Diffstat (limited to 'contrib/ipfilter/man')
-rw-r--r--contrib/ipfilter/man/Makefile28
-rw-r--r--contrib/ipfilter/man/ipf.1109
-rw-r--r--contrib/ipfilter/man/ipf.4255
-rw-r--r--contrib/ipfilter/man/ipf.5556
-rw-r--r--contrib/ipfilter/man/ipf.8171
-rw-r--r--contrib/ipfilter/man/ipfilter.4239
-rw-r--r--contrib/ipfilter/man/ipfilter.4.mandoc267
-rw-r--r--contrib/ipfilter/man/ipfilter.510
-rw-r--r--contrib/ipfilter/man/ipfs.8125
-rw-r--r--contrib/ipfilter/man/ipfstat.8193
-rw-r--r--contrib/ipfilter/man/ipftest.1205
-rw-r--r--contrib/ipfilter/man/ipl.479
-rw-r--r--contrib/ipfilter/man/ipmon.567
-rw-r--r--contrib/ipfilter/man/ipmon.8185
-rw-r--r--contrib/ipfilter/man/ipnat.148
-rw-r--r--contrib/ipfilter/man/ipnat.498
-rw-r--r--contrib/ipfilter/man/ipnat.5293
-rw-r--r--contrib/ipfilter/man/ipnat.869
-rw-r--r--contrib/ipfilter/man/ippool.5153
-rw-r--r--contrib/ipfilter/man/ippool.8124
-rw-r--r--contrib/ipfilter/man/ipscan.550
-rw-r--r--contrib/ipfilter/man/ipscan.842
-rw-r--r--contrib/ipfilter/man/man.sed1
-rw-r--r--contrib/ipfilter/man/mkfilters.112
24 files changed, 0 insertions, 3379 deletions
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
deleted file mode 100644
index 3f12ccb..0000000
--- a/contrib/ipfilter/man/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-
-all:
-
-install:
- $(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ippool.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ippool.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
- @echo "Remember to rebuild the whatis database."
diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1
deleted file mode 100644
index 5ea06fa..0000000
--- a/contrib/ipfilter/man/ipf.1
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH IPF 1
-.SH NAME
-ipf \- alters packet filtering lists for IP packet input and ouput
-.SH SYNOPSIS
-.B ipf
-[
-.B \-AdDEInorsUvyzZ
-] [
-.B \-l
-<block|pass|nomatch>
-] [
-.B \-F
-<i|o|a>
-]
-.B \-f
-<\fIfilename\fP>
-[
-.B \-f
-<\fIfilename\fP>
-[...]]
-.SH DESCRIPTION
-.PP
-\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
-.PP
-Each rule processed by \fBipf\fP
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipf\fP.
-.SH OPTIONS
-.TP
-.B \-A
-Set the list to make changes to the active list (default).
-.TP
-.B \-d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.TP
-.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
-.TP
-.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.TP
-.BR \-F \0<param>
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.TP
-.BR \-f \0<filename>
-This option specifies which files
-\fBipf\fP should use to get input from for modifying the packet filter rule
-lists.
-.TP
-.B \-I
-Set the list to make changes to the inactive list.
-.TP
-.B \-l \0<param>
-Use of the \fB-l\fP flag toggles default logging of packets. Valid
-arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.TP
-.B \-r
-Remove matching filter rules rather than add them to the internal lists
-.TP
-.B \-s
-Swap the active filter list in use to be the "other" one.
-.TP
-.B \-U
-(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
-recognised as IP packets. They will be printed out on the console.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
-.TP
-.B \-y
-(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
-by IP Filter with the current interface status list.
-.TP
-.B \-z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zero'd.
-.TP
-.B \-Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
-.DT
-.SH SEE ALSO
-ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
deleted file mode 100644
index e2e5b5b..0000000
--- a/contrib/ipfilter/man/ipf.4
+++ /dev/null
@@ -1,255 +0,0 @@
-.TH IPF 4
-.SH NAME
-ipf \- packet filtering kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the filter list, three 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADDFR, struct frentry **)
- ioctl(fd, SIOCDELFR, struct frentry **)
- ioctl(fd, SIOCIPFFL, int *)
-.fi
-.PP
-However, the full complement is as follows:
-.LP
-.nf
- ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
- ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
- ioctl(fd, SIOCADIFR, struct frentry **)
- ioctl(fd, SIOCRMIFR, struct frentry **)
- ioctl(fd, SIOCINAFR, struct frentry **)
- ioctl(fd, SIOCINIFR, struct frentry **)
- ioctl(fd, SIOCSETFF, u_int *)
- ioctl(fd, SIOGGETFF, u_int *)
- ioctl(fd, SIOCGETFS, struct friostat **)
- ioctl(fd, SIOCIPFFL, int *)
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, SIOCSWAPA, u_int *)
- ioctl(fd, SIOCFRENB, u_int *)
- ioctl(fd, SIOCFRSYN, u_int *)
- ioctl(fd, SIOCFRZST, struct friostat **)
- ioctl(fd, SIOCZRLST, struct frentry **)
- ioctl(fd, SIOCAUTHW, struct fr_info **)
- ioctl(fd, SIOCAUTHR, struct fr_info **)
- ioctl(fd, SIOCATHST, struct fr_authstat **)
-.fi
-.PP
-The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
-active and inactive, respectively. All of these ioctl's are implemented
-as being routing ioctls and thus the same rules for the various routing
-ioctls and the file descriptor are employed, mainly being that the fd must
-be that of the device associated with the module (i.e., /dev/ipl).
-.LP
-.PP
-The three groups of ioctls above perform adding rules to the end of the
-list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
-and insertion of a rule into the list (SIOCIN*). The rule place into
-which it is inserted is stored in the "fr_hits" field, below.
-.LP
-.nf
-typedef struct frentry {
- struct frentry *fr_next;
- u_short fr_group; /* group to which this rule belongs */
- u_short fr_grhead; /* group # which this rule starts */
- struct frentry *fr_grp;
- int fr_ref; /* reference count - for grouping */
- void *fr_ifa;
-#if BSD >= 199306
- void *fr_oifa;
-#endif
- /*
- * These are only incremented when a packet matches this rule and
- * it is the last match
- */
- U_QUAD_T fr_hits;
- U_QUAD_T fr_bytes;
- /*
- * Fields after this may not change whilst in the kernel.
- */
- struct fr_ip fr_ip;
- struct fr_ip fr_mip; /* mask structure */
-
- u_char fr_tcpfm; /* tcp flags mask */
- u_char fr_tcpf; /* tcp flags */
-
- u_short fr_icmpm; /* data for ICMP packets (mask) */
- u_short fr_icmp;
-
- u_char fr_scmp; /* data for port comparisons */
- u_char fr_dcmp;
- u_short fr_dport;
- u_short fr_sport;
- u_short fr_stop; /* top port for <> and >< */
- u_short fr_dtop; /* top port for <> and >< */
- u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_short fr_skip; /* # of rules to skip */
- u_short fr_loglevel; /* syslog log facility + priority */
- int (*fr_func) __P((int, ip_t *, fr_info_t *));
- char fr_icode; /* return ICMP code */
- char fr_ifname[IFNAMSIZ];
-#if BSD > 199306
- char fr_oifname[IFNAMSIZ];
-#endif
- struct frdest fr_tif; /* "to" interface */
- struct frdest fr_dif; /* duplicate packet interfaces */
-} frentry_t;
-.fi
-.PP
-When adding a new rule, all unused fields (in the filter rule) should be
-initialised to be zero. To insert a rule, at a particular position in the
-filter list, the number of the rule which it is to be inserted before must
-be put in the "fr_hits" field (the first rule is number 0).
-.LP
-.PP
-Flags which are recognised in fr_flags:
-.nf
-
- FR_BLOCK 0x000001 /* do not allow packet to pass */
- FR_PASS 0x000002 /* allow packet to pass */
- FR_OUTQUE 0x000004 /* outgoing packets */
- FR_INQUE 0x000008 /* ingoing packets */
- FR_LOG 0x000010 /* Log */
- FR_LOGB 0x000011 /* Log-fail */
- FR_LOGP 0x000012 /* Log-pass */
- FR_LOGBODY 0x000020 /* log the body of packets too */
- FR_LOGFIRST 0x000040 /* log only the first packet to match */
- FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
- FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
- FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
- FR_NOMATCH 0x000200 /* no match occured */
- FR_ACCOUNT 0x000400 /* count packet bytes */
- FR_KEEPFRAG 0x000800 /* keep fragment information */
- FR_KEEPSTATE 0x001000 /* keep `connection' state information */
- FR_INACTIVE 0x002000
- FR_QUICK 0x004000 /* match & stop processing list */
- FR_FASTROUTE 0x008000 /* bypass normal routing */
- FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
- FR_DUP 0x020000 /* duplicate the packet */
- FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
- FR_NOTSRCIP 0x080000 /* not the src IP# */
- FR_NOTDSTIP 0x100000 /* not the dst IP# */
- FR_AUTH 0x200000 /* use authentication */
- FR_PREAUTH 0x400000 /* require preauthentication */
-
-.fi
-.PP
-Values for fr_scomp and fr_dcomp (source and destination port value
-comparisons) :
-.LP
-.nf
- FR_NONE 0
- FR_EQUAL 1
- FR_NEQUAL 2
- FR_LESST 3
- FR_GREATERT 4
- FR_LESSTE 5
- FR_GREATERTE 6
- FR_OUTRANGE 7
- FR_INRANGE 8
-.fi
-.PP
-The third ioctl, SIOCIPFFL, flushes either the input filter list, the
-output filter list or both and it returns the number of filters removed
-from the list(s). The values which it will take and recognise are FR_INQUE
-and FR_OUTQUE (see above). This ioctl is also implemented for
-\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
-or just all those which are not established if passed 1.
-
-.IP "\fBGeneral Logging Flags\fP" 0
-There are two flags which can be set to log packets independently of the
-rules used. These allow for packets which are either passed or blocked
-to be logged. To set (and clear)/get these flags, two ioctls are
-provided:
-.IP SIOCSETFF 16
-Takes an unsigned integer as the parameter. The flags are then set to
-those provided (clearing/setting all in one).
-.nf
-
- FF_LOGPASS 0x10000000
- FF_LOGBLOCK 0x20000000
- FF_LOGNOMATCH 0x40000000
- FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
-.fi
-.IP SIOCGETFF 16
-Takes a pointer to an unsigned integer as the parameter. A copy of the
-flags currently in used is copied to user space.
