Add kernel parts of revived ipfilter (3.3.3.)

1999-11-23 21:44:59 +00:00 · 1999-11-23 21:44:59 +00:00 · 9cc86ee930
commit 9cc86ee930
parent 4453311409
24 changed files with 10821 additions and 10 deletions
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -489,8 +489,6 @@ options 	PPP_FILTER		#enable bpf filtering (needs bpf)
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
-# IPFILTER_LKM enables LKM support for an ipfilter module (untested).
-#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
@ -506,7 +504,8 @@ options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPDIVERT		#divert sockets
-#options 	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options 	IPFILTER		#ipfilter support
+options 	IPFILTER_LOG		#ipfilter logging
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG

--- a/sys/conf/files
+++ b/sys/conf/files
@ -632,6 +632,14 @@ netinet6/nd6.c		optional inet6
 netinet6/nd6_nbr.c	optional inet6
 netinet6/nd6_rtr.c	optional inet6
 netinet6/raw_ip6.c	optional inet6
+netinet/ip_fil.c	optional ipfilter inet
+netinet/fil.c		optional ipfilter inet
+netinet/ip_nat.c	optional ipfilter inet
+netinet/ip_frag.c	optional ipfilter inet
+netinet/ip_state.c	optional ipfilter inet
+netinet/ip_auth.c	optional ipfilter inet
+netinet/ip_proxy.c	optional ipfilter inet
+netinet/ip_log.c	optional ipfilter inet
 netipx/ipx.c		optional ipx
 netipx/ipx_cksum.c	optional ipx
 netipx/ipx_input.c	optional ipx
--- a/sys/conf/options
+++ b/sys/conf/options
@ -218,7 +218,8 @@ INET			opt_inet.h
 INET6			opt_inet.h
 IPDIVERT
 DUMMYNET		opt_ipdn.h
-IPFILTER_LKM		opt_ipfilter.h
+IPFILTER		opt_ipfilter.h
+IPFILTER_LOG		opt_ipfilter.h
 IPFIREWALL		opt_ipfw.h
 IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
--- a/sys/i386/conf/LINT
+++ b/sys/i386/conf/LINT
@ -489,8 +489,6 @@ options 	PPP_FILTER		#enable bpf filtering (needs bpf)
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
-# IPFILTER_LKM enables LKM support for an ipfilter module (untested).
-#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
@ -506,7 +504,8 @@ options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPDIVERT		#divert sockets
-#options 	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options 	IPFILTER		#ipfilter support
+options 	IPFILTER_LOG		#ipfilter logging
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG

--- a/sys/i386/conf/NOTES
+++ b/sys/i386/conf/NOTES
@ -489,8 +489,6 @@ options 	PPP_FILTER		#enable bpf filtering (needs bpf)
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
-# IPFILTER_LKM enables LKM support for an ipfilter module (untested).
-#
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
@ -506,7 +504,8 @@ options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPDIVERT		#divert sockets
-#options 	IPFILTER_LKM		#kernel support for ip_fil.o LKM
+options 	IPFILTER		#ipfilter support
+options 	IPFILTER_LOG		#ipfilter logging
 options 	IPSTEALTH		#support for stealth forwarding
 options 	TCPDEBUG

--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
--- a/sys/netinet/ip_auth.c
+++ b/sys/netinet/ip_auth.c
@ -0,0 +1,538 @@
+/*
+ * Copyright (C) 1998 by Darren Reed & Guido van Rooij.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#if !defined(lint)
+/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $";*/
+static const char rcsid[] = "@(#)$FreeBSD$";
+#endif
+
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+#endif
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/uio.h>
+#ifndef linux
+# include <sys/protosw.h>
+#endif
+#include <sys/socket.h>
+#if defined(_KERNEL) && !defined(linux)
+# include <sys/systm.h>
+#endif
+#if !defined(__SVR4) && !defined(__svr4__)
+# ifndef linux
+#  include <sys/mbuf.h>
+# endif
+#else
+# include <sys/filio.h>
+# include <sys/byteorder.h>
+# ifdef _KERNEL
+#  include <sys/dditypes.h>
+# endif
+# include <sys/stream.h>
+# include <sys/kmem.h>
+#endif
+#if _BSDI_VERSION >= 199802
+# include <sys/queue.h>
+#endif
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
+# include <machine/cpu.h>
+#endif
+#include <net/if.h>
+#ifdef sun
+# include <net/af.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#ifndef	KERNEL
+# define	KERNEL
+# define	NOT_KERNEL
+#endif
+#ifndef linux
+# include <netinet/ip_var.h>
+#endif
+#ifdef	NOT_KERNEL
+# undef	KERNEL
+#endif
+#ifdef __sgi
+# ifdef IFF_DRVRLOCK /* IRIX6 */
+#  include <sys/hashing.h>
+# endif
+#endif
+#include <netinet/tcp.h>
+#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
+extern struct ifqueue   ipintrq;                /* ip packet input queue */
+#else
+# ifndef linux
+#  if __FreeBSD_version >= 300000
+#   include <net/if_var.h>
+#  endif
+#  include <netinet/in_var.h>
+#  include <netinet/tcp_fsm.h>
+# endif
+#endif
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
+#include "netinet/ip_fil.h"
+#include "netinet/ip_auth.h"
+#if !SOLARIS && !defined(linux)
+# include <net/netisr.h>
+# ifdef __FreeBSD__
+#  include <machine/cpufunc.h>
+# endif
+#endif
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
+#  include <sys/libkern.h>
+#  include <sys/systm.h>
+# endif
+#endif
+
+
+
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
+extern KRWLOCK_T ipf_auth;
+extern kmutex_t ipf_authmx;
+# if SOLARIS
+extern kcondvar_t ipfauthwait;
+# endif
+#endif
+#ifdef linux
+static struct wait_queue *ipfauthwait = NULL;
+#endif
+
+int	fr_authsize = FR_NUMAUTH;
+int	fr_authused = 0;
+int	fr_defaultauthage = 600;
+fr_authstat_t	fr_authstats;
+static frauth_t fr_auth[FR_NUMAUTH];
+mb_t	*fr_authpkts[FR_NUMAUTH];
+static int	fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
+static frauthent_t	*fae_list = NULL;
+frentry_t	*ipauth = NULL;
+
+
+/*
+ * Check if a packet has authorization.  If the packet is found to match an
+ * authorization result and that would result in a feedback loop (i.e. it
+ * will end up returning FR_AUTH) then return FR_BLOCK instead.
+ */
+u_32_t fr_checkauth(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+	u_short id = ip->ip_id;
+	u_32_t pass;
+	int i;
+
+	READ_ENTER(&ipf_auth);
+	for (i = fr_authstart; i != fr_authend; ) {
+		/*
+		 * index becomes -2 only after an SIOCAUTHW.  Check this in
+		 * case the same packet gets sent again and it hasn't yet been
+		 * auth'd.
+		 */
+		if ((fr_auth[i].fra_index == -2) &&
+		    (id == fr_auth[i].fra_info.fin_id) &&
+		    !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
+			/*
+			 * Avoid feedback loop.
