang_y.o: iplang_y.c
- $(CC) $(CCARGS) $< -o $@
-
-iplang_l.o: iplang_l.c
- $(CC) $(CCARGS) $< -o $@
-
-$(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
- lex iplang_l.l
- mv lex.yy.c $(DESTDIR)/iplang_l.c
-
-$(DESTDIR)/iplang_y.c $(DESTDIR)/iplang_y.h: iplang_y.y
- yacc -d iplang_y.y
- mv y.tab.c $(DESTDIR)/iplang_y.c
- mv y.tab.h $(DESTDIR)/iplang_y.h
-
-clean:
- /bin/rm -f *.o lex.yy.c y.tab.c y.tab.h
diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h
deleted file mode 100644
index f36a384..0000000
--- a/contrib/ipfilter/iplang/iplang.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-typedef struct iface {
- int if_MTU;
- char *if_name;
- struct in_addr if_addr;
- struct ether_addr if_eaddr;
- struct iface *if_next;
- int if_fd;
-} iface_t;
-
-
-typedef struct send {
- struct iface *snd_if;
- struct in_addr snd_gw;
-} send_t;
-
-
-typedef struct arp {
- struct in_addr arp_addr;
- struct ether_addr arp_eaddr;
- struct arp *arp_next;
-} arp_t;
-
-
-typedef struct aniphdr {
- union {
- ip_t *ahu_ip;
- char *ahu_data;
- tcphdr_t *ahu_tcp;
- udphdr_t *ahu_udp;
- icmphdr_t *ahu_icmp;
- } ah_un;
- int ah_optlen;
- int ah_lastopt;
- int ah_p;
- size_t ah_len;
- struct aniphdr *ah_next;
- struct aniphdr *ah_prev;
-} aniphdr_t;
-
-#define ah_ip ah_un.ahu_ip
-#define ah_data ah_un.ahu_data
-#define ah_tcp ah_un.ahu_tcp
-#define ah_udp ah_un.ahu_udp
-#define ah_icmp ah_un.ahu_icmp
-
-extern int get_arpipv4 __P((char *, char *));
-
diff --git a/contrib/ipfilter/iplang/iplang.tst b/contrib/ipfilter/iplang/iplang.tst
deleted file mode 100644
index a0a2ad3..0000000
--- a/contrib/ipfilter/iplang/iplang.tst
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-interface { ifname le0; mtu 1500; } ;
-
-ipv4 {
- src 1.1.1.1; dst 2.2.2.2;
- tcp {
- seq 12345; ack 0; sport 9999; dport 23; flags S;
- data { value "abcdef"; } ;
- } ;
-} ;
-send { via 10.1.1.1; } ;
diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l
deleted file mode 100644
index fae30a2..0000000
--- a/contrib/ipfilter/iplang/iplang_l.l
+++ /dev/null
@@ -1,320 +0,0 @@
-%{
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp $
- */
-#include <stdio.h>
-#include <string.h>
-#include <sys/param.h>
-#if defined(__SVR4) || defined(__sysv__)
-#include <sys/stream.h>
-#endif
-#include <sys/types.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include "iplang_y.h"
-#include "ipf.h"
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern int opts;
-
-int lineNum = 0, ipproto = 0, oldipproto = 0, next = -1, laststate = 0;
-int *prstack = NULL, numpr = 0, state = 0, token = 0;
-
-void yyerror __P((char *));
-void push_proto __P((void));
-void pop_proto __P((void));
-int next_state __P((int, int));
-int next_item __P((int));
-int save_token __P((void));
-void swallow __P((void));
-int yylex __P((void));
-
-struct lwordtab {
- char *word;
- int state;
- int next;
-};
-
-struct lwordtab words[] = {
- { "interface", IL_INTERFACE, -1 },
- { "iface", IL_INTERFACE, -1 },
- { "name", IL_IFNAME, IL_TOKEN },
- { "ifname", IL_IFNAME, IL_TOKEN },
- { "router", IL_DEFROUTER, IL_TOKEN },
- { "mtu", IL_MTU, IL_NUMBER },
- { "eaddr", IL_EADDR, IL_TOKEN },
- { "v4addr", IL_V4ADDR, IL_TOKEN },
- { "ipv4", IL_IPV4, -1 },
- { "v", IL_V4V, IL_TOKEN },
- { "proto", IL_V4PROTO, IL_TOKEN },
- { "hl", IL_V4HL, IL_TOKEN },
- { "id", IL_V4ID, IL_TOKEN },
- { "ttl", IL_V4TTL, IL_TOKEN },
- { "tos", IL_V4TOS, IL_TOKEN },
- { "src", IL_V4SRC, IL_TOKEN },
- { "dst", IL_V4DST, IL_TOKEN },
- { "opt", IL_OPT, -1 },
- { "len", IL_LEN, IL_TOKEN },
- { "off", IL_OFF, IL_TOKEN },
- { "sum", IL_SUM, IL_TOKEN },
- { "tcp", IL_TCP, -1 },
- { "sport", IL_SPORT, IL_TOKEN },
- { "dport", IL_DPORT, IL_TOKEN },
- { "seq", IL_TCPSEQ, IL_TOKEN },
- { "ack", IL_TCPACK, IL_TOKEN },
- { "flags", IL_TCPFL, IL_TOKEN },
- { "urp", IL_TCPURP, IL_TOKEN },
- { "win", IL_TCPWIN, IL_TOKEN },
- { "udp", IL_UDP, -1 },
- { "send", IL_SEND, -1 },
- { "via", IL_VIA, IL_TOKEN },
- { "arp", IL_ARP, -1 },
- { "data", IL_DATA, -1 },
- { "value", IL_DVALUE, IL_TOKEN },
- { "file", IL_DFILE, IL_TOKEN },
- { "nop", IL_IPO_NOP, -1 },
- { "eol", IL_IPO_EOL, -1 },
- { "rr", IL_IPO_RR, -1 },
- { "zsu", IL_IPO_ZSU, -1 },
- { "mtup", IL_IPO_MTUP, -1 },
- { "mtur", IL_IPO_MTUR, -1 },
- { "encode", IL_IPO_ENCODE, -1 },
- { "ts", IL_IPO_TS, -1 },
- { "tr", IL_IPO_TR, -1 },
- { "sec", IL_IPO_SEC, -1 },
- { "secclass", IL_IPO_SECCLASS, IL_TOKEN },
- { "lsrr", IL_IPO_LSRR, -1 },
- { "esec", IL_IPO_ESEC, -1 },
- { "cipso", IL_IPO_CIPSO, -1 },
- { "satid", IL_IPO_SATID, -1 },
- { "ssrr", IL_IPO_SSRR, -1 },
- { "addext", IL_IPO_ADDEXT, -1 },
- { "visa", IL_IPO_VISA, -1 },
- { "imitd", IL_IPO_IMITD, -1 },
- { "eip", IL_IPO_EIP, -1 },
- { "finn", IL_IPO_FINN, -1 },
- { "mss", IL_TCPO_MSS, IL_TOKEN },
- { "wscale", IL_TCPO_WSCALE, IL_TOKEN },
- { "reserv-4", IL_IPS_RESERV4, -1 },
- { "topsecret", IL_IPS_TOPSECRET, -1 },
- { "secret", IL_IPS_SECRET, -1 },
- { "reserv-3", IL_IPS_RESERV3, -1 },
- { "confid", IL_IPS_CONFID, -1 },
- { "unclass", IL_IPS_UNCLASS, -1 },
- { "reserv-2", IL_IPS_RESERV2, -1 },
- { "reserv-1", IL_IPS_RESERV1, -1 },
- { "icmp", IL_ICMP, -1 },
- { "type", IL_ICMPTYPE, -1 },
- { "code", IL_ICMPCODE, -1 },
- { "echorep", IL_ICMP_ECHOREPLY, -1 },
- { "unreach", IL_ICMP_UNREACH, -1 },
- { "squench", IL_ICMP_SOURCEQUENCH, -1 },
- { "redir", IL_ICMP_REDIRECT, -1 },
- { "echo", IL_ICMP_ECHO, -1 },
- { "routerad", IL_ICMP_ROUTERADVERT, -1 },
- { "routersol", IL_ICMP_ROUTERSOLICIT, -1 },
- { "timex", IL_ICMP_TIMXCEED, -1 },
- { "paramprob", IL_ICMP_PARAMPROB, -1 },
- { "timest", IL_ICMP_TSTAMP, -1 },
- { "timestrep", IL_ICMP_TSTAMPREPLY, -1 },
- { "inforeq", IL_ICMP_IREQ, -1 },
- { "inforep", IL_ICMP_IREQREPLY, -1 },
- { "maskreq", IL_ICMP_MASKREQ, -1 },
- { "maskrep", IL_ICMP_MASKREPLY, -1 },
- { "net-unr", IL_ICMP_UNREACH_NET, -1 },
- { "host-unr", IL_ICMP_UNREACH_HOST, -1 },
- { "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 },
- { "port-unr", IL_ICMP_UNREACH_PORT, -1 },
- { "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 },
- { "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 },
- { "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 },
- { "host-unk", IL_ICMP_UNREACH_HOST_UNKNOWN, -1 },
- { "isolate", IL_ICMP_UNREACH_ISOLATED, -1 },
- { "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 },
- { "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 },
- { "net-tos", IL_ICMP_UNREACH_TOSNET, -1 },
- { "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 },
- { "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 },
- { "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 },
- { "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 },
- { "net-redir", IL_ICMP_REDIRECT_NET, -1 },
- { "host-redir", IL_ICMP_REDIRECT_HOST, -1 },
- { "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 },
- { "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 },
- { "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 },
- { "reass", IL_ICMP_TIMXCEED_REASS, -1 },
- { "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 },
- { "otime", IL_ICMP_OTIME, -1 },
- { "rtime", IL_ICMP_RTIME, -1 },
- { "ttime", IL_ICMP_TTIME, -1 },
- { "icmpseq", IL_ICMP_SEQ, -1 },
- { "icmpid", IL_ICMP_SEQ, -1 },
- { ".", IL_DOT, -1 },
- { NULL, 0, 0 }
-};
-%}
-white [ \t\r]+
-%%
-{white} ;
-\n { lineNum++; swallow(); }
-\{ { push_proto(); return next_item('{'); }
-\} { pop_proto(); return next_item('}'); }
-; { return next_item(';'); }
-[0-9]+ { return next_item(IL_NUMBER); }
-[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
-: { return next_item(IL_COLON); }
-#[^\n]* { return next_item(IL_COMMENT); }
-[^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); }
-\"[^\"]*\" { return next_item(IL_TOKEN); }
-%%
-void yyerror(msg)
-char *msg;
-{
- fprintf(stderr, "%s error at \"%s\", line %d\n", msg, yytext,
- lineNum + 1);
- exit(1);
-}
-
-
-void push_proto()
-{
- numpr++;
- if (!prstack)
- prstack = (int *)malloc(sizeof(int));
- else
- prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
- prstack[numpr - 1] = oldipproto;
-}
-
-
-void pop_proto()
-{
- numpr--;
- ipproto = prstack[numpr];
- if (!numpr) {
- free(prstack);
- prstack = NULL;
- return;
- }
- prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
-}
-
-
-int save_token()
-{
-
- yylval.str = strdup((char *)yytext);
- return IL_TOKEN;
-}
-
-
-int next_item(nstate)
-int nstate;
-{
- struct lwordtab *wt;
-
- if (opts & OPT_DEBUG)
- printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
- if (next == IL_TOKEN) {
- next = -1;
- return save_token();
- }
- token++;
-
- for (wt = words; wt->word; wt++)
- if (!strcasecmp(wt->word, (char *)yytext))
- return next_state(wt->state, wt->next);
- if (opts & OPT_DEBUG)
- printf("unknown keyword=[%s]\n", yytext);
- next = -1;
- if (nstate == IL_NUMBER)
- yylval.num = atoi((char *)yytext);
- token++;
- return nstate;
-}
-
-
-int next_state(nstate, fornext)
-int nstate, fornext;
-{
- next = fornext;
-
- switch (nstate)
- {
- case IL_IPV4 :
- case IL_TCP :
- case IL_UDP :
- case IL_ICMP :
- case IL_DATA :
- case IL_INTERFACE :
- case IL_ARP :
- oldipproto = ipproto;
- ipproto = nstate;
- break;
- case IL_SUM :
- if (ipproto == IL_IPV4)
- nstate = IL_V4SUM;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPSUM;
- else if (ipproto == IL_UDP)
- nstate = IL_UDPSUM;
- break;
- case IL_OPT :
- if (ipproto == IL_IPV4)
- nstate = IL_V4OPT;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPOPT;
- break;
- case IL_IPO_NOP :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_NOP;
- break;
- case IL_IPO_EOL :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_EOL;
- break;
- case IL_IPO_TS :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_TS;
- break;
- case IL_OFF :
- if (ipproto == IL_IPV4)
- nstate = IL_V4OFF;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPOFF;
- break;
- case IL_LEN :
- if (ipproto == IL_IPV4)
- nstate = IL_V4LEN;
- else if (ipproto == IL_UDP)
- nstate = IL_UDPLEN;
- break;
- }
- return nstate;
-}
-
-
-void swallow()
-{
- int c;
-
- c = input();
-
- if (c == '#') {
- while ((c != '\n') && (c != EOF))
- c = input();
- }
- if (c != EOF)
- unput(c);
-}
diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y
deleted file mode 100644
index 735ac37..0000000
--- a/contrib/ipfilter/iplang/iplang_y.y
+++ /dev/null
@@ -1,1859 +0,0 @@
-%{
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: iplang_y.y,v 2.9.2.5 2007/02/17 12:41:48 darrenr Exp $
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#else
-# include <sys/byteorder.h>
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#ifndef linux
-# include <netinet/if_ether.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "ipsend.h"
-#include "ip_compat.h"
-#include "ipf.h"
-#include "iplang.h"
-
-#if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \
- __FreeBSD_version < 400020) && (!SOLARIS || SOLARIS2 < 10)
-extern struct ether_addr *ether_aton __P((char *));
-#endif
-
-extern int opts;
-extern struct ipopt_names ionames[];
-extern int state, state, lineNum, token;
-extern int yylineno;
-extern char yytext[];
-extern FILE *yyin;
-int yylex __P((void));
-#define YYDEBUG 1
-#if !defined(ultrix) && !defined(hpux)
-int yydebug = 1;
-#else
-extern int yydebug;
-#endif
-
-iface_t *iflist = NULL, **iftail = &iflist;
-iface_t *cifp = NULL;
-arp_t *arplist = NULL, **arptail = &arplist, *carp = NULL;
-struct in_addr defrouter;
-send_t sending;
-char *sclass = NULL;
-u_short c_chksum __P((u_short *, u_int, u_long));
-u_long p_chksum __P((u_short *, u_int));
-
-u_long ipbuffer[67584/sizeof(u_long)]; /* 66K */
-aniphdr_t *aniphead = NULL, *canip = NULL, **aniptail = &aniphead;
-ip_t *ip = NULL;
-udphdr_t *udp = NULL;
-tcphdr_t *tcp = NULL;
-icmphdr_t *icmp = NULL;
-
-struct statetoopt {
- int sto_st;
- int sto_op;
-};
-
-struct in_addr getipv4addr __P((char *arg));
-u_short getportnum __P((char *, char *));
-struct ether_addr *geteaddr __P((char *, struct ether_addr *));
-void *new_header __P((int));
-void free_aniplist __P((void));
-void inc_anipheaders __P((int));
-void new_data __P((void));
-void set_datalen __P((char **));
-void set_datafile __P((char **));
-void set_data __P((char **));
-void new_packet __P((void));
-void set_ipv4proto __P((char **));
-void set_ipv4src __P((char **));
-void set_ipv4dst __P((char **));
-void set_ipv4off __P((char **));
-void set_ipv4v __P((char **));
-void set_ipv4hl __P((char **));
-void set_ipv4ttl __P((char **));
-void set_ipv4tos __P((char **));
-void set_ipv4id __P((char **));
-void set_ipv4sum __P((char **));
-void set_ipv4len __P((char **));
-void new_tcpheader __P((void));
-void set_tcpsport __P((char **));
-void set_tcpdport __P((char **));
-void set_tcpseq __P((char **));
-void set_tcpack __P((char **));
-void set_tcpoff __P((char **));
-void set_tcpurp __P((char **));
-void set_tcpwin __P((char **));
-void set_tcpsum __P((char **));
-void set_tcpflags __P((char **));
-void set_tcpopt __P((int, char **));
-void end_tcpopt __P((void));
-void new_udpheader __P((void));
-void set_udplen __P((char **));
-void set_udpsum __P((char **));
-void prep_packet __P((void));
-void packet_done __P((void));
-void new_interface __P((void));
-void check_interface __P((void));
-void set_ifname __P((char **));
-void set_ifmtu __P((int));
-void set_ifv4addr __P((char **));
-void set_ifeaddr __P((char **));
-void new_arp __P((void));
-void set_arpeaddr __P((char **));
-void set_arpv4addr __P((char **));
-void reset_send __P((void));
-void set_sendif __P((char **));
-void set_sendvia __P((char **));
-void set_defaultrouter __P((char **));
-void new_icmpheader __P((void));
-void set_icmpcode __P((int));
-void set_icmptype __P((int));
-void set_icmpcodetok __P((char **));
-void set_icmptypetok __P((char **));
-void set_icmpid __P((int));
-void set_icmpseq __P((int));
-void set_icmpotime __P((int));
-void set_icmprtime __P((int));
-void set_icmpttime __P((int));
-void set_icmpmtu __P((int));
-void set_redir __P((int, char **));
-void new_ipv4opt __P((void));
-void set_icmppprob __P((int));
-void add_ipopt __P((int, void *));
-void end_ipopt __P((void));
-void set_secclass __P((char **));
-void free_anipheader __P((void));
-void end_ipv4 __P((void));
-void end_icmp __P((void));
-void end_udp __P((void));
-void end_tcp __P((void));
-void end_data __P((void));
-void yyerror __P((char *));
-void iplang __P((FILE *));
-int arp_getipv4 __P((char *, char *));
-int yyparse __P((void));
-%}
-%union {
- char *str;
- int num;
-}
-%token <num> IL_NUMBER
-%type <num> number digits optnumber
-%token <str> IL_TOKEN
-%type <str> token optoken
-%token IL_HEXDIGIT IL_COLON IL_DOT IL_EOF IL_COMMENT
-%token IL_INTERFACE IL_IFNAME IL_MTU IL_EADDR
-%token IL_IPV4 IL_V4PROTO IL_V4SRC IL_V4DST IL_V4OFF IL_V4V IL_V4HL IL_V4TTL
-%token IL_V4TOS IL_V4SUM IL_V4LEN IL_V4OPT IL_V4ID
-%token IL_TCP IL_SPORT IL_DPORT IL_TCPFL IL_TCPSEQ IL_TCPACK IL_TCPOFF
-%token IL_TCPWIN IL_TCPSUM IL_TCPURP IL_TCPOPT IL_TCPO_NOP IL_TCPO_EOL
-%token IL_TCPO_MSS IL_TCPO_WSCALE IL_TCPO_TS
-%token IL_UDP IL_UDPLEN IL_UDPSUM
-%token IL_ICMP IL_ICMPTYPE IL_ICMPCODE
-%token IL_SEND IL_VIA
-%token IL_ARP
-%token IL_DEFROUTER
-%token IL_SUM IL_OFF IL_LEN IL_V4ADDR IL_OPT
-%token IL_DATA IL_DLEN IL_DVALUE IL_DFILE
-%token IL_IPO_NOP IL_IPO_RR IL_IPO_ZSU IL_IPO_MTUP IL_IPO_MTUR IL_IPO_EOL
-%token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC
-%token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD
-%token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE
-%token <str> IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
-%token <str> IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
-%token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET
-%token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT
-%token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL
-%token IL_ICMP_UNREACH_NET_UNKNOWN IL_ICMP_UNREACH_HOST_UNKNOWN
-%token IL_ICMP_UNREACH_ISOLATED IL_ICMP_UNREACH_NET_PROHIB
-%token IL_ICMP_UNREACH_HOST_PROHIB IL_ICMP_UNREACH_TOSNET
-%token IL_ICMP_UNREACH_TOSHOST IL_ICMP_UNREACH_FILTER_PROHIB
-%token IL_ICMP_UNREACH_HOST_PRECEDENCE IL_ICMP_UNREACH_PRECEDENCE_CUTOFF
-%token IL_ICMP_SOURCEQUENCH IL_ICMP_REDIRECT IL_ICMP_REDIRECT_NET
-%token IL_ICMP_REDIRECT_HOST IL_ICMP_REDIRECT_TOSNET
-%token IL_ICMP_REDIRECT_TOSHOST IL_ICMP_ECHO IL_ICMP_ROUTERADVERT
-%token IL_ICMP_ROUTERSOLICIT IL_ICMP_TIMXCEED IL_ICMP_TIMXCEED_INTRANS
-%token IL_ICMP_TIMXCEED_REASS IL_ICMP_PARAMPROB IL_ICMP_PARAMPROB_OPTABSENT
-%token IL_ICMP_TSTAMP IL_ICMP_TSTAMPREPLY IL_ICMP_IREQ IL_ICMP_IREQREPLY
-%token IL_ICMP_MASKREQ IL_ICMP_MASKREPLY IL_ICMP_SEQ IL_ICMP_ID
-%token IL_ICMP_OTIME IL_ICMP_RTIME IL_ICMP_TTIME
-
-%%
-file: line
- | line file
- | IL_COMMENT
- | IL_COMMENT file
- ;
-
-line: iface
- | arp
- | send
- | defrouter
- | ipline
- ;
-
-iface: ifhdr '{' ifaceopts '}' ';' { check_interface(); }
- ;
-
-ifhdr: IL_INTERFACE { new_interface(); }
- ;
-
-ifaceopts:
- ifaceopt
- | ifaceopt ifaceopts
- ;
-
-ifaceopt:
- IL_IFNAME token { set_ifname(&$2); }
- | IL_MTU number { set_ifmtu($2); }
- | IL_V4ADDR token { set_ifv4addr(&$2); }
- | IL_EADDR token { set_ifeaddr(&$2); }
- ;
-
-send: sendhdr '{' sendbody '}' ';' { packet_done(); }
- | sendhdr ';' { packet_done(); }
- ;
-
-sendhdr:
- IL_SEND { reset_send(); }
- ;
-
-sendbody:
- sendopt
- | sendbody sendopt
- ;
-
-sendopt:
- IL_IFNAME token { set_sendif(&$2); }
- | IL_VIA token { set_sendvia(&$2); }
- ;
-
-arp: arphdr '{' arpbody '}' ';'
- ;
-
-arphdr: IL_ARP { new_arp(); }
- ;
-
-arpbody:
- arpopt
- | arpbody arpopt
- ;
-
-arpopt: IL_V4ADDR token { set_arpv4addr(&$2); }
- | IL_EADDR token { set_arpeaddr(&$2); }
- ;
-
-defrouter:
- IL_DEFROUTER token { set_defaultrouter(&$2); }
- ;
-
-bodyline:
- ipline
- | tcp tcpline
- | udp udpline
- | icmp icmpline
- | data dataline
- ;
-
-ipline: ipv4 '{' ipv4body '}' ';' { end_ipv4(); }
- ;
-
-ipv4: IL_IPV4 { new_packet(); }
-
-ipv4body:
- ipv4type
- | ipv4type ipv4body
- | bodyline
- ;
-
-ipv4type:
- IL_V4PROTO token { set_ipv4proto(&$2); }
- | IL_V4SRC token { set_ipv4src(&$2); }
- | IL_V4DST token { set_ipv4dst(&$2); }
- | IL_V4OFF token { set_ipv4off(&$2); }
- | IL_V4V token { set_ipv4v(&$2); }
- | IL_V4HL token { set_ipv4hl(&$2); }
- | IL_V4ID token { set_ipv4id(&$2); }
- | IL_V4TTL token { set_ipv4ttl(&$2); }
- | IL_V4TOS token { set_ipv4tos(&$2); }
- | IL_V4SUM token { set_ipv4sum(&$2); }
- | IL_V4LEN token { set_ipv4len(&$2); }
- | ipv4opt '{' ipv4optlist '}' ';' { end_ipopt(); }
- ;
-
-tcp: IL_TCP { new_tcpheader(); }
- ;
-
-tcpline:
- '{' tcpheader '}' ';' { end_tcp(); }
- ;
-
-tcpheader:
- tcpbody
- | tcpbody tcpheader
- | bodyline
- ;
-
-tcpbody:
- IL_SPORT token { set_tcpsport(&$2); }
- | IL_DPORT token { set_tcpdport(&$2); }
- | IL_TCPSEQ token { set_tcpseq(&$2); }
- | IL_TCPACK token { set_tcpack(&$2); }
- | IL_TCPOFF token { set_tcpoff(&$2); }
- | IL_TCPURP token { set_tcpurp(&$2); }
- | IL_TCPWIN token { set_tcpwin(&$2); }
- | IL_TCPSUM token { set_tcpsum(&$2); }
- | IL_TCPFL token { set_tcpflags(&$2); }
- | IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); }
- ;
-
-tcpopts:
- | tcpopt tcpopts
- ;
-
-tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
- | IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
- | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
- | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);}
- | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
- ;
-
-udp: IL_UDP { new_udpheader(); }
- ;
-
-udpline:
- '{' udpheader '}' ';' { end_udp(); }
- ;
-
-
-udpheader:
- udpbody
- | udpbody udpheader
- | bodyline
- ;
-
-udpbody:
- IL_SPORT token { set_tcpsport(&$2); }
- | IL_DPORT token { set_tcpdport(&$2); }
- | IL_UDPLEN token { set_udplen(&$2); }
- | IL_UDPSUM token { set_udpsum(&$2); }
- ;
-
-icmp: IL_ICMP { new_icmpheader(); }
- ;
-
-icmpline:
- '{' icmpbody '}' ';' { end_icmp(); }
- ;
-
-icmpbody:
- icmpheader
- | icmpheader bodyline
- ;
-
-icmpheader:
- IL_ICMPTYPE icmptype
- | IL_ICMPTYPE icmptype icmpcode
- ;
-
-icmpcode:
- IL_ICMPCODE token { set_icmpcodetok(&$2); }
- ;
-
-icmptype:
- IL_ICMP_ECHOREPLY ';' { set_icmptype(ICMP_ECHOREPLY); }
- | IL_ICMP_ECHOREPLY '{' icmpechoopts '}' ';'
- | unreach
- | IL_ICMP_SOURCEQUENCH ';' { set_icmptype(ICMP_SOURCEQUENCH); }
- | redirect
- | IL_ICMP_ROUTERADVERT ';' { set_icmptype(ICMP_ROUTERADVERT); }
- | IL_ICMP_ROUTERSOLICIT ';' { set_icmptype(ICMP_ROUTERSOLICIT); }
- | IL_ICMP_ECHO ';' { set_icmptype(ICMP_ECHO); }
- | IL_ICMP_ECHO '{' icmpechoopts '}' ';'
- | IL_ICMP_TIMXCEED ';' { set_icmptype(ICMP_TIMXCEED); }
- | IL_ICMP_TIMXCEED '{' exceed '}' ';'
- | IL_ICMP_TSTAMP ';' { set_icmptype(ICMP_TSTAMP); }
- | IL_ICMP_TSTAMPREPLY ';' { set_icmptype(ICMP_TSTAMPREPLY); }
- | IL_ICMP_TSTAMPREPLY '{' icmptsopts '}' ';'
- | IL_ICMP_IREQ ';' { set_icmptype(ICMP_IREQ); }
- | IL_ICMP_IREQREPLY ';' { set_icmptype(ICMP_IREQREPLY); }
- | IL_ICMP_IREQREPLY '{' data dataline '}' ';'
- | IL_ICMP_MASKREQ ';' { set_icmptype(ICMP_MASKREQ); }
- | IL_ICMP_MASKREPLY ';' { set_icmptype(ICMP_MASKREPLY); }
- | IL_ICMP_MASKREPLY '{' token '}' ';'
- | IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); }
- | IL_ICMP_PARAMPROB '{' paramprob '}' ';'
- | IL_TOKEN ';' { set_icmptypetok(&$1); }
- ;
-
-icmpechoopts:
- | icmpechoopts icmpecho
- ;
-
-icmpecho:
- IL_ICMP_SEQ number { set_icmpseq($2); }
- | IL_ICMP_ID number { set_icmpid($2); }
- ;
-
-icmptsopts:
- | icmptsopts icmpts ';'
- ;
-
-icmpts: IL_ICMP_OTIME number { set_icmpotime($2); }
- | IL_ICMP_RTIME number { set_icmprtime($2); }
- | IL_ICMP_TTIME number { set_icmpttime($2); }
- ;
-
-unreach:
- IL_ICMP_UNREACH
- | IL_ICMP_UNREACH '{' unreachopts '}' ';'
- ;
-
-unreachopts:
- IL_ICMP_UNREACH_NET line
- | IL_ICMP_UNREACH_HOST line
- | IL_ICMP_UNREACH_PROTOCOL line
- | IL_ICMP_UNREACH_PORT line
- | IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); }
- | IL_ICMP_UNREACH_SRCFAIL line
- | IL_ICMP_UNREACH_NET_UNKNOWN line
- | IL_ICMP_UNREACH_HOST_UNKNOWN line
- | IL_ICMP_UNREACH_ISOLATED line
- | IL_ICMP_UNREACH_NET_PROHIB line
- | IL_ICMP_UNREACH_HOST_PROHIB line
- | IL_ICMP_UNREACH_TOSNET line
- | IL_ICMP_UNREACH_TOSHOST line
- | IL_ICMP_UNREACH_FILTER_PROHIB line
- | IL_ICMP_UNREACH_HOST_PRECEDENCE line
- | IL_ICMP_UNREACH_PRECEDENCE_CUTOFF line
- ;
-
-redirect:
- IL_ICMP_REDIRECT
- | IL_ICMP_REDIRECT '{' redirectopts '}' ';'
- ;
-
-redirectopts:
- | IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); }
- | IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); }
- | IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); }
- | IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); }
- ;
-
-exceed:
- IL_ICMP_TIMXCEED_INTRANS line
- | IL_ICMP_TIMXCEED_REASS line
- ;
-
-paramprob:
- IL_ICMP_PARAMPROB_OPTABSENT
- | IL_ICMP_PARAMPROB_OPTABSENT paraprobarg
-
-paraprobarg:
- '{' number '}' ';' { set_icmppprob($2); }
- ;
-
-ipv4opt: IL_V4OPT { new_ipv4opt(); }
- ;
-
-ipv4optlist:
- | ipv4opts ipv4optlist
- ;
-
-ipv4opts:
- IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); }
- | IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); }
- | IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); }
- | IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); }
- | IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); }
- | IL_IPO_ENCODE ';' { add_ipopt(IL_IPO_ENCODE, NULL); }
- | IL_IPO_TS ';' { add_ipopt(IL_IPO_TS, NULL); }
- | IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); }
- | IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); }
- | IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); }
- | IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); }
- | IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); }
- | IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); }
- | IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);}
- | IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); }
- | IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); }
- | IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); }
- | IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); }
- | IL_IPO_EIP ';' { add_ipopt(IL_IPO_EIP, NULL); }
- | IL_IPO_FINN ';' { add_ipopt(IL_IPO_FINN, NULL); }
- ;
-
-secclass:
- IL_IPS_RESERV4 ';' { set_secclass(&$1); }
- | IL_IPS_TOPSECRET ';' { set_secclass(&$1); }
- | IL_IPS_SECRET ';' { set_secclass(&$1); }
- | IL_IPS_RESERV3 ';' { set_secclass(&$1); }
- | IL_IPS_CONFID ';' { set_secclass(&$1); }
- | IL_IPS_UNCLASS ';' { set_secclass(&$1); }
- | IL_IPS_RESERV2 ';' { set_secclass(&$1); }
- | IL_IPS_RESERV1 ';' { set_secclass(&$1); }
- ;
-
-data: IL_DATA { new_data(); }
- ;
-
-dataline:
- '{' databody '}' ';' { end_data(); }
- ;
-
-databody: dataopts
- | dataopts databody
- ;
-
-dataopts:
- IL_DLEN token { set_datalen(&$2); }
- | IL_DVALUE token { set_data(&$2); }
- | IL_DFILE token { set_datafile(&$2); }
- ;
-
-token: IL_TOKEN ';'
- ;
-
-optoken: ';' { $$ = ""; }
- | token
- ;
-
-number: digits ';'
- ;
-
-optnumber: ';' { $$ = 0; }
- | number
- ;
-
-digits: IL_NUMBER
- | digits IL_NUMBER
- ;
-%%
-
-struct statetoopt toipopts[] = {
- { IL_IPO_NOP, IPOPT_NOP },
- { IL_IPO_RR, IPOPT_RR },
- { IL_IPO_ZSU, IPOPT_ZSU },
- { IL_IPO_MTUP, IPOPT_MTUP },
- { IL_IPO_MTUR, IPOPT_MTUR },
- { IL_IPO_ENCODE, IPOPT_ENCODE },
- { IL_IPO_TS, IPOPT_TS },
- { IL_IPO_TR, IPOPT_TR },
- { IL_IPO_SEC, IPOPT_SECURITY },
- { IL_IPO_SECCLASS, IPOPT_SECURITY },
- { IL_IPO_LSRR, IPOPT_LSRR },
- { IL_IPO_ESEC, IPOPT_E_SEC },
- { IL_IPO_CIPSO, IPOPT_CIPSO },
- { IL_IPO_SATID, IPOPT_SATID },
- { IL_IPO_SSRR, IPOPT_SSRR },
- { IL_IPO_ADDEXT, IPOPT_ADDEXT },
- { IL_IPO_VISA, IPOPT_VISA },
- { IL_IPO_IMITD, IPOPT_IMITD },
- { IL_IPO_EIP, IPOPT_EIP },
- { IL_IPO_FINN, IPOPT_FINN },
- { 0, 0 }
-};
-
-struct statetoopt tosecopts[] = {
- { IL_IPS_RESERV4, IPSO_CLASS_RES4 },
- { IL_IPS_TOPSECRET, IPSO_CLASS_TOPS },
- { IL_IPS_SECRET, IPSO_CLASS_SECR },
- { IL_IPS_RESERV3, IPSO_CLASS_RES3 },
- { IL_IPS_CONFID, IPSO_CLASS_CONF },
- { IL_IPS_UNCLASS, IPSO_CLASS_UNCL },
- { IL_IPS_RESERV2, IPSO_CLASS_RES2 },
- { IL_IPS_RESERV1, IPSO_CLASS_RES1 },
- { 0, 0 }
-};
-
-#ifdef bsdi
-struct ether_addr *
-ether_aton(s)
- char *s;
-{
- static struct ether_addr n;
- u_int i[6];
-
- if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1],
- &i[2], &i[3], &i[4], &i[5]) == 6) {
- n.ether_addr_octet[0] = (u_char)i[0];
- n.ether_addr_octet[1] = (u_char)i[1];
- n.ether_addr_octet[2] = (u_char)i[2];
- n.ether_addr_octet[3] = (u_char)i[3];
- n.ether_addr_octet[4] = (u_char)i[4];
- n.ether_addr_octet[5] = (u_char)i[5];
- return &n;
- }
- return NULL;
-}
-#endif
-
-
-struct in_addr getipv4addr(arg)
-char *arg;
-{
- struct hostent *hp;
- struct in_addr in;
-
- in.s_addr = 0xffffffff;
-
- if ((hp = gethostbyname(arg)))
- bcopy(hp->h_addr, &in.s_addr, sizeof(struct in_addr));
- else
- in.s_addr = inet_addr(arg);
- return in;
-}
-
-
-u_short getportnum(pr, name)
-char *pr, *name;
-{
- struct servent *sp;
-
- if (!(sp = getservbyname(name, pr)))
- return htons(atoi(name));
- return sp->s_port;
-}
-
-
-struct ether_addr *geteaddr(arg, buf)
-char *arg;
-struct ether_addr *buf;
-{
- struct ether_addr *e;
-
-#if !defined(hpux) && !defined(linux)
- e = ether_aton(arg);
- if (!e)
- fprintf(stderr, "Invalid ethernet address: %s\n", arg);
- else
-# ifdef __FreeBSD__
- bcopy(e->octet, buf->octet, sizeof(e->octet));
-# else
- bcopy(e->ether_addr_octet, buf->ether_addr_octet,
- sizeof(e->ether_addr_octet));
-# endif
- return e;
-#else
- return NULL;
-#endif
-}
-
-
-void *new_header(type)
-int type;
-{
- aniphdr_t *aip, *oip = canip;
- int sz = 0;
-
- aip = (aniphdr_t *)calloc(1, sizeof(*aip));
- *aniptail = aip;
- aniptail = &aip->ah_next;
- aip->ah_p = type;
- aip->ah_prev = oip;
- canip = aip;
-
- if (type == IPPROTO_UDP)
- sz = sizeof(udphdr_t);
- else if (type == IPPROTO_TCP)
- sz = sizeof(tcphdr_t);
- else if (type == IPPROTO_ICMP)
- sz = sizeof(icmphdr_t);
- else if (type == IPPROTO_IP)
- sz = sizeof(ip_t);
-
- if (oip)
- canip->ah_data = oip->ah_data + oip->ah_len;
- else
- canip->ah_data = (char *)ipbuffer;
-
- /*
- * Increase the size fields in all wrapping headers.
- */
- for (aip = aniphead; aip; aip = aip->ah_next) {
- aip->ah_len += sz;
- if (aip->ah_p == IPPROTO_IP)
- aip->ah_ip->ip_len += sz;
- else if (aip->ah_p == IPPROTO_UDP)
- aip->ah_udp->uh_ulen += sz;
- }
- return (void *)canip->ah_data;
-}
-
-
-void free_aniplist()
-{
- aniphdr_t *aip, **aipp = &aniphead;
-
- while ((aip = *aipp)) {
- *aipp = aip->ah_next;
- free(aip);
- }
- aniptail = &aniphead;
-}
-
-
-void inc_anipheaders(inc)
-int inc;
-{
- aniphdr_t *aip;
-
- for (aip = aniphead; aip; aip = aip->ah_next) {
- aip->ah_len += inc;
- if (aip->ah_p == IPPROTO_IP)
- aip->ah_ip->ip_len += inc;
- else if (aip->ah_p == IPPROTO_UDP)
- aip->ah_udp->uh_ulen += inc;
- }
-}
-
-
-void new_data()
-{
- (void) new_header(-1);
- canip->ah_len = 0;
-}
-
-
-void set_datalen(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_data(arg)
-char **arg;
-{
- u_char *s = (u_char *)*arg, *t = (u_char *)canip->ah_data, c;
- int len = 0, todo = 0, quote = 0, val = 0;
-
- while ((c = *s++)) {
- if (todo) {
- if (ISDIGIT(c)) {
- todo--;
- if (c > '7') {
- fprintf(stderr, "octal with %c!\n", c);
- break;
- }
- val <<= 3;
- val |= (c - '0');
- }
- if (!ISDIGIT(c) || !todo) {
- *t++ = (u_char)(val & 0xff);
- todo = 0;
- }
- if (todo)
- continue;
- }
- if (quote) {
- if (ISDIGIT(c)) {
- todo = 2;
- if (c > '7') {
- fprintf(stderr, "octal with %c!\n", c);
- break;
- }
- val = (c - '0');
- } else {
- switch (c)
- {
- case '\"' :
- *t++ = '\"';
- break;
- case '\\' :
- *t++ = '\\';
- break;
- case 'n' :
- *t++ = '\n';
- break;
- case 'r' :
- *t++ = '\r';
- break;
- case 't' :
- *t++ = '\t';
- break;
- }
- }
- quote = 0;
- continue;
- }
-
- if (c == '\\')
- quote = 1;
- else
- *t++ = c;
- }
- if (todo)
- *t++ = (u_char)(val & 0xff);
- if (quote)
- *t++ = '\\';
- len = t - (u_char *)canip->ah_data;
- inc_anipheaders(len - canip->ah_len);
- canip->ah_len = len;
-}
-
-
-void set_datafile(arg)
-char **arg;
-{
- struct stat sb;
- char *file = *arg;
- int fd, len;
-
- if ((fd = open(file, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
-
- if (fstat(fd, &sb) == -1) {
- perror("fstat");
- exit(-1);
- }
-
- if ((sb.st_size + aniphead->ah_len ) > 65535) {
- fprintf(stderr, "data file %s too big to include.\n", file);
- close(fd);
- return;
- }
- if ((len = read(fd, canip->ah_data, sb.st_size)) == -1) {
- perror("read");
- close(fd);
- return;
- }
- inc_anipheaders(len);
- canip->ah_len += len;
- close(fd);
-}
-
-
-void new_packet()
-{
- static u_short id = 0;
-
- if (!aniphead)
- bzero((char *)ipbuffer, sizeof(ipbuffer));
-
- ip = (ip_t *)new_header(IPPROTO_IP);
- ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(ip_t) >> 2;
- ip->ip_len = sizeof(ip_t);
- ip->ip_ttl = 63;
- ip->ip_id = htons(id++);
-}
-
-
-void set_ipv4proto(arg)
-char **arg;
-{
- struct protoent *pr;
-
- if ((pr = getprotobyname(*arg)))
- ip->ip_p = pr->p_proto;
- else
- if (!(ip->ip_p = atoi(*arg)))
- fprintf(stderr, "unknown protocol %s\n", *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4src(arg)
-char **arg;
-{
- ip->ip_src = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4dst(arg)
-char **arg;
-{
- ip->ip_dst = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4off(arg)
-char **arg;
-{
- ip->ip_off = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4v(arg)
-char **arg;
-{
- ip->ip_v = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4hl(arg)
-char **arg;
-{
- int newhl, inc;
-
- newhl = strtol(*arg, NULL, 0);
- inc = (newhl - ip->ip_hl) << 2;
- ip->ip_len += inc;
- ip->ip_hl = newhl;
- canip->ah_len += inc;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4ttl(arg)
-char **arg;
-{
- ip->ip_ttl = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4tos(arg)
-char **arg;
-{
- ip->ip_tos = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4id(arg)
-char **arg;
-{
- ip->ip_id = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4sum(arg)
-char **arg;
-{
- ip->ip_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4len(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len - ip->ip_len);
- ip->ip_len = len;
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_tcpheader()
-{
-
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_TCP)) {
- fprintf(stderr, "protocol %d specified with TCP!\n", ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_TCP;
-
- tcp = (tcphdr_t *)new_header(IPPROTO_TCP);
- tcp->th_win = htons(4096);
- tcp->th_off = sizeof(*tcp) >> 2;
-}
-
-
-void set_tcpsport(arg)
-char **arg;
-{
- u_short *port;
- char *pr;
-
- if (ip->ip_p == IPPROTO_UDP) {
- port = &udp->uh_sport;
- pr = "udp";
- } else {
- port = &tcp->th_sport;
- pr = "udp";
- }
-
- *port = getportnum(pr, *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpdport(arg)
-char **arg;
-{
- u_short *port;
- char *pr;
-
- if (ip->ip_p == IPPROTO_UDP) {
- port = &udp->uh_dport;
- pr = "udp";
- } else {
- port = &tcp->th_dport;
- pr = "udp";
- }
-
- *port = getportnum(pr, *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpseq(arg)
-char **arg;
-{
- tcp->th_seq = htonl(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpack(arg)
-char **arg;
-{
- tcp->th_ack = htonl(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpoff(arg)
-char **arg;
-{
- int off;
-
- off = strtol(*arg, NULL, 0);
- inc_anipheaders((off - tcp->th_off) << 2);
- tcp->th_off = off;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpurp(arg)
-char **arg;
-{
- tcp->th_urp = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpwin(arg)
-char **arg;
-{
- tcp->th_win = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpsum(arg)
-char **arg;
-{
- tcp->th_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpflags(arg)
-char **arg;
-{
- static char flags[] = "ASURPF";
- static int flagv[] = { TH_ACK, TH_SYN, TH_URG, TH_RST, TH_PUSH,
- TH_FIN } ;
- char *s, *t;
-
- for (s = *arg; *s; s++)
- if (!(t = strchr(flags, *s))) {
- if (s - *arg) {
- fprintf(stderr, "unknown TCP flag %c\n", *s);
- break;
- }
- tcp->th_flags = strtol(*arg, NULL, 0);
- break;
- } else
- tcp->th_flags |= flagv[t - flags];
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpopt(state, arg)
-int state;
-char **arg;
-{
- u_char *s;
- int val, len, val2, pad, optval;
-
- if (arg && *arg)
- val = atoi(*arg);
- else
- val = 0;
-
- s = (u_char *)tcp + sizeof(*tcp) + canip->ah_optlen;
- switch (state)
- {
- case IL_TCPO_EOL :
- optval = 0;
- len = 1;
- break;
- case IL_TCPO_NOP :
- optval = 1;
- len = 1;
- break;
- case IL_TCPO_MSS :
- optval = 2;
- len = 4;
- break;
- case IL_TCPO_WSCALE :
- optval = 3;
- len = 3;
- break;
- case IL_TCPO_TS :
- optval = 8;
- len = 10;
- break;
- default :
- optval = 0;
- len = 0;
- break;
- }
-
- if (len > 1) {
- /*
- * prepend padding - if required.
- */
- if (len & 3)
- for (pad = 4 - (len & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- /*
- * build tcp option
- */
- *s++ = (u_char)optval;
- *s++ = (u_char)len;
- if (len > 2) {
- if (len == 3) { /* 1 byte - char */
- *s++ = (u_char)val;
- } else if (len == 4) { /* 2 bytes - short */
- *s++ = (u_char)((val >> 8) & 0xff);
- *s++ = (u_char)(val & 0xff);
- } else if (len >= 6) { /* 4 bytes - long */
- val2 = htonl(val);
- bcopy((char *)&val2, s, 4);
- }
- s += (len - 2);
- }
- } else
- *s++ = (u_char)optval;
-
- canip->ah_lastopt = optval;
- canip->ah_optlen += len;
-
- if (arg && *arg) {
- free(*arg);
- *arg = NULL;
- }
-}
-
-
-void end_tcpopt()
-{
- int pad;
- char *s = (char *)tcp;
-
- s += sizeof(*tcp) + canip->ah_optlen;
- /*
- * pad out so that we have a multiple of 4 bytes in size fo the
- * options. make sure last byte is EOL.
- */
- if (canip->ah_optlen & 3) {
- if (canip->ah_lastopt != 1) {
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- canip->ah_optlen++;
- } else {
- s -= 1;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- }
- *s++ = 0;
- }
- tcp->th_off = (sizeof(*tcp) + canip->ah_optlen) >> 2;
- inc_anipheaders(canip->ah_optlen);
-}
-
-
-void new_udpheader()
-{
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_UDP)) {
- fprintf(stderr, "protocol %d specified with UDP!\n", ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_UDP;
-
- udp = (udphdr_t *)new_header(IPPROTO_UDP);
- udp->uh_ulen = sizeof(*udp);
-}
-
-
-void set_udplen(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len - udp->uh_ulen);
- udp->uh_ulen = len;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_udpsum(arg)
-char **arg;
-{
- udp->uh_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void prep_packet()
-{
- iface_t *ifp;
- struct in_addr gwip;
-
- ifp = sending.snd_if;
- if (!ifp) {
- fprintf(stderr, "no interface defined for sending!\n");
- return;
- }
- if (ifp->if_fd == -1)
- ifp->if_fd = initdevice(ifp->if_name, 5);
- gwip = sending.snd_gw;
- if (!gwip.s_addr) {
- if (aniphead == NULL) {
- fprintf(stderr,
- "no destination address defined for sending\n");
- return;
- }
- gwip = aniphead->ah_ip->ip_dst;
- }
- (void) send_ip(ifp->if_fd, ifp->if_MTU, (ip_t *)ipbuffer, gwip, 2);
-}
-
-
-void packet_done()
-{
- char outline[80];
- int i, j, k;
- u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline;
-
- if (opts & OPT_VERBOSE) {
- ip->ip_len = htons(ip->ip_len);
- for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- fputs(outline, stdout);
- fflush(stdout);
- t = (u_char *)outline;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- fputs(outline, stdout);
- fflush(stdout);
- ip->ip_len = ntohs(ip->ip_len);
- }
-
- prep_packet();
- free_aniplist();
-}
-
-
-void new_interface()
-{
- cifp = (iface_t *)calloc(1, sizeof(iface_t));
- *iftail = cifp;
- iftail = &cifp->if_next;
- cifp->if_fd = -1;
-}
-
-
-void check_interface()
-{
- if (!cifp->if_name || !*cifp->if_name)
- fprintf(stderr, "No interface name given!\n");
- if (!cifp->if_MTU || !*cifp->if_name)
- fprintf(stderr, "Interface %s has an MTU of 0!\n",
- cifp->if_name);
-}
-
-
-void set_ifname(arg)
-char **arg;
-{
- cifp->if_name = *arg;
- *arg = NULL;
-}
-
-
-void set_ifmtu(arg)
-int arg;
-{
- cifp->if_MTU = arg;
-}
-
-
-void set_ifv4addr(arg)
-char **arg;
-{
- cifp->if_addr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ifeaddr(arg)
-char **arg;
-{
- (void) geteaddr(*arg, &cifp->if_eaddr);
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_arp()
-{
- carp = (arp_t *)calloc(1, sizeof(arp_t));
- *arptail = carp;
- arptail = &carp->arp_next;
-}
-
-
-void set_arpeaddr(arg)
-char **arg;
-{
- (void) geteaddr(*arg, &carp->arp_eaddr);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_arpv4addr(arg)
-char **arg;
-{
- carp->arp_addr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-int arp_getipv4(ip, addr)
-char *ip;
-char *addr;
-{
- arp_t *a;
-
- for (a = arplist; a; a = a->arp_next)
- if (!bcmp(ip, (char *)&a->arp_addr, 4)) {
- bcopy((char *)&a->arp_eaddr, addr, 6);
- return 0;
- }
- return -1;
-}
-
-
-void reset_send()
-{
- sending.snd_if = iflist;
- sending.snd_gw = defrouter;
-}
-
-
-void set_sendif(arg)
-char **arg;
-{
- iface_t *ifp;
-
- for (ifp = iflist; ifp; ifp = ifp->if_next)
- if (ifp->if_name && !strcmp(ifp->if_name, *arg))
- break;
- sending.snd_if = ifp;
- if (!ifp)
- fprintf(stderr, "couldn't find interface %s\n", *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_sendvia(arg)
-char **arg;
-{
- sending.snd_gw = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_defaultrouter(arg)
-char **arg;
-{
- defrouter = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_icmpheader()
-{
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_ICMP)) {
- fprintf(stderr, "protocol %d specified with ICMP!\n",
- ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_ICMP;
- icmp = (icmphdr_t *)new_header(IPPROTO_ICMP);
-}
-
-
-void set_icmpcode(code)
-int code;
-{
- icmp->icmp_code = code;
-}
-
-
-void set_icmptype(type)
-int type;
-{
- icmp->icmp_type = type;
-}
-
-
-void set_icmpcodetok(code)
-char **code;
-{
- char *s;
- int i;
-
- for (i = 0; (s = icmpcodes[i]); i++)
- if (!strcmp(s, *code)) {
- icmp->icmp_code = i;
- break;
- }
- if (!s)
- fprintf(stderr, "unknown ICMP code %s\n", *code);
- free(*code);
- *code = NULL;
-}
-
-
-void set_icmptypetok(type)
-char **type;
-{
- char *s;
- int i, done = 0;
-
- for (i = 0; !(s = icmptypes[i]) || strcmp(s, "END"); i++)
- if (s && !strcmp(s, *type)) {
- icmp->icmp_type = i;
- done = 1;
- break;
- }
- if (!done)
- fprintf(stderr, "unknown ICMP type %s\n", *type);
- free(*type);
- *type = NULL;
-}
-
-
-void set_icmpid(arg)
-int arg;
-{
- icmp->icmp_id = htons(arg);
-}
-
-
-void set_icmpseq(arg)
-int arg;
-{
- icmp->icmp_seq = htons(arg);
-}
-
-
-void set_icmpotime(arg)
-int arg;
-{
- icmp->icmp_otime = htonl(arg);
-}
-
-
-void set_icmprtime(arg)
-int arg;
-{
- icmp->icmp_rtime = htonl(arg);
-}
-
-
-void set_icmpttime(arg)
-int arg;
-{
- icmp->icmp_ttime = htonl(arg);
-}
-
-
-void set_icmpmtu(arg)
-int arg;
-{
-#if BSD >= 199306
- icmp->icmp_nextmtu = htons(arg);
-#endif
-}
-
-
-void set_redir(redir, arg)
-int redir;
-char **arg;
-{
- icmp->icmp_code = redir;
- icmp->icmp_gwaddr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_icmppprob(num)
-int num;
-{
- icmp->icmp_pptr = num;
-}
-
-
-void new_ipv4opt()
-{
- new_header(-2);
-}
-
-
-void add_ipopt(state, ptr)
-int state;
-void *ptr;
-{
- struct ipopt_names *io;
- struct statetoopt *sto;
- char numbuf[16], *arg, **param = ptr;
- int inc, hlen;
-
- if (state == IL_IPO_RR || state == IL_IPO_SATID) {
- if (param)
- sprintf(numbuf, "%d", *(int *)param);
- else
- strcpy(numbuf, "0");
- arg = numbuf;
- } else
- arg = param ? *param : NULL;
-
- if (canip->ah_next) {
- fprintf(stderr, "cannot specify options after data body\n");
- return;
- }
- for (sto = toipopts; sto->sto_st; sto++)
- if (sto->sto_st == state)
- break;
- if (!sto->sto_st) {
- fprintf(stderr, "No mapping for state %d to IP option\n",
- state);
- return;
- }
-
- hlen = sizeof(ip_t) + canip->ah_optlen;
- for (io = ionames; io->on_name; io++)
- if (io->on_value == sto->sto_op)
- break;
- canip->ah_lastopt = io->on_value;
-
- if (io->on_name) {
- inc = addipopt((char *)ip + hlen, io, hlen - sizeof(ip_t),arg);
- if (inc > 0) {
- while (inc & 3) {
- ((char *)ip)[sizeof(*ip) + inc] = IPOPT_NOP;
- canip->ah_lastopt = IPOPT_NOP;
- inc++;
- }
- hlen += inc;
- }
- }
-
- canip->ah_optlen = hlen - sizeof(ip_t);
-
- if (state != IL_IPO_RR && state != IL_IPO_SATID)
- if (param && *param) {
- free(*param);
- *param = NULL;
- }
- sclass = NULL;
-}
-
-
-void end_ipopt()
-{
- int pad;
- char *s, *buf = (char *)ip;
-
- /*
- * pad out so that we have a multiple of 4 bytes in size fo the
- * options. make sure last byte is EOL.
- */
- if (canip->ah_lastopt == IPOPT_NOP) {
- buf[sizeof(*ip) + canip->ah_optlen - 1] = IPOPT_EOL;
- } else if (canip->ah_lastopt != IPOPT_EOL) {
- s = buf + sizeof(*ip) + canip->ah_optlen;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = IPOPT_NOP;
- *s = IPOPT_EOL;
- canip->ah_optlen++;
- }
- canip->ah_optlen++;
- } else {
- s = buf + sizeof(*ip) + canip->ah_optlen - 1;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = IPOPT_NOP;
- *s = IPOPT_EOL;
- canip->ah_optlen++;
- }
- }
- ip->ip_hl = (sizeof(*ip) + canip->ah_optlen) >> 2;
- inc_anipheaders(canip->ah_optlen);
- free_anipheader();
-}
-
-
-void set_secclass(arg)
-char **arg;
-{
- sclass = *arg;
- *arg = NULL;
-}
-
-
-void free_anipheader()
-{
- aniphdr_t *aip;
-
- aip = canip;
- if ((canip = aip->ah_prev)) {
- canip->ah_next = NULL;
- aniptail = &canip->ah_next;
- }
-
- if (canip)
- free(aip);
-}
-
-
-void end_ipv4()
-{
- aniphdr_t *aip;
-
- ip->ip_sum = 0;
- ip->ip_len = htons(ip->ip_len);
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- ip->ip_len = ntohs(ip->ip_len);
- free_anipheader();
- for (aip = aniphead, ip = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_IP)
- ip = aip->ah_ip;
-}
-
-
-void end_icmp()
-{
- aniphdr_t *aip;
-
- icmp->icmp_cksum = 0;
- icmp->icmp_cksum = chksum((u_short *)icmp, canip->ah_len);
- free_anipheader();
- for (aip = aniphead, icmp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_ICMP)
- icmp = aip->ah_icmp;
-}
-
-
-void end_udp()
-{
- u_long sum;
- aniphdr_t *aip;
- ip_t iptmp;
-
- bzero((char *)&iptmp, sizeof(iptmp));
- iptmp.ip_p = ip->ip_p;
- iptmp.ip_src = ip->ip_src;
- iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
- sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
- udp->uh_ulen = htons(udp->uh_ulen);
- udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum);
- free_anipheader();
- for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_UDP)
- udp = aip->ah_udp;
-}
-
-
-void end_tcp()
-{
- u_long sum;
- aniphdr_t *aip;
- ip_t iptmp;
-
- bzero((char *)&iptmp, sizeof(iptmp));
- iptmp.ip_p = ip->ip_p;
- iptmp.ip_src = ip->ip_src;
- iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
- sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
- tcp->th_sum = 0;
- tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum);
- free_anipheader();
- for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_TCP)
- tcp = aip->ah_tcp;
-}
-
-
-void end_data()
-{
- free_anipheader();
-}
-
-
-void iplang(fp)
-FILE *fp;
-{
- yyin = fp;
-
- yydebug = (opts & OPT_DEBUG) ? 1 : 0;
-
- while (!feof(fp))
- yyparse();
-}
-
-
-u_short c_chksum(buf, len, init)
-u_short *buf;
-u_int len;
-u_long init;
-{
- u_long sum = init;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- sum = (sum>>16) + (sum & 0xffff);
- sum += (sum >>16);
- return (~sum);
-}
-
-
-u_long p_chksum(buf,len)
-u_short *buf;
-u_int len;
-{
- u_long sum = 0;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- return sum;
-}
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
deleted file mode 100644
index 2e4b2b5..0000000
--- a/contrib/ipfilter/ipmon.c
+++ /dev/null
@@ -1,1493 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__SVR4) && !defined(__GNUC__)
-# include <strings.h>
-#endif
-#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#include <netinet/tcp_fsm.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#ifndef linux
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.40 2004/05/12 23:21:55 darrenr Exp $";
-#endif
-
-
-#if defined(sun) && !defined(SOLARIS2)
-#define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-#define STRERROR(x) strerror(x)
-#endif
-
-
-struct flags {
- int value;
- char flag;
-};
-
-
-typedef struct icmp_subtype {
- int ist_val;
- char *ist_name;
-} icmp_subtype_t;
-
-typedef struct icmp_type {
- int it_val;
- struct icmp_subtype *it_subtable;
- size_t it_stsize;
- char *it_name;
-} icmp_type_t;
-
-
-#define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t))
-
-
-struct flags tcpfl[] = {
- { TH_ACK, 'A' },
- { TH_RST, 'R' },
- { TH_SYN, 'S' },
- { TH_FIN, 'F' },
- { TH_URG, 'U' },
- { TH_PUSH,'P' },
- { TH_ECN, 'E' },
- { TH_CWR, 'C' },
- { 0, '\0' }
-};
-
-#if SOLARIS
-static char *pidfile = "/etc/opt/ipf/ipmon.pid";
-#else
-# if BSD >= 199306
-static char *pidfile = "/var/run/ipmon.pid";
-# else
-static char *pidfile = "/etc/ipmon.pid";
-# endif
-#endif
-
-static char line[2048];
-static int opts = 0;
-static FILE *newlog = NULL;
-static char *logfile = NULL;
-static int donehup = 0;
-static void usage __P((char *));
-static void handlehup __P((int));
-static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
-static void dumphex __P((FILE *, u_char *, int));
-static int read_log __P((int, int *, char *, int));
-static void write_pid __P((char *));
-static char *icmpname __P((u_int, u_int));
-static char *icmpname6 __P((u_int, u_int));
-static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t));
-static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t));
-
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
-int main __P((int, char *[]));
-
-static void logopts __P((int, char *));
-static void init_tabs __P((void));
-static char *getproto __P((u_int));
-
-static char **protocols = NULL;
-static char **udp_ports = NULL;
-static char **tcp_ports = NULL;
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
-
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
-#ifndef LOGFAC
-#define LOGFAC LOG_LOCAL0
-#endif
-
-
-static icmp_subtype_t icmpunreachnames[] = {
- { ICMP_UNREACH_NET, "net" },
- { ICMP_UNREACH_HOST, "host" },
- { ICMP_UNREACH_PROTOCOL, "protocol" },
- { ICMP_UNREACH_PORT, "port" },
- { ICMP_UNREACH_NEEDFRAG, "needfrag" },
- { ICMP_UNREACH_SRCFAIL, "srcfail" },
- { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" },
- { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" },
- { ICMP_UNREACH_NET, "isolated" },
- { ICMP_UNREACH_NET_PROHIB, "net_prohib" },
- { ICMP_UNREACH_NET_PROHIB, "host_prohib" },
- { ICMP_UNREACH_TOSNET, "tosnet" },
- { ICMP_UNREACH_TOSHOST, "toshost" },
- { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" },
- { -2, NULL }
-};
-
-static icmp_subtype_t redirectnames[] = {
- { ICMP_REDIRECT_NET, "net" },
- { ICMP_REDIRECT_HOST, "host" },
- { ICMP_REDIRECT_TOSNET, "tosnet" },
- { ICMP_REDIRECT_TOSHOST, "toshost" },
- { -2, NULL }
-};
-
-static icmp_subtype_t timxceednames[] = {
- { ICMP_TIMXCEED_INTRANS, "transit" },
- { ICMP_TIMXCEED_REASS, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t paramnames[] = {
- { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" },
- { ICMP_PARAMPROB_OPTABSENT, "optmissing" },
- { ICMP_PARAMPROB_LENGTH, "length" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes[] = {
- { ICMP_ECHOREPLY, NULL, 0, "echoreply" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_UNREACH, icmpunreachnames,
- IST_SZ(icmpunreachnames),"unreach" },
- { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" },
- { ICMP_REDIRECT, redirectnames,
- IST_SZ(redirectnames), "redirect" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_ECHO, NULL, 0, "echo" },
- { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" },
- { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" },
- { ICMP_TIMXCEED, timxceednames,
- IST_SZ(timxceednames), "timxceed" },
- { ICMP_PARAMPROB, paramnames,
- IST_SZ(paramnames), "paramprob" },
- { ICMP_TSTAMP, NULL, 0, "timestamp" },
- { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" },
- { ICMP_IREQ, NULL, 0, "inforeq" },
- { ICMP_IREQREPLY, NULL, 0, "inforeply" },
- { ICMP_MASKREQ, NULL, 0, "maskreq" },
- { ICMP_MASKREPLY, NULL, 0, "maskreply" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t icmpredirect6[] = {
- { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
- { ICMP6_DST_UNREACH_ADMIN, "admin" },
- { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" },
- { ICMP6_DST_UNREACH_ADDR, "address" },
- { ICMP6_DST_UNREACH_NOPORT, "noport" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmptimexceed6[] = {
- { ICMP6_TIME_EXCEED_TRANSIT, "intransit" },
- { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpparamprob6[] = {
- { ICMP6_PARAMPROB_HEADER, "header" },
- { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" },
- { ICMP6_PARAMPROB_OPTION, "option" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpquerysubject6[] = {
- { ICMP6_NI_SUBJ_IPV6, "ipv6" },
- { ICMP6_NI_SUBJ_FQDN, "fqdn" },
- { ICMP6_NI_SUBJ_IPV4, "ipv4" },
- { -2, NULL },
-};
-
-static icmp_subtype_t icmpnodeinfo6[] = {
- { ICMP6_NI_SUCCESS, "success" },
- { ICMP6_NI_REFUSED, "refused" },
- { ICMP6_NI_UNKNOWN, "unknown" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmprenumber6[] = {
- { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" },
- { ICMP6_ROUTER_RENUMBERING_RESULT, "result" },
- { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes6[] = {
- { 0, NULL, 0, NULL },
- { ICMP6_DST_UNREACH, icmpredirect6,
- IST_SZ(icmpredirect6), "unreach" },
- { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" },
- { ICMP6_TIME_EXCEEDED, icmptimexceed6,
- IST_SZ(icmptimexceed6), "timxceed" },
- { ICMP6_PARAM_PROB, icmpparamprob6,
- IST_SZ(icmpparamprob6), "paramprob" },
- { ICMP6_ECHO_REQUEST, NULL, 0, "echo" },
- { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" },
- { ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6,
- IST_SZ(icmpquerysubject6), "groupmemberquery" },
- { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" },
- { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" },
- { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" },
- { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" },
- { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" },
- { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" },
- { ND_REDIRECT, NULL, 0, "redirect" },
- { ICMP6_ROUTER_RENUMBERING, icmprenumber6,
- IST_SZ(icmprenumber6), "routerrenumber" },
- { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" },
- { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" },
- { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" },
- { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" },
- { ICMP6_NI_QUERY, icmpnodeinfo6,
- IST_SZ(icmpnodeinfo6), "nodeinforequest" },
- { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" },
- { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" },
- { MLD6_MTRACE, NULL, 0, "mtracerequest" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
-{
- icmp_subtype_t *ist;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].ist_val))
- return NULL;
-
- i = type;
- if (table[type].ist_val == type)
- return table + type;
-
- for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
- if (ist->ist_val == type)
- return ist;
- return NULL;
-}
-
-
-static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
-{
- icmp_type_t *it;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].it_val))
- return NULL;
-
- i = type;
- if (table[type].it_val == type)
- return table + type;
-
- for (i = 0, it = table; it->it_val != -2; i++, it++)
- if (it->it_val == type)
- return it;
- return NULL;
-}
-
-
-static void handlehup(sig)
-int sig;
-{
- FILE *fp;
-
- signal(SIGHUP, handlehup);
- if (logfile && (fp = fopen(logfile, "a")))
- newlog = fp;
- init_tabs();
- donehup = 1;
-}
-
-
-static void init_tabs()
-{
- struct protoent *p;
- struct servent *s;
- char *name, **tab;
- int port;
-
- if (protocols != NULL) {
- free(protocols);
- protocols = NULL;
- }
- protocols = (char **)malloc(256 * sizeof(*protocols));
- if (protocols != NULL) {
- bzero((char *)protocols, 256 * sizeof(*protocols));
-
- setprotoent(1);
- while ((p = getprotoent()) != NULL)
- if (p->p_proto >= 0 && p->p_proto <= 255 &&
- p->p_name != NULL && protocols[p->p_proto] == NULL)
- protocols[p->p_proto] = strdup(p->p_name);
- endprotoent();
- }
-
- if (udp_ports != NULL) {
- free(udp_ports);
- udp_ports = NULL;
- }
- udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
- if (udp_ports != NULL)
- bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
-
- if (tcp_ports != NULL) {
- free(tcp_ports);
- tcp_ports = NULL;
- }
- tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
- if (tcp_ports != NULL)
- bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
-
- setservent(1);
- while ((s = getservent()) != NULL) {
- if (s->s_proto == NULL)
- continue;
- else if (!strcmp(s->s_proto, "tcp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = tcp_ports;
- } else if (!strcmp(s->s_proto, "udp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = udp_ports;
- } else
- continue;
- if ((port < 0 || port > 65535) || (name == NULL))
- continue;
- tab[port] = strdup(name);
- }
- endservent();
-}
-
-
-static char *getproto(p)
-u_int p;
-{
- static char pnum[4];
- char *s;
-
- p &= 0xff;
- s = protocols ? protocols[p] : NULL;
- if (s == NULL) {
- sprintf(pnum, "%u", p);
- s = pnum;
- }
- return s;
-}
-
-
-static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
-{
- int nr;
-
- nr = read(fd, buf, bufsize);
- if (!nr)
- return 2;
- if ((nr < 0) && (errno != EINTR))
- return -1;
- *lenp = nr;
- return 0;
-}
-
-
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
-{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
-
- port = ntohs(port);
- port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
- return pname;
- s = NULL;
- if (!strcmp(proto, "tcp"))
- s = tcp_ports[port];
- else if (!strcmp(proto, "udp"))
- s = udp_ports[port];
- if (s == NULL)
- s = pname;
- return s;
-}
-
-
-static char *icmpname(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmptype(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmpv6type(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-
-static void dumphex(log, buf, len)
-FILE *log;
-u_char *buf;
-int len;
-{
- char line[80];
- int i, j, k;
- u_char *s = buf, *t = (u_char *)line;
-
- if (len == 0 || buf == 0)
- return;
- *line = '\0';
-
- for (i = len, j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- if (!(opts & OPT_SYSLOG))
- fputs(line, log);
- else
- syslog(LOG_INFO, "%s", line);
- t = (u_char *)line;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- if (!(opts & OPT_SYSLOG)) {
- fputs(line, log);
- fflush(log);
- } else
- syslog(LOG_INFO, "%s", line);
-}
-
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
-
- nl = (struct natlog *)((char *)ipl + IPLOG_SIZE);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = localtime((time_t *)&ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
- t += strlen(t);
-
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
- t += strlen(t);
-
- proto = getproto(nl->nl_p);
-
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
- t += strlen(t);
- (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport));
- t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd Bytes %qd",
- (long long)nl->nl_pkts,
- (long long)nl->nl_bytes);
-#else
- (void) sprintf(t, " Pkts %ld Bytes %ld",
- nl->nl_pkts, nl->nl_bytes);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
-
- sl = (struct ipslog *)((char *)ipl + IPLOG_SIZE);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = localtime((time_t *)&ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
-
- if (sl->isl_type == ISL_NEW)
- strcpy(t, "STATE:NEW ");
- else if (sl->isl_type == ISL_EXPIRE) {
- if ((sl->isl_p == IPPROTO_TCP) &&
- (sl->isl_state[0] > TCPS_ESTABLISHED ||
- sl->isl_state[1] > TCPS_ESTABLISHED))
- strcpy(t, "STATE:CLOSE ");
- else
- strcpy(t, "STATE:EXPIRE ");
- } else if (sl->isl_type == ISL_FLUSH)
- strcpy(t, "STATE:FLUSH ");
- else if (sl->isl_type == ISL_REMOVE)
- strcpy(t, "STATE:REMOVE ");
- else
- sprintf(t, "Type: %d ", sl->isl_type);
- t += strlen(t);
-
- proto = getproto(sl->isl_p);
-
- if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
- } else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- }
- t += strlen(t);
- if (sl->isl_type != ISL_NEW) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd Bytes %qd",
- (long long)sl->isl_pkts,
- (long long)sl->isl_bytes);
-#else
- (void) sprintf(t, " Pkts %ld Bytes %ld",
- sl->isl_pkts, sl->isl_bytes);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
-{
- iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
- int psize;
-
- while (blen > 0) {
- ipl = (iplog_t *)buf;
- if ((u_long)ipl & (sizeof(long)-1)) {
- if (bp)
- bpo = bp;
- bp = (char *)malloc(blen);
- bcopy((char *)ipl, bp, blen);
- if (bpo) {
- free(bpo);
- bpo = NULL;
- }
- buf = bp;
- continue;
- }
- if (ipl->ipl_magic != IPL_MAGIC) {
- /* invalid data or out of sync */
- break;
- }
- psize = ipl->ipl_dsize;
- switch (logtype)
- {
- case IPL_LOGIPF :
- print_ipflog(log, buf, psize);
- break;
- case IPL_LOGNAT :
- print_natlog(log, buf, psize);
- break;
- case IPL_LOGSTATE :
- print_statelog(log, buf, psize);
- break;
- }
-
- blen -= psize;
- buf += psize;
- }
- if (bp)
- free(bp);
- return;
-}
-
-
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff;
- ip_t *ipc, *ip;
- u_short hl, p;
- ipflog_t *ipf;
- iplog_t *ipl;
- u_32_t *s, *d;
-#ifdef USE_INET6
- ip6_t *ip6;
-#endif
-
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)((char *)buf + IPLOG_SIZE);
- ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = ip->ip_v;
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- t = line;
- *t = '\0';
- tm = localtime((time_t *)&ipl->ipl_sec);
-#ifdef linux
- if (v == 4)
- ip->ip_len = ntohs(ip->ip_len);
-#endif
-
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
- if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
- t += strlen(t);
- }
-#if (SOLARIS || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
- {
- char ifname[sizeof(ipf->fl_ifname) + 1];
-
- strncpy(ifname, (char *)ipf->fl_ifname, sizeof(ipf->fl_ifname));
- ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
- t += strlen(t);
-# if SOLARIS
- if (isalpha(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
-# endif
- }
-#else
- for (len = 0; len < 3; len++)
- if (ipf->fl_ifname[len] == '\0')
- break;
- if (ipf->fl_ifname[len])
- len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
- t += strlen(t);
-#endif
- if (ipf->fl_group == 0xffffffff)
- strcat(t, " @-1:");
- else
- (void) sprintf(t, " @%u:", ipf->fl_group);
- t += strlen(t);
- if (ipf->fl_rule == 0xffffffff)
- strcat(t, "-1 ");
- else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
- t += strlen(t);
-
- if (ipf->fl_flags & FF_SHORT) {
- *t++ = 'S';
- lvl = LOG_ERR;
- } else if (ipf->fl_flags & FR_PASS) {
- if (ipf->fl_flags & FR_LOG)
- *t++ = 'p';
- else
- *t++ = 'P';
- lvl = LOG_NOTICE;
- } else if (ipf->fl_flags & FR_BLOCK) {
- if (ipf->fl_flags & FR_LOG)
- *t++ = 'b';
- else
- *t++ = 'B';
- lvl = LOG_WARNING;
- } else if (ipf->fl_flags & FF_LOGNOMATCH) {
- *t++ = 'n';
- lvl = LOG_NOTICE;
- } else {
- *t++ = 'L';
- lvl = LOG_INFO;
- }
- if (ipf->fl_loglevel != 0xffff)
- lvl = ipf->fl_loglevel;
- *t++ = ' ';
- *t = '\0';
-
- if (v == 6) {
-#ifdef USE_INET6
- off = 0;
- ipoff = 0;
- hl = sizeof(ip6_t);
- ip6 = (ip6_t *)ip;
- p = (u_short)ip6->ip6_nxt;
- s = (u_32_t *)&ip6->ip6_src;
- d = (u_32_t *)&ip6->ip6_dst;
- plen = hl + ntohs(ip6->ip6_plen);
-#else
- sprintf(t, "ipv6");
- goto printipflog;
-#endif
- } else if (v == 4) {
- hl = (ip->ip_hl << 2);
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
- goto printipflog;
- }
- proto = getproto(p);
-
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
- tp = (tcphdr_t *)((char *)ip + hl);
- if (!(ipf->fl_flags & FF_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
- proto, hl, plen);
- t += strlen(t);
-
- if (p == IPPROTO_TCP) {
- *t++ = ' ';
- *t++ = '-';
- for (i = 0; tcpfl[i].value; i++)
- if (tp->th_flags & tcpfl[i].value)
- *t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
- (u_long)(ntohl(tp->th_seq)),
- (u_long)(ntohl(tp->th_ack)),
- ntohs(tp->th_win));
- t += strlen(t);
- }
- }
- *t = '\0';
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
- }
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
- icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
- icmpname(ic->icmp_type, ic->icmp_code));
- if (ic->icmp_type == ICMP_UNREACH ||
- ic->icmp_type == ICMP_SOURCEQUENCH ||
- ic->icmp_type == ICMP_PARAMPROB ||
- ic->icmp_type == ICMP_REDIRECT ||
- ic->icmp_type == ICMP_TIMXCEED) {
- ipc = &ic->icmp_ip;
- i = ntohs(ipc->ip_len);
- ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
-
- if (!(ipoff & IP_OFFMASK) &&
- ((ipc->ip_p == IPPROTO_TCP) ||
- (ipc->ip_p == IPPROTO_UDP))) {
- tp = (tcphdr_t *)((char *)ipc + hl);
- t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
- (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
- (u_int)tp->th_dport),
- proto, ipc->ip_hl << 2, i);
- } else if (!(ipoff & IP_OFFMASK) &&
- (ipc->ip_p == IPPROTO_ICMP)) {
- icmp = (icmphdr_t *)((char *)ipc + hl);
-
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t,
- " %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
- ipc->ip_hl << 2, i,
- icmp->icmp_type, icmp->icmp_code);
-
- } else {
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
- ipc->ip_hl << 2, i);
- t += strlen(t);
- if (ipoff & IP_OFFMASK) {
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ipc->ip_id),
- i - (ipc->ip_hl<<2),
- (ipoff & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- }
- }
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
- t += strlen(t);
- if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ip->ip_id),
- plen - hl, (off & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- t += strlen(t);
-
- if (ipf->fl_flags & FR_KEEPSTATE) {
- (void) strcpy(t, " K-S");
- t += strlen(t);
- }
-
- if (ipf->fl_flags & FR_KEEPFRAG) {
- (void) strcpy(t, " K-F");
- t += strlen(t);
- }
-
- if (ipf->fl_dir == 0)
- strcpy(t, " IN");
- else if (ipf->fl_dir == 1)
- strcpy(t, " OUT");
- t += strlen(t);
-printipflog:
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(lvl, "%s", line);
- else
- (void) fprintf(log, "%s", line);
- if (opts & OPT_HEXHDR)
- dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen);
-}
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
- exit(1);
-}
-
-
-static void write_pid(file)
-char *file;
-{
- FILE *fp = NULL;
- int fd;
-
- if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0)
- fp = fdopen(fd, "w");
- if (!fp) {
- close(fd);
- fprintf(stderr, "unable to open/create pid file: %s\n", file);
- return;
- }
- fprintf(fp, "%d", getpid());
- fclose(fp);
- close(fd);
-}
-
-
-static void flushlogs(file, log)
-char *file;
-FILE *log;
-{
- int fd, flushed = 0;
-
- if ((fd = open(file, O_RDWR)) == -1) {
- (void) fprintf(stderr, "%s: open: %s\n",
- file, STRERROR(errno));
- exit(1);
- }
-
- if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
- printf("%d bytes flushed from log buffer\n",
- flushed);
- fflush(stdout);
- } else
- perror("SIOCIPFFB");
- (void) close(fd);
-
- if (flushed) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%d bytes flushed from log\n",
- flushed);
- else if (log != stdout)
- fprintf(log, "%d bytes flushed from log\n", flushed);
- }
-}
-
-
-static void logopts(turnon, options)
-int turnon;
-char *options;
-{
- int flags = 0;
- char *s;
-
- for (s = options; *s; s++)
- {
- switch (*s)
- {
- case 'N' :
- flags |= OPT_NAT;
- break;
- case 'S' :
- flags |= OPT_STATE;
- break;
- case 'I' :
- flags |= OPT_FILTER;
- break;
- default :
- fprintf(stderr, "Unknown log option %c\n", *s);
- exit(1);
- }
- }
-
- if (turnon)
- opts |= flags;
- else
- opts &= ~(flags);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[IPLLOGSIZE], *iplfile[3], *s;
- int fd[3], doread, n, i;
- extern char *optarg;
- extern int optind;
- int regular[3], c;
- FILE *log = stdout;
- struct stat sb;
- size_t nr, tr;
-
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
-
- while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
- switch (c)
- {
- case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'b' :
- opts |= OPT_LOGBODY;
- break;
- case 'D' :
- make_daemon = 1;
- break;
- case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
- break;
- case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
- break;
- case 'n' :
- opts |= OPT_RESOLVE;
- break;
- case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
- break;
- case 'o' : case 'O' :
- logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'p' :
- opts |= OPT_PORTNUM;
- break;
- case 'P' :
- pidfile = optarg;
- break;
- case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
- opts |= OPT_SYSLOG;
- log = NULL;
- break;
- case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
- break;
- case 't' :
- opts |= OPT_TAIL;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEXBODY;
- break;
- case 'X' :
- opts |= OPT_HEXHDR;
- break;
- default :
- case 'h' :
- case '?' :
- usage(argv[0]);
- }
-
- init_tabs();
-
- /*
- * Default action is to only open the filter log file.
- */
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
-
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
-
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
- (void) fprintf(stderr, "%s: fopen: %s\n",
- argv[optind], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
-
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
-#if BSD
- daemon(0, !(opts & OPT_SYSLOG));
-#else
- int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
- (void) fprintf(stderr, "%s: fork() failed: %s\n",
- argv[0], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setsid();
- if ((opts & OPT_SYSLOG))
- close(2);
-#endif /* !BSD */
- close(0);
- close(1);
- }
- write_pid(pidfile);
-
- signal(SIGHUP, handlehup);
-
- for (doread = 1; doread; ) {
- nr = 0;
-
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
- }
- if (!tr)
- continue;
- nr += tr;
-
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- donehup = 0;
- if (newlog) {
- fclose(log);
- log = newlog;
- newlog = NULL;
- }
- }
-
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
- }
- break;
- }
- }
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
- }
- exit(0);
- /* NOTREACHED */
-}
diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h
deleted file mode 100644
index 5c6f8c5..0000000
--- a/contrib/ipfilter/ipmon.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h 1.35 6/5/96
- * $Id: ipmon.h,v 2.8.2.1 2006/03/21 16:13:31 darrenr Exp $
- */
-
-
-typedef struct ipmon_action {
- struct ipmon_action *ac_next;
- int ac_mflag; /* collection of things to compare */
- int ac_dflag; /* flags to compliment the doing fields */
- int ac_syslog; /* = 1 to syslog rules. */
- char *ac_savefile; /* filename to save log records to */
- FILE *ac_savefp;
- int ac_direction;
- char ac_group[FR_GROUPLEN];
- char ac_nattag[16];
- u_32_t ac_logtag;
- int ac_type; /* nat/state/ipf */
- int ac_proto;
- int ac_rule;
- int ac_packet;
- int ac_second;
- int ac_result;
- u_32_t ac_sip;
- u_32_t ac_smsk;
- u_32_t ac_dip;
- u_32_t ac_dmsk;
- u_short ac_sport;
- u_short ac_dport;
- char *ac_exec; /* execute argument */
- char *ac_run; /* actual command that gets run */
- char *ac_iface;
- /*
- * used with ac_packet/ac_second
- */
- struct timeval ac_last;
- int ac_pktcnt;
-} ipmon_action_t;
-
-#define ac_lastsec ac_last.tv_sec
-#define ac_lastusec ac_last.tv_usec
-
-/*
- * Flags indicating what fields to do matching upon (ac_mflag).
- */
-#define IPMAC_DIRECTION 0x0001
-#define IPMAC_DSTIP 0x0002
-#define IPMAC_DSTPORT 0x0004
-#define IPMAC_EVERY 0x0008
-#define IPMAC_GROUP 0x0010
-#define IPMAC_INTERFACE 0x0020
-#define IPMAC_LOGTAG 0x0040
-#define IPMAC_NATTAG 0x0080
-#define IPMAC_PROTOCOL 0x0100
-#define IPMAC_RESULT 0x0200
-#define IPMAC_RULE 0x0400
-#define IPMAC_SRCIP 0x0800
-#define IPMAC_SRCPORT 0x1000
-#define IPMAC_TYPE 0x2000
-#define IPMAC_WITH 0x4000
-
-#define IPMR_BLOCK 1
-#define IPMR_PASS 2
-#define IPMR_NOMATCH 3
-#define IPMR_LOG 4
-
-#define IPMDO_SAVERAW 0x0001
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
-#ifndef LOGFAC
-#define LOGFAC LOG_LOCAL0
-#endif
-
-extern int load_config __P((char *));
-extern void dumphex __P((FILE *, int, char *, int));
-extern int check_action __P((char *, char *, int, int));
-extern char *getword __P((int));
-extern int fac_findname __P((char *));
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
deleted file mode 100644
index 69e7959..0000000
--- a/contrib/ipfilter/ipnat.c
+++ /dev/null
@@ -1,433 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <nlist.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.25 2003/06/05 14:00:28 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-int use_inet6 = 0;
-char thishost[MAXHOSTNAMELEN];
-
-extern char *optarg;
-extern int optind;
-#if 0
-extern ipnat_t *natparse __P((char *, int));
-#endif
-extern void natparsefile __P((int, char *, int));
-extern void printnat __P((ipnat_t *, int));
-extern void printactivenat __P((nat_t *, int));
-extern void printhostmap __P((hostmap_t *, u_int));
-extern char *getsumd __P((u_32_t));
-
-static int dostats __P((natstat_t *, int));
-static int flushtable __P((int, int));
-void usage __P((char *));
-int countbits __P((u_32_t));
-char *getnattype __P((ipnat_t *));
-int main __P((int, char*[]));
-void printaps __P((ap_session_t *, int));
-static int showhostmap __P((natstat_t *nsp));
-static int natstat_dead __P((natstat_t *, char *));
-
-
-void usage(name)
-char *name;
-{
- fprintf(stderr, "Usage: %s [-CFhlnrsv] [-f filename]\n", name);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- natstat_t ns, *nsp = &ns;
- char *file, *core, *kernel;
- int fd, opts, c, mode;
-
- fd = -1;
- opts = 0;
- file = NULL;
- core = NULL;
- kernel = NULL;
- mode = O_RDWR;
-
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1)
- switch (c)
- {
- case 'C' :
- opts |= OPT_CLEAR;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- file = optarg;
- break;
- case 'F' :
- opts |= OPT_FLUSH;
- break;
- case 'h' :
- opts |=OPT_HITS;
- break;
- case 'l' :
- opts |= OPT_LIST;
- mode = O_RDONLY;
- break;
- case 'M' :
- core = optarg;
- break;
- case 'N' :
- kernel = optarg;
- break;
- case 'n' :
- opts |= OPT_NODO;
- mode = O_RDONLY;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- mode = O_RDONLY;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case '?' :
- default :
- usage(argv[0]);
- }
-
- if (optind < 2)
- usage(argv[0]);
-
- if ((kernel != NULL) || (core != NULL)) {
- (void) setgid(getgid());
- (void) setuid(getuid());
- }
-
- bzero((char *)&ns, sizeof(ns));
-
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-
- if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- if (((fd = open(IPL_NAT, mode)) == -1) &&
- ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
- STRERROR(errno));
- if (errno == ENODEV)
- fprintf(stderr, "IPFilter enabled?\n");
- exit(1);
- }
- if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
- perror("ioctl(SIOCGNATS)");
- exit(1);
- }
- (void) setgid(getgid());
- (void) setuid(getuid());
- } else if ((kernel != NULL) || (core != NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- if (natstat_dead(nsp, kernel))
- exit(1);
- if (opts & (OPT_LIST|OPT_STAT)) {
- if (dostats(nsp, opts))
- exit(1);
- }
- exit(0);
- }
-
- if (opts & (OPT_FLUSH|OPT_CLEAR))
- if (flushtable(fd, opts))
- exit(1);
- if (file) {
- /* NB natparsefile exits with nonzero in case of error */
- natparsefile(fd, file, opts);
- }
- if (opts & (OPT_LIST|OPT_STAT))
- if (dostats(nsp, opts))
- exit(1);
-
- /* TBD why not exit(0)? */
- return 0;
-}
-
-
-/*
- * Read NAT statistic information in using a symbol table and memory file
- * rather than doing ioctl's.
- */
-static int natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
-{
- struct nlist nat_nlist[10] = {
- { "nat_table" }, /* 0 */
- { "nat_list" },
- { "maptable" },
- { "ipf_nattable_sz" },
- { "ipf_natrules_sz" },
- { "ipf_rdrrules_sz" }, /* 5 */
- { "ipf_hostmap_sz" },
- { "nat_instances" },
- { "ap_sess_list" },
- { NULL }
- };
- void *tables[2];
-
- if (nlist(kernel, nat_nlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return -1;
- }
-
- /*
- * Normally the ioctl copies all of these values into the structure
- * for us, before returning it to userland, so here we must copy each
- * one in individually.
- */
- kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
-
- kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
- sizeof(nsp->ns_list));
- kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
- sizeof(nsp->ns_maptable));
- kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
- sizeof(nsp->ns_nattab_sz));
- kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
- sizeof(nsp->ns_rultab_sz));
- kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
- sizeof(nsp->ns_rdrtab_sz));
- kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
- sizeof(nsp->ns_hostmap_sz));
- kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
- sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
-
- return 0;
-}
-
-
-/*
- * Display NAT statistics.
- */
-static int dostats(nsp, opts)
-natstat_t *nsp;
-int opts;
-{
- nat_t **nt[2], *np, nat;
- ipnat_t ipn;
- int rc = 0;
-
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- }
-
- /*
- * Show list of NAT rules and NAT sessions ?
- */
- if (opts & OPT_LIST) {
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- rc = -1;
- break;
- }
- if (opts & OPT_HITS)
- printf("%d ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
- if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0],
- sizeof(**nt) * NAT_SIZE)) {
- perror("kmemcpy");
- rc = -1;
- }
- if (rc) {
- free(nt[0]);
- return rc;
- }
-
- printf("\nList of active sessions:\n");
-
- for (np = nsp->ns_instances; np; np = nat.nat_next) {
- if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) {
- /* TBD Is this an error? If so, return -1 */
- break;
- }
- printactivenat(&nat, opts);
- }
-
- if (opts & OPT_VERBOSE) {
- if (showhostmap(nsp)) {
- free(nt[0]);
- return -1;
- }
- }
-
- free(nt[0]);
- }
- return 0;
-}
-
-
-/*
- * Display the active host mapping table.
- */
-static int showhostmap(nsp)
-natstat_t *nsp;
-{
- hostmap_t hm, *hmp, **maptable;
- u_int hv;
-
- printf("\nList of active host mappings:\n");
-
- maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
- nsp->ns_hostmap_sz);
- if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
- sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
- perror("kmemcpy (maptable)");
- free(maptable);
- return -1;
- }
-
- for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
- hmp = maptable[hv];
-
- while (hmp) {
- if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
- perror("kmemcpy (hostmap)");
- free(maptable);
- return -1;
- }
-
- printhostmap(&hm, hv);
- hmp = hm.hm_next;
- }
- }
- free(maptable);
- return 0;
-}
-
-
-/*
- * Issue an ioctl to flush either the NAT rules table or the active mapping
- * table or both.
- */
-static int flushtable(fd, opts)
-int fd, opts;
-{
- int n = 0;
- int rc = 0;
-
- if (opts & OPT_FLUSH) {
- n = 0;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) {
- perror("ioctl(SIOCFLNAT)");
- rc = -1;
- } else {
- printf("%d entries flushed from NAT table\n", n);
- }
- }
-
- if (opts & OPT_CLEAR) {
- n = 1;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) {
- perror("ioctl(SIOCCNATL)");
- rc = -1;
- } else {
- printf("%d entries flushed from NAT list\n", n);
- }
- }
-
- return rc;
-}
diff --git a/contrib/ipfilter/ipsd/Celler/ip_compat.h b/contrib/ipfilter/ipsd/Celler/ip_compat.h
deleted file mode 100644
index a911fd8..0000000
--- a/contrib/ipfilter/ipsd/Celler/ip_compat.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * (C)opyright 1995 by Darren Reed.
- *
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
- *
- * @(#)ip_compat.h 1.1 9/14/95
- */
-
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH ICMP_DEST_UNREACH
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB ICMP_PARAMETERPROB
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-
-#ifdef linux
-# define icmp icmphdr
-# define icmp_type type
-# define icmp_code code
-
-/*
- * From /usr/include/netinet/ip_var.h
- * !%@#!$@# linux...
- */
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __s16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-
-# define ifnet device
-
-#else
-
-typedef struct udphdr udphdr_t;
-typedef struct tcphdr tcphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-
-#endif
-
-#ifdef solaris
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bzero(a,b) memset(a,0,b)
-#endif
diff --git a/contrib/ipfilter/ipsd/Makefile b/contrib/ipfilter/ipsd/Makefile
deleted file mode 100644
index 0f3ce08..0000000
--- a/contrib/ipfilter/ipsd/Makefile
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-OBJS=ipsd.o
-BINDEST=/usr/local/bin
-SBINDEST=/sbin
-MANDIR=/usr/share/man
-BPF=sbpf.o
-NIT=snit.o
-SUNOS4=
-BSD=
-LINUX=slinux.o
-SUNOS5=dlcommon.o sdlpi.o
-
-CC=gcc
-CFLAGS=-g -I.. -I../ipsend
-
-all:
- @echo "Use one of these targets:"
- @echo " sunos4-nit (standard SunOS 4.1.x)"
- @echo " sunos4-bpf (SunOS4.1.x with BPF in the kernel)"
- @echo " bsd-bpf (4.4BSD variant with BPF in the kernel)"
- @echo " linux (Linux kernels)"
- @echo " sunos5 (Solaris 2.x)"
-
-.c.o:
- $(CC) $(CFLAGS) -c $< -o $@
-
-ipsdr: ipsdr.o
- $(CC) ipsdr.o -o $@ $(LIBS)
-
-bpf sunos4-bpf :
- make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS)"
-
-nit sunos4 sunos4-nit :
- make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS)"
-
-sunos5 :
- make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
-
-bsd-bpf :
- make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS)"
-
-linux :
- make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -I /usr/src/linux"
-
-ipsd: $(OBJS) $(UNIXOBJS)
- $(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS)
-
-../ipft_sn.o ../ipft_pc.o:
- (cd ..; make $(@:../%=%))
-
-clean:
- rm -rf *.o core a.out ipsd ipsdr
diff --git a/contrib/ipfilter/ipsd/README b/contrib/ipfilter/ipsd/README
deleted file mode 100644
index eb6b798..0000000
--- a/contrib/ipfilter/ipsd/README
+++ /dev/null
@@ -1,32 +0,0 @@
-
-IP Scan Detetor.
-----------------
-
-This program is designed to be a passive listener for TCP packets sent to
-the host. It does not exercise the promiscous mode of interfaces. For
-routing Unix boxes (and firewalls which route/proxy) this is sufficient to
-detect all packets going to/through them.
-
-Upon compiling, a predefined set of "sensitive" ports are configured into
-the program. Any TCP packets which are seen sent to these ports are counted
-and the IP# of the sending host recorded, along with the time of the first
-packet to that port for that IP#.
-
-After a given number of "hits", it will write the current table of packets
-out to disk. This number defaults to 10,000.
-
-To analyze the information written to disk, a sample program called "ipsdr"
-is used (should but doesn't implement a tree algorithm for storing data)
-which reads all log files it recognises and totals up the number of ports
-each host hit. By default, all ports have the same weighting (1). Another
-group of passes is then made over this table using a netmask of 0xfffffffe,
-grouping all results which fall under the same resulting IP#. This netmask
-is then shrunk back to 0, with a output for each level given. This is aimed
-at detecting port scans done from different hosts on the same subnet (although
-I've not seen this done, if one was trying to do it obscurely...)
-
-Lastly, being passive means that no action is taken to stop port scans being
-done or discourage them.
-
-Darren
-darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsd/ip_compat.h b/contrib/ipfilter/ipsd/ip_compat.h
deleted file mode 100644
index a911fd8..0000000
--- a/contrib/ipfilter/ipsd/ip_compat.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * (C)opyright 1995 by Darren Reed.
- *
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
- *
- * @(#)ip_compat.h 1.1 9/14/95
- */
-
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH ICMP_DEST_UNREACH
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB ICMP_PARAMETERPROB
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-
-#ifdef linux
-# define icmp icmphdr
-# define icmp_type type
-# define icmp_code code
-
-/*
- * From /usr/include/netinet/ip_var.h
- * !%@#!$@# linux...
- */
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __s16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-
-# define ifnet device
-
-#else
-
-typedef struct udphdr udphdr_t;
-typedef struct tcphdr tcphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-
-#endif
-
-#ifdef solaris
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bzero(a,b) memset(a,0,b)
-#endif
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
deleted file mode 100644
index 51d0a14..0000000
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/*
- * (C)opyright 1995-1998 Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#include <stdio.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#include <netinet/tcpip.h>
-#endif
-#include "ip_compat.h"
-#ifdef linux
-#include <linux/sockios.h>
-#include "tcpip.h"
-#endif
-#include "ipsd.h"
-
-#ifndef lint
-static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern int optind;
-
-#ifdef linux
-char default_device[] = "eth0";
-#else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-#endif
-
-#define NPORTS 21
-
-u_short defports[NPORTS] = {
- 7, 9, 20, 21, 23, 25, 53, 69, 79, 111,
- 123, 161, 162, 512, 513, 514, 515, 520, 540, 6000, 0
- };
-
-ipsd_t *iphits[NPORTS];
-int writes = 0;
-
-
-int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
-{
- return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
-}
-
-
-/*
- * Check to see if we've already received a packet from this host for this
- * port.
- */
-int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
-{
- int i, j, k;
- sdhit_t *sh;
-
- sh = NULL;
-
- if (ihp->sd_sz == 4) {
- for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++)
- if (src.s_addr == sh->sh_ip.s_addr)
- return 1;
- } else {
- for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) {
- k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr;
- if (!k)
- return 1;
- else if (k < 0)
- i -= j;
- else
- i += j;
- }
- }
- return 0;
-}
-
-
-/*
- * Search for port number amongst the sorted array of targets we're
- * interested in.
- */
-int detect(ip, tcp)
-ip_t *ip;
-tcphdr_t *tcp;
-{
- ipsd_t *ihp;
- sdhit_t *sh;
- int i, j, k;
-
- for (i = 10, j = 4; j >= 0; j--) {
- k = tcp->th_dport - defports[i];
- if (!k) {
- ihp = iphits[i];
- if (findhit(ihp, ip->ip_src, tcp->th_dport))
- return 0;
- sh = ihp->sd_hit + ihp->sd_cnt;
- sh->sh_date = time(NULL);
- sh->sh_ip.s_addr = ip->ip_src.s_addr;
- if (++ihp->sd_cnt == ihp->sd_sz)
- {
- ihp->sd_sz += 8;
- sh = realloc(sh, ihp->sd_sz * sizeof(*sh));
- ihp->sd_hit = sh;
- }
- qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp);
- return 0;
- }
- if (k < 0)
- i -= j;
- else
- i += j;
- }
- return -1;
-}
-
-
-/*
- * Allocate initial storage for hosts
- */
-setuphits()
-{
- int i;
-
- for (i = 0; i < NPORTS; i++) {
- if (iphits[i]) {
- if (iphits[i]->sd_hit)
- free(iphits[i]->sd_hit);
- free(iphits[i]);
- }
- iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t));
- iphits[i]->sd_port = defports[i];
- iphits[i]->sd_cnt = 0;
- iphits[i]->sd_sz = 4;
- iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4);
- }
-}
-
-
-/*
- * cleanup exits
- */
-waiter()
-{
- wait(0);
-}
-
-
-/*
- * Write statistics out to a file
- */
-writestats(nwrites)
-int nwrites;
-{
- ipsd_t **ipsd, *ips;
- char fname[32];
- int i, fd;
-
- (void) sprintf(fname, "/var/log/ipsd/ipsd-hits.%d", nwrites);
- fd = open(fname, O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0644);
- for (i = 0, ipsd = iphits; i < NPORTS; i++, ipsd++) {
- ips = *ipsd;
- if (ips->sd_cnt) {
- write(fd, ips, sizeof(ipsd_t));
- write(fd, ips->sd_hit, sizeof(sdhit_t) * ips->sd_sz);
- }
- }
- (void) close(fd);
- exit(0);
-}
-
-
-void writenow()
-{
- signal(SIGCHLD, waiter);
- switch (fork())
- {
- case 0 :
- writestats(writes);
- exit(0);
- case -1 :
- perror("vfork");
- break;
- default :
- writes++;
- setuphits();
- break;
- }
-}
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [-d device]\n", prog);
- exit(1);
-}
-
-
-void detecthits(fd, writecount)
-int fd, writecount;
-{
- struct in_addr ip;
- int hits = 0;
-
- while (1) {
- hits += readloop(fd, ip);
- if (hits > writecount) {
- writenow();
- hits = 0;
- }
- }
-}
-
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- char *name = argv[0], *dev = NULL;
- int fd, writeafter = 10000, angelic = 0, c;
-
- while ((c = getopt(argc, argv, "ad:n:")) != -1)
- switch (c)
- {
- case 'a' :
- angelic = 1;
- break;
- case 'd' :
- dev = optarg;
- break;
- case 'n' :
- writeafter = atoi(optarg);
- break;
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- bzero(iphits, sizeof(iphits));
- setuphits();
-
- if (!dev)
- dev = default_device;
- printf("Device: %s\n", dev);
- fd = initdevice(dev, 60);
-
- if (!angelic) {
- switch (fork())
- {
- case 0 :
- (void) close(0);
- (void) close(1);
- (void) close(2);
- (void) setpgrp(0, getpgrp());
- (void) setsid();
- break;
- case -1:
- perror("fork");
- exit(-1);
- default:
- exit(0);
- }
- }
- signal(SIGUSR1, writenow);
- detecthits(fd, writeafter);
-}
diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h
deleted file mode 100644
index 3726b84..0000000
--- a/contrib/ipfilter/ipsd/ipsd.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * (C)opyright 1995-1998 Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ipsd.h 1.3 12/3/95
- */
-
-typedef struct {
- time_t sh_date;
- struct in_addr sh_ip;
-} sdhit_t;
-
-typedef struct {
- u_int sd_sz;
- u_int sd_cnt;
- u_short sd_port;
- sdhit_t *sd_hit;
-} ipsd_t;
-
-typedef struct {
- struct in_addr ss_ip;
- int ss_hits;
- u_long ss_ports;
-} ipss_t;
-
diff --git a/contrib/ipfilter/ipsd/ipsd.sed b/contrib/ipfilter/ipsd/ipsd.sed
deleted file mode 100644
index e69de29..0000000
--- a/contrib/ipfilter/ipsd/ipsd.sed
+++ /dev/null
diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c
deleted file mode 100644
index af007e4..0000000
--- a/contrib/ipfilter/ipsd/ipsdr.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * (C)opyright 1995-1998 Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#include <stdio.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <malloc.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/dir.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#include <netinet/tcpip.h>
-#endif
-#include "ip_compat.h"
-#ifdef linux
-#include <linux/sockios.h>
-#include "tcpip.h"
-#endif
-#include "ipsd.h"
-
-#ifndef lint
-static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern int optind;
-
-#define NPORTS 21
-
-u_short defports[NPORTS] = {
- 7, 9, 20, 21, 23, 25, 53, 69, 79, 111,
- 123, 161, 162, 512, 513, 513, 515, 520, 540, 6000, 0
- };
-u_short pweights[NPORTS] = {
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
- };
-
-ipsd_t *iphits[NPORTS];
-int pkts;
-
-
-int ipcmp(sh1, sh2)
-sdhit_t *sh1, *sh2;
-{
- return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
-}
-
-
-int ssipcmp(sh1, sh2)
-ipss_t *sh1, *sh2;
-{
- return sh1->ss_ip.s_addr - sh2->ss_ip.s_addr;
-}
-
-
-int countpbits(num)
-u_long num;
-{
- int i, j;
-
- for (i = 1, j = 0; i; i <<= 1)
- if (num & i)
- j++;
- return j;
-}
-
-
-/*
- * Check to see if we've already received a packet from this host for this
- * port.
- */
-int findhit(ihp, src, dport)
-ipsd_t *ihp;
-struct in_addr src;
-u_short dport;
-{
- int i, j, k;
- sdhit_t *sh;
-
- sh = NULL;
-
- if (ihp->sd_sz == 4) {
- for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++)
- if (src.s_addr == sh->sh_ip.s_addr)
- return 1;
- } else {
- for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) {
- k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr;
- if (!k)
- return 1;
- else if (k < 0)
- i -= j;
- else
- i += j;
- }
- }
- return 0;
-}
-
-
-/*
- * Search for port number amongst the sorted array of targets we're
- * interested in.
- */
-int detect(srcip, dport, date)
-struct in_addr srcip;
-u_short dport;
-time_t date;
-{
- ipsd_t *ihp;
- sdhit_t *sh;
- int i, j, k;
-
- for (i = 10, j = 4; j >= 0; j--) {
- k = dport - defports[i];
- if (!k) {
- ihp = iphits[i];
- if (findhit(ihp, srcip, dport))
- return 0;
- sh = ihp->sd_hit + ihp->sd_cnt;
- sh->sh_date = date;
- sh->sh_ip = srcip;
- if (++ihp->sd_cnt == ihp->sd_sz)
- {
- ihp->sd_sz += 8;
- sh = realloc(sh, ihp->sd_sz * sizeof(*sh));
- ihp->sd_hit = sh;
- }
- qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp);
- return 0;
- }
- if (k < 0)
- i -= j;
- else
- i += j;
- }
- return -1;
-}
-
-
-/*
- * Allocate initial storage for hosts
- */
-setuphits()
-{
- int i;
-
- for (i = 0; i < NPORTS; i++) {
- if (iphits[i]) {
- if (iphits[i]->sd_hit)
- free(iphits[i]->sd_hit);
- free(iphits[i]);
- }
- iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t));
- iphits[i]->sd_port = defports[i];
- iphits[i]->sd_cnt = 0;
- iphits[i]->sd_sz = 4;
- iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4);
- }
-}
-
-
-/*
- * Write statistics out to a file
- */
-addfile(file)
-char *file;
-{
- ipsd_t ipsd, *ips = &ipsd;
- sdhit_t hit, *hp;
- char fname[32];
- int i, fd, sz;
-
- if ((fd = open(file, O_RDONLY)) == -1) {
- perror("open");
- return;
- }
-
- printf("opened %s\n", file);
- do {
- if (read(fd, ips, sizeof(*ips)) != sizeof(*ips))
- break;
- sz = ips->sd_sz * sizeof(*hp);
- hp = (sdhit_t *)malloc(sz);
- if (read(fd, hp, sz) != sz)
- break;
- for (i = 0; i < ips->sd_cnt; i++)
- detect(hp[i].sh_ip, ips->sd_port, hp[i].sh_date);
- } while (1);
- (void) close(fd);
-}
-
-
-readfiles(dir)
-char *dir;
-{
- struct direct **d;
- int i, j;
-
- d = NULL;
- i = scandir(dir, &d, NULL, NULL);
-
- for (j = 0; j < i; j++) {
- if (strncmp(d[j]->d_name, "ipsd-hits.", 10))
- continue;
- addfile(d[j]->d_name);
- }
-}
-
-
-void printreport(ss, num)
-ipss_t *ss;
-int num;
-{
- struct in_addr ip;
- ipss_t *sp;
- int i, j, mask;
- u_long ports;
-
- printf("Hosts detected: %d\n", num);
- if (!num)
- return;
- for (i = 0; i < num; i++)
- printf("%s %d %d\n", inet_ntoa(ss[i].ss_ip), ss[i].ss_hits,
- countpbits(ss[i].ss_ports));
-
- printf("--------------------------\n");
- for (mask = 0xfffffffe, j = 32; j; j--, mask <<= 1) {
- ip.s_addr = ss[0].ss_ip.s_addr & mask;
- ports = ss[0].ss_ports;
- for (i = 1; i < num; i++) {
- sp = ss + i;
- if (ip.s_addr != (sp->ss_ip.s_addr & mask)) {
- printf("Netmask: 0x%08x\n", mask);
- printf("%s %d\n", inet_ntoa(ip),
- countpbits(ports));
- ip.s_addr = sp->ss_ip.s_addr & mask;
- ports = 0;
- }
- ports |= sp->ss_ports;
- }
- if (ports) {
- printf("Netmask: 0x%08x\n", mask);
- printf("%s %d\n", inet_ntoa(ip), countpbits(ports));
- }
- }
-}
-
-
-collectips()
-{
- ipsd_t *ips;
- ipss_t *ss;
- int i, num, nip, in, j, k;
-
- for (i = 0; i < NPORTS; i++)
- nip += iphits[i]->sd_cnt;
-
- ss = (ipss_t *)malloc(sizeof(ipss_t) * nip);
-
- for (in = 0, i = 0, num = 0; i < NPORTS; i++) {
- ips = iphits[i];
- for (j = 0; j < ips->sd_cnt; j++) {
- for (k = 0; k < num; k++)
- if (!bcmp(&ss[k].ss_ip, &ips->sd_hit[j].sh_ip,
- sizeof(struct in_addr))) {
- ss[k].ss_hits += pweights[i];
- ss[k].ss_ports |= (1 << i);
- break;
- }
- if (k == num) {
- ss[num].ss_ip = ips->sd_hit[j].sh_ip;
- ss[num].ss_hits = pweights[i];
- ss[k].ss_ports |= (1 << i);
- num++;
- }
- }
- }
-
- qsort(ss, num, sizeof(*ss), ssipcmp);
-
- printreport(ss, num);
-}
-
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- char c, *name = argv[0], *dir = NULL;
- int fd;
-
- setuphits();
- dir = dir ? dir : ".";
- readfiles(dir);
- collectips();
-}
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
deleted file mode 100644
index d9606cb..0000000
--- a/contrib/ipfilter/ipsd/linux.h
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)linux.h 1.1 8/19/95
- */
-
-#include <linux/config.h>
-#ifdef MODULE
-#include <linux/module.h>
-#include <linux/version.h>
-#endif /* MODULE */
-
-#include "ip_compat.h"
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
deleted file mode 100644
index 457891b..0000000
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * (C)opyright 1995-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#ifdef __NetBSD__
-# include <paths.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/mbuf.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#if BSD < 199103
-#include <sys/fcntlcom.h>
-#endif
-#include <sys/dir.h>
-#include <net/bpf.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include "ip_compat.h"
-
-#ifndef lint
-static char sbpf[] = "@(#)sbpf.c 1.2 12/3/95 (C)1995 Darren Reed";
-#endif
-
-/*
-(000) ldh [12]
-(001) jeq #0x800 jt 2 jf 5
-(002) ldb [23]
-(003) jeq #0x6 jt 4 jf 5
-(004) ret #68
-(005) ret #0
-*/
-struct bpf_insn filter[] = {
-/* 0. */ { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 },
-/* 1. */ { BPF_JMP|BPF_JEQ, 0, 3, 0x0800 },
-/* 2. */ { BPF_LD|BPF_B|BPF_ABS, 0, 0, 23 },
-/* 3. */ { BPF_JMP|BPF_JEQ, 0, 1, 0x06 },
-/* 4. */ { BPF_RET, 0, 0, 68 },
-/* 5. */ { BPF_RET, 0, 0, 0 }
-};
-/*
- * the code herein is dervied from libpcap.
- */
-static u_char *buf = NULL;
-static u_int bufsize = 32768, timeout = 1;
-
-
-int ack_recv(ep)
-char *ep;
-{
- struct tcpiphdr tip;
- tcphdr_t *tcp;
- ip_t *ip;
-
- ip = (ip_t *)&tip;
- tcp = (tcphdr_t *)(ip + 1);
- bcopy(ep + 14, (char *)ip, sizeof(*ip));
- bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
- if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP)
- return -1;
- if (ip->ip_p & 0x1fff != 0)
- return 0;
- if (0 == detect(ip, tcp))
- return 1;
- return 0;
-}
-
-
-int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
-{
- register u_char *bp, *cp, *bufend;
- register struct bpf_hdr *bh;
- register int cc;
- time_t in = time(NULL);
- int done = 0;
-
- while ((cc = read(fd, buf, bufsize)) >= 0) {
- if (!cc && (time(NULL) - in) > timeout)
- return done;
- bp = buf;
- bufend = buf + cc;
- /*
- * loop through each snapshot in the chunk
- */
- while (bp < bufend) {
- bh = (struct bpf_hdr *)bp;
- cp = bp + bh->bh_hdrlen;
- done += ack_recv(cp);
- bp += BPF_WORDALIGN(bh->bh_caplen + bh->bh_hdrlen);
- }
- return done;
- }
- perror("read");
- exit(-1);
-}
-
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- struct bpf_program prog;
- struct bpf_version bv;
- struct timeval to;
- struct ifreq ifr;
-#ifdef _PATH_BPF
- char *bpfname = _PATH_BPF;
- int fd;
-
- if ((fd = open(bpfname, O_RDWR)) < 0)
- {
- fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
- return -1;
- }
-#else
- char bpfname[16];
- int fd = -1, i;
-
- for (i = 0; i < 16; i++)
- {
- (void) sprintf(bpfname, "/dev/bpf%d", i);
- if ((fd = open(bpfname, O_RDWR)) >= 0)
- break;
- }
- if (i == 16)
- {
- fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
- return -1;
- }
-#endif
-
- if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
- {
- perror("BIOCVERSION");
- return -1;
- }
- if (bv.bv_major != BPF_MAJOR_VERSION ||
- bv.bv_minor < BPF_MINOR_VERSION)
- {
- fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n",
- bv.bv_major, bv.bv_minor);
- fprintf(stderr, "current version: %d.%d\n",
- BPF_MAJOR_VERSION, BPF_MINOR_VERSION);
- return -1;
- }
-
- (void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
- if (ioctl(fd, BIOCSETIF, &ifr) == -1)
- {
- fprintf(stderr, "%s(%d):", ifr.ifr_name, fd);
- perror("BIOCSETIF");
- exit(1);
- }
- /*
- * set the timeout
- */
- timeout = tout;
- to.tv_sec = 1;
- to.tv_usec = 0;
- if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1)
- {
- perror("BIOCSRTIMEOUT");
- exit(-1);
- }
- /*
- * get kernel buffer size
- */
- if (ioctl(fd, BIOCSBLEN, &bufsize) == -1)
- perror("BIOCSBLEN");
- if (ioctl(fd, BIOCGBLEN, &bufsize) == -1)
- {
- perror("BIOCGBLEN");
- exit(-1);
- }
- printf("BPF buffer size: %d\n", bufsize);
- buf = (u_char*)malloc(bufsize);
-
- prog.bf_len = sizeof(filter) / sizeof(struct bpf_insn);
- prog.bf_insns = filter;
- if (ioctl(fd, BIOCSETF, (caddr_t)&prog) == -1)
- {
- perror("BIOCSETF");
- exit(-1);
- }
- (void) ioctl(fd, BIOCFLUSH, 0);
- return fd;
-}
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
deleted file mode 100644
index baede7c..0000000
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/stropts.h>
-
-#include <sys/pfmod.h>
-#include <sys/bufmod.h>
-#include <sys/dlpi.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-
-#include "ip_compat.h"
-
-#ifndef lint
-static char snitid[] = "%W% %G% (C)1995 Darren Reed";
-#endif
-
-#define BUFSPACE 32768
-
-static int solfd;
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-static int timeout;
-
-
-void nullbell()
-{
- return 0;
-}
-
-
-int ack_recv(ep)
-char *ep;
-{
- struct tcpiphdr tip;
- tcphdr_t *tcp;
- ip_t *ip;
-
- ip = (ip_t *)&tip;
- tcp = (tcphdr_t *)(ip + 1);
- bcopy(ep, (char *)ip, sizeof(*ip));
- bcopy(ep + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
-
- if (ip->ip_off & 0x1fff != 0)
- return 0;
- if (0 == detect(ip, tcp))
- return 1;
- return 0;
-}
-
-
-int readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
-{
- static u_char buf[BUFSPACE];
- register u_char *bp, *cp, *bufend;
- register struct sb_hdr *hp;
- register int cc;
- struct strbuf dbuf;
- ether_header_t eh;
- time_t now = time(NULL);
- int flags = 0, i, done = 0;
-
- fd = solfd;
- dbuf.len = 0;
- dbuf.buf = buf;
- dbuf.maxlen = sizeof(buf);
- /*
- * no control data buffer...
- */
- while (1) {
- (void) signal(SIGALRM, nullbell);
- alarm(1);
- i = getmsg(fd, NULL, &dbuf, &flags);
- alarm(0);
- (void) signal(SIGALRM, nullbell);
-
- cc = dbuf.len;
- if ((time(NULL) - now) > timeout)
- return done;
- if (i == -1)
- if (errno == EINTR)
- continue;
- else
- break;
- bp = buf;
- bufend = buf + cc;
- /*
- * loop through each snapshot in the chunk
- */
- while (bp < bufend) {
- /*
- * get past bufmod header
- */
- hp = (struct sb_hdr *)bp;
- cp = (u_char *)((char *)bp + sizeof(*hp));
- bcopy(cp, (char *)&eh, sizeof(eh));
- /*
- * next snapshot
- */
- bp += hp->sbh_totlen;
- cc -= hp->sbh_totlen;
-
- if (eh.ether_type != ETHERTYPE_IP)
- continue;
-
- cp += sizeof(eh);
- done += ack_recv(cp);
- }
- alarm(1);
- }
- perror("getmsg");
- exit(-1);
-}
-
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- struct strioctl si;
- struct timeval to;
- struct ifreq ifr;
- struct packetfilt pfil;
- u_long if_flags;
- u_short *fwp = pfil.Pf_Filter;
- char devname[16], *s, buf[256];
- int i, offset, fd, snaplen= 58, chunksize = BUFSPACE;
-
- (void) sprintf(devname, "/dev/%s", device);
-
- s = devname + 5;
- while (*s && !ISDIGIT(*s))
- s++;
- if (!*s)
- {
- fprintf(stderr, "bad device name %s\n", devname);
- exit(-1);
- }
- i = atoi(s);
- *s = '\0';
- /*
- * For reading
- */
- if ((fd = open(devname, O_RDWR)) < 0)
- {
- fprintf(stderr, "O_RDWR(0) ");
- perror(devname);
- exit(-1);
- }
- if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1)
- {
- fprintf(stderr, "DLPI error\n");
- exit(-1);
- }
- dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
- dlbindack(fd, buf);
- /*
- * read full headers
- */
- if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
- {
- fprintf(stderr, "DLIOCRAW error\n");
- exit(-1);
- }
- /*
- * Create some filter rules for our TCP watcher. We only want ethernet
- * pacets which are IP protocol and only the TCP packets from IP.
- */
- offset = 6;
- *fwp++ = ENF_PUSHWORD + offset;
- *fwp++ = ENF_PUSHLIT | ENF_CAND;
- *fwp++ = htons(ETHERTYPE_IP);
- *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
- *fwp++ = ENF_PUSHLIT | ENF_AND;
- *fwp++ = htons(0x00ff);
- *fwp++ = ENF_PUSHLIT | ENF_COR;
- *fwp++ = htons(IPPROTO_TCP);
- *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
- *fwp++ = ENF_PUSHLIT | ENF_AND;
- *fwp++ = htons(0x00ff);
- *fwp++ = ENF_PUSHLIT | ENF_CAND;
- *fwp++ = htons(IPPROTO_UDP);
- pfil.Pf_FilterLen = (fwp - &pfil.Pf_Filter[0]);
- /*
- * put filter in place.
- */
-
- if (ioctl(fd, I_PUSH, "pfmod") == -1)
- {
- perror("ioctl: I_PUSH pf");
- exit(1);
- }
- if (strioctl(fd, PFIOCSETF, -1, sizeof(pfil), (char *)&pfil) == -1)
- {
- perror("ioctl: PFIOCSETF");
- exit(1);
- }
-
- /*
- * arrange to get messages from the NIT STREAM and use NIT_BUF option
- */
- if (ioctl(fd, I_PUSH, "bufmod") == -1)
- {
- perror("ioctl: I_PUSH bufmod");
- exit(1);
- }
- i = 128;
- strioctl(fd, SBIOCSSNAP, -1, sizeof(i), (char *)&i);
- /*
- * set the timeout
- */
- to.tv_sec = 1;
- to.tv_usec = 0;
- if (strioctl(fd, SBIOCSTIME, -1, sizeof(to), (char *)&to) == -1)
- {
- perror("strioctl(SBIOCSTIME)");
- exit(-1);
- }
- /*
- * flush read queue
- */
- if (ioctl(fd, I_FLUSH, FLUSHR) == -1)
- {
- perror("I_FLUSHR");
- exit(-1);
- }
- timeout = tout;
- solfd = fd;
- return fd;
-}
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
deleted file mode 100644
index 6372a60..0000000
--- a/contrib/ipfilter/ipsd/slinux.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/dir.h>
-#include <linux/netdevice.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include "ip_compat.h"
-#include "tcpip.h"
-
-#ifndef lint
-static const char sccsid[] = "@(#)slinux.c 1.1 12/3/95 (C) 1995 Darren Reed";
-#endif
-
-#define BUFSPACE 32768
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-
-static int timeout;
-static char *eth_dev = NULL;
-
-
-int ack_recv(bp)
-char *bp;
-{
- struct tcpip tip;
- tcphdr_t *tcp;
- ip_t *ip;
-
- ip = (struct ip *)&tip;
- tcp = (tcphdr_t *)(ip + 1);
-
- bcopy(bp, (char *)&tip, sizeof(tip));
- bcopy(bp + (ip.ip_hl << 2), (char *)tcp, sizeof(*tcp));
- if (0 == detect(ip, tcp))
- return 1;
- return 0;
-}
-
-
-void readloop(fd, port, dst)
-int fd, port;
-struct in_addr dst;
-{
- static u_char buf[BUFSPACE];
- struct sockaddr dest;
- register u_char *bp = buf;
- register int cc;
- int dlen, done = 0;
- time_t now = time(NULL);
-
- do {
- fflush(stdout);
- dlen = sizeof(dest);
- bzero((char *)&dest, dlen);
- cc = recvfrom(fd, buf, BUFSPACE, 0, &dest, &dlen);
- if (!cc)
- if ((time(NULL) - now) > timeout)
- return done;
- else
- continue;
-
- if (bp[12] != 0x8 || bp[13] != 0)
- continue; /* not ip */
-
- /*
- * get rid of non-tcp or fragmented packets here.
- */
- if (cc >= sizeof(struct tcpiphdr))
- {
- if (((bp[14+9] != IPPROTO_TCP) &&
- (bp[14+9] != IPPROTO_UDP)) ||
- (bp[14+6] & 0x1f) || (bp[14+6] & 0xff))
- continue;
- done += ack_recv(bp + 14);
- }
- } while (cc >= 0);
- perror("read");
- exit(-1);
-}
-
-int initdevice(dev, tout)
-char *dev;
-int tout;
-{
- int fd;
-
- eth_dev = strdup(dev);
- if ((fd = socket(AF_INET, SOCK_PACKET, htons(ETHERTYPE_IP))) == -1)
- {
- perror("socket(SOCK_PACKET)");
- exit(-1);
- }
-
- return fd;
-}
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
deleted file mode 100644
index e78c591..0000000
--- a/contrib/ipfilter/ipsd/snit.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <net/nit.h>
-#include <sys/fcntlcom.h>
-#include <sys/dir.h>
-#include <net/nit_if.h>
-#include <net/nit_pf.h>
-#include <net/nit_buf.h>
-#include <net/packetfilt.h>
-#include <sys/stropts.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-
-#ifndef lint
-static char snitid[] = "@(#)snit.c 1.2 12/3/95 (C)1995 Darren Reed";
-#endif
-
-#define BUFSPACE 32768
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-#define BUFHDR_SIZE (sizeof(struct nit_bufhdr))
-#define NIT_HDRSIZE (BUFHDR_SIZE)
-
-static int timeout;
-
-
-int ack_recv(ep)
-char *ep;
-{
- struct tcpiphdr tip;
- struct tcphdr *tcp;
- struct ip *ip;
-
- ip = (struct ip *)&tip;
- tcp = (struct tcphdr *)(ip + 1);
- bcopy(ep + 14, (char *)ip, sizeof(*ip));
- bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
- if (ip->ip_off & 0x1fff != 0)
- return 0;
- if (0 == detect(ip, tcp))
- return 1;
- return 0;
-}
-
-
-int readloop(fd, dst)
-int fd;
-struct in_addr dst;
-{
- static u_char buf[BUFSPACE];
- register u_char *bp, *cp, *bufend;
- register struct nit_bufhdr *hp;
- register int cc;
- time_t now = time(NULL);
- int done = 0;
-
- while ((cc = read(fd, buf, BUFSPACE-1)) >= 0) {
- if (!cc)
- if ((time(NULL) - now) > timeout)
- return done;
- else
- continue;
- bp = buf;
- bufend = buf + cc;
- /*
- * loop through each snapshot in the chunk
- */
- while (bp < bufend) {
- cp = (u_char *)((char *)bp + NIT_HDRSIZE);
- /*
- * get past NIT buffer
- */
- hp = (struct nit_bufhdr *)bp;
- /*
- * next snapshot
- */
- bp += hp->nhb_totlen;
- done += ack_recv(cp);
- }
- return done;
- }
- perror("read");
- exit(-1);
-}
-
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- struct strioctl si;
- struct timeval to;
- struct ifreq ifr;
- struct packetfilt pfil;
- u_long if_flags;
- u_short *fwp = pfil.Pf_Filter;
- int ret, offset, fd, snaplen= 76, chunksize = BUFSPACE;
-
- if ((fd = open("/dev/nit", O_RDWR)) < 0)
- {
- perror("/dev/nit");
- exit(-1);
- }
-
- /*
- * Create some filter rules for our TCP watcher. We only want ethernet
- * pacets which are IP protocol and only the TCP packets from IP.
- */
- offset = 6;
- *fwp++ = ENF_PUSHWORD + offset;
- *fwp++ = ENF_PUSHLIT | ENF_CAND;
- *fwp++ = htons(ETHERTYPE_IP);
- *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
- *fwp++ = ENF_PUSHLIT | ENF_AND;
- *fwp++ = htons(0x00ff);
- *fwp++ = ENF_PUSHLIT | ENF_COR;
- *fwp++ = htons(IPPROTO_TCP);
- *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
- *fwp++ = ENF_PUSHLIT | ENF_AND;
- *fwp++ = htons(0x00ff);
- *fwp++ = ENF_PUSHLIT | ENF_CAND;
- *fwp++ = htons(IPPROTO_UDP);
- pfil.Pf_FilterLen = fwp - &pfil.Pf_Filter[0];
- /*
- * put filter in place.
- */
- if (ioctl(fd, I_PUSH, "pf") == -1)
- {
- perror("ioctl: I_PUSH pf");
- exit(1);
- }
- if (ioctl(fd, NIOCSETF, &pfil) == -1)
- {
- perror("ioctl: NIOCSETF");
- exit(1);
- }
- /*
- * arrange to get messages from the NIT STREAM and use NIT_BUF option
- */
- ioctl(fd, I_SRDOPT, (char*)RMSGD);
- ioctl(fd, I_PUSH, "nbuf");
- /*
- * set the timeout
- */
- timeout = tout;
- si.ic_timout = 1;
- to.tv_sec = 1;
- to.tv_usec = 0;
- si.ic_cmd = NIOCSTIME;
- si.ic_len = sizeof(to);
- si.ic_dp = (char*)&to;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- {
- perror("ioctl: NIT timeout");
- exit(-1);
- }
- /*
- * set the chunksize
- */
- si.ic_cmd = NIOCSCHUNK;
- si.ic_len = sizeof(chunksize);
- si.ic_dp = (char*)&chunksize;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- perror("ioctl: NIT chunksize");
- if (ioctl(fd, NIOCGCHUNK, (char*)&chunksize) == -1)
- {
- perror("ioctl: NIT chunksize");
- exit(-1);
- }
- printf("NIT buffer size: %d\n", chunksize);
-
- /*
- * request the interface
- */
- strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
- ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = ' ';
- si.ic_cmd = NIOCBIND;
- si.ic_len = sizeof(ifr);
- si.ic_dp = (char*)&ifr;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- {
- perror(ifr.ifr_name);
- exit(1);
- }
-
- /*
- * set the snapshot length
- */
- si.ic_cmd = NIOCSSNAP;
- si.ic_len = sizeof(snaplen);
- si.ic_dp = (char*)&snaplen;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- {
- perror("ioctl: NIT snaplen");
- exit(1);
- }
- (void) ioctl(fd, I_FLUSH, (char*)FLUSHR);
- return fd;
-}
diff --git a/contrib/ipfilter/ipsend/.OLD/ip_compat.h b/contrib/ipfilter/ipsend/.OLD/ip_compat.h
deleted file mode 100644
index c38fa59..0000000
--- a/contrib/ipfilter/ipsend/.OLD/ip_compat.h
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * (C)opyright 1995 by Darren Reed.
- *
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
- *
- * @(#)ip_compat.h 1.2 12/7/95
- */
-
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH ICMP_DEST_UNREACH
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB ICMP_PARAMETERPROB
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-
-#ifdef linux
-# if LINUX < 0200
-# define icmp icmphdr
-# define icmp_type type
-# define icmp_code code
-# endif
-
-/*
- * From /usr/include/netinet/ip_var.h
- * !%@#!$@# linux...
- */
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __s16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-typedef struct icmp {
- u_char icmp_type; /* type of message, see below */
- u_char icmp_code; /* type sub code */
- u_short icmp_cksum; /* ones complement cksum of struct */
- union {
- u_char ih_pptr; /* ICMP_PARAMPROB */
- struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
- struct ih_idseq {
- n_short icd_id;
- n_short icd_seq;
- } ih_idseq;
- int ih_void;
- } icmp_hun;
-#define icmp_pptr icmp_hun.ih_pptr
-#define icmp_gwaddr icmp_hun.ih_gwaddr
-#define icmp_id icmp_hun.ih_idseq.icd_id
-#define icmp_seq icmp_hun.ih_idseq.icd_seq
-#define icmp_void icmp_hun.ih_void
- union {
- struct id_ts {
- n_time its_otime;
- n_time its_rtime;
- n_time its_ttime;
- } id_ts;
- struct id_ip {
- ip_t idi_ip;
- /* options and then 64 bits of data */
- } id_ip;
- u_long id_mask;
- char id_data[1];
- } icmp_dun;
-#define icmp_otime icmp_dun.id_ts.its_otime
-#define icmp_rtime icmp_dun.id_ts.its_rtime
-#define icmp_ttime icmp_dun.id_ts.its_ttime
-#define icmp_ip icmp_dun.id_ip.idi_ip
-#define icmp_mask icmp_dun.id_mask
-#define icmp_data icmp_dun.id_data
-} icmphdr_t;
-
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-
-# define ifnet device
-
-#else
-
-typedef struct udphdr udphdr_t;
-typedef struct tcphdr tcphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-
-#endif
-
-#if defined(__SVR4) || defined(__svr4__)
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bzero(a,b) memset(a,0,b)
-#endif
diff --git a/contrib/ipfilter/ipsend/.cvsignore b/contrib/ipfilter/ipsend/.cvsignore
deleted file mode 100644
index b7aea24..0000000
--- a/contrib/ipfilter/ipsend/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-ipsend
-ipresend
-iptest
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
deleted file mode 100644
index 4b08a8b..0000000
--- a/contrib/ipfilter/ipsend/44arp.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Based upon 4.4BSD's /usr/sbin/arp
- */
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/sysctl.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <net/if_dl.h>
-#include <net/if_types.h>
-#if defined(__FreeBSD__)
-# include "radix_ipf.h"
-#endif
-#ifndef __osf__
-# include <net/route.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/if_ether.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <errno.h>
-#include <nlist.h>
-#include <stdio.h>
-#include "ipsend.h"
-#include "iplang/iplang.h"
-
-
-/*
- * lookup host and return
- * its IP address in address
- * (4 bytes)
- */
-int resolve(host, address)
-char *host, *address;
-{
- struct hostent *hp;
- u_long add;
-
- add = inet_addr(host);
- if (add == -1)
- {
- if (!(hp = gethostbyname(host)))
- {
- fprintf(stderr, "unknown host: %s\n", host);
- return -1;
- }
- bcopy((char *)hp->h_addr, (char *)address, 4);
- return 0;
- }
- bcopy((char*)&add, address, 4);
- return 0;
-}
-
-
-int arp(addr, eaddr)
-char *addr, *eaddr;
-{
- int mib[6];
- size_t needed;
- char *lim, *buf, *next;
- struct rt_msghdr *rtm;
- struct sockaddr_inarp *sin;
- struct sockaddr_dl *sdl;
-
-#ifdef IPSEND
- if (arp_getipv4(addr, ether) == 0)
- return 0;
-#endif
-
- if (!addr)
- return -1;
-
- mib[0] = CTL_NET;
- mib[1] = PF_ROUTE;
- mib[2] = 0;
- mib[3] = AF_INET;
- mib[4] = NET_RT_FLAGS;
- mib[5] = RTF_LLINFO;
- if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
- {
- perror("route-sysctl-estimate");
- exit(-1);
- }
- if ((buf = malloc(needed)) == NULL)
- {
- perror("malloc");
- exit(-1);
- }
- if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1)
- {
- perror("actual retrieval of routing table");
- exit(-1);
- }
- lim = buf + needed;
- for (next = buf; next < lim; next += rtm->rtm_msglen)
- {
- rtm = (struct rt_msghdr *)next;
- sin = (struct sockaddr_inarp *)(rtm + 1);
- sdl = (struct sockaddr_dl *)(sin + 1);
- if (!bcmp(addr, (char *)&sin->sin_addr,
- sizeof(struct in_addr)))
- {
- bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);
- return 0;
- }
- }
- return -1;
-}
diff --git a/contrib/ipfilter/ipsend/Crashable b/contrib/ipfilter/ipsend/Crashable
deleted file mode 100644
index c7ffcde..0000000
--- a/contrib/ipfilter/ipsend/Crashable
+++ /dev/null
@@ -1,21 +0,0 @@
-Test 1:
- Solaris 2.4 - upto and including 101945-34, > 34 ?
- Solaris 2.5 - 11/95
- Linux 1.2.13, < 1.3.45(?)
- 3com/sonix bridge
- Instant Internet
- KA9Q NOS
- Netblazer 40i, Version 3.2 OS
- Irix 6.x
- HP-UX 9.0
- HP-UX 10.1
- LivingstonsComOS
- MacOS 7.x, 8.x
-
-Test 6:
- SunOS 4.1.x
- ULtrix 4.3
-
-Test 7:
- SunOS 4.1.x
- Linux <= 1.3.84
diff --git a/contrib/ipfilter/ipsend/Makefile b/contrib/ipfilter/ipsend/Makefile
deleted file mode 100644
index ed3a51e..0000000
--- a/contrib/ipfilter/ipsend/Makefile
+++ /dev/null
@@ -1,183 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-IPFT=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o opt.o
-OBJS=ipsend.o ip.o ipsopt.o y.tab.o lex.yy.o
-ROBJS=ipresend.o ip.o resend.o $(IPFT)
-TOBJS=iptest.o iptests.o ip.o
-BPF=sbpf.o
-NIT=snit.o
-SUNOS4=sock.o arp.o inet_addr.o
-BSD=sock.o 44arp.o
-LINUX=lsock.o slinux.o larp.o
-LINUXK=
-TOP=..
-SUNOS5=dlcommon.o sdlpi.o arp.o inet_addr.o
-ULTRIX=ultrix.o sock.o arp.o inet_addr.o
-HPUX=hpux.o sock.o arp.o inet_addr.o
-
-#CC=gcc
-DEBUG=-g
-CFLAGS=$(DEBUG) -I. -Iipf
-#
-MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
- "IPFLKM=$(IPFLKM)" \
- "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
- "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \
- "CPUDIR=$(CPUDIR)"
-#
-all:
- @echo "Use one of these targets:"
- @echo " sunos4-nit (standard SunOS 4.1.x)"
- @echo " sunos4-bpf (SunOS4.1.x with BPF in the kernel)"
- @echo " bsd-bpf (4.4BSD variant with BPF in the kernel)"
- @echo " linux10 (Linux 1.0 kernels)"
- @echo " linux12 (Linux 1.2 kernels)"
- @echo " linux20 (Linux 2.0 kernels)"
- @echo " sunos5 (Solaris 2.x)"
-
-ipf:
- -if [ ! -d iplang ] ; then ln -s ../iplang iplang; fi
- -if [ ! -d netinet ] ; then ln -s ../netinet netinet; fi
- -if [ ! -d ipf ] ; then ln -s .. ipf; fi
-
-y.tab.o: iplang/iplang_y.y
- -if [ -h iplang ] ; then \
- (cd iplang; ${MAKE} $(MFLAGS) 'DESTDIR=../ipsend' ) \
- else \
- (cd iplang; ${MAKE} $(MFLAGS) 'DESTDIR=..' ) \
- fi
-
-lex.yy.o: iplang/iplang_l.l
- -if [ -h iplang ] ; then \
- (cd iplang; ${MAKE} $(MFLAGS) 'DESTDIR=../ipsend' ) \
- else \
- (cd iplang; ${MAKE} $(MFLAGS) 'DESTDIR=..' ) \
- fi
-
-.c.o:
- $(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
-
-install:
- -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
-
-bpf sunos4-bpf :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
-
-nit sunos4 sunos4-nit :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
-
-dlpi sunos5 :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -Dsolaris -DIPSEND" "LIBS=-lsocket -lnsl" \
- "LLIB=-ll"
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
-
-bsd-bpf :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET -DIPSEND" "LLIB=-ll"
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
- "CFLAGS=$(CFLAGS) -DDOSOCKET"
-
-linuxrev :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET -DIPSEND" $(LINUXK)
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK)
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) $(INC) -DDOSOCKET" $(LINUXK)
-
-linux10:
- make linuxrev 'LINUXK="LINUXK=-DLINUX=0100"' \
- "INC=-I/usr/src/linux/include" "LLIB=-lfl"
-
-linux12:
- make linuxrev 'LINUXK="LINUXK=-DLINUX=0102"' "INC=-I/usr/src/linux" \
- "LLIB=-lfl"
-
-linux20:
- make linuxrev 'LINUXK="LINUXK=-DLINUX=0200"' \
- "INC=-I/usr/src/linux/include" "LLIB=-lfl" "ELIB=-lelf"
-
-ultrix :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -DIPSEND" "LIBS=" "LLIB=-ll"
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(ULTRIX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
-
-hpux9 :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -DIPSEND" "LIBS="
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
-
-hpux11 :
- make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS) -DIPSEND" "LIBS="
- make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
- make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(HPUX)" "CC=$(CC)" \
- CFLAGS="$(CFLAGS)" "LIBS="
-
-ipsend: ipf $(OBJS) $(UNIXOBJS)
- $(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) $(LLIB) $(ELIB)
-
-ipresend: $(ROBJS) $(UNIXOBJS)
- $(CC) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS) $(ELIB)
-
-iptest: $(TOBJS) $(UNIXOBJS)
- $(CC) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS) $(ELIB)
-
-ipft_ef.o: ipf/ipft_ef.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_ef.c -o $@
-
-ipft_hx.o: ipf/ipft_hx.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_hx.c -o $@
-
-ipft_pc.o: ipf/ipft_pc.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_pc.c -o $@
-
-ipft_sn.o: ipf/ipft_sn.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_sn.c -o $@
-
-ipft_td.o: ipf/ipft_td.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_td.c -o $@
-
-ipft_tx.o: ipf/ipft_tx.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/ipft_tx.c -o $@
-
-opt.o: ipf/opt.c ipf/ipt.h ipf/ipf.h ipf/ip_compat.h
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/opt.c -o $@
-
-inet_addr.o: ipf/inet_addr.c
- $(CC) $(CFLAGS) $(LINUXK) -c ipf/inet_addr.c -o $@
-
-clean:
- rm -rf *.o *core a.out ipsend ipresend iptest
- if [ -d iplang ]; then (cd iplang; $(MAKE) $(MFLAGS) clean); fi
- if [ -d $(TOP)/iplang ]; then (cd $(TOP)/iplang; $(MAKE) $(MFLAGS) clean); fi
-
-do-cvs:
- find . -type d -name CVS -print | xargs /bin/rm -rf
- find . -type f -name .cvsignore -print | xargs /bin/rm -f
diff --git a/contrib/ipfilter/ipsend/README b/contrib/ipfilter/ipsend/README
deleted file mode 100644
index 198556d..0000000
--- a/contrib/ipfilter/ipsend/README
+++ /dev/null
@@ -1,8 +0,0 @@
-
-This distribution contains *ONLY* the code required to build the 'ipsend'
-directory of programs (including man pages) found in the IP Filter package:
-http://coombs.anu.edu.au/~avalon/ip-filter.html
-
-Patches, bugs, etc, please send to:
-
-darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
deleted file mode 100644
index d5497ef..0000000
--- a/contrib/ipfilter/ipsend/arp.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * arp.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.2 2007/02/17 12:41:50 darrenr Exp $";
-#endif
-#include <sys/types.h>
-#include <sys/socket.h>
-#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) && !defined(_AIX51)
-# include <sys/sockio.h>
-#endif
-#include <sys/ioctl.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#include <netinet/if_ether.h>
-#ifndef ultrix
-# include <net/if_arp.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <stdio.h>
-#include <errno.h>
-#include <netdb.h>
-#include "ipsend.h"
-#include "iplang/iplang.h"
-
-
-/*
- * lookup host and return
- * its IP address in address
- * (4 bytes)
- */
-int resolve(host, address)
-char *host, *address;
-{
- struct hostent *hp;
- u_long add;
-
- add = inet_addr(host);
- if (add == -1)
- {
- if (!(hp = gethostbyname(host)))
- {
- fprintf(stderr, "unknown host: %s\n", host);
- return -1;
- }
- bcopy((char *)hp->h_addr, (char *)address, 4);
- return 0;
- }
- bcopy((char*)&add, address, 4);
- return 0;
-}
-
-/*
- * ARP for the MAC address corresponding
- * to the IP address. This taken from
- * some BSD program, I cant remember which.
- */
-int arp(ip, ether)
-char *ip;
-char *ether;
-{
- static int sfd = -1;
- static char ethersave[6], ipsave[4];
- struct arpreq ar;
- struct sockaddr_in *sin, san;
- struct hostent *hp;
- int fd;
-
-#ifdef IPSEND
- if (arp_getipv4(ip, ether) == 0)
- return 0;
-#endif
- if (!bcmp(ipsave, ip, 4)) {
- bcopy(ethersave, ether, 6);
- return 0;
- }
- fd = -1;
- bzero((char *)&ar, sizeof(ar));
- sin = (struct sockaddr_in *)&ar.arp_pa;
- sin->sin_family = AF_INET;
- bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
-#ifndef hpux
- if ((hp = gethostbyaddr(ip, 4, AF_INET)))
-# if SOLARIS && (SOLARIS2 >= 10)
- if (!(ether_hostton(hp->h_name, (struct ether_addr *)ether)))
-# else
- if (!(ether_hostton(hp->h_name, ether)))
-# endif
- goto savearp;
-#endif
-
- if (sfd == -1)
- if ((sfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- {
- perror("arp: socket");
- return -1;
- }
-tryagain:
- if (ioctl(sfd, SIOCGARP, (caddr_t)&ar) == -1)
- {
- if (fd == -1)
- {
- bzero((char *)&san, sizeof(san));
- san.sin_family = AF_INET;
- san.sin_port = htons(1);
- bcopy(ip, &san.sin_addr.s_addr, 4);
- fd = socket(AF_INET, SOCK_DGRAM, 0);
- (void) sendto(fd, ip, 4, 0,
- (struct sockaddr *)&san, sizeof(san));
- sleep(1);
- (void) close(fd);
- goto tryagain;
- }
- fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
- if (errno != ENXIO)
- perror("SIOCGARP");
- return -1;
- }
-
- if ((ar.arp_ha.sa_data[0] == 0) && (ar.arp_ha.sa_data[1] == 0) &&
- (ar.arp_ha.sa_data[2] == 0) && (ar.arp_ha.sa_data[3] == 0) &&
- (ar.arp_ha.sa_data[4] == 0) && (ar.arp_ha.sa_data[5] == 0)) {
- fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
- return -1;
- }
-
- bcopy(ar.arp_ha.sa_data, ether, 6);
-savearp:
- bcopy(ether, ethersave, 6);
- bcopy(ip, ipsave, 4);
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/dlcommon.c b/contrib/ipfilter/ipsend/dlcommon.c
deleted file mode 100644
index 8994138..0000000
--- a/contrib/ipfilter/ipsend/dlcommon.c
+++ /dev/null
@@ -1,1381 +0,0 @@
-/*
- * Common (shared) DLPI test routines.
- * Mostly pretty boring boilerplate sorta stuff.
- * These can be split into individual library routines later
- * but it's just convenient to keep them in a single file
- * while they're being developed.
- *
- * Not supported:
- * Connection Oriented stuff
- * QOS stuff
- */
-
-/*
-typedef unsigned long ulong;
-*/
-
-
-#include <sys/types.h>
-#include <sys/stream.h>
-#include <sys/stropts.h>
-#ifdef __osf__
-# include <sys/dlpihdr.h>
-#else
-# include <sys/dlpi.h>
-#endif
-#include <sys/signal.h>
-#include <stdio.h>
-#include <string.h>
-#include "dltest.h"
-
-#define CASERET(s) case s: return ("s")
-
-char *dlprim();
-char *dlstate();
-char *dlerrno();
-char *dlpromisclevel();
-char *dlservicemode();
-char *dlstyle();
-char *dlmactype();
-
-
-void
-dlinforeq(fd)
-int fd;
-{
- dl_info_req_t info_req;
- struct strbuf ctl;
- int flags;
-
- info_req.dl_primitive = DL_INFO_REQ;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (info_req);
- ctl.buf = (char *) &info_req;
-
- flags = RS_HIPRI;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlinforeq: putmsg");
-}
-
-void
-dlinfoack(fd, bufp)
-int fd;
-char *bufp;
-{
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- ctl.maxlen = MAXDLBUF;
- ctl.len = 0;
- ctl.buf = bufp;
-
- strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlinfoack");
-
- dlp = (union DL_primitives *) ctl.buf;
-
- expecting(DL_INFO_ACK, dlp);
-
- if (ctl.len < sizeof (dl_info_ack_t))
- err("dlinfoack: response ctl.len too short: %d", ctl.len);
-
- if (flags != RS_HIPRI)
- err("dlinfoack: DL_INFO_ACK was not M_PCPROTO");
-
- if (ctl.len < sizeof (dl_info_ack_t))
- err("dlinfoack: short response ctl.len: %d", ctl.len);
-}
-
-void
-dlattachreq(fd, ppa)
-int fd;
-u_long ppa;
-{
- dl_attach_req_t attach_req;
- struct strbuf ctl;
- int flags;
-
- attach_req.dl_primitive = DL_ATTACH_REQ;
- attach_req.dl_ppa = ppa;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (attach_req);
- ctl.buf = (char *) &attach_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlattachreq: putmsg");
-}
-
-void
-dlenabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
-{
- long buf[MAXDLBUF];
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- dlp = (union DL_primitives*) buf;
-
- dlp->enabmulti_req.dl_primitive = DL_ENABMULTI_REQ;
- dlp->enabmulti_req.dl_addr_length = length;
- dlp->enabmulti_req.dl_addr_offset = sizeof (dl_enabmulti_req_t);
-
- (void) memcpy((char*)OFFADDR(buf, sizeof (dl_enabmulti_req_t)), addr, length);
-
- ctl.maxlen = 0;
- ctl.len = sizeof (dl_enabmulti_req_t) + length;
- ctl.buf = (char*) buf;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlenabmultireq: putmsg");
-}
-
-void
-dldisabmultireq(fd, addr, length)
-int fd;
-char *addr;
-int length;
-{
- long buf[MAXDLBUF];
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- dlp = (union DL_primitives*) buf;
-
- dlp->disabmulti_req.dl_primitive = DL_ENABMULTI_REQ;
- dlp->disabmulti_req.dl_addr_length = length;
- dlp->disabmulti_req.dl_addr_offset = sizeof (dl_disabmulti_req_t);
-
- (void) memcpy((char*)OFFADDR(buf, sizeof (dl_disabmulti_req_t)), addr, length);
-
- ctl.maxlen = 0;
- ctl.len = sizeof (dl_disabmulti_req_t) + length;
- ctl.buf = (char*) buf;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dldisabmultireq: putmsg");
-}
-
-void
-dlpromisconreq(fd, level)
-int fd;
-u_long level;
-{
- dl_promiscon_req_t promiscon_req;
- struct strbuf ctl;
- int flags;
-
- promiscon_req.dl_primitive = DL_PROMISCON_REQ;
- promiscon_req.dl_level = level;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (promiscon_req);
- ctl.buf = (char *) &promiscon_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlpromiscon: putmsg");
-
-}
-
-void
-dlpromiscoff(fd, level)
-int fd;
-u_long level;
-{
- dl_promiscoff_req_t promiscoff_req;
- struct strbuf ctl;
- int flags;
-
- promiscoff_req.dl_primitive = DL_PROMISCOFF_REQ;
- promiscoff_req.dl_level = level;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (promiscoff_req);
- ctl.buf = (char *) &promiscoff_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlpromiscoff: putmsg");
-}
-
-void
-dlphysaddrreq(fd, addrtype)
-int fd;
-u_long addrtype;
-{
- dl_phys_addr_req_t phys_addr_req;
- struct strbuf ctl;
- int flags;
-
- phys_addr_req.dl_primitive = DL_PHYS_ADDR_REQ;
- phys_addr_req.dl_addr_type = addrtype;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (phys_addr_req);
- ctl.buf = (char *) &phys_addr_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlphysaddrreq: putmsg");
-}
-
-void
-dlsetphysaddrreq(fd, addr, length)
-int fd;
-char *addr;
-int length;
-{
- long buf[MAXDLBUF];
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- dlp = (union DL_primitives*) buf;
-
- dlp->set_physaddr_req.dl_primitive = DL_ENABMULTI_REQ;
- dlp->set_physaddr_req.dl_addr_length = length;
- dlp->set_physaddr_req.dl_addr_offset = sizeof (dl_set_phys_addr_req_t);
-
- (void) memcpy((char*)OFFADDR(buf, sizeof (dl_set_phys_addr_req_t)), addr, length);
-
- ctl.maxlen = 0;
- ctl.len = sizeof (dl_set_phys_addr_req_t) + length;
- ctl.buf = (char*) buf;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlsetphysaddrreq: putmsg");
-}
-
-void
-dldetachreq(fd)
-int fd;
-{
- dl_detach_req_t detach_req;
- struct strbuf ctl;
- int flags;
-
- detach_req.dl_primitive = DL_DETACH_REQ;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (detach_req);
- ctl.buf = (char *) &detach_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dldetachreq: putmsg");
-}
-
-void
-dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest)
-int fd;
-u_long sap;
-u_long max_conind;
-u_long service_mode;
-u_long conn_mgmt;
-u_long xidtest;
-{
- dl_bind_req_t bind_req;
- struct strbuf ctl;
- int flags;
-
- bind_req.dl_primitive = DL_BIND_REQ;
- bind_req.dl_sap = sap;
- bind_req.dl_max_conind = max_conind;
- bind_req.dl_service_mode = service_mode;
- bind_req.dl_conn_mgmt = conn_mgmt;
- bind_req.dl_xidtest_flg = xidtest;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (bind_req);
- ctl.buf = (char *) &bind_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlbindreq: putmsg");
-}
-
-void
-dlunitdatareq(fd, addrp, addrlen, minpri, maxpri, datap, datalen)
-int fd;
-u_char *addrp;
-int addrlen;
-u_long minpri, maxpri;
-u_char *datap;
-int datalen;
-{
- long buf[MAXDLBUF];
- union DL_primitives *dlp;
- struct strbuf data, ctl;
-
- dlp = (union DL_primitives*) buf;
-
- dlp->unitdata_req.dl_primitive = DL_UNITDATA_REQ;
- dlp->unitdata_req.dl_dest_addr_length = addrlen;
- dlp->unitdata_req.dl_dest_addr_offset = sizeof (dl_unitdata_req_t);
- dlp->unitdata_req.dl_priority.dl_min = minpri;
- dlp->unitdata_req.dl_priority.dl_max = maxpri;
-
- (void) memcpy(OFFADDR(dlp, sizeof (dl_unitdata_req_t)), addrp, addrlen);
-
- ctl.maxlen = 0;
- ctl.len = sizeof (dl_unitdata_req_t) + addrlen;
- ctl.buf = (char *) buf;
-
- data.maxlen = 0;
- data.len = datalen;
- data.buf = (char *) datap;
-
- if (putmsg(fd, &ctl, &data, 0) < 0)
- syserr("dlunitdatareq: putmsg");
-}
-
-void
-dlunbindreq(fd)
-int fd;
-{
- dl_unbind_req_t unbind_req;
- struct strbuf ctl;
- int flags;
-
- unbind_req.dl_primitive = DL_UNBIND_REQ;
-
- ctl.maxlen = 0;
- ctl.len = sizeof (unbind_req);
- ctl.buf = (char *) &unbind_req;
-
- flags = 0;
-
- if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0)
- syserr("dlunbindreq: putmsg");
-}
-
-void
-dlokack(fd, bufp)
-int fd;
-char *bufp;
-{
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- ctl.maxlen = MAXDLBUF;
- ctl.len = 0;
- ctl.buf = bufp;
-
- strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlokack");
-
- dlp = (union DL_primitives *) ctl.buf;
-
- expecting(DL_OK_ACK, dlp);
-
- if (ctl.len < sizeof (dl_ok_ack_t))
- err("dlokack: response ctl.len too short: %d", ctl.len);
-
- if (flags != RS_HIPRI)
- err("dlokack: DL_OK_ACK was not M_PCPROTO");
-
- if (ctl.len < sizeof (dl_ok_ack_t))
- err("dlokack: short response ctl.len: %d", ctl.len);
-}
-
-void
-dlerrorack(fd, bufp)
-int fd;
-char *bufp;
-{
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- ctl.maxlen = MAXDLBUF;
- ctl.len = 0;
- ctl.buf = bufp;
-
- strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlerrorack");
-
- dlp = (union DL_primitives *) ctl.buf;
-
- expecting(DL_ERROR_ACK, dlp);
-
- if (ctl.len < sizeof (dl_error_ack_t))
- err("dlerrorack: response ctl.len too short: %d", ctl.len);
-
- if (flags != RS_HIPRI)
- err("dlerrorack: DL_OK_ACK was not M_PCPROTO");
-
- if (ctl.len < sizeof (dl_error_ack_t))
- err("dlerrorack: short response ctl.len: %d", ctl.len);
-}
-
-void
-dlbindack(fd, bufp)
-int fd;
-char *bufp;
-{
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- ctl.maxlen = MAXDLBUF;
- ctl.len = 0;
- ctl.buf = bufp;
-
- strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlbindack");
-
- dlp = (union DL_primitives *) ctl.buf;
-
- expecting(DL_BIND_ACK, dlp);
-
- if (flags != RS_HIPRI)
- err("dlbindack: DL_OK_ACK was not M_PCPROTO");
-
- if (ctl.len < sizeof (dl_bind_ack_t))
- err("dlbindack: short response ctl.len: %d", ctl.len);
-}
-
-void
-dlphysaddrack(fd, bufp)
-int fd;
-char *bufp;
-{
- union DL_primitives *dlp;
- struct strbuf ctl;
- int flags;
-
- ctl.maxlen = MAXDLBUF;
- ctl.len = 0;
- ctl.buf = bufp;
-
- strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlphysaddrack");
-
- dlp = (union DL_primitives *) ctl.buf;
-
- expecting(DL_PHYS_ADDR_ACK, dlp);
-
- if (flags != RS_HIPRI)
- err("dlbindack: DL_OK_ACK was not M_PCPROTO");
-
- if (ctl.len < sizeof (dl_phys_addr_ack_t))
- err("dlphysaddrack: short response ctl.len: %d", ctl.len);
-}
-
-void
-sigalrm()
-{
- (void) err("sigalrm: TIMEOUT");
-}
-
-strgetmsg(fd, ctlp, datap, flagsp, caller)
-int fd;
-struct strbuf *ctlp, *datap;
-int *flagsp;
-char *caller;
-{
- int rc;
- static char errmsg[80];
-
- /*
- * Start timer.
- */
- (void) signal(SIGALRM, sigalrm);
- if (alarm(MAXWAIT) < 0) {
- (void) sprintf(errmsg, "%s: alarm", caller);
- syserr(errmsg);
- }
-
- /*
- * Set flags argument and issue getmsg().
- */
- *flagsp = 0;
- if ((rc = getmsg(fd, ctlp, datap, flagsp)) < 0) {
- (void) sprintf(errmsg, "%s: getmsg", caller);
- syserr(errmsg);
- }
-
- /*
- * Stop timer.
- */
- if (alarm(0) < 0) {
- (void) sprintf(errmsg, "%s: alarm", caller);
- syserr(errmsg);
- }
-
- /*
- * Check for MOREDATA and/or MORECTL.
- */
- if ((rc & (MORECTL | MOREDATA)) == (MORECTL | MOREDATA))
- err("%s: MORECTL|MOREDATA", caller);
- if (rc & MORECTL)
- err("%s: MORECTL", caller);
- if (rc & MOREDATA)
- err("%s: MOREDATA", caller);
-
- /*
- * Check for at least sizeof (long) control data portion.
- */
- if (ctlp->len < sizeof (long))
- err("getmsg: control portion length < sizeof (long): %d", ctlp->len);
-}
-
-expecting(prim, dlp)
-int prim;
-union DL_primitives *dlp;
-{
- if (dlp->dl_primitive != (u_long)prim) {
- printdlprim(dlp);
- err("expected %s got %s", dlprim(prim),
- dlprim(dlp->dl_primitive));
- exit(1);
- }
-}
-
-/*
- * Print any DLPI msg in human readable format.
- */
-printdlprim(dlp)
-union DL_primitives *dlp;
-{
- switch (dlp->dl_primitive) {
- case DL_INFO_REQ:
- printdlinforeq(dlp);
- break;
-
- case DL_INFO_ACK:
- printdlinfoack(dlp);
- break;
-
- case DL_ATTACH_REQ:
- printdlattachreq(dlp);
- break;
-
- case DL_OK_ACK:
- printdlokack(dlp);
- break;
-
- case DL_ERROR_ACK:
- printdlerrorack(dlp);
- break;
-
- case DL_DETACH_REQ:
- printdldetachreq(dlp);
- break;
-
- case DL_BIND_REQ:
- printdlbindreq(dlp);
- break;
-
- case DL_BIND_ACK:
- printdlbindack(dlp);
- break;
-
- case DL_UNBIND_REQ:
- printdlunbindreq(dlp);
- break;
-
- case DL_SUBS_BIND_REQ:
- printdlsubsbindreq(dlp);
- break;
-
- case DL_SUBS_BIND_ACK:
- printdlsubsbindack(dlp);
- break;
-
- case DL_SUBS_UNBIND_REQ:
- printdlsubsunbindreq(dlp);
- break;
-
- case DL_ENABMULTI_REQ:
- printdlenabmultireq(dlp);
- break;
-
- case DL_DISABMULTI_REQ:
- printdldisabmultireq(dlp);
- break;
-
- case DL_PROMISCON_REQ:
- printdlpromisconreq(dlp);
- break;
-
- case DL_PROMISCOFF_REQ:
- printdlpromiscoffreq(dlp);
- break;
-
- case DL_UNITDATA_REQ:
- printdlunitdatareq(dlp);
- break;
-
- case DL_UNITDATA_IND:
- printdlunitdataind(dlp);
- break;
-
- case DL_UDERROR_IND:
- printdluderrorind(dlp);
- break;
-
- case DL_UDQOS_REQ:
- printdludqosreq(dlp);
- break;
-
- case DL_PHYS_ADDR_REQ:
- printdlphysaddrreq(dlp);
- break;
-
- case DL_PHYS_ADDR_ACK:
- printdlphysaddrack(dlp);
- break;
-
- case DL_SET_PHYS_ADDR_REQ:
- printdlsetphysaddrreq(dlp);
- break;
-
- default:
- err("printdlprim: unknown primitive type 0x%x",
- dlp->dl_primitive);
- break;
- }
-}
-
-/* ARGSUSED */
-printdlinforeq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_INFO_REQ\n");
-}
-
-printdlinfoack(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
- u_char brdcst[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->info_ack.dl_addr_offset),
- dlp->info_ack.dl_addr_length, addr);
- addrtostring(OFFADDR(dlp, dlp->info_ack.dl_brdcst_addr_offset),
- dlp->info_ack.dl_brdcst_addr_length, brdcst);
-
- (void) printf("DL_INFO_ACK: max_sdu %d min_sdu %d\n",
- dlp->info_ack.dl_max_sdu,
- dlp->info_ack.dl_min_sdu);
- (void) printf("addr_length %d mac_type %s current_state %s\n",
- dlp->info_ack.dl_addr_length,
- dlmactype(dlp->info_ack.dl_mac_type),
- dlstate(dlp->info_ack.dl_current_state));
- (void) printf("sap_length %d service_mode %s qos_length %d\n",
- dlp->info_ack.dl_sap_length,
- dlservicemode(dlp->info_ack.dl_service_mode),
- dlp->info_ack.dl_qos_length);
- (void) printf("qos_offset %d qos_range_length %d qos_range_offset %d\n",
- dlp->info_ack.dl_qos_offset,
- dlp->info_ack.dl_qos_range_length,
- dlp->info_ack.dl_qos_range_offset);
- (void) printf("provider_style %s addr_offset %d version %d\n",
- dlstyle(dlp->info_ack.dl_provider_style),
- dlp->info_ack.dl_addr_offset,
- dlp->info_ack.dl_version);
- (void) printf("brdcst_addr_length %d brdcst_addr_offset %d\n",
- dlp->info_ack.dl_brdcst_addr_length,
- dlp->info_ack.dl_brdcst_addr_offset);
- (void) printf("addr %s\n", addr);
- (void) printf("brdcst_addr %s\n", brdcst);
-}
-
-printdlattachreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_ATTACH_REQ: ppa %d\n",
- dlp->attach_req.dl_ppa);
-}
-
-printdlokack(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_OK_ACK: correct_primitive %s\n",
- dlprim(dlp->ok_ack.dl_correct_primitive));
-}
-
-printdlerrorack(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d: %s\n",
- dlprim(dlp->error_ack.dl_error_primitive),
- dlerrno(dlp->error_ack.dl_errno),
- dlp->error_ack.dl_unix_errno,
- strerror(dlp->error_ack.dl_unix_errno));
-}
-
-printdlenabmultireq(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->enabmulti_req.dl_addr_offset),
- dlp->enabmulti_req.dl_addr_length, addr);
-
- (void) printf("DL_ENABMULTI_REQ: addr_length %d addr_offset %d\n",
- dlp->enabmulti_req.dl_addr_length,
- dlp->enabmulti_req.dl_addr_offset);
- (void) printf("addr %s\n", addr);
-}
-
-printdldisabmultireq(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->disabmulti_req.dl_addr_offset),
- dlp->disabmulti_req.dl_addr_length, addr);
-
- (void) printf("DL_DISABMULTI_REQ: addr_length %d addr_offset %d\n",
- dlp->disabmulti_req.dl_addr_length,
- dlp->disabmulti_req.dl_addr_offset);
- (void) printf("addr %s\n", addr);
-}
-
-printdlpromisconreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_PROMISCON_REQ: level %s\n",
- dlpromisclevel(dlp->promiscon_req.dl_level));
-}
-
-printdlpromiscoffreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_PROMISCOFF_REQ: level %s\n",
- dlpromisclevel(dlp->promiscoff_req.dl_level));
-}
-
-printdlphysaddrreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_PHYS_ADDR_REQ: addr_type 0x%x\n",
- dlp->physaddr_req.dl_addr_type);
-}
-
-printdlphysaddrack(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->physaddr_ack.dl_addr_offset),
- dlp->physaddr_ack.dl_addr_length, addr);
-
- (void) printf("DL_PHYS_ADDR_ACK: addr_length %d addr_offset %d\n",
- dlp->physaddr_ack.dl_addr_length,
- dlp->physaddr_ack.dl_addr_offset);
- (void) printf("addr %s\n", addr);
-}
-
-printdlsetphysaddrreq(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->set_physaddr_req.dl_addr_offset),
- dlp->set_physaddr_req.dl_addr_length, addr);
-
- (void) printf("DL_SET_PHYS_ADDR_REQ: addr_length %d addr_offset %d\n",
- dlp->set_physaddr_req.dl_addr_length,
- dlp->set_physaddr_req.dl_addr_offset);
- (void) printf("addr %s\n", addr);
-}
-
-/* ARGSUSED */
-printdldetachreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_DETACH_REQ\n");
-}
-
-printdlbindreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_BIND_REQ: sap %d max_conind %d\n",
- dlp->bind_req.dl_sap,
- dlp->bind_req.dl_max_conind);
- (void) printf("service_mode %s conn_mgmt %d xidtest_flg 0x%x\n",
- dlservicemode(dlp->bind_req.dl_service_mode),
- dlp->bind_req.dl_conn_mgmt,
- dlp->bind_req.dl_xidtest_flg);
-}
-
-printdlbindack(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->bind_ack.dl_addr_offset),
- dlp->bind_ack.dl_addr_length, addr);
-
- (void) printf("DL_BIND_ACK: sap %d addr_length %d addr_offset %d\n",
- dlp->bind_ack.dl_sap,
- dlp->bind_ack.dl_addr_length,
- dlp->bind_ack.dl_addr_offset);
- (void) printf("max_conind %d xidtest_flg 0x%x\n",
- dlp->bind_ack.dl_max_conind,
- dlp->bind_ack.dl_xidtest_flg);
- (void) printf("addr %s\n", addr);
-}
-
-/* ARGSUSED */
-printdlunbindreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_UNBIND_REQ\n");
-}
-
-printdlsubsbindreq(dlp)
-union DL_primitives *dlp;
-{
- u_char sap[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->subs_bind_req.dl_subs_sap_offset),
- dlp->subs_bind_req.dl_subs_sap_length, sap);
-
- (void) printf("DL_SUBS_BIND_REQ: subs_sap_offset %d sub_sap_len %d\n",
- dlp->subs_bind_req.dl_subs_sap_offset,
- dlp->subs_bind_req.dl_subs_sap_length);
- (void) printf("sap %s\n", sap);
-}
-
-printdlsubsbindack(dlp)
-union DL_primitives *dlp;
-{
- u_char sap[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->subs_bind_ack.dl_subs_sap_offset),
- dlp->subs_bind_ack.dl_subs_sap_length, sap);
-
- (void) printf("DL_SUBS_BIND_ACK: subs_sap_offset %d sub_sap_length %d\n",
- dlp->subs_bind_ack.dl_subs_sap_offset,
- dlp->subs_bind_ack.dl_subs_sap_length);
- (void) printf("sap %s\n", sap);
-}
-
-printdlsubsunbindreq(dlp)
-union DL_primitives *dlp;
-{
- u_char sap[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->subs_unbind_req.dl_subs_sap_offset),
- dlp->subs_unbind_req.dl_subs_sap_length, sap);
-
- (void) printf("DL_SUBS_UNBIND_REQ: subs_sap_offset %d sub_sap_length %d\n",
- dlp->subs_unbind_req.dl_subs_sap_offset,
- dlp->subs_unbind_req.dl_subs_sap_length);
- (void) printf("sap %s\n", sap);
-}
-
-printdlunitdatareq(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->unitdata_req.dl_dest_addr_offset),
- dlp->unitdata_req.dl_dest_addr_length, addr);
-
- (void) printf("DL_UNITDATA_REQ: dest_addr_length %d dest_addr_offset %d\n",
- dlp->unitdata_req.dl_dest_addr_length,
- dlp->unitdata_req.dl_dest_addr_offset);
- (void) printf("dl_priority.min %d dl_priority.max %d\n",
- dlp->unitdata_req.dl_priority.dl_min,
- dlp->unitdata_req.dl_priority.dl_max);
- (void) printf("addr %s\n", addr);
-}
-
-printdlunitdataind(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
- u_char src[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->unitdata_ind.dl_dest_addr_offset),
- dlp->unitdata_ind.dl_dest_addr_length, dest);
- addrtostring(OFFADDR(dlp, dlp->unitdata_ind.dl_src_addr_offset),
- dlp->unitdata_ind.dl_src_addr_length, src);
-
- (void) printf("DL_UNITDATA_IND: dest_addr_length %d dest_addr_offset %d\n",
- dlp->unitdata_ind.dl_dest_addr_length,
- dlp->unitdata_ind.dl_dest_addr_offset);
- (void) printf("src_addr_length %d src_addr_offset %d\n",
- dlp->unitdata_ind.dl_src_addr_length,
- dlp->unitdata_ind.dl_src_addr_offset);
- (void) printf("group_address 0x%x\n",
- dlp->unitdata_ind.dl_group_address);
- (void) printf("dest %s\n", dest);
- (void) printf("src %s\n", src);
-}
-
-printdluderrorind(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->uderror_ind.dl_dest_addr_offset),
- dlp->uderror_ind.dl_dest_addr_length, addr);
-
- (void) printf("DL_UDERROR_IND: dest_addr_length %d dest_addr_offset %d\n",
- dlp->uderror_ind.dl_dest_addr_length,
- dlp->uderror_ind.dl_dest_addr_offset);
- (void) printf("unix_errno %d errno %s\n",
- dlp->uderror_ind.dl_unix_errno,
- dlerrno(dlp->uderror_ind.dl_errno));
- (void) printf("addr %s\n", addr);
-}
-
-printdltestreq(dlp)
-union DL_primitives *dlp;
-{
- u_char addr[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->test_req.dl_dest_addr_offset),
- dlp->test_req.dl_dest_addr_length, addr);
-
- (void) printf("DL_TEST_REQ: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->test_req.dl_flag,
- dlp->test_req.dl_dest_addr_length,
- dlp->test_req.dl_dest_addr_offset);
- (void) printf("dest_addr %s\n", addr);
-}
-
-printdltestind(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
- u_char src[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->test_ind.dl_dest_addr_offset),
- dlp->test_ind.dl_dest_addr_length, dest);
- addrtostring(OFFADDR(dlp, dlp->test_ind.dl_src_addr_offset),
- dlp->test_ind.dl_src_addr_length, src);
-
- (void) printf("DL_TEST_IND: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->test_ind.dl_flag,
- dlp->test_ind.dl_dest_addr_length,
- dlp->test_ind.dl_dest_addr_offset);
- (void) printf("src_addr_length %d src_addr_offset %d\n",
- dlp->test_ind.dl_src_addr_length,
- dlp->test_ind.dl_src_addr_offset);
- (void) printf("dest_addr %s\n", dest);
- (void) printf("src_addr %s\n", src);
-}
-
-printdltestres(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->test_res.dl_dest_addr_offset),
- dlp->test_res.dl_dest_addr_length, dest);
-
- (void) printf("DL_TEST_RES: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->test_res.dl_flag,
- dlp->test_res.dl_dest_addr_length,
- dlp->test_res.dl_dest_addr_offset);
- (void) printf("dest_addr %s\n", dest);
-}
-
-printdltestcon(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
- u_char src[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->test_con.dl_dest_addr_offset),
- dlp->test_con.dl_dest_addr_length, dest);
- addrtostring(OFFADDR(dlp, dlp->test_con.dl_src_addr_offset),
- dlp->test_con.dl_src_addr_length, src);
-
- (void) printf("DL_TEST_CON: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->test_con.dl_flag,
- dlp->test_con.dl_dest_addr_length,
- dlp->test_con.dl_dest_addr_offset);
- (void) printf("src_addr_length %d src_addr_offset %d\n",
- dlp->test_con.dl_src_addr_length,
- dlp->test_con.dl_src_addr_offset);
- (void) printf("dest_addr %s\n", dest);
- (void) printf("src_addr %s\n", src);
-}
-
-printdlxidreq(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->xid_req.dl_dest_addr_offset),
- dlp->xid_req.dl_dest_addr_length, dest);
-
- (void) printf("DL_XID_REQ: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->xid_req.dl_flag,
- dlp->xid_req.dl_dest_addr_length,
- dlp->xid_req.dl_dest_addr_offset);
- (void) printf("dest_addr %s\n", dest);
-}
-
-printdlxidind(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
- u_char src[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->xid_ind.dl_dest_addr_offset),
- dlp->xid_ind.dl_dest_addr_length, dest);
- addrtostring(OFFADDR(dlp, dlp->xid_ind.dl_src_addr_offset),
- dlp->xid_ind.dl_src_addr_length, src);
-
- (void) printf("DL_XID_IND: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->xid_ind.dl_flag,
- dlp->xid_ind.dl_dest_addr_length,
- dlp->xid_ind.dl_dest_addr_offset);
- (void) printf("src_addr_length %d src_addr_offset %d\n",
- dlp->xid_ind.dl_src_addr_length,
- dlp->xid_ind.dl_src_addr_offset);
- (void) printf("dest_addr %s\n", dest);
- (void) printf("src_addr %s\n", src);
-}
-
-printdlxidres(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->xid_res.dl_dest_addr_offset),
- dlp->xid_res.dl_dest_addr_length, dest);
-
- (void) printf("DL_XID_RES: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->xid_res.dl_flag,
- dlp->xid_res.dl_dest_addr_length,
- dlp->xid_res.dl_dest_addr_offset);
- (void) printf("dest_addr %s\n", dest);
-}
-
-printdlxidcon(dlp)
-union DL_primitives *dlp;
-{
- u_char dest[MAXDLADDR];
- u_char src[MAXDLADDR];
-
- addrtostring(OFFADDR(dlp, dlp->xid_con.dl_dest_addr_offset),
- dlp->xid_con.dl_dest_addr_length, dest);
- addrtostring(OFFADDR(dlp, dlp->xid_con.dl_src_addr_offset),
- dlp->xid_con.dl_src_addr_length, src);
-
- (void) printf("DL_XID_CON: flag 0x%x dest_addr_length %d dest_addr_offset %d\n",
- dlp->xid_con.dl_flag,
- dlp->xid_con.dl_dest_addr_length,
- dlp->xid_con.dl_dest_addr_offset);
- (void) printf("src_addr_length %d src_addr_offset %d\n",
- dlp->xid_con.dl_src_addr_length,
- dlp->xid_con.dl_src_addr_offset);
- (void) printf("dest_addr %s\n", dest);
- (void) printf("src_addr %s\n", src);
-}
-
-printdludqosreq(dlp)
-union DL_primitives *dlp;
-{
- (void) printf("DL_UDQOS_REQ: qos_length %d qos_offset %d\n",
- dlp->udqos_req.dl_qos_length,
- dlp->udqos_req.dl_qos_offset);
-}
-
-/*
- * Return string.
- */
-addrtostring(addr, length, s)
-u_char *addr;
-u_long length;
-u_char *s;
-{
- int i;
-
- for (i = 0; i < length; i++) {
- (void) sprintf((char*) s, "%x:", addr[i] & 0xff);
- s = s + strlen((char*)s);
- }
- if (length)
- *(--s) = '\0';
-}
-
-/*
- * Return length
- */
-stringtoaddr(sp, addr)
-char *sp;
-char *addr;
-{
- int n = 0;
- char *p;
- int val;
-
- p = sp;
- while (p = strtok(p, ":")) {
- if (sscanf(p, "%x", &val) != 1)
- err("stringtoaddr: invalid input string: %s", sp);
- if (val > 0xff)
- err("stringtoaddr: invalid input string: %s", sp);
- *addr++ = val;
- n++;
- p = NULL;
- }
-
- return (n);
-}
-
-
-static char
-hexnibble(c)
-char c;
-{
- static char hextab[] = {
- '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
- 'a', 'b', 'c', 'd', 'e', 'f'
- };
-
- return (hextab[c & 0x0f]);
-}
-
-char*
-dlprim(prim)
-u_long prim;
-{
- static char primbuf[80];
-
- switch ((int)prim) {
- CASERET(DL_INFO_REQ);
- CASERET(DL_INFO_ACK);
- CASERET(DL_ATTACH_REQ);
- CASERET(DL_DETACH_REQ);
- CASERET(DL_BIND_REQ);
- CASERET(DL_BIND_ACK);
- CASERET(DL_UNBIND_REQ);
- CASERET(DL_OK_ACK);
- CASERET(DL_ERROR_ACK);
- CASERET(DL_SUBS_BIND_REQ);
- CASERET(DL_SUBS_BIND_ACK);
- CASERET(DL_UNITDATA_REQ);
- CASERET(DL_UNITDATA_IND);
- CASERET(DL_UDERROR_IND);
- CASERET(DL_UDQOS_REQ);
- CASERET(DL_CONNECT_REQ);
- CASERET(DL_CONNECT_IND);
- CASERET(DL_CONNECT_RES);
- CASERET(DL_CONNECT_CON);
- CASERET(DL_TOKEN_REQ);
- CASERET(DL_TOKEN_ACK);
- CASERET(DL_DISCONNECT_REQ);
- CASERET(DL_DISCONNECT_IND);
- CASERET(DL_RESET_REQ);
- CASERET(DL_RESET_IND);
- CASERET(DL_RESET_RES);
- CASERET(DL_RESET_CON);
- default:
- (void) sprintf(primbuf, "unknown primitive 0x%x", prim);
- return (primbuf);
- }
-}
-
-
-char*
-dlstate(state)
-u_long state;
-{
- static char statebuf[80];
-
- switch (state) {
- CASERET(DL_UNATTACHED);
- CASERET(DL_ATTACH_PENDING);
- CASERET(DL_DETACH_PENDING);
- CASERET(DL_UNBOUND);
- CASERET(DL_BIND_PENDING);
- CASERET(DL_UNBIND_PENDING);
- CASERET(DL_IDLE);
- CASERET(DL_UDQOS_PENDING);
- CASERET(DL_OUTCON_PENDING);
- CASERET(DL_INCON_PENDING);
- CASERET(DL_CONN_RES_PENDING);
- CASERET(DL_DATAXFER);
- CASERET(DL_USER_RESET_PENDING);
- CASERET(DL_PROV_RESET_PENDING);
- CASERET(DL_RESET_RES_PENDING);
- CASERET(DL_DISCON8_PENDING);
- CASERET(DL_DISCON9_PENDING);
- CASERET(DL_DISCON11_PENDING);
- CASERET(DL_DISCON12_PENDING);
- CASERET(DL_DISCON13_PENDING);
- CASERET(DL_SUBS_BIND_PND);
- default:
- (void) sprintf(statebuf, "unknown state 0x%x", state);
- return (statebuf);
- }
-}
-
-char*
-dlerrno(errno)
-u_long errno;
-{
- static char errnobuf[80];
-
- switch (errno) {
- CASERET(DL_ACCESS);
- CASERET(DL_BADADDR);
- CASERET(DL_BADCORR);
- CASERET(DL_BADDATA);
- CASERET(DL_BADPPA);
- CASERET(DL_BADPRIM);
- CASERET(DL_BADQOSPARAM);
- CASERET(DL_BADQOSTYPE);
- CASERET(DL_BADSAP);
- CASERET(DL_BADTOKEN);
- CASERET(DL_BOUND);
- CASERET(DL_INITFAILED);
- CASERET(DL_NOADDR);
- CASERET(DL_NOTINIT);
- CASERET(DL_OUTSTATE);
- CASERET(DL_SYSERR);
- CASERET(DL_UNSUPPORTED);
- CASERET(DL_UNDELIVERABLE);
- CASERET(DL_NOTSUPPORTED);
- CASERET(DL_TOOMANY);
- CASERET(DL_NOTENAB);
- CASERET(DL_BUSY);
- CASERET(DL_NOAUTO);
- CASERET(DL_NOXIDAUTO);
- CASERET(DL_NOTESTAUTO);
- CASERET(DL_XIDAUTO);
- CASERET(DL_TESTAUTO);
- CASERET(DL_PENDING);
-
- default:
- (void) sprintf(errnobuf, "unknown dlpi errno 0x%x", errno);
- return (errnobuf);
- }
-}
-
-char*
-dlpromisclevel(level)
-u_long level;
-{
- static char levelbuf[80];
-
- switch (level) {
- CASERET(DL_PROMISC_PHYS);
- CASERET(DL_PROMISC_SAP);
- CASERET(DL_PROMISC_MULTI);
- default:
- (void) sprintf(levelbuf, "unknown promisc level 0x%x", level);
- return (levelbuf);
- }
-}
-
-char*
-dlservicemode(servicemode)
-u_long servicemode;
-{
- static char servicemodebuf[80];
-
- switch (servicemode) {
- CASERET(DL_CODLS);
- CASERET(DL_CLDLS);
- CASERET(DL_CODLS|DL_CLDLS);
- default:
- (void) sprintf(servicemodebuf,
- "unknown provider service mode 0x%x", servicemode);
- return (servicemodebuf);
- }
-}
-
-char*
-dlstyle(style)
-long style;
-{
- static char stylebuf[80];
-
- switch (style) {
- CASERET(DL_STYLE1);
- CASERET(DL_STYLE2);
- default:
- (void) sprintf(stylebuf, "unknown provider style 0x%x", style);
- return (stylebuf);
- }
-}
-
-char*
-dlmactype(media)
-u_long media;
-{
- static char mediabuf[80];
-
- switch (media) {
- CASERET(DL_CSMACD);
- CASERET(DL_TPB);
- CASERET(DL_TPR);
- CASERET(DL_METRO);
- CASERET(DL_ETHER);
- CASERET(DL_HDLC);
- CASERET(DL_CHAR);
- CASERET(DL_CTCA);
- default:
- (void) sprintf(mediabuf, "unknown media type 0x%x", media);
- return (mediabuf);
- }
-}
-
-/*VARARGS1*/
-err(fmt, a1, a2, a3, a4)
-char *fmt;
-char *a1, *a2, *a3, *a4;
-{
- (void) fprintf(stderr, fmt, a1, a2, a3, a4);
- (void) fprintf(stderr, "\n");
- (void) exit(1);
-}
-
-syserr(s)
-char *s;
-{
- (void) perror(s);
- exit(1);
-}
-
-strioctl(fd, cmd, timout, len, dp)
-int fd;
-int cmd;
-int timout;
-int len;
-char *dp;
-{
- struct strioctl sioc;
- int rc;
-
- sioc.ic_cmd = cmd;
- sioc.ic_timout = timout;
- sioc.ic_len = len;
- sioc.ic_dp = dp;
- rc = ioctl(fd, I_STR, &sioc);
-
- if (rc < 0)
- return (rc);
- else
- return (sioc.ic_len);
-}
diff --git a/contrib/ipfilter/ipsend/dltest.h b/contrib/ipfilter/ipsend/dltest.h
deleted file mode 100644
index 4c32c30..0000000
--- a/contrib/ipfilter/ipsend/dltest.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Common DLPI Test Suite header file
- *
- */
-
-/*
- * Maximum control/data buffer size (in long's !!) for getmsg().
- */
-#define MAXDLBUF 8192
-
-/*
- * Maximum number of seconds we'll wait for any
- * particular DLPI acknowledgment from the provider
- * after issuing a request.
- */
-#define MAXWAIT 15
-
-/*
- * Maximum address buffer length.
- */
-#define MAXDLADDR 1024
-
-
-/*
- * Handy macro.
- */
-#define OFFADDR(s, n) (u_char*)((char*)(s) + (int)(n))
-
-/*
- * externs go here
- */
-extern void sigalrm();
diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c
deleted file mode 100644
index 42078e3..0000000
--- a/contrib/ipfilter/ipsend/hpux.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * (C)opyright 1997-1998 Darren Reed. (from tcplog)
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- int fd;
-
- if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1)
- perror("socket");
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (send(fd, pkt, len, 0) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
-/*
- * (C)opyright 1997 Darren Reed. (from tcplog)
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- int fd;
-
- if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1)
- perror("socket");
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (send(fd, pkt, len, 0) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
diff --git a/contrib/ipfilter/ipsend/in_var.h b/contrib/ipfilter/ipsend/in_var.h
deleted file mode 100644
index 2ebd731..0000000
--- a/contrib/ipfilter/ipsend/in_var.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */
-
-/*
- * Copyright (c) 1985, 1986 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-/*
- * Interface address, Internet version. One of these structures
- * is allocated for each interface with an Internet address.
- * The ifaddr structure contains the protocol-independent part
- * of the structure and is assumed to be first.
- */
-
-#ifndef _netinet_in_var_h
-#define _netinet_in_var_h
-
-struct in_ifaddr {
- struct ifaddr ia_ifa; /* protocol-independent info */
-#define ia_addr ia_ifa.ifa_addr
-#define ia_broadaddr ia_ifa.ifa_broadaddr
-#define ia_dstaddr ia_ifa.ifa_dstaddr
-#define ia_ifp ia_ifa.ifa_ifp
- u_long ia_net; /* network number of interface */
- u_long ia_netmask; /* mask of net part */
- u_long ia_subnet; /* subnet number, including net */
- u_long ia_subnetmask; /* mask of net + subnet */
- struct in_addr ia_netbroadcast; /* broadcast addr for (logical) net */
- int ia_flags;
- struct in_ifaddr *ia_next; /* next in list of internet addresses */
- struct in_multi *ia_multiaddrs;/* list of multicast addresses */
-};
-/*
- * Given a pointer to an in_ifaddr (ifaddr),
- * return a pointer to the addr as a sockadd_in.
- */
-#define IA_SIN(ia) ((struct sockaddr_in *)(&((struct in_ifaddr *)ia)->ia_addr))
-/*
- * ia_flags
- */
-#define IFA_ROUTE 0x01 /* routing entry installed */
-
-#ifdef KERNEL
-struct in_ifaddr *in_ifaddr;
-struct in_ifaddr *in_iaonnetof();
-struct ifqueue ipintrq; /* ip packet input queue */
-#endif
-
-#ifdef KERNEL
-/*
- * Macro for finding the interface (ifnet structure) corresponding to one
- * of our IP addresses.
- */
-#define INADDR_TO_IFP(addr, ifp) \
- /* struct in_addr addr; */ \
- /* struct ifnet *ifp; */ \
-{ \
- register struct in_ifaddr *ia; \
- \
- for (ia = in_ifaddr; \
- ia != NULL && IA_SIN(ia)->sin_addr.s_addr != (addr).s_addr; \
- ia = ia->ia_next); \
- (ifp) = (ia == NULL) ? NULL : ia->ia_ifp; \
-}
-
-/*
- * Macro for finding the internet address structure (in_ifaddr) corresponding
- * to a given interface (ifnet structure).
- */
-#define IFP_TO_IA(ifp, ia) \
- /* struct ifnet *ifp; */ \
- /* struct in_ifaddr *ia; */ \
-{ \
- for ((ia) = in_ifaddr; \
- (ia) != NULL && (ia)->ia_ifp != (ifp); \
- (ia) = (ia)->ia_next); \
-}
-#endif /* KERNEL */
-
-/*
- * Per-interface router version information is kept in this list.
- * This information should be part of the ifnet structure but we don't wish
- * to change that - as it might break a number of things
- */
-
-struct router_info {
- struct ifnet *ifp;
- int type; /* type of router which is querier on this interface */
- int time; /* # of slow timeouts since last old query */
- struct router_info *next;
-};
-
-/*
- * Internet multicast address structure. There is one of these for each IP
- * multicast group to which this host belongs on a given network interface.
- * They are kept in a linked list, rooted in the interface's in_ifaddr
- * structure.
- */
-
-struct in_multi {
- struct in_addr inm_addr; /* IP multicast address */
- struct ifnet *inm_ifp; /* back pointer to ifnet */
- struct in_ifaddr *inm_ia; /* back pointer to in_ifaddr */
- u_int inm_refcount;/* no. membership claims by sockets */
- u_int inm_timer; /* IGMP membership report timer */
- struct in_multi *inm_next; /* ptr to next multicast address */
- u_int inm_state; /* state of the membership */
- struct router_info *inm_rti; /* router info*/
-};
-
-#ifdef KERNEL
-/*
- * Structure used by macros below to remember position when stepping through
- * all of the in_multi records.
- */
-struct in_multistep {
- struct in_ifaddr *i_ia;
- struct in_multi *i_inm;
-};
-
-/*
- * Macro for looking up the in_multi record for a given IP multicast address
- * on a given interface. If no matching record is found, "inm" returns NULL.
- */
-#define IN_LOOKUP_MULTI(addr, ifp, inm) \
- /* struct in_addr addr; */ \
- /* struct ifnet *ifp; */ \
- /* struct in_multi *inm; */ \
-{ \
- register struct in_ifaddr *ia; \
- \
- IFP_TO_IA((ifp), ia); \
- if (ia == NULL) \
- (inm) = NULL; \
- else \
- for ((inm) = ia->ia_multiaddrs; \
- (inm) != NULL && (inm)->inm_addr.s_addr != (addr).s_addr; \
- (inm) = inm->inm_next); \
-}
-
-/*
- * Macro to step through all of the in_multi records, one at a time.
- * The current position is remembered in "step", which the caller must
- * provide. IN_FIRST_MULTI(), below, must be called to initialize "step"
- * and get the first record. Both macros return a NULL "inm" when there
- * are no remaining records.
- */
-#define IN_NEXT_MULTI(step, inm) \
- /* struct in_multistep step; */ \
- /* struct in_multi *inm; */ \
-{ \
- if (((inm) = (step).i_inm) != NULL) { \
- (step).i_inm = (inm)->inm_next; \
- } \
- else while ((step).i_ia != NULL) { \
- (inm) = (step).i_ia->ia_multiaddrs; \
- (step).i_ia = (step).i_ia->ia_next; \
- if ((inm) != NULL) { \
- (step).i_inm = (inm)->inm_next; \
- break; \
- } \
- } \
-}
-
-#define IN_FIRST_MULTI(step, inm) \
- /* struct in_multistep step; */ \
- /* struct in_multi *inm; */ \
-{ \
- (step).i_ia = in_ifaddr; \
- (step).i_inm = NULL; \
- IN_NEXT_MULTI((step), (inm)); \
-}
-
-struct in_multi *in_addmulti();
-#endif /* KERNEL */
-#endif /*!_netinet_in_var_h*/
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
deleted file mode 100644
index e29f722..0000000
--- a/contrib/ipfilter/ipsend/ip.c
+++ /dev/null
@@ -1,367 +0,0 @@
-/*
- * ip.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <netinet/in_systm.h>
-#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <sys/param.h>
-#ifndef linux
-# include <netinet/if_ether.h>
-# include <netinet/ip_var.h>
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-#endif
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include "ipsend.h"
-
-
-static char *ipbuf = NULL, *ethbuf = NULL;
-
-
-u_short chksum(buf,len)
-u_short *buf;
-int len;
-{
- u_long sum = 0;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- sum = (sum>>16) + (sum & 0xffff);
- sum += (sum >>16);
- return (~sum);
-}
-
-
-int send_ether(nfd, buf, len, gwip)
-int nfd, len;
-char *buf;
-struct in_addr gwip;
-{
- static struct in_addr last_gw;
- static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
- ether_header_t *eh;
- char *s;
- int err;
-
- if (!ethbuf)
- ethbuf = (char *)calloc(1, 65536+1024);
- s = ethbuf;
- eh = (ether_header_t *)s;
-
- bcopy((char *)buf, s + sizeof(*eh), len);
- if (gwip.s_addr == last_gw.s_addr)
- {
- bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
- }
- else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
- {
- perror("arp");
- return -2;
- }
- eh->ether_type = htons(ETHERTYPE_IP);
- last_gw.s_addr = gwip.s_addr;
- err = sendip(nfd, s, sizeof(*eh) + len);
- return err;
-}
-
-
-/*
- */
-int send_ip(nfd, mtu, ip, gwip, frag)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-int frag;
-{
- static struct in_addr last_gw, local_ip;
- static char local_arp[6] = { 0, 0, 0, 0, 0, 0};
- static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
- static u_short id = 0;
- ether_header_t *eh;
- ip_t ipsv;
- int err, iplen;
-
- if (!ipbuf)
- {
- ipbuf = (char *)malloc(65536);
- if (!ipbuf)
- {
- perror("malloc failed");
- return -2;
- }
- }
-
- eh = (ether_header_t *)ipbuf;
-
- bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
- if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr))
- {
- bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
- }
- else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
- {
- perror("arp");
- return -2;
- }
- bcopy((char *)A_A eh->ether_dhost, last_arp, sizeof(last_arp));
- eh->ether_type = htons(ETHERTYPE_IP);
-
- bcopy((char *)ip, (char *)&ipsv, sizeof(*ip));
- last_gw.s_addr = gwip.s_addr;
- iplen = ip->ip_len;
- ip->ip_len = htons(iplen);
- if (!(frag & 2)) {
- if (!IP_V(ip))
- IP_V_A(ip, IPVERSION);
- if (!ip->ip_id)
- ip->ip_id = htons(id++);
- if (!ip->ip_ttl)
- ip->ip_ttl = 60;
- }
-
- if (ip->ip_src.s_addr != local_ip.s_addr) {
- (void) arp((char *)&ip->ip_src, (char *)A_A local_arp);
- bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp));
- local_ip = ip->ip_src;
- } else
- bcopy(local_arp, (char *)A_A eh->ether_shost, 6);
-
- if (!frag || (sizeof(*eh) + iplen < mtu))
- {
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
-
- bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
- err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
- }
- else
- {
- /*
- * Actually, this is bogus because we're putting all IP
- * options in every packet, which isn't always what should be
- * done. Will do for now.
- */
- ether_header_t eth;
- char optcpy[48], ol;
- char *s;
- int i, sent = 0, ts, hlen, olen;
-
- hlen = IP_HL(ip) << 2;
- if (mtu < (hlen + 8)) {
- fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n",
- mtu, hlen);
- fprintf(stderr, "can't fragment data\n");
- return -2;
- }
- ol = (IP_HL(ip) << 2) - sizeof(*ip);
- for (i = 0, s = (char*)(ip + 1); ol > 0; )
- if (*s == IPOPT_EOL) {
- optcpy[i++] = *s;
- break;
- } else if (*s == IPOPT_NOP) {
- s++;
- ol--;
- } else
- {
- olen = (int)(*(u_char *)(s + 1));
- ol -= olen;
- if (IPOPT_COPIED(*s))
- {
- bcopy(s, optcpy + i, olen);
- i += olen;
- s += olen;
- }
- }
- if (i)
- {
- /*
- * pad out
- */
- while ((i & 3) && (i & 3) != 3)
- optcpy[i++] = IPOPT_NOP;
- if ((i & 3) == 3)
- optcpy[i++] = IPOPT_EOL;
- }
-
- bcopy((char *)eh, (char *)&eth, sizeof(eth));
- s = (char *)ip + hlen;
- iplen = ntohs(ip->ip_len) - hlen;
- ip->ip_off |= htons(IP_MF);
-
- while (1)
- {
- if ((sent + (mtu - hlen)) >= iplen)
- {
- ip->ip_off ^= htons(IP_MF);
- ts = iplen - sent;
- }
- else
- ts = (mtu - hlen);
- ip->ip_off &= htons(0xe000);
- ip->ip_off |= htons(sent >> 3);
- ts += hlen;
- ip->ip_len = htons(ts);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, hlen);
- bcopy((char *)ip, ipbuf + sizeof(*eh), hlen);
- bcopy(s + sent, ipbuf + sizeof(*eh) + hlen, ts - hlen);
- err = sendip(nfd, ipbuf, sizeof(*eh) + ts);
-
- bcopy((char *)&eth, ipbuf, sizeof(eth));
- sent += (ts - hlen);
- if (!(ntohs(ip->ip_off) & IP_MF))
- break;
- else if (!(ip->ip_off & htons(0x1fff)))
- {
- hlen = i + sizeof(*ip);
- IP_HL_A(ip, (sizeof(*ip) + i) >> 2);
- bcopy(optcpy, (char *)(ip + 1), i);
- }
- }
- }
-
- bcopy((char *)&ipsv, (char *)ip, sizeof(*ip));
- return err;
-}
-
-
-/*
- * send a tcp packet.
- */
-int send_tcp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- static tcp_seq iss = 2;
- tcphdr_t *t, *t2;
- int thlen, i, iplen, hlen;
- u_32_t lbuf[20];
- ip_t *ip2;
-
- iplen = ip->ip_len;
- hlen = IP_HL(ip) << 2;
- t = (tcphdr_t *)((char *)ip + hlen);
- ip2 = (struct ip *)lbuf;
- t2 = (tcphdr_t *)((char *)ip2 + hlen);
- thlen = TCP_OFF(t) << 2;
- if (!thlen)
- thlen = sizeof(tcphdr_t);
- bzero((char *)ip2, sizeof(*ip2) + sizeof(*t2));
- ip->ip_p = IPPROTO_TCP;
- ip2->ip_p = ip->ip_p;
- ip2->ip_src = ip->ip_src;
- ip2->ip_dst = ip->ip_dst;
- bcopy((char *)ip + hlen, (char *)t2, thlen);
-
- if (!t2->th_win)
- t2->th_win = htons(4096);
- iss += 63;
-
- i = sizeof(struct tcpiphdr) / sizeof(long);
-
- if ((t2->th_flags == TH_SYN) && !ntohs(ip->ip_off) &&
- (lbuf[i] != htonl(0x020405b4))) {
- lbuf[i] = htonl(0x020405b4);
- bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
- iplen - thlen - hlen);
- thlen += 4;
- }
- TCP_OFF_A(t2, thlen >> 2);
- ip2->ip_len = htons(thlen);
- ip->ip_len = hlen + thlen;
- t2->th_sum = 0;
- t2->th_sum = chksum((u_short *)ip2, thlen + sizeof(ip_t));
-
- bcopy((char *)t2, (char *)ip + hlen, thlen);
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-/*
- * send a udp packet.
- */
-int send_udp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- struct tcpiphdr *ti;
- int thlen;
- u_long lbuf[20];
-
- ti = (struct tcpiphdr *)lbuf;
- bzero((char *)ti, sizeof(*ti));
- thlen = sizeof(udphdr_t);
- ti->ti_pr = ip->ip_p;
- ti->ti_src = ip->ip_src;
- ti->ti_dst = ip->ip_dst;
- bcopy((char *)ip + (IP_HL(ip) << 2),
- (char *)&ti->ti_sport, sizeof(udphdr_t));
-
- ti->ti_len = htons(thlen);
- ip->ip_len = (IP_HL(ip) << 2) + thlen;
- ti->ti_sum = 0;
- ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
-
- bcopy((char *)&ti->ti_sport,
- (char *)ip + (IP_HL(ip) << 2), sizeof(udphdr_t));
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-/*
- * send an icmp packet.
- */
-int send_icmp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- struct icmp *ic;
-
- ic = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
-
- ic->icmp_cksum = 0;
- ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp));
-
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-int send_packet(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- return send_tcp(nfd, mtu, ip, gwip);
- case IPPROTO_UDP :
- return send_udp(nfd, mtu, ip, gwip);
- case IPPROTO_ICMP :
- return send_icmp(nfd, mtu, ip, gwip);
- default :
- return send_ip(nfd, mtu, ip, gwip, 1);
- }
-}
diff --git a/contrib/ipfilter/ipsend/ip_compat.h b/contrib/ipfilter/ipsend/ip_compat.h
deleted file mode 100644
index c38fa59..0000000
--- a/contrib/ipfilter/ipsend/ip_compat.h
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * (C)opyright 1995 by Darren Reed.
- *
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
- *
- * @(#)ip_compat.h 1.2 12/7/95
- */
-
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH ICMP_DEST_UNREACH
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB ICMP_PARAMETERPROB
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-
-#ifdef linux
-# if LINUX < 0200
-# define icmp icmphdr
-# define icmp_type type
-# define icmp_code code
-# endif
-
-/*
- * From /usr/include/netinet/ip_var.h
- * !%@#!$@# linux...
- */
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __s16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-typedef struct icmp {
- u_char icmp_type; /* type of message, see below */
- u_char icmp_code; /* type sub code */
- u_short icmp_cksum; /* ones complement cksum of struct */
- union {
- u_char ih_pptr; /* ICMP_PARAMPROB */
- struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
- struct ih_idseq {
- n_short icd_id;
- n_short icd_seq;
- } ih_idseq;
- int ih_void;
- } icmp_hun;
-#define icmp_pptr icmp_hun.ih_pptr
-#define icmp_gwaddr icmp_hun.ih_gwaddr
-#define icmp_id icmp_hun.ih_idseq.icd_id
-#define icmp_seq icmp_hun.ih_idseq.icd_seq
-#define icmp_void icmp_hun.ih_void
- union {
- struct id_ts {
- n_time its_otime;
- n_time its_rtime;
- n_time its_ttime;
- } id_ts;
- struct id_ip {
- ip_t idi_ip;
- /* options and then 64 bits of data */
- } id_ip;
- u_long id_mask;
- char id_data[1];
- } icmp_dun;
-#define icmp_otime icmp_dun.id_ts.its_otime
-#define icmp_rtime icmp_dun.id_ts.its_rtime
-#define icmp_ttime icmp_dun.id_ts.its_ttime
-#define icmp_ip icmp_dun.id_ip.idi_ip
-#define icmp_mask icmp_dun.id_mask
-#define icmp_data icmp_dun.id_data
-} icmphdr_t;
-
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-
-# define ifnet device
-
-#else
-
-typedef struct udphdr udphdr_t;
-typedef struct tcphdr tcphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-
-#endif
-
-#if defined(__SVR4) || defined(__svr4__)
-# define bcopy(a,b,c) memmove(b,a,c)
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bzero(a,b) memset(a,0,b)
-#endif
diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h
deleted file mode 100644
index 92eb38a..0000000
--- a/contrib/ipfilter/ipsend/ip_var.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
-
-/*
- * Copyright (c) 1982, 1986 Regents of the University of California.
- * All rights reserved. The Berkeley software License Agreement
- * specifies the terms and conditions for redistribution.
- */
-
-/*
- * Overlay for ip header used by other protocols (tcp, udp).
- */
-
-#ifndef _netinet_ip_var_h
-#define _netinet_ip_var_h
-
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-
-/*
- * Ip reassembly queue structure. Each fragment
- * being reassembled is attached to one of these structures.
- * They are timed out after ipq_ttl drops to 0, and may also
- * be reclaimed if memory becomes tight.
- */
-struct ipq {
- struct ipq *next,*prev; /* to other reass headers */
- u_char ipq_ttl; /* time for reass q to live */
- u_char ipq_p; /* protocol of this fragment */
- u_short ipq_id; /* sequence id for reassembly */
- struct ipasfrag *ipq_next,*ipq_prev;
- /* to ip headers of fragments */
- struct in_addr ipq_src,ipq_dst;
-};
-
-/*
- * Ip header, when holding a fragment.
- *
- * Note: ipf_next must be at same offset as ipq_next above
- */
-struct ipasfrag {
-#if defined(vax) || defined(i386)
- u_char ip_hl:4,
- ip_v:4;
-#endif
-#if defined(mc68000) || defined(sparc)
- u_char ip_v:4,
- ip_hl:4;
-#endif
- u_char ipf_mff; /* copied from (ip_off&IP_MF) */
- short ip_len;
- u_short ip_id;
- short ip_off;
- u_char ip_ttl;
- u_char ip_p;
- u_short ip_sum;
- struct ipasfrag *ipf_next; /* next fragment */
- struct ipasfrag *ipf_prev; /* previous fragment */
-};
-
-/*
- * Structure stored in mbuf in inpcb.ip_options
- * and passed to ip_output when ip options are in use.
- * The actual length of the options (including ipopt_dst)
- * is in m_len.
- */
-#define MAX_IPOPTLEN 40
-
-struct ipoption {
- struct in_addr ipopt_dst; /* first-hop dst if source routed */
- char ipopt_list[MAX_IPOPTLEN]; /* options proper */
-};
-
-/*
- * Structure stored in an mbuf attached to inpcb.ip_moptions and
- * passed to ip_output when IP multicast options are in use.
- */
-struct ip_moptions {
- struct ifnet *imo_multicast_ifp; /* ifp for outgoing multicasts */
- u_char imo_multicast_ttl; /* TTL for outgoing multicasts */
- u_char imo_multicast_loop; /* 1 => hear sends if a member */
- u_short imo_num_memberships;/* no. memberships this socket */
- struct in_multi *imo_membership[IP_MAX_MEMBERSHIPS];
-#ifdef RSVP_ISI
- long imo_multicast_vif; /* vif for outgoing multicasts */
-#endif /* RSVP_ISI */
-};
-
-struct ipstat {
- long ips_total; /* total packets received */
- long ips_badsum; /* checksum bad */
- long ips_tooshort; /* packet too short */
- long ips_toosmall; /* not enough data */
- long ips_badhlen; /* ip header length < data size */
- long ips_badlen; /* ip length < ip header length */
- long ips_fragments; /* fragments received */
- long ips_fragdropped; /* frags dropped (dups, out of space) */
- long ips_fragtimeout; /* fragments timed out */
- long ips_forward; /* packets forwarded */
- long ips_cantforward; /* packets rcvd for unreachable dest */
- long ips_redirectsent; /* packets forwarded on same net */
-};
-
-#ifdef KERNEL
-/* flags passed to ip_output as last parameter */
-#define IP_FORWARDING 0x1 /* most of ip header exists */
-#define IP_MULTICASTOPTS 0x2 /* multicast opts present */
-#define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */
-#define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */
-
-struct ipstat ipstat;
-struct ipq ipq; /* ip reass. queue */
-u_short ip_id; /* ip packet ctr, for ids */
-
-struct mbuf *ip_srcroute();
-#endif
-
-#endif /*!_netinet_ip_var_h*/
diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1
deleted file mode 100644
index 6014313..0000000
--- a/contrib/ipfilter/ipsend/ipresend.1
+++ /dev/null
@@ -1,106 +0,0 @@
-.TH IPRESEND 1
-.SH NAME
-ipresend \- resend IP packets out to network
-.SH SYNOPSIS
-.B ipresend
-[
-.B \-EHPRSTX
-] [
-.B \-d
-<device>
-] [
-.B \-g
-<\fIgateway\fP>
-] [
-.B \-m
-<\fIMTU\fP>
-] [
-.B \-r
-<\fIfilename\fP>
-]
-.SH DESCRIPTION
-.PP
-\fBipresend\fP was designed to allow packets to be resent, once captured,
-back out onto the network for use in testing. \fIipresend\fP supports a
-number of different file formats as input, including saved snoop/tcpdump
-binary data.
-.SH OPTIONS
-.TP
-.BR \-d \0<interface>
-Set the interface name to be the name supplied. This is useful with the
-\fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is not otherwise possible
-to associate a packet with an interface. Normal "text packets" can override
-this setting.
-.TP
-.BR \-g \0<gateway>
-Specify the hostname of the gateway through which to route packets. This
-is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.TP
-.BR \-m \0<MTU>
-Specify the MTU to be used when sending out packets. This option allows you
-to set a fake MTU, allowing the simulation of network interfaces with small
-MTU's without setting them so.
-.TP
-.BR \-r \0<filename>
-Specify the filename from which to take input. Default is stdin.
-.TP
-.B \-E
-The input file is to be text output from etherfind. The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
-.PP
-.nf
- etherfind -n
- etherfind -n -t
-.fi
-.LP
-.TP
-.B \-H
-The input file is to be hex digits, representing the binary makeup of the
-packet. No length correction is made, if an incorrect length is put in
-the IP header.
-.TP
-.B \-P
-The input file specified by \fB\-i\fP is a binary file produced using libpcap
-(i.e., tcpdump version 3). Packets are read from this file as being input
-(for rule purposes).
-.TP
-.B \-R
-When sending packets out, send them out "raw" (the way they came in). The
-only real significance here is that it will expect the link layer (i.e.
-ethernet) headers to be prepended to the IP packet being output.
-.TP
-.B \-S
-The input file is to be in "snoop" format (see RFC 1761). Packets are read
-from this file and used as input from any interface. This is perhaps the
-most useful input type, currently.
-.TP
-.B \-T
-The input file is to be text output from tcpdump. The text formats which
-are currently supported are those which result from the following tcpdump
-option combinations:
-.PP
-.nf
- tcpdump -n
- tcpdump -nq
- tcpdump -nqt
- tcpdump -nqtt
- tcpdump -nqte
-.fi
-.LP
-.TP
-.B \-X
-The input file is composed of text descriptions of IP packets.
-.DT
-.SH SEE ALSO
-snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root.
-.SH BUGS
-.PP
-Not all of the input formats are sufficiently capable of introducing a
-wide enough variety of packets for them to be all useful in testing.
-If you find any, please send email to me at darrenr@pobox.com
-
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
deleted file mode 100644
index 7e52fe9..0000000
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * ipresend.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include "ipsend.h"
-
-
-extern char *optarg;
-extern int optind;
-#ifndef NO_IPF
-extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext;
-#endif
-
-int opts = 0;
-#ifndef DEFAULT_DEVICE
-# ifdef linux
-char default_device[] = "eth0";
-# else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-# endif
-#else
-char default_device[] = DEFAULT_DEVICE;
-#endif
-
-
-static void usage __P((char *));
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\
-\t\t-r filename\tsnoop data file to resend\n\
-\t\t-R filename\tlibpcap data file to resend\n\
-\toptions:\n\
-\t\t-d device\tSend out on this device\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- struct in_addr gwip;
- struct ipread *ipr = NULL;
- char *name = argv[0], *gateway = NULL, *dev = NULL;
- char *resend = NULL;
- int mtu = 1500, c;
-
- while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1)
- switch (c)
- {
- case 'd' :
- dev = optarg;
- break;
- case 'g' :
- gateway = optarg;
- break;
- case 'm' :
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- case 'r' :
- resend = optarg;
- break;
- case 'R' :
- opts |= OPT_RAW;
- break;
-#ifndef NO_IPF
- case 'E' :
- ipr = &etherf;
- break;
- case 'H' :
- ipr = &iphex;
- break;
- case 'P' :
- ipr = &pcap;
- break;
- case 'S' :
- ipr = &snoop;
- break;
- case 'T' :
- ipr = &tcpd;
- break;
- case 'X' :
- ipr = &iptext;
- break;
-#endif
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- if (!ipr || !resend)
- usage(name);
-
- gwip.s_addr = 0;
- if (gateway && resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
- if (!dev)
- dev = default_device;
-
- printf("Device: %s\n", dev);
- printf("Gateway: %s\n", inet_ntoa(gwip));
- printf("mtu: %d\n", mtu);
-
- return ip_resend(dev, mtu, ipr, gwip, resend);
-}
diff --git a/contrib/ipfilter/ipsend/ipsend.1 b/contrib/ipfilter/ipsend/ipsend.1
deleted file mode 100644
index f2f8066..0000000
--- a/contrib/ipfilter/ipsend/ipsend.1
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH IPSEND 1
-.SH NAME
-ipsend \- sends IP packets
-.SH SYNOPSIS
-.B ipsend
-[
-.B \-dITUv
-] [
-.B \-i
-<interface>
-] [
-.B \-f
-<\fIoffset\fP>
-] [
-.B \-g
-<\fIgateway\fP>
-] [
-.B \-m
-<\fIMTU\fP>
-] [
-.B \-o
-<\fIoption\fP>
-] [
-.B \-P
-<protocol>
-] [
-.B \-s
-<\fIsource\fP>
-] [
-.B \-t
-<\fIdest. port\fP>
-] [
-.B \-w
-<\fIwindow\fP>
-] <destination> [TCP-flags]
-.SH DESCRIPTION
-.PP
-\fBipsend\fP can be compiled in two ways. The first is used to send one-off
-packets to a destination host, using command line options to specify various
-attributes present in the headers. The \fIdestination\fP must be given as
-the last command line option, except for when TCP flags are specified as
-a combination of A, S, F, U, P and R, last.
-.PP
-The other way it may be compiled, with DOSOCKET defined, is to allow an
-attempt at making a TCP connection using a with ipsend resending the SYN
-packet as per the command line options.
-.SH OPTIONS
-.TP
-.BR \-d
-enable debugging mode.
-.TP
-.BR \-f \0<offset>
-The \fI-f\fP allows the IP offset field in the IP header to be set to an
-arbitrary value, which can be specified in decimal or hexadecimal.
-.TP
-.BR \-g \0<gateway>
-Specify the hostname of the gateway through which to route packets. This
-is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.TP
-.BR \-i \0<interface>
-Set the interface name to be the name supplied.
-.TP
-.TP
-.BR \-m \0<MTU>
-Specify the MTU to be used when sending out packets. This option allows you
-to set a fake MTU, allowing the simulation of network interfaces with small
-MTU's without setting them so.
-.TP
-.BR \-o \0<option>
-Specify options to be included at the end of the IP header. An EOL option
-is automatically appended and need not be given. If an option would also
-have data associated with it (source as an IP# for a lsrr option), then
-this will not be initialised.
-.TP
-.BR \-s \0<source>
-Set the source address in the packet to that provided - maybe either a
-hostname or IP#.
-.TP
-.BR \-t \0<dest. port>
-Set the destination port for TCP/UDP packets.
-.TP
-.BR \-w \0<window>
-Set the window size for TCP packets.
-.TP
-.B \-I
-Set the protocol to ICMP.
-.TP
-.B \-P <protocol>
-Set the protocol to the value given. If the parameter is a name, the name
-is looked up in the \fI/etc/protocols\fP file.
-.TP
-.B \-T
-Set the protocol to TCP.
-.TP
-.B \-U
-Set the protocol to UDP.
-.TP
-.BR \-v
-enable verbose mode.
-.DT
-.SH SEE ALSO
-ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5
deleted file mode 100644
index 4c1e66a..0000000
--- a/contrib/ipfilter/ipsend/ipsend.5
+++ /dev/null
@@ -1,401 +0,0 @@
-.TH IPSEND 5
-.SH NAME
-ipsend \- IP packet description language
-.SH DESCRIPTION
-The \fBipsend\fP program expects, with the \fB-L\fP option, input to be a
-text file which fits the grammar described below. The purpose of this
-grammar is to allow IP packets to be described in an arbitary way which
-also allows encapsulation to be so done to an arbitary level.
-.SH GRAMMAR
-.LP
-.nf
-line ::= iface | arp | send | defrouter | ipv4line .
-
-iface ::= ifhdr "{" ifaceopts "}" ";" .
-ifhdr ::= "interface" | "iface" .
-ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr |
- "eaddr" eaddr .
-
-send ::= "send" ";" | "send" "{" sendbodyopts "}" ";" .
-sendbodyopts ::= sendbody [ sendbodyopts ] .
-sendbody ::= "ifname" name | "via" ipaddr .
-
-defrouter ::= "router" ipaddr .
-
-arp ::= "arp" "{" arpbodyopts "}" ";" .
-arpbodyopts ::= arpbody [ arpbodyopts ] .
-arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
-
-bodyline ::= ipv4line | tcpline | udpline | icmpline | dataline .
-
-ipv4line ::= "ipv4" "{" ipv4bodyopts "}" ";" .
-ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] | bodyline .
-ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
- "off" number | "v" number | "hl" number| "id" number |
- "ttl" number | "tos" number | "sum" number | "len" number |
- "opt" "{" ipv4optlist "}" ";" .
-ipv4optlist ::= ipv4option [ ipv4optlist ] .
-ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
- "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
- "secclass" ipv4secclass.
-ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
- "reserv-3" | "reserv-4" | "secret" | "topsecret" .
-
-tcpline ::= "tcp" "{" tcpbodyopts "}" ";" .
-tcpbodyopts ::= tcpbody [ tcpbodyopts ] | bodyline .
-tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
- "off" number | "urp" number | "win" number | "sum" number |
- "flags" tcpflags | data .
-
-udpline ::= "udp" "{" udpbodyopts "}" ";" .
-udpbodyopts ::= udpbody [ udpbodyopts ] | bodyline .
-udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
- data .
-
-icmpline ::= "icmp" "{" icmpbodyopts "}" ";" .
-icmpbodyopts ::= icmpbody [ icmpbodyopts ] | bodyline .
-icmpbody ::= "type" icmptype [ "code" icmpcode ] .
-icmptype ::= "echorep" | "echorep" "{" echoopts "}" ";" | "unreach" |
- "unreach" "{" unreachtype "}" ";" | "squench" | "redir" |
- "redir" "{" redirtype "}" ";" | "echo" "{" echoopts "}" ";" |
- "echo" | "routerad" | "routersol" | "timex" |
- "timex" "{" timextype "}" ";" | "paramprob" |
- "paramprob" "{" parapptype "}" ";" | "timest" | "timestrep" |
- "inforeq" | "inforep" | "maskreq" | "maskrep" .
-
-echoopts ::= echoopts [ icmpechoopts ] .
-unreachtype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-redirtype ::= "net-redir" | "host-redir" | "tos-net-redir" |
- "tos-host-redir" .
-timextype ::= "intrans" | "reass" .
-paramptype ::= "optabsent" .
-
-data ::= "data" "{" databodyopts "}" ";" .
-databodyopts ::= "len" number | "value" string | "file" filename .
-
-icmpechoopts ::= "icmpseq" number | "icmpid" number .
-.fi
-.SH COMMANDS
-.PP
-Before sending any packets or defining any packets, it is necessary to
-describe the interface(s) which will be used to send packets out.
-.TP
-.B interface
-is used to describe a network interface. The description included need
-not match the actual configuration currently employed by the operating
-system.
-.TP
-.B send
-is used to actually send out a packet across the network. If the
-destination is not specified, it will attempt to send the packet
-directly out on the network to the destination without routing it.
-.TP
-.B router
-configures the default router for ipsend, as distinct from the default
-route installed in the kernel.
-.TP
-.B ipv4
-is used to describe an IP (version 4) packet. IP header fields can be
-specified, including options, followed by a data section which may contain
-further protocol headers.
-.SH IPv4
-.TP
-.B hl <number>
-manually specifies the IP header length (automatically adjusts with the
-presence of IP options and defaults to 5);
-.TP
-.B v <number>
-set the IP version. Default is 4.
-.TP
-.B tos <number>
-set the type of service (TOS) field in the IP header. Default is 0.
-.TP
-.B len <number>
-manually specifies the length of the IP packet. The length will automatically
-be adjusted to accommodate data or further protocol headers.
-.TP
-.B off <number>
-sets the fragment offset field of the IP packet. Default is 0.
-.TP
-.B ttl <number>
-sets the time to live (TTL) field of the IP header. Default is 60.
-.TP
-.B proto <protocol>
-sets the protocol field of the IP header. The protocol can either be a
-number or a name found in \fB/etc/protocols\fP.
-.TP
-.B sum
-manually specifies the checksum for the IP header. If left unset (0), it
-will be calculated prior to being sent.
