aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDarren Reed <darrenr@FreeBSD.org>2000-07-19 13:52:47 +0000
committerDarren Reed <darrenr@FreeBSD.org>2000-07-19 13:52:47 +0000
commit02aea5e854e9f95720fb6724c7a9e965f42c434e (patch)
tree9dd2dd57126e92fb1c50f3f79af38794f6e05b63
parent933f6f74ee8ab500d6220f8560b0c022fcf93830 (diff)
downloadsrc-02aea5e854e9f95720fb6724c7a9e965f42c434e.tar.gz
src-02aea5e854e9f95720fb6724c7a9e965f42c434e.zip
Import v3.4.8 into -current
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=63516
-rwxr-xr-xcontrib/ipfilter/FreeBSD/kinstall17
-rw-r--r--contrib/ipfilter/HISTORY49
-rw-r--r--contrib/ipfilter/Makefile9
-rw-r--r--contrib/ipfilter/fil.c41
-rw-r--r--contrib/ipfilter/ip_auth.c4
-rw-r--r--contrib/ipfilter/ip_fil.c40
-rw-r--r--contrib/ipfilter/ip_fil.h8
-rw-r--r--contrib/ipfilter/ip_frag.c5
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c98
-rw-r--r--contrib/ipfilter/ip_log.c8
-rw-r--r--contrib/ipfilter/ip_nat.c66
-rw-r--r--contrib/ipfilter/ip_nat.h15
-rw-r--r--contrib/ipfilter/ip_rcmd_pxy.c17
-rw-r--r--contrib/ipfilter/ip_sfil.c4
-rw-r--r--contrib/ipfilter/ip_state.c26
-rw-r--r--contrib/ipfilter/ip_state.h6
-rw-r--r--contrib/ipfilter/ipf.c32
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/ipmon.c10
-rw-r--r--contrib/ipfilter/man/ipfstat.86
-rw-r--r--contrib/ipfilter/natparse.c106
-rw-r--r--contrib/ipfilter/parse.c27
-rw-r--r--contrib/ipfilter/solaris.c34
-rw-r--r--contrib/ipfilter/test/Makefile6
-rw-r--r--contrib/ipfilter/test/expected/n5330
-rw-r--r--contrib/ipfilter/test/expected/n670
-rw-r--r--contrib/ipfilter/test/expected/n720
-rw-r--r--contrib/ipfilter/test/input/n554
-rw-r--r--contrib/ipfilter/test/input/n613
-rw-r--r--contrib/ipfilter/test/input/n79
-rw-r--r--contrib/ipfilter/test/regress/n56
-rw-r--r--contrib/ipfilter/test/regress/n65
-rw-r--r--contrib/ipfilter/test/regress/n72
33 files changed, 959 insertions, 188 deletions
diff --git a/contrib/ipfilter/FreeBSD/kinstall b/contrib/ipfilter/FreeBSD/kinstall
index 42c2f09876ca..bb5aef50da4d 100755
--- a/contrib/ipfilter/FreeBSD/kinstall
+++ b/contrib/ipfilter/FreeBSD/kinstall
@@ -15,12 +15,17 @@ foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
chmod 644 /sys/netinet/$i
end
echo ""
-echo "Patching $archdir/$karch/conf.c"
-cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
-echo "Patching ip_input.c, ip_output.c and in_proto.c"
-cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
-(cd /sys/netinet; patch)
-
+grep iplopen $archdir/$karch/conf.c >& /dev/null
+if ( $status != 0 ) then
+ echo "Patching $archdir/$karch/conf.c"
+ cat FreeBSD/conf.c.diffs | (cd $archdir/$karch; patch)
+endif
+grep fr_checkp /sys/netinet/ip_input.c >& /dev/null
+if ( $status != 0 ) then
+ echo "Patching ip_input.c, ip_output.c and in_proto.c"
+ cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
+ (cd /sys/netinet; patch)
+endif
if ( -f /sys/conf/files.newconf ) then
echo "Patching /sys/conf/files.newconf"
cat FreeBSD/files.newconf.diffs | (cd /sys/conf; patch)
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index ea2f478b5c1b..b794c9a4c17f 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -20,6 +20,55 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.8 19/07/2000 - Released
+
+create fake opt_inet6.h for FreeBSD-4 compile as LKM
+
+add #ifdef's for KLD_MODULE sanity
+
+NAT fastroute'd packets which come out of return-*
+
+fix upper/lower case crap in ftp proxy and get seq# checking fixed up.
+
+3.4.7 08/07/2000 - Released
+
+make "ipf -y" lookup NAT if's which are unknown
+
+prepend line numbers to ioctl error messages in ipf/ipnat
+
+don't apply patches to FreeBSD twice
+
+allow for ip_len to be on an unaligned boundary early on in fr_precheck
+
+fix printing of icmp code when it is 0
+
+correct printing of port numbers in map rules with from/to
+
+don't allow fr_func to be called at securelevel > 0 or rules to be added
+if securelevel > 0 if they have a non-zero fr_func.
+
+3.4.6 11/06/2000 - Released
+
+add extra regression tests for new nat functionality
+
+place restrictions on using '!' in map/rdr rules
+
+fix up solaris compile problems
+
+3.4.5 10/06/2000 - Released
+
+mention -sl in ipfstat.8
+
+fix/support '!' in from/to rules (rdr) for NAT
+
+add from/to support to rdr NAT rules
+
+don't send ICMP errors in response to ICMP errors
+
+fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
+
+input accounting list used for both outbound and inbound packets
+
3.4.4 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 050aac6c9135..cb4199e1a287 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $Id: Makefile,v 2.11.2.1 2000/04/26 12:14:58 darrenr Exp $
+# $Id: Makefile,v 2.11.2.2 2000/07/18 13:58:10 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@@ -126,6 +126,11 @@ freebsd22: include
make freebsd
freebsd4: include
+ if [ x$INET6 = x ] ; then \
+ echo "#undef INET6" > opt_inet6.h; \
+ else \
+ echo "#define INET6" > opt_inet6.h; \
+ fi
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "DLKM=-DKLD_MODULE"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS1); cd ..)
@@ -181,7 +186,7 @@ setup:
clean: clean-include
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
- vnode_if.h $(LKM) *~
+ vnode_if.h $(LKM) *~ opt_inet6.h
(cd SunOS4; make clean)
(cd SunOS5; make clean)
(cd BSD; make clean)
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 258f76eacd86..623e84e2ffa8 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,13 +7,9 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.18 2000/07/19 13:13:40 darrenr Exp $";
#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
-#include "opt_inet6.h"
-#endif
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -25,6 +21,14 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darre
#endif
#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
+# if (__FreeBSD_version >= 400000)
+# ifndef KLD_MODULE
+# include "opt_inet6.h"
+# endif
+# if (__FreeBSD_version == 400019)
+# define CSUM_DELAY_DATA
+# endif
+# endif
# include <sys/filio.h>
# include <sys/fcntl.h>
#else
@@ -115,10 +119,8 @@ extern kmutex_t ipf_rw;
# if SOLARIS
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
ip, qif)
-# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip, qif)
# else /* SOLARIS */
# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
-# define SEND_RESET(ip, qif, if, fin) send_reset(fin, ip)
# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
@@ -659,8 +661,11 @@ void *m;
* Just log this packet...
