Import IPFilter 4.1.6

2005-02-19 21:26:02 +00:00 · 2005-02-19 21:26:02 +00:00 · 76b5d9e30f
parent 6cc7a7474f
commit 76b5d9e30f
26 changed files with 190 additions and 87 deletions
--- a/dist/ipf/ip_irc_pxy.c
+++ b/dist/ipf/ip_irc_pxy.c
@ -1,11 +1,11 @@
-/*	$NetBSD: ip_irc_pxy.c,v 1.1.1.3 2005/02/08 06:52:59 martti Exp $	*/
+/*	$NetBSD: ip_irc_pxy.c,v 1.1.1.4 2005/02/19 21:26:02 martti Exp $	*/

 /*
 * Copyright (C) 2000-2003 Darren Reed
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Id: ip_irc_pxy.c,v 2.39.2.3 2004/12/09 19:40:59 darrenr Exp
+ * Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
 */

 #define	IPF_IRC_PROXY
@ -399,6 +399,8 @@ nat_t *nat;
 		tcp2->th_win = htons(8192);
 		tcp2->th_sport = sp;
 		tcp2->th_dport = 0; /* XXX - don't specify remote port */
+		fi.fin_state = NULL;
+		fi.fin_nat = NULL;
 		fi.fin_data[0] = ntohs(sp);
 		fi.fin_data[1] = 0;
 		fi.fin_dp = (char *)tcp2;
@ -414,6 +416,8 @@ nat_t *nat;
 			nat_update(&fi, nat2, nat2->nat_ptr);

 			(void) fr_addstate(&fi, NULL, SI_W_DPORT);
+			if (fi.fin_state != NULL)
+				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
 		ip->ip_src = swip;
 	}
--- a/dist/ipf/ip_pool.c
+++ b/dist/ipf/ip_pool.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_pool.c,v 1.1.1.3 2005/02/08 06:53:01 martti Exp $	*/
+/*	$NetBSD: ip_pool.c,v 1.1.1.4 2005/02/19 21:26:06 martti Exp $	*/

 /*
 * Copyright (C) 1993-2001, 2003 by Darren Reed.
@ -79,7 +79,7 @@ static int rn_freenode __P((struct radix_node *, void *));

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.11 2004/10/17 15:49:14 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
 #endif

 #ifdef IPFILTER_LOOKUP
@ -307,7 +307,11 @@ iplookupop_t *op;
 		for (i = 0; i < IPL_LOGSIZE; i++)
 			stats.ipls_list[i] = ip_pool_list[i];
 	} else if (unit >= 0 && unit < IPL_LOGSIZE) {
-		stats.ipls_list[unit] = ip_pool_list[unit];
+		if (op->iplo_name[0] != '\0')
+			stats.ipls_list[unit] = ip_pool_find(unit,
+							     op->iplo_name);
+		else
+			stats.ipls_list[unit] = ip_pool_list[unit];
 	} else
 		err = EINVAL;
 	if (err == 0)
@ -332,7 +336,7 @@ char *name;
 	ip_pool_t *p;

 	for (p = ip_pool_list[unit]; p != NULL; p = p->ipo_next)
-		if (strcmp(p->ipo_name, name) == 0)
+		if (strncmp(p->ipo_name, name, sizeof(p->ipo_name)) == 0)
 			break;
 	return p;
 }
@ -532,7 +536,8 @@ iplookupop_t *op;
 #endif

 		for (p = ip_pool_list[unit]; p != NULL; ) {
-			if (strcmp(name, p->ipo_name) == 0) {
+			if (strncmp(name, p->ipo_name,
+				    sizeof(p->ipo_name)) == 0) {
 				poolnum++;
 #if defined(SNPRINTF) && defined(_KERNEL)
 				SNPRINTF(name, sizeof(name), "%x", poolnum);
--- a/dist/ipf/ip_rpcb_pxy.c
+++ b/dist/ipf/ip_rpcb_pxy.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_rpcb_pxy.c,v 1.1.1.3 2005/02/08 06:53:01 martti Exp $	*/
+/*	$NetBSD: ip_rpcb_pxy.c,v 1.1.1.4 2005/02/19 21:26:08 martti Exp $	*/

