This commit was generated by cvs2svn to compensate for changes in r172771,

which included commits to RCS files with non-trunk default branches.
2007-10-18 21:42:51 +00:00 · 2007-10-18 21:42:51 +00:00 · 9a214eca1f
commit 9a214eca1f
parent 60e87ca8df 39ff65a633 e8e48c1c7b
39 changed files with 595 additions and 123 deletions
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@ -485,13 +485,21 @@ install:
 		cp if_ipl.o /lkm; \
 	fi
 	-if [ -d /modules -a -f ipf.ko ] ; then \
-		cp ipf.ko /modules; \
+		if [ -f /modules/ipl.ko ] ; then \
+			cp ipf.ko /modules/ipl.ko; \
+		else \
+			cp ipf.ko /modules; \
+		fi \
 	fi
 	-if [ -d /modules -a -f ipfrule.ko ] ; then \
 		cp ipfrule.ko /modules; \
 	fi
 	-if [ -d /boot/kernel -a -f ipf.ko ] ; then \
-		cp ipf.ko /boot/kernel; \
+		if [ -f /boot/kernel/ipl.ko ] ; then \
+			cp ipf.ko /boot/kernel/ipl.ko; \
+		else \
+			cp ipf.ko /boot/kernel; \
+		fi \
 	fi
 	-if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \
 		cp ipfrule.ko /boot/kernel; \
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
@ -32,11 +32,15 @@ else
 fi
 
 if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
-	echo "Please do a build of ipfilter and then run the following"
-	echo "command to build extra files:"
-	echo
-	echo "make ip_rules.c"
-	exit 1
+	echo "Trying to build ip_rules.c and ip_rules.h"
+	make ip_rules.c
+	if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then
+		echo "Please do a build of ipfilter and then run the following"
+		echo "command to build extra files:"
+		echo
+		echo "make ip_rules.c"
+		exit 1
+	fi
 fi

 echo -n "Installing "
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@ -10,12 +10,110 @@
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+4.1.28 - Release 16 October 2007
+
+backout changes (B1) & (B2) as they've caused NAT entries to persist for
+too long and possibly other side effects.
+
+Still need to compile in our own radix.c for Solaris as the one in S10U4
+has a different alignment of structure members (causes panic)
+
+keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
+
+ippool -l may only lists every 2nd pool's contents
+
+4.1.27 - Released 29 September 2007
+
+SunOS5/replace script does not deal with i386 systems that have the
+i86/amd64 directory pair.
+
+make BSD/kupgrade try to build ip_rules.[ch] before complaining
+
+Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
+
+Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
+to drive 32bit cc builds differently for sparc/i386 now.
+
+Update instructions for rebuilding FreeBSD kernels
+
+Make the target "freebsd" work for building ipfilter
+
+destroying NAT entries for blocked packets can lead to NAT table entry leak,
+provide a counter of orphan'd NAT entries to track this problem.
+
+4.1.26 - Released 24 September 2007
+
+Fix build problem for Solaris prior to S10U4
+
+4.1.25 - Released 20 September 2007
+
+stepping through structures with ioctls can lead to the wrong things
+being free'd and panics
+
+if a NAT entry (such as an rdr) is created but the packet ends up being
+blocked, tear down the NAT entry.
+
+fix fragment cache preventing keep state from functioning
+
+fix handling of \ to indicate a continued line in .conf files
+
+include port ranges in the allowed input for ipf when using "port = ()"
+
+only advance TCP state for packets on the leading edge of the window. (B1)
+
+using ipnat -l can lead to memory corruption in high stress situations
+
+track TCP sequence numbers with NAT so that it can do timeout advances
+correctly inline with state
+
+ICMP checksums for some redirect'd packets are not adjusted correctly.
+
+IPv6 address components need to be explicitly cast to a 32bit pointer
+boundary so that compilers don't try to access them as two 64bit
+pieces (no guarantee is made that an Ipv6 address is on a 64bit
+aligned address)
+
+filling up the ipauth packet queue can lead to no more packets being
+processed.
+
+locking used to deref a nat entry causes a significant performance hit
+
+m_pulldown isn't properly handled, leading to possible panics with ICMPv6
+packets
+
+IPv6 fragment handling doesn't allow for "keep frag" to work
+
+build on Solaris10 Update4 with pfhooks in the kernel
+
+logging of Ipv6 packets with extension headers fix - Miroslaw Luc
+
+4.1.24 - Released 8 July 2007
+
+patch from Stuart Remphrey to address recursive mutex lock with TCP state
+
+add hash table bucket stats display to ipnat -s
+
+give ASSERT some teeth for user compiles
+
+initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
+early on
+
+do some caddr_t cleanup, where possible
+
+fr_ref no longer tracks the number of children rules in a group for head rules
+
+make sure all BCOPY* have a value assigned to something
+
+fix possible use of icmp pointer after pullup makes it invalid
+
+resolve compile problems related to FreeBSD tree
+
 4.1.23 - Released 31 May 2007

 NAT was not always correctly fixing ICMP headers for errors

 some TCP state steps when closing do not update timeouts, leading to
-them being removed prematurely.
+them being removed prematurely. (B2)

 fix compilation problems for netbsd 4.99

--- a/contrib/ipfilter/iplang/Makefile
+++ b/contrib/ipfilter/iplang/Makefile
@ -3,20 +3,21 @@
 #
 #CC=gcc -Wuninitialized -Wstrict-prototypes -Werror -O
 CFLAGS=-I..
+CCARGS=$(DEBUG) -I. -I.. $(CFLAGS) -I$(DESTDIR) -I$(DESTDIR)/.. -I../ipsend

 all: $(DESTDIR)/iplang_y.o $(DESTDIR)/iplang_l.o

 $(DESTDIR)/iplang_y.o: $(DESTDIR)/iplang_y.c
-	$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@
+	$(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_y.c -o $@