*/
passt = fr->fr_flags;
- if ((passt & FR_CALLNOW) && fr->fr_func)
- passt = (*fr->fr_func)(passt, ip, fin);
+#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
+ if (securelevel <= 0)
+#endif
+ if ((passt & FR_CALLNOW) && fr->fr_func)
+ passt = (*fr->fr_func)(passt, ip, fin);
fin->fin_fr = fr;
#ifdef IPFILTER_LOG
if ((passt & FR_LOGMASK) == FR_LOG) {
@@ -965,8 +970,11 @@ int out;
pass &= ~(FR_LOGFIRST|FR_LOG);
}
- if (fr && fr->fr_func && !(pass & FR_CALLNOW))
- pass = (*fr->fr_func)(pass, ip, fin);
+#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
+ if (securelevel <= 0)
+#endif
+ if (fr && fr->fr_func && !(pass & FR_CALLNOW))
+ pass = (*fr->fr_func)(pass, ip, fin);
/*
* Only count/translate packets which will be passed on, out the
@@ -975,10 +983,10 @@ int out;
if (out && (pass & FR_PASS)) {
#ifdef USE_INET6
if (v == 6)
- list = ipacct6[0][fr_active];
+ list = ipacct6[1][fr_active];
else
#endif
- list = ipacct[0][fr_active];
+ list = ipacct[1][fr_active];
if ((fin->fin_fr = list) &&
(fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
ATOMIC_INCL(frstats[1].fr_acct);
@@ -1123,11 +1131,11 @@ logit:
if (((pass & FR_FASTROUTE) && !out) ||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- if (ipfr_fastroute(qif, ip, m, mp, fin, fdp) == 0)
+ if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
m = *mp = NULL;
}
if (mc)
- ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
+ ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
}
# endif /* !SOLARIS */
return (pass & FR_PASS) ? 0 : error;
@@ -1359,7 +1367,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.8 2000/05/22 10:26:09 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.18 2000/07/19 13:13:40 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1807,6 +1815,7 @@ void frsync()
ip_natsync(ifp);
ip_statesync(ifp);
}
+ ip_natsync((struct ifnet *)-1);
# endif
WRITE_ENTER(&ipf_mutex);
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index 78aff43e3faf..9fa24d630dd4 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.3 2000/06/17 06:24:31 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -46,7 +46,7 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.2 2000/05/22 10:26:11 d
# include <sys/stream.h>
# include <sys/kmem.h>
#endif
-#if _BSDI_VERSION >= 199802
+#if (_BSDI_VERSION >= 199802) || (__FreeBSD_Version >= 400000)
# include <sys/queue.h>
#endif
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 9216b3c439f4..fe6af664669f 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.9 2000/05/22 12:48:28 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.14 2000/07/18 13:57:55 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -692,6 +692,10 @@ caddr_t data;
if (error)
return EFAULT;
fp->fr_ref = 0;
+#if (BSD >= 199306) && defined(_KERNEL)
+ if ((securelevel > 0) && (fp->fr_func != NULL))
+ return EPERM;
+#endif
/*
* Check that the group number does exist and that if a head group
@@ -764,7 +768,7 @@ caddr_t data;
* interface pointer in the comparison (fr_next, fr_ifa).
*/
for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
- p != pp; p++)
+ p < pp; p++)
fp->fr_cksum += *p;
for (; (f = *ftail); ftail = &f->fr_next)
@@ -1088,6 +1092,19 @@ int dst;
m = NULL;
ifp = fin->fin_ifp;
if (fin->fin_v == 4) {
+ if ((oip->ip_p == IPPROTO_ICMP) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT))
+ switch (ntohs(fin->fin_data[0]) >> 8)
+ {
+ case ICMP_ECHO :
+ case ICMP_TSTAMP :
+ case ICMP_IREQ :
+ case ICMP_MASKREQ :
+ break;
+ default :
+ return 0;
+ }
+
# if (BSD < 199306) || defined(__sgi)
avail = MLEN;
m = m_get(M_DONTWAIT, MT_HEADER);
@@ -1325,10 +1342,9 @@ frdest_t *fdp;
ATOMIC_INCL(frstats[1].fr_acct);
}
fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK)) {
+ if (!fr || !(fr->fr_flags & FR_RETMASK))
(void) fr_checkstate(ip, fin);
- (void) ip_natout(ip, fin);
- }
+ (void) ip_natout(ip, fin);
} else
ip->ip_sum = 0;
/*
@@ -1585,15 +1601,29 @@ int v;
if (!ifneta) {
ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
+ if (!ifneta)
+ return NULL;
ifneta[1] = NULL;
ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
+ if (!ifneta[0]) {
+ free(ifneta);
+ return NULL;
+ }
nifs = 1;
} else {
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
+ if (!ifneta) {
+ nifs = 0;
+ return NULL;
+ }
ifneta[nifs] = NULL;
ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
+ if (!ifneta[nifs - 1]) {
+ nifs--;
+ return NULL;
+ }
}
ifp = ifneta[nifs - 1];
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index 14f486167488..da109b754e10 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.2 2000/05/22 10:26:13 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.3 2000/06/05 13:12:42 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -519,8 +519,8 @@ extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int ipfsync __P((void));
-extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
- fr_info_t *, frdest_t *));
+extern int ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
+ fr_info_t *, frdest_t *));
extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *));
extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *));
extern int fr_qin __P((queue_t *, mblk_t *));
@@ -529,8 +529,6 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
# else /* SOLARIS */
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int send_reset __P((struct ip *, fr_info_t *));
-extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 3e0a7f392e56..5019c60ae753 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.3 2000/05/05 15:10:23 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.4 2000/06/06 15:49:15 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -144,6 +144,9 @@ ipfr_t *table[];
ipfr_t **fp, *fra, frag;
u_int idx;
+ if (ipfr_inuse >= IPFT_SIZE)
+ return NULL;
+
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index 691e0ad05daa..5ea94a17f714 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,14 +2,17 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.7 2000/05/13 14:28:14 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.12 2000/07/19 13:06:13 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
#endif
#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A')
+#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
+#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
+#define isalpha(x) (isupper(x) || islower(x))
+#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
#define IPF_FTP_PROXY
@@ -35,6 +38,7 @@ u_short ippr_ftp_atoi __P((char **));
static frentry_t natfr;
int ippr_ftp_pasvonly = 0;
+int ippr_ftp_insecure = 0;
/*
@@ -97,21 +101,12 @@ int dlen;
#endif
tcp = (tcphdr_t *)fin->fin_dp;
- off = f->ftps_seq - ntohl(tcp->th_seq);
- if (off < 0)
- return 0;
/*
* Check for client sending out PORT message.
*/
if (dlen < IPF_MINPORTLEN)
return 0;
- /*
- * Count the number of bytes in the PORT message is.