 /*
 * Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
@ -39,7 +39,7 @@
 *   o The enclosed hack of STREAMS support is pretty sick and most likely
 *     broken.
 *
- *	Id: ip_rpcb_pxy.c,v 2.25.2.2 2004/12/09 19:41:00 darrenr Exp
+ *	Id: ip_rpcb_pxy.c,v 2.25.2.3 2005/02/04 10:22:56 darrenr Exp
 */

 #define	IPF_RPCB_PROXY
@ -1272,6 +1272,8 @@ ippr_rpcb_getnat(fin, nat, proto, port)
 			 */
 			return(-1);
 		}
+		if (fi.fin_state != NULL)
+			fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 	}

 	return(0);
--- a/dist/ipf/ip_scan.c
+++ b/dist/ipf/ip_scan.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_scan.c,v 1.1.1.2 2005/02/08 06:53:01 martti Exp $	*/
+/*	$NetBSD: ip_scan.c,v 1.1.1.3 2005/02/19 21:26:08 martti Exp $	*/

 /*
 * Copyright (C) 1995-2001 by Darren Reed.
@ -60,7 +60,7 @@ struct file;

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.1 2004/12/09 19:41:01 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
 #endif

 #ifdef	IPFILTER_SCAN	/* endif at bottom of file */
@ -525,15 +525,16 @@ ipstate_t *is;
 	 */
 	s0 = is->is_s0[rv];
 	off = seq - s0;
-	if ((seq > s0 + 15) || (off < 0))
+	if ((off > 15) || (off < 0))
 		return 1;
 	thoff = TCP_OFF(tcp) << 2;
 	dlen = fin->fin_dlen - thoff;
 	if (dlen <= 0)
 		return 1;
-	seq += dlen;
-	if (seq > s0 + 15)
-		dlen -= (seq - (s0 + 15));
+	if (dlen > 16)
+		dlen = 16;
+	if (off + dlen > 16)
+		dlen = 16 - off;

 	j = 0xffff >> (16 - dlen);
 	i = (0xffff & j) << off;
--- a/dist/ipf/lib/load_hash.c
+++ b/dist/ipf/lib/load_hash.c
@ -1,11 +1,11 @@
-/*	$NetBSD: load_hash.c,v 1.1.1.1 2004/03/28 08:56:19 martti Exp $	*/
+/*	$NetBSD: load_hash.c,v 1.1.1.2 2005/02/19 21:26:47 martti Exp $	*/

 /*
 * Copyright (C) 2002 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Id: load_hash.c,v 1.11.2.1 2004/03/06 14:33:28 darrenr Exp
+ * Id: load_hash.c,v 1.11.2.2 2005/02/01 02:44:05 darrenr Exp
 */

 #include <fcntl.h>
@ -32,8 +32,6 @@ ioctlfunc_t iocfunc;
 		hashfd = open(IPLOOKUP_NAME, O_RDWR);
 	if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0))
 		return -1;
-	if (list == NULL)
-		return 0;

 	for (n = 0, a = list; a != NULL; a = a->ipe_next)
 		n++;
@ -50,10 +48,17 @@ ioctlfunc_t iocfunc;
 	iph.iph_type = iphp->iph_type;
 	strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name));
 	iph.iph_flags = iphp->iph_flags;
+	if (n <= 0)
+		n = 1;
 	if (iphp->iph_size == 0)
 		size = n * 2 - 1;
 	else
 		size = iphp->iph_size;
+	if ((list == NULL) && (size == 1)) {
+		fprintf(stderr,
+			"WARNING: empty hash table %s, recommend setting %s\n",
+			iphp->iph_name, "size to match expected use");
+	}
 	iph.iph_size = size;
 	iph.iph_seed = iphp->iph_seed;
 	iph.iph_table = NULL;
@ -81,7 +86,7 @@ ioctlfunc_t iocfunc;
 			return -1;
 		}
 		iph.iph_table[0] = list;
-		printhash(&iph, bcopywrap, opts);
+		printhash(&iph, bcopywrap, iph.iph_name, opts);
 		free(iph.iph_table);

 		for (a = list; a != NULL; a = a->ipe_next) {
--- a/dist/ipf/lib/load_pool.c
+++ b/dist/ipf/lib/load_pool.c
@ -1,11 +1,11 @@
-/*	$NetBSD: load_pool.c,v 1.1.1.1 2004/03/28 08:56:19 martti Exp $	*/
+/*	$NetBSD: load_pool.c,v 1.1.1.2 2005/02/19 21:26:47 martti Exp $	*/

