Import ip-filter 3.2beta5

1997-09-21 16:47:50 +00:00 · 1997-09-21 16:47:50 +00:00 · 985ac74a98
parent 4f72ff44fd
commit 985ac74a98
56 changed files with 4053 additions and 200 deletions
--- a/sys/netinet/ip_auth.h
+++ b/sys/netinet/ip_auth.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_auth.h,v 1.1.1.1 1997/07/06 04:58:52 thorpej Exp $	*/
+/*	$NetBSD: ip_auth.h,v 1.1.1.2 1997/09/21 16:49:28 veego Exp $	*/
 /*
 * (C)opyright 1997 by Darren Reed & Guido Van Rooij.
@ -7,7 +7,7 @@
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
- * Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp
+ * Id: ip_auth.h,v 2.0.2.8 1997/06/23 04:52:53 darrenr Exp 
 *
 */
 #ifndef	__IP_AUTH_H__
--- a/sys/netinet/ip_log.c
+++ b/sys/netinet/ip_log.c
@ -0,0 +1,432 @@
 /*	$NetBSD: ip_log.c,v 1.1.1.1 1997/09/21 16:49:48 veego Exp $	*/
 /*
 * (C)opyright 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
 * Id: ip_log.c,v 2.0.2.6 1997/09/10 13:08:18 darrenr Exp 
 */
 #ifdef	IPFILTER_LOG
 # ifndef SOLARIS
 #  define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 # endif
 # ifdef  __FreeBSD__
 #  if defined(KERNEL) && !defined(_KERNEL)
 #   define       _KERNEL
 #  endif
 #  if defined(_KERNEL) && !defined(IPFILTER_LKM)
 #   include <sys/osreldate.h>
 #  else
 #   include <osreldate.h>
 #  endif
 # endif
 # ifndef _KERNEL
 #  include <stdio.h>
 #  include <string.h>
 #  include <stdlib.h>
 #  include <ctype.h>
 # endif
 # include <sys/errno.h>
 # include <sys/types.h>
 # include <sys/param.h>
 # include <sys/file.h>
 # if __FreeBSD_version >= 220000 && defined(_KERNEL)
 #  include <sys/fcntl.h>
 #  include <sys/filio.h>
 # else
 #  include <sys/ioctl.h>
 # endif
 # include <sys/time.h>
 # ifdef  _KERNEL
 #  include <sys/systm.h>
 # endif
 # include <sys/uio.h>
 # if !SOLARIS
 #  if NetBSD > 199609
 #   include <sys/dirent.h>
 #  else
 #   include <sys/dir.h>
 #  endif
 #  include <sys/mbuf.h>
 # else
 #  include <sys/filio.h>
 #  include <sys/cred.h>
 #  include <sys/ddi.h>
 #  include <sys/sunddi.h>
 #  include <sys/ksynch.h>
 #  include <sys/kmem.h>
 #  include <sys/mkdev.h>
 #  include <sys/dditypes.h>
 #  include <sys/cmn_err.h>
 # endif
 # include <sys/protosw.h>
 # include <sys/socket.h>
 # include <net/if.h>
 # ifdef sun
 #  include <net/af.h>
 # endif
 # if __FreeBSD_version >= 300000
 #  include <net/if_var.h>
 # endif
 # include <net/route.h>
 # include <netinet/in.h>
 # include <netinet/in_var.h>
 # include <netinet/in_systm.h>
 # include <netinet/ip.h>
 # include <netinet/ip_var.h>
 # include <netinet/tcp.h>
 # include <netinet/udp.h>
 # include <netinet/tcpip.h>
 # include <netinet/ip_icmp.h>
 # ifndef _KERNEL
 #  include <syslog.h>
 # endif
 # include "netinet/ip_compat.h"
 # include "netinet/ip_fil.h"
 # include "netinet/ip_proxy.h"
 # include "netinet/ip_nat.h"
 # include "netinet/ip_frag.h"
 # include "netinet/ip_state.h"
 # include "netinet/ip_auth.h"
 # ifndef MIN
 #  define	MIN(a,b)	(((a)<(b))?(a):(b))
 # endif
 #if SOLARIS
 extern	kmutex_t	ipl_mutex;
 extern	kcondvar_t	iplwait;
 #endif
 iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
 int	iplused[IPL_LOGMAX+1];
 u_long	iplcrc[IPL_LOGMAX+1];
 u_long	iplcrcinit;
 /*
 * Initialise log buffers & pointers.  Also iniialised the CRC to a local
 * secret for use in calculating the "last log checksum".
 */
 void ipflog_init()
 {
 	struct	timeval	tv;
 	int	i;
 	for (i = IPL_LOGMAX; i >= 0; i--) {
 		iplt[i] = NULL;
 		iplh[i] = &iplt[i];
 		iplused[i] = 0;
 	}
 # if BSD >= 199306 || defined(__FreeBSD__)
 	microtime(&tv);
 # else
 	uniqtime(&tv);
 # endif
 	iplcrcinit = tv.tv_sec ^ (tv.tv_usec << 8) ^ tv.tv_usec;
 }
 /*
 * ipflog
 * Create a log record for a packet given that it has been triggered by a
 * rule (or the default setting).  Calculate the transport protocol header
 * size using predetermined size of a couple of popular protocols and thus
 * how much data to copy into the log, including part of the data body if
 * requested.
 */
 int ipflog(flags, ip, fin, m)
 u_int flags;
 ip_t *ip;
 fr_info_t *fin;
 mb_t *m;
 {
 	ipflog_t ipfl;
 	register int mlen, hlen;
 	u_long crc;
 	size_t sizes[2];
 	void *ptrs[2];
 	int types[2];
 # if SOLARIS
 	ill_t *ifp = fin->fin_ifp;
 # else
 	struct ifnet *ifp = fin->fin_ifp;
 # endif
 	/*
 	 * calculate header size.
 	 */
 	hlen = fin->fin_hlen;
 	if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
 		hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
 	else if (ip->ip_p == IPPROTO_ICMP) {
 		struct	icmp	*icmp = (struct icmp *)((char *)ip + hlen);
 		/*
 		 * For ICMP, if the packet is an error packet, also include
 		 * the information about the packet which caused the error.
 		 */
 		switch (icmp->icmp_type)
 		{
 		case ICMP_UNREACH :
 		case ICMP_SOURCEQUENCH :
 		case ICMP_REDIRECT :
 		case ICMP_TIMXCEED :
 		case ICMP_PARAMPROB :
 			hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
 			break;
 		default :
 			hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
 			break;
 		}
 	}
 	/*
 	 * Get the interface number and name to which this packet is
 	 * currently associated.
 	 */
 # if SOLARIS
 	ipfl.fl_unit = (u_char)ifp->ill_ppa;
 	bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
 	mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
 # else
 #  if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
 	strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
 #  else
 	ipfl.fl_unit = (u_char)ifp->if_unit;
 	if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
 		if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
 			if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
 				ipfl.fl_ifname[3] = ifp->if_name[3];
 #  endif
 	mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
 # endif
 	ipfl.fl_plen = (u_char)mlen;
 	ipfl.fl_hlen = (u_char)hlen;
 	ipfl.fl_rule = fin->fin_rule;
 	ipfl.fl_flags = flags;
 	ptrs[0] = (void *)&ipfl;
 	sizes[0] = sizeof(ipfl);
 	types[0] = 0;
 #if SOLARIS
 	/*
 	 * Are we copied from the mblk or an aligned array ?
 	 */
 	if (ip == (ip_t *)m->b_rptr) {
 		ptrs[1] = m;
 		sizes[1] = hlen + mlen;
 		types[1] = 1;
 	} else {
 		ptrs[1] = ip;
 		sizes[1] = hlen + mlen;
 		types[1] = 0;
 	}
 #else
 	ptrs[1] = m;
 	sizes[1] = hlen + mlen;
 	types[1] = 1;
 #endif
 	crc = (ipf_cksum((u_short *)fin, FI_CSIZE) << 8) + iplcrcinit;
 	return ipllog(IPL_LOGIPF, crc, ptrs, sizes, types, 2);
 }
 /*
 * ipllog
 */
 int ipllog(dev, crc, items, itemsz, types, cnt)
 int dev;
 u_long crc;
 void **items;
 size_t *itemsz;
 int *types, cnt;
 {
 	iplog_t *ipl;
 	caddr_t buf, s;
 	int len, i;
 	/*
 	 * Check to see if this log record has a CRC which matches the last
 	 * record logged.  If it does, just up the count on the previous one
 	 * rather than create a new one.
 	 */
 	if (crc) {
 		MUTEX_ENTER(&ipl_mutex);
 		if ((iplcrc[dev] == crc) && *iplh[dev]) {
 			(*iplh[dev])->ipl_count++;
 			MUTEX_EXIT(&ipl_mutex);
 			return 1;
 		}
 		iplcrc[dev] = crc;
 		MUTEX_EXIT(&ipl_mutex);
 	}
 	/*
 	 * Get the total amount of data to be logged.
 	 */
 	for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
 		len += itemsz[i];
 	/*
 	 * check that we have space to record this information and can
 	 * allocate that much.
 	 */
 	KMALLOC(buf, caddr_t, len);
 	if (!buf)
 		return 0;
 	MUTEX_ENTER(&ipl_mutex);
 	if ((iplused[dev] + len) > IPLLOGSIZE) {
 		MUTEX_EXIT(&ipl_mutex);
 		KFREES(buf, len);
 		return 0;
 	}
 	iplused[dev] += len;
 	MUTEX_EXIT(&ipl_mutex);
 	/*
 	 * advance the log pointer to the next empty record and deduct the
 	 * amount of space we're going to use.
 	 */
 	ipl = (iplog_t *)buf;
 	ipl->ipl_count = 1;
 	ipl->ipl_next = NULL;
 	ipl->ipl_dsize = len;
 # if SOLARIS
 	uniqtime((struct timeval *)&ipl->ipl_sec);
 # else
 #  ifdef	sun
 	uniqtime((struct timeval *)&ipl->ipl_sec);
 #  endif
 #  if BSD >= 199306 || defined(__FreeBSD__)
 	microtime((struct timeval *)&ipl->ipl_sec);
 #  endif
 # endif
 	/*
 	 * Loop through all the items to be logged, copying each one to the
 	 * buffer.  Use bcopy for normal data or the mb_t copyout routine.
 	 */
 	for (i = 0, s = buf + sizeof(*ipl); i < cnt; i++) {
 		if (types[i] == 0)
 			bcopy(items[i], s, itemsz[i]);
 		else if (types[i] == 1) {
 # if SOLARIS
 			copyout_mblk(items[i], 0, itemsz[i], s);
 # else
 			m_copydata(items[i], 0, itemsz[i], s);
 # endif
 		}
 		s += itemsz[i];
 	}
 	MUTEX_ENTER(&ipl_mutex);
 	*iplh[dev] = ipl;
 	iplh[dev] = &ipl->ipl_next;
 # if SOLARIS
 	cv_signal(&iplwait);
 	mutex_exit(&ipl_mutex);
 # else
 	wakeup(iplh[dev]);
 # endif
 	return 1;
 }
 int ipflog_read(unit, uio)
 int unit;
 struct uio *uio;
 {
 	iplog_t *ipl;
 	int error = 0, dlen;
 # if defined(_KERNEL) && !SOLARIS
 	int s;
 # endif
 	/*
 	 * Sanity checks.  Make sure the minor # is valid and we're copying
 	 * a valid chunk of data.
 	 */
 	if ((IPL_LOGMAX < unit) || (unit < 0))
 		return ENXIO;
 	if (!uio->uio_resid)
 		return 0;
 	if ((uio->uio_resid < sizeof(iplog_t)) ||
 	    (uio->uio_resid > IPLLOGSIZE))
 		return EINVAL;
 	/*
 	 * Lock the log so we can snapshot the variables.  Wait for a signal
 	 * if the log is empty.
 	 */
 	SPLNET(s);
 	MUTEX_ENTER(&ipl_mutex);
 # if SOLARIS && defined(_KERNEL)
 	while (!iplused[unit])
 		if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
 			MUTEX_EXIT(&ipl_mutex);
 			return EINTR;
 		}
 # else
 	while (!iplused[unit]) {
 		SPLX(s);
 		error = SLEEP(iplh[unit], "ipl sleep");
 		if (error)
 			return error;
 		SPLNET(s);
 	}
 # endif
 # if BSD >= 199306 || defined(__FreeBSD__)
 	uio->uio_rw = UIO_READ;
 # endif
 	while ((ipl = iplt[unit])) {
 		dlen = ipl->ipl_dsize;
 		if (dlen + sizeof(iplog_t) > uio->uio_resid)
 			break;
 		/*
 		 * Don't hold the mutex over the uiomove call.
