Major cleanup of the base IPFilter:
authorHiten Pandya <hmp@dragonflybsd.org>
Wed, 28 Jul 2004 00:22:37 +0000 (00:22 +0000)
committerHiten Pandya <hmp@dragonflybsd.org>
Wed, 28 Jul 2004 00:22:37 +0000 (00:22 +0000)
o Vendor's ChangeLog available in src/contrib/ipfilter/HISTORY.

o Update kernel and userland to version 3.4.35, major changes:

    * only allow non-fragmented packets to influence whether or
      not a logged packet is the same as the one logged before.

    * block packets that fail to create state table entries.

    * correct the ICMP packet checksum fixing up when processing
      ICMP errors for NAT.

    * implement a maximum for the number of entries in the NAT
      table (NAT_TABLE_MAX and ipf_nattable_max).

    * frsynclist() wasn't paying attention to all places where
      interface names are, like it should.

    * fix comparison of ICMP packets with established TCP state
      where only 8 bytes of header are returned in the ICMP
      error.

o Following files were removed from under src/contrib/ipfilter,
  because they were redundant:

      fil.c ip_auth.c ip_auth.h ip_compat.h ip_fil.c ip_fil.h
      ip_frag.c ip_frag.h ip_ftp_pxy.c ip_log.c ip_nat.c
      ip_nat.h ip_proxy.c ip_proxy.h ip_raudio_pxy.c ip_rcmd_pxy.c
      ip_state.c ip_state.h ipl.h mlfk_ipl.c

o Cast interface numbers to u_int instead of u_char, so that
  big numbered units don't get truncated. More information on
  this problem can be found at FreeBSD GNATS, PR kern/64584.

o Compile INET6 support into ipfilter unless NOINET6 is defined
  as Make variable.

o Update $FreeBSD$ CVS ID tags.

o Adjust minor style(9) changes, like prototypes, etc.

Tested by David Rhodus, Chris Beuchler and Chris Pressey.

Reviewed-by: Darren Reed <darrenr@freebsd.org> (earlier version)
             Matthew Dillon <dillon@apollo.backplane.com>

98 files changed:
contrib/ipfilter/BSD/kupgrade
contrib/ipfilter/HISTORY
contrib/ipfilter/Makefile
contrib/ipfilter/common.c
contrib/ipfilter/fil.c [deleted file]
contrib/ipfilter/fils.c
contrib/ipfilter/ip_auth.c [deleted file]
contrib/ipfilter/ip_auth.h [deleted file]
contrib/ipfilter/ip_compat.h [deleted file]
contrib/ipfilter/ip_fil.c [deleted file]
contrib/ipfilter/ip_fil.h [deleted file]
contrib/ipfilter/ip_frag.c [deleted file]
contrib/ipfilter/ip_frag.h [deleted file]
contrib/ipfilter/ip_ftp_pxy.c [deleted file]
contrib/ipfilter/ip_log.c [deleted file]
contrib/ipfilter/ip_nat.c [deleted file]
contrib/ipfilter/ip_nat.h [deleted file]
contrib/ipfilter/ip_proxy.c [deleted file]
contrib/ipfilter/ip_proxy.h [deleted file]
contrib/ipfilter/ip_raudio_pxy.c [deleted file]
contrib/ipfilter/ip_rcmd_pxy.c [deleted file]
contrib/ipfilter/ip_sfil.c
contrib/ipfilter/ip_state.c [deleted file]
contrib/ipfilter/ip_state.h [deleted file]
contrib/ipfilter/ipf.c
contrib/ipfilter/ipf.h
contrib/ipfilter/ipfs.c
contrib/ipfilter/ipft_ef.c
contrib/ipfilter/ipft_td.c
contrib/ipfilter/ipl.h [deleted file]
contrib/ipfilter/iplang/iplang_l.l
contrib/ipfilter/ipmon.c
contrib/ipfilter/ipnat.c
contrib/ipfilter/ipsend/ipsend.1
contrib/ipfilter/ipsend/ipsend.c
contrib/ipfilter/ipsend/ipsopt.c
contrib/ipfilter/ipt.c
contrib/ipfilter/kmem.c
contrib/ipfilter/man/ipf.5
contrib/ipfilter/man/ipf.8
contrib/ipfilter/man/ipfstat.8
contrib/ipfilter/man/ipl.4
contrib/ipfilter/man/ipmon.8
contrib/ipfilter/man/ipnat.5
contrib/ipfilter/mlfk_ipl.c [deleted file]
contrib/ipfilter/mln_ipl.c
contrib/ipfilter/natparse.c
contrib/ipfilter/parse.c
contrib/ipfilter/printnat.c
contrib/ipfilter/printstate.c
contrib/ipfilter/test/Makefile
contrib/ipfilter/test/dotest
contrib/ipfilter/test/dotest6
contrib/ipfilter/test/expected/in1
contrib/ipfilter/test/expected/ni1
contrib/ipfilter/test/expected/ni2
contrib/ipfilter/test/expected/ni3
contrib/ipfilter/test/expected/ni4
contrib/ipfilter/test/expected/ni5
contrib/ipfilter/test/hextest
contrib/ipfilter/test/input/f13
contrib/ipfilter/test/input/f17
contrib/ipfilter/test/input/ni1
contrib/ipfilter/test/input/ni2
contrib/ipfilter/test/input/ni3
contrib/ipfilter/test/input/ni4
contrib/ipfilter/test/input/ni5
contrib/ipfilter/test/intest
contrib/ipfilter/test/itest
contrib/ipfilter/test/logtest
contrib/ipfilter/test/mhtest
contrib/ipfilter/test/mtest
contrib/ipfilter/test/natipftest
contrib/ipfilter/test/nattest
contrib/ipfilter/test/regress/in1
sbin/ipf/Makefile
sbin/ipfstat/Makefile
sbin/ipnat/Makefile
sys/contrib/ipfilter/netinet/fil.c
sys/contrib/ipfilter/netinet/ip_compat.h
sys/contrib/ipfilter/netinet/ip_fil.c
sys/contrib/ipfilter/netinet/ip_fil.h
sys/contrib/ipfilter/netinet/ip_frag.c
sys/contrib/ipfilter/netinet/ip_frag.h
sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
sys/contrib/ipfilter/netinet/ip_log.c
sys/contrib/ipfilter/netinet/ip_nat.c
sys/contrib/ipfilter/netinet/ip_nat.h
sys/contrib/ipfilter/netinet/ip_raudio_pxy.c
sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c
sys/contrib/ipfilter/netinet/ip_state.c
sys/contrib/ipfilter/netinet/ip_state.h
sys/contrib/ipfilter/netinet/ipl.h
sys/net/ipfilter/Makefile
usr.sbin/ipftest/Makefile
usr.sbin/ipresend/Makefile
usr.sbin/ipsend/Makefile
usr.sbin/iptest/Makefile

index f4cb518..ae0b71f 100644 (file)
@@ -16,6 +16,9 @@ if [ $os = FreeBSD ] ; then
                echo "Copying /usr/include/osreldate.h to /sys/sys"
                cp /usr/include/osreldate.h /sys/sys
        fi
+       if [ -f /sys/contrib/ipfilter/netinet/mlfk_ipl.c ] ; then
+               /bin/cp mlfk_ipl.c /sys/contrib/ipfilter/netinet/
+       fi
 fi
 archdir="/sys/arch/$karch"
 ipfdir=/sys/netinet
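Review bot: The added `/bin/cp mlfk_ipl.c /sys/contrib/ipfilter/netinet/` is guarded only by a test that the destination exists, not that `mlfk_ipl.c` is present in the directory the script runs from, and its exit status is ignored. A failed copy would therefore leave the old kernel source in place with nothing to stop the upgrade from continuing. The file list of this commit also marks contrib/ipfilter/mlfk_ipl.c as deleted, so it is worth confirming where the copy is expected to come from. A stricter form would be `if [ -f mlfk_ipl.c ] && [ -f /sys/contrib/ipfilter/netinet/mlfk_ipl.c ] ; then` with `/bin/cp mlfk_ipl.c /sys/contrib/ipfilter/netinet/ || exit 1` inside. The enclosing `if [ $os = FreeBSD ]` block starts outside the hunk.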
index 80b49e2..85a8b5f 100644 (file)
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+3.4.35 21/6/2004 - Released
+
+some cases of ICMP checksum alteration were wrong
+
+block packets that fail to create state table entries
+
+correctly handle all return values from ip_natout() when fastrouting
+
+ipmon was not correctly calculating the length of the IPv6 packet (excluded
+ipv6 header length)
+
+3.4.34 20/4/2004 - Released
+
+correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
+
+various changes to ipsend for sending packets with ipv4 options
+
+look for ipmon's pidfile in /var/run and /etc/opt/ipf in Solaris' init script
+
+only allow non-fragmented packets to influence whether or not a logged
+packet is the same as the one logged before.
+
+make "ipfstat -f" output more informative
+
+compatibility for openbsd byte order changes to ip_off/ip_len
+
+disallow "freebsd" as a make target (encourages people to do the wrong thing)
+
+3.4.33 15/12/2003 - Released
+
+pass on messages moving through ipfilter when it is unloading itself on Solaris
+
+add disabling of auto-detach when the module attaches on Solaris
+
+compatibility patches for 'struct ifnet' changes on FreeBSD
+
+implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
+and ipf_nattable_max)
+
+fix ipfstat -A
+
+frsynclist() wasn't paying attention to all the places where interface
+names are, like it should.
+
+fix where packet header pointers are pointing to after doing an ipf_pullup
+
+fix comparing ICMP packets with established TCP state where only 8 bytes
+of header are returned in the ICMP error.
+
+3.4.32 18/6/2003 - Released
+
+fix up the behaviour of ipfs
+
+make parsing errors in ipf/ipnat return an error rather than return
+indicating success.
+
+window scaling patch
+
+make ipfstat work as a set{g,u}id thing - gave up privs before opening
+/dev/ipl
+
+checksum adjustment corrections for ICMP & NAT
+
+attempt to always get an mbuf full of data through pullup if possible
+
+Fix bug with NAT and fragments causing system to crash
+
+Add patches for OpenBSD 3.3
+
+stop LKM locking up the machine on modern NetBSD(?)
+
+allow timeouts in NAT rules to over-ride fr_defnatage if LARGE_NAT is defined
+
+Locking patches for IRIX 6.5 from SGI.
+fix bug in synchronising state sessions where all interfaces were invalidated
+
+fix bug in openbsd 3.2 bridge diffs
+
+fix bug parsing port comparisons in proxy rules
+
 3.4.31 7/12/2002 - Released
 
 Solaris 10 compatibility
index 2abeb53..a20c1d6 100644 (file)
@@ -5,6 +5,8 @@
 #
 # $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $
 #
+.PATH: ${.CURDIR}../../contrib/ipfilter ${.CURDIR}/../../sys/contrib/ipfilter
+
 BINDEST=/usr/local/bin
 SBINDEST=/sbin
 MANDIR=/usr/local/man
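Review bot: The first directory on the added `.PATH:` line is missing the slash after `${.CURDIR}`, so it expands to `<curdir>../../contrib/ipfilter` rather than a path relative to the parent directories; the second entry on the same line has the slash. It should read `.PATH: ${.CURDIR}/../../contrib/ipfilter ${.CURDIR}/../../sys/contrib/ipfilter`. With the typo, make would presumably resolve sources only through the second directory and not report the bad entry, so a file meant to come from contrib/ipfilter could be taken from elsewhere or not found.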
@@ -84,7 +86,7 @@ all:
        @echo "solaris  - auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86"
        @echo "netbsd   - compile for NetBSD"
        @echo "openbsd  - compile for OpenBSD"
-       @echo "freebsd  - compile for FreeBSD 2.0, 2.1 or earlier"
+       @echo "freebsd20        - compile for FreeBSD 2.0, 2.1 or earlier"
        @echo "freebsd22        - compile for FreeBSD-2.2 or greater"
        @echo "freebsd3 - compile for FreeBSD-3.x"
        @echo "freebsd4 - compile for FreeBSD-4.x"
@@ -123,7 +125,7 @@ freebsd22: include
        else \
                ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
        fi
-       make freebsd
+       make freebsd20
 
 freebsd4: include
        if [ x$INET6 = x ] ; then \
@@ -150,7 +152,7 @@ openbsd openbsd21: include
        (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
        (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
 
-freebsd freebsd20 freebsd21: include
+freebsd20 freebsd21: include
        make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
        (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
        (cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
@@ -288,3 +290,27 @@ null:
                exit 1; \
        fi
        -@echo make ok
+
+test-solaris test-sunos4 test-sunos5: solaris
+       (cd test && make clean && make)
+
+test-freebsd: freebsd
+       (cd test && make clean && make)
+
+test-freebsd22: freebsd22
+       (cd test && make clean && make)
+
+test-freebsd3: freebsd3
+       (cd test && make clean && make)
+
+test-freebsd4: freebsd4
+       (cd test && make clean && make)
+
+test-netbsd: netbsd
+       (cd test && make clean && make)
+
+test-openbsd: openbsd
+       (cd test && make clean && make)
+
+test-irix: irix
+       (cd test && make clean && make)
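Review bot: `test-freebsd: freebsd` names a prerequisite that this same commit removes, since the rule header changes from `freebsd freebsd20 freebsd21: include` to `freebsd20 freebsd21: include`. Unless `freebsd` is defined elsewhere in the Makefile, `make test-freebsd` would stop with no rule to make it. The rule should probably become `test-freebsd20: freebsd20`. The recursive calls in all of the new test rules would also be more robust as `(cd test && $(MAKE) clean && $(MAKE))`, so that flags and the chosen make binary propagate.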
index 8c72591..fa21fc9 100644 (file)
@@ -263,7 +263,19 @@ int     linenum;
                return 0;
        if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
                (*seg)++;
-               if (isalnum(***seg) && *(*seg + 2)) {
+               if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
+                       comp = FR_EQUAL;
+               else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
+                       comp = FR_NEQUAL;
+               else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
+                       comp = FR_LESST;
+               else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
+                       comp = FR_GREATERT;
+               else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
+                       comp = FR_LESSTE;
+               else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
+                       comp = FR_GREATERTE;
+               else if (isalnum(***seg) && *(*seg + 2)) {
                        if (portnum(**seg, pp, linenum) == 0)
                                return -1;
                        (*seg)++;
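Review bot: The `isalnum(***seg)` test that now ends the comparator chain is handed a plain `char`, which is undefined behaviour for bytes above 0x7f on platforms where `char` is signed. The token appears to come from a parsed rules line (the function takes `linenum`), so `else if (isalnum((unsigned char)***seg) && *(*seg + 2)) {` is the safe form. The new ordering is also load-bearing, because `eq`, `ne`, `lt` and the other keywords are themselves alphanumeric and would otherwise be taken as the start of a port range. A one-line comment such as `/* comparator keywords are alphanumeric: test them before the port-range branch */` would keep a later cleanup from reverting it. The enclosing function begins and ends outside the hunk.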
@@ -285,19 +297,7 @@ int     linenum;
                        }
                        if (portnum(**seg, tp, linenum) == 0)
                                return -1;
-               } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
-                       comp = FR_EQUAL;
-               else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
-                       comp = FR_NEQUAL;
-               else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
-                       comp = FR_LESST;
-               else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
-                       comp = FR_GREATERT;
-               else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
-                       comp = FR_LESSTE;
-               else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
-                       comp = FR_GREATERTE;
-               else {
+               } else {
                        fprintf(stderr, "%d: unknown comparator (%s)\n",
                                        linenum, **seg);
                        return -1;
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
deleted file mode 100644 (file)
index a981fcb..0000000
+++ /dev/null
@@ -1,2225 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
-    defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
-    (__FreeBSD_version >= 220000)
-# if (__FreeBSD_version >= 400000)
-#  ifndef KLD_MODULE
-#   include "opt_inet6.h"
-#  endif
-#  if (__FreeBSD_version == 400019)
-#   define CSUM_DELAY_DATA
-#  endif
-# endif
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
-# include <sys/systm.h>
-#else
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-#  include <sys/mbuf.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# if SOLARIS2 < 5
-#  include <sys/dditypes.h>
-# endif
-#  include <sys/stream.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-# include <sys/socket.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
-# include <sys/hashing.h>
-# include <netinet/in_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-# if !SOLARIS && defined(_KERNEL)
-#  include <netinet6/in6_var.h>
-# endif
-#endif
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-#  include <sys/malloc.h>
-#  if defined(_KERNEL) && !defined(IPFILTER_LKM)
-#   include "opt_ipfilter.h"
-#  endif
-# endif
-#ifndef        MIN
-# define       MIN(a,b)        (((a)<(b))?(a):(b))
-#endif
-#include "netinet/ipl.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fil.c        1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $";
-#endif
-
-#ifndef        _KERNEL
-# include "ipf.h"
-# include "ipt.h"
-extern int     opts;
-
-# define       FR_VERBOSE(verb_pr)                     verbose verb_pr
-# define       FR_DEBUG(verb_pr)                       debug verb_pr
-# define       IPLLOG(a, c, d, e)              ipflog(a, c, d, e)
-#else /* #ifndef _KERNEL */
-# define       FR_VERBOSE(verb_pr)
-# define       FR_DEBUG(verb_pr)
-# define       IPLLOG(a, c, d, e)              ipflog(a, c, d, e)
-# if SOLARIS || defined(__sgi)
-extern KRWLOCK_T       ipf_mutex, ipf_auth, ipf_nat;
-extern kmutex_t        ipf_rw;
-# endif /* SOLARIS || __sgi */
-#endif /* _KERNEL */
-
-
-struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
-struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#ifdef USE_INET6
-               *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
-               *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#endif
-               *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
-struct frgroup *ipfgroups[3][2];
-int    fr_flags = IPF_LOGGING;
-int    fr_active = 0;
-int    fr_chksrc = 0;
-int    fr_minttl = 3;
-int    fr_minttllog = 1;
-#if defined(IPFILTER_DEFAULT_BLOCK)
-int    fr_pass = FR_NOMATCH|FR_BLOCK;
-#else
-int    fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
-#endif
-char   ipfilter_version[] = IPL_VERSION;
-
-fr_info_t      frcache[2];
-
-static int     frflushlist __P((int, minor_t, int *, frentry_t **));
-#ifdef _KERNEL
-static void    frsynclist __P((frentry_t *));
-#endif
-
-
-/*
- * bit values for identifying presence of individual IP options
- */
-struct optlist ipopts[20] = {
-       { IPOPT_NOP,    0x000001 },
-       { IPOPT_RR,     0x000002 },
-       { IPOPT_ZSU,    0x000004 },
-       { IPOPT_MTUP,   0x000008 },
-       { IPOPT_MTUR,   0x000010 },
-       { IPOPT_ENCODE, 0x000020 },
-       { IPOPT_TS,     0x000040 },
-       { IPOPT_TR,     0x000080 },
-       { IPOPT_SECURITY, 0x000100 },
-       { IPOPT_LSRR,   0x000200 },
-       { IPOPT_E_SEC,  0x000400 },
-       { IPOPT_CIPSO,  0x000800 },
-       { IPOPT_SATID,  0x001000 },
-       { IPOPT_SSRR,   0x002000 },
-       { IPOPT_ADDEXT, 0x004000 },
-       { IPOPT_VISA,   0x008000 },
-       { IPOPT_IMITD,  0x010000 },
-       { IPOPT_EIP,    0x020000 },
-       { IPOPT_FINN,   0x040000 },
-       { 0,            0x000000 }
-};
-
-/*
- * bit values for identifying presence of individual IP security options
- */
-struct optlist secopt[8] = {
-       { IPSO_CLASS_RES4,      0x01 },
-       { IPSO_CLASS_TOPS,      0x02 },
-       { IPSO_CLASS_SECR,      0x04 },
-       { IPSO_CLASS_RES3,      0x08 },
-       { IPSO_CLASS_CONF,      0x10 },
-       { IPSO_CLASS_UNCL,      0x20 },
-       { IPSO_CLASS_RES2,      0x40 },
-       { IPSO_CLASS_RES1,      0x80 }
-};
-
-
-/*
- * compact the IP header into a structure which contains just the info.
- * which is useful for comparing IP headers with.
- */
-void   fr_makefrip(hlen, ip, fin)
-int hlen;
-ip_t *ip;
-fr_info_t *fin;
-{
-       u_short optmsk = 0, secmsk = 0, auth = 0;
-       int i, mv, ol, off, p, plen, v;
-       fr_ip_t *fi = &fin->fin_fi;
-       struct optlist *op;
-       u_char *s, opt;
-       tcphdr_t *tcp;
-
-       fin->fin_rev = 0;
-       fin->fin_fr = NULL;
-       fin->fin_tcpf = 0;
-       fin->fin_data[0] = 0;
-       fin->fin_data[1] = 0;
-       fin->fin_rule = -1;
-       fin->fin_group = -1;
-       fin->fin_icode = ipl_unreach;
-       v = fin->fin_v;
-       fi->fi_v = v;
-       fin->fin_hlen = hlen;
-       if (v == 4) {
-               fin->fin_id = ip->ip_id;
-               fi->fi_tos = ip->ip_tos;
-               off = (ip->ip_off & IP_OFFMASK);
-               tcp = (tcphdr_t *)((char *)ip + hlen);
-               (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
-               fi->fi_src.i6[1] = 0;
-               fi->fi_src.i6[2] = 0;
-               fi->fi_src.i6[3] = 0;
-               fi->fi_dst.i6[1] = 0;
-               fi->fi_dst.i6[2] = 0;
-               fi->fi_dst.i6[3] = 0;
-               fi->fi_saddr = ip->ip_src.s_addr;
-               fi->fi_daddr = ip->ip_dst.s_addr;
-               p = ip->ip_p;
-               fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
-               if (ip->ip_off & (IP_MF|IP_OFFMASK))
-                       fi->fi_fl |= FI_FRAG;
-               plen = ip->ip_len;
-               fin->fin_dlen = plen - hlen;
-       }
-#ifdef USE_INET6
-       else if (v == 6) {
-               ip6_t *ip6 = (ip6_t *)ip;
-
-               off = 0;
-               p = ip6->ip6_nxt;
-               fi->fi_p = p;
-               fi->fi_ttl = ip6->ip6_hlim;
-               tcp = (tcphdr_t *)(ip6 + 1);
-               fi->fi_src.in6 = ip6->ip6_src;
-               fi->fi_dst.in6 = ip6->ip6_dst;
-               fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
-               fi->fi_tos = 0;
-               fi->fi_fl = 0;
-               plen = ntohs(ip6->ip6_plen);
-               fin->fin_dlen = plen;
-               plen += sizeof(*ip6);
-       }
-#endif
-       else
-               return;
-
-       fin->fin_off = off;
-       fin->fin_plen = plen;
-       fin->fin_dp = (char *)tcp;
-       fin->fin_misc = 0;
-       off <<= 3;
-
-       switch (p)
-       {
-#ifdef USE_INET6
-       case IPPROTO_ICMPV6 :
-       {
-               int minicmpsz = sizeof(struct icmp6_hdr);
-               struct icmp6_hdr *icmp6;
-
-               if (fin->fin_dlen > 1) {
-                       fin->fin_data[0] = *(u_short *)tcp;
-
-                       icmp6 = (struct icmp6_hdr *)tcp;
-
-                       switch (icmp6->icmp6_type)
-                       {
-                       case ICMP6_ECHO_REPLY :
-                       case ICMP6_ECHO_REQUEST :
-                               minicmpsz = ICMP6_MINLEN;
-                               break;
-                       case ICMP6_DST_UNREACH :
-                       case ICMP6_PACKET_TOO_BIG :
-                       case ICMP6_TIME_EXCEEDED :
-                       case ICMP6_PARAM_PROB :
-                               minicmpsz = ICMP6ERR_IPICMPHLEN;
-                               break;
-                       default :
-                               break;
-                       }
-               }
-
-               if (!(plen >= minicmpsz))
-                       fi->fi_fl |= FI_SHORT;
-
-               break;
-       }
-#endif
-       case IPPROTO_ICMP :
-       {
-               int minicmpsz = sizeof(struct icmp);
-               icmphdr_t *icmp;
-
-               if (!off && (fin->fin_dlen > 1)) {
-                       fin->fin_data[0] = *(u_short *)tcp;
-
-                       icmp = (icmphdr_t *)tcp;
-
-                       switch (icmp->icmp_type)
-                       {
-                       case ICMP_ECHOREPLY :
-                       case ICMP_ECHO :
-                       /* Router discovery messages - RFC 1256 */
-                       case ICMP_ROUTERADVERT :
-                       case ICMP_ROUTERSOLICIT :
-                               minicmpsz = ICMP_MINLEN;
-                               break;
-                       /*
-                        * type(1) + code(1) + cksum(2) + id(2) seq(2) +
-                        * 3*timestamp(3*4)
-                        */
-                       case ICMP_TSTAMP :
-                       case ICMP_TSTAMPREPLY :
-                               minicmpsz = 20;
-                               break;
-                       /*
-                        * type(1) + code(1) + cksum(2) + id(2) seq(2) +
-                        * mask(4)
-                        */
-                       case ICMP_MASKREQ :
-                       case ICMP_MASKREPLY :
-                               minicmpsz = 12;
-                               break;
-                       default :
-                               break;
-                       }
-               }
-
-               if ((!(plen >= hlen + minicmpsz) && !off) ||
-                   (off && off < sizeof(struct icmp)))
-                       fi->fi_fl |= FI_SHORT;
-
-               break;
-       }
-       case IPPROTO_TCP :
-               fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
-               if (v == 6) {
-                       if (plen < sizeof(struct tcphdr))
-                               fi->fi_fl |= FI_SHORT;
-               } else
-#endif
-               if (v == 4) {
-                       if ((!IPMINLEN(ip, tcphdr) && !off) ||
-                            (off && off < sizeof(struct tcphdr)))
-                               fi->fi_fl |= FI_SHORT;
-               }
-               if (!(fi->fi_fl & FI_SHORT) && !off)
-                       fin->fin_tcpf = tcp->th_flags;
-               goto getports;
-       case IPPROTO_UDP :
-               fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
-               if (v == 6) {
-                       if (plen < sizeof(struct udphdr))
-                               fi->fi_fl |= FI_SHORT;
-               } else
-#endif
-               if (v == 4) {
-                       if ((!IPMINLEN(ip, udphdr) && !off) ||
-                           (off && off < sizeof(struct udphdr)))
-                               fi->fi_fl |= FI_SHORT;
-               }
-getports:
-               if (!off && (fin->fin_dlen > 3)) {
-                       fin->fin_data[0] = ntohs(tcp->th_sport);
-                       fin->fin_data[1] = ntohs(tcp->th_dport);
-               }
-               break;
-       case IPPROTO_ESP :
-#ifdef USE_INET6
-               if (v == 6) {
-                       if (plen < 8)
-                               fi->fi_fl |= FI_SHORT;
-               } else
-#endif
-               if (v == 4) {
-                       if (((ip->ip_len < hlen + 8) && !off) ||
-                           (off && off < 8))
-                               fi->fi_fl |= FI_SHORT;
-               }
-               break;
-       default :
-               break;
-       }
-
-#ifdef USE_INET6
-       if (v == 6) {
-               fi->fi_optmsk = 0;
-               fi->fi_secmsk = 0;
-               fi->fi_auth = 0;
-               return;
-       }
-#endif
-
-       for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
-               opt = *s;
-               if (opt == '\0')
-                       break;
-               else if (opt == IPOPT_NOP)
-                       ol = 1;
-               else {
-                       if (hlen < 2)
-                               break;
-                       ol = (int)*(s + 1);
-                       if (ol < 2 || ol > hlen)
-                               break;
-               }
-               for (i = 9, mv = 4; mv >= 0; ) {
-                       op = ipopts + i;
-                       if (opt == (u_char)op->ol_val) {
-                               optmsk |= op->ol_bit;
-                               if (opt == IPOPT_SECURITY) {
-                                       struct optlist *sp;
-                                       u_char  sec;
-                                       int j, m;
-
-                                       sec = *(s + 2); /* classification */
-                                       for (j = 3, m = 2; m >= 0; ) {
-                                               sp = secopt + j;
-                                               if (sec == sp->ol_val) {
-                                                       secmsk |= sp->ol_bit;
-                                                       auth = *(s + 3);
-                                                       auth *= 256;
-                                                       auth += *(s + 4);
-                                                       break;
-                                               }
-                                               if (sec < sp->ol_val)
-                                                       j -= m--;
-                                               else
-                                                       j += m--;
-                                       }
-                               }
-                               break;
-                       }
-                       if (opt < op->ol_val)
-                               i -= mv--;
-                       else
-                               i += mv--;
-               }
-               hlen -= ol;
-               s += ol;
-       }
-       if (auth && !(auth & 0x0100))
-               auth &= 0xff00;
-       fi->fi_optmsk = optmsk;
-       fi->fi_secmsk = secmsk;
-       fi->fi_auth = auth;
-}
-
-
-/*
- * check an IP packet for TCP/UDP characteristics such as ports and flags.
- */
-int fr_tcpudpchk(ft, fin)
-frtuc_t *ft;
-fr_info_t *fin;
-{
-       register u_short po, tup;
-       register char i;
-       register int err = 1;
-
-       /*
-        * Both ports should *always* be in the first fragment.
-        * So far, I cannot find any cases where they can not be.
-        *
-        * compare destination ports
-        */
-       if ((i = (int)ft->ftu_dcmp)) {
-               po = ft->ftu_dport;
-               tup = fin->fin_data[1];
-               /*
-                * Do opposite test to that required and
-                * continue if that succeeds.
-                */
-               if (!--i && tup != po) /* EQUAL */
-                       err = 0;
-               else if (!--i && tup == po) /* NOTEQUAL */
-                       err = 0;
-               else if (!--i && tup >= po) /* LESSTHAN */
-                       err = 0;
-               else if (!--i && tup <= po) /* GREATERTHAN */
-                       err = 0;
-               else if (!--i && tup > po) /* LT or EQ */
-                       err = 0;
-               else if (!--i && tup < po) /* GT or EQ */
-                       err = 0;
-               else if (!--i &&           /* Out of range */
-                        (tup >= po && tup <= ft->ftu_dtop))
-                       err = 0;
-               else if (!--i &&           /* In range */
-                        (tup <= po || tup >= ft->ftu_dtop))
-                       err = 0;
-       }
-       /*
-        * compare source ports
-        */
-       if (err && (i = (int)ft->ftu_scmp)) {
-               po = ft->ftu_sport;
-               tup = fin->fin_data[0];
-               if (!--i && tup != po)
-                       err = 0;
-               else if (!--i && tup == po)
-                       err = 0;
-               else if (!--i && tup >= po)
-                       err = 0;
-               else if (!--i && tup <= po)
-                       err = 0;
-               else if (!--i && tup > po)
-                       err = 0;
-               else if (!--i && tup < po)
-                       err = 0;
-               else if (!--i &&           /* Out of range */
-                        (tup >= po && tup <= ft->ftu_stop))
-                       err = 0;
-               else if (!--i &&           /* In range */
-                        (tup <= po || tup >= ft->ftu_stop))
-                       err = 0;
-       }
-
-       /*
-        * If we don't have all the TCP/UDP header, then how can we
-        * expect to do any sort of match on it ?  If we were looking for
-        * TCP flags, then NO match.  If not, then match (which should
-        * satisfy the "short" class too).
-        */
-       if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
-               if (fin->fin_fl & FI_SHORT)
-                       return !(ft->ftu_tcpf | ft->ftu_tcpfm);
-               /*
-                * Match the flags ?  If not, abort this match.
-                */
-               if (ft->ftu_tcpfm &&
-                   ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
-                       FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
-                                ft->ftu_tcpfm, ft->ftu_tcpf));
-                       err = 0;
-               }
-       }
-       return err;
-}
-
-/*
- * Check the input/output list of rules for a match and result.
- * Could be per interface, but this gets real nasty when you don't have
- * kernel sauce.
- */
-int fr_scanlist(passin, ip, fin, m)
-u_32_t passin;
-ip_t *ip;
-register fr_info_t *fin;
-void *m;
-{
-       register struct frentry *fr;
-       register fr_ip_t *fi = &fin->fin_fi;
-       int rulen, portcmp = 0, off, skip = 0, logged = 0;
-       u_32_t pass, passt, passl;
-       frentry_t *frl;
-
-       frl = NULL;
-       pass = passin;
-       fr = fin->fin_fr;
-       fin->fin_fr = NULL;
-       off = fin->fin_off;
-
-       if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
-               portcmp = 1;
-
-       for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
-               if (skip) {
-                       FR_VERBOSE(("%d (%#x)\n", skip, fr->fr_flags));
-                       skip--;
-                       continue;
-               }
-               /*
-                * In all checks below, a null (zero) value in the
-                * filter struture is taken to mean a wildcard.
-                *
-                * check that we are working for the right interface
-                */
-#ifdef _KERNEL
-# if   (BSD >= 199306)
-               if (fin->fin_out != 0) {
-                       if ((fr->fr_oifa &&
-                            (fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif)))
-                               continue;
-               }
-# endif
-#else
-               if (opts & (OPT_VERBOSE|OPT_DEBUG))
-                       printf("\n");
-#endif
-
-               FR_VERBOSE(("%c", fr->fr_skip ? 's' :
-                                 (pass & FR_PASS) ? 'p' : 
-                                 (pass & FR_AUTH) ? 'a' :
-                                 (pass & FR_ACCOUNT) ? 'A' :
-                                 (pass & FR_NOMATCH) ? 'n' : 'b'));
-
-               if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
-                       continue;
-
-               FR_VERBOSE((":i"));
-               {
-                       register u_32_t *ld, *lm, *lip;
-                       register int i;
-
-                       lip = (u_32_t *)fi;
-                       lm = (u_32_t *)&fr->fr_mip;
-                       ld = (u_32_t *)&fr->fr_ip;
-                       i = ((*lip & *lm) != *ld);
-                       FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
-                                  *lip, *lm, *ld));
-                       if (i)
-                               continue;
-                       /*
-                        * We now know whether the packet version and the
-                        * rule version match, along with protocol, ttl and
-                        * tos.
-                        */
-                       lip++, lm++, ld++;
-                       /*
-                        * Unrolled loops (4 each, for 32 bits).
-                        */
-                       FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
-                                  *lip, *lm, *ld));
-                       i |= ((*lip++ & *lm++) != *ld++) << 5;
-                       if (fi->fi_v == 6) {
-                               FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 5;
-                               FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 5;
-                               FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 5;
-                       } else {
-                               lip += 3;
-                               lm += 3;
-                               ld += 3;
-                       }
-                       i ^= (fr->fr_flags & FR_NOTSRCIP);
-                       if (i)
-                               continue;
-                       FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
-                                  *lip, *lm, *ld));
-                       i |= ((*lip++ & *lm++) != *ld++) << 6;
-                       if (fi->fi_v == 6) {
-                               FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 6;
-                               FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 6;
-                               FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
-                                          *lip, *lm, *ld));
-                               i |= ((*lip++ & *lm++) != *ld++) << 6;
-                       } else {
-                               lip += 3;
-                               lm += 3;
-                               ld += 3;
-                       }
-                       i ^= (fr->fr_flags & FR_NOTDSTIP);
-                       if (i)
-                               continue;
-                       FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
-                                  *lip, *lm, *ld));
-                       i |= ((*lip++ & *lm++) != *ld++);
-                       FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
-                                  *lip, *lm, *ld));
-                       i |= ((*lip & *lm) != *ld);
-                       if (i)
-                               continue;
-               }
-
-               /*
-                * If a fragment, then only the first has what we're looking
-                * for here...
-                */
-               if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
-                                fr->fr_tcpfm))
-                       continue;
-               if (fi->fi_fl & FI_TCPUDP) {
-                       if (!fr_tcpudpchk(&fr->fr_tuc, fin))
-                               continue;
-               } else if (fr->fr_icmpm || fr->fr_icmp) {
-                       if (((fi->fi_p != IPPROTO_ICMP) &&
-                           (fi->fi_p != IPPROTO_ICMPV6)) || off ||
-                           (fin->fin_dlen < 2))
-                               continue;
-                       if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
-                               FR_DEBUG(("i. %#x & %#x != %#x\n",
-                                        fin->fin_data[0], fr->fr_icmpm,
-                                        fr->fr_icmp));
-                               continue;
-                       }
-               }
-               FR_VERBOSE(("*"));
-
-               if (fr->fr_flags & FR_NOMATCH) {
-                       passt = passl;
-                       passl = passin;
-                       fin->fin_fr = frl;
-                       frl = NULL;
-                       if (fr->fr_flags & FR_QUICK)
-                               break;
-                       continue;
-               }
-
-               passl = passt;
-               passt = fr->fr_flags;
-               frl = fin->fin_fr;
-               fin->fin_fr = fr;
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
-               if (securelevel <= 0)
-#endif
-                       if ((passt & FR_CALLNOW) && fr->fr_func)
-                               passt = (*fr->fr_func)(passt, ip, fin);
-#ifdef  IPFILTER_LOG
-               /*
-                * Just log this packet...
-                */
-               if ((passt & FR_LOGMASK) == FR_LOG) {
-                       if (!IPLLOG(passt, ip, fin, m)) {
-                               if (passt & FR_LOGORBLOCK)
-                                       passt |= FR_BLOCK|FR_QUICK;
-                               ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
-                       }
-                       ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
-                       logged = 1;
-               }
-#endif /* IPFILTER_LOG */
-               ATOMIC_INCL(fr->fr_hits);
-               if (passt & FR_ACCOUNT)
-                       fr->fr_bytes += (U_QUAD_T)ip->ip_len;
-               else
-                       fin->fin_icode = fr->fr_icode;
-               fin->fin_rule = rulen;
-               fin->fin_group = fr->fr_group;
-               if (fr->fr_grp != NULL) {
-                       fin->fin_fr = fr->fr_grp;
-                       passt = fr_scanlist(passt, ip, fin, m);
-                       if (fin->fin_fr == NULL) {
-                               fin->fin_rule = rulen;
-                               fin->fin_group = fr->fr_group;
-                               fin->fin_fr = fr;
-                       }
-                       if (passt & FR_DONTCACHE)
-                               logged = 1;
-               }
-               if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
-                       pass = passt;
-               FR_DEBUG(("pass %#x\n", pass));
-               if (passt & FR_QUICK)
-                       break;
-       }
-       if (logged)
-               pass |= FR_DONTCACHE;
-       pass |= (fi->fi_fl << 24);
-       return pass;
-}
-
-
-/*
- * frcheck - filter check
- * check using source and destination addresses/ports in a packet whether
- * or not to pass it on or not.
- */
-int fr_check(ip, hlen, ifp, out
-#if defined(_KERNEL) && SOLARIS
-, qif, mp)
-qif_t *qif;
-#else
-, mp)
-#endif
-mb_t **mp;
-ip_t *ip;
-int hlen;
-void *ifp;
-int out;
-{
-       /*
-        * The above really sucks, but short of writing a diff
-        */
-       fr_info_t frinfo, *fc;
-       register fr_info_t *fin = &frinfo;
-       int changed, error = EHOSTUNREACH, v = ip->ip_v;
-       frentry_t *fr = NULL, *list;
-       u_32_t pass, apass;
-#if !SOLARIS || !defined(_KERNEL)
-       register mb_t *m = *mp;
-#endif
-
-#ifdef _KERNEL
-       int p, len, drop = 0, logit = 0;
-       mb_t *mc = NULL;
-# if !defined(__SVR4) && !defined(__svr4__)
-#  ifdef __sgi
-       char hbuf[128];
-#  endif
-       int up;
-
-#  if !SOLARIS && !defined(NETBSD_PF) && \
-      ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
-       defined(__OpenBSD__) || defined(_BSDI_VERSION))
-       if (fr_checkp != fr_check && fr_running > 0) {
-               static int counter = 0;
-
-               if (counter == 0) {
-                       printf("WARNING: fr_checkp corrupt: value %lx\n",
-                               (u_long)fr_checkp);
-                       printf("WARNING: fr_checkp should be %lx\n",
-                               (u_long)fr_check);
-                       printf("WARNING: fixing fr_checkp\n");
-               }
-               fr_checkp = fr_check;
-               counter++;
-               if (counter == 10000)
-                       counter = 0;
-       }
-#  endif
-
-#  ifdef M_CANFASTFWD
-       /*
-        * XXX For now, IP Filter and fast-forwarding of cached flows
-        * XXX are mutually exclusive.  Eventually, IP Filter should
-        * XXX get a "can-fast-forward" filter rule.
-        */
-       m->m_flags &= ~M_CANFASTFWD;
-#  endif /* M_CANFASTFWD */
-#  ifdef CSUM_DELAY_DATA
-       /*
-        * disable delayed checksums.
-        */
-       if ((out != 0) && (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA)) {
-               in_delayed_cksum(m);
-               m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
-       }
-#  endif /* CSUM_DELAY_DATA */
-
-# ifdef        USE_INET6
-       if (v == 6) {
-               len = ntohs(((ip6_t*)ip)->ip6_plen);
-               if (!len)
-                       return -1;      /* potential jumbo gram */
-               len += sizeof(ip6_t);
-               p = ((ip6_t *)ip)->ip6_nxt;
-       } else
-# endif
-       {
-               p = ip->ip_p;
-               len = ip->ip_len;
-       }
-
-       if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
-           (v == 4 && p == IPPROTO_ICMP)
-# ifdef USE_INET6
-           || (v == 6 && p == IPPROTO_ICMPV6)
-# endif
-          )) {
-               int plen = 0;
-
-               if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
-                       switch(p)
-                       {
-                       case IPPROTO_TCP:
-                               plen = sizeof(tcphdr_t);
-                               break;
-                       case IPPROTO_UDP:
-                               plen = sizeof(udphdr_t);
-                               break;
-                       /* 96 - enough for complete ICMP error IP header */
-                       case IPPROTO_ICMP:
-                               plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
-                               break;
-                       case IPPROTO_ESP:
-                               plen = 8;
-                               break;
-# ifdef USE_INET6
-                       case IPPROTO_ICMPV6 :
-                               /*
-                                * XXX does not take intermediate header
-                                * into account
-                                */
-                               plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
-                               break;
-# endif
-                       }
-               up = MIN(hlen + plen, len);
-
-               if (up > m->m_len) {
-#  ifdef __sgi
-       /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
-                       if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
-                               ATOMIC_INCL(frstats[out].fr_pull[1]);
-                               return -1;
-                       }
-                       m_copydata(m, 0, up, hbuf);
-                       ATOMIC_INCL(frstats[out].fr_pull[0]);
-                       ip = (ip_t *)hbuf;
-#  else /* __ sgi */
-#   ifndef linux
-                       if ((*mp = m_pullup(m, up)) == 0) {
-                               ATOMIC_INCL(frstats[out].fr_pull[1]);
-                               return -1;
-                       } else {
-                               ATOMIC_INCL(frstats[out].fr_pull[0]);
-                               m = *mp;
-                               ip = mtod(m, ip_t *);
-                       }
-#   endif /* !linux */
-#  endif /* __sgi */
-               } else
-                       up = 0;
-       } else
-               up = 0;
-# endif /* !defined(__SVR4) && !defined(__svr4__) */
-# if SOLARIS
-       mb_t *m = qif->qf_m;
-
-       if ((u_int)ip & 0x3)
-               return 2;
-       fin->fin_qfm = m;
-       fin->fin_qif = qif;
-# endif
-#endif /* _KERNEL */
-       
-       changed = 0;
-       fin->fin_ifp = ifp;
-       fin->fin_v = v;
-       fin->fin_out = out;
-       fin->fin_mp = mp;
-       fr_makefrip(hlen, ip, fin);
-
-#ifdef _KERNEL
-# ifdef        USE_INET6
-       if (v == 6) {
-               ATOMIC_INCL(frstats[0].fr_ipv6[out]);
-               if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
-                       ATOMIC_INCL(frstats[0].fr_badttl);
-                       if (fr_minttllog & 1)
-                               logit = -3;
-                       if (fr_minttllog & 2)
-                               drop = 1;
-               }
-       } else
-# endif
-       if (!out) {
-               if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
-                       ATOMIC_INCL(frstats[0].fr_badsrc);
-                       if (fr_chksrc & 1)
-                               drop = 1;
-                       if (fr_chksrc & 2)
-                               logit = -2;
-               } else if (ip->ip_ttl < fr_minttl) {
-                       ATOMIC_INCL(frstats[0].fr_badttl);
-                       if (fr_minttllog & 1)
-                               logit = -3;
-                       if (fr_minttllog & 2)
-                               drop = 1;
-               }
-       }
-       if (drop) {
-# ifdef        IPFILTER_LOG
-               if (logit) {
-                       fin->fin_group = logit;
-                       pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
-                       (void) IPLLOG(pass, ip, fin, m);
-               }
-# endif
-# if !SOLARIS
-               m_freem(m);
-# endif
-               return error;
-       }
-#endif
-       pass = fr_pass;
-       if (fin->fin_fl & FI_SHORT) {
-               ATOMIC_INCL(frstats[out].fr_short);
-       }
-
-       READ_ENTER(&ipf_mutex);
-
-       /*
-        * Check auth now.  This, combined with the check below to see if apass
-        * is 0 is to ensure that we don't count the packet twice, which can
-        * otherwise occur when we reprocess it.  As it is, we only count it
-        * after it has no auth. table matchup.  This also stops NAT from
-        * occuring until after the packet has been auth'd.
-        */
-       apass = fr_checkauth(ip, fin);
-
-       if (!out) {
-#ifdef USE_INET6
-               if (v == 6)
-                       list = ipacct6[0][fr_active];
-               else
-#endif
-                       list = ipacct[0][fr_active];
-               changed = ip_natin(ip, fin);
-               if (!apass && (fin->fin_fr = list) &&
-                   (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
-                       ATOMIC_INCL(frstats[0].fr_acct);
-               }
-       }
-
-       if (!apass) {
-               if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
-                       fr = ipfr_knownfrag(ip, fin);
-               if (!fr && !(fin->fin_fl & FI_SHORT))
-                       fr = fr_checkstate(ip, fin);
-               if (fr != NULL)
-                       pass = fr->fr_flags;
-               if (fr && (pass & FR_LOGFIRST))
-                       pass &= ~(FR_LOGFIRST|FR_LOG);
-       }
-
-       if (apass || !fr) {
-               /*
-                * If a packet is found in the auth table, then skip checking
-                * the access lists for permission but we do need to consider
-                * the result as if it were from the ACL's.
-                */
-               if (!apass) {
-                       fc = frcache + out;
-                       if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
-                               /*
-                                * copy cached data so we can unlock the mutex
-                                * earlier.
-                                */
-                               bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
-                               ATOMIC_INCL(frstats[out].fr_chit);
-                               if ((fr = fin->fin_fr)) {
-                                       ATOMIC_INCL(fr->fr_hits);
-                                       pass = fr->fr_flags;
-                               }
-                       } else {
-#ifdef USE_INET6
-                               if (v == 6)
-                                       list = ipfilter6[out][fr_active];
-                               else
-#endif
-                                       list = ipfilter[out][fr_active];
-                               if ((fin->fin_fr = list))
-                                       pass = fr_scanlist(fr_pass, ip, fin, m);
-                               if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
-                                       bcopy((char *)fin, (char *)fc,
-                                             FI_COPYSIZE);
-                               if (pass & FR_NOMATCH) {
-                                       ATOMIC_INCL(frstats[out].fr_nom);
-                                       fin->fin_fr = NULL;
-                               }
-                       }
-               } else
-                       pass = apass;
-               fr = fin->fin_fr;
-
-               /*
-                * If we fail to add a packet to the authorization queue,
-                * then we drop the packet later.  However, if it was added
-                * then pretend we've dropped it already.
-                */
-               if ((pass & FR_AUTH)) {
-                       if (fr_newauth((mb_t *)m, fin, ip) != 0) {
-                               m = *mp = NULL;
-                               error = 0;
-                       } else
-                               error = ENOSPC;
-               }
-
-               if (pass & FR_PREAUTH) {
-                       READ_ENTER(&ipf_auth);
-                       if ((fin->fin_fr = ipauth) &&
-                           (pass = fr_scanlist(0, ip, fin, m))) {
-                               ATOMIC_INCL(fr_authstats.fas_hits);
-                       } else {
-                               ATOMIC_INCL(fr_authstats.fas_miss);
-                       }
-                       RWLOCK_EXIT(&ipf_auth);
-               }
-
-               fin->fin_fr = fr;
-               if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
-                       if (fin->fin_fl & FI_FRAG) {
-                               if (ipfr_newfrag(ip, fin) == -1) {
-                                       ATOMIC_INCL(frstats[out].fr_bnfr);
-                               } else {
-                                       ATOMIC_INCL(frstats[out].fr_nfr);
-                               }
-                       } else {
-                               ATOMIC_INCL(frstats[out].fr_cfr);
-                       }
-               }
-               if (pass & FR_KEEPSTATE) {
-                       if (fr_addstate(ip, fin, NULL, 0) == NULL) {
-                               ATOMIC_INCL(frstats[out].fr_bads);
-                       } else {
-                               ATOMIC_INCL(frstats[out].fr_ads);
-                       }
-               }
-       } else if (fr != NULL) {
-               pass = fr->fr_flags;
-               if (pass & FR_LOGFIRST)
-                       pass &= ~(FR_LOGFIRST|FR_LOG);
-       }
-
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
-       if (securelevel <= 0)
-#endif
-               if (fr && fr->fr_func && !(pass & FR_CALLNOW))
-                       pass = (*fr->fr_func)(pass, ip, fin);
-
-       /*
-        * Only count/translate packets which will be passed on, out the
-        * interface.
-        */
-       if (out && (pass & FR_PASS)) {
-#ifdef USE_INET6
-               if (v == 6)
-                       list = ipacct6[1][fr_active];
-               else
-#endif
-                       list = ipacct[1][fr_active];
-               if (list != NULL) {
-                       u_32_t sg, sr;
-
-                       fin->fin_fr = list;
-                       sg = fin->fin_group;
-                       sr = fin->fin_rule;
-                       if (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT) {
-                               ATOMIC_INCL(frstats[1].fr_acct);
-                       }
-                       fin->fin_group = sg;
-                       fin->fin_rule = sr;
-                       fin->fin_fr = fr;
-               }
-               changed = ip_natout(ip, fin);
-       } else
-               fin->fin_fr = fr;
-       RWLOCK_EXIT(&ipf_mutex);
-
-#ifdef IPFILTER_LOG
-       if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
-               if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
-                       pass |= FF_LOGNOMATCH;
-                       ATOMIC_INCL(frstats[out].fr_npkl);
-                       goto logit;
-               } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
-                   ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
-                       if ((pass & FR_LOGMASK) != FR_LOGP)
-                               pass |= FF_LOGPASS;
-                       ATOMIC_INCL(frstats[out].fr_ppkl);
-                       goto logit;
-               } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
-                          ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
-                       if ((pass & FR_LOGMASK) != FR_LOGB)
-                               pass |= FF_LOGBLOCK;
-                       ATOMIC_INCL(frstats[out].fr_bpkl);
-logit:
-                       if (!IPLLOG(pass, ip, fin, m)) {
-                               ATOMIC_INCL(frstats[out].fr_skip);
-                               if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
-                                   (FR_PASS|FR_LOGORBLOCK))
-                                       pass ^= FR_PASS|FR_BLOCK;
-                       }
-               }
-       }
-#endif /* IPFILTER_LOG */
-
-#ifdef _KERNEL
-       /*
-        * Only allow FR_DUP to work if a rule matched - it makes no sense to
-        * set FR_DUP as a "default" as there are no instructions about where
-        * to send the packet.
-        */
-       if (fr && (pass & FR_DUP))
-# if   SOLARIS
-               mc = dupmsg(m);
-# else
-#  if defined(__OpenBSD__) && (OpenBSD >= 199905)
-               mc = m_copym2(m, 0, M_COPYALL, M_DONTWAIT);
-#  else
-               mc = m_copy(m, 0, M_COPYALL);
-#  endif
-# endif
-#endif
-       if (pass & FR_PASS) {
-               ATOMIC_INCL(frstats[out].fr_pass);
-       } else if (pass & FR_BLOCK) {
-               ATOMIC_INCL(frstats[out].fr_block);
-               /*
-                * Should we return an ICMP packet to indicate error
-                * status passing through the packet filter ?
-                * WARNING: ICMP error packets AND TCP RST packets should
-                * ONLY be sent in repsonse to incoming packets.  Sending them
-                * in response to outbound packets can result in a panic on
-                * some operating systems.
-                */
-               if (!out) {
-                       if (changed == -1)
-                               /*
-                                * If a packet results in a NAT error, do not
-                                * send a reset or ICMP error as it may disrupt
-                                * an existing flow.  This is the proxy saying
-                                * the content is bad so just drop the packet
-                                * silently.
-                                */
-                               ;
-                       else if (pass & FR_RETICMP) {
-                               int dst;
-
-                               if ((pass & FR_RETMASK) == FR_FAKEICMP)
-                                       dst = 1;
-                               else
-                                       dst = 0;
-                               send_icmp_err(ip, ICMP_UNREACH, fin, dst);
-                               ATOMIC_INCL(frstats[0].fr_ret);
-                       } else if (((pass & FR_RETMASK) == FR_RETRST) &&
-                                  !(fin->fin_fl & FI_SHORT)) {
-                               if (send_reset(ip, fin) == 0) {
-                                       ATOMIC_INCL(frstats[1].fr_ret);
-                               }
-                       }
-               } else {
-                       if (pass & FR_RETRST)
-                               error = ECONNRESET;
-               }
-       }
-
-       /*
-        * If we didn't drop off the bottom of the list of rules (and thus
-        * the 'current' rule fr is not NULL), then we may have some extra
-        * instructions about what to do with a packet.
-        * Once we're finished return to our caller, freeing the packet if
-        * we are dropping it (* BSD ONLY *).
-        */
-       if ((changed == -1) && (pass & FR_PASS)) {
-               pass &= ~FR_PASS;
-               pass |= FR_BLOCK;
-       }
-#if defined(_KERNEL)
-# if !SOLARIS
-#  if !defined(linux)
-       if (fr) {
-               frdest_t *fdp = &fr->fr_tif;
-
-               if (((pass & FR_FASTROUTE) && !out) ||
-                   (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
-                       (void) ipfr_fastroute(m, mp, fin, fdp);
-                       m = *mp;
-               }
-
-               if (mc != NULL)
-                       (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
-       }
-
-       if (!(pass & FR_PASS) && m) {
-               m_freem(m);
-               m = *mp = NULL;
-       }
-#   ifdef __sgi
-       else if (changed && up && m)
-               m_copyback(m, 0, up, hbuf);
-#   endif
-#  endif /* !linux */
-# else /* !SOLARIS */
-       if (fr) {
-               frdest_t *fdp = &fr->fr_tif;
-
-               if (((pass & FR_FASTROUTE) && !out) ||
-                   (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
-                       (void) ipfr_fastroute(ip, m, mp, fin, fdp);
-
-               if (mc != NULL)
-                       (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
-       }
-# endif /* !SOLARIS */
-       return (pass & FR_PASS) ? 0 : error;
-#else /* _KERNEL */
-       if (pass & FR_NOMATCH)
-               return 1;
-       if (pass & FR_PASS)
-               return 0;
-       if (pass & FR_AUTH)
-               return -2;
-       if ((pass & FR_RETMASK) == FR_RETRST)
-               return -3;
-       if ((pass & FR_RETMASK) == FR_RETICMP)
-               return -4;
-       if ((pass & FR_RETMASK) == FR_FAKEICMP)
-               return -5;
-       return -1;
-#endif /* _KERNEL */
-}
-
-
-/*
- * ipf_cksum
- * addr should be 16bit aligned and len is in bytes.
- * length is in bytes
- */
-u_short ipf_cksum(addr, len)
-register u_short *addr;
-register int len;
-{
-       register u_32_t sum = 0;
-
-       for (sum = 0; len > 1; len -= 2)
-               sum += *addr++;
-
-       /* mop up an odd byte, if necessary */
-       if (len == 1)
-               sum += *(u_char *)addr;
-
-       /*
-        * add back carry outs from top 16 bits to low 16 bits
-        */
-       sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
-       sum += (sum >> 16);                     /* add carry */
-       return (u_short)(~sum);
-}
-
-
-/*
- * NB: This function assumes we've pullup'd enough for all of the IP header
- * and the TCP header.  We also assume that data blocks aren't allocated in
- * odd sizes.
- */
-u_short fr_tcpsum(m, ip, tcp)
-mb_t *m;
-ip_t *ip;
-tcphdr_t *tcp;
-{
-       u_short *sp, slen, ts;
-       u_int sum, sum2;
-       int hlen;
-
-       /*
-        * Add up IP Header portion
-        */
-       hlen = ip->ip_hl << 2;
-       slen = ip->ip_len - hlen;
-       sum = htons((u_short)ip->ip_p);
-       sum += htons(slen);
-       sp = (u_short *)&ip->ip_src;
-       sum += *sp++;   /* ip_src */
-       sum += *sp++;
-       sum += *sp++;   /* ip_dst */
-       sum += *sp++;
-       ts = tcp->th_sum;
-       tcp->th_sum = 0;
-#ifdef KERNEL
-# if SOLARIS
-       sum2 = ip_cksum(m, hlen, sum);  /* hlen == offset */
-       sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-       sum2 = ~sum2 & 0xffff;
-# else /* SOLARIS */
-#  if defined(BSD) || defined(sun)
-#   if BSD >= 199306
-       m->m_data += hlen;
-#   else
-       m->m_off += hlen;
-#   endif
-       m->m_len -= hlen;
-       sum2 = in_cksum(m, slen);
-       m->m_len += hlen;
-#   if BSD >= 199306
-       m->m_data -= hlen;
-#   else
-       m->m_off -= hlen;
-#   endif
-       /*
-        * Both sum and sum2 are partial sums, so combine them together.
-        */
-       sum = (sum & 0xffff) + (sum >> 16);
-       sum = ~sum & 0xffff;
-       sum2 += sum;
-       sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-#  else /* defined(BSD) || defined(sun) */
-{
-       union {
-               u_char  c[2];
-               u_short s;
-       } bytes;
-       u_short len = ip->ip_len;
-# if defined(__sgi)
-       int add;
-# endif
-
-       /*
-        * Add up IP Header portion
-        */
-       sp = (u_short *)&ip->ip_src;
-       len -= (ip->ip_hl << 2);
-       sum = ntohs(IPPROTO_TCP);
-       sum += htons(len);
-       sum += *sp++;   /* ip_src */
-       sum += *sp++;
-       sum += *sp++;   /* ip_dst */
-       sum += *sp++;
-       if (sp != (u_short *)tcp)
-               sp = (u_short *)tcp;
-       sum += *sp++;   /* sport */
-       sum += *sp++;   /* dport */
-       sum += *sp++;   /* seq */
-       sum += *sp++;
-       sum += *sp++;   /* ack */
-       sum += *sp++;
-       sum += *sp++;   /* off */
-       sum += *sp++;   /* win */
-       sum += *sp++;   /* Skip over checksum */
-       sum += *sp++;   /* urp */
-
-# ifdef        __sgi
-       /*
-        * In case we had to copy the IP & TCP header out of mbufs,
-        * skip over the mbuf bits which are the header
-        */
-       if ((caddr_t)ip != mtod(m, caddr_t)) {
-               hlen = (caddr_t)sp - (caddr_t)ip;
-               while (hlen) {
-                       add = MIN(hlen, m->m_len);
-                       sp = (u_short *)(mtod(m, caddr_t) + add);
-                       hlen -= add;
-                       if (add == m->m_len) {
-                               m = m->m_next;
-                               if (!hlen) {
-                                       if (!m)
-                                               break;
-                                       sp = mtod(m, u_short *);
-                               }
-                               PANIC((!m),("fr_tcpsum(1): not enough data"));
-                       }
-               }
-       }
-# endif
-
-       if (!(len -= sizeof(*tcp)))
-               goto nodata;
-       while (len > 1) {
-               if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
-                       m = m->m_next;
-                       PANIC((!m),("fr_tcpsum(2): not enough data"));
-                       sp = mtod(m, u_short *);
-               }
-               if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
-                       bytes.c[0] = *(u_char *)sp;
-                       m = m->m_next;
-                       PANIC((!m),("fr_tcpsum(3): not enough data"));
-                       sp = mtod(m, u_short *);
-                       bytes.c[1] = *(u_char *)sp;
-                       sum += bytes.s;
-                       sp = (u_short *)((u_char *)sp + 1);
-               }
-               if ((u_long)sp & 1) {
-                       bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
-                       sum += bytes.s;
-               } else
-                       sum += *sp++;
-               len -= 2;
-       }
-       if (len)
-               sum += ntohs(*(u_char *)sp << 8);
-nodata:
-       while (sum > 0xffff)
-               sum = (sum & 0xffff) + (sum >> 16);
-       sum2 = (u_short)(~sum & 0xffff);
-}
-#  endif /*  defined(BSD) || defined(sun) */
-# endif /* SOLARIS */
-#else /* KERNEL */
-       for (; slen > 1; slen -= 2)
-               sum += *sp++;
-       if (slen)
-               sum += ntohs(*(u_char *)sp << 8);
-       while (sum > 0xffff)
-               sum = (sum & 0xffff) + (sum >> 16);
-       sum2 = (u_short)(~sum & 0xffff);
-#endif /* KERNEL */
-       tcp->th_sum = ts;
-       return sum2;
-}
-
-
-#if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
-/*
- * Copyright (c) 1982, 1986, 1988, 1991, 1993
- *     The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *     This product includes software developed by the University of
- *     California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *     @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
- */
-/*
- * Copy data from an mbuf chain starting "off" bytes from the beginning,
- * continuing for "len" bytes, into the indicated buffer.
- */
-void
-m_copydata(m, off, len, cp)
-       register mb_t *m;
-       register int off;
-       register int len;
-       caddr_t cp;
-{
-       register unsigned count;
-
-       if (off < 0 || len < 0)
-               panic("m_copydata");
-       while (off > 0) {
-               if (m == 0)
-                       panic("m_copydata");
-               if (off < m->m_len)
-                       break;
-               off -= m->m_len;
-               m = m->m_next;
-       }
-       while (len > 0) {
-               if (m == 0)
-                       panic("m_copydata");
-               count = MIN(m->m_len - off, len);
-               bcopy(mtod(m, caddr_t) + off, cp, count);
-               len -= count;
-               cp += count;
-               off = 0;
-               m = m->m_next;
-       }
-}
-
-
-# ifndef linux
-/*
- * Copy data from a buffer back into the indicated mbuf chain,
- * starting "off" bytes from the beginning, extending the mbuf
- * chain if necessary.
- */
-void
-m_copyback(m0, off, len, cp)
-       struct  mbuf *m0;
-       register int off;
-       register int len;
-       caddr_t cp;
-{
-       register int mlen;
-       register struct mbuf *m = m0, *n;
-       int totlen = 0;
-
-       if (m0 == 0)
-               return;
-       while (off > (mlen = m->m_len)) {
-               off -= mlen;
-               totlen += mlen;
-               if (m->m_next == 0) {
-                       n = m_getclr(M_DONTWAIT, m->m_type);
-                       if (n == 0)
-                               goto out;
-                       n->m_len = min(MLEN, len + off);
-                       m->m_next = n;
-               }
-               m = m->m_next;
-       }
-       while (len > 0) {
-               mlen = min (m->m_len - off, len);
-               bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
-               cp += mlen;
-               len -= mlen;
-               mlen += off;
-               off = 0;
-               totlen += mlen;
-               if (len == 0)
-                       break;
-               if (m->m_next == 0) {
-                       n = m_get(M_DONTWAIT, m->m_type);
-                       if (n == 0)
-                               break;
-                       n->m_len = min(MLEN, len);
-                       m->m_next = n;
-               }
-               m = m->m_next;
-       }
-out:
-#if 0
-       if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
-               m->m_pkthdr.len = totlen;
-#endif
-       return;
-}
-# endif /* linux */
-#endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
-
-
-frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
-u_32_t num, flags;
-minor_t which;
-int set;
-frgroup_t ***fgpp;
-{
-       frgroup_t *fg, **fgp;
-
-       if (which == IPL_LOGAUTH)
-               fgp = &ipfgroups[2][set];
-       else if (flags & FR_ACCOUNT)
-               fgp = &ipfgroups[1][set];
-       else if (flags & (FR_OUTQUE|FR_INQUE))
-               fgp = &ipfgroups[0][set];
-       else
-               return NULL;
-
-       while ((fg = *fgp))
-               if (fg->fg_num == num)
-                       break;
-               else
-                       fgp = &fg->fg_next;
-       if (fgpp)
-               *fgpp = fgp;
-       return fg;
-}
-
-
-frgroup_t *fr_addgroup(num, fp, which, set)
-u_32_t num;
-frentry_t *fp;
-minor_t which;
-int set;
-{
-       frgroup_t *fg, **fgp;
-
-       if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
-               return fg;
-
-       KMALLOC(fg, frgroup_t *);
-       if (fg) {
-               fg->fg_num = num;
-               fg->fg_next = *fgp;
-               fg->fg_head = fp;
-               fg->fg_start = &fp->fr_grp;
-               *fgp = fg;
-       }
-       return fg;
-}
-
-
-void fr_delgroup(num, flags, which, set)
-u_32_t num, flags;
-minor_t which;
-int set;
-{
-       frgroup_t *fg, **fgp;
-       if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
-               return;
-       *fgp = fg->fg_next;
-       KFREE(fg);
-}
-
-
-
-/*
- * recursively flush rules from the list, descending groups as they are
- * encountered.  if a rule is the head of a group and it has lost all its
- * group members, then also delete the group reference.
- */
-static int frflushlist(set, unit, nfreedp, listp)
-int set;
-minor_t unit;
-int *nfreedp;
-frentry_t **listp;
-{
-       register int freed = 0, i;
-       register frentry_t *fp;
-
-       while ((fp = *listp)) {
-               *listp = fp->fr_next;
-               if (fp->fr_grp) {
-                       i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
-                       MUTEX_ENTER(&ipf_rw);
-                       fp->fr_ref -= i;
-                       MUTEX_EXIT(&ipf_rw);
-               }
-
-               ATOMIC_DEC32(fp->fr_ref);
-               if (fp->fr_grhead) {
-                       fr_delgroup(fp->fr_grhead, fp->fr_flags, 
-                                   unit, set);
-                       fp->fr_grhead = 0;
-               }
-               if (fp->fr_ref == 0) {
-                       KFREE(fp);
-                       freed++;
-               } else
-                       fp->fr_next = NULL;
-       }
-       *nfreedp += freed;
-       return freed;
-}
-
-
-int frflush(unit, proto, flags)
-minor_t unit;
-int proto, flags;
-{
-       int flushed = 0, set;
-
-       if (unit != IPL_LOGIPF)
-               return 0;
-       WRITE_ENTER(&ipf_mutex);
-       bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
-       set = fr_active;
-       if (flags & FR_INACTIVE)
-               set = 1 - set;
-
-       if (flags & FR_OUTQUE) {
-#ifdef USE_INET6
-               if (proto == 0 || proto == 6) {
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipfilter6[1][set]);
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipacct6[1][set]);
-               }
-#endif
-               if (proto == 0 || proto == 4) {
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipfilter[1][set]);
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipacct[1][set]);
-               }
-       }
-       if (flags & FR_INQUE) {
-#ifdef USE_INET6
-               if (proto == 0 || proto == 6) {
-                       (void) frflushlist(set, unit,
-                                           &flushed, &ipfilter6[0][set]);
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipacct6[0][set]);
-               }
-#endif
-               if (proto == 0 || proto == 4) {
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipfilter[0][set]);
-                       (void) frflushlist(set, unit,
-                                          &flushed, &ipacct[0][set]);
-               }
-       }
-       RWLOCK_EXIT(&ipf_mutex);
-       return flushed;
-}
-
-
-char *memstr(src, dst, slen, dlen)
-char *src, *dst;
-int slen, dlen;
-{
-       char *s = NULL;
-
-       while (dlen >= slen) {
-               if (bcmp(src, dst, slen) == 0) {
-                       s = dst;
-                       break;
-               }
-               dst++;
-               dlen--;
-       }
-       return s;
-}
-
-
-void fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
-{
-       frentry_t *fp;
-       int rules = 0, rn = 0;
-
-       for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
-               ;
-
-       if (!fp)
-               return;
-
-       for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
-               if (fp->fr_skip && (rn + fp->fr_skip >= rules))
-                       fp->fr_skip += addremove;
-}
-
-
-#ifdef _KERNEL
-/*
- * count consecutive 1's in bit mask.  If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int    countbits(ip)
-u_32_t ip;
-{
-       u_32_t  ipn;
-       int     cnt = 0, i, j;
-
-       ip = ipn = ntohl(ip);
-       for (i = 32; i; i--, ipn *= 2)
-               if (ipn & 0x80000000)
-                       cnt++;
-               else
-                       break;
-       ipn = 0;
-       for (i = 32, j = cnt; i; i--, j--) {
-               ipn *= 2;
-               if (j > 0)
-                       ipn++;
-       }
-       if (ipn == ip)
-               return cnt;
-       return -1;
-}
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
-{
-# ifdef        USE_INET6
-       struct in6_addr *inp6 = NULL;
-# endif
-# if SOLARIS
-       ill_t *ill = ifptr;
-# else
-       struct ifnet *ifp = ifptr;
-# endif
-       struct in_addr in;
-
-# if SOLARIS
-#  ifdef       USE_INET6
-       if (v == 6) {
-               struct in6_addr in6;
-
-               /*
-                * First is always link local.
-                */
-               if (ill->ill_ipif->ipif_next)
-                       in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
-               else
-                       bzero((char *)&in6, sizeof(in6));
-               bcopy((char *)&in6, (char *)inp, sizeof(in6));
-       } else
-#  endif
-       {
-               in.s_addr = ill->ill_ipif->ipif_local_addr;
-               *inp = in;
-       }
-# else /* SOLARIS */
-#  if linux
-       ;
-#  else /* linux */
-       struct sockaddr_in *sin;
-       struct ifaddr *ifa;
-
-#   if (__FreeBSD_version >= 300000)
-       ifa = TAILQ_FIRST(&ifp->if_addrhead);
-#   else
-#    if defined(__NetBSD__) || defined(__OpenBSD__)
-       ifa = ifp->if_addrlist.tqh_first;
-#    else
-#     if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
-       ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
-#     else
-       ifa = ifp->if_addrlist;
-#     endif
-#    endif /* __NetBSD__ || __OpenBSD__ */
-#   endif /* __FreeBSD_version >= 300000 */
-#   if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
-       sin = (struct sockaddr_in *)&ifa->ifa_addr;
-#   else
-       sin = (struct sockaddr_in *)ifa->ifa_addr;
-       while (sin && ifa) {
-               if ((v == 4) && (sin->sin_family == AF_INET))
-                       break;
-#    ifdef USE_INET6
-               if ((v == 6) && (sin->sin_family == AF_INET6)) {
-                       inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
-                       if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
-                           !IN6_IS_ADDR_LOOPBACK(inp6))
-                               break;
-               }
-#    endif
-#    if        (__FreeBSD_version >= 300000)
-               ifa = TAILQ_NEXT(ifa, ifa_link);
-#    else
-#     if defined(__NetBSD__) || defined(__OpenBSD__)
-               ifa = ifa->ifa_list.tqe_next;
-#     else
-               ifa = ifa->ifa_next;
-#     endif
-#    endif /* __FreeBSD_version >= 300000 */
-               if (ifa)
-                       sin = (struct sockaddr_in *)ifa->ifa_addr;
-       }
-       if (ifa == NULL)
-               sin = NULL;
-       if (sin == NULL)
-               return -1;
-#   endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
-#    ifdef     USE_INET6
-       if (v == 6)
-               bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
-       else
-#    endif
-       {
-               in = sin->sin_addr;
-               *inp = in;
-       }
-#  endif /* linux */
-# endif /* SOLARIS */
-       return 0;
-}
-
-
-static void frsynclist(fr)
-register frentry_t *fr;
-{
-       for (; fr; fr = fr->fr_next) {
-               if (fr->fr_ifa != NULL) {
-                       fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_ip.fi_v);
-                       if (fr->fr_ifa == NULL)
-                               fr->fr_ifa = (void *)-1;
-               }
-               if (fr->fr_grp)
-                       frsynclist(fr->fr_grp);
-       }
-}
-
-
-void frsync()
-{
-# if !SOLARIS
-       register struct ifnet *ifp;
-
-#  if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
-     (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
-#   if (NetBSD >= 199905) || defined(__OpenBSD__)
-       for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
-#   else
-       for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
-#   endif
-#  else
-       for (ifp = ifnet; ifp; ifp = ifp->if_next)
-#  endif
-       {
-               ip_natsync(ifp);
-               ip_statesync(ifp);
-       }
-       ip_natsync((struct ifnet *)-1);
-# endif /* !SOLARIS */
-
-       WRITE_ENTER(&ipf_mutex);
-       frsynclist(ipacct[0][fr_active]);
-       frsynclist(ipacct[1][fr_active]);
-       frsynclist(ipfilter[0][fr_active]);
-       frsynclist(ipfilter[1][fr_active]);
-#ifdef USE_INET6
-       frsynclist(ipacct6[0][fr_active]);
-       frsynclist(ipacct6[1][fr_active]);
-       frsynclist(ipfilter6[0][fr_active]);
-       frsynclist(ipfilter6[1][fr_active]);
-#endif
-       RWLOCK_EXIT(&ipf_mutex);
-}
-
-
-/*
- * In the functions below, bcopy() is called because the pointer being
- * copied _from_ in this instance is a pointer to a char buf (which could
- * end up being unaligned) and on the kernel's local stack.
- */
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
-       caddr_t ca;
-       int err;
-
-#if SOLARIS
-       if (copyin(a, (char *)&ca, sizeof(ca)))
-               return EFAULT;
-#else
-       bcopy(a, &ca, sizeof(ca));
-#endif
-       err = copyin(ca, b, c);
-       if (err)
-               err = EFAULT;
-       return err;
-}
-
-
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
-       caddr_t ca;
-       int err;
-
-#if SOLARIS
-       if (copyin(b, (char *)&ca, sizeof(ca)))
-               return EFAULT;
-#else
-       bcopy(b, &ca, sizeof(ca));
-#endif
-       err = copyout(a, ca, c);
-       if (err)
-               err = EFAULT;
-       return err;
-}
-
-#else /* _KERNEL */
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
-{
-       return 0;
-}
-
-
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
-       caddr_t ca;
-
-       bcopy(a, &ca, sizeof(ca));
-       bcopy(ca, b, c);
-       return 0;
-}
-
-
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
-       caddr_t ca;
-
-       bcopy(b, &ca, sizeof(ca));
-       bcopy(a, ca, c);
-       return 0;
-}
-
-
-#endif
-
-
-int fr_lock(data, lockp)
-caddr_t data;
-int *lockp;
-{
-       int arg, error;
-
-       error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
-       if (!error) {
-               error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
-               if (!error)
-                       *lockp = arg;
-       }
-       return error;
-}
-
-
-void fr_getstat(fiop)
-friostat_t *fiop;
-{
-       bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
-       fiop->f_locks[0] = fr_state_lock;
-       fiop->f_locks[1] = fr_nat_lock;
-       fiop->f_locks[2] = fr_frag_lock;
-       fiop->f_locks[3] = fr_auth_lock;
-       fiop->f_fin[0] = ipfilter[0][0];
-       fiop->f_fin[1] = ipfilter[0][1];
-       fiop->f_fout[0] = ipfilter[1][0];
-       fiop->f_fout[1] = ipfilter[1][1];
-       fiop->f_acctin[0] = ipacct[0][0];
-       fiop->f_acctin[1] = ipacct[0][1];
-       fiop->f_acctout[0] = ipacct[1][0];
-       fiop->f_acctout[1] = ipacct[1][1];
-#ifdef USE_INET6
-       fiop->f_fin6[0] = ipfilter6[0][0];
-       fiop->f_fin6[1] = ipfilter6[0][1];
-       fiop->f_fout6[0] = ipfilter6[1][0];
-       fiop->f_fout6[1] = ipfilter6[1][1];
-       fiop->f_acctin6[0] = ipacct6[0][0];
-       fiop->f_acctin6[1] = ipacct6[0][1];
-       fiop->f_acctout6[0] = ipacct6[1][0];
-       fiop->f_acctout6[1] = ipacct6[1][1];
-#else
-       fiop->f_fin6[0] = NULL;
-       fiop->f_fin6[1] = NULL;
-       fiop->f_fout6[0] = NULL;
-       fiop->f_fout6[1] = NULL;
-       fiop->f_acctin6[0] = NULL;
-       fiop->f_acctin6[1] = NULL;
-       fiop->f_acctout6[0] = NULL;
-       fiop->f_acctout6[1] = NULL;
-#endif
-       fiop->f_active = fr_active;
-       fiop->f_froute[0] = ipl_frouteok[0];
-       fiop->f_froute[1] = ipl_frouteok[1];
-
-       fiop->f_running = fr_running;
-       fiop->f_groups[0][0] = ipfgroups[0][0];
-       fiop->f_groups[0][1] = ipfgroups[0][1];
-       fiop->f_groups[1][0] = ipfgroups[1][0];
-       fiop->f_groups[1][1] = ipfgroups[1][1];
-       fiop->f_groups[2][0] = ipfgroups[2][0];
-       fiop->f_groups[2][1] = ipfgroups[2][1];
-#ifdef  IPFILTER_LOG
-       fiop->f_logging = 1;
-#else
-       fiop->f_logging = 0;
-#endif
-       fiop->f_defpass = fr_pass;
-       strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
-}
-
-
-#ifdef USE_INET6
-int icmptoicmp6types[ICMP_MAXTYPE+1] = {
-       ICMP6_ECHO_REPLY,       /* 0: ICMP_ECHOREPLY */
-       -1,                     /* 1: UNUSED */
-       -1,                     /* 2: UNUSED */
-       ICMP6_DST_UNREACH,      /* 3: ICMP_UNREACH */
-       -1,                     /* 4: ICMP_SOURCEQUENCH */
-       ND_REDIRECT,            /* 5: ICMP_REDIRECT */
-       -1,                     /* 6: UNUSED */
-       -1,                     /* 7: UNUSED */
-       ICMP6_ECHO_REQUEST,     /* 8: ICMP_ECHO */
-       -1,                     /* 9: UNUSED */
-       -1,                     /* 10: UNUSED */
-       ICMP6_TIME_EXCEEDED,    /* 11: ICMP_TIMXCEED */
-       ICMP6_PARAM_PROB,       /* 12: ICMP_PARAMPROB */
-       -1,                     /* 13: ICMP_TSTAMP */
-       -1,                     /* 14: ICMP_TSTAMPREPLY */
-       -1,                     /* 15: ICMP_IREQ */
-       -1,                     /* 16: ICMP_IREQREPLY */
-       -1,                     /* 17: ICMP_MASKREQ */
-       -1,                     /* 18: ICMP_MASKREPLY */
-};
-
-
-int    icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
-       ICMP6_DST_UNREACH_ADDR,         /* 0: ICMP_UNREACH_NET */
-       ICMP6_DST_UNREACH_ADDR,         /* 1: ICMP_UNREACH_HOST */
-       -1,                             /* 2: ICMP_UNREACH_PROTOCOL */
-       ICMP6_DST_UNREACH_NOPORT,       /* 3: ICMP_UNREACH_PORT */
-       -1,                             /* 4: ICMP_UNREACH_NEEDFRAG */
-       ICMP6_DST_UNREACH_NOTNEIGHBOR,  /* 5: ICMP_UNREACH_SRCFAIL */
-       ICMP6_DST_UNREACH_ADDR,         /* 6: ICMP_UNREACH_NET_UNKNOWN */
-       ICMP6_DST_UNREACH_ADDR,         /* 7: ICMP_UNREACH_HOST_UNKNOWN */
-       -1,                             /* 8: ICMP_UNREACH_ISOLATED */
-       ICMP6_DST_UNREACH_ADMIN,        /* 9: ICMP_UNREACH_NET_PROHIB */
-       ICMP6_DST_UNREACH_ADMIN,        /* 10: ICMP_UNREACH_HOST_PROHIB */
-       -1,                             /* 11: ICMP_UNREACH_TOSNET */
-       -1,                             /* 12: ICMP_UNREACH_TOSHOST */
-       ICMP6_DST_UNREACH_ADMIN,        /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
-};
-#endif
-
-
-#ifndef        _KERNEL
-int mbuflen(buf)
-mb_t *buf;
-{
-       ip_t *ip;
-
-       ip = (ip_t *)buf;
-       return ip->ip_len;
-}
-#endif
index 4092ac4..e21af89 100644 (file)
@@ -99,7 +99,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)fils.c       1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.40 2002/12/06 11:40:20 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.45 2004/04/10 11:45:48 darrenr Exp $";
 #endif
 
 extern char    *optarg;
@@ -117,6 +117,9 @@ static      char    *filters[4] = { "ipfilter(in)", "ipfilter(out)",
 int    opts = 0;
 int    use_inet6 = 0;
 int    live_kernel = 1;
+int    state_fd = -1;
+int    auth_fd = -1;
+int    ipf_fd = -1;
 
 #ifdef STATETOP
 #define        STSTRSIZE       80
@@ -236,6 +239,21 @@ char *argv[];
                }
        optind = myoptind;
 
+       if (live_kernel == 1) {
+               if ((state_fd = open(IPL_STATE, O_RDONLY)) == -1) {
+                       perror("open");
+                       exit(-1);
+               }
+               if ((auth_fd = open(IPL_AUTH, O_RDONLY)) == -1) {
+                       perror("open");
+                       exit(-1);
+               }
+               if ((ipf_fd = open(device, O_RDONLY)) == -1) {
+                       perror("open");
+                       exit(-1);
+               }
+       }
+
        if (kern != NULL || memf != NULL)
        {
                (void)setuid(getuid());
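Review bot: The three open() calls added here run on every live-kernel invocation regardless of which statistics were requested, so a missing or unreadable IPL_STATE or IPL_AUTH node now aborts runs that would only have needed `device`. All three failures print the same `open: ...` message, which hides which node was at fault; naming the path would fix that, e.g. `perror(IPL_STATE);`, `perror(IPL_AUTH);` and `perror(device);`. The descriptors are also acquired before the `(void)setuid(getuid());` in the context below, whose return value is discarded, and they stay open for the life of the process. Opening first and dropping privileges afterwards is a sound order, but a comment should say it is intentional, and the setuid() result is worth checking. The enclosing function starts and ends outside this hunk.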
@@ -404,32 +422,20 @@ ipfrstat_t **ifrstpp;
 fr_authstat_t **frauthstpp;
 u_32_t *frfp;
 {
-       int fd;
-
-       if ((fd = open(device, O_RDONLY)) < 0) {
-               perror("open");
-               exit(-1);
-       }
 
-       if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, fiopp) == -1) {
+       if (!(opts & OPT_AUTHSTATS) && ioctl(ipf_fd, SIOCGETFS, fiopp) == -1) {
                perror("ioctl(ipf:SIOCGETFS)");
                exit(-1);
        }
 
        if ((opts & OPT_IPSTATES)) {
-               int     sfd = open(IPL_STATE, O_RDONLY);
-
-               if (sfd == -1) {
-                       perror("open");
-                       exit(-1);
-               }
-               if ((ioctl(sfd, SIOCGETFS, ipsstpp) == -1)) {
+               if ((ioctl(state_fd, SIOCGETFS, ipsstpp) == -1)) {
                        perror("ioctl(state:SIOCGETFS)");
                        exit(-1);
                }
-               close(sfd);
        }
-       if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, ifrstpp) == -1)) {
+       if ((opts & OPT_FRSTATES) &&
+           (ioctl(ipf_fd, SIOCGFRST, ifrstpp) == -1)) {
                perror("ioctl(SIOCGFRST)");
                exit(-1);
        }
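Review bot: After this change the function issues its ioctls on the process-wide `ipf_fd` and `state_fd` (and `auth_fd` in the next hunk) without checking that they were ever opened. The next hunk also makes it `return ipf_fd;`, so a caller that still closes the returned descriptor, as was reasonable when it was freshly opened here, would break every later ioctl on it. The descriptors are only opened in the startup code under `live_kernel == 1`; callers are not visible here, so if this function can be reached on another path the ioctls would fail with EBADF under a misleading message. I would document the precondition above the function, e.g. `/* uses ipf_fd, state_fd and auth_fd opened at startup; the returned fd is shared and must not be closed */`. The blank line left directly after the opening brace can be dropped. The function starts and ends outside this hunk.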
@@ -438,15 +444,15 @@ u_32_t *frfp;
                PRINTF("opts %#x name %s\n", opts, device);
 
        if ((opts & OPT_AUTHSTATS) &&
-           (ioctl(fd, SIOCATHST, frauthstpp) == -1)) {
+           (ioctl(auth_fd, SIOCATHST, frauthstpp) == -1)) {
                perror("ioctl(SIOCATHST)");
                exit(-1);
        }
 
-       if (ioctl(fd, SIOCGETFF, frfp) == -1)
+       if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1)
                perror("ioctl(SIOCGETFF)");
 
-       return fd;
+       return ipf_fd;
 }
 
 
@@ -691,10 +697,10 @@ u_32_t frf;
                        fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
        PRINTF(" log failures:\t\tinput %lu output %lu\n",
                        fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
-       PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
-                       fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
-       PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
-                       fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
+       PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
+                       fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr, fp->f_st[0].fr_cfr);
+       PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n",
+                       fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr, fp->f_st[1].fr_cfr);
        PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
                        fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
        PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
@@ -849,6 +855,8 @@ ips_stat_t *ipsp;
                        ipsp->iss_miss);
                PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
                        ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
+               PRINTF("\t%lu logged\n\t%lu log failures\n",
+                       ipsp->iss_logged, ipsp->iss_logfail);
                PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
                        ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
                return;
@@ -875,7 +883,7 @@ void showqiflist(kern)
 char *kern;
 {
        struct nlist qifnlist[2] = {
-               { "qif_head" },
+               { "_qif_head" },
                { NULL }
        };
        qif_t qif, *qf;
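Review bot: The lookup name changes to `"_qif_head"` with no comment explaining why. Whether an nlist-style lookup needs the leading underscore depends on how the target kernel's symbol table spells the name, so a reader cannot tell whether this is a fix for one platform or a regression for another. A one-line comment above the initializer would settle it, e.g. `/* symbol name as it appears in the kernel symbol table (leading underscore required here) */`. The code that checks whether the symbol was resolved lies outside this hunk, so it is worth confirming that a failed lookup is reported rather than dereferenced.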
@@ -926,7 +934,7 @@ int topclosed;
 {
        char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
        int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
-       int i, j, sfd, winx, tsentry, maxx, maxy, redraw = 0;
+       int i, j, winx, tsentry, maxx, maxy, redraw = 0;
        ipstate_t *istab[IPSTATE_SIZE], ips;
        ips_stat_t ipsst, *ipsstp = &ipsst;
        statetop_t *tstable = NULL, *tp;
@@ -941,12 +949,6 @@ int topclosed;
        fd_set readfd;
 #endif
 
-       /* open state device */
-       if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) {
-               perror("open");
-               exit(-1);
-       }
-
        /* init ncurses stuff */
        initscr();
        cbreak();
@@ -961,7 +963,7 @@ int topclosed;
 
                /* get state table */
                bzero((char *)&ipsst, sizeof(&ipsst));
-               if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
+               if ((ioctl(state_fd, SIOCGETFS, &ipsstp) == -1)) {
                        perror("ioctl(SIOCGETFS)");
                        exit(-1);
                }
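Review bot: The context line `bzero((char *)&ipsst, sizeof(&ipsst));` just above the changed ioctl clears only pointer-size bytes, because `sizeof(&ipsst)` is the size of a pointer rather than of the `ips_stat_t` object. The rest of the structure stays uninitialised on each pass through the loop, and the commit touches the neighbouring line without correcting it. It should read `bzero((char *)&ipsst, sizeof(ipsst));`. Separately, `state_fd` is now only opened at startup under `live_kernel == 1`, whereas the removed code opened the state device unconditionally in this function; if this path can run with `live_kernel` unset, the ioctl will fail with EBADF. The enclosing loop and function extend beyond this hunk.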
@@ -1246,8 +1248,6 @@ int topclosed;
                }
        } /* while */
 
-       close(sfd);
-
        printw("\n");
        nocbreak();
        endwin();
@@ -1279,6 +1279,7 @@ ipfrstat_t *ifsp;
        /*
         * Print out the contents (if any) of the fragment cache table.
         */
+       PRINTF("\n");
        for (i = 0; i < IPFT_SIZE; i++)
                while (ipfrtab[i]) {
                        if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
@@ -1287,11 +1288,11 @@ ipfrstat_t *ifsp;
                        PRINTF("%s -> ", hostname(4, &ifr.ipfr_src));
                        if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
                                    sizeof(fr)) == -1)
-                               break;
-                       PRINTF("%s %d %d %d %#02x = %#x\n",
-                               hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
-                               ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
-                               fr.fr_flags);
+                               break; 
+                       PRINTF("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = fl %#x\n",
+                               hostname(4, &ifr.ipfr_dst), ntohs(ifr.ipfr_id),
+                               ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_seen0, 
+                               ifr.ipfr_ifp, ifr.ipfr_tos, fr.fr_flags);
                        ipfrtab[i] = ifr.ipfr_next;
                }
        if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
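Review bot: The new PRINTF passes `ifr.ipfr_ifp` to `%p`, which requires a `void *` argument. The declaration of `ipfr_ifp` is not visible here, so if it is any other pointer type the call should cast it, `(void *)ifr.ipfr_ifp`, to keep the varargs call well defined. The value printed is a kernel address copied out through kmemcpy(), so it appears verbatim in the tool's output; that is acceptable for a privileged diagnostic, but worth a short comment so nobody later forwards this output to unprivileged consumers. The hunk also introduces trailing whitespace after `break;` and after `ifr.ipfr_seen0,`, and the format-string line runs past 80 columns, which conflicts with the style(9) cleanup named in the commit message. The surrounding loop starts outside this hunk.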
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
deleted file mode 100644 (file)
index 604d754..0000000
+++ /dev/null
@@ -1,660 +0,0 @@
-/*
- * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-#  include <sys/mbuf.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-#  include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
-# include <sys/queue.h>
-#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
-# include <machine/cpu.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef        KERNEL
-# define       KERNEL
-# define       NOT_KERNEL
-#endif
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#ifdef NOT_KERNEL
-# undef        KERNEL
-#endif
-#ifdef __sgi
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#  include <sys/hashing.h>
-# endif
-#endif
-#include <netinet/tcp.h>
-#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
-extern struct ifqueue   ipintrq;               /* ip packet input queue */
-#else
-# ifndef linux
-#  if __FreeBSD_version >= 300000
-#   include <net/if_var.h>
-#  endif
-#  include <netinet/in_var.h>
-#  include <netinet/tcp_fsm.h>
-# endif
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_auth.h"
-#if !SOLARIS && !defined(linux)
-# include <net/netisr.h>
-# ifdef __FreeBSD__
-#  include <machine/cpufunc.h>
-# endif
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
-#  include <sys/libkern.h>
-#  include <sys/systm.h>
-# endif
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $";
-#endif
-
-
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_auth, ipf_mutex;
-extern kmutex_t ipf_authmx;
-# if SOLARIS
-extern kcondvar_t ipfauthwait;
-# endif
-#endif
-#ifdef linux
-static struct wait_queue *ipfauthwait = NULL;
-#endif
-
-int    fr_authsize = FR_NUMAUTH;
-int    fr_authused = 0;
-int    fr_defaultauthage = 600;
-int    fr_auth_lock = 0;
-fr_authstat_t  fr_authstats;
-static frauth_t fr_auth[FR_NUMAUTH];
-mb_t   *fr_authpkts[FR_NUMAUTH];
-static int     fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
-static frauthent_t     *fae_list = NULL;
-frentry_t      *ipauth = NULL,
-               *fr_authlist = NULL;
-
-
-/*
- * Check if a packet has authorization.  If the packet is found to match an
- * authorization result and that would result in a feedback loop (i.e. it
- * will end up returning FR_AUTH) then return FR_BLOCK instead.
- */
-u_32_t fr_checkauth(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
-       u_short id = ip->ip_id;
-       frentry_t *fr;
-       frauth_t *fra;
-       u_32_t pass;
-       int i;
-
-       if (fr_auth_lock || !fr_authused)
-               return 0;
-
-       READ_ENTER(&ipf_auth);
-       for (i = fr_authstart; i != fr_authend; ) {
-               /*
-                * index becomes -2 only after an SIOCAUTHW.  Check this in
-                * case the same packet gets sent again and it hasn't yet been
-                * auth'd.
-                */
-               fra = fr_auth + i;
-               if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
-                   !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
-                       /*
-                        * Avoid feedback loop.
-                        */
-                       if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
-                               pass = FR_BLOCK;
-                       /*
-                        * Create a dummy rule for the stateful checking to
-                        * use and return.  Zero out any values we don't
-                        * trust from userland!
-                        */
-                       if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
-                            (fin->fin_fi.fi_fl & FI_FRAG))) {
-                               KMALLOC(fr, frentry_t *);
-                               if (fr) {
-                                       bcopy((char *)fra->fra_info.fin_fr,
-                                             fr, sizeof(*fr));
-                                       fr->fr_grp = NULL;
-                                       fr->fr_ifa = fin->fin_ifp;
-                                       fr->fr_func = NULL;
-                                       fr->fr_ref = 1;
-                                       fr->fr_flags = pass;
-#if BSD >= 199306
-                                       fr->fr_oifa = NULL;
-#endif
-                               }
-                       } else
-                               fr = fra->fra_info.fin_fr;
-                       fin->fin_fr = fr;
-                       RWLOCK_EXIT(&ipf_auth);
-                       WRITE_ENTER(&ipf_auth);
-                       if (fr && fr != fra->fra_info.fin_fr) {
-                               fr->fr_next = fr_authlist;
-                               fr_authlist = fr;
-                       }
-                       fr_authstats.fas_hits++;
-                       fra->fra_index = -1;
-                       fr_authused--;
-                       if (i == fr_authstart) {
-                               while (fra->fra_index == -1) {
-                                       i++;
-                                       fra++;
-                                       if (i == FR_NUMAUTH) {
-                                               i = 0;
-                                               fra = fr_auth;
-                                       }
-                                       fr_authstart = i;
-                                       if (i == fr_authend)
-                                               break;
-                               }
-                               if (fr_authstart == fr_authend) {
-                                       fr_authnext = 0;
-                                       fr_authstart = fr_authend = 0;
-                               }
-                       }
-                       RWLOCK_EXIT(&ipf_auth);
-                       return pass;
-               }
-               i++;
-               if (i == FR_NUMAUTH)
-                       i = 0;
-       }
-       fr_authstats.fas_miss++;
-       RWLOCK_EXIT(&ipf_auth);
-       return 0;
-}
-
-
-/*
- * Check if we have room in the auth array to hold details for another packet.
- * If we do, store it and wake up any user programs which are waiting to
- * hear about these events.
- */
-int fr_newauth(m, fin, ip)
-mb_t *m;
-fr_info_t *fin;
-ip_t *ip;
-{
-#if defined(_KERNEL) && SOLARIS
-       qif_t *qif = fin->fin_qif;
-#endif
-       frauth_t *fra;
-       int i;
-
-       if (fr_auth_lock)
-               return 0;
-
-       WRITE_ENTER(&ipf_auth);
-       if (fr_authstart > fr_authend) {
-               fr_authstats.fas_nospace++;
-               RWLOCK_EXIT(&ipf_auth);
-               return 0;
-       } else {
-               if (fr_authused == FR_NUMAUTH) {
-                       fr_authstats.fas_nospace++;
-                       RWLOCK_EXIT(&ipf_auth);
-                       return 0;
-               }
-       }
-
-       fr_authstats.fas_added++;
-       fr_authused++;
-       i = fr_authend++;
-       if (fr_authend == FR_NUMAUTH)
-               fr_authend = 0;
-       RWLOCK_EXIT(&ipf_auth);
-       fra = fr_auth + i;
-       fra->fra_index = i;
-       fra->fra_pass = 0;
-       fra->fra_age = fr_defaultauthage;
-       bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
-#if SOLARIS && defined(_KERNEL)
-# if !defined(sparc)
-       /*
-        * No need to copyback here as we want to undo the changes, not keep
-        * them.
-        */
-       if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
-       {
-               register u_short bo;
-
-               bo = ip->ip_len;
-               ip->ip_len = htons(bo);
-               bo = ip->ip_off;
-               ip->ip_off = htons(bo);
-       }
-# endif
-       m->b_rptr -= qif->qf_off;
-       fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
-       fra->fra_q = qif->qf_q;
-       cv_signal(&ipfauthwait);
-#else
-# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
-       if (fin->fin_out == 0) {
-               ip->ip_len = htons(ip->ip_len);
-               ip->ip_off = htons(ip->ip_off);
-       }
-# endif
-       fr_authpkts[i] = m;
-       WAKEUP(&fr_authnext);
-#endif
-       return 1;
-}
-
-
-int fr_auth_ioctl(data, mode, cmd)
-caddr_t data;
-int mode;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-u_long cmd;
-#else
-int cmd;
-#endif
-{
-       mb_t *m;
-#if defined(_KERNEL) && !SOLARIS
-       struct ifqueue *ifq;
-       int s;
-#endif
-       frauth_t auth, *au = &auth, *fra;
-       int i, error = 0;
-
-       switch (cmd)
-       {
-       case SIOCSTLCK :
-               if (!(mode & FWRITE)) {
-                       error = EPERM;
-                       break;
-               }
-               error = fr_lock(data, &fr_auth_lock);
-               break;
-       case SIOCINIFR :
-       case SIOCRMIFR :
-       case SIOCADIFR :
-               error = EINVAL;
-               break;
-       case SIOCINAFR :
-               error = EINVAL;
-               break;
-       case SIOCRMAFR :
-       case SIOCADAFR :
-               /* These commands go via request to fr_preauthcmd */
-               error = EINVAL;
-               break;
-       case SIOCATHST:
-               fr_authstats.fas_faelist = fae_list;
-               error = IWCOPYPTR((char *)&fr_authstats, data,
-                                  sizeof(fr_authstats));
-               break;
-       case SIOCAUTHW:
-               if (!(mode & FWRITE)) {
-                       error = EPERM;
-                       break;
-               }
-fr_authioctlloop:
-               READ_ENTER(&ipf_auth);
-               if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
-                       error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
-                                         sizeof(frauth_t));
-                       RWLOCK_EXIT(&ipf_auth);
-                       if (error)
-                               break;
-                       WRITE_ENTER(&ipf_auth);
-                       SPL_NET(s);
-                       fr_authnext++;
-                       if (fr_authnext == FR_NUMAUTH)
-                               fr_authnext = 0;
-                       SPL_X(s);
-                       RWLOCK_EXIT(&ipf_auth);
-                       return 0;
-               }
-               RWLOCK_EXIT(&ipf_auth);
-#ifdef _KERNEL
-# if   SOLARIS
-               mutex_enter(&ipf_authmx);
-               if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
-                       mutex_exit(&ipf_authmx);
-                       return EINTR;
-               }
-               mutex_exit(&ipf_authmx);
-# else
-               error = SLEEP(&fr_authnext, "fr_authnext");
-# endif
-#endif
-               if (!error)
-                       goto fr_authioctlloop;
-               break;
-       case SIOCAUTHR:
-               if (!(mode & FWRITE)) {
-                       error = EPERM;
-                       break;
-               }
-               error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
-               if (error)
-                       return error;
-               WRITE_ENTER(&ipf_auth);
-               SPL_NET(s);
-               i = au->fra_index;
-               fra = fr_auth + i;
-               if ((i < 0) || (i > FR_NUMAUTH) ||
-                   (fra->fra_info.fin_id != au->fra_info.fin_id)) {
-                       SPL_X(s);
-                       RWLOCK_EXIT(&ipf_auth);
-                       return EINVAL;
-               }
-               m = fr_authpkts[i];
-               fra->fra_index = -2;
-               fra->fra_pass = au->fra_pass;
-               fr_authpkts[i] = NULL;
-               RWLOCK_EXIT(&ipf_auth);
-#ifdef _KERNEL
-               if (m && au->fra_info.fin_out) {
-# if SOLARIS
-                       error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
-# else /* SOLARIS */
-                       struct route ro;
-
-                       bzero((char *)&ro, sizeof(ro));
-#  if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
-       defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605))
-                       error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
-                                         NULL);
-#  else
-                       error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
-#  endif
-                       if (ro.ro_rt) {
-                               RTFREE(ro.ro_rt);
-                       }
-# endif /* SOLARIS */
-                       if (error)
-                               fr_authstats.fas_sendfail++;
-                       else
-                               fr_authstats.fas_sendok++;
-               } else if (m) {
-# if SOLARIS
-                       error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
-# else /* SOLARIS */
-                       ifq = &ipintrq;
-                       if (IF_QFULL(ifq)) {
-                               IF_DROP(ifq);
-                               m_freem(m);
-                               error = ENOBUFS;
-                       } else {
-                               IF_ENQUEUE(ifq, m);
-#  if IRIX < 605
-                               schednetisr(NETISR_IP);
-#  endif
-                       }
-# endif /* SOLARIS */
-                       if (error)
-                               fr_authstats.fas_quefail++;
-                       else
-                               fr_authstats.fas_queok++;
-               } else
-                       error = EINVAL;
-# if SOLARIS
-               if (error)
-                       error = EINVAL;
-# else
-               /*
-                * If we experience an error which will result in the packet
-                * not being processed, make sure we advance to the next one.
-                */ 
-               if (error == ENOBUFS) {
-                       fr_authused--;
-                       fra->fra_index = -1;
-                       fra->fra_pass = 0;
-                       if (i == fr_authstart) {
-                               while (fra->fra_index == -1) {
-                                       i++;
-                                       if (i == FR_NUMAUTH)
-                                               i = 0;
-                                       fr_authstart = i;
-                                       if (i == fr_authend)
-                                               break;
-                               }
-                               if (fr_authstart == fr_authend) {
-                                       fr_authnext = 0;
-                                       fr_authstart = fr_authend = 0;
-                               }
-                       }
-               }
-# endif
-#endif /* _KERNEL */
-               SPL_X(s);
-               break;
-       default :
-               error = EINVAL;
-               break;
-       }
-       return error;
-}
-
-
-/*
- * Free all network buffer memory used to keep saved packets.
- */
-void fr_authunload()
-{
-       register int i;
-       register frauthent_t *fae, **faep;
-       frentry_t *fr, **frp;
-       mb_t *m;
-
-       WRITE_ENTER(&ipf_auth);
-       for (i = 0; i < FR_NUMAUTH; i++) {
-               if ((m = fr_authpkts[i])) {
-                       FREE_MB_T(m);
-                       fr_authpkts[i] = NULL;
-                       fr_auth[i].fra_index = -1;
-               }
-       }
-
-
-       for (faep = &fae_list; (fae = *faep); ) {
-               *faep = fae->fae_next;
-               KFREE(fae);
-       }
-       ipauth = NULL;
-       RWLOCK_EXIT(&ipf_auth);
-
-       if (fr_authlist) {
-               /*
-                * We *MuST* reget ipf_auth because otherwise we won't get the
-                * locks in the right order and risk deadlock.
-                * We need ipf_mutex here to prevent a rule from using it
-                * inside fr_check().
-                */
-               WRITE_ENTER(&ipf_mutex);
-               WRITE_ENTER(&ipf_auth);
-               for (frp = &fr_authlist; (fr = *frp); ) {
-                       if (fr->fr_ref == 1) {
-                               *frp = fr->fr_next;
-                               KFREE(fr);
-                       } else
-                               frp = &fr->fr_next;
-               }
-               RWLOCK_EXIT(&ipf_auth);
-               RWLOCK_EXIT(&ipf_mutex);
-       }
-}
-
-
-/*
- * Slowly expire held auth records.  Timeouts are set
- * in expectation of this being called twice per second.
- */
-void fr_authexpire()
-{
-       register int i;
-       register frauth_t *fra;
-       register frauthent_t *fae, **faep;
-       register frentry_t *fr, **frp;
-       mb_t *m;
-#if !SOLARIS && defined(_KERNEL)
-       int s;
-#endif
-
-       if (fr_auth_lock)
-               return;
-
-       SPL_NET(s);
-       WRITE_ENTER(&ipf_auth);
-       for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
-               if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
-                       FREE_MB_T(m);
-                       fr_authpkts[i] = NULL;
-                       fr_auth[i].fra_index = -1;
-                       fr_authstats.fas_expire++;
-                       fr_authused--;
-               }
-       }
-
-       for (faep = &fae_list; (fae = *faep); ) {
-               if (!--fae->fae_age) {
-                       *faep = fae->fae_next;
-                       KFREE(fae);
-                       fr_authstats.fas_expire++;
-               } else
-                       faep = &fae->fae_next;
-       }
-       if (fae_list != NULL)
-               ipauth = &fae_list->fae_fr;
-       else
-               ipauth = NULL;
-
-       for (frp = &fr_authlist; (fr = *frp); ) {
-               if (fr->fr_ref == 1) {
-                       *frp = fr->fr_next;
-                       KFREE(fr);
-               } else
-                       frp = &fr->fr_next;
-       }
-       RWLOCK_EXIT(&ipf_auth);
-       SPL_X(s);
-}
-
-int fr_preauthcmd(cmd, fr, frptr)
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
-       (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-u_long cmd;
-#else
-int cmd;
-#endif                 
-frentry_t *fr, **frptr;
-{
-       frauthent_t *fae, **faep;
-       int error = 0;
-#if defined(KERNEL) && !SOLARIS
-       int s;
-#endif
-
-       if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
-               /* Should not happen */
-               printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
-               return EIO;
-       }
-       
-       for (faep = &fae_list; (fae = *faep); )
-               if (&fae->fae_fr == fr)
-                       break;
-               else
-                       faep = &fae->fae_next;
-       if (cmd == SIOCRMAFR) {
-               if (!fr || !frptr)
-                       error = EINVAL;
-               else if (!fae)
-                       error = ESRCH;
-               else {
-                       WRITE_ENTER(&ipf_auth);
-                       SPL_NET(s);
-                       *faep = fae->fae_next;
-                       *frptr = fr->fr_next;
-                       SPL_X(s);
-                       RWLOCK_EXIT(&ipf_auth);
-                       KFREE(fae);
-               }
-       } else if (fr && frptr) {
-               KMALLOC(fae, frauthent_t *);
-               if (fae != NULL) {
-                       bcopy((char *)fr, (char *)&fae->fae_fr,
-                             sizeof(*fr));
-                       WRITE_ENTER(&ipf_auth);
-                       SPL_NET(s);
-                       fae->fae_age = fr_defaultauthage;
-                       fae->fae_fr.fr_hits = 0;
-                       fae->fae_fr.fr_next = *frptr;
-                       *frptr = &fae->fae_fr;
-                       fae->fae_next = *faep;
-                       *faep = fae;
-                       ipauth = &fae_list->fae_fr;
-                       SPL_X(s);
-                       RWLOCK_EXIT(&ipf_auth);
-               } else
-                       error = ENOMEM;
-       } else
-               error = EINVAL;
-       return error;
-}
diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h
deleted file mode 100644 (file)
index e0cbf04..0000000
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $
- *
- */
-#ifndef        __IP_AUTH_H__
-#define        __IP_AUTH_H__
-
-#define FR_NUMAUTH      32
-
-typedef struct  frauth {
-       int     fra_age;
-       int     fra_index;
-       u_32_t  fra_pass;
-       fr_info_t       fra_info;
-#if SOLARIS
-       queue_t *fra_q;
-#endif
-} frauth_t;
-
-typedef        struct  frauthent  {
-       struct  frentry fae_fr;
-       struct  frauthent       *fae_next;
-       u_long  fae_age;
-} frauthent_t;
-
-typedef struct  fr_authstat {
-       U_QUAD_T        fas_hits;
-       U_QUAD_T        fas_miss;
-       u_long          fas_nospace;
-       u_long          fas_added;
-       u_long          fas_sendfail;
-       u_long          fas_sendok;
-       u_long          fas_queok;
-       u_long          fas_quefail;
-       u_long          fas_expire;
-       frauthent_t     *fas_faelist;
-} fr_authstat_t;
-
-
-extern frentry_t       *ipauth;
-extern struct fr_authstat      fr_authstats;
-extern int     fr_defaultauthage;
-extern int     fr_authsize;
-extern int     fr_authused;
-extern int     fr_auth_lock;
-extern u_32_t  fr_checkauth __P((ip_t *, fr_info_t *));
-extern void    fr_authexpire __P((void));
-extern void    fr_authunload __P((void));
-extern mb_t    *fr_authpkts[];
-extern int     fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
-    (__FreeBSD_version >= 300003)
-extern int     fr_preauthcmd __P((u_long, frentry_t *, frentry_t **));
-extern int     fr_auth_ioctl __P((caddr_t, int, u_long));
-#else
-extern int     fr_preauthcmd __P((int, frentry_t *, frentry_t **));
-extern int     fr_auth_ioctl __P((caddr_t, int, int));
-#endif
-#endif /* __IP_AUTH_H__ */
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
deleted file mode 100644 (file)
index eeff5dc..0000000
+++ /dev/null
@@ -1,1383 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_compat.h     1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $
- * $DragonFly: src/contrib/ipfilter/Attic/ip_compat.h,v 1.4 2004/02/14 21:12:34 dillon Exp $
- */
-
-#ifndef        __IP_COMPAT_H__
-#define        __IP_COMPAT_H__
-
-#ifndef        __P
-# ifdef        __STDC__
-#  define      __P(x)  x
-# else
-#  define      __P(x)  ()
-# endif
-#endif
-#ifndef        __STDC__
-# undef                const
-# define       const
-#endif
-
-#ifndef        SOLARIS
-#define        SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#if SOLARIS
-# if !defined(SOLARIS2)
-#  define      SOLARIS2        3       /* Pick an old version */
-# endif
-# if SOLARIS2 >= 8
-#  ifndef      USE_INET6
-#   define     USE_INET6
-#  endif
-# else
-#  undef       USE_INET6
-# endif
-#endif
-#if defined(sun) && !(defined(__svr4__) || defined(__SVR4))
-# undef        USE_INET6
-#endif
-
-#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
-# undef        KERNEL
-# undef        _KERNEL
-# undef        __KERNEL__
-# define       KERNEL
-# define       _KERNEL
-# define       __KERNEL__
-#endif
-
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-#define index   strchr
-# if !defined(KERNEL)
-#  define      bzero(a,b)      memset(a,0,b)
-#  define      bcmp            memcmp
-#  define      bcopy(a,b,c)    memmove(b,a,c)
-# endif
-#endif
-
-#ifndef offsetof
-#define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-
-#if defined(__sgi) || defined(bsdi)
-struct  ether_addr {
-        u_char  ether_addr_octet[6];
-};
-#endif
-
-#ifndef        LIFNAMSIZ
-# ifdef        IF_NAMESIZE
-#  define      LIFNAMSIZ       IF_NAMESIZE
-# else
-#  ifdef       IFNAMSIZ
-#   define     LIFNAMSIZ       IFNAMSIZ
-#  else
-#   define     LIFNAMSIZ       16
-#  endif
-# endif
-#endif
-
-#if defined(__sgi) && !defined(IPFILTER_LKM)
-# ifdef __STDC__
-#  define IPL_EXTERN(ep) ipfilter##ep
-# else
-#  define IPL_EXTERN(ep) ipfilter/**/ep
-# endif
-#else
-# ifdef __STDC__
-#  define IPL_EXTERN(ep) ipl##ep
-# else
-#  define IPL_EXTERN(ep) ipl/**/ep
-# endif
-#endif
-
-#ifdef __sgi
-# include      <sys/debug.h>
-#endif
-
-#ifdef linux
-# include <sys/sysmacros.h>
-#endif
-
-/*
- * This is a workaround for <sys/uio.h> troubles on FreeBSD
- */
-#ifndef _KERNEL
-# define ADD_KERNEL
-# define _KERNEL_STRUCTURES
-#endif
-#ifdef __OpenBSD__
-struct file;
-#endif
-#include <sys/uio.h>
-#ifdef ADD_KERNEL
-# undef _KERNEL_STRUCTURES
-#endif
-
-#if    SOLARIS
-# define       MTYPE(m)        ((m)->b_datap->db_type)
-# if SOLARIS2 >= 4
-#  include     <sys/isa_defs.h>
-# endif
-# include      <sys/ioccom.h>
-# include      <sys/sysmacros.h>
-# include      <sys/kmem.h>
-/*
- * because Solaris 2 defines these in two places :-/
- */
-# undef        IPOPT_EOL
-# undef        IPOPT_NOP
-# undef        IPOPT_LSRR
-# undef        IPOPT_RR
-# undef        IPOPT_SSRR
-# ifndef       KERNEL
-#  define      _KERNEL
-#  undef       RES_INIT
-#  if SOLARIS2 >= 8
-#   include <netinet/ip6.h>
-#  endif
-#  include <inet/common.h>
-#  include <inet/ip.h>
-#  include <inet/ip_ire.h>
-#  undef       _KERNEL
-# else /* _KERNEL */
-#  if SOLARIS2 >= 8
-#   include <netinet/ip6.h>
-#  endif
-#  include <inet/common.h>
-#  include <inet/ip.h>
-#  include <inet/ip_ire.h>
-# endif /* _KERNEL */
-# if SOLARIS2 >= 8
-#  include <inet/ip_if.h>
-#  include <netinet/ip6.h>
-#  define      ipif_local_addr ipif_lcl_addr
-/* Only defined in private include file */
-#  ifndef      V4_PART_OF_V6
-#   define     V4_PART_OF_V6(v6)       v6.s6_addr32[3]
-#  endif
-# endif
-
-typedef        struct  qif     {
-       struct  qif     *qf_next;
-       ill_t   *qf_ill;
-       kmutex_t        qf_lock;
-       void    *qf_iptr;
-       void    *qf_optr;
-       queue_t *qf_in;
-       queue_t *qf_out;
-       struct  qinit   *qf_wqinfo;
-       struct  qinit   *qf_rqinfo;
-       struct  qinit   qf_wqinit;
-       struct  qinit   qf_rqinit;
-       mblk_t  *qf_m;  /* These three fields are for passing data up from */
-       queue_t *qf_q;  /* fr_qin and fr_qout to the packet processing. */
-       size_t  qf_off;
-       size_t  qf_len; /* this field is used for in ipfr_fastroute */
-       char    qf_name[LIFNAMSIZ];
-       /*
-        * in case the ILL has disappeared...
-        */
-       size_t  qf_hl;  /* header length */
-       int     qf_sap;
-# if SOLARIS2 >= 8
-       int     qf_tunoff;      /* tunnel offset */
-#endif
-       size_t  qf_incnt;
-       size_t  qf_outcnt;
-} qif_t;
-#else /* SOLARIS */
-# if !defined(__sgi)
-typedef         int    minor_t;
-# endif
-#endif /* SOLARIS */
-#define        IPMINLEN(i, h)  ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-
-#ifndef        IP_OFFMASK
-#define        IP_OFFMASK      0x1fff
-#endif
-
-#if    BSD > 199306
-# define       USE_QUAD_T
-# define       U_QUAD_T        u_quad_t
-# define       QUAD_T          quad_t
-#else /* BSD > 199306 */
-# define       U_QUAD_T        u_long
-# define       QUAD_T          long
-#endif /* BSD > 199306 */
-
-
-#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
-# include <sys/param.h>
-# ifndef __FreeBSD_version
-#  ifdef IPFILTER_LKM
-#   include <osreldate.h>
-#  else
-#   include <sys/osreldate.h>
-#  endif
-# endif
-# ifdef IPFILTER_LKM
-#  define       ACTUALLY_LKM_NOT_KERNEL
-# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version < 300000)
-#  include <machine/spl.h>
-# else
-#  if (__FreeBSD_version >= 300000) && (__FreeBSD_version < 400000)
-#   if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-#    define    ACTUALLY_LKM_NOT_KERNEL
-#   endif
-#  endif
-# endif
-#endif /* __FreeBSD__ && KERNEL */
-
-#if defined(__DragonFly__) && defined(_KERNEL)
-#include <sys/in_cksum.h>
-#endif
-
-/*
- * These operating systems already take care of the problem for us.
- */
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
-    defined(__sgi)
-typedef u_int32_t       u_32_t;
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-#  if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000)
-#   include "opt_inet.h"
-#  endif
-#  if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
-      !defined(KLD_MODULE)
-#   include "opt_inet6.h"
-#  endif
-#  ifdef INET6
-#   define USE_INET6     
-#  endif   
-# endif
-# if !defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(USE_INET6)
-#  if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \
-      (defined(OpenBSD) && (OpenBSD >= 200111)) || \
-      (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000))
-#   define USE_INET6
-#  endif
-# endif
-#else
-/*
- * Really, any arch where sizeof(long) != sizeof(int).
- */
-# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
-typedef unsigned int    u_32_t;
-# else
-#  if SOLARIS2 >= 6
-typedef        uint32_t        u_32_t;
-#  else
-typedef unsigned int   u_32_t;
-#  endif
-# endif
-#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
-
-#ifdef USE_INET6
-# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
-#  include <netinet/ip6.h>
-#  ifdef       _KERNEL
-#   include <netinet6/ip6_var.h>
-#  endif
-typedef        struct ip6_hdr  ip6_t;
-# endif
-# include <netinet/icmp6.h>
-union  i6addr  {
-       u_32_t  i6[4];
-       struct  in_addr in4;
-       struct  in6_addr in6;
-};
-#else
-union  i6addr  {
-       u_32_t  i6[4];
-       struct  in_addr in4;
-};
-#endif
-
-#define        IP6CMP(a,b)     bcmp((char *)&(a), (char *)&(b), sizeof(a))
-#define        IP6EQ(a,b)      (bcmp((char *)&(a), (char *)&(b), sizeof(a)) == 0)
-#define        IP6NEQ(a,b)     (bcmp((char *)&(a), (char *)&(b), sizeof(a)) != 0)
-#define        IP6_ISZERO(a)   ((((union i6addr *)(a))->i6[0] | \
-                         ((union i6addr *)(a))->i6[1] | \
-                         ((union i6addr *)(a))->i6[2] | \
-                         ((union i6addr *)(a))->i6[3]) == 0)
-#define        IP6_NOTZERO(a)  ((((union i6addr *)(a))->i6[0] | \
-                         ((union i6addr *)(a))->i6[1] | \
-                         ((union i6addr *)(a))->i6[2] | \
-                         ((union i6addr *)(a))->i6[3]) != 0)
-
-#ifndef        MAX
-#define        MAX(a,b)        (((a) > (b)) ? (a) : (b))
-#endif
-
-/*
- * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
- *
- * Basic Option
- *
- * 00000001   -   (Reserved 4)
- * 00111101   -   Top Secret
- * 01011010   -   Secret
- * 10010110   -   Confidential
- * 01100110   -   (Reserved 3)
- * 11001100   -   (Reserved 2)
- * 10101011   -   Unclassified
- * 11110001   -   (Reserved 1)
- */
-#define        IPSO_CLASS_RES4         0x01
-#define        IPSO_CLASS_TOPS         0x3d
-#define        IPSO_CLASS_SECR         0x5a
-#define        IPSO_CLASS_CONF         0x96
-#define        IPSO_CLASS_RES3         0x66
-#define        IPSO_CLASS_RES2         0xcc
-#define        IPSO_CLASS_UNCL         0xab
-#define        IPSO_CLASS_RES1         0xf1
-
-#define        IPSO_AUTH_GENSER        0x80
-#define        IPSO_AUTH_ESI           0x40
-#define        IPSO_AUTH_SCI           0x20
-#define        IPSO_AUTH_NSA           0x10
-#define        IPSO_AUTH_DOE           0x08
-#define        IPSO_AUTH_UN            0x06
-#define        IPSO_AUTH_FTE           0x01
-
-/*
- * IP option #defines
- */
-/*#define      IPOPT_RR        7 */
-#define        IPOPT_ZSU       10      /* ZSU */
-#define        IPOPT_MTUP      11      /* MTUP */
-#define        IPOPT_MTUR      12      /* MTUR */
-#define        IPOPT_ENCODE    15      /* ENCODE */
-/*#define      IPOPT_TS        68 */
-#define        IPOPT_TR        82      /* TR */
-/*#define      IPOPT_SECURITY  130 */
-/*#define      IPOPT_LSRR      131 */
-#define        IPOPT_E_SEC     133     /* E-SEC */
-#define        IPOPT_CIPSO     134     /* CIPSO */
-/*#define      IPOPT_SATID     136 */
-#ifndef        IPOPT_SID
-# define       IPOPT_SID       IPOPT_SATID
-#endif
-/*#define      IPOPT_SSRR      137 */
-#define        IPOPT_ADDEXT    147     /* ADDEXT */
-#define        IPOPT_VISA      142     /* VISA */
-#define        IPOPT_IMITD     144     /* IMITD */
-#define        IPOPT_EIP       145     /* EIP */
-#define        IPOPT_FINN      205     /* FINN */
-
-#ifndef        TCPOPT_WSCALE
-# define       TCPOPT_WSCALE   3
-#endif
-
-/*
- * Build some macros and #defines to enable the same code to compile anywhere
- * Well, that's the idea, anyway :-)
- */
-#if SOLARIS
-typedef mblk_t mb_t;
-# if SOLARIS2 >= 7
-#  ifdef lint
-#   define ALIGN32(ptr)    (ptr ? 0L : 0L)
-#   define ALIGN16(ptr)    (ptr ? 0L : 0L)
-#  else
-#   define ALIGN32(ptr)    (ptr)
-#   define ALIGN16(ptr)    (ptr)
-#  endif
-# endif
-#else
-typedef struct mbuf mb_t;
-#endif /* SOLARIS */
-
-#if !SOLARIS || (SOLARIS2 < 6) || !defined(KERNEL)
-# define       ATOMIC_INCL             ATOMIC_INC
-# define       ATOMIC_INC64            ATOMIC_INC
-# define       ATOMIC_INC32            ATOMIC_INC
-# define       ATOMIC_INC16            ATOMIC_INC
-# define       ATOMIC_DECL             ATOMIC_DEC
-# define       ATOMIC_DEC64            ATOMIC_DEC
-# define       ATOMIC_DEC32            ATOMIC_DEC
-# define       ATOMIC_DEC16            ATOMIC_DEC
-#endif
-#ifdef __sgi
-# define  hz HZ
-# include <sys/ksynch.h>
-# define       IPF_LOCK_PL     plhi
-# include <sys/sema.h>
-#undef kmutex_t
-typedef struct {
-       lock_t *l;
-       int pl;
-} kmutex_t;
-# undef        MUTEX_INIT
-# undef        MUTEX_DESTROY
-#endif
-#ifdef KERNEL
-# if SOLARIS
-#  if SOLARIS2 >= 6
-#   include <sys/atomic.h>
-#   if SOLARIS2 == 6
-#    define    ATOMIC_INCL(x)          atomic_add_long((uint32_t*)&(x), 1)
-#    define    ATOMIC_DECL(x)          atomic_add_long((uint32_t*)&(x), -1)
-#   else
-#    define    ATOMIC_INCL(x)          atomic_add_long(&(x), 1)
-#    define    ATOMIC_DECL(x)          atomic_add_long(&(x), -1)
-#   endif
-#   define     ATOMIC_INC64(x)         atomic_add_64((uint64_t*)&(x), 1)
-#   define     ATOMIC_INC32(x)         atomic_add_32((uint32_t*)&(x), 1)
-#   define     ATOMIC_INC16(x)         atomic_add_16((uint16_t*)&(x), 1)
-#   define     ATOMIC_DEC64(x)         atomic_add_64((uint64_t*)&(x), -1)
-#   define     ATOMIC_DEC32(x)         atomic_add_32((uint32_t*)&(x), -1)
-#   define     ATOMIC_DEC16(x)         atomic_add_16((uint16_t*)&(x), -1)
-#  else
-#   define     IRE_CACHE               IRE_ROUTE
-#   define     ATOMIC_INC(x)           { mutex_enter(&ipf_rw); (x)++; \
-                                         mutex_exit(&ipf_rw); }
-#   define     ATOMIC_DEC(x)           { mutex_enter(&ipf_rw); (x)--; \
-                                         mutex_exit(&ipf_rw); }
-#  endif
-#  define      MUTEX_ENTER(x)          mutex_enter(x)
-#  if 1
-#   define     KRWLOCK_T               krwlock_t
-#   define     READ_ENTER(x)           rw_enter(x, RW_READER)
-#   define     WRITE_ENTER(x)          rw_enter(x, RW_WRITER)
-#   define     RW_UPGRADE(x)           { if (rw_tryupgrade(x) == 0) { \
-                                             rw_exit(x); \
-                                             rw_enter(x, RW_WRITER); } \
-                                       }
-#   define     MUTEX_DOWNGRADE(x)      rw_downgrade(x)
-#   define     RWLOCK_INIT(x, y, z)    rw_init((x), (y), RW_DRIVER, (z))
-#   define     RWLOCK_EXIT(x)          rw_exit(x)
-#   define     RW_DESTROY(x)           rw_destroy(x)
-#  else
-#   define     KRWLOCK_T               kmutex_t
-#   define     READ_ENTER(x)           mutex_enter(x)
-#   define     WRITE_ENTER(x)          mutex_enter(x)
-#   define     MUTEX_DOWNGRADE(x)      ;
-#   define     RWLOCK_INIT(x, y, z)    mutex_init((x), (y), MUTEX_DRIVER, (z))
-#   define     RWLOCK_EXIT(x)          mutex_exit(x)
-#   define     RW_DESTROY(x)           mutex_destroy(x)
-#  endif
-#  define      MUTEX_INIT(x, y, z)     mutex_init((x), (y), MUTEX_DRIVER, (z))
-#  define      MUTEX_DESTROY(x)        mutex_destroy(x)
-#  define      MUTEX_EXIT(x)   mutex_exit(x)
-#  define      MTOD(m,t)       (t)((m)->b_rptr)
-#  define      IRCOPY(a,b,c)   copyin((caddr_t)(a), (caddr_t)(b), (c))
-#  define      IWCOPY(a,b,c)   copyout((caddr_t)(a), (caddr_t)(b), (c))
-#  define      IRCOPYPTR       ircopyptr
-#  define      IWCOPYPTR       iwcopyptr
-#  define      FREE_MB_T(m)    freemsg(m)
-#  define      SPL_NET(x)      ;
-#  define      SPL_IMP(x)      ;
-#  undef       SPL_X
-#  define      SPL_X(x)        ;
-#  ifdef sparc
-#   define     ntohs(x)        (x)
-#   define     ntohl(x)        (x)
-#   define     htons(x)        (x)
-#   define     htonl(x)        (x)
-#  endif /* sparc */
-#  define      KMALLOC(a,b)    (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-#  define      KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-#  define      GET_MINOR(x)    getminor(x)
-extern ill_t   *get_unit __P((char *, int));
-#  define      GETUNIT(n, v)   get_unit(n, v)
-#  define      IFNAME(x)       ((ill_t *)x)->ill_name
-# else /* SOLARIS */
-#  if defined(__sgi)
-#   define     ATOMIC_INC(x)           { MUTEX_ENTER(&ipf_rw); \
-                                         (x)++; MUTEX_EXIT(&ipf_rw); }
-#   define     ATOMIC_DEC(x)           { MUTEX_ENTER(&ipf_rw); \
-                                         (x)--; MUTEX_EXIT(&ipf_rw); }
-#   define     MUTEX_ENTER(x)          (x)->pl = LOCK((x)->l, IPF_LOCK_PL);
-#   define     KRWLOCK_T               kmutex_t
-#   define     READ_ENTER(x)           MUTEX_ENTER(x)
-#   define     WRITE_ENTER(x)          MUTEX_ENTER(x)
-#   define     RW_UPGRADE(x)           ;
-#   define     MUTEX_DOWNGRADE(x)      ;
-#   define     RWLOCK_EXIT(x)          MUTEX_EXIT(x)
-#   define     MUTEX_EXIT(x)           UNLOCK((x)->l, (x)->pl);
-#   define     MUTEX_INIT(x,y,z)       (x)->l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
-#   define     MUTEX_DESTROY(x)        LOCK_DEALLOC((x)->l)
-#  else /* __sgi */
-#   define     ATOMIC_INC(x)           (x)++
-#   define     ATOMIC_DEC(x)           (x)--
-#   define     MUTEX_ENTER(x)          ;
-#   define     READ_ENTER(x)           ;
-#   define     WRITE_ENTER(x)          ;
-#   define     RW_UPGRADE(x)           ;
-#   define     MUTEX_DOWNGRADE(x)      ;
-#   define     RWLOCK_EXIT(x)          ;
-#   define     MUTEX_EXIT(x)           ;
-#   define     MUTEX_INIT(x,y,z)       ;
-#   define     MUTEX_DESTROY(x)        ;
-#  endif /* __sgi */
-#  ifndef linux
-#   define     FREE_MB_T(m)    m_freem(m)
-#   define     MTOD(m,t)       mtod(m,t)
-#   define     IRCOPY(a,b,c)   (bcopy((a), (b), (c)), 0)
-#   define     IWCOPY(a,b,c)   (bcopy((a), (b), (c)), 0)
-#   define     IRCOPYPTR       ircopyptr
-#   define     IWCOPYPTR       iwcopyptr
-#  endif /* !linux */
-# endif /* SOLARIS */
-
-# ifdef sun
-#  if !SOLARIS
-#   include    <sys/time.h>
-#   include    <sys/kmem_alloc.h>
-#   define     GETUNIT(n, v)   ifunit(n, IFNAMSIZ)
-#   define     IFNAME(x)       ((struct ifnet *)x)->if_name
-#  endif
-# else
-#  ifndef      linux
-#   define     GETUNIT(n, v)   ifunit(n)
-#   if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-        (defined(OpenBSD) && (OpenBSD >= 199603))
-#    define    IFNAME(x)       ((struct ifnet *)x)->if_xname
-#   else
-#    define    USE_GETIFNAME   1
-#    define    IFNAME(x)       get_ifname((struct ifnet *)x)
-extern char    *get_ifname __P((struct ifnet *));
-#   endif
-#  endif
-# endif /* sun */
-
-# if defined(sun) && !defined(linux) || defined(__sgi)
-#  define      UIOMOVE(a,b,c,d)        uiomove((caddr_t)a,b,c,d)
-#  define      SLEEP(id, n)    sleep((id), 0)
-#  define      WAKEUP(id)      wakeup(id)
-#  define      KFREE(x)        kmem_free((char *)(x), sizeof(*(x)))
-#  define      KFREES(x,s)     kmem_free((char *)(x), (s))
-#  if !SOLARIS
-extern void    m_copydata __P((struct mbuf *, int, int, caddr_t));
-extern void    m_copyback __P((struct mbuf *, int, int, caddr_t));
-#  endif
-#  ifdef __sgi
-#   include <sys/kmem.h>
-#   include <sys/ddi.h>
-#   define     KMALLOC(a,b)    (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-#   define     KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-#   define     GET_MINOR(x)    getminor(x)
-#  else
-#   if !SOLARIS
-#    define    KMALLOC(a,b)    (a) = (b)new_kmem_alloc(sizeof(*(a)), \
-                                                       KMEM_NOSLEEP)
-#    define    KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
-#   endif /* SOLARIS */
-#  endif /* __sgi */
-# endif /* sun && !linux */
-# ifndef       GET_MINOR
-#  define      GET_MINOR(x)    minor(x)
-# endif
-# if (BSD >= 199306) || defined(__FreeBSD__)
-#  if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \
-       defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \
-       defined(_BSDI_VERSION)
-#   include <vm/vm.h>
-#  endif
-#  if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
-      (__FreeBSD_version >= 300000))
-#   if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \
-       (defined(OpenBSD) && (OpenBSD >= 200111))
-#    include <uvm/uvm_extern.h>
-#   else
-#    include <vm/vm_extern.h>
-extern vm_map_t        kmem_map;
-#   endif
-#   include <sys/proc.h>
-#  else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-#   include <vm/vm_kern.h>
-#  endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
-#  ifdef       M_PFIL
-#   define     KMALLOC(a, b)   MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
-#   define     KMALLOCS(a, b, c)       MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
-#   define     KFREE(x)        FREE((x), M_PFIL)
-#   define     KFREES(x,s)     FREE((x), M_PFIL)
-#  else
-#   define     KMALLOC(a, b)   MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
-#   define     KMALLOCS(a, b, c)       MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
-#   define     KFREE(x)        FREE((x), M_TEMP)
-#   define     KFREES(x,s)     FREE((x), M_TEMP)
-#  endif /* M_PFIL */
-#  define      UIOMOVE(a,b,c,d)        uiomove(a,b,d)
-#  define      SLEEP(id, n)    tsleep((id), PCATCH, n, 0)
-#  define      WAKEUP(id)      wakeup(id)
-# endif /* BSD */
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
-     (defined(OpenBSD) && (OpenBSD >= 200006))
-#  define      SPL_NET(x)      x = splsoftnet()
-#  define      SPL_X(x)        (void) splx(x)
-# else
-#  if !SOLARIS && !defined(linux)
-#   define     SPL_IMP(x)      x = splimp()
-#   define     SPL_NET(x)      x = splnet()
-#   define     SPL_X(x)        (void) splx(x)
-#  endif
-# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
-# define       PANIC(x,y)      if (x) panic y
-#else /* KERNEL */
-# define       SLEEP(x,y)      1
-# define       WAKEUP(x)       ;
-# define       PANIC(x,y)      ;
-# define       ATOMIC_INC(x)   (x)++
-# define       ATOMIC_DEC(x)   (x)--
-# define       MUTEX_ENTER(x)  ;
-# define       READ_ENTER(x)   ;
-# define       MUTEX_INIT(x,y,z)       ;
-# define       MUTEX_DESTROY(x)        ;
-# define       WRITE_ENTER(x)  ;
-# define       RW_UPGRADE(x)   ;
-# define       MUTEX_DOWNGRADE(x)      ;
-# define       RWLOCK_EXIT(x)  ;
-# define       MUTEX_EXIT(x)   ;
-# define       SPL_NET(x)      ;
-# define       SPL_IMP(x)      ;
-# undef                SPL_X
-# define       SPL_X(x)        ;
-# define       KMALLOC(a,b)    (a) = (b)malloc(sizeof(*a))
-# define       KMALLOCS(a,b,c) (a) = (b)malloc(c)
-# define       KFREE(x)        free(x)
-# define       KFREES(x,s)     free(x)
-# define       FREE_MB_T(x)    ;
-# define       GETUNIT(x, v)   get_unit(x,v)
-# define       IRCOPY(a,b,c)   (bcopy((a), (b), (c)), 0)
-# define       IWCOPY(a,b,c)   (bcopy((a), (b), (c)), 0)
-# define       IRCOPYPTR       ircopyptr
-# define       IWCOPYPTR       iwcopyptr
-# define       IFNAME(x)       get_ifname((struct ifnet *)x)
-# define       UIOMOVE(a,b,c,d)        ipfuiomove(a,b,c,d)
-# include      <sys/time.h>
-extern void    m_copydata __P((mb_t *, int, int, caddr_t));
-extern int     ipfuiomove __P((caddr_t, int, int, struct uio *));
-#endif /* KERNEL */
-
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef        ICMP_MINLEN
-# define       ICMP_MINLEN     8
-#endif
-#ifndef        ICMP_ECHOREPLY
-# define       ICMP_ECHOREPLY  0
-#endif
-#ifndef        ICMP_UNREACH
-# define       ICMP_UNREACH    3
-#endif
-#ifndef        ICMP_UNREACH_NET
-# define       ICMP_UNREACH_NET        0
-#endif
-#ifndef        ICMP_UNREACH_HOST
-# define       ICMP_UNREACH_HOST       1
-#endif
-#ifndef        ICMP_UNREACH_PROTOCOL
-# define       ICMP_UNREACH_PROTOCOL   2
-#endif
-#ifndef        ICMP_UNREACH_PORT
-# define       ICMP_UNREACH_PORT       3
-#endif
-#ifndef        ICMP_UNREACH_NEEDFRAG
-# define       ICMP_UNREACH_NEEDFRAG   4
-#endif
-#ifndef        ICMP_UNREACH_SRCFAIL
-# define       ICMP_UNREACH_SRCFAIL    5
-#endif
-#ifndef        ICMP_UNREACH_NET_UNKNOWN
-# define       ICMP_UNREACH_NET_UNKNOWN        6
-#endif
-#ifndef        ICMP_UNREACH_HOST_UNKNOWN
-# define       ICMP_UNREACH_HOST_UNKNOWN       7
-#endif
-#ifndef        ICMP_UNREACH_ISOLATED
-# define       ICMP_UNREACH_ISOLATED   8
-#endif
-#ifndef        ICMP_UNREACH_NET_PROHIB
-# define       ICMP_UNREACH_NET_PROHIB 9
-#endif
-#ifndef        ICMP_UNREACH_HOST_PROHIB
-# define       ICMP_UNREACH_HOST_PROHIB        10
-#endif
-#ifndef        ICMP_UNREACH_TOSNET
-# define       ICMP_UNREACH_TOSNET     11
-#endif
-#ifndef        ICMP_UNREACH_TOSHOST
-# define       ICMP_UNREACH_TOSHOST    12
-#endif
-#ifndef        ICMP_UNREACH_ADMIN_PROHIBIT
-# define       ICMP_UNREACH_ADMIN_PROHIBIT     13
-#endif
-#ifndef        ICMP_UNREACH_HOST_PRECEDENCE
-# define       ICMP_UNREACH_HOST_PRECEDENCE    14
-#endif
-#ifndef        ICMP_UNREACH_PRECEDENCE_CUTOFF
-# define       ICMP_UNREACH_PRECEDENCE_CUTOFF  15
-#endif
-#ifndef        ICMP_SOURCEQUENCH
-# define       ICMP_SOURCEQUENCH       4
-#endif
-#ifndef        ICMP_REDIRECT_NET
-# define       ICMP_REDIRECT_NET       0
-#endif
-#ifndef        ICMP_REDIRECT_HOST
-# define       ICMP_REDIRECT_HOST      1
-#endif
-#ifndef        ICMP_REDIRECT_TOSNET
-# define       ICMP_REDIRECT_TOSNET    2
-#endif
-#ifndef        ICMP_REDIRECT_TOSHOST
-# define       ICMP_REDIRECT_TOSHOST   3
-#endif
-#ifndef        ICMP_ALTHOSTADDR
-# define       ICMP_ALTHOSTADDR        6
-#endif
-#ifndef        ICMP_TIMXCEED
-# define       ICMP_TIMXCEED   11
-#endif
-#ifndef        ICMP_TIMXCEED_INTRANS
-# define       ICMP_TIMXCEED_INTRANS   0
-#endif
-#ifndef        ICMP_TIMXCEED_REASS
-# define               ICMP_TIMXCEED_REASS     1
-#endif
-#ifndef        ICMP_PARAMPROB
-# define       ICMP_PARAMPROB  12
-#endif
-#ifndef        ICMP_PARAMPROB_ERRATPTR
-# define       ICMP_PARAMPROB_ERRATPTR 0
-#endif
-#ifndef        ICMP_PARAMPROB_OPTABSENT
-# define       ICMP_PARAMPROB_OPTABSENT        1
-#endif
-#ifndef        ICMP_PARAMPROB_LENGTH
-# define       ICMP_PARAMPROB_LENGTH   2
-#endif
-#ifndef ICMP_TSTAMP
-# define       ICMP_TSTAMP     13
-#endif
-#ifndef ICMP_TSTAMPREPLY
-# define       ICMP_TSTAMPREPLY        14
-#endif
-#ifndef ICMP_IREQ
-# define       ICMP_IREQ       15
-#endif
-#ifndef ICMP_IREQREPLY
-# define       ICMP_IREQREPLY  16
-#endif
-#ifndef        ICMP_MASKREQ
-# define       ICMP_MASKREQ    17
-#endif
-#ifndef ICMP_MASKREPLY
-# define       ICMP_MASKREPLY  18
-#endif
-#ifndef        ICMP_TRACEROUTE
-# define       ICMP_TRACEROUTE 30
-#endif
-#ifndef        ICMP_DATACONVERR
-# define       ICMP_DATACONVERR        31
-#endif
-#ifndef        ICMP_MOBILE_REDIRECT
-# define       ICMP_MOBILE_REDIRECT    32
-#endif
-#ifndef        ICMP_IPV6_WHEREAREYOU
-# define       ICMP_IPV6_WHEREAREYOU   33
-#endif
-#ifndef        ICMP_IPV6_IAMHERE
-# define       ICMP_IPV6_IAMHERE       34
-#endif
-#ifndef        ICMP_MOBILE_REGREQUEST
-# define       ICMP_MOBILE_REGREQUEST  35
-#endif
-#ifndef        ICMP_MOBILE_REGREPLY
-# define       ICMP_MOBILE_REGREPLY    36
-#endif
-#ifndef        ICMP_SKIP
-# define       ICMP_SKIP       39
-#endif
-#ifndef        ICMP_PHOTURIS
-# define       ICMP_PHOTURIS   40
-#endif
-#ifndef        ICMP_PHOTURIS_UNKNOWN_INDEX
-# define       ICMP_PHOTURIS_UNKNOWN_INDEX     1
-#endif
-#ifndef        ICMP_PHOTURIS_AUTH_FAILED
-# define       ICMP_PHOTURIS_AUTH_FAILED       2
-#endif
-#ifndef        ICMP_PHOTURIS_DECRYPT_FAILED
-# define       ICMP_PHOTURIS_DECRYPT_FAILED    3
-#endif
-#ifndef        IPVERSION
-# define       IPVERSION       4
-#endif
-#ifndef        IPOPT_MINOFF
-# define       IPOPT_MINOFF    4
-#endif
-#ifndef        IPOPT_COPIED
-# define       IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef        IPOPT_EOL
-# define       IPOPT_EOL       0
-#endif
-#ifndef        IPOPT_NOP
-# define       IPOPT_NOP       1
-#endif
-#ifndef        IP_MF
-# define       IP_MF   ((u_short)0x2000)
-#endif
-#ifndef        ETHERTYPE_IP
-# define       ETHERTYPE_IP    ((u_short)0x0800)
-#endif
-#ifndef        TH_FIN
-# define       TH_FIN  0x01
-#endif
-#ifndef        TH_SYN
-# define       TH_SYN  0x02
-#endif
-#ifndef        TH_RST
-# define       TH_RST  0x04
-#endif
-#ifndef        TH_PUSH
-# define       TH_PUSH 0x08
-#endif
-#ifndef        TH_ACK
-# define       TH_ACK  0x10
-#endif
-#ifndef        TH_URG
-# define       TH_URG  0x20
-#endif
-#ifndef        IPOPT_EOL
-# define       IPOPT_EOL       0
-#endif
-#ifndef        IPOPT_NOP
-# define       IPOPT_NOP       1
-#endif
-#ifndef        IPOPT_RR
-# define       IPOPT_RR        7
-#endif
-#ifndef        IPOPT_TS
-# define       IPOPT_TS        68
-#endif
-#ifndef        IPOPT_SECURITY
-# define       IPOPT_SECURITY  130
-#endif
-#ifndef        IPOPT_LSRR
-# define       IPOPT_LSRR      131
-#endif
-#ifndef        IPOPT_SATID
-# define       IPOPT_SATID     136
-#endif
-#ifndef        IPOPT_SSRR
-# define       IPOPT_SSRR      137
-#endif
-#ifndef        IPOPT_SECUR_UNCLASS
-# define       IPOPT_SECUR_UNCLASS     ((u_short)0x0000)
-#endif
-#ifndef        IPOPT_SECUR_CONFID
-# define       IPOPT_SECUR_CONFID      ((u_short)0xf135)
-#endif
-#ifndef        IPOPT_SECUR_EFTO
-# define       IPOPT_SECUR_EFTO        ((u_short)0x789a)
-#endif
-#ifndef        IPOPT_SECUR_MMMM
-# define       IPOPT_SECUR_MMMM        ((u_short)0xbc4d)
-#endif
-#ifndef        IPOPT_SECUR_RESTR
-# define       IPOPT_SECUR_RESTR       ((u_short)0xaf13)
-#endif
-#ifndef        IPOPT_SECUR_SECRET
-# define       IPOPT_SECUR_SECRET      ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define       IPOPT_SECUR_TOPSECRET   ((u_short)0x6bc5)
-#endif
-#ifndef IPOPT_OLEN
-# define       IPOPT_OLEN      1
-#endif
-#ifndef        IPPROTO_GRE
-# define       IPPROTO_GRE     47      /* GRE encaps RFC 1701 */
-#endif
-#ifndef        IPPROTO_ESP
-# define       IPPROTO_ESP     50
-#endif
-#ifndef        IPPROTO_ICMPV6
-# define       IPPROTO_ICMPV6  58
-#endif
-
-#ifdef linux
-#include <linux/in_systm.h>
-/*
- * TCP States
- */
-#define        TCPS_CLOSED             0       /* closed */
-#define        TCPS_LISTEN             1       /* listening for connection */
-#define        TCPS_SYN_SENT           2       /* active, have sent syn */
-#define        TCPS_SYN_RECEIVED       3       /* have send and received syn */
-/* states < TCPS_ESTABLISHED are those where connections not established */
-#define        TCPS_ESTABLISHED        4       /* established */
-#define        TCPS_CLOSE_WAIT         5       /* rcvd fin, waiting for close */
-/* states > TCPS_CLOSE_WAIT are those where user has closed */
-#define        TCPS_FIN_WAIT_1         6       /* have closed, sent fin */
-#define        TCPS_CLOSING            7       /* closed xchd FIN; await FIN ACK */
-#define        TCPS_LAST_ACK           8       /* had fin and close; await FIN ACK */
-/* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */
-#define        TCPS_FIN_WAIT_2         9       /* have closed, fin is acked */
-#define        TCPS_TIME_WAIT          10      /* in 2*msl quiet wait after close */
-
-/*
- * file flags.
- */
-#ifdef WRITE
-#define        FWRITE  WRITE
-#define        FREAD   READ
-#else
-#define        FWRITE  _IOC_WRITE
-#define        FREAD   _IOC_READ
-#endif
-/*
- * mbuf related problems.
- */
-#define        mtod(m,t)       (t)((m)->data)
-#define        m_len           len
-#define        m_next          next
-
-#ifdef IP_DF
-#undef IP_DF
-#endif
-#define        IP_DF           0x4000
-
-typedef        struct  {
-       __u16   th_sport;
-       __u16   th_dport;
-       __u32   th_seq;
-       __u32   th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
-    defined(vax)
-       __u8    th_res:4;
-       __u8    th_off:4;
-#else
-       __u8    th_off:4;
-       __u8    th_res:4;
-#endif
-       __u8    th_flags;
-       __u16   th_win;
-       __u16   th_sum;
-       __u16   th_urp;
-} tcphdr_t;
-
-typedef        struct  {
-       __u16   uh_sport;
-       __u16   uh_dport;
-       __u16   uh_ulen;
-       __u16   uh_sum;
-} udphdr_t;
-
-typedef        struct  {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
-    defined(vax)
-       __u8    ip_hl:4;
-       __u8    ip_v:4;
-# else
-       __u8    ip_v:4;
-       __u8    ip_hl:4;
-# endif
-       __u8    ip_tos;
-       __u16   ip_len;
-       __u16   ip_id;
-       __u16   ip_off;
-       __u8    ip_ttl;
-       __u8    ip_p;
-       __u16   ip_sum;
-       struct  in_addr ip_src;
-       struct  in_addr ip_dst;
-} ip_t;
-
-/*
- * Structure of an icmp header.
- */
-typedef struct icmp {
-       __u8    icmp_type;              /* type of message, see below */
-       __u8    icmp_code;              /* type sub code */
-       __u16   icmp_cksum;             /* ones complement cksum of struct */
-       union {
-               __u8    ih_pptr;                /* ICMP_PARAMPROB */
-               struct  in_addr ih_gwaddr;      /* ICMP_REDIRECT */
-               struct  ih_idseq {
-                       __u16   icd_id;
-                       __u16   icd_seq;
-               } ih_idseq;
-               int ih_void;
-       } icmp_hun;
-# define       icmp_pptr       icmp_hun.ih_pptr
-# define       icmp_gwaddr     icmp_hun.ih_gwaddr
-# define       icmp_id         icmp_hun.ih_idseq.icd_id
-# define       icmp_seq        icmp_hun.ih_idseq.icd_seq
-# define       icmp_void       icmp_hun.ih_void
-       union {
-               struct id_ts {
-                       n_time its_otime;
-                       n_time its_rtime;
-                       n_time its_ttime;
-               } id_ts;
-               struct id_ip  {
-                       ip_t idi_ip;
-                       /* options and then 64 bits of data */
-               } id_ip;
-               u_long  id_mask;
-               char    id_data[1];
-       } icmp_dun;
-# define       icmp_otime      icmp_dun.id_ts.its_otime
-# define       icmp_rtime      icmp_dun.id_ts.its_rtime
-# define       icmp_ttime      icmp_dun.id_ts.its_ttime
-# define       icmp_ip         icmp_dun.id_ip.idi_ip
-# define       icmp_mask       icmp_dun.id_mask
-# define       icmp_data       icmp_dun.id_data
-} icmphdr_t;
-
-# ifndef LINUX_IPOVLY
-#  define LINUX_IPOVLY
-struct ipovly {
-       caddr_t ih_next, ih_prev;       /* for protocol sequence q's */
-       u_char  ih_x1;                  /* (unused) */
-       u_char  ih_pr;                  /* protocol */
-       short   ih_len;                 /* protocol length */
-       struct  in_addr ih_src;         /* source internet address */
-       struct  in_addr ih_dst;         /* destination internet address */
-};
-# endif
-
-typedef struct  {
-       __u8    ether_dhost[6];
-       __u8    ether_shost[6];
-       __u16   ether_type;
-} ether_header_t;
-
-typedef        struct  uio     {
-       int     uio_resid;
-       int     uio_rw;
-       caddr_t uio_buf;
-} uio_t;
-
-# define       UIO_READ        0
-# define       UIO_WRITE       1
-# define       UIOMOVE(a, b, c, d)     uiomove(a,b,c,d)
-
-/*
- * For masking struct ifnet onto struct device
- */
-# define       if_name name
-
-# ifdef        KERNEL
-#  define      GETUNIT(x, v)   dev_get(x)
-#  define      FREE_MB_T(m)    kfree_skb(m, FREE_WRITE)
-#  define      uniqtime        do_gettimeofday
-#  undef INT_MAX
-#  undef UINT_MAX
-#  undef LONG_MAX
-#  undef ULONG_MAX
-#  include <linux/netdevice.h>
-#  define      SPL_X(x)
-#  define      SPL_NET(x)
-#  define      SPL_IMP(x)
-#  define      bcmp(a,b,c)     memcmp(a,b,c)
-#  define      bcopy(a,b,c)    memcpy(b,a,c)
-#  define      bzero(a,c)      memset(a,0,c)
-
-#  define      UNITNAME(n)     dev_get((n))
-
-#  define      KMALLOC(a,b)    (a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC)
-#  define      KMALLOCS(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
-#  define      KFREE(x)        kfree_s((x), sizeof(*(x)))
-#  define      KFREES(x,s)     kfree_s((x), (s))
-#define IRCOPY(const void *a, void *b, size_t c)       { \
-       int error; \
-
-       error = verify_area(VERIFY_READ, a ,c); \
-       if (!error) \
-               memcpy_fromfs(b, a, c); \
-       return error; \
-}
-static inline int IWCOPY(const void *a, void *b, size_t c)
-{
-       int error;
-
-       error = verify_area(VERIFY_WRITE, b, c);
-       if (!error)
-               memcpy_tofs(b, a, c);
-       return error;
-}
-static inline int IRCOPYPTR(const void *a, void *b, size_t c) {
-       caddr_t ca;
-       int     error;
-
-       error = verify_area(VERIFY_READ, a ,sizeof(ca));
-       if (!error) {
-               memcpy_fromfs(ca, a, sizeof(ca));
-               error = verify_area(VERIFY_READ, ca , c);
-               if (!error)
-                       memcpy_fromfs(b, ca, c);
-       }
-       return error;
-}
-static inline int IWCOPYPTR(const void *a, void *b, size_t c) {
-       caddr_t ca;
-       int     error;
-
-
-       error = verify_area(VERIFY_READ, b ,sizeof(ca));
-       if (!error) {
-               memcpy_fromfs(ca, b, sizeof(ca));
-               error = verify_area(VERIFY_WRITE, ca, c);
-               if (!error)
-                       memcpy_tofs(ca, a, c);
-       }
-       return error;
-}
-# else
-#  define      __KERNEL__
-#  undef INT_MAX
-#  undef UINT_MAX
-#  undef LONG_MAX
-#  undef ULONG_MAX
-#  define      s8 __s8
-#  define      u8 __u8
-#  define      s16 __s16
-#  define      u16 __u16
-#  define      s32 __s32
-#  define      u32 __u32
-#  include <linux/netdevice.h>
-#  undef       __KERNEL__
-# endif
-# define       ifnet   device
-#else
-typedef        struct  tcphdr  tcphdr_t;
-typedef        struct  udphdr  udphdr_t;
-typedef        struct  icmp    icmphdr_t;
-typedef        struct  ip      ip_t;
-typedef        struct  ether_header    ether_header_t;
-#endif /* linux */
-typedef        struct  tcpiphdr        tcpiphdr_t;
-
-#if defined(hpux) || defined(linux)
-struct ether_addr      {
-       char    ether_addr_octet[6];
-};
-#endif
-
-/*
- * XXX - This is one of those *awful* hacks which nobody likes
- */
-#ifdef ultrix
-#define        A_A
-#else
-#define        A_A     &
-#endif
-
-#if (BSD >= 199306) && !defined(m_act)
-# define       m_act   m_nextpkt
-#endif
-
-#ifndef        ICMP_ROUTERADVERT
-# define       ICMP_ROUTERADVERT       9
-#endif
-#ifndef        ICMP_ROUTERSOLICIT
-# define       ICMP_ROUTERSOLICIT      10
-#endif
-#undef ICMP_MAX_UNREACH
-#define        ICMP_MAX_UNREACH        14
-#undef ICMP_MAXTYPE
-#define        ICMP_MAXTYPE            18
-/*
- * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
- * another IP header and then 64 bits of data, totalling 56.  Of course,
- * the last 64 bits is dependant on that being available.
- */
-#define        ICMPERR_ICMPHLEN        8
-#define        ICMPERR_IPICMPHLEN      (20 + 8)
-#define        ICMPERR_MINPKTLEN       (20 + 8 + 20)
-#define        ICMPERR_MAXPKTLEN       (20 + 8 + 20 + 8)
-#define        ICMP6_MINLEN            8
-#define        ICMP6ERR_MINPKTLEN      (40 + 8)
-#define        ICMP6ERR_IPICMPHLEN     (40 + 8 + 40)
-
-#ifndef        ICMP6_DST_UNREACH
-# define       ICMP6_DST_UNREACH       1
-#endif
-#ifndef        ICMP6_PACKET_TOO_BIG
-# define       ICMP6_PACKET_TOO_BIG    2
-#endif
-#ifndef        ICMP6_TIME_EXCEEDED
-# define       ICMP6_TIME_EXCEEDED     3
-#endif
-#ifndef        ICMP6_PARAM_PROB
-# define       ICMP6_PARAM_PROB        4
-#endif
-
-#ifndef        ICMP6_ECHO_REQUEST
-# define       ICMP6_ECHO_REQUEST      128
-#endif
-#ifndef        ICMP6_ECHO_REPLY
-# define       ICMP6_ECHO_REPLY        129
-#endif
-#ifndef        ICMP6_MEMBERSHIP_QUERY
-# define       ICMP6_MEMBERSHIP_QUERY  130
-#endif
-#ifndef        MLD6_LISTENER_QUERY
-# define       MLD6_LISTENER_QUERY     130
-#endif
-#ifndef        ICMP6_MEMBERSHIP_REPORT
-# define       ICMP6_MEMBERSHIP_REPORT 131
-#endif
-#ifndef        MLD6_LISTENER_REPORT
-# define       MLD6_LISTENER_REPORT    131
-#endif
-#ifndef        ICMP6_MEMBERSHIP_REDUCTION
-# define       ICMP6_MEMBERSHIP_REDUCTION      132
-#endif
-#ifndef        MLD6_LISTENER_DONE
-# define       MLD6_LISTENER_DONE      132
-#endif
-#ifndef        ND_ROUTER_SOLICIT
-# define       ND_ROUTER_SOLICIT       133
-#endif
-#ifndef        ND_ROUTER_ADVERT
-# define       ND_ROUTER_ADVERT        134
-#endif
-#ifndef        ND_NEIGHBOR_SOLICIT
-# define       ND_NEIGHBOR_SOLICIT     135
-#endif
-#ifndef        ND_NEIGHBOR_ADVERT
-# define       ND_NEIGHBOR_ADVERT      136
-#endif
-#ifndef        ND_REDIRECT
-# define       ND_REDIRECT     137
-#endif
-#ifndef        ICMP6_ROUTER_RENUMBERING
-# define       ICMP6_ROUTER_RENUMBERING        138
-#endif
-#ifndef        ICMP6_WRUREQUEST
-# define       ICMP6_WRUREQUEST        139
-#endif
-#ifndef        ICMP6_WRUREPLY
-# define       ICMP6_WRUREPLY          140
-#endif
-#ifndef        ICMP6_FQDN_QUERY
-# define       ICMP6_FQDN_QUERY        139
-#endif
-#ifndef        ICMP6_FQDN_REPLY
-# define       ICMP6_FQDN_REPLY        140
-#endif
-#ifndef        ICMP6_NI_QUERY
-# define       ICMP6_NI_QUERY          139
-#endif
-#ifndef        ICMP6_NI_REPLY
-# define       ICMP6_NI_REPLY          140
-#endif
-#ifndef        MLD6_MTRACE_RESP
-# define       MLD6_MTRACE_RESP        200
-#endif
-#ifndef        MLD6_MTRACE
-# define       MLD6_MTRACE             201
-#endif
-#ifndef        ICMP6_HADISCOV_REQUEST
-# define       ICMP6_HADISCOV_REQUEST  202
-#endif
-#ifndef        ICMP6_HADISCOV_REPLY
-# define       ICMP6_HADISCOV_REPLY    203
-#endif
-#ifndef        ICMP6_MOBILEPREFIX_SOLICIT
-# define       ICMP6_MOBILEPREFIX_SOLICIT      204
-#endif
-#ifndef        ICMP6_MOBILEPREFIX_ADVERT
-# define       ICMP6_MOBILEPREFIX_ADVERT       205
-#endif
-#ifndef        ICMP6_MAXTYPE
-# define       ICMP6_MAXTYPE           205
-#endif
-
-#ifndef        ICMP6_DST_UNREACH_NOROUTE
-# define       ICMP6_DST_UNREACH_NOROUTE       0
-#endif
-#ifndef        ICMP6_DST_UNREACH_ADMIN
-# define       ICMP6_DST_UNREACH_ADMIN         1
-#endif
-#ifndef        ICMP6_DST_UNREACH_NOTNEIGHBOR
-# define       ICMP6_DST_UNREACH_NOTNEIGHBOR   2
-#endif
-#ifndef        ICMP6_DST_UNREACH_BEYONDSCOPE
-# define       ICMP6_DST_UNREACH_BEYONDSCOPE   2
-#endif
-#ifndef        ICMP6_DST_UNREACH_ADDR
-# define       ICMP6_DST_UNREACH_ADDR          3
-#endif
-#ifndef        ICMP6_DST_UNREACH_NOPORT
-# define       ICMP6_DST_UNREACH_NOPORT        4
-#endif
-#ifndef        ICMP6_TIME_EXCEED_TRANSIT
-# define       ICMP6_TIME_EXCEED_TRANSIT       0
-#endif
-#ifndef        ICMP6_TIME_EXCEED_REASSEMBLY
-# define       ICMP6_TIME_EXCEED_REASSEMBLY    1
-#endif
-
-#ifndef        ICMP6_NI_SUCCESS
-# define       ICMP6_NI_SUCCESS        0
-#endif
-#ifndef        ICMP6_NI_REFUSED
-# define       ICMP6_NI_REFUSED        1
-#endif
-#ifndef        ICMP6_NI_UNKNOWN
-# define       ICMP6_NI_UNKNOWN        2
-#endif
-
-#ifndef        ICMP6_ROUTER_RENUMBERING_COMMAND
-# define       ICMP6_ROUTER_RENUMBERING_COMMAND        0
-#endif
-#ifndef        ICMP6_ROUTER_RENUMBERING_RESULT
-# define       ICMP6_ROUTER_RENUMBERING_RESULT 1
-#endif
-#ifndef        ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET
-# define       ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET   255
-#endif
-
-#ifndef        ICMP6_PARAMPROB_HEADER
-# define       ICMP6_PARAMPROB_HEADER  0
-#endif
-#ifndef        ICMP6_PARAMPROB_NEXTHEADER
-# define       ICMP6_PARAMPROB_NEXTHEADER      1
-#endif
-#ifndef        ICMP6_PARAMPROB_OPTION
-# define       ICMP6_PARAMPROB_OPTION  2
-#endif
-
-#ifndef        ICMP6_NI_SUBJ_IPV6
-# define       ICMP6_NI_SUBJ_IPV6      0
-#endif
-#ifndef        ICMP6_NI_SUBJ_FQDN
-# define       ICMP6_NI_SUBJ_FQDN      1
-#endif
-#ifndef        ICMP6_NI_SUBJ_IPV4
-# define       ICMP6_NI_SUBJ_IPV4      2
-#endif
-
-/*
- * ECN is a new addition to TCP - RFC 2481
- */
-#ifndef TH_ECN
-# define       TH_ECN  0x40
-#endif
-#ifndef TH_CWR
-# define       TH_CWR  0x80
-#endif
-#define        TH_ECNALL       (TH_ECN|TH_CWR)
-
-#define        TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR)
-
-#endif /* __IP_COMPAT_H__ */
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
deleted file mode 100644 (file)
index 4d74356..0000000
+++ /dev/null
@@ -1,2250 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#ifndef        SOLARIS
-#define        SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define       _KERNEL
-#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
-    (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
-#include "opt_inet6.h"
-#endif
-#include <sys/param.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
-    defined(_KERNEL)  && !defined(_LKM)
-# include "opt_ipfilter_log.h"
-#endif
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if !defined(_KERNEL) || defined(IPFILTER_LKM)
-#  include <osreldate.h>
-# endif
-#endif
-#if defined(__sgi) && (IRIX > 602)
-# define _KMEMUSER
-# include <sys/ptimers.h>
-#endif
-#ifndef        _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-# include <fcntl.h>
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/file.h>
-#if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#ifdef _KERNEL
-# include <sys/systm.h>
-#endif
-#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-#  include <sys/dirent.h>
-# else
-#  include <sys/dir.h>
-# endif
-# include <sys/mbuf.h>
-#else
-# include <sys/filio.h>
-#endif
-#include <sys/protosw.h>
-#include <sys/socket.h>
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-#  include "opt_ipfilter.h"
-# endif
-#endif
-#ifdef __sgi
-#include <sys/debug.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-# endif
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#ifndef        _KERNEL
-# include <unistd.h>
-# include <syslog.h>
-#endif
-#include "netinet/ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-# if !SOLARIS
-#  include <netinet6/ip6protosw.h>
-#  include <netinet6/nd6.h>
-# endif
-#endif
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_proxy.h"
-#include "netinet/ip_auth.h"
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#ifndef        MIN
-# define       MIN(a,b)        (((a)<(b))?(a):(b))
-#endif
-#if !SOLARIS && defined(_KERNEL) && !defined(__sgi)
-# include <sys/kernel.h>
-extern int     ip_optcopy __P((struct ip *, struct ip *));
-#endif
-#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
-extern int     ip6_getpmtu(struct route_in6 *, struct route_in6 *,
-                           struct ifnet *, struct in6_addr *, u_long *);
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c     2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $";
-#endif
-
-
-extern struct  protosw inetsw[];
-
-#ifndef        _KERNEL
-# include "ipt.h"
-static struct  ifnet **ifneta = NULL;
-static int     nifs = 0;
-#else
-# if   (BSD < 199306) || defined(__sgi)
-extern int     tcp_ttl;
-# endif
-#endif
-
-#ifdef ICMP_UNREACH_FILTER_PROHIB
-int    ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
-#else
-int    ipl_unreach = ICMP_UNREACH_FILTER;
-#endif
-u_long ipl_frouteok[2] = {0, 0};
-
-static int     frzerostats __P((caddr_t));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-static int     frrequest __P((int, u_long, caddr_t, int));
-#else
-static int     frrequest __P((int, int, caddr_t, int));
-#endif
-#ifdef _KERNEL
-static int     (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
-static int     send_ip __P((ip_t *, fr_info_t *, struct mbuf **));
-# ifdef        USE_INET6
-static int     ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
-                                    fr_info_t *, frdest_t *));
-# endif
-# ifdef        __sgi
-extern int             tcp_mtudisc;
-extern  kmutex_t        ipf_rw;
-extern KRWLOCK_T       ipf_mutex;
-# endif
-#else
-void   init_ifp __P((void));
-# if defined(__sgi) && (IRIX < 605)
-static int     no_output __P((struct ifnet *, struct mbuf *,
-                              struct sockaddr *));
-static int     write_output __P((struct ifnet *, struct mbuf *,
-                                 struct sockaddr *));
-# else
-static int     no_output __P((struct ifnet *, struct mbuf *,
-                              struct sockaddr *, struct rtentry *));
-static int     write_output __P((struct ifnet *, struct mbuf *,
-                                 struct sockaddr *, struct rtentry *));
-# endif
-#endif
-int    fr_running = 0;
-
-#if (__FreeBSD_version >= 300000) && defined(_KERNEL)
-struct callout_handle ipfr_slowtimer_ch;
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-# include <sys/callout.h>
-struct callout ipfr_slowtimer_ch;
-#endif
-#if defined(__OpenBSD__)
-# include <sys/timeout.h>
-struct timeout ipfr_slowtimer_ch;
-#endif
-#if defined(__sgi) && defined(_KERNEL)
-toid_t ipfr_slowtimer_ch;
-#endif
-
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
-    defined(_KERNEL)
-# include <sys/conf.h>
-const struct cdevsw ipl_cdevsw = {
-       iplopen, iplclose, iplread, nowrite, iplioctl,
-       nostop, notty, nopoll, nommap,
-};
-#endif
-
-#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
-# include <sys/device.h>
-# include <sys/conf.h>
-
-struct cfdriver iplcd = {
-       NULL, "ipl", NULL, NULL, DV_DULL, 0
-};
-
-struct devsw iplsw = {
-       &iplcd,
-       iplopen, iplclose, iplread, nowrite, iplioctl, noselect, nommap,
-       nostrat, nodump, nopsize, 0,
-       nostop
-};
-#endif /* _BSDI_VERSION >= 199510  && _KERNEL */
-
-#if defined(__NetBSD__) || defined(__OpenBSD__)  || (_BSDI_VERSION >= 199701)
-# include <sys/conf.h>
-# if defined(NETBSD_PF)
-#  include <net/pfil.h>
-/*
- * We provide the fr_checkp name just to minimize changes later.
- */
-int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
-# endif /* NETBSD_PF */
-#endif /* __NetBSD__ */
-
-
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000) && \
-    defined(_KERNEL)
-# include <net/pfil.h>
-
-static int fr_check_wrapper(void *, struct mbuf **, struct ifnet *, int );
-
-static int fr_check_wrapper(arg, mp, ifp, dir)
-void *arg;
-struct mbuf **mp;
-struct ifnet *ifp;
-int dir;
-{
-       struct ip *ip = mtod(*mp, struct ip *);
-       int rv, hlen = ip->ip_hl << 2;
-
-#if defined(M_CSUM_TCPv4)
-       /*
-        * If the packet is out-bound, we can't delay checksums
-        * here.  For in-bound, the checksum has already been
-        * validated.
-        */
-       if (dir == PFIL_OUT) {
-               if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
-                       in_delayed_cksum(*mp);
-                       (*mp)->m_pkthdr.csum_flags &=
-                           ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
-               }
-       }
-#endif /* M_CSUM_TCPv4 */
-
-       /*
-        * We get the packet with all fields in network byte
-        * order.  We expect ip_len and ip_off to be in host
-        * order.  We frob them, call the filter, then frob
-        * them back.
-        *
-        * Note, we don't need to update the checksum, because
-        * it has already been verified.
-        */
-       NTOHS(ip->ip_len);
-       NTOHS(ip->ip_off);
-
-       rv = fr_check(ip, hlen, ifp, (dir == PFIL_OUT), mp);
-
-       if (rv == 0 && *mp != NULL) {
-               ip = mtod(*mp, struct ip *);
-               HTONS(ip->ip_len);
-               HTONS(ip->ip_off);
-       }
-
-       return (rv);
-}
-
-# ifdef USE_INET6
-#  include <netinet/ip6.h>
-
-static int fr_check_wrapper6(void *, struct mbuf **, struct ifnet *, int );
-
-static int fr_check_wrapper6(arg, mp, ifp, dir)
-void *arg;
-struct mbuf **mp;
-struct ifnet *ifp;
-int dir;
-{
-       
-       return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
-           ifp, (dir == PFIL_OUT), mp));
-}
-# endif
-#endif /* __NetBSD_Version >= 105110000 && _KERNEL */
-#ifdef _KERNEL
-# if   defined(IPFILTER_LKM) && !defined(__sgi)
-int iplidentify(s)
-char *s;
-{
-       if (strcmp(s, "ipl") == 0)
-               return 1;
-       return 0;
-}
-# endif /* IPFILTER_LKM */
-
-
-/*
- * Try to detect the case when compiling for NetBSD with pseudo-device
- */
-# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-void
-ipfilterattach(count)
-int count;
-{
-
-       /*
-        * Do nothing here, really.  The filter will be enabled
-        * by the SIOCFRENB ioctl.
-        */
-}
-# endif
-
-
-# if defined(__NetBSD__) || defined(__OpenBSD__)
-int ipl_enable()
-# else
-int iplattach()
-# endif
-{
-       char *defpass;
-       int s;
-# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
-       int error = 0;
-# endif
-#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105110000)
-       struct pfil_head *ph_inet;
-# ifdef USE_INET6
-       struct pfil_head *ph_inet6;
-# endif
-#endif
-
-       SPL_NET(s);
-       if (fr_running || (fr_checkp == fr_check)) {
-               printf("IP Filter: already initialized\n");
-               SPL_X(s);
-               return EBUSY;
-       }
-
-# ifdef        IPFILTER_LOG
-       ipflog_init();
-# endif
-       if (nat_init() == -1) {
-               SPL_X(s);
-               return EIO;
-       }
-       if (fr_stateinit() == -1) {
-               SPL_X(s);
-               return EIO;
-       }
-       if (appr_init() == -1) {
-               SPL_X(s);
-               return EIO;
-       }
-
-# ifdef NETBSD_PF
-#  if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)
-#   if __NetBSD_Version__ >= 105110000
-       ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
-#    ifdef USE_INET6
-       ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
-#    endif
-       if (ph_inet == NULL
-#    ifdef USE_INET6
-           && ph_inet6 == NULL
-#    endif
-          )
-               return ENODEV;
-
-       if (ph_inet != NULL)
-               error = pfil_add_hook((void *)fr_check_wrapper, NULL,
-                                     PFIL_IN|PFIL_OUT, ph_inet);
-       else
-               error = 0;
-#  else
-       error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
-                             &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-#  endif
-       if (error) {
-#   ifdef USE_INET6
-               goto pfil_error;
-#   else
-               SPL_X(s);
-               appr_unload();
-               ip_natunload();
-               fr_stateunload();
-               return error;
-#   endif
-       }
-#  else
-       pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-#  endif
-#  ifdef USE_INET6
-#   if __NetBSD_Version__ >= 105110000
-       if (ph_inet6 != NULL)
-               error = pfil_add_hook((void *)fr_check_wrapper6, NULL,
-                                     PFIL_IN|PFIL_OUT, ph_inet6);
-       else
-               error = 0;
-       if (error) {
-               pfil_remove_hook((void *)fr_check_wrapper6, NULL,
-                                PFIL_IN|PFIL_OUT, ph_inet6);
-#   else
-       error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
-                             &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
-       if (error) {
-               pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
-                                &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-#   endif
-pfil_error:
-               SPL_X(s);
-               appr_unload();
-               ip_natunload();
-               fr_stateunload();
-               return error;
-       }
-#  endif
-# endif
-
-# ifdef __sgi
-       error = ipfilter_sgi_attach();
-       if (error) {
-               SPL_X(s);
-               appr_unload();
-               ip_natunload();
-               fr_stateunload();
-               return error;
-       }
-# endif
-
-       bzero((char *)frcache, sizeof(frcache));
-       fr_savep = fr_checkp;
-       fr_checkp = fr_check;
-       fr_running = 1;
-
-       SPL_X(s);
-       if (fr_pass & FR_PASS)
-               defpass = "pass";
-       else if (fr_pass & FR_BLOCK)
-               defpass = "block";
-       else
-               defpass = "no-match -> block";
-
-       printf("%s initialized.  Default = %s all, Logging = %s\n",
-               ipfilter_version, defpass,
-# ifdef        IPFILTER_LOG
-               "enabled");
-# else
-               "disabled");
-# endif
-#ifdef  _KERNEL
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-       callout_init(&ipfr_slowtimer_ch);
-       callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
-# else
-#  if defined(__OpenBSD__)
-       timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
-       timeout_add(&ipfr_slowtimer_ch, hz/2);
-#  else
-#   if (__FreeBSD_version >= 300000) || defined(__sgi)
-       ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
-#   else
-       timeout(ipfr_slowtimer, NULL, hz/2);
-#   endif
-#  endif
-# endif
-#endif
-       return 0;
-}
-
-
-/*
- * Disable the filter by removing the hooks from the IP input/output
- * stream.
- */
-# if defined(__NetBSD__)
-int ipl_disable()
-# else
-int ipldetach()
-# endif
-{
-       int s, i;
-#if defined(NETBSD_PF) && \
-    ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
-       int error = 0;
-# if __NetBSD_Version__ >= 105150000
-        struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
-#  ifdef USE_INET6
-        struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
-#  endif
-# endif
-#endif
-
-#ifdef  _KERNEL
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-       callout_stop(&ipfr_slowtimer_ch);
-# else
-#  if (__FreeBSD_version >= 300000)
-       untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
-#  else
-#  ifdef __sgi
-       untimeout(ipfr_slowtimer_ch);
-#   else
-#    if defined(__OpenBSD__)
-       timeout_del(&ipfr_slowtimer_ch);
-#    else
-       untimeout(ipfr_slowtimer, NULL);
-#    endif /* OpenBSD */
-#   endif /* __sgi */
-#  endif /* FreeBSD */
-# endif /* NetBSD */
-#endif
-       SPL_NET(s);
-       if (!fr_running)
-       {
-               printf("IP Filter: not initialized\n");
-               SPL_X(s);
-               return 0;
-       }
-
-       printf("%s unloaded\n", ipfilter_version);
-
-       fr_checkp = fr_savep;
-       i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
-       i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
-       fr_running = 0;
-
-# ifdef NETBSD_PF
-#  if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
-#   if __NetBSD_Version__ >= 105110000
-       if (ph_inet != NULL)
-               error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
-                                        PFIL_IN|PFIL_OUT, ph_inet);
-       else
-               error = 0;
-#   else
-       error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
-                                &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-#   endif
-       if (error) {
-               SPL_X(s);
-               return error;
-       }
-#  else
-       pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-#  endif
-#  ifdef USE_INET6
-#   if __NetBSD_Version__ >= 105110000
-       if (ph_inet6 != NULL)
-               error = pfil_remove_hook((void *)fr_check_wrapper6, NULL,
-                                        PFIL_IN|PFIL_OUT, ph_inet6);
-       else
-               error = 0;
-#   else
-       error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
-                                &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
-#   endif
-       if (error) {
-               SPL_X(s);
-               return error;
-       }
-#  endif
-# endif
-
-# ifdef __sgi
-       ipfilter_sgi_detach();
-# endif
-
-       appr_unload();
-       ipfr_unload();
-       ip_natunload();
-       fr_stateunload();
-       fr_authunload();
-
-       SPL_X(s);
-       return 0;
-}
-#endif /* _KERNEL */
-
-
-static int     frzerostats(data)
-caddr_t        data;
-{
-       friostat_t fio;
-       int error;
-
-       fr_getstat(&fio);
-       error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
-       if (error)
-               return EFAULT;
-
-       bzero((char *)frstats, sizeof(*frstats) * 2);
-
-       return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-#ifdef __sgi
-int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
-# ifdef _KERNEL
-       , cred_t *cp, int *rp
-# endif
-)
-#else
-int IPL_EXTERN(ioctl)(dev, cmd, data, mode
-# if (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \
-       (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \
-       defined(__OpenBSD__)))
-, p)
-struct proc *p;
-# else
-)
-# endif
-dev_t dev;
-# if defined(__NetBSD__) || defined(__OpenBSD__) || \
-       (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-u_long cmd;
-# else
-int cmd;
-# endif
-caddr_t data;
-int mode;
-#endif /* __sgi */
-{
-#if defined(_KERNEL) && !SOLARIS
-       int s;
-#endif
-       int error = 0, unit = 0, tmp;
-
-#if (BSD >= 199306) && defined(_KERNEL)
-       if ((securelevel >= 2) && (mode & FWRITE))
-               return EPERM;
-#endif
-#ifdef _KERNEL
-       unit = GET_MINOR(dev);
-       if ((IPL_LOGMAX < unit) || (unit < 0))
-               return ENXIO;
-#else
-       unit = dev;
-#endif
-
-       if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
-               return ENODEV;
-
-       SPL_NET(s);
-
-       if (unit == IPL_LOGNAT) {
-               if (fr_running)
-                       error = nat_ioctl(data, cmd, mode);
-               else
-                       error = EIO;
-               SPL_X(s);
-               return error;
-       }
-       if (unit == IPL_LOGSTATE) {
-               if (fr_running)
-                       error = fr_state_ioctl(data, cmd, mode);
-               else
-                       error = EIO;
-               SPL_X(s);
-               return error;
-       }
-       if (unit == IPL_LOGAUTH) {
-               if (!fr_running)
-                       error = EIO;
-               else
-                       if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
-                               if (!(mode & FWRITE))  {
-                                       error = EPERM;
-                               } else {
-                                       error = frrequest(unit, cmd, data,
-                                                         fr_active);
-                               }
-                       } else {
-                               error = fr_auth_ioctl(data, mode, cmd);
-                       }
-               SPL_X(s);
-               return error;
-       }
-
-       switch (cmd) {
-       case FIONREAD :
-#ifdef IPFILTER_LOG
-               error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
-                              sizeof(iplused[IPL_LOGIPF]));
-#endif
-               break;
-#if (!defined(IPFILTER_LKM) || defined(__NetBSD__)) && defined(_KERNEL)
-       case SIOCFRENB :
-       {
-               u_int   enable;
-
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else {
-                       error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
-                       if (error)
-                               break;
-                       if (enable)
-# if defined(__NetBSD__) || defined(__OpenBSD__)
-                               error = ipl_enable();
-# else
-                               error = iplattach();
-# endif
-                       else
-# if defined(__NetBSD__)
-                               error = ipl_disable();
-# else
-                               error = ipldetach();
-# endif
-               }
-               break;
-       }
-#endif
-       case SIOCSETFF :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else
-                       error = IRCOPY(data, (caddr_t)&fr_flags,
-                                      sizeof(fr_flags));
-               break;
-       case SIOCGETFF :
-               error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
-               break;
-       case SIOCINAFR :
-       case SIOCRMAFR :
-       case SIOCADAFR :
-       case SIOCZRLST :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else
-                       error = frrequest(unit, cmd, data, fr_active);
-               break;
-       case SIOCINIFR :
-       case SIOCRMIFR :
-       case SIOCADIFR :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else
-                       error = frrequest(unit, cmd, data, 1 - fr_active);
-               break;
-       case SIOCSWAPA :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else {
-                       bzero((char *)frcache, sizeof(frcache[0]) * 2);
-                       *(u_int *)data = fr_active;
-                       fr_active = 1 - fr_active;
-               }
-               break;
-       case SIOCGETFS :
-       {
-               friostat_t      fio;
-
-               fr_getstat(&fio);
-               error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
-               if (error)
-                       error = EFAULT;
-               break;
-       }
-       case    SIOCFRZST :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else
-                       error = frzerostats(data);
-               break;
-       case    SIOCIPFFL :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else {
-                       error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
-                       if (!error) {
-                               tmp = frflush(unit, 4, tmp);
-                               error = IWCOPY((caddr_t)&tmp, data,
-                                              sizeof(tmp));
-                       }
-               }
-               break;
-#ifdef USE_INET6
-       case    SIOCIPFL6 :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else {
-                       error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
-                       if (!error) {
-                               tmp = frflush(unit, 6, tmp);
-                               error = IWCOPY((caddr_t)&tmp, data,
-                                              sizeof(tmp));
-                       }
-               }
-               break;
-#endif
-       case SIOCSTLCK :
-               error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
-               if (!error) {
-                       fr_state_lock = tmp;
-                       fr_nat_lock = tmp;
-                       fr_frag_lock = tmp;
-                       fr_auth_lock = tmp;
-               } else
-                       error = EFAULT;
-               break;
-#ifdef IPFILTER_LOG
-       case    SIOCIPFFB :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else
-                       *(int *)data = ipflog_clear(unit);
-               break;
-#endif /* IPFILTER_LOG */
-       case SIOCGFRST :
-               error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
-                                 sizeof(ipfrstat_t));
-               if (error)
-                       error = EFAULT;
-               break;
-       case SIOCFRSYN :
-               if (!(mode & FWRITE))
-                       error = EPERM;
-               else {
-#if defined(_KERNEL) && defined(__sgi)
-                       ipfsync();
-#endif
-                       frsync();
-               }
-               break;
-       default :
-               error = EINVAL;
-               break;
-       }
-       SPL_X(s);
-       return error;
-}
-
-
-void fr_forgetifp(ifp)
-void *ifp;
-{
-       register frentry_t *f;
-
-       WRITE_ENTER(&ipf_mutex);
-       for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
-       for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-       for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
-               if (f->fr_ifa == ifp)
-                       f->fr_ifa = (void *)-1;
-#endif
-       RWLOCK_EXIT(&ipf_mutex);
-       ip_natsync(ifp);
-}
-
-
-static int frrequest(unit, req, data, set)
-int unit;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-u_long req;
-#else
-int req;
-#endif
-int set;
-caddr_t data;
-{
-       register frentry_t *fp, *f, **fprev;
-       register frentry_t **ftail;
-       frgroup_t *fg = NULL;
-       int error = 0, in, i;
-       u_int   *p, *pp;
-       frentry_t frd;
-       frdest_t *fdp;
-       u_int group;
-
-       fp = &frd;
-       error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
-       if (error)
-               return EFAULT;
-       fp->fr_ref = 0;
-#if (BSD >= 199306) && defined(_KERNEL)
-       if ((securelevel > 0) && (fp->fr_func != NULL))
-               return EPERM;
-#endif
-
-       /*
-        * Check that the group number does exist and that if a head group
-        * has been specified, doesn't exist.
-        */
-       if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
-            (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
-           fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
-               return EEXIST;
-       if ((req != SIOCZRLST) && fp->fr_group &&
-           !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
-               return ESRCH;
-
-       in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
-       if (unit == IPL_LOGAUTH)
-               ftail = fprev = &ipauth;
-       else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
-               ftail = fprev = &ipacct[in][set];
-       else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
-               ftail = fprev = &ipfilter[in][set];
-#ifdef USE_INET6
-       else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
-               ftail = fprev = &ipacct6[in][set];
-       else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
-               ftail = fprev = &ipfilter6[in][set];
-#endif
-       else
-               return ESRCH;
-
-       if ((group = fp->fr_group)) {
-               if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
-                       return ESRCH;
-               ftail = fprev = fg->fg_start;
-       }
-
-       bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
-       for (i = 0; i < 4; i++) {
-               if ((fp->fr_ifnames[i][1] == '\0') &&
-                   ((fp->fr_ifnames[i][0] == '-') ||
-                    (fp->fr_ifnames[i][0] == '*'))) {
-                       fp->fr_ifas[i] = NULL;
-               } else if (*fp->fr_ifnames[i]) {
-                       fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v);
-                       if (!fp->fr_ifas[i])
-                               fp->fr_ifas[i] = (void *)-1;
-               }
-       }
-
-       fdp = &fp->fr_dif;
-       fp->fr_flags &= ~FR_DUP;
-       if (*fdp->fd_ifname) {
-               fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
-               if (!fdp->fd_ifp)
-                       fdp->fd_ifp = (struct ifnet *)-1;
-               else
-                       fp->fr_flags |= FR_DUP;
-       }
-
-       fdp = &fp->fr_tif;
-       if (*fdp->fd_ifname) {
-               fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
-               if (!fdp->fd_ifp)
-                       fdp->fd_ifp = (struct ifnet *)-1;
-       }
-
-       /*
-        * Look for a matching filter rule, but don't include the next or
-        * interface pointer in the comparison (fr_next, fr_ifa).
-        */
-       for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
-            p < pp; p++)
-               fp->fr_cksum += *p;
-
-       for (; (f = *ftail); ftail = &f->fr_next)
-               if ((fp->fr_cksum == f->fr_cksum) &&
-                   !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
-                       break;
-
-       /*
-        * If zero'ing statistics, copy current to caller and zero.
-        */
-       if (req == SIOCZRLST) {
-               if (!f)
-                       return ESRCH;
-               error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
-               if (error)
-                       return EFAULT;
-               f->fr_hits = 0;
-               f->fr_bytes = 0;
-               return 0;
-       }
-
-       if (!f) {
-               if (req != SIOCINAFR && req != SIOCINIFR)
-                       while ((f = *ftail))
-                               ftail = &f->fr_next;
-               else {
-                       if (fp->fr_hits) {
-                               ftail = fprev;
-                               while (--fp->fr_hits && (f = *ftail))
-                                       ftail = &f->fr_next;
-                       }
-                       f = NULL;
-               }
-       }
-
-       if (req == SIOCRMAFR || req == SIOCRMIFR) {
-               if (!f)
-                       error = ESRCH;
-               else {
-                       /*
-                        * Only return EBUSY if there is a group list, else
-                        * it's probably just state information referencing
-                        * the rule.
-                        */
-                       if ((f->fr_ref > 1) && f->fr_grp)
-                               return EBUSY;
-                       if (fg && fg->fg_head)
-                               fg->fg_head->fr_ref--;
-                       if (unit == IPL_LOGAUTH) {
-                               return fr_preauthcmd(req, f, ftail);
-                       }
-                       if (f->fr_grhead)
-                               fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
-                                           unit, set);
-                       fixskip(fprev, f, -1);
-                       *ftail = f->fr_next;
-                       f->fr_next = NULL;
-                       f->fr_ref--;
-                       if (f->fr_ref == 0)
-                               KFREE(f);
-               }
-       } else {
-               if (f)
-                       error = EEXIST;
-               else {
-                       if (unit == IPL_LOGAUTH) {
-                               return fr_preauthcmd(req, fp, ftail);
-                       }
-                       KMALLOC(f, frentry_t *);
-                       if (f != NULL) {
-                               if (fg && fg->fg_head)
-                                       fg->fg_head->fr_ref++;
-                               bcopy((char *)fp, (char *)f, sizeof(*f));
-                               f->fr_ref = 1;
-                               f->fr_hits = 0;
-                               f->fr_next = *ftail;
-                               *ftail = f;
-                               if (req == SIOCINIFR || req == SIOCINAFR)
-                                       fixskip(fprev, f, 1);
-                               f->fr_grp = NULL;
-                               if ((group = f->fr_grhead))
-                                       fg = fr_addgroup(group, f, unit, set);
-                       } else
-                               error = ENOMEM;
-               }
-       }
-       return (error);
-}
-
-
-#ifdef _KERNEL
-/*
- * routines below for saving IP headers to buffer
- */
-# ifdef __sgi
-#  ifdef _KERNEL
-int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp)
-#  else
-int IPL_EXTERN(open)(dev_t dev, int flags)
-#  endif
-# else
-int IPL_EXTERN(open)(dev, flags
-#  if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
-     (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-struct proc *p;
-#  else
-)
-#  endif
-dev_t dev;
-int flags;
-# endif /* __sgi */
-{
-# if defined(__sgi) && defined(_KERNEL)
-       u_int min = geteminor(*pdev);
-# else
-       u_int min = GET_MINOR(dev);
-# endif
-
-       if (IPL_LOGMAX < min)
-               min = ENXIO;
-       else
-               min = 0;
-       return min;
-}
-
-
-# ifdef __sgi
-int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp)
-#else
-int IPL_EXTERN(close)(dev, flags
-#  if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
-     (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-struct proc *p;
-#  else
-)
-#  endif
-dev_t dev;
-int flags;
-# endif /* __sgi */
-{
-       u_int   min = GET_MINOR(dev);
-
-       if (IPL_LOGMAX < min)
-               min = ENXIO;
-       else
-               min = 0;
-       return min;
-}
-
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-# ifdef __sgi
-int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp)
-# else
-#  if BSD >= 199306
-int IPL_EXTERN(read)(dev, uio, ioflag)
-int ioflag;
-#  else
-int IPL_EXTERN(read)(dev, uio)
-#  endif
-dev_t dev;
-register struct uio *uio;
-# endif /* __sgi */
-{
-# ifdef IPFILTER_LOG
-       return ipflog_read(GET_MINOR(dev), uio);
-# else
-       return ENXIO;
-# endif
-}
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(oip, fin)
-struct ip *oip;
-fr_info_t *fin;
-{
-       struct tcphdr *tcp, *tcp2;
-       int tlen = 0, hlen;
-       struct mbuf *m;
-#ifdef USE_INET6
-       ip6_t *ip6, *oip6 = (ip6_t *)oip;
-#endif
-       ip_t *ip;
-
-       tcp = (struct tcphdr *)fin->fin_dp;
-       if (tcp->th_flags & TH_RST)
-               return -1;              /* feedback loop */
-# if   (BSD < 199306) || defined(__sgi)
-       m = m_get(M_DONTWAIT, MT_HEADER);
-# else
-       m = m_gethdr(M_DONTWAIT, MT_HEADER);
-# endif
-       if (m == NULL)
-               return ENOBUFS;
-       if (m == NULL)
-               return -1;
-
-       tlen = fin->fin_dlen - (tcp->th_off << 2) +
-                       ((tcp->th_flags & TH_SYN) ? 1 : 0) +
-                       ((tcp->th_flags & TH_FIN) ? 1 : 0);
-
-#ifdef USE_INET6
-       hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
-#else
-       hlen = sizeof(ip_t);
-#endif
-       m->m_len = sizeof(*tcp2) + hlen;
-# if   BSD >= 199306
-       m->m_data += max_linkhdr;
-       m->m_pkthdr.len = m->m_len;
-       m->m_pkthdr.rcvif = (struct ifnet *)0;
-# endif
-       ip = mtod(m, struct ip *);
-# ifdef        USE_INET6
-       ip6 = (ip6_t *)ip;
-# endif
-       bzero((char *)ip, sizeof(*tcp2) + hlen);
-       tcp2 = (struct tcphdr *)((char *)ip + hlen);
-
-       tcp2->th_sport = tcp->th_dport;
-       tcp2->th_dport = tcp->th_sport;
-       if (tcp->th_flags & TH_ACK) {
-               tcp2->th_seq = tcp->th_ack;
-               tcp2->th_flags = TH_RST;
-       } else {
-               tcp2->th_ack = ntohl(tcp->th_seq);
-               tcp2->th_ack += tlen;
-               tcp2->th_ack = htonl(tcp2->th_ack);
-               tcp2->th_flags = TH_RST|TH_ACK;
-       }
-       tcp2->th_off = sizeof(*tcp2) >> 2;
-# ifdef        USE_INET6
-       if (fin->fin_v == 6) {
-               ip6->ip6_plen = htons(sizeof(struct tcphdr));
-               ip6->ip6_nxt = IPPROTO_TCP;
-               ip6->ip6_src = oip6->ip6_dst;
-               ip6->ip6_dst = oip6->ip6_src;
-               tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
-                                        sizeof(*ip6), sizeof(*tcp2));
-               return send_ip(oip, fin, &m);
-       }
-# endif
-       ip->ip_p = IPPROTO_TCP;
-       ip->ip_len = htons(sizeof(struct tcphdr));
-       ip->ip_src.s_addr = oip->ip_dst.s_addr;
-       ip->ip_dst.s_addr = oip->ip_src.s_addr;
-       tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
-       ip->ip_len = hlen + sizeof(*tcp2);
-       return send_ip(oip, fin, &m);
-}
-
-
-/*
- * Send an IP(v4/v6) datagram out into the network
- */
-static int send_ip(oip, fin, mp)
-ip_t *oip;
-fr_info_t *fin;
-struct mbuf **mp;
-{
-       struct mbuf *m = *mp;
-       int error, hlen;
-       fr_info_t frn;
-       ip_t *ip;
-
-       bzero((char *)&frn, sizeof(frn));
-       frn.fin_ifp = fin->fin_ifp;
-       frn.fin_v = fin->fin_v;
-       frn.fin_out = fin->fin_out;
-       frn.fin_mp = fin->fin_mp;
-
-       ip = mtod(m, ip_t *);
-       hlen = sizeof(*ip);
-
-       ip->ip_v = fin->fin_v;
-       if (ip->ip_v == 4) {
-               ip->ip_hl = (sizeof(*oip) >> 2);
-               ip->ip_v = IPVERSION;
-               ip->ip_tos = oip->ip_tos;
-               ip->ip_id = oip->ip_id;
-
-# if defined(__NetBSD__) || \
-     (defined(__OpenBSD__) && (OpenBSD >= 200012))
-               if (ip_mtudisc != 0)
-                       ip->ip_off = IP_DF;
-# else
-#  if defined(__sgi)
-               if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
-                       ip->ip_off = IP_DF;
-#  endif
-# endif
-
-# if (BSD < 199306) || defined(__sgi)
-               ip->ip_ttl = tcp_ttl;
-# else
-               ip->ip_ttl = ip_defttl;
-# endif
-               ip->ip_sum = 0;
-               frn.fin_dp = (char *)(ip + 1);
-       }
-# ifdef        USE_INET6
-       else if (ip->ip_v == 6) {
-               ip6_t *ip6 = (ip6_t *)ip;
-
-               hlen = sizeof(*ip6);
-               ip6->ip6_hlim = 127;
-               frn.fin_dp = (char *)(ip6 + 1);
-       }
-# endif
-# ifdef        IPSEC
-       m->m_pkthdr.rcvif = NULL;
-# endif
-
-       fr_makefrip(hlen, ip, &frn);
-
-       error = ipfr_fastroute(m, mp, &frn, NULL);
-       return error;
-}
-
-
-int send_icmp_err(oip, type, fin, dst)
-ip_t *oip;
-int type;
-fr_info_t *fin;
-int dst;
-{
-       int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
-       u_short shlen, slen = 0, soff = 0;
-       struct in_addr dst4;
-       struct icmp *icmp;
-       struct mbuf *m;
-       void *ifp;
-#ifdef USE_INET6
-       ip6_t *ip6, *oip6 = (ip6_t *)oip;
-       struct in6_addr dst6;
-#endif
-       ip_t *ip;
-
-       if ((type < 0) || (type > ICMP_MAXTYPE))
-               return -1;
-
-       code = fin->fin_icode;
-#ifdef USE_INET6
-       if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
-               return -1;
-#endif
-
-       avail = 0;
-       m = NULL;
-       ifp = fin->fin_ifp;
-       if (fin->fin_v == 4) {
-               if ((oip->ip_p == IPPROTO_ICMP) &&
-                   !(fin->fin_fi.fi_fl & FI_SHORT))
-                       switch (ntohs(fin->fin_data[0]) >> 8)
-                       {
-                       case ICMP_ECHO :
-                       case ICMP_TSTAMP :
-                       case ICMP_IREQ :
-                       case ICMP_MASKREQ :
-                               break;
-                       default :
-                               return 0;
-                       }
-
-# if   (BSD < 199306) || defined(__sgi)
-               avail = MLEN;
-               m = m_get(M_DONTWAIT, MT_HEADER);
-# else
-               avail = MHLEN;
-               m = m_gethdr(M_DONTWAIT, MT_HEADER);
-# endif
-               if (m == NULL)
-                       return ENOBUFS;
-
-               if (dst == 0) {
-                       if (fr_ifpaddr(4, ifp, &dst4) == -1)
-                               return -1;
-               } else
-                       dst4.s_addr = oip->ip_dst.s_addr;
-
-               hlen = sizeof(ip_t);
-               ohlen = oip->ip_hl << 2;
-               xtra = 8;
-       }
-
-#ifdef USE_INET6
-       else if (fin->fin_v == 6) {
-               hlen = sizeof(ip6_t);
-               ohlen = sizeof(ip6_t);
-               type = icmptoicmp6types[type];
-               if (type == ICMP6_DST_UNREACH)
-                       code = icmptoicmp6unreach[code];
-
-               MGETHDR(m, M_DONTWAIT, MT_HEADER);
-               if (!m)
-                       return ENOBUFS;
-
-               MCLGET(m, M_DONTWAIT);
-               if ((m->m_flags & M_EXT) == 0) {
-                       m_freem(m);
-                       return ENOBUFS;
-               }
-# ifdef        M_TRAILINGSPACE
-               m->m_len = 0;
-               avail = M_TRAILINGSPACE(m);
-# else
-               avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
-# endif
-               xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t),
-                          avail - hlen - sizeof(*icmp) - max_linkhdr);
-               if (dst == 0) {
-                       if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1)
-                               return -1;
-               } else
-                       dst6 = oip6->ip6_dst;
-       }
-#endif
-
-       iclen = hlen + sizeof(*icmp);
-# if   BSD >= 199306
-       avail -= (max_linkhdr + iclen);
-       m->m_data += max_linkhdr;
-       m->m_pkthdr.rcvif = (struct ifnet *)0;
-       if (xtra > avail)
-               xtra = avail;
-       iclen += xtra;
-       m->m_pkthdr.len = iclen;
-#else
-       avail -= (m->m_off + iclen);
-       if (xtra > avail)
-               xtra = avail;
-       iclen += xtra;
-#endif
-       m->m_len = iclen;
-       ip = mtod(m, ip_t *);
-       icmp = (struct icmp *)((char *)ip + hlen);
-       bzero((char *)ip, iclen);
-
-       icmp->icmp_type = type;
-       icmp->icmp_code = fin->fin_icode;
-       icmp->icmp_cksum = 0;
-#ifdef icmp_nextmtu
-       if (type == ICMP_UNREACH &&
-           fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
-               icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu);
-#endif
-
-       if (avail) {
-               bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
-               avail -= MIN(ohlen, avail);
-       }
-
-#ifdef USE_INET6
-       ip6 = (ip6_t *)ip;
-       if (fin->fin_v == 6) {
-               ip6->ip6_flow = 0;
-               ip6->ip6_plen = htons(iclen - hlen);
-               ip6->ip6_nxt = IPPROTO_ICMPV6;
-               ip6->ip6_hlim = 0;
-               ip6->ip6_src = dst6;
-               ip6->ip6_dst = oip6->ip6_src;
-               if (avail)
-                       bcopy((char *)oip + ohlen,
-                             (char *)&icmp->icmp_ip + ohlen, avail);
-               icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
-                                            sizeof(*ip6), iclen - hlen);
-       } else
-#endif
-       {
-               slen = oip->ip_len;
-               oip->ip_len = htons(oip->ip_len);
-               soff = oip->ip_off;
-               oip->ip_off = htons(ip->ip_off);
-
-               ip->ip_src.s_addr = dst4.s_addr;
-               ip->ip_dst.s_addr = oip->ip_src.s_addr;
-
-               if (avail > 8)
-                       avail = 8;
-               if (avail)
-                       bcopy((char *)oip + ohlen,
-                             (char *)&icmp->icmp_ip + ohlen, avail);
-               icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
-                                            sizeof(*icmp) + 8);
-               ip->ip_len = iclen;
-               ip->ip_p = IPPROTO_ICMP;
-       }
-
-       shlen = fin->fin_hlen;
-       fin->fin_hlen = hlen;
-       err = send_ip(oip, fin, &m);
-       fin->fin_hlen = shlen;
-#ifdef USE_INET6
-       if (fin->fin_v == 4)
-#endif
-       {
-               oip->ip_len = slen;
-               oip->ip_off = soff;
-       }
-       return err;
-}
-
-
-# if !defined(IPFILTER_LKM) && !defined(__sgi) && \
-     (!defined(__FreeBSD_version) || (__FreeBSD_version < 300000))
-#  if  (BSD < 199306)
-int iplinit __P((void));
-
-int
-#  else
-void iplinit __P((void));
-
-void
-#  endif
-iplinit()
-{
-
-#  if defined(__NetBSD__) || defined(__OpenBSD__)
-       if (ipl_enable() != 0)
-#  else
-       if (iplattach() != 0)
-#  endif
-       {
-               printf("IP Filter failed to attach\n");
-       }
-       ip_init();
-}
-# endif /* ! __NetBSD__ */
-
-
-/*
- * Return the length of the entire mbuf.
- */
-size_t mbufchainlen(m0)
-register struct mbuf *m0;
-{
-#if BSD >= 199306
-       return m0->m_pkthdr.len;
-#else
-       register size_t len = 0;
-
-       for (; m0; m0 = m0->m_next)
-               len += m0->m_len;
-       return len;
-#endif
-}
-
-
-int ipfr_fastroute(m0, mpp, fin, fdp)
-struct mbuf *m0, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
-{
-       register struct ip *ip, *mhip;
-       register struct mbuf *m = m0;
-       register struct route *ro;
-       int len, off, error = 0, hlen, code;
-       struct ifnet *ifp, *sifp;
-       struct sockaddr_in *dst;
-       struct route iproute;
-       frentry_t *fr;
-
-       ip = NULL;
-       ro = NULL;
-       ifp = NULL;
-       ro = &iproute;
-       ro->ro_rt = NULL;
-
-#ifdef USE_INET6
-       if (fin->fin_v == 6) {
-               error = ipfr_fastroute6(m0, mpp, fin, fdp);
-               if (error != 0)
-                       goto bad;
-               goto done;
-       }
-#else
-       if (fin->fin_v == 6)
-               goto bad;
-#endif
-
-#ifdef M_WRITABLE
-       /*
-        * HOT FIX/KLUDGE:
-        *
-        * If the mbuf we're about to send is not writable (because of
-        * a cluster reference, for example) we'll need to make a copy
-        * of it since this routine modifies the contents.
-        *
-        * If you have non-crappy network hardware that can transmit data
-        * from the mbuf, rather than making a copy, this is gonna be a
-        * problem.
-        */
-       if (M_WRITABLE(m) == 0) {
-               if ((m0 = m_dup(m, M_DONTWAIT)) != NULL) {
-                       m_freem(*mpp);
-                       *mpp = m0;
-                       m = m0;
-               } else {
-                       error = ENOBUFS;
-                       m_freem(*mpp);
-                       goto done;
-               }
-       }
-#endif
-
-       hlen = fin->fin_hlen;
-       ip = mtod(m0, struct ip *);
-
-#if defined(__NetBSD__) && defined(M_CSUM_IPv4)
-       /*
-        * Clear any in-bound checksum flags for this packet.
-        */
-# if (__NetBSD_Version__ > 105009999)
-       m0->m_pkthdr.csum_flags = 0;
-# else
-       m0->m_pkthdr.csuminfo = 0;
-# endif
-#endif /* __NetBSD__ && M_CSUM_IPv4 */
-
-       /*
-        * Route packet.
-        */
-#if defined(__sgi) && (IRIX >= 605)
-       ROUTE_RDLOCK();
-#endif
-       bzero((caddr_t)ro, sizeof (*ro));
-       dst = (struct sockaddr_in *)&ro->ro_dst;
-       dst->sin_family = AF_INET;
-       dst->sin_addr = ip->ip_dst;
-
-       fr = fin->fin_fr;
-       if (fdp != NULL)
-               ifp = fdp->fd_ifp;
-       else
-               ifp = fin->fin_ifp;
-
-       /*
-        * In case we're here due to "to <if>" being used with "keep state",
-        * check that we're going in the correct direction.
-        */
-       if ((fr != NULL) && (fin->fin_rev != 0)) {
-               if ((ifp != NULL) && (fdp == &fr->fr_tif))
-                       return 0;
-       } else if (fdp != NULL) {
-               if (fdp->fd_ip.s_addr != 0)
-                       dst->sin_addr = fdp->fd_ip;
-       }
-
-# if BSD >= 199306
-       dst->sin_len = sizeof(*dst);
-# endif
-# if   (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
-       !defined(__OpenBSD__)
-#  ifdef       RTF_CLONING
-       rtalloc_ign(ro, RTF_CLONING);
-#  else
-       rtalloc_ign(ro, RTF_PRCLONING);
-#  endif
-# else
-       rtalloc(ro);
-# endif
-
-#if defined(__sgi) && (IRIX > 602)
-       ROUTE_UNLOCK();
-#endif
-
-       if (!ifp) {
-               if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
-                       error = -2;
-                       goto bad;
-               }
-       }
-
-       if ((ifp == NULL) && (ro->ro_rt != NULL))
-               ifp = ro->ro_rt->rt_ifp;
-
-       if ((ro->ro_rt == NULL) || (ifp == NULL)) {
-               if (in_localaddr(ip->ip_dst))
-                       error = EHOSTUNREACH;
-               else
-                       error = ENETUNREACH;
-               goto bad;
-       }
-
-       if (ro->ro_rt->rt_flags & RTF_GATEWAY) {
-#if BSD >= 199306
-               dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
-#else
-               dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
-#endif
-       }
-       ro->ro_rt->rt_use++;
-
-       /*
-        * For input packets which are being "fastrouted", they won't
-        * go back through output filtering and miss their chance to get
-        * NAT'd and counted.
-        */
-       if (fin->fin_out == 0) {
-               sifp = fin->fin_ifp;
-               fin->fin_ifp = ifp;
-               fin->fin_out = 1;
-               if ((fin->fin_fr = ipacct[1][fr_active]) &&
-                   (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
-                       ATOMIC_INCL(frstats[1].fr_acct);
-               }
-               fin->fin_fr = NULL;
-               if (!fr || !(fr->fr_flags & FR_RETMASK))
-                       (void) fr_checkstate(ip, fin);
-               (void) ip_natout(ip, fin);
-               fin->fin_ifp = sifp;
-       } else
-               ip->ip_sum = 0;
-       /*
-        * If small enough for interface, can just send directly.
-        */
-       if (ip->ip_len <= ifp->if_mtu) {
-# ifndef sparc
-#  if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
-      !(__NetBSD_Version__ >= 105110000)
-               ip->ip_id = htons(ip->ip_id);
-#  endif
-               ip->ip_len = htons(ip->ip_len);
-               ip->ip_off = htons(ip->ip_off);
-# endif
-# if defined(__NetBSD__) && defined(M_CSUM_IPv4)
-#  if (__NetBSD_Version__ > 105009999)
-               if (ifp->if_csum_flags_tx & IFCAP_CSUM_IPv4)
-                       m->m_pkthdr.csum_flags |= M_CSUM_IPv4;
-               else if (ip->ip_sum == 0)
-                       ip->ip_sum = in_cksum(m, hlen);
-#  else
-               if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
-                       m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
-               else if (ip->ip_sum == 0)
-                       ip->ip_sum = in_cksum(m, hlen);
-#  endif
-# else
-               if (!ip->ip_sum)
-                       ip->ip_sum = in_cksum(m, hlen);
-# endif /* __NetBSD__ && M_CSUM_IPv4 */
-# if   (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
-               error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
-                                         ro->ro_rt);
-# else
-               error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
-# endif
-               goto done;
-       }
-
-       /*
-        * Too large for interface; fragment if possible.
-        * Must be able to put at least 8 bytes per fragment.
-        */
-       if (ip->ip_off & IP_DF) {
-               error = EMSGSIZE;
-               goto bad;
-       }
-       len = (ifp->if_mtu - hlen) &~ 7;
-       if (len < 8) {
-               error = EMSGSIZE;
-               goto bad;
-       }
-
-    {
-       int mhlen, firstlen = len;
-       struct mbuf **mnext = &m->m_act;
-
-       /*
-        * Loop through length of segment after first fragment,
-        * make new header and copy data of each part and link onto chain.
-        */
-       m0 = m;
-       mhlen = sizeof (struct ip);
-       for (off = hlen + len; off < ip->ip_len; off += len) {
-# ifdef        MGETHDR
-               MGETHDR(m, M_DONTWAIT, MT_HEADER);
-# else
-               MGET(m, M_DONTWAIT, MT_HEADER);
-# endif
-               if (m == 0) {
-                       error = ENOBUFS;
-                       goto bad;
-               }
-# if BSD >= 199306
-               m->m_data += max_linkhdr;
-# else
-               m->m_off = MMAXOFF - hlen;
-# endif
-               mhip = mtod(m, struct ip *);
-               bcopy((char *)ip, (char *)mhip, sizeof(*ip));
-               if (hlen > sizeof (struct ip)) {
-                       mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
-                       mhip->ip_hl = mhlen >> 2;
-               }
-               m->m_len = mhlen;
-               mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
-               if (ip->ip_off & IP_MF)
-                       mhip->ip_off |= IP_MF;
-               if (off + len >= ip->ip_len)
-                       len = ip->ip_len - off;
-               else
-                       mhip->ip_off |= IP_MF;
-               mhip->ip_len = htons((u_short)(len + mhlen));
-               m->m_next = m_copy(m0, off, len);
-               if (m->m_next == 0) {
-                       error = ENOBUFS;        /* ??? */
-                       goto sendorfree;
-               }
-# if BSD >= 199306
-               m->m_pkthdr.len = mhlen + len;
-               m->m_pkthdr.rcvif = NULL;
-# endif
-               mhip->ip_off = htons((u_short)mhip->ip_off);
-               mhip->ip_sum = 0;
-               mhip->ip_sum = in_cksum(m, mhlen);
-               *mnext = m;
-               mnext = &m->m_act;
-       }
-       /*
-        * Update first fragment by trimming what's been copied out
-        * and updating header, then send each fragment (in order).
-        */
-       m_adj(m0, hlen + firstlen - ip->ip_len);
-       ip->ip_len = htons((u_short)(hlen + firstlen));
-       ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
-       ip->ip_sum = 0;
-       ip->ip_sum = in_cksum(m0, hlen);
-sendorfree:
-       for (m = m0; m; m = m0) {
-               m0 = m->m_act;
-               m->m_act = 0;
-               if (error == 0)
-# if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605))
-                       error = (*ifp->if_output)(ifp, m,
-                           (struct sockaddr *)dst, ro->ro_rt);
-# else
-                       error = (*ifp->if_output)(ifp, m,
-                           (struct sockaddr *)dst);
-# endif
-               else
-                       m_freem(m);
-       }
-    }  
-done:
-       if (!error)
-               ipl_frouteok[0]++;
-       else
-               ipl_frouteok[1]++;
-
-       if (ro->ro_rt != NULL) {
-               RTFREE(ro->ro_rt);
-       }
-       *mpp = NULL;
-       return error;
-bad:
-       if ((error == EMSGSIZE) && (fin->fin_v == 4)) {
-               sifp = fin->fin_ifp;
-               code = fin->fin_icode;
-               fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
-               fin->fin_ifp = ifp;
-               (void) send_icmp_err(ip, ICMP_UNREACH, fin, 1);
-               fin->fin_ifp = sifp;
-               fin->fin_icode = code;
-       }
-       m_freem(m);
-       goto done;
-}
-
-
-/*
- * Return true or false depending on whether the route to the
- * given IP address uses the same interface as the one passed.
- */
-int fr_verifysrc(ipa, ifp)
-struct in_addr ipa;
-void *ifp;
-{
-       struct sockaddr_in *dst;
-       struct route iproute;
-
-       bzero((char *)&iproute, sizeof(iproute));
-       dst = (struct sockaddr_in *)&iproute.ro_dst;
-# if    (BSD >= 199306)
-       dst->sin_len = sizeof(*dst);
-# endif
-       dst->sin_family = AF_INET;
-       dst->sin_addr = ipa;
-# if    (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
-        !defined(__OpenBSD__)
-#  ifdef        RTF_CLONING
-       rtalloc_ign(&iproute, RTF_CLONING);
-#  else
-       rtalloc_ign(&iproute, RTF_PRCLONING);
-#  endif
-# else
-       rtalloc(&iproute);
-# endif
-       if (iproute.ro_rt == NULL)
-               return 0;
-       return (ifp == iproute.ro_rt->rt_ifp);
-}
-
-
-# ifdef        USE_GETIFNAME
-char *
-get_ifname(ifp)
-struct ifnet *ifp;
-{
-       static char workbuf[64];
-
-       sprintf(workbuf, "%s%d", ifp->if_name, ifp->if_unit);
-       return workbuf;
-}
-# endif
-
-
-# if defined(USE_INET6)
-/*
- * This is the IPv6 specific fastroute code.  It doesn't clean up the mbuf's
- * or ensure that it is an IPv6 packet that is being forwarded, those are
- * expected to be done by the called (ipfr_fastroute).
- */
-static int ipfr_fastroute6(m0, mpp, fin, fdp)
-struct mbuf *m0, **mpp;
-fr_info_t *fin;
-frdest_t *fdp;
-{
-       struct route_in6 ip6route;
-       struct sockaddr_in6 *dst6;
-       struct route_in6 *ro;
-       struct ifnet *ifp;
-       frentry_t *fr;
-#if defined(OpenBSD) && (OpenBSD >= 200211)
-       struct route_in6 *ro_pmtu = NULL;
-       struct in6_addr finaldst;
-       ip6_t *ip6;
-#endif
-       u_long mtu;
-       int error;
-
-       ifp = NULL;
-       ro = &ip6route;
-       fr = fin->fin_fr;
-       bzero((caddr_t)ro, sizeof(*ro));
-       dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
-       dst6->sin6_family = AF_INET6;
-       dst6->sin6_len = sizeof(struct sockaddr_in6);
-       dst6->sin6_addr = fin->fin_fi.fi_src.in6;
-
-       if (fdp != NULL)
-               ifp = fdp->fd_ifp;
-
-       if ((fr != NULL) && (fin->fin_rev != 0)) {
-               if ((ifp != NULL) && (fdp == &fr->fr_tif))
-                       return 0;
-       } else if (fdp != NULL) {
-               if (IP6_NOTZERO(&fdp->fd_ip6))
-                       dst6->sin6_addr = fdp->fd_ip6.in6;
-       }
-       if ((ifp == NULL) && ((fr == NULL) || !(fr->fr_flags & FR_FASTROUTE)))
-               return -2;
-
-       rtalloc((struct route *)ro);
-
-       if ((ifp == NULL) && (ro->ro_rt != NULL))
-               ifp = ro->ro_rt->rt_ifp;
-
-       if ((ro->ro_rt == NULL) || (ifp == NULL) ||
-           (ifp != ro->ro_rt->rt_ifp)) {
-               error = EHOSTUNREACH;
-       } else {
-               if (ro->ro_rt->rt_flags & RTF_GATEWAY)
-                       dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
-               ro->ro_rt->rt_use++;
-
-#if defined(OpenBSD) && (OpenBSD >= 200211)
-               ip6 = mtod(m0, ip6_t *);
-               ro_pmtu = ro;
-               finaldst = ip6->ip6_dst;
-               error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
-               if (error == 0) {
-#else
-                       mtu = nd_ifinfo[ifp->if_index].linkmtu;
-#endif
-                       if (m0->m_pkthdr.len <= mtu)
-                               error = nd6_output(ifp, fin->fin_ifp, m0,
-                                                  dst6, ro->ro_rt);
-                       else
-                               error = EMSGSIZE;
-#if defined(OpenBSD) && (OpenBSD >= 200211)
-               }
-#endif
-       }
-
-       if (ro->ro_rt != NULL) {
-               RTFREE(ro->ro_rt);
-       }
-       return error;
-}
-# endif
-#else /* #ifdef _KERNEL */
-
-
-# if defined(__sgi) && (IRIX < 605)
-static int no_output __P((struct ifnet *ifp, struct mbuf *m,
-                          struct sockaddr *s))
-# else
-static int no_output __P((struct ifnet *ifp, struct mbuf *m,
-                          struct sockaddr *s, struct rtentry *rt))
-# endif
-{
-       return 0;
-}
-
-
-# ifdef __STDC__
-#  if defined(__sgi) && (IRIX < 605)
-static int write_output __P((struct ifnet *ifp, struct mbuf *m,
-                            struct sockaddr *s))
-#  else
-static int write_output __P((struct ifnet *ifp, struct mbuf *m,
-                            struct sockaddr *s, struct rtentry *rt))
-#  endif
-{
-       ip_t *ip = (ip_t *)m;
-# else
-static int write_output(ifp, ip)
-struct ifnet *ifp;
-ip_t *ip;
-{
-# endif
-       char fname[32];
-       int fd;
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-       (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(__DragonFly__)
-       sprintf(fname, "%s", ifp->if_xname);
-# else
-       sprintf(fname, "%s%d", ifp->if_name, ifp->if_unit);
-# endif
-       fd = open(fname, O_WRONLY|O_APPEND);
-       if (fd == -1) {
-               perror("open");
-               return -1;
-       }
-       write(fd, (char *)ip, ntohs(ip->ip_len));
-       close(fd);
-       return 0;
-}
-
-
-char *get_ifname(ifp)
-struct ifnet *ifp;
-{
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-     (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(__DragonFly__)
-       return ifp->if_xname;
-# else
-       static char fullifname[LIFNAMSIZ];
-
-       sprintf(fullifname, "%s%d", ifp->if_name, ifp->if_unit);
-       return fullifname;
-# endif
-}
-
-
-struct ifnet *get_unit(ifname, v)
-char *ifname;
-int v;
-{
-       struct ifnet *ifp, **ifa, **old_ifneta;
-
-       for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-     (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(__DragonFly__)
-               if (!strncmp(ifname, ifp->if_xname, sizeof(ifp->if_xname)))
-# else
-               char fullname[LIFNAMSIZ];
-
-               sprintf(fullname, "%s%d", ifp->if_name, ifp->if_unit);
-               if (!strcmp(ifname, fullname))
-# endif
-                       return ifp;
-       }
-
-       if (!ifneta) {
-               ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
-               if (!ifneta)
-                       return NULL;
-               ifneta[1] = NULL;
-               ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
-               if (!ifneta[0]) {
-                       free(ifneta);
-                       return NULL;
-               }
-               nifs = 1;
-       } else {
-               old_ifneta = ifneta;
-               nifs++;
-               ifneta = (struct ifnet **)realloc(ifneta,
-                                                 (nifs + 1) * sizeof(*ifa));
-               if (!ifneta) {
-                       free(old_ifneta);
-                       nifs = 0;
-                       return NULL;
-               }
-               ifneta[nifs] = NULL;
-               ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
-               if (!ifneta[nifs - 1]) {
-                       nifs--;
-                       return NULL;
-               }
-       }
-       ifp = ifneta[nifs - 1];
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-     (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(__DragonFly__)
-       strncpy(ifp->if_xname, ifname, sizeof(ifp->if_xname));
-# else
-       ifp->if_name = strdup(ifname);
-
-       ifname = ifp->if_name;
-       while (*ifname && !isdigit(*ifname))
-               ifname++;
-       if (*ifname && isdigit(*ifname)) {
-               ifp->if_unit = atoi(ifname);
-               *ifname = '\0';
-       } else
-               ifp->if_unit = -1;
-# endif
-       ifp->if_output = no_output;
-       return ifp;
-}
-
-
-
-void init_ifp()
-{
-       struct ifnet *ifp, **ifa;
-       char fname[32];
-       int fd;
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
-       (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(__DragonFly__)
-       for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
-               ifp->if_output = write_output;
-               sprintf(fname, "/tmp/%s", ifp->if_xname);
-               fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
-               if (fd == -1)
-                       perror("open");
-               else
-                       close(fd);
-       }
-# else
-
-       for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
-               ifp->if_output = write_output;
-               sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
-               fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
-               if (fd == -1)
-                       perror("open");
-               else
-                       close(fd);
-       }
-# endif
-}
-
-
-int send_reset(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
-       verbose("- TCP RST sent\n");
-       return 0;
-}
-
-
-int send_icmp_err(ip, code, fin, dst)
-ip_t *ip;
-int code;
-fr_info_t *fin;
-int dst;
-{
-       verbose("- ICMP UNREACHABLE sent\n");
-       return 0;
-}
-
-
-void frsync()
-{
-       return;
-}
-
-void m_copydata(m, off, len, cp)
-mb_t *m;
-int off, len;
-caddr_t cp;
-{
-       bcopy((char *)m + off, cp, len);
-}
-
-
-int ipfuiomove(buf, len, rwflag, uio)
-caddr_t buf;
-int len, rwflag;
-struct uio *uio;
-{
-       int left, ioc, num, offset;
-       struct iovec *io;
-       char *start;
-
-       if (rwflag == UIO_READ) {
-               left = len;
-               ioc = 0;
-
-               offset = uio->uio_offset;
-
-               while ((left > 0) && (ioc < uio->uio_iovcnt)) {
-                       io = uio->uio_iov + ioc;
-                       num = io->iov_len;
-                       if (num > left)
-                               num = left;
-                       start = (char *)io->iov_base + offset;
-                       if (start > (char *)io->iov_base + io->iov_len) {
-                               offset -= io->iov_len;
-                               ioc++;
-                               continue;
-                       }
-                       bcopy(buf, start, num);
-                       uio->uio_resid -= num;
-                       uio->uio_offset += num;
-                       left -= num;
-                       if (left > 0)
-                               ioc++;
-               }
-               if (left > 0)
-                       return EFAULT;
-       }
-       return 0;
-}
-#endif /* _KERNEL */
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
deleted file mode 100644 (file)
index b97c796..0000000
+++ /dev/null
@@ -1,659 +0,0 @@
-/*
- * Copyright (C) 1993-2002 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h        1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $
- */
-
-#ifndef        __IP_FIL_H__
-#define        __IP_FIL_H__
-
-/*
- * Pathnames for various IP Filter control devices.  Used by LKM
- * and userland, so defined here.
- */
-#define        IPNAT_NAME      "/dev/ipnat"
-#define        IPSTATE_NAME    "/dev/ipstate"
-#define        IPAUTH_NAME     "/dev/ipauth"
-
-#ifndef        SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define       _KERNEL
-#endif
-
-#ifndef        __P
-# ifdef        __STDC__
-#  define      __P(x)  x
-# else
-#  define      __P(x)  ()
-# endif
-#endif
-
-#ifndef        offsetof
-# define       offsetof(t,m)   (int)((&((t *)0L)->m))
-#endif
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define       SIOCADAFR       _IOW('r', 60, struct frentry *)
-# define       SIOCRMAFR       _IOW('r', 61, struct frentry *)
-# define       SIOCSETFF       _IOW('r', 62, u_int)
-# define       SIOCGETFF       _IOR('r', 63, u_int)
-# define       SIOCGETFS       _IOWR('r', 64, struct friostat *)
-# define       SIOCIPFFL       _IOWR('r', 65, int)
-# define       SIOCIPFFB       _IOR('r', 66, int)
-# define       SIOCADIFR       _IOW('r', 67, struct frentry *)
-# define       SIOCRMIFR       _IOW('r', 68, struct frentry *)
-# define       SIOCSWAPA       _IOR('r', 69, u_int)
-# define       SIOCINAFR       _IOW('r', 70, struct frentry *)
-# define       SIOCINIFR       _IOW('r', 71, struct frentry *)
-# define       SIOCFRENB       _IOW('r', 72, u_int)
-# define       SIOCFRSYN       _IOW('r', 73, u_int)
-# define       SIOCFRZST       _IOWR('r', 74, struct friostat *)
-# define       SIOCZRLST       _IOWR('r', 75, struct frentry *)
-# define       SIOCAUTHW       _IOWR('r', 76, struct frauth *)
-# define       SIOCAUTHR       _IOWR('r', 77, struct frauth *)
-# define       SIOCATHST       _IOWR('r', 78, struct fr_authstat *)
-# define       SIOCSTLCK       _IOWR('r', 79, u_int)
-# define       SIOCSTPUT       _IOWR('r', 80, struct ipstate_save *)
-# define       SIOCSTGET       _IOWR('r', 81, struct ipstate_save *)
-# define       SIOCSTGSZ       _IOWR('r', 82, struct natget)
-# define       SIOCGFRST       _IOWR('r', 83, struct ipfrstat *)
-# define       SIOCIPFL6       _IOWR('r', 84, int)
-#else
-# define       SIOCADAFR       _IOW(r, 60, struct frentry *)
-# define       SIOCRMAFR       _IOW(r, 61, struct frentry *)
-# define       SIOCSETFF       _IOW(r, 62, u_int)
-# define       SIOCGETFF       _IOR(r, 63, u_int)
-# define       SIOCGETFS       _IOWR(r, 64, struct friostat *)
-# define       SIOCIPFFL       _IOWR(r, 65, int)
-# define       SIOCIPFFB       _IOR(r, 66, int)
-# define       SIOCADIFR       _IOW(r, 67, struct frentry *)
-# define       SIOCRMIFR       _IOW(r, 68, struct frentry *)
-# define       SIOCSWAPA       _IOR(r, 69, u_int)
-# define       SIOCINAFR       _IOW(r, 70, struct frentry *)
-# define       SIOCINIFR       _IOW(r, 71, struct frentry *)
-# define       SIOCFRENB       _IOW(r, 72, u_int)
-# define       SIOCFRSYN       _IOW(r, 73, u_int)
-# define       SIOCFRZST       _IOWR(r, 74, struct friostat *)
-# define       SIOCZRLST       _IOWR(r, 75, struct frentry *)
-# define       SIOCAUTHW       _IOWR(r, 76, struct frauth *)
-# define       SIOCAUTHR       _IOWR(r, 77, struct frauth *)
-# define       SIOCATHST       _IOWR(r, 78, struct fr_authstat *)
-# define       SIOCSTLCK       _IOWR(r, 79, u_int)
-# define       SIOCSTPUT       _IOWR(r, 80, struct ipstate_save *)
-# define       SIOCSTGET       _IOWR(r, 81, struct ipstate_save *)
-# define       SIOCSTGSZ       _IOWR(r, 82, struct natget)
-# define       SIOCGFRST       _IOWR(r, 83, struct ipfrstat *)
-# define       SIOCIPFL6       _IOWR(r, 84, int)
-#endif
-#define        SIOCADDFR       SIOCADAFR
-#define        SIOCDELFR       SIOCRMAFR
-#define        SIOCINSFR       SIOCINAFR
-
-
-typedef        struct  fr_ip   {
-       u_32_t  fi_v:4;         /* IP version */
-       u_32_t  fi_fl:4;        /* packet flags */
-       u_32_t  fi_tos:8;       /* IP packet TOS */
-       u_32_t  fi_ttl:8;       /* IP packet TTL */
-       u_32_t  fi_p:8;         /* IP packet protocol */
-       union   i6addr fi_src;  /* source address from packet */
-       union   i6addr fi_dst;  /* destination address from packet */
-       u_32_t  fi_optmsk;      /* bitmask composed from IP options */
-       u_short fi_secmsk;      /* bitmask composed from IP security options */
-       u_short fi_auth;        /* authentication code from IP sec. options */
-} fr_ip_t;
-
-#define        FI_OPTIONS      (FF_OPTIONS >> 24)
-#define        FI_TCPUDP       (FF_TCPUDP >> 24)       /* TCP/UCP implied comparison*/
-#define        FI_FRAG         (FF_FRAG >> 24)
-#define        FI_SHORT        (FF_SHORT >> 24)
-#define        FI_CMP          (FI_OPTIONS|FI_TCPUDP|FI_SHORT)
-
-#define        fi_saddr        fi_src.in4.s_addr
-#define        fi_daddr        fi_dst.in4.s_addr
-
-
-/*
- * These are both used by the state and NAT code to indicate that one port or
- * the other should be treated as a wildcard.
- */
-#define        FI_W_SPORT      0x00000100
-#define        FI_W_DPORT      0x00000200
-#define        FI_WILDP        (FI_W_SPORT|FI_W_DPORT)
-#define        FI_W_SADDR      0x00000400
-#define        FI_W_DADDR      0x00000800
-#define        FI_WILDA        (FI_W_SADDR|FI_W_DADDR)
-#define        FI_NEWFR        0x00001000      /* Create a filter rule */
-#define        FI_IGNOREPKT    0x00002000      /* Do not treat as a real packet */
-#define        FI_NORULE       0x00004000      /* Not direct a result of a rule */
-
-typedef        struct  fr_info {
-       void    *fin_ifp;               /* interface packet is `on' */
-       struct  fr_ip   fin_fi;         /* IP Packet summary */
-       u_short fin_data[2];            /* TCP/UDP ports, ICMP code/type */
-       u_int   fin_out;                /* in or out ? 1 == out, 0 == in */
-       u_short fin_hlen;               /* length of IP header in bytes */
-       u_char  fin_rev;                /* state only: 1 = reverse */
-       u_char  fin_tcpf;               /* TCP header flags (SYN, ACK, etc) */
-       u_int   fin_icode;              /* ICMP error to return */
-       u_32_t  fin_rule;               /* rule # last matched */
-       u_32_t  fin_group;              /* group number, -1 for none */
-       struct  frentry *fin_fr;        /* last matching rule */
-       char    *fin_dp;                /* start of data past IP header */
-       u_short fin_plen;
-       u_short fin_off;
-       u_short fin_dlen;               /* length of data portion of packet */
-       u_short fin_id;                 /* IP packet id field */
-       u_int   fin_misc;
-       void    *fin_mp;                /* pointer to pointer to mbuf */
-#if SOLARIS
-       void    *fin_qfm;               /* pointer to mblk where pkt starts */
-       void    *fin_qif;
-#endif
-} fr_info_t;
-
-#define        fin_v           fin_fi.fi_v
-#define        fin_p           fin_fi.fi_p
-#define        fin_saddr       fin_fi.fi_saddr
-#define        fin_src         fin_fi.fi_src.in4
-#define        fin_daddr       fin_fi.fi_daddr
-#define        fin_dst         fin_fi.fi_dst.in4
-#define        fin_fl          fin_fi.fi_fl
-
-/*
- * Size for compares on fr_info structures
- */
-#define        FI_CSIZE        offsetof(fr_info_t, fin_icode)
-#define        FI_LCSIZE       offsetof(fr_info_t, fin_dp)
-
-/*
- * For fin_misc
- */
-#define        FM_BADSTATE     0x00000001
-
-/*
- * Size for copying cache fr_info structure
- */
-#define        FI_COPYSIZE     offsetof(fr_info_t, fin_dp)
-
-typedef        struct  frdest  {
-       void    *fd_ifp;
-       union   i6addr  fd_ip6;
-       char    fd_ifname[LIFNAMSIZ];
-#if SOLARIS
-       mb_t    *fd_mp;                 /* cache resolver for to/dup-to */
-#endif
-} frdest_t;
-
-#define        fd_ip   fd_ip6.in4
-
-
-typedef        struct  frpcmp  {
-       int     frp_cmp;        /* data for port comparisons */
-       u_short frp_port;       /* top port for <> and >< */
-       u_short frp_top;        /* top port for <> and >< */
-} frpcmp_t;
-
-typedef        struct  frtuc   {
-       u_char  ftu_tcpfm;      /* tcp flags mask */
-       u_char  ftu_tcpf;       /* tcp flags */
-       frpcmp_t        ftu_src;
-       frpcmp_t        ftu_dst;
-} frtuc_t;
-
-#define        ftu_scmp        ftu_src.frp_cmp
-#define        ftu_dcmp        ftu_dst.frp_cmp
-#define        ftu_sport       ftu_src.frp_port
-#define        ftu_dport       ftu_dst.frp_port
-#define        ftu_stop        ftu_src.frp_top
-#define        ftu_dtop        ftu_dst.frp_top
-
-typedef        struct  frentry {
-       struct  frentry *fr_next;
-       struct  frentry *fr_grp;
-       int     fr_ref;         /* reference count - for grouping */
-       void    *fr_ifas[4];
-       /*
-        * These are only incremented when a packet  matches this rule and
-        * it is the last match
-        */
-       U_QUAD_T        fr_hits;
-       U_QUAD_T        fr_bytes;
-       /*
-        * Fields after this may not change whilst in the kernel.
-        */
-       struct  fr_ip   fr_ip;
-       struct  fr_ip   fr_mip; /* mask structure */
-
-
-       u_short fr_icmpm;       /* data for ICMP packets (mask) */
-       u_short fr_icmp;
-
-       u_int   fr_age[2];      /* aging for state */
-       frtuc_t fr_tuc;
-       u_32_t  fr_group;       /* group to which this rule belongs */
-       u_32_t  fr_grhead;      /* group # which this rule starts */
-       u_32_t  fr_flags;       /* per-rule flags && options (see below) */
-       u_int   fr_skip;        /* # of rules to skip */
-       u_int   fr_loglevel;    /* syslog log facility + priority */
-       int     (*fr_func) __P((int, ip_t *, fr_info_t *));     /* call this function */
-       int     fr_sap;         /* For solaris only */
-       u_char  fr_icode;       /* return ICMP code */
-       char    fr_ifnames[4][LIFNAMSIZ];
-       struct  frdest  fr_tif; /* "to" interface */
-       struct  frdest  fr_dif; /* duplicate packet interfaces */
-       u_int   fr_cksum;       /* checksum on filter rules for performance */
-} frentry_t;
-
-#define        fr_v            fr_ip.fi_v
-#define        fr_proto        fr_ip.fi_p
-#define        fr_ttl          fr_ip.fi_ttl
-#define        fr_tos          fr_ip.fi_tos
-#define        fr_tcpfm        fr_tuc.ftu_tcpfm
-#define        fr_tcpf         fr_tuc.ftu_tcpf
-#define        fr_scmp         fr_tuc.ftu_scmp
-#define        fr_dcmp         fr_tuc.ftu_dcmp
-#define        fr_dport        fr_tuc.ftu_dport
-#define        fr_sport        fr_tuc.ftu_sport
-#define        fr_stop         fr_tuc.ftu_stop
-#define        fr_dtop         fr_tuc.ftu_dtop
-#define        fr_dst          fr_ip.fi_dst.in4
-#define        fr_src          fr_ip.fi_src.in4
-#define        fr_dmsk         fr_mip.fi_dst.in4
-#define        fr_smsk         fr_mip.fi_src.in4
-#define        fr_ifname       fr_ifnames[0]
-#define        fr_oifname      fr_ifnames[2]
-#define        fr_ifa          fr_ifas[0]
-#define        fr_oifa         fr_ifas[2]
-
-#define        FR_CMPSIZ       (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
-
-/*
- * fr_flags
- */
-#define        FR_BLOCK        0x00001 /* do not allow packet to pass */
-#define        FR_PASS         0x00002 /* allow packet to pass */
-#define        FR_OUTQUE       0x00004 /* outgoing packets */
-#define        FR_INQUE        0x00008 /* ingoing packets */
-#define        FR_LOG          0x00010 /* Log */
-#define        FR_LOGB         0x00011 /* Log-fail */
-#define        FR_LOGP         0x00012 /* Log-pass */
-#define        FR_NOTSRCIP     0x00020 /* not the src IP# */
-#define        FR_NOTDSTIP     0x00040 /* not the dst IP# */
-#define        FR_RETRST       0x00080 /* Return TCP RST packet - reset connection */
-#define        FR_RETICMP      0x00100 /* Return ICMP unreachable packet */
-#define        FR_FAKEICMP     0x00180 /* Return ICMP unreachable with fake source */
-#define        FR_NOMATCH      0x00200 /* no match occured */
-#define        FR_ACCOUNT      0x00400 /* count packet bytes */
-#define        FR_KEEPFRAG     0x00800 /* keep fragment information */
-#define        FR_KEEPSTATE    0x01000 /* keep `connection' state information */
-#define        FR_INACTIVE     0x02000
-#define        FR_QUICK        0x04000 /* match & stop processing list */
-#define        FR_FASTROUTE    0x08000 /* bypass normal routing */
-#define        FR_CALLNOW      0x10000 /* call another function (fr_func) if matches */
-#define        FR_DUP          0x20000 /* duplicate packet */
-#define        FR_LOGORBLOCK   0x40000 /* block the packet if it can't be logged */
-#define        FR_LOGBODY      0x80000 /* Log the body */
-#define        FR_LOGFIRST     0x100000        /* Log the first byte if state held */
-#define        FR_AUTH         0x200000        /* use authentication */
-#define        FR_PREAUTH      0x400000        /* require preauthentication */
-#define        FR_DONTCACHE    0x800000        /* don't cache the result */
-
-#define        FR_LOGMASK      (FR_LOG|FR_LOGP|FR_LOGB)
-#define        FR_RETMASK      (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
-
-/*
- * These correspond to #define's for FI_* and are stored in fr_flags
- */
-#define        FF_OPTIONS      0x01000000
-#define        FF_TCPUDP       0x02000000
-#define        FF_FRAG         0x04000000
-#define        FF_SHORT        0x08000000
-/*
- * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
- */
-#define        FF_LOGPASS      0x10000000
-#define        FF_LOGBLOCK     0x20000000
-#define        FF_LOGNOMATCH   0x40000000
-#define        FF_LOGGING      (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
-#define        FF_BLOCKNONIP   0x80000000      /* Solaris2 Only */
-
-#define        FR_NONE 0
-#define        FR_EQUAL 1
-#define        FR_NEQUAL 2
-#define FR_LESST 3
-#define FR_GREATERT 4
-#define FR_LESSTE 5
-#define FR_GREATERTE 6
-#define        FR_OUTRANGE 7
-#define        FR_INRANGE 8
-
-typedef        struct  filterstats {
-       u_long  fr_pass;        /* packets allowed */
-       u_long  fr_block;       /* packets denied */
-       u_long  fr_nom;         /* packets which don't match any rule */
-       u_long  fr_short;       /* packets which are short */
-       u_long  fr_ppkl;        /* packets allowed and logged */
-       u_long  fr_bpkl;        /* packets denied and logged */
-       u_long  fr_npkl;        /* packets unmatched and logged */
-       u_long  fr_pkl;         /* packets logged */
-       u_long  fr_skip;        /* packets to be logged but buffer full */
-       u_long  fr_ret;         /* packets for which a return is sent */
-       u_long  fr_acct;        /* packets for which counting was performed */
-       u_long  fr_bnfr;        /* bad attempts to allocate fragment state */
-       u_long  fr_nfr;         /* new fragment state kept */
-       u_long  fr_cfr;         /* add new fragment state but complete pkt */
-       u_long  fr_bads;        /* bad attempts to allocate packet state */
-       u_long  fr_ads;         /* new packet state kept */
-       u_long  fr_chit;        /* cached hit */
-       u_long  fr_tcpbad;      /* TCP checksum check failures */
-       u_long  fr_pull[2];     /* good and bad pullup attempts */
-       u_long  fr_badsrc;      /* source received doesn't match route */
-       u_long  fr_badttl;      /* TTL in packet doesn't reach minimum */
-#if SOLARIS
-       u_long  fr_notdata;     /* PROTO/PCPROTO that have no data */
-       u_long  fr_nodata;      /* mblks that have no data */
-       u_long  fr_bad;         /* bad IP packets to the filter */
-       u_long  fr_notip;       /* packets passed through no on ip queue */
-       u_long  fr_drop;        /* packets dropped - no info for them! */
-       u_long  fr_copy;        /* messages copied due to db_ref > 1 */
-#endif
-       u_long  fr_ipv6[2];     /* IPv6 packets in/out */
-} filterstats_t;
-
-/*
- * For SIOCGETFS
- */
-typedef        struct  friostat        {
-       struct  filterstats     f_st[2];
-       struct  frentry         *f_fin[2];
-       struct  frentry         *f_fout[2];
-       struct  frentry         *f_acctin[2];
-       struct  frentry         *f_acctout[2];
-       struct  frentry         *f_fin6[2];
-       struct  frentry         *f_fout6[2];
-       struct  frentry         *f_acctin6[2];
-       struct  frentry         *f_acctout6[2];
-       struct  frentry         *f_auth;
-       struct  frgroup         *f_groups[3][2];
-       u_long  f_froute[2];
-       int     f_defpass;      /* default pass - from fr_pass */
-       char    f_active;       /* 1 or 0 - active rule set */
-       char    f_running;      /* 1 if running, else 0 */
-       char    f_logging;      /* 1 if enabled, else 0 */
-       char    f_version[32];  /* version string */
-       int     f_locks[4];
-} friostat_t;
-
-typedef struct optlist {
-       u_short ol_val;
-       int     ol_bit;
-} optlist_t;
-
-
-/*
- * Group list structure.
- */
-typedef        struct frgroup {
-       u_32_t  fg_num;
-       struct  frgroup *fg_next;
-       struct  frentry *fg_head;
-       struct  frentry **fg_start;
-} frgroup_t;
-
-
-/*
- * Log structure.  Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef        struct  iplog   {
-       u_32_t          ipl_magic;
-       u_int           ipl_count;
-       struct  timeval ipl_tv;
-       size_t          ipl_dsize;
-       struct  iplog   *ipl_next;
-} iplog_t;
-
-#define        ipl_sec         ipl_tv.tv_sec
-#define        ipl_usec        ipl_tv.tv_usec
-
-#define IPL_MAGIC      0x49504c4d /* 'IPLM' */
-#define        IPLOG_SIZE      sizeof(iplog_t)
-
-typedef        struct  ipflog  {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
-        (defined(OpenBSD) && (OpenBSD >= 199603))
-       char    fl_ifname[LIFNAMSIZ];
-#else
-       u_int   fl_unit;
-       char    fl_ifname[LIFNAMSIZ];
-#endif
-       u_char  fl_plen;        /* extra data after hlen */
-       u_char  fl_hlen;        /* length of IP headers saved */
-       u_short fl_loglevel;    /* syslog log level */
-       u_32_t  fl_rule;
-       u_32_t  fl_group;
-       u_32_t  fl_flags;
-       u_char  fl_dir;
-       u_char  fl_pad[3];
-} ipflog_t;
-
-
-#ifndef        ICMP_UNREACH_FILTER
-# define       ICMP_UNREACH_FILTER     13
-#endif
-
-#ifndef        IPF_LOGGING
-# define       IPF_LOGGING     0
-#endif
-#ifndef        IPF_DEFAULT_PASS
-# define       IPF_DEFAULT_PASS        FR_PASS
-#endif
-
-#define        IPMINLEN(i, h)  ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#define        IPLLOGSIZE      8192
-
-#define        IPF_OPTCOPY     0x07ff00        /* bit mask of copied options */
-
-/*
- * Device filenames for reading log information.  Use ipf on Solaris2 because
- * ipl is already a name used by something else.
- */
-#ifndef        IPL_NAME
-# if   SOLARIS
-#  define      IPL_NAME        "/dev/ipf"
-# else
-#  define      IPL_NAME        "/dev/ipl"
-# endif
-#endif
-#define        IPL_NAT         IPNAT_NAME
-#define        IPL_STATE       IPSTATE_NAME
-#define        IPL_AUTH        IPAUTH_NAME
-
-#define        IPL_LOGIPF      0       /* Minor device #'s for accessing logs */
-#define        IPL_LOGNAT      1
-#define        IPL_LOGSTATE    2
-#define        IPL_LOGAUTH     3
-#define        IPL_LOGMAX      3
-
-#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
-    (__FreeBSD_version >= 220000)
-# define       CDEV_MAJOR      79
-#endif
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
- * on those hooks.  We don't need any special mods in non-IP Filter code
- * with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
-    (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# if (NetBSD >= 199905)
-#  define PFIL_HOOKS
-# endif
-# ifdef PFIL_HOOKS
-#  define NETBSD_PF
-# endif
-#endif
-
-
-#ifndef        _KERNEL
-extern char    *get_ifname __P((struct ifnet *));
-extern int     fr_check __P((ip_t *, int, void *, int, mb_t **));
-extern int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int     send_reset __P((ip_t *, fr_info_t *));
-extern int     send_icmp_err __P((ip_t *, int, fr_info_t *, int));
-extern int     ipf_log __P((void));
-extern struct  ifnet *get_unit __P((char *, int));
-extern int     mbuflen __P((mb_t *));
-# if defined(__NetBSD__) || defined(__OpenBSD__) || \
-         (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-extern int     iplioctl __P((dev_t, u_long, caddr_t, int));
-# else
-extern int     iplioctl __P((dev_t, int, caddr_t, int));
-# endif
-extern int     iplopen __P((dev_t, int));
-extern int     iplclose __P((dev_t, int));
-#else /* #ifndef _KERNEL */
-# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-extern void    ipfilterattach __P((int));
-# endif
-extern int     iplattach __P((void));
-extern int     ipl_enable __P((void));
-extern int     ipl_disable __P((void));
-extern int     send_icmp_err __P((ip_t *, int, fr_info_t *, int));
-extern int     send_reset __P((ip_t *, fr_info_t *));
-# if   SOLARIS
-extern int     fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
-extern int     (*fr_checkp) __P((ip_t *, int, void *,
-                                 int, qif_t *, mb_t **));
-#  if SOLARIS2 >= 7
-extern int     iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
-#  else
-extern int     iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
-#  endif
-extern int     iplopen __P((dev_t *, int, int, cred_t *));
-extern int     iplclose __P((dev_t, int, int, cred_t *));
-extern int     ipfsync __P((void));
-extern int     ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
-                                   fr_info_t *, frdest_t *));
-extern void    copyin_mblk __P((mblk_t *, size_t, size_t, char *));
-extern void    copyout_mblk __P((mblk_t *, size_t, size_t, char *));
-extern int     fr_qin __P((queue_t *, mblk_t *));
-extern int     fr_qout __P((queue_t *, mblk_t *));
-extern int     iplread __P((dev_t, struct uio *, cred_t *));
-# else /* SOLARIS */
-extern int     fr_check __P((ip_t *, int, void *, int, mb_t **));
-extern int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int     ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
-extern size_t  mbufchainlen __P((mb_t *));
-#  ifdef       __sgi
-#   include <sys/cred.h>
-extern int     iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
-extern int     iplopen __P((dev_t *, int, int, cred_t *));
-extern int     iplclose __P((dev_t, int, int, cred_t *));
-extern int     iplread __P((dev_t, struct uio *, cred_t *));
-extern int     ipfsync __P((void));
-extern int     ipfilter_sgi_attach __P((void));
-extern void    ipfilter_sgi_detach __P((void));
-extern void    ipfilter_sgi_intfsync __P((void));
-#  else
-#   ifdef      IPFILTER_LKM
-extern int     iplidentify __P((char *));
-#   endif
-#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
-      (NetBSD >= 199511) || defined(__OpenBSD__)
-#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
-       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
-extern int     iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
-#    else
-extern int     iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
-#    endif
-extern int     iplopen __P((dev_t, int, int, struct proc *));
-extern int     iplclose __P((dev_t, int, int, struct proc *));
-#   else
-#    ifndef    linux
-extern int     iplopen __P((dev_t, int));
-extern int     iplclose __P((dev_t, int));
-extern int     iplioctl __P((dev_t, int, caddr_t, int));
-#    else
-extern int     iplioctl(struct inode *, struct file *, u_int, u_long);
-extern int     iplopen __P((struct inode *, struct file *));
-extern void    iplclose __P((struct inode *, struct file *));
-#    endif /* !linux */
-#   endif /* (_BSDI_VERSION >= 199510) */
-#   if BSD >= 199306
-extern int     iplread __P((dev_t, struct uio *, int));
-#   else
-#    ifndef linux
-extern int     iplread __P((dev_t, struct uio *));
-#    else
-extern int     iplread(struct inode *, struct file *, char *, int);
-#    endif /* !linux */
-#   endif /* BSD >= 199306 */
-#  endif /* __ sgi */
-# endif /* SOLARIS */
-#endif /* #ifndef _KERNEL */
-
-extern char    *memstr __P((char *, char *, int, int));
-extern void    fixskip __P((frentry_t **, frentry_t *, int));
-extern int     countbits __P((u_32_t));
-extern int     ipldetach __P((void));
-extern u_short ipf_cksum __P((u_short *, int));
-extern int     ircopyptr __P((void *, void *, size_t));
-extern int     iwcopyptr __P((void *, void *, size_t));
-
-extern void    ipflog_init __P((void));
-extern int     ipflog_clear __P((minor_t));
-extern int     ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
-extern int     ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
-extern int     ipflog_read __P((minor_t, struct uio *));
-
-extern int     frflush __P((minor_t, int, int));
-extern void    frsync __P((void));
-extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
-extern void    fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
-extern frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int,
-                                   frgroup_t ***));
-
-extern int     fr_copytolog __P((int, char *, int));
-extern void    fr_forgetifp __P((void *));
-extern void    fr_getstat __P((struct friostat *));
-extern int     fr_ifpaddr __P((int, void *, struct in_addr *));
-extern int     fr_lock __P((caddr_t, int *));
-extern  void   fr_makefrip __P((int, ip_t *, fr_info_t *));
-extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
-extern int     fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
-extern int     fr_tcpudpchk __P((frtuc_t *, fr_info_t *));
-extern int     fr_verifysrc __P((struct in_addr, void *));
-
-extern int     ipl_unreach;
-extern int     fr_running;
-extern u_long  ipl_frouteok[2];
-extern int     fr_pass;
-extern int     fr_flags;
-extern int     fr_active;
-extern int     fr_chksrc;
-extern int     fr_minttl;
-extern int     fr_minttllog;
-extern fr_info_t       frcache[2];
-extern char    ipfilter_version[];
-extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-extern size_t  iplused[IPL_LOGMAX + 1];
-extern struct frentry *ipfilter[2][2], *ipacct[2][2];
-#ifdef USE_INET6
-extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
-extern int     icmptoicmp6types[ICMP_MAXTYPE+1];
-extern int     icmptoicmp6unreach[ICMP_MAX_UNREACH];
-#endif
-extern struct frgroup *ipfgroups[3][2];
-extern struct filterstats frstats[];
-
-#endif /* __IP_FIL_H__ */
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
deleted file mode 100644 (file)
index 0f3b818..0000000
+++ /dev/null
@@ -1,618 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(KERNEL) && !defined(_KERNEL)
-# define      _KERNEL
-#endif
-
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# if defined(_KERNEL) && !defined(__sgi)
-#  include <sys/kernel.h>
-# endif
-# ifndef linux
-#  include <sys/mbuf.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-#  include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include "netinet/ip_compat.h"
-#include <netinet/tcpip.h>
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_frag.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_auth.h"
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if (defined(KERNEL) || defined(_KERNEL))
-#  ifndef IPFILTER_LKM
-#   include <sys/libkern.h>
-#   include <sys/systm.h>
-#  endif
-extern struct callout_handle ipfr_slowtimer_ch;
-# endif
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-# include <sys/callout.h>
-extern struct callout ipfr_slowtimer_ch;
-#endif
-#if defined(__OpenBSD__)
-# include <sys/timeout.h>
-extern struct timeout ipfr_slowtimer_ch;
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_frag.c    1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $";
-#endif
-
-
-static ipfr_t  *ipfr_heads[IPFT_SIZE];
-static ipfr_t  *ipfr_nattab[IPFT_SIZE];
-static ipfrstat_t ipfr_stats;
-static int     ipfr_inuse = 0;
-
-int    fr_ipfrttl = 120;       /* 60 seconds */
-int    fr_frag_lock = 0;
-
-#ifdef _KERNEL
-# if SOLARIS2 >= 7
-extern timeout_id_t    ipfr_timer_id;
-# else
-extern int     ipfr_timer_id;
-# endif
-#endif
-#if    (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T       ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex;
-# if   SOLARIS
-extern KRWLOCK_T       ipf_solaris;
-# else
-KRWLOCK_T      ipf_solaris;
-# endif
-extern kmutex_t        ipf_rw;
-#endif
-
-
-static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **));
-static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
-static void ipfr_delete __P((ipfr_t *));
-
-
-ipfrstat_t *ipfr_fragstats()
-{
-       ipfr_stats.ifs_table = ipfr_heads;
-       ipfr_stats.ifs_nattab = ipfr_nattab;
-       ipfr_stats.ifs_inuse = ipfr_inuse;
-       return &ipfr_stats;
-}
-
-
-/*
- * add a new entry to the fragment cache, registering it as having come
- * through this box, with the result of the filter operation.
- */
-static ipfr_t *ipfr_new(ip, fin, table)
-ip_t *ip;
-fr_info_t *fin;
-ipfr_t *table[];
-{
-       ipfr_t **fp, *fra, frag;
-       u_int idx, off;
-
-       if (ipfr_inuse >= IPFT_SIZE)
-               return NULL;
-
-       if (!(fin->fin_fl & FI_FRAG))
-               return NULL;
-
-       frag.ipfr_p = ip->ip_p;
-       idx = ip->ip_p;
-       frag.ipfr_id = ip->ip_id;
-       idx += ip->ip_id;
-       frag.ipfr_tos = ip->ip_tos;
-       frag.ipfr_src.s_addr = ip->ip_src.s_addr;
-       idx += ip->ip_src.s_addr;
-       frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
-       idx += ip->ip_dst.s_addr;
-       frag.ipfr_ifp = fin->fin_ifp;
-       idx *= 127;
-       idx %= IPFT_SIZE;
-
-       frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
-       frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
-       frag.ipfr_auth = fin->fin_fi.fi_auth;
-
-       /*
-        * first, make sure it isn't already there...
-        */
-       for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
-               if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
-                         IPFR_CMPSZ)) {
-                       ATOMIC_INCL(ipfr_stats.ifs_exists);
-                       return NULL;
-               }
-
-       /*
-        * allocate some memory, if possible, if not, just record that we
-        * failed to do so.
-        */
-       KMALLOC(fra, ipfr_t *);
-       if (fra == NULL) {
-               ATOMIC_INCL(ipfr_stats.ifs_nomem);
-               return NULL;
-       }
-
-       if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
-               ATOMIC_INC32(fin->fin_fr->fr_ref);
-       }
-
-
-       /*
-        * Instert the fragment into the fragment table, copy the struct used
-        * in the search using bcopy rather than reassign each field.
-        * Set the ttl to the default.
-        */
-       if ((fra->ipfr_next = table[idx]))
-               table[idx]->ipfr_prev = fra;
-       fra->ipfr_prev = NULL;
-       fra->ipfr_data = NULL;
-       table[idx] = fra;
-       bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ);
-       fra->ipfr_ttl = fr_ipfrttl;
-       /*
-        * Compute the offset of the expected start of the next packet.
-        */
-       off = ip->ip_off & IP_OFFMASK;
-       if (!off)
-               fra->ipfr_seen0 = 1;
-       fra->ipfr_off = off + (fin->fin_dlen >> 3);
-       ATOMIC_INCL(ipfr_stats.ifs_new);
-       ATOMIC_INC32(ipfr_inuse);
-       return fra;
-}
-
-
-int ipfr_newfrag(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
-       ipfr_t  *ipf;
-
-       if ((ip->ip_v != 4) || (fr_frag_lock))
-               return -1;
-       WRITE_ENTER(&ipf_frag);
-       ipf = ipfr_new(ip, fin, ipfr_heads);
-       RWLOCK_EXIT(&ipf_frag);
-       if (ipf == NULL) {
-               ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
-               return -1;
-       }
-       ATOMIC_INCL(frstats[fin->fin_out].fr_nfr);
-       return 0;
-}
-
-
-int ipfr_nat_newfrag(ip, fin, nat)
-ip_t *ip;
-fr_info_t *fin;
-nat_t *nat;
-{
-       ipfr_t  *ipf;
-       int off;
-
-       if ((ip->ip_v != 4) || (fr_frag_lock))
-               return -1;
-
-       off = fin->fin_off;
-       off <<= 3;
-       if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
-               return -1;
-
-       WRITE_ENTER(&ipf_natfrag);
-       ipf = ipfr_new(ip, fin, ipfr_nattab);
-       if (ipf != NULL) {
-               ipf->ipfr_data = nat;
-               nat->nat_data = ipf;
-       }
-       RWLOCK_EXIT(&ipf_natfrag);
-       return ipf ? 0 : -1;
-}
-
-
-/*
- * check the fragment cache to see if there is already a record of this packet
- * with its filter result known.
- */
-static ipfr_t *ipfr_lookup(ip, fin, table)
-ip_t *ip;
-fr_info_t *fin;
-ipfr_t *table[];
-{
-       ipfr_t  *f, frag;
-       u_int idx;
-       /*
-        * For fragments, we record protocol, packet id, TOS and both IP#'s
-        * (these should all be the same for all fragments of a packet).
-        *
-        * build up a hash value to index the table with.
-        */
-       frag.ipfr_p = ip->ip_p;
-       idx = ip->ip_p;
-       frag.ipfr_id = ip->ip_id;
-       idx += ip->ip_id;
-       frag.ipfr_tos = ip->ip_tos;
-       frag.ipfr_src.s_addr = ip->ip_src.s_addr;
-       idx += ip->ip_src.s_addr;
-       frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
-       idx += ip->ip_dst.s_addr;
-       frag.ipfr_ifp = fin->fin_ifp;
-       idx *= 127;
-       idx %= IPFT_SIZE;
-
-       frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
-       frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
-       frag.ipfr_auth = fin->fin_fi.fi_auth;
-
-       /*
-        * check the table, careful to only compare the right amount of data
-        */
-       for (f = table[idx]; f; f = f->ipfr_next)
-               if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
-                         IPFR_CMPSZ)) {
-                       u_short atoff, off;
-
-                       off = fin->fin_off;
-
-                       /*
-                        * XXX - We really need to be guarding against the
-                        * retransmission of (src,dst,id,offset-range) here
-                        * because a fragmented packet is never resent with
-                        * the same IP ID#.
-                        */
-                       if (f->ipfr_seen0) {
-                               if (!off || (fin->fin_fl & FI_SHORT))
-                                       continue;
-                       } else if (!off)
-                               f->ipfr_seen0 = 1;
-
-                       if (f != table[idx]) {
-                               /*
-                                * move fragment info. to the top of the list
-                                * to speed up searches.
-                                */
-                               if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
-                                       f->ipfr_next->ipfr_prev = f->ipfr_prev;
-                               f->ipfr_next = table[idx];
-                               table[idx]->ipfr_prev = f;
-                               f->ipfr_prev = NULL;
-                               table[idx] = f;
-                       }
-                       atoff = off + (fin->fin_dlen >> 3);
-                       /*
-                        * If we've follwed the fragments, and this is the
-                        * last (in order), shrink expiration time.
-                        */
-                       if (off == f->ipfr_off) {
-                               if (!(ip->ip_off & IP_MF))
-                                       f->ipfr_ttl = 1;
-                               else
-                                       f->ipfr_off = atoff;
-                       }
-                       ATOMIC_INCL(ipfr_stats.ifs_hits);
-                       return f;
-               }
-       return NULL;
-}
-
-
-/*
- * functional interface for NAT lookups of the NAT fragment cache
- */
-nat_t *ipfr_nat_knownfrag(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
-       ipfr_t *ipf;
-       nat_t *nat;
-       int off;
-
-       if ((fin->fin_v != 4) || (fr_frag_lock))
-               return NULL;
-
-       off = fin->fin_off;
-       off <<= 3;
-       if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
-               return NULL;
-
-       READ_ENTER(&ipf_natfrag);
-       ipf = ipfr_lookup(ip, fin, ipfr_nattab);
-       if (ipf != NULL) {
-               nat = ipf->ipfr_data;
-               /*
-                * This is the last fragment for this packet.
-                */
-               if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
-                       nat->nat_data = NULL;
-                       ipf->ipfr_data = NULL;
-               }
-       } else
-               nat = NULL;
-       RWLOCK_EXIT(&ipf_natfrag);
-       return nat;
-}
-
-
-/*
- * functional interface for normal lookups of the fragment cache
- */
-frentry_t *ipfr_knownfrag(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
-       frentry_t *fr;
-       ipfr_t *fra;
-       int off;
-
-       if ((fin->fin_v != 4) || (fr_frag_lock))
-               return NULL;
-
-       off = fin->fin_off;
-       off <<= 3;
-       if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
-               return NULL;
-
-       READ_ENTER(&ipf_frag);
-       fra = ipfr_lookup(ip, fin, ipfr_heads);
-       if (fra != NULL)
-               fr = fra->ipfr_rule;
-       else
-           &