 /*
 * Copyright (C) 2002 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Id: load_pool.c,v 1.14.2.1 2004/03/06 14:33:29 darrenr Exp
+ * Id: load_pool.c,v 1.14.2.2 2005/02/01 02:44:06 darrenr Exp
 */

 #include <fcntl.h>
@ -51,7 +51,7 @@ ioctlfunc_t iocfunc;

 	if ((opts & OPT_VERBOSE) != 0) {
 		pool.ipo_list = plp->ipo_list;
-		printpool(&pool, bcopywrap, opts);
+		printpool(&pool, bcopywrap, pool.ipo_name, opts);
 		pool.ipo_list = NULL;
 	}

--- a/dist/ipf/lib/printhash.c
+++ b/dist/ipf/lib/printhash.c
@ -1,4 +1,4 @@
-/*	$NetBSD: printhash.c,v 1.1.1.1 2004/03/28 08:56:20 martti Exp $	*/
+/*	$NetBSD: printhash.c,v 1.1.1.2 2005/02/19 21:26:48 martti Exp $	*/

 /*
 * Copyright (C) 2002 by Darren Reed.
@ -12,19 +12,23 @@
 #define	FPRINTF	(void)fprintf


-iphtable_t *printhash(hp, copyfunc, opts)
+iphtable_t *printhash(hp, copyfunc, name, opts)
 iphtable_t *hp;
 copyfunc_t copyfunc;
+char *name;
 int opts;
 {
 	iphtent_t *ipep, **table;
 	iphtable_t iph;
+	int i, printed;
 	size_t sz;
-	int i;

 	if ((*copyfunc)((char *)hp, (char *)&iph, sizeof(iph)))
 		return NULL;

+	if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN))
+		return iph.iph_next;
+
 	if ((opts & OPT_DEBUG) == 0) {
 		if ((iph.iph_type & IPHASH_ANON) == IPHASH_ANON)
 			PRINTF("# 'anonymous' table\n");
@ -122,11 +126,14 @@ int opts;
 	if ((*copyfunc)((char *)iph.iph_table, (char *)table, sz))
 		return NULL;

-	for (i = 0; i < iph.iph_size; i++) {
+	for (i = 0, printed = 0; i < iph.iph_size; i++) {
 		for (ipep = table[i]; ipep != NULL; ) {
 			ipep = printhashnode(&iph, ipep, copyfunc, opts);
+			printed++;
 		}
 	}
+	if (printed == 0)
+		putchar(';');

 	free(table);

--- a/dist/ipf/lib/printnat.c
+++ b/dist/ipf/lib/printnat.c
@ -1,4 +1,4 @@
-/*	$NetBSD: printnat.c,v 1.1.1.3 2005/02/08 06:53:17 martti Exp $	*/
+/*	$NetBSD: printnat.c,v 1.1.1.4 2005/02/19 21:26:49 martti Exp $	*/

 /*
 * Copyright (C) 1993-2001 by Darren Reed.
@ -13,9 +13,10 @@


 #if !defined(lint)
-static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.6 2004/10/17 06:45:22 darrenr Exp";
+static const char rcsid[] = "@(#)Id: printnat.c,v 1.22.2.8 2005/01/12 03:39:04 darrenr Exp";
 #endif

+static void printproto __P((ipnat_t *, struct protoent *));