 		 */
 		iplt[unit] = ipl->ipl_next;
 		MUTEX_EXIT(&ipl_mutex);
 		SPLX(s);
 		error = UIOMOVE((caddr_t)ipl, ipl->ipl_dsize, UIO_READ, uio);
 		KFREES((caddr_t)ipl, ipl->ipl_dsize);
 		if (error)
 			break;
 		SPLNET(s);
 		MUTEX_ENTER(&ipl_mutex);
 		iplused[unit] -= dlen;
 	}
 	if (!ipl)
 		iplh[unit] = &iplt[unit];
 	if (!error) {
 		MUTEX_EXIT(&ipl_mutex);
 		SPLX(s);
 	}
 	return error;
 }
 int ipflog_clear(unit)
 int unit;
 {
 	iplog_t *ipl;
 	int used;
 	while ((ipl = iplt[unit])) {
 		iplt[unit] = ipl->ipl_next;
 		KFREES((caddr_t)ipl, ipl->ipl_dsize);
 	}
 	iplh[unit] = &iplt[unit];
 	used = iplused[unit];
 	iplused[unit] = 0;
 	iplcrc[unit] = 0;
 	return used;
 }
 #endif /* IPFILTER_LOG */
--- a/usr.sbin/ipf/ipf/ipf.4
+++ b/usr.sbin/ipf/ipf/ipf.4
@ -2,7 +2,8 @@
 .SH NAME
 ipf \- packet filtering kernel interface
 .SH SYNOPSIS
-#include <sys/ip_fil.h>
+#include <netinet/ip_compat.h>
 #include <netinet/ip_fil.h>
 .SH IOCTLS
 .PP
 To add and delete rules to the filter list, three 'basic' ioctls are provided
@ -41,10 +42,17 @@ which it is inserted is stored in the "fr_hits" field, below.
 .nf
 typedef struct  frentry {
        struct  frentry *fr_next;
        u_short fr_group;       /* group to which this rule belongs */
        u_short fr_head;        /* group # which this rule starts */
        struct  frentry *fr_grp;
        int     fr_ref;         /* reference count - for grouping */
        struct  ifnet   *fr_ifa;
-        u_long  fr_hits;
+        /*
-        u_long  fr_bytes;       /* this is only incremented when a packet */
+         * These are only incremented when a packet  matches this rule and
-                                /* stops matching on this rule */
+         * it is the last match
         */
        U_QUAD_T  fr_hits;
        U_QUAD_T  fr_bytes;
        /*
         * Fields after this may not change whilst in the kernel.
         */
@ -64,6 +72,7 @@ typedef struct  frentry {
        u_short fr_stop;        /* top port for <> and >< */
        u_short fr_dtop;        /* top port for <> and >< */
        u_long  fr_flags;       /* per-rule flags && options (see below) */
        int     fr_skip;        /* # of rules to skip */
        int     (*fr_func)();   /* call this function */
        char    fr_icode;       /* return ICMP code */
        char    fr_ifname[IFNAMSIZ];
@ -81,26 +90,31 @@ be put in the "fr_hits" field (the first rule is number 0).
 Flags which are recognised in fr_pass:
 .nf
-	FR_BLOCK        0x00001    /* do not allow packet to pass */
+     FR_BLOCK        0x000001   /* do not allow packet to pass */
-	FR_PASS         0x00002    /* allow packet to pass */
+     FR_PASS         0x000002   /* allow packet to pass */
-	FR_OUTQUE       0x00004    /* outgoing packets */
+     FR_OUTQUE       0x000004   /* outgoing packets */
-	FR_INQUE        0x00008    /* ingoing packets */
+     FR_INQUE        0x000008   /* ingoing packets */
-	FR_LOG          0x00010    /* Log */
+     FR_LOG          0x000010   /* Log */
-	FR_LOGP         0x00011    /* Log-pass */
+     FR_LOGP         0x000011   /* Log-pass */
-	FR_LOGB         0x00012    /* Log-fail */
+     FR_LOGB         0x000012   /* Log-fail */
-        FR_LOGBODY      0x00020    /* log the body of packets too */
+     FR_LOGBODY      0x000020   /* log the body of packets too */
-        FR_LOGFIRST     0x00040    /* log only the first packet to match */
+     FR_LOGFIRST     0x000040   /* log only the first packet to match */
-	FR_RETRST       0x00080    /* return a TCP RST packet if blocked */
+     FR_RETRST       0x000080   /* return a TCP RST packet if blocked */
-	FR_RETICMP      0x00100    /* return an ICMP packet if blocked */
+     FR__RETICMP     0x000100   /* return an ICMP packet if blocked */
-        FR_NOMATCH      0x00200    /* no match occured */
+     FR_NOMATCH      0x000200   /* no match occured */
-        FR_ACCOUNT      0x00400    /* count packet bytes */
+     FR_ACCOUNT      0x000400   /* count packet bytes */
-        FR_KEEPFRAG     0x00800
+     FR_KEEPFRAG     0x000800   /* keep fragment information */
-        FR_KEEPSTATE    0x01000    /* keep packet flow state information */
+     FR_KEEPSTATE    0x001000   /* keep `connection' state information */
-        FR_INACTIVE     0x02000
+     FR_INACTIVE     0x002000
-        FR_QUICK        0x04000    /* quick-match and return */
+     FR_QUICK        0x004000   /* match & stop processing list */
-        FR_FASTROUTE    0x08000
+     FR_FASTROUTE    0x008000   /* bypass normal routing */
-        FR_CALLNOW      0x10000
+     FR_CALLNOW      0x010000   /* call another function (fr_func) if matches */
-        FR_DUP          0x20000    /* duplicate the packet (not Solaris2)
+     FR_DUP          0x020000   /* duplicate the packet */
     FR_LOGORBLOCK   0x040000   /* block the packet if it can't be logged */
     FR_NOTSRCIP     0x080000   /* not the src IP# */
     FR_NOTDSTIP     0x100000   /* not the dst IP# */
     FR_AUTH         0x200000   /* use authentication */
     FR_PREAUTH      0x400000   /* require preauthentication */
 .fi
 .PP
@ -134,8 +148,10 @@ Takes an unsigned integer as the parameter.  The flags are then set to
 those provided (clearing/setting all in one).
 .nf
-	FF_LOGPASS	1
+	FF_LOGPASS	0x10000000
-	FF_LOGBLOCK	2
+	FF_LOGBLOCK	0x20000000
 	FF_LOGNOMATCH	0x40000000
 	FF_BLOCKNONIP	0x80000000    /* Solaris 2.x only */
 .fi
 .IP SIOCGETFF 16
 Takes a pointer to an unsigned integer as the parameter.  A copy of the
@ -149,10 +165,14 @@ through the kernel.  To retrieve this structure, use this ioctl:
 	ioctl(fd, SIOCGETFS, struct friostat *)
-struct	friostat        {
+struct  friostat        {
-	struct  filterstats     f_st[2];
+        struct  filterstats     f_st[2];
-	struct  frentry *f_fin;
+        struct  frentry         *f_fin[2];
-	struct  frentry *f_fout;
+        struct  frentry         *f_fout[2];
        struct  frentry         *f_acctin[2];
        struct  frentry         *f_acctout[2];
        struct  frentry         *f_auth;
        int     f_active;
 };
 struct	filterstats {
@ -172,6 +192,7 @@ struct	filterstats {
        u_long  fr_bads;        /* bad attempts to allocate packet state */
        u_long  fr_ads;         /* new packet state kept */
        u_long  fr_chit;        /* cached hit */
        u_long  fr_pull[2];     /* good and bad pullup attempts */
 #if SOLARIS
        u_long  fr_bad;         /* bad IP packets to the filter */
        u_long  fr_notip;       /* packets passed through no on ip queue */
--- a/usr.sbin/ipf/ipf/ipf.5
+++ b/usr.sbin/ipf/ipf/ipf.5
@ -18,28 +18,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
 described using the following grammar in BNF:
 \fC
 .nf
-filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
+filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
 	      [ proto ] [ ip ] [ group ].
 insert	= "@" decnumber .
-action	= block | "pass" | log | "count" | skip | "auth" | "preauth" | call .
+action	= block | "pass" | log | "count" | skip | auth | call .
 in-out	= "in" | "out" .
 options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-match	= [ tos ] [ ttl ] [ proto ] [ ip ] .
+tos	= "tos" decnumber | "tos" hexnumber .
-keep  	= "keep state" | "keep frags" .
+ttl	= "ttl" decnumber .
 proto	= "proto" protocol .
 ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
 group	= [ "head" decnumber ] [ "group" decnumber ] .
 block	= "block" [ "return-icmp"[return-code] | "return-rst" ] .
-log   	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
+auth    = "auth" | "preauth" .
-call  	= "call" [ "now" ] function-name .
+log	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
 call	= "call" [ "now" ] function-name .
 skip	= "skip" decnumber .
-
+dup	= "dup-to" interface-name[":"ipaddr] .
 dup   	= "dup-to" interface-name[":"ipaddr] .
 froute	= "fastroute" | "to" interface-name .
 tos   	= "tos" decnumber | "tos" hexnumber .
 ttl   	= "ttl" decnumber .
 proto	= "proto" protocol .
 ip    	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
 protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
 srcdst	= "all" | fromto .
 fromto	= "from" object "to" object .
@ -48,11 +46,11 @@ object	= addr [ port-comp | port-range ] .
 addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
 port-comp = "port" compare port-num .
 port-range = "port" port-num range port-num .
 flags	= "flags" flag { flag } [ "/" flag { flag } ] .
 with	= "with" | "and" .
 icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
 return-code = "("icmp-code")" .
 keep	= "keep" "state" | "keep" "frags" .
 nummask	= host-name [ "/" decnumber ] .
 host-name = ipaddr | hostname | "any" .
@ -73,16 +71,16 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
 icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
 	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
 	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
-optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
+optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
-	  "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
+	  "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
-	  "visa" | "imitd" | "eip" | "finn" .
+	  "addext" | "visa" | "imitd" | "eip" | "finn" .
 hexnumber = "0" "x" hexstring .
 hexstring = hexdigit [ hexstring ] .
 decnumber = digit [ decnumber ] .
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
+compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
-	  "le" | "ge" .
+	  "gt" | "le" | "ge" .
 range	= "<>" | "><" .
 hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
 digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
@ -95,19 +93,10 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
 .SH FILTER RULES
 .PP
 The "briefest" valid rules are (currently) no-ops and are of the form:
 .nf
       block in
       pass in
       log in
       count in
 .fi
 .PP
 These are supposed to be the same as, but currently differ from:
 .\" XXX How, why do they differ??
 .nf
       block in all
-       pass in from any to any
+       pass in all
-       log in all
+       log out all
       count in all
 .fi
 .PP
@ -154,6 +143,12 @@ must conform to a specific calling interface. Customised actions and
 semantics can thus be implemented to supplement those available. This
 feature is for use by knowledgeable hackers, and is not currently
 documented.
 .TP
 .B "skip <n>"
 .TP
 .B auth
 .TP
 .B preauth
 .PP
 The next word must be either \fBin\fP or \fBout\fP.  Each packet
 moving through the kernel is either inbound (just been received on an
@ -222,7 +217,6 @@ packets with different Type-Of-Service values can be filtered.
 Individual service levels or combinations can be filtered upon.  The
 value for the TOS mask can either be represented as a hex number or a
 decimal integer value.
 .\" XXX TOS mask??  not in grammar!
 .TP
 .B ttl
 packets may also be selected by their Time-To-Live value.  The value given in
@ -357,8 +351,9 @@ with which they are associated can be used.  The most important from
 a security point of view is the ICMP redirect.
 .SH KEEP HISTORY
 .PP
-The last parameter which can be set for a filter rule is whether on not to
+The second last parameter which can be set for a filter rule is whether on not
-record historical information for that packet, and what sort to keep. The following information can be kept:
+to record historical information for that packet, and what sort to keep. The
 following information can be kept:
 .TP
 .B state
 keeps information about the flow of a communication session. State can
@ -370,6 +365,23 @@ fragments.
 .PP
 allowing packets which match these to flow straight through, rather
 than going through the access control list.
 .SH GROUPS
 The last pair of parameters control filter rule "grouping".  By default, all
 filter rules are placed in group 0 if no other group is specified.  To add a
 rule to a non-default group, the group must first be started by creating a
 group \fIhead\fP.  If a packet matches a rule which is the \fIhead\fP of a
 group, the filter processing then switches to the group, using that rule as
 the default for the group.  If \fBquick\fP is used with a \fBhead\fP rule, rule
 processing isn't stopped until it has returned from processing the group.
 .PP
 A rule may be both the head for a new group and a member of a non-default
 group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
 .TP
 .B "head <n>"
 indicates that a new group (number n) should be created.
 .TP
 .B "group <n>"
 indicates that the rule should be put in group (number n) rather than group 0.
 .SH LOGGING
 .PP
 When a packet is logged, with either the \fBlog\fP action or option,
@ -428,7 +440,42 @@ rule such as:
        pass in quick from any to any port < 1024
 .fi
 .PP
-would be needed before the first block.  
