import ip-filter 3.2

1997-10-30 05:27:24 +00:00 · 1997-10-30 05:27:24 +00:00 · 44c002beb1
commit 44c002beb1
parent f6cf10401f
29 changed files with 691 additions and 167 deletions
--- a/sys/netinet/ip_auth.h
+++ b/sys/netinet/ip_auth.h
@ -1,13 +1,13 @@
-/*	$NetBSD: ip_auth.h,v 1.1.1.2 1997/09/21 16:49:28 veego Exp $	*/
+/*	$NetBSD: ip_auth.h,v 1.1.1.3 1997/10/30 05:31:16 mrg Exp $	*/

 /*
- * (C)opyright 1997 by Darren Reed & Guido Van Rooij.
+ * Copyright (C) 1997 by Darren Reed & Guido Van Rooij.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
- * Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp 
+ * Id: ip_auth.h,v 2.0.2.10 1997/10/29 12:14:07 darrenr Exp 
 *
 */
 #ifndef	__IP_AUTH_H__
@ -60,7 +60,7 @@ extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *, qif_t *));
 #else
 extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
 #endif
-#ifdef __NetBSD__
+#if defined(__NetBSD__) || defined(__OpenBSD__)
 extern	int	fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **));
 #else
 extern	int	fr_auth_ioctl __P((caddr_t, int, frentry_t *, frentry_t **));
--- a/sys/netinet/ip_log.c
+++ b/sys/netinet/ip_log.c
@ -1,13 +1,13 @@
-/*	$NetBSD: ip_log.c,v 1.1.1.1 1997/09/21 16:49:48 veego Exp $	*/
+/*	$NetBSD: ip_log.c,v 1.1.1.2 1997/10/30 05:31:59 mrg Exp $	*/

 /*
- * (C)opyright 1997 by Darren Reed.
+ * Copyright (C) 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
- * Id: ip_log.c,v 2.0.2.6 1997/09/10 13:08:18 darrenr Exp 
+ * Id: ip_log.c,v 2.0.2.13 1997/10/29 12:14:11 darrenr Exp 
 */
 #ifdef	IPFILTER_LOG
 # ifndef SOLARIS
@ -46,7 +46,7 @@
 # endif
 # include <sys/uio.h>
 # if !SOLARIS
-#  if NetBSD > 199609
+#  if (NetBSD > 199609) || (OpenBSD > 199603)
 #   include <sys/dirent.h>
 #  else
 #   include <sys/dir.h>
@ -75,7 +75,15 @@
 # endif
 # include <net/route.h>
 # include <netinet/in.h>
+#ifdef __sgi
+#include <sys/ddi.h>
+# ifdef IFF_DRVRLOCK /* IRIX6 */
+#include <sys/hashing.h>
+# endif
+#endif
+#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
 # include <netinet/in_var.h>
+#endif
 # include <netinet/in_systm.h>
 # include <netinet/ip.h>
 # include <netinet/ip_var.h>
@ -98,9 +106,11 @@
 # endif


-#if SOLARIS
+#if SOLARIS || defined(__sgi)
 extern	kmutex_t	ipl_mutex;
+# if SOLARIS
 extern	kcondvar_t	iplwait;
+# endif
 #endif

 iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
@ -123,7 +133,7 @@ void ipflog_init()
 		iplh[i] = &iplt[i];
 		iplused[i] = 0;
 	}
-# if BSD >= 199306 || defined(__FreeBSD__)
+# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
 	microtime(&tv);
 # else
 	uniqtime(&tv);
@ -162,8 +172,10 @@ mb_t *m;
 	 * calculate header size.
 	 */
 	hlen = fin->fin_hlen;
-	if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
+	if (ip->ip_p == IPPROTO_TCP)
 		hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
+	else if (ip->ip_p == IPPROTO_UDP)
+		hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
 	else if (ip->ip_p == IPPROTO_ICMP) {
 		struct	icmp	*icmp = (struct icmp *)((char *)ip + hlen);
 
@ -194,7 +206,8 @@ mb_t *m;
 	bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
 	mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
 # else
-#  if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
+#  if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
+	(defined(OpenBSD) && (OpenBSD >= 199603))
 	strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
 #  else
 	ipfl.fl_unit = (u_char)ifp->if_unit;
@ -292,6 +305,7 @@ int *types, cnt;
 	 * amount of space we're going to use.
 	 */
 	ipl = (iplog_t *)buf;
+	ipl->ipl_magic = IPL_MAGIC;
 	ipl->ipl_count = 1;
 	ipl->ipl_next = NULL;
 	ipl->ipl_dsize = len;
@ -301,7 +315,7 @@ int *types, cnt;
 #  ifdef	sun
 	uniqtime((struct timeval *)&ipl->ipl_sec);
 #  endif
-#  if BSD >= 199306 || defined(__FreeBSD__)
+#  if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
 	microtime((struct timeval *)&ipl->ipl_sec);
 #  endif
 # endif
@ -329,7 +343,8 @@ int *types, cnt;
 	cv_signal(&iplwait);
 	mutex_exit(&ipl_mutex);
 # else
-	wakeup(iplh[dev]);
+	MUTEX_EXIT(&ipl_mutex);
+	wakeup(&iplh[dev]);
 # endif
 	return 1;
 }
@ -361,24 +376,25 @@ struct uio *uio;
 	 * Lock the log so we can snapshot the variables.  Wait for a signal
 	 * if the log is empty.
 	 */
-	SPLNET(s);
+	SPL_NET(s);
 	MUTEX_ENTER(&ipl_mutex);

+	while (!iplused[unit] || !iplt[unit]) {
 # if SOLARIS && defined(_KERNEL)
-	while (!iplused[unit])
 		if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
 			MUTEX_EXIT(&ipl_mutex);
 			return EINTR;
 		}
 # else
-	while (!iplused[unit]) {
-		SPLX(s);
-		error = SLEEP(iplh[unit], "ipl sleep");
+		MUTEX_EXIT(&ipl_mutex);
+		SPL_X(s);
+		error = SLEEP(&iplh[unit], "ipl sleep");
 		if (error)
 			return error;
-		SPLNET(s);
-	}
+		SPL_NET(s);
+		MUTEX_ENTER(&ipl_mutex);
 # endif
+	}