-.IP "\fBFilter statistics\fP" 0
-Statistics on the various operations performed by this package on packets
-is kept inside the kernel. These statistics apply to packets traversing
-through the kernel. To retrieve this structure, use this ioctl:
-.nf
-
- ioctl(fd, SIOCGETFS, struct friostat *)
-
-struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin[2];
- struct frentry *f_fout[2];
- struct frentry *f_acctin[2];
- struct frentry *f_acctout[2];
- struct frentry *f_auth;
- u_long f_froute[2];
- int f_active; /* 1 or 0 - active rule set */
- int f_defpass; /* default pass - from fr_pass */
- int f_running; /* 1 if running, else 0 */
- int f_logging; /* 1 if enabled, else 0 */
- char f_version[32]; /* version string */
-};
-
-struct filterstats {
- u_long fr_pass; /* packets allowed */
- u_long fr_block; /* packets denied */
- u_long fr_nom; /* packets which don't match any rule */
- u_long fr_ppkl; /* packets allowed and logged */
- u_long fr_bpkl; /* packets denied and logged */
- u_long fr_npkl; /* packets unmatched and logged */
- u_long fr_pkl; /* packets logged */
- u_long fr_skip; /* packets to be logged but buffer full */
- u_long fr_ret; /* packets for which a return is sent */
- u_long fr_acct; /* packets for which counting was performed */
- u_long fr_bnfr; /* bad attempts to allocate fragment state */
- u_long fr_nfr; /* new fragment state kept */
- u_long fr_cfr; /* add new fragment state but complete pkt */
- u_long fr_bads; /* bad attempts to allocate packet state */
- u_long fr_ads; /* new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_pull[2]; /* good and bad pullup attempts */
-#if SOLARIS
- u_long fr_notdata; /* PROTO/PCPROTO that have no data */
- u_long fr_nodata; /* mblks that have no data */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_notip; /* packets passed through no on ip queue */
- u_long fr_drop; /* packets dropped - no info for them! */
-#endif
-};
-.fi
-If we wanted to retrieve all the statistics and reset the counters back to
-0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
-In addition to the statistics above, each rule keeps a hit count, counting
-both number of packets and bytes. To reset these counters for a rule,
-load the various rule information into a frentry structure and call
-SIOCZRLST.
-.IP "Swapping Active lists" 0
-IP Filter supports two lists of rules for filtering and accounting: an
-active list and an inactive list. This allows for large scale rule base
-changes to be put in place atomically with otherwise minimal interruption.
-Which of the two is active can be changed using the SIOCSWAPA ioctl. It
-is important to note that no passed argument is recognised and that the
-value returned is that of the list which is now inactive.
-.br
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
deleted file mode 100644
index 3fd9e94..0000000
--- a/contrib/ipfilter/man/ipf.5
+++ /dev/null
@@ -1,556 +0,0 @@
-.TH IPF 5
-.SH NAME
-ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
-.SH DESCRIPTION
-.PP
-A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parsable rules as output when displaying the internal
-kernel filter lists, it is quite plausible to use its output to feed back
-into \fBipf\fP. Thus, to remove all filters on input packets, the following
-could be done:
-.nf
-
-\fC# ipfstat \-i | ipf \-rf \-\fP
-.fi
-.SH GRAMMAR
-.PP
-The format used by \fBipf\fP for construction of filtering rules can be
-described using the following grammar in BNF:
-\fC
-.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] ip [ group ].
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
- [ froute ] [ replyto ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-skip = "skip" decnumber .
-auth = "auth" | "preauth" .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name [ ":" ipaddr ] .
-froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
-replyto = "reply-to" interface-name [ ":" ipaddr ] .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" [ "!" ] object "to" [ "!" ] object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-return-code = "(" icmp-code ")" .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-addr = "any" | "<thishost>" | nummask |
- host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "(" icmp-code ")" .
-keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
-loglevel = facility"."priority | priority .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-state-options = state-opts [ "," state-options ] .
-
-state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
- "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" optname .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
- "addext" | "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
- "gt" | "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
-.fi
-.PP
-This syntax is somewhat simplified for readability, some combinations
-that match this grammar are disallowed by the software because they do
-not make sense (such as tcp \fBflags\fP for non-TCP packets).
-.SH FILTER RULES
-.PP
-The "briefest" valid rules are (currently) no-ops and are of the form:
-.nf
- block in all
- pass in all
- log out all
- count in all
-.fi
-.PP
-Filter rules are checked in order, with the last matching rule
-determining the fate of the packet (but see the \fBquick\fP option,
-below).
-.PP
-Filters are installed by default at the end of the kernel's filter
-lists, prepending the rule with \fB@n\fP will cause it to be inserted
-as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(8) for more
-information.
-.SH ACTIONS
-.PP
-The action indicates what to do with the packet if it matches the rest
-of the filter rule. Each rule MUST have an action. The following
-actions are recognised:
-.TP
-.B block
-indicates that the packet should be flagged to be dropped. In response
-to blocking a packet, the filter may be instructed to send a reply
-packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
-masquerading as being from the original packet's destination
-(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
-ICMP packet may be generated in response to any IP packet, and its
-type may optionally be specified, but a TCP reset may only be used
-with a rule which is being applied to TCP packets. When using
-\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
-the actual unreachable `type'. That is, whether it is a network
-unreachable, port unreachable or even administratively
-prohibited. This is done by enclosing the ICMP code associated with
-it in parenthesis directly following \fBreturn-icmp\fP or
-\fBreturn-icmp-as-dest\fP as follows:
-.nf
- block return-icmp(11) ...
-.fi
-.PP
-Would return a Type-Of-Service (TOS) ICMP unreachable error.
-.TP
-.B pass
-will flag the packet to be let through the filter.
-.TP
-.B log
-causes the packet to be logged (as described in the LOGGING section
-below) and has no effect on whether the packet will be allowed through
-the filter.
-.TP
-.B count
-causes the packet to be included in the accounting statistics kept by
-the filter, and has no effect on whether the packet will be allowed through
-the filter. These statistics are viewable with ipfstat(8).
-.TP
-.B call
-this action is used to invoke the named function in the kernel, which
-must conform to a specific calling interface. Customised actions and
-semantics can thus be implemented to supplement those available. This
-feature is for use by knowledgeable hackers, and is not currently
-documented.
-.TP
-.B "skip <n>"
-causes the filter to skip over the next \fIn\fP filter rules. If a rule is
-inserted or deleted inside the region being skipped over, then the value of
-\fIn\fP is adjusted appropriately.
-.TP
-.B auth
-this allows authentication to be performed by a user-space program running
-and waiting for packet information to validate. The packet is held for a
-period of time in an internal buffer whilst it waits for the program to return
-to the kernel the \fIreal\fP flags for whether it should be allowed through
-or not. Such a program might look at the source address and request some sort
-of authentication from the user (such as a password) before allowing the
-packet through or telling the kernel to drop it if from an unrecognised source.
-.TP
-.B preauth
-tells the filter that for packets of this class, it should look in the
-pre-authenticated list for further clarification. If no further matching
-rule is found, the packet will be dropped (the FR_PREAUTH is not the same
-as FR_PASS). If a further matching rule is found, the result from that is
-used in its instead. This might be used in a situation where a person
-\fIlogs in\fP to the firewall and it sets up some temporary rules defining
-the access for that person.
-.PP
-The next word must be either \fBin\fP or \fBout\fP. Each packet
-moving through the kernel is either inbound (just been received on an
-interface, and moving towards the kernel's protocol processing) or
-outbound (transmitted or forwarded by the stack, and on its way to an
-interface). There is a requirement that each filter rule explicitly
-state which side of the I/O it is to be used on.
-.SH OPTIONS
-.PP
-The list of options is brief, and all are indeed optional. Where
-options are used, they must be present in the order shown here. These
-are the currently supported options:
-.TP
-.B log
-indicates that, should this be the last matching rule, the packet
-header will be written to the \fBipl\fP log (as described in the
-LOGGING section below).
-.TP
-.B tag tagid
-indicates that, if this rule causes the packet to be logged or entered
-in the state table, the tagid will be logged as part of the log entry.
-This can be used to quickly match "similar" rules in scripts that post
-process the log files for e.g. generation of security reports or accounting
-purposes. The tagid is a 32 bit unsigned integer.
-.TP
-.B quick
-allows "short-cut" rules in order to speed up the filter or override
-later rules. If a packet matches a filter rule which is marked as
-\fBquick\fP, this rule will be the last rule checked, allowing a
-"short-circuit" path to avoid processing later rules for this
-packet. The current status of the packet (after any effects of the
-current rule) will determine whether it is passed or blocked.
-.IP
-If this option is missing, the rule is taken to be a "fall-through"
-rule, meaning that the result of the match (block/pass) is saved and
-that processing will continue to see if there are any more matches.
-.TP
-.B on
-allows an interface name to be incorporated into the matching
-procedure. Interface names are as printed by "netstat \-i". If this
-option is used, the rule will only match if the packet is going
-through that interface in the specified direction (in/out). If this
-option is absent, the rule is taken to be applied to a packet
-regardless of the interface it is present on (i.e. on all interfaces).
-Filter rulesets are common to all interfaces, rather than having a
-filter list for each interface.
-.IP
-This option is especially useful for simple IP-spoofing protection:
-packets should only be allowed to pass inbound on the interface from
-which the specified source address would be expected, others may be
-logged and/or dropped.
-.TP
-.B dup-to
-causes the packet to be copied, and the duplicate packet to be sent
-outbound on the specified interface, optionally with the destination
-IP address changed to that specified. This is useful for off-host
-logging, using a network sniffer.
-.TP
-.B to
-causes the packet to be moved to the outbound queue on the
-specified interface. This can be used to circumvent kernel routing
-decisions, and even to bypass the rest of the kernel processing of the
-packet (if applied to an inbound rule). It is thus possible to
-construct a firewall that behaves transparently, like a filtering hub
-or switch, rather than a router. The \fBfastroute\fP keyword is a
-synonym for this option.
-.SH MATCHING PARAMETERS
-.PP
-The keywords described in this section are used to describe attributes
-of the packet to be used when determining whether rules match or don't
-match. The following general-purpose attributes are provided for
-matching, and must be used in this order:
-.TP
-.B tos
-packets with different Type-Of-Service values can be filtered.
-Individual service levels or combinations can be filtered upon. The
-value for the TOS mask can either be represented as a hex number or a
-decimal integer value.
-.TP
-.B ttl
-packets may also be selected by their Time-To-Live value. The value given in
-the filter rule must exactly match that in the packet for a match to occur.
-This value can only be given as a decimal integer value.
-.TP
-.B proto
-allows a specific protocol to be matched against. All protocol names
-found in \fB/etc/protocols\fP are recognised and may be used.
-However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would
-out-date any attempted listing.
-.IP
-The special protocol keyword \fBtcp/udp\fP may be used to match either
-a TCP or a UDP packet, and has been added as a convenience to save
-duplication of otherwise-identical rules.
-.\" XXX grammar should reflect this (/etc/protocols)
-.PP
-The \fBfrom\fP and \fBto\fP keywords are used to match against IP
-addresses (and optionally port numbers). Rules must specify BOTH
-source and destination parameters.
-.PP
-IP addresses may be specified in one of two ways: as a numerical
-address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
-may either be a valid hostname, from either the hosts file or DNS
-(depending on your configuration and library) or of the dotted numeric
-form. There is no special designation for networks but network names
-are recognised. Note that having your filter rules depend on DNS
-results can introduce an avenue of attack, and is discouraged.
