From a79df224af9e20d9f7d6e902500bd58b866cb7d2 Mon Sep 17 00:00:00 2001 From: martti Date: Thu, 14 Mar 2002 12:30:07 +0000 Subject: [PATCH] Import IPFilter 3.4.25 --- dist/ipf/IRIX/Makefile.std | 32 ++++++++++++++++------ dist/ipf/IRIX/getkflags | 6 ++--- dist/ipf/IRIX/getrev | 6 +++++ dist/ipf/OpenBSD/fixdist-3.0 | 21 ++++++++------- dist/ipf/common.c | 5 +++- dist/ipf/printstate.c | 5 +++- dist/ipf/test/expected/f15 | 9 +++++++ dist/ipf/test/expected/f16 | 9 +++++++ dist/ipf/test/expected/l1 | 49 +++++++++++++++++++++++++++++++++ dist/ipf/test/expected/l1.b | 47 ++++++++++++++++++++++++++++++++ dist/ipf/test/input/f15 | 8 ++++++ dist/ipf/test/input/f16 | 8 ++++++ dist/ipf/test/input/l1 | 52 ++++++++++++++++++++++++++++++++++++ dist/ipf/test/logtest | 48 +++++++++++++++++++++++++++++++++ dist/ipf/test/mtest | 36 +++++++++++++++++++++++++ dist/ipf/test/regress/f15 | 8 ++++++ dist/ipf/test/regress/f16 | 10 +++++++ dist/ipf/test/regress/l1 | 6 +++++ 18 files changed, 342 insertions(+), 23 deletions(-) create mode 100644 dist/ipf/IRIX/getrev create mode 100644 dist/ipf/test/expected/f15 create mode 100644 dist/ipf/test/expected/f16 create mode 100644 dist/ipf/test/expected/l1 create mode 100644 dist/ipf/test/expected/l1.b create mode 100644 dist/ipf/test/input/f15 create mode 100644 dist/ipf/test/input/f16 create mode 100644 dist/ipf/test/input/l1 create mode 100644 dist/ipf/test/logtest create mode 100644 dist/ipf/test/mtest create mode 100644 dist/ipf/test/regress/f15 create mode 100644 dist/ipf/test/regress/f16 create mode 100644 dist/ipf/test/regress/l1 diff --git a/dist/ipf/IRIX/Makefile.std b/dist/ipf/IRIX/Makefile.std index 908d622eda72..a16527005f52 100644 --- a/dist/ipf/IRIX/Makefile.std +++ b/dist/ipf/IRIX/Makefile.std @@ -12,6 +12,7 @@ # Automatically determine compiler switches and defines for kernel compilation # based on our current CPU: # +SGIREV=-DIRIX=$(SGI) DCPU=`uname -m` KFLAGS=`$(TOP)/IRIX/getkflags` # 
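Review bot: `SGIREV=-DIRIX=$(SGI)` depends on a variable that no visible line of this file sets, so if `SGI` is empty the compiler receives `-DIRIX=` and any numeric `#if IRIX ...` test would see an empty macro. The commit adds IRIX/getrev, which prints a revision number, but the hunk does not show where its output reaches `SGI`; presumably the parent make passes it down. A comment above the assignment, for example `# SGI: numeric OS revision as printed by IRIX/getrev, supplied by the top-level make`, would document the contract; confirm the wording against the caller.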
@@ -41,7 +42,7 @@ MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" # -CCARGS=-D_STANDALONE $(DEBUG) $(CFLAGS) +CCARGS=$(SGIREV) -D_STANDALONE $(DEBUG) $(CFLAGS) $(IPFLOG) # ########## ########## ########## ########## ########## ########## ########## # @@ -52,19 +53,21 @@ INSTALL=/sbin/install # MODOBJS=ip_fil.o fil_k.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \ ip_auth.o ip_log.o -DFLAGS=$(IPFLKM) $(IPFLOG) $(KFLAGS) $(MLFLAGS) -jalr #-D_MP_NETLOCKS -DMP +DFLAGS=$(IPFLKM) $(KFLAGS) $(MLFLAGS) -jalr $(SGIREV) \ + #-D_MP_NETLOCKS -DMP IPF=ipf.o parse.o common.o opt.o inet_addr.o facpri.o IPT=ipt.o parse.o common.o fil.o ipft_sn.o ipft_ef.o ipft_td.o ipft_pc.o \ opt.o ipft_tx.o misc.o ip_frag_u.o ip_state_u.o ip_nat_u.o ip_proxy_u.o \ - ip_auth_u.o ipft_hx.o ip_fil_u.o inet_addr.o natparse.o facpri.o -IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o -FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o + ip_auth_u.o ipft_hx.o ip_fil_u.o ip_log_u.o inet_addr.o natparse.o \ + facpri.o printnat.o printstate.o +IPNAT=ipnat.o kmem.o natparse.o common.o inet_addr.o printnat.o +FILS=fils.o parse.o common.o kmem.o opt.o inet_addr.o facpri.o printstate.o build all: ipf ipfstat ipftest ipmon ipnat $(LKM) ipfstat: $(FILS) $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ - -o $@ $(LIBS) $(STATETOP_LIB) + -o $@ $(LIBS) $(STATETOP_LIB) -lelf ipf: $(IPF) $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) @@ -77,7 +80,7 @@ ipftest: $(IPT) ln -s `pwd`/ipftest $(TOP) ipnat: $(IPNAT) - $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) + $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf tests: (cd test; make ) 
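Review bot: `$(IPFLOG)` moves from `DFLAGS` to `CCARGS` (the hunks at -41 and -52), so the objects in `MODOBJS`, which include `ip_log.o`, keep that define only if their compile rules use `CCARGS` as well as `DFLAGS`. Those rules are outside the visible hunks and should be checked, because a filter module that is presumably built without its logging define would lose its audit trail without any build error. Separately, the new `DFLAGS` line ends in a backslash and continues onto a line that holds only a comment; make joins the two and then strips the comment, which works but breaks as soon as someone edits either line. Writing `DFLAGS=$(IPFLKM) $(KFLAGS) $(MLFLAGS) -jalr $(SGIREV)` with no continuation and leaving `#-D_MP_NETLOCKS -DMP` on its own line avoids that.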
@@ -152,6 +155,9 @@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ ip_fil_u.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(CC) $(CCARGS) -c $(TOP)/$(IPFILC) -o $@ +ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h + $(CC) $(CCARGS) -c $(TOP)/ip_log.c -o $@ + $(LKM): $(MODOBJS) ld $(MLFLAGS) -r -d $(MODOBJS) -o $(LKM) @@ -196,18 +202,28 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h ipmon: $(TOP)/ipmon.c $(CC) $(CCARGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS) + ${RM} -f $(TOP)/ipmon + ln -s `pwd`/ipmon $(TOP) natparse.o: $(TOP)/natparse.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_proxy.h $(TOP)/ip_nat.h $(CC) $(CCARGS) -c $(TOP)/natparse.c -o $@ +printnat.o: $(TOP)/printnat.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_proxy.h $(TOP)/ip_nat.h + $(CC) $(CCARGS) -c $(TOP)/printnat.c -o $@ + +printstate.o: $(TOP)/printstate.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ + $(TOP)/ip_state.h + $(CC) $(CCARGS) -c $(TOP)/printstate.c -o $@ + clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon ipnat $(LKM) ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ cd $${i}; (make clean); cd ..; \ - ${RM} $${i}/Makefile $${i}/Makefile.ipsend; \ + ${RM} $${i}/Makefile* $${i}/Makefile.ipsend*; \ rmdir $${i}; \ fi \ done) diff --git a/dist/ipf/IRIX/getkflags b/dist/ipf/IRIX/getkflags index 922dae4fa3af..d3faf6a46bac 100644 --- a/dist/ipf/IRIX/getkflags +++ b/dist/ipf/IRIX/getkflags @@ -4,9 +4,9 @@ sed \ -e 's/\!empty//' \ -e 's/"//g' \ -e 's/\$(\([_A-Z]*\)) == /\1 == /' \ --e 's/== IP/== /' -e 's/#[^ie].*//' \ +-e 's/== *IP/== /g' -e 's/)=/) =/g' -e 's/#[^ie].*//' \ +-e 's/\$(CPUBOARD)/CPUBOARD/g' \ -e 's/^#$//' /var/sysgen/Makefile.kernio | \ -egrep -v '^$|^ROOT|^include' | \ /usr/lib/cpp -DCPUBOARD=${CPUNUM} | \ -egrep -v '^$|^#.*' +egrep -v '^$|^#.*|^$|^ROOT=|^include' exit 0 
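Review bot: In the `clean` loop of the hunk at -196, the new `${RM} $${i}/Makefile* $${i}/Makefile.ipsend*;` lists a second pattern that the first already covers, and unlike the `${RM} -f` line at the top of the recipe it omits `-f`, so an unmatched pattern is handed to rm literally and prints an error. `${RM} -f $${i}/Makefile*;` removes the same files quietly. The loop begins outside the changed line and still calls a literal `make` rather than `${MAKE}`, which is worth fixing while this recipe is being touched.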
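Review bot: The final filter in getkflags, `egrep -v '^$|^#.*|^$|^ROOT=|^include'`, repeats the `^$` alternative, and `^#.*` matches the same lines as `^#`. `egrep -v '^$|^#|^ROOT=|^include'` is equivalent and easier to audit, which matters because every line that survives this filter is substituted into the kernel compile flags through `KFLAGS` in Makefile.std. `^ROOT=` is also narrower than the old `^ROOT`, so a line written as `ROOT =` would now pass through to the compiler; confirm that is intended.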
diff --git a/dist/ipf/IRIX/getrev b/dist/ipf/IRIX/getrev new file mode 100644 index 000000000000..91c365dcadf3 --- /dev/null +++ b/dist/ipf/IRIX/getrev @@ -0,0 +1,6 @@ +#!/bin/sh +osrev=`uname -r` +major=`expr $osrev : '\([0-9]\)\..*'` +minor=`expr $osrev : '.*\.\([0-9]\)'` +printf '%d%02d' $major $minor +exit 0 diff --git a/dist/ipf/OpenBSD/fixdist-3.0 b/dist/ipf/OpenBSD/fixdist-3.0 index 617cd0372e85..1fe8638bddb1 100644 --- a/dist/ipf/OpenBSD/fixdist-3.0 +++ b/dist/ipf/OpenBSD/fixdist-3.0 @@ -1,4 +1,4 @@ -.\" $NetBSD: fixdist-3.0,v 1.1.1.1 2002/01/24 08:18:32 martti Exp $ +.\" $NetBSD: fixdist-3.0,v 1.1.1.2 2002/03/14 12:30:13 martti Exp $ .\" #!/bin/sh # @@ -59,7 +59,7 @@ cat > ${OFILE} << __EOF__ PROG= ipf MAN= ${MFILES} SRCS= ${SFILES} -CFLAGS+=-I\${.CURDIR}/../../sys/netinet +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet .include __EOF__ @@ -80,7 +80,7 @@ PROG= ipfstat MAN= ${MFILES} SRCS= ${SFILES} .PATH: \${.CURDIR}/../../sbin/ipf -CFLAGS+=-I\${.CURDIR}/../../sbin/ipf -DSTATETOP \\ +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf -DSTATETOP \\ -I\${.CURDIR}/../../sys/netinet DPADD= \${LIBCURSES} LDADD= -lcurses -lkvm @@ -104,7 +104,7 @@ PROG= ipnat MAN= ${MFILES} SRCS= ${SFILES} .PATH: \${.CURDIR}/../ipfstat \${.CURDIR}/../ipf -CFLAGS+=-I\${.CURDIR}/../../sbin/ipfstat -I\${.CURDIR}/../ipf \\ +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipfstat -I\${.CURDIR}/../ipf \\ -I\${.CURDIR}/../../sys/netinet LDADD= -lkvm @@ -163,8 +163,8 @@ SRCS= ${SFILES} .PATH: \${.CURDIR}/../../sbin/ipf \${.CURDIR}/../../sbin/ipfstat \\ \${.CURDIR}/../../sys/netinet \${.CURDIR}/../../sbin/ipnat -CFLAGS+=-I\${.CURDIR}/../../sbin/ipf -I\${.CURDIR}/../../sys/netinet \\ - -I\${.CURDIR}/../../sys -I\${.CURDIR} +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf \\ + -I\${.CURDIR}/../../sys/netinet -I\${.CURDIR}/../../sys -I\${.CURDIR} .include __EOF__ 
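Review bot: Both `expr` patterns in getrev accept a single digit only, and the minor pattern `'.*\.\([0-9]\)'` is greedy, so for a release string with more than one dot it returns the digit after the last dot rather than the first. `$osrev` is unquoted, and because the script always ends with `exit 0`, an unparsable `uname -r` still prints a number-like value that presumably ends up in `-DIRIX=`. Anchoring the patterns at the start, `` major=`expr "$osrev" : '\([0-9]*\)\.'` `` and `` minor=`expr "$osrev" : '[0-9]*\.\([0-9]*\)'` ``, and exiting non-zero when either is empty would make a bad parse visible to the build.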
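Review bot: `-DUSE_INET6` is hard-coded into each generated `CFLAGS+=` line of fixdist-3.0 (the hunks at -59, -80, -104, -163, -186 and -207) rather than set once, so turning IPv6 support on or off means editing six heredocs consistently. A single shell variable defined near the top of the script, outside these hunks, and referenced as for example `CFLAGS+=${INET6} -I\${.CURDIR}/../../sys/netinet` would keep the tools in step. Whether the kernel side of this build is compiled with the same define is not visible here; if the define changes any structure shared with the kernel, a comment stating that both sides must agree would help the next importer.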
@@ -186,7 +186,8 @@ PROG= ipfs MAN= ${MFILES} SRCS= ${SFILES} -CFLAGS+=-I\${.CURDIR}/../../sbin/ipf -I\${.CURDIR}/../../sys/netinet +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sbin/ipf \\ + -I\${.CURDIR}/../../sys/netinet .include __EOF__ @@ -207,7 +208,7 @@ cat > ${OFILE} << __EOF__ PROG= ipmon MAN= ${MFILES} SRCS= ${SFILES} -CFLAGS+=-I\${.CURDIR}/../../sys/netinet +CFLAGS+=-DUSE_INET6 -I\${.CURDIR}/../../sys/netinet .include __EOF__ @@ -276,7 +277,7 @@ PROG= ipresend BINDIR= /usr/sbin MAN= ${MFILES} SRCS= ${SFILES} -CFLAGS+= -DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\ +CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\ -I\${.CURDIR}/../../../sbin/ipf \\ -I\${.CURDIR}/../../../sys/netinet -I\${.CURDIR}/.. .PATH: \${.CURDIR}/../common \${.CURDIR}/../../ipftest \\ @@ -302,7 +303,7 @@ PROG= iptest BINDIR= /usr/sbin MAN= ${MFILES} SRCS= ${SFILES} -CFLAGS+= -DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\ +CFLAGS+=-DDOSOCKET -I\${.CURDIR}/../common -I\${.CURDIR}/../../ipftest \\ -I\${.CURDIR}/../../../sys/netinet \\ -I\${.CURDIR}/../../../sbin/ipf -I\${.CURDIR}/.. .PATH: \${.CURDIR}/../common diff --git a/dist/ipf/common.c b/dist/ipf/common.c index a52d82ec9183..c30f2a4ca51f 100644 --- a/dist/ipf/common.c +++ b/dist/ipf/common.c @@ -1,10 +1,13 @@ -/* $NetBSD: common.c,v 1.1.1.4 2002/01/24 08:18:29 martti Exp $ */ +/* $NetBSD: common.c,v 1.1.1.5 2002/03/14 12:30:07 martti Exp $ */ /* * Copyright (C) 1993-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ +#ifdef __sgi +# include +#endif #include #if !defined(__SVR4) && !defined(__svr4__) #include diff --git a/dist/ipf/printstate.c b/dist/ipf/printstate.c index 127dc8891248..c67a124687a1 100644 --- a/dist/ipf/printstate.c +++ b/dist/ipf/printstate.c 
@@ -1,10 +1,13 @@ -/* $NetBSD: printstate.c,v 1.1.1.1 2002/01/24 08:18:30 martti Exp $ */ +/* $NetBSD: printstate.c,v 1.1.1.2 2002/03/14 12:30:10 martti Exp $ */ /* * Copyright (C) 2002 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ +#ifdef __sgi +# include +#endif #include #include #include diff --git a/dist/ipf/test/expected/f15 b/dist/ipf/test/expected/f15 new file mode 100644 index 000000000000..9b31258e5717 --- /dev/null +++ b/dist/ipf/test/expected/f15 @@ -0,0 +1,9 @@ +block return-rst +pass +block return-icmp +pass +block +nomatch +pass +pass +-------- diff --git a/dist/ipf/test/expected/f16 b/dist/ipf/test/expected/f16 new file mode 100644 index 000000000000..b6cb3fae0818 --- /dev/null +++ b/dist/ipf/test/expected/f16 @@ -0,0 +1,9 @@ +block +block +pass +block +pass +pass +block +block +-------- diff --git a/dist/ipf/test/expected/l1 b/dist/ipf/test/expected/l1 new file mode 100644 index 000000000000..c158752d5330 --- /dev/null +++ b/dist/ipf/test/expected/l1 
@@ -0,0 +1,49 @@
+log in all
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
+pass in on anon0 all head 100
+--------
+pass in log quick from 3.3.3.3 to any group 100
+--------
+pass in log body quick from 2.2.2.2 to any
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+--------
+pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+--------
+pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
diff --git a/dist/ipf/test/expected/l1.b b/dist/ipf/test/expected/l1.b
new file mode 100644
index 000000000000..eef36606b295
--- /dev/null
+++ b/dist/ipf/test/expected/l1.b
@@ -0,0 +1,47 @@
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
+--------
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d ............
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d ............
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
+42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
diff --git a/dist/ipf/test/input/f15 b/dist/ipf/test/input/f15
new file mode 100644
index 000000000000..db547cb4f326
--- /dev/null
+++ b/dist/ipf/test/input/f15
@@ -0,0 +1,8 @@
+in on hme0 tcp 10.1.2.3,1200 195.134.65.10,100 S
+in on hme0 tcp 10.1.2.3,1200 195.134.65.10,22 S
+in on hme0 udp 10.1.2.3,1200 195.134.65.10,100
+in on hme0 udp 10.1.2.3,53 195.134.65.10,53
+in on hme0 10.1.2.3 195.134.65.10
+in on hme1 195.134.65.10 10.1.2.3
+in on hme1 udp 195.134.65.10,53 10.1.2.3,53
+in on hme1 tcp 195.134.65.10,22 10.1.2.3,1200 SA
diff --git a/dist/ipf/test/input/f16 b/dist/ipf/test/input/f16
new file mode 100644
index 000000000000..a17f41f756ec
--- /dev/null
+++ b/dist/ipf/test/input/f16
@@ -0,0 +1,8 @@
+in 2.2.2.2 5.5.5.5
+in 2.2.2.2 1.1.1.1
+in udp 4.4.4.4,110 1.1.1.1,53
+in udp 4.4.4.9,101 1.1.1.3,35
+in udp 4.4.4.8,111 1.1.1.2,53
+in tcp 4.4.4.7,220 1.1.1.1,23
+in tcp 4.4.4.6,202 1.1.1.3,22
+in tcp 4.4.4.5,222 1.1.1.2,52
diff --git a/dist/ipf/test/input/l1 b/dist/ipf/test/input/l1
new file mode 100644
index 000000000000..afda0db3971b
--- /dev/null
+++ b/dist/ipf/test/input/l1
@@ -0,0 +1,52 @@
+# 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
+45 00 0028 0000 4000 3f 06 0000 02020202 01010101
+0019 0401 00000000 00000000 50 12 2000 0000 0000
+
+#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
+[out,e1] 45 00 0028 0000 4000 3f 06 0000 02020202 01010101
+0019 0401 00000000 00000000 50 10 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 01 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e1 udp 1.1.1.1,1 4.4.4.4,53
+45 00 0028 0000 4000 3f 11 0000 01010101 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+
+#in on e1 udp 2.2.2.2,2 4.4.4.4,53
+45 00 0028 0000 4000 3f 11 0000 02020202 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+
+#in on e1 udp 2.2.2.2,2 4.4.4.4,53
+45 00 0038 0000 4000 3f 11 0000 02020202 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+0e0f 4061 4263 4465 4667 4869 4a6b 4c6d
+
+#in on e0 ip 4.4.4.4,53 1.1.1.1,1
+45 00 0014 0000 4000 3f 00 0000 02020202 04040404
+
+#in on e0 udp 3.3.3.3,1023 1.1.1.1,2049
+45 00 001c 0000 4000 3f 11 0000 03030303 01010101
+03ff 0801 0000 0000
+
+#in on e0 udp 1.1.1.1,2049 3.3.3.3,1023
+45 00 001c 0000 4000 3f 11 0000 01010101 03030303
+0801 03ff 0000 0000
+
diff --git a/dist/ipf/test/logtest b/dist/ipf/test/logtest
new file mode 100644
index 000000000000..0600056c00ed
--- /dev/null
+++ b/dist/ipf/test/logtest
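Review bot: Several `#` comments in input/l1 do not describe the packet bytes that follow them: the TCP comments name 2.1.2.2 while the headers carry `02020202`, the two `udp 2.2.2.2,2` comments sit above a source port of `0001`, and `#in on e0 ip 4.4.4.4,53 1.1.1.1,1` precedes a packet from `02020202` to `04040404`. expected/l1 agrees with the bytes (for example `2.2.2.2,1 -> 4.4.4.4,53`), so it is the comments that are stale. Correcting them, e.g. `#in on e1 udp 2.2.2.2,1 4.4.4.4,53`, keeps the fixture checkable by hand. The fourth packet is also labelled `#in on e1` although its `[out,e1]` prefix and the expected log mark it as outbound.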
@@ -0,0 +1,48 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+
+/bin/cp /dev/null results/$1
+/bin/cp /dev/null results/$1.b
+
+( while read rule; do
+ echo $rule >> results/$1
+ echo $rule | ../ipftest -br - -Hi input/$1 -l logout > /dev/null
+ if [ $? -ne 0 ] ; then
+ /bin/rm -f logout
+ exit 1
+ fi
+ ../ipmon -P /dev/null -f logout >> results/$1
+ echo "--------" >> results/$1
+ ../ipmon -P /dev/null -bf logout >> results/$1.b
+ echo "--------" >> results/$1.b
+done ) < regress/$1
+../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
+../ipmon -P /dev/null -f logout >> results/$1
+echo "--------" >> results/$1
+../ipmon -P /dev/null -bf logout >> results/$1.b
+echo "--------" >> results/$1.b
+
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+cmp expected/$1.b results/$1.b
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+/bin/rm -f logout
+$TOUCH $1
+exit 0
diff --git a/dist/ipf/test/mtest b/dist/ipf/test/mtest
new file mode 100644
index 000000000000..b185abb2bf7f
--- /dev/null
+++ b/dist/ipf/test/mtest
@@ -0,0 +1,36 @@
+#!/bin/sh
+# multiple rules at the same time
+
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+
+/bin/cp /dev/null results/$1
+
+../ipftest -br regress/$1 -i input/$1 > results/$1
+if [ $? -ne 0 ] ; then
+ exit 1
+fi
+echo "--------" >> results/$1
+
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+$TOUCH $1
+exit 0
diff --git a/dist/ipf/test/regress/f15 b/dist/ipf/test/regress/f15
new file mode 100644
index 000000000000..16185e1f3685
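Review bot: In logtest the `exit 1` inside `( while read rule; ... done ) < regress/$1` only leaves the subshell, and nothing tests the subshell's status, so an ipftest failure in the per-rule loop does not stop the script; `done ) < regress/$1 || exit 1` would propagate it. The expected files added with this test print every timestamp as `01/01/1970 10:00:00.000000`, which suggests ipmon formats the time in the local zone and the comparison only passes on a host ten hours ahead of UTC; if so, pin the zone before the first ipmon call with something like `TZ=GMT-10; export TZ`. If none of the three probed touch paths exists, `TOUCH` stays unset and `$TOUCH $1` executes the test name as a command, so a final fallback such as `TOUCH=touch` is worth adding. The fixed `logout` file name in the working directory also means two log tests cannot run side by side.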
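Review bot: The second `cmp expected/$1 results/$1` block in mtest repeats the first with the same two files, so it can never report anything new; it looks copied from a script that compares a second result file and can be removed. The `/bin/cp /dev/null results/$1` is likewise redundant with the `> results/$1` redirection on the ipftest command that follows. `TOUCH` stays unset when none of the probed paths exists, and `$TOUCH $1` then runs the test name as a command; ending the probe chain with `TOUCH=touch` avoids that.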
--- /dev/null
+++ b/dist/ipf/test/regress/f15
@@ -0,0 +1,8 @@
+block in log quick on hme0 from any to 195.134.65.0/25 head 10
+block return-rst in log quick proto tcp all flags S head 100 group 10
+pass in quick proto tcp from any to any port = 22 keep state group 100
+pass in quick proto tcp from any to any port = 23 keep state group 100
+pass in quick proto tcp from any to any port = 21 keep state group 100
+block return-icmp in quick proto udp all keep state head 110 group 10
+pass in quick proto udp from any to any port = 53 keep state group 110
+block in log quick on hme0 from any to any
diff --git a/dist/ipf/test/regress/f16 b/dist/ipf/test/regress/f16
new file mode 100644
index 000000000000..920ad8c958d2
--- /dev/null
+++ b/dist/ipf/test/regress/f16
@@ -0,0 +1,10 @@
+pass in all
+skip 2 in proto tcp all
+block in quick proto tcp all
+skip 4 in proto udp all
+block in quick proto udp all
+pass in quick proto tcp from any to 1.1.1.1
+pass in quick proto tcp from any to 1.1.1.2 port = 22
+block in quick proto udp from any to any port = 53
+pass in quick proto udp from any to any port = 53
+block in all
diff --git a/dist/ipf/test/regress/l1 b/dist/ipf/test/regress/l1
new file mode 100644
index 000000000000..88cca58039f9
--- /dev/null
+++ b/dist/ipf/test/regress/l1
@@ -0,0 +1,6 @@
+log in all
+pass in on anon0 all head 100
+pass in log quick from 3.3.3.3 to any group 100
+pass in log body quick from 2.2.2.2 to any
+pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
+pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state