 # if BSD >= 199306 || defined(__FreeBSD__)
 	uio->uio_rw = UIO_READ;
@ -393,21 +409,23 @@ struct uio *uio;
 		 */
 		iplt[unit] = ipl->ipl_next;
 		MUTEX_EXIT(&ipl_mutex);
-		SPLX(s);
+		SPL_X(s);
 		error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio);
 		KFREES((caddr_t)ipl, ipl->ipl_dsize);
 		if (error)
 			break;
-		SPLNET(s);
+		SPL_NET(s);
 		MUTEX_ENTER(&ipl_mutex);
 		iplused[unit] -= dlen;
 	}
-	if (!ipl)
+	if (!ipl) {
+		iplused[unit] = 0;
 		iplh[unit] = &iplt[unit];
+	}

 	if (!error) {
 		MUTEX_EXIT(&ipl_mutex);
-		SPLX(s);
+		SPL_X(s);
 	}
 	return error;
 }
--- a/usr.sbin/ipf/ipf/ipf.8
+++ b/usr.sbin/ipf/ipf/ipf.8
@ -1,6 +1,6 @@
-.TH IPF 1
+.TH IPF 8
 .SH NAME
-ipf \- alters packet filtering lists for IP packet input and ouput
+ipf \- alters packet filtering lists for IP packet input and output
 .SH SYNOPSIS
 .B ipf
 [
--- a/usr.sbin/ipf/ipf/ipf.h
+++ b/usr.sbin/ipf/ipf/ipf.h
@ -1,14 +1,14 @@
-/*	$NetBSD: ipf.h,v 1.1.1.6 1997/09/21 16:47:51 veego Exp $	*/
+/*	$NetBSD: ipf.h,v 1.1.1.7 1997/10/30 05:27:27 mrg Exp $	*/

 /*
- * (C)opyright 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
 * @(#)ipf.h	1.12 6/5/96
- * Id: ipf.h,v 2.0.2.9 1997/08/26 12:52:46 darrenr Exp 
+ * Id: ipf.h,v 2.0.2.12 1997/09/28 07:11:50 darrenr Exp 
 */

 #ifndef	__IPF_H__
@ -46,6 +46,10 @@
 # endif
 #endif

+#ifdef	ultrix
+extern	char	*strdup __P((char *));
+#endif
+
 extern	struct	frentry	*parse __P((char *));

 extern	void	printfr __P((struct frentry *));
@ -64,7 +68,7 @@ struct	ipopt_names	{
 extern	u_32_t	buildopts __P((char *, char *, int));
 extern	u_32_t	hostnum __P((char *, int *));
 extern	u_32_t	optname __P((char ***, u_short *));
-extern	void	printpacket __P((struct ip *));
+extern	void	printpacket __P((ip_t *));
 #if SOLARIS
 extern	int	inet_aton __P((const char *, struct in_addr *));
 #endif
--- a/usr.sbin/ipf/ipf/opt.c
+++ b/usr.sbin/ipf/ipf/opt.c
@ -1,7 +1,7 @@
-/*	$NetBSD: opt.c,v 1.1.1.6 1997/09/21 16:47:50 veego Exp $	*/
+/*	$NetBSD: opt.c,v 1.1.1.7 1997/10/30 05:27:24 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -16,17 +16,24 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/tcp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <arpa/inet.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	sccsid[] = "@(#)opt.c	1.8 4/10/96 (C) 1993-1995 Darren Reed";
-static	char	rcsid[] = "Id: opt.c,v 2.0.2.7 1997/09/10 13:08:23 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)opt.c	1.8 4/10/96 (C) 1993-1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: opt.c,v 2.0.2.9 1997/09/28 07:12:08 darrenr Exp ";
 #endif

 extern	int	opts;
--- a/usr.sbin/ipf/ipfstat/kmem.c
+++ b/usr.sbin/ipf/ipfstat/kmem.c
@ -1,7 +1,7 @@
-/*	$NetBSD: kmem.c,v 1.1.1.6 1997/09/21 16:47:59 veego Exp $	*/
+/*	$NetBSD: kmem.c,v 1.1.1.7 1997/10/30 05:27:38 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -20,9 +20,9 @@
 #include <sys/file.h>
 #include "kmem.h"

-#if !defined(lint) && defined(LIBC_SCCS)
-static  char    sccsid[] = "@(#)kmem.c	1.4 1/12/96 (C) 1992 Darren Reed";
-static	char	rcsid[] = "Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)kmem.c	1.4 1/12/96 (C) 1992 Darren Reed";
+static const char rcsid[] = "@(#)Id: kmem.c,v 2.0.2.5 1997/10/23 14:50:53 darrenr Exp ";
 #endif

 static	int	kmemfd = -1;
--- a/usr.sbin/ipf/ipfstat/kmem.h
+++ b/usr.sbin/ipf/ipfstat/kmem.h
@ -1,12 +1,12 @@
-/*	$NetBSD: kmem.h,v 1.1.1.6 1997/09/21 16:48:00 veego Exp $	*/
+/*	$NetBSD: kmem.h,v 1.1.1.7 1997/10/30 05:27:41 mrg Exp $	*/

 /*
- * (C)opyright 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp 
+ * Id: kmem.h,v 2.0.2.6 1997/09/28 07:12:02 darrenr Exp 
 */

 #ifndef	__KMEM_H__
--- a/usr.sbin/ipf/ipftest/ipft_ef.c
+++ b/usr.sbin/ipf/ipftest/ipft_ef.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_ef.c,v 1.1.1.6 1997/09/21 16:48:07 veego Exp $	*/
+/*	$NetBSD: ipft_ef.c,v 1.1.1.7 1997/10/30 05:27:56 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -37,21 +37,28 @@ etherfind -n -t
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <netdb.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
+#ifdef linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static char sccsid[] = "@(#)ipft_ef.c	1.6 2/4/96 (C)1995 Darren Reed";
-static	char	rcsid[] = "Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipft_ef.c	1.6 2/4/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipft_ef.c,v 2.0.2.7 1997/09/28 07:11:50 darrenr Exp ";
 #endif

 static	int	etherf_open __P((char *));
@ -92,7 +99,7 @@ char	*buf, **ifn;
 int	cnt, *dir;
 {
 	struct	tcpiphdr pkt;
-	struct	ip	*ip = (struct ip *)&pkt;
+	ip_t	*ip = (ip_t *)&pkt;
 	struct	protoent *p = NULL;
 	char	src[16], dst[16], sprt[16], dprt[16];
 	char	lbuf[128], len[8], prot[8], time[8], *s;
@ -145,7 +152,7 @@ int	cnt, *dir;
 	(void) inet_aton(src, &ip->ip_src);
 	(void) inet_aton(dst, &ip->ip_dst);
 	ip->ip_len = atoi(len);
-	ip->ip_hl = sizeof(struct ip);
+	ip->ip_hl = sizeof(ip_t);

 	slen = ip->ip_hl + extra;
 	i = MIN(cnt, slen);
--- a/usr.sbin/ipf/ipftest/ipft_hx.c
+++ b/usr.sbin/ipf/ipftest/ipft_hx.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_hx.c,v 1.1.1.6 1997/09/21 16:48:13 veego Exp $	*/
+/*	$NetBSD: ipft_hx.c,v 1.1.1.7 1997/10/30 05:28:09 mrg Exp $	*/