+			 */
+			if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
+				pass = FR_BLOCK;
+			RWLOCK_EXIT(&ipf_auth);
+			WRITE_ENTER(&ipf_auth);
+			fr_authstats.fas_hits++;
+			fr_auth[i].fra_index = -1;
+			fr_authused--;
+			if (i == fr_authstart) {
+				while (fr_auth[i].fra_index == -1) {
+					i++;
+					if (i == FR_NUMAUTH)
+						i = 0;
+					fr_authstart = i;
+					if (i == fr_authend)
+						break;
+				}
+				if (fr_authstart == fr_authend) {
+					fr_authnext = 0;
+					fr_authstart = fr_authend = 0;
+				}
+			}
+			RWLOCK_EXIT(&ipf_auth);
+			return pass;
+		}
+		i++;
+		if (i == FR_NUMAUTH)
+			i = 0;
+	}
+	fr_authstats.fas_miss++;
+	RWLOCK_EXIT(&ipf_auth);
+	return 0;
+}
+
+
+/*
+ * Check if we have room in the auth array to hold details for another packet.
+ * If we do, store it and wake up any user programs which are waiting to
+ * hear about these events.
+ */
+int fr_newauth(m, fin, ip
+#if defined(_KERNEL) && SOLARIS
+, qif)
+qif_t *qif;
+#else
+)
+#endif
+mb_t *m;
+fr_info_t *fin;
+ip_t *ip;
+{
+	int i;
+
+	WRITE_ENTER(&ipf_auth);
+	if (fr_authstart > fr_authend) {
+		fr_authstats.fas_nospace++;
+		RWLOCK_EXIT(&ipf_auth);
+		return 0;
+	} else {
+		if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
+			fr_authstats.fas_nospace++;
+			RWLOCK_EXIT(&ipf_auth);
+			return 0;
+		}
+	}
+
+	fr_authstats.fas_added++;
+	fr_authused++;
+	i = fr_authend++;
+	if (fr_authend == FR_NUMAUTH)
+		fr_authend = 0;
+	RWLOCK_EXIT(&ipf_auth);
+	fr_auth[i].fra_index = i;
+	fr_auth[i].fra_pass = 0;
+	fr_auth[i].fra_age = fr_defaultauthage;
+	bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
+#if !defined(sparc) && !defined(m68k)
+	/*
+	 * No need to copyback here as we want to undo the changes, not keep
+	 * them.
+	 */
+# if SOLARIS && defined(_KERNEL)
+	if (ip == (ip_t *)m->b_rptr)
+# endif
+	{
+		register u_short bo;
+
+		bo = ip->ip_len;
+		ip->ip_len = htons(bo);
+# if !SOLARIS	/* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
+		bo = ip->ip_id;
+		ip->ip_id = htons(bo);
+# endif
+		bo = ip->ip_off;
+		ip->ip_off = htons(bo);
+	}
+#endif
+#if SOLARIS && defined(_KERNEL)
+	m->b_rptr -= qif->qf_off;
+	fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
+	fr_auth[i].fra_q = qif->qf_q;
+	cv_signal(&ipfauthwait);
+#else
+	fr_authpkts[i] = m;
+# if defined(linux) && defined(_KERNEL)
+	wake_up_interruptible(&ipfauthwait);
+# else
+	WAKEUP(&fr_authnext);
+# endif
+#endif
+	return 1;
+}
+
+
+int fr_auth_ioctl(data, cmd, fr, frptr)
+caddr_t data;
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
+u_long cmd;
+#else
+int cmd;
+#endif
+frentry_t *fr, **frptr;
+{
+	mb_t *m;
+#if defined(_KERNEL)
+# if !SOLARIS
+	struct ifqueue *ifq;
+	int s;
+# endif
+#endif
+	frauth_t auth, *au = &auth;
+	frauthent_t *fae, **faep;
+	int i, error = 0;
+
+	switch (cmd)
+	{
+	case SIOCINIFR :
+	case SIOCRMIFR :
+	case SIOCADIFR :
+		error = EINVAL;
+		break;
+	case SIOCINAFR :
+	case SIOCRMAFR :
+	case SIOCADAFR :
+		for (faep = &fae_list; (fae = *faep); )
+			if (&fae->fae_fr == fr)
+				break;
+			else
+				faep = &fae->fae_next;
+		if (cmd == SIOCRMAFR) {
+			if (!fae)
+				error = ESRCH;
+			else {
+				WRITE_ENTER(&ipf_auth);
+				*faep = fae->fae_next;
+				*frptr = fr->fr_next;
+				RWLOCK_EXIT(&ipf_auth);
+				KFREE(fae);
+			}
+		} else {
+			KMALLOC(fae, frauthent_t *);
+			if (fae != NULL) {
+				IRCOPY((char *)data, (char *)&fae->fae_fr,
+				       sizeof(fae->fae_fr));
+				WRITE_ENTER(&ipf_auth);
+				fae->fae_age = fr_defaultauthage;
+				fae->fae_fr.fr_hits = 0;
+				fae->fae_fr.fr_next = *frptr;
+				*frptr = &fae->fae_fr;
+				fae->fae_next = *faep;
+				*faep = fae;
+				ipauth = &fae_list->fae_fr;
+				RWLOCK_EXIT(&ipf_auth);
+			} else
+				error = ENOMEM;
+		}
+		break;
+	case SIOCATHST:
+		READ_ENTER(&ipf_auth);
+		fr_authstats.fas_faelist = fae_list;
+		RWLOCK_EXIT(&ipf_auth);
+		IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
+		break;
+	case SIOCAUTHW:
+fr_authioctlloop:
+		READ_ENTER(&ipf_auth);
+		if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
+			IWCOPY((char *)&fr_auth[fr_authnext], data,
+			       sizeof(fr_info_t));
+			RWLOCK_EXIT(&ipf_auth);
+			WRITE_ENTER(&ipf_auth);
+			fr_authnext++;
+			if (fr_authnext == FR_NUMAUTH)
+				fr_authnext = 0;
+			RWLOCK_EXIT(&ipf_auth);
+			return 0;
+		}
+#ifdef	_KERNEL
+# if	SOLARIS
+		mutex_enter(&ipf_authmx);
+		if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
+			mutex_exit(&ipf_authmx);
+			return EINTR;
+		}
+		mutex_exit(&ipf_authmx);
+# else
+#  ifdef linux
+		interruptible_sleep_on(&ipfauthwait);
+		if (current->signal & ~current->blocked)
+			error = -EINTR;
+#  else
+		error = SLEEP(&fr_authnext, "fr_authnext");
+# endif
+# endif
+#endif
+		RWLOCK_EXIT(&ipf_auth);
+		if (!error)
+			goto fr_authioctlloop;
+		break;
+	case SIOCAUTHR:
+		IRCOPY(data, (caddr_t)&auth, sizeof(auth));
+		WRITE_ENTER(&ipf_auth);
+		i = au->fra_index;
+		if ((i < 0) || (i > FR_NUMAUTH) ||
+		    (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
+			RWLOCK_EXIT(&ipf_auth);
+			return EINVAL;
+		}
+		m = fr_authpkts[i];
+		fr_auth[i].fra_index = -2;
+		fr_auth[i].fra_pass = au->fra_pass;
+		fr_authpkts[i] = NULL;
+#ifdef	_KERNEL
+		RWLOCK_EXIT(&ipf_auth);
+		SPL_NET(s);
+# ifndef linux
+		if (m && au->fra_info.fin_out) {
+#  if SOLARIS
+			error = fr_qout(fr_auth[i].fra_q, m);
+#  else /* SOLARIS */
+#   if _BSDI_VERSION >= 199802
+			error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
+					  NULL);
+#   else
+			error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
+#   endif
+#  endif /* SOLARIS */
+			if (error)
+				fr_authstats.fas_sendfail++;
+			else
+				fr_authstats.fas_sendok++;
+		} else if (m) {
+# if SOLARIS
+			error = fr_qin(fr_auth[i].fra_q, m);
+# else /* SOLARIS */
+			ifq = &ipintrq;
+			if (IF_QFULL(ifq)) {
+				IF_DROP(ifq);
+				m_freem(m);
+				error = ENOBUFS;
+			} else {
+				IF_ENQUEUE(ifq, m);
+				schednetisr(NETISR_IP);
+			}
+# endif /* SOLARIS */
+			if (error)
+				fr_authstats.fas_quefail++;
+			else
+				fr_authstats.fas_queok++;
+		} else
+			error = EINVAL;
+# endif
+# if SOLARIS
+		if (error)
+			error = EINVAL;
+# else
+		/*
+		 * If we experience an error which will result in the packet
+		 * not being processed, make sure we advance to the next one.