+would be needed before the first block.  To create a new group for
 processing all inbould packets on le0/le1/lo0, with the default being to block
 all inbound packets, we would do something like:
 .LP
 .nf
       block in all
       block in on le0 quick all head 100
       block in on le1 quick all head 200
       block in on lo0 quick all head 300
 .fi
 .PP
 and to then allow ICMP packets in on le0, only, we would do:
 .LP
 .nf
       pass in proto icmp all group 100
 .fi
 .PP
 Note that because only inbound packets on le0 are used processed by group 100,
 there is no need to respecify the interface name.  Likewise, we could further
 breakup processing of TCP, etc, as follows:
 .LP
 .nf
       block in proto tcp all head 110 group 100
       pass in from any to any port = 23 group 110
 .fi
 .PP
 and so on.  The last line, if written without the groups would be:
 .LP
 .nf
       pass in on le0 proto tcp from any to any port = telnet
 .fi
 .PP
 Note, that if we wanted to say "port = telnet", "proto tcp" would
 need to be specified as the parser interprets each rule on its own and
 qualifies all service/port names with the protocol specified.
 .SH FILES
 /etc/services
 .br
--- a/usr.sbin/ipf/ipf/ipf.8
+++ b/usr.sbin/ipf/ipf/ipf.8
@ -87,8 +87,8 @@ recognised as IP packets.  They will be printed out on the console.
 Turn verbose mode on.  Displays information relating to rule processing.
 .TP
 .B \-y
-(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
+Manually resync the in-kernel interface list maintained by IP Filter with
-by IP Filter with the current interface status list.
+the current interface status list.
 .TP
 .B \-z
 For each rule in the input file, reset the statistics for it to zero and
--- a/usr.sbin/ipf/ipf/ipf.h
+++ b/usr.sbin/ipf/ipf/ipf.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $	*/
+/*	$NetBSD: ipf.h,v 1.1.1.6 1997/09/21 16:47:51 veego Exp $	*/
 /*
 * (C)opyright 1993-1997 by Darren Reed.
@ -8,7 +8,7 @@
 * to the original author and the contributors.
 *
 * @(#)ipf.h	1.12 6/5/96
- * $Id: ipf.h,v 1.1.1.5 1997/07/05 05:12:40 darrenr Exp $
+ * Id: ipf.h,v 2.0.2.9 1997/08/26 12:52:46 darrenr Exp 
 */
 #ifndef	__IPF_H__
@ -36,6 +36,7 @@
 #define	OPT_ZERORULEST	0x10000
 #define	OPT_SAVEOUT	0x20000
 #define	OPT_AUTHSTATS	0x40000
 #define	OPT_RAW		0x80000
 #ifndef __P
 # ifdef	__STDC__
@ -60,7 +61,7 @@ struct	ipopt_names	{
 };
-extern	u_32_t	buildopts __P((char *, char *));
+extern	u_32_t	buildopts __P((char *, char *, int));
 extern	u_32_t	hostnum __P((char *, int *));
 extern	u_32_t	optname __P((char ***, u_short *));
 extern	void	printpacket __P((struct ip *));
--- a/usr.sbin/ipf/ipf/opt.c
+++ b/usr.sbin/ipf/ipf/opt.c
@ -1,4 +1,4 @@
-/*	$NetBSD: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $	*/
+/*	$NetBSD: opt.c,v 1.1.1.6 1997/09/21 16:47:50 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -9,6 +9,7 @@
 */
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>
@ -19,12 +20,13 @@
 #include <netinet/tcp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
 #include <arpa/inet.h>
 #include <netinet/ip_compat.h>
 #include "ipf.h"
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "@(#)opt.c	1.8 4/10/96 (C) 1993-1995 Darren Reed";
-static	char	rcsid[] = "$Id: opt.c,v 1.1.1.5 1997/07/05 05:12:39 darrenr Exp $";
+static	char	rcsid[] = "Id: opt.c,v 2.0.2.7 1997/09/10 13:08:23 darrenr Exp ";
 #endif
 extern	int	opts;
@ -65,7 +67,9 @@ struct	ipopt_names	secclass[] = {
 	{ 0, 0, 0, NULL }	/* must be last */
 };
 static	u_char	seclevel __P((char *));
 int addipopt __P((char *, struct ipopt_names *, int, char *));
 static u_char seclevel(slevel)
 char *slevel;
@ -84,14 +88,70 @@ char *slevel;
 }
-u_32_t buildopts(cp, op)
+int addipopt(op, io, len, class)
 char *op;
 struct ipopt_names *io;
 int len;
 char *class;
 {
 	int olen = len;
 	struct in_addr ipadr;
 	u_short val;
 	u_char lvl;
 	char *s;
 	if ((len + io->on_siz) > 48) {
 		fprintf(stderr, "options too long\n");
 		return 0;
 	}
 	len += io->on_siz;
 	*op++ = io->on_value;
 	if (io->on_siz > 1) {
 		s = op;
 		*op++ = io->on_siz;
 		*op++ = IPOPT_MINOFF;
 		if (class) {
 			switch (io->on_value)
 			{
 			case IPOPT_SECURITY :
 				lvl = seclevel(class);
 				*(op - 1) = lvl;
 				break;
 			case IPOPT_LSRR :
 			case IPOPT_SSRR :
 				ipadr.s_addr = inet_addr(class);
 				s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
 				bcopy((char *)&ipadr, op, sizeof(ipadr));
 				break;
 			case IPOPT_SATID :
 				val = atoi(class);
 				bcopy((char *)&val, op, 2);
 				break;
 			}
 		}
 		op += io->on_siz - 3;
 		if (len & 3) {
 			*op++ = IPOPT_NOP;
 			len++;
 		}
 	}
 	if (opts & OPT_DEBUG)
 		fprintf(stderr, "bo: %s %d %#x: %d\n",
 			io->on_name, io->on_value, io->on_bit, len);
 	return len - olen;
 }
 u_32_t buildopts(cp, op, len)
 char *cp, *op;
 int len;
 {
 	struct ipopt_names *io;
 	u_char lvl;
 	u_32_t msk = 0;
 	char *s, *t;
-	int len = 0;
+	int inc;
 	for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
 		if ((t = strchr(s, '=')))
@ -99,30 +159,10 @@ char *cp, *op;
 		for (io = ionames; io->on_name; io++) {
 			if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
 				continue;
-			if ((len + io->on_siz) > 48) {
+			if ((inc = addipopt(op, io, len, t))) {
-				fprintf(stderr, "options too long\n");
+				op += inc;
-				return 0;
+				len += inc;
 			}
 			len += io->on_siz;
 			*op++ = io->on_value;
 			if (io->on_siz > 1) {
 				*op++ = io->on_siz;
 				*op++ = IPOPT_MINOFF;
 				if (t && !strcasecmp(s, "sec-class")) {
 					lvl = seclevel(t);
 					*(op - 1) = lvl;
 				}
 				op += io->on_siz - 3;
 				if (len & 3) {
 					*op++ = IPOPT_NOP;
 					len++;
 				}
 			}
 			if (opts & OPT_DEBUG)
 				fprintf(stderr, "bo: %s %d %#x: %d\n",
 					io->on_name, io->on_value,
 					io->on_bit, len);
 			msk |= io->on_bit;
 			break;
 		}
--- a/usr.sbin/ipf/ipfstat/ipfstat.8
+++ b/usr.sbin/ipf/ipfstat/ipfstat.8
@ -4,7 +4,7 @@ ipfstat \- reports on packet filter statistics and filter list
 .SH SYNOPSIS
 .B ipfstat
 [
-.B \-hIinov
+.B \-aAfhIinosv
 ] [
 .B \-d
 <device>
@ -24,6 +24,9 @@ accumulated over time as the kernel has put packets through the filter.
 .B \-a
 Display the accounting filter list and show bytes counted against each rule.
 .TP
 .B \-A
 Display packet authentication statistics.
 .TP
 .BR \-d \0<device>
 Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
 .TP
@ -68,6 +71,6 @@ kernel.
 .br
 /vmunix
 .SH SEE ALSO
-ipf(1), ipfstat(1)
+ipf(1)
 .SH BUGS
 none known.
--- a/usr.sbin/ipf/ipfstat/kmem.c
+++ b/usr.sbin/ipf/ipfstat/kmem.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $	*/
+/*	$NetBSD: kmem.c,v 1.1.1.6 1997/09/21 16:47:59 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -22,7 +22,7 @@
 #if !defined(lint) && defined(LIBC_SCCS)
 static  char    sccsid[] = "@(#)kmem.c	1.4 1/12/96 (C) 1992 Darren Reed";
-static	char	rcsid[] = "$Id: kmem.c,v 1.1.1.5 1997/07/05 05:12:43 darrenr Exp $";
+static	char	rcsid[] = "Id: kmem.c,v 2.0.2.3 1997/03/10 08:10:37 darrenr Exp ";
 #endif
 static	int	kmemfd = -1;
--- a/usr.sbin/ipf/ipfstat/kmem.h
+++ b/usr.sbin/ipf/ipfstat/kmem.h
@ -1,4 +1,4 @@
-/*	$NetBSD: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $	*/
+/*	$NetBSD: kmem.h,v 1.1.1.6 1997/09/21 16:48:00 veego Exp $	*/
 /*
 * (C)opyright 1993-1997 by Darren Reed.
@ -6,7 +6,7 @@
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * $Id: kmem.h,v 1.1.1.5 1997/07/05 05:12:44 darrenr Exp $
+ * Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp 
 */
 #ifndef	__KMEM_H__
--- a/usr.sbin/ipf/ipftest/ipft_ef.c
+++ b/usr.sbin/ipf/ipftest/ipft_ef.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $	*/
+/*	$NetBSD: ipft_ef.c,v 1.1.1.6 1997/09/21 16:48:07 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -51,7 +51,7 @@ etherfind -n -t
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ipft_ef.c	1.6 2/4/96 (C)1995 Darren Reed";
-static	char	rcsid[] = "$Id: ipft_ef.c,v 1.1.1.5 1997/07/05 05:12:48 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp ";
 #endif
 static	int	etherf_open __P((char *));
--- a/usr.sbin/ipf/ipftest/ipft_hx.c
+++ b/usr.sbin/ipf/ipftest/ipft_hx.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $	*/
+/*	$NetBSD: ipft_hx.c,v 1.1.1.6 1997/09/21 16:48:13 veego Exp $	*/
 /*
 * (C)opyright 1995 by Darren Reed.
@ -42,7 +42,7 @@
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "@(#)ipft_hx.c	1.1 3/9/96 (C) 1996 Darren Reed";
-static	char	rcsid[] = "$Id: ipft_hx.c,v 1.1.1.5 1997/07/05 05:13:01 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_hx.c,v 2.0.2.5 1997/07/20 11:10:32 darrenr Exp ";
 #endif
 extern	int	opts;
@ -113,19 +113,24 @@ int	cnt, *dir;
 		 * interpret start of line as possibly "[ifname]" or
 		 * "[in/out,ifname]".
 		 */
-		*ifn = NULL;
+		if (ifn)
-		*dir = 0;
+			*ifn = NULL;
 		if (dir)
 			*dir = 0;
 		if ((*buf == '[') && (s = index(line, ']'))) {
 			t = buf + 1;
 			if (t - s > 0) {
 				if ((u = index(t, ',')) && (u < s)) {
 					u++;
-					*ifn = u;
+					if (ifn)
-					if (*t == 'i')
+						*ifn = u;
-						*dir = 0;
+					if (dir) {
-					else if (*t == 'o')
+						if (*t == 'i')
-						*dir = 1;
+							*dir = 0;
-				} else
+						else if (*t == 'o')
 							*dir = 1;
 					}
 				} else if (ifn)
 					*ifn = t;
 				*s++ = '\0';
 			}
--- a/usr.sbin/ipf/ipftest/ipft_pc.c
+++ b/usr.sbin/ipf/ipftest/ipft_pc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $	*/
+/*	$NetBSD: ipft_pc.c,v 1.1.1.6 1997/09/21 16:48:09 veego Exp $	*/
 /*
 * (C)opyright 1993-1996 by Darren Reed.
@ -33,7 +33,7 @@
 #include "pcap.h"
 #if !defined(lint) && defined(LIBC_SCCS)
-static	char	rcsid[] = "$Id: ipft_pc.c,v 1.1.1.5 1997/07/05 05:12:50 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp ";
 #endif
 struct	llc	{
--- a/usr.sbin/ipf/ipftest/ipft_sn.c
+++ b/usr.sbin/ipf/ipftest/ipft_sn.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $	*/
+/*	$NetBSD: ipft_sn.c,v 1.1.1.6 1997/09/21 16:48:06 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -37,7 +37,7 @@
 #include "snoop.h"
 #if !defined(lint) && defined(LIBC_SCCS)
-static	char	rcsid[] = "$Id: ipft_sn.c,v 1.1.1.5 1997/07/05 05:12:47 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp ";
 #endif
 struct	llc	{
--- a/usr.sbin/ipf/ipftest/ipft_td.c
+++ b/usr.sbin/ipf/ipftest/ipft_td.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $	*/
+/*	$NetBSD: ipft_td.c,v 1.1.1.6 1997/09/21 16:48:08 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -60,7 +60,7 @@ tcpdump -nqte
 #if !defined(lint) && defined(LIBC_SCCS)
 static char sccsid[] = "@(#)ipft_td.c	1.8 2/4/96 (C)1995 Darren Reed";
-static	char	rcsid[] = "$Id: ipft_td.c,v 1.1.1.5 1997/07/05 05:12:49 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp ";
 #endif
 static	int	tcpd_open __P((char *));
--- a/usr.sbin/ipf/ipftest/ipft_tx.c
+++ b/usr.sbin/ipf/ipftest/ipft_tx.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $	*/
+/*	$NetBSD: ipft_tx.c,v 1.1.1.6 1997/09/21 16:48:10 veego Exp $	*/
 /*
 * (C)opyright 1995 by Darren Reed.