 /*
 * Print out a NAT rule
@ -107,18 +108,7 @@ int opts;
 			else
 				printf(" port %d", ntohs(np->in_pnext));
 		}
-		if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
-			printf(" tcp/udp");
-		else if ((np->in_flags & IPN_TCP) == IPN_TCP)
-			printf(" tcp");
-		else if ((np->in_flags & IPN_UDP) == IPN_UDP)
-			printf(" udp");
-		else if (np->in_p == 0)
-			printf(" ip");
-		else if (pr != NULL)
-			printf(" %s", pr->p_name);
-		else
-			printf(" %d", np->in_p);
+		printproto(np, pr);
 		if (np->in_flags & IPN_ROUNDR)
 			printf(" round-robin");
 		if (np->in_flags & IPN_FRAG)
@ -192,14 +182,7 @@ int opts;
 			} else {
 				printf(" portmap");
 			}
-			if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
-				printf(" tcp/udp");
-			else if (np->in_flags & IPN_TCP)
-				printf(" tcp");
-			else if (np->in_flags & IPN_UDP)
-				printf(" udp");
-			else if (np->in_flags & IPN_ICMPQUERY)
-				printf(" icmp");
+			printproto(np, pr);
 			if (np->in_flags & IPN_AUTOPORTMAP) {
 				printf(" auto");
 				if (opts & OPT_DEBUG)
@ -211,7 +194,9 @@ int opts;
 				printf(" %d:%d", ntohs(np->in_pmin),
 				       ntohs(np->in_pmax));
 			}
-		}
+		} else if (np->in_flags & IPN_TCPUDP || np->in_p)
+			printproto(np, pr);
+
 		if (np->in_flags & IPN_FRAG)
 			printf(" frag");
 		if (np->in_age[0] != 0 || np->in_age[1] != 0) {
@ -242,3 +227,21 @@ int opts;
 			np->in_tqehead[0], np->in_tqehead[1], np->in_comment);
 	}
 }
+
+static void printproto(np, pr)
+ipnat_t *np;
+struct protoent *pr;
+{
+	if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+		printf(" tcp/udp");
+	else if (np->in_flags & IPN_TCP)
+		printf(" tcp");
+	else if (np->in_flags & IPN_UDP)
+		printf(" udp");
+	else if (np->in_flags & IPN_ICMPQUERY)
+		printf(" icmp");
+	else if (pr != NULL)
+		printf(" %s", pr->p_name);
+	else
+		printf(" %d", np->in_p);
+}
--- a/dist/ipf/lib/printpool.c
+++ b/dist/ipf/lib/printpool.c
@ -1,4 +1,4 @@
-/*	$NetBSD: printpool.c,v 1.1.1.1 2004/03/28 08:56:20 martti Exp $	*/
+/*	$NetBSD: printpool.c,v 1.1.1.2 2005/02/19 21:26:49 martti Exp $	*/

 /*
 * Copyright (C) 2002 by Darren Reed.
@ -11,9 +11,10 @@
 #define	PRINTF	(void)printf
 #define	FPRINTF	(void)fprintf

-ip_pool_t *printpool(pp, copyfunc, opts)
+ip_pool_t *printpool(pp, copyfunc, name, opts)
 ip_pool_t *pp;
 copyfunc_t copyfunc;
+char *name;
 int opts;
 {
 	ip_pool_node_t *ipnp, *ipnpn, ipn;
@ -22,6 +23,9 @@ int opts;
 	if ((*copyfunc)(pp, &ipp, sizeof(ipp)))
 		return NULL;

+	if ((name != NULL) && strncmp(name, ipp.ipo_name, FR_GROUPLEN))
+		return ipp.ipo_next;
+
 	if ((opts & OPT_DEBUG) == 0) {
 		if ((ipp.ipo_flags & IPOOL_ANON) != 0)
 			PRINTF("# 'anonymous' tree %s\n", ipp.ipo_name);
@ -85,11 +89,15 @@ int opts;
 		ipp.ipo_list = ipnp;
 	}

-	for (ipnp = ipp.ipo_list; ipnp != NULL; ) {
-		ipnp = printpoolnode(ipnp, opts);
+	if (ipp.ipo_list == NULL) {
+		putchar(';');
+	} else {
+		for (ipnp = ipp.ipo_list; ipnp != NULL; ) {
+			ipnp = printpoolnode(ipnp, opts);

-		if ((opts & OPT_DEBUG) == 0) {
-			putchar(';');
+			if ((opts & OPT_DEBUG) == 0) {
+				putchar(';');
+			}
 		}
 	}

--- a/dist/ipf/lib/printstate.c
+++ b/dist/ipf/lib/printstate.c
@ -1,4 +1,4 @@
-/*	$NetBSD: printstate.c,v 1.1.1.2 2005/02/08 06:53:17 martti Exp $	*/
+/*	$NetBSD: printstate.c,v 1.1.1.3 2005/02/19 21:26:49 martti Exp $	*/