-.TP
-.B src
-manually specifies the source address of the IP header. If left unset, it
-will default to the host's IP address.
-.TP
-.B dst
-sets the destination of the IP packet. The default is 0.0.0.0.
-.TP
-.B opt
-is used to include IP options in the IP header.
-.TP
-.B tcp
-is used to indicate the a TCP protocol header is to follow. See the \fBTCP\fP
-section for TCP header options.
-.TP
-.B udp
-is used to indicate the a UDP protocol header is to follow. See the \fBUDP\fP
-section for UDP header options.
-.TP
-.B icmp
-is used to indicate the a ICMP protocol header is to follow. See the
-\fBICMP\fP section for ICMP header options.
-.TP
-.B data
-is used to indicate that raw data is to be included in the IP packet. See the
-\fBDATA\fP section for details on options available.
-.SH "IPv4 Options"
-these keywords indicate that the relevant IP option should be added to the
-IP header (the header length field will be adjusted appropriately).
-.TP
-.B nop
-No Operation [RFC 791] (space filler).
-.TP
-.B rr <number>
-Record Router [RFC 791]. The number given specifies the number of
-\fBbytes\fP to be used for storage. This should be a multiple of 4 for
-proper operation.
-.TP
-.B zsu
-Experimental Measurement.
-.TP
-.B mtup [RFC 1191].
-MTU Probe.
-.TP
-.B mtur [RFC 1191].
-MTU Ready.
-.TP
-.B encode
-.TP
-.B ts
-Timestamp [RFC 791].
-.TP
-.B tr
-Traceroute [RFC 1393].
-.TP
-.B "sec-class <security-level>, sec"
-Security [RFC 1108]. This option specifies the security label for the packet.
-Using \fBsec\fP sets up the framework of the security option but unless
-\fBsec-class\fP is given, the level may not be set.
-.TP
-.B "lsrr <ip-address>"
-Loose Source Route [RFC 791].
-.TP
-.B e-sec
-Extended Security [RFC 1108].
-.TP
-.B cipso
-Commercial Security.
-.TP
-.B satid
-Stream ID [RFC 791].
-.TP
-.B "ssrr <ip-address>"
-Strict Source Route [RFC 791].
-.TP
-.B addext
-Address Extension
-.TP
-.B visa
-Experimental Access Control.
-.TP
-.B imitd
-IMI Traffic Descriptor.
-.TP
-.B eip
-[RFC 1358].
-.TP
-.B finn
-Experimental Flow Control.
-.SH TCP
-.TP
-.B sport <port>
-sets the source port to the number/name given. Default is 0.
-.TP
-.B dport <port>
-sets the destination port to the number/name given. Default is 0.
-.TP
-.B seq <number>
-sets the sequence number to the number specified. Default is 0.
-.TP
-.B ack <number>
-sets the acknowledge number to the number specified. Default is 0.
-.TP
-.B off <number>
-sets the offset value for the start of data to the number specified. This
-implies the size of the TCP header. It is automatically adjusted if TCP
-options are included and defaults to 5.
-.TP
-.B urp <number>
-sets the value of the urgent data pointer to the number specified. Default
-is 0.
-.TP
-.B win <number>
-sets the size of the TCP window to the number specified. Default is 4096.
-.TP
-.B sum <number>
-manually specifies the checksum for the TCP pseudo-header and data. If left
-unset, it defaults to 0 and is automatically calculated.
-.TP
-.B flags <tcp-flags>
-sets the TCP flags field to match the flags specified. Valid flags are
-"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
-.TP
-.B opt
-indicates that TCP header options follow. As TCP options are added to the
-TCP header, the \fBoff\fP field is updated to match.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH "TCP options"
-With a TCP header, it is possible to append a number of header options.
-The TCP header offset will be updated automatically to reflect the change
-in size. The valid options are: \fBnop\fP No Operation,
-\fBeol\fP End Of (option) List, \fBmss [ size ]\fP Maximum Segment Size - this
-sets the maximum receivable size of a packet containing data,
-\fBwscale\fP Window Scale, \fBts\fP Timestamp.
-.SH UDP
-.TP
-.B sport <port>
-sets the source port to the number/name given. Default is 0.
-.TP
-.B dport <port>
-sets the destination port to the number/name given. Default is 0.
-.TP
-.B len <number>
-manually specifies the length of the UDP header and data. If left unset,
-it is automatically adjusted to match the header presence and any data if
-present.
-.TP
-.B sum <number>
-manually specifies the checksum for the UDP pseudo-header and data. If left
-unset, it defaults to 0 and is automatically calculated.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH ICMP
-.TP
-.B type <icmptype>
-sets the ICMP type according the to the icmptype tag. This may either be
-a number or one of the recognised tags (see the \fBICMP TYPES\fP section for a
-list of names recognised).
-.TP
-.B code <icmpcode>
-sets the ICMP code.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH DATA
-Each of the following extend the packet in a different way. \fBLen\fP just
-increases the length (without adding any content), \fBvalue\fP uses a string
-and \fBfile\fP a file.
-.TP
-.B len <number>
-extend the length of the packet by \fBnumber\fP bytes (without filling those
-bytes with any particular data).
-.TP
-.B value <string>
-indicates that the string provided should be added to the current packet as
-data. A string may be a consecutive list of characters and numbers (with
-no white spaces) or bounded by "'s (may not contain them, even if \\'d).
-The \\ character is recognised with the appropriate C escaped values, including
-octal numbers.
-.TP
-.B file <filename>
-reads data in from the specified file and appends it to the current packet.
-If the new total length would exceed 64k, an error will be reported.
-.SH "ICMP TYPES"
-.TP
-.B echorep
-Echo Reply.
-.TP
-.B "unreach [ unreachable-code ]"
-Generic Unreachable error. This is used to indicate that an error has
-occurred whilst trying to send the packet across the network and that the
-destination cannot be reached. The unreachable code names are:
-\fBnet-unr\fP network unreachable, \fBhost-unr\fP host unreachable,
-\fBproto-unr\fP protocol unreachable, \fBport-unr\fP port unreachable,
-\fBneedfrag\fP, \fBsrcfail\fP source route failed,
-\fBnet-unk\fP network unknown, \fBhost-unk\fP host unknown,
-\fBisolate\fP, \fBnet-prohib\fP administratively prohibited contact with
-network,
-\fBhost-prohib\fP administratively prohibited contact with host,
-\fBnet-tos\fP network unreachable with given TOS,
-\fBhost-tos\fP host unreachable with given TOS,
-\fBfilter-prohib\fP packet prohibited by packet filter,
-\fBhost-preced\fP,
-\fBcutoff-preced\fP.
-.TP
-.B squench
-Source Quence.
-.TP
-.B "redir [ redirect-code ]"
-Redirect (routing). This is used to indicate that the route being chosen
-for forwarding the packet is suboptimal and that the sender of the packet
-should be routing packets via another route. The redirect code names are:
-\fBnet-redir\fP redirect packets for a network,
-\fBhost-redir\fP redirect packets for a host,
-\fBtos-net-redir\fP redirect packets for a network with a given TOS,
-\fBtos-host-redir\fP redirect packets for a host with a given TOS.
-.TP
-.B echo
-Echo.
-.TP
-.B routerad
-Router Advertisement.
-.TP
-.B routersol
-Router solicitation.
-.TP
-.B "timex [ timexceed-code ]"
-Time Exceeded. This is used to indicate that the packet failed to reach the
-destination because it was in transit too long (i.e. ttl reached 0). The
-valid code names are: \fBintrans\fP,
-\fBreass\fP could not reassemble packet from fragments within a given time.
-.TP
-.B "paramprob [ paramprob-code ]"
-Parameter problem. There is only one available parameter problem code name:
-\fBoptabsent\fP.
-.TP
-.B timest
-Time stamp request.
-.TP
-.B "timestrep [ { timestamp-code } ]"
-Time stamp reply. In a timestamp reply, it is possible to supply the
-following values: \fBrtime\fP, \fBotime\fP, \fBttime\fP.
-.TP
-.B inforeq
-Information request.
-.TP
-.B inforep
-Information reply.
-.TP
-.B maskreq
-Address mask request.
-.TP
-.B maskrep
-Address mask reply.
-.SH FILES
-/etc/hosts
-.br
-/etc/protocols
-.br
-/etc/services
-.SH SEE ALSO
-ipsend(1), iptest(1), hosts(5), protocols(5), services(5)
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
deleted file mode 100644
index dcd897c..0000000
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ /dev/null
@@ -1,439 +0,0 @@
-/*
- * ipsend.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.3 2006/03/17 13:45:34 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include "ipsend.h"
-#include "ipf.h"
-#ifndef linux
-# include <netinet/udp_var.h>
-#endif
-
-
-extern char *optarg;
-extern int optind;
-extern void iplang __P((FILE *));
-
-char options[68];
-int opts;
-#ifdef linux
-char default_device[] = "eth0";
-#else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-# ifdef __hpux
-char default_device[] = "lan0";
-# else
-char default_device[] = "le0";
-# endif /* __hpux */
-# endif /* __sgi */
-# endif /* __bsdi__ */
-# endif /* ultrix */
-#endif /* linux */
-
-
-static void usage __P((char *));
-static void do_icmp __P((ip_t *, char *));
-void udpcksum(ip_t *, struct udphdr *, int);
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] dest [flags]\n\
-\toptions:\n\
-\t\t-d\tdebug mode\n\
-\t\t-i device\tSend out on this device\n\
-\t\t-f fragflags\tcan set IP_MF or IP_DF\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-I code,type[,gw[,dst[,src]]]\tSet ICMP protocol\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-\t\t-P protocol\tSet protocol by name\n\
-\t\t-s src\t\tsource address for IP packet\n\
-\t\t-T\t\tSet TCP protocol\n\
-\t\t-t port\t\tdestination port\n\
-\t\t-U\t\tSet UDP protocol\n\
-\t\t-v\tverbose mode\n\
-\t\t-w <window>\tSet the TCP window size\n\
-", prog);
- fprintf(stderr, "Usage: %s [-dv] -L <filename>\n\
-\toptions:\n\
-\t\t-d\tdebug mode\n\
-\t\t-L filename\tUse IP language for sending packets\n\
-\t\t-v\tverbose mode\n\
-", prog);
- exit(1);
-}
-
-
-static void do_icmp(ip, args)
-ip_t *ip;
-char *args;
-{
- struct icmp *ic;
- char *s;
-
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += sizeof(*ic);
- ic = (struct icmp *)(ip + 1);
- bzero((char *)ic, sizeof(*ic));
- if (!(s = strchr(args, ',')))
- {
- fprintf(stderr, "ICMP args missing: ,\n");
- return;
- }
- *s++ = '\0';
- ic->icmp_type = atoi(args);
- ic->icmp_code = atoi(s);
- if (ic->icmp_type == ICMP_REDIRECT && strchr(s, ','))
- {
- char *t;
-
- t = strtok(s, ",");
- t = strtok(NULL, ",");
- if (resolve(t, (char *)&ic->icmp_gwaddr) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- if ((t = strtok(NULL, ",")))
- {
- if (resolve(t, (char *)&ic->icmp_ip.ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- if ((t = strtok(NULL, ",")))
- {
- if (resolve(t,
- (char *)&ic->icmp_ip.ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- }
- }
- }
-}
-
-
-int send_packets(dev, mtu, ip, gwip)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- int wfd;
-
- wfd = initdevice(dev, 5);
- if (wfd == -1)
- return -1;
- return send_packet(wfd, mtu, ip, gwip);
-}
-
-void
-udpcksum(ip_t *ip, struct udphdr *udp, int len)
-{
- union pseudoh {
- struct hdr {
- u_short len;
- u_char ttl;
- u_char proto;
- u_32_t src;
- u_32_t dst;
- } h;
- u_short w[6];
- } ph;
- u_32_t temp32;
- u_short *opts;
-
- ph.h.len = htons(len);
- ph.h.ttl = 0;
- ph.h.proto = IPPROTO_UDP;
- ph.h.src = ip->ip_src.s_addr;
- ph.h.dst = ip->ip_dst.s_addr;
- temp32 = 0;
- opts = &ph.w[0];
- temp32 += opts[0] + opts[1] + opts[2] + opts[3] + opts[4] + opts[5];
- temp32 = (temp32 >> 16) + (temp32 & 65535);
- temp32 += (temp32 >> 16);
- udp->uh_sum = temp32 & 65535;
- udp->uh_sum = chksum((u_short *)udp, len);
- if (udp->uh_sum == 0)
- udp->uh_sum = 0xffff;
-}
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- FILE *langfile = NULL;
- struct in_addr gwip;
- tcphdr_t *tcp;
- udphdr_t *udp;
- ip_t *ip;
- char *name = argv[0], host[MAXHOSTNAMELEN + 1];
- char *gateway = NULL, *dev = NULL;
- char *src = NULL, *dst, *s;
- int mtu = 1500, olen = 0, c, nonl = 0;
-
- /*
- * 65535 is maximum packet size...you never know...
- */
- ip = (ip_t *)calloc(1, 65536);
- tcp = (tcphdr_t *)(ip + 1);
- udp = (udphdr_t *)tcp;
- ip->ip_len = sizeof(*ip);
- IP_HL_A(ip, sizeof(*ip) >> 2);
-
- while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1) {
- switch (c)
- {
- case 'I' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- do_icmp(ip, optarg);
- break;
- case 'L' :
- if (nonl) {
- fprintf(stderr,
- "Incorrect usage of -L option.\n");
- usage(name);
- }
- if (!strcmp(optarg, "-"))
- langfile = stdin;
- else if (!(langfile = fopen(optarg, "r"))) {
- fprintf(stderr, "can't open file %s\n",
- optarg);
- exit(1);
- }
- iplang(langfile);
- return 0;
- case 'P' :
- {
- struct protoent *p;
-
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- if ((p = getprotobyname(optarg)))
- ip->ip_p = p->p_proto;
- else
- fprintf(stderr, "Unknown protocol: %s\n",
- optarg);
- break;
- }
- case 'T' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(tcphdr_t);
- break;
- case 'U' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(udphdr_t);
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- nonl++;
- ip->ip_off = strtol(optarg, NULL, 0);
- break;
- case 'g' :
- nonl++;
- gateway = optarg;
- break;
- case 'i' :
- nonl++;
- dev = optarg;
- break;
- case 'm' :
- nonl++;
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- break;
- case 'o' :
- nonl++;
- olen = buildopts(optarg, options, (IP_HL(ip) - 5) << 2);
- break;
- case 's' :
- nonl++;
- src = optarg;
- break;
- case 't' :
- nonl++;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- tcp->th_dport = htons(atoi(optarg));
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- nonl++;
- if (ip->ip_p == IPPROTO_TCP)
- tcp->th_win = atoi(optarg);
- else
- fprintf(stderr, "set protocol to TCP first\n");
- break;
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
- }
-
- if (argc - optind < 1)
- usage(name);
- dst = argv[optind++];
-
- if (!src)
- {
- gethostname(host, sizeof(host));
- src = host;
- }
-
- if (resolve(src, (char *)&ip->ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", src);
- exit(2);
- }
-
- if (resolve(dst, (char *)&ip->ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", dst);
- exit(2);
- }
-
- if (!gateway)
- gwip = ip->ip_dst;
- else if (resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
- if (olen)
- {
- int hlen;
- char *p;
-
- printf("Options: %d\n", olen);
- hlen = sizeof(*ip) + olen;
- IP_HL_A(ip, hlen >> 2);
- ip->ip_len += olen;
- p = (char *)malloc(65536);
- if (p == NULL)
- {
- fprintf(stderr, "malloc failed\n");
- exit(2);
- }
-
- bcopy(ip, p, sizeof(*ip));
- bcopy(options, p + sizeof(*ip), olen);
- bcopy(ip + 1, p + hlen, ip->ip_len - hlen);
- ip = (ip_t *)p;
-
- if (ip->ip_p == IPPROTO_TCP) {
- tcp = (tcphdr_t *)(p + hlen);
- } else if (ip->ip_p == IPPROTO_UDP) {
- udp = (udphdr_t *)(p + hlen);
- }
- }
-
- if (ip->ip_p == IPPROTO_TCP)
- for (s = argv[optind]; s && (c = *s); s++)
- switch(c)
- {
- case 'S' : case 's' :
- tcp->th_flags |= TH_SYN;
- break;
- case 'A' : case 'a' :
- tcp->th_flags |= TH_ACK;
- break;
- case 'F' : case 'f' :
- tcp->th_flags |= TH_FIN;
- break;
- case 'R' : case 'r' :
- tcp->th_flags |= TH_RST;
- break;
- case 'P' : case 'p' :
- tcp->th_flags |= TH_PUSH;
- break;
- case 'U' : case 'u' :
- tcp->th_flags |= TH_URG;
- break;
- }
-
- if (!dev)
- dev = default_device;
- printf("Device: %s\n", dev);
- printf("Source: %s\n", inet_ntoa(ip->ip_src));
- printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
- printf("Gateway: %s\n", inet_ntoa(gwip));
- if (ip->ip_p == IPPROTO_TCP && tcp->th_flags)
- printf("Flags: %#x\n", tcp->th_flags);
- printf("mtu: %d\n", mtu);
-
- if (ip->ip_p == IPPROTO_UDP) {
- udp->uh_sum = 0;
- udpcksum(ip, udp, ip->ip_len - (IP_HL(ip) << 2));
- }
-#ifdef DOSOCKET
- if (ip->ip_p == IPPROTO_TCP && tcp->th_dport)
- return do_socket(dev, mtu, ip, gwip);
-#endif
- return send_packets(dev, mtu, ip, gwip);
-}
diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h
deleted file mode 100644
index f5e51a7..0000000
--- a/contrib/ipfilter/ipsend/ipsend.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * ipsend.h (C) 1997-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * The author provides this program as-is, with no gaurantee for its
- * suitability for any specific purpose. The author takes no responsibility
- * for the misuse/abuse of this program and provides it for the sole purpose
- * of testing packet filter policies. This file maybe distributed freely
- * providing it is not modified and that this notice remains in tact.
- *
- */
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#include <net/if.h>
-
-#include "ipf.h"
-#ifdef linux
-#include <linux/sockios.h>
-#endif
-#include "tcpip.h"
-#include "ipt.h"
-
-extern int resolve __P((char *, char *));
-extern int arp __P((char *, char *));
-extern u_short chksum __P((u_short *, int));
-extern int send_ether __P((int, char *, int, struct in_addr));
-extern int send_ip __P((int, int, ip_t *, struct in_addr, int));
-extern int send_tcp __P((int, int, ip_t *, struct in_addr));
-extern int send_udp __P((int, int, ip_t *, struct in_addr));
-extern int send_icmp __P((int, int, ip_t *, struct in_addr));
-extern int send_packet __P((int, int, ip_t *, struct in_addr));
-extern int send_packets __P((char *, int, ip_t *, struct in_addr));
-extern u_short ipseclevel __P((char *));
-extern u_32_t buildopts __P((char *, char *, int));
-extern int addipopt __P((char *, struct ipopt_names *, int, char *));
-extern int initdevice __P((char *, int));
-extern int sendip __P((int, char *, int));
-#ifdef linux
-extern struct sock *find_tcp __P((int, struct tcpiphdr *));
-#else
-extern struct tcpcb *find_tcp __P((int, struct tcpiphdr *));
-#endif
-extern int ip_resend __P((char *, int, struct ipread *, struct in_addr, char *));
-
-extern void ip_test1 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test2 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test3 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test4 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test5 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test6 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test7 __P((char *, int, ip_t *, struct in_addr, int));
-extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr));
-extern int kmemcpy __P((char *, void *, int));
-
-#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
-
-#ifndef OPT_RAW
-#define OPT_RAW 0x80000
-#endif
diff --git a/contrib/ipfilter/ipsend/ipsend.sed b/contrib/ipfilter/ipsend/ipsend.sed
deleted file mode 100644
index 774c0e2..0000000
--- a/contrib/ipfilter/ipsend/ipsend.sed
+++ /dev/null
@@ -1,3 +0,0 @@
-0Æ . Ä,..+ CVS0Í
-.cvsignore0Î44arp.c0Ï Crashable0ÐMakefile0Ñarp.c0Ò
-dlcommon.c0Ódltest.h0Ôin_var.h0Õip.c0Ö ip_compat.h0×ip_var.h0Ø
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
deleted file mode 100644
index 9326bc6..0000000
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright (C) 1995-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.4.4.1 2004/03/23 12:58:05 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <arpa/inet.h>
-#include "ipsend.h"
-
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-
-struct ipopt_names ionames[] = {
- { IPOPT_EOL, 0x01, 1, "eol" },
- { IPOPT_NOP, 0x02, 1, "nop" },
- { IPOPT_RR, 0x04, 3, "rr" }, /* 1 route */
- { IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
- { IPOPT_SECURITY, 0x08, 11, "sec-level" },
- { IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
- { IPOPT_SATID, 0x20, 4, "satid" },
- { IPOPT_SSRR, 0x40, 7, "ssrr" }, /* 1 route */
- { 0, 0, 0, NULL } /* must be last */
-};
-
-struct ipopt_names secnames[] = {
- { IPOPT_SECUR_UNCLASS, 0x0100, 0, "unclass" },
- { IPOPT_SECUR_CONFID, 0x0200, 0, "confid" },
- { IPOPT_SECUR_EFTO, 0x0400, 0, "efto" },
- { IPOPT_SECUR_MMMM, 0x0800, 0, "mmmm" },
- { IPOPT_SECUR_RESTR, 0x1000, 0, "restr" },
- { IPOPT_SECUR_SECRET, 0x2000, 0, "secret" },
- { IPOPT_SECUR_TOPSECRET, 0x4000,0, "topsecret" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-u_short ipseclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secnames; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- struct in_addr ipadr;
- int olen = len, srr = 0;
- u_short val;
- u_char lvl;
- char *s = op, *t;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- /*
- * Allow option to specify RR buffer length in bytes.
- */
- if (io->on_value == IPOPT_RR) {
- val = (class && *class) ? atoi(class) : 4;
- *op++ = val + io->on_siz;
- len += val;
- } else
- *op++ = io->on_siz;
- if (io->on_value == IPOPT_TS)
- *op++ = IPOPT_MINOFF + 1;
- else
- *op++ = IPOPT_MINOFF;
-
- while (class && *class) {
- t = NULL;
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = ipseclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- if ((t = strchr(class, ',')))
- *t = '\0';
- ipadr.s_addr = inet_addr(class);
- srr++;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- op += sizeof(ipadr);
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
-
- if (t)
- *t++ = ',';
- class = t;
- }
- if (srr)
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
- if (io->on_value == IPOPT_RR)
- op += val;
- else
- op += io->on_siz - 3;
- }
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc, lastop = -1;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- lastop = io->on_value;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
-
- if (len & 3) {
- while (len & 3) {
- *op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
- len++;
- }
- } else {
- if (lastop != IPOPT_EOL) {
- if (lastop == IPOPT_NOP)
- *(op - 1) = IPOPT_EOL;
- else {
- *op++ = IPOPT_NOP;
- *op++ = IPOPT_NOP;
- *op++ = IPOPT_NOP;
- *op = IPOPT_EOL;
- len += 4;
- }
- }
- }
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/iptest.1 b/contrib/ipfilter/ipsend/iptest.1
deleted file mode 100644
index ca74094..0000000
--- a/contrib/ipfilter/ipsend/iptest.1
+++ /dev/null
@@ -1,101 +0,0 @@
-.TH IPTEST 1
-.SH NAME
-iptest \- automatically generate a packets to test IP functionality
-.SH SYNOPSIS
-.B iptest
-[
-.B \-1234567
-] [
-.B \-d
-<device>
-] [
-.B \-g
-<gateway>
-] [
-.B \-m
-<\fIMTU\fP>
-] [
-.B \-p
-<\fIpointtest\fP>
-] [
-.B \-s
-<\fIsource\fP>
-] <destination>
-.SH DESCRIPTION
-.PP
-\fBiptest\fP ...
-.SH OPTIONS
-.TP
-.B \-1
-Run IP test group #1. This group of tests generates packets with the IP
-header fields set to invalid values given other packet characteristics.
-The point tests are: 1 (ip_hl < ip_len), 2 (ip_hl > ip_len),
-3 (ip_v < 4), 4 (ip_v > 4), 5 (ip_len < packetsize, long packets),
-6 (ip_len > packet size, short packets), 7 (Zero length fragments),
-8 (packet > 64k after reassembly), 9 (IP offset with MSB set), 10 (ttl
-variations).
-.TP
-.B \-2
-Run IP test group #2. This group of tests generates packets with the IP
-options constructed with invalid values given other packet characteristics.
-The point tests are: 1 (option length > packet length), 2 (option length = 0).
-.TP
-.B \-3
-Run IP test group #3. This group of tests generates packets with the ICMP
-header fields set to non-standard values. The point tests are: 1 (ICMP types
-0-31 & 255), 2 (type 3 & code 0 - 31), 3 (type 4 & code 0, 127, 128, 255),
-4 (type 5 & code 0, 127, 128, 255), 5 (types 8-10,13-18 with codes 0, 127,
-128 and 255), 6 (type 12 & code 0, 127, 128, 129, 255) and 7 (type 3 & codes
-9-10, 13-14 and 17-18 - shortened packets).
-.TP
-.B \-4
-Run IP test group #4. This group of tests generates packets with the UDP
-header fields set to non-standard values. The point tests are: 1 (UDP length
-> packet size), 2 (UDP length < packetsize), 3 (sport = 0, 1, 32767, 32768,
-65535), 4 (dport = 0, 1, 32767, 32768, 65535) and 5 (sizeof(struct ip) <= MTU
-<= sizeof(struct udphdr) + sizeof(struct ip)).
-.TP
-.B \-5
-Run IP test group #5. This group of tests generates packets with the TCP
-header fields set to non-standard values. The point tests are: 1 (TCP flags
-variations, all combinations), 2 (seq = 0, 0x7fffffff, 0x8000000, 0xa0000000,
-0xffffffff), 3 (ack = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff),
-4 (SYN packet with window of 0, 32768, 65535), 5 (set urgent pointer to 1,
-0x7fff, 0x8000, 0xffff), 6 (data offset), 7 (sport = 0, 1, 32767, 32768,
-65535) and 8 (dport = 0, 1, 32767, 32768, 65535).
-.TP
-.B \-6
-Run IP test group #6. This test generates a large number of fragments in
-an attempt to exhaust the network buffers used for holding packets for later
-reassembly. WARNING: this may crash or cause serious performance degradation
-to the target host.
-.TP
-.B \-7
-Run IP test group #7. This test generates 1024 random IP packets with only
-the IP version, checksum, length and IP offset field correct.
-.TP
-.BR \-d \0<interface>
-Set the interface name to be the name supplied.
-.TP
-.BR \-g \0<gateway>
-Specify the hostname of the gateway through which to route packets. This
-is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.TP
-.BR \-m \0<MTU>
-Specify the MTU to be used when sending out packets. This option allows you
-to set a fake MTU, allowing the simulation of network interfaces with small
-MTU's without setting them so.
-.TP
-.B \-p <test>
-Run a...
-.DT
-.SH SEE ALSO
-ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p)
-.SH DIAGNOSTICS
-Only one of the numeric test options may be given when \fIiptest\fP is run.
-.PP
-Needs to be run as root.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
deleted file mode 100644
index 000d1cc..0000000
--- a/contrib/ipfilter/ipsend/iptest.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * ipsend.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 2.6 2004/01/08 13:34:31 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#ifdef linux
-#include <linux/sockios.h>
-#endif
-#include <stdio.h>
-#include <netdb.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include "ipsend.h"
-
-
-extern char *optarg;
-extern int optind;
-
-char options[68];
-#ifdef linux
-char default_device[] = "eth0";
-#else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-#endif
-
-static void usage __P((char *));
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] dest\n\
-\toptions:\n\
-\t\t-d device\tSend out on this device\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-\t\t-p pointtest\t\n\
-\t\t-s src\t\tsource address for IP packet\n\
-\t\t-1 \t\tPerform test 1 (IP header)\n\
-\t\t-2 \t\tPerform test 2 (IP options)\n\
-\t\t-3 \t\tPerform test 3 (ICMP)\n\
-\t\t-4 \t\tPerform test 4 (UDP)\n\
-\t\t-5 \t\tPerform test 5 (TCP)\n\
-\t\t-6 \t\tPerform test 6 (overlapping fragments)\n\
-\t\t-7 \t\tPerform test 7 (random packets)\n\
-", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- struct tcpiphdr *ti;
- struct in_addr gwip;
- ip_t *ip;
- char *name = argv[0], host[MAXHOSTNAMELEN + 1];
- char *gateway = NULL, *dev = NULL;
- char *src = NULL, *dst;
- int mtu = 1500, tests = 0, pointtest = 0, c;
-
- /*
- * 65535 is maximum packet size...you never know...
- */
- ip = (ip_t *)calloc(1, 65536);
- ti = (struct tcpiphdr *)ip;
- ip->ip_len = sizeof(*ip);
- IP_HL_A(ip, sizeof(*ip) >> 2);
-
- while ((c = getopt(argc, argv, "1234567d:g:m:p:s:")) != -1)
- switch (c)
- {
- case '1' :
- case '2' :
- case '3' :
- case '4' :
- case '5' :
- case '6' :
- case '7' :
- tests = c - '0';
- break;
- case 'd' :
- dev = optarg;
- break;
- case 'g' :
- gateway = optarg;
- break;
- case 'm' :
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- break;
- case 'p' :
- pointtest = atoi(optarg);
- break;
- case 's' :
- src = optarg;
- break;
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- if ((argc <= optind) || !argv[optind])
- usage(name);
- dst = argv[optind++];
-
- if (!src)
- {
- gethostname(host, sizeof(host));
- host[sizeof(host) - 1] = '\0';
- src = host;
- }
-
- if (resolve(dst, (char *)&ip->ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", dst);
- exit(2);
- }
-
- if (resolve(src, (char *)&ip->ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", src);
- exit(2);
- }
-
- if (!gateway)
- gwip = ip->ip_dst;
- else if (resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
-
- if (!dev)
- dev = default_device;
- printf("Device: %s\n", dev);
- printf("Source: %s\n", inet_ntoa(ip->ip_src));
- printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
- printf("Gateway: %s\n", inet_ntoa(gwip));
- printf("mtu: %d\n", mtu);
-
- switch (tests)
- {
- case 1 :
- ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 2 :
- ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 3 :
- ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 4 :
- ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 5 :
- ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 6 :
- ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 7 :
- ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- default :
- ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
deleted file mode 100644
index 56cc34b..0000000
--- a/contrib/ipfilter/ipsend/iptests.c
+++ /dev/null
@@ -1,1423 +0,0 @@
-/*
- * Copyright (C) 1993-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.8.2.9 2007/09/13 07:19:34 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#if defined(__NetBSD__) && defined(__vax__)
-/*
- * XXX need to declare boolean_t for _KERNEL <sys/files.h>
- * which ends up including <sys/device.h> for vax. See PR#32907
- * for further details.
- */
-typedef int boolean_t;
-#endif
-#include <sys/time.h>
-#if !defined(__osf__)
-# ifdef __NetBSD__
-# include <machine/lock.h>
-# endif
-# define _KERNEL
-# define KERNEL
-# if !defined(solaris) && !defined(linux) && !defined(__sgi) && !defined(hpux)
-# include <sys/file.h>
-# else
-# ifdef solaris
-# include <sys/dditypes.h>
-# endif
-# endif
-# undef _KERNEL
-# undef KERNEL
-#endif
-#if !defined(solaris) && !defined(linux) && !defined(__sgi)
-# include <nlist.h>
-# include <sys/user.h>
-# include <sys/proc.h>
-#endif
-#if !defined(ultrix) && !defined(hpux) && !defined(linux) && \
- !defined(__sgi) && !defined(__osf__) && !defined(_AIX51)
-# include <kvm.h>
-#endif
-#ifndef ultrix
-# include <sys/socket.h>
-#endif
-#if defined(solaris)
-# include <sys/stream.h>
-#endif
-#include <sys/socketvar.h>
-#ifdef sun
-#include <sys/systm.h>
-#include <sys/session.h>
-#endif
-#if BSD >= 199103
-# include <sys/sysctl.h>
-# include <sys/filedesc.h>
-# include <paths.h>
-#endif
-#include <netinet/in_systm.h>
-#include <sys/socket.h>
-#ifdef __hpux
-# define _NET_ROUTE_INCLUDED
-#endif
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#if defined(linux) && (LINUX >= 0200)
-# include <asm/atomic.h>
-#endif
-#if !defined(linux)
-# if defined(__FreeBSD__)
-# include "radix_ipf.h"
-# endif
-# include <net/route.h>
-#else
-# define __KERNEL__ /* because there's a macro not wrapped by this */
-# include <net/route.h> /* in this file :-/ */
-#endif
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/ip.h>
-#if !defined(linux)
-# include <netinet/ip_var.h>
-# if !defined(__hpux)
-# include <netinet/in_pcb.h>
-# endif
-#endif
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-# include <sys/sysmacros.h>
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#ifdef __hpux
-# undef _NET_ROUTE_INCLUDED
-#endif
-#include "ipsend.h"
-#if !defined(linux) && !defined(__hpux)
-# include <netinet/tcp_timer.h>
-# include <netinet/tcp_var.h>
-#endif
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
-# define USE_NANOSLEEP
-#endif
-
-
-#ifdef USE_NANOSLEEP
-# define PAUSE() ts.tv_sec = 0; ts.tv_nsec = 10000000; \
- (void) nanosleep(&ts, NULL)
-#else
-# define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
- (void) select(0, NULL, NULL, NULL, &tv)
-#endif
-
-
-void ip_test1(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- udphdr_t *u;
- int nfd, i = 0, len, id = getpid();
-
- IP_HL_A(ip, sizeof(*ip) >> 2);
- IP_V_A(ip, IPVERSION);
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)(ip + 1);
- u->uh_sport = htons(1);
- u->uh_dport = htons(9);
- u->uh_sum = 0;
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
- len = ip->ip_len;
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- if (!ptest || (ptest == 1)) {
- /*
- * Part1: hl < len
- */
- ip->ip_id = 0;
- printf("1.1. sending packets with ip_hl < ip_len\n");
- for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
- IP_HL_A(ip, i >> 2);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Part2: hl > len
- */
- ip->ip_id = 0;
- printf("1.2. sending packets with ip_hl > ip_len\n");
- for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
- IP_HL_A(ip, i >> 2);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Part3: v < 4
- */
- ip->ip_id = 0;
- printf("1.3. ip_v < 4\n");
- IP_HL_A(ip, sizeof(*ip) >> 2);
- for (i = 0; i < 4; i++) {
- IP_V_A(ip, i);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Part4: v > 4
- */
- ip->ip_id = 0;
- printf("1.4. ip_v > 4\n");
- for (i = 5; i < 16; i++) {
- IP_V_A(ip, i);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Part5: len < packet
- */
- ip->ip_id = 0;
- IP_V_A(ip, IPVERSION);
- i = ip->ip_len + 1;
- printf("1.5.0 ip_len < packet size (size++, long packets)\n");
- for (; i < (ip->ip_len * 2); i++) {
- ip->ip_id = htons(id++);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
- (void) send_ether(nfd, (char *)ip, i, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- printf("1.5.1 ip_len < packet size (ip_len-, short packets)\n");
- for (i = len; i > 0; i--) {
- ip->ip_id = htons(id++);
- ip->ip_len = i;
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
- (void) send_ether(nfd, (char *)ip, len, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Part6: len > packet
- */
- ip->ip_id = 0;
- printf("1.6.0 ip_len > packet size (increase ip_len)\n");
- for (i = len + 1; i < (len * 2); i++) {
- ip->ip_id = htons(id++);
- ip->ip_len = i;
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
- (void) send_ether(nfd, (char *)ip, len, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- ip->ip_len = len;
- printf("1.6.1 ip_len > packet size (size--, short packets)\n");
- for (i = len; i > 0; i--) {
- ip->ip_id = htons(id++);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2);
- (void) send_ether(nfd, (char *)ip, i, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 7)) {
- /*
- * Part7: 0 length fragment
- */
- printf("1.7.0 Zero length fragments (ip_off = 0x2000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.1 Zero length fragments (ip_off = 0x3000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.2 Zero length fragments (ip_off = 0xa000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(0xa000);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.3 Zero length fragments (ip_off = 0x0100)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(0x0100);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 8)) {
- struct timeval tv;
-
- gettimeofday(&tv, NULL);
- srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
- /*
- * Part8.1: 63k packet + 1k fragment at offset 0x1ffe
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here.
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.1 63k packet + 1k fragment at offset 0x1ffe\n");
- ip->ip_len = 768 + 20 + 8;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- putchar('\n');
- fflush(stdout);
-
- /*
- * Part8.2: 63k packet + 1k fragment at offset 0x1ffe
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here. (Lossage here)
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.2 63k packet + 1k fragment at offset 0x1ffe\n");
- ip->ip_len = 768 + 20 + 8;
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip 0\n");
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip %d\n", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip\n");
- putchar('\n');
- fflush(stdout);
-
- /*
- * Part8.3: 33k packet - test for not dealing with -ve length
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here.
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.3 33k packet\n");
- ip->ip_len = 768 + 20 + 8;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (32 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- putchar('\n');
- fflush(stdout);
- }
-
- ip->ip_len = len;
- ip->ip_off = 0;
- if (!ptest || (ptest == 9)) {
- /*
- * Part9: off & 0x8000 == 0x8000
- */
- ip->ip_id = 0;
- ip->ip_off = htons(0x8000);
- printf("1.9. ip_off & 0x8000 == 0x8000\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- ip->ip_off = 0;
-
- if (!ptest || (ptest == 10)) {
- /*
- * Part10: ttl = 255
- */
- ip->ip_id = 0;
- ip->ip_ttl = 255;
- printf("1.10.0 ip_ttl = 255\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- ip->ip_ttl = 128;
- printf("1.10.1 ip_ttl = 128\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- ip->ip_ttl = 0;
- printf("1.10.2 ip_ttl = 0\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- (void) close(nfd);
-}
-
-
-void ip_test2(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- int nfd;
- u_char *s;
-
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- IP_HL_A(ip, 6);
- ip->ip_len = IP_HL(ip) << 2;
- s = (u_char *)(ip + 1);
- s[IPOPT_OPTVAL] = IPOPT_NOP;
- s++;
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1: option length > packet length,
- * header length == packet length
- */
- s[IPOPT_OPTVAL] = IPOPT_TS;
- s[IPOPT_OLEN] = 4;
- s[IPOPT_OFFSET] = IPOPT_MINOFF;
- ip->ip_p = IPPROTO_IP;
- printf("2.1 option length > packet length\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- IP_HL_A(ip, 7);
- ip->ip_len = IP_HL(ip) << 2;
- if (!ptest || (ptest == 1)) {
- /*
- * Test 2: options have length = 0
- */
- printf("2.2.1 option length = 0, RR\n");
- s[IPOPT_OPTVAL] = IPOPT_RR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.2 option length = 0, TS\n");
- s[IPOPT_OPTVAL] = IPOPT_TS;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.3 option length = 0, SECURITY\n");
- s[IPOPT_OPTVAL] = IPOPT_SECURITY;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.4 option length = 0, LSRR\n");
- s[IPOPT_OPTVAL] = IPOPT_LSRR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.5 option length = 0, SATID\n");
- s[IPOPT_OPTVAL] = IPOPT_SATID;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.6 option length = 0, SSRR\n");
- s[IPOPT_OPTVAL] = IPOPT_SSRR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- (void) close(nfd);
-}
-
-
-/*
- * test 3 (ICMP)
- */
-void ip_test3(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
- static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- struct icmp *icp;
- int nfd, i;
-
- IP_HL_A(ip, sizeof(*ip) >> 2);
- IP_V_A(ip, IPVERSION);
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_sum = 0;
- ip->ip_len = sizeof(*ip) + sizeof(*icp);
- icp = (struct icmp *)((char *)ip + (IP_HL(ip) << 2));
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- if (!ptest || (ptest == 1)) {
- /*
- * Type 0 - 31, 255, code = 0
- */
- bzero((char *)icp, sizeof(*icp));
- for (i = 0; i < 32; i++) {
- icp->icmp_type = i;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.1.%d ICMP type %d code 0 (all 0's)\r", i, i);
- }
- icp->icmp_type = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.1.%d ICMP type %d code 0 (all 0's)\r", i, 255);
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Type 3, code = 0 - 31
- */
- icp->icmp_type = 3;
- for (i = 0; i < 32; i++) {
- icp->icmp_code = i;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.2.%d ICMP type 3 code %d (all 0's)\r", i, i);
- }
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Type 4, code = 0,127,128,255
- */
- icp->icmp_type = 4;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.1 ICMP type 4 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.2 ICMP type 4 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.3 ICMP type 4 code 128 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.4 ICMP type 4 code 255 (all 0's)\r");
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Type 5, code = 0,127,128,255
- */
- icp->icmp_type = 5;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.1 ICMP type 5 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.2 ICMP type 5 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.3 ICMP type 5 code 128 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.4 ICMP type 5 code 255 (all 0's)\r");
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Type 8-10;13-18, code - 0,127,128,255
- */
- for (i = 0; ict1[i]; i++) {
- icp->icmp_type = ict1[i];
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 0 (all 0's)\r",
- i * 4);
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 127 (all 0's)\r",
- i * 4 + 1);
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 128 (all 0's)\r",
- i * 4 + 2);
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 255 (all 0's)\r",
- i * 4 + 3);
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Type 12, code - 0,127,128,129,255
- */
- icp->icmp_type = 12;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.1 ICMP type 12 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.2 ICMP type 12 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.3 ICMP type 12 code 128 (all 0's)\r");
- icp->icmp_code = 129;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.4 ICMP type 12 code 129 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.5 ICMP type 12 code 255 (all 0's)\r");
- putchar('\n');
- }
-
- if (!ptest || (ptest == 7)) {
- /*
- * Type 3;9-10;13-14;17-18 - shorter packets
- */
- ip->ip_len = sizeof(*ip) + sizeof(*icp) / 2;
- for (i = 0; ict2[i]; i++) {
- icp->icmp_type = ict1[i];
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 0 (all 0's)\r",
- i * 4, icp->icmp_type);
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 127 (all 0's)\r",
- i * 4 + 1, icp->icmp_type);
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 128 (all 0's)\r",
- i * 4 + 2, icp->icmp_type);
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 127 (all 0's)\r",
- i * 4 + 3, icp->icmp_type);
- }
- putchar('\n');
- }
-}
-
-
-/* Perform test 4 (UDP) */
-
-void ip_test4(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- udphdr_t *u;
- int nfd, i;
-
-
- IP_HL_A(ip, sizeof(*ip) >> 2);
- IP_V_A(ip, IPVERSION);
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)((char *)ip + (IP_HL(ip) << 2));
- u->uh_sport = htons(1);
- u->uh_dport = htons(1);
- u->uh_ulen = htons(sizeof(*u) + 4);
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1. ulen > packet
- */
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
- printf("4.1 UDP uh_ulen > packet size - short packets\n");
- for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
- u->uh_ulen = htons(i);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Test 2. ulen < packet
- */
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
- printf("4.2 UDP uh_ulen < packet size - short packets\n");
- for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
- ip->ip_len = i;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Test 3: sport = 0, sport = 1, sport = 32767
- * sport = 32768, sport = 65535
- */
- u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
- printf("4.3.1 UDP sport = 0\n");
- u->uh_sport = 0;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("0\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.2 UDP sport = 1\n");
- u->uh_sport = htons(1);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("1\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.3 UDP sport = 32767\n");
- u->uh_sport = htons(32767);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32767\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.4 UDP sport = 32768\n");
- u->uh_sport = htons(32768);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32768\n");
- putchar('\n');
- fflush(stdout);
- PAUSE();
- printf("4.3.5 UDP sport = 65535\n");
- u->uh_sport = htons(65535);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("65535\n");
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Test 4: dport = 0, dport = 1, dport = 32767
- * dport = 32768, dport = 65535
- */
- u->uh_ulen = ntohs(sizeof(*u) + 4);
- u->uh_sport = htons(1);
- ip->ip_len = (IP_HL(ip) << 2) + ntohs(u->uh_ulen);
- printf("4.4.1 UDP dport = 0\n");
- u->uh_dport = 0;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("0\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.2 UDP dport = 1\n");
- u->uh_dport = htons(1);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("1\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.3 UDP dport = 32767\n");
- u->uh_dport = htons(32767);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32767\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.4 UDP dport = 32768\n");
- u->uh_dport = htons(32768);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32768\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.5 UDP dport = 65535\n");
- u->uh_dport = htons(65535);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("65535\n");
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Test 5: sizeof(ip_t) <= MTU <= sizeof(udphdr_t) +
- * sizeof(ip_t)
- */
- printf("4.5 UDP 20 <= MTU <= 32\n");
- for (i = sizeof(*ip); i <= ntohs(u->uh_ulen); i++) {
- (void) send_udp(nfd, i, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-}
-
-
-/* Perform test 5 (TCP) */
-
-void ip_test5(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- tcphdr_t *t;
- int nfd, i;
-
- t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
-#if !defined(linux) && !defined(__osf__)
- t->th_x2 = 0;
-#endif
- TCP_OFF_A(t, 0);
- t->th_sport = htons(1);
- t->th_dport = htons(1);
- t->th_win = htons(4096);
- t->th_urp = 0;
- t->th_sum = 0;
- t->th_seq = htonl(1);
- t->th_ack = 0;
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1: flags variations, 0 - 3f
- */
- TCP_OFF_A(t, sizeof(*t) >> 2);
- printf("5.1 Test TCP flag combinations\n");
- for (i = 0; i <= (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN);
- i++) {
- t->th_flags = i;
- (void) send_tcp(nfd, mtu, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- t->th_flags = TH_SYN;
- /*
- * Test 2: seq = 0, seq = 1, seq = 0x7fffffff, seq=0x80000000,
- * seq = 0xa000000, seq = 0xffffffff
- */
- printf("5.2.1 TCP seq = 0\n");
- t->th_seq = htonl(0);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.2 TCP seq = 1\n");
- t->th_seq = htonl(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.3 TCP seq = 0x7fffffff\n");
- t->th_seq = htonl(0x7fffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.4 TCP seq = 0x80000000\n");
- t->th_seq = htonl(0x80000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.5 TCP seq = 0xc0000000\n");
- t->th_seq = htonl(0xc0000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.6 TCP seq = 0xffffffff\n");
- t->th_seq = htonl(0xffffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 3)) {
- t->th_flags = TH_ACK;
- /*
- * Test 3: ack = 0, ack = 1, ack = 0x7fffffff, ack = 0x8000000
- * ack = 0xa000000, ack = 0xffffffff
- */
- printf("5.3.1 TCP ack = 0\n");
- t->th_ack = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.2 TCP ack = 1\n");
- t->th_ack = htonl(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.3 TCP ack = 0x7fffffff\n");
- t->th_ack = htonl(0x7fffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.4 TCP ack = 0x80000000\n");
- t->th_ack = htonl(0x80000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.5 TCP ack = 0xc0000000\n");
- t->th_ack = htonl(0xc0000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.6 TCP ack = 0xffffffff\n");
- t->th_ack = htonl(0xffffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 4)) {
- t->th_flags = TH_SYN;
- /*
- * Test 4: win = 0, win = 32768, win = 65535
- */
- printf("5.4.1 TCP win = 0\n");
- t->th_seq = htonl(0);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.4.2 TCP win = 32768\n");
- t->th_seq = htonl(0x7fff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.4.3 TCP win = 65535\n");
- t->th_win = htons(0xffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
-#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
- !defined(__sgi) && !defined(__hpux) && !defined(__osf__)
- {
- struct tcpcb *tcbp, tcb;
- struct tcpiphdr ti;
- struct sockaddr_in sin;
- int fd;
- socklen_t slen;
-
- bzero((char *)&sin, sizeof(sin));
-
- for (i = 1; i < 63; i++) {
- fd = socket(AF_INET, SOCK_STREAM, 0);
- bzero((char *)&sin, sizeof(sin));
- sin.sin_addr.s_addr = ip->ip_dst.s_addr;
- sin.sin_port = htons(i);
- sin.sin_family = AF_INET;
- if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin)))
- break;
- close(fd);
- }
-
- if (i == 63) {
- printf("Couldn't open a TCP socket between ports 1 and 63\n");
- printf("to host %s for test 5 and 6 - skipping.\n",
- inet_ntoa(ip->ip_dst));
- goto skip_five_and_six;
- }
-
- bcopy((char *)ip, (char *)&ti, sizeof(*ip));
- t->th_dport = htons(i);
- slen = sizeof(sin);
- if (!getsockname(fd, (struct sockaddr *)&sin, &slen))
- t->th_sport = sin.sin_port;
- if (!(tcbp = find_tcp(fd, &ti))) {
- printf("Can't find PCB\n");
- goto skip_five_and_six;
- }
- KMCPY(&tcb, tcbp, sizeof(tcb));
- ti.ti_win = tcb.rcv_adv;
- ti.ti_seq = htonl(tcb.snd_nxt - 1);
- ti.ti_ack = tcb.rcv_nxt;
-
- if (!ptest || (ptest == 5)) {
- /*
- * Test 5: urp
- */
- t->th_flags = TH_ACK|TH_URG;
- printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n",
- ntohs(t->th_sport), ntohs(t->th_dport));
- t->th_urp = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
-
- t->th_seq = htonl(tcb.snd_nxt);
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
- t->th_urp = htons(0x7fff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = htons(0x8000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = htons(0xffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = 0;
- t->th_flags &= ~TH_URG;
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Test 6: data offset, off = 0, off is inside, off is outside
- */
- t->th_flags = TH_ACK;
- printf("5.6.1 TCP off = 1-15, len = 40\n");
- for (i = 1; i < 16; i++) {
- TCP_OFF_A(t, ntohs(i));
- (void) send_tcp(nfd, mtu, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- }
-
- (void) close(fd);
- }
-skip_five_and_six:
-#endif
- t->th_seq = htonl(1);
- t->th_ack = htonl(1);
- TCP_OFF_A(t, 0);
-
- if (!ptest || (ptest == 7)) {
- t->th_flags = TH_SYN;
- /*
- * Test 7: sport = 0, sport = 1, sport = 32767
- * sport = 32768, sport = 65535
- */
- printf("5.7.1 TCP sport = 0\n");
- t->th_sport = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.2 TCP sport = 1\n");
- t->th_sport = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.3 TCP sport = 32767\n");
- t->th_sport = htons(32767);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.4 TCP sport = 32768\n");
- t->th_sport = htons(32768);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.5 TCP sport = 65535\n");
- t->th_sport = htons(65535);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 8)) {
- t->th_sport = htons(1);
- t->th_flags = TH_SYN;
- /*
- * Test 8: dport = 0, dport = 1, dport = 32767
- * dport = 32768, dport = 65535
- */
- printf("5.8.1 TCP dport = 0\n");
- t->th_dport = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.2 TCP dport = 1\n");
- t->th_dport = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.3 TCP dport = 32767\n");
- t->th_dport = htons(32767);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.4 TCP dport = 32768\n");
- t->th_dport = htons(32768);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.5 TCP dport = 65535\n");
- t->th_dport = htons(65535);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- /* LAND attack - self connect, so make src & dst ip/port the same */
- if (!ptest || (ptest == 9)) {
- printf("5.9 TCP LAND attack. sport = 25, dport = 25\n");
- /* chose SMTP port 25 */
- t->th_sport = htons(25);
- t->th_dport = htons(25);
- t->th_flags = TH_SYN;
- ip->ip_src = ip->ip_dst;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- /* TCP options header checking */
- /* 0 length options, etc */
-}
-
-
-/* Perform test 6 (exhaust mbuf test) */
-
-void ip_test6(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- udphdr_t *u;
- int nfd, i, j, k;
-
- IP_V_A(ip, IPVERSION);
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)(ip + 1);
- u->uh_sport = htons(1);
- u->uh_dport = htons(9);
- u->uh_sum = 0;
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- u->uh_ulen = htons(7168);
-
- printf("6. Exhaustive mbuf test.\n");
- printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
- printf(" Total of around 8,900 packets\n");
- for (i = 0; i < 128; i++) {
- /*
- * First send the entire packet in 768 byte chunks.
- */
- ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
- IP_HL_A(ip, sizeof(*ip) >> 2);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, 0);
- fflush(stdout);
- PAUSE();
- /*
- * And again using 128 byte chunks.
- */
- ip->ip_len = sizeof(*ip) + 128 + sizeof(*u);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, 0);
- fflush(stdout);
- PAUSE();
-
- for (j = 768; j < 3584; j += 768) {
- ip->ip_len = sizeof(*ip) + 768;
- ip->ip_off = htons(IP_MF|(j>>3));
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, j);
- fflush(stdout);
- PAUSE();
-
- ip->ip_len = sizeof(*ip) + 128;
- for (k = j - 768; k < j; k += 128) {
- ip->ip_off = htons(IP_MF|(k>>3));
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, k);
- fflush(stdout);
- PAUSE();
- }
- }
- }
- putchar('\n');
-}
-
-
-/* Perform test 7 (random packets) */
-
-static u_long tbuf[64];
-
-void ip_test7(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- ip_t *pip;
-#ifdef USE_NANOSLEEP
- struct timespec ts;
-#else
- struct timeval tv;
-#endif
- int nfd, i, j;
- u_char *s;
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return;
-
- pip = (ip_t *)tbuf;
-
- srand(time(NULL) ^ (getpid() * getppid()));
-
- printf("7. send 1024 random IP packets.\n");
-
- for (i = 0; i < 512; i++) {
- for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
- *s = (rand() >> 13) & 0xff;
- IP_V_A(pip, IPVERSION);
- bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
- sizeof(struct in_addr));
- pip->ip_sum = 0;
- pip->ip_len &= 0xff;
- (void) send_ip(nfd, mtu, pip, gwip, 0);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
-
- for (i = 0; i < 512; i++) {
- for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
- *s = (rand() >> 13) & 0xff;
- IP_V_A(pip, IPVERSION);
- pip->ip_off &= htons(0xc000);
- bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
- sizeof(struct in_addr));
- pip->ip_sum = 0;
- pip->ip_len &= 0xff;
- (void) send_ip(nfd, mtu, pip, gwip, 0);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
-}
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c
deleted file mode 100644
index 3d0c89c..0000000
--- a/contrib/ipfilter/ipsend/larp.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * larp.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: larp.c,v 2.4 2003/12/01 02:01:16 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <net/if_arp.h>
-#include <stdio.h>
-#include <netdb.h>
-#include <errno.h>
-
-#include "ip_compat.h"
-#include "iplang/iplang.h"
-
-/*
- * lookup host and return
- * its IP address in address
- * (4 bytes)
- */
-int resolve(host, address)
-char *host, *address;
-{
- struct hostent *hp;
- u_long add;
-
- add = inet_addr(host);
- if (add == -1)
- {
- if (!(hp = gethostbyname(host)))
- {
- fprintf(stderr, "unknown host: %s\n", host);
- return -1;
- }
- bcopy((char *)hp->h_addr, (char *)address, 4);
- return 0;
- }
- bcopy((char*)&add, address, 4);
- return 0;
-}
-
-/*
- * ARP for the MAC address corresponding
- * to the IP address. This taken from
- * some BSD program, I cant remember which.
- */
-int arp(ip, ether)
-char *ip;
-char *ether;
-{
- static int s = -1;
- struct arpreq ar;
- struct sockaddr_in *sin;
- char *inet_ntoa();
-
-#ifdef IP_SEND
- if (arp_getipv4(ip, ether) == 0)
- return 0;
-#endif
- bzero((char *)&ar, sizeof(ar));
- sin = (struct sockaddr_in *)&ar.arp_pa;
- sin->sin_family = AF_INET;
- bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
-
- if (s == -1)
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- {
- perror("arp: socket");
- return -1;
- }
-
- if (ioctl(s, SIOCGARP, (caddr_t)&ar) == -1)
- {
- fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
- if (errno != ENXIO)
- perror("SIOCGARP");
- return -1;
- }
-
- bcopy(ar.arp_ha.sa_data, ether, 6);
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h
deleted file mode 100644
index ae2e05f..0000000
--- a/contrib/ipfilter/ipsend/linux.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright (C) 1995-1998 by Darren Reed.
- *
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
- *
- * @(#)linux.h 1.1 8/19/95
- */
-
-#include <linux/config.h>
-#ifdef MODULE
-#include <linux/module.h>
-#include <linux/version.h>
-#endif /* MODULE */
-
-#include "ip_compat.h"
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
deleted file mode 100644
index 7163ea7..0000000
--- a/contrib/ipfilter/ipsend/lsock.c
+++ /dev/null
@@ -1,257 +0,0 @@
-/*
- * lsock.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.3.4.1 2006/03/17 13:45:34 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <pwd.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/dir.h>
-#define __KERNEL__
-#if LINUX >= 0200
-# undef UINT_MAX
-# undef INT_MAX
-# undef ULONG_MAX
-# undef LONG_MAX
-# include <linux/notifier.h>
-#endif
-#include <linux/fs.h>
-#if LINUX >= 0200
-#include "linux/netdevice.h"
-#include "net/sock.h"
-#endif
-#undef __KERNEL__
-#include <linux/sched.h>
-#include <linux/netdevice.h>
-#include <nlist.h>
-#include <sys/user.h>
-#include <sys/socket.h>
-#include <math.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#if LINUX < 0200
-#include <net/inet/sock.h>
-#endif
-#include "ipsend.h"
-
-int nproc;
-struct task_struct *proc;
-
-#ifndef KMEM
-# ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-# endif
-#endif
-#ifndef KMEM
-# define KMEM "/dev/kmem"
-#endif
-#ifndef KERNEL
-# define KERNEL "/System.map"
-#endif
-
-int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
-{
- static int kfd = -1;
-
- if (kfd == -1)
- kfd = open(KMEM, O_RDONLY);
-
- if (lseek(kfd, (off_t)pos, SEEK_SET) == -1)
- {
- perror("lseek");
- return -1;
- }
- if (read(kfd, buf, n) == -1)
- {
- perror("read");
- return -1;
- }
- return n;
-}
-
-struct nlist names[3] = {
- { "_task" },
- { "_nr_tasks" },
- { NULL }
- };
-
-struct task_struct *getproc()
-{
- struct task_struct *p, **pp;
- void *v;
- pid_t pid = getpid();
- int siz, n;
-
- n = nlist(KERNEL, names);
- if (n != 0)
- {
- fprintf(stderr, "nlist(%#x) == %d\n", names, n);
- return NULL;
- }
- if (KMCPY(&nproc, names[1].n_value, sizeof(nproc)) == -1)
- {
- fprintf(stderr, "read nproc (%#x)\n", names[1].n_value);
- return NULL;
- }
- siz = nproc * sizeof(struct task_struct *);
- if (KMCPY(&v, names[0].n_value, sizeof(v)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- names[0].n_value, &v, sizeof(v));
- return NULL;
- }
- pp = (struct task_struct **)malloc(siz);
- if (KMCPY(pp, v, siz) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- v, pp, siz);
- return NULL;
- }
- proc = (struct task_struct *)malloc(siz);
- for (n = 0; n < NR_TASKS; n++)
- {
- if (KMCPY((proc + n), pp[n], sizeof(*proc)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- pp[n], proc + n, sizeof(*proc));
- return NULL;
- }
- }
-
- p = proc;
-
- for (n = NR_TASKS; n; n--, p++)
- if (p->pid == pid)
- break;
- if (!n)
- return NULL;
-
- return p;
-}
-
-
-struct sock *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
-{
- struct sock *s;
- struct inode *i;
- struct files_struct *fs;
- struct task_struct *p;
- struct file *f, **o;
-
- if (!(p = getproc()))
- return NULL;
-
- fs = p->files;
- o = (struct file **)calloc(1, sizeof(*o) * (fs->count + 1));
- if (KMCPY(o, fs->fd, (fs->count + 1) * sizeof(*o)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - fd - failed\n",
- fs->fd, o, sizeof(*o));
- return NULL;
- }
- f = (struct file *)calloc(1, sizeof(*f));
- if (KMCPY(f, o[fd], sizeof(*f)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n",
- o[fd], f, sizeof(*f));
- return NULL;
- }
-
- i = (struct inode *)calloc(1, sizeof(*i));
- if (KMCPY(i, f->f_inode, sizeof(*i)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - f_inode - failed\n",
- f->f_inode, i, sizeof(*i));
- return NULL;
- }
- return i->u.socket_i.data;
-}
-
-int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
-{
- struct sockaddr_in rsin, lsin;
- struct sock *s, sk;
- int fd, nfd, len;
-
- printf("Dest. Port: %d\n", ti->ti_dport);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- {
- perror("socket");
- return -1;
- }
-
- if (fcntl(fd, F_SETFL, FNDELAY) == -1)
- {
- perror("fcntl");
- return -1;
- }
-
- bzero((char *)&lsin, sizeof(lsin));
- lsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_src, (char *)&lsin.sin_addr,
- sizeof(struct in_addr));
- if (bind(fd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
- {
- perror("bind");
- return -1;
- }
- len = sizeof(lsin);
- (void) getsockname(fd, (struct sockaddr *)&lsin, &len);
- ti->ti_sport = lsin.sin_port;
- printf("sport %d\n", ntohs(lsin.sin_port));
- nfd = initdevice(dev, 0);
- if (nfd == -1)
- return -1;
-
- if (!(s = find_tcp(fd, ti)))
- return -1;
-
- bzero((char *)&rsin, sizeof(rsin));
- rsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_dst, (char *)&rsin.sin_addr,
- sizeof(struct in_addr));
- rsin.sin_port = ti->ti_dport;
- if (connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) == -1 &&
- errno != EINPROGRESS)
- {
- perror("connect");
- return -1;
- }
- KMCPY(&sk, s, sizeof(sk));
- ti->ti_win = sk.window;
- ti->ti_seq = sk.sent_seq - 1;
- ti->ti_ack = sk.rcv_ack_seq;
- ti->ti_flags = TH_SYN;
-
- if (send_tcp(nfd, mtu, (ip_t *)ti, gwip) == -1)
- return -1;
- (void)write(fd, "Hello World\n", 12);
- sleep(2);
- close(fd);
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
deleted file mode 100644
index e7b1ef4..0000000
--- a/contrib/ipfilter/ipsend/resend.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * resend.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.8.2.3 2007/02/17 12:41:51 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#ifdef __osf__
-# include "radix_ipf_local.h"
-#endif
-#include <net/if.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-# include <netinet/if_ether.h>
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-#endif
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include "ipsend.h"
-
-extern int opts;
-
-static u_char pbuf[65536]; /* 1 big packet */
-void printpacket __P((ip_t *));
-
-
-void printpacket(ip)
-ip_t *ip;
-{
- tcphdr_t *t;
- int i, j;
-
- t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
- if (ip->ip_tos)
- printf("tos %#x ", ip->ip_tos);
- if (ip->ip_off & 0x3fff)
- printf("frag @%#x ", (ip->ip_off & 0x1fff) << 3);
- printf("len %d id %d ", ip->ip_len, ip->ip_id);
- printf("ttl %d p %d src %s", ip->ip_ttl, ip->ip_p,
- inet_ntoa(ip->ip_src));
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", t->th_sport);
- printf(" dst %s", inet_ntoa(ip->ip_dst));
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", t->th_dport);
- if (ip->ip_p == IPPROTO_TCP) {
- printf(" seq %lu:%lu flags ",
- (u_long)t->th_seq, (u_long)t->th_ack);
- for (j = 0, i = 1; i < 256; i *= 2, j++)
- if (t->th_flags & i)
- printf("%c", "FSRPAU--"[j]);
- }
- putchar('\n');
-}
-
-
-int ip_resend(dev, mtu, r, gwip, datain)
-char *dev;
-int mtu;
-struct in_addr gwip;
-struct ipread *r;
-char *datain;
-{
- ether_header_t *eh;
- char dhost[6];
- ip_t *ip;
- int fd, wfd = initdevice(dev, 5), len, i;
-
- if (wfd == -1)
- return -1;
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = (struct ip *)pbuf;
- eh = (ether_header_t *)malloc(sizeof(*eh));
- if(!eh)
- {
- perror("malloc failed");
- return -2;
- }
-
- bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
- if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
- {
- perror("arp");
- free(eh);
- return -2;
- }
-
- while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0)
- {
- if (!(opts & OPT_RAW)) {
- len = ntohs(ip->ip_len);
- eh = (ether_header_t *)realloc((char *)eh, sizeof(*eh) + len);
- eh->ether_type = htons((u_short)ETHERTYPE_IP);
- if (!gwip.s_addr) {
- if (arp((char *)&gwip,
- (char *)A_A eh->ether_dhost) == -1) {
- perror("arp");
- continue;
- }
- } else
- bcopy(dhost, (char *)A_A eh->ether_dhost,
- sizeof(dhost));
- if (!ip->ip_sum)
- ip->ip_sum = chksum((u_short *)ip,
- IP_HL(ip) << 2);
- bcopy(ip, (char *)(eh + 1), len);
- len += sizeof(*eh);
- printpacket(ip);
- } else {
- eh = (ether_header_t *)pbuf;
- len = i;
- }
-
- if (sendip(wfd, (char *)eh, len) == -1)
- {
- perror("send_packet");
- break;
- }
- }
- (*r->r_close)();
- free(eh);
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c
deleted file mode 100644
index 374b7ed..0000000
--- a/contrib/ipfilter/ipsend/sbpf.c
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
- * (C)opyright 1995-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/mbuf.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#if BSD < 199103
-#include <sys/fcntlcom.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-#else
-# include <sys/dir.h>
-#endif
-#include <net/bpf.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#ifdef __NetBSD__
-# include <paths.h>
-#endif
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-
-#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.5.4.1 2006/03/21 16:32:58 darrenr Exp $";
-#endif
-
-/*
- * the code herein is dervied from libpcap.
- */
-static u_char *buf = NULL;
-static int bufsize = 0, timeout = 1;
-
-
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- struct bpf_version bv;
- struct timeval to;
- struct ifreq ifr;
-#ifdef _PATH_BPF
- char *bpfname = _PATH_BPF;
- int fd;
-
- if ((fd = open(bpfname, O_RDWR)) < 0)
- {
- fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
- return -1;
- }
-#else
- char bpfname[16];
- int fd = 0, i;
-
- for (i = 0; i < 16; i++)
- {
- (void) sprintf(bpfname, "/dev/bpf%d", i);
- if ((fd = open(bpfname, O_RDWR)) >= 0)
- break;
- }
- if (i == 16)
- {
- fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
- return -1;
- }
-#endif
-
- if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
- {
- perror("BIOCVERSION");
- return -1;
- }
- if (bv.bv_major != BPF_MAJOR_VERSION ||
- bv.bv_minor < BPF_MINOR_VERSION)
- {
- fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n",
- bv.bv_major, bv.bv_minor);
- fprintf(stderr, "current version: %d.%d\n",
- BPF_MAJOR_VERSION, BPF_MINOR_VERSION);
- return -1;
- }
-
- (void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
- if (ioctl(fd, BIOCSETIF, &ifr) == -1)
- {
- fprintf(stderr, "%s(%d):", ifr.ifr_name, fd);
- perror("BIOCSETIF");
- exit(1);
- }
- /*
- * get kernel buffer size
- */
- if (ioctl(fd, BIOCGBLEN, &bufsize) == -1)
- {
- perror("BIOCSBLEN");
- exit(-1);
- }
- buf = (u_char*)malloc(bufsize);
- /*
- * set the timeout
- */
- timeout = tout;
- to.tv_sec = 1;
- to.tv_usec = 0;
- if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1)
- {
- perror("BIOCSRTIMEOUT");
- exit(-1);
- }
-
- (void) ioctl(fd, BIOCFLUSH, 0);
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (write(fd, pkt, len) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c
deleted file mode 100644
index 1ce8946..0000000
--- a/contrib/ipfilter/ipsend/sdlpi.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/stropts.h>
-
-#ifdef sun
-# include <sys/pfmod.h>
-# include <sys/bufmod.h>
-#endif
-#ifdef __osf__
-# include <sys/dlpihdr.h>
-# include "radix_ipf_local.h"
-#else
-# include <sys/dlpi.h>
-#endif
-#ifdef __hpux
-# include <sys/dlpi_ext.h>
-#endif
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-
-#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.2 2007/02/17 12:41:51 darrenr Exp $";
-#endif
-
-#define CHUNKSIZE 8192
-#define BUFSPACE (4*CHUNKSIZE)
-
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- char devname[16], *s, buf[256];
- int i, fd;
-
- (void) strcpy(devname, "/dev/");
- (void) strncat(devname, device, sizeof(devname) - strlen(devname));
-
- s = devname + 5;
- while (*s && !ISDIGIT(*s))
- s++;
- if (!*s)
- {
- fprintf(stderr, "bad device name %s\n", devname);
- exit(-1);
- }
- i = atoi(s);
- *s = '\0';
- /*
- * For writing
- */
- if ((fd = open(devname, O_RDWR)) < 0)
- {
- fprintf(stderr, "O_RDWR(1) ");
- perror(devname);
- exit(-1);
- }
-
- if (dlattachreq(fd, i) == -1)
- {
- fprintf(stderr, "dlattachreq: DLPI error\n");
- exit(-1);
- }
- else if (dlokack(fd, buf) == -1)
- {
- fprintf(stderr, "dlokack(attach): DLPI error\n");
- exit(-1);
- }
-#ifdef DL_HP_RAWDLS
- if (dlpromisconreq(fd, DL_PROMISC_SAP) < 0)
- {
- fprintf(stderr, "dlpromisconreq: DL_PROMISC_PHYS error\n");
- exit(-1);
- }
- else if (dlokack(fd, buf) < 0)
- {
- fprintf(stderr, "dlokack(promisc): DLPI error\n");
- exit(-1);
- }
- /* 22 is INSAP as per the HP-UX DLPI Programmer's Guide */
-
- dlbindreq(fd, 22, 1, DL_HP_RAWDLS, 0, 0);
-#else
- dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
-#endif
- dlbindack(fd, buf);
- /*
- * write full headers
- */
-#ifdef DLIOCRAW /* we require RAW DLPI mode, which is a Sun extension */
- if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
- {
- fprintf(stderr, "DLIOCRAW error\n");
- exit(-1);
- }
-#endif
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/nit
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- struct strbuf dbuf, *dp = &dbuf, *cp = NULL;
- int pri = 0;
-#ifdef DL_HP_RAWDLS
- struct strbuf cbuf;
- dl_hp_rawdata_req_t raw;
-
- cp = &cbuf;
- raw.dl_primitive = DL_HP_RAWDATA_REQ;
- cp->len = sizeof(raw);
- cp->buf = (char *)&raw;
- cp->maxlen = cp->len;
- pri = MSG_HIPRI;
-#endif
- /*
- * construct NIT STREAMS messages, first control then data.
- */
- dp->buf = pkt;
- dp->len = len;
- dp->maxlen = dp->len;
-
- if (putmsg(fd, cp, dp, pri) == -1)
- {
- perror("putmsg");
- return -1;
- }
- if (ioctl(fd, I_FLUSH, FLUSHW) == -1)
- {
- perror("I_FLUSHW");
- return -1;
- }
- return len;
-}
-
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
deleted file mode 100644
index 0f634f7..0000000
--- a/contrib/ipfilter/ipsend/sirix.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed.
- * (C)opyright 1997 Marc Boucher.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#include <net/raw.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include "ipsend.h"
-#include <netinet/udp_var.h>
-
-#if !defined(lint) && defined(LIBC_SCCS)
-static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
-#endif
-
-
-int initdevice(char *device, int tout)
-{
- int fd;
- struct sockaddr_raw sr;
-
- if ((fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_DRAIN)) < 0)
- {
- perror("socket(PF_RAW, SOCK_RAW, RAWPROTO_DRAIN)");
- return -1;
- }
-
- memset(&sr, 0, sizeof(sr));
- sr.sr_family = AF_RAW;
- sr.sr_port = ETHERTYPE_IP;
- strncpy(sr.sr_ifname, device, sizeof(sr.sr_ifname));
- if (bind(fd, &sr, sizeof(sr)) < 0)
- {
- perror("bind AF_RAW");
- close(fd);
- return -1;
- }
- return fd;
-}
-
-
-/*
- * output an IP packet
- */
-int sendip(int fd, char *pkt, int len)
-{
- struct sockaddr_raw sr;
- int srlen = sizeof(sr);
- struct ifreq ifr;
- struct ether_header *eh = (struct ether_header *)pkt;
-
- if (getsockname(fd, &sr, &srlen) == -1)
- {
- perror("getsockname");
- return -1;
- }
-
- memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, sr.sr_ifname, sizeof ifr.ifr_name);
-
- if (ioctl(fd, SIOCGIFADDR, &ifr) == -1)
- {
- perror("ioctl SIOCGIFADDR");
- return -1;
- }
-
- memcpy(eh->ether_shost, ifr.ifr_addr.sa_data, sizeof(eh->ether_shost));
-
- if (write(fd, pkt, len) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c
deleted file mode 100644
index 7c362b6..0000000
--- a/contrib/ipfilter/ipsend/slinux.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <sys/dir.h>
-#include <linux/netdevice.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
-static const char rcsid[] = "@(#)$Id: slinux.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
-#endif
-
-#define CHUNKSIZE 8192
-#define BUFSPACE (4*CHUNKSIZE)
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-
-static int timeout;
-static char *eth_dev = NULL;
-
-
-int initdevice(dev, spare)
-char *dev;
-int spare;
-{
- int fd;
-
- eth_dev = strdup(dev);
- if ((fd = socket(AF_INET, SOCK_PACKET, htons(ETHERTYPE_IP))) == -1)
- {
- perror("socket(SOCK_PACKET)");
- exit(-1);
- }
-
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/nit
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- struct sockaddr s;
- struct ifreq ifr;
-
- strncpy(ifr.ifr_name, eth_dev, sizeof(ifr.ifr_name));
- if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1)
- {
- perror("SIOCGIFHWADDR");
- return -1;
- }
- bcopy(ifr.ifr_hwaddr.sa_data, pkt + 6, 6);
- s.sa_family = ETHERTYPE_IP;
- strncpy(s.sa_data, eth_dev, sizeof(s.sa_data));
-
- if (sendto(fd, pkt, len, 0, &s, sizeof(s)) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c
deleted file mode 100644
index bcd07d0..0000000
--- a/contrib/ipfilter/ipsend/snit.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * (C)opyright 1992-1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <net/nit.h>
-#include <sys/fcntlcom.h>
-#include <sys/dir.h>
-#include <net/nit_if.h>
-#include <net/nit_pf.h>
-#include <net/nit_buf.h>
-#include <net/packetfilt.h>
-#include <sys/stropts.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-
-#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: snit.c,v 2.3 2001/06/09 17:09:26 darrenr Exp $";
-#endif
-
-#define CHUNKSIZE 8192
-#define BUFSPACE (4*CHUNKSIZE)
-
-/*
- * Be careful to only include those defined in the flags option for the
- * interface are included in the header size.
- */
-#define BUFHDR_SIZE (sizeof(struct nit_bufhdr))
-#define NIT_HDRSIZE (BUFHDR_SIZE)
-
-static int timeout;
-
-
-int initdevice(device, tout)
-char *device;
-int tout;
-{
- struct strioctl si;
- struct timeval to;
- struct ifreq ifr;
- int fd;
-
- if ((fd = open("/dev/nit", O_RDWR)) < 0)
- {
- perror("/dev/nit");
- exit(-1);
- }
-
- /*
- * arrange to get messages from the NIT STREAM and use NIT_BUF option
- */
- ioctl(fd, I_SRDOPT, (char*)RMSGD);
- ioctl(fd, I_PUSH, "nbuf");
-
- /*
- * set the timeout
- */
- timeout = tout;
- si.ic_timout = 1;
- to.tv_sec = 1;
- to.tv_usec = 0;
- si.ic_cmd = NIOCSTIME;
- si.ic_len = sizeof(to);
- si.ic_dp = (char*)&to;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- {
- perror("ioctl: NIT timeout");
- exit(-1);
- }
-
- /*
- * request the interface
- */
- strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
- ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = ' ';
- si.ic_cmd = NIOCBIND;
- si.ic_len = sizeof(ifr);
- si.ic_dp = (char*)&ifr;
- if (ioctl(fd, I_STR, (char*)&si) == -1)
- {
- perror(ifr.ifr_name);
- exit(1);
- }
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/nit
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- struct sockaddr sk, *sa = &sk;
- struct strbuf cbuf, *cp = &cbuf, dbuf, *dp = &dbuf;
-
- /*
- * For ethernet, need at least 802.3 header and IP header.
- */
- if (len < (sizeof(sa->sa_data) + sizeof(struct ip)))
- return -1;
- /*
- * to avoid any output processing for IP, say we're not.
- */
- sa->sa_family = AF_UNSPEC;
- bcopy(pkt, sa->sa_data, sizeof(sa->sa_data));
- pkt += sizeof(sa->sa_data);
- len -= sizeof(sa->sa_data);
-
- /*
- * construct NIT STREAMS messages, first control then data.
- */
- cp->len = sizeof(*sa);
- cp->maxlen = sizeof(*sa);
- cp->buf = (char *)sa;
-
- dp->buf = pkt;
- dp->len = len;
- dp->maxlen = dp->len;
-
- if (putmsg(fd, cp, dp, 0) == -1)
- {
- perror("putmsg");
- return -1;
- }
-
- if (ioctl(fd, I_FLUSH, FLUSHW) == -1)
- {
- perror("I_FLUSH");
- return -1;
- }
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
deleted file mode 100644
index f4317fc..0000000
--- a/contrib/ipfilter/ipsend/sock.c
+++ /dev/null
@@ -1,451 +0,0 @@
-/*
- * sock.c (C) 1995-1998 Darren Reed
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.8.4.7 2007/09/13 07:19:34 darrenr Exp $";
-#endif
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-#if defined(__NetBSD__) && defined(__vax__)
-/*
- * XXX need to declare boolean_t for _KERNEL <sys/files.h>
- * which ends up including <sys/device.h> for vax. See PR#32907
- * for further details.
- */
-typedef int boolean_t;
-#endif
-#ifndef ultrix
-#include <fcntl.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-#else
-# include <sys/dir.h>
-#endif
-#if !defined(__osf__)
-# ifdef __NetBSD__
-# include <machine/lock.h>
-# endif
-# define _KERNEL
-# define KERNEL
-# ifdef ultrix
-# undef LOCORE
-# include <sys/smp_lock.h>
-# endif
-# include <sys/file.h>
-# undef _KERNEL
-# undef KERNEL
-#endif
-#include <nlist.h>
-#include <sys/user.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/proc.h>
-#if !defined(ultrix) && !defined(hpux) && !defined(__osf__)
-# include <kvm.h>
-#endif
-#ifdef sun
-#include <sys/systm.h>
-#include <sys/session.h>
-#endif
-#if BSD >= 199103
-#include <sys/sysctl.h>
-#include <sys/filedesc.h>
-#include <paths.h>
-#endif
-#include <math.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if defined(__FreeBSD__)
-# include "radix_ipf.h"
-#endif
-#ifndef __osf__
-# include <net/route.h>
-#endif
-#include <netinet/ip_var.h>
-#include <netinet/in_pcb.h>
-#include <netinet/tcp_timer.h>
-#include <netinet/tcp_var.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <pwd.h>
-#include "ipsend.h"
-
-
-int nproc;
-struct proc *proc;
-
-#ifndef KMEM
-# ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-# endif
-#endif
-#ifndef KERNEL
-# ifdef _PATH_UNIX
-# define KERNEL _PATH_UNIX
-# endif
-#endif
-#ifndef KMEM
-# define KMEM "/dev/kmem"
-#endif
-#ifndef KERNEL
-# define KERNEL "/vmunix"
-#endif
-
-
-#if BSD < 199103
-static struct proc *getproc __P((void));
-#else
-static struct kinfo_proc *getproc __P((void));
-#endif
-
-
-int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
-{
- static int kfd = -1;
- off_t offset = (u_long)pos;
-
- if (kfd == -1)
- kfd = open(KMEM, O_RDONLY);
-
- if (lseek(kfd, offset, SEEK_SET) == -1)
- {
- perror("lseek");
- return -1;
- }
- if (read(kfd, buf, n) == -1)
- {
- perror("read");
- return -1;
- }
- return n;
-}
-
-struct nlist names[4] = {
- { "_proc" },
- { "_nproc" },
-#ifdef ultrix
- { "_u" },
-#else
- { NULL },
-#endif
- { NULL }
- };
-
-#if BSD < 199103
-static struct proc *getproc()
-{
- struct proc *p;
- pid_t pid = getpid();
- int siz, n;
-
- n = nlist(KERNEL, names);
- if (n != 0)
- {
- fprintf(stderr, "nlist(%#x) == %d\n", names, n);
- return NULL;
- }
- if (KMCPY(&nproc, names[1].n_value, sizeof(nproc)) == -1)
- {
- fprintf(stderr, "read nproc (%#x)\n", names[1].n_value);
- return NULL;
- }
- siz = nproc * sizeof(struct proc);
- if (KMCPY(&p, names[0].n_value, sizeof(p)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- names[0].n_value, &p, sizeof(p));
- return NULL;
- }
- proc = (struct proc *)malloc(siz);
- if (KMCPY(proc, p, siz) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- p, proc, siz);
- return NULL;
- }
-
- p = proc;
-
- for (n = nproc; n; n--, p++)
- if (p->p_pid == pid)
- break;
- if (!n)
- return NULL;
-
- return p;
-}
-
-
-struct tcpcb *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
-{
- struct tcpcb *t;
- struct inpcb *i;
- struct socket *s;
- struct user *up;
- struct proc *p;
- struct file *f, **o;
-
- if (!(p = getproc()))
- return NULL;
- up = (struct user *)malloc(sizeof(*up));
-#ifndef ultrix
- if (KMCPY(up, p->p_uarea, sizeof(*up)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x) failed\n", p, p->p_uarea);
- return NULL;
- }
-#else
- if (KMCPY(up, names[2].n_value, sizeof(*up)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x) failed\n", p, names[2].n_value);
- return NULL;
- }
-#endif
-
- o = (struct file **)calloc(1, sizeof(*o) * (up->u_lastfile + 1));
- if (KMCPY(o, up->u_ofile, (up->u_lastfile + 1) * sizeof(*o)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - u_ofile - failed\n",
- up->u_ofile, o, sizeof(*o));
- return NULL;
- }
- f = (struct file *)calloc(1, sizeof(*f));
- if (KMCPY(f, o[fd], sizeof(*f)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n",
- up->u_ofile[fd], f, sizeof(*f));
- return NULL;
- }
-
- s = (struct socket *)calloc(1, sizeof(*s));
- if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - f_data - failed\n",
- o[fd], s, sizeof(*s));
- return NULL;
- }
-
- i = (struct inpcb *)calloc(1, sizeof(*i));
- if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1)
- {
- fprintf(stderr, "kvm_read(%#x,%#x,%d) - so_pcb - failed\n",
- s->so_pcb, i, sizeof(*i));
- return NULL;
- }
-
- t = (struct tcpcb *)calloc(1, sizeof(*t));
- if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - inp_ppcb - failed\n",
- i->inp_ppcb, t, sizeof(*t));
- return NULL;
- }
- return (struct tcpcb *)i->inp_ppcb;
-}
-#else
-static struct kinfo_proc *getproc()
-{
- static struct kinfo_proc kp;
- pid_t pid = getpid();
- int mib[4];
- size_t n;
-
- mib[0] = CTL_KERN;
- mib[1] = KERN_PROC;
- mib[2] = KERN_PROC_PID;
- mib[3] = pid;
-
- n = sizeof(kp);
- if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1)
- {
- perror("sysctl");
- return NULL;
- }
- return &kp;
-}
-
-
-struct tcpcb *find_tcp(tfd, ti)
-int tfd;
-struct tcpiphdr *ti;
-{
- struct tcpcb *t;
- struct inpcb *i;
- struct socket *s;
- struct filedesc *fd;
- struct kinfo_proc *p;
- struct file *f, **o;
-
- if (!(p = getproc()))
- return NULL;
-
- fd = (struct filedesc *)malloc(sizeof(*fd));
- if (fd == NULL)
- return NULL;
-#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013
- if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx) failed\n",
- (u_long)p, (u_long)p->ki_fd);
- free(fd);
- return NULL;
- }
-#else
- if (KMCPY(fd, p->kp_proc.p_fd, sizeof(*fd)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx) failed\n",
- (u_long)p, (u_long)p->kp_proc.p_fd);
- free(fd);
- return NULL;
- }
-#endif
-
- o = NULL;
- f = NULL;
- s = NULL;
- i = NULL;
- t = NULL;
-
- o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
- if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n",
- (u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o));
- goto finderror;
- }
- f = (struct file *)calloc(1, sizeof(*f));
- if (KMCPY(f, o[tfd], sizeof(*f)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n",
- (u_long)o[tfd], (u_long)f, (u_long)sizeof(*f));
- goto finderror;
- }
-
- s = (struct socket *)calloc(1, sizeof(*s));
- if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n",
- (u_long)f->f_data, (u_long)s, (u_long)sizeof(*s));
- goto finderror;
- }
-
- i = (struct inpcb *)calloc(1, sizeof(*i));
- if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1)
- {
- fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n",
- (u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i));
- goto finderror;
- }
-
- t = (struct tcpcb *)calloc(1, sizeof(*t));
- if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n",
- (u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t));
- goto finderror;
- }
- return (struct tcpcb *)i->inp_ppcb;
-
-finderror:
- if (o != NULL)
- free(o);
- if (f != NULL)
- free(f);
- if (s != NULL)
- free(s);
- if (i != NULL)
- free(i);
- if (t != NULL)
- free(t);
- return NULL;
-}
-#endif /* BSD < 199301 */
-
-int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
-{
- struct sockaddr_in rsin, lsin;
- struct tcpcb *t, tcb;
- int fd, nfd;
- socklen_t len;
-
- printf("Dest. Port: %d\n", ti->ti_dport);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- {
- perror("socket");
- return -1;
- }
-
- if (fcntl(fd, F_SETFL, FNDELAY) == -1)
- {
- perror("fcntl");
- return -1;
- }
-
- bzero((char *)&lsin, sizeof(lsin));
- lsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_src, (char *)&lsin.sin_addr,
- sizeof(struct in_addr));
- if (bind(fd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
- {
- perror("bind");
- return -1;
- }
- len = sizeof(lsin);
- (void) getsockname(fd, (struct sockaddr *)&lsin, &len);
- ti->ti_sport = lsin.sin_port;
- printf("sport %d\n", ntohs(lsin.sin_port));
-
- nfd = initdevice(dev, 1);
- if (nfd == -1)
- return -1;
-
- if (!(t = find_tcp(fd, ti)))
- return -1;
-
- bzero((char *)&rsin, sizeof(rsin));
- rsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_dst, (char *)&rsin.sin_addr,
- sizeof(struct in_addr));
- rsin.sin_port = ti->ti_dport;
- if (connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) == -1 &&
- errno != EINPROGRESS)
- {
- perror("connect");
- return -1;
- }
- KMCPY(&tcb, t, sizeof(tcb));
- ti->ti_win = tcb.rcv_adv;
- ti->ti_seq = tcb.snd_nxt - 1;
- ti->ti_ack = tcb.rcv_nxt;
-
- if (send_tcp(nfd, mtu, (ip_t *)ti, gwip) == -1)
- return -1;
- (void)write(fd, "Hello World\n", 12);
- sleep(2);
- close(fd);
- return 0;
-}
diff --git a/contrib/ipfilter/ipsend/sockraw.c b/contrib/ipfilter/ipsend/sockraw.c
deleted file mode 100644
index 0e3fe59..0000000
--- a/contrib/ipfilter/ipsend/sockraw.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * (C)opyright 2000 Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * WARNING: Attempting to use this .c file on HP-UX 11.00 will cause the
- * system to crash.
- */
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <errno.h>
-#include "ipsend.h"
-
-#if !defined(lint) && defined(LIBC_SCCS)
-static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
-#endif
-
-
-int initdevice(char *device, int tout)
-{
- struct sockaddr s;
- struct ifreq ifr;
- int fd;
-
- memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, device, sizeof ifr.ifr_name);
-
- if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
- {
- perror("socket(AF_INET, SOCK_RAW, IPPROTO_RAW)");
- return -1;
- }
-
- if (ioctl(fd, SIOCGIFADDR, &ifr) == -1)
- {
- perror("ioctl SIOCGIFADDR");
- return -1;
- }
-
- bzero((char *)&s, sizeof(s));
- s.sa_family = AF_INET;
- bcopy(&ifr.ifr_addr, s.sa_data, 4);
- if (bind(fd, &s, sizeof(s)) == -1)
- perror("bind");
- return fd;
-}
-
-
-/*
- * output an IP packet
- */
-int sendip(int fd, char *pkt, int len)
-{
- struct ether_header *eh;
- struct sockaddr_in sin;
-
- eh = (struct ether_header *)pkt;
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- pkt += 14;
- len -= 14;
- bcopy(pkt + 12, (char *)&sin.sin_addr, 4);
-
- if (sendto(fd, pkt, len, 0, &sin, sizeof(sin)) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
diff --git a/contrib/ipfilter/ipsend/tcpip.h b/contrib/ipfilter/ipsend/tcpip.h
deleted file mode 100644
index 44a2de9..0000000
--- a/contrib/ipfilter/ipsend/tcpip.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1982, 1986, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)tcpip.h 8.1 (Berkeley) 6/10/93
- * $Id: tcpip.h,v 2.2.2.3 2004/05/26 15:45:48 darrenr Exp $
- */
-
-#ifndef _NETINET_TCPIP_H_
-#define _NETINET_TCPIP_H_
-
-# if defined(linux) && !defined(LINUX_IPOVLY)
-# define LINUX_IPOVLY
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-# endif
-
-/*
- * Tcp+ip header, after ip options removed.
- */
-struct tcpiphdr {
- struct ipovly ti_i; /* overlaid ip structure */
- struct tcphdr ti_t; /* tcp header */
-};
-
-#ifdef notyet
-/*
- * Tcp+ip header, after ip options removed but including TCP options.
- */
-struct full_tcpiphdr {
- struct ipovly ti_i; /* overlaid ip structure */
- struct tcphdr ti_t; /* tcp header */
- char ti_o[TCP_MAXOLEN]; /* space for tcp options */
-};
-#endif /* notyet */
-#define ti_next ti_i.ih_next
-#define ti_prev ti_i.ih_prev
-#define ti_x1 ti_i.ih_x1
-#define ti_pr ti_i.ih_pr
-#define ti_len ti_i.ih_len
-#define ti_src ti_i.ih_src
-#define ti_dst ti_i.ih_dst
-#define ti_sport ti_t.th_sport
-#define ti_dport ti_t.th_dport
-#define ti_seq ti_t.th_seq
-#define ti_ack ti_t.th_ack
-#define ti_x2 ti_t.th_x2
-#define ti_off ti_t.th_off
-#define ti_flags ti_t.th_flags
-#define ti_win ti_t.th_win
-#define ti_sum ti_t.th_sum
-#define ti_urp ti_t.th_urp
-
-#endif
diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c
deleted file mode 100644
index f41a8a9..0000000
--- a/contrib/ipfilter/ipsend/ultrix.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * (C)opyright 1998 Darren Reed. (from tcplog)
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <stdio.h>
-#include <strings.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/if_ether.h>
-#include <netdnet/dli_var.h>
-
-
-static struct dli_devid dli_devid;
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- u_char *s;
- int fd;
-
- fd = socket(AF_DLI, SOCK_DGRAM, 0);
- if (fd == -1)
- perror("socket(AF_DLI,SOCK_DGRAM)");
- else {
- strncpy(dli_devid.dli_devname, device, DLI_DEVSIZE);
- dli_devid.dli_devname[DLI_DEVSIZE] ='\0';
- for (s = dli_devid.dli_devname; *s && isalpha((char)*s); s++)
- ;
- if (*s && isdigit((char)*s)) {
- dli_devid.dli_devnumber = atoi(s);
- }
- }
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- struct sockaddr_dl dl;
- struct sockaddr_edl *edl = &dl.choose_addr.dli_eaddr;
-
- dl.dli_family = AF_DLI;
- dl.dli_substructype = DLI_ETHERNET;
- bcopy((char *)&dli_devid, (char *)&dl.dli_device, sizeof(dli_devid));
- bcopy(pkt, edl->dli_target, DLI_EADDRSIZE);
- bcopy(pkt, edl->dli_dest, DLI_EADDRSIZE);
- bcopy(pkt + DLI_EADDRSIZE * 2, (char *)&edl->dli_protype, 2);
- edl->dli_ioctlflg = 0;
-
- if (sendto(fd, pkt, len, 0, (struct sockaddr *)&dl, sizeof(dl)) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
-
-
-char *strdup(str)
-char *str;
-{
- char *s;
-
- if ((s = (char *)malloc(strlen(str) + 1)))
- return strcpy(s, str);
- return NULL;
-}
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
deleted file mode 100644
index 5a20f24..0000000
--- a/contrib/ipfilter/ipt.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# define _KMEMUSER
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
-#include <strings.h>
-#else
-#if !defined(__sgi)
-#include <sys/byteorder.h>
-#endif
-#include <sys/file.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-#include "ip_frag.h"
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.26 2003/11/09 17:22:21 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
-extern struct ifnet *get_unit __P((char *, int));
-extern void init_ifp __P((void));
-extern ipnat_t *natparse __P((char *, int, int *));
-extern int fr_running;
-
-int opts = 0;
-int rremove = 0;
-int use_inet6 = 0;
-int main __P((int, char *[]));
-int loadrules __P((char *));
-int kmemcpy __P((char *, long, int));
-void dumpnat __P((void));
-void dumpstate __P((void));
-char *getifname __P((void *));
-void drain_log __P((char *));
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- char *datain, *iface, *ifname, *packet, *logout;
- int fd, i, dir, c, loaded, dump, hlen;
- struct in_addr src;
- struct ifnet *ifp;
- struct ipread *r;
- u_long buf[2048];
- ip_t *ip;
-
- dir = 0;
- dump = 0;
- loaded = 0;
- r = &iptext;
- iface = NULL;
- logout = NULL;
- src.s_addr = 0;
- ifname = "anon0";
- datain = NULL;
-
- nat_init();
- fr_stateinit();
- initparse();
- ipflog_init();
- fr_running = 1;
-
- while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:Rs:STvxX")) != -1)
- switch (c)
- {
- case '6' :
-#ifdef USE_INET6
- use_inet6 = 1;
- break;
-#else
- fprintf(stderr, "IPv6 not supported\n");
- exit(1);
-#endif
- case 'b' :
- opts |= OPT_BRIEF;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'D' :
- dump = 1;
- break;
- case 'i' :
- datain = optarg;
- break;
- case 'I' :
- ifname = optarg;
- break;
- case 'l' :
- logout = optarg;
- break;
- case 'o' :
- opts |= OPT_SAVEOUT;
- break;
- case 'r' :
- if (loadrules(optarg) == -1)
- return -1;
- loaded = 1;
- break;
- case 's' :
- src.s_addr = inet_addr(optarg);
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'E' :
- r = &etherf;
- break;
- case 'H' :
- r = &iphex;
- break;
- case 'N' :
- opts |= OPT_NAT;
- break;
- case 'P' :
- r = &pcap;
- break;
- case 'R' :
- rremove = 1;
- break;
- case 'S' :
- r = &snoop;
- break;
- case 'T' :
- r = &tcpd;
- break;
- case 'x' :
- opts |= OPT_HEX;
- break;
- case 'X' :
- r = &iptext;
- break;
- }
-
- if (loaded == 0) {
- (void)fprintf(stderr,"no rules loaded\n");
- exit(-1);
- }
-
- if (opts & OPT_SAVEOUT)
- init_ifp();
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = (ip_t *)buf;
- while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
- &iface, &dir)) > 0) {
- if (iface == NULL || *iface == '\0')
- iface = ifname;
- ifp = get_unit(iface, ip->ip_v);
- hlen = 0;
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- hlen = ip->ip_hl << 2;
- if (src.s_addr != 0) {
- if (src.s_addr == ip->ip_src.s_addr)
- dir = 1;
- else if (src.s_addr == ip->ip_dst.s_addr)
- dir = 0;
- }
- }
-#ifdef USE_INET6
- else
- hlen = sizeof(ip6_t);
-#endif
- if (opts & OPT_VERBOSE) {
- printf("%s on [%s]: ", dir ? "out" : "in",
- (iface && *iface) ? iface : "??");
- }
- packet = (char *)buf;
- /* ipfr_slowtimer(); */
- i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet);
- if ((opts & OPT_NAT) == 0)
- switch (i)
- {
- case -5 :
- (void)printf("block return-icmp-as-dest");
- break;
- case -4 :
- (void)printf("block return-icmp");
- break;
- case -3 :
- (void)printf("block return-rst");
- break;
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- (void)printf("nomatch");
- break;
- }
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
-
- if (!(opts & OPT_BRIEF)) {
- putchar(' ');
- printpacket((ip_t *)buf);
- printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket((ip_t *)buf);
-#ifndef linux
- if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL))
-# if defined(__sgi) && (IRIX < 605)
- (*ifp->if_output)(ifp, (void *)packet, NULL);
-# else
- (*ifp->if_output)(ifp, (void *)packet, NULL, 0);
-# endif
-#endif
- if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
- putchar('\n');
- dir = 0;
- if (iface != ifname) {
- free(iface);
- iface = ifname;
- }
- }
- (*r->r_close)();
-
- if (logout != NULL) {
- drain_log(logout);
- }
-
- if (dump == 1) {
- dumpnat();
- dumpstate();
- }
-
- return 0;
-}
-
-
-/*
- * Load in either NAT or ipf rules from a file, which is treated as stdin
- * if the name is "-". NOTE, stdin can only be used once as the file is
- * closed after use.
- */
-int loadrules(file)
-char *file;
-{
- char line[513], *s;
- int linenum, i;
- void *fr;
- FILE *fp;
- int parsestatus;
-
- if (!strcmp(file, "-"))
- fp = stdin;
- else if (!(fp = fopen(file, "r"))) {
- (void)fprintf(stderr, "couldn't open %s\n", file);
- return (-1);
- }
-
- if (!(opts & OPT_BRIEF))
- (void)printf("opening rule file \"%s\"\n", file);
-
- linenum = 0;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
-
- /*
- * treat both CR and LF as EOL
- */
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
-
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- /* fake an `ioctl' call :) */
-
- if ((opts & OPT_NAT) != 0) {
- parsestatus = 1;
- fr = natparse(line, linenum, &parsestatus);
- if (parsestatus != 0) {
- if (*line) {
- fprintf(stderr,
- "%d: syntax error in \"%s\"\n",
- linenum, line);
- }
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
- if (!fr)
- continue;
-
- if (rremove == 0) {
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADNAT,%p,1) = %d\n",
- fr, i);
- } else {
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(RMNAT,%p,1) = %d\n",
- fr, i);
- }
- } else {
- fr = parse(line, linenum, &parsestatus);
-
- if (parsestatus != 0) {
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
-
- if (!fr) {
- continue;
- }
-
- if (rremove == 0) {
- i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADAFR,%p,1) = %d\n",
- fr, i);
- } else {
- i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(RMAFR,%p,1) = %d\n",
- fr, i);
- }
- }
- }
- (void)fclose(fp);
-
- return 0;
-}
-
-
-int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
-{
- bcopy((char *)offset, addr, size);
- return 0;
-}
-
-
-/*
- * Display the built up NAT table rules and mapping entries.
- */
-void dumpnat()
-{
- ipnat_t *ipn;
- nat_t *nat;
-
- printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
- printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next)
- printactivenat(nat, opts);
-}
-
-
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
-{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE));
-}
-
-
-/*
- * Given a pointer to an interface in the kernel, return a pointer to a
- * string which is the interface name.
- */
-char *getifname(ptr)
-void *ptr;
-{
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-#else
- char buf[32], *s;
- int len;
-#endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- return strdup(netif.if_xname);
-#else
- if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- for (s = buf; *s && !isdigit(*s); s++)
- ;
- if (isdigit(*s))
- *s = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-#endif
-}
-
-
-void drain_log(filename)
-char *filename;
-{
- char buffer[IPLLOGSIZE];
- struct iovec iov;
- struct uio uio;
- size_t resid;
- int fd;
-
- fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
- if (fd == -1) {
- perror("drain_log:open");
- return;
- }
-
- while (1) {
- bzero((char *)&iov, sizeof(iov));
- iov.iov_base = buffer;
- iov.iov_len = sizeof(buffer);
-
- bzero((char *)&uio, sizeof(uio));
- uio.uio_iov = &iov;
- uio.uio_iovcnt = 1;
- uio.uio_resid = iov.iov_len;
- resid = uio.uio_resid;
-
- if (ipflog_read(0, &uio) == 0) {
- /*
- * If nothing was read then break out.
- */
- if (uio.uio_resid == resid)
- break;
- write(fd, buffer, resid - uio.uio_resid);
- } else
- break;
- }
-
- close(fd);
-}
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
deleted file mode 100644
index 43b9a6d..0000000
--- a/contrib/ipfilter/ipt.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipt.h,v 2.6.4.2 2006/03/26 23:42:04 darrenr Exp $
- */
-
-#ifndef __IPT_H__
-#define __IPT_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#include <fcntl.h>
-
-
-struct ipread {
- int (*r_open) __P((char *));
- int (*r_close) __P((void));
- int (*r_readip) __P((char *, int, char **, int *));
- int r_flags;
-};
-
-#define R_DO_CKSUM 0x01
-
-extern void debug __P((char *, ...));
-extern void verbose __P((char *, ...));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#endif /* __IPT_H__ */
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
deleted file mode 100644
index 5723ba3..0000000
--- a/contrib/ipfilter/kmem.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * kmemcpy() - copies n bytes from kernel memory into user buffer.
- * returns 0 on success, -1 on error.
- */
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <sys/file.h>
-#ifndef __sgi
-#include <kvm.h>
-#endif
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-
-#include "kmem.h"
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "ipf.h"
-
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.18 2003/11/09 17:22:22 darrenr Exp $";
-#endif
-
-#ifdef __sgi
-typedef int kvm_t;
-
-static int kvm_fd = -1;
-static char *kvm_errstr = NULL;
-
-kvm_t *kvm_open(kernel, core, swap, mode, errstr)
-char *kernel, *core, *swap;
-int mode;
-char *errstr;
-{
- kvm_errstr = errstr;
-
- if (core == NULL)
- core = "/dev/kmem";
- kvm_fd = open(core, mode);
- return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
-}
-
-int kvm_read(kvm, pos, buffer, size)
-kvm_t *kvm;
-u_long pos;
-char *buffer;
-size_t size;
-{
- size_t left;
- char *bufp;
- int r;
-
- if (lseek(*kvm, pos, 0) == -1) {
- if (kvm_errstr != NULL) {
- fprintf(stderr, "%s:", kvm_errstr);
- perror("lseek");
- }
- return -1;
- }
-
- for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
- r = read(*kvm, bufp, 1);
- if (r <= 0)
- return -1;
- }
- return size;
-}
-#endif
-
-static kvm_t *kvm_f = NULL;
-
-int openkmem(kern, core)
-char *kern, *core;
-{
- union {
- int ui;
- kvm_t *uk;
- } k;
-
- kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL);
- if (kvm_f == NULL)
- {
- perror("openkmem:open");
- return -1;
- }
- k.uk = kvm_f;
- return k.ui;
-}
-
-int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%x ", (u_int)pos);
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- buf += r;
- pos += r;
- n -= r;
- }
- return 0;
-}
-
-int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while (n > 0)
- {
- r = kvm_read(kvm_f, pos, buf, (size_t)1);
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%x ", (u_int)pos);
- perror("kstrncpy:read");
- return -1;
- }
- else
- {
- if (*buf == '\0')
- break;
- buf++;
- pos++;
- n--;
- }
- }
- return 0;
-}
-
-
-/*
- * Given a pointer to an interface in the kernel, return a pointer to a
- * string which is the interface name.
- */
-char *getifname(ptr)
-void *ptr;
-{
-#if SOLARIS
- char *ifname;
- ill_t ill;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
- return "X";
- ifname = malloc(ill.ill_name_length + 1);
- if (kmemcpy(ifname, (u_long)ill.ill_name,
- ill.ill_name_length) == -1)
- return "X";
- return ifname;
-#else
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-#else
- char buf[32];
- int len;
-# endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- return strdup(netif.if_xname);
-# else
- if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-# endif
-#endif
-}
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
deleted file mode 100644
index d2b1171..0000000
--- a/contrib/ipfilter/kmem.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 2.5 2002/08/21 22:57:36 darrenr Exp $
- */
-
-#ifndef __KMEM_H__
-#define __KMEM_H__
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-extern int openkmem __P((char *, char *));
-extern int kmemcpy __P((char *, long, int));
-extern int kstrncpy __P((char *, long, int));
-
-#if defined(__NetBSD__) || defined(__OpenBSD)
-# include <paths.h>
-#endif
-
-#ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-#else
-# define KMEM "/dev/kmem"
-#endif
-
-#endif /* __KMEM_H__ */
diff --git a/contrib/ipfilter/l4check/Makefile b/contrib/ipfilter/l4check/Makefile
deleted file mode 100644
index e2bb9f8..0000000
--- a/contrib/ipfilter/l4check/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-# For Solaris
-#LIBS=-lsocket -lnsl
-
-all: l4check
-
-l4check: l4check.c
- $(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@
-
-clean:
- /bin/rm -f l4check
diff --git a/contrib/ipfilter/l4check/http.check b/contrib/ipfilter/l4check/http.check
deleted file mode 100644
index 56d93d9..0000000
--- a/contrib/ipfilter/l4check/http.check
+++ /dev/null
@@ -1,2 +0,0 @@
-GET /
-
diff --git a/contrib/ipfilter/l4check/http.ok b/contrib/ipfilter/l4check/http.ok
deleted file mode 100644
index 2b5d2c1..0000000
--- a/contrib/ipfilter/l4check/http.ok
+++ /dev/null
@@ -1 +0,0 @@
-<HTML>
\ No newline at end of file
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
deleted file mode 100644
index a096fff..0000000
--- a/contrib/ipfilter/l4check/l4check.c
+++ /dev/null
@@ -1,822 +0,0 @@
-/*
- * (C)Copyright March, 2000 - Darren Reed.
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/ioctl.h>
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-
-#include <net/if.h>
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ipl.h"
-
-#include "ipf.h"
-
-extern char *optarg;
-
-
-typedef struct l4cfg {
- struct l4cfg *l4_next;
- struct ipnat l4_nat; /* NAT rule */
- struct sockaddr_in l4_sin; /* remote socket to connect */
- time_t l4_last; /* when we last connected */
- int l4_alive; /* 1 = remote alive */
- int l4_fd;
- int l4_rw; /* 0 = reading, 1 = writing */
- char *l4_rbuf; /* read buffer */
- int l4_rsize; /* size of buffer */
- int l4_rlen; /* how much used */
- char *l4_wptr; /* next byte to write */
- int l4_wlen; /* length yet to be written */
-} l4cfg_t;
-
-
-l4cfg_t *l4list = NULL;
-char *response = NULL;
-char *probe = NULL;
-l4cfg_t template;
-int frequency = 20;
-int ctimeout = 1;
-int rtimeout = 1;
-size_t plen = 0;
-size_t rlen = 0;
-int natfd = -1;
-int opts = 0;
-
-#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
-# define strerror(x) sys_errlist[x]
-#endif
-
-
-char *copystr(dst, src)
-char *dst, *src;
-{
- register char *s, *t, c;
- register int esc = 0;
-
- for (s = src, t = dst; s && t && (c = *s++); )
- if (esc) {
- esc = 0;
- switch (c)
- {
- case 'n' :
- *t++ = '\n';
- break;
- case 'r' :
- *t++ = '\r';
- break;
- case 't' :
- *t++ = '\t';
- break;
- }
- } else if (c != '\\')
- *t++ = c;
- else
- esc = 1;
- *t = '\0';
- return dst;
-}
-
-void addnat(l4)
-l4cfg_t *l4;
-{
-
- ipnat_t *ipn = &l4->l4_nat;
-
- printf("Add NAT rule for %s/%#x,%u -> ", inet_ntoa(ipn->in_out[0].in4),
- ipn->in_outmsk, ntohs(ipn->in_pmin));
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ntohs(ipn->in_pnext));
- if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
- if (ioctl(natfd, SIOCADNAT, &obj) == -1)
- perror("ioctl(SIOCADNAT)");
- }
-}
-
-
-void delnat(l4)
-l4cfg_t *l4;
-{
- ipnat_t *ipn = &l4->l4_nat;
-
- printf("Remove NAT rule for %s/%#x,%u -> ",
- inet_ntoa(ipn->in_out[0].in4), ipn->in_outmsk, ipn->in_pmin);
- printf("%s,%u\n", inet_ntoa(ipn->in_in[0].in4), ipn->in_pnext);
- if (!(opts & OPT_DONOTHING)) {
- ipfobj_t obj;
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipn);
- obj.ipfo_ptr = ipn;
-
- if (ioctl(natfd, SIOCRMNAT, &ipn) == -1)
- perror("ioctl(SIOCRMNAT)");
- }
-}
-
-
-void connectl4(l4)
-l4cfg_t *l4;
-{
- l4->l4_rw = 1;
- l4->l4_rlen = 0;
- l4->l4_wlen = plen;
- if (!l4->l4_wlen) {
- l4->l4_alive = 1;
- addnat(l4);
- } else
- l4->l4_wptr = probe;
-}
-
-
-void closel4(l4, dead)
-l4cfg_t *l4;
-int dead;
-{
- close(l4->l4_fd);
- l4->l4_fd = -1;
- l4->l4_rw = -1;
- if (dead && l4->l4_alive) {
- l4->l4_alive = 0;
- delnat(l4);
- }
-}
-
-
-void connectfd(l4)
-l4cfg_t *l4;
-{
- if (connect(l4->l4_fd, (struct sockaddr *)&l4->l4_sin,
- sizeof(l4->l4_sin)) == -1) {
- if (errno == EISCONN) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Connected fd %d\n",
- l4->l4_fd);
- connectl4(l4);
- return;
- }
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Connect failed fd %d: %s\n",
- l4->l4_fd, strerror(errno));
- closel4(l4, 1);
- return;
- }
- l4->l4_rw = 1;
-}
-
-
-void writefd(l4)
-l4cfg_t *l4;
-{
- int n, i, fd;
-
- fd = l4->l4_fd;
-
- if (l4->l4_rw == -2) {
- connectfd(l4);
- return;
- }
-
- n = l4->l4_wlen;
-
- i = send(fd, l4->l4_wptr, n, 0);
- if (i == 0 || i == -1) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Send on fd %d failed: %s\n",
- fd, strerror(errno));
- closel4(l4, 1);
- } else {
- l4->l4_wptr += i;
- l4->l4_wlen -= i;
- if (l4->l4_wlen == 0)
- l4->l4_rw = 0;
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Sent %d bytes to fd %d\n", i, fd);
- }
-}
-
-
-void readfd(l4)
-l4cfg_t *l4;
-{
- char buf[80], *ptr;
- int n, i, fd;
-
- fd = l4->l4_fd;
-
- if (l4->l4_rw == -2) {
- connectfd(l4);
- return;
- }
-
- if (l4->l4_rsize) {
- n = l4->l4_rsize - l4->l4_rlen;
- ptr = l4->l4_rbuf + l4->l4_rlen;
- } else {
- n = sizeof(buf) - 1;
- ptr = buf;
- }
-
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Read %d bytes on fd %d to %p\n",
- n, fd, ptr);
- i = recv(fd, ptr, n, 0);
- if (i == 0 || i == -1) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Read error on fd %d: %s\n",
- fd, (i == 0) ? "EOF" : strerror(errno));
- closel4(l4, 1);
- } else {
- if (ptr == buf)
- ptr[i] = '\0';
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "%d: Read %d bytes [%*.*s]\n",
- fd, i, i, i, ptr);
- if (ptr != buf) {
- l4->l4_rlen += i;
- if (l4->l4_rlen >= l4->l4_rsize) {
- if (!strncmp(response, l4->l4_rbuf,
- l4->l4_rsize)) {
- printf("%d: Good response\n",
- fd);
- if (!l4->l4_alive) {
- l4->l4_alive = 1;
- addnat(l4);
- }
- closel4(l4, 0);
- } else {
- if (opts & OPT_VERBOSE)
- printf("%d: Bad response\n",
- fd);
- closel4(l4, 1);
- }
- }
- } else if (!l4->l4_alive) {
- l4->l4_alive = 1;
- addnat(l4);
- closel4(l4, 0);
- }
- }
-}
-
-
-int runconfig()
-{
- int fd, opt, res, mfd, i;
- struct timeval tv;
- time_t now, now1;
- fd_set rfd, wfd;
- l4cfg_t *l4;
-
- mfd = 0;
- opt = 1;
- now = time(NULL);
-
- /*
- * First, initiate connections that are closed, as required.
- */
- for (l4 = l4list; l4; l4 = l4->l4_next) {
- if ((l4->l4_last + frequency < now) && (l4->l4_fd == -1)) {
- l4->l4_last = now;
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- continue;
- setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt,
- sizeof(opt));
-#ifdef O_NONBLOCK
- if ((res = fcntl(fd, F_GETFL, 0)) != -1)
- fcntl(fd, F_SETFL, res | O_NONBLOCK);
-#endif
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "Connecting to %s,%d (fd %d)...",
- inet_ntoa(l4->l4_sin.sin_addr),
- ntohs(l4->l4_sin.sin_port), fd);
- if (connect(fd, (struct sockaddr *)&l4->l4_sin,
- sizeof(l4->l4_sin)) == -1) {
- if (errno != EINPROGRESS) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "failed\n");
- perror("connect");
- close(fd);
- fd = -1;
- } else {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "waiting\n");
- l4->l4_rw = -2;
- }
- } else {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "connected\n");
- connectl4(l4);
- }
- l4->l4_fd = fd;
- }
- }
-
- /*
- * Now look for fd's which we're expecting to read/write from.
- */
- FD_ZERO(&rfd);
- FD_ZERO(&wfd);
- tv.tv_sec = MIN(rtimeout, ctimeout);
- tv.tv_usec = 0;
-
- for (l4 = l4list; l4; l4 = l4->l4_next)
- if (l4->l4_rw == 0) {
- if (now - l4->l4_last > rtimeout) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "%d: Read timeout\n",
- l4->l4_fd);
- closel4(l4, 1);
- continue;
- }
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Wait for read on fd %d\n",
- l4->l4_fd);
- FD_SET(l4->l4_fd, &rfd);
- if (l4->l4_fd > mfd)
- mfd = l4->l4_fd;
- } else if ((l4->l4_rw == 1 && l4->l4_wlen) ||
- l4->l4_rw == -2) {
- if ((l4->l4_rw == -2) &&
- (now - l4->l4_last > ctimeout)) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "%d: connect timeout\n",
- l4->l4_fd);
- closel4(l4);
- continue;
- }
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Wait for write on fd %d\n",
- l4->l4_fd);
- FD_SET(l4->l4_fd, &wfd);
- if (l4->l4_fd > mfd)
- mfd = l4->l4_fd;
- }
-
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Select: max fd %d wait %d\n", mfd + 1,
- tv.tv_sec);
- i = select(mfd + 1, &rfd, &wfd, NULL, &tv);
- if (i == -1) {
- perror("select");
- return -1;
- }
-
- now1 = time(NULL);
-
- for (l4 = l4list; (i > 0) && l4; l4 = l4->l4_next) {
- if (l4->l4_fd < 0)
- continue;
- if (FD_ISSET(l4->l4_fd, &rfd)) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Ready to read on fd %d\n",
- l4->l4_fd);
- readfd(l4);
- i--;
- }
-
- if ((l4->l4_fd >= 0) && FD_ISSET(l4->l4_fd, &wfd)) {
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Ready to write on fd %d\n",
- l4->l4_fd);
- writefd(l4);
- i--;
- }
- }
- return 0;
-}
-
-
-int gethostport(str, lnum, ipp, portp)
-char *str;
-int lnum;
-u_32_t *ipp;
-u_short *portp;
-{
- struct servent *sp;
- struct hostent *hp;
- char *host, *port;
-
- host = str;
- port = strchr(host, ',');
- if (port)
- *port++ = '\0';
-
-#ifdef HAVE_INET_ATON
- if (ISDIGIT(*host) && inet_aton(host, &ip))
- *ipp = ip.s_addr;
-#else
- if (ISDIGIT(*host))
- *ipp = inet_addr(host);
-#endif
- else {
- if (!(hp = gethostbyname(host))) {
- fprintf(stderr, "%d: can't resolve hostname: %s\n",
- lnum, host);
- return 0;
- }
- *ipp = *(u_32_t *)hp->h_addr;
- }
-
- if (port) {
- if (ISDIGIT(*port))
- *portp = htons(atoi(port));
- else {
- sp = getservbyname(port, "tcp");
- if (sp)
- *portp = sp->s_port;
- else {
- fprintf(stderr, "%d: unknown service %s\n",
- lnum, port);
- return 0;
- }
- }
- } else
- *portp = 0;
- return 1;
-}
-
-
-char *mapfile(file, sizep)
-char *file;
-size_t *sizep;
-{
- struct stat sb;
- caddr_t addr;
- int fd;
-
- fd = open(file, O_RDONLY);
- if (fd == -1) {
- perror("open(mapfile)");
- return NULL;
- }
-
- if (fstat(fd, &sb) == -1) {
- perror("fstat(mapfile)");
- close(fd);
- return NULL;
- }
-
- addr = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
- if (addr == (caddr_t)-1) {
- perror("mmap(mapfile)");
- close(fd);
- return NULL;
- }
- close(fd);
- *sizep = sb.st_size;
- return (char *)addr;
-}
-
-
-int readconfig(filename)
-char *filename;
-{
- char c, buf[512], *s, *t, *errtxt = NULL, *line;
- int num, err = 0;
- ipnat_t *ipn;
- l4cfg_t *l4;
- FILE *fp;
-
- fp = fopen(filename, "r");
- if (!fp) {
- perror("open(configfile)");
- return -1;
- }
-
- bzero((char *)&template, sizeof(template));
- template.l4_fd = -1;
- template.l4_rw = -1;
- template.l4_sin.sin_family = AF_INET;
- ipn = &template.l4_nat;
- ipn->in_flags = IPN_TCP|IPN_ROUNDR;
- ipn->in_redir = NAT_REDIRECT;
-
- for (num = 1; fgets(buf, sizeof(buf), fp); num++) {
- s = strchr(buf, '\n');
- if (!s) {
- fprintf(stderr, "%d: line too long\n", num);
- fclose(fp);
- return -1;
- }
-
- *s = '\0';
-
- /*
- * lines which are comments
- */
- s = strchr(buf, '#');
- if (s)
- *s = '\0';
-
- /*
- * Skip leading whitespace
- */
- for (line = buf; (c = *line) && ISSPACE(c); line++)
- ;
- if (!*line)
- continue;
-
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Parsing: [%s]\n", line);
- t = strtok(line, " \t");
- if (!t)
- continue;
- if (!strcasecmp(t, "interface")) {
- s = strtok(NULL, " \t");
- if (s)
- t = strtok(NULL, "\t");
- if (!s || !t) {
- errtxt = line;
- err = -1;
- break;
- }
-
- if (!strchr(t, ',')) {
- fprintf(stderr,
- "%d: local address,port missing\n",
- num);
- err = -1;
- break;
- }
-
- strncpy(ipn->in_ifnames[0], s, LIFNAMSIZ);
- strncpy(ipn->in_ifnames[1], s, LIFNAMSIZ);
- if (!gethostport(t, num, &ipn->in_outip,
- &ipn->in_pmin)) {
- errtxt = line;
- err = -1;
- break;
- }
- ipn->in_outmsk = 0xffffffff;
- ipn->in_pmax = ipn->in_pmin;
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "Interface %s %s/%#x port %u\n",
- ipn->in_ifnames[0],
- inet_ntoa(ipn->in_out[0].in4),
- ipn->in_outmsk, ipn->in_pmin);
- } else if (!strcasecmp(t, "remote")) {
- if (!*ipn->in_ifnames[0]) {
- fprintf(stderr,
- "%d: ifname not set prior to remote\n",
- num);
- err = -1;
- break;
- }
- s = strtok(NULL, " \t");
- if (s)
- t = strtok(NULL, "");
- if (!s || !t || strcasecmp(s, "server")) {
- errtxt = line;
- err = -1;
- break;
- }
-
- ipn->in_pnext = 0;
- if (!gethostport(t, num, &ipn->in_inip,
- &ipn->in_pnext)) {
- errtxt = line;
- err = -1;
- break;
- }
- ipn->in_inmsk = 0xffffffff;
- if (ipn->in_pnext == 0)
- ipn->in_pnext = ipn->in_pmin;
-
- l4 = (l4cfg_t *)malloc(sizeof(*l4));
- if (!l4) {
- fprintf(stderr, "%d: out of memory (%d)\n",
- num, sizeof(*l4));
- err = -1;
- break;
- }
- bcopy((char *)&template, (char *)l4, sizeof(*l4));
- l4->l4_sin.sin_addr = ipn->in_in[0].in4;
- l4->l4_sin.sin_port = ipn->in_pnext;
- l4->l4_next = l4list;
- l4list = l4;
- } else if (!strcasecmp(t, "connect")) {
- s = strtok(NULL, " \t");
- if (s)
- t = strtok(NULL, "\t");
- if (!s || !t) {
- errtxt = line;
- err = -1;
- break;
- } else if (!strcasecmp(s, "timeout")) {
- ctimeout = atoi(t);
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "connect timeout %d\n",
- ctimeout);
- } else if (!strcasecmp(s, "frequency")) {
- frequency = atoi(t);
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "connect frequency %d\n",
- frequency);
- } else {
- errtxt = line;
- err = -1;
- break;
- }
- } else if (!strcasecmp(t, "probe")) {
- s = strtok(NULL, " \t");
- if (!s) {
- errtxt = line;
- err = -1;
- break;
- } else if (!strcasecmp(s, "string")) {
- if (probe) {
- fprintf(stderr,
- "%d: probe already set\n",
- num);
- err = -1;
- break;
- }
- t = strtok(NULL, "");
- if (!t) {
- fprintf(stderr,
- "%d: No probe string\n", num);
- err = -1;
- break;
- }
-
- probe = malloc(strlen(t));
- copystr(probe, t);
- plen = strlen(probe);
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Probe string [%s]\n",
- probe);
- } else if (!strcasecmp(s, "file")) {
- t = strtok(NULL, " \t");
- if (!t) {
- errtxt = line;
- err = -1;
- break;
- }
- if (probe) {
- fprintf(stderr,
- "%d: probe already set\n",
- num);
- err = -1;
- break;
- }
- probe = mapfile(t, &plen);
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "Probe file %s len %u@%p\n",
- t, plen, probe);
- }
- } else if (!strcasecmp(t, "response")) {
- s = strtok(NULL, " \t");
- if (!s) {
- errtxt = line;
- err = -1;
- break;
- } else if (!strcasecmp(s, "timeout")) {
- t = strtok(NULL, " \t");
- if (!t) {
- errtxt = line;
- err = -1;
- break;
- }
- rtimeout = atoi(t);
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "response timeout %d\n",
- rtimeout);
- } else if (!strcasecmp(s, "string")) {
- if (response) {
- fprintf(stderr,
- "%d: response already set\n",
- num);
- err = -1;
- break;
- }
- response = strdup(strtok(NULL, ""));
- rlen = strlen(response);
- template.l4_rsize = rlen;
- template.l4_rbuf = malloc(rlen);
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "Response string [%s]\n",
- response);
- } else if (!strcasecmp(s, "file")) {
- t = strtok(NULL, " \t");
- if (!t) {
- errtxt = line;
- err = -1;
- break;
- }
- if (response) {
- fprintf(stderr,
- "%d: response already set\n",
- num);
- err = -1;
- break;
- }
- response = mapfile(t, &rlen);
- template.l4_rsize = rlen;
- template.l4_rbuf = malloc(rlen);
- if (opts & OPT_VERBOSE)
- fprintf(stderr,
- "Response file %s len %u@%p\n",
- t, rlen, response);
- }
- } else {
- errtxt = line;
- err = -1;
- break;
- }
- }
-
- if (errtxt)
- fprintf(stderr, "%d: syntax error at \"%s\"\n", num, errtxt);
- fclose(fp);
- return err;
-}
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s -f <configfile>\n", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- char *config = NULL;
- int c;
-
- while ((c = getopt(argc, argv, "f:nv")) != -1)
- switch (c)
- {
- case 'f' :
- config = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (config == NULL)
- usage(argv[0]);
-
- if (readconfig(config))
- exit(1);
-
- if (!l4list) {
- fprintf(stderr, "No remote servers, exiting.");
- exit(1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- natfd = open(IPNAT_NAME, O_RDWR);
- if (natfd == -1) {
- perror("open(IPL_NAT)");
- exit(1);
- }
- }
-
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "Starting...\n");
- while (runconfig() == 0)
- ;
-
- exit(1);
-}
diff --git a/contrib/ipfilter/l4check/l4check.conf b/contrib/ipfilter/l4check/l4check.conf
deleted file mode 100644
index d000e9f..0000000
--- a/contrib/ipfilter/l4check/l4check.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# NOTE: ORDER IS IMPORTANT IN THIS FILE
-#
-# Interface to do the redirections on and the IP address which will be
-# targeted.
-#
-interface nf0 192.168.1.1,2100
-#
-connect timeout 1
-connect frequency 20
-#
-# If no probe string is specified, a successful connection implies the
-# server is still alive.
-#
-probe string GET /\n\n
-#probe file http.check
-#
-response timeout 4
-response string <HTML>
-#response file http.ok
-#
-# Here we have multiple servers, listed because that's what happens to be
-# used for testing of connect timeoutes, read timeouts, success and things
-# which don't connect.
-#
-remote server 192.168.1.2,23
-remote server 192.168.1.2,2101
-remote server 192.168.1.3,25
-remote server 192.168.1.254,8000
-remote server 192.168.1.1,9
-#
diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile
deleted file mode 100644
index a838063..0000000
--- a/contrib/ipfilter/lib/Makefile
+++ /dev/null
@@ -1,310 +0,0 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $
-#
-INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
-
-LIBOBJS=$(DEST)/addicmp.o \
- $(DEST)/addipopt.o \
- $(DEST)/alist_free.o \
- $(DEST)/alist_new.o \
- $(DEST)/bcopywrap.o \
- $(DEST)/binprint.o \
- $(DEST)/buildopts.o \
- $(DEST)/checkrev.o \
- $(DEST)/count6bits.o \
- $(DEST)/count4bits.o \
- $(DEST)/debug.o \
- $(DEST)/facpri.o \
- $(DEST)/flags.o \
- $(DEST)/fill6bits.o \
- $(DEST)/gethost.o \
- $(DEST)/getifname.o \
- $(DEST)/getnattype.o \
- $(DEST)/getport.o \
- $(DEST)/getportproto.o \
- $(DEST)/getproto.o \
- $(DEST)/getsumd.o \
- $(DEST)/hostname.o \
- $(DEST)/icmpcode.o \
- $(DEST)/inet_addr.o \
- $(DEST)/initparse.o \
- $(DEST)/ionames.o \
- $(DEST)/ipoptsec.o \
- $(DEST)/ipf_dotuning.o \
- $(DEST)/ipft_ef.o \
- $(DEST)/ipft_hx.o \
- $(DEST)/ipft_pc.o \
- $(DEST)/ipft_sn.o \
- $(DEST)/ipft_td.o \
- $(DEST)/ipft_tx.o \
- $(DEST)/kmem.o \
- $(DEST)/kmemcpywrap.o \
- $(DEST)/kvatoname.o \
- $(DEST)/load_file.o \
- $(DEST)/load_hash.o \
- $(DEST)/load_hashnode.o \
- $(DEST)/load_http.o \
- $(DEST)/load_pool.o \
- $(DEST)/load_poolnode.o \
- $(DEST)/load_url.o \
- $(DEST)/mutex_emul.o \
- $(DEST)/nametokva.o \
- $(DEST)/nat_setgroupmap.o \
- $(DEST)/ntomask.o \
- $(DEST)/optname.o \
- $(DEST)/optprint.o \
- $(DEST)/optprintv6.o \
- $(DEST)/optvalue.o \
- $(DEST)/portname.o \
- $(DEST)/print_toif.o \
- $(DEST)/printactivenat.o \
- $(DEST)/printaps.o \
- $(DEST)/printbuf.o \
- $(DEST)/printhash.o \
- $(DEST)/printhashdata.o \
- $(DEST)/printhashnode.o \
- $(DEST)/printhash_live.o \
- $(DEST)/printip.o \
- $(DEST)/printpool.o \
- $(DEST)/printpooldata.o \
- $(DEST)/printpoolnode.o \
- $(DEST)/printpool_live.o \
- $(DEST)/printproto.o \
- $(DEST)/printfr.o \
- $(DEST)/printfraginfo.o \
- $(DEST)/printhostmap.o \
- $(DEST)/printifname.o \
- $(DEST)/printhostmask.o \
- $(DEST)/printlog.o \
- $(DEST)/printmask.o \
- $(DEST)/printnat.o \
- $(DEST)/printportcmp.o \
- $(DEST)/printpacket.o \
- $(DEST)/printpacket6.o \
- $(DEST)/printsbuf.o \
- $(DEST)/printstate.o \
- $(DEST)/printtqtable.o \
- $(DEST)/printtunable.o \
- $(DEST)/remove_hash.o \
- $(DEST)/remove_hashnode.o \
- $(DEST)/remove_pool.o \
- $(DEST)/remove_poolnode.o \
- $(DEST)/resetlexer.o \
- $(DEST)/rwlock_emul.o \
- $(DEST)/tcpflags.o \
- $(DEST)/tcp_flags.o \
- $(DEST)/var.o \
- $(DEST)/verbose.o \
- $(DEST)/v6ionames.o \
- $(DEST)/v6optvalue.o
-
-$(DEST)/libipf.a: $(LIBOBJS)
- /bin/rm -f $@
- ar $(AROPTS) $@ $(LIBOBJS)
- $(RANLIB) $@
-
-$(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@
-$(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@
-$(DEST)/alist_free.o: $(LIBSRC)/alist_free.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@
-$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@
-$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
-$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/binprint.c -o $@
-$(DEST)/buildopts.o: $(LIBSRC)/buildopts.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/buildopts.c -o $@
-$(DEST)/count6bits.o: $(LIBSRC)/count6bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/count6bits.c -o $@
-$(DEST)/checkrev.o: $(LIBSRC)/checkrev.c $(INCDEP) $(TOP)/ipl.h
- $(CC) $(CCARGS) -c $(LIBSRC)/checkrev.c -o $@
-$(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
-$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
-$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
-$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
-$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
-$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
-$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getifname.c -o $@
-$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getnattype.c -o $@
-$(DEST)/getport.o: $(LIBSRC)/getport.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getport.c -o $@
-$(DEST)/getportproto.o: $(LIBSRC)/getportproto.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getportproto.c -o $@
-$(DEST)/getproto.o: $(LIBSRC)/getproto.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getproto.c -o $@
-$(DEST)/getsumd.o: $(LIBSRC)/getsumd.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getsumd.c -o $@
-$(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
-$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
-$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipoptsec.c -o $@
-$(DEST)/inet_addr.o: $(LIBSRC)/inet_addr.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/inet_addr.c -o $@
-$(DEST)/initparse.o: $(LIBSRC)/initparse.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/initparse.c -o $@
-$(DEST)/ionames.o: $(LIBSRC)/ionames.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ionames.c -o $@
-$(DEST)/ipf_dotuning.o: $(LIBSRC)/ipf_dotuning.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipf_dotuning.c -o $@
-$(DEST)/ipft_ef.o: $(LIBSRC)/ipft_ef.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_ef.c -o $@
-$(DEST)/ipft_hx.o: $(LIBSRC)/ipft_hx.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_hx.c -o $@
-$(DEST)/ipft_pc.o: $(LIBSRC)/ipft_pc.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_pc.c -o $@
-$(DEST)/ipft_sn.o: $(LIBSRC)/ipft_sn.c $(TOP)/snoop.h
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_sn.c -o $@
-$(DEST)/ipft_td.o: $(LIBSRC)/ipft_td.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_td.c -o $@
-$(DEST)/ipft_tx.o: $(LIBSRC)/ipft_tx.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_tx.c -o $@
-$(DEST)/kmem.o: $(LIBSRC)/kmem.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/kmem.c -o $@
-$(DEST)/kmemcpywrap.o: $(LIBSRC)/kmemcpywrap.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/kmemcpywrap.c -o $@
-$(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@
-$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@
-$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@
-$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/load_hashnode.c -o $@
-$(DEST)/load_http.o: $(LIBSRC)/load_http.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/load_http.c -o $@
-$(DEST)/load_pool.o: $(LIBSRC)/load_pool.c $(INCDEP) $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -c $(LIBSRC)/load_pool.c -o $@
-$(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@
-$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@
-$(DEST)/make_range.o: $(LIBSRC)/make_range.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/make_range.c -o $@
-$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/mutex_emul.c -o $@
-$(DEST)/nametokva.o: $(LIBSRC)/nametokva.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/nametokva.c -o $@
-$(DEST)/nat_setgroupmap.o: $(LIBSRC)/nat_setgroupmap.c $(TOP)/ip_compat.h \
- $(TOP)/ipf.h $(TOP)/ip_nat.h
- $(CC) $(CCARGS) -c $(LIBSRC)/nat_setgroupmap.c -o $@
-$(DEST)/ntomask.o: $(LIBSRC)/ntomask.c $(TOP)/ip_compat.h
- $(CC) $(CCARGS) -c $(LIBSRC)/ntomask.c -o $@
-$(DEST)/optname.o: $(LIBSRC)/optname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/optname.c -o $@
-$(DEST)/optprint.o: $(LIBSRC)/optprint.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/optprint.c -o $@
-$(DEST)/optprintv6.o: $(LIBSRC)/optprintv6.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/optprintv6.c -o $@
-$(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
-$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
-$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
-$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printactivenat.c -o $@
-$(DEST)/printaps.o: $(LIBSRC)/printaps.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printaps.c -o $@
-$(DEST)/printbuf.o: $(LIBSRC)/printbuf.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printbuf.c -o $@
-$(DEST)/printfr.o: $(LIBSRC)/printfr.c $(TOP)/ip_fil.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printfr.c -o $@
-$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@
-$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@
-$(DEST)/printhashdata.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@
-$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \
- $(TOP)/ip_htable.h $(TOP)/ip_lookup.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@
-$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@
-$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@
-$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@
-$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@
-$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \
- $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@
-$(DEST)/printpool_live.o: $(LIBSRC)/printpool_live.c $(TOP)/ip_fil.h \
- $(TOP)/ip_pool.h $(TOP)/ip_lookup.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@
-$(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@
-$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@
-$(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printifname.c -o $@
-$(DEST)/printmask.o: $(LIBSRC)/printmask.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printmask.c -o $@
-$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printnat.c -o $@
-$(DEST)/printhostmask.o: $(LIBSRC)/printhostmask.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printhostmask.c -o $@
-$(DEST)/printlog.o: $(LIBSRC)/printlog.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printlog.c -o $@
-$(DEST)/printpacket.o: $(LIBSRC)/printpacket.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printpacket.c -o $@
-$(DEST)/printpacket6.o: $(LIBSRC)/printpacket6.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printpacket6.c -o $@
-$(DEST)/printportcmp.o: $(LIBSRC)/printportcmp.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printportcmp.c -o $@
-$(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@
-$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h
- $(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@
-$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@
-$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@
-$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \
- $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@
-$(DEST)/remove_hashnode.o: $(LIBSRC)/remove_hashnode.c $(INCDEP) \
- $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/remove_hashnode.c -o $@
-$(DEST)/remove_pool.o: $(LIBSRC)/remove_pool.c $(INCDEP) \
- $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/remove_pool.c -o $@
-$(DEST)/remove_poolnode.o: $(LIBSRC)/remove_poolnode.c $(INCDEP) \
- $(TOP)/ip_htable.h
- $(CC) $(CCARGS) -c $(LIBSRC)/remove_poolnode.c -o $@
-$(DEST)/resetlexer.o: $(LIBSRC)/resetlexer.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/resetlexer.c -o $@
-$(DEST)/rwlock_emul.o: $(LIBSRC)/rwlock_emul.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/rwlock_emul.c -o $@
-$(DEST)/tcpflags.o: $(LIBSRC)/tcpflags.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/tcpflags.c -o $@
-$(DEST)/tcp_flags.o: $(LIBSRC)/tcp_flags.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/tcp_flags.c -o $@
-$(DEST)/var.o: $(LIBSRC)/var.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/var.c -o $@
-$(DEST)/verbose.o: $(LIBSRC)/verbose.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/verbose.c -o $@
-$(DEST)/v6ionames.o: $(LIBSRC)/v6ionames.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/v6ionames.c -o $@
-$(DEST)/v6optvalue.o: $(LIBSRC)/v6optvalue.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/v6optvalue.c -o $@
-
-clean-lib:
- /bin/rm -f ${LIBOBJS} ${LIB}
diff --git a/contrib/ipfilter/lib/addicmp.c b/contrib/ipfilter/lib/addicmp.c
deleted file mode 100644
index 2567397..0000000
--- a/contrib/ipfilter/lib/addicmp.c
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: addicmp.c,v 1.10.2.5 2006/06/16 17:20:55 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-
-char *icmptypes[MAX_ICMPTYPE + 1] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
diff --git a/contrib/ipfilter/lib/addipopt.c b/contrib/ipfilter/lib/addipopt.c
deleted file mode 100644
index 17fac0d..0000000
--- a/contrib/ipfilter/lib/addipopt.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: addipopt.c,v 1.7.4.1 2006/06/16 17:20:56 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- int olen = len;
- struct in_addr ipadr;
- u_short val;
- u_char lvl;
- char *s;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- s = op;
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- if (class) {
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- ipadr.s_addr = inet_addr(class);
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
- }
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
- }
- if (opts & OPT_DEBUG)
- fprintf(stderr, "bo: %s %d %#x: %d\n",
- io->on_name, io->on_value, io->on_bit, len);
- return len - olen;
-}
diff --git a/contrib/ipfilter/lib/addkeep.c b/contrib/ipfilter/lib/addkeep.c
deleted file mode 100644
index bbc7759..0000000
--- a/contrib/ipfilter/lib/addkeep.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: addkeep.c,v 1.12 2003/12/01 01:59:42 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * Parses "keep state" and "keep frags" stuff on the end of a line.
- */
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char *s;
-
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: Missing state/frag after keep\n",
- linenum);
- return -1;
- }
-
- if (!strcasecmp(**cp, "state")) {
- fp->fr_flags |= FR_KEEPSTATE;
- (*cp)++;
- if (**cp && !strcasecmp(**cp, "limit")) {
- (*cp)++;
- fp->fr_statemax = atoi(**cp);
- (*cp)++;
- }
- if (**cp && !strcasecmp(**cp, "scan")) {
- (*cp)++;
- if (!strcmp(**cp, "*")) {
- fp->fr_isc = NULL;
- fp->fr_isctag[0] = '\0';
- } else {
- strncpy(fp->fr_isctag, **cp,
- sizeof(fp->fr_isctag));
- fp->fr_isctag[sizeof(fp->fr_isctag)-1] = '\0';
- fp->fr_isc = NULL;
- }
- (*cp)++;
- } else
- fp->fr_isc = (struct ipscan *)-1;
- } else if (!strncasecmp(**cp, "frag", 4)) {
- fp->fr_flags |= FR_KEEPFRAG;
- (*cp)++;
- } else if (!strcasecmp(**cp, "state-age")) {
- if (fp->fr_ip.fi_p == IPPROTO_TCP) {
- fprintf(stderr, "%d: cannot use state-age with tcp\n",
- linenum);
- return -1;
- }
- if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
- fprintf(stderr, "%d: state-age with no 'keep state'\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: state-age with no arg\n",
- linenum);
- return -1;
- }
- fp->fr_age[0] = atoi(**cp);
- s = strchr(**cp, '/');
- if (s != NULL) {
- s++;
- fp->fr_age[1] = atoi(s);
- } else
- fp->fr_age[1] = fp->fr_age[0];
- } else {
- fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
- linenum, **cp);
- return -1;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/alist_free.c b/contrib/ipfilter/lib/alist_free.c
deleted file mode 100644
index 3c1a518..0000000
--- a/contrib/ipfilter/lib/alist_free.c
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) 2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: alist_free.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
- */
-#include "ipf.h"
-
-void
-alist_free(hosts)
-alist_t *hosts;
-{
- alist_t *a, *next;
-
- for (a = hosts; a != NULL; a = next) {
- next = a->al_next;
- free(a);
- }
-}
diff --git a/contrib/ipfilter/lib/alist_new.c b/contrib/ipfilter/lib/alist_new.c
deleted file mode 100644
index 50a4275..0000000
--- a/contrib/ipfilter/lib/alist_new.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (C) 2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: alist_new.c,v 1.1.2.3 2007/06/06 08:05:33 darrenr Exp $
- */
-
-#include "ipf.h"
-
-alist_t *
-alist_new(int v, char *host)
-{
- int a, b, c, d, bits;
- char *slash;
- alist_t *al;
- u_int mask;
-
- al = calloc(1, sizeof(*al));
- if (al == NULL) {
- fprintf(stderr, "alist_new out of memory\n");
- return NULL;
- }
-
- bits = -1;
- slash = strchr(host, '/');
- if (slash != NULL) {
- *slash = '\0';
- bits = atoi(slash + 1);
- }
-
- a = b = c = d = -1;
- sscanf(host, "%d.%d.%d.%d", &a, &b, &c, &d);
-
- if (bits > 0 && bits < 33) {
- mask = 0xffffffff << (32 - bits);
- } else if (b == -1) {
- mask = 0xff000000;
- b = c = d = 0;
- } else if (c == -1) {
- mask = 0xffff0000;
- c = d = 0;
- } else if (d == -1) {
- mask = 0xffffff00;
- d = 0;
- } else {
- mask = 0xffffffff;
- }
-
- if (*host == '!') {
- al->al_not = 1;
- host++;
- }
-
- if (gethost(host, &al->al_addr) == -1) {
- if (slash != NULL)
- *slash = '/';
- fprintf(stderr, "Cannot parse hostname\n");
- free(al);
- return NULL;
- }
- al->al_mask = htonl(mask);
- if (slash != NULL)
- *slash = '/';
- return al;
-}
diff --git a/contrib/ipfilter/lib/bcopywrap.c b/contrib/ipfilter/lib/bcopywrap.c
deleted file mode 100644
index 83fd04b..0000000
--- a/contrib/ipfilter/lib/bcopywrap.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: bcopywrap.c,v 1.1.4.1 2006/06/16 17:20:56 darrenr Exp $
- */
-
-#include "ipf.h"
-
-int bcopywrap(from, to, size)
-void *from, *to;
-size_t size;
-{
- bcopy((caddr_t)from, (caddr_t)to, size);
- return 0;
-}
-
diff --git a/contrib/ipfilter/lib/binprint.c b/contrib/ipfilter/lib/binprint.c
deleted file mode 100644
index 4eb3828..0000000
--- a/contrib/ipfilter/lib/binprint.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: binprint.c,v 1.8.4.1 2006/06/16 17:20:56 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void binprint(ptr, size)
-void *ptr;
-size_t size;
-{
- u_char *s;
- int i, j;
-
- for (i = size, j = 0, s = (u_char *)ptr; i; i--, s++) {
- j++;
- printf("%02x ", *s);
- if (j == 16) {
- printf("\n");
- j = 0;
- }
- }
- putchar('\n');
- (void)fflush(stdout);
-}
diff --git a/contrib/ipfilter/lib/buildopts.c b/contrib/ipfilter/lib/buildopts.c
deleted file mode 100644
index d493f5e..0000000
--- a/contrib/ipfilter/lib/buildopts.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: buildopts.c,v 1.6.4.1 2006/06/16 17:20:56 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
- *op++ = IPOPT_EOL;
- len++;
- return len;
-}
diff --git a/contrib/ipfilter/lib/checkrev.c b/contrib/ipfilter/lib/checkrev.c
deleted file mode 100644
index 3c40226..0000000
--- a/contrib/ipfilter/lib/checkrev.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2000-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: checkrev.c,v 1.12.2.2 2006/06/16 17:20:56 darrenr Exp $
- */
-
-#include <sys/ioctl.h>
-#include <fcntl.h>
-
-#include "ipf.h"
-#include "netinet/ipl.h"
-
-int checkrev(ipfname)
-char *ipfname;
-{
- static int vfd = -1;
- struct friostat fio, *fiop = &fio;
- ipfobj_t ipfo;
-
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_size = sizeof(*fiop);
- ipfo.ipfo_ptr = (void *)fiop;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
-
- if ((vfd == -1) && ((vfd = open(ipfname, O_RDONLY)) == -1)) {
- perror("open device");
- return -1;
- }
-
- if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- vfd = -1;
- return -1;
- }
-
- if (strncmp(IPL_VERSION, fio.f_version, sizeof(fio.f_version))) {
- return -1;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/count4bits.c b/contrib/ipfilter/lib/count4bits.c
deleted file mode 100644
index 51e6025..0000000
--- a/contrib/ipfilter/lib/count4bits.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: count4bits.c,v 1.1.4.1 2006/06/16 17:20:57 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int count4bits(ip)
-u_int ip;
-{
- int cnt = 0, i, j;
- u_int ipn;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
diff --git a/contrib/ipfilter/lib/count6bits.c b/contrib/ipfilter/lib/count6bits.c
deleted file mode 100644
index be090b7..0000000
--- a/contrib/ipfilter/lib/count6bits.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2000-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: count6bits.c,v 1.4.4.1 2006/06/16 17:20:57 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int count6bits(msk)
-u_32_t *msk;
-{
- int i = 0, k;
- u_32_t j;
-
- for (k = 3; k >= 0; k--)
- if (msk[k] == 0xffffffff)
- i += 32;
- else {
- for (j = msk[k]; j; j <<= 1)
- if (j & 0x80000000)
- i++;
- }
- return i;
-}
diff --git a/contrib/ipfilter/lib/debug.c b/contrib/ipfilter/lib/debug.c
deleted file mode 100644
index 144bc02..0000000
--- a/contrib/ipfilter/lib/debug.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2000-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: debug.c,v 1.6.4.1 2006/06/16 17:20:57 darrenr Exp $
- */
-
-#if defined(__STDC__)
-# include <stdarg.h>
-#else
-# include <varargs.h>
-#endif
-#include <stdio.h>
-
-#include "ipt.h"
-#include "opts.h"
-
-
-#ifdef __STDC__
-void debug(char *fmt, ...)
-#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
-
- if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
diff --git a/contrib/ipfilter/lib/extras.c b/contrib/ipfilter/lib/extras.c
deleted file mode 100644
index 9087ca6..0000000
--- a/contrib/ipfilter/lib/extras.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: extras.c,v 1.12 2002/07/13 12:06:49 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * deal with extra bits on end of the line
- */
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
- u_short secmsk;
- u_long opts;
- int notopt;
-
- opts = 0;
- secmsk = 0;
- notopt = 0;
- (*cp)++;
- if (!**cp)
- return -1;
-
- while (**cp) {
- if (!strcasecmp(**cp, "not") || !strcasecmp(**cp, "no")) {
- notopt = 1;
- (*cp)++;
- continue;
- } else if (!strncasecmp(**cp, "ipopt", 5)) {
- if (!notopt)
- fr->fr_flx |= FI_OPTIONS;
- fr->fr_mflx |= FI_OPTIONS;
- goto nextopt;
- } else if (!strcasecmp(**cp, "lowttl")) {
- if (!notopt)
- fr->fr_flx |= FI_LOWTTL;
- fr->fr_mflx |= FI_LOWTTL;
- goto nextopt;
- } else if (!strcasecmp(**cp, "bad-src")) {
- if (!notopt)
- fr->fr_flx |= FI_BADSRC;
- fr->fr_mflx |= FI_BADSRC;
- goto nextopt;
- } else if (!strncasecmp(**cp, "mbcast", 6)) {
- if (!notopt)
- fr->fr_flx |= FI_MBCAST;
- fr->fr_mflx |= FI_MBCAST;
- goto nextopt;
- } else if (!strncasecmp(**cp, "nat", 3)) {
- if (!notopt)
- fr->fr_flx |= FI_NATED;
- fr->fr_mflx |= FI_NATED;
- goto nextopt;
- } else if (!strncasecmp(**cp, "frag", 4)) {
- if (!notopt)
- fr->fr_flx |= FI_FRAG;
- fr->fr_mflx |= FI_FRAG;
- goto nextopt;
- } else if (!strncasecmp(**cp, "opt", 3)) {
- if (!*(*cp + 1)) {
- fprintf(stderr, "%d: opt missing arguements\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!(opts = optname(cp, &secmsk, linenum)))
- return -1;
-
- if (notopt) {
- if (!secmsk) {
- fr->fr_optmask |= opts;
- } else {
- fr->fr_optmask |= (opts & ~0x0100);
- fr->fr_secmask |= secmsk;
- }
- fr->fr_secbits &= ~secmsk;
- fr->fr_optbits &= ~opts;
- } else {
- fr->fr_optmask |= opts;
- fr->fr_secmask |= secmsk;
- fr->fr_optbits |= opts;
- fr->fr_secbits |= secmsk;
- }
- } else if (!strncasecmp(**cp, "short", 5)) {
- if (fr->fr_tcpf) {
- fprintf(stderr,
- "%d: short cannot be used with TCP flags\n",
- linenum);
- return -1;
- }
-
- if (!notopt)
- fr->fr_flx |= FI_SHORT;
- fr->fr_mflx |= FI_SHORT;
- goto nextopt;
- } else
- return -1;
-nextopt:
- notopt = 0;
- opts = 0;
- secmsk = 0;
- (*cp)++;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/facpri.c b/contrib/ipfilter/lib/facpri.c
deleted file mode 100644
index 6785e22..0000000
--- a/contrib/ipfilter/lib/facpri.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <syslog.h>
-#include "facpri.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6.2.5 2006/06/16 17:20:58 darrenr Exp $";
-#endif
-
-
-typedef struct table {
- char *name;
- int value;
-} table_t;
-
-table_t facs[] = {
- { "kern", LOG_KERN }, { "user", LOG_USER },
- { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
- { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
- { "lpr", LOG_LPR }, { "news", LOG_NEWS },
- { "uucp", LOG_UUCP },
-#if LOG_CRON == LOG_CRON2
- { "cron2", LOG_CRON1 },
-#else
- { "cron", LOG_CRON1 },
-#endif
-#ifdef LOG_FTP
- { "ftp", LOG_FTP },
-#endif
-#ifdef LOG_AUTHPRIV
- { "authpriv", LOG_AUTHPRIV },
-#endif
-#ifdef LOG_AUDIT
- { "audit", LOG_AUDIT },
-#endif
-#ifdef LOG_LFMT
- { "logalert", LOG_LFMT },
-#endif
-#if LOG_CRON == LOG_CRON1
- { "cron", LOG_CRON2 },
-#else
- { "cron2", LOG_CRON2 },
-#endif
-#ifdef LOG_SECURITY
- { "security", LOG_SECURITY },
-#endif
- { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
- { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
- { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
- { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
- { NULL, 0 }
-};
-
-
-/*
- * map a facility number to its name
- */
-char *
-fac_toname(facpri)
- int facpri;
-{
- int i, j, fac;
-
- fac = facpri & LOG_FACMASK;
- j = fac >> 3;
- if (j < (sizeof(facs)/sizeof(facs[0]))) {
- if (facs[j].value == fac)
- return facs[j].name;
- }
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
-
- return NULL;
-}
-
-
-/*
- * map a facility name to its number
- */
-int
-fac_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; facs[i].name; i++)
- if (!strcmp(facs[i].name, name))
- return facs[i].value;
- return -1;
-}
-
-
-table_t pris[] = {
- { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
- { "crit", LOG_CRIT }, { "err", LOG_ERR },
- { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
- { "info", LOG_INFO }, { "debug", LOG_DEBUG },
- { NULL, 0 }
-};
-
-
-/*
- * map a priority number to its name
- */
-char *
-pri_toname(facpri)
- int facpri;
-{
- int i, pri;
-
- pri = facpri & LOG_PRIMASK;
- if (pris[pri].value == pri)
- return pris[pri].name;
- for (i = 0; pris[i].name; i++)
- if (pri == pris[i].value)
- return pris[i].name;
- return NULL;
-}
diff --git a/contrib/ipfilter/lib/facpri.h b/contrib/ipfilter/lib/facpri.h
deleted file mode 100644
index b6d5f5a..0000000
--- a/contrib/ipfilter/lib/facpri.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2000-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: facpri.h,v 1.3.4.1 2006/06/16 17:20:58 darrenr Exp $
- */
-
-#ifndef __FACPRI_H__
-#define __FACPRI_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-
-extern char *pri_toname __P((int));
-extern int pri_findname __P((char *));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#if LOG_CRON == (9<<3)
-# define LOG_CRON1 LOG_CRON
-# define LOG_CRON2 (15<<3)
-#endif
-#if LOG_CRON == (15<<3)
-# define LOG_CRON1 (9<<3)
-# define LOG_CRON2 LOG_CRON
-#endif
-
-#endif /* __FACPRI_H__ */
diff --git a/contrib/ipfilter/lib/fill6bits.c b/contrib/ipfilter/lib/fill6bits.c
deleted file mode 100644
index a5f459a..0000000
--- a/contrib/ipfilter/lib/fill6bits.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: fill6bits.c,v 1.5.4.1 2006/06/16 17:20:58 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void fill6bits(bits, msk)
-int bits;
-u_int *msk;
-{
- if (bits == 0) {
- msk[0] = 0;
- msk[1] = 0;
- msk[2] = 0;
- msk[3] = 0;
- return;
- }
-
- msk[0] = 0xffffffff;
- msk[1] = 0xffffffff;
- msk[2] = 0xffffffff;
- msk[3] = 0xffffffff;
-
- if (bits == 128)
- return;
- if (bits > 96) {
- msk[3] = htonl(msk[3] << (128 - bits));
- } else if (bits > 64) {
- msk[3] = 0;
- msk[2] = htonl(msk[2] << (96 - bits));
- } else if (bits > 32) {
- msk[3] = 0;
- msk[2] = 0;
- msk[1] = htonl(msk[1] << (64 - bits));
- } else {
- msk[3] = 0;
- msk[2] = 0;
- msk[1] = 0;
- msk[0] = htonl(msk[0] << (32 - bits));
- }
-}
diff --git a/contrib/ipfilter/lib/flags.c b/contrib/ipfilter/lib/flags.c
deleted file mode 100644
index 4baf3bd..0000000
--- a/contrib/ipfilter/lib/flags.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (C) 2001-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: flags.c,v 1.4.4.1 2006/06/16 17:20:58 darrenr Exp $
- */
-
-#include "ipf.h"
-
-/*
- * ECN is a new addition to TCP - RFC 2481
- */
-#ifndef TH_ECN
-# define TH_ECN 0x40
-#endif
-#ifndef TH_CWR
-# define TH_CWR 0x80
-#endif
-
-char flagset[] = "FSRPAUEC";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
- TH_ECN, TH_CWR };
diff --git a/contrib/ipfilter/lib/genmask.c b/contrib/ipfilter/lib/genmask.c
deleted file mode 100644
index 238e5b6..0000000
--- a/contrib/ipfilter/lib/genmask.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: genmask.c,v 1.7 2003/11/11 13:40:15 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int genmask(msk, mskp)
-char *msk;
-u_32_t *mskp;
-{
- char *endptr = 0L;
- int bits;
-
- if (strchr(msk, '.') || strchr(msk, 'x') || strchr(msk, ':')) {
- /* possibly of the form xxx.xxx.xxx.xxx
- * or 0xYYYYYYYY */
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, msk, mskp) != 1)
- return -1;
- } else
-#endif
- if (inet_aton(msk, (struct in_addr *)mskp) == 0)
- return -1;
- } else {
- /*
- * set x most significant bits
- */
- bits = (int)strtol(msk, &endptr, 0);
-#ifdef USE_INET6
- if ((*endptr != '\0') ||
- ((bits > 32) && !use_inet6) || (bits < 0) ||
- ((bits > 128) && use_inet6))
-#else
- if (*endptr != '\0' || bits > 32 || bits < 0)
-#endif
- return -1;
-#ifdef USE_INET6
- if (use_inet6)
- fill6bits(bits, mskp);
- else
-#endif
- if (bits == 0)
- *mskp = 0;
- else
- *mskp = htonl(0xffffffff << (32 - bits));
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/gethost.c b/contrib/ipfilter/lib/gethost.c
deleted file mode 100644
index d97766f..0000000
--- a/contrib/ipfilter/lib/gethost.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: gethost.c,v 1.3.2.2 2006/06/16 17:20:59 darrenr Exp $
- */
-
-#include "ipf.h"
-
-int gethost(name, hostp)
-char *name;
-u_32_t *hostp;
-{
- struct hostent *h;
- struct netent *n;
- u_32_t addr;
-
- if (!strcmp(name, "test.host.dots")) {
- *hostp = htonl(0xfedcba98);
- return 0;
- }
-
- if (!strcmp(name, "<thishost>"))
- name = thishost;
-
- h = gethostbyname(name);
- if (h != NULL) {
- if ((h->h_addr != NULL) && (h->h_length == sizeof(addr))) {
- bcopy(h->h_addr, (char *)&addr, sizeof(addr));
- *hostp = addr;
- return 0;
- }
- }
-
- n = getnetbyname(name);
- if (n != NULL) {
- *hostp = (u_32_t)htonl(n->n_net & 0xffffffff);
- return 0;
- }
- return -1;
-}
diff --git a/contrib/ipfilter/lib/getifname.c b/contrib/ipfilter/lib/getifname.c
deleted file mode 100644
index 6163239..0000000
--- a/contrib/ipfilter/lib/getifname.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getifname.c,v 1.5.2.3 2006/07/14 06:12:24 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#include "kmem.h"
-
-/*
- * Given a pointer to an interface in the kernel, return a pointer to a
- * string which is the interface name.
- */
-#if 0
-char *getifname(ptr)
-struct ifnet *ptr;
-{
-#if SOLARIS || defined(__hpux)
-# if SOLARIS
-# include <sys/mutex.h>
-# include <sys/condvar.h>
-# endif
-# ifdef __hpux
-# include "compat.h"
-# endif
-# include "../pfil/qif.h"
- char *ifname;
- qif_t qif;
-
- if ((void *)ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&qif, (u_long)ptr, sizeof(qif)) == -1)
- return "X";
- ifname = strdup(qif.qf_name);
- if ((ifname != NULL) && (*ifname == '\0')) {
- free(ifname);
- return "!";
- }
- return ifname;
-#else
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
-#else
- char buf[32];
- int len;
-# endif
- struct ifnet netif;
-
- if ((void *)ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__) || defined(linux) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113))
- return strdup(netif.if_xname);
-# else
- if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-# endif
-#endif
-}
-#else
-char *getifname(ptr)
-struct ifnet *ptr;
-{
- return "X";
-}
-#endif
diff --git a/contrib/ipfilter/lib/getline.c b/contrib/ipfilter/lib/getline.c
deleted file mode 100644
index 7d06d43..0000000
--- a/contrib/ipfilter/lib/getline.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getline.c,v 1.3 2001/06/09 17:09:24 darrenr Exp $
- */
-
-#include <stdio.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <string.h>
-#include "ipf.h"
-
-
-/*
- * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
- * Returns NULL if error occured, EOF encounterd or input line is too long.
- */
-char *getline(str, size, file, linenum)
-register char *str;
-size_t size;
-FILE *file;
-int *linenum;
-{
- char *p;
- int s, len;
-
- do {
- for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
- /*
- * if an error occured, EOF was encounterd, or there
- * was no room to put NUL, return NULL.
- */
- if (fgets(p, s, file) == NULL)
- return (NULL);
- len = strlen(p);
- if (p[len - 1] != '\n') {
- p[len] = '\0';
- break;
- }
- (*linenum)++;
- p[len - 1] = '\0';
- if (len < 2 || p[len - 2] != '\\')
- break;
- else
- /*
- * Convert '\\' to a space so words don't
- * run together
- */
- p[len - 2] = ' ';
- }
- } while (*str == '\0');
- return (str);
-}
diff --git a/contrib/ipfilter/lib/getnattype.c b/contrib/ipfilter/lib/getnattype.c
deleted file mode 100644
index 04463c2..0000000
--- a/contrib/ipfilter/lib/getnattype.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#include "ipf.h"
-#include "kmem.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3.2.2 2006/07/14 06:12:24 darrenr Exp $";
-#endif
-
-
-/*
- * Get a nat filter type given its kernel address.
- */
-char *getnattype(nat, alive)
-nat_t *nat;
-int alive;
-{
- static char unknownbuf[20];
- ipnat_t *ipn, ipnat;
- char *which;
- int type;
-
- if (!nat)
- return "???";
- if (alive) {
- type = nat->nat_redir;
- } else {
- ipn = nat->nat_ptr;
- if (kmemcpy((char *)&ipnat, (long)ipn, sizeof(ipnat)))
- return "!!!";
- type = ipnat.in_redir;
- }
-
- switch (type)
- {
- case NAT_MAP :
- which = "MAP";
- break;
- case NAT_MAPBLK :
- which = "MAP-BLOCK";
- break;
- case NAT_REDIRECT :
- which = "RDR";
- break;
- case NAT_BIMAP :
- which = "BIMAP";
- break;
- default :
- sprintf(unknownbuf, "unknown(%04x)", type & 0xffffffff);
- which = unknownbuf;
- break;
- }
- return which;
-}
diff --git a/contrib/ipfilter/lib/getport.c b/contrib/ipfilter/lib/getport.c
deleted file mode 100644
index 1c5177c..0000000
--- a/contrib/ipfilter/lib/getport.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getport.c,v 1.1.4.6 2006/06/16 17:21:00 darrenr Exp $
- */
-
-#include "ipf.h"
-
-int getport(fr, name, port)
-frentry_t *fr;
-char *name;
-u_short *port;
-{
- struct protoent *p;
- struct servent *s;
- u_short p1;
-
- if (fr == NULL || fr->fr_type != FR_T_IPF) {
- s = getservbyname(name, NULL);
- if (s != NULL) {
- *port = s->s_port;
- return 0;
- }
- return -1;
- }
-
- /*
- * Some people will use port names in rules without specifying
- * either TCP or UDP because it is implied by the group head.
- * If we don't know the protocol, then the best we can do here is
- * to take either only the TCP or UDP mapping (if one or the other
- * is missing) or make sure both of them agree.
- */
- if (fr->fr_proto == 0) {
- s = getservbyname(name, "tcp");
- if (s != NULL)
- p1 = s->s_port;
- else
- p1 = 0;
- s = getservbyname(name, "udp");
- if (s != NULL) {
- if (p1 != s->s_port)
- return -1;
- }
- if ((p1 == 0) && (s == NULL))
- return -1;
- if (p1)
- *port = p1;
- else
- *port = s->s_port;
- return 0;
- }
-
- if ((fr->fr_flx & FI_TCPUDP) != 0) {
- /*
- * If a rule is "tcp/udp" then check that both TCP and UDP
- * mappings for this protocol name match ports.
- */
- s = getservbyname(name, "tcp");
- if (s == NULL)
- return -1;
- p1 = s->s_port;
- s = getservbyname(name, "udp");
- if (s == NULL || s->s_port != p1)
- return -1;
- *port = p1;
- return 0;
- }
-
- p = getprotobynumber(fr->fr_proto);
- s = getservbyname(name, p ? p->p_name : NULL);
- if (s != NULL) {
- *port = s->s_port;
- return 0;
- }
- return -1;
-}
diff --git a/contrib/ipfilter/lib/getportproto.c b/contrib/ipfilter/lib/getportproto.c
deleted file mode 100644
index 5a247ae..0000000
--- a/contrib/ipfilter/lib/getportproto.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getportproto.c,v 1.2.4.4 2006/06/16 17:21:00 darrenr Exp $
- */
-
-#include <ctype.h>
-#include "ipf.h"
-
-int getportproto(name, proto)
-char *name;
-int proto;
-{
- struct servent *s;
- struct protoent *p;
-
- if (ISDIGIT(*name)) {
- int number;
- char *s;
-
- for (s = name; *s != '\0'; s++)
- if (!ISDIGIT(*s))
- return -1;
-
- number = atoi(name);
- if (number < 0 || number > 65535)
- return -1;
- return htons(number);
- }
-
- p = getprotobynumber(proto);
- s = getservbyname(name, p ? p->p_name : NULL);
- if (s != NULL)
- return s->s_port;
- return -1;
-}
diff --git a/contrib/ipfilter/lib/getproto.c b/contrib/ipfilter/lib/getproto.c
deleted file mode 100644
index 9714da2..0000000
--- a/contrib/ipfilter/lib/getproto.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getproto.c,v 1.2.2.3 2006/06/16 17:21:00 darrenr Exp $
- */
-
-#include "ipf.h"
-
-int getproto(name)
-char *name;
-{
- struct protoent *p;
- char *s;
-
- for (s = name; *s != '\0'; s++)
- if (!ISDIGIT(*s))
- break;
- if (*s == '\0')
- return atoi(name);
-
-#ifdef _AIX51
- /*
- * For some bogus reason, "ip" is 252 in /etc/protocols on AIX 5
- */
- if (!strcasecmp(name, "ip"))
- return 0;
-#endif
-
- p = getprotobyname(name);
- if (p != NULL)
- return p->p_proto;
- return -1;
-}
diff --git a/contrib/ipfilter/lib/getsumd.c b/contrib/ipfilter/lib/getsumd.c
deleted file mode 100644
index 00974bc..0000000
--- a/contrib/ipfilter/lib/getsumd.c
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: getsumd.c,v 1.2.4.1 2006/06/16 17:21:01 darrenr Exp $
- */
-
-#include "ipf.h"
-
-char *getsumd(sum)
-u_32_t sum;
-{
- static char sumdbuf[17];
-
- if (sum & NAT_HW_CKSUM)
- sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
- else
- sprintf(sumdbuf, "%#0x", sum);
- return sumdbuf;
-}
diff --git a/contrib/ipfilter/lib/hexdump.c b/contrib/ipfilter/lib/hexdump.c
deleted file mode 100644
index 86e731e..0000000
--- a/contrib/ipfilter/lib/hexdump.c
+++ /dev/null
@@ -1,28 +0,0 @@
-#include <ctype.h>
-
-#include "ipf.h"
-
-void hexdump(out, addr, len, ascii)
-FILE *out;
-void *addr;
-int len, ascii;
-{
- FILE *fpout;
- u_char *s, *t;
- int i;
-
- fpout = out ? out : stdout;
- for (i = 0, s = addr; i < len; i++, s++) {
- fprintf(fpout, "%02x", *s);
- if (i % 16 == 15) {
- if (ascii != 0) {
- fputc('\t', fpout);
- for (t = s - 15; t<= s; t++)
- fputc(ISPRINT(*t) ? *t : '.', fpout);
- }
- fputc('\n', fpout);
- } else if (i % 4 == 3) {
- fputc(' ', fpout);
- }
- }
-}
diff --git a/contrib/ipfilter/lib/hostmask.c b/contrib/ipfilter/lib/hostmask.c
deleted file mode 100644
index 4ee41e16..0000000
--- a/contrib/ipfilter/lib/hostmask.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: hostmask.c,v 1.10 2002/01/28 06:50:46 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
- * found in the line segments, there is an error processing this information,
- * or there is an error processing ports information.
- */
-int hostmask(seg, proto, ifname, sa, msk, linenum)
-char ***seg, *proto, *ifname;
-u_32_t *sa, *msk;
-int linenum;
-{
- struct in_addr maskaddr;
- char *s;
-
- if ((s = strchr(**seg, '='))) {
- *s++ = '\0';
- if (!strcmp(**seg, "pool")) {
- *sa = atoi(s);
- return 1;
- }
- }
-
- /*
- * is it possibly hostname/num ?
- */
- if ((s = strchr(**seg, '/')) ||
- ((s = strchr(**seg, ':')) && !strchr(s + 1, ':'))) {
- *s++ ='\0';
- if (genmask(s, msk) == -1) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
- return -1;
- }
- if (hostnum(sa, **seg, linenum, ifname) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- *sa &= *msk;
- (*seg)++;
- return 0;
- }
-
- /*
- * look for extra segments if "mask" found in right spot
- */
- if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
- if (hostnum(sa, **seg, linenum, ifname) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- (*seg)++;
- if (inet_aton(**seg, &maskaddr) == 0) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
- return -1;
- }
- *msk = maskaddr.s_addr;
- (*seg)++;
- *sa &= *msk;
- return 0;
- }
-
- if (**seg) {
- u_32_t k;
-
- if (hostnum(sa, **seg, linenum, ifname) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- k = *sa ? 0xffffffff : 0;
-#ifdef USE_INET6
- if (use_inet6) {
- msk[1] = k;
- msk[2] = k;
- msk[3] = k;
- }
-#endif
- *msk = k;
- return 0;
- }
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
-}
diff --git a/contrib/ipfilter/lib/hostname.c b/contrib/ipfilter/lib/hostname.c
deleted file mode 100644
index b8295d4..0000000
--- a/contrib/ipfilter/lib/hostname.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2002-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: hostname.c,v 1.6.2.2 2007/01/16 02:25:22 darrenr Exp $
- */
-
-#include "ipf.h"
-
-char *hostname(v, ip)
-int v;
-void *ip;
-{
- static char hostbuf[MAXHOSTNAMELEN+1];
- struct hostent *hp;
- struct in_addr ipa;
- struct netent *np;
-
- memset(&ipa, 0, sizeof(ipa)); /* XXX gcc */
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- if (ipa.s_addr == htonl(0xfedcba98))
- return "test.host.dots";
- }
-
- if ((opts & OPT_NORESOLVE) == 0) {
- if (v == 4) {
- hp = gethostbyaddr(ip, 4, AF_INET);
- if (hp != NULL && hp->h_name != NULL &&
- *hp->h_name != '\0') {
- strncpy(hostbuf, hp->h_name, sizeof(hostbuf));
- hostbuf[sizeof(hostbuf) - 1] = '\0';
- return hostbuf;
- }
-
- np = getnetbyaddr(ipa.s_addr, AF_INET);
- if (np != NULL && np->n_name != NULL &&
- *np->n_name != '\0') {
- strncpy(hostbuf, np->n_name, sizeof(hostbuf));
- hostbuf[sizeof(hostbuf) - 1] = '\0';
- return hostbuf;
- }
- }
- }
-
- if (v == 4) {
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
diff --git a/contrib/ipfilter/lib/hostnum.c b/contrib/ipfilter/lib/hostnum.c
deleted file mode 100644
index 2ec0529..0000000
--- a/contrib/ipfilter/lib/hostnum.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: hostnum.c,v 1.10.2.1 2004/12/09 19:41:20 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-int hostnum(ipa, host, linenum, ifname)
-u_32_t *ipa;
-char *host;
-int linenum;
-char *ifname;
-{
- struct in_addr ip;
-
- if (!strcasecmp("any", host) ||
- (ifname && *ifname && !strcasecmp(ifname, host)))
- return 0;
-
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, host, ipa) == 1)
- return 0;
- else
- return -1;
- }
-#endif
- if (ISDIGIT(*host) && inet_aton(host, &ip)) {
- *ipa = ip.s_addr;
- return 0;
- }
-
- if (!strcasecmp("<thishost>", host))
- host = thishost;
-
- return gethost(host, ipa);
-}
diff --git a/contrib/ipfilter/lib/icmpcode.c b/contrib/ipfilter/lib/icmpcode.c
deleted file mode 100644
index 69841e0..0000000
--- a/contrib/ipfilter/lib/icmpcode.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: icmpcode.c,v 1.7.2.5 2006/06/16 17:21:02 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-#ifndef MIN
-# define MIN(a,b) ((a) > (b) ? (b) : (a))
-#endif
-
-
-char *icmpcodes[MAX_ICMPCODE + 1] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
- "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
- "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
- NULL };
diff --git a/contrib/ipfilter/lib/inet_addr.c b/contrib/ipfilter/lib/inet_addr.c
deleted file mode 100644
index 820b7b5..0000000
--- a/contrib/ipfilter/lib/inet_addr.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- * ++Copyright++ 1983, 1990, 1993
- * -
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.3 2004/12/09 19:41:20 darrenr Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ctype.h>
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifndef linux
-int inet_aton __P((const char *, struct in_addr *));
-
-/*
- * Because the ctype(3) posix definition, if used "safely" in code everywhere,
- * would mean all normal code that walks through strings needed casts. Yuck.
- */
-#define ISALNUM(x) isalnum((u_char)(x))
-#define ISALPHA(x) isalpha((u_char)(x))
-#define ISASCII(x) isascii((u_char)(x))
-#define ISDIGIT(x) isdigit((u_char)(x))
-#define ISPRINT(x) isprint((u_char)(x))
-#define ISSPACE(x) isspace((u_char)(x))
-#define ISUPPER(x) isupper((u_char)(x))
-#define ISXDIGIT(x) isxdigit((u_char)(x))
-#define ISLOWER(x) islower((u_char)(x))
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-inet_aton(cp, addr)
- register const char *cp;
- struct in_addr *addr;
-{
- register u_long val;
- register int base, n;
- register char c;
- u_int parts[4];
- register u_int *pp = parts;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!ISDIGIT(c))
- return (0);
- val = 0; base = 10;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X')
- base = 16, c = *++cp;
- else
- base = 8;
- }
- for (;;) {
- if (ISASCII(c) && ISDIGIT(c)) {
- val = (val * base) + (c - '0');
- c = *++cp;
- } else if (base == 16 && ISASCII(c) && ISXDIGIT(c)) {
- val = (val << 4) |
- (c + 10 - (ISLOWER(c) ? 'a' : 'A'));
- c = *++cp;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3)
- return (0);
- *pp++ = val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!ISASCII(c) || !ISSPACE(c)))
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
-
- case 0:
- return (0); /* initial nondigit */
-
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffff)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr)
- addr->s_addr = htonl(val);
- return (1);
-}
-#endif
-
-/* these are compatibility routines, not needed on recent BSD releases */
-
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
-#if 0
-inet_addr(cp)
- const char *cp;
-{
- struct in_addr val;
-
- if (inet_aton(cp, &val))
- return (val.s_addr);
- return (0xffffffff);
-}
-#endif
diff --git a/contrib/ipfilter/lib/initparse.c b/contrib/ipfilter/lib/initparse.c
deleted file mode 100644
index b9f162f..0000000
--- a/contrib/ipfilter/lib/initparse.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: initparse.c,v 1.6.4.1 2006/06/16 17:21:02 darrenr Exp $
- */
-#include "ipf.h"
-
-
-char thishost[MAXHOSTNAMELEN];
-
-
-void initparse __P((void))
-{
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-}
diff --git a/contrib/ipfilter/lib/ionames.c b/contrib/ipfilter/lib/ionames.c
deleted file mode 100644
index cc9374d..0000000
--- a/contrib/ipfilter/lib/ionames.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ionames.c,v 1.7.4.1 2006/06/16 17:21:02 darrenr Exp $
- */
-#include "ipf.h"
-
-
-struct ipopt_names ionames[] ={
- { IPOPT_NOP, 0x000001, 1, "nop" }, /* RFC791 */
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" }, /* size ?? */
- { IPOPT_MTUP, 0x000008, 3, "mtup" }, /* RFC1191 */
- { IPOPT_MTUR, 0x000010, 3, "mtur" }, /* RFC1191 */
- { IPOPT_ENCODE, 0x000020, 3, "encode" }, /* size ?? */
- { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" }, /* RFC1393 */
- { IPOPT_SECURITY,0x000100, 11, "sec" }, /* RFC1108 */
- { IPOPT_SECURITY,0x000100, 11, "sec-class" }, /* RFC1108 */
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" }, /* RFC1108 */
- { IPOPT_CIPSO, 0x000800, 3, "cipso" }, /* size ?? */
- { IPOPT_SATID, 0x001000, 4, "satid" }, /* RFC791 */
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" }, /* IPv7 ?? */
- { IPOPT_VISA, 0x008000, 3, "visa" }, /* size ?? */
- { IPOPT_IMITD, 0x010000, 3, "imitd" }, /* size ?? */
- { IPOPT_EIP, 0x020000, 3, "eip" }, /* RFC1385 */
- { IPOPT_FINN, 0x040000, 3, "finn" }, /* size ?? */
- { IPOPT_DPS, 0x080000, 3, "dps" }, /* size ?? */
- { IPOPT_SDB, 0x100000, 3, "sdb" }, /* size ?? */
- { IPOPT_NSAPA, 0x200000, 3, "nsapa" }, /* size ?? */
- { IPOPT_RTRALRT,0x400000, 3, "rtralrt" }, /* RFC2113 */
- { IPOPT_UMP, 0x800000, 3, "ump" }, /* size ?? */
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
diff --git a/contrib/ipfilter/lib/ipf_dotuning.c b/contrib/ipfilter/lib/ipf_dotuning.c
deleted file mode 100644
index 8f90fdb..0000000
--- a/contrib/ipfilter/lib/ipf_dotuning.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2003-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipf_dotuning.c,v 1.2.4.3 2006/06/16 17:21:02 darrenr Exp $
- */
-
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include <sys/ioctl.h>
-
-void ipf_dotuning(fd, tuneargs, iocfn)
-int fd;
-char *tuneargs;
-ioctlfunc_t iocfn;
-{
- ipfobj_t obj;
- ipftune_t tu;
- char *s, *t;
-
- bzero((char *)&tu, sizeof(tu));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(tu);;
- obj.ipfo_ptr = (void *)&tu;
- obj.ipfo_type = IPFOBJ_TUNEABLE;
-
- for (s = strtok(tuneargs, ","); s != NULL; s = strtok(NULL, ",")) {
- if (!strcmp(s, "list")) {
- while (1) {
- if ((*iocfn)(fd, SIOCIPFGETNEXT, &obj) == -1) {
- perror("ioctl(SIOCIPFGETNEXT)");
- break;
- }
- if (tu.ipft_cookie == NULL)
- break;
-
- tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
- printtunable(&tu);
- }
- } else if ((t = strchr(s, '=')) != NULL) {
- tu.ipft_cookie = NULL;
- *t++ = '\0';
- strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
- if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) {
- if ((*iocfn)(fd, SIOCIPFSET, &obj) == -1) {
- perror("ioctl(SIOCIPFSET)");
- return;
- }
- } else {
- fprintf(stderr, "invalid value '%s'\n", s);
- return;
- }
- } else {
- tu.ipft_cookie = NULL;
- strncpy(tu.ipft_name, s, sizeof(tu.ipft_name));
- if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) {
- perror("ioctl(SIOCIPFGET)");
- return;
- }
- if (tu.ipft_cookie == NULL) {
- fprintf(stderr, "Null cookie for %s\n", s);
- return;
- }
-
- tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';
- printtunable(&tu);
- }
- }
-}
diff --git a/contrib/ipfilter/lib/ipft_ef.c b/contrib/ipfilter/lib/ipft_ef.c
deleted file mode 100644
index 52eb508..0000000
--- a/contrib/ipfilter/lib/ipft_ef.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $
- */
-
-/*
- icmp type
- lnth proto source destination src port dst port
-
-etherfind -n
-
- 60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-
-etherfind -n -t
-
- 0.32 91 04 131.170.1.10 128.250.133.13
- 0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-
-#include "ipf.h"
-#include "ipt.h"
-
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14.2.2 2006/06/16 17:21:02 darrenr Exp $";
-#endif
-
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip, 0 };
-
-static FILE *efp = NULL;
-static int efd = -1;
-
-
-static int etherf_open(fname)
-char *fname;
-{
- if (efd != -1)
- return efd;
-
- if (!strcmp(fname, "-")) {
- efd = 0;
- efp = stdin;
- } else {
- efd = open(fname, O_RDONLY);
- efp = fdopen(efd, "r");
- }
- return efd;
-}
-
-
-static int etherf_close()
-{
- return close(efd);
-}
-
-
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- char src[16], dst[16], sprt[16], dprt[16];
- char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst,
- sprt, dprt) != 6)
- if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time,
- len, prot, src, dst, sprt, dprt) != 7)
- return -1;
-
- ip->ip_p = getproto(prot);
-
- switch (ip->ip_p) {
- case IPPROTO_TCP :
- if (isdigit(*sprt))
- pkt.ti_sport = htons(atoi(sprt) & 65535);
- if (isdigit(*dprt))
- pkt.ti_dport = htons(atoi(dprt) & 65535);
- extra = sizeof(struct tcphdr);
- break;
- case IPPROTO_UDP :
- if (isdigit(*sprt))
- pkt.ti_sport = htons(atoi(sprt) & 65535);
- if (isdigit(*dprt))
- pkt.ti_dport = htons(atoi(dprt) & 65535);
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(dst, &ip->ip_dst);
- ip->ip_len = atoi(len);
- IP_HL_A(ip, sizeof(ip_t));
-
- slen = IP_HL(ip) + extra;
- i = MIN(cnt, slen);
- bcopy((char *)&pkt, buf, i);
- return i;
-}
diff --git a/contrib/ipfilter/lib/ipft_hx.c b/contrib/ipfilter/lib/ipft_hx.c
deleted file mode 100644
index 4851fff..0000000
--- a/contrib/ipfilter/lib/ipft_hx.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.4 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-#include <ctype.h>
-
-#include "ipf.h"
-#include "ipt.h"
-
-
-extern int opts;
-
-static int hex_open __P((char *));
-static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
-static char *readhex __P((char *, char *));
-
-struct ipread iphex = { hex_open, hex_close, hex_readip, 0 };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static int hex_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int hex_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s, *t, *u;
- char line[513];
- ip_t *ip;
-
- /*
- * interpret start of line as possibly "[ifname]" or
- * "[in/out,ifname]".
- */
- if (ifn)
- *ifn = NULL;
- if (dir)
- *dir = 0;
- ip = (ip_t *)buf;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = strchr(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
- *s = '\0';
- }
- if ((s = strchr(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if ((opts & OPT_DEBUG) != 0) {
- printf("input: %s", line);
- }
-
- if ((*line == '[') && (s = strchr(line, ']'))) {
- t = line + 1;
- if (s - t > 0) {
- *s++ = '\0';
- if ((u = strchr(t, ',')) && (u < s)) {
- u++;
- if (ifn)
- *ifn = strdup(u);
- if (dir) {
- if (*t == 'i')
- *dir = 0;
- else if (*t == 'o')
- *dir = 1;
- }
- } else if (ifn)
- *ifn = t;
- }
- } else
- s = line;
- t = (char *)ip;
- ip = (ip_t *)readhex(s, (char *)ip);
- if ((opts & OPT_DEBUG) != 0) {
- if (opts & OPT_ASCII) {
- if (t < (char *)ip)
- putchar('\t');
- while (t < (char *)ip) {
- if (ISPRINT(*t) && ISASCII(*t))
- putchar(*t);
- else
- putchar('.');
- t++;
- }
- }
- putchar('\n');
- fflush(stdout);
- }
- }
- if (feof(tfp))
- return 0;
- return -1;
-}
-
-
-static char *readhex(src, dst)
-register char *src, *dst;
-{
- int state = 0;
- char c;
-
- while ((c = *src++)) {
- if (ISSPACE(c)) {
- if (state) {
- dst++;
- state = 0;
- }
- continue;
- } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
- (c >= 'A' && c <= 'F')) {
- c = ISDIGIT(c) ? (c - '0') : (TOUPPER(c) - 55);
- if (state == 0) {
- *dst = (c << 4);
- state++;
- } else {
- *dst++ |= c;
- state = 0;
- }
- } else
- break;
- }
- return dst;
-}
diff --git a/contrib/ipfilter/lib/ipft_pc.c b/contrib/ipfilter/lib/ipft_pc.c
deleted file mode 100644
index fbfe6b0..0000000
--- a/contrib/ipfilter/lib/ipft_pc.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $
- */
-#include "ipf.h"
-#include "pcap-ipf.h"
-#include "bpf-ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10.2.2 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_type;
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-
-static struct llc llcs[] = {
- { DLT_NULL, 0, 0, 0 },
- { DLT_EN10MB, 14, 12, 2 },
- { DLT_EN3MB, 0, 0, 0 },
- { DLT_AX25, 0, 0, 0 },
- { DLT_PRONET, 0, 0, 0 },
- { DLT_CHAOS, 0, 0, 0 },
- { DLT_IEEE802, 0, 0, 0 },
- { DLT_ARCNET, 0, 0, 0 },
- { DLT_SLIP, 0, 0, 0 },
- { DLT_PPP, 0, 0, 0 },
- { DLT_FDDI, 0, 0, 0 },
-#ifdef DLT_ATMRFC1483
- { DLT_ATMRFC1483, 0, 0, 0 },
-#endif
- { DLT_RAW, 0, 0, 0 },
-#ifdef DLT_ENC
- { DLT_ENC, 0, 0, 0 },
-#endif
-#ifdef DLT_SLIP_BSDOS
- { DLT_SLIP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_BSDOS
- { DLT_PPP_BSDOS, 0, 0, 0 },
-#endif
-#ifdef DLT_HIPPI
- { DLT_HIPPI, 0, 0, 0 },
-#endif
-#ifdef DLT_HDLC
- { DLT_HDLC, 0, 0, 0 },
-#endif
-#ifdef DLT_PPP_SERIAL
- { DLT_PPP_SERIAL, 4, 4, 0 },
-#endif
-#ifdef DLT_PPP_ETHER
- { DLT_PPP_ETHER, 8, 8, 0 },
-#endif
-#ifdef DLT_ECONET
- { DLT_ECONET, 0, 0, 0 },
-#endif
- { -1, -1, -1, -1 }
-};
-
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
-
-static int pfd = -1, swapped = 0;
-static struct llc *llcp = NULL;
-
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip, 0 };
-
-#define SWAPLONG(y) \
- ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
-#define SWAPSHORT(y) \
- ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-
-static void swap_hdr(p)
-pcaphdr_t *p;
-{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
-}
-
-static int pcap_open(fname)
-char *fname;
-{
- pcaphdr_t ph;
- int fd, i;
-
- if (pfd != -1)
- return pfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
- return -2;
-
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
- (void) close(fd);
- return -2;
- }
- swapped = 1;
- swap_hdr(&ph);
- }
-
- if (ph.pc_v_maj != PCAP_VERSION_MAJ) {
- (void) close(fd);
- return -2;
- }
-
- for (i = 0; llcs[i].lc_type != -1; i++)
- if (llcs[i].lc_type == ph.pc_type) {
- llcp = llcs + i;
- break;
- }
-
- if (llcp == NULL) {
- (void) close(fd);
- return -2;
- }
-
- pfd = fd;
- printf("opened pcap file %s:\n", fname);
- printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
-
- return fd;
-}
-
-
-static int pcap_close()
-{
- return close(pfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a pcap file.
- */
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
-{
- int n, p, i;
- char *s;
-
- s = (char *)rec;
- n = sizeof(*rec);
-
- while (n > 0) {
- i = read(pfd, (char *)rec, sizeof(*rec));
- if (i <= 0)
- return -2;
- s += i;
- n -= i;
- }
-
- if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
- }
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
- if (!n || n < 0)
- return -3;
-
- if (p < 0 || p > 65536)
- return -4;
- return p;
-}
-
-
-#ifdef notyet
-/*
- * read an entire pcap packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct pcap_pkthdr rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(pfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct pcap_pkthdr rec;
- struct llc *l;
- char *s, ty[4];
- int i, j, n;
-
- l = llcp;
-
- /* do { */
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- for (j = i, n = 0; j > 0; ) {
- n = read(pfd, s, j);
- if (n <= 0)
- return -2;
- j -= n;
- s += n;
- }
- s = bufp;
-
- i -= l->lc_sz;
- s += l->lc_to;
- bcopy(s, ty, l->lc_tl);
- s += l->lc_tl;
- /* } while (ty[0] != 0x8 && ty[1] != 0); */
- n = MIN(i, cnt);
- bcopy(s, buf, n);
- return n;
-}
diff --git a/contrib/ipfilter/lib/ipft_sn.c b/contrib/ipfilter/lib/ipft_sn.c
deleted file mode 100644
index a4c7318..0000000
--- a/contrib/ipfilter/lib/ipft_sn.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2000-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $
- */
-
-/*
- * Written to comply with the recent RFC 1761 from Sun.
- */
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.7.4.1 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-static struct llc llcs[SDL_MAX+1] = {
- { 0, 0, 0 }, /* SDL_8023 */
- { 0, 0, 0 }, /* SDL_8024 */
- { 0, 0, 0 }, /* SDL_8025 */
- { 0, 0, 0 }, /* SDL_8026 */
- { 14, 12, 2 }, /* SDL_ETHER */
- { 0, 0, 0 }, /* SDL_HDLC */
- { 0, 0, 0 }, /* SDL_CHSYNC */
- { 0, 0, 0 }, /* SDL_IBMCC */
- { 0, 0, 0 }, /* SDL_FDDI */
- { 0, 0, 0 }, /* SDL_OTHER */
-};
-
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip, 0 };
-
-
-static int snoop_open(fname)
-char *fname;
-{
- struct snoophdr sh;
- int fd;
- int s_v;
-
- if (sfd != -1)
- return sfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
- return -2;
-
- s_v = (int)ntohl(sh.s_v);
- s_type = (int)ntohl(sh.s_type);
-
- if (s_v != SNOOP_VERSION ||
- s_type < 0 || s_type > SDL_MAX) {
- (void) close(fd);
- return -2;
- }
-
- sfd = fd;
- printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
-
- return fd;
-}
-
-
-static int snoop_close()
-{
- return close(sfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a snoop file.
- */
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
- int n, plen, ilen;
-
- if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- ilen = (int)ntohl(rec->sp_ilen);
- plen = (int)ntohl(rec->sp_plen);
- if (ilen > plen || plen < sizeof(*rec))
- return -2;
-
- plen -= sizeof(*rec);
- n = MIN(plen, ilen);
- if (!n || n < 0)
- return -3;
-
- return plen;
-}
-
-
-#ifdef notyet
-/*
- * read an entire snoop packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct snooppkt rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(sfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct snooppkt rec;
- struct llc *l;
- char ty[4], *s;
- int i, n;
-
- do {
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(sfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_to;
- s += l->lc_to;
- /*
- * XXX - bogus assumption here on the part of the time field
- * that it won't be greater than 4 bytes and the 1st two will
- * have the values 8 and 0 for IP. Should be a table of
- * these too somewhere. Really only works for SDL_ETHER.
- */
- bcopy(s, ty, l->lc_tl);
- } while (ty[0] != 0x8 && ty[1] != 0);
-
- i -= l->lc_tl;
- s += l->lc_tl;
- n = MIN(i, cnt);
- bcopy(s, buf, n);
-
- return n;
-}
diff --git a/contrib/ipfilter/lib/ipft_td.c b/contrib/ipfilter/lib/ipft_td.c
deleted file mode 100644
index 21bb764..0000000
--- a/contrib/ipfilter/lib/ipft_td.c
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $
- */
-
-/*
-tcpdump -n
-
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-
-tcpdump -nq
-
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-
-tcpdump -nqt
-
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqtt
-
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqte
-
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-*/
-
-#include "ipf.h"
-#include "ipt.h"
-
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15.2.2 2006/06/16 17:21:03 darrenr Exp $";
-#endif
-
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip, 0 };
-
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-
-static int tcpd_open(fname)
-char *fname;
-{
- if (tfd != -1)
- return tfd;
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int tcpd_close()
-{
- (void) fclose(tfp);
- return close(tfd);
-}
-
-
-static int count_dots(str)
-char *str;
-{
- int i = 0;
-
- while (*str)
- if (*str++ == '.')
- i++;
- return i;
-}
-
-
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
- char lbuf[160], *s;
- int n, slen, extra = 0;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3)
- if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s",
- time, src, dst, misc)) != 4)
- if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s",
- link1, link2, src, dst, misc)) != 5) {
- n = sscanf(lbuf,
- "%31s %31s %31s: %31s > %31s: %255s",
- time, link1, link2, src, dst, misc);
- if (n != 6)
- return -1;
- }
-
- if (count_dots(dst) == 4) {
- s = strrchr(src, '.');
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_src);
- pkt.ti_sport = htons(atoi(s));
- *--s = '.';
- s = strrchr(dst, '.');
-
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_dst);
- pkt.ti_dport = htons(atoi(s));
- *--s = '.';
-
- } else {
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(src, &ip->ip_dst);
- }
- ip->ip_len = sizeof(ip_t);
- IP_HL_A(ip, sizeof(ip_t));
-
- s = strtok(misc, " :");
- if (s == NULL)
- return 0;
- ip->ip_p = getproto(s);
-
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- if (s == NULL)
- return 0;
- ip->ip_len += atoi(s);
- if (ip->ip_p == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (ip->ip_p == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- slen = IP_HL(ip) + extra + ip->ip_len;
- return slen;
-}
diff --git a/contrib/ipfilter/lib/ipft_tx.c b/contrib/ipfilter/lib/ipft_tx.c
deleted file mode 100644
index 5dc65b4..0000000
--- a/contrib/ipfilter/lib/ipft_tx.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.10 2007/09/03 21:54:44 darrenr Exp $";
-#endif
-
-#include <ctype.h>
-
-#include "ipf.h"
-#include "ipt.h"
-
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcpip.h>
-
-
-extern int opts;
-
-static char *tx_proto = "";
-
-static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
-static int parseline __P((char *, ip_t *, char **, int *));
-
-static char myflagset[] = "FSRPAUEC";
-static u_char myflags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG, TH_ECN, TH_CWR };
-
-struct ipread iptext = { text_open, text_close, text_readip, R_DO_CKSUM };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static u_32_t tx_hostnum __P((char *, int *));
-static u_short tx_portnum __P((char *));
-
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
-{
- u_32_t ipa;
-
- *resolved = 0;
- if (!strcasecmp("any", host))
- return 0L;
- if (ISDIGIT(*host))
- return inet_addr(host);
-
- if (gethost(host, &ipa) == -1) {
- *resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
- return 0;
- }
- return ipa;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi()
- */
-static u_short tx_portnum(name)
-char *name;
-{
- struct servent *sp;
-
- if (ISDIGIT(*name))
- return (u_short)atoi(name);
- sp = getservbyname(name, tx_proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
-}
-
-
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-static int text_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int text_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s;
- char line[513];
- ip_t *ip;
-
- *ifn = NULL;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '\r')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if ((opts & OPT_DEBUG) != 0)
- printf("input: %s\n", line);
- *ifn = NULL;
- *dir = 0;
- if (!parseline(line, (ip_t *)buf, ifn, dir)) {
- ip = (ip_t *)buf;
- return ntohs(ip->ip_len);
- }
- }
- if (feof(tfp))
- return 0;
- return -1;
-}
-
-static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
-{
- tcphdr_t th, *tcp = &th;
- struct icmp icmp, *ic = &icmp;
- char *cps[20], **cpp, c, ipopts[68];
- int i, r;
-
- if (*ifn)
- free(*ifn);
- bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
- bzero((char *)tcp, sizeof(*tcp));
- bzero((char *)ic, sizeof(*ic));
- bzero(ipopts, sizeof(ipopts));
- IP_HL_A(ip, sizeof(*ip) >> 2);
- IP_V_A(ip, IPVERSION);
- for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cpp = cps;
- if (!*cpp)
- return 1;
-
- c = **cpp;
- if (!ISALPHA(c) || (TOLOWER(c) != 'o' && TOLOWER(c) != 'i')) {
- fprintf(stderr, "bad direction \"%s\"\n", *cpp);
- return 1;
- }
- *out = (TOLOWER(c) == 'o') ? 1 : 0;
- cpp++;
- if (!*cpp)
- return 1;
-
- if (!strcasecmp(*cpp, "on")) {
- cpp++;
- if (!*cpp)
- return 1;
- *ifn = strdup(*cpp++);
- if (!*cpp)
- return 1;
- }
-
- c = **cpp;
- ip->ip_len = sizeof(ip_t);
- if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
- !strcasecmp(*cpp, "icmp")) {
- if (c == 't') {
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(struct tcphdr);
- tx_proto = "tcp";
- } else if (c == 'u') {
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(struct udphdr);
- tx_proto = "udp";
- } else {
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += ICMPERR_IPICMPHLEN;
- tx_proto = "icmp";
- }
- cpp++;
- } else if (ISDIGIT(**cpp) && !index(*cpp, '.')) {
- ip->ip_p = atoi(*cpp);
- cpp++;
- } else
- ip->ip_p = IPPROTO_IP;
-
- if (!*cpp)
- return 1;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = strchr(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no source port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_sport = htons(tx_portnum(last));
- if (ip->ip_p == IPPROTO_TCP) {
- tcp->th_win = htons(4096);
- TCP_OFF_A(tcp, sizeof(*tcp) >> 2);
- }
- }
- ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (!*cpp)
- return 1;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = strchr(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no destination port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_dport = htons(tx_portnum(last));
- }
- ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (ip->ip_p == IPPROTO_TCP) {
- if (*cpp != NULL) {
- char *s, *t;
-
- tcp->th_flags = 0;
- for (s = *cpp; *s; s++)
- if ((t = strchr(myflagset, *s)))
- tcp->th_flags |= myflags[t-myflagset];
- if (tcp->th_flags)
- cpp++;
- }
-
- if (tcp->th_flags & TH_URG)
- tcp->th_urp = htons(1);
-
- if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
- tcp->th_seq = htonl(atoi(*cpp + 4));
- cpp++;
- }
-
- if (*cpp && !strncasecmp(*cpp, "ack=", 4)) {
- tcp->th_ack = htonl(atoi(*cpp + 4));
- cpp++;
- }
- } else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
-
- t = strchr(*cpp, ',');
- if (t != NULL)
- *t = '\0';
-
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++) {
- if (*s && !strcasecmp(*cpp, *s)) {
- ic->icmp_type = i;
- if (t != NULL)
- ic->icmp_code = atoi(t + 1);
- cpp++;
- break;
- }
- }
- if (t != NULL)
- *t = ',';
- }
-
- if (*cpp && !strcasecmp(*cpp, "opt")) {
- u_long olen;
-
- cpp++;
- olen = buildopts(*cpp, ipopts, (IP_HL(ip) - 5) << 2);
- if (olen) {
- bcopy(ipopts, (char *)(ip + 1), olen);
- IP_HL_A(ip, IP_HL(ip) + (olen >> 2));
- }
- }
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- bcopy((char *)tcp, ((char *)ip) + (IP_HL(ip) << 2),
- sizeof(*tcp));
- else if (ip->ip_p == IPPROTO_ICMP)
- bcopy((char *)ic, ((char *)ip) + (IP_HL(ip) << 2),
- sizeof(*ic));
- ip->ip_len = htons(ip->ip_len);
- return 0;
-}
diff --git a/contrib/ipfilter/lib/ipoptsec.c b/contrib/ipfilter/lib/ipoptsec.c
deleted file mode 100644
index a59db23..0000000
--- a/contrib/ipfilter/lib/ipoptsec.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2001-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ipoptsec.c,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-struct ipopt_names secclass[] = {
- { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
- { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
- { IPSO_CLASS_SECR, 0x04, 0, "secret" },
- { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
- { IPSO_CLASS_CONF, 0x10, 0, "confid" },
- { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
- { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-u_char seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return (u_char)so->on_value;
-}
-
-
-u_char secbit(class)
-int class;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (so->on_value == class)
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security class: %d\n", class);
- return 0;
- }
- return (u_char)so->on_bit;
-}
diff --git a/contrib/ipfilter/lib/kmem.c b/contrib/ipfilter/lib/kmem.c
deleted file mode 100644
index 07830fb..0000000
--- a/contrib/ipfilter/lib/kmem.c
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * kmemcpy() - copies n bytes from kernel memory into user buffer.
- * returns 0 on success, -1 on error.
- */
-
-#include <stdio.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <sys/file.h>
-#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(_AIX51)
-#include <kvm.h>
-#endif
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#if defined(linux) || defined(__osf__) || defined(__sgi) || defined(__hpux)
-# include <stdlib.h>
-#endif
-
-#include "kmem.h"
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.3 2006/06/16 17:21:04 darrenr Exp $";
-#endif
-
-
-
-#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && \
- !defined(linux) && !defined(_AIX51)
-/*
- * For all platforms where there is a libkvm and a kvm_t, we use that...
- */
-static kvm_t *kvm_f = NULL;
-
-#else
-/*
- *...and for the others (HP-UX, IRIX, Tru64), we have to provide our own.
- */
-
-typedef int * kvm_t;
-
-static kvm_t kvm_f = NULL;
-static char *kvm_errstr = NULL;
-
-kvm_t kvm_open __P((char *, char *, char *, int, char *));
-int kvm_read __P((kvm_t, u_long, char *, size_t));
-
-kvm_t kvm_open(kernel, core, swap, mode, errstr)
-char *kernel, *core, *swap;
-int mode;
-char *errstr;
-{
- kvm_t k;
- int fd;
-
- kvm_errstr = errstr;
-
- if (core == NULL)
- core = "/dev/kmem";
-
- fd = open(core, mode);
- if (fd == -1)
- return NULL;
- k = malloc(sizeof(*k));
- if (k == NULL)
- return NULL;
- *k = fd;
- return k;
-}
-
-int kvm_read(kvm, pos, buffer, size)
-kvm_t kvm;
-u_long pos;
-char *buffer;
-size_t size;
-{
- int r = 0, left;
- char *bufp;
-
- if (lseek(*kvm, pos, 0) == -1) {
- if (kvm_errstr != NULL) {
- fprintf(stderr, "%s", kvm_errstr);
- perror("lseek");
- }
- return -1;
- }
-
- for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
- r = read(*kvm, bufp, left);
-#ifdef __osf__
- /*
- * Tru64 returns "0" for successful operation, not the number
- * of bytes read.
- */
- if (r == 0)
- r = left;
-#endif
- if (r <= 0)
- return -1;
- }
- return r;
-}
-#endif /* !defined(__sgi) && !defined(__hpux) && !defined(__osf__) */
-
-int openkmem(kern, core)
-char *kern, *core;
-{
- kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL);
- if (kvm_f == NULL)
- {
- perror("openkmem:open");
- return -1;
- }
- return kvm_f != NULL;
-}
-
-int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%lx ", (u_long)pos);
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- buf += r;
- pos += r;
- n -= r;
- }
- return 0;
-}
-
-int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
-
- if (kvm_f == NULL)
- if (openkmem(NULL, NULL) == -1)
- return -1;
-
- while (n > 0)
- {
- r = kvm_read(kvm_f, pos, buf, 1);
- if (r <= 0)
- {
- fprintf(stderr, "pos=0x%lx ", (u_long)pos);
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- if (*buf == '\0')
- break;
- buf++;
- pos++;
- n--;
- }
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/kmem.h b/contrib/ipfilter/lib/kmem.h
deleted file mode 100644
index 70f0a7a..0000000
--- a/contrib/ipfilter/lib/kmem.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * $Id: kmem.h,v 1.2.4.1 2006/06/16 17:21:04 darrenr Exp $
- */
-
-#ifndef __KMEM_H__
-#define __KMEM_H__
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-extern int openkmem __P((char *, char *));
-extern int kmemcpy __P((char *, long, int));
-extern int kstrncpy __P((char *, long, int));
-
-#if defined(__NetBSD__) || defined(__OpenBSD)
-# include <paths.h>
-#endif
-
-#ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-#else
-# define KMEM "/dev/kmem"
-#endif
-
-#endif /* __KMEM_H__ */
diff --git a/contrib/ipfilter/lib/kmemcpywrap.c b/contrib/ipfilter/lib/kmemcpywrap.c
deleted file mode 100644
index 7a4a161..0000000
--- a/contrib/ipfilter/lib/kmemcpywrap.c
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kmemcpywrap.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
- */
-
-#include "ipf.h"
-#include "kmem.h"
-
-int kmemcpywrap(from, to, size)
-void *from, *to;
-size_t size;
-{
- int ret;
-
- ret = kmemcpy((caddr_t)to, (u_long)from, size);
- return ret;
-}
-
diff --git a/contrib/ipfilter/lib/kvatoname.c b/contrib/ipfilter/lib/kvatoname.c
deleted file mode 100644
index b0fe69d..0000000
--- a/contrib/ipfilter/lib/kvatoname.c
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: kvatoname.c,v 1.1.4.1 2006/06/16 17:21:05 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-
-char *kvatoname(func, iocfunc)
-ipfunc_t func;
-ioctlfunc_t iocfunc;
-{
- static char funcname[40];
- ipfunc_resolve_t res;
- int fd;
-
- res.ipfu_addr = func;
- res.ipfu_name[0] = '\0';
- fd = -1;
-
- if ((opts & OPT_DONOTHING) == 0) {
- fd = open(IPL_NAME, O_RDONLY);
- if (fd == -1)
- return NULL;
- }
- (void) (*iocfunc)(fd, SIOCFUNCL, &res);
- if (fd >= 0)
- close(fd);
- strncpy(funcname, res.ipfu_name, sizeof(funcname));
- funcname[sizeof(funcname) - 1] = '\0';
- return funcname;
-}
diff --git a/contrib/ipfilter/lib/load_file.c b/contrib/ipfilter/lib/load_file.c
deleted file mode 100644
index 9bb3899..0000000
--- a/contrib/ipfilter/lib/load_file.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_file.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
- */
-
-#include "ipf.h"
-
-alist_t *
-load_file(char *filename)
-{
- alist_t *a, *rtop, *rbot;
- char *s, line[1024], *t;
- int linenum, not;
- FILE *fp;
-
- fp = fopen(filename + 7, "r");
- if (fp == NULL) {
- fprintf(stderr, "load_file cannot open '%s'\n", filename);
- return NULL;
- }
-
- a = NULL;
- rtop = NULL;
- rbot = NULL;
- linenum = 0;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- line[sizeof(line) - 1] = '\0';
- linenum++;
- /*
- * Hunt for CR/LF. If no LF, stop processing.
- */
- s = strchr(line, '\n');
- if (s == NULL) {
- fprintf(stderr, "%d:%s: line too long\n", linenum, filename);
- fclose(fp);
- alist_free(rtop);
- return NULL;
- }
-
- *s = '\0';
- s = strchr(line, '\r');
- if (s != NULL)
- *s = '\0';
- for (t = line; isspace(*t); t++)
- ;
- if (*t == '!') {
- not = 1;
- t++;
- } else
- not = 0;
-
- /*
- * Remove comment markers
- */
- for (s = t; *s; s++) {
- if (*s == '#')
- *s = '\0';
- }
- if (!*t)
- continue;
- /*
- * Trim off tailing white spaces
- */
- s = strlen(t) + t - 1;
- while (isspace(*s))
- *s-- = '\0';
-
- if (isdigit(*t)) {
- a = alist_new(4, t);
- a->al_not = not;
- if (rbot != NULL)
- rbot->al_next = a;
- else
- rtop = a;
- rbot = a;
- } else {
- fprintf(stderr, "%s: unrecognised content line %d\n",
- filename, linenum);
- }
- }
- fclose(fp);
-
- return rtop;
-}
diff --git a/contrib/ipfilter/lib/load_hash.c b/contrib/ipfilter/lib/load_hash.c
deleted file mode 100644
index 84abca0..0000000
--- a/contrib/ipfilter/lib/load_hash.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_hash.c,v 1.11.2.5 2006/07/14 06:12:25 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-
-static int hashfd = -1;
-
-
-int load_hash(iphp, list, iocfunc)
-iphtable_t *iphp;
-iphtent_t *list;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- iphtable_t iph;
- iphtent_t *a;
- size_t size;
- int n;
-
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- for (n = 0, a = list; a != NULL; a = a->ipe_next)
- n++;
-
- op.iplo_arg = 0;
- op.iplo_type = IPLT_HASH;
- op.iplo_unit = iphp->iph_unit;
- strncpy(op.iplo_name, iphp->iph_name, sizeof(op.iplo_name));
- if (*op.iplo_name == '\0')
- op.iplo_arg = IPHASH_ANON;
- op.iplo_size = sizeof(iph);
- op.iplo_struct = &iph;
- iph.iph_unit = iphp->iph_unit;
- iph.iph_type = iphp->iph_type;
- strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
- iph.iph_flags = iphp->iph_flags;
- if (n <= 0)
- n = 1;
- if (iphp->iph_size == 0)
- size = n * 2 - 1;
- else
- size = iphp->iph_size;
- if ((list == NULL) && (size == 1)) {
- fprintf(stderr,
- "WARNING: empty hash table %s, recommend setting %s\n",
- iphp->iph_name, "size to match expected use");
- }
- iph.iph_size = size;
- iph.iph_seed = iphp->iph_seed;
- iph.iph_table = NULL;
- iph.iph_list = NULL;
- iph.iph_ref = 0;
-
- if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPADDTABLE");
- return -1;
- }
- }
-
- strncpy(iph.iph_name, op.iplo_name, sizeof(op.iplo_name));
- strncpy(iphp->iph_name, op.iplo_name, sizeof(op.iplo_name));
-
- if (opts & OPT_VERBOSE) {
- for (a = list; a != NULL; a = a->ipe_next) {
- a->ipe_addr.in4_addr = ntohl(a->ipe_addr.in4_addr);
- a->ipe_mask.in4_addr = ntohl(a->ipe_mask.in4_addr);
- }
- iph.iph_table = calloc(size, sizeof(*iph.iph_table));
- if (iph.iph_table == NULL) {
- perror("calloc(size, sizeof(*iph.iph_table))");
- return -1;
- }
- iph.iph_list = list;
- printhash(&iph, bcopywrap, iph.iph_name, opts);
- free(iph.iph_table);
- iph.iph_list = NULL;
-
- for (a = list; a != NULL; a = a->ipe_next) {
- a->ipe_addr.in4_addr = htonl(a->ipe_addr.in4_addr);
- a->ipe_mask.in4_addr = htonl(a->ipe_mask.in4_addr);
- }
- }
-
- if (opts & OPT_DEBUG)
- printf("Hash %s:\n", iph.iph_name);
-
- for (a = list; a != NULL; a = a->ipe_next)
- load_hashnode(iphp->iph_unit, iph.iph_name, a, iocfunc);
-
- if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("load_hash:SIOCLOOKUPDELTABLE");
- return -1;
- }
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/load_hashnode.c b/contrib/ipfilter/lib/load_hashnode.c
deleted file mode 100644
index 8ff907a..0000000
--- a/contrib/ipfilter/lib/load_hashnode.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2003-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_hashnode.c,v 1.2.4.2 2006/06/16 17:21:05 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-
-static int hashfd = -1;
-
-
-int load_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- iphtent_t ipe;
- int err;
-
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_type = IPLT_HASH;
- op.iplo_unit = unit;
- op.iplo_arg = 0;
- op.iplo_size = sizeof(ipe);
- op.iplo_struct = &ipe;
- strncpy(op.iplo_name, name, sizeof(op.iplo_name));
-
- bzero((char *)&ipe, sizeof(ipe));
- bcopy((char *)&node->ipe_addr, (char *)&ipe.ipe_addr,
- sizeof(ipe.ipe_addr));
- bcopy((char *)&node->ipe_mask, (char *)&ipe.ipe_mask,
- sizeof(ipe.ipe_mask));
- bcopy((char *)&node->ipe_group, (char *)&ipe.ipe_group,
- sizeof(ipe.ipe_group));
-
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(hashfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op);
-
- if (err != 0)
- if (!(opts & OPT_DONOTHING)) {
- perror("load_hash:SIOCLOOKUP*NODE");
- return -1;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/load_http.c b/contrib/ipfilter/lib/load_http.c
deleted file mode 100644
index 164b8b4..0000000
--- a/contrib/ipfilter/lib/load_http.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (C) 2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_http.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
- */
-
-#include "ipf.h"
-
-/*
- * Format expected is one addres per line, at the start of each line.
- */
-alist_t *
-load_http(char *url)
-{
- int fd, len, left, port, endhdr, removed;
- char *s, *t, *u, buffer[1024], *myurl;
- alist_t *a, *rtop, *rbot;
- struct sockaddr_in sin;
- struct hostent *host;
-
- /*
- * More than this would just be absurd.