@ -43,7 +43,7 @@
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "@(#)ipft_tx.c	1.7 6/5/96 (C) 1993 Darren Reed";
-static	char	rcsid[] = "$Id: ipft_tx.c,v 1.1.1.5 1997/07/05 05:12:51 darrenr Exp $";
+static	char	rcsid[] = "Id: ipft_tx.c,v 2.0.2.7 1997/08/26 12:52:03 darrenr Exp ";
 #endif
 extern	int	opts;
@ -328,7 +328,7 @@ int	*out;
 		u_long	olen;
 		cpp++;
-		olen = buildopts(*cpp, ipopts);
+		olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
 		if (olen) {
 			bcopy(ipopts, (char *)(ip + 1), olen);
 			ip->ip_hl += olen >> 2;
--- a/usr.sbin/ipf/ipftest/ipt.h
+++ b/usr.sbin/ipf/ipftest/ipt.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $	*/
+/*	$NetBSD: ipt.h,v 1.1.1.6 1997/09/21 16:48:14 veego Exp $	*/
 /*
 * (C)opyright 1993-1997 by Darren Reed.
@ -6,7 +6,7 @@
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
- * $Id: ipt.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
+ * Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp 
 */
 #ifndef	__IPT_H__
--- a/usr.sbin/ipf/ipftest/misc.c
+++ b/usr.sbin/ipf/ipftest/misc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $	*/
+/*	$NetBSD: misc.c,v 1.1.1.6 1997/09/21 16:48:11 veego Exp $	*/
 /*
 * (C)opyright 1993,1994,1995 by Darren Reed.
@ -43,7 +43,7 @@
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "@(#)misc.c	1.3 2/4/96 (C) 1995 Darren Reed";
-static	char	rcsid[] = "$Id: misc.c,v 1.1.1.5 1997/07/05 05:12:57 darrenr Exp $";
+static	char	rcsid[] = "Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp ";
 #endif
 extern	int	opts;
--- a/usr.sbin/ipf/ipftest/pcap.h
+++ b/usr.sbin/ipf/ipftest/pcap.h
@ -1,4 +1,4 @@
-/*	$NetBSD: pcap.h,v 1.1.1.2 1997/05/27 22:17:14 thorpej Exp $	*/
+/*	$NetBSD: pcap.h,v 1.1.1.3 1997/09/21 16:48:16 veego Exp $	*/
 /*
 * (C)opyright 1993-1997 by Darren Reed.
--- a/usr.sbin/ipf/ipftest/snoop.h
+++ b/usr.sbin/ipf/ipftest/snoop.h
@ -1,4 +1,4 @@
-/*	$NetBSD: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $	*/
+/*	$NetBSD: snoop.h,v 1.1.1.6 1997/09/21 16:48:15 veego Exp $	*/
 /*
 * (C)opyright 1993-1997 by Darren Reed.
@ -13,7 +13,7 @@
 /*
 * written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 1.1.1.5 1997/07/05 05:13:02 darrenr Exp $
+ * Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp 
 */
 struct	snoophdr	{
 	char	s_id[8];
--- a/usr.sbin/ipf/ipftest/test/Makefile
+++ b/usr.sbin/ipf/ipftest/test/Makefile
@ -1,11 +1,9 @@
 #
 # (C)opyright 1993-1996 by Darren Reed.
 #
-# This code may be freely distributed as long as it retains this notice
+# Redistribution and use in source and binary forms are permitted
-# and is not changed in any way.  The author accepts no responsibility
+# provided that this notice is preserved and due credit is given
-# for the use of this software.  I hate legaleese, don't you ?
+# to the original author and the contributors.
 #
 # where to put things.
 #
 BINDEST=/usr/local/bin
 SBINDEST=/sbin
@ -26,13 +24,13 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
 	@(cd ..; make ipftest; )
 1 2 3 4 5 6 7 8 9 10 11 14:
-	@./dotest $@
+	@/bin/sh ./dotest $@
 12:
-	@./hextest $@
+	@/bin/sh ./hextest $@
 i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
-	@./itest $@
+	@/bin/sh ./itest $@
 clean:
 	/bin/rm -f 1 2 3 4 5 6 7 8 9 10 11 12 results/*
--- a/usr.sbin/ipf/ipmon/ipmon.8
+++ b/usr.sbin/ipf/ipmon/ipmon.8
@ -4,9 +4,11 @@ ipmon \- monitors /dev/ipl for logged packets
 .SH SYNOPSIS
 .B ipmon
 [
-.B \-asfnSN
+.B \-aFhnNsStvxX
 ] [
-<filename>
+.B "\-f <device>"
 ] [
 .B <filename>
 ]
 .SH DESCRIPTION
 .LP
@ -20,6 +22,24 @@ via syslog have the day, month and year removed from the message, but the
 time (including microseconds), as recorded in the log, is still included.
 .SH OPTIONS
 .TP
 .B \-a
 Open all of the device logfiles for reading log entries from.  All entries
 are displayed to the same output 'device' (stderr or syslog).
 .TP
 .B "\-f <device>"
 specify an alternative device/file from which to read the log information.
 .TP
 .B \-F
 Flush the current packet log buffer.  The number of bytes flushed is displayed,
 even should the result be zero.
 .TP
 .B \-n
 IP addresses and port numbers will be mapped, where possible, back into
 hostnames and service names.
 .TP
 .B \-N
 Treat the logfile as being composed of NAT log records.
 .TP
 .B \-s
 Packet information read in will be sent through syslogd rather than
 saved to a file.  The following levels are used:
@ -38,22 +58,17 @@ than pass or block.
 \- packets which have been logged and which can be considered
 "short".
 .TP
 .B \-a
 Open all of the device logfiles for reading log entries from.
 .TP
 .B \-f
 Flush the current packet log buffer.  The number of bytes flushed is displayed,
 even should the result be zero.
 .TP
 .B \-n
 IP addresses and port numbers will be mapped, where possible, back into
 hostnames and service names.
 .TP
 .B \-N
 Treat the logfile as being composed of NAT log records.
 .TP
 .B \-S
 Treat the logfile as being composed of state log records.
 .TP
 .B \-t
 read the input file/device in a manner akin to tail(1).
 .TP
 .B \-x
 show the packet data in hex.
 .TP
 .B \-X
 show the log header record data in hex.
 .SH DIAGNOSTICS
 \fBipmon\fP expects data that it reads to be consistant with how it should be
 saved and will abort if it fails an assertion which detects an anomoly in the
--- a/usr.sbin/ipf/ipnat/ipnat.4
+++ b/usr.sbin/ipf/ipnat/ipnat.4
@ -2,7 +2,10 @@
 .SH NAME
 ipnat \- Network Address Translation kernel interface
 .SH SYNOPSIS
-#include <sys/ip_fil.h>
+#include <netinet/ip_compat.h>
 #include <netinet/ip_fil.h>
 #include <netinet/ip_proxy.h>
 #include <netinet/ip_nat.h>
 .SH IOCTLS
 .PP
 To add and delete rules to the NAT list, two 'basic' ioctls are provided
--- a/usr.sbin/ipf/ipresend/ipresend.1
+++ b/usr.sbin/ipf/ipresend/ipresend.1
@ -0,0 +1,107 @@
 .TH IPRESEND 1
 .SH NAME
 ipresend \- resend IP packets out to network
 .SH SYNOPSIS
 .B ipsend
 [
 .B \-EHPRSTX
 ] [
 .B \-d
 <device>
 ] [
 .B \-g
 <\fIgateway\fP>
 ] [
 .B \-m
 <\fIMTU\fP>
 ] [
 .B \-r
 <\fIfilename\fP>
 ]
 .SH DESCRIPTION
 .PP
 \fBipresend\fP was designed to allow packets to be resent, once captured,
 back out onto the network for use in testing.  \fIipresend\fP supports a
 number of different file formats as input, including saved snoop/tcpdump
 binary data.
 .SH OPTIONS
 .TP
 .BR \-d \0<interface>
 Set the interface name to be the name supplied.  This is useful with the
 \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is not otherwise possible
 to associate a packet with an interface.  Normal "text packets" can override
 this setting.
 .TP
 .BR \-g \0<gateway>
 Specify the hostname of the gateway through which to route packets.  This
 is required whenever the destination host isn't directly attached to the
 same network as the host from which you're sending.
 .TP
 .BR \-m \0<MTU>
 Specify the MTU to be used when sending out packets.  This option allows you
 to set a fake MTU, allowing the simulation of network interfaces with small
 MTU's without setting them so.
 .TP
 .BR \-r \0<filename>
 Specify the filename from which to take input.  Default is stdin.
 .B \-E
 The input file is to be text output from etherfind.  The text formats which
 are currently supported are those which result from the following etherfind
 option combinations:
 .PP
 .nf
 		etherfind -n
 		etherfind -n -t
 .fi
 .LP
 .TP
 .B \-H
 The input file is to be hex digits, representing the binary makeup of the
 packet.  No length correction is made, if an incorrect length is put in
 the IP header.
 .TP
 .B \-P
 The input file specified by \fB\-i\fP is a binary file produced using libpcap
 (i.e., tcpdump version 3).  Packets are read from this file as being input
 (for rule purposes).
 .TP
 .B \-R
 When sending packets out, send them out "raw" (the way they came in).  The
 only real significance here is that it will expect the link layer (i.e.
 ethernet) headers to be prepended to the IP packet being output.
 .TP
 .B \-S
 The input file is to be in "snoop" format (see RFC 1761).  Packets are read
 from this file and used as input from any interface.  This is perhaps the
 most useful input type, currently.
 .TP
 .B \-T
 The input file is to be text output from tcpdump.  The text formats which
 are currently supported are those which result from the following tcpdump
 option combinations:
 .PP
 .nf
 		tcpdump -n
 		tcpdump -nq
 		tcpdump -nqt
 		tcpdump -nqtt
 		tcpdump -nqte
 .fi
 .LP
 .TP
 .B \-X
 The input file is composed of text descriptions of IP packets.
 .TP
 .SH FILES
 .DT
 .SH SEE ALSO
 snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
 .SH DIAGNOSTICS
 .PP
 Needs to be run as root.
 .SH BUGS
 .PP
 Not all of the input formats are sufficiently capable of introducing a
 wide enough variety of packets for them to be all useful in testing.
 If you find any, please send email to me at darrenr@cyber.com.au
--- a/usr.sbin/ipf/ipresend/ipresend.c
+++ b/usr.sbin/ipf/ipresend/ipresend.c
@ -1,20 +1,16 @@
-/*	$NetBSD: ipresend.c,v 1.1.1.2 1997/05/27 22:18:08 thorpej Exp $	*/
+/*	$NetBSD: ipresend.c,v 1.1.1.3 1997/09/21 16:49:04 veego Exp $	*/
 /*
- * ipsend.c (C) 1995 Darren Reed
+ * ipresend.c (C) 1995-1997 Darren Reed
 *
 * This was written to test what size TCP fragments would get through
 * various TCP/IP packet filters, as used in IP firewalls.  In certain
 * conditions, enough of the TCP header is missing for unpredictable
 * results unless the filter is aware that this can happen.
 *
- * The author provides this program as-is, with no gaurantee for its
+ * Redistribution and use in source and binary forms are permitted
- * suitability for any specific purpose.  The author takes no responsibility
+ * provided that this notice is preserved and due credit is given
- * for the misuse/abuse of this program and provides it for the sole purpose
+ * to the original author and the contributors.
 * of testing packet filter policies.  This file maybe distributed freely
 * providing it is not modified and that this notice remains in tact.
 *
 * This was written and tested (successfully) on SunOS 4.1.x.