-.PP
-There is a special case for the hostname \fBany\fP which is taken to
-be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
-Only the presence of "any" has an implied mask, in all other
-situations, a hostname MUST be accompanied by a mask. It is possible
-to give "any" a hostmask, but in the context of this language, it is
-non-sensical.
-.PP
-The numerical format "x\fB/\fPy" indicates that a mask of y
-consecutive 1 bits set is generated, starting with the MSB, so a y value
-of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
-that the mask y is in dotted IP notation or a hexadecimal number of
-the form 0x12345678. Note that all the bits of the IP address
-indicated by the bitmask must match the address on the packet exactly;
-there isn't currently a way to invert the sense of the match, or to
-match ranges of IP addresses which do not express themselves easily as
-bitmasks (anthropomorphization; it's not just for breakfast anymore).
-.PP
-If a \fBport\fP match is included, for either or both of source and
-destination, then it is only applied to
-.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
-TCP and UDP packets. If there is no \fBproto\fP match parameter,
-packets from both protocols are compared. This is equivalent to "proto
-tcp/udp". When composing \fBport\fP comparisons, either the service
-name or an integer port number may be used. Port comparisons may be
-done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. When the port appears as part of the
-\fBfrom\fP object, it matches the source port number, when it appears
-as part of the \fBto\fP object, it matches the destination port number.
-See the examples for more information.
-.PP
-The \fBall\fP keyword is essentially a synonym for "from any to any"
-with no other match parameters.
-.PP
-Following the source and destination matching parameters, the
-following additional parameters may be used:
-.TP
-.B with
-is used to match irregular attributes that some packets may have
-associated with them. To match the presence of IP options in general,
-use \fBwith ipopts\fP. To match packets that are too short to contain
-a complete header, use \fBwith short\fP. To match fragmented packets,
-use \fBwith frag\fP. For more specific filtering on IP options,
-individual options can be listed.
-.IP
-Before any parameter used after the \fBwith\fP keyword, the word
-\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
-match if the option(s) is not present.
-.IP
-Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
-the keyword \fBand\fP may be used in place of \fBwith\fP, this is
-provided purely to make the rules more readable ("with ... and ...").
-When multiple clauses are listed, all those must match to cause a
-match of the rule.
-.\" XXX describe the options more specifically in a separate section
-.TP
-.B flags
-is only effective for TCP filtering. Each of the letters possible
-represents one of the possible flags that can be set in the TCP
-header. The association is as follows:
-.LP
-.nf
- F - FIN
- S - SYN
- R - RST
- P - PUSH
- A - ACK
- U - URG
-.fi
-.IP
-The various flag symbols may be used in combination, so that "SA"
-would represent a SYN-ACK combination present in a packet. There is
-nothing preventing the specification of combinations, such as "SFR",
-that would not normally be generated by law-abiding TCP
-implementations. However, to guard against weird aberrations, it is
-necessary to state which flags you are filtering against. To allow
-this, it is possible to set a mask indicating which TCP flags you wish
-to compare (i.e., those you deem significant). This is done by
-appending "/<flags>" to the set of TCP flags you wish to match
-against, e.g.:
-.LP
-.nf
- ... flags S
- # becomes "flags S/AUPRFS" and will match
- # packets with ONLY the SYN flag set.
-
- ... flags SA
- # becomes "flags SA/AUPRFS" and will match any
- # packet with only the SYN and ACK flags set.
-
- ... flags S/SA
- # will match any packet with just the SYN flag set
- # out of the SYN-ACK pair; the common "establish"
- # keyword action. "S/SA" will NOT match a packet
- # with BOTH SYN and ACK set, but WILL match "SFP".
-.fi
-.TP
-.B icmp-type
-is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjunction with \fBflags\fP. There are a number of types, which can be
-referred to by an abbreviation recognised by this language, or the numbers
-with which they are associated can be used. The most important from
-a security point of view is the ICMP redirect.
-.SH KEEP HISTORY
-.PP
-The second last parameter which can be set for a filter rule is whether or not
-to record historical information for that packet, and what sort to keep. The
-following information can be kept:
-.TP
-.B state
-keeps information about the flow of a communication session. State can
-be kept for TCP, UDP, and ICMP packets.
-.TP
-.B frags
-keeps information on fragmented packets, to be applied to later
-fragments.
-.PP
-allowing packets which match these to flow straight through, rather
-than going through the access control list.
-.SH GROUPS
-The last pair of parameters control filter rule "grouping". By default, all
-filter rules are placed in group 0 if no other group is specified. To add a
-rule to a non-default group, the group must first be started by creating a
-group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
-group, the filter processing then switches to the group, using that rule as
-the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
-processing isn't stopped until it has returned from processing the group.
-.PP
-A rule may be both the head for a new group and a member of a non-default
-group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
-.TP
-.B "head <n>"
-indicates that a new group (number n) should be created.
-.TP
-.B "group <n>"
-indicates that the rule should be put in group (number n) rather than group 0.
-.SH LOGGING
-.PP
-When a packet is logged, with either the \fBlog\fP action or option,
-the headers of the packet are written to the \fBipl\fP packet logging
-pseudo-device. Immediately following the \fBlog\fP keyword, the
-following qualifiers may be used (in order):
-.TP
-.B body
-indicates that the first 128 bytes of the packet contents will be
-logged after the headers.
-.TP
-.B first
-If log is being used in conjunction with a "keep" option, it is recommended
-that this option is also applied so that only the triggering packet is logged
-and not every packet which thereafter matches state information.
-.TP
-.B or-block
-indicates that, if for some reason the filter is unable to log the
-packet (such as the log reader being too slow) then the rule should be
-interpreted as if the action was \fBblock\fP for this packet.
-.TP
-.B "level <loglevel>"
-indicates what logging facility and priority, or just priority with
-the default facility being used, will be used to log information about
-this packet using ipmon's -s option.
-.PP
-See ipl(4) for the format of records written
-to this device. The ipmon(8) program can be used to read and format
-this log.
-.SH EXAMPLES
-.PP
-The \fBquick\fP option is good for rules such as:
-\fC
-.nf
-block in quick from any to any with ipopts
-.fi
-.PP
-which will match any packet with a non-standard header length (IP
-options present) and abort further processing of later rules,
-recording a match and also that the packet should be blocked.
-.PP
-The "fall-through" rule parsing allows for effects such as this:
-.LP
-.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to any port > 6003
-.fi
-.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Note that the effect of the first rule is overridden by subsequent
-rules. Another (easier) way to do the same is:
-.LP
-.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
-.fi
-.PP
-Note that both the "block" and "pass" are needed here to effect a
-result as a failed match on the "block" action does not imply a pass,
-only that the rule hasn't taken effect. To then allow ports < 1024, a
-rule such as:
-.LP
-.nf
- pass in quick from any to any port < 1024
-.fi
-.PP
-would be needed before the first block. To create a new group for
-processing all inbound packets on le0/le1/lo0, with the default being to block
-all inbound packets, we would do something like:
-.LP
-.nf
- block in all
- block in quick on le0 all head 100
- block in quick on le1 all head 200
- block in quick on lo0 all head 300
-.fi
-.PP
-
-and to then allow ICMP packets in on le0, only, we would do:
-.LP
-.nf
- pass in proto icmp all group 100
-.fi
-.PP
-Note that because only inbound packets on le0 are used processed by group 100,
-there is no need to respecify the interface name. Likewise, we could further
-breakup processing of TCP, etc, as follows:
-.LP
-.nf
- block in proto tcp all head 110 group 100
- pass in from any to any port = 23 group 110
-.fi
-.PP
-and so on. The last line, if written without the groups would be:
-.LP
-.nf
- pass in on le0 proto tcp from any to any port = telnet
-.fi
-.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
-.br
-/etc/services
-.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
deleted file mode 100644
index a438415..0000000
--- a/contrib/ipfilter/man/ipf.8
+++ /dev/null
@@ -1,171 +0,0 @@
-.TH IPF 8
-.SH NAME
-ipf \- alters packet filtering lists for IP packet input and output
-.SH SYNOPSIS
-.B ipf
-[
-.B \-6AcdDEInoPrsvVyzZ
-] [
-.B \-l
-<block|pass|nomatch>
-] [
-.B \-T
-<optionlist>
-] [
-.B \-F
-<i|o|a|s|S>
-]
-.B \-f
-<\fIfilename\fP>
-[
-.B \-f
-<\fIfilename\fP>
-[...]]
-.SH DESCRIPTION
-.PP
-\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
-.PP
-Each rule processed by \fBipf\fP
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipf\fP.
-.SH OPTIONS
-.TP
-.B \-6
-This option is required to parse IPv6 rules and to have them loaded.
-.TP
-.B \-A
-Set the list to make changes to the active list (default).
-.TP
-.B \-c <language>
-This option causes \fBipf\fP to generate output files for a compiler that
-supports \fBlanguage\fI. At present, the only target language supported is
-\fBC\fB (-cc) for which two files - \fBip_rules.c\fP
-and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
-\fBipf\fP is being run. These files can be used with the
-\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticly into
-the kernel.
-.TP
-.B \-d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.TP
-.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
-.TP
-.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.TP
-.BR \-F \0<i|o|a>
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.TP
-.BR \-F \0<s|S>
-To flush entries from the state table, the \fB-F\fP option is used in
-conjunction with either "s" (removes state information about any non-fully
-established connections) or "S" (deletes the entire state table). Only
-one of the two options may be given. A fully established connection
-will show up in \fBipfstat -s\fP output as 5/5, with deviations either
-way indicating it is not fully established any more.
-.TP
-.BR \-F <5|6|7|8|9|10|11>
-For the TCP states that represent the closing of a connection has begun,
-be it only one side or the complete connection, it is possible to flush
-those states directly using the number corresponding to that state.
-The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1,
-7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.
-.TP
-.BR \-F <number>
-If the argument supplied to \fB-F\fP is greater than 30, then state table
-entries that have been idle for more than this many seconds will be flushed.
-.TP
-.BR \-f \0<filename>
-This option specifies which files
-\fBipf\fP should use to get input from for modifying the packet filter rule
-lists.
-.TP
-.B \-I
-Set the list to make changes to the inactive list.
-.TP
-.B \-l \0<pass|block|nomatch>
-Use of the \fB-l\fP flag toggles default logging of packets. Valid
-arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.TP
-.B \-P
-Add rules as temporary entries in the authentication rule table.
-.TP
-.B \-r
-Remove matching filter rules rather than add them to the internal lists
-.TP
-.B \-s
-Swap the active filter list in use to be the "other" one.
-.TP
-.B \-T <optionlist>
-This option allows run-time changing of IPFilter kernel variables. Some
-variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
-others do not. The optionlist parameter is a comma separated list of tuning
-commands. A tuning command is either "list" (retrieve a list of all variables
-in the kernel, their maximum, minimum and current value), a single variable
-name (retrieve its current value) and a variable name with a following
-assignment to set a new value. Some examples follow.
-.nf
-# Print out all IPFilter kernel tunable parameters
-ipf -T list
-# Display the current TCP idle timeout and then set it to 3600
-ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
-# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
-ipf -T fr_pass,fr_chksrc,fr_chksrc=1
-.fi
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
-.TP
-.B \-V
-Show version information. This will display the version information compiled
-into the ipf binary and retrieve it from the kernel code (if running/present).