 $(DESTDIR)/iplang_l.o: $(DESTDIR)/iplang_l.c
-	$(CC) $(DEBUG) -I. -I.. -I$(DESTDIR) -I../ipsend $(CFLAGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@
+	$(CC) $(CCARGS) $(LINUX) -c $(DESTDIR)/iplang_l.c -o $@

 iplang_y.o: iplang_y.c
-	$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
+	$(CC) $(CCARGS) $< -o $@

 iplang_l.o: iplang_l.c
-	$(CC) $(DEBUG) -I. -I.. -I../ipsend $(CFLAGS) $(LINUX) -c $< -o $@
+	$(CC) $(CCARGS) $< -o $@

 $(DESTDIR)/iplang_l.c: iplang_l.l $(DESTDIR)/iplang_y.h
 	lex iplang_l.l
--- a/contrib/ipfilter/l4check/Makefile
+++ b/contrib/ipfilter/l4check/Makefile
@ -4,7 +4,7 @@
 all: l4check

 l4check: l4check.c
-	$(CC) -g -I.. $(CFLAGS) $(LIBS) l4check.c -o $@
+	$(CC) -g -I.. -Wall $(CFLAGS) $(LIBS) l4check.c -o $@

 clean:
 	/bin/rm -f l4check
--- a/contrib/ipfilter/lib/Makefile
+++ b/contrib/ipfilter/lib/Makefile
@ -3,7 +3,7 @@
 # 
 # See the IPFILTER.LICENCE file for details on licencing.  
 #   
-# $Id: Makefile,v 1.41.2.13 2007/05/10 06:02:19 darrenr Exp $ 
+# $Id: Makefile,v 1.41.2.14 2007/09/21 08:30:43 darrenr Exp $ 
 #     
 INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h

@ -135,8 +135,6 @@ $(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
 $(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
-$(DEST)/getline.o: $(LIBSRC)/getline.c $(INCDEP)
-	$(CC) $(CCARGS) -c $(LIBSRC)/getline.c -o $@
 $(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
 $(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
@ -218,10 +216,6 @@ $(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@
 $(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@
-$(DEST)/portnum.o: $(LIBSRC)/portnum.c $(INCDEP)
-	$(CC) $(CCARGS) -c $(LIBSRC)/portnum.c -o $@
-$(DEST)/ports.o: $(LIBSRC)/ports.c $(INCDEP)
-	$(CC) $(CCARGS) -c $(LIBSRC)/ports.c -o $@
 $(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP)
 	$(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@
 $(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP)
--- a/contrib/ipfilter/lib/alist_new.c
+++ b/contrib/ipfilter/lib/alist_new.c
@ -3,7 +3,7 @@
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * $Id: alist_new.c,v 1.1.2.2 2006/08/25 22:43:21 darrenr Exp $
+ * $Id: alist_new.c,v 1.1.2.3 2007/06/06 08:05:33 darrenr Exp $
 */

 #include "ipf.h"
@ -53,12 +53,14 @@ alist_new(int v, char *host)
 	}

 	if (gethost(host, &al->al_addr) == -1) {
-		*slash = '/';
+		if (slash != NULL)
+			*slash = '/';
 		fprintf(stderr, "Cannot parse hostname\n");
 		free(al);
 		return NULL;
 	}
 	al->al_mask = htonl(mask);
-	*slash = '/';
+	if (slash != NULL)
+		*slash = '/';
 	return al;
 }
--- a/contrib/ipfilter/lib/printpool_live.c
+++ b/contrib/ipfilter/lib/printpool_live.c
@ -52,11 +52,12 @@ int opts;
 	while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
 		if (entry.ipn_next == NULL)
 			last = 1;
-		entry.ipn_next = top;
-		top = malloc(sizeof(*top));
-		if (top == NULL)
+		node = malloc(sizeof(*top));
+		if (node == NULL)
 			break;
-		bcopy(&entry, top, sizeof(entry));
+		bcopy(&entry, node, sizeof(entry));
+		node->ipn_next = top;
+		top = node;
 	}

 	while (top != NULL) {
@ -74,5 +75,9 @@ int opts;

 	if ((opts & OPT_DEBUG) == 0)
 		PRINTF(" };\n");
+
+	if (ioctl(fd, SIOCIPFDELTOK, &iter.ili_key) != 0)
+		perror("SIOCIPFDELTOK");
+
 	return pool->ipo_next;
 }
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@ -6,7 +6,10 @@
 BINDEST=/usr/local/bin
 SBINDEST=/sbin
 MANDIR=/usr/share/man
-all: results tests
+all: expected.d results tests
+
+expected.d:
+	(cd expected; make)

 results:
 	mkdir -p results
@ -21,13 +24,13 @@ first:
 	-mkdir -p results

 # Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24

 # Rule parsing tests
 ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 \
 	i20 i21

-ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
+ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16

 nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 \
 	ni16 ni19 ni20 ni21 ni23
@ -38,20 +41,20 @@ logtests: l1

 pools: p1 p2 p3 p5 ip1 ip2

-ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5
+ipv6: ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6

 bpf: bpf1 bpf-f1

 f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f19:
 	@/bin/sh ./dotest `awk "/^$@ / { print; } " test.format`

-f15 f16 f17 f18 f20:
+f15 f16 f17 f18 f20 f24:
 	@/bin/sh ./mtest `awk "/^$@ / { print; } " test.format`

 i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21 bpf1:
 	@/bin/sh ./itest `awk "/^$@ / { print; } " test.format`

-n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14:
+n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16:
 	@/bin/sh ./nattest `awk "/^$@ / { print; } " test.format`

 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20:
@ -66,7 +69,7 @@ in1 in2 in3 in4 in5 in6:
 l1:
 	@/bin/sh ./logtest `awk "/^$@ / { print; } " test.format`