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "%W% %G% (C)1995 Darren Reed";
@ -96,10 +92,10 @@ char	**argv;
 	struct	in_addr	gwip;
 	struct	ipread	*ipr = NULL;
 	char	*name =  argv[0], *gateway = NULL, *dev = NULL;
-	char	c, *resend = NULL;
+	char	*resend = NULL;
-	int	mtu = 1500;
+	int	mtu = 1500, c;
-	while ((c = getopt(argc, argv, "EHPSTXd:g:m:r:")) != -1)
+	while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1)
 		switch (c)
 		{
 		case 'd' :
@ -118,6 +114,9 @@ char	**argv;
 		case 'r' :
 			resend = optarg;
 			break;
 		case 'R' :
 			opts |= OPT_RAW;
 			break;
 #ifndef	NO_IPF
 		case 'E' :
 			ipr = &etherf;
--- a/usr.sbin/ipf/ipsend/iplang.h
+++ b/usr.sbin/ipf/ipsend/iplang.h
@ -0,0 +1,53 @@
 /*	$NetBSD: iplang.h,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $	*/
 /*
 * (C)opyright 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 */
 typedef	struct iface {
 	int	if_MTU;
 	char	*if_name;
 	struct	in_addr	if_addr;
 	struct	ether_addr	if_eaddr;
 	struct	iface *if_next;
 	int	if_fd;
 } iface_t;
 typedef	struct	send	{
 	struct	iface	*snd_if;
 	struct	in_addr	snd_gw;
 } send_t;
 typedef	struct	arp	{
 	struct	in_addr	arp_addr;
 	struct	ether_addr	arp_eaddr;
 	struct	arp *arp_next;
 } arp_t;
 typedef	struct	aniphdr	{
 	union	{
 		ip_t		*ahu_ip;
 		char		*ahu_data;
 		tcphdr_t	*ahu_tcp;
 		udphdr_t	*ahu_udp;
 		icmphdr_t	*ahu_icmp;
 	} ah_un;
 	int	ah_optlen;
 	int	ah_lastopt;
 	int	ah_p;
 	size_t	ah_len;
 	struct	aniphdr	*ah_next;
 	struct	aniphdr	*ah_prev;
 } aniphdr_t;
 #define	ah_ip	ah_un.ahu_ip
 #define	ah_data	ah_un.ahu_data
 #define	ah_tcp	ah_un.ahu_tcp
 #define	ah_udp	ah_un.ahu_udp
 #define	ah_icmp	ah_un.ahu_icmp
--- a/usr.sbin/ipf/ipsend/iplang.tst
+++ b/usr.sbin/ipf/ipsend/iplang.tst
@ -0,0 +1,20 @@
 #
 interface { ifname le0; mtu 1500; }
 ipv4 {
 	src 10.1.1.49; dst 10.1.1.50; id 123; opt { rr 7; };
 	tcp {
 		seq 12345; ack 0; sport 9999; dport 23; flags S;
 		opt { mss 65535; }; data { value "abcdef"; } ;
 	}
 }
 send { via 10.1.1.50; }
 #
 ipv4 {
 	src 10.1.1.49; dst 10.1.1.50; id 1; opt { lsrr 1.1.1.1; };
 	tcp {
 		seq 12345; ack 0; sport 9999; dport 23; flags S;
 		opt { wscale 2 ; eol; mss 1; }; data { value "abcdef"; } ;
 	}
 }
 send { via 10.1.1.50; }
--- a/usr.sbin/ipf/ipsend/iplang_l.l
+++ b/usr.sbin/ipf/ipsend/iplang_l.l
@ -0,0 +1,246 @@
 /*	$NetBSD: iplang_l.l,v 1.1.1.1 1997/09/21 16:49:16 veego Exp $	*/
 %{
 /*
 * (C)opyright 1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
 * Id: iplang_l.l,v 2.0.2.8 1997/09/13 07:14:23 darrenr Exp 
 */
 #include <stdio.h>
 #include <string.h>
 #include <sys/param.h>
 #include "y.tab.h"
 #ifndef	__P
 # ifdef __STDC__
 #  define	__P(x)	x
 # else
 #  define	__P(x)	()
 # endif
 #endif
 int lineNum = 0, proto = 0, oldproto = 0, next = -1, laststate = 0;
 int *prstack = NULL, numpr = 0, state = 0, token = 0;
 void	push_proto __P((void));
 void	pop_proto __P((void));
 int	next_state __P((int, int));
 int	next_item __P((int));
 int	save_token __P((void));
 void	swallow __P((void));
 int	yylex __P((void));
 %}
 %%
 [ \t\r]	;
 \n	{ lineNum++; swallow(); }
 interface |
 iface	{ return next_state(IL_INTERFACE, -1); }
 name |
 ifname	{ return next_state(IL_IFNAME, IL_TOKEN); }
 router	{ return next_state(IL_DEFROUTER, IL_TOKEN); }
 mtu 	{ return next_state(IL_MTU, IL_NUMBER); }
 eaddr	{ return next_state(IL_EADDR, IL_TOKEN); }
 v4addr	{ return next_state(IL_V4ADDR, IL_TOKEN); }
 ipv4	{ return next_state(IL_IPV4, -1); }
 v	{ return next_state(IL_V4V, IL_TOKEN); }
 proto	{ return next_state(IL_V4PROTO, IL_TOKEN); }
 hl	{ return next_state(IL_V4HL, IL_TOKEN); }
 id	{ return next_state(IL_V4ID, IL_TOKEN); }
 ttl	{ return next_state(IL_V4TTL, IL_TOKEN); }
 tos	{ return next_state(IL_V4TOS, IL_TOKEN); }
 src	{ return next_state(IL_V4SRC, IL_TOKEN); }
 dst	{ return next_state(IL_V4DST, IL_TOKEN); }
 opt	{ return next_state(IL_OPT, -1); }
 len	{ return next_state(IL_LEN, IL_TOKEN); }
 off	{ return next_state(IL_OFF, IL_TOKEN); }
 sum	{ return next_state(IL_SUM, IL_TOKEN); }
 tcp	{ return next_state(IL_TCP, -1); }
 sport	{ return next_state(IL_SPORT, IL_TOKEN); }
 dport	{ return next_state(IL_DPORT, IL_TOKEN); }
 seq	{ return next_state(IL_TCPSEQ, IL_TOKEN); }
 ack	{ return next_state(IL_TCPACK, IL_TOKEN); }
 flags	{ return next_state(IL_TCPFL, IL_TOKEN); }
 urp	{ return next_state(IL_TCPURP, IL_TOKEN); }
 win	{ return next_state(IL_TCPWIN, IL_TOKEN); }
 udp	{ return next_state(IL_UDP, -1); }
 send	{ return next_state(IL_SEND, -1); }
 via	{ return next_state(IL_VIA, IL_TOKEN); }
 arp	{ return next_state(IL_ARP, -1); }
 data	{ return next_state(IL_DATA, -1); }
 value	{ return next_state(IL_DVALUE, IL_TOKEN); }
 file	{ return next_state(IL_DFILE, IL_TOKEN); }
 nop	{ return next_state(IL_IPO_NOP, -1); }
 eol	{ return next_state(IL_IPO_EOL, -1); }
 rr	{ return next_state(IL_IPO_RR, -1);  }
 zsu	{ return next_state(IL_IPO_ZSU, -1); }
 mtup	{ return next_state(IL_IPO_MTUP, -1); }
 mtur	{ return next_state(IL_IPO_MTUR, -1); }
 encode	{ return next_state(IL_IPO_ENCODE, -1); }
 ts	{ return next_state(IL_IPO_TS, -1); }
 tr	{ return next_state(IL_IPO_TR, -1); }
 sec	{ return next_state(IL_IPO_SEC, -1); }
 secclass	{ return next_state(IL_IPO_SECCLASS, IL_TOKEN); }
 lsrr	{ return next_state(IL_IPO_LSRR, -1); }
 esec	{ return next_state(IL_IPO_ESEC, -1); }
 cipso	{ return next_state(IL_IPO_CIPSO, -1); }
 satid	{ return next_state(IL_IPO_SATID, -1); }
 ssrr	{ return next_state(IL_IPO_SSRR, -1); }
 addext	{ return next_state(IL_IPO_ADDEXT, -1); }
 visa	{ return next_state(IL_IPO_VISA, -1); }
 imitd	{ return next_state(IL_IPO_IMITD, -1); }
 eip	{ return next_state(IL_IPO_EIP, -1); }
 finn	{ return next_state(IL_IPO_FINN, -1); }
 mss	{ return next_state(IL_TCPO_MSS, IL_TOKEN); }
 wscale	{ return next_state(IL_TCPO_MSS, IL_TOKEN); }
 reserv-4	{ return next_state(IL_IPS_RESERV4, -1); }
 topsecret	{ return next_state(IL_IPS_TOPSECRET, -1); }
 secret	{ return next_state(IL_IPS_SECRET, -1); }
 reserv-3	{ return next_state(IL_IPS_RESERV3, -1); }
 confid	{ return next_state(IL_IPS_CONFID, -1); }
 unclass	{ return next_state(IL_IPS_UNCLASS, -1); }
 reserv-2	{ return next_state(IL_IPS_RESERV2, -1); }
 reserv-1	{ return next_state(IL_IPS_RESERV1, -1); }
 \{	{ push_proto(); return next_item(IL_LBRACE); }
 \}	{ pop_proto(); return next_item(IL_RBRACE); }
 \.	{ return next_item(IL_DOT); }
 ;	{ return next_item(IL_SEMICOLON); }
 [0-9]+	{ return next_item(IL_NUMBER); }
 [0-9a-fA-F]	{ return next_item(IL_HEXDIGIT); }
 :	{ return next_item(IL_COLON); }
 #[^\n]*	{ return next_item(IL_COMMENT); }
 [^ {}\n\t;]*	{ return next_item(IL_TOKEN); }
 \"[^\"]*\"	{ return next_item(IL_TOKEN); }
 %%
 void push_proto()
 {
 	numpr++;
 	if (!prstack)
 		prstack = (int *)malloc(sizeof(int));
 	else
 		prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
 	prstack[numpr - 1] = oldproto;
 }
 void pop_proto()
 {
 	numpr--;
 	proto = prstack[numpr];
 	if (!numpr) {
 		free(prstack);
 		prstack = NULL;
 		return;
 	}
 	prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
 }
 int save_token()
 {
 	static char *buf = NULL;
 	if (buf && (buf == yylval.str))
 		free(buf);
 	buf = yylval.str = strdup(yytext);
 	return IL_TOKEN;
 }
 int next_item(nstate)
 int nstate;
 {
 	if (next == IL_TOKEN) {
 		next = -1;
 		return save_token();
 	}
 	next = -1;
 	if (nstate == IL_NUMBER)
 		yylval.num = atoi(yytext);
 	token++;
 	return nstate;
 }
 int next_state(nstate, fornext)
 int nstate, fornext;
 {
 	token++;
 	if (next == IL_TOKEN) {
 		next = -1;
 		return save_token();
 	}
 	next = fornext;
 	switch (nstate)
 	{
 	case IL_IPV4 :
 	case IL_TCP :
 	case IL_UDP :
 	case IL_ICMP :
 	case IL_DATA :
 	case IL_INTERFACE :
 	case IL_ARP :
 		oldproto = proto;
 		proto = nstate;
 		break;
 	case IL_SUM :
 		if (proto == IL_IPV4)
 			nstate = IL_V4SUM;
 		else if (proto == IL_TCP)
 			nstate = IL_TCPSUM;
 		else if (proto == IL_UDP)
 			nstate = IL_UDPSUM;
 		break;
 	case IL_OPT :
 		if (proto == IL_IPV4)
 			nstate = IL_V4OPT;
 		else if (proto == IL_TCP)
 			nstate = IL_TCPOPT;
 		break;
 	case IL_IPO_NOP :
 		if (proto == IL_TCP)
 			nstate = IL_TCPO_NOP;
 		break;
 	case IL_IPO_EOL :
 		if (proto == IL_TCP)
 			nstate = IL_TCPO_EOL;
 		break;
 	case IL_IPO_TS :
 		if (proto == IL_TCP)
 			nstate = IL_TCPO_TS;
 		break;
 	case IL_OFF :
 		if (proto == IL_IPV4)
 			nstate = IL_V4OFF;
 		else if (proto == IL_TCP)
 			nstate = IL_TCPOFF;
 		break;
 	case IL_LEN :
 		if (proto == IL_IPV4)
 			nstate = IL_V4LEN;
 		else if (proto == IL_UDP)
 			nstate = IL_UDPLEN;
 		break;
 	}
 	return nstate;
 }
 void swallow()
 {
 	int c = input();
 	if (c == '#') {
 		while ((c != '\n') && (c != EOF))
 			c = input();
 	}
 	unput(c);
 }
--- a/usr.sbin/ipf/ipsend/iplang_y.y
+++ b/usr.sbin/ipf/ipsend/iplang_y.y
--- a/usr.sbin/ipf/ipsend/ipsend.1
+++ b/usr.sbin/ipf/ipsend/ipsend.1
@ -0,0 +1,102 @@
 .TH IPSEND 1
 .SH NAME
 ipsend \- sends IP packets
 .SH SYNOPSIS
 .B ipsend
 [
 .B \-ITU
 ] [
 .B \-d
 <interface>
 ] [
 .B \-f
 <\fIoffset\fP>
 ] [
 .B \-g
 <\fIgateway\fP>
 ] [
 .B \-m
 <\fIMTU\fP>
 ] [
 .B \-o
 <\fIoption\fP>
 ] [
 .B \-P
 <protocol>
 ] [
 .B \-s
 <\fIsource\fP>
 ] [
 .B \-t
 <\fIdest. port\fP>
 ] [
 .B \-w
 <\fIwindow\fP>
 ] <destination> [TCP-flags]
 .SH DESCRIPTION
 .PP
 \fBipsend\fP can be compiled in two ways.  The first is used to send one-off
 packets to a destination host, using command line options to specify various
 attributes present in the headers.  The \fIdestination\fP must be given as
 the last command line option, except for when TCP flags are specified as
 a combination of A, S, F, U, P and R, last.