- */
- if (strlen(url) > 512) {
- fprintf(stderr, "load_http has a URL > 512 bytes?!\n");
- return NULL;
- }
-
- fd = -1;
- rtop = NULL;
- rbot = NULL;
-
- sprintf(buffer, "GET %s HTTP/1.0\r\n", url);
-
- myurl = strdup(url);
- if (myurl == NULL)
- goto done;
-
- s = myurl + 7; /* http:// */
- t = strchr(s, '/');
- if (t == NULL) {
- fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
- free(myurl);
- return NULL;
- }
- *t++ = '\0';
-
- u = strchr(s, '@');
- if (u != NULL)
- s = u + 1; /* AUTH */
-
- sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
-
- u = strchr(s, ':');
- if (u != NULL) {
- *u++ = '\0';
- port = atoi(u);
- if (port < 0 || port > 65535)
- goto done;
- } else {
- port = 80;
- }
-
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_port = htons(port);
-
- if (isdigit(*s)) {
- if (inet_aton(s, &sin.sin_addr) == -1) {
- goto done;
- }
- } else {
- host = gethostbyname(s);
- if (host == NULL)
- goto done;
- memcpy(&sin.sin_addr, host->h_addr_list[0],
- sizeof(sin.sin_addr));
- }
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- goto done;
-
- if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- close(fd);
- goto done;
- }
-
- len = strlen(buffer);
- if (write(fd, buffer, len) != len) {
- close(fd);
- goto done;
- }
-
- s = buffer;
- endhdr = 0;
- left = sizeof(buffer) - 1;
-
- while ((len = read(fd, s, left)) > 0) {
- s[len] = '\0';
- left -= len;
- s += len;
-
- if (endhdr >= 0) {
- if (endhdr == 0) {
- t = strchr(buffer, ' ');
- if (t == NULL)
- continue;
- t++;
- if (*t != '2')
- break;
- }
-
- u = buffer;
- while ((t = strchr(u, '\r')) != NULL) {
- if (t == u) {
- if (*(t + 1) == '\n') {
- u = t + 2;
- endhdr = -1;
- break;
- } else
- t++;
- } else if (*(t + 1) == '\n') {
- endhdr++;
- u = t + 2;
- } else
- u = t + 1;
- }
- if (endhdr >= 0)
- continue;
- removed = (u - buffer) + 1;
- memmove(buffer, u, (sizeof(buffer) - left) - removed);
- s -= removed;
- left += removed;
- }
-
- do {
- t = strchr(buffer, '\n');
- if (t == NULL)
- break;
-
- *t++ = '\0';
- for (u = buffer; isdigit(*u) || (*u == '.'); u++)
- ;
- if (*u == '/') {
- char *slash;
-
- slash = u;
- u++;
- while (isdigit(*u))
- u++;
- if (!isspace(*u) && *u)
- u = slash;
- }
- *u = '\0';
-
- a = alist_new(4, buffer);
- if (a != NULL) {
- if (rbot != NULL)
- rbot->al_next = a;
- else
- rtop = a;
- rbot = a;
- }
-
- removed = t - buffer;
- memmove(buffer, t, sizeof(buffer) - left - removed);
- s -= removed;
- left += removed;
-
- } while (1);
- }
-
-done:
- if (myurl != NULL)
- free(myurl);
- if (fd != -1)
- close(fd);
- return rtop;
-}
diff --git a/contrib/ipfilter/lib/load_pool.c b/contrib/ipfilter/lib/load_pool.c
deleted file mode 100644
index f22b063..0000000
--- a/contrib/ipfilter/lib/load_pool.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_pool.c,v 1.14.2.4 2006/06/16 17:21:06 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-
-static int poolfd = -1;
-
-
-int load_pool(plp, iocfunc)
-ip_pool_t *plp;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- ip_pool_node_t *a;
- ip_pool_t pool;
-
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_unit = plp->ipo_unit;
- op.iplo_type = IPLT_POOL;
- op.iplo_arg = 0;
- strncpy(op.iplo_name, plp->ipo_name, sizeof(op.iplo_name));
- op.iplo_size = sizeof(pool);
- op.iplo_struct = &pool;
- bzero((char *)&pool, sizeof(pool));
- strncpy(pool.ipo_name, plp->ipo_name, sizeof(pool.ipo_name));
- if (plp->ipo_name[0] == '\0')
- op.iplo_arg |= IPOOL_ANON;
-
- if ((opts & OPT_REMOVE) == 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPADDTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPADDTABLE");
- return -1;
- }
- }
-
- if (op.iplo_arg & IPOOL_ANON)
- strncpy(pool.ipo_name, op.iplo_name, sizeof(pool.ipo_name));
-
- if ((opts & OPT_VERBOSE) != 0) {
- pool.ipo_list = plp->ipo_list;
- printpool(&pool, bcopywrap, pool.ipo_name, opts);
- pool.ipo_list = NULL;
- }
-
- for (a = plp->ipo_list; a != NULL; a = a->ipn_next)
- load_poolnode(plp->ipo_unit, pool.ipo_name, a, iocfunc);
-
- if ((opts & OPT_REMOVE) != 0) {
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("load_pool:SIOCLOOKUPDELTABLE");
- return -1;
- }
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/load_poolnode.c b/contrib/ipfilter/lib/load_poolnode.c
deleted file mode 100644
index 2afc4d2..0000000
--- a/contrib/ipfilter/lib/load_poolnode.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2003-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_poolnode.c,v 1.3.2.3 2006/06/16 17:21:06 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-
-static int poolfd = -1;
-
-
-int load_poolnode(role, name, node, iocfunc)
-int role;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
-{
- ip_pool_node_t pn;
- iplookupop_t op;
- int err;
-
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_unit = role;
- op.iplo_type = IPLT_POOL;
- op.iplo_arg = 0;
- op.iplo_struct = &pn;
- op.iplo_size = sizeof(pn);
- strncpy(op.iplo_name, name, sizeof(op.iplo_name));
-
- bzero((char *)&pn, sizeof(pn));
- bcopy((char *)&node->ipn_addr, (char *)&pn.ipn_addr,
- sizeof(pn.ipn_addr));
- bcopy((char *)&node->ipn_mask, (char *)&pn.ipn_mask,
- sizeof(pn.ipn_mask));
- pn.ipn_info = node->ipn_info;
- strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
-
- if ((opts & OPT_REMOVE) == 0)
- err = (*iocfunc)(poolfd, SIOCLOOKUPADDNODE, &op);
- else
- err = (*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op);
-
- if (err != 0) {
- if ((opts & OPT_DONOTHING) == 0) {
- perror("load_poolnode:SIOCLOOKUP*NODE");
- return -1;
- }
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/lib/load_url.c b/contrib/ipfilter/lib/load_url.c
deleted file mode 100644
index 7709153..0000000
--- a/contrib/ipfilter/lib/load_url.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: load_url.c,v 1.1.2.1 2006/08/25 21:13:04 darrenr Exp $
- */
-
-#include "ipf.h"
-
-alist_t *
-load_url(char *url)
-{
- alist_t *hosts = NULL;
-
- if (strncmp(url, "file://", 7) == 0) {
- /*
- * file:///etc/passwd
- * ^------------s
- */
- hosts = load_file(url);
-
- } else if (*url == '/' || *url == '.') {
- hosts = load_file(url);
-
- } else if (strncmp(url, "http://", 7) == 0) {
- hosts = load_http(url);
- }
-
- return hosts;
-}
diff --git a/contrib/ipfilter/lib/loglevel.c b/contrib/ipfilter/lib/loglevel.c
deleted file mode 100644
index 47dd8ba..0000000
--- a/contrib/ipfilter/lib/loglevel.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: loglevel.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int loglevel(cpp, facpri, linenum)
-char **cpp;
-u_int *facpri;
-int linenum;
-{
- int fac, pri;
- char *s;
-
- fac = 0;
- pri = 0;
- if (!*++cpp) {
- fprintf(stderr, "%d: %s\n", linenum,
- "missing identifier after level");
- return -1;
- }
-
- s = strchr(*cpp, '.');
- if (s) {
- *s++ = '\0';
- fac = fac_findname(*cpp);
- if (fac == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown facility", *cpp);
- return -1;
- }
- pri = pri_findname(s);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", s);
- return -1;
- }
- } else {
- pri = pri_findname(*cpp);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", *cpp);
- return -1;
- }
- }
- *facpri = fac|pri;
- return 0;
-}
diff --git a/contrib/ipfilter/lib/make_range.c b/contrib/ipfilter/lib/make_range.c
deleted file mode 100644
index e4335cd..0000000
--- a/contrib/ipfilter/lib/make_range.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: make_range.c,v 1.2 2002/05/18 07:27:52 darrenr Exp $
- */
-#include "ipf.h"
-
-
-alist_t *make_range(not, a1, a2)
-int not;
-struct in_addr a1, a2;
-{
- alist_t *a;
-
- a = (alist_t *)calloc(1, sizeof(*a));
- if (a != NULL) {
- a->al_1 = a1.s_addr;
- a->al_2 = a2.s_addr;
- a->al_not = not;
- }
- return a;
-}
diff --git a/contrib/ipfilter/lib/mutex_emul.c b/contrib/ipfilter/lib/mutex_emul.c
deleted file mode 100644
index 1a58156..0000000
--- a/contrib/ipfilter/lib/mutex_emul.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: mutex_emul.c,v 1.2.4.1 2006/06/16 17:21:06 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#define EMM_MAGIC 0x9d7adba3
-
-void eMmutex_enter(mtx, file, line)
-eMmutex_t *mtx;
-char *file;
-int line;
-{
- if (mtx->eMm_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMmutex_enter(%p): bad magic: %#x\n",
- mtx->eMm_owner, mtx, mtx->eMm_magic);
- abort();
- }
- if (mtx->eMm_held != 0) {
- fprintf(stderr, "%s:eMmutex_enter(%p): already locked: %d\n",
- mtx->eMm_owner, mtx, mtx->eMm_held);
- abort();
- }
- mtx->eMm_held++;
- mtx->eMm_heldin = file;
- mtx->eMm_heldat = line;
-}
-
-
-void eMmutex_exit(mtx)
-eMmutex_t *mtx;
-{
- if (mtx->eMm_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMmutex_exit(%p): bad magic: %#x\n",
- mtx->eMm_owner, mtx, mtx->eMm_magic);
- abort();
- }
- if (mtx->eMm_held != 1) {
- fprintf(stderr, "%s:eMmutex_exit(%p): not locked: %d\n",
- mtx->eMm_owner, mtx, mtx->eMm_held);
- abort();
- }
- mtx->eMm_held--;
- mtx->eMm_heldin = NULL;
- mtx->eMm_heldat = 0;
-}
-
-
-void eMmutex_init(mtx, who)
-eMmutex_t *mtx;
-char *who;
-{
- if (mtx->eMm_magic == EMM_MAGIC) { /* safe bet ? */
- fprintf(stderr,
- "%s:eMmutex_init(%p): already initialised?: %#x\n",
- mtx->eMm_owner, mtx, mtx->eMm_magic);
- abort();
- }
- mtx->eMm_magic = EMM_MAGIC;
- mtx->eMm_held = 0;
- if (who != NULL)
- mtx->eMm_owner = strdup(who);
- else
- mtx->eMm_owner = NULL;
-}
-
-
-void eMmutex_destroy(mtx)
-eMmutex_t *mtx;
-{
- if (mtx->eMm_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMmutex_destroy(%p): bad magic: %#x\n",
- mtx->eMm_owner, mtx, mtx->eMm_magic);
- abort();
- }
- if (mtx->eMm_held != 0) {
- fprintf(stderr, "%s:eMmutex_enter(%p): still locked: %d\n",
- mtx->eMm_owner, mtx, mtx->eMm_held);
- abort();
- }
- memset(mtx, 0xa5, sizeof(*mtx));
-}
diff --git a/contrib/ipfilter/lib/nametokva.c b/contrib/ipfilter/lib/nametokva.c
deleted file mode 100644
index 89e3474..0000000
--- a/contrib/ipfilter/lib/nametokva.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: nametokva.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#include <sys/ioctl.h>
-#include <fcntl.h>
-
-ipfunc_t nametokva(name, iocfunc)
-char *name;
-ioctlfunc_t iocfunc;
-{
- ipfunc_resolve_t res;
- int fd;
-
- strncpy(res.ipfu_name, name, sizeof(res.ipfu_name));
- res.ipfu_addr = NULL;
- fd = -1;
-
- if ((opts & OPT_DONOTHING) == 0) {
- fd = open(IPL_NAME, O_RDONLY);
- if (fd == -1)
- return NULL;
- }
- (void) (*iocfunc)(fd, SIOCFUNCL, &res);
- if (fd >= 0)
- close(fd);
- if (res.ipfu_addr == NULL)
- res.ipfu_addr = (ipfunc_t)-1;
- return res.ipfu_addr;
-}
diff --git a/contrib/ipfilter/lib/nat_setgroupmap.c b/contrib/ipfilter/lib/nat_setgroupmap.c
deleted file mode 100644
index ccf7864..0000000
--- a/contrib/ipfilter/lib/nat_setgroupmap.c
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: nat_setgroupmap.c,v 1.1.4.1 2006/06/16 17:21:07 darrenr Exp $";
-#endif
-
-#include "ipf.h"
-
-void nat_setgroupmap(n)
-ipnat_t *n;
-{
- if (n->in_outmsk == n->in_inmsk)
- n->in_ippip = 1;
- else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
- n->in_ippip++;
- if (n->in_ippip == 0)
- n->in_ippip = 1;
- n->in_ppip = USABLE_PORTS / n->in_ippip;
- } else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
- n->in_ppip = 1;
- n->in_ippip = USABLE_PORTS / n->in_ppip;
- }
-}
diff --git a/contrib/ipfilter/lib/natparse.c b/contrib/ipfilter/lib/natparse.c
deleted file mode 100644
index 9937380..0000000
--- a/contrib/ipfilter/lib/natparse.c
+++ /dev/null
@@ -1,728 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.8.2.1 2004/12/09 19:41:21 darrenr Exp $";
-#endif
-
-#include <sys/ioctl.h>
-#include <errno.h>
-#include <ctype.h>
-
-#include "ipf.h"
-#include "opts.h"
-
-
-void nat_setgroupmap(n)
-ipnat_t *n;
-{
- if (n->in_outmsk == n->in_inmsk)
- n->in_ippip = 1;
- else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
- n->in_ippip++;
- if (n->in_ippip == 0)
- n->in_ippip = 1;
- n->in_ppip = USABLE_PORTS / n->in_ippip;
- } else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
- n->in_ppip = 1;
- n->in_ippip = USABLE_PORTS / n->in_ppip;
- }
-}
-
-
-
-ipnat_t *natparse(line, linenum)
-char *line;
-int linenum;
-{
- static ipnat_t ipn;
- struct protoent *pr;
- char *dnetm = NULL, *dport = NULL, *proto = NULL;
- char *s, *t, *cps[31], **cpp;
- int i, cnt;
-
-
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- while (*line && ISSPACE(*line))
- line++;
- if (!*line)
- return NULL;
-
- bzero((char *)&ipn, sizeof(ipn));
- cnt = 0;
-
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- return NULL;
- }
-
- cpp = cps;
-
- if (!strcasecmp(*cpp, "map"))
- ipn.in_redir = NAT_MAP;
- else if (!strcasecmp(*cpp, "map-block"))
- ipn.in_redir = NAT_MAPBLK;
- else if (!strcasecmp(*cpp, "rdr"))
- ipn.in_redir = NAT_REDIRECT;
- else if (!strcasecmp(*cpp, "bimap"))
- ipn.in_redir = NAT_BIMAP;
- else {
- fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
-
- cpp++;
-
- strncpy(ipn.in_ifnames[0], *cpp, sizeof(ipn.in_ifnames[0]) - 1);
- ipn.in_ifnames[0][sizeof(ipn.in_ifnames[0]) - 1] = '\0';
- cpp++;
-
- if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
- if (!strcmp(*cpp, "!")) {
- cpp++;
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "Missing from after !\n");
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- } else if (**cpp == '!') {
- if (strcasecmp(*cpp + 1, "from")) {
- fprintf(stderr, "Missing from after !\n");
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- }
- if ((ipn.in_flags & IPN_NOTSRC) &&
- (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
- fprintf(stderr, "Cannot use '! from' with map\n");
- return NULL;
- }
-
- ipn.in_flags |= IPN_FILTER;
- cpp++;
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, proto, NULL,
- (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, linenum) == -1)
- return NULL;
-
- if (ports(&cpp, proto, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum))
- return NULL;
- } else {
- if (hostmask(&cpp, proto, NULL,
- (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk, linenum) == -1)
- return NULL;
-
- if (ports(&cpp, proto, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum))
- return NULL;
- }
-
- if (!strcmp(*cpp, "!")) {
- cpp++;
- ipn.in_flags |= IPN_NOTDST;
- } else if (**cpp == '!') {
- (*cpp)++;
- ipn.in_flags |= IPN_NOTDST;
- }
-
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- return NULL;
- }
- if ((ipn.in_flags & IPN_NOTDST) &&
- (ipn.in_redir & (NAT_REDIRECT))) {
- fprintf(stderr, "Cannot use '! to' with rdr\n");
- return NULL;
- }
-
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- return NULL;
- }
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, proto, NULL,
- (u_32_t *)&ipn.in_outip,
- (u_32_t *)&ipn.in_outmsk, linenum))
- return NULL;
-
- if (ports(&cpp, proto, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_dport);
- } else {
- if (hostmask(&cpp, proto, NULL,
- (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, linenum))
- return NULL;
-
- if (ports(&cpp, proto, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum))
- return NULL;
- }
- } else {
- s = *cpp;
- if (!s)
- return NULL;
- t = strchr(s, '/');
- if (!t)
- return NULL;
- *t++ = '\0';
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostnum((u_32_t *)&ipn.in_outip, s, linenum, NULL))
- return NULL;
- if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
- return NULL;
- }
- } else {
- if (hostnum((u_32_t *)&ipn.in_inip, s, linenum, NULL))
- return NULL;
- if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
- return NULL;
- }
- }
- cpp++;
- if (!*cpp)
- return NULL;
- }
-
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 1st port\n",
- linenum);
- return NULL;
- }
-
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- return NULL;
- }
-
- if (ISDIGIT(**cpp) && (s = strchr(*cpp, '-')))
- *s++ = '\0';
- else
- s = NULL;
-
- if (!portnum(*cpp, proto, &ipn.in_pmin, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_pmin);
- cpp++;
-
- if (!strcmp(*cpp, "-")) {
- cpp++;
- s = *cpp++;
- }
-
- if (s) {
- if (!portnum(s, proto, &ipn.in_pmax, linenum))
- return NULL;
- ipn.in_pmax = htons(ipn.in_pmax);
- } else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (->)\n", linenum);
- return NULL;
- }
- if (strcmp(*cpp, "->")) {
- fprintf(stderr, "%d: missing ->\n", linenum);
- return NULL;
- }
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum, ipn.in_redir ? "destination" : "target");
- return NULL;
- }
-
- if (ipn.in_redir == NAT_MAP) {
- if (!strcasecmp(*cpp, "range")) {
- cpp++;
- ipn.in_flags |= IPN_IPRANGE;
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum,
- ipn.in_redir ? "destination":"target");
- return NULL;
- }
- }
- }
-
- if (ipn.in_flags & IPN_IPRANGE) {
- dnetm = strrchr(*cpp, '-');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
- dnetm = *(cpp + 1);
- } else
- *dnetm++ = '\0';
- if (dnetm == NULL || *dnetm == '\0') {
- fprintf(stderr,
- "%d: desination range not specified\n",
- linenum);
- return NULL;
- }
- } else if (ipn.in_redir != NAT_REDIRECT) {
- dnetm = strrchr(*cpp, '/');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcasecmp(*cpp, "netmask"))
- dnetm = *++cpp;
- }
- if (dnetm == NULL) {
- fprintf(stderr,
- "%d: missing fields (dest netmask)\n",
- linenum);
- return NULL;
- }
- if (*dnetm == '/')
- *dnetm++ = '\0';
- }
-
- if (ipn.in_redir == NAT_REDIRECT) {
- dnetm = strchr(*cpp, ',');
- if (dnetm != NULL) {
- ipn.in_flags |= IPN_SPLIT;
- *dnetm++ = '\0';
- }
- if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum, NULL))
- return NULL;
- } else {
- if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum, NULL))
- return NULL;
- }
- cpp++;
-
- if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp && strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- if (*cpp) {
- ipn.in_pmin = atoi(*cpp);
- cpp++;
- } else
- ipn.in_pmin = 0;
- } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (*cpp && strrchr(*cpp, '/') != NULL) {
- fprintf(stderr, "%d: No netmask supported in %s\n",
- linenum, "destination host for redirect");
- return NULL;
- }
- /* If it's a in_redir, expect target port */
-
- if (!*cpp || strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- return NULL;
- }
- if (!portnum(*cpp, proto, &ipn.in_pnext, linenum))
- return NULL;
- ipn.in_pnext = htons(ipn.in_pnext);
- cpp++;
- }
- if (dnetm && *dnetm == '/')
- *dnetm++ = '\0';
-
- if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
- if (ipn.in_flags & IPN_IPRANGE) {
- if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
- linenum, NULL) == -1)
- return NULL;
- } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
- return NULL;
- } else {
- if (ipn.in_flags & IPN_SPLIT) {
- if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
- linenum, NULL) == -1)
- return NULL;
- } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
- return NULL;
- if (!*cpp) {
- ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
- proto = "tcp";
- } else {
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "ip"))
- ipn.in_flags |= IPN_ANY;
- else {
- ipn.in_flags |= IPN_ANY;
- ipn.in_p = getproto(*cpp);
- }
- proto = *cpp;
- cpp++;
-
- if (*cpp && !strcasecmp(*cpp, "round-robin")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: age with no parameters\n",
- linenum);
- return NULL;
- }
-
- ipn.in_age[0] = atoi(*cpp);
- s = strchr(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr,
- "%d: mssclamp with no parameters\n",
- linenum);
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr,
- "%d: extra junk at the end of rdr: %s\n",
- linenum, *cpp);
- return NULL;
- }
- }
- }
-
- if (!(ipn.in_flags & IPN_SPLIT))
- ipn.in_inip &= ipn.in_inmsk;
- if ((ipn.in_flags & IPN_IPRANGE) == 0)
- ipn.in_outip &= ipn.in_outmsk;
- ipn.in_srcip &= ipn.in_srcmsk;
-
- if ((ipn.in_redir & NAT_MAPBLK) != 0)
- nat_setgroupmap(&ipn);
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (!*cpp)
- return &ipn;
-
- if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) {
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use proxy with bimap\n",
- linenum);
- return NULL;
- }
-
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- return NULL;
- }
- dport = NULL;
-
- if (!strcasecmp(*cpp, "port")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"port\"\n",
- linenum);
- return NULL;
- }
-
- dport = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- return NULL;
- }
- } else {
- fprintf(stderr,
- "%d: missing keyword \"port\"\n", linenum);
- return NULL;
- }
-
- if ((proto = strchr(*cpp, '/'))) {
- *proto++ = '\0';
- ipn.in_p = getproto(proto);
- } else
- ipn.in_p = 0;
-
- if (dport && !portnum(dport, proto, &ipn.in_dport, linenum))
- return NULL;
- ipn.in_dport = htons(ipn.in_dport);
-
- (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
- cpp++;
-
- if (*cpp) {
- fprintf(stderr,
- "%d: too many parameters for \"proxy\"\n",
- linenum);
- return NULL;
- }
- return &ipn;
- }
-
-
- if (!strcasecmp(*cpp, "icmpidmap")) {
-
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: icmpidmap misses protocol and range\n",
- linenum);
- return NULL;
- };
-
- if (!strcasecmp(*cpp, "icmp"))
- ipn.in_flags = IPN_ICMPQUERY;
- else {
- fprintf(stderr, "%d: icmpidmap only valid for icmp\n",
- linenum);
- return NULL;
- }
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: no icmp id argument found\n",
- linenum);
- return NULL;
- }
-
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr,
- "%d: no icmp id range detected in \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- *t++ = '\0';
-
- if (!icmpidnum(*cpp, &ipn.in_pmin, linenum) ||
- !icmpidnum(t, &ipn.in_pmax, linenum))
- return NULL;
- } else if (!strcasecmp(*cpp, "portmap")) {
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use proxy with bimap\n",
- linenum);
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing expression following portmap\n",
- linenum);
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else {
- fprintf(stderr,
- "%d: expected protocol name - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- proto = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: no port range found\n", linenum);
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "auto")) {
- ipn.in_flags |= IPN_AUTOPORTMAP;
- ipn.in_pmin = htons(1024);
- ipn.in_pmax = htons(65535);
- nat_setgroupmap(&ipn);
- } else {
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr,
- "%d: no port range in \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- *t++ = '\0';
- if (!portnum(*cpp, proto, &ipn.in_pmin, linenum) ||
- !portnum(t, proto, &ipn.in_pmax, linenum))
- return NULL;
- }
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "round-robin")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: age with no parameters\n",
- linenum);
- return NULL;
- }
- s = strchr(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr, "%d: mssclamp with no parameters\n",
- linenum);
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
- linenum, *cpp);
- return NULL;
- }
-
- ipn.in_pmin = htons(ipn.in_pmin);
- ipn.in_pmax = htons(ipn.in_pmax);
- return &ipn;
-}
-
-
-void natparsefile(fd, file, opts)
-int fd;
-char *file;
-int opts;
-{
- char line[512], *s;
- ipnat_t *np;
- FILE *fp;
- int linenum = 0;
-
- if (strcmp(file, "-")) {
- if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: open: %s\n", file,
- STRERROR(errno));
- exit(1);
- }
- } else
- fp = stdin;
-
- while (getline(line, sizeof(line) - 1, fp, &linenum)) {
- line[sizeof(line) - 1] = '\0';
- if ((s = strchr(line, '\n')))
- *s = '\0';
-
- if (!(np = natparse(line, linenum))) {
- if (*line)
- fprintf(stderr, "%d: syntax error in \"%s\"\n",
- linenum, line);
- } else {
- if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts);
- if (!(opts & OPT_DONOTHING)) {
- if (!(opts & OPT_REMOVE)) {
- if (ioctl(fd, SIOCADNAT, &np) == -1)
- perror("ioctl(SIOCADNAT)");
- } else if (ioctl(fd, SIOCRMNAT, &np) == -1)
- perror("ioctl(SIOCRMNAT)");
- }
- }
- }
- if (fp != stdin)
- fclose(fp);
-}
-
-
-int icmpidnum(str, id, linenum)
-char *str;
-u_short *id;
-int linenum;
-{
- int i;
-
-
- i = atoi(str);
-
- if ((i<0) || (i>65535)) {
- fprintf(stderr, "%d: invalid icmp id\"%s\".\n", linenum, str);
- return 0;
- }
-
- *id = (u_short)i;
-
- return 1;
-}
diff --git a/contrib/ipfilter/lib/ntomask.c b/contrib/ipfilter/lib/ntomask.c
deleted file mode 100644
index 4a50ef8..0000000
--- a/contrib/ipfilter/lib/ntomask.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ntomask.c,v 1.6.2.1 2006/06/16 17:21:07 darrenr Exp $
- */
-
-#include "ipf.h"
-
-int ntomask(v, nbits, ap)
-int v, nbits;
-u_32_t *ap;
-{
- u_32_t mask;
-
- if (nbits < 0)
- return -1;
-
- switch (v)
- {
- case 4 :
- if (nbits > 32 || use_inet6 != 0)
- return -1;
- if (nbits == 0) {
- mask = 0;
- } else {
- mask = 0xffffffff;
- mask <<= (32 - nbits);
- }
- *ap = htonl(mask);
- break;
-
- case 6 :
- if ((nbits > 128) || (use_inet6 == 0))
- return -1;
- fill6bits(nbits, ap);
- break;
-
- default :
- return -1;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/optname.c b/contrib/ipfilter/lib/optname.c
deleted file mode 100644
index 33e5f17..0000000
--- a/contrib/ipfilter/lib/optname.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2000-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: optname.c,v 1.3.4.1 2006/06/16 17:21:07 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
-{
- struct ipopt_names *io, *so;
- u_long msk = 0;
- u_short smsk = 0;
- char *s;
- int sec = 0;
-
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(s, io->on_name)) {
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "%d: unknown IP option name %s\n",
- linenum, s);
- return 0;
- }
- if (!strcasecmp(s, "sec-class"))
- sec = 1;
- }
-
- if (sec && !*(*cp + 1)) {
- fprintf(stderr, "%d: missing security level after sec-class\n",
- linenum);
- return 0;
- }
-
- if (sec) {
- (*cp)++;
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(s, so->on_name)) {
- smsk |= so->on_bit;
- break;
- }
- if (!so->on_name) {
- fprintf(stderr,
- "%d: no such security level: %s\n",
- linenum, s);
- return 0;
- }
- }
- if (smsk)
- *sp = smsk;
- }
- return msk;
-}
diff --git a/contrib/ipfilter/lib/optprint.c b/contrib/ipfilter/lib/optprint.c
deleted file mode 100644
index 8c14fe4..0000000
--- a/contrib/ipfilter/lib/optprint.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: optprint.c,v 1.6.4.2 2006/06/16 17:21:08 darrenr Exp $
- */
-#include "ipf.h"
-
-
-void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io, *so;
- char *s;
-
- s = " opt ";
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- /*
- * Because the ionames table has this entry
- * twice.
- */
- if (io->on_value == IPOPT_SECURITY)
- io++;
- s = ",";
- }
- }
-
-
- if (secmsk & secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((secmsk & so->on_bit) &&
- ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not opt");
- if (optmsk != optbits) {
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- s = ",";
- if (io->on_value ==
- IPOPT_SECURITY)
- io++;
- } else
- io++;
- }
- }
-
- if (secmsk != secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((so->on_bit & secmsk) &&
- ((so->on_bit & secmsk) !=
- (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
- }
-}
diff --git a/contrib/ipfilter/lib/optprintv6.c b/contrib/ipfilter/lib/optprintv6.c
deleted file mode 100644
index 5172b5c..0000000
--- a/contrib/ipfilter/lib/optprintv6.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: optprintv6.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $
- */
-#include "ipf.h"
-
-
-#ifdef USE_INET6
-
-void optprintv6(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io;
- char *s;
-
- s = " v6hdrs ";
- for (io = v6ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- printf("%s%s", s, io->on_name);
- s = ",";
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not v6hdrs");
- if (optmsk != optbits) {
- for (io = v6ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- printf("%s%s", s, io->on_name);
- s = ",";
- }
- }
-
- }
-}
-#endif
diff --git a/contrib/ipfilter/lib/optvalue.c b/contrib/ipfilter/lib/optvalue.c
deleted file mode 100644
index 37bfcf9..0000000
--- a/contrib/ipfilter/lib/optvalue.c
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2001-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: optvalue.c,v 1.2.4.1 2006/06/16 17:21:08 darrenr Exp $
- */
-#include "ipf.h"
-
-
-u_32_t getoptbyname(optname)
-char *optname;
-{
- struct ipopt_names *io;
-
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(optname, io->on_name))
- return io->on_bit;
- return -1;
-}
-
-
-u_32_t getoptbyvalue(optval)
-int optval;
-{
- struct ipopt_names *io;
-
- for (io = ionames; io->on_name; io++)
- if (io->on_value == optval)
- return io->on_bit;
- return -1;
-}
diff --git a/contrib/ipfilter/lib/parse.c b/contrib/ipfilter/lib/parse.c
deleted file mode 100644
index 1a49d16..0000000
--- a/contrib/ipfilter/lib/parse.c
+++ /dev/null
@@ -1,752 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: parse.c,v 1.34.2.1 2004/12/09 19:41:21 darrenr Exp $
- */
-#include <ctype.h>
-#include "ipf.h"
-#include "opts.h"
-
-static frentry_t *fp = NULL;
-
-/* parse()
- *
- * parse a line read from the input filter rule file
- */
-struct frentry *parse(line, linenum)
-char *line;
-int linenum;
-{
- static fripf_t fip;
- char *cps[31], **cpp, *endptr, *proto = NULL, *s;
- struct protoent *p = NULL;
- int i, cnt = 1, j;
- u_int k;
-
- if (fp == NULL) {
- fp = malloc(sizeof(*fp));
- if (fp == NULL)
- return NULL;
- }
-
- while (*line && ISSPACE(*line))
- line++;
- if (!*line)
- return NULL;
-
- bzero((char *)fp, sizeof(*fp));
- bzero((char *)&fip, sizeof(fip));
- fp->fr_v = use_inet6 ? 6 : 4;
- fp->fr_ipf = &fip;
- fp->fr_dsize = sizeof(fip);
- fp->fr_ip.fi_v = fp->fr_v;
- fp->fr_mip.fi_v = 0xf;
- fp->fr_type = FR_T_NONE;
- fp->fr_loglevel = 0xffff;
- fp->fr_isc = (void *)-1;
- fp->fr_tag = FR_NOTAG;
-
- /*
- * break line up into max of 20 segments
- */
- if (opts & OPT_DEBUG)
- fprintf(stderr, "parse [%s]\n", line);
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- return NULL;
- }
-
- cpp = cps;
- /*
- * The presence of an '@' followed by a number gives the position in
- * the current rule list to insert this one.
- */
- if (**cpp == '@')
- fp->fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
-
- /*
- * Check the first keyword in the rule and any options that are
- * expected to follow it.
- */
- if (!strcasecmp("block", *cpp)) {
- fp->fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
- (i = 19))
- fp->fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
- fp->fr_flags |= FR_RETICMP;
- if (fp->fr_flags & FR_RETICMP) {
- cpp++;
- if (strlen(*cpp) == i) {
- if (*(cpp + 1) && **(cpp +1) == '(') {
- cpp++;
- i = 0;
- } else
- i = -1;
- }
-
- /*
- * The ICMP code is not required to follow in ()'s
- */
- if ((i >= 0) && (*(*cpp + i) == '(')) {
- i++;
- j = icmpcode(*cpp + i);
- if (j == -1) {
- fprintf(stderr,
- "%d: unrecognised icmp code %s\n",
- linenum, *cpp + 20);
- return NULL;
- }
- fp->fr_icode = j;
- }
- } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
- fp->fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("count", *cpp)) {
- fp->fr_flags |= FR_ACCOUNT;
- } else if (!strcasecmp("pass", *cpp)) {
- fp->fr_flags |= FR_PASS;
- } else if (!strcasecmp("auth", *cpp)) {
- fp->fr_flags |= FR_AUTH;
- } else if (fp->fr_arg != 0) {
- printf("skip %u", fp->fr_arg);
- } else if (!strcasecmp("preauth", *cpp)) {
- fp->fr_flags |= FR_PREAUTH;
- } else if (!strcasecmp("nomatch", *cpp)) {
- fp->fr_flags |= FR_NOMATCH;
- } else if (!strcasecmp("skip", *cpp)) {
- cpp++;
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fp->fr_arg = k;
- else {
- fprintf(stderr, "%d: integer must follow skip\n",
- linenum);
- return NULL;
- }
- } else if (!strcasecmp("log", *cpp)) {
- fp->fr_flags |= FR_LOG;
- if (!strcasecmp(*(cpp+1), "body")) {
- fp->fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "first")) {
- fp->fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
- fp->fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "level")) {
- cpp++;
- if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1)
- return NULL;
- cpp++;
- }
- } else {
- /*
- * Doesn't start with one of the action words
- */
- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
- return NULL;
- }
-
- /*
- * Get the direction for filtering. Impose restrictions on direction
- * if blocking with returning ICMP or an RST has been requested.
- */
- if (!strcasecmp("in", *cpp))
- fp->fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp)) {
- fp->fr_flags |= FR_OUTQUE;
- if (fp->fr_flags & FR_RETICMP) {
- fprintf(stderr,
- "%d: Can only use return-icmp with 'in'\n",
- linenum);
- return NULL;
- } else if (fp->fr_flags & FR_RETRST) {
- fprintf(stderr,
- "%d: Can only use return-rst with 'in'\n",
- linenum);
- return NULL;
- }
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- return NULL;
- }
-
- if (!strcasecmp("log", *cpp)) {
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n",
- linenum);
- return NULL;
- }
- if (FR_ISPASS(fp->fr_flags))
- fp->fr_flags |= FR_LOGP;
- else if (FR_ISBLOCK(fp->fr_flags))
- fp->fr_flags |= FR_LOGB;
- if (*cpp && !strcasecmp(*cpp, "body")) {
- fp->fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "first")) {
- fp->fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "or-block")) {
- if (!FR_ISPASS(fp->fr_flags)) {
- fprintf(stderr,
- "%d: or-block must be used with pass\n",
- linenum);
- return NULL;
- }
- fp->fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "level")) {
- if (loglevel(cpp, &fp->fr_loglevel, linenum) == -1)
- return NULL;
- cpp++;
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp("quick", *cpp)) {
- if (fp->fr_arg != 0) {
- fprintf(stderr, "%d: cannot use skip with quick\n",
- linenum);
- return NULL;
- }
- cpp++;
- fp->fr_flags |= FR_QUICK;
- }
-
- /*
- * Parse rule options that are available if a rule is tied to an
- * interface.
- */
- *fp->fr_ifname = '\0';
- *fp->fr_oifname = '\0';
- if (*cpp && !strcasecmp(*cpp, "on")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: interface name missing\n",
- linenum);
- return NULL;
- }
- (void)strncpy(fp->fr_ifname, *cpp, IFNAMSIZ-1);
- fp->fr_ifname[IFNAMSIZ-1] = '\0';
- cpp++;
- if (!*cpp) {
- if ((fp->fr_flags & FR_RETMASK) == FR_RETRST) {
- fprintf(stderr,
- "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- return NULL;
- }
- return fp;
- }
-
- if (!strcasecmp(*cpp, "out-via")) {
- if (fp->fr_flags & FR_OUTQUE) {
- fprintf(stderr,
- "out-via must be used with in\n");
- return NULL;
- }
- cpp++;
- (void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1);
- fp->fr_oifname[IFNAMSIZ-1] = '\0';
- cpp++;
- } else if (!strcasecmp(*cpp, "in-via")) {
- if (fp->fr_flags & FR_INQUE) {
- fprintf(stderr,
- "in-via must be used with out\n");
- return NULL;
- }
- cpp++;
- (void)strncpy(fp->fr_oifname, *cpp, IFNAMSIZ-1);
- fp->fr_oifname[IFNAMSIZ-1] = '\0';
- cpp++;
- }
-
- if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fp->fr_dif, *cpp, linenum))
- return NULL;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fp->fr_tif, *cpp, linenum))
- return NULL;
- cpp++;
- } else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
- if (!(fp->fr_flags & FR_INQUE)) {
- fprintf(stderr,
- "can only use %s with 'in'\n",
- "fastroute");
- return NULL;
- }
- fp->fr_flags |= FR_FASTROUTE;
- cpp++;
- }
-
- /*
- * Set the "other" interface name. Lets you specify both
- * inbound and outbound interfaces for state rules. Do not
- * prevent both interfaces from being the same.
- */
- strcpy(fp->fr_ifnames[3], "*");
- if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
- ((((fp->fr_flags & FR_INQUE) != 0) &&
- (strcasecmp(*cpp, "out-via") == 0)) ||
- (((fp->fr_flags & FR_OUTQUE) != 0) &&
- (strcasecmp(*cpp, "in-via") == 0)))) {
- cpp++;
-
- s = strchr(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fp->fr_ifnames[3], s,
- IFNAMSIZ - 1);
- fp->fr_ifnames[3][IFNAMSIZ - 1] = '\0';
- }
-
- (void)strncpy(fp->fr_ifnames[2], *cpp, IFNAMSIZ - 1);
- fp->fr_ifnames[2][IFNAMSIZ - 1] = '\0';
- cpp++;
- } else
- strcpy(fp->fr_ifnames[2], "*");
-
- }
-
- if (*cpp && !strcasecmp(*cpp, "tos")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tos missing value\n", linenum);
- return NULL;
- }
- fp->fr_tos = strtol(*cpp, NULL, 0);
- fp->fr_mip.fi_tos = 0xff;
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "ttl")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: ttl missing hopcount value\n",
- linenum);
- return NULL;
- }
- if (ratoi(*cpp, &i, 0, 255))
- fp->fr_ttl = i;
- else {
- fprintf(stderr, "%d: invalid ttl (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- fp->fr_mip.fi_ttl = 0xff;
- cpp++;
- }
-
- /*
- * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
- */
- if (*cpp && !strcasecmp(*cpp, "proto")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: protocol name missing\n", linenum);
- return NULL;
- }
- fp->fr_type = FR_T_IPF;
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp/udp")) {
- fp->fr_flx |= FI_TCPUDP;
- fp->fr_mflx |= FI_TCPUDP;
- } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
- fprintf(stderr,
-"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
- linenum);
- return NULL;
- } else {
- fp->fr_proto = getproto(proto);
- fp->fr_mip.fi_p = 0xff;
- }
- }
- if ((fp->fr_proto != IPPROTO_TCP) &&
- ((fp->fr_flags & FR_RETMASK) == FR_RETRST)) {
- fprintf(stderr, "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- return NULL;
- }
-
- /*
- * get the from host and bit mask to use against packets
- */
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- return NULL;
- }
- if (!strcasecmp(*cpp, "all")) {
- cpp++;
- if (!*cpp) {
- if (fp->fr_type == FR_T_NONE) {
- fp->fr_dsize = 0;
- fp->fr_data = NULL;
- }
- return fp;
- }
- fp->fr_type = FR_T_IPF;
-#ifdef IPFILTER_BPF
- } else if (!strcmp(*cpp, "{")) {
- struct bpf_program bpf;
- struct pcap *p;
- char **cp;
- u_32_t l;
-
- if (fp->fr_type != FR_T_NONE) {
- fprintf(stderr,
- "%d: cannot mix BPF/ipf matching\n", linenum);
- return NULL;
- }
- fp->fr_type = FR_T_BPFOPC;
- cpp++;
- if (!strncmp(*cpp, "0x", 2)) {
- fp->fr_data = malloc(4);
- for (cp = cpp, i = 0; *cp; cp++, i++) {
- if (!strcmp(*cp, "}"))
- break;
- fp->fr_data = realloc(fp->fr_data,
- (i + 1) * 4);
- l = strtoul(*cp, NULL, 0);
- ((u_32_t *)fp->fr_data)[i] = l;
- }
- if (!*cp) {
- fprintf(stderr, "Missing closing '}'\n");
- return NULL;
- }
- fp->fr_dsize = i * sizeof(l);
- bpf.bf_insns = fp->fr_data;
- bpf.bf_len = fp->fr_dsize / sizeof(struct bpf_insn);
- } else {
- for (cp = cpp; *cp; cp++) {
- if (!strcmp(*cp, "}"))
- break;
- (*cp)[-1] = ' ';
- }
- if (!*cp) {
- fprintf(stderr, "Missing closing '}'\n");
- return NULL;
- }
-
- bzero((char *)&bpf, sizeof(bpf));
- p = pcap_open_dead(DLT_RAW, 1);
- if (!p) {
- fprintf(stderr, "pcap_open_dead failed\n");
- return NULL;
- }
-
- if (pcap_compile(p, &bpf, *cpp, 1, 0xffffffff)) {
- pcap_perror(p, "ipf");
- pcap_close(p);
- fprintf(stderr, "pcap parsing failed\n");
- return NULL;
- }
- pcap_close(p);
- fp->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
- fp->fr_data = bpf.bf_insns;
- if (!bpf_validate(fp->fr_data, bpf.bf_len)) {
- fprintf(stderr, "BPF validation failed\n");
- return NULL;
- }
- if (opts & OPT_DEBUG)
- bpf_dump(&bpf, 0);
- }
- cpp = cp;
- (*cpp)++;
-#endif
- } else {
- fp->fr_type = FR_T_IPF;
-
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
- linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after from\n",
- linenum);
- return NULL;
- }
- if (**cpp == '!') {
- fp->fr_flags |= FR_NOTSRCIP;
- (*cpp)++;
- } else if (!strcmp(*cpp, "!")) {
- fp->fr_flags |= FR_NOTSRCIP;
- cpp++;
- }
-
- s = *cpp;
- i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_src,
- (u_32_t *)&fp->fr_smsk, linenum);
- if (i == -1)
- return NULL;
- if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname))
- fp->fr_satype = FRI_DYNAMIC;
- if (i == 1) {
- if (fp->fr_v == 6) {
- fprintf(stderr,
- "can only use pools with ipv4\n");
- return NULL;
- }
- fp->fr_satype = FRI_LOOKUP;
- }
-
- if (ports(&cpp, proto, &fp->fr_sport, &fp->fr_scmp,
- &fp->fr_stop, linenum))
- return NULL;
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing to fields\n", linenum);
- return NULL;
- }
-
- /*
- * do the same for the to field (destination host)
- */
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- return NULL;
- }
-
- if (**cpp == '!') {
- fp->fr_flags |= FR_NOTDSTIP;
- (*cpp)++;
- } else if (!strcmp(*cpp, "!")) {
- fp->fr_flags |= FR_NOTDSTIP;
- cpp++;
- }
-
- s = *cpp;
- i = hostmask(&cpp, proto, fp->fr_ifname, (u_32_t *)&fp->fr_dst,
- (u_32_t *)&fp->fr_dmsk, linenum);
- if (i == -1)
- return NULL;
- if (*fp->fr_ifname && !strcasecmp(s, fp->fr_ifname))
- fp->fr_datype = FRI_DYNAMIC;
- if (i == 1) {
- if (fp->fr_v == 6) {
- fprintf(stderr,
- "can only use pools with ipv4\n");
- return NULL;
- }
- fp->fr_datype = FRI_LOOKUP;
- }
-
- if (ports(&cpp, proto, &fp->fr_dport, &fp->fr_dcmp,
- &fp->fr_dtop, linenum))
- return NULL;
- }
-
- if (fp->fr_type == FR_T_IPF) {
- /*
- * check some sanity, make sure we don't have icmp checks
- * with tcp or udp or visa versa.
- */
- if (fp->fr_proto && (fp->fr_dcmp || fp->fr_scmp) &&
- fp->fr_proto != IPPROTO_TCP &&
- fp->fr_proto != IPPROTO_UDP) {
- fprintf(stderr,
- "%d: port operation on non tcp/udp\n",linenum);
- return NULL;
- }
- if (fp->fr_icmp && fp->fr_proto != IPPROTO_ICMP) {
- fprintf(stderr,
- "%d: icmp comparisons on wrong protocol\n",
- linenum);
- return NULL;
- }
-
- if (!*cpp)
- return fp;
-
- if (*cpp && (fp->fr_type == FR_T_IPF) &&
- !strcasecmp(*cpp, "flags")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: no flags present\n",
- linenum);
- return NULL;
- }
- fp->fr_tcpf = tcp_flags(*cpp, &fp->fr_tcpfm, linenum);
- cpp++;
- }
-
- /*
- * extras...
- */
- if ((fp->fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
- !strcasecmp(*cpp, "and")))
- if (extras(&cpp, fp, linenum))
- return NULL;
-
- /*
- * icmp types for use with the icmp protocol
- */
- if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fp->fr_proto != IPPROTO_ICMP &&
- fp->fr_proto != IPPROTO_ICMPV6) {
- fprintf(stderr,
- "%d: icmp with wrong protocol (%d)\n",
- linenum, fp->fr_proto);
- return NULL;
- }
- if (addicmp(&cpp, fp, linenum))
- return NULL;
- fp->fr_icmp = htons(fp->fr_icmp);
- fp->fr_icmpm = htons(fp->fr_icmpm);
- }
- }
-
- /*
- * Keep something...
- */
- while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, fp, linenum))
- return NULL;
-
- /*
- * This is here to enforce the old interface binding behaviour.
- * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
- */
- if (fp->fr_flags & FR_KEEPSTATE) {
- if (*fp->fr_ifnames[0] && !*fp->fr_ifnames[3]) {
- bcopy(fp->fr_ifnames[0], fp->fr_ifnames[3],
- sizeof(fp->fr_ifnames[3]));
- strncpy(fp->fr_ifnames[2], "*",
- sizeof(fp->fr_ifnames[3]));
- }
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "head")) {
- if (fp->fr_arg != 0) {
- fprintf(stderr, "%d: cannot use skip with head\n",
- linenum);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: head without group #\n", linenum);
- return NULL;
- }
- if (strlen(*cpp) > FR_GROUPLEN) {
- fprintf(stderr, "%d: head name too long #\n", linenum);
- return NULL;
- }
- strncpy(fp->fr_grhead, *cpp, FR_GROUPLEN);
- cpp++;
- }
-
- /*
- * reference to an already existing group ?
- */
- if (*cpp && !strcasecmp(*cpp, "group")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: group without group #\n",
- linenum);
- return NULL;
- }
- if (strlen(*cpp) > FR_GROUPLEN) {
- fprintf(stderr, "%d: group name too long #\n", linenum);
- return NULL;
- }
- strncpy(fp->fr_group, *cpp, FR_GROUPLEN);
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "tag")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tag id missing value\n", linenum);
- return NULL;
- }
- fp->fr_tag = strtol(*cpp, NULL, 0);
- cpp++;
- }
-
- /*
- * pps counter
- */
- if (*cpp && !strcasecmp(*cpp, "pps")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: pps without rate\n", linenum);
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, INT_MAX))
- fp->fr_pps = k;
- else {
- fprintf(stderr, "%d: invalid pps rate (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- }
-
- /*
- * leftovers...yuck
- */
- if (*cpp && **cpp) {
- fprintf(stderr, "%d: unknown words at end: [", linenum);
- for (; *cpp; cpp++)
- fprintf(stderr, "%s ", *cpp);
- fprintf(stderr, "]\n");
- return NULL;
- }
-
- /*
- * lazy users...
- */
- if (fp->fr_type == FR_T_IPF) {
- if ((fp->fr_tcpf || fp->fr_tcpfm) &&
- (fp->fr_proto != IPPROTO_TCP)) {
- fprintf(stderr,
- "%d: TCP protocol not specified\n", linenum);
- return NULL;
- }
- if (!(fp->fr_flx & FI_TCPUDP) &&
- (fp->fr_proto != IPPROTO_TCP) &&
- (fp->fr_proto != IPPROTO_UDP) &&
- (fp->fr_dcmp || fp->fr_scmp)) {
- if (!fp->fr_proto) {
- fp->fr_flx |= FI_TCPUDP;
- fp->fr_mflx |= FI_TCPUDP;
- } else {
- fprintf(stderr,
- "%d: port check for non-TCP/UDP\n",
- linenum);
- return NULL;
- }
- }
- }
- if (*fp->fr_oifname && strcmp(fp->fr_oifname, "*") &&
- !(fp->fr_flags & FR_KEEPSTATE)) {
- fprintf(stderr, "%d: *-via <if> must be used %s\n",
- linenum, "with keep-state");
- return NULL;
- }
- return fp;
-}
diff --git a/contrib/ipfilter/lib/portname.c b/contrib/ipfilter/lib/portname.c
deleted file mode 100644
index d8bf1d9..0000000
--- a/contrib/ipfilter/lib/portname.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2000-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: portname.c,v 1.7.2.1 2006/06/16 17:21:09 darrenr Exp $
- */
-#include "ipf.h"
-
-
-char *portname(pr, port)
-int pr, port;
-{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
-
- if ((opts & OPT_NORESOLVE) == 0) {
- if (pr == -1) {
- if ((sv = getservbyport(htons(port), "tcp"))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(htons(port), "udp");
- sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
- NULL : sv1;
- }
- if (sv)
- return buf;
- } else if ((pr != -2) && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- return buf;
- }
- }
- }
-
- (void) sprintf(buf, "%d", port);
- return buf;
-}
diff --git a/contrib/ipfilter/lib/portnum.c b/contrib/ipfilter/lib/portnum.c
deleted file mode 100644
index 4079f46..0000000
--- a/contrib/ipfilter/lib/portnum.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- *
- * $Id: portnum.c,v 1.6.4.1 2004/12/09 19:41:22 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi(). Return 1 on success, 0 on failure
- */
-int portnum(name, proto, port, linenum)
-char *name, *proto;
-u_short *port;
-int linenum;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
- int i;
-
- if (ISDIGIT(*name)) {
- if (ratoi(name, &i, 0, USHRT_MAX)) {
- *port = (u_short)i;
- return 1;
- }
- fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
- return 0;
- }
- if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
- sp = getservbyname(name, proto);
- if (sp) {
- *port = ntohs(sp->s_port);
- return 1;
- }
- fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
- linenum, name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- fprintf(stderr, "%d: %s %d/tcp is a different port to ",
- linenum, name, p1);
- fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
- return 0;
- }
- *port = ntohs(p1);
- return 1;
-}
diff --git a/contrib/ipfilter/lib/ports.c b/contrib/ipfilter/lib/ports.c
deleted file mode 100644
index 9a44e2c..0000000
--- a/contrib/ipfilter/lib/ports.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ports.c,v 1.9.4.1 2004/12/09 19:41:22 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-
-/*
- * check for possible presence of the port fields in the line
- */
-int ports(seg, proto, pp, cp, tp, linenum)
-char ***seg;
-char *proto;
-u_short *pp;
-int *cp;
-u_short *tp;
-int linenum;
-{
- int comp = -1;
-
- if (!*seg || !**seg || !***seg)
- return 0;
- if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
- (*seg)++;
- if (ISALNUM(***seg) && *(*seg + 2)) {
- if (portnum(**seg, proto, pp, linenum) == 0)
- return -1;
- (*seg)++;
- if (!strcmp(**seg, "<>"))
- comp = FR_OUTRANGE;
- else if (!strcmp(**seg, "><"))
- comp = FR_INRANGE;
- else {
- fprintf(stderr,
- "%d: unknown range operator (%s)\n",
- linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (**seg == NULL) {
- fprintf(stderr, "%d: missing 2nd port value\n",
- linenum);
- return -1;
- }
- if (portnum(**seg, proto, tp, linenum) == 0)
- return -1;
- } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
- comp = FR_EQUAL;
- else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
- comp = FR_NEQUAL;
- else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
- comp = FR_LESST;
- else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
- comp = FR_GREATERT;
- else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
- comp = FR_LESSTE;
- else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
- comp = FR_GREATERTE;
- else {
- fprintf(stderr, "%d: unknown comparator (%s)\n",
- linenum, **seg);
- return -1;
- }
- if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
- (*seg)++;
- if (portnum(**seg, proto, pp, linenum) == 0)
- return -1;
- }
- *cp = comp;
- (*seg)++;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/print_toif.c b/contrib/ipfilter/lib/print_toif.c
deleted file mode 100644
index 696fcd3..0000000
--- a/contrib/ipfilter/lib/print_toif.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: print_toif.c,v 1.8.4.1 2006/06/16 17:21:09 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
-{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
-#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
-
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
-#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
-}
diff --git a/contrib/ipfilter/lib/printactivenat.c b/contrib/ipfilter/lib/printactivenat.c
deleted file mode 100644
index 99f3e58..0000000
--- a/contrib/ipfilter/lib/printactivenat.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-
-#include "ipf.h"
-
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.7 2006/12/12 16:13:00 darrenr Exp $";
-#endif
-
-
-void printactivenat(nat, opts, alive, now)
-nat_t *nat;
-int opts, alive;
-u_long now;
-{
-
- printf("%s", getnattype(nat, alive));
-
- if (nat->nat_flags & SI_CLONE)
- printf(" CLONE");
-
- printf(" %-15s", inet_ntoa(nat->nat_inip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_inport));
-
- printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_outport));
-
- printf(" [%s", inet_ntoa(nat->nat_oip));
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %hu", ntohs(nat->nat_oport));
- printf("]");
-
- if (opts & OPT_VERBOSE) {
- printf("\n\tttl %lu use %hu sumd %s/",
- nat->nat_age - now, nat->nat_use,
- getsumd(nat->nat_sumd[0]));
- printf("%s pr %u bkt %d/%d flags %x\n",
- getsumd(nat->nat_sumd[1]), nat->nat_p,
- nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags);
- printf("\tifp %s", getifname(nat->nat_ifps[0]));
- printf(",%s ", getifname(nat->nat_ifps[1]));
-#ifdef USE_QUAD_T
- printf("bytes %qu/%qu pkts %qu/%qu",
- (unsigned long long)nat->nat_bytes[0],
- (unsigned long long)nat->nat_bytes[1],
- (unsigned long long)nat->nat_pkts[0],
- (unsigned long long)nat->nat_pkts[1]);
-#else
- printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0],
- nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]);
-#endif
- printf(" ipsumd %x", nat->nat_ipsumd);
- }
-
- if (opts & OPT_DEBUG) {
- printf("\n\tnat_next %p _pnext %p _hm %p\n",
- nat->nat_next, nat->nat_pnext, nat->nat_hm);
- printf("\t_hnext %p/%p _phnext %p/%p\n",
- nat->nat_hnext[0], nat->nat_hnext[1],
- nat->nat_phnext[0], nat->nat_phnext[1]);
- printf("\t_data %p _me %p _state %p _aps %p\n",
- nat->nat_data, nat->nat_me, nat->nat_state, nat->nat_aps);
- printf("\tfr %p ptr %p ifps %p/%p sync %p\n",
- nat->nat_fr, nat->nat_ptr, nat->nat_ifps[0],
- nat->nat_ifps[1], nat->nat_sync);
- printf("\ttqe:pnext %p next %p ifq %p parent %p/%p\n",
- nat->nat_tqe.tqe_pnext, nat->nat_tqe.tqe_next,
- nat->nat_tqe.tqe_ifq, nat->nat_tqe.tqe_parent, nat);
- printf("\ttqe:die %ld touched %ld flags %x state %d/%d\n",
- nat->nat_tqe.tqe_die, nat->nat_tqe.tqe_touched,
- nat->nat_tqe.tqe_flags, nat->nat_tqe.tqe_state[0],
- nat->nat_tqe.tqe_state[1]);
- }
- putchar('\n');
-}
diff --git a/contrib/ipfilter/lib/printaps.c b/contrib/ipfilter/lib/printaps.c
deleted file mode 100644
index c0c36d4..0000000
--- a/contrib/ipfilter/lib/printaps.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-
-#include "ipf.h"
-#include "kmem.h"
-
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printaps.c,v 1.4.2.1 2006/06/16 17:21:10 darrenr Exp $";
-#endif
-
-
-void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
-{
- ipsec_pxy_t ipsec;
- ap_session_t ap;
- ftpinfo_t ftp;
- aproxy_t apr;
- raudio_t ra;
-
- if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
- return;
- if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
- return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
- apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
- (unsigned long long)ap.aps_pkts);
-#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
- printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
- ap.aps_state[0], ap.aps_state[1],
- ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
- }
-
- if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
- if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
- return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
- ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
- ra.rap_plport, ra.rap_prport, ra.rap_srport);
- } else if (!strcmp(apr.apr_label, "ftp") &&
- (ap.aps_psiz == sizeof(ftp))) {
- if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
- return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
- ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
- ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
- ftp.ftp_side[0].ftps_seq[0],
- ftp.ftp_side[0].ftps_seq[1],
- ftp.ftp_side[0].ftps_len, ftp.ftp_side[0].ftps_junk,
- ftp.ftp_side[0].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\tseq %x (ack %x) len %d junk %d cmds %d\n",
- ftp.ftp_side[1].ftps_seq[0],
- ftp.ftp_side[1].ftps_seq[1],
- ftp.ftp_side[1].ftps_len, ftp.ftp_side[1].ftps_junk,
- ftp.ftp_side[1].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
- } else if (!strcmp(apr.apr_label, "ipsec") &&
- (ap.aps_psiz == sizeof(ipsec))) {
- if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
- return;
- printf("\tIPSec Proxy:\n");
- printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
- (u_int)ntohl(ipsec.ipsc_icookie[0]),
- (u_int)ntohl(ipsec.ipsc_icookie[1]),
- (u_int)ntohl(ipsec.ipsc_rcookie[0]),
- (u_int)ntohl(ipsec.ipsc_rcookie[1]),
- ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
- }
-}
diff --git a/contrib/ipfilter/lib/printbuf.c b/contrib/ipfilter/lib/printbuf.c
deleted file mode 100644
index bc097e0..0000000
--- a/contrib/ipfilter/lib/printbuf.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2000-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printbuf.c,v 1.5.4.2 2006/06/16 17:21:10 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
-{
- char *s, c;
- int i;
-
- for (s = buf, i = len; i; i--) {
- c = *s++;
- if (ISPRINT(c))
- putchar(c);
- else
- printf("\\%03o", c);
- if ((c == '\0') && zend)
- break;
- }
-}
diff --git a/contrib/ipfilter/lib/printfr.c b/contrib/ipfilter/lib/printfr.c
deleted file mode 100644
index 0750694..0000000
--- a/contrib/ipfilter/lib/printfr.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/*
- * Copyright (C) 2000-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printfr.c,v 1.43.2.18 2007/05/07 06:55:38 darrenr Exp $
- */
-
-#include "ipf.h"
-
-static void printaddr(int, int, char *, u_32_t *, u_32_t *);
-
-static void printaddr(v, type, ifname, addr, mask)
-int v, type;
-char *ifname;
-u_32_t *addr, *mask;
-{
- char *suffix;
-
- switch (type)
- {
- case FRI_BROADCAST :
- suffix = "bcast";
- break;
-
- case FRI_DYNAMIC :
- printf("%s", ifname);
- printmask(mask);
- suffix = NULL;
- break;
-
- case FRI_NETWORK :
- suffix = "net";
- break;
-
- case FRI_NETMASKED :
- suffix = "netmasked";
- break;
-
- case FRI_PEERADDR :
- suffix = "peer";
- break;
-
- case FRI_LOOKUP :
- suffix = NULL;
- printlookup((i6addr_t *)addr, (i6addr_t *)mask);
- break;
-
- case FRI_NORMAL :
- printhostmask(v, addr, mask);
- suffix = NULL;
- break;
- default :
- printf("<%d>", type);
- printmask(mask);
- suffix = NULL;
- break;
- }
-
- if (suffix != NULL) {
- printf("%s/%s", ifname, suffix);
- }
-}
-
-
-void printlookup(addr, mask)
-i6addr_t *addr, *mask;
-{
- switch (addr->iplookuptype)
- {
- case IPLT_POOL :
- printf("pool/");
- break;
- case IPLT_HASH :
- printf("hash/");
- break;
- default :
- printf("lookup(%x)=", addr->iplookuptype);
- break;
- }
-
- printf("%u", addr->iplookupnum);
- if (mask->iplookupptr == NULL)
- printf("(!)");
-}
-
-
-/*
- * print the filter structure in a useful way
- */
-void printfr(fp, iocfunc)
-struct frentry *fp;
-ioctlfunc_t iocfunc;
-{
- struct protoent *p;
- u_short sec[2];
- u_32_t type;
- u_char *t;
- char *s;
- int pr;
-
- pr = -2;
- type = fp->fr_type & ~FR_T_BUILTIN;
-
- if ((fp->fr_type & FR_T_BUILTIN) != 0)
- printf("# Builtin: ");
-
- if (fp->fr_collect != 0)
- printf("%u ", fp->fr_collect);
-
- if (fp->fr_type == FR_T_CALLFUNC) {
- ;
- } else if (fp->fr_func != NULL) {
- printf("call");
- if ((fp->fr_flags & FR_CALLNOW) != 0)
- printf(" now");
- s = kvatoname(fp->fr_func, iocfunc);
- printf(" %s/%u", s ? s : "?", fp->fr_arg);
- } else if (FR_ISPASS(fp->fr_flags))
- printf("pass");
- else if (FR_ISBLOCK(fp->fr_flags)) {
- printf("block");
- } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- printlog(fp);
- } else if (FR_ISACCOUNT(fp->fr_flags))
- printf("count");
- else if (FR_ISAUTH(fp->fr_flags))
- printf("auth");
- else if (FR_ISPREAUTH(fp->fr_flags))
- printf("preauth");
- else if (FR_ISNOMATCH(fp->fr_flags))
- printf("nomatch");
- else if (FR_ISSKIP(fp->fr_flags))
- printf("skip %u", fp->fr_arg);
- else {
- printf("%x", fp->fr_flags);
- }
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
-
- if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
-
- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
- ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- printlog(fp);
- putchar(' ');
- }
-
- if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
- putchar(' ');
- }
-
- if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP))
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (*fp->fr_rif.fd_ifname)
- print_toif("reply-to", &fp->fr_rif);
- if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
-
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
- if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
- else
- printf("out-via ");
-
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
- fp->fr_ifas[2]);
- if (*fp->fr_ifnames[3]) {
- printifname(",", fp->fr_ifnames[3],
- fp->fr_ifas[3]);
- }
- putchar(' ');
- }
- }
-
- if (type == FR_T_IPF) {
- if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
- if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
- if (fp->fr_flx & FI_TCPUDP) {
- printf("proto tcp/udp ");
- pr = -1;
- } else if (fp->fr_mip.fi_p) {
- pr = fp->fr_ip.fi_p;
- p = getprotobynumber(pr);
- printf("proto ");
- printproto(p, pr, NULL);
- putchar(' ');
- }
- }
-
- if (type == FR_T_NONE) {
- printf("all");
- } else if (type == FR_T_IPF) {
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname,
- &fp->fr_src.s_addr, &fp->fr_smsk.s_addr);
- if (fp->fr_scmp)
- printportcmp(pr, &fp->fr_tuc.ftu_src);
-
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname,
- &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr);
- if (fp->fr_dcmp)
- printportcmp(pr, &fp->fr_tuc.ftu_dst);
-
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
- else
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if ((fp->fr_proto == IPPROTO_TCP) &&
- (fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s;
- s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
- }
- } else if (type == FR_T_BPFOPC) {
- fakebpf_t *fb;
- int i;
-
- printf("bpf-v%d { \"", fp->fr_v);
- i = fp->fr_dsize / sizeof(*fb);
-
- for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ")
- printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t,
- fb->fb_f, fb->fb_k);
-
- printf("\" }");
- } else if (type == FR_T_COMPIPF) {
- ;
- } else if (type == FR_T_CALLFUNC) {
- printf("call function at %p", fp->fr_data);
- } else {
- printf("[unknown filter type %#x]", fp->fr_type);
- }
-
- if ((type == FR_T_IPF) &&
- ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) ||
- fp->fr_optbits || fp->fr_optmask ||
- fp->fr_secbits || fp->fr_secmask)) {
- char *comma = " ";
-
- printf(" with");
- if (fp->fr_optbits || fp->fr_optmask ||
- fp->fr_secbits || fp->fr_secmask) {
- sec[0] = fp->fr_secmask;
- sec[1] = fp->fr_secbits;
- if (fp->fr_v == 4)
- optprint(sec, fp->fr_optmask, fp->fr_optbits);
-#ifdef USE_INET6
- else
- optprintv6(sec, fp->fr_optmask,
- fp->fr_optbits);
-#endif
- } else if (fp->fr_mflx & FI_OPTIONS) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_OPTIONS))
- printf("not ");
- printf("ipopts");
- comma = ",";
- }
- if (fp->fr_mflx & FI_SHORT) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_SHORT))
- printf("not ");
- printf("short");
- comma = ",";
- }
- if (fp->fr_mflx & FI_FRAG) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_FRAG))
- printf("not ");
- printf("frag");
- comma = ",";
- }
- if (fp->fr_mflx & FI_FRAGBODY) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_FRAGBODY))
- printf("not ");
- printf("frag-body");
- comma = ",";
- }
- if (fp->fr_mflx & FI_NATED) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_NATED))
- printf("not ");
- printf("nat");
- comma = ",";
- }
- if (fp->fr_mflx & FI_LOWTTL) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_LOWTTL))
- printf("not ");
- printf("lowttl");
- comma = ",";
- }
- if (fp->fr_mflx & FI_BAD) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_BAD))
- printf("not ");
- printf("bad");
- comma = ",";
- }
- if (fp->fr_mflx & FI_BADSRC) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_BADSRC))
- printf("not ");
- printf("bad-src");
- comma = ",";
- }
- if (fp->fr_mflx & FI_BADNAT) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_BADNAT))
- printf("not ");
- printf("bad-nat");
- comma = ",";
- }
- if (fp->fr_mflx & FI_OOW) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_OOW))
- printf("not ");
- printf("oow");
- comma = ",";
- }
- if (fp->fr_mflx & FI_MBCAST) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_MBCAST))
- printf("not ");
- printf("mbcast");
- comma = ",";
- }
- if (fp->fr_mflx & FI_BROADCAST) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_BROADCAST))
- printf("not ");
- printf("bcast");
- comma = ",";
- }
- if (fp->fr_mflx & FI_MULTICAST) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_MULTICAST))
- printf("not ");
- printf("mcast");
- comma = ",";
- }
- if (fp->fr_mflx & FI_STATE) {
- fputs(comma, stdout);
- if (!(fp->fr_flx & FI_STATE))
- printf("not ");
- printf("state");
- comma = ",";
- }
- }
-
- if (fp->fr_flags & FR_KEEPSTATE) {
- printf(" keep state");
- if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) ||
- (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) {
- char *comma = "";
- printf(" (");
- if (fp->fr_statemax != 0) {
- printf("limit %u", fp->fr_statemax);
- comma = ",";
- }
- if (fp->fr_flags & FR_STSTRICT) {
- printf("%sstrict", comma);
- comma = ",";
- }
- if (fp->fr_flags & FR_NEWISN) {
- printf("%snewisn", comma);
- comma = ",";
- }
- if (fp->fr_flags & FR_NOICMPERR) {
- printf("%sno-icmp-err", comma);
- comma = ",";
- }
- if (fp->fr_flags & FR_STATESYNC) {
- printf("%ssync", comma);
- comma = ",";
- }
- if (fp->fr_age[0] || fp->fr_age[1])
- printf("%sage %d/%d", comma, fp->fr_age[0],
- fp->fr_age[1]);
- printf(")");
- }
- }
- if (fp->fr_flags & FR_KEEPFRAG) {
- printf(" keep frags");
- if (fp->fr_flags & (FR_FRSTRICT)) {
- printf(" (");
- if (fp->fr_flags & FR_FRSTRICT)
- printf("strict");
- printf(")");
-
- }
- }
- if (fp->fr_isc != (struct ipscan *)-1) {
- if (fp->fr_isctag[0])
- printf(" scan %s", fp->fr_isctag);
- else
- printf(" scan *");
- }
- if (*fp->fr_grhead != '\0')
- printf(" head %s", fp->fr_grhead);
- if (*fp->fr_group != '\0')
- printf(" group %s", fp->fr_group);
- if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) {
- char *s = "";
-
- printf(" set-tag(");
- if (fp->fr_logtag != FR_NOLOGTAG) {
- printf("log=%u", fp->fr_logtag);
- s = ", ";
- }
- if (*fp->fr_nattag.ipt_tag) {
- printf("%snat=%-.*s", s, IPFTAG_LEN,
- fp->fr_nattag.ipt_tag);
- }
- printf(")");
- }
-
- if (fp->fr_pps)
- printf(" pps %d", fp->fr_pps);
-
- if ((fp->fr_flags & FR_KEEPSTATE) && (opts & OPT_VERBOSE)) {
- printf(" # count %d", fp->fr_statecnt);
- }
- (void)putchar('\n');
-}
diff --git a/contrib/ipfilter/lib/printfraginfo.c b/contrib/ipfilter/lib/printfraginfo.c
deleted file mode 100644
index 012df06..0000000
--- a/contrib/ipfilter/lib/printfraginfo.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printfraginfo.c,v 1.1.2.5 2006/12/25 15:10:37 darrenr Exp $
- */
-#include "ipf.h"
-#include "kmem.h"
-
-void printfraginfo(prefix, ifr)
-char *prefix;
-struct ipfr *ifr;
-{
- frentry_t fr;
-
- fr.fr_flags = 0xffffffff;
-
- printf("%s%s -> ", prefix, hostname(4, &ifr->ipfr_src));
-/*
- if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule,
- sizeof(fr)) == -1)
- return;
-*/
- printf("%s id %d ttl %ld pr %d seen0 %d ref %d tos %#02x\n",
- hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_ttl,
- ifr->ipfr_p, ifr->ipfr_seen0, ifr->ipfr_ref, ifr->ipfr_tos);
-}
diff --git a/contrib/ipfilter/lib/printhash.c b/contrib/ipfilter/lib/printhash.c
deleted file mode 100644
index 8e7948b..0000000
--- a/contrib/ipfilter/lib/printhash.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-
-iphtable_t *printhash(hp, copyfunc, name, opts)
-iphtable_t *hp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
-{
- iphtent_t *ipep, **table;
- iphtable_t iph;
- int printed;
- size_t sz;
-
- if ((*copyfunc)((char *)hp, (char *)&iph, sizeof(iph)))
- return NULL;
-
- if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN))
- return iph.iph_next;
-
- printhashdata(hp, opts);
-
- if ((hp->iph_flags & IPHASH_DELETE) != 0)
- PRINTF("# ");
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF("\t{");
-
- sz = iph.iph_size * sizeof(*table);
- table = malloc(sz);
- if ((*copyfunc)((char *)iph.iph_table, (char *)table, sz))
- return NULL;
-
- for (printed = 0, ipep = iph.iph_list; ipep != NULL; ) {
- ipep = printhashnode(&iph, ipep, copyfunc, opts);
- printed++;
- }
- if (printed == 0)
- putchar(';');
-
- free(table);
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF(" };\n");
-
- return iph.iph_next;
-}
diff --git a/contrib/ipfilter/lib/printhash_live.c b/contrib/ipfilter/lib/printhash_live.c
deleted file mode 100644
index 1afe632..0000000
--- a/contrib/ipfilter/lib/printhash_live.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-
-iphtable_t *printhash_live(hp, fd, name, opts)
-iphtable_t *hp;
-int fd;
-char *name;
-int opts;
-{
- iphtent_t entry, *top, *node;
- ipflookupiter_t iter;
- int printed, last;
- ipfobj_t obj;
-
- if ((name != NULL) && strncmp(name, hp->iph_name, FR_GROUPLEN))
- return hp->iph_next;
-
- printhashdata(hp, opts);
-
- if ((hp->iph_flags & IPHASH_DELETE) != 0)
- PRINTF("# ");
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF("\t{");
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_ptr = &iter;
- obj.ipfo_size = sizeof(iter);
-
- iter.ili_data = &entry;
- iter.ili_type = IPLT_HASH;
- iter.ili_otype = IPFLOOKUPITER_NODE;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_unit = hp->iph_unit;
- strncpy(iter.ili_name, hp->iph_name, FR_GROUPLEN);
-
- last = 0;
- top = NULL;
- printed = 0;
-
- while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
- if (entry.ipe_next == NULL)
- last = 1;
- entry.ipe_next = top;
- top = malloc(sizeof(*top));
- if (top == NULL)
- break;
- bcopy(&entry, top, sizeof(entry));
- }
-
- while (top != NULL) {
- node = top;
- (void) printhashnode(hp, node, bcopywrap, opts);
- top = node->ipe_next;
- free(node);
- printed++;
- }
-
- if (printed == 0)
- putchar(';');
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF(" };\n");
- return hp->iph_next;
-}
diff --git a/contrib/ipfilter/lib/printhashdata.c b/contrib/ipfilter/lib/printhashdata.c
deleted file mode 100644
index d278c36..0000000
--- a/contrib/ipfilter/lib/printhashdata.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-
-void printhashdata(hp, opts)
-iphtable_t *hp;
-int opts;
-{
-
- if ((opts & OPT_DEBUG) == 0) {
- if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
- PRINTF("# 'anonymous' table\n");
- if ((hp->iph_flags & IPHASH_DELETE) == IPHASH_DELETE)
- PRINTF("# ");
- switch (hp->iph_type & ~IPHASH_ANON)
- {
- case IPHASH_LOOKUP :
- PRINTF("table");
- break;
- case IPHASH_GROUPMAP :
- PRINTF("group-map");
- if (hp->iph_flags & FR_INQUE)
- PRINTF(" in");
- else if (hp->iph_flags & FR_OUTQUE)
- PRINTF(" out");
- else
- PRINTF(" ???");
- break;
- default :
- PRINTF("%#x", hp->iph_type);
- break;
- }
- PRINTF(" role = ");
- } else {
- PRINTF("Hash Table %s: %s",
- isdigit(*hp->iph_name) ? "Number" : "Name",
- hp->iph_name);
- if ((hp->iph_type & IPHASH_ANON) == IPHASH_ANON)
- PRINTF("(anon)");
- putchar(' ');
- PRINTF("Role: ");
- }
-
- switch (hp->iph_unit)
- {
- case IPL_LOGNAT :
- PRINTF("nat");
- break;
- case IPL_LOGIPF :
- PRINTF("ipf");
- break;
- case IPL_LOGAUTH :
- PRINTF("auth");
- break;
- case IPL_LOGCOUNT :
- PRINTF("count");
- break;
- default :
- PRINTF("#%d", hp->iph_unit);
- break;
- }
-
- if ((opts & OPT_DEBUG) == 0) {
- if ((hp->iph_type & ~IPHASH_ANON) == IPHASH_LOOKUP)
- PRINTF(" type = hash");
- PRINTF(" %s = %s size = %lu",
- isdigit(*hp->iph_name) ? "number" : "name",
- hp->iph_name, (u_long)hp->iph_size);
- if (hp->iph_seed != 0)
- PRINTF(" seed = %lu", hp->iph_seed);
- putchar('\n');
- } else {
- PRINTF(" Type: ");
- switch (hp->iph_type & ~IPHASH_ANON)
- {
- case IPHASH_LOOKUP :
- PRINTF("lookup");
- break;
- case IPHASH_GROUPMAP :
- PRINTF("groupmap Group. %s", hp->iph_name);
- break;
- default :
- break;
- }
-
- putchar('\n');
- PRINTF("\t\tSize: %lu\tSeed: %lu",
- (u_long)hp->iph_size, hp->iph_seed);
- PRINTF("\tRef. Count: %d\tMasks: %#x\n", hp->iph_ref,
- hp->iph_masks);
- }
-
- if ((opts & OPT_DEBUG) != 0) {
- struct in_addr m;
- int i;
-
- for (i = 0; i < 32; i++) {
- if ((1 << i) & hp->iph_masks) {
- ntomask(4, i, &m.s_addr);
- PRINTF("\t\tMask: %s\n", inet_ntoa(m));
- }
- }
- }
-}
diff --git a/contrib/ipfilter/lib/printhashnode.c b/contrib/ipfilter/lib/printhashnode.c
deleted file mode 100644
index 9b51af9..0000000
--- a/contrib/ipfilter/lib/printhashnode.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-iphtent_t *printhashnode(iph, ipep, copyfunc, opts)
-iphtable_t *iph;
-iphtent_t *ipep;
-copyfunc_t copyfunc;
-int opts;
-{
- iphtent_t ipe;
-
- if ((*copyfunc)(ipep, &ipe, sizeof(ipe)))
- return NULL;
-
- ipe.ipe_addr.in4_addr = htonl(ipe.ipe_addr.in4_addr);
- ipe.ipe_mask.in4_addr = htonl(ipe.ipe_mask.in4_addr);
-
- if ((opts & OPT_DEBUG) != 0) {
- PRINTF("\tAddress: %s",
- inet_ntoa(ipe.ipe_addr.in4));
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
- PRINTF("\tRef. Count: %d\tGroup: %s\n", ipe.ipe_ref,
- ipe.ipe_group);
- } else {
- putchar(' ');
- printip((u_32_t *)&ipe.ipe_addr.in4_addr);
- printmask((u_32_t *)&ipe.ipe_mask.in4_addr);
- if (ipe.ipe_value != 0) {
- switch (iph->iph_type & ~IPHASH_ANON)
- {
- case IPHASH_GROUPMAP :
- if (strncmp(ipe.ipe_group, iph->iph_name,
- FR_GROUPLEN))
- PRINTF(", group = %s", ipe.ipe_group);
- break;
- }
- }
- putchar(';');
- }
-
- ipep = ipe.ipe_next;
- return ipep;
-}
diff --git a/contrib/ipfilter/lib/printhostmap.c b/contrib/ipfilter/lib/printhostmap.c
deleted file mode 100644
index 92996ed..0000000
--- a/contrib/ipfilter/lib/printhostmap.c
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printhostmap.c,v 1.3.2.3 2006/09/30 21:42:07 darrenr Exp $
- */
-
-#include "ipf.h"
-
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
-{
-
- printf("%s,", inet_ntoa(hmp->hm_srcip));
- printf("%s -> ", inet_ntoa(hmp->hm_dstip));
- printf("%s ", inet_ntoa(hmp->hm_mapip));
- printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
-}
diff --git a/contrib/ipfilter/lib/printhostmask.c b/contrib/ipfilter/lib/printhostmask.c
deleted file mode 100644
index 105fb20..0000000
--- a/contrib/ipfilter/lib/printhostmask.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printhostmask.c,v 1.8.4.1 2006/06/16 17:21:12 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
-{
-#ifdef USE_INET6
- char ipbuf[64];
-#else
- struct in_addr ipa;
-#endif
-
- if (!*addr && !*mask)
- printf("any");
- else {
-#ifdef USE_INET6
- void *ptr = addr;
- int af;
-
- if (v == 4) {
- ptr = addr;
- af = AF_INET;
- } else if (v == 6) {
- ptr = addr;
- af = AF_INET6;
- } else
- af = 0;
- printf("%s", inet_ntop(af, ptr, ipbuf, sizeof(ipbuf)));
-#else
- ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
-#endif
- printmask(mask);
- }
-}
diff --git a/contrib/ipfilter/lib/printifname.c b/contrib/ipfilter/lib/printifname.c
deleted file mode 100644
index 1bfe27d..0000000
--- a/contrib/ipfilter/lib/printifname.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printifname.c,v 1.2.4.1 2006/06/16 17:21:12 darrenr Exp $
- */
-
-#include "ipf.h"
-
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
-{
- printf("%s%s", format, name);
- if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
-}
diff --git a/contrib/ipfilter/lib/printip.c b/contrib/ipfilter/lib/printip.c
deleted file mode 100644
index fb91208..0000000
--- a/contrib/ipfilter/lib/printip.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printip.c,v 1.3.4.1 2006/06/16 17:21:12 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void printip(addr)
-u_32_t *addr;
-{
- struct in_addr ipa;
-
- ipa.s_addr = *addr;
- if (ntohl(ipa.s_addr) < 256)
- printf("%lu", (u_long)ntohl(ipa.s_addr));
- else
- printf("%s", inet_ntoa(ipa));
-}
diff --git a/contrib/ipfilter/lib/printlog.c b/contrib/ipfilter/lib/printlog.c
deleted file mode 100644
index 192c671..0000000
--- a/contrib/ipfilter/lib/printlog.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printlog.c,v 1.6.4.3 2006/06/16 17:21:12 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#include <syslog.h>
-
-
-void printlog(fp)
-frentry_t *fp;
-{
- char *s, *u;
-
- printf("log");
- if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
- if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
- if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
- if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
- s = fac_toname(fp->fr_loglevel);
- if (s == NULL || *s == '\0')
- s = "!!!";
- u = pri_toname(fp->fr_loglevel);
- if (u == NULL || *u == '\0')
- u = "!!!";
- printf("%s.%s", s, u);
- }
-}
diff --git a/contrib/ipfilter/lib/printmask.c b/contrib/ipfilter/lib/printmask.c
deleted file mode 100644
index 27b3e6c..0000000
--- a/contrib/ipfilter/lib/printmask.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printmask.c,v 1.5.4.1 2006/06/16 17:21:13 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void printmask(mask)
-u_32_t *mask;
-{
- struct in_addr ipa;
- int ones;
-
-#ifdef USE_INET6
- if (use_inet6)
- printf("/%d", count6bits(mask));
- else
-#endif
- if ((ones = count4bits(*mask)) == -1) {
- ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
-}
diff --git a/contrib/ipfilter/lib/printnat.c b/contrib/ipfilter/lib/printnat.c
deleted file mode 100644
index 37666a2..0000000
--- a/contrib/ipfilter/lib/printnat.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-
-#include "ipf.h"
-#include "kmem.h"
-
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.14 2007/09/06 16:40:11 darrenr Exp $";
-#endif
-
-/*
- * Print out a NAT rule
- */
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
-{
- struct protoent *pr;
- int bits;
-
- pr = getprotobynumber(np->in_p);
-
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr");
- break;
- case NAT_MAP :
- printf("map");
- break;
- case NAT_MAPBLK :
- printf("map-block");
- break;
- case NAT_BIMAP :
- printf("bimap");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
- }
-
- if (!strcmp(np->in_ifnames[0], "-"))
- printf(" \"%s\"", np->in_ifnames[0]);
- else
- printf(" %s", np->in_ifnames[0]);
- if ((np->in_ifnames[1][0] != '\0') &&
- (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) {
- if (!strcmp(np->in_ifnames[1], "-"))
- printf(",\"%s\"", np->in_ifnames[1]);
- else
- printf(",%s", np->in_ifnames[1]);
- }
- putchar(' ');
-
- if (np->in_flags & IPN_FILTER) {
- if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- }
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
-
- if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- }
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- }
-
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("/%d", bits);
- else
- printf("/%s", inet_ntoa(np->in_out[1].in4));
- if (np->in_flags & IPN_TCPUDP) {
- printf(" port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("-%d", ntohs(np->in_pmax));
- }
- }
- printf(" -> %s", inet_ntoa(np->in_in[0].in4));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1].in4));
- else if (np->in_inmsk == 0 && np->in_inip == 0)
- printf("/0");
- if (np->in_flags & IPN_TCPUDP) {
- if ((np->in_flags & IPN_FIXEDDPORT) != 0)
- printf(" port = %d", ntohs(np->in_pnext));
- else
- printf(" port %d", ntohs(np->in_pnext));
- }
- putchar(' ');
- printproto(pr, np->in_p, np);
- if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- }
- if (np->in_flags & IPN_STICKY)
- printf(" sticky");
- if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
- if (*np->in_plabel != '\0')
- printf(" proxy %.*s", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);
- printf("\n");
- if (opts & OPT_DEBUG)
- printf("\tpmax %u\n", np->in_pmax);
- } else {
- int protoprinted = 0;
-
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0].in4));
- bits = count4bits(np->in_inmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1].in4));
- }
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0].in4));
- printf("%s", inet_ntoa(np->in_out[1].in4));
- } else {
- printf("%s/", inet_ntoa(np->in_out[0].in4));
- bits = count4bits(np->in_outmsk);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1].in4));
- }
- if (*np->in_plabel != '\0') {
- printf(" proxy port ");
- if (np->in_dcmp != 0)
- np->in_dport = htons(np->in_dport);
- if (np->in_dport != 0) {
- char *s;
-
- s = portname(np->in_p, ntohs(np->in_dport));
- if (s != NULL)
- fputs(s, stdout);
- else
- fputs("???", stdout);
- }
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- printproto(pr, np->in_p, NULL);
- protoprinted = 1;
- } else if (np->in_redir == NAT_MAPBLK) {
- if ((np->in_pmin == 0) &&
- (np->in_flags & IPN_AUTOPORTMAP))
- printf(" ports auto");
- else
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_DEBUG)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
- if (np->in_flags & IPN_ICMPQUERY) {
- printf(" icmpidmap ");
- } else {
- printf(" portmap ");
- }
- printproto(pr, np->in_p, np);
- protoprinted = 1;
- if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
- if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
- np->in_ippip, np->in_ppip);
- } else {
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- }
-
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0] != 0 || np->in_age[1] != 0) {
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- }
- if (np->in_mssclamp != 0)
- printf(" mssclamp %d", np->in_mssclamp);
- if (np->in_tag.ipt_tag[0] != '\0')
- printf(" tag %s", np->in_tag.ipt_tag);
- if (!protoprinted && (np->in_flags & IPN_TCPUDP || np->in_p)) {
- putchar(' ');
- printproto(pr, np->in_p, np);
- }
- printf("\n");
- if (opts & OPT_DEBUG) {
- struct in_addr nip;
-
- nip.s_addr = htonl(np->in_nextip.s_addr);
-
- printf("\tnextip %s pnext %d\n",
- inet_ntoa(nip), np->in_pnext);
- }
- }
-
- if (opts & OPT_DEBUG) {
- printf("\tspace %lu use %u hits %lu flags %#x proto %d hv %d\n",
- np->in_space, np->in_use, np->in_hits,
- np->in_flags, np->in_p, np->in_hv);
- printf("\tifp[0] %p ifp[1] %p apr %p\n",
- np->in_ifps[0], np->in_ifps[1], np->in_apr);
- printf("\ttqehead %p/%p comment %p\n",
- np->in_tqehead[0], np->in_tqehead[1], np->in_comment);
- }
-}
diff --git a/contrib/ipfilter/lib/printpacket.c b/contrib/ipfilter/lib/printpacket.c
deleted file mode 100644
index 6ee3679..0000000
--- a/contrib/ipfilter/lib/printpacket.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2000-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printpacket.c,v 1.12.4.5 2007/09/09 22:15:30 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#ifndef IP_OFFMASK
-# define IP_OFFMASK 0x3fff
-#endif
-
-
-void printpacket(ip)
-struct ip *ip;
-{
- struct tcphdr *tcp;
- u_short len;
- u_short off;
-
- if (IP_V(ip) == 6) {
- off = 0;
- len = ntohs(((u_short *)ip)[2]) + 40;
- } else {
- off = ntohs(ip->ip_off);
- len = ntohs(ip->ip_len);
- }
-
- if ((opts & OPT_HEX) == OPT_HEX) {
- u_char *s;
- int i;
-
- for (s = (u_char *)ip, i = 0; i < len; i++) {
- printf("%02x", *s++ & 0xff);
- if (len - i > 1) {
- i++;
- printf("%02x", *s++ & 0xff);
- }
- putchar(' ');
- }
- putchar('\n');
- putchar('\n');
- return;
- }
-
- if (IP_V(ip) == 6) {
- printpacket6(ip);
- return;
- }
-
- tcp = (struct tcphdr *)((char *)ip + (IP_HL(ip) << 2));
- printf("ip #%d %d(%d) %d", ntohs(ip->ip_id), ntohs(ip->ip_len),
- IP_HL(ip) << 2, ip->ip_p);
- if (off & IP_OFFMASK)
- printf(" @%d", (off & IP_OFFMASK) << 3);
- printf(" %s", inet_ntoa(ip->ip_src));
- if (!(off & IP_OFFMASK))
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_sport));
- printf(" > ");
- printf("%s", inet_ntoa(ip->ip_dst));
- if (!(off & IP_OFFMASK)) {
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", ntohs(tcp->th_dport));
- if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags != 0)) {
- putchar(' ');
- if (tcp->th_flags & TH_FIN)
- putchar('F');
- if (tcp->th_flags & TH_SYN)
- putchar('S');
- if (tcp->th_flags & TH_RST)
- putchar('R');
- if (tcp->th_flags & TH_PUSH)
- putchar('P');
- if (tcp->th_flags & TH_ACK)
- putchar('A');
- if (tcp->th_flags & TH_URG)
- putchar('U');
- if (tcp->th_flags & TH_ECN)
- putchar('E');
- if (tcp->th_flags & TH_CWR)
- putchar('C');
- }
- }
-
- putchar('\n');
-}
diff --git a/contrib/ipfilter/lib/printpacket6.c b/contrib/ipfilter/lib/printpacket6.c
deleted file mode 100644
index 16c807d..0000000
--- a/contrib/ipfilter/lib/printpacket6.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printpacket6.c,v 1.3.4.1 2006/06/16 17:21:13 darrenr Exp $
- */
-
-#include "ipf.h"
-
-/*
- * This is meant to work without the IPv6 header files being present or
- * the inet_ntop() library.
- */
-void printpacket6(ip)
-struct ip *ip;
-{
- u_char *buf, p;
- u_short plen, *addrs;
- tcphdr_t *tcp;
- u_32_t flow;
-
- buf = (u_char *)ip;
- tcp = (tcphdr_t *)(buf + 40);
- p = buf[6];
- flow = ntohl(*(u_32_t *)buf);
- flow &= 0xfffff;
- plen = ntohs(*((u_short *)buf +2));
- addrs = (u_short *)buf + 4;
-
- printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- printf(" >");
- addrs += 8;
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- putchar('\n');
-}
diff --git a/contrib/ipfilter/lib/printpool.c b/contrib/ipfilter/lib/printpool.c
deleted file mode 100644
index cfb1e78..0000000
--- a/contrib/ipfilter/lib/printpool.c
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ip_pool_t *printpool(pp, copyfunc, name, opts)
-ip_pool_t *pp;
-copyfunc_t copyfunc;
-char *name;
-int opts;
-{
- ip_pool_node_t *ipnp, *ipnpn, ipn;
- ip_pool_t ipp;
-
- if ((*copyfunc)(pp, &ipp, sizeof(ipp)))
- return NULL;
-
- if ((name != NULL) && strncmp(name, ipp.ipo_name, FR_GROUPLEN))
- return ipp.ipo_next;
-
- printpooldata(&ipp, opts);
-
- if ((ipp.ipo_flags & IPOOL_DELETE) != 0)
- PRINTF("# ");
- if ((opts & OPT_DEBUG) == 0)
- PRINTF("\t{");
-
- ipnpn = ipp.ipo_list;
- ipp.ipo_list = NULL;
- while (ipnpn != NULL) {
- ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp));
- (*copyfunc)(ipnpn, ipnp, sizeof(ipn));
- ipnpn = ipnp->ipn_next;
- ipnp->ipn_next = ipp.ipo_list;
- ipp.ipo_list = ipnp;
- }
-
- if (ipp.ipo_list == NULL) {
- putchar(';');
- } else {
- for (ipnp = ipp.ipo_list; ipnp != NULL; ) {
- ipnp = printpoolnode(ipnp, opts);
-
- if ((opts & OPT_DEBUG) == 0) {
- putchar(';');
- }
- }
- }
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF(" };\n");
-
- return ipp.ipo_next;
-}
diff --git a/contrib/ipfilter/lib/printpool_live.c b/contrib/ipfilter/lib/printpool_live.c
deleted file mode 100644
index e228a39..0000000
--- a/contrib/ipfilter/lib/printpool_live.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-
-ip_pool_t *printpool_live(pool, fd, name, opts)
-ip_pool_t *pool;
-int fd;
-char *name;
-int opts;
-{
- ip_pool_node_t entry, *top, *node;
- ipflookupiter_t iter;
- int printed, last;
- ipfobj_t obj;
-
- if ((name != NULL) && strncmp(name, pool->ipo_name, FR_GROUPLEN))
- return pool->ipo_next;
-
- printpooldata(pool, opts);
-
- if ((pool->ipo_flags & IPOOL_DELETE) != 0)
- PRINTF("# ");
- if ((opts & OPT_DEBUG) == 0)
- PRINTF("\t{");
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_ptr = &iter;
- obj.ipfo_size = sizeof(iter);
-
- iter.ili_data = &entry;
- iter.ili_type = IPLT_POOL;
- iter.ili_otype = IPFLOOKUPITER_NODE;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_unit = pool->ipo_unit;
- strncpy(iter.ili_name, pool->ipo_name, FR_GROUPLEN);
-
- last = 0;
- top = NULL;
- printed = 0;
-
- while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
- if (entry.ipn_next == NULL)
- last = 1;
- node = malloc(sizeof(*top));
- if (node == NULL)
- break;
- bcopy(&entry, node, sizeof(entry));
- node->ipn_next = top;
- top = node;
- }
-
- while (top != NULL) {
- node = top;
- (void) printpoolnode(node, opts);
- if ((opts & OPT_DEBUG) == 0)
- putchar(';');
- top = node->ipn_next;
- free(node);
- printed++;
- }
-
- if (printed == 0)
- putchar(';');
-
- if ((opts & OPT_DEBUG) == 0)
- PRINTF(" };\n");
-
- if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0)
- perror("SIOCIPFDELTOK");
-
- return pool->ipo_next;
-}
diff --git a/contrib/ipfilter/lib/printpooldata.c b/contrib/ipfilter/lib/printpooldata.c
deleted file mode 100644
index 8d8e962..0000000
--- a/contrib/ipfilter/lib/printpooldata.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-void printpooldata(pool, opts)
-ip_pool_t *pool;
-int opts;
-{
-
- if ((opts & OPT_DEBUG) == 0) {
- if ((pool->ipo_flags & IPOOL_ANON) != 0)
- PRINTF("# 'anonymous' tree %s\n", pool->ipo_name);
- if ((pool->ipo_flags & IPOOL_DELETE) != 0)
- PRINTF("# ");
- PRINTF("table role = ");
- } else {
- if ((pool->ipo_flags & IPOOL_DELETE) != 0)
- PRINTF("# ");
- PRINTF("%s: %s",
- isdigit(*pool->ipo_name) ? "Number" : "Name",
- pool->ipo_name);
- if ((pool->ipo_flags & IPOOL_ANON) == IPOOL_ANON)
- PRINTF("(anon)");
- putchar(' ');
- PRINTF("Role: ");
- }
-
- switch (pool->ipo_unit)
- {
- case IPL_LOGIPF :
- printf("ipf");
- break;
- case IPL_LOGNAT :
- printf("nat");
- break;
- case IPL_LOGSTATE :
- printf("state");
- break;
- case IPL_LOGAUTH :
- printf("auth");
- break;
- case IPL_LOGSYNC :
- printf("sync");
- break;
- case IPL_LOGSCAN :
- printf("scan");
- break;
- case IPL_LOGLOOKUP :
- printf("lookup");
- break;
- case IPL_LOGCOUNT :
- printf("count");
- break;
- default :
- printf("unknown(%d)", pool->ipo_unit);
- }
-
- if ((opts & OPT_DEBUG) == 0) {
- PRINTF(" type = tree %s = %s\n",
- isdigit(*pool->ipo_name) ? "number" : "name",
- pool->ipo_name);
- } else {
- putchar(' ');
-
- PRINTF("\tReferences: %d\tHits: %lu\n", pool->ipo_ref,
- pool->ipo_hits);
- if ((pool->ipo_flags & IPOOL_DELETE) != 0)
- PRINTF("# ");
- PRINTF("\tNodes Starting at %p\n", pool->ipo_list);
- }
-}
diff --git a/contrib/ipfilter/lib/printpoolnode.c b/contrib/ipfilter/lib/printpoolnode.c
deleted file mode 100644
index a53ee33..0000000
--- a/contrib/ipfilter/lib/printpoolnode.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ip_pool_node_t *printpoolnode(np, opts)
-ip_pool_node_t *np;
-int opts;
-{
-
- if ((opts & OPT_DEBUG) == 0) {
- putchar(' ');
- if (np->ipn_info == 1)
- PRINTF("! ");
- printip((u_32_t *)&np->ipn_addr.adf_addr.in4);
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
- } else {
- PRINTF("\tAddress: %s%s", np->ipn_info ? "! " : "",
- inet_ntoa(np->ipn_addr.adf_addr.in4));
- printmask((u_32_t *)&np->ipn_mask.adf_addr);
- PRINTF("\t\tHits %lu\tName %s\tRef %d\n",
- np->ipn_hits, np->ipn_name, np->ipn_ref);
- }
- return np->ipn_next;
-}
diff --git a/contrib/ipfilter/lib/printportcmp.c b/contrib/ipfilter/lib/printportcmp.c
deleted file mode 100644
index a820387..0000000
--- a/contrib/ipfilter/lib/printportcmp.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2000-2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printportcmp.c,v 1.7.4.1 2006/06/16 17:21:14 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
-{
- static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
- "<>", "><", ":" };
-
- if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
- pcmp1[frp->frp_cmp], frp->frp_top);
- else if (frp->frp_cmp == FR_INCRANGE)
- printf(" port %d:%d", frp->frp_port, frp->frp_top);
- else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
- portname(pr, frp->frp_port));
-}
diff --git a/contrib/ipfilter/lib/printproto.c b/contrib/ipfilter/lib/printproto.c
deleted file mode 100644
index e65ec11..0000000
--- a/contrib/ipfilter/lib/printproto.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.2 2006/06/16 17:21:14 darrenr Exp $";
-#endif
-
-
-void printproto(pr, p, np)
-struct protoent *pr;
-int p;
-ipnat_t *np;
-{
- if (np != NULL) {
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf("tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf("tcp");
- else if (np->in_flags & IPN_UDP)
- printf("udp");
- else if (np->in_flags & IPN_ICMPQUERY)
- printf("icmp");
-#ifdef _AIX51
- /*
- * To make up for "ip = 252" and "hopopt = 0" in /etc/protocols
- */
- else if (np->in_p == 0)
- printf("ip");
-#endif
- else if (pr != NULL)
- printf("%s", pr->p_name);
- else
- printf("%d", np->in_p);
- } else {
-#ifdef _AIX51
- if (p == 0)
- printf("ip");
- else
-#endif
- if (pr != NULL)
- printf("%s", pr->p_name);
- else
- printf("%d", p);
- }
-}
diff --git a/contrib/ipfilter/lib/printsbuf.c b/contrib/ipfilter/lib/printsbuf.c
deleted file mode 100644
index 81f5e0b..0000000
--- a/contrib/ipfilter/lib/printsbuf.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printsbuf.c,v 1.2.4.2 2006/06/16 17:21:14 darrenr Exp $
- */
-
-#ifdef IPFILTER_SCAN
-
-#include <ctype.h>
-#include <stdio.h>
-#include "ipf.h"
-#include "netinet/ip_scan.h"
-
-void printsbuf(buf)
-char *buf;
-{
- u_char *s;
- int i;
-
- for (s = (u_char *)buf, i = ISC_TLEN; i; i--, s++) {
- if (ISPRINT(*s))
- putchar(*s);
- else
- printf("\\%o", *s);
- }
-}
-
-#endif
diff --git a/contrib/ipfilter/lib/printstate.c b/contrib/ipfilter/lib/printstate.c
deleted file mode 100644
index fcf42d6..0000000
--- a/contrib/ipfilter/lib/printstate.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/*
- * Copyright (C) 2002-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include "ipf.h"
-#include "kmem.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ipstate_t *printstate(sp, opts, now)
-ipstate_t *sp;
-int opts;
-u_long now;
-{
- synclist_t ipsync;
-
- if (sp->is_phnext == NULL)
- PRINTF("ORPHAN ");
- PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4));
- PRINTF("%s pass %#x pr %d state %d/%d",
- hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p,
- sp->is_state[0], sp->is_state[1]);
- if (opts & OPT_DEBUG)
- PRINTF(" bkt %d ref %d", sp->is_hv, sp->is_ref);
- PRINTF("\n\ttag %u ttl %lu", sp->is_tag, sp->is_die - now);
-
- if (sp->is_p == IPPROTO_TCP) {
- PRINTF("\n\t%hu -> %hu %x:%x %hu<<%d:%hu<<%d\n",
- ntohs(sp->is_sport), ntohs(sp->is_dport),
- sp->is_send, sp->is_dend,
- sp->is_maxswin, sp->is_swinscale,
- sp->is_maxdwin, sp->is_dwinscale);
- PRINTF("\tcmsk %04x smsk %04x s0 %08x/%08x\n",
- sp->is_smsk[0], sp->is_smsk[1],
- sp->is_s0[0], sp->is_s0[1]);
- PRINTF("\tFWD:ISN inc %x sumd %x\n",
- sp->is_isninc[0], sp->is_sumd[0]);
- PRINTF("\tREV:ISN inc %x sumd %x\n",
- sp->is_isninc[1], sp->is_sumd[1]);
-#ifdef IPFILTER_SCAN
- PRINTF("\tsbuf[0] [");
- printsbuf(sp->is_sbuf[0]);
- PRINTF("] sbuf[1] [");
- printsbuf(sp->is_sbuf[1]);
- PRINTF("]\n");
-#endif
- } else if (sp->is_p == IPPROTO_UDP) {
- PRINTF(" %hu -> %hu\n", ntohs(sp->is_sport),
- ntohs(sp->is_dport));
- } else if (sp->is_p == IPPROTO_GRE) {
- PRINTF(" call %hx/%hx\n", ntohs(sp->is_gre.gs_call[0]),
- ntohs(sp->is_gre.gs_call[1]));
- } else if (sp->is_p == IPPROTO_ICMP
-#ifdef USE_INET6
- || sp->is_p == IPPROTO_ICMPV6
-#endif
- )
- PRINTF(" id %hu seq %hu type %d\n", sp->is_icmp.ici_id,
- sp->is_icmp.ici_seq, sp->is_icmp.ici_type);
-
-#ifdef USE_QUAD_T
- PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n",
- sp->is_pkts[0], sp->is_bytes[0],
- sp->is_pkts[1], sp->is_bytes[1],
- sp->is_pkts[2], sp->is_bytes[2],
- sp->is_pkts[3], sp->is_bytes[3]);
-#else
- PRINTF("\tforward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n\tbackward: pkts in %ld bytes in %ld pkts out %ld bytes out %ld\n",
- sp->is_pkts[0], sp->is_bytes[0],
- sp->is_pkts[1], sp->is_bytes[1],
- sp->is_pkts[2], sp->is_bytes[2],
- sp->is_pkts[3], sp->is_bytes[3]);
-#endif
-
- PRINTF("\t");
-
- /*
- * Print out bits set in the result code for the state being
- * kept as they would for a rule.
- */
- if (FR_ISPASS(sp->is_pass)) {
- PRINTF("pass");
- } else if (FR_ISBLOCK(sp->is_pass)) {
- PRINTF("block");
- switch (sp->is_pass & FR_RETMASK)
- {
- case FR_RETICMP :
- PRINTF(" return-icmp");
- break;
- case FR_FAKEICMP :
- PRINTF(" return-icmp-as-dest");
- break;
- case FR_RETRST :
- PRINTF(" return-rst");
- break;
- default :
- break;
- }
- } else if ((sp->is_pass & FR_LOGMASK) == FR_LOG) {
- PRINTF("log");
- if (sp->is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (sp->is_pass & FR_LOGFIRST)
- PRINTF(" first");
- } else if (FR_ISACCOUNT(sp->is_pass)) {
- PRINTF("count");
- } else if (FR_ISPREAUTH(sp->is_pass)) {
- PRINTF("preauth");
- } else if (FR_ISAUTH(sp->is_pass))
- PRINTF("auth");
-
- if (sp->is_pass & FR_OUTQUE)
- PRINTF(" out");
- else
- PRINTF(" in");
-
- if ((sp->is_pass & FR_LOG) != 0) {
- PRINTF(" log");
- if (sp->is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (sp->is_pass & FR_LOGFIRST)
- PRINTF(" first");
- if (sp->is_pass & FR_LOGORBLOCK)
- PRINTF(" or-block");
- }
- if (sp->is_pass & FR_QUICK)
- PRINTF(" quick");
- if (sp->is_pass & FR_KEEPFRAG)
- PRINTF(" keep frags");
- /* a given; no? */
- if (sp->is_pass & FR_KEEPSTATE) {
- PRINTF(" keep state");
- if (sp->is_pass & FR_STATESYNC)
- PRINTF(" ( sync )");
- }
- PRINTF("\tIPv%d", sp->is_v);
- PRINTF("\n");
-
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- sp->is_flags & 0xf, sp->is_flags,
- sp->is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x, %x = %x \n", sp->is_optmsk[0],
- sp->is_opt[0], sp->is_optmsk[1], sp->is_opt[1]);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- sp->is_secmsk, sp->is_sec, sp->is_authmsk,
- sp->is_auth);
- PRINTF("\tis_flx %#x %#x %#x %#x\n", sp->is_flx[0][0], sp->is_flx[0][1],
- sp->is_flx[1][0], sp->is_flx[1][1]);
- PRINTF("\tinterfaces: in %s[%s", getifname(sp->is_ifp[0]),
- sp->is_ifname[0]);
- if (opts & OPT_DEBUG)
- PRINTF("/%p", sp->is_ifp[0]);
- putchar(']');
- PRINTF(",%s[%s", getifname(sp->is_ifp[1]), sp->is_ifname[1]);
- if (opts & OPT_DEBUG)
- PRINTF("/%p", sp->is_ifp[1]);
- putchar(']');
- PRINTF(" out %s[%s", getifname(sp->is_ifp[2]), sp->is_ifname[2]);
- if (opts & OPT_DEBUG)
- PRINTF("/%p", sp->is_ifp[2]);
- putchar(']');
- PRINTF(",%s[%s", getifname(sp->is_ifp[3]), sp->is_ifname[3]);
- if (opts & OPT_DEBUG)
- PRINTF("/%p", sp->is_ifp[3]);
- PRINTF("]\n");
-
- if (sp->is_sync != NULL) {
-
- if (kmemcpy((char *)&ipsync, (u_long)sp->is_sync, sizeof(ipsync))) {
-
- PRINTF("\tSync status: status could not be retrieved\n");
- return NULL;
- }
-
- PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n",
- ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v,
- ipsync.sl_p, ipsync.sl_rev);
-
- } else {
- PRINTF("\tSync status: not synchronized\n");
- }
-
- return sp->is_next;
-}
diff --git a/contrib/ipfilter/lib/printtqtable.c b/contrib/ipfilter/lib/printtqtable.c
deleted file mode 100644
index 67adb53..0000000
--- a/contrib/ipfilter/lib/printtqtable.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2007 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-
-
-void printtqtable(table)
-ipftq_t *table;
-{
- int i;
-
- printf("TCP Entries per state\n");
- for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", i);
- printf("\n");
-
- for (i = 0; i < IPF_TCP_NSTATES; i++)
- printf(" %5d", table[i].ifq_ref - 1);
- printf("\n");
-}
diff --git a/contrib/ipfilter/lib/printtunable.c b/contrib/ipfilter/lib/printtunable.c
deleted file mode 100644
index dcf9f85..0000000
--- a/contrib/ipfilter/lib/printtunable.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: printtunable.c,v 1.1.4.1 2006/06/16 17:21:15 darrenr Exp $
- */
-
-#include "ipf.h"
-
-void printtunable(tup)
-ipftune_t *tup;
-{
- printf("%s\tmin %#lx\tmax %#lx\tcurrent ",
- tup->ipft_name, tup->ipft_min, tup->ipft_max);
- if (tup->ipft_sz == sizeof(u_long))
- printf("%lu\n", tup->ipft_vlong);
- else if (tup->ipft_sz == sizeof(u_int))
- printf("%u\n", tup->ipft_vint);
- else if (tup->ipft_sz == sizeof(u_short))
- printf("%hu\n", tup->ipft_vshort);
- else if (tup->ipft_sz == sizeof(u_char))
- printf("%u\n", (u_int)tup->ipft_vchar);
- else {
- printf("sz = %d\n", tup->ipft_sz);
- }
-}
diff --git a/contrib/ipfilter/lib/ratoi.c b/contrib/ipfilter/lib/ratoi.c
deleted file mode 100644
index fb8552d..0000000
--- a/contrib/ipfilter/lib/ratoi.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ratoi.c,v 1.4 2001/06/09 17:09:25 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int ratoi(ps, pi, min, max)
-char *ps;
-int *pi, min, max;
-{
- int i;
- char *pe;
-
- i = (int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
diff --git a/contrib/ipfilter/lib/ratoui.c b/contrib/ipfilter/lib/ratoui.c
deleted file mode 100644
index 191f87f..0000000
--- a/contrib/ipfilter/lib/ratoui.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ratoui.c,v 1.4 2001/06/09 17:09:25 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int ratoui(ps, pi, min, max)
-char *ps;
-u_int *pi, min, max;
-{
- u_int i;
- char *pe;
-
- i = (u_int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
diff --git a/contrib/ipfilter/lib/remove_hash.c b/contrib/ipfilter/lib/remove_hash.c
deleted file mode 100644
index 55dab91..0000000
--- a/contrib/ipfilter/lib/remove_hash.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: remove_hash.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-
-static int hashfd = -1;
-
-
-int remove_hash(iphp, iocfunc)
-iphtable_t *iphp;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- iphtable_t iph;
-
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_type = IPLT_HASH;
- op.iplo_unit = iphp->iph_unit;
- strncpy(op.iplo_name, iphp->iph_name, sizeof(op.iplo_name));
- if (*op.iplo_name == '\0')
- op.iplo_arg = IPHASH_ANON;
- op.iplo_size = sizeof(iph);
- op.iplo_struct = &iph;
-
- bzero((char *)&iph, sizeof(iph));
- iph.iph_unit = iphp->iph_unit;
- iph.iph_type = iphp->iph_type;
- strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
- iph.iph_flags = iphp->iph_flags;
-
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_hash:SIOCLOOKUPDELTABLE");
- return -1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/lib/remove_hashnode.c b/contrib/ipfilter/lib/remove_hashnode.c
deleted file mode 100644
index d51f8ab..0000000
--- a/contrib/ipfilter/lib/remove_hashnode.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: remove_hashnode.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-
-static int hashfd = -1;
-
-
-int remove_hashnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-iphtent_t *node;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- iphtent_t ipe;
-
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- hashfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_type = IPLT_HASH;
- op.iplo_unit = unit;
- op.iplo_size = sizeof(ipe);
- op.iplo_struct = &ipe;
- op.iplo_arg = 0;
- strncpy(op.iplo_name, name, sizeof(op.iplo_name));
-
- bzero((char *)&ipe, sizeof(ipe));
- bcopy((char *)&node->ipe_addr, (char *)&ipe.ipe_addr,
- sizeof(ipe.ipe_addr));
- bcopy((char *)&node->ipe_mask, (char *)&ipe.ipe_mask,
- sizeof(ipe.ipe_mask));
-
- if (opts & OPT_DEBUG) {
- printf("\t%s - ", inet_ntoa(ipe.ipe_addr.in4));
- printf("%s\n", inet_ntoa(ipe.ipe_mask.in4));
- }
-
- if ((*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op))
- if (!(opts & OPT_DONOTHING)) {
- perror("remove_hash:SIOCLOOKUPDELNODE");
- return -1;
- }
- return 0;
-}
diff --git a/contrib/ipfilter/lib/remove_pool.c b/contrib/ipfilter/lib/remove_pool.c
deleted file mode 100644
index 19ab4c6..0000000
--- a/contrib/ipfilter/lib/remove_pool.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: remove_pool.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_htable.h"
-
-static int poolfd = -1;
-
-
-int remove_pool(poolp, iocfunc)
-ip_pool_t *poolp;
-ioctlfunc_t iocfunc;
-{
- iplookupop_t op;
- ip_pool_t pool;
-
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_type = IPLT_POOL;
- op.iplo_unit = poolp->ipo_unit;
- strncpy(op.iplo_name, poolp->ipo_name, sizeof(op.iplo_name));
- op.iplo_size = sizeof(pool);
- op.iplo_struct = &pool;
-
- bzero((char *)&pool, sizeof(pool));
- pool.ipo_unit = poolp->ipo_unit;
- strncpy(pool.ipo_name, poolp->ipo_name, sizeof(pool.ipo_name));
- pool.ipo_flags = poolp->ipo_flags;
-
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op))
- if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELTABLE");
- return -1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/lib/remove_poolnode.c b/contrib/ipfilter/lib/remove_poolnode.c
deleted file mode 100644
index ad04b23..0000000
--- a/contrib/ipfilter/lib/remove_poolnode.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: remove_poolnode.c,v 1.3.2.1 2006/06/16 17:21:16 darrenr Exp $
- */
-
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-
-static int poolfd = -1;
-
-
-int remove_poolnode(unit, name, node, iocfunc)
-int unit;
-char *name;
-ip_pool_node_t *node;
-ioctlfunc_t iocfunc;
-{
- ip_pool_node_t pn;
- iplookupop_t op;
-
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- poolfd = open(IPLOOKUP_NAME, O_RDWR);
- if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0))
- return -1;
-
- op.iplo_unit = unit;
- op.iplo_type = IPLT_POOL;
- op.iplo_arg = 0;
- strncpy(op.iplo_name, name, sizeof(op.iplo_name));
- op.iplo_struct = &pn;
- op.iplo_size = sizeof(pn);
-
- bzero((char *)&pn, sizeof(pn));
- bcopy((char *)&node->ipn_addr, (char *)&pn.ipn_addr,
- sizeof(pn.ipn_addr));
- bcopy((char *)&node->ipn_mask, (char *)&pn.ipn_mask,
- sizeof(pn.ipn_mask));
- pn.ipn_info = node->ipn_info;
- strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name));
-
- if ((*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op)) {
- if ((opts & OPT_DONOTHING) == 0) {
- perror("remove_pool:SIOCLOOKUPDELNODE");
- return -1;
- }
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/lib/resetlexer.c b/contrib/ipfilter/lib/resetlexer.c
deleted file mode 100644
index ab9b82e..0000000
--- a/contrib/ipfilter/lib/resetlexer.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: resetlexer.c,v 1.1.4.1 2006/06/16 17:21:16 darrenr Exp $
- */
-
-#include "ipf.h"
-
-long string_start = -1;
-long string_end = -1;
-char *string_val = NULL;
-long pos = 0;
-
-
-void resetlexer()
-{
- string_start = -1;
- string_end = -1;
- string_val = NULL;
- pos = 0;
-}
diff --git a/contrib/ipfilter/lib/rwlock_emul.c b/contrib/ipfilter/lib/rwlock_emul.c
deleted file mode 100644
index 1f0c3a8..0000000
--- a/contrib/ipfilter/lib/rwlock_emul.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: rwlock_emul.c,v 1.1.4.1 2006/06/16 17:21:17 darrenr Exp $
- */
-
-#include "ipf.h"
-
-#define EMM_MAGIC 0x97dd8b3a
-
-void eMrwlock_read_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
-{
- if (rw->eMrw_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMrwlock_read_enter(%p): bad magic: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- if (rw->eMrw_read != 0 || rw->eMrw_write != 0) {
- fprintf(stderr,
- "%s:eMrwlock_read_enter(%p): already locked: %d/%d\n",
- rw->eMrw_owner, rw, rw->eMrw_read, rw->eMrw_write);
- abort();
- }
- rw->eMrw_read++;
- rw->eMrw_heldin = file;
- rw->eMrw_heldat = line;
-}
-
-
-void eMrwlock_write_enter(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
-{
- if (rw->eMrw_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- if (rw->eMrw_read != 0 || rw->eMrw_write != 0) {
- fprintf(stderr,
- "%s:eMrwlock_write_enter(%p): already locked: %d/%d\n",
- rw->eMrw_owner, rw, rw->eMrw_read, rw->eMrw_write);
- abort();
- }
- rw->eMrw_write++;
- rw->eMrw_heldin = file;
- rw->eMrw_heldat = line;
-}
-
-
-void eMrwlock_downgrade(rw, file, line)
-eMrwlock_t *rw;
-char *file;
-int line;
-{
- if (rw->eMrw_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMrwlock_write_enter(%p): bad magic: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- if (rw->eMrw_read != 0 || rw->eMrw_write != 1) {
- fprintf(stderr,
- "%s:eMrwlock_write_enter(%p): already locked: %d/%d\n",
- rw->eMrw_owner, rw, rw->eMrw_read, rw->eMrw_write);
- abort();
- }
- rw->eMrw_write--;
- rw->eMrw_read++;
- rw->eMrw_heldin = file;
- rw->eMrw_heldat = line;
-}
-
-
-void eMrwlock_exit(rw)
-eMrwlock_t *rw;
-{
- if (rw->eMrw_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMrwlock_exit(%p): bad magic: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- if (rw->eMrw_read != 1 && rw->eMrw_write != 1) {
- fprintf(stderr, "%s:eMrwlock_exit(%p): not locked: %d/%d\n",
- rw->eMrw_owner, rw, rw->eMrw_read, rw->eMrw_write);
- abort();
- }
- if (rw->eMrw_read == 1)
- rw->eMrw_read--;
- else if (rw->eMrw_write == 1)
- rw->eMrw_write--;
- rw->eMrw_heldin = NULL;
- rw->eMrw_heldat = 0;
-}
-
-
-void eMrwlock_init(rw, who)
-eMrwlock_t *rw;
-char *who;
-{
- if (rw->eMrw_magic == EMM_MAGIC) { /* safe bet ? */
- fprintf(stderr,
- "%s:eMrwlock_init(%p): already initialised?: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- rw->eMrw_magic = EMM_MAGIC;
- rw->eMrw_read = 0;
- rw->eMrw_write = 0;
- if (who != NULL)
- rw->eMrw_owner = strdup(who);
- else
- rw->eMrw_owner = NULL;
-}
-
-
-void eMrwlock_destroy(rw)
-eMrwlock_t *rw;
-{
- if (rw->eMrw_magic != EMM_MAGIC) {
- fprintf(stderr, "%s:eMrwlock_destroy(%p): bad magic: %#x\n",
- rw->eMrw_owner, rw, rw->eMrw_magic);
- abort();
- }
- memset(rw, 0xa5, sizeof(*rw));
-}
diff --git a/contrib/ipfilter/lib/tcp_flags.c b/contrib/ipfilter/lib/tcp_flags.c
deleted file mode 100644
index 67b7dad..0000000
--- a/contrib/ipfilter/lib/tcp_flags.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2000-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: tcp_flags.c,v 1.8.2.1 2006/06/16 17:21:17 darrenr Exp $
- */
-
-#include "ipf.h"
-
-extern char flagset[];
-extern u_char flags[];
-
-
-u_char tcp_flags(flgs, mask, linenum)
-char *flgs;
-u_char *mask;
-int linenum;
-{
- u_char tcpf = 0, tcpfm = 0;
- char *s;
-
- s = strchr(flgs, '/');
- if (s)
- *s++ = '\0';
-
- if (*flgs == '0') {
- tcpf = strtol(flgs, NULL, 0);
- } else {
- tcpf = tcpflags(flgs);
- }
-
- if (s != NULL) {
- if (*s == '0')
- tcpfm = strtol(s, NULL, 0);
- else
- tcpfm = tcpflags(s);
- }
-
- if (!tcpfm) {
- if (tcpf == TH_SYN)
- tcpfm = 0xff & ~(TH_ECN|TH_CWR);
- else
- tcpfm = 0xff & ~(TH_ECN);
- }
- *mask = tcpfm;
- return tcpf;
-}
diff --git a/contrib/ipfilter/lib/tcpflags.c b/contrib/ipfilter/lib/tcpflags.c
deleted file mode 100644
index bf2c284..0000000
--- a/contrib/ipfilter/lib/tcpflags.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2001-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: tcpflags.c,v 1.3.4.1 2006/06/16 17:21:17 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-/*
- * ECN is a new addition to TCP - RFC 2481
- */
-#ifndef TH_ECN
-# define TH_ECN 0x40
-#endif
-#ifndef TH_CWR
-# define TH_CWR 0x80
-#endif
-
-extern char flagset[];
-extern u_char flags[];
-
-
-u_char tcpflags(flgs)
-char *flgs;
-{
- u_char tcpf = 0;
- char *s, *t;
-
- for (s = flgs; *s; s++) {
- if (*s == 'W')
- tcpf |= TH_CWR;
- else {
- if (!(t = strchr(flagset, *s))) {
- return 0;
- }
- tcpf |= flags[t - flagset];
- }
- }
- return tcpf;
-}
diff --git a/contrib/ipfilter/lib/tcpoptnames.c b/contrib/ipfilter/lib/tcpoptnames.c
deleted file mode 100644
index 7c03736..0000000
--- a/contrib/ipfilter/lib/tcpoptnames.c
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- * Copyright (C) 2000-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: tcpoptnames.c,v 1.5.4.1 2006/06/16 17:21:17 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-struct ipopt_names tcpoptnames[] ={
- { TCPOPT_NOP, 0x000001, 1, "nop" },
- { TCPOPT_MAXSEG, 0x000002, 4, "maxseg" },
- { TCPOPT_WINDOW, 0x000004, 3, "wscale" },
- { TCPOPT_SACK_PERMITTED, 0x000008, 2, "sackok" },
- { TCPOPT_SACK, 0x000010, 3, "sack" },
- { TCPOPT_TIMESTAMP, 0x000020, 10, "tstamp" },
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
diff --git a/contrib/ipfilter/lib/to_interface.c b/contrib/ipfilter/lib/to_interface.c
deleted file mode 100644
index 8f2c16f..0000000
--- a/contrib/ipfilter/lib/to_interface.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: to_interface.c,v 1.8 2002/01/28 06:50:48 darrenr Exp $
- */
-
-#include "ipf.h"
-
-
-int to_interface(fdp, to, linenum)
-frdest_t *fdp;
-char *to;
-int linenum;
-{
- char *s;
-
- s = strchr(to, ':');
- fdp->fd_ifp = NULL;
- if (s) {
- *s++ = '\0';
- if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum, NULL) == -1)
- return -1;
- }
- (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
- fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
- return 0;
-}
diff --git a/contrib/ipfilter/lib/v6ionames.c b/contrib/ipfilter/lib/v6ionames.c
deleted file mode 100644
index 97c20b0..0000000
--- a/contrib/ipfilter/lib/v6ionames.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2003-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: v6ionames.c,v 1.1.4.3 2006/06/16 17:21:18 darrenr Exp $
- */
-#include "ipf.h"
-
-
-#ifdef USE_INET6
-
-struct ipopt_names v6ionames[] ={
- { IPPROTO_HOPOPTS, 0x000001, 0, "hopopts" },
- { IPPROTO_IPV6, 0x000002, 0, "ipv6" },
- { IPPROTO_ROUTING, 0x000004, 0, "routing" },
- { IPPROTO_FRAGMENT, 0x000008, 0, "frag" },
- { IPPROTO_ESP, 0x000010, 0, "esp" },
- { IPPROTO_AH, 0x000020, 0, "ah" },
- { IPPROTO_NONE, 0x000040, 0, "none" },
- { IPPROTO_DSTOPTS, 0x000080, 0, "dstopts" },
- { IPPROTO_MOBILITY, 0x000100, 0, "mobility" },
- { 0, 0, 0, (char *)NULL }
-};
-
-#endif
diff --git a/contrib/ipfilter/lib/v6optvalue.c b/contrib/ipfilter/lib/v6optvalue.c
deleted file mode 100644
index 6123fc2..0000000
--- a/contrib/ipfilter/lib/v6optvalue.c
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2003 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: v6optvalue.c,v 1.1.4.1 2006/06/16 17:21:18 darrenr Exp $
- */
-#include "ipf.h"
-
-
-
-u_32_t getv6optbyname(optname)
-char *optname;
-{
-#ifdef USE_INET6
- struct ipopt_names *io;
-
- for (io = v6ionames; io->on_name; io++)
- if (!strcasecmp(optname, io->on_name))
- return io->on_bit;
-#endif
- return -1;
-}
-
-
-u_32_t getv6optbyvalue(optval)
-int optval;
-{
-#ifdef USE_INET6
- struct ipopt_names *io;
-
- for (io = v6ionames; io->on_name; io++)
- if (io->on_value == optval)
- return io->on_bit;
-#endif
- return -1;
-}
diff --git a/contrib/ipfilter/lib/var.c b/contrib/ipfilter/lib/var.c
deleted file mode 100644
index 3d90a23..0000000
--- a/contrib/ipfilter/lib/var.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: var.c,v 1.4.2.3 2006/06/16 17:21:18 darrenr Exp $
- */
-
-#include <ctype.h>
-
-#include "ipf.h"
-
-typedef struct variable {
- struct variable *v_next;
- char *v_name;
- char *v_value;
-} variable_t;
-
-static variable_t *vtop = NULL;
-
-static variable_t *find_var __P((char *));
-static char *expand_string __P((char *, int));
-
-
-static variable_t *find_var(name)
-char *name;
-{
- variable_t *v;
-
- for (v = vtop; v != NULL; v = v->v_next)
- if (!strcmp(name, v->v_name))
- return v;
- return NULL;
-}
-
-
-char *get_variable(string, after, line)
-char *string, **after;
-int line;
-{
- char c, *s, *t, *value;
- variable_t *v;
-
- s = string;
-
- if (*s == '{') {
- s++;
- for (t = s; *t != '\0'; t++)
- if (*t == '}')
- break;
- if (*t == '\0') {
- fprintf(stderr, "%d: { without }\n", line);
- return NULL;
- }
- } else if (ISALPHA(*s)) {
- for (t = s + 1; *t != '\0'; t++)
- if (!ISALPHA(*t) && !ISDIGIT(*t) && (*t != '_'))
- break;
- } else {
- fprintf(stderr, "%d: variables cannot start with '%c'\n",
- line, *s);
- return NULL;
- }
-
- if (after != NULL)
- *after = t;
- c = *t;
- *t = '\0';
- v = find_var(s);
- *t = c;
- if (v == NULL) {
- fprintf(stderr, "%d: unknown variable '%s'\n", line, s);
- return NULL;
- }
-
- s = strdup(v->v_value);
- value = expand_string(s, line);
- if (value != s)
- free(s);
- return value;
-}
-
-
-static char *expand_string(oldstring, line)
-char *oldstring;
-int line;
-{
- char c, *s, *p1, *p2, *p3, *newstring, *value;
- int len;
-
- p3 = NULL;
- newstring = oldstring;
-
- for (s = oldstring; *s != '\0'; s++)
- if (*s == '$') {
- *s = '\0';
- s++;
-
- switch (*s)
- {
- case '$' :
- bcopy(s, s - 1, strlen(s));
- break;
- default :
- c = *s;
- if (c == '\0')
- return newstring;
-
- value = get_variable(s, &p3, line);
- if (value == NULL)
- return NULL;
-
- p2 = expand_string(value, line);
- if (p2 == NULL)
- return NULL;
-
- len = strlen(newstring) + strlen(p2);
- if (p3 != NULL) {
- if (c == '{' && *p3 == '}')
- p3++;
- len += strlen(p3);
- }
- p1 = malloc(len + 1);
- if (p1 == NULL)
- return NULL;
-
- *(s - 1) = '\0';
- strcpy(p1, newstring);
- strcat(p1, p2);
- if (p3 != NULL)
- strcat(p1, p3);
-
- s = p1 + len - strlen(p3) - 1;
- if (newstring != oldstring)
- free(newstring);
- newstring = p1;
- break;
- }
- }
- return newstring;
-}
-
-
-void set_variable(name, value)
-char *name;
-char *value;
-{
- variable_t *v;
- int len;
-
- if (name == NULL || value == NULL || *name == '\0')
- return;
-
- v = find_var(name);
- if (v != NULL) {
- free(v->v_value);
- v->v_value = strdup(value);
- return;
- }
-
- len = strlen(value);
-
- if ((*value == '"' && value[len - 1] == '"') ||
- (*value == '\'' && value[len - 1] == '\'')) {
- value[len - 1] = '\0';
- value++;
- len -=2;
- }
-
- v = (variable_t *)malloc(sizeof(*v));
- if (v == NULL)
- return;
- v->v_name = strdup(name);
- v->v_value = strdup(value);
- v->v_next = vtop;
- vtop = v;
-}
diff --git a/contrib/ipfilter/lib/verbose.c b/contrib/ipfilter/lib/verbose.c
deleted file mode 100644
index 4a856b0..0000000
--- a/contrib/ipfilter/lib/verbose.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2000-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: verbose.c,v 1.6.4.1 2006/06/16 17:21:18 darrenr Exp $
- */
-
-#if defined(__STDC__)
-# include <stdarg.h>
-#else
-# include <varargs.h>
-#endif
-#include <stdio.h>
-
-#include "ipt.h"
-#include "opts.h"
-
-
-#if defined(__STDC__)
-void verbose(char *fmt, ...)
-#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
-
- if (opts & OPT_VERBOSE)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h
deleted file mode 100644
index 61fd821..0000000
--- a/contrib/ipfilter/linux.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright (C) 1993-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors. The author accepts no
- * responsibility and is not changed in any way.
- *
- * I hate legaleese, don't you ?
- * $Id: linux.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $
- */
-
-#include <linux/config.h>
-#ifdef MODULE
-#include <linux/module.h>
-#include <linux/version.h>
-#endif /* MODULE */
-
-#include "ip_compat.h"
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
deleted file mode 100644
index 3f12ccb..0000000
--- a/contrib/ipfilter/man/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-
-all:
-
-install:
- $(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ippool.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ippool.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
- @echo "Remember to rebuild the whatis database."
diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1
deleted file mode 100644
index 5ea06fa..0000000
--- a/contrib/ipfilter/man/ipf.1
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH IPF 1
-.SH NAME
-ipf \- alters packet filtering lists for IP packet input and ouput
-.SH SYNOPSIS
-.B ipf
-[
-.B \-AdDEInorsUvyzZ
-] [
-.B \-l
-<block|pass|nomatch>
-] [
-.B \-F
-<i|o|a>
-]
-.B \-f
-<\fIfilename\fP>
-[
-.B \-f
-<\fIfilename\fP>
-[...]]
-.SH DESCRIPTION
-.PP
-\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
-.PP
-Each rule processed by \fBipf\fP
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipf\fP.
-.SH OPTIONS
-.TP
-.B \-A
-Set the list to make changes to the active list (default).
-.TP
-.B \-d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.TP
-.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
-.TP
-.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.TP
-.BR \-F \0<param>
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.TP
-.BR \-f \0<filename>
-This option specifies which files
-\fBipf\fP should use to get input from for modifying the packet filter rule
-lists.
-.TP
-.B \-I
-Set the list to make changes to the inactive list.
-.TP
-.B \-l \0<param>
-Use of the \fB-l\fP flag toggles default logging of packets. Valid
-arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.TP
-.B \-r
-Remove matching filter rules rather than add them to the internal lists
-.TP
-.B \-s
-Swap the active filter list in use to be the "other" one.
-.TP
-.B \-U
-(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
-recognised as IP packets. They will be printed out on the console.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
-.TP
-.B \-y
-(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
-by IP Filter with the current interface status list.
-.TP
-.B \-z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zero'd.
-.TP
-.B \-Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
-.DT
-.SH SEE ALSO
-ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
deleted file mode 100644
index e2e5b5b..0000000
--- a/contrib/ipfilter/man/ipf.4
+++ /dev/null
@@ -1,255 +0,0 @@
-.TH IPF 4
-.SH NAME
-ipf \- packet filtering kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the filter list, three 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADDFR, struct frentry **)
- ioctl(fd, SIOCDELFR, struct frentry **)
- ioctl(fd, SIOCIPFFL, int *)
-.fi
-.PP
-However, the full complement is as follows:
-.LP
-.nf
- ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
- ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
- ioctl(fd, SIOCADIFR, struct frentry **)
- ioctl(fd, SIOCRMIFR, struct frentry **)
- ioctl(fd, SIOCINAFR, struct frentry **)
- ioctl(fd, SIOCINIFR, struct frentry **)
- ioctl(fd, SIOCSETFF, u_int *)
- ioctl(fd, SIOGGETFF, u_int *)
- ioctl(fd, SIOCGETFS, struct friostat **)
- ioctl(fd, SIOCIPFFL, int *)
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, SIOCSWAPA, u_int *)
- ioctl(fd, SIOCFRENB, u_int *)
- ioctl(fd, SIOCFRSYN, u_int *)
- ioctl(fd, SIOCFRZST, struct friostat **)
- ioctl(fd, SIOCZRLST, struct frentry **)
- ioctl(fd, SIOCAUTHW, struct fr_info **)
- ioctl(fd, SIOCAUTHR, struct fr_info **)
- ioctl(fd, SIOCATHST, struct fr_authstat **)
-.fi
-.PP
-The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
-active and inactive, respectively. All of these ioctl's are implemented
-as being routing ioctls and thus the same rules for the various routing
-ioctls and the file descriptor are employed, mainly being that the fd must
-be that of the device associated with the module (i.e., /dev/ipl).
-.LP
-.PP
-The three groups of ioctls above perform adding rules to the end of the
-list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
-and insertion of a rule into the list (SIOCIN*). The rule place into
-which it is inserted is stored in the "fr_hits" field, below.
-.LP
-.nf
-typedef struct frentry {
- struct frentry *fr_next;
- u_short fr_group; /* group to which this rule belongs */
- u_short fr_grhead; /* group # which this rule starts */
- struct frentry *fr_grp;
- int fr_ref; /* reference count - for grouping */
- void *fr_ifa;
-#if BSD >= 199306
- void *fr_oifa;
-#endif
- /*
- * These are only incremented when a packet matches this rule and
- * it is the last match
- */
- U_QUAD_T fr_hits;
- U_QUAD_T fr_bytes;
- /*
- * Fields after this may not change whilst in the kernel.
- */
- struct fr_ip fr_ip;
- struct fr_ip fr_mip; /* mask structure */
-
- u_char fr_tcpfm; /* tcp flags mask */
- u_char fr_tcpf; /* tcp flags */
-
- u_short fr_icmpm; /* data for ICMP packets (mask) */
- u_short fr_icmp;
-
- u_char fr_scmp; /* data for port comparisons */
- u_char fr_dcmp;
- u_short fr_dport;
- u_short fr_sport;
- u_short fr_stop; /* top port for <> and >< */
- u_short fr_dtop; /* top port for <> and >< */
- u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_short fr_skip; /* # of rules to skip */
- u_short fr_loglevel; /* syslog log facility + priority */
- int (*fr_func) __P((int, ip_t *, fr_info_t *));
- char fr_icode; /* return ICMP code */
- char fr_ifname[IFNAMSIZ];
-#if BSD > 199306
- char fr_oifname[IFNAMSIZ];
-#endif
- struct frdest fr_tif; /* "to" interface */
- struct frdest fr_dif; /* duplicate packet interfaces */
-} frentry_t;
-.fi
-.PP
-When adding a new rule, all unused fields (in the filter rule) should be
-initialised to be zero. To insert a rule, at a particular position in the
-filter list, the number of the rule which it is to be inserted before must
-be put in the "fr_hits" field (the first rule is number 0).
-.LP
-.PP
-Flags which are recognised in fr_flags:
-.nf
-
- FR_BLOCK 0x000001 /* do not allow packet to pass */
- FR_PASS 0x000002 /* allow packet to pass */
- FR_OUTQUE 0x000004 /* outgoing packets */
- FR_INQUE 0x000008 /* ingoing packets */
- FR_LOG 0x000010 /* Log */
- FR_LOGB 0x000011 /* Log-fail */
- FR_LOGP 0x000012 /* Log-pass */
- FR_LOGBODY 0x000020 /* log the body of packets too */
- FR_LOGFIRST 0x000040 /* log only the first packet to match */
- FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
- FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
- FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
- FR_NOMATCH 0x000200 /* no match occured */
- FR_ACCOUNT 0x000400 /* count packet bytes */
- FR_KEEPFRAG 0x000800 /* keep fragment information */
- FR_KEEPSTATE 0x001000 /* keep `connection' state information */
- FR_INACTIVE 0x002000
- FR_QUICK 0x004000 /* match & stop processing list */
- FR_FASTROUTE 0x008000 /* bypass normal routing */
- FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
- FR_DUP 0x020000 /* duplicate the packet */
- FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
- FR_NOTSRCIP 0x080000 /* not the src IP# */
- FR_NOTDSTIP 0x100000 /* not the dst IP# */
- FR_AUTH 0x200000 /* use authentication */
- FR_PREAUTH 0x400000 /* require preauthentication */
-
-.fi
-.PP
-Values for fr_scomp and fr_dcomp (source and destination port value
-comparisons) :
-.LP
-.nf
- FR_NONE 0
- FR_EQUAL 1
- FR_NEQUAL 2
- FR_LESST 3
- FR_GREATERT 4
- FR_LESSTE 5
- FR_GREATERTE 6
- FR_OUTRANGE 7
- FR_INRANGE 8
-.fi
-.PP
-The third ioctl, SIOCIPFFL, flushes either the input filter list, the
-output filter list or both and it returns the number of filters removed
-from the list(s). The values which it will take and recognise are FR_INQUE
-and FR_OUTQUE (see above). This ioctl is also implemented for
-\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
-or just all those which are not established if passed 1.
-
-.IP "\fBGeneral Logging Flags\fP" 0
-There are two flags which can be set to log packets independently of the
-rules used. These allow for packets which are either passed or blocked
-to be logged. To set (and clear)/get these flags, two ioctls are
-provided:
-.IP SIOCSETFF 16
-Takes an unsigned integer as the parameter. The flags are then set to
-those provided (clearing/setting all in one).
-.nf
-
- FF_LOGPASS 0x10000000
- FF_LOGBLOCK 0x20000000
- FF_LOGNOMATCH 0x40000000
- FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
-.fi
-.IP SIOCGETFF 16
-Takes a pointer to an unsigned integer as the parameter. A copy of the
-flags currently in used is copied to user space.
-.IP "\fBFilter statistics\fP" 0
-Statistics on the various operations performed by this package on packets
-is kept inside the kernel. These statistics apply to packets traversing
-through the kernel. To retrieve this structure, use this ioctl:
-.nf
-
- ioctl(fd, SIOCGETFS, struct friostat *)
-
-struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin[2];
- struct frentry *f_fout[2];
- struct frentry *f_acctin[2];
- struct frentry *f_acctout[2];
- struct frentry *f_auth;
- u_long f_froute[2];
- int f_active; /* 1 or 0 - active rule set */
- int f_defpass; /* default pass - from fr_pass */
- int f_running; /* 1 if running, else 0 */
- int f_logging; /* 1 if enabled, else 0 */
- char f_version[32]; /* version string */
-};
-
-struct filterstats {
- u_long fr_pass; /* packets allowed */
- u_long fr_block; /* packets denied */
- u_long fr_nom; /* packets which don't match any rule */
- u_long fr_ppkl; /* packets allowed and logged */
- u_long fr_bpkl; /* packets denied and logged */
- u_long fr_npkl; /* packets unmatched and logged */
- u_long fr_pkl; /* packets logged */
- u_long fr_skip; /* packets to be logged but buffer full */
- u_long fr_ret; /* packets for which a return is sent */
- u_long fr_acct; /* packets for which counting was performed */
- u_long fr_bnfr; /* bad attempts to allocate fragment state */
- u_long fr_nfr; /* new fragment state kept */
- u_long fr_cfr; /* add new fragment state but complete pkt */
- u_long fr_bads; /* bad attempts to allocate packet state */
- u_long fr_ads; /* new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_pull[2]; /* good and bad pullup attempts */
-#if SOLARIS
- u_long fr_notdata; /* PROTO/PCPROTO that have no data */
- u_long fr_nodata; /* mblks that have no data */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_notip; /* packets passed through no on ip queue */
- u_long fr_drop; /* packets dropped - no info for them! */
-#endif
-};
-.fi
-If we wanted to retrieve all the statistics and reset the counters back to
-0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
-In addition to the statistics above, each rule keeps a hit count, counting
-both number of packets and bytes. To reset these counters for a rule,
-load the various rule information into a frentry structure and call
-SIOCZRLST.
-.IP "Swapping Active lists" 0
-IP Filter supports two lists of rules for filtering and accounting: an
-active list and an inactive list. This allows for large scale rule base
-changes to be put in place atomically with otherwise minimal interruption.
-Which of the two is active can be changed using the SIOCSWAPA ioctl. It
-is important to note that no passed argument is recognised and that the
-value returned is that of the list which is now inactive.
-.br
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
deleted file mode 100644
index 3fd9e94..0000000
--- a/contrib/ipfilter/man/ipf.5
+++ /dev/null
@@ -1,556 +0,0 @@
-.TH IPF 5
-.SH NAME
-ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
-.SH DESCRIPTION
-.PP
-A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parsable rules as output when displaying the internal
-kernel filter lists, it is quite plausible to use its output to feed back
-into \fBipf\fP. Thus, to remove all filters on input packets, the following
-could be done:
-.nf
-
-\fC# ipfstat \-i | ipf \-rf \-\fP
-.fi
-.SH GRAMMAR
-.PP
-The format used by \fBipf\fP for construction of filtering rules can be
-described using the following grammar in BNF:
-\fC
-.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] ip [ group ].
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
- [ froute ] [ replyto ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-skip = "skip" decnumber .
-auth = "auth" | "preauth" .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name [ ":" ipaddr ] .
-froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
-replyto = "reply-to" interface-name [ ":" ipaddr ] .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" [ "!" ] object "to" [ "!" ] object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-return-code = "(" icmp-code ")" .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-addr = "any" | "<thishost>" | nummask |
- host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "(" icmp-code ")" .
-keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
-loglevel = facility"."priority | priority .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-state-options = state-opts [ "," state-options ] .
-
-state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
- "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" optname .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
- "addext" | "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
- "gt" | "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
-.fi
-.PP
-This syntax is somewhat simplified for readability, some combinations
-that match this grammar are disallowed by the software because they do
-not make sense (such as tcp \fBflags\fP for non-TCP packets).
-.SH FILTER RULES
-.PP
-The "briefest" valid rules are (currently) no-ops and are of the form:
-.nf
- block in all
- pass in all
- log out all
- count in all
-.fi
-.PP
-Filter rules are checked in order, with the last matching rule
-determining the fate of the packet (but see the \fBquick\fP option,
-below).
-.PP
-Filters are installed by default at the end of the kernel's filter
-lists, prepending the rule with \fB@n\fP will cause it to be inserted
-as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(8) for more
-information.
-.SH ACTIONS
-.PP
-The action indicates what to do with the packet if it matches the rest
-of the filter rule. Each rule MUST have an action. The following
-actions are recognised:
-.TP
-.B block
-indicates that the packet should be flagged to be dropped. In response
-to blocking a packet, the filter may be instructed to send a reply
-packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
-masquerading as being from the original packet's destination
-(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
-ICMP packet may be generated in response to any IP packet, and its
-type may optionally be specified, but a TCP reset may only be used
-with a rule which is being applied to TCP packets. When using
-\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
-the actual unreachable `type'. That is, whether it is a network
-unreachable, port unreachable or even administratively
-prohibited. This is done by enclosing the ICMP code associated with
-it in parenthesis directly following \fBreturn-icmp\fP or
-\fBreturn-icmp-as-dest\fP as follows:
-.nf
- block return-icmp(11) ...
-.fi
-.PP
-Would return a Type-Of-Service (TOS) ICMP unreachable error.
-.TP
-.B pass
-will flag the packet to be let through the filter.
-.TP
-.B log
-causes the packet to be logged (as described in the LOGGING section
-below) and has no effect on whether the packet will be allowed through
-the filter.
-.TP
-.B count
-causes the packet to be included in the accounting statistics kept by
-the filter, and has no effect on whether the packet will be allowed through
-the filter. These statistics are viewable with ipfstat(8).
-.TP
-.B call
-this action is used to invoke the named function in the kernel, which
-must conform to a specific calling interface. Customised actions and
-semantics can thus be implemented to supplement those available. This
-feature is for use by knowledgeable hackers, and is not currently
-documented.
-.TP
-.B "skip <n>"
-causes the filter to skip over the next \fIn\fP filter rules. If a rule is
-inserted or deleted inside the region being skipped over, then the value of
-\fIn\fP is adjusted appropriately.
-.TP
-.B auth
-this allows authentication to be performed by a user-space program running
-and waiting for packet information to validate. The packet is held for a
-period of time in an internal buffer whilst it waits for the program to return
-to the kernel the \fIreal\fP flags for whether it should be allowed through
-or not. Such a program might look at the source address and request some sort
-of authentication from the user (such as a password) before allowing the
-packet through or telling the kernel to drop it if from an unrecognised source.
-.TP
-.B preauth
-tells the filter that for packets of this class, it should look in the
-pre-authenticated list for further clarification. If no further matching
-rule is found, the packet will be dropped (the FR_PREAUTH is not the same
-as FR_PASS). If a further matching rule is found, the result from that is
-used in its instead. This might be used in a situation where a person
-\fIlogs in\fP to the firewall and it sets up some temporary rules defining
-the access for that person.
-.PP
-The next word must be either \fBin\fP or \fBout\fP. Each packet
-moving through the kernel is either inbound (just been received on an
-interface, and moving towards the kernel's protocol processing) or
-outbound (transmitted or forwarded by the stack, and on its way to an
-interface). There is a requirement that each filter rule explicitly
-state which side of the I/O it is to be used on.
-.SH OPTIONS
-.PP
-The list of options is brief, and all are indeed optional. Where
-options are used, they must be present in the order shown here. These
-are the currently supported options:
-.TP
-.B log
-indicates that, should this be the last matching rule, the packet
-header will be written to the \fBipl\fP log (as described in the
-LOGGING section below).
-.TP
-.B tag tagid
-indicates that, if this rule causes the packet to be logged or entered
-in the state table, the tagid will be logged as part of the log entry.
-This can be used to quickly match "similar" rules in scripts that post
-process the log files for e.g. generation of security reports or accounting
-purposes. The tagid is a 32 bit unsigned integer.
-.TP
-.B quick
-allows "short-cut" rules in order to speed up the filter or override
-later rules. If a packet matches a filter rule which is marked as
-\fBquick\fP, this rule will be the last rule checked, allowing a
-"short-circuit" path to avoid processing later rules for this
-packet. The current status of the packet (after any effects of the
-current rule) will determine whether it is passed or blocked.
-.IP
-If this option is missing, the rule is taken to be a "fall-through"
-rule, meaning that the result of the match (block/pass) is saved and
-that processing will continue to see if there are any more matches.
-.TP
-.B on
-allows an interface name to be incorporated into the matching
-procedure. Interface names are as printed by "netstat \-i". If this
-option is used, the rule will only match if the packet is going
-through that interface in the specified direction (in/out). If this
-option is absent, the rule is taken to be applied to a packet
-regardless of the interface it is present on (i.e. on all interfaces).
-Filter rulesets are common to all interfaces, rather than having a
-filter list for each interface.
-.IP
-This option is especially useful for simple IP-spoofing protection:
-packets should only be allowed to pass inbound on the interface from
-which the specified source address would be expected, others may be
-logged and/or dropped.
-.TP
-.B dup-to
-causes the packet to be copied, and the duplicate packet to be sent
-outbound on the specified interface, optionally with the destination
-IP address changed to that specified. This is useful for off-host
-logging, using a network sniffer.
-.TP
-.B to
-causes the packet to be moved to the outbound queue on the
-specified interface. This can be used to circumvent kernel routing
-decisions, and even to bypass the rest of the kernel processing of the
-packet (if applied to an inbound rule). It is thus possible to
-construct a firewall that behaves transparently, like a filtering hub
-or switch, rather than a router. The \fBfastroute\fP keyword is a
-synonym for this option.
-.SH MATCHING PARAMETERS
-.PP
-The keywords described in this section are used to describe attributes
-of the packet to be used when determining whether rules match or don't
-match. The following general-purpose attributes are provided for
-matching, and must be used in this order:
-.TP
-.B tos
-packets with different Type-Of-Service values can be filtered.
-Individual service levels or combinations can be filtered upon. The
-value for the TOS mask can either be represented as a hex number or a
-decimal integer value.
-.TP
-.B ttl
-packets may also be selected by their Time-To-Live value. The value given in
-the filter rule must exactly match that in the packet for a match to occur.
-This value can only be given as a decimal integer value.
-.TP
-.B proto
-allows a specific protocol to be matched against. All protocol names
-found in \fB/etc/protocols\fP are recognised and may be used.
-However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would
-out-date any attempted listing.
-.IP
-The special protocol keyword \fBtcp/udp\fP may be used to match either
-a TCP or a UDP packet, and has been added as a convenience to save
-duplication of otherwise-identical rules.
-.\" XXX grammar should reflect this (/etc/protocols)
-.PP
-The \fBfrom\fP and \fBto\fP keywords are used to match against IP
-addresses (and optionally port numbers). Rules must specify BOTH
-source and destination parameters.
-.PP
-IP addresses may be specified in one of two ways: as a numerical
-address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
-may either be a valid hostname, from either the hosts file or DNS
-(depending on your configuration and library) or of the dotted numeric
-form. There is no special designation for networks but network names
-are recognised. Note that having your filter rules depend on DNS
-results can introduce an avenue of attack, and is discouraged.
-.PP
-There is a special case for the hostname \fBany\fP which is taken to
-be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
-Only the presence of "any" has an implied mask, in all other
-situations, a hostname MUST be accompanied by a mask. It is possible
-to give "any" a hostmask, but in the context of this language, it is
-non-sensical.
-.PP
-The numerical format "x\fB/\fPy" indicates that a mask of y
-consecutive 1 bits set is generated, starting with the MSB, so a y value
-of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
-that the mask y is in dotted IP notation or a hexadecimal number of
-the form 0x12345678. Note that all the bits of the IP address
-indicated by the bitmask must match the address on the packet exactly;
-there isn't currently a way to invert the sense of the match, or to
-match ranges of IP addresses which do not express themselves easily as
-bitmasks (anthropomorphization; it's not just for breakfast anymore).
-.PP
-If a \fBport\fP match is included, for either or both of source and
-destination, then it is only applied to
-.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
-TCP and UDP packets. If there is no \fBproto\fP match parameter,
-packets from both protocols are compared. This is equivalent to "proto
-tcp/udp". When composing \fBport\fP comparisons, either the service
-name or an integer port number may be used. Port comparisons may be
-done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. When the port appears as part of the
-\fBfrom\fP object, it matches the source port number, when it appears
-as part of the \fBto\fP object, it matches the destination port number.
-See the examples for more information.
-.PP
-The \fBall\fP keyword is essentially a synonym for "from any to any"
-with no other match parameters.
-.PP
-Following the source and destination matching parameters, the
-following additional parameters may be used:
-.TP
-.B with
-is used to match irregular attributes that some packets may have
-associated with them. To match the presence of IP options in general,
-use \fBwith ipopts\fP. To match packets that are too short to contain
-a complete header, use \fBwith short\fP. To match fragmented packets,
-use \fBwith frag\fP. For more specific filtering on IP options,
-individual options can be listed.
-.IP
-Before any parameter used after the \fBwith\fP keyword, the word
-\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
-match if the option(s) is not present.
-.IP
-Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
-the keyword \fBand\fP may be used in place of \fBwith\fP, this is
-provided purely to make the rules more readable ("with ... and ...").
-When multiple clauses are listed, all those must match to cause a
-match of the rule.
-.\" XXX describe the options more specifically in a separate section
-.TP
-.B flags
-is only effective for TCP filtering. Each of the letters possible
-represents one of the possible flags that can be set in the TCP
-header. The association is as follows:
-.LP
-.nf
- F - FIN
- S - SYN
- R - RST
- P - PUSH
- A - ACK
- U - URG
-.fi
-.IP
-The various flag symbols may be used in combination, so that "SA"
-would represent a SYN-ACK combination present in a packet. There is
-nothing preventing the specification of combinations, such as "SFR",
-that would not normally be generated by law-abiding TCP
-implementations. However, to guard against weird aberrations, it is
-necessary to state which flags you are filtering against. To allow
-this, it is possible to set a mask indicating which TCP flags you wish
-to compare (i.e., those you deem significant). This is done by
-appending "/<flags>" to the set of TCP flags you wish to match
-against, e.g.:
-.LP
-.nf
- ... flags S
- # becomes "flags S/AUPRFS" and will match
- # packets with ONLY the SYN flag set.
-
- ... flags SA
- # becomes "flags SA/AUPRFS" and will match any
- # packet with only the SYN and ACK flags set.
-
- ... flags S/SA
- # will match any packet with just the SYN flag set
- # out of the SYN-ACK pair; the common "establish"
- # keyword action. "S/SA" will NOT match a packet
- # with BOTH SYN and ACK set, but WILL match "SFP".
-.fi
-.TP
-.B icmp-type
-is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjunction with \fBflags\fP. There are a number of types, which can be
-referred to by an abbreviation recognised by this language, or the numbers
-with which they are associated can be used. The most important from
-a security point of view is the ICMP redirect.
-.SH KEEP HISTORY
-.PP
-The second last parameter which can be set for a filter rule is whether or not
-to record historical information for that packet, and what sort to keep. The
-following information can be kept:
-.TP
-.B state
-keeps information about the flow of a communication session. State can
-be kept for TCP, UDP, and ICMP packets.
-.TP
-.B frags
-keeps information on fragmented packets, to be applied to later
-fragments.
-.PP
-allowing packets which match these to flow straight through, rather
-than going through the access control list.
-.SH GROUPS
-The last pair of parameters control filter rule "grouping". By default, all
-filter rules are placed in group 0 if no other group is specified. To add a
-rule to a non-default group, the group must first be started by creating a
-group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
-group, the filter processing then switches to the group, using that rule as
-the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
-processing isn't stopped until it has returned from processing the group.
-.PP
-A rule may be both the head for a new group and a member of a non-default
-group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
-.TP
-.B "head <n>"
-indicates that a new group (number n) should be created.
-.TP
-.B "group <n>"
-indicates that the rule should be put in group (number n) rather than group 0.
-.SH LOGGING
-.PP
-When a packet is logged, with either the \fBlog\fP action or option,
-the headers of the packet are written to the \fBipl\fP packet logging
-pseudo-device. Immediately following the \fBlog\fP keyword, the
-following qualifiers may be used (in order):
-.TP
-.B body
-indicates that the first 128 bytes of the packet contents will be
-logged after the headers.
-.TP
-.B first
-If log is being used in conjunction with a "keep" option, it is recommended
-that this option is also applied so that only the triggering packet is logged
-and not every packet which thereafter matches state information.
-.TP
-.B or-block
-indicates that, if for some reason the filter is unable to log the
-packet (such as the log reader being too slow) then the rule should be
-interpreted as if the action was \fBblock\fP for this packet.
-.TP
-.B "level <loglevel>"
-indicates what logging facility and priority, or just priority with
-the default facility being used, will be used to log information about
-this packet using ipmon's -s option.
-.PP
-See ipl(4) for the format of records written
-to this device. The ipmon(8) program can be used to read and format
-this log.
-.SH EXAMPLES
-.PP
-The \fBquick\fP option is good for rules such as:
-\fC
-.nf
-block in quick from any to any with ipopts
-.fi
-.PP
-which will match any packet with a non-standard header length (IP
-options present) and abort further processing of later rules,
-recording a match and also that the packet should be blocked.
-.PP
-The "fall-through" rule parsing allows for effects such as this:
-.LP
-.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to any port > 6003
-.fi
-.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Note that the effect of the first rule is overridden by subsequent
-rules. Another (easier) way to do the same is:
-.LP
-.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
-.fi
-.PP
-Note that both the "block" and "pass" are needed here to effect a
-result as a failed match on the "block" action does not imply a pass,
-only that the rule hasn't taken effect. To then allow ports < 1024, a
-rule such as:
-.LP
-.nf
- pass in quick from any to any port < 1024
-.fi
-.PP
-would be needed before the first block. To create a new group for
-processing all inbound packets on le0/le1/lo0, with the default being to block
-all inbound packets, we would do something like:
-.LP
-.nf
- block in all
- block in quick on le0 all head 100
- block in quick on le1 all head 200
- block in quick on lo0 all head 300
-.fi
-.PP
-
-and to then allow ICMP packets in on le0, only, we would do:
-.LP
-.nf
- pass in proto icmp all group 100
-.fi
-.PP
-Note that because only inbound packets on le0 are used processed by group 100,
-there is no need to respecify the interface name. Likewise, we could further
-breakup processing of TCP, etc, as follows:
-.LP
-.nf
- block in proto tcp all head 110 group 100
- pass in from any to any port = 23 group 110
-.fi
-.PP
-and so on. The last line, if written without the groups would be:
-.LP
-.nf
- pass in on le0 proto tcp from any to any port = telnet
-.fi
-.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
-.br
-/etc/services
-.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
deleted file mode 100644
index a438415..0000000
--- a/contrib/ipfilter/man/ipf.8
+++ /dev/null
@@ -1,171 +0,0 @@
-.TH IPF 8
-.SH NAME
-ipf \- alters packet filtering lists for IP packet input and output
-.SH SYNOPSIS
-.B ipf
-[
-.B \-6AcdDEInoPrsvVyzZ
-] [
-.B \-l
-<block|pass|nomatch>
-] [
-.B \-T
-<optionlist>
-] [
-.B \-F
-<i|o|a|s|S>
-]
-.B \-f
-<\fIfilename\fP>
-[
-.B \-f
-<\fIfilename\fP>
-[...]]
-.SH DESCRIPTION
-.PP
-\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
-.PP
-Each rule processed by \fBipf\fP
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipf\fP.
-.SH OPTIONS
-.TP
-.B \-6
-This option is required to parse IPv6 rules and to have them loaded.
-.TP
-.B \-A
-Set the list to make changes to the active list (default).
-.TP
-.B \-c <language>
-This option causes \fBipf\fP to generate output files for a compiler that
-supports \fBlanguage\fI. At present, the only target language supported is
-\fBC\fB (-cc) for which two files - \fBip_rules.c\fP
-and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
-\fBipf\fP is being run. These files can be used with the
-\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticly into
-the kernel.
-.TP
-.B \-d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.TP
-.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
-.TP
-.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.TP
-.BR \-F \0<i|o|a>
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.TP
-.BR \-F \0<s|S>
-To flush entries from the state table, the \fB-F\fP option is used in
-conjunction with either "s" (removes state information about any non-fully
-established connections) or "S" (deletes the entire state table). Only
-one of the two options may be given. A fully established connection
-will show up in \fBipfstat -s\fP output as 5/5, with deviations either
-way indicating it is not fully established any more.
-.TP
-.BR \-F <5|6|7|8|9|10|11>
-For the TCP states that represent the closing of a connection has begun,
-be it only one side or the complete connection, it is possible to flush
-those states directly using the number corresponding to that state.
-The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1,
-7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.
-.TP
-.BR \-F <number>
-If the argument supplied to \fB-F\fP is greater than 30, then state table
-entries that have been idle for more than this many seconds will be flushed.
-.TP
-.BR \-f \0<filename>
-This option specifies which files
-\fBipf\fP should use to get input from for modifying the packet filter rule
-lists.
-.TP
-.B \-I
-Set the list to make changes to the inactive list.
-.TP
-.B \-l \0<pass|block|nomatch>
-Use of the \fB-l\fP flag toggles default logging of packets. Valid
-arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.TP
-.B \-P
-Add rules as temporary entries in the authentication rule table.
-.TP
-.B \-r
-Remove matching filter rules rather than add them to the internal lists
-.TP
-.B \-s
-Swap the active filter list in use to be the "other" one.
-.TP
-.B \-T <optionlist>
-This option allows run-time changing of IPFilter kernel variables. Some
-variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
-others do not. The optionlist parameter is a comma separated list of tuning
-commands. A tuning command is either "list" (retrieve a list of all variables
-in the kernel, their maximum, minimum and current value), a single variable
-name (retrieve its current value) and a variable name with a following
-assignment to set a new value. Some examples follow.
-.nf
-# Print out all IPFilter kernel tunable parameters
-ipf -T list
-# Display the current TCP idle timeout and then set it to 3600
-ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
-# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
-ipf -T fr_pass,fr_chksrc,fr_chksrc=1
-.fi
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
-.TP
-.B \-V
-Show version information. This will display the version information compiled
-into the ipf binary and retrieve it from the kernel code (if running/present).
-If it is present in the kernel, information about its current state will be
-displayed (whether logging is active, default filtering, etc).
-.TP
-.B \-y
-Manually resync the in-kernel interface list maintained by IP Filter with
-the current interface status list.
-.TP
-.B \-z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zeroed.
-.TP
-.B \-Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
-.DT
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
deleted file mode 100644
index b2d2f2a..0000000
--- a/contrib/ipfilter/man/ipfilter.4
+++ /dev/null
@@ -1,239 +0,0 @@
-.TH IP\ FILTER 4
-.SH NAME
-ipfilter \- Introduction to IP packet filtering
-.SH DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.SH FEATURES
-The IP packet filter can:
-.IP
-explicitly deny/permit any packet from passing through
-.IP
-distinguish between various interfaces
-.IP
-filter by IP networks or hosts
-.IP
-selectively filter any IP protocol
-.IP
-selectively filter fragmented IP packets
-.IP
-selectively filter packets with IP options
-.IP
-send back an ICMP error/TCP reset for blocked packets
-.IP
-keep packet state information for TCP, UDP and ICMP packet flows
-.IP
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.IP
-act as a Network Address Translator (NAT)
-.IP
-use redirection to setup true transparent proxy connections
-.IP
-provide packet header details to a user program for authentication
-.IP
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.PP
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.IP
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.IP
-ICMP packets by type/code
-.IP
-"established" TCP packets
-.IP
-On any arbitrary combination of TCP flags
-.IP
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.PP
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.IP
-the TCP/UDP/ICMP and IP packet headers
-.IP
-the first 128 bytes of the packet (including headers)
-.PP
-A packet can be logged when:
-.IP
-it is successfully passed through
-.IP
-it is blocked from passing through
-.IP
-it matches a rule setup to look for suspicious packets
-.PP
-IP Filter keeps its own set of statistics on:
-.IP
-packets blocked
-.IP
-packets (and bytes!) used for accounting
-.IP
-packets passed
-.lP
-packets logged
-.IP
-attempts to log which failed (buffer full)
-.IP
-and much more, for packets going both in and out.
-
-.SH Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.PP
-ipf(8)
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in ipf(5).
-.PP
-ipfs(8)
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.PP
-ipfstat(8)
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.PP
-ipftest(1)
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.PP
-ipmon(8)
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.IP
-screen (standard output)
-.IP
-file
-.IP
-syslog
-.PP
-ipsend(1)
-generates arbitary IP packets for ethernet connected machines.
-.PP
-ipresend(1)
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.PP
-iptest(1)
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.PP
-ipnat(8)
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in ipnat(5).
-.PP
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in ipf(4).
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in ipnat(4).
-
-.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.PP
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.SH MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.SH SEE ALSO
-ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
-ipl(4), ipmon(8), ipnat(8), ipnat(4),
-
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc
deleted file mode 100644
index 72534a7..0000000
--- a/contrib/ipfilter/man/ipfilter.4.mandoc
+++ /dev/null
@@ -1,267 +0,0 @@
-.Dd December 8, 2000
-.Dt IP\ FILTER 4
-.Os
-.Sh NAME
-.Nm IP Filter
-.Nd Introduction to IP packet filtering
-.Sh DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.Sh FEATURES
-The IP packet filter can:
-.Bl -bullet -offset indent -compact
-.It
-explicitly deny/permit any packet from passing through
-.It
-distinguish between various interfaces
-.It
-filter by IP networks or hosts
-.It
-selectively filter any IP protocol
-.It
-selectively filter fragmented IP packets
-.It
-selectively filter packets with IP options
-.It
-send back an ICMP error/TCP reset for blocked packets
-.It
-keep packet state information for TCP, UDP and ICMP packet flows
-.It
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.It
-act as a Network Address Translator (NAT)
-.It
-use redirection to setup true transparent proxy connections
-.It
-provide packet header details to a user program for authentication
-.It
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.El
-.Pp
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.Bl -bullet -offset indent -compact
-.It
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.It
-ICMP packets by type/code
-.It
-"established" TCP packets
-.It
-On any arbitrary combination of TCP flags
-.It
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.El
-.Pp
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.Bl -bullet -offset indent -compact
-.It
-the TCP/UDP/ICMP and IP packet headers
-.It
-the first 128 bytes of the packet (including headers)
-.El
-.Pp
-A packet can be logged when:
-.Bl -bullet -offset indent -compact
-.It
-it is successfully passed through
-.It
-it is blocked from passing through
-.It
-it matches a rule setup to look for suspicious packets
-.El
-.Pp
-IP Filter keeps its own set of statistics on:
-.Bl -bullet -offset indent -compact
-.It
-packets blocked
-.It
-packets (and bytes!) used for accounting
-.It
-packets passed
-.li
-packets logged
-.It
-attempts to log which failed (buffer full)
-.El
-and much more, for packets going both in and out.
-
-.Sh Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.Pp
-.Xr ipf 8
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in
-.Xr ipf 5 .
-.Pp
-.Xr ipfs 8
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.Pp
-.Xr ipfstat 8
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.Pp
-.Xr ipftest 1
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.Pp
-.Xr ipmon 8
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.Bl -bullet -offset indent -compact
-.It
-screen (standard output)
-.It
-file
-.It
-syslog
-.El
-.Pp
-.Xr ipsend 1
-generates arbitary IP packets for ethernet connected machines.
-.Pp
-.Xr ipresend 1
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.Pp
-.Xr iptest 1
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.Pp
-.Xr ipnat 8
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
-.Xr ipnat 5 .
-.Pp
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in
-.Xr ipf 4 .
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in
-.Xr ipnat 4 .
-
-.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.Pp
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.Sh MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.Sh SEE ALSO
-.Xr ipf 4 ,
-.Xr ipf 5 ,
-.Xr ipf 8 ,
-.Xr ipfilter 5 ,
-.Xr ipfs 8 ,
-.Xr ipfstat 8 ,
-.Xr ipftest 1 ,
-.Xr ipl 4 ,
-.Xr ipmon 8 ,
-.Xr ipnat 4 ,
-.Xr ipnat 8 ,
-
diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5
deleted file mode 100644
index 0bba0f4..0000000
--- a/contrib/ipfilter/man/ipfilter.5
+++ /dev/null
@@ -1,10 +0,0 @@
-.TH IPFILTER 1
-.SH NAME
-IP Filter
-.SH DESCRIPTION
-.PP
-IP Filter is a package providing packet filtering capabilities for a variety
-of operating systems. On a properly setup system, it can be used to build a
-firewall.
-.SH SEE ALSO
-ipf(8), ipf(1), ipf(5), ipnat(8), ipnat(5), mkfilters(1)
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
deleted file mode 100644
index d5bf460..0000000
--- a/contrib/ipfilter/man/ipfs.8
+++ /dev/null
@@ -1,125 +0,0 @@
-.TH IPFS 8
-.SH NAME
-ipfs \- saves and restores information for NAT and state tables.
-.SH SYNOPSIS
-.B ipfs
-[-nv] -l
-.PP
-.B ipfs
-[-nv] -u
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -R
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -W
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -r
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -w
-.PP
-.B ipfs
-[-nNSv]
-.B \-f
-<\fIfilename\fP>
-.B \-i
-<if1>,<if2>
-.SH DESCRIPTION
-.PP
-\fBipfs\fP allows state information created for NAT entries and rules using
-\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
-allowing for the system to experience a reboot, followed by the restoration
-of that information, resulting in connections not being interrupted.
-.SH OPTIONS
-.TP
-.B \-d
-Change the default directory used with
-.B \-R
-and
-.B \-W
-options for saving state information.
-.TP
-.B \-n
-Don't actually take any action that would affect information stored in
-the kernel or on disk.
-.TP
-.B \-v
-Provides a verbose description of what's being done.
-.TP
-.B \-i <ifname1>,<ifname2>
-Change all instances of interface name ifname1 in the state save file to
-ifname2. Useful if you're restoring state information after a hardware
-reconfiguration or change.
-.TP
-.B \-N
-Operate on NAT information.
-.TP
-.B \-S
-Operate on filtering state information.
-.TP
-.B \-u
-Unlock state tables in the kernel.
-.TP
-.B \-l
-Lock state tables in the kernel.
-.TP
-.B \-r
-Read information in from the specified file and load it into the
-kernel. This requires the state tables to have already been locked
-and does not change the lock once complete.
-.TP
-.B \-w
-Write information out to the specified file and from the kernel.
-This requires the state tables to have already been locked
-and does not change the lock once complete.
-.TP
-.B \-R
-Restores all saved state information, if any, from two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified by the
-.B \-d
-option. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.TP
-.B \-W
-Saves in-kernel state information, if any, out to two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified by the
-.B \-d
-option. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.DT
-.SH FILES
-/var/db/ipf/ipstate.ipf
-.br
-/var/db/ipf/ipnat.ipf
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/dev/ipnat
-.SH SEE ALSO
-ipf(8), ipl(4), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Perhaps the -W and -R operations should set the locking but rather than
-undo it, restore it to what it was previously. Fragment table information
-is currently not saved.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
deleted file mode 100644
index 95cf6f3..0000000
--- a/contrib/ipfilter/man/ipfstat.8
+++ /dev/null
@@ -1,193 +0,0 @@
-.TH ipfstat 8
-.SH NAME
-ipfstat \- reports on packet filter statistics and filter list
-.SH SYNOPSIS
-.B ipfstat
-[
-.B \-6aAdfghIilnoRsv
-]
-.br
-.B ipfstat -t
-[
-.B \-6C
-] [
-.B \-D
-<addrport>
-] [
-.B \-P
-<protocol>
-] [
-.B \-S
-<addrport>
-] [
-.B \-T
-<refresh time>
-]
-.SH DESCRIPTION
-\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
-\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
-To run and work, it needs to be able to read both /dev/kmem and the
-kernel itself. The kernel name defaults to \fB/vmunix\fP.
-.PP
-The default behaviour of \fBipfstat\fP
-is to retrieve and display the accumulated statistics which have been
-accumulated over time as the kernel has put packets through the filter.
-.SH OPTIONS
-.TP
-.B \-6
-Display filter lists and states for IPv6, if available.
-.TP
-.B \-a
-Display the accounting filter list and show bytes counted against each rule.
-.TP
-.B \-A
-Display packet authentication statistics.
-.TP
-.B \-C
-This option is only valid in combination with \fB\-t\fP.
-Display "closed" states as well in the top. Normally, a TCP connection is
-not displayed when it reaches the CLOSE_WAIT protocol state. With this
-option enabled, all state entries are displayed.
-.TP
-.BR \-d
-Produce debugging output when displaying data.
-.TP
-.BR \-D \0<addrport>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries whose destination IP address and port
-match the addrport argument. The addrport specification is of the form
-ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
-option is not specified, it defaults to "\fB\-D\fP any,any".
-.TP
-.B \-f
-Show fragment state information (statistics) and held state information (in
-the kernel) if any is present.
-.TP
-.B \-g
-Show groups currently configured (both active and inactive).
-.TP
-.B \-h
-Show per-rule the number of times each one scores a "hit". For use in
-combination with \fB\-i\fP.
-.TP
-.B \-i
-Display the filter list used for the input side of the kernel IP processing.
-.TP
-.B \-I
-Swap between retrieving "inactive"/"active" filter list details. For use
-in combination with \fB\-i\fP.
-.TP
-.B \-n
-Show the "rule number" for each rule as it is printed.
-.TP
-.B \-o
-Display the filter list used for the output side of the kernel IP processing.
-.TP
-.BR \-P \0<protocol>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries that match a specific protocol. The
-argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a
-protocol number. If this option is not specified, state entries for any
-protocol are specified.
-.TP
-.BR \-R
-Don't try to resolve addresses to hostnames and ports to services while
-printing statistics.
-.TP
-.B \-s
-Show packet/flow state information (statistics only).
-.TP
-.B \-sl
-Show held state information (in the kernel) if any is present (no statistics).
-.TP
-.BR \-S \0<addrport>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries whose source IP address and port match
-the addrport argument. The addrport specification is of the form
-ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any IP address resp. any port). If the \fB\-S\fP
-option is not specified, it defaults to "\fB\-S\fP any,any".
-.TP
-.B \-t
-Show the state table in a way similar to the way \fBtop(1)\fP shows the process
-table. States can be sorted using a number of different ways. This option
-requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on
-all operating systems. See below, for more information on the keys that can
-be used while ipfstat is in top mode.
-.TP
-.BR \-T \0<refreshtime>
-This option is only valid in combination with \fB\-t\fP. Specifies how often
-the state top display should be updated. The refresh time is the number of
-seconds between an update. Any positive integer can be used. The default (and
-minimal update time) is 1.
-.TP
-.B \-v
-Turn verbose mode on. Displays more debugging information. When used with
-either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the
-number of times it has been matched and the number of bytes from such packets
-is displayed. For "keep state" rules, a count of the number of state sessions
-active against the rule is also displayed.
-.SH SYNOPSIS
-The role of \fBipfstat\fP is to display current kernel statistics gathered
-as a result of applying the filters in place (if any) to packets going in and
-out of the kernel. This is the default operation when no command line
-parameters are present.
-.PP
-When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
-the appropriate list of filter rules currently installed and in use by the
-kernel.
-.PP
-One of the statistics that \fBipfstat\fP shows is \fBticks\fP.
-This number indicates how long the filter has been enabled.
-The number is incremented every half\-second.
-.SH STATE TOP
-Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
-this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
-command line options can be used to restrict the state entries that will be
-shown and to specify the frequency of display updates.
-.PP
-In state top mode, the following keys can be used to influence the displayed
-information:
-.TP
-\fBb\fP show packets/bytes from backward direction.
-.TP
-\fBf\fP show packets/bytes from forward direction. (default)
-.TP
-\fBl\fP redraw the screen.
-.TP
-\fBq\fP quit the program.
-.TP
-\fBs\fP switch between different sorting criterion.
-.TP
-\fBr\fP reverse the sorting criterion.
-.PP
-States can be sorted by protocol number, by number of IP packets, by number
-of bytes and by time-to-live of the state entry. The default is to sort by
-the number of bytes. States are sorted in descending order, but you can use
-the \fBr\fP key to sort them in ascending order.
-.SH STATE TOP LIMITATIONS
-It is currently not possible to interactively change the source, destination
-and protocol filters or the refresh frequency. This must be done from the
-command line.
-.PP
-The screen must have at least 80 columns. This is however not checked.
-When running state top in IPv6 mode, the screen must be much wider to display
-the very long IPv6 addresses.
-.PP
-Only the first X-5 entries that match the sort and filter criteria are
-displayed (where X is the number of rows on the display. The only way to see
-more entries is to resize the screen.
-.SH FILES
-/dev/kmem
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/vmunix
-.SH SEE ALSO
-ipf(8)
-.SH BUGS
-none known.
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
deleted file mode 100644
index 5153687..0000000
--- a/contrib/ipfilter/man/ipftest.1
+++ /dev/null
@@ -1,205 +0,0 @@
-.TH ipftest 1
-.SH NAME
-ipftest \- test packet filter rules with arbitrary input.
-.SH SYNOPSIS
-.B ipftest
-[
-.B \-6bCdDoRvx
-] [
-.B \-F
-input-format
-] [
-.B \-i
-<filename>
-] [
-.B \-I
-interface
-] [
-.B \-l
-<filename>
-] [
-.B \-N
-<filename>
-] [
-.B \-P
-<filename>
-] [
-.B \-r
-<filename>
-] [
-.B \-S
-<ip_address>
-] [
-.B \-T
-<optionlist>
-]
-.SH DESCRIPTION
-.PP
-\fBipftest\fP is provided for the purpose of being able to test a set of
-filter rules without having to put them in place, in operation and proceed
-to test their effectiveness. The hope is that this minimises disruptions
-in providing a secure IP environment.
-.PP
-\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP,
-\fBipnat\fP and/or \fBippool\fP
-and apply input, returning output as to the result. However, \fBipftest\fP
-will return one of three values for packets passed through the filter:
-pass, block or nomatch. This is intended to give the operator a better
-idea of what is happening with packets passing through their filter
-ruleset.
-.PP
-At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified.
-.SH OPTIONS
-.TP
-.B \-6
-Use IPv6.
-.TP
-.B \-b
-Cause the output to be a brief summary (one-word) of the result of passing
-the packet through the filter; either "pass", "block" or "nomatch".
-This is used in the regression testing.
-.TP
-.B \-C
-Force the checksums to be (re)calculated for all packets being input into
-\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
-fed in where there are partial checksums present due to hardware offloading.
-.TP
-.B \-d
-Turn on filter rule debugging. Currently, this only shows you what caused
-the rule to not match in the IP header checking (addresses/netmasks, etc).
-.TP
-.B \-D
-Dump internal tables before exiting.
-This excludes log messages.
-.TP
-.B \-F
-This option is used to select which input format the input file is in.
-The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text.
-.RS
-.TP
-.B etherfind
-The input file is to be text output from etherfind. The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
-.PP
-.nf
- etherfind -n
- etherfind -n -t
-.fi
-.TP
-.B hex
-The input file is to be hex digits, representing the binary makeup of the
-packet. No length correction is made, if an incorrect length is put in
-the IP header. A packet may be broken up over several lines of hex digits,
-a blank line indicating the end of the packet. It is possible to specify
-both the interface name and direction of the packet (for filtering purposes)
-at the start of the line using this format: [direction,interface] To define
-a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
-and part of the input syntax.
-.HP
-.B pcap
-The input file specified by \fB\-i\fP is a binary file produced using libpcap
-(i.e., tcpdump version 3). Packets are read from this file as being input
-(for rule purposes). An interface maybe specified using \fB\-I\fP.
-.TP
-.B snoop
-The input file is to be in "snoop" format (see RFC 1761). Packets are read
-from this file and used as input from any interface. This is perhaps the
-most useful input type, currently.
-.TP
-.B tcpdump
-The input file is to be text output from tcpdump. The text formats which
-are currently supported are those which result from the following tcpdump
-option combinations:
-.PP
-.nf
- tcpdump -n
- tcpdump -nq
- tcpdump -nqt
- tcpdump -nqtt
- tcpdump -nqte
-.fi
-.TP
-.B text
-The input file is in \fBipftest\fP text input format.
-This is the default if no \fB\-F\fP argument is specified.
-The format used is as follows:
-.nf
- "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
- srchost[,srcport] dsthost[,destport] [FSRPAU]
-.fi
-.PP
-This allows for a packet going "in" or "out" of an interface (if) to be
-generated, being one of the three main protocols (optionally), and if
-either TCP or UDP, a port parameter is also expected. If TCP is selected,
-it is possible to (optionally) supply TCP flags at the end. Some examples
-are:
-.nf
- # a UDP packet coming in on le0
- in on le0 udp 10.1.1.1,2210 10.2.1.5,23
- # an IP packet coming in on le0 from localhost - hmm :)
- in on le0 localhost 10.4.12.1
- # a TCP packet going out of le0 with the SYN flag set.
- out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
-.fi
-.LP
-.RE
-.DT
-.TP
-.BR \-i \0<filename>
-Specify the filename from which to take input. Default is stdin.
-.TP
-.BR \-I \0<interface>
-Set the interface name (used in rule matching) to be the name supplied.
-This is useful where it is
-not otherwise possible to associate a packet with an interface. Normal
-"text packets" can override this setting.
-.TP
-.BR \-l \0<filename>
-Dump log messages generated during testing to the specified file.
-.TP
-.BR \-N \0<filename>
-Specify the filename from which to read NAT rules in \fBipnat\fP(5) format.
-.TP
-.B \-o
-Save output packets that would have been written to each interface in
-a file /tmp/\fIinterface_name\fP in raw format.
-.TP
-.BR \-P \0<filename>
-Read IP pool configuration information in \fBippool\fP(5) format from the
-specified file.
-.TP
-.BR \-r \0<filename>
-Specify the filename from which to read filter rules in \fBipf\fP(5) format.
-.TP
-.B \-R
-Don't attempt to convert IP addresses to hostnames.
-.TP
-.BR \-S \0<ip_address>
-The IP address specifived with this option is used by ipftest to determine
-whether a packet should be treated as "input" or "output". If the source
-address in an IP packet matches then it is considered to be inbound. If it
-does not match then it is considered to be outbound. This is primarily
-for use with tcpdump (pcap) files where there is no in/out information
-saved with each packet.
-.TP
-.BR \-T \0<optionlist>
-This option simulates the run-time changing of IPFilter kernel variables
-available with the \fB\-T\fP option of \fBipf\fP.
-The optionlist parameter is a comma separated list of tuning
-commands. A tuning command is either "list" (retrieve a list of all variables
-in the kernel, their maximum, minimum and current value), a single variable
-name (retrieve its current value) and a variable name with a following
-assignment to set a new value. See \fBipf\fP(8) for examples.
-.TP
-.B \-v
-Verbose mode. This provides more information about which parts of rule
-matching the input packet passes and fails.
-.TP
-.B \-x
-Print a hex dump of each packet before printing the decoded contents.
-.SH SEE ALSO
-ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
-.SH BUGS
-Not all of the input formats are sufficiently capable of introducing a
-wide enough variety of packets for them to be all useful in testing.
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
deleted file mode 100644
index d8106cc..0000000
--- a/contrib/ipfilter/man/ipl.4
+++ /dev/null
@@ -1,79 +0,0 @@
-.TH IPL 4
-.SH NAME
-ipl \- IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options \- TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header. If the log reader
-is busy or otherwise unable to read log records, up to IPLLOGSIZE (8192 is the
-default) bytes of data are stored.
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_long ipl_sec;
- u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
- u_char fl_ifname[IFNAMSIZ];
-#else
- u_int fl_unit;
- u_char fl_ifname[4];
-#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_rule; /* assume never more than 64k rules, total */
- u_32_t fl_flags;
-} ipflog_t;
-
-.fi
-.PP
-When reading from the \fBipl\fP device, it is necessary to call read(2) with
-a buffer big enough to hold at least 1 complete log record - reading of partial
-log records is not supported.
-.PP
-If the packet contents are more than 128 bytes when \fBlog body\fP is used,
-then only 128 bytes of the packet contents are logged.
-.PP
-Although it is only possible to read from the \fBipl\fP device, opening it
-for writing is required when using an ioctl which changes any kernel data.
-.PP
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The ioctls which are for use with logging and don't affect the filter are:
-.LP
-.nf
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, FIONREAD, int *)
-.fi
-.PP
-The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
-flushed. FIONREAD returns the number of bytes currently used for storing
-log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
-available and FIONREAD will return but not do anything.
-.PP
-There is currently no support for non-blocking IO with this device, meaning
-all read operations should be considered blocking in nature (if there is no
-data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4)
-.SH BUGS
-Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl0
diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5
deleted file mode 100644
index 2e3eebd..0000000
--- a/contrib/ipfilter/man/ipmon.5
+++ /dev/null
@@ -1,67 +0,0 @@
-.TH IPMON 5
-.SH NAME
-ipmon, ipmon.conf \- ipmon configuration file format
-.SH DESCRIPTION
-The format for files accepted by ipmon is described by the following grammar:
-.LP
-.nf
-"match" "{" matchlist "}" "do" "{" doing "}" ";"
-
-matchlist ::= matching [ "," matching ] .
-matching ::= direction | dstip | dstport | every | group | interface |
- logtag | nattag | protocol | result | rule | srcip | srcport .
-
-dolist ::= doing [ "," doing ] .
-doing ::= execute | save | syslog .
-
-direction ::= "in" | "out" .
-dstip ::= "dstip" "=" ipv4 "/" number .
-dstport ::= "dstport" "=" number .
-every ::= "every" every-options .
-execute ::= "execute" "=" string .
-group ::= "group" "=" string | "group" "=" number .
-interface ::= "interface" "=" string .
-logtag ::= "logtag" "=" string | "logtag" "=" number .
-nattag ::= "nattag" "=" string .
-protocol ::= "protocol" "=" string | "protocol" "=" number .
-result ::= "result" "=" result-option .
-rule ::= "rule" "=" number .
-srcip ::= "srcip" "=" ipv4 "/" number .
-srcport ::= "srcport" "=" number .
-type ::= "type" "=" ipftype .
-ipv4 ::= number "." number "." number "." number .
-
-every-options ::= "second" | number "seconds" | "packet" | number "packets" .
-result-option ::= "pass" | "block" | "short" | "nomatch" | "log" .
-ipftype ::= "ipf" | "nat" | "state" .
-
-.fi
-.PP
-In addition, lines that start with a # are considered to be comments.
-.TP
-.SH OVERVIEW
-.PP
-The ipmon configuration file is used for defining rules to be executed when
-logging records are read from
-.B /dev/ipl.
-.PP
-At present, only IPv4 matching is available for source/destination address
-matching.
-.SH MATCHING
-.PP
-Each rule for ipmon consists of two primary segments: the first describes how
-the log record is to be matched, the second defines what action to take if
-there is a positive match. All entries of the rules present in the file are
-compared for matches - there is no first or last rule match.
-.SH FILES
-/dev/ipl
-.br
-/dev/ipf
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.br
-/etc/ipmon.conf
-.SH SEE ALSO
-ipmon(8), ipl(4)
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
deleted file mode 100644
index 905a9c8..0000000
--- a/contrib/ipfilter/man/ipmon.8
+++ /dev/null
@@ -1,185 +0,0 @@
-.TH ipmon 8
-.SH NAME
-ipmon \- monitors /dev/ipl for logged packets
-.SH SYNOPSIS
-.B ipmon
-[
-.B \-abBDFhnpstvxX
-] [
-.B "\-N <device>"
-] [
-.B "\-L <facility>"
-] [
-.B "\-o [NSI]"
-] [
-.B "\-O [NSI]"
-] [
-.B "\-P <pidfile>"
-] [
-.B "\-S <device>"
-] [
-.B "\-f <device>"
-] [
-.B <filename>
-]
-.SH DESCRIPTION
-.LP
-\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
-the packet filter. The binary data read from the device is reprinted in
-human readable for, however, IP#'s are not mapped back to hostnames, nor are
-ports mapped back to service names. The output goes to standard output by
-default or a filename, if given on the command line. Should the \fB\-s\fP
-option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
-via syslog have the day, month and year removed from the message, but the
-time (including microseconds), as recorded in the log, is still included.
-.LP
-Messages generated by ipmon consist of whitespace separated fields.
-Fields common to all messages are:
-.LP
-1. The date of packet receipt. This is suppressed when the message is
-sent to syslog.
-.LP
-2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
-minutes seconds, and fractions of a second (which can be several digits
-long).
-.LP
-3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
-.LP
-4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
-viewed with \fBipfstat -n\fP.
-.LP
-5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
-packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
-.LP
-6. The addresses.
-This is actually three fields: the source address and port
-(separated by a comma), the \fB->\fP symbol, and the destination address
-and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
-.LP
-7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
-.LP
-8. \fBlen\fP followed by the header length and total length of the packet,
-e.g., \fBlen 20 40\fP.
-.LP
-If the packet is a TCP packet, there will be an additional field starting
-with a hyphen followed by letters corresponding to any flags that were set.
-See the ipf.conf manual page for a list of letters and their flags.
-.LP
-If the packet is an ICMP packet, there will be two fields at the end,
-the first always being `icmp', and the next being the ICMP message and
-submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
-unreachable message.
-.LP
-In order for \fBipmon\fP to properly work, the kernel option
-\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
-\fBoptions(4)\fP for more details.
-.LP
-\fBipmon\fP reopens its log file(s) and rereads its configuration file
-when it receives a SIGHUP signal.
-.SH OPTIONS
-.TP
-.B \-a
-Open all of the device logfiles for reading log entries from. All entries
-are displayed to the same output 'device' (stderr or syslog).
-.TP
-.B \-b
-For rules which log the body of a packet, generate hex output representing
-the packet contents after the headers.
-.TP
-.B \-B <binarylogfilename>
-Enable logging of the raw, unformatted binary data to the specified
-\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP
-with the \fB-f\fP option.
-.TP
-.B \-D
-Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
-of ipmon is not required to turn it into an orphan so it can run indefinitely.
-.TP
-.B "\-f <device>"
-specify an alternative device/file from which to read the log information
-for normal IP Filter log records.
-.TP
-.B \-F
-Flush the current packet log buffer. The number of bytes flushed is displayed,
-even should the result be zero.
-.TP
-.B \-L <facility>
-Using this option allows you to change the default syslog facility that
-ipmon uses for syslog messages. The default is local0.
-.TP
-.B \-n
-IP addresses and port numbers will be mapped, where possible, back into
-hostnames and service names.
-.TP
-.B "\-N <device>"
-Set the logfile to be opened for reading NAT log records from to <device>.
-.TP
-.B \-o
-Specify which log files to actually read data from. N - NAT logfile,
-S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is
-equivalent to using \fB-o NSI\fP.
-.TP
-.B \-O
-Specify which log files you do not wish to read from. This is most sensibly
-used with the \fB-a\fP. Letters available as parameters to this are the same
-as for \fB-o\fP.
-.TP
-.B \-p
-Cause the port number in log messages to always be printed as a number and
-never attempt to look it up as from \fI/etc/services\fP, etc.
-.TP
-.B \-P <pidfile>
-Write the pid of the ipmon process to a file. By default this is
-\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD
-or later) or \fI/etc/ipmon.pid\fP for all others.
-.TP
-.B \-s
-Packet information read in will be sent through syslogd rather than
-saved to a file. The default facility when compiled and installed is
-\fBlocal0\fP. The following levels are used:
-.IP
-.B LOG_INFO
-\- packets logged using the "log" keyword as the action rather
-than pass or block.
-.IP
-.B LOG_NOTICE
-\- packets logged which are also passed
-.IP
-.B LOG_WARNING
-\- packets logged which are also blocked
-.IP
-.B LOG_ERR
-\- packets which have been logged and which can be considered
-"short".
-.TP
-.B "\-S <device>"
-Set the logfile to be opened for reading state log records from to <device>.
-.TP
-.B \-t
-read the input file/device in a manner akin to tail(1).
-.TP
-.B \-v
-show tcp window, ack and sequence fields.
-.TP
-.B \-x
-show the packet data in hex.
-.TP
-.B \-X
-show the log header record data in hex.
-.SH DIAGNOSTICS
-\fBipmon\fP expects data that it reads to be consistent with how it should be
-saved and will abort if it fails an assertion which detects an anomaly in the
-recorded data.
-.SH FILES
-/dev/ipl
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.br
-/etc/services
-.SH SEE ALSO
-ipl(4), ipf(8), ipfstat(8), ipnat(8)
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
deleted file mode 100644
index f241415..0000000
--- a/contrib/ipfilter/man/ipnat.1
+++ /dev/null
@@ -1,48 +0,0 @@
-.TH IPNAT 1
-.SH NAME
-ipnat \- user interface to the NAT
-.SH SYNOPSIS
-.B ipnat
-[
-.B \-lnrsvCF
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the IP NAT.
-.PP
-Each rule processed by \fBipnat\fP
-is added to the kernels internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipnat\fP.
-.SH OPTIONS
-.TP
-.B \-C
-delete all entries in the current NAT rule listing (NAT rules)
-.TP
-.B \-F
-delete all active entries in the current NAT translation table (currently
-active NAT mappings)
-.TP
-.B \-l
-Show the list of current NAT table entry mappings.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-s
-Retrieve and display NAT statistics
-.TP
-.B \-r
-Remove matching NAT rules rather than add them to the internal lists
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing
-and active rules/table entries.
-.DT
-.SH FILES
-/dev/ipnat
-.SH SEE ALSO
-ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
deleted file mode 100644
index 54f55d3..0000000
--- a/contrib/ipfilter/man/ipnat.4
+++ /dev/null
@@ -1,98 +0,0 @@
-.TH IPNAT 4
-.SH NAME
-ipnat \- Network Address Translation kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.br
-#include <netinet/ip_proxy.h>
-.br
-#include <netinet/ip_nat.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the NAT list, two 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADNAT, struct ipnat **)
- ioctl(fd, SIOCRMNAT, struct ipnat **)
- ioctl(fd, SIOCGNATS, struct natstat **)
- ioctl(fd, SIOCGNATL, struct natlookup **)
-.fi
-.PP
-Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT
-interface. An inactive list which can be swapped to is not currently
-supported.
-
-These ioctl's are implemented as being routing ioctls and thus the same rules
-for the various routing ioctls and the file descriptor are employed, mainly
-being that the fd must be that of the device associated with the module
-(i.e., /dev/ipl).
-.LP
-.PP
-The structure used with the NAT interface is described below:
-.LP
-.nf
-typedef struct ipnat {
- struct ipnat *in_next;
- void *in_ifp;
- u_short in_flags;
- u_short in_pnext;
- u_short in_port[2];
- struct in_addr in_in[2];
- struct in_addr in_out[2];
- struct in_addr in_nextip;
- int in_space;
- int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
- char in_ifname[IFNAMSIZ];
-} ipnat_t;
-
-#define in_pmin in_port[0] /* Also holds static redir port */
-#define in_pmax in_port[1]
-#define in_nip in_nextip.s_addr
-#define in_inip in_in[0].s_addr
-#define in_inmsk in_in[1].s_addr
-#define in_outip in_out[0].s_addr
-#define in_outmsk in_out[1].s_addr
-
-.fi
-.PP
-Recognised values for in_redir:
-.LP
-.nf
-#define NAT_MAP 0
-#define NAT_REDIRECT 1
-.fi
-.PP
-.LP
-\fBNAT statistics\fP
-Statistics on the number of packets mapped, going in and out are kept,
-the number of times a new entry is added and deleted (through expiration) to
-the NAT table and the current usage level of the NAT table.
-.PP
-Pointers to the NAT table inside the kernel, as well as to the top of the
-internal NAT lists constructed with the \fBSIOCADNAT\fP ioctls. The table
-itself is a hash table of size NAT_SIZE (default size is 367).
-.PP
-To retrieve the statistics, the \fBSIOCGNATS\fP ioctl must be used, with
-the appropriate structure passed by reference, as follows:
-.nf
- ioctl(fd, SIOCGNATS, struct natstat *)
-
-typedef struct natstat {
- u_long ns_mapped[2];
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- nat_t ***ns_table;
- ipnat_t *ns_list;
-} natstat_t;
-.fi
-.SH BUGS
-It would be nice if there were more flexibility when adding and deleting
-filter rules.
-.SH FILES
-/dev/ipnat
-.SH SEE ALSO
-ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
deleted file mode 100644
index 2d76a46..0000000
--- a/contrib/ipfilter/man/ipnat.5
+++ /dev/null
@@ -1,293 +0,0 @@
-.TH IPNAT 5
-.SH NAME
-ipnat, ipnat.conf \- IP NAT file format
-.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
-.LP
-.nf
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
- mapoptions .
-mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
-
-lhs ::= ipmask | fromto .
-rlhs ::= ipmask dport | fromto .
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-rdrport ::= "port" portnum .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-dstipmask ::= ipmask | "range" ip "-" ip .
-mapicmp ::= "icmpidmap" "icmp" number ":" number .
-mapport ::= "portmap" tcpudp portspec .
-mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
-rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
-
-object :: = addr [ port-comp | port-range ] .
-addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp :: = "port" compare port-num .
-port-range :: = "port" port-num range port-num .
-rdrproto ::= tcpudp | protocol .
-
-rr ::= "round-robin" .
-age ::= "age" decnumber [ "/" decnumber ] .
-clamp ::= "mssclamp" decnumber .
-tcpudp ::= "tcp/udp" | protocol .
-mapproxy ::= "proxy" "port" port proxy-name '/' protocol
-rdrproxy ::= "proxy" proxy-name .
-
-protocol ::= protocol-name | decnumber .
-nummask ::= host-name [ "/" decnumber ] .
-portspec ::= "auto" | portnumber ":" portnumber .
-port ::= portnumber | port-name .
-portnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
-.fi
-.PP
-For standard NAT functionality, a rule should start with \fBmap\fP and then
-proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
-.PP
-Packets which will be rewritten can only be selected by matching the original
-source address. A netmask must be specified with the IP address.
-.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair. A netmask of all 1's indicating a hostname is valid. A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
-.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number. Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are four commands recognised by IP Filter's NAT code:
-.TP
-.B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
-.TP
-.B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
-.TP
-.B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
-.TP
-.B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
-.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered. The packet
-\fImatching\fP part of the rule is to the left of the "->" in each rule.
-.PP
-Matching of packets has now been extended to allow more complex compares.
-In place of the address which is to be translated, an IP address and port
-number comparison can be made using the same expressions available with
-\fBipf\fP. A simple NAT rule could be written as:
-.LP
-.nf
-map de0 10.1.0.0/16 -> 201.2.3.4/32
-.fi
-.LP
-or as
-.LP
-.nf
-map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
-.fi
-.LP
-Only IP address and port numbers can be compared against. This is available
-with all NAT rules.
-.SH TRANSLATION
-.PP
-To the right of the "->" is the address and port specification which will be
-written into the packet providing it has already successfully matched the
-prior constraints. The case of redirections (\fBrdr\fP) is the simplest:
-the new destination address is that specified in the rule. For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique. If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too. If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask. If a unique tuple cannot be determined, then
-the packet will not be translated. The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its allotted range.
-.SH ICMPIDMAP
-.PP
-ICMP messages can be divided into two groups: "errors" and "queries". ICMP
-errors are generated as a response of another IP packet. IP Filter will take
-care that ICMP errors that are the response of a NAT-ed IP packet are
-handled properly.
-.PP
-For 4 types of ICMP queries (echo request, timestamp request, information
-request and address mask request) IP Filter supports an additional mapping
-called "ICMP id mapping". All these 4 types of ICMP queries use a unique
-identifier called the ICMP id. This id is set by the process sending the
-ICMP query and it is usually equal to the process id. The receiver of the
-ICMP query will use the same id in its response, thus enabling the
-sender to recognize that the incoming ICMP reply is intended for him and is
-an answer to a query that he made. The "ICMP id mapping" feature modifies
-these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
-.PP
-The reason that you might want this, is that using this feature you don't
-need an IP address per host behind the NAT box, that wants to do ICMP queries.
-The two numbers behind the \fBicmpidmap\fP keyword are the first and the
-last icmp id number that can be used. There is one important caveat: if you
-map to an IP address that belongs to the NAT box itself (notably if you have
-only a single public IP address), then you must ensure that the NAT box does
-not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
-Since the ICMP id is usually the process id, it is wise to restrict the
-largest permittable process id (PID) on your operating system to e.g. 63999 and
-use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is
-system dependent. For most BSD derived systems can be done by changing
-PID_MAX in /usr/include/sys/proc.h and then rebuild the system.
-.SH KERNEL PROXIES
-.PP
-IP Filter comes with a few, simple, proxies built into the code that is loaded
-into the kernel to allow secondary channels to be opened without forcing the
-packets through a user program. The current state of the proxies is listed
-below, as one of three states:
-.HP
-Aging - protocol is roughly understood from
-the time at which the proxy was written but it is not well tested or
-maintained;
-.HP
-Developmental - basic functionality exists, works most of the time but
-may be problematic in extended real use;
-.HP
-Experimental - rough support for the protocol at best, may or may not
-work as testing has been at best sporadic, possible large scale changes
-to the code in order to properly support the protocol.
-.HP
-Mature - well tested, protocol is properly
-understood by the proxy;
-.PP
-The currently compiled in proxy list is as follows:
-.HP
-FTP - Mature
-.HP
-IRC - Experimental
-.HP
-rpcbind - Experimental
-.HP
-H.323 - Experimental
-.HP
-Real Audio (PNA) - Aging
-.HP
-IPsec - Developmental
-.HP
-netbios - Experimental
-.HP
-R-command - Mature
-
-.SH TRANSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH LOAD-BALANCING
-.PP
-Two options for use with \fBrdr\fP are available to support primitive,
-\fIround-robin\fP based load balancing. The first option allows for a
-\fBrdr\fP to specify a second destination, as follows:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
-.fi
-.LP
-This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
-In scenarios where the load is being spread amongst a larger set of
-servers, you can use:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
-.fi
-.LP
-In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
-and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
-the rule is removed from the top of the list and added to the end,
-automatically, as required. This will not effect the display of rules
-using "ipnat -l", only the internal application order.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and its variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space. To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-.fi
-.PP
-which falls only 527,566 `addresses' short of the space available in network
-10. If we were to combine these rules, they would need to be specified as
-follows:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed. In some instances, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8. A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252). In all cases, the new port number that is used is deterministic.
-That is, port X will always map to port Y.
-WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
-to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
-the same port number, outgoing and ultimately this will only succeed for one
-of them.
-The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernible relation between external addresses/ports
-and internal ones. This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own. As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
-/dev/ipnat
-.br
-/etc/services
-.br
-/etc/hosts
-.SH SEE ALSO
-ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
deleted file mode 100644
index 683e8f1..0000000
--- a/contrib/ipfilter/man/ipnat.8
+++ /dev/null
@@ -1,69 +0,0 @@
-.TH IPNAT 8
-.SH NAME
-ipnat \- user interface to the NAT subsystem
-.SH SYNOPSIS
-.B ipnat
-[
-.B \-dhlnrsvCF
-]
-[
-.B \-M core
-]
-[
-.B \-N system
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the IP NAT.
-.PP
-Each rule processed by \fBipnat\fP
-is added to the kernels internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipnat\fP.
-.PP
-Note that if
-\fBipf(8)\fP
-is not enabled when NAT is configured, it will be enabled
-automatically, as the same kernel facilities are used for
-NAT functionality. In addition, packet forwarding must be
-enabled.
-.SH OPTIONS
-.TP
-.B \-C
-delete all entries in the current NAT rule listing (NAT rules)
-.TP
-.B \-d
-Enable printing of some extra debugging information.
-.TP
-.B \-F
-delete all active entries in the current NAT translation table (currently
-active NAT mappings)
-.TP
-.B \-h
-Print number of hits for each MAP/Redirect filter.
-.TP
-.B \-l
-Show the list of current NAT table entry mappings.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove matching NAT rules rather than add them to the internal lists.
-.TP
-.B \-s
-Retrieve and display NAT statistics.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing
-and active rules/table entries.
-.DT
-.SH FILES
-/dev/ipnat
-.br
-/usr/share/examples/ipf Directory with examples.
-.SH SEE ALSO
-ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
deleted file mode 100644
index aeff3c8..0000000
--- a/contrib/ipfilter/man/ippool.5
+++ /dev/null
@@ -1,153 +0,0 @@
-.TH IPPOOL 5
-.SH NAME
-ippool, ippool.conf \- IP Pool file format
-.SH DESCRIPTION
-The format for files accepted by ippool is described by the following grammar:
-.LP
-.nf
-line ::= table | groupmap .
-table ::= "table" role tabletype .
-groupmap ::= "group-map" inout role number ipfgroup
-tabletype ::= ipftree | ipfhash .
-
-role ::= "role" "=" "ipf" .
-inout ::= "in" | "out" .
-
-ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
-ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .
-
-ipfgroup ::= setgroup hashopts "{" grouplist "}" |
- hashopts "{" setgrouplist "}" .
-setgroup ::= "group" "=" groupname .
-
-hashopts ::= size [ seed ] | seed .
-
-size ::= "size" number .
-seed ::= "seed" number .
-
-addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
-grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .
-
-setgrouplist ::= groupentry ";" [ setgrouplist ] .
-
-groupentry ::= addrmask "," setgroup .
-
-hashlist ::= hashentry ";" [ hashlist ] .
-hashentry ::= addrmask .
-
-addrmask ::= ipaddr | ipaddr "/" mask .
-
-mask ::= number | ipaddr .
-
-groupname ::= number | name .
-
-number ::= digit { digit } .
-
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-
-digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-name ::= letter { letter | digit } .
-.fi
-.PP
-The IP pool configuration file is used for defining a single object that
-contains a reference to multiple IP address/netmask pairs. A pool may consist
-of a mixture of netmask sizes, from 0 to 32.
-.PP
-At this point in time, only IPv4 addressing is supported.
-.TP
-.SH OVERVIEW
-.PP
-The IP pool configuration file provides for defining two different mechanisms
-for improving speed in matching IP addresses with rules.
-The first,
-.B table
-, defines a lookup
-.I table
-to provide a single reference in a
-filter rule to multiple targets and the second,
-.B group-map
-, provides a mechanism to target multiple groups from a single filter line.
-.PP
-The
-.B group-map
-command can only be used with filter rules that use the
-.B call
-command to invoke either
-.B fr_srcgrpmap
-or
-.B fr_dstgrpmap
-, to use the source or destination address,
-respectively, for determining which filter group to jump to next for
-continuation of filter packet processing.
-.SH POOL TYPES
-.PP
-Two storage formats are provided: hash tables and tree structure. The hash
-table is intended for use with objects all containing the same netmask or a
-few different sized netmasks of non-overlapping address space and the tree
-is designed for being able to support exceptions to a covering mask, in
-addition to normal searching as you would do with a table. It is not possible
-to use the tree data storage type with
-.B group-map
-configuration entries.
-.SH POOL ROLES
-.PP
-When a pool is defined in the configuration file, it must have an associated
-role. At present the only supported role is
-.B ipf.
-Future development will see futher expansion of their use by other sections
-of IPFilter code.
-.SH EXAMPLES
-The following examples show how the pool configuration file is used with
-the ipf configuration file to enhance the ability for the ipf configuration
-file to be succinct in meaning.
-.TP
-1
-The first example shows how a filter rule makes reference to a specific
-pool for matching of the source address.
-.nf
-pass in from pool/100 to any
-.fi
-.PP
-The pool configuration, which matches IP addresses 1.1.1.1 and any
-in 2.2.0.0/16, except for those in 2.2.2.0/24.
-.PP
-.nf
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
-.fi
-.TP
-2
-The following ipf.conf extract uses the
-fr_srcgrpmap/fr_dstgrpmap lookups to use the
-.B group-map
-facility to lookup the next group to use for filter processing, providing
-the
-.B call
-filter rule is matched.
-.nf
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
-pass in all group 1020
-block in all group 1030
-pass out all group 2020
-block out all group 2040
-.fi
-.PP
-A ippool configuration to work with the above ipf.conf file might
-look like this:
-.PP
-.nf
-group-map in role = ipf number = 1010
- { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
-group-map out role = ipf number = 2010 group = 2020
- { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
-.fi
-.SH FILES
-/dev/iplookup
-.br
-/etc/ippool.conf
-.br
-/etc/hosts
-.SH SEE ALSO
-ippool(8), hosts(5), ipf(5), ipf(8), ipnat(8)
diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8
deleted file mode 100644
index e27cb92..0000000
--- a/contrib/ipfilter/man/ippool.8
+++ /dev/null
@@ -1,124 +0,0 @@
-.TH IPPOOL 8
-.SH NAME
-ippool \- user interface to the IPFilter pools
-.SH SYNOPSIS
-.br
-.B ippool
--a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
-.br
-.B ippool
--A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]
-.br
-.B ippool
--f <file> [-dnuv]
-.br
-.B ippool
--F [-dv] [-o <role>] [-t <type>]
-.br
-.B ippool
--l [-dv] [-m <name>] [-t <type>]
-.br
-.B ippool
--r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
-.br
-.B ippool
--R [-dnv] [-m <name>] [-o <role>] [-t <type>]
-.br
-.B ippool
--s [-dtv] [-M <core>] [-N <namelist>]
-.SH DESCRIPTION
-.PP
-.B Ippool
-is used to manage information stored in the IP pools subsystem of IPFilter.
-Configuration file information may be parsed and loaded into the kernel,
-currently configured pools removed or changed as well as inspected.
-.PP
-The command line options used are broken into two sections: the global
-options and the instance specific options.
-.SH GLOBAL OPTIONS
-.TP
-.B \-d
-Toggle debugging of processing the configuration file.
-.TP
-.B \-n
-This flag (no-change) prevents
-.B ippool
-from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-v
-Turn verbose mode on.
-.SH COMMAND OPTIONS
-.TP
-.B -a
-Add a new data node to an existing pool in the kernel.
-.TP
-.B -A
-Add a new (empty) pool to the kernel.
-.TP
-.B -f <file>
-Read in IP pool configuration information from the file and load it into
-the kernel.
-.TP
-.B -F
-Flush loaded pools from the kernel.
-.TP
-.B -l
-Display a list of pools currently loaded into the kernel.
-.TP
-.B -r
-Remove an existing data node from a pool in the kernel.
-.TP
-.B -R
-Remove an existing pool from within the kernel.
-.TP
-.B -s
-Display IP pool statistical information.
-.SH OPTIONS
-.TP
-.B -i <ipaddr>[/<netmask>]
-Sets the IP address for the operation being undertaken with an
-all-one's mask or, optionally, a specific netmask given in either
-the dotted-quad notation or a single integer.
-.TP
-.B -m <name>
-Sets the pool name for the current operation.
-.TP
-.B -M <core>
-Specify an alternative path to /dev/kmem to retrieve statistical information
-from.
-.TP
-.B -N <namelist>
-Specify an alternative path to lookup symbol name information from when
-retrieving statistical information.
-.TP
-.B -o <role>
-Sets the role with which this pool is to be used. Currently only
-.B ipf,
-.B auth
-and
-.B count
-are accepted as arguments to this option.
-.TP
-.B -S <seed>
-Sets the hashing seed to the number specified. Only for use with
-.B hash
-type pools.
-.TP
-.B -t <type>
-Sets the type of pool being defined. Myst be one of
-.B tree,
-.B hash,
-.B group-map.
-.TP
-.B -u
-When parsing a configuration file, rather than load new pool data into the
-kernel, unload it.
-.DT
-.SH FILES
-.br
-/dev/iplookup
-.br
-/etc/ippool.conf
-.SH SEE ALSO
-ippool(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipscan.5 b/contrib/ipfilter/man/ipscan.5
deleted file mode 100644
index cc12ca3..0000000
--- a/contrib/ipfilter/man/ipscan.5
+++ /dev/null
@@ -1,50 +0,0 @@
-.TH IPSCAN 5
-.SH NAME
-ipscan, ipscan.conf \- ipscan file format
-.SH DESCRIPTION
-.PP
-WARNING: This feature is to be considered experimental and may change
-significantly until a final implementation is drawn up.
-.PP
-The format for files accept by ipscan currently follow this rough grammar:
-.LP
-.nf
-line ::= name ":" matchup [ "," matchup ] "=" action .
-matchup ::= "(" ")" | "(" literal ")" | "(" literal "," match ")" .
-action ::= result | result "else" result .
-result ::= "close" | "track" | redirect .
-redirect ::= "redirect" ip-address [ "(" "," port-number ")" ] .
-match ::= { match-char }
-match-char ::= "*" | "?" | "."
-.fi
-.PP
-In this example an ip-address is a dotted-quad IPv4 address and a port-number
-is a number betwee 1 and 65535, inclusive. The match string is must be of
-same length as the literal string that it is matching (literal). The length
-of either string is limited to 16 bytes.
-.PP
-Currently, the redirect option is not yet been implemented.
-.LP
-.nf
-#
-# * = match any character, . = exact match, ? = case insensitive
-#
-# Scan for anything that looks like HTTP and redirect it to the local
-# proxy. One catch - this feature (redirect) is not yet implemented.
-#
-http : ("GET ", "???." ) = redirect(127.0.0.1)
-#
-# Track ssh connections (i.e do nothing)
-#
-ssh : (), ("SSH-") = track
-#
-# Things which look like smtp to be tracked else closed.
-# Client can start with EHLO (ESMTP) or HELO (SMTP).
-#
-smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
-#
-.fi
-.SH FILES
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(8)
diff --git a/contrib/ipfilter/man/ipscan.8 b/contrib/ipfilter/man/ipscan.8
deleted file mode 100644
index 958c456..0000000
--- a/contrib/ipfilter/man/ipscan.8
+++ /dev/null
@@ -1,42 +0,0 @@
-.TH IPSCAN 8
-.SH NAME
-ipscan \- user interface to the IPFilter content scanning
-.SH SYNOPSIS
-.B ipscan
-[
-.B \-dlnrsv
-] [
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
-file to build up a content scanning configuration to load into the kernel.
-Currently only the first 16 bytes of a connection can be compared.
-.SH OPTIONS
-.TP
-.B \-d
-Toggle debugging of processing the configuration file.
-.TP
-.B \-l
-Show the list of currently configured content scanning entries.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipscan\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove commands from kernel configuration as they are read from the
-configuration file rather than adding new ones.
-.TP
-.B \-s
-Retrieve and display content scanning statistics
-.TP
-.B \-v
-Turn verbose mode on.
-.DT
-.SH FILES
-/dev/ipscan
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(5), ipf(8)
diff --git a/contrib/ipfilter/man/man.sed b/contrib/ipfilter/man/man.sed
deleted file mode 100644
index 0be8dab..0000000
--- a/contrib/ipfilter/man/man.sed
+++ /dev/null
@@ -1 +0,0 @@
-DF . Ä..– CVSD~MakefileDipf.1D€ipf.4Dipf.5D‚
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
deleted file mode 100644
index b5fd9dc..0000000
--- a/contrib/ipfilter/man/mkfilters.1
+++ /dev/null
@@ -1,12 +0,0 @@
-.TH MKFILTERS 1
-.SH NAME
-mkfilters \- generate a minimal firewall ruleset for ipfilter
-.SH SYNOPSIS
-.B mkfilters
-.SH DESCRIPTION
-.PP
-\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
-use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
-.DT
-.SH SEE ALSO
-ipf(8), ipf(5), ipfilter(5), ifconfig(8)
diff --git a/contrib/ipfilter/md5.c b/contrib/ipfilter/md5.c
deleted file mode 100644
index c46a957..0000000
--- a/contrib/ipfilter/md5.c
+++ /dev/null
@@ -1,312 +0,0 @@
-
-
-/*
- ***********************************************************************
- ** md5.c -- the source code for MD5 routines **
- ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
- ** Created: 2/17/90 RLR **
- ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
- ***********************************************************************
- */
-
-/*
- ***********************************************************************
- ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
- ** **
- ** License to copy and use this software is granted provided that **
- ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
- ** Digest Algorithm" in all material mentioning or referencing this **
- ** software or this function. **
- ** **
- ** License is also granted to make and use derivative works **
- ** provided that such works are identified as "derived from the RSA **
- ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
- ** material mentioning or referencing the derived work. **
- ** **
- ** RSA Data Security, Inc. makes no representations concerning **
- ** either the merchantability of this software or the suitability **
- ** of this software for any particular purpose. It is provided "as **
- ** is" without express or implied warranty of any kind. **
- ** **
- ** These notices must be retained in any copies of any part of this **
- ** documentation and/or software. **
- ***********************************************************************
- */
-
-#if defined(_KERNEL) && !defined(__sgi)
-# include <sys/systm.h>
-#else
-# include <string.h>
-#endif
-
-#include "md5.h"
-
-/*
- ***********************************************************************
- ** Message-digest routines: **
- ** To form the message digest for a message M **
- ** (1) Initialize a context buffer mdContext using MD5Init **
- ** (2) Call MD5Update on mdContext and M **
- ** (3) Call MD5Final on mdContext **
- ** The message digest is now in mdContext->digest[0...15] **
- ***********************************************************************
- */
-
-/* forward declaration */
-static void Transform __P((UINT4 *, UINT4 *));
-
-static unsigned char PADDING[64] = {
- 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-/* F, G, H and I are basic MD5 functions */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
-
-/* ROTATE_LEFT rotates x left n bits */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
-/* Rotation is separate from addition to prevent recomputation */
-#define FF(a, b, c, d, x, s, ac) \
- {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define GG(a, b, c, d, x, s, ac) \
- {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define HH(a, b, c, d, x, s, ac) \
- {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define II(a, b, c, d, x, s, ac) \
- {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-
-#ifdef __STDC__
-#define UL(x) x##U
-#else
-#define UL(x) x
-#endif
-
-/* The routine MD5Init initializes the message-digest context
- mdContext. All fields are set to zero.
- */
-void MD5Init (mdContext)
-MD5_CTX *mdContext;
-{
- mdContext->i[0] = mdContext->i[1] = (UINT4)0;
-
- /* Load magic initialization constants.
- */
- mdContext->buf[0] = (UINT4)0x67452301;
- mdContext->buf[1] = (UINT4)0xefcdab89;
- mdContext->buf[2] = (UINT4)0x98badcfe;
- mdContext->buf[3] = (UINT4)0x10325476;
-}
-
-/* The routine MD5Update updates the message-digest context to
- account for the presence of each of the characters inBuf[0..inLen-1]
- in the message whose digest is being computed.
- */
-void MD5Update (mdContext, inBuf, inLen)
-MD5_CTX *mdContext;
-unsigned char *inBuf;
-unsigned int inLen;
-{
- UINT4 in[16];
- int mdi;
- unsigned int i, ii;
-
- /* compute number of bytes mod 64 */
- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
-
- /* update number of bits */
- if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
- mdContext->i[1]++;
- mdContext->i[0] += ((UINT4)inLen << 3);
- mdContext->i[1] += ((UINT4)inLen >> 29);
-
- while (inLen--) {
- /* add new character to buffer, increment mdi */
- mdContext->in[mdi++] = *inBuf++;
-
- /* transform if necessary */
- if (mdi == 0x40) {
- for (i = 0, ii = 0; i < 16; i++, ii += 4)
- in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
- (((UINT4)mdContext->in[ii+2]) << 16) |
- (((UINT4)mdContext->in[ii+1]) << 8) |
- ((UINT4)mdContext->in[ii]);
- Transform (mdContext->buf, in);
- mdi = 0;
- }
- }
-}
-
-/* The routine MD5Final terminates the message-digest computation and
- ends with the desired message digest in mdContext->digest[0...15].
- */
-void MD5Final (hash, mdContext)
-unsigned char hash[];
-MD5_CTX *mdContext;
-{
- UINT4 in[16];
- int mdi;
- unsigned int i, ii;
- unsigned int padLen;
-
- /* save number of bits */
- in[14] = mdContext->i[0];
- in[15] = mdContext->i[1];
-
- /* compute number of bytes mod 64 */
- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
-
- /* pad out to 56 mod 64 */
- padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
- MD5Update (mdContext, PADDING, padLen);
-
- /* append length in bits and transform */
- for (i = 0, ii = 0; i < 14; i++, ii += 4)
- in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
- (((UINT4)mdContext->in[ii+2]) << 16) |
- (((UINT4)mdContext->in[ii+1]) << 8) |
- ((UINT4)mdContext->in[ii]);
- Transform (mdContext->buf, in);
-
- /* store buffer in digest */
- for (i = 0, ii = 0; i < 4; i++, ii += 4) {
- mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
- mdContext->digest[ii+1] =
- (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
- mdContext->digest[ii+2] =
- (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
- mdContext->digest[ii+3] =
- (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
- }
- bcopy((char *)mdContext->digest, (char *)hash, 16);
-}
-
-/* Basic MD5 step. Transforms buf based on in.