-If it is present in the kernel, information about its current state will be
-displayed (whether logging is active, default filtering, etc).
-.TP
-.B \-y
-Manually resync the in-kernel interface list maintained by IP Filter with
-the current interface status list.
-.TP
-.B \-z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zeroed.
-.TP
-.B \-Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
-.DT
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
deleted file mode 100644
index b2d2f2a..0000000
--- a/contrib/ipfilter/man/ipfilter.4
+++ /dev/null
@@ -1,239 +0,0 @@
-.TH IP\ FILTER 4
-.SH NAME
-ipfilter \- Introduction to IP packet filtering
-.SH DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.SH FEATURES
-The IP packet filter can:
-.IP
-explicitly deny/permit any packet from passing through
-.IP
-distinguish between various interfaces
-.IP
-filter by IP networks or hosts
-.IP
-selectively filter any IP protocol
-.IP
-selectively filter fragmented IP packets
-.IP
-selectively filter packets with IP options
-.IP
-send back an ICMP error/TCP reset for blocked packets
-.IP
-keep packet state information for TCP, UDP and ICMP packet flows
-.IP
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.IP
-act as a Network Address Translator (NAT)
-.IP
-use redirection to setup true transparent proxy connections
-.IP
-provide packet header details to a user program for authentication
-.IP
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.PP
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.IP
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.IP
-ICMP packets by type/code
-.IP
-"established" TCP packets
-.IP
-On any arbitrary combination of TCP flags
-.IP
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.PP
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.IP
-the TCP/UDP/ICMP and IP packet headers
-.IP
-the first 128 bytes of the packet (including headers)
-.PP
-A packet can be logged when:
-.IP
-it is successfully passed through
-.IP
-it is blocked from passing through
-.IP
-it matches a rule setup to look for suspicious packets
-.PP
-IP Filter keeps its own set of statistics on:
-.IP
-packets blocked
-.IP
-packets (and bytes!) used for accounting
-.IP
-packets passed
-.lP
-packets logged
-.IP
-attempts to log which failed (buffer full)
-.IP
-and much more, for packets going both in and out.
-
-.SH Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.PP
-ipf(8)
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in ipf(5).
-.PP
-ipfs(8)
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.PP
-ipfstat(8)
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.PP
-ipftest(1)
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.PP
-ipmon(8)
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.IP
-screen (standard output)
-.IP
-file
-.IP
-syslog
-.PP
-ipsend(1)
-generates arbitary IP packets for ethernet connected machines.
-.PP
-ipresend(1)
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.PP
-iptest(1)
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.PP
-ipnat(8)
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in ipnat(5).
-.PP
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in ipf(4).
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in ipnat(4).
-
-.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.PP
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.SH MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.SH SEE ALSO
-ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
-ipl(4), ipmon(8), ipnat(8), ipnat(4),
-
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc
deleted file mode 100644
index 72534a7..0000000
--- a/contrib/ipfilter/man/ipfilter.4.mandoc
+++ /dev/null
@@ -1,267 +0,0 @@
-.Dd December 8, 2000
-.Dt IP\ FILTER 4
-.Os
-.Sh NAME
-.Nm IP Filter
-.Nd Introduction to IP packet filtering
-.Sh DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.Sh FEATURES
-The IP packet filter can:
-.Bl -bullet -offset indent -compact
-.It
-explicitly deny/permit any packet from passing through
-.It
-distinguish between various interfaces
-.It
-filter by IP networks or hosts
-.It
-selectively filter any IP protocol
-.It
-selectively filter fragmented IP packets
-.It
-selectively filter packets with IP options
-.It
-send back an ICMP error/TCP reset for blocked packets
-.It
-keep packet state information for TCP, UDP and ICMP packet flows
-.It
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.It
-act as a Network Address Translator (NAT)
-.It
-use redirection to setup true transparent proxy connections
-.It
-provide packet header details to a user program for authentication
-.It
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.El
-.Pp
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.Bl -bullet -offset indent -compact
-.It
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.It
-ICMP packets by type/code
-.It
-"established" TCP packets
-.It
-On any arbitrary combination of TCP flags
-.It
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.El
-.Pp
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.Bl -bullet -offset indent -compact
-.It
-the TCP/UDP/ICMP and IP packet headers
-.It
-the first 128 bytes of the packet (including headers)
-.El
-.Pp
-A packet can be logged when:
-.Bl -bullet -offset indent -compact
-.It
-it is successfully passed through
-.It
-it is blocked from passing through
-.It
-it matches a rule setup to look for suspicious packets
-.El
-.Pp
-IP Filter keeps its own set of statistics on:
-.Bl -bullet -offset indent -compact
-.It
-packets blocked
-.It
-packets (and bytes!) used for accounting
-.It
-packets passed
-.li
-packets logged
-.It
-attempts to log which failed (buffer full)
-.El
-and much more, for packets going both in and out.
-
-.Sh Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.Pp
-.Xr ipf 8
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in
-.Xr ipf 5 .
-.Pp
-.Xr ipfs 8
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.Pp
-.Xr ipfstat 8
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.Pp
-.Xr ipftest 1
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.Pp
-.Xr ipmon 8
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.Bl -bullet -offset indent -compact
-.It
-screen (standard output)
-.It
-file
-.It
-syslog
-.El
-.Pp
-.Xr ipsend 1
-generates arbitary IP packets for ethernet connected machines.
-.Pp
-.Xr ipresend 1
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.Pp
-.Xr iptest 1
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.Pp
-.Xr ipnat 8
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
-.Xr ipnat 5 .
-.Pp
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in
-.Xr ipf 4 .
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in
-.Xr ipnat 4 .
-
-.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.Pp
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.Sh MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.Sh SEE ALSO
-.Xr ipf 4 ,
-.Xr ipf 5 ,
-.Xr ipf 8 ,
-.Xr ipfilter 5 ,
-.Xr ipfs 8 ,
-.Xr ipfstat 8 ,
-.Xr ipftest 1 ,
-.Xr ipl 4 ,
-.Xr ipmon 8 ,
-.Xr ipnat 4 ,
-.Xr ipnat 8 ,
-
diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5
deleted file mode 100644
index 0bba0f4..0000000
--- a/contrib/ipfilter/man/ipfilter.5
+++ /dev/null
@@ -1,10 +0,0 @@
-.TH IPFILTER 1
-.SH NAME
-IP Filter
-.SH DESCRIPTION
-.PP
-IP Filter is a package providing packet filtering capabilities for a variety
-of operating systems. On a properly setup system, it can be used to build a
-firewall.
-.SH SEE ALSO
-ipf(8), ipf(1), ipf(5), ipnat(8), ipnat(5), mkfilters(1)
diff --git a/contrib/ipfilter/man/ipfs.8 b/contrib/ipfilter/man/ipfs.8
deleted file mode 100644
index d5bf460..0000000
--- a/contrib/ipfilter/man/ipfs.8
+++ /dev/null
@@ -1,125 +0,0 @@
-.TH IPFS 8
-.SH NAME
-ipfs \- saves and restores information for NAT and state tables.
-.SH SYNOPSIS
-.B ipfs
-[-nv] -l
-.PP
-.B ipfs
-[-nv] -u
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -R
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -W
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -r
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -w
-.PP
-.B ipfs
-[-nNSv]
-.B \-f
-<\fIfilename\fP>
-.B \-i
-<if1>,<if2>
-.SH DESCRIPTION
-.PP
-\fBipfs\fP allows state information created for NAT entries and rules using
-\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
-allowing for the system to experience a reboot, followed by the restoration
-of that information, resulting in connections not being interrupted.
-.SH OPTIONS
-.TP
-.B \-d
-Change the default directory used with
-.B \-R
-and
-.B \-W
-options for saving state information.
-.TP
-.B \-n
-Don't actually take any action that would affect information stored in
-the kernel or on disk.
-.TP
-.B \-v
-Provides a verbose description of what's being done.
-.TP
-.B \-i <ifname1>,<ifname2>
-Change all instances of interface name ifname1 in the state save file to
-ifname2. Useful if you're restoring state information after a hardware
-reconfiguration or change.
-.TP
-.B \-N
-Operate on NAT information.
-.TP
-.B \-S
-Operate on filtering state information.
-.TP
-.B \-u
-Unlock state tables in the kernel.
-.TP
-.B \-l
-Lock state tables in the kernel.
-.TP
-.B \-r
-Read information in from the specified file and load it into the
-kernel. This requires the state tables to have already been locked
-and does not change the lock once complete.
-.TP
-.B \-w
-Write information out to the specified file and from the kernel.
-This requires the state tables to have already been locked
-and does not change the lock once complete.
-.TP
-.B \-R
-Restores all saved state information, if any, from two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified by the
-.B \-d
-option. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.TP
-.B \-W
-Saves in-kernel state information, if any, out to two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified by the
-.B \-d
-option. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.DT
-.SH FILES
-/var/db/ipf/ipstate.ipf
-.br
-/var/db/ipf/ipnat.ipf
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/dev/ipnat
-.SH SEE ALSO
-ipf(8), ipl(4), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Perhaps the -W and -R operations should set the locking but rather than
-undo it, restore it to what it was previously. Fragment table information
-is currently not saved.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
deleted file mode 100644
index 95cf6f3..0000000
--- a/contrib/ipfilter/man/ipfstat.8
+++ /dev/null
@@ -1,193 +0,0 @@
-.TH ipfstat 8
-.SH NAME
-ipfstat \- reports on packet filter statistics and filter list
-.SH SYNOPSIS
-.B ipfstat
-[
-.B \-6aAdfghIilnoRsv
-]
-.br
-.B ipfstat -t
-[
-.B \-6C
-] [
-.B \-D
-<addrport>
-] [
-.B \-P
-<protocol>
-] [
-.B \-S
-<addrport>
-] [
-.B \-T
-<refresh time>
-]
-.SH DESCRIPTION
-\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
-\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
-To run and work, it needs to be able to read both /dev/kmem and the
-kernel itself. The kernel name defaults to \fB/vmunix\fP.
-.PP
-The default behaviour of \fBipfstat\fP
-is to retrieve and display the accumulated statistics which have been
-accumulated over time as the kernel has put packets through the filter.
-.SH OPTIONS
-.TP
-.B \-6
-Display filter lists and states for IPv6, if available.
-.TP
-.B \-a
-Display the accounting filter list and show bytes counted against each rule.
-.TP
-.B \-A
-Display packet authentication statistics.
-.TP
-.B \-C
-This option is only valid in combination with \fB\-t\fP.
-Display "closed" states as well in the top. Normally, a TCP connection is
-not displayed when it reaches the CLOSE_WAIT protocol state. With this
-option enabled, all state entries are displayed.
-.TP
-.BR \-d
-Produce debugging output when displaying data.
-.TP
-.BR \-D \0<addrport>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries whose destination IP address and port
-match the addrport argument. The addrport specification is of the form
-ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
-option is not specified, it defaults to "\fB\-D\fP any,any".