 /*
 * Copyright (C) 2002 by Darren Reed.
@ -49,10 +49,12 @@ u_long now;
 		printsbuf(ips.is_sbuf[1]);
 		PRINTF("]\n");
 #endif
-	} else if (ips.is_p == IPPROTO_UDP)
+	} else if (ips.is_p == IPPROTO_UDP) {
 		PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport),
 			ntohs(ips.is_dport));
-	else if (ips.is_p == IPPROTO_ICMP
+	} else if (ips.is_p == IPPROTO_GRE) {
+		PRINTF(" call %hu\n", ips.is_gre.gs_call);
+	} else if (ips.is_p == IPPROTO_ICMP
 #ifdef	USE_INET6
 		 || ips.is_p == IPPROTO_ICMPV6
 #endif
--- a/dist/ipf/test/expected/in6
+++ b/dist/ipf/test/expected/in6
@ -0,0 +1,3 @@
+map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
+map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
+map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
--- a/dist/ipf/test/expected/ip1
+++ b/dist/ipf/test/expected/ip1
@ -1,3 +1,5 @@
+table role = ipf type = tree number = 1
+	{; };
 table role = ipf type = tree number = 100
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
 table role = ipf type = tree number = 110
@ -6,6 +8,8 @@ table role = ipf type = tree number = 120
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
 table role = ipf type = tree number = 130
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
+table role = ipf type = hash number = 2 size = 1
+	{; };
 table role = ipf type = hash number = 200 size = 5
 	{ 0/0; 1/32; 1.2.3.4/32; };
 table role = nat type = hash number = 210 size = 5
--- a/dist/ipf/test/regress/in6
+++ b/dist/ipf/test/regress/in6
@ -0,0 +1,3 @@
+map foo0 from any port = 1 to any port != 0 -> 0/32 udp
+map foo0 from any port < 1 to any port > 0 -> 0/32 tcp
+map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
--- a/dist/ipf/test/regress/ip1
+++ b/dist/ipf/test/regress/ip1
@ -1,5 +1,7 @@
 #:%s/ \(number = [0-9]*\) \(type = [a-z]*\)/ \2 \1/g

+table role = ipf type = tree number = 1
+	{; };
 table role = ipf type = tree number = 100
 	{ 1.2.3.4/32; !2.2.0.0/16; 2.2.2.0/24; };
 table role = nat type = tree number = 110
@ -9,6 +11,8 @@ table role = auth type = tree number = 120
 table role = count type = tree number = 130
 	{ 1.2.3.4; !2.2.0.0/16; 2.2.2.0/24; };

+table role = ipf type = hash number = 2
+	{; };
 table role = ipf type = hash number = 200
 	{ 0/0; 1/32; 1.2.3.4/32; };
 table role = nat type = hash number = 210
--- a/dist/ipf/test/test.format
+++ b/dist/ipf/test/test.format
@ -38,6 +38,7 @@ in2 text text
 in3 text text
 in4 text text
 in5 text text
+in6 text text
 ip1 text text
 ipv6.1 hex hex
 ipv6.2 hex hex
--- a/dist/ipf/tools/ipftest.c
+++ b/dist/ipf/tools/ipftest.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipftest.c,v 1.1.1.2 2004/07/23 05:34:50 martti Exp $	*/
+/*	$NetBSD: ipftest.c,v 1.1.1.3 2005/02/19 21:27:02 martti Exp $	*/

 /*
 * Copyright (C) 1993-2001 by Darren Reed.
@ -12,7 +12,7 @@

 #if !defined(lint)
 static const char sccsid[] = "@(#)ipt.c	1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ipftest.c,v 1.44.2.2 2004/04/28 17:56:21 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ipftest.c,v 1.44.2.3 2005/02/01 02:41:24 darrenr Exp";
 #endif

 extern	char	*optarg;
@ -653,12 +653,12 @@ void dumplookups()
 	printf("List of configured pools\n");
 	for (i = 0; i < IPL_LOGSIZE; i++)
 		for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
-			printpool(ipl, bcopywrap, opts);
+			printpool(ipl, bcopywrap, NULL, opts);

 	printf("List of configured hash tables\n");
 	for (i = 0; i < IPL_LOGSIZE; i++)
 		for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
-			printhash(iph, bcopywrap, opts);
+			printhash(iph, bcopywrap, NULL, opts);
 }


--- a/dist/ipf/tools/ippool_y.y
+++ b/dist/ipf/tools/ippool_y.y
@ -1,4 +1,4 @@
-/*	$NetBSD: ippool_y.y,v 1.1.1.1 2004/03/28 08:56:35 martti Exp $	*/
+/*	$NetBSD: ippool_y.y,v 1.1.1.2 2005/02/19 21:27:05 martti Exp $	*/