- */
-static void Transform (buf, in)
-UINT4 *buf;
-UINT4 *in;
-{
- UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
-
- /* Round 1 */
-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
- FF ( a, b, c, d, in[ 0], S11, UL(3614090360)); /* 1 */
- FF ( d, a, b, c, in[ 1], S12, UL(3905402710)); /* 2 */
- FF ( c, d, a, b, in[ 2], S13, UL( 606105819)); /* 3 */
- FF ( b, c, d, a, in[ 3], S14, UL(3250441966)); /* 4 */
- FF ( a, b, c, d, in[ 4], S11, UL(4118548399)); /* 5 */
- FF ( d, a, b, c, in[ 5], S12, UL(1200080426)); /* 6 */
- FF ( c, d, a, b, in[ 6], S13, UL(2821735955)); /* 7 */
- FF ( b, c, d, a, in[ 7], S14, UL(4249261313)); /* 8 */
- FF ( a, b, c, d, in[ 8], S11, UL(1770035416)); /* 9 */
- FF ( d, a, b, c, in[ 9], S12, UL(2336552879)); /* 10 */
- FF ( c, d, a, b, in[10], S13, UL(4294925233)); /* 11 */
- FF ( b, c, d, a, in[11], S14, UL(2304563134)); /* 12 */
- FF ( a, b, c, d, in[12], S11, UL(1804603682)); /* 13 */
- FF ( d, a, b, c, in[13], S12, UL(4254626195)); /* 14 */
- FF ( c, d, a, b, in[14], S13, UL(2792965006)); /* 15 */
- FF ( b, c, d, a, in[15], S14, UL(1236535329)); /* 16 */
-
- /* Round 2 */
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
- GG ( a, b, c, d, in[ 1], S21, UL(4129170786)); /* 17 */
- GG ( d, a, b, c, in[ 6], S22, UL(3225465664)); /* 18 */
- GG ( c, d, a, b, in[11], S23, UL( 643717713)); /* 19 */
- GG ( b, c, d, a, in[ 0], S24, UL(3921069994)); /* 20 */
- GG ( a, b, c, d, in[ 5], S21, UL(3593408605)); /* 21 */
- GG ( d, a, b, c, in[10], S22, UL( 38016083)); /* 22 */
- GG ( c, d, a, b, in[15], S23, UL(3634488961)); /* 23 */
- GG ( b, c, d, a, in[ 4], S24, UL(3889429448)); /* 24 */
- GG ( a, b, c, d, in[ 9], S21, UL( 568446438)); /* 25 */
- GG ( d, a, b, c, in[14], S22, UL(3275163606)); /* 26 */
- GG ( c, d, a, b, in[ 3], S23, UL(4107603335)); /* 27 */
- GG ( b, c, d, a, in[ 8], S24, UL(1163531501)); /* 28 */
- GG ( a, b, c, d, in[13], S21, UL(2850285829)); /* 29 */
- GG ( d, a, b, c, in[ 2], S22, UL(4243563512)); /* 30 */
- GG ( c, d, a, b, in[ 7], S23, UL(1735328473)); /* 31 */
- GG ( b, c, d, a, in[12], S24, UL(2368359562)); /* 32 */
-
- /* Round 3 */
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
- HH ( a, b, c, d, in[ 5], S31, UL(4294588738)); /* 33 */
- HH ( d, a, b, c, in[ 8], S32, UL(2272392833)); /* 34 */
- HH ( c, d, a, b, in[11], S33, UL(1839030562)); /* 35 */
- HH ( b, c, d, a, in[14], S34, UL(4259657740)); /* 36 */
- HH ( a, b, c, d, in[ 1], S31, UL(2763975236)); /* 37 */
- HH ( d, a, b, c, in[ 4], S32, UL(1272893353)); /* 38 */
- HH ( c, d, a, b, in[ 7], S33, UL(4139469664)); /* 39 */
- HH ( b, c, d, a, in[10], S34, UL(3200236656)); /* 40 */
- HH ( a, b, c, d, in[13], S31, UL( 681279174)); /* 41 */
- HH ( d, a, b, c, in[ 0], S32, UL(3936430074)); /* 42 */
- HH ( c, d, a, b, in[ 3], S33, UL(3572445317)); /* 43 */
- HH ( b, c, d, a, in[ 6], S34, UL( 76029189)); /* 44 */
- HH ( a, b, c, d, in[ 9], S31, UL(3654602809)); /* 45 */
- HH ( d, a, b, c, in[12], S32, UL(3873151461)); /* 46 */
- HH ( c, d, a, b, in[15], S33, UL( 530742520)); /* 47 */
- HH ( b, c, d, a, in[ 2], S34, UL(3299628645)); /* 48 */
-
- /* Round 4 */
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
- II ( a, b, c, d, in[ 0], S41, UL(4096336452)); /* 49 */
- II ( d, a, b, c, in[ 7], S42, UL(1126891415)); /* 50 */
- II ( c, d, a, b, in[14], S43, UL(2878612391)); /* 51 */
- II ( b, c, d, a, in[ 5], S44, UL(4237533241)); /* 52 */
- II ( a, b, c, d, in[12], S41, UL(1700485571)); /* 53 */
- II ( d, a, b, c, in[ 3], S42, UL(2399980690)); /* 54 */
- II ( c, d, a, b, in[10], S43, UL(4293915773)); /* 55 */
- II ( b, c, d, a, in[ 1], S44, UL(2240044497)); /* 56 */
- II ( a, b, c, d, in[ 8], S41, UL(1873313359)); /* 57 */
- II ( d, a, b, c, in[15], S42, UL(4264355552)); /* 58 */
- II ( c, d, a, b, in[ 6], S43, UL(2734768916)); /* 59 */
- II ( b, c, d, a, in[13], S44, UL(1309151649)); /* 60 */
- II ( a, b, c, d, in[ 4], S41, UL(4149444226)); /* 61 */
- II ( d, a, b, c, in[11], S42, UL(3174756917)); /* 62 */
- II ( c, d, a, b, in[ 2], S43, UL( 718787259)); /* 63 */
- II ( b, c, d, a, in[ 9], S44, UL(3951481745)); /* 64 */
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-/*
- ***********************************************************************
- ** End of md5.c **
- ******************************** (cut) ********************************
- */
diff --git a/contrib/ipfilter/md5.h b/contrib/ipfilter/md5.h
deleted file mode 100644
index e67f5b1..0000000
--- a/contrib/ipfilter/md5.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- ***********************************************************************
- ** md5.h -- header file for implementation of MD5 **
- ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
- ** Created: 2/17/90 RLR **
- ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
- ** Revised (for MD5): RLR 4/27/91 **
- ** -- G modified to have y&~z instead of y&z **
- ** -- FF, GG, HH modified to add in last register done **
- ** -- Access pattern: round 2 works mod 5, round 3 works mod 3 **
- ** -- distinct additive constant for each step **
- ** -- round 4 added, working mod 7 **
- ***********************************************************************
- */
-
-/*
- ***********************************************************************
- ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
- ** **
- ** License to copy and use this software is granted provided that **
- ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
- ** Digest Algorithm" in all material mentioning or referencing this **
- ** software or this function. **
- ** **
- ** License is also granted to make and use derivative works **
- ** provided that such works are identified as "derived from the RSA **
- ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
- ** material mentioning or referencing the derived work. **
- ** **
- ** RSA Data Security, Inc. makes no representations concerning **
- ** either the merchantability of this software or the suitability **
- ** of this software for any particular purpose. It is provided "as **
- ** is" without express or implied warranty of any kind. **
- ** **
- ** These notices must be retained in any copies of any part of this **
- ** documentation and/or software. **
- ***********************************************************************
- */
-
-#if !defined(__MD5_INCLUDE__) && !defined(_SYS_MD5_H)
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifndef __STDC__
-# undef const
-# define const
-#endif
-
-/* typedef a 32-bit type */
-typedef unsigned int UINT4;
-
-/* Data structure for MD5 (Message-Digest) computation */
-typedef struct {
- UINT4 i[2]; /* number of _bits_ handled mod 2^64 */
- UINT4 buf[4]; /* scratch buffer */
- unsigned char in[64]; /* input buffer */
- unsigned char digest[16]; /* actual digest after MD5Final call */
-} MD5_CTX;
-
-extern void MD5Init __P((MD5_CTX *));
-extern void MD5Update __P((MD5_CTX *, unsigned char *, unsigned int));
-extern void MD5Final __P((unsigned char *, MD5_CTX *));
-
-#define __MD5_INCLUDE__
-#endif /* __MD5_INCLUDE__ */
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
deleted file mode 100644
index e39b98f..0000000
--- a/contrib/ipfilter/misc.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#if (SOLARIS2 >= 7)
-# define _SYS_VARARGS_H
-# define _VARARGS_H
-#endif
-#if defined(__STDC__)
-# include <stdarg.h>
-#else
-# include <varargs.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.9 2002/12/06 11:40:27 darrenr Exp $";
-#endif
-
-extern int opts;
-
-
-void printpacket(ip)
-ip_t *ip;
-{
- tcphdr_t *tcp;
- u_short len;
-
- if (ip->ip_v == 4)
- len = ntohs(ip->ip_len);
- else if (ip->ip_v == 6)
- len = ntohs(((u_short *)ip)[2]) + 40;
- else
- len = 0;
-
- if ((opts & OPT_HEX) == OPT_HEX) {
- u_char *s;
- int i;
-
- for (s = (u_char *)ip, i = 0; i < len; i++) {
- printf("%02x", *s++ & 0xff);
- if (len - i > 1) {
- i++;
- printf("%02x", *s++ & 0xff);
- }
- if (i + 1 != len)
- putchar(' ');
- }
- putchar('\n');
- return;
- }
-
- if (ip->ip_v == 6) {
- printpacket6(ip);
- return;
- }
-
- tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
- printf("ip %d(%d) %d", ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p);
- if (ip->ip_off & IP_OFFMASK)
- printf(" @%d", ip->ip_off << 3);
- (void)printf(" %s", inet_ntoa(ip->ip_src));
- if (!(ip->ip_off & IP_OFFMASK))
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- (void)printf(" > ");
- (void)printf("%s", inet_ntoa(ip->ip_dst));
- if (!(ip->ip_off & IP_OFFMASK)) {
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags)) {
- putchar(' ');
- if (tcp->th_flags & TH_FIN)
- putchar('F');
- if (tcp->th_flags & TH_SYN)
- putchar('S');
- if (tcp->th_flags & TH_RST)
- putchar('R');
- if (tcp->th_flags & TH_PUSH)
- putchar('P');
- if (tcp->th_flags & TH_ACK)
- putchar('A');
- if (tcp->th_flags & TH_URG)
- putchar('U');
- if (tcp->th_flags & TH_ECN)
- putchar('E');
- if (tcp->th_flags & TH_CWR)
- putchar('C');
- }
- }
- putchar('\n');
-}
-
-
-/*
- * This is meant to work without the IPv6 header files being present or
- * the inet_ntop() library.
- */
-void printpacket6(ip)
-ip_t *ip;
-{
- u_char *buf, p, hops;
- u_short plen, *addrs;
- tcphdr_t *tcp;
- u_32_t flow;
-
- buf = (u_char *)ip;
- tcp = (tcphdr_t *)(buf + 40);
- p = buf[6];
- hops = buf[7];
- flow = ntohl(*(u_32_t *)buf);
- flow &= 0xfffff;
- plen = ntohs(*((u_short *)buf +2));
- addrs = (u_short *)buf + 4;
-
- printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p);
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- printf(" >");
- addrs += 8;
- printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
- ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]),
- ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]),
- ntohs(addrs[6]), ntohs(addrs[7]));
- if (plen >= 4)
- if (p == IPPROTO_TCP || p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- putchar('\n');
-}
-
-
-#if defined(__STDC__)
-void verbose(char *fmt, ...)
-#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_VERBOSE)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
-
-
-#ifdef __STDC__
-void debug(char *fmt, ...)
-#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
diff --git a/contrib/ipfilter/mkfilters b/contrib/ipfilter/mkfilters
deleted file mode 100644
index f0e6ff4..0000000
--- a/contrib/ipfilter/mkfilters
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/usr/local/bin/perl
-# for best results, bring up all your interfaces before running this
-
-if ($^O =~ m/^irix/i)
-{
- &irix_mkfilters || regular_mkfilters || die $!;
-}
-else
-{
- &regular_mkfilters || irix_mkfilters || die $!;
-}
-
-foreach $i (keys %ifaces) {
- $net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
-}
-#
-# print out route suggestions
-#
-print "#\n";
-print "# The following routes should be configured, if not already:\n";
-print "#\n";
-foreach $i (keys %ifaces) {
- next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
- print "# route add $inet{$i} localhost 0\n";
-}
-print "#\n";
-
-#
-# print out some generic filters which people should use somewhere near the top
-#
-print "block in log quick from any to any with ipopts\n";
-print "block in log quick proto tcp from any to any with short\n";
-
-$grpi = 0;
-
-foreach $i (keys %ifaces) {
- if (!defined($inet{$i})) {
- next;
- }
-
- $grpi += 100;
- $grpo = $grpi + 50;
-
- if ($i !~ /lo/) {
- print "pass out on $i all head $grpo\n";
- print "block out from 127.0.0.0/8 to any group $grpo\n";
- print "block out from any to 127.0.0.0/8 group $grpo\n";
- print "block out from any to $inet{$i}/32 group $grpo\n";
- print "pass in on $i all head $grpi\n";
- print "block in from 127.0.0.0/8 to any group $grpi\n";
- print "block in from $inet{$i}/32 to any group $grpi\n";
- foreach $j (keys %ifaces) {
- if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
- print "block in from $net{$j} to any group $grpi\n";
- }
- }
- }
-}
-
-sub irix_mkfilters
-{
- open(NETSTAT, "/usr/etc/netstat -i|") || return 0;
-
- while (defined($line = <NETSTAT>))
- {
- if ($line =~ m/^Name/)
- {
- next;
- }
- elsif ($line =~ m/^(\S+)/)
- {
- open(I, "/usr/etc/ifconfig $1|") || return 0;
- &scan_ifconfig;
- close I; # being neat... - Allen
- }
- }
- close NETSTAT; # again, being neat... - Allen
- return 1;
-}
-
-sub regular_mkfilters
-{
- open(I, "ifconfig -a|") || return 0;
- &scan_ifconfig;
- close I; # being neat... - Allen
- return 1;
-}
-
-sub scan_ifconfig
-{
- while (<I>) {
- chop;
- if (/^[a-zA-Z]+\d+:/) {
- ($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
- $ifaces{$iface} = $iface;
- next;
- }
- if (/inet/) {
- if (/\-\-\>/) { # PPP, (SLIP?)
- ($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
- ($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
- } else {
- ($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
- }
- }
- if (/netmask/) {
- ($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
- $mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
- $netmask{$iface} = $mask;
- }
- if (/broadcast/) {
- ($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
- }
- }
-}
-
diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c
deleted file mode 100644
index 4db9a9b..0000000
--- a/contrib/ipfilter/ml_ipl.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * responsibility and is not changed in any way.
- *
- * I hate legaleese, don't you ?
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/conf.h>
-#include <sys/syslog.h>
-#include <sys/buf.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/vnode.h>
-#include <sundev/mbvar.h>
-#include <sun/autoconf.h>
-#include <sun/vddrv.h>
-#if defined(sun4c) || defined(sun4m)
-#include <sun/openprom.h>
-#endif
-
-#ifndef IPL_NAME
-#define IPL_NAME "/dev/ipl"
-#endif
-
-extern int iplattach(), iplopen(), iplclose(), iplioctl(), iplread();
-extern int nulldev(), iplidentify(), errno;
-
-struct cdevsw ipldevsw =
-{
- iplopen, iplclose, iplread, nulldev,
- iplioctl, nulldev, nulldev, nulldev,
- 0, nulldev,
-};
-
-
-struct dev_ops ipl_ops =
-{
- 1,
- iplidentify,
- iplattach,
- iplopen,
- iplclose,
- iplread,
- NULL, /* write */
- NULL, /* strategy */
- NULL, /* dump */
- 0, /* psize */
- iplioctl,
- NULL, /* reset */
- NULL /* mmap */
-};
-
-int ipl_major = 0;
-
-#ifdef sun4m
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO,
- "ipl",
- &ipl_ops,
- NULL,
- &ipldevsw,
- 0,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- 1,
-};
-#else /* sun4m */
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO, /* magic */
- "ipl", /* name */
-#ifdef sun4c
- &ipl_ops, /* dev_ops */
-#else
- NULL, /* struct mb_ctlr *mb_ctlr */
- NULL, /* struct mb_driver *mb_driver */
- NULL, /* struct mb_device *mb_device */
- 0, /* num ctlrs */
- 1, /* numdevs */
-#endif /* sun4c */
- NULL, /* bdevsw */
- &ipldevsw, /* cdevsw */
- 0, /* block major */
- 0, /* char major */
-};
-#endif /* sun4m */
-
-extern int vd_unuseddev();
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-xxxinit(fc, vdp, vdi, vds)
-u_int fc;
-struct vddrv *vdp;
-caddr_t vdi;
-struct vdstat *vds;
-{
- struct vdlinkage *v;
- int i;
-
- switch (fc)
- {
- case VDLOAD:
- while (ipl_major < nchrdev &&
- cdevsw[ipl_major].d_open != vd_unuseddev)
- ipl_major++;
- if (ipl_major == nchrdev)
- return ENODEV;
- vd.Drv_charmajor = ipl_major;
- vdp->vdd_vdtab = (struct vdlinkage *)&vd;
- return ipl_attach(vdi);
- case VDUNLOAD:
- return unload(vdp, vdi);
-
- case VDSTAT:
- return 0;
-
- default:
- return EIO;
- }
-}
-
-static unload(vdp, vdi)
- struct vddrv *vdp;
- struct vdioctl_unload *vdi;
-{
- int i;
-
- (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
- return ipldetach();
-}
-
-
-static int ipl_attach(vdi)
-struct vdioctl_load *vdi;
-{
- struct vnode *vp;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600;
-
- (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
- vattr_null(&vattr);
- vattr.va_type = MFTOVT(fmode);
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = ipl_major<<8;
-
- error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
- if (error == 0)
- VN_RELE(vp);
- return iplattach(0);
-}
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
deleted file mode 100644
index b39a14d..0000000
--- a/contrib/ipfilter/mlf_ipl.c
+++ /dev/null
@@ -1,467 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-
-
-#include <sys/param.h>
-
-#ifdef IPFILTER_LKM
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-# define ACTUALLY_LKM_NOT_KERNEL
-#else
-# ifndef __FreeBSD_cc_version
-# include <sys/osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <sys/osreldate.h>
-# endif
-# endif
-#endif
-#include <sys/systm.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-# ifndef ACTUALLY_LKM_NOT_KERNEL
-# include "opt_devfs.h"
-# endif
-# include <sys/conf.h>
-# include <sys/kernel.h>
-# ifdef DEVFS
-# include <sys/devfsext.h>
-# endif /*DEVFS*/
-#endif
-#include <sys/conf.h>
-#include <sys/file.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/lock.h>
-#endif
-#include <sys/stat.h>
-#include <sys/proc.h>
-#include <sys/kernel.h>
-#include <sys/vnode.h>
-#include <sys/namei.h>
-#include <sys/malloc.h>
-#include <sys/mount.h>
-#include <sys/exec.h>
-#include <sys/mbuf.h>
-#if BSD >= 199506
-# include <sys/sysctl.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/socket.h>
-#endif
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <sys/sysent.h>
-#include <sys/lkm.h>
-#include "netinet/ipl.h"
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_auth.h"
-#include "netinet/ip_frag.h"
-
-
-#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
-#define VOP_LEASE LEASE_CHECK
-#endif
-
-int xxxinit __P((struct lkm_table *, int, int));
-
-#ifdef SYSCTL_OID
-int sysctl_ipf_int SYSCTL_HANDLER_ARGS;
-# define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
- SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
- ptr, val, sysctl_ipf_int, "I", descr);
-# define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
-# define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
-SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &fr_tcpidletimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &fr_tcphalfclosed, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &fr_tcpclosewait, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &fr_tcplastack, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
- &fr_tcptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
- &fr_tcpclosed, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &fr_udptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &fr_icmptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &fr_defnatage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &fr_ipfrttl, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
- &fr_running, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &fr_statesize, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &fr_statemax, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &fr_authsize, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &fr_authused, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &fr_defaultauthage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW,
- &ippr_ftp_pasvonly, 0, "");
-#endif
-
-#ifdef DEVFS
-static void *ipf_devfs[IPL_LOGSIZE];
-#endif
-
-#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
-int ipl_major = 0;
-
-static struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- (void *)nullop, /* write */
- iplioctl, /* ioctl */
- (void *)nullop, /* stop */
- (void *)nullop, /* reset */
- (void *)NULL, /* tty */
- (void *)nullop, /* select */
- (void *)nullop, /* mmap */
- NULL /* strategy */
-};
-
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
-
-extern struct cdevsw cdevsw[];
-extern int vd_unuseddev __P((void));
-extern int nchrdev;
-#else
-
-static struct cdevsw ipl_cdevsw = {
- iplopen, iplclose, iplread, nowrite, /* 79 */
- iplioctl, nostop, noreset, nodevtotty,
-#if (__FreeBSD_version >= 300000)
- seltrue, nommap, nostrategy, "ipl",
-#else
- noselect, nommap, nostrategy, "ipl",
-#endif
- NULL, -1
-};
-#endif
-
-static void ipl_drvinit __P((void *));
-
-#ifdef ACTUALLY_LKM_NOT_KERNEL
-static int if_ipl_unload __P((struct lkm_table *, int));
-static int if_ipl_load __P((struct lkm_table *, int));
-static int if_ipl_remove __P((void));
-static int ipl_major = CDEV_MAJOR;
-
-static int iplaction __P((struct lkm_table *, int));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- IPL_SCAN, IPL_SYNC, IPL_POOL, NULL };
-
-extern int lkmenodev __P((void));
-
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
-#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
- int i = ipl_major;
- struct lkm_dev *args = lkmtp->private.lkm_dev;
-#endif
- int err = 0;
-
- switch (cmd)
- {
- case LKM_E_LOAD :
- if (lkmexists(lkmtp))
- return EEXIST;
-
-#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
- for (i = 0; i < nchrdev; i++)
- if (cdevsw[i].d_open == lkmenodev ||
- cdevsw[i].d_open == iplopen)
- break;
- if (i == nchrdev) {
- printf("IP Filter: No free cdevsw slots\n");
- return ENODEV;
- }
-
- ipl_major = i;
- args->lkm_offset = i; /* slot in cdevsw[] */
-#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- err = if_ipl_load(lkmtp, cmd);
- if (!err)
- ipl_drvinit((void *)NULL);
- return err;
- break;
- case LKM_E_UNLOAD :
- err = if_ipl_unload(lkmtp, cmd);
- if (!err) {
- printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
-#ifdef DEVFS
- if (ipf_devfs[IPL_LOGIPF])
- devfs_remove_dev(ipf_devfs[IPL_LOGIPF]);
- if (ipf_devfs[IPL_LOGNAT])
- devfs_remove_dev(ipf_devfs[IPL_LOGNAT]);
- if (ipf_devfs[IPL_LOGSTATE])
- devfs_remove_dev(ipf_devfs[IPL_LOGSTATE]);
- if (ipf_devfs[IPL_LOGAUTH])
- devfs_remove_dev(ipf_devfs[IPL_LOGAUTH]);
- if (ipf_devfs[IPL_LOGSCAN])
- devfs_remove_dev(ipf_devfs[IPL_LOGSCAN]);
- if (ipf_devfs[IPL_LOGSYNC])
- devfs_remove_dev(ipf_devfs[IPL_LOGSYNC]);
- if (ipf_devfs[IPL_LOGLOOKUP])
- devfs_remove_dev(ipf_devfs[IPL_LOGLOOKUP]);
-#endif
- }
- return err;
- case LKM_E_STAT :
- break;
- default:
- err = EIO;
- break;
- }
- return 0;
-}
-
-
-static int if_ipl_remove __P((void))
-{
- char *name;
- struct nameidata nd;
- int error, i;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return (error);
- VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
-#if (__FreeBSD_version >= 300000)
- VOP_LOCK(nd.ni_vp, LK_RETRY | LK_EXCLUSIVE, curproc);
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
-
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- if (nd.ni_vp != NULLVP)
- vput(nd.ni_vp);
-#else
- VOP_LOCK(nd.ni_vp);
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
-#endif
- }
-
- return 0;
-}
-
-
-static int if_ipl_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- int error = 0;
-
- error = ipldetach();
- if (!error)
- error = if_ipl_remove();
- return error;
-}
-
-
-static int if_ipl_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- struct nameidata nd;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- error = iplattach();
- if (error)
- return error;
- (void) if_ipl_remove();
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return error;
- if (nd.ni_vp != NULL) {
- VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- vrele(nd.ni_vp);
- return (EEXIST);
- }
- VATTR_NULL(&vattr);
- vattr.va_type = VCHR;
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
-#if (__FreeBSD_version >= 300000)
- vput(nd.ni_dvp);
-#endif
- if (error)
- return error;
- }
- return 0;
-}
-
-#endif /* actually LKM */
-
-#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
-/*
- * strlen isn't present in 2.1.* kernels.
- */
-size_t strlen(string)
-char *string;
-{
- register char *s;
-
- for (s = string; *s; s++)
- ;
- return (size_t)(s - string);
-}
-
-
-int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-}
-#else /* __FREEBSD_version >= 220000 */
-# ifdef IPFILTER_LKM
-# include <sys/exec.h>
-
-# if (__FreeBSD_version >= 300000)
-MOD_DEV(if_ipl, LM_DT_CHAR, CDEV_MAJOR, &ipl_cdevsw);
-# else
-MOD_DECL(if_ipl);
-
-
-static struct lkm_dev _module = {
- LM_DEV,
- LKM_VERSION,
- IPL_VERSION,
- CDEV_MAJOR,
- LM_DT_CHAR,
- { (void *)&ipl_cdevsw }
-};
-# endif
-
-
-int if_ipl __P((struct lkm_table *, int, int));
-
-
-int if_ipl(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
-# if (__FreeBSD_version >= 300000)
- MOD_DISPATCH(if_ipl, lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-# else
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-# endif
-}
-# endif /* IPFILTER_LKM */
-static ipl_devsw_installed = 0;
-
-static void ipl_drvinit __P((void *unused))
-{
- dev_t dev;
-# ifdef DEVFS
- void **tp = ipf_devfs;
-# endif
-
- if (!ipl_devsw_installed ) {
- dev = makedev(CDEV_MAJOR, 0);
- cdevsw_add(&dev, &ipl_cdevsw, NULL);
- ipl_devsw_installed = 1;
-
-# ifdef DEVFS
- tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
- DV_CHR, 0, 0, 0600, "ipf");
- tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
- DV_CHR, 0, 0, 0600, "ipnat");
- tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
- DV_CHR, 0, 0, 0600,
- "ipstate");
- tp[IPL_LOGAUTH] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGAUTH,
- DV_CHR, 0, 0, 0600,
- "ipauth");
-# endif
- }
-}
-
-
-#ifdef SYSCTL_IPF
-int
-sysctl_ipf_int SYSCTL_HANDLER_ARGS
-{
- int error = 0;
-
- if (arg1)
- error = SYSCTL_OUT(req, arg1, sizeof(int));
- else
- error = SYSCTL_OUT(req, &arg2, sizeof(int));
-
- if (error || !req->newptr)
- return (error);
-
- if (!arg1)
- error = EPERM;
- else {
- if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
- error = EBUSY;
- else
- error = SYSCTL_IN(req, arg1, sizeof(int));
- }
- return (error);
-}
-#endif
-
-
-# if defined(IPFILTER_LKM) || \
- defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
-# endif /* IPFILTER_LKM */
-#endif /* _FreeBSD_version */
diff --git a/contrib/ipfilter/mlf_rule.c b/contrib/ipfilter/mlf_rule.c
deleted file mode 100644
index c540ebd..0000000
--- a/contrib/ipfilter/mlf_rule.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-
-
-#include <sys/param.h>
-
-#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
-# ifdef IPFILTER_LKM
-# include <osreldate.h>
-# define ACTUALLY_LKM_NOT_KERNEL
-# else
-# include <sys/osreldate.h>
-# endif
-#endif
-#include <sys/systm.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-# include <sys/conf.h>
-# include <sys/kernel.h>
-# ifdef DEVFS
-# include <sys/devfsext.h>
-# endif /*DEVFS*/
-#endif
-#include <sys/conf.h>
-#include <sys/file.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/lock.h>
-#endif
-#include <sys/stat.h>
-#include <sys/proc.h>
-#include <sys/kernel.h>
-#include <sys/vnode.h>
-#include <sys/namei.h>
-#include <sys/malloc.h>
-#include <sys/mount.h>
-#include <sys/exec.h>
-#include <sys/mbuf.h>
-#if BSD >= 199506
-# include <sys/sysctl.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/socket.h>
-#endif
-#if (__FreeBSD_version >= 199511)
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#endif
-#if (__FreeBSD__ > 1)
-# include <sys/sysent.h>
-#endif
-#include <sys/lkm.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_rules.h"
-
-
-int xxxinit __P((struct lkm_table *, int, int));
-
-#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
-#endif
-
-static int ipfrule_ioctl __P((struct lkm_table *, int));
-
-#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
-
-int xxxinit(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
- DISPATCH(lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl, ipfrule_ioctl);
-}
-#else /* __FREEBSD_version >= 220000 */
-# ifdef IPFILTER_LKM
-# include <sys/exec.h>
-
-# if (__FreeBSD_version >= 300000)
-MOD_MISC(ipfrule);
-# else
-MOD_DECL(ipfrule);
-
-
-static struct lkm_misc _module = {
- LM_MISC,
- LKM_VERSION,
- "IP Filter rules",
- 0,
-};
-# endif
-
-
-int ipfrule __P((struct lkm_table *, int, int));
-
-
-int ipfrule(lkmtp, cmd, ver)
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
-# if (__FreeBSD_version >= 300000)
- MOD_DISPATCH(ipfrule, lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl,
- ipfrule_ioctl);
-# else
- DISPATCH(lkmtp, cmd, ver, ipfrule_ioctl, ipfrule_ioctl, ipfrule_ioctl);
-# endif
-}
-# endif /* IPFILTER_LKM */
-
-
-int ipfrule_load(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- return ipfrule_add();
-}
-
-
-int ipfrule_unload(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- return ipfrule_remove();
-}
-
-
-static int ipfrule_ioctl(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- int err = 0;
-
- switch (cmd)
- {
- case LKM_E_LOAD :
- if (lkmexists(lkmtp))
- return EEXIST;
-
- err = ipfrule_load(lkmtp, cmd);
- if (!err)
- fr_refcnt++;
- break;
- case LKM_E_UNLOAD :
- err = ipfrule_unload(lkmtp, cmd);
- if (!err)
- fr_refcnt--;
- break;
- case LKM_E_STAT :
- break;
- default:
- err = EIO;
- break;
- }
- return err;
-}
-#endif /* _FreeBSD_version */
diff --git a/contrib/ipfilter/mlfk_ipl.c b/contrib/ipfilter/mlfk_ipl.c
deleted file mode 100644
index 0f50fea..0000000
--- a/contrib/ipfilter/mlfk_ipl.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 2000 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-
-#include <sys/param.h>
-#include <sys/systm.h>
-#include <sys/kernel.h>
-#include <sys/module.h>
-#include <sys/conf.h>
-#include <sys/socket.h>
-#include <sys/sysctl.h>
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-
-
-#include <netinet/ipl.h>
-#include <netinet/ip_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_auth.h>
-#include <netinet/ip_frag.h>
-
-#if __FreeBSD_version >= 502116
-static struct cdev *ipf_devs[IPL_LOGSIZE];
-#else
-static dev_t ipf_devs[IPL_LOGSIZE];
-#endif
-
-static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
-static int ipf_modload(void);
-static int ipf_modunload(void);
-
-SYSCTL_DECL(_net_inet);
-#define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
- SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
- ptr, val, sysctl_ipf_int, "I", descr);
-#define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
-#define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
-SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &fr_tcpidletimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &fr_tcphalfclosed, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &fr_tcpclosewait, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &fr_tcplastack, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
- &fr_tcptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
- &fr_tcpclosed, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &fr_udptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
- &fr_udpacktimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &fr_icmptimeout, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &fr_defnatage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &fr_ipfrttl, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
- &fr_running, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &fr_statesize, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &fr_statemax, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
- &ipf_nattable_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
- &ipf_natrules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
- &ipf_rdrrules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
- &ipf_hostmap_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &fr_authsize, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &fr_authused, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &fr_defaultauthage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
-
-#define CDEV_MAJOR 79
-#if __FreeBSD_version >= 501000
-static struct cdevsw ipl_cdevsw = {
-#if __FreeBSD_version >= 502103
- .d_version = D_VERSION,
- .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */
-#endif
- .d_open = iplopen,
- .d_close = iplclose,
- .d_read = iplread,
- .d_ioctl = iplioctl,
- .d_name = "ipl",
- .d_maj = CDEV_MAJOR,
-};
-#else
-static struct cdevsw ipl_cdevsw = {
- /* open */ iplopen,
- /* close */ iplclose,
- /* read */ iplread,
- /* write */ iplwrite,
- /* ioctl */ iplioctl,
- /* poll */ nopoll,
- /* mmap */ nommap,
- /* strategy */ nostrategy,
- /* name */ "ipl",
- /* maj */ CDEV_MAJOR,
- /* dump */ nodump,
- /* psize */ nopsize,
- /* flags */ 0,
-# if (__FreeBSD_version < 500043)
- /* bmaj */ -1,
-# endif
- /* kqfilter */ NULL
-};
-#endif
-
-static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
- IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
-
-
-static int
-ipfilter_modevent(module_t mod, int type, void *unused)
-{
- int error = 0;
-
- switch (type)
- {
- case MOD_LOAD :
- error = ipf_modload();
- break;
-
- case MOD_UNLOAD :
- error = ipf_modunload();
- break;
- default:
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-static int
-ipf_modload()
-{
- char *defpass, *c, *str;
- int i, j, error;
-
- error = iplattach();
- if (error)
- return error;
-
- for (i = 0; i < IPL_LOGSIZE; i++)
- ipf_devs[i] = NULL;
-
- for (i = 0; (str = ipf_devfiles[i]); i++) {
- c = NULL;
- for(j = strlen(str); j > 0; j--)
- if (str[j] == '/') {
- c = str + j + 1;
- break;
- }
- if (!c)
- c = str;
- ipf_devs[i] = make_dev(&ipl_cdevsw, i, 0, 0, 0600, c);
- }
-
- if (FR_ISPASS(fr_pass))
- defpass = "pass";
- else if (FR_ISBLOCK(fr_pass))
- defpass = "block";
- else
- defpass = "no-match -> block";
-
- printf("%s initialized. Default = %s all, Logging = %s%s\n",
- ipfilter_version, defpass,
-#ifdef IPFILTER_LOG
- "enabled",
-#else
- "disabled",
-#endif
-#ifdef IPFILTER_COMPILED
- " (COMPILED)"
-#else
- ""
-#endif
- );
- return 0;
-}
-
-
-static int
-ipf_modunload()
-{
- int error, i;
-
- if (fr_refcnt)
- return EBUSY;
-
- if (fr_running >= 0) {
- error = ipldetach();
- if (error != 0)
- return error;
- } else
- error = 0;
-
- fr_running = -2;
-
- for (i = 0; ipf_devfiles[i]; i++) {
- if (ipf_devs[i] != NULL)
- destroy_dev(ipf_devs[i]);
- }
-
- printf("%s unloaded\n", ipfilter_version);
-
- return error;
-}
-
-
-static moduledata_t ipfiltermod = {
- "ipfilter",
- ipfilter_modevent,
- 0
-};
-
-
-DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
-#ifdef MODULE_VERSION
-MODULE_VERSION(ipfilter, 1);
-#endif
-
-
-#ifdef SYSCTL_IPF
-int
-sysctl_ipf_int ( SYSCTL_HANDLER_ARGS )
-{
- int error = 0;
-
- if (arg1)
- error = SYSCTL_OUT(req, arg1, sizeof(int));
- else
- error = SYSCTL_OUT(req, &arg2, sizeof(int));
-
- if (error || !req->newptr)
- return (error);
-
- if (!arg1)
- error = EPERM;
- else {
- if ((oidp->oid_kind & CTLFLAG_OFF) && (fr_running > 0))
- error = EBUSY;
- else
- error = SYSCTL_IN(req, arg1, sizeof(int));
- }
- return (error);
-}
-#endif
diff --git a/contrib/ipfilter/mlfk_rule.c b/contrib/ipfilter/mlfk_rule.c
deleted file mode 100644
index c175076..0000000
--- a/contrib/ipfilter/mlfk_rule.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2000 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: mlfk_rule.c,v 2.4.4.2 2004/04/16 23:32:08 darrenr Exp $
- */
-
-
-#include <sys/param.h>
-#include <sys/systm.h>
-#include <sys/kernel.h>
-#include <sys/module.h>
-#include <sys/conf.h>
-#include <sys/socket.h>
-#include <sys/sysctl.h>
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-
-#include <netinet/ipl.h>
-#include <netinet/ip_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_auth.h>
-#include <netinet/ip_frag.h>
-
-#include "ip_rules.h"
-
-
-static int
-ipfrule_modevent(module_t mod, int type, void *unused)
-{
- int error = 0;
-
- switch (type)
- {
- case MOD_LOAD :
- error = ipfrule_add();
- if (!error)
- fr_refcnt++;
- break;
- case MOD_UNLOAD :
- error = ipfrule_remove();
- if (!error)
- fr_refcnt--;
- break;
- default:
- error = EINVAL;
- break;
- }
- return error;
-}
-
-static moduledata_t ipfrulemod = {
- "ipfrule",
- ipfrule_modevent,
- 0
-};
-DECLARE_MODULE(ipfrule, ipfrulemod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
-#ifdef MODULE_DEPEND
-MODULE_DEPEND(ipfrule, ipfilter, 1, 1, 1);
-#endif
-#ifdef MODULE_VERSION
-MODULE_VERSION(ipfrule, 1);
-#endif
diff --git a/contrib/ipfilter/mlh_rule.c b/contrib/ipfilter/mlh_rule.c
deleted file mode 100644
index e71c7be..0000000
--- a/contrib/ipfilter/mlh_rule.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $NetBSD$ */
-
-/*
- * Copyright (C) 1993-1998 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-
-/*typedef unsigned int spustate_t;*/
-struct uio;
-
-#include <sys/types.h>
-#include <sys/cmn_err.h>
-#include <sys/kernel.h>
-#include <sys/systm.h>
-#include <sys/malloc.h>
-#include <sys/conf.h>
-#include <sys/callout.h>
-#include <sys/moddefs.h>
-#include <sys/io.h>
-#include <sys/wsio.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/byteorder.h>
-#include <sys/socket.h>
-#include <sys/stropts.h>
-#include <net/if.h>
-#include <net/af.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_rules.h"
-
-
-/*
- * Driver Header
- */
-static drv_info_t ipf_drv_info = {
- "IP Filter Rules", /* type */
- "pseudo", /* class */
- DRV_PSEUDO|DRV_SAVE_CONF|DRV_MP_SAFE, /* flags */
- -1, /* b_major */
- -1, /* c_major */
- NULL, /* cdio */
- NULL, /* gio_private */
- NULL, /* cdio_private */
-};
-
-
-extern struct mod_operations gio_mod_ops;
-static drv_info_t ipf_drv_info;
-extern struct mod_conf_data ipf_conf_data;
-
-static struct mod_type_data ipf_drv_link = {
- IPL_VERSION, (void *)NULL
-};
-
-static struct modlink ipf_mod_link[] = {
- { &gio_mod_ops, (void *)&ipf_drv_link },
- { NULL, (void *)NULL }
-};
-
-struct modwrapper ipf_wrapper = {
- MODREV,
- ipf_load,
- ipf_unload,
- (void (*)())NULL,
- (void *)&ipf_conf_data,
- ipf_mod_link
-};
-
-
-static int ipf_load(void *arg)
-{
- int i;
-
- i = ipfrule_add();
- if (!i)
- fr_refcnt--;
-#ifdef IPFDEBUG
- printf("IP Filter Rules: ipfrule_add() = %d\n", i);
-#endif
- if (!i)
- cmn_err(CE_CONT, "IP Filter Rules: Loaded\n");
- return i;
-}
-
-
-static int ipf_unload(void *arg)
-{
- int i;
-
- i = ipfrule_remove();
- if (!i)
- fr_refcnt--;
-#ifdef IPFDEBUG
- printf("IP Filter Rules: ipfrule_remove() = %d\n", i);
-#endif
- if (!i)
- cmn_err(CE_CONT, "IP Filter Rules: Unloaded\n");
- return i;
-}
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
deleted file mode 100644
index 235a5af..0000000
--- a/contrib/ipfilter/mli_ipl.c
+++ /dev/null
@@ -1,596 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- * (C)opyright 1997 by Marc Boucher.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-/* TODO: (MARCXXX)
- - ipl_init failure -> open ENODEV or whatever
- - prevent multiple LKM loads
- - surround access to ifnet structures by IFNET_LOCK()/IFNET_UNLOCK() ?
- - m != m1 problem
-*/
-
-#include <sys/types.h>
-#include <sys/conf.h>
-#ifdef IPFILTER_LKM
-#include <sys/mload.h>
-#endif
-#include <sys/systm.h>
-#include <sys/errno.h>
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-#include <netinet/in_var.h>
-#endif
-#include <sys/mbuf.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ipfilter.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-
-/*#define IPFDEBUG 1*/
-
-unsigned IPL_EXTERN(devflag) = D_MP;
-#ifdef IPFILTER_LKM
-char *IPL_EXTERN(mversion) = M_VERSION;
-#endif
-
-kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw;
-kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-
-int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
-
-#ifdef IPFILTER_LKM
-static int *ipff_addr = 0;
-static int ipff_value;
-static __psunsigned_t *ipfk_addr = 0;
-static __psunsigned_t ipfk_code[4];
-#endif
-
-typedef struct nif {
- struct nif *nf_next;
- struct ifnet *nf_ifp;
-#if IRIX < 605
- int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *);
-#else
- int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
- struct rtentry *);
-#endif
- char nf_name[IFNAMSIZ];
- int nf_unit;
-} nif_t;
-
-static nif_t *nif_head = 0;
-static int nif_interfaces = 0;
-extern int in_interfaces;
-
-extern ipnat_t *nat_list;
-
-static int
-#if IRIX < 605
-ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst)
-#else
-ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
- struct rtentry *rt)
-#endif
-{
- nif_t *nif;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- for (nif = nif_head; nif; nif = nif->nf_next)
- if (nif->nf_ifp == ifp)
- break;
-
- MUTEX_EXIT(&ipfi_mutex);
- if (!nif) {
- printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp);
- return ENETDOWN;
- }
-
-#if IPFDEBUG >= 4
- static unsigned int cnt = 0;
- if ((++cnt % 200) == 0)
- printf("IP Filter: ipl_if_output(ifp=0x%lx, m=0x%lx, dst=0x%lx), m_type=%d m_flags=0x%lx m_off=0x%lx\n", ifp, m, dst, m->m_type, (unsigned long)(m->m_flags), m->m_off);
-#endif
- if (fr_checkp) {
- struct mbuf *m1 = m;
- struct ip *ip;
- int hlen;
-
- switch(m->m_type) {
- case MT_DATA:
- if (m->m_flags & M_BCAST) {
-#if IPFDEBUG >= 2
- printf("IP Filter: ipl_if_output: passing M_BCAST\n");
-#endif
- break;
- }
- /* FALLTHROUGH */
- case MT_HEADER:
-#if IPFDEBUG >= 4
- if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
- printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- goto done;
- }
-#endif
- if (m->m_len < sizeof(char)) {
- printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
- goto done;
- }
- ip = mtod(m, struct ip *);
- if (ip->ip_v != IPVERSION) {
-#if IPFDEBUG >= 4
- printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
-#endif
- goto done;
- }
-
- hlen = ip->ip_hl << 2;
- if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
- return EHOSTUNREACH;
-
- if (!m1)
- return 0;
-
- m = m1;
- break;
-
- default:
- printf("IP Filter: ipl_if_output: bad m_type=%d m_flags=0x%lxm_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- break;
- }
- }
-done:
-#if IRIX < 605
- return (*nif->nf_output)(ifp, m, dst);
-#else
- return (*nif->nf_output)(ifp, m, dst, rt);
-#endif
-}
-
-int
-IPL_EXTERN(_kernel)(struct ifnet *rcvif, struct mbuf *m)
-{
-#if IPFDEBUG >= 4
- static unsigned int cnt = 0;
- if ((++cnt % 200) == 0)
- printf("IP Filter: ipl_ipfilter_kernel(rcvif=0x%lx, m=0x%lx\n", rcvif, m);
-#endif
-
- /*
- * Check if we want to allow this packet to be processed.
- * Consider it to be bad if not.
- */
- if (fr_checkp) {
- struct mbuf *m1 = m;
- struct ip *ip;
- int hlen;
-
- if ((m->m_type != MT_DATA) && (m->m_type != MT_HEADER)) {
- printf("IP Filter: ipl_ipfilter_kernel: bad m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- return IPF_ACCEPTIT;
- }
-
-#if IPFDEBUG >= 4
- if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) {
- printf("IP Filter: ipl_ipfilter_kernel: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off);
- return IPF_ACCEPTIT;
- }
-#endif
- if (m->m_len < sizeof(char)) {
- printf("IP Filter: ipl_ipfilter_kernel: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags));
- return IPF_ACCEPTIT;
- }
- ip = mtod(m, struct ip *);
- if (ip->ip_v != IPVERSION) {
- printf("IP Filter: ipl_ipfilter_kernel: bad ip_v\n");
- m_freem(m);
- return IPF_DROPIT;
- }
-
- hlen = ip->ip_hl << 2;
- if ((*fr_checkp)(ip, hlen, rcvif, 0, &m1) || !m1)
- return IPF_DROPIT;
- if (m != m1)
- printf("IP Filter: ipl_ipfilter_kernel: m != m1\n");
- }
-
- return IPF_ACCEPTIT;
-}
-
-static int
-ipfilterattach(void)
-{
-#ifdef IPFILTER_LKM
- __psunsigned_t *addr_ff, *addr_fk;
-
- st_findaddr("ipfilterflag", &addr_ff);
-#if IPFDEBUG >= 4
- printf("IP Filter: st_findaddr ipfilterflag=0x%lx\n", addr_ff);
-#endif
- if (!addr_ff)
- return ESRCH;
-
- st_findaddr("ipfilter_kernel", &addr_fk);
-#if IPFDEBUG >= 4
- printf("IP Filter: st_findaddr ipfilter_kernel=0x%lx\n", addr_fk);
-#endif
- if (!addr_fk)
- return ESRCH;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- ipff_addr = (int *)addr_ff;
-
- ipff_value = *ipff_addr;
- *ipff_addr = 0;
-
-
- ipfk_addr = addr_fk;
-
- bcopy(ipfk_addr, ipfk_code,
- sizeof(ipfk_code));
-
- /* write a "li t4, ipl_ipfilter_kernel" instruction */
- ipfk_addr[0] = 0x3c0c0000 |
- (((__psunsigned_t)IPL_EXTERN(_kernel) >> 16) & 0xffff);
- ipfk_addr[1] = 0x358c0000 |
- ((__psunsigned_t)IPL_EXTERN(_kernel) & 0xffff);
- /* write a "jr t4" instruction" */
- ipfk_addr[2] = 0x01800008;
-
- /* write a "nop" instruction */
- ipfk_addr[3] = 0;
-
- icache_inval(ipfk_addr, sizeof(ipfk_code));
-
- *ipff_addr = 1; /* enable ipfilter_kernel */
-
- MUTEX_EXIT(&ipfi_mutex);
-#else
- extern int ipfilterflag;
-
- ipfilterflag = 1;
-#endif
-
- return 0;
-}
-
-/*
- * attach the packet filter to each non-loopback interface that is running
- */
-static void
-nifattach()
-{
- struct ifnet *ifp;
- struct frentry *f;
- ipnat_t *np;
- nif_t *nif;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- for (ifp = ifnet; ifp; ifp = ifp->if_next) {
- if ((!(ifp->if_flags & IFF_RUNNING)) ||
- (ifp->if_flags & IFF_LOOPBACK))
- continue;
-
- /*
- * Look for entry already setup for this device
- */
- for (nif = nif_head; nif; nif = nif->nf_next)
- if (nif->nf_ifp == ifp)
- break;
- if (nif)
- continue;
-
- if (ifp->if_output == ipl_if_output) {
- printf("IP Filter: ERROR INTF 0x%lx STILL ATTACHED\n",
- ifp);
- continue;
- }
-#if IPFDEBUG >= 4
- printf("IP Filter: nifattach nif %x opt %x\n",
- ifp, ifp->if_output);
-#endif
- KMALLOC(nif, nif_t *);
- if (!nif) {
- printf("IP Filter: malloc(%d) for nif_t failed\n",
- sizeof(nif_t));
- continue;
- }
-
- nif->nf_ifp = ifp;
- strncpy(nif->nf_name, ifp->if_name, sizeof(nif->nf_name));
- nif->nf_name[sizeof(nif->nf_name) - 1] = '\0';
- nif->nf_unit = ifp->if_unit;
-
- nif->nf_next = nif_head;
- nif_head = nif;
-
- /*
- * Activate any rules directly associated with this interface
- */
- MUTEX_ENTER(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- if (f->fr_ifname[0] &&
- (GETUNIT(f->fr_ifname, 4) == ifp))
- f->fr_ifa = ifp;
- }
- }
- for (f = ipfilter[1][0]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- if (f->fr_ifname[0] &&
- (GETUNIT(f->fr_ifname, 4) == ifp))
- f->fr_ifa = ifp;
- }
- }
- MUTEX_EXIT(&ipf_mutex);
- MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next) {
- if ((np->in_ifp == (void *)-1)) {
- if (np->in_ifname[0] &&
- (GETUNIT(np->in_ifname, 4) == ifp))
- np->in_ifp = (void *)ifp;
- }
- }
- MUTEX_EXIT(&ipf_nat);
-
- nif->nf_output = ifp->if_output;
- ifp->if_output = ipl_if_output;
-
-#if IPFDEBUG >= 4
- printf("IP Filter: nifattach: ifp(%lx)->if_output FROM %lx TO %lx\n",
- ifp, nif->nf_output, ifp->if_output);
-#endif
-
- printf("IP Filter: attach to [%s,%d]\n",
- nif->nf_name, ifp->if_unit);
- }
- if (!nif_head)
- printf("IP Filter: not attached to any interfaces\n");
-
- nif_interfaces = in_interfaces;
-
- MUTEX_EXIT(&ipfi_mutex);
-
- return;
-}
-
-/*
- * look for bad consistancies between the list of interfaces the filter knows
- * about and those which are currently configured.
- */
-int
-ipfsync(void)
-{
- register struct frentry *f;
- register ipnat_t *np;
- register nif_t *nif, **qp;
- register struct ifnet *ifp;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- for (qp = &nif_head; (nif = *qp); ) {
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if ((nif->nf_ifp == ifp) &&
- (nif->nf_unit == ifp->if_unit) &&
- !strcmp(nif->nf_name, ifp->if_name)) {
- break;
- }
- if (ifp) {
- qp = &nif->nf_next;
- continue;
- }
- printf("IP Filter: detaching [%s]\n", nif->nf_name);
- *qp = nif->nf_next;
-
- /*
- * Disable any rules directly associated with this interface
- */
- MUTEX_ENTER(&ipf_mutex);
- for (f = ipfilter[0][0]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)nif->nf_ifp)
- f->fr_ifa = (struct ifnet *)-1;
- for (f = ipfilter[1][0]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)nif->nf_ifp)
- f->fr_ifa = (struct ifnet *)-1;
- MUTEX_EXIT(&ipf_mutex);
- MUTEX_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next)
- if (np->in_ifp == (void *)nif->nf_ifp)
- np->in_ifp =(struct ifnet *)-1;
- MUTEX_EXIT(&ipf_nat);
-
- KFREE(nif);
- nif = *qp;
- }
- MUTEX_EXIT(&ipfi_mutex);
-
- nifattach();
-
- return 0;
-}
-
-
-/*
- * unhook the IP filter from all defined interfaces with IP addresses
- */
-static void
-nifdetach()
-{
- struct ifnet *ifp;
- nif_t *nif, **qp;
-
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
- /*
- * Make two passes, first get rid of all the unknown devices, next
- * unlink known devices.
- */
- for (qp = &nif_head; (nif = *qp); ) {
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if (nif->nf_ifp == ifp)
- break;
- if (ifp) {
- qp = &nif->nf_next;
- continue;
- }
- printf("IP Filter: removing [%s]\n", nif->nf_name);
- *qp = nif->nf_next;
- KFREE(nif);
- }
-
- while ((nif = nif_head)) {
- nif_head = nif->nf_next;
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
- if (nif->nf_ifp == ifp)
- break;
- if (ifp) {
- printf("IP Filter: detaching [%s,%d]\n",
- nif->nf_name, ifp->if_unit);
-
-#if IPFDEBUG >= 4
- printf("IP Filter: nifdetach: ifp(%lx)->if_output FROM %lx TO %lx\n",
- ifp, ifp->if_output, nif->nf_output);
-#endif
- ifp->if_output = nif->nf_output;
- }
- KFREE(nif);
- }
- MUTEX_EXIT(&ipfi_mutex);
-
- return;
-}
-
-
-static void
-ipfilterdetach(void)
-{
-#ifdef IPFILTER_LKM
- MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */
-
- if (ipff_addr) {
- *ipff_addr = 0;
-
- if (ipfk_addr)
- bcopy(ipfk_code, ipfk_addr, sizeof(ipfk_code));
-
- *ipff_addr = ipff_value;
- }
-
- MUTEX_EXIT(&ipfi_mutex);
-#else
- extern int ipfilterflag;
-
- ipfilterflag = 0;
-#endif
-}
-
-/* called by ipldetach() */
-void
-ipfilter_sgi_detach(void)
-{
- nifdetach();
-
- ipfilterdetach();
-}
-
-/* called by iplattach() */
-int
-ipfilter_sgi_attach(void)
-{
- int error;
-
- nif_interfaces = 0;
-
- error = ipfilterattach();
-
- if (!error)
- nifattach();
-
- return error;
-}
-
-/* this function is called from ipfr_slowtimer at 500ms intervals to
- keep our interface list in sync */
-void
-ipfilter_sgi_intfsync(void)
-{
- MUTEX_ENTER(&ipfi_mutex);
- if (nif_interfaces != in_interfaces) {
- /* if the number of interfaces has changed, resync */
- MUTEX_EXIT(&ipfi_mutex);
- ipfsync();
- } else
- MUTEX_EXIT(&ipfi_mutex);
-}
-
-#ifdef IPFILTER_LKM
-/* this routine should be treated as an interrupt routine and should
- not call any routines that would cause it to sleep, such as: biowait(),
- sleep(), psema() or delay().
-*/
-int
-IPL_EXTERN(unload)(void)
-{
- int error = 0;
-
- error = ipldetach();
-
- LOCK_DEALLOC(ipl_mutex.l);
- LOCK_DEALLOC(ipf_rw.l);
- LOCK_DEALLOC(ipf_auth.l);
- LOCK_DEALLOC(ipf_natfrag.l);
- LOCK_DEALLOC(ipf_nat.l);
- LOCK_DEALLOC(ipf_state.l);
- LOCK_DEALLOC(ipf_frag.l);
- LOCK_DEALLOC(ipf_mutex.l);
- LOCK_DEALLOC(ipfi_mutex.l);
-
- return error;
-}
-#endif
-
-void
-IPL_EXTERN(init)(void)
-{
-#ifdef IPFILTER_LKM
- int error;
-#endif
-
- ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
-
- if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
- !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l ||
- !ipl_mutex.l)
- panic("IP Filter: LOCK_ALLOC failed");
-
-#ifdef IPFILTER_LKM
- error = iplattach();
- if (error) {
- IPL_EXTERN(unload)();
- }
-#endif
-
- return;
-}
-
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
deleted file mode 100644
index b170940..0000000
--- a/contrib/ipfilter/mln_ipl.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-
-
-#include <sys/param.h>
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# define NETBSD_PF
-#endif
-
-#include <sys/systm.h>
-#include <sys/conf.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <sys/proc.h>
-#include <sys/uio.h>
-#include <sys/kernel.h>
-#include <sys/vnode.h>
-#include <sys/namei.h>
-#include <sys/malloc.h>
-#include <sys/mount.h>
-#include <sys/exec.h>
-#include <sys/mbuf.h>
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <sys/lkm.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
-#define vn_lock(v,f) VOP_LOCK(v)
-#endif
-
-#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
-#define VOP_LEASE LEASE_CHECK
-#endif
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern int lkmenodev __P((void));
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry __P((struct lkm_table *, int, int));
-#else
-#if defined(OpenBSD)
-int if_ipl __P((struct lkm_table *, int, int));
-#else
-int xxxinit __P((struct lkm_table *, int, int));
-#endif
-#endif
-static int ipl_unload __P((void));
-static int ipl_load __P((void));
-static int ipl_remove __P((void));
-static int iplaction __P((struct lkm_table *, int));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-
-
-#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-extern const struct cdevsw ipl_cdevsw;
-# else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- 0, /* write */
- iplioctl, /* ioctl */
- 0, /* stop */
- 0, /* tty */
- 0, /* select */
- 0, /* mmap */
- NULL /* strategy */
-};
-# endif
-#else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- (void *)nullop, /* write */
- iplioctl, /* ioctl */
- (void *)nullop, /* stop */
-#ifndef OpenBSD
- (void *)nullop, /* reset */
-#endif
- (void *)NULL, /* tty */
- (void *)nullop, /* select */
- (void *)nullop, /* mmap */
- NULL /* strategy */
-};
-#endif
-int ipl_major = 0;
-
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-MOD_DEV(IPL_VERSION, "ipl", NULL, -1, &ipl_cdevsw, -1);
-#else
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
-#endif
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry(lkmtp, cmd, ver)
-#else
-#if defined(OpenBSD)
-int if_ipl(lkmtp, cmd, ver)
-#else
-int xxxinit(lkmtp, cmd, ver)
-#endif
-#endif
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-}
-
-#ifdef OpenBSD
-int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
-#endif
-
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- struct lkm_dev *args = lkmtp->private.lkm_dev;
- int err = 0;
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- int i;
-#endif
-
- switch (cmd)
- {
- case LKM_E_LOAD :
- if (lkmexists(lkmtp))
- return EEXIST;
-
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- for (i = 0; i < nchrdev; i++)
- if (cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
- cdevsw[i].d_open == iplopen)
- break;
- if (i == nchrdev) {
- printf("IP Filter: No free cdevsw slots\n");
- return ENODEV;
- }
-
- ipl_major = i;
- args->lkm_offset = i; /* slot in cdevsw[] */
-#else
- err = devsw_attach(args->lkm_devname,
- args->lkm_bdev, &args->lkm_bdevmaj,
- args->lkm_cdev, &args->lkm_cdevmaj);
- if (err != 0)
- return (err);
- ipl_major = args->lkm_cdevmaj;
-#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- return ipl_load();
- case LKM_E_UNLOAD :
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
- devsw_detach(args->lkm_bdev, args->lkm_cdev);
- args->lkm_bdevmaj = -1;
- args->lkm_cdevmaj = -1;
-#endif
- err = ipl_unload();
- if (!err)
- printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
- break;
- case LKM_E_STAT :
- break;
- default:
- err = EIO;
- break;
- }
- return err;
-}
-
-
-static int ipl_remove()
-{
- char *name;
- struct nameidata nd;
- int error, i;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return (error);
- VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
-#ifdef OpenBSD
- VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
-#else
-# if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)
- vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
-# endif
-#endif
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
- }
- return 0;
-}
-
-
-static int ipl_unload()
-{
- int error = 0;
-
- /*
- * Unloading - remove the filter rule check from the IP
- * input/output stream.
- */
-#if defined(__NetBSD__)
- error = ipl_disable();
-#else
- error = ipldetach();
-#endif
-
- if (!error)
- error = ipl_remove();
- return error;
-}
-
-
-static int ipl_load()
-{
- struct nameidata nd;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- /*
- * XXX Remove existing device nodes prior to creating new ones
- * XXX using the assigned LKM device slot's major number. In a
- * XXX perfect world we could use the ones specified by cdevsw[].
- */
- (void)ipl_remove();
-
- error = ipl_enable();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return error;
- if (nd.ni_vp != NULL) {
- VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- vrele(nd.ni_vp);
- return (EEXIST);
- }
- VATTR_NULL(&vattr);
- vattr.va_type = VCHR;
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
- if (error)
- return error;
- }
- return error;
-}
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
deleted file mode 100644
index 5a70ab9..0000000
--- a/contrib/ipfilter/mls_ipl.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/conf.h>
-#include <sys/syslog.h>
-#include <sys/buf.h>
-#include <sys/mbuf.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/vnode.h>
-#include <sundev/mbvar.h>
-#include <sun/autoconf.h>
-#include <sun/vddrv.h>
-#if defined(sun4c) || defined(sun4m)
-# include <sun/openprom.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <net/if.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $";
-#endif
-
-extern int ipldetach __P((void));
-#ifndef IPFILTER_LOG
-#define iplread nulldev
-#endif
-extern int nulldev __P((void));
-extern int errno;
-extern int iplidentify __P((char *));
-
-extern int nodev __P((void));
-
-static int unload __P((void));
-static int ipl_attach __P((void));
-int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-
-
-struct cdevsw ipldevsw =
-{
- iplopen, iplclose, iplread, nulldev,
- iplioctl, nulldev, nulldev, nulldev,
- 0, nulldev,
-};
-
-
-struct dev_ops ipl_ops =
-{
- 1,
- iplidentify,
- iplattach,
- iplopen,
- iplclose,
- iplread,
- NULL, /* write */
- NULL, /* strategy */
- NULL, /* dump */
- 0, /* psize */
- iplioctl,
- NULL, /* reset */
- NULL /* mmap */
-};
-
-int ipl_major = 0;
-
-#ifdef sun4m
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO,
- IPL_VERSION,
- &ipl_ops,
- NULL,
- &ipldevsw,
- 0,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- 1,
-};
-#else /* sun4m */
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO, /* magic */
- IPL_VERSION,
-#ifdef sun4c
- &ipl_ops, /* dev_ops */
-#else
- NULL, /* struct mb_ctlr *mb_ctlr */
- NULL, /* struct mb_driver *mb_driver */
- NULL, /* struct mb_device *mb_device */
- 0, /* num ctlrs */
- 1, /* numdevs */
-#endif /* sun4c */
- NULL, /* bdevsw */
- &ipldevsw, /* cdevsw */
- 0, /* block major */
- 0, /* char major */
-};
-#endif /* sun4m */
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-xxxinit(fc, vdp, data, vds)
-u_int fc;
-struct vddrv *vdp;
-caddr_t data;
-struct vdstat *vds;
-{
- struct vdioctl_load *vdi = (struct vdioctl_load *)data;
-
- switch (fc)
- {
- case VDLOAD:
- {
- struct vdconf *vdc;
- if (vdi && vdi->vdi_userconf)
- for (vdc = vdi->vdi_userconf; vdc->vdc_type; vdc++)
- if (vdc->vdc_type == VDCCHARMAJOR) {
- ipl_major = vdc->vdc_data;
- break;
- }
-
- if (!ipl_major) {
- while (ipl_major < nchrdev &&
- cdevsw[ipl_major].d_open != vd_unuseddev)
- ipl_major++;
- if (ipl_major == nchrdev)
- return ENODEV;
- }
- vdp->vdd_vdtab = (struct vdlinkage *)&vd;
- vd.Drv_charmajor = ipl_major;
- return ipl_attach();
- }
- case VDUNLOAD:
- return unload();
- case VDSTAT:
- return 0;
- default:
- return EIO;
- }
-}
-
-
-static int unload()
-{
- char *name;
- int err, i;
-
- err = ipldetach();
- if (err)
- return err;
- for (i = 0; (name = ipf_devfiles[i]); i++)
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- return 0;
-}
-
-
-static int ipl_attach()
-{
- struct vnode *vp;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- error = iplattach();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- vattr_null(&vattr);
- vattr.va_type = MFTOVT(fmode);
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
-
- error = vn_create(name, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
- if (error) {
- printf("IP Filter: vn_create(%s) = %d\n", name, error);
- break;
- } else {
- VN_RELE(vp);
- }
- }
- return error;
-}
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
deleted file mode 100644
index 7246234..0000000
--- a/contrib/ipfilter/natparse.c
+++ /dev/null
@@ -1,902 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#else
-# include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.29 2003/05/15 17:45:34 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-
-extern void printnat __P((ipnat_t *, int));
-extern int countbits __P((u_32_t));
-extern char *proto;
-
-ipnat_t *natparse __P((char *, int, int *));
-void natparsefile __P((int, char *, int));
-void nat_setgroupmap __P((struct ipnat *));
-
-
-void nat_setgroupmap(n)
-ipnat_t *n;
-{
- if (n->in_outmsk == n->in_inmsk)
- n->in_ippip = 1;
- else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
- n->in_ippip++;
- if (n->in_ippip == 0)
- n->in_ippip = 1;
- n->in_ppip = USABLE_PORTS / n->in_ippip;
- } else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
- n->in_ppip = 1;
- n->in_ippip = USABLE_PORTS / n->in_ppip;
- }
-}
-
-
-/*
- * Parse a line of input from the ipnat configuration file
- *
- * status:
- * < 0 error
- * = 0 OK
- * > 0 programmer error
- */
-ipnat_t *natparse(line, linenum, status)
-char *line;
-int linenum;
-int *status;
-{
- static ipnat_t ipn;
- struct protoent *pr;
- char *dnetm = NULL, *dport = NULL;
- char *s, *t, *cps[31], **cpp;
- int i, cnt;
- char *port1a = NULL, *port1b = NULL, *port2a = NULL;
-
- *status = 100; /* default to error */
- proto = NULL;
-
- /*
- * Search for end of line and comment marker, advance of leading spaces
- */
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- while (*line && isspace(*line))
- line++;
- if (!*line) {
- *status = 0;
- return NULL;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
- cnt = 0;
-
- /*
- * split line upto into segments.
- */
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- *status = -1;
- return NULL;
- }
-
- cpp = cps;
-
- /*
- * Check first word is a recognised keyword and then is the interface
- */
- if (!strcasecmp(*cpp, "map"))
- ipn.in_redir = NAT_MAP;
- else if (!strcasecmp(*cpp, "map-block"))
- ipn.in_redir = NAT_MAPBLK;
- else if (!strcasecmp(*cpp, "rdr"))
- ipn.in_redir = NAT_REDIRECT;
- else if (!strcasecmp(*cpp, "bimap"))
- ipn.in_redir = NAT_BIMAP;
- else {
- fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
-
- cpp++;
-
- strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
- ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
- cpp++;
-
- /*
- * If the first word after the interface is "from" or is a ! then
- * the expanded syntax is being used so parse it differently.
- */
- if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
- if (!strcmp(*cpp, "!")) {
- cpp++;
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "Missing from after !\n");
- *status = -1;
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- } else if (**cpp == '!') {
- if (strcasecmp(*cpp + 1, "from")) {
- fprintf(stderr, "Missing from after !\n");
- *status = -1;
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- }
- if ((ipn.in_flags & IPN_NOTSRC) &&
- (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
- fprintf(stderr, "Cannot use '! from' with map\n");
- *status = -1;
- return NULL;
- }
-
- ipn.in_flags |= IPN_FILTER;
- cpp++;
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum)) {
- *status = -1;
- return NULL;
- }
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk, &ipn.in_sport,
- &ipn.in_scmp, &ipn.in_stop, linenum)) {
- *status = -1;
- return NULL;
- }
- }
-
- if (!strcmp(*cpp, "!")) {
- cpp++;
- ipn.in_flags |= IPN_NOTDST;
- } else if (**cpp == '!') {
- (*cpp)++;
- ipn.in_flags |= IPN_NOTDST;
- }
-
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if ((ipn.in_flags & IPN_NOTDST) &&
- (ipn.in_redir & (NAT_REDIRECT))) {
- fprintf(stderr, "Cannot use '! to' with rdr\n");
- *status = -1;
- return NULL;
- }
-
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- *status = -1;
- return NULL;
- }
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
- (u_32_t *)&ipn.in_outmsk, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_dport);
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport,
- &ipn.in_dcmp, &ipn.in_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- }
- } else {
- s = *cpp;
- if (!s) {
- fprintf(stderr, "%d: short line\n", linenum);
- *status = -1;
- return NULL;
- }
- t = strchr(s, '/');
- if (!t) {
- fprintf(stderr, "%d: no netmask on LHS\n", linenum);
- *status = -1;
- return NULL;
- }
- *t++ = '\0';
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1){
- *status = -1;
- return NULL;
- }
- if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
- *status = -1;
- return NULL;
- }
- } else {
- if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
- *status = -1;
- return NULL;
- }
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: short line\n", linenum);
- *status = -1;
- return NULL;
- }
- }
-
- /*
- * If it is a standard redirect then we expect it to have a port
- * match after the hostmask.
- */
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 1st port\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
- *s++ = '\0';
- else
- s = NULL;
-
- port1a = *cpp++;
-
- if (!strcmp(*cpp, "-")) {
- cpp++;
- s = *cpp++;
- }
-
- if (s)
- port1b = s;
- else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- /*
- * In the middle of the NAT rule syntax is -> to indicate the
- * direction of translation.
- */
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (->)\n", linenum);
- *status = -1;
- return NULL;
- }
- if (strcmp(*cpp, "->")) {
- fprintf(stderr, "%d: missing ->\n", linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum, ipn.in_redir ? "destination" : "target");
- *status = -1;
- return NULL;
- }
-
- if (ipn.in_redir == NAT_MAP) {
- if (!strcasecmp(*cpp, "range")) {
- cpp++;
- ipn.in_flags |= IPN_IPRANGE;
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum,
- ipn.in_redir ? "destination":"target");
- *status = -1;
- return NULL;
- }
- }
- }
-
- if (ipn.in_flags & IPN_IPRANGE) {
- dnetm = strrchr(*cpp, '-');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
- dnetm = *(cpp + 1);
- } else
- *dnetm++ = '\0';
- if (dnetm == NULL || *dnetm == '\0') {
- fprintf(stderr,
- "%d: desination range not specified\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (ipn.in_redir != NAT_REDIRECT) {
- dnetm = strrchr(*cpp, '/');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcasecmp(*cpp, "netmask"))
- dnetm = *++cpp;
- }
- if (dnetm == NULL) {
- fprintf(stderr,
- "%d: missing fields (dest netmask)\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (*dnetm == '/')
- *dnetm++ = '\0';
- }
-
- if (ipn.in_redir == NAT_REDIRECT) {
- dnetm = strchr(*cpp, ',');
- if (dnetm != NULL) {
- ipn.in_flags |= IPN_SPLIT;
- *dnetm++ = '\0';
- }
- if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) {
- *status = -1;
- return NULL;
- }
-#if SOLARIS
- if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) {
- fprintf(stderr,
- "localhost as destination not supported\n");
- *status = -1;
- return NULL;
- }
-#endif
- } else {
- if (!strcmp(*cpp, ipn.in_ifname))
- *cpp = "0";
- if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- }
- cpp++;
-
- if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp) {
- if (strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (*cpp == NULL) {
- fprintf(stderr,
- "%d: missing argument to \"ports\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!strcasecmp(*cpp, "auto"))
- ipn.in_flags |= IPN_AUTOPORTMAP;
- else
- ipn.in_pmin = atoi(*cpp);
- cpp++;
- } else
- ipn.in_pmin = 0;
- } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (*cpp && (strrchr(*cpp, '/') != NULL)) {
- fprintf(stderr, "%d: No netmask supported in %s\n",
- linenum, "destination host for redirect");
- *status = -1;
- return NULL;
- }
-
- if (!*cpp) {
- fprintf(stderr, "%d: Missing destination port %s\n",
- linenum, "in redirect");
- *status = -1;
- return NULL;
- }
-
- /* If it's a in_redir, expect target port */
-
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- port2a = *cpp++;
- }
- if (dnetm && *dnetm == '/')
- *dnetm++ = '\0';
-
- if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
- if (ipn.in_flags & IPN_IPRANGE) {
- if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
- linenum) == -1) {
- *status = -1;
- return NULL;
- }
- } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) {
- *status = -1;
- return NULL;
- }
- } else {
- if (ipn.in_flags & IPN_SPLIT) {
- if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
- linenum) == -1) {
- *status = -1;
- return NULL;
- }
- } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)){
- *status = -1;
- return NULL;
- }
- if (!*cpp) {
- ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */
- proto = "tcp";
- } else {
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(proto, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(proto, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(proto, "tcpudp")) {
- ipn.in_flags |= IPN_TCPUDP;
- proto = "tcp/udp";
- } else if (!strcasecmp(proto, "ip"))
- ipn.in_flags |= IPN_ANY;
- else {
- ipn.in_flags |= IPN_ANY;
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else {
- if (!isdigit(*proto)) {
- fprintf(stderr,
- "%d: Unknown protocol %s\n",
- linenum, proto);
- *status = -1;
- return NULL;
- } else
- ipn.in_p = atoi(proto);
- }
- }
- if ((ipn.in_flags & IPN_TCPUDP) == 0) {
- port1a = "0";
- port2a = "0";
- }
-
- if (*cpp && !strcasecmp(*cpp, "round-robin")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: age with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- ipn.in_age[0] = atoi(*cpp);
- s = index(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr,
- "%d: mssclamp with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr,
- "%d: extra junk at the end of the line: %s\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- }
- }
-
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (!portnum(port1a, &ipn.in_pmin, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_pmin);
- if (port1b != NULL) {
- if (!portnum(port1b, &ipn.in_pmax, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmax = htons(ipn.in_pmax);
- } else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (!portnum(port2a, &ipn.in_pnext, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pnext = htons(ipn.in_pnext);
- }
-
- if (!(ipn.in_flags & IPN_SPLIT))
- ipn.in_inip &= ipn.in_inmsk;
- if ((ipn.in_flags & IPN_IPRANGE) == 0)
- ipn.in_outip &= ipn.in_outmsk;
- ipn.in_srcip &= ipn.in_srcmsk;
-
- if ((ipn.in_redir & NAT_MAPBLK) != 0)
- nat_setgroupmap(&ipn);
-
- if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (!*cpp) {
- *status = 0;
- return &ipn;
- }
-
- if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) {
- u_short pport;
-
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use proxy with bimap\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- dport = NULL;
-
- if (!strcasecmp(*cpp, "port")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"port\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- dport = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else {
- fprintf(stderr,
- "%d: missing keyword \"port\"\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if ((proto = index(*cpp, '/'))) {
- *proto++ = '\0';
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(proto);
- } else
- ipn.in_p = 0;
-
- if (dport && !portnum(dport, &pport, linenum))
- return NULL;
- if (ipn.in_dcmp != 0) {
- if (pport != ipn.in_dport) {
- fprintf(stderr,
- "%d: mismatch in port numbers\n",
- linenum);
- return NULL;
- }
- } else
- ipn.in_dport = htons(pport);
-
- (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
- cpp++;
-
- } else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) {
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr, "%d: cannot use portmap with bimap\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing expression following portmap\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else {
- fprintf(stderr,
- "%d: expected protocol name - got \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- proto = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: no port range found\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "auto")) {
- ipn.in_flags |= IPN_AUTOPORTMAP;
- ipn.in_pmin = htons(1024);
- ipn.in_pmax = htons(65535);
- nat_setgroupmap(&ipn);
- cpp++;
- } else {
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr,
- "%d: no port range in \"%s\"\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- *t++ = '\0';
- if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
- !portnum(t, &ipn.in_pmax, linenum)) {
- *status = -1;
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_pmin);
- ipn.in_pmax = htons(ipn.in_pmax);
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp(*cpp, "frag")) {
- cpp++;
- ipn.in_flags |= IPN_FRAG;
- }
-
- if (*cpp && !strcasecmp(*cpp, "age")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: age with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- ipn.in_age[0] = atoi(*cpp);
- s = index(*cpp, '/');
- if (s != NULL)
- ipn.in_age[1] = atoi(s + 1);
- else
- ipn.in_age[1] = ipn.in_age[0];
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "mssclamp")) {
- cpp++;
- if (*cpp) {
- ipn.in_mssclamp = atoi(*cpp);
- cpp++;
- } else {
- fprintf(stderr, "%d: mssclamp with no parameters\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-
- if (*cpp) {
- fprintf(stderr, "%d: extra junk at the end of the line: %s\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
-
- *status = 0;
- return &ipn;
-}
-
-
-void natparsefile(fd, file, opts)
-int fd;
-char *file;
-int opts;
-{
- char line[512], *s;
- ipnat_t *np;
- FILE *fp;
- int linenum = 0;
- int parsestatus;
-
- if (strcmp(file, "-")) {
- if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: open: %s\n", file,
- STRERROR(errno));
- exit(1);
- }
- } else
- fp = stdin;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
- line[sizeof(line) - 1] = '\0';
- if ((s = strchr(line, '\n')))
- *s = '\0';
-
- parsestatus = 1;
- np = natparse(line, linenum, &parsestatus);
- if (parsestatus != 0) {
- if (*line) {
- fprintf(stderr, "%d: syntax error in \"%s\"\n",
- linenum, line);
- }
- fprintf(stderr, "%s: %s error (%d), quitting\n",
- file,
- ((parsestatus < 0)? "parse": "internal"),
- parsestatus);
- exit(1);
- }
- if (np) {
- if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts);
- if (!(opts & OPT_NODO)) {
- if (!(opts & OPT_REMOVE)) {
- if (ioctl(fd, SIOCADNAT, &np) == -1) {
- fprintf(stderr, "%d:",
- linenum);
- perror("ioctl(SIOCADNAT)");
- }
- } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCRMNAT)");
- }
- }
- }
- }
- if (fp != stdin)
- fclose(fp);
-}
diff --git a/contrib/ipfilter/net/.cvsignore b/contrib/ipfilter/net/.cvsignore
deleted file mode 100644
index 19f86f4..0000000
--- a/contrib/ipfilter/net/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-done
diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c
deleted file mode 100644
index 825a5e3..0000000
--- a/contrib/ipfilter/opt.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.3 2002/12/06 11:40:27 darrenr Exp $";
-#endif
-
-extern int opts;
-
-struct ipopt_names ionames[] ={
- { IPOPT_NOP, 0x000001, 1, "nop" },
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" },
- { IPOPT_MTUP, 0x000008, 3, "mtup" },
- { IPOPT_MTUR, 0x000010, 3, "mtur" },
- { IPOPT_ENCODE, 0x000020, 3, "encode" },
- { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" },
- { IPOPT_SECURITY,0x000100, 11, "sec" },
- { IPOPT_SECURITY,0x000100, 11, "sec-class" },
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" },
- { IPOPT_CIPSO, 0x000800, 3, "cipso" },
- { IPOPT_SATID, 0x001000, 4, "satid" },
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" },
- { IPOPT_VISA, 0x008000, 3, "visa" },
- { IPOPT_IMITD, 0x010000, 3, "imitd" },
- { IPOPT_EIP, 0x020000, 3, "eip" },
- { IPOPT_FINN, 0x040000, 3, "finn" },
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
-
-struct ipopt_names secclass[] = {
- { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
- { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
- { IPSO_CLASS_SECR, 0x04, 0, "secret" },
- { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
- { IPSO_CLASS_CONF, 0x10, 0, "confid" },
- { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
- { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-static u_char seclevel __P((char *));
-int addipopt __P((char *, struct ipopt_names *, int, char *));
-
-static u_char seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return (u_char)so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- int olen = len;
- struct in_addr ipadr;
- u_short val;
- u_char lvl;
- char *s;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- s = op;
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- if (class) {
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- ipadr.s_addr = inet_addr(class);
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
- }
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
- }
- if (opts & OPT_DEBUG)
- fprintf(stderr, "bo: %s %d %#x: %d\n",
- io->on_name, io->on_value, io->on_bit, len);
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
- *op++ = IPOPT_EOL;
- len++;
- return len;
-}
diff --git a/contrib/ipfilter/opt_inet6.h b/contrib/ipfilter/opt_inet6.h
deleted file mode 100644
index 43e7657..0000000
--- a/contrib/ipfilter/opt_inet6.h
+++ /dev/null
@@ -1 +0,0 @@
-#define INET6
diff --git a/contrib/ipfilter/opts.h b/contrib/ipfilter/opts.h
deleted file mode 100644
index 655f9f0..0000000
--- a/contrib/ipfilter/opts.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2000 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: opts.h,v 2.12 2003/08/14 14:24:27 darrenr Exp $
- */
-
-#ifndef __OPTS_H__
-#define __OPTS_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#define OPT_REMOVE 0x000001
-#define OPT_DEBUG 0x000002
-#define OPT_AUTHSTATS 0x000004
-#define OPT_RAW 0x000008
-#define OPT_LOG 0x000010
-#define OPT_SHOWLIST 0x000020
-#define OPT_VERBOSE 0x000040
-#define OPT_DONOTHING 0x000080
-#define OPT_HITS 0x000100
-#define OPT_BRIEF 0x000200
-#define OPT_ACCNT 0x000400
-#define OPT_FRSTATES 0x000800
-#define OPT_SHOWLINENO 0x001000
-#define OPT_PRINTFR 0x002000
-#define OPT_OUTQUE FR_OUTQUE /* 0x4000 */
-#define OPT_INQUE FR_INQUE /* 0x8000 */
-#define OPT_ZERORULEST 0x010000
-#define OPT_SAVEOUT 0x020000
-#define OPT_IPSTATES 0x040000
-#define OPT_INACTIVE 0x080000
-#define OPT_NAT 0x100000
-#define OPT_GROUPS 0x200000
-#define OPT_STATETOP 0x400000
-#define OPT_FLUSH 0x800000
-#define OPT_CLEAR 0x1000000
-#define OPT_HEX 0x2000000
-#define OPT_ASCII 0x4000000
-#define OPT_NORESOLVE 0x8000000
-
-#define OPT_STAT OPT_FRSTATES
-#define OPT_LIST OPT_SHOWLIST
-
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#if defined(sun) && !SOLARIS
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-extern int opts;
-
-#endif /* __OPTS_H__ */
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
deleted file mode 100644
index 0d8a617..0000000
--- a/contrib/ipfilter/parse.c
+++ /dev/null
@@ -1,1510 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-extern int use_inet6;
-
-int addicmp __P((char ***, struct frentry *, int));
-int extras __P((char ***, struct frentry *, int));
-
-int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
-int to_interface __P((frdest_t *, char *, int));
-void print_toif __P((char *, frdest_t *));
-void optprint __P((u_short *, u_long, u_long));
-int loglevel __P((char **, u_int *, int));
-void printlog __P((frentry_t *));
-void printifname __P((char *, char *, void *));
-
-extern char *proto;
-extern char flagset[];
-extern u_char flags[];
-
-
-/* parse()
- *
- * parse a line read from the input filter rule file
- *
- * status:
- * < 0 error
- * = 0 OK
- * > 0 programmer error
- */
-struct frentry *parse(line, linenum, status)
-char *line;
-int linenum;
-int *status; /* good, bad, or indifferent */
-{
- static struct frentry fil;
- char *cps[31], **cpp, *endptr, *s;
- struct protoent *p = NULL;
- int i, cnt = 1, j, ch;
- u_int k;
-
- *status = 100; /* default to error */
-
- while (*line && isspace(*line))
- line++;
- if (!*line) {
- *status = 0;
- return NULL;
- }
-
- bzero((char *)&fil, sizeof(fil));
- fil.fr_mip.fi_v = 0xf;
- fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
- fil.fr_loglevel = 0xffff;
-
- /*
- * break line up into max of 20 segments
- */
- if (opts & OPT_DEBUG)
- fprintf(stderr, "parse [%s]\n", line);
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- *status = -1;
- return NULL;
- }
-
- cpp = cps;
- /*
- * The presence of an '@' followed by a number gives the position in
- * the current rule list to insert this one.
- */
- if (**cpp == '@')
- fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
-
-
- /*
- * Check the first keyword in the rule and any options that are
- * expected to follow it.
- */
- if (!strcasecmp("block", *cpp)) {
- fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
- (i = 19))
- fil.fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
- fil.fr_flags |= FR_RETICMP;
- if (fil.fr_flags & FR_RETICMP) {
- cpp++;
- if (strlen(*cpp) == i) {
- if (*(cpp + 1) && **(cpp +1) == '(') {
- cpp++;
- i = 0;
- } else
- i = -1;
- }
-
- /*
- * The ICMP code is not required to follow in ()'s
- */
- if ((i >= 0) && (*(*cpp + i) == '(')) {
- i++;
- j = icmpcode(*cpp + i);
- if (j == -1) {
- fprintf(stderr,
- "%d: unrecognised icmp code %s\n",
- linenum, *cpp + 20);
- *status = -1;
- return NULL;
- }
- fil.fr_icode = j;
- }
- } else if (!strcasecmp(*(cpp+1), "return-rst")) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("count", *cpp)) {
- fil.fr_flags |= FR_ACCOUNT;
- } else if (!strcasecmp("pass", *cpp)) {
- fil.fr_flags |= FR_PASS;
- } else if (!strcasecmp("nomatch", *cpp)) {
- fil.fr_flags |= FR_NOMATCH;
- } else if (!strcasecmp("auth", *cpp)) {
- fil.fr_flags |= FR_AUTH;
- if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("preauth", *cpp)) {
- fil.fr_flags |= FR_PREAUTH;
- } else if (!strcasecmp("skip", *cpp)) {
- cpp++;
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_skip = k;
- else {
- fprintf(stderr, "%d: integer must follow skip\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (!strcasecmp("log", *cpp)) {
- fil.fr_flags |= FR_LOG;
- if (!strcasecmp(*(cpp+1), "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "level")) {
- cpp++;
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- /* NB loglevel prints its own error message */
- *status = -1;
- return NULL;
- }
- cpp++;
- }
- } else {
- /*
- * Doesn't start with one of the action words
- */
- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * Get the direction for filtering. Impose restrictions on direction
- * if blocking with returning ICMP or an RST has been requested.
- */
- if (!strcasecmp("in", *cpp))
- fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp)) {
- fil.fr_flags |= FR_OUTQUE;
- if (fil.fr_flags & FR_RETICMP) {
- fprintf(stderr,
- "%d: Can only use return-icmp with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- } else if (fil.fr_flags & FR_RETRST) {
- fprintf(stderr,
- "%d: Can only use return-rst with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp("log", *cpp)) {
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_flags & FR_PASS)
- fil.fr_flags |= FR_LOGP;
- else if (fil.fr_flags & FR_BLOCK)
- fil.fr_flags |= FR_LOGB;
- if (*cpp && !strcasecmp(*cpp, "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "or-block")) {
- if (!(fil.fr_flags & FR_PASS)) {
- fprintf(stderr,
- "%d: or-block must be used with pass\n",
- linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "level")) {
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- cpp++;
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp("quick", *cpp)) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with quick\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- fil.fr_flags |= FR_QUICK;
- }
-
- /*
- * Parse rule options that are available if a rule is tied to an
- * interface.
- */
- *fil.fr_ifname = '\0';
- *fil.fr_oifname = '\0';
- if (*cpp && !strcasecmp(*cpp, "on")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: interface name missing\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
- fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
- } else
- strcpy(fil.fr_ifnames[1], "*");
-
- (void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
-
- cpp++;
- if (!*cpp) {
- if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
- fprintf(stderr,
- "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
- *status = 0;
- return &fil;
- }
-
- if (*cpp) {
- if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_dif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_tif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- } else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
- if (!(fil.fr_flags & FR_INQUE)) {
- fprintf(stderr,
- "can only use %s with 'in'\n",
- "fastroute");
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_FASTROUTE;
- cpp++;
- }
- }
-
- /*
- * Set the "other" interface name. Lets you specify both
- * inbound and outbound interfaces for state rules. Do not
- * prevent both interfaces from being the same.
- */
- strcpy(fil.fr_ifnames[3], "*");
- if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
- ((((fil.fr_flags & FR_INQUE) != 0) &&
- (strcasecmp(*cpp, "out-via") == 0)) ||
- (((fil.fr_flags & FR_OUTQUE) != 0) &&
- (strcasecmp(*cpp, "in-via") == 0)))) {
- cpp++;
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[3], s,
- IFNAMSIZ - 1);
- fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
- }
-
- (void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
- cpp++;
- } else
- strcpy(fil.fr_ifnames[2], "*");
- }
- if (*cpp && !strcasecmp(*cpp, "tos")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tos missing value\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tos = strtol(*cpp, NULL, 0);
- fil.fr_mip.fi_tos = 0xff;
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "ttl")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: ttl missing hopcount value\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoi(*cpp, &i, 0, 255))
- fil.fr_ttl = i;
- else {
- fprintf(stderr, "%d: invalid ttl (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- fil.fr_mip.fi_ttl = 0xff;
- cpp++;
- }
-
- /*
- * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
- */
- proto = NULL;
- if (*cpp && !strcasecmp(*cpp, "proto")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: protocol name missing\n", linenum);
- *status = -1;
- return NULL;
- }
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp/udp")) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
- fprintf(stderr,
-"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
- linenum);
- } else {
- if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- if (p)
- fil.fr_proto = p->p_proto;
- else if (isdigit(*proto)) {
- i = (int)strtol(proto, &endptr, 0);
- if (*endptr != '\0' || i < 0 || i > 255) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- fil.fr_proto = i;
- }
- fil.fr_mip.fi_p = 0xff;
- }
- }
- if ((fil.fr_proto != IPPROTO_TCP) &&
- ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
- fprintf(stderr, "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
-
- /*
- * get the from host and bit mask to use against packets
- */
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!strcasecmp(*cpp, "all")) {
- cpp++;
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
- } else {
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTSRCIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTSRCIP;
- (*cpp)++;
- }
- ch = 0;
- if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
- (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
- &fil.fr_stop, linenum)) {
- *status = -1;
- return NULL;
- }
-
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_scmp = ch;
- if (!*cpp) {
- fprintf(stderr, "%d: missing to fields\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * do the same for the to field (destination host)
- */
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- *status = -1;
- return NULL;
- }
- ch = 0;
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTDSTIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTDSTIP;
- (*cpp)++;
- }
- if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
- (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
- &fil.fr_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_dcmp = ch;
- }
-
- /*
- * check some sanity, make sure we don't have icmp checks with tcp
- * or udp or visa versa.
- */
- if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
- fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
- fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
- fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
-
- if (*cpp && !strcasecmp(*cpp, "flags")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: no flags present\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
- cpp++;
- }
-
- /*
- * extras...
- */
- if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
- !strcasecmp(*cpp, "and")))
- if (extras(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * icmp types for use with the icmp protocol
- */
- if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP &&
- fil.fr_proto != IPPROTO_ICMPV6) {
- fprintf(stderr,
- "%d: icmp with wrong protocol (%d)\n",
- linenum, fil.fr_proto);
- *status = -1;
- return NULL;
- }
- if (addicmp(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
- fil.fr_icmp = htons(fil.fr_icmp);
- fil.fr_icmpm = htons(fil.fr_icmpm);
- }
-
- /*
- * Keep something...
- */
- while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * This is here to enforce the old interface binding behaviour.
- * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
- */
- if (fil.fr_flags & FR_KEEPSTATE) {
- if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
- bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
- sizeof(fil.fr_ifnames[3]));
- strncpy(fil.fr_ifnames[2], "*",
- sizeof(fil.fr_ifnames[3]));
- }
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "head")) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with head\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: head without group #\n", linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_grhead = (u_32_t)k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "group")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: group without group #\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_group = k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * leftovers...yuck
- */
- if (*cpp && **cpp) {
- fprintf(stderr, "%d: unknown words at end: [", linenum);
- for (; *cpp; cpp++)
- fprintf(stderr, "%s ", *cpp);
- fprintf(stderr, "]\n");
- *status = -1;
- return NULL;
- }
-
- /*
- * lazy users...
- */
- if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
- fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
- if (!fil.fr_proto) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else {
- fprintf(stderr,
- "%d: port comparisons for non-TCP/UDP\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-/*
- if ((fil.fr_flags & FR_KEEPFRAG) &&
- (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
- fprintf(stderr,
- "%d: must use 'with frags' with 'keep frags'\n",
- linenum);
- *status = -1;
- return NULL;
- }
-*/
- *status = 0;
- return &fil;
-}
-
-
-int loglevel(cpp, facpri, linenum)
-char **cpp;
-u_int *facpri;
-int linenum;
-{
- int fac, pri;
- char *s;
-
- fac = 0;
- pri = 0;
- if (!*++cpp) {
- fprintf(stderr, "%d: %s\n", linenum,
- "missing identifier after level");
- return -1;
- }
-
- s = index(*cpp, '.');
- if (s) {
- *s++ = '\0';
- fac = fac_findname(*cpp);
- if (fac == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown facility", *cpp);
- return -1;
- }
- pri = pri_findname(s);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", s);
- return -1;
- }
- } else {
- pri = pri_findname(*cpp);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", *cpp);
- return -1;
- }
- }
- *facpri = fac|pri;
- return 0;
-}
-
-
-int to_interface(fdp, to, linenum)
-frdest_t *fdp;
-char *to;
-int linenum;
-{
- char *s;
-
- s = index(to, ':');
- fdp->fd_ifp = NULL;
- if (s) {
- *s++ = '\0';
- if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum) == -1)
- return -1;
- }
- (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
- fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
- return 0;
-}
-
-
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
-{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
-#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
-
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
-#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
-}
-
-
-/*
- * deal with extra bits on end of the line
- */
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
- u_short secmsk;
- u_long opts;
- int notopt;
- char oflags;
-
- opts = 0;
- secmsk = 0;
- notopt = 0;
- (*cp)++;
- if (!**cp)
- return -1;
-
- while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
- !strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
- !strcasecmp(**cp, "short"))) {
- if (***cp == 'n' || ***cp == 'N') {
- notopt = 1;
- (*cp)++;
- continue;
- } else if (***cp == 'i' || ***cp == 'I') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_OPTIONS;
- fr->fr_mip.fi_fl |= FI_OPTIONS;
- goto nextopt;
- } else if (***cp == 'f' || ***cp == 'F') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_FRAG;
- fr->fr_mip.fi_fl |= FI_FRAG;
- goto nextopt;
- } else if (***cp == 'o' || ***cp == 'O') {
- if (!*(*cp + 1)) {
- fprintf(stderr,
- "%d: opt missing arguements\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!(opts = optname(cp, &secmsk, linenum)))
- return -1;
- oflags = FI_OPTIONS;
- } else if (***cp == 's' || ***cp == 'S') {
- if (fr->fr_tcpf) {
- fprintf(stderr,
- "%d: short cannot be used with TCP flags\n",
- linenum);
- return -1;
- }
-
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_SHORT;
- fr->fr_mip.fi_fl |= FI_SHORT;
- goto nextopt;
- } else
- return -1;
-
- if (!notopt || !opts)
- fr->fr_mip.fi_fl |= oflags;
- if (notopt) {
- if (!secmsk) {
- fr->fr_mip.fi_optmsk |= opts;
- } else {
- fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
- }
- } else {
- fr->fr_mip.fi_optmsk |= opts;
- }
- fr->fr_mip.fi_secmsk |= secmsk;
-
- if (notopt) {
- fr->fr_ip.fi_fl &= (~oflags & 0xf);
- fr->fr_ip.fi_optmsk &= ~opts;
- fr->fr_ip.fi_secmsk &= ~secmsk;
- } else {
- fr->fr_ip.fi_fl |= oflags;
- fr->fr_ip.fi_optmsk |= opts;
- fr->fr_ip.fi_secmsk |= secmsk;
- }
-nextopt:
- notopt = 0;
- opts = 0;
- oflags = 0;
- secmsk = 0;
- (*cp)++;
- }
- return 0;
-}
-
-
-u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
-{
- struct ipopt_names *io, *so;
- u_long msk = 0;
- u_short smsk = 0;
- char *s;
- int sec = 0;
-
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(s, io->on_name)) {
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "%d: unknown IP option name %s\n",
- linenum, s);
- return 0;
- }
- if (!strcasecmp(s, "sec-class"))
- sec = 1;
- }
-
- if (sec && !*(*cp + 1)) {
- fprintf(stderr, "%d: missing security level after sec-class\n",
- linenum);
- return 0;
- }
-
- if (sec) {
- (*cp)++;
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(s, so->on_name)) {
- smsk |= so->on_bit;
- break;
- }
- if (!so->on_name) {
- fprintf(stderr,
- "%d: no such security level: %s\n",
- linenum, s);
- return 0;
- }
- }
- if (smsk)
- *sp = smsk;
- }
- return msk;
-}
-
-
-#ifdef __STDC__
-void optprint(u_short *sec, u_long optmsk, u_long optbits)
-#else
-void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-#endif
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io, *so;
- char *s;
-
- s = " opt ";
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- if (io->on_value == IPOPT_SECURITY)
- io++;
- s = ",";
- }
- }
-
-
- if (secmsk & secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((secmsk & so->on_bit) &&
- ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not opt");
- if (optmsk != optbits) {
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- s = ",";
- if (io->on_value ==
- IPOPT_SECURITY)
- io++;
- } else
- io++;
- }
- }
-
- if (secmsk != secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((so->on_bit & secmsk) &&
- ((so->on_bit & secmsk) !=
- (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
- }
-}
-
-char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char **t;
- int i;
-
- (*cp)++;
- if (!**cp)
- return -1;
-
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else if (fp->fr_proto == IPPROTO_ICMPV6) {
- fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
- linenum, **cp, "(use numeric value instead)\n");
- return -1;
- } else {
- for (t = icmptypes, i = 0; ; t++, i++) {
- if (!*t)
- continue;
- if (!strcasecmp("END", *t)) {
- i = -1;
- break;
- }
- if (!strcasecmp(*t, **cp))
- break;
- }
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- fp->fr_icmp = (u_short)(i << 8);
- fp->fr_icmpm = (u_short)0xff00;
- (*cp)++;
- if (!**cp)
- return 0;
-
- if (**cp && strcasecmp("code", **cp))
- return 0;
- (*cp)++;
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else {
- i = icmpcode(**cp);
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- i &= 0xff;
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
-}
-
-
-#define MAX_ICMPCODE 15
-
-char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
- "srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
- "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
- "preced-cutoff", NULL };
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
- char *s;
- int i, len;
-
- if ((s = strrchr(str, ')')))
- *s = '\0';
- if (isdigit(*str)) {
- if (!ratoi(str, &i, 0, 255))
- return -1;
- else
- return i;
- }
- len = strlen(str);
- for (i = 0; icmpcodes[i]; i++)
- if (!strncasecmp(str, icmpcodes[i], MIN(len,
- strlen(icmpcodes[i])) ))
- return i;
- return -1;
-}
-
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char *s;
-
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: Missing keyword after keep\n",
- linenum);
- return -1;
- }
-
- if (strcasecmp(**cp, "state") == 0)
- fp->fr_flags |= FR_KEEPSTATE;
- else if (strncasecmp(**cp, "frag", 4) == 0)
- fp->fr_flags |= FR_KEEPFRAG;
- else if (strcasecmp(**cp, "state-age") == 0) {
- if (fp->fr_ip.fi_p == IPPROTO_TCP) {
- fprintf(stderr, "%d: cannot use state-age with tcp\n",
- linenum);
- return -1;
- }
- if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
- fprintf(stderr, "%d: state-age with no 'keep state'\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: state-age with no arg\n",
- linenum);
- return -1;
- }
- fp->fr_age[0] = atoi(**cp);
- s = index(**cp, '/');
- if (s != NULL) {
- s++;
- fp->fr_age[1] = atoi(s);
- } else
- fp->fr_age[1] = fp->fr_age[0];
- } else {
- fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
- linenum, **cp);
- return -1;
- }
- (*cp)++;
- return 0;
-}
-
-
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
-{
- printf("%s%s", format, name);
- if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
-}
-
-
-/*
- * print the filter structure in a useful way
- */
-void printfr(fp)
-struct frentry *fp;
-{
- struct protoent *p;
- u_short sec[2];
- char *s;
- u_char *t;
- int pr;
-
- if (fp->fr_flags & FR_PASS)
- printf("pass");
- if (fp->fr_flags & FR_NOMATCH)
- printf("nomatch");
- else if (fp->fr_flags & FR_BLOCK) {
- printf("block");
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- printlog(fp);
- } else if (fp->fr_flags & FR_ACCOUNT)
- printf("count");
- else if (fp->fr_flags & FR_AUTH) {
- printf("auth");
- if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if (fp->fr_flags & FR_PREAUTH)
- printf("preauth");
- else if (fp->fr_skip)
- printf("skip %hu", fp->fr_skip);
-
- if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
-
- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
- ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- printlog(fp);
- putchar(' ');
- }
-
- if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
- putchar(' ');
-
- if (*fp->fr_dif.fd_ifname)
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
-
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
- if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
- else
- printf("out-via ");
-
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
- fp->fr_ifas[2]);
- putchar(',');
- }
-
- if (*fp->fr_ifnames[3])
- printifname("", fp->fr_ifnames[3],
- fp->fr_ifas[3]);
- putchar(' ');
- }
- }
-
- if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
- if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
- if (fp->fr_ip.fi_fl & FI_TCPUDP) {
- printf("proto tcp/udp ");
- pr = -1;
- } else if ((pr = fp->fr_mip.fi_p)) {
- if ((p = getprotobynumber(fp->fr_proto)))
- printf("proto %s ", p->p_name);
- else
- printf("proto %d ", fp->fr_proto);
- }
-
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
- (u_32_t *)&fp->fr_smsk.s_addr);
- if (fp->fr_scmp)
- printportcmp(pr, &fp->fr_tuc.ftu_src);
-
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
- (u_32_t *)&fp->fr_dmsk.s_addr);
- if (fp->fr_dcmp)
- printportcmp(pr, &fp->fr_tuc.ftu_dst);
-
- if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
- (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
- fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- printf(" with");
- if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- sec[0] = fp->fr_mip.fi_secmsk;
- sec[1] = fp->fr_ip.fi_secmsk;
- optprint(sec,
- fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
- } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
- if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
- printf(" not");
- printf(" ipopt");
- }
- if (fp->fr_mip.fi_fl & FI_SHORT) {
- if (!(fp->fr_ip.fi_fl & FI_SHORT))
- printf(" not");
- printf(" short");
- }
- if (fp->fr_mip.fi_fl & FI_FRAG) {
- if (!(fp->fr_ip.fi_fl & FI_FRAG))
- printf(" not");
- printf(" frag");
- }
- }
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
- else
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
- }
-
- if (fp->fr_flags & FR_KEEPSTATE)
- printf(" keep state");
- if (fp->fr_flags & FR_KEEPFRAG)
- printf(" keep frags");
- if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0)
- printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]);
- if (fp->fr_grhead)
- printf(" head %d", fp->fr_grhead);
- if (fp->fr_group)
- printf(" group %d", fp->fr_group);
- (void)putchar('\n');
-}
-
-void binprint(fp)
-struct frentry *fp;
-{
- int i = sizeof(*fp), j = 0;
- u_char *s;
-
- for (s = (u_char *)fp; i; i--, s++) {
- j++;
- printf("%02x ", *s);
- if (j == 16) {
- printf("\n");
- j = 0;
- }
- }
- putchar('\n');
- (void)fflush(stdout);
-}
-
-
-void printlog(fp)
-frentry_t *fp;
-{
- char *s, *u;
-
- printf("log");
- if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
- if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
- if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
- if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
- if (fp->fr_loglevel & LOG_FACMASK) {
- s = fac_toname(fp->fr_loglevel);
- if (s == NULL)
- s = "!!!";
- } else
- s = "";
- u = pri_toname(fp->fr_loglevel);
- if (u == NULL)
- u = "!!!";
- if (*s)
- printf("%s.%s", s, u);
- else
- printf("%s", u);
- }
-}
diff --git a/contrib/ipfilter/pcap-ipf.h b/contrib/ipfilter/pcap-ipf.h
deleted file mode 100644
index 2ad5b01..0000000
--- a/contrib/ipfilter/pcap-ipf.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-/*
- * This header file is constructed to match the version described by
- * PCAP_VERSION_MAJ.
- *
- * The structure largely derives from libpcap which wouldn't include
- * nicely without bpf.
- */
-typedef struct pcap_filehdr {
- u_int pc_id;
- u_short pc_v_maj;
- u_short pc_v_min;
- u_int pc_zone;
- u_int pc_sigfigs;
- u_int pc_slen;
- u_int pc_type;
-} pcaphdr_t;
-
-#define TCPDUMP_MAGIC 0xa1b2c3d4
-
-#define PCAP_VERSION_MAJ 2
-
-typedef struct pcap_pkthdr {
- struct timeval ph_ts;
- u_int ph_clen;
- u_int ph_len;
-} pcappkt_t;
-
diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h
deleted file mode 100644
index aa24798..0000000
--- a/contrib/ipfilter/pcap.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
- */
-/*
- * This header file is constructed to match the version described by
- * PCAP_VERSION_MAJ.
- *
- * The structure largely derives from libpcap which wouldn't include
- * nicely without bpf.
- */
-typedef struct pcap_filehdr {
- u_int pc_id;
- u_short pc_v_maj;
- u_short pc_v_min;
- u_int pc_zone;
- u_int pc_sigfigs;
- u_int pc_slen;
- u_int pc_type;
-} pcaphdr_t;
-
-#define TCPDUMP_MAGIC 0xa1b2c3d4
-
-#define PCAP_VERSION_MAJ 2
-
-typedef struct pcap_pkthdr {
- struct timeval ph_ts;
- u_int ph_clen;
- u_int ph_len;
-} pcappkt_t;
-
diff --git a/contrib/ipfilter/perl/Ipfanaly.pl b/contrib/ipfilter/perl/Ipfanaly.pl
deleted file mode 100644
index 0fa7c17..0000000
--- a/contrib/ipfilter/perl/Ipfanaly.pl
+++ /dev/null
@@ -1,639 +0,0 @@
-#!/usr/local/bin/perl
-# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com)
-#
-############### START SUBROUTINE DECLARATIONS ###########
-
-
-sub usage {
- print "\n" x 24;
- print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n";
- print "\n arguments to -p -f -o REQUIRED\n";
- print "\n -h show this help\n";
- print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n";
- print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n";
- print " -s make security report only (no graphical or full port info generated) \n";
- print " -o lowest port number incoming traffic can talk to and be regarded as safe\n";
- print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n";
- print " -t the ip address of the inerface on which you collected data!\n";
- print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n";
- print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n";
- print "Will look at traffic to/from all ports and make graphs from file log1\n";
- print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n";
- print "Will look at SMTP traffic and make graphs from file log2\n";
- print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n";
- print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n";
- print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n";
- print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n";
-}
-
-
-
-
-sub makegifs {
-local ($maxin,$maxout,$lookat,$xmax)=@_;
-$YMAX=$maxin;
-$XMAX=$xmax;
-
-if ($maxout > $maxin)
- { $YMAX=$maxout;}
-
-($dateis,$junk)=split " " , @recs[0];
-($dayis,$monthis,$yearis)=split "/",$dateis;
-$month=$months{$monthis};
-$dateis="$dayis " . "$month " . "$yearis ";
-# split graphs in to 6 four hour spans for 24 hours
-$numgraphs=int($XMAX/240);
-
-$junk=0;
-$junk=$XMAX - 240*($numgraphs);
-if($junk gt 0 )
-{
-$numgraphs++;
-}
-
-$cnt1=0;
-$end=0;
-$loop=0;
-
-while ($cnt1++ < $numgraphs)
-{
- $filename1="in$cnt1.dat";
- $filename2="out$cnt1.dat";
- $filename3="graph$cnt1.conf";
- open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n";
- open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n";
-
- $loop=$end;
- $end=($end + 240);
-
-# write all files as x time coord from 1 to 240 minutes
-# set hour in graph via conf file
- $arraycnt=0;
- while ($loop++ < $end )
- {
- $arraycnt++;
- $val1="";
- $val2="";
- $val1=$inwards[$loop] [1];
- if($val1 eq "")
- {$val1=0};
- $val2=$outwards[$loop] [1];
- if($val2 eq "")
- {$val2=0};
- print INDATA "$arraycnt:$val1\n";
- print OUTDATA "$arraycnt:$val2\n";
- }
- close INDATA;
- close OUTDATA;
- $gnum=($cnt1 - 1);
- open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n";
- print INCONFIG "NUMBERYCELLGRIDSIZE:5\n";
- print INCONFIG "MAXYVALUE:$YMAX\n";
- print INCONFIG "MINYVALUE:0\n";
- print INCONFIG "XCELLGRIDSIZE:1.3\n";
- print INCONFIG "XMAX: 240\n";
- print INCONFIG "Bar:0\n";
- print INCONFIG "Average:0\n";
- print INCONFIG "Graphnum:$gnum\n";
- print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n";
- print INCONFIG "Transparent:no\n";
- print INCONFIG "Rbgcolour:0\n";
- print INCONFIG "Gbgcolour:255\n";
- print INCONFIG "Bbgcolour:255\n";
- print INCONFIG "Rfgcolour:0\n";
- print INCONFIG "Gfgcolour:0\n";
- print INCONFIG "Bfgcolour:0\n";
- print INCONFIG "Rcolour:0\n";
- print INCONFIG "Gcolour:0\n";
- print INCONFIG "Bcolour:255\n";
- print INCONFIG "Racolour:255\n";
- print INCONFIG "Gacolour:255\n";
- print INCONFIG "Bacolour:0\n";
- print INCONFIG "Rincolour:100\n";
- print INCONFIG "Gincolour:100\n";
- print INCONFIG "Bincolour:60\n";
- print INCONFIG "Routcolour:60\n";
- print INCONFIG "Goutcolour:100\n";
- print INCONFIG "Boutcolour:100\n";
- close INCONFIG;
-
-}
-
-
-$cnt1=0;
-while ($cnt1++ < $numgraphs)
-{
- $filename1="in$cnt1.dat";
- $out="out$cnt1.gif";
- $filename2="out$cnt1.dat";
- $filename3="graph$cnt1.conf";
- system( "cp ./$filename1 ./in.dat;
- cp ./$filename2 ./out.dat;
- cp ./$filename3 ./graph.conf");
- system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out");
- system(" cp $out /isb/local/etc/httpd/htdocs/.");
-
-}
-
-} # end of subroutine make gifs
-
-
-
-
-sub packbytime {
-local ($xmax)=@_;
-$XMAX=$xmax;
-# pass in the dest port number or get graph for all packets
-# at 1 minute intervals
-# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
-# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
-#
-# dont uses hashes to store how many packets per minite as they
-# return random x coordinate order
-@inwards=();
-@outwards=();
-$cnt=-1;
-$value5=0;
-$maxin=0;
-$maxout=0;
-$xpos=0;
-while ($cnt++ <= $#recs )
- {
- ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt];
- $bit=substr(@recs[$cnt],11);
- ($bit,$junkit)= split " " , $bit ;
- ($hour,$minute,$sec,$junk) = split ":", $bit;
-#
-# covert the time to decimal minutes and bucket to nearest minute
-#
- $xpos=($hour * 3600) + ($minute * 60) + ($sec) ;
-# xpos is number of seconds since 00:00:00 on day......
- $xpos=int($xpos / 60);
-# if we just want to see all packet in/out activity
- if("$lookat" eq "all")
- {
- if("$destip" eq "$gatekeep")
- {
-# TO GATEKEEP port lookat
-# print "to gatekeep at $xpos\n";
- $value5=$inwards[$xpos] [1];
- $value5++ ;
-# $maxin = $value5 if $maxin < $value5 ;
-
- if($value5 > $maxin)
- {
- $maxin=$value5;
- $timemaxin="$hour:$minute";
- }
- $inwards[$xpos][1]=$value5;
- }
- else
- {
-# FROM GATEKEEP to port lookat
-# print "from gatekeep at $xpos\n";
- $value4=$outwards[$xpos] [1];
- $value4++ ;
-# $maxout = $value4 if $maxout < $value4 ;
- if($value4 > $maxout)
- {
- $maxout=$value4;
- $timemaxout="$hour:$minute";
- }
-
- $outwards[$xpos][1]=$value4;
- }
- }
-
-
-
-
- if("$destport" eq "$lookat")
- {
- if("$destip" eq "$gatekeep")
- {
-# TO GATEKEEP port lookat
-# print "to gatekeep at $xpos\n";
- $value5=$inwards[$xpos] [1];
- $value5++ ;
- $maxin = $value5 if $maxin < $value5 ;
- $inwards[$xpos][1]=$value5;
- }
- else
- {
-# FROM GATEKEEP to port lookat
-# print "from gatekeep at $xpos\n";
- $value4=$outwards[$xpos] [1];
- $value4++ ;
- $maxout = $value4 if $maxout < $value4 ;
- $outwards[$xpos][1]=$value4;
- }
- }
- } # end while
-
-# now call gif making stuff
-if("$opt_g" eq "1")
-{
- print "Making plots of in files outN.gif\n";;
- makegifs($maxin,$maxout,$lookat,$#inwards);
-}
-if ("$timemaxin" ne "")
-{print "\nTime of peak packets/minute in was $timemaxin\n";}
-if ("$timemaxout" ne "")
-{print "\nTime of peak packets/minute OUT was $timemaxout\n";}
-
-} # end of subroutine packets by time
-
-
-
-
-
-sub posbadones {
-
-$safenam="";
-@dummy=$saferports;
-foreach $it (split " ",$saferports) {
-if ($it eq "icmp" )
- {
- $safenam = $safenam . " icmp";
- }
-else
- {
- $safenam = $safenam . " $services{$it}" ;
- }
-
-}
-print "\n\n########################################################################\n";
-print "well known ports are 0->1023\n";
-print "Registered ports are 1024->49151\n";
-print "Dynamic/Private ports are 49152->65535\n\n";
-print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n";
-
-print " 'safe' ports are $safenam \n";
-print "\n variables saferports and safehosts hardwire what/who we trust\n";
-print "########################################################################\n";
-
-$loop=-1;
-while ($loop++ <= $#recs )
- {
- ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
- if ("$destip" eq "$gatekeep")
- {
- if ($destport < $ITRUSTABOVE )
- {
-# if index not found (ie < 0) then we have a low port attach to gatekeep
-# that is not to a safer port (see top of this file)
-# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp
- $where=index($saferports,$destport);
- if ($where < 0)
- {
- $nameis=$services{$destport};
- if ("$nameis" eq "" )
- {
- $nameis=$destport;
- }
- print " Warning: $srcip contacted gatekeep $nameis\n";
- }
- }
- }
- }
-print "\n\n";
-} # end of subroutine posbadones
-
-
-
-
-sub toobusy_site {
-$percsafe=1;
-print "\n\n########################################################################\n";
-print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n";
-print "Trusted hosts are $safehosts\n";
-print "\nTOTAL packets were $#recs \n";
-print "########################################################################\n";
-while(($ipadd,$numpacketsent)=each %numpacks)
-{
-$perc=$numpacketsent/$#recs*100;
-if ($perc > $percsafe)
-# dont believe safehosts are attacking!
- {
- $where=index($safehosts,$ipadd);
-# if not found (ie < 0 then the source host IP address
-# isn't in the saferhosts list, a list we trust......
- if ($where < 0 )
- {
- printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc;
- }
- }
-}
-
-print "\n\n";
-} # end of subroutine toobusy_site
-
-
-############### END SUBROUTINE DECLARATIONS ###########
-
-use Getopt::Std;
-
-getopt('pfot');
-
-if("$opt_t" eq "0")
- {usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n";
-exit;
-}
-
-if("$opt_h" eq "1")
- {usage;exit 0};
-if("$opt_H" eq "1")
- {usage;exit 0};
-
-if("$opt_v" eq "1")
-{
-$ITRUSTABOVE=1024;
-$opt_s=1;
-$opt_o=$ITRUSTABOVE;
-print "\n" x 5;
-print "NOTE: when the final section of the verbose report is generated\n";
-print " every host IP address that contacted $gatekeep has \n";
-print " a tally of how many times packets from a particular port on that host\n";
-print " reached $gatekeep, and WHICH source port or source portname \n";
-print " these packets originated from.\n";
-print " Many non RFC obeying boxes do not use high ports and respond to requests from\n";
-print " $gatekeep using reserved low ports... hence you'll see things like\n";
-print " #### with 207.50.191.60 as the the source for packets ####\n";
-print " 1 connections from topx to gatekeep\n\n\n\n";
-
-}
-
-if("$opt_o" eq "")
- {usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0}
-else
-{
-$ITRUSTABOVE=$opt_o;$opt_s=1;}
-
-if("$opt_f" eq "")
- {usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0};
-$FILENAME=$opt_f;
-
-if("$opt_p" eq "")
- {usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0};
-
-# -p arg must be all or AN INTEGER in range 1<=N<=64K
-if ("$opt_p" ne "all")
- {
- $_=$opt_p;
- unless (/^[+-]?\d+$/)
- {
- usage;
- print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n";
- exit 0;
- }
- }
-
-
-# if we get here then the port option is either 'all' or an integer...
-# good enough.....
-$lookat=$opt_p;
-
-# -o arg must be all or AN INTEGER in range 1<=N<=64K
- $_=$opt_o;
- unless (/^[+-]?\d+$/)
- {
- usage;
- print "\n---->ERROR: Must specify port number (1-64K) with -o \n";
- exit 0;
- }
-
-
-#---------------------------------------------------------------------
-
-
-%danger=();
-%numpacks=();
-
-$saferports="25 53 113 123 icmp";
-$gatekeep="192.216.16.2";
-#genmagic is 192.216.25.254
-$safehosts="$gatekeep 192.216.25.254";
-
-
-
-# load hash with service numbers versus names
-
-# hash called $services
-print "Creating hash of service names / numbers \n";
-$SERV="./services";
-open (INFILE, $SERV) || die "Cant open $SERV: $!n";
-while(<INFILE>)
-{
- ($servnum,$servname,$junk)=split(/ /,$_);
-# chop off null trailing.....
- $servname =~ s/\n$//;
- $services{$servnum}=$servname;
-}
-print "Create hash of month numbers as month names\n";
-%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December");
-
-print "Reading log file into an array\n";
-#$FILENAME="./ipfilter.log";
-open (REC, $FILENAME) || die "Cant open $FILENAME: \n";
-($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC;
-print "Log file $FILENAME is $size bytes in size\n";
-#each record is an element of array rec[] now
-while(<REC>)
- {
- @recs[$numrec++]=$_;
- }
-
-
-# get list of UNIQUE source IP addresses now, records look like
-# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R
-# this is slow on big log files, about 1minute for every 2.5M log file
-print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n";
-$loop=-1;
-$where=-1;
-while ($loop++ < $#recs )
- {
-# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly
- $bit=substr(@recs[$loop],39);
- $bit =~ s/,/ /g;
- ($sourceip,$junkit)= split " " , $bit ;
-
-# NOTE the . is the string concat command NOT + .......!!!!
-
- $sourceip =~ split " ", $sourceip;
- $where=index($allips,$sourceip);
-# if not found (ie < 0, add it)
- if ($where < 0 )
- {
- $allips = $allips . "$sourceip " ;
- }
- }
-
-print "Put all unique ip addresses into a 1D array\n";
-@allips=split " ", $allips;
-
-#set loop back to -1 as first array element in recs is element 0 NOT 1 !!
-print "Making compact array of logged entries\n";
-$loop=-1;
-$icmp=" icmp ";
-$ptr=" -> ";
-$lenst=" len ";
-$numpackets=0;
-
-while ($loop++ < $#recs )
- {
-# this prints from 39 char to EOR
- $a=substr(@recs[$loop],39);
- ($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ;
-# need to rewrite icmp ping records.... they dont have service numbers
- $whereicmp=index($a,"PR icmp");
- if($whereicmp > 0 )
- {
- $a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ;
- }
-
-# dump the "->" and commas from logging
- $a =~ s/->//g;
- $a =~ s/PR//g;
- $a =~ s/,/ /g;
-# shortrec has records that look like
-# 209.24.1.217 123 192.216.16.2 123 udp len 20 76
- @shortrecs[$loop]= "$a";
-
-# count number packets from each IP address into hash
- ($srcip,$junk) = split " ","$a";
- $numpackets=$numpacks{"$srcip"};
- $numpackets++ ;
- $numpacks{"$srcip"}=$numpackets;
-
-}
-
-
-
-# call sub to analyse packets by time
-# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
-# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
-packbytime($XMAX);
-
-if("$opt_s" eq "1")
-{
-# call subroutine to scan for connections to ports on gatekeep
-# other than those listed in saferports, connections to high
-# ports are assumed OK.....
-posbadones;
-
-# call subroutine to print out which sites had sent more than
-# a defined % of packets to gatekeep
-toobusy_site;
-}
-
-
-# verbose reporting?
-if ("$opt_v" eq "1")
-{
-$cnt=-1;
-# loop over ALL unique IP source destinations
-while ($cnt++ < $#allips)
-{
- %tally=();
- %unknownsrcports=();
- $uniqip=@allips[$cnt];
- $loop=-1;
- $value=0;
- $value1=0;
- $value2=0;
- $value3=0;
- $set="N";
-
- while ($loop++ < $#recs )
- {
-# get src IP num, src port number,
-# destination IP num, destnation port number,protocol
- ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
-# loop over all records for the machine $uniqip
-# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!!
- if( "$uniqip" eq "$srcip")
- {
-# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT???
-# its more than likely a request coming back in on a high port
-# ....So...
-# find out the destination port from the unknown (high) src port
-# and tally these as they may be a port attack
- if ("$srcport" eq "icmp")
- { $srcportnam="icmp";}
- else
- {
- $srcportnam=$services{$srcport};
- }
-# try and get dest portname, if not there, leave it as the
-# dest portnumber
- if ("$destport" eq "icmp")
- { $destportnam="icmp";}
- else
- {
- $destportnam=$services{$destport};
- }
-
- if ($destportnam eq "")
- {
- $destportnam=$destport;
- }
-
- if ($srcportnam eq "")
- {
-# increment number of times a (high)/unknown port has gone to destport
- $value1=$unknownsrcports{$destportnam};
- $value1++ ;
- $unknownsrcports{$destportnam}=$value1;
- }
- else
- {
-# want tally(srcport) counter to be increased by 1
- $value3=$tally{$srcportnam};
- $value3++ ;
- $tally{$srcportnam}=$value3;
- }
- }
-
-
- }
-# end of loop over ALL IP's
-
-if ($set eq "N")
-{
-$set="Y";
-
-print "\n#### with $uniqip as the the source for packets ####\n";
-while(($key,$value)=each %tally)
- {
- if (not "$uniqip" eq "$gatekeep")
- {
- print "$value connections from $key to gatekeep\n";
- }
- else
- {
- print "$value connections from gatekeep to $key\n";
- }
- }
-
-
-
-while(($key2,$value2)=each %unknownsrcports)
- {
- if (not "$uniqip" eq "$gatekeep")
- {
- print "$value2 high port connections to $key2 on gatekeep\n";
- }
- else
- {
- print "$value2 high port connections to $key2 from gatekeep\n";
- }
- }
-
-}
-# print if rests for UNIQIP IF flag is set to N then toggle flag
-
-} # end of all IPs loop
-} # end of if verbose option set block
-
-
-
diff --git a/contrib/ipfilter/perl/Isbgraph b/contrib/ipfilter/perl/Isbgraph
deleted file mode 100644
index c68b672..0000000
--- a/contrib/ipfilter/perl/Isbgraph
+++ /dev/null
@@ -1,297 +0,0 @@
-#!/usr/local/bin/perl
-
-# isbgraph
-# an example in not so hot perl programming....
-# based around GraphMaker from Fabrizio Pivari
-# A graph maker perl script
-
-use GD;
-use Getopt::Long;
-$hr=0;
-
-sub main{
-
-$opt_conf="./graphmaker.cnf";
-
-@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX",
- "Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour",
- "Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour",
- "Gcolour","Bcolour","Racolour","Gacolour","Bacolour");
-
-%option=(
- NUMBERYCELLGRIDSIZE => '8',
- MAXYVALUE => '7748',
- MINYVALUE => '6500',
- XCELLGRIDSIZE => '18',
- XMAX => '1000',
- Data => './graphmaker.dat',
- Graph => './graphmaker.gif',
- Bar => '1',
- Average => '1',
- Graphnum => '1',
- Title => 'GraphMaker 2.1',
- Transparent => 'yes',
- Rbgcolour => '255',
- Gbgcolour => '255',
- Bbgcolour => '255',
- Rfgcolour => '0',
- Gfgcolour => '0',
- Bfgcolour => '0',
- Rcolour => '0',
- Gcolour => '0',
- Bcolour => '255',
- Racolour => '255',
- Gacolour => '255',
- Bacolour => '0');
-
-&GetOptions("conf=s","help") || &printusage ;
-
-
-if ($opt_help) {&printusage};
-
-open (CNF, $opt_conf) || die;
-while (<CNF>) {
-s/\t/ /g; #replace tabs by space
-next if /^\s*\#/; #ignore comment lines
-next if /^\s*$/; #ignore empty lines
-foreach $elem (@elem)
- {
- if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; }
- }
-}
-close(CNF);
-#########################################
-#
-#
-#
-# number datapoints/24 hours is 1440 (minutes)
-#
-# Split into N graphs where each graph has max of 240 datapoints (4 hours)
-#
-
-$barset=0;
-$m=0;
-$YGRIDSIZE = 400;
-$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'};
-$XINIT = 30;
-$XEND = 8;
-$YINIT =20;
-$YEND = 20;
-#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'});
-#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'});
-$XGRIDSIZE = 620;
-$XGIF = $XGRIDSIZE + $XINIT + $XEND;
-$XGRAPH = $XGRIDSIZE + $XINIT;
-$YGIF = $YGRIDSIZE + $YEND + $YINIT;
-$YGRAPH = $YGRIDSIZE + $YINIT;
-$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'};
-$SCALE=$YGRIDSIZE/$RANGE;
-
-# NEW IMAGE
- $im=new GD::Image($XGIF,$YGIF);
-
-$white=$im->colorAllocate(255,255,255);
-$black=$im->colorAllocate(0,0,0);
-$pink=$im->colorAllocate(255,153,153);
-$red=$im->colorAllocate(255,0,0);
-$blue=$im->colorAllocate(0,0,255);
-$green=$im->colorAllocate(0,192,51);
-$orange=$im->colorAllocate(255,102,0);
-$pink=$im->colorAllocate(255,153,153);
-$teal=$im->colorAllocate(51,153,153);
-# gif background is $bg
- $bg=$white;
- $fg=$blue;
-# LINE COLOUR HELP BY VAR $colour
- $colour=$red;
- $acolour=$yellow;
- # GRID
- if ($option{'Transparent'} eq "yes") {$im->transparent($bg)};
- $im->filledRectangle(0,0,$XGIF,$YGIF,$bg);
-
-# Dot style
-# vertical markers on Y axis grid
- $im->setStyle($fg,$bg,$bg,$bg);
- for $i (0..$option{'XMAX'})
- {
- $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i;
- # $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled);
- $num = $i+1;
-
- use integer;
- {
- $posis=$num - ($num/60)*60;
- }
- if ($posis eq 0)
- {
- $outhr=0;
- $hr=($hr + 1) ;
- $outhr=$hr+$option{'Graphnum'}*4;
-# shift minutes coords to correct stat hour!
- $im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg);
- }
-
- } # end of scan over X values (minutes)
-
- $YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'};
- for $i (0..$option{'NUMBERYCELLGRIDSIZE'})
- {
- $num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i);
- $im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg);
- }
- $im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg);
-
- $odd_even = $option{'XCELLGRIDSIZE'}%2;
- #odd
- if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
- else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
-
-# start reading data
-# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}";
-# nextdata becomes Y on reading of second data set....
-$nextdata="N";
-@datafiles=("./in.dat" , "./out.dat" );
- foreach ( @datafiles )
-{
- $m=0;
- $count=0;
- $i=0;
- $fname=$_;
-
- print "fname $fname\n";
-# change entry for red in colour table to green for packets LEAVING target host
-
- open (DATA,$_) || die "cant open $_";
- print "$nextdata nextdata\n";
- while (<DATA>)
- {
- /(.*):(.*)/;
- if ($option{'Average'} eq 1) {$m+=$2;$i++;}
- if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next}
- $X=$1; $Y=$2;
-# +($X-1) are the pixel of the line
- $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1);
- $xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1);
- $yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE;
- $yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE;
- $barset=$option{'Bar'};
- if ($barset eq 0)
- {
-
- if($nextdata eq "Y")
- {
-
- #$im->line($XINIT,$YGRAPH,$X,$Y,$orange);
- $im->line($xspaceold,$yspaceold,$xspace,$yspace,$green);
- }
- else
- {
- $im->line($xspaceold,$yspaceold,$xspace,$yspace,$red);
- }
- }
- else
- {
- if ($1 eq 2)
- {
- $im->filledRectangle($xspaceold,$yspaceold,
- $xspaceold+$middle,$YGRAPH,$colour);
- $im->rectangle($xspaceold,$yspaceold,
- $xspaceold+$middle,$YGRAPH,$fg);
- }
- else
- {
- $im->filledRectangle($xspaceold-$middle,$yspaceold,
- $xspaceold+$middle,$YGRAPH,$colour);
- $im->rectangle($xspaceold-$middle,$yspaceold,
- $xspaceold+$middle,$YGRAPH,$fg);
- }
- }
- $XOLD=$X; $YOLD=$Y;
-
- } # end of while DATA loop
-
- $im->line(500,40,530,40,$red);
- $im->line(500,60,530,60,$green);
- $im->string(gdSmallFont,535,35,"Packets IN",$fg);
- $im->string(gdSmallFont,535,55,"Packets OUT",$fg);
-
- if ($option{'Bar'} ne 0)
- {
- if ($X eq $option{'XMAX'})
- {
- $im->filledRectangle($xspace-$middle,$yspace,
- $xspace,$YGRAPH,$colour);
- $im->rectangle($xspace-$middle,$yspace,
- $xspace,$YGRAPH,$fg);
- }
- else
- {
- $im->filledRectangle($xspace-$middle,$yspace,
- $xspace+$middle,$YGRAPH,$colour);
- $im->rectangle($xspace-$middle,$yspace,
- $xspace+$middle,$YGRAPH,$fg);
- }
- }
- close (DATA);
-
-
- $nextdata="Y";
-# TOP LEFT is 0,0 on GIF (image)
-# origin of plot is xinit,yinit
- # print "little line\n";
- $im->line($xspace,$yspace,$xspace,$YGRAPH,$blue);
- $im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue);
-# (0,0) in cartesian space time=0 minutes, rate 0 packets/s
- $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue);
- $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green);
-
-} # close foreach loop on data file names
-
-
-
-
- if ($option{'Average'} eq 1)
- {
- # Line style
- $im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg);
- $m=$m/$i;
- $ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE;
- $im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled)
- }
- $im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg);
- $im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg);
- $im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg);
- $im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg);
-
- $im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg);
- open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n";
- print GRAPH $im -> gif;
- close (GRAPH);
-
-
-
-
-} # end of subroutine main
-
-main;
-exit(0);
-
-sub printusage {
- print <<USAGEDESC;
-
-usage:
- graphmaker [-options ...]
-
-where options include:
- -help print out this message
- -conf file the configuration file (default graphmaker.cnf)
-
-If you want to know more about this tool, you might want
-to read the docs. They came together with graphmaker!
-
-Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html
-
-USAGEDESC
- exit(1);
-}
-
diff --git a/contrib/ipfilter/perl/LICENSE b/contrib/ipfilter/perl/LICENSE
deleted file mode 100644
index 4ae42df..0000000
--- a/contrib/ipfilter/perl/LICENSE
+++ /dev/null
@@ -1,6 +0,0 @@
-These shell scripts are provided "as is" by Ivan S. Bishop and any
-express or implied warranties, including, but not limited to, the
-implied warranties of merchantability and fitness for a particular
-purpose are disclaimed.
-
-Permission has been granted for their redistribution within this package.
diff --git a/contrib/ipfilter/perl/Services b/contrib/ipfilter/perl/Services
deleted file mode 100644
index 401fff0..0000000
--- a/contrib/ipfilter/perl/Services
+++ /dev/null
@@ -1,2146 +0,0 @@
-1 tcpmux TCPPortServiceMultiplexer
-3 compressnet CompressionProcess
-5 rje RemoteJobEntry
-7 echo
-9 discard
-11 systat
-13 daytime
-15 netstat
-17 qotd QuoteoftheDay
-18 msp MessageSendProtocol
-19 chargen
-20 ftp-data
-21 ftp
-22 ssh SSHRemoteLoginProtocol
-23 telnet
-25 smtp
-27 nsw-fe NSWUserSystemFE
-29 msg-icp MSGICP
-31 msg-auth MSGAuthentication
-33 dsp DisplaySupportProtocol
-37 time Time
-38 rap RouteAccessProtocol
-39 rlp ResourceLocationProtocol
-41 graphics Graphics
-42 nameserver HostNameServer
-43 whois
-44 mpm-flags MPMFLAGSProtocol
-45 mpm MessageProcessingModule[recv]
-46 mpm-snd MPM[defaultsend]
-47 ni-ftp NIFTP
-48 auditd DigitalAuditDaemon
-49 tacacs LoginHostProtocol(TACACS)
-50 re-mail-ck RemoteMailCheckingProtocol
-51 la-maint IMPLogicalAddressMaintenance
-52 xns-time XNSTimeProtocol
-53 domain DomainNameServer
-54 xns-ch XNSClearinghouse
-55 isi-gl ISIGraphicsLanguage
-56 xns-auth XNSAuthentication
-58 xns-mail XNSMail
-61 ni-mail NIMAIL
-62 acas ACAServices
-63 whois++ whois++
-64 covia CommunicationsIntegrator(CI)
-65 tacacs-ds TACACS-DatabaseService
-66 sqlnet OracleSQL*NET
-67 bootps BootstrapProtocolServer
-68 bootpc BootstrapProtocolClient
-69 tftp TrivialFileTransfer
-70 gopher Gopher
-71 netrjs-1 RemoteJobService
-72 netrjs-2 RemoteJobService
-73 netrjs-3 RemoteJobService
-74 netrjs-4 RemoteJobService
-76 deos DistributedExternalObjectStore
-77 rje
-78 vettcp vettcp
-79 finger Finger
-80 www-http WorldWideWebHTTP
-81 hosts2-ns HOSTS2NameServer
-82 xfer XFERUtility
-83 mit-ml-dev MITMLDevice
-84 ctf CommonTraceFacility
-85 mit-ml-dev MITMLDevice
-86 mfcobol MicroFocusCobol
-87 link
-88 kerberos Kerberos
-89 su-mit-tg SU/MITTelnetGateway
-90 dnsix DNSIXSecuritAttributeTokenMap
-91 mit-dov MITDoverSpooler
-92 npp NetworkPrintingProtocol
-93 dcp DeviceControlProtocol
-94 objcall TivoliObjectDispatcher
-95 supdup SUPDUP
-96 dixie DIXIEProtocolSpecification
-97 swift-rvf SwiftRemoteVirturalFileProtocol
-98 tacnews TACNews
-99 metagram MetagramRelay
-100 newacct [unauthorizeduse]
-101 hostname NICHostNameServer
-102 iso-tsap ISO-TSAPClass0
-103 x400
-104 x400-snd
-105 cso CCSOnameserverprotocol
-106 3com-tsmux 3COM-TSMUX
-107 rtelnet RemoteTelnetService
-108 snagas SNAGatewayAccessServer
-109 pop2 PostOfficeProtocol-Version2
-110 pop3 PostOfficeProtocol-Version3
-111 sunrpc SUNRemoteProcedureCall
-112 mcidas McIDASDataTransmissionProtocol
-113 ident
-114 audionews AudioNewsMulticast
-115 sftp SimpleFileTransferProtocol
-116 ansanotify ANSAREXNotify
-117 uucp-path UUCPPathService
-118 sqlserv SQLServices
-119 nntp NetworkNewsTransferProtocol
-120 cfdptkt CFDPTKT
-121 erpc EncoreExpeditedRemotePro.Call
-122 smakynet SMAKYNET
-123 ntp NetworkTimeProtocol
-124 ansatrader ANSAREXTrader
-125 locus-map LocusPC-InterfaceNetMapSer
-126 unitary UnisysUnitaryLogin
-127 locus-con LocusPC-InterfaceConnServer
-128 gss-xlicen GSSXLicenseVerification
-129 pwdgen PasswordGeneratorProtocol
-130 cisco-fna ciscoFNATIVE
-131 cisco-tna ciscoTNATIVE
-132 cisco-sys ciscoSYSMAINT
-133 statsrv StatisticsService
-134 ingres-net INGRES-NETService
-135 epmap DCEendpointresolution
-136 profile PROFILENamingSystem
-137 netbios-ns NETBIOSNameService
-138 netbios-dgm NETBIOSDatagramService
-139 netbios-ssn NETBIOSSessionService
-140 emfis-data EMFISDataService
-141 emfis-cntl EMFISControlService
-142 bl-idm Britton-LeeIDM
-143 imap InternetMessageAccessProtocol
-144 NeWS
-145 uaac UAACProtocol
-146 iso-tp0 ISO-IP0
-147 iso-ip ISO-IP
-148 jargon Jargon
-149 aed-512 AED512EmulationService
-150 sql-net SQL-NET
-151 hems HEMS
-152 bftp BackgroundFileTransferProgram
-153 sgmp SGMP
-154 netsc-prod NETSC
-155 netsc-dev NETSC
-156 sqlsrv SQLService
-157 knet-cmp KNET/VMCommand/MessageProtocol
-158 pcmail-srv PCMailServer
-159 nss-routing NSS-Routing
-160 sgmp-traps SGMP-TRAPS
-161 snmp SNMP
-162 snmptrap SNMPTRAP
-163 cmip-man CMIP/TCPManager
-164 cmip-agent CMIP/TCPAgent
-165 xns-courier Xerox
-166 s-net SiriusSystems
-167 namp NAMP
-168 rsvd RSVD
-169 send SEND
-170 print-srv NetworkPostScript
-171 multiplex NetworkInnovationsMultiplex
-172 cl/1 NetworkInnovationsCL/1
-173 xyplex-mux Xyplex
-174 mailq MAILQ
-175 vmnet VMNET
-176 genrad-mux GENRAD-MUX
-177 xdmcp XDisplayManagerControlProtocol
-178 nextstep NextStepWindowServer
-179 bgp BorderGatewayProtocol
-180 ris Intergraph
-181 unify Unify
-182 audit UnisysAuditSITP
-183 ocbinder OCBinder
-184 ocserver OCServer
-185 remote-kis Remote-KIS
-186 kis KISProtocol
-187 aci ApplicationCommunicationInterface
-188 mumps PlusFive'sMUMPS
-189 qft QueuedFileTransport
-190 gacp GatewayAccessControlProtocol
-191 prospero ProsperoDirectoryService
-192 osu-nms OSUNetworkMonitoringSystem
-193 srmp SpiderRemoteMonitoringProtocol
-194 irc InternetRelayChatProtocol
-195 dn6-nlm-aud DNSIXNetworkLevelModuleAudit
-196 dn6-smm-red DNSIXSessionMgtModuleAuditRedir
-197 dls DirectoryLocationService
-198 dls-mon DirectoryLocationServiceMonitor
-199 smux SMUX
-200 src IBMSystemResourceController
-201 at-rtmp AppleTalkRoutingMaintenance
-202 at-nbp AppleTalkNameBinding
-203 at-3 AppleTalkUnused
-204 at-echo AppleTalkEcho
-205 at-5 AppleTalkUnused
-206 at-zis AppleTalkZoneInformation
-207 at-7 AppleTalkUnused
-208 at-8 AppleTalkUnused
-209 qmtp TheQuickMailTransferProtocol
-210 z39.50 ANSIZ39.50
-211 914c/g TexasInstruments914C/GTerminal
-212 anet ATEXSSTR
-213 ipx IPX
-214 vmpwscs VMPWSCS
-215 softpc InsigniaSolutions
-216 CAIlic ComputerAssociatesInt'lLicenseServer
-217 dbase dBASEUnix
-218 mpp NetixMessagePostingProtocol
-219 uarps UnisysARPs
-220 imap3 InteractiveMailAccessProtocolv3
-221 fln-spx BerkeleyrlogindwithSPXauth
-222 rsh-spx BerkeleyrshdwithSPXauth
-223 cdc CertificateDistributionCenter
-224 Reserved
-225 Reserved
-226 Reserved
-227 Reserved
-228 Reserved
-229 Reserved
-230 Reserved
-231 Reserved
-232 Reserved
-233 Reserved
-234 Reserved
-235 Reserved
-236 Reserved
-237 Reserved
-238 Reserved
-239 Reserved
-240 Reserved
-241 Reserved
-242 direct Direct
-243 sur-meas SurveyMeasurement
-244 dayna Dayna
-245 link LINK
-246 dsp3270 DisplaySystemsProtocol
-247 subntbcst_tftp SUBNTBCST_TFTP
-248 bhfhs bhfhs
-249
-250 Reserved
-251 Reserved
-252 Reserved
-253 Reserved
-254 Reserved
-255 Reserved
-256 rap RAP
-257 set SecureElectronicTransaction
-258 yak-chat YakWinsockPersonalChat
-259 esro-gen EfficientShortRemoteOperations
-260 openport Openport
-261 nsiiops IIOPNameServiceoverTLS/SSL
-262 arcisdms Arcisdms
-263 hdap HDAP
-280 http-mgmt http-mgmt
-281 personal-link PersonalLink
-282 cableport-ax CablePortA/X
-309 entrusttime EntrustTime
-310 bhmds bhmds
-311 asip-webadmin AppleShareIPWebAdmin
-312 vslmp VSLMP
-313 magenta-logic MagentaLogic
-314 opalis-robot OpalisRobot
-315 dpsi DPSI
-316 decauth decAuth
-317 zannet Zannet
-344 pdap ProsperoDataAccessProtocol
-345 pawserv PerfAnalysisWorkbench
-346 zserv Zebraserver
-347 fatserv FatmenServer
-348 csi-sgwp CabletronManagementProtocol
-349 mftp mftp
-350 matip-type-a MATIPTypeA
-351 bhoetty bhoetty(added5/21/97)
-352 dtag-ste-sb DTAG
-353 ndsauth NDSAUTH
-354 bh611 bh611
-355 datex-asn DATEX-ASN
-356 cloanto-net-1 CloantoNet1
-357 bhevent bhevent
-358 shrinkwrap Shrinkwrap
-359 tenebris_nts TenebrisNetworkTraceService
-360 scoi2odialog scoi2odialog
-361 semantix Semantix
-362 srssend SRSSend
-363 rsvp_tunnel RSVPTunnel
-364 aurora-cmgr AuroraCMGR
-365 dtk DTK
-366 odmr ODMR
-367 mortgageware MortgageWare
-368 qbikgdp QbikGDP
-369 rpc2portmap rpc2portmap
-370 codaauth2 codaauth2
-371 clearcase Clearcase
-372 ulistproc ListProcessor
-373 legent-1 LegentCorporation
-374 legent-2 LegentCorporation
-375 hassle Hassle
-376 nip AmigaEnvoyNetworkInquiryProto
-377 tnETOS NECCorporation
-378 dsETOS NECCorporation
-379 is99c TIA/EIA/IS-99modemclient
-380 is99s TIA/EIA/IS-99modemserver
-381 hp-collector hpperformancedatacollector
-382 hp-managed-node hpperformancedatamanagednode
-383 hp-alarm-mgr hpperformancedataalarmmanager
-384 arns ARemoteNetworkServerSystem
-385 ibm-app IBMApplication
-386 asa ASAMessageRouterObjectDef.
-387 aurp AppletalkUpdate-BasedRoutingPro.
-388 unidata-ldm UnidataLDMVersion4
-389 ldap LightweightDirectoryAccessProtocol
-390 uis UIS
-391 synotics-relay SynOpticsSNMPRelayPort
-392 synotics-broker SynOpticsPortBrokerPort
-393 dis DataInterpretationSystem
-394 embl-ndt EMBLNucleicDataTransfer
-395 netcp NETscoutControlProtocol
-396 netware-ip NovellNetwareoverIP
-397 mptn MultiProtocolTrans.Net.
-398 kryptolan Kryptolan
-399 iso-tsap-c2 ISOTransportClass2Non-Controlover
-400 work-sol WorkstationSolutions
-401 ups UninterruptiblePowerSupply
-402 genie GenieProtocol
-403 decap decap
-404 nced nced
-405 ncld ncld
-406 imsp InteractiveMailSupportProtocol
-407 timbuktu Timbuktu
-408 prm-sm ProsperoResourceManagerSys.Man.
-409 prm-nm ProsperoResourceManagerNodeMan.
-410 decladebug DECLadebugRemoteDebugProtocol
-411 rmt RemoteMTProtocol
-412 synoptics-trap TrapConventionPort
-413 smsp SMSP
-414 infoseek InfoSeek
-415 bnet BNet
-416 silverplatter Silverplatter
-417 onmux Onmux
-418 hyper-g Hyper-G
-419 ariel1 Ariel
-420 smpte SMPTE
-421 ariel2 Ariel
-422 ariel3 Ariel
-423 opc-job-start IBMOperationsPlanningandControlStart
-424 opc-job-track IBMOperationsPlanningandControlTrack
-425 icad-el ICAD
-426 smartsdp smartsdp
-427 svrloc ServerLocation
-428 ocs_cmu OCS_CMU
-429 ocs_amu OCS_AMU
-430 utmpsd UTMPSD
-431 utmpcd UTMPCD
-432 iasd IASD
-433 nnsp NNSP
-434 mobileip-agent MobileIP-Agent
-435 mobilip-mn MobilIP-MN
-436 dna-cml DNA-CML
-437 comscm comscm
-438 dsfgw dsfgw
-439 dasp daspThomasObermair
-440 sgcp sgcp
-441 decvms-sysmgt decvms-sysmgt
-442 cvc_hostd cvc_hostd
-443 https httpprotocoloverTLS/SSL
-444 snpp SimpleNetworkPagingProtocol
-445 microsoft-ds Microsoft-DS
-446 ddm-rdb DDM-RDB
-447 ddm-dfm DDM-RFM
-448 ddm-ssl DDM-SSL
-449 as-servermap ASServerMapper
-450 tserver TServer
-451 sfs-smp-net CrayNetworkSemaphoreserver
-452 sfs-config CraySFSconfigserver
-453 creativeserver CreativeServer
-454 contentserver ContentServer
-455 creativepartnr CreativePartnr
-456 macon-udp macon-udp
-457 scohelp scohelp
-458 appleqtc applequicktime
-459 ampr-rcmd ampr-rcmd
-460 skronk skronk
-461 datasurfsrv DataRampSrv
-462 datasurfsrvsec DataRampSrvSec
-463 alpes alpes
-464 kpasswd kpasswd
-465 smtps smtpprotocoloverTLS/SSL(wasssmtp)
-466 digital-vrc digital-vrc
-467 mylex-mapd mylex-mapd
-468 photuris proturis
-469 rcp RadioControlProtocol
-470 scx-proxy scx-proxy
-471 mondex Mondex
-472 ljk-login ljk-login
-473 hybrid-pop hybrid-pop
-474 tn-tl-w1 tn-tl-w1
-475 tcpnethaspsrv tcpnethaspsrv
-476 tn-tl-fd1 tn-tl-fd1
-477 ss7ns ss7ns
-478 spsc spsc
-479 iafserver iafserver
-480 iafdbase iafdbase
-481 ph Phservice
-482 bgs-nsi bgs-nsi
-483 ulpnet ulpnet
-484 integra-sme IntegraSoftwareManagementEnvironment
-485 powerburst AirSoftPowerBurst
-486 avian avian
-487 saft saftSimpleAsynchronousFileTransfer
-488 gss-http gss-http
-489 nest-protocol nest-protocol
-490 micom-pfs micom-pfs
-491 go-login go-login
-492 ticf-1 TransportIndependentConvergenceforFNA
-493 ticf-2 TransportIndependentConvergenceforFNA
-494 pov-ray POV-Ray
-495 intecourier intecourier
-496 pim-rp-disc PIM-RP-DISC
-497 dantz dantz
-498 siam siam
-499 iso-ill ISOILLProtocol
-500 isakmp isakmp
-501 stmf STMF
-502 asa-appl-proto asa-appl-proto
-503 intrinsa Intrinsa
-504 citadel citadel
-505 mailbox-lm mailbox-lm
-506 ohimsrv ohimsrv
-507 crs crs
-508 xvttp xvttp
-509 snare snare
-510 fcp FirstClassProtocol
-511 mynet mynet-as
-512 exec-or-biff
-513 login-or-who
-514 shell-or-syslog
-515 printer spooler
-516 videotex videotex
-517 talk liketenexlink,butacross
-518 ntalk
-519 utime unixtime
-520 route
-521 ripng ripng
-522 ulp ULP
-523 ibm-db2 IBM-DB2
-524 ncp NCP
-525 timed timeserver
-526 tempo newdate
-527 stx StockIXChange
-528 custix CustomerIXChange
-529 irc-serv IRC-SERV
-530 courier rpc
-531 conference chat
-532 netnews readnews
-533 netwall foremergencybroadcasts
-534 mm-admin MegaMediaAdmin
-535 iiop iiop
-536 opalis-rdv opalis-rdv
-537 nmsp NetworkedMediaStreamingProtocol
-538 gdomap gdomap
-539 apertus-ldp ApertusTechnologiesLoadDetermination
-540 uucp uucpd
-541 uucp-rlogin uucp-rlogin
-542 commerce commerce
-543 klogin
-544 kshell krcmd
-545 appleqtcsrvr appleqtcsrvr
-546 dhcpv6-client DHCPv6Client
-547 dhcpv6-server DHCPv6Server
-548 afpovertcp AFPoverTCP
-549 idfp IDFP
-550 new-rwho new-who
-551 cybercash cybercash
-552 deviceshare deviceshare
-553 pirp pirp
-554 rtsp RealTimeStreamControlProtocol
-555 dsf
-556 remotefs rfsserver
-557 openvms-sysipc openvms-sysipc
-558 sdnskmp SDNSKMP
-559 teedtap TEEDTAP
-560 rmonitor rmonitord
-561 monitor
-562 chshell chcmd
-563 nntps nntpprotocoloverTLS/SSL(wassnntp)
-564 9pfs plan9fileservice
-565 whoami whoami
-566 streettalk streettalk
-567 banyan-rpc banyan-rpc
-568 ms-shuttle microsoftshuttle
-569 ms-rome microsoftrome
-570 meter demon
-571 meter udemon
-573 banyan-vip banyan-vip
-574 ftp-agent FTPSoftwareAgentSystem
-575 vemmi VEMMI
-576 ipcd ipcd
-577 vnas vnas
-578 ipdd ipdd
-579 decbsrv decbsrv
-580 sntp-heartbeat SNTPHEARTBEAT
-581 bdp BundleDiscoveryProtocol
-582 scc-security SCCSecurity
-583 philips-vc PhilipsVideo-Conferencing
-584 keyserver KeyServer
-585 imap4-ssl IMAP4+SSL(use993instead)
-586 password-chg PasswordChange
-587 submission Submission
-588 cal CAL
-589 eyelink EyeLink
-590 tns-cml TNSCML
-591 http-alt FileMaker,Inc.-HTTPAlternate(see
-592 eudora-set EudoraSet
-593 http-rpc-epmap HTTPRPCEpMap
-594 tpip TPIP
-595 cab-protocol CABProtocol
-596 smsd SMSD
-597 ptcnameservice PTCNameService
-598 sco-websrvrmg3 SCOWebServerManager3
-599 acp AeolonCoreProtocol
-600 ipcserver SunIPCserver
-606 urm CrayUnifiedResourceManager
-607 nqs nqs
-608 sift-uft Sender-Initiated/UnsolicitedFileTransfer
-609 npmp-trap npmp-trap
-610 npmp-local npmp-local
-611 npmp-gui npmp-gui
-612 hmmp-ind HMMPIndication
-613 hmmp-op HMMPOperation
-614 sshell SSLshell
-615 sco-inetmgr InternetConfigurationManager
-616 sco-sysmgr SCOSystemAdministrationServer
-617 sco-dtmgr SCODesktopAdministrationServer
-618 dei-icda DEI-ICDA
-619 digital-evm DigitalEVM
-620 sco-websrvrmgr SCOWebServerManager
-621 escp-ip ESCP
-622 collaborator Collaborator
-623 aux_bus_shunt AuxBusShunt
-624 cryptoadmin CryptoAdmin
-625 dec_dlm DECDLM
-626 asia ASIA
-627 cks-tivioli CKS&TIVIOLI
-628 qmqp QMQP
-629 3com-amp3 3ComAMP3
-630 rda RDA
-631 ipp IPP(InternetPrintingProtocol)
-632 bmpp bmpp
-633 servstat ServiceStatusupdate(SterlingSoftware)
-634 ginad ginad
-635 rlzdbase RLZDBase
-636 ldaps ldapprotocoloverTLS/SSL(wassldap)
-637 lanserver lanserver
-638 mcns-sec mcns-sec
-639 msdp MSDP
-666 mdqs
-667 disclose campaigncontributiondisclosures-SDRTechnologies
-668 mecomm MeComm
-669 meregister MeRegister
-670 vacdsm-sws VACDSM-SWS
-671 vacdsm-app VACDSM-APP
-672 vpps-qua VPPS-QUA
-673 cimplex CIMPLEX
-674 acap ACAP
-675 dctp DCTP
-676 vpps-via VPPSVia
-704 elcsd errlogcopy/serverdaemon
-705 agentx AgentX
-707 borland-dsj BorlandDSJ
-709 entrust-kmsh EntrustKeyManagementServiceHandler
-710 entrust-ash EntrustAdministrationServiceHandler
-711 cisco-tdp CiscoTDP
-729 netviewdm1 IBMNetViewDM/6000Server/Client
-730 netviewdm2 IBMNetViewDM/6000send
-731 netviewdm3 IBMNetViewDM/6000receive
-741 netgw netGW
-742 netrcs NetworkbasedRev.Cont.Sys.
-744 flexlm FlexibleLicenseManager
-747 fujitsu-dev FujitsuDeviceControl
-748 ris-cm RussellInfoSciCalendarManager
-749 kerberos-adm kerberosadministration
-750 kerberos-iv kerberosversioniv
-751 pump
-752 qrh
-753 rrh
-754 tell send
-758 nlogin
-759 con
-760 ns
-761 rxe
-762 quotad
-763 cycleserv
-764 omserv
-765 webster
-767 phonebook phone
-769 vid
-770 cadlock
-771 rtip
-772 cycleserv2
-773 notify
-774 rpasswd
-775 acmaint_transd
-776 wpages
-780 wpgs
-786 concert Concert
-787 qsc QSC
-800 mdbs_daemon
-801 device
-829 pkix-3-ca-ra PKIX-3CA/RA
-873 rsync rsync
-886 iclcnet-locate ICLcoNETionlocateserver
-887 iclcnet_svinfo ICLcoNETionserverinfo
-888 accessbuilder AccessBuilder
-900 omginitialrefs OMGInitialRefs
-911 xact-backup xact-backup
-989 ftps-data ftpprotocol,data,overTLS/SSL
-990 ftps ftpprotocol,control,overTLS/SSL
-991 nas NetnewsAdministrationSystem
-992 telnets telnetprotocoloverTLS/SSL
-993 imaps imap4protocoloverTLS/SSL
-994 ircs ircprotocoloverTLS/SSL
-995 pop3s pop3protocoloverTLS/SSL(wasspop3)
-996 vsinet vsinet
-997 maitrd
-998 busboy
-999 garcon
-1000 cadlock
-1008 ufsd
-1010 surf surf
-1011 Reserved
-1012 Reserved
-1013 Reserved
-1014 Reserved
-1015 Reserved
-1016 Reserved
-1017 Reserved
-1018 Reserved
-1019 Reserved
-1020 Reserved
-1021 Reserved
-1022 Reserved
-1025 blackjack networkblackjack
-1030 iad1 BBNIAD
-1031 iad2 BBNIAD
-1032 iad3 BBNIAD
-1047 neod1 Sun'sNEOObjectRequestBroker
-1048 neod2 Sun'sNEOObjectRequestBroker
-1058 nim nim
-1059 nimreg nimreg
-1067 instl_boots InstallationBootstrapProto.Serv.
-1068 instl_bootc InstallationBootstrapProto.Cli.
-1080 socks Socks
-1083 ansoft-lm-1 AnasoftLicenseManager
-1084 ansoft-lm-2 AnasoftLicenseManager
-1099 rmiSun
-1103 xaudio
-1110 nfsd-status Clusterstatusinfo
-1111 lmsocialserver LMSocialServer
-1123 murray Murray
-1155 nfa NetworkFileAccess
-1161 health-polling HealthPolling
-1162 health-trap HealthTrap
-1180 mc-client MillicentClientProxy
-1212 lupa lupa
-1222 nerv SNIR&Dnetwork
-1234 search-agent InfoseekSearchAgent
-1239 nmsd NMSD
-1248 hermes
-1300 h323hostcallsc H323HostCallSecure
-1313 bmc_patroldb BMC_PATROLDB
-1314 pdps PhotoscriptDistributedPrintingSystem
-1345 vpjp VPJP
-1346 alta-ana-lm AltaAnalyticsLicenseManager
-1347 bbn-mmc multimediaconferencing
-1348 bbn-mmx multimediaconferencing
-1349 sbook RegistrationNetworkProtocol
-1350 editbench RegistrationNetworkProtocol
-1351 equationbuilder DigitalToolWorks(MIT)
-1352 lotusnote LotusNote
-1353 relief ReliefConsulting
-1354 rightbrain RightBrainSoftware
-1355 intuitive-edge IntuitiveEdge
-1356 cuillamartin CuillaMartinCompany
-1357 pegboard ElectronicPegBoard
-1358 connlcli CONNLCLI
-1359 ftsrv FTSRV
-1360 mimer MIMER
-1361 linx LinX
-1362 timeflies TimeFlies
-1363 ndm-requester NetworkDataMoverRequester
-1364 ndm-server NetworkDataMoverServer
-1365 adapt-sna NetworkSoftwareAssociates
-1366 netware-csp NovellNetWareCommServicePlatform
-1367 dcs DCS
-1368 screencast ScreenCast
-1369 gv-us GlobalViewtoUnixShell
-1370 us-gv UnixShelltoGlobalView
-1371 fc-cli FujitsuConfigProtocol
-1372 fc-ser FujitsuConfigProtocol
-1373 chromagrafx Chromagrafx
-1374 molly EPISoftwareSystems
-1375 bytex Bytex
-1376 ibm-pps IBMPersontoPersonSoftware
-1377 cichlid CichlidLicenseManager
-1378 elan ElanLicenseManager
-1379 dbreporter IntegritySolutions
-1380 telesis-licman TelesisNetworkLicenseManager
-1381 apple-licman AppleNetworkLicenseManager
-1382 udt_os
-1383 gwha GWHannawayNetworkLicenseManager
-1384 os-licman ObjectiveSolutionsLicenseManager
-1385 atex_elmd AtexPublishingLicenseManager
-1386 checksum CheckSumLicenseManager
-1387 cadsi-lm ComputerAidedDesignSoftwareIncLM
-1388 objective-dbc ObjectiveSolutionsDataBaseCache
-1389 iclpv-dm DocumentManager
-1390 iclpv-sc StorageController
-1391 iclpv-sas StorageAccessServer
-1392 iclpv-pm PrintManager
-1393 iclpv-nls NetworkLogServer
-1394 iclpv-nlc NetworkLogClient
-1395 iclpv-wsm PCWorkstationManagersoftware
-1396 dvl-activemail DVLActiveMail
-1397 audio-activmail AudioActiveMail
-1398 video-activmail VideoActiveMail
-1399 cadkey-licman CadkeyLicenseManager
-1400 cadkey-tablet CadkeyTabletDaemon
-1401 goldleaf-licman GoldleafLicenseManager
-1402 prm-sm-np ProsperoResourceManager
-1403 prm-nm-np ProsperoResourceManager
-1404 igi-lm InfiniteGraphicsLicenseManager
-1405 ibm-res IBMRemoteExecutionStarter
-1406 netlabs-lm NetLabsLicenseManager
-1407 dbsa-lm DBSALicenseManager
-1408 sophia-lm SophiaLicenseManager
-1409 here-lm HereLicenseManager
-1410 hiq HiQLicenseManager
-1411 af AudioFile
-1412 innosys InnoSys
-1413 innosys-acl Innosys-ACL
-1414 ibm-mqseries IBMMQSeries
-1415 dbstar DBStar
-1416 novell-lu6.2 NovellLU6.2
-1417 timbuktu-srv1 TimbuktuService1Port
-1418 timbuktu-srv2 TimbuktuService2Port
-1419 timbuktu-srv3 TimbuktuService3Port
-1420 timbuktu-srv4 TimbuktuService4Port
-1421 gandalf-lm GandalfLicenseManager
-1422 autodesk-lm AutodeskLicenseManager
-1423 essbase EssbaseArborSoftware
-1424 hybrid HybridEncryptionProtocol
-1425 zion-lm ZionSoftwareLicenseManager
-1426 sais Satellite-dataAcquisitionSystem1
-1427 mloadd mloaddmonitoringtool
-1428 informatik-lm InformatikLicenseManager
-1429 nms HypercomNMS
-1430 tpdu HypercomTPDU
-1431 rgtp ReverseGossipTransport
-1432 blueberry-lm BlueberrySoftwareLicenseManager
-1433 ms-sql-s Microsoft-SQL-Server
-1434 ms-sql-m Microsoft-SQL-Monitor
-1435 ibm-cics IBMCICS
-1436 saism Satellite-dataAcquisitionSystem2
-1437 tabula Tabula
-1438 eicon-server EiconSecurityAgent/Server
-1439 eicon-x25 EiconX25/SNAGateway
-1440 eicon-slp EiconServiceLocationProtocol
-1441 cadis-1 CadisLicenseManagement
-1442 cadis-2 CadisLicenseManagement
-1443 ies-lm IntegratedEngineeringSoftware
-1444 marcam-lm MarcamLicenseManagement
-1445 proxima-lm ProximaLicenseManager
-1446 ora-lm OpticalResearchAssociatesLicenseManager
-1447 apri-lm AppliedParallelResearchLM
-1448 oc-lm OpenConnectLicenseManager
-1449 peport PEport
-1450 dwf TandemDistributedWorkbenchFacility
-1451 infoman IBMInformationManagement
-1452 gtegsc-lm GTEGovernmentSystemsLicenseMan
-1453 genie-lm GenieLicenseManager
-1454 interhdl_elmd interHDLLicenseManager
-1455 esl-lm ESLLicenseManager
-1456 dca DCA
-1457 valisys-lm ValisysLicenseManager
-1458 nrcabq-lm NicholsResearchCorp.
-1459 proshare1 ProshareNotebookApplication
-1460 proshare2 ProshareNotebookApplication
-1461 ibm_wrless_lan IBMWirelessLAN
-1462 world-lm WorldLicenseManager
-1463 nucleus Nucleus
-1464 msl_lmd MSLLicenseManager
-1465 pipes PipesPlatformmfarlin@peerlogic.com
-1466 oceansoft-lm OceanSoftwareLicenseManager
-1467 csdmbase CSDMBASE
-1468 csdm CSDM
-1469 aal-lm ActiveAnalysisLimitedLicenseManager
-1470 uaiact UniversalAnalytics
-1471 csdmbase csdmbase
-1472 csdm csdm
-1473 openmath OpenMath
-1474 telefinder Telefinder
-1475 taligent-lm TaligentLicenseManager
-1476 clvm-cfg clvm-cfg
-1477 ms-sna-server ms-sna-server
-1478 ms-sna-base ms-sna-base
-1479 dberegister dberegister
-1480 pacerforum PacerForum
-1481 airs AIRS
-1482 miteksys-lm MiteksysLicenseManager
-1483 afs AFSLicenseManager
-1484 confluent ConfluentLicenseManager
-1485 lansource LANSource
-1486 nms_topo_serv nms_topo_serv
-1487 localinfosrvr LocalInfoSrvr
-1488 docstor DocStor
-1489 dmdocbroker dmdocbroker
-1490 insitu-conf insitu-conf
-1491 anynetgateway anynetgateway
-1492 stone-design-1 stone-design-1
-1493 netmap_lm netmap_lm
-1494 ica ica
-1495 cvc cvc
-1496 liberty-lm liberty-lm
-1497 rfx-lm rfx-lm
-1498 sybase-sqlany SybaseSQLAny
-1499 fhc FedericoHeinzConsultora
-1500 vlsi-lm VLSILicenseManager
-1501 saiscm Satellite-dataAcquisitionSystem3
-1502 shivadiscovery Shiva
-1503 imtc-mcs Databeam
-1504 evb-elm EVBSoftwareEngineeringLicenseManager
-1505 funkproxy FunkSoftware,Inc.
-1506 utcd UniversalTimedaemon(utcd)
-1507 symplex symplex
-1508 diagmond diagmond
-1509 robcad-lm Robcad,Ltd.LicenseManager
-1510 mvx-lm MidlandValleyExplorationLtd.Lic.Man.
-1511 3l-l1 3l-l1
-1512 wins Microsoft'sWindowsInternetNameService
-1513 fujitsu-dtc FujitsuSystemsBusinessofAmerica,Inc
-1514 fujitsu-dtcns FujitsuSystemsBusinessofAmerica,Inc
-1515 ifor-protocol ifor-protocol
-1516 vpad VirtualPlacesAudiodata
-1517 vpac VirtualPlacesAudiocontrol
-1518 vpvd VirtualPlacesVideodata
-1519 vpvc VirtualPlacesVideocontrol
-1520 atm-zip-office atmzipoffice
-1521 ncube-lm nCubeLicenseManager
-1522 ricardo-lm RicardoNorthAmericaLicenseManager
-1523 cichild-lm cichild
-1524 ingreslock ingres
-1525 orasrv oracle
-1526 pdap-np ProsperoDataAccessProtnon-priv
-1527 tlisrv oracle
-1528 mciautoreg micautoreg
-1529 coauthor oracle
-1530 rap-service rap-service
-1531 rap-listen rap-listen
-1532 miroconnect miroconnect
-1533 virtual-places VirtualPlacesSoftware
-1534 micromuse-lm micromuse-lm
-1535 ampr-info ampr-info
-1536 ampr-inter ampr-inter
-1537 sdsc-lm isi-lm
-1538 3ds-lm 3ds-lm
-1539 intellistor-lm IntellistorLicenseManager
-1540 rds rds
-1541 rds2 rds2
-1542 gridgen-elmd gridgen-elmd
-1543 simba-cs simba-cs
-1544 aspeclmd aspeclmd
-1545 vistium-share vistium-share
-1546 abbaccuray abbaccuray
-1547 laplink laplink
-1548 axon-lm AxonLicenseManager
-1549 shivahose ShivaHose
-1550 3m-image-lm ImageStoragelicensemanager3MCompany
-1551 hecmtl-db HECMTL-DB
-1552 pciarray pciarray
-1553 sna-cs sna-cs
-1554 caci-lm CACIProductsCompanyLicenseManager
-1555 livelan livelan
-1556 ashwin AshWinCITecnologies
-1557 arbortext-lm ArborTextLicenseManager
-1558 xingmpeg xingmpeg
-1559 web2host web2host
-1560 asci-val asci-val
-1561 facilityview facilityview
-1562 pconnectmgr pconnectmgr
-1563 cadabra-lm CadabraLicenseManager
-1564 pay-per-view Pay-Per-View
-1565 winddlb WinDD
-1566 corelvideo CORELVIDEO
-1567 jlicelmd jlicelmd
-1568 tsspmap tsspmap
-1569 ets ets
-1570 orbixd orbixd
-1571 rdb-dbs-disp OracleRemoteDataBase
-1572 chip-lm ChipcomLicenseManager
-1573 itscomm-ns itscomm-ns
-1574 mvel-lm mvel-lm
-1575 oraclenames oraclenames
-1576 moldflow-lm moldflow-lm
-1577 hypercube-lm hypercube-lm
-1578 jacobus-lm JacobusLicenseManager
-1579 ioc-sea-lm ioc-sea-lm
-1580 tn-tl-r2 tn-tl-r2
-1581 mil-2045-47001 MIL-2045-47001
-1582 msims MSIMS
-1583 simbaexpress simbaexpress
-1584 tn-tl-fd2 tn-tl-fd2
-1585 intv intv
-1586 ibm-abtact ibm-abtact
-1587 pra_elmd pra_elmd
-1588 triquest-lm triquest-lm
-1589 vqp VQP
-1590 gemini-lm gemini-lm
-1591 ncpm-pm ncpm-pm
-1592 commonspace commonspace
-1593 mainsoft-lm mainsoft-lm
-1594 sixtrak sixtrak
-1595 radio radio
-1596 radio-bc radio-bc
-1597 orbplus-iiop orbplus-iiop
-1598 picknfs picknfs
-1599 simbaservices simbaservices
-1600 issd
-1601 aas aas
-1602 inspect inspect
-1603 picodbc pickodbc
-1604 icabrowser icabrowser
-1605 slp SalutationManager(SalutationProtocol)
-1606 slm-api SalutationManager(SLM-API)
-1607 stt stt
-1608 smart-lm SmartCorp.LicenseManager
-1609 isysg-lm isysg-lm
-1610 taurus-wh taurus-wh
-1611 ill InterLibraryLoan
-1612 netbill-trans NetBillTransactionServer
-1613 netbill-keyrep NetBillKeyRepository
-1614 netbill-cred NetBillCredentialServer
-1615 netbill-auth NetBillAuthorizationServer
-1616 netbill-prod NetBillProductServer
-1617 nimrod-agent NimrodInter-AgentCommunication
-1618 skytelnet skytelnet
-1619 xs-openstorage xs-openstorage
-1620 faxportwinport faxportwinport
-1621 softdataphone softdataphone
-1622 ontime ontime
-1623 jaleosnd jaleosnd
-1624 udp-sr-port udp-sr-port
-1625 svs-omagent svs-omagent
-1630 oraclenet8cman OracleNet8Cman
-1636 cncp CableNetControlProtocol
-1637 cnap CableNetAdminProtocol
-1638 cnip CableNetInfoProtocol
-1639 cert-initiator cert-initiator
-1640 cert-responder cert-responder
-1641 invision InVision
-1642 isis-am isis-am
-1643 isis-ambc isis-ambc
-1644 saiseh Satellite-dataAcquisitionSystem4
-1645 datametrics datametrics
-1646 sa-msg-port sa-msg-port
-1647 rsap rsap
-1648 concurrent-lm concurrent-lm
-1649 inspect inspect
-1650 nkd nkd
-1651 shiva_confsrvr shiva_confsrvr
-1652 xnmp xnmp
-1653 alphatech-lm alphatech-lm
-1654 stargatealerts stargatealerts
-1655 dec-mbadmin dec-mbadmin
-1656 dec-mbadmin-h dec-mbadmin-h
-1657 fujitsu-mmpdc fujitsu-mmpdc
-1658 sixnetudr sixnetudr
-1659 sg-lm SiliconGrailLicenseManager
-1660 skip-mc-gikreq skip-mc-gikreq
-1661 netview-aix-1 netview-aix-1
-1662 netview-aix-2 netview-aix-2
-1663 netview-aix-3 netview-aix-3
-1664 netview-aix-4 netview-aix-4
-1665 netview-aix-5 netview-aix-5
-1666 netview-aix-6 netview-aix-6
-1667 netview-aix-7 netview-aix-7
-1668 netview-aix-8 netview-aix-8
-1669 netview-aix-9 netview-aix-9
-1670 netview-aix-10 netview-aix-10
-1671 netview-aix-11 netview-aix-11
-1672 netview-aix-12 netview-aix-12
-1673 proshare-mc-1 IntelProshareMulticast
-1674 proshare-mc-2 IntelProshareMulticast
-1675 pdp PacificDataProducts
-1676 netcomm1 netcomm1
-1677 groupwise groupwise
-1678 prolink prolink
-1679 darcorp-lm darcorp-lm
-1680 microcom-sbp microcom-sbp
-1681 sd-elmd sd-elmd
-1682 lanyon-lantern lanyon-lantern
-1683 ncpm-hip ncpm-hip
-1684 snaresecure SnareSecure
-1685 n2nremote n2nremote
-1686 cvmon cvmon
-1687 nsjtp-ctrl nsjtp-ctrl
-1688 nsjtp-data nsjtp-data
-1689 firefox firefox
-1690 ng-umds ng-umds
-1691 empire-empuma empire-empuma
-1692 sstsys-lm sstsys-lm
-1693 rrirtr rrirtr
-1694 rrimwm rrimwm
-1695 rrilwm rrilwm
-1696 rrifmm rrifmm
-1697 rrisat rrisat
-1698 rsvp-encap-1 RSVP-ENCAPSULATION-1
-1699 rsvp-encap-2 RSVP-ENCAPSULATION-2
-1700 mps-raft mps-raft
-1701 l2f l2f
-1702 deskshare deskshare
-1703 hb-engine hb-engine
-1704 bcs-broker bcs-broker
-1705 slingshot slingshot
-1706 jetform jetform
-1707 vdmplay vdmplay
-1708 gat-lmd gat-lmd
-1709 centra centra
-1710 impera impera
-1711 pptconference pptconference
-1712 registrar resourcemonitoringservice
-1713 conferencetalk ConferenceTalk
-1714 sesi-lm sesi-lm
-1715 houdini-lm houdini-lm
-1716 xmsg xmsg
-1717 fj-hdnet fj-hdnet
-1718 h323gatedisc h323gatedisc
-1719 h323gatestat h323gatestat
-1720 h323hostcall h323hostcall
-1721 caicci caicci
-1722 hks-lm HKSLicenseManager
-1723 pptp pptp
-1724 csbphonemaster csbphonemaster
-1725 iden-ralp iden-ralp
-1726 iberiagames IBERIAGAMES
-1727 winddx winddx
-1728 telindus TELINDUS
-1729 citynl CityNLLicenseManagement
-1730 roketz roketz
-1731 msiccp MSICCP
-1732 proxim proxim
-1733 siipat SIMS-SIIPATProtocolforAlarm
-1734 cambertx-lm CamberCorporationLicenseManagement
-1735 privatechat PrivateChat
-1736 street-stream street-stream
-1737 ultimad ultimad
-1738 gamegen1 GameGen1
-1739 webaccess webaccess
-1740 encore encore
-1741 cisco-net-mgmt cisco-net-mgmt
-1742 3Com-nsd 3Com-nsd
-1743 cinegrfx-lm CinemaGraphicsLicenseManager
-1744 ncpm-ft ncpm-ft
-1745 remote-winsock remote-winsock
-1746 ftrapid-1 ftrapid-1
-1747 ftrapid-2 ftrapid-2
-1748 oracle-em1 oracle-em1
-1749 aspen-services aspen-services
-1750 sslp SimpleSocketLibrary'sPortMaster
-1751 swiftnet SwiftNet
-1752 lofr-lm LeapofFaithResearchLicenseManager
-1753 translogic-lm TranslogicLicenseManager
-1754 oracle-em2 oracle-em2
-1755 ms-streaming ms-streaming
-1756 capfast-lmd capfast-lmd
-1757 cnhrp cnhrp
-1758 tftp-mcast tftp-mcast
-1759 spss-lm SPSSLicenseManager
-1760 www-ldap-gw www-ldap-gw
-1761 cft-0 cft-0
-1762 cft-1 cft-1
-1763 cft-2 cft-2
-1764 cft-3 cft-3
-1765 cft-4 cft-4
-1766 cft-5 cft-5
-1767 cft-6 cft-6
-1768 cft-7 cft-7
-1769 bmc-net-adm bmc-net-adm
-1770 bmc-net-svc bmc-net-svc
-1771 vaultbase vaultbase
-1772 essweb-gw EssWebGateway
-1773 kmscontrol KMSControl
-1774 global-dtserv global-dtserv
-1775 Unknown
-1776 femis FederalEmergencyManagementInformationSystem
-1777 powerguardian powerguardian
-1778 prodigy-intrnet prodigy-internet
-1779 pharmasoft pharmasoft
-1780 dpkeyserv dpkeyserv
-1781 answersoft-lm answersoft-lm
-1782 hp-hcip hp-hcip
-1783 fjris FujitsuRemoteInstallService
-1784 finle-lm FinleLicenseManager
-1785 windlm WindRiverSystemsLicenseManager
-1786 funk-logger funk-logger
-1787 funk-license funk-license
-1788 psmond psmond
-1789 hello hello
-1790 nmsp NarrativeMediaStreamingProtocol
-1791 ea1 EA1
-1792 ibm-dt-2 ibm-dt-2
-1793 rsc-robot rsc-robot
-1794 cera-bcm cera-bcm
-1795 dpi-proxy dpi-proxy
-1796 vocaltec-admin VocaltecServerAdministration
-1797 uma UMA
-1798 etp EventTransferProtocol
-1799 netrisk NETRISK
-1800 ansys-lm ANSYS-Licensemanager
-1801 msmq MicrosoftMessageQue
-1802 concomp1 ConComp1
-1803 hp-hcip-gwy HP-HCIP-GWY
-1804 enl ENL
-1805 enl-name ENL-Name
-1806 musiconline Musiconline
-1807 fhsp FujitsuHotStandbyProtocol
-1808 oracle-vp2 Oracle-VP2
-1809 oracle-vp1 Oracle-VP1
-1810 jerand-lm JerandLicenseManager
-1811 scientia-sdb Scientia-SDB
-1812 radius RADIUS
-1813 radius-acct RADIUSAccounting
-1814 tdp-suite TDPSuite
-1815 mmpft MMPFT
-1816 harp HARP
-1818 etftp EnhancedTrivialFileTransferProtocol
-1819 plato-lm PlatoLicenseManager
-1820 mcagent mcagent
-1821 donnyworld donnyworld
-1822 es-elmd es-elmd
-1823 unisys-lm UnisysNaturalLanguageLicenseManager
-1824 metrics-pas metrics-pas
-1850 gsi GSI
-1860 sunscalar-svc SunSCALARServices
-1861 lecroy-vicp LeCroyVICP
-1862 techra-server techra-server
-1863 msnp MSNP
-1864 paradym-31port Paradym31Port
-1865 entp ENTP
-1870 sunscalar-dns SunSCALARDNSService
-1881 ibm-mqseries2 IBMMQSeries
-1901 fjicl-tep-a FujitsuICLTerminalEmulatorProgramA
-1902 fjicl-tep-b FujitsuICLTerminalEmulatorProgramB
-1903 linkname LocalLinkNameResolution
-1904 fjicl-tep-c FujitsuICLTerminalEmulatorProgramC
-1905 sugp SecureUP.LinkGatewayProtocol
-1906 tpmd TPortMapperReq
-1907 intrastar IntraSTAR
-1908 dawn Dawn
-1909 global-wlink GlobalWorldLink
-1911 mtp StarlightNetworksMultimediaTransportProtocol
-1913 armadp armadp
-1914 elm-momentum Elm-Momentum
-1915 facelink FACELINK
-1916 persona PersoftPersona
-1917 noagent nOAgent
-1918 can-nds CandleDirectoryService-NDS
-1919 can-dch CandleDirectoryService-DCH
-1920 can-ferret CandleDirectoryService-FERRET
-1921 noadmin NoAdmin
-1944 close-combat close-combat
-1945 dialogic-elmd dialogic-elmd
-1946 tekpls tekpls
-1947 hlserver hlserver
-1948 eye2eye eye2eye
-1949 ismaeasdaqlive ISMAEasdaqLive
-1950 ismaeasdaqtest ISMAEasdaqTest
-1951 bcs-lmserver bcs-lmserver
-1973 dlsrap DataLinkSwitchingRemoteAccessProtocol
-1985 hsrp HotStandbyRouterProtocol
-1986 licensedaemon ciscolicensemanagement
-1987 tr-rsrb-p1 ciscoRSRBPriority1port
-1988 tr-rsrb-p2 ciscoRSRBPriority2port
-1989 tr-rsrb-p3 ciscoRSRBPriority3port
-1990 stun-p1 ciscoSTUNPriority1port
-1991 stun-p2 ciscoSTUNPriority2port
-1992 stun-p3 ciscoSTUNPriority3port
-1993 snmp-tcp-port ciscoSNMPTCPport
-1994 stun-port ciscoserialtunnelport
-1995 perf-port ciscoperfport
-1996 tr-rsrb-port ciscoRemoteSRBport
-1997 gdp-port ciscoGatewayDiscoveryProtocol
-1998 x25-svc-port ciscoX.25service(XOT)
-1999 tcp-id-port ciscoidentificationport
-2000 callbook
-2001 dc
-2002 globe
-2004 mailbox
-2005 berknet
-2006 invokator
-2007 dectalk
-2008 conf
-2009 news
-2010 search
-2011 raid-cc raid
-2012 ttyinfo
-2013 raid-am
-2014 troff
-2015 cypress
-2016 bootserver
-2017 cypress-stat
-2018 terminaldb
-2019 whosockami
-2020 xinupageserver
-2021 servexec
-2022 down
-2023 xinuexpansion3
-2024 xinuexpansion4
-2025 ellpack
-2026 scrabble
-2027 shadowserver
-2028 submitserver
-2030 device2
-2032 blackboard
-2033 glogger
-2034 scoremgr
-2035 imsldoc
-2038 objectmanager
-2040 lam
-2041 interbase
-2042 isis isis
-2043 isis-bcast isis-bcast
-2044 rimsl
-2045 cdfunc
-2046 sdfunc
-2047 dls
-2048 dls-monitor
-2049 nfsd-or-shilp
-2065 dlsrpn DataLinkSwitchReadPortNumber
-2067 dlswpn DataLinkSwitchWritePortNumber
-2090 lrp LoadReportProtocol
-2091 prp PRP
-2102 zephyr-srv Zephyrserver
-2103 zephyr-clt Zephyrserv-hmconnection
-2104 zephyr-hm Zephyrhostmanager
-2105 minipay MiniPay
-2180 mc-gt-srv MillicentVendorGatewayServer
-2200 ici ICI
-2201 ats AdvancedTrainingSystemProgram
-2202 imtc-map Int.MultimediaTeleconferencingCosortium
-2213 kali Kali
-2220 ganymede Ganymede
-2221 unreg-ab1 Allen-Bradleyunregisteredport
-2222 unreg-ab2 Allen-Bradleyunregisteredport
-2223 inreg-ab3 Allen-Bradleyunregisteredport
-2232 ivs-video IVSVideodefault
-2233 infocrypt INFOCRYPT
-2234 directplay DirectPlay
-2235 sercomm-wlink Sercomm-WLink
-2236 nani Nani
-2237 optech-port1-lm OptechPort1LicenseManager
-2238 aviva-sna AVIVASNASERVER
-2239 imagequery ImageQuery
-2240 recipe RECIPe
-2241 ivsd IVSDaemon
-2242 foliocorp FolioRemoteServer
-2279 xmquery xmquery
-2280 lnvpoller LNVPOLLER
-2281 lnvconsole LNVCONSOLE
-2282 lnvalarm LNVALARM
-2283 lnvstatus LNVSTATUS
-2284 lnvmaps LNVMAPS
-2285 lnvmailmon LNVMAILMON
-2286 nas-metering NAS-Metering
-2287 dna DNA
-2288 netml NETML
-2295 advant-lm AdvantLicenseManager
-2296 theta-lm ThetaLicenseManager(Rainbow)
-2297 d2k-datamover1 D2KDataMover1
-2298 d2k-datamover2 D2KDataMover2
-2299 pc-telecommute PCTelecommute
-2300 cvmmon CVMMON
-2301 cpq-wbem CompaqHTTP
-2302 binderysupport BinderySupport
-2303 proxy-gateway ProxyGateway
-2304 attachmate-uts AttachmateUTS
-2305 mt-scaleserver MTScaleServer
-2306 tappi-boxnet TAPPIBoxNet
-2307 pehelp pehelp
-2308 sdhelp sdhelp
-2309 sdserver SDServer
-2310 sdclient SDClient
-2311 messageservice MessageService
-2313 iapp IAPP(InterAccessPointProtocol)
-2314 cr-websystems CRWebSystems
-2315 precise-sft PreciseSft.
-2316 sent-lm SENTLicenseManager
-2317 attachmate-g32 AttachmateG32
-2318 cadencecontrol CadenceControl
-2319 infolibria InfoLibria
-2320 siebel-ns SiebelNS
-2321 rdlap RDLAPoverUDP
-2322 ofsd ofsd
-2323 3d-nfsd 3d-nfsd
-2324 cosmocall Cosmocall
-2325 designspace-lm DesignSpaceLicenseManagement
-2326 idcp IDCP
-2327 xingcsm xingcsm
-2328 netrix-sftm NetrixSFTM
-2329 nvd NVD
-2330 tscchat TSCCHAT
-2331 agentview AGENTVIEW
-2332 rcc-host RCCHost
-2333 snapp SNAPP
-2334 ace-client ACEClientAuth
-2335 ace-proxy ACEProxy
-2336 appleugcontrol AppleUGControl
-2337 ideesrv ideesrv
-2338 norton-lambert NortonLambert
-2339 3com-webview 3ComWebView
-2340 wrs_registry WRSRegistry
-2341 xiostatus XIOStatus
-2342 manage-exec SeagateManageExec
-2343 nati-logos natilogos
-2344 fcmsys fcmsys
-2345 dbm dbm
-2346 redstorm_join GameConnectionPort
-2347 redstorm_find GameAnnouncementandLocation
-2348 redstorm_info Informationtoqueryforgamestatus
-2349 redstorm_diag DisgnosticsPort
-2350 psbserver psbserver
-2351 psrserver psrserver
-2352 pslserver pslserver
-2353 pspserver pspserver
-2354 psprserver psprserver
-2355 psdbserver psdbserver
-2356 gxtelmd GXTLicenseManagemant
-2357 unihub-server UniHubServer
-2358 futrix Futrix
-2359 flukeserver FlukeServer
-2389 ovsessionmgr OpenViewSessionMgr
-2390 rsmtp RSMTP
-2391 3com-net-mgmt 3COMNetManagement
-2392 tacticalauth TacticalAuth
-2393 ms-olap1 MSOLAP1
-2394 ms-olap2 MSOLAP2
-2395 lan900_remote LAN900Remote
-2396 wusage Wusage
-2397 ncl NCL
-2398 orbiter Orbiter
-2399 fmpro-fdal FileMaker,Inc.-DataAccessLayer
-2400 opequus-server OpEquusServer
-2401 cvspserver cvspserver
-2402 taskmaster2000 TaskMaster2000Server
-2403 taskmaster2000 TaskMaster2000Web
-2404 iec870-5-104 IEC870-5-104
-2405 trc-netpoll TRCNetpoll
-2406 jediserver JediServer
-2407 orion Orion
-2408 optimanet OptimaNet
-2409 sns-protocol SNSProtocol
-2410 vrts-registry VRTSRegistry
-2411 netwave-ap-mgmt NetwaveAPManagement
-2412 cdn CDN
-2413 orion-rmi-reg orion-rmi-reg
-2414 interlingua Interlingua
-2415 comtest COMTEST
-2416 rmtserver RMTServer
-2417 composit-server CompositServer
-2418 cas cas
-2419 attachmate-s2s AttachmateS2S
-2420 dslremote-mgmt DSLRemoteManagement
-2421 g-talk G-Talk
-2422 crmsbits CRMSBITS
-2423 rnrp RNRP
-2424 kofax-svr KOFAX-SVR
-2425 fjitsuappmgr FujitsuAppManager
-2426 appliantudp AppliantUDP
-2427 stgcp SimpletelephonyGatewayControlProtocol
-2428 ott OneWayTripTime
-2429 ft-role FT-ROLE
-2430 venus venus
-2431 venus-se venus-se
-2432 codasrv codasrv
-2433 codasrv-se codasrv-se
-2434 pxc-epmap pxc-epmap
-2435 optilogic OptiLogic
-2436 topx TOP/X
-2437 unicontrol UniControl
-2438 msp MSP
-2439 sybasedbsynch SybaseDBSynch
-2440 spearway SpearwayLockser
-2441 pvsw-inet pvsw-inet
-2442 netangel Netangel
-2500 rtsserv ResourceTrackingsystemserver
-2501 rtsclient ResourceTrackingsystemclient
-2524 optiwave-lm OptiwaveLicenseManagement
-2525 ms-v-worlds MSV-Worlds
-2526 ema-sent-lm EMALicenseManager
-2527 iqserver IQServer
-2528 ncr_ccl NCRCCL
-2529 utsftp UTSFTP
-2530 vrcommerce VRCommerce
-2531 ito-e-gui ITO-EGUI
-2532 ovtopmd OVTOPMD
-2534 combox-web-acc ComboxWebAccess
-2564 hp-3000-telnet HP3000NS/VTblockmodetelnet
-2592 netrek netrek
-2593 mns-mail MNSMailNoticeService
-2628 dict DICT
-2629 sitaraserver SitaraServer
-2630 sitaramgmt SitaraManagement
-2631 sitaradir SitaraDir
-2632 irdg-post IRdgPost
-2633 interintelli InterIntelli
-2634 pk-electronics PKElectronics
-2635 backburner BackBurner
-2636 solve Solve
-2637 imdocsvc ImportDocumentService
-2638 sybaseanywhere SybaseAnywhere
-2639 aminet AMInet
-2640 sai_sentlm SabbaghAssociatesLicenceManager
-2641 hdl-srv HDLServer
-2642 tragic Tragic
-2643 gte-samp GTE-SAMP
-2644 travsoft-ipx-t TravsoftIPXTunnel
-2645 novell-ipx-cmd NovellIPXCMD
-2646 and-lm ANDLicenceManager
-2647 syncserver SyncServer
-2648 upsnotifyprot Upsnotifyprot
-2649 vpsipport VPSIPPORT
-2650 eristwoguns eristwoguns
-2651 ebinsite EBInSite
-2652 interpathpanel InterPathPanel
-2653 sonus Sonus
-2654 corel_vncadmin CorelVNCAdmin
-2655 unglue UNIXNtGlue
-2656 kana Kana
-2657 sns-dispatcher SNSDispatcher
-2658 sns-admin SNSAdmin
-2659 sns-query SNSQuery
-2700 tqdata tqdata
-2766 listen
-2784 www-dev worldwideweb-development
-2785 aic-np aic-np
-2786 aic-oncrpc aic-oncrpc-DestinyMCDdatabase
-2787 piccolo piccolo-CornerstoneSoftware
-2788 fryeserv NetWareLoadableModule-SeagateSoftware
-2908 mao mao
-2909 funk-dialout FunkDialout
-2910 tdaccess TDAccess
-2911 blockade Blockade
-2912 epicon Epicon
-2913 boosterware BoosterWare
-2914 gamelobby GameLobby
-2915 tksocket TKSocket
-2916 elvin_server ElvinServer
-2917 elvin_client ElvinClient
-2918 kastenchasepad KastenChasePad
-2971 netclip NetClip
-2972 pmsm-webrctl PMSMWebrctl
-2973 svnetworks SVNetworks
-2974 signal Signal
-2975 fjmpcm FujitsuConfigurationManagementService
-2998 realsecure RealSecure
-3000 hbci HBCI
-3001 redwood-broker RedwoodBroker
-3002 exlm-agent EXLMAgent
-3003 cgms CGMS
-3004 csoftragent CsoftAgent
-3005 geniuslm GeniusLicenseManager
-3006 ii-admin InstantInternetAdmin
-3007 lotusmtap LotusMailTrackingAgentProtocol
-3008 midnight-tech MidnightTechnologies
-3009 pxc-ntfy PXC-NTFY
-3010 gw TelerateWorkstation
-3011 trusted-web TrustedWeb
-3012 twsdss TrustedWebClient
-3013 gilatskysurfer GilatSkySurfer
-3014 broker_service BrokerService
-3015 nati-dstp NATIDSTP
-3016 notify_srvr NotifyServer
-3017 event_listener EventListener
-3018 srvc_registry ServiceRegistry
-3019 resource_mgr ResourceManager
-3020 cifs CIFS
-3021 agriserver AGRIServer
-3047 hlserver FastSecurityHLServer
-3048 pctrader SierraNetPCTrader
-3049 nsws NSWS
-3080 stm_pproc stm_pproc
-3105 cardbox Cardbox
-3106 cardbox-http CardboxHTTP
-3130 icpv2 ICPv2
-3131 netbookmark NetBookMark
-3141 vmodem VMODEM
-3142 rdc-wh-eos RDCWHEOS
-3143 seaview SeaView
-3144 tarantella Tarantella
-3145 csi-lfap CSI-LFAP
-3147 rfio RFIO
-3180 mc-brk-srv MillicentBrokerServer
-3264 ccmail cc:mail/lotus
-3265 altav-tunnel AltavTunnel
-3266 ns-cfg-server NSCFGServer
-3267 ibm-dial-out IBMDialOut
-3268 msft-gc MicrosoftGlobalCatalog
-3269 msft-gc-ssl MicrosoftGlobalCatalogwithLDAP/SSL
-3270 verismart Verismart
-3271 csoft-prev CSoftPrevPort
-3272 user-manager FujitsuUserManager
-3273 sxmp SimpleExtensibleMultiplexedProtocol
-3274 ordinox-server OrdinoxServer
-3275 samd SAMD
-3276 maxim-asics MaximASICs
-3277 awg-proxy AWGProxy
-3278 lkcmserver LKCMServer
-3279 admind admind
-3280 vs-server VSServer
-3281 sysopt SYSOPT
-3282 datusorb Datusorb
-3283 net-assistant NetAssistant
-3284 4talk 4Talk
-3285 plato Plato
-3286 e-net E-Net
-3287 directvdata DIRECTVDATA
-3288 cops COPS
-3289 enpc ENPC
-3290 caps-lm CAPSLOGISTICSTOOLKIT-LM
-3291 sah-lm SAHolditch&Associates-
-3292 cart-o-rama CartORama
-3293 fg-fps fg-fps
-3294 fg-gip fg-gip
-3295 dyniplookup DynamicIPLookup
-3296 rib-slm RibLicenseManager
-3297 cytel-lm CytelLicenseManager
-3298 transview Transview
-3299 pdrncs pdrncs
-3300 bmcpatrolagent BMCPatrolAgent
-3301 bmcpatrolrnvu BMCPatrolRendezvous
-3302 mcs-fastmail MCSFastmail
-3303 opsession-clnt OPSessionClient
-3304 opsession-srvr OPSessionServer
-3305 odette-ftp ODETTE-FTP
-3306 mysql MySQL
-3307 opsession-prxy OPSessionProxy
-3308 tns-server TNSServer
-3309 tns-adv TNDADV
-3310 dyna-access DynaAccess
-3311 mcns-tel-ret MCNSTelRet
-3312 appman-server ApplicationManagementServer
-3313 uorb UnifyObjectBroker
-3314 uohost UnifyObjectHost
-3315 cdid CDID
-3316 aicc-cmi AICC/CMI
-3317 vsaiport VSAIPORT
-3318 ssrip SwithtoSwithRoutingInformationProtocol
-3319 sdt-lmd SDTLicenseManager
-3320 officelink2000 OfficeLink2000
-3321 vnsstr VNSSTR
-3322 active-net
-3323 active-net
-3324 active-net
-3325 active-net
-3326 sftu SFTU
-3327 bbars BBARS
-3328 egptlm EaglepointLicenseManager
-3329 hp-device-disc HPDeviceDisc
-3330 mcs-calypsoicf MCSCalypsoICF
-3331 mcs-messaging MCSMessaging
-3332 mcs-mailsvr MCSMailServer
-3333 dec-notes DECNotes
-3334 directv-web DirectTVWebcasting
-3335 directv-soft DirectTVSoftwareUpdates
-3336 directv-tick DirectTVTickers
-3337 directv-catlg DirectTVDataCatalog
-3338 anet-b OMFdatab
-3339 anet-l OMFdatal
-3340 anet-m OMFdatam
-3341 anet-h OMFdatah
-3342 webtie WebTIE
-3343 ms-cluster-net MSClusterNet
-3344 bnt-manager BNTManager
-3345 influence Influence
-3346 trnsprntproxy TrnsprntProxy
-3347 phoenix-rpc PhoenixRPC
-3348 pangolin-laser PangolinLaser
-3349 chevinservices ChevinServices
-3350 findviatv FINDVIATV
-3351 btrieve BTRIEVE
-3352 ssql SSQL
-3353 fatpipe FATPIPE
-3354 suitjd SUITJD
-3355 ordinox-dbase OrdinoxDbase
-3356 upnotifyps UPNOTIFYPS
-3357 adtech-test AdtechTestIP
-3358 mpsysrmsvr MpSysRmsvr
-3359 wg-netforce WGNetForce
-3360 kv-server KVServer
-3361 kv-agent KVAgent
-3362 dj-ilm DJILM
-3363 nati-vi-server NATIViServer
-3364 creativeserver CreativeServer
-3365 contentserver ContentServer
-3366 creativepartnr CreativePartner
-3367 satvid-dtalnk
-3368 satvid-dtalnk
-3369 satvid-dtalnk
-3370 satvid-dtalnk
-3371 satvid-dtalnk
-3372 tip2 TIP2
-3373 lavenir-lm LavenirLicenseManager
-3374 cluster-disc ClusterDisc
-3375 vsnm-agent VSNMAgent
-3376 cdbroker CDBroker
-3377 cogsys-lm CogsysNetworkLicenseManager
-3378 wsicopy WSICOPY
-3379 socorfs SOCORFS
-3380 sns-channels SNSChannels
-3381 geneous Geneous
-3382 fujitsu-neat FujitsuNetworkEnhancedAntitheftfunction
-3383 esp-lm EnterpriseSoftwareProductsLicenseManager
-3384 hp-clic HardwareManagement
-3385 qnxnetman qnxnetman
-3386 gprs-sig GPRSSIG
-3387 backroomnet BackRoomNet
-3388 cbserver CBServer
-3389 ms-wbt-server MSWBTServer
-3390 dsc DistributedServiceCoordinator
-3391 savant SAVANT
-3392 efi-lm EFILicenseManagement
-3393 d2k-tapestry1 D2KTapestryClienttoServer
-3394 d2k-tapestry2 D2KTapestryServertoServer
-3395 dyna-lm DynaLicenseManager(Elam)
-3396 printer_agent PrinterAgent
-3397 cloanto-lm CloantoLicenseManager
-3398 mercantile Mercantile
-3421 bmap BullAppriseportmapper
-3454 mira AppleRemoteAccessProtocol
-3455 prsvp RSVPPort
-3456 vat VATdefaultdata
-3457 vat-control VATdefaultcontrol
-3458 d3winosfi DsWinOSFI
-3459 integral Integral
-3460 edm-manager EDMManger
-3461 edm-stager EDMStager
-3462 edm-std-notify EDMSTDNotify
-3463 edm-adm-notify EDMADMNotify
-3464 edm-mgr-sync EDMMGRSync
-3465 edm-mgr-cntrl EDMMGRCntrl
-3466 workflow WORKFLOW
-3563 watcomdebug WatcomDebug
-3900 udt_os UnidataUDTOS
-3984 mapper-nodemgr MAPPERnetworknodemanager
-3985 mapper-mapethd MAPPERTCP/IPserver
-3986 mapper-ws_ethd MAPPERworkstationserver
-3987 centerline Centerline
-4000 terabase Terabase
-4001 newoak NewOak
-4008 netcheque NetChequeaccounting
-4009 chimera-hwm ChimeraHWM
-4010 samsung-unidex SamsungUnidex
-4011 altserviceboot AlternateServiceBoot
-4012 pda-gate PDAGate
-4013 acl-manager ACLManager
-4014 taiclock TAICLOCK
-4045 lockd
-4096 bre BRE(BridgeRelayElement)
-4132 nuts_dem NUTSDaemon
-4133 nuts_bootp NUTSBootpServer
-4134 nifty-hmi NIFTY-ServeHMIprotocol
-4141 oirtgsvc WorkflowServer
-4142 oidocsvc DocumentServer
-4143 oidsr DocumentReplication
-4200 VRML
-4201 VRML
-4202 VRML
-4203 VRML
-4204 VRML
-4205 VRML
-4206 VRML
-4207 VRML
-4208 VRML
-4209 VRML
-4210 VRML
-4211 VRML
-4212 VRML
-4213 VRML
-4214 VRML
-4215 VRML
-4216 VRML
-4217 VRML
-4218 VRML
-4219 VRML
-4220 VRML
-4221 VRML
-4222 VRML
-4223 VRML
-4224 VRML
-4225 VRML
-4226 VRML
-4227 VRML
-4228 VRML
-4229 VRML
-4230 VRML
-4231 VRML
-4232 VRML
-4233 VRML
-4234 VRML
-4235 VRML
-4236 VRML
-4237 VRML
-4238 VRML
-4239 VRML
-4240 VRML
-4241 VRML
-4242 VRML
-4243 VRML
-4244 VRML
-4245 VRML
-4246 VRML
-4247 VRML
-4248 VRML
-4249 VRML
-4250 VRML
-4251 VRML
-4252 VRML
-4253 VRML
-4254 VRML
-4255 VRML
-4256 VRML
-4257 VRML
-4258 VRML
-4259 VRML
-4260 VRML
-4261 VRML
-4262 VRML
-4263 VRML
-4264 VRML
-4265 VRML
-4266 VRML
-4267 VRML
-4268 VRML
-4269 VRML
-4270 VRML
-4271 VRML
-4272 VRML
-4273 VRML
-4274 VRML
-4275 VRML
-4276 VRML
-4277 VRML
-4278 VRML
-4279 VRML
-4280 VRML
-4281 VRML
-4282 VRML
-4283 VRML
-4284 VRML
-4285 VRML
-4286 VRML
-4287 VRML
-4288 VRML
-4289 VRML
-4290 VRML
-4291 VRML
-4292 VRML
-4293 VRML
-4294 VRML
-4295 VRML
-4296 VRML
-4297 VRML
-4298 VRML
-4299 VRML
-4300 corelccam CorelCCam
-4321 rwhois RemoteWhoIs
-4343 unicall UNICALL
-4344 vinainstall VinaInstall
-4345 m4-network-as Macro4NetworkAS
-4346 elanlm ELANLM
-4347 lansurveyor LANSurveyor
-4348 itose ITOSE
-4349 fsportmap FileSystemPortMap
-4350 net-device NetDevice
-4351 plcy-net-svcs PLCYNetServices
-4444 krb524 KRB524
-4445 upnotifyp UPNOTIFYP
-4446 n1-fwp N1-FWP
-4447 n1-rmgmt N1-RMGMT
-4448 asc-slmd ASCLicenceManager
-4449 privatewire PrivateWire
-4450 camp Camp
-4451 ctisystemmsg CTISystemMsg
-4452 ctiprogramload CTIProgramLoad
-4453 nssalertmgr NSSAlertManager
-4454 nssagentmgr NSSAgentManager
-4455 prchat-user PRChatUser
-4456 prchat-server PRChatServer
-4457 prRegister PRRegister
-4500 sae-urn sae-urn
-4501 urn-x-cdchoice urn-x-cdchoice
-4545 highscore Highscore
-4546 sf-lm SFLicenseManager(Sentinel)
-4547 lanner-lm LannerLicenseManager
-4672 rfa remotefileaccessserver
-4800 iims IconaInstantMessengingSystem
-4801 iwec IconaWebEmbeddedChat
-4802 ilss IconaLicenseSystemServer
-4827 htcp HTCP
-4868 phrelay PhotonRelay
-4869 phrelaydbg PhotonRelayDebug
-4885 abbs ABBS
-5000 commplex-main
-5001 commplex-link
-5002 rfe radiofreeethernet
-5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding
-5004 avt-profile-1 avt-profile-1
-5005 avt-profile-2 avt-profile-2
-5010 telelpathstart TelepathStart
-5011 telelpathattack TelepathAttack
-5020 zenginkyo-1 zenginkyo-1
-5021 zenginkyo-2 zenginkyo-2
-5050 mmcc multimediaconferencecontroltool
-5051 ita-agent ITAAgent
-5052 ita-manager ITAManager
-5060 sip SIP
-5145 rmonitor_secure
-5150 atmp AscendTunnelManagementProtocol
-5190 aol America-Online
-5191 aol-1 AmericaOnline1
-5192 aol-2 AmericaOnline2
-5193 aol-3 AmericaOnline3
-5236 padl2sim
-5272 pk PK
-5300 hacl-hb #HAclusterheartbeat
-5301 hacl-gs #HAclustergeneralservices
-5302 hacl-cfg #HAclusterconfiguration
-5303 hacl-probe #HAclusterprobing
-5304 hacl-local #HAClusterCommands
-5305 hacl-test #HAClusterTest
-5306 sun-mc-grp SunMCGroup
-5307 sco-aip SCOAIP
-5308 cfengine CFengine
-5309 jprinter JPrinter
-5310 outlaws Outlaws
-5311 tmlogin TMLogin
-5400 excerpt ExcerptSearch
-5401 excerpts ExcerptSearchSecure
-5402 mftp MFTP
-5403 hpoms-ci-lstn HPOMS-CI-LSTN
-5404 hpoms-dps-lstn HPOMS-DPS-LSTN
-5405 netsupport NetSupport
-5406 systemics-sox SystemicsSox
-5407 foresyte-clear Foresyte-Clear
-5408 foresyte-sec Foresyte-Sec
-5409 salient-dtasrv SalientDataServer
-5410 salient-usrmgr SalientUserManager
-5411 actnet ActNet
-5412 continuus Continuus
-5413 wwiotalk WWIOTALK
-5414 statusd StatusD
-5415 ns-server NSServer
-5416 sns-gateway SNSGateway
-5417 sns-agent SNSAgent
-5418 mcntp MCNTP
-5419 dj-ice DJ-ICE
-5420 cylink-c Cylink-C
-5500 fcp-addr-srvr1 fcp-addr-srvr1
-5501 fcp-addr-srvr2 fcp-addr-srvr2
-5502 fcp-srvr-inst1 fcp-srvr-inst1
-5503 fcp-srvr-inst2 fcp-srvr-inst2
-5504 fcp-cics-gw1 fcp-cics-gw1
-5555 personal-agent PersonalAgent
-5599 esinstall EnterpriseSecurityRemoteInstall
-5600 esmmanager EnterpriseSecurityManager
-5601 esmagent EnterpriseSecurityAgent
-5602 a1-msc A1-MSC
-5603 a1-bs A1-BS
-5604 a3-sdunode A3-SDUNode
-5605 a4-sdunode A4-SDUNode
-5631 pcanywheredata pcANYWHEREdata
-5632 pcanywherestat pcANYWHEREstat
-5678 rrac RemoteReplicationAgentConnection
-5679 dccm DirectCableConnectManager
-5713 proshareaudio proshareconfaudio
-5714 prosharevideo proshareconfvideo
-5715 prosharedata proshareconfdata
-5716 prosharerequest proshareconfrequest
-5717 prosharenotify proshareconfnotify
-5729 openmail OpenmailUserAgentLayer
-5741 ida-discover1 IDADiscoverPort1
-5742 ida-discover2 IDADiscoverPort2
-5745 fcopy-server fcopy-server
-5746 fcopys-server fcopys-server
-5755 openmailg OpenMailDeskGatewayserver
-5757 x500ms OpenMailX.500DirectoryServer
-5766 openmailns OpenMailNewMailServer
-5767 s-openmail OpenMailSuerAgentLayer(Secure)
-5768 openmailpxy OpenMailCMTSServer
-6000 X11
-6001 X11
-6002 X11
-6003 X11
-6004 X11
-6005 X11
-6006 X11
-6007 X11
-6008 X11
-6009 X11
-6010 X11
-6011 X11
-6012 X11
-6013 X11
-6014 X11
-6015 X11
-6016 X11
-6017 X11
-6018 X11
-6019 X11
-6020 X11
-6021 X11
-6022 X11
-6023 X11
-6024 X11
-6025 X11
-6026 X11
-6027 X11
-6028 X11
-6029 X11
-6030 X11
-6031 X11
-6032 X11
-6033 X11
-6034 X11
-6035 X11
-6036 X11
-6037 X11
-6038 X11
-6039 X11
-6040 X11
-6041 X11
-6042 X11
-6043 X11
-6044 X11
-6045 X11
-6046 X11
-6047 X11
-6048 X11
-6049 X11
-6050 X11
-6051 X11
-6052 X11
-6053 X11
-6054 X11
-6055 X11
-6056 X11
-6057 X11
-6058 X11
-6059 X11
-6060 X11
-6061 X11
-6062 X11
-6063 X11
-6110 softcm HPSoftBenchCM
-6111 spc HPSoftBenchSub-ProcessControl
-6112 dtspcd dtspcd
-6123 backup-express BackupExpress
-6141 meta-corp MetaCorporationLicenseManager
-6142 aspentec-lm AspenTechnologyLicenseManager
-6143 watershed-lm WatershedLicenseManager
-6144 statsci1-lm StatSciLicenseManager-1
-6145 statsci2-lm StatSciLicenseManager-2
-6146 lonewolf-lm LoneWolfSystemsLicenseManager
-6147 montage-lm MontageLicenseManager
-6148 ricardo-lm RicardoNorthAmericaLicenseManager
-6149 tal-pod tal-pod
-6253 crip CRIP
-6389 clariion-evr01 clariion-evr01
-6455 skip-cert-recv SKIPCertificateReceive
-6456 skip-cert-send SKIPCertificateSend
-6471 lvision-lm LVisionLicenseManager
-6500 boks BoKSMaster
-6501 boks_servc BoKSServc
-6502 boks_servm BoKSServm
-6503 boks_clntd BoKSClntd
-6505 badm_priv BoKSAdminPrivatePort
-6506 badm_pub BoKSAdminPublicPort
-6507 bdir_priv BoKSDirServer,PrivatePort
-6508 bdir_pub BoKSDirServer,PublicPort
-6558 xdsxdm
-6665 ircu
-6666 ircu
-6667 ircu
-6668 ircu
-6669 ircu IRCU
-6670 vocaltec-gold VocaltecGlobalOnlineDirectory
-6672 vision_server vision_server
-6673 vision_elmd vision_elmd
-6701 kti-icad-srvr KTI/ICADNameserver
-6790 hnmp HNMP
-6831 ambit-lm ambit-lm
-6969 acmsoda acmsoda
-7000 afs3-fileserver fileserveritself
-7001 afs3-callback callbackstocachemanagers
-7002 afs3-prserver users&groupsdatabase
-7003 afs3-vlserver volumelocationdatabase
-7004 afs3-kaserver AFS/Kerberosauthenticationservice
-7005 afs3-volser volumemanagementserver
-7006 afs3-errors errorinterpretationservice
-7007 afs3-bos basicoverseerprocess
-7008 afs3-update server-to-serverupdater
-7009 afs3-rmtsys remotecachemanagerservice
-7010 ups-onlinet onlinetuninterruptablepowersupplies
-7020 dpserve DPServe
-7021 dpserveadmin DPServeAdmin
-7070 arcp ARCP
-7099 lazy-ptop lazy-ptop
-7100 font-service XFontService
-7121 virprot-lm VirtualPrototypesLicenseManager
-7174 clutild Clutild
-7200 fodms FODMSFLIP
-7201 dlip DLIP
-7395 winqedit winqedit
-7426 pmdmgr OpenViewDMPostmasterManager
-7427 oveadmgr OpenViewDMEventAgentManager
-7428 ovladmgr OpenViewDMLogAgentManager
-7429 opi-sock OpenViewDMrqtcommunication
-7430 xmpv7 OpenViewDMxmpv7apipipe
-7431 pmd OpenViewDMovc/xmpv3apipipe
-7491 telops-lmd telops-lmd
-7511 pafec-lm pafec-lm
-7544 nta-ds FlowAnalyzerDisplayServer
-7545 nta-us FlowAnalyzerUtilityServer
-7570 aries-kfinder AriesKfinder
-7588 sun-lm SunLicenseManager
-7777 cbt cbt
-7781 accu-lmgr accu-lmgr
-7932 t2-drm Tier2DataResourceManager
-7933 t2-brm Tier2BusinessRulesManager
-7980 quest-vista QuestVista
-7999 irdmi2 iRDMI2
-8000 irdmi iRDMI
-8001 vcom-tunnel VCOMTunnel
-8008 http-alt HTTPAlternate
-8032 pro-ed ProEd
-8033 mindprint MindPrint
-8080 http-alt HTTPAlternate(seeport80)
-8200 trivnet1 TRIVNET
-8201 trivnet2 TRIVNET
-8376 cruise-enum CruiseENUM
-8377 cruise-swroute CruiseSWROUTE
-8378 cruise-config CruiseCONFIG
-8379 cruise-diags CruiseDIAGS
-8380 cruise-update CruiseUPDATE
-8400 cvd cvd
-8401 sabarsd sabarsd
-8402 abarsd abarsd
-8403 admind admind
-8450 npmp npmp
-8473 vp2p VitualPointtoPoint
-8554 rtsp-alt RTSPAlternate(seeport554)
-8765 ultraseek-http UltraseekHTTP
-8880 cddbp-alt CDDBP
-8888 ddi-tcp-1 NewsEDGEserverTCP(TCP1)
-8889 ddi-tcp-2 DesktopDataTCP1
-8890 ddi-tcp-3 DesktopDataTCP2
-8891 ddi-tcp-4 DesktopDataTCP3:NESSapplication
-8892 ddi-tcp-5 DesktopDataTCP4:FARMproduct
-8893 ddi-tcp-6 DesktopDataTCP5:NewsEDGE/Webapplication
-8894 ddi-tcp-7 DesktopDataTCP6:COALapplication
-9000 cslistener CSlistener
-9006 sctp SCTP
-9090 websm WebSM
-9535 man
-9594 msgsys MessageSystem
-9595 pds PingDiscoveryService
-9876 sd SessionDirector
-9888 cyborg-systems CYBORGSystems
-9898 monkeycom MonkeyCom
-9992 palace Palace
-9993 palace Palace
-9994 palace Palace
-9995 palace Palace
-9996 palace Palace
-9997 palace Palace
-9998 distinct32 Distinct32
-9999 distinct distinct
-10000 ndmp NetworkDataManagementProtocol
-10007 mvs-capacity MVSCapacity
-11001 metasys Metasys
-11367 atm-uhas ATMUHAS
-12000 entextxid IBMEnterpriseExtenderSNAXIDExchange
-12001 entextnetwk IBMEnterpriseExtenderSNACOSNetwork
-12002 entexthigh IBMEnterpriseExtenderSNACOSHigh
-12003 entextmed IBMEnterpriseExtenderSNACOSMedium
-12004 entextlow IBMEnterpriseExtenderSNACOSLow
-12753 tsaf tsafport
-13160 i-zipqd I-ZIPQD
-13720 bprd BPRDProtocol(VERITASNetBackup)
-13721 bpbrm BPBRMProtocol(VERITASNetBackup)
-13782 bpcd VERITASNetBackup
-13818 dsmcc-config DSMCCConfig
-13819 dsmcc-session DSMCCSessionMessages
-13820 dsmcc-passthru DSMCCPass-ThruMessages
-13821 dsmcc-download DSMCCDownloadProtocol
-13822 dsmcc-ccp DSMCCChannelChangeProtocol
-14001 itu-sccp-ss7 ITUSCCP(SS7)
-17007 isode-dua
-17219 chipper Chipper
-18000 biimenu BeckmanInstruments,Inc.
-19541 jcp JCPClient
-21845 webphone webphone
-21846 netspeak-is NetSpeakCorp.DirectoryServices
-21847 netspeak-cs NetSpeakCorp.ConnectionServices
-21848 netspeak-acd NetSpeakCorp.AutomaticCallDistribution
-21849 netspeak-cps NetSpeakCorp.CreditProcessingSystem
-22273 wnn6 wnn6
-22555 vocaltec-wconf VocaltecWebConference
-22800 aws-brf TelerateInformationPlatformLAN
-22951 brf-gw TelerateInformationPlatformWAN
-24000 med-ltp med-ltp
-24001 med-fsp-rx med-fsp-rx
-24002 med-fsp-tx med-fsp-tx
-24003 med-supp med-supp
-24004 med-ovw med-ovw
-24005 med-ci med-ci
-24006 med-net-svc med-net-svc
-25000 icl-twobase1 icl-twobase1
-25001 icl-twobase2 icl-twobase2
-25002 icl-twobase3 icl-twobase3
-25003 icl-twobase4 icl-twobase4
-25004 icl-twobase5 icl-twobase5
-25005 icl-twobase6 icl-twobase6
-25006 icl-twobase7 icl-twobase7
-25007 icl-twobase8 icl-twobase8
-25008 icl-twobase9 icl-twobase9
-25009 icl-twobase10 icl-twobase10
-25793 vocaltec-hos VocaltecAddressServer
-26000 quake quake
-26208 wnn6-ds wnn6-ds
-27000 flex-lm
-27001 flex-lm FLEXLM(1-10)
-27002 flex-lm FLEXLM(1-10)
-27003 flex-lm FLEXLM(1-10)
-27004 flex-lm FLEXLM(1-10)
-27005 flex-lm FLEXLM(1-10)
-27006 flex-lm FLEXLM(1-10)
-27007 flex-lm FLEXLM(1-10)
-27008 flex-lm FLEXLM(1-10)
-27009 flex-lm FLEXLM(1-10)
-27999 tw-auth-key TWAuthentication/KeyDistributionand
-33434 traceroute tracerouteuse
-44818 rockwell-encap RockwellEncapsulation
-45678 eba EBAPRISE
-47557 dbbrowse DatabeamCorporation
-47624 directplaysrvr DirectPlayServer
-47806 ap ALCProtocol
-47808 bacnet BuildingAutomationandControlNetworks
diff --git a/contrib/ipfilter/perl/ipf-mrtg.pl b/contrib/ipfilter/perl/ipf-mrtg.pl
deleted file mode 100644
index cce30ab..0000000
--- a/contrib/ipfilter/perl/ipf-mrtg.pl
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/local/bin/perl
-# reads stats and uptime for ip-filter for mrtg
-# ron@rosie.18james.com, 2 Jan 2000
-
-my $firewall = "IP Filter v3.3.3";
-my($in_pkts,$out_pkts) = (0,0);
-
-open(FW, "/sbin/ipfstat -hi|") || die "cannot open ipfstat -hi\n";
-while (<FW>) {
- $in_pkts += $1 if (/^(\d+)\s+pass\s+in\s+quick.*group\s+1\d0/);
-}
-close(FW);
-open(FW, "/sbin/ipfstat -ho|") || die "cannot open ipfstat -ho\n";
-while (<FW>) {
- $out_pkts += $1 if (/^(\d+)\s+pass\s+out\s+quick.*group\s+1\d0/);
-}
-print "$in_pkts\n",
- "$out_pkts\n";
-my $uptime = `/usr/bin/uptime`;
-$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
-print "$2 $3\n",
- "$firewall\n";
\ No newline at end of file
diff --git a/contrib/ipfilter/perl/ipfmeta.pl b/contrib/ipfilter/perl/ipfmeta.pl
deleted file mode 100644
index 1a7bb3f..0000000
--- a/contrib/ipfilter/perl/ipfmeta.pl
+++ /dev/null
@@ -1,210 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000
-# ipfmeta is in the Public Domain.
