authorDarren Reed <darrenr@FreeBSD.org>2002-03-19 11:45:24 +0000
committerDarren Reed <darrenr@FreeBSD.org>2002-03-19 11:45:24 +0000
commit0868380a542955ca8e611f323f36c28a48b20fb2 (patch)
treed6bb5e426959109d335f22e7215936da1c3d528c
parentd564cc784ffa00509dbff15d4784ce85dfce1026 (diff)
Import IPFilter 3.4.25
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=92688
-rw-r--r--contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-424
-rw-r--r--contrib/ipfilter/ip_h323_pxy.c275
-rw-r--r--contrib/ipfilter/ip_ipsec_pxy.c292
-rw-r--r--contrib/ipfilter/ip_netbios_pxy.c109
-rw-r--r--contrib/ipfilter/man/ipnat.848
-rw-r--r--contrib/ipfilter/printnat.c462
-rw-r--r--contrib/ipfilter/printstate.c142
-rw-r--r--contrib/ipfilter/test/expected/f159
-rw-r--r--contrib/ipfilter/test/expected/f169
-rw-r--r--contrib/ipfilter/test/expected/l149
-rw-r--r--contrib/ipfilter/test/expected/l1.b47
-rw-r--r--contrib/ipfilter/test/expected/ni13
-rw-r--r--contrib/ipfilter/test/expected/ni210
-rw-r--r--contrib/ipfilter/test/input/f158
-rw-r--r--contrib/ipfilter/test/input/f168
-rw-r--r--contrib/ipfilter/test/input/ipf6-126
-rw-r--r--contrib/ipfilter/test/input/l152
-rw-r--r--contrib/ipfilter/test/input/ni16
-rw-r--r--contrib/ipfilter/test/input/ni2161
-rwxr-xr-xcontrib/ipfilter/test/logtest48
-rwxr-xr-xcontrib/ipfilter/test/mtest36
-rwxr-xr-xcontrib/ipfilter/test/natipftest28
-rw-r--r--contrib/ipfilter/test/regress/f158
-rw-r--r--contrib/ipfilter/test/regress/f1610
-rw-r--r--contrib/ipfilter/test/regress/ipf6-13
-rw-r--r--contrib/ipfilter/test/regress/l16
-rw-r--r--contrib/ipfilter/test/regress/ni1.ipf4
-rw-r--r--contrib/ipfilter/test/regress/ni1.nat1
-rw-r--r--contrib/ipfilter/test/regress/ni2.ipf1
-rw-r--r--contrib/ipfilter/test/regress/ni2.nat1
30 files changed, 1886 insertions, 0 deletions
diff --git a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
new file mode 100644
index 000000000000..6ae366a394cd
--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
@@ -0,0 +1,24 @@
+To build a kernel with the IP filter, follow these seven steps:
+
+ 1. do "make freebsd4"
+
+ 2. do "make install-bsd"
+ (probably has to be done as root)
+
+ 3. run "FreeBSD-4/kinstall" as root
+
+ 4. build a new kernel
+
+ 5. install the new kernel
+
+ 6. If not using DEVFS, create devices for IP Filter as follows:
+ mknod /dev/ipl c 79 0
+ mknod /dev/ipnat c 79 1
+ mknod /dev/ipstate c 79 2
+ mknod /dev/ipauth c 79 3
+
+ 7. reboot
+
+
+Darren Reed
+darrenr@pobox.com
diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c
new file mode 100644
index 000000000000..14aa47b7d4b3
--- /dev/null
+++ b/contrib/ipfilter/ip_h323_pxy.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
+ *
+ * This source code has been published by QNX Software Systems Ltd. (QSSL).
+ * However, any use, reproduction, modification, distribution or transfer of
+ * this software, or any software which includes or is based upon any of this
+ * code, is only permitted under the terms of the QNX Open Community License
+ * version 1.0 (see licensing.qnx.com for details) or as otherwise expressly
+ * authorized by a written license agreement from QSSL. For more information,
+ * please email licensing@qnx.com.
+ *
+ */
+
+/*
+ * Simple H.323 proxy
+ *
+ * by xtang@canada.com
+ * ported to ipfilter 3.4.20 by Michael Grant mg-ipf@grant.org
+ */
+
+#if __FreeBSD_version >= 220000 && defined(_KERNEL)
+# include <sys/fcntl.h>
+# include <sys/filio.h>
+#else
+# include <sys/ioctl.h>
+#endif
+
+#define IPF_H323_PROXY
+
+int ippr_h323_init __P((void));
+int ippr_h323_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+void ippr_h323_del __P((ap_session_t *));
+int ippr_h323_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_h323_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+int ippr_h245_init __P((void));
+int ippr_h245_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_h245_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_h245_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static frentry_t h323_fr;
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
+extern KRWLOCK_T ipf_nat;
+#endif
+
+static int find_port __P((int, u_char *, int datlen, int *, u_short *));
+
+
+static int find_port(ipaddr, data, datlen, off, port)
+int ipaddr;
+unsigned char *data;
+int datlen, *off;
+unsigned short *port;
+{
+ if (datlen < 6)
+ return -1;
+
+ *port = 0;
+ for (*off = 0; *off <= datlen - 6; *off = *off + 1) {
+ if (ipaddr == *(int *)(data + *off))
+ {
+ *port = (*(data + *off + 4) << 8) + *(data + *off +5);
+ break;
+ }
+ }
+ return (*off > datlen - 6) ? -1 : 0;
+}
+
+/*
+ * Initialize local structures.
+ */
+int ippr_h323_init()
+{
+ bzero((char *)&h323_fr, sizeof(h323_fr));
+ h323_fr.fr_ref = 1;
+ h323_fr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+
+ return 0;
+}
+
+
+int ippr_h323_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ aps->aps_data = NULL;
+ aps->aps_psiz = 0;
+
+ return 0;
+}
+
+
+void ippr_h323_del(aps)
+ap_session_t *aps;
+{
+ int i;
+ ipnat_t *ipn;
+
+ if (aps->aps_data) {
+ for (i = 0, ipn = aps->aps_data;
+ i < (aps->aps_psiz / sizeof(ipnat_t));
+ i++, ipn = (ipnat_t *)((char *)ipn + sizeof(*ipn)))
+ {
+ /*
+ * Check the comment in ippr_h323_in() function,
+ * just above nat_ioctl() call.
+ * We are lucky here because this function is not
+ * called with ipf_nat locked.
+ */
+ if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) {
+ /* log the error */
+ }
+ }
+ KFREES(aps->aps_data, aps->aps_psiz);
+ }
+ return;
+}
+
+
+int ippr_h323_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ return 0;
+}
+
+
+int ippr_h323_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ int ipaddr, off, datlen;
+ unsigned short port;
+ unsigned char *data;
+ tcphdr_t *tcp;
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ ipaddr = ip->ip_src.s_addr;
+
+ data = (unsigned char *)tcp + (tcp->th_off << 2);
+ datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2);
+ if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
+ ipnat_t *ipn;
+ char *newarray;
+
+ /* setup a nat rule to set a h245 proxy on tcp-port "port"
+ * it's like:
+ * map <if> <inter_ip>/<mask> -> <gate_ip>/<mask> proxy port <port> <port>/tcp
+ */
+ KMALLOCS(newarray, char *, aps->aps_psiz + sizeof(*ipn));
+ if (newarray == NULL) {
+ return -1;
+ }
+ ipn = (ipnat_t *)&newarray[aps->aps_psiz];
+ bcopy(nat->nat_ptr, ipn, sizeof(ipnat_t));
+ strncpy(ipn->in_plabel, "h245", APR_LABELLEN);
+
+ ipn->in_inip = nat->nat_inip.s_addr;
+ ipn->in_inmsk = 0xffffffff;
+ ipn->in_dport = htons(port);
+ /*
+ * we got a problem here. we need to call nat_ioctl() to add
+ * the h245 proxy rule, but since we already hold (READ locked)
+ * the nat table rwlock (ipf_nat), if we go into nat_ioctl(),
+ * it will try to WRITE lock it. This will causing dead lock
+ * on RTP.
+ *
+ * The quick & dirty solution here is release the read lock,
+ * call nat_ioctl() and re-lock it.
+ * A (maybe better) solution is do a UPGRADE(), and instead
+ * of calling nat_ioctl(), we add the nat rule ourself.
+ */
+ RWLOCK_EXIT(&ipf_nat);
+ if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) {
+ READ_ENTER(&ipf_nat);
+ return -1;
+ }
+ READ_ENTER(&ipf_nat);
+ bcopy(aps->aps_data, newarray, aps->aps_psiz);
+ KFREES(aps->aps_data, aps->aps_psiz);
+ aps->aps_data = newarray;
+ aps->aps_psiz += sizeof(*ipn);
+ }
+ return 0;
+}
+
+
+int ippr_h245_init()
+{
+ return 0;
+}
+
+
+int ippr_h245_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ aps->aps_data = NULL;
+ aps->aps_psiz = 0;
+ return 0;
+}
+
+
+int ippr_h245_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ int ipaddr, off, datlen;
+ u_short port;
+ unsigned char *data;
+ tcphdr_t *tcp;
+
+ tcp = (tcphdr_t *)fin->fin_dp;
+ ipaddr = nat->nat_inip.s_addr;
+ data = (unsigned char *)tcp + (tcp->th_off << 2);
+ datlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
+ if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
+ fr_info_t fi;
+ nat_t *ipn;
+
+/* port = htons(port); */
+ ipn = nat_outlookup(fin->fin_ifp, IPN_UDP, IPPROTO_UDP,
+ ip->ip_src, ip->ip_dst, 1);
+ if (ipn == NULL) {
+ struct ip newip;
+ struct udphdr udp;
+
+ bcopy(ip, &newip, sizeof(newip));
+ newip.ip_len = fin->fin_hlen + sizeof(udp);
+ newip.ip_p = IPPROTO_UDP;
+ newip.ip_src = nat->nat_inip;
+
+ bzero(&udp, sizeof(udp));
+ udp.uh_sport = port;
+
+ bcopy(fin, &fi, sizeof(fi));
+ fi.fin_fi.fi_p = IPPROTO_UDP;
+ fi.fin_data[0] = port;
+ fi.fin_data[1] = 0;
+ fi.fin_dp = (char *)&udp;
+
+ ipn = nat_new(&fi, &newip, nat->nat_ptr, NULL,
+ IPN_UDP|FI_W_DPORT, NAT_OUTBOUND);
+ if (ipn != NULL) {
+ ipn->nat_ptr->in_hits++;
+#ifdef IPFILTER_LOG
+ nat_log(ipn, (u_int)(nat->nat_ptr->in_redir));
+#endif
+ *(int *)(data + off) = ip->ip_src.s_addr;
+ *(short *)(data + off + 4) = ipn->nat_outport;
+ }
+ }
+ }
+ return 0;
+}
+
+
+int ippr_h245_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ return 0;
+}
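Review bot: The error path in ippr_h323_in leaks the freshly allocated rule array: when nat_ioctl() fails on the SIOCADNAT call, the function re-takes the read lock and returns -1 without releasing `newarray`, which at that point has not been stored in aps->aps_data. Add `KFREES(newarray, aps->aps_psiz + sizeof(*ipn));` before that `return -1;`. Separately, find_port compares the address through `*(int *)(data + *off)` at every byte offset, and ippr_h245_out writes the new address and port back through `*(int *)` and `*(short *)` casts into the packet; on strict-alignment targets this file explicitly builds for (the SOLARIS/__sgi ifdefs) that is an unaligned access, so a bcopy()/memcmp() against a local is the safer form. ippr_h323_in and ippr_h245_out also assume the TCP payload is contiguous in memory from fin_dp for datlen bytes, an assumption the other proxies in this commit avoid by using m_copydata()/copyout_mblk(), which is worth confirming against the mbuf/mblk layout.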
diff --git a/contrib/ipfilter/ip_ipsec_pxy.c b/contrib/ipfilter/ip_ipsec_pxy.c
new file mode 100644
index 000000000000..40ce131961a3
--- /dev/null
+++ b/contrib/ipfilter/ip_ipsec_pxy.c
@@ -0,0 +1,292 @@
+/*
+ * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
+ * code.
+ *
+ * $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
+ *
+ */
+#define IPF_IPSEC_PROXY
+
+
+int ippr_ipsec_init __P((void));
+int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+void ippr_ipsec_del __P((ap_session_t *));
+int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
+
+static frentry_t ipsecfr;
+
+
+static char ipsec_buffer[1500];
+
+/*
+ * RCMD application proxy initialization.
+ */
+int ippr_ipsec_init()
+{
+ bzero((char *)&ipsecfr, sizeof(ipsecfr));
+ ipsecfr.fr_ref = 1;
+ ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ return 0;
+}
+
+
+/*
+ * Setup for a new IPSEC proxy.
+ */
+int ippr_ipsec_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ ipsec_pxy_t *ipsec;
+ fr_info_t fi;
+ ipnat_t *ipn;
+ char *ptr;
+ int p, off, dlen;
+ mb_t *m;
+
+ bzero(ipsec_buffer, sizeof(ipsec_buffer));
+ off = fin->fin_hlen + sizeof(udphdr_t);
+#ifdef _KERNEL
+# if SOLARIS
+ m = fin->fin_qfm;
+
+ dlen = msgdsize(m) - off;
+ if (dlen < 16)
+ return -1;
+ copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
+# else
+ m = *(mb_t **)fin->fin_mp;
+ dlen = mbufchainlen(m) - off;
+ if (dlen < 16)
+ return -1;
+ m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
+# endif
+#else
+ m = *(mb_t **)fin->fin_mp;
+ dlen = ip->ip_len - off;
+ ptr = (char *)m;
+ ptr += off;
+ bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
+#endif
+
+ /*
+ * Because _new() gets called from nat_new(), ipf_nat is held with a
+ * write lock so pass rw=1 to nat_outlookup().
+ */
+ if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
+ ip->ip_dst, 1) != NULL)
+ return -1;
+
+ aps->aps_psiz = sizeof(*ipsec);
+ KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
+ if (aps->aps_data == NULL)
+ return -1;
+
+ ipsec = aps->aps_data;
+ bzero((char *)ipsec, sizeof(*ipsec));
+
+ /*
+ * Create NAT rule against which the tunnel/transport mapping is
+ * created. This is required because the current NAT rule does not
+ * describe ESP but UDP instead.
+ */
+ ipn = &ipsec->ipsc_rule;
+ ipn->in_ifp = fin->fin_ifp;
+ ipn->in_apr = NULL;
+ ipn->in_use = 1;
+ ipn->in_hits = 1;
+ ipn->in_nip = ntohl(nat->nat_outip.s_addr);
+ ipn->in_ippip = 1;
+ ipn->in_inip = nat->nat_inip.s_addr;
+ ipn->in_inmsk = 0xffffffff;
+ ipn->in_outip = nat->nat_outip.s_addr;
+ ipn->in_outmsk = 0xffffffff;
+ ipn->in_srcip = fin->fin_saddr;
+ ipn->in_srcmsk = 0xffffffff;
+ ipn->in_redir = NAT_MAP;
+ bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
+ ipn->in_p = IPPROTO_ESP;
+
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_fi.fi_p = IPPROTO_ESP;
+ fi.fin_fr = &ipsecfr;
+ fi.fin_data[0] = 0;
+ fi.fin_data[1] = 0;
+ p = ip->ip_p;
+ ip->ip_p = IPPROTO_ESP;
+ fi.fin_fl &= ~FI_TCPUDP;
+
+ ptr = ipsec_buffer;
+ bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
+ ptr += sizeof(ipsec_cookie_t);
+ bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
+ /*
+ * The responder cookie should only be non-zero if the initiator
+ * cookie is non-zero. Therefore, it is safe to assume(!) that the
+ * cookies are both set after copying if the responder is non-zero.
+ */
+ if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
+ ipsec->ipsc_rckset = 1;
+ else
+ nat->nat_age = 60; /* 30 seconds */
+
+ ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
+ NAT_OUTBOUND);
+ if (ipsec->ipsc_nat != NULL) {
+ fi.fin_data[0] = 0;
+ fi.fin_data[1] = 0;
+ ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
+ FI_IGNOREPKT|FI_NORULE);
+ }
+ ip->ip_p = p;
+ return 0;
+}
+
+
+/*
+ * For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
+ * we can. If they have disappeared, recreate them.
+ */
+int ippr_ipsec_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ ipsec_pxy_t *ipsec;
+ fr_info_t fi;
+ int p;
+
+ bcopy((char *)fin, (char *)&fi, sizeof(fi));
+ fi.fin_fi.fi_p = IPPROTO_ESP;
+ fi.fin_fr = &ipsecfr;
+ fi.fin_data[0] = 0;
+ fi.fin_data[1] = 0;
+ p = ip->ip_p;
+ ip->ip_p = IPPROTO_ESP;
+ fi.fin_fl &= ~FI_TCPUDP;
+
+ ipsec = aps->aps_data;
+ if (ipsec != NULL) {
+ /*
+ * Update NAT timeout/create NAT if missing.
+ */
+ if (ipsec->ipsc_rckset == 0)
+ nat->nat_age = 60; /* 30 seconds */
+ if (ipsec->ipsc_nat != NULL)
+ ipsec->ipsc_nat->nat_age = nat->nat_age;
+ else
+ ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
+ &ipsec->ipsc_nat,
+ FI_IGNOREPKT, NAT_OUTBOUND);
+
+ /*
+ * Update state timeout/create state if missing.
+ */
+ READ_ENTER(&ipf_state);
+ if (ipsec->ipsc_state != NULL) {
+ ipsec->ipsc_state->is_age = nat->nat_age;
+ RWLOCK_EXIT(&ipf_state);
+ } else {
+ RWLOCK_EXIT(&ipf_state);
+ fi.fin_data[0] = 0;
+ fi.fin_data[1] = 0;
+ ipsec->ipsc_state = fr_addstate(ip, &fi,
+ &ipsec->ipsc_state,
+ FI_IGNOREPKT|FI_NORULE);
+ }
+ }
+ ip->ip_p = p;
+ return 0;
+}
+
+
+/*
+ * This extends the NAT matching to be based on the cookies associated with
+ * a session and found at the front of IKE packets. The cookies are always
+ * in the same order (not reversed depending on packet flow direction as with
+ * UDP/TCP port numbers).
+ */
+int ippr_ipsec_match(fin, aps, nat)
+fr_info_t *fin;
+ap_session_t *aps;
+nat_t *nat;
+{
+ ipsec_pxy_t *ipsec;
+ u_32_t cookies[4];
+ mb_t *m;
+ int off;
+
+ if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
+ return -1;
+
+ ipsec = aps->aps_data;
+ off = fin->fin_hlen + sizeof(udphdr_t);
+#ifdef _KERNEL
+# if SOLARIS
+ m = fin->fin_qfm;
+
+ copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
+# else
+ m = *(mb_t **)fin->fin_mp;
+ m_copydata(m, off, sizeof(cookies), (char *)cookies);
+# endif
+#else
+ m = *(mb_t **)fin->fin_mp;
+ bcopy((char *)m + off, cookies, sizeof(cookies));
+#endif
+
+ if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
+ (cookies[1] != ipsec->ipsc_icookie[1]))
+ return -1;
+
+ if (ipsec->ipsc_rckset == 0) {
+ if ((cookies[2]|cookies[3]) == 0) {
+ nat->nat_age = 60; /* 30 seconds */
+ return 0;
+ }
+ ipsec->ipsc_rckset = 1;
+ ipsec->ipsc_rcookie[0] = cookies[2];
+ ipsec->ipsc_rcookie[1] = cookies[3];
+ return 0;
+ }
+
+ if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
+ (cookies[3] != ipsec->ipsc_rcookie[1]))
+ return -1;
+ return 0;
+}
+
+
+/*
+ * clean up after ourselves.
+ */
+void ippr_ipsec_del(aps)
+ap_session_t *aps;
+{
+ ipsec_pxy_t *ipsec;
+
+ ipsec = aps->aps_data;
+
+ if (ipsec != NULL) {
+ /*
+ * Don't delete it from here, just schedule it to be
+ * deleted ASAP.
+ */
+ if (ipsec->ipsc_nat != NULL) {
+ ipsec->ipsc_nat->nat_age = 1;
+ ipsec->ipsc_nat->nat_ptr = NULL;
+ }
+
+ READ_ENTER(&ipf_state);
+ if (ipsec->ipsc_state != NULL)
+ ipsec->ipsc_state->is_age = 1;
+ RWLOCK_EXIT(&ipf_state);
+
+ ipsec->ipsc_state = NULL;
+ ipsec->ipsc_nat = NULL;
+ }
+}
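Review bot: ippr_ipsec_match dereferences `ipsec = aps->aps_data` at the cookie comparison without a NULL check, while ippr_ipsec_out and ippr_ipsec_del in the same file guard on `ipsec != NULL`; add `if (ipsec == NULL) return -1;` directly after the assignment. The non-kernel branch of ippr_ipsec_new also lacks the `if (dlen < 16) return -1;` check that both kernel branches have, and because dlen is an int, a negative value passed to `MIN(sizeof(ipsec_buffer), dlen)` would, if MIN is the usual conditional macro, convert to a large size_t and make the bcopy read the full 1500 bytes from beyond the packet. Staging the packet head in the file-scope `ipsec_buffer` relies on _new being serialized by the ipf_nat write lock mentioned in the comment; a stack buffer of the same size would remove that dependency.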
diff --git a/contrib/ipfilter/ip_netbios_pxy.c b/contrib/ipfilter/ip_netbios_pxy.c
new file mode 100644
index 000000000000..ee9b0c4f118f
--- /dev/null
+++ b/contrib/ipfilter/ip_netbios_pxy.c
@@ -0,0 +1,109 @@
+/*
+ * Simple netbios-dgm transparent proxy for in-kernel use.
+ * For use with the NAT code.
+ * $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
+ */
+
+/*-
+ * Copyright (c) 2002 Paul J. Ledbetter III
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $Id: ip_netbios_pxy.c,v 1.1.2.3 2002/01/09 09:28:37 darrenr Exp $
+ */
+
+#define IPF_NETBIOS_PROXY
+
+int ippr_netbios_init __P((void));
+int ippr_netbios_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static frentry_t netbiosfr;
+
+/*
+ * Initialize local structures.
+ */
+int ippr_netbios_init()
+{
+ bzero((char *)&netbiosfr, sizeof(netbiosfr));
+ netbiosfr.fr_ref = 1;
+ netbiosfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+ return 0;
+}
+
+int ippr_netbios_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+ char dgmbuf[6];
+
+ int off, dlen;
+ udphdr_t *udp;
+ mb_t *m;
+
+ m = *(mb_t **)fin->fin_mp;
+ off = fin->fin_hlen + sizeof(udphdr_t);
+#if SOLARIS
+ dlen = msgdsize(m);
+#else
+ dlen = mbufchainlen(m);
+#endif
+ dlen -= off;
+
+ /*
+ * no net bios datagram could possibly be shorter than this
+ */
+ if (dlen < 11)
+ return 0;
+
+ udp = (udphdr_t *)fin->fin_dp;
+
+ /*
+ * move past the
+ * ip header;
+ * udp header;
+ * 4 bytes into the net bios dgm header.
+ * According to rfc1002, this should be the exact location of
+ * the source address/port
+ */
+ off += 4;
+
+ /* Copy NATed source Address/port*/
+ dgmbuf[0] = (char)((ip->ip_src.s_addr ) &0xFF);
+ dgmbuf[1] = (char)((ip->ip_src.s_addr >> 8) &0xFF);
+ dgmbuf[2] = (char)((ip->ip_src.s_addr >> 16)&0xFF);
+ dgmbuf[3] = (char)((ip->ip_src.s_addr >> 24)&0xFF);
+
+ dgmbuf[4] = (char)((udp->uh_sport )&0xFF);
+ dgmbuf[5] = (char)((udp->uh_sport >> 8)&0xFF);
+
+ /* replace data in packet */
+#if SOLARIS
+ copyin_mblk(m, off, sizeof(dgmbuf), dgmbuf);
+#else
+ m_copyback(m, off, sizeof(dgmbuf), dgmbuf);
+#endif
+
+ return 0;
+}
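Review bot: The byte-wise extraction of the NATed source address in ippr_netbios_out depends on host byte order: `ip->ip_src.s_addr & 0xFF` is the first octet in memory only on a little-endian host, so on a big-endian build (Solaris/SPARC, which the `#if SOLARIS` branches suggest is a target) the address and port land in the datagram header reversed. If the header wants these fields in wire order as RFC 1002 specifies, `bcopy(&ip->ip_src, dgmbuf, 4); bcopy(&udp->uh_sport, dgmbuf + 4, 2);` is endian-neutral and replaces the six shift/mask lines. This file also takes the mblk from `*(mb_t **)fin->fin_mp` under `#if SOLARIS`, whereas ip_ipsec_pxy.c in this same commit uses `fin->fin_qfm` for the Solaris case; one of the two is likely wrong and they should be reconciled.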
diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8
new file mode 100644
index 000000000000..760e0af4e885
--- /dev/null
+++ b/contrib/ipfilter/man/ipnat.8
@@ -0,0 +1,48 @@
+.TH IPNAT 8
+.SH NAME
+ipnat \- user interface to the NAT
+.SH SYNOPSIS
+.B ipnat
+[
+.B \-lnrsvCF
+]
+.B \-f <\fIfilename\fP>
+.SH DESCRIPTION
+.PP
+\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
+file for a set of rules which are to be added or removed from the IP NAT.
+.PP
+Each rule processed by \fBipnat\fP
+is added to the kernels internal lists if there are no parsing problems.
+Rules are added to the end of the internal lists, matching the order in
+which they appear when given to \fBipnat\fP.
+.SH OPTIONS
+.TP
+.B \-C
+delete all entries in the current NAT rule listing (NAT rules)
+.TP
+.B \-F
+delete all active entries in the current NAT translation table (currently
+active NAT mappings)
+.TP
+.B \-l
+Show the list of current NAT table entry mappings.
+.TP
+.B \-n
+This flag (no-change) prevents \fBipf\fP from actually making any ioctl
+calls or doing anything which would alter the currently running kernel.
+.TP
+.B \-s
+Retrieve and display NAT statistics
+.TP
+.B \-r
+Remove matching NAT rules rather than add them to the internal lists
+.TP
+.B \-v
+Turn verbose mode on. Displays information relating to rule processing
+and active rules/table entries.
+.DT
+.SH FILES
+/dev/ipnat
+.SH SEE ALSO
+ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
new file mode 100644
index 000000000000..647c92e9f1bc
--- /dev/null
+++ b/contrib/ipfilter/printnat.c
@@ -0,0 +1,462 @@
+/*
+ * Copyright (C) 1993-2001 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
+ */
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
+#include <stdio.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#if !defined(__SVR4) && !defined(__svr4__)
+#include <strings.h>
+#else
+#include <sys/byteorder.h>
+#endif
+#include <sys/time.h>
+#include <sys/param.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
+# include <sys/ioccom.h>
+# include <sys/sysmacros.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <net/if.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
+#include <netdb.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+#include <ctype.h>
+#include "netinet/ip_compat.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_proxy.h"
+#include "ipf.h"
+#include "kmem.h"
+
+#if defined(sun) && !SOLARIS2
+# define STRERROR(x) sys_errlist[x]
+extern char *sys_errlist[];
+#else
+# define STRERROR(x) strerror(x)
+#endif
+
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $";
+#endif
+
+
+#if SOLARIS
+#define bzero(a,b) memset(a,0,b)
+#endif
+#ifdef USE_INET6
+extern int use_inet6;
+#endif
+
+extern char thishost[MAXHOSTNAMELEN];
+
+extern int countbits __P((u_32_t));
+
+void printnat __P((ipnat_t *, int));
+char *getnattype __P((ipnat_t *));
+void printactivenat __P((nat_t *, int));
+void printhostmap __P((hostmap_t *, u_int));
+char *getsumd __P((u_32_t));
+
+static void printaps __P((ap_session_t *, int));
+
+static void printaps(aps, opts)
+ap_session_t *aps;
+int opts;
+{
+ ipsec_pxy_t ipsec;
+ ap_session_t ap;
+ ftpinfo_t ftp;
+ aproxy_t apr;
+ raudio_t ra;
+
+ if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
+ return;
+ if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
+ return;
+ printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
+ apr.apr_p, apr.apr_ref, apr.apr_flags);
+ printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
+#ifdef USE_QUAD_T
+ printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
+ (unsigned long long)ap.aps_pkts);
+#else
+ printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
+#endif
+ printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz);
+ if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
+ printf("\t\tstate[%u,%u], sel[%d,%d]\n",
+ ap.aps_state[0], ap.aps_state[1],
+ ap.aps_sel[0], ap.aps_sel[1]);
+#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
+ (__FreeBSD_version >= 300000) || defined(OpenBSD)
+ printf("\t\tseq: off %hd/%hd min %x/%x\n",
+ ap.aps_seqoff[0], ap.aps_seqoff[1],
+ ap.aps_seqmin[0], ap.aps_seqmin[1]);
+ printf("\t\tack: off %hd/%hd min %x/%x\n",
+ ap.aps_ackoff[0], ap.aps_ackoff[1],
+ ap.aps_ackmin[0], ap.aps_ackmin[1]);
+#else
+ printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
+ ap.aps_seqoff[0], ap.aps_seqoff[1],
+ ap.aps_seqmin[0], ap.aps_seqmin[1]);
+ printf("\t\tack: off %hd/%hd min %lx/%lx\n",
+ ap.aps_ackoff[0], ap.aps_ackoff[1],
+ ap.aps_ackmin[0], ap.aps_ackmin[1]);
+#endif
+ }
+
+ if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
+ if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
+ return;
+ printf("\tReal Audio Proxy:\n");
+ printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
+ ra.rap_seenpna, ra.rap_version, ra.rap_eos);
+ printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
+ printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
+ ra.rap_plport, ra.rap_prport, ra.rap_srport);
+ } else if (!strcmp(apr.apr_label, "ftp") &&
+ (ap.aps_psiz == sizeof(ftp))) {
+ if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
+ return;
+ printf("\tFTP Proxy:\n");
+ printf("\t\tpassok: %d\n", ftp.ftp_passok);
+ ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
+ ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
+ printf("\tClient:\n");
+ printf("\t\tseq %x len %d junk %d cmds %d\n",
+ ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
+ ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds);
+ printf("\t\tbuf [");
+ printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
+ printf("]\n\tServer:\n");
+ printf("\t\tseq %x len %d junk %d cmds %d\n",
+ ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
+ ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds);
+ printf("\t\tbuf [");
+ printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
+ printf("]\n");
+ } else if (!strcmp(apr.apr_label, "ipsec") &&
+ (ap.aps_psiz == sizeof(ipsec))) {
+ if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec)))
+ return;
+ printf("\tIPSec Proxy:\n");
+ printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n",
+ (u_int)ntohl(ipsec.ipsc_icookie[0]),
+ (u_int)ntohl(ipsec.ipsc_icookie[1]),
+ (u_int)ntohl(ipsec.ipsc_rcookie[0]),
+ (u_int)ntohl(ipsec.ipsc_rcookie[1]),
+ ipsec.ipsc_rckset ? "(Set)" : "(Not set)");
+ }
+}
+
+
+/*
+ * Get a nat filter type given its kernel address.
+ */
+char *getnattype(ipnat)
+ipnat_t *ipnat;
+{
+ static char unknownbuf[20];
+ ipnat_t ipnatbuff;
+ char *which;
+
+ if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
+ sizeof(ipnatbuff))))
+ return "???";
+
+ switch (ipnatbuff.in_redir)
+ {
+ case NAT_MAP :
+ which = "MAP";
+ break;
+ case NAT_MAPBLK :
+ which = "MAP-BLOCK";
+ break;
+ case NAT_REDIRECT :
+ which = "RDR";
+ break;
+ case NAT_BIMAP :
+ which = "BIMAP";
+ break;
+ default :
+ sprintf(unknownbuf, "unknown(%04x)",
+ ipnatbuff.in_redir & 0xffffffff);
+ which = unknownbuf;
+ break;
+ }
+ return which;
+}
+
+
+void printactivenat(nat, opts)
+nat_t *nat;
+int opts;
+{
+ u_int hv1, hv2;
+
+ printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip));
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ printf(" %-5hu", ntohs(nat->nat_inport));
+
+ printf(" <- -> %-15s",inet_ntoa(nat->nat_outip));
+
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ printf(" %-5hu", ntohs(nat->nat_outport));
+
+ printf(" [%s", inet_ntoa(nat->nat_oip));
+ if ((nat->nat_flags & IPN_TCPUDP) != 0)
+ printf(" %hu", ntohs(nat->nat_oport));
+ printf("]");
+
+ if (opts & OPT_VERBOSE) {
+ printf("\n\tage %lu use %hu sumd %s/",
+ nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0]));
+ hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
+ 0xffffffff),
+ hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
+ NAT_TABLE_SZ),
+ hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
+ 0xffffffff),
+ hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
+ NAT_TABLE_SZ),
+ printf("%s pr %u bkt %d/%d flags %x\n",
+ getsumd(nat->nat_sumd[1]), nat->nat_p,
+ hv1, hv2, nat->nat_flags);
+ printf("\tifp %s ", getifname(nat->nat_ifp));
+#ifdef USE_QUAD_T
+ printf("bytes %qu pkts %qu",
+ (unsigned long long)nat->nat_bytes,
+ (unsigned long long)nat->nat_pkts);
+#else
+ printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts);
+#endif
+#if SOLARIS
+ printf(" %lx", nat->nat_ipsumd);
+#endif
+ }
+
+ putchar('\n');
+ if (nat->nat_aps)
+ printaps(nat->nat_aps, opts);
+}
+
+
+void printhostmap(hmp, hv)
+hostmap_t *hmp;
+u_int hv;
+{
+ printf("%s -> ", inet_ntoa(hmp->hm_realip));
+ printf("%s ", inet_ntoa(hmp->hm_mapip));
+ printf("(use = %d hv = %u)\n", hmp->hm_ref, hv);
+}
+
+
+char *getsumd(sum)
+u_32_t sum;
+{
+ static char sumdbuf[17];
+
+ if (sum & NAT_HW_CKSUM)
+ sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
+ else
+ sprintf(sumdbuf, "%#0x", sum);
+ return sumdbuf;
+}
+
+
+/*
+ * Print out a NAT rule
+ */
+void printnat(np, opts)
+ipnat_t *np;
+int opts;
+{
+ struct protoent *pr;
+ struct servent *sv;
+ int bits;
+
+ switch (np->in_redir)
+ {
+ case NAT_REDIRECT :
+ printf("rdr");
+ break;
+ case NAT_MAP :
+ printf("map");
+ break;
+ case NAT_MAPBLK :
+ printf("map-block");
+ break;
+ case NAT_BIMAP :
+ printf("bimap");
+ break;
+ default :
+ fprintf(stderr, "unknown value for in_redir: %#x\n",
+ np->in_redir);
+ break;
+ }
+
+ printf(" %s ", np->in_ifname);
+
+ if (np->in_flags & IPN_FILTER) {
+ if (np->in_flags & IPN_NOTSRC)
+ printf("! ");
+ printf("from ");
+ if (np->in_redir == NAT_REDIRECT) {
+ printhostmask(4, (u_32_t *)&np->in_srcip,
+ (u_32_t *)&np->in_srcmsk);
+ } else {
+ printhostmask(4, (u_32_t *)&np->in_inip,
+ (u_32_t *)&np->in_inmsk);
+ }
+ if (np->in_scmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_src);
+
+ if (np->in_flags & IPN_NOTDST)
+ printf(" !");
+ printf(" to ");
+ if (np->in_redir == NAT_REDIRECT) {
+ printhostmask(4, (u_32_t *)&np->in_outip,
+ (u_32_t *)&np->in_outmsk);
+ } else {
+ printhostmask(4, (u_32_t *)&np->in_srcip,
+ (u_32_t *)&np->in_srcmsk);
+ }
+ if (np->in_dcmp)
+ printportcmp(np->in_p, &np->in_tuc.ftu_dst);
+ }
+
+ if (np->in_redir == NAT_REDIRECT) {
+ if (!(np->in_flags & IPN_FILTER)) {
+ printf("%s", inet_ntoa(np->in_out[0]));
+ bits = countbits(np->in_out[1].s_addr);
+ if (bits != -1)
+ printf("/%d ", bits);
+ else
+ printf("/%s ", inet_ntoa(np->in_out[1]));
+ printf("port %d", ntohs(np->in_pmin));
+ if (np->in_pmax != np->in_pmin)
+ printf("- %d", ntohs(np->in_pmax));
+ }
+ printf(" -> %s", inet_ntoa(np->in_in[0]));
+ if (np->in_flags & IPN_SPLIT)
+ printf(",%s", inet_ntoa(np->in_in[1]));
+ printf(" port %d", ntohs(np->in_pnext));
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if ((np->in_flags & IPN_TCP) == IPN_TCP)
+ printf(" tcp");
+ else if ((np->in_flags & IPN_UDP) == IPN_UDP)
+ printf(" udp");
+ else if (np->in_p == 0)
+ printf(" ip");
+ else if (np->in_p != 0)
+ printf(" %d", np->in_p);
+ if (np->in_flags & IPN_ROUNDR)
+ printf(" round-robin");
+ if (np->in_flags & IPN_FRAG)
+ printf(" frag");
+ printf("\n");
+ if (opts & OPT_DEBUG)
+ printf("\tspc %lu flg %#x max %u use %d\n",
+ np->in_space, np->in_flags,
+ np->in_pmax, np->in_use);
+ } else {
+ np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
+ if (!(np->in_flags & IPN_FILTER)) {
+ printf("%s/", inet_ntoa(np->in_in[0]));
+ bits = countbits(np->in_in[1].s_addr);
+ if (bits != -1)
+ printf("%d ", bits);
+ else
+ printf("%s", inet_ntoa(np->in_in[1]));
+ }
+ printf(" -> ");
+ if (np->in_flags & IPN_IPRANGE) {
+ printf("range %s-", inet_ntoa(np->in_out[0]));
+ printf("%s", inet_ntoa(np->in_out[1]));
+ } else {
+ printf("%s/", inet_ntoa(np->in_out[0]));
+ bits = countbits(np->in_out[1].s_addr);
+ if (bits != -1)
+ printf("%d ", bits);
+ else
+ printf("%s", inet_ntoa(np->in_out[1]));
+ }
+ if (*np->in_plabel) {
+ pr = getprotobynumber(np->in_p);
+ printf(" proxy port");
+ if (np->in_dport != 0) {
+ if (pr != NULL)
+ sv = getservbyport(np->in_dport,
+ pr->p_name);
+ else
+ sv = getservbyport(np->in_dport, NULL);
+ if (sv != NULL)
+ printf(" %s", sv->s_name);
+ else
+ printf(" %hu", ntohs(np->in_dport));
+ }
+ printf(" %.*s/", (int)sizeof(np->in_plabel),
+ np->in_plabel);
+ if (pr != NULL)
+ fputs(pr->p_name, stdout);
+ else
+ printf("%d", np->in_p);
+ } else if (np->in_redir == NAT_MAPBLK) {
+ printf(" ports %d", np->in_pmin);
+ if (opts & OPT_VERBOSE)
+ printf("\n\tip modulous %d", np->in_pmax);
+ } else if (np->in_pmin || np->in_pmax) {
+ printf(" portmap");
+ if (np->in_flags & IPN_AUTOPORTMAP) {
+ printf(" auto");
+ if (opts & OPT_DEBUG)
+ printf(" [%d:%d %d %d]",
+ ntohs(np->in_pmin),
+ ntohs(np->in_pmax),
+ np->in_ippip, np->in_ppip);
+ } else {
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if (np->in_flags & IPN_TCP)
+ printf(" tcp");
+ else if (np->in_flags & IPN_UDP)
+ printf(" udp");
+ printf(" %d:%d", ntohs(np->in_pmin),
+ ntohs(np->in_pmax));
+ }
+ }
+ if (np->in_flags & IPN_FRAG)
+ printf(" frag");
+ printf("\n");
+ if (opts & OPT_DEBUG) {
+ printf("\tspace %lu nextip %s pnext %d", np->in_space,
+ inet_ntoa(np->in_nextip), np->in_pnext);
+ printf(" flags %x use %u\n",
+ np->in_flags, np->in_use);
+ }
+ }
+}
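Review bot: printnat prints `np->in_ifname` with a bare `%s` (and printaps does the same with `apr.apr_label`), although in_ifname is a fixed-size array filled by bcopy elsewhere in this commit and the kernel copy does not guarantee a terminating NUL; the same function already bounds in_plabel with `%.*s`, so use `printf(" %.*s ", (int)sizeof(np->in_ifname), np->in_ifname);` and, if apr_label is likewise a fixed array, the same form there. printnat also modifies its argument at `np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);` purely for display, so a caller that prints the same rule twice sees nextip byte-swapped the second time; convert into a local `struct in_addr` for the inet_ntoa() call instead. The `hv1 = ..., hv1 = ..., hv2 = ..., hv2 = ..., printf(...)` sequence in printactivenat is joined with commas rather than semicolons, which compiles but reads as one statement and hides the separate assignments.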
diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c
new file mode 100644
index 000000000000..16bda9b274e6
--- /dev/null
+++ b/contrib/ipfilter/printstate.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2002 by Darren Reed.
+ *
+ * See the IPFILTER.LICENCE file for details on licencing.
+ */
+#ifdef __sgi
+# include <sys/ptimers.h>
+#endif
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netinet/in_systm.h>
+#include <net/if.h>
+#include <stdio.h>
+#include "kmem.h"
+#include "netinet/ip_compat.h"
+#include "ipf.h"
+#include "netinet/ip_fil.h"
+#include "netinet/ip_state.h"
+
+#define PRINTF (void)printf
+#define FPRINTF (void)fprintf
+
+ipstate_t *printstate(sp, opts)
+ipstate_t *sp;
+int opts;
+{
+ ipstate_t ips;
+
+ if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips)))
+ return NULL;
+
+ PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
+ PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n",
+ hostname(ips.is_v, &ips.is_dst.in4),
+ ips.is_age, ips.is_pass, ips.is_p,
+ ips.is_state[0], ips.is_state[1]);
+#ifdef USE_QUAD_T
+ PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts,
+ (unsigned long long) ips.is_bytes);
+#else
+ PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
+#endif
+ if (ips.is_p == IPPROTO_TCP)
+#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
+(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
+ PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ ntohs(ips.is_sport), ntohs(ips.is_dport),
+ ips.is_send, ips.is_dend,
+ ips.is_maxswin, ips.is_maxdwin);
+#else
+ PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ ntohs(ips.is_sport), ntohs(ips.is_dport),
+ ips.is_send, ips.is_dend,
+ ips.is_maxswin, ips.is_maxdwin);
+#endif
+ else if (ips.is_p == IPPROTO_UDP)
+ PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
+ ntohs(ips.is_dport));
+ else if (ips.is_p == IPPROTO_ICMP
+#ifdef USE_INET6
+ || ips.is_p == IPPROTO_ICMPV6
+#endif
+ )
+ PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id),
+ ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type);
+
+ PRINTF("\n\t");
+
+ /*
+ * Print out bits set in the result code for the state being
+ * kept as they would for a rule.
+ */
+ if (ips.is_pass & FR_PASS) {
+ PRINTF("pass");
+ } else if (ips.is_pass & FR_BLOCK) {
+ PRINTF("block");
+ switch (ips.is_pass & FR_RETMASK)
+ {
+ case FR_RETICMP :
+ PRINTF(" return-icmp");
+ break;
+ case FR_FAKEICMP :
+ PRINTF(" return-icmp-as-dest");
+ break;
+ case FR_RETRST :
+ PRINTF(" return-rst");
+ break;
+ default :
+ break;
+ }
+ } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
+ PRINTF("log");
+ if (ips.is_pass & FR_LOGBODY)
+ PRINTF(" body");
+ if (ips.is_pass & FR_LOGFIRST)
+ PRINTF(" first");
+ } else if (ips.is_pass & FR_ACCOUNT)
+ PRINTF("count");
+
+ if (ips.is_pass & FR_OUTQUE)
+ PRINTF(" out");
+ else
+ PRINTF(" in");
+
+ if ((ips.is_pass & FR_LOG) != 0) {
+ PRINTF(" log");
+ if (ips.is_pass & FR_LOGBODY)
+ PRINTF(" body");
+ if (ips.is_pass & FR_LOGFIRST)
+ PRINTF(" first");
+ if (ips.is_pass & FR_LOGORBLOCK)
+ PRINTF(" or-block");
+ }
+ if (ips.is_pass & FR_QUICK)
+ PRINTF(" quick");
+ if (ips.is_pass & FR_KEEPFRAG)
+ PRINTF(" keep frags");
+ /* a given; no? */
+ if (ips.is_pass & FR_KEEPSTATE)
+ PRINTF(" keep state");
+ PRINTF("\tIPv%d", ips.is_v);
+ PRINTF("\n");
+
+ PRINTF("\tpkt_flags & %x(%x) = %x,\t",
+ ips.is_flags & 0xf, ips.is_flags,
+ ips.is_flags >> 4);
+ PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk,
+ ips.is_opt);
+ PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
+ ips.is_secmsk, ips.is_sec, ips.is_authmsk,
+ ips.is_auth);
+ PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0]));
+ PRINTF(",%s", getifname(ips.is_ifp[1]));
+ PRINTF(" out %s", getifname(ips.is_ifp[2]));
+ PRINTF(",%s\n", getifname(ips.is_ifp[3]));
+
+ return ips.is_next;
+}
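Review bot: The `#if`/`#else` around the TCP branch guards two byte-identical PRINTF calls, so the platform test (including the `NetBSD < 1991011` bound, which reads like a mistyped `1999011`) has no effect; drop the conditional and keep a single `PRINTF("\t%hu -> %hu %x:%x %hu:%hu", ...)`. The `log` action branch is entered only when `(ips.is_pass & FR_LOGMASK) == FR_LOG`, so if FR_LOGBODY and FR_LOGFIRST are covered by FR_LOGMASK the two inner checks there can never fire, and a state kept by a bare `log` rule appears to be printed as `log in log` because the later `(ips.is_pass & FR_LOG) != 0` block repeats the word — worth confirming against the flag definitions before trimming. A header comment such as `/* Copy one state entry out of the kernel and print it; returns its is_next link, or NULL if kmemcpy failed. */` would document the return value the caller uses to walk the list.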
diff --git a/contrib/ipfilter/test/expected/f15 b/contrib/ipfilter/test/expected/f15
new file mode 100644
index 000000000000..9b31258e5717
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f15
@@ -0,0 +1,9 @@
+block return-rst
+pass
+block return-icmp
+pass
+block
+nomatch
+pass
+pass
+--------
diff --git a/contrib/ipfilter/test/expected/f16 b/contrib/ipfilter/test/expected/f16
new file mode 100644
index 000000000000..b6cb3fae0818
--- /dev/null
+++ b/contrib/ipfilter/test/expected/f16
@@ -0,0 +1,9 @@
+block
+block
+pass
+block
+pass
+pass
+block
+block
+--------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
new file mode 100644
index 000000000000..c158752d5330
--- /dev/null
+++ b/contrib/ipfilter/test/expected/l1
@@ -0,0 +1,49 @@
+log in all
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
+pass in on anon0 all head 100
+--------
+pass in log quick from 3.3.3.3 to any group 100
+--------
+pass in log body quick from 2.2.2.2 to any
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+--------
+pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+--------
+pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b
new file mode 100644
index 000000000000..eef36606b295
--- /dev/null
+++ b/contrib/ipfilter/test/expected/l1.b
@@ -0,0 +1,47 @@
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
+--------
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d ............
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+--------
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d ............
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
+42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+--------
diff --git a/contrib/ipfilter/test/expected/ni1 b/contrib/ipfilter/test/expected/ni1
new file mode 100644
index 000000000000..a47b3da07eae
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ni1
@@ -0,0 +1,3 @@
+4500 0028 4706 4000 0111 ced8 0606 0606 0404 0404 afc9 829e 0014 0b2d 0402 0000 3be5 468d 000a cfc3
+4500 0038 809a 0000 ff01 8f31 0303 0303 0202 0202 0b00 a537 0000 0000 4500 0028 4703 4000 0111 ef89 0202 0202 0404 0404 afc9 829e 0014 1d4f
+-------------------------------
diff --git a/contrib/ipfilter/test/expected/ni2 b/contrib/ipfilter/test/expected/ni2
new file mode 100644
index 000000000000..4fa04c0cb24a
--- /dev/null
+++ b/contrib/ipfilter/test/expected/ni2
@@ -0,0 +1,10 @@
+4510 002c bd0d 4000 3e06 ea1d 0101 0101 c0a8 0133 9c40 0077 a664 2485 0000 0000 6002 4000 cea4 0000 0204 05b4
+4500 002c ce83 4000 7e06 98b7 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a21 a664 2486 6012 2238 62a5 0000 0204 05b4
+4510 0028 bd0e 4000 3e06 ea20 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a22 5010 4470 cbdf 0000
+4500 005b cf83 4000 7e06 9788 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a22 a664 2486 5018 2238 b5d9 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0a
+4510 0028 bd18 4000 3e06 ea16 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5010 4470 cbac 0000
+4510 002e bd1e 4000 3e06 ea0a 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 deb6 0000 0000 0000 0d0a
+4500 0048 e383 4000 7e06 839b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 fe54 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
+4500 05dc e483 4000 7e06 7d07 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f6c 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 
3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
+4500 0038 d71d 4000 4001 f0be 0101 0101 c0a8 0133 0304 348b 0000 05a0 4500 05dc e483 4000 7e06 8707 c0a8 0133 0101 0101 0077 9c40 fbdf 1a75
+-------------------------------
diff --git a/contrib/ipfilter/test/input/f15 b/contrib/ipfilter/test/input/f15
new file mode 100644
index 000000000000..db547cb4f326
--- /dev/null
+++ b/contrib/ipfilter/test/input/f15
@@ -0,0 +1,8 @@
+in on hme0 tcp 10.1.2.3,1200 195.134.65.10,100 S
+in on hme0 tcp 10.1.2.3,1200 195.134.65.10,22 S
+in on hme0 udp 10.1.2.3,1200 195.134.65.10,100
+in on hme0 udp 10.1.2.3,53 195.134.65.10,53
+in on hme0 10.1.2.3 195.134.65.10
+in on hme1 195.134.65.10 10.1.2.3
+in on hme1 udp 195.134.65.10,53 10.1.2.3,53
+in on hme1 tcp 195.134.65.10,22 10.1.2.3,1200 SA
diff --git a/contrib/ipfilter/test/input/f16 b/contrib/ipfilter/test/input/f16
new file mode 100644
index 000000000000..a17f41f756ec
--- /dev/null
+++ b/contrib/ipfilter/test/input/f16
@@ -0,0 +1,8 @@
+in 2.2.2.2 5.5.5.5
+in 2.2.2.2 1.1.1.1
+in udp 4.4.4.4,110 1.1.1.1,53
+in udp 4.4.4.9,101 1.1.1.3,35
+in udp 4.4.4.8,111 1.1.1.2,53
+in tcp 4.4.4.7,220 1.1.1.1,23
+in tcp 4.4.4.6,202 1.1.1.3,22
+in tcp 4.4.4.5,222 1.1.1.2,52
diff --git a/contrib/ipfilter/test/input/ipf6-1 b/contrib/ipfilter/test/input/ipf6-1
new file mode 100644
index 000000000000..8cc2d175dc24
--- /dev/null
+++ b/contrib/ipfilter/test/input/ipf6-1
@@ -0,0 +1,26 @@
+[out,de0]
+6000 0000 0020 3aff ef00 0000 0000 0000
+0000 0000 0001 0013 ff02 0000 0000 0000
+0000 0001 ff01 000b 8700 ea32 0000 0000
+ef00 0000 0000 0000 0000 0000 0001 000b
+0101 0048 5487 5c6f
+
+[in,de0]
+6000 0000 0020 3aff ef00 0000 0000 0000
+0000 0000 0001 000b ef00 0000 0000 0000
+0000 0000 0001 0013 8800 5322 6000 0000
+ef00 0000 0000 0000 0000 0000 0001 000b
+0201 0800 2071 cce1
+
+[out,de0]
+6000 0000 0010 3a40 ef00 0000 0000 0000
+0000 0000 0001 0013 ef00 0000 0000 0000
+0000 0000 0001 000b 8000 3210 06ff 0002
+9ec3 3c3c 8a82 0300
+
+[in,de0]
+6000 0000 0010 3aff ef00 0000 0000 0000
+0000 0000 0001 000b ef00 0000 0000 0000
+0000 0000 0001 0013 8100 3110 06ff 0002
+9ec3 3c3c 8a82 0300
+
diff --git a/contrib/ipfilter/test/input/l1 b/contrib/ipfilter/test/input/l1
new file mode 100644
index 000000000000..afda0db3971b
--- /dev/null
+++ b/contrib/ipfilter/test/input/l1
@@ -0,0 +1,52 @@
+# 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF SYN
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 02 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
+45 00 0028 0000 4000 3f 06 0000 02020202 01010101
+0019 0401 00000000 00000000 50 12 2000 0000 0000
+
+#in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
+[out,e1] 45 00 0028 0000 4000 3f 06 0000 02020202 01010101
+0019 0401 00000000 00000000 50 10 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 01 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
+45 00 0028 0000 4000 3f 06 0000 01010101 02020202
+0401 0019 00000000 00000000 50 10 2000 0000 0000
+
+#in on e1 udp 1.1.1.1,1 4.4.4.4,53
+45 00 0028 0000 4000 3f 11 0000 01010101 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+
+#in on e1 udp 2.2.2.2,2 4.4.4.4,53
+45 00 0028 0000 4000 3f 11 0000 02020202 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+
+#in on e1 udp 2.2.2.2,2 4.4.4.4,53
+45 00 0038 0000 4000 3f 11 0000 02020202 04040404
+0001 0035 0000 0000 0102 0304 0506 0708 090a 0b0d
+0e0f 4061 4263 4465 4667 4869 4a6b 4c6d
+
+#in on e0 ip 4.4.4.4,53 1.1.1.1,1
+45 00 0014 0000 4000 3f 00 0000 02020202 04040404
+
+#in on e0 udp 3.3.3.3,1023 1.1.1.1,2049
+45 00 001c 0000 4000 3f 11 0000 03030303 01010101
+03ff 0801 0000 0000
+
+#in on e0 udp 1.1.1.1,2049 3.3.3.3,1023
+45 00 001c 0000 4000 3f 11 0000 01010101 03030303
+0801 03ff 0000 0000
+
diff --git a/contrib/ipfilter/test/input/ni1 b/contrib/ipfilter/test/input/ni1
new file mode 100644
index 000000000000..a099f8004d6d
--- /dev/null
+++ b/contrib/ipfilter/test/input/ni1
@@ -0,0 +1,6 @@
+#v tos len id off ttl p sum src dst
+# ICMP timeout exceeded in reply to a ICMP packet going out.
+[out,df0] 45 00 0028 4706 4000 01 11 ced8 0202 0202 0404 0404 afc9 829e 0014 1335 0402 0000 3be5 468d 000a cfc3
+
+[in,df0] 45 00 0038 809a 0000 ff 01 8f31 0303 0303 0101 0101 0b00 ad3f 0000 0000 4500 0028 4703 4000 0111 e781 0606 0606 0404 0404 afc9 829e 0014 1547
+
diff --git a/contrib/ipfilter/test/input/ni2 b/contrib/ipfilter/test/input/ni2
new file mode 100644
index 000000000000..95547fe8f07e
--- /dev/null
+++ b/contrib/ipfilter/test/input/ni2
@@ -0,0 +1,161 @@
+# Test of fragmentation required coming from the inside.
+[out,xl0]
+4510 002c bd0d 4000 3e06 ea1d
+0a01 0201
+c0a8 0133
+05f6 0077 a664 2485 0000 0000
+6002 4000 5aef 0000 0204 05b4
+
+[in,xl0]
+4500 002c ce83 4000 7e06 98b7
+c0a8 0133
+0a01 0201
+0077 05f6 fbdf 1a21 a664 2486
+6012 2238 62a5 0000 0204 05b4 0000
+
+[out,xl0]
+4510 0028 bd0e 4000 3e06 ea20
+0a01 0201
+c0a8 0133
+05f6 0077 a664 2486 fbdf 1a22
+5010 4470 582a 0000
+
+[in,xl0]
+4500 005b cf83 4000 7e06 9788
+c0a8 0133
+0a01 0201
+0077 05f6 fbdf 1a22 a664 2486
+5018 2238 b5d9 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0a
+
+[out,xl0]
+4510 0028 bd18 4000 3e06 ea16
+0a01 0201
+c0a8 0133
+05f6 0077 a664 2486 fbdf 1a55
+5010 4470 57f7 0000
+
+[out,xl0]
+4510 002e bd1e 4000 3e06 ea0a
+0a01 0201
+c0a8 0133
+05f6 0077 a664 2486 fbdf 1a55
+5018 4470 6b01 0000 0000 0000 0d0a
+
+[in,xl0]
+4500 0048 e383 4000 7e06 839b
+c0a8 0133
+0a01 0201
+0077 05f6 fbdf 1a55 a664 248c
+5018 2232 fe54 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000
+
+[in,xl0]
+4500 05dc e483 4000 7e06 7d07
+c0a8 0133
+0a01 0201
+0077 05f6 fbdf 1a75 a664 248c
+5010 2232 9f6c 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3331 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 1111 2222 3333
+0000 0000 0000 0000 0000 0000 1111 2222
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 1111 2222 3333 0000 0000 0000 0000
+0000 0000 1111 2222 3333 0000 0000 0000
+0000 0000 0000 1111 2222 3333 0000 0000
+0000 0000 0000 0000 1111 2222 3333 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000 0000 0000
+0000 0000 0000 0000 0000 0000
+
+[out,xl0]
+4500 0038 d71d 4000 4001 ce16
+c0a8 6401
+c0a8 0133
+0304 cad5 0000 05a0 4500 05dc
+e483 4000 7e06 7d07 c0a8 0133 0a01 0201
+0077 05f6 fbdf 1a75
+
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
new file mode 100755
index 000000000000..0600056c00ed
--- /dev/null
+++ b/contrib/ipfilter/test/logtest
@@ -0,0 +1,48 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+
+/bin/cp /dev/null results/$1
+/bin/cp /dev/null results/$1.b
+
+( while read rule; do
+ echo $rule >> results/$1
+ echo $rule | ../ipftest -br - -Hi input/$1 -l logout > /dev/null
+ if [ $? -ne 0 ] ; then
+ /bin/rm -f logout
+ exit 1
+ fi
+ ../ipmon -P /dev/null -f logout >> results/$1
+ echo "--------" >> results/$1
+ ../ipmon -P /dev/null -bf logout >> results/$1.b
+ echo "--------" >> results/$1.b
+done ) < regress/$1
+../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
+../ipmon -P /dev/null -f logout >> results/$1
+echo "--------" >> results/$1
+../ipmon -P /dev/null -bf logout >> results/$1.b
+echo "--------" >> results/$1.b
+
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+cmp expected/$1.b results/$1.b
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+/bin/rm -f logout
+$TOUCH $1
+exit 0
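Review bot: The `exit 1` inside the `( while read rule; ... done ) < regress/$1` loop only terminates the subshell, so an ipftest failure for one rule does not stop the script — the remaining rules and the final cmp still run, and the failure surfaces, if at all, as a spurious diff. Propagating the subshell status, `done ) < regress/$1 || exit 1`, keeps the intended early exit; natipftest has the same shape at its `exit 1;`. `echo $rule` on the loop's first two lines is unquoted, so a `*` or `?` in a rule is globbed before it is logged and piped to ipftest; natipftest already writes `echo "$rule"`.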
diff --git a/contrib/ipfilter/test/mtest b/contrib/ipfilter/test/mtest
new file mode 100755
index 000000000000..b185abb2bf7f
--- /dev/null
+++ b/contrib/ipfilter/test/mtest
@@ -0,0 +1,36 @@
+#!/bin/sh
+# multiple rules at the same time
+
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+
+/bin/cp /dev/null results/$1
+
+../ipftest -br regress/$1 -i input/$1 > results/$1
+if [ $? -ne 0 ] ; then
+ exit 1
+fi
+echo "--------" >> results/$1
+
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+cmp expected/$1 results/$1
+status=$?
+if [ $status -ne 0 ] ; then
+ exit $status
+fi
+$TOUCH $1
+exit 0
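Review bot: The second `cmp expected/$1 results/$1` block repeats the first one exactly, so it can never fail once the first has passed; it looks like a copy of logtest's `.b` comparison and should be deleted or compare a different pair of files. All three new scripts also leave TOUCH empty when none of the three touch paths exist, so `$TOUCH $1` would then run the test name as a command; `TOUCH=${TOUCH:-touch}` after the `if` chain gives a safe default.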
diff --git a/contrib/ipfilter/test/natipftest b/contrib/ipfilter/test/natipftest
new file mode 100755
index 000000000000..8627168ed2cd
--- /dev/null
+++ b/contrib/ipfilter/test/natipftest
@@ -0,0 +1,28 @@
+#!/bin/sh
+if [ -f /usr/ucb/touch ] ; then
+ TOUCH=/usr/ucb/touch
+else
+ if [ -f /usr/bin/touch ] ; then
+ TOUCH=/usr/bin/touch
+ else
+ if [ -f /bin/touch ] ; then
+ TOUCH=/bin/touch
+ fi
+ fi
+fi
+echo "$1...";
+/bin/cp /dev/null results/$1
+( while read rule; do
+ echo "$rule" | ../ipftest -bHx -r regress/$1.ipf -Nr - -i input/$1 >> \
+ results/$1;
+ if [ $? -ne 0 ] ; then
+ exit 1;
+ fi
+ echo "-------------------------------" >> results/$1
+done ) < regress/$1.nat
+cmp expected/$1 results/$1
+status=$?
+if [ $status = 0 ] ; then
+ $TOUCH $1
+fi
+exit $status
diff --git a/contrib/ipfilter/test/regress/f15 b/contrib/ipfilter/test/regress/f15
new file mode 100644
index 000000000000..16185e1f3685
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f15
@@ -0,0 +1,8 @@
+block in log quick on hme0 from any to 195.134.65.0/25 head 10
+block return-rst in log quick proto tcp all flags S head 100 group 10
+pass in quick proto tcp from any to any port = 22 keep state group 100
+pass in quick proto tcp from any to any port = 23 keep state group 100
+pass in quick proto tcp from any to any port = 21 keep state group 100
+block return-icmp in quick proto udp all keep state head 110 group 10
+pass in quick proto udp from any to any port = 53 keep state group 110
+block in log quick on hme0 from any to any
diff --git a/contrib/ipfilter/test/regress/f16 b/contrib/ipfilter/test/regress/f16
new file mode 100644
index 000000000000..920ad8c958d2
--- /dev/null
+++ b/contrib/ipfilter/test/regress/f16
@@ -0,0 +1,10 @@
+pass in all
+skip 2 in proto tcp all
+block in quick proto tcp all
+skip 4 in proto udp all
+block in quick proto udp all
+pass in quick proto tcp from any to 1.1.1.1
+pass in quick proto tcp from any to 1.1.1.2 port = 22
+block in quick proto udp from any to any port = 53
+pass in quick proto udp from any to any port = 53
+block in all
diff --git a/contrib/ipfilter/test/regress/ipf6-1 b/contrib/ipfilter/test/regress/ipf6-1
new file mode 100644
index 000000000000..814dfd6cd664
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ipf6-1
@@ -0,0 +1,3 @@
+block in all
+block out all
+pass out proto 58 all keep state
diff --git a/contrib/ipfilter/test/regress/l1 b/contrib/ipfilter/test/regress/l1
new file mode 100644
index 000000000000..88cca58039f9
--- /dev/null
+++ b/contrib/ipfilter/test/regress/l1
@@ -0,0 +1,6 @@
+log in all
+pass in on anon0 all head 100
+pass in log quick from 3.3.3.3 to any group 100
+pass in log body quick from 2.2.2.2 to any
+pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
+pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni1.ipf b/contrib/ipfilter/test/regress/ni1.ipf
new file mode 100644
index 000000000000..c7e5797185dc
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni1.ipf
@@ -0,0 +1,4 @@
+block in all
+block out all
+pass out proto udp from any to any keep state
+pass out proto tcp from any to any flags S keep state
diff --git a/contrib/ipfilter/test/regress/ni1.nat b/contrib/ipfilter/test/regress/ni1.nat
new file mode 100644
index 000000000000..4306f4b45d3d
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni1.nat
@@ -0,0 +1 @@
+map df0 2.2.2.2/32 -> 6.6.6.6/32
diff --git a/contrib/ipfilter/test/regress/ni2.ipf b/contrib/ipfilter/test/regress/ni2.ipf
new file mode 100644
index 000000000000..5956cf9f929c
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni2.ipf
@@ -0,0 +1 @@
+pass out quick proto tcp from any to any flags S/SAFR keep state
diff --git a/contrib/ipfilter/test/regress/ni2.nat b/contrib/ipfilter/test/regress/ni2.nat
new file mode 100644
index 000000000000..4ad73c2ed4b8
--- /dev/null
+++ b/contrib/ipfilter/test/regress/ni2.nat
@@ -0,0 +1 @@
+map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000