 %{
 #include <sys/types.h>
@ -148,7 +148,7 @@ role:
 	;

 ipftree:
-	IPT_TYPE '=' IPT_TREE number '{' addrlist '}'
+	IPT_TYPE '=' IPT_TREE number start addrlist end
 					{ strncpy(iplo.ipo_name, $4,
 						  sizeof(iplo.ipo_name));
 					  $$ = $6;
@ -156,7 +156,7 @@ ipftree:
 	;

 ipfhash:
-	IPT_TYPE '=' IPT_HASH number hashopts '{' hashlist '}'
+	IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
 					{ strncpy(ipht.iph_name, $4,
 						  sizeof(ipht.iph_name));
 					  $$ = $7;
@ -164,7 +164,7 @@ ipfhash:
 	;

 ipfgroup:
-	setgroup hashopts '{' grouplist '}'
+	setgroup hashopts start grouplist end
 					{ iphtent_t *e;
 					  for (e = $4; e != NULL;
 					       e = e->ipe_next)
@ -174,7 +174,7 @@ ipfgroup:
 								FR_GROUPLEN);
 					  $$ = $4;
 					}
-	| hashopts '{' setgrouplist '}'		{ $$ = $3; }
+	| hashopts start setgrouplist end		{ $$ = $3; }
 	;

 number:	IPT_NUM '=' YY_NUMBER			{ sprintf(poolname, "%u", $3);
@ -202,13 +202,15 @@ hashopts:
 	;

 addrlist:
-	range ';' addrlist		{ $1->ipn_next = $3; $$ = $1; }
-	| range ';'			{ $$ = $1; }
+	next				{ $$ = NULL; }
+	| range next addrlist		{ $1->ipn_next = $3; $$ = $1; }
+	| range next			{ $$ = $1; }
 	;

 grouplist:
-	groupentry ';' grouplist	{ $$ = $1; $1->ipe_next = $3; }
-	| addrmask ';' grouplist	{ $$ = calloc(1, sizeof(iphtent_t));
+	next				{ $$ = NULL; }
+	| groupentry next grouplist	{ $$ = $1; $1->ipe_next = $3; }
+	| addrmask next grouplist	{ $$ = calloc(1, sizeof(iphtent_t));
 					  bcopy((char *)&($1[0]),
 						(char *)&($$->ipe_addr),
 						sizeof($$->ipe_addr));
@ -217,8 +219,8 @@ grouplist:
 						sizeof($$->ipe_mask));
 					  $$->ipe_next = $3;
 					}
-	| groupentry ';'		{ $$ = $1; }
-	| addrmask ';'			{ $$ = calloc(1, sizeof(iphtent_t));
+	| groupentry next		{ $$ = $1; }
+	| addrmask next			{ $$ = calloc(1, sizeof(iphtent_t));
 					  bcopy((char *)&($1[0]),
 						(char *)&($$->ipe_addr),
 						sizeof($$->ipe_addr));
@ -229,8 +231,9 @@ grouplist:
 	;

 setgrouplist:
-	groupentry ';'			{ $$ = $1; }
-	| groupentry ';' setgrouplist	{ $1->ipe_next = $3; $$ = $1; }
+	next				{ $$ = NULL; }
+	| groupentry next		{ $$ = $1; }
+	| groupentry next setgrouplist	{ $1->ipe_next = $3; $$ = $1; }
 	;

 groupentry:
@ -263,8 +266,9 @@ range:	addrmask	{ $$ = calloc(1, sizeof(*$$));
 			}

 hashlist:
-	hashentry ';'			{ $$ = $1; }
-	| hashentry ';' hashlist	{ $1->ipe_next = $3; $$ = $1; }
+	next				{ $$ = NULL; }
+	| hashentry next		{ $$ = $1; }
+	| hashentry next hashlist	{ $1->ipe_next = $3; $$ = $1; }
 	;

 hashentry:
@ -279,18 +283,34 @@ hashentry:
 	;

 addrmask:
-	ipaddr '/' mask		{ $$[0] = $1; $$[1].s_addr = $3.s_addr; }
-	| ipaddr		{ $$[0] = $1; $$[1].s_addr = 0xffffffff; }
+	ipaddr '/' mask		{ $$[0] = $1; $$[1].s_addr = $3.s_addr;
+				  yyexpectaddr = 0;
+				}
+	| ipaddr		{ $$[0] = $1; $$[1].s_addr = 0xffffffff;
+				  yyexpectaddr = 0;
+				}
 	;

 ipaddr:	ipv4			{ $$ = $1; }
 	| YY_NUMBER		{ $$.s_addr = htonl($1); }
+	| YY_STR		{ if (gethost($1, &($$.s_addr)) == -1)
+					yyerror("Unknown hostname");
+				}
 	;

 mask:	YY_NUMBER		{ ntomask(4, $1, (u_32_t *)&$$.s_addr); }
 	| ipv4			{ $$ = $1; }
 	;