-#
-
-use strict;
-use Getopt::Std;
-
-## PROCESS COMMANDLINE
-our($opt_v); $opt_v=1;
-getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n";
-my $verbose = $opt_v + 0;
-my $objfile = shift || "ipf.objs";
-my $MAXRECURSION = 10;
-
-## READ OBJECTS
-open(FH, "$objfile") || die "cannot open $objfile: $!\n";
-my @tokens;
-while (<FH>) {
- chomp;
- s/#.*$//; # remove comments
- s/^\s+//; # compress whitespace
- s/\s+$//;
- next if m/^$/; # skip empty lines
- push (@tokens, split);
-}
-close(FH) || die "cannot close $objfile: $!\n";
-# link objects with their values
-my $obj="";
-my %objs;
-while (@tokens) {
- my $token = shift(@tokens);
- if ($token =~ m/^\[([^]]*)\]$/) {
- # new object
- $obj = $1;
- } else {
- # new value
- push(@{$objs{$obj}}, $token) unless ($obj eq "");
- }
-}
-
-# sort objects: longest first
-my @objs = sort { length($b) <=> length($a) } keys %objs;
-
-## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN
-foreach (<STDIN>) {
- foreach (expand($_, 0)) {
- print;
- }
-}
-
-## END
-
-sub expand {
- my $line = shift;
- my $level = shift;
- my @retlines = $line;
- my $obj;
- my $val;
-
- # coarse protection
- if ($level > $MAXRECURSION) {
- print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n";
- return;
- }
-
- foreach $obj (@objs) {
- if ($line =~ m/$obj/) {
- @retlines = "";
- if ($level < $verbose) {
- # add metarule as a comment
- push(@retlines, "# ".$line);
- }
- foreach $val (@{$objs{$obj}}) {
- my $newline = $line;
- $newline =~ s/$obj/$val/;
- push(@retlines, expand($newline, $level+1));
- }
- last;
- }
- }
-
- return @retlines;
-}
-
-__END__
-
-=head1 NAME
-
-B<ipfmeta> - use objects in IP filter files
-
-=head1 SYNOPSIS
-
-B<ipfmeta> [F<options>] [F<objfile>]
-
-=head1 DESCRIPTION
-
-B<ipfmeta> is used to simplify the maintenance of your IP filter
-ruleset. It does this through the use of 'objects'. A matching
-object gets replaced by its values at runtime. This is similar to
-what a macro processor like m4 does.
-
-B<ipfmeta> is specifically geared towards IP filter. It is line
-oriented, if an object has multiple values, the line with the object
-is duplicated and substituted for each value. It is also recursive,
-an object may have another object as a value.
-
-Rules to be processed are read from stdin, output goes to stdout.
-
-The verbose option allows for the inclusion of the metarules in the
-output as comments.
-
-Definition of the objects and their values is done in a separate
-file, the filename defaults to F<ipf.objs>. An object is delimited
-by square brackets. A value is delimited by whitespace. Comments
-start with '#' and end with a newline. Empty lines and extraneous
-whitespace are allowed. A value belongs to the first object that
-precedes it.
-
-It is recommended that you use all caps or another distinguishing
-feature for object names. You can use B<ipfmeta> for NAT rules also,
-for instance to keep them in sync with filter rules. Combine
-B<ipfmeta> with a Makefile to save typing.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-v> I<verboselevel>
-
-Include metarules in output as comments. Default is 1, the top level
-metarules. Higher levels cause expanded metarules to be included.
-Level 0 does not add comments at all.
-
-=back
-
-=head1 BUGS
-
-A value can not have whitespace in it.
-
-=head1 EXAMPLE
-
-(this does not look good, formatted)
-
-I<ipf.objs>
-
-[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
-
-[MULTICAST] 224.0.0.0/4
-
-[UNWANTED] PRIVATE MULTICAST
-
-[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32
-
-[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32
-
-[MGMT-PORTS] 22 23
-
-I<ipf.metarules>
-
-block in from UNWANTED to any
-
-pass in from NOC to WEBSERVERS port = MGMT-PORTS
-
-pass out all
-
-I<Run>
-
-ipfmeta ipf.objs <ipf.metarules >ipf.rules
-
-I<Output>
-
-# block in from UNWANTED to any
-
-block in from 10.0.0.0/8 to any
-
-block in from 127.0.0.0/8 to any
-
-block in from 172.16.0.0/12 to any
-
-block in from 192.168.0.0/16 to any
-
-block in from 224.0.0.0/4 to any
-
-# pass in from NOC to WEBSERVERS port = MGMT-PORTS
-
-pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22
-
-pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23
-
-pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22
-
-pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23
-
-pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22
-
-pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23
-
-pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22
-
-pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23
-
-pass out all
-
-=head1 AUTHOR
-
-Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain.
-
-=cut
diff --git a/contrib/ipfilter/perl/logfilter.pl b/contrib/ipfilter/perl/logfilter.pl
deleted file mode 100644
index 6ebe401..0000000
--- a/contrib/ipfilter/perl/logfilter.pl
+++ /dev/null
@@ -1,181 +0,0 @@
-#!perl.exe
-
-# Author: Chris Grant
-# Copyright 1999, Codetalker Communications, Inc.
-#
-# This script takes a firewall log and breaks it into several
-# different files. Each file is named based on the service that
-# runs on the port that was recognized in log line. After
-# this script has run, you should end up with several files.
-# Of course you will have the original log file and then files
-# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
-# netbus.log, and unknown.log.
-#
-# The number of entries in unknown.log should be minimal. The
-# mappings of the port numbers and file names are stored in the bottom
-# of this file in the data section. Simply look at the ports being hit,
-# find out what these ports do, and add them to the data section.
-#
-# You may be wondering why I haven't simply parsed RFC1700 to come up
-# with a list of port numbers and files. The reason is that I don't
-# believe reading firewall logs should be all that automated. You
-# should be familiar with what probes are hitting your system. By
-# manually adding entries to the data section this ensures that I
-# have at least educated myself about what this protocol is, what
-# the potential exposure is, and why you might be seeing this traffic.
-
-%icmp = ();
-%udp = ();
-%tcp = ();
-%openfiles = ();
-$TIDBITSFILE = "unknown.log";
-
-# Read the ports data from the end of this file and build the three hashes
-while (<DATA>) {
- chomp; # trim the newline
- s/#.*//; # no comments
- s/^\s+//; # no leading white
- s/\s+$//; # no trailing white
- next unless length; # anything left?
- $_ = lc; # switch to lowercase
- ($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
- SWITCH: {
- if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
- if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
- if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
- die "An unknown protocol listed in the proto defs\n$_\n";
- }
-}
-
-$filename = shift;
-unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
-open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
-$openfiles{$filename} = "LOGFILE";
-
-$linenum = 0;
-while($line = <LOGFILE>) {
-
- chomp($line);
- $linenum++;
-
- # determine the protocol - send to unknown.log if not found
- SWITCH: {
-
- ($line =~ m /\sicmp\s/) && do {
-
- #
- # ICMP Protocol
- #
- # Extract the icmp packet information specifying the type.
- #
- # Note: Must check for ICMP first because this may be an ICMP reply
- # to a TCP or UDP connection (eg Port Unreachable).
-
- ($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
-
- $filename = $TIDBITSFILE;
- $filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
-
- last SWITCH;
- };
-
- ($line =~ m /\stcp\s/) && do {
-
- #
- # TCP Protocol
- #
- # extract the source and destination ports and compare them to
- # known ports in the tcp hash. For the first match, place this
- # line in the file specified by the tcp hash. Ignore one of the
- # port matches if both ports happen to be known services.
-
- ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
- #print "$line\n" unless (defined($sport) && defined($dport));
-
- $filename = $TIDBITSFILE;
- $filename = $tcp{$sport} if (defined($tcp{$sport}));
- $filename = $tcp{$dport} if (defined($tcp{$dport}));
-
- last SWITCH;
- };
-
- ($line =~ m /\sudp\s/) && do {
-
- #
- # UDP Protocol - same procedure as with TCP, different hash
- #
-
- ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
-
- $filename = $TIDBITSFILE;
- $filename = $udp{$sport} if (defined($udp{$sport}));
- $filename = $udp{$dport} if (defined($udp{$dport}));
-
- last SWITCH;
- };
-
- #
- # The default case is that the protocol was unknown
- #
- $filename = $TIDBITSFILE;
- }
-
- #
- # write the line to the appropriate file as determined above
- #
- # check for filename in the openfiles hash. if it exists then write
- # to the given handle. otherwise open a handle to the file and add
- # it to the hash of open files.
-
- if (defined($openfiles{$filename})) {
- $handle = $openfiles{$filename};
- } else {
- $handle = "HANDLE" . keys %openfiles;
- open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
- $openfiles{$filename} = $handle;
- }
- print $handle "#$linenum\t $line\n";
-
-}
-
-# close all open file handles
-
-foreach $key (keys %openfiles) {
- close($openfiles{$key});
-}
-
-close(LOGFILE);
-
-__DATA__
-icmp 3 destunreach.log
-icmp 8 ping.log
-icmp 9 router.log
-icmp 10 router.log
-icmp 11 ttl.log
-tcp 23 telnet.log
-tcp 25 smtp.log
-udp 25 smtp.log
-udp 53 dns.log
-tcp 80 http.log
-tcp 110 pop3.log
-tcp 111 rpc.log
-udp 111 rpc.log
-tcp 137 netbios.log
-udp 137 netbios.log
-tcp 143 imap.log
-udp 161 snmp.log
-udp 370 backweb.log
-udp 371 backweb.log
-tcp 443 https.log
-udp 443 https.log
-udp 512 syslog.log
-tcp 635 nfs.log # NFS mount services
-udp 635 nfs.log # NFS mount services
-tcp 1080 socks.log
-udp 1080 socks.log
-tcp 6112 games.log # Battle net
-tcp 6667 irc.log
-tcp 7070 realaudio.log
-tcp 8080 http.log
-tcp 12345 netbus.log
-udp 31337 backorifice.log
\ No newline at end of file
diff --git a/contrib/ipfilter/perl/plog b/contrib/ipfilter/perl/plog
deleted file mode 100644
index 208c6ea..0000000
--- a/contrib/ipfilter/perl/plog
+++ /dev/null
@@ -1,1061 +0,0 @@
-#!/usr/bin/perl -wT
-#
-# Author: Jefferson Ogata (JO317) <jogata@pobox.com>
-# Date: 2000/04/22
-# Version: 0.10
-#
-# Please feel free to use or redistribute this program if you find it useful.
-# If you have suggestions, or even better, bits of new code, send them to me
-# and I will add them when I have time. The current version of this script
-# can always be found at the URL:
-#
-# http://www.antibozo.net/ogata/webtools/plog.pl
-# http://pobox.com/~ogata/webtools/plog.txt
-#
-# Parse ipmon output into a coherent form. This program only handles the
-# lines regarding filter actions. It does not parse nat and state lines.
-#
-# Present lines from ipmon to this program on standard input.
-#
-# EXAMPLES
-#
-# plog -AF block,log < /var/log/ipf
-#
-# Generate source and destination reports of all packets logged with
-# block or log actions, and report TCP flags and keep state actions.
-#
-# plog -S -s ./services www.example.com < /var/log/ipf
-#
-# Generate a source report of traffic to or from www.example.com using
-# the additional services defined in ./services.
-#
-# plog -nSA block < /var/log/ipf
-#
-# Generate a source report of all blocked packets with no hostname
-# lookups. This is handy for an initial pass to identify portscans or
-# other aggressive traffic.
-#
-# plog -SFp 192.168.0.0/24 www.example.com/24 < /var/log/ipf
-#
-# Generate a source report of all packets whose source or destination
-# address is either in 192.168.0.0/24 or an address associated with
-# the host www.example.com, report packet flags and perform paranoid
-# hostname lookups. This is a handy usage for examining traffic more
-# closely after identifying a potential attack.
-#
-# TODO
-#
-# - Handle output from ipmon -v.
-# - Handle timestamps from other locales. Anyone with a timestamp problem
-# please email me the format of your timestamps.
-# - It looks as though short TCP or UDP packets will break things, but I
-# haven't seen any yet.
-#
-# CHANGES
-#
-# 2000/04/22 (0.10):
-# - Restructured host name and address caches. Hosts are now cached using
-# packed addresses as keys. Conversion to IPv6 should be simple now.
-# - Added paranoid hostname lookups.
-# - Added netmask qualifications for address arguments.
-# - Tweaked usage info.
-# 2000/04/20:
-# - Added parsing and tracking of TCP and state flags.
-# 2000/04/12 (0.9):
-# - Wasn't handling underscore in hostname,servicename fields; these may be
-# logged using ipmon -n. Observation by <ark@eltex.ru>.
-# - Hadn't properly attributed observation and fix for repetition counter in
-# 0.8 change log. Added John Ladwig to attribution. Thanks, John.
-#
-# 2000/04/10 (0.8):
-# - Service names can also have hyphens, dummy. I wasn't allowing these
-# either. Observation and fix thanks to Taso N. Devetzis
-# <devetzis@snet.net>.
-# - IP Filter now logs a repetition counter. Observation and fixes (changed
-# slightly) from Andy Kreiling <Andy@ntcs-inc.com> and John Ladwig
-# <jladwig@nts.umn.edu>.
-# - Added fix to handle new Solaris log format, e.g.:
-# Nov 30 04:49:37 raoul ipmon[121]: [ID 702911 local0.warning] 04:49:36.420541 hme0 @0:34 b 205.152.16.6,58596 -> 204.60.220.24,113 PR tcp len 20 44
-# Fix thanks to Taso N. Devetzis <devetzis@SNET.Net>.
-# - Added services map option.
-# - Added options for generating only source/destination tables.
-# - Added verbosity option.
-# - Added option for reporting traffic for specific hosts.
-# - Added some more ICMP unreachable codes, and made code and type names
-# match the ones in IP Filter parse.c.
-# - Condensed output format somewhat.
-# - Various minor improvements, perhaps slight speed improvements.
-# - Documented new options in usage() and tried to improve wording.
-#
-# 1999/08/02 (0.7):
-# - Hostnames can have hyphens, dummy. I wasn't allowing them in the syslog
-# line. Fix from Antoine Verheijen <antoine.verheijen@ualberta.ca>.
-#
-# 1999/05/05 (0.6):
-# - IRIX syslog prefixes the hostname with a severity code. Handle it. Fix
-# from John Ladwig <jladwig@nts.umn.edu>.
-#
-# 1999/05/05 (0.5):
-# - Protocols other than TCP, UDP, or ICMP have packet lengths reported in
-# parentheses for some reason. The script now handles this. Thanks to
-# Dispatcher <dispatch@blackhelicopters.org>.
-# - I had mixed up info-request and info-reply ICMP codes, and omitted the
-# traceroute code. Sorted this out. I had also missed code 0 for type 6
-# (alternate address for host). Thanks to John Ladwig <jladwig@nts.umn.edu>.
-#
-# 1999/05/03:
-# - Now accepts hostnames in the source and destination address fields, as
-# well as port names in the port fields. This allows the people who are
-# using ipmon -n to still use plog. Note that if you are logging
-# hostnames, you are vulnerable to forgery of DNS information, modified
-# DNS information, and your log files will be larger also. If you are
-# using this program you can have it look up the names for you (still
-# vulnerable to forgery) and keep your logged addresses all in numeric
-# format, so that packets from the same source will always show the same
-# source address regardless of what's up with DNS. Obviously, I don't
-# favor using ipmon -n. Nevertheless, some people wanted this, so here it
-# is.
-# - Added S and n flags to %acts hash. Thanks to Stephen J. Roznowski
-# <sjr@home.net>.
-# - Stopped reporting host IPs twice when numeric output was requested.
-# Thanks, yet again, to Stephen J. Roznowski <sjr@home.net>.
-# - Number of minor tweaks that might speed it up a bit, and some comments.
-# - Put the script back up on the web site. I had moved the site and
-# forgotten to move the tool.
-#
-# 1999/02/04:
-# - Changed log line parser to accept fully-qualified name in the logging
-# host field. Thanks to Stephen J. Roznowski <sjr@home.net>.
-#
-# 1999/01/22:
-# - Changed high port strategy to use 65536 for unknown high ports so that
-# they are sorted last.
-#
-# 1999/01/21:
-# - Moved icmp parsing to output loop.
-# - Added parsing of icmp codes, and more types.
-# - Changed packet sort routine to sort by port number rather than service
-# name.
-#
-# 1999/01/20:
-# - Fixed problem matching ipmon log lines. Sometimes they have "/ipmon" in
-# them, sometimes just "ipmon".
-# - Added numeric parse option to turn off hostname lookups.
-# - Moved summary to usage() sub.
-
-use strict;
-use Socket;
-use IO::File;
-
-select STDOUT; $| = 1;
-
-my %hosts;
-
-my $me = $0;
-$me =~ s/^.*\///;
-
-# Map of log codes for various actions. Not all of these can occur, but
-# I've included everything in print_ipflog() from ipmon.c.
-my %acts = (
- 'p' => 'pass',
- 'P' => 'pass',
- 'b' => 'block',
- 'B' => 'block',
- 'L' => 'log',
- 'S' => 'short',
- 'n' => 'nomatch',
-);
-
-# Map of ICMP types and their relevant codes.
-my %icmpTypeMap = (
- 0 => +{
- name => 'echorep',
- codes => +{0 => undef},
- },
- 3 => +{
- name => 'unreach',
- codes => +{
- 0 => 'net-unr',
- 1 => 'host-unr',
- 2 => 'proto-unr',
- 3 => 'port-unr',
- 4 => 'needfrag',
- 5 => 'srcfail',
- 6 => 'net-unk',
- 7 => 'host-unk',
- 8 => 'isolate',
- 9 => 'net-prohib',
- 10 => 'host-prohib',
- 11 => 'net-tos',
- 12 => 'host-tos',
- 13 => 'filter-prohib',
- 14 => 'host-preced',
- 15 => 'preced-cutoff',
- },
- },
- 4 => +{
- name => 'squench',
- codes => +{0 => undef},
- },
- 5 => +{
- name => 'redir',
- codes => +{
- 0 => 'net',
- 1 => 'host',
- 2 => 'tos',
- 3 => 'tos-host',
- },
- },
- 6 => +{
- name => 'alt-host-addr',
- codes => +{
- 0 => 'alt-addr'
- },
- },
- 8 => +{
- name => 'echo',
- codes => +{0 => undef},
- },
- 9 => +{
- name => 'routerad',
- codes => +{0 => undef},
- },
- 10 => +{
- name => 'routersol',
- codes => +{0 => undef},
- },
- 11 => +{
- name => 'timex',
- codes => +{
- 0 => 'in-transit',
- 1 => 'frag-assy',
- },
- },
- 12 => +{
- name => 'paramprob',
- codes => +{
- 0 => 'ptr-err',
- 1 => 'miss-opt',
- 2 => 'bad-len',
- },
- },
- 13 => +{
- name => 'timest',
- codes => +{0 => undef},
- },
- 14 => +{
- name => 'timestrep',
- codes => +{0 => undef},
- },
- 15 => +{
- name => 'inforeq',
- codes => +{0 => undef},
- },
- 16 => +{
- name => 'inforep',
- codes => +{0 => undef},
- },
- 17 => +{
- name => 'maskreq',
- codes => +{0 => undef},
- },
- 18 => +{
- name => 'maskrep',
- codes => +{0 => undef},
- },
- 30 => +{
- name => 'tracert',
- codes => +{ },
- },
- 31 => +{
- name => 'dgram-conv-err',
- codes => +{ },
- },
- 32 => +{
- name => 'mbl-host-redir',
- codes => +{ },
- },
- 33 => +{
- name => 'ipv6-whereru?',
- codes => +{ },
- },
- 34 => +{
- name => 'ipv6-iamhere',
- codes => +{ },
- },
- 35 => +{
- name => 'mbl-reg-req',
- codes => +{ },
- },
- 36 => +{
- name => 'mbl-reg-rep',
- codes => +{ },
- },
-);
-
-# Arguments we will parse from argument list.
-my $numeric = 0; # Don't lookup hostnames.
-my $paranoid = 0; # Do paranoid hostname lookups.
-my $verbosity = 0; # Bla' bla' bla'.
-my $sTable = 0; # Generate source table.
-my $dTable = 0; # Generate destination table.
-my @services = (); # Preload services tables.
-my $showFlags = 0; # Show TCP flag combinations.
-my %selectAddrs; # Limit report to these hosts.
-my %selectActs; # Limit report to these actions.
-
-# Parse argument list.
-while (defined ($_ = shift))
-{
- if (s/^-//)
- {
- while (s/^([vnpSD\?hsAF])//)
- {
- my $flag = $1;
- if ($flag eq 'v')
- {
- ++$verbosity;
- }
- elsif ($flag eq 'n')
- {
- $numeric = 1;
- }
- elsif ($flag eq 'p')
- {
- $paranoid = 1;
- }
- elsif ($flag eq 'S')
- {
- $sTable = 1;
- }
- elsif ($flag eq 'D')
- {
- $dTable = 1;
- }
- elsif ($flag eq 'F')
- {
- $showFlags = 1;
- }
- elsif (($flag eq '?') || ($flag eq 'h'))
- {
- &usage (0);
- }
- else
- {
- my $arg = shift;
- defined ($arg) || &usage (1, qq{-$flag requires an argument});
- if ($flag eq 's')
- {
- push (@services, $arg);
- }
- elsif ($flag eq 'A')
- {
- my @acts = split (/,/, $arg);
- my $a;
- foreach $a (@acts)
- {
- my $aa;
- my $match = 0;
- foreach $aa (keys (%acts))
- {
- if ($acts{$aa} eq $a)
- {
- ++$match;
- $selectActs{$aa} = $a;
- }
- }
- $match || &usage (1, qq{unknown action $a});
- }
- }
- }
- }
-
- &usage (1, qq{unknown option: -$_}) if (length);
-
- next;
- }
-
- # Add host to hash of hosts we're interested in.
- (/^(.+)\/([\d+\.]+)$/) || (/^(.+)$/) || &usage (1, qq{invalid CIDR address $_});
- my ($addr, $mask) = ($1, $2);
- my @addr = &hostAddrs ($addr);
- (scalar (@addr)) || &usage (1, qq{cannot resolve hostname $_});
- if (!defined ($mask))
- {
- $mask = (2 ** 32) - 1;
- }
- elsif (($mask =~ /^\d+$/) && ($mask <= 32))
- {
- $mask = (2 ** 32) - 1 - ((2 ** (32 - $mask)) - 1);
- }
- elsif (defined ($mask = &isDottedAddr ($mask)))
- {
- $mask = &integerAddr ($mask);
- }
- else
- {
- &usage (1, qq{invalid CIDR address $_});
- }
- foreach $addr (@addr)
- {
- # Save mask unless we already have a less specific one for this address.
- my $a = &integerAddr ($addr) & $mask;
- $selectAddrs{$a} = $mask unless (exists ($selectAddrs{$a}) && ($selectAddrs{$a} < $mask));
- }
-}
-
-# Which tables will we generate?
-$dTable = $sTable = 1 unless ($dTable || $sTable);
-my @dirs;
-push (@dirs, 'd') if ($dTable);
-push (@dirs, 's') if ($sTable);
-
-# Are we interested in specific hosts?
-my $selectAddrs = scalar (keys (%selectAddrs));
-
-# Are we interested in specific actions?
-if (scalar (keys (%selectActs)) == 0)
-{
- %selectActs = %acts;
-}
-
-# We use this hash to cache port name -> number and number -> name mappings.
-# Isn't it cool that we can use the same hash for both?
-my %pn;
-
-# Preload any services maps.
-my $sm;
-foreach $sm (@services)
-{
- my $sf = new IO::File ($sm, "r");
- defined ($sf) || &quit (1, qq{cannot open services file $sm});
-
- while (defined ($_ = $sf->getline ()))
- {
- my $text = $_;
- chomp;
- s/#.*$//;
- s/\s+$//;
- next unless (length);
- my ($name, $spec, @aliases) = split (/\s+/);
- ($spec =~ /^([\w\-]+)\/([\w\-]+)$/)
- || &quit (1, qq{$sm:$.: invalid definition: $text});
- my ($pnum, $proto) = ($1, $2);
-
- # Enter service definition in pn hash both forwards and backwards.
- my $port;
- my $pname;
- foreach $port ($name, @aliases)
- {
- $pname = "$pnum/$proto";
- $pn{$pname} = $port;
- }
- $pname = "$name/$proto";
- $pn{$pname} = $pnum;
- }
-
- $sf->close ();
-}
-
-# Cache for host name -> addr mappings.
-my %ipAddr;
-
-# Cache for host addr -> name mappings.
-my %ipName;
-
-# Hash for protocol number <--> name mappings.
-my %pr;
-
-# Under IPv4 port numbers are unsigned shorts. The value below is higher
-# than the maximum value of an unsigned short, and is used in place of
-# high port numbers that don't correspond to known services. This makes
-# high ports get sorted behind all others.
-my $highPort = 0x10000;
-
-while (<STDIN>)
-{
- chomp;
-
- # For ipmon output that came through syslog, we'll have an asctime
- # timestamp, an optional severity code (IRIX), the hostname,
- # "ipmon"[process id]: prefixed to the line. For output that was
- # written directly to a file by ipmon, we'll have a date prefix as
- # dd/mm/yyyy (no y2k problem here!). Both formats then have a packet
- # timestamp and the log info.
- my ($log);
- if (s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+(?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//)
- {
- $log = $_;
- }
- elsif (s/^(?:\d+\/\d+\/\d+)\s+(?:\d+:\d+:\d+\.\d+)\s+//)
- {
- $log = $_;
- }
- else
- {
- # It don't look like no ipmon output to me, baby.
- next;
- }
- next unless (defined ($log));
-
- print STDERR "$log\n" if ($verbosity);
-
- # Parse the log line. We're expecting interface name, rule group and
- # number, an action code, a source host name or IP with possible port
- # name or number, a destination host name or IP with possible port
- # number, "PR", a protocol name or number, "len", a header length, a
- # packet length (which will be in parentheses for protocols other than
- # TCP, UDP, or ICMP), and maybe some additional info.
- my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\.,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/ox);
- unless (scalar (@fields))
- {
- print STDERR "$me:$.: cannot parse: $_\n";
- next;
- }
- my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) = @fields;
-
- # Skip actions we're not interested in.
- next unless (exists ($selectActs{$act}));
-
- # Packet count defaults to 1.
- $count = 1 unless (defined ($count));
-
- my ($sport, $dport, @flags);
-
- if ($proto eq 'icmp')
- {
- if ($more =~ s/^icmp (\d+)\/(\d+)\s*//)
- {
- # We save icmp type and code in both sport and dport. This
- # allows us to sort icmp packets using the normal port-sorting
- # code.
- $dport = $sport = "$1.$2";
- }
- else
- {
- $sport = '';
- $dport = '';
- }
- }
- else
- {
- if ($showFlags)
- {
- if (($proto eq 'tcp') && ($more =~ s/^\-([A-Z]+)\s*//))
- {
- push (@flags, $1);
- }
- if ($more =~ s/^K\-S\s*//)
- {
- push (@flags, 'state');
- }
- }
- if ($src =~ s/,([\-\w]+)$//)
- {
- $sport = &portSimplify ($1, $proto);
- }
- else
- {
- $sport = '';
- }
- if ($dest =~ s/,([\-\w]+)$//)
- {
- $dport = &portSimplify ($1, $proto);
- }
- else
- {
- $dport = '';
- }
- }
-
- # Make sure addresses are numeric at this point. We want to sort by
- # IP address later. If the hostname doesn't resolve, punt. If you
- # must use ipmon -n, be ready for weirdness. Use only the first
- # address returned.
- my $x;
- $x = (&hostAddrs ($src))[0];
- unless (defined ($x))
- {
- print STDERR "$me:$.: cannot resolve hostname $src\n";
- next;
- }
- $src = $x;
- $x = (&hostAddrs ($dest))[0];
- unless (defined ($x))
- {
- print STDERR "$me:$.: cannot resolve hostname $dest\n";
- next;
- }
- $dest = $x;
-
- # Skip hosts we're not interested in.
- if ($selectAddrs)
- {
- my ($a, $m);
- my $s = &integerAddr ($src);
- my $d = &integerAddr ($dest);
- my $cute = 0;
- while (($a, $m) = each (%selectAddrs))
- {
- if ((($s & $m) == $a) || (($d & $m) == $a))
- {
- $cute = 1;
- last;
- }
- }
- next unless ($cute);
- }
-
- # Convert proto to proto number.
- $proto = &protoNumber ($proto);
-
- sub countPacket
- {
- my ($host, $dir, $peer, $proto, $count, $packet, @flags) = @_;
-
- # Make sure host is in the hosts hash.
- $hosts{$host} =
- +{
- 'd' => +{ },
- 's' => +{ },
- } unless (exists ($hosts{$host}));
-
- # Get the source/destination traffic hash for the host in question.
- my $trafficHash = $hosts{$host}->{$dir};
-
- # Make sure there's a hash for the peer.
- $trafficHash->{$peer} = +{ } unless (exists ($trafficHash->{$peer}));
-
- # Make sure the peer hash has a hash for the protocol number.
- my $peerHash = $trafficHash->{$peer};
- $peerHash->{$proto} = +{ } unless (exists ($peerHash->{$proto}));
-
- # Make sure there's a counter for this packet type in the proto hash.
- my $protoHash = $peerHash->{$proto};
- $protoHash->{$packet} = +{ '' => 0 } unless (exists ($protoHash->{$packet}));
-
- # Increment the counter and mark flags.
- my $packetHash = $protoHash->{$packet};
- $packetHash->{''} += $count;
- map { $packetHash->{$_} = undef; } (@flags);
- }
-
- # Count the packet as outgoing traffic from the source address.
- &countPacket ($src, 's', $dest, $proto, $count, "$sport:$dport:$if:$act", @flags) if ($sTable);
-
- # Count the packet as incoming traffic to the destination address.
- &countPacket ($dest, 'd', $src, $proto, $count, "$dport:$sport:$if:$act", @flags) if ($dTable);
-}
-
-my $dir;
-foreach $dir (@dirs)
-{
- my $order = ($dir eq 's' ? 'source' : 'destination');
- my $arrow = ($dir eq 's' ? '->' : '<-');
-
- print "###\n";
- print "### Traffic by $order address:\n";
- print "###\n";
-
- sub ipSort
- {
- &integerAddr ($a) <=> &integerAddr ($b);
- }
-
- sub packetSort
- {
- my ($asport, $adport, $aif, $aact) = split (/:/, $a);
- my ($bsport, $bdport, $bif, $bact) = split (/:/, $b);
- $bact cmp $aact || $aif cmp $bif || $asport <=> $bsport || $adport <=> $bdport;
- }
-
- my $host;
- foreach $host (sort ipSort (keys %hosts))
- {
- my $traffic = $hosts{$host}->{$dir};
-
- # Skip hosts with no traffic.
- next unless (scalar (keys (%{$traffic})));
-
- if ($numeric)
- {
- print &dottedAddr ($host), "\n";
- }
- else
- {
- print &hostName ($host), " \[", &dottedAddr ($host), "\]\n";
- }
-
- my $peer;
- foreach $peer (sort ipSort (keys %{$traffic}))
- {
- my $peerHash = $traffic->{$peer};
- my $peerName = ($numeric ? &dottedAddr ($peer) : &hostName ($peer));
- my $proto;
- foreach $proto (sort (keys (%{$peerHash})))
- {
- my $protoHash = $peerHash->{$proto};
- my $protoName = &protoName ($proto);
-
- my $packet;
- foreach $packet (sort packetSort (keys %{$protoHash}))
- {
- my ($sport, $dport, $if, $act) = split (/:/, $packet);
- my $packetHash = $protoHash->{$packet};
- my $count = $packetHash->{''};
- $act = '?' unless (defined ($act = $acts{$act}));
- if (($protoName eq 'tcp') || ($protoName eq 'udp'))
- {
- printf (" %-6s %7s %4d %4s %16s %2s %s.%s", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName));
- }
- elsif ($protoName eq 'icmp')
- {
- printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName);
- }
- else
- {
- printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, '', $arrow, $peerName);
- }
- if ($showFlags)
- {
- my @flags = sort (keys (%{$packetHash}));
- if (scalar (@flags))
- {
- shift (@flags);
- print ' (', join (',', @flags), ')' if (scalar (@flags));
- }
- }
- print "\n";
- }
- }
- }
- }
-
- print "\n";
-}
-
-exit (0);
-
-# Translates a numeric port/named protocol to a port name. Reserved ports
-# that do not have an entry in the services database are left numeric. High
-# ports that do not have an entry in the services database are mapped
-# to '<high>'.
-sub portName
-{
- my $port = shift;
- my $proto = shift;
- my $pname = "$port/$proto";
- unless (exists ($pn{$pname}))
- {
- my $name = getservbyport ($port, $proto);
- $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '<high>'));
- }
- return $pn{$pname};
-}
-
-# Translates a named port/protocol to a port number.
-sub portNumber
-{
- my $port = shift;
- my $proto = shift;
- my $pname = "$port/$proto";
- unless (exists ($pn{$pname}))
- {
- my $number = getservbyname ($port, $proto);
- unless (defined ($number))
- {
- # I don't think we need to recover from this. How did the port
- # name get into the log file if we can't find it? Log file from
- # a different machine? Fix /etc/services on this one if that's
- # your problem.
- die ("Unrecognized port name \"$port\" at $.");
- }
- $pn{$pname} = $number;
- }
- return $pn{$pname};
-}
-
-# Convert all unrecognized high ports to the same value so they are treated
-# identically. The protocol should be by name.
-sub portSimplify
-{
- my $port = shift;
- my $proto = shift;
-
- # Make sure port is numeric.
- $port = &portNumber ($port, $proto)
- unless ($port =~ /^\d+$/);
-
- # Look up port name.
- my $portName = &portName ($port, $proto);
-
- # Port is an unknown high port. Return a value that is too high for a
- # port number, so that high ports get sorted last.
- return $highPort if ($portName eq '<high>');
-
- # Return original port number.
- return $port;
-}
-
-# Translates a numeric address into a hostname. Pass only packed numeric
-# addresses to this routine.
-sub hostName
-{
- my $ip = shift;
- return $ipName{$ip} if (exists ($ipName{$ip}));
-
- # Do an inverse lookup on the address.
- my $name = gethostbyaddr ($ip, AF_INET);
- unless (defined ($name))
- {
- # Inverse lookup failed, so map the IP address to its dotted
- # representation and cache that.
- $ipName{$ip} = &dottedAddr ($ip);
- return $ipName{$ip};
- }
-
- # For paranoid hostname lookups.
- if ($paranoid)
- {
- # If this address already matches, we're happy.
- unless (exists ($ipName{$ip}) && (lc ($ipName{$ip}) eq lc ($name)))
- {
- # Do a forward lookup on the resulting name.
- my @addr = &hostAddrs ($name);
- my $match = 0;
-
- # Cache the forward lookup results for future inverse lookups,
- # but don't stomp on inverses we've already cached, even if they
- # are questionable. We want to generate consistent output, and
- # the cache is growing incrementally.
- foreach (@addr)
- {
- $ipName{$_} = $name unless (exists ($ipName{$_}));
- $match = 1 if ($_ eq $ip);
- }
-
- # Was this one of the addresses? If not, tack on a ?.
- $name .= '?' unless ($match);
- }
- }
- else
- {
- # Just believe it and cache it.
- $ipName{$ip} = $name;
- }
-
- return $name;
-}
-
-# Translates a hostname or dotted address into a list of packed numeric
-# addresses.
-sub hostAddrs
-{
- my $name = shift;
- my $ip;
-
- # Check if it's a dotted representation.
- return ($ip) if (defined ($ip = &isDottedAddr ($name)));
-
- # Return result from cache.
- $name = lc ($name);
- return @{$ipAddr{$name}} if (exists ($ipAddr{$name}));
-
- # Look up the addresses.
- my @addr = gethostbyname ($name);
- splice (@addr, 0, 4);
-
- unless (scalar (@addr))
- {
- # Again, I don't think we need to recover from this gracefully.
- # If we can't resolve a hostname that ended up in the log file,
- # punt. We want to be able to sort hosts by IP address later,
- # and letting hostnames through will snarl up that code. Users
- # of ipmon -n will have to grin and bear it for now. The
- # functions that get undef back should treat it as an error or
- # as some default address, e.g. 0 just to make things work.
- return ();
- }
-
- $ipAddr{$name} = [ @addr ];
- return @{$ipAddr{$name}};
-}
-
-# If the argument is a valid dotted address, returns the corresponding
-# packed numeric address, otherwise returns undef.
-sub isDottedAddr
-{
- my $addr = shift;
- if ($addr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
- {
- my @a = (int ($1), int ($2), int ($3), int ($4));
- foreach (@a)
- {
- return undef if ($_ >= 256);
- }
- return pack ('C*', @a);
- }
- return undef;
-}
-
-# Unpacks a packed numeric address and returns an integer representation.
-sub integerAddr
-{
- my $addr = shift;
- return unpack ('N', $addr);
-
- # The following is for generalized IPv4/IPv6 stuff. For now, it's a
- # lot faster to assume IPv4.
- my @a = unpack ('C*', $addr);
- my $a = 0;
- while (scalar (@a))
- {
- $a = ($a << 8) | shift (@a);
- }
- return $a;
-}
-
-# Unpacks a packed numeric address into a dotted representation.
-sub dottedAddr
-{
- my $addr = shift;
- my @a = unpack ('C*', $addr);
- return join ('.', @a);
-}
-
-# Translates a protocol number into a protocol name, or a number if no name
-# is found in the protocol database.
-sub protoName
-{
- my $code = shift;
- return $code if ($code !~ /^\d+$/);
- unless (exists ($pr{$code}))
- {
- my $name = scalar (getprotobynumber ($code));
- if (defined ($name))
- {
- $pr{$code} = $name;
- }
- else
- {
- $pr{$code} = $code;
- }
- }
- return $pr{$code};
-}
-
-# Translates a protocol name or number into a protocol number.
-sub protoNumber
-{
- my $name = shift;
- return $name if ($name =~ /^\d+$/);
- unless (exists ($pr{$name}))
- {
- my $code = scalar (getprotobyname ($name));
- if (defined ($code))
- {
- $pr{$name} = $code;
- }
- else
- {
- $pr{$name} = $name;
- }
- }
- return $pr{$name};
-}
-
-sub icmpType
-{
- my $typeCode = shift;
- my ($type, $code) = split ('\.', $typeCode);
-
- return "?" unless (defined ($code));
-
- my $info = $icmpTypeMap{$type};
-
- return "\(type=$type/$code?\)" unless (defined ($info));
-
- my $typeName = $info->{name};
- my $codeName;
- if (exists ($info->{codes}->{$code}))
- {
- $codeName = $info->{codes}->{$code};
- $codeName = (defined ($codeName) ? "/$codeName" : '');
- }
- else
- {
- $codeName = "/$code";
- }
- return "$typeName$codeName";
-}
-
-sub quit
-{
- my $ec = shift;
- my $msg = shift;
-
- print STDERR "$me: $msg\n";
- exit ($ec);
-}
-
-sub usage
-{
- my $ec = shift;
- my @msg = @_;
-
- if (scalar (@msg))
- {
- print STDERR "$me: ", join ("\n", @msg), "\n\n";
- }
-
- print <<EOT;
-usage: $me [-nSDF] [-s servicemap] [-A act1,...] [address...]
-
-Parses logging from ipmon and presents it in a comprehensible format. This
-program generates two reports: one organized by source address and another
-organized by destination address. For the first report, source addresses are
-sorted by IP address. For each address, all packets originating at the address
-are presented in a tabular form, where all packets with the same source and
-destination address and port are counted as a single entry. Any port number
-greater than 1023 that does not match an entry in the services table is treated
-as a "high" port; all high ports are coalesced into the same entry. The fields
-for the source address report are:
- iface action packet-count proto src-port dest-host.dest-port \[\(flags\)\]
-The fields for the destination address report are:
- iface action packet-count proto dest-port src-host.src-port \[\(flags\)\]
-
-Options are:
--n Disable hostname lookups, and report only IP addresses.
--p Perform paranoid hostname lookups.
--S Generate a source address report.
--D Generate a destination address report.
--F Show all flag combinations associated with packets.
--s map Supply an alternate services map to be preloaded. The map should
- be in the same format as /etc/services. Any service name not found
- in the map will be looked for in the system services file.
--A act1,... Limit the report to the specified actions. The possible actions
- are pass, block, log, short, and nomatch.
-
-If any addresses are supplied on the command line, the report is limited to
-these hosts. Addresses may be given as dotted IP addresses or hostnames, and
-may be qualified with netmasks in CIDR \(/24\) or dotted \(/255.255.255.0\) format.
-If a hostname resolves to multiple addresses, all addresses are used.
-
-If neither -S nor -D is given, both reports are generated.
-
-Note: if you are logging traffic with ipmon -n, ipmon will already have looked
-up and logged addresses as hostnames where possible. This has an important side
-effect: this program will translate the hostnames back into IP addresses which
-may not match the original addresses of the logged packets because of numerous
-DNS issues. If you care about where packets are really coming from, you simply
-cannot rely on ipmon -n. An attacker with control of his reverse DNS can map
-the reverse lookup to anything he likes. If you haven't logged the numeric IP
-address, there's no way to discover the source of an attack reliably. For this
-reason, I strongly recommend that you run ipmon without the -n option, and use
-this or a similar script to do reverse lookups during analysis, rather than
-during logging.
-EOT
-
- exit ($ec);
-}
-
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
deleted file mode 100644
index 5a12b32..0000000
--- a/contrib/ipfilter/printnat.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipf.h"
-#include "kmem.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.15 2003/03/22 15:31:49 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-#ifdef USE_INET6
-extern int use_inet6;
-#endif
-
-extern char thishost[MAXHOSTNAMELEN];
-
-extern int countbits __P((u_32_t));
-
-void printnat __P((ipnat_t *, int));
-char *getnattype __P((ipnat_t *));
-void printactivenat __P((nat_t *, int));
-void printhostmap __P((hostmap_t *, u_int));
-char *getsumd __P((u_32_t));
-
-static void printaps __P((ap_session_t *, int));
-
-static void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
-{
- ipsec_pxy_t ipsec;
- ap_session_t ap;
- ftpinfo_t ftp;
- aproxy_t apr;
- raudio_t ra;
-
- if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
- return;
- if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
- return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
- apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
- (unsigned long long)ap.aps_pkts);
-#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
- printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
- ap.aps_state[0], ap.aps_state[1],
- ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
- }
-
- if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
- if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
- return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
- ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
- ra.rap_plport, ra.rap_prport, ra.rap_srport);
- } else if (!strcmp(apr.apr_label, "ftp") &&
- (ap.aps_psiz == sizeof(ftp))) {
- if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
- return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
- ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
- ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
- ftp.ftp_side[0].ftps_seq[1],
- ftp.ftp_side[0].ftps_seq[0],
- ftp.ftp_side[0].ftps_len,
- ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\tseq %08x%08x len %d junk %d cmds %d\n",
- ftp.ftp_side[1].ftps_seq[1],
- ftp.ftp_side[1].ftps_seq[0],
- ftp.ftp_side[1].ftps_len,
- ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
- } else if (!strcmp(apr.apr_label, "ipsec") &&
- (ap.aps_psiz == sizeof(ipsec))) {
- if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
- return;
- printf("\tIPSec Proxy:\n");
- printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
- (u_int)ntohl(ipsec.ipsc_icookie[0]),
- (u_int)ntohl(ipsec.ipsc_icookie[1]),
- (u_int)ntohl(ipsec.ipsc_rcookie[0]),
- (u_int)ntohl(ipsec.ipsc_rcookie[1]),
- ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
- }
-}
-
-
-/*
- * Get a nat filter type given its kernel address.
- */
-char *getnattype(ipnat)
-ipnat_t *ipnat;
-{
- static char unknownbuf[20];
- ipnat_t ipnatbuff;
- char *which;
-
- if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
- sizeof(ipnatbuff))))
- return "???";
-
- switch (ipnatbuff.in_redir)
- {
- case NAT_MAP :
- which = "MAP";
- break;
- case NAT_MAPBLK :
- which = "MAP-BLOCK";
- break;
- case NAT_REDIRECT :
- which = "RDR";
- break;
- case NAT_BIMAP :
- which = "BIMAP";
- break;
- default :
- sprintf(unknownbuf, "unknown(%04x)",
- ipnatbuff.in_redir & 0xffffffff);
- which = unknownbuf;
- break;
- }
- return which;
-}
-
-
-void printactivenat(nat, opts)
-nat_t *nat;
-int opts;
-{
- u_int hv1, hv2;
-
- printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_inport));
-
- printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
-
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %-5hu", ntohs(nat->nat_outport));
-
- printf(" [%s", inet_ntoa(nat->nat_oip));
- if ((nat->nat_flags & IPN_TCPUDP) != 0)
- printf(" %hu", ntohs(nat->nat_oport));
- printf("]");
-
- if (opts & OPT_VERBOSE) {
- printf("\n\tage %lu use %hu sumd %s/",
- nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0]));
- hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- 0xffffffff),
- hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
- NAT_TABLE_SZ),
- hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- 0xffffffff),
- hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
- NAT_TABLE_SZ),
- printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
- getsumd(nat->nat_sumd[1]), nat->nat_p,
- hv1, hv2, nat->nat_flags,
- nat->nat_drop[0], nat->nat_drop[1]);
- printf("\tifp %s ", getifname(nat->nat_ifp));
-#ifdef USE_QUAD_T
- printf("bytes %qu pkts %qu",
- (unsigned long long)nat->nat_bytes,
- (unsigned long long)nat->nat_pkts);
-#else
- printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts);
-#endif
-#if SOLARIS
- printf(" %lx", nat->nat_ipsumd);
-#endif
- }
-
- putchar('\n');
- if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
-}
-
-
-void printhostmap(hmp, hv)
-hostmap_t *hmp;
-u_int hv;
-{
- printf("%s -> ", inet_ntoa(hmp->hm_realip));
- printf("%s ", inet_ntoa(hmp->hm_mapip));
- printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
-}
-
-
-char *getsumd(sum)
-u_32_t sum;
-{
- static char sumdbuf[17];
-
- if (sum & NAT_HW_CKSUM)
- sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
- else
- sprintf(sumdbuf, "%#0x", sum);
- return sumdbuf;
-}
-
-
-/*
- * Print out a NAT rule
- */
-void printnat(np, opts)
-ipnat_t *np;
-int opts;
-{
- struct protoent *pr;
- struct servent *sv;
- int bits;
-
- pr = getprotobynumber(np->in_p);
-
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr");
- break;
- case NAT_MAP :
- printf("map");
- break;
- case NAT_MAPBLK :
- printf("map-block");
- break;
- case NAT_BIMAP :
- printf("bimap");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
- }
-
- printf(" %s ", np->in_ifname);
-
- if (np->in_flags & IPN_FILTER) {
- if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- }
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
-
- if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- }
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- }
-
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("/%d ", bits);
- else
- printf("/%s ", inet_ntoa(np->in_out[1]));
- printf("port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("- %d", ntohs(np->in_pmax));
- }
- printf(" -> %s", inet_ntoa(np->in_in[0]));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1]));
- printf(" port %d", ntohs(np->in_pnext));
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if ((np->in_flags & IPN_TCP) == IPN_TCP)
- printf(" tcp");
- else if ((np->in_flags & IPN_UDP) == IPN_UDP)
- printf(" udp");
- else if (np->in_p == 0)
- printf(" ip");
- else if (np->in_p != 0) {
- if (pr != NULL)
- printf(" %s", pr->p_name);
- else
- printf(" %d", np->in_p);
- }
- if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0])
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- if (np->in_mssclamp)
- printf(" mssclamp %u", np->in_mssclamp);
- printf("\n");
- if (opts & OPT_DEBUG)
- printf("\tspc %lu flg %#x max %u use %d\n",
- np->in_space, np->in_flags,
- np->in_pmax, np->in_use);
- } else {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0]));
- bits = countbits(np->in_in[1].s_addr);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1]));
- }
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0]));
- printf("%s", inet_ntoa(np->in_out[1]));
- } else {
- printf("%s/", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("%d", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1]));
- }
- if (*np->in_plabel) {
- printf(" proxy port");
- if (np->in_dcmp != 0)
- np->in_dport = htons(np->in_dport);
- if (np->in_dport != 0) {
- if (pr != NULL)
- sv = getservbyport(np->in_dport,
- pr->p_name);
- else
- sv = getservbyport(np->in_dport, NULL);
- if (sv != NULL)
- printf(" %s", sv->s_name);
- else
- printf(" %hu", ntohs(np->in_dport));
- }
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if (pr != NULL)
- fputs(pr->p_name, stdout);
- else
- printf("%d", np->in_p);
- } else if (np->in_redir == NAT_MAPBLK) {
- if ((np->in_pmin == 0) &&
- (np->in_flags & IPN_AUTOPORTMAP))
- printf(" ports auto");
- else
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_DEBUG)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
- printf(" portmap");
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
- if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
- if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
- np->in_ippip, np->in_ppip);
- } else {
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- }
- if (np->in_flags & IPN_FRAG)
- printf(" frag");
- if (np->in_age[0])
- printf(" age %d/%d", np->in_age[0], np->in_age[1]);
- printf("\n");
- if (opts & OPT_DEBUG) {
- struct in_addr nip;
-
- nip.s_addr = htonl(np->in_nextip.s_addr);
-
- printf("\tspace %lu nextip %s pnext %d", np->in_space,
- inet_ntoa(nip), np->in_pnext);
- printf(" flags %x use %u\n",
- np->in_flags, np->in_use);
- }
- }
-}
diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c
deleted file mode 100644
index 624493b..0000000
--- a/contrib/ipfilter/printstate.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <stdio.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include "kmem.h"
-#include "netinet/ip_compat.h"
-#include "ipf.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-
-ipstate_t *printstate(sp, opts)
-ipstate_t *sp;
-int opts;
-{
- ipstate_t ips;
-
- if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
- return NULL;
-
- PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
- PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
- hostname(ips.is_v, &ips.is_dst.in4),
- ips.is_age, ips.is_pass, ips.is_p,
- ips.is_state[0], ips.is_state[1]);
-#ifdef USE_QUAD_T
- PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts,
- (unsigned long long) ips.is_bytes);
-#else
- PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
-#endif
- if (ips.is_p == IPPROTO_TCP) {
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
-(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxsend, ips.is_maxdend);
- PRINTF("\t%u<<%d:%u<<%d",
- ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
- ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#else
- PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxsend, ips.is_maxdend);
- PRINTF("\t%u<<%d:%u<<%d",
- ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
- ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
-#endif
- } else if (ips.is_p == IPPROTO_UDP)
- PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
- ntohs(ips.is_dport));
- else if (ips.is_p == IPPROTO_ICMP
-#ifdef USE_INET6
- || ips.is_p == IPPROTO_ICMPV6
-#endif
- )
- PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id),
- ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type);
-
- PRINTF("\n\t");
-
- /*
- * Print out bits set in the result code for the state being
- * kept as they would for a rule.
- */
- if (ips.is_pass & FR_PASS) {
- PRINTF("pass");
- } else if (ips.is_pass & FR_BLOCK) {
- PRINTF("block");
- switch (ips.is_pass & FR_RETMASK)
- {
- case FR_RETICMP :
- PRINTF(" return-icmp");
- break;
- case FR_FAKEICMP :
- PRINTF(" return-icmp-as-dest");
- break;
- case FR_RETRST :
- PRINTF(" return-rst");
- break;
- default :
- break;
- }
- } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
- PRINTF("log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- } else if (ips.is_pass & FR_ACCOUNT)
- PRINTF("count");
-
- if (ips.is_pass & FR_OUTQUE)
- PRINTF(" out");
- else
- PRINTF(" in");
-
- if ((ips.is_pass & FR_LOG) != 0) {
- PRINTF(" log");
- if (ips.is_pass & FR_LOGBODY)
- PRINTF(" body");
- if (ips.is_pass & FR_LOGFIRST)
- PRINTF(" first");
- if (ips.is_pass & FR_LOGORBLOCK)
- PRINTF(" or-block");
- }
- if (ips.is_pass & FR_QUICK)
- PRINTF(" quick");
- if (ips.is_pass & FR_KEEPFRAG)
- PRINTF(" keep frags");
- /* a given; no? */
- if (ips.is_pass & FR_KEEPSTATE)
- PRINTF(" keep state");
- PRINTF("\tIPv%d", ips.is_v);
- PRINTF("\n");
-
- PRINTF("\tpkt_flags & %x(%x) = %x,\t",
- ips.is_flags & 0xf, ips.is_flags,
- ips.is_flags >> 4);
- PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
- ips.is_opt);
- PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- ips.is_secmsk, ips.is_sec, ips.is_authmsk,
- ips.is_auth);
- PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0]));
- PRINTF(",%s", getifname(ips.is_ifp[1]));
- PRINTF(" out %s", getifname(ips.is_ifp[2]));
- PRINTF(",%s\n", getifname(ips.is_ifp[3]));
-
- return ips.is_next;
-}
diff --git a/contrib/ipfilter/radix.c b/contrib/ipfilter/radix.c
deleted file mode 100644
index f9fc20c..0000000
--- a/contrib/ipfilter/radix.c
+++ /dev/null
@@ -1,1212 +0,0 @@
-/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.c 8.6 (Berkeley) 10/17/95
- */
-
-/*
- * Routines to build and maintain radix trees for routing lookups.
- */
-#if defined(KERNEL) || defined(_KERNEL)
-# undef KERNEL
-# undef _KERNEL
-# define KERNEL 1
-# define _KERNEL 1
-#endif
-#define __SYS_ATOMIC_OPS_H__
-#if !defined(__svr4__) && !defined(__SVR4) && !defined(__osf__) && \
- !defined(__hpux) && !defined(__sgi)
-#include <sys/cdefs.h>
-#endif
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifdef __osf__
-# define CONST
-# define _IPV6_SWTAB_H
-# define _PROTO_NET_H_
-# define _PROTO_IPV6_H
-# include <sys/malloc.h>
-#endif
-
-#include <sys/param.h>
-#ifdef _KERNEL
-#include <sys/systm.h>
-#else
-void panic __P((char *str));
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#endif
-#ifdef __hpux
-#include <syslog.h>
-#else
-#include <sys/syslog.h>
-#endif
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#ifdef SOLARIS2
-# define _RADIX_H_
-#endif
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#ifdef SOLARIS2
-# undef _RADIX_H_
-#endif
-/* END OF INCLUDES */
-#include "radix_ipf.h"
-#ifndef min
-# define min MIN
-#endif
-#ifndef max
-# define max MAX
-#endif
-
-int max_keylen = 16;
-static struct radix_mask *rn_mkfreelist;
-static struct radix_node_head *mask_rnhead;
-static char *addmask_key;
-static u_char normal_chars[] = {0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff};
-static char *rn_zeros = NULL, *rn_ones = NULL;
-
-#define rn_masktop (mask_rnhead->rnh_treetop)
-#undef Bcmp
-#define Bcmp(a, b, l) (l == 0 ? 0 : bcmp((caddr_t)(a), (caddr_t)(b), (u_long)l))
-
-static int rn_satisfies_leaf __P((char *, struct radix_node *, int));
-static int rn_lexobetter __P((void *, void *));
-static struct radix_mask *rn_new_radix_mask __P((struct radix_node *,
- struct radix_mask *));
-static int rn_freenode __P((struct radix_node *, void *));
-#if defined(AIX) && !defined(_KERNEL)
-struct radix_node *rn_match __P((void *, struct radix_node_head *));
-struct radix_node *rn_addmask __P((int, int, void *));
-#define FreeS(x, y) KFREES(x, y)
-#define Bcopy(x, y, z) bcopy(x, y, z)
-#endif
-
-/*
- * The data structure for the keys is a radix tree with one way
- * branching removed. The index rn_b at an internal node n represents a bit
- * position to be tested. The tree is arranged so that all descendants
- * of a node n have keys whose bits all agree up to position rn_b - 1.
- * (We say the index of n is rn_b.)
- *
- * There is at least one descendant which has a one bit at position rn_b,
- * and at least one with a zero there.
- *
- * A route is determined by a pair of key and mask. We require that the
- * bit-wise logical and of the key and mask to be the key.
- * We define the index of a route to associated with the mask to be
- * the first bit number in the mask where 0 occurs (with bit number 0
- * representing the highest order bit).
- *
- * We say a mask is normal if every bit is 0, past the index of the mask.
- * If a node n has a descendant (k, m) with index(m) == index(n) == rn_b,
- * and m is a normal mask, then the route applies to every descendant of n.
- * If the index(m) < rn_b, this implies the trailing last few bits of k
- * before bit b are all 0, (and hence consequently true of every descendant
- * of n), so the route applies to all descendants of the node as well.
- *
- * Similar logic shows that a non-normal mask m such that
- * index(m) <= index(n) could potentially apply to many children of n.
- * Thus, for each non-host route, we attach its mask to a list at an internal
- * node as high in the tree as we can go.
- *
- * The present version of the code makes use of normal routes in short-
- * circuiting an explicit mask and compare operation when testing whether
- * a key satisfies a normal route, and also in remembering the unique leaf
- * that governs a subtree.
- */
-
-struct radix_node *
-rn_search(v_arg, head)
- void *v_arg;
- struct radix_node *head;
-{
- struct radix_node *x;
- caddr_t v;
-
- for (x = head, v = v_arg; x->rn_b >= 0;) {
- if (x->rn_bmask & v[x->rn_off])
- x = x->rn_r;
- else
- x = x->rn_l;
- }
- return (x);
-}
-
-struct radix_node *
-rn_search_m(v_arg, head, m_arg)
- struct radix_node *head;
- void *v_arg, *m_arg;
-{
- struct radix_node *x;
- caddr_t v = v_arg, m = m_arg;
-
- for (x = head; x->rn_b >= 0;) {
- if ((x->rn_bmask & m[x->rn_off]) &&
- (x->rn_bmask & v[x->rn_off]))
- x = x->rn_r;
- else
- x = x->rn_l;
- }
- return x;
-}
-
-int
-rn_refines(m_arg, n_arg)
- void *m_arg, *n_arg;
-{
- caddr_t m = m_arg, n = n_arg;
- caddr_t lim, lim2 = lim = n + *(u_char *)n;
- int longer = (*(u_char *)n++) - (int)(*(u_char *)m++);
- int masks_are_equal = 1;
-
- if (longer > 0)
- lim -= longer;
- while (n < lim) {
- if (*n & ~(*m))
- return 0;
- if (*n++ != *m++)
- masks_are_equal = 0;
- }
- while (n < lim2)
- if (*n++)
- return 0;
- if (masks_are_equal && (longer < 0))
- for (lim2 = m - longer; m < lim2; )
- if (*m++)
- return 1;
- return (!masks_are_equal);
-}
-
-struct radix_node *
-rn_lookup(v_arg, m_arg, head)
- void *v_arg, *m_arg;
- struct radix_node_head *head;
-{
- struct radix_node *x;
- caddr_t netmask = 0;
-
- if (m_arg) {
- if ((x = rn_addmask(m_arg, 1, head->rnh_treetop->rn_off)) == 0)
- return (0);
- netmask = x->rn_key;
- }
- x = rn_match(v_arg, head);
- if (x && netmask) {
- while (x && x->rn_mask != netmask)
- x = x->rn_dupedkey;
- }
- return x;
-}
-
-static int
-rn_satisfies_leaf(trial, leaf, skip)
- char *trial;
- struct radix_node *leaf;
- int skip;
-{
- char *cp = trial, *cp2 = leaf->rn_key, *cp3 = leaf->rn_mask;
- char *cplim;
- int length = min(*(u_char *)cp, *(u_char *)cp2);
-
- if (cp3 == 0)
- cp3 = rn_ones;
- else
- length = min(length, *(u_char *)cp3);
- cplim = cp + length;
- cp3 += skip;
- cp2 += skip;
- for (cp += skip; cp < cplim; cp++, cp2++, cp3++)
- if ((*cp ^ *cp2) & *cp3)
- return 0;
- return 1;
-}
-
-struct radix_node *
-rn_match(v_arg, head)
- void *v_arg;
- struct radix_node_head *head;
-{
- caddr_t v = v_arg;
- struct radix_node *t = head->rnh_treetop, *x;
- caddr_t cp = v, cp2;
- caddr_t cplim;
- struct radix_node *saved_t, *top = t;
- int off = t->rn_off, vlen = *(u_char *)cp, matched_off;
- int test, b, rn_b;
-
- /*
- * Open code rn_search(v, top) to avoid overhead of extra
- * subroutine call.
- */
- for (; t->rn_b >= 0; ) {
- if (t->rn_bmask & cp[t->rn_off])
- t = t->rn_r;
- else
- t = t->rn_l;
- }
- /*
- * See if we match exactly as a host destination
- * or at least learn how many bits match, for normal mask finesse.
- *
- * It doesn't hurt us to limit how many bytes to check
- * to the length of the mask, since if it matches we had a genuine
- * match and the leaf we have is the most specific one anyway;
- * if it didn't match with a shorter length it would fail
- * with a long one. This wins big for class B&C netmasks which
- * are probably the most common case...
- */
- if (t->rn_mask)
- vlen = *(u_char *)t->rn_mask;
- cp += off;
- cp2 = t->rn_key + off;
- cplim = v + vlen;
- for (; cp < cplim; cp++, cp2++)
- if (*cp != *cp2)
- goto on1;
- /*
- * This extra grot is in case we are explicitly asked
- * to look up the default. Ugh!
- */
- if ((t->rn_flags & RNF_ROOT) && t->rn_dupedkey)
- t = t->rn_dupedkey;
- return t;
-on1:
- test = (*cp ^ *cp2) & 0xff; /* find first bit that differs */
- for (b = 7; (test >>= 1) > 0;)
- b--;
- matched_off = cp - v;
- b += matched_off << 3;
- rn_b = -1 - b;
- /*
- * If there is a host route in a duped-key chain, it will be first.
- */
- if ((saved_t = t)->rn_mask == 0)
- t = t->rn_dupedkey;
- for (; t; t = t->rn_dupedkey)
- /*
- * Even if we don't match exactly as a host,
- * we may match if the leaf we wound up at is
- * a route to a net.
- */
- if (t->rn_flags & RNF_NORMAL) {
- if (rn_b <= t->rn_b)
- return t;
- } else if (rn_satisfies_leaf(v, t, matched_off))
- return t;
- t = saved_t;
- /* start searching up the tree */
- do {
- struct radix_mask *m;
- t = t->rn_p;
- m = t->rn_mklist;
- if (m) {
- /*
- * If non-contiguous masks ever become important
- * we can restore the masking and open coding of
- * the search and satisfaction test and put the
- * calculation of "off" back before the "do".
- */
- do {
- if (m->rm_flags & RNF_NORMAL) {
- if (rn_b <= m->rm_b)
- return (m->rm_leaf);
- } else {
- off = min(t->rn_off, matched_off);
- x = rn_search_m(v, t, m->rm_mask);
- while (x && x->rn_mask != m->rm_mask)
- x = x->rn_dupedkey;
- if (x && rn_satisfies_leaf(v, x, off))
- return x;
- }
- m = m->rm_mklist;
- } while (m);
- }
- } while (t != top);
- return 0;
-}
-
-#ifdef RN_DEBUG
-int rn_nodenum;
-struct radix_node *rn_clist;
-int rn_saveinfo;
-int rn_debug = 1;
-#endif
-
-struct radix_node *
-rn_newpair(v, b, nodes)
- void *v;
- int b;
- struct radix_node nodes[2];
-{
- struct radix_node *tt = nodes, *t = tt + 1;
- t->rn_b = b;
- t->rn_bmask = 0x80 >> (b & 7);
- t->rn_l = tt;
- t->rn_off = b >> 3;
- tt->rn_b = -1;
- tt->rn_key = (caddr_t)v;
- tt->rn_p = t;
- tt->rn_flags = t->rn_flags = RNF_ACTIVE;
-#ifdef RN_DEBUG
- tt->rn_info = rn_nodenum++;
- t->rn_info = rn_nodenum++;
- tt->rn_twin = t;
- tt->rn_ybro = rn_clist;
- rn_clist = tt;
-#endif
- return t;
-}
-
-struct radix_node *
-rn_insert(v_arg, head, dupentry, nodes)
- void *v_arg;
- struct radix_node_head *head;
- int *dupentry;
- struct radix_node nodes[2];
-{
- caddr_t v = v_arg;
- struct radix_node *top = head->rnh_treetop;
- int head_off = top->rn_off, vlen = (int)*((u_char *)v);
- struct radix_node *t = rn_search(v_arg, top);
- caddr_t cp = v + head_off;
- int b;
- struct radix_node *tt;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert(%p,%p,%p,%p)\n", v_arg, head, dupentry, nodes);
-#endif
- /*
- * Find first bit at which v and t->rn_key differ
- */
- {
- caddr_t cp2 = t->rn_key + head_off;
- int cmp_res;
- caddr_t cplim = v + vlen;
-
- while (cp < cplim)
- if (*cp2++ != *cp++)
- goto on1;
- *dupentry = 1;
- return t;
-on1:
- *dupentry = 0;
- cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
- for (b = (cp - v) << 3; cmp_res; b--)
- cmp_res >>= 1;
- }
- {
- struct radix_node *p, *x = top;
- cp = v;
- do {
- p = x;
- if (cp[x->rn_off] & x->rn_bmask)
- x = x->rn_r;
- else
- x = x->rn_l;
- } while (b > (unsigned) x->rn_b); /* x->rn_b < b && x->rn_b >= 0 */
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert: Going In:\n"); // traverse(p);
-#endif
- t = rn_newpair(v_arg, b, nodes);
- tt = t->rn_l;
- if ((cp[p->rn_off] & p->rn_bmask) == 0)
- p->rn_l = t;
- else
- p->rn_r = t;
- x->rn_p = t;
- t->rn_p = p; /* frees x, p as temp vars below */
- if ((cp[t->rn_off] & t->rn_bmask) == 0) {
- t->rn_r = x;
- } else {
- t->rn_r = tt;
- t->rn_l = x;
- }
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_insert: Coming Out:\n"); // traverse(p);
-#endif
- }
- return (tt);
-}
-
-struct radix_node *
-rn_addmask(n_arg, search, skip)
- int search, skip;
- void *n_arg;
-{
- caddr_t netmask = (caddr_t)n_arg;
- struct radix_node *x;
- caddr_t cp, cplim;
- int b = 0, mlen, j;
- int maskduplicated, m0, isnormal;
- struct radix_node *saved_x;
- static int last_zeroed = 0;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_addmask(%p,%d,%d)\n", n_arg, search, skip);
-#endif
- mlen = *(u_char *)netmask;
- if ((mlen = *(u_char *)netmask) > max_keylen)
- mlen = max_keylen;
- if (skip == 0)
- skip = 1;
- if (mlen <= skip)
- return (mask_rnhead->rnh_nodes);
- if (skip > 1)
- Bcopy(rn_ones + 1, addmask_key + 1, skip - 1);
- if ((m0 = mlen) > skip)
- Bcopy(netmask + skip, addmask_key + skip, mlen - skip);
- /*
- * Trim trailing zeroes.
- */
- for (cp = addmask_key + mlen; (cp > addmask_key) && cp[-1] == 0;)
- cp--;
- mlen = cp - addmask_key;
- if (mlen <= skip) {
- if (m0 >= last_zeroed)
- last_zeroed = mlen;
- return (mask_rnhead->rnh_nodes);
- }
- if (m0 < last_zeroed)
- Bzero(addmask_key + m0, last_zeroed - m0);
- *addmask_key = last_zeroed = mlen;
- x = rn_search(addmask_key, rn_masktop);
- if (Bcmp(addmask_key, x->rn_key, mlen) != 0)
- x = 0;
- if (x || search)
- return (x);
- R_Malloc(x, struct radix_node *, max_keylen + 2 * sizeof (*x));
- if ((saved_x = x) == 0)
- return (0);
- Bzero(x, max_keylen + 2 * sizeof (*x));
- netmask = cp = (caddr_t)(x + 2);
- Bcopy(addmask_key, cp, mlen);
- x = rn_insert(cp, mask_rnhead, &maskduplicated, x);
- if (maskduplicated) {
-#if 0
- log(LOG_ERR, "rn_addmask: mask impossibly already in tree\n");
-#endif
- Free(saved_x);
- return (x);
- }
- /*
- * Calculate index of mask, and check for normalcy.
- */
- cplim = netmask + mlen;
- isnormal = 1;
- for (cp = netmask + skip; (cp < cplim) && *(u_char *)cp == 0xff;)
- cp++;
- if (cp != cplim) {
- for (j = 0x80; (j & *cp) != 0; j >>= 1)
- b++;
- if (*cp != normal_chars[b] || cp != (cplim - 1))
- isnormal = 0;
- }
- b += (cp - netmask) << 3;
- x->rn_b = -1 - b;
- if (isnormal)
- x->rn_flags |= RNF_NORMAL;
- return (x);
-}
-
-static int /* XXX: arbitrary ordering for non-contiguous masks */
-rn_lexobetter(m_arg, n_arg)
- void *m_arg, *n_arg;
-{
- u_char *mp = m_arg, *np = n_arg, *lim;
-
- if (*mp > *np)
- return 1; /* not really, but need to check longer one first */
- if (*mp == *np)
- for (lim = mp + *mp; mp < lim;)
- if (*mp++ > *np++)
- return 1;
- return 0;
-}
-
-static struct radix_mask *
-rn_new_radix_mask(tt, next)
- struct radix_node *tt;
- struct radix_mask *next;
-{
- struct radix_mask *m;
-
- MKGet(m);
- if (m == 0) {
-#if 0
- log(LOG_ERR, "Mask for route not entered\n");
-#endif
- return (0);
- }
- Bzero(m, sizeof *m);
- m->rm_b = tt->rn_b;
- m->rm_flags = tt->rn_flags;
- if (tt->rn_flags & RNF_NORMAL)
- m->rm_leaf = tt;
- else
- m->rm_mask = tt->rn_mask;
- m->rm_mklist = next;
- tt->rn_mklist = m;
- return m;
-}
-
-struct radix_node *
-rn_addroute(v_arg, n_arg, head, treenodes)
- void *v_arg, *n_arg;
- struct radix_node_head *head;
- struct radix_node treenodes[2];
-{
- caddr_t v = (caddr_t)v_arg, netmask = (caddr_t)n_arg;
- struct radix_node *t, *x = NULL, *tt;
- struct radix_node *saved_tt, *top = head->rnh_treetop;
- short b = 0, b_leaf = 0;
- int keyduplicated;
- caddr_t mmask;
- struct radix_mask *m, **mp;
-
-#ifdef RN_DEBUG
- if (rn_debug)
- log(LOG_DEBUG, "rn_addroute(%p,%p,%p,%p)\n", v_arg, n_arg, head, treenodes);
-#endif
- /*
- * In dealing with non-contiguous masks, there may be
- * many different routes which have the same mask.
- * We will find it useful to have a unique pointer to
- * the mask to speed avoiding duplicate references at
- * nodes and possibly save time in calculating indices.
- */
- if (netmask) {
- if ((x = rn_addmask(netmask, 0, top->rn_off)) == 0)
- return (0);
- b_leaf = x->rn_b;
- b = -1 - x->rn_b;
- netmask = x->rn_key;
- }
- /*
- * Deal with duplicated keys: attach node to previous instance
- */
- saved_tt = tt = rn_insert(v, head, &keyduplicated, treenodes);
- if (keyduplicated) {
- for (t = tt; tt; t = tt, tt = tt->rn_dupedkey) {
- if (tt->rn_mask == netmask)
- return (0);
- if (netmask == 0 ||
- (tt->rn_mask &&
- ((b_leaf < tt->rn_b) || /* index(netmask) > node */
- rn_refines(netmask, tt->rn_mask) ||
- rn_lexobetter(netmask, tt->rn_mask))))
- break;
- }
- /*
- * If the mask is not duplicated, we wouldn't
- * find it among possible duplicate key entries
- * anyway, so the above test doesn't hurt.
- *
- * We sort the masks for a duplicated key the same way as
- * in a masklist -- most specific to least specific.
- * This may require the unfortunate nuisance of relocating
- * the head of the list.
- *
- * We also reverse, or doubly link the list through the
- * parent pointer.
- */
- if (tt == saved_tt) {
- struct radix_node *xx = x;
- /* link in at head of list */
- (tt = treenodes)->rn_dupedkey = t;
- tt->rn_flags = t->rn_flags;
- tt->rn_p = x = t->rn_p;
- t->rn_p = tt;
- if (x->rn_l == t)
- x->rn_l = tt;
- else
- x->rn_r = tt;
- saved_tt = tt;
- x = xx;
- } else {
- (tt = treenodes)->rn_dupedkey = t->rn_dupedkey;
- t->rn_dupedkey = tt;
- tt->rn_p = t;
- if (tt->rn_dupedkey)
- tt->rn_dupedkey->rn_p = tt;
- }
-#ifdef RN_DEBUG
- t=tt+1;
- tt->rn_info = rn_nodenum++;
- t->rn_info = rn_nodenum++;
- tt->rn_twin = t;
- tt->rn_ybro = rn_clist;
- rn_clist = tt;
-#endif
- tt->rn_key = (caddr_t) v;
- tt->rn_b = -1;
- tt->rn_flags = RNF_ACTIVE;
- }
- /*
- * Put mask in tree.
- */
- if (netmask) {
- tt->rn_mask = netmask;
- tt->rn_b = x->rn_b;
- tt->rn_flags |= x->rn_flags & RNF_NORMAL;
- }
- t = saved_tt->rn_p;
- if (keyduplicated)
- goto on2;
- b_leaf = -1 - t->rn_b;
- if (t->rn_r == saved_tt)
- x = t->rn_l;
- else
- x = t->rn_r;
- /* Promote general routes from below */
- if (x->rn_b < 0) {
- for (mp = &t->rn_mklist; x; x = x->rn_dupedkey)
- if (x->rn_mask && (x->rn_b >= b_leaf) && x->rn_mklist == 0) {
- *mp = m = rn_new_radix_mask(x, 0);
- if (m)
- mp = &m->rm_mklist;
- }
- } else if (x->rn_mklist) {
- /*
- * Skip over masks whose index is > that of new node
- */
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
- if (m->rm_b >= b_leaf)
- break;
- t->rn_mklist = m;
- *mp = 0;
- }
-on2:
- /* Add new route to highest possible ancestor's list */
- if ((netmask == 0) || (b > t->rn_b ))
- return tt; /* can't lift at all */
- b_leaf = tt->rn_b;
- do {
- x = t;
- t = t->rn_p;
- } while (b <= t->rn_b && x != top);
- /*
- * Search through routes associated with node to
- * insert new route according to index.
- * Need same criteria as when sorting dupedkeys to avoid
- * double loop on deletion.
- */
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist) {
- if (m->rm_b < b_leaf)
- continue;
- if (m->rm_b > b_leaf)
- break;
- if (m->rm_flags & RNF_NORMAL) {
- mmask = m->rm_leaf->rn_mask;
- if (tt->rn_flags & RNF_NORMAL) {
-#if 0
- log(LOG_ERR, "Non-unique normal route,"
- " mask not entered\n");
-#endif
- return tt;
- }
- } else
- mmask = m->rm_mask;
- if (mmask == netmask) {
- m->rm_refs++;
- tt->rn_mklist = m;
- return tt;
- }
- if (rn_refines(netmask, mmask)
- || rn_lexobetter(netmask, mmask))
- break;
- }
- *mp = rn_new_radix_mask(tt, *mp);
- return tt;
-}
-
-struct radix_node *
-rn_delete(v_arg, netmask_arg, head)
- void *v_arg, *netmask_arg;
- struct radix_node_head *head;
-{
- struct radix_node *t, *p, *x, *tt;
- struct radix_mask *m, *saved_m, **mp;
- struct radix_node *dupedkey, *saved_tt, *top;
- caddr_t v, netmask;
- int b, head_off, vlen;
-
- v = v_arg;
- netmask = netmask_arg;
- x = head->rnh_treetop;
- tt = rn_search(v, x);
- head_off = x->rn_off;
- vlen = *(u_char *)v;
- saved_tt = tt;
- top = x;
- if (tt == 0 ||
- Bcmp(v + head_off, tt->rn_key + head_off, vlen - head_off))
- return (0);
- /*
- * Delete our route from mask lists.
- */
- if (netmask) {
- if ((x = rn_addmask(netmask, 1, head_off)) == 0)
- return (0);
- netmask = x->rn_key;
- while (tt->rn_mask != netmask)
- if ((tt = tt->rn_dupedkey) == 0)
- return (0);
- }
- if (tt->rn_mask == 0 || (saved_m = m = tt->rn_mklist) == 0)
- goto on1;
- if (tt->rn_flags & RNF_NORMAL) {
- if (m->rm_leaf != tt || m->rm_refs > 0) {
-#if 0
- log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
- return 0; /* dangling ref could cause disaster */
- }
- } else {
- if (m->rm_mask != tt->rn_mask) {
-#if 0
- log(LOG_ERR, "rn_delete: inconsistent annotation\n");
-#endif
- goto on1;
- }
- if (--m->rm_refs >= 0)
- goto on1;
- }
- b = -1 - tt->rn_b;
- t = saved_tt->rn_p;
- if (b > t->rn_b)
- goto on1; /* Wasn't lifted at all */
- do {
- x = t;
- t = t->rn_p;
- } while (b <= t->rn_b && x != top);
- for (mp = &x->rn_mklist; (m = *mp) != NULL; mp = &m->rm_mklist)
- if (m == saved_m) {
- *mp = m->rm_mklist;
- MKFree(m);
- break;
- }
- if (m == 0) {
-#if 0
- log(LOG_ERR, "rn_delete: couldn't find our annotation\n");
-#endif
- if (tt->rn_flags & RNF_NORMAL)
- return (0); /* Dangling ref to us */
- }
-on1:
- /*
- * Eliminate us from tree
- */
- if (tt->rn_flags & RNF_ROOT)
- return (0);
-#ifdef RN_DEBUG
- /* Get us out of the creation list */
- for (t = rn_clist; t && t->rn_ybro != tt; t = t->rn_ybro)
- ;
- if (t) t->rn_ybro = tt->rn_ybro;
-#endif
- t = tt->rn_p;
- dupedkey = saved_tt->rn_dupedkey;
- if (dupedkey) {
- /*
- * Here, tt is the deletion target and
- * saved_tt is the head of the dupedkey chain.
- */
- if (tt == saved_tt) {
- x = dupedkey;
- x->rn_p = t;
- if (t->rn_l == tt)
- t->rn_l = x;
- else
- t->rn_r = x;
- } else {
- /* find node in front of tt on the chain */
- for (x = p = saved_tt; p && p->rn_dupedkey != tt;)
- p = p->rn_dupedkey;
- if (p) {
- p->rn_dupedkey = tt->rn_dupedkey;
- if (tt->rn_dupedkey)
- tt->rn_dupedkey->rn_p = p;
- }
-#if 0
- else
- log(LOG_ERR, "rn_delete: couldn't find us\n");
-#endif
- }
- t = tt + 1;
- if (t->rn_flags & RNF_ACTIVE) {
-#ifndef RN_DEBUG
- *++x = *t;
- p = t->rn_p;
-#else
- b = t->rn_info;
- *++x = *t;
- t->rn_info = b;
- p = t->rn_p;
-#endif
- if (p->rn_l == t)
- p->rn_l = x;
- else
- p->rn_r = x;
- x->rn_l->rn_p = x;
- x->rn_r->rn_p = x;
- }
- goto out;
- }
- if (t->rn_l == tt)
- x = t->rn_r;
- else
- x = t->rn_l;
- p = t->rn_p;
- if (p->rn_r == t)
- p->rn_r = x;
- else
- p->rn_l = x;
- x->rn_p = p;
- /*
- * Demote routes attached to us.
- */
- if (t->rn_mklist) {
- if (x->rn_b >= 0) {
- for (mp = &x->rn_mklist; (m = *mp) != NULL;)
- mp = &m->rm_mklist;
- *mp = t->rn_mklist;
- } else {
- /* If there are any key,mask pairs in a sibling
- duped-key chain, some subset will appear sorted
- in the same order attached to our mklist */
- for (m = t->rn_mklist; m && x; x = x->rn_dupedkey)
- if (m == x->rn_mklist) {
- struct radix_mask *mm = m->rm_mklist;
- x->rn_mklist = 0;
- if (--(m->rm_refs) < 0)
- MKFree(m);
- m = mm;
- }
-#if 0
- if (m)
- log(LOG_ERR, "%s %p at %p\n",
- "rn_delete: Orphaned Mask", m, x);
-#endif
- }
- }
- /*
- * We may be holding an active internal node in the tree.
- */
- x = tt + 1;
- if (t != x) {
-#ifndef RN_DEBUG
- *t = *x;
-#else
- b = t->rn_info;
- *t = *x;
- t->rn_info = b;
-#endif
- t->rn_l->rn_p = t;
- t->rn_r->rn_p = t;
- p = x->rn_p;
- if (p->rn_l == x)
- p->rn_l = t;
- else
- p->rn_r = t;
- }
-out:
- tt->rn_flags &= ~RNF_ACTIVE;
- tt[1].rn_flags &= ~RNF_ACTIVE;
- return (tt);
-}
-
-int
-rn_walktree(h, f, w)
- struct radix_node_head *h;
- int (*f) __P((struct radix_node *, void *));
- void *w;
-{
- int error;
- struct radix_node *base, *next;
- struct radix_node *rn = h->rnh_treetop;
- /*
- * This gets complicated because we may delete the node
- * while applying the function f to it, so we need to calculate
- * the successor node in advance.
- */
- /* First time through node, go left */
- while (rn->rn_b >= 0)
- rn = rn->rn_l;
- for (;;) {
- base = rn;
- /* If at right child go back up, otherwise, go right */
- while (rn->rn_p->rn_r == rn && (rn->rn_flags & RNF_ROOT) == 0)
- rn = rn->rn_p;
- /* Find the next *leaf* since next node might vanish, too */
- for (rn = rn->rn_p->rn_r; rn->rn_b >= 0;)
- rn = rn->rn_l;
- next = rn;
- /* Process leaves */
- while ((rn = base) != NULL) {
- base = rn->rn_dupedkey;
- if (!(rn->rn_flags & RNF_ROOT)
- && (error = (*f)(rn, w)))
- return (error);
- }
- rn = next;
- if (rn->rn_flags & RNF_ROOT)
- return (0);
- }
- /* NOTREACHED */
-}
-
-int
-rn_inithead(head, off)
- void **head;
- int off;
-{
- struct radix_node_head *rnh;
-
- if (*head)
- return (1);
- R_Malloc(rnh, struct radix_node_head *, sizeof (*rnh));
- if (rnh == 0)
- return (0);
- *head = rnh;
- return rn_inithead0(rnh, off);
-}
-
-int
-rn_inithead0(rnh, off)
- struct radix_node_head *rnh;
- int off;
-{
- struct radix_node *t, *tt, *ttt;
-
- Bzero(rnh, sizeof (*rnh));
- t = rn_newpair(rn_zeros, off, rnh->rnh_nodes);
- ttt = rnh->rnh_nodes + 2;
- t->rn_r = ttt;
- t->rn_p = t;
- tt = t->rn_l;
- tt->rn_flags = t->rn_flags = RNF_ROOT | RNF_ACTIVE;
- tt->rn_b = -1 - off;
- *ttt = *tt;
- ttt->rn_key = rn_ones;
- rnh->rnh_addaddr = rn_addroute;
- rnh->rnh_deladdr = rn_delete;
- rnh->rnh_matchaddr = rn_match;
- rnh->rnh_lookup = rn_lookup;
- rnh->rnh_walktree = rn_walktree;
- rnh->rnh_treetop = t;
- return (1);
-}
-
-void
-rn_init()
-{
- char *cp, *cplim;
-
- if (max_keylen == 0) {
-#if 0
- log(LOG_ERR,
- "rn_init: radix functions require max_keylen be set\n");
-#endif
- return;
- }
- if (rn_zeros == NULL) {
- R_Malloc(rn_zeros, char *, 3 * max_keylen);
- }
- if (rn_zeros == NULL)
- panic("rn_init");
- Bzero(rn_zeros, 3 * max_keylen);
- rn_ones = cp = rn_zeros + max_keylen;
- addmask_key = cplim = rn_ones + max_keylen;
- while (cp < cplim)
- *cp++ = -1;
- if (rn_inithead((void *)&mask_rnhead, 0) == 0)
- panic("rn_init 2");
-}
-
-
-static int
-rn_freenode(struct radix_node *n, void *p)
-{
- struct radix_node_head *rnh = p;
- struct radix_node *d;
-
- d = rnh->rnh_deladdr(n->rn_key, NULL, rnh);
- if (d != NULL) {
- FreeS(d, max_keylen + 2 * sizeof (*d));
- }
- return 0;
-}
-
-
-void
-rn_freehead(rnh)
- struct radix_node_head *rnh;
-{
-
- (void)rn_walktree(rnh, rn_freenode, rnh);
-
- rnh->rnh_addaddr = NULL;
- rnh->rnh_deladdr = NULL;
- rnh->rnh_matchaddr = NULL;
- rnh->rnh_lookup = NULL;
- rnh->rnh_walktree = NULL;
-
- Free(rnh);
-}
-
-
-void
-rn_fini()
-{
- struct radix_mask *m;
-
- if (rn_zeros != NULL) {
- FreeS(rn_zeros, 3 * max_keylen);
- rn_zeros = NULL;
- }
-
- if (mask_rnhead != NULL) {
- rn_freehead(mask_rnhead);
- mask_rnhead = NULL;
- }
-
- while ((m = rn_mkfreelist) != NULL) {
- rn_mkfreelist = m->rm_mklist;
- KFREE(m);
- }
-}
-
-
-#ifdef USE_MAIN
-
-typedef struct myst {
- addrfamily_t dst;
- addrfamily_t mask;
- struct radix_node nodes[2];
-} myst_t;
-
-int
-main(int argc, char *argv[])
-{
- struct radix_node_head *rnh;
- struct radix_node *rn;
- addrfamily_t af, mf;
- myst_t st1, st2, *stp;
-
- memset(&st1, 0, sizeof(st1));
- memset(&st2, 0, sizeof(st2));
- memset(&af, 0, sizeof(af));
-
- rn_init();
-
- rnh = NULL;
- rn_inithead(&rnh, offsetof(addrfamily_t, adf_addr) << 3);
-
- st1.dst.adf_len = sizeof(st1);
- st1.mask.adf_len = sizeof(st1);
- st1.dst.adf_addr.in4.s_addr = inet_addr("127.0.0.0");
- st1.mask.adf_addr.in4.s_addr = inet_addr("255.0.0.0");
- rn = rnh->rnh_addaddr(&st1.dst, &st1.mask, rnh, st1.nodes);
- printf("add.1 %p\n", rn);
-
- st2.dst.adf_len = sizeof(st2);
- st2.mask.adf_len = sizeof(st2);
- st2.dst.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
- st2.mask.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
- rn = rnh->rnh_addaddr(&st2.dst, &st2.mask, rnh, st2.nodes);
- printf("add.2 %p\n", rn);
-
- af.adf_len = sizeof(af);
- af.adf_addr.in4.s_addr = inet_addr("127.0.1.0");
- rn = rnh->rnh_matchaddr(&af, rnh);
- if (rn != NULL) {
- printf("1.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- mf.adf_len = sizeof(mf);
- mf.adf_addr.in4.s_addr = inet_addr("255.255.255.0");
- rn = rnh->rnh_lookup(&af, &mf, rnh);
- if (rn != NULL) {
- printf("2.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- af.adf_len = sizeof(af);
- af.adf_addr.in4.s_addr = inet_addr("126.0.0.1");
- rn = rnh->rnh_matchaddr(&af, rnh);
- if (rn != NULL) {
- printf("3.lookup = %p key %p mask %p\n", rn, rn->rn_key, rn->rn_mask);
- stp = rn->rn_key;
- printf("%s/", inet_ntoa(stp->dst.adf_addr.in4));
- stp = rn->rn_mask;
- printf("%s\n", inet_ntoa(stp->dst.adf_addr.in4));
- }
-
- return 0;
-}
-
-
-void
-log(int level, char *format, ...)
-{
- va_list ap;
-
- va_start(ap, format);
- vfprintf(stderr, format, ap);
- va_end(ap);
-}
-#endif
-
-
-#ifndef _KERNEL
-void
-panic(char *str)
-{
- fputs(str, stderr);
- abort();
-}
-#endif
diff --git a/contrib/ipfilter/radix_ipf.h b/contrib/ipfilter/radix_ipf.h
deleted file mode 100644
index f9b0a30..0000000
--- a/contrib/ipfilter/radix_ipf.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.h 8.2 (Berkeley) 10/31/94
- */
-
-#if !defined(_NET_RADIX_H_) && !defined(_RADIX_H_)
-#define _NET_RADIX_H_
-#ifndef _RADIX_H_
-#define _RADIX_H_
-#endif /* _RADIX_H_ */
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#if defined(__sgi) || defined(__osf__) || defined(sun)
-# define radix_mask ipf_radix_mask
-# define radix_node ipf_radix_node
-# define radix_node_head ipf_radix_node_head
-#endif
-
-/*
- * Radix search tree node layout.
- */
-
-struct radix_node {
- struct radix_mask *rn_mklist; /* list of masks contained in subtree */
- struct radix_node *rn_p; /* parent */
- short rn_b; /* bit offset; -1-index(netmask) */
- char rn_bmask; /* node: mask for bit test*/
- u_char rn_flags; /* enumerated next */
-#define RNF_NORMAL 1 /* leaf contains normal route */
-#define RNF_ROOT 2 /* leaf is root leaf for tree */
-#define RNF_ACTIVE 4 /* This node is alive (for rtfree) */
- union {
- struct { /* leaf only data: */
- caddr_t rn_Key; /* object of search */
- caddr_t rn_Mask; /* netmask, if present */
- struct radix_node *rn_Dupedkey;
- } rn_leaf;
- struct { /* node only data: */
- int rn_Off; /* where to start compare */
- struct radix_node *rn_L;/* progeny */
- struct radix_node *rn_R;/* progeny */
- } rn_node;
- } rn_u;
-#ifdef RN_DEBUG
- int rn_info;
- struct radix_node *rn_twin;
- struct radix_node *rn_ybro;
-#endif
-};
-
-#define rn_dupedkey rn_u.rn_leaf.rn_Dupedkey
-#define rn_key rn_u.rn_leaf.rn_Key
-#define rn_mask rn_u.rn_leaf.rn_Mask
-#define rn_off rn_u.rn_node.rn_Off
-#define rn_l rn_u.rn_node.rn_L
-#define rn_r rn_u.rn_node.rn_R
-
-/*
- * Annotations to tree concerning potential routes applying to subtrees.
- */
-
-struct radix_mask {
- short rm_b; /* bit offset; -1-index(netmask) */
- char rm_unused; /* cf. rn_bmask */
- u_char rm_flags; /* cf. rn_flags */
- struct radix_mask *rm_mklist; /* more masks to try */
- union {
- caddr_t rmu_mask; /* the mask */
- struct radix_node *rmu_leaf; /* for normal routes */
- } rm_rmu;
- int rm_refs; /* # of references to this struct */
-};
-
-#define rm_mask rm_rmu.rmu_mask
-#define rm_leaf rm_rmu.rmu_leaf /* extra field would make 32 bytes */
-
-#define MKGet(m) {\
- if (rn_mkfreelist) {\
- m = rn_mkfreelist; \
- rn_mkfreelist = (m)->rm_mklist; \
- } else \
- R_Malloc(m, struct radix_mask *, sizeof (*(m))); }\
-
-#define MKFree(m) { (m)->rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);}
-
-struct radix_node_head {
- struct radix_node *rnh_treetop;
- struct radix_node *rnh_leaflist;
- u_long rnh_hits;
- u_int rnh_number;
- u_int rnh_ref;
- int rnh_addrsize; /* permit, but not require fixed keys */
- int rnh_pktsize; /* permit, but not require fixed keys */
- struct radix_node *(*rnh_addaddr) /* add based on sockaddr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_addpkt) /* add based on packet hdr */
- __P((void *v, void *mask,
- struct radix_node_head *head, struct radix_node nodes[]));
- struct radix_node *(*rnh_deladdr) /* remove based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_delpkt) /* remove based on packet hdr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchaddr) /* locate based on sockaddr */
- __P((void *v, struct radix_node_head *head));
- struct radix_node *(*rnh_lookup) /* locate based on sockaddr */
- __P((void *v, void *mask, struct radix_node_head *head));
- struct radix_node *(*rnh_matchpkt) /* locate based on packet hdr */
- __P((void *v, struct radix_node_head *head));
- int (*rnh_walktree) /* traverse tree */
- __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
- struct radix_node rnh_nodes[3]; /* empty tree for common case */
-};
-
-
-#if defined(AIX)
-# undef Bcmp
-# undef Bzero
-# undef R_Malloc
-# undef Free
-#endif
-#define Bcmp(a, b, n) bcmp(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
-#if defined(linux) && defined(_KERNEL)
-# define Bcopy(a, b, n) memmove(((caddr_t)(b)), ((caddr_t)(a)), (unsigned)(n))
-#else
-# define Bcopy(a, b, n) bcopy(((caddr_t)(a)), ((caddr_t)(b)), (unsigned)(n))
-#endif
-#define Bzero(p, n) bzero((caddr_t)(p), (unsigned)(n));
-#define R_Malloc(p, t, n) KMALLOCS(p, t, n)
-#define FreeS(p, z) KFREES(p, z)
-#define Free(p) KFREE(p)
-
-#if (defined(__osf__) || defined(AIX) || (IRIX >= 60516) || defined(sun)) && defined(_KERNEL)
-# define rn_init ipf_rn_init
-# define rn_fini ipf_rn_fini
-# define rn_inithead ipf_rn_inithead
-# define rn_freehead ipf_rn_freehead
-# define rn_inithead0 ipf_rn_inithead0
-# define rn_refines ipf_rn_refines
-# define rn_walktree ipf_rn_walktree
-# define rn_addmask ipf_rn_addmask
-# define rn_addroute ipf_rn_addroute
-# define rn_delete ipf_rn_delete
-# define rn_insert ipf_rn_insert
-# define rn_lookup ipf_rn_lookup
-# define rn_match ipf_rn_match
-# define rn_newpair ipf_rn_newpair
-# define rn_search ipf_rn_search
-# define rn_search_m ipf_rn_search_m
-# define max_keylen ipf_maxkeylen
-# define rn_mkfreelist ipf_rn_mkfreelist
-# define rn_zeros ipf_rn_zeros
-# define rn_ones ipf_rn_ones
-# define rn_satisfies_leaf ipf_rn_satisfies_leaf
-# define rn_lexobetter ipf_rn_lexobetter
-# define rn_new_radix_mask ipf_rn_new_radix_mask
-# define rn_freenode ipf_rn_freenode
-#endif
-
-void rn_init __P((void));
-void rn_fini __P((void));
-int rn_inithead __P((void **, int));
-void rn_freehead __P((struct radix_node_head *));
-int rn_inithead0 __P((struct radix_node_head *, int));
-int rn_refines __P((void *, void *));
-int rn_walktree __P((struct radix_node_head *,
- int (*)(struct radix_node *, void *), void *));
-struct radix_node
- *rn_addmask __P((void *, int, int)),
- *rn_addroute __P((void *, void *, struct radix_node_head *,
- struct radix_node [2])),
- *rn_delete __P((void *, void *, struct radix_node_head *)),
- *rn_insert __P((void *, struct radix_node_head *, int *,
- struct radix_node [2])),
- *rn_lookup __P((void *, void *, struct radix_node_head *)),
- *rn_match __P((void *, struct radix_node_head *)),
- *rn_newpair __P((void *, int, struct radix_node[2])),
- *rn_search __P((void *, struct radix_node *)),
- *rn_search_m __P((void *, struct radix_node *, void *));
-
-#endif /* _NET_RADIX_H_ */
diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c
deleted file mode 100644
index 6a67433..0000000
--- a/contrib/ipfilter/relay.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Sample program to be used as a transparent proxy.
- *
- * Must be executed with permission enough to do an ioctl on /dev/ipl
- * or equivalent. This is just a sample and is only alpha quality.
- * - Darren Reed (8 April 1996)
- */
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/errno.h>
-#include <sys/syslog.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <sys/socket.h>
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000)
-# include <poll.h>
-# define USE_POLL
-#endif
-#include "ip_nat.h"
-
-#define RELAY_BUFSZ 8192
-
-char ibuff[RELAY_BUFSZ];
-char obuff[RELAY_BUFSZ];
-
-int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
-{
-#ifdef USE_POLL
- struct pollfd set[3];
-#else
- fd_set rfds, wfds;
-#endif
- char *irh, *irt, *rrh, *rrt;
- char *iwh, *iwt, *rwh, *rwt;
- int nfd, n, rw;
-
- irh = irt = ibuff;
- iwh = iwt = obuff;
- nfd = ifd;
- if (nfd < ofd)
- nfd = ofd;
- if (nfd < rfd)
- nfd = rfd;
-
-#ifdef USE_POLL
- set[0].fd = rfd;
- set[1].fd = ifd;
- set[2].fd = ofd;
-#endif
-
- while (1) {
-#ifdef USE_POLL
- set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) |
- (irh > irt ? POLLOUT : 0);
- set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0);
- set[2].events = (iwh > iwt ? POLLOUT : 0);
-
- switch ((n = poll(set, 3, INFTIM)))
-#else
- FD_ZERO(&rfds);
- FD_ZERO(&wfds);
- if (irh > irt)
- FD_SET(rfd, &wfds);
- if (irh < (ibuff + RELAY_BUFSZ))
- FD_SET(ifd, &rfds);
- if (iwh > iwt)
- FD_SET(ofd, &wfds);
- if (iwh < (obuff + RELAY_BUFSZ))
- FD_SET(rfd, &rfds);
-
- switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
-#endif
- {
- case -1 :
- case 0 :
- return -1;
- default :
-#ifdef USE_POLL
- if (set[1].revents & POLLIN)
-#else
- if (FD_ISSET(ifd, &rfds))
-#endif
- {
- rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- irh += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[2].revents & POLLOUT)
-#else
- if (n && FD_ISSET(ofd, &wfds))
-#endif
- {
- rw = write(ofd, iwt, iwh - iwt);
- if (rw == -1)
- return -1;
- iwt += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[0].revents & POLLIN)
-#else
- if (n && FD_ISSET(rfd, &rfds))
-#endif
- {
- rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- iwh += rw;
- n--;
- }
-#ifdef USE_POLL
- if (set[0].revents & POLLOUT)
-#else
- if (n && FD_ISSET(rfd, &wfds))
-#endif
- {
- rw = write(rfd, irt, irh - irt);
- if (rw == -1)
- return -1;
- irt += rw;
- n--;
- }
- if (irh == irt)
- irh = irt = ibuff;
- if (iwh == iwt)
- iwh = iwt = obuff;
- }
- }
-}
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin;
- natlookup_t nl;
- natlookup_t *nlp = &nl;
- int fd, sl = sizeof(sl), se;
-
- openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
- if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) {
- se = errno;
- perror("open");
- errno = se;
- syslog(LOG_ERR, "open: %m\n");
- exit(-1);
- }
-
- bzero(&nl, sizeof(nl));
- nl.nl_flags = IPN_TCP;
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getsockname");
- errno = se;
- syslog(LOG_ERR, "getsockname: %m\n");
- exit(-1);
- } else {
- nl.nl_inip.s_addr = sin.sin_addr.s_addr;
- nl.nl_inport = sin.sin_port;
- }
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getpeername");
- errno = se;
- syslog(LOG_ERR, "getpeername: %m\n");
- exit(-1);
- } else {
- nl.nl_outip.s_addr = sin.sin_addr.s_addr;
- nl.nl_outport = sin.sin_port;
- }
-
- if (ioctl(fd, SIOCGNATL, &nlp) == -1) {
- se = errno;
- perror("ioctl");
- errno = se;
- syslog(LOG_ERR, "ioctl: %m\n");
- exit(-1);
- }
-
- sin.sin_port = nl.nl_realport;
- sin.sin_addr = nl.nl_realip;
- sl = sizeof(sin);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (connect(fd, (struct sockaddr *)&sin, sl) == -1) {
- se = errno;
- perror("connect");
- errno = se;
- syslog(LOG_ERR, "connect: %m\n");
- exit(-1);
- }
-
- (void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-
- syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr),
- ntohs(sin.sin_port));
- if (relay(0, 1, fd) == -1) {
- se = errno;
- perror("relay");
- errno = se;
- syslog(LOG_ERR, "relay: %m\n");
- exit(-1);
- }
- exit(0);
-}
diff --git a/contrib/ipfilter/rules/.cvsignore b/contrib/ipfilter/rules/.cvsignore
deleted file mode 100644
index 3e75765..0000000
--- a/contrib/ipfilter/rules/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-new
diff --git a/contrib/ipfilter/rules/BASIC.NAT b/contrib/ipfilter/rules/BASIC.NAT
deleted file mode 100644
index 213e338..0000000
--- a/contrib/ipfilter/rules/BASIC.NAT
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
-# For normal TCP/UDP and other IP protocols
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
diff --git a/contrib/ipfilter/rules/BASIC_1.FW b/contrib/ipfilter/rules/BASIC_1.FW
deleted file mode 100644
index d2bd60a..0000000
--- a/contrib/ipfilter/rules/BASIC_1.FW
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/BASIC_2.FW b/contrib/ipfilter/rules/BASIC_2.FW
deleted file mode 100644
index 46564f0..0000000
--- a/contrib/ipfilter/rules/BASIC_2.FW
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/contrib/ipfilter/rules/example.1 b/contrib/ipfilter/rules/example.1
deleted file mode 100644
index ff93f49..0000000
--- a/contrib/ipfilter/rules/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/contrib/ipfilter/rules/example.10 b/contrib/ipfilter/rules/example.10
deleted file mode 100644
index 560d1e6..0000000
--- a/contrib/ipfilter/rules/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/contrib/ipfilter/rules/example.11 b/contrib/ipfilter/rules/example.11
deleted file mode 100644
index c6b4e7f..0000000
--- a/contrib/ipfilter/rules/example.11
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/contrib/ipfilter/rules/example.12 b/contrib/ipfilter/rules/example.12
deleted file mode 100644
index c0ba1d3..0000000
--- a/contrib/ipfilter/rules/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/contrib/ipfilter/rules/example.13 b/contrib/ipfilter/rules/example.13
deleted file mode 100644
index 854f07f..0000000
--- a/contrib/ipfilter/rules/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/contrib/ipfilter/rules/example.2 b/contrib/ipfilter/rules/example.2
deleted file mode 100644
index 4f81725..0000000
--- a/contrib/ipfilter/rules/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/contrib/ipfilter/rules/example.3 b/contrib/ipfilter/rules/example.3
deleted file mode 100644
index cd31f73..0000000
--- a/contrib/ipfilter/rules/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/contrib/ipfilter/rules/example.4 b/contrib/ipfilter/rules/example.4
deleted file mode 100644
index 7918ec2..0000000
--- a/contrib/ipfilter/rules/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/contrib/ipfilter/rules/example.5 b/contrib/ipfilter/rules/example.5
deleted file mode 100644
index 6d688b5..0000000
--- a/contrib/ipfilter/rules/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo to bar through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/contrib/ipfilter/rules/example.6 b/contrib/ipfilter/rules/example.6
deleted file mode 100644
index d40f0f3..0000000
--- a/contrib/ipfilter/rules/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/rules/example.7 b/contrib/ipfilter/rules/example.7
deleted file mode 100644
index 062de98..0000000
--- a/contrib/ipfilter/rules/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/contrib/ipfilter/rules/example.8 b/contrib/ipfilter/rules/example.8
deleted file mode 100644
index baa0258..0000000
--- a/contrib/ipfilter/rules/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
deleted file mode 100644
index daff203..0000000
--- a/contrib/ipfilter/rules/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le1 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/rules/example.sr b/contrib/ipfilter/rules/example.sr
deleted file mode 100644
index c4c1994..0000000
--- a/contrib/ipfilter/rules/example.sr
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/contrib/ipfilter/rules/firewall b/contrib/ipfilter/rules/firewall
deleted file mode 100644
index 681a81d..0000000
--- a/contrib/ipfilter/rules/firewall
+++ /dev/null
@@ -1,39 +0,0 @@
-Configuring IP Filter for firewall usage.
-=========================================
-
-Step 1 - Block out "bad" IP packets.
-------------------------------------
-
-Run the perl script "mkfilters". This will generate a list of blocking
-rules which:
- a) blocks all packets which might belong to an IP Spoofing attack;
- b) blocks all packets with IP options;
- c) blocks all packets which have a length which is too short for
- any legal packet;
-
-Step 2 - Convert Network Security Policy to filter rules.
----------------------------------------------------------
-
-Draw up a list of which services you want to allow users to use on the
-Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
-want each host that is part of your firewall to be allowed to do, including
-communication with internal hosts.
-
-Step 3 - Create TCP "keep state" rules.
----------------------------------------
-
-For each service that uses TCP, create a rule as follows:
-
-pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
-
-where
-* "int-a" is the internal interface of the firewall. That is, it is the
- closest to your internal network in terms of network hops.
-
-* "int-net" is the internal network IP# subnet address range. This might
- be something like 10.1.0.0/16, or 128.33.1.0/24
-
-* "ext-service" is the service to which you wish to connect or if it doesn't
- have a proper name, a number can be used. The translation of "ext-service"
- as a name to a number is controlled with the /etc/services file.
-
diff --git a/contrib/ipfilter/rules/ftp-proxy b/contrib/ipfilter/rules/ftp-proxy
deleted file mode 100644
index ad2f717..0000000
--- a/contrib/ipfilter/rules/ftp-proxy
+++ /dev/null
@@ -1,45 +0,0 @@
-How to setup FTP proxying using the built in proxy code.
-========================================================
-
-NOTE: Currently, the built-in FTP proxy is only available for use with NAT
- (i.e. only if you're already using "map" rules with ipnat). It does
- support null-NAT mappings, that is, using the proxy without changing
- the addresses.
-
-Lets assume your network diagram looks something like this:
-
-
-[host A]
- |a
----+-------------+----------
- |b
- [host B]
- |c
----+-------------+----------
- |d
-[host C]
-
-and IP Filter is running on host B. If you want to proxy FTP from A to C
-then you would do:
-
-map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy port ftp ftp/tcp
-
-int-c = name of "interface c"
-ipaddr-a = ip# of interface a
-ipaddr-c-net = another ip# on the C-network (usually not the same as the
-interface).
-
-e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
-which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
-203.45.67.90, you would do:
-
-map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy port ftp ftp/tcp
-
-where:
-ipaddr-a = 10.1.1.1
-int-c = vx0
-ipaddr-c-net = 203.45.67.91
-
-The "map" rule for this proxy should precede any other NAT rules you are
-using.
-
diff --git a/contrib/ipfilter/rules/ftppxy b/contrib/ipfilter/rules/ftppxy
deleted file mode 100755
index 2c42c52..0000000
--- a/contrib/ipfilter/rules/ftppxy
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# The proxy bit is as follows:
-# proxy [port <portname>] <tag>/<protocol>
-# the <tag> should match a tagname in the proxy table, as does the protocol.
-# this format isn't finalised yet
-echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
diff --git a/contrib/ipfilter/rules/ip_rules b/contrib/ipfilter/rules/ip_rules
deleted file mode 100644
index 9850f16..0000000
--- a/contrib/ipfilter/rules/ip_rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# Used to generate ../ip_rules.c and ../ip_rules.h
-pass in all
-pass out all
diff --git a/contrib/ipfilter/rules/ipmon.conf b/contrib/ipfilter/rules/ipmon.conf
deleted file mode 100644
index 47b0146..0000000
--- a/contrib/ipfilter/rules/ipmon.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-#
-#
-#
-match { logtag = 10000 }
- do { execute "/usr/bin/mail -s 'logtag 10000' root" };
-match { logtag = 2000, every 10 seconds }
- do { execute "echo 'XXXXXXXX tag 2000 packet XXXXXXXX'" };
-#
-match { protocol = udp, result = block }
- do { execute "/usr/bin/mail -s 'blocked udp' root"
-};
-#
-match {
- srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "/usr/bin/mail -s 'from 10.1 to 192.168.1' root"
-};
-#
-match {
- rule = 12, logtag = 101, direction = in, result = block,
- protocol = udp, srcip = 10.1.0.0/16, dstip = 192.168.1.0/24 }
- do { execute "run shell command"
-};
-#
diff --git a/contrib/ipfilter/rules/nat-setup b/contrib/ipfilter/rules/nat-setup
deleted file mode 100644
index b10e8f1..0000000
--- a/contrib/ipfilter/rules/nat-setup
+++ /dev/null
@@ -1,77 +0,0 @@
-Configuring NAT on your network.
-================================
-
-To start setting up NAT, we need to define which is your "internal" interface
-and which is your "external" interface. The "internal" interface is the
-network adapter connected to the network with private IP addresses which
-you need to change for communicating on the Internet. The "external"
-interface is configured with a valid internet address.
-
-For example, your internal interface might have an IP# of 10.1.1.1 and be
-connected to your ethernet, whilst your external interface might be a PPP
-connection with an IP number of 204.51.62.176.
-
-Thus your network might look like this:
-
-<Internal Network>
- [pc] [pc]
- | |
-+-+---------+------+
- |
- [firewall]
- |
- |
- Internet
-<External Network>
-
-
-Writing the map-rule.
----------------------
-When you're connected to the Internet, you will either have a block of IP
-addresses assigned to you, maybe several different blocks, or you use a
-single IP address, i.e. with dialup PPP. If you have a block of addresses
-assigned, these can be used to create either a 1:1 mapping (if you have
-only a few internal IP addresses) or N:1 mappings, where groups of internal
-addresses map to a single IP address and unless you have enough Internet
-addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
-UDP port numbers.
-
-For an N:1 situation, you might have:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
-
-where if you had 16 addresses available, you could do:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
-
-Or if you wanted to allocate subnets to each IP#, you might do:
-
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
-map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
-map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
-map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
-
-*** NOTE: NAT rules are used on a first-match basis only!
-
-
-Filtering with NAT.
--------------------
-IP Filter will always translate addresses in a packet _BEFORE_ it checks its
-access list for inbound packets and translates addresses _AFTER_ it has
-checked the access control lists for outbound packets.
-
-For example (using the above NAT rules), if you wanted to prevent all hosts
-in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
-with ipf:
-
-block out on ppp0 from 10.1.2.0/24 to any
-block in on ppp0 from any to 10.1.2.0/24
-
-and use these with ipnat:
-
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
-map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
diff --git a/contrib/ipfilter/rules/nat.eg b/contrib/ipfilter/rules/nat.eg
deleted file mode 100644
index 9c26754..0000000
--- a/contrib/ipfilter/rules/nat.eg
+++ /dev/null
@@ -1,14 +0,0 @@
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/contrib/ipfilter/rules/pool.conf b/contrib/ipfilter/rules/pool.conf
deleted file mode 100644
index 285398d..0000000
--- a/contrib/ipfilter/rules/pool.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-pool 0 = { !10.0.0.0 - 10.255.255.255, 10.1.0.0 - 10.1.255.255,
- 10.1.1.0 - 10.1.1.255, !10.1.2.0 - 10.2.2.255,
- 10.1.2.3 - 10.1.2.3, 10.1.2.15 - 10.1.2.15 };
diff --git a/contrib/ipfilter/rules/rules.sed b/contrib/ipfilter/rules/rules.sed
deleted file mode 100644
index 050d9b6..0000000
--- a/contrib/ipfilter/rules/rules.sed
+++ /dev/null
@@ -1,5 +0,0 @@
-WÆ . Ä..'& CVSWÜ example.1WÝ
-example.10WÞ
-example.11Wß
-example.12Wà
-example.13Wá example.2Wâ example.3Wã example.4Wä example.5Wå example.6Wæ example.7Wç example.8Wè example.9Wé
diff --git a/contrib/ipfilter/rules/server b/contrib/ipfilter/rules/server
deleted file mode 100644
index f2fb204..0000000
--- a/contrib/ipfilter/rules/server
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/contrib/ipfilter/rules/tcpstate b/contrib/ipfilter/rules/tcpstate
deleted file mode 100644
index 339a25f..0000000
--- a/contrib/ipfilter/rules/tcpstate
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all
diff --git a/contrib/ipfilter/samples/.cvsignore b/contrib/ipfilter/samples/.cvsignore
deleted file mode 100644
index 4d38251..0000000
--- a/contrib/ipfilter/samples/.cvsignore
+++ /dev/null
@@ -1,4 +0,0 @@
-userauth
-proxy
-relay
-trans_relay
diff --git a/contrib/ipfilter/samples/Makefile b/contrib/ipfilter/samples/Makefile
deleted file mode 100644
index 47ab4a2..0000000
--- a/contrib/ipfilter/samples/Makefile
+++ /dev/null
@@ -1,24 +0,0 @@
-CC=gcc
-all:
- @echo "Please do one of the following:"
- @echo "make bsd"
- @echo "make bsdi"
- @echo "make freebsd"
- @echo "make freebsd22"
- @echo "make netbsd"
- @echo "make openbsd"
- @echo "make sunos4"
- @echo "make sunos5"
-
-sunos5:
- $(CC) -I.. userauth.c -o userauth -lsocket -lnsl
- $(CC) -I.. proxy.c -o proxy -lsocket -lnsl
- $(CC) -I.. relay.c -o relay -lsocket -lnsl
-
-freebsd freebsd22 netbsd bsd bsdi sunos4 openbsd:
- $(CC) -I.. userauth.c -o userauth
- $(CC) -I.. proxy.c -o proxy
- $(CC) -I.. relay.c -o relay
-
-clean:
- /bin/rm -f userauth proxy relay
diff --git a/contrib/ipfilter/samples/ipfilter-pb.gif b/contrib/ipfilter/samples/ipfilter-pb.gif
deleted file mode 100644
index afaefa8..0000000
--- a/contrib/ipfilter/samples/ipfilter-pb.gif
+++ /dev/null
Binary files differ
diff --git a/contrib/ipfilter/samples/proxy.c b/contrib/ipfilter/samples/proxy.c
deleted file mode 100644
index f2063ec..0000000
--- a/contrib/ipfilter/samples/proxy.c
+++ /dev/null
@@ -1,315 +0,0 @@
-/*
- * Sample transparent proxy program.
- *
- * Sample implementation of a program which intercepts a TCP connectiona and
- * just echos all data back to the origin. Written to work via inetd as a
- * "nonwait" program running as root; ie.
- * tcpmux stream tcp nowait root /usr/local/bin/proxy proxy
- * with a NAT rue like this:
- * rdr smc0 0/0 port 80 -> 127.0.0.1/32 port 1
- */
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <syslog.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ipl.h"
-
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin, sloc, sout;
- ipfobj_t obj;
- natlookup_t natlook;
- char buffer[512];
- int namelen, fd, n;
-
- /*
- * get IP# and port # of the remote end of the connection (at the
- * origin).
- */
- namelen = sizeof(sin);
- if (getpeername(0, (struct sockaddr *)&sin, &namelen) == -1) {
- perror("getpeername");
- exit(-1);
- }
-
- /*
- * get IP# and port # of the local end of the connection (at the
- * man-in-the-middle).
- */
- namelen = sizeof(sin);
- if (getsockname(0, (struct sockaddr *)&sloc, &namelen) == -1) {
- perror("getsockname");
- exit(-1);
- }
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(natlook);
- obj.ipfo_ptr = &natlook;
- obj.ipfo_type = IPFOBJ_NATLOOKUP;
-
- /*
- * Build up the NAT natlookup structure.
- */
- bzero((char *)&natlook, sizeof(natlook));
- natlook.nl_outip = sin.sin_addr;
- natlook.nl_inip = sloc.sin_addr;
- natlook.nl_flags = IPN_TCP;
- natlook.nl_outport = sin.sin_port;
- natlook.nl_inport = sloc.sin_port;
-
- /*
- * Open the NAT device and lookup the mapping pair.
- */
- fd = open(IPNAT_NAME, O_RDONLY);
- if (ioctl(fd, SIOCGNATL, &obj) == -1) {
- perror("ioctl(SIOCGNATL)");
- exit(-1);
- }
-
-#define DO_NAT_OUT
-#ifdef DO_NAT_OUT
- if (argc > 1)
- do_nat_out(0, 1, fd, &natlook, argv[1]);
-#else
-
- /*
- * Log it
- */
- syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d",
- inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
- printf("connect to %s,%d\n",
- inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));
-
- /*
- * Just echo data read in from stdin to stdout
- */
- while ((n = read(0, buffer, sizeof(buffer))) > 0)
- if (write(1, buffer, n) != n)
- break;
- close(0);
-#endif
-}
-
-
-#ifdef DO_NAT_OUT
-do_nat_out(in, out, fd, nlp, extif)
-int fd;
-natlookup_t *nlp;
-char *extif;
-{
- nat_save_t ns, *nsp = &ns;
- struct sockaddr_in usin;
- u_32_t sum1, sum2, sumd;
- int onoff, ofd, slen;
- ipfobj_t obj;
- ipnat_t *ipn;
- nat_t *nat;
-
- bzero((char *)&ns, sizeof(ns));
-
- nat = &ns.ipn_nat;
- nat->nat_p = IPPROTO_TCP;
- nat->nat_dir = NAT_OUTBOUND;
- if ((extif != NULL) && (*extif != '\0')) {
- strncpy(nat->nat_ifnames[0], extif,
- sizeof(nat->nat_ifnames[0]));
- strncpy(nat->nat_ifnames[1], extif,
- sizeof(nat->nat_ifnames[1]));
- nat->nat_ifnames[0][sizeof(nat->nat_ifnames[0]) - 1] = '\0';
- nat->nat_ifnames[1][sizeof(nat->nat_ifnames[1]) - 1] = '\0';
- }
-
- ofd = socket(AF_INET, SOCK_DGRAM, 0);
- bzero((char *)&usin, sizeof(usin));
- usin.sin_family = AF_INET;
- usin.sin_addr = nlp->nl_realip;
- usin.sin_port = nlp->nl_realport;
- (void) connect(ofd, (struct sockaddr *)&usin, sizeof(usin));
- slen = sizeof(usin);
- (void) getsockname(ofd, (struct sockaddr *)&usin, &slen);
- close(ofd);
-printf("local IP# to use: %s\n", inet_ntoa(usin.sin_addr));
-
- if ((ofd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
- perror("socket");
- usin.sin_port = 0;
- if (bind(ofd, (struct sockaddr *)&usin, sizeof(usin)))
- perror("bind");
- slen = sizeof(usin);
- if (getsockname(ofd, (struct sockaddr *)&usin, &slen))
- perror("getsockname");
-printf("local port# to use: %d\n", ntohs(usin.sin_port));
-
- nat->nat_inip = usin.sin_addr;
- nat->nat_outip = nlp->nl_outip;
- nat->nat_oip = nlp->nl_realip;
-
- sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr)) + ntohs(usin.sin_port);
- sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr)) + ntohs(nlp->nl_outport);
- CALC_SUMD(sum1, sum2, sumd);
- nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
- nat->nat_sumd[1] = nat->nat_sumd[0];
-
- sum1 = LONG_SUM(ntohl(usin.sin_addr.s_addr));
- sum2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
- CALC_SUMD(sum1, sum2, sumd);
- nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
-
- nat->nat_inport = usin.sin_port;
- nat->nat_outport = nlp->nl_outport;
- nat->nat_oport = nlp->nl_realport;
-
- nat->nat_flags = IPN_TCPUDP;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*nsp);
- obj.ipfo_ptr = nsp;
- obj.ipfo_type = IPFOBJ_NATSAVE;
-
- onoff = 1;
- if (ioctl(fd, SIOCSTLCK, &onoff) == 0) {
- if (ioctl(fd, SIOCSTPUT, &obj) != 0)
- perror("SIOCSTPUT");
- onoff = 0;
- if (ioctl(fd, SIOCSTLCK, &onoff) != 0)
- perror("SIOCSTLCK");
- }
-
- usin.sin_addr = nlp->nl_realip;
- usin.sin_port = nlp->nl_realport;
-printf("remote end for connection: %s,%d\n", inet_ntoa(usin.sin_addr),
-ntohs(usin.sin_port));
-fflush(stdout);
- if (connect(ofd, (struct sockaddr *)&usin, sizeof(usin)))
- perror("connect");
-
- relay(in, out, ofd);
-}
-
-
-relay(in, out, net)
-int in, out, net;
-{
- char netbuf[1024], outbuf[1024];
- char *nwptr, *nrptr, *owptr, *orptr;
- size_t nsz, osz;
- fd_set rd, wr;
- int i, n, maxfd;
-
- n = 0;
- maxfd = in;
- if (out > maxfd)
- maxfd = out;
- if (net > maxfd)
- maxfd = net;
-
- nrptr = netbuf;
- nwptr = netbuf;
- nsz = sizeof(netbuf);
- orptr = outbuf;
- owptr = outbuf;
- osz = sizeof(outbuf);
-
- while (n >= 0) {
- FD_ZERO(&rd);
- FD_ZERO(&wr);
-
- if (nrptr - netbuf < sizeof(netbuf))
- FD_SET(in, &rd);
- if (orptr - outbuf < sizeof(outbuf))
- FD_SET(net, &rd);
-
- if (nsz < sizeof(netbuf))
- FD_SET(net, &wr);
- if (osz < sizeof(outbuf))
- FD_SET(out, &wr);
-
- n = select(maxfd + 1, &rd, &wr, NULL, NULL);
-
- if ((n > 0) && FD_ISSET(in, &rd)) {
- i = read(in, nrptr, sizeof(netbuf) - (nrptr - netbuf));
- if (i <= 0)
- break;
- nsz -= i;
- nrptr += i;
- n--;
- }
-
- if ((n > 0) && FD_ISSET(net, &rd)) {
- i = read(net, orptr, sizeof(outbuf) - (orptr - outbuf));
- if (i <= 0)
- break;
- osz -= i;
- orptr += i;
- n--;
- }
-
- if ((n > 0) && FD_ISSET(out, &wr)) {
- i = write(out, owptr, orptr - owptr);
- if (i <= 0)
- break;
- osz += i;
- if (osz == sizeof(outbuf) || owptr == orptr) {
- orptr = outbuf;
- owptr = outbuf;
- } else
- owptr += i;
- n--;
- }
-
- if ((n > 0) && FD_ISSET(net, &wr)) {
- i = write(net, nwptr, nrptr - nwptr);
- if (i <= 0)
- break;
- nsz += i;
- if (nsz == sizeof(netbuf) || nwptr == nrptr) {
- nrptr = netbuf;
- nwptr = netbuf;
- } else
- nwptr += i;
- }
- }
-
- close(net);
- close(out);
- close(in);
-}
-#endif
diff --git a/contrib/ipfilter/samples/relay.c b/contrib/ipfilter/samples/relay.c
deleted file mode 100644
index 6b96fc4..0000000
--- a/contrib/ipfilter/samples/relay.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Sample program to be used as a transparent proxy.
- *
- * Must be executed with permission enough to do an ioctl on /dev/ipl
- * or equivalent. This is just a sample and is only alpha quality.
- * - Darren Reed (8 April 1996)
- */
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/syslog.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ipl.h"
-
-#define RELAY_BUFSZ 8192
-
-char ibuff[RELAY_BUFSZ];
-char obuff[RELAY_BUFSZ];
-
-int relay(ifd, ofd, rfd)
-int ifd, ofd, rfd;
-{
- fd_set rfds, wfds;
- char *irh, *irt, *rrh, *rrt;
- char *iwh, *iwt, *rwh, *rwt;
- int nfd, n, rw;
-
- irh = irt = ibuff;
- iwh = iwt = obuff;
- nfd = ifd;
- if (nfd < ofd)
- nfd = ofd;
- if (nfd < rfd)
- nfd = rfd;
-
- while (1) {
- FD_ZERO(&rfds);
- FD_ZERO(&wfds);
- if (irh > irt)
- FD_SET(rfd, &wfds);
- if (irh < (ibuff + RELAY_BUFSZ))
- FD_SET(ifd, &rfds);
- if (iwh > iwt)
- FD_SET(ofd, &wfds);
- if (iwh < (obuff + RELAY_BUFSZ))
- FD_SET(rfd, &rfds);
-
- switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL)))
- {
- case -1 :
- case 0 :
- return -1;
- default :
- if (FD_ISSET(ifd, &rfds)) {
- rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- irh += rw;
- n--;
- }
- if (n && FD_ISSET(ofd, &wfds)) {
- rw = write(ofd, iwt, iwh - iwt);
- if (rw == -1)
- return -1;
- iwt += rw;
- n--;
- }
- if (n && FD_ISSET(rfd, &rfds)) {
- rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh);
- if (rw == -1)
- return -1;
- if (rw == 0)
- return 0;
- iwh += rw;
- n--;
- }
- if (n && FD_ISSET(rfd, &wfds)) {
- rw = write(rfd, irt, irh - irt);
- if (rw == -1)
- return -1;
- irt += rw;
- n--;
- }
- if (irh == irt)
- irh = irt = ibuff;
- if (iwh == iwt)
- iwh = iwt = obuff;
- }
- }
-}
-
-main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin;
- ipfobj_t obj;
- natlookup_t nl;
- natlookup_t *nlp = &nl;
- int fd, sl = sizeof(sl), se;
-
- openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
- if ((fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
- se = errno;
- perror("open");
- errno = se;
- syslog(LOG_ERR, "open: %m\n");
- exit(-1);
- }
-
- bzero(&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(nl);
- obj.ipfo_ptr = &nl;
- obj.ipfo_type = IPFOBJ_NATLOOKUP;
-
- bzero(&nl, sizeof(nl));
- nl.nl_flags = IPN_TCP;
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getsockname");
- errno = se;
- syslog(LOG_ERR, "getsockname: %m\n");
- exit(-1);
- } else {
- nl.nl_inip.s_addr = sin.sin_addr.s_addr;
- nl.nl_inport = sin.sin_port;
- }
-
- bzero(&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sl = sizeof(sin);
- if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) {
- se = errno;
- perror("getpeername");
- errno = se;
- syslog(LOG_ERR, "getpeername: %m\n");
- exit(-1);
- } else {
- nl.nl_outip.s_addr = sin.sin_addr.s_addr;
- nl.nl_outport = sin.sin_port;
- }
-
- if (ioctl(fd, SIOCGNATL, &obj) == -1) {
- se = errno;
- perror("ioctl");
- errno = se;
- syslog(LOG_ERR, "ioctl: %m\n");
- exit(-1);
- }
-
- sin.sin_port = nl.nl_realport;
- sin.sin_addr = nl.nl_realip;
- sl = sizeof(sin);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (connect(fd, (struct sockaddr *)&sin, sl) == -1) {
- se = errno;
- perror("connect");
- errno = se;
- syslog(LOG_ERR, "connect: %m\n");
- exit(-1);
- }
-
- (void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
- (void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK);
-
- syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr),
- ntohs(sin.sin_port));
- if (relay(0, 1, fd) == -1) {
- se = errno;
- perror("relay");
- errno = se;
- syslog(LOG_ERR, "relay: %m\n");
- exit(-1);
- }
- exit(0);
-}
diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c
deleted file mode 100644
index dbfeac6..0000000
--- a/contrib/ipfilter/samples/userauth.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ip_auth.h"
-
-extern int errno;
-
-main()
-{
- struct frauth fra;
- struct frauth *frap = &fra;
- fr_info_t *fin = &fra.fra_info;
- fr_ip_t *fi = &fin->fin_fi;
- char yn[16];
- int fd;
-
- fd = open(IPL_NAME, O_RDWR);
- fra.fra_len = 0;
- fra.fra_buf = NULL;
- while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
- if (fra.fra_info.fin_out)
- fra.fra_pass = FR_OUTQUE;
- else
- fra.fra_pass = FR_INQUE;
-
- printf("%s ", inet_ntoa(fi->fi_src));
- if (fi->fi_flx & FI_TCPUDP)
- printf("port %d ", fin->fin_data[0]);
- printf("-> %s ", inet_ntoa(fi->fi_dst));
- if (fi->fi_flx & FI_TCPUDP)
- printf("port %d ", fin->fin_data[1]);
- printf("\n");
- printf("Allow packet through ? [y/n]");
- fflush(stdout);
- if (!fgets(yn, sizeof(yn), stdin))
- break;
- fflush(stdin);
- if (yn[0] == 'n' || yn[0] == 'N')
- fra.fra_pass |= FR_BLOCK;
- else if (yn[0] == 'y' || yn[0] == 'Y') {
- fra.fra_pass |= FR_PASS;
- if (fra.fra_info.fin_fi.fi_flx & FI_TCPUDP)
- fra.fra_pass |= FR_KEEPSTATE;
- } else
- fra.fra_pass |= FR_NOMATCH;
- printf("answer = %c (%x), id %d idx %d\n", yn[0],
- fra.fra_pass, fra.fra_info.fin_id, fra.fra_index);
- if (ioctl(fd, SIOCAUTHR, &frap) != 0)
- perror("SIOCAUTHR");
- }
- fprintf(stderr, "errno=%d \n", errno);
- perror("frauth-SIOCAUTHW");
-}
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
deleted file mode 100644
index 8fa6f7e..0000000
--- a/contrib/ipfilter/snoop.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#ifndef __SNOOP_H__
-#define __SNOOP_H__
-
-/*
- * written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 2.3 2001/06/09 17:09:23 darrenr Exp $
- */
-struct snoophdr {
- char s_id[8];
- int s_v;
- int s_type;
-};
-
-#define SNOOP_VERSION 2
-
-#define SDL_8023 0
-#define SDL_8024 1
-#define SDL_8025 2
-#define SDL_8026 3
-#define SDL_ETHER 4
-#define SDL_HDLC 5
-#define SDL_CHSYNC 6
-#define SDL_IBMCC 7
-#define SDL_FDDI 8
-#define SDL_OTHER 9
-
-#define SDL_MAX 9
-
-
-struct snooppkt {
- int sp_olen;
- int sp_ilen;
- int sp_plen;
- int sp_drop;
- int sp_sec;
- int sp_usec;
-};
-
-#endif /* __SNOOP_H__ */
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
deleted file mode 100644
index aa139d3..0000000
--- a/contrib/ipfilter/solaris.c
+++ /dev/null
@@ -1,2131 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $"
-
-#include <sys/systm.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/buf.h>
-#include <sys/modctl.h>
-#include <sys/open.h>
-#include <sys/kmem.h>
-#include <sys/conf.h>
-#include <sys/cmn_err.h>
-#include <sys/stat.h>
-#include <sys/cred.h>
-#include <sys/dditypes.h>
-#include <sys/stream.h>
-#include <sys/poll.h>
-#include <sys/autoconf.h>
-#include <sys/byteorder.h>
-#include <sys/socket.h>
-#include <sys/dlpi.h>
-#include <sys/stropts.h>
-#include <sys/sockio.h>
-#include <net/if.h>
-#if SOLARIS2 >= 6
-# include <net/if_types.h>
-#endif
-#include <net/af.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/if_ether.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include <sys/ddi.h>
-#include <sys/sunddi.h>
-#include "ip_compat.h"
-#include "ipl.h"
-#include "ip_fil.h"
-#include "ip_nat.h"
-#include "ip_state.h"
-
-
-char _depends_on[] = "drv/ip";
-
-
-void solipdrvattach __P((void));
-int solipdrvdetach __P((void));
-
-void solattach __P((void));
-int soldetach __P((void));
-
-extern struct filterstats frstats[];
-extern KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_nat, ipf_solaris;
-extern kmutex_t ipf_rw;
-extern int fr_running;
-extern int fr_flags;
-
-extern ipnat_t *nat_list;
-
-static qif_t *qif_head = NULL;
-static int ipf_getinfo __P((dev_info_t *, ddi_info_cmd_t,
- void *, void **));
-static int ipf_probe __P((dev_info_t *));
-static int ipf_identify __P((dev_info_t *));
-static int ipf_attach __P((dev_info_t *, ddi_attach_cmd_t));
-static int ipf_detach __P((dev_info_t *, ddi_detach_cmd_t));
-static qif_t *qif_from_queue __P((queue_t *));
-static void fr_donotip __P((int, qif_t *, queue_t *, mblk_t *,
- mblk_t *, ip_t *, size_t));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL;
-
-
-#if SOLARIS2 >= 7
-extern void ipfr_slowtimer __P((void *));
-timeout_id_t ipfr_timer_id;
-static timeout_id_t synctimeoutid = 0;
-#else
-extern void ipfr_slowtimer __P((void));
-int ipfr_timer_id;
-static int synctimeoutid = 0;
-#endif
-int ipf_debug = 0;
-int ipf_debug_verbose = 0;
-
-/* #undef IPFDEBUG 1 */
-/* #undef IPFDEBUG_VERBOSE 1 */
-#ifdef IPFDEBUG
-void printire __P((ire_t *));
-#endif
-#define isdigit(x) ((x) >= '0' && (x) <= '9')
-
-static int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int));
-
-
-static struct cb_ops ipf_cb_ops = {
- iplopen,
- iplclose,
- nodev, /* strategy */
- nodev, /* print */
- nodev, /* dump */
- iplread,
- nodev, /* write */
- iplioctl, /* ioctl */
- nodev, /* devmap */
- nodev, /* mmap */
- nodev, /* segmap */
- nochpoll, /* poll */
- ddi_prop_op,
- NULL,
- D_MTSAFE,
-#if SOLARIS2 > 4
- CB_REV,
- nodev, /* aread */
- nodev, /* awrite */
-#endif
-};
-
-static struct dev_ops ipf_ops = {
- DEVO_REV,
- 0,
- ipf_getinfo,
- ipf_identify,
- ipf_probe,
- ipf_attach,
- ipf_detach,
- nodev, /* reset */
- &ipf_cb_ops,
- (struct bus_ops *)0
-};
-
-extern struct mod_ops mod_driverops;
-static struct modldrv iplmod = {
- &mod_driverops, IPL_VERSION, &ipf_ops };
-static struct modlinkage modlink1 = { MODREV_1, &iplmod, NULL };
-
-#if SOLARIS2 >= 6
-static size_t hdrsizes[57][2] = {
- { 0, 0 },
- { IFT_OTHER, 0 },
- { IFT_1822, 14 }, /* 14 for ire0 ?? */
- { IFT_HDH1822, 0 },
- { IFT_X25DDN, 0 },
- { IFT_X25, 0 },
- { IFT_ETHER, 14 },
- { IFT_ISO88023, 14 },
- { IFT_ISO88024, 0 },
- { IFT_ISO88025, 0 },
- { IFT_ISO88026, 0 },
- { IFT_STARLAN, 0 },
- { IFT_P10, 0 },
- { IFT_P80, 0 },
- { IFT_HY, 0 },
- { IFT_FDDI, 24 },
- { IFT_LAPB, 0 },
- { IFT_SDLC, 0 },
- { IFT_T1, 0 },
- { IFT_CEPT, 0 },
- { IFT_ISDNBASIC, 0 },
- { IFT_ISDNPRIMARY, 0 },
- { IFT_PTPSERIAL, 0 },
- { IFT_PPP, 0 },
- { IFT_LOOP, 0 },
- { IFT_EON, 0 },
- { IFT_XETHER, 0 },
- { IFT_NSIP, 0 },
- { IFT_SLIP, 0 },
- { IFT_ULTRA, 0 },
- { IFT_DS3, 0 },
- { IFT_SIP, 0 },
- { IFT_FRELAY, 0 },
- { IFT_RS232, 0 },
- { IFT_PARA, 0 },
- { IFT_ARCNET, 0 },
- { IFT_ARCNETPLUS, 0 },
- { IFT_ATM, 0 },
- { IFT_MIOX25, 0 },
- { IFT_SONET, 0 },
- { IFT_X25PLE, 0 },
- { IFT_ISO88022LLC, 0 },
- { IFT_LOCALTALK, 0 },
- { IFT_SMDSDXI, 0 },
- { IFT_FRELAYDCE, 0 },
- { IFT_V35, 0 },
- { IFT_HSSI, 0 },
- { IFT_HIPPI, 0 },
- { IFT_MODEM, 0 },
- { IFT_AAL5, 0 },
- { IFT_SONETPATH, 0 },
- { IFT_SONETVT, 0 },
- { IFT_SMDSICIP, 0 },
- { IFT_PROPVIRTUAL, 0 },
- { IFT_PROPMUX, 0 },
-};
-#endif /* SOLARIS2 >= 6 */
-
-static dev_info_t *ipf_dev_info = NULL;
-
-
-int _init()
-{
- int ipfinst;
-
- ipfinst = mod_install(&modlink1);
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
-#endif
- return ipfinst;
-}
-
-
-int _fini(void)
-{
- int ipfinst;
-
- ipfinst = mod_remove(&modlink1);
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
-#endif
- return ipfinst;
-}
-
-
-int _info(modinfop)
-struct modinfo *modinfop;
-{
- int ipfinst;
-
- ipfinst = mod_info(&modlink1, modinfop);
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x",
- modinfop, ipfinst);
-#endif
- if (fr_running > 0)
- ipfsync();
- return ipfinst;
-}
-
-
-static int ipf_probe(dip)
-dev_info_t *dip;
-{
- if (fr_running < 0)
- return DDI_PROBE_FAILURE;
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: ipf_probe(%x)", dip);
-#endif
- return DDI_PROBE_SUCCESS;
-}
-
-
-static int ipf_identify(dip)
-dev_info_t *dip;
-{
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip);
-#endif
- if (strcmp(ddi_get_name(dip), "ipf") == 0)
- return (DDI_IDENTIFIED);
- return (DDI_NOT_IDENTIFIED);
-}
-
-
-static void ipf_ire_walk(ire, arg)
-ire_t *ire;
-void *arg;
-{
- qif_t *qif = arg;
-
- if ((ire->ire_type == IRE_CACHE) &&
-#if SOLARIS2 >= 6
- (ire->ire_ipif != NULL) &&
- (ire->ire_ipif->ipif_ill == qif->qf_ill)
-#else
- (ire_to_ill(ire) == qif->qf_ill)
-#endif
- ) {
-#if SOLARIS2 >= 8
- mblk_t *m = ire->ire_fp_mp;
-#else
- mblk_t *m = ire->ire_ll_hdr_mp;
-#endif
- if (m != NULL)
- qif->qf_hl = m->b_wptr - m->b_rptr;
- }
-}
-
-
-static int ipf_attach(dip, cmd)
-dev_info_t *dip;
-ddi_attach_cmd_t cmd;
-{
-#ifdef IPFDEBUG
- int instance;
-
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd);
-#endif
- switch (cmd) {
- case DDI_ATTACH:
- if (fr_running < 0)
- break;
-#ifdef IPFDEBUG
- instance = ddi_get_instance(dip);
-
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance);
-#endif
- if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
- DDI_PSEUDO, 0) == DDI_FAILURE) {
- ddi_remove_minor_node(dip, NULL);
- goto attach_failed;
- }
- if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT,
- DDI_PSEUDO, 0) == DDI_FAILURE) {
- ddi_remove_minor_node(dip, NULL);
- goto attach_failed;
- }
- if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE,
- DDI_PSEUDO, 0) == DDI_FAILURE) {
- ddi_remove_minor_node(dip, NULL);
- goto attach_failed;
- }
- if (ddi_create_minor_node(dip, "ipauth", S_IFCHR, IPL_LOGAUTH,
- DDI_PSEUDO, 0) == DDI_FAILURE) {
- ddi_remove_minor_node(dip, NULL);
- goto attach_failed;
- }
- ipf_dev_info = dip;
- sync();
- /*
- * Initialize mutex's
- */
- if (iplattach() == -1)
- goto attach_failed;
- /*
- * Lock people out while we set things up.
- */
- WRITE_ENTER(&ipf_solaris);
- solattach();
- solipdrvattach();
- RWLOCK_EXIT(&ipf_solaris);
- cmn_err(CE_CONT, "%s, attaching complete.\n",
- ipfilter_version);
- sync();
- if (fr_running == 0)
- fr_running = 1;
- if (ipfr_timer_id == 0)
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL,
- drv_usectohz(500000));
- if (fr_running == 1)
- return DDI_SUCCESS;
-#if SOLARIS2 >= 8
- case DDI_RESUME :
- case DDI_PM_RESUME :
- if (ipfr_timer_id == 0)
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL,
- drv_usectohz(500000));
- return DDI_SUCCESS;
-#endif
- default:
- return DDI_FAILURE;
- }
-
-attach_failed:
- cmn_err(CE_NOTE, "IP Filter: failed to attach\n");
- /*
- * Use our own detach routine to toss
- * away any stuff we allocated above.
- */
- (void) ipf_detach(dip, DDI_DETACH);
- return DDI_FAILURE;
-}
-
-
-static int ipf_detach(dip, cmd)
-dev_info_t *dip;
-ddi_detach_cmd_t cmd;
-{
- int i;
-
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd);
-#endif
- switch (cmd) {
- case DDI_DETACH:
- if (fr_running <= 0)
- break;
- /*
- * Make sure we're the only one's modifying things. With
- * this lock others should just fall out of the loop.
- */
- mutex_enter(&ipf_rw);
- if (ipfr_timer_id != 0) {
- untimeout(ipfr_timer_id);
- ipfr_timer_id = 0;
- }
- mutex_exit(&ipf_rw);
- WRITE_ENTER(&ipf_solaris);
- mutex_enter(&ipf_rw);
- if (fr_running <= 0) {
- mutex_exit(&ipf_rw);
- return DDI_FAILURE;
- }
- fr_running = -1;
- mutex_exit(&ipf_rw);
- /* NOTE: ipf_solaris rwlock is released in ipldetach */
-
- /*
- * Undo what we did in ipf_attach, freeing resources
- * and removing things we installed. The system
- * framework guarantees we are not active with this devinfo
- * node in any other entry points at this time.
- */
- ddi_prop_remove_all(dip);
- i = ddi_get_instance(dip);
- ddi_remove_minor_node(dip, NULL);
- sync();
- i = solipdrvdetach();
- if (i > 0) {
- cmn_err(CE_CONT, "IP Filter: still attached (%d)\n", i);
- return DDI_FAILURE;
- }
- if (!soldetach()) {
- cmn_err(CE_CONT, "%s detached\n", ipfilter_version);
- return (DDI_SUCCESS);
- }
-#if SOLARIS2 >= 8
- case DDI_SUSPEND :
- case DDI_PM_SUSPEND :
- if (ipfr_timer_id != 0) {
- untimeout(ipfr_timer_id);
- ipfr_timer_id = 0;
- }
- if (synctimeoutid) {
- untimeout(synctimeoutid);
- synctimeoutid = 0;
- }
- return DDI_SUCCESS;
-#endif
- default:
- return (DDI_FAILURE);
- }
- return DDI_FAILURE;
-}
-
-
-static int ipf_getinfo(dip, infocmd, arg, result)
-dev_info_t *dip;
-ddi_info_cmd_t infocmd;
-void *arg, **result;
-{
- int error;
-
- if (fr_running <= 0)
- return DDI_FAILURE;
- error = DDI_FAILURE;
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)",
- dip, infocmd, arg);
-#endif
- switch (infocmd) {
- case DDI_INFO_DEVT2DEVINFO:
- *result = ipf_dev_info;
- error = DDI_SUCCESS;
- break;
- case DDI_INFO_DEVT2INSTANCE:
- *result = (void *)getminor((dev_t) arg);
- error = DDI_SUCCESS;
- break;
- default:
- break;
- }
- return (error);
-}
-
-/*
- * find the filter structure setup for this queue
- */
-static qif_t *qif_from_queue(q)
-queue_t *q;
-{
- qif_t *qif;
-
- for (qif = qif_head; qif; qif = qif->qf_next)
- if ((qif->qf_iptr == q->q_ptr) || (qif->qf_optr == q->q_ptr))
- break;
- return qif;
-}
-
-
-/*
- * OK, this is pretty scrappy code, but then it's essentially just here for
- * debug purposes and that's it. Packets should not normally come through
- * here, and if they do, well, we would like to see as much information as
- * possible about them and what they claim to hold.
- */
-void fr_donotip(out, qif, q, m, mt, ip, off)
-int out;
-qif_t *qif;
-queue_t *q;
-mblk_t *m, *mt;
-ip_t *ip;
-size_t off;
-{
- u_char *s, outb[256], *t;
- int i;
-
- outb[0] = '\0';
- outb[1] = '\0';
- outb[2] = '\0';
- outb[3] = '\0';
- s = ip ? (u_char *)ip : outb;
- if (!ip && (m == mt) && m->b_cont && (MTYPE(m) != M_DATA))
- m = m->b_cont;
-
- cmn_err(CE_CONT, " !IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n",
- qif ? qif->qf_name : "?", out, qif ? qif->qf_hl : -1, q,
- q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL,
- mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr,
- m->b_wptr - m->b_rptr, off, ip);
- cmn_err(CE_CONT, "%02x%02x%02x%02x\n", *s, *(s+1), *(s+2), *(s+3));
- while (m != mt) {
- i = 0;
- t = outb;
- s = mt->b_rptr;
- sprintf((char *)t, "%d:", MTYPE(mt));
- t += strlen((char *)t);
- for (; (i < 100) && (s < mt->b_wptr); i++) {
- sprintf((char *)t, "%02x%s", *s++,
- ((i & 3) == 3) ? " " : "");
- t += ((i & 3) == 3) ? 3 : 2;
- }
- *t++ = '\n';
- *t = '\0';
- cmn_err(CE_CONT, "%s", outb);
- mt = mt->b_cont;
- }
- i = 0;
- t = outb;
- s = m->b_rptr;
- sprintf((char *)t, "%d:", MTYPE(m));
- t += strlen((char *)t);
- for (; (i < 100) && (s < m->b_wptr); i++) {
- sprintf((char *)t, "%02x%s", *s++, ((i & 3) == 3) ? " " : "");
- t += ((i & 3) == 3) ? 3 : 2;
- }
- *t++ = '\n';
- *t = '\0';
- cmn_err(CE_CONT, "%s", outb);
-}
-
-
-/*
- * find the first data mblk, if present, in the chain we're processing. Also
- * make a few sanity checks to try prevent the filter from causing a panic -
- * none of the nice IP sanity checks (including checksumming) should have been
- * done yet (for incoming packets) - dangerous!
- */
-static int fr_precheck(mp, q, qif, out)
-mblk_t **mp;
-queue_t *q;
-qif_t *qif;
-int out;
-{
- register mblk_t *m, *mt = *mp;
- register ip_t *ip;
- size_t hlen, len, off, off2, mlen, iphlen, plen, woff;
- int err, synced = 0, sap, p, realigned = 0, multi = 0;
- u_char *bp;
-#if SOLARIS2 >= 8
- ip6_t *ip6;
-#endif
-#ifndef sparc
- u_short __ipoff;
-#endif
-tryagain:
- ip = NULL;
- m = NULL;
- /*
- * If there is only M_DATA for a packet going out, then any header
- * information (which would otherwise appear in an M_PROTO mblk before
- * the M_DATA) is prepended before the IP header. We need to set the
- * offset to account for this. - see MMM
- */
- off = (out) ? qif->qf_hl : 0;
-
- /*
- * If the message protocol block indicates that there isn't a data
- * block following it, just return back.
- */
- bp = (u_char *)ALIGN32(mt->b_rptr);
- if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) {
- dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
- if (dl->dl_primitive == DL_UNITDATA_IND) {
- multi = dl->dl_group_address;
- m = mt->b_cont;
- /*
- * This is a complete kludge to try and work around
- * some bizarre packets which drop through into
- * fr_donotip.
- */
- if (m && multi && ((*((u_char *)m->b_rptr) == 0x0) &&
- ((*((u_char *)m->b_rptr + 2) == 0x45)))) {
- ip = (ip_t *)(m->b_rptr + 2);
- off = 2;
- } else
- off = 0;
- } else if (dl->dl_primitive != DL_UNITDATA_REQ) {
- ip = (ip_t *)dl;
- if ((ip->ip_v == IPVERSION) &&
- (ip->ip_hl == (sizeof(*ip) >> 2)) &&
- (ntohs(ip->ip_len) == mt->b_wptr - mt->b_rptr)) {
- off = 0;
- m = mt;
- } else {
- frstats[out].fr_notdata++;
- return 0;
- }
- }
- }
-
- /*
- * Find the first data block, count the data blocks in this chain and
- * the total amount of data.
- */
- if (ip == NULL)
- for (m = mt; m && (MTYPE(m) != M_DATA); m = m->b_cont)
- off = 0; /* Any non-M_DATA cancels the offset */
-
- if (!m) {
- frstats[out].fr_nodata++;
- return 0; /* No data blocks */
- }
-
- ip = (ip_t *)(m->b_rptr + off); /* MMM */
-
- /*
- * We might have a 1st data block which is really M_PROTO, i.e. it is
- * only big enough for the link layer header
- */
- while ((u_char *)ip >= m->b_wptr) {
- len = (u_char *)ip - m->b_wptr;
- m = m->b_cont;
- if (m == NULL)
- return 0; /* not enough data for IP */
- ip = (ip_t *)(m->b_rptr + len);
- }
- off = (u_char *)ip - m->b_rptr;
- if (off != 0)
- m->b_rptr = (u_char *)ip;
-
- len = m->b_wptr - m->b_rptr;
- if (m->b_wptr < m->b_rptr) {
- cmn_err(CE_NOTE, "!IP Filter: Bad packet: wptr %p < rptr %p",
- m->b_wptr, m->b_rptr);
- frstats[out].fr_bad++;
- return -1;
- }
-
- mlen = msgdsize(m);
- sap = qif->qf_ill->ill_sap;
-
- if (sap == 0x800) {
- u_short tlen;
-
- hlen = sizeof(*ip);
-
- /* XXX - might not be aligned (from ppp?) */
- ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
- ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
-
- plen = ntohs(tlen);
-
- sap = 0;
- }
-#if SOLARIS2 >= 8
- else if (sap == IP6_DL_SAP) {
- u_short tlen;
-
- hlen = sizeof(ip6_t);
- ip6 = (ip6_t *)ip;
- /* XXX - might not be aligned (from ppp?) */
- ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];
- ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];
- plen = ntohs(tlen);
- if (!plen)
- return -1; /* Jumbo gram */
- plen += sizeof(*ip6);
- }
-#endif
- else {
- plen = 0;
- hlen = 0;
- sap = -1;
- }
-
- /*
- * Ok, the IP header isn't on a 32bit aligned address so junk it.
- */
- if (((u_long)ip & 0x3) || (plen > mlen) || (len < hlen) ||
- (sap == -1)) {
- mblk_t *m1, *m2;
- u_char *s, c;
- int v;
-
- /*
- * Junk using pullupmsg - it's next to useless.
- */
-fixalign:
- if (off)
- m->b_rptr -= off;
- c = *(u_char *)ip;
- c >>= 4;
- if (c != 4
-#if SOLARIS2 >= 8
- && c != 6
-#endif
- ) {
- frstats[out].fr_notip++;
- return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
- }
-
- if (realigned)
- return -1;
- realigned = 1;
- off2 = (size_t)((u_long)ip & 0x3);
- if (off2)
- off2 = 4 - off2;
- len = msgdsize(m);
- m2 = allocb(len + off2, BPRI_HI);
- if (m2 == NULL) {
- frstats[out].fr_pull[1]++;
- return -1;
- }
-
- MTYPE(m2) = M_DATA;
- if (m->b_rptr != (u_char *)ip)
- m2->b_rptr += off2;
- m2->b_wptr = m2->b_rptr + len;
- m1 = m;
- s = (u_char *)m->b_rptr;
- for (bp = m2->b_rptr; m1 && (bp < m2->b_wptr); bp += len) {
- len = MIN(m1->b_wptr - s, m2->b_wptr - bp);
- bcopy(s, bp, len);
- m1 = m1->b_cont;
- if (m1)
- s = m1->b_rptr;
- }
-
- if (mt != m && mt->b_cont == m && !off) {
- /*
- * check if the buffer we're changing is chained in-
- * between other buffers and unlink/relink as required.
- */
- (void) unlinkb(mt); /* should return 'm' */
- m1 = unlinkb(m);
- if (m1)
- linkb(m2, m1);
- freemsg(m);
- linkb(mt, m2);
- } else {
- if (m == mt) {
- m1 = unlinkb(mt);
- if (m1)
- linkb(m2, m1);
- }
- freemsg(mt);
- *mp = m2;
- mt = m2;
- }
-
- frstats[out].fr_pull[0]++;
- synced = 1;
- off = 0;
- goto tryagain;
- }
-
- if (((sap == 0) && (ip->ip_v != IP_VERSION))
-#if SOLARIS2 >= 8
- || ((sap == IP6_DL_SAP) && ((ip6->ip6_vfc >> 4) != 6))
-#endif
- ) {
- m->b_rptr -= off;
- return -2;
- }
-
-#ifndef sparc
-# if SOLARIS2 >= 8
- if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = plen - sizeof(*ip6);
- } else {
-# endif
- __ipoff = (u_short)ip->ip_off;
-
- ip->ip_len = plen;
- ip->ip_off = ntohs(__ipoff);
-# if SOLARIS2 >= 8
- }
-# endif
-#endif
- if (sap == 0)
- iphlen = ip->ip_hl << 2;
-#if SOLARIS2 >= 8
- else if (sap == IP6_DL_SAP)
- iphlen = sizeof(ip6_t);
-#endif
-
- if ((
-#if SOLARIS2 >= 8
- (sap == IP6_DL_SAP) && (mlen < plen)) ||
- ((sap == 0) &&
-#endif
- ((iphlen < hlen) || (iphlen > plen) || (mlen < plen)))) {
- /*
- * Bad IP packet or not enough data/data length mismatches
- */
-#ifndef sparc
-# if SOLARIS2 >= 8
- if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = htons(plen - sizeof(*ip6));
- } else {
-# endif
- __ipoff = (u_short)ip->ip_off;
-
- ip->ip_len = htons(plen);
- ip->ip_off = htons(__ipoff);
-# if SOLARIS2 >= 8
- }
-# endif
-#endif
- m->b_rptr -= off;
- frstats[out].fr_bad++;
- return -1;
- }
-
- /*
- * Make hlen the total size of the IP header plus TCP/UDP/ICMP header
- * (if it is one of these three).
- */
- if (sap == 0)
- p = ip->ip_p;
-#if SOLARIS2 >= 8
- else if (sap == IP6_DL_SAP)
- p = ip6->ip6_nxt;
-
- if ((sap == IP6_DL_SAP) || ((ip->ip_off & IP_OFFMASK) == 0))
-#else
- if ((ip->ip_off & IP_OFFMASK) == 0)
-#endif
- switch (p)
- {
- case IPPROTO_TCP :
- hlen += sizeof(tcphdr_t);
- break;
- case IPPROTO_UDP :
- hlen += sizeof(udphdr_t);
- break;
- case IPPROTO_ICMP :
- /* 76 bytes is enough for a complete ICMP error. */
- hlen += 76 + sizeof(icmphdr_t);
- break;
- default :
- break;
- }
-
- woff = 0;
- if (hlen > mlen) {
- hlen = mlen;
- } else if (m->b_wptr - m->b_rptr > plen) {
- woff = m->b_wptr - m->b_rptr - plen;
- m->b_wptr -= woff;
- }
-
- /*
- * If we don't have enough data in the mblk or we haven't yet copied
- * enough (above), then copy some more.
- */
- if ((hlen > len)) {
- if (!pullupmsg(m, (int)hlen)) {
- cmn_err(CE_NOTE, "pullupmsg failed");
- frstats[out].fr_pull[1]++;
- return -1;
- }
- frstats[out].fr_pull[0]++;
- ip = (ip_t *)ALIGN32(m->b_rptr);
- }
- qif->qf_m = m;
- qif->qf_q = q;
- qif->qf_off = off;
- qif->qf_len = len;
- err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp);
- if (err == 2) {
- goto fixalign;
- }
- /*
- * Copy back the ip header data if it was changed, we haven't yet
- * freed the message and we aren't going to drop the packet.
- * BUT only do this if there were no changes to the buffer, else
- * we can't be sure that the ip pointer is still correct!
- */
- if (*mp != NULL) {
- if (*mp == mt) {
- m->b_wptr += woff;
- m->b_rptr -= off;
-#ifndef sparc
-# if SOLARIS2 >= 8
- if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = htons(plen - sizeof(*ip6));
- } else {
-# endif
- __ipoff = (u_short)ip->ip_off;
- /*
- * plen is useless because of NAT.
- */
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(__ipoff);
-# if SOLARIS2 >= 8
- }
-# endif
-#endif
- } else
- cmn_err(CE_NOTE,
- "!IP Filter: *mp %p mt %p %s", *mp, mt,
- "mblk changed, cannot revert ip_len, ip_off");
- }
- return err;
-}
-
-
-/*
- * Only called for M_IOCACK messages
- */
-void fr_qif_update(qif, mp)
-qif_t *qif;
-mblk_t *mp;
-{
- struct iocblk *iocp;
-
- if (!qif || !mp)
- return;
- iocp = (struct iocblk *)mp->b_rptr;
- if (mp->b_cont && (iocp->ioc_cmd == DL_IOC_HDR_INFO)) {
- mp = mp->b_cont;
- if (MTYPE(mp) == M_PROTO && mp->b_cont) {
- mp = mp->b_cont;
- if (MTYPE(mp) == M_DATA) {
- qif->qf_hl = mp->b_wptr - mp->b_rptr;
- }
- }
- }
-}
-
-
-int fr_qin(q, mb)
-queue_t *q;
-mblk_t *mb;
-{
- int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
- qif_t qf, *qif;
-
-#ifdef IPFDEBUG_VERBOSE
- if (ipf_debug_verbose)
- cmn_err(CE_CONT,
- "fr_qin(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
- q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
- msgdsize(mb));
-#endif
-
- /*
- * IPFilter is still in the packet path but not enabled. Drop whatever
- * it is that has come through.
- */
- if (fr_running <= 0) {
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
-
- type = MTYPE(mb);
-
- /*
- * If a mblk has more than one reference, make a copy, filter that and
- * free a reference to the original.
- */
- if (mb->b_datap->db_ref > 1) {
- mblk_t *m1;
-
- m1 = copymsg(mb);
- if (!m1) {
- frstats[0].fr_drop++;
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
- mb->b_prev = NULL;
- freemsg(mb);
- mb = m1;
- frstats[0].fr_copy++;
- }
-
- READ_ENTER(&ipf_solaris);
-again:
- if (fr_running <= 0) {
- mb->b_prev = NULL;
- freemsg(mb);
- RWLOCK_EXIT(&ipf_solaris);
- return 0;
- }
- READ_ENTER(&ipfs_mutex);
- if (!(qif = qif_from_queue(q))) {
- for (qif = qif_head; qif; qif = qif->qf_next)
- if (&qif->qf_rqinit == q->q_qinfo && qif->qf_rqinfo &&
- qif->qf_rqinfo->qi_putp) {
- pnext = qif->qf_rqinfo->qi_putp;
- frstats[0].fr_notip++;
- RWLOCK_EXIT(&ipfs_mutex);
- if (!synced) {
- ipfsync();
- synced = 1;
- goto again;
- }
- RWLOCK_EXIT(&ipf_solaris);
- /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */
- return (*pnext)(q, mb);
- }
- RWLOCK_EXIT(&ipfs_mutex);
- if (!synced) {
- ipfsync();
- synced = 1;
- goto again;
- }
- cmn_err(CE_WARN,
- "!IP Filter: dropped: fr_qin(%x,%x): type %x qif %x",
- q, mb, type, qif);
- cmn_err(CE_CONT,
- "!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
- q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
- q->q_nbsrv);
- cmn_err(CE_CONT, "!IP Filter: info: putp %x srvp %x info %x\n",
- q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp,
-#if SOLARIS > 3
- q->q_qinfo->qi_infop
-#else
- 0
-#endif
- );
- frstats[0].fr_drop++;
- mb->b_prev = NULL;
- freemsg(mb);
- RWLOCK_EXIT(&ipf_solaris);
- return 0;
- }
-
- qif->qf_incnt++;
- pnext = qif->qf_rqinfo->qi_putp;
- if (type == M_IOCACK)
- fr_qif_update(qif, mb);
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, &qf, 0);
-
- RWLOCK_EXIT(&ipfs_mutex);
-
- if ((err == 0) && (mb != NULL)) {
- if (pnext) {
- RWLOCK_EXIT(&ipf_solaris);
- return (*pnext)(q, mb);
- }
-
- cmn_err(CE_WARN,
- "!IP Filter: inp NULL: qif %x %s q %x info %x",
- qif, qf.qf_name, q, q->q_qinfo);
- }
-
- if (err == -2) {
- if (synced == 0) {
- ipfsync();
- synced = 1;
- goto again;
- }
- frstats[0].fr_notip++;
- if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
- RWLOCK_EXIT(&ipf_solaris);
- return (*pnext)(q, mb);
- }
- }
-
-
- if (mb) {
- mb->b_prev = NULL;
- freemsg(mb);
- }
- RWLOCK_EXIT(&ipf_solaris);
- return 1;
-}
-
-
-int fr_qout(q, mb)
-queue_t *q;
-mblk_t *mb;
-{
- int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0;
- qif_t qf, *qif;
-
-#ifdef IPFDEBUG_VERBOSE
- if (ipf_debug_verbose)
- cmn_err(CE_CONT,
- "fr_qout(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n",
- q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref,
- msgdsize(mb));
-#endif
-
- if (fr_running <= 0) {
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
-
- type = MTYPE(mb);
-
-#if SOLARIS2 >= 6
- if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
- (mb->b_datap->db_ref > 1))
-#else
- if (mb->b_datap->db_ref > 1)
-#endif
- {
- mblk_t *m1;
-
- m1 = copymsg(mb);
- if (!m1) {
- frstats[1].fr_drop++;
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
- mb->b_prev = NULL;
- freemsg(mb);
- mb = m1;
- frstats[1].fr_copy++;
- }
-
- READ_ENTER(&ipf_solaris);
-again:
- if (fr_running <= 0) {
- mb->b_prev = NULL;
- freemsg(mb);
- RWLOCK_EXIT(&ipf_solaris);
- return 0;
- }
- READ_ENTER(&ipfs_mutex);
- if (!(qif = qif_from_queue(q))) {
- for (qif = qif_head; qif; qif = qif->qf_next)
- if (&qif->qf_wqinit == q->q_qinfo && qif->qf_wqinfo &&
- qif->qf_wqinfo->qi_putp) {
- pnext = qif->qf_wqinfo->qi_putp;
- RWLOCK_EXIT(&ipfs_mutex);
- frstats[1].fr_notip++;
- if (!synced) {
- ipfsync();
- synced = 1;
- goto again;
- }
- /* fr_donotip(1, NULL, q, mb, mb, NULL, 0); */
- RWLOCK_EXIT(&ipf_solaris);
- return (*pnext)(q, mb);
- }
- RWLOCK_EXIT(&ipfs_mutex);
- if (!synced) {
- ipfsync();
- synced = 1;
- goto again;
- }
- cmn_err(CE_WARN,
- "!IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x",
- q, mb, type, qif);
- cmn_err(CE_CONT,
- "!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n",
- q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv,
- q->q_nbsrv);
- cmn_err(CE_CONT, "!IP Filter: info: putp %x srvp %x info %x\n",
- q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp,
-#if SOLARIS > 3
- q->q_qinfo->qi_infop
-#else
- 0
-#endif
- );
- if (q->q_nfsrv)
- cmn_err(CE_CONT,
- "!IP Filter: nfsrv: info %x next %x ptr %x\n",
- q->q_nfsrv->q_qinfo, q->q_nfsrv->q_next,
- q->q_nfsrv->q_ptr);
- if (q->q_nbsrv)
- cmn_err(CE_CONT,
- "!IP Filter: nbsrv: info %x next %x ptr %x\n",
- q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next,
- q->q_nbsrv->q_ptr);
- frstats[1].fr_drop++;
- mb->b_prev = NULL;
- freemsg(mb);
- RWLOCK_EXIT(&ipf_solaris);
- return 0;
- }
-
- qif->qf_outcnt++;
- pnext = qif->qf_wqinfo->qi_putp;
- if (type == M_IOCACK)
- fr_qif_update(qif, mb);
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, &qf, 1);
-
- RWLOCK_EXIT(&ipfs_mutex);
-
- if ((err == 0) && (mb != NULL)) {
- if (pnext) {
- RWLOCK_EXIT(&ipf_solaris);
- return (*pnext)(q, mb);
- }
-
- cmn_err(CE_WARN,
- "!IP Filter: outp NULL: qif %x %s q %x info %x",
- qif, qf.qf_name, q, q->q_qinfo);
- }
-
- if (err == -2) {
- if (synced == 0) {
- ipfsync();
- synced = 1;
- goto again;
- }
- frstats[1].fr_notip++;
- if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) {
- RWLOCK_EXIT(&ipf_solaris);
- return (*pnext)(q, mb);
- }
- }
-
- if (mb) {
- mb->b_prev = NULL;
- freemsg(mb);
- }
- RWLOCK_EXIT(&ipf_solaris);
- return 1;
-}
-
-
-void ipf_synctimeout(arg)
-void *arg;
-{
- if (fr_running < 0)
- return;
- READ_ENTER(&ipf_solaris);
- ipfsync();
- WRITE_ENTER(&ipfs_mutex);
- synctimeoutid = 0;
- RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
-}
-
-
-static int ipf_ip_qin(q, mb)
-queue_t *q;
-mblk_t *mb;
-{
- struct iocblk *ioc;
- int ret;
-
- if (fr_running <= 0) {
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
-
- if (MTYPE(mb) != M_IOCTL)
- return (*ipf_ip_inp)(q, mb);
-
- READ_ENTER(&ipf_solaris);
- if (fr_running <= 0) {
- RWLOCK_EXIT(&ipf_solaris);
- mb->b_prev = NULL;
- freemsg(mb);
- return 0;
- }
- ioc = (struct iocblk *)mb->b_rptr;
-
- switch (ioc->ioc_cmd)
- {
- case DL_IOC_HDR_INFO:
- fr_qif_update(qif_from_queue(q), mb);
- break;
- case I_LINK:
- case I_UNLINK:
- case SIOCSIFADDR:
- case SIOCSIFFLAGS:
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
- ioc->ioc_cmd);
-#endif
- WRITE_ENTER(&ipfs_mutex);
- if (synctimeoutid == 0) {
- synctimeoutid = timeout(ipf_synctimeout,
- NULL,
- drv_usectohz(1000000) /*1 sec*/
- );
- }
- RWLOCK_EXIT(&ipfs_mutex);
- break;
- default:
- break;
- }
- RWLOCK_EXIT(&ipf_solaris);
- return (*ipf_ip_inp)(q, mb);
-}
-
-static int ipdrvattcnt = 0;
-extern struct streamtab ipinfo;
-
-void solipdrvattach()
-{
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
- ipdrvattcnt, &ipinfo);
-#endif
-
- if (++ipdrvattcnt == 1) {
- if (ipf_ip_inp == NULL) {
- ipf_ip_inp = ipinfo.st_wrinit->qi_putp;
- ipinfo.st_wrinit->qi_putp = ipf_ip_qin;
- }
- }
-}
-
-int solipdrvdetach()
-{
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
- ipdrvattcnt, &ipinfo);
-#endif
-
- WRITE_ENTER(&ipfs_mutex);
- if (--ipdrvattcnt <= 0) {
- if (ipf_ip_inp && (ipinfo.st_wrinit->qi_putp == ipf_ip_qin)) {
- ipinfo.st_wrinit->qi_putp = ipf_ip_inp;
- ipf_ip_inp = NULL;
- }
- if (synctimeoutid) {
- untimeout(synctimeoutid);
- synctimeoutid = 0;
- }
- }
- RWLOCK_EXIT(&ipfs_mutex);
- return ipdrvattcnt;
-}
-
-/*
- * attach the packet filter to each interface that is defined as having an
- * IP address associated with it and save some of the info. for that struct
- * so we're not out of date as soon as the ill disappears - but we must sync
- * to be correct!
- */
-void solattach()
-{
- queue_t *in, *out;
- struct frentry *f;
- qif_t *qif, *qf2;
- ipnat_t *np;
- size_t len;
- ill_t *il;
-
- for (il = ill_g_head; il; il = il->ill_next) {
- in = il->ill_rq;
- if (!in || !il->ill_wq)
- continue;
-
- out = il->ill_wq->q_next;
-
- WRITE_ENTER(&ipfs_mutex);
- /*
- * Look for entry already setup for this device
- */
- for (qif = qif_head; qif; qif = qif->qf_next)
- if (qif->qf_iptr == in->q_ptr &&
- qif->qf_optr == out->q_ptr)
- break;
- if (qif) {
- RWLOCK_EXIT(&ipfs_mutex);
- continue;
- }
-#ifdef IPFDEBUGX
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x",
- il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp,
- out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo);
-#endif
- KMALLOC(qif, qif_t *);
- if (!qif) {
- cmn_err(CE_WARN,
- "IP Filter: malloc(%d) for qif_t failed",
- sizeof(qif_t));
- RWLOCK_EXIT(&ipfs_mutex);
- continue;
- }
-
- if (in->q_qinfo->qi_putp == fr_qin) {
- for (qf2 = qif_head; qf2; qf2 = qf2->qf_next)
- if (&qf2->qf_rqinit == in->q_qinfo) {
- qif->qf_rqinfo = qf2->qf_rqinfo;
- break;
- }
- if (!qf2) {
-#ifdef IPFDEBUGX
- if (ipf_debug)
- cmn_err(CE_WARN,
- "IP Filter: rq:%s put %x qi %x",
- il->ill_name, in->q_qinfo->qi_putp,
- in->q_qinfo);
-#endif
- RWLOCK_EXIT(&ipfs_mutex);
- KFREE(qif);
- continue;
- }
- } else
- qif->qf_rqinfo = in->q_qinfo;
-
- if (out->q_qinfo->qi_putp == fr_qout) {
- for (qf2 = qif_head; qf2; qf2 = qf2->qf_next)
- if (&qf2->qf_wqinit == out->q_qinfo) {
- qif->qf_wqinfo = qf2->qf_wqinfo;
- break;
- }
- if (!qf2) {
-#ifdef IPFDEBUGX
- if (ipf_debug)
- cmn_err(CE_WARN,
- "IP Filter: wq:%s put %x qi %x",
- il->ill_name, out->q_qinfo->qi_putp,
- out->q_qinfo);
-#endif
- RWLOCK_EXIT(&ipfs_mutex);
- KFREE(qif);
- continue;
- }
- } else
- qif->qf_wqinfo = out->q_qinfo;
-
- qif->qf_ill = il;
- qif->qf_in = in;
- qif->qf_out = out;
- qif->qf_iptr = in->q_ptr;
- qif->qf_optr = out->q_ptr;
-#if SOLARIS2 < 8
- qif->qf_hl = il->ill_hdr_length;
-#else
- {
- ire_t *ire;
- mblk_t *m;
-
- qif->qf_hl = 0;
- qif->qf_sap = il->ill_sap;
-# if 0
- /*
- * Can't seem to lookup a route for the IP address on the
- * interface itself.
- */
- ire = ire_route_lookup(il->ill_ipif->ipif_lcl_addr, 0xffffffff,
- 0, 0, NULL, NULL, NULL,
- MATCH_IRE_DSTONLY|MATCH_IRE_RECURSIVE);
- if ((ire != NULL) && (m = ire->ire_fp_mp))
- qif->qf_hl = m->b_wptr - m->b_rptr;
-# endif
- if ((qif->qf_hl == 0) && (il->ill_type > 0) &&
- (il->ill_type < 0x37) &&
- (hdrsizes[il->ill_type][0] == il->ill_type))
- qif->qf_hl = hdrsizes[il->ill_type][1];
-
- /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
- if (il->ill_type == IFT_ETHER &&
- il->ill_name[0] == 'c' && il->ill_name[1] == 'e' &&
- isdigit(il->ill_name[2]) && il->ill_name_length >= 6) {
- cmn_err(CE_NOTE, "VLAN HACK ENABLED");
- qif->qf_hl += 4;
- }
- /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */
-
- if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
- cmn_err(CE_WARN,
- "Unknown layer 2 header size for %s type %d",
- il->ill_name, il->ill_type);
- }
-
- /*
- * XXX Awful hack for PPP; fix when PPP/snoop fixed.
- */
- if (il->ill_type == IFT_ETHER && !il->ill_bcast_addr_length)
- qif->qf_hl = 0;
-#endif
- strncpy(qif->qf_name, il->ill_name, sizeof(qif->qf_name));
- qif->qf_name[sizeof(qif->qf_name) - 1] = '\0';
-
- qif->qf_next = qif_head;
- qif_head = qif;
-
- /*
- * Activate any rules directly associated with this interface
- */
- WRITE_ENTER(&ipf_mutex);
- for (f = ipfilter[0][fr_active]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname) + 1;
- if ((len != 0) &&
- (len == (size_t)il->ill_name_length) &&
- !strncmp(il->ill_name, f->fr_ifname, len))
- f->fr_ifa = il;
- }
- }
- for (f = ipfilter[1][fr_active]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname) + 1;
- if ((len != 0) &&
- (len == (size_t)il->ill_name_length) &&
- !strncmp(il->ill_name, f->fr_ifname, len))
- f->fr_ifa = il;
- }
- }
-#if SOLARIS2 >= 8
- for (f = ipfilter6[0][fr_active]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname) + 1;
- if ((len != 0) &&
- (len == (size_t)il->ill_name_length) &&
- !strncmp(il->ill_name, f->fr_ifname, len))
- f->fr_ifa = il;
- }
- }
- for (f = ipfilter6[1][fr_active]; f; f = f->fr_next) {
- if ((f->fr_ifa == (struct ifnet *)-1)) {
- len = strlen(f->fr_ifname) + 1;
- if ((len != 0) &&
- (len == (size_t)il->ill_name_length) &&
- !strncmp(il->ill_name, f->fr_ifname, len))
- f->fr_ifa = il;
- }
- }
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- WRITE_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next) {
- if ((np->in_ifp == (struct ifnet *)-1)) {
- len = strlen(np->in_ifname) + 1;
- if ((len != 0) &&
- (len == (size_t)il->ill_name_length) &&
- !strncmp(il->ill_name, np->in_ifname, len))
- np->in_ifp = il;
- }
- }
- RWLOCK_EXIT(&ipf_nat);
-
- bcopy((caddr_t)qif->qf_rqinfo, (caddr_t)&qif->qf_rqinit,
- sizeof(struct qinit));
- qif->qf_rqinit.qi_putp = fr_qin;
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: solattach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, &qif->qf_rqinit);
-#endif
- in->q_qinfo = &qif->qf_rqinit;
-
- bcopy((caddr_t)qif->qf_wqinfo, (caddr_t)&qif->qf_wqinit,
- sizeof(struct qinit));
- qif->qf_wqinit.qi_putp = fr_qout;
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, &qif->qf_wqinit);
-#endif
- out->q_qinfo = &qif->qf_wqinit;
-
- ire_walk(ipf_ire_walk, (char *)qif);
- RWLOCK_EXIT(&ipfs_mutex);
- cmn_err(CE_CONT, "IP Filter: attach to [%s,%d] - %s\n",
- qif->qf_name, il->ill_ppa,
-#if SOLARIS2 >= 8
- il->ill_isv6 ? "IPv6" : "IPv4"
-#else
- "IPv4"
-#endif
- );
- }
- if (!qif_head)
- cmn_err(CE_CONT, "IP Filter: not attached to any interfaces\n");
- return;
-}
-
-
-/*
- * look for bad consistancies between the list of interfaces the filter knows
- * about and those which are currently configured.
- */
-int ipfsync()
-{
- register struct frentry *f;
- register ipnat_t *np;
- register qif_t *qif, **qp;
- register ill_t *il;
- queue_t *in, *out;
-
- WRITE_ENTER(&ipfs_mutex);
- for (qp = &qif_head; (qif = *qp); ) {
- for (il = ill_g_head; il; il = il->ill_next)
- if ((qif->qf_ill == il) &&
- !strcmp(qif->qf_name, il->ill_name)) {
-#if SOLARIS2 < 8
- mblk_t *m = il->ill_hdr_mp;
-
- qif->qf_hl = il->ill_hdr_length;
- if (m && qif->qf_hl != (m->b_wptr - m->b_rptr))
- cmn_err(CE_NOTE,
- "IP Filter: ILL Header Length Mismatch\n");
-#endif
- break;
- }
- if (il) {
- qp = &qif->qf_next;
- continue;
- }
- cmn_err(CE_CONT, "IP Filter: detaching [%s] - %s\n",
- qif->qf_name,
-#if SOLARIS2 >= 8
- (qif->qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
-#else
- "IPv4"
-#endif
- );
- *qp = qif->qf_next;
-
- /*
- * Disable any rules directly associated with this interface
- */
- WRITE_ENTER(&ipf_nat);
- for (np = nat_list; np; np = np->in_next)
- if (np->in_ifp == (void *)qif->qf_ill)
- np->in_ifp = (struct ifnet *)-1;
- RWLOCK_EXIT(&ipf_nat);
- WRITE_ENTER(&ipf_mutex);
- for (f = ipfilter[0][fr_active]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)qif->qf_ill)
- f->fr_ifa = (struct ifnet *)-1;
- for (f = ipfilter[1][fr_active]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)qif->qf_ill)
- f->fr_ifa = (struct ifnet *)-1;
-#if SOLARIS2 >= 8
- for (f = ipfilter6[0][fr_active]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)qif->qf_ill)
- f->fr_ifa = (struct ifnet *)-1;
- for (f = ipfilter6[1][fr_active]; f; f = f->fr_next)
- if (f->fr_ifa == (void *)qif->qf_ill)
- f->fr_ifa = (struct ifnet *)-1;
-#endif
-
-#if 0 /* XXX */
- /*
- * As well as the ill disappearing when a device is unplumb'd,
- * it also appears that the associated queue structures also
- * disappear - at least in the case of ppp, which is the most
- * volatile here. Thanks to Greg for finding this problem.
- */
- /*
- * Restore q_qinfo pointers in interface queues
- */
- out = qif->qf_out;
- in = qif->qf_in;
- if (in) {
-# ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, qif->qf_rqinfo);
-# endif
- in->q_qinfo = qif->qf_rqinfo;
- }
- if (out) {
-# ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, qif->qf_wqinfo);
-# endif
- out->q_qinfo = qif->qf_wqinfo;
- }
-#endif /* XXX */
- RWLOCK_EXIT(&ipf_mutex);
- KFREE(qif);
- qif = *qp;
- }
- RWLOCK_EXIT(&ipfs_mutex);
- solattach();
-
- frsync();
- /*
- * Resync. any NAT `connections' using this interface and its IP #.
- */
- for (il = ill_g_head; il; il = il->ill_next) {
- ip_natsync((void *)il);
- ip_statesync((void *)il);
- }
- return 0;
-}
-
-
-/*
- * unhook the IP filter from all defined interfaces with IP addresses
- */
-int soldetach()
-{
- queue_t *in, *out;
- qif_t *qif, **qp;
- ill_t *il;
-
- WRITE_ENTER(&ipfs_mutex);
- /*
- * Make two passes, first get rid of all the unknown devices, next
- * unlink known devices.
- */
- for (qp = &qif_head; (qif = *qp); ) {
- for (il = ill_g_head; il; il = il->ill_next)
- if (qif->qf_ill == il)
- break;
- if (il) {
- qp = &qif->qf_next;
- continue;
- }
- cmn_err(CE_CONT, "IP Filter: removing [%s]\n", qif->qf_name);
- *qp = qif->qf_next;
- KFREE(qif);
- }
-
- while ((qif = qif_head)) {
- qif_head = qif->qf_next;
- for (il = ill_g_head; il; il = il->ill_next)
- if (qif->qf_ill == il)
- break;
- if (il) {
- in = qif->qf_in;
- out = qif->qf_out;
- cmn_err(CE_CONT, "IP Filter: detaching [%s,%d] - %s\n",
- qif->qf_name, il->ill_ppa,
-#if SOLARIS2 >= 8
- (qif->qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
-#else
- "IPv4"
-#endif
- );
-
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx",
- in, in->q_qinfo, qif->qf_rqinfo);
-#endif
- in->q_qinfo = qif->qf_rqinfo;
-
- /*
- * and the write queue...
- */
-#ifdef IPFDEBUG
- if (ipf_debug)
- cmn_err(CE_NOTE,
- "IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx",
- out, out->q_qinfo, qif->qf_wqinfo);
-#endif
- out->q_qinfo = qif->qf_wqinfo;
- }
- KFREE(qif);
- }
- RWLOCK_EXIT(&ipfs_mutex);
- return ipldetach();
-}
-
-
-#ifdef IPFDEBUG
-void printire(ire)
-ire_t *ire;
-{
- if (!ipf_debug)
- return;
- printf("ire: ll_hdr_mp %p rfq %p stq %p src_addr %x max_frag %d\n",
-# if SOLARIS2 >= 8
- NULL,
-# else
- ire->ire_ll_hdr_mp,
-# endif
- ire->ire_rfq, ire->ire_stq,
- ire->ire_src_addr, ire->ire_max_frag);
- printf("ire: mask %x addr %x gateway_addr %x type %d\n",
- ire->ire_mask, ire->ire_addr, ire->ire_gateway_addr,
- ire->ire_type);
- printf("ire: ll_hdr_length %d ll_hdr_saved_mp %p\n",
- ire->ire_ll_hdr_length,
-# if SOLARIS2 >= 8
- NULL
-# else
- ire->ire_ll_hdr_saved_mp
-# endif
- );
-}
-#endif
-
-
-int ipfr_fastroute(ip, mb, mpp, fin, fdp)
-ip_t *ip;
-mblk_t *mb, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
-{
-#ifdef USE_INET6
- ip6_t *ip6 = (ip6_t *)ip;
-#endif
- ire_t *ir, *dir, *gw;
- struct in_addr dst;
- queue_t *q = NULL;
- mblk_t *mp = NULL;
- size_t hlen = 0;
- frentry_t *fr;
- frdest_t fd;
- ill_t *ifp;
- u_char *s;
- qif_t *qf;
- int p;
-
-#ifndef sparc
- u_short __iplen, __ipoff;
-#endif
- qf = fin->fin_qif;
-
- /*
- * If this is a duplicate mblk then we want ip to point at that
- * data, not the original, if and only if it is already pointing at
- * the current mblk data.
- */
- if ((ip == (ip_t *)qf->qf_m->b_rptr) && (qf->qf_m != mb))
- ip = (ip_t *)mb->b_rptr;
-
- /*
- * If there is another M_PROTO, we don't want it
- */
- if (*mpp != mb) {
- mp = *mpp;
- (void) unlinkb(mp);
- mp = (*mpp)->b_cont;
- (*mpp)->b_cont = NULL;
- (*mpp)->b_prev = NULL;
- freemsg(*mpp);
- *mpp = mp;
- }
-
- if (!fdp) {
- ipif_t *ipif;
-
- ifp = fin->fin_ifp;
- ipif = ifp->ill_ipif;
- if (!ipif)
- goto bad_fastroute;
-#if SOLARIS2 > 5
- ir = ire_ctable_lookup(ipif->ipif_local_addr, 0, IRE_LOCAL,
- NULL, NULL, MATCH_IRE_TYPE);
-#else
- ir = ire_lookup_myaddr(ipif->ipif_local_addr);
-#endif
- if (!ir)
- ir = (ire_t *)-1;
-
- fd.fd_ifp = (struct ifnet *)ir;
- fd.fd_ip = ip->ip_dst;
- fdp = &fd;
- }
-
- ir = (ire_t *)fdp->fd_ifp;
-
- if (fdp->fd_ip.s_addr)
- dst = fdp->fd_ip;
- else
- dst.s_addr = fin->fin_fi.fi_daddr;
-
-#if SOLARIS2 >= 6
- gw = NULL;
- if (fin->fin_v == 4) {
- p = ip->ip_p;
- dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL,
- &gw, NULL, MATCH_IRE_DSTONLY|
- MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE);
- }
-# ifdef USE_INET6
- else if (fin->fin_v == 6) {
- p = ip6->ip6_nxt;
- dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0,
- NULL, &gw, NULL, MATCH_IRE_DSTONLY|
- MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE);
- }
-# endif
-#else
- dir = ire_lookup(dst.s_addr);
-#endif
-#if SOLARIS2 < 8
- if (dir)
- if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length)
- dir = NULL;
-#else
- if (dir)
- if (!dir->ire_fp_mp || !dir->ire_dlureq_mp)
- dir = NULL;
-#endif
-
- if (!ir)
- ir = dir;
-
- if (ir && dir) {
- ifp = ire_to_ill(ir);
- if (ifp == NULL)
- goto bad_fastroute;
- fr = fin->fin_fr;
-
- /*
- * In case we're here due to "to <if>" being used with
- * "keep state", check that we're going in the correct
- * direction.
- */
- if ((fr != NULL) && (fdp->fd_ifp != NULL) &&
- (fin->fin_rev != 0) && (fdp == &fr->fr_tif))
- return 1;
-
- fin->fin_ifp = ifp;
- if (fin->fin_out == 0) {
- fin->fin_fr = ipacct[1][fr_active];
- if ((fin->fin_fr != NULL) &&
- (fr_scanlist(FR_NOMATCH, ip, fin, mb)&FR_ACCOUNT)){
- ATOMIC_INCL(frstats[1].fr_acct);
- }
- fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK))
- (void) fr_checkstate(ip, fin);
- (void) ip_natout(ip, fin);
- }
-#ifndef sparc
- if (fin->fin_v == 4) {
- __iplen = (u_short)ip->ip_len,
- __ipoff = (u_short)ip->ip_off;
-
- ip->ip_len = htons(__iplen);
- ip->ip_off = htons(__ipoff);
- }
-#endif
-
-#if SOLARIS2 < 8
- mp = dir->ire_ll_hdr_mp;
- hlen = dir->ire_ll_hdr_length;
-#else
- mp = dir->ire_fp_mp;
- hlen = mp ? mp->b_wptr - mp->b_rptr : 0;
- mp = dir->ire_dlureq_mp;
-#endif
- if (mp != NULL) {
- s = mb->b_rptr;
- if (
-#if SOLARIS2 >= 6
- (dohwcksum &&
- ifp->ill_ick.ick_magic == ICK_M_CTL_MAGIC) ||
-#endif
- (hlen && (s - mb->b_datap->db_base) >= hlen)) {
- s -= hlen;
- mb->b_rptr = (u_char *)s;
- bcopy((char *)mp->b_rptr, (char *)s, hlen);
- } else {
- mblk_t *mp2;
-
- mp2 = copyb(mp);
- if (!mp2)
- goto bad_fastroute;
- linkb(mp2, mb);
- mb = mp2;
- }
- }
- *mpp = mb;
-
- if (ir->ire_stq)
- q = ir->ire_stq;
- else if (ir->ire_rfq)
- q = WR(ir->ire_rfq);
- if (q) {
- mb->b_prev = NULL;
- mb->b_queue = q;
- RWLOCK_EXIT(&ipfs_mutex);
- RWLOCK_EXIT(&ipf_solaris);
-#if SOLARIS2 >= 6
- if ((p == IPPROTO_TCP) && dohwcksum &&
- (ifp->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
- tcphdr_t *tcp;
- u_32_t t;
-
- tcp = (tcphdr_t *)((char *)ip + fin->fin_hlen);
- t = ip->ip_src.s_addr;
- t += ip->ip_dst.s_addr;
- t += 30;
- t = (t & 0xffff) + (t >> 16);
- tcp->th_sum = t & 0xffff;
- }
-#endif
- putnext(q, mb);
- READ_ENTER(&ipf_solaris);
- READ_ENTER(&ipfs_mutex);
- ipl_frouteok[0]++;
- *mpp = NULL;
- return 0;
- }
- }
-bad_fastroute:
- mb->b_prev = NULL;
- freemsg(mb);
- ipl_frouteok[1]++;
- *mpp = NULL;
- return -1;
-}
-
-
-void copyout_mblk(m, off, len, buf)
-mblk_t *m;
-size_t off, len;
-char *buf;
-{
- u_char *s, *bp = (u_char *)buf;
- size_t mlen, olen, clen;
-
- for (; m && len; m = m->b_cont) {
- if (MTYPE(m) != M_DATA)
- continue;
- s = m->b_rptr;
- mlen = m->b_wptr - s;
- olen = MIN(off, mlen);
- if ((olen == mlen) || (olen < off)) {
- off -= olen;
- continue;
- } else if (olen) {
- off -= olen;
- s += olen;
- mlen -= olen;
- }
- clen = MIN(mlen, len);
- bcopy(s, bp, clen);
- len -= clen;
- bp += clen;
- }
-}
-
-
-void copyin_mblk(m, off, len, buf)
-mblk_t *m;
-size_t off, len;
-char *buf;
-{
- u_char *s, *bp = (u_char *)buf;
- size_t mlen, olen, clen;
-
- for (; m && len; m = m->b_cont) {
- if (MTYPE(m) != M_DATA)
- continue;
- s = m->b_rptr;
- mlen = m->b_wptr - s;
- olen = MIN(off, mlen);
- if ((olen == mlen) || (olen < off)) {
- off -= olen;
- continue;
- } else if (olen) {
- off -= olen;
- s += olen;
- mlen -= olen;
- }
- clen = MIN(mlen, len);
- bcopy(bp, s, clen);
- len -= clen;
- bp += clen;
- }
-}
-
-
-int fr_verifysrc(ipa, ifp)
-struct in_addr ipa;
-void *ifp;
-{
- ire_t *ir, *dir, *gw;
-
-#if SOLARIS2 >= 6
- dir = ire_route_lookup(ipa.s_addr, 0xffffffff, 0, 0, NULL, &gw, NULL,
- MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT|
- MATCH_IRE_RECURSIVE);
-#else
- dir = ire_lookup(ipa.s_addr);
-#endif
-
- if (!dir)
- return 0;
- return (ire_to_ill(dir) == ifp);
-}
diff --git a/contrib/ipfilter/test/.cvsignore b/contrib/ipfilter/test/.cvsignore
deleted file mode 100644
index 5825abc..0000000
--- a/contrib/ipfilter/test/.cvsignore
+++ /dev/null
@@ -1,87 +0,0 @@
-results
-1
-2
-3
-4
-5
-6
-7
-8
-9
-10
-11
-12
-i1
-i2
-i3
-i4
-i5
-i6
-i7
-i8
-i9
-i10
-i11
-f1
-f2
-f3
-f4
-f5
-f6
-f7
-f8
-f9
-f10
-f11
-f12
-f13
-f14
-n1
-n2
-n3
-n4
-n5
-n6
-n7
-f15
-f16
-ipv6.1
-ipv6.2
-l1
-ni1
-ni2
-ni3
-ni4
-f17
-in1
-in2
-in3
-in4
-p1
-p2
-i12
-ip1
-p3
-i13
-ni5
-ni6
-i14
-in5
-ipv6.3
-n8
-n9
-n10
-n11
-ni7
-ni8
-ni9
-ni10
-ni11
-ni12
-n12
-in6
-i15
-ni13
-ni14
-ni15
-ni16
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
deleted file mode 100644
index b0462f3..0000000
--- a/contrib/ipfilter/test/Makefile
+++ /dev/null
@@ -1,99 +0,0 @@
-#
-# (C)opyright 1993-1996 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-BINDEST=/usr/local/bin
-SBINDEST=/sbin
-MANDIR=/usr/share/man
-all: expected.d results tests
-
-expected.d:
- (cd expected; make)
-
-results:
- mkdir -p results
-
-tests: ipf nat logtests ipv6 pools bpf
-
-ipf: ftests ptests
-
-nat: ntests nitests intests
-
-first:
- -mkdir -p results
-
-# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
-
-# Rule parsing tests
-ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
- i20 i21
-
-ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
-
-nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
- ni16 ni19 ni20 ni21 ni23
-
-intests: in1 in2 in3 in4 in5 in6
-
-logtests: l1
-
-pools: p1 p2 p3 p5 ip1 ip2
-
-ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
-
-bpf: bpf1 bpf-f1
-
-f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19:
- @/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`
-
-f15 f16 f17 f18 f20 f24:
- @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`
-
-i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
- @/bin/sh ./itest `awk "/^$@ / { print; } " test.format`
-
-n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16:
- @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`
-
-ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20:
- @/bin/sh ./natipftest single `awk "/^$@ / { print; } " test.format`
-
-ni1 ni6 ni21 ni23:
- @/bin/sh ./natipftest multi `awk "/^$@ / { print; } " test.format`
-
-in1 in2 in3 in4 in5 in6:
- @/bin/sh ./intest `awk "/^$@ / { print; } " test.format`
-
-l1:
- @/bin/sh ./logtest `awk "/^$@ / { print; } " test.format`
-
-ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6:
- @/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`
-
-p1 p2 p3 p5:
- @/bin/sh ./ptest `awk "/^$@ / { print; } " test.format`
-
-ip1 ip2:
- @/bin/sh ./iptest `awk "/^$@ / { print; } " test.format`
-
-bpf-f1:
- /bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`
-
-clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
- /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21
- /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
- /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
- /bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 ni23
- /bin/rm -f in1 in2 in3 in4 in5 in6
- /bin/rm -f p1 p2 p3 p5 ip1 ip2
- /bin/rm -f l1
- /bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
- /bin/rm -f bpf1 bpf-f1
- /bin/rm -f results/* logout
- (cd expected; make clean)
-
-diffs:
- -cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then diff -c $$i ../results/$$i >> ../diff.out; fi done
diff --git a/contrib/ipfilter/test/README.TXT b/contrib/ipfilter/test/README.TXT
deleted file mode 100644
index 0b62145..0000000
--- a/contrib/ipfilter/test/README.TXT
+++ /dev/null
@@ -1,30 +0,0 @@
-The contents of this directory sub tree is dedicated to regression testing
-of IPFilter.
-
-The tests are broken down into these groups:
-f - filter rule tests
-i - parsing & printing test of ipf rules
-in - parsing & printing test of ipnat rules
-ipv6 - ipv6 filter rule tests
-l - logging test
-n - NAT testing
-ni - combined NAT & IPF tests
-
- TEST
-f1 - block/pass, in/out.
-f2 - proto
-f3 - from IP#
-f4 - to #IP
-f5 - source port
-f6 - destination port
-f7 - icmp-type, code
-f8 - flags
-f9 - ipoptions
-f10 - ipoptions
-f11 - keep frag/state
-f12 - short/frag
-f13 - keep frag/state (fragmented packets)
-f14 - from !host, to !host
-f15 - groups
-f16 - skip
-f17 - TCP state transition on flags
diff --git a/contrib/ipfilter/test/bpftest b/contrib/ipfilter/test/bpftest
deleted file mode 100644
index b24c0f1..0000000
--- a/contrib/ipfilter/test/bpftest
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-input=`expr $1 : 'bpf-\(.*\)'`
-/bin/cp /dev/null results/$1
-( while read rule; do
- echo "$rule" | ../ipftest -Rbr - -i input/$input >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/dotest b/contrib/ipfilter/test/dotest
deleted file mode 100644
index 2989109..0000000
--- a/contrib/ipfilter/test/dotest
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-thistest=$1
-format=$2
-output=$3
-tuning=$4
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-if [ "$tuning" != "" ] ; then
- case $tuning in
- -*)
- ;;
- *)
- tuning="-T $tuning"
- ;;
- esac
-fi
-echo "${thistest}...";
-/bin/cp /dev/null results/${thistest}
-( while read rule; do
- echo "$rule" | ../ipftest -F $format -Rbr - -i input/${thistest} $tuning>> results/${thistest};
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/${thistest}
-done ) < regress/${thistest}
-cmp expected/${thistest} results/${thistest}
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH ${thistest}
-fi
-exit $status
diff --git a/contrib/ipfilter/test/dotest6 b/contrib/ipfilter/test/dotest6
deleted file mode 100755
index d6db564..0000000
--- a/contrib/ipfilter/test/dotest6
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-format=$2
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-../ipftest -6 -r /dev/null -i /dev/null >/dev/null 2>&1
-if [ $? -ne 0 ] ; then
- echo "skipping IPv6 tests"
- $TOUCH $1
- exit 0
-fi
-( while read rule; do
- echo "$rule" | ../ipftest -F $format -6br - -i input/$1 >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/expected/1 b/contrib/ipfilter/test/expected/1
deleted file mode 100644
index 93b7333..0000000
--- a/contrib/ipfilter/test/expected/1
+++ /dev/null
@@ -1,16 +0,0 @@
-block
-block
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/10 b/contrib/ipfilter/test/expected/10
deleted file mode 100644
index bc0d83e..0000000
--- a/contrib/ipfilter/test/expected/10
+++ /dev/null
@@ -1,108 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-block
-block
-block
-nomatch
-nomatch
-block
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-block
-block
-nomatch
-nomatch
-nomatch
-block
-pass
-pass
-nomatch
-nomatch
-nomatch
-pass
-block
-block
-block
-block
-block
-block
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-block
-block
-block
-nomatch
-block
-nomatch
-pass
-pass
-pass
-nomatch
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-pass
-pass
-pass
-pass
-pass
-block
-block
-nomatch
-block
-nomatch
-block
-pass
-pass
-nomatch
-pass
-nomatch
-pass
-block
-block
-block
-block
-block
-block
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-block
-nomatch
-nomatch
-block
diff --git a/contrib/ipfilter/test/expected/11 b/contrib/ipfilter/test/expected/11
deleted file mode 100644
index eb00875..0000000
--- a/contrib/ipfilter/test/expected/11
+++ /dev/null
@@ -1,66 +0,0 @@
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
diff --git a/contrib/ipfilter/test/expected/12 b/contrib/ipfilter/test/expected/12
deleted file mode 100644
index f94cf76..0000000
--- a/contrib/ipfilter/test/expected/12
+++ /dev/null
@@ -1,54 +0,0 @@
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
diff --git a/contrib/ipfilter/test/expected/14 b/contrib/ipfilter/test/expected/14
deleted file mode 100644
index d06d92b..0000000
--- a/contrib/ipfilter/test/expected/14
+++ /dev/null
@@ -1,40 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-block
-block
-block
-block
-block
-pass
-pass
-pass
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/2 b/contrib/ipfilter/test/expected/2
deleted file mode 100644
index 03b71cd..0000000
--- a/contrib/ipfilter/test/expected/2
+++ /dev/null
@@ -1,36 +0,0 @@
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/3 b/contrib/ipfilter/test/expected/3
deleted file mode 100644
index d06d92b..0000000
--- a/contrib/ipfilter/test/expected/3
+++ /dev/null
@@ -1,40 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-block
-block
-block
-block
-block
-pass
-pass
-pass
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/4 b/contrib/ipfilter/test/expected/4
deleted file mode 100644
index d06d92b..0000000
--- a/contrib/ipfilter/test/expected/4
+++ /dev/null
@@ -1,40 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-block
-block
-block
-block
-block
-pass
-pass
-pass
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/5 b/contrib/ipfilter/test/expected/5
deleted file mode 100644
index bc80580..0000000
--- a/contrib/ipfilter/test/expected/5
+++ /dev/null
@@ -1,1344 +0,0 @@
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
diff --git a/contrib/ipfilter/test/expected/6 b/contrib/ipfilter/test/expected/6
deleted file mode 100644
index bc80580..0000000
--- a/contrib/ipfilter/test/expected/6
+++ /dev/null
@@ -1,1344 +0,0 @@
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
diff --git a/contrib/ipfilter/test/expected/7 b/contrib/ipfilter/test/expected/7
deleted file mode 100644
index c53d6ea..0000000
--- a/contrib/ipfilter/test/expected/7
+++ /dev/null
@@ -1,54 +0,0 @@
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
diff --git a/contrib/ipfilter/test/expected/8 b/contrib/ipfilter/test/expected/8
deleted file mode 100644
index 398058a..0000000
--- a/contrib/ipfilter/test/expected/8
+++ /dev/null
@@ -1,36 +0,0 @@
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-block
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
diff --git a/contrib/ipfilter/test/expected/9 b/contrib/ipfilter/test/expected/9
deleted file mode 100644
index a4572e6..0000000
--- a/contrib/ipfilter/test/expected/9
+++ /dev/null
@@ -1,108 +0,0 @@
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
diff --git a/contrib/ipfilter/test/expected/Makefile b/contrib/ipfilter/test/expected/Makefile
deleted file mode 100644
index bb91b8b..0000000
--- a/contrib/ipfilter/test/expected/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-# (C)opyright 2007 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-all: i19
-
-i19: i19.dist Makefile
- -if [ "`grep LOG_SECURITY /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
- if [ "`grep LOG_AUDIT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
- sed -e 's/security/!!!/g' i19.dist > i19.p1; \
- else \
- sed -e 's/security/audit/g' i19.dist > i19.p1; \
- fi \
- else \
- /bin/cp i19.dist i19.p1; \
- fi
- -if [ "`grep LOG_AUTHPRIV /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
- sed -e 's/authpriv/!!!/g' i19.p1 > i19.p2; \
- else \
- /bin/cp i19.p1 i19.p2; \
- fi
- -if [ "`grep LOG_LOGALERT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
- sed -e 's/logalert/!!!/g' i19.p2 > i19.p1; \
- else \
- /bin/cp i19.p2 i19.p1; \
- fi
- -if [ "`grep LOG_FTP /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
- sed -e 's/ftp/!!!/g' i19.p1 > i19.p2; \
- else \
- /bin/cp i19.p1 i19.p2; \
- fi
- -if [ "`egrep 'LOG_CRON.*15' /usr/include/sys/syslog.h 2>&1`" != "" ] ; then \
- sed -e 's/cron/cron2/g' i19.p2 > i19; \
- else \
- /bin/cp i19.p2 i19; \
- fi
- /bin/rm i19.p?
-
-clean:
- /bin/rm -f i19
diff --git a/contrib/ipfilter/test/expected/bpf-f1 b/contrib/ipfilter/test/expected/bpf-f1
deleted file mode 100644
index 85ce84c..0000000
--- a/contrib/ipfilter/test/expected/bpf-f1
+++ /dev/null
@@ -1,20 +0,0 @@
-nomatch
-pass
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-pass
---------
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/bpf1 b/contrib/ipfilter/test/expected/bpf1
deleted file mode 100644
index 76381a7..0000000
--- a/contrib/ipfilter/test/expected/bpf1
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in bpf-v4 { "0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "0 0 0 0 0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x1 0x6 0 0 0" }
-pass in bpf-v4 { "0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "0 0 0 0 0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x1 0x6 0 0 0" }
diff --git a/contrib/ipfilter/test/expected/expected.sed b/contrib/ipfilter/test/expected/expected.sed
deleted file mode 100644
index e69de29..0000000
--- a/contrib/ipfilter/test/expected/expected.sed
+++ /dev/null
diff --git a/contrib/ipfilter/test/expected/f1 b/contrib/ipfilter/test/expected/f1
deleted file mode 100644
index 86d9592..0000000
--- a/contrib/ipfilter/test/expected/f1
+++ /dev/null
@@ -1,20 +0,0 @@
-block
-block
-nomatch
-nomatch
---------
-pass
-pass
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-block
---------
-nomatch
-nomatch
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f10 b/contrib/ipfilter/test/expected/f10
deleted file mode 100644
index da6c312..0000000
--- a/contrib/ipfilter/test/expected/f10
+++ /dev/null
@@ -1,126 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-block
-block
-block
-nomatch
-nomatch
-block
---------
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-block
-block
-nomatch
-nomatch
-nomatch
-block
---------
-pass
-pass
-nomatch
-nomatch
-nomatch
-pass
---------
-block
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-block
-block
-block
-nomatch
-block
---------
-nomatch
-pass
-pass
-pass
-nomatch
-pass
---------
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-block
-block
---------
-nomatch
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-nomatch
-block
-nomatch
-block
---------
-pass
-pass
-nomatch
-pass
-nomatch
-pass
---------
-block
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-nomatch
-nomatch
-block
---------
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
deleted file mode 100644
index c1eb060..0000000
--- a/contrib/ipfilter/test/expected/f11
+++ /dev/null
@@ -1,243 +0,0 @@
-pass
-nomatch
-nomatch
-pass
-pass
-nomatch
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-block
-nomatch
-nomatch
-block
-block
-nomatch
-block
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-2.2.2.2 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 240 2 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0 0 0
- interfaces: in X[e1],X[] out X[],X[]
- Sync status: not synchronized
-1.1.1.1 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 24 1 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
- interfaces: in X[e1],X[e0] out X[],X[]
- Sync status: not synchronized
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-2.2.2.2 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
- tag 0 ttl 240 2 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
- block in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0 0 0
- interfaces: in X[e1],X[] out X[],X[]
- Sync status: not synchronized
-1.1.1.1 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
- tag 0 ttl 24 1 -> 53
- forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
- block in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
- interfaces: in X[e1],X[e0] out X[],X[]
- Sync status: not synchronized
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-1.1.1.1 -> 2.1.2.2 pass 0x40008402 pr 6 state 3/4
- tag 0 ttl 864000
- 1 -> 25 2:66 4096<<0:16384<<0
- cmsk 0000 smsk 0000 s0 00000000/00000000
- FWD:ISN inc 0 sumd 0
- REV:ISN inc 0 sumd 0
- forward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
- backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0 0
- interfaces: in X[e0],X[e1] out X[],X[]
- Sync status: not synchronized
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
---------
diff --git a/contrib/ipfilter/test/expected/f12 b/contrib/ipfilter/test/expected/f12
deleted file mode 100644
index 094d8c0..0000000
--- a/contrib/ipfilter/test/expected/f12
+++ /dev/null
@@ -1,60 +0,0 @@
-pass
-pass
-pass
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
---------
-pass
-pass
-pass
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-bad-packet
-block
-nomatch
-bad-packet
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-bad-packet
-block
-nomatch
-bad-packet
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-pass
---------
-nomatch
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-block
---------
diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13
deleted file mode 100644
index 99c0565..0000000
--- a/contrib/ipfilter/test/expected/f13
+++ /dev/null
@@ -1,160 +0,0 @@
-pass
-bad-packet
-nomatch
-pass
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-bad-packet
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-bad-packet
-nomatch
-block
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-bad-packet
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-pass
-bad-packet
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-block
-bad-packet
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-bad-packet
-nomatch
-pass
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-bad-packet
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-pass
-pass
---------
-block
-bad-packet
-nomatch
-block
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-bad-packet
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-block
-block
---------
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-nomatch
-bad-packet
-pass
-bad-packet
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-bad-packet
-nomatch
-pass
-bad-packet
-nomatch
-nomatch
-bad-packet
-nomatch
-bad-packet
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f14 b/contrib/ipfilter/test/expected/f14
deleted file mode 100644
index 1c6ed5c..0000000
--- a/contrib/ipfilter/test/expected/f14
+++ /dev/null
@@ -1,48 +0,0 @@
-block
-nomatch
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-nomatch
-nomatch
-pass
-pass
---------
-block
-nomatch
-nomatch
-nomatch
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f15 b/contrib/ipfilter/test/expected/f15
deleted file mode 100644
index 9b31258..0000000
--- a/contrib/ipfilter/test/expected/f15
+++ /dev/null
@@ -1,9 +0,0 @@
-block return-rst
-pass
-block return-icmp
-pass
-block
-nomatch
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f16 b/contrib/ipfilter/test/expected/f16
deleted file mode 100644
index b6cb3fa..0000000
--- a/contrib/ipfilter/test/expected/f16
+++ /dev/null
@@ -1,9 +0,0 @@
-block
-block
-pass
-block
-pass
-pass
-block
-block
---------
diff --git a/contrib/ipfilter/test/expected/f17 b/contrib/ipfilter/test/expected/f17
deleted file mode 100644
index c586e5b..0000000
--- a/contrib/ipfilter/test/expected/f17
+++ /dev/null
@@ -1,7 +0,0 @@
-pass
-block return-rst
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f18 b/contrib/ipfilter/test/expected/f18
deleted file mode 100644
index 801abd3..0000000
--- a/contrib/ipfilter/test/expected/f18
+++ /dev/null
@@ -1,5 +0,0 @@
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f19 b/contrib/ipfilter/test/expected/f19
deleted file mode 100644
index 5ee2e9d..0000000
--- a/contrib/ipfilter/test/expected/f19
+++ /dev/null
@@ -1,10 +0,0 @@
-pass
-pass
-pass
-nomatch
---------
-pass
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f2 b/contrib/ipfilter/test/expected/f2
deleted file mode 100644
index 7093a41..0000000
--- a/contrib/ipfilter/test/expected/f2
+++ /dev/null
@@ -1,42 +0,0 @@
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-block
-nomatch
-nomatch
---------
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f20 b/contrib/ipfilter/test/expected/f20
deleted file mode 100644
index 86308a0..0000000
--- a/contrib/ipfilter/test/expected/f20
+++ /dev/null
@@ -1,3 +0,0 @@
-pass
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f24 b/contrib/ipfilter/test/expected/f24
deleted file mode 100644
index 801abd3..0000000
--- a/contrib/ipfilter/test/expected/f24
+++ /dev/null
@@ -1,5 +0,0 @@
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f3 b/contrib/ipfilter/test/expected/f3
deleted file mode 100644
index 5df3ac4..0000000
--- a/contrib/ipfilter/test/expected/f3
+++ /dev/null
@@ -1,48 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
---------
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f4 b/contrib/ipfilter/test/expected/f4
deleted file mode 100644
index 5df3ac4..0000000
--- a/contrib/ipfilter/test/expected/f4
+++ /dev/null
@@ -1,48 +0,0 @@
-nomatch
-block
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
---------
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f5 b/contrib/ipfilter/test/expected/f5
deleted file mode 100644
index 36c7d40..0000000
--- a/contrib/ipfilter/test/expected/f5
+++ /dev/null
@@ -1,1392 +0,0 @@
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
---------
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
---------
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f6 b/contrib/ipfilter/test/expected/f6
deleted file mode 100644
index 36c7d40..0000000
--- a/contrib/ipfilter/test/expected/f6
+++ /dev/null
@@ -1,1392 +0,0 @@
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
---------
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-block
---------
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-pass
---------
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f7 b/contrib/ipfilter/test/expected/f7
deleted file mode 100644
index 7a4daed..0000000
--- a/contrib/ipfilter/test/expected/f7
+++ /dev/null
@@ -1,144 +0,0 @@
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/f8 b/contrib/ipfilter/test/expected/f8
deleted file mode 100644
index ad42ff2..0000000
--- a/contrib/ipfilter/test/expected/f8
+++ /dev/null
@@ -1,42 +0,0 @@
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-block
-nomatch
-block
-nomatch
-nomatch
-nomatch
---------
-pass
-nomatch
-pass
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/f9 b/contrib/ipfilter/test/expected/f9
deleted file mode 100644
index cc5be68..0000000
--- a/contrib/ipfilter/test/expected/f9
+++ /dev/null
@@ -1,180 +0,0 @@
-block
-block
-block
-block
-block
-block
-block
-block
-block
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-pass
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
-pass
---------
-block
-block
-block
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-pass
-pass
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
---------
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-nomatch
-block
-block
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/i1 b/contrib/ipfilter/test/expected/i1
deleted file mode 100644
index 74d0f30..0000000
--- a/contrib/ipfilter/test/expected/i1
+++ /dev/null
@@ -1,17 +0,0 @@
-pass in all
-block out all
-log in all
-log body in all
-count in from any to any
-pass in from !any to any pps 10
-block in from any to !any
-pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on ed0(!),vx0(!) from 127.0.0.1/32 to 127.0.0.1/32
-block in log first on lo0(!) from any to any
-pass in log body or-block quick from any to any
-block return-rst in quick on le0(!) proto tcp from any to any
-block return-icmp in on qe0(!) from any to any
-block return-icmp(host-unr) in on qe0(!) from any to any
-block return-icmp-as-dest in on le0(!) from any to any
-block return-icmp-as-dest(port-unr) in on qe0(!) from any to any
-pass out on longNICname0(!) from 254.220.186.152/32 to 254.220.186.152/32
diff --git a/contrib/ipfilter/test/expected/i10 b/contrib/ipfilter/test/expected/i10
deleted file mode 100644
index 9e0a5d5..0000000
--- a/contrib/ipfilter/test/expected/i10
+++ /dev/null
@@ -1,5 +0,0 @@
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt sec
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with opt lsrr not opt sec
-block in from any to any with not opt sec-class topsecret
-block in from any to any with not opt sec-class topsecret,secret
-pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass
diff --git a/contrib/ipfilter/test/expected/i11 b/contrib/ipfilter/test/expected/i11
deleted file mode 100644
index 154f31e..0000000
--- a/contrib/ipfilter/test/expected/i11
+++ /dev/null
@@ -1,11 +0,0 @@
-pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 keep state # count 0
-block in log first on lo0(!) proto tcp/udp from any to any port = 7 keep state # count 0
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 20499 keep frags
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags (strict)
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags # count 0
-pass in on ed0(!) out-via vx0(!) proto udp from any to any keep state # count 0
-pass out on ppp0(!) in-via le0(!) proto tcp from any to any keep state # count 0
-pass in on ed0(!),vx0(!) out-via vx0(!),ed0(!) proto udp from any to any keep state # count 0
-pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 1024 keep state # count 0
-pass in proto tcp from any to any flags S/FSRPAU keep state (limit 101,strict,newisn,no-icmp-err,age 600/600) # count 0
-pass in proto udp from any to any keep state (sync,age 10/20) # count 0
diff --git a/contrib/ipfilter/test/expected/i12 b/contrib/ipfilter/test/expected/i12
deleted file mode 100644
index dadf597..0000000
--- a/contrib/ipfilter/test/expected/i12
+++ /dev/null
@@ -1,39 +0,0 @@
-pass in from 1.1.1.1/32 to 2.2.2.2/32
-pass in from 2.2.2.0/24 to 4.4.4.4/32
-pass in from 3.3.3.3/32 to 4.4.4.4/32
-pass in from 2.2.2.0/24 to 5.5.5.5/32
-pass in from 3.3.3.3/32 to 5.5.5.5/32
-pass in from 2.2.2.0/24 to 6.6.6.6/32
-pass in from 3.3.3.3/32 to 6.6.6.6/32
-pass in from 2.2.2.0/24 to 5.5.5.5/32 port = 22
-pass in from 3.3.3.3/32 to 5.5.5.5/32 port = 22
-pass in from 2.2.2.0/24 to 6.6.6.6/32 port = 22
-pass in from 3.3.3.3/32 to 6.6.6.6/32 port = 22
-pass in from 2.2.2.0/24 to 5.5.5.5/32 port = 25
-pass in from 3.3.3.3/32 to 5.5.5.5/32 port = 25
-pass in from 2.2.2.0/24 to 6.6.6.6/32 port = 25
-pass in from 3.3.3.3/32 to 6.6.6.6/32 port = 25
-pass in proto tcp from 2.2.2.0/24 port = 53 to 5.5.5.5/32
-pass in proto tcp from 3.3.3.3/32 port = 53 to 5.5.5.5/32
-pass in proto tcp from 2.2.2.0/24 port = 9 to 5.5.5.5/32
-pass in proto tcp from 3.3.3.3/32 port = 9 to 5.5.5.5/32
-pass in proto tcp from 2.2.2.0/24 port = 53 to 6.6.6.6/32
-pass in proto tcp from 3.3.3.3/32 port = 53 to 6.6.6.6/32
-pass in proto tcp from 2.2.2.0/24 port = 9 to 6.6.6.6/32
-pass in proto tcp from 3.3.3.3/32 port = 9 to 6.6.6.6/32
-pass in proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 53
-pass in proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 53
-pass in proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 53
-pass in proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 53
-pass in proto udp from 2.2.2.0/24 to 5.5.5.5/32 port = 9
-pass in proto udp from 3.3.3.3/32 to 5.5.5.5/32 port = 9
-pass in proto udp from 2.2.2.0/24 to 6.6.6.6/32 port = 9
-pass in proto udp from 3.3.3.3/32 to 6.6.6.6/32 port = 9
-pass in from 10.10.10.10/32 to 11.11.11.11/32
-pass in from pool/101(!) to hash/202(!)
-pass in from hash/303(!) to pool/404(!)