+		 */ 
+		if (error == ENOBUFS) {
+			fr_authused--;
+			fr_auth[i].fra_index = -1;
+			fr_auth[i].fra_pass = 0;
+			if (i == fr_authstart) {
+				while (fr_auth[i].fra_index == -1) {
+					i++;
+					if (i == FR_NUMAUTH)
+						i = 0;
+					fr_authstart = i;
+					if (i == fr_authend)
+						break;
+				}
+				if (fr_authstart == fr_authend) {
+					fr_authnext = 0;
+					fr_authstart = fr_authend = 0;
+				}
+			}
+		}
+# endif
+		SPL_X(s);
+#endif /* _KERNEL */
+		break;
+	default :
+		error = EINVAL;
+		break;
+	}
+	return error;
+}
+
+
+#ifdef	_KERNEL
+/*
+ * Free all network buffer memory used to keep saved packets.
+ */
+void fr_authunload()
+{
+	register int i;
+	register frauthent_t *fae, **faep;
+	mb_t *m;
+
+	WRITE_ENTER(&ipf_auth);
+	for (i = 0; i < FR_NUMAUTH; i++) {
+		if ((m = fr_authpkts[i])) {
+			FREE_MB_T(m);
+			fr_authpkts[i] = NULL;
+			fr_auth[i].fra_index = -1;
+		}
+	}
+
+
+	for (faep = &fae_list; (fae = *faep); ) {
+		*faep = fae->fae_next;
+		KFREE(fae);
+	}
+	ipauth = NULL;
+	RWLOCK_EXIT(&ipf_auth);
+}
+
+
+/*
+ * Slowly expire held auth records.  Timeouts are set
+ * in expectation of this being called twice per second.
+ */
+void fr_authexpire()
+{
+	register int i;
+	register frauth_t *fra;
+	register frauthent_t *fae, **faep;
+	mb_t *m;
+#if !SOLARIS
+	int s;
+#endif
+
+	SPL_NET(s);
+	WRITE_ENTER(&ipf_auth);
+	for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
+		if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
+			FREE_MB_T(m);
+			fr_authpkts[i] = NULL;
+			fr_auth[i].fra_index = -1;
+			fr_authstats.fas_expire++;
+			fr_authused--;
+		}
+	}
+
+	for (faep = &fae_list; (fae = *faep); ) {
+		if (!--fae->fae_age) {
+			*faep = fae->fae_next;
+			KFREE(fae);
+			fr_authstats.fas_expire++;
+		} else
+			faep = &fae->fae_next;
+	}
+	ipauth = &fae_list->fae_fr;
+	RWLOCK_EXIT(&ipf_auth);
+	SPL_X(s);
+}
+#endif
--- a/sys/netinet/ip_auth.h
+++ b/sys/netinet/ip_auth.h
@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * $Id: ip_auth.h,v 2.1 1999/08/04 17:29:54 darrenr Exp $
+ *
+ * $FreeBSD$
+ */
+#ifndef	__IP_AUTH_H__
+#define	__IP_AUTH_H__
+
+#define FR_NUMAUTH      32
+
+typedef struct  frauth {
+	int	fra_age;
+	int	fra_index;
+	u_32_t	fra_pass;
+	fr_info_t	fra_info;
+#if SOLARIS
+	queue_t	*fra_q;
+#endif
+} frauth_t;
+
+typedef	struct	frauthent  {
+	struct	frentry	fae_fr;
+	struct	frauthent	*fae_next;
+	u_long	fae_age;
+} frauthent_t;
+
+typedef struct  fr_authstat {
+	U_QUAD_T	fas_hits;
+	U_QUAD_T	fas_miss;
+	u_long		fas_nospace;
+	u_long		fas_added;
+	u_long		fas_sendfail;
+	u_long		fas_sendok;
+	u_long		fas_queok;
+	u_long		fas_quefail;
+	u_long		fas_expire;
+	frauthent_t	*fas_faelist;
+} fr_authstat_t;
+
+
+extern	frentry_t	*ipauth;
+extern	struct fr_authstat	fr_authstats;
+extern	int	fr_defaultauthage;
+extern	int	fr_authstart;
+extern	int	fr_authend;
+extern	int	fr_authsize;
+extern	int	fr_authused;
+extern	u_32_t	fr_checkauth __P((ip_t *, fr_info_t *));
+extern	void	fr_authexpire __P((void));
+extern	void	fr_authunload __P((void));
+extern	mb_t	*fr_authpkts[];
+#if defined(_KERNEL) && SOLARIS
+extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *, qif_t *));
+#else
+extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
+#endif
+#if defined(__NetBSD__) || defined(__OpenBSD__)
+extern	int	fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **));
+#else
+extern	int	fr_auth_ioctl __P((caddr_t, int, frentry_t *, frentry_t **));
+#endif
+#endif	/* __IP_AUTH_H__ */
--- a/sys/netinet/ip_compat.h
+++ b/sys/netinet/ip_compat.h
@ -0,0 +1,839 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_compat.h	1.8 1/14/96
+ * $Id: ip_compat.h,v 2.1.2.1 1999/09/18 15:03:51 darrenr Exp $
+ * $FreeBSD$
+ */
+
+#ifndef	__IP_COMPAT_H__
+#define	__IP_COMPAT_H__
+
+#ifndef	__P
+# ifdef	__STDC__
+#  define	__P(x)  x
+# else
+#  define	__P(x)  ()
+# endif
+#endif
+#ifndef	__STDC__
+# undef		const
+# define	const
+#endif
+
+#ifndef	SOLARIS
+#define	SOLARIS	(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
+#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
+# undef	KERNEL
+# undef	_KERNEL
+# undef 	__KERNEL__
+# define	KERNEL
+# define	_KERNEL
+# define 	__KERNEL__
+#endif
+
+#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
+#define index   strchr
+# if !defined(KERNEL)
+#  define	bzero(a,b)	memset(a,0,b)
+#  define	bcmp		memcmp
+#  define	bcopy(a,b,c)	memmove(b,a,c)
+# endif
+#endif
+
+#ifndef offsetof
+#define offsetof(t,m) (int)((&((t *)0L)->m))
+#endif
+
+#if defined(__sgi) || defined(bsdi)
+struct  ether_addr {
+        u_char  ether_addr_octet[6];
+};
+#endif
+
+#if defined(__sgi) && !defined(IPFILTER_LKM)
+# ifdef __STDC__
+#  define IPL_EXTERN(ep) ipfilter##ep
+# else
+#  define IPL_EXTERN(ep) ipfilter/**/ep
+# endif
+#else
+# ifdef __STDC__
+#  define IPL_EXTERN(ep) ipl##ep
+# else
+#  define IPL_EXTERN(ep) ipl/**/ep
+# endif
+#endif
+
+#ifdef	linux
+# include <sys/sysmacros.h>
+#endif
+#if	SOLARIS
+# define	MTYPE(m)	((m)->b_datap->db_type)
+# include	<sys/isa_defs.h>
+# include	<sys/ioccom.h>
+# include	<sys/sysmacros.h>
+# include	<sys/kmem.h>
+/*
+ * because Solaris 2 defines these in two places :-/
+ */
+# undef	IPOPT_EOL
+# undef	IPOPT_NOP
+# undef	IPOPT_LSRR
+# undef	IPOPT_RR
+# undef	IPOPT_SSRR
+# ifndef	KERNEL
+#  define	_KERNEL
+#  undef	RES_INIT
+#  include <inet/common.h>
+#  include <inet/ip.h>
+#  include <inet/ip_ire.h>
+#  undef	_KERNEL
+# else /* _KERNEL */
+#  include <inet/common.h>
+#  include <inet/ip.h>
+#  include <inet/ip_ire.h>
+# endif /* _KERNEL */
+#else
+# if !defined(__sgi)
+typedef	 int	minor_t;
+#endif
+#endif /* SOLARIS */
+#define	IPMINLEN(i, h)	((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
+
+#ifndef	IP_OFFMASK
+#define	IP_OFFMASK	0x1fff
+#endif
+
+#if	BSD > 199306
+# define	USE_QUAD_T
+# define	U_QUAD_T	u_quad_t
+# define	QUAD_T		quad_t
+#else /* BSD > 199306 */
+# define	U_QUAD_T	u_long
+# define	QUAD_T		long
+#endif /* BSD > 199306 */
+
+/*
+ * These operating systems already take care of the problem for us.