- */
- if (off < 0)
- return 0;
-
- off += fin->fin_hlen + (tcp->th_off << 2);
+ off = fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
*/
@@ -201,6 +196,10 @@ int dlen;
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
m_copyback(m, off, nlen, newbuf);
+# ifdef M_PKTHDR
+ if (!(m->m_flags & M_PKTHDR))
+ m->m_pkthdr.len += inc;
+# endif
#endif
if (inc != 0) {
#if SOLARIS || defined(__sgi)
@@ -275,27 +274,39 @@ ftpinfo_t *ftp;
ip_t *ip;
int dlen;
{
- char *rptr, *wptr;
+ char *rptr, *wptr, cmd[6], c;
ftpside_t *f;
- int inc;
+ int inc, i;
inc = 0;
f = &ftp->ftp_side[0];
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
- if ((ftp->ftp_passok == 0) && !strncmp(rptr, "USER ", 5))
+ for (i = 0; (i < 5) && (i < dlen); i++) {
+ c = rptr[i];
+ if (isalpha(c)) {
+ cmd[i] = toupper(c);
+ } else {
+ cmd[i] = c;
+ }
+ }
+ cmd[i] = '\0';
+
+ if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5))
ftp->ftp_passok = 1;
- else if ((ftp->ftp_passok == 2) && !strncmp(rptr, "PASS ", 5))
+ else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5))
ftp->ftp_passok = 3;
else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly &&
- !strncmp(rptr, "PORT ", 5)) {
+ !strncmp(cmd, "PORT ", 5)) {
+ inc = ippr_ftp_port(fin, ip, nat, f, dlen);
+ } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
+ !strncmp(cmd, "PORT ", 5)) {
inc = ippr_ftp_port(fin, ip, nat, f, dlen);
}
while ((*rptr++ != '\n') && (rptr < wptr))
;
- f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
return inc;
}
@@ -313,8 +324,8 @@ int dlen;
u_short a5, a6, sp, dp;
u_int a1, a2, a3, a4;
fr_info_t fi;
- int inc, off;
nat_t *ipn;
+ int inc;
char *s;
/*
@@ -325,15 +336,8 @@ int dlen;
else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
return 0;
- /*
- * Count the number of bytes in the 227 reply is.
- */
tcp = (tcphdr_t *)fin->fin_dp;
- off = f->ftps_seq - ntohl(tcp->th_seq);
- if (off < 0)
- return 0;
- off += fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
*/
@@ -417,13 +421,13 @@ int dlen;
m1->b_wptr += inc;
}
/*copyin_mblk(m, off, nlen, newbuf);*/
-#else
+#else /* SOLARIS */
m = *((mb_t **)fin->fin_mp);
if (inc < 0)
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
/*m_copyback(m, off, nlen, newbuf);*/
-#endif
+#endif /* SOLARIS */
if (inc != 0) {
#if SOLARIS || defined(__sgi)
register u_32_t sum1, sum2;
@@ -438,10 +442,10 @@ int dlen;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
fix_outcksum(&ip->ip_sum, sum2, 0);
-#endif
+#endif /* SOLARIS || defined(__sgi) */
ip->ip_len += inc;
}
-#endif
+#endif /* 0 */
/*
* Add skeleton NAT entry for connection which will come back the
@@ -507,10 +511,11 @@ int dlen;
ftp->ftp_passok = 0;
else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
+ } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
+ inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
}
while ((*rptr++ != '\n') && (rptr < wptr))
;
- f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
return inc;
}
@@ -548,16 +553,16 @@ size_t len;
return 1;
} else
return 1;
- } else if (isupper(c)) {
+ } else if (isalpha(c)) {
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
c = *s++;
i--;
- if (isupper(c)) {
+ if (isalpha(c)) {
c = *s++;
i--;
if ((c != ' ') && (c != '\r'))
@@ -586,10 +591,10 @@ nat_t *nat;
ftpinfo_t *ftp;
int rv;
{
- int mlen, len, off, inc, i;
+ int mlen, len, off, inc, i, sel;
char *rptr, *wptr;
+ ftpside_t *f, *t;
tcphdr_t *tcp;
- ftpside_t *f;
mb_t *m;
tcp = (tcphdr_t *)fin->fin_dp;
@@ -606,23 +611,29 @@ int rv;
#else
mlen = mbufchainlen(m) - off;
#endif
- if (!mlen)
+ t = &ftp->ftp_side[1 - rv];
+ if (!mlen) {
+ t->ftps_seq = ntohl(tcp->th_ack);
return 0;
+ }
inc = 0;
f = &ftp->ftp_side[rv];
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
- if ((wptr == f->ftps_buf) && (f->ftps_seq <= ntohl(tcp->th_seq)))
- f->ftps_seq = ntohl(tcp->th_seq);
+ sel = nat->nat_aps->aps_sel[1 - rv];
+ if (rv)
+ i = nat->nat_aps->aps_ackoff[sel];
+ else
+ i = nat->nat_aps->aps_seqoff[sel];
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
- if (ntohl(tcp->th_seq) != f->ftps_seq + (wptr - rptr)) {
- return APR_ERR(0);
+ if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
+ return APR_ERR(-1);
}
while (mlen > 0) {
@@ -666,7 +677,6 @@ int rv;
} else
rptr++;
}
- f->ftps_seq += rptr - f->ftps_rptr;
f->ftps_rptr = rptr;
}
@@ -677,7 +687,6 @@ int rv;
i = wptr - rptr;
if ((rptr == f->ftps_buf) ||
(wptr - rptr > FTP_BUFSZ / 2)) {
- f->ftps_seq += i;
f->ftps_junk = 1;
rptr = wptr = f->ftps_buf;
} else {
@@ -691,6 +700,7 @@ int rv;
}
}
+ t->ftps_seq = ntohl(tcp->th_ack);
f->ftps_rptr = rptr;
f->ftps_wptr = wptr;
return inc;
diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c
index ef1af7ff512a..08073bbcdadf 100644
--- a/contrib/ipfilter/ip_log.c
+++ b/contrib/ipfilter/ip_log.c
@@ -5,7 +5,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: ip_log.c,v 2.5 2000/03/13 22:10:21 darrenr Exp $
+ * $Id: ip_log.c,v 2.5.2.1 2000/07/19 13:11:47 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@@ -20,7 +20,11 @@
# include "opt_ipfilter.h"
# endif
# else
-# include <osreldate.h>
+# ifdef KLD_MODULE
+# include <sys/osreldate.h>
+# else
+# include <osreldate.h>
+# endif
# endif
#endif
#ifdef IPFILTER_LOG
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 64f50b683ea7..d25f3f78ada9 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.10 2000/05/19 15:54:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.16 2000/07/18 13:57:40 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -473,10 +473,14 @@ int mode;
n->in_next = NULL;
*np = n;
- if (n->in_redir & NAT_REDIRECT)
+ if (n->in_redir & NAT_REDIRECT) {
+ n->in_flags &= ~IPN_NOTDST;
nat_addrdr(n);
- if (n->in_redir & (NAT_MAP|NAT_MAPBLK))
+ }
+ if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
+ n->in_flags &= ~IPN_NOTSRC;
nat_addnat(n);
+ }
n->in_use = 0;
if (n->in_redir & NAT_MAPBLK)
@@ -1517,6 +1521,8 @@ int dir;
ip_t *oip;
int flags = 0;
+ if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
+ return NULL;
if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
return NULL;
*nflags = IPN_ICMPERR;
@@ -1559,14 +1565,14 @@ int dir;
fix_outcksum(&icmp->icmp_cksum, sumd, 0);
} else {
fix_outcksum(&oip->ip_sum, sumd, 0);
-
+#if !SOLARIS && !defined(__sgi)
sumd += (sumd & 0xffff);
while (sumd > 0xffff)
sumd = (sumd & 0xffff) + (sumd >> 16);
-/* fix_incksum(&icmp->icmp_cksum, sumd, 0); */
+ fix_incksum(&icmp->icmp_cksum, sumd, 0);
+#endif
}
-
if ((flags & IPN_TCPUDP) != 0) {
tcphdr_t *tcp;
@@ -1714,19 +1720,28 @@ ip_t *ip;
if (np->in_p && ip->ip_p != np->in_p)
return 0;
if (fin->fin_out) {
- if (!(np->in_redir && (NAT_MAP|NAT_MAPBLK)))
+ if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
return 0;
- if ((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
+ if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
+ ^ ((np->in_flags & IPN_NOTSRC) != 0))
return 0;
- if ((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
+ if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
+ ^ ((np->in_flags & IPN_NOTDST) != 0))
return 0;
} else {
- if (!(np->in_redir && NAT_REDIRECT))
+ if (!(np->in_redir & NAT_REDIRECT))
+ return 0;
+ if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
+ ^ ((np->in_flags & IPN_NOTSRC) != 0))
+ return 0;
+ if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
+ ^ ((np->in_flags & IPN_NOTDST) != 0))
return 0;
}
ft = &np->in_tuc;
- if (!(fin->fin_fi.fi_fl & FI_TCPUDP)) {
+ if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
+ (fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
if (ft->ftu_scmp || ft->ftu_dcmp)
return 0;
return 1;
@@ -1863,7 +1878,6 @@ maskloop:
np = nat->nat_ptr;
if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
ipfr_nat_newfrag(ip, fin, 0, nat);
- ip->ip_src = nat->nat_outip;
MUTEX_ENTER(&nat->nat_lock);
nat->nat_age = fr_defnatage;
nat->nat_bytes += ip->ip_len;
@@ -1874,12 +1888,27 @@ maskloop:
* Fix up checksums, not by recalculating them, but
* simply computing adjustments.