-table role = ipf type = tree name =
- { ! 1.1.1.1/32; 2.2.2.2/32; ! 2.2.0.0/16; };
-table role = ipf type = tree name =
- { 1.1.0.0/16; };
-pass in from pool/0(!) to pool/0(!)
diff --git a/contrib/ipfilter/test/expected/i13 b/contrib/ipfilter/test/expected/i13
deleted file mode 100644
index 5c8d945..0000000
--- a/contrib/ipfilter/test/expected/i13
+++ /dev/null
@@ -1,2 +0,0 @@
-block in from any to any
-pass in from any to any
diff --git a/contrib/ipfilter/test/expected/i14 b/contrib/ipfilter/test/expected/i14
deleted file mode 100644
index 08ba19a..0000000
--- a/contrib/ipfilter/test/expected/i14
+++ /dev/null
@@ -1,10 +0,0 @@
-block in on eri0(!) all head 1
-pass in on eri0(!) proto icmp from any to any group 1
-pass out on ed0(!) all head 1000000
-block out on ed0(!) proto udp from any to any group 1000000
-block in on vm0(!) proto tcp/udp from any to any head 101
-pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group 101
-pass in proto tcp from 1.0.0.1/32 to 2.0.0.2/32 group 101
-pass in proto udp from 2.0.0.2/32 to 3.0.0.3/32 group 101
-block in on vm0(!) proto tcp/udp from any to any head vm0-group
-pass in proto tcp/udp from 1.1.1.1/32 to 2.2.2.2/32 group vm0-group
diff --git a/contrib/ipfilter/test/expected/i15 b/contrib/ipfilter/test/expected/i15
deleted file mode 100644
index 4974659..0000000
--- a/contrib/ipfilter/test/expected/i15
+++ /dev/null
@@ -1,4 +0,0 @@
-pass out on fxp0(!) all set-tag(log=100)
-pass out on fxp0(!) all set-tag(nat=foo)
-pass out on fxp0(!) all set-tag(log=100, nat=200)
-pass out on fxp0(!) all set-tag(log=2147483648, nat=overtherainbowis)
diff --git a/contrib/ipfilter/test/expected/i16 b/contrib/ipfilter/test/expected/i16
deleted file mode 100644
index c5b3cf3..0000000
--- a/contrib/ipfilter/test/expected/i16
+++ /dev/null
@@ -1,3 +0,0 @@
-block out all
-100 pass in all
-10101 pass out proto tcp from any to any
diff --git a/contrib/ipfilter/test/expected/i17 b/contrib/ipfilter/test/expected/i17
deleted file mode 100644
index bcc4d2d..0000000
--- a/contrib/ipfilter/test/expected/i17
+++ /dev/null
@@ -1,10 +0,0 @@
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
diff --git a/contrib/ipfilter/test/expected/i18 b/contrib/ipfilter/test/expected/i18
deleted file mode 100644
index 88fca47..0000000
--- a/contrib/ipfilter/test/expected/i18
+++ /dev/null
@@ -1,11 +0,0 @@
-pass in tos 0x50 from any to any
-pass in tos 0x80 from any to any
-pass in tos 0x80 from any to any
-pass in tos 0x50 from any to any
-block in ttl 0 from any to any
-block in ttl 1 from any to any
-block in ttl 2 from any to any
-block in ttl 3 from any to any
-block in ttl 4 from any to any
-block in ttl 5 from any to any
-block in ttl 6 from any to any
diff --git a/contrib/ipfilter/test/expected/i19 b/contrib/ipfilter/test/expected/i19
deleted file mode 100644
index 4ca19b5..0000000
--- a/contrib/ipfilter/test/expected/i19
+++ /dev/null
@@ -1,22 +0,0 @@
-block in log level user.debug quick proto icmp from any to any
-block in log level mail.info quick proto icmp from any to any
-block in log level daemon.notice quick proto icmp from any to any
-block in log level auth.warn quick proto icmp from any to any
-block in log level syslog.err quick proto icmp from any to any
-block in log level lpr.crit quick proto icmp from any to any
-block in log level news.alert quick proto icmp from any to any
-block in log level uucp.emerg quick proto icmp from any to any
-block in log level cron.debug quick proto icmp from any to any
-block in log level ftp.info quick proto icmp from any to any
-block in log level authpriv.notice quick proto icmp from any to any
-block in log level !!!.warn quick proto icmp from any to any
-block in log level local0.err quick proto icmp from any to any
-block in log level local1.crit quick proto icmp from any to any
-block in log level local2.alert quick proto icmp from any to any
-block in log level local3.emerg quick proto icmp from any to any
-block in log level local4.debug quick proto icmp from any to any
-block in log level local5.info quick proto icmp from any to any
-block in log level local6.notice quick proto icmp from any to any
-block in log level local7.warn quick proto icmp from any to any
-block in log level kern.err quick proto icmp from any to any
-block in log level !!!.emerg quick proto icmp from any to any
diff --git a/contrib/ipfilter/test/expected/i19.dist b/contrib/ipfilter/test/expected/i19.dist
deleted file mode 100644
index 5d9c26c..0000000
--- a/contrib/ipfilter/test/expected/i19.dist
+++ /dev/null
@@ -1,22 +0,0 @@
-block in log level user.debug quick proto icmp from any to any
-block in log level mail.info quick proto icmp from any to any
-block in log level daemon.notice quick proto icmp from any to any
-block in log level auth.warn quick proto icmp from any to any
-block in log level syslog.err quick proto icmp from any to any
-block in log level lpr.crit quick proto icmp from any to any
-block in log level news.alert quick proto icmp from any to any
-block in log level uucp.emerg quick proto icmp from any to any
-block in log level cron.debug quick proto icmp from any to any
-block in log level ftp.info quick proto icmp from any to any
-block in log level authpriv.notice quick proto icmp from any to any
-block in log level logalert.warn quick proto icmp from any to any
-block in log level local0.err quick proto icmp from any to any
-block in log level local1.crit quick proto icmp from any to any
-block in log level local2.alert quick proto icmp from any to any
-block in log level local3.emerg quick proto icmp from any to any
-block in log level local4.debug quick proto icmp from any to any
-block in log level local5.info quick proto icmp from any to any
-block in log level local6.notice quick proto icmp from any to any
-block in log level local7.warn quick proto icmp from any to any
-block in log level kern.err quick proto icmp from any to any
-block in log level security.emerg quick proto icmp from any to any
diff --git a/contrib/ipfilter/test/expected/i2 b/contrib/ipfilter/test/expected/i2
deleted file mode 100644
index 5ff18f4..0000000
--- a/contrib/ipfilter/test/expected/i2
+++ /dev/null
@@ -1,8 +0,0 @@
-log in proto tcp from any to any
-pass in proto tcp from any to any
-pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32
-block in proto ipv6 from any to any
-block in proto udp from any to any
-block in proto 250 from any to any
-pass in proto tcp/udp from any to any
-block in proto tcp/udp from any to any
diff --git a/contrib/ipfilter/test/expected/i20 b/contrib/ipfilter/test/expected/i20
deleted file mode 100644
index 77eabdb..0000000
--- a/contrib/ipfilter/test/expected/i20
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in on ppp0(!) from ppp0/peer to ppp0/32
-block in on hme0(!) from any to hme0/bcast
-pass in on bge0(!) from bge0/net to bge0/32
-block in on eri0(!) from any to eri0/netmasked
diff --git a/contrib/ipfilter/test/expected/i21 b/contrib/ipfilter/test/expected/i21
deleted file mode 100644
index d4d28da..0000000
--- a/contrib/ipfilter/test/expected/i21
+++ /dev/null
@@ -1,16 +0,0 @@
-pass in from any port = 10101 to any
-pass out from any to any port != 22
-block in from any port 20:21 to any
-block out from any to any port 10 <> 100
-pass out from any to any port = 3
-pass out from any to any port = 5
-pass out from any to any port = 7
-pass out from any to any port = 9
-block in from any port = 20 to any
-block in from any port = 25 to any
-pass in from any port 11:12 to any port 1:2
-pass in from any port 21:22 to any port 1:2
-pass in from any port 11:12 to any port 4:5
-pass in from any port 21:22 to any port 4:5
-pass in from any port 11:12 to any port 8:9
-pass in from any port 21:22 to any port 8:9
diff --git a/contrib/ipfilter/test/expected/i3 b/contrib/ipfilter/test/expected/i3
deleted file mode 100644
index 6150c7e..0000000
--- a/contrib/ipfilter/test/expected/i3
+++ /dev/null
@@ -1,11 +0,0 @@
-log in all
-pass in from 128.16.0.0/16 to 129.10.10.0/24
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 128.0.0.0/24 to 128.0.0.0/16
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-block in log from any to any
-block in log level auth.info on hme0(!) all
-log level local5.warn out all
diff --git a/contrib/ipfilter/test/expected/i4 b/contrib/ipfilter/test/expected/i4
deleted file mode 100644
index 4992455..0000000
--- a/contrib/ipfilter/test/expected/i4
+++ /dev/null
@@ -1,9 +0,0 @@
-log in proto tcp from any port > 0 to any
-log in proto tcp from any to any port > 0
-pass in proto tcp from any port != 0 to any port 0 >< 65535
-pass in proto udp from 127.0.0.1/32 port > 32000 to 127.0.0.1/32 port < 29000
-block in proto udp from any port != 123 to any port < 7
-block in proto tcp from any port = 25 to any port > 25
-pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
-pass in proto tcp/udp from any port 2:2 to any port 10:20
-pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state # count 0
diff --git a/contrib/ipfilter/test/expected/i5 b/contrib/ipfilter/test/expected/i5
deleted file mode 100644
index edf9865..0000000
--- a/contrib/ipfilter/test/expected/i5
+++ /dev/null
@@ -1,9 +0,0 @@
-log in all
-count in tos 0x80 from any to any
-pass in on ed0(!) tos 0x40 from 127.0.0.1/32 to 127.0.0.1/32
-block in log on lo0(!) ttl 0 from any to any
-pass in quick ttl 1 from any to any
-skip 3 out from 127.0.0.1/32 to any
-auth out on foo0(!) proto tcp from any to any port = 80
-preauth out on foo0(!) proto tcp from any to any port = 22
-nomatch out on foo0(!) proto tcp from any port < 1024 to any
diff --git a/contrib/ipfilter/test/expected/i6 b/contrib/ipfilter/test/expected/i6
deleted file mode 100644
index e4b14c3..0000000
--- a/contrib/ipfilter/test/expected/i6
+++ /dev/null
@@ -1,12 +0,0 @@
-pass in on lo0(!) fastroute from any to any
-pass in on lo0(!) to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
-pass in on lo0(!) dup-to qe0(!) from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) dup-to qe0(!):127.0.0.1 from 127.0.0.1/32 to 127.0.0.1/32
-pass in on le0(!) dup-to qe0(!):127.0.0.1 to hme0(!):10.1.1.1 from 127.0.0.1/32 to 127.0.0.1/32
-block in quick on qe0(!) to qe1(!) from any to any
-block in quick to qe1(!) from any to any
-pass out quick dup-to hme0(!) from any to any
-pass out quick on hme0(!) reply-to hme1(!) from any to any
-pass in on le0(!) dup-to qe0(!):127.0.0.1 reply-to hme1(!):10.10.10.10 all
-pass in quick fastroute all
diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7
deleted file mode 100644
index 309cd28..0000000
--- a/contrib/ipfilter/test/expected/i7
+++ /dev/null
@@ -1,9 +0,0 @@
-pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
-block in on lo0(!) proto tcp from any to any flags A/FSRPAU
-pass in on lo0(!) proto tcp from any to any flags /SPA
-block in on lo0(!) proto tcp from any to any flags C/A
-pass in on lo0(!) proto tcp from any to any flags S/SA
-block in on lo0(!) proto tcp from any to any flags S/SA
-pass in on lo0(!) proto tcp from any to any flags S/FSRPAU
-block in on lo0(!) proto tcp from any to any flags /A
-pass in on lo0(!) proto tcp from any to any flags S/SA
diff --git a/contrib/ipfilter/test/expected/i8 b/contrib/ipfilter/test/expected/i8
deleted file mode 100644
index f033e6b..0000000
--- a/contrib/ipfilter/test/expected/i8
+++ /dev/null
@@ -1,35 +0,0 @@
-pass in proto icmp from 127.0.0.1/32 to 127.0.0.1/32 icmp-type timest
-block in proto icmp from any to any icmp-type unreach code 1
-pass in proto icmp from any to any icmp-type unreach code 15
-pass in proto icmp from any to any icmp-type unreach code 13
-pass in proto icmp from any to any icmp-type unreach code 8
-pass in proto icmp from any to any icmp-type unreach code 4
-pass in proto icmp from any to any icmp-type unreach code 9
-pass in proto icmp from any to any icmp-type unreach code 11
-pass in proto icmp from any to any icmp-type unreach code 14
-pass in proto icmp from any to any icmp-type unreach code 10
-pass in proto icmp from any to any icmp-type unreach code 12
-pass in proto icmp from any to any icmp-type unreach code 7
-pass in proto icmp from any to any icmp-type unreach code 1
-pass in proto icmp from any to any icmp-type unreach code 6
-pass in proto icmp from any to any icmp-type unreach code 0
-pass in proto icmp from any to any icmp-type unreach code 3
-pass in proto icmp from any to any icmp-type unreach code 2
-pass in proto icmp from any to any icmp-type unreach code 5
-pass in proto icmp from any to any icmp-type echo
-pass in proto icmp from any to any icmp-type echorep
-pass in proto icmp from any to any icmp-type inforeq
-pass in proto icmp from any to any icmp-type inforep
-pass in proto icmp from any to any icmp-type maskrep
-pass in proto icmp from any to any icmp-type maskreq
-pass in proto icmp from any to any icmp-type paramprob
-pass in proto icmp from any to any icmp-type redir
-pass in proto icmp from any to any icmp-type unreach
-pass in proto icmp from any to any icmp-type routerad
-pass in proto icmp from any to any icmp-type routersol
-pass in proto icmp from any to any icmp-type squench
-pass in proto icmp from any to any icmp-type timest
-pass in proto icmp from any to any icmp-type timestrep
-pass in proto icmp from any to any icmp-type timex
-pass in proto icmp from any to any icmp-type 254
-pass in proto icmp from any to any icmp-type 253 code 254
diff --git a/contrib/ipfilter/test/expected/i9 b/contrib/ipfilter/test/expected/i9
deleted file mode 100644
index b128f99..0000000
--- a/contrib/ipfilter/test/expected/i9
+++ /dev/null
@@ -1,17 +0,0 @@
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with short,frag
-block in from any to any with ipopts
-pass in from any to any with opt nop,rr,zsu
-pass in from any to any with opt nop,rr,zsu not opt lsrr,ssrr
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with not frag
-pass in from 127.0.0.1/32 to 127.0.0.1/32 with frag,frag-body
-pass in proto tcp from any to any flags S/FSRPAU with not oow keep state # count 0
-block in proto tcp from any to any with oow
-pass in proto tcp from any to any flags S/FSRPAU with not bad,bad-src,bad-nat
-block in proto tcp from any to any flags S/FSRPAU with bad,not bad-src,not bad-nat
-pass in quick from any to any with not short
-block in quick from any to any with not nat
-pass in quick from any to any with not frag-body
-block in quick from any to any with not lowttl
-pass in from any to any with not ipopts,mbcast,not bcast,mcast,not state
-block in from any to any with not mbcast,bcast,not mcast,state
-pass in from any to any with opt mtup,mtur,encode,ts,tr,sec,e-sec,cipso,satid,ssrr,addext,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1
deleted file mode 100644
index 03436b6..0000000
--- a/contrib/ipfilter/test/expected/in1
+++ /dev/null
@@ -1,31 +0,0 @@
-map le0 0.0.0.0/0 -> 0.0.0.0/32
-map le0 0.0.0.1/32 -> 0.0.0.1/32
-map le0 128.0.0.0/1 -> 0.0.0.0/0
-map le0 10.0.0.0/8 -> 1.2.3.0/24
-map le0 10.0.0.0/8 -> 1.2.3.0/24
-map le0 10.0.0.0/8 -> 1.2.3.0/24
-map le0 0.0.0.5/0.0.0.255 -> 1.2.3.0/24
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 21 ftp/tcp
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp
-map le0 0.0.0.0/0 -> 0.0.0.0/32 frag
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 21 ftp/tcp frag
-map le0 0.0.0.0/0 -> 0.0.0.0/32 age 10/10
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 age 10/20
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 age 30/30
-map le0 0.0.0.0/0 -> 0.0.0.0/32 frag age 10/10
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag age 30/30
-map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
-map thisisalonginte 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere
-map bar0 0.0.0.0/0 -> 0.0.0.0/32 icmpidmap icmp 1000:2000
-map ppp0,adsl0 0.0.0.0/0 -> 0.0.0.0/32
-map ppp0 from 192.168.0.0/16 to any port = 123 -> 0.0.0.0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/expected/in2 b/contrib/ipfilter/test/expected/in2
deleted file mode 100644
index f1239b1..0000000
--- a/contrib/ipfilter/test/expected/in2
+++ /dev/null
@@ -1,71 +0,0 @@
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 255
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 9.0.0.0/8 -> 1.1.1.1 ip
-rdr le0 9.8.0.0/16 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 0.0.0.0/0 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp/udp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 tag nattagcacheline
-rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
-rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
-rdr le0 0.0.0.0/0 -> 254.220.186.152 ip
-rdr le0 0.0.0.0/0 -> 254.220.186.152,254.220.186.152 ip
-rdr adsl0,ppp0 0.0.0.0/0 port 25 -> 127.0.0.1 port 25 tcp
diff --git a/contrib/ipfilter/test/expected/in3 b/contrib/ipfilter/test/expected/in3
deleted file mode 100644
index b8a85bf..0000000
--- a/contrib/ipfilter/test/expected/in3
+++ /dev/null
@@ -1,5 +0,0 @@
-bimap le0 0.0.0.0/0 -> 0.0.0.0/32
-bimap le0 0.0.0.1/32 -> 0.0.0.1/32
-bimap le0 128.0.0.0/1 -> 0.0.0.0/0
-bimap le0 10.0.0.0/8 -> 1.2.3.0/24
-bimap le0 10.0.5.0/24 -> 1.2.3.0/24
diff --git a/contrib/ipfilter/test/expected/in4 b/contrib/ipfilter/test/expected/in4
deleted file mode 100644
index ac8dce1..0000000
--- a/contrib/ipfilter/test/expected/in4
+++ /dev/null
@@ -1,5 +0,0 @@
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 256
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports auto
-map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
diff --git a/contrib/ipfilter/test/expected/in5 b/contrib/ipfilter/test/expected/in5
deleted file mode 100644
index e77de71..0000000
--- a/contrib/ipfilter/test/expected/in5
+++ /dev/null
@@ -1,24 +0,0 @@
-map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1/32 portmap tcp 10000:20000
-map le0 from 9.8.7.6/32 port > 1024 ! to 1.2.3.4/32 -> 1.1.1.1/32 portmap tcp 10000:20000
-rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 ! from 1.2.3.4/32 to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40
diff --git a/contrib/ipfilter/test/expected/in6 b/contrib/ipfilter/test/expected/in6
deleted file mode 100644
index 05426e7..0000000
--- a/contrib/ipfilter/test/expected/in6
+++ /dev/null
@@ -1,8 +0,0 @@
-map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
-map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
-map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
-map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
-map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0.0.0.0/32 tcp/udp
-map foo0 from any port 10:20 to any port 30:40 -> 0.0.0.0/32 tcp/udp
diff --git a/contrib/ipfilter/test/expected/ip1 b/contrib/ipfilter/test/expected/ip1
deleted file mode 100644
index b04fa9d..0000000
--- a/contrib/ipfilter/test/expected/ip1
+++ /dev/null
@@ -1,68 +0,0 @@
-table role = ipf type = tree number = 1
- {; };
-table role = ipf type = tree number = 100
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 110
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 120
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = tree number = 130
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
-table role = ipf type = hash number = 2 size = 1
- {; };
-table role = ipf type = hash number = 200 size = 5
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 210 size = 5
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 220 size = 5
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 230 size = 5
- { 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 240 size = 5 seed = 101
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 250 size = 5 seed = 101
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 260 size = 5 seed = 101
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 270 size = 5 seed = 101
- { 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 2000 size = 1001
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 2000 size = 1001
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 2000 size = 1001
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 2000 size = 1001
- { 0/0; 4/32; 1.2.3.4/32; };
-table role = ipf type = hash number = 100 size = 1001 seed = 101
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 100 size = 1001 seed = 101
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 100 size = 1001 seed = 101
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 100 size = 1001 seed = 101
- { 0/0; 4/32; 1.2.3.4/32; };
-group-map in role = ipf number = 300 size = 5
- { 0/0, group = 303; 5/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = nat number = 300 size = 5
- { 0/0, group = 303; 6/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = auth number = 300 size = 5
- { 0/0, group = 303; 7/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map in role = count number = 300 size = 5
- { 0/0, group = 303; 8/32, group = 303; 1.2.3.4/32, group = 303; };
-group-map out role = ipf number = 400 size = 5
- { 0/0, group = 303; 5/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = nat number = 400 size = 5
- { 0/0, group = 303; 6/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = auth number = 400 size = 5
- { 0/0, group = 303; 7/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map out role = count number = 400 size = 5
- { 0/0, group = 303; 8/32, group = 303; 1.2.3.4/32, group = 606; };
-group-map in role = ipf number = 500 size = 5
- { 0/0, group = 10; 5/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = nat number = 500 size = 5
- { 0/0, group = 10; 6/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = auth number = 500 size = 5
- { 0/0, group = 10; 7/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = count number = 500 size = 5
- { 0/0, group = 10; 8/32, group = 800; 1.2.3.4/32, group = 606; };
diff --git a/contrib/ipfilter/test/expected/ip2 b/contrib/ipfilter/test/expected/ip2
deleted file mode 100644
index 9b0ed2b..0000000
--- a/contrib/ipfilter/test/expected/ip2
+++ /dev/null
@@ -1,2 +0,0 @@
-table role = ipf type = tree name = letters
- { 2.2.2.0/24; ! 2.2.0.0/16; 1.1.1.1/32; };
diff --git a/contrib/ipfilter/test/expected/ipv6.1 b/contrib/ipfilter/test/expected/ipv6.1
deleted file mode 100644
index 9fd5437..0000000
--- a/contrib/ipfilter/test/expected/ipv6.1
+++ /dev/null
@@ -1,4 +0,0 @@
-pass
-pass
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/ipv6.2 b/contrib/ipfilter/test/expected/ipv6.2
deleted file mode 100644
index ba1581b..0000000
--- a/contrib/ipfilter/test/expected/ipv6.2
+++ /dev/null
@@ -1,15 +0,0 @@
-nomatch
-block
-nomatch
-block
---------
-block
-nomatch
-block
-nomatch
---------
-pass
-pass
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/ipv6.3 b/contrib/ipfilter/test/expected/ipv6.3
deleted file mode 100644
index 58cddec..0000000
--- a/contrib/ipfilter/test/expected/ipv6.3
+++ /dev/null
@@ -1,6 +0,0 @@
-pass
-nomatch
-nomatch
-nomatch
-pass
---------
diff --git a/contrib/ipfilter/test/expected/ipv6.5 b/contrib/ipfilter/test/expected/ipv6.5
deleted file mode 100644
index 3133a7f..0000000
--- a/contrib/ipfilter/test/expected/ipv6.5
+++ /dev/null
@@ -1,6 +0,0 @@
-pass
-nomatch
---------
-block
-nomatch
---------
diff --git a/contrib/ipfilter/test/expected/ipv6.6 b/contrib/ipfilter/test/expected/ipv6.6
deleted file mode 100644
index abc0e87..0000000
--- a/contrib/ipfilter/test/expected/ipv6.6
+++ /dev/null
@@ -1,3 +0,0 @@
-pass
-pass
---------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
deleted file mode 100644
index ba0de69..0000000
--- a/contrib/ipfilter/test/expected/l1
+++ /dev/null
@@ -1,49 +0,0 @@
-log in all
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
---------
-pass in on anon0 all head 100
---------
-pass in log quick from 3.3.3.3 to any group 100
---------
-pass in log body quick from 2.2.2.2 to any
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
---------
-pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
---------
-pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
---------
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
---------
diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b
deleted file mode 100644
index c060086..0000000
--- a/contrib/ipfilter/test/expected/l1.b
+++ /dev/null
@@ -1,47 +0,0 @@
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
---------
---------
---------
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
---------
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
---------
-01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
---------
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -AF K-S IN
-01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
-42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
---------
diff --git a/contrib/ipfilter/test/expected/n1 b/contrib/ipfilter/test/expected/n1
deleted file mode 100644
index 537f9bb..0000000
--- a/contrib/ipfilter/test/expected/n1
+++ /dev/null
@@ -1,105 +0,0 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
--------------------------------
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 48(20) 1 10.3.4.5 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 20(20) 34 10.3.4.5 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.5 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.1.1.2
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.5 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
--------------------------------
-ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.2 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.3 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.3,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.3,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.3.4.3 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.4
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.3 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.4 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.4 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n10 b/contrib/ipfilter/test/expected/n10
deleted file mode 100644
index ae541d1..0000000
--- a/contrib/ipfilter/test/expected/n10
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 655d 0000 0204 0064
-
--------------------------------
-4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 61d9 0000 0204 03e8
-
--------------------------------
-4500 002c 10c9 4000 ff06 5c9d cbcb cbcb 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 600d 0000 0204 05b4
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n11 b/contrib/ipfilter/test/expected/n11
deleted file mode 100644
index 5257a64..0000000
--- a/contrib/ipfilter/test/expected/n11
+++ /dev/null
@@ -1,51 +0,0 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 1.6.7.8 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
--------------------------------
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.1.1.0
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
--------------------------------
-ip #0 20(20) 255 10.3.4.0 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.5
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.5
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n12 b/contrib/ipfilter/test/expected/n12
deleted file mode 100644
index 0d5cefb..0000000
--- a/contrib/ipfilter/test/expected/n12
+++ /dev/null
@@ -1,7 +0,0 @@
-4510 0040 2020 4000 4006 9478 c0a8 01bc c0a8 0303 2710 0017 4e33 298e 0000 0000 b002 4000 6ff8 0000 0204 05b4 0101 0402 0103 0300 0101 080a 0c72 549e 0000 0000
-
-4500 003c 00b0 4000 fe06 7964 c0a8 0303 c0a8 7e53 0017 12c2 f674 e02c 4e33 298f a012 2798 7ace 0000 0101 080a 2c05 b797 0c72 549e 0103 0300 0204 05b4
-
-4510 0034 493b 4000 4006 6b69 c0a8 01bc c0a8 0303 2710 0017 4e33 298f f674 e02d 8010 4000 f673 0000 0101 080a 0c72 549e 2c05 b797
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n13 b/contrib/ipfilter/test/expected/n13
deleted file mode 100644
index bfe2018..0000000
--- a/contrib/ipfilter/test/expected/n13
+++ /dev/null
@@ -1,5 +0,0 @@
-ip #0 20(20) 0 203.1.1.23 > 150.1.1.1
-ip #0 20(20) 0 203.1.1.23 > 150.1.1.2
-ip #0 20(20) 0 203.1.1.24 > 150.1.1.2
-ip #0 20(20) 0 203.1.1.25 > 150.1.1.1
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n14 b/contrib/ipfilter/test/expected/n14
deleted file mode 100644
index 4669300..0000000
--- a/contrib/ipfilter/test/expected/n14
+++ /dev/null
@@ -1,5 +0,0 @@
-ip #0 40(20) 6 10.2.2.5,2000 > 10.1.1.254,80
-ip #0 40(20) 6 10.2.2.6,2000 > 10.1.1.253,80
-ip #0 40(20) 6 10.2.2.7,2000 > 10.1.1.254,80
-ip #0 40(20) 6 10.2.2.5,2001 > 10.1.1.254,80
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n16 b/contrib/ipfilter/test/expected/n16
deleted file mode 100644
index da617d9..0000000
--- a/contrib/ipfilter/test/expected/n16
+++ /dev/null
@@ -1,21 +0,0 @@
-4520 0068 17e4 0000 6b11 cbba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-
-4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-
-4500 0084 ee0f 0000 8001 e0a2 ac1f 5318 c05b ac33 0303 4ca1 0000 0000 4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-
-4500 0084 ee0f 0000 8001 4a21 45f8 4fc1 c05b ac33 0303 bf85 0000 0000 4520 0068 17e4 0000 6a11 3639 c05b ac33 45f8 4fc1 1194 94f8 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-
-List of active MAP/Redirect filters:
-rdr vlan0 from any to 69.248.79.193/32 port = 38136 -> 172.31.83.24 port 2013 udp
-
-List of active sessions:
-RDR 172.31.83.24 2013 <- -> 69.248.79.193 38136 [192.91.172.51 4500]
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n2 b/contrib/ipfilter/test/expected/n2
deleted file mode 100644
index 827272e..0000000
--- a/contrib/ipfilter/test/expected/n2
+++ /dev/null
@@ -1,80 +0,0 @@
-ip #0 40(20) 6 10.2.2.2,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.2.2.2,10001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.1.1.3,2000
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n3 b/contrib/ipfilter/test/expected/n3
deleted file mode 100644
index 0e019ae..0000000
--- a/contrib/ipfilter/test/expected/n3
+++ /dev/null
@@ -1,12 +0,0 @@
-ip #0 40(20) 6 192.168.2.1,1488 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,1276 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,1032 > 203.1.1.1,80
-ip #0 28(20) 17 192.168.2.1,1032 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.2.1,65299 > 203.1.1.1,80
--------------------------------
-ip #0 40(20) 6 192.168.1.1,1488 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.1,1276 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.0,1032 > 203.1.1.1,80
-ip #0 28(20) 17 192.168.1.0,1032 > 203.1.1.1,80
-ip #0 40(20) 6 192.168.1.255,65299 > 203.1.1.1,80
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n4 b/contrib/ipfilter/test/expected/n4
deleted file mode 100644
index 863217c..0000000
--- a/contrib/ipfilter/test/expected/n4
+++ /dev/null
@@ -1,66 +0,0 @@
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
--------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
--------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.1.1,23 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.2.2.1,10023
-ip #0 40(20) 6 10.1.0.0,23 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
--------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
-ip #0 28(20) 17 10.1.1.0,53 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.1,53 > 10.3.3.3,12345
--------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
--------------------------------
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 40(20) 6 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12346 > 10.1.0.0,23
-ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53
-ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n5 b/contrib/ipfilter/test/expected/n5
deleted file mode 100644
index 0e578b6..0000000
--- a/contrib/ipfilter/test/expected/n5
+++ /dev/null
@@ -1,330 +0,0 @@
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.2.2.2 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.2.2.2 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.1.1.1
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.2.2.2 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.3.4.5 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.0
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.3.4.5 > 10.1.1.2
-ip #0 20(20) 0 10.3.4.5 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.3.4.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.1 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.3.4.1 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.3.4.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.3.4.2 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.3,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.3,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.3,1025 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
-ip #0 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
-ip #0 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
-ip #0 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
-ip #0 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
-ip #0 20(20) 255 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 20(20) 255 10.2.2.1 > 10.1.2.1
-ip #0 20(20) 255 10.2.2.2 > 10.1.2.1
-ip #0 20(20) 255 10.1.1.1 > 10.1.1.2
-ip #0 20(20) 255 10.1.1.2 > 10.1.1.1
-ip #0 20(20) 255 10.2.2.1 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.2 > 10.2.1.1
-ip #0 20(20) 255 10.2.2.3 > 10.1.1.1
-ip #0 20(20) 255 10.2.3.4 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.1 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.2 > 10.2.2.2
-ip #0 20(20) 255 10.1.1.0 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.1 > 10.3.4.5
-ip #0 20(20) 255 10.1.1.2 > 10.3.4.5
-ip #0 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
-ip #0 48(20) 1 10.1.1.1 > 10.4.3.2
-ip #0 48(20) 1 10.4.3.2 > 10.2.2.2
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.3
-ip #0 48(20) 1 10.4.3.2 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.2
-ip #0 20(20) 34 10.4.3.2 > 10.3.4.4
-ip #0 20(20) 34 10.1.1.2 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.5
-ip #0 20(20) 34 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 34 10.4.3.4 > 10.3.4.6
-ip #0 20(20) 35 10.1.1.3 > 10.4.3.4
-ip #0 20(20) 35 10.4.3.4 > 10.3.4.7
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.0 > 10.1.1.2
-ip #0 20(20) 0 10.1.1.1 > 10.1.2.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
-ip #0 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
-ip #0 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
-ip #0 20(20) 0 10.1.1.1 > 10.1.1.2
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 20(20) 0 10.1.1.2 > 10.1.1.1
-ip #0 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
-ip #0 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
-ip #0 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
-ip #0 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
-ip #0 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
-ip #0 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n6 b/contrib/ipfilter/test/expected/n6
deleted file mode 100644
index cbdad9f..0000000
--- a/contrib/ipfilter/test/expected/n6
+++ /dev/null
@@ -1,70 +0,0 @@
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
--------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
--------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
--------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
--------------------------------
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
-ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
-ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
-ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
-ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n7 b/contrib/ipfilter/test/expected/n7
deleted file mode 100644
index eb23534..0000000
--- a/contrib/ipfilter/test/expected/n7
+++ /dev/null
@@ -1,30 +0,0 @@
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
-ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
-ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
-ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
-ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
-ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
-ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
--------------------------------
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10023
-ip #0 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
-ip #0 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
-ip #0 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
-ip #0 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
-ip #0 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
--------------------------------
-ip #0 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
-ip #0 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
-ip #0 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
-ip #0 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
-ip #0 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
-ip #0 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
-ip #0 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
-ip #0 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
-ip #0 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n8 b/contrib/ipfilter/test/expected/n8
deleted file mode 100644
index d3e061d..0000000
--- a/contrib/ipfilter/test/expected/n8
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 8bc1 0000 ff01 13d5 0a0a 0a01 0404 0404 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/n9 b/contrib/ipfilter/test/expected/n9
deleted file mode 100644
index 917105f..0000000
--- a/contrib/ipfilter/test/expected/n9
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efdf 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7df 6220 0000 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 8bc1 0000 ff01 17d9 0202 0202 0a0a 0a01 0800 efde 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
-4500 0054 3fd5 4000 ff01 2fc8 0404 0404 0202 0202 0000 f7de 6220 0001 3f6f 6e80 000b 0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni1 b/contrib/ipfilter/test/expected/ni1
deleted file mode 100644
index d4e2de2..0000000
--- a/contrib/ipfilter/test/expected/ni1
+++ /dev/null
@@ -1,19 +0,0 @@
-4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3
-
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 5773 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10
-
-4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 afc9 829e 0014 6b10 0402 0000 3be5 468d 000a cfc3
-
-4500 0028 0001 4000 0111 65b0 0606 0607 0404 0404 4e20 829e 0014 c4b0 0402 0000 3be5 468d 000a cfc3
-
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 5773 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 0800 829e 0014 12da
-
-4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 0800 829e 0014 12da 0402 0000 3be5 468d 000a cfc3
-
-4500 0028 0002 4000 0111 65ae 0606 0608 0404 0404 07d0 829e 0014 0b00 0402 0000 3be5 468d 000a cfc3
-
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0b00 ff6a 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 5000 829e 0014 22e2
-
-4500 0044 809a 0000 ff01 3115 0303 0303 0202 0202 0b00 0131 0000 0000 4500 0028 0000 4000 0111 6dba 0202 0202 0404 0404 5000 829e 0014 cad9 0402 0000 3be5 468d 000a cfc3
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni10 b/contrib/ipfilter/test/expected/ni10
deleted file mode 100644
index 3ee63fb..0000000
--- a/contrib/ipfilter/test/expected/ni10
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001
-
-4500 0058 0001 0000 ff01 af98 0202 0202 0404 0404 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni11 b/contrib/ipfilter/test/expected/ni11
deleted file mode 100644
index 88d6406..0000000
--- a/contrib/ipfilter/test/expected/ni11
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
-
-4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni12 b/contrib/ipfilter/test/expected/ni12
deleted file mode 100644
index 7d24a49..0000000
--- a/contrib/ipfilter/test/expected/ni12
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001
-
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni13 b/contrib/ipfilter/test/expected/ni13
deleted file mode 100644
index 897bef3..0000000
--- a/contrib/ipfilter/test/expected/ni13
+++ /dev/null
@@ -1,63 +0,0 @@
-4500 0030 5e11 4000 8006 3961 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-4500 002c 0000 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4
-
-4500 00c4 5e12 4000 8006 38cc c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00c4 0001 4000 4006 d6dd c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00d0 5e13 4000 8006 38bf c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0048 0002 4000 4006 d758 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000
-
-4500 0040 5e14 4000 8006 394e c0a8 7101 c0a8 7103 05e7 06bb abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff
-
-4500 0039 5e15 0000 802f 792b c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06
-
-4500 0020 0003 0000 ff2f 5856 c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-4500 0028 0004 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000
-
-4500 0038 0005 0000 ff2f 583c c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 002f 0006 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06
-
-4500 003c 5e16 0000 802f 7927 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 0036 5e17 0000 802f 792c c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 003a 0007 0000 ff2f 5838 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 0032 0008 0000 ff2f 583f c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01
-
-4500 0040 5e18 4000 8006 394a c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff
-
-4500 0038 5e19 0000 802f 7928 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 0009 0000 ff2f 5832 c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 5e1a 0000 802f 7921 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0044 000a 0000 ff2f 582b c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0030 5e1b 0000 802f 792e c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001
-
-4500 002a 000b 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004
-
-4500 002c 000c 0000 ff2f 5841 c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001
-
-4500 0048 5e1c 0000 802f 7915 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0042 000d 0000 ff2f 582a c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0030 5e1d 0000 802f 792c c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01
-
-4500 0030 000e 0000 ff2f 583b c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001
-
-4500 002a 5e1e 0000 802f 7931 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004
-
-4500 0032 5e1f 0000 802f 7928 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc
-
-4500 002a 000f 0000 ff2f 5840 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni14 b/contrib/ipfilter/test/expected/ni14
deleted file mode 100644
index 5ad5a1b..0000000
--- a/contrib/ipfilter/test/expected/ni14
+++ /dev/null
@@ -1,63 +0,0 @@
-4500 0030 5e11 4000 8006 ec0b c0a8 7101 7f00 0001 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 d44b 0000 0204 05b4 0101 0402
-
-4500 002c 0000 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4
-
-4500 00c4 5e12 4000 8006 eb76 c0a8 7101 7f00 0001 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 954b 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00c4 0001 4000 4006 d6dd c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00d0 5e13 4000 8006 eb69 c0a8 7101 7f00 0001 05e7 06bb abf0 4b42 a564 6977 5018 fa54 5eb2 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0048 0002 4000 4006 d758 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000
-
-4500 0040 5e14 4000 8006 ebf8 c0a8 7101 7f00 0001 05e7 06bb abf0 4bea a564 6997 5018 fa34 9abb 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff
-
-4500 0039 5e15 0000 802f 2bd6 c0a8 7101 7f00 0001 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06
-
-4500 0020 0003 0000 ff2f 5856 c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-4500 0028 0004 4000 4006 d776 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000
-
-4500 0038 0005 0000 ff2f 583c c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 002f 0006 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06
-
-4500 003c 5e16 0000 802f 2bd2 c0a8 7101 7f00 0001 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 0036 5e17 0000 802f 2bd7 c0a8 7101 7f00 0001 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 003a 0007 0000 ff2f 5838 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 0032 0008 0000 ff2f 583f c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01
-
-4500 0040 5e18 4000 8006 ebf4 c0a8 7101 7f00 0001 05e7 06bb abf0 4c02 a564 6997 5018 fa34 9aa3 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff
-
-4500 0038 5e19 0000 802f 2bd3 c0a8 7101 7f00 0001 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 0009 0000 ff2f 5832 c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 5e1a 0000 802f 2bcc c0a8 7101 7f00 0001 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0044 000a 0000 ff2f 582b c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0030 5e1b 0000 802f 2bd9 c0a8 7101 7f00 0001 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001
-
-4500 002a 000b 0000 ff2f 5844 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004
-
-4500 002c 000c 0000 ff2f 5841 c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001
-
-4500 0048 5e1c 0000 802f 2bc0 c0a8 7101 7f00 0001 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0042 000d 0000 ff2f 582a c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0030 5e1d 0000 802f 2bd7 c0a8 7101 7f00 0001 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01
-
-4500 0030 000e 0000 ff2f 583b c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001
-
-4500 002a 5e1e 0000 802f 2bdc c0a8 7101 7f00 0001 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004
-
-4500 0032 5e1f 0000 802f 2bd3 c0a8 7101 7f00 0001 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc
-
-4500 002a 000f 0000 ff2f 5840 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni15 b/contrib/ipfilter/test/expected/ni15
deleted file mode 100644
index 3820d56..0000000
--- a/contrib/ipfilter/test/expected/ni15
+++ /dev/null
@@ -1,63 +0,0 @@
-4500 0030 0000 4000 8006 9772 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-4500 002c 69a6 4000 4006 6dd0 c0a8 7103 c0a8 7101 06bb 05e7 a564 68da abf0 4aa6 6012 8000 a348 0000 0204 05b4
-
-4500 00c4 0001 4000 8006 96dd c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00c4 69a7 4000 4006 6d37 c0a8 7103 c0a8 7101 06bb 05e7 a564 68db abf0 4b42 5018 832c cecf 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00d0 0002 4000 8006 96d0 c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0048 69a8 4000 4006 6db2 c0a8 7103 c0a8 7101 06bb 05e7 a564 6977 abf0 4bea 5018 832c 36fa 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000
-
-4500 0040 0003 4000 8006 975f c0a8 7101 c0a8 7103 05e7 06bb abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff
-
-4500 0039 0004 0000 802f d73c c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06
-
-4500 0020 69a9 0000 ff2f eeaf c0a8 7103 c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-4500 0028 69aa 4000 4006 6dd0 c0a8 7103 c0a8 7101 06bb 05e7 a564 6997 abf0 4c02 5010 832c b5c1 0000
-
-4500 0038 69ab 0000 ff2f ee95 c0a8 7103 c0a8 7101 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 002f 69ac 0000 ff2f ee9d c0a8 7103 c0a8 7101 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06
-
-4500 003c 0005 0000 802f d738 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 0036 0006 0000 802f d73d c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 003a 69ad 0000 ff2f ee91 c0a8 7103 c0a8 7101 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 0032 69ae 0000 ff2f ee98 c0a8 7103 c0a8 7101 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01
-
-4500 0040 0007 4000 8006 975b c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff
-
-4500 0038 0008 0000 802f d739 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 69af 0000 ff2f ee8b c0a8 7103 c0a8 7101 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 0009 0000 802f d732 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0044 69b0 0000 ff2f ee84 c0a8 7103 c0a8 7101 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0030 000a 0000 802f d73f c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001
-
-4500 002a 69b1 0000 ff2f ee9d c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004
-
-4500 002c 69b2 0000 ff2f ee9a c0a8 7103 c0a8 7101 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001
-
-4500 0048 000b 0000 802f d726 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0042 69b3 0000 ff2f ee83 c0a8 7103 c0a8 7101 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0030 000c 0000 802f d73d c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01
-
-4500 0030 69b4 0000 ff2f ee94 c0a8 7103 c0a8 7101 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001
-
-4500 002a 000d 0000 802f d742 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004
-
-4500 0032 000e 0000 802f d739 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc
-
-4500 002a 69b5 0000 ff2f ee99 c0a8 7103 c0a8 7101 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni16 b/contrib/ipfilter/test/expected/ni16
deleted file mode 100644
index 2c34f5c..0000000
--- a/contrib/ipfilter/test/expected/ni16
+++ /dev/null
@@ -1,63 +0,0 @@
-4500 0030 0000 4000 8006 9772 c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa5 0000 0000 7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-4500 002c 69a6 4000 4006 9376 c0a8 7103 0a02 0202 06bb 05e7 a564 68da abf0 4aa6 6012 8000 c8ee 0000 0204 05b4
-
-4500 00c4 0001 4000 8006 96dd c0a8 7101 c0a8 7103 05e7 06bb abf0 4aa6 a564 68db 5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d 0001 0000 0100 0000 0000 0001 0000 0001 0000 0a28 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4d69 6372 6f73 6f66 7420 5769 6e64 6f77 7320 4e54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00c4 69a7 4000 4006 92dd c0a8 7103 0a02 0202 06bb 05e7 a564 68db abf0 4b42 5018 832c f475 0000 009c 0001 1a2b 3c4d 0002 0000 0100 0100 0000 0000 0000 0000 0001 0001 6c6f 6361 6c00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6c69 6e75 7800 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 00d0 0002 4000 8006 96d0 c0a8 7101 c0a8 7103 05e7 06bb abf0 4b42 a564 6977 5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d 0007 0000 4000 1331 0000 012c 05f5 e100 0000 0003 0000 0003 0040 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0048 69a8 4000 4006 9358 c0a8 7103 0a02 0202 06bb 05e7 a564 6977 abf0 4bea 5018 832c 5ca0 0000 0020 0001 1a2b 3c4d 0008 0000 0000 4000 0100 0000 05f5 e100 0040 0000 0000 0000
-
-4500 0040 0003 4000 8006 975f c0a8 7101 c0a8 7103 05e7 06bb abf0 4bea a564 6997 5018 fa34 e810 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 ffff ffff ffff ffff
-
-4500 0039 0004 0000 802f d73c c0a8 7101 c0a8 7103 3001 880b 0019 0000 0000 0000 ff03 c021 0100 0015 0104 0578 0506 577f 7c5b 0702 0802 0d03 06
-
-4500 0020 69a9 0000 ff2f 1456 c0a8 7103 0a02 0202 2081 880b 0000 4000 ffff ffff
-
-4500 0028 69aa 4000 4006 9376 c0a8 7103 0a02 0202 06bb 05e7 a564 6997 abf0 4c02 5010 832c db67 0000
-
-4500 0038 69ab 0000 ff2f 143c c0a8 7103 0a02 0202 3001 880b 0018 4000 0000 0000 ff03 c021 0101 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 002f 69ac 0000 ff2f 1444 c0a8 7103 0a02 0202 3081 880b 000b 4000 0000 0001 0000 0000 ff03 c021 0400 0007 0d03 06
-
-4500 003c 0005 0000 802f d738 c0a8 7101 c0a8 7103 3081 880b 0018 0000 0000 0001 0000 0001 ff03 c021 0201 0014 0206 0000 0000 0506 22d9 0cfa 0702 0802
-
-4500 0036 0006 0000 802f d73d c0a8 7101 c0a8 7103 3001 880b 0016 0000 0000 0002 ff03 c021 0101 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 003a 69ad 0000 ff2f 1438 c0a8 7103 0a02 0202 3081 880b 0016 4000 0000 0002 0000 0002 ff03 c021 0201 0012 0104 0578 0506 577f 7c5b 0702 0802
-
-4500 0032 69ae 0000 ff2f 143f c0a8 7103 0a02 0202 3001 880b 0012 4000 0000 0003 8021 0101 0010 0306 c0a8 0001 0206 002d 0f01
-
-4500 0040 0007 4000 8006 975b c0a8 7101 c0a8 7103 05e7 06bb abf0 4c02 a564 6997 5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d 000f 0000 0000 0000 0000 0000 ffff ffff
-
-4500 0038 0008 0000 802f d739 c0a8 7101 c0a8 7103 3081 880b 0014 0000 0000 0003 0000 0003 c021 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 69af 0000 ff2f 1432 c0a8 7103 0a02 0202 3081 880b 001a 4000 0000 0004 0000 0003 ff03 c021 0702 0016 0c02 0012 577f 7c5b 4d53 5241 5356 352e 3130
-
-4500 003e 0009 0000 802f d732 c0a8 7101 c0a8 7103 3081 880b 001a 0000 0000 0004 0000 0004 c021 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0044 69b0 0000 ff2f 142b c0a8 7103 0a02 0202 3081 880b 0020 4000 0000 0005 0000 0004 ff03 c021 0703 001c 0c03 0018 577f 7c5b 4d53 5241 532d 302d 434c 4159 4d4f 4f52
-
-4500 0030 000a 0000 802f d73f c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0005 0000 0005 80fd 0104 000a 1206 0100 0001
-
-4500 002a 69b1 0000 ff2f 1444 c0a8 7103 0a02 0202 3081 880b 0006 4000 0000 0006 0000 0005 80fd 0101 0004
-
-4500 002c 69b2 0000 ff2f 1441 c0a8 7103 0a02 0202 3001 880b 000c 4000 0000 0007 80fd 0404 000a 1206 0100 0001
-
-4500 0048 000b 0000 802f d726 c0a8 7101 c0a8 7103 3081 880b 0024 0000 0000 0006 0000 0007 8021 0105 0022 0306 0000 0000 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0042 69b3 0000 ff2f 142a c0a8 7103 0a02 0202 3081 880b 001e 4000 0000 0008 0000 0006 8021 0405 001c 8106 0000 0000 8206 0000 0000 8306 0000 0000 8406 0000 0000
-
-4500 0030 000c 0000 802f d73d c0a8 7101 c0a8 7103 3081 880b 000c 0000 0000 0007 0000 0008 8021 0401 000a 0206 002d 0f01
-
-4500 0030 69b4 0000 ff2f 143b c0a8 7103 0a02 0202 3081 880b 000c 4000 0000 0009 0000 0007 8021 0102 000a 0306 c0a8 0001
-
-4500 002a 000d 0000 802f d742 c0a8 7101 c0a8 7103 3081 880b 0006 0000 0000 0008 0000 0009 80fd 0201 0004
-
-4500 0032 000e 0000 802f d739 c0a8 7101 c0a8 7103 3001 880b 0012 0000 0000 0009 80fd 0506 0010 577f 7c5b 003c cd74 0000 02dc
-
-4500 002a 69b5 0000 ff2f 1440 c0a8 7103 0a02 0202 3081 880b 0006 4000 0000 000a 0000 0009 80fd 0606 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni19 b/contrib/ipfilter/test/expected/ni19
deleted file mode 100644
index fa40771..0000000
--- a/contrib/ipfilter/test/expected/ni19
+++ /dev/null
@@ -1,49 +0,0 @@
-4500 0040 e3fc 4000 4006 40b5 0a01 0101 0a01 0104 03f1 0202 6523 90b2 0000 0000 b002 8000 a431 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000
-
-4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302
-
-4500 0028 e3fd 4000 4006 40cc 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5010 832c e3b7 0000
-
-4500 002d e3fe 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90b3 915a a5c5 5018 832c 8242 0000 3130 3038 00
-
-4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000
-
-4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302
-
-4500 0040 e3ff 4000 4006 40b2 0a01 0101 0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 452f 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101
-
-4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000
-
-4500 0030 e400 4000 4006 40c1 0a01 0101 0a01 0104 03f1 0202 6523 90b8 915a a5c5 5018 832c 3560 0000 6461 7272 656e 7200
-
-4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000
-
-4500 0053 e401 4000 4006 409d 0a01 0101 0a01 0104 03f1 0202 6523 90c0 915a a5c5 5018 832c cce7 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00
-
-4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000
-
-4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00
-
-4500 0028 e403 4000 4006 40c6 0a01 0101 0a01 0104 03f1 0202 6523 90eb 915a a5c6 5010 832c e37e 0000
-
-4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a
-
-4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a
-
-4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000
-
-4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
-
-4500 0028 e404 4000 4006 1a1b c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5010 8328 bcd3 0000
-
-4500 0034 e405 4000 4006 1a0e c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 57d7 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 e40a 4000 4006 1a15 c0a8 7103 0a01 0104 03f1 0202 6523 90eb 915a a5cb 5011 832c bcce 0000
-
-4500 0034 e40b 4000 4006 1a08 c0a8 7103 0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 57d2 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 0004 4000 4006 fe1b 0a01 0104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 3a47 0000
-
-4500 0034 118e 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 d548 0000 0101 080a 0039 dd6e 0000 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni2 b/contrib/ipfilter/test/expected/ni2
deleted file mode 100644
index e2a7eb8..0000000
--- a/contrib/ipfilter/test/expected/ni2
+++ /dev/null
@@ -1,19 +0,0 @@
-4510 002c 0000 4000 3e06 78df 0101 0101 c0a8 0133 9c40 0077 a664 2485 0000 0000 6002 4000 2ca8 0000 0204 05b4
-
-4500 002c ce83 4000 7e06 606b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a21 a664 2486 6012 2238 c0a8 0000 0204 05b4
-
-4510 0028 0001 4000 3e06 78e2 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a22 5010 4470 29e3 0000
-
-4500 005b cf83 4000 7e06 5f3c c0a8 0133 0a01 0201 0077 05f6 fbdf 1a22 a664 2486 5018 2238 ce2a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0a
-
-4510 0028 0002 4000 3e06 78e1 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5010 4470 29b0 0000
-
-4510 002e 0003 4000 3e06 78da 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 1c98 0000 0000 0000 0d0a
-
-4500 0048 e383 4000 7e06 4b4f c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 d80a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f2d 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 
3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0038 0004 4000 4001 76e4 0101 0101 c0a8 0133 0304 9dea 0000 05a0 4500 05dc e483 4000 7e06 4ebb c0a8 0133 0101 0101 0077 9c40 fbdf 1a75
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni20 b/contrib/ipfilter/test/expected/ni20
deleted file mode 100644
index 6001a5a..0000000
--- a/contrib/ipfilter/test/expected/ni20
+++ /dev/null
@@ -1,49 +0,0 @@
-4500 0040 e3fc 4000 4006 f362 c0a8 7103 c0a8 7104 03f1 0202 6523 90b2 0000 0000 b002 8000 56df 0000 0204 05b4 0103 0300 0402 0101 0101 080a 0000 0000 0000 0000
-
-4500 0034 0000 4000 4006 fe13 0a01 0104 c0a8 7103 0202 03f1 915a a5c4 6523 90b3 8012 16d0 e89c 0000 0204 05b4 0101 0402 0103 0302
-
-4500 0028 e3fd 4000 4006 f379 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5010 832c 9665 0000
-
-4500 002d e3fe 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90b3 915a a5c5 5018 832c 34f0 0000 3130 3038 00
-
-4500 0028 7ce5 4000 4006 813a 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90b8 5010 05b4 3a81 0000
-
-4500 003c 1186 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000 a002 16d0 b8c0 0000 0204 05b4 0402 080a 0039 d924 0000 0000 0103 0302
-
-4500 0040 e3ff 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b810 91d4 c8a3 b012 8000 f7dc 0000 0204 05b4 0103 0300 0101 080a 0000 0000 0039 d924 0402 0101
-
-4500 0034 1188 4000 4006 ec8b 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8010 05b4 d99b 0000 0101 080a 0039 d925 0000 0000
-
-4500 0030 e400 4000 4006 f36e c0a8 7103 c0a8 7104 03f1 0202 6523 90b8 915a a5c5 5018 832c e80d 0000 6461 7272 656e 7200
-
-4500 0028 7ce7 4000 4006 8138 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90c0 5010 05b4 3a79 0000
-
-4500 0053 e401 4000 4006 f34a c0a8 7103 c0a8 7104 03f1 0202 6523 90c0 915a a5c5 5018 832c 7f95 0000 6461 7272 656e 7200 7368 202d 6320 2265 6368 6f20 666f 6f20 3e26 313b 2065 6368 6f20 6261 7220 3e26 3222 00
-
-4500 0028 7ce9 4000 4006 8136 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5010 05b4 3a4e 0000
-
-4500 0029 7ceb 4000 4006 8133 0a01 0104 c0a8 7103 0202 03f1 915a a5c5 6523 90eb 5018 05b4 3a45 0000 00
-
-4500 0028 e403 4000 4006 f373 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5c6 5010 832c 962c 0000
-
-4500 002c 7ced 4000 4006 812e 0a01 0104 c0a8 7103 0202 03f1 915a a5c6 6523 90eb 5018 05b4 64c7 0000 666f 6f0a
-
-4500 0038 118a 4000 4006 ec85 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811 8018 05b4 00dd 0000 0101 080a 0039 dd6c 0000 0000 6261 720a
-
-4500 0028 7cef 4000 4006 8130 0a01 0104 c0a8 7103 0202 03f1 915a a5ca 6523 90eb 5011 05b4 3a48 0000
-
-4500 0034 118c 4000 4006 ec87 0a01 0104 c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811 8011 05b4 d54e 0000 0101 080a 0039 dd6d 0000 0000
-
-4500 0028 e404 4000 4006 f372 c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5010 8328 962b 0000
-
-4500 0034 e405 4000 4006 f365 c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8010 8328 312f 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 e40a 4000 4006 f36c c0a8 7103 c0a8 7104 03f1 0202 6523 90eb 915a a5cb 5011 832c 9626 0000
-
-4500 0034 e40b 4000 4006 f35f c0a8 7103 c0a8 7104 03f0 03ff 66e5 b811 91d4 c8a8 8011 832c 312a 0000 0101 080a 0000 0004 0039 dd6c
-
-4500 0028 0004 4000 4006 d773 c0a8 7104 c0a8 7103 0202 03f1 915a a5cb 6523 90ec 5010 05b4 139f 0000
-
-4500 0034 118e 4000 4006 c5dd c0a8 7104 c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812 8010 05b4 aea0 0000 0101 080a 0039 dd6e 0000 0004
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni21 b/contrib/ipfilter/test/expected/ni21
deleted file mode 100644
index 349ae23..0000000
--- a/contrib/ipfilter/test/expected/ni21
+++ /dev/null
@@ -1,4 +0,0 @@
-ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
-ip #0 20(20) 0 3.3.3.3 > 2.2.2.2
-ip #0 20(20) 0 4.4.4.4 > 3.3.3.3
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni23 b/contrib/ipfilter/test/expected/ni23
deleted file mode 100644
index 24909b0..0000000
--- a/contrib/ipfilter/test/expected/ni23
+++ /dev/null
@@ -1,29 +0,0 @@
-ip #0 28(20) 17 4.4.4.4,6700 > 2.2.2.2,4500
-ip #0 28(20) 17 2.2.2.2,4500 > 3.3.3.1,6700
-ip #0 28(20) 17 1.1.2.3,4500 > 3.3.3.1,6700
-List of active MAP/Redirect filters:
-rdr le0,bge0 1.1.0.0/16 -> 2.2.2.2 ip
-map hme0,ppp0 3.3.3.0/24 -> 4.4.4.4/32
-
-List of active sessions:
-MAP 3.3.3.1 6700 <- -> 4.4.4.4 6700 [2.2.2.2 4500]
-RDR 2.2.2.2 4500 <- -> 1.1.2.3 4500 [3.3.3.1 6700]
-
-Hostmap table:
-3.3.3.1,2.2.2.2 -> 4.4.4.4 (use = 1 hv = 0)
-List of active state sessions:
-3.3.3.1 -> 2.2.2.2 pass 0x40008402 pr 17 state 0/0
- tag 0 ttl 24 6700 -> 4500
- forward: pkts in 1 bytes in 28 pkts out 1 bytes out 28
- backward: pkts in 1 bytes in 28 pkts out 1 bytes out 28
- pass in keep state IPv4
- pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0, ffffffff = 0
- pkt_security & ffff = 0, pkt_auth & ffff = 0
- is_flx 0x8001 0x8001 0x8001 0x1
- interfaces: in X[le0],X[hme0] out X[ppp0],X[bge0]
- Sync status: not synchronized
-List of configured pools
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni3 b/contrib/ipfilter/test/expected/ni3
deleted file mode 100644
index 107d5d9..0000000
--- a/contrib/ipfilter/test/expected/ni3
+++ /dev/null
@@ -1,7 +0,0 @@
-4500 003c 0000 4000 ff06 67a8 0606 0606 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
-
-4500 0058 809a 0000 ff01 3101 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni4 b/contrib/ipfilter/test/expected/ni4
deleted file mode 100644
index c9f7504..0000000
--- a/contrib/ipfilter/test/expected/ni4
+++ /dev/null
@@ -1,7 +0,0 @@
-4500 003c 0000 4000 ff06 67a8 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 809a 0000 ff01 3121 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
-
-4500 0058 809a 0000 ff01 3101 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni5 b/contrib/ipfilter/test/expected/ni5
deleted file mode 100644
index e713cf2..0000000
--- a/contrib/ipfilter/test/expected/ni5
+++ /dev/null
@@ -1,103 +0,0 @@
-4500 002c 0000 4000 ff06 02fc 0101 0101 96cb e002 8032 0015 bd6b c9c8 0000 0000 6002 2238 f5a2 0000 0204 05b4
-
-4500 002c ffdd 4000 ef06 5374 96cb e002 c0a8 0103 0015 8032 3786 76c4 bd6b c9c9 6012 269c 8369 0000 0204 0584
-
-4500 0028 0001 4000 ff06 02ff 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 76c5 5010 269c 5aa0 0000
-
-4500 006f ffde 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 76c5 bd6b c9c9 5018 269c 967e 0000 3232 302d 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 7520 4e63 4654 5064 2053 6572 7665 7220 2866 7265 6520 6564 7563 6174 696f 6e61 6c20 6c69 6365 6e73 6529 2072 6561 6479 2e0d 0a
-
-4500 0028 0002 4000 ff06 02fe 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 770c 5010 269c 5a59 0000
-
-4500 00c7 ffdf 4000 ef06 52d7 96cb e002 c0a8 0103 0015 8032 3786 770c bd6b c9c9 5018 269c 1087 0000 3232 302d 0d0a 3232 302d 4d61 696e 7461 696e 6564 2062 7920 5253 5353 2061 6e64 2052 5350 4153 2049 5420 5374 6166 6620 2870 7265 7669 6f75 736c 7920 6b6e 6f77 6e20 6173 2043 6f6f 6d62 7320 436f 6d70 7574 696e 6720 556e 6974 290d 0a32 3230 2d41 6e79 2070 726f 626c 656d 7320 636f 6e74 6163 7420 6674 706d 6173 7465 7240 636f 6f6d 6273 2e61 6e75 2e65 6475 2e61 750d 0a32 3230 2d0d 0a32 3230 200d 0a
-
-4500 0028 0003 4000 ff06 02fd 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5010 269c 59ba 0000
-
-4500 0038 0004 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b c9c9 3786 77ab 5018 269c d1c5 0000 5553 4552 2061 6e6f 6e79 6d6f 7573 0d0a
-
-4500 0028 ffe0 4000 ef06 5375 96cb e002 c0a8 0103 0015 8032 3786 77ab bd6b c9d9 5010 269c 9a00 0000
-
-4500 006c ffe1 4000 ef06 5330 96cb e002 c0a8 0103 0015 8032 3786 77ab bd6b c9d9 5018 269c b00f 0000 3333 3120 4775 6573 7420 6c6f 6769 6e20 6f6b 2c20 7365 6e64 2079 6f75 7220 636f 6d70 6c65 7465 2065 2d6d 6169 6c20 6164 6472 6573 7320 6173 2070 6173 7377 6f72 642e 0d0a
-
-4500 0028 0005 4000 ff06 02fb 0101 0101 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5010 269c 5966 0000
-
-4500 0036 0006 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b c9d9 3786 77ef 5018 269c 373f 0000 5041 5353 2061 7661 6c6f 6e40 0d0a
-
-4500 005f ffe2 4000 ef06 533c 96cb e002 c0a8 0103 0015 8032 3786 77ef bd6b c9e7 5018 269c 895e 0000 3233 302d 596f 7520 6172 6520 7573 6572 2023 3420 6f66 2035 3020 7369 6d75 6c74 616e 656f 7573 2075 7365 7273 2061 6c6c 6f77 6564 2e0d 0a
-
-4500 0028 0007 4000 ff06 02f9 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7826 5010 269c 5921 0000
-
-4500 0099 ffe3 4000 ef06 5301 96cb e002 c0a8 0103 0015 8032 3786 7826 bd6b c9e7 5018 269c d399 0000 3233 302d 0d0a 3233 302d 0d0a 3233 302d 4869 2e20 2057 6527 7265 2063 6c65 616e 696e 6720 7570 2e20 2041 6e79 2066 6565 6462 6163 6b20 6d6f 7374 2077 656c 636f 6d65 2e20 3130 2041 7567 2030 300d 0a32 3330 2d0d 0a32 3330 204c 6f67 6765 6420 696e 2061 6e6f 6e79 6d6f 7573 6c79 2e0d 0a
-
-4500 0028 0008 4000 ff06 02f8 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7897 5010 269c 58b0 0000
-
-4500 0030 0009 4000 ff06 02ef 0101 0101 96cb e002 8032 0015 bd6b c9e7 3786 7897 5018 269c 86ae 0000 5459 5045 2049 0d0a
-
-4500 0038 ffe4 4000 ef06 5361 96cb e002 c0a8 0103 0015 8032 3786 7897 bd6b c9ef 5018 269c 5fae 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a
-
-4500 0028 000a 4000 ff06 02f6 0101 0101 96cb e002 8032 0015 bd6b c9ef 3786 78a7 5010 269c 5898 0000
-
-4500 003d 000b 4000 ff06 02e0 0101 0101 96cb e002 8032 0015 bd6b c9ef 3786 78a7 5018 269c 4b67 0000 504f 5254 2031 2c31 2c31 2c31 2c31 3238 2c35 310d 0a
-
-4500 0046 ffe5 4000 ef06 5352 96cb e002 c0a8 0103 0015 8032 3786 78a7 bd6b ca0c 5018 269c dbc3 0000 3230 3020 504f 5254 2063 6f6d 6d61 6e64 2073 7563 6365 7373 6675 6c2e 0d0a
-
-4500 0030 000c 4000 ff06 02ec 0101 0101 96cb e002 8032 0015 bd6b ca04 3786 78c5 5018 269c 866b 0000 5459 5045 2041 0d0a
-
-4500 0038 ffe6 4000 ef06 535f 96cb e002 c0a8 0103 0015 8032 3786 78c5 bd6b ca14 5018 269c 5f5b 0000 3230 3020 5479 7065 206f 6b61 792e 0d0a
-
-4500 002e 000d 4000 ff06 02ed 0101 0101 96cb e002 8032 0015 bd6b ca0c 3786 78d5 5018 269c a994 0000 4e4c 5354 0d0a
-
-4500 002c ffe7 4000 ef06 536a 96cb e002 c0a8 0103 0014 8033 d9f8 11d4 0000 0000 6002 2238 d190 0000 0204 0584
-
-4500 002c 000e 4000 ff06 02ee 0101 0101 96cb e002 8033 0014 bd78 5c12 d9f8 11d5 6012 02f8 96de 0000 0204 0584
-
-4500 0028 ffe8 4000 ef06 536d 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5010 269c cb1d 0000
-
-4500 005d ffe9 4000 ef06 5337 96cb e002 c0a8 0103 0015 8032 3786 78d5 bd6b ca1a 5018 269c eed0 0000 3135 3020 4f70 656e 696e 6720 4153 4349 4920 6d6f 6465 2064 6174 6120 636f 6e6e 6563 7469 6f6e 2066 6f72 202f 6269 6e2f 6c73 2e0d 0a
-
-4500 0028 000f 4000 ff06 02f1 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 11d5 5010 6348 4e1b 0000
-
-4500 003d 0010 4000 ff06 02db 0101 0101 96cb e002 8032 0015 bd6b ca12 3786 78d5 5018 269c 4a16 0000 504f 5254 2031 2c31 2c31 2c31 2c31 3238 2c35 320d 0a
-
-4500 0046 ffea 4000 ef06 534d 96cb e002 c0a8 0103 0015 8032 3786 78d5 bd6b ca37 5018 269c db6a 0000 3230 3020 504f 5254 2063 6f6d 6d61 6e64 2073 7563 6365 7373 6675 6c2e 0d0a
-
-4500 0030 0011 4000 ff06 02e7 0101 0101 96cb e002 8032 0015 bd6b ca27 3786 78f3 5018 269c 861a 0000 5459 5045 2041 0d0a
-
-4500 0038 ffeb 4000 ef06 535a 96cb e002 c0a8 0103 0015 8032 3786 78f3 bd6b ca3f 5018 269c 5ef2 0000 3230 3020 5479 7065 206f 6b61 793e 0d0a
-
-4500 002e 0012 4000 ff06 02e8 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 7903 5018 269c a943 0000 4e4c 5354 0d0a
-
-4500 002c ffec 4000 ef06 5365 96cb e002 c0a8 0103 0014 8034 d9f8 11d4 0000 0000 6002 2238 d18f 0000 0204 0584
-
-4500 002c 0013 4000 ff06 02e9 0101 0101 96cb e002 8034 0014 bd78 5c12 d9f8 11d5 6012 02f8 96dd 0000 0204 0584
-
-4500 0028 ffec 4000 ef06 5369 96cb e002 c0a8 0103 0014 8034 d9f8 11d4 0000 0000 5010 2238 e90d 0000
-
-4500 0063 ffed 4000 ef06 532d 96cb e002 c0a8 0103 0014 8033 d9f8 11d5 bd78 5c13 5018 269c a315 0000 636f 6f6d 6273 7061 7065 7273 0d0a 6465 7074 730d 0a66 6f75 6e64 2d66 696c 6573 0d0a 696e 636f 6d69 6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075 620d 0a
-
-4500 0028 0014 4000 ff06 02ec 0101 0101 96cb e002 8033 0014 bd78 5c13 d9f8 1210 5010 6348 4de0 0000
-
-4500 0028 ffee 4000 ef06 5367 96cb e002 c0a8 0103 0014 8033 d9f8 1210 bd78 5c13 5011 269c cae1 0000
-
-4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5010 6348 8e35 0000
-
-4500 0028 10dd 4000 ff06 3279 c0a8 0103 96cb e002 8033 0014 bd78 5c13 d9f8 1211 5011 6348 8e34 0000
-
-4500 0028 ffef 4000 ef06 5366 96cb e002 c0a8 0103 0014 8033 d9f8 1211 bd78 5c14 5010 269c cae0 0000
-
-4500 0040 fff0 4000 ef06 534d 96cb e002 c0a8 0103 0015 8032 3786 7903 bd6b ca3f 5018 269c 7c80 0000 3232 3620 4c69 7374 696e 6720 636f 6d70 6c65 7465 642e 0d0a
-
-4500 0028 0015 4000 ff06 02eb 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5010 269c 57e4 0000
-
-4500 002e 0016 4000 ff06 02e4 0101 0101 96cb e002 8032 0015 bd6b ca2f 3786 791b 5018 269c b022 0000 5155 4954 0d0a
-
-4500 0036 fff2 4000 ef06 5355 96cb e002 c0a8 0103 0015 8032 3786 791b bd6b ca45 5018 269c a936 0000 3232 3120 476f 6f64 6279 652e 0d0a
-
-4500 0028 0017 4000 ff06 02e9 0101 0101 96cb e002 8032 0015 bd6b ca35 3786 7929 5011 269c 57cf 0000
-
-4500 0028 fff3 4000 ef06 5362 96cb e002 c0a8 0103 0015 8032 3786 7929 bd6b ca45 5011 269c 9815 0000
-
-4500 0028 10e3 4000 ff06 3273 c0a8 0103 96cb e002 8032 0015 bd6b ca3d 3786 792a 5010 269c 981d 0000
-
-4500 0028 fff4 4000 ef06 5361 96cb e002 c0a8 0103 0015 8032 3786 792a bd6b ca46 5010 269c 9814 0000
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni6 b/contrib/ipfilter/test/expected/ni6
deleted file mode 100644
index 0da034a..0000000
--- a/contrib/ipfilter/test/expected/ni6
+++ /dev/null
@@ -1,17 +0,0 @@
-4500 0054 cd8a 4000 ff11 1fbb c0a8 0601 c0a8 0701 8075 006f 0040 d26e 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
-
-4500 0054 0000 4000 ff11 ec44 c0a8 0702 c0a8 0701 8075 006f 0040 d16d 3e1d d249 0000 0000 0000 0002 0001 86a0 0000 0002 0000 0003 0000 0000 0000 0000 0000 0000 0000 0000 0001 86a3 0000 0003 0000 0011 0000 0000
-
-4500 0038 cd83 4000 ff11 1fde c0a8 0701 c0a8 0601 006f 8075 0024 d805 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
-
-4500 0038 0001 4000 ff11 ee5f c0a8 0602 c0a8 0601 006f 8075 0024 d904 3e1d d249 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000 0000 0801
-
-4500 0044 d5a6 4000 ff11 17af c0a8 0601 c0a8 0701 80df 0801 0030 03f1 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0044 0002 4000 ff11 ec52 c0a8 0702 c0a8 0701 80df 0801 0030 02f0 3e10 1fb1 0000 0000 0000 0002 0001 86a3 0000 0002 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0034 0000 4000 fe11 ee65 c0a8 0701 c0a8 0601 0801 80df 0020 8ab8 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
-
-4500 0034 0003 4000 fe11 ef61 c0a8 0602 c0a8 0601 0801 80df 0020 0000 3e10 1fb1 0000 0001 0000 0000 0000 0000 0000 0000 0000 0000
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni7 b/contrib/ipfilter/test/expected/ni7
deleted file mode 100644
index 38c39ab..0000000
--- a/contrib/ipfilter/test/expected/ni7
+++ /dev/null
@@ -1,5 +0,0 @@
-4500 0028 4706 4000 0111 1eac 0404 0404 0606 0606 afc9 829e 0014 6308 0402 0000 3be5 468d 000a cfc3
-
-4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0b00 f91c 0000 0000 4500 0028 4706 4000 0111 26b4 0404 0404 0202 0202 afc9 829e 0014 c966
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni8 b/contrib/ipfilter/test/expected/ni8
deleted file mode 100644
index 689ccaa..0000000
--- a/contrib/ipfilter/test/expected/ni8
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001
-
-4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/ni9 b/contrib/ipfilter/test/expected/ni9
deleted file mode 100644
index 1eb6fbc..0000000
--- a/contrib/ipfilter/test/expected/ni9
+++ /dev/null
@@ -1,9 +0,0 @@
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9c40 0000 0001 0000 0000 a002 16d0 3ef4 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0000 0000 ff01 adb7 0303 0303 0404 0404 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001
-
-4500 0058 0001 0000 ff01 ad96 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-4500 0038 0002 0000 ff01 abb3 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
--------------------------------
diff --git a/contrib/ipfilter/test/expected/p1 b/contrib/ipfilter/test/expected/p1
deleted file mode 100644
index 9f02804..0000000
--- a/contrib/ipfilter/test/expected/p1
+++ /dev/null
@@ -1,21 +0,0 @@
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/expected/p2 b/contrib/ipfilter/test/expected/p2
deleted file mode 100644
index 67a7c3e..0000000
--- a/contrib/ipfilter/test/expected/p2
+++ /dev/null
@@ -1,25 +0,0 @@
-block
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-# 'anonymous' table
-table role = ipf type = hash number = 2147483650 size = 3
- { 127.0.0.1/32; 4.4.0.0/16; };
-# 'anonymous' table
-table role = ipf type = hash number = 2147483649 size = 3
- { 127.0.0.1/32; 4.4.0.0/16; };
-List of groups configured (set 0)
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/expected/p3 b/contrib/ipfilter/test/expected/p3
deleted file mode 100644
index 94fde9e..0000000
--- a/contrib/ipfilter/test/expected/p3
+++ /dev/null
@@ -1,35 +0,0 @@
-pass
-nomatch
-nomatch
-nomatch
-nomatch
-pass
-block
-nomatch
-nomatch
-pass
-nomatch
-block
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-List of configured hash tables
-group-map out role = ipf number = 2010 size = 5
- { 5.0.0.0/8, group = 2040; 4.4.0.0/16, group = 2020; 2.2.2.2/32, group = 2020; };
-group-map in role = ipf number = 1010 size = 3
- { 3.3.0.0/16, group = 1030; 1.1.1.1/32, group = 1020; };
-List of groups configured (set 0)
-Dev.0. Group 1020 Ref 1 Flags 0x8000
-2 pass in all group 1020
-Dev.0. Group 1030 Ref 1 Flags 0x8000
-2 block in all group 1030
-Dev.0. Group 2020 Ref 2 Flags 0x4000
-4 pass out all group 2020
-Dev.0. Group 2040 Ref 1 Flags 0x4000
-2 block out all group 2040
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/expected/p5 b/contrib/ipfilter/test/expected/p5
deleted file mode 100644
index d8ea95c..0000000
--- a/contrib/ipfilter/test/expected/p5
+++ /dev/null
@@ -1,21 +0,0 @@
-nomatch
-pass
-nomatch
-nomatch
-nomatch
-pass
-nomatch
-nomatch
-List of active MAP/Redirect filters:
-
-List of active sessions:
-
-Hostmap table:
-List of active state sessions:
-List of configured pools
-table role = ipf type = tree name = letters
- { 1.1.1.1/32; ! 2.2.0.0/16; 2.2.2.0/24; };
-List of configured hash tables
-List of groups configured (set 0)
-List of groups configured (set 1)
--------------------------------
diff --git a/contrib/ipfilter/test/hextest b/contrib/ipfilter/test/hextest
deleted file mode 100644
index b7b0b2c..0000000
--- a/contrib/ipfilter/test/hextest
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-( while read rule; do
- echo "$rule" | ../ipftest -br - -F hex -i input/$1 >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "--------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/input/1 b/contrib/ipfilter/test/input/1
deleted file mode 100644
index 7c3ae8a..0000000
--- a/contrib/ipfilter/test/input/1
+++ /dev/null
@@ -1,4 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-out 127.0.0.1 127.0.0.1
-out 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/10 b/contrib/ipfilter/test/input/10
deleted file mode 100644
index 254cee7..0000000
--- a/contrib/ipfilter/test/input/10
+++ /dev/null
@@ -1,6 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/11 b/contrib/ipfilter/test/input/11
deleted file mode 100644
index 4eda58e..0000000
--- a/contrib/ipfilter/test/input/11
+++ /dev/null
@@ -1,11 +0,0 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
-in on e1 udp 1.1.1.1,1 4.4.4.4,53
-in on e1 udp 2.2.2.2,2 4.4.4.4,53
-in on e0 udp 4.4.4.4,53 1.1.1.1,1
-in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
-in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/input/12 b/contrib/ipfilter/test/input/12
deleted file mode 100644
index 5d9c1de..0000000
--- a/contrib/ipfilter/test/input/12
+++ /dev/null
@@ -1,35 +0,0 @@
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN
-45 00 0028 0000 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 02 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK
-45 00 0028 0000 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK
-45 00 0028 0000 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-45 00 001c 0000 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK
-45 00 001c 0000 6001 3f 06 0000 01010101 02010101
-00000000 50 10 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-45 00 0014 0000 6000 3f 11 0000 01010101 02010101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 0018 0000 2000 3f 11 0000 01010101 02010101
-0035 0035
-
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
-45 00 001c 0000 2000 3f 11 0000 01010101 02010101
-0001 0001 0004 0000
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 001c 0000 2000 3f 11 0000 01010101 02010101
-0035 0035 0004 0000
-
diff --git a/contrib/ipfilter/test/input/13 b/contrib/ipfilter/test/input/13
deleted file mode 100644
index 56ec16d..0000000
--- a/contrib/ipfilter/test/input/13
+++ /dev/null
@@ -1,39 +0,0 @@
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,MF,FO=0 SYN
-45 00 0028 0001 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 02 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK
-45 00 0024 0002 2000 3f 06 0000 01010101 02010101
-0401001900000000 0000000050102000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK
-45 00 002c 0002 0002 3f 06 0000 01010101 02010101
-0000000000010203 0405060708090a0b 0c0d0e0f10111213
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN
-45 00 0028 0003 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-45 00 001c 0004 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN
-45 00 001c 0005 6001 3f 06 0000 01010101 02010101
-00000000 50 10 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-45 00 0014 0006 6000 3f 11 0000 01010101 02010101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 0018 0007 2000 3f 11 0000 01010101 02010101
-0035 0035
-
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
-45 00 001c 0008 2000 3f 11 0000 01010101 02010101
-0035003500040000
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
-45 00 001c 0008 0001 3f 11 0000 01010101 02010101
-0000000000000000
-
diff --git a/contrib/ipfilter/test/input/14 b/contrib/ipfilter/test/input/14
deleted file mode 100644
index 16a806f..0000000
--- a/contrib/ipfilter/test/input/14
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/2 b/contrib/ipfilter/test/input/2
deleted file mode 100644
index d168af0..0000000
--- a/contrib/ipfilter/test/input/2
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 127.0.0.1,1 127.0.0.1,21
-in tcp 1.1.1.1,1 1.2.1.1,21
-in udp 127.0.0.1,1 127.0.0.1,21
-in udp 1.1.1.1,1 1.2.1.1,21
-in icmp 127.0.0.1 127.0.0.1
-in icmp 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/3 b/contrib/ipfilter/test/input/3
deleted file mode 100644
index 16a806f..0000000
--- a/contrib/ipfilter/test/input/3
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/4 b/contrib/ipfilter/test/input/4
deleted file mode 100644
index 2956d1b..0000000
--- a/contrib/ipfilter/test/input/4
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.1.1.1
-in 1.1.1.1 1.1.1.2
-in 1.1.1.1 1.1.2.2
-in 1.1.1.1 1.2.2.2
diff --git a/contrib/ipfilter/test/input/5 b/contrib/ipfilter/test/input/5
deleted file mode 100644
index 41600c1..0000000
--- a/contrib/ipfilter/test/input/5
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 1.1.1.1,0 2.2.2.2,2222
-in tcp 1.1.1.1,1 2.2.2.2,2222
-in tcp 1.1.1.1,23 2.2.2.2,2222
-in tcp 1.1.1.1,21 2.2.2.2,2222
-in tcp 1.1.1.1,1023 2.2.2.2,2222
-in tcp 1.1.1.1,1024 2.2.2.2,2222
-in tcp 1.1.1.1,1025 2.2.2.2,2222
-in tcp 1.1.1.1,32767 2.2.2.2,2222
-in tcp 1.1.1.1,32768 2.2.2.2,2222
-in tcp 1.1.1.1,65535 2.2.2.2,2222
-in tcp 1.1.1.1,5999 2.2.2.2,2222
-in tcp 1.1.1.1,6000 2.2.2.2,2222
-in tcp 1.1.1.1,6009 2.2.2.2,2222
-in tcp 1.1.1.1,6010 2.2.2.2,2222
-in udp 1.1.1.1,0 2.2.2.2,2222
-in udp 1.1.1.1,1 2.2.2.2,2222
-in udp 1.1.1.1,23 2.2.2.2,2222
-in udp 1.1.1.1,21 2.2.2.2,2222
-in udp 1.1.1.1,1023 2.2.2.2,2222
-in udp 1.1.1.1,1024 2.2.2.2,2222
-in udp 1.1.1.1,1025 2.2.2.2,2222
-in udp 1.1.1.1,32767 2.2.2.2,2222
-in udp 1.1.1.1,32768 2.2.2.2,2222
-in udp 1.1.1.1,65535 2.2.2.2,2222
-in udp 1.1.1.1,5999 2.2.2.2,2222
-in udp 1.1.1.1,6000 2.2.2.2,2222
-in udp 1.1.1.1,6009 2.2.2.2,2222
-in udp 1.1.1.1,6010 2.2.2.2,2222
diff --git a/contrib/ipfilter/test/input/6 b/contrib/ipfilter/test/input/6
deleted file mode 100644
index 21f0be3..0000000
--- a/contrib/ipfilter/test/input/6
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 2.2.2.2,2222 1.1.1.1,0
-in tcp 2.2.2.2,2222 1.1.1.1,1
-in tcp 2.2.2.2,2222 1.1.1.1,23
-in tcp 2.2.2.2,2222 1.1.1.1,21
-in tcp 2.2.2.2,2222 1.1.1.1,1023
-in tcp 2.2.2.2,2222 1.1.1.1,1024
-in tcp 2.2.2.2,2222 1.1.1.1,1025
-in tcp 2.2.2.2,2222 1.1.1.1,32767
-in tcp 2.2.2.2,2222 1.1.1.1,32768
-in tcp 2.2.2.2,2222 1.1.1.1,65535
-in tcp 2.2.2.2,2222 1.1.1.1,5999
-in tcp 2.2.2.2,2222 1.1.1.1,6000
-in tcp 2.2.2.2,2222 1.1.1.1,6009
-in tcp 2.2.2.2,2222 1.1.1.1,6010
-in udp 2.2.2.2,2222 1.1.1.1,0
-in udp 2.2.2.2,2222 1.1.1.1,1
-in udp 2.2.2.2,2222 1.1.1.1,23
-in udp 2.2.2.2,2222 1.1.1.1,21
-in udp 2.2.2.2,2222 1.1.1.1,1023
-in udp 2.2.2.2,2222 1.1.1.1,1024
-in udp 2.2.2.2,2222 1.1.1.1,1025
-in udp 2.2.2.2,2222 1.1.1.1,32767
-in udp 2.2.2.2,2222 1.1.1.1,32768
-in udp 2.2.2.2,2222 1.1.1.1,65535
-in udp 2.2.2.2,2222 1.1.1.1,5999
-in udp 2.2.2.2,2222 1.1.1.1,6000
-in udp 2.2.2.2,2222 1.1.1.1,6009
-in udp 2.2.2.2,2222 1.1.1.1,6010
diff --git a/contrib/ipfilter/test/input/7 b/contrib/ipfilter/test/input/7
deleted file mode 100644
index 2721af2..0000000
--- a/contrib/ipfilter/test/input/7
+++ /dev/null
@@ -1,9 +0,0 @@
-in icmp 1.1.1.1 2.1.1.1 echo
-in icmp 1.1.1.1 2.1.1.1 echo,1
-in icmp 1.1.1.1 2.1.1.1 echo,3
-in icmp 1.1.1.1 2.1.1.1 unreach
-in icmp 1.1.1.1 2.1.1.1 unreach,1
-in icmp 1.1.1.1 2.1.1.1 unreach,3
-in icmp 1.1.1.1 2.1.1.1 echorep
-in icmp 1.1.1.1 2.1.1.1 echorep,1
-in icmp 1.1.1.1 2.1.1.1 echorep,3
diff --git a/contrib/ipfilter/test/input/8 b/contrib/ipfilter/test/input/8
deleted file mode 100644
index cace511..0000000
--- a/contrib/ipfilter/test/input/8
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 1.1.1.1,1 2.1.2.2,1 S
-in tcp 1.1.1.1,1 2.1.2.2,1 SA
-in tcp 1.1.1.1,1 2.1.2.2,1 SF
-in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR
-in tcp 1.1.1.1,1 2.1.2.2,1 PAU
-in tcp 1.1.1.1,1 2.1.2.2,1 A
diff --git a/contrib/ipfilter/test/input/9 b/contrib/ipfilter/test/input/9
deleted file mode 100644
index 33f3be3..0000000
--- a/contrib/ipfilter/test/input/9
+++ /dev/null
@@ -1,6 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/f1 b/contrib/ipfilter/test/input/f1
deleted file mode 100644
index 7c3ae8a..0000000
--- a/contrib/ipfilter/test/input/f1
+++ /dev/null
@@ -1,4 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-out 127.0.0.1 127.0.0.1
-out 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f10 b/contrib/ipfilter/test/input/f10
deleted file mode 100644
index 254cee7..0000000
--- a/contrib/ipfilter/test/input/f10
+++ /dev/null
@@ -1,6 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
deleted file mode 100644
index d558150..0000000
--- a/contrib/ipfilter/test/input/f11
+++ /dev/null
@@ -1,16 +0,0 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S seq=1 ack=0
-in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA seq=1 ack=1
-in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA seq=101 ack=2
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA seq=101 ack=2
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
-in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A seq=2 ack=102
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A seq=102 ack=2
-in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A seq=102 ack=2
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA seq=2 ack=102
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A seq=2 ack=102
-in on e1 udp 1.1.1.1,1 4.4.4.4,53
-in on e1 udp 2.2.2.2,2 4.4.4.4,53
-in on e0 udp 4.4.4.4,53 1.1.1.1,1
-in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
-in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/input/f12 b/contrib/ipfilter/test/input/f12
deleted file mode 100644
index 52edde1..0000000
--- a/contrib/ipfilter/test/input/f12
+++ /dev/null
@@ -1,44 +0,0 @@
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN
-[]
-4500 0028 0000 4000 3f06 36cd 0101 0101 0201 0101
-0401 0019 0000 0000 0000 0000 5002 2000 86c5 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK
-[]
-4500 0028 0000 4000 3f06 36cd 0101 0101 0201 0101
-0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK
-[]
-4500 0028 0000 6000 3f06 16cd 0101 0101 0201 0101
-0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-[]
-4500 001c 0000 6000 3f06 16d9 0101 0101 0201 0101
-0401 0019 0000 0000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK
-[]
-4500 001c 0000 6001 3f06 16d8 0101 0101 0201 0101
-0000 0000 5010 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-[]
-4500 0014 0000 6000 3f11 16d6 0101 0101 0201 0101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-[]
-4500 0018 0000 2000 3f11 56d2 0101 0101 0201 0101
-0035 0035
-
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
-[]
-4500 001c 0000 2000 3f11 56ce 0101 0101 0201 0101
-0001 0001 0004 fadc
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-[]
-4500 001c 0000 2000 3f11 56ce 0101 0101 0201 0101
-0035 0035 0004 fa74
-
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
deleted file mode 100644
index 77e537e..0000000
--- a/contrib/ipfilter/test/input/f13
+++ /dev/null
@@ -1,95 +0,0 @@
-# This checksum is deliberately incorrect.
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,FO=0 SYN
-[in]
-4500 0028 0001 4000 3f06 36cc 0101 0101 0201 0101
-0401 0019 0000 0000 0000 0000 50 02 2000 86bb 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK
-[in]
-4500 0024 0002 2000 3f06 56cf 0101 0101 0201 0101
-0401 0019 0000 0000 0000 0000 5010 2000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK
-[in]
-4500 002c 0002 0002 3f06 76c5 0101 0101 0201 0101
-0000 0000 0001 0203 0405 0607 0809 0a0b 0c0d 0e0f 1011 1213
-
-# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN
-[in]
-4500 0028 0003 6000 3f06 16ca 0101 0101 0201 0101
-0400 0019 7000 0000 0000 0000 5002 2000 16c6 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-[in]
-4500 001c 0004 6000 3f06 16d5 0101 0101 0201 0101
-0401 0019 0000 0000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN
-[in]
-4500 001c 0005 6001 3f06 16d3 0101 0101 0201 0101
-0000 0000 5010 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-[in]
-4500 0014 0006 6000 3f11 16d0 0101 0101 0201 0101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-[in]
-4500 0018 0007 2000 3f11 56cb 0101 0101 0201 0101
-0035 0035
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-[in]
-4500 001c 0008 2000 3f11 56c6 0101 0101 0201 0101
-0035 0035 0004 0000
-
-# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short)
-[in]
-4500 0018 0008 2000 3f11 56ca 0101 0101 0201 0101
-0035 0036
-
-# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0
-[in]
-4500 001c 0008 2000 3f11 56c6 0101 0101 0201 0101
-0015 0036 0004 0000
-
-# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0
-[in]
-4500 001c 0008 2000 3f06 56d1 0101 0101 0201 0101
-0015 0036 0000 0000 0000 0000 50 02 2000 0000 0000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=3
-[in]
-4500 001c 0008 0003 3f11 76c3 0101 0101 0201 0101
-0000 0000 0000 0000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1
-[in]
-4500 001c 0008 0001 3f11 76c5 0101 0101 0201 0101
-0000 0000 0000 0000
-
-# 2.1.1.1,53 -> 1.1.1.1,53 TTL=63 UDP
-[out]
-4500 001c 0008 0000 3f11 76c6 0201 0101 0101 0101
-0035 0035 0004 0000
-
-# 2.1.1.1,25 -> 1.1.1.1,1014 TTL=63 TCP DF SYN-ACK
-[out]
-4500 0028 0003 4000 3f06 36ca 0201 0101 0101 0101
-0019 0400 0000 0001 7000 0001 5012 2000 16b4 0000
-
-# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF ACK (OOW)
-[in]
-4500 0028 0003 4000 3f06 36ca 0101 0101 0201 0101
-0400 0019 0040 0000 0000 0000 5010 2000 8678 0000
-
-# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF ACK
-[in]
-4500 0028 0003 4000 3f06 36ca 0101 0101 0201 0101
-0400 0019 7000 0004 0000 0002 5010 2000 16b2 0000
-
-# 1.1.1.1,1024 -> 2.1.1.1,25 TTL=63 TCP DF ACK
-[in]
-4500 0028 0003 4000 3f06 36ca 0101 0101 0201 0101
-0400 0019 7000 0001 0000 0002 5010 2000 16b5 0000
-
diff --git a/contrib/ipfilter/test/input/f14 b/contrib/ipfilter/test/input/f14
deleted file mode 100644
index 16a806f..0000000
--- a/contrib/ipfilter/test/input/f14
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f15 b/contrib/ipfilter/test/input/f15
deleted file mode 100644
index db547cb..0000000
--- a/contrib/ipfilter/test/input/f15
+++ /dev/null
@@ -1,8 +0,0 @@
-in on hme0 tcp 10.1.2.3,1200 195.134.65.10,100 S
-in on hme0 tcp 10.1.2.3,1200 195.134.65.10,22 S
-in on hme0 udp 10.1.2.3,1200 195.134.65.10,100
-in on hme0 udp 10.1.2.3,53 195.134.65.10,53
-in on hme0 10.1.2.3 195.134.65.10
-in on hme1 195.134.65.10 10.1.2.3
-in on hme1 udp 195.134.65.10,53 10.1.2.3,53
-in on hme1 tcp 195.134.65.10,22 10.1.2.3,1200 SA
diff --git a/contrib/ipfilter/test/input/f16 b/contrib/ipfilter/test/input/f16
deleted file mode 100644
index a17f41f..0000000
--- a/contrib/ipfilter/test/input/f16
+++ /dev/null
@@ -1,8 +0,0 @@
-in 2.2.2.2 5.5.5.5
-in 2.2.2.2 1.1.1.1
-in udp 4.4.4.4,110 1.1.1.1,53
-in udp 4.4.4.9,101 1.1.1.3,35
-in udp 4.4.4.8,111 1.1.1.2,53
-in tcp 4.4.4.7,220 1.1.1.1,23
-in tcp 4.4.4.6,202 1.1.1.3,22
-in tcp 4.4.4.5,222 1.1.1.2,52
diff --git a/contrib/ipfilter/test/input/f17 b/contrib/ipfilter/test/input/f17
deleted file mode 100644
index a0d44d7..0000000
--- a/contrib/ipfilter/test/input/f17
+++ /dev/null
@@ -1,39 +0,0 @@
-# TCP 1.1.1.1,54076 -> 2.2.2.2,27 SYN
-[out,ppp0]
-4500 003c 8262 0000 4006 f254 0101 0101
-0202 0202 d33c 0019 bfd0 8989 0000 0000
-a002 4000 cfcd 0000 0204 05b4 0103 0300
-0101 080a 008e 17f7 0000 0000
-
-# TCP 2.2.2.2,27 -> 1.1.1.1,54076 ACK
-[in,ppp0]
-4500 003c 8262 0000 1106 2155 0202 0202
-0101 0101 0019 d33c 4020 3436 bfdf cbc9
-5010 4000 694a 0000 0204 0584 0103 0300
-0101 080a 008e 17f7 0000 0000
-
-# TCP 1.1.1.1,54076 -> 2.2.2.2,27 SYN
-[out,ppp0]
-4500 003c 8265 0000 4006 f251 0101 0101
-0202 0202 d33c 0019 bfd0 8989 0000 0000
-a002 4000 cfc2 0000 0204 05b4 0103 0300
-0101 080a 008e 1802 0000 0000
-
-# TCP 2.2.2.2,27 -> 1.1.1.1,54076 SYN-ACK
-[in,ppp0]
-4500 002c 7442 4000 2906 d784 0202 0202
-0101 0101 0019 d33c ed67 4d4e bfd0 898a
-6012 2118 19c2 0000 0204 0584
-
-# TCP 1.1.1.1,54076 -> 2.2.2.2,27 ACK
-[out,ppp0]
-4500 0028 8262 0000 4006 f268 0101 0101
-0202 0202 d33c 0019 bfd0 898a ed67 4d4e
-5010 4000 1268 0000
-
-# TCP 2.2.2.2,27 -> 1.1.1.1,54076 ACK+data
-[in,ppp0]
-4500 002a 7442 4000 2906 d786 0202 0202
-0101 0101 0019 d33c ed67 4d4e bfd0 8990
-5012 2118 2f43 0000 0203
-
diff --git a/contrib/ipfilter/test/input/f18 b/contrib/ipfilter/test/input/f18
deleted file mode 100644
index 9ecbb7f..0000000
--- a/contrib/ipfilter/test/input/f18
+++ /dev/null
@@ -1,4 +0,0 @@
-in on le1 1.1.1.1 3.3.3.3
-in on le1 1.1.1.1 5.5.5.5
-out on le1 2.2.2.2 4.4.4.4
-out on le1 2.2.2.2 6.6.6.6
diff --git a/contrib/ipfilter/test/input/f19 b/contrib/ipfilter/test/input/f19
deleted file mode 100644
index 6cab988..0000000
--- a/contrib/ipfilter/test/input/f19
+++ /dev/null
@@ -1,4 +0,0 @@
-in tcp 127.0.0.1,1 127.0.0.1,21 S
-in tcp 127.0.0.1,2 127.0.0.1,21 S
-in tcp 127.0.0.1,3 127.0.0.1,21 S
-in tcp 127.0.0.1,4 127.0.0.1,21 S
diff --git a/contrib/ipfilter/test/input/f2 b/contrib/ipfilter/test/input/f2
deleted file mode 100644
index f4e9d23..0000000
--- a/contrib/ipfilter/test/input/f2
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 127.0.0.1,1 127.0.0.1,ftp
-in tcp 1.1.1.1,1 1.2.1.1,ftp
-in udp 127.0.0.1,1 127.0.0.1,21
-in udp 1.1.1.1,1 1.2.1.1,21
-in icmp 127.0.0.1 127.0.0.1
-in icmp 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f20 b/contrib/ipfilter/test/input/f20
deleted file mode 100644
index 605ba7c..0000000
--- a/contrib/ipfilter/test/input/f20
+++ /dev/null
@@ -1,2 +0,0 @@
-out on de0 1.1.1.1 2.2.2.2
-out on ab0 1.1.1.1 2.2.2.2
diff --git a/contrib/ipfilter/test/input/f24 b/contrib/ipfilter/test/input/f24
deleted file mode 100644
index 1d06682..0000000
--- a/contrib/ipfilter/test/input/f24
+++ /dev/null
@@ -1,27 +0,0 @@
-[out,hme0]
-4500 003f 6e48 0000 4011 8816 c0a8 0101
-c0a8 01fe eb22 0035 002b d9e6 4a82 0100
-0001 0000 0000 0000 0663 6f6f 6d62 7303
-616e 7503 6564 7502 6175 0000 0100 01
-
-[in,hme0]
-4500 004c fc96 2000 4011 d9ba c0a8 01fe
-c0a8 0101 0035 eb22 00a9 d7b9 4a82 8180
-0001 0001 0003 0003 0663 6f6f 6d62 7303
-616e 7503 6564 7502 6175 0000 0100 01c0
-0c00 0100 0100 0000 3c00 0496
-
-[in,hme0]
-4500 004c fc96 2006 4011 d9b4 c0a8 01fe
-c0a8 0101 cbe7 50c0 1300 0200 0100 0078
-8c00 0603 6e73 31c0 13c0 1300 0200 0100
-0078 8c00 0e02 6e73 0861 6465 6c61 6964
-65c0 17c0 1300 0200 0100 0078
-
-[in,hme0]
-4500 004d fc96 000c 4011 f9ad c0a8 01fe
-c0a8 0101 8c00 0603 756e 61c0 13c0 6b00
-0100 0100 0027 5800 0496 cb16 1cc0 5100
-0100 0100 0018 4700 0481 7f28 03c0 3f00
-0100 0100 0027 5800 0496 cb01 0a
-
diff --git a/contrib/ipfilter/test/input/f3 b/contrib/ipfilter/test/input/f3
deleted file mode 100644
index 16a806f..0000000
--- a/contrib/ipfilter/test/input/f3
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/f4 b/contrib/ipfilter/test/input/f4
deleted file mode 100644
index 2956d1b..0000000
--- a/contrib/ipfilter/test/input/f4
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.1.1.1
-in 1.1.1.1 1.1.1.2
-in 1.1.1.1 1.1.2.2
-in 1.1.1.1 1.2.2.2
diff --git a/contrib/ipfilter/test/input/f5 b/contrib/ipfilter/test/input/f5
deleted file mode 100644
index 41600c1..0000000
--- a/contrib/ipfilter/test/input/f5
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 1.1.1.1,0 2.2.2.2,2222
-in tcp 1.1.1.1,1 2.2.2.2,2222
-in tcp 1.1.1.1,23 2.2.2.2,2222
-in tcp 1.1.1.1,21 2.2.2.2,2222
-in tcp 1.1.1.1,1023 2.2.2.2,2222
-in tcp 1.1.1.1,1024 2.2.2.2,2222
-in tcp 1.1.1.1,1025 2.2.2.2,2222
-in tcp 1.1.1.1,32767 2.2.2.2,2222
-in tcp 1.1.1.1,32768 2.2.2.2,2222
-in tcp 1.1.1.1,65535 2.2.2.2,2222
-in tcp 1.1.1.1,5999 2.2.2.2,2222
-in tcp 1.1.1.1,6000 2.2.2.2,2222
-in tcp 1.1.1.1,6009 2.2.2.2,2222
-in tcp 1.1.1.1,6010 2.2.2.2,2222
-in udp 1.1.1.1,0 2.2.2.2,2222
-in udp 1.1.1.1,1 2.2.2.2,2222
-in udp 1.1.1.1,23 2.2.2.2,2222
-in udp 1.1.1.1,21 2.2.2.2,2222
-in udp 1.1.1.1,1023 2.2.2.2,2222
-in udp 1.1.1.1,1024 2.2.2.2,2222
-in udp 1.1.1.1,1025 2.2.2.2,2222
-in udp 1.1.1.1,32767 2.2.2.2,2222
-in udp 1.1.1.1,32768 2.2.2.2,2222
-in udp 1.1.1.1,65535 2.2.2.2,2222
-in udp 1.1.1.1,5999 2.2.2.2,2222
-in udp 1.1.1.1,6000 2.2.2.2,2222
-in udp 1.1.1.1,6009 2.2.2.2,2222
-in udp 1.1.1.1,6010 2.2.2.2,2222
diff --git a/contrib/ipfilter/test/input/f6 b/contrib/ipfilter/test/input/f6
deleted file mode 100644
index 21f0be3..0000000
--- a/contrib/ipfilter/test/input/f6
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 2.2.2.2,2222 1.1.1.1,0
-in tcp 2.2.2.2,2222 1.1.1.1,1
-in tcp 2.2.2.2,2222 1.1.1.1,23
-in tcp 2.2.2.2,2222 1.1.1.1,21
-in tcp 2.2.2.2,2222 1.1.1.1,1023
-in tcp 2.2.2.2,2222 1.1.1.1,1024
-in tcp 2.2.2.2,2222 1.1.1.1,1025
-in tcp 2.2.2.2,2222 1.1.1.1,32767
-in tcp 2.2.2.2,2222 1.1.1.1,32768
-in tcp 2.2.2.2,2222 1.1.1.1,65535
-in tcp 2.2.2.2,2222 1.1.1.1,5999
-in tcp 2.2.2.2,2222 1.1.1.1,6000
-in tcp 2.2.2.2,2222 1.1.1.1,6009
-in tcp 2.2.2.2,2222 1.1.1.1,6010
-in udp 2.2.2.2,2222 1.1.1.1,0
-in udp 2.2.2.2,2222 1.1.1.1,1
-in udp 2.2.2.2,2222 1.1.1.1,23
-in udp 2.2.2.2,2222 1.1.1.1,21
-in udp 2.2.2.2,2222 1.1.1.1,1023
-in udp 2.2.2.2,2222 1.1.1.1,1024
-in udp 2.2.2.2,2222 1.1.1.1,1025
-in udp 2.2.2.2,2222 1.1.1.1,32767
-in udp 2.2.2.2,2222 1.1.1.1,32768
-in udp 2.2.2.2,2222 1.1.1.1,65535
-in udp 2.2.2.2,2222 1.1.1.1,5999
-in udp 2.2.2.2,2222 1.1.1.1,6000
-in udp 2.2.2.2,2222 1.1.1.1,6009
-in udp 2.2.2.2,2222 1.1.1.1,6010
diff --git a/contrib/ipfilter/test/input/f7 b/contrib/ipfilter/test/input/f7
deleted file mode 100644
index dbc9e33..0000000
--- a/contrib/ipfilter/test/input/f7
+++ /dev/null
@@ -1,15 +0,0 @@
-in icmp 1.1.1.1 2.1.1.1 echo
-in icmp 1.1.1.1 2.1.1.1 echo,1
-in icmp 1.1.1.1 2.1.1.1 echo,3
-in icmp 1.1.1.1 2.1.1.1 unreach
-in icmp 1.1.1.1 2.1.1.1 unreach,1
-in icmp 1.1.1.1 2.1.1.1 unreach,3
-in icmp 1.1.1.1 2.1.1.1 echorep
-in icmp 1.1.1.1 2.1.1.1 echorep,1
-in icmp 1.1.1.1 2.1.1.1 echorep,3
-in icmp 2.2.2.2 3.3.3.3 maskreq
-out icmp 3.3.3.3 2.2.2.2 maskrep
-in icmp 4.4.4.4 5.5.5.5 timest
-out icmp 5.5.5.5 4.4.4.4 timestrep
-in icmp 6.6.6.6 7.7.7.7 inforeq
-out icmp 7.7.7.7 6.6.6.6 inforep
diff --git a/contrib/ipfilter/test/input/f8 b/contrib/ipfilter/test/input/f8
deleted file mode 100644
index cace511..0000000
--- a/contrib/ipfilter/test/input/f8
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 1.1.1.1,1 2.1.2.2,1 S
-in tcp 1.1.1.1,1 2.1.2.2,1 SA
-in tcp 1.1.1.1,1 2.1.2.2,1 SF
-in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR
-in tcp 1.1.1.1,1 2.1.2.2,1 PAU
-in tcp 1.1.1.1,1 2.1.2.2,1 A
diff --git a/contrib/ipfilter/test/input/f9 b/contrib/ipfilter/test/input/f9
deleted file mode 100644
index e64e299..0000000
--- a/contrib/ipfilter/test/input/f9
+++ /dev/null
@@ -1,9 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1 opt lsrr=1.1.1.1
-in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt satid
-in 1.1.1.1 2.1.1.1 opt satid=234
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/input.sed b/contrib/ipfilter/test/input/input.sed
deleted file mode 100644
index e69de29..0000000
--- a/contrib/ipfilter/test/input/input.sed
+++ /dev/null
diff --git a/contrib/ipfilter/test/input/ip2.data b/contrib/ipfilter/test/input/ip2.data
deleted file mode 100644
index ef34eb5..0000000
--- a/contrib/ipfilter/test/input/ip2.data
+++ /dev/null
@@ -1,3 +0,0 @@
-1.1.1.1/32
-!2.2.0.0/16
-2.2.2.0/24
diff --git a/contrib/ipfilter/test/input/ipf6-1 b/contrib/ipfilter/test/input/ipf6-1
deleted file mode 100644
index 8cc2d17..0000000
--- a/contrib/ipfilter/test/input/ipf6-1
+++ /dev/null
@@ -1,26 +0,0 @@
-[out,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 0013 ff02 0000 0000 0000
-0000 0001 ff01 000b 8700 ea32 0000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0101 0048 5487 5c6f
-
-[in,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8800 5322 6000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0201 0800 2071 cce1
-
-[out,de0]
-6000 0000 0010 3a40 ef00 0000 0000 0000
-0000 0000 0001 0013 ef00 0000 0000 0000
-0000 0000 0001 000b 8000 3210 06ff 0002
-9ec3 3c3c 8a82 0300
-
-[in,de0]
-6000 0000 0010 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8100 3110 06ff 0002
-9ec3 3c3c 8a82 0300
-
diff --git a/contrib/ipfilter/test/input/ipv6.1 b/contrib/ipfilter/test/input/ipv6.1
deleted file mode 100644
index 3f0fd30..0000000
--- a/contrib/ipfilter/test/input/ipv6.1
+++ /dev/null
@@ -1,32 +0,0 @@
-[out,gif0] 6000 0000 0018 1101
-ef00 1001 2002 0001 0000 0000 0000 0070
-2001 1002 3333 0001 0000 0000 0000 0001
-8083 829a
-0018
-f4c1
-0000 0344 0000 0004 f8f1 9d3c ddba 0e00
-
-[in,gif0] 6000 0000 0048 3a40
-ef00 1001 0880 6cbf 0000 0000 0000 0001
-ef00 1001 2002 0001 0000 0000 0000 0070
-0300 7d44 0000 0000
-6000 0000 0018 1101
-ef00 1001 2002 0001 0000 0000 0000 0070
-2001 1002 3333 0001 0000 0000 0000 0001
-8083 829a
-0018
-f427
-0000 0344 0000 0004 f8f1 9d3c ddba 0e00
-
-[in,gif0] 6000 0000 0048 3a40
-ef00 1001 0880 6cbf 0000 0000 0000 0001
-ef00 1001 2002 0001 0000 0000 0000 0070
-0300 7d44 0000 0000
-6000 0000 0018 1101
-ef00 1001 2002 1001 0000 0000 0000 0070
-2001 1002 3333 0001 0000 0000 0000 0001
-8083 829a
-0018
-f427
-0000 0344 0000 0004 f8f1 9d3c ddba 0e00
-
diff --git a/contrib/ipfilter/test/input/ipv6.2 b/contrib/ipfilter/test/input/ipv6.2
deleted file mode 100644
index 8cc2d17..0000000
--- a/contrib/ipfilter/test/input/ipv6.2
+++ /dev/null
@@ -1,26 +0,0 @@
-[out,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 0013 ff02 0000 0000 0000
-0000 0001 ff01 000b 8700 ea32 0000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0101 0048 5487 5c6f
-
-[in,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8800 5322 6000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0201 0800 2071 cce1
-
-[out,de0]
-6000 0000 0010 3a40 ef00 0000 0000 0000
-0000 0000 0001 0013 ef00 0000 0000 0000
-0000 0000 0001 000b 8000 3210 06ff 0002
-9ec3 3c3c 8a82 0300
-
-[in,de0]
-6000 0000 0010 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8100 3110 06ff 0002
-9ec3 3c3c 8a82 0300
-
diff --git a/contrib/ipfilter/test/input/ipv6.3 b/contrib/ipfilter/test/input/ipv6.3
deleted file mode 100644
index e8ad9f2..0000000
--- a/contrib/ipfilter/test/input/ipv6.3
+++ /dev/null
@@ -1,30 +0,0 @@
-[out,gif0]
-6000 0000 0010 3a40 3ffe 8280 0000 2001
-0000 0000 0000 4395 3ffe 8280 0000 2001
-0000 0000 0000 4394 8000 3f77 085c 0038
-0c06 b73d 1b3d 0d00
-
-[in,gif0]
-6000 0000 0010 3a40 3ffe 8280 0000 2001
-0000 0000 0000 4393 3ffe 8280 0000 2001
-0000 0000 0000 4395 8100 3e77 085c 0038
-0c06 b73d 1b3d 0d00
-
-[in,gif0]
-6000 0000 0010 3a40 3ffe 8280 0000 2001
-0000 0000 0000 4394 3ffe 8280 0000 2001
-0000 0000 0000 4395 8300 3e77 085c 0038
-0c06 b73d 1b3d 0d00
-
-[in,gif0]
-6000 0000 0010 3a40 3ffe 8280 0000 2001
-0000 0000 0000 4394 3ffe 8280 0000 2001
-0000 0000 0000 4395 8000 3e77 085c 0038
-0c06 b73d 1b3d 0d00
-
-[in,gif0]
-6000 0000 0010 3a40 3ffe 8280 0000 2001
-0000 0000 0000 4394 3ffe 8280 0000 2001
-0000 0000 0000 4395 8100 3e77 085c 0038
-0c06 b73d 1b3d 0d00
-
diff --git a/contrib/ipfilter/test/input/ipv6.5 b/contrib/ipfilter/test/input/ipv6.5
deleted file mode 100644
index e46407c..0000000
--- a/contrib/ipfilter/test/input/ipv6.5
+++ /dev/null
@@ -1,14 +0,0 @@
-[out,de0]
-6000 0000 002c 2bff
-ef00 0000 0000 0000 0000 0000 0001 0013
-ff02 0000 0000 0000 0000 0001 ff01 000b
-0602 0000 0000 0000
-ff02 0000 0000 0000 0000 0001 ff01 000b
-0401 0019 0000 0000 0000 0000 5002 2000 9ea3 0000
-
-[out,de0]
-6000 0000 0014 06ff
-ef00 0000 0000 0000 0000 0000 0001 0013
-ff02 0000 0000 0000 0000 0001 ff01 000b
-0401 0019 0000 0000 0000 0000 5002 2000 9ea3 0000
-
diff --git a/contrib/ipfilter/test/input/ipv6.6 b/contrib/ipfilter/test/input/ipv6.6
deleted file mode 100644
index 82efeac..0000000
--- a/contrib/ipfilter/test/input/ipv6.6
+++ /dev/null
@@ -1,17 +0,0 @@
-[out,gif0]
-6000 0000 0020 2c01
-ef00 1001 2002 0001 0000 0000 0000 0070
-2001 1002 3333 0001 0000 0000 0000 0001
-1100 0001 0000 0001
-8083 829a
-0020
-f4c1
-0000 0000 0000 0000 0000 0000 0000 0000
-
-[out,gif0]
-6000 0000 0020 2c01
-ef00 1001 2002 0001 0000 0000 0000 0070
-2001 1002 3333 0001 0000 0000 0000 0001
-1100 0008 0000 0001
-0000 0000 0000 0000 0000 0000 0000 0000
-
diff --git a/contrib/ipfilter/test/input/l1 b/contrib/ipfilter/test/input/l1
deleted file mode 100644
index a59dbe3..0000000
--- a/contrib/ipfilter/test/input/l1
+++ /dev/null
@@ -1,64 +0,0 @@
-# 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN
-[]
-4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0001 0000 0000 5002 2000 85c2 0000
-
-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
-[]
-4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0001 0000 0000 5010 2000 85b4 0000
-
-#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
-[]
-4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0011 0000 0002 5012 2000 85a0 0000
-
-#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
-[out,e1] 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0012 0000 0002 5010 2000 85a1 0000
-
-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 AF
-[]
-4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0002 0000 0012 5011 2000 85a0 0000
-
-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
-[]
-4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000
-
-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
-[]
-4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000
-
-#in on e1 udp 1.1.1.1,1 4.4.4.4,53
-[]
-4500 0028 0000 4000 3f11 31bc 0101 0101 0404 0404
-0001 0035 0000 d16f 0102 0304 0506 0708 090a 0b0d
-
-#in on e1 udp 2.2.2.2,2 4.4.4.4,53
-[]
-4500 0028 0000 4000 3f11 2fba 0202 0202 0404 0404
-0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
-
-#in on e1 udp 2.2.2.2,2 4.4.4.4,53
-[]
-4500 0038 0000 4000 3f11 2faa 0202 0202 0404 0404
-0001 0035 0000 d47b 0102 0304 0506 0708 090a 0b0d
-0e0f 4061 4263 4465 4667 4869 4a6b 4c6d
-
-#in on e0 ip 4.4.4.4,53 1.1.1.1,1
-[]
-4500 0014 0000 4000 3f00 2fdf 0202 0202 0404 0404
-
-#in on e0 udp 3.3.3.3,1023 1.1.1.1,2049
-[]
-4500 001c 0000 4000 3f11 33ca 0303 0303 0101 0101
-03ff 0801 0000 ebde
-
-#in on e0 udp 1.1.1.1,2049 3.3.3.3,1023
-[]
-4500 001c 0000 4000 3f11 33ca 0101 0101 0303 0303
-0801 03ff 0000 0000
-
diff --git a/contrib/ipfilter/test/input/n1 b/contrib/ipfilter/test/input/n1
deleted file mode 100644
index 04b24ef..0000000
--- a/contrib/ipfilter/test/input/n1
+++ /dev/null
@@ -1,34 +0,0 @@
-out on zx0 255 10.1.1.0 10.1.1.2
-out on zx0 255 10.1.1.1 10.1.1.2
-out on zx0 255 10.1.1.2 10.1.1.1
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
-out on zx0 255 10.2.2.1 10.1.2.1
-out on zx0 255 10.2.2.2 10.1.2.1
-in on zx0 255 10.1.1.1 10.1.1.2
-in on zx0 255 10.1.1.2 10.1.1.1
-in on zx0 255 10.2.2.1 10.2.1.1
-in on zx0 255 10.2.2.2 10.2.1.1
-in on zx0 255 10.2.2.3 10.1.1.1
-in on zx0 255 10.2.3.4 10.2.2.2
-in on zx0 255 10.1.1.1 10.2.2.2
-in on zx0 255 10.1.1.2 10.2.2.2
-in on zx0 255 10.1.1.0 10.3.4.5
-in on zx0 255 10.1.1.1 10.3.4.5
-in on zx0 255 10.1.1.2 10.3.4.5
-in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
-out on zx0 icmp 10.1.1.1 10.4.3.2
-in on zx0 icmp 10.4.3.2 10.2.2.2
-in on zx0 icmp 10.4.3.2 10.3.4.1
-in on zx0 icmp 10.4.3.2 10.3.4.2
-in on zx0 icmp 10.4.3.2 10.3.4.3
-in on zx0 icmp 10.4.3.2 10.3.4.4
-in on zx0 icmp 10.4.3.2 10.3.4.5
-out on zx0 34 10.1.1.2 10.4.3.2
-in on zx0 34 10.4.3.2 10.3.4.4
-out on zx0 34 10.1.1.2 10.4.3.4
-in on zx0 34 10.4.3.4 10.3.4.5
-out on zx0 34 10.1.1.3 10.4.3.4
-in on zx0 34 10.4.3.4 10.3.4.6
-out on zx0 35 10.1.1.3 10.4.3.4
-in on zx0 35 10.4.3.4 10.3.4.7
diff --git a/contrib/ipfilter/test/input/n10 b/contrib/ipfilter/test/input/n10
deleted file mode 100644
index 321ed0b..0000000
--- a/contrib/ipfilter/test/input/n10
+++ /dev/null
@@ -1,6 +0,0 @@
-# TCP SYN packet with an MSS option
-[out,ppp0]
-4500 002c 10c9 4000 ff06 3289 c0a8 0103
-96cb e002 8032 0015 bd6b c9c8 0000 0000
-6002 2238 35f9 0000 0204 05b4
-
diff --git a/contrib/ipfilter/test/input/n11 b/contrib/ipfilter/test/input/n11
deleted file mode 100644
index 8712674..0000000
--- a/contrib/ipfilter/test/input/n11
+++ /dev/null
@@ -1,16 +0,0 @@
-out on zx0 255 10.1.1.0 10.1.1.2
-out on zx0 255 10.1.1.1 10.1.1.2
-out on zx0 255 10.1.1.2 10.1.1.1
-out on zx0 255 10.2.2.1 10.1.2.1
-out on zx0 255 10.2.2.2 10.1.2.1
-in on zx0 255 10.1.1.1 10.1.1.2
-in on zx0 255 10.1.1.2 10.1.1.1
-in on zx0 255 10.2.2.1 10.2.1.1
-in on zx0 255 10.2.2.2 10.2.1.1
-in on zx0 255 10.2.2.3 10.1.1.1
-in on zx0 255 10.2.3.4 10.2.2.2
-in on zx0 255 10.1.1.1 10.2.2.2
-in on zx0 255 10.1.1.2 10.2.2.2
-in on zx0 255 10.1.1.0 10.3.4.5
-in on zx0 255 10.1.1.1 10.3.4.5
-in on zx0 255 10.1.1.2 10.3.4.5
diff --git a/contrib/ipfilter/test/input/n12 b/contrib/ipfilter/test/input/n12
deleted file mode 100644
index fb4d76d..0000000
--- a/contrib/ipfilter/test/input/n12
+++ /dev/null
@@ -1,18 +0,0 @@
-[out,le0=192.168.1.188]
-4510 0040 2020 4000 4006 17e1 c0a8 7e53
-c0a8 0303 12c2 0017 4e33 298e 0000 0000
-b002 4000 07af 0000 0204 05b4 0101 0402
-0103 0300 0101 080a 0c72 549e 0000 0000
-
-[in,le0]
-4500 003c 00b0 4000 fe06 f5fb c0a8 0303
-c0a8 01bc 0017 2710 f674 e02c 4e33 298f
-a012 2798 e317 0000 0101 080a 2c05 b797
-0c72 549e 0103 0300 0204 05b4
-
-[out,le0]
-4510 0034 493b 4000 4006 eed1 c0a8 7e53
-c0a8 0303 12c2 0017 4e33 298f f674 e02d
-8010 4000 8e2a 0000 0101 080a 0c72 549e
-2c05 b797
-
diff --git a/contrib/ipfilter/test/input/n13 b/contrib/ipfilter/test/input/n13
deleted file mode 100644
index ac7bbbd..0000000
--- a/contrib/ipfilter/test/input/n13
+++ /dev/null
@@ -1,4 +0,0 @@
-out on le0 192.168.1.1 150.1.1.1
-out on le0 192.168.1.1 150.1.1.2
-out on le0 192.168.1.2 150.1.1.2
-out on le0 192.168.1.3 150.1.1.1
diff --git a/contrib/ipfilter/test/input/n14 b/contrib/ipfilter/test/input/n14
deleted file mode 100644
index 969eb1c..0000000
--- a/contrib/ipfilter/test/input/n14
+++ /dev/null
@@ -1,4 +0,0 @@
-in on gre0 tcp 10.2.2.5,2000 203.1.1.1,80
-in on gre0 tcp 10.2.2.6,2000 203.1.1.1,80
-in on gre0 tcp 10.2.2.7,2000 203.1.1.1,80
-in on gre0 tcp 10.2.2.5,2001 203.1.1.1,80
diff --git a/contrib/ipfilter/test/input/n16 b/contrib/ipfilter/test/input/n16
deleted file mode 100644
index 2e77e40..0000000
--- a/contrib/ipfilter/test/input/n16
+++ /dev/null
@@ -1,40 +0,0 @@
-[in,vlan0]
-4520 0068 17e4 0000 6b11 3539 c05b ac33 45f8 4fc1
-1194 94f8 0054 0000
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-
-[out,vlan2]
-4520 0068 17e4 0000 6a11 ccba c05b ac33
-ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5
-
-[in,vlan2]
-4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
-c05b ac33 0303 4ca1 0000 0000 4520 0068
-17e4 0000 6a11 ccba c05b ac33 ac1f 5318
-1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5
-
-[out,vlan0]
-4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
-c05b ac33 0303 4ca1 0000 0000 4520 0068
-17e4 0000 6a11 ccba c05b ac33 ac1f 5318
-1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
-a5a5 a5a5
-
diff --git a/contrib/ipfilter/test/input/n2 b/contrib/ipfilter/test/input/n2
deleted file mode 100644
index 476f16e..0000000
--- a/contrib/ipfilter/test/input/n2
+++ /dev/null
@@ -1,19 +0,0 @@
-out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
-out on zx0 10.1.1.0 10.1.1.2
-out on zx0 10.1.1.1 10.1.2.1
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
-out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
-out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
-out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
-out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
-in on zx0 10.1.1.1 10.1.1.2
-in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
-in on zx0 10.1.1.2 10.1.1.1
-in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
-in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
-in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
-in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n3 b/contrib/ipfilter/test/input/n3
deleted file mode 100644
index deca317..0000000
--- a/contrib/ipfilter/test/input/n3
+++ /dev/null
@@ -1,5 +0,0 @@
-out on zz0 tcp 10.1.1.1,5000 203.1.1.1,80
-out on zz0 tcp 10.1.1.1,252 203.1.1.1,80
-out on zz0 tcp 10.1.0.0,32768 203.1.1.1,80
-out on zz0 udp 10.1.0.0,32768 203.1.1.1,80
-out on zz0 tcp 10.1.255.255,65535 203.1.1.1,80
diff --git a/contrib/ipfilter/test/input/n4 b/contrib/ipfilter/test/input/n4
deleted file mode 100644
index 1218ef9..0000000
--- a/contrib/ipfilter/test/input/n4
+++ /dev/null
@@ -1,10 +0,0 @@
-in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
-out on zx0 tcp 10.2.2.1,10023 10.3.3.3,12345
-in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
-out on zx0 tcp 10.2.2.1,10053 10.3.3.3,12345
-in on zx0 tcp 10.3.3.3,12346 10.1.0.0,23
-out on zx0 tcp 10.2.2.1,10023 10.3.3.3,12346
-in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
-out on zx0 udp 10.2.2.1,10053 10.3.3.3,12345
-in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
-out on zx0 tcp 10.2.2.1,53 10.3.3.3,12345
diff --git a/contrib/ipfilter/test/input/n5 b/contrib/ipfilter/test/input/n5
deleted file mode 100644
index 579210b..0000000
--- a/contrib/ipfilter/test/input/n5
+++ /dev/null
@@ -1,54 +0,0 @@
-out on zx0 255 10.1.1.0 10.1.1.2
-out on zx0 255 10.1.1.1 10.1.1.2
-out on zx0 255 10.1.1.2 10.1.1.1
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
-out on zx0 255 10.2.2.1 10.1.2.1
-out on zx0 255 10.2.2.2 10.1.2.1
-in on zx0 255 10.1.1.1 10.1.1.2
-in on zx0 255 10.1.1.2 10.1.1.1
-in on zx0 255 10.2.2.1 10.2.1.1
-in on zx0 255 10.2.2.2 10.2.1.1
-in on zx0 255 10.2.2.3 10.1.1.1
-in on zx0 255 10.2.3.4 10.2.2.2
-in on zx0 255 10.1.1.1 10.2.2.2
-in on zx0 255 10.1.1.2 10.2.2.2
-in on zx0 255 10.1.1.0 10.3.4.5
-in on zx0 255 10.1.1.1 10.3.4.5
-in on zx0 255 10.1.1.2 10.3.4.5
-in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
-out on zx0 icmp 10.1.1.1 10.4.3.2
-in on zx0 icmp 10.4.3.2 10.2.2.2
-in on zx0 icmp 10.4.3.2 10.3.4.3
-in on zx0 icmp 10.4.3.2 10.3.4.5
-out on zx0 34 10.1.1.2 10.4.3.2
-in on zx0 34 10.4.3.2 10.3.4.4
-out on zx0 34 10.1.1.2 10.4.3.4
-in on zx0 34 10.4.3.4 10.3.4.5
-out on zx0 34 10.1.1.3 10.4.3.4
-in on zx0 34 10.4.3.4 10.3.4.6
-out on zx0 35 10.1.1.3 10.4.3.4
-in on zx0 35 10.4.3.4 10.3.4.7
-out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
-out on zx0 10.1.1.0 10.1.1.2
-out on zx0 10.1.1.1 10.1.2.1
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
-out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
-out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
-out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
-out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
-out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
-in on zx0 10.1.1.1 10.1.1.2
-in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
-in on zx0 10.1.1.2 10.1.1.1
-out on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
-in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
-out on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
-in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
-out on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
-in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
-out on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
-in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n6 b/contrib/ipfilter/test/input/n6
deleted file mode 100644
index 8a0c924..0000000
--- a/contrib/ipfilter/test/input/n6
+++ /dev/null
@@ -1,13 +0,0 @@
-in on zx0 tcp 10.2.2.2,12345 10.1.1.1,23
-in on zx0 tcp 10.2.2.2,12345 10.1.1.2,23
-in on zx0 tcp 10.3.0.1,12345 10.1.2.2,23
-in on zx0 tcp 10.3.0.1,12345 10.2.2.2,23
-in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
-in on zx0 tcp 10.2.2.2,12345 10.1.1.1,53
-in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
-in on zx0 tcp 10.2.2.2,12345 10.1.0.0,23
-in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
-in on zx0 udp 10.2.2.2,12345 10.1.1.0,53
-in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
-in on zx0 tcp 10.2.2.2,12345 10.1.1.0,53
-in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
diff --git a/contrib/ipfilter/test/input/n7 b/contrib/ipfilter/test/input/n7
deleted file mode 100644
index 79af901..0000000
--- a/contrib/ipfilter/test/input/n7
+++ /dev/null
@@ -1,9 +0,0 @@
-in on zx0 tcp 10.2.3.1,1230 10.1.1.1,22
-in on zx0 tcp 10.2.3.1,1231 10.1.1.1,23
-in on zx0 tcp 10.2.3.1,1232 10.1.1.1,50
-in on zx0 tcp 10.2.3.1,1233 10.1.1.1,79
-in on zx0 tcp 10.2.3.1,1234 10.1.1.1,80
-in on zx0 tcp 10.2.3.1,1235 10.1.1.2,80
-in on zx0 tcp 10.2.3.1,1236 10.1.1.3,80
-in on zx0 tcp 10.2.3.1,1237 10.1.1.4,80
-in on zx0 tcp 10.2.3.1,1238 10.1.1.4,80
diff --git a/contrib/ipfilter/test/input/n8 b/contrib/ipfilter/test/input/n8
deleted file mode 100644
index 1f5b213..0000000
--- a/contrib/ipfilter/test/input/n8
+++ /dev/null
@@ -1,30 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP ECHO (ping) exchange
-[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
-0800 efdf 6220 0000 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
-0000 f7df 6220 0000 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[out,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
-0800 efde 6220 0001 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[in,icmp0] 4500 0054 3fd5 4000 ff01 1fc1 0404 0404 0a0a 0a01
-0000 f7de 6220 0001 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
diff --git a/contrib/ipfilter/test/input/n9 b/contrib/ipfilter/test/input/n9
deleted file mode 100644
index c4aada8..0000000
--- a/contrib/ipfilter/test/input/n9
+++ /dev/null
@@ -1,30 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP ECHO (ping) exchange
-[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
-0800 efdf 6220 0000 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
-0000 f7df 6220 0000 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[in,icmp0] 4500 0054 8bc1 0000 ff01 23dc 0202 0202 0404 0404
-0800 efde 6220 0001 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
-[out,icmp0] 4500 0054 3fd5 4000 ff01 23c5 0a0a 0a01 0202 0202
-0000 f7de 6220 0001 3f6f 6e80 000b
-0d02 0809 0a0b 0c0d 0e0f 1011 1213 1415
-1617 1819 1a1b 1c1d 1e1f 2021 2223 2425
-2627 2829 2a2b 2c2d 2e2f 3031 3233 3435
-3637
-
diff --git a/contrib/ipfilter/test/input/ni1 b/contrib/ipfilter/test/input/ni1
deleted file mode 100644
index fb6b0b6..0000000
--- a/contrib/ipfilter/test/input/ni1
+++ /dev/null
@@ -1,56 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP timeout exceeded in reply to a ICMP packet going out.
-[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 afc9 829e 0014 6b10 0402 0000
-3be5 468d 000a cfc3
-
-[in,df0]
-4500 0038 809a 0000 ff01 2919 0303 0303
-0606 0606 0b00 5f7b 0000 0000
-4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404
-afc9 829e 0014 6308
-
-[in,df0]
-4500 0044 809a 0000 ff01 290d 0303 0303
-0606 0606 0b00 0939 0000 0000
-4500 0028 0000 4000 0111 65b2 0606 0606 0404 0404
-afc9 829e 0014 6308
-0402 0000 3be5 468d 000a cfc3
-
-[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 0800 829e 0014 12da 0402 0000
-3be5 468d 000a cfc3
-
-[in,df0]
-4500 0038 809a 0000 ff01 2918 0303 0303
-0606 0607 0b00 5f7c 0000 0000
-4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404
-4e20 829e 0014 c4b0
-
-[in,df0]
-4500 0044 809a 0000 ff01 290c 0303 0303
-0606 0607 0b00 093a 0000 0000
-4500 0028 0000 4000 0111 65b1 0606 0607 0404 0404
-4e20 829e 0014 c4b0
-0402 0000 3be5 468d 000a cfc3
-
-[out,df0]
-4500 0028 4706 4000 0111 26b4 0202 0202
-0404 0404 5000 829e 0014 cad9 0402 0000
-3be5 468d 000a cfc3
-
-[in,df0]
-4500 0038 809a 0000 ff01 2917 0303 0303
-0606 0608 0b00 0775 0000 0000
-4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404
-07d0 829e 0014 6308
-
-[in,df0]
-4500 0044 809a 0000 ff01 290b 0303 0303
-0606 0608 0b00 093b 0000 0000
-4500 0028 0000 4000 0111 65b0 0606 0608 0404 0404
-07d0 829e 0014 0b00
-0402 0000 3be5 468d 000a cfc3
-
diff --git a/contrib/ipfilter/test/input/ni10 b/contrib/ipfilter/test/input/ni10
deleted file mode 100644
index 48ac225..0000000
--- a/contrib/ipfilter/test/input/ni10
+++ /dev/null
@@ -1,23 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-# IP 4.4.4.4 2.2.2.2 TCP(20480,80)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 acab 0000 0000
-4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606
-5000 0050 0000 0001
-
-# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-# IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80))
-[out,df0]
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 acab 0000 0000
-4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001
-
diff --git a/contrib/ipfilter/test/input/ni11 b/contrib/ipfilter/test/input/ni11
deleted file mode 100644
index 788e603..0000000
--- a/contrib/ipfilter/test/input/ni11
+++ /dev/null
@@ -1,24 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0]
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
-0303 0735 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
-0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-[out,df0]
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
diff --git a/contrib/ipfilter/test/input/ni12 b/contrib/ipfilter/test/input/ni12
deleted file mode 100644
index 788e603..0000000
--- a/contrib/ipfilter/test/input/ni12
+++ /dev/null
@@ -1,24 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0]
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
-0303 0735 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
-0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-[out,df0]
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
diff --git a/contrib/ipfilter/test/input/ni13 b/contrib/ipfilter/test/input/ni13
deleted file mode 100644
index 77569ee..0000000
--- a/contrib/ipfilter/test/input/ni13
+++ /dev/null
@@ -1,235 +0,0 @@
-# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
-[in,pcn1=192.168.113.3]
-4500 0030 5e11 4000 8006 3961 c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
-7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
-[out,pcn1]
-4500 002c 69a6 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
-6012 8000 a348 0000 0204 05b4
-
-# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
-[in,pcn1]
-4500 00c4 5e12 4000 8006 38cc c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
-5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d
-0001 0000 0100 0000 0000 0001 0000 0001
-0000 0a28 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 4d69 6372 6f73 6f66 7420 5769
-6e64 6f77 7320 4e54 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
-[out,pcn1]
-4500 00c4 69a7 4000 4006 6d37 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
-5018 832c cecf 0000 009c 0001 1a2b 3c4d
-0002 0000 0100 0100 0000 0000 0000 0000
-0001 0001 6c6f 6361 6c00 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 6c69 6e75 7800 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
-[in,pcn1]
-4500 00d0 5e13 4000 8006 38bf c0a8 7101
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
-5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d
-0007 0000 4000 1331 0000 012c 05f5 e100
-0000 0003 0000 0003 0040 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-
-# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
-[out,pcn1]
-4500 0048 69a8 4000 4006 6db2 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
-5018 832c 36fa 0000 0020 0001 1a2b 3c4d
-0008 0000 0000 4000 0100 0000 05f5 e100
-0040 0000 0000 0000
-
-# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
-[in,pcn1]
-4500 0040 5e14 4000 8006 394e c0a8 7101
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
-5018 fa34 e810 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 ffff ffff ffff ffff
-
-# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
-[in,pcn1]
-4500 0039 5e15 0000 802f 792b c0a8 7101
-c0a8 7103 3001 880b 0019 0000 0000 0000
-ff03 c021 0100 0015 0104 0578 0506 577f
-7c5b 0702 0802 0d03 06
-
-# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
-[out,pcn1]
-4500 0020 69a9 0000 ff2f eeaf c0a8 7103
-c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
-[out,pcn1]
-4500 0028 69aa 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
-5010 832c b5c1 0000
-
-# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[out,pcn1]
-4500 0038 69ab 0000 ff2f ee95 c0a8 7103
-c0a8 7101 3001 880b 0018 4000 0000 0000
-ff03 c021 0101 0014 0206 0000 0000 0506
-22d9 0cfa 0702 0802
-
-# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
-[out,pcn1]
-4500 002f 69ac 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 000b 4000 0000 0001
-0000 0000 ff03 c021 0400 0007 0d03 06
-
-# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[in,pcn1]
-4500 003c 5e16 0000 802f 7927 c0a8 7101
-c0a8 7103 3081 880b 0018 0000 0000 0001
-0000 0001 ff03 c021 0201 0014 0206 0000
-0000 0506 22d9 0cfa 0702 0802
-
-# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[in,pcn1]
-4500 0036 5e17 0000 802f 792c c0a8 7101
-c0a8 7103 3001 880b 0016 0000 0000 0002
-ff03 c021 0101 0012 0104 0578 0506 577f
-7c5b 0702 0802
-
-# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[out,pcn1]
-4500 003a 69ad 0000 ff2f ee91 c0a8 7103
-c0a8 7101 3081 880b 0016 4000 0000 0002
-0000 0002 ff03 c021 0201 0012 0104 0578
-0506 577f 7c5b 0702 0802
-
-# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
-[out,pcn1]
-4500 0032 69ae 0000 ff2f ee98 c0a8 7103
-c0a8 7101 3001 880b 0012 4000 0000 0003
-8021 0101 0010 0306 c0a8 0001 0206 002d
-0f01
-
-# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
-[in,pcn1]
-4500 0040 5e18 4000 8006 394a c0a8 7101
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
-5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 0000 0000 ffff ffff
-
-# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
-[in,pcn1]
-4500 0038 5e19 0000 802f 7928 c0a8 7101
-c0a8 7103 3081 880b 0014 0000 0000 0003
-0000 0003 c021 0c02 0012 577f 7c5b 4d53
-5241 5356 352e 3130
-
-# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
-[out,pcn1]
-4500 003e 69af 0000 ff2f ee8b c0a8 7103
-c0a8 7101 3081 880b 001a 4000 0000 0004
-0000 0003 ff03 c021 0702 0016 0c02 0012
-577f 7c5b 4d53 5241 5356 352e 3130
-
-# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
-[in,pcn1]
-4500 003e 5e1a 0000 802f 7921 c0a8 7101
-c0a8 7103 3081 880b 001a 0000 0000 0004
-0000 0004 c021 0c03 0018 577f 7c5b 4d53
-5241 532d 302d 434c 4159 4d4f 4f52
-
-# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
-[out,pcn1]
-4500 0044 69b0 0000 ff2f ee84 c0a8 7103
-c0a8 7101 3081 880b 0020 4000 0000 0005
-0000 0004 ff03 c021 0703 001c 0c03 0018
-577f 7c5b 4d53 5241 532d 302d 434c 4159
-4d4f 4f52
-
-# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
-[in,pcn1]
-4500 0030 5e1b 0000 802f 792e c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0005
-0000 0005 80fd 0104 000a 1206 0100 0001
-
-# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
-[out,pcn1]
-4500 002a 69b1 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 0006
-0000 0005 80fd 0101 0004
-
-# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
-[out,pcn1]
-4500 002c 69b2 0000 ff2f ee9a c0a8 7103
-c0a8 7101 3001 880b 000c 4000 0000 0007
-80fd 0404 000a 1206 0100 0001
-
-# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[in,pcn1]
-4500 0048 5e1c 0000 802f 7915 c0a8 7101
-c0a8 7103 3081 880b 0024 0000 0000 0006
-0000 0007 8021 0105 0022 0306 0000 0000
-8106 0000 0000 8206 0000 0000 8306 0000
-0000 8406 0000 0000
-
-# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[out,pcn1]
-4500 0042 69b3 0000 ff2f ee83 c0a8 7103
-c0a8 7101 3081 880b 001e 4000 0000 0008
-0000 0006 8021 0405 001c 8106 0000 0000
-8206 0000 0000 8306 0000 0000 8406 0000
-0000
-
-# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
-[in,pcn1]
-4500 0030 5e1d 0000 802f 792c c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0007
-0000 0008 8021 0401 000a 0206 002d 0f01
-
-# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
-[out,pcn1]
-4500 0030 69b4 0000 ff2f ee94 c0a8 7103
-c0a8 7101 3081 880b 000c 4000 0000 0009
-0000 0007 8021 0102 000a 0306 c0a8 0001
-
-# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
-[in,pcn1]
-4500 002a 5e1e 0000 802f 7931 c0a8 7101
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
-
-# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
-[in,pcn1]
-4500 0032 5e1f 0000 802f 7928 c0a8 7101
-c0a8 7103 3001 880b 0012 0000 0000 0009
-80fd 0506 0010 577f 7c5b 003c cd74 0000
-02dc
-
-# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
-[out,pcn1]
-4500 002a 69b5 0000 ff2f ee99 c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 000a
-0000 0009 80fd 0606 0004
-
diff --git a/contrib/ipfilter/test/input/ni14 b/contrib/ipfilter/test/input/ni14
deleted file mode 100644
index 6811321..0000000
--- a/contrib/ipfilter/test/input/ni14
+++ /dev/null
@@ -1,235 +0,0 @@
-# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
-[in,pcn1=192.168.113.3]
-4500 0030 5e11 4000 8006 3961 c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
-7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
-[out,pcn1]
-4500 002c 69a6 4000 4006 207b 7f00 0001
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
-6012 8000 55f3 0000 0204 05b4
-
-# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
-[in,pcn1]
-4500 00c4 5e12 4000 8006 38cc c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
-5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d
-0001 0000 0100 0000 0000 0001 0000 0001
-0000 0a28 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 4d69 6372 6f73 6f66 7420 5769
-6e64 6f77 7320 4e54 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
-[out,pcn1]
-4500 00c4 69a7 4000 4006 1fe2 7f00 0001
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
-5018 832c 817a 0000 009c 0001 1a2b 3c4d
-0002 0000 0100 0100 0000 0000 0000 0000
-0001 0001 6c6f 6361 6c00 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 6c69 6e75 7800 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
-[in,pcn1]
-4500 00d0 5e13 4000 8006 38bf c0a8 7101
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
-5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d
-0007 0000 4000 1331 0000 012c 05f5 e100
-0000 0003 0000 0003 0040 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-
-# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
-[out,pcn1]
-4500 0048 69a8 4000 4006 205d 7f00 0001
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
-5018 832c e9a4 0000 0020 0001 1a2b 3c4d
-0008 0000 0000 4000 0100 0000 05f5 e100
-0040 0000 0000 0000
-
-# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
-[in,pcn1]
-4500 0040 5e14 4000 8006 394e c0a8 7101
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
-5018 fa34 e810 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 ffff ffff ffff ffff
-
-# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
-[in,pcn1]
-4500 0039 5e15 0000 802f 792b c0a8 7101
-c0a8 7103 3001 880b 0019 0000 0000 0000
-ff03 c021 0100 0015 0104 0578 0506 577f
-7c5b 0702 0802 0d03 06
-
-# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
-[out,pcn1]
-4500 0020 69a9 0000 ff2f a15a 7f00 0001
-c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
-[out,pcn1]
-4500 0028 69aa 4000 4006 207b 7f00 0001
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
-5010 832c 686c 0000
-
-# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[out,pcn1]
-4500 0038 69ab 0000 ff2f a140 7f00 0001
-c0a8 7101 3001 880b 0018 4000 0000 0000
-ff03 c021 0101 0014 0206 0000 0000 0506
-22d9 0cfa 0702 0802
-
-# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
-[out,pcn1]
-4500 002f 69ac 0000 ff2f a148 7f00 0001
-c0a8 7101 3081 880b 000b 4000 0000 0001
-0000 0000 ff03 c021 0400 0007 0d03 06
-
-# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[in,pcn1]
-4500 003c 5e16 0000 802f 7927 c0a8 7101
-c0a8 7103 3081 880b 0018 0000 0000 0001
-0000 0001 ff03 c021 0201 0014 0206 0000
-0000 0506 22d9 0cfa 0702 0802
-
-# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[in,pcn1]
-4500 0036 5e17 0000 802f 792c c0a8 7101
-c0a8 7103 3001 880b 0016 0000 0000 0002
-ff03 c021 0101 0012 0104 0578 0506 577f
-7c5b 0702 0802
-
-# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[out,pcn1]
-4500 003a 69ad 0000 ff2f a13c 7f00 0001
-c0a8 7101 3081 880b 0016 4000 0000 0002
-0000 0002 ff03 c021 0201 0012 0104 0578
-0506 577f 7c5b 0702 0802
-
-# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
-[out,pcn1]
-4500 0032 69ae 0000 ff2f a143 7f00 0001
-c0a8 7101 3001 880b 0012 4000 0000 0003
-8021 0101 0010 0306 c0a8 0001 0206 002d
-0f01
-
-# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
-[in,pcn1]
-4500 0040 5e18 4000 8006 394a c0a8 7101
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
-5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 0000 0000 ffff ffff
-
-# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
-[in,pcn1]
-4500 0038 5e19 0000 802f 7928 c0a8 7101
-c0a8 7103 3081 880b 0014 0000 0000 0003
-0000 0003 c021 0c02 0012 577f 7c5b 4d53
-5241 5356 352e 3130
-
-# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
-[out,pcn1]
-4500 003e 69af 0000 ff2f a136 7f00 0001
-c0a8 7101 3081 880b 001a 4000 0000 0004
-0000 0003 ff03 c021 0702 0016 0c02 0012
-577f 7c5b 4d53 5241 5356 352e 3130
-
-# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
-[in,pcn1]
-4500 003e 5e1a 0000 802f 7921 c0a8 7101
-c0a8 7103 3081 880b 001a 0000 0000 0004
-0000 0004 c021 0c03 0018 577f 7c5b 4d53
-5241 532d 302d 434c 4159 4d4f 4f52
-
-# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
-[out,pcn1]
-4500 0044 69b0 0000 ff2f a12f 7f00 0001
-c0a8 7101 3081 880b 0020 4000 0000 0005
-0000 0004 ff03 c021 0703 001c 0c03 0018
-577f 7c5b 4d53 5241 532d 302d 434c 4159
-4d4f 4f52
-
-# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
-[in,pcn1]
-4500 0030 5e1b 0000 802f 792e c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0005
-0000 0005 80fd 0104 000a 1206 0100 0001
-
-# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
-[out,pcn1]
-4500 002a 69b1 0000 ff2f a148 7f00 0001
-c0a8 7101 3081 880b 0006 4000 0000 0006
-0000 0005 80fd 0101 0004
-
-# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
-[out,pcn1]
-4500 002c 69b2 0000 ff2f a145 7f00 0001
-c0a8 7101 3001 880b 000c 4000 0000 0007
-80fd 0404 000a 1206 0100 0001
-
-# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[in,pcn1]
-4500 0048 5e1c 0000 802f 7915 c0a8 7101
-c0a8 7103 3081 880b 0024 0000 0000 0006
-0000 0007 8021 0105 0022 0306 0000 0000
-8106 0000 0000 8206 0000 0000 8306 0000
-0000 8406 0000 0000
-
-# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[out,pcn1]
-4500 0042 69b3 0000 ff2f a12e 7f00 0001
-c0a8 7101 3081 880b 001e 4000 0000 0008
-0000 0006 8021 0405 001c 8106 0000 0000
-8206 0000 0000 8306 0000 0000 8406 0000
-0000
-
-# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
-[in,pcn1]
-4500 0030 5e1d 0000 802f 792c c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0007
-0000 0008 8021 0401 000a 0206 002d 0f01
-
-# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
-[out,pcn1]
-4500 0030 69b4 0000 ff2f a13f 7f00 0001
-c0a8 7101 3081 880b 000c 4000 0000 0009
-0000 0007 8021 0102 000a 0306 c0a8 0001
-
-# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
-[in,pcn1]
-4500 002a 5e1e 0000 802f 7931 c0a8 7101
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
-
-# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
-[in,pcn1]
-4500 0032 5e1f 0000 802f 7928 c0a8 7101
-c0a8 7103 3001 880b 0012 0000 0000 0009
-80fd 0506 0010 577f 7c5b 003c cd74 0000
-02dc
-
-# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
-[out,pcn1]
-4500 002a 69b5 0000 ff2f a144 7f00 0001
-c0a8 7101 3081 880b 0006 4000 0000 000a
-0000 0009 80fd 0606 0004
-
diff --git a/contrib/ipfilter/test/input/ni15 b/contrib/ipfilter/test/input/ni15
deleted file mode 100644
index fb445bb..0000000
--- a/contrib/ipfilter/test/input/ni15
+++ /dev/null
@@ -1,235 +0,0 @@
-# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
-[out,pcn1=192.168.113.3]
-4500 0030 5e11 4000 8006 3961 c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
-7002 faf0 21a1 0000 0204 05b4 0101 0402
-
-# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
-[in,pcn1]
-4500 002c 69a6 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
-6012 8000 a348 0000 0204 05b4
-
-# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
-[out,pcn1]
-4500 00c4 5e12 4000 8006 38cc c0a8 7101
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
-5018 faf0 e2a0 0000 009c 0001 1a2b 3c4d
-0001 0000 0100 0000 0000 0001 0000 0001
-0000 0a28 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 4d69 6372 6f73 6f66 7420 5769
-6e64 6f77 7320 4e54 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
-[in,pcn1]
-4500 00c4 69a7 4000 4006 6d37 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
-5018 832c cecf 0000 009c 0001 1a2b 3c4d
-0002 0000 0100 0100 0000 0000 0000 0000
-0001 0001 6c6f 6361 6c00 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 6c69 6e75 7800 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
-[out,pcn1]
-4500 00d0 5e13 4000 8006 38bf c0a8 7101
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
-5018 fa54 ac07 0000 00a8 0001 1a2b 3c4d
-0007 0000 4000 1331 0000 012c 05f5 e100
-0000 0003 0000 0003 0040 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-
-# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
-[in,pcn1]
-4500 0048 69a8 4000 4006 6db2 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
-5018 832c 36fa 0000 0020 0001 1a2b 3c4d
-0008 0000 0000 4000 0100 0000 05f5 e100
-0040 0000 0000 0000
-
-# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
-[out,pcn1]
-4500 0040 5e14 4000 8006 394e c0a8 7101
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
-5018 fa34 e810 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 ffff ffff ffff ffff
-
-# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
-[out,pcn1]
-4500 0039 5e15 0000 802f 792b c0a8 7101
-c0a8 7103 3001 880b 0019 0000 0000 0000
-ff03 c021 0100 0015 0104 0578 0506 577f
-7c5b 0702 0802 0d03 06
-
-# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
-[in,pcn1]
-4500 0020 69a9 0000 ff2f eeaf c0a8 7103
-c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
-[in,pcn1]
-4500 0028 69aa 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
-5010 832c b5c1 0000
-
-# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[in,pcn1]
-4500 0038 69ab 0000 ff2f ee95 c0a8 7103
-c0a8 7101 3001 880b 0018 4000 0000 0000
-ff03 c021 0101 0014 0206 0000 0000 0506
-22d9 0cfa 0702 0802
-
-# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
-[in,pcn1]
-4500 002f 69ac 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 000b 4000 0000 0001
-0000 0000 ff03 c021 0400 0007 0d03 06
-
-# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[out,pcn1]
-4500 003c 5e16 0000 802f 7927 c0a8 7101
-c0a8 7103 3081 880b 0018 0000 0000 0001
-0000 0001 ff03 c021 0201 0014 0206 0000
-0000 0506 22d9 0cfa 0702 0802
-
-# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[out,pcn1]
-4500 0036 5e17 0000 802f 792c c0a8 7101
-c0a8 7103 3001 880b 0016 0000 0000 0002
-ff03 c021 0101 0012 0104 0578 0506 577f
-7c5b 0702 0802
-
-# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[in,pcn1]
-4500 003a 69ad 0000 ff2f ee91 c0a8 7103
-c0a8 7101 3081 880b 0016 4000 0000 0002
-0000 0002 ff03 c021 0201 0012 0104 0578
-0506 577f 7c5b 0702 0802
-
-# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
-[in,pcn1]
-4500 0032 69ae 0000 ff2f ee98 c0a8 7103
-c0a8 7101 3001 880b 0012 4000 0000 0003
-8021 0101 0010 0306 c0a8 0001 0206 002d
-0f01
-
-# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
-[out,pcn1]
-4500 0040 5e18 4000 8006 394a c0a8 7101
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
-5018 fa34 e7f8 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 0000 0000 ffff ffff
-
-# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
-[out,pcn1]
-4500 0038 5e19 0000 802f 7928 c0a8 7101
-c0a8 7103 3081 880b 0014 0000 0000 0003
-0000 0003 c021 0c02 0012 577f 7c5b 4d53
-5241 5356 352e 3130
-
-# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
-[in,pcn1]
-4500 003e 69af 0000 ff2f ee8b c0a8 7103
-c0a8 7101 3081 880b 001a 4000 0000 0004
-0000 0003 ff03 c021 0702 0016 0c02 0012
-577f 7c5b 4d53 5241 5356 352e 3130
-
-# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
-[out,pcn1]
-4500 003e 5e1a 0000 802f 7921 c0a8 7101
-c0a8 7103 3081 880b 001a 0000 0000 0004
-0000 0004 c021 0c03 0018 577f 7c5b 4d53
-5241 532d 302d 434c 4159 4d4f 4f52
-
-# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
-[in,pcn1]
-4500 0044 69b0 0000 ff2f ee84 c0a8 7103
-c0a8 7101 3081 880b 0020 4000 0000 0005
-0000 0004 ff03 c021 0703 001c 0c03 0018
-577f 7c5b 4d53 5241 532d 302d 434c 4159
-4d4f 4f52
-
-# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
-[out,pcn1]
-4500 0030 5e1b 0000 802f 792e c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0005
-0000 0005 80fd 0104 000a 1206 0100 0001
-
-# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
-[in,pcn1]
-4500 002a 69b1 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 0006
-0000 0005 80fd 0101 0004
-
-# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
-[in,pcn1]
-4500 002c 69b2 0000 ff2f ee9a c0a8 7103
-c0a8 7101 3001 880b 000c 4000 0000 0007
-80fd 0404 000a 1206 0100 0001
-
-# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[out,pcn1]
-4500 0048 5e1c 0000 802f 7915 c0a8 7101
-c0a8 7103 3081 880b 0024 0000 0000 0006
-0000 0007 8021 0105 0022 0306 0000 0000
-8106 0000 0000 8206 0000 0000 8306 0000
-0000 8406 0000 0000
-
-# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[in,pcn1]
-4500 0042 69b3 0000 ff2f ee83 c0a8 7103
-c0a8 7101 3081 880b 001e 4000 0000 0008
-0000 0006 8021 0405 001c 8106 0000 0000
-8206 0000 0000 8306 0000 0000 8406 0000
-0000
-
-# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
-[out,pcn1]
-4500 0030 5e1d 0000 802f 792c c0a8 7101
-c0a8 7103 3081 880b 000c 0000 0000 0007
-0000 0008 8021 0401 000a 0206 002d 0f01
-
-# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
-[in,pcn1]
-4500 0030 69b4 0000 ff2f ee94 c0a8 7103
-c0a8 7101 3081 880b 000c 4000 0000 0009
-0000 0007 8021 0102 000a 0306 c0a8 0001
-
-# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
-[out,pcn1]
-4500 002a 5e1e 0000 802f 7931 c0a8 7101
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
-
-# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
-[out,pcn1]
-4500 0032 5e1f 0000 802f 7928 c0a8 7101
-c0a8 7103 3001 880b 0012 0000 0000 0009
-80fd 0506 0010 577f 7c5b 003c cd74 0000
-02dc
-
-# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
-[in,pcn1]
-4500 002a 69b5 0000 ff2f ee99 c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 000a
-0000 0009 80fd 0606 0004
-
diff --git a/contrib/ipfilter/test/input/ni16 b/contrib/ipfilter/test/input/ni16
deleted file mode 100644
index 24bfcfc..0000000
--- a/contrib/ipfilter/test/input/ni16
+++ /dev/null
@@ -1,235 +0,0 @@
-# 23:18:36.130424 192.168.113.1.1511 > 192.168.113.3.1723: S 2884651685:2884651685(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
-[out,pcn1=192.168.113.1]
-4500 0030 5e11 4000 8006 5f07 0a02 0202
-c0a8 7103 05e7 06bb abf0 4aa5 0000 0000
-7002 faf0 4747 0000 0204 05b4 0101 0402
-
-# 23:18:36.130778 192.168.113.3.1723 > 192.168.113.1.1511: S 2774821082:2774821082(0) ack 2884651686 win 32768 <mss 1460> (DF)
-[in,pcn1]
-4500 002c 69a6 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68da abf0 4aa6
-6012 8000 a348 0000 0204 05b4
-
-# 23:18:36.130784 192.168.113.1.1511 > 192.168.113.3.1723: P 1:157(156) ack 1 win 64240: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF)
-[out,pcn1]
-4500 00c4 5e12 4000 8006 5e72 0a02 0202
-c0a8 7103 05e7 06bb abf0 4aa6 a564 68db
-5018 faf0 0847 0000 009c 0001 1a2b 3c4d
-0001 0000 0100 0000 0000 0001 0000 0001
-0000 0a28 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 4d69 6372 6f73 6f66 7420 5769
-6e64 6f77 7320 4e54 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260235 192.168.113.3.1723 > 192.168.113.1.1511: P 1:157(156) ack 157 win 33580: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux) (DF)
-[in,pcn1]
-4500 00c4 69a7 4000 4006 6d37 c0a8 7103
-c0a8 7101 06bb 05e7 a564 68db abf0 4b42
-5018 832c cecf 0000 009c 0001 1a2b 3c4d
-0002 0000 0100 0100 0000 0000 0000 0000
-0001 0001 6c6f 6361 6c00 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 6c69 6e75 7800 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-# 23:18:36.260252 192.168.113.1.1511 > 192.168.113.3.1723: P 157:325(168) ack 157 win 64084: pptp CTRL_MSGTYPE=OCRQ CALL_ID(16384) CALL_SER_NUM(4913) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR() (DF)
-[out,pcn1]
-4500 00d0 5e13 4000 8006 5e65 0a02 0202
-c0a8 7103 05e7 06bb abf0 4b42 a564 6977
-5018 fa54 d1ad 0000 00a8 0001 1a2b 3c4d
-0007 0000 4000 1331 0000 012c 05f5 e100
-0000 0003 0000 0003 0040 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-
-# 23:18:36.272856 192.168.113.3.1723 > 192.168.113.1.1511: P 157:189(32) ack 325 win 33580: pptp CTRL_MSGTYPE=OCRP CALL_ID(0) PEER_CALL_ID(16384) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0) (DF)
-[in,pcn1]
-4500 0048 69a8 4000 4006 6db2 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6977 abf0 4bea
-5018 832c 36fa 0000 0020 0001 1a2b 3c4d
-0008 0000 0000 4000 0100 0000 05f5 e100
-0040 0000 0000 0000
-
-# 23:18:36.321819 192.168.113.1.1511 > 192.168.113.3.1723: P 325:349(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff) (DF)
-[out,pcn1]
-4500 0040 5e14 4000 8006 5ef4 0a02 0202
-c0a8 7103 05e7 06bb abf0 4bea a564 6997
-5018 fa34 0db7 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 ffff ffff ffff ffff
-
-# 23:18:36.349759 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:0 ppp: LCP 25: Conf-Req(0), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC, Call-Back CBCP
-[out,pcn1]
-4500 0039 5e15 0000 802f 9ed1 0a02 0202
-c0a8 7103 3001 880b 0019 0000 0000 0000
-ff03 c021 0100 0015 0104 0578 0506 577f
-7c5b 0702 0802 0d03 06
-
-# 23:18:36.389970 192.168.113.3 > 192.168.113.1: gre [KAv1] ID:4000 A:4294967295 [|gre]
-[in,pcn1]
-4500 0020 69a9 0000 ff2f eeaf c0a8 7103
-c0a8 7101 2081 880b 0000 4000 ffff ffff
-
-# 23:18:36.518426 192.168.113.3.1723 > 192.168.113.1.1511: . ack 349 win 33580 (DF)
-[in,pcn1]
-4500 0028 69aa 4000 4006 6dd0 c0a8 7103
-c0a8 7101 06bb 05e7 a564 6997 abf0 4c02
-5010 832c b5c1 0000
-
-# 23:18:36.555363 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:0 ppp: LCP 24: Conf-Req(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[in,pcn1]
-4500 0038 69ab 0000 ff2f ee95 c0a8 7103
-c0a8 7101 3001 880b 0018 4000 0000 0000
-ff03 c021 0101 0014 0206 0000 0000 0506
-22d9 0cfa 0702 0802
-
-# 23:18:36.556030 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:1 A:0 ppp: LCP 11: Conf-Rej(0), Call-Back CBCP
-[in,pcn1]
-4500 002f 69ac 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 000b 4000 0000 0001
-0000 0000 ff03 c021 0400 0007 0d03 06
-
-# 23:18:36.557166 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:1 A:1 ppp: LCP 24: Conf-Ack(1), ACCM=00000000, Magic-Num=22d90cfa, PFC, ACFC
-[out,pcn1]
-4500 003c 5e16 0000 802f 9ecd 0a02 0202
-c0a8 7103 3081 880b 0018 0000 0000 0001
-0000 0001 ff03 c021 0201 0014 0206 0000
-0000 0506 22d9 0cfa 0702 0802
-
-# 23:18:36.557764 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:2 ppp: LCP 22: Conf-Req(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[out,pcn1]
-4500 0036 5e17 0000 802f 9ed2 0a02 0202
-c0a8 7103 3001 880b 0016 0000 0000 0002
-ff03 c021 0101 0012 0104 0578 0506 577f
-7c5b 0702 0802
-
-# 23:18:36.564658 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:2 A:2 ppp: LCP 22: Conf-Ack(1), MRU=1400, Magic-Num=577f7c5b, PFC, ACFC
-[in,pcn1]
-4500 003a 69ad 0000 ff2f ee91 c0a8 7103
-c0a8 7101 3081 880b 0016 4000 0000 0002
-0000 0002 ff03 c021 0201 0012 0104 0578
-0506 577f 7c5b 0702 0802
-
-# 23:18:36.564803 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:3 ppp: IPCP 18: Conf-Req(1), IP-Addr=192.168.0.1, IP-Comp VJ-Comp
-[in,pcn1]
-4500 0032 69ae 0000 ff2f ee98 c0a8 7103
-c0a8 7101 3001 880b 0012 4000 0000 0003
-8021 0101 0010 0306 c0a8 0001 0206 002d
-0f01
-
-# 23:18:36.570395 192.168.113.1.1511 > 192.168.113.3.1723: P 349:373(24) ack 189 win 64052: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(0) SEND_ACCM(0x00000000) RECV_ACCM(0xffffffff) (DF)
-[out,pcn1]
-4500 0040 5e18 4000 8006 5ef0 0a02 0202
-c0a8 7103 05e7 06bb abf0 4c02 a564 6997
-5018 fa34 0d9f 0000 0018 0001 1a2b 3c4d
-000f 0000 0000 0000 0000 0000 ffff ffff
-
-# 23:18:36.573307 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:3 A:3 ppp: LCP 20: Ident(2), Magic-Num=577f7c5b
-[out,pcn1]
-4500 0038 5e19 0000 802f 9ece 0a02 0202
-c0a8 7103 3081 880b 0014 0000 0000 0003
-0000 0003 c021 0c02 0012 577f 7c5b 4d53
-5241 5356 352e 3130
-
-# 23:18:36.573856 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:4 A:3 ppp: LCP 26: Code-Rej(2)
-[in,pcn1]
-4500 003e 69af 0000 ff2f ee8b c0a8 7103
-c0a8 7101 3081 880b 001a 4000 0000 0004
-0000 0003 ff03 c021 0702 0016 0c02 0012
-577f 7c5b 4d53 5241 5356 352e 3130
-
-# 23:18:36.584936 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:4 A:4 ppp: LCP 26: Ident(3), Magic-Num=577f7c5b
-[out,pcn1]
-4500 003e 5e1a 0000 802f 9ec7 0a02 0202
-c0a8 7103 3081 880b 001a 0000 0000 0004
-0000 0004 c021 0c03 0018 577f 7c5b 4d53
-5241 532d 302d 434c 4159 4d4f 4f52
-
-# 23:18:36.585562 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:5 A:4 ppp: LCP 32: Code-Rej(3)
-[in,pcn1]
-4500 0044 69b0 0000 ff2f ee84 c0a8 7103
-c0a8 7101 3081 880b 0020 4000 0000 0005
-0000 0004 ff03 c021 0703 001c 0c03 0018
-577f 7c5b 4d53 5241 532d 302d 434c 4159
-4d4f 4f52
-
-# 23:18:36.588721 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:5 A:5 ppp: CCP 12: Conf-Req(4), MPPC
-[out,pcn1]
-4500 0030 5e1b 0000 802f 9ed4 0a02 0202
-c0a8 7103 3081 880b 000c 0000 0000 0005
-0000 0005 80fd 0104 000a 1206 0100 0001
-
-# 23:18:36.589445 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:6 A:5 ppp: CCP 6: Conf-Req(1)
-[in,pcn1]
-4500 002a 69b1 0000 ff2f ee9d c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 0006
-0000 0005 80fd 0101 0004
-
-# 23:18:36.589540 192.168.113.3 > 192.168.113.1: gre [KSv1] ID:4000 S:7 ppp: CCP 12: Conf-Rej(4), MPPC
-[in,pcn1]
-4500 002c 69b2 0000 ff2f ee9a c0a8 7103
-c0a8 7101 3001 880b 000c 4000 0000 0007
-80fd 0404 000a 1206 0100 0001
-
-# 23:18:36.590023 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:6 A:7 ppp: IPCP 36: Conf-Req(5), IP-Addr=0.0.0.0, Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[out,pcn1]
-4500 0048 5e1c 0000 802f 9ebb 0a02 0202
-c0a8 7103 3081 880b 0024 0000 0000 0006
-0000 0007 8021 0105 0022 0306 0000 0000
-8106 0000 0000 8206 0000 0000 8306 0000
-0000 8406 0000 0000
-
-# 23:18:36.590489 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:8 A:6 ppp: IPCP 30: Conf-Rej(5), Pri-DNS=0.0.0.0, Pri-NBNS=0.0.0.0, Sec-DNS=0.0.0.0, Sec-NBNS=0.0.0.0
-[in,pcn1]
-4500 0042 69b3 0000 ff2f ee83 c0a8 7103
-c0a8 7101 3081 880b 001e 4000 0000 0008
-0000 0006 8021 0405 001c 8106 0000 0000
-8206 0000 0000 8306 0000 0000 8406 0000
-0000
-
-# 23:18:36.591003 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:7 A:8 ppp: IPCP 12: Conf-Rej(1), IP-Comp VJ-Comp
-[out,pcn1]
-4500 0030 5e1d 0000 802f 9ed2 0a02 0202
-c0a8 7103 3081 880b 000c 0000 0000 0007
-0000 0008 8021 0401 000a 0206 002d 0f01
-
-# 23:18:36.593819 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:9 A:7 ppp: IPCP 12: Conf-Req(2), IP-Addr=192.168.0.1
-[in,pcn1]
-4500 0030 69b4 0000 ff2f ee94 c0a8 7103
-c0a8 7101 3081 880b 000c 4000 0000 0009
-0000 0007 8021 0102 000a 0306 c0a8 0001
-
-# 23:18:36.594840 192.168.113.1 > 192.168.113.3: gre [KSAv1] ID:0000 S:8 A:9 ppp: CCP 6: Conf-Ack(1)
-[out,pcn1]
-4500 002a 5e1e 0000 802f 9ed7 0a02 0202
-c0a8 7103 3081 880b 0006 0000 0000 0008
-0000 0009 80fd 0201 0004 0000 0000
-
-# 23:18:36.595525 192.168.113.1 > 192.168.113.3: gre [KSv1] ID:0000 S:9 ppp: CCP 18: Term-Req(6)
-[out,pcn1]
-4500 0032 5e1f 0000 802f 9ece 0a02 0202
-c0a8 7103 3001 880b 0012 0000 0000 0009
-80fd 0506 0010 577f 7c5b 003c cd74 0000
-02dc
-
-# 23:18:36.595937 192.168.113.3 > 192.168.113.1: gre [KSAv1] ID:4000 S:10 A:9 ppp: CCP 6: Term-Ack(6)
-[in,pcn1]
-4500 002a 69b5 0000 ff2f ee99 c0a8 7103
-c0a8 7101 3081 880b 0006 4000 0000 000a
-0000 0009 80fd 0606 0004
-
diff --git a/contrib/ipfilter/test/input/ni17 b/contrib/ipfilter/test/input/ni17
deleted file mode 100644
index f9dec94..0000000
--- a/contrib/ipfilter/test/input/ni17
+++ /dev/null
@@ -1,6 +0,0 @@
-in on le0 tcp 10.2.2.5,2000 203.1.1.1,80
-in on le0 tcp 10.2.2.6,2000 203.1.1.1,80
-in on le0 tcp 10.2.2.7,2000 203.1.1.1,80
-in on le0 tcp 10.2.2.7,2001 203.1.1.1,80
-in on le0 tcp 10.2.2.8,2000 203.1.1.1,80
-in on le0 tcp 10.2.2.9,2000 203.1.1.1,80
diff --git a/contrib/ipfilter/test/input/ni19 b/contrib/ipfilter/test/input/ni19
deleted file mode 100644
index d95e68a..0000000
--- a/contrib/ipfilter/test/input/ni19
+++ /dev/null
@@ -1,157 +0,0 @@
-# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
-[out,bge0]
-4500 0040 e3fc 4000 4006 1a0b c0a8 7103
-0a01 0104 03f1 0202 6523 90b2 0000 0000
-b002 8000 7d87 0000 0204 05b4 0103 0300
-0402 0101 0101 080a 0000 0000 0000 0000
-
-# 10.1.1.4.shell > 10.1.1.1.1009: SYN win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
-[in,bge0]
-4500 0034 0000 4000 4006 24be 0a01 0104
-0a01 0101 0202 03f1 915a a5c4 6523 90b3
-8012 16d0 0f47 0000 0204 05b4 0101 0402
-0103 0302
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0028 e3fd 4000 4006 1a22 c0a8 7103
-0a01 0104 03f1 0202 6523 90b3 915a a5c5
-5010 832c bd0d 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 002d e3fe 4000 4006 1a1c c0a8 7103
-0a01 0104 03f1 0202 6523 90b3 915a a5c5
-5018 832c 5b98 0000 3130 3038 00
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0028 7ce5 4000 4006 a7e4 0a01 0104
-0a01 0101 0202 03f1 915a a5c5 6523 90b8
-5010 05b4 612b 0000 0000 0000 0000
-
-# 10.1.1.4.1023 > 10.1.1.1.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
-[in,bge0]
-4500 003c 1186 4000 4006 1330 0a01 0104
-0a01 0101 03ff 03f0 91d4 c8a2 0000 0000
-a002 16d0 df6a 0000 0204 05b4 0402 080a
-0039 d924 0000 0000 0103 0302
-
-# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 3791140,sackOK,nop,nop>
-[out,bge0]
-4500 0040 e3ff 4000 4006 1a08 c0a8 7103
-0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3
-b012 8000 1e85 0000 0204 05b4 0103 0300
-0101 080a 0000 0000 0039 d924 0402 0101
-
-# 10.1.1.4.1023 > 10.1.1.1.1008
-[in,bge0]
-4500 0034 1188 4000 4006 1336 0a01 0104
-0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811
-8010 05b4 0046 0000 0101 080a 0039 d925
-0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0030 e400 4000 4006 1a17 c0a8 7103
-0a01 0104 03f1 0202 6523 90b8 915a a5c5
-5018 832c 0eb6 0000 6461 7272 656e 7200
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0028 7ce7 4000 4006 a7e2 0a01 0104
-0a01 0101 0202 03f1 915a a5c5 6523 90c0
-5010 05b4 6123 0000 0000 0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0053 e401 4000 4006 19f3 c0a8 7103
-0a01 0104 03f1 0202 6523 90c0 915a a5c5
-5018 832c a63d 0000 6461 7272 656e 7200
-7368 202d 6320 2265 6368 6f20 666f 6f20
-3e26 313b 2065 6368 6f20 6261 7220 3e26
-3222 00
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0028 7ce9 4000 4006 a7e0 0a01 0104
-0a01 0101 0202 03f1 915a a5c5 6523 90eb
-5010 05b4 60f8 0000 0000 0000 0000
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0029 7ceb 4000 4006 a7dd 0a01 0104
-0a01 0101 0202 03f1 915a a5c5 6523 90eb
-5018 05b4 60ef 0000 0000 0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0028 e403 4000 4006 1a1c c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5c6
-5010 832c bcd4 0000
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 002c 7ced 4000 4006 a7d8 0a01 0104
-0a01 0101 0202 03f1 915a a5c6 6523 90eb
-5018 05b4 8b71 0000 666f 6f0a 0000
-
-# 10.1.1.4.1023 > 10.1.1.1.1008
-[in,bge0]
-4500 0038 118a 4000 4006 1330 0a01 0104
-0a01 0101 03ff 03f0 91d4 c8a3 66e5 b811
-8018 05b4 2787 0000 0101 080a 0039 dd6c
-0000 0000 6261 720a
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0028 7cef 4000 4006 a7da 0a01 0104
-0a01 0101 0202 03f1 915a a5ca 6523 90eb
-5011 05b4 60f2 0000 0000 0000 0000
-
-# 10.1.1.4.1023 > 10.1.1.1.1008
-[in,bge0]
-4500 0034 118c 4000 4006 1332 0a01 0104
-0a01 0101 03ff 03f0 91d4 c8a7 66e5 b811
-8011 05b4 fbf8 0000 0101 080a 0039 dd6d
-0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0028 e404 4000 4006 1a1b c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5cb
-5010 8328 bcd3 0000
-
-# 192.168.113.3.1008 > 10.1.1.4.1023
-[out,bge0]
-4500 0034 e405 4000 4006 1a0e c0a8 7103
-0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
-8010 8328 57d7 0000 0101 080a 0000 0004
-0039 dd6c
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[out,bge0]
-4500 0028 e40a 4000 4006 1a15 c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5cb
-5011 832c bcce 0000
-
-# 192.168.113.3.1008 > 10.1.1.4.1023
-[out,bge0]
-4500 0034 e40b 4000 4006 1a08 c0a8 7103
-0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
-8011 832c 57d2 0000 0101 080a 0000 0004
-0039 dd6c
-
-# 10.1.1.4.shell > 10.1.1.1.1009
-[in,bge0]
-4500 0028 0004 4000 4006 24c6 0a01 0104
-0a01 0101 0202 03f1 915a a5cb 6523 90ec
-5010 05b4 60f1 0000 0000 0000 0000
-
-# 10.1.1.4.1023 > 10.1.1.1.1008
-[in,bge0]
-4500 0034 118e 4000 4006 1330 0a01 0104
-0a01 0101 03ff 03f0 91d4 c8a8 66e5 b812
-8010 05b4 fbf2 0000 0101 080a 0039 dd6e
-0000 0004
-
diff --git a/contrib/ipfilter/test/input/ni2 b/contrib/ipfilter/test/input/ni2
deleted file mode 100644
index 3045821..0000000
--- a/contrib/ipfilter/test/input/ni2
+++ /dev/null
@@ -1,161 +0,0 @@
-# Test of fragmentation required coming from the inside.
-[out,xl0]
-4510 002c bd0d 4000 3e06 b1d1
-0a01 0201
-c0a8 0133
-05f6 0077 a664 2485 0000 0000
-6002 4000 b8f2 0000 0204 05b4
-
-[in,xl0]
-4500 002c ce83 4000 7e06 606b
-c0a8 0133
-0a01 0201
-0077 05f6 fbdf 1a21 a664 2486
-6012 2238 c0a8 0000 0204 05b4 0000
-
-[out,xl0]
-4510 0028 bd0e 4000 3e06 b1d4
-0a01 0201
-c0a8 0133
-05f6 0077 a664 2486 fbdf 1a22
-5010 4470 b62d 0000
-
-[in,xl0]
-4500 005b cf83 4000 7e06 5f3c
-c0a8 0133
-0a01 0201
-0077 05f6 fbdf 1a22 a664 2486
-5018 2238 ce2a 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0a
-
-[out,xl0]
-4510 0028 bd18 4000 3e06 b1ca
-0a01 0201
-c0a8 0133
-05f6 0077 a664 2486 fbdf 1a55
-5010 4470 b5fa 0000
-
-[out,xl0]
-4510 002e bd1e 4000 3e06 b1be
-0a01 0201
-c0a8 0133
-05f6 0077 a664 2486 fbdf 1a55
-5018 4470 a8e2 0000 0000 0000 0d0a
-
-[in,xl0]
-4500 0048 e383 4000 7e06 4b4f
-c0a8 0133
-0a01 0201
-0077 05f6 fbdf 1a55 a664 248c
-5018 2232 d80a 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000
-
-[in,xl0]
-4500 05dc e483 4000 7e06 44bb
-c0a8 0133
-0a01 0201
-0077 05f6 fbdf 1a75 a664 248c
-5010 2232 9f2d 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3331 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 1111 2222 3333
-0000 0000 0000 0000 0000 0000 1111 2222
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 1111 2222 3333 0000 0000 0000 0000
-0000 0000 1111 2222 3333 0000 0000 0000
-0000 0000 0000 1111 2222 3333 0000 0000
-0000 0000 0000 0000 1111 2222 3333 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0000 0000 0000
-
-[out,xl0]
-4500 0038 d71d 4000 4001 7d22
-c0a8 6401
-c0a8 0133
-0304 3435 0000 05a0
-4500 05dc e483 4000 7e06 44bb c0a8 0133 0a01 0201
-0077 05f6 fbdf 1a75 a664
-
diff --git a/contrib/ipfilter/test/input/ni20 b/contrib/ipfilter/test/input/ni20
deleted file mode 100644
index 4c2b87e..0000000
--- a/contrib/ipfilter/test/input/ni20
+++ /dev/null
@@ -1,157 +0,0 @@
-# 192.168.113.3.1009 > 10.1.1.4.shell: SYN win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
-[in,bge0]
-4500 0040 e3fc 4000 4006 1a0b c0a8 7103
-0a01 0104 03f1 0202 6523 90b2 0000 0000
-b002 8000 7d87 0000 0204 05b4 0103 0300
-0402 0101 0101 080a 0000 0000 0000 0000
-
-# 192.168.113.4.shell > 192.168.113.3.1009: SYN win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
-[out,bge0]
-4500 0034 0000 4000 4006 d76b c0a8 7104
-c0a8 7103 0202 03f1 915a a5c4 6523 90b3
-8012 16d0 c1f4 0000 0204 05b4 0101 0402
-0103 0302
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0028 e3fd 4000 4006 1a22 c0a8 7103
-0a01 0104 03f1 0202 6523 90b3 915a a5c5
-5010 832c bd0d 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 002d e3fe 4000 4006 1a1c c0a8 7103
-0a01 0104 03f1 0202 6523 90b3 915a a5c5
-5018 832c 5b98 0000 3130 3038 00
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0028 7ce5 4000 4006 5a92 c0a8 7104
-c0a8 7103 0202 03f1 915a a5c5 6523 90b8
-5010 05b4 13d9 0000 0000 0000 0000
-
-# 192.168.113.4.1023 > 192.168.113.3.1008: SYN win 5840 <mss 1460,sackOK,timestamp 3791140 0,nop,wscale 2>
-[out,bge0]
-4500 003c 1186 4000 4006 c5dd c0a8 7104
-c0a8 7103 03ff 03f0 91d4 c8a2 0000 0000
-a002 16d0 9218 0000 0204 05b4 0402 080a
-0039 d924 0000 0000 0103 0302
-
-# 192.168.113.3.1008 > 10.1.1.4.1023: SYN win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 3791140,sackOK,nop,nop>
-[in,bge0]
-4500 0040 e3ff 4000 4006 1a08 c0a8 7103
-0a01 0104 03f0 03ff 66e5 b810 91d4 c8a3
-b012 8000 1e85 0000 0204 05b4 0103 0300
-0101 080a 0000 0000 0039 d924 0402 0101
-
-# 192.168.113.4.1023 > 192.168.113.3.1008
-[out,bge0]
-4500 0034 1188 4000 4006 c5e3 c0a8 7104
-c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
-8010 05b4 b2f3 0000 0101 080a 0039 d925
-0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0030 e400 4000 4006 1a17 c0a8 7103
-0a01 0104 03f1 0202 6523 90b8 915a a5c5
-5018 832c 0eb6 0000 6461 7272 656e 7200
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0028 7ce7 4000 4006 5a90 c0a8 7104
-c0a8 7103 0202 03f1 915a a5c5 6523 90c0
-5010 05b4 13d1 0000 0000 0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0053 e401 4000 4006 19f3 c0a8 7103
-0a01 0104 03f1 0202 6523 90c0 915a a5c5
-5018 832c a63d 0000 6461 7272 656e 7200
-7368 202d 6320 2265 6368 6f20 666f 6f20
-3e26 313b 2065 6368 6f20 6261 7220 3e26
-3222 00
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0028 7ce9 4000 4006 5a8e c0a8 7104
-c0a8 7103 0202 03f1 915a a5c5 6523 90eb
-5010 05b4 13a6 0000 0000 0000 0000
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0029 7ceb 4000 4006 5a8b c0a8 7104
-c0a8 7103 0202 03f1 915a a5c5 6523 90eb
-5018 05b4 139d 0000 0000 0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0028 e403 4000 4006 1a1c c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5c6
-5010 832c bcd4 0000
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 002c 7ced 4000 4006 5a86 c0a8 7104
-c0a8 7103 0202 03f1 915a a5c6 6523 90eb
-5018 05b4 3e1f 0000 666f 6f0a 0000
-
-# 192.168.113.4.1023 > 192.168.113.3.1008
-[out,bge0]
-4500 0038 118a 4000 4006 c5dd c0a8 7104
-c0a8 7103 03ff 03f0 91d4 c8a3 66e5 b811
-8018 05b4 da34 0000 0101 080a 0039 dd6c
-0000 0000 6261 720a
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0028 7cef 4000 4006 5a88 c0a8 7104
-c0a8 7103 0202 03f1 915a a5ca 6523 90eb
-5011 05b4 13a0 0000 0000 0000 0000
-
-# 192.168.113.4.1023 > 192.168.113.3.1008
-[out,bge0]
-4500 0034 118c 4000 4006 c5df c0a8 7104
-c0a8 7103 03ff 03f0 91d4 c8a7 66e5 b811
-8011 05b4 aea6 0000 0101 080a 0039 dd6d
-0000 0000
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0028 e404 4000 4006 1a1b c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5cb
-5010 8328 bcd3 0000
-
-# 192.168.113.3.1008 > 10.1.1.4.1023
-[in,bge0]
-4500 0034 e405 4000 4006 1a0e c0a8 7103
-0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
-8010 8328 57d7 0000 0101 080a 0000 0004
-0039 dd6c
-
-# 192.168.113.3.1009 > 10.1.1.4.shell
-[in,bge0]
-4500 0028 e40a 4000 4006 1a15 c0a8 7103
-0a01 0104 03f1 0202 6523 90eb 915a a5cb
-5011 832c bcce 0000
-
-# 192.168.113.3.1008 > 10.1.1.4.1023
-[in,bge0]
-4500 0034 e40b 4000 4006 1a08 c0a8 7103
-0a01 0104 03f0 03ff 66e5 b811 91d4 c8a8
-8011 832c 57d2 0000 0101 080a 0000 0004
-0039 dd6c
-
-# 192.168.113.4.shell > 192.168.113.3.1009
-[out,bge0]
-4500 0028 0004 4000 4006 d773 c0a8 7104
-c0a8 7103 0202 03f1 915a a5cb 6523 90ec
-5010 05b4 139f 0000 0000 0000 0000
-
-# 192.168.113.4.1023 > 192.168.113.3.1008
-[out,bge0]
-4500 0034 118e 4000 4006 c5dd c0a8 7104
-c0a8 7103 03ff 03f0 91d4 c8a8 66e5 b812
-8010 05b4 aea0 0000 0101 080a 0039 dd6e
-0000 0004
-
diff --git a/contrib/ipfilter/test/input/ni21 b/contrib/ipfilter/test/input/ni21
deleted file mode 100644
index daf741e..0000000
--- a/contrib/ipfilter/test/input/ni21
+++ /dev/null
@@ -1,3 +0,0 @@
-out on lan0 2.2.2.2 3.3.3.3
-in on lan0 3.3.3.3 4.4.4.4
-out on lan0 2.2.2.2 3.3.3.3
diff --git a/contrib/ipfilter/test/input/ni23 b/contrib/ipfilter/test/input/ni23
deleted file mode 100644
index 938b7b8..0000000
--- a/contrib/ipfilter/test/input/ni23
+++ /dev/null
@@ -1,3 +0,0 @@
-in on le0 udp 3.3.3.1,6700 1.1.2.3,4500
-in on hme0 udp 2.2.2.2,4500 4.4.4.4,6700
-out on bge0 udp 2.2.2.2,4500 3.3.3.1,6700
diff --git a/contrib/ipfilter/test/input/ni3 b/contrib/ipfilter/test/input/ni3
deleted file mode 100644
index 66b22a6..0000000
--- a/contrib/ipfilter/test/input/ni3
+++ /dev/null
@@ -1,10 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 ac ab 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
diff --git a/contrib/ipfilter/test/input/ni4 b/contrib/ipfilter/test/input/ni4
deleted file mode 100644
index ad5575f..0000000
--- a/contrib/ipfilter/test/input/ni4
+++ /dev/null
@@ -1,10 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[out,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 02 02 02 02 04 04 04 04 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[in,df0] 45 00 00 38 80 9a 00 00 ff 01 29 19 03 03 03 03 06 06 06 06 03 03 60 6b 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[in,df0] 45 00 00 58 80 9a 00 00 ff 01 28 f9 03 03 03 03 06 06 06 06 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 06 06 06 06 04 04 04 04 9c 40 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 84 9a 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
diff --git a/contrib/ipfilter/test/input/ni5 b/contrib/ipfilter/test/input/ni5
deleted file mode 100644
index c45be54..0000000
--- a/contrib/ipfilter/test/input/ni5
+++ /dev/null
@@ -1,363 +0,0 @@
-# 32818,21 SYN
-[out,ppp0]
-4500 002c 10c9 4000 ff06 3289 c0a8 0103
-96cb e002 8032 0015 bd6b c9c8 0000 0000
-6002 2238 35f9 0000 0204 05b4
-
-# 21,32818 SYN+ACK
-[in,ppp0]
-4500 002c ffdd 4000 ef06 131e 96cb e002
-0101 0101 0015 8032 3786 76c4 bd6b c9c9
-6012 269c 4313 0000 0204 0584
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10ca 4000 ff06 328c c0a8 0103
-96cb e002 8032 0015 bd6b c9c9 3786 76c5
-5010 269c 9af6 0000
-
-# ACK+PUSH "[220-coombs.anu.edu.au NcFTPd Server (free educational license) ready.\r\n"
-[in,ppp0]
-4500 006f ffde 4000 ef06 12da 96cb e002
-0101 0101 0015 8032 3786 76c5 bd6b c9c9
-5018 269c 5628 0000 3232 302d 636f 6f6d
-6273 2e61 6e75 2e65 6475 2e61 7520 4e63
-4654 5064 2053 6572 7665 7220 2866 7265
-6520 6564 7563 6174 696f 6e61 6c20 6c69
-6365 6e73 6529 2072 6561 6479 2e0d 0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10cb 4000 ff06 328b c0a8 0103
-96cb e002 8032 0015 bd6b c9c9 3786 770c
-5010 269c 9aaf 0000
-
-# 21,32818 ACK+PUSH
-# "220-Maintained by RSSS and RSPAS IT Staff (previously known as Coombs Computing Unit)\r\n
-# "220-Any problems contact ftpmaster@coombs.anu.edu.au\r\n"
-# "220-\r\n220 \r\n"
-[in,ppp0]
-4500 00c7 ffdf 4000 ef06 1281 96cb e002
-0101 0101 0015 8032 3786 770c bd6b c9c9
-5018 269c d030 0000 3232 302d 0d0a 3232
-302d 4d61 696e 7461 696e 6564 2062 7920
-5253 5353 2061 6e64 2052 5350 4153 2049
-5420 5374 6166 6620 2870 7265 7669 6f75
-736c 7920 6b6e 6f77 6e20 6173 2043 6f6f
-6d62 7320 436f 6d70 7574 696e 6720 556e
-6974 290d 0a32 3230 2d41 6e79 2070 726f
-626c 656d 7320 636f 6e74 6163 7420 6674
-706d 6173 7465 7240 636f 6f6d 6273 2e61
-6e75 2e65 6475 2e61 750d 0a32 3230 2d0d
-0a32 3230 200d 0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10cc 4000 ff06 328a c0a8 0103
-96cb e002 8032 0015 bd6b c9c9 3786 77ab
-5010 269c 9a10 0000
-
-# 32818,21 ACK+PUSH "USER anonymous\r\n"
-[out,ppp0]
-4500 0038 10cd 4000 ff06 3279 c0a8 0103
-96cb e002 8032 0015 bd6b c9c9 3786 77ab
-5018 269c 121c 0000 5553 4552 2061 6e6f
-6e79 6d6f 7573 0d0a
-
-# 21,32818 ACK
-[in,ppp0]
-4500 0028 ffe0 4000 ef06 131f 96cb e002
-0101 0101 0015 8032 3786 77ab bd6b c9d9
-5010 269c 59aa 0000
-
-# 21,32818 ACK+PUSH "331 Guest login ok, send your complete e-mail address as password.\r\n"
-[in,ppp0]
-4500 006c ffe1 4000 ef06 12da 96cb e002
-0101 0101 0015 8032 3786 77ab bd6b c9d9
-5018 269c 6fb9 0000 3333 3120 4775 6573
-7420 6c6f 6769 6e20 6f6b 2c20 7365 6e64
-2079 6f75 7220 636f 6d70 6c65 7465 2065
-2d6d 6169 6c20 6164 6472 6573 7320 6173
-2070 6173 7377 6f72 642e 0d0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10ce 4000 ff06 3288 c0a8 0103
-96cb e002 8032 0015 bd6b c9d9 3786 77ef
-5010 269c 99bc 0000
-
-# 32818,21 ACK+PUSH "PASS avalon@\r\n"
-[out,ppp0]
-4500 0036 10cf 4000 ff06 3279 c0a8 0103
-96cb e002 8032 0015 bd6b c9d9 3786 77ef
-5018 269c 7795 0000 5041 5353 2061 7661
-6c6f 6e40 0d0a
-
-# 21,32818 ACK+PUSH
-# "230-You are user #4 of 50 simultaneous users allowed.\r\n"
-[in,ppp0]
-4500 005f ffe2 4000 ef06 12e6 96cb e002
-0101 0101 0015 8032 3786 77ef bd6b c9e7
-5018 269c 4908 0000 3233 302d 596f 7520
-6172 6520 7573 6572 2023 3420 6f66 2035
-3020 7369 6d75 6c74 616e 656f 7573 2075
-7365 7273 2061 6c6c 6f77 6564 2e0d 0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10d0 4000 ff06 3286 c0a8 0103
-96cb e002 8032 0015 bd6b c9e7 3786 7826
-5010 269c 9977 0000
-
-# 21,32818 ACK+PUSH
-# "230-\r\n230-\r\n"
-# "230-Hi. We're cleaning up. Any feedback most welcome. 10 Aug 00\r\n"
-# "230-\r\n230 Logged in anonymously.\r\n"
-[in,ppp0]
-4500 0099 ffe3 4000 ef06 12ab 96cb e002
-0101 0101 0015 8032 3786 7826 bd6b c9e7
-5018 269c 9343 0000 3233 302d 0d0a 3233
-302d 0d0a 3233 302d 4869 2e20 2057 6527
-7265 2063 6c65 616e 696e 6720 7570 2e20
-2041 6e79 2066 6565 6462 6163 6b20 6d6f
-7374 2077 656c 636f 6d65 2e20 3130 2041
-7567 2030 300d 0a32 3330 2d0d 0a32 3330
-204c 6f67 6765 6420 696e 2061 6e6f 6e79
-6d6f 7573 6c79 2e0d 0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10d1 4000 ff06 3285 c0a8 0103
-96cb e002 8032 0015 bd6b c9e7 3786 7897
-5010 269c 9906 0000
-
-# 32818,21 ACK "TYPE I\r\n"
-[out,ppp0]
-4500 0030 10d2 4000 ff06 327c c0a8 0103
-96cb e002 8032 0015 bd6b c9e7 3786 7897
-5018 269c c704 0000 5459 5045 2049 0d0a
-
-# 21,32818 "200 Type okay.\r\n"
-[in,ppp0]
-4500 0038 ffe4 4000 ef06 130b 96cb e002
-0101 0101 0015 8032 3786 7897 bd6b c9ef
-5018 269c 1f58 0000 3230 3020 5479 7065
-206f 6b61 792e 0d0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10d3 4000 ff06 3283 c0a8 0103
-96cb e002 8032 0015 bd6b c9ef 3786 78a7
-5010 269c 98ee 0000
-
-# 32818,21 ACK "PORT 192,158,1,3,128,51\r\n"
-[out,ppp0]
-4500 0041 10d4 4000 ff06 3269 c0a8 0103
-96cb e002 8032 0015 bd6b c9ef 3786 78a7
-5018 269c 1c4d 0000 504f 5254 2031 3932
-2c31 3638 2c31 2c33 2c31 3238 2c35 310d
-0a
-
-# 32818,21 ACK "200 PORT command successful.\r\n"
-[in,ppp0]
-4500 0046 ffe5 4000 ef06 12fc 96cb e002
-0101 0101 0015 8032 3786 78a7 bd6b ca08
-5018 269c 9b71 0000 3230 3020 504f 5254
-2063 6f6d 6d61 6e64 2073 7563 6365 7373
-6675 6c2e 0d0a
-
-# 32818,21 "TYPE A\r\n"
-[out,ppp0]
-4500 0030 10d5 4000 ff06 3279 c0a8 0103
-96cb e002 8032 0015 bd6b ca08 3786 78c5
-5018 269c c6bd 0000 5459 5045 2041 0d0a
-
-# 21,32818 "200 Type okay.\r\n"
-[in,ppp0]
-4500 0038 ffe6 4000 ef06 1309 96cb e002
-0101 0101 0015 8032 3786 78c5 bd6b ca10
-5018 269c 1f09 0000 3230 3020 5479 7065
-206f 6b61 792e 0d0a
-
-# 32818,21 "NLST\r\n"
-[out,ppp0]
-4500 002e 10d6 4000 ff06 327a c0a8 0103
-96cb e002 8032 0015 bd6b ca10 3786 78d5
-5018 269c e9e6 0000 4e4c 5354 0d0a
-
-# 20,32819 SYN
-[in,ppp0]
-4500 002c ffe7 4000 ef06 1314 96cb e002
-0101 0101 0014 8033 d9f8 11d4 0000 0000
-6002 2238 913a 0000 0204 0584
-
-# 32819,20 SYN+ACK
-[out,ppp0]
-4500 002c 10d7 4000 ff06 327b c0a8 0103
-96cb e002 8033 0014 bd78 5c12 d9f8 11d5
-6012 02f8 d734 0000 0204 0584
-
-# 20,32819 ACK
-[in,ppp0]
-4500 0028 ffe8 4000 ef06 1317 96cb e002
-0101 0101 0014 8033 d9f8 11d5 bd78 5c13
-5010 269c 8ac7 0000
-
-# 21,32819 ACK "150 Opening ASCII mode data connection for /bin/ls.\r\n"
-[in,ppp0]
-4500 005d ffe9 4000 ef06 12e1 96cb e002
-0101 0101 0015 8032 3786 78d5 bd6b ca16
-5018 269c ae7e 0000 3135 3020 4f70 656e
-696e 6720 4153 4349 4920 6d6f 6465 2064
-6174 6120 636f 6e6e 6563 7469 6f6e 2066
-6f72 202f 6269 6e2f 6c73 2e0d 0a
-
-# 32819,20 ACK
-[out,ppp0]
-4500 0028 10d8 4000 ff06 327e c0a8 0103
-96cb e002 8033 0014 bd78 5c13 d9f8 11d5
-5010 6348 8e71 0000
-
-# 32818,21 ACK+PUSH "PORT 192,158,1,3,128,52\r\n"
-[out,ppp0]
-4500 0041 10d9 4000 ff06 3264 c0a8 0103
-96cb e002 8032 0015 bd6b ca16 3786 78d5
-5018 269c 1af8 0000 504f 5254 2031 3932
-2c31 3638 2c31 2c33 2c31 3238 2c35 320d
-0a
-
-# 21,32818 ACK+PUSH "200 PORT command successful\r\n"
-[in,ppp0]
-4500 0046 ffea 4000 ef06 12f7 96cb e002
-0101 0101 0015 8032 3786 78d5 bd6b ca2f
-5018 269c 9b1c 0000 3230 3020 504f 5254
-2063 6f6d 6d61 6e64 2073 7563 6365 7373
-6675 6c2e 0d0a
-
-# 32818,21 ACK+PUSH "TYPE A\r\n"
-[out,ppp0]
-4500 0030 10da 4000 ff06 3274 c0a8 0103
-96cb e002 8032 0015 bd6b ca2f 3786 78f3
-5018 269c c668 0000 5459 5045 2041 0d0a
-
-# 21,32818 "200 Type okay.\r\n"
-[in,ppp0]
-4500 0038 ffeb 4000 ef06 1304 96cb e002
-0101 0101 0015 8032 3786 78f3 bd6b ca37
-5018 269c 1ea4 0000 3230 3020 5479 7065
-206f 6b61 793e 0d0a
-
-# 32818,21 ACK+PUSH "NLST\r\n"
-[out,ppp0]
-4500 002e 10db 4000 ff06 3275 c0a8 0103
-96cb e002 8032 0015 bd6b ca37 3786 7903
-5018 269c e991 0000 4e4c 5354 0d0a
-
-# 20,32820 2nd connection SYN
-[in,ppp0]
-4500 002c ffec 4000 ef06 130f 96cb e002
-0101 0101 0014 8034 d9f8 11d4 0000 0000
-6002 2238 9139 0000 0204 0584
-
-# 32820,20 SYN+ACK
-[out,ppp0]
-4500 002c 10d7 4000 ff06 327b c0a8 0103
-96cb e002 8034 0014 bd78 5c12 d9f8 11d5
-6012 02f8 d733 0000 0204 0584
-
-# 20,32820 ACK
-[in,ppp0]
-4500 0028 ffec 4000 ef06 1313 96cb e002
-0101 0101 0014 8034 d9f8 11d4 0000 0000
-5010 2238 a8b7 0000
-
-# 20,32819 ACK+PUSH
-[in,ppp0]
-4500 0063 ffed 4000 ef06 12d7 96cb e002
-0101 0101 0014 8033 d9f8 11d5 bd78 5c13
-5018 269c 62bf 0000 636f 6f6d 6273 7061
-7065 7273 0d0a 6465 7074 730d 0a66 6f75
-6e64 2d66 696c 6573 0d0a 696e 636f 6d69
-6e67 0d0a 6e6c 632d 7465 7374 0d0a 7075
-620d 0a
-
-# 32819,20 ACK
-[out,ppp0]
-4500 0028 10dc 4000 ff06 327a c0a8 0103
-96cb e002 8033 0014 bd78 5c13 d9f8 1210
-5010 6348 8e36 0000
-
-# 20,32819 FIN+ACK
-[in,ppp0]
-4500 0028 ffee 4000 ef06 1311 96cb e002
-0101 0101 0014 8033 d9f8 1210 bd78 5c13
-5011 269c 8a8b 0000
-
-# 32819,20 ACK
-[out,ppp0]
-4500 0028 10dd 4000 ff06 3279 c0a8 0103
-96cb e002 8033 0014 bd78 5c13 d9f8 1211
-5010 6348 8e35 0000
-
-# 32819,20 FIN+ACK
-[out,ppp0]
-4500 0028 10dd 4000 ff06 3279 c0a8 0103
-96cb e002 8033 0014 bd78 5c13 d9f8 1211
-5011 6348 8e34 0000
-
-# 20,32819 ACK
-[in,ppp0]
-4500 0028 ffef 4000 ef06 1310 96cb e002
-0101 0101 0014 8033 d9f8 1211 bd78 5c14
-5010 269c 8a8a 0000
-
-# 21,32818 220 "226 Listing completed.\r\n"
-[in,ppp0]
-4500 0040 fff0 4000 ef06 12f7 96cb e002
-0101 0101 0015 8032 3786 7903 bd6b ca37
-5018 269c 3c32 0000 3232 3620 4c69 7374
-696e 6720 636f 6d70 6c65 7465 642e 0d0a
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10e0 4000 ff06 3276 c0a8 0103
-96cb e002 8032 0015 bd6b ca37 3786 791b
-5010 269c 9832 0000
-
-# 32818,21 "QUIT\r\n"
-[out,ppp0]
-4500 002e 10e1 4000 ff06 326f c0a8 0103
-96cb e002 8032 0015 bd6b ca37 3786 791b
-5018 269c f070 0000 5155 4954 0d0a
-
-# 21,32818 "221 Goodbye."
-[in,ppp0]
-4500 0036 fff2 4000 ef06 12ff 96cb e002
-0101 0101 0015 8032 3786 791b bd6b ca3d
-5018 269c 68e8 0000 3232 3120 476f 6f64
-6279 652e 0d0a
-
-# 32818,21 ACK+FIN
-[out,ppp0]
-4500 0028 10e2 4000 ff06 3274 c0a8 0103
-96cb e002 8032 0015 bd6b ca3d 3786 7929
-5011 269c 981d 0000
-
-# 21,32818 ACK+FIN
-[in,ppp0]
-4500 0028 fff3 4000 ef06 130c 96cb e002
-0101 0101 0015 8032 3786 7929 bd6b ca3d
-5011 269c 57c7 0000
-
-# 32818,21 ACK
-[out,ppp0]
-4500 0028 10e3 4000 ff06 3273 c0a8 0103
-96cb e002 8032 0015 bd6b ca3d 3786 792a
-5010 269c 981d 0000
-
-# 21,32818 ACK
-[in,ppp0]
-4500 0028 fff4 4000 ef06 130b 96cb e002
-0101 0101 0015 8032 3786 792a bd6b ca3e
-5010 269c 57c6 0000
-
diff --git a/contrib/ipfilter/test/input/ni6 b/contrib/ipfilter/test/input/ni6
deleted file mode 100644
index 70e80c0..0000000
--- a/contrib/ipfilter/test/input/ni6
+++ /dev/null
@@ -1,54 +0,0 @@
-[in,nf0]
-4500 0054 cd8a 4000 ff11 20ba c0a8 0601
-c0a8 0602 8075 006f 0040 d36d 3e1d d249
-0000 0000 0000 0002 0001 86a0 0000 0002
-0000 0003 0000 0000 0000 0000 0000 0000
-0000 0000 0001 86a3 0000 0003 0000 0011
-0000 0000
-
-[out,qfe0]
-4500 0054 cd8a 4000 ff11 1fbb c0a8 0601
-c0a8 0701 8075 006f 0040 d26e 3e1d d249
-0000 0000 0000 0002 0001 86a0 0000 0002
-0000 0003 0000 0000 0000 0000 0000 0000
-0000 0000 0001 86a3 0000 0003 0000 0011
-0000 0000
-
-[in,qfe0]
-4500 0038 cd83 4000 ff11 1edd c0a8 0701
-c0a8 0702 006f 8075 0024 d704 3e1d d249
-0000 0001 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0801
-
-[out,nf0]
-4500 0038 cd83 4000 ff11 1fde c0a8 0701
-c0a8 0601 006f 8075 0024 d805 3e1d d249
-0000 0001 0000 0000 0000 0000 0000 0000
-0000 0000 0000 0801
-
-[in,nf0]
-4500 0044 d5a6 4000 ff11 18ae c0a8 0601
-c0a8 0602 80df 0801 0030 04f0 3e10 1fb1
-0000 0000 0000 0002 0001 86a3 0000 0002
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-[out,qfe0]
-4500 0044 d5a6 4000 ff11 17af c0a8 0601
-c0a8 0701 80df 0801 0030 03f1 3e10 1fb1
-0000 0000 0000 0002 0001 86a3 0000 0002
-0000 0000 0000 0000 0000 0000 0000 0000
-0000 0000
-
-[in,qfe0]
-4500 0034 0000 4000 fe11 ed64 c0a8 0701
-c0a8 0702 0801 80df 0020 89b7 3e10 1fb1
-0000 0001 0000 0000 0000 0000 0000 0000
-0000 0000
-
-[out,nf0]
-4500 0034 0000 4000 fe11 ee65 c0a8 0701
-c0a8 0601 0801 80df 0020 0000 3e10 1fb1
-0000 0001 0000 0000 0000 0000 0000 0000
-0000 0000
-
diff --git a/contrib/ipfilter/test/input/ni7 b/contrib/ipfilter/test/input/ni7
deleted file mode 100644
index 30f247d..0000000
--- a/contrib/ipfilter/test/input/ni7
+++ /dev/null
@@ -1,13 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP timeout exceeded in reply to a ICMP packet coming in.
-[in,df0]
-4500 0028 4706 4000 0111 26b4 0404 0404
-0202 0202 afc9 829e 0014 6b10 0402 0000
-3be5 468d 000a cfc3
-
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303
-0404 0404 0b00 0125 0000 0000 4500 0028
-4706 4000 0111 1eac 0404 0404 0606 0606
-afc9 829e 0014 c15e
-
diff --git a/contrib/ipfilter/test/input/ni8 b/contrib/ipfilter/test/input/ni8
deleted file mode 100644
index 788e603..0000000
--- a/contrib/ipfilter/test/input/ni8
+++ /dev/null
@@ -1,24 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0]
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
-0303 0735 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
-0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-[out,df0]
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
diff --git a/contrib/ipfilter/test/input/ni9 b/contrib/ipfilter/test/input/ni9
deleted file mode 100644
index 788e603..0000000
--- a/contrib/ipfilter/test/input/ni9
+++ /dev/null
@@ -1,24 +0,0 @@
-#v tos len id off ttl p sum src dst
-# ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet
-# going out)
-[in,df0] 45 00 00 3c 47 06 40 00 ff 06 20 aa 04 04 04 04 0a 02 02 02 50 00 05 00 00 00 00 01 00 00 00 00 a0 02 16 d0 cc 32 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00
-
-[out,df0]
-4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001
-
-# ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits)
-[out,df0]
-4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404
-0303 0735 0000 0000
-4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101
-5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000
-0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-
-[out,df0]
-4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505
-0303 0fa3 0000 0000
-4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001
-
diff --git a/contrib/ipfilter/test/input/p1 b/contrib/ipfilter/test/input/p1
deleted file mode 100644
index f6753fa..0000000
--- a/contrib/ipfilter/test/input/p1
+++ /dev/null
@@ -1,8 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-out 127.0.0.1 127.0.0.1
-out 1.1.1.1 1.2.1.1
-in 2.3.0.1 1.2.1.1
-in 2.2.2.1 1.2.1.1
-in 2.2.0.1 1.2.1.1
-out 4.4.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/p2 b/contrib/ipfilter/test/input/p2
deleted file mode 100644
index f6753fa..0000000
--- a/contrib/ipfilter/test/input/p2
+++ /dev/null
@@ -1,8 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-out 127.0.0.1 127.0.0.1
-out 1.1.1.1 1.2.1.1
-in 2.3.0.1 1.2.1.1
-in 2.2.2.1 1.2.1.1
-in 2.2.0.1 1.2.1.1
-out 4.4.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/p3 b/contrib/ipfilter/test/input/p3
deleted file mode 100644
index 4a6666b..0000000
--- a/contrib/ipfilter/test/input/p3
+++ /dev/null
@@ -1,12 +0,0 @@
-in 1.1.1.1 1.2.1.1
-in 1.2.1.1 1.1.1.1
-out 1.1.1.1 1.2.1.1
-out 1.2.1.1 1.1.1.1
-in 2.2.2.2 2.1.2.1
-out 2.1.2.1 2.2.2.2
-in 3.3.1.1 3.1.3.1
-out 3.1.3.1 3.3.1.1
-in 4.4.1.1 4.1.4.1
-out 4.1.4.1 4.4.1.1
-in 5.5.1.1 5.1.5.1
-out 5.1.5.1 5.5.1.1
diff --git a/contrib/ipfilter/test/input/p5 b/contrib/ipfilter/test/input/p5
deleted file mode 100644
index f6753fa..0000000
--- a/contrib/ipfilter/test/input/p5
+++ /dev/null
@@ -1,8 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-out 127.0.0.1 127.0.0.1
-out 1.1.1.1 1.2.1.1
-in 2.3.0.1 1.2.1.1
-in 2.2.2.1 1.2.1.1
-in 2.2.0.1 1.2.1.1
-out 4.4.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/intest b/contrib/ipfilter/test/intest
deleted file mode 100755
index e94ca08..0000000
--- a/contrib/ipfilter/test/intest
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-../ipnat -Rnvf regress/$1 2>/dev/null > results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/iptest b/contrib/ipfilter/test/iptest
deleted file mode 100644
index bb3ab5e..0000000
--- a/contrib/ipfilter/test/iptest
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-../ippool -f regress/$1 -nRv 2>/dev/null > results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/itest b/contrib/ipfilter/test/itest
deleted file mode 100644
index 8fefc63..0000000
--- a/contrib/ipfilter/test/itest
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-case $3 in
-ipf)
- ../ipf -Rnvf regress/$1 2>/dev/null > results/$1
- ;;
-ipftest)
- ../ipftest -D -r regress/$1 -i /dev/null > results/$1
- ;;
-esac
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
deleted file mode 100755
index 089f915..0000000
--- a/contrib/ipfilter/test/logtest
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/sh
-format=$2
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-
-case `uname -s` in
-OSF1)
- GMT=:
- ;;
-*)
- GMT=GMT
- ;;
-esac
-
-/bin/cp /dev/null results/$1
-/bin/cp /dev/null results/$1.b
-
-( while read rule; do
- echo $rule >> results/$1
- echo $rule | ../ipftest -br - -F $format -i input/$1 -l logout > /dev/null
- if [ $? -ne 0 ] ; then
- /bin/rm -f logout
- exit 1
- fi
- TZ=$GMT ../ipmon -P /dev/null -f logout >> results/$1
- echo "--------" >> results/$1
- TZ=$GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
- echo "--------" >> results/$1.b
-done ) < regress/$1
-../ipftest -br regress/$1 -F $format -i input/$1 -l logout > /dev/null
-TZ=$GMT ../ipmon -P /dev/null -f logout >> results/$1
-echo "--------" >> results/$1
-TZ=$GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
-echo "--------" >> results/$1.b
-
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-cmp expected/$1.b results/$1.b
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-/bin/rm -f logout
-$TOUCH $1
-exit 0
diff --git a/contrib/ipfilter/test/mhtest b/contrib/ipfilter/test/mhtest
deleted file mode 100755
index a4d48d6..0000000
--- a/contrib/ipfilter/test/mhtest
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-# multiple rules at the same time
-
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-
-/bin/cp /dev/null results/$1
-
-../ipftest -br regress/$1 -F hex -i input/$1 > results/$1
-if [ $? -ne 0 ] ; then
- exit 1
-fi
-echo "--------" >> results/$1
-
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-$TOUCH $1
-exit 0
diff --git a/contrib/ipfilter/test/mtest b/contrib/ipfilter/test/mtest
deleted file mode 100755
index 2a3ed38..0000000
--- a/contrib/ipfilter/test/mtest
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-format=$2
-mkdir -p results
-# multiple rules at the same time
-
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-
-/bin/cp /dev/null results/$1
-
-../ipftest -F $format -Rbr regress/$1 -i input/$1 > results/$1
-if [ $? -ne 0 ] ; then
- exit 1
-fi
-echo "--------" >> results/$1
-
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-cmp expected/$1 results/$1
-status=$?
-if [ $status -ne 0 ] ; then
- exit $status
-fi
-$TOUCH $1
-exit 0
diff --git a/contrib/ipfilter/test/natipftest b/contrib/ipfilter/test/natipftest
deleted file mode 100755
index 5776b42..0000000
--- a/contrib/ipfilter/test/natipftest
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-mode=$1
-name=$2
-input=$3
-output=$4
-shift
-if [ $output = hex ] ; then
- format="-xF $input"
-else
- format="-F $input"
-fi
-shift
-shift
-shift
-while [ $# -ge 1 ] ; do
- l=`echo $1 | cut -c1`
- if [ "$l" = "-" ] ; then
- format="$format $1"
- else
- format="-T $1 $format"
- fi
- shift
-done
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-
-case $mode in
-single)
- echo "$name...";
- /bin/cp /dev/null results/$name
- ( while read rule; do
- echo "$rule" | ../ipftest -R $format -b -r regress/$name.ipf -N - -i input/$name >> \
- results/$name;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "-------------------------------" >> results/$name
- done ) < regress/$name.nat
- cmp expected/$name results/$name
- status=$?
- if [ $status = 0 ] ; then
- $TOUCH $name
- fi
- ;;
-multi)
- echo "$name...";
- /bin/cp /dev/null results/$name
- ../ipftest -R $format -b -r regress/$name.ipf -N regress/$name.nat \
- -i input/$name >> results/$name;
- if [ $? -ne 0 ] ; then
- exit 2;
- fi
- echo "-------------------------------" >> results/$name
- cmp expected/$name results/$name
- status=$?
- if [ $status = 0 ] ; then
- $TOUCH $name
- fi
- ;;
-esac
-exit $status
diff --git a/contrib/ipfilter/test/nattest b/contrib/ipfilter/test/nattest
deleted file mode 100755
index fece276..0000000
--- a/contrib/ipfilter/test/nattest
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-if [ $3 = hex ] ; then
- format="-xF $2"
-else
- format="-F $2"
-fi
-if [ "$4" != "" ] ; then
- case $4 in
- -*)
- format="$4 $format"
- ;;
- *)
- format="-T $4 $format"
- ;;
- esac
-fi
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-( while read rule; do
- echo "$rule" | ../ipftest $format -RbN - -i input/$1 >> results/$1;
- if [ $? -ne 0 ] ; then
- exit 1;
- fi
- echo "-------------------------------" >> results/$1
-done ) < regress/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/ptest b/contrib/ipfilter/test/ptest
deleted file mode 100644
index 7deccd3..0000000
--- a/contrib/ipfilter/test/ptest
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-mkdir -p results
-if [ -f /usr/ucb/touch ] ; then
- TOUCH=/usr/ucb/touch
-else
- if [ -f /usr/bin/touch ] ; then
- TOUCH=/usr/bin/touch
- else
- if [ -f /bin/touch ] ; then
- TOUCH=/bin/touch
- fi
- fi
-fi
-echo "$1...";
-/bin/cp /dev/null results/$1
-if [ -f regress/$1.pool ] ; then
- ../ipftest -RD -b -P regress/$1.pool -r regress/$1.ipf -i input/$1 >> \
- results/$1
-else
- ../ipftest -RD -b -r regress/$1.ipf -i input/$1 >> results/$1
-fi
-if [ $? -ne 0 ] ; then
- exit 1;
-fi
-echo "-------------------------------" >> results/$1
-cmp expected/$1 results/$1
-status=$?