-ipv6.1 ipv6.2 ipv6.3 ipv6.5:
+ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6:
 	@/bin/sh ./dotest6 `awk "/^$@ / { print; } " test.format`

 p1 p2 p3 p5:
@ -79,17 +82,18 @@ bpf-f1:
 	/bin/sh ./bpftest `awk "/^$@ / { print; } " test.format`

 clean:
-	/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20
+	/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f24
 	/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 i16 i17 i18 i19 i20 i21
-	/bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14
+	/bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 n13 n14 n16
 	/bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9
 	/bin/rm -f ni10 ni11 ni12 ni13 ni14 ni15 ni16 ni19 ni20 ni21 ni23
 	/bin/rm -f in1 in2 in3 in4 in5 in6
 	/bin/rm -f p1 p2 p3 p5 ip1 ip2
 	/bin/rm -f l1
-	/bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5
+	/bin/rm -f ipv6.1 ipv6.2 ipv6.3 ipv6.5 ipv6.6
 	/bin/rm -f bpf1 bpf-f1
 	/bin/rm -f results/* logout
+	(cd expected; make clean)

 diffs:
 	-cd expected; for i in *; do if [ -f $$i -a ! -f ../$$i -a -f ../results/$$i ] ; then  diff -c $$i ../results/$$i >> ../diff.out; fi done
--- a/contrib/ipfilter/test/dotest
+++ b/contrib/ipfilter/test/dotest
@ -15,7 +15,13 @@ else
 	fi
 fi
 if [ "$tuning" != "" ] ; then
-	tuning="-T $tuning"
+	case $tuning in
+	-*)
+		;;
+	*)
+		tuning="-T $tuning"
+		;;
+	esac
 fi
 echo "${thistest}...";
 /bin/cp /dev/null results/${thistest}
--- a/contrib/ipfilter/test/expected/Makefile
+++ b/contrib/ipfilter/test/expected/Makefile
@ -0,0 +1,41 @@
+#
+# (C)opyright 2007 by Darren Reed.
+#
+# See the IPFILTER.LICENCE file for details on licencing.
+#
+all: i19
+
+i19: i19.dist Makefile
+	-if [ "`grep LOG_SECURITY /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+		if [ "`grep LOG_AUDIT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+				sed -e 's/security/!!!/g' i19.dist > i19.p1; \
+		else \
+				sed -e 's/security/audit/g' i19.dist > i19.p1; \
+		fi \
+	else \
+		/bin/cp i19.dist i19.p1; \
+	fi
+	-if [ "`grep LOG_AUTHPRIV /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+		sed -e 's/authpriv/!!!/g' i19.p1 > i19.p2; \
+	else \
+		/bin/cp i19.p1 i19.p2; \
+	fi
+	-if [ "`grep LOG_LOGALERT /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+		sed -e 's/logalert/!!!/g' i19.p2 > i19.p1; \
+	else \
+		/bin/cp i19.p2 i19.p1; \
+	fi
+	-if [ "`grep LOG_FTP /usr/include/sys/syslog.h 2>&1`" = "" ] ; then \
+		sed -e 's/ftp/!!!/g' i19.p1 > i19.p2; \
+	else \
+		/bin/cp i19.p1 i19.p2; \
+	fi
+	-if [ "`egrep 'LOG_CRON.*15' /usr/include/sys/syslog.h 2>&1`" != "" ] ; then \
+		sed -e 's/cron/cron2/g' i19.p2 > i19; \
+	else \
+		/bin/cp i19.p2 i19; \
+	fi
+	/bin/rm i19.p?
+
+clean:
+	/bin/rm -f i19
--- a/contrib/ipfilter/test/expected/f11
+++ b/contrib/ipfilter/test/expected/f11
@ -14,6 +14,16 @@ nomatch
 nomatch
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 block
 nomatch
@ -31,6 +41,16 @@ nomatch
 nomatch
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 nomatch
 nomatch
@ -48,6 +68,16 @@ pass
 nomatch
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 nomatch
 nomatch
@ -65,6 +95,16 @@ block
 nomatch
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 nomatch
 nomatch
@ -82,6 +122,36 @@ pass
 pass
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+2.2.2.2 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
+	tag 0 ttl 240 2 -> 53
+	forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
+	pass in keep state	IPv4
+	pkt_flags & 0(0) = 0,		pkt_options & ffffffff = 0, ffffffff = 0 
+	pkt_security & ffff = 0, pkt_auth & ffff = 0
+	is_flx 0x8001 0 0 0
+	interfaces: in X[e1],X[] out X[],X[]
+	Sync status: not synchronized
+1.1.1.1 -> 4.4.4.4 pass 0x40008402 pr 17 state 0/0
+	tag 0 ttl 24 1 -> 53
+	forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	pass in keep state	IPv4
+	pkt_flags & 0(0) = 0,		pkt_options & ffffffff = 0, ffffffff = 0 
+	pkt_security & ffff = 0, pkt_auth & ffff = 0
+	is_flx 0x8001 0x8001 0 0
+	interfaces: in X[e1],X[e0] out X[],X[]
+	Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 nomatch
 nomatch
@ -99,6 +169,36 @@ block
 block
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+2.2.2.2 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