+ */
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
+    defined(__sgi)
+typedef u_int32_t       u_32_t;
+#else
+/*
+ * Really, any arch where sizeof(long) != sizeof(int).
+ */
+# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
+typedef unsigned int    u_32_t;
+# else
+typedef unsigned long   u_32_t;
+# endif
+#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
+
+#ifndef	MAX
+#define	MAX(a,b)	(((a) > (b)) ? (a) : (b))
+#endif
+
+/*
+ * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
+ *
+ * Basic Option
+ *
+ * 00000001   -   (Reserved 4)
+ * 00111101   -   Top Secret
+ * 01011010   -   Secret
+ * 10010110   -   Confidential
+ * 01100110   -   (Reserved 3)
+ * 11001100   -   (Reserved 2)
+ * 10101011   -   Unclassified
+ * 11110001   -   (Reserved 1)
+ */
+#define	IPSO_CLASS_RES4		0x01
+#define	IPSO_CLASS_TOPS		0x3d
+#define	IPSO_CLASS_SECR		0x5a
+#define	IPSO_CLASS_CONF		0x96
+#define	IPSO_CLASS_RES3		0x66
+#define	IPSO_CLASS_RES2		0xcc
+#define	IPSO_CLASS_UNCL		0xab
+#define	IPSO_CLASS_RES1		0xf1
+
+#define	IPSO_AUTH_GENSER	0x80
+#define	IPSO_AUTH_ESI		0x40
+#define	IPSO_AUTH_SCI		0x20
+#define	IPSO_AUTH_NSA		0x10
+#define	IPSO_AUTH_DOE		0x08
+#define	IPSO_AUTH_UN		0x06
+#define	IPSO_AUTH_FTE		0x01
+
+/*
+ * IP option #defines
+ */
+/*#define	IPOPT_RR	7 */
+#define	IPOPT_ZSU	10	/* ZSU */
+#define	IPOPT_MTUP	11	/* MTUP */
+#define	IPOPT_MTUR	12	/* MTUR */
+#define	IPOPT_ENCODE	15	/* ENCODE */
+/*#define	IPOPT_TS	68 */
+#define	IPOPT_TR	82	/* TR */
+/*#define	IPOPT_SECURITY	130 */
+/*#define	IPOPT_LSRR	131 */
+#define	IPOPT_E_SEC	133	/* E-SEC */
+#define	IPOPT_CIPSO	134	/* CIPSO */
+/*#define	IPOPT_SATID	136 */
+#ifndef	IPOPT_SID
+# define	IPOPT_SID	IPOPT_SATID
+#endif
+/*#define	IPOPT_SSRR	137 */
+#define	IPOPT_ADDEXT	147	/* ADDEXT */
+#define	IPOPT_VISA	142	/* VISA */
+#define	IPOPT_IMITD	144	/* IMITD */
+#define	IPOPT_EIP	145	/* EIP */
+#define	IPOPT_FINN	205	/* FINN */
+
+
+#if defined(__FreeBSD__) && defined(KERNEL)
+# if __FreeBSD__ < 3
+#  include <machine/spl.h>
+# else
+#  if __FreeBSD__ == 3
+#   if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
+#    define	ACTUALLY_LKM_NOT_KERNEL
+#   endif
+#  else
+#   if defined(IPFILTER_LKM) && !defined(KLD_MODULE)
+#    define	KLD_MODULE
+#   endif
+#  endif
+# endif
+#endif /* __FreeBSD__ && KERNEL */
+
+/*
+ * Build some macros and #defines to enable the same code to compile anywhere
+ * Well, that's the idea, anyway :-)
+ */
+#ifdef KERNEL
+# if SOLARIS
+#  define	ATOMIC_INC(x)		{ mutex_enter(&ipf_rw); (x)++; \
+					  mutex_exit(&ipf_rw); }
+#  define	ATOMIC_DEC(x)		{ mutex_enter(&ipf_rw); (x)--; \
+					  mutex_exit(&ipf_rw); }
+#  define	MUTEX_ENTER(x)		mutex_enter(x)
+#  if 1
+#   define	KRWLOCK_T		krwlock_t
+#   define	READ_ENTER(x)		rw_enter(x, RW_READER)
+#   define	WRITE_ENTER(x)		rw_enter(x, RW_WRITER)
+#   define	RW_UPGRADE(x)		{ if (rw_tryupgrade(x) == 0) { \
+					      rw_exit(x); \
+					      rw_enter(x, RW_WRITER); } \
+					}
+#   define	MUTEX_DOWNGRADE(x)	rw_downgrade(x)
+#   define	RWLOCK_INIT(x, y, z)	rw_init((x), (y), RW_DRIVER, (z))
+#   define	RWLOCK_EXIT(x)		rw_exit(x)
+#   define	RW_DESTROY(x)		rw_destroy(x)
+#  else
+#   define	KRWLOCK_T		kmutex_t
+#   define	READ_ENTER(x)		mutex_enter(x)
+#   define	WRITE_ENTER(x)		mutex_enter(x)
+#   define	MUTEX_DOWNGRADE(x)	;
+#   define	RWLOCK_INIT(x, y, z)	mutex_init((x), (y), MUTEX_DRIVER, (z))
+#   define	RWLOCK_EXIT(x)		mutex_exit(x)
+#   define	RW_DESTROY(x)		mutex_destroy(x)
+#  endif
+#  define	MUTEX_EXIT(x)	mutex_exit(x)
+#  define	MTOD(m,t)	(t)((m)->b_rptr)
+#  define	IRCOPY(a,b,c)	copyin((a), (b), (c))
+#  define	IWCOPY(a,b,c)	copyout((a), (b), (c))
+#  define	FREE_MB_T(m)	freemsg(m)
+#  define	SPL_NET(x)	;
+#  define	SPL_IMP(x)	;
+#  undef	SPL_X
+#  define	SPL_X(x)	;
+#  ifdef sparc
+#   define	ntohs(x)	(x)
+#   define	ntohl(x)	(x)
+#   define	htons(x)	(x)
+#   define	htonl(x)	(x)
+#  endif /* sparc */
+#  define	KMALLOC(a,b)	(a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+#  define	KMALLOCS(a,b,c)	(a) = (b)kmem_alloc((c), KM_NOSLEEP)
+#  define	GET_MINOR(x)	getminor(x)
+typedef	struct	qif	{
+	struct	qif	*qf_next;
+	ill_t	*qf_ill;
+	kmutex_t	qf_lock;
+	void	*qf_iptr;
+	void	*qf_optr;
+	queue_t	*qf_in;
+	queue_t	*qf_out;
+	struct	qinit	*qf_wqinfo;
+	struct	qinit	*qf_rqinfo;
+	struct	qinit	qf_wqinit;
+	struct	qinit	qf_rqinit;
+	mblk_t	*qf_m;	/* These three fields are for passing data up from */
+	queue_t	*qf_q;	/* fr_qin and fr_qout to the packet processing. */
+	size_t	qf_off;
+	size_t	qf_len;	/* this field is used for in ipfr_fastroute */
+	char	qf_name[8];
+	/*
+	 * in case the ILL has disappeared...