 /*
- * (C)opyright 1995 by Darren Reed.
+ * Copyright (C) 1995-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -11,12 +11,12 @@
 #include <ctype.h>
 #include <assert.h>
 #include <string.h>
+#include <sys/types.h>
 #if !defined(__SVR4) && !defined(__svr4__)
 #include <strings.h>
 #else
 #include <sys/byteorder.h>
 #endif
-#include <sys/types.h>
 #include <sys/param.h>
 #include <sys/time.h>
 #include <stdlib.h>
@ -26,12 +26,16 @@
 #include <sys/ioctl.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/udp.h>
 #include <netinet/tcp.h>
 #include <netinet/ip_icmp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <netdb.h>
 #include <arpa/nameser.h>
@ -39,10 +43,13 @@
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	sccsid[] = "@(#)ipft_hx.c	1.1 3/9/96 (C) 1996 Darren Reed";
-static	char	rcsid[] = "Id: ipft_hx.c,v 2.0.2.5 1997/07/20 11:10:32 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipft_hx.c	1.1 3/9/96 (C) 1996 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipft_hx.c,v 2.0.2.8 1997/10/19 15:39:23 darrenr Exp ";
 #endif

 extern	int	opts;
--- a/usr.sbin/ipf/ipftest/ipft_pc.c
+++ b/usr.sbin/ipf/ipftest/ipft_pc.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_pc.c,v 1.1.1.6 1997/09/21 16:48:09 veego Exp $	*/
+/*	$NetBSD: ipft_pc.c,v 1.1.1.7 1997/10/30 05:28:01 mrg Exp $	*/

 /*
- * (C)opyright 1993-1996 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -22,18 +22,25 @@
 #include <sys/param.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
 #include "pcap.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	rcsid[] = "Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp ";
+#if !defined(lint)
+static const char rcsid[] = "@(#)Id: ipft_pc.c,v 2.0.2.6 1997/09/28 07:11:52 darrenr Exp ";
 #endif

 struct	llc	{
--- a/usr.sbin/ipf/ipftest/ipft_sn.c
+++ b/usr.sbin/ipf/ipftest/ipft_sn.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_sn.c,v 1.1.1.6 1997/09/21 16:48:06 veego Exp $	*/
+/*	$NetBSD: ipft_sn.c,v 1.1.1.7 1997/10/30 05:27:54 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -26,18 +26,25 @@
 #include <sys/time.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
 #include "snoop.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	rcsid[] = "Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp ";
+#if !defined(lint)
+static const char rcsid[] = "@(#)Id: ipft_sn.c,v 2.0.2.6 1997/09/28 07:11:53 darrenr Exp ";
 #endif

 struct	llc	{
--- a/usr.sbin/ipf/ipftest/ipft_td.c
+++ b/usr.sbin/ipf/ipftest/ipft_td.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_td.c,v 1.1.1.6 1997/09/21 16:48:08 veego Exp $	*/
+/*	$NetBSD: ipft_td.c,v 1.1.1.7 1997/10/30 05:27:59 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -46,21 +46,28 @@ tcpdump -nqte
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <net/if.h>
 #include <netdb.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static char sccsid[] = "@(#)ipft_td.c	1.8 2/4/96 (C)1995 Darren Reed";
-static	char	rcsid[] = "Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipft_td.c	1.8 2/4/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipft_td.c,v 2.0.2.6 1997/09/28 07:11:54 darrenr Exp ";
 #endif

 static	int	tcpd_open __P((char *));
@ -115,7 +122,7 @@ char	*buf, **ifn;
 int	cnt, *dir;
 {
 	struct	tcpiphdr pkt;
-	struct	ip	*ip = (struct ip *)&pkt;
+	ip_t	*ip = (ip_t *)&pkt;
 	struct	protoent *p;
 	char	src[32], dst[32], misc[256], time[32], link1[32], link2[32];
 	char	lbuf[160], *s;
@ -158,7 +165,7 @@ int	cnt, *dir;
 		(void) inet_aton(src, &ip->ip_src);
 		(void) inet_aton(src, &ip->ip_dst);
 	}
-	ip->ip_len = ip->ip_hl = sizeof(struct ip);
+	ip->ip_len = ip->ip_hl = sizeof(ip_t);

 	s = strtok(misc, " :");
 	if ((p = getprotobyname(s))) {
--- a/usr.sbin/ipf/ipftest/ipft_tx.c
+++ b/usr.sbin/ipf/ipftest/ipft_tx.c
@ -1,7 +1,7 @@
-/*	$NetBSD: ipft_tx.c,v 1.1.1.6 1997/09/21 16:48:10 veego Exp $	*/
+/*	$NetBSD: ipft_tx.c,v 1.1.1.7 1997/10/30 05:28:04 mrg Exp $	*/

 /*
- * (C)opyright 1995 by Darren Reed.
+ * Copyright (C) 1995-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -11,12 +11,12 @@
 #include <ctype.h>
 #include <assert.h>
 #include <string.h>
+#include <sys/types.h>
 #if !defined(__SVR4) && !defined(__svr4__)
 #include <strings.h>
 #else
 #include <sys/byteorder.h>
 #endif
-#include <sys/types.h>
 #include <sys/param.h>
 #include <sys/time.h>
 #include <stdlib.h>
@ -26,12 +26,16 @@
 #include <sys/ioctl.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
+#ifndef	linux
 #include <netinet/ip_var.h>
+#endif
 #include <netinet/ip.h>
 #include <netinet/udp.h>
 #include <netinet/tcp.h>
 #include <netinet/ip_icmp.h>
+#ifndef	linux
 #include <netinet/tcpip.h>
+#endif
 #include <arpa/inet.h>
 #include <net/if.h>
 #include <netdb.h>
@ -40,10 +44,13 @@
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #include "ipt.h"
+#ifdef	linux
+#include "tcpip.h"
+#endif

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
-static	char	rcsid[] = "Id: ipft_tx.c,v 2.0.2.7 1997/08/26 12:52:03 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipft_tx.c,v 2.0.2.11 1997/10/19 15:39:24 darrenr Exp ";
 #endif

 extern	int	opts;
@ -52,7 +59,7 @@ static	char	*tx_proto = "";

 static	int	text_open __P((char *)), text_close __P((void));
 static	int	text_readip __P((char *, int, char **, int *));
-static	int	parseline __P((char *, struct ip *, char **, int *));
+static	int	parseline __P((char *, ip_t *, char **, int *));

 static	char	tcp_flagset[] = "FSRPAU";
 static	u_char	tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
@ -137,8 +144,8 @@ char	*name;

 char	*tx_icmptypes[] = {
 	"echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
-	"redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL,
-	(char *)NULL, "timex", "paramprob", "timest", "timestrep",
+	"redir", (char *)NULL, (char *)NULL, "echo", "routerad",
+	"routersol", "timex", "paramprob", "timest", "timestrep",
 	"inforeq", "inforep", "maskreq", "maskrep", "END"
 };