-if [ $status = 0 ] ; then
- $TOUCH $1
-fi
-exit $status
diff --git a/contrib/ipfilter/test/regress/1 b/contrib/ipfilter/test/regress/1
deleted file mode 100644
index 6a2ede9..0000000
--- a/contrib/ipfilter/test/regress/1
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-pass in all
-block out all
-pass out all
diff --git a/contrib/ipfilter/test/regress/10 b/contrib/ipfilter/test/regress/10
deleted file mode 100644
index 3552983..0000000
--- a/contrib/ipfilter/test/regress/10
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with not ipopts
-pass in from any to any with not opt sec-class topsecret
-block in from any to any with not opt ssrr,sec-class topsecret
-pass in from any to any with not opt ssrr,sec-class topsecret
-block in from any to any with not opt ts,sec-class topsecret
-pass in from any to any with not opt ts,sec-class topsecret
-block in from any to any with not opt sec-class secret
-pass in from any to any with not opt sec-class secret
-block in from any to any with not opt lsrr,ssrr
-pass in from any to any with not opt lsrr,ssrr
-pass in from any to any with not ipopts
-block in from any to any with not opt lsrr
-pass in from any to any with not opt lsrr
-block in from any to any with not opt ssrr,ts
-pass in from any to any with not opt ssrr,ts
-block in from any to any with not opt rr
-pass in from any to any with not opt rr
-block in from any to any with not opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/11 b/contrib/ipfilter/test/regress/11
deleted file mode 100644
index 0bf0a2a..0000000
--- a/contrib/ipfilter/test/regress/11
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any to any port = 23 flags S/SA keep state
-block in proto tcp from any to any port = 23 flags S/SA keep state
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto udp from any to any port = 53 keep state
-block in proto udp from any to any port = 53 keep state
diff --git a/contrib/ipfilter/test/regress/12 b/contrib/ipfilter/test/regress/12
deleted file mode 100644
index c29f839..0000000
--- a/contrib/ipfilter/test/regress/12
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any port > 1024 to any port = 25 with not short
-pass in proto tcp from any port > 1024 to any port = 25
-block in proto tcp from any to any with short
-block in proto tcp from any to any with frag
-pass in proto udp from any port = 53 to any port = 53
-block in proto udp from any port = 53 to any port = 53 with not short
diff --git a/contrib/ipfilter/test/regress/13 b/contrib/ipfilter/test/regress/13
deleted file mode 100644
index f123e47..0000000
--- a/contrib/ipfilter/test/regress/13
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any to any port = 25 flags S/SA keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep frags
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
diff --git a/contrib/ipfilter/test/regress/14 b/contrib/ipfilter/test/regress/14
deleted file mode 100644
index aa54af8..0000000
--- a/contrib/ipfilter/test/regress/14
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from !1.1.1.1 to any
-pass in from 1.1.1.1 to !any
-block in from 1.1.1.1/24 to !any
-pass in from !1.1.1.1/24 to any
-block in from !1.1.1.1/16 to any
-pass in from 1.1.1.1/16 to !any
-block in from 1.1.1.1/0 to !any
-pass in from !1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/2 b/contrib/ipfilter/test/regress/2
deleted file mode 100644
index e2f02a4..0000000
--- a/contrib/ipfilter/test/regress/2
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any
-pass in proto tcp from any to any
-block in proto udp from any to any
-pass in proto udp from any to any
-block in proto icmp from any to any
-pass in proto icmp from any to any
diff --git a/contrib/ipfilter/test/regress/3 b/contrib/ipfilter/test/regress/3
deleted file mode 100644
index ee80729..0000000
--- a/contrib/ipfilter/test/regress/3
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from 1.1.1.1 to any
-pass in from 1.1.1.1 to any
-block in from 1.1.1.1/24 to any
-pass in from 1.1.1.1/24 to any
-block in from 1.1.1.1/16 to any
-pass in from 1.1.1.1/16 to any
-block in from 1.1.1.1/0 to any
-pass in from 1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/4 b/contrib/ipfilter/test/regress/4
deleted file mode 100644
index bc8af2f..0000000
--- a/contrib/ipfilter/test/regress/4
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from any to 1.1.1.1
-pass in from any to 1.1.1.1
-block in from any to 1.1.1.1/24
-pass in from any to 1.1.1.1/24
-block in from any to 1.1.1.1/16
-pass in from any to 1.1.1.1/16
-block in from any to 1.1.1.1/0
-pass in from any to 1.1.1.1/0
diff --git a/contrib/ipfilter/test/regress/5 b/contrib/ipfilter/test/regress/5
deleted file mode 100644
index 998eabd..0000000
--- a/contrib/ipfilter/test/regress/5
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any port = 23 to any
-block in proto udp from any port = 23 to any
-block in proto tcp/udp from any port = 23 to any
-pass in proto tcp from any port <= 1023 to any
-pass in proto udp from any port <= 1023 to any
-pass in proto tcp/udp from any port <= 1023 to any
-block in proto tcp from any port >= 1024 to any
-block in proto udp from any port >= 1024 to any
-block in proto tcp/udp from any port >= 1024 to any
-pass in proto tcp from any port >= 1024 to any
-pass in proto udp from any port >= 1024 to any
-pass in proto tcp/udp from any port >= 1024 to any
-block in proto tcp from any port 0 >< 512 to any
-block in proto udp from any port 0 >< 512 to any
-block in proto tcp/udp from any port 0 >< 512 to any
-pass in proto tcp from any port 0 >< 512 to any
-pass in proto udp from any port 0 >< 512 to any
-pass in proto tcp/udp from any port 0 >< 512 to any
-block in proto tcp from any port 6000 <> 6009 to any
-block in proto udp from any port 6000 <> 6009 to any
-block in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port 6000 <> 6009 to any
-pass in proto udp from any port 6000 <> 6009 to any
-pass in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port = 23 to any
-pass in proto udp from any port = 23 to any
-pass in proto tcp/udp from any port = 23 to any
-block in proto tcp from any port != 21 to any
-block in proto udp from any port != 21 to any
-block in proto tcp/udp from any port != 21 to any
-pass in proto tcp from any port != 21 to any
-pass in proto udp from any port != 21 to any
-pass in proto tcp/udp from any port != 21 to any
-block in proto tcp from any port < 1024 to any
-block in proto udp from any port < 1024 to any
-block in proto tcp/udp from any port < 1024 to any
-pass in proto tcp from any port < 1024 to any
-pass in proto udp from any port < 1024 to any
-pass in proto tcp/udp from any port < 1024 to any
-block in proto tcp from any port > 1023 to any
-block in proto udp from any port > 1023 to any
-block in proto tcp/udp from any port > 1023 to any
-pass in proto tcp from any port > 1023 to any
-pass in proto udp from any port > 1023 to any
-pass in proto tcp/udp from any port > 1023 to any
-block in proto tcp from any port <= 1023 to any
-block in proto udp from any port <= 1023 to any
-block in proto tcp/udp from any port <= 1023 to any
diff --git a/contrib/ipfilter/test/regress/6 b/contrib/ipfilter/test/regress/6
deleted file mode 100644
index 291f09ad..0000000
--- a/contrib/ipfilter/test/regress/6
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any to any port = 23
-block in proto udp from any to any port = 23
-block in proto tcp/udp from any to any port = 23
-pass in proto tcp from any to any port <= 1023
-pass in proto udp from any to any port <= 1023
-pass in proto tcp/udp from any to any port <= 1023
-block in proto tcp from any to any port >= 1024
-block in proto udp from any to any port >= 1024
-block in proto tcp/udp from any to any port >= 1024
-pass in proto tcp from any to any port >= 1024
-pass in proto udp from any to any port >= 1024
-pass in proto tcp/udp from any to any port >= 1024
-block in proto tcp from any to any port 0 >< 512
-block in proto udp from any to any port 0 >< 512
-block in proto tcp/udp from any to any port 0 >< 512
-pass in proto tcp from any to any port 0 >< 512
-pass in proto udp from any to any port 0 >< 512
-pass in proto tcp/udp from any to any port 0 >< 512
-block in proto tcp from any to any port 6000 <> 6009
-block in proto udp from any to any port 6000 <> 6009
-block in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port 6000 <> 6009
-pass in proto udp from any to any port 6000 <> 6009
-pass in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port = 23
-pass in proto udp from any to any port = 23
-pass in proto tcp/udp from any to any port = 23
-block in proto tcp from any to any port != 21
-block in proto udp from any to any port != 21
-block in proto tcp/udp from any to any port != 21
-pass in proto tcp from any to any port != 21
-pass in proto udp from any to any port != 21
-pass in proto tcp/udp from any to any port != 21
-block in proto tcp from any to any port < 1024
-block in proto udp from any to any port < 1024
-block in proto tcp/udp from any to any port < 1024
-pass in proto tcp from any to any port < 1024
-pass in proto udp from any to any port < 1024
-pass in proto tcp/udp from any to any port < 1024
-block in proto tcp from any to any port > 1023
-block in proto udp from any to any port > 1023
-block in proto tcp/udp from any to any port > 1023
-pass in proto tcp from any to any port > 1023
-pass in proto udp from any to any port > 1023
-pass in proto tcp/udp from any to any port > 1023
-block in proto tcp from any to any port <= 1023
-block in proto udp from any to any port <= 1023
-block in proto tcp/udp from any to any port <= 1023
diff --git a/contrib/ipfilter/test/regress/7 b/contrib/ipfilter/test/regress/7
deleted file mode 100644
index 6848a68..0000000
--- a/contrib/ipfilter/test/regress/7
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto icmp from any to any icmp-type echo
-pass in proto icmp from any to any icmp-type echo
-block in proto icmp from any to any icmp-type unreach code 3
-pass in proto icmp from any to any icmp-type unreach code 3
-block in proto icmp from any to any icmp-type echorep
-pass in proto icmp from any to any icmp-type echorep
diff --git a/contrib/ipfilter/test/regress/8 b/contrib/ipfilter/test/regress/8
deleted file mode 100644
index 0f28fd2..0000000
--- a/contrib/ipfilter/test/regress/8
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any flags S
-pass in proto tcp from any to any flags S
-block in proto tcp from any to any flags S/SA
-pass in proto tcp from any to any flags S/SA
-block in proto tcp from any to any flags S/APU
-pass in proto tcp from any to any flags S/APU
diff --git a/contrib/ipfilter/test/regress/9 b/contrib/ipfilter/test/regress/9
deleted file mode 100644
index 17bc967..0000000
--- a/contrib/ipfilter/test/regress/9
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with ipopts
-pass in from any to any with opt sec-class topsecret
-block in from any to any with opt ssrr,sec-class topsecret
-pass in from any to any with opt ssrr,sec-class topsecret
-block in from any to any with opt ts,sec-class topsecret
-pass in from any to any with opt ts,sec-class topsecret
-block in from any to any with opt sec-class secret
-pass in from any to any with opt sec-class secret
-block in from any to any with opt lsrr,ssrr
-pass in from any to any with opt lsrr,ssrr
-pass in from any to any with ipopts
-block in from any to any with opt lsrr
-pass in from any to any with opt lsrr
-block in from any to any with opt ssrr,ts
-pass in from any to any with opt ssrr,ts
-block in from any to any with opt rr
-pass in from any to any with opt rr
-block in from any to any with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/bpf-f1 b/contrib/ipfilter/test/regress/bpf-f1
deleted file mode 100644
index 2c80283..0000000
--- a/contrib/ipfilter/test/regress/bpf-f1
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in bpf-v4 { "0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass in bpf-v4 { "0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
diff --git a/contrib/ipfilter/test/regress/bpf1 b/contrib/ipfilter/test/regress/bpf1
deleted file mode 100644
index 5d83b77..0000000
--- a/contrib/ipfilter/test/regress/bpf1
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in bpf-v4 { "0x20 0 0 0xc 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "src host 1.1.1.1" }
-pass in bpf-v4 { "0x20 0 0 0x10 0x15 0 0x1 0x1010101 0x6 0 0 0x60 0x6 0 0 0" }
-pass out bpf-v4 { "dst host 1.1.1.1" }
diff --git a/contrib/ipfilter/test/regress/f1 b/contrib/ipfilter/test/regress/f1
deleted file mode 100644
index 6a2ede9..0000000
--- a/contrib/ipfilter/test/regress/f1
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-pass in all
-block out all
-pass out all
diff --git a/contrib/ipfilter/test/regress/f10 b/contrib/ipfilter/test/regress/f10
deleted file mode 100644
index 3552983..0000000
--- a/contrib/ipfilter/test/regress/f10
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with not ipopts
-pass in from any to any with not opt sec-class topsecret
-block in from any to any with not opt ssrr,sec-class topsecret
-pass in from any to any with not opt ssrr,sec-class topsecret
-block in from any to any with not opt ts,sec-class topsecret
-pass in from any to any with not opt ts,sec-class topsecret
-block in from any to any with not opt sec-class secret
-pass in from any to any with not opt sec-class secret
-block in from any to any with not opt lsrr,ssrr
-pass in from any to any with not opt lsrr,ssrr
-pass in from any to any with not ipopts
-block in from any to any with not opt lsrr
-pass in from any to any with not opt lsrr
-block in from any to any with not opt ssrr,ts
-pass in from any to any with not opt ssrr,ts
-block in from any to any with not opt rr
-pass in from any to any with not opt rr
-block in from any to any with not opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
deleted file mode 100644
index a71e528..0000000
--- a/contrib/ipfilter/test/regress/f11
+++ /dev/null
@@ -1,7 +0,0 @@
-pass in proto tcp from any to any port = 23 flags S/SA keep state
-block in proto tcp from any to any port = 23 flags S/SA keep state
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto udp from any to any port = 53 keep state
-block in proto udp from any to any port = 53 keep state
-pass in on e0 proto tcp from any to any port = 25 keep state
diff --git a/contrib/ipfilter/test/regress/f12 b/contrib/ipfilter/test/regress/f12
deleted file mode 100644
index c29f839..0000000
--- a/contrib/ipfilter/test/regress/f12
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any port > 1024 to any port = 25 with not short
-pass in proto tcp from any port > 1024 to any port = 25
-block in proto tcp from any to any with short
-block in proto tcp from any to any with frag
-pass in proto udp from any port = 53 to any port = 53
-block in proto udp from any port = 53 to any port = 53 with not short
diff --git a/contrib/ipfilter/test/regress/f13 b/contrib/ipfilter/test/regress/f13
deleted file mode 100644
index 8106419..0000000
--- a/contrib/ipfilter/test/regress/f13
+++ /dev/null
@@ -1,8 +0,0 @@
-pass in proto tcp from any to any port = 25 flags S/SA keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep frags
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
-pass in proto udp from any to any port = 53 keep frags(strict)
-pass in proto tcp from any to any port = 25 keep state(strict)
diff --git a/contrib/ipfilter/test/regress/f14 b/contrib/ipfilter/test/regress/f14
deleted file mode 100644
index 06ab519..0000000
--- a/contrib/ipfilter/test/regress/f14
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from !1.1.1.1 to any
-pass in from 1.1.1.1 to !any
-block in from 1.1.1.0/24 to !any
-pass in from !1.1.1.0/24 to any
-block in from !1.1.0.0/16 to any
-pass in from 1.1.0.0/16 to !1.2.0.0/16
-block in from any to !127.0.0.0/8
-pass in from !any to any
diff --git a/contrib/ipfilter/test/regress/f15 b/contrib/ipfilter/test/regress/f15
deleted file mode 100644
index 16185e1..0000000
--- a/contrib/ipfilter/test/regress/f15
+++ /dev/null
@@ -1,8 +0,0 @@
-block in log quick on hme0 from any to 195.134.65.0/25 head 10
-block return-rst in log quick proto tcp all flags S head 100 group 10
-pass in quick proto tcp from any to any port = 22 keep state group 100
-pass in quick proto tcp from any to any port = 23 keep state group 100
-pass in quick proto tcp from any to any port = 21 keep state group 100
-block return-icmp in quick proto udp all keep state head 110 group 10
-pass in quick proto udp from any to any port = 53 keep state group 110
-block in log quick on hme0 from any to any
diff --git a/contrib/ipfilter/test/regress/f16 b/contrib/ipfilter/test/regress/f16
deleted file mode 100644
index 920ad8c..0000000
--- a/contrib/ipfilter/test/regress/f16
+++ /dev/null
@@ -1,10 +0,0 @@
-pass in all
-skip 2 in proto tcp all
-block in quick proto tcp all
-skip 4 in proto udp all
-block in quick proto udp all
-pass in quick proto tcp from any to 1.1.1.1
-pass in quick proto tcp from any to 1.1.1.2 port = 22
-block in quick proto udp from any to any port = 53
-pass in quick proto udp from any to any port = 53
-block in all
diff --git a/contrib/ipfilter/test/regress/f17 b/contrib/ipfilter/test/regress/f17
deleted file mode 100644
index 9a75ae3..0000000
--- a/contrib/ipfilter/test/regress/f17
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass out quick on ppp0 proto tcp all flags S keep state
-block return-rst in quick proto tcp all
diff --git a/contrib/ipfilter/test/regress/f18 b/contrib/ipfilter/test/regress/f18
deleted file mode 100644
index acba2b3..0000000
--- a/contrib/ipfilter/test/regress/f18
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in from 1.1.1.1 to any
-pass out from 2.2.2.2 to any
-count in from 1.1.1.1 to 3.3.3.3
-count out from 2.2.2.2 to 4.4.4.4
diff --git a/contrib/ipfilter/test/regress/f19 b/contrib/ipfilter/test/regress/f19
deleted file mode 100644
index d7770b8..0000000
--- a/contrib/ipfilter/test/regress/f19
+++ /dev/null
@@ -1,2 +0,0 @@
-pass in quick proto tcp all flags S keep state
-pass in quick proto tcp all flags S keep state(limit 1)
diff --git a/contrib/ipfilter/test/regress/f2 b/contrib/ipfilter/test/regress/f2
deleted file mode 100644
index e2f02a4..0000000
--- a/contrib/ipfilter/test/regress/f2
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any
-pass in proto tcp from any to any
-block in proto udp from any to any
-pass in proto udp from any to any
-block in proto icmp from any to any
-pass in proto icmp from any to any
diff --git a/contrib/ipfilter/test/regress/f20 b/contrib/ipfilter/test/regress/f20
deleted file mode 100644
index 279523e..0000000
--- a/contrib/ipfilter/test/regress/f20
+++ /dev/null
@@ -1,4 +0,0 @@
-block out quick on de0 head 100
-skip 1 out group 100
-block out quick group 100
-pass out quick group 100
diff --git a/contrib/ipfilter/test/regress/f24 b/contrib/ipfilter/test/regress/f24
deleted file mode 100644
index 5cb3bab..0000000
--- a/contrib/ipfilter/test/regress/f24
+++ /dev/null
@@ -1 +0,0 @@
-pass out quick proto udp all keep state keep frags
diff --git a/contrib/ipfilter/test/regress/f3 b/contrib/ipfilter/test/regress/f3
deleted file mode 100644
index ee80729..0000000
--- a/contrib/ipfilter/test/regress/f3
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from 1.1.1.1 to any
-pass in from 1.1.1.1 to any
-block in from 1.1.1.1/24 to any
-pass in from 1.1.1.1/24 to any
-block in from 1.1.1.1/16 to any
-pass in from 1.1.1.1/16 to any
-block in from 1.1.1.1/0 to any
-pass in from 1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/f4 b/contrib/ipfilter/test/regress/f4
deleted file mode 100644
index bc8af2f..0000000
--- a/contrib/ipfilter/test/regress/f4
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from any to 1.1.1.1
-pass in from any to 1.1.1.1
-block in from any to 1.1.1.1/24
-pass in from any to 1.1.1.1/24
-block in from any to 1.1.1.1/16
-pass in from any to 1.1.1.1/16
-block in from any to 1.1.1.1/0
-pass in from any to 1.1.1.1/0
diff --git a/contrib/ipfilter/test/regress/f5 b/contrib/ipfilter/test/regress/f5
deleted file mode 100644
index 998eabd..0000000
--- a/contrib/ipfilter/test/regress/f5
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any port = 23 to any
-block in proto udp from any port = 23 to any
-block in proto tcp/udp from any port = 23 to any
-pass in proto tcp from any port <= 1023 to any
-pass in proto udp from any port <= 1023 to any
-pass in proto tcp/udp from any port <= 1023 to any
-block in proto tcp from any port >= 1024 to any
-block in proto udp from any port >= 1024 to any
-block in proto tcp/udp from any port >= 1024 to any
-pass in proto tcp from any port >= 1024 to any
-pass in proto udp from any port >= 1024 to any
-pass in proto tcp/udp from any port >= 1024 to any
-block in proto tcp from any port 0 >< 512 to any
-block in proto udp from any port 0 >< 512 to any
-block in proto tcp/udp from any port 0 >< 512 to any
-pass in proto tcp from any port 0 >< 512 to any
-pass in proto udp from any port 0 >< 512 to any
-pass in proto tcp/udp from any port 0 >< 512 to any
-block in proto tcp from any port 6000 <> 6009 to any
-block in proto udp from any port 6000 <> 6009 to any
-block in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port 6000 <> 6009 to any
-pass in proto udp from any port 6000 <> 6009 to any
-pass in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port = 23 to any
-pass in proto udp from any port = 23 to any
-pass in proto tcp/udp from any port = 23 to any
-block in proto tcp from any port != 21 to any
-block in proto udp from any port != 21 to any
-block in proto tcp/udp from any port != 21 to any
-pass in proto tcp from any port != 21 to any
-pass in proto udp from any port != 21 to any
-pass in proto tcp/udp from any port != 21 to any
-block in proto tcp from any port < 1024 to any
-block in proto udp from any port < 1024 to any
-block in proto tcp/udp from any port < 1024 to any
-pass in proto tcp from any port < 1024 to any
-pass in proto udp from any port < 1024 to any
-pass in proto tcp/udp from any port < 1024 to any
-block in proto tcp from any port > 1023 to any
-block in proto udp from any port > 1023 to any
-block in proto tcp/udp from any port > 1023 to any
-pass in proto tcp from any port > 1023 to any
-pass in proto udp from any port > 1023 to any
-pass in proto tcp/udp from any port > 1023 to any
-block in proto tcp from any port <= 1023 to any
-block in proto udp from any port <= 1023 to any
-block in proto tcp/udp from any port <= 1023 to any
diff --git a/contrib/ipfilter/test/regress/f6 b/contrib/ipfilter/test/regress/f6
deleted file mode 100644
index 291f09ad..0000000
--- a/contrib/ipfilter/test/regress/f6
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any to any port = 23
-block in proto udp from any to any port = 23
-block in proto tcp/udp from any to any port = 23
-pass in proto tcp from any to any port <= 1023
-pass in proto udp from any to any port <= 1023
-pass in proto tcp/udp from any to any port <= 1023
-block in proto tcp from any to any port >= 1024
-block in proto udp from any to any port >= 1024
-block in proto tcp/udp from any to any port >= 1024
-pass in proto tcp from any to any port >= 1024
-pass in proto udp from any to any port >= 1024
-pass in proto tcp/udp from any to any port >= 1024
-block in proto tcp from any to any port 0 >< 512
-block in proto udp from any to any port 0 >< 512
-block in proto tcp/udp from any to any port 0 >< 512
-pass in proto tcp from any to any port 0 >< 512
-pass in proto udp from any to any port 0 >< 512
-pass in proto tcp/udp from any to any port 0 >< 512
-block in proto tcp from any to any port 6000 <> 6009
-block in proto udp from any to any port 6000 <> 6009
-block in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port 6000 <> 6009
-pass in proto udp from any to any port 6000 <> 6009
-pass in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port = 23
-pass in proto udp from any to any port = 23
-pass in proto tcp/udp from any to any port = 23
-block in proto tcp from any to any port != 21
-block in proto udp from any to any port != 21
-block in proto tcp/udp from any to any port != 21
-pass in proto tcp from any to any port != 21
-pass in proto udp from any to any port != 21
-pass in proto tcp/udp from any to any port != 21
-block in proto tcp from any to any port < 1024
-block in proto udp from any to any port < 1024
-block in proto tcp/udp from any to any port < 1024
-pass in proto tcp from any to any port < 1024
-pass in proto udp from any to any port < 1024
-pass in proto tcp/udp from any to any port < 1024
-block in proto tcp from any to any port > 1023
-block in proto udp from any to any port > 1023
-block in proto tcp/udp from any to any port > 1023
-pass in proto tcp from any to any port > 1023
-pass in proto udp from any to any port > 1023
-pass in proto tcp/udp from any to any port > 1023
-block in proto tcp from any to any port <= 1023
-block in proto udp from any to any port <= 1023
-block in proto tcp/udp from any to any port <= 1023
diff --git a/contrib/ipfilter/test/regress/f7 b/contrib/ipfilter/test/regress/f7
deleted file mode 100644
index be1b969..0000000
--- a/contrib/ipfilter/test/regress/f7
+++ /dev/null
@@ -1,9 +0,0 @@
-block in proto icmp from any to any icmp-type echo
-pass in proto icmp from any to any icmp-type echo
-block in proto icmp from any to any icmp-type unreach code 3
-pass in proto icmp from any to any icmp-type unreach code 3
-block in proto icmp from any to any icmp-type echorep
-pass in proto icmp from any to any icmp-type echorep
-pass in proto icmp all icmp-type maskreq keep state
-pass in proto icmp all icmp-type timest keep state
-pass in proto icmp all icmp-type inforeq keep state
diff --git a/contrib/ipfilter/test/regress/f8 b/contrib/ipfilter/test/regress/f8
deleted file mode 100644
index 0f28fd2..0000000
--- a/contrib/ipfilter/test/regress/f8
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any flags S
-pass in proto tcp from any to any flags S
-block in proto tcp from any to any flags S/SA
-pass in proto tcp from any to any flags S/SA
-block in proto tcp from any to any flags S/APU
-pass in proto tcp from any to any flags S/APU
diff --git a/contrib/ipfilter/test/regress/f9 b/contrib/ipfilter/test/regress/f9
deleted file mode 100644
index 17bc967..0000000
--- a/contrib/ipfilter/test/regress/f9
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with ipopts
-pass in from any to any with opt sec-class topsecret
-block in from any to any with opt ssrr,sec-class topsecret
-pass in from any to any with opt ssrr,sec-class topsecret
-block in from any to any with opt ts,sec-class topsecret
-pass in from any to any with opt ts,sec-class topsecret
-block in from any to any with opt sec-class secret
-pass in from any to any with opt sec-class secret
-block in from any to any with opt lsrr,ssrr
-pass in from any to any with opt lsrr,ssrr
-pass in from any to any with ipopts
-block in from any to any with opt lsrr
-pass in from any to any with opt lsrr
-block in from any to any with opt ssrr,ts
-pass in from any to any with opt ssrr,ts
-block in from any to any with opt rr
-pass in from any to any with opt rr
-block in from any to any with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/i1 b/contrib/ipfilter/test/regress/i1
deleted file mode 100644
index 0fd2c6e..0000000
--- a/contrib/ipfilter/test/regress/i1
+++ /dev/null
@@ -1,18 +0,0 @@
-pass in all
-block out \
-all
-log in all
-log body in all
-count in from any to any
-pass in from !any to any pps 10
-block in from any to !any
-pass in on ed0 from localhost to localhost
-pass in on ed0,vx0 from localhost to localhost
-block in log first on lo0 from any to any
-pass in log body or-block quick from any to any
-block return-rst in quick on le0 proto tcp from any to any
-block return-icmp in on qe0 from any to any
-block return-icmp(1) in on qe0 from any to any
-block return-icmp-as-dest in on le0 from any to any
-block return-icmp-as-dest(port-unr) in on qe0 from any to any
-pass out on longNICname0 from test.host.dots to test\.host.dots
diff --git a/contrib/ipfilter/test/regress/i10 b/contrib/ipfilter/test/regress/i10
deleted file mode 100644
index 640ac84..0000000
--- a/contrib/ipfilter/test/regress/i10
+++ /dev/null
@@ -1,5 +0,0 @@
-pass in from localhost to localhost with opt sec
-pass in from localhost to localhost with opt lsrr not opt sec
-block in from any to any with not opt sec-class topsecret
-block in from any to any with not opt sec-class topsecret,secret
-pass in from any to any with opt sec-class topsecret,confid not opt sec-class unclass
diff --git a/contrib/ipfilter/test/regress/i11 b/contrib/ipfilter/test/regress/i11
deleted file mode 100644
index cb7d683..0000000
--- a/contrib/ipfilter/test/regress/i11
+++ /dev/null
@@ -1,11 +0,0 @@
-pass in on ed0 proto tcp from localhost to localhost port = telnet keep state
-block in log first on lo0 proto tcp/udp from any to any port = echo keep state
-pass in proto udp from localhost to localhost port = 20499 keep frag
-pass in proto udp from localhost to localhost port = 2049 keep frag(strict)
-pass in proto udp from localhost to localhost port = 53 keep state keep frags
-pass in on ed0 out-via vx0 proto udp from any to any keep state
-pass out on ppp0 in-via le0 proto tcp from any to any keep state
-pass in on ed0,vx0 out-via vx0,ed0 proto udp from any to any keep state
-pass in proto tcp from any port gt 1024 to localhost port eq 1024 keep state
-pass in proto tcp all flags S keep state(strict,newisn,no-icmp-err,limit 101,age 600)
-pass in proto udp all keep state(age 10/20,sync)
diff --git a/contrib/ipfilter/test/regress/i12 b/contrib/ipfilter/test/regress/i12
deleted file mode 100644
index 5342702..0000000
--- a/contrib/ipfilter/test/regress/i12
+++ /dev/null
@@ -1,10 +0,0 @@
-pass in from 1.1.1.1/32 to 2.2.2.2/32
-pass in from (2.2.2.2/24,3.3.3.3/32) to 4.4.4.4/32
-pass in from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32)
-pass in from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32) port = (22,25)
-pass in proto tcp from (2.2.2.2/24,3.3.3.3/32) port = (53,9) to (5.5.5.5/32,6.6.6.6/32)
-pass in proto udp from (2.2.2.2/24,3.3.3.3/32) to (5.5.5.5/32,6.6.6.6/32) port = (53,9)
-pass in from 10.10.10.10 to 11.11.11.11
-pass in from pool/101 to hash/202
-pass in from hash/303 to pool/404
-pass in from pool=(!1.1.1.1,2.2.2.2,!2.2.0.0/16) to pool = ( 1.1.0.0/16 )
diff --git a/contrib/ipfilter/test/regress/i13 b/contrib/ipfilter/test/regress/i13
deleted file mode 100644
index 3ba343d..0000000
--- a/contrib/ipfilter/test/regress/i13
+++ /dev/null
@@ -1,8 +0,0 @@
-a=any;
-b="from $a";
-c='to $a';
-d=block;
-e="pass in";
-$d in $b $c
-f=" $b $c";
-$e${f}
diff --git a/contrib/ipfilter/test/regress/i14 b/contrib/ipfilter/test/regress/i14
deleted file mode 100644
index 2cd2613..0000000
--- a/contrib/ipfilter/test/regress/i14
+++ /dev/null
@@ -1,10 +0,0 @@
-block in on eri0 all head 1
-pass in on eri0 proto icmp all group 1
-pass out on ed0 all head 1000000
-block out on ed0 proto udp all group 1000000
-block in on vm0 proto tcp/udp all head 101
-pass in from 1.1.1.1 to 2.2.2.2 group 101
-pass in proto tcp from 1.0.0.1 to 2.0.0.2 group 101
-pass in proto udp from 2.0.0.2 to 3.0.0.3 group 101
-block in on vm0 proto tcp/udp all head vm0-group
-pass in from 1.1.1.1 to 2.2.2.2 group vm0-group
diff --git a/contrib/ipfilter/test/regress/i15 b/contrib/ipfilter/test/regress/i15
deleted file mode 100644
index 0e6b0d1..0000000
--- a/contrib/ipfilter/test/regress/i15
+++ /dev/null
@@ -1,4 +0,0 @@
-pass out on fxp0 all set-tag(log=100)
-pass out on fxp0 all set-tag(nat=foo)
-pass out on fxp0 all set-tag(log=100, nat=200)
-pass out on fxp0 all set-tag(log=2147483648, nat=overtherainbowisapotof)
diff --git a/contrib/ipfilter/test/regress/i16 b/contrib/ipfilter/test/regress/i16
deleted file mode 100644
index 5c9144a..0000000
--- a/contrib/ipfilter/test/regress/i16
+++ /dev/null
@@ -1,3 +0,0 @@
-0 block out all
-100 pass in all
-10101 pass out proto tcp all
diff --git a/contrib/ipfilter/test/regress/i17 b/contrib/ipfilter/test/regress/i17
deleted file mode 100644
index e399248..0000000
--- a/contrib/ipfilter/test/regress/i17
+++ /dev/null
@@ -1,13 +0,0 @@
-100 pass in all
-200 pass in proto tcp all
-110 pass in proto udp all
-110 pass in from localhost to any
-pass in all
-pass in from localhost to any
-@0 100 pass in from localhost to any
-@1 pass in from any to localhost
-@0 pass in from 1.1.1.1 to any
-@1 110 pass in from 2.2.2.2 to any
-@2 pass in from 3.3.3.3 to any
-call fr_srcgrpmap/100 out from 10.1.0.0/16 to any
-call now fr_dstgrpmap/200 in from 10.2.0.0/16 to any
diff --git a/contrib/ipfilter/test/regress/i18 b/contrib/ipfilter/test/regress/i18
deleted file mode 100644
index 03ce713..0000000
--- a/contrib/ipfilter/test/regress/i18
+++ /dev/null
@@ -1,3 +0,0 @@
-pass in tos (80,0x80) all
-pass in tos (0x80,80) all
-block in ttl (0,1,2,3,4,5,6) all
diff --git a/contrib/ipfilter/test/regress/i19 b/contrib/ipfilter/test/regress/i19
deleted file mode 100644
index a09fd56..0000000
--- a/contrib/ipfilter/test/regress/i19
+++ /dev/null
@@ -1,22 +0,0 @@
-block in quick log level user.debug proto icmp all
-block in quick log level mail.info proto icmp all
-block in quick log level daemon.notice proto icmp all
-block in quick log level auth.warn proto icmp all
-block in quick log level syslog.err proto icmp all
-block in quick log level lpr.crit proto icmp all
-block in quick log level news.alert proto icmp all
-block in quick log level uucp.emerg proto icmp all
-block in quick log level cron.debug proto icmp all
-block in quick log level ftp.info proto icmp all
-block in quick log level authpriv.notice proto icmp all
-block in quick log level logalert.warn proto icmp all
-block in quick log level local0.err proto icmp all
-block in quick log level local1.crit proto icmp all
-block in quick log level local2.alert proto icmp all
-block in quick log level local3.emerg proto icmp all
-block in quick log level local4.debug proto icmp all
-block in quick log level local5.info proto icmp all
-block in quick log level local6.notice proto icmp all
-block in quick log level local7.warn proto icmp all
-block in quick log level kern.err proto icmp all
-block in quick log level security.emerg proto icmp all
diff --git a/contrib/ipfilter/test/regress/i2 b/contrib/ipfilter/test/regress/i2
deleted file mode 100644
index 50f6107..0000000
--- a/contrib/ipfilter/test/regress/i2
+++ /dev/null
@@ -1,8 +0,0 @@
-log in proto tcp all
-pass in proto 6 from any to any
-pass in proto udp from localhost to localhost
-block in proto ipv6 from any to any
-block in proto 17 from any to any
-block in proto 250 from any to any
-pass in proto tcp/udp from any to any
-block in proto tcp-udp from any to any
diff --git a/contrib/ipfilter/test/regress/i20 b/contrib/ipfilter/test/regress/i20
deleted file mode 100644
index 99039ee..0000000
--- a/contrib/ipfilter/test/regress/i20
+++ /dev/null
@@ -1,4 +0,0 @@
-pass in on ppp0 from ppp0/peer to ppp0/32
-block in on hme0 from any to hme0/broadcast
-pass in on bge0 from bge0/network to bge0/32
-block in on eri0 from any to eri0/netmasked
diff --git a/contrib/ipfilter/test/regress/i21 b/contrib/ipfilter/test/regress/i21
deleted file mode 100644
index 9d583ab..0000000
--- a/contrib/ipfilter/test/regress/i21
+++ /dev/null
@@ -1,7 +0,0 @@
-pass in from port = 10101
-pass out from any to port != 22
-block in from port 20:21
-block out from any to port 10 <> 100
-pass out from any to port = (3,5,7,9)
-block in from port = (20,25)
-pass in from any port = (11:12, 21:22) to any port = (1:2, 4:5, 8:9)
diff --git a/contrib/ipfilter/test/regress/i3 b/contrib/ipfilter/test/regress/i3
deleted file mode 100644
index 390fc3c..0000000
--- a/contrib/ipfilter/test/regress/i3
+++ /dev/null
@@ -1,14 +0,0 @@
-log in all
-pass in from 128.16/16 to 129.10.10/24
-pass in from 128.0.0.1/24 to 1\
-28\
-.\
-0.0.1/16
-pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000
-pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0
-pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000
-pass in from 128.0.0.1 mask 255.255.255.0 to 128.0.0.1 mask 255.255.0.0
-pass in from localhost to localhost
-block in log from 0/0 to 0/0
-block in log level auth.info on hme0 all
-log level local5.warn out all
diff --git a/contrib/ipfilter/test/regress/i4 b/contrib/ipfilter/test/regress/i4
deleted file mode 100644
index 8551f76..0000000
--- a/contrib/ipfilter/test/regress/i4
+++ /dev/null
@@ -1,9 +0,0 @@
-log in proto tcp from any port > 0 to any
-log in proto tcp from any to any port > 0
-pass in proto 6 from any port != 0 to any port 0 >< 65535
-pass in proto 17 from localhost port > 32000 to localhost port < 29000
-block in proto udp from any port != \ntp to any port < echo
-block in proto tcp from any port = smtp to any port > 25
-pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3
-pass in proto tcp/udp from any port 2:2 to any port 10:20
-pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S keep state
diff --git a/contrib/ipfilter/test/regress/i5 b/contrib/ipfilter/test/regress/i5
deleted file mode 100644
index 788f971..0000000
--- a/contrib/ipfilter/test/regress/i5
+++ /dev/null
@@ -1,9 +0,0 @@
-log in all
-count in tos 0x80 from any to any
-pass in on ed0 tos 64 from localhost to localhost
-block in log on lo0 ttl 0 from any to any
-pass in quick ttl 1 from any to any
-skip 3 out from 127.0.0.1 to any
-auth out on foo0 proto tcp from any to any port = 80
-preauth out on foo0 proto tcp from any to any port = 22
-nomatch out on foo0 proto tcp from any port < 1024 to any
diff --git a/contrib/ipfilter/test/regress/i6 b/contrib/ipfilter/test/regress/i6
deleted file mode 100644
index 0b371bd..0000000
--- a/contrib/ipfilter/test/regress/i6
+++ /dev/null
@@ -1,12 +0,0 @@
-pass in on lo0 fastroute from any to any
-pass in on lo0 to qe0 from localhost to localhost
-pass in on le0 to qe0:127.0.0.1 from localhost to localhost
-pass in on lo0 dup-to qe0 from localhost to localhost
-pass in on le0 dup-to qe0:127.0.0.1 from localhost to localhost
-pass in on le0 to hme0:10.1.1.1 dup-to qe0:127.0.0.1 from localhost to localhost
-block in quick on qe0 to qe1 from any to any
-block in quick to qe1 from any to any
-pass out quick dup-to hme0 from any to any
-pass out quick on hme0 reply-to hme1 from any to any
-pass in on le0 dup-to qe0:127.0.0.1 reply-to hme1:10.10.10.10 all
-pass in quick fastroute all
diff --git a/contrib/ipfilter/test/regress/i7 b/contrib/ipfilter/test/regress/i7
deleted file mode 100644
index 1a82940..0000000
--- a/contrib/ipfilter/test/regress/i7
+++ /dev/null
@@ -1,9 +0,0 @@
-pass in on ed0 proto tcp from localhost to localhost port = 23 flags S/SA
-block in on lo0 proto tcp from any to any flags A
-pass in on lo0 proto tcp from any to any flags /SAP
-block in on lo0 proto tcp from any to any flags 0x80/A
-pass in on lo0 proto tcp from any to any flags S/18
-block in on lo0 proto tcp from any to any flags 2/18
-pass in on lo0 proto tcp from any to any flags 2
-block in on lo0 proto tcp from any to any flags /16
-pass in on lo0 proto tcp from any to any flags 2/SA
diff --git a/contrib/ipfilter/test/regress/i8 b/contrib/ipfilter/test/regress/i8
deleted file mode 100644
index c30f8bd..0000000
--- a/contrib/ipfilter/test/regress/i8
+++ /dev/null
@@ -1,33 +0,0 @@
-pass in proto icmp from localhost to localhost icmp-type timest
-block in proto icmp from any to any icmp-type unreach code 1
-pass in proto icmp all icmp-type unreach code cutoff-preced
-pass in proto icmp all icmp-type unreach code filter-prohib
-pass in proto icmp all icmp-type unreach code isolate
-pass in proto icmp all icmp-type unreach code needfrag
-pass in proto icmp all icmp-type unreach code net-prohib
-pass in proto icmp all icmp-type unreach code net-tos
-pass in proto icmp all icmp-type unreach code host-preced
-pass in proto icmp all icmp-type unreach code host-prohib
-pass in proto icmp all icmp-type unreach code host-tos
-pass in proto icmp all icmp-type unreach code host-unk
-pass in proto icmp all icmp-type unreach code host-unr
-pass in proto icmp all icmp-type unreach code (net-unk,net-unr)
-pass in proto icmp all icmp-type unreach code port-unr
-pass in proto icmp all icmp-type unreach code proto-unr
-pass in proto icmp all icmp-type unreach code srcfail
-pass in proto icmp all icmp-type (echo,echorep)
-pass in proto icmp all icmp-type inforeq
-pass in proto icmp all icmp-type inforep
-pass in proto icmp all icmp-type maskrep
-pass in proto icmp all icmp-type maskreq
-pass in proto icmp all icmp-type paramprob
-pass in proto icmp all icmp-type redir
-pass in proto icmp all icmp-type unreach
-pass in proto icmp all icmp-type routerad
-pass in proto icmp all icmp-type routersol
-pass in proto icmp all icmp-type squench
-pass in proto icmp all icmp-type timest
-pass in proto icmp all icmp-type timestrep
-pass in proto icmp all icmp-type timex
-pass in proto icmp all icmp-type 254
-pass in proto icmp all icmp-type 253 code 254
diff --git a/contrib/ipfilter/test/regress/i9 b/contrib/ipfilter/test/regress/i9
deleted file mode 100644
index 441cfa9..0000000
--- a/contrib/ipfilter/test/regress/i9
+++ /dev/null
@@ -1,17 +0,0 @@
-pass in from localhost to localhost with short,frags
-block in from any to any with ipopts
-pass in from any to any with opt nop,rr,zsu
-pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
-pass in from localhost to localhost and not frag
-pass in from localhost to localhost with frags,frag-body
-pass in proto tcp all flags S with not oow keep state
-block in proto tcp all with oow
-pass in proto tcp all flags S with not bad,bad-src,bad-nat
-block in proto tcp all flags S with bad,not bad-src,not bad-nat
-pass in quick all with not short
-block in quick all with not nat
-pass in quick all with not frag-body
-block in quick all with not lowttl
-pass in all with mbcast,not bcast,multicast,not state,not ipopts
-block in all with not mbcast,bcast,not multicast,state
-pass in from any to any with opt mtur,mtup,encode,ts,tr,sec,cipso,satid,ssrr,visa,imitd,eip,finn,dps,sdb,nsapa,rtralrt,ump,addext,e-sec
diff --git a/contrib/ipfilter/test/regress/in1 b/contrib/ipfilter/test/regress/in1
deleted file mode 100644
index d5d0cf4..0000000
--- a/contrib/ipfilter/test/regress/in1
+++ /dev/null
@@ -1,31 +0,0 @@
-map le0 0/0 -> 0/32
-map le0 1/32 -> 1/32
-map le0 128.0.0.0/1 -> 0/0
-map le0 10.0.0.0/8 -> 1.2.3.0/24
-map le0 10.0.0.5/8 -> 1.2.3.4/24
-map le0 10.0.0.5/0xff000000 -> 1.2.3.4/24
-map le0 10.0.0.5/0xff -> 1.2.3.4/24
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999
-map ppp0 192.168.0.0/16 -> 0/32 portmap udp 20000:29999
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp auto
-map ppp0 192.168.0.0/16 -> 0/32 portmap udp auto
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcpudp auto
-map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/6
-map ppp0 192.168.0.0/16 -> 0/32 proxy port 1010 ftp/tcp
-map le0 0/0 -> 0/32 frag
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag
-map ppp0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp frag
-map le0 0/0 -> 0/32 age 10
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 age 10/20
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 age 30
-map le0 0/0 -> 0/32 frag age 10
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
-map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag age 30
-map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp
-map thisisalonginte 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
-map bar0 0/0 -> 0/32 icmpidmap icmp 1000:2000
-map ppp0,adsl0 0/0 -> 0/32
-map ppp0 from 192.168.0.0/16 to any port = 123 -> 0/32 age 30/1 udp
diff --git a/contrib/ipfilter/test/regress/in2 b/contrib/ipfilter/test/regress/in2
deleted file mode 100644
index 83a2ca5..0000000
--- a/contrib/ipfilter/test/regress/in2
+++ /dev/null
@@ -1,71 +0,0 @@
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 255
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/0xff000000 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/0xffff0000 -> 1.1.1.1 ip
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 0/0 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcpudp frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag
-rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip tag nattagcacheline
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000 tag nattagcacheline
-rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000 tag nattagcacheline
-rdr ge0 9.8.7.6/32 -> 1.1.1.1 proxy port 21 ftp/tcp
-rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp
-rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp
-rdr le0 0/0 -> test.host.dots
-rdr le0 0/0 -> test.host.dots,test.host.dots
-rdr adsl0,ppp0 0/0 port 25 -> 127.0.0.1 port 25
diff --git a/contrib/ipfilter/test/regress/in3 b/contrib/ipfilter/test/regress/in3
deleted file mode 100644
index d8016b6..0000000
--- a/contrib/ipfilter/test/regress/in3
+++ /dev/null
@@ -1,5 +0,0 @@
-bimap le0 0/0 -> 0/32
-bimap le0 1/32 -> 1/32
-bimap le0 128.0.0.0/1 -> 0/0
-bimap le0 10.0.0.0/8 -> 1.2.3.0/24
-bimap le0 10.0.5.6/24 -> 1.2.3.4/24
diff --git a/contrib/ipfilter/test/regress/in4 b/contrib/ipfilter/test/regress/in4
deleted file mode 100644
index 46bbd81..0000000
--- a/contrib/ipfilter/test/regress/in4
+++ /dev/null
@@ -1,5 +0,0 @@
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 0
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports 256
-map-block le0 10.0.0.0/24 -> 203.1.1.0/24 ports auto
-map-block le0 10.0.0.0/16 -> 203.1.1.0/24 ports auto
diff --git a/contrib/ipfilter/test/regress/in5 b/contrib/ipfilter/test/regress/in5
deleted file mode 100644
index 766c3e3..0000000
--- a/contrib/ipfilter/test/regress/in5
+++ /dev/null
@@ -1,24 +0,0 @@
-map le0 from 9.8.7.6/32 port > 1024 to any -> 1.1.1.1 portmap 10000:20000 tcp
-map le0 from 9.8.7.6/32 port > 1024 to ! 1.2.3.4 -> 1.1.1.1 portmap 10000:20000 tcp
-rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp
-rdr le0 from any to 9.8.7.6/0xffffffff port = 0 -> 1.1.1.1 port 0 ip
-rdr le0 ! from 1.2.3.4 to 9.8.7.6 port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6/255.255.255.255 port = 8888 -> 1.1.1.1 port 888 ip
-rdr le0 from any to 9.8.7.6 mask 0xffffffff port = 8888 -> 1.1.1.1 port 888 tcp
-rdr le0 from any to 9.8.7.6 mask 255.255.255.255 port = 8888 -> 1.1.1.1 port 888 udp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 888 icmp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag
-rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag age 10
-rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag age 10
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30
-rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40
diff --git a/contrib/ipfilter/test/regress/in6 b/contrib/ipfilter/test/regress/in6
deleted file mode 100644
index 70e71dd..0000000
--- a/contrib/ipfilter/test/regress/in6
+++ /dev/null
@@ -1,8 +0,0 @@
-map foo0 from any port = 1 to any port != 0 -> 0/32 udp
-map foo0 from any port eq 1 to any port ne 0 -> 0/32 udp
-map foo0 from any port < 1 to any port > 0 -> 0/32 tcp
-map foo0 from any port lt 1 to any port gt 0 -> 0/32 tcp
-map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
-map foo0 from any port le 1 to any port ge 0 -> 0/32 tcp/udp
-map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0/32 tcp/udp
-map foo0 from any port 10:20 to any port 30:40 -> 0/32 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ip1 b/contrib/ipfilter/test/regress/ip1
deleted file mode 100644
index c31ba25..0000000
--- a/contrib/ipfilter/test/regress/ip1
+++ /dev/null
@@ -1,78 +0,0 @@
-#:%s/ \(number = [0-9]*\) \(type = [a-z]*\)/ \2 \1/g
-
-table role = ipf type = tree number = 1
- {; };
-table role = ipf type = tree number = 100
- { 1.2.3.4/32; !2.2.0.0/16; 2.2.2.0/24; };
-table role = nat type = tree number = 110
- { 1.2.3.4/32; !2.2.0.0/16; 2.2.2.0/24; };
-table role = auth type = tree number = 120
- { 1.2.3.4/32; !2.2.0.0/16; 2.2.2.0/24; };
-table role = count type = tree number = 130
- { 1.2.3.4; !2.2.0.0/16; 2.2.2.0/24; };
-
-table role = ipf type = hash number = 2
- {; };
-table role = ipf type = hash number = 200
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 210
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 220
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 230
- { 0/0; 4/32; 1.2.3.4/32; };
-
-table role = ipf type = hash number = 240 seed = 101
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 250 seed = 101
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 260 seed = 101
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 270 seed = 101
- { 0/0; 4/32; 1.2.3.4/32; };
-
-table role = ipf type = hash number = 2000 size = 1001
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 2000 size = 1001
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 2000 size = 1001
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 2000 size = 1001
- { 0/0; 4/32; 1.2.3.4/32; };
-
-table role = ipf type = hash number = 100 size = 1001 seed = 101
- { 0/0; 1/32; 1.2.3.4/32; };
-table role = nat type = hash number = 100 size = 1001 seed = 101
- { 0/0; 2/32; 1.2.3.4/32; };
-table role = auth type = hash number = 100 size = 1001 seed = 101
- { 0/0; 3/32; 1.2.3.4/32; };
-table role = count type = hash number = 100 size = 1001 seed = 101
- { 0/0; 4/32; 1.2.3.4/32; };
-
-group-map in role = ipf number = 300 group = 303
- { 0/0; 5/32; 1.2.3.4/32; };
-group-map in role = nat number = 300 group = 303
- { 0/0; 6/32; 1.2.3.4/32; };
-group-map in role = auth number = 300 group = 303
- { 0/0; 7/32; 1.2.3.4/32; };
-group-map in role = count number = 300 group = 303
- { 0/0; 8/32; 1.2.3.4/32; };
-
-group-map out role = ipf number = 400 group = 303
- { 0/0; 5/32; 1.2.3.4/32, group = 606; };
-group-map out role = nat number = 400 group = 303
- { 0/0; 6/32; 1.2.3.4/32, group = 606; };
-group-map out role = auth number = 400 group = 303
- { 0/0; 7/32; 1.2.3.4/32, group = 606; };
-group-map out role = count number = 400 group = 303
- { 0/0; 8/32; 1.2.3.4/32, group = 606; };
-
-group-map in role = ipf number = 500
- { 0/0, group = 10; 5/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = nat number = 500
- { 0/0, group = 10; 6/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = auth number = 500
- { 0/0, group = 10; 7/32, group = 800; 1.2.3.4/32, group = 606; };
-group-map in role = count number = 500
- { 0/0, group = 10; 8/32, group = 800; 1.2.3.4/32, group = 606; };
-
diff --git a/contrib/ipfilter/test/regress/ip2 b/contrib/ipfilter/test/regress/ip2
deleted file mode 100644
index 76f31b6..0000000
--- a/contrib/ipfilter/test/regress/ip2
+++ /dev/null
@@ -1,2 +0,0 @@
-table role = ipf type = tree name = letters
- { "file://input/ip2.data"; };
diff --git a/contrib/ipfilter/test/regress/ipf6-1 b/contrib/ipfilter/test/regress/ipf6-1
deleted file mode 100644
index 814dfd6..0000000
--- a/contrib/ipfilter/test/regress/ipf6-1
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-block out all
-pass out proto 58 all keep state
diff --git a/contrib/ipfilter/test/regress/ipv6.1 b/contrib/ipfilter/test/regress/ipv6.1
deleted file mode 100644
index fc532b6..0000000
--- a/contrib/ipfilter/test/regress/ipv6.1
+++ /dev/null
@@ -1 +0,0 @@
-pass out log quick on gif0 proto udp from ef00:1001:2002::/48 to any port 33433 >< 34000 keep state
diff --git a/contrib/ipfilter/test/regress/ipv6.2 b/contrib/ipfilter/test/regress/ipv6.2
deleted file mode 100644
index 814dfd6..0000000
--- a/contrib/ipfilter/test/regress/ipv6.2
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-block out all
-pass out proto 58 all keep state
diff --git a/contrib/ipfilter/test/regress/ipv6.3 b/contrib/ipfilter/test/regress/ipv6.3
deleted file mode 100644
index 6dc9e93..0000000
--- a/contrib/ipfilter/test/regress/ipv6.3
+++ /dev/null
@@ -1 +0,0 @@
-pass out log quick on gif0 proto ipv6-icmp from any to any icmp-type 128 keep state
diff --git a/contrib/ipfilter/test/regress/ipv6.5 b/contrib/ipfilter/test/regress/ipv6.5
deleted file mode 100644
index ba8cabb..0000000
--- a/contrib/ipfilter/test/regress/ipv6.5
+++ /dev/null
@@ -1,2 +0,0 @@
-pass out all with v6hdrs routing
-block out proto tcp all with v6hdrs routing
diff --git a/contrib/ipfilter/test/regress/ipv6.6 b/contrib/ipfilter/test/regress/ipv6.6
deleted file mode 100644
index f1f904b..0000000
--- a/contrib/ipfilter/test/regress/ipv6.6
+++ /dev/null
@@ -1 +0,0 @@
-pass out on gif0 proto udp all keep frag
diff --git a/contrib/ipfilter/test/regress/l1 b/contrib/ipfilter/test/regress/l1
deleted file mode 100644
index 88cca58..0000000
--- a/contrib/ipfilter/test/regress/l1
+++ /dev/null
@@ -1,6 +0,0 @@
-log in all
-pass in on anon0 all head 100
-pass in log quick from 3.3.3.3 to any group 100
-pass in log body quick from 2.2.2.2 to any
-pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
-pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/n1 b/contrib/ipfilter/test/regress/n1
deleted file mode 100644
index 9bcf29b..0000000
--- a/contrib/ipfilter/test/regress/n1
+++ /dev/null
@@ -1,3 +0,0 @@
-map zx0 10.1.1.1/32 -> 10.2.2.2/32
-map zx0 10.1.1.0/24 -> 10.3.4.5/32
-map zx0 10.1.1.0/24 -> 10.3.4.0/24
diff --git a/contrib/ipfilter/test/regress/n10 b/contrib/ipfilter/test/regress/n10
deleted file mode 100644
index 0f48192..0000000
--- a/contrib/ipfilter/test/regress/n10
+++ /dev/null
@@ -1,3 +0,0 @@
-map ppp0 0/0 -> 203.203.203.203/32 mssclamp 100
-map ppp0 0/0 -> 203.203.203.203/32 mssclamp 1000
-map ppp0 0/0 -> 203.203.203.203/32 mssclamp 10000
diff --git a/contrib/ipfilter/test/regress/n11 b/contrib/ipfilter/test/regress/n11
deleted file mode 100644
index 8cdf7fc..0000000
--- a/contrib/ipfilter/test/regress/n11
+++ /dev/null
@@ -1,3 +0,0 @@
-bimap zx0 10.1.1.1/32 -> 1.6.7.8/32
-bimap zx0 10.1.1.0/24 -> 10.2.2.2/32
-bimap zx0 10.1.1.0/24 -> 10.3.4.5/24
diff --git a/contrib/ipfilter/test/regress/n12 b/contrib/ipfilter/test/regress/n12
deleted file mode 100644
index 225675b..0000000
--- a/contrib/ipfilter/test/regress/n12
+++ /dev/null
@@ -1 +0,0 @@
-map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000
diff --git a/contrib/ipfilter/test/regress/n13 b/contrib/ipfilter/test/regress/n13
deleted file mode 100644
index 8047930..0000000
--- a/contrib/ipfilter/test/regress/n13
+++ /dev/null
@@ -1 +0,0 @@
-map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
diff --git a/contrib/ipfilter/test/regress/n14 b/contrib/ipfilter/test/regress/n14
deleted file mode 100644
index 6f5d571..0000000
--- a/contrib/ipfilter/test/regress/n14
+++ /dev/null
@@ -1 +0,0 @@
-rdr gre0 0/0 port 80 -> 10.1.1.254,10.1.1.253 port 80 tcp sticky
diff --git a/contrib/ipfilter/test/regress/n16 b/contrib/ipfilter/test/regress/n16
deleted file mode 100644
index ff8958c..0000000
--- a/contrib/ipfilter/test/regress/n16
+++ /dev/null
@@ -1 +0,0 @@
-rdr vlan0 from any to 69.248.79.193 port = 38136 -> 172.31.83.24 port 2013 udp
diff --git a/contrib/ipfilter/test/regress/n2 b/contrib/ipfilter/test/regress/n2
deleted file mode 100644
index dbce5aa..0000000
--- a/contrib/ipfilter/test/regress/n2
+++ /dev/null
@@ -1,4 +0,0 @@
-map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
-map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n3 b/contrib/ipfilter/test/regress/n3
deleted file mode 100644
index 82c83dd..0000000
--- a/contrib/ipfilter/test/regress/n3
+++ /dev/null
@@ -1,2 +0,0 @@
-map zz0 10.1.0.0/16 -> 192.168.2.0/24 portmap tcp/udp auto
-map-block zz0 10.1.0.0/16 -> 192.168.1.0/24 ports 252
diff --git a/contrib/ipfilter/test/regress/n4 b/contrib/ipfilter/test/regress/n4
deleted file mode 100644
index e7c0314..0000000
--- a/contrib/ipfilter/test/regress/n4
+++ /dev/null
@@ -1,6 +0,0 @@
-rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 10.1.1.0/24 port 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 0/0 port 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 10.1.1.0/24 port 53 -> 10.2.2.1 port 10053 udp
-rdr zx0 10.1.1.0/24 port 0 -> 10.2.2.1 port 0 tcp
-rdr zx0 10.1.1.0/24 port 0 -> 10.2.2.1 port 0 ip
diff --git a/contrib/ipfilter/test/regress/n5 b/contrib/ipfilter/test/regress/n5
deleted file mode 100644
index e55cea0..0000000
--- a/contrib/ipfilter/test/regress/n5
+++ /dev/null
@@ -1,6 +0,0 @@
-map zx0 10.1.1.1/32 -> 10.2.2.2/32
-map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
-map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
-map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
-map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n6 b/contrib/ipfilter/test/regress/n6
deleted file mode 100644
index 79f11a4..0000000
--- a/contrib/ipfilter/test/regress/n6
+++ /dev/null
@@ -1,5 +0,0 @@
-rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 from any to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 from 10.2.0.0/16 to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 from 10.3.0.0/16 to 10.1.0.0/16 port = 23 -> 10.2.2.1 port 10023 tcp
-rdr zx0 ! from 10.2.0.0/16 to 10.1.1.0/24 port = 53 -> 10.2.2.1 port 10053 udp
diff --git a/contrib/ipfilter/test/regress/n7 b/contrib/ipfilter/test/regress/n7
deleted file mode 100644
index be995c2..0000000
--- a/contrib/ipfilter/test/regress/n7
+++ /dev/null
@@ -1,3 +0,0 @@
-rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1 port 10023 tcp
-rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1 port = 10023 tcp
-rdr zx0 10.1.1.0/24 port 80 -> 10.2.2.1,1.2.2.129 port 3128 tcp
diff --git a/contrib/ipfilter/test/regress/n8 b/contrib/ipfilter/test/regress/n8
deleted file mode 100644
index bf0e94f..0000000
--- a/contrib/ipfilter/test/regress/n8
+++ /dev/null
@@ -1 +0,0 @@
-map icmp0 2.2.2.0/24 -> 10.10.10.0/24
diff --git a/contrib/ipfilter/test/regress/n9 b/contrib/ipfilter/test/regress/n9
deleted file mode 100644
index 81a7ccd..0000000
--- a/contrib/ipfilter/test/regress/n9
+++ /dev/null
@@ -1 +0,0 @@
-rdr icmp0 4.4.4.0/24 port 0 -> 10.10.10.1 port 0 ip
diff --git a/contrib/ipfilter/test/regress/ni1.ipf b/contrib/ipfilter/test/regress/ni1.ipf
deleted file mode 100644
index c7e5797..0000000
--- a/contrib/ipfilter/test/regress/ni1.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass out proto udp from any to any keep state
-pass out proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni1.nat b/contrib/ipfilter/test/regress/ni1.nat
deleted file mode 100644
index f38e435..0000000
--- a/contrib/ipfilter/test/regress/ni1.nat
+++ /dev/null
@@ -1,3 +0,0 @@
-map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp 2000:2500
-map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp 20000:25000
-map df0 from 2.2.2.2/32 to any -> 6.6.6.6/32
diff --git a/contrib/ipfilter/test/regress/ni10.ipf b/contrib/ipfilter/test/regress/ni10.ipf
deleted file mode 100644
index 4151b6e..0000000
--- a/contrib/ipfilter/test/regress/ni10.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass in proto udp from any to any keep state
-pass in proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni10.nat b/contrib/ipfilter/test/regress/ni10.nat
deleted file mode 100644
index 2a04ef7..0000000
--- a/contrib/ipfilter/test/regress/ni10.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 2.2.2.2/32 -> 6.6.6.6
diff --git a/contrib/ipfilter/test/regress/ni11.ipf b/contrib/ipfilter/test/regress/ni11.ipf
deleted file mode 100644
index 4151b6e..0000000
--- a/contrib/ipfilter/test/regress/ni11.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass in proto udp from any to any keep state
-pass in proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni11.nat b/contrib/ipfilter/test/regress/ni11.nat
deleted file mode 100644
index 1d0018c..0000000
--- a/contrib/ipfilter/test/regress/ni11.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port 40000 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ni12.ipf b/contrib/ipfilter/test/regress/ni12.ipf
deleted file mode 100644
index 4151b6e..0000000
--- a/contrib/ipfilter/test/regress/ni12.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass in proto udp from any to any keep state
-pass in proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni12.nat b/contrib/ipfilter/test/regress/ni12.nat
deleted file mode 100644
index 8c36bc8..0000000
--- a/contrib/ipfilter/test/regress/ni12.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port = 40000 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ni13.ipf b/contrib/ipfilter/test/regress/ni13.ipf
deleted file mode 100644
index 04b6d13..0000000
--- a/contrib/ipfilter/test/regress/ni13.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-pass in quick on pcn1 proto tcp from any to any port = 1723 keep state
-block in all
-block out all
diff --git a/contrib/ipfilter/test/regress/ni13.nat b/contrib/ipfilter/test/regress/ni13.nat
deleted file mode 100644
index 7a879d8..0000000
--- a/contrib/ipfilter/test/regress/ni13.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr pcn1 192.168.113.3/32 port 1723 -> 0.0.0.0 port 1723 proxy pptp
diff --git a/contrib/ipfilter/test/regress/ni14.ipf b/contrib/ipfilter/test/regress/ni14.ipf
deleted file mode 100644
index 04b6d13..0000000
--- a/contrib/ipfilter/test/regress/ni14.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-pass in quick on pcn1 proto tcp from any to any port = 1723 keep state
-block in all
-block out all
diff --git a/contrib/ipfilter/test/regress/ni14.nat b/contrib/ipfilter/test/regress/ni14.nat
deleted file mode 100644
index c546e99..0000000
--- a/contrib/ipfilter/test/regress/ni14.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr pcn1 192.168.113.3/32 port 1723 -> 127.0.0.1 port 1723 proxy pptp
diff --git a/contrib/ipfilter/test/regress/ni15.ipf b/contrib/ipfilter/test/regress/ni15.ipf
deleted file mode 100644
index 1b9a013..0000000
--- a/contrib/ipfilter/test/regress/ni15.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-pass out quick on pcn1 proto tcp from any to any port = 1723 keep state
-block in all
-block out all
diff --git a/contrib/ipfilter/test/regress/ni15.nat b/contrib/ipfilter/test/regress/ni15.nat
deleted file mode 100644
index 420c7b7..0000000
--- a/contrib/ipfilter/test/regress/ni15.nat
+++ /dev/null
@@ -1 +0,0 @@
-map pcn1 0/0 -> 0/0 proxy port 1723 pptp/tcp
diff --git a/contrib/ipfilter/test/regress/ni16.ipf b/contrib/ipfilter/test/regress/ni16.ipf
deleted file mode 100644
index 1b9a013..0000000
--- a/contrib/ipfilter/test/regress/ni16.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-pass out quick on pcn1 proto tcp from any to any port = 1723 keep state
-block in all
-block out all
diff --git a/contrib/ipfilter/test/regress/ni16.nat b/contrib/ipfilter/test/regress/ni16.nat
deleted file mode 100644
index 5fad3cd..0000000
--- a/contrib/ipfilter/test/regress/ni16.nat
+++ /dev/null
@@ -1 +0,0 @@
-map pcn1 10.2.2.2/32 -> 0/32 proxy port 1723 pptp/tcp
diff --git a/contrib/ipfilter/test/regress/ni17.nat b/contrib/ipfilter/test/regress/ni17.nat
deleted file mode 100644
index 3da6338..0000000
--- a/contrib/ipfilter/test/regress/ni17.nat
+++ /dev/null
@@ -1,4 +0,0 @@
-rdr le0 0/0 port 80 -> 10.1.1.252 port 3128 tcp round-robin
-rdr le0 0/0 port 80 -> 10.1.2.252 port 3128 tcp round-robin
-rdr le0 0/0 port 80 -> 10.1.3.252 port 3128 tcp round-robin sticky
-rdr le0 0/0 port 80 -> 10.1.1.253,10.1.2.253 port 3128 tcp round-robin sticky
diff --git a/contrib/ipfilter/test/regress/ni19.ipf b/contrib/ipfilter/test/regress/ni19.ipf
deleted file mode 100644
index c6fcec1..0000000
--- a/contrib/ipfilter/test/regress/ni19.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-pass out quick on bge0 proto tcp from any to any port = shell flags S keep state
-block out all
diff --git a/contrib/ipfilter/test/regress/ni19.nat b/contrib/ipfilter/test/regress/ni19.nat
deleted file mode 100644
index 56b81a9..0000000
--- a/contrib/ipfilter/test/regress/ni19.nat
+++ /dev/null
@@ -1 +0,0 @@
-map bge0 192.168.113.0/24 -> 10.1.1.1/32 proxy port shell rcmd/tcp
diff --git a/contrib/ipfilter/test/regress/ni2.ipf b/contrib/ipfilter/test/regress/ni2.ipf
deleted file mode 100644
index 5956cf9..0000000
--- a/contrib/ipfilter/test/regress/ni2.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass out quick proto tcp from any to any flags S/SAFR keep state
diff --git a/contrib/ipfilter/test/regress/ni2.nat b/contrib/ipfilter/test/regress/ni2.nat
deleted file mode 100644
index 4ad73c2..0000000
--- a/contrib/ipfilter/test/regress/ni2.nat
+++ /dev/null
@@ -1 +0,0 @@
-map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000
diff --git a/contrib/ipfilter/test/regress/ni20.ipf b/contrib/ipfilter/test/regress/ni20.ipf
deleted file mode 100644
index c6f6d84..0000000
--- a/contrib/ipfilter/test/regress/ni20.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-pass in quick on bge0 proto tcp from any to any port = shell flags S keep state
-block out all
diff --git a/contrib/ipfilter/test/regress/ni20.nat b/contrib/ipfilter/test/regress/ni20.nat
deleted file mode 100644
index f2dd0a7..0000000
--- a/contrib/ipfilter/test/regress/ni20.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr bge0 10.1.1.4/32 port shell -> 192.168.113.4 port shell tcp proxy rcmd
diff --git a/contrib/ipfilter/test/regress/ni21.ipf b/contrib/ipfilter/test/regress/ni21.ipf
deleted file mode 100644
index 6d6ed08..0000000
--- a/contrib/ipfilter/test/regress/ni21.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass out on lan0 to eri0:1.1.1.1 from 2.2.2.2 to any
diff --git a/contrib/ipfilter/test/regress/ni21.nat b/contrib/ipfilter/test/regress/ni21.nat
deleted file mode 100644
index 6b2d46a..0000000
--- a/contrib/ipfilter/test/regress/ni21.nat
+++ /dev/null
@@ -1 +0,0 @@
-map lan0,eri0 2.2.2.2 -> 4.4.4.4
diff --git a/contrib/ipfilter/test/regress/ni23.ipf b/contrib/ipfilter/test/regress/ni23.ipf
deleted file mode 100644
index 49ebcf7..0000000
--- a/contrib/ipfilter/test/regress/ni23.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-block out all
-block in all
-pass in on le0,hme0 out-via ppp0,bge0 to ppp0:3.3.3.254 proto udp all keep state
diff --git a/contrib/ipfilter/test/regress/ni23.nat b/contrib/ipfilter/test/regress/ni23.nat
deleted file mode 100644
index 094d377..0000000
--- a/contrib/ipfilter/test/regress/ni23.nat
+++ /dev/null
@@ -1,2 +0,0 @@
-rdr le0,bge0 1.1.0.0/16 -> 2.2.2.2
-map hme0,ppp0 3.3.3.0/24 -> 4.4.4.4/32
diff --git a/contrib/ipfilter/test/regress/ni3.ipf b/contrib/ipfilter/test/regress/ni3.ipf
deleted file mode 100644
index c7e5797..0000000
--- a/contrib/ipfilter/test/regress/ni3.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass out proto udp from any to any keep state
-pass out proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni3.nat b/contrib/ipfilter/test/regress/ni3.nat
deleted file mode 100644
index 4306f4b..0000000
--- a/contrib/ipfilter/test/regress/ni3.nat
+++ /dev/null
@@ -1 +0,0 @@
-map df0 2.2.2.2/32 -> 6.6.6.6/32
diff --git a/contrib/ipfilter/test/regress/ni4.ipf b/contrib/ipfilter/test/regress/ni4.ipf
deleted file mode 100644
index c7e5797..0000000
--- a/contrib/ipfilter/test/regress/ni4.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass out proto udp from any to any keep state
-pass out proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni4.nat b/contrib/ipfilter/test/regress/ni4.nat
deleted file mode 100644
index 6eefdc2..0000000
--- a/contrib/ipfilter/test/regress/ni4.nat
+++ /dev/null
@@ -1 +0,0 @@
-map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000
diff --git a/contrib/ipfilter/test/regress/ni5.ipf b/contrib/ipfilter/test/regress/ni5.ipf
deleted file mode 100644
index 8f11424..0000000
--- a/contrib/ipfilter/test/regress/ni5.ipf
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-pass out quick on ppp0 proto tcp from any to any port = ftp flags S keep state
-block out all
diff --git a/contrib/ipfilter/test/regress/ni5.nat b/contrib/ipfilter/test/regress/ni5.nat
deleted file mode 100644
index 8e80d22..0000000
--- a/contrib/ipfilter/test/regress/ni5.nat
+++ /dev/null
@@ -1 +0,0 @@
-map ppp0 192.168.1.0/24 -> 1.1.1.1/32 proxy port ftp ftp/tcp
diff --git a/contrib/ipfilter/test/regress/ni6.ipf b/contrib/ipfilter/test/regress/ni6.ipf
deleted file mode 100644
index f5b83b2..0000000
--- a/contrib/ipfilter/test/regress/ni6.ipf
+++ /dev/null
@@ -1,9 +0,0 @@
-block out log quick on qfe0 from 192.168.7.0/24 to any
-block out log quick on nf0 from 192.168.6.0/24 to any
-pass in quick on nf0 proto tcp from any to any port = 111 flags S keep state
-pass in quick on nf0 proto udp from any to any port = 111 keep state
-block return-rst in log quick on nf0 proto tcp from any to any
-block in log quick on nf0 from 192.168.7.0/24 to any
-block return-rst in log quick on qfe0 proto tcp from any to any
-block in log quick on qfe0 from 192.168.6.0/24 to any
-
diff --git a/contrib/ipfilter/test/regress/ni6.nat b/contrib/ipfilter/test/regress/ni6.nat
deleted file mode 100644
index 00d57d0..0000000
--- a/contrib/ipfilter/test/regress/ni6.nat
+++ /dev/null
@@ -1,3 +0,0 @@
-rdr nf0 192.168.6.2 port 111 -> 192.168.7.1 port 111 udp proxy rpcbu
-rdr nf0 192.168.6.2 port 111 -> 192.168.7.1 port 111 tcp proxy rpcbt
-map qfe0 192.168.6.0/24 -> 192.168.7.2/32
diff --git a/contrib/ipfilter/test/regress/ni7.ipf b/contrib/ipfilter/test/regress/ni7.ipf
deleted file mode 100644
index 4151b6e..0000000
--- a/contrib/ipfilter/test/regress/ni7.ipf
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-block out all
-pass in proto udp from any to any keep state
-pass in proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni7.nat b/contrib/ipfilter/test/regress/ni7.nat
deleted file mode 100644
index 2a04ef7..0000000
--- a/contrib/ipfilter/test/regress/ni7.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 2.2.2.2/32 -> 6.6.6.6
diff --git a/contrib/ipfilter/test/regress/ni8.ipf b/contrib/ipfilter/test/regress/ni8.ipf
deleted file mode 100644
index 6666241..0000000
--- a/contrib/ipfilter/test/regress/ni8.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass in quick proto tcp from any to any flags S/SAFR keep state
diff --git a/contrib/ipfilter/test/regress/ni8.nat b/contrib/ipfilter/test/regress/ni8.nat
deleted file mode 100644
index 1d0018c..0000000
--- a/contrib/ipfilter/test/regress/ni8.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port 40000 tcp/udp
diff --git a/contrib/ipfilter/test/regress/ni9.ipf b/contrib/ipfilter/test/regress/ni9.ipf
deleted file mode 100644
index 6666241..0000000
--- a/contrib/ipfilter/test/regress/ni9.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass in quick proto tcp from any to any flags S/SAFR keep state
diff --git a/contrib/ipfilter/test/regress/ni9.nat b/contrib/ipfilter/test/regress/ni9.nat
deleted file mode 100644
index 8c36bc8..0000000
--- a/contrib/ipfilter/test/regress/ni9.nat
+++ /dev/null
@@ -1 +0,0 @@
-rdr df0 10.0.0.0/8 port 1000:2000 -> 1.1.1.1 port = 40000 tcp/udp
diff --git a/contrib/ipfilter/test/regress/p1.ipf b/contrib/ipfilter/test/regress/p1.ipf
deleted file mode 100644
index acaf639..0000000
--- a/contrib/ipfilter/test/regress/p1.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass in from pool/100 to any
diff --git a/contrib/ipfilter/test/regress/p1.pool b/contrib/ipfilter/test/regress/p1.pool
deleted file mode 100644
index 14ae3a3..0000000
--- a/contrib/ipfilter/test/regress/p1.pool
+++ /dev/null
@@ -1,2 +0,0 @@
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };
diff --git a/contrib/ipfilter/test/regress/p2.ipf b/contrib/ipfilter/test/regress/p2.ipf
deleted file mode 100644
index 4cfb388..0000000
--- a/contrib/ipfilter/test/regress/p2.ipf
+++ /dev/null
@@ -1,2 +0,0 @@
-pass out from hash=(127.0.0.1,4.4.0.0/16) to any
-block in from hash=(127.0.0.1,4.4.0.0/16) to any
diff --git a/contrib/ipfilter/test/regress/p3.ipf b/contrib/ipfilter/test/regress/p3.ipf
deleted file mode 100644
index aad7cb3..0000000
--- a/contrib/ipfilter/test/regress/p3.ipf
+++ /dev/null
@@ -1,6 +0,0 @@
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
-pass in all group 1020
-block in all group 1030
-pass out all group 2020
-block out all group 2040
diff --git a/contrib/ipfilter/test/regress/p3.pool b/contrib/ipfilter/test/regress/p3.pool
deleted file mode 100644
index 3fadd59..0000000
--- a/contrib/ipfilter/test/regress/p3.pool
+++ /dev/null
@@ -1,4 +0,0 @@
-group-map in role = ipf number = 1010
- { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
-group-map out role = ipf number = 2010 group = 2020
- { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
diff --git a/contrib/ipfilter/test/regress/p5.ipf b/contrib/ipfilter/test/regress/p5.ipf
deleted file mode 100644
index ada9f56..0000000
--- a/contrib/ipfilter/test/regress/p5.ipf
+++ /dev/null
@@ -1 +0,0 @@
-pass in from pool/letters to any
diff --git a/contrib/ipfilter/test/regress/p5.pool b/contrib/ipfilter/test/regress/p5.pool
deleted file mode 100644
index 9a8eaa3..0000000
--- a/contrib/ipfilter/test/regress/p5.pool
+++ /dev/null
@@ -1,2 +0,0 @@
-table role = ipf type = tree name = letters
- { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };
diff --git a/contrib/ipfilter/test/regress/regress.sed b/contrib/ipfilter/test/regress/regress.sed
deleted file mode 100644
index e69de29..0000000
--- a/contrib/ipfilter/test/regress/regress.sed
+++ /dev/null
diff --git a/contrib/ipfilter/test/test.format b/contrib/ipfilter/test/test.format
deleted file mode 100644
index dfc3f35..0000000
--- a/contrib/ipfilter/test/test.format
+++ /dev/null
@@ -1,99 +0,0 @@
-#test input-format output-format
-bpf-f1 text text
-bpf1 text ipf
-f1 text text
-f2 text text
-f3 text text
-f4 text text
-f5 text text
-f6 text text
-f7 text text
-f8 text text
-f9 text text
-f10 text text
-f11 text text -D
-f12 hex hex
-f13 hex hex
-f14 text text
-f15 text text
-f16 text text
-f17 hex hex
-f18 text text
-f19 text text fr_statemax=3
-f20 text text
-i1 text ipf
-i2 text ipf
-i3 text ipf
-i4 text ipf
-i5 text ipf
-i6 text ipf
-i7 text ipf
-i8 text ipf
-i9 text ipf
-i10 text ipf
-i11 text ipf
-i12 text ipf
-i13 text ipf
-i14 text ipf
-i15 text ipf
-i16 text ipf
-i17 text ipftest
-i18 text ipf
-i19 text ipf
-i20 text ipf
-i21 text ipf
-in1 text text
-in2 text text
-in3 text text
-in4 text text
-in5 text text
-in6 text text
-ip1 text text
-ip2 text text
-ipv6.1 hex hex
-ipv6.2 hex hex
-ipv6.3 hex hex
-ipv6.5 hex hex
-l1 hex hex
-n1 text text
-n2 text text
-n3 text text
-n4 text text
-n5 text text
-n6 text text
-n7 text text
-n8 hex hex fr_update_ipid=0
-n9 hex hex fr_update_ipid=0
-n10 hex hex fr_update_ipid=0
-n11 text text
-n12 hex hex fr_update_ipid=0
-n13 text text
-n14 text text
-ni1 hex hex fr_update_ipid=1
-ni2 hex hex fr_update_ipid=1
-ni3 hex hex fr_update_ipid=1
-ni4 hex hex fr_update_ipid=1
-ni5 hex hex fr_update_ipid=1
-ni6 hex hex fr_update_ipid=1
-ni7 hex hex fr_update_ipid=1
-ni8 hex hex fr_update_ipid=1
-ni9 hex hex fr_update_ipid=1
-ni10 hex hex fr_update_ipid=1
-ni11 hex hex fr_update_ipid=1
-ni12 hex hex fr_update_ipid=1
-ni13 hex hex fr_update_ipid=1
-ni14 hex hex fr_update_ipid=1
-ni15 hex hex fr_update_ipid=1
-ni16 hex hex fr_update_ipid=1
-ni19 hex hex fr_update_ipid=0
-ni20 hex hex fr_update_ipid=0
-ni21 text text
-ni23 text text -D
-p1 text text
-p2 text text
-p3 text text
-p4 text text
-p5 text text
-n16 hex hex -D
-f24 hex text
-ipv6.6 hex text
diff --git a/contrib/ipfilter/test/test.sed b/contrib/ipfilter/test/test.sed
deleted file mode 100644
index 3ce0cb1..0000000
--- a/contrib/ipfilter/test/test.sed
+++ /dev/null
@@ -1,6 +0,0 @@
- Ç . Ä..0þ CVSGexpected0ÇinputDG$regress
- 
-.cvsignore
-!Makefile
-"dotest
-#hextest
diff --git a/contrib/ipfilter/test/vfycksum.pl b/contrib/ipfilter/test/vfycksum.pl
deleted file mode 100755
index b3a20be..0000000
--- a/contrib/ipfilter/test/vfycksum.pl
+++ /dev/null
@@ -1,294 +0,0 @@
-
-#
-# validate the IPv4 header checksum.
-# $bytes[] is an array of 16bit values, with $cnt elements in the array.
-#
-sub dump {
- print "\n";
- for ($i = 0; $i < $#bytes; $i++) {
- printf "%04x ", $bytes[$i];
- }
- print "\n";
-}
-
-sub dosum {
- local($seed) = $_[0];
- local($start) = $_[1];
- local($max) = $_[2];
- local($idx) = $start;
- local($lsum) = $seed;
-
- for ($idx = $start, $lsum = $seed; $idx < $max; $idx++) {
- $lsum += $bytes[$idx];
- }
- $lsum = ($lsum & 0xffff) + ($lsum >> 16);
- $lsum = ~$lsum & 0xffff;
- return $lsum;
-}
-
-sub ipv4check {
- local($base) = $_[0];
- $hl = $bytes[$base] / 256;
- return if (($hl >> 4) != 4); # IPv4 ?
- $hl &= 0xf;
- $hl <<= 1; # get the header length in 16bit words
-
- $hs = &dosum(0, $base, $base + $hl);
- $osum = $bytes[$base + 5];
-
- if ($hs != 0) {
- $bytes[$base + 5] = 0;
- $hs2 = &dosum(0, $base, $base + $hl);
- $bytes[$base + 5] = $osum;
- printf " IP: ($hl,%x) %x != %x", $hs, $osum, $hs2;
- } else {
- print " IP($base): ok ";
- }
-
- #
- # Recognise TCP & UDP and calculate checksums for each of these.
- #
- if (($bytes[$base + 4] & 0xff) == 6) {
- &tcpcheck($base);
- }
-
- if (($bytes[$base + 4] & 0xff) == 17) {
- &udpcheck($base);
- }
-
- if (($bytes[$base + 4] & 0xff) == 1) {
- &icmpcheck($base);
- }
- if ($base == 0) {
- print "\n";
- }
-}
-
-sub tcpcheck {
- local($base) = $_[0];
- local($hl) = $bytes[$base] / 256;
- return if (($hl >> 4) != 4);
- return if ($bytes[$base + 3] & 0x1fff);
- $hl &= 0xf;
- $hl <<= 1;
-
- local($hs2);
- local($hs) = 6; # TCP
- local($len) = $bytes[$base + 1] - ($hl << 1);
- $hs += $len;
- $hs += $bytes[$base + 6]; # source address
- $hs += $bytes[$base + 7];
- $hs += $bytes[$base + 8]; # destination address
- $hs += $bytes[$base + 9];
- local($tcpsum) = $hs;
-
- local($thl) = $bytes[$base + $hl + 6] >> 8;
- $thl &= 0xf0;
- $thl >>= 2;
-
- $x = $bytes[$base + 1];
- $y = ($cnt - $base) * 2;
- $z = 0;
- if ($bytes[$base + 1] > ($cnt - $base) * 2) {
- print "[cnt=$cnt base=$base]";
- $x = $bytes[$base + 1];
- $y = ($cnt - $base) * 2;
- $z = 1;
- } elsif (($cnt - $base) * 2 < $hl + 20) {
- $x = ($cnt - $base) * 2;
- $y = $hl + 20;
- $z = 2;
- } elsif (($cnt - $base) * 2 < $hl + $thl) {
- $x = ($cnt - $base) * 2;
- $y = $hl + $thl;
- $z = 3;
- } elsif ($len < $thl) {
- $x = ($cnt - $base) * 2;
- $y = $len;
- $z = 4;
- }
-
- if ($z) {
- print " TCP: missing data($x $y $z) $hl";
-# &dump();
- return;
- }
-
- local($tcpat) = $base + $hl;
- $hs = &dosum($tcpsum, $tcpat, $cnt);
- if ($hs != 0) {
- local($osum) = $bytes[$tcpat + 8];
- $bytes[$base + $hl + 8] = 0;
- $hs2 = &dosum($tcpsum, $tcpat, $cnt);
- $bytes[$tcpat + 8] = $osum;
- printf " TCP: (%x) %x != %x", $hs, $osum, $hs2;
- } else {
- print " TCP: ok ($x $y)";
- }
-}
-
-sub udpcheck {
- local($base) = $_[0];
- local($hl) = $bytes[0] / 256;
- return if (($hl >> 4) != 4);
- return if ($bytes[3] & 0x1fff);
- $hl &= 0xf;
- $hl <<= 1;
-
- local($hs2);
- local($hs) = 17; # UDP
- local($len) = $bytes[$base + 1] - ($hl << 1);
- $hs += $len;
- $hs += $bytes[$base + 6]; # source address
- $hs += $bytes[$base + 7];
- $hs += $bytes[$base + 8]; # destination address
- $hs += $bytes[$base + 9];
- local($udpsum) = $hs;
-
- if ($bytes[$base + 1] > ($cnt - $base) * 2) {
- print " UDP: missing data(1)";
- return;
- } elsif ($bytes[$base + 1] < ($hl << 1) + 8) {
- print " UDP: missing data(2)";
- return;
- } elsif (($cnt - $base) * 2 < ($hl << 1) + 8) {
- print " UDP: missing data(3)";
- return;
- }
-
- local($udpat) = $base + $hl;
- $hs = &dosum($udpsum, $udpat, $cnt);
- local($osum) = $bytes[$udpat + 3];
-
- #
- # It is valid for UDP packets to have a 0 checksum field.
- # If it is 0, then display what it would otherwise be.
- #
- if ($osum == 0) {
- printf " UDP: => %x", $hs;
- } elsif ($hs != 0) {
- $bytes[$udpat + 3] = 0;
- $hs2 = &dosum($udpsum, $udpat, $cnt);
- $bytes[$udpat + 3] = $osum;
- printf " UDP: (%x) %x != %x", $hs, $osum, $hs2;
- } else {
- print " UDP: ok";
- }
-}
-
-sub icmpcheck {
- local($base) = $_[0];
- local($hl) = $bytes[$base + 0] / 256;
- return if (($hl >> 4) != 4);
- return if ($bytes[3] & 0x1fff);
- $hl &= 0xf;
- $hl <<= 1;
-
- local($hs);
- local($hs2);
-
- local($len) = $bytes[$base + 1] - ($hl << 1);
-
- if ($bytes[$base + 1] > ($cnt - $base) * 2) {
- print " ICMP: missing data(1)";
- return;
- } elsif ($bytes[$base + 1] < ($hl << 1) + 8) {
- print " ICMP: missing data(2)";
- return;
- } elsif (($cnt - $base) * 2 < ($hl << 1) + 8) {
- print " ICMP: missing data(3)";
- return;
- }
-
- local($osum) = $bytes[$base + $hl + 1];
- $bytes[$base + $hl + 1] = 0;
- $hs2 = &dosum(0, $base + $hl, $cnt);
- $bytes[$base + $hl + 1] = $osum;
-
- if ($osum != $hs2) {
- printf " ICMP: (%x) %x != %x", $hs, $osum, $hs2;
- } else {
- print " ICMP: ok";
- }
- if ($base == 0) {
- $type = $bytes[$hl] >> 8;
- if ($type == 3 || $type == 4 || $type == 5 ||
- $type == 11 || $type == 12) {
- &ipv4check($hl + 4);
- }
- }
-}
-
-while ($#ARGV >= 0) {
- open(I, "$ARGV[0]") || die $!;
- print "--- $ARGV[0] ---\n";
- $multi = 0;
- while (<I>) {
- chop;
- s/#.*//g;
-
- #
- # If the first non-comment, non-empty line of input starts
- # with a '[', then allow the input to be a multi-line hex
- # string, otherwise it has to be all on one line.
- #
- if (/^\[/) {
- $multi=1;
- s/^\[[^]]*\]//g;
-
- }
- s/^ *//g;
- if (length == 0) {
- next if ($cnt == 0);
- &ipv4check(0);
- $cnt = 0;
- $multi = 0;
- next;
- }
-
- #
- # look for 16 bits, represented with leading 0's as required,
- # in hex.
- #
- s/\t/ /g;
- while (/^[0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F] .*/) {
- s/^([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F]) (.*)/$1$2 $3/;
- }
- while (/.* [0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F] .*/) {
-$b=$_;
- s/(.*?) ([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F]) (.*)/$1 $2$3 $4/g;
- }
- if (/.* [0-9a-fA-F][0-9a-fA-F] [0-9a-fA-F][0-9a-fA-F]/) {
-$b=$_;
- s/(.*?) ([0-9a-fA-F][0-9a-fA-F]) ([0-9a-fA-F][0-9a-fA-F])/$1 $2$3/g;
- }
- while (/^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F].*/) {
- $x = $_;
- $x =~ s/([0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]).*/$1/;
- $x =~ s/ *//g;
- $y = hex $x;
- s/[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F] *(.*)/$1/;
- $bytes[$cnt] = $y;
-#print "bytes[$cnt] = $x\n";
- $cnt++;
- }
-
- #
- # Pick up stragler bytes.
- #
- if (/^[0-9a-fA-F][0-9a-fA-F]/) {
- $y = hex $_;
- $bytes[$cnt++] = $y * 256;
- }
- if ($multi == 0 && $cnt > 0) {
- &ipv4check(0);
- $cnt = 0;
- }
- }
-
- if ($cnt > 0) {
- &ipv4check(0);
- }
- close(I);
- shift(@ARGV);
-}
diff --git a/contrib/ipfilter/todo b/contrib/ipfilter/todo
deleted file mode 100644
index 5b2c059..0000000
--- a/contrib/ipfilter/todo
+++ /dev/null
@@ -1,98 +0,0 @@
-BUGS:
------
-* fix "to <ifname>" bug on FreeBSD 2.2.8
-fastroute works
-
-===============================================================================
-GENERAL:
---------
-
-* support redirection like "rdr tun0 0/32 port 80 ..."
-
-* use fr_tcpstate() with NAT code for increased NAT usage security or even
- fr_checkstate() - suspect this is not possible.
-
-* add another alias for <thishost> for interfaces <thisif>? as well as
- all IP#'s associated with the box <myaddrs>?
-
-time permitting:
-
-* load balancing across interfaces
-
-* record buffering for TCP/UDP
-
-* modular application proxying
--done
-
-* allow multiple ip addresses in a source route list for ipsend
-
-* port IP Filter to Linux
-Not in this century.
-
-* document bimap
-
-* document NAT rule order processing
-
-* add more docs
-in progress
-
-3.4:
-XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
-traffic priorization) should be *TOP* in the TO DO list.
-
-* Bandwidth limiting!!!
-maybe for solaris, otherwise "ALTQ"
-* More examples
-* More documentation
-* Load balancing features added to the NAT code, so that I can have
-something coming in for 20.20.20.20:80 and it gets shuffled around between
-internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
-- done, stage 1 (round robin/split)
-The one thing that Cisco's PIX has on IPF that I can see is that
-rewrites the sequence numbers with semi-random ones.
-- done
-
-I would also love to see a more extensive NAT. It can choose to do
-rdr and map based on saddr, daddr, sport and dport. (Does the kernel
-module already have functionality for that and it just needs support in
-the userland ipnat?)
--sort of done
-
- * intrusion detection
- detection of port scans
- detection of multiple connection attempts
-
- * support for multiple log files
- i.e. all connections to ftp and telnet logged to
- a seperate log file
-
- * multiple levels of log severity with E-mail notification
- of intrusion alerts or other high priority errors
-
- * poison pill facility
- after detection of a port scan, start sending back
- large packets of garbage or other packets to
- otherwise confuse the intruder (ping of death?)
-
-IPv6:
------
-* NAT is yet not available, either as a null proxy or address translation
-
-BSD:
-* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
-
-Solaris:
-* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
-
-Tru64:
-------
-* IPv6 checksum calculation for RST's and ICMP packets is not done (there
- are routines in the Tru64 kernel to do this but what is the interface?)
-
-does bimap allow equal sized subnets?
-
-make return-icmp 'intelligent' if no type is given about what type to use?
-
-reply-to - enforce packets to pass through interfaces in particular
-combinations - opposite to "to", set reverse path interface
-
diff --git a/contrib/ipfilter/tools/BNF.ipf b/contrib/ipfilter/tools/BNF.ipf
deleted file mode 100644
index 0e84332..0000000
--- a/contrib/ipfilter/tools/BNF.ipf
+++ /dev/null
@@ -1,80 +0,0 @@
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-pps = "pps" decnumber .
-
-onif = "on" interface-name [ "out-via" interface-name ] .
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" object "to" object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-loglevel = facility"."priority | priority .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
- "mbcast" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | "routerad" |
- "routersol" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
diff --git a/contrib/ipfilter/tools/BNF.ipnat b/contrib/ipfilter/tools/BNF.ipnat
deleted file mode 100644
index 69ed8a2..0000000
--- a/contrib/ipfilter/tools/BNF.ipnat
+++ /dev/null
@@ -1,28 +0,0 @@
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname ipmask "->" ipmask [ mapport | mapicmpid ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport | mapicmpid ] .
-mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
-
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
-mapicmpid ::= "icmpidmap" icmp idnumber ":" idnumber .
-options ::= [ tcpudp ] [ rr ] .
-
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-
-rr ::= "round-robin" .
-tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
-idnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
diff --git a/contrib/ipfilter/tools/Makefile b/contrib/ipfilter/tools/Makefile
deleted file mode 100644
index 43ec1a8..0000000
--- a/contrib/ipfilter/tools/Makefile
+++ /dev/null
@@ -1,107 +0,0 @@
-#
-# Copyright (C) 1993-2001 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-DEST=.
-
-all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \
- $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c \
- $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c \
- $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c \
- $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c \
- $(DEST)/ipf_l.h $(DEST)/ipnat_l.h $(DEST)/ipscan_l.h \
- $(DEST)/ippool_l.h $(DEST)/ipmon_l.h
-
-$(DEST)/ipf_y.h: $(DEST)/ipf_y.c
-
-$(DEST)/ipf_y.c: ipf_y.y
- yacc -d ipf_y.y
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \
- -e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \
- y.tab.c > $(DEST)/ipf_y.c
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' y.tab.h > $(DEST)/ipf_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipf_l.c: lexer.c
- sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \
- -e 's/lexer.h/ipf_l.h/' lexer.c > $@
-
-$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c
-
-$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y
- yacc -d ipmon_y.y
- sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \
- y.tab.c > $(DEST)/ipmon_y.c
- sed -e 's/yy/ipmon_yy/g' y.tab.h > $(DEST)/ipmon_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipmon_l.c: lexer.c
- sed -e 's/yy/ipmon_yy/g' -e 's/y.tab.h/ipmon_y.h/' \
- -e 's/lexer.h/ipmon_l.h/' lexer.c > $@
-
-$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c
-
-$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y
- yacc -d ipscan_y.y
- sed -e 's/yy/ipscan_yy/g' \
- -e 's/"ipscan_y.y"/"..\/tools\/ipscan_y.y"/' \
- y.tab.c > $(DEST)/ipscan_y.c
- sed -e 's/yy/ipscan_yy/g' y.tab.h > $(DEST)/ipscan_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipscan_l.c: lexer.c
- sed -e 's/yy/ipscan_yy/g' -e 's/y.tab.h/ipscan_y.h/' \
- -e 's/lexer.h/ipscan_l.h/' lexer.c > $@
-
-$(DEST)/ippool_y.h: $(DEST)/ippool_y.c
-
-$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y
- yacc -d ippool_y.y
- sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \
- y.tab.c > $(DEST)/ippool_y.c
- sed -e 's/yy/ippool_yy/g' y.tab.h > $(DEST)/ippool_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ippool_l.c: lexer.c
- sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \
- -e 's/lexer.h/ippool_l.h/' lexer.c > $@
-
-$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c
-
-$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y
- yacc -d ipnat_y.y
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \
- -e s/\"ipnat_y.y\"/\"..\\/tools\\/ipnat_y.y\"/ \
- y.tab.c > $(DEST)/ipnat_y.c
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \
- y.tab.h > $(DEST)/ipnat_y.h
- /bin/rm -f y.tab.c y.tab.h
-
-$(DEST)/ipnat_l.c: lexer.c
- sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \
- -e 's/lexer.h/ipnat_l.h/' lexer.c > $@
-
-$(DEST)/ipf_l.h: lexer.h
- sed -e 's/yy/ipf_yy/g' lexer.h > $@
-
-$(DEST)/ipmon_l.h: lexer.h
- sed -e 's/yy/ipmon_yy/g' lexer.h > $@
-
-$(DEST)/ipscan_l.h: lexer.h
- sed -e 's/yy/ipscan_yy/g' lexer.h > $@
-
-$(DEST)/ippool_l.h: lexer.h
- sed -e 's/yy/ippool_yy/g' lexer.h > $@
-
-$(DEST)/ipnat_l.h: lexer.h
- sed -e 's/yy/ipnat_yy/g' lexer.h > $@
-
-clean:
- /bin/rm -f $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c
- /bin/rm -f $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c
- /bin/rm -f $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c
- /bin/rm -f $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c
- /bin/rm -f $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c
- /bin/rm -f $(DEST)/ipf_l.h $(DEST)/ipmon_l.h $(DEST)/ippool_l.h
- /bin/rm -f $(DEST)/ipscan_l.h $(DEST)/ipnat_l.h
diff --git a/contrib/ipfilter/tools/ipf.c b/contrib/ipfilter/tools/ipf.c
deleted file mode 100644
index 063ecf0..0000000
--- a/contrib/ipfilter/tools/ipf.c
+++ /dev/null
@@ -1,568 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include "ipf.h"
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include "netinet/ipl.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.8 2007/05/10 06:12:01 darrenr Exp $";
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-extern frentry_t *frtop;
-
-
-void ipf_frsync __P((void));
-void zerostats __P((void));
-int main __P((int, char *[]));
-
-int opts = 0;
-int outputc = 0;
-int use_inet6 = 0;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static void set_state __P((u_int)), showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
-static int opendevice __P((char *, int));
-static void closedevice __P((void));
-static char *ipfname = IPL_NAME;
-static void usage __P((void));
-static int showversion __P((void));
-static int get_flags __P((void));
-static void ipf_interceptadd __P((int, ioctlfunc_t, void *));
-
-static int fd = -1;
-static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
- ioctl, ioctl, ioctl,
- ioctl, ioctl };
-
-
-static void usage()
-{
- fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n",
- "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
- "[-f filename] [-T <tuneopts>]");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c;
-
- if (argc < 2)
- usage();
-
- while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
- switch (c)
- {
- case '?' :
- usage();
- break;
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'A' :
- opts &= ~OPT_INACTIVE;
- break;
- case 'c' :
- if (strcmp(optarg, "c") == 0)
- outputc = 1;
- break;
- case 'E' :
- set_state((u_int)1);
- break;
- case 'D' :
- set_state((u_int)0);
- break;
- case 'd' :
- opts ^= OPT_DEBUG;
- break;
- case 'f' :
- procfile(argv[0], optarg);
- break;
- case 'F' :
- flushfilter(optarg);
- break;
- case 'I' :
- opts ^= OPT_INACTIVE;
- break;
- case 'l' :
- packetlogon(optarg);
- break;
- case 'n' :
- opts ^= OPT_DONOTHING;
- break;
- case 'o' :
- break;
- case 'P' :
- ipfname = IPAUTH_NAME;
- break;
- case 'R' :
- opts ^= OPT_NORESOLVE;
- break;
- case 'r' :
- opts ^= OPT_REMOVE;
- break;
- case 's' :
- swapactive();
- break;
- case 'T' :
- if (opendevice(ipfname, 1) >= 0)
- ipf_dotuning(fd, optarg, ioctl);
- break;
- case 'v' :
- opts += OPT_VERBOSE;
- break;
- case 'V' :
- if (showversion())
- exit(1);
- break;
- case 'y' :
- ipf_frsync();
- break;
- case 'z' :
- opts ^= OPT_ZERORULEST;
- break;
- case 'Z' :
- zerostats();
- break;
- }
- }
-
- if (optind < 2)
- usage();
-
- if (fd != -1)
- (void) close(fd);
-
- return(0);
- /* NOTREACHED */
-}
-
-
-static int opendevice(ipfdev, check)
-char *ipfdev;
-int check;
-{
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (check && checkrev(ipfname) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- return -2;
- }
-
- if (!ipfdev)
- ipfdev = ipfname;
-
- if (fd == -1)
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-static void closedevice()
-{
- close(fd);
- fd = -1;
-}
-
-
-static int get_flags()
-{
- int i = 0;
-
- if ((opendevice(ipfname, 1) != -2) &&
- (ioctl(fd, SIOCGETFF, &i) == -1)) {
- perror("SIOCGETFF");
- return 0;
- }
- return i;
-}
-
-
-static void set_state(enable)
-u_int enable;
-{
- if (opendevice(ipfname, 0) != -2)
- if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
- fprintf(stderr,
- "IP FIlter: already initialized\n");
- else
- perror("SIOCFRENB");
- }
- return;
-}
-
-
-static void procfile(name, file)
-char *name, *file;
-{
- (void) opendevice(ipfname, 1);
-
- initparse();
-
- ipf_parsefile(fd, ipf_interceptadd, iocfunctions, file);
-
- if (outputc) {
- printC(0);
- printC(1);
- emit(-1, -1, NULL, NULL);
- }
-}
-
-
-static void ipf_interceptadd(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- if (outputc)
- printc(ptr);
-
- ipf_addrule(fd, ioctlfunc, ptr);
-}
-
-
-static void packetlogon(opt)
-char *opt;
-{
- int flag, xfd, logopt, change = 0;
-
- flag = get_flags();
- if (flag != 0) {
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
- }
-
- flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
-
- if (strstr(opt, "pass")) {
- flag |= FF_LOGPASS;
- if (opts & OPT_VERBOSE)
- printf("set log flag: pass\n");
- change = 1;
- }
- if (strstr(opt, "nomatch")) {
- flag |= FF_LOGNOMATCH;
- if (opts & OPT_VERBOSE)
- printf("set log flag: nomatch\n");
- change = 1;
- }
- if (strstr(opt, "block") || index(opt, 'd')) {
- flag |= FF_LOGBLOCK;
- if (opts & OPT_VERBOSE)
- printf("set log flag: block\n");
- change = 1;
- }
- if (strstr(opt, "none")) {
- if (opts & OPT_VERBOSE)
- printf("disable all log flags\n");
- change = 1;
- }
-
- if (change == 1) {
- if (opendevice(ipfname, 1) != -2 &&
- (ioctl(fd, SIOCSETFF, &flag) != 0))
- perror("ioctl(SIOCSETFF)");
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- flag = get_flags();
- printf("log flags are now %#x\n", flag);
- }
-
- if (strstr(opt, "state")) {
- if (opts & OPT_VERBOSE)
- printf("set state log flag\n");
- xfd = open(IPSTATE_NAME, O_RDWR);
- if (xfd >= 0) {
- logopt = 0;
- if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
- else {
- logopt = 1 - logopt;
- if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
- }
- close(xfd);
- }
- }
-
- if (strstr(opt, "nat")) {
- if (opts & OPT_VERBOSE)
- printf("set nat log flag\n");
- xfd = open(IPNAT_NAME, O_RDWR);
- if (xfd >= 0) {
- logopt = 0;
- if (ioctl(xfd, SIOCGETLG, &logopt))
- perror("ioctl(SIOCGETLG)");
- else {
- logopt = 1 - logopt;
- if (ioctl(xfd, SIOCSETLG, &logopt))
- perror("ioctl(SIOCSETLG)");
- }
- close(xfd);
- }
- }
-}
-
-
-static void flushfilter(arg)
-char *arg;
-{
- int fl = 0, rem;
-
- if (!arg || !*arg)
- return;
- if (!strcmp(arg, "s") || !strcmp(arg, "S") || ISDIGIT(*arg)) {
- if (*arg == 'S')
- fl = 0;
- else if (*arg == 's')
- fl = 1;
- else
- fl = atoi(arg);
- rem = fl;
-
- closedevice();
- if (opendevice(IPSTATE_NAME, 1) == -2)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d entries\n", fl);
- }
- closedevice();
- return;
- }
-
-#ifdef SIOCIPFFA
- if (!strcmp(arg, "u")) {
- closedevice();
- /*
- * Flush auth rules and packets
- */
- if (opendevice(IPL_AUTH, 1) == -1)
- perror("open(IPL_AUTH)");
- else {
- if (ioctl(fd, SIOCIPFFA, &fl) == -1)
- perror("ioctl(SIOCIPFFA)");
- }
- closedevice();
- return;
- }
-#endif
-
- if (strchr(arg, 'i') || strchr(arg, 'I'))
- fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
- fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
- fl = FR_OUTQUE|FR_INQUE;
- if (opts & OPT_INACTIVE)
- fl |= FR_INACTIVE;
- rem = fl;
-
- if (opendevice(ipfname, 1) == -2)
- exit(1);
-
- if (!(opts & OPT_DONOTHING)) {
- if (use_inet6) {
- if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
- perror("ioctl(SIOCIPFL6)");
- exit(1);
- }
- } else {
- if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
- perror("ioctl(SIOCIPFFL)");
- exit(1);
- }
- }
- }
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
- (rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
- }
- return;
-}
-
-
-static void swapactive()
-{
- int in = 2;
-
- if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
- perror("ioctl(SIOCSWAPA)");
- else
- printf("Set %d now inactive\n", in);
-}
-
-
-void ipf_frsync()
-{
- int frsyn = 0;
-
- if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
- perror("SIOCFRSYN");
- else
- printf("filter sync'd\n");
-}
-
-
-void zerostats()
-{
- ipfobj_t obj;
- friostat_t fio;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_IPFSTAT;
- obj.ipfo_size = sizeof(fio);
- obj.ipfo_ptr = &fio;
- obj.ipfo_offset = 0;
-
- if (opendevice(ipfname, 1) != -2) {
- if (ioctl(fd, SIOCFRZST, &obj) == -1) {
- perror("ioctl(SIOCFRZST)");
- exit(-1);
- }
- showstats(&fio);
- }
-
-}
-
-
-/*
- * read the kernel stats for packets blocked and passed
- */
-static void showstats(fp)
-friostat_t *fp;
-{
- printf("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
-}
-
-
-static int showversion()
-{
- struct friostat fio;
- ipfobj_t ipfo;
- u_32_t flags;
- char *s;
- int vfd;
-
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_size = sizeof(fio);
- ipfo.ipfo_ptr = (void *)&fio;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
-
- printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
-
- if ((vfd = open(ipfname, O_RDONLY)) == -1) {
- perror("open device");
- return 1;
- }
-
- if (ioctl(vfd, SIOCGETFS, &ipfo)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- return 1;
- }
- close(vfd);
- flags = get_flags();
-
- printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
- (int)sizeof(fio.f_version), fio.f_version);
- printf("Running: %s\n", (fio.f_running > 0) ? "yes" : "no");
- printf("Log Flags: %#x = ", flags);
- s = "";
- if (flags & FF_LOGPASS) {
- printf("pass");
- s = ", ";
- }
- if (flags & FF_LOGBLOCK) {
- printf("%sblock", s);
- s = ", ";
- }
- if (flags & FF_LOGNOMATCH) {
- printf("%snomatch", s);
- s = ", ";
- }
- if (flags & FF_BLOCKNONIP) {
- printf("%snonip", s);
- s = ", ";
- }
- if (!*s)
- printf("none set");
- putchar('\n');
-
- printf("Default: ");
- if (FR_ISPASS(fio.f_defpass))
- s = "pass";
- else if (FR_ISBLOCK(fio.f_defpass))
- s = "block";
- else
- s = "nomatch -> block";
- printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
- printf("Active list: %d\n", fio.f_active);
- printf("Feature mask: %#x\n", fio.f_features);
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipf_y.y b/contrib/ipfilter/tools/ipf_y.y
deleted file mode 100644
index 4156250..0000000
--- a/contrib/ipfilter/tools/ipf_y.y
+++ /dev/null
@@ -1,2197 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include "ipf.h"
-#include <sys/ioctl.h>
-#include <syslog.h>
-#ifdef IPFILTER_BPF
-# include "pcap-bpf.h"
-# define _NET_BPF_H_
-# include <pcap.h>
-#endif
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "netinet/ipl.h"
-#include "ipf_l.h"
-
-#define YYDEBUG 1
-#define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x }
-#define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x }
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-static void newrule __P((void));
-static void setipftype __P((void));
-static u_32_t lookuphost __P((char *));
-static void dobpf __P((int, char *));
-static void resetaddr __P((void));
-static struct alist_s *newalist __P((struct alist_s *));
-static u_int makehash __P((struct alist_s *));
-static int makepool __P((struct alist_s *));
-static frentry_t *addrule __P((void));
-static void setsyslog __P((void));
-static void unsetsyslog __P((void));
-static void fillgroup __P((frentry_t *));
-
-frentry_t *fr = NULL, *frc = NULL, *frtop = NULL, *frold = NULL;
-
-static int ifpflag = 0;
-static int nowith = 0;
-static int dynamic = -1;
-static int pooled = 0;
-static int hashed = 0;
-static int nrules = 0;
-static int newlist = 0;
-static int added = 0;
-static int ipffd = -1;
-static int *yycont = 0;
-static ioctlfunc_t ipfioctl[IPL_LOGSIZE];
-static addfunc_t ipfaddfunc = NULL;
-static struct wordtab ipfwords[95];
-static struct wordtab addrwords[4];
-static struct wordtab maskwords[5];
-static struct wordtab icmpcodewords[17];
-static struct wordtab icmptypewords[16];
-static struct wordtab ipv4optwords[25];
-static struct wordtab ipv4secwords[9];
-static struct wordtab ipv6optwords[9];
-static struct wordtab logwords[33];
-
-%}
-%union {
- char *str;
- u_32_t num;
- struct in_addr ipa;
- frentry_t fr;
- frtuc_t *frt;
- struct alist_s *alist;
- u_short port;
- struct {
- u_short p1;
- u_short p2;
- int pc;
- } pc;
- struct {
- union i6addr a;
- union i6addr m;
- } ipp;
- union i6addr ip6;
- struct {
- char *if1;
- char *if2;
- } ifs;
-};
-
-%type <port> portnum
-%type <num> facility priority icmpcode seclevel secname icmptype
-%type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr
-%type <num> portc porteq
-%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24
-%type <ip6> ipv6mask
-%type <ipp> addr ipaddr
-%type <str> servicename name interfacename
-%type <pc> portrange portcomp
-%type <alist> addrlist poollist
-%type <ifs> onname
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPFY_PASS IPFY_BLOCK IPFY_COUNT IPFY_CALL IPFY_NOMATCH
-%token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST
-%token IPFY_IN IPFY_OUT
-%token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA
-%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO
-%token IPFY_TOS IPFY_TTL IPFY_PROTO
-%token IPFY_HEAD IPFY_GROUP
-%token IPFY_AUTH IPFY_PREAUTH
-%token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK
-%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP
-%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH
-%token IPFY_PPS
-%token IPFY_ESP IPFY_AH
-%token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT
-%token IPFY_TCPUDP IPFY_TCP IPFY_UDP
-%token IPFY_FLAGS IPFY_MULTICAST
-%token IPFY_MASK IPFY_BROADCAST IPFY_NETWORK IPFY_NETMASKED IPFY_PEER
-%token IPFY_PORT
-%token IPFY_NOW
-%token IPFY_ICMP IPFY_ICMPTYPE IPFY_ICMPCODE
-%token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG
-%token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR
-%token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE
-%token IPFY_SYNC IPFY_FRAGBODY
-%token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP
-%token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR
-%token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO
-%token IPFY_IPOPT_SATID IPFY_IPOPT_SSRR IPFY_IPOPT_ADDEXT IPFY_IPOPT_VISA
-%token IPFY_IPOPT_IMITD IPFY_IPOPT_EIP IPFY_IPOPT_FINN IPFY_IPOPT_DPS
-%token IPFY_IPOPT_SDB IPFY_IPOPT_NSAPA IPFY_IPOPT_RTRALRT IPFY_IPOPT_UMP
-%token IPFY_SECCLASS IPFY_SEC_UNC IPFY_SEC_CONF IPFY_SEC_RSV1 IPFY_SEC_RSV2
-%token IPFY_SEC_RSV4 IPFY_SEC_SEC IPFY_SEC_TS IPFY_SEC_RSV3
-
-%token IPF6_V6HDRS IPFY_IPV6OPT IPFY_IPV6OPT_DSTOPTS IPFY_IPV6OPT_HOPOPTS
-%token IPFY_IPV6OPT_IPV6 IPFY_IPV6OPT_NONE IPFY_IPV6OPT_ROUTING
-%token IPFY_IPV6OPT_MOBILITY IPFY_IPV6OPT_ESP IPFY_IPV6OPT_FRAG
-
-%token IPFY_ICMPT_UNR IPFY_ICMPT_ECHO IPFY_ICMPT_ECHOR IPFY_ICMPT_SQUENCH
-%token IPFY_ICMPT_REDIR IPFY_ICMPT_TIMEX IPFY_ICMPT_PARAMP IPFY_ICMPT_TIMEST
-%token IPFY_ICMPT_TIMESTREP IPFY_ICMPT_INFOREQ IPFY_ICMPT_INFOREP
-%token IPFY_ICMPT_MASKREQ IPFY_ICMPT_MASKREP IPFY_ICMPT_ROUTERAD
-%token IPFY_ICMPT_ROUTERSOL
-
-%token IPFY_ICMPC_NETUNR IPFY_ICMPC_HSTUNR IPFY_ICMPC_PROUNR IPFY_ICMPC_PORUNR
-%token IPFY_ICMPC_NEEDF IPFY_ICMPC_SRCFAIL IPFY_ICMPC_NETUNK IPFY_ICMPC_HSTUNK
-%token IPFY_ICMPC_ISOLATE IPFY_ICMPC_NETPRO IPFY_ICMPC_HSTPRO
-%token IPFY_ICMPC_NETTOS IPFY_ICMPC_HSTTOS IPFY_ICMPC_FLTPRO IPFY_ICMPC_HSTPRE
-%token IPFY_ICMPC_CUTPRE
-
-%token IPFY_FAC_KERN IPFY_FAC_USER IPFY_FAC_MAIL IPFY_FAC_DAEMON IPFY_FAC_AUTH
-%token IPFY_FAC_SYSLOG IPFY_FAC_LPR IPFY_FAC_NEWS IPFY_FAC_UUCP IPFY_FAC_CRON
-%token IPFY_FAC_LOCAL0 IPFY_FAC_LOCAL1 IPFY_FAC_LOCAL2 IPFY_FAC_LOCAL3
-%token IPFY_FAC_LOCAL4 IPFY_FAC_LOCAL5 IPFY_FAC_LOCAL6 IPFY_FAC_LOCAL7
-%token IPFY_FAC_SECURITY IPFY_FAC_FTP IPFY_FAC_AUTHPRIV IPFY_FAC_AUDIT
-%token IPFY_FAC_LFMT IPFY_FAC_CONSOLE
-
-%token IPFY_PRI_EMERG IPFY_PRI_ALERT IPFY_PRI_CRIT IPFY_PRI_ERR IPFY_PRI_WARN
-%token IPFY_PRI_NOTICE IPFY_PRI_INFO IPFY_PRI_DEBUG
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: rule { while ((fr = frtop) != NULL) {
- frtop = fr->fr_next;
- fr->fr_next = NULL;
- (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr);
- fr->fr_next = frold;
- frold = fr;
- }
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-xx: { newrule(); }
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-rule: inrule eol
- | outrule eol
- ;
-
-eol: | ';'
- ;
-
-inrule:
- rulehead markin inopts rulemain ruletail intag ruletail2
- ;
-
-outrule:
- rulehead markout outopts rulemain ruletail outtag ruletail2
- ;
-
-rulehead:
- xx collection action
- | xx insert collection action
- ;
-
-markin: IPFY_IN { fr->fr_flags |= FR_INQUE; }
- ;
-
-markout:
- IPFY_OUT { fr->fr_flags |= FR_OUTQUE; }
- ;
-
-rulemain:
- ipfrule
- | bpfrule
- ;
-
-ipfrule:
- tos ttl proto ip
- ;
-
-bpfrule:
- IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); }
- | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); }
- ;
-
-ruletail:
- with keep head group
- ;
-
-ruletail2:
- pps age new
- ;
-
-intag: settagin matchtagin
- ;
-
-outtag: settagout matchtagout
- ;
-
-insert:
- '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; }
- ;
-
-collection:
- | YY_NUMBER { fr->fr_collect = $1; }
- ;
-
-action: block
- | IPFY_PASS { fr->fr_flags |= FR_PASS; }
- | IPFY_NOMATCH { fr->fr_flags |= FR_NOMATCH; }
- | log
- | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; }
- | auth
- | IPFY_SKIP YY_NUMBER { fr->fr_flags |= FR_SKIP;
- fr->fr_arg = $2; }
- | IPFY_CALL func
- | IPFY_CALL IPFY_NOW func { fr->fr_flags |= FR_CALLNOW; }
- ;
-
-block: blocked
- | blocked blockreturn
- ;
-
-blocked:
- IPFY_BLOCK { fr->fr_flags = FR_BLOCK; }
- ;
-blockreturn:
- IPFY_RETICMP { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMP returncode { fr->fr_flags |= FR_RETICMP; }
- | IPFY_RETICMPASDST { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETICMPASDST returncode { fr->fr_flags |= FR_FAKEICMP; }
- | IPFY_RETRST { fr->fr_flags |= FR_RETRST; }
- ;
-
-log: IPFY_LOG { fr->fr_flags |= FR_LOG; }
- | IPFY_LOG logoptions { fr->fr_flags |= FR_LOG; }
- ;
-
-auth: IPFY_AUTH { fr->fr_flags |= FR_AUTH; }
- | IPFY_AUTH blockreturn { fr->fr_flags |= FR_AUTH;}
- | IPFY_PREAUTH { fr->fr_flags |= FR_PREAUTH; }
- ;
-
-func: YY_STR '/' YY_NUMBER { fr->fr_func = nametokva($1,
- ipfioctl[IPL_LOGIPF]);
- fr->fr_arg = $3;
- free($1); }
- ;
-
-inopts:
- | inopts inopt
- ;
-
-inopt:
- logopt
- | quick
- | on
- | dup
- | froute
- | proute
- | replyto
- ;
-
-outopts:
- | outopts outopt
- ;
-
-outopt:
- logopt
- | quick
- | on
- | dup
- | proute
- | replyto
- ;
-
-tos: | settos YY_NUMBER { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos YY_HEX { DOALL(fr->fr_tos = $2; fr->fr_mtos = 0xff;) }
- | settos lstart toslist lend
- ;
-
-settos: IPFY_TOS { setipftype(); }
- ;
-
-toslist:
- YY_NUMBER { DOALL(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | YY_HEX { DOREM(fr->fr_tos = $1; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_NUMBER
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- | toslist lmore YY_HEX
- { DOREM(fr->fr_tos = $3; fr->fr_mtos = 0xff;) }
- ;
-
-ttl: | setttl YY_NUMBER
- { DOALL(fr->fr_ttl = $2; fr->fr_mttl = 0xff;) }
- | setttl lstart ttllist lend
- ;
-
-lstart: '(' { newlist = 1; fr = frc; added = 0; }
- ;
-
-lend: ')' { nrules += added; }
- ;
-
-lmore: lanother { if (newlist == 1) {
- newlist = 0;
- }
- fr = addrule();
- if (yycont != NULL)
- *yycont = 1;
- }
- ;
-
-lanother:
- | ','
- ;
-
-setttl: IPFY_TTL { setipftype(); }
- ;
-
-ttllist:
- YY_NUMBER { DOREM(fr->fr_ttl = $1; fr->fr_mttl = 0xff;) }
- | ttllist lmore YY_NUMBER
- { DOREM(fr->fr_ttl = $3; fr->fr_mttl = 0xff;) }
- ;
-
-proto: | protox protocol { yyresetdict(); }
- ;
-
-protox: IPFY_PROTO { setipftype();
- fr = frc;
- yysetdict(NULL); }
- ;
-
-ip: srcdst flags icmp
- ;
-
-group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \
- FR_GROUPLEN); \
- fillgroup(fr););
- free($2); }
- | IPFY_GROUP YY_NUMBER { DOALL(sprintf(fr->fr_group, "%d", \
- $2); \
- fillgroup(fr);) }
- ;
-
-head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \
- FR_GROUPLEN););
- free($2); }
- | IPFY_HEAD YY_NUMBER { DOALL(sprintf(fr->fr_grhead, "%d", \
- $2);) }
- ;
-
-settagin:
- | IPFY_SETTAG '(' taginlist ')'
- ;
-
-taginlist:
- taginspec
- | taginlist ',' taginspec
- ;
-
-taginspec:
- logtag
- ;
-
-nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\
- $3, IPFTAG_LEN););
- free($3); }
- | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\
- "%d", $3 & 0xffffffff);) }
- ;
-
-logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) }
- ;
-
-settagout:
- | IPFY_SETTAG '(' tagoutlist ')'
- ;
-
-tagoutlist:
- tagoutspec
- | tagoutlist ',' tagoutspec
- ;
-
-tagoutspec:
- logtag
- | nattag
- ;
-
-matchtagin:
- | IPFY_MATCHTAG '(' tagoutlist ')'
- ;
-
-matchtagout:
- | IPFY_MATCHTAG '(' taginlist ')'
- ;
-
-pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) }
- ;
-
-new: | savegroup file restoregroup
- ;
-
-savegroup:
- '{'
- ;
-
-restoregroup:
- '}'
- ;
-
-logopt: log
- ;
-
-quick:
- IPFY_QUICK { fr->fr_flags |= FR_QUICK; }
- ;
-
-on: IPFY_ON onname
- | IPFY_ON lstart onlist lend
- | IPFY_ON onname IPFY_INVIA vianame
- | IPFY_ON onname IPFY_OUTVIA vianame
- ;
-
-onlist: onname { DOREM(strncpy(fr->fr_ifnames[0], $1.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($1.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $1.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- | onlist lmore onname { DOREM(strncpy(fr->fr_ifnames[0], $3.if1, \
- sizeof(fr->fr_ifnames[0])); \
- if ($3.if2 != NULL) { \
- strncpy(fr->fr_ifnames[1], \
- $3.if2, \
- sizeof(fr->fr_ifnames[1]));\
- } \
- ) }
- ;
-
-onname: interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- $$.if2 = NULL;
- free($1);
- }
- | interfacename ',' interfacename
- { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0]));
- $$.if1 = fr->fr_ifnames[0];
- free($1);
- strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1]));
- $$.if1 = fr->fr_ifnames[1];
- free($3);
- }
- ;
-
-vianame:
- name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- }
- | name ',' name
- { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2]));
- free($1);
- strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3]));
- free($3);
- }
- ;
-
-dup: IPFY_DUPTO name
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- free($2);
- }
- | IPFY_DUPTO name duptoseparator hostname
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- fr->fr_dif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
- }
- | IPFY_DUPTO name duptoseparator YY_IPV6
- { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname));
- bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-duptoseparator:
- ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); }
- ;
-
-froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; }
- ;
-
-proute: routeto name
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- free($2);
- }
- | routeto name duptoseparator hostname
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- fr->fr_tif.fd_ip = $4;
- yyexpectaddr = 0;
- free($2);
- }
- | routeto name duptoseparator YY_IPV6
- { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname));
- bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6));
- yyexpectaddr = 0;
- free($2);
- }
- ;
-
-routeto:
- IPFY_TO
- | IPFY_ROUTETO
- ;
-
-replyto:
- IPFY_REPLY_TO name
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- free($2);
- }
- | IPFY_REPLY_TO name duptoseparator hostname
- { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname));
- fr->fr_rif.fd_ip = $4;
- free($2);
- }
- ;
-
-logoptions:
- logoption
- | logoptions logoption
- ;
-
-logoption:
- IPFY_BODY { fr->fr_flags |= FR_LOGBODY; }
- | IPFY_FIRST { fr->fr_flags |= FR_LOGFIRST; }
- | IPFY_ORBLOCK { fr->fr_flags |= FR_LOGORBLOCK; }
- | level loglevel { unsetsyslog(); }
- ;
-
-returncode:
- starticmpcode icmpcode ')' { fr->fr_icode = $2; yyresetdict(); }
- ;
-
-starticmpcode:
- '(' { yysetdict(icmpcodewords); }
- ;
-
-srcdst: | IPFY_ALL
- | fromto
- ;
-
-protocol:
- YY_NUMBER { DOREM(fr->fr_proto = $1; \
- fr->fr_mproto = 0xff;) }
- | YY_STR { if (!strcmp($1, "tcp-udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else {
- int p = getproto($1);
- if (p == -1)
- yyerror("protocol unknown");
- DOREM(fr->fr_proto = p; \
- fr->fr_mproto = 0xff;)
- }
- free($1);
- }
- | YY_STR nextstring YY_STR
- { if (!strcmp($1, "tcp") &&
- !strcmp($3, "udp")) {
- DOREM(fr->fr_flx |= FI_TCPUDP; \
- fr->fr_mflx |= FI_TCPUDP;)
- } else
- YYERROR;
- free($1);
- free($3);
- }
- ;
-
-nextstring:
- '/' { yysetdict(NULL); }
- ;
-
-fromto: from srcobject to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | to dstobject { yyexpectaddr = 0; yycont = NULL; }
- | from srcobject { yyexpectaddr = 0; yycont = NULL; }
- ;
-
-from: IPFY_FROM { setipftype();
- if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr(); }
- ;
-
-to: IPFY_TO { if (fr == NULL)
- fr = frc;
- yyexpectaddr = 1;
- if (yydebug)
- printf("set yyexpectaddr\n");
- yycont = &yyexpectaddr;
- yysetdict(addrwords);
- resetaddr(); }
- ;
-
-with: | andwith withlist
- ;
-
-andwith:
- IPFY_WITH { nowith = 0; setipftype(); }
- | IPFY_AND { nowith = 0; setipftype(); }
- ;
-
-flags: | startflags flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags flagset '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags '/' flagset
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) }
- | startflags '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) }
- | startflags YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags flagset '/' YY_NUMBER
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- | startflags YY_NUMBER '/' flagset
- { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) }
- ;
-
-startflags:
- IPFY_FLAGS { if (frc->fr_type != FR_T_IPF)
- yyerror("flags with non-ipf type rule");
- if (frc->fr_proto != IPPROTO_TCP)
- yyerror("flags with non-TCP rule");
- }
- ;
-
-flagset:
- YY_STR { $$ = tcpflags($1); free($1); }
- | YY_HEX { $$ = $1; }
- ;
-
-srcobject:
- { yyresetdict(); } fromport
- | srcaddr srcport
- | '!' srcaddr srcport
- { DOALL(fr->fr_flags |= FR_NOTSRCIP;) }
- ;
-
-srcaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- | lstart srcaddrlist lend
- ;
-
-srcaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_src, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_src, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- | srcaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_src, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_src, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_satype = ifpflag; \
- fr->fr_ipf->fri_sifpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_satype = FRI_LOOKUP;)
- }
- ;
-
-srcport:
- | portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-fromport:
- portcomp
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_scmp = $1.pc; fr->fr_sport = $1.p1; \
- fr->fr_stop = $1.p2;) }
- | porteq lstart srcportlist lend
- { yyresetdict(); }
- ;
-
-srcportlist:
- portnum { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $1; \
- fr->fr_stop = $3;) }
- | srcportlist lmore portnum
- { DOREM(fr->fr_scmp = FR_EQUAL; fr->fr_sport = $3;) }
- | srcportlist lmore portnum ':' portnum
- { DOREM(fr->fr_scmp = FR_INCRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- | srcportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_scmp = FR_INRANGE; fr->fr_sport = $3; \
- fr->fr_stop = $5;) }
- ;
-
-dstobject:
- { yyresetdict(); } toport
- | dstaddr dstport
- | '!' dstaddr dstport
- { DOALL(fr->fr_flags |= FR_NOTDSTIP;) }
- ;
-
-dstaddr:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- | lstart dstaddrlist lend
- ;
-
-dstaddrlist:
- addr { DOREM(bcopy(&($1.a), &fr->fr_ip.fi_dst, sizeof($1.a)); \
- bcopy(&($1.m), &fr->fr_mip.fi_dst, sizeof($1.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- | dstaddrlist lmore addr
- { DOREM(bcopy(&($3.a), &fr->fr_ip.fi_dst, sizeof($3.a)); \
- bcopy(&($3.m), &fr->fr_mip.fi_dst, sizeof($3.m)); \
- if (dynamic != -1) { \
- fr->fr_datype = ifpflag; \
- fr->fr_ipf->fri_difpidx = dynamic; \
- } else if (pooled || hashed) \
- fr->fr_datype = FRI_LOOKUP;)
- }
- ;
-
-
-dstport:
- | portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-toport:
- portcomp
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1;) }
- | portrange
- { DOALL(fr->fr_dcmp = $1.pc; fr->fr_dport = $1.p1; \
- fr->fr_dtop = $1.p2;) }
- | porteq lstart dstportlist lend
- { yyresetdict(); }
- ;
-
-dstportlist:
- portnum { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $1;) }
- | portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $1; \
- fr->fr_dtop = $3;) }
- | dstportlist lmore portnum
- { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) }
- | dstportlist lmore portnum ':' portnum
- { DOREM(fr->fr_dcmp = FR_INCRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- | dstportlist lmore portnum YY_RANGE_IN portnum
- { DOREM(fr->fr_dcmp = FR_INRANGE; fr->fr_dport = $3; \
- fr->fr_dtop = $5;) }
- ;
-
-addr: pool '/' YY_NUMBER { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | pool '/' YY_STR { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
- }
- | pool '=' '(' poollist ')' { pooled = 1;
- $$.a.iplookuptype = IPLT_POOL;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makepool($4); }
- | hash '/' YY_NUMBER { hashed = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = $3; }
- | hash '/' YY_STR { pooled = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 1;
- strncpy($$.a.iplookupname, $3,
- sizeof($$.a.iplookupname));
- }
- | hash '=' '(' addrlist ')' { hashed = 1;
- $$.a.iplookuptype = IPLT_HASH;
- $$.a.iplookupsubtype = 0;
- $$.a.iplookupnum = makehash($4); }
- | ipaddr { bcopy(&$1, &$$, sizeof($$));
- yyexpectaddr = 0; }
- ;
-
-ipaddr: IPFY_ANY { bzero(&($$), sizeof($$));
- yyresetdict();
- yyexpectaddr = 0; }
- | hostname { $$.a.in4 = $1;
- $$.m.in4_addr = 0xffffffff;
- yyexpectaddr = 0; }
- | hostname { yyresetdict();
- $$.a.in4_addr = $1.s_addr; }
- maskspace { yysetdict(maskwords); }
- ipv4mask { $$.m.in4_addr = $5.s_addr;
- $$.a.in4_addr &= $5.s_addr;
- yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a));
- fill6bits(128, (u_32_t *)&$$.m);
- yyresetdict();
- yyexpectaddr = 0; }
- | YY_IPV6 { yyresetdict();
- bcopy(&$1, &$$.a, sizeof($$.a)); }
- maskspace { yysetdict(maskwords); }
- ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m));
- yyresetdict();
- yyexpectaddr = 0; }
- ;
-maskspace:
- '/'
- | IPFY_MASK
- ;
-
-ipv4mask:
- ipv4 { $$ = $1; }
- | YY_HEX { $$.s_addr = htonl($1); }
- | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_NETWORK;
- } else
- YYERROR;
- }
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_NETMASKED;
- } else
- YYERROR;
- }
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- $$.s_addr = 0;
- ifpflag = FRI_PEERADDR;
- } else
- YYERROR;
- }
- ;
-
-ipv6mask:
- YY_NUMBER { ntomask(6, $1, $$.i6); }
- | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETWORK { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_NETMASKED { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- | IPFY_PEER { if (ifpflag == FRI_DYNAMIC) {
- bzero(&$$, sizeof($$));
- ifpflag = FRI_BROADCAST;
- } else
- YYERROR;
- }
- ;
-
-hostname:
- ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = $1; }
- | YY_HEX { $$.s_addr = $1; }
- | YY_STR { $$.s_addr = lookuphost($1);
- free($1);
- }
- ;
-
-addrlist:
- ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | addrlist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
- ;
-
-pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); }
- ;
-
-poollist:
- ipaddr { $$ = newalist(NULL);
- bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a));
- bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); }
- | '!' ipaddr { $$ = newalist(NULL);
- $$->al_not = 1;
- bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a));
- bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); }
- | poollist ',' ipaddr
- { $$ = newalist($1);
- bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a));
- bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); }
- | poollist ',' '!' ipaddr
- { $$ = newalist($1);
- $$->al_not = 1;
- bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a));
- bcopy(&($4.m), &($$->al_i6mask), sizeof($4.m)); }
- ;
-
-port: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- }
- ;
-
-portc: port compare { $$ = $2;
- yysetdict(NULL); }
- | porteq { $$ = $1; }
- ;
-
-porteq: port '=' { $$ = FR_EQUAL;
- yysetdict(NULL); }
- ;
-
-portr: IPFY_PORT { yyexpectaddr = 0;
- yycont = NULL;
- yysetdict(NULL); }
- ;
-
-portcomp:
- portc portnum { $$.pc = $1;
- $$.p1 = $2;
- yyresetdict(); }
- ;
-
-portrange:
- portr portnum range portnum { $$.p1 = $2;
- $$.pc = $3;
- $$.p2 = $4;
- yyresetdict(); }
- ;
-
-icmp: | itype icode
- ;
-
-itype: seticmptype icmptype
- { DOALL(fr->fr_icmp = htons($2 << 8); fr->fr_icmpm = htons(0xff00););
- yyresetdict();
- }
- | seticmptype lstart typelist lend { yyresetdict(); }
- ;
-
-seticmptype:
- IPFY_ICMPTYPE { setipftype();
- yysetdict(icmptypewords); }
- ;
-
-icode: | seticmpcode icmpcode
- { DOALL(fr->fr_icmp |= htons($2); fr->fr_icmpm |= htons(0xff););
- yyresetdict();
- }
- | seticmpcode lstart codelist lend { yyresetdict(); }
- ;
-
-seticmpcode:
- IPFY_ICMPCODE { yysetdict(icmpcodewords); }
- ;
-
-typelist:
- icmptype
- { DOREM(fr->fr_icmp = htons($1 << 8); fr->fr_icmpm = htons(0xff00);) }
- | typelist lmore icmptype
- { DOREM(fr->fr_icmp = htons($3 << 8); fr->fr_icmpm = htons(0xff00);) }
- ;
-
-codelist:
- icmpcode
- { DOREM(fr->fr_icmp |= htons($1); fr->fr_icmpm |= htons(0xff);) }
- | codelist lmore icmpcode
- { DOREM(fr->fr_icmp &= htons(0xff00); fr->fr_icmp |= htons($3); \
- fr->fr_icmpm |= htons(0xff);) }
- ;
-
-age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- ;
-
-keep: | IPFY_KEEP keepstate keep
- | IPFY_KEEP keepfrag keep
- ;
-
-keepstate:
- IPFY_STATE stateoptlist { DOALL(fr->fr_flags |= FR_KEEPSTATE;)}
- ;
-
-keepfrag:
- IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) }
- ;
-
-fragoptlist:
- | '(' fragopts ')'
- ;
-
-fragopts:
- fragopt lanother fragopts
- | fragopt
- ;
-
-fragopt:
- IPFY_STRICT { DOALL(fr->fr_flags |= FR_FRSTRICT;) }
- ;
-
-stateoptlist:
- | '(' stateopts ')'
- ;
-
-stateopts:
- stateopt lanother stateopts
- | stateopt
- ;
-
-stateopt:
- IPFY_LIMIT YY_NUMBER { DOALL(fr->fr_statemax = $2;) }
- | IPFY_STRICT { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else \
- fr->fr_flags |= FR_STSTRICT;)
- }
- | IPFY_NEWISN { DOALL(if (fr->fr_proto != IPPROTO_TCP) { \
- YYERROR; \
- } else \
- fr->fr_flags |= FR_NEWISN;)
- }
- | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) }
-
- | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) }
- | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $2;) }
- | IPFY_AGE YY_NUMBER '/' YY_NUMBER
- { DOALL(fr->fr_age[0] = $2; \
- fr->fr_age[1] = $4;) }
- ;
-
-portnum:
- servicename { if (getport(frc, $1, &($$)) == -1)
- yyerror("service unknown");
- $$ = ntohs($$);
- free($1);
- }
- | YY_NUMBER { if ($1 > 65535) /* Unsigned */
- yyerror("invalid port number");
- else
- $$ = $1;
- }
- ;
-
-withlist:
- withopt { nowith = 0; }
- | withlist withopt { nowith = 0; }
- | withlist ',' withopt { nowith = 0; }
- ;
-
-withopt:
- opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) }
- | notwith opttype { DOALL(fr->fr_mflx |= $2;) }
- | ipopt ipopts { yyresetdict(); }
- | notwith ipopt ipopts { yyresetdict(); }
- | startv6hdrs ipv6hdrs { yyresetdict(); }
- ;
-
-ipopt: IPFY_OPT { yysetdict(ipv4optwords); }
- ;
-
-startv6hdrs:
- IPF6_V6HDRS { if (use_inet6 == 0)
- yyerror("only available with IPv6");
- yysetdict(ipv6optwords);
- }
- ;
-
-notwith:
- IPFY_NOT { nowith = 1; }
- | IPFY_NO { nowith = 1; }
- ;
-
-opttype:
- IPFY_IPOPTS { $$ = FI_OPTIONS; }
- | IPFY_SHORT { $$ = FI_SHORT; }
- | IPFY_NAT { $$ = FI_NATED; }
- | IPFY_BAD { $$ = FI_BAD; }
- | IPFY_BADNAT { $$ = FI_BADNAT; }
- | IPFY_BADSRC { $$ = FI_BADSRC; }
- | IPFY_LOWTTL { $$ = FI_LOWTTL; }
- | IPFY_FRAG { $$ = FI_FRAG; }
- | IPFY_FRAGBODY { $$ = FI_FRAGBODY; }
- | IPFY_FRAGS { $$ = FI_FRAG; }
- | IPFY_MBCAST { $$ = FI_MBCAST; }
- | IPFY_MULTICAST { $$ = FI_MULTICAST; }
- | IPFY_BROADCAST { $$ = FI_BROADCAST; }
- | IPFY_STATE { $$ = FI_STATE; }
- | IPFY_OOW { $$ = FI_OOW; }
- ;
-
-ipopts: optlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-optlist:
- opt { $$ |= $1; }
- | optlist ',' opt { $$ |= $1 | $3; }
- ;
-
-ipv6hdrs:
- ipv6hdrlist { DOALL(fr->fr_mip.fi_optmsk |= $1;
- if (!nowith)
- fr->fr_ip.fi_optmsk |= $1;)
- }
- ;
-
-ipv6hdrlist:
- ipv6hdr { $$ |= $1; }
- | ipv6hdrlist ',' ipv6hdr { $$ |= $1 | $3; }
- ;
-
-secname:
- seclevel { $$ |= $1; }
- | secname ',' seclevel { $$ |= $1 | $3; }
- ;
-
-seclevel:
- IPFY_SEC_UNC { $$ = secbit(IPSO_CLASS_UNCL); }
- | IPFY_SEC_CONF { $$ = secbit(IPSO_CLASS_CONF); }
- | IPFY_SEC_RSV1 { $$ = secbit(IPSO_CLASS_RES1); }
- | IPFY_SEC_RSV2 { $$ = secbit(IPSO_CLASS_RES2); }
- | IPFY_SEC_RSV3 { $$ = secbit(IPSO_CLASS_RES3); }
- | IPFY_SEC_RSV4 { $$ = secbit(IPSO_CLASS_RES4); }
- | IPFY_SEC_SEC { $$ = secbit(IPSO_CLASS_SECR); }
- | IPFY_SEC_TS { $$ = secbit(IPSO_CLASS_TOPS); }
- ;
-
-icmptype:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPT_UNR { $$ = ICMP_UNREACH; }
- | IPFY_ICMPT_ECHO { $$ = ICMP_ECHO; }
- | IPFY_ICMPT_ECHOR { $$ = ICMP_ECHOREPLY; }
- | IPFY_ICMPT_SQUENCH { $$ = ICMP_SOURCEQUENCH; }
- | IPFY_ICMPT_REDIR { $$ = ICMP_REDIRECT; }
- | IPFY_ICMPT_TIMEX { $$ = ICMP_TIMXCEED; }
- | IPFY_ICMPT_PARAMP { $$ = ICMP_PARAMPROB; }
- | IPFY_ICMPT_TIMEST { $$ = ICMP_TSTAMP; }
- | IPFY_ICMPT_TIMESTREP { $$ = ICMP_TSTAMPREPLY; }
- | IPFY_ICMPT_INFOREQ { $$ = ICMP_IREQ; }
- | IPFY_ICMPT_INFOREP { $$ = ICMP_IREQREPLY; }
- | IPFY_ICMPT_MASKREQ { $$ = ICMP_MASKREQ; }
- | IPFY_ICMPT_MASKREP { $$ = ICMP_MASKREPLY; }
- | IPFY_ICMPT_ROUTERAD { $$ = ICMP_ROUTERADVERT; }
- | IPFY_ICMPT_ROUTERSOL { $$ = ICMP_ROUTERSOLICIT; }
- ;
-
-icmpcode:
- YY_NUMBER { $$ = $1; }
- | IPFY_ICMPC_NETUNR { $$ = ICMP_UNREACH_NET; }
- | IPFY_ICMPC_HSTUNR { $$ = ICMP_UNREACH_HOST; }
- | IPFY_ICMPC_PROUNR { $$ = ICMP_UNREACH_PROTOCOL; }
- | IPFY_ICMPC_PORUNR { $$ = ICMP_UNREACH_PORT; }
- | IPFY_ICMPC_NEEDF { $$ = ICMP_UNREACH_NEEDFRAG; }
- | IPFY_ICMPC_SRCFAIL { $$ = ICMP_UNREACH_SRCFAIL; }
- | IPFY_ICMPC_NETUNK { $$ = ICMP_UNREACH_NET_UNKNOWN; }
- | IPFY_ICMPC_HSTUNK { $$ = ICMP_UNREACH_HOST_UNKNOWN; }
- | IPFY_ICMPC_ISOLATE { $$ = ICMP_UNREACH_ISOLATED; }
- | IPFY_ICMPC_NETPRO { $$ = ICMP_UNREACH_NET_PROHIB; }
- | IPFY_ICMPC_HSTPRO { $$ = ICMP_UNREACH_HOST_PROHIB; }
- | IPFY_ICMPC_NETTOS { $$ = ICMP_UNREACH_TOSNET; }
- | IPFY_ICMPC_HSTTOS { $$ = ICMP_UNREACH_TOSHOST; }
- | IPFY_ICMPC_FLTPRO { $$ = ICMP_UNREACH_ADMIN_PROHIBIT; }
- | IPFY_ICMPC_HSTPRE { $$ = 14; }
- | IPFY_ICMPC_CUTPRE { $$ = 15; }
- ;
-
-opt:
- IPFY_IPOPT_NOP { $$ = getoptbyvalue(IPOPT_NOP); }
- | IPFY_IPOPT_RR { $$ = getoptbyvalue(IPOPT_RR); }
- | IPFY_IPOPT_ZSU { $$ = getoptbyvalue(IPOPT_ZSU); }
- | IPFY_IPOPT_MTUP { $$ = getoptbyvalue(IPOPT_MTUP); }
- | IPFY_IPOPT_MTUR { $$ = getoptbyvalue(IPOPT_MTUR); }
- | IPFY_IPOPT_ENCODE { $$ = getoptbyvalue(IPOPT_ENCODE); }
- | IPFY_IPOPT_TS { $$ = getoptbyvalue(IPOPT_TS); }
- | IPFY_IPOPT_TR { $$ = getoptbyvalue(IPOPT_TR); }
- | IPFY_IPOPT_SEC { $$ = getoptbyvalue(IPOPT_SECURITY); }
- | IPFY_IPOPT_LSRR { $$ = getoptbyvalue(IPOPT_LSRR); }
- | IPFY_IPOPT_ESEC { $$ = getoptbyvalue(IPOPT_E_SEC); }
- | IPFY_IPOPT_CIPSO { $$ = getoptbyvalue(IPOPT_CIPSO); }
- | IPFY_IPOPT_SATID { $$ = getoptbyvalue(IPOPT_SATID); }
- | IPFY_IPOPT_SSRR { $$ = getoptbyvalue(IPOPT_SSRR); }
- | IPFY_IPOPT_ADDEXT { $$ = getoptbyvalue(IPOPT_ADDEXT); }
- | IPFY_IPOPT_VISA { $$ = getoptbyvalue(IPOPT_VISA); }
- | IPFY_IPOPT_IMITD { $$ = getoptbyvalue(IPOPT_IMITD); }
- | IPFY_IPOPT_EIP { $$ = getoptbyvalue(IPOPT_EIP); }
- | IPFY_IPOPT_FINN { $$ = getoptbyvalue(IPOPT_FINN); }
- | IPFY_IPOPT_DPS { $$ = getoptbyvalue(IPOPT_DPS); }
- | IPFY_IPOPT_SDB { $$ = getoptbyvalue(IPOPT_SDB); }
- | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); }
- | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); }
- | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); }
- | setsecclass secname
- { DOALL(fr->fr_mip.fi_secmsk |= $2;
- if (!nowith)
- fr->fr_ip.fi_secmsk |= $2;)
- $$ = 0;
- yyresetdict();
- }
- ;
-
-setsecclass:
- IPFY_SECCLASS { yysetdict(ipv4secwords); }
- ;
-
-ipv6hdr:
- IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); }
- | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); }
- | IPFY_IPV6OPT_ESP { $$ = getv6optbyvalue(IPPROTO_ESP); }
- | IPFY_IPV6OPT_HOPOPTS { $$ = getv6optbyvalue(IPPROTO_HOPOPTS); }
- | IPFY_IPV6OPT_IPV6 { $$ = getv6optbyvalue(IPPROTO_IPV6); }
- | IPFY_IPV6OPT_NONE { $$ = getv6optbyvalue(IPPROTO_NONE); }
- | IPFY_IPV6OPT_ROUTING { $$ = getv6optbyvalue(IPPROTO_ROUTING); }
- | IPFY_IPV6OPT_FRAG { $$ = getv6optbyvalue(IPPROTO_FRAGMENT); }
- | IPFY_IPV6OPT_MOBILITY { $$ = getv6optbyvalue(IPPROTO_MOBILITY); }
- ;
-
-level: IPFY_LEVEL { setsyslog(); }
- ;
-
-loglevel:
- priority { fr->fr_loglevel = LOG_LOCAL0|$1; }
- | facility '.' priority { fr->fr_loglevel = $1 | $3; }
- ;
-
-facility:
- IPFY_FAC_KERN { $$ = LOG_KERN; }
- | IPFY_FAC_USER { $$ = LOG_USER; }
- | IPFY_FAC_MAIL { $$ = LOG_MAIL; }
- | IPFY_FAC_DAEMON { $$ = LOG_DAEMON; }
- | IPFY_FAC_AUTH { $$ = LOG_AUTH; }
- | IPFY_FAC_SYSLOG { $$ = LOG_SYSLOG; }
- | IPFY_FAC_LPR { $$ = LOG_LPR; }
- | IPFY_FAC_NEWS { $$ = LOG_NEWS; }
- | IPFY_FAC_UUCP { $$ = LOG_UUCP; }
- | IPFY_FAC_CRON { $$ = LOG_CRON; }
- | IPFY_FAC_FTP { $$ = LOG_FTP; }
- | IPFY_FAC_AUTHPRIV { $$ = LOG_AUTHPRIV; }
- | IPFY_FAC_AUDIT { $$ = LOG_AUDIT; }
- | IPFY_FAC_LFMT { $$ = LOG_LFMT; }
- | IPFY_FAC_LOCAL0 { $$ = LOG_LOCAL0; }
- | IPFY_FAC_LOCAL1 { $$ = LOG_LOCAL1; }
- | IPFY_FAC_LOCAL2 { $$ = LOG_LOCAL2; }
- | IPFY_FAC_LOCAL3 { $$ = LOG_LOCAL3; }
- | IPFY_FAC_LOCAL4 { $$ = LOG_LOCAL4; }
- | IPFY_FAC_LOCAL5 { $$ = LOG_LOCAL5; }
- | IPFY_FAC_LOCAL6 { $$ = LOG_LOCAL6; }
- | IPFY_FAC_LOCAL7 { $$ = LOG_LOCAL7; }
- | IPFY_FAC_SECURITY { $$ = LOG_SECURITY; }
- ;
-
-priority:
- IPFY_PRI_EMERG { $$ = LOG_EMERG; }
- | IPFY_PRI_ALERT { $$ = LOG_ALERT; }
- | IPFY_PRI_CRIT { $$ = LOG_CRIT; }
- | IPFY_PRI_ERR { $$ = LOG_ERR; }
- | IPFY_PRI_WARN { $$ = LOG_WARNING; }
- | IPFY_PRI_NOTICE { $$ = LOG_NOTICE; }
- | IPFY_PRI_INFO { $$ = LOG_INFO; }
- | IPFY_PRI_DEBUG { $$ = LOG_DEBUG; }
- ;
-
-compare:
- YY_CMP_EQ { $$ = FR_EQUAL; }
- | YY_CMP_NE { $$ = FR_NEQUAL; }
- | YY_CMP_LT { $$ = FR_LESST; }
- | YY_CMP_LE { $$ = FR_LESSTE; }
- | YY_CMP_GT { $$ = FR_GREATERT; }
- | YY_CMP_GE { $$ = FR_GREATERTE; }
- ;
-
-range: YY_RANGE_IN { $$ = FR_INRANGE; }
- | YY_RANGE_OUT { $$ = FR_OUTRANGE; }
- | ':' { $$ = FR_INCRANGE; }
- ;
-
-servicename:
- YY_STR { $$ = $1; }
- ;
-
-interfacename: name { $$ = $1; }
- | name ':' YY_NUMBER
- { $$ = $1;
- fprintf(stderr, "%d: Logical interface %s:%d unsupported, "
- "use the physical interface %s instead.\n",
- yylineNum, $1, $3, $1);
- }
- ;
-
-name: YY_STR { $$ = $1; }
- | '-' { $$ = strdup("-"); }
- ;
-
-ipv4_16:
- YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16);
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-
-ipv4_24:
- ipv4_16 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3 << 8);
- }
- ;
-
-ipv4: ipv4_24 '.' YY_NUMBER
- { if ($3 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr |= htonl($3);
- }
- | ipv4_24
- | ipv4_16
- ;
-
-%%
-
-
-static struct wordtab ipfwords[95] = {
- { "age", IPFY_AGE },
- { "ah", IPFY_AH },
- { "all", IPFY_ALL },
- { "and", IPFY_AND },
- { "auth", IPFY_AUTH },
- { "bad", IPFY_BAD },
- { "bad-nat", IPFY_BADNAT },
- { "bad-src", IPFY_BADSRC },
- { "bcast", IPFY_BROADCAST },
- { "block", IPFY_BLOCK },
- { "body", IPFY_BODY },
- { "bpf-v4", IPFY_BPFV4 },
-#ifdef USE_INET6
- { "bpf-v6", IPFY_BPFV6 },
-#endif
- { "call", IPFY_CALL },
- { "code", IPFY_ICMPCODE },
- { "count", IPFY_COUNT },
- { "dup-to", IPFY_DUPTO },
- { "eq", YY_CMP_EQ },
- { "esp", IPFY_ESP },
- { "fastroute", IPFY_FROUTE },
- { "first", IPFY_FIRST },
- { "flags", IPFY_FLAGS },
- { "frag", IPFY_FRAG },
- { "frag-body", IPFY_FRAGBODY },
- { "frags", IPFY_FRAGS },
- { "from", IPFY_FROM },
- { "ge", YY_CMP_GE },
- { "group", IPFY_GROUP },
- { "gt", YY_CMP_GT },
- { "head", IPFY_HEAD },
- { "icmp", IPFY_ICMP },
- { "icmp-type", IPFY_ICMPTYPE },
- { "in", IPFY_IN },
- { "in-via", IPFY_INVIA },
- { "ipopt", IPFY_IPOPTS },
- { "ipopts", IPFY_IPOPTS },
- { "keep", IPFY_KEEP },
- { "le", YY_CMP_LE },
- { "level", IPFY_LEVEL },
- { "limit", IPFY_LIMIT },
- { "log", IPFY_LOG },
- { "lowttl", IPFY_LOWTTL },
- { "lt", YY_CMP_LT },
- { "mask", IPFY_MASK },
- { "match-tag", IPFY_MATCHTAG },
- { "mbcast", IPFY_MBCAST },
- { "mcast", IPFY_MULTICAST },
- { "multicast", IPFY_MULTICAST },
- { "nat", IPFY_NAT },
- { "ne", YY_CMP_NE },
- { "net", IPFY_NETWORK },
- { "newisn", IPFY_NEWISN },
- { "no", IPFY_NO },
- { "no-icmp-err", IPFY_NOICMPERR },
- { "nomatch", IPFY_NOMATCH },
- { "now", IPFY_NOW },
- { "not", IPFY_NOT },
- { "oow", IPFY_OOW },
- { "on", IPFY_ON },
- { "opt", IPFY_OPT },
- { "or-block", IPFY_ORBLOCK },
- { "out", IPFY_OUT },
- { "out-via", IPFY_OUTVIA },
- { "pass", IPFY_PASS },
- { "port", IPFY_PORT },
- { "pps", IPFY_PPS },
- { "preauth", IPFY_PREAUTH },
- { "proto", IPFY_PROTO },
- { "quick", IPFY_QUICK },
- { "reply-to", IPFY_REPLY_TO },
- { "return-icmp", IPFY_RETICMP },
- { "return-icmp-as-dest", IPFY_RETICMPASDST },
- { "return-rst", IPFY_RETRST },
- { "route-to", IPFY_ROUTETO },
- { "sec-class", IPFY_SECCLASS },
- { "set-tag", IPFY_SETTAG },
- { "skip", IPFY_SKIP },
- { "short", IPFY_SHORT },
- { "state", IPFY_STATE },
- { "state-age", IPFY_AGE },
- { "strict", IPFY_STRICT },
- { "sync", IPFY_SYNC },
- { "tcp", IPFY_TCP },
- { "tcp-udp", IPFY_TCPUDP },
- { "tos", IPFY_TOS },
- { "to", IPFY_TO },
- { "ttl", IPFY_TTL },
- { "udp", IPFY_UDP },
- { "v6hdrs", IPF6_V6HDRS },
- { "with", IPFY_WITH },
- { NULL, 0 }
-};
-
-static struct wordtab addrwords[4] = {
- { "any", IPFY_ANY },
- { "hash", IPFY_HASH },
- { "pool", IPFY_POOL },
- { NULL, 0 }
-};
-
-static struct wordtab maskwords[5] = {
- { "broadcast", IPFY_BROADCAST },
- { "netmasked", IPFY_NETMASKED },
- { "network", IPFY_NETWORK },
- { "peer", IPFY_PEER },
- { NULL, 0 }
-};
-
-static struct wordtab icmptypewords[16] = {
- { "echo", IPFY_ICMPT_ECHO },
- { "echorep", IPFY_ICMPT_ECHOR },
- { "inforeq", IPFY_ICMPT_INFOREQ },
- { "inforep", IPFY_ICMPT_INFOREP },
- { "maskrep", IPFY_ICMPT_MASKREP },
- { "maskreq", IPFY_ICMPT_MASKREQ },
- { "paramprob", IPFY_ICMPT_PARAMP },
- { "redir", IPFY_ICMPT_REDIR },
- { "unreach", IPFY_ICMPT_UNR },
- { "routerad", IPFY_ICMPT_ROUTERAD },
- { "routersol", IPFY_ICMPT_ROUTERSOL },
- { "squench", IPFY_ICMPT_SQUENCH },
- { "timest", IPFY_ICMPT_TIMEST },
- { "timestrep", IPFY_ICMPT_TIMESTREP },
- { "timex", IPFY_ICMPT_TIMEX },
- { NULL, 0 },
-};
-
-static struct wordtab icmpcodewords[17] = {
- { "cutoff-preced", IPFY_ICMPC_CUTPRE },
- { "filter-prohib", IPFY_ICMPC_FLTPRO },
- { "isolate", IPFY_ICMPC_ISOLATE },
- { "needfrag", IPFY_ICMPC_NEEDF },
- { "net-prohib", IPFY_ICMPC_NETPRO },
- { "net-tos", IPFY_ICMPC_NETTOS },
- { "host-preced", IPFY_ICMPC_HSTPRE },
- { "host-prohib", IPFY_ICMPC_HSTPRO },
- { "host-tos", IPFY_ICMPC_HSTTOS },
- { "host-unk", IPFY_ICMPC_HSTUNK },
- { "host-unr", IPFY_ICMPC_HSTUNR },
- { "net-unk", IPFY_ICMPC_NETUNK },
- { "net-unr", IPFY_ICMPC_NETUNR },
- { "port-unr", IPFY_ICMPC_PORUNR },
- { "proto-unr", IPFY_ICMPC_PROUNR },
- { "srcfail", IPFY_ICMPC_SRCFAIL },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4optwords[25] = {
- { "addext", IPFY_IPOPT_ADDEXT },
- { "cipso", IPFY_IPOPT_CIPSO },
- { "dps", IPFY_IPOPT_DPS },
- { "e-sec", IPFY_IPOPT_ESEC },
- { "eip", IPFY_IPOPT_EIP },
- { "encode", IPFY_IPOPT_ENCODE },
- { "finn", IPFY_IPOPT_FINN },
- { "imitd", IPFY_IPOPT_IMITD },
- { "lsrr", IPFY_IPOPT_LSRR },
- { "mtup", IPFY_IPOPT_MTUP },
- { "mtur", IPFY_IPOPT_MTUR },
- { "nop", IPFY_IPOPT_NOP },
- { "nsapa", IPFY_IPOPT_NSAPA },
- { "rr", IPFY_IPOPT_RR },
- { "rtralrt", IPFY_IPOPT_RTRALRT },
- { "satid", IPFY_IPOPT_SATID },
- { "sdb", IPFY_IPOPT_SDB },
- { "sec", IPFY_IPOPT_SEC },
- { "ssrr", IPFY_IPOPT_SSRR },
- { "tr", IPFY_IPOPT_TR },
- { "ts", IPFY_IPOPT_TS },
- { "ump", IPFY_IPOPT_UMP },
- { "visa", IPFY_IPOPT_VISA },
- { "zsu", IPFY_IPOPT_ZSU },
- { NULL, 0 },
-};
-
-static struct wordtab ipv4secwords[9] = {
- { "confid", IPFY_SEC_CONF },
- { "reserv-1", IPFY_SEC_RSV1 },
- { "reserv-2", IPFY_SEC_RSV2 },
- { "reserv-3", IPFY_SEC_RSV3 },
- { "reserv-4", IPFY_SEC_RSV4 },
- { "secret", IPFY_SEC_SEC },
- { "topsecret", IPFY_SEC_TS },
- { "unclass", IPFY_SEC_UNC },
- { NULL, 0 },
-};
-
-static struct wordtab ipv6optwords[9] = {
- { "dstopts", IPFY_IPV6OPT_DSTOPTS },
- { "esp", IPFY_IPV6OPT_ESP },
- { "frag", IPFY_IPV6OPT_FRAG },
- { "hopopts", IPFY_IPV6OPT_HOPOPTS },
- { "ipv6", IPFY_IPV6OPT_IPV6 },
- { "mobility", IPFY_IPV6OPT_MOBILITY },
- { "none", IPFY_IPV6OPT_NONE },
- { "routing", IPFY_IPV6OPT_ROUTING },
- { NULL, 0 },
-};
-
-static struct wordtab logwords[33] = {
- { "kern", IPFY_FAC_KERN },
- { "user", IPFY_FAC_USER },
- { "mail", IPFY_FAC_MAIL },
- { "daemon", IPFY_FAC_DAEMON },
- { "auth", IPFY_FAC_AUTH },
- { "syslog", IPFY_FAC_SYSLOG },
- { "lpr", IPFY_FAC_LPR },
- { "news", IPFY_FAC_NEWS },
- { "uucp", IPFY_FAC_UUCP },
- { "cron", IPFY_FAC_CRON },
- { "ftp", IPFY_FAC_FTP },
- { "authpriv", IPFY_FAC_AUTHPRIV },
- { "audit", IPFY_FAC_AUDIT },
- { "logalert", IPFY_FAC_LFMT },
- { "console", IPFY_FAC_CONSOLE },
- { "security", IPFY_FAC_SECURITY },
- { "local0", IPFY_FAC_LOCAL0 },
- { "local1", IPFY_FAC_LOCAL1 },
- { "local2", IPFY_FAC_LOCAL2 },
- { "local3", IPFY_FAC_LOCAL3 },
- { "local4", IPFY_FAC_LOCAL4 },
- { "local5", IPFY_FAC_LOCAL5 },
- { "local6", IPFY_FAC_LOCAL6 },
- { "local7", IPFY_FAC_LOCAL7 },
- { "emerg", IPFY_PRI_EMERG },
- { "alert", IPFY_PRI_ALERT },
- { "crit", IPFY_PRI_CRIT },
- { "err", IPFY_PRI_ERR },
- { "warn", IPFY_PRI_WARN },
- { "notice", IPFY_PRI_NOTICE },
- { "info", IPFY_PRI_INFO },
- { "debug", IPFY_PRI_DEBUG },
- { NULL, 0 },
-};
-
-
-
-
-int ipf_parsefile(fd, addfunc, iocfuncs, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-char *filename;
-{
- FILE *fp = NULL;
- char *s;
-
- yylineNum = 1;
- yysettab(ipfwords);
-
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (fp == NULL) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ipf_parsesome(fd, addfunc, iocfuncs, fp) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ipf_parsesome(fd, addfunc, iocfuncs, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t *iocfuncs;
-FILE *fp;
-{
- char *s;
- int i;
-
- ipffd = fd;
- for (i = 0; i <= IPL_LOGMAX; i++)
- ipfioctl[i] = iocfuncs[i];
- ipfaddfunc = addfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == 0)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static void newrule()
-{
- frentry_t *frn;
-
- frn = (frentry_t *)calloc(1, sizeof(frentry_t));
- for (fr = frtop; fr != NULL && fr->fr_next != NULL; fr = fr->fr_next)
- ;
- if (fr != NULL)
- fr->fr_next = frn;
- if (frtop == NULL)
- frtop = frn;
- fr = frn;
- frc = frn;
- fr->fr_loglevel = 0xffff;
- fr->fr_isc = (void *)-1;
- fr->fr_logtag = FR_NOLOGTAG;
- fr->fr_type = FR_T_NONE;
- if (use_inet6 != 0)
- fr->fr_v = 6;
- else
- fr->fr_v = 4;
-
- nrules = 1;
-}
-
-
-static void setipftype()
-{
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type == FR_T_NONE) {
- fr->fr_type = FR_T_IPF;
- fr->fr_data = (void *)calloc(sizeof(fripf_t), 1);
- fr->fr_dsize = sizeof(fripf_t);
- fr->fr_ip.fi_v = frc->fr_v;
- fr->fr_mip.fi_v = 0xf;
- fr->fr_ipf->fri_sifpidx = -1;
- fr->fr_ipf->fri_difpidx = -1;
- }
- if (fr->fr_type != FR_T_IPF) {
- fprintf(stderr, "IPF Type not set\n");
- }
- }
-}
-
-
-static frentry_t *addrule()
-{
- frentry_t *f, *f1, *f2;
- int count;
-
- for (f2 = frc; f2->fr_next != NULL; f2 = f2->fr_next)
- ;
-
- count = nrules;
- f = f2;
- for (f1 = frc; count > 0; count--, f1 = f1->fr_next) {
- f->fr_next = (frentry_t *)calloc(sizeof(*f), 1);
- added++;
- f = f->fr_next;
- bcopy(f1, f, sizeof(*f));
- f->fr_next = NULL;
- if (f->fr_caddr != NULL) {
- f->fr_caddr = malloc(f->fr_dsize);
- bcopy(f1->fr_caddr, f->fr_caddr, f->fr_dsize);
- }
- }
-
- return f2->fr_next;
-}
-
-
-static u_32_t lookuphost(name)
-char *name;
-{
- u_32_t addr;
- int i;
-
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-
- for (i = 0; i < 4; i++) {
- if (strncmp(name, frc->fr_ifnames[i],
- sizeof(frc->fr_ifnames[i])) == 0) {
- ifpflag = FRI_DYNAMIC;
- dynamic = i;
- return 0;
- }
- }
-
- if (gethost(name, &addr) == -1) {
- fprintf(stderr, "unknown name \"%s\"\n", name);
- return 0;
- }
- return addr;
-}
-
-
-static void dobpf(v, phrase)
-int v;
-char *phrase;
-{
-#ifdef IPFILTER_BPF
- struct bpf_program bpf;
- struct pcap *p;
-#endif
- fakebpf_t *fb;
- u_32_t l;
- char *s;
- int i;
-
- for (fr = frc; fr != NULL; fr = fr->fr_next) {
- if (fr->fr_type != FR_T_NONE) {
- fprintf(stderr, "cannot mix IPF and BPF matching\n");
- return;
- }
- fr->fr_v = v;
- fr->fr_type = FR_T_BPFOPC;
-
- if (!strncmp(phrase, "0x", 2)) {
- fb = malloc(sizeof(fakebpf_t));
-
- for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL;
- s = strtok(NULL, " \r\n\t"), i++) {
- fb = realloc(fb, (i / 4 + 1) * sizeof(*fb));
- l = (u_32_t)strtol(s, NULL, 0);
- switch (i & 3)
- {
- case 0 :
- fb[i / 4].fb_c = l & 0xffff;
- break;
- case 1 :
- fb[i / 4].fb_t = l & 0xff;
- break;
- case 2 :
- fb[i / 4].fb_f = l & 0xff;
- break;
- case 3 :
- fb[i / 4].fb_k = l;
- break;
- }
- }
- if ((i & 3) != 0) {
- fprintf(stderr,
- "Odd number of bytes in BPF code\n");
- exit(1);
- }
- i--;
- fr->fr_dsize = (i / 4 + 1) * sizeof(*fb);
- fr->fr_data = fb;
- return;
- }
-
-#ifdef IPFILTER_BPF
- bzero((char *)&bpf, sizeof(bpf));
- p = pcap_open_dead(DLT_RAW, 1);
- if (!p) {
- fprintf(stderr, "pcap_open_dead failed\n");
- return;
- }
-
- if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) {
- pcap_perror(p, "ipf");
- pcap_close(p);
- fprintf(stderr, "pcap parsing failed (%s)\n", phrase);
- return;
- }
- pcap_close(p);
-
- fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn);
- fr->fr_data = malloc(fr->fr_dsize);
- bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize);
- if (!bpf_validate(fr->fr_data, bpf.bf_len)) {
- fprintf(stderr, "BPF validation failed\n");
- return;
- }
-#endif
- }
-
-#ifdef IPFILTER_BPF
- if (opts & OPT_DEBUG)
- bpf_dump(&bpf, 0);
-#else
- fprintf(stderr, "BPF filter expressions not supported\n");
- exit(1);
-#endif
-}
-
-
-static void resetaddr()
-{
- hashed = 0;
- pooled = 0;
- dynamic = -1;
-}
-
-
-static alist_t *newalist(ptr)
-alist_t *ptr;
-{
- alist_t *al;
-
- al = malloc(sizeof(*al));
- if (al == NULL)
- return NULL;
- al->al_not = 0;
- al->al_next = ptr;
- return al;
-}
-
-
-static int makepool(list)
-alist_t *list;
-{
- ip_pool_node_t *n, *top;
- ip_pool_t pool;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipn_addr.adf_addr.in4.s_addr = a->al_1;
- n->ipn_mask.adf_addr.in4.s_addr = a->al_2;
- n->ipn_info = a->al_not;
- if (a->al_next != NULL) {
- n->ipn_next = calloc(1, sizeof(*n));
- n = n->ipn_next;
- }
- }
-
- bzero((char *)&pool, sizeof(pool));
- pool.ipo_unit = IPL_LOGIPF;
- pool.ipo_list = top;
- num = load_pool(&pool, ipfioctl[IPL_LOGLOOKUP]);
-
- while ((n = top) != NULL) {
- top = n->ipn_next;
- free(n);
- }
- return num;
-}
-
-
-static u_int makehash(list)
-alist_t *list;
-{
- iphtent_t *n, *top;
- iphtable_t iph;
- alist_t *a;
- int num;
-
- if (list == NULL)
- return 0;
- top = calloc(1, sizeof(*top));
- if (top == NULL)
- return 0;
-
- for (n = top, a = list; (n != NULL) && (a != NULL); a = a->al_next) {
- n->ipe_addr.in4_addr = a->al_1;
- n->ipe_mask.in4_addr = a->al_2;
- n->ipe_value = 0;
- if (a->al_next != NULL) {
- n->ipe_next = calloc(1, sizeof(*n));
- n = n->ipe_next;
- }
- }
-
- bzero((char *)&iph, sizeof(iph));
- iph.iph_unit = IPL_LOGIPF;
- iph.iph_type = IPHASH_LOOKUP;
- *iph.iph_name = '\0';
-
- if (load_hash(&iph, top, ipfioctl[IPL_LOGLOOKUP]) == 0)
- sscanf(iph.iph_name, "%u", &num);
- else
- num = 0;
-
- while ((n = top) != NULL) {
- top = n->ipe_next;
- free(n);
- }
- return num;
-}
-
-
-void ipf_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- ioctlcmd_t add, del;
- frentry_t *fr;
- ipfobj_t obj;
-
- if (ptr == NULL)
- return;
-
- fr = ptr;
- add = 0;
- del = 0;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*fr);
- obj.ipfo_type = IPFOBJ_FRENTRY;
- obj.ipfo_ptr = ptr;
-
- if ((opts & OPT_DONOTHING) != 0)
- fd = -1;
-
- if (opts & OPT_ZERORULEST) {
- add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- del = SIOCRMAFR;
- }
-
- if ((opts & OPT_OUTQUE) != 0)
- fr->fr_flags |= FR_OUTQUE;
- if (fr->fr_hits)
- fr->fr_hits--;
- if ((opts & OPT_VERBOSE) != 0)
- printfr(fr, ioctlfunc);
-
- if ((opts & OPT_DEBUG) != 0) {
- binprint(fr, sizeof(*fr));
- if (fr->fr_data != NULL)
- binprint(fr->fr_data, fr->fr_dsize);
- }
-
- if ((opts & OPT_ZERORULEST) != 0) {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
- }
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr, ioctlfunc);
- }
- } else if ((opts & OPT_REMOVE) != 0) {
- if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) != 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete rule)");
- }
- }
- } else {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if (!(opts & OPT_DONOTHING)) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert rule)");
- }
- }
- }
-}
-
-static void setsyslog()
-{
- yysetdict(logwords);
- yybreakondot = 1;
-}
-
-
-static void unsetsyslog()
-{
- yyresetdict();
- yybreakondot = 0;
-}
-
-
-static void fillgroup(fr)
-frentry_t *fr;
-{
- frentry_t *f;
-
- for (f = frold; f != NULL; f = f->fr_next)
- if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0)
- break;
- if (f == NULL)
- return;
-
- /*
- * Only copy down matching fields if the rules are of the same type
- * and are of ipf type. The only fields that are copied are those
- * that impact the rule parsing itself, eg. need for knowing what the
- * protocol should be for rules with port comparisons in them.
- */
- if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF)
- return;
-
- if (fr->fr_v == 0 && f->fr_v != 0)
- fr->fr_v = f->fr_v;
-
- if (fr->fr_mproto == 0 && f->fr_mproto != 0)
- fr->fr_mproto = f->fr_mproto;
- if (fr->fr_proto == 0 && f->fr_proto != 0)
- fr->fr_proto = f->fr_proto;
-
- if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) &&
- ((f->fr_flx & FI_TCPUDP) != 0))
- fr->fr_flx |= FI_TCPUDP;
-}
diff --git a/contrib/ipfilter/tools/ipfcomp.c b/contrib/ipfilter/tools/ipfcomp.c
deleted file mode 100644
index aa25c77..0000000
--- a/contrib/ipfilter/tools/ipfcomp.c
+++ /dev/null
@@ -1,1358 +0,0 @@
-/*
- * Copyright (C) 2001-2005 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.7 2007/05/01 22:15:00 darrenr Exp $";
-#endif
-
-#include "ipf.h"
-
-
-typedef struct {
- int c;
- int e;
- int n;
- int p;
- int s;
-} mc_t;
-
-
-static char *portcmp[] = { "*", "==", "!=", "<", ">", "<=", ">=", "**", "***" };
-static int count = 0;
-
-int intcmp __P((const void *, const void *));
-static void indent __P((FILE *, int));
-static void printeq __P((FILE *, char *, int, int, int));
-static void printipeq __P((FILE *, char *, int, int, int));
-static void addrule __P((FILE *, frentry_t *));
-static void printhooks __P((FILE *, int, int, frgroup_t *));
-static void emitheader __P((frgroup_t *, u_int, u_int));
-static void emitGroup __P((int, int, void *, frentry_t *, char *,
- u_int, u_int));
-static void emittail __P((void));
-static void printCgroup __P((int, frentry_t *, mc_t *, char *));
-
-#define FRC_IFN 0
-#define FRC_V 1
-#define FRC_P 2
-#define FRC_FL 3
-#define FRC_TOS 4
-#define FRC_TTL 5
-#define FRC_SRC 6
-#define FRC_DST 7
-#define FRC_TCP 8
-#define FRC_SP 9
-#define FRC_DP 10
-#define FRC_OPT 11
-#define FRC_SEC 12
-#define FRC_ATH 13
-#define FRC_ICT 14
-#define FRC_ICC 15
-#define FRC_MAX 16
-
-
-static FILE *cfile = NULL;
-
-/*
- * This is called once per filter rule being loaded to emit data structures
- * required.
- */
-void printc(fr)
-frentry_t *fr;
-{
- fripf_t *ipf;
- u_long *ulp;
- char *and;
- FILE *fp;
- int i;
-
- if (fr->fr_v != 4)
- return;
- if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
- return;
- if ((fr->fr_type == FR_T_IPF) &&
- ((fr->fr_datype != FRI_NORMAL) || (fr->fr_satype != FRI_NORMAL)))
- return;
- ipf = fr->fr_ipf;
-
- if (cfile == NULL)
- cfile = fopen("ip_rules.c", "w");
- if (cfile == NULL)
- return;
- fp = cfile;
- if (count == 0) {
- fprintf(fp, "/*\n");
- fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
- fprintf(fp, "*\n");
- fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
- fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
- fprintf(fp, "* to the original author and the contributors.\n");
- fprintf(fp, "*/\n\n");
-
- fprintf(fp, "#include <sys/param.h>\n");
- fprintf(fp, "#include <sys/types.h>\n");
- fprintf(fp, "#include <sys/time.h>\n");
- fprintf(fp, "#include <sys/socket.h>\n");
- fprintf(fp, "#if (__FreeBSD_version >= 40000)\n");
- fprintf(fp, "# if defined(_KERNEL)\n");
- fprintf(fp, "# include <sys/libkern.h>\n");
- fprintf(fp, "# else\n");
- fprintf(fp, "# include <sys/unistd.h>\n");
- fprintf(fp, "# endif\n");
- fprintf(fp, "#endif\n");
- fprintf(fp, "#if (__NetBSD_Version__ >= 399000000)\n");
- fprintf(fp, "#else\n");
- fprintf(fp, "# if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
- fprintf(fp, "# include <sys/systm.h>\n");
- fprintf(fp, "# endif\n");
- fprintf(fp, "#endif\n");
- fprintf(fp, "#include <sys/errno.h>\n");
- fprintf(fp, "#include <sys/param.h>\n");
- fprintf(fp,
-"#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux)\n");
- fprintf(fp, "# include <sys/mbuf.h>\n");
- fprintf(fp, "#endif\n");
- fprintf(fp,
-"#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
- fprintf(fp, "# include <sys/sockio.h>\n");
- fprintf(fp, "#else\n");
- fprintf(fp, "# include <sys/ioctl.h>\n");
- fprintf(fp, "#endif /* FreeBSD */\n");
- fprintf(fp, "#include <net/if.h>\n");
- fprintf(fp, "#include <netinet/in.h>\n");
- fprintf(fp, "#include <netinet/in_systm.h>\n");
- fprintf(fp, "#include <netinet/ip.h>\n");
- fprintf(fp, "#include <netinet/tcp.h>\n");
- fprintf(fp, "#include \"netinet/ip_compat.h\"\n");
- fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n");
- fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n");
- fprintf(fp, "#ifndef _KERNEL\n");
- fprintf(fp, "# include <string.h>\n");
- fprintf(fp, "#endif /* _KERNEL */\n");
- fprintf(fp, "\n");
- fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
- }
-
- addrule(fp, fr);
- fr->fr_type |= FR_T_BUILTIN;
- and = "";
- fr->fr_ref = 1;
- i = sizeof(*fr);
- if (i & -(1 - sizeof(*ulp)))
- i += sizeof(u_long);
- for (i /= sizeof(u_long), ulp = (u_long *)fr; i > 0; i--) {
- fprintf(fp, "%s%#lx", and, *ulp++);
- and = ", ";
- }
- fprintf(fp, "\n};\n");
- fr->fr_type &= ~FR_T_BUILTIN;
-
- count++;
-
- fflush(fp);
-}
-
-
-static frgroup_t *groups = NULL;
-
-
-static void addrule(fp, fr)
-FILE *fp;
-frentry_t *fr;
-{
- frentry_t *f, **fpp;
- frgroup_t *g;
- u_long *ulp;
- char *and;
- int i;
-
- f = (frentry_t *)malloc(sizeof(*f));
- bcopy((char *)fr, (char *)f, sizeof(*fr));
- if (fr->fr_ipf) {
- f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf));
- bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf,
- sizeof(*fr->fr_ipf));
- }
-
- f->fr_next = NULL;
- for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
- (g->fg_flags == (f->fr_flags & FR_INOUT)))
- break;
-
- if (g == NULL) {
- g = (frgroup_t *)calloc(1, sizeof(*g));
- g->fg_next = groups;
- groups = g;
- g->fg_head = f;
- bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
- g->fg_ref = 0;
- g->fg_flags = f->fr_flags & FR_INOUT;
- }
-
- for (fpp = &g->fg_start; *fpp != NULL; )
- fpp = &((*fpp)->fr_next);
- *fpp = f;
-
- if (fr->fr_dsize > 0) {
- fprintf(fp, "\
-static u_long ipf%s_rule_data_%s_%u[] = {\n",
- f->fr_flags & FR_INQUE ? "in" : "out",
- g->fg_name, g->fg_ref);
- and = "";
- i = fr->fr_dsize;
- ulp = fr->fr_data;
- for (i /= sizeof(u_long); i > 0; i--) {
- fprintf(fp, "%s%#lx", and, *ulp++);
- and = ", ";
- }
- fprintf(fp, "\n};\n");
- }
-
- fprintf(fp, "\nstatic u_long %s_rule_%s_%d[] = {\n",
- f->fr_flags & FR_INQUE ? "in" : "out", g->fg_name, g->fg_ref);
-
- g->fg_ref++;
-
- if (f->fr_grhead != 0) {
- for (g = groups; g != NULL; g = g->fg_next)
- if ((strncmp(g->fg_name, f->fr_grhead,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == (f->fr_flags & FR_INOUT))
- break;
- if (g == NULL) {
- g = (frgroup_t *)calloc(1, sizeof(*g));
- g->fg_next = groups;
- groups = g;
- g->fg_head = f;
- bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
- g->fg_ref = 0;
- g->fg_flags = f->fr_flags & FR_INOUT;
- }
- }
-}
-
-
-int intcmp(c1, c2)
-const void *c1, *c2;
-{
- const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
-
- if (i1->n == i2->n) {
- return i1->c - i2->c;
- }
- return i2->n - i1->n;
-}
-
-
-static void indent(fp, in)
-FILE *fp;
-int in;
-{
- for (; in; in--)
- fputc('\t', fp);
-}
-
-static void printeq(fp, var, m, max, v)
-FILE *fp;
-char *var;
-int m, max, v;
-{
- if (m == max)
- fprintf(fp, "%s == %#x) {\n", var, v);
- else
- fprintf(fp, "(%s & %#x) == %#x) {\n", var, m, v);
-}
-
-/*
- * Parameters: var - IP# being compared
- * fl - 0 for positive match, 1 for negative match
- * m - netmask
- * v - required address
- */
-static void printipeq(fp, var, fl, m, v)
-FILE *fp;
-char *var;
-int fl, m, v;
-{
- if (m == 0xffffffff)
- fprintf(fp, "%s ", var);
- else
- fprintf(fp, "(%s & %#x) ", var, m);
- fprintf(fp, "%c", fl ? '!' : '=');
- fprintf(fp, "= %#x) {\n", v);
-}
-
-
-void emit(num, dir, v, fr)
-int num, dir;
-void *v;
-frentry_t *fr;
-{
- u_int incnt, outcnt;
- frgroup_t *g;
- frentry_t *f;
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if (dir == 0 || dir == -1) {
- if ((g->fg_flags & FR_INQUE) == 0)
- continue;
- for (incnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- incnt++;
- emitGroup(num, dir, v, fr, g->fg_name, incnt, 0);
- }
- if (dir == 1 || dir == -1) {
- if ((g->fg_flags & FR_OUTQUE) == 0)
- continue;
- for (outcnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- outcnt++;
- emitGroup(num, dir, v, fr, g->fg_name, 0, outcnt);
- }
- }
-
- if (num == -1 && dir == -1) {
- for (g = groups; g != NULL; g = g->fg_next) {
- if ((g->fg_flags & FR_INQUE) != 0) {
- for (incnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- incnt++;
- if (incnt > 0)
- emitheader(g, incnt, 0);
- }
- if ((g->fg_flags & FR_OUTQUE) != 0) {
- for (outcnt = 0, f = g->fg_start; f != NULL;
- f = f->fr_next)
- outcnt++;
- if (outcnt > 0)
- emitheader(g, 0, outcnt);
- }
- }
- emittail();
- fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
- }
-
-}
-
-
-static void emitheader(grp, incount, outcount)
-frgroup_t *grp;
-u_int incount, outcount;
-{
- static FILE *fph = NULL;
- frgroup_t *g;
-
- if (fph == NULL) {
- fph = fopen("ip_rules.h", "w");
- if (fph == NULL)
- return;
-
- fprintf(fph, "extern int ipfrule_add __P((void));\n");
- fprintf(fph, "extern int ipfrule_remove __P((void));\n");
- }
-
- printhooks(cfile, incount, outcount, grp);
-
- if (incount) {
- fprintf(fph, "\n\
-extern frentry_t *ipfrule_match_in_%s __P((fr_info_t *, u_32_t *));\n\
-extern frentry_t *ipf_rules_in_%s[%d];\n",
- grp->fg_name, grp->fg_name, incount);
-
- for (g = groups; g != grp; g = g->fg_next)
- if ((strncmp(g->fg_name, grp->fg_name,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == grp->fg_flags)
- break;
- if (g == grp) {
- fprintf(fph, "\n\
-extern int ipfrule_add_in_%s __P((void));\n\
-extern int ipfrule_remove_in_%s __P((void));\n", grp->fg_name, grp->fg_name);
- }
- }
- if (outcount) {
- fprintf(fph, "\n\
-extern frentry_t *ipfrule_match_out_%s __P((fr_info_t *, u_32_t *));\n\
-extern frentry_t *ipf_rules_out_%s[%d];\n",
- grp->fg_name, grp->fg_name, outcount);
-
- for (g = groups; g != g; g = g->fg_next)
- if ((strncmp(g->fg_name, grp->fg_name,
- FR_GROUPLEN) == 0) &&
- g->fg_flags == grp->fg_flags)
- break;
- if (g == grp) {
- fprintf(fph, "\n\
-extern int ipfrule_add_out_%s __P((void));\n\
-extern int ipfrule_remove_out_%s __P((void));\n",
- grp->fg_name, grp->fg_name);
- }
- }
-}
-
-static void emittail()
-{
- frgroup_t *g;
-
- fprintf(cfile, "\n\
-int ipfrule_add()\n\
-{\n\
- int err;\n\
-\n");
- for (g = groups; g != NULL; g = g->fg_next)
- fprintf(cfile, "\
- err = ipfrule_add_%s_%s();\n\
- if (err != 0)\n\
- return err;\n",
- (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
- fprintf(cfile, "\
- return 0;\n");
- fprintf(cfile, "}\n\
-\n");
-
- fprintf(cfile, "\n\
-int ipfrule_remove()\n\
-{\n\
- int err;\n\
-\n");
- for (g = groups; g != NULL; g = g->fg_next)
- fprintf(cfile, "\
- err = ipfrule_remove_%s_%s();\n\
- if (err != 0)\n\
- return err;\n",
- (g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
- fprintf(cfile, "\
- return 0;\n");
- fprintf(cfile, "}\n");
-}
-
-
-static void emitGroup(num, dir, v, fr, group, incount, outcount)
-int num, dir;
-void *v;
-frentry_t *fr;
-char *group;
-u_int incount, outcount;
-{
- static FILE *fp = NULL;
- static int header[2] = { 0, 0 };
- static char egroup[FR_GROUPLEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
- static int openfunc = 0;
- static mc_t *n = NULL;
- static int sin = 0;
- frentry_t *f;
- frgroup_t *g;
- fripf_t *ipf;
- int i, in, j;
- mc_t *m = v;
-
- if (fp == NULL)
- fp = cfile;
- if (fp == NULL)
- return;
- if (strncmp(egroup, group, FR_GROUPLEN)) {
- for (sin--; sin > 0; sin--) {
- indent(fp, sin);
- fprintf(fp, "}\n");
- }
- if (openfunc == 1) {
- fprintf(fp, "\treturn fr;\n}\n");
- openfunc = 0;
- if (n != NULL) {
- free(n);
- n = NULL;
- }
- }
- sin = 0;
- header[0] = 0;
- header[1] = 0;
- strncpy(egroup, group, FR_GROUPLEN);
- } else if (openfunc == 1 && num < 0) {
- if (n != NULL) {
- free(n);
- n = NULL;
- }
- for (sin--; sin > 0; sin--) {
- indent(fp, sin);
- fprintf(fp, "}\n");
- }
- if (openfunc == 1) {
- fprintf(fp, "\treturn fr;\n}\n");
- openfunc = 0;
- }
- }
-
- if (dir == -1)
- return;
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if (dir == 0 && (g->fg_flags & FR_INQUE) == 0)
- continue;
- else if (dir == 1 && (g->fg_flags & FR_OUTQUE) == 0)
- continue;
- if (strncmp(g->fg_name, group, FR_GROUPLEN) != 0)
- continue;
- break;
- }
-
- /*
- * Output the array of pointers to rules for this group.
- */
- if (g != NULL && num == -2 && dir == 0 && header[0] == 0 &&
- incount != 0) {
- fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {",
- group, incount);
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if ((f->fr_flags & FR_INQUE) == 0)
- continue;
- if ((i & 1) == 0) {
- fprintf(fp, "\n\t");
- }
- fprintf(fp,
- "(frentry_t *)&in_rule_%s_%d",
- f->fr_group, i);
- if (i + 1 < incount)
- fprintf(fp, ", ");
- i++;
- }
- fprintf(fp, "\n};\n");
- }
-
- if (g != NULL && num == -2 && dir == 1 && header[0] == 0 &&
- outcount != 0) {
- fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {",
- group, outcount);
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if ((f->fr_flags & FR_OUTQUE) == 0)
- continue;
- if ((i & 1) == 0) {
- fprintf(fp, "\n\t");
- }
- fprintf(fp,
- "(frentry_t *)&out_rule_%s_%d",
- f->fr_group, i);
- if (i + 1 < outcount)
- fprintf(fp, ", ");
- i++;
- }
- fprintf(fp, "\n};\n");
- fp = NULL;
- }
-
- if (num < 0)
- return;
-
- in = 0;
- ipf = fr->fr_ipf;
-
- /*
- * If the function header has not been printed then print it now.
- */
- if (g != NULL && header[dir] == 0) {
- int pdst = 0, psrc = 0;
-
- openfunc = 1;
- fprintf(fp, "\nfrentry_t *ipfrule_match_%s_%s(fin, passp)\n",
- (dir == 0) ? "in" : "out", group);
- fprintf(fp, "fr_info_t *fin;\n");
- fprintf(fp, "u_32_t *passp;\n");
- fprintf(fp, "{\n");
- fprintf(fp, "\tfrentry_t *fr = NULL;\n");
-
- /*
- * Print out any variables that need to be declared.
- */
- for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
- if (incount + outcount > m[FRC_SRC].e + 1)
- psrc = 1;
- if (incount + outcount > m[FRC_DST].e + 1)
- pdst = 1;
- }
- if (psrc == 1)
- fprintf(fp, "\tu_32_t src = ntohl(%s);\n",
- "fin->fin_fi.fi_saddr");
- if (pdst == 1)
- fprintf(fp, "\tu_32_t dst = ntohl(%s);\n",
- "fin->fin_fi.fi_daddr");
- }
-
- for (i = 0; i < FRC_MAX; i++) {
- switch(m[i].c)
- {
- case FRC_IFN :
- if (*fr->fr_ifname)
- m[i].s = 1;
- break;
- case FRC_V :
- if (ipf != NULL && ipf->fri_mip.fi_v != 0)
- m[i].s = 1;
- break;
- case FRC_FL :
- if (ipf != NULL && ipf->fri_mip.fi_flx != 0)
- m[i].s = 1;
- break;
- case FRC_P :
- if (ipf != NULL && ipf->fri_mip.fi_p != 0)
- m[i].s = 1;
- break;
- case FRC_TTL :
- if (ipf != NULL && ipf->fri_mip.fi_ttl != 0)
- m[i].s = 1;
- break;
- case FRC_TOS :
- if (ipf != NULL && ipf->fri_mip.fi_tos != 0)
- m[i].s = 1;
- break;
- case FRC_TCP :
- if (ipf == NULL)
- break;
- if ((ipf->fri_ip.fi_p == IPPROTO_TCP) &&
- fr->fr_tcpfm != 0)
- m[i].s = 1;
- break;
- case FRC_SP :
- if (ipf == NULL)
- break;
- if (fr->fr_scmp == FR_INRANGE)
- m[i].s = 1;
- else if (fr->fr_scmp == FR_OUTRANGE)
- m[i].s = 1;
- else if (fr->fr_scmp != 0)
- m[i].s = 1;
- break;
- case FRC_DP :
- if (ipf == NULL)
- break;
- if (fr->fr_dcmp == FR_INRANGE)
- m[i].s = 1;
- else if (fr->fr_dcmp == FR_OUTRANGE)
- m[i].s = 1;
- else if (fr->fr_dcmp != 0)
- m[i].s = 1;
- break;
- case FRC_SRC :
- if (ipf == NULL)
- break;
- if (fr->fr_satype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_smask != 0) ||
- (fr->fr_flags & FR_NOTSRCIP) != 0)
- m[i].s = 1;
- break;
- case FRC_DST :
- if (ipf == NULL)
- break;
- if (fr->fr_datype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_dmask != 0) ||
- (fr->fr_flags & FR_NOTDSTIP) != 0)
- m[i].s = 1;
- break;
- case FRC_OPT :
- if (ipf == NULL)
- break;
- if (fr->fr_optmask != 0)
- m[i].s = 1;
- break;
- case FRC_SEC :
- if (ipf == NULL)
- break;
- if (fr->fr_secmask != 0)
- m[i].s = 1;
- break;
- case FRC_ATH :
- if (ipf == NULL)
- break;
- if (fr->fr_authmask != 0)
- m[i].s = 1;
- break;
- case FRC_ICT :
- if (ipf == NULL)
- break;
- if ((fr->fr_icmpm & 0xff00) != 0)
- m[i].s = 1;
- break;
- case FRC_ICC :
- if (ipf == NULL)
- break;
- if ((fr->fr_icmpm & 0xff) != 0)
- m[i].s = 1;
- break;
- }
- }
-
- if (!header[dir]) {
- fprintf(fp, "\n");
- header[dir] = 1;
- sin = 0;
- }
-
- qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
-
- if (n) {
- /*
- * Calculate the indentation interval upto the last common
- * common comparison being made.
- */
- for (i = 0, in = 1; i < FRC_MAX; i++) {
- if (n[i].c != m[i].c)
- break;
- if (n[i].s != m[i].s)
- break;
- if (n[i].s) {
- if (n[i].n && (n[i].n > n[i].e)) {
- m[i].p++;
- in += m[i].p;
- break;
- }
- if (n[i].e > 0) {
- in++;
- } else
- break;
- }
- }
- if (sin != in) {
- for (j = sin - 1; j >= in; j--) {
- indent(fp, j);
- fprintf(fp, "}\n");
- }
- }
- } else {
- in = 1;
- i = 0;
- }
-
- /*
- * print out C code that implements a filter rule.
- */
- for (; i < FRC_MAX; i++) {
- switch(m[i].c)
- {
- case FRC_IFN :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_ifp == ");
- fprintf(fp, "ipf_rules_%s_%s[%d]->fr_ifa) {\n",
- dir ? "out" : "in", group, num);
- in++;
- }
- break;
- case FRC_V :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_v == %d) {\n",
- ipf->fri_ip.fi_v);
- in++;
- }
- break;
- case FRC_FL :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_flx",
- ipf->fri_mip.fi_flx, 0xf,
- ipf->fri_ip.fi_flx);
- in++;
- }
- break;
- case FRC_P :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_p == %d) {\n",
- ipf->fri_ip.fi_p);
- in++;
- }
- break;
- case FRC_TTL :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_ttl",
- ipf->fri_mip.fi_ttl, 0xff,
- ipf->fri_ip.fi_ttl);
- in++;
- }
- break;
- case FRC_TOS :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_tos");
- printeq(fp, "fin->fin_tos",
- ipf->fri_mip.fi_tos, 0xff,
- ipf->fri_ip.fi_tos);
- in++;
- }
- break;
- case FRC_TCP :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_tcpf", fr->fr_tcpfm,
- 0xff, fr->fr_tcpf);
- in++;
- }
- break;
- case FRC_SP :
- if (!m[i].s)
- break;
- if (fr->fr_scmp == FR_INRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[0] > %d) && ",
- fr->fr_sport);
- fprintf(fp, "(fin->fin_data[0] < %d)",
- fr->fr_stop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_scmp == FR_OUTRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[0] < %d) || ",
- fr->fr_sport);
- fprintf(fp, "(fin->fin_data[0] > %d)",
- fr->fr_stop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_scmp) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_data[0] %s %d)",
- portcmp[fr->fr_scmp], fr->fr_sport);
- fprintf(fp, " {\n");
- in++;
- }
- break;
- case FRC_DP :
- if (!m[i].s)
- break;
- if (fr->fr_dcmp == FR_INRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[1] > %d) && ",
- fr->fr_dport);
- fprintf(fp, "(fin->fin_data[1] < %d)",
- fr->fr_dtop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_dcmp == FR_OUTRANGE) {
- indent(fp, in);
- fprintf(fp, "if ((fin->fin_data[1] < %d) || ",
- fr->fr_dport);
- fprintf(fp, "(fin->fin_data[1] > %d)",
- fr->fr_dtop);
- fprintf(fp, ") {\n");
- in++;
- } else if (fr->fr_dcmp) {
- indent(fp, in);
- fprintf(fp, "if (fin->fin_data[1] %s %d)",
- portcmp[fr->fr_dcmp], fr->fr_dport);
- fprintf(fp, " {\n");
- in++;
- }
- break;
- case FRC_SRC :
- if (!m[i].s)
- break;
- if (fr->fr_satype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_smask != 0) ||
- (fr->fr_flags & FR_NOTSRCIP) != 0) {
- indent(fp, in);
- fprintf(fp, "if (");
- printipeq(fp, "src",
- fr->fr_flags & FR_NOTSRCIP,
- fr->fr_smask, fr->fr_saddr);
- in++;
- }
- break;
- case FRC_DST :
- if (!m[i].s)
- break;
- if (fr->fr_datype == FRI_LOOKUP) {
- ;
- } else if ((fr->fr_dmask != 0) ||
- (fr->fr_flags & FR_NOTDSTIP) != 0) {
- indent(fp, in);
- fprintf(fp, "if (");
- printipeq(fp, "dst",
- fr->fr_flags & FR_NOTDSTIP,
- fr->fr_dmask, fr->fr_daddr);
- in++;
- }
- break;
- case FRC_OPT :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_optmsk",
- fr->fr_optmask, 0xffffffff,
- fr->fr_optbits);
- in++;
- }
- break;
- case FRC_SEC :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_secmsk",
- fr->fr_secmask, 0xffff,
- fr->fr_secbits);
- in++;
- }
- break;
- case FRC_ATH :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_fi.fi_authmsk",
- fr->fr_authmask, 0xffff,
- fr->fr_authbits);
- in++;
- }
- break;
- case FRC_ICT :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_data[0]",
- fr->fr_icmpm & 0xff00, 0xffff,
- fr->fr_icmp & 0xff00);
- in++;
- }
- break;
- case FRC_ICC :
- if (m[i].s) {
- indent(fp, in);
- fprintf(fp, "if (");
- printeq(fp, "fin->fin_data[0]",
- fr->fr_icmpm & 0xff, 0xffff,
- fr->fr_icmp & 0xff);
- in++;
- }
- break;
- }
-
- }
-
- indent(fp, in);
- if (fr->fr_flags & FR_QUICK) {
- fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
- fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
- } else {
- fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
- fr->fr_flags & FR_INQUE ? "in" : "out",
- fr->fr_group, num);
- }
- if (n == NULL)
- n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
- bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX);
- sin = in;
-}
-
-
-void printC(dir)
-int dir;
-{
- static mc_t *m = NULL;
- frgroup_t *g;
-
- if (m == NULL)
- m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX);
-
- for (g = groups; g != NULL; g = g->fg_next) {
- if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0))
- printCgroup(dir, g->fg_start, m, g->fg_name);
- if ((dir == 1) && ((g->fg_flags & FR_OUTQUE) != 0))
- printCgroup(dir, g->fg_start, m, g->fg_name);
- }
-
- emit(-1, dir, m, NULL);
-}
-
-
-/*
- * Now print out code to implement all of the rules.
- */
-static void printCgroup(dir, top, m, group)
-int dir;
-frentry_t *top;
-mc_t *m;
-char *group;
-{
- frentry_t *fr, *fr1;
- int i, n, rn;
- u_int count;
-
- for (count = 0, fr1 = top; fr1 != NULL; fr1 = fr1->fr_next) {
- if ((dir == 0) && ((fr1->fr_flags & FR_INQUE) != 0))
- count++;
- else if ((dir == 1) && ((fr1->fr_flags & FR_OUTQUE) != 0))
- count++;
- }
-
- if (dir == 0)
- emitGroup(-2, dir, m, fr1, group, count, 0);
- else if (dir == 1)
- emitGroup(-2, dir, m, fr1, group, 0, count);
-
- /*
- * Before printing each rule, check to see how many of its fields are
- * matched by subsequent rules.
- */
- for (fr1 = top, rn = 0; fr1 != NULL; fr1 = fr1->fr_next, rn++) {
- if (!dir && !(fr1->fr_flags & FR_INQUE))
- continue;
- if (dir && !(fr1->fr_flags & FR_OUTQUE))
- continue;
- n = 0xfffffff;
-
- for (i = 0; i < FRC_MAX; i++)
- m[i].e = 0;
- qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
-
- for (i = 0; i < FRC_MAX; i++) {
- m[i].c = i;
- m[i].e = 0;
- m[i].n = 0;
- m[i].s = 0;
- }
-
- for (fr = fr1->fr_next; fr; fr = fr->fr_next) {
- if (!dir && !(fr->fr_flags & FR_INQUE))
- continue;
- if (dir && !(fr->fr_flags & FR_OUTQUE))
- continue;
-
- if ((n & 0x0001) &&
- !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
- m[FRC_IFN].e++;
- m[FRC_IFN].n++;
- } else
- n &= ~0x0001;
-
- if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
- m[FRC_V].e++;
- m[FRC_V].n++;
- } else
- n &= ~0x0002;
-
- if ((n & 0x0004) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_mip.fi_flx == fr->fr_mip.fi_flx) &&
- (fr1->fr_ip.fi_flx == fr->fr_ip.fi_flx)) {
- m[FRC_FL].e++;
- m[FRC_FL].n++;
- } else
- n &= ~0x0004;
-
- if ((n & 0x0008) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_proto == fr->fr_proto)) {
- m[FRC_P].e++;
- m[FRC_P].n++;
- } else
- n &= ~0x0008;
-
- if ((n & 0x0010) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_ttl == fr->fr_ttl)) {
- m[FRC_TTL].e++;
- m[FRC_TTL].n++;
- } else
- n &= ~0x0010;
-
- if ((n & 0x0020) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_tos == fr->fr_tos)) {
- m[FRC_TOS].e++;
- m[FRC_TOS].n++;
- } else
- n &= ~0x0020;
-
- if ((n & 0x0040) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_tcpfm == fr->fr_tcpfm) &&
- (fr1->fr_tcpf == fr->fr_tcpf))) {
- m[FRC_TCP].e++;
- m[FRC_TCP].n++;
- } else
- n &= ~0x0040;
-
- if ((n & 0x0080) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_scmp == fr->fr_scmp) &&
- (fr1->fr_stop == fr->fr_stop) &&
- (fr1->fr_sport == fr->fr_sport))) {
- m[FRC_SP].e++;
- m[FRC_SP].n++;
- } else
- n &= ~0x0080;
-
- if ((n & 0x0100) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_dcmp == fr->fr_dcmp) &&
- (fr1->fr_dtop == fr->fr_dtop) &&
- (fr1->fr_dport == fr->fr_dport))) {
- m[FRC_DP].e++;
- m[FRC_DP].n++;
- } else
- n &= ~0x0100;
-
- if ((n & 0x0200) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_satype == FRI_LOOKUP) &&
- (fr->fr_satype == FRI_LOOKUP) &&
- (fr1->fr_srcnum == fr->fr_srcnum))) {
- m[FRC_SRC].e++;
- m[FRC_SRC].n++;
- } else if ((n & 0x0200) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (((fr1->fr_flags & FR_NOTSRCIP) ==
- (fr->fr_flags & FR_NOTSRCIP)))) {
- if ((fr1->fr_smask == fr->fr_smask) &&
- (fr1->fr_saddr == fr->fr_saddr))
- m[FRC_SRC].e++;
- else
- n &= ~0x0200;
- if (fr1->fr_smask &&
- (fr1->fr_saddr & fr1->fr_smask) ==
- (fr->fr_saddr & fr1->fr_smask)) {
- m[FRC_SRC].n++;
- n |= 0x0200;
- }
- } else {
- n &= ~0x0200;
- }
-
- if ((n & 0x0400) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_datype == FRI_LOOKUP) &&
- (fr->fr_datype == FRI_LOOKUP) &&
- (fr1->fr_dstnum == fr->fr_dstnum))) {
- m[FRC_DST].e++;
- m[FRC_DST].n++;
- } else if ((n & 0x0400) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (((fr1->fr_flags & FR_NOTDSTIP) ==
- (fr->fr_flags & FR_NOTDSTIP)))) {
- if ((fr1->fr_dmask == fr->fr_dmask) &&
- (fr1->fr_daddr == fr->fr_daddr))
- m[FRC_DST].e++;
- else
- n &= ~0x0400;
- if (fr1->fr_dmask &&
- (fr1->fr_daddr & fr1->fr_dmask) ==
- (fr->fr_daddr & fr1->fr_dmask)) {
- m[FRC_DST].n++;
- n |= 0x0400;
- }
- } else {
- n &= ~0x0400;
- }
-
- if ((n & 0x0800) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_optmask == fr->fr_optmask) &&
- (fr1->fr_optbits == fr->fr_optbits)) {
- m[FRC_OPT].e++;
- m[FRC_OPT].n++;
- } else
- n &= ~0x0800;
-
- if ((n & 0x1000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_secmask == fr->fr_secmask) &&
- (fr1->fr_secbits == fr->fr_secbits)) {
- m[FRC_SEC].e++;
- m[FRC_SEC].n++;
- } else
- n &= ~0x1000;
-
- if ((n & 0x10000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- (fr1->fr_authmask == fr->fr_authmask) &&
- (fr1->fr_authbits == fr->fr_authbits)) {
- m[FRC_ATH].e++;
- m[FRC_ATH].n++;
- } else
- n &= ~0x10000;
-
- if ((n & 0x20000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_icmpm & 0xff00) ==
- (fr->fr_icmpm & 0xff00)) &&
- ((fr1->fr_icmp & 0xff00) ==
- (fr->fr_icmp & 0xff00))) {
- m[FRC_ICT].e++;
- m[FRC_ICT].n++;
- } else
- n &= ~0x20000;
-
- if ((n & 0x40000) &&
- (fr->fr_type == fr1->fr_type) &&
- (fr->fr_type == FR_T_IPF) &&
- ((fr1->fr_icmpm & 0xff) == (fr->fr_icmpm & 0xff)) &&
- ((fr1->fr_icmp & 0xff) == (fr->fr_icmp & 0xff))) {
- m[FRC_ICC].e++;
- m[FRC_ICC].n++;
- } else
- n &= ~0x40000;
- }
- /*msort(m);*/
-
- if (dir == 0)
- emitGroup(rn, dir, m, fr1, group, count, 0);
- else if (dir == 1)
- emitGroup(rn, dir, m, fr1, group, 0, count);
- }
-}
-
-static void printhooks(fp, in, out, grp)
-FILE *fp;
-int in;
-int out;
-frgroup_t *grp;
-{
- frentry_t *fr;
- char *group;
- int dogrp, i;
- char *instr;
-
- group = grp->fg_name;
- dogrp = *group ? 1 : 0;
-
- if (in && out) {
- fprintf(stderr,
- "printhooks called with both in and out set\n");
- exit(1);
- }
-
- if (in) {
- instr = "in";
- } else if (out) {
- instr = "out";
- } else {
- instr = "???";
- }
- fprintf(fp, "static frentry_t ipfrule_%s_%s;\n", instr, group);
-
- fprintf(fp, "\
-\n\
-int ipfrule_add_%s_%s()\n", instr, group);
- fprintf(fp, "\
-{\n\
- int i, j, err = 0, max;\n\
- frentry_t *fp;\n");
-
- if (dogrp)
- fprintf(fp, "\
- frgroup_t *fg;\n");
-
- fprintf(fp, "\n");
-
- for (i = 0, fr = grp->fg_start; fr != NULL; i++, fr = fr->fr_next)
- if (fr->fr_dsize > 0) {
- fprintf(fp, "\
- ipf_rules_%s_%s[%d]->fr_data = &ipf%s_rule_data_%s_%u;\n",
- instr, grp->fg_name, i,
- instr, grp->fg_name, i);
- }
- fprintf(fp, "\
- max = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *);\n\
- for (i = 0; i < max; i++) {\n\
- fp = ipf_rules_%s_%s[i];\n\
- fp->fr_next = NULL;\n", instr, group, instr, group);
-
- fprintf(fp, "\
- for (j = i + 1; j < max; j++)\n\
- if (strncmp(fp->fr_group,\n\
- ipf_rules_%s_%s[j]->fr_group,\n\
- FR_GROUPLEN) == 0) {\n\
- fp->fr_next = ipf_rules_%s_%s[j];\n\
- break;\n\
- }\n", instr, group, instr, group);
- if (dogrp)
- fprintf(fp, "\
-\n\
- if (fp->fr_grhead != 0) {\n\
- fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
- IPL_LOGIPF, 0);\n\
- if (fg != NULL)\n\
- fp->fr_grp = &fg->fg_start;\n\
- }\n");
- fprintf(fp, "\
- }\n\
-\n\
- fp = &ipfrule_%s_%s;\n", instr, group);
- fprintf(fp, "\
- bzero((char *)fp, sizeof(*fp));\n\
- fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
- fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
- fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
- (in != 0) ? "IN" : "OUT", instr, group);
- fprintf(fp, "\
- fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
- instr, group);
-
- fprintf(fp, "\
- fp->fr_v = 4;\n\
- fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
- err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
- instr, group);
- fprintf(fp, "\treturn err;\n}\n");
-
- fprintf(fp, "\n\n\
-int ipfrule_remove_%s_%s()\n", instr, group);
- fprintf(fp, "\
-{\n\
- int err = 0, i;\n\
- frentry_t *fp;\n\
-\n\
- /*\n\
- * Try to remove the %sbound rule.\n", instr);
-
- fprintf(fp, "\
- */\n\
- if (ipfrule_%s_%s.fr_ref > 0) {\n", instr, group);
-
- fprintf(fp, "\
- err = EBUSY;\n\
- } else {\n");
-
- fprintf(fp, "\
- i = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *) - 1;\n\
- for (; i >= 0; i--) {\n\
- fp = ipf_rules_%s_%s[i];\n\
- if (fp->fr_ref > 1) {\n\
- err = EBUSY;\n\
- break;\n\
- }\n\
- }\n\
- }\n\
- if (err == 0)\n\
- err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
- (caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
- instr, group, instr, group, instr, group);
- fprintf(fp, "\
- if (err)\n\
- return err;\n\
-\n\n");
-
- fprintf(fp, "\treturn err;\n}\n");
-}
diff --git a/contrib/ipfilter/tools/ipfs.c b/contrib/ipfilter/tools/ipfs.c
deleted file mode 100644
index 3acb5d4..0000000
--- a/contrib/ipfilter/tools/ipfs.c
+++ /dev/null
@@ -1,890 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp";
-#endif
-
-#ifndef IPF_SAVEDIR
-# define IPF_SAVEDIR "/var/db/ipf"
-#endif
-#ifndef IPF_NATFILE
-# define IPF_NATFILE "ipnat.ipf"
-#endif
-#ifndef IPF_STATEFILE
-# define IPF_STATEFILE "ipstate.ipf"
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-extern int optind;
-
-int main __P((int, char *[]));
-void usage __P((void));
-int changestateif __P((char *, char *));
-int changenatif __P((char *, char *));
-int readstate __P((int, char *));
-int readnat __P((int, char *));
-int writestate __P((int, char *));
-int opendevice __P((char *));
-void closedevice __P((int));
-int setlock __P((int, int));
-int writeall __P((char *));
-int readall __P((char *));
-int writenat __P((int, char *));
-
-int opts = 0;
-char *progname;
-
-
-void usage()
-{
- fprintf(stderr, "usage: %s [-nv] -l\n", progname);
- fprintf(stderr, "usage: %s [-nv] -u\n", progname);
- fprintf(stderr, "usage: %s [-nv] [-d <dir>] -R\n", progname);
- fprintf(stderr, "usage: %s [-nv] [-d <dir>] -W\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] [-f <file>] -r\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] [-f <file>] -w\n", progname);
- fprintf(stderr, "usage: %s [-nNSv] -f <filename> -i <if1>,<if2>\n",
- progname);
- exit(1);
-}
-
-
-/*
- * Change interface names in state information saved out to disk.
- */
-int changestateif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- ipstate_save_t ips;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- if (nlen >= sizeof(ips.ips_is.is_ifname) ||
- olen >= sizeof(ips.ips_is.is_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
- rw = 0;
- if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[0], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[1], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[2], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[2], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[3], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[3], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-/*
- * Change interface names in NAT information saved out to disk.