*/
+ if (nflags == IPN_ICMPERR) {
+ u_32_t s1, s2, sumd;
+
+ s1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
+ s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
+ CALC_SUMD(s1, s2, sumd);
+
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_incksum(&ip->ip_sum, sumd, 0);
+ else
+ fix_outcksum(&ip->ip_sum, sumd, 0);
+ }
#if SOLARIS || defined(__sgi)
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0);
- else
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0);
+ else {
+ if (nat->nat_dir == NAT_OUTBOUND)
+ fix_outcksum(&ip->ip_sum, nat->nat_ipsumd, 0);
+ else
+ fix_incksum(&ip->ip_sum, nat->nat_ipsumd, 0);
+ }
#endif
+ ip->ip_src = nat->nat_outip;
if (!(ip->ip_off & IP_OFFMASK) &&
!(fin->fin_fi.fi_fl & FI_SHORT)) {
@@ -1917,6 +1946,7 @@ maskloop:
} else if (ip->ip_p == IPPROTO_ICMP) {
nat->nat_age = fr_defnaticmpage;
}
+
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
fix_outcksum(csump, nat->nat_sumd[1],
@@ -1986,7 +2016,7 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
;
- else if ((ip->ip_off & IP_OFFMASK) &&
+ else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
@@ -2024,7 +2054,7 @@ maskloop:
} else if ((in.s_addr & np->in_outmsk) != np->in_outip)
continue;
if ((np->in_redir & NAT_REDIRECT) &&
- (!np->in_pmin ||
+ (!np->in_pmin || (np->in_flags & IPN_FILTER) ||
((ntohs(np->in_pmax) >= ntohs(dport)) &&
(ntohs(dport) >= ntohs(np->in_pmin)))))
if ((nat = nat_new(np, ip, fin, nflags,
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index f1a339f2d62a..26fed254f225 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.1 2000/05/15 06:50:14 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.6 2000/07/15 14:50:06 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -103,9 +103,10 @@ typedef struct ipnat {
u_int in_hits;
struct in_addr in_nextip;
u_short in_pnext;
- u_short in_ppip; /* ports per IP */
u_short in_ippip; /* IP #'s per IP# */
- u_short in_flags; /* From here to in_dport must be reflected */
+ u_32_t in_flags; /* From here to in_dport must be reflected */
+ u_short in_spare;
+ u_short in_ppip; /* ports per IP */
u_short in_port[2]; /* correctly in IPN_CMPSIZ */
struct in_addr in_in[2];
struct in_addr in_out[2];
@@ -212,11 +213,13 @@ typedef struct natstat {
#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
#define IPN_AUTOPORTMAP 0x010
#define IPN_IPRANGE 0x020
-#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|\
- IPN_SPLIT|IPN_ROUNDR|IPN_FILTER)
+#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
+ IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST)
#define IPN_FILTER 0x040
#define IPN_SPLIT 0x080
#define IPN_ROUNDR 0x100
+#define IPN_NOTSRC 0x080000
+#define IPN_NOTDST 0x100000
typedef struct natlog {
@@ -236,6 +239,8 @@ typedef struct natlog {
#define NL_NEWMAP NAT_MAP
#define NL_NEWRDR NAT_REDIRECT
+#define NL_NEWBIMAP NAT_BIMAP
+#define NL_NEWBLOCK NAT_MAPBLK
#define NL_EXPIRE 0xffff
#define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m))
diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c
index daea94fdbec7..1d6264d5cc15 100644
--- a/contrib/ipfilter/ip_rcmd_pxy.c
+++ b/contrib/ipfilter/ip_rcmd_pxy.c
@@ -1,5 +1,5 @@
/*
- * $Id: ip_rcmd_pxy.c,v 1.4.2.1 2000/05/06 11:19:34 darrenr Exp $
+ * $Id: ip_rcmd_pxy.c,v 1.4.2.2 2000/07/15 12:38:30 darrenr Exp $
*/
/*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@@ -93,8 +93,17 @@ nat_t *nat;
#endif
tcp = (tcphdr_t *)fin->fin_dp;
+
+ if (tcp->th_flags & TH_SYN) {
+ *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
+ return 0;
+ }
+
+ if ((*(u_32_t *)aps->aps_data != 0) &&
+ (tcp->th_seq != *(u_32_t *)aps->aps_data))
+ return 0;
+
off = (ip->ip_hl << 2) + (tcp->th_off << 2);
- m = *(mb_t **)fin->fin_mp;
#if SOLARIS
m = fin->fin_qfm;
@@ -103,13 +112,11 @@ nat_t *nat;
bzero(portbuf, sizeof(portbuf));
copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#else
+ m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
bzero(portbuf, sizeof(portbuf));
m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
#endif
- if ((*(u_32_t *)aps->aps_data != 0) &&
- (tcp->th_seq != *(u_32_t *)aps->aps_data))
- return 0;
portbuf[sizeof(portbuf) - 1] = '\0';
s = portbuf;
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 40766e00e701..615e57fc6f3a 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.2 2000/05/22 10:26:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.3 2000/07/08 02:20:14 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -515,7 +515,7 @@ caddr_t data;
* interface pointer in the comparison (fr_next, fr_ifa).