@ -176,10 +183,10 @@ char	*buf, **ifn;
 int	cnt, *dir;
 {
 	register char *s;
-	struct	ip *ip;
+	ip_t *ip;
 	char	line[513];

- 	ip = (struct ip *)buf;
+ 	ip = (ip_t *)buf;
 	*ifn = NULL;
 	while (fgets(line, sizeof(line)-1, tfp)) {
 		if ((s = index(line, '\n')))
@ -194,11 +201,11 @@ int	cnt, *dir;
 			printf("input: %s\n", line);
 		*ifn = NULL;
 		*dir = 0;
-		if (!parseline(line, (struct ip *)buf, ifn, dir))
+		if (!parseline(line, (ip_t *)buf, ifn, dir))
 #if 0
 			return sizeof(struct tcpiphdr);
 #else
-			return sizeof(struct ip);
+			return sizeof(ip_t);
 #endif
 	}
 	return -1;
@ -206,7 +213,7 @@ int	cnt, *dir;

 static	int	parseline(line, ip, ifn, out)
 char	*line;
-struct	ip	*ip;
+ip_t	*ip;
 char	**ifn;
 int	*out;
 {
@ -246,7 +253,7 @@ int	*out;
 	}

 	c = **cpp;
-	ip->ip_len = sizeof(struct ip);
+	ip->ip_len = sizeof(ip_t);
 	if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
 	    !strcasecmp(*cpp, "icmp")) {
 		if (c == 't') {
--- a/usr.sbin/ipf/ipftest/ipt.h
+++ b/usr.sbin/ipf/ipftest/ipt.h
@ -1,12 +1,12 @@
-/*	$NetBSD: ipt.h,v 1.1.1.6 1997/09/21 16:48:14 veego Exp $	*/
+/*	$NetBSD: ipt.h,v 1.1.1.7 1997/10/30 05:28:12 mrg Exp $	*/

 /*
- * (C)opyright 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp 
+ * Id: ipt.h,v 2.0.2.7 1997/09/28 07:12:00 darrenr Exp 
 */

 #ifndef	__IPT_H__
--- a/usr.sbin/ipf/ipftest/misc.c
+++ b/usr.sbin/ipf/ipftest/misc.c
@ -1,7 +1,7 @@
-/*	$NetBSD: misc.c,v 1.1.1.6 1997/09/21 16:48:11 veego Exp $	*/
+/*	$NetBSD: misc.c,v 1.1.1.7 1997/10/30 05:28:07 mrg Exp $	*/

 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -10,12 +10,12 @@
 #include <stdio.h>
 #include <assert.h>
 #include <string.h>
+#include <sys/types.h>
 #if !defined(__SVR4) && !defined(__svr4__)
 #include <strings.h>
 #else
 #include <sys/byteorder.h>
 #endif
-#include <sys/types.h>
 #include <sys/param.h>
 #include <sys/time.h>
 #include <stdlib.h>
@ -41,9 +41,9 @@
 #include "ipf.h"
 #include "ipt.h"

-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	sccsid[] = "@(#)misc.c	1.3 2/4/96 (C) 1995 Darren Reed";
-static	char	rcsid[] = "Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp ";
+#if !defined(lint)
+static const char sccsid[] = "@(#)misc.c	1.3 2/4/96 (C) 1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: misc.c,v 2.0.2.8 1997/10/19 15:39:28 darrenr Exp ";
 #endif

 extern	int	opts;
--- a/usr.sbin/ipf/ipftest/pcap.h
+++ b/usr.sbin/ipf/ipftest/pcap.h
@ -1,12 +1,12 @@
-/*	$NetBSD: pcap.h,v 1.1.1.3 1997/09/21 16:48:16 veego Exp $	*/
+/*	$NetBSD: pcap.h,v 1.1.1.4 1997/10/30 05:28:18 mrg Exp $	*/

 /*
- * (C)opyright 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp 
+ * Id: pcap.h,v 2.0.2.4 1997/09/28 07:12:10 darrenr Exp 
 */
 /*
 * This header file is constructed to match the version described by
--- a/usr.sbin/ipf/ipftest/snoop.h
+++ b/usr.sbin/ipf/ipftest/snoop.h
@ -1,7 +1,7 @@
-/*	$NetBSD: snoop.h,v 1.1.1.6 1997/09/21 16:48:15 veego Exp $	*/
+/*	$NetBSD: snoop.h,v 1.1.1.7 1997/10/30 05:28:16 mrg Exp $	*/

 /*
- * (C)opyright 1993-1997 by Darren Reed.
+ * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@ -13,7 +13,7 @@

 /*
 * written to comply with the RFC (1761) from Sun.
- * Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp 
+ * Id: snoop.h,v 2.0.2.5 1997/09/28 07:12:11 darrenr Exp 
 */
 struct	snoophdr	{
 	char	s_id[8];
--- a/usr.sbin/ipf/ipresend/ipresend.c
+++ b/usr.sbin/ipf/ipresend/ipresend.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipresend.c,v 1.1.1.3 1997/09/21 16:49:04 veego Exp $	*/
+/*	$NetBSD: ipresend.c,v 1.1.1.4 1997/10/30 05:29:39 mrg Exp $	*/

 /*
 * ipresend.c (C) 1995-1997 Darren Reed
@ -12,8 +12,9 @@
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 */
-#if !defined(lint) && defined(LIBC_SCCS)
-static	char	sccsid[] = "%W% %G% (C)1995 Darren Reed";
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)Id: ipresend.c,v 2.0.2.9 1997/10/12 09:48:37 darrenr Exp ";
 #endif
 #include <stdio.h>
 #include <stdlib.h>
@ -56,7 +57,11 @@ char	default_device[] = "ln0";
 #    ifdef	__bsdi__
 char	default_device[] = "ef0";
 #    else
+#     ifdef	__sgi
+char	default_device[] = "ec0";
+#     else
 char	default_device[] = "lan0";
+#     endif
 #    endif
 #   endif
 #  endif
--- a/usr.sbin/ipf/ipsend/iplang.h
+++ b/usr.sbin/ipf/ipsend/iplang.h
@ -1,7 +1,7 @@
-/*	$NetBSD: iplang.h,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $	*/
+/*	$NetBSD: iplang.h,v 1.1.1.2 1997/10/30 05:30:27 mrg Exp $	*/