+	 */
+	size_t	qf_hl;	/* header length */
+} qif_t;
+extern	ill_t	*get_unit __P((char *));
+#  define	GETUNIT(n)	get_unit((n))
+# else /* SOLARIS */
+#  if defined(__sgi)
+#   define  hz HZ
+#   include <sys/ksynch.h>
+#   define	IPF_LOCK_PL	plhi
+#   include <sys/sema.h>
+#undef kmutex_t
+typedef struct {
+	lock_t *l;
+	int pl;
+} kmutex_t;
+#   define	ATOMIC_INC(x)		{ MUTEX_ENTER(&ipf_rw); \
+					  (x)++; MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_DEC(x)		{ MUTEX_ENTER(&ipf_rw); \
+					  (x)--; MUTEX_EXIT(&ipf_rw); }
+#   define	MUTEX_ENTER(x)		(x)->pl = LOCK((x)->l, IPF_LOCK_PL);
+#   define	KRWLOCK_T		kmutex_t
+#   define	READ_ENTER(x)		MUTEX_ENTER(x)
+#   define	WRITE_ENTER(x)		MUTEX_ENTER(x)
+#   define	RW_UPGRADE(x)		;
+#   define	MUTEX_DOWNGRADE(x)	;
+#   define	RWLOCK_EXIT(x)	MUTEX_EXIT(x)
+#   define	MUTEX_EXIT(x)	UNLOCK((x)->l, (x)->pl);
+#  else /* __sgi */
+#   define	ATOMIC_INC(x)		(x)++
+#   define	ATOMIC_DEC(x)		(x)--
+#   define	MUTEX_ENTER(x)		;
+#   define	READ_ENTER(x)	;
+#   define	WRITE_ENTER(x)	;
+#   define	RW_UPGRADE(x)	;
+#   define	MUTEX_DOWNGRADE(x)	;
+#   define	RWLOCK_EXIT(x)	;
+#   define	MUTEX_EXIT(x)	;
+#  endif /* __sgi */
+#  ifndef linux
+#   define	FREE_MB_T(m)	m_freem(m)
+#   define	MTOD(m,t)	mtod(m,t)
+#   define	IRCOPY(a,b,c)	bcopy((a), (b), (c))
+#   define	IWCOPY(a,b,c)	bcopy((a), (b), (c))
+#  endif /* !linux */
+# endif /* SOLARIS */
+
+# ifdef sun
+#  if !SOLARIS
+#   include	<sys/kmem_alloc.h>
+#   define	GETUNIT(n)	ifunit((n), IFNAMSIZ)
+#  endif
+# else
+#  ifndef	linux
+#   define	GETUNIT(n)	ifunit((n))
+#  endif
+# endif /* sun */
+
+# if defined(sun) && !defined(linux) || defined(__sgi)
+#  define	UIOMOVE(a,b,c,d)	uiomove((caddr_t)a,b,c,d)
+#  define	SLEEP(id, n)	sleep((id), PZERO+1)
+#  define	WAKEUP(id)	wakeup(id)
+#  define	KFREE(x)	kmem_free((char *)(x), sizeof(*(x)))
+#  define	KFREES(x,s)	kmem_free((char *)(x), (s))
+#  if !SOLARIS
+extern	void	m_copydata __P((struct mbuf *, int, int, caddr_t));
+extern	void	m_copyback __P((struct mbuf *, int, int, caddr_t));
+#  endif
+#  ifdef __sgi
+#   include <sys/kmem.h>
+#   include <sys/ddi.h>
+#   define	KMALLOC(a,b)	(a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
+#   define	KMALLOCS(a,b,c)	(a) = (b)kmem_alloc((c), KM_NOSLEEP)
+#   define	GET_MINOR(x)	getminor(x)
+#  else
+#   if !SOLARIS
+#    define	KMALLOC(a,b)	(a) = (b)new_kmem_alloc(sizeof(*(a)), \
+							KMEM_NOSLEEP)
+#    define	KMALLOCS(a,b,c)	(a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
+#   endif /* SOLARIS */
+#  endif /* __sgi */
+# endif /* sun && !linux */
+# ifndef	GET_MINOR
+#  define	GET_MINOR(x)	minor(x)
+# endif
+# if (BSD >= 199306) || defined(__FreeBSD__)
+#  include <vm/vm.h>
+#  if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3)
+#   include <vm/vm_extern.h>
+#   include <sys/proc.h>
+extern	vm_map_t	kmem_map;
+#  else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
+#   include <vm/vm_kern.h>
+#  endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
+#  ifdef	M_PFIL
+#   define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
+#   define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
+#   define	KFREE(x)	FREE((x), M_PFIL)
+#   define	KFREES(x,s)	FREE((x), M_PFIL)
+#  else
+#   define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
+#   define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
+#   define	KFREE(x)	FREE((x), M_TEMP)
+#   define	KFREES(x,s)	FREE((x), M_TEMP)
+#  endif /* M_PFIL */
+#  define	UIOMOVE(a,b,c,d)	uiomove(a,b,d)
+#  define	SLEEP(id, n)	tsleep((id), PPAUSE|PCATCH, n, 0)
+#  define	WAKEUP(id)	wakeup(id)
+# endif /* BSD */
+# if defined(NetBSD) && NetBSD <= 1991011 && NetBSD >= 199407
+#  define	SPL_NET(x)	x = splsoftnet()
+#  define	SPL_X(x)	(void) splx(x)
+# else
+#  if !SOLARIS && !defined(linux)
+#   define	SPL_IMP(x)	x = splimp()
+#   define	SPL_NET(x)	x = splnet()
+#   define	SPL_X(x)	(void) splx(x)
+#  endif
+# endif /* NetBSD && NetBSD <= 1991011 && NetBSD >= 199407 */
+# define	PANIC(x,y)	if (x) panic y
+#else /* KERNEL */
+# define	SLEEP(x,y)	;
+# define	WAKEUP(x)	;
+# define	PANIC(x,y)	;
+# define	ATOMIC_INC(x)	(x)++
+# define	ATOMIC_DEC(x)	(x)--
+# define	MUTEX_ENTER(x)	;
+# define	READ_ENTER(x)	;
+# define	WRITE_ENTER(x)	;
+# define	RW_UPGRADE(x)	;
+# define	MUTEX_DOWNGRADE(x)	;
+# define	RWLOCK_EXIT(x)	;
+# define	MUTEX_EXIT(x)	;
+# define	SPL_NET(x)	;
+# define	SPL_IMP(x)	;
+# undef		SPL_X
+# define	SPL_X(x)	;