+	tag 0 ttl 240 2 -> 53
+	forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
+	block in keep state	IPv4
+	pkt_flags & 0(0) = 0,		pkt_options & ffffffff = 0, ffffffff = 0 
+	pkt_security & ffff = 0, pkt_auth & ffff = 0
+	is_flx 0x8001 0 0 0
+	interfaces: in X[e1],X[] out X[],X[]
+	Sync status: not synchronized
+1.1.1.1 -> 4.4.4.4 pass 0x40008401 pr 17 state 0/0
+	tag 0 ttl 24 1 -> 53
+	forward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	backward: pkts in 1 bytes in 28 pkts out 0 bytes out 0
+	block in keep state	IPv4
+	pkt_flags & 0(0) = 0,		pkt_options & ffffffff = 0, ffffffff = 0 
+	pkt_security & ffff = 0, pkt_auth & ffff = 0
+	is_flx 0x8001 0x8001 0 0
+	interfaces: in X[e1],X[e0] out X[],X[]
+	Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
 nomatch
 nomatch
@ -116,4 +216,28 @@ nomatch
 nomatch
 nomatch
 nomatch
+List of active MAP/Redirect filters:
+
+List of active sessions:
+
+Hostmap table:
+List of active state sessions:
+1.1.1.1 -> 2.1.2.2 pass 0x40008402 pr 6 state 3/4
+	tag 0 ttl 864000
+	1 -> 25 2:66 4096<<0:16384<<0
+	cmsk 0000 smsk 0000 s0 00000000/00000000
+	FWD:ISN inc 0 sumd 0
+	REV:ISN inc 0 sumd 0
+	forward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
+	backward: pkts in 1 bytes in 40 pkts out 0 bytes out 0
+	pass in keep state	IPv4
+	pkt_flags & 0(0) = 0,		pkt_options & ffffffff = 0, ffffffff = 0 
+	pkt_security & ffff = 0, pkt_auth & ffff = 0
+	is_flx 0x8001 0x8001 0 0
+	interfaces: in X[e0],X[e1] out X[],X[]
+	Sync status: not synchronized
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
 --------
--- a/contrib/ipfilter/test/expected/f24
+++ b/contrib/ipfilter/test/expected/f24
@ -0,0 +1,5 @@
+pass
+pass
+pass
+pass
+--------
--- a/contrib/ipfilter/test/expected/i19.dist
+++ b/contrib/ipfilter/test/expected/i19.dist
@ -0,0 +1,22 @@
+block in log level user.debug quick proto icmp from any to any
+block in log level mail.info quick proto icmp from any to any
+block in log level daemon.notice quick proto icmp from any to any
+block in log level auth.warn quick proto icmp from any to any
+block in log level syslog.err quick proto icmp from any to any
+block in log level lpr.crit quick proto icmp from any to any
+block in log level news.alert quick proto icmp from any to any
+block in log level uucp.emerg quick proto icmp from any to any
+block in log level cron.debug quick proto icmp from any to any
+block in log level ftp.info quick proto icmp from any to any
+block in log level authpriv.notice quick proto icmp from any to any
+block in log level logalert.warn quick proto icmp from any to any
+block in log level local0.err quick proto icmp from any to any
+block in log level local1.crit quick proto icmp from any to any
+block in log level local2.alert quick proto icmp from any to any
+block in log level local3.emerg quick proto icmp from any to any
+block in log level local4.debug quick proto icmp from any to any
+block in log level local5.info quick proto icmp from any to any
+block in log level local6.notice quick proto icmp from any to any
+block in log level local7.warn quick proto icmp from any to any
+block in log level kern.err quick proto icmp from any to any
+block in log level security.emerg quick proto icmp from any to any
--- a/contrib/ipfilter/test/expected/i21
+++ b/contrib/ipfilter/test/expected/i21
@ -8,3 +8,9 @@ pass out from any to any port = 7
 pass out from any to any port = 9
 block in from any port = 20 to any
 block in from any port = 25 to any
+pass in from any port 11:12 to any port 1:2
+pass in from any port 21:22 to any port 1:2
+pass in from any port 11:12 to any port 4:5
+pass in from any port 21:22 to any port 4:5
+pass in from any port 11:12 to any port 8:9
+pass in from any port 21:22 to any port 8:9
--- a/contrib/ipfilter/test/expected/in1
+++ b/contrib/ipfilter/test/expected/in1
@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to any port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc
 map thisisalonginte 0.0.0.0/0 -> 0.0.0.0/32 mssclamp 1452 tag freddyliveshere
 map bar0 0.0.0.0/0 -> 0.0.0.0/32 icmpidmap icmp 1000:2000
 map ppp0,adsl0 0.0.0.0/0 -> 0.0.0.0/32
+map ppp0 from 192.168.0.0/16 to any port = 123 -> 0.0.0.0/32 age 30/1 udp