*/
for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
- p != pp; p++)
+ p < pp; p++)
fp->fr_cksum += *p;
for (; (f = *ftail); ftail = &f->fr_next)
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index c9a28af05654..fa8e0504e6d8 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.9 2000/05/22 10:26:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.12 2000/06/19 02:38:37 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -381,8 +381,8 @@ caddr_t data;
{
register ipstate_t *is, *isn;
ipstate_save_t ips, *ipsp;
+ int error, out;
frentry_t *fr;
- int error;
error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
if (error)
@@ -405,8 +405,26 @@ caddr_t data;
return ENOMEM;
}
bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
+ out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
isn->is_rule = fr;
ips.ips_is.is_rule = fr;
+ if (*fr->fr_ifname) {
+ fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_v);
+ if (fr->fr_ifa == NULL)
+ fr->fr_ifa = (void *)-1;
+#ifdef _KERNEL
+ else {
+ strncpy(isn->is_ifname[out],
+ IFNAME(fr->fr_ifa), IFNAMSIZ);
+ isn->is_ifp[out] = fr->fr_ifa;
+ }
+#endif
+ } else
+ fr->fr_ifa = NULL;
+ /*
+ * send a copy back to userland of what we ended up
+ * to allow for verification.
+ */
error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips));
if (error) {
KFREE(isn);
@@ -1582,8 +1600,8 @@ fr_info_t *fin;
(oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
(is->is_type - 1 == oic->icmp6_type )) {
ips_stats.iss_hits++;
- is->is_pkts++;
- is->is_bytes += fin->fin_plen;
+ is->is_pkts++;
+ is->is_bytes += fin->fin_plen;
return is->is_rule;
}
}
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index 01c26a07ca8a..a5643af0dbd7 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.13 2000/03/13 22:10:23 darrenr Exp $
+ * $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -17,8 +17,8 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
-#define IPSTATE_SIZE 257
-#define IPSTATE_MAX 2048 /* Maximum number of states held */
+#define IPSTATE_SIZE 5737
+#define IPSTATE_MAX 4013 /* Maximum number of states held */
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index ac975e56f429..a1a0bfcf0182 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10 2000/03/13 22:10:23 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.1 2000/07/08 02:19:46 darrenr Exp $";
#endif
#if SOLARIS
@@ -295,9 +295,10 @@ char *name, *file;
if ((opts & OPT_ZERORULEST) &&
!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1)
+ if (ioctl(fd, add, &fr) == -1) {
+ fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCZRLST)");
- else {
+ } else {
#ifdef USE_QUAD_T
printf("hits %qd bytes %qd ",
(long long)fr->fr_hits,
@@ -310,11 +311,15 @@ char *name, *file;
}
} else if ((opts & OPT_REMOVE) &&
!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, del, &fr) == -1)
+ if (ioctl(fd, del, &fr) == -1) {
+ fprintf(stderr, "%d:", linenum);
perror("ioctl(delete rule)");
+ }
} else if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1)
+ if (ioctl(fd, add, &fr) == -1) {
+ fprintf(stderr, "%d:", linenum);
perror("ioctl(add/insert rule)");
+ }
}
}
}
@@ -339,7 +344,7 @@ FILE *file;
int s, len;
do {
- for (p = str, s = size;; p += len, s -= len) {
+ for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
/*
* if an error occured, EOF was encounterd, or there
* was no room to put NUL, return NULL.
@@ -347,12 +352,21 @@ FILE *file;
if (fgets(p, s, file) == NULL)
return (NULL);
len = strlen(p);
+ if (p[len - 1] != '\n') {
+ p[len] = '\0';
+ break;
+ }
p[len - 1] = '\0';
- if (p[len - 1] != '\\')
+ if (len < 2 || p[len - 2] != '\\')
break;
- size -= len;
+ else
+ /*
+ * Convert '\\' to a space so words don't
+ * run together
+ */
+ p[len - 2] = ' ';
}
- } while (*str == '\0' || *str == '\n');
+ } while (*str == '\0');
return (str);
}
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 12d866cc5ad8..bb2523d2ed8e 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -6,12 +6,12 @@
* to the original author and the contributors.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.5 2000/05/22 10:26:16 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.9 2000/07/19 13:40:04 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.4"
+#define IPL_VERSION "IP Filter: v3.4.8"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 593c665789a6..858c40c2f361 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.2 2000/07/15 14:50:06 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -209,11 +209,11 @@ static void init_tabs()
if (s->s_proto == NULL)
continue;
else if (!strcmp(s->s_proto, "tcp")) {
- port = s->s_port;
+ port = ntohs(s->s_port);
name = s->s_name;
tab = tcp_ports;
} else if (!strcmp(s->s_proto, "udp")) {
- port = s->s_port;
+ port = ntohs(s->s_port);
name = s->s_name;
tab = udp_ports;
} else
@@ -401,6 +401,10 @@ int blen;
strcpy(t, "NAT:RDR ");
else if (nl->nl_type == NL_EXPIRE)
strcpy(t, "NAT:EXPIRE ");
+ else if (nl->nl_type == NL_NEWBIMAP)
+ strcpy(t, "NAT:BIMAP ");
+ else if (nl->nl_type == NL_NEWBLOCK)
+ strcpy(t, "NAT:MAPBLOCK ");
else
sprintf(t, "Type: %d ", nl->nl_type);
t += strlen(t);
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index d1f2c3c5eae0..11149afdfd04 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -99,8 +99,10 @@ protocol number. If this option is not specified, state entries for any
protocol are specified.
.TP
.B \-s
-Show packet/flow state information (statistics) and held state information (in
-the kernel) if any is present.
+Show packet/flow state information (statistics only).
+.TP
+.B \-sl
+Show held state information (in the kernel) if any is present (no statistics).