-.TP
-.B \-f
-Show fragment state information (statistics) and held state information (in
-the kernel) if any is present.
-.TP
-.B \-g
-Show groups currently configured (both active and inactive).
-.TP
-.B \-h
-Show per-rule the number of times each one scores a "hit". For use in
-combination with \fB\-i\fP.
-.TP
-.B \-i
-Display the filter list used for the input side of the kernel IP processing.
-.TP
-.B \-I
-Swap between retrieving "inactive"/"active" filter list details. For use
-in combination with \fB\-i\fP.
-.TP
-.B \-n
-Show the "rule number" for each rule as it is printed.
-.TP
-.B \-o
-Display the filter list used for the output side of the kernel IP processing.
-.TP
-.BR \-P \0<protocol>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries that match a specific protocol. The
-argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a
-protocol number. If this option is not specified, state entries for any
-protocol are specified.
-.TP
-.BR \-R
-Don't try to resolve addresses to hostnames and ports to services while
-printing statistics.
-.TP
-.B \-s
-Show packet/flow state information (statistics only).
-.TP
-.B \-sl
-Show held state information (in the kernel) if any is present (no statistics).
-.TP
-.BR \-S \0<addrport>
-This option is only valid in combination with \fB\-t\fP. Limit the state top
-display to show only state entries whose source IP address and port match
-the addrport argument. The addrport specification is of the form
-ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any IP address resp. any port). If the \fB\-S\fP
-option is not specified, it defaults to "\fB\-S\fP any,any".
-.TP
-.B \-t
-Show the state table in a way similar to the way \fBtop(1)\fP shows the process
-table. States can be sorted using a number of different ways. This option
-requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on
-all operating systems. See below, for more information on the keys that can
-be used while ipfstat is in top mode.
-.TP
-.BR \-T \0<refreshtime>
-This option is only valid in combination with \fB\-t\fP. Specifies how often
-the state top display should be updated. The refresh time is the number of
-seconds between an update. Any positive integer can be used. The default (and
-minimal update time) is 1.
-.TP
-.B \-v
-Turn verbose mode on. Displays more debugging information. When used with
-either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the
-number of times it has been matched and the number of bytes from such packets
-is displayed. For "keep state" rules, a count of the number of state sessions
-active against the rule is also displayed.
-.SH SYNOPSIS
-The role of \fBipfstat\fP is to display current kernel statistics gathered
-as a result of applying the filters in place (if any) to packets going in and
-out of the kernel. This is the default operation when no command line
-parameters are present.
-.PP
-When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
-the appropriate list of filter rules currently installed and in use by the
-kernel.
-.PP
-One of the statistics that \fBipfstat\fP shows is \fBticks\fP.
-This number indicates how long the filter has been enabled.
-The number is incremented every half\-second.
-.SH STATE TOP
-Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
-this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
-command line options can be used to restrict the state entries that will be
-shown and to specify the frequency of display updates.
-.PP
-In state top mode, the following keys can be used to influence the displayed
-information:
-.TP
-\fBb\fP show packets/bytes from backward direction.
-.TP
-\fBf\fP show packets/bytes from forward direction. (default)
-.TP
-\fBl\fP redraw the screen.
-.TP
-\fBq\fP quit the program.
-.TP
-\fBs\fP switch between different sorting criterion.
-.TP
-\fBr\fP reverse the sorting criterion.
-.PP
-States can be sorted by protocol number, by number of IP packets, by number
-of bytes and by time-to-live of the state entry. The default is to sort by
-the number of bytes. States are sorted in descending order, but you can use
-the \fBr\fP key to sort them in ascending order.
-.SH STATE TOP LIMITATIONS
-It is currently not possible to interactively change the source, destination
-and protocol filters or the refresh frequency. This must be done from the
-command line.
-.PP
-The screen must have at least 80 columns. This is however not checked.
-When running state top in IPv6 mode, the screen must be much wider to display
-the very long IPv6 addresses.
-.PP
-Only the first X-5 entries that match the sort and filter criteria are
-displayed (where X is the number of rows on the display. The only way to see
-more entries is to resize the screen.
-.SH FILES
-/dev/kmem
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/vmunix
-.SH SEE ALSO
-ipf(8)
-.SH BUGS
-none known.
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
deleted file mode 100644
index 5153687..0000000
--- a/contrib/ipfilter/man/ipftest.1
+++ /dev/null
@@ -1,205 +0,0 @@
-.TH ipftest 1
-.SH NAME
-ipftest \- test packet filter rules with arbitrary input.
-.SH SYNOPSIS
-.B ipftest
-[
-.B \-6bCdDoRvx
-] [
-.B \-F
-input-format
-] [
-.B \-i
-<filename>
-] [
-.B \-I
-interface
-] [
-.B \-l
-<filename>
-] [
-.B \-N
-<filename>
-] [
-.B \-P
-<filename>
-] [
-.B \-r
-<filename>
-] [
-.B \-S
-<ip_address>
-] [
-.B \-T
-<optionlist>
-]
-.SH DESCRIPTION
-.PP
-\fBipftest\fP is provided for the purpose of being able to test a set of
-filter rules without having to put them in place, in operation and proceed
-to test their effectiveness. The hope is that this minimises disruptions
-in providing a secure IP environment.
-.PP
-\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP,
-\fBipnat\fP and/or \fBippool\fP
-and apply input, returning output as to the result. However, \fBipftest\fP
-will return one of three values for packets passed through the filter:
-pass, block or nomatch. This is intended to give the operator a better
-idea of what is happening with packets passing through their filter
-ruleset.
-.PP
-At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified.
-.SH OPTIONS
-.TP
-.B \-6
-Use IPv6.
-.TP
-.B \-b
-Cause the output to be a brief summary (one-word) of the result of passing
-the packet through the filter; either "pass", "block" or "nomatch".
-This is used in the regression testing.
-.TP
-.B \-C
-Force the checksums to be (re)calculated for all packets being input into
-\fBipftest\fP. This may be necessary if pcap files from tcpdump are being
-fed in where there are partial checksums present due to hardware offloading.
-.TP
-.B \-d
-Turn on filter rule debugging. Currently, this only shows you what caused
-the rule to not match in the IP header checking (addresses/netmasks, etc).
-.TP
-.B \-D
-Dump internal tables before exiting.
-This excludes log messages.
-.TP
-.B \-F
-This option is used to select which input format the input file is in.
-The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text.
-.RS
-.TP
-.B etherfind
-The input file is to be text output from etherfind. The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
-.PP
-.nf
- etherfind -n
- etherfind -n -t
-.fi
-.TP
-.B hex
-The input file is to be hex digits, representing the binary makeup of the
-packet. No length correction is made, if an incorrect length is put in
-the IP header. A packet may be broken up over several lines of hex digits,
-a blank line indicating the end of the packet. It is possible to specify
-both the interface name and direction of the packet (for filtering purposes)
-at the start of the line using this format: [direction,interface] To define
-a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
-and part of the input syntax.
-.HP
-.B pcap
-The input file specified by \fB\-i\fP is a binary file produced using libpcap
-(i.e., tcpdump version 3). Packets are read from this file as being input
-(for rule purposes). An interface maybe specified using \fB\-I\fP.
-.TP
-.B snoop
-The input file is to be in "snoop" format (see RFC 1761). Packets are read
-from this file and used as input from any interface. This is perhaps the
-most useful input type, currently.
-.TP
-.B tcpdump
-The input file is to be text output from tcpdump. The text formats which
-are currently supported are those which result from the following tcpdump
-option combinations:
-.PP
-.nf
- tcpdump -n
- tcpdump -nq
- tcpdump -nqt
- tcpdump -nqtt
- tcpdump -nqte
-.fi
-.TP
-.B text
-The input file is in \fBipftest\fP text input format.
-This is the default if no \fB\-F\fP argument is specified.
-The format used is as follows:
-.nf
- "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
- srchost[,srcport] dsthost[,destport] [FSRPAU]
-.fi
-.PP
-This allows for a packet going "in" or "out" of an interface (if) to be
-generated, being one of the three main protocols (optionally), and if
-either TCP or UDP, a port parameter is also expected. If TCP is selected,
-it is possible to (optionally) supply TCP flags at the end. Some examples
-are:
-.nf
- # a UDP packet coming in on le0
- in on le0 udp 10.1.1.1,2210 10.2.1.5,23
- # an IP packet coming in on le0 from localhost - hmm :)
- in on le0 localhost 10.4.12.1
- # a TCP packet going out of le0 with the SYN flag set.
- out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
-.fi
-.LP
-.RE
-.DT
-.TP
-.BR \-i \0<filename>
-Specify the filename from which to take input. Default is stdin.
-.TP
-.BR \-I \0<interface>
-Set the interface name (used in rule matching) to be the name supplied.
-This is useful where it is
-not otherwise possible to associate a packet with an interface. Normal
-"text packets" can override this setting.
-.TP
-.BR \-l \0<filename>
-Dump log messages generated during testing to the specified file.
-.TP
-.BR \-N \0<filename>
-Specify the filename from which to read NAT rules in \fBipnat\fP(5) format.
-.TP
-.B \-o
-Save output packets that would have been written to each interface in
-a file /tmp/\fIinterface_name\fP in raw format.
-.TP
-.BR \-P \0<filename>
-Read IP pool configuration information in \fBippool\fP(5) format from the
-specified file.
-.TP
-.BR \-r \0<filename>
-Specify the filename from which to read filter rules in \fBipf\fP(5) format.
-.TP
-.B \-R
-Don't attempt to convert IP addresses to hostnames.
-.TP
-.BR \-S \0<ip_address>
-The IP address specifived with this option is used by ipftest to determine
-whether a packet should be treated as "input" or "output". If the source
-address in an IP packet matches then it is considered to be inbound. If it
-does not match then it is considered to be outbound. This is primarily
-for use with tcpdump (pcap) files where there is no in/out information
-saved with each packet.
-.TP
-.BR \-T \0<optionlist>
-This option simulates the run-time changing of IPFilter kernel variables
-available with the \fB\-T\fP option of \fBipf\fP.
-The optionlist parameter is a comma separated list of tuning
-commands. A tuning command is either "list" (retrieve a list of all variables
-in the kernel, their maximum, minimum and current value), a single variable
-name (retrieve its current value) and a variable name with a following
-assignment to set a new value. See \fBipf\fP(8) for examples.
-.TP
-.B \-v
-Verbose mode. This provides more information about which parts of rule
-matching the input packet passes and fails.
-.TP
-.B \-x
-Print a hex dump of each packet before printing the decoded contents.
-.SH SEE ALSO
-ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
-.SH BUGS
-Not all of the input formats are sufficiently capable of introducing a
-wide enough variety of packets for them to be all useful in testing.
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
deleted file mode 100644
index d8106cc..0000000
--- a/contrib/ipfilter/man/ipl.4
+++ /dev/null
@@ -1,79 +0,0 @@
-.TH IPL 4
-.SH NAME
-ipl \- IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options \- TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header. If the log reader
-is busy or otherwise unable to read log records, up to IPLLOGSIZE (8192 is the
-default) bytes of data are stored.