+start:	'{'			{ yyexpectaddr = 1; }
+	;
+
+end:	'}'			{ yyexpectaddr = 0; }
+	;
+
+next:	';'			{ yyexpectaddr = 1; }
+	;
+
 size:	IPT_SIZE '=' YY_NUMBER	{ ipht.iph_size = $3; }
 	;

--- a/regress/sys/kern/ipf/expected/in6
+++ b/regress/sys/kern/ipf/expected/in6
@ -0,0 +1,3 @@
+map foo0 from any port = 1 to any port != 0 -> 0.0.0.0/32 udp
+map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
+map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
--- a/regress/sys/kern/ipf/expected/ip1
+++ b/regress/sys/kern/ipf/expected/ip1
@ -1,3 +1,5 @@
+table role = ipf type = tree number = 1
+	{; };
 table role = ipf type = tree number = 100
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
 table role = ipf type = tree number = 110
@ -6,6 +8,8 @@ table role = ipf type = tree number = 120
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
 table role = ipf type = tree number = 130
 	{ 2.2.2.0/24; ! 2.2.0.0/16; 1.2.3.4/32; };
+table role = ipf type = hash number = 2 size = 1
+	{; };
 table role = ipf type = hash number = 200 size = 5
 	{ 0/0; 1/32; 1.2.3.4/32; };
 table role = nat type = hash number = 210 size = 5
--- a/regress/sys/kern/ipf/regress/i1
+++ b/regress/sys/kern/ipf/regress/i1
@ -1,5 +1,6 @@
 pass in all
-block out all
+block out \
+all
 log in all
 log body in all
 count in from any to any
@ -12,4 +13,4 @@ block return-rst in quick on le0 proto tcp from any to any
 block return-icmp in on qe0 from any to any
 block return-icmp(1) in on qe0 from any to any
 block return-icmp-as-dest(port-unr) in on qe0 from any to any
-pass out on longNICname0 from test.host.dots to test.host.dots
+pass out on longNICname0 from test.host.dots to test\.host.dots
--- a/regress/sys/kern/ipf/regress/i3
+++ b/regress/sys/kern/ipf/regress/i3
@ -1,6 +1,7 @@
 log in all
 pass in from 128.16/16 to 129.10.10/24
-pass in from 128.0.0.1/24 to 128.0.0.1/16
+pass in from 128.0.0.1/24 to 128\
+.0.0.1/16
 pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000
 pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0
 pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000
--- a/regress/sys/kern/ipf/regress/in6
+++ b/regress/sys/kern/ipf/regress/in6
@ -0,0 +1,3 @@
+map foo0 from any port = 1 to any port != 0 -> 0/32 udp
+map foo0 from any port < 1 to any port > 0 -> 0/32 tcp
+map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
--- a/regress/sys/kern/ipf/regress/ip1
+++ b/regress/sys/kern/ipf/regress/ip1
@ -1,5 +1,7 @@
 #:%s/ \(number = [0-9]*\) \(type = [a-z]*\)/ \2 \1/g

+table role = ipf type = tree number = 1
+	{; };
 table role = ipf type = tree number = 100
 	{ 1.2.3.4/32; !2.2.0.0/16; 2.2.2.0/24; };
 table role = nat type = tree number = 110
@ -9,6 +11,8 @@ table role = auth type = tree number = 120
 table role = count type = tree number = 130
 	{ 1.2.3.4; !2.2.0.0/16; 2.2.2.0/24; };