.TP
.BR \-S \0<addrport>
This option is only valid in combination with \fB\-t\fP. Limit the state top
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
index 1069dbd6724f..9655615cfa50 100644
--- a/contrib/ipfilter/natparse.c
+++ b/contrib/ipfilter/natparse.c
@@ -54,7 +54,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.1 2000/04/28 18:08:00 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $";
#endif
@@ -103,25 +103,35 @@ void *ptr;
printf(" %s ", np->in_ifname);
if (np->in_flags & IPN_FILTER) {
+ if (np->in_flags & IPN_NOTSRC)
+ printf("! ");
printf("from ");
- if (np->in_redir == NAT_REDIRECT)
+ if (np->in_redir == NAT_REDIRECT) {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
- else
+ if (np->in_scmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_src);
+ } else {
printhostmask(4, (u_32_t *)&np->in_inip,
(u_32_t *)&np->in_inmsk);
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
+ if (np->in_dcmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ }
+ if (np->in_flags & IPN_NOTDST)
+ printf(" !");
printf(" to ");
- if (np->in_redir == NAT_REDIRECT)
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- else
+ if (np->in_redir == NAT_REDIRECT) {
+ printhostmask(4, (u_32_t *)&np->in_outip,
+ (u_32_t *)&np->in_outmsk);
+ if (np->in_dcmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ } else {
printhostmask(4, (u_32_t *)&np->in_srcip,
(u_32_t *)&np->in_srcmsk);
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ if (np->in_scmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_src);
+ }
}
if (np->in_redir == NAT_REDIRECT) {
@@ -132,12 +142,12 @@ void *ptr;
printf("/%d ", bits);
else
printf("/%s ", inet_ntoa(np->in_out[1]));
+ if (np->in_pmin)
+ printf("port %d", ntohs(np->in_pmin));
+ if (np->in_pmax != np->in_pmin)
+ printf("- %d", ntohs(np->in_pmax));
}
- if (np->in_pmin)
- printf("port %d ", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("- %d ", ntohs(np->in_pmax));
- printf("-> %s", inet_ntoa(np->in_in[0]));
+ printf(" -> %s", inet_ntoa(np->in_in[0]));
if (np->in_flags & IPN_SPLIT)
printf(",%s", inet_ntoa(np->in_in[1]));
if (np->in_pnext)
@@ -312,7 +322,27 @@ int linenum;
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
cpp++;
- if (!strcasecmp(*cpp, "from")) {
+ if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
+ if (!strcmp(*cpp, "!")) {
+ cpp++;
+ if (strcasecmp(*cpp, "from")) {
+ fprintf(stderr, "Missing from after !\n");
+ return NULL;
+ }
+ ipn.in_flags |= IPN_NOTSRC;
+ } else if (**cpp == '!') {
+ if (strcasecmp(*cpp + 1, "from")) {
+ fprintf(stderr, "Missing from after !\n");
+ return NULL;
+ }
+ ipn.in_flags |= IPN_NOTSRC;
+ }
+ if ((ipn.in_flags & IPN_NOTSRC) &&
+ (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
+ fprintf(stderr, "Cannot use '! from' with map\n");
+ return NULL;
+ }
+
ipn.in_flags |= IPN_FILTER;
cpp++;
if (ipn.in_redir == NAT_REDIRECT) {
@@ -325,34 +355,48 @@ int linenum;
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
(u_32_t *)&ipn.in_inmsk,
- &ipn.in_dport, &ipn.in_dcmp,
- &ipn.in_dtop, linenum)) {
+ &ipn.in_sport, &ipn.in_scmp,
+ &ipn.in_stop, linenum)) {
return NULL;
}
}
+ if (!strcmp(*cpp, "!")) {
+ cpp++;
+ ipn.in_flags |= IPN_NOTDST;
+ } else if (**cpp == '!') {
+ (*cpp)++;
+ ipn.in_flags |= IPN_NOTDST;
+ }
+
if (strcasecmp(*cpp, "to")) {
fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
linenum, *cpp);
return NULL;
}
+ if ((ipn.in_flags & IPN_NOTDST) &&
+ (ipn.in_redir & (NAT_REDIRECT))) {
+ fprintf(stderr, "Cannot use '! to' with rdr\n");
+ return NULL;
+ }
if (!*++cpp) {
fprintf(stderr, "%d: missing host after to\n", linenum);
return NULL;
}
if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk,
+ if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
+ (u_32_t *)&ipn.in_outmsk,
&ipn.in_dport, &ipn.in_dcmp,
&ipn.in_dtop, linenum)) {
return NULL;
}
+ ipn.in_pmin = htons(ipn.in_dport);
} else {
if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
(u_32_t *)&ipn.in_srcmsk,
- &ipn.in_sport, &ipn.in_scmp,
- &ipn.in_stop, linenum)) {
+ &ipn.in_dport, &ipn.in_dcmp,
+ &ipn.in_dtop, linenum)) {
return NULL;
}
}
@@ -673,8 +717,11 @@ int linenum;
return NULL;
}
cpp++;
- if (!*cpp)
+ if (!*cpp) {
+ fprintf(stderr, "%d: missing expression following portmap\n",
+ linenum);
return NULL;
+ }
if (!strcasecmp(*cpp, "tcp"))
ipn.in_flags |= IPN_TCP;
@@ -741,7 +788,7 @@ int opts;
fp = stdin;
while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
+ linenum++;
line[sizeof(line) - 1] = '\0';
if ((s = strchr(line, '\n')))
*s = '\0';
@@ -755,10 +802,15 @@ int opts;
printnat(np, opts, NULL);
if (!(opts & OPT_NODO)) {
if (!(opts & OPT_REMOVE)) {
- if (ioctl(fd, SIOCADNAT, &np) == -1)
+ if (ioctl(fd, SIOCADNAT, &np) == -1) {
+ fprintf(stderr, "%d:",
+ linenum);
perror("ioctl(SIOCADNAT)");
- } else if (ioctl(fd, SIOCRMNAT, &np) == -1)
+ }
+ } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
+ fprintf(stderr, "%d:", linenum);
perror("ioctl(SIOCRMNAT)");
+ }
}
}
}
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 0f05c15db520..ab1e08c53eb8 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -939,14 +939,20 @@ int linenum;
linenum, **cp);
return -1;
}
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
+ } else {
+ i = icmpcode(**cp);
+ if (i == -1) {
+ fprintf(stderr,
+ "%d: Invalid icmp code (%s) specified\n",
+ linenum, **cp);
+ return -1;
+ }
}
- fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
+ i &= 0xff;
+ fp->fr_icmp |= (u_short)i;
+ fp->fr_icmpm = (u_short)0xffff;
+ (*cp)++;
+ return 0;
}
@@ -966,9 +972,8 @@ char *str;
char *s;
int i, len;
- if (!(s = strrchr(str, ')')))
- return -1;
- *s = '\0';
+ if ((s = strrchr(str, ')')))
+ *s = '\0';
if (isdigit(*str)) {
if (!ratoi(str, &i, 0, 255))
return -1;
@@ -1153,7 +1158,7 @@ struct frentry *fp;
printf(" icmp-type %s", icmptypes[type]);
else
printf(" icmp-type %d", type);
- if (code)
+ if (ntohs(fp->fr_icmpm) & 0xff)
printf(" code %d", code);
}
if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 5187bca0e0ec..ce25337e47a7 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.3 2000/05/22 10:26:17 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.6 2000/07/18 13:56:33 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@@ -625,15 +625,28 @@ tryagain:
sap = qif->qf_ill->ill_sap;
if (sap == 0x800) {
+ u_short tlen;
+
hlen = sizeof(*ip);
- plen = ntohs(ip->ip_len);
+
+ /* XXX - might not be aligned (from ppp?) */
+ ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
+ ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
+
+ plen = ntohs(tlen);
+
sap = 0;