--- a/contrib/ipfilter/test/expected/in6
+++ b/contrib/ipfilter/test/expected/in6
@ -5,3 +5,4 @@ map foo0 from any port < 1 to any port > 0 -> 0.0.0.0/32 tcp
 map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
 map foo0 from any port <= 1 to any port >= 0 -> 0.0.0.0/32 tcp/udp
 map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0.0.0.0/32 tcp/udp
+map foo0 from any port 10:20 to any port 30:40 -> 0.0.0.0/32 tcp/udp
--- a/contrib/ipfilter/test/expected/ipv6.6
+++ b/contrib/ipfilter/test/expected/ipv6.6
@ -0,0 +1,3 @@
+pass
+pass
+--------
--- a/contrib/ipfilter/test/expected/n16
+++ b/contrib/ipfilter/test/expected/n16
@ -0,0 +1,21 @@
+4520 0068 17e4 0000 6b11 cbba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 
+
+4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 
+
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318 c05b ac33 0303 4ca1 0000 0000 4520 0068 17e4 0000 6a11 ccba c05b ac33 ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 
+
+4500 0084 ee0f 0000 8001 4a21 45f8 4fc1 c05b ac33 0303 bf85 0000 0000 4520 0068 17e4 0000 6a11 3639 c05b ac33 45f8 4fc1 1194 94f8 0054 0000 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 
+
+List of active MAP/Redirect filters:
+rdr vlan0 from any to 69.248.79.193/32 port = 38136 -> 172.31.83.24 port 2013 udp
+
+List of active sessions:
+RDR 172.31.83.24    2013  <- -> 69.248.79.193   38136 [192.91.172.51 4500]
+
+Hostmap table:
+List of active state sessions:
+List of configured pools
+List of configured hash tables
+List of groups configured (set 0)
+List of groups configured (set 1)
+-------------------------------
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@ -1,14 +1,14 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
-in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
-in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S seq=1 ack=0
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA seq=1 ack=1
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA seq=101 ack=2
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA seq=101 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A seq=2 ack=102
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A seq=102 ack=2
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A seq=102 ack=2
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 FA seq=2 ack=102
+in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A seq=2 ack=102
+in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A seq=2 ack=102
 in on e1 udp 1.1.1.1,1 4.4.4.4,53
 in on e1 udp 2.2.2.2,2 4.4.4.4,53
 in on e0 udp 4.4.4.4,53 1.1.1.1,1
--- a/contrib/ipfilter/test/input/f24
+++ b/contrib/ipfilter/test/input/f24
@ -0,0 +1,27 @@
+[out,hme0]
+4500 003f 6e48 0000 4011 8816 c0a8 0101
+c0a8 01fe eb22 0035 002b d9e6 4a82 0100
+0001 0000 0000 0000 0663 6f6f 6d62 7303
+616e 7503 6564 7502 6175 0000 0100 01
+
+[in,hme0]
+4500 004c fc96 2000 4011 d9ba c0a8 01fe
+c0a8 0101 0035 eb22 00a9 d7b9 4a82 8180
+0001 0001 0003 0003 0663 6f6f 6d62 7303
+616e 7503 6564 7502 6175 0000 0100 01c0
+0c00 0100 0100 0000 3c00 0496
+
+[in,hme0]
+4500 004c fc96 2006 4011 d9b4 c0a8 01fe
+c0a8 0101 cbe7 50c0 1300 0200 0100 0078
+8c00 0603 6e73 31c0 13c0 1300 0200 0100
+0078 8c00 0e02 6e73 0861 6465 6c61 6964
+65c0 17c0 1300 0200 0100 0078
+
+[in,hme0]
+4500 004d fc96 000c 4011 f9ad c0a8 01fe
+c0a8 0101 8c00 0603 756e 61c0 13c0 6b00
+0100 0100 0027 5800 0496 cb16 1cc0 5100
+0100 0100 0018 4700 0481 7f28 03c0 3f00
+0100 0100 0027 5800 0496 cb01 0a
+
--- a/contrib/ipfilter/test/input/ipv6.6
+++ b/contrib/ipfilter/test/input/ipv6.6
@ -0,0 +1,17 @@
+[out,gif0]
+6000 0000 0020 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 0001 0000 0001
+8083 829a
+0020
+f4c1
+0000 0000 0000 0000 0000 0000 0000 0000
+
+[out,gif0]
+6000 0000 0020 2c01
+ef00 1001 2002 0001 0000 0000 0000 0070
+2001 1002 3333 0001 0000 0000 0000 0001
+1100 0008 0000 0001
+0000 0000 0000 0000 0000 0000 0000 0000
+
--- a/contrib/ipfilter/test/input/l1
+++ b/contrib/ipfilter/test/input/l1
@ -1,36 +1,36 @@
 # 1.1.1.1,1025 -> 2.2.2.2,25 TTL=63 TCP DF  SYN
 []
 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5002 2000 85c3 0000
+0401 0019 0000 0001 0000 0000 5002 2000 85c2 0000