+# define	KMALLOC(a,b)	(a) = (b)malloc(sizeof(*a))
+# define	KMALLOCS(a,b,c)	(a) = (b)malloc(c)
+# define	KFREE(x)	free(x)
+# define	KFREES(x,s)	free(x)
+# define	GETUNIT(x)	get_unit(x)
+# define	IRCOPY(a,b,c)	bcopy((a), (b), (c))
+# define	IWCOPY(a,b,c)	bcopy((a), (b), (c))
+#endif /* KERNEL */
+
+#if SOLARIS
+typedef mblk_t mb_t;
+# if SOLARIS2 >= 7
+#  ifdef lint
+#   define ALIGN32(ptr)    (ptr ? 0L : 0L)
+#   define ALIGN16(ptr)    (ptr ? 0L : 0L)
+#  else
+#   define ALIGN32(ptr)    (ptr)
+#   define ALIGN16(ptr)    (ptr)
+#  endif
+# endif
+#else
+# ifdef	linux
+#  ifndef kernel
+typedef struct mb {
+	struct mb *next;
+	u_int len;
+	u_char *data;
+} mb_t;
+#  else
+typedef struct sk_buff mb_t;
+#  endif
+# else
+typedef struct mbuf mb_t;
+# endif
+#endif /* SOLARIS */
+
+#if defined(linux) || defined(__sgi)
+/*
+ * These #ifdef's are here mainly for linux, but who knows, they may
+ * not be in other places or maybe one day linux will grow up and some
+ * of these will turn up there too.
+ */
+#ifndef	ICMP_MINLEN
+# define	ICMP_MINLEN	8
+#endif
+#ifndef	ICMP_UNREACH
+# define	ICMP_UNREACH	ICMP_DEST_UNREACH
+#endif
+#ifndef	ICMP_SOURCEQUENCH
+# define	ICMP_SOURCEQUENCH	ICMP_SOURCE_QUENCH
+#endif
+#ifndef	ICMP_TIMXCEED
+# define	ICMP_TIMXCEED	ICMP_TIME_EXCEEDED
+#endif
+#ifndef	ICMP_PARAMPROB
+# define	ICMP_PARAMPROB	ICMP_PARAMETERPROB
+#endif
+#ifndef ICMP_TSTAMP
+# define	ICMP_TSTAMP	ICMP_TIMESTAMP
+#endif
+#ifndef ICMP_TSTAMPREPLY
+# define	ICMP_TSTAMPREPLY	ICMP_TIMESTAMPREPLY
+#endif
+#ifndef ICMP_IREQ
+# define	ICMP_IREQ	ICMP_INFO_REQUEST
+#endif
+#ifndef ICMP_IREQREPLY
+# define	ICMP_IREQREPLY	ICMP_INFO_REPLY
+#endif
+#ifndef	ICMP_MASKREQ
+# define	ICMP_MASKREQ	ICMP_ADDRESS
+#endif
+#ifndef ICMP_MASKREPLY
+# define	ICMP_MASKREPLY	ICMP_ADDRESSREPLY
+#endif
+#ifndef	IPVERSION
+# define	IPVERSION	4
+#endif
+#ifndef	IPOPT_MINOFF
+# define	IPOPT_MINOFF	4
+#endif
+#ifndef	IPOPT_COPIED
+# define	IPOPT_COPIED(x)	((x)&0x80)
+#endif
+#ifndef	IPOPT_EOL
+# define	IPOPT_EOL	0
+#endif
+#ifndef	IPOPT_NOP
+# define	IPOPT_NOP	1
+#endif
+#ifndef	IP_MF
+# define	IP_MF	((u_short)0x2000)
+#endif
+#ifndef	ETHERTYPE_IP
+# define	ETHERTYPE_IP	((u_short)0x0800)
+#endif
+#ifndef	TH_FIN
+# define	TH_FIN	0x01
+#endif
+#ifndef	TH_SYN
+# define	TH_SYN	0x02
+#endif
+#ifndef	TH_RST
+# define	TH_RST	0x04
+#endif
+#ifndef	TH_PUSH
+# define	TH_PUSH	0x08
+#endif
+#ifndef	TH_ACK
+# define	TH_ACK	0x10
+#endif
+#ifndef	TH_URG
+# define	TH_URG	0x20
+#endif
+#ifndef	IPOPT_EOL
+# define	IPOPT_EOL	0
+#endif
+#ifndef	IPOPT_NOP
+# define	IPOPT_NOP	1
+#endif
+#ifndef	IPOPT_RR
+# define	IPOPT_RR	7
+#endif
+#ifndef	IPOPT_TS
+# define	IPOPT_TS	68
+#endif
+#ifndef	IPOPT_SECURITY
+# define	IPOPT_SECURITY	130
+#endif
+#ifndef	IPOPT_LSRR
+# define	IPOPT_LSRR	131
+#endif
+#ifndef	IPOPT_SATID
+# define	IPOPT_SATID	136
+#endif
+#ifndef	IPOPT_SSRR
+# define	IPOPT_SSRR	137
+#endif
+#ifndef	IPOPT_SECUR_UNCLASS
+# define	IPOPT_SECUR_UNCLASS	((u_short)0x0000)
+#endif
+#ifndef	IPOPT_SECUR_CONFID
+# define	IPOPT_SECUR_CONFID	((u_short)0xf135)
+#endif
+#ifndef	IPOPT_SECUR_EFTO
+# define	IPOPT_SECUR_EFTO	((u_short)0x789a)
+#endif
+#ifndef	IPOPT_SECUR_MMMM
+# define	IPOPT_SECUR_MMMM	((u_short)0xbc4d)
+#endif
+#ifndef	IPOPT_SECUR_RESTR
+# define	IPOPT_SECUR_RESTR	((u_short)0xaf13)
+#endif
+#ifndef	IPOPT_SECUR_SECRET
+# define	IPOPT_SECUR_SECRET	((u_short)0xd788)
+#endif
+#ifndef IPOPT_SECUR_TOPSECRET
+# define	IPOPT_SECUR_TOPSECRET	((u_short)0x6bc5)
+#endif
+#ifndef IPOPT_OLEN
+# define	IPOPT_OLEN	1
+#endif
+#endif /* linux || __sgi */
+
+#ifdef	linux
+#include <linux/in_systm.h>
+/*
+ * TCP States
+ */
+#define	TCPS_CLOSED		0	/* closed */
+#define	TCPS_LISTEN		1	/* listening for connection */
+#define	TCPS_SYN_SENT		2	/* active, have sent syn */
+#define	TCPS_SYN_RECEIVED	3	/* have send and received syn */
+/* states < TCPS_ESTABLISHED are those where connections not established */
+#define	TCPS_ESTABLISHED	4	/* established */
+#define	TCPS_CLOSE_WAIT		5	/* rcvd fin, waiting for close */
+/* states > TCPS_CLOSE_WAIT are those where user has closed */
+#define	TCPS_FIN_WAIT_1		6	/* have closed, sent fin */
+#define	TCPS_CLOSING		7	/* closed xchd FIN; await FIN ACK */
+#define	TCPS_LAST_ACK		8	/* had fin and close; await FIN ACK */
+/* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */
+#define	TCPS_FIN_WAIT_2		9	/* have closed, fin is acked */
+#define	TCPS_TIME_WAIT		10	/* in 2*msl quiet wait after close */
+
+/*
+ * file flags.