}
#if SOLARIS2 >= 8
else if (sap == IP6_DL_SAP) {
+ u_short tlen;
+
hlen = sizeof(ip6_t);
ip6 = (ip6_t *)ip;
- plen = ntohs(ip6->ip6_plen);
+ /* XXX - might not be aligned (from ppp?) */
+ ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
+ ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
+ plen = ntohs(tlen);
sap = IP6_DL_SAP;
}
#endif
@@ -670,7 +683,7 @@ fixalign:
s = m->b_rptr;
}
*mp = m2;
- MTYPE(m2) = M_DATA;
+ MTYPE(m2) = MTYPE(mt);
freemsg(mt);
mt = m2;
@@ -678,7 +691,6 @@ fixalign:
synced = 1;
off = 0;
goto tryagain;
-
}
if (((sap == 0) && (ip->ip_v != IP_VERSION))
@@ -1590,8 +1602,7 @@ ire_t *ire;
#endif
-int ipfr_fastroute(qf, ip, mb, mpp, fin, fdp)
-qif_t *qf;
+int ipfr_fastroute(ip, mb, mpp, fin, fdp)
ip_t *ip;
mblk_t *mb, **mpp;
fr_info_t *fin;
@@ -1608,13 +1619,15 @@ frdest_t *fdp;
frentry_t *fr;
frdest_t fd;
ill_t *ifp;
- qif_t *qif;
u_char *s;
+ qif_t *qf;
int p;
#ifndef sparc
u_short __iplen, __ipoff;
#endif
+ qf = fin->fin_qif;
+
/*
* If this is a duplicate mblk then we want ip to point at that
* data, not the original, if and only if it is already pointing at
@@ -1718,10 +1731,9 @@ frdest_t *fdp;
ATOMIC_INCL(frstats[1].fr_acct);
}
fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK)) {
+ if (!fr || !(fr->fr_flags & FR_RETMASK))
(void) fr_checkstate(ip, fin);
- (void) ip_natout(ip, fin);
- }
+ (void) ip_natout(ip, fin);
}
#ifndef sparc
if (fin->fin_v == 4) {
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index a6d73ef215c6..0726cdd3863b 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -20,7 +20,7 @@ ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
-ntests: n1 n2 n3 n4
+ntests: n1 n2 n3 n4 n5 n6 n7
0:
@(cd ..; make ipftest; )
@@ -34,10 +34,10 @@ f12:
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
-n1 n2 n3 n4:
+n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/*
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
- /bin/rm -f n1 n2 n3 n4
+ /bin/rm -f n1 n2 n3 n4 n5 n6 n7
diff --git a/contrib/ipfilter/test/expected/n5 b/contrib/ipfilter/test/expected/n5
new file mode 100644
index 000000000000..75f174b0741c
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n5
@@ -0,0 +1,330 @@
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.2.2.2 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.2.2.2 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.1.1.1
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.2.2.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.2.2.2,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.2.2.2 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.2.2.2,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.2.2.2,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.3.4.5 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.3.4.5 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.0
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.3.4.5 > 10.1.1.2
+ip 20(20) 0 10.3.4.5 > 10.1.2.1
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,2000 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.5,2001 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.5,2002 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.5,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.3.4.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.3.4.1 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.3.4.1 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.3.4.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.3.4.2 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.1,1025 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.2,1026 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.1.1.3,2000 > 10.1.2.1,80
+ip 40(20) 6 10.1.1.3,2001 > 10.1.3.1,80
+ip 40(20) 6 10.1.1.3,2002 > 10.1.4.1,80
+ip 40(20) 6 10.1.1.3,2003 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.5,10001 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.3.4.1,10002 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10003 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10001 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.1,10004 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.1,10005 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.1,10006 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.1,10007 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.1,10008 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.1,10009 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.1,10010 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,40000
+ip 28(20) 17 10.3.4.1,10011 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.3.4.1,10012 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
+ip 20(20) 255 10.1.1.0 > 10.1.1.2
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 20(20) 255 10.2.2.1 > 10.1.2.1
+ip 20(20) 255 10.2.2.2 > 10.1.2.1
+ip 20(20) 255 10.1.1.1 > 10.1.1.2
+ip 20(20) 255 10.1.1.2 > 10.1.1.1
+ip 20(20) 255 10.2.2.1 > 10.2.1.1
+ip 20(20) 255 10.2.2.2 > 10.2.1.1
+ip 20(20) 255 10.2.2.3 > 10.1.1.1
+ip 20(20) 255 10.2.3.4 > 10.2.2.2
+ip 20(20) 255 10.1.1.1 > 10.2.2.2
+ip 20(20) 255 10.1.1.2 > 10.2.2.2
+ip 20(20) 255 10.1.1.0 > 10.3.4.5
+ip 20(20) 255 10.1.1.1 > 10.3.4.5
+ip 20(20) 255 10.1.1.2 > 10.3.4.5
+ip 40(20) 6 10.1.1.1,1025 > 10.3.4.5,1025
+ip 48(20) 1 10.1.1.1 > 10.4.3.2
+ip 48(20) 1 10.4.3.2 > 10.2.2.2
+ip 48(20) 1 10.4.3.2 > 10.3.4.3
+ip 48(20) 1 10.4.3.2 > 10.3.4.5
+ip 20(20) 34 10.1.1.2 > 10.4.3.2
+ip 20(20) 34 10.4.3.2 > 10.3.4.4
+ip 20(20) 34 10.1.1.2 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.5
+ip 20(20) 34 10.1.1.3 > 10.4.3.4
+ip 20(20) 34 10.4.3.4 > 10.3.4.6
+ip 20(20) 35 10.1.1.3 > 10.4.3.4
+ip 20(20) 35 10.4.3.4 > 10.3.4.7
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.0 > 10.1.1.2
+ip 20(20) 0 10.1.1.1 > 10.1.2.1
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40001 > 10.1.1.1,1025
+ip 28(20) 17 10.3.4.5,40001 > 10.1.1.1,1025
+ip 40(20) 6 10.3.4.5,40000 > 10.1.2.1,80
+ip 40(20) 6 10.3.4.5,40001 > 10.1.3.1,80
+ip 40(20) 6 10.3.4.5,40000 > 10.1.4.1,80
+ip 40(20) 6 10.3.4.5,40001 > 10.1.4.1,80
+ip 20(20) 0 10.1.1.1 > 10.1.1.2
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 20(20) 0 10.1.1.2 > 10.1.1.1
+ip 40(20) 6 10.3.4.5,40000 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1026 > 10.3.4.5,40000
+ip 40(20) 6 10.3.4.5,40001 > 10.3.4.5,40000
+ip 40(20) 6 10.1.1.1,1025 > 10.1.1.2,1025
+ip 28(20) 17 10.3.4.5,40000 > 10.3.4.5,40001
+ip 28(20) 17 10.1.1.2,1025 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+ip 40(20) 6 10.1.2.1,80 > 10.3.4.5,40001