 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
 []
 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0001 0000 0000 5010 2000 85b4 0000

 #in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 AS
 []
 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0000 0000 0000 5012 2000 85b3 0000
+0019 0401 0000 0011 0000 0002 5012 2000 85a0 0000

 #in on e1 tcp 2.1.2.2,25 1.1.1.1,1025 A
 [out,e1] 4500 0028 0000 4000 3f06 35cb 0202 0202 0101 0101
-0019 0401 0000 0000 0000 0000 5010 2000 85b5 0000
+0019 0401 0000 0012 0000 0002 5010 2000 85a1 0000

-#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 F
+#in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 AF
 []
 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5011 2000 85b4 0000
+0401 0019 0000 0002 0000 0012 5011 2000 85a0 0000

 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
 []
 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000

 #in on e0 tcp 1.1.1.1,1025 2.1.2.2,25 A
 []
 4500 0028 0000 4000 3f06 35cb 0101 0101 0202 0202
-0401 0019 0000 0000 0000 0000 5010 2000 85b5 0000
+0401 0019 0000 0012 0000 0003 5010 2000 85a0 0000

 #in on e1 udp 1.1.1.1,1 4.4.4.4,53
 []
--- a/contrib/ipfilter/test/input/n16
+++ b/contrib/ipfilter/test/input/n16
@ -0,0 +1,40 @@
+[in,vlan0]
+4520 0068 17e4 0000 6b11 3539 c05b ac33 45f8 4fc1
+1194 94f8 0054 0000
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+
+[out,vlan2]
+4520 0068 17e4 0000 6a11 ccba c05b ac33
+ac1f 5318 1194 07dd 0054 0000 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5
+
+[in,vlan2]
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
+c05b ac33 0303 4ca1 0000 0000 4520 0068
+17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5
+
+[out,vlan0]
+4500 0084 ee0f 0000 8001 e0a2 ac1f 5318
+c05b ac33 0303 4ca1 0000 0000 4520 0068
+17e4 0000 6a11 ccba c05b ac33 ac1f 5318
+1194 07dd 0054 0000 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5 a5a5
+a5a5 a5a5
+
--- a/contrib/ipfilter/test/nattest
+++ b/contrib/ipfilter/test/nattest
@ -5,7 +5,14 @@ else
 	format="-F $2"
 fi
 if [ "$4" != "" ] ; then
-	format="-T $4 $format"
+	case $4 in
+	-*)
+		format="$4 $format"
+		;;
+	*)
+		format="-T $4 $format"
+		;;
+	esac
 fi
 if [ -f /usr/ucb/touch ] ; then
 	TOUCH=/usr/ucb/touch
--- a/contrib/ipfilter/test/regress/f24
+++ b/contrib/ipfilter/test/regress/f24
@ -0,0 +1 @@
+pass out quick proto udp all keep state keep frags
--- a/contrib/ipfilter/test/regress/i21
+++ b/contrib/ipfilter/test/regress/i21
@ -4,3 +4,4 @@ block in from port 20:21
 block out from any to port 10 <> 100
 pass out from any to port = (3,5,7,9)
 block in from port = (20,25)
+pass in from any port = (11:12, 21:22) to any port = (1:2, 4:5, 8:9)
--- a/contrib/ipfilter/test/regress/i3
+++ b/contrib/ipfilter/test/regress/i3
@ -1,7 +1,9 @@
 log in all
 pass in from 128.16/16 to 129.10.10/24
-pass in from 128.0.0.1/24 to 128\
-.0.0.1/16
+pass in from 128.0.0.1/24 to 1\
+28\
+.\
+0.0.1/16
 pass in from 128.0.0.1/0xffffff00 to 128.0.0.1/0xffff0000
 pass in from 128.0.0.1/255.255.255.0 to 128.0.0.1/255.255.0.0
 pass in from 128.0.0.1 mask 0xffffff00 to 128.0.0.1 mask 0xffff0000
--- a/contrib/ipfilter/test/regress/in1
+++ b/contrib/ipfilter/test/regress/in1
@ -28,3 +28,4 @@ map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tc
 map thisisalonginte 0/0 -> 0/32 mssclamp 1452 tag freddyliveshere
 map bar0 0/0 -> 0/32 icmpidmap icmp 1000:2000
 map ppp0,adsl0 0/0 -> 0/32
+map ppp0 from 192.168.0.0/16 to any port = 123 -> 0/32 age 30/1 udp
--- a/contrib/ipfilter/test/regress/in6
+++ b/contrib/ipfilter/test/regress/in6
@ -5,3 +5,4 @@ map foo0 from any port lt 1 to any port gt 0 -> 0/32 tcp
 map foo0 from any port <= 1 to any port >= 0 -> 0/32 tcp/udp
 map foo0 from any port le 1 to any port ge 0 -> 0/32 tcp/udp
 map foo0 from any port 1 >< 20 to any port 20 <> 40 -> 0/32 tcp/udp
+map foo0 from any port 10:20 to any port 30:40 -> 0/32 tcp/udp
--- a/contrib/ipfilter/test/regress/ipv6.6
+++ b/contrib/ipfilter/test/regress/ipv6.6
@ -0,0 +1 @@
+pass out on gif0 proto udp all keep frag
--- a/contrib/ipfilter/test/regress/n16
+++ b/contrib/ipfilter/test/regress/n16
@ -0,0 +1 @@
+rdr vlan0 from any to 69.248.79.193 port = 38136 -> 172.31.83.24 port 2013 udp
--- a/contrib/ipfilter/test/test.format
+++ b/contrib/ipfilter/test/test.format
@ -11,7 +11,7 @@ f7 text text
 f8 text text
 f9 text text
 f10 text text
-f11 text text
+f11 text text -D
 f12 hex hex
 f13 hex hex
 f14 text text
@ -94,3 +94,6 @@ p2 text text
 p3 text text
 p4 text text
 p5 text text
+n16 hex hex -D
+f24 hex text
+ipv6.6 hex text
--- a/sys/contrib/ipfilter/netinet/ip_lookup.c
+++ b/sys/contrib/ipfilter/netinet/ip_lookup.c
@ -58,7 +58,7 @@ struct file;
 /* END OF INCLUDES */

 #if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.15 2007/05/26 13:05:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_lookup.c,v 2.35.2.19 2007/10/11 09:05:51 darrenr Exp $";
 #endif

 #ifdef	IPFILTER_LOOKUP
@ -70,6 +70,8 @@ static int iplookup_addtable __P((caddr_t));
 static int iplookup_deltable __P((caddr_t));
 static int iplookup_stats __P((caddr_t));
 static int iplookup_flush __P((caddr_t));
+static int iplookup_iterate __P((void *, int, void *));
+static int iplookup_deltok __P((void *, int, void *));


 /* ------------------------------------------------------------------------ */
@ -181,7 +183,11 @@ void *ctx;
 		break;

 	case SIOCLOOKUPITER :
-		err = ip_lookup_iterate(data, uid, ctx);
+		err = iplookup_iterate(data, uid, ctx);
+		break;
+
+	case SIOCIPFDELTOK :
+		err = iplookup_deltok(data, uid, ctx);
 		break;

 	default :
@ -287,8 +293,9 @@ caddr_t data;
 	ip_pool_t *p;
 	int err;

-	err = 0;
-	BCOPYIN(data, &op, sizeof(op));
+	err = BCOPYIN(data, &op, sizeof(op));
+	if (err != 0)
+		return EFAULT;

 	if (op.iplo_unit < 0 || op.iplo_unit > IPL_LOGMAX)
 		return EINVAL;
@ -558,13 +565,15 @@ void *ptr;


 /* ------------------------------------------------------------------------ */
-/* Function:    ip_lookup_iterate                                           */
+/* Function:    iplookup_iterate                                            */
 /* Returns:     int     - 0 = success, else error                           */
 /* Parameters:  data(I) - pointer to data from ioctl call                   */
+/*              uid(I)  - uid of caller                                     */
+/*              ctx(I)  - pointer to give the uid context                   */
 /*                                                                          */
 /* Decodes ioctl request to step through either hash tables or pools.       */
 /* ------------------------------------------------------------------------ */
-int ip_lookup_iterate(data, uid, ctx)
+static int iplookup_iterate(data, uid, ctx)
 void *data;
 int uid;
 void *ctx;
@ -578,7 +587,7 @@ void *ctx;
 	if (err != 0)
 		return err;