 /*
- * (C)opyright 1997 by Darren Reed.
+ * Copyright (C) 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
--- a/usr.sbin/ipf/ipsend/iplang.tst
+++ b/usr.sbin/ipf/ipsend/iplang.tst
@ -2,19 +2,10 @@
 interface { ifname le0; mtu 1500; }

 ipv4 {
-	src 10.1.1.49; dst 10.1.1.50; id 123; opt { rr 7; };
+	src 1.1.1.1; dst 2.2.2.2;
 	tcp {
-		seq 12345; ack 0; sport 9999; dport 23; flags S;
-		opt { mss 65535; }; data { value "abcdef"; } ;
+		seq 12345; ack 0; sport 9999; dport 23; flags S; 
+		data { value "abcdef"; } ;
 	}
 }
-send { via 10.1.1.50; }
-#
-ipv4 {
-	src 10.1.1.49; dst 10.1.1.50; id 1; opt { lsrr 1.1.1.1; };
-	tcp {
-		seq 12345; ack 0; sport 9999; dport 23; flags S;
-		opt { wscale 2 ; eol; mss 1; }; data { value "abcdef"; } ;
-	}
-}
-send { via 10.1.1.50; }
+send { via 10.1.1.1; }
--- a/usr.sbin/ipf/ipsend/iplang_l.l
+++ b/usr.sbin/ipf/ipsend/iplang_l.l
@ -1,20 +1,31 @@
-/*	$NetBSD: iplang_l.l,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $	*/
+/*	$NetBSD: iplang_l.l,v 1.1.1.2 1997/10/30 05:30:18 mrg Exp $	*/

+%e 1500
+%p 4000
+%a 4000
+%o 6000
 %{
 /*
- * (C)opyright 1997 by Darren Reed.
+ * Copyright (C) 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
- * Id: iplang_l.l,v 2.0.2.8 1997/09/13 07:14:23 darrenr Exp 
+ * Id: iplang_l.l,v 2.0.2.15 1997/09/28 07:13:08 darrenr Exp 
 */
-
 #include <stdio.h>
 #include <string.h>
 #include <sys/param.h>
+#if defined(__SVR4) || defined(__sysv__)
+#include <sys/stream.h>
+#endif
+#include <sys/types.h>
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
 #include "y.tab.h"
+#include <netinet/ip_compat.h>
+#include "ipf.h"

 #ifndef	__P
 # ifdef __STDC__
@ -24,6 +35,8 @@
 # endif
 #endif

+extern int opts;
+
 int lineNum = 0, proto = 0, oldproto = 0, next = -1, laststate = 0;
 int *prstack = NULL, numpr = 0, state = 0, token = 0;

@ -100,16 +113,62 @@ mss	{ return next_state(IL_TCPO_MSS, IL_TOKEN); }
 wscale	{ return next_state(IL_TCPO_MSS, IL_TOKEN); }
 reserv-4	{ return next_state(IL_IPS_RESERV4, -1); }
 topsecret	{ return next_state(IL_IPS_TOPSECRET, -1); }
-secret	{ return next_state(IL_IPS_SECRET, -1); }
+secret		{ return next_state(IL_IPS_SECRET, -1); }
 reserv-3	{ return next_state(IL_IPS_RESERV3, -1); }
-confid	{ return next_state(IL_IPS_CONFID, -1); }
-unclass	{ return next_state(IL_IPS_UNCLASS, -1); }
+confid		{ return next_state(IL_IPS_CONFID, -1); }
+unclass		{ return next_state(IL_IPS_UNCLASS, -1); }
 reserv-2	{ return next_state(IL_IPS_RESERV2, -1); }
 reserv-1	{ return next_state(IL_IPS_RESERV1, -1); }
-\{	{ push_proto(); return next_item(IL_LBRACE); }
-\}	{ pop_proto(); return next_item(IL_RBRACE); }
+icmp		{ return next_state(IL_ICMP, -1); }
+type		{ return next_state(IL_ICMPTYPE, -1); }
+code		{ return next_state(IL_ICMPCODE, -1); }
+echorep		{ return next_state(IL_ICMP_ECHOREPLY, -1); }
+unreach		{ return next_state(IL_ICMP_UNREACH, -1); }
+squench		{ return next_state(IL_ICMP_SOURCEQUENCH, -1); }
+redir		{ return next_state(IL_ICMP_REDIRECT, -1); }
+echo		{ return next_state(IL_ICMP_ECHO, -1); }
+routerad	{ return next_state(IL_ICMP_ROUTERADVERT, -1); }
+routersol	{ return next_state(IL_ICMP_ROUTERSOLICIT, -1); }
+timex		{ return next_state(IL_ICMP_TIMXCEED, -1); }
+paramprob	{ return next_state(IL_ICMP_PARAMPROB, -1); }
+timest		{ return next_state(IL_ICMP_TSTAMP, -1); }
+timestrep	{ return next_state(IL_ICMP_TSTAMPREPLY, -1); }
+inforeq		{ return next_state(IL_ICMP_IREQ, -1); }
+inforep		{ return next_state(IL_ICMP_IREQREPLY, -1); }
+maskreq		{ return next_state(IL_ICMP_MASKREQ, -1); }
+maskrep		{ return next_state(IL_ICMP_MASKREPLY, -1); }
+net-unr		{ return next_state(IL_ICMP_UNREACH_NET, -1); }
+host-unr	{ return next_state(IL_ICMP_UNREACH_HOST, -1); }
+proto-unr	{ return next_state(IL_ICMP_UNREACH_PROTOCOL, -1); }
+port-unr	{ return next_state(IL_ICMP_UNREACH_PORT, -1); }
+needfrag	{ return next_state(IL_ICMP_UNREACH_NEEDFRAG, -1); }
+srcfail		{ return next_state(IL_ICMP_UNREACH_SRCFAIL, -1); }
+net-unk		{ return next_state(IL_ICMP_UNREACH_NET_UNKNOWN, -1); }
+host-unk	{ return next_state(IL_ICMP_UNREACH_HOST_UNKNOWN, -1); }
+isolate		{ return next_state(IL_ICMP_UNREACH_ISOLATED, -1); }
+net-prohib	{ return next_state(IL_ICMP_UNREACH_NET_PROHIB, -1); }
+host-prohib	{ return next_state(IL_ICMP_UNREACH_HOST_PROHIB, -1); }
+net-tos		{ return next_state(IL_ICMP_UNREACH_TOSNET, -1); }
+host-tos	{ return next_state(IL_ICMP_UNREACH_TOSHOST, -1); }
+filter-prohib	{ return next_state(IL_ICMP_UNREACH_FILTER_PROHIB, -1); }
+host-preced	{ return next_state(IL_ICMP_UNREACH_HOST_PRECEDENCE, -1); }
+cutoff-preced	{ return next_state(IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1); }
+net-redir	{ return next_state(IL_ICMP_REDIRECT_NET, -1); }
+host-redir	{ return next_state(IL_ICMP_REDIRECT_HOST, -1); }
+tos-net-redir	{ return next_state(IL_ICMP_REDIRECT_TOSNET, -1); }
+tos-host-redir	{ return next_state(IL_ICMP_REDIRECT_TOSHOST, -1); }
+intrans		{ return next_state(IL_ICMP_TIMXCEED_INTRANS, -1); }
+reass		{ return next_state(IL_ICMP_TIMXCEED_REASS, -1); }
+optabsent	{ return next_state(IL_ICMP_PARAMPROB_OPTABSENT, -1); }
+otime		{ return next_state(IL_ICMP_OTIME, -1); }
+rtime		{ return next_state(IL_ICMP_RTIME, -1); }
+ttime		{ return next_state(IL_ICMP_TTIME, -1); }
+icmpseq		{ return next_state(IL_ICMP_SEQ, -1); }
+icmpid		{ return next_state(IL_ICMP_SEQ, -1); }
+\{	{ push_proto(); return next_item('{'); }
+\}	{ pop_proto(); return next_item('}'); }
 \.	{ return next_item(IL_DOT); }
-;	{ return next_item(IL_SEMICOLON); }
+;	{ return next_item(';'); }
 [0-9]+	{ return next_item(IL_NUMBER); }
 [0-9a-fA-F]	{ return next_item(IL_HEXDIGIT); }
 :	{ return next_item(IL_COLON); }
@ -117,6 +176,15 @@ reserv-1	{ return next_state(IL_IPS_RESERV1, -1); }
 [^ {}\n\t;]*	{ return next_item(IL_TOKEN); }
 \"[^\"]*\"	{ return next_item(IL_TOKEN); }
 %%
+void    yyerror(msg)
+char    *msg;
+{
+	fprintf(stderr, "%s error at \"%s\", line %d\n", msg, yytext,
+		lineNum + 1);
+	exit(1);
+}
+
+
 void push_proto()
 {
 	numpr++;
--- a/usr.sbin/ipf/ipsend/ipsend.1
+++ b/usr.sbin/ipf/ipsend/ipsend.1
@ -4,9 +4,9 @@ ipsend \- sends IP packets
 .SH SYNOPSIS
 .B ipsend
 [
-.B \-ITU
+.B \-dITUv
 ] [
-.B \-d
+.B \-i
 <interface>
 ] [
 .B \-f
@ -46,8 +46,8 @@ attempt at making a TCP connection using a with ipsend resending the SYN
 packet as per the command line options.
 .SH OPTIONS
 .TP
-.BR \-d \0<interface>
-Set the interface name to be the name supplied.
+.BR \-d
+enable debugging mode.
 .TP
 .BR \-f \0<offset>
 The \fI-f\fP allows the IP offset field in the IP header to be set to an
@ -58,6 +58,10 @@ Specify the hostname of the gateway through which to route packets.  This
 is required whenever the destination host isn't directly attached to the
 same network as the host from which you're sending.
 .TP
+.BR \-i \0<interface>
+Set the interface name to be the name supplied.
+.TP
+.TP
 .BR \-m \0<MTU>
 Specify the MTU to be used when sending out packets.  This option allows you
 to set a fake MTU, allowing the simulation of network interfaces with small
@ -91,6 +95,9 @@ Set the protocol to TCP.
 .TP
 .B \-U
 Set the protocol to UDP.
+.TP
+.BR \-d
+enable verbose mode.
 .DT
 .SH SEE ALSO
 ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
--- a/usr.sbin/ipf/ipsend/ipsend.5
+++ b/usr.sbin/ipf/ipsend/ipsend.5
@ -11,52 +11,73 @@ also allows encapsulation to be so done to an arbitary level.
 .nf
 line ::= iface | arp | send | defrouter | ipv4line .