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_long ipl_sec;
- u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
- u_char fl_ifname[IFNAMSIZ];
-#else
- u_int fl_unit;
- u_char fl_ifname[4];
-#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_rule; /* assume never more than 64k rules, total */
- u_32_t fl_flags;
-} ipflog_t;
-
-.fi
-.PP
-When reading from the \fBipl\fP device, it is necessary to call read(2) with
-a buffer big enough to hold at least 1 complete log record - reading of partial
-log records is not supported.
-.PP
-If the packet contents are more than 128 bytes when \fBlog body\fP is used,
-then only 128 bytes of the packet contents are logged.
-.PP
-Although it is only possible to read from the \fBipl\fP device, opening it
-for writing is required when using an ioctl which changes any kernel data.
-.PP
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The ioctls which are for use with logging and don't affect the filter are:
-.LP
-.nf
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, FIONREAD, int *)
-.fi
-.PP
-The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
-flushed. FIONREAD returns the number of bytes currently used for storing
-log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
-available and FIONREAD will return but not do anything.
-.PP
-There is currently no support for non-blocking IO with this device, meaning
-all read operations should be considered blocking in nature (if there is no
-data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4)
-.SH BUGS
-Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl0
diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5
deleted file mode 100644
index 2e3eebd..0000000
--- a/contrib/ipfilter/man/ipmon.5
+++ /dev/null
@@ -1,67 +0,0 @@
-.TH IPMON 5
-.SH NAME
-ipmon, ipmon.conf \- ipmon configuration file format
-.SH DESCRIPTION
-The format for files accepted by ipmon is described by the following grammar:
-.LP
-.nf
-"match" "{" matchlist "}" "do" "{" doing "}" ";"
-
-matchlist ::= matching [ "," matching ] .
-matching ::= direction | dstip | dstport | every | group | interface |
- logtag | nattag | protocol | result | rule | srcip | srcport .
-
-dolist ::= doing [ "," doing ] .
-doing ::= execute | save | syslog .
-
-direction ::= "in" | "out" .
-dstip ::= "dstip" "=" ipv4 "/" number .
-dstport ::= "dstport" "=" number .
-every ::= "every" every-options .
-execute ::= "execute" "=" string .
-group ::= "group" "=" string | "group" "=" number .
-interface ::= "interface" "=" string .
-logtag ::= "logtag" "=" string | "logtag" "=" number .
-nattag ::= "nattag" "=" string .
-protocol ::= "protocol" "=" string | "protocol" "=" number .
-result ::= "result" "=" result-option .
-rule ::= "rule" "=" number .
-srcip ::= "srcip" "=" ipv4 "/" number .
-srcport ::= "srcport" "=" number .
-type ::= "type" "=" ipftype .
-ipv4 ::= number "." number "." number "." number .
-
-every-options ::= "second" | number "seconds" | "packet" | number "packets" .
-result-option ::= "pass" | "block" | "short" | "nomatch" | "log" .
-ipftype ::= "ipf" | "nat" | "state" .
-
-.fi
-.PP
-In addition, lines that start with a # are considered to be comments.
-.TP
-.SH OVERVIEW
-.PP
-The ipmon configuration file is used for defining rules to be executed when
-logging records are read from
-.B /dev/ipl.
-.PP
-At present, only IPv4 matching is available for source/destination address
-matching.
-.SH MATCHING
-.PP
-Each rule for ipmon consists of two primary segments: the first describes how
-the log record is to be matched, the second defines what action to take if
-there is a positive match. All entries of the rules present in the file are
-compared for matches - there is no first or last rule match.
-.SH FILES
-/dev/ipl
-.br
-/dev/ipf
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.br
-/etc/ipmon.conf
-.SH SEE ALSO
-ipmon(8), ipl(4)
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
deleted file mode 100644
index 905a9c8..0000000
--- a/contrib/ipfilter/man/ipmon.8
+++ /dev/null
@@ -1,185 +0,0 @@
-.TH ipmon 8
-.SH NAME
-ipmon \- monitors /dev/ipl for logged packets
-.SH SYNOPSIS
-.B ipmon
-[
-.B \-abBDFhnpstvxX
-] [
-.B "\-N <device>"
-] [
-.B "\-L <facility>"
-] [
-.B "\-o [NSI]"
-] [
-.B "\-O [NSI]"
-] [
-.B "\-P <pidfile>"
-] [
-.B "\-S <device>"
-] [
-.B "\-f <device>"
-] [
-.B <filename>
-]
-.SH DESCRIPTION
-.LP
-\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
-the packet filter. The binary data read from the device is reprinted in
-human readable for, however, IP#'s are not mapped back to hostnames, nor are
-ports mapped back to service names. The output goes to standard output by
-default or a filename, if given on the command line. Should the \fB\-s\fP
-option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
-via syslog have the day, month and year removed from the message, but the
-time (including microseconds), as recorded in the log, is still included.
-.LP
-Messages generated by ipmon consist of whitespace separated fields.
-Fields common to all messages are:
-.LP
-1. The date of packet receipt. This is suppressed when the message is
-sent to syslog.
-.LP
-2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
-minutes seconds, and fractions of a second (which can be several digits
-long).
-.LP
-3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
-.LP
-4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
-viewed with \fBipfstat -n\fP.
-.LP
-5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
-packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
-.LP
-6. The addresses.
-This is actually three fields: the source address and port
-(separated by a comma), the \fB->\fP symbol, and the destination address
-and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
-.LP
-7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
-.LP
-8. \fBlen\fP followed by the header length and total length of the packet,
-e.g., \fBlen 20 40\fP.
-.LP
-If the packet is a TCP packet, there will be an additional field starting
-with a hyphen followed by letters corresponding to any flags that were set.
-See the ipf.conf manual page for a list of letters and their flags.
-.LP
-If the packet is an ICMP packet, there will be two fields at the end,
-the first always being `icmp', and the next being the ICMP message and
-submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
-unreachable message.
-.LP
-In order for \fBipmon\fP to properly work, the kernel option
-\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
-\fBoptions(4)\fP for more details.
-.LP
-\fBipmon\fP reopens its log file(s) and rereads its configuration file
-when it receives a SIGHUP signal.
-.SH OPTIONS
-.TP
-.B \-a
-Open all of the device logfiles for reading log entries from. All entries
-are displayed to the same output 'device' (stderr or syslog).
-.TP
-.B \-b
-For rules which log the body of a packet, generate hex output representing
-the packet contents after the headers.
-.TP
-.B \-B <binarylogfilename>
-Enable logging of the raw, unformatted binary data to the specified
-\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP
-with the \fB-f\fP option.
-.TP
-.B \-D
-Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
-of ipmon is not required to turn it into an orphan so it can run indefinitely.
-.TP
-.B "\-f <device>"
-specify an alternative device/file from which to read the log information
-for normal IP Filter log records.
-.TP
-.B \-F
-Flush the current packet log buffer. The number of bytes flushed is displayed,
-even should the result be zero.
-.TP
-.B \-L <facility>
-Using this option allows you to change the default syslog facility that
-ipmon uses for syslog messages. The default is local0.
-.TP
-.B \-n
-IP addresses and port numbers will be mapped, where possible, back into
-hostnames and service names.
-.TP
-.B "\-N <device>"
-Set the logfile to be opened for reading NAT log records from to <device>.
-.TP
-.B \-o
-Specify which log files to actually read data from. N - NAT logfile,
-S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is
-equivalent to using \fB-o NSI\fP.
-.TP
-.B \-O
-Specify which log files you do not wish to read from. This is most sensibly
-used with the \fB-a\fP. Letters available as parameters to this are the same
-as for \fB-o\fP.
-.TP
-.B \-p
-Cause the port number in log messages to always be printed as a number and
-never attempt to look it up as from \fI/etc/services\fP, etc.
-.TP
-.B \-P <pidfile>
-Write the pid of the ipmon process to a file. By default this is
-\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD
-or later) or \fI/etc/ipmon.pid\fP for all others.
-.TP
-.B \-s
-Packet information read in will be sent through syslogd rather than
-saved to a file. The default facility when compiled and installed is
-\fBlocal0\fP. The following levels are used:
-.IP
-.B LOG_INFO
-\- packets logged using the "log" keyword as the action rather
-than pass or block.
-.IP
-.B LOG_NOTICE
-\- packets logged which are also passed
-.IP
-.B LOG_WARNING
-\- packets logged which are also blocked
-.IP
-.B LOG_ERR
-\- packets which have been logged and which can be considered
-"short".
-.TP
-.B "\-S <device>"
-Set the logfile to be opened for reading state log records from to <device>.
-.TP
-.B \-t
-read the input file/device in a manner akin to tail(1).
-.TP
-.B \-v
-show tcp window, ack and sequence fields.
-.TP
-.B \-x
-show the packet data in hex.
-.TP
-.B \-X
-show the log header record data in hex.
-.SH DIAGNOSTICS
-\fBipmon\fP expects data that it reads to be consistent with how it should be
-saved and will abort if it fails an assertion which detects an anomaly in the
-recorded data.
-.SH FILES
-/dev/ipl
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.br
-/etc/services
-.SH SEE ALSO
-ipl(4), ipf(8), ipfstat(8), ipnat(8)
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1
deleted file mode 100644
index f241415..0000000
--- a/contrib/ipfilter/man/ipnat.1
+++ /dev/null
@@ -1,48 +0,0 @@
-.TH IPNAT 1
-.SH NAME
-ipnat \- user interface to the NAT
-.SH SYNOPSIS
-.B ipnat
-[
-.B \-lnrsvCF
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the IP NAT.
-.PP
-Each rule processed by \fBipnat\fP
-is added to the kernels internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipnat\fP.
-.SH OPTIONS
-.TP
-.B \-C
-delete all entries in the current NAT rule listing (NAT rules)
-.TP
-.B \-F
-delete all active entries in the current NAT translation table (currently
-active NAT mappings)
-.TP
-.B \-l
-Show the list of current NAT table entry mappings.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-s
-Retrieve and display NAT statistics
-.TP
-.B \-r
-Remove matching NAT rules rather than add them to the internal lists
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing
-and active rules/table entries.
-.DT
-.SH FILES
-/dev/ipnat
-.SH SEE ALSO
-ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
deleted file mode 100644
index 54f55d3..0000000
--- a/contrib/ipfilter/man/ipnat.4
+++ /dev/null
@@ -1,98 +0,0 @@
-.TH IPNAT 4
-.SH NAME
-ipnat \- Network Address Translation kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.br
-#include <netinet/ip_proxy.h>
-.br
-#include <netinet/ip_nat.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the NAT list, two 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADNAT, struct ipnat **)
- ioctl(fd, SIOCRMNAT, struct ipnat **)
- ioctl(fd, SIOCGNATS, struct natstat **)
- ioctl(fd, SIOCGNATL, struct natlookup **)
-.fi
-.PP
-Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT
-interface. An inactive list which can be swapped to is not currently
-supported.