-	if (iter.ili_unit < 0 || iter.ili_unit > IPL_LOGMAX)
+	if (iter.ili_unit > IPL_LOGMAX)
 		return EINVAL;

 	if (iter.ili_ival != IPFGENITER_LOOKUP)
@ -644,6 +653,33 @@ void *data;
 }


+/* ------------------------------------------------------------------------ */
+/* Function:    iplookup_deltok                                             */
+/* Returns:     int     - 0 = success, else error                           */
+/* Parameters:  data(I) - pointer to data from ioctl call                   */
+/*              uid(I)  - uid of caller                                     */
+/*              ctx(I)  - pointer to give the uid context                   */
+/*                                                                          */
+/* Deletes the token identified by the combination of (type,uid,ctx)        */
+/* "key" is a combination of the table type, iterator type and the unit for */
+/* which the token was being used.                                          */
+/* ------------------------------------------------------------------------ */
+static int iplookup_deltok(data, uid, ctx)
+void *data;
+int uid;
+void *ctx;
+{
+	int error, key;
+	SPL_INT(s);
+
+	SPL_SCHED(s);
+	error = BCOPYIN(data, &key, sizeof(key)); 
+	if (error == 0)
+		error = ipf_deltoken(key, uid, ctx);
+	SPL_X(s);
+	return error;
+}
+

 #else /* IPFILTER_LOOKUP */

--- a/sys/contrib/ipfilter/netinet/ip_lookup.h
+++ b/sys/contrib/ipfilter/netinet/ip_lookup.h
@ -64,7 +64,7 @@ typedef	union	{
 		char	ilik_ival;
 		u_char	ilik_type;	/* IPLT_* */
 		u_char	ilik_otype;
-		char	ilik_unit;	/* IPL_LOG* */
+		u_char	ilik_unit;	/* IPL_LOG* */
 	} ilik_unstr;
 	u_32_t	ilik_key;
 } iplookupiterkey_t;
@ -90,7 +90,6 @@ extern int ip_lookup_init __P((void));
 extern int ip_lookup_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *));
 extern void ip_lookup_unload __P((void));
 extern void ip_lookup_deref __P((int, void *));
-extern int ip_lookup_iterate __P((void *, int, void *));
 extern void ip_lookup_iterderef __P((u_32_t, void *));

 #endif /* __IP_LOOKUP_H__ */
--- a/sys/contrib/ipfilter/netinet/ip_pool.c
+++ b/sys/contrib/ipfilter/netinet/ip_pool.c
@ -53,6 +53,9 @@ struct file;
 # include <sys/malloc.h>
 #endif

+#if defined(SOLARIS2) && !defined(_KERNEL)
+# include "radix_ipf.h"
+#endif
 #if defined(_KERNEL) && (defined(__osf__) || defined(AIX) || \
     defined(__hpux) || defined(__sgi))
 # include "radix_ipf_local.h"
@ -75,15 +78,16 @@ static int rn_freenode __P((struct radix_node *, void *));

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.20 2007/05/31 12:27:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.24 2007/10/10 09:45:37 darrenr Exp $";
 #endif

 #ifdef IPFILTER_LOOKUP

-# ifndef RADIX_NODE_HEAD_LOCK
+# if !defined(RADIX_NODE_HEAD_LOCK) || !defined(RADIX_NODE_HEAD_UNLOCK) || \
+     !defined(_KERNEL)
+#  undef RADIX_NODE_HEAD_LOCK
+#  undef RADIX_NODE_HEAD_UNLOCK
 #  define RADIX_NODE_HEAD_LOCK(x)	;
-# endif
-# ifndef RADIX_NODE_HEAD_UNLOCK
 #  define RADIX_NODE_HEAD_UNLOCK(x)	;
 # endif

@ -264,8 +268,6 @@ void ip_pool_fini()
 	ip_pool_t *p, *q;
 	int i;

-	ASSERT(rw_read_locked(&ipf_global.ipf_lk) == 0);
-
 	for (i = 0; i <= IPL_LOGMAX; i++) {
 		for (q = ip_pool_list[i]; (p = q) != NULL; ) {
 			q = p->ipo_next;
@ -463,8 +465,6 @@ int info;
 	struct radix_node *rn;
 	ip_pool_node_t *x;

-	ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
 	KMALLOC(x, ip_pool_node_t *);
 	if (x == NULL) {
 		return ENOMEM;
@ -529,32 +529,27 @@ iplookupop_t *op;
 	int poolnum, unit;
 	ip_pool_t *h;

-	ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
 	unit = op->iplo_unit;

-	if ((op->iplo_arg & LOOKUP_ANON) == 0)
+	if ((op->iplo_arg & LOOKUP_ANON) == 0) {
 		h = ip_pool_exists(unit, op->iplo_name);
-	else
-		h = NULL;
-
-	if (h != NULL) {
-		if ((h->ipo_flags & IPOOL_DELETE) != 0) {
+		if (h != NULL) {
+			if ((h->ipo_flags & IPOOL_DELETE) == 0)
+				return EEXIST;
 			h->ipo_flags &= ~IPOOL_DELETE;
 			return 0;
 		}
-		return EEXIST;
-	} else {
-		KMALLOC(h, ip_pool_t *);
-		if (h == NULL)
-			return ENOMEM;
-		bzero(h, sizeof(*h));
+	}

-		if (rn_inithead((void **)&h->ipo_head,
-				offsetof(addrfamily_t, adf_addr) << 3) == 0) {
-			KFREE(h);
-			return ENOMEM;
-		}
+	KMALLOC(h, ip_pool_t *);
+	if (h == NULL)
+		return ENOMEM;
+	bzero(h, sizeof(*h));
+
+	if (rn_inithead((void **)&h->ipo_head,
+			offsetof(addrfamily_t, adf_addr) << 3) == 0) {
+		KFREE(h);
+		return ENOMEM;
 	}

 	if ((op->iplo_arg & LOOKUP_ANON) != 0) {
@ -589,18 +584,16 @@ iplookupop_t *op;
 		(void)strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name));
 	}