-iface ::= ifhdr "{" ifaceopts "}" .
+iface ::= ifhdr "{" ifaceopts "}" ";" .
 ifhdr ::= "interface" | "iface" .
-ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr | "eaddr" eaddr .
+ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr |
+	      "eaddr" eaddr .

-send ::= "send" ";" | "send" "{" sendbodyopts "}" .
+send ::= "send" ";" | "send" "{" sendbodyopts "}" ";" .
 sendbodyopts ::= sendbody [ sendbodyopts ] .
 sendbody ::= "ifname" name | "via" ipaddr .

 defrouter ::= "router" ipaddr .

-arp ::= "arp" "{" arpbodyopts "}" .
+arp ::= "arp" "{" arpbodyopts "}" ";" .
 arpbodyopts ::= arpbody [ arpbodyopts ] .
 arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .

-ipv4line ::= "ipv4" "{" ipv4bodyopts "}" .
-ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] .
+bodyline ::= ipv4line | tcpline | udpline | icmpline | dataline .
+
+ipv4line ::= "ipv4" "{" ipv4bodyopts "}" ";" .
+ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] | bodyline .
 ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
-             "off" number | "v" number | "hl" number| "id" number |
-             "ttl" number | "tos" number | "sum" number | "len" number |
-             "opt" "{" ipv4optlist "}" | tcpline | udpline | icmpline |
-             ipv4line .
+	     "off" number | "v" number | "hl" number| "id" number |
+	     "ttl" number | "tos" number | "sum" number | "len" number |
+	     "opt" "{" ipv4optlist "}" ";" .
 ipv4optlist ::= ipv4option [ ipv4optlist ] .
 ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
-              "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
-              "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
-              "secclass" ipv4secclass.
+	      "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
+	      "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
+	      "secclass" ipv4secclass.
 ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
-                "reserv-3" | "reserv-4" | "secret" | "topsecret" .
+		"reserv-3" | "reserv-4" | "secret" | "topsecret" .

-tcpline ::= "tcp" "{" tcpbodyopts "}" .
-tcpbodyopts ::= tcpbody [ tcpbodyopts ] .
+tcpline ::= "tcp" "{" tcpbodyopts "}" ";" .
+tcpbodyopts ::= tcpbody [ tcpbodyopts ] | bodyline .
 tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
-            "off" number | "urp" number | "win" number | "sum" number |
-            "flags" tcpflags | data .
+	    "off" number | "urp" number | "win" number | "sum" number |
+	    "flags" tcpflags | data .

-udpline ::= "udp" "{" udpbodyopts "}" .
-udpbodyopts ::= udpbody [ udpbodyopts ] .
+udpline ::= "udp" "{" udpbodyopts "}" ";" .
+udpbodyopts ::= udpbody [ udpbodyopts ] | bodyline .
 udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
-            data .
+	    data .