+table role = ipf type = hash number = 2
+	{; };
 table role = ipf type = hash number = 200
 	{ 0/0; 1/32; 1.2.3.4/32; };
 table role = nat type = hash number = 210
--- a/regress/sys/kern/ipf/test.format
+++ b/regress/sys/kern/ipf/test.format
@ -38,6 +38,7 @@ in2 text text
 in3 text text
 in4 text text
 in5 text text
+in6 text text
 ip1 text text
 ipv6.1 hex hex
 ipv6.2 hex hex
--- a/sys/dist/ipf/netinet/ip_ipsec_pxy.c
+++ b/sys/dist/ipf/netinet/ip_ipsec_pxy.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_ipsec_pxy.c,v 1.1.1.1 2004/12/31 11:30:43 martti Exp $	*/
+/*	$NetBSD: ip_ipsec_pxy.c,v 1.1.1.2 2005/02/19 21:27:14 martti Exp $	*/

 /*
 * Copyright (C) 2001-2003 by Darren Reed
@ -8,7 +8,7 @@
 * Simple ISAKMP transparent proxy for in-kernel use.  For use with the NAT
 * code.
 *
- * Id: ip_ipsec_pxy.c,v 2.20.2.3 2004/06/07 14:20:05 darrenr Exp
+ * Id: ip_ipsec_pxy.c,v 2.20.2.4 2005/02/04 10:22:55 darrenr Exp
 *
 */
 #define	IPF_IPSEC_PROXY
@ -135,6 +135,8 @@ nat_t *nat;
 	ipn->in_p = IPPROTO_ESP;

 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
+	fi.fin_state = NULL;
+	fi.fin_nat = NULL;
 	fi.fin_fi.fi_p = IPPROTO_ESP;
 	fi.fin_fr = &ipsecfr;
 	fi.fin_data[0] = 0;
@ -166,6 +168,8 @@ nat_t *nat;
 		fi.fin_data[1] = 0;
 		ipsec->ipsc_state = fr_addstate(&fi, &ipsec->ipsc_state,
 						SI_WILDP);
+		if (fi.fin_state != NULL)
+			fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 	}
 	ip->ip_p = p & 0xff;
 	return 0;
@ -200,6 +204,8 @@ nat_t *nat;

 		if ((ipsec->ipsc_nat == NULL) || (ipsec->ipsc_state == NULL)) {
 			bcopy((char *)fin, (char *)&fi, sizeof(fi));
+			fi.fin_state = NULL;
+			fi.fin_nat = NULL;
 			fi.fin_fi.fi_p = IPPROTO_ESP;
 			fi.fin_fr = &ipsecfr;
 			fi.fin_data[0] = 0;
@ -241,6 +247,8 @@ nat_t *nat;
 			ipsec->ipsc_state = fr_addstate(&fi,
 							&ipsec->ipsc_state,
 							SI_WILDP);
+			if (fi.fin_state != NULL)
+				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
 		ip->ip_p = p;
 	}
--- a/sys/dist/ipf/netinet/ip_raudio_pxy.c
+++ b/sys/dist/ipf/netinet/ip_raudio_pxy.c
@ -1,11 +1,11 @@
-/*	$NetBSD: ip_raudio_pxy.c,v 1.1.1.1 2004/12/31 11:30:45 martti Exp $	*/
+/*	$NetBSD: ip_raudio_pxy.c,v 1.1.1.2 2005/02/19 21:27:19 martti Exp $	*/

 /*
 * Copyright (C) 1998-2003 by Darren Reed
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Id: ip_raudio_pxy.c,v 1.40.2.2 2004/05/24 14:01:48 darrenr Exp
+ * Id: ip_raudio_pxy.c,v 1.40.2.3 2005/02/04 10:22:55 darrenr Exp
 */

 #define	IPF_RAUDIO_PROXY
@ -277,6 +277,8 @@ nat_t *nat;
 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
 	bzero((char *)tcp2, sizeof(*tcp2));
 	TCP_OFF_A(tcp2, 5);
+	fi.fin_state = NULL;
+	fi.fin_nat = NULL;
 	fi.fin_flx |= FI_IGNORE;
 	fi.fin_dp = (char *)tcp2;
 	fi.fin_fr = &raudiofr;
@ -303,6 +305,8 @@ nat_t *nat;
 			nat_update(&fi, nat2, nat2->nat_ptr);

 			(void) fr_addstate(&fi, NULL, (sp ? 0 : SI_W_SPORT));
+			if (fi.fin_state != NULL)
+				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
 	}

@ -321,6 +325,8 @@ nat_t *nat;
 			nat_update(&fi, nat2, nat2->nat_ptr);

 			(void) fr_addstate(&fi, NULL, SI_W_DPORT);
+			if (fi.fin_state != NULL)
+				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
 	}