-	if ((h->ipo_flags & IPOOL_DELETE) == 0) {
-		h->ipo_ref = 1;
-		h->ipo_list = NULL;
-		h->ipo_unit = unit;
-		h->ipo_next = ip_pool_list[unit];
-		if (ip_pool_list[unit] != NULL)
-			ip_pool_list[unit]->ipo_pnext = &h->ipo_next;
-		h->ipo_pnext = &ip_pool_list[unit];
-		ip_pool_list[unit] = h;
+	h->ipo_ref = 1;
+	h->ipo_list = NULL;
+	h->ipo_unit = unit;
+	h->ipo_next = ip_pool_list[unit];
+	if (ip_pool_list[unit] != NULL)
+		ip_pool_list[unit]->ipo_pnext = &h->ipo_next;
+	h->ipo_pnext = &ip_pool_list[unit];
+	ip_pool_list[unit] = h;

-		ipoolstat.ipls_pools++;
-	}
+	ipoolstat.ipls_pools++;

 	return 0;
 }
@ -620,8 +613,6 @@ ip_pool_t *ipo;
 ip_pool_node_t *ipe;
 {

-	ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
 	if (ipe->ipn_pnext != NULL)
 		*ipe->ipn_pnext = ipe->ipn_next;
 	if (ipe->ipn_next != NULL)
@ -789,8 +780,6 @@ void ip_pool_deref(ipo)
 ip_pool_t *ipo;
 {

-	ASSERT(rw_read_locked(&ip_poolrw.ipf_lk) == 0);
-
 	ipo->ipo_ref--;

 	if (ipo->ipo_ref == 0)
@ -858,11 +847,11 @@ ipflookupiter_t *ilp;

 		if (nextipo != NULL) {
 			ATOMIC_INC(nextipo->ipo_ref);
-			if (nextipo->ipo_next == NULL)
-				token->ipt_alive = 0;
+			token->ipt_data = nextipo;
 		} else {
 			bzero((char *)&zp, sizeof(zp));
 			nextipo = &zp;
+			token->ipt_data = NULL;
 		}
 		break;

@ -882,11 +871,11 @@ ipflookupiter_t *ilp;

 		if (nextnode != NULL) {
 			ATOMIC_INC(nextnode->ipn_ref);
-			if (nextnode->ipn_next == NULL)
-				token->ipt_alive = 0;
+			token->ipt_data = nextnode;
 		} else {
 			bzero((char *)&zn, sizeof(zn));
 			nextnode = &zn;
+			token->ipt_data = NULL;
 		}
 		break;
 	default :
@ -907,7 +896,6 @@ ipflookupiter_t *ilp;
 			ip_pool_deref(ipo);
 			RWLOCK_EXIT(&ip_poolrw);
 		}
-		token->ipt_data = nextipo;
 		err = COPYOUT(nextipo, ilp->ili_data, sizeof(*nextipo));
 		if (err != 0)
 			err = EFAULT;
@ -919,7 +907,6 @@ ipflookupiter_t *ilp;
 			ip_pool_node_deref(node);
 			RWLOCK_EXIT(&ip_poolrw);
 		}
-		token->ipt_data = nextnode;
 		err = COPYOUT(nextnode, ilp->ili_data, sizeof(*nextnode));
 		if (err != 0)
 			err = EFAULT;
--- a/sys/contrib/ipfilter/netinet/ip_pool.h
+++ b/sys/contrib/ipfilter/netinet/ip_pool.h
@ -3,7 +3,7 @@
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * $Id: ip_pool.h,v 2.26.2.5 2007/01/14 14:06:12 darrenr Exp $
+ * $Id: ip_pool.h,v 2.26.2.6 2007/10/10 09:51:43 darrenr Exp $
 */

 #ifndef	__IP_POOL_H__
@ -16,7 +16,7 @@ extern void rn_freehead __P((struct radix_node_head *));
 # define FreeS(p, z)		KFREES(p, z)
 extern int max_keylen;
 #else
-# if defined(__osf__) || defined(__hpux)
+# if defined(__osf__) || defined(__hpux) || defined(sun)
 #  include "radix_ipf_local.h"
 #  define radix_mask ipf_radix_mask
 #  define radix_node ipf_radix_node
--- a/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c
@ -37,7 +37,7 @@
 *   o The enclosed hack of STREAMS support is pretty sick and most likely
 *     broken.
 *
- *	$Id: ip_rpcb_pxy.c,v 2.25.2.6 2007/01/17 11:34:54 darrenr Exp $
+ *	$Id: ip_rpcb_pxy.c,v 2.25.2.7 2007/06/04 09:16:31 darrenr Exp $
 */

 #define	IPF_RPCB_PROXY
--- a/sys/contrib/ipfilter/netinet/ip_scan.c
+++ b/sys/contrib/ipfilter/netinet/ip_scan.c
@ -58,7 +58,7 @@ struct file;

 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.9 2007/03/13 09:42:05 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.10 2007/06/02 21:22:28 darrenr Exp $";
 #endif

 #ifdef	IPFILTER_SCAN	/* endif at bottom of file */
@ -587,7 +587,9 @@ void *ctx;
 	case SIOCGSCST :
 		bcopy((char *)&ipsc_stat, (char *)&ipscs, sizeof(ipscs));
 		ipscs.iscs_list = ipsc_list;
-		BCOPYOUT(&ipscs, data, sizeof(ipscs));
+		err = BCOPYOUT(&ipscs, data, sizeof(ipscs));
+		if (err != 0)
+			err = EFAULT;
 		break;
 	default :
 		err = EINVAL;
				`@ -0,0 +1 @@`
				`pass out quick proto udp all keep state keep frags`
				`@ -0,0 +1 @@`
				`rdr vlan0 from any to 69.248.79.193 port = 38136 -> 172.31.83.24 port 2013 udp`