 .PP
 The other way it may be compiled, with DOSOCKET defined, is to allow an
 attempt at making a TCP connection using a with ipsend resending the SYN
 packet as per the command line options.
 .SH OPTIONS
 .TP
 .BR \-d \0<interface>
 Set the interface name to be the name supplied.
 .TP
 .BR \-f \0<offset>
 The \fI-f\fP allows the IP offset field in the IP header to be set to an
 arbitrary value, which can be specified in decimal or hexidecimal.
 .TP
 .BR \-g \0<gateway>
 Specify the hostname of the gateway through which to route packets.  This
 is required whenever the destination host isn't directly attached to the
 same network as the host from which you're sending.
 .TP
 .BR \-m \0<MTU>
 Specify the MTU to be used when sending out packets.  This option allows you
 to set a fake MTU, allowing the simulation of network interfaces with small
 MTU's without setting them so.
 .TP
 .BR \-o \0<option>
 Specify options to be included at the end of the IP header.  An EOL option
 is automatically appended and need not be given.  If an option would also
 have data associated with it (source as an IP# for a lsrr option), then
 this will not be initialised.
 .TP
 .BR \-s \0<source>
 Set the source address in the packet to that provided - maybe either a
 hostname or IP#.
 .TP
 .BR \-t \0<dest. port>
 Set the destination port for TCP/UDP packets.
 .TP
 .BR \-w \0<window>
 Set the window size for TCP packets.
 .TP
 .B \-I
 Set the protocol to ICMP.
 .TP
 .B \-P <protocol>
 Set the protocol to the value given.  If the parameter is a name, the name
 is looked up in the \fI/etc/protocols\fP file.
 .TP
 .B \-T
 Set the protocol to TCP.
 .TP
 .B \-U
 Set the protocol to UDP.
 .DT
 .SH SEE ALSO
 ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
 .SH DIAGNOSTICS
 .PP
 Needs to be run as root.
 .SH BUGS
 .PP
 If you find any, please send email to me at darrenr@cyber.com.au
--- a/usr.sbin/ipf/ipsend/ipsend.5
+++ b/usr.sbin/ipf/ipsend/ipsend.5
@ -0,0 +1,236 @@
 .TH IPSEND 5
 .SH NAME
 ipsend \- IP packet description language
 .SH DESCRIPTION
 The \fBipsend\fP program expects, with the \fB-L\fP option, input to be a
 text file which fits the grammar described below.  The purpose of this
 grammar is to allow IP packets to be described in an arbitary way which
 also allows encapsulation to be so done to an arbitary level.
 .SH GRAMMAR
 .LP
 .nf
 line ::= iface | arp | send | defrouter | ipv4line .
 iface ::= ifhdr "{" ifaceopts "}" .
 ifhdr ::= "interface" | "iface" .
 ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr | "eaddr" eaddr .
 send ::= "send" ";" | "send" "{" sendbodyopts "}" .
 sendbodyopts ::= sendbody [ sendbodyopts ] .
 sendbody ::= "ifname" name | "via" ipaddr .
 defrouter ::= "router" ipaddr .
 arp ::= "arp" "{" arpbodyopts "}" .
 arpbodyopts ::= arpbody [ arpbodyopts ] .
 arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
 ipv4line ::= "ipv4" "{" ipv4bodyopts "}" .
 ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] .
 ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
             "off" number | "v" number | "hl" number| "id" number |
             "ttl" number | "tos" number | "sum" number | "len" number |
             "opt" "{" ipv4optlist "}" | tcpline | udpline | icmpline |
             ipv4line .
 ipv4optlist ::= ipv4option [ ipv4optlist ] .
 ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
              "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
              "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
              "secclass" ipv4secclass.
 ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
                "reserv-3" | "reserv-4" | "secret" | "topsecret" .
 tcpline ::= "tcp" "{" tcpbodyopts "}" .
 tcpbodyopts ::= tcpbody [ tcpbodyopts ] .
 tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
            "off" number | "urp" number | "win" number | "sum" number |
            "flags" tcpflags | data .
 udpline ::= "udp" "{" udpbodyopts "}" .
 udpbodyopts ::= udpbody [ udpbodyopts ] .
 udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
            data .
 icmpline ::= "icmp" "{" icmpbodyopts "}" .
 icmpbodyopts ::= icmpbody [ icmpbodyopts ] .
 icmpbody ::= "type" icmptype [ typeopts ] [ "code" icmpcode ] .
 icmptype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
             "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
             "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
 .fi
 .SH COMMANDS
 .PP
 Before sending any packets or defining any packets, it is necessary to
 describe the interface(s) which will be used to send packets out.
 .TP
 .B interface
 is used to describe a network interface.  The description included need
 not match the actual configuration currently employed by the operating
 system.
 .TP
 .B send
 is used to actually send out a packet across the network.  If the
 destination is not specified, it will attempt to send the packet
 directly out on the network to the destination without routing it.
 .TP
 .B router
 configures the default router for ipsend, as distinct from the default
 route installed in the kernel.
 .TP
 .B ipv4
 is used to describe an IP (version 4) packet.  IP header fields can be
 specified, including options, followed by a data section which may contain
 further protocol headers.
 .SH IPV4
 .TP
 .B hl <number>
 manually specifies the IP header length (automatically adjusts with the
 presence of IP options and defaults to 5);
 .TP
 .B v <number>
 set the IP version.  Default is 4.
 .TP
 .B tos <number>
 set the type of service (TOS) field in the IP header.  Default is 0.
 .TP
 .B len <number>
 manually specifies the length of the IP packet.  The length will automatically
 be adjusted to accomodate data or further protocol headers.
 .TP
 .B off <number>
 sets the fragment offset field of the IP packet.  Default is 0.
 .TP
 .B ttl <number>
 sets the time to live (TTL) field of the IP header.  Default is 60. 
 .TP
 .B proto <protocol>
 sets the protocol field of the IP header.  The protocol can either be a
 number or a name found in \fB/etc/protocols\fP.
 .TP
 .B sum
 manually specifies the checksum for the IP header.  If left unset (0), it
 will be calculated prior to being sent.
 .TP
 .B src
 manually specifies the source address of the IP header.  If left unset, it
 will default to the host's IP address.
 .TP
 .B dst
 sets the destination of the IP packet.  The default is 0.0.0.0.
 .TP
 .B opt
 is used to include IP options in the IP header.
 .TP
 .B tcp
 is used to indicate the a TCP protocol header is to follow.  See the \fBTCP\fP
 section for TCP header options.
 .TP
 .B udp
 is used to indicate the a UDP protocol header is to follow.  See the \fBUDP\fP
 section for UDP header options.
 .TP
 .B icmp
 is used to indicate the a ICMP protocol header is to follow.  See the
 \fBICMP\fP section for ICMP header options.
 .TP
 .B data
 is used to indicate that raw data is to be included in the IP packet.  See the
 \fBDATA\fP section for details on options available.
 .SH TCP
 .TP
 .B sport <port>
 sets the source port to the number/name given.  Default is 0.
 .TP
 .B dport <port>
 sets the destination port to the number/name given.  Default is 0.
 .TP
 .B seq <number>
 sets the sequence number to the number specified.  Default is 0.
 .TP
 .B ack <number>
 sets the acknowledge number to the number specified.  Default is 0.
 .TP
 .B off <number>
 sets the offset value for the start of data to the number specified.  This
 implies the size of the TCP header.  It is automatically adjusted if TCP
 options are included and defaults to 5.
 .TP
 .B urp <number>
 sets the value of the urgent data pointer to the number specified.  Default
 is 0.
 .TP
 .B win <number>
 sets the size of the TCP window to the number specified.  Default is 4096.
 .TP
 .B sum <number>
 manually specifies the checksum for the TCP pseudo-header and data.  If left
 unset, it defaults to 0 and is automatically calculated.
 .TP
 .B flags <tcp-flags>
 sets the TCP flags field to match the flags specified.  Valid flags are
 "S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
 .TP
 .B opt
 indicates that TCP header options follow.  As TCP options are added to the
 TCP header, the \fBoff\fP field is updated to match.
 .TP
 .B data
 indicates that a data section is to follow and is to be included as raw
 data, being appended to the header.
 .SH UDP
 .TP
 .B sport <port>
 sets the source port to the number/name given.  Default is 0.
 .TP
 .B dport <port>
 sets the destination port to the number/name given.  Default is 0.
 .TP
 .B len <number>
 manually specifies the length of the UDP header and data.  If left unset,
 it is automatically adjusted to match the header presence and any data if
 present.
 .TP
 .B sum <number>
 manually specifies the checksum for the UDP pseudo-header and data.  If left
 unset, it defaults to 0 and is automatically calculated.
 .TP
 .B data
 indicates that a data section is to follow and is to be included as raw
 data, being appended to the header.
 .SH ICMP
 .TP
 .B type <icmptype>
 sets the ICMP type according the to the icmptype tag.  This may either be
 a number or one of the recognised tags (see the ICMP TYPES section for a
 list of names recognised).
 .TP
 .B code <icmpcode>
 sets the ICMP code.
 .TP
 .B data
 indicates that a data section is to follow and is to be included as raw
 data, being appended to the header.
 .SH DATA
 Each of the following extend the packet in a different way.  \fBLen\fP just
 increases the length (without adding any content), \fBvalue\fP uses a string
 and \fBfile\fP a file.
 .TP
 .B len <number>
 extend the length of the packet by \fBnumber\fP bytes (without filling those
 bytes with any particular data).
 .TP
 .B value <string>
 indicates that the string provided should be added to the current packet as
 data.  A string may be a consecutive list of characters and numbers (with
 no white spaces) or bounded by "'s (may not contain them, even if \\'d).
 The \\ charcater is recognised with the appropriate C escaped values, including
 octal numbers.
 .TP
 .B file <filename>
 reads data in from the specified file and appends it to the current packet.
 If the new total length would exceed 64k, an error will be reported.
 .SH FILES
 /etc/protocols
 /etc/services
 /etc/hosts
 .SH SEE ALSO
--- a/usr.sbin/ipf/ipsend/ipsopt.c
+++ b/usr.sbin/ipf/ipsend/ipsopt.c
@ -1,23 +1,25 @@
-/*	$NetBSD: ipsopt.c,v 1.1.1.2 1997/05/27 22:18:17 thorpej Exp $	*/
+/*	$NetBSD: ipsopt.c,v 1.1.1.3 1997/09/21 16:49:13 veego Exp $	*/
 /*
- * (C)opyright 1995 by Darren Reed.
+ * (C)opyright 1995-1997 by Darren Reed.
 *
- * This code may be freely distributed as long as it retains this notice
+ * Redistribution and use in source and binary forms are permitted
- * and is not changed in any way.  The author accepts no responsibility
+ * provided that this notice is preserved and due credit is given
- * for the use of this software.  I hate legaleese, don't you ?
+ * to the original author and the contributors.
 */
 #if !defined(lint) && defined(LIBC_SCCS)
 static	char	sccsid[] = "@(#)ipsopt.c	1.2 1/11/96 (C)1995 Darren Reed";
 #endif
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <arpa/inet.h>
 #include <netinet/ip_compat.h>
@ -40,7 +42,7 @@ struct ipopt_names {
 struct ipopt_names ionames[] = {
 	{ IPOPT_EOL,	0x01,	1, "eol" },
 	{ IPOPT_NOP,	0x02,	1, "nop" },
-	{ IPOPT_RR,	0x04,	7, "rr" },	/* 1 route */
+	{ IPOPT_RR,	0x04,	3, "rr" },	/* 1 route */
 	{ IPOPT_TS,	0x08,	8, "ts" },	/* 1 TS */
 	{ IPOPT_SECURITY, 0x08,	11, "sec-level" },
 	{ IPOPT_LSRR,	0x10,	7, "lsrr" },	/* 1 route */
@ -61,8 +63,10 @@ struct	ipopt_names secnames[] = {
 };
-u_short seclevel __P((char *));
+u_short	seclevel __P((char *));
-u_long optname __P((char *, char *));
+u_long	optname __P((char *, char *));
 int	addipopt __P((char *, struct ipopt_names *, int, char *));
 u_32_t	buildopts __P((char *, char *, int));
 u_short seclevel(slevel)
@ -82,14 +86,82 @@ char *slevel;
 }
-u_long optname(cp, op)
+int addipopt(op, io, len, class)
 char *op;
 struct ipopt_names *io;
 int len;
 char *class;
 {
 	struct in_addr ipadr;
 	int olen = len, srr = 0;
 	u_short val;
 	u_char lvl;
 	char *s = op, *t;
 	if ((len + io->on_siz) > 48) {
 		fprintf(stderr, "options too long\n");
 		return 0;
 	}
 	len += io->on_siz;
 	*op++ = io->on_value;
 	if (io->on_siz > 1) {
 		/*
 		 * Allow option to specify RR buffer length in bytes.