-
-These ioctl's are implemented as being routing ioctls and thus the same rules
-for the various routing ioctls and the file descriptor are employed, mainly
-being that the fd must be that of the device associated with the module
-(i.e., /dev/ipl).
-.LP
-.PP
-The structure used with the NAT interface is described below:
-.LP
-.nf
-typedef struct ipnat {
- struct ipnat *in_next;
- void *in_ifp;
- u_short in_flags;
- u_short in_pnext;
- u_short in_port[2];
- struct in_addr in_in[2];
- struct in_addr in_out[2];
- struct in_addr in_nextip;
- int in_space;
- int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
- char in_ifname[IFNAMSIZ];
-} ipnat_t;
-
-#define in_pmin in_port[0] /* Also holds static redir port */
-#define in_pmax in_port[1]
-#define in_nip in_nextip.s_addr
-#define in_inip in_in[0].s_addr
-#define in_inmsk in_in[1].s_addr
-#define in_outip in_out[0].s_addr
-#define in_outmsk in_out[1].s_addr
-
-.fi
-.PP
-Recognised values for in_redir:
-.LP
-.nf
-#define NAT_MAP 0
-#define NAT_REDIRECT 1
-.fi
-.PP
-.LP
-\fBNAT statistics\fP
-Statistics on the number of packets mapped, going in and out are kept,
-the number of times a new entry is added and deleted (through expiration) to
-the NAT table and the current usage level of the NAT table.
-.PP
-Pointers to the NAT table inside the kernel, as well as to the top of the
-internal NAT lists constructed with the \fBSIOCADNAT\fP ioctls. The table
-itself is a hash table of size NAT_SIZE (default size is 367).
-.PP
-To retrieve the statistics, the \fBSIOCGNATS\fP ioctl must be used, with
-the appropriate structure passed by reference, as follows:
-.nf
- ioctl(fd, SIOCGNATS, struct natstat *)
-
-typedef struct natstat {
- u_long ns_mapped[2];
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- nat_t ***ns_table;
- ipnat_t *ns_list;
-} natstat_t;
-.fi
-.SH BUGS
-It would be nice if there were more flexibility when adding and deleting
-filter rules.
-.SH FILES
-/dev/ipnat
-.SH SEE ALSO
-ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
deleted file mode 100644
index 2d76a46..0000000
--- a/contrib/ipfilter/man/ipnat.5
+++ /dev/null
@@ -1,293 +0,0 @@
-.TH IPNAT 5
-.SH NAME
-ipnat, ipnat.conf \- IP NAT file format
-.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
-.LP
-.nf
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ]
- mapoptions .
-mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions .
-redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions .
-
-lhs ::= ipmask | fromto .
-rlhs ::= ipmask dport | fromto .
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-rdrport ::= "port" portnum .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-dstipmask ::= ipmask | "range" ip "-" ip .
-mapicmp ::= "icmpidmap" "icmp" number ":" number .
-mapport ::= "portmap" tcpudp portspec .
-mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] .
-rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] .
-
-object :: = addr [ port-comp | port-range ] .
-addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp :: = "port" compare port-num .
-port-range :: = "port" port-num range port-num .
-rdrproto ::= tcpudp | protocol .
-
-rr ::= "round-robin" .
-age ::= "age" decnumber [ "/" decnumber ] .
-clamp ::= "mssclamp" decnumber .
-tcpudp ::= "tcp/udp" | protocol .
-mapproxy ::= "proxy" "port" port proxy-name '/' protocol
-rdrproxy ::= "proxy" proxy-name .
-
-protocol ::= protocol-name | decnumber .
-nummask ::= host-name [ "/" decnumber ] .
-portspec ::= "auto" | portnumber ":" portnumber .
-port ::= portnumber | port-name .
-portnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
-.fi
-.PP
-For standard NAT functionality, a rule should start with \fBmap\fP and then
-proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
-.PP
-Packets which will be rewritten can only be selected by matching the original
-source address. A netmask must be specified with the IP address.
-.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair. A netmask of all 1's indicating a hostname is valid. A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
-.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number. Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are four commands recognised by IP Filter's NAT code:
-.TP
-.B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
-.TP
-.B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
-.TP
-.B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
-.TP
-.B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
-.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered. The packet
-\fImatching\fP part of the rule is to the left of the "->" in each rule.
-.PP
-Matching of packets has now been extended to allow more complex compares.
-In place of the address which is to be translated, an IP address and port
-number comparison can be made using the same expressions available with
-\fBipf\fP. A simple NAT rule could be written as:
-.LP
-.nf
-map de0 10.1.0.0/16 -> 201.2.3.4/32
-.fi
-.LP
-or as
-.LP
-.nf
-map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
-.fi
-.LP
-Only IP address and port numbers can be compared against. This is available
-with all NAT rules.
-.SH TRANSLATION
-.PP
-To the right of the "->" is the address and port specification which will be
-written into the packet providing it has already successfully matched the
-prior constraints. The case of redirections (\fBrdr\fP) is the simplest:
-the new destination address is that specified in the rule. For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique. If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too. If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask. If a unique tuple cannot be determined, then
-the packet will not be translated. The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its allotted range.
-.SH ICMPIDMAP
-.PP
-ICMP messages can be divided into two groups: "errors" and "queries". ICMP
-errors are generated as a response of another IP packet. IP Filter will take
-care that ICMP errors that are the response of a NAT-ed IP packet are
-handled properly.
-.PP
-For 4 types of ICMP queries (echo request, timestamp request, information
-request and address mask request) IP Filter supports an additional mapping
-called "ICMP id mapping". All these 4 types of ICMP queries use a unique
-identifier called the ICMP id. This id is set by the process sending the
-ICMP query and it is usually equal to the process id. The receiver of the
-ICMP query will use the same id in its response, thus enabling the
-sender to recognize that the incoming ICMP reply is intended for him and is
-an answer to a query that he made. The "ICMP id mapping" feature modifies
-these ICMP id in a way identical to \fBportmap\fP for TCP or UDP.
-.PP
-The reason that you might want this, is that using this feature you don't
-need an IP address per host behind the NAT box, that wants to do ICMP queries.
-The two numbers behind the \fBicmpidmap\fP keyword are the first and the
-last icmp id number that can be used. There is one important caveat: if you
-map to an IP address that belongs to the NAT box itself (notably if you have
-only a single public IP address), then you must ensure that the NAT box does
-not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule.
-Since the ICMP id is usually the process id, it is wise to restrict the
-largest permittable process id (PID) on your operating system to e.g. 63999 and
-use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is
-system dependent. For most BSD derived systems can be done by changing
-PID_MAX in /usr/include/sys/proc.h and then rebuild the system.
-.SH KERNEL PROXIES
-.PP
-IP Filter comes with a few, simple, proxies built into the code that is loaded
-into the kernel to allow secondary channels to be opened without forcing the
-packets through a user program. The current state of the proxies is listed
-below, as one of three states:
-.HP
-Aging - protocol is roughly understood from
-the time at which the proxy was written but it is not well tested or
-maintained;
-.HP
-Developmental - basic functionality exists, works most of the time but
-may be problematic in extended real use;
-.HP
-Experimental - rough support for the protocol at best, may or may not
-work as testing has been at best sporadic, possible large scale changes
-to the code in order to properly support the protocol.
-.HP
-Mature - well tested, protocol is properly
-understood by the proxy;
-.PP
-The currently compiled in proxy list is as follows:
-.HP
-FTP - Mature
-.HP
-IRC - Experimental
-.HP
-rpcbind - Experimental
-.HP
-H.323 - Experimental
-.HP
-Real Audio (PNA) - Aging
-.HP
-IPsec - Developmental
-.HP
-netbios - Experimental
-.HP
-R-command - Mature
-
-.SH TRANSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH LOAD-BALANCING
-.PP
-Two options for use with \fBrdr\fP are available to support primitive,
-\fIround-robin\fP based load balancing. The first option allows for a
-\fBrdr\fP to specify a second destination, as follows:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
-.fi
-.LP
-This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
-In scenarios where the load is being spread amongst a larger set of
-servers, you can use:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
-.fi
-.LP
-In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
-and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
-the rule is removed from the top of the list and added to the end,
-automatically, as required. This will not effect the display of rules
-using "ipnat -l", only the internal application order.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and its variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space. To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-.fi
-.PP
-which falls only 527,566 `addresses' short of the space available in network
-10. If we were to combine these rules, they would need to be specified as
-follows:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed. In some instances, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8. A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252). In all cases, the new port number that is used is deterministic.
-That is, port X will always map to port Y.
-WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing
-to a /32 (i.e. 0/32) because the NAT code will try to map multiple hosts to
-the same port number, outgoing and ultimately this will only succeed for one
-of them.
-The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernible relation between external addresses/ports
-and internal ones. This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own. As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
-/dev/ipnat
-.br
-/etc/services
-.br
-/etc/hosts
-.SH SEE ALSO
-ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
deleted file mode 100644
index 683e8f1..0000000
--- a/contrib/ipfilter/man/ipnat.8
+++ /dev/null
@@ -1,69 +0,0 @@
-.TH IPNAT 8
-.SH NAME
-ipnat \- user interface to the NAT subsystem
-.SH SYNOPSIS
-.B ipnat
-[
-.B \-dhlnrsvCF
-]
-[
-.B \-M core
-]
-[
-.B \-N system
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the IP NAT.
-.PP
-Each rule processed by \fBipnat\fP
-is added to the kernels internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipnat\fP.
-.PP
-Note that if
-\fBipf(8)\fP
-is not enabled when NAT is configured, it will be enabled
-automatically, as the same kernel facilities are used for
-NAT functionality. In addition, packet forwarding must be
-enabled.
-.SH OPTIONS
-.TP
-.B \-C
-delete all entries in the current NAT rule listing (NAT rules)
-.TP
-.B \-d
-Enable printing of some extra debugging information.
-.TP
-.B \-F
-delete all active entries in the current NAT translation table (currently
-active NAT mappings)
-.TP
-.B \-h
-Print number of hits for each MAP/Redirect filter.
-.TP
-.B \-l
-Show the list of current NAT table entry mappings.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove matching NAT rules rather than add them to the internal lists.
-.TP
-.B \-s
-Retrieve and display NAT statistics.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing
-and active rules/table entries.
-.DT
-.SH FILES
-/dev/ipnat
-.br
-/usr/share/examples/ipf Directory with examples.
-.SH SEE ALSO
-ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
deleted file mode 100644
index aeff3c8..0000000
--- a/contrib/ipfilter/man/ippool.5
+++ /dev/null
@@ -1,153 +0,0 @@
-.TH IPPOOL 5
-.SH NAME
-ippool, ippool.conf \- IP Pool file format
-.SH DESCRIPTION
-The format for files accepted by ippool is described by the following grammar:
-.LP
-.nf
-line ::= table | groupmap .
-table ::= "table" role tabletype .
-groupmap ::= "group-map" inout role number ipfgroup
-tabletype ::= ipftree | ipfhash .
-
-role ::= "role" "=" "ipf" .
-inout ::= "in" | "out" .