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n6 b/contrib/ipfilter/test/expected/n6
new file mode 100644
index 000000000000..d28d4f1ee4d7
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n6
@@ -0,0 +1,70 @@
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23
+ip 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53
+ip 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23
+ip 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23
+ip 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53
+ip 28(20) 17 10.3.3.3,12345 > 10.2.2.1,10053
+ip 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53
+ip 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/n7 b/contrib/ipfilter/test/expected/n7
new file mode 100644
index 000000000000..51aa987c2da6
--- /dev/null
+++ b/contrib/ipfilter/test/expected/n7
@@ -0,0 +1,20 @@
+ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+ip 40(20) 6 10.2.3.1,1231 > 10.2.2.1,10023
+ip 40(20) 6 10.2.3.1,1232 > 10.2.2.1,10050
+ip 40(20) 6 10.2.3.1,1233 > 10.2.2.1,10079
+ip 40(20) 6 10.2.3.1,1234 > 10.1.1.1,80
+ip 40(20) 6 10.2.3.1,1235 > 10.1.1.2,80
+ip 40(20) 6 10.2.3.1,1236 > 10.1.1.3,80
+ip 40(20) 6 10.2.3.1,1237 > 10.1.1.4,80
+ip 40(20) 6 10.2.3.1,1238 > 10.1.1.4,80
+-------------------------------
+ip 40(20) 6 10.2.3.1,1230 > 10.1.1.1,22
+ip 40(20) 6 10.2.3.1,1231 > 10.1.1.1,23
+ip 40(20) 6 10.2.3.1,1232 > 10.1.1.1,50
+ip 40(20) 6 10.2.3.1,1233 > 10.1.1.1,79
+ip 40(20) 6 10.2.3.1,1234 > 10.2.2.1,3128
+ip 40(20) 6 10.2.3.1,1235 > 1.2.2.129,3128
+ip 40(20) 6 10.2.3.1,1236 > 10.2.2.1,3128
+ip 40(20) 6 10.2.3.1,1237 > 1.2.2.129,3128
+ip 40(20) 6 10.2.3.1,1238 > 10.2.2.1,3128
+-------------------------------
diff --git a/contrib/ipfilter/test/input/n5 b/contrib/ipfilter/test/input/n5
new file mode 100644
index 000000000000..579210b3a369
--- /dev/null
+++ b/contrib/ipfilter/test/input/n5
@@ -0,0 +1,54 @@
+out on zx0 255 10.1.1.0 10.1.1.2
+out on zx0 255 10.1.1.1 10.1.1.2
+out on zx0 255 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 255 10.2.2.1 10.1.2.1
+out on zx0 255 10.2.2.2 10.1.2.1
+in on zx0 255 10.1.1.1 10.1.1.2
+in on zx0 255 10.1.1.2 10.1.1.1
+in on zx0 255 10.2.2.1 10.2.1.1
+in on zx0 255 10.2.2.2 10.2.1.1
+in on zx0 255 10.2.2.3 10.1.1.1
+in on zx0 255 10.2.3.4 10.2.2.2
+in on zx0 255 10.1.1.1 10.2.2.2
+in on zx0 255 10.1.1.2 10.2.2.2
+in on zx0 255 10.1.1.0 10.3.4.5
+in on zx0 255 10.1.1.1 10.3.4.5
+in on zx0 255 10.1.1.2 10.3.4.5
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,1025
+out on zx0 icmp 10.1.1.1 10.4.3.2
+in on zx0 icmp 10.4.3.2 10.2.2.2
+in on zx0 icmp 10.4.3.2 10.3.4.3
+in on zx0 icmp 10.4.3.2 10.3.4.5
+out on zx0 34 10.1.1.2 10.4.3.2
+in on zx0 34 10.4.3.2 10.3.4.4
+out on zx0 34 10.1.1.2 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.5
+out on zx0 34 10.1.1.3 10.4.3.4
+in on zx0 34 10.4.3.4 10.3.4.6
+out on zx0 35 10.1.1.3 10.4.3.4
+in on zx0 35 10.4.3.4 10.3.4.7
+out on zx0 tcp 10.1.1.1,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+out on zx0 10.1.1.0 10.1.1.2
+out on zx0 10.1.1.1 10.1.2.1
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.2,1026 10.1.1.1,1025
+out on zx0 udp 10.1.1.2,1025 10.1.1.1,1025
+out on zx0 tcp 10.1.1.3,2000 10.1.2.1,80
+out on zx0 tcp 10.1.1.3,2001 10.1.3.1,80
+out on zx0 tcp 10.1.1.3,2002 10.1.4.1,80
+out on zx0 tcp 10.1.1.3,2003 10.1.4.1,80
+in on zx0 10.1.1.1 10.1.1.2
+in on zx0 tcp 10.1.1.1,1025 10.1.1.2,1025
+in on zx0 10.1.1.2 10.1.1.1
+out on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1026 10.3.4.5,40000
+out on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+in on zx0 tcp 10.1.1.1,1025 10.3.4.5,40000
+out on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+in on zx0 udp 10.1.1.2,1025 10.3.4.5,40001
+out on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
+in on zx0 tcp 10.1.2.1,80 10.3.4.5,40001
diff --git a/contrib/ipfilter/test/input/n6 b/contrib/ipfilter/test/input/n6
new file mode 100644
index 000000000000..8a0c924b36a0
--- /dev/null
+++ b/contrib/ipfilter/test/input/n6
@@ -0,0 +1,13 @@
+in on zx0 tcp 10.2.2.2,12345 10.1.1.1,23
+in on zx0 tcp 10.2.2.2,12345 10.1.1.2,23
+in on zx0 tcp 10.3.0.1,12345 10.1.2.2,23
+in on zx0 tcp 10.3.0.1,12345 10.2.2.2,23
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,23
+in on zx0 tcp 10.2.2.2,12345 10.1.1.1,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.1,53
+in on zx0 tcp 10.2.2.2,12345 10.1.0.0,23
+in on zx0 tcp 10.3.3.3,12345 10.1.0.0,23
+in on zx0 udp 10.2.2.2,12345 10.1.1.0,53
+in on zx0 udp 10.3.3.3,12345 10.1.1.0,53
+in on zx0 tcp 10.2.2.2,12345 10.1.1.0,53
+in on zx0 tcp 10.3.3.3,12345 10.1.1.0,53
diff --git a/contrib/ipfilter/test/input/n7 b/contrib/ipfilter/test/input/n7
new file mode 100644
index 000000000000..79af9010825d
--- /dev/null
+++ b/contrib/ipfilter/test/input/n7
@@ -0,0 +1,9 @@
+in on zx0 tcp 10.2.3.1,1230 10.1.1.1,22
+in on zx0 tcp 10.2.3.1,1231 10.1.1.1,23
+in on zx0 tcp 10.2.3.1,1232 10.1.1.1,50
+in on zx0 tcp 10.2.3.1,1233 10.1.1.1,79
+in on zx0 tcp 10.2.3.1,1234 10.1.1.1,80
+in on zx0 tcp 10.2.3.1,1235 10.1.1.2,80
+in on zx0 tcp 10.2.3.1,1236 10.1.1.3,80
+in on zx0 tcp 10.2.3.1,1237 10.1.1.4,80
+in on zx0 tcp 10.2.3.1,1238 10.1.1.4,80
diff --git a/contrib/ipfilter/test/regress/n5 b/contrib/ipfilter/test/regress/n5
new file mode 100644
index 000000000000..e55cea02a82a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n5
@@ -0,0 +1,6 @@
+map zx0 10.1.1.1/32 -> 10.2.2.2/32
+map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
+map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
+map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
+map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
diff --git a/contrib/ipfilter/test/regress/n6 b/contrib/ipfilter/test/regress/n6
new file mode 100644
index 000000000000..79f11a40d88a
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n6
@@ -0,0 +1,5 @@
+rdr zx0 10.1.1.1/32 port 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from any to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from 10.2.0.0/16 to 10.1.1.0/24 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 from 10.3.0.0/16 to 10.1.0.0/16 port = 23 -> 10.2.2.1 port 10023 tcp
+rdr zx0 ! from 10.2.0.0/16 to 10.1.1.0/24 port = 53 -> 10.2.2.1 port 10053 udp
diff --git a/contrib/ipfilter/test/regress/n7 b/contrib/ipfilter/test/regress/n7
new file mode 100644
index 000000000000..4abde530a21d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/n7
@@ -0,0 +1,2 @@
+rdr zx0 10.1.1.1/32 port 23-79 -> 10.2.2.1 port 10023 tcp
+rdr zx0 10.1.1.0/24 port 80 -> 10.2.2.1,1.2.2.129 port 3128 tcp