-icmpline ::= "icmp" "{" icmpbodyopts "}" .
-icmpbodyopts ::= icmpbody [ icmpbodyopts ] .
-icmpbody ::= "type" icmptype [ typeopts ] [ "code" icmpcode ] .
-icmptype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
-             "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
-             "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
+icmpline ::= "icmp" "{" icmpbodyopts "}" ";" .
+icmpbodyopts ::= icmpbody [ icmpbodyopts ] | bodyline .
+icmpbody ::= "type" icmptype [ "code" icmpcode ] .
+icmptype ::= "echorep" | "echorep" "{" echoopts "}" ";" | "unreach" |
+	     "unreach" "{" unreachtype "}" ";" | "squench" | "redir" |
+	     "redir" "{" redirtype "}" ";" | "echo" "{" echoopts "}" ";" |
+	     "echo" | "routerad" | "routersol" | "timex" |
+	     "timex" "{" timextype "}" ";" | "paramprob" |
+	     "paramprob" "{" parapptype "}" ";" | "timest" | "timestrep" |
+	     "inforeq" | "inforep" | "maskreq" | "maskrep" .
+
+echoopts ::= echoopts [ icmpechoopts ] .
+unreachtype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
+	     "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
+	     "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
+	     "filter-prohib" | "host-preced" | "cutoff-preced" .
+redirtype ::= "net-redir" | "host-redir" | "tos-net-redir" |
+	      "tos-host-redir" .
+timextype ::= "intrans" | "reass" .
+paramptype ::= "optabsent" .
+
+data	::= "data" "{" databodyopts "}" ";" .
+databodyopts ::= "len" number | "value" string | "file" filename .
+
+icmpechoopts ::= "icmpseq" number | "icmpid" number .
 .fi
 .SH COMMANDS
 .PP
@ -136,6 +157,69 @@ is used to indicate the a ICMP protocol header is to follow.  See the
 .B data
 is used to indicate that raw data is to be included in the IP packet.  See the
 \fBDATA\fP section for details on options available.
+.SH "IPv4 Options"
+these keywords indicate that the releveant IP option should be added to the
+IP header (the header length field will be adjusted appropriately).
+.TP
+.B nop
+No Operation [RFC 791] (space filler).
+.TP
+.B rr <number>
+Record Router [RFC 791].  The number given specifies the number of
+\fBbytes\fP to be used for storage.  This should be a multiple of 4 for
+proper operation.
+.TP
+.B zsu
+Experimental Measurement.
+.TP
+.B mtup [RFC 1191].
+MTU Probe.
+.TP
+.B mtur [RFC 1191].
+MTU Ready.
+.TP
+.B encode
+.TP
+.B ts
+Timestamp [RFC 791].
+.TP
+.B tr
+Traceroute [RFC 1393].
+.TP
+.B "sec-class <security-level>, sec"
+Security [RFC 1108].  This option specifies the security label for the packet.
+Using \fBsec\fP sets up the framework of the security option but unless
+\fBsec-class\fP is given, the level may not be set.
+.TP
+.B "lsrr <ip-address>"
+Loose Source Route [RFC 791].
+.TP
+.B e-sec
+Extended Security [RFC 1108].
+.TP
+.B cipso
+Commercial Security.
+.TP
+.B satid
+Stream ID [RFC 791].
+.TP
+.B "ssrr <ip-address>"
+Strict Source Route [RFC 791].
+.TP
+.B addext
+Address Extension
+.TP
+.B visa
+Expermental Access Control.
+.TP
+.B imitd
+IMI Traffic Descriptor.
+.TP
+.B eip
+[RFC 1358].
+.TP
+.B finn
+Experimental Flow Control.
 .SH TCP
 .TP
 .B sport <port>
@ -177,6 +261,13 @@ TCP header, the \fBoff\fP field is updated to match.
 .B data
 indicates that a data section is to follow and is to be included as raw
 data, being appended to the header.
+.SH "TCP options"
+With a TCP header, it is possible to append a number of header options.
+The TCP header offset will be updated automatically to reflect the change
+in size.  The valid options are: \fBnop\fP No Operation,
+\fBeol\fP End Of (option) List, \fBmss [ size ]\fP Maximum Segment Size - this
+sets the maximum receivable size of a packet containing data,
+\fBwscale\fP Window Scale, \fBts\fP Timestamp.
 .SH UDP
 .TP
 .B sport <port>
@ -201,7 +292,7 @@ data, being appended to the header.
 .TP
 .B type <icmptype>
 sets the ICMP type according the to the icmptype tag.  This may either be
-a number or one of the recognised tags (see the ICMP TYPES section for a
+a number or one of the recognised tags (see the \fBICMP TYPES\fP section for a
 list of names recognised).
 .TP
 .B code <icmpcode>
@ -229,6 +320,77 @@ octal numbers.
 .B file <filename>
 reads data in from the specified file and appends it to the current packet.
 If the new total length would exceed 64k, an error will be reported.
+.SH "ICMP TYPES"
+.TP
+.B echorep
+Eecho Reply.
+.TP
+.B "unreach [ unreachable-code ]"
+Generic Unreachable error.  This is used to indicate that an error has
+occurred whilst trying to send the packet across the network and that the
+destination cannot be reached.  The unreachable code names are:
+\fBnet-unr\fP network unreachable, \fBhost-unr\fP host unreachable,
+\fBproto-unr\fP protocol unreachable, \fBport-unr\fP port unreachable,
+\fBneedfrag\fP, \fBsrcfail\fP source route failed,
+\fBnet-unk\fP network unknown, \fBhost-unk\fP host unknown,
+\fBisolate\fP, \fBnet-prohib\fP administratively prohibited contact with
+network,
+\fBhost-prohib\fP administratively prohibited contact with host,
+\fBnet-tos\fP network unreachable with given TOS,
+\fBhost-tos\fP host unreachable with given TOS,
+\fBfilter-prohib\fP packet prohibited by packet filter,
+\fBhost-preced\fP,
+\fBcutoff-preced\fP.
+.TP
+.B squench
+Source Quence.
+.TP
+.B "redir [ redirect-code ]"
+Redirect (routing).  This is used to indicate that the route being chosen
+for forwarding the packet is suboptimal and that the sender of the packet
+should be routing packets via another route.  The redirect code names are:
+\fBnet-redir\fP redirect packets for a network,
+\fBhost-redir\fP redirect packets for a host,
+\fBtos-net-redir\fP redirect packets for a network with a given TOS,
+\fBtos-host-redir\fP redirect packets for a host with a given TOS.
+.TP
+.B echo
+Echo.
+.TP
+.B routerad
+Router Advertisment.
+.TP
+.B routersol
+Router solicitation.
+.TP
+.B "timex [ timexceed-code ]"
+Time Exceeded.  This is used to indicate that the packet failed to reach the
+destination because it was in transit too long (i.e. ttl reached 0).  The
+valid code names are: \fBintrans\fP,
+\fBreass\fP could not reassemble packet from fragments within a given time.
+.TP
+.B "paramprob [ paramprob-code ]"
+Parameter problem.  There is only one available parameter problem code name:
+\fBoptabsent\fP.
+.TP
+.B timest
+Time stamp request.
+.TP
+.B "timestrep [ { timestamp-code } ]"
+Time stamp reply.  In a timestamp reply, it is possible to supply the
+following values: \fBrtime\fP, \fBotime\fP, \fBttime\fP.
+.TP
+.B inforeq
+Information request.
+.TP
+.B inforep
+Information reply.
+.TP
+.B maskreq
+Address mask request.
+.TP
+.B maskrep
+Address mask reply.
 .SH FILES
 /etc/protocols
 /etc/services
--- a/usr.sbin/ipf/ipsend/tcpip.h
+++ b/usr.sbin/ipf/ipsend/tcpip.h
@ -1,4 +1,4 @@
-/*	$NetBSD: tcpip.h,v 1.1.1.1 1997/09/21 16:49:15 veego Exp $	*/
+/*	$NetBSD: tcpip.h,v 1.1.1.2 1997/10/30 05:30:07 mrg Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1993
@ -33,7 +33,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)tcpip.h	8.1 (Berkeley) 6/10/93
- * Id: tcpip.h,v 2.0.2.2 1997/05/28 13:49:45 darrenr Exp 
+ * Id: tcpip.h,v 2.0.2.3 1997/09/17 10:55:58 darrenr Exp 
 */