- */
-int changenatif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- nat_save_t ipn;
- nat_t *nat;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- nat = &ipn.ipn_nat;
- if (nlen >= sizeof(nat->nat_ifnames[0]) ||
- olen >= sizeof(nat->nat_ifnames[0]))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
- rw = 0;
- if (!strncmp(nat->nat_ifnames[0], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[0], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[1], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[1], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[2], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[2], s);
- rw = 1;
- }
- if (!strncmp(nat->nat_ifnames[3], ifs, olen + 1)) {
- strcpy(nat->nat_ifnames[3], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
- char *dirname = NULL, *filename = NULL, *ifs = NULL;
-
- progname = argv[0];
- while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
- switch (c)
- {
- case 'd' :
- if ((set == 0) && !dirname && !filename)
- dirname = optarg;
- else
- usage();
- break;
- case 'f' :
- if ((set != 0) && !dirname && !filename)
- filename = optarg;
- else
- usage();
- break;
- case 'i' :
- ifs = optarg;
- set = 1;
- break;
- case 'l' :
- if (filename || dirname || set)
- usage();
- lock = 1;
- set = 1;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'N' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 0;
- set = 1;
- break;
- case 'r' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 0;
- set = 1;
- break;
- case 'R' :
- rw = 2;
- set = 1;
- break;
- case 'S' :
- if ((ns >= 0) || dirname || (rw != -1) || set)
- usage();
- ns = 1;
- set = 1;
- break;
- case 'u' :
- if (filename || dirname || set)
- usage();
- lock = 0;
- set = 1;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- if (dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 1;
- set = 1;
- break;
- case 'W' :
- rw = 3;
- set = 1;
- break;
- case '?' :
- default :
- usage();
- }
-
- if (ifs) {
- if (!filename || ns < 0)
- usage();
- if (ns == 0)
- return changenatif(ifs, filename);
- else
- return changestateif(ifs, filename);
- }
-
- if ((ns >= 0) || (lock >= 0)) {
- if (lock >= 0)
- devfd = opendevice(NULL);
- else if (ns >= 0) {
- if (ns == 1)
- devfd = opendevice(IPSTATE_NAME);
- else if (ns == 0)
- devfd = opendevice(IPNAT_NAME);
- }
- if (devfd == -1)
- exit(1);
- }
-
- if (lock >= 0)
- err = setlock(devfd, lock);
- else if (rw >= 0) {
- if (rw & 1) { /* WRITE */
- if (rw & 2)
- err = writeall(dirname);
- else {
- if (ns == 0)
- err = writenat(devfd, filename);
- else if (ns == 1)
- err = writestate(devfd, filename);
- }
- } else {
- if (rw & 2)
- err = readall(dirname);
- else {
- if (ns == 0)
- err = readnat(devfd, filename);
- else if (ns == 1)
- err = readstate(devfd, filename);
- }
- }
- }
- return err;
-}
-
-
-int opendevice(ipfdev)
-char *ipfdev;
-{
- int fd = -1;
-
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = IPL_NAME;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-void closedevice(fd)
-int fd;
-{
- close(fd);
-}
-
-
-int setlock(fd, lock)
-int fd, lock;
-{
- if (opts & OPT_VERBOSE)
- printf("Turn lock %s\n", lock ? "on" : "off");
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
- perror("SIOCSTLCK");
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Lock now %s\n", lock ? "on" : "off");
- }
- return 0;
-}
-
-
-int writestate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *ipsp;
- ipfobj_t obj;
- int wfd = -1;
-
- if (!file)
- file = IPF_STATEFILE;
-
- wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (wfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("state:open");
- return 1;
- }
-
- ipsp = &ips;
- bzero((char *)&obj, sizeof(obj));
- bzero((char *)ipsp, sizeof(ips));
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*ipsp);
- obj.ipfo_type = IPFOBJ_STATESAVE;
- obj.ipfo_ptr = ipsp;
-
- do {
-
- if (opts & OPT_VERBOSE)
- printf("Getting state from addr %p\n", ips.ips_next);
- if (ioctl(fd, SIOCSTGET, &obj)) {
- if (errno == ENOENT)
- break;
- perror("state:SIOCSTGET");
- close(wfd);
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Got state next %p\n", ips.ips_next);
- if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
- perror("state:write");
- close(wfd);
- return 1;
- }
- } while (ips.ips_next != NULL);
- close(wfd);
-
- return 0;
-}
-
-
-int readstate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
- int sfd = -1, i;
- ipfobj_t obj;
-
- if (!file)
- file = IPF_STATEFILE;
-
- sfd = open(file, O_RDONLY, 0600);
- if (sfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("open");
- return 1;
- }
-
- bzero((char *)&ips, sizeof(ips));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(sfd, &ips, sizeof(ips));
- if (i == -1) {
- perror("read");
- goto freeipshead;
- }
- if (i == 0)
- break;
- if (i != sizeof(ips)) {
- fprintf(stderr, "state:incomplete read: %d != %d\n",
- i, (int)sizeof(ips));
- goto freeipshead;
- }
- is = (ipstate_save_t *)malloc(sizeof(*is));
- if (is == NULL) {
- fprintf(stderr, "malloc failed\n");
- goto freeipshead;
- }
-
- bcopy((char *)&ips, (char *)is, sizeof(ips));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
- if (is1->ips_rule == is->ips_rule)
- break;
- if (is1 == NULL)
- is->ips_is.is_flags |= SI_NEWFR;
- else
- is->ips_rule = (void *)&is1->ips_rule;
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- is->ips_next = NULL;
- if (!ipshead)
- ipshead = is;
- if (ipstail)
- ipstail->ips_next = is;
- ipstail = is;
- } while (1);
-
- close(sfd);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(*is);
- obj.ipfo_type = IPFOBJ_STATESAVE;
-
- while ((is = ipshead) != NULL) {
- if (opts & OPT_VERBOSE)
- printf("Loading new state table entry\n");
- if (is->ips_is.is_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
-
- obj.ipfo_ptr = is;
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &obj)) {
- perror("SIOCSTPUT");
- goto freeipshead;
- }
-
- if (is->ips_is.is_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", is->ips_rule);
- for (is1 = is->ips_next; is1; is1 = is1->ips_next)
- if (is1->ips_rule == (frentry_t *)&is->ips_rule)
- is1->ips_rule = is->ips_rule;
- }
-
- ipshead = is->ips_next;
- free(is);
- }
-
- return 0;
-
-freeipshead:
- while ((is = ipshead) != NULL) {
- ipshead = is->ips_next;
- free(is);
- }
- if (sfd != -1)
- close(sfd);
- return 1;
-}
-
-
-int readnat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL;
- ipfobj_t obj;
- int nfd, i;
- nat_t *nat;
- char *s;
- int n;
-
- nfd = -1;
- in = NULL;
- ipnhead = NULL;
- ipntail = NULL;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_RDONLY);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(nfd, &ipn, sizeof(ipn));
- if (i == -1) {
- perror("read");
- goto freenathead;
- }
- if (i == 0)
- break;
- if (i != sizeof(ipn)) {
- fprintf(stderr, "nat:incomplete read: %d != %d\n",
- i, (int)sizeof(ipn));
- goto freenathead;
- }
-
- in = (nat_save_t *)malloc(ipn.ipn_dsize);
- if (in == NULL) {
- fprintf(stderr, "nat:cannot malloc nat save atruct\n");
- goto freenathead;
- }
-
- if (ipn.ipn_dsize > sizeof(ipn)) {
- n = ipn.ipn_dsize - sizeof(ipn);
- if (n > 0) {
- s = in->ipn_data + sizeof(in->ipn_data);
- i = read(nfd, s, n);
- if (i == 0)
- break;
- if (i != n) {
- fprintf(stderr,
- "nat:incomplete read: %d != %d\n",
- i, n);
- goto freenathead;
- }
- }
- }
- bcopy((char *)&ipn, (char *)in, sizeof(ipn));
-
- /*
- * Check to see if this is the first NAT entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- nat = &in->ipn_nat;
- if (nat->nat_fr != NULL) {
- for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
- if (in1->ipn_rule == nat->nat_fr)
- break;
- if (in1 == NULL)
- nat->nat_flags |= SI_NEWFR;
- else
- nat->nat_fr = &in1->ipn_fr;
- }
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- in->ipn_next = NULL;
- if (!ipnhead)
- ipnhead = in;
- if (ipntail)
- ipntail->ipn_next = in;
- ipntail = in;
- } while (1);
-
- close(nfd);
- nfd = -1;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSAVE;
-
- while ((in = ipnhead) != NULL) {
- if (opts & OPT_VERBOSE)
- printf("Loading new NAT table entry\n");
- nat = &in->ipn_nat;
- if (nat->nat_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
-
- obj.ipfo_ptr = in;
- obj.ipfo_size = in->ipn_dsize;
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &obj)) {
- fprintf(stderr, "in=%p:", in);
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (nat->nat_flags & SI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", nat->nat_fr);
- for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
- if (in1->ipn_rule == &in->ipn_fr)
- in1->ipn_rule = nat->nat_fr;
- }
-
- ipnhead = in->ipn_next;
- free(in);
- }
-
- return 0;
-
-freenathead:
- while ((in = ipnhead) != NULL) {
- ipnhead = in->ipn_next;
- free(in);
- }
- if (nfd != -1)
- close(nfd);
- return 1;
-}
-
-
-int writenat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t *ipnp = NULL, *next = NULL;
- ipfobj_t obj;
- int nfd = -1;
- natget_t ng;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSAVE;
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting nat from addr %p\n", ipnp);
- ng.ng_ptr = next;
- ng.ng_sz = 0;
- if (ioctl(fd, SIOCSTGSZ, &ng)) {
- perror("nat:SIOCSTGSZ");
- close(nfd);
- if (ipnp != NULL)
- free(ipnp);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
-
- if (ng.ng_sz == 0)
- break;
-
- if (!ipnp)
- ipnp = malloc(ng.ng_sz);
- else
- ipnp = realloc((char *)ipnp, ng.ng_sz);
- if (!ipnp) {
- fprintf(stderr,
- "malloc for %d bytes failed\n", ng.ng_sz);
- break;
- }
-
- bzero((char *)ipnp, ng.ng_sz);
- obj.ipfo_size = ng.ng_sz;
- obj.ipfo_ptr = ipnp;
- ipnp->ipn_dsize = ng.ng_sz;
- ipnp->ipn_next = next;
- if (ioctl(fd, SIOCSTGET, &obj)) {
- if (errno == ENOENT)
- break;
- perror("nat:SIOCSTGET");
- close(nfd);
- free(ipnp);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("Got nat next %p ipn_dsize %d ng_sz %d\n",
- ipnp->ipn_next, ipnp->ipn_dsize, ng.ng_sz);
- if (write(nfd, ipnp, ipnp->ipn_dsize) != ipnp->ipn_dsize) {
- perror("nat:write");
- close(nfd);
- free(ipnp);
- return 1;
- }
- next = ipnp->ipn_next;
- } while (ipnp && next);
- if (ipnp != NULL)
- free(ipnp);
- close(nfd);
-
- return 0;
-}
-
-
-int writeall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname);
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPSTATE_NAME);
- if (devfd == -1)
- goto bad;
- if (writestate(devfd, NULL))
- goto bad;
- close(devfd);
-
- devfd = opendevice(IPNAT_NAME);
- if (devfd == -1)
- goto bad;
- if (writenat(devfd, NULL))
- goto bad;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- close(fd);
- return 0;
-
-bad:
- setlock(fd, 0);
- close(fd);
- return 1;
-}
-
-
-int readall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPSTATE_NAME);
- if (devfd == -1)
- return 1;
- if (readstate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPNAT_NAME);
- if (devfd == -1)
- return 1;
- if (readnat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipfstat.c b/contrib/ipfilter/tools/ipfstat.c
deleted file mode 100644
index e28fe4c..0000000
--- a/contrib/ipfilter/tools/ipfstat.c
+++ /dev/null
@@ -1,2112 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <sys/ioctl.h>
-#include <fcntl.h>
-#ifdef linux
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-#include <ctype.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <stddef.h>
-#endif
-#include "ipf.h"
-#include "netinet/ipl.h"
-#if defined(STATETOP)
-# if defined(_BSDI_VERSION)
-# undef STATETOP
-# endif
-# if defined(__FreeBSD__) && \
- (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000))
-# undef STATETOP
-# endif
-# if defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105000000)
-# undef STATETOP
-# endif
-# if defined(sun)
-# if defined(__svr4__) || defined(__SVR4)
-# include <sys/select.h>
-# else
-# undef STATETOP /* NOT supported on SunOS4 */
-# endif
-# endif
-#endif
-#if defined(STATETOP) && !defined(linux)
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#ifdef STATETOP
-# include <ctype.h>
-# include <signal.h>
-# include <time.h>
-# if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \
- defined(__sgi)
-# ifdef ERR
-# undef ERR
-# endif
-# include <curses.h>
-# else /* SOLARIS */
-# include <ncurses.h>
-# endif /* SOLARIS */
-#endif /* STATETOP */
-#include "kmem.h"
-#if defined(__NetBSD__) || (__OpenBSD__)
-# include <paths.h>
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.25 2007/06/30 09:48:50 darrenr Exp $";
-#endif
-
-#ifdef __hpux
-# define nlist nlist64
-#endif
-
-extern char *optarg;
-extern int optind;
-extern int opterr;
-
-#define PRINTF (void)printf
-#define FPRINTF (void)fprintf
-static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
- "ipacct(in)", "ipacct(out)" };
-static int state_logging = -1;
-
-int opts = 0;
-int use_inet6 = 0;
-int live_kernel = 1;
-int state_fd = -1;
-int ipf_fd = -1;
-int auth_fd = -1;
-int nat_fd = -1;
-frgroup_t *grtop = NULL;
-frgroup_t *grtail = NULL;
-
-#ifdef STATETOP
-#define STSTRSIZE 80
-#define STGROWSIZE 16
-#define HOSTNMLEN 40
-
-#define STSORT_PR 0
-#define STSORT_PKTS 1
-#define STSORT_BYTES 2
-#define STSORT_TTL 3
-#define STSORT_SRCIP 4
-#define STSORT_SRCPT 5
-#define STSORT_DSTIP 6
-#define STSORT_DSTPT 7
-#define STSORT_MAX STSORT_DSTPT
-#define STSORT_DEFAULT STSORT_BYTES
-
-
-typedef struct statetop {
- i6addr_t st_src;
- i6addr_t st_dst;
- u_short st_sport;
- u_short st_dport;
- u_char st_p;
- u_char st_v;
- u_char st_state[2];
- U_QUAD_T st_pkts;
- U_QUAD_T st_bytes;
- u_long st_age;
-} statetop_t;
-#endif
-
-int main __P((int, char *[]));
-
-static int fetchfrag __P((int, int, ipfr_t *));
-static void showstats __P((friostat_t *, u_32_t));
-static void showfrstates __P((ipfrstat_t *, u_long));
-static void showlist __P((friostat_t *));
-static void showipstates __P((ips_stat_t *));
-static void showauthstates __P((fr_authstat_t *));
-static void showgroups __P((friostat_t *));
-static void usage __P((char *));
-static void showtqtable_live __P((int));
-static void printlivelist __P((int, int, frentry_t *, char *, char *));
-static void printdeadlist __P((int, int, frentry_t *, char *, char *));
-static void parse_ipportstr __P((const char *, i6addr_t *, int *));
-static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **,
- ipfrstat_t **, fr_authstat_t **, u_32_t *));
-static ipstate_t *fetchstate __P((ipstate_t *, ipstate_t *));
-#ifdef STATETOP
-static void topipstates __P((i6addr_t, i6addr_t, int, int, int,
- int, int, int));
-static void sig_break __P((int));
-static void sig_resize __P((int));
-static char *getip __P((int, i6addr_t *));
-static char *ttl_to_string __P((long));
-static int sort_p __P((const void *, const void *));
-static int sort_pkts __P((const void *, const void *));
-static int sort_bytes __P((const void *, const void *));
-static int sort_ttl __P((const void *, const void *));
-static int sort_srcip __P((const void *, const void *));
-static int sort_srcpt __P((const void *, const void *));
-static int sort_dstip __P((const void *, const void *));
-static int sort_dstpt __P((const void *, const void *));
-#endif
-
-
-static void usage(name)
-char *name;
-{
-#ifdef USE_INET6
- fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name);
-#else
- fprintf(stderr, "Usage: %s [-aAdfghIilnoRsv]\n", name);
-#endif
- fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name);
-#ifdef USE_INET6
- fprintf(stderr, " %s -t [-6C] ", name);
-#else
- fprintf(stderr, " %s -t [-C] ", name);
-#endif
- fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
- friostat_t fio;
- friostat_t *fiop = &fio;
- ips_stat_t ipsst;
- ips_stat_t *ipsstp = &ipsst;
- ipfrstat_t ifrst;
- ipfrstat_t *ifrstp = &ifrst;
- char *memf = NULL;
- char *options, *kern = NULL;
- int c, myoptind;
-
- int protocol = -1; /* -1 = wild card for any protocol */
- int refreshtime = 1; /* default update time */
- int sport = -1; /* -1 = wild card for any source port */
- int dport = -1; /* -1 = wild card for any dest port */
- int topclosed = 0; /* do not show closed tcp sessions */
- i6addr_t saddr, daddr;
- u_32_t frf;
-
-#ifdef USE_INET6
- options = "6aACdfghIilnostvD:M:N:P:RS:T:";
-#else
- options = "aACdfghIilnostvD:M:N:P:RS:T:";
-#endif
-
- saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */
- daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */
-#ifdef USE_INET6
- saddr.in6 = in6addr_any; /* default any v6 source addr */
- daddr.in6 = in6addr_any; /* default any v6 dest addr */
-#endif
-
- /* Don't warn about invalid flags when we run getopt for the 1st time */
- opterr = 0;
-
- /*
- * Parse these two arguments now lest there be any buffer overflows
- * in the parsing of the rest.
- */
- myoptind = optind;
- while ((c = getopt(argc, argv, options)) != -1) {
- switch (c)
- {
- case 'M' :
- memf = optarg;
- live_kernel = 0;
- break;
- case 'N' :
- kern = optarg;
- live_kernel = 0;
- break;
- }
- }
- optind = myoptind;
-
- if (live_kernel == 1) {
- if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) {
- perror("open(IPSTATE_NAME)");
- exit(-1);
- }
- if ((auth_fd = open(IPAUTH_NAME, O_RDONLY)) == -1) {
- perror("open(IPAUTH_NAME)");
- exit(-1);
- }
- if ((nat_fd = open(IPNAT_NAME, O_RDONLY)) == -1) {
- perror("open(IPAUTH_NAME)");
- exit(-1);
- }
- if ((ipf_fd = open(IPL_NAME, O_RDONLY)) == -1) {
- fprintf(stderr, "open(%s)", IPL_NAME);
- perror("");
- exit(-1);
- }
- }
-
- if (kern != NULL || memf != NULL) {
- (void)setgid(getgid());
- (void)setuid(getuid());
- }
-
- if (live_kernel == 1) {
- (void) checkrev(IPL_NAME);
- } else {
- if (openkmem(kern, memf) == -1)
- exit(-1);
- }
-
- (void)setgid(getgid());
- (void)setuid(getuid());
-
- opterr = 1;
-
- while ((c = getopt(argc, argv, options)) != -1)
- {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'a' :
- opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
- opts |= OPT_AUTHSTATS;
- break;
- case 'C' :
- topclosed = 1;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'D' :
- parse_ipportstr(optarg, &daddr, &dport);
- break;
- case 'f' :
- opts |= OPT_FRSTATES;
- break;
- case 'g' :
- opts |= OPT_GROUPS;
- break;
- case 'h' :
- opts |= OPT_HITS;
- break;
- case 'i' :
- opts |= OPT_INQUE|OPT_SHOWLIST;
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'M' :
- break;
- case 'N' :
- break;
- case 'n' :
- opts |= OPT_SHOWLINENO;
- break;
- case 'o' :
- opts |= OPT_OUTQUE|OPT_SHOWLIST;
- break;
- case 'P' :
- protocol = getproto(optarg);
- if (protocol == -1) {
- fprintf(stderr, "%s: Invalid protocol: %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 's' :
- opts |= OPT_IPSTATES;
- break;
- case 'S' :
- parse_ipportstr(optarg, &saddr, &sport);
- break;
- case 't' :
-#ifdef STATETOP
- opts |= OPT_STATETOP;
- break;
-#else
- fprintf(stderr,
- "%s: state top facility not compiled in\n",
- argv[0]);
- exit(-2);
-#endif
- case 'T' :
- if (!sscanf(optarg, "%d", &refreshtime) ||
- (refreshtime <= 0)) {
- fprintf(stderr,
- "%s: Invalid refreshtime < 1 : %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- usage(argv[0]);
- break;
- }
- }
-
- if (live_kernel == 1) {
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- ipfstate_live(IPL_NAME, &fiop, &ipsstp, &ifrstp,
- &frauthstp, &frf);
- } else
- ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
-
- if (opts & OPT_IPSTATES) {
- showipstates(ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(fiop);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(fiop);
- }
- } else if (opts & OPT_FRSTATES)
- showfrstates(ifrstp, fiop->f_ticks);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(saddr, daddr, sport, dport, protocol,
- use_inet6 ? 6 : 4, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(fiop);
- else
- showstats(fiop, frf);
-
- return 0;
-}
-
-
-/*
- * Fill in the stats structures from the live kernel, using a combination
- * of ioctl's and copying directly from kernel memory.
- */
-static void ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *device;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- ipfobj_t ipfo;
-
- if (checkrev(device) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- exit(1);
- }
-
- if ((opts & OPT_AUTHSTATS) == 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_IPFSTAT;
- ipfo.ipfo_size = sizeof(friostat_t);
- ipfo.ipfo_ptr = (void *)*fiopp;
-
- if (ioctl(ipf_fd, SIOCGETFS, &ipfo) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
- exit(-1);
- }
-
- if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
- perror("ioctl(SIOCGETFF)");
- }
-
- if ((opts & OPT_IPSTATES) != 0) {
-
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_STATESTAT;
- ipfo.ipfo_size = sizeof(ips_stat_t);
- ipfo.ipfo_ptr = (void *)*ipsstpp;
-
- if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
- exit(-1);
- }
- if (ioctl(state_fd, SIOCGETLG, &state_logging) == -1) {
- perror("ioctl(state:SIOCGETLG)");
- exit(-1);
- }
- }
-
- if ((opts & OPT_FRSTATES) != 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_FRAGSTAT;
- ipfo.ipfo_size = sizeof(ipfrstat_t);
- ipfo.ipfo_ptr = (void *)*ifrstpp;
-
- if (ioctl(ipf_fd, SIOCGFRST, &ipfo) == -1) {
- perror("ioctl(SIOCGFRST)");
- exit(-1);
- }
- }
-
- if (opts & OPT_DEBUG)
- PRINTF("opts %#x name %s\n", opts, device);
-
- if ((opts & OPT_AUTHSTATS) != 0) {
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_AUTHSTAT;
- ipfo.ipfo_size = sizeof(fr_authstat_t);
- ipfo.ipfo_ptr = (void *)*frauthstpp;
-
- if (ioctl(auth_fd, SIOCATHST, &ipfo) == -1) {
- perror("ioctl(SIOCATHST)");
- exit(-1);
- }
- }
-}
-
-
-/*
- * Build up the stats structures from data held in the "core" memory.
- * This is mainly useful when looking at data in crash dumps and ioctl's
- * just won't work any more.
- */
-static void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp)
-char *kernel;
-friostat_t **fiopp;
-ips_stat_t **ipsstpp;
-ipfrstat_t **ifrstpp;
-fr_authstat_t **frauthstpp;
-u_32_t *frfp;
-{
- static fr_authstat_t frauthst, *frauthstp;
- static ips_stat_t ipsst, *ipsstp;
- static ipfrstat_t ifrst, *ifrstp;
- static friostat_t fio, *fiop;
- static ipftq_t ipssttab[IPF_TCP_NSTATES];
- int temp;
-
- void *rules[2][2];
- struct nlist deadlist[44] = {
- { "fr_authstats" }, /* 0 */
- { "fae_list" },
- { "ipauth" },
- { "fr_authlist" },
- { "fr_authstart" },
- { "fr_authend" }, /* 5 */
- { "fr_authnext" },
- { "fr_auth" },
- { "fr_authused" },
- { "fr_authsize" },
- { "fr_defaultauthage" }, /* 10 */
- { "fr_authpkts" },
- { "fr_auth_lock" },
- { "frstats" },
- { "ips_stats" },
- { "ips_num" }, /* 15 */
- { "ips_wild" },
- { "ips_list" },
- { "ips_table" },
- { "fr_statemax" },
- { "fr_statesize" }, /* 20 */
- { "fr_state_doflush" },
- { "fr_state_lock" },
- { "ipfr_heads" },
- { "ipfr_nattab" },
- { "ipfr_stats" }, /* 25 */
- { "ipfr_inuse" },
- { "fr_ipfrttl" },
- { "fr_frag_lock" },
- { "ipfr_timer_id" },
- { "fr_nat_lock" }, /* 30 */
- { "ipfilter" },
- { "ipfilter6" },
- { "ipacct" },
- { "ipacct6" },
- { "ipl_frouteok" }, /* 35 */
- { "fr_running" },
- { "ipfgroups" },
- { "fr_active" },
- { "fr_pass" },
- { "fr_flags" }, /* 40 */
- { "ipstate_logging" },
- { "ips_tqtqb" },
- { NULL }
- };
-
-
- frauthstp = &frauthst;
- ipsstp = &ipsst;
- ifrstp = &ifrst;
- fiop = &fio;
-
- *frfp = 0;
- *fiopp = fiop;
- *ipsstpp = ipsstp;
- *ifrstpp = ifrstp;
- *frauthstpp = frauthstp;
-
- bzero((char *)fiop, sizeof(*fiop));
- bzero((char *)ipsstp, sizeof(*ipsstp));
- bzero((char *)ifrstp, sizeof(*ifrstp));
- bzero((char *)frauthstp, sizeof(*frauthstp));
-
- if (nlist(kernel, deadlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * This is for SIOCGETFF.
- */
- kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp));
-
- /*
- * f_locks is a combination of the lock variable from each part of
- * ipfilter (state, auth, nat, fragments).
- */
- kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value,
- sizeof(fiop->f_locks[0]));
- kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value,
- sizeof(fiop->f_locks[1]));
- kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value,
- sizeof(fiop->f_locks[2]));
- kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value,
- sizeof(fiop->f_locks[3]));
-
- /*
- * Get pointers to each list of rules (active, inactive, in, out)
- */
- kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules));
- fiop->f_fin[0] = rules[0][0];
- fiop->f_fin[1] = rules[0][1];
- fiop->f_fout[0] = rules[1][0];
- fiop->f_fout[1] = rules[1][1];
-
- /*
- * Same for IPv6, except make them null if support for it is not
- * being compiled in.
- */
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules));
- fiop->f_fin6[0] = rules[0][0];
- fiop->f_fin6[1] = rules[0][1];
- fiop->f_fout6[0] = rules[1][0];
- fiop->f_fout6[1] = rules[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
-#endif
-
- /*
- * Now get accounting rules pointers.
- */
- kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules));
- fiop->f_acctin[0] = rules[0][0];
- fiop->f_acctin[1] = rules[0][1];
- fiop->f_acctout[0] = rules[1][0];
- fiop->f_acctout[1] = rules[1][1];
-
-#ifdef USE_INET6
- kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules));
- fiop->f_acctin6[0] = rules[0][0];
- fiop->f_acctin6[1] = rules[0][1];
- fiop->f_acctout6[0] = rules[1][0];
- fiop->f_acctout6[1] = rules[1][1];
-#else
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
-
- /*
- * A collection of "global" variables used inside the kernel which
- * are all collected in friostat_t via ioctl.
- */
- kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value,
- sizeof(fiop->f_froute));
- kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value,
- sizeof(fiop->f_running));
- kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value,
- sizeof(fiop->f_groups));
- kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value,
- sizeof(fiop->f_active));
- kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value,
- sizeof(fiop->f_defpass));
-
- /*
- * Build up the state information stats structure.
- */
- kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp));
- kmemcpy((char *)&temp, (u_long)deadlist[15].n_value, sizeof(temp));
- kmemcpy((char *)ipssttab, (u_long)deadlist[42].n_value,
- sizeof(ipssttab));
- ipsstp->iss_active = temp;
- ipsstp->iss_table = (void *)deadlist[18].n_value;
- ipsstp->iss_list = (void *)deadlist[17].n_value;
- ipsstp->iss_tcptab = ipssttab;
-
- /*
- * Build up the authentiation information stats structure.
- */
- kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value,
- sizeof(*frauthstp));
- frauthstp->fas_faelist = (void *)deadlist[1].n_value;
-
- /*
- * Build up the fragment information stats structure.
- */
- kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value,
- sizeof(*ifrstp));
- ifrstp->ifs_table = (void *)deadlist[23].n_value;
- ifrstp->ifs_nattab = (void *)deadlist[24].n_value;
- kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value,
- sizeof(ifrstp->ifs_inuse));
-
- /*
- * Get logging on/off switches
- */
- kmemcpy((char *)&state_logging, (u_long)deadlist[41].n_value,
- sizeof(state_logging));
-}
-
-
-/*
- * Display the kernel stats for packets blocked and passed and other
- * associated running totals which are kept.
- */
-static void showstats(fp, frf)
-struct friostat *fp;
-u_32_t frf;
-{
-
- PRINTF("bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#ifdef USE_INET6
- PRINTF(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6, fp->f_st[1].fr_ipv6);
-#endif
- PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- PRINTF(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- PRINTF("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- PRINTF(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr,
- fp->f_st[0].fr_cfr);
- PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
- PRINTF("IPF Ticks:\t%lu\n", fp->f_ticks);
-
- PRINTF("Packet log flags set: (%#x)\n", frf);
- if (frf & FF_LOGPASS)
- PRINTF("\tpackets passed through filter\n");
- if (frf & FF_LOGBLOCK)
- PRINTF("\tpackets blocked by filter\n");
- if (frf & FF_LOGNOMATCH)
- PRINTF("\tpackets not matched by filter\n");
- if (!frf)
- PRINTF("\tnone\n");
-}
-
-
-/*
- * Print out a list of rules from the kernel, starting at the one passed.
- */
-static void printlivelist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
-{
- struct frentry fb;
- ipfruleiter_t rule;
- frentry_t zero;
- frgroup_t *g;
- ipfobj_t obj;
- int n;
-
- if (use_inet6 == 1)
- fb.fr_v = 6;
- else
- fb.fr_v = 4;
- fb.fr_next = fp;
- n = 0;
-
- rule.iri_inout = out;
- rule.iri_active = set;
- rule.iri_rule = &fb;
- rule.iri_nrules = 1;
- rule.iri_v = use_inet6 ? 6 : 4;
- if (group != NULL)
- strncpy(rule.iri_group, group, FR_GROUPLEN);
- else
- rule.iri_group[0] = '\0';
-
- bzero((char *)&zero, sizeof(zero));
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_IPFITER;
- obj.ipfo_size = sizeof(rule);
- obj.ipfo_ptr = &rule;
-
- do {
- u_long array[1000];
-
- memset(array, 0xff, sizeof(array));
- fp = (frentry_t *)array;
- rule.iri_rule = fp;
- if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
- perror("ioctl(SIOCIPFITER)");
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
- return;
- }
- if (bcmp(fp, &zero, sizeof(zero)) == 0)
- break;
- if (fp->fr_data != NULL)
- fp->fr_data = (char *)fp + sizeof(*fp);
-
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_hits);
-#else
- PRINTF("%lu ", fp->fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fp->fr_bytes);
-#else
- PRINTF("%lu ", fp->fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
-
- printfr(fp, ioctl);
- if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
- if (fp->fr_data != NULL && fp->fr_dsize > 0)
- binprint(fp->fr_data, fp->fr_dsize);
- }
- if (fp->fr_grhead[0] != '\0') {
- for (g = grtop; g != NULL; g = g->fg_next) {
- if (!strncmp(fp->fr_grhead, g->fg_name,
- FR_GROUPLEN))
- break;
- }
- if (g == NULL) {
- g = calloc(1, sizeof(*g));
-
- if (g != NULL) {
- strncpy(g->fg_name, fp->fr_grhead,
- FR_GROUPLEN);
- if (grtop == NULL) {
- grtop = g;
- grtail = g;
- } else {
- grtail->fg_next = g;
- grtail = g;
- }
- }
- }
- }
- if (fp->fr_type == FR_T_CALLFUNC) {
- printlivelist(out, set, fp->fr_data, group,
- "# callfunc: ");
- }
- } while (fp->fr_next != NULL);
-
- n = IPFGENITER_IPF;
- ioctl(ipf_fd, SIOCIPFDELTOK, &n);
-
- if (group == NULL) {
- while ((g = grtop) != NULL) {
- printf("# Group %s\n", g->fg_name);
- printlivelist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
- }
-}
-
-
-static void printdeadlist(out, set, fp, group, comment)
-int out, set;
-frentry_t *fp;
-char *group, *comment;
-{
- frgroup_t *grtop, *grtail, *g;
- struct frentry fb;
- char *data;
- u_32_t type;
- int n;
-
- fb.fr_next = fp;
- n = 0;
- grtop = NULL;
- grtail = NULL;
-
- do {
- fp = fb.fr_next;
- if (kmemcpy((char *)&fb, (u_long)fb.fr_next,
- sizeof(fb)) == -1) {
- perror("kmemcpy");
- return;
- }
-
- data = NULL;
- type = fb.fr_type & ~FR_T_BUILTIN;
- if (type == FR_T_IPF || type == FR_T_BPFOPC) {
- if (fb.fr_dsize) {
- data = malloc(fb.fr_dsize);
-
- if (kmemcpy(data, (u_long)fb.fr_data,
- fb.fr_dsize) == -1) {
- perror("kmemcpy");
- return;
- }
- fb.fr_data = data;
- }
- }
-
- n++;
-
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_hits);
-#else
- PRINTF("%lu ", fb.fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- PRINTF("%qu ", (unsigned long long) fb.fr_bytes);
-#else
- PRINTF("%lu ", fb.fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- PRINTF("@%d ", n);
-
- printfr(fp, ioctl);
- if (opts & OPT_DEBUG) {
- binprint(fp, sizeof(*fp));
- if (fb.fr_data != NULL && fb.fr_dsize > 0)
- binprint(fb.fr_data, fb.fr_dsize);
- }
- if (data != NULL)
- free(data);
- if (fb.fr_grhead[0] != '\0') {
- g = calloc(1, sizeof(*g));
-
- if (g != NULL) {
- strncpy(g->fg_name, fb.fr_grhead,
- FR_GROUPLEN);
- if (grtop == NULL) {
- grtop = g;
- grtail = g;
- } else {
- grtail->fg_next = g;
- grtail = g;
- }
- }
- }
- if (type == FR_T_CALLFUNC) {
- printdeadlist(out, set, fb.fr_data, group,
- "# callfunc: ");
- }
- } while (fb.fr_next != NULL);
-
- while ((g = grtop) != NULL) {
- printdeadlist(out, set, NULL, g->fg_name, comment);
- grtop = g->fg_next;
- free(g);
- }
-}
-
-/*
- * print out all of the asked for rule sets, using the stats struct as
- * the base from which to get the pointers.
- */
-static void showlist(fiop)
-struct friostat *fiop;
-{
- struct frentry *fp = NULL;
- int i, set;
-
- set = fiop->f_active;
- if (opts & OPT_INACTIVE)
- set = 1 - set;
- if (opts & OPT_ACCNT) {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_ACOUT;
- fp = (struct frentry *)fiop->f_acctout[set];
- } else if (opts & OPT_INQUE) {
- i = F_ACIN;
- fp = (struct frentry *)fiop->f_acctin[set];
- } else {
- FPRINTF(stderr, "No -i or -o given with -a\n");
- return;
- }
- } else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout[set];
- } else if (opts & OPT_INQUE) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin[set];
- } else
- return;
- }
- if (opts & OPT_DEBUG)
- FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
-
- if (opts & OPT_DEBUG)
- PRINTF("fp %p set %d\n", fp, set);
- if (!fp) {
- FPRINTF(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
- }
- if (live_kernel == 1)
- printlivelist(i, set, fp, NULL, NULL);
- else
- printdeadlist(i, set, fp, NULL, NULL);
-}
-
-
-/*
- * Display ipfilter stateful filtering information
- */
-static void showipstates(ipsp)
-ips_stat_t *ipsp;
-{
- u_long minlen, maxlen, totallen, *buckets;
- ipftable_t table;
- ipfobj_t obj;
- int i, sz;
-
- /*
- * If a list of states hasn't been asked for, only print out stats
- */
- if (!(opts & OPT_SHOWLIST)) {
-
- sz = sizeof(*buckets) * ipsp->iss_statesize;
- buckets = (u_long *)malloc(sz);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
-
- table.ita_type = IPFTABLE_BUCKETS;
- table.ita_table = buckets;
-
- if (live_kernel == 1) {
- if (ioctl(state_fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
- }
- } else {
- if (kmemcpy((char *)buckets,
- (u_long)ipsp->iss_bucketlen, sz)) {
- free(buckets);
- return;
- }
- }
-
- PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- PRINTF("\t%lu bucket full\n", ipsp->iss_bucketfull);
- PRINTF("\t%lu maximum rule references\n", ipsp->iss_maxref);
- PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
-
- PRINTF("State logging %sabled\n",
- state_logging ? "en" : "dis");
-
- PRINTF("\nState table bucket statistics:\n");
- PRINTF("\t%lu in use\t\n", ipsp->iss_inuse);
- PRINTF("\t%u%% hash efficiency\n", ipsp->iss_active ?
- (u_int)(ipsp->iss_inuse * 100 / ipsp->iss_active) : 0);
-
- minlen = ipsp->iss_inuse;
- totallen = 0;
- maxlen = 0;
-
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- totallen += buckets[i];
- }
-
- PRINTF("\t%2.2f%% bucket usage\n\t%lu minimal length\n",
- ((float)ipsp->iss_inuse / ipsp->iss_statesize) * 100.0,
- minlen);
- PRINTF("\t%lu maximal length\n\t%.3f average length\n",
- maxlen,
- ipsp->iss_inuse ? (float) totallen/ ipsp->iss_inuse :
- 0.0);
-
-#define ENTRIES_PER_LINE 5
-
- if (opts & OPT_VERBOSE) {
- PRINTF("\nCurrent bucket sizes :\n");
- for (i = 0; i < ipsp->iss_statesize; i++) {
- if ((i % ENTRIES_PER_LINE) == 0)
- PRINTF("\t");
- PRINTF("%4d -> %4lu", i, buckets[i]);
- if ((i % ENTRIES_PER_LINE) ==
- (ENTRIES_PER_LINE - 1))
- PRINTF("\n");
- else
- PRINTF(" ");
- }
- PRINTF("\n");
- }
- PRINTF("\n");
-
- free(buckets);
-
- if (live_kernel == 1) {
- showtqtable_live(state_fd);
- } else {
- printtqtable(ipsp->iss_tcptab);
- }
-
- return;
-
- }
-
- /*
- * Print out all the state information currently held in the kernel.
- */
- while (ipsp->iss_list != NULL) {
- ipstate_t ips;
-
- ipsp->iss_list = fetchstate(ipsp->iss_list, &ips);
-
- if (ipsp->iss_list != NULL) {
- ipsp->iss_list = ips.is_next;
- printstate(&ips, opts, ipsp->iss_ticks);
- }
- }
-}
-
-
-#ifdef STATETOP
-static int handle_resize = 0, handle_break = 0;
-
-static void topipstates(saddr, daddr, sport, dport, protocol, ver,
- refreshtime, topclosed)
-i6addr_t saddr;
-i6addr_t daddr;
-int sport;
-int dport;
-int protocol;
-int ver;
-int refreshtime;
-int topclosed;
-{
- char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
- int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
- int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0;
- int len, srclen, dstlen, forward = 1, c = 0;
- ips_stat_t ipsst, *ipsstp = &ipsst;
- statetop_t *tstable = NULL, *tp;
- const char *errstr = "";
- ipstate_t ips;
- ipfobj_t ipfo;
- struct timeval selecttimeout;
- char hostnm[HOSTNMLEN];
- struct protoent *proto;
- fd_set readfd;
- time_t t;
-
- /* install signal handlers */
- signal(SIGINT, sig_break);
- signal(SIGQUIT, sig_break);
- signal(SIGTERM, sig_break);
- signal(SIGWINCH, sig_resize);
-
- /* init ncurses stuff */
- initscr();
- cbreak();
- noecho();
- curs_set(0);
- timeout(0);
- getmaxyx(stdscr, maxy, maxx);
-
- /* init hostname */
- gethostname(hostnm, sizeof(hostnm) - 1);
- hostnm[sizeof(hostnm) - 1] = '\0';
-
- /* init ipfobj_t stuff */
- bzero((caddr_t)&ipfo, sizeof(ipfo));
- ipfo.ipfo_rev = IPFILTER_VERSION;
- ipfo.ipfo_type = IPFOBJ_STATESTAT;
- ipfo.ipfo_size = sizeof(*ipsstp);
- ipfo.ipfo_ptr = (void *)ipsstp;
-
- /* repeat until user aborts */
- while ( 1 ) {
-
- /* get state table */
- bzero((char *)&ipsst, sizeof(ipsst));
- if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) {
- errstr = "ioctl(SIOCGETFS)";
- ret = -1;
- goto out;
- }
-
- /* clear the history */
- tsentry = -1;
-
- /* reset max str len */
- srclen = dstlen = 0;
-
- /* read the state table and store in tstable */
- for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) {
-
- ipsstp->iss_list = fetchstate(ipsstp->iss_list, &ips);
- if (ipsstp->iss_list == NULL)
- break;
-
- if (ips.is_v != ver)
- continue;
-
- /* check v4 src/dest addresses */
- if (ips.is_v == 4) {
- if ((saddr.in4.s_addr != INADDR_ANY &&
- saddr.in4.s_addr != ips.is_saddr) ||
- (daddr.in4.s_addr != INADDR_ANY &&
- daddr.in4.s_addr != ips.is_daddr))
- continue;
- }
-#ifdef USE_INET6
- /* check v6 src/dest addresses */
- if (ips.is_v == 6) {
- if ((IP6_NEQ(&saddr, &in6addr_any) &&
- IP6_NEQ(&saddr, &ips.is_src)) ||
- (IP6_NEQ(&daddr, &in6addr_any) &&
- IP6_NEQ(&daddr, &ips.is_dst)))
- continue;
- }
-#endif
- /* check protocol */
- if (protocol > 0 && protocol != ips.is_p)
- continue;
-
- /* check ports if protocol is TCP or UDP */
- if (((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) &&
- (((sport > 0) && (htons(sport) != ips.is_sport)) ||
- ((dport > 0) && (htons(dport) != ips.is_dport))))
- continue;
-
- /* show closed TCP sessions ? */
- if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) &&
- (ips.is_state[0] >= IPF_TCPS_LAST_ACK) &&
- (ips.is_state[1] >= IPF_TCPS_LAST_ACK))
- continue;
-
- /*
- * if necessary make room for this state
- * entry
- */
- tsentry++;
- if (!maxtsentries || tsentry == maxtsentries) {
- maxtsentries += STGROWSIZE;
- tstable = realloc(tstable,
- maxtsentries * sizeof(statetop_t));
- if (tstable == NULL) {
- perror("realloc");
- exit(-1);
- }
- }
-
- /* get max src/dest address string length */
- len = strlen(getip(ips.is_v, &ips.is_src));
- if (srclen < len)
- srclen = len;
- len = strlen(getip(ips.is_v, &ips.is_dst));
- if (dstlen < len)
- dstlen = len;
-
- /* fill structure */
- tp = tstable + tsentry;
- tp->st_src = ips.is_src;
- tp->st_dst = ips.is_dst;
- tp->st_p = ips.is_p;
- tp->st_v = ips.is_v;
- tp->st_state[0] = ips.is_state[0];
- tp->st_state[1] = ips.is_state[1];
- if (forward) {
- tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1];
- tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1];
- } else {
- tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3];
- tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3];
- }
- tp->st_age = ips.is_die - ipsstp->iss_ticks;
- if ((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) {
- tp->st_sport = ips.is_sport;
- tp->st_dport = ips.is_dport;
- }
- }
-
-
- /* sort the array */
- if (tsentry != -1) {
- switch (sorting)
- {
- case STSORT_PR:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_p);
- break;
- case STSORT_PKTS:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_pkts);
- break;
- case STSORT_BYTES:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_bytes);
- break;
- case STSORT_TTL:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_ttl);
- break;
- case STSORT_SRCIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_srcip);
- break;
- case STSORT_SRCPT:
- qsort(tstable, tsentry +1,
- sizeof(statetop_t), sort_srcpt);
- break;
- case STSORT_DSTIP:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstip);
- break;
- case STSORT_DSTPT:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_dstpt);
- break;
- default:
- break;
- }
- }
-
- /* handle window resizes */
- if (handle_resize) {
- endwin();
- initscr();
- cbreak();
- noecho();
- curs_set(0);
- timeout(0);
- getmaxyx(stdscr, maxy, maxx);
- redraw = 1;
- handle_resize = 0;
- }
-
- /* stop program? */
- if (handle_break)
- break;
-
- /* print title */
- erase();
- attron(A_BOLD);
- winy = 0;
- move(winy,0);
- sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
- for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
- printw(" ");
- printw("%s", str1);
- attroff(A_BOLD);
-
- /* just for fun add a clock */
- move(winy, maxx - 8);
- t = time(NULL);
- strftime(str1, 80, "%T", localtime(&t));
- printw("%s\n", str1);
-
- /*
- * print the display filters, this is placed in the loop,
- * because someday I might add code for changing these
- * while the programming is running :-)
- */
- if (sport >= 0)
- sprintf(str1, "%s,%d", getip(ver, &saddr), sport);
- else
- sprintf(str1, "%s", getip(ver, &saddr));
-
- if (dport >= 0)
- sprintf(str2, "%s,%d", getip(ver, &daddr), dport);
- else
- sprintf(str2, "%s", getip(ver, &daddr));
-
- if (protocol < 0)
- strcpy(str3, "any");
- else if ((proto = getprotobynumber(protocol)) != NULL)
- sprintf(str3, "%s", proto->p_name);
- else
- sprintf(str3, "%d", protocol);
-
- switch (sorting)
- {
- case STSORT_PR:
- sprintf(str4, "proto");
- break;
- case STSORT_PKTS:
- sprintf(str4, "# pkts");
- break;
- case STSORT_BYTES:
- sprintf(str4, "# bytes");
- break;
- case STSORT_TTL:
- sprintf(str4, "ttl");
- break;
- case STSORT_SRCIP:
- sprintf(str4, "src ip");
- break;
- case STSORT_SRCPT:
- sprintf(str4, "src port");
- break;
- case STSORT_DSTIP:
- sprintf(str4, "dest ip");
- break;
- case STSORT_DSTPT:
- sprintf(str4, "dest port");
- break;
- default:
- sprintf(str4, "unknown");
- break;
- }
-
- if (reverse)
- strcat(str4, " (reverse)");
-
- winy += 2;
- move(winy,0);
- printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n",
- str1, str2, str3, str4);
-
- /*
- * For an IPv4 IP address we need at most 15 characters,
- * 4 tuples of 3 digits, separated by 3 dots. Enforce this
- * length, so the colums do not change positions based
- * on the size of the IP address. This length makes the
- * output fit in a 80 column terminal.
- * We are lacking a good solution for IPv6 addresses (that
- * can be longer that 15 characters), so we do not enforce
- * a maximum on the IP field size.
- */
- if (srclen < 15)
- srclen = 15;
- if (dstlen < 15)
- dstlen = 15;
-
- /* print column description */
- winy += 2;
- move(winy,0);
- attron(A_BOLD);
- printw("%-*s %-*s %3s %4s %7s %9s %9s\n",
- srclen + 6, "Source IP", dstlen + 6, "Destination IP",
- "ST", "PR", "#pkts", "#bytes", "ttl");
- attroff(A_BOLD);
-
- /* print all the entries */
- tp = tstable;
- if (reverse)
- tp += tsentry;
-
- if (tsentry > maxy - 6)
- tsentry = maxy - 6;
- for (i = 0; i <= tsentry; i++) {
- /* print src/dest and port */
- if ((tp->st_p == IPPROTO_TCP) ||
- (tp->st_p == IPPROTO_UDP)) {
- sprintf(str1, "%s,%hu",
- getip(tp->st_v, &tp->st_src),
- ntohs(tp->st_sport));
- sprintf(str2, "%s,%hu",
- getip(tp->st_v, &tp->st_dst),
- ntohs(tp->st_dport));
- } else {
- sprintf(str1, "%s", getip(tp->st_v,
- &tp->st_src));
- sprintf(str2, "%s", getip(tp->st_v,
- &tp->st_dst));
- }
- winy++;
- move(winy, 0);
- printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2);
-
- /* print state */
- sprintf(str1, "%X/%X", tp->st_state[0],
- tp->st_state[1]);
- printw(" %3s", str1);
-
- /* print protocol */
- proto = getprotobynumber(tp->st_p);
- if (proto) {
- strncpy(str1, proto->p_name, 4);
- str1[4] = '\0';
- } else {
- sprintf(str1, "%d", tp->st_p);
- }
- /* just print icmp for IPv6-ICMP */
- if (tp->st_p == IPPROTO_ICMPV6)
- strcpy(str1, "icmp");
- printw(" %4s", str1);
-
- /* print #pkt/#bytes */
-#ifdef USE_QUAD_T
- printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
- (unsigned long long) tp->st_bytes);
-#else
- printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
-#endif
- printw(" %9s", ttl_to_string(tp->st_age));
-
- if (reverse)
- tp--;
- else
- tp++;
- }
-
- /* screen data structure is filled, now update the screen */
- if (redraw)
- clearok(stdscr,1);
-
- if (refresh() == ERR)
- break;
- if (redraw) {
- clearok(stdscr,0);
- redraw = 0;
- }
-
- /* wait for key press or a 1 second time out period */
- selecttimeout.tv_sec = refreshtime;
- selecttimeout.tv_usec = 0;
- FD_ZERO(&readfd);
- FD_SET(0, &readfd);
- select(1, &readfd, NULL, NULL, &selecttimeout);
-
- /* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd)) {
- c = wgetch(stdscr);
- if (c == ERR)
- continue;
-
- if (ISALPHA(c) && ISUPPER(c))
- c = TOLOWER(c);
- if (c == 'l') {
- redraw = 1;
- } else if (c == 'q') {
- break;
- } else if (c == 'r') {
- reverse = !reverse;
- } else if (c == 'b') {
- forward = 0;
- } else if (c == 'f') {
- forward = 1;
- } else if (c == 's') {
- if (++sorting > STSORT_MAX)
- sorting = 0;
- }
- }
- } /* while */
-
-out:
- printw("\n");
- curs_set(1);
- /* nocbreak(); XXX - endwin() should make this redundant */
- endwin();
-
- free(tstable);
- if (ret != 0)
- perror(errstr);
-}
-#endif
-
-
-/*
- * Show fragment cache information that's held in the kernel.
- */
-static void showfrstates(ifsp, ticks)
-ipfrstat_t *ifsp;
-u_long ticks;
-{
- struct ipfr *ipfrtab[IPFT_SIZE], ifr;
- int i;
-
- /*
- * print out the numeric statistics
- */
- PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
- ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- PRINTF("\t%lu retrans\n\t%lu too short\n",
- ifsp->ifs_retrans0, ifsp->ifs_short);
- PRINTF("\t%lu no memory\n\t%lu already exist\n",
- ifsp->ifs_nomem, ifsp->ifs_exists);
- PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
- PRINTF("\n");
-
- if (live_kernel == 0) {
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table,
- sizeof(ipfrtab)))
- return;
- }
-
- /*
- * Print out the contents (if any) of the fragment cache table.
- */
- if (live_kernel == 1) {
- do {
- if (fetchfrag(ipf_fd, IPFGENITER_FRAG, &ifr) != 0)
- break;
- if (ifr.ipfr_ifp == NULL)
- break;
- ifr.ipfr_ttl -= ticks;
- printfraginfo("", &ifr);
- } while (1);
- } else {
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i] != NULL) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printfraginfo("", &ifr);
- ipfrtab[i] = ifr.ipfr_next;
- }
- }
- /*
- * Print out the contents (if any) of the NAT fragment cache table.
- */
-
- if (live_kernel == 0) {
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,
- sizeof(ipfrtab)))
- return;
- }
-
- if (live_kernel == 1) {
- do {
- if (fetchfrag(nat_fd, IPFGENITER_NATFRAG, &ifr) != 0)
- break;
- if (ifr.ipfr_ifp == NULL)
- break;
- ifr.ipfr_ttl -= ticks;
- printfraginfo("NAT: ", &ifr);
- } while (1);
- } else {
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i] != NULL) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printfraginfo("NAT: ", &ifr);
- ipfrtab[i] = ifr.ipfr_next;
- }
- }
-}
-
-
-/*
- * Show stats on how auth within IPFilter has been used
- */
-static void showauthstates(asp)
-fr_authstat_t *asp;
-{
- frauthent_t *frap, fra;
- ipfgeniter_t auth;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(auth);
- obj.ipfo_ptr = &auth;
-
- auth.igi_type = IPFGENITER_AUTH;
- auth.igi_nitems = 1;
- auth.igi_data = &fra;
-
-#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
- (unsigned long long) asp->fas_hits,
- (unsigned long long) asp->fas_miss);
-#else
- printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
- asp->fas_miss);
-#endif
- printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
- asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
- asp->fas_sendok);
- printf("queok %ld\nquefail %ld\nexpire %ld\n",
- asp->fas_queok, asp->fas_quefail, asp->fas_expire);
-
- frap = asp->fas_faelist;
- while (frap) {
- if (live_kernel == 1) {
- if (ioctl(auth_fd, SIOCGENITER, &obj))
- break;
- } else {
- if (kmemcpy((char *)&fra, (u_long)frap,
- sizeof(fra)) == -1)
- break;
- }
- printf("age %ld\t", fra.fae_age);
- printfr(&fra.fae_fr, ioctl);
- frap = fra.fae_next;
- }
-}
-
-
-/*
- * Display groups used for each of filter rules, accounting rules and
- * authentication, separately.
- */
-static void showgroups(fiop)
-struct friostat *fiop;
-{
- static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
- static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH };
- frgroup_t *fp, grp;
- int on, off, i;
-
- on = fiop->f_active;
- off = 1 - on;
-
- for (i = 0; i < 3; i++) {
- printf("%s groups (active):\n", gnames[i]);
- for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL;
- fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%s\n", grp.fg_name);
- printf("%s groups (inactive):\n", gnames[i]);
- for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL;
- fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%s\n", grp.fg_name);
- }
-}
-
-static void parse_ipportstr(argument, ip, port)
-const char *argument;
-i6addr_t *ip;
-int *port;
-{
- char *s, *comma;
- int ok = 0;
-
- /* make working copy of argument, Theoretically you must be able
- * to write to optarg, but that seems very ugly to me....
- */
- s = strdup(argument);
- if (s == NULL)
- return;
-
- /* get port */
- if ((comma = strchr(s, ',')) != NULL) {
- if (!strcasecmp(comma + 1, "any")) {
- *port = -1;
- } else if (!sscanf(comma + 1, "%d", port) ||
- (*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specification in %s\n",
- argument);
- free(s);
- exit(-2);
- }
- *comma = '\0';
- }
-
-
- /* get ip address */
- if (!strcasecmp(s, "any")) {
- ip->in4.s_addr = INADDR_ANY;
- ok = 1;
-#ifdef USE_INET6
- ip->in6 = in6addr_any;
- } else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) {
- ok = 1;
-#endif
- } else if (inet_aton(s, &ip->in4))
- ok = 1;
-
- if (ok == 0) {
- fprintf(stderr, "Invalid IP address: %s\n", s);
- free(s);
- exit(-2);
- }
-
- /* free allocated memory */
- free(s);
-}
-
-
-#ifdef STATETOP
-static void sig_resize(s)
-int s;
-{
- handle_resize = 1;
-}
-
-static void sig_break(s)
-int s;
-{
- handle_break = 1;
-}
-
-static char *getip(v, addr)
-int v;
-i6addr_t *addr;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
-
- if (v == 4)
- return inet_ntoa(addr->in4);
-
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-static char *ttl_to_string(ttl)
-long int ttl;
-{
- static char ttlbuf[STSTRSIZE];
- int hours, minutes, seconds;
-
- /* ttl is in half seconds */
- ttl /= 2;
-
- hours = ttl / 3600;
- ttl = ttl % 3600;
- minutes = ttl / 60;
- seconds = ttl % 60;
-
- if (hours > 0)
- sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
- else
- sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
- return ttlbuf;
-}
-
-
-static int sort_pkts(a, b)
-const void *a;
-const void *b;
-{
-
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_pkts == bp->st_pkts)
- return 0;
- else if (ap->st_pkts < bp->st_pkts)
- return 1;
- return -1;
-}
-
-
-static int sort_bytes(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_bytes == bp->st_bytes)
- return 0;
- else if (ap->st_bytes < bp->st_bytes)
- return 1;
- return -1;
-}
-
-
-static int sort_p(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_p == bp->st_p)
- return 0;
- else if (ap->st_p < bp->st_p)
- return 1;
- return -1;
-}
-
-
-static int sort_ttl(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_age == bp->st_age)
- return 0;
- else if (ap->st_age < bp->st_age)
- return 1;
- return -1;
-}
-
-static int sort_srcip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
-#ifdef USE_INET6
- if (use_inet6) {
- if (IP6_EQ(&ap->st_src, &bp->st_src))
- return 0;
- else if (IP6_GT(&ap->st_src, &bp->st_src))
- return 1;
- } else
-#endif
- {
- if (ntohl(ap->st_src.in4.s_addr) ==
- ntohl(bp->st_src.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_src.in4.s_addr) >
- ntohl(bp->st_src.in4.s_addr))
- return 1;
- }
- return -1;
-}
-
-static int sort_srcpt(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (htons(ap->st_sport) == htons(bp->st_sport))
- return 0;
- else if (htons(ap->st_sport) > htons(bp->st_sport))
- return 1;
- return -1;
-}
-
-static int sort_dstip(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
-#ifdef USE_INET6
- if (use_inet6) {
- if (IP6_EQ(&ap->st_dst, &bp->st_dst))
- return 0;
- else if (IP6_GT(&ap->st_dst, &bp->st_dst))
- return 1;
- } else
-#endif
- {
- if (ntohl(ap->st_dst.in4.s_addr) ==
- ntohl(bp->st_dst.in4.s_addr))
- return 0;
- else if (ntohl(ap->st_dst.in4.s_addr) >
- ntohl(bp->st_dst.in4.s_addr))
- return 1;
- }
- return -1;
-}
-
-static int sort_dstpt(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (htons(ap->st_dport) == htons(bp->st_dport))
- return 0;
- else if (htons(ap->st_dport) > htons(bp->st_dport))
- return 1;
- return -1;
-}
-
-#endif
-
-
-ipstate_t *fetchstate(src, dst)
-ipstate_t *src, *dst;
-{
- int i;
-
- if (live_kernel == 1) {
- ipfgeniter_t state;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(state);
- obj.ipfo_ptr = &state;
-
- state.igi_type = IPFGENITER_STATE;
- state.igi_nitems = 1;
- state.igi_data = dst;
-
- if (ioctl(state_fd, SIOCGENITER, &obj) != 0)
- return NULL;
- if (dst->is_next == NULL) {
- i = IPFGENITER_STATE;
- ioctl(state_fd, SIOCIPFDELTOK, &i);
- }
- } else {
- if (kmemcpy((char *)dst, (u_long)src, sizeof(*dst)))
- return NULL;
- }
- return dst;
-}
-
-
-static int fetchfrag(fd, type, frp)
-int fd, type;
-ipfr_t *frp;
-{
- ipfgeniter_t frag;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(frag);
- obj.ipfo_ptr = &frag;
-
- frag.igi_type = type;
- frag.igi_nitems = 1;
- frag.igi_data = frp;
-
- if (ioctl(fd, SIOCGENITER, &obj))
- return EFAULT;
- return 0;
-}
-
-
-static void showtqtable_live(fd)
-int fd;
-{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
-
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
- }
-}
diff --git a/contrib/ipfilter/tools/ipftest.c b/contrib/ipfilter/tools/ipftest.c
deleted file mode 100644
index 8343b2c..0000000
--- a/contrib/ipfilter/tools/ipftest.c
+++ /dev/null
@@ -1,804 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include "ipf.h"
-#include "ipt.h"
-#include <sys/ioctl.h>
-#include <sys/file.h>
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
-extern struct ifnet *get_unit __P((char *, int));
-extern void init_ifp __P((void));
-extern ipnat_t *natparse __P((char *, int));
-extern int fr_running;
-extern hostmap_t **ipf_hm_maptable;
-extern hostmap_t *ipf_hm_maplist;
-
-ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
-ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
-ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
-ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
-int opts = OPT_DONOTHING;
-int use_inet6 = 0;
-int docksum = 0;
-int pfil_delayed_copy = 0;
-int main __P((int, char *[]));
-int loadrules __P((char *, int));
-int kmemcpy __P((char *, long, int));
-int kstrncpy __P((char *, long, int n));
-void dumpnat __P((void));
-void dumpstate __P((void));
-void dumplookups __P((void));
-void dumpgroups __P((void));
-void drain_log __P((char *));
-void fixv4sums __P((mb_t *, ip_t *));
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux)
-int ipftestioctl __P((int, ioctlcmd_t, ...));
-int ipnattestioctl __P((int, ioctlcmd_t, ...));
-int ipstatetestioctl __P((int, ioctlcmd_t, ...));
-int ipauthtestioctl __P((int, ioctlcmd_t, ...));
-int ipscantestioctl __P((int, ioctlcmd_t, ...));
-int ipsynctestioctl __P((int, ioctlcmd_t, ...));
-int ipooltestioctl __P((int, ioctlcmd_t, ...));
-#else
-int ipftestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipnattestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipstatetestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipauthtestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipsynctestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipscantestioctl __P((dev_t, ioctlcmd_t, void *));
-int ipooltestioctl __P((dev_t, ioctlcmd_t, void *));
-#endif
-
-static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ipftestioctl,
- ipnattestioctl,
- ipstatetestioctl,
- ipauthtestioctl,
- ipsynctestioctl,
- ipscantestioctl,
- ipooltestioctl,
- NULL };
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- char *datain, *iface, *ifname, *logout;
- int fd, i, dir, c, loaded, dump, hlen;
- struct in_addr sip;
- struct ifnet *ifp;
- struct ipread *r;
- mb_t mb, *m;
- ip_t *ip;
-
- m = &mb;
- dir = 0;
- dump = 0;
- hlen = 0;
- loaded = 0;
- r = &iptext;
- iface = NULL;
- logout = NULL;
- datain = NULL;
- sip.s_addr = 0;
- ifname = "anon0";
-
- MUTEX_INIT(&ipf_rw, "ipf rw mutex");
- MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock");
- RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
- RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
- RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
-
- initparse();
- if (fr_initialise() == -1)
- abort();
- fr_running = 1;
-
- while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
- switch (c)
- {
- case '6' :
-#ifdef USE_INET6
- use_inet6 = 1;
-#else
- fprintf(stderr, "IPv6 not supported\n");
- exit(1);
-#endif
- break;
- case 'b' :
- opts |= OPT_BRIEF;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'C' :
- docksum = 1;
- break;
- case 'D' :
- dump = 1;
- break;
- case 'F' :
- if (strcasecmp(optarg, "pcap") == 0)
- r = &pcap;
- else if (strcasecmp(optarg, "etherfind") == 0)
- r = &etherf;
- else if (strcasecmp(optarg, "snoop") == 0)
- r = &snoop;
- else if (strcasecmp(optarg, "tcpdump") == 0)
- r = &tcpd;
- else if (strcasecmp(optarg, "hex") == 0)
- r = &iphex;
- else if (strcasecmp(optarg, "text") == 0)
- r = &iptext;
- break;
- case 'i' :
- datain = optarg;
- break;
- case 'I' :
- ifname = optarg;
- break;
- case 'l' :
- logout = optarg;
- break;
- case 'N' :
- if (ipnat_parsefile(-1, ipnat_addrule, ipnattestioctl,
- optarg) == -1)
- return -1;
- loaded = 1;
- opts |= OPT_NAT;
- break;
- case 'o' :
- opts |= OPT_SAVEOUT;
- break;
- case 'P' :
- if (ippool_parsefile(-1, optarg, ipooltestioctl) == -1)
- return -1;
- loaded = 1;
- break;
- case 'r' :
- if (ipf_parsefile(-1, ipf_addrule, iocfunctions,
- optarg) == -1)
- return -1;
- loaded = 1;
- break;
- case 'S' :
- sip.s_addr = inet_addr(optarg);
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'T' :
- ipf_dotuning(-1, optarg, ipftestioctl);
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEX;
- break;
- }
-
- if (loaded == 0) {
- (void)fprintf(stderr,"no rules loaded\n");
- exit(-1);
- }
-
- if (opts & OPT_SAVEOUT)
- init_ifp();
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = MTOD(m, ip_t *);
- while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
- &iface, &dir)) > 0) {
- if ((iface == NULL) || (*iface == '\0'))
- iface = ifname;
- ifp = get_unit(iface, IP_V(ip));
- if (!use_inet6) {
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- if ((r->r_flags & R_DO_CKSUM) || docksum)
- fixv4sums(m, ip);
- hlen = IP_HL(ip) << 2;
- if (sip.s_addr)
- dir = !(sip.s_addr == ip->ip_src.s_addr);
- }
-#ifdef USE_INET6
- else
- hlen = sizeof(ip6_t);
-#endif
- /* ipfr_slowtimer(); */
- m = &mb;
- m->mb_len = i;
- i = fr_check(ip, hlen, ifp, dir, &m);
- if ((opts & OPT_NAT) == 0)
- switch (i)
- {
- case -4 :
- (void)printf("preauth");
- break;
- case -3 :
- (void)printf("account");
- break;
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- if (m == NULL)
- (void)printf("bad-packet");
- else
- (void)printf("nomatch");
- break;
- case 3 :
- (void)printf("block return-rst");
- break;
- case 4 :
- (void)printf("block return-icmp");
- break;
- case 5 :
- (void)printf("block return-icmp-as-dest");
- break;
- default :
- (void)printf("recognised return %#x\n", i);
- break;
- }
- if (!use_inet6) {
- ip->ip_off = htons(ip->ip_off);
- ip->ip_len = htons(ip->ip_len);
- }
-
- if (!(opts & OPT_BRIEF)) {
- putchar(' ');
- printpacket(ip);
- printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket(ip);
- if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
-#if defined(__sgi) && (IRIX < 60500)
- (*ifp->if_output)(ifp, (void *)m, NULL);
-#else
-# if TRU64 >= 1885
- (*ifp->if_output)(ifp, (void *)m, NULL, 0, 0);
-# else
- (*ifp->if_output)(ifp, (void *)m, NULL, 0);
-# endif
-#endif
- if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
- putchar('\n');
- dir = 0;
- if (iface != ifname) {
- free(iface);
- iface = ifname;
- }
- m = &mb;
- }
-
- if (i != 0)
- fprintf(stderr, "readip failed: %d\n", i);
- (*r->r_close)();
-
- if (logout != NULL) {
- drain_log(logout);
- }
-
- if (dump == 1) {
- dumpnat();
- dumpstate();
- dumplookups();
- dumpgroups();
- }
-
- fr_deinitialise();
-
- return 0;
-}
-
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
- defined(__osf__) || defined(linux)
-int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipnattestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipstatetestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipauthtestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipscantestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipsynctestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
-{
- caddr_t data;
- va_list ap;
- int i;
-
- va_start(ap, cmd);
- data = va_arg(ap, caddr_t);
- va_end(ap);
-
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n",
- (u_int)cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-#else
-int ipftestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipnattestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipstatetestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipauthtestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipsynctestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipscantestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
- if ((opts & OPT_DEBUG) || (i != 0))
- fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-
-
-int ipooltestioctl(dev, cmd, data)
-dev_t dev;
-ioctlcmd_t cmd;
-void *data;
-{
- int i;
-
- i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i);
- if (i != 0) {
- errno = i;
- return -1;
- }
- return 0;
-}
-#endif
-
-
-int kmemcpy(addr, offset, size)
-char *addr;
-long offset;
-int size;
-{
- bcopy((char *)offset, addr, size);
- return 0;
-}
-
-
-int kstrncpy(buf, pos, n)
-char *buf;
-long pos;
-int n;
-{
- char *ptr;
-
- ptr = (char *)pos;
-
- while ((n > 0) && (*buf++ = *ptr++))
- ;
- return 0;
-}
-
-
-/*
- * Display the built up NAT table rules and mapping entries.
- */
-void dumpnat()
-{
- hostmap_t *hm;
- ipnat_t *ipn;
- nat_t *nat;
-
- printf("List of active MAP/Redirect filters:\n");
- for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
- printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- printf("\nList of active sessions:\n");
- for (nat = nat_instances; nat; nat = nat->nat_next) {
- printactivenat(nat, opts, 0, 0);
- if (nat->nat_aps)
- printaps(nat->nat_aps, opts);
- }
-
- printf("\nHostmap table:\n");
- for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
- printhostmap(hm, 0);
-}
-
-
-/*
- * Display the built up state table rules and mapping entries.
- */
-void dumpstate()
-{
- ipstate_t *ips;
-
- printf("List of active state sessions:\n");
- for (ips = ips_list; ips != NULL; )
- ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE),
- fr_ticks);
-}
-
-
-void dumplookups()
-{
- iphtable_t *iph;
- ip_pool_t *ipl;
- int i;
-
- printf("List of configured pools\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
- printpool(ipl, bcopywrap, NULL, opts);
-
- printf("List of configured hash tables\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
- printhash(iph, bcopywrap, NULL, opts);
-}
-
-
-void dumpgroups()
-{
- frgroup_t *fg;
- frentry_t *fr;
- int i;
-
- printf("List of groups configured (set 0)\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][0]; fg != NULL; fg = fg->fg_next) {
- printf("Dev.%d. Group %s Ref %d Flags %#x\n",
- i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
- }
-
- printf("List of groups configured (set 1)\n");
- for (i = 0; i < IPL_LOGSIZE; i++)
- for (fg = ipfgroups[i][1]; fg != NULL; fg = fg->fg_next) {
- printf("Dev.%d. Group %s Ref %d Flags %#x\n",
- i, fg->fg_name, fg->fg_ref, fg->fg_flags);
- for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
-#ifdef USE_QUAD_T
- printf("%qu ",(unsigned long long)fr->fr_hits);
-#else
- printf("%ld ", fr->fr_hits);
-#endif
- printfr(fr, ipftestioctl);
- }
- }
-}
-
-
-void drain_log(filename)
-char *filename;
-{
- char buffer[DEFAULT_IPFLOGSIZE];
- struct iovec iov;
- struct uio uio;
- size_t resid;
- int fd, i;
-
- fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
- if (fd == -1) {
- perror("drain_log:open");
- return;
- }
-
- for (i = 0; i <= IPL_LOGMAX; i++)
- while (1) {
- bzero((char *)&iov, sizeof(iov));
- iov.iov_base = buffer;
- iov.iov_len = sizeof(buffer);
-
- bzero((char *)&uio, sizeof(uio));
- uio.uio_iov = &iov;
- uio.uio_iovcnt = 1;
- uio.uio_resid = iov.iov_len;
- resid = uio.uio_resid;
-
- if (ipflog_read(i, &uio) == 0) {
- /*
- * If nothing was read then break out.
- */
- if (uio.uio_resid == resid)
- break;
- write(fd, buffer, resid - uio.uio_resid);
- } else
- break;
- }
-
- close(fd);
-}
-
-
-void fixv4sums(m, ip)
-mb_t *m;
-ip_t *ip;
-{
- u_char *csump, *hdr;
-
- ip->ip_sum = 0;
- ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
-
- csump = (u_char *)ip;
- csump += IP_HL(ip) << 2;
-
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- hdr = csump;
- csump += offsetof(tcphdr_t, th_sum);
- break;
- case IPPROTO_UDP :
- hdr = csump;
- csump += offsetof(udphdr_t, uh_sum);
- break;
- case IPPROTO_ICMP :
- hdr = csump;
- csump += offsetof(icmphdr_t, icmp_cksum);
- break;
- default :
- csump = NULL;
- hdr = NULL;
- break;
- }
- if (hdr != NULL) {
- *csump = 0;
- *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);
- }
-}
diff --git a/contrib/ipfilter/tools/ipmon.c b/contrib/ipfilter/tools/ipmon.c
deleted file mode 100644
index f07396d..0000000
--- a/contrib/ipfilter/tools/ipmon.c
+++ /dev/null
@@ -1,1732 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifndef SOLARIS
-#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/time.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <time.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-#endif
-#if !defined(__hpux) && (!defined(__SVR4) && !defined(__GNUC__))
-# include <strings.h>
-#endif
-#include <signal.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <net/if.h>
-#include <netinet/ip.h>
-#if !defined(__hpux) && !defined(linux)
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef __hpux
-# undef NOERROR
-#endif
-#include <resolv.h>
-
-#if !defined(linux)
-# include <sys/protosw.h>
-# include <netinet/ip_var.h>
-#endif
-
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-
-#include <ctype.h>
-#include <syslog.h>
-
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "ipmon.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.20 2007/09/20 12:51:56 darrenr Exp $";
-#endif
-
-
-#if defined(sun) && !defined(SOLARIS2)
-#define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-#define STRERROR(x) strerror(x)
-#endif
-
-
-struct flags {
- int value;
- char flag;
-};
-
-
-typedef struct icmp_subtype {
- int ist_val;
- char *ist_name;
-} icmp_subtype_t;
-
-typedef struct icmp_type {
- int it_val;
- struct icmp_subtype *it_subtable;
- size_t it_stsize;
- char *it_name;
-} icmp_type_t;
-
-
-#define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t))
-
-
-struct flags tcpfl[] = {
- { TH_ACK, 'A' },
- { TH_RST, 'R' },
- { TH_SYN, 'S' },
- { TH_FIN, 'F' },
- { TH_URG, 'U' },
- { TH_PUSH,'P' },
- { TH_ECN, 'E' },
- { TH_CWR, 'C' },
- { 0, '\0' }
-};
-
-#ifdef MENTAT
-static char *pidfile = "/etc/opt/ipf/ipmon.pid";
-#else
-# if BSD >= 199306
-static char *pidfile = "/var/run/ipmon.pid";
-# else
-static char *pidfile = "/etc/ipmon.pid";
-# endif
-#endif
-
-static char line[2048];
-static int opts = 0;
-static char *logfile = NULL;
-static FILE *binarylog = NULL;
-static char *binarylogfile = NULL;
-static int donehup = 0;
-static void usage __P((char *));
-static void handlehup __P((int));
-static void flushlogs __P((char *, FILE *));
-static void print_log __P((int, FILE *, char *, int));
-static void print_ipflog __P((FILE *, char *, int));
-static void print_natlog __P((FILE *, char *, int));
-static void print_statelog __P((FILE *, char *, int));
-static int read_log __P((int, int *, char *, int));
-static void write_pid __P((char *));
-static char *icmpname __P((u_int, u_int));
-static char *icmpname6 __P((u_int, u_int));
-static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t));
-static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t));
-#ifdef __hpux
-static struct tm *get_tm __P((u_32_t));
-#else
-static struct tm *get_tm __P((time_t));
-#endif
-
-char *hostname __P((int, int, u_32_t *));
-char *portname __P((int, char *, u_int));
-int main __P((int, char *[]));
-
-static void logopts __P((int, char *));
-static void init_tabs __P((void));
-static char *getproto __P((u_int));
-
-static char **protocols = NULL;
-static char **udp_ports = NULL;
-static char **tcp_ports = NULL;
-static char *conf_file = NULL;
-
-
-#define OPT_SYSLOG 0x001
-#define OPT_RESOLVE 0x002
-#define OPT_HEXBODY 0x004
-#define OPT_VERBOSE 0x008
-#define OPT_HEXHDR 0x010
-#define OPT_TAIL 0x020
-#define OPT_NAT 0x080
-#define OPT_STATE 0x100
-#define OPT_FILTER 0x200
-#define OPT_PORTNUM 0x400
-#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
-#define OPT_LOGBODY 0x800
-
-#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
-
-#ifndef LOGFAC
-#define LOGFAC LOG_LOCAL0
-#endif
-int logfac = LOGFAC;
-
-
-static icmp_subtype_t icmpunreachnames[] = {
- { ICMP_UNREACH_NET, "net" },
- { ICMP_UNREACH_HOST, "host" },
- { ICMP_UNREACH_PROTOCOL, "protocol" },
- { ICMP_UNREACH_PORT, "port" },
- { ICMP_UNREACH_NEEDFRAG, "needfrag" },
- { ICMP_UNREACH_SRCFAIL, "srcfail" },
- { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" },
- { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" },
- { ICMP_UNREACH_NET, "isolated" },
- { ICMP_UNREACH_NET_PROHIB, "net_prohib" },
- { ICMP_UNREACH_NET_PROHIB, "host_prohib" },
- { ICMP_UNREACH_TOSNET, "tosnet" },
- { ICMP_UNREACH_TOSHOST, "toshost" },
- { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" },
- { -2, NULL }
-};
-
-static icmp_subtype_t redirectnames[] = {
- { ICMP_REDIRECT_NET, "net" },
- { ICMP_REDIRECT_HOST, "host" },
- { ICMP_REDIRECT_TOSNET, "tosnet" },
- { ICMP_REDIRECT_TOSHOST, "toshost" },
- { -2, NULL }
-};
-
-static icmp_subtype_t timxceednames[] = {
- { ICMP_TIMXCEED_INTRANS, "transit" },
- { ICMP_TIMXCEED_REASS, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t paramnames[] = {
- { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" },
- { ICMP_PARAMPROB_OPTABSENT, "optmissing" },
- { ICMP_PARAMPROB_LENGTH, "length" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes[] = {
- { ICMP_ECHOREPLY, NULL, 0, "echoreply" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_UNREACH, icmpunreachnames,
- IST_SZ(icmpunreachnames),"unreach" },
- { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" },
- { ICMP_REDIRECT, redirectnames,
- IST_SZ(redirectnames), "redirect" },
- { -1, NULL, 0, NULL },
- { -1, NULL, 0, NULL },
- { ICMP_ECHO, NULL, 0, "echo" },
- { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" },
- { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" },
- { ICMP_TIMXCEED, timxceednames,
- IST_SZ(timxceednames), "timxceed" },
- { ICMP_PARAMPROB, paramnames,
- IST_SZ(paramnames), "paramprob" },
- { ICMP_TSTAMP, NULL, 0, "timestamp" },
- { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" },
- { ICMP_IREQ, NULL, 0, "inforeq" },
- { ICMP_IREQREPLY, NULL, 0, "inforeply" },
- { ICMP_MASKREQ, NULL, 0, "maskreq" },
- { ICMP_MASKREPLY, NULL, 0, "maskreply" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t icmpredirect6[] = {
- { ICMP6_DST_UNREACH_NOROUTE, "noroute" },
- { ICMP6_DST_UNREACH_ADMIN, "admin" },
- { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" },
- { ICMP6_DST_UNREACH_ADDR, "address" },
- { ICMP6_DST_UNREACH_NOPORT, "noport" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmptimexceed6[] = {
- { ICMP6_TIME_EXCEED_TRANSIT, "intransit" },
- { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpparamprob6[] = {
- { ICMP6_PARAMPROB_HEADER, "header" },
- { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" },
- { ICMP6_PARAMPROB_OPTION, "option" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmpquerysubject6[] = {
- { ICMP6_NI_SUBJ_IPV6, "ipv6" },
- { ICMP6_NI_SUBJ_FQDN, "fqdn" },
- { ICMP6_NI_SUBJ_IPV4, "ipv4" },
- { -2, NULL },
-};
-
-static icmp_subtype_t icmpnodeinfo6[] = {
- { ICMP6_NI_SUCCESS, "success" },
- { ICMP6_NI_REFUSED, "refused" },
- { ICMP6_NI_UNKNOWN, "unknown" },
- { -2, NULL }
-};
-
-static icmp_subtype_t icmprenumber6[] = {
- { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" },
- { ICMP6_ROUTER_RENUMBERING_RESULT, "result" },
- { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" },
- { -2, NULL }
-};
-
-static icmp_type_t icmptypes6[] = {
- { 0, NULL, 0, NULL },
- { ICMP6_DST_UNREACH, icmpredirect6,
- IST_SZ(icmpredirect6), "unreach" },
- { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" },
- { ICMP6_TIME_EXCEEDED, icmptimexceed6,
- IST_SZ(icmptimexceed6), "timxceed" },
- { ICMP6_PARAM_PROB, icmpparamprob6,
- IST_SZ(icmpparamprob6), "paramprob" },
- { ICMP6_ECHO_REQUEST, NULL, 0, "echo" },
- { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" },
- { ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6,
- IST_SZ(icmpquerysubject6), "groupmemberquery" },
- { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" },
- { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" },
- { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" },
- { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" },
- { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" },
- { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" },
- { ND_REDIRECT, NULL, 0, "redirect" },
- { ICMP6_ROUTER_RENUMBERING, icmprenumber6,
- IST_SZ(icmprenumber6), "routerrenumber" },
- { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" },
- { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" },
- { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" },
- { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" },
- { ICMP6_NI_QUERY, icmpnodeinfo6,
- IST_SZ(icmpnodeinfo6), "nodeinforequest" },
- { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" },
- { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" },
- { MLD6_MTRACE, NULL, 0, "mtracerequest" },
- { -2, NULL, 0, NULL }
-};
-
-static icmp_subtype_t *find_icmpsubtype(type, table, tablesz)
-int type;
-icmp_subtype_t *table;
-size_t tablesz;
-{
- icmp_subtype_t *ist;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].ist_val))
- return NULL;
-
- i = type;
- if (table[type].ist_val == type)
- return table + type;
-
- for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
- if (ist->ist_val == type)
- return ist;
- return NULL;
-}
-
-
-static icmp_type_t *find_icmptype(type, table, tablesz)
-int type;
-icmp_type_t *table;
-size_t tablesz;
-{
- icmp_type_t *it;
- int i;
-
- if (tablesz < 2)
- return NULL;
-
- if ((type < 0) || (type > table[tablesz - 2].it_val))
- return NULL;
-
- i = type;
- if (table[type].it_val == type)
- return table + type;
-
- for (i = 0, it = table; it->it_val != -2; i++, it++)
- if (it->it_val == type)
- return it;
- return NULL;
-}
-
-
-static void handlehup(sig)
-int sig;
-{
- signal(SIGHUP, handlehup);
- donehup = 1;
-}
-
-
-static void init_tabs()
-{
- struct protoent *p;
- struct servent *s;
- char *name, **tab;
- int port, i;
-
- if (protocols != NULL) {
- for (i = 0; i < 256; i++)
- if (protocols[i] != NULL) {
- free(protocols[i]);
- protocols[i] = NULL;
- }
- free(protocols);
- protocols = NULL;
- }
- protocols = (char **)malloc(256 * sizeof(*protocols));
- if (protocols != NULL) {
- bzero((char *)protocols, 256 * sizeof(*protocols));
-
- setprotoent(1);
- while ((p = getprotoent()) != NULL)
- if (p->p_proto >= 0 && p->p_proto <= 255 &&
- p->p_name != NULL && protocols[p->p_proto] == NULL)
- protocols[p->p_proto] = strdup(p->p_name);
- endprotoent();
-#if defined(_AIX51)
- if (protocols[0])
- free(protocols[0]);
- if (protocols[252])
- free(protocols[252]);
- protocols[0] = "ip";
- protocols[252] = NULL;
-#endif
- }
-
- if (udp_ports != NULL) {
- for (i = 0; i < 65536; i++)
- if (udp_ports[i] != NULL) {
- free(udp_ports[i]);
- udp_ports[i] = NULL;
- }
- free(udp_ports);
- udp_ports = NULL;
- }
- udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
- if (udp_ports != NULL)
- bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
-
- if (tcp_ports != NULL) {
- for (i = 0; i < 65536; i++)
- if (tcp_ports[i] != NULL) {
- free(tcp_ports[i]);
- tcp_ports[i] = NULL;
- }
- free(tcp_ports);
- tcp_ports = NULL;
- }
- tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
- if (tcp_ports != NULL)
- bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
-
- setservent(1);
- while ((s = getservent()) != NULL) {
- if (s->s_proto == NULL)
- continue;
- else if (!strcmp(s->s_proto, "tcp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = tcp_ports;
- } else if (!strcmp(s->s_proto, "udp")) {
- port = ntohs(s->s_port);
- name = s->s_name;
- tab = udp_ports;
- } else
- continue;
- if ((port < 0 || port > 65535) || (name == NULL))
- continue;
- if (tab != NULL)
- tab[port] = strdup(name);
- }
- endservent();
-}
-
-
-static char *getproto(p)
-u_int p;
-{
- static char pnum[4];
- char *s;
-
- p &= 0xff;
- s = protocols ? protocols[p] : NULL;
- if (s == NULL) {
- sprintf(pnum, "%u", p);
- s = pnum;
- }
- return s;
-}
-
-
-static int read_log(fd, lenp, buf, bufsize)
-int fd, bufsize, *lenp;
-char *buf;
-{
- int nr;
-
- nr = read(fd, buf, bufsize);
- if (!nr)
- return 2;
- if ((nr < 0) && (errno != EINTR))
- return -1;
- *lenp = nr;
- return 0;
-}
-
-
-char *hostname(res, v, ip)
-int res, v;
-u_32_t *ip;
-{
-# define MAX_INETA 16
- static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct hostent *hp;
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *ip;
- if (!res)
- return inet_ntoa(ipa);
- hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET);
- if (!hp)
- return inet_ntoa(ipa);
- sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name,
- inet_ntoa(ipa));
- return hname;
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-char *portname(res, proto, port)
-int res;
-char *proto;
-u_int port;
-{
- static char pname[8];
- char *s;
-
- port = ntohs(port);
- port &= 0xffff;
- (void) sprintf(pname, "%u", port);
- if (!res || (opts & OPT_PORTNUM))
- return pname;
- s = NULL;
- if (!strcmp(proto, "tcp"))
- s = tcp_ports[port];
- else if (!strcmp(proto, "udp"))
- s = udp_ports[port];
- if (s == NULL)
- s = pname;
- return s;
-}
-
-
-static char *icmpname(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmptype(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-static char *icmpname6(type, code)
-u_int type;
-u_int code;
-{
- static char name[80];
- icmp_subtype_t *ist;
- icmp_type_t *it;
- char *s;
-
- s = NULL;
- it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it));
- if (it != NULL)
- s = it->it_name;
-
- if (s == NULL)
- sprintf(name, "icmpv6type(%d)/", type);
- else
- sprintf(name, "%s/", s);
-
- ist = NULL;
- if (it != NULL && it->it_subtable != NULL)
- ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize);
-
- if (ist != NULL && ist->ist_name != NULL)
- strcat(name, ist->ist_name);
- else
- sprintf(name + strlen(name), "%d", code);
-
- return name;
-}
-
-
-void dumphex(log, dopts, buf, len)
-FILE *log;
-int dopts;
-char *buf;
-int len;
-{
- char hline[80];
- int i, j, k;
- u_char *s = (u_char *)buf, *t = (u_char *)hline;
-
- if (buf == NULL || len == 0)
- return;
-
- *hline = '\0';
-
- for (i = len, j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- if ((dopts & OPT_SYSLOG))
- syslog(LOG_INFO, "%s", hline);
- else if (log != NULL)
- fputs(hline, log);
- t = (u_char *)hline;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (ISPRINT(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- if ((dopts & OPT_SYSLOG) != 0)
- syslog(LOG_INFO, "%s", hline);
- else if (log != NULL) {
- fputs(hline, log);
- fflush(log);
- }
-}
-
-
-static struct tm *get_tm(sec)
-#ifdef __hpux
-u_32_t sec;
-#else
-time_t sec;
-#endif
-{
- struct tm *tm;
- time_t t;
-
- t = sec;
- tm = localtime(&t);
- return tm;
-}
-
-static void print_natlog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct natlog *nl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line;
- struct tm *tm;
- int res, i, len;
- char *proto;
-
- nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = get_tm(ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1);
- t += strlen(t);
-
- if (nl->nl_type == NL_NEWMAP)
- strcpy(t, "NAT:MAP ");
- else if (nl->nl_type == NL_NEWRDR)
- strcpy(t, "NAT:RDR ");
- else if (nl->nl_type == NL_FLUSH)
- strcpy(t, "NAT:FLUSH ");
- else if (nl->nl_type == NL_EXPIRE)
- strcpy(t, "NAT:EXPIRE ");
- else if (nl->nl_type == NL_NEWBIMAP)
- strcpy(t, "NAT:BIMAP ");
- else if (nl->nl_type == NL_NEWBLOCK)
- strcpy(t, "NAT:MAPBLOCK ");
- else if (nl->nl_type == NL_CLONE)
- strcpy(t, "NAT:CLONE ");
- else if (nl->nl_type == NL_DESTROY)
- strcpy(t, "NAT:DESTROY ");
- else
- sprintf(t, "Type: %d ", nl->nl_type);
- t += strlen(t);
-
- proto = getproto(nl->nl_p);
-
- (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip),
- portname(res, proto, (u_int)nl->nl_inport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip),
- portname(res, proto, (u_int)nl->nl_outport));
- t += strlen(t);
- (void) sprintf(t, "[%s,%s PR %s]", HOSTNAME_V4(res, nl->nl_origip),
- portname(res, proto, (u_int)nl->nl_origport),
- getproto(nl->nl_p));
- t += strlen(t);
- if (nl->nl_type == NL_EXPIRE) {
-#ifdef USE_QUAD_T
- (void) sprintf(t, " Pkts %qd/%qd Bytes %qd/%qd",
- (long long)nl->nl_pkts[0],
- (long long)nl->nl_pkts[1],
- (long long)nl->nl_bytes[0],
- (long long)nl->nl_bytes[1]);
-#else
- (void) sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld",
- nl->nl_pkts[0], nl->nl_pkts[1],
- nl->nl_bytes[0], nl->nl_bytes[1]);
-#endif
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_statelog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- struct ipslog *sl;
- iplog_t *ipl = (iplog_t *)buf;
- char *t = line, *proto;
- struct tm *tm;
- int res, i, len;
-
- sl = (struct ipslog *)((char *)ipl + sizeof(*ipl));
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- tm = get_tm(ipl->ipl_sec);
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
-
- switch (sl->isl_type)
- {
- case ISL_NEW :
- strcpy(t, "STATE:NEW ");
- break;
-
- case ISL_CLONE :
- strcpy(t, "STATE:CLONED ");
- break;
-
- case ISL_EXPIRE :
- if ((sl->isl_p == IPPROTO_TCP) &&
- (sl->isl_state[0] > IPF_TCPS_ESTABLISHED ||
- sl->isl_state[1] > IPF_TCPS_ESTABLISHED))
- strcpy(t, "STATE:CLOSE ");
- else
- strcpy(t, "STATE:EXPIRE ");
- break;
-
- case ISL_FLUSH :
- strcpy(t, "STATE:FLUSH ");
- break;
-
- case ISL_INTERMEDIATE :
- strcpy(t, "STATE:INTERMEDIATE ");
- break;
-
- case ISL_REMOVE :
- strcpy(t, "STATE:REMOVE ");
- break;
-
- case ISL_KILLED :
- strcpy(t, "STATE:KILLED ");
- break;
-
- case ISL_UNLOAD :
- strcpy(t, "STATE:UNLOAD ");
- break;
-
- default :
- sprintf(t, "Type: %d ", sl->isl_type);
- break;
- }
- t += strlen(t);
-
- proto = getproto(sl->isl_p);
-
- if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
- (void) sprintf(t, "%s,%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src),
- portname(res, proto, (u_int)sl->isl_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- portname(res, proto, (u_int)sl->isl_dport), proto);
- } else if (sl->isl_p == IPPROTO_ICMP) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else if (sl->isl_p == IPPROTO_ICMPV6) {
- (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v,
- (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 %d",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- sl->isl_itype);
- } else {
- (void) sprintf(t, "%s -> ",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s",
- hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst),
- proto);
- }
- t += strlen(t);
- if (sl->isl_tag != FR_NOLOGTAG) {
- (void) sprintf(t, " tag %u", sl->isl_tag);
- t += strlen(t);
- }
- if (sl->isl_type != ISL_NEW) {
- sprintf(t,
-#ifdef USE_QUAD_T
-#ifdef PRId64
- " Forward: Pkts in %" PRId64 " Bytes in %" PRId64
- " Pkts out %" PRId64 " Bytes out %" PRId64
- " Backward: Pkts in %" PRId64 " Bytes in %" PRId64
- " Pkts out %" PRId64 " Bytes out %" PRId64,
-#else
- " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd",
-#endif /* PRId64 */
-#else
- " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld",
-#endif
- sl->isl_pkts[0], sl->isl_bytes[0],
- sl->isl_pkts[1], sl->isl_bytes[1],
- sl->isl_pkts[2], sl->isl_bytes[2],
- sl->isl_pkts[3], sl->isl_bytes[3]);
-
- t += strlen(t);
- }
-
- *t++ = '\n';
- *t++ = '\0';
- if (opts & OPT_SYSLOG)
- syslog(LOG_INFO, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-}
-
-
-static void print_log(logtype, log, buf, blen)
-FILE *log;
-char *buf;
-int logtype, blen;
-{
- iplog_t *ipl;
- char *bp = NULL, *bpo = NULL;
- int psize;
-
- while (blen > 0) {
- ipl = (iplog_t *)buf;
- if ((u_long)ipl & (sizeof(long)-1)) {
- if (bp)
- bpo = bp;
- bp = (char *)malloc(blen);
- bcopy((char *)ipl, bp, blen);
- if (bpo) {
- free(bpo);
- bpo = NULL;
- }
- buf = bp;
- continue;
- }
-
- psize = ipl->ipl_dsize;
- if (psize > blen)
- break;
-
- if (binarylog) {
- fwrite(buf, psize, 1, binarylog);
- fflush(binarylog);
- }
-
- if (logtype == IPL_LOGIPF) {
- if (ipl->ipl_magic == IPL_MAGIC)
- print_ipflog(log, buf, psize);
-
- } else if (logtype == IPL_LOGNAT) {
- if (ipl->ipl_magic == IPL_MAGIC_NAT)
- print_natlog(log, buf, psize);
-
- } else if (logtype == IPL_LOGSTATE) {
- if (ipl->ipl_magic == IPL_MAGIC_STATE)
- print_statelog(log, buf, psize);
- }
-
- blen -= psize;
- buf += psize;
- }
- if (bp)
- free(bp);
- return;
-}
-
-
-static void print_ipflog(log, buf, blen)
-FILE *log;
-char *buf;
-int blen;
-{
- tcphdr_t *tp;
- struct icmp *ic;
- struct icmp *icmp;
- struct tm *tm;
- char *t, *proto;
- int i, v, lvl, res, len, off, plen, ipoff, defaction;
- ip_t *ipc, *ip;
- u_32_t *s, *d;
- u_short hl, p;
- ipflog_t *ipf;
- iplog_t *ipl;
-#ifdef USE_INET6
- struct ip6_ext *ehp;
- u_short ehl;
- ip6_t *ip6;
- int go;
-#endif
-
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)((char *)buf + sizeof(*ipl));
- ip = (ip_t *)((char *)ipf + sizeof(*ipf));
- v = IP_V(ip);
- res = (opts & OPT_RESOLVE) ? 1 : 0;
- t = line;
- *t = '\0';
- tm = get_tm(ipl->ipl_sec);
-
- len = sizeof(line);
- if (!(opts & OPT_SYSLOG)) {
- (void) strftime(t, len, "%d/%m/%Y ", tm);
- i = strlen(t);
- len -= i;
- t += i;
- }
- (void) strftime(t, len, "%T", tm);
- t += strlen(t);
- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec);
- t += strlen(t);
- if (ipl->ipl_count > 1) {
- (void) sprintf(t, "%dx ", ipl->ipl_count);
- t += strlen(t);
- }
-#if (defined(MENTAT) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
- {
- char ifname[sizeof(ipf->fl_ifname) + 1];
-
- strncpy(ifname, ipf->fl_ifname, sizeof(ipf->fl_ifname));
- ifname[sizeof(ipf->fl_ifname)] = '\0';
- (void) sprintf(t, "%s", ifname);
- t += strlen(t);
-# if defined(MENTAT) || defined(linux)
- if (ISALPHA(*(t - 1))) {
- sprintf(t, "%d", ipf->fl_unit);
- t += strlen(t);
- }
-# endif
- }
-#else
- for (len = 0; len < 3; len++)
- if (ipf->fl_ifname[len] == '\0')
- break;
- if (ipf->fl_ifname[len])
- len++;
- (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
- t += strlen(t);
-#endif
- if ((ipf->fl_group[0] == (char)~0) && (ipf->fl_group[1] == '\0'))
- strcat(t, " @-1:");
- else if (ipf->fl_group[0] == '\0')
- (void) strcpy(t, " @0:");
- else
- (void) sprintf(t, " @%s:", ipf->fl_group);
- t += strlen(t);
- if (ipf->fl_rule == 0xffffffff)
- strcat(t, "-1 ");
- else
- (void) sprintf(t, "%u ", ipf->fl_rule + 1);
- t += strlen(t);
-
- lvl = LOG_NOTICE;
-
- if (ipf->fl_lflags & FI_SHORT) {
- *t++ = 'S';
- lvl = LOG_ERR;
- }
-
- if (FR_ISPASS(ipf->fl_flags)) {
- if (ipf->fl_flags & FR_LOGP)
- *t++ = 'p';
- else
- *t++ = 'P';
- } else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (ipf->fl_flags & FR_LOGB)
- *t++ = 'b';
- else
- *t++ = 'B';
- lvl = LOG_WARNING;
- } else if ((ipf->fl_flags & FR_LOGMASK) == FR_LOG) {
- *t++ = 'L';
- lvl = LOG_INFO;
- } else if (ipf->fl_flags & FF_LOGNOMATCH) {
- *t++ = 'n';
- } else {
- *t++ = '?';
- lvl = LOG_EMERG;
- }
- if (ipf->fl_loglevel != 0xffff)
- lvl = ipf->fl_loglevel;
- *t++ = ' ';
- *t = '\0';
-
- if (v == 6) {
-#ifdef USE_INET6
- off = 0;
- ipoff = 0;
- hl = sizeof(ip6_t);
- ip6 = (ip6_t *)ip;
- p = (u_short)ip6->ip6_nxt;
- s = (u_32_t *)&ip6->ip6_src;
- d = (u_32_t *)&ip6->ip6_dst;
- plen = hl + ntohs(ip6->ip6_plen);
- go = 1;
- ehp = (struct ip6_ext *)((char *)ip6 + hl);
- while (go == 1) {
- switch (p)
- {
- case IPPROTO_HOPOPTS :
- case IPPROTO_MOBILITY :
- case IPPROTO_DSTOPTS :
- case IPPROTO_ROUTING :
- case IPPROTO_AH :
- p = ehp->ip6e_nxt;
- ehl = 8 + (ehp->ip6e_len << 3);
- hl += ehl;
- ehp = (struct ip6_ext *)((char *)ehp + ehl);
- break;
- case IPPROTO_FRAGMENT :
- hl += sizeof(struct ip6_frag);
- /* FALLTHROUGH */
- default :
- go = 0;
- break;
- }
- }
-#else
- sprintf(t, "ipv6");
- goto printipflog;
-#endif
- } else if (v == 4) {
- hl = IP_HL(ip) << 2;
- ipoff = ip->ip_off;
- off = ipoff & IP_OFFMASK;
- p = (u_short)ip->ip_p;
- s = (u_32_t *)&ip->ip_src;
- d = (u_32_t *)&ip->ip_dst;
- plen = ip->ip_len;
- } else {
- goto printipflog;
- }
- proto = getproto(p);
-
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) {
- tp = (tcphdr_t *)((char *)ip + hl);
- if (!(ipf->fl_lflags & FI_SHORT)) {
- (void) sprintf(t, "%s,%s -> ", hostname(res, v, s),
- portname(res, proto, (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu %hu",
- hostname(res, v, d),
- portname(res, proto, (u_int)tp->th_dport),
- proto, hl, plen);
- t += strlen(t);
-
- if (p == IPPROTO_TCP) {
- *t++ = ' ';
- *t++ = '-';
- for (i = 0; tcpfl[i].value; i++)
- if (tp->th_flags & tcpfl[i].value)
- *t++ = tcpfl[i].flag;
- if (opts & OPT_VERBOSE) {
- (void) sprintf(t, " %lu %lu %hu",
- (u_long)(ntohl(tp->th_seq)),
- (u_long)(ntohl(tp->th_ack)),
- ntohs(tp->th_win));
- t += strlen(t);
- }
- }
- *t = '\0';
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu %hu",
- hostname(res, v, d), proto, hl, plen);
- }
- } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s",
- hostname(res, v, d), hl, plen,
- icmpname6(ic->icmp_type, ic->icmp_code));
- } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) {
- ic = (struct icmp *)((char *)ip + hl);
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
- hostname(res, v, d), hl, plen,
- icmpname(ic->icmp_type, ic->icmp_code));
- if (ic->icmp_type == ICMP_UNREACH ||
- ic->icmp_type == ICMP_SOURCEQUENCH ||
- ic->icmp_type == ICMP_PARAMPROB ||
- ic->icmp_type == ICMP_REDIRECT ||
- ic->icmp_type == ICMP_TIMXCEED) {
- ipc = &ic->icmp_ip;
- i = ntohs(ipc->ip_len);
- /*
- * XXX - try to guess endian of ip_len in ICMP
- * returned data.
- */
- if (i > 1500)
- i = ipc->ip_len;
- ipoff = ntohs(ipc->ip_off);
- proto = getproto(ipc->ip_p);
-
- if (!(ipoff & IP_OFFMASK) &&
- ((ipc->ip_p == IPPROTO_TCP) ||
- (ipc->ip_p == IPPROTO_UDP))) {
- tp = (tcphdr_t *)((char *)ipc + hl);
- t += strlen(t);
- (void) sprintf(t, " for %s,%s -",
- HOSTNAME_V4(res, ipc->ip_src),
- portname(res, proto,
- (u_int)tp->th_sport));
- t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu %hu",
- HOSTNAME_V4(res, ipc->ip_dst),
- portname(res, proto,
- (u_int)tp->th_dport),
- proto, IP_HL(ipc) << 2, i);
- } else if (!(ipoff & IP_OFFMASK) &&
- (ipc->ip_p == IPPROTO_ICMP)) {
- icmp = (icmphdr_t *)((char *)ipc + hl);
-
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t,
- " %s PR icmp len %hu %hu icmp %d/%d",
- HOSTNAME_V4(res, ipc->ip_dst),
- IP_HL(ipc) << 2, i,
- icmp->icmp_type, icmp->icmp_code);
- } else {
- t += strlen(t);
- (void) sprintf(t, " for %s -",
- HOSTNAME_V4(res, ipc->ip_src));
- t += strlen(t);
- (void) sprintf(t, " %s PR %s len %hu (%hu)",
- HOSTNAME_V4(res, ipc->ip_dst), proto,
- IP_HL(ipc) << 2, i);
- t += strlen(t);
- if (ipoff & IP_OFFMASK) {
- (void) sprintf(t,
- "(frag %d:%hu@%hu%s%s)",
- ntohs(ipc->ip_id),
- i - (IP_HL(ipc) << 2),
- (ipoff & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- }
-
- }
- } else {
- (void) sprintf(t, "%s -> ", hostname(res, v, s));
- t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
- hostname(res, v, d), proto, hl, plen);
- t += strlen(t);
- if (off & IP_OFFMASK)
- (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
- ntohs(ip->ip_id),
- plen - hl, (off & IP_OFFMASK) << 3,
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "");
- }
- t += strlen(t);
-
-printipflog:
- if (ipf->fl_flags & FR_KEEPSTATE) {
- (void) strcpy(t, " K-S");
- t += strlen(t);
- }
-
- if (ipf->fl_flags & FR_KEEPFRAG) {
- (void) strcpy(t, " K-F");
- t += strlen(t);
- }
-
- if (ipf->fl_dir == 0)
- strcpy(t, " IN");
- else if (ipf->fl_dir == 1)
- strcpy(t, " OUT");
- t += strlen(t);
- if (ipf->fl_logtag != 0) {
- sprintf(t, " log-tag %d", ipf->fl_logtag);
- t += strlen(t);
- }
- if (ipf->fl_nattag.ipt_num[0] != 0) {
- strcpy(t, " nat-tag ");
- t += strlen(t);
- strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag));
- t += strlen(t);
- }
- if ((ipf->fl_lflags & FI_LOWTTL) != 0) {
- strcpy(t, " low-ttl");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_OOW) != 0) {
- strcpy(t, " OOW");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_BAD) != 0) {
- strcpy(t, " bad");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_NATED) != 0) {
- strcpy(t, " NAT");
- t += 4;
- }
- if ((ipf->fl_lflags & FI_BADNAT) != 0) {
- strcpy(t, " bad-NAT");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_BADSRC) != 0) {
- strcpy(t, " bad-src");
- t += 8;
- }
- if ((ipf->fl_lflags & FI_MULTICAST) != 0) {
- strcpy(t, " multicast");
- t += 10;
- }
- if ((ipf->fl_lflags & FI_BROADCAST) != 0) {
- strcpy(t, " broadcast");
- t += 10;
- }
- if ((ipf->fl_lflags & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST)) ==
- FI_MBCAST) {
- strcpy(t, " mbcast");
- t += 7;
- }
- *t++ = '\n';
- *t++ = '\0';
- defaction = 0;
- if (conf_file != NULL)
- defaction = check_action(buf, line, opts, lvl);
- if (defaction == 0) {
- if (opts & OPT_SYSLOG)
- syslog(lvl, "%s", line);
- else if (log != NULL)
- (void) fprintf(log, "%s", line);
-
- if (opts & OPT_HEXHDR)
- dumphex(log, opts, buf,
- sizeof(iplog_t) + sizeof(*ipf));
- if (opts & OPT_HEXBODY)
- dumphex(log, opts, (char *)ip,
- ipf->fl_plen + ipf->fl_hlen);
- else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
- dumphex(log, opts, (char *)ip + ipf->fl_hlen,
- ipf->fl_plen);
- }
-}
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog);
- exit(1);
-}
-
-
-static void write_pid(file)
-char *file;
-{
- FILE *fp = NULL;
- int fd;
-
- if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0) {
- fp = fdopen(fd, "w");
- if (fp == NULL) {
- close(fd);
- fprintf(stderr,
- "unable to open/create pid file: %s\n", file);
- return;
- }
- fprintf(fp, "%d", getpid());
- fclose(fp);
- }
-}
-
-
-static void flushlogs(file, log)
-char *file;
-FILE *log;
-{
- int fd, flushed = 0;
-
- if ((fd = open(file, O_RDWR)) == -1) {
- (void) fprintf(stderr, "%s: open: %s\n",
- file, STRERROR(errno));
- exit(1);
- }
-
- if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
- printf("%d bytes flushed from log buffer\n",
- flushed);
- fflush(stdout);
- } else
- perror("SIOCIPFFB");
- (void) close(fd);
-
- if (flushed) {
- if (opts & OPT_SYSLOG) {
- syslog(LOG_INFO, "%d bytes flushed from log\n",
- flushed);
- } else if ((log != stdout) && (log != NULL)) {
- fprintf(log, "%d bytes flushed from log\n", flushed);
- }
- }
-}
-
-
-static void logopts(turnon, options)
-int turnon;
-char *options;
-{
- int flags = 0;
- char *s;
-
- for (s = options; *s; s++)
- {
- switch (*s)
- {
- case 'N' :
- flags |= OPT_NAT;
- break;
- case 'S' :
- flags |= OPT_STATE;
- break;
- case 'I' :
- flags |= OPT_FILTER;
- break;
- default :
- fprintf(stderr, "Unknown log option %c\n", *s);
- exit(1);
- }
- }
-
- if (turnon)
- opts |= flags;
- else
- opts &= ~(flags);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- struct stat sb;
- FILE *log = stdout;
- FILE *fp;
- int fd[3], doread, n, i;
- int tr, nr, regular[3], c;
- int fdt[3], devices = 0, make_daemon = 0;
- char buf[DEFAULT_IPFLOGSIZE], *iplfile[3], *s;
- extern int optind;
- extern char *optarg;
-
- fd[0] = fd[1] = fd[2] = -1;
- fdt[0] = fdt[1] = fdt[2] = -1;
- iplfile[0] = IPL_NAME;
- iplfile[1] = IPNAT_NAME;
- iplfile[2] = IPSTATE_NAME;
-
- while ((c = getopt(argc, argv,
- "?abB:C:Df:FhL:nN:o:O:pP:sS:tvxX")) != -1)
- switch (c)
- {
- case 'a' :
- opts |= OPT_LOGALL;
- fdt[0] = IPL_LOGIPF;
- fdt[1] = IPL_LOGNAT;
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'b' :
- opts |= OPT_LOGBODY;
- break;
- case 'B' :
- binarylogfile = optarg;
- binarylog = fopen(optarg, "a");
- break;
- case 'C' :
- conf_file = optarg;
- break;
- case 'D' :
- make_daemon = 1;
- break;
- case 'f' : case 'I' :
- opts |= OPT_FILTER;
- fdt[0] = IPL_LOGIPF;
- iplfile[0] = optarg;
- break;
- case 'F' :
- flushlogs(iplfile[0], log);
- flushlogs(iplfile[1], log);
- flushlogs(iplfile[2], log);
- break;
- case 'L' :
- logfac = fac_findname(optarg);
- if (logfac == -1) {
- fprintf(stderr,
- "Unknown syslog facility '%s'\n",
- optarg);
- exit(1);
- }
- break;
- case 'n' :
- opts |= OPT_RESOLVE;
- break;
- case 'N' :
- opts |= OPT_NAT;
- fdt[1] = IPL_LOGNAT;
- iplfile[1] = optarg;
- break;
- case 'o' : case 'O' :
- logopts(c == 'o', optarg);
- fdt[0] = fdt[1] = fdt[2] = -1;
- if (opts & OPT_FILTER)
- fdt[0] = IPL_LOGIPF;
- if (opts & OPT_NAT)
- fdt[1] = IPL_LOGNAT;
- if (opts & OPT_STATE)
- fdt[2] = IPL_LOGSTATE;
- break;
- case 'p' :
- opts |= OPT_PORTNUM;
- break;
- case 'P' :
- pidfile = optarg;
- break;
- case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, logfac);
- s = NULL;
- opts |= OPT_SYSLOG;
- log = NULL;
- break;
- case 'S' :
- opts |= OPT_STATE;
- fdt[2] = IPL_LOGSTATE;
- iplfile[2] = optarg;
- break;
- case 't' :
- opts |= OPT_TAIL;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'x' :
- opts |= OPT_HEXBODY;
- break;
- case 'X' :
- opts |= OPT_HEXHDR;
- break;
- default :
- case 'h' :
- case '?' :
- usage(argv[0]);
- }
-
- init_tabs();
- if (conf_file)
- if (load_config(conf_file) == -1)
- exit(1);
-
- /*
- * Default action is to only open the filter log file.
- */
- if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1))
- fdt[0] = IPL_LOGIPF;
-
- for (i = 0; i < 3; i++) {
- if (fdt[i] == -1)
- continue;
- if (!strcmp(iplfile[i], "-"))
- fd[i] = 0;
- else {
- if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) {
- (void) fprintf(stderr,
- "%s: open: %s\n", iplfile[i],
- STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (fstat(fd[i], &sb) == -1) {
- (void) fprintf(stderr, "%d: fstat: %s\n",
- fd[i], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- if (!(regular[i] = !S_ISCHR(sb.st_mode)))
- devices++;
- }
- }
-
- if (!(opts & OPT_SYSLOG)) {
- logfile = argv[optind];
- log = logfile ? fopen(logfile, "a") : stdout;
- if (log == NULL) {
- (void) fprintf(stderr, "%s: fopen: %s\n",
- argv[optind], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setvbuf(log, NULL, _IONBF, 0);
- } else
- log = NULL;
-
- if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
-#if BSD >= 199306
- daemon(0, !(opts & OPT_SYSLOG));
-#else
- int pid;
- if ((pid = fork()) > 0)
- exit(0);
- if (pid < 0) {
- (void) fprintf(stderr, "%s: fork() failed: %s\n",
- argv[0], STRERROR(errno));
- exit(1);
- /* NOTREACHED */
- }
- setsid();
- if ((opts & OPT_SYSLOG))
- close(2);
-#endif /* !BSD */
- close(0);
- close(1);
- write_pid(pidfile);
- }
-
- signal(SIGHUP, handlehup);
-
- for (doread = 1; doread; ) {
- nr = 0;
-
- for (i = 0; i < 3; i++) {
- tr = 0;
- if (fdt[i] == -1)
- continue;
- if (!regular[i]) {
- if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT,
- "ioctl(FIONREAD): %m");
- else
- perror("ioctl(FIONREAD)");
- exit(1);
- /* NOTREACHED */
- }
- } else {
- tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
- if (!tr && !(opts & OPT_TAIL))
- doread = 0;
- }
- if (!tr)
- continue;
- nr += tr;
- n = 0;
-
- tr = read_log(fd[i], &n, buf, sizeof(buf));
- if (donehup) {
- if (logfile && (fp = fopen(logfile, "a"))) {
- fclose(log);
- log = fp;
- }
- if (binarylogfile &&
- (fp = fopen(binarylogfile, "a"))) {
- fclose(binarylog);
- binarylog = fp;
- }
- init_tabs();
- if (conf_file != NULL)
- load_config(conf_file);
- donehup = 0;
- }
-
- switch (tr)
- {
- case -1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "read: %m\n");
- else
- perror("read");
- doread = 0;
- break;
- case 1 :
- if (opts & OPT_SYSLOG)
- syslog(LOG_CRIT, "aborting logging\n");
- else if (log != NULL)
- fprintf(log, "aborting logging\n");
- doread = 0;
- break;
- case 2 :
- break;
- case 0 :
- if (n > 0) {
- print_log(fdt[i], log, buf, n);
- if (!(opts & OPT_SYSLOG))
- fflush(log);
- }
- break;
- }
- }
- if (!nr && ((opts & OPT_TAIL) || devices))
- sleep(1);
- }
- return(0);
- /* NOTREACHED */
-}
diff --git a/contrib/ipfilter/tools/ipmon_y.y b/contrib/ipfilter/tools/ipmon_y.y
deleted file mode 100644
index bc3ec6d..0000000
--- a/contrib/ipfilter/tools/ipmon_y.y
+++ /dev/null
@@ -1,698 +0,0 @@
-/*
- * Copyright (C) 2001-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include "ipf.h"
-#include <syslog.h>
-#undef OPT_NAT
-#undef OPT_VERBOSE
-#include "ipmon_l.h"
-#include "ipmon.h"
-
-#define YYDEBUG 1
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-typedef struct opt {
- struct opt *o_next;
- int o_line;
- int o_type;
- int o_num;
- char *o_str;
- struct in_addr o_ip;
-} opt_t;
-
-static void build_action __P((struct opt *));
-static opt_t *new_opt __P((int));
-static void free_action __P((ipmon_action_t *));
-
-static ipmon_action_t *alist = NULL;
-%}
-
-%union {
- char *str;
- u_32_t num;
- struct in_addr addr;
- struct opt *opt;
- union i6addr ip6;
-}
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token <ip6> YY_IPV6
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-
-%token IPM_MATCH IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT
-%token IPM_EVERY IPM_EXECUTE IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT
-%token IPM_PACKET IPM_PACKETS IPM_POOL IPM_PROTOCOL IPM_RESULT IPM_RULE
-%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_LOGTAG IPM_WITH
-%token IPM_DO IPM_SAVE IPM_SYSLOG IPM_NOTHING IPM_RAW IPM_TYPE IPM_NAT
-%token IPM_STATE IPM_NATTAG IPM_IPF
-%type <addr> ipv4
-%type <opt> direction dstip dstport every execute group interface
-%type <opt> protocol result rule srcip srcport logtag matching
-%type <opt> matchopt nattag type doopt doing save syslog nothing
-%type <num> saveopts saveopt typeopt
-
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';'
- { build_action($3); resetlexer(); }
- | IPM_COMMENT
- | YY_COMMENT
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-matching:
- matchopt { $$ = $1; }
- | matchopt ',' matching { $1->o_next = $3; $$ = $1; }
- ;
-
-matchopt:
- direction { $$ = $1; }
- | dstip { $$ = $1; }
- | dstport { $$ = $1; }
- | every { $$ = $1; }
- | group { $$ = $1; }
- | interface { $$ = $1; }
- | protocol { $$ = $1; }
- | result { $$ = $1; }
- | rule { $$ = $1; }
- | srcip { $$ = $1; }
- | srcport { $$ = $1; }
- | logtag { $$ = $1; }
- | nattag { $$ = $1; }
- | type { $$ = $1; }
- ;
-
-doing:
- doopt { $$ = $1; }
- | doopt ',' doing { $1->o_next = $3; $$ = $1; }
- ;
-
-doopt:
- execute { $$ = $1; }
- | save { $$ = $1; }
- | syslog { $$ = $1; }
- | nothing { $$ = $1; }
- ;
-
-direction:
- IPM_DIRECTION '=' IPM_IN { $$ = new_opt(IPM_DIRECTION);
- $$->o_num = IPM_IN; }
- | IPM_DIRECTION '=' IPM_OUT { $$ = new_opt(IPM_DIRECTION);
- $$->o_num = IPM_OUT; }
- ;
-
-dstip: IPM_DSTIP '=' ipv4 '/' YY_NUMBER { $$ = new_opt(IPM_DSTIP);
- $$->o_ip = $3;
- $$->o_num = $5; }
- ;
-
-dstport:
- IPM_DSTPORT '=' YY_NUMBER { $$ = new_opt(IPM_DSTPORT);
- $$->o_num = $3; }
- | IPM_DSTPORT '=' YY_STR { $$ = new_opt(IPM_DSTPORT);
- $$->o_str = $3; }
- ;
-
-every: IPM_EVERY IPM_SECOND { $$ = new_opt(IPM_SECOND);
- $$->o_num = 1; }
- | IPM_EVERY YY_NUMBER IPM_SECONDS { $$ = new_opt(IPM_SECOND);
- $$->o_num = $2; }
- | IPM_EVERY IPM_PACKET { $$ = new_opt(IPM_PACKET);
- $$->o_num = 1; }
- | IPM_EVERY YY_NUMBER IPM_PACKETS { $$ = new_opt(IPM_PACKET);
- $$->o_num = $2; }
- ;
-
-group: IPM_GROUP '=' YY_NUMBER { $$ = new_opt(IPM_GROUP);
- $$->o_num = $3; }
- | IPM_GROUP '=' YY_STR { $$ = new_opt(IPM_GROUP);
- $$->o_str = $3; }
- ;
-
-interface:
- IPM_INTERFACE '=' YY_STR { $$ = new_opt(IPM_INTERFACE);
- $$->o_str = $3; }
- ;
-
-logtag: IPM_LOGTAG '=' YY_NUMBER { $$ = new_opt(IPM_LOGTAG);
- $$->o_num = $3; }
- ;
-
-nattag: IPM_NATTAG '=' YY_STR { $$ = new_opt(IPM_NATTAG);
- $$->o_str = $3; }
- ;
-
-protocol:
- IPM_PROTOCOL '=' YY_NUMBER { $$ = new_opt(IPM_PROTOCOL);
- $$->o_num = $3; }
- | IPM_PROTOCOL '=' YY_STR { $$ = new_opt(IPM_PROTOCOL);
- $$->o_num = getproto($3);
- free($3);
- }
- ;
-
-result: IPM_RESULT '=' YY_STR { $$ = new_opt(IPM_RESULT);
- $$->o_str = $3; }
- ;
-
-rule: IPM_RULE '=' YY_NUMBER { $$ = new_opt(IPM_RULE);
- $$->o_num = YY_NUMBER; }
- ;
-
-srcip: IPM_SRCIP '=' ipv4 '/' YY_NUMBER { $$ = new_opt(IPM_SRCIP);
- $$->o_ip = $3;
- $$->o_num = $5; }
- ;
-
-srcport:
- IPM_SRCPORT '=' YY_NUMBER { $$ = new_opt(IPM_SRCPORT);
- $$->o_num = $3; }
- | IPM_SRCPORT '=' YY_STR { $$ = new_opt(IPM_SRCPORT);
- $$->o_str = $3; }
- ;
-
-type: IPM_TYPE '=' typeopt { $$ = new_opt(IPM_TYPE);
- $$->o_num = $3; }
- ;
-
-typeopt:
- IPM_IPF { $$ = IPL_MAGIC; }
- | IPM_NAT { $$ = IPL_MAGIC_NAT; }
- | IPM_STATE { $$ = IPL_MAGIC_STATE; }
- ;
-
-execute:
- IPM_EXECUTE YY_STR { $$ = new_opt(IPM_EXECUTE);
- $$->o_str = $2; }
- ;
-
-save: IPM_SAVE saveopts YY_STR { $$ = new_opt(IPM_SAVE);
- $$->o_num = $2;
- $$->o_str = $3; }
- ;
-
-saveopts: { $$ = 0; }
- | saveopt { $$ = $1; }
- | saveopt ',' saveopts { $$ = $1 | $3; }
- ;
-
-saveopt:
- IPM_RAW { $$ = IPMDO_SAVERAW; }
- ;
-
-syslog: IPM_SYSLOG { $$ = new_opt(IPM_SYSLOG); }
- ;
-
-nothing:
- IPM_NOTHING { $$ = 0; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
-%%
-static struct wordtab yywords[] = {
- { "body", IPM_BODY },
- { "direction", IPM_DIRECTION },
- { "do", IPM_DO },
- { "dstip", IPM_DSTIP },
- { "dstport", IPM_DSTPORT },
- { "every", IPM_EVERY },
- { "execute", IPM_EXECUTE },
- { "group", IPM_GROUP },
- { "in", IPM_IN },
- { "interface", IPM_INTERFACE },
- { "ipf", IPM_IPF },
- { "logtag", IPM_LOGTAG },
- { "match", IPM_MATCH },
- { "nat", IPM_NAT },
- { "nattag", IPM_NATTAG },
- { "no", IPM_NO },
- { "nothing", IPM_NOTHING },
- { "out", IPM_OUT },
- { "packet", IPM_PACKET },
- { "packets", IPM_PACKETS },
- { "protocol", IPM_PROTOCOL },
- { "result", IPM_RESULT },
- { "rule", IPM_RULE },
- { "save", IPM_SAVE },
- { "second", IPM_SECOND },
- { "seconds", IPM_SECONDS },
- { "srcip", IPM_SRCIP },
- { "srcport", IPM_SRCPORT },
- { "state", IPM_STATE },
- { "syslog", IPM_SYSLOG },
- { "with", IPM_WITH },
- { NULL, 0 }
-};
-
-static int macflags[17][2] = {
- { IPM_DIRECTION, IPMAC_DIRECTION },
- { IPM_DSTIP, IPMAC_DSTIP },
- { IPM_DSTPORT, IPMAC_DSTPORT },
- { IPM_GROUP, IPMAC_GROUP },
- { IPM_INTERFACE, IPMAC_INTERFACE },
- { IPM_LOGTAG, IPMAC_LOGTAG },
- { IPM_NATTAG, IPMAC_NATTAG },
- { IPM_PACKET, IPMAC_EVERY },
- { IPM_PROTOCOL, IPMAC_PROTOCOL },
- { IPM_RESULT, IPMAC_RESULT },
- { IPM_RULE, IPMAC_RULE },
- { IPM_SECOND, IPMAC_EVERY },
- { IPM_SRCIP, IPMAC_SRCIP },
- { IPM_SRCPORT, IPMAC_SRCPORT },
- { IPM_TYPE, IPMAC_TYPE },
- { IPM_WITH, IPMAC_WITH },
- { 0, 0 }
-};
-
-static opt_t *new_opt(type)
-int type;
-{
- opt_t *o;
-
- o = (opt_t *)malloc(sizeof(*o));
- o->o_type = type;
- o->o_line = yylineNum;
- o->o_num = 0;
- o->o_str = (char *)0;
- o->o_next = NULL;
- return o;
-}
-
-static void build_action(olist)
-opt_t *olist;
-{
- ipmon_action_t *a;
- opt_t *o;
- char c;
- int i;
-
- a = (ipmon_action_t *)calloc(1, sizeof(*a));
- if (a == NULL)
- return;
- while ((o = olist) != NULL) {
- /*
- * Check to see if the same comparator is being used more than
- * once per matching statement.
- */
- for (i = 0; macflags[i][0]; i++)
- if (macflags[i][0] == o->o_type)
- break;
- if (macflags[i][1] & a->ac_mflag) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- if (o->o_str != NULL)
- free(o->o_str);
- olist = o->o_next;
- free(o);
- continue;
- }
-
- a->ac_mflag |= macflags[i][1];
-
- switch (o->o_type)
- {
- case IPM_DIRECTION :
- a->ac_direction = o->o_num;
- break;
- case IPM_DSTIP :
- a->ac_dip = o->o_ip.s_addr;
- a->ac_dmsk = htonl(0xffffffff << (32 - o->o_num));
- break;
- case IPM_DSTPORT :
- a->ac_dport = htons(o->o_num);
- break;
- case IPM_EXECUTE :
- a->ac_exec = o->o_str;
- c = *o->o_str;
- if (c== '"'|| c == '\'') {
- if (o->o_str[strlen(o->o_str) - 1] == c) {
- a->ac_run = strdup(o->o_str + 1);
- a->ac_run[strlen(a->ac_run) - 1] ='\0';
- } else
- a->ac_run = o->o_str;
- } else
- a->ac_run = o->o_str;
- o->o_str = NULL;
- break;
- case IPM_INTERFACE :
- a->ac_iface = o->o_str;
- o->o_str = NULL;
- break;
- case IPM_GROUP :
- if (o->o_str != NULL)
- strncpy(a->ac_group, o->o_str, FR_GROUPLEN);
- else
- sprintf(a->ac_group, "%d", o->o_num);
- break;
- case IPM_LOGTAG :
- a->ac_logtag = o->o_num;
- break;
- case IPM_NATTAG :
- strncpy(a->ac_nattag, o->o_str, sizeof(a->ac_nattag));
- break;
- case IPM_PACKET :
- a->ac_packet = o->o_num;
- break;
- case IPM_PROTOCOL :
- a->ac_proto = o->o_num;
- break;
- case IPM_RULE :
- a->ac_rule = o->o_num;
- break;
- case IPM_RESULT :
- if (!strcasecmp(o->o_str, "pass"))
- a->ac_result = IPMR_PASS;
- else if (!strcasecmp(o->o_str, "block"))
- a->ac_result = IPMR_BLOCK;
- else if (!strcasecmp(o->o_str, "nomatch"))
- a->ac_result = IPMR_NOMATCH;
- else if (!strcasecmp(o->o_str, "log"))
- a->ac_result = IPMR_LOG;
- break;
- case IPM_SECOND :
- a->ac_second = o->o_num;
- break;
- case IPM_SRCIP :
- a->ac_sip = o->o_ip.s_addr;
- a->ac_smsk = htonl(0xffffffff << (32 - o->o_num));
- break;
- case IPM_SRCPORT :
- a->ac_sport = htons(o->o_num);
- break;
- case IPM_SAVE :
- if (a->ac_savefile != NULL) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_savefile = strdup(o->o_str);
- a->ac_savefp = fopen(o->o_str, "a");
- a->ac_dflag |= o->o_num & IPMDO_SAVERAW;
- break;
- case IPM_SYSLOG :
- if (a->ac_syslog != 0) {
- fprintf(stderr, "%s redfined on line %d\n",
- yykeytostr(o->o_type), yylineNum);
- break;
- }
- a->ac_syslog = 1;
- break;
- case IPM_TYPE :
- a->ac_type = o->o_num;
- break;
- case IPM_WITH :
- break;
- default :
- break;
- }
-
- olist = o->o_next;
- if (o->o_str != NULL)
- free(o->o_str);
- free(o);
- }
- a->ac_next = alist;
- alist = a;
-}
-
-
-int check_action(buf, log, opts, lvl)
-char *buf, *log;
-int opts, lvl;
-{
- ipmon_action_t *a;
- struct timeval tv;
- ipflog_t *ipf;
- tcphdr_t *tcp;
- iplog_t *ipl;
- int matched;
- u_long t1;
- ip_t *ip;
-
- matched = 0;
- ipl = (iplog_t *)buf;
- ipf = (ipflog_t *)(ipl +1);
- ip = (ip_t *)(ipf + 1);
- tcp = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
-
- for (a = alist; a != NULL; a = a->ac_next) {
- if ((a->ac_mflag & IPMAC_DIRECTION) != 0) {
- if (a->ac_direction == IPM_IN) {
- if ((ipf->fl_flags & FR_INQUE) == 0)
- continue;
- } else if (a->ac_direction == IPM_OUT) {
- if ((ipf->fl_flags & FR_OUTQUE) == 0)
- continue;
- }
- }
-
- if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic))
- continue;
-
- if ((a->ac_mflag & IPMAC_EVERY) != 0) {
- gettimeofday(&tv, NULL);
- t1 = tv.tv_sec - a->ac_lastsec;
- if (tv.tv_usec <= a->ac_lastusec)
- t1--;
- if (a->ac_second != 0) {
- if (t1 < a->ac_second)
- continue;
- a->ac_lastsec = tv.tv_sec;
- a->ac_lastusec = tv.tv_usec;
- }
-
- if (a->ac_packet != 0) {
- if (a->ac_pktcnt == 0)
- a->ac_pktcnt++;
- else if (a->ac_pktcnt == a->ac_packet) {
- a->ac_pktcnt = 0;
- continue;
- } else {
- a->ac_pktcnt++;
- continue;
- }
- }
- }
-
- if ((a->ac_mflag & IPMAC_DSTIP) != 0) {
- if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_DSTPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
- continue;
- if (tcp->th_dport != a->ac_dport)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_GROUP) != 0) {
- if (strncmp(a->ac_group, ipf->fl_group,
- FR_GROUPLEN) != 0)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_INTERFACE) != 0) {
- if (strcmp(a->ac_iface, ipf->fl_ifname))
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) {
- if (a->ac_proto != ip->ip_p)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_RESULT) != 0) {
- if ((ipf->fl_flags & FF_LOGNOMATCH) != 0) {
- if (a->ac_result != IPMR_NOMATCH)
- continue;
- } else if (FR_ISPASS(ipf->fl_flags)) {
- if (a->ac_result != IPMR_PASS)
- continue;
- } else if (FR_ISBLOCK(ipf->fl_flags)) {
- if (a->ac_result != IPMR_BLOCK)
- continue;
- } else { /* Log only */
- if (a->ac_result != IPMR_LOG)
- continue;
- }
- }
-
- if ((a->ac_mflag & IPMAC_RULE) != 0) {
- if (a->ac_rule != ipf->fl_rule)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_SRCIP) != 0) {
- if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_SRCPORT) != 0) {
- if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP)
- continue;
- if (tcp->th_sport != a->ac_sport)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_LOGTAG) != 0) {
- if (a->ac_logtag != ipf->fl_logtag)
- continue;
- }
-
- if ((a->ac_mflag & IPMAC_NATTAG) != 0) {
- if (strncmp(a->ac_nattag, ipf->fl_nattag.ipt_tag,
- IPFTAG_LEN) != 0)
- continue;
- }
-
- matched = 1;
-
- /*
- * It matched so now execute the command
- */
- if (a->ac_syslog != 0) {
- syslog(lvl, "%s", log);
- }
-
- if (a->ac_savefp != NULL) {
- if (a->ac_dflag & IPMDO_SAVERAW)
- fwrite(ipl, 1, ipl->ipl_dsize, a->ac_savefp);
- else
- fputs(log, a->ac_savefp);
- }
-
- if (a->ac_exec != NULL) {
- switch (fork())
- {
- case 0 :
- {
- FILE *pi;
-
- pi = popen(a->ac_run, "w");
- if (pi != NULL) {
- fprintf(pi, "%s\n", log);
- if ((opts & OPT_HEXHDR) != 0) {
- dumphex(pi, 0, buf,
- sizeof(*ipl) +
- sizeof(*ipf));
- }
- if ((opts & OPT_HEXBODY) != 0) {
- dumphex(pi, 0, (char *)ip,
- ipf->fl_hlen +
- ipf->fl_plen);
- }
- pclose(pi);
- }
- exit(1);
- }
- case -1 :
- break;
- default :
- break;
- }
- }
- }
-
- return matched;
-}
-
-
-static void free_action(a)
-ipmon_action_t *a;
-{
- if (a->ac_savefile != NULL) {
- free(a->ac_savefile);
- a->ac_savefile = NULL;
- }
- if (a->ac_savefp != NULL) {
- fclose(a->ac_savefp);
- a->ac_savefp = NULL;
- }
- if (a->ac_exec != NULL) {
- free(a->ac_exec);
- if (a->ac_run == a->ac_exec)
- a->ac_run = NULL;
- a->ac_exec = NULL;
- }
- if (a->ac_run != NULL) {
- free(a->ac_run);
- a->ac_run = NULL;
- }
- if (a->ac_iface != NULL) {
- free(a->ac_iface);
- a->ac_iface = NULL;
- }
- a->ac_next = NULL;
- free(a);
-}
-
-
-int load_config(file)
-char *file;
-{
- ipmon_action_t *a;
- FILE *fp;
- char *s;
-
- s = getenv("YYDEBUG");
- if (s != NULL)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- while ((a = alist) != NULL) {
- alist = a->ac_next;
- free_action(a);
- }
-
- yylineNum = 1;
-
- (void) yysettab(yywords);
-
- fp = fopen(file, "r");
- if (!fp) {
- perror("load_config:fopen:");
- return -1;
- }
- yyin = fp;
- while (!feof(fp))
- yyparse();
- fclose(fp);
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ipnat.c b/contrib/ipfilter/tools/ipnat.c
deleted file mode 100644
index 038df6d..0000000
--- a/contrib/ipfilter/tools/ipnat.c
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/file.h>
-#define _KERNEL
-#include <sys/uio.h>
-#undef _KERNEL
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#if defined(linux)
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "kmem.h"
-
-#ifdef __hpux
-# define nlist nlist64
-#endif
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.11 2007/09/25 08:27:34 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-int use_inet6 = 0;
-char thishost[MAXHOSTNAMELEN];
-
-extern char *optarg;
-
-void dostats __P((int, natstat_t *, int, int));
-void dotable __P((natstat_t *, int, int));
-void flushtable __P((int, int));
-void usage __P((char *));
-int main __P((int, char*[]));
-void showhostmap __P((natstat_t *nsp));
-void natstat_dead __P((natstat_t *, char *));
-void dostats_live __P((int, natstat_t *, int));
-void showhostmap_dead __P((natstat_t *));
-void showhostmap_live __P((int, natstat_t *));
-void dostats_dead __P((natstat_t *, int));
-void showtqtable_live __P((int));
-
-int opts;
-
-void usage(name)
-char *name;
-{
- fprintf(stderr, "Usage: %s [-CFhlnrRsv] [-f filename]\n", name);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- char *file, *core, *kernel;
- natstat_t ns, *nsp;
- int fd, c, mode;
- ipfobj_t obj;
-
- fd = -1;
- opts = 0;
- nsp = &ns;
- file = NULL;
- core = NULL;
- kernel = NULL;
- mode = O_RDWR;
-
- while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1)
- switch (c)
- {
- case 'C' :
- opts |= OPT_CLEAR;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- file = optarg;
- break;
- case 'F' :
- opts |= OPT_FLUSH;
- break;
- case 'h' :
- opts |=OPT_HITS;
- break;
- case 'l' :
- opts |= OPT_LIST;
- mode = O_RDONLY;
- break;
- case 'M' :
- core = optarg;
- break;
- case 'N' :
- kernel = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- mode = O_RDONLY;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- mode = O_RDONLY;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- usage(argv[0]);
- }
-
- initparse();
-
- if ((kernel != NULL) || (core != NULL)) {
- (void) setgid(getgid());
- (void) setuid(getuid());
- }
-
- if (!(opts & OPT_DONOTHING)) {
- if (((fd = open(IPNAT_NAME, mode)) == -1) &&
- ((fd = open(IPNAT_NAME, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPNAT_NAME,
- STRERROR(errno));
- exit(1);
- }
- }
-
- bzero((char *)&ns, sizeof(ns));
-
- if ((opts & OPT_DONOTHING) == 0) {
- if (checkrev(IPL_NAME) == -1) {
- fprintf(stderr, "User/kernel version check failed\n");
- exit(1);
- }
- }
-
- if (!(opts & OPT_DONOTHING) && (kernel == NULL) && (core == NULL)) {
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_NATSTAT;
- obj.ipfo_size = sizeof(*nsp);
- obj.ipfo_ptr = (void *)nsp;
- if (ioctl(fd, SIOCGNATS, &obj) == -1) {
- perror("ioctl(SIOCGNATS)");
- exit(1);
- }
- (void) setgid(getgid());
- (void) setuid(getuid());
- } else if ((kernel != NULL) || (core != NULL)) {
- if (openkmem(kernel, core) == -1)
- exit(1);
-
- natstat_dead(nsp, kernel);
- if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 0);
- exit(0);
- }
-
- if (opts & (OPT_FLUSH|OPT_CLEAR))
- flushtable(fd, opts);
- if (file) {
- ipnat_parsefile(fd, ipnat_addrule, ioctl, file);
- }
- if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, nsp, opts, 1);
- return 0;
-}
-
-
-/*
- * Read NAT statistic information in using a symbol table and memory file
- * rather than doing ioctl's.
- */
-void natstat_dead(nsp, kernel)
-natstat_t *nsp;
-char *kernel;
-{
- struct nlist nat_nlist[10] = {
- { "nat_table" }, /* 0 */
- { "nat_list" },
- { "maptable" },
- { "ipf_nattable_sz" },
- { "ipf_natrules_sz" },
- { "ipf_rdrrules_sz" }, /* 5 */
- { "ipf_hostmap_sz" },
- { "nat_instances" },
- { "ap_sess_list" },
- { NULL }
- };
- void *tables[2];
-
- if (nlist(kernel, nat_nlist) == -1) {
- fprintf(stderr, "nlist error\n");
- return;
- }
-
- /*
- * Normally the ioctl copies all of these values into the structure
- * for us, before returning it to userland, so here we must copy each
- * one in individually.
- */
- kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables));
- nsp->ns_table[0] = tables[0];
- nsp->ns_table[1] = tables[1];
-
- kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value,
- sizeof(nsp->ns_list));
- kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value,
- sizeof(nsp->ns_maptable));
- kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value,
- sizeof(nsp->ns_nattab_sz));
- kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value,
- sizeof(nsp->ns_rultab_sz));
- kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value,
- sizeof(nsp->ns_rdrtab_sz));
- kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value,
- sizeof(nsp->ns_hostmap_sz));
- kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value,
- sizeof(nsp->ns_instances));
- kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value,
- sizeof(nsp->ns_apslist));
-}
-
-
-/*
- * Issue an ioctl to flush either the NAT rules table or the active mapping
- * table or both.
- */
-void flushtable(fd, opts)
-int fd, opts;
-{
- int n = 0;
-
- if (opts & OPT_FLUSH) {
- n = 0;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCFLNAT)");
- else
- printf("%d entries flushed from NAT table\n", n);
- }
-
- if (opts & OPT_CLEAR) {
- n = 1;
- if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCCNATL)");
- else
- printf("%d entries flushed from NAT list\n", n);
- }
-}
-
-
-/*
- * Display NAT statistics.
- */
-void dostats_dead(nsp, opts)
-natstat_t *nsp;
-int opts;
-{
- nat_t *np, nat;
- ipnat_t ipn;
-
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (kmemcpy((char *)&ipn, (long)nsp->ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- break;
- }
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- printf("\nList of active sessions:\n");
-
- for (np = nsp->ns_instances; np; np = nat.nat_next) {
- if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
- break;
- printactivenat(&nat, opts, 0, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
- }
-
- if (opts & OPT_VERBOSE)
- showhostmap_dead(nsp);
-}
-
-
-void dostats(fd, nsp, opts, alive)
-natstat_t *nsp;
-int fd, opts, alive;
-{
- /*
- * Show statistics ?
- */
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- nsp->ns_mapped[0], nsp->ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- nsp->ns_added, nsp->ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- nsp->ns_memfail, nsp->ns_badnat);
- printf("inuse\t%lu\norphans\t%u\nrules\t%lu\n",
- nsp->ns_inuse, nsp->ns_orphans, nsp->ns_rules);
- printf("wilds\t%u\n", nsp->ns_wilds);
- dotable(nsp, fd, alive);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n",
- nsp->ns_table, nsp->ns_list);
- if (alive)
- showtqtable_live(fd);
- }
-
- if (opts & OPT_LIST) {
- if (alive)
- dostats_live(fd, nsp, opts);
- else
- dostats_dead(nsp, opts);
- }
-}
-
-
-void dotable(nsp, fd, alive)
-natstat_t *nsp;
-int fd, alive;
-{
- int sz, i, used, totallen, maxlen, minlen;
- ipftable_t table;
- u_long *buckets;
- ipfobj_t obj;
-
- sz = sizeof(*buckets) * nsp->ns_nattab_sz;
- buckets = (u_long *)malloc(sz);
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GTABLE;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = &table;
-
- table.ita_type = IPFTABLE_BUCKETS_NATIN;
- table.ita_table = buckets;
-
- if (alive) {
- if (ioctl(fd, SIOCGTABL, &obj) != 0) {
- free(buckets);
- return;
- }
- } else {
- if (kmemcpy((char *)buckets, (u_long)nsp->ns_nattab_sz, sz)) {
- free(buckets);
- return;
- }
- }
-
- totallen = 0;
- maxlen = 0;
- minlen = nsp->ns_inuse;
- used = 0;
-
- for (i = 0; i < nsp->ns_nattab_sz; i++) {
- if (buckets[i] > maxlen)
- maxlen = buckets[i];
- if (buckets[i] < minlen)
- minlen = buckets[i];
- if (buckets[i] != 0)
- used++;
- totallen += buckets[i];
- }
-
- printf("hash efficiency\t%2.2f%%\n",
- totallen ? ((float)used / totallen) * 100.0 : 0.0);
- printf("bucket usage\t%2.2f%%\n",
- ((float)used / nsp->ns_nattab_sz) * 100.0);
- printf("minimal length\t%d\n", minlen);
- printf("maximal length\t%d\n", maxlen);
- printf("average length\t%.3f\n", used ? (float)totallen / used : 0.0);
-}
-
-
-/*
- * Display NAT statistics.
- */
-void dostats_live(fd, nsp, opts)
-natstat_t *nsp;
-int fd, opts;
-{
- ipfgeniter_t iter;
- ipfobj_t obj;
- ipnat_t ipn;
- nat_t nat;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.igi_type = IPFGENITER_IPNAT;
- iter.igi_nitems = 1;
- iter.igi_data = &ipn;
-
- /*
- * Show list of NAT rules and NAT sessions ?
- */
- printf("List of active MAP/Redirect filters:\n");
- while (nsp->ns_list) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- if (opts & OPT_HITS)
- printf("%lu ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
- nsp->ns_list = ipn.in_next;
- }
-
- printf("\nList of active sessions:\n");
-
- iter.igi_type = IPFGENITER_NAT;
- iter.igi_nitems = 1;
- iter.igi_data = &nat;
-
- while (nsp->ns_instances != NULL) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- printactivenat(&nat, opts, 1, nsp->ns_ticks);
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
- nsp->ns_instances = nat.nat_next;
- }
-
- if (opts & OPT_VERBOSE)
- showhostmap_live(fd, nsp);
-}
-
-
-/*
- * Display the active host mapping table.
- */
-void showhostmap_dead(nsp)
-natstat_t *nsp;
-{
- hostmap_t hm, *hmp, **maptable;
- u_int hv;
-
- printf("\nList of active host mappings:\n");
-
- maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
- nsp->ns_hostmap_sz);
- if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable,
- sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) {
- perror("kmemcpy (maptable)");
- return;
- }
-
- for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) {
- hmp = maptable[hv];
-
- while (hmp) {
- if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) {
- perror("kmemcpy (hostmap)");
- return;
- }
-
- printhostmap(&hm, hv);
- hmp = hm.hm_next;
- }
- }
- free(maptable);
-}
-
-
-/*
- * Display the active host mapping table.
- */
-void showhostmap_live(fd, nsp)
-int fd;
-natstat_t *nsp;
-{
- ipfgeniter_t iter;
- hostmap_t hm;
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_GENITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.igi_type = IPFGENITER_HOSTMAP;
- iter.igi_nitems = 1;
- iter.igi_data = &hm;
-
- printf("\nList of active host mappings:\n");
-
- while (nsp->ns_maplist != NULL) {
- if (ioctl(fd, SIOCGENITER, &obj) == -1)
- break;
- printhostmap(&hm, 0);
- nsp->ns_maplist = hm.hm_next;
- }
-}
-
-
-void showtqtable_live(fd)
-int fd;
-{
- ipftq_t table[IPF_TCP_NSTATES];
- ipfobj_t obj;
-
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(table);
- obj.ipfo_ptr = (void *)table;
- obj.ipfo_type = IPFOBJ_STATETQTAB;
-
- if (ioctl(fd, SIOCGTQTAB, &obj) == 0) {
- printtqtable(table);
- }
-}
diff --git a/contrib/ipfilter/tools/ipnat_y.y b/contrib/ipfilter/tools/ipnat_y.y
deleted file mode 100644
index 6208c98..0000000
--- a/contrib/ipfilter/tools/ipnat_y.y
+++ /dev/null
@@ -1,871 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#ifdef __FreeBSD__
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <syslog.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "ipnat_l.h"
-
-#define YYDEBUG 1
-
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-
-static ipnat_t *nattop = NULL;
-static ipnat_t *nat = NULL;
-static int natfd = -1;
-static ioctlfunc_t natioctlfunc = NULL;
-static addfunc_t nataddfunc = NULL;
-static int suggest_port = 0;
-
-static void newnatrule __P((void));
-static void setnatproto __P((int));
-
-%}
-%union {
- char *str;
- u_32_t num;
- struct in_addr ipa;
- frentry_t fr;
- frtuc_t *frt;
- u_short port;
- struct {
- u_short p1;
- u_short p2;
- int pc;
- } pc;
- struct {
- struct in_addr a;
- struct in_addr m;
- } ipp;
- union i6addr ip6;
-};
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPNY_MAPBLOCK IPNY_RDR IPNY_PORT IPNY_PORTS IPNY_AUTO IPNY_RANGE
-%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
-%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
-%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE
-%type <port> portspec
-%type <num> hexnumber compare range proto
-%type <ipa> hostname ipv4
-%type <ipp> addr nummask rhaddr
-%type <pc> portstuff
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: xx rule { while ((nat = nattop) != NULL) {
- nattop = nat->in_next;
- (*nataddfunc)(natfd, natioctlfunc, nat);
- free(nat);
- }
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-xx: { newnatrule(); }
- ;
-
-rule: map eol
- | mapblock eol
- | redir eol
- ;
-
-eol: | ';'
- ;
-
-map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions
- { nat->in_v = 4;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- ;
-
-mapblock:
- mapblockit ifnames addr IPNY_TLATE addr ports mapoptions
- { nat->in_v = 4;
- nat->in_inip = $3.a.s_addr;
- nat->in_inmsk = $3.m.s_addr;
- nat->in_outip = $5.a.s_addr;
- nat->in_outmsk = $5.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_flags & IPN_TCPUDP) == 0)
- setnatproto(nat->in_p);
- if (((nat->in_redir & NAT_MAPBLK) != 0) ||
- ((nat->in_flags & IPN_AUTOPORTMAP) != 0))
- nat_setgroupmap(nat);
- }
- ;
-
-redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- }
- | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions
- { nat->in_v = 4;
- if ((nat->in_p == 0) &&
- ((nat->in_flags & IPN_TCPUDP) == 0) &&
- (nat->in_pmin != 0 ||
- nat->in_pmax != 0 ||
- nat->in_pnext != 0))
- setnatproto(IPPROTO_TCP);
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- | rdrit ifnames addr IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- nat->in_outip = $3.a.s_addr;
- nat->in_outmsk = $3.m.s_addr;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- | rdrit ifnames rdrfrom IPNY_TLATE dip setproto rdroptions
- { nat->in_v = 4;
- if ((suggest_port == 1) &&
- (nat->in_flags & IPN_TCPUDP) == 0)
- nat->in_flags |= IPN_TCPUDP;
- if (nat->in_ifnames[1][0] == '\0')
- strncpy(nat->in_ifnames[1],
- nat->in_ifnames[0],
- sizeof(nat->in_ifnames[0]));
- }
- ;
-
-proxy: | IPNY_PROXY port portspec YY_STR '/' proto
- { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
- if (nat->in_dcmp == 0) {
- nat->in_dport = htons($3);
- } else if ($3 != nat->in_dport) {
- yyerror("proxy port numbers not consistant");
- }
- setnatproto($6);
- free($4);
- }
- | IPNY_PROXY port YY_STR YY_STR '/' proto
- { int pnum;
- strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel));
- pnum = getportproto($3, $6);
- if (pnum == -1)
- yyerror("invalid port number");
- nat->in_dport = pnum;
- setnatproto($6);
- free($3);
- free($4);
- }
- ;
-
-setproto:
- | proto { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- setnatproto($1);
- }
- | IPNY_TCPUDP { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- | IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 ||
- nat->in_flags & IPN_TCPUDP)
- yyerror("protocol set twice");
- nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- ;
-
-rhaddr: addr { $$.a = $1.a; $$.m = $1.m; }
- | IPNY_RANGE ipv4 '-' ipv4
- { $$.a = $2; $$.m = $4;
- nat->in_flags |= IPN_IPRANGE; }
- ;
-
-dip:
- hostname { nat->in_inip = $1.s_addr;
- nat->in_inmsk = 0xffffffff; }
- | hostname '/' YY_NUMBER { if ($3 != 0 || $1.s_addr != 0)
- yyerror("Only 0/0 supported");
- nat->in_inip = 0;
- nat->in_inmsk = 0;
- }
- | hostname ',' hostname { nat->in_flags |= IPN_SPLIT;
- nat->in_inip = $1.s_addr;
- nat->in_inmsk = $3.s_addr; }
- ;
-
-port: IPNY_PORT { suggest_port = 1; }
- ;
-
-portspec:
- YY_NUMBER { if ($1 > 65535) /* Unsigned */
- yyerror("invalid port number");
- else
- $$ = $1;
- }
- | YY_STR { if (getport(NULL, $1, &($$)) == -1)
- yyerror("invalid port number");
- $$ = ntohs($$);
- }
- ;
-
-dport: | port portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($2); }
- | port portspec '-' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- | port portspec ':' portspec { nat->in_pmin = htons($2);
- nat->in_pmax = htons($4); }
- ;
-
-nport: port portspec { nat->in_pnext = htons($2); }
- | port '=' portspec { nat->in_pnext = htons($3);
- nat->in_flags |= IPN_FIXEDDPORT;
- }
- ;
-
-ports: | IPNY_PORTS YY_NUMBER { nat->in_pmin = $2; }
- | IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; }
- ;
-
-mapit: IPNY_MAP { nat->in_redir = NAT_MAP; }
- | IPNY_BIMAP { nat->in_redir = NAT_BIMAP; }
- ;
-
-rdrit: IPNY_RDR { nat->in_redir = NAT_REDIRECT; }
- ;
-
-mapblockit:
- IPNY_MAPBLOCK { nat->in_redir = NAT_MAPBLK; }
- ;
-
-mapfrom:
- from sobject IPNY_TO dobject
- | from sobject '!' IPNY_TO dobject
- { nat->in_flags |= IPN_NOTDST; }
- | from sobject IPNY_TO '!' dobject
- { nat->in_flags |= IPN_NOTDST; }
- ;
-
-rdrfrom:
- from sobject IPNY_TO dobject
- | '!' from sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- | from '!' sobject IPNY_TO dobject
- { nat->in_flags |= IPN_NOTSRC; }
- ;
-
-from: IPNY_FROM { nat->in_flags |= IPN_FILTER; }
- ;
-
-ifnames:
- ifname
- | ifname ',' otherifname
- ;
-
-ifname: YY_STR { strncpy(nat->in_ifnames[0], $1,
- sizeof(nat->in_ifnames[0]));
- nat->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
- ;
-
-otherifname:
- YY_STR { strncpy(nat->in_ifnames[1], $1,
- sizeof(nat->in_ifnames[1]));
- nat->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- free($1);
- }
- ;
-
-mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec
- { nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- | IPNY_PORTMAP tcpudp IPNY_AUTO
- { nat->in_flags |= IPN_AUTOPORTMAP;
- nat->in_pmin = htons(1024);
- nat->in_pmax = htons(65535);
- }
- | IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER
- { if (strcmp($2, "icmp") != 0) {
- yyerror("icmpidmap not followed by icmp");
- }
- free($2);
- if ($3 < 0 || $3 > 65535)
- yyerror("invalid ICMP Id number");
- if ($5 < 0 || $5 > 65535)
- yyerror("invalid ICMP Id number");
- nat->in_flags = IPN_ICMPQUERY;
- nat->in_pmin = htons($3);
- nat->in_pmax = htons($5);
- }
- ;
-
-sobject:
- saddr
- | saddr port portstuff { nat->in_sport = $3.p1;
- nat->in_stop = $3.p2;
- nat->in_scmp = $3.pc; }
- ;
-
-saddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- } else {
- nat->in_inip = $1.a.s_addr;
- nat->in_inmsk = $1.m.s_addr;
- }
- }
- ;
-
-dobject:
- daddr
- | daddr port portstuff { nat->in_dport = $3.p1;
- nat->in_dtop = $3.p2;
- nat->in_dcmp = $3.pc;
- if (nat->in_redir == NAT_REDIRECT)
- nat->in_pmin = htons($3.p1);
- }
- ;
-
-daddr: addr { if (nat->in_redir == NAT_REDIRECT) {
- nat->in_outip = $1.a.s_addr;
- nat->in_outmsk = $1.m.s_addr;
- } else {
- nat->in_srcip = $1.a.s_addr;
- nat->in_srcmsk = $1.m.s_addr;
- }
- }
- ;
-
-addr: IPNY_ANY { $$.a.s_addr = 0; $$.m.s_addr = 0; }
- | nummask { $$.a = $1.a; $$.m = $1.m;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname '/' hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK ipv4 { $$.a = $1; $$.m = $3;
- $$.a.s_addr &= $$.m.s_addr; }
- | hostname IPNY_MASK hexnumber { $$.a = $1; $$.m.s_addr = htonl($3);
- $$.a.s_addr &= $$.m.s_addr; }
- ;
-
-nummask:
- hostname { $$.a = $1;
- $$.m.s_addr = 0xffffffff; }
- | hostname '/' YY_NUMBER { $$.a = $1;
- ntomask(4, $3, &$$.m.s_addr); }
- ;
-
-portstuff:
- compare portspec { $$.pc = $1; $$.p1 = $2; }
- | portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p2 = $3; }
- ;
-
-mapoptions:
- rr frag age mssclamp nattag setproto
- ;
-
-rdroptions:
- rr frag age sticky mssclamp rdrproxy nattag
- ;
-
-nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
- sizeof(nat->in_tag.ipt_tag));
- }
-rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
- ;
-
-frag: | IPNY_FRAG { nat->in_flags |= IPN_FRAG; }
- ;
-
-age: | IPNY_AGE YY_NUMBER { nat->in_age[0] = $2;
- nat->in_age[1] = $2; }
- | IPNY_AGE YY_NUMBER '/' YY_NUMBER { nat->in_age[0] = $2;
- nat->in_age[1] = $4; }
- ;
-
-sticky: | IPNY_STICKY { if (!(nat->in_flags & IPN_ROUNDR) &&
- !(nat->in_flags & IPN_SPLIT)) {
- fprintf(stderr,
- "'sticky' for use with round-robin/IP splitting only\n");
- } else
- nat->in_flags |= IPN_STICKY;
- }
- ;
-
-mssclamp:
- | IPNY_MSSCLAMP YY_NUMBER { nat->in_mssclamp = $2; }
- ;
-
-tcpudp: | IPNY_TCP { setnatproto(IPPROTO_TCP); }
- | IPNY_UDP { setnatproto(IPPROTO_UDP); }
- | IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- | IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP;
- nat->in_p = 0;
- }
- ;
-
-rdrproxy:
- IPNY_PROXY YY_STR
- { strncpy(nat->in_plabel, $2,
- sizeof(nat->in_plabel));
- nat->in_dport = nat->in_pnext;
- nat->in_dport = htons(nat->in_dport);
- free($2);
- }
- | proxy { if (nat->in_plabel[0] != '\0') {
- nat->in_pmin = nat->in_dport;
- nat->in_pmax = nat->in_pmin;
- nat->in_pnext = nat->in_pmin;
- }
- }
- ;
-
-proto: YY_NUMBER { $$ = $1;
- if ($$ != IPPROTO_TCP &&
- $$ != IPPROTO_UDP)
- suggest_port = 0;
- }
- | IPNY_TCP { $$ = IPPROTO_TCP; }
- | IPNY_UDP { $$ = IPPROTO_UDP; }
- | YY_STR { $$ = getproto($1); free($1);
- if ($$ != IPPROTO_TCP &&
- $$ != IPPROTO_UDP)
- suggest_port = 0;
- }
- ;
-
-hexnumber:
- YY_HEX { $$ = $1; }
- ;
-
-hostname:
- YY_STR { if (gethost($1, &$$.s_addr) == -1)
- fprintf(stderr,
- "Unknown host '%s'\n",
- $1);
- free($1);
- }
- | YY_NUMBER { $$.s_addr = htonl($1); }
- | ipv4 { $$.s_addr = $1.s_addr; }
- ;
-
-compare:
- '=' { $$ = FR_EQUAL; }
- | YY_CMP_EQ { $$ = FR_EQUAL; }
- | YY_CMP_NE { $$ = FR_NEQUAL; }
- | YY_CMP_LT { $$ = FR_LESST; }
- | YY_CMP_LE { $$ = FR_LESSTE; }
- | YY_CMP_GT { $$ = FR_GREATERT; }
- | YY_CMP_GE { $$ = FR_GREATERTE; }
-
-range:
- YY_RANGE_OUT { $$ = FR_OUTRANGE; }
- | YY_RANGE_IN { $$ = FR_INRANGE; }
- | ':' { $$ = FR_INCRANGE; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-
-%%
-
-
-static wordtab_t yywords[] = {
- { "age", IPNY_AGE },
- { "any", IPNY_ANY },
- { "auto", IPNY_AUTO },
- { "bimap", IPNY_BIMAP },
- { "frag", IPNY_FRAG },
- { "from", IPNY_FROM },
- { "icmpidmap", IPNY_ICMPIDMAP },
- { "mask", IPNY_MASK },
- { "map", IPNY_MAP },
- { "map-block", IPNY_MAPBLOCK },
- { "mssclamp", IPNY_MSSCLAMP },
- { "netmask", IPNY_MASK },
- { "port", IPNY_PORT },
- { "portmap", IPNY_PORTMAP },
- { "ports", IPNY_PORTS },
- { "proxy", IPNY_PROXY },
- { "range", IPNY_RANGE },
- { "rdr", IPNY_RDR },
- { "round-robin",IPNY_ROUNDROBIN },
- { "sticky", IPNY_STICKY },
- { "tag", IPNY_TAG },
- { "tcp", IPNY_TCP },
- { "tcpudp", IPNY_TCPUDP },
- { "to", IPNY_TO },
- { "udp", IPNY_UDP },
- { "-", '-' },
- { "->", IPNY_TLATE },
- { "eq", YY_CMP_EQ },
- { "ne", YY_CMP_NE },
- { "lt", YY_CMP_LT },
- { "gt", YY_CMP_GT },
- { "le", YY_CMP_LE },
- { "ge", YY_CMP_GE },
- { NULL, 0 }
-};
-
-
-int ipnat_parsefile(fd, addfunc, ioctlfunc, filename)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-char *filename;
-{
- FILE *fp = NULL;
- char *s;
-
- (void) yysettab(yywords);
-
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ipnat_parsesome(fd, addfunc, ioctlfunc, fp) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ipnat_parsesome(fd, addfunc, ioctlfunc, fp)
-int fd;
-addfunc_t addfunc;
-ioctlfunc_t ioctlfunc;
-FILE *fp;
-{
- char *s;
- int i;
-
- yylineNum = 1;
-
- natfd = fd;
- nataddfunc = addfunc;
- natioctlfunc = ioctlfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == EOF)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static void newnatrule()
-{
- ipnat_t *n;
-
- n = calloc(1, sizeof(*n));
- if (n == NULL)
- return;
-
- if (nat == NULL)
- nattop = nat = n;
- else {
- nat->in_next = n;
- nat = n;
- }
-
- suggest_port = 0;
-}
-
-
-static void setnatproto(p)
-int p;
-{
- nat->in_p = p;
-
- switch (p)
- {
- case IPPROTO_TCP :
- nat->in_flags |= IPN_TCP;
- nat->in_flags &= ~IPN_UDP;
- break;
- case IPPROTO_UDP :
- nat->in_flags |= IPN_UDP;
- nat->in_flags &= ~IPN_TCP;
- break;
- case IPPROTO_ICMP :
- nat->in_flags &= ~IPN_TCPUDP;
- if (!(nat->in_flags & IPN_ICMPQUERY)) {
- nat->in_dcmp = 0;
- nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
- }
- break;
- default :
- if ((nat->in_redir & NAT_MAPBLK) == 0) {
- nat->in_flags &= ~IPN_TCPUDP;
- nat->in_dcmp = 0;
- nat->in_scmp = 0;
- nat->in_pmin = 0;
- nat->in_pmax = 0;
- nat->in_pnext = 0;
- }
- break;
- }
-
- if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT)
- nat->in_flags &= ~IPN_FIXEDDPORT;
-}
-
-
-void ipnat_addrule(fd, ioctlfunc, ptr)
-int fd;
-ioctlfunc_t ioctlfunc;
-void *ptr;
-{
- ioctlcmd_t add, del;
- ipfobj_t obj;
- ipnat_t *ipn;
-
- ipn = ptr;
- bzero((char *)&obj, sizeof(obj));
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(ipnat_t);
- obj.ipfo_type = IPFOBJ_IPNAT;
- obj.ipfo_ptr = ptr;
- add = 0;
- del = 0;
-
- if ((opts & OPT_DONOTHING) != 0)
- fd = -1;
-
- if (opts & OPT_ZERORULEST) {
- add = SIOCZRLST;
- } else if (opts & OPT_INACTIVE) {
- add = SIOCADNAT;
- del = SIOCRMNAT;
- } else {
- add = SIOCADNAT;
- del = SIOCRMNAT;
- }
-
- if ((opts & OPT_VERBOSE) != 0)
- printnat(ipn, opts);
-
- if (opts & OPT_DEBUG)
- binprint(ipn, sizeof(*ipn));
-
- if ((opts & OPT_ZERORULEST) != 0) {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(SIOCZRLST)");
- }
- } else {
-#ifdef USE_QUAD_T
-/*
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-*/
-#else
-/*
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-*/
-#endif
- printnat(ipn, opts);
- }
- } else if ((opts & OPT_REMOVE) != 0) {
- if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(delete nat rule)");
- }
- }
- } else {
- if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) {
- if ((opts & OPT_DONOTHING) == 0) {
- fprintf(stderr, "%d:", yylineNum);
- perror("ioctl(add/insert nat rule)");
- }
- }
- }
-}
diff --git a/contrib/ipfilter/tools/ippool.c b/contrib/ipfilter/tools/ippool.c
deleted file mode 100644
index cbdfd69..0000000
--- a/contrib/ipfilter/tools/ippool.c
+++ /dev/null
@@ -1,876 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#if defined(BSD) && (BSD >= 199306)
-# include <sys/cdefs.h>
-#endif
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <unistd.h>
-#ifdef linux
-# include <linux/a.out.h>
-#else
-# include <nlist.h>
-#endif
-
-#include "ipf.h"
-#include "netinet/ipl.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "kmem.h"
-
-
-extern int ippool_yyparse __P((void));
-extern int ippool_yydebug;
-extern FILE *ippool_yyin;
-extern char *optarg;
-extern int lineNum;
-
-void usage __P((char *));
-int main __P((int, char **));
-int poolcommand __P((int, int, char *[]));
-int poolnodecommand __P((int, int, char *[]));
-int loadpoolfile __P((int, char *[], char *));
-int poollist __P((int, char *[]));
-void poollist_dead __P((int, char *, int, char *, char *));
-void poollist_live __P((int, char *, int, int));
-int poolflush __P((int, char *[]));
-int poolstats __P((int, char *[]));
-int gettype __P((char *, u_int *));
-int getrole __P((char *));
-int setnodeaddr __P((ip_pool_node_t *node, char *arg));
-void showpools_live __P((int, int, ip_pool_stat_t *, char *));
-void showhashs_live __P((int, int, iphtstat_t *, char *));
-
-int opts = 0;
-int fd = -1;
-int use_inet6 = 0;
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage:\t%s\n", prog);
- fprintf(stderr, "\t\t\t-a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-f <file> [-dnuv]\n");
- fprintf(stderr, "\t\t\t-F [-dv] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-l [-dv] [-m <name>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/netmask]\n");
- fprintf(stderr, "\t\t\t-R [-dnv] [-m <name>] [-o <role>] [-t <type>]\n");
- fprintf(stderr, "\t\t\t-s [-dtv] [-M <core>] [-N <namelist>]\n");
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int err;
-
- if (argc < 2)
- usage(argv[0]);
-
- switch (getopt(argc, argv, "aAf:FlrRs"))
- {
- case 'a' :
- err = poolnodecommand(0, argc, argv);
- break;
- case 'A' :
- err = poolcommand(0, argc, argv);
- break;
- case 'f' :
- err = loadpoolfile(argc, argv, optarg);
- break;
- case 'F' :
- err = poolflush(argc, argv);
- break;
- case 'l' :
- err = poollist(argc, argv);
- break;
- case 'r' :
- err = poolnodecommand(1, argc, argv);
- break;
- case 'R' :
- err = poolcommand(1, argc, argv);
- break;
- case 's' :
- err = poolstats(argc, argv);
- break;
- default :
- exit(1);
- }
-
- if (err != 0)
- exit(1);
- return 0;
-}
-
-
-int poolnodecommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
-{
- int err, c, ipset, role;
- char *poolname = NULL;
- ip_pool_node_t node;
-
- ipset = 0;
- role = IPL_LOGIPF;
- bzero((char *)&node, sizeof(node));
-
- while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'i' :
- if (setnodeaddr(&node, optarg) == 0)
- ipset = 1;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE)
- return -1;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (argv[optind] != NULL && ipset == 0) {
- if (setnodeaddr(&node, argv[optind]) == 0)
- ipset = 1;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolnodecommand: opts = %#x\n", opts);
-
- if (ipset == 0) {
- fprintf(stderr, "no IP address given with -i\n");
- return -1;
- }
-
- if (poolname == NULL) {
- fprintf(stderr, "poolname not given with add/remove node\n");
- return -1;
- }
-
- if (remove == 0)
- err = load_poolnode(0, poolname, &node, ioctl);
- else
- err = remove_poolnode(0, poolname, &node, ioctl);
- return err;
-}
-
-
-int poolcommand(remove, argc, argv)
-int remove, argc;
-char *argv[];
-{
- int type, role, c, err;
- char *poolname;
- iphtable_t iph;
- ip_pool_t pool;
-
- err = 1;
- role = 0;
- type = 0;
- poolname = NULL;
- role = IPL_LOGIPF;
- bzero((char *)&iph, sizeof(iph));
- bzero((char *)&pool, sizeof(pool));
-
- while ((c = getopt(argc, argv, "dm:no:RSt:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'S' :
- iph.iph_seed = atoi(optarg);
- break;
- case 't' :
- type = gettype(optarg, &iph.iph_type);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolcommand: opts = %#x\n", opts);
-
- if (poolname == NULL) {
- fprintf(stderr, "poolname not given with add/remove pool\n");
- return -1;
- }
-
- if (type == IPLT_HASH) {
- strncpy(iph.iph_name, poolname, sizeof(iph.iph_name));
- iph.iph_name[sizeof(iph.iph_name) - 1] = '\0';
- iph.iph_unit = role;
- } else if (type == IPLT_POOL) {
- strncpy(pool.ipo_name, poolname, sizeof(pool.ipo_name));
- pool.ipo_name[sizeof(pool.ipo_name) - 1] = '\0';
- pool.ipo_unit = role;
- }
-
- if (remove == 0) {
- switch (type)
- {
- case IPLT_HASH :
- err = load_hash(&iph, NULL, ioctl);
- break;
- case IPLT_POOL :
- err = load_pool(&pool, ioctl);
- break;
- }
- } else {
- switch (type)
- {
- case IPLT_HASH :
- err = remove_hash(&iph, ioctl);
- break;
- case IPLT_POOL :
- err = remove_pool(&pool, ioctl);
- break;
- }
- }
- return err;
-}
-
-
-int loadpoolfile(argc, argv, infile)
-int argc;
-char *argv[], *infile;
-{
- int c;
-
- infile = optarg;
-
- while ((c = getopt(argc, argv, "dnRuv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- ippool_yydebug++;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 'u' :
- opts |= OPT_REMOVE;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "loadpoolfile: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- if (ippool_parsefile(fd, infile, ioctl) != 0)
- return -1;
- return 0;
-}
-
-
-int poolstats(argc, argv)
-int argc;
-char *argv[];
-{
- int c, type, role, live_kernel;
- ip_pool_stat_t plstat;
- char *kernel, *core;
- iphtstat_t htstat;
- iplookupop_t op;
-
- core = NULL;
- kernel = NULL;
- live_kernel = 1;
- type = IPLT_ALL;
- role = IPL_LOGALL;
-
- bzero((char *)&op, sizeof(op));
-
- while ((c = getopt(argc, argv, "dM:N:o:t:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'M' :
- live_kernel = 0;
- core = optarg;
- break;
- case 'N' :
- live_kernel = 0;
- kernel = optarg;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type != IPLT_POOL) {
- fprintf(stderr,
- "-s not supported for this type yet\n");
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolstats: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- op.iplo_type = IPLT_POOL;
- op.iplo_struct = &plstat;
- op.iplo_size = sizeof(plstat);
- if (!(opts & OPT_DONOTHING)) {
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return -1;
- }
- printf("Pools:\t%lu\n", plstat.ipls_pools);
- printf("Nodes:\t%lu\n", plstat.ipls_nodes);
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_HASH) {
- op.iplo_type = IPLT_HASH;
- op.iplo_struct = &htstat;
- op.iplo_size = sizeof(htstat);
- if (!(opts & OPT_DONOTHING)) {
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return -1;
- }
- printf("Hash Tables:\t%lu\n", htstat.iphs_numtables);
- printf("Nodes:\t%lu\n", htstat.iphs_numnodes);
- printf("Out of Memory:\t%lu\n", htstat.iphs_nomem);
- }
- }
- return 0;
-}
-
-
-int poolflush(argc, argv)
-int argc;
-char *argv[];
-{
- int c, role, type, arg;
- iplookupflush_t flush;
-
- arg = IPLT_ALL;
- type = IPLT_ALL;
- role = IPL_LOGALL;
-
- while ((c = getopt(argc, argv, "do:t:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poolflush: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- bzero((char *)&flush, sizeof(flush));
- flush.iplf_type = type;
- flush.iplf_unit = role;
- flush.iplf_arg = arg;
-
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCLOOKUPFLUSH, &flush) == -1) {
- perror("ioctl(SIOCLOOKUPFLUSH)");
- exit(1);
- }
-
- }
- printf("%u object%s flushed\n", flush.iplf_count,
- (flush.iplf_count == 1) ? "" : "s");
-
- return 0;
-}
-
-
-int getrole(rolename)
-char *rolename;
-{
- int role;
-
- if (!strcasecmp(rolename, "ipf")) {
- role = IPL_LOGIPF;
-#if 0
- } else if (!strcasecmp(rolename, "nat")) {
- role = IPL_LOGNAT;
- } else if (!strcasecmp(rolename, "state")) {
- role = IPL_LOGSTATE;
- } else if (!strcasecmp(rolename, "auth")) {
- role = IPL_LOGAUTH;
- } else if (!strcasecmp(rolename, "sync")) {
- role = IPL_LOGSYNC;
- } else if (!strcasecmp(rolename, "scan")) {
- role = IPL_LOGSCAN;
- } else if (!strcasecmp(rolename, "pool")) {
- role = IPL_LOGLOOKUP;
- } else if (!strcasecmp(rolename, "count")) {
- role = IPL_LOGCOUNT;
-#endif
- } else {
- role = IPL_LOGNONE;
- }
-
- return role;
-}
-
-
-int gettype(typename, minor)
-char *typename;
-u_int *minor;
-{
- int type;
-
- if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {
- type = IPLT_POOL;
- } else if (!strcasecmp(optarg, "hash")) {
- type = IPLT_HASH;
- if (minor != NULL)
- *minor = IPHASH_LOOKUP;
- } else if (!strcasecmp(optarg, "group-map")) {
- type = IPLT_HASH;
- if (minor != NULL)
- *minor = IPHASH_GROUPMAP;
- } else {
- type = IPLT_NONE;
- }
- return type;
-}
-
-
-int poollist(argc, argv)
-int argc;
-char *argv[];
-{
- char *kernel, *core, *poolname;
- int c, role, type, live_kernel;
- iplookupop_t op;
-
- core = NULL;
- kernel = NULL;
- live_kernel = 1;
- type = IPLT_ALL;
- poolname = NULL;
- role = IPL_LOGALL;
-
- while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'm' :
- poolname = optarg;
- break;
- case 'M' :
- live_kernel = 0;
- core = optarg;
- break;
- case 'N' :
- live_kernel = 0;
- kernel = optarg;
- break;
- case 'o' :
- role = getrole(optarg);
- if (role == IPL_LOGNONE) {
- fprintf(stderr, "unknown role '%s'\n", optarg);
- return -1;
- }
- break;
- case 'R' :
- opts |= OPT_NORESOLVE;
- break;
- case 't' :
- type = gettype(optarg, NULL);
- if (type == IPLT_NONE) {
- fprintf(stderr, "unknown type '%s'\n", optarg);
- return -1;
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (opts & OPT_DEBUG)
- fprintf(stderr, "poollist: opts = %#x\n", opts);
-
- if (!(opts & OPT_DONOTHING) && (fd == -1)) {
- fd = open(IPLOOKUP_NAME, O_RDWR);
- if (fd == -1) {
- perror("open(IPLOOKUP_NAME)");
- exit(1);
- }
- }
-
- bzero((char *)&op, sizeof(op));
- if (poolname != NULL) {
- strncpy(op.iplo_name, poolname, sizeof(op.iplo_name));
- op.iplo_name[sizeof(op.iplo_name) - 1] = '\0';
- }
- op.iplo_unit = role;
-
- if (live_kernel)
- poollist_live(role, poolname, type, fd);
- else
- poollist_dead(role, poolname, type, kernel, core);
- return 0;
-}
-
-
-void poollist_dead(role, poolname, type, kernel, core)
-int role, type;
-char *poolname, *kernel, *core;
-{
- iphtable_t *hptr;
- ip_pool_t *ptr;
-
- if (openkmem(kernel, core) == -1)
- exit(-1);
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- ip_pool_t *pools[IPL_LOGSIZE];
- struct nlist names[2] = { { "ip_pool_list" } , { "" } };
-
- if (nlist(kernel, names) != 1)
- return;
-
- bzero(&pools, sizeof(pools));
- if (kmemcpy((char *)&pools, names[0].n_value, sizeof(pools)))
- return;
-
- if (role != IPL_LOGALL) {
- ptr = pools[role];
- while (ptr != NULL) {
- ptr = printpool(ptr, kmemcpywrap, poolname,
- opts);
- }
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- ptr = pools[role];
- while (ptr != NULL) {
- ptr = printpool(ptr, kmemcpywrap,
- poolname, opts);
- }
- }
- role = IPL_LOGALL;
- }
- }
- if (type == IPLT_ALL || type == IPLT_HASH) {
- iphtable_t *tables[IPL_LOGSIZE];
- struct nlist names[2] = { { "ipf_htables" } , { "" } };
-
- if (nlist(kernel, names) != 1)
- return;
-
- bzero(&tables, sizeof(tables));
- if (kmemcpy((char *)&tables, names[0].n_value, sizeof(tables)))
- return;
-
- if (role != IPL_LOGALL) {
- hptr = tables[role];
- while (hptr != NULL) {
- hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
- }
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- hptr = tables[role];
- while (hptr != NULL) {
- hptr = printhash(hptr, kmemcpywrap,
- poolname, opts);
- }
- }
- }
- }
-}
-
-
-void poollist_live(role, poolname, type, fd)
-int role, type, fd;
-char *poolname;
-{
- ip_pool_stat_t plstat;
- iphtstat_t htstat;
- iplookupop_t op;
- int c;
-
- if (type == IPLT_ALL || type == IPLT_POOL) {
- op.iplo_type = IPLT_POOL;
- op.iplo_size = sizeof(plstat);
- op.iplo_struct = &plstat;
- op.iplo_name[0] = '\0';
- op.iplo_arg = 0;
-
- if (role != IPL_LOGALL) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showpools_live(fd, role, &plstat, poolname);
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showpools_live(fd, role, &plstat, poolname);
- }
-
- role = IPL_LOGALL;
- }
- }
-
- if (type == IPLT_ALL || type == IPLT_HASH) {
- op.iplo_type = IPLT_HASH;
- op.iplo_size = sizeof(htstat);
- op.iplo_struct = &htstat;
- op.iplo_name[0] = '\0';
- op.iplo_arg = 0;
-
- if (role != IPL_LOGALL) {
- op.iplo_unit = role;
-
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
- showhashs_live(fd, role, &htstat, poolname);
- } else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
-
- op.iplo_unit = role;
- c = ioctl(fd, SIOCLOOKUPSTAT, &op);
- if (c == -1) {
- perror("ioctl(SIOCLOOKUPSTAT)");
- return;
- }
-
- showhashs_live(fd, role, &htstat, poolname);
- }
- }
- }
-}
-
-
-void showpools_live(fd, role, plstp, poolname)
-int fd, role;
-ip_pool_stat_t *plstp;
-char *poolname;
-{
- ipflookupiter_t iter;
- ip_pool_t pool;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.ili_type = IPLT_POOL;
- iter.ili_otype = IPFLOOKUPITER_LIST;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_nitems = 1;
- iter.ili_data = &pool;
- iter.ili_unit = role;
- *iter.ili_name = '\0';
-
- while (plstp->ipls_list[role] != NULL) {
- if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
- break;
- }
- printpool_live(&pool, fd, poolname, opts);
-
- plstp->ipls_list[role] = pool.ipo_next;
- }
-}
-
-
-void showhashs_live(fd, role, htstp, poolname)
-int fd, role;
-iphtstat_t *htstp;
-char *poolname;
-{
- ipflookupiter_t iter;
- iphtable_t table;
- ipfobj_t obj;
-
- obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_type = IPFOBJ_LOOKUPITER;
- obj.ipfo_size = sizeof(iter);
- obj.ipfo_ptr = &iter;
-
- iter.ili_type = IPLT_HASH;
- iter.ili_otype = IPFLOOKUPITER_LIST;
- iter.ili_ival = IPFGENITER_LOOKUP;
- iter.ili_nitems = 1;
- iter.ili_data = &table;
- iter.ili_unit = role;
- *iter.ili_name = '\0';
-
- while (htstp->iphs_tables != NULL) {
- if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
- perror("ioctl(SIOCLOOKUPITER)");
- break;
- }
-
- printhash_live(&table, fd, poolname, opts);
-
- htstp->iphs_tables = table.iph_next;
- }
-}
-
-
-int setnodeaddr(ip_pool_node_t *node, char *arg)
-{
- struct in_addr mask;
- char *s;
-
- s = strchr(arg, '/');
- if (s == NULL)
- mask.s_addr = 0xffffffff;
- else if (strchr(s, '.') == NULL) {
- if (ntomask(4, atoi(s + 1), &mask.s_addr) != 0)
- return -1;
- } else {
- mask.s_addr = inet_addr(s + 1);
- }
- if (s != NULL)
- *s = '\0';
- node->ipn_addr.adf_len = sizeof(node->ipn_addr);
- node->ipn_addr.adf_addr.in4.s_addr = inet_addr(arg);
- node->ipn_mask.adf_len = sizeof(node->ipn_mask);
- node->ipn_mask.adf_addr.in4.s_addr = mask.s_addr;
-
- return 0;
-}
diff --git a/contrib/ipfilter/tools/ippool_y.y b/contrib/ipfilter/tools/ippool_y.y
deleted file mode 100644
index 4aa5108..0000000
--- a/contrib/ipfilter/tools/ippool_y.y
+++ /dev/null
@@ -1,520 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#if defined(BSD) && (BSD >= 199306)
-# include <sys/cdefs.h>
-#endif
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <unistd.h>
-
-#include "ipf.h"
-#include "netinet/ip_lookup.h"
-#include "netinet/ip_pool.h"
-#include "netinet/ip_htable.h"
-#include "ippool_l.h"
-#include "kmem.h"
-
-#define YYDEBUG 1
-#define YYSTACKSIZE 0x00ffffff
-
-extern int yyparse __P((void));
-extern int yydebug;
-extern FILE *yyin;
-
-static iphtable_t ipht;
-static iphtent_t iphte;
-static ip_pool_t iplo;
-static ioctlfunc_t poolioctl = NULL;
-static char poolname[FR_GROUPLEN];
-
-static iphtent_t *add_htablehosts __P((char *));
-static ip_pool_node_t *add_poolhosts __P((char *));
-
-%}
-
-%union {
- char *str;
- u_32_t num;
- struct in_addr addr;
- struct alist_s *alist;
- struct in_addr adrmsk[2];
- iphtent_t *ipe;
- ip_pool_node_t *ipp;
- union i6addr ip6;
-}
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-
-%token IPT_IPF IPT_NAT IPT_COUNT IPT_AUTH IPT_IN IPT_OUT
-%token IPT_TABLE IPT_GROUPMAP IPT_HASH
-%token IPT_ROLE IPT_TYPE IPT_TREE
-%token IPT_GROUP IPT_SIZE IPT_SEED IPT_NUM IPT_NAME
-%type <num> role table inout
-%type <ipp> ipftree range addrlist
-%type <adrmsk> addrmask
-%type <ipe> ipfgroup ipfhash hashlist hashentry
-%type <ipe> groupentry setgrouplist grouplist
-%type <addr> ipaddr mask ipv4
-%type <str> number setgroup
-
-%%
-file: line
- | assign
- | file line
- | file assign
- ;
-
-line: table role ipftree eol { iplo.ipo_unit = $2;
- iplo.ipo_list = $3;
- load_pool(&iplo, poolioctl);
- resetlexer();
- }
- | table role ipfhash eol { ipht.iph_unit = $2;
- ipht.iph_type = IPHASH_LOOKUP;
- load_hash(&ipht, $3, poolioctl);
- resetlexer();
- }
- | groupmap role number ipfgroup eol
- { ipht.iph_unit = $2;
- strncpy(ipht.iph_name, $3,
- sizeof(ipht.iph_name));
- ipht.iph_type = IPHASH_GROUPMAP;
- load_hash(&ipht, $4, poolioctl);
- resetlexer();
- }
- | YY_COMMENT
- ;
-
-eol: ';'
- ;
-
-assign: YY_STR assigning YY_STR ';' { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-table: IPT_TABLE { bzero((char *)&ipht, sizeof(ipht));
- bzero((char *)&iphte, sizeof(iphte));
- bzero((char *)&iplo, sizeof(iplo));
- *ipht.iph_name = '\0';
- iplo.ipo_flags = IPHASH_ANON;
- iplo.ipo_name[0] = '\0';
- }
- ;
-
-groupmap:
- IPT_GROUPMAP inout { bzero((char *)&ipht, sizeof(ipht));
- bzero((char *)&iphte, sizeof(iphte));
- *ipht.iph_name = '\0';
- ipht.iph_unit = IPHASH_GROUPMAP;
- ipht.iph_flags = $2;
- }
- ;
-
-inout: IPT_IN { $$ = FR_INQUE; }
- | IPT_OUT { $$ = FR_OUTQUE; }
- ;
-role:
- IPT_ROLE '=' IPT_IPF { $$ = IPL_LOGIPF; }
- | IPT_ROLE '=' IPT_NAT { $$ = IPL_LOGNAT; }
- | IPT_ROLE '=' IPT_AUTH { $$ = IPL_LOGAUTH; }
- | IPT_ROLE '=' IPT_COUNT { $$ = IPL_LOGCOUNT; }
- ;
-
-ipftree:
- IPT_TYPE '=' IPT_TREE number start addrlist end
- { strncpy(iplo.ipo_name, $4,
- sizeof(iplo.ipo_name));
- $$ = $6;
- }
- ;
-
-ipfhash:
- IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
- { strncpy(ipht.iph_name, $4,
- sizeof(ipht.iph_name));
- $$ = $7;
- }
- ;
-
-ipfgroup:
- setgroup hashopts start grouplist end
- { iphtent_t *e;
- for (e = $4; e != NULL;
- e = e->ipe_next)
- if (e->ipe_group[0] == '\0')
- strncpy(e->ipe_group,
- $1,
- FR_GROUPLEN);
- $$ = $4;
- }
- | hashopts start setgrouplist end { $$ = $3; }
- ;
-
-number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
- $$ = poolname;
- }
- | IPT_NAME '=' YY_STR { $$ = $3; }
- | { $$ = ""; }
- ;
-
-setgroup:
- IPT_GROUP '=' YY_STR { char tmp[FR_GROUPLEN+1];
- strncpy(tmp, $3, FR_GROUPLEN);
- $$ = strdup(tmp);
- }
- | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
- sprintf(tmp, "%u", $3);
- $$ = strdup(tmp);
- }
- ;
-
-hashopts:
- | size
- | seed
- | size seed
- ;
-
-addrlist:
- next { $$ = NULL; }
- | range next addrlist { $1->ipn_next = $3; $$ = $1; }
- | range next { $$ = $1; }
- ;
-
-grouplist:
- next { $$ = NULL; }
- | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
- | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- $$->ipe_next = $3;
- }
- | groupentry next { $$ = $1; }
- | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- ;
-
-setgrouplist:
- next { $$ = NULL; }
- | groupentry next { $$ = $1; }
- | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
- ;
-
-groupentry:
- addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- strncpy($$->ipe_group, $3,
- FR_GROUPLEN);
- free($3);
- }
- | YY_STR { $$ = add_htablehosts($1); }
- ;
-
-range: addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 0;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $1[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $1[1].s_addr;
- }
- | '!' addrmask { $$ = calloc(1, sizeof(*$$));
- $$->ipn_info = 1;
- $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
- $$->ipn_addr.adf_addr.in4.s_addr = $2[0].s_addr;
- $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
- $$->ipn_mask.adf_addr.in4.s_addr = $2[1].s_addr;
- }
- | YY_STR { $$ = add_poolhosts($1); }
-
-hashlist:
- next { $$ = NULL; }
- | hashentry next { $$ = $1; }
- | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
- ;
-
-hashentry:
- addrmask { $$ = calloc(1, sizeof(iphtent_t));
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- }
- | YY_STR { $$ = add_htablehosts($1); }
- ;
-
-addrmask:
- ipaddr '/' mask { $$[0] = $1; $$[1].s_addr = $3.s_addr;
- yyexpectaddr = 0;
- }
- | ipaddr { $$[0] = $1; $$[1].s_addr = 0xffffffff;
- yyexpectaddr = 0;
- }
- ;
-
-ipaddr: ipv4 { $$ = $1; }
- | YY_NUMBER { $$.s_addr = htonl($1); }
- ;
-
-mask: YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$.s_addr); }
- | ipv4 { $$ = $1; }
- ;
-
-start: '{' { yyexpectaddr = 1; }
- ;
-
-end: '}' { yyexpectaddr = 0; }
- ;
-
-next: ';' { yyexpectaddr = 1; }
- ;
-
-size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
- ;
-
-seed: IPT_SEED '=' YY_NUMBER { ipht.iph_seed = $3; }
- ;
-
-ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) {
- yyerror("Invalid octet string for IP address");
- return 0;
- }
- $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7;
- $$.s_addr = htonl($$.s_addr);
- }
- ;
-%%
-static wordtab_t yywords[] = {
- { "auth", IPT_AUTH },
- { "count", IPT_COUNT },
- { "group", IPT_GROUP },
- { "group-map", IPT_GROUPMAP },
- { "hash", IPT_HASH },
- { "in", IPT_IN },
- { "ipf", IPT_IPF },
- { "name", IPT_NAME },
- { "nat", IPT_NAT },
- { "number", IPT_NUM },
- { "out", IPT_OUT },
- { "role", IPT_ROLE },
- { "seed", IPT_SEED },
- { "size", IPT_SIZE },
- { "table", IPT_TABLE },
- { "tree", IPT_TREE },
- { "type", IPT_TYPE },
- { NULL, 0 }
-};
-
-
-int ippool_parsefile(fd, filename, iocfunc)
-int fd;
-char *filename;
-ioctlfunc_t iocfunc;
-{
- FILE *fp = NULL;
- char *s;
-
- yylineNum = 1;
- (void) yysettab(yywords);
-
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- if (strcmp(filename, "-")) {
- fp = fopen(filename, "r");
- if (!fp) {
- fprintf(stderr, "fopen(%s) failed: %s\n", filename,
- STRERROR(errno));
- return -1;
- }
- } else
- fp = stdin;
-
- while (ippool_parsesome(fd, fp, iocfunc) == 1)
- ;
- if (fp != NULL)
- fclose(fp);
- return 0;
-}
-
-
-int ippool_parsesome(fd, fp, iocfunc)
-int fd;
-FILE *fp;
-ioctlfunc_t iocfunc;
-{
- char *s;
- int i;
-
- poolioctl = iocfunc;
-
- if (feof(fp))
- return 0;
- i = fgetc(fp);
- if (i == EOF)
- return 0;
- if (ungetc(i, fp) == EOF)
- return 0;
- if (feof(fp))
- return 0;
- s = getenv("YYDEBUG");
- if (s)
- yydebug = atoi(s);
- else
- yydebug = 0;
-
- yyin = fp;
- yyparse();
- return 1;
-}
-
-
-static iphtent_t *
-add_htablehosts(url)
-char *url;
-{
- iphtent_t *htop, *hbot, *h;
- alist_t *a, *hlist;
-
- if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
- hlist = load_url(url);
- } else {
- use_inet6 = 0;
-
- hlist = calloc(1, sizeof(*hlist));
- if (hlist == NULL)
- return NULL;
-
- if (gethost(url, &hlist->al_addr) == -1)
- yyerror("Unknown hostname");
- }
-
- hbot = NULL;
- htop = NULL;
-
- for (a = hlist; a != NULL; a = a->al_next) {
- h = calloc(1, sizeof(*h));
- if (h == NULL)
- break;
-
- bcopy((char *)&a->al_addr, (char *)&h->ipe_addr,
- sizeof(h->ipe_addr));
- bcopy((char *)&a->al_mask, (char *)&h->ipe_mask,
- sizeof(h->ipe_mask));
-
- if (hbot != NULL)
- hbot->ipe_next = h;
- else
- htop = h;
- hbot = h;
- }
-
- alist_free(hlist);
-
- return htop;
-}
-
-
-static ip_pool_node_t *
-add_poolhosts(url)
-char *url;
-{
- ip_pool_node_t *ptop, *pbot, *p;
- alist_t *a, *hlist;
-
- if (!strncmp(url, "file://", 7) || !strncmp(url, "http://", 7)) {
- hlist = load_url(url);
- } else {
- use_inet6 = 0;
-
- hlist = calloc(1, sizeof(*hlist));
- if (hlist == NULL)
- return NULL;
-
- if (gethost(url, &hlist->al_addr) == -1)
- yyerror("Unknown hostname");
- }
-
- pbot = NULL;
- ptop = NULL;
-
- for (a = hlist; a != NULL; a = a->al_next) {
- p = calloc(1, sizeof(*p));
- if (p == NULL)
- break;
-
- p->ipn_addr.adf_len = 8;
- p->ipn_mask.adf_len = 8;
-
- p->ipn_info = a->al_not;
-
- bcopy((char *)&a->al_addr, (char *)&p->ipn_addr.adf_addr,
- sizeof(p->ipn_addr.adf_addr));
- bcopy((char *)&a->al_mask, (char *)&p->ipn_mask.adf_addr,
- sizeof(p->ipn_mask.adf_addr));
-
- if (pbot != NULL)
- pbot->ipn_next = p;
- else
- ptop = p;
- pbot = p;
- }
-
- alist_free(hlist);
-
- return ptop;
-}
diff --git a/contrib/ipfilter/tools/ipscan_y.y b/contrib/ipfilter/tools/ipscan_y.y
deleted file mode 100644
index 5d7e7e6..0000000
--- a/contrib/ipfilter/tools/ipscan_y.y
+++ /dev/null
@@ -1,569 +0,0 @@
-/*
- * Copyright (C) 2001-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-%{
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include "ipf.h"
-#include "opts.h"
-#include "kmem.h"
-#include "ipscan_l.h"
-#include "netinet/ip_scan.h"
-
-#define YYDEBUG 1
-
-extern char *optarg;
-extern void yyerror __P((char *));
-extern int yyparse __P((void));
-extern int yylex __P((void));
-extern int yydebug;
-extern FILE *yyin;
-extern int yylineNum;
-extern void printbuf __P((char *, int, int));
-
-
-void printent __P((ipscan_t *));
-void showlist __P((void));
-int getportnum __P((char *));
-struct in_addr gethostip __P((char *));
-struct in_addr combine __P((int, int, int, int));
-char **makepair __P((char *, char *));
-void addtag __P((char *, char **, char **, struct action *));
-int cram __P((char *, char *));
-void usage __P((char *));
-int main __P((int, char **));
-
-int opts = 0;
-int fd = -1;
-
-
-%}
-
-%union {
- char *str;
- char **astr;
- u_32_t num;
- struct in_addr ipa;
- struct action act;
- union i6addr ip6;
-}
-
-%type <str> tag
-%type <act> action redirect result
-%type <ipa> ipaddr
-%type <num> portnum
-%type <astr> matchup onehalf twohalves
-
-%token <num> YY_NUMBER YY_HEX
-%token <str> YY_STR
-%token YY_COMMENT
-%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT
-%token YY_RANGE_OUT YY_RANGE_IN
-%token <ip6> YY_IPV6
-%token IPSL_START IPSL_STARTGROUP IPSL_CONTENT
-
-%token IPSL_CLOSE IPSL_TRACK IPSL_EOF IPSL_REDIRECT IPSL_ELSE
-
-%%
-file: line ';'
- | assign ';'
- | file line ';'
- | file assign ';'
- | YY_COMMENT
- ;
-
-line: IPSL_START dline
- | IPSL_STARTGROUP gline
- | IPSL_CONTENT oline
- ;
-
-dline: cline { resetlexer(); }
- | sline { resetlexer(); }
- | csline { resetlexer(); }
- ;
-
-gline: YY_STR ':' glist '=' action
- ;
-
-oline: cline
- | sline
- | csline
- ;
-
-assign: YY_STR assigning YY_STR
- { set_variable($1, $3);
- resetlexer();
- free($1);
- free($3);
- yyvarnext = 0;
- }
- ;
-
-assigning:
- '=' { yyvarnext = 1; }
- ;
-
-cline: tag ':' matchup '=' action { addtag($1, $3, NULL, &$5); }
- ;
-
-sline: tag ':' '(' ')' ',' matchup '=' action { addtag($1, NULL, $6, &$8); }
- ;
-
-csline: tag ':' matchup ',' matchup '=' action { addtag($1, $3, $5, &$7); }
- ;
-
-glist: YY_STR
- | glist ',' YY_STR
- ;
-
-tag: YY_STR { $$ = $1; }
- ;
-
-matchup:
- onehalf { $$ = $1; }
- | twohalves { $$ = $1; }
- ;
-
-action: result { $$.act_val = $1.act_val;
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port; }
- | result IPSL_ELSE result { $$.act_val = $1.act_val;
- $$.act_else = $3.act_val;
- if ($1.act_val == IPSL_REDIRECT) {
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port;
- }
- if ($3.act_val == IPSL_REDIRECT) {
- $$.act_eip = $3.act_eip;
- $$.act_eport = $3.act_eport;
- }
- }
-
-result: IPSL_CLOSE { $$.act_val = IPSL_CLOSE; }
- | IPSL_TRACK { $$.act_val = IPSL_TRACK; }
- | redirect { $$.act_val = IPSL_REDIRECT;
- $$.act_ip = $1.act_ip;
- $$.act_port = $1.act_port; }
- ;
-
-onehalf:
- '(' YY_STR ')' { $$ = makepair($2, NULL); }
- ;
-
-twohalves:
- '(' YY_STR ',' YY_STR ')' { $$ = makepair($2, $4); }
- ;
-
-redirect:
- IPSL_REDIRECT '(' ipaddr ')' { $$.act_ip = $3;
- $$.act_port = 0; }
- | IPSL_REDIRECT '(' ipaddr ',' portnum ')'
- { $$.act_ip = $3;
- $$.act_port = $5; }
- ;
-
-
-ipaddr: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
- { $$ = combine($1,$3,$5,$7); }
- | YY_STR { $$ = gethostip($1);
- free($1);
- }
- ;
-
-portnum:
- YY_NUMBER { $$ = htons($1); }
- | YY_STR { $$ = getportnum($1);
- free($1);
- }
- ;
-
-%%
-
-
-static struct wordtab yywords[] = {
- { "close", IPSL_CLOSE },
- { "content", IPSL_CONTENT },
- { "else", IPSL_ELSE },
- { "start-group", IPSL_STARTGROUP },
- { "redirect", IPSL_REDIRECT },
- { "start", IPSL_START },
- { "track", IPSL_TRACK },
- { NULL, 0 }
-};
-
-
-int cram(dst, src)
-char *dst;
-char *src;
-{
- char c, *s, *t, *u;
- int i, j, k;
-
- c = *src;
- s = src + 1;
- t = strchr(s, c);
- *t = '\0';
- for (u = dst, i = 0; (i <= ISC_TLEN) && (s < t); ) {
- c = *s++;
- if (c == '\\') {
- if (s >= t)
- break;
- j = k = 0;
- do {
- c = *s++;
- if (j && (!ISDIGIT(c) || (c > '7') ||
- (k >= 248))) {
- *u++ = k, i++;
- j = k = 0;
- s--;
- break;
- }
- i++;
-
- if (ISALPHA(c) || (c > '7')) {
- switch (c)
- {
- case 'n' :
- *u++ = '\n';
- break;
- case 'r' :
- *u++ = '\r';
- break;
- case 't' :
- *u++ = '\t';
- break;
- default :
- *u++ = c;
- break;
- }
- } else if (ISDIGIT(c)) {
- j = 1;
- k <<= 3;
- k |= (c - '0');
- i--;
- } else
- *u++ = c;
- } while ((i <= ISC_TLEN) && (s <= t) && (j > 0));
- } else
- *u++ = c, i++;
- }
- return i;
-}
-
-
-void printent(isc)
-ipscan_t *isc;
-{
- char buf[ISC_TLEN+1];
- u_char *u;
- int i, j;
-
- buf[ISC_TLEN] = '\0';
- bcopy(isc->ipsc_ctxt, buf, ISC_TLEN);
- printf("%s : (\"", isc->ipsc_tag);
- printbuf(isc->ipsc_ctxt, isc->ipsc_clen, 0);
-
- bcopy(isc->ipsc_cmsk, buf, ISC_TLEN);
- printf("\", \"%s\"), (\"", buf);
-
- printbuf(isc->ipsc_stxt, isc->ipsc_slen, 0);
-
- bcopy(isc->ipsc_smsk, buf, ISC_TLEN);
- printf("\", \"%s\") = ", buf);
-
- switch (isc->ipsc_action)
- {
- case ISC_A_TRACK :
- printf("track");
- break;
- case ISC_A_REDIRECT :
- printf("redirect");
- printf("(%s", inet_ntoa(isc->ipsc_ip));
- if (isc->ipsc_port)
- printf(",%d", isc->ipsc_port);
- printf(")");
- break;
- case ISC_A_CLOSE :
- printf("close");
- break;
- default :
- break;
- }
-
- if (isc->ipsc_else != ISC_A_NONE) {
- printf(" else ");
- switch (isc->ipsc_else)
- {
- case ISC_A_TRACK :
- printf("track");
- break;
- case ISC_A_REDIRECT :
- printf("redirect");
- printf("(%s", inet_ntoa(isc->ipsc_eip));
- if (isc->ipsc_eport)
- printf(",%d", isc->ipsc_eport);
- printf(")");
- break;
- case ISC_A_CLOSE :
- printf("close");
- break;
- default :
- break;
- }
- }
- printf("\n");
-
- if (opts & OPT_DEBUG) {
- for (u = (u_char *)isc, i = sizeof(*isc); i; ) {
- printf("#");
- for (j = 32; (j > 0) && (i > 0); j--, i--)
- printf("%s%02x", (j & 7) ? "" : " ", *u++);
- printf("\n");
- }
- }
- if (opts & OPT_VERBOSE) {
- printf("# hits %d active %d fref %d sref %d\n",
- isc->ipsc_hits, isc->ipsc_active, isc->ipsc_fref,
- isc->ipsc_sref);
- }
-}
-
-
-void addtag(tstr, cp, sp, act)
-char *tstr;
-char **cp, **sp;
-struct action *act;
-{
- ipscan_t isc, *iscp;
-
- bzero((char *)&isc, sizeof(isc));
-
- strncpy(isc.ipsc_tag, tstr, sizeof(isc.ipsc_tag));
- isc.ipsc_tag[sizeof(isc.ipsc_tag) - 1] = '\0';
-
- if (cp) {
- isc.ipsc_clen = cram(isc.ipsc_ctxt, cp[0]);
- if (cp[1]) {
- if (cram(isc.ipsc_cmsk, cp[1]) != isc.ipsc_clen) {
- fprintf(stderr,
- "client text/mask strings different length\n");
- return;
- }
- }
- }
-
- if (sp) {
- isc.ipsc_slen = cram(isc.ipsc_stxt, sp[0]);
- if (sp[1]) {
- if (cram(isc.ipsc_smsk, sp[1]) != isc.ipsc_slen) {
- fprintf(stderr,
- "server text/mask strings different length\n");
- return;
- }
- }
- }
-
- if (act->act_val == IPSL_CLOSE) {
- isc.ipsc_action = ISC_A_CLOSE;
- } else if (act->act_val == IPSL_TRACK) {
- isc.ipsc_action = ISC_A_TRACK;
- } else if (act->act_val == IPSL_REDIRECT) {
- isc.ipsc_action = ISC_A_REDIRECT;
- isc.ipsc_ip = act->act_ip;
- isc.ipsc_port = act->act_port;
- fprintf(stderr, "%d: redirect unsupported\n", yylineNum + 1);
- }
-
- if (act->act_else == IPSL_CLOSE) {
- isc.ipsc_else = ISC_A_CLOSE;
- } else if (act->act_else == IPSL_TRACK) {
- isc.ipsc_else = ISC_A_TRACK;
- } else if (act->act_else == IPSL_REDIRECT) {
- isc.ipsc_else = ISC_A_REDIRECT;
- isc.ipsc_eip = act->act_eip;
- isc.ipsc_eport = act->act_eport;
- fprintf(stderr, "%d: redirect unsupported\n", yylineNum + 1);
- }
-
- if (!(opts & OPT_DONOTHING)) {
- iscp = &isc;
- if (opts & OPT_REMOVE) {
- if (ioctl(fd, SIOCRMSCA, &iscp) == -1)
- perror("SIOCADSCA");
- } else {
- if (ioctl(fd, SIOCADSCA, &iscp) == -1)
- perror("SIOCADSCA");
- }
- }
-
- if (opts & OPT_VERBOSE)
- printent(&isc);
-}
-
-
-char **makepair(s1, s2)
-char *s1, *s2;
-{
- char **a;
-
- a = malloc(sizeof(char *) * 2);
- a[0] = s1;
- a[1] = s2;
- return a;
-}
-
-
-struct in_addr combine(a1, a2, a3, a4)
-int a1, a2, a3, a4;
-{
- struct in_addr in;
-
- a1 &= 0xff;
- in.s_addr = a1 << 24;
- a2 &= 0xff;
- in.s_addr |= (a2 << 16);
- a3 &= 0xff;
- in.s_addr |= (a3 << 8);
- a4 &= 0xff;
- in.s_addr |= a4;
- in.s_addr = htonl(in.s_addr);
- return in;
-}
-
-
-struct in_addr gethostip(host)
-char *host;
-{
- struct hostent *hp;
- struct in_addr in;
-
- in.s_addr = 0;
-
- hp = gethostbyname(host);
- if (!hp)
- return in;
- bcopy(hp->h_addr, (char *)&in, sizeof(in));
- return in;
-}
-
-
-int getportnum(port)
-char *port;
-{
- struct servent *s;
-
- s = getservbyname(port, "tcp");
- if (s == NULL)
- return -1;
- return s->s_port;
-}
-
-
-void showlist()
-{
- ipscanstat_t ipsc, *ipscp = &ipsc;
- ipscan_t isc;
-
- if (ioctl(fd, SIOCGSCST, &ipscp) == -1)
- perror("ioctl(SIOCGSCST)");
- else if (opts & OPT_SHOWLIST) {
- while (ipsc.iscs_list != NULL) {
- if (kmemcpy((char *)&isc, (u_long)ipsc.iscs_list,
- sizeof(isc)) == -1) {
- perror("kmemcpy");
- break;
- } else {
- printent(&isc);
- ipsc.iscs_list = isc.ipsc_next;
- }
- }
- } else {
- printf("scan entries loaded\t%d\n", ipsc.iscs_entries);
- printf("scan entries matches\t%ld\n", ipsc.iscs_acted);
- printf("negative matches\t%ld\n", ipsc.iscs_else);
- }
-}
-
-
-void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage:\t%s [-dnrv] -f <filename>\n", prog);
- fprintf(stderr, "\t%s [-dlv]\n", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- FILE *fp = NULL;
- int c;
-
- (void) yysettab(yywords);
-
- if (argc < 2)
- usage(argv[0]);
-
- while ((c = getopt(argc, argv, "df:lnrsv")) != -1)
- switch (c)
- {
- case 'd' :
- opts |= OPT_DEBUG;
- yydebug++;
- break;
- case 'f' :
- if (!strcmp(optarg, "-"))
- fp = stdin;
- else {
- fp = fopen(optarg, "r");
- if (!fp) {
- perror("open");
- exit(1);
- }
- }
- yyin = fp;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- }
-
- if (!(opts & OPT_DONOTHING)) {
- fd = open(IPL_SCAN, O_RDWR);
- if (fd == -1) {
- perror("open(IPL_SCAN)");
- exit(1);
- }
- }
-
- if (fp != NULL) {
- yylineNum = 1;
-
- while (!feof(fp))
- yyparse();
- fclose(fp);
- exit(0);
- }
-
- if (opts & (OPT_SHOWLIST|OPT_STAT)) {
- showlist();
- exit(0);
- }
- exit(1);
-}
diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c
deleted file mode 100644
index fc79abb..0000000
--- a/contrib/ipfilter/tools/ipsyncm.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.5 2006/08/26 11:21:14 darrenr Exp $";
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <string.h>
-#include <syslog.h>
-#include <signal.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_sync.h"
-
-
-int main __P((int, char *[]));
-void usage __P((const char *));
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr, "Usage: %s <destination IP> <destination port>\n", progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-
-/* should be large enough to hold header + any datatype */
-#define BUFFERLEN 1400
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- struct sockaddr_in sin;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- int nfd = -1, lfd = -1, n1, n2, n3, len;
- int inbuf;
- u_32_t magic;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
-
- while (1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_RDONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Connect: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Sending data to %s",
- inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
- n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR,
- "Invalid header magic %x", magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(nfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "Write error: %m");
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "Incomplete write (%d/%d)",
- n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
-
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
deleted file mode 100644
index 3a8270f..0000000
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Copyright (C) 2001-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.4 2006/08/26 11:21:15 darrenr Exp $";
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <net/if.h>
-
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <syslog.h>
-#include <errno.h>
-#include <signal.h>
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_sync.h"
-
-int main __P((int, char *[]));
-void usage __P((const char *progname));
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr,
- "Usage: %s <destination IP> <destination port> [remote IP]\n",
- progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-#define BUFFERLEN 1400
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int nfd = -1 , lfd = -1;
- int n1, n2, n3, magic, len, inbuf;
- struct sockaddr_in sin;
- struct sockaddr_in in;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- exit(1);
- }
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- if (argc > 1)
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
- if (argc > 3)
- in.sin_addr.s_addr = inet_addr(argv[3]);
- else
- in.sin_addr.s_addr = 0;
- in.sin_port = 0;
-
- while(1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- n1 = 1;
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n1, sizeof(n1));
-
- if (bind(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Bind: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
-
- /*
- * XXX currently we do not check the source address
- * of a datagram, this can be a security risk
- */
- n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR, "Invalid header magic %x",
- magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(lfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "%s: Write error: %m",
- IPSYNC_NAME);
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
- IPSYNC_NAME, n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
deleted file mode 100644
index a6f9cf6..0000000
--- a/contrib/ipfilter/tools/lex_var.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-extern long string_start;
-extern long string_end;
-extern char *string_val;
-extern long pos;
-
-#define YY_INPUT(buf, result, max_size) \
- if (pos >= string_start && pos <= string_end) { \
- buf[0] = string_val[pos - string_start]; \
- pos++; \
- result = 1; \
- } else if ( yy_current_buffer->yy_is_interactive ) \
- { \
- int c = '*', n; \
- for ( n = 0; n < 1 && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- pos++; \
- } \
- else if ( ((result = fread( buf, 1, 1, yyin )) == 0) \
- && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" );
-
-#ifdef input
-# undef input
-# define input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef lex_input
-# undef lex_input
-# define lex_input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef unput
-# undef unput
-# define unput(c) { if (pos > 0) pos--; \
- yytchar = (c); if (yytchar == '\n') yylineno--; \
- *yysptr++ = yytchar; }
-#endif
-
diff --git a/contrib/ipfilter/tools/lexer.c b/contrib/ipfilter/tools/lexer.c
deleted file mode 100644
index 1ad00c4..0000000
--- a/contrib/ipfilter/tools/lexer.c
+++ /dev/null
@@ -1,661 +0,0 @@
-/*
- * Copyright (C) 2002-2006 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <ctype.h>
-#include "ipf.h"
-#ifdef IPFILTER_SCAN
-# include "netinet/ip_scan.h"
-#endif
-#include <sys/ioctl.h>
-#include <syslog.h>
-#ifdef TEST_LEXER
-# define NO_YACC
-union {
- int num;
- char *str;
- struct in_addr ipa;
- i6addr_t ip6;
-} yylval;
-#endif
-#include "lexer.h"
-#include "y.tab.h"
-
-FILE *yyin;
-
-#define ishex(c) (ISDIGIT(c) || ((c) >= 'a' && (c) <= 'f') || \
- ((c) >= 'A' && (c) <= 'F'))
-#define TOOLONG -3
-
-extern int string_start;
-extern int string_end;
-extern char *string_val;
-extern int pos;
-extern int yydebug;
-
-char *yystr = NULL;
-int yytext[YYBUFSIZ+1];
-char yychars[YYBUFSIZ+1];
-int yylineNum = 1;
-int yypos = 0;
-int yylast = -1;
-int yyexpectaddr = 0;
-int yybreakondot = 0;
-int yyvarnext = 0;
-int yytokentype = 0;
-wordtab_t *yywordtab = NULL;
-int yysavedepth = 0;
-wordtab_t *yysavewords[30];
-
-
-static wordtab_t *yyfindkey __P((char *));
-static int yygetc __P((int));
-static void yyunputc __P((int));
-static int yyswallow __P((int));
-static char *yytexttostr __P((int, int));
-static void yystrtotext __P((char *));
-static char *yytexttochar __P((void));
-
-static int yygetc(docont)
-int docont;
-{
- int c;
-
- if (yypos < yylast) {
- c = yytext[yypos++];
- if (c == '\n')
- yylineNum++;
- return c;
- }
-
- if (yypos == YYBUFSIZ)
- return TOOLONG;
-
- if (pos >= string_start && pos <= string_end) {
- c = string_val[pos - string_start];
- yypos++;
- } else {
- c = fgetc(yyin);
- if (docont && (c == '\\')) {
- c = fgetc(yyin);
- if (c == '\n') {
- yylineNum++;
- c = fgetc(yyin);
- }
- }
- }
- if (c == '\n')
- yylineNum++;
- yytext[yypos++] = c;
- yylast = yypos;
- yytext[yypos] = '\0';
-
- return c;
-}
-
-
-static void yyunputc(c)
-int c;
-{
- if (c == '\n')
- yylineNum--;
- yytext[--yypos] = c;
-}
-
-
-static int yyswallow(last)
-int last;
-{
- int c;
-
- while (((c = yygetc(0)) > '\0') && (c != last))
- ;
-
- if (c != EOF)
- yyunputc(c);
- if (c == last)
- return 0;
- return -1;
-}
-
-
-static char *yytexttochar()
-{
- int i;
-
- for (i = 0; i < yypos; i++)
- yychars[i] = (char)(yytext[i] & 0xff);
- yychars[i] = '\0';
- return yychars;
-}
-
-
-static void yystrtotext(str)
-char *str;
-{
- int len;
- char *s;
-
- len = strlen(str);
- if (len > YYBUFSIZ)
- len = YYBUFSIZ;
-
- for (s = str; *s != '\0' && len > 0; s++, len--)
- yytext[yylast++] = *s;
- yytext[yylast] = '\0';
-}
-
-
-static char *yytexttostr(offset, max)
-int offset, max;
-{
- char *str;
- int i;
-
- if ((yytext[offset] == '\'' || yytext[offset] == '"') &&
- (yytext[offset] == yytext[offset + max - 1])) {
- offset++;
- max--;
- }
-
- if (max > yylast)
- max = yylast;
- str = malloc(max + 1);
- if (str != NULL) {
- for (i = offset; i < max; i++)
- str[i - offset] = (char)(yytext[i] & 0xff);
- str[i - offset] = '\0';
- }
- return str;
-}
-
-
-int yylex()
-{
- int c, n, isbuilding, rval, lnext, nokey = 0;
- char *name;
-
- isbuilding = 0;
- lnext = 0;
- rval = 0;
-
- if (yystr != NULL) {
- free(yystr);
- yystr = NULL;
- }
-
-nextchar:
- c = yygetc(0);
- if (yydebug > 1)
- printf("yygetc = (%x) %c [%*.*s]\n", c, c, yypos, yypos, yytexttochar());
-
- switch (c)
- {
- case '\n' :
- lnext = 0;
- nokey = 0;
- case '\t' :
- case '\r' :
- case ' ' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- if (yylast > yypos) {
- bcopy(yytext + yypos, yytext,
- sizeof(yytext[0]) * (yylast - yypos + 1));
- }
- yylast -= yypos;
- yypos = 0;
- lnext = 0;
- nokey = 0;
- goto nextchar;
-
- case '\\' :
- if (lnext == 0) {
- lnext = 1;
- if (yylast == yypos) {
- yylast--;
- yypos--;
- } else
- yypos--;
- if (yypos == 0)
- nokey = 1;
- goto nextchar;
- }
- break;
- }
-
- if (lnext == 1) {
- lnext = 0;
- if ((isbuilding == 0) && !ISALNUM(c)) {
- return c;
- }
- goto nextchar;
- }
-
- switch (c)
- {
- case '#' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- yyswallow('\n');
- rval = YY_COMMENT;
- goto nextchar;
-
- case '$' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '{') {
- if (yyswallow('}') == -1) {
- rval = -2;
- goto done;
- }
- (void) yygetc(0);
- } else {
- if (!ISALPHA(n)) {
- yyunputc(n);
- break;
- }
- do {
- n = yygetc(1);
- } while (ISALPHA(n) || ISDIGIT(n) || n == '_');
- yyunputc(n);
- }
-
- name = yytexttostr(1, yypos); /* skip $ */
-
- if (name != NULL) {
- string_val = get_variable(name, NULL, yylineNum);
- free(name);
- if (string_val != NULL) {
- name = yytexttostr(yypos, yylast);
- if (name != NULL) {
- yypos = 0;
- yylast = 0;
- yystrtotext(string_val);
- yystrtotext(name);
- free(string_val);
- free(name);
- goto nextchar;
- }
- free(string_val);
- }
- }
- break;
-
- case '\'':
- case '"' :
- if (isbuilding == 1) {
- goto done;
- }
- do {
- n = yygetc(1);
- if (n == EOF || n == TOOLONG) {
- rval = -2;
- goto done;
- }
- if (n == '\n') {
- yyunputc(' ');
- yypos++;
- }
- } while (n != c);
- rval = YY_STR;
- goto done;
- /* NOTREACHED */
-
- case EOF :
- yylineNum = 1;
- yypos = 0;
- yylast = -1;
- yyexpectaddr = 0;
- yybreakondot = 0;
- yyvarnext = 0;
- yytokentype = 0;
- return 0;
- }
-
- if (strchr("=,/;{}()@", c) != NULL) {
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- rval = c;
- goto done;
- } else if (c == '.') {
- if (isbuilding == 0) {
- rval = c;
- goto done;
- }
- if (yybreakondot != 0) {
- yyunputc(c);
- goto done;
- }
- }
-
- switch (c)
- {
- case '-' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1)
- break;
- n = yygetc(0);
- if (n == '>') {
- isbuilding = 1;
- goto done;
- }
- yyunputc(n);
- rval = '-';
- goto done;
-
- case '!' :
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_NE;
- goto done;
- }
- yyunputc(n);
- rval = '!';
- goto done;
-
- case '<' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_LE;
- goto done;
- }
- if (n == '>') {
- rval = YY_RANGE_OUT;
- goto done;
- }
- yyunputc(n);
- rval = YY_CMP_LT;
- goto done;
-
- case '>' :
- if (yyexpectaddr)
- break;
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- n = yygetc(0);
- if (n == '=') {
- rval = YY_CMP_GE;
- goto done;
- }
- if (n == '<') {
- rval = YY_RANGE_IN;
- goto done;
- }
- yyunputc(n);
- rval = YY_CMP_GT;
- goto done;
- }
-
- /*
- * Now for the reason this is here...IPv6 address parsing.
- * The longest string we can expect is of this form:
- * 0000:0000:0000:0000:0000:0000:000.000.000.000
- * not:
- * 0000:0000:0000:0000:0000:0000:0000:0000
- */
-#ifdef USE_INET6
- if (yyexpectaddr == 1 && isbuilding == 0 && (ishex(c) || c == ':')) {
- char ipv6buf[45 + 1], *s, oc;
- int start;
-
- start = yypos;
- s = ipv6buf;
- oc = c;
-
- /*
- * Perhaps we should implement stricter controls on what we
- * swallow up here, but surely it would just be duplicating
- * the code in inet_pton() anyway.
- */
- do {
- *s++ = c;
- c = yygetc(1);
- } while ((ishex(c) || c == ':' || c == '.') &&
- (s - ipv6buf < 46));
- yyunputc(c);
- *s = '\0';
-
- if (inet_pton(AF_INET6, ipv6buf, &yylval.ip6) == 1) {
- rval = YY_IPV6;
- yyexpectaddr = 0;
- goto done;
- }
- yypos = start;
- c = oc;
- }
-#endif
-
- if (c == ':') {
- if (isbuilding == 1) {
- yyunputc(c);
- goto done;
- }
- rval = ':';
- goto done;
- }
-
- if (isbuilding == 0 && c == '0') {
- n = yygetc(0);
- if (n == 'x') {
- do {
- n = yygetc(1);
- } while (ishex(n));
- yyunputc(n);
- rval = YY_HEX;
- goto done;
- }
- yyunputc(n);
- }
-
- /*
- * No negative numbers with leading - sign..
- */
- if (isbuilding == 0 && ISDIGIT(c)) {
- do {
- n = yygetc(1);
- } while (ISDIGIT(n));
- yyunputc(n);
- rval = YY_NUMBER;
- goto done;
- }
-
- isbuilding = 1;
- goto nextchar;
-
-done:
- yystr = yytexttostr(0, yypos);
-
- if (yydebug)
- printf("isbuilding %d yyvarnext %d nokey %d\n",
- isbuilding, yyvarnext, nokey);
- if (isbuilding == 1) {
- wordtab_t *w;
-
- w = NULL;
- isbuilding = 0;
-
- if ((yyvarnext == 0) && (nokey == 0)) {
- w = yyfindkey(yystr);
- if (w == NULL && yywordtab != NULL) {
- yyresetdict();
- w = yyfindkey(yystr);
- }
- } else
- yyvarnext = 0;
- if (w != NULL)
- rval = w->w_value;
- else
- rval = YY_STR;
- }
-
- if (rval == YY_STR && yysavedepth > 0)
- yyresetdict();
-
- yytokentype = rval;
-
- if (yydebug)
- printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start,
- string_end, pos, rval, yysavedepth);
-
- switch (rval)
- {
- case YY_NUMBER :
- sscanf(yystr, "%u", &yylval.num);
- break;
-
- case YY_HEX :
- sscanf(yystr, "0x%x", (u_int *)&yylval.num);
- break;
-
- case YY_STR :
- yylval.str = strdup(yystr);
- break;
-
- default :
- break;
- }
-
- if (yylast > 0) {
- bcopy(yytext + yypos, yytext,
- sizeof(yytext[0]) * (yylast - yypos + 1));
- yylast -= yypos;
- yypos = 0;
- }
-
- return rval;
-}
-
-
-static wordtab_t *yyfindkey(key)
-char *key;
-{
- wordtab_t *w;
-
- if (yywordtab == NULL)
- return NULL;
-
- for (w = yywordtab; w->w_word != 0; w++)
- if (strcasecmp(key, w->w_word) == 0)
- return w;
- return NULL;
-}
-
-
-char *yykeytostr(num)
-int num;
-{
- wordtab_t *w;
-
- if (yywordtab == NULL)
- return "<unknown>";
-
- for (w = yywordtab; w->w_word; w++)
- if (w->w_value == num)
- return w->w_word;
- return "<unknown>";
-}
-
-
-wordtab_t *yysettab(words)
-wordtab_t *words;
-{
- wordtab_t *save;
-
- save = yywordtab;
- yywordtab = words;
- return save;
-}
-
-
-void yyerror(msg)
-char *msg;
-{
- char *txt, letter[2];
- int freetxt = 0;
-
- if (yytokentype < 256) {
- letter[0] = yytokentype;
- letter[1] = '\0';
- txt = letter;
- } else if (yytokentype == YY_STR || yytokentype == YY_HEX ||
- yytokentype == YY_NUMBER) {
- if (yystr == NULL) {
- txt = yytexttostr(yypos, YYBUFSIZ);
- freetxt = 1;
- } else
- txt = yystr;
- } else {
- txt = yykeytostr(yytokentype);
- }
- fprintf(stderr, "%s error at \"%s\", line %d\n", msg, txt, yylineNum);
- if (freetxt == 1)
- free(txt);
- exit(1);
-}
-
-
-void yysetdict(newdict)
-wordtab_t *newdict;
-{
- if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
- fprintf(stderr, "%d: at maximum dictionary depth\n",
- yylineNum);
- return;
- }
-
- yysavewords[yysavedepth++] = yysettab(newdict);
- if (yydebug)
- printf("yysavedepth++ => %d\n", yysavedepth);
-}
-
-void yyresetdict()
-{
- if (yydebug)
- printf("yyresetdict(%d)\n", yysavedepth);
- if (yysavedepth > 0) {
- yysettab(yysavewords[--yysavedepth]);
- if (yydebug)
- printf("yysavedepth-- => %d\n", yysavedepth);
- }
-}
-
-
-
-#ifdef TEST_LEXER
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- int n;
-
- yyin = stdin;
-
- while ((n = yylex()) != 0)
- printf("%d.n = %d [%s] %d %d\n",
- yylineNum, n, yystr, yypos, yylast);
-}
-#endif
diff --git a/contrib/ipfilter/tools/lexer.h b/contrib/ipfilter/tools/lexer.h
deleted file mode 100644
index b838d41..0000000
--- a/contrib/ipfilter/tools/lexer.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2002-2004 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-typedef struct wordtab {
- char *w_word;
- int w_value;
-} wordtab_t;
-
-#ifdef NO_YACC
-#define YY_COMMENT 1000
-#define YY_CMP_NE 1001
-#define YY_CMP_LE 1002
-#define YY_RANGE_OUT 1003
-#define YY_CMP_GE 1004
-#define YY_RANGE_IN 1005
-#define YY_HEX 1006
-#define YY_NUMBER 1007
-#define YY_IPV6 1008
-#define YY_STR 1009
-#define YY_IPADDR 1010
-#endif
-
-#define YYBUFSIZ 8192
-
-extern wordtab_t *yysettab __P((wordtab_t *));
-extern void yysetdict __P((wordtab_t *));
-extern int yylex __P((void));
-extern void yyerror __P((char *));
-extern char *yykeytostr __P((int));
-extern void yyresetdict __P((void));
-
-extern FILE *yyin;
-extern int yylineNum;
-extern int yyexpectaddr;
-extern int yybreakondot;
-extern int yyvarnext;
-