+ */
+#ifdef WRITE
+#define	FWRITE	WRITE
+#define	FREAD	READ
+#else
+#define	FWRITE	_IOC_WRITE
+#define	FREAD	_IOC_READ
+#endif
+/*
+ * mbuf related problems.
+ */
+#define	mtod(m,t)	(t)((m)->data)
+#define	m_len		len
+#define	m_next		next
+
+#ifdef	IP_DF
+#undef	IP_DF
+#endif
+#define	IP_DF		0x4000
+
+typedef	struct	{
+	__u16	th_sport;
+	__u16	th_dport;
+	__u32	th_seq;
+	__u32	th_ack;
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+    defined(vax)
+	__u8	th_res:4;
+	__u8	th_off:4;
+#else
+	__u8	th_off:4;
+	__u8	th_res:4;
+#endif
+	__u8	th_flags;
+	__u16	th_win;
+	__u16	th_sum;
+	__u16	th_urp;
+} tcphdr_t;
+
+typedef	struct	{
+	__u16	uh_sport;
+	__u16	uh_dport;
+	__u16	uh_ulen;
+	__u16	uh_sum;
+} udphdr_t;
+
+typedef	struct	{
+# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
+    defined(vax)
+	__u8	ip_hl:4;
+	__u8	ip_v:4;
+# else
+	__u8	ip_hl:4;
+	__u8	ip_v:4;
+# endif
+	__u8	ip_tos;
+	__u16	ip_len;
+	__u16	ip_id;
+	__u16	ip_off;
+	__u8	ip_ttl;
+	__u8	ip_p;
+	__u16	ip_sum;
+	struct	in_addr	ip_src;
+	struct	in_addr	ip_dst;
+} ip_t;
+
+/*
+ * Structure of an icmp header.
+ */
+typedef struct icmp {
+	__u8	icmp_type;		/* type of message, see below */
+	__u8	icmp_code;		/* type sub code */
+	__u16	icmp_cksum;		/* ones complement cksum of struct */
+	union {
+		__u8	ih_pptr;		/* ICMP_PARAMPROB */
+		struct	in_addr	ih_gwaddr;	/* ICMP_REDIRECT */
+		struct	ih_idseq {
+			__u16	icd_id;
+			__u16	icd_seq;
+		} ih_idseq;
+		int ih_void;
+	} icmp_hun;
+# define	icmp_pptr	icmp_hun.ih_pptr
+# define	icmp_gwaddr	icmp_hun.ih_gwaddr
+# define	icmp_id		icmp_hun.ih_idseq.icd_id
+# define	icmp_seq	icmp_hun.ih_idseq.icd_seq
+# define	icmp_void	icmp_hun.ih_void
+	union {
+		struct id_ts {
+			n_time its_otime;
+			n_time its_rtime;
+			n_time its_ttime;
+		} id_ts;
+		struct id_ip  {
+			ip_t idi_ip;
+			/* options and then 64 bits of data */
+		} id_ip;
+		u_long	id_mask;
+		char	id_data[1];
+	} icmp_dun;
+# define	icmp_otime	icmp_dun.id_ts.its_otime
+# define	icmp_rtime	icmp_dun.id_ts.its_rtime
+# define	icmp_ttime	icmp_dun.id_ts.its_ttime
+# define	icmp_ip		icmp_dun.id_ip.idi_ip
+# define	icmp_mask	icmp_dun.id_mask
+# define	icmp_data	icmp_dun.id_data
+} icmphdr_t;
+
+# ifndef LINUX_IPOVLY
+#  define LINUX_IPOVLY
+struct ipovly {
+	caddr_t	ih_next, ih_prev;	/* for protocol sequence q's */
+	u_char	ih_x1;			/* (unused) */
+	u_char	ih_pr;			/* protocol */
+	short	ih_len;			/* protocol length */
+	struct	in_addr ih_src;		/* source internet address */
+	struct	in_addr ih_dst;		/* destination internet address */
+};
+# endif
+
+typedef struct  {
+	__u8	ether_dhost[6];
+	__u8	ether_shost[6];
+	__u16	ether_type;
+} ether_header_t;
+
+typedef	struct	uio	{
+	int	uio_resid;
+	int	uio_rw;
+	caddr_t	uio_buf;
+} uio_t;
+
+# define	UIO_READ	0
+# define	UIO_WRITE	1
+# define	UIOMOVE(a, b, c, d)	uiomove(a,b,c,d)
+
+/*
+ * For masking struct ifnet onto struct device
+ */
+# define	if_name	name
+
+# ifdef	KERNEL
+#  define	GETUNIT(x)	dev_get(x)
+#  define	FREE_MB_T(m)	kfree_skb(m, FREE_WRITE)
+#  define	uniqtime	do_gettimeofday
+#  undef INT_MAX
+#  undef UINT_MAX
+#  undef LONG_MAX
+#  undef ULONG_MAX
+#  include <linux/netdevice.h>
+#  define	SPL_X(x)
+#  define	SPL_NET(x)
+#  define	SPL_IMP(x)
+ 
+#  define	bcmp(a,b,c)	memcmp(a,b,c)
+#  define	bcopy(a,b,c)	memcpy(b,a,c)
+#  define	bzero(a,c)	memset(a,0,c)
+
+#  define	UNITNAME(n)	dev_get((n))
+
+#  define	KMALLOC(a,b)	(a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC)
+#  define	KMALLOCS(a,b,c)	(a) = (b)kmalloc((c), GFP_ATOMIC)
+#  define	KFREE(x)	kfree_s((x), sizeof(*(x)))
+#  define	KFREES(x,s)	kfree_s((x), (s))
+#  define	IRCOPY(a,b,c)	{ \
+				 error = verify_area(VERIFY_READ, (a) ,(c)); \
+				 if (!error) \
+					memcpy_fromfs((b), (a), (c)); \
+				}
+#  define	IWCOPY(a,b,c)	{ \
+				 error = verify_area(VERIFY_WRITE, (b), (c)); \
+				 if (!error) \
+					memcpy_tofs((b), (a), (c)); \
+				}
+# else
+#  define	__KERNEL__
+#  undef INT_MAX
+#  undef UINT_MAX
+#  undef LONG_MAX
+#  undef ULONG_MAX
+#  define	s8 __s8
+#  define	u8 __u8
+#  define	s16 __s16
+#  define	u16 __u16
+#  define	s32 __s32
+#  define	u32 __u32
+#  include <linux/netdevice.h>
+#  undef	__KERNEL__
+# endif
+# define	ifnet	device
+#else
+typedef	struct	tcphdr	tcphdr_t;
+typedef	struct	udphdr	udphdr_t;
+typedef	struct	icmp	icmphdr_t;
+typedef	struct	ip	ip_t;
+typedef	struct	ether_header	ether_header_t;
+#endif /* linux */
+typedef	struct	tcpiphdr	tcpiphdr_t;
+
+#if defined(hpux) || defined(linux)
+struct	ether_addr	{
+	char	ether_addr_octet[6];
+};
+#endif
+
+/*
+ * XXX - This is one of those *awful* hacks which nobody likes
+ */
+#ifdef	ultrix
+#define	A_A
+#else
+#define	A_A	&
+#endif
+
+#ifndef	ICMP_ROUTERADVERT
+# define	ICMP_ROUTERADVERT	9
+#endif
+#ifndef	ICMP_ROUTERSOLICIT
+# define	ICMP_ROUTERSOLICIT	10
+#endif
+/*
+ * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
+ * another IP header and then 64 bits of data, totalling 56.  Of course,
+ * the last 64 bits is dependant on that being available.