 #ifndef _NETINET_TCPIP_H_
@ -44,7 +44,11 @@
 */
 struct tcpiphdr {
 	struct 	ipovly ti_i;		/* overlaid ip structure */
+#ifdef	linux
+	tcphdr_t	ti_t;
+#else
 	struct	tcphdr ti_t;		/* tcp header */
+#endif
 };
 #ifdef notyet
 /*
--- a/usr.sbin/ipf/rules/BASIC.NAT
+++ b/usr.sbin/ipf/rules/BASIC.NAT
@ -0,0 +1,45 @@
+#!/sbin/ipnat -f -
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# If we have only 1 valid IP address from our ISP, then we do this:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
+map ppp0 w.x.y.z/24 -> a.b.c.d/32
+#
+# if we get a different dialup IP address each time, then we would use:
+#
+#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> 0/32
+#
+# If we have a class C address space of valid IP#'s from our ISP, then we can
+# do this:
+#
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.z/24 -> a.b.c.d/24
+#
+# or, if we only have a small number of PC's, this:
+#
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.v/32 -> a.b.c.E/32
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.u/32 -> a.b.c.F/32
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.t/32 -> a.b.c.G/32
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.s/32 -> a.b.c.H/32
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.r/32 -> a.b.c.I/32
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.q/32 -> a.b.c.J/32
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
+#map ppp0 w.x.y.p/32 -> a.b.c.K/32
+#
+# To make ftp work, using the internal ftp proxy, use:
+#
+map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
+#
--- a/usr.sbin/ipf/rules/BASIC_1.FW
+++ b/usr.sbin/ipf/rules/BASIC_1.FW
@ -0,0 +1,99 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: RESTRICTIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block in log proto tcp all flags S/SA head 101 group 100 
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block in log proto tcp all flags S/SA head 201 group 200 
+block in log proto udp all head 202 group 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.0.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Allow outgoing DNS requests (no named on firewall)
+#
+pass in quick proto udp from any to any port = 53 keep state group 202
+#
+# If we were running named on the firewall and all internal hosts talked to
+# it, we'd use the following:
+#
+#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
+#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
+#
+# Allow outgoing FTP from any internal host to any external FTP server.
+#
+pass in quick proto tcp from any to any port = ftp keep state group 201
+pass in quick proto tcp from any to any port = ftp-data keep state group 201
+pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
+#
+# Allow NTP from any internal host to any external NTP server.
+#
+pass in quick proto udp from any to any port = ntp keep state group 202
+#
+# Allow outgoing connections: SSH, TELNET, WWW
+#
+pass in quick proto tcp from any to any port = 22 keep state group 201
+pass in quick proto tcp from any to any port = telnet keep state group 201
+pass in quick proto tcp from any to any port = www keep state group 201
+#
+#-------------------------------------------------------
+block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
+#
+# Allow incoming to the external firewall interface: mail, WWW, DNS
+#
+pass in log quick proto tcp from any to any port = smtp keep state group 110
+pass in log quick proto tcp from any to any port = www keep state group 110
+pass in log quick proto tcp from any to any port = 53 keep state group 110
+pass in log quick proto udp from any to any port = 53 keep state group 100
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
--- a/usr.sbin/ipf/rules/BASIC_2.FW
+++ b/usr.sbin/ipf/rules/BASIC_2.FW
@ -0,0 +1,72 @@
+#!/sbin/ipf -f -
+#
+# SAMPLE: PERMISSIVE FILTER RULES
+#
+# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.2
+#
+# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
+#
+# ed0 - (internal) network interface, address w.x.y.z/32
+#
+# This file contains the basic rules needed to construct a firewall for the
+# above situation.
+#
+#-------------------------------------------------------
+# *Nasty* packets we don't want to allow near us at all!
+# short packets which are packets fragmented too short to be real.
+block in log quick all with short
+#-------------------------------------------------------
+# Group setup.
+# ============
+# By default, block and log everything.  This maybe too much logging
+# (especially for ed0) and needs to be further refined.
+#
+block in log on ppp0 all head 100
+block out log on ppp0 all head 150
+block in log on ed0 from w.x.y.z/24 to any head 200
+block out log on ed0 all head 250
+#-------------------------------------------------------
+# Invalid Internet packets.
+# =========================
+#
+# Deny reserved addresses.
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.0.0.0/16 to any group 100
+#
+# Prevent IP spoofing.
+#
+block in log quick from a.b.c.d/24 to any group 100
+#
+#-------------------------------------------------------
+# Localhost packets.
+# ==================
+# packets going in/out of network interfaces that aren't on the loopback
+# interface should *NOT* exist.
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from any to 127.0.0.0/8 group 100
+block in log quick from 127.0.0.0/8 to any group 200
+block in log quick from any to 127.0.0.0/8 group 200
+# And of course, make sure the loopback allows packets to traverse it.
+pass in quick on lo0 all
+pass out quick on lo0 all
+#-------------------------------------------------------
+# Allow any communication between the inside network and the outside only.
+#
+# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
+#
+pass in log quick proto tcp all SA flags S/SA keep state group 200 
+#
+# Support all UDP `connections' initiated from inside.
+#
+# Allow ping out
+#
+pass in log quick proto icmp all keep state group 200
+#-------------------------------------------------------
+# Log these:
+# ==========
+# * return RST packets for invalid SYN packets to help the other end close
+block return-rst in log proto tcp from any to any flags S/SA group 100
+# * return ICMP error packets for invalid UDP packets
+block return-icmp(net-unr) in proto udp all group 100
--- a/usr.sbin/ipf/rules/Makefile
+++ b/usr.sbin/ipf/rules/Makefile
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.1.1.1 1997/09/21 16:49:25 veego Exp $
+#	$NetBSD: Makefile,v 1.1.1.2 1997/10/30 05:31:07 mrg Exp $

 FILESDIR= /usr/share/samples/ipf

--- a/usr.sbin/ipf/rules/example.10
+++ b/usr.sbin/ipf/rules/example.10
@ -1,8 +1,8 @@
 #
 # pass ack packets (ie established connection)
 #
-pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
-pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
+pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
 #
 # block incoming connection requests to my internal network from the big bad
 # internet.