 		 */
 		if (io->on_value == IPOPT_RR) {
 			val = (class && *class) ? atoi(class) : 4;
 			*op++ = val + io->on_siz;
 			len += val;
 		} else
 			*op++ = io->on_siz;
 		*op++ = IPOPT_MINOFF;
 		while (class && *class) {
 			t = NULL;
 			switch (io->on_value)
 			{
 			case IPOPT_SECURITY :
 				lvl = seclevel(class);
 				*(op - 1) = lvl;
 				break;
 			case IPOPT_LSRR :
 			case IPOPT_SSRR :
 				if ((t = strchr(class, ',')))
 					*t = '\0';
 				ipadr.s_addr = inet_addr(class);
 				srr++;
 				bcopy((char *)&ipadr, op, sizeof(ipadr));
 				op += sizeof(ipadr);
 				break;
 			case IPOPT_SATID :
 				val = atoi(class);
 				bcopy((char *)&val, op, 2);
 				break;
 			}
 			if (t)
 				*t++ = ',';
 			class = t;
 		}
 		if (srr)
 			s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
 		if (io->on_value == IPOPT_RR)
 			op += val;
 		else
 			op += io->on_siz - 3;
 	}
 	return len - olen;
 }
 u_32_t buildopts(cp, op, len)
 char *cp, *op;
 int len;
 {
 	struct ipopt_names *io;
-	u_short lvl;
+	u_32_t msk = 0;
 	u_long msk = 0;
 	char *s, *t;
-	int len = 0;
+	int inc, lastop = -1;
 	for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
 		if ((t = strchr(s, '=')))
@ -97,21 +169,10 @@ char *cp, *op;
 		for (io = ionames; io->on_name; io++) {
 			if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
 				continue;
-			if ((len + io->on_siz) > 48) {
+			lastop = io->on_value;
-				fprintf(stderr, "options too long\n");
+			if ((inc = addipopt(op, io, len, t))) {
-				return 0;
+				op += inc;
-			}
+				len += inc;
 			len += io->on_siz;
 			*op++ = io->on_value;
 			if (io->on_siz > 1) {
 				*op++ = io->on_siz;
 				*op++ = IPOPT_MINOFF;
 				if (t && !strcasecmp(s, "sec-level")) {
 					lvl = seclevel(t);
 					bcopy(&lvl, op, sizeof(lvl));
 				}
 				op += io->on_siz - 3;
 			}
 			msk |= io->on_bit;
 			break;
@ -121,7 +182,24 @@ char *cp, *op;
 			return 0;
 		}
 	}
-	*op++ = IPOPT_EOL;
+
-	len++;
+	if (len & 3) {
 		while (len & 3) {
 			*op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
 			len++;
 		}
 	} else {
 		if (lastop != IPOPT_EOL) {
 			if (lastop == IPOPT_NOP)
 				*(op - 1) = IPOPT_EOL;
 			else {
 				*op++ = IPOPT_NOP;
 				*op++ = IPOPT_NOP;
 				*op++ = IPOPT_NOP;
 				*op = IPOPT_EOL;
 				len += 4;
 			}
 		}
 	}
 	return len;
 }
--- a/usr.sbin/ipf/ipsend/tcpip.h
+++ b/usr.sbin/ipf/ipsend/tcpip.h
@ -0,0 +1,77 @@
 /*	$NetBSD: tcpip.h,v 1.1.1.1 1997/09/21 16:49:15 veego Exp $	*/
 /*
 * Copyright (c) 1982, 1986, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)tcpip.h	8.1 (Berkeley) 6/10/93
 * Id: tcpip.h,v 2.0.2.2 1997/05/28 13:49:45 darrenr Exp 
 */
 #ifndef _NETINET_TCPIP_H_
 #define _NETINET_TCPIP_H_
 /*
 * Tcp+ip header, after ip options removed.
 */
 struct tcpiphdr {
 	struct 	ipovly ti_i;		/* overlaid ip structure */
 	struct	tcphdr ti_t;		/* tcp header */
 };
 #ifdef notyet
 /*
 * Tcp+ip header, after ip options removed but including TCP options.
 */
 struct full_tcpiphdr {
 	struct 	ipovly ti_i;		/* overlaid ip structure */
 	struct	tcphdr ti_t;		/* tcp header */
 	char	ti_o[TCP_MAXOLEN];	/* space for tcp options */
 };
 #endif /* notyet */
 #define	ti_next		ti_i.ih_next
 #define	ti_prev		ti_i.ih_prev
 #define	ti_x1		ti_i.ih_x1
 #define	ti_pr		ti_i.ih_pr
 #define	ti_len		ti_i.ih_len
 #define	ti_src		ti_i.ih_src
 #define	ti_dst		ti_i.ih_dst
 #define	ti_sport	ti_t.th_sport
 #define	ti_dport	ti_t.th_dport
 #define	ti_seq		ti_t.th_seq
 #define	ti_ack		ti_t.th_ack
 #define	ti_x2		ti_t.th_x2
 #define	ti_off		ti_t.th_off
 #define	ti_flags	ti_t.th_flags
 #define	ti_win		ti_t.th_win
 #define	ti_sum		ti_t.th_sum
 #define	ti_urp		ti_t.th_urp
 #endif
--- a/usr.sbin/ipf/iptest/iptest.1
+++ b/usr.sbin/ipf/iptest/iptest.1
@ -0,0 +1,101 @@
 .TH IPTEST 1
 .SH NAME
 iptest \- automatically generate a packets to test IP functionality
 .SH SYNOPSIS
 .B iptest
 [
 .B \-1234567
 ] [
 .B \-d
 <device>
 ] [
 .B \-g
 <gateway>
 ] [
 .B \-m
 <\fIMTU\fP>
 ] [
 .B \-p
 <\fIpointtest\fP>
 ] [
 .B \-s
 <\fIsource\fP>
 ] <destination>
 .SH DESCRIPTION
 .PP
 \fBiptest\fP ...
 .SH OPTIONS
 .TP
 .B \-1
 Run IP test group #1.  This group of tests generates packets with the IP
 header fields set to invalid values given other packet characteristics.
 The point tests are: 1 (ip_hl < ip_len), 2 (ip_hl > ip_len),
 3 (ip_v < 4), 4 (ip_v > 4), 5 (ip_len < packetsize, long packets),
 6 (ip_len > packet size, short packets), 7 (Zero length fragments),
 8 (packet > 64k after reassembly), 9 (IP offset with MSB set), 10 (ttl
 variations).
 .TP
 .B \-2
 Run IP test group #2.  This group of tests generates packets with the IP
 options constructed with invalud values given other packet characteristics.
 The point tests are: 1 (option length > packet length), 2 (option length = 0).
 .TP
 .B \-3
 Run IP test group #3.  This group of tests generates packets with the ICMP
 header fields set to non-standard values.  The point tests are: 1 (ICMP types
 0-31 & 255), 2 (type 3 & code 0 - 31), 3 (type 4 & code 0, 127, 128, 255),
 4 (type 5 & code 0, 127, 128, 255), 5 (types 8-10,13-18 with codes 0, 127,
 128 and 255), 6 (type 12 & code 0, 127, 128, 129, 255) and 7 (type 3 & codes
 9-10, 13-14 and 17-18 - shortened packets).
 .TP
 .B \-4
 Run IP test group #4.  This group of tests generates packets with the UDP
 header fields set to non-standard values.  The point tests are: 1 (UDP length
 > packet size), 2 (UDP length < packetsize), 3 (sport = 0, 1, 32767, 32768,
 65535), 4 (dport = 0, 1, 32767, 32768, 65535) and 5 (sizeof(struct ip) <= MTU
 <= sizeof(struct udphdr) + sizeof(struct ip)).
 .TP
 .B \-5
 Run IP test group #5.  This group of tests generates packets with the TCP
 header fields set to non-standard values.  The point tests are: 1 (TCP flags
 variations, all combinations), 2 (seq = 0, 0x7fffffff, 0x8000000, 0xa0000000,
 0xffffffff),  3 (ack = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff),
 4 (SYN packet with window of 0, 32768, 65535), 5 (set urgent pointer to 1,
 0x7fff, 0x8000, 0xffff), 6 (data offset), 7 (sport = 0, 1, 32767, 32768,
 65535) and 8 (dport = 0, 1, 32767, 32768, 65535).
 .TP
 .B \-6
 Run IP test group #6.  This test generates a large number of fragments in
 an attempt to exhaust the network buffers used for holding packets for later
 reassembly.  WARNING: this may crash or cause serious performance degradation
 to the target host.
 .TP
 .B \-7
 Run IP test group #7.  This test generates 1024 random IP packets with only
 the IP version, checksum, length and IP offset field correct.
 .TP
 .BR \-d \0<interface>
 Set the interface name to be the name supplied.
 .TP
 .BR \-g \0<gateway>
 Specify the hostname of the gateway through which to route packets.  This
 is required whenever the destination host isn't directly attached to the
 same network as the host from which you're sending.
 .TP
 .BR \-m \0<MTU>
 Specify the MTU to be used when sending out packets.  This option allows you
 to set a fake MTU, allowing the simulation of network interfaces with small
 MTU's without setting them so.
 .TP
 .B \-p <test>
 Run a...
 .DT
 .SH SEE ALSO
 ipsend(1), ipresend(1), bpf(4), dlpi(7p)
 .SH DIAGNOSTICS
 Only one of the numeric test options may be given when \fIiptest\fP is run.
 .PP
 Needs to be run as root.
 .SH BUGS
 .PP
 If you find any, please send email to me at darrenr@cyber.com.au
--- a/usr.sbin/ipf/rules/Makefile
+++ b/usr.sbin/ipf/rules/Makefile
@ -0,0 +1,12 @@
 #	$NetBSD: Makefile,v 1.1.1.1 1997/09/21 16:49:25 veego Exp $
 FILESDIR= /usr/share/samples/ipf
 FILES=	example.1 example.2 example.3 example.4 example.5 example.6 example.7 \
 	example.8 example.9 example.10 example.sr firewall ftp-proxy ftppxy \
 	nat-setup nat.eg server tcpstate
 all:
 .include <bsd.own.mk>
 .include <bsd.files.mk>
--- a/usr.sbin/ipf/rules/example.1
+++ b/usr.sbin/ipf/rules/example.1
@ -0,0 +1,4 @@
 #
 # block all incoming TCP packets on le0 from host "foo" to any destination.
 #
 block in on le0 proto tcp from foo/32 to any
--- a/usr.sbin/ipf/rules/example.10
+++ b/usr.sbin/ipf/rules/example.10
@ -0,0 +1,12 @@
 #
 # pass ack packets (ie established connection)
 #
 pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
 pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
 #
 # block incoming connection requests to my internal network from the big bad
 # internet.
 #
 block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
 #  to block the replies:
 block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
--- a/usr.sbin/ipf/rules/example.11
+++ b/usr.sbin/ipf/rules/example.11
@ -0,0 +1,26 @@
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
 pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
 pass in proto udp from fubar port != 53 to localhost
 #
 # block anything trying to get to X terminal ports, X:0 to X:9
 #
 block in proto tcp from any to any port 5999 >< 6010
 #
 # allow any connections to be made, except to BSD print/r-services
 # this will also protect syslog.
 #
 block in proto tcp/udp all
 pass in proto tcp/udp from any to any port 512 <> 515
 #
 # allow any connections to be made, except to BSD print/r-services
 # this will also protect syslog.
 #
 pass in proto tcp/udp all
 block in proto tcp/udp from any to any port 511 >< 516
--- a/usr.sbin/ipf/rules/example.12
+++ b/usr.sbin/ipf/rules/example.12
@ -0,0 +1,17 @@
 #
 # get rid of all short IP fragments (too small for valid comparison)
 #
 block in proto tcp all with short
 #
 # drop and log any IP packets with options set in them.
 #
 block in log all with ipopts
 #
 # log packets with BOTH ssrr and lsrr set
 #
 log in all with opt lsrr,ssrr
 #
 # drop any source routing options
 #
 block in quick all with opt lsrr
 block in quick all with opt ssrr
--- a/usr.sbin/ipf/rules/example.13
+++ b/usr.sbin/ipf/rules/example.13
@ -0,0 +1,17 @@
 #
 # Log all short TCP packets to qe3, with "packetlog" as the intended
 # destination for the packet.
 #
 block in to qe3:packetlog proto tcp all with short
 #
 # Log all connection attempts for TCP
 #
 pass in dup-to le0:packetlog proto tcp all flags S/SA
 #
 # Route all UDP packets through transparently.
 #
 pass in fastroute proto udp all
 #
 # Route all ICMP packets to network 10 out through le1, to "router"
 #
 pass in to le1:router proto icmp all
--- a/usr.sbin/ipf/rules/example.2
+++ b/usr.sbin/ipf/rules/example.2
@ -0,0 +1,4 @@
 #
 # block all outgoing TCP packets on le0 from any host to port 23 of host bar.
 #
 block out on le0 proto tcp from any to bar/32 port != 23
--- a/usr.sbin/ipf/rules/example.3
+++ b/usr.sbin/ipf/rules/example.3
@ -0,0 +1,40 @@
 #
 # block all inbound packets.
 #
 block in from any to any
 #
 # pass through packets to and from localhost.
 #
 pass in from 127.0.0.1/32 to 127.0.0.1/32
 #
 # allow a variety of individual hosts to send any type of IP packet to any
 # other host.
 #
 pass in from 10.1.3.1/32 to any
 pass in from 10.1.3.2/32 to any
 pass in from 10.1.3.3/32 to any
 pass in from 10.1.3.4/32 to any
 pass in from 10.1.3.5/32 to any
 pass in from 10.1.0.13/32 to any
 pass in from 10.1.1.1/32 to any
 pass in from 10.1.2.1/32 to any
 #
 #
 # block all outbound packets.
 #
 block out from any to any
 #
 # allow any packets destined for localhost out.
 #
 pass out from any to 127.0.0.1/32
 #
 # allow any host to send any IP packet out to a limited number of hosts.
 #
 pass out from any to 10.1.3.1/32
 pass out from any to 10.1.3.2/32
 pass out from any to 10.1.3.3/32
 pass out from any to 10.1.3.4/32
 pass out from any to 10.1.3.5/32
 pass out from any to 10.1.0.13/32
 pass out from any to 10.1.1.1/32
 pass out from any to 10.1.2.1/32
--- a/usr.sbin/ipf/rules/example.4
+++ b/usr.sbin/ipf/rules/example.4
@ -0,0 +1,4 @@
 #
 # block all ICMP packets.
 #
 block in proto icmp from any to any
--- a/usr.sbin/ipf/rules/example.5
+++ b/usr.sbin/ipf/rules/example.5
@ -0,0 +1,25 @@
 #
 # test ruleset
 #
 # allow packets coming from foo to bar through.
 #
 pass from foo to bar
 #
 # allow any TCP packets from the same subnet as foo is on through to host
 # 10.1.1.2 if they are destined for port 6667.
 #
 pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
 #
 # allow in UDP packets which are NOT from port 53 and are destined for
 # localhost
 #
 pass proto udp from fubar port != 53 to localhost
 #
 # block all ICMP unreachables.
 #
 block from any to any icmp unreach
 #
 # allow packets through which have a non-standard IP header length (ie there
 # are IP options such as source-routing present).
 #
 pass from any to any with ipopts
--- a/usr.sbin/ipf/rules/example.6
+++ b/usr.sbin/ipf/rules/example.6
@ -0,0 +1,5 @@
 #
 # block all TCP packets with only the SYN flag set (this is the first
 # packet sent to establish a connection) out of the SYN-ACK pair.
 #
 block in proto tcp from any to any flags S/SA
--- a/usr.sbin/ipf/rules/example.7
+++ b/usr.sbin/ipf/rules/example.7
@ -0,0 +1,12 @@
 # block all ICMP packets.
 #
 block in proto icmp all
 #
 # allow in ICMP echos and echo-replies.
 #
 pass in on le1 proto icmp from any to any icmp-type echo
 pass in on le1 proto icmp from any to any icmp-type echorep
 #
 # block all ICMP destination unreachable packets which are port-unreachables
 #
 block in on le1 proto icmp from any to any icmp-type unreach code 3
--- a/usr.sbin/ipf/rules/example.8
+++ b/usr.sbin/ipf/rules/example.8
@ -0,0 +1,10 @@
 #
 # block all incoming TCP connections but send back a TCP-RST for ones to
 # the ident port
 #
 block in proto tcp from any to any flags S/SA
 block return-rst in quick proto tcp from any to any port = 113 flags S/SA
 #
 # block all inbound UDP packets and send back an ICMP error.
 #
 block return-icmp in proto udp from any to any
--- a/usr.sbin/ipf/rules/example.9
+++ b/usr.sbin/ipf/rules/example.9
@ -0,0 +1,12 @@
 #
 # drop all packets without IP security options
 #
 block in all
 pass in all with opt sec
 #
 # only allow packets in and out on le0 which are top secret
 #
 block out on le1 all
 pass out on le1 all with opt sec-class topsecret
 block in on le1 all
 pass in on le1 all with opt sec-class topsecret
--- a/usr.sbin/ipf/rules/example.sr
+++ b/usr.sbin/ipf/rules/example.sr
@ -0,0 +1,61 @@
 #
 # log all inbound packet on le0 which has IP options present
 #
 log in on le0 from any to any with ipopts
 #
 # block any inbound packets on le0 which are fragmented and "too short" to
 # do any meaningful comparison on.  This actually only applies to TCP
 # packets which can be missing the flags/ports (depending on which part
 # of the fragment you see).
 #
 block in log quick on le0 from any to any with short frag
 #
 # log all inbound TCP packets with the SYN flag (only) set
 #  (NOTE: if it were an inbound TCP packet with the SYN flag set and it
 #         had IP options present, this rule and the above would cause it
 #         to be logged twice).
 #
 log in on le0 proto tcp from any to any flags S/SA
 #
 # block and log any inbound ICMP unreachables
 #
 block in log on le0 proto icmp from any to any icmp-type unreach
 #
 # block and log any inbound UDP packets on le0 which are going to port 2049
 # (the NFS port).
 #
 block in log on le0 proto udp from any to any port = 2049
 #
 # quickly allow any packets to/from a particular pair of hosts
 #
 pass in quick from any to 10.1.3.2/32
 pass in quick from any to 10.1.0.13/32
 pass in quick from 10.1.3.2/32 to any
 pass in quick from 10.1.0.13/32 to any
 #
 # block (and stop matching) any packet with IP options present.
 #
 block in quick on le0 from any to any with ipopts
 #
 # allow any packet through
 #
 pass in from any to any
 #
 # block any inbound UDP packets destined for these subnets.
 #
 block in on le0 proto udp from any to 10.1.3.0/24
 block in on le0 proto udp from any to 10.1.1.0/24
 block in on le0 proto udp from any to 10.1.2.0/24
 #
 # block any inbound TCP packets with only the SYN flag set that are
 # destined for these subnets.
 #
 block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
 block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
 block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
 #
 # block any inbound ICMP packets destined for these subnets.
 #
 block in on le0 proto icmp from any to 10.1.3.0/24
 block in on le0 proto icmp from any to 10.1.1.0/24
 block in on le0 proto icmp from any to 10.1.2.0/24
--- a/usr.sbin/ipf/rules/firewall
+++ b/usr.sbin/ipf/rules/firewall
@ -0,0 +1,39 @@
 Configuring IP Filter for firewall usage.
 =========================================
 Step 1 - Block out "bad" IP packets.
 ------------------------------------
 Run the perl script "mkfilters".  This will generate a list of blocking
 rules which:
 	a) blocks all packets which might belong to an IP Spoofing attack;
 	b) blocks all packets with IP options;
 	c) blocks all packets which have a length which is too short for
 	   any legal packet;
 Step 2 - Convert Network Security Policy to filter rules.
 ---------------------------------------------------------
 Draw up a list of which services you want to allow users to use on the
 Internet (e.g. WWW, ftp, etc).  Draw up a separate list for what you
 want each host that is part of your firewall to be allowed to do, including
 communication with internal hosts.
 Step 3 - Create TCP "keep state" rules.
 ---------------------------------------
 For each service that uses TCP, create a rule as follows:
 pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
 where
 * "int-a" is the internal interface of the firewall.  That is, it is the
  closest to your internal network in terms of network hops.
 * "int-net" is the internal network IP# subnet address range.  This might
   be something like 10.1.0.0/16, or 128.33.1.0/24 
 * "ext-service" is the service to which you which to connect or if it doesn't
  have a proper name, a number can be used.  The translation of "ext-service"
  as a name to a number is controlled with the /etc/services file.
--- a/usr.sbin/ipf/rules/ftp-proxy
+++ b/usr.sbin/ipf/rules/ftp-proxy
@ -0,0 +1,40 @@
 How to setup FTP proxying using the built in proxy code.
 ========================================================
 NOTE: Currently, the built-in FTP proxy is only available for use with NAT
      (i.e. only if you're already using "map" rules with ipnat).
 Lets assume your network diagram looks something like this:
 [host A]
   |a
 ---+-------------+----------
                 |b
             [host B]
                 |c
 ---+-------------+----------
   |d
 [host C]
 and IP Filter is running on host B.  If you want to proxy FTP from A to C
 then you would do:
 map int-c ipaddr-a/32 -> ip-addr-c-net/32 proxy ftp ftp/tcp
 int-c = name of "interface c"
 ipaddr-a = ip# of interface a
 ipaddr-c-net = another ip# on the C-network (usually not the same as the
 interface).
 e.g., if host A was 10.1.1.1, host B had two network interfaces ed0 and vx0
 which had IP#'s 10.1.1.2 and 203.45.67.89 respectively, and host C was
 203.45.67.90, you would do:
 map vx0 10.1.1.1/32 -> 203.45.67.91/32 proxy ftp ftp/tcp
 where:
 ipaddr-a = 10.1.1.1
 int-c = vx0
 ipaddr-c-net = 203.45.67.91
--- a/usr.sbin/ipf/rules/ftppxy
+++ b/usr.sbin/ipf/rules/ftppxy
@ -0,0 +1,6 @@
 #!/bin/sh
 # The proxy bit is as follows:
 # proxy [port <portname>] <tag>/<protocol>
 # the <tag> should match a tagname in the proxy table, as does the protocol.
 # this format isn't finalised yet
 echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
--- a/usr.sbin/ipf/rules/nat-setup
+++ b/usr.sbin/ipf/rules/nat-setup
@ -0,0 +1,77 @@
 Configuring NAT on your network.
 ================================
 To start setting up NAT, we need to define which is your "internal" interface
 and which is your "external" interface.  The "internal" interface is the
 network adapter connected to the network with private IP addresses which
 you need to change for communicating on the Internet.  The "external"
 interface is configured with a valid internet address.
 For example, your internal interface might have an IP# of 10.1.1.1 and be
 connected to your ethernet, whilst your external interface might be a PPP
 connection with an IP number of 204.51.62.176.
 Thus your network might look like this:
 <Internal Network>
 [pc]      [pc]
  |         |
 +-+---------+------+
                   |
               [firewall]
                   |
                   |
               Internet
 <External Network>
 Writing the map-rule.
 ---------------------
 When you're connected to the Internet, you will either have a block of IP
 addresses assigned to you, maybe several different blocks, or you use a
 single IP address, i.e. with dialup PPP.  If you have a block of addresses
 assigned, these can be used to create either a 1:1 mapping (if you have
 only a few internal IP addresses) or N:1 mappings, where groups of internal
 addresses map to a single IP address and unless you have enough Internet
 addresses for a 1:1 mapping, you will want to do "portmapping" for TCP and
 UDP port numbers.
 For an N:1 situation, you might have:
 map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.5/32 portmap
 where if you had 16 addresses available, you could do:
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
 Or if you wanted to allocate subnets to each IP#, you might do:
 map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap tcp/udp 10000:40000
 map ppp0 10.1.1.0/24 -> 209.23.1.2/32 portmap
 map ppp0 10.1.2.0/24 -> 209.23.1.3/32 portmap
 map ppp0 10.1.3.0/24 -> 209.23.1.4/32 portmap
 *** NOTE: NAT rules are used on a first-match basis only!
 Filtering with NAT.
 -------------------
 IP Filter will always translate addresses in a packet _BEFORE_ it checks its
 access list for inbound packets and translates addresses _AFTER_ it has
 checked the access control lists for outbound packets.
 For example (using the above NAT rules), if you wanted to prevent all hosts
 in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
 with ipf:
 block out on ppp0 from 10.1.2.0/24 to any
 block in on ppp0 from any to 10.1.2.0/24
 and use these with ipnat:
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
 map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
--- a/usr.sbin/ipf/rules/nat.eg
+++ b/usr.sbin/ipf/rules/nat.eg
@ -0,0 +1,14 @@
 # map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
 # port number to something between 10,000 and 20,000 inclusive.  For all other
 # IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
 # for each new user.
 #
 map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
 map ed1 10.1.0.0/16 -> 240.1.0.0/24
 #
 # Redirection is triggered for input packets.
 # For example, to redirect FTP connections through this box, to the local ftp
 # port, forcing them to connect through a proxy, you would use:
 #
 rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
 #
--- a/usr.sbin/ipf/rules/server
+++ b/usr.sbin/ipf/rules/server
@ -0,0 +1,11 @@
 #
 # For a network server, which has two interfaces, 128.1.40.1 (le0) and
 # 128.1.2.1 (le1), we want to block all IP spoofing attacks.  le1 is
 # connected to the majority of the network, whilst le0 is connected to a
 # leaf subnet.  We're not concerned about filtering individual services
 # or 
 #
 pass in quick on le0 from 128.1.40.0/24 to any
 block in quick log on le0 from any to any
 block in quick log on le1 from 128.1.1.0/24 to any
 pass in quick on le1 from any to any
--- a/usr.sbin/ipf/rules/tcpstate
+++ b/usr.sbin/ipf/rules/tcpstate
@ -0,0 +1,13 @@
 #
 # Only allow TCP packets in/out of le0 if there is an outgoing connection setup
 # somewhere, waiting for it.
 #
 pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
 block out on le0 proto tcp all
 block in on le0 proto tcp all
 #
 # allow nameserver queries and replies to pass through, but no other UDP
 #
 pass out quick on le0 proto udp from any to any port = 53 keep state
 block out on le0 proto udp all
 block in on le0 proto udp all