-
-ipftree ::= "type" "=" "tree" number "{" addrlist "}" .
-ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" .
-
-ipfgroup ::= setgroup hashopts "{" grouplist "}" |
- hashopts "{" setgrouplist "}" .
-setgroup ::= "group" "=" groupname .
-
-hashopts ::= size [ seed ] | seed .
-
-size ::= "size" number .
-seed ::= "seed" number .
-
-addrlist ::= [ "!" ] addrmask ";" [ addrlist ] .
-grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] .
-
-setgrouplist ::= groupentry ";" [ setgrouplist ] .
-
-groupentry ::= addrmask "," setgroup .
-
-hashlist ::= hashentry ";" [ hashlist ] .
-hashentry ::= addrmask .
-
-addrmask ::= ipaddr | ipaddr "/" mask .
-
-mask ::= number | ipaddr .
-
-groupname ::= number | name .
-
-number ::= digit { digit } .
-
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-
-digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-name ::= letter { letter | digit } .
-.fi
-.PP
-The IP pool configuration file is used for defining a single object that
-contains a reference to multiple IP address/netmask pairs. A pool may consist
-of a mixture of netmask sizes, from 0 to 32.
-.PP
-At this point in time, only IPv4 addressing is supported.
-.TP
-.SH OVERVIEW
-.PP
-The IP pool configuration file provides for defining two different mechanisms
-for improving speed in matching IP addresses with rules.
-The first,
-.B table
-, defines a lookup
-.I table
-to provide a single reference in a
-filter rule to multiple targets and the second,
-.B group-map
-, provides a mechanism to target multiple groups from a single filter line.
-.PP
-The
-.B group-map
-command can only be used with filter rules that use the
-.B call
-command to invoke either
-.B fr_srcgrpmap
-or
-.B fr_dstgrpmap
-, to use the source or destination address,
-respectively, for determining which filter group to jump to next for
-continuation of filter packet processing.
-.SH POOL TYPES
-.PP
-Two storage formats are provided: hash tables and tree structure. The hash
-table is intended for use with objects all containing the same netmask or a
-few different sized netmasks of non-overlapping address space and the tree
-is designed for being able to support exceptions to a covering mask, in
-addition to normal searching as you would do with a table. It is not possible
-to use the tree data storage type with
-.B group-map
-configuration entries.
-.SH POOL ROLES
-.PP
-When a pool is defined in the configuration file, it must have an associated
-role. At present the only supported role is
-.B ipf.
-Future development will see futher expansion of their use by other sections
-of IPFilter code.
-.SH EXAMPLES
-The following examples show how the pool configuration file is used with
-the ipf configuration file to enhance the ability for the ipf configuration
-file to be succinct in meaning.
-.TP
-1
-The first example shows how a filter rule makes reference to a specific
-pool for matching of the source address.
-.nf
-pass in from pool/100 to any
-.fi
-.PP
-The pool configuration, which matches IP addresses 1.1.1.1 and any
-in 2.2.0.0/16, except for those in 2.2.2.0/24.
-.PP
-.nf
-table role = ipf type = tree number = 100
- { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 };
-.fi
-.TP
-2
-The following ipf.conf extract uses the
-fr_srcgrpmap/fr_dstgrpmap lookups to use the
-.B group-map
-facility to lookup the next group to use for filter processing, providing
-the
-.B call
-filter rule is matched.
-.nf
-call now fr_srcgrpmap/1010 in all
-call now fr_dstgrpmap/2010 out all
-pass in all group 1020
-block in all group 1030
-pass out all group 2020
-block out all group 2040
-.fi
-.PP
-A ippool configuration to work with the above ipf.conf file might
-look like this:
-.PP
-.nf
-group-map in role = ipf number = 1010
- { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; };
-group-map out role = ipf number = 2010 group = 2020
- { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; };
-.fi
-.SH FILES
-/dev/iplookup
-.br
-/etc/ippool.conf
-.br
-/etc/hosts
-.SH SEE ALSO
-ippool(8), hosts(5), ipf(5), ipf(8), ipnat(8)
diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8
deleted file mode 100644
index e27cb92..0000000
--- a/contrib/ipfilter/man/ippool.8
+++ /dev/null
@@ -1,124 +0,0 @@
-.TH IPPOOL 8
-.SH NAME
-ippool \- user interface to the IPFilter pools
-.SH SYNOPSIS
-.br
-.B ippool
--a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
-.br
-.B ippool
--A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>]
-.br
-.B ippool
--f <file> [-dnuv]
-.br
-.B ippool
--F [-dv] [-o <role>] [-t <type>]
-.br
-.B ippool
--l [-dv] [-m <name>] [-t <type>]
-.br
-.B ippool
--r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>]
-.br
-.B ippool
--R [-dnv] [-m <name>] [-o <role>] [-t <type>]
-.br
-.B ippool
--s [-dtv] [-M <core>] [-N <namelist>]
-.SH DESCRIPTION
-.PP
-.B Ippool
-is used to manage information stored in the IP pools subsystem of IPFilter.
-Configuration file information may be parsed and loaded into the kernel,
-currently configured pools removed or changed as well as inspected.
-.PP
-The command line options used are broken into two sections: the global
-options and the instance specific options.
-.SH GLOBAL OPTIONS
-.TP
-.B \-d
-Toggle debugging of processing the configuration file.
-.TP
-.B \-n
-This flag (no-change) prevents
-.B ippool
-from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-v
-Turn verbose mode on.
-.SH COMMAND OPTIONS
-.TP
-.B -a
-Add a new data node to an existing pool in the kernel.
-.TP
-.B -A
-Add a new (empty) pool to the kernel.
-.TP
-.B -f <file>
-Read in IP pool configuration information from the file and load it into
-the kernel.
-.TP
-.B -F
-Flush loaded pools from the kernel.
-.TP
-.B -l
-Display a list of pools currently loaded into the kernel.
-.TP
-.B -r
-Remove an existing data node from a pool in the kernel.
-.TP
-.B -R
-Remove an existing pool from within the kernel.
-.TP
-.B -s
-Display IP pool statistical information.
-.SH OPTIONS
-.TP
-.B -i <ipaddr>[/<netmask>]
-Sets the IP address for the operation being undertaken with an
-all-one's mask or, optionally, a specific netmask given in either
-the dotted-quad notation or a single integer.
-.TP
-.B -m <name>
-Sets the pool name for the current operation.
-.TP
-.B -M <core>
-Specify an alternative path to /dev/kmem to retrieve statistical information
-from.
-.TP
-.B -N <namelist>
-Specify an alternative path to lookup symbol name information from when
-retrieving statistical information.
-.TP
-.B -o <role>
-Sets the role with which this pool is to be used. Currently only
-.B ipf,
-.B auth
-and
-.B count
-are accepted as arguments to this option.
-.TP
-.B -S <seed>
-Sets the hashing seed to the number specified. Only for use with
-.B hash
-type pools.
-.TP
-.B -t <type>
-Sets the type of pool being defined. Myst be one of
-.B tree,
-.B hash,
-.B group-map.
-.TP
-.B -u
-When parsing a configuration file, rather than load new pool data into the
-kernel, unload it.
-.DT
-.SH FILES
-.br
-/dev/iplookup
-.br
-/etc/ippool.conf
-.SH SEE ALSO
-ippool(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipscan.5 b/contrib/ipfilter/man/ipscan.5
deleted file mode 100644
index cc12ca3..0000000
--- a/contrib/ipfilter/man/ipscan.5
+++ /dev/null
@@ -1,50 +0,0 @@
-.TH IPSCAN 5
-.SH NAME
-ipscan, ipscan.conf \- ipscan file format
-.SH DESCRIPTION
-.PP
-WARNING: This feature is to be considered experimental and may change
-significantly until a final implementation is drawn up.
-.PP
-The format for files accept by ipscan currently follow this rough grammar:
-.LP
-.nf
-line ::= name ":" matchup [ "," matchup ] "=" action .
-matchup ::= "(" ")" | "(" literal ")" | "(" literal "," match ")" .
-action ::= result | result "else" result .
-result ::= "close" | "track" | redirect .
-redirect ::= "redirect" ip-address [ "(" "," port-number ")" ] .
-match ::= { match-char }
-match-char ::= "*" | "?" | "."
-.fi
-.PP
-In this example an ip-address is a dotted-quad IPv4 address and a port-number
-is a number betwee 1 and 65535, inclusive. The match string is must be of
-same length as the literal string that it is matching (literal). The length
-of either string is limited to 16 bytes.
-.PP
-Currently, the redirect option is not yet been implemented.
-.LP
-.nf
-#
-# * = match any character, . = exact match, ? = case insensitive
-#
-# Scan for anything that looks like HTTP and redirect it to the local
-# proxy. One catch - this feature (redirect) is not yet implemented.
-#
-http : ("GET ", "???." ) = redirect(127.0.0.1)
-#
-# Track ssh connections (i.e do nothing)
-#
-ssh : (), ("SSH-") = track
-#
-# Things which look like smtp to be tracked else closed.
-# Client can start with EHLO (ESMTP) or HELO (SMTP).
-#
-smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
-#
-.fi
-.SH FILES
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(8)
diff --git a/contrib/ipfilter/man/ipscan.8 b/contrib/ipfilter/man/ipscan.8
deleted file mode 100644
index 958c456..0000000
--- a/contrib/ipfilter/man/ipscan.8
+++ /dev/null
@@ -1,42 +0,0 @@
-.TH IPSCAN 8
-.SH NAME
-ipscan \- user interface to the IPFilter content scanning
-.SH SYNOPSIS
-.B ipscan
-[
-.B \-dlnrsv
-] [
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
-file to build up a content scanning configuration to load into the kernel.
-Currently only the first 16 bytes of a connection can be compared.
-.SH OPTIONS
-.TP
-.B \-d
-Toggle debugging of processing the configuration file.
-.TP
-.B \-l
-Show the list of currently configured content scanning entries.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipscan\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove commands from kernel configuration as they are read from the
-configuration file rather than adding new ones.
-.TP
-.B \-s
-Retrieve and display content scanning statistics
-.TP
-.B \-v
-Turn verbose mode on.
-.DT
-.SH FILES
-/dev/ipscan
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(5), ipf(8)
diff --git a/contrib/ipfilter/man/man.sed b/contrib/ipfilter/man/man.sed
deleted file mode 100644
index 0be8dab..0000000
--- a/contrib/ipfilter/man/man.sed
+++ /dev/null
@@ -1 +0,0 @@
-DF . .. CVSD~MakefileDipf.1Dipf.4Dipf.5D
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
deleted file mode 100644
index b5fd9dc..0000000
--- a/contrib/ipfilter/man/mkfilters.1
+++ /dev/null
@@ -1,12 +0,0 @@
-.TH MKFILTERS 1
-.SH NAME
-mkfilters \- generate a minimal firewall ruleset for ipfilter
-.SH SYNOPSIS
-.B mkfilters
-.SH DESCRIPTION
-.PP
-\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
-use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
-.DT
-.SH SEE ALSO
-ipf(8), ipf(5), ipfilter(5), ifconfig(8)