+ */
+#define	ICMPERR_ICMPHLEN	8
+#define	ICMPERR_IPICMPHLEN	(20 + 8)
+#define	ICMPERR_MINPKTLEN	(20 + 8 + 20)
+#define	ICMPERR_MAXPKTLEN	(20 + 8 + 20 + 8)
+
+#endif	/* __IP_COMPAT_H__ */
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@ -0,0 +1,566 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_fil.h	1.35 6/5/96
+ * $Id: ip_fil.h,v 2.3.2.4 1999/10/15 13:42:37 darrenr Exp $
+ * $FreeBSD$
+ */
+
+#ifndef	__IP_FIL_H__
+#define	__IP_FIL_H__
+
+/*
+ * Pathnames for various IP Filter control devices.  Used by LKM
+ * and userland, so defined here.
+ */
+#define	IPNAT_NAME	"/dev/ipnat"
+#define	IPSTATE_NAME	"/dev/ipstate"
+#define	IPAUTH_NAME	"/dev/ipauth"
+
+#ifndef	SOLARIS
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
+#if defined(KERNEL) && !defined(_KERNEL)
+# define	_KERNEL
+#endif
+
+#ifndef	__P
+# ifdef	__STDC__
+#  define	__P(x)	x
+# else
+#  define	__P(x)	()
+# endif
+#endif
+
+#if defined(__STDC__) || defined(__GNUC__)
+# define	SIOCADAFR	_IOW('r', 60, struct frentry)
+# define	SIOCRMAFR	_IOW('r', 61, struct frentry)
+# define	SIOCSETFF	_IOW('r', 62, u_int)
+# define	SIOCGETFF	_IOR('r', 63, u_int)
+# define	SIOCGETFS	_IOR('r', 64, struct friostat)
+# define	SIOCIPFFL	_IOWR('r', 65, int)
+# define	SIOCIPFFB	_IOR('r', 66, int)
+# define	SIOCADIFR	_IOW('r', 67, struct frentry)
+# define	SIOCRMIFR	_IOW('r', 68, struct frentry)
+# define	SIOCSWAPA	_IOR('r', 69, u_int)
+# define	SIOCINAFR	_IOW('r', 70, struct frentry)
+# define	SIOCINIFR	_IOW('r', 71, struct frentry)
+# define	SIOCFRENB	_IOW('r', 72, u_int)
+# define	SIOCFRSYN	_IOW('r', 73, u_int)
+# define	SIOCFRZST	_IOWR('r', 74, struct friostat)
+# define	SIOCZRLST	_IOWR('r', 75, struct frentry)
+# define	SIOCAUTHW	_IOWR('r', 76, struct fr_info)
+# define	SIOCAUTHR	_IOWR('r', 77, struct fr_info)
+# define	SIOCATHST	_IOWR('r', 78, struct fr_authstat)
+#else
+# define	SIOCADAFR	_IOW(r, 60, struct frentry)
+# define	SIOCRMAFR	_IOW(r, 61, struct frentry)
+# define	SIOCSETFF	_IOW(r, 62, u_int)
+# define	SIOCGETFF	_IOR(r, 63, u_int)
+# define	SIOCGETFS	_IOR(r, 64, struct friostat)
+# define	SIOCIPFFL	_IOWR(r, 65, int)
+# define	SIOCIPFFB	_IOR(r, 66, int)
+# define	SIOCADIFR	_IOW(r, 67, struct frentry)
+# define	SIOCRMIFR	_IOW(r, 68, struct frentry)
+# define	SIOCSWAPA	_IOR(r, 69, u_int)
+# define	SIOCINAFR	_IOW(r, 70, struct frentry)
+# define	SIOCINIFR	_IOW(r, 71, struct frentry)
+# define	SIOCFRENB	_IOW(r, 72, u_int)
+# define	SIOCFRSYN	_IOW(r, 73, u_int)
+# define	SIOCFRZST	_IOWR(r, 74, struct friostat)
+# define	SIOCZRLST	_IOWR(r, 75, struct frentry)
+# define	SIOCAUTHW	_IOWR(r, 76, struct fr_info)
+# define	SIOCAUTHR	_IOWR(r, 77, struct fr_info)
+# define	SIOCATHST	_IOWR(r, 78, struct fr_authstat)
+#endif
+#define	SIOCADDFR	SIOCADAFR
+#define	SIOCDELFR	SIOCRMAFR
+#define	SIOCINSFR	SIOCINAFR
+
+typedef	struct	fr_ip	{
+	u_char	fi_v:4;		/* IP version */
+	u_char	fi_fl:4;	/* packet flags */
+	u_char	fi_tos;		/* IP packet TOS */
+	u_char	fi_ttl;		/* IP packet TTL */
+	u_char	fi_p;		/* IP packet protocol */
+	struct	in_addr	fi_src;	/* source address from packet */
+	struct	in_addr	fi_dst;	/* destination address from packet */
+	u_32_t	fi_optmsk;	/* bitmask composed from IP options */
+	u_short	fi_secmsk;	/* bitmask composed from IP security options */
+	u_short	fi_auth;	/* authentication code from IP sec. options */
+} fr_ip_t;
+
+#define	FI_OPTIONS	(FF_OPTIONS >> 24)
+#define	FI_TCPUDP	(FF_TCPUDP >> 24)	/* TCP/UCP implied comparison*/
+#define	FI_FRAG		(FF_FRAG >> 24)
+#define	FI_SHORT	(FF_SHORT >> 24)
+#define	FI_CMP		(FI_OPTIONS|FI_TCPUDP|FI_SHORT)
+
+/*
+ * These are both used by the state and NAT code to indicate that one port or
+ * the other should be treated as a wildcard.
+ */
+#define	FI_W_SPORT	0x00000100
+#define	FI_W_DPORT	0x00000200
+
+typedef	struct	fr_info	{
+	void	*fin_ifp;		/* interface packet is `on' */
+	struct	fr_ip	fin_fi;		/* IP Packet summary */
+	u_short	fin_data[2];		/* TCP/UDP ports, ICMP code/type */
+	u_char	fin_out;		/* in or out ? 1 == out, 0 == in */
+	u_char	fin_rev;		/* state only: 1 = reverse */
+	u_short	fin_hlen;		/* length of IP header in bytes */
+	u_char	fin_tcpf;		/* TCP header flags (SYN, ACK, etc) */
+	/* From here on is packet specific */
+	u_char	fin_icode;		/* ICMP error to return */
+	u_short	fin_rule;		/* rule # last matched */
+	u_short	fin_group;		/* group number, -1 for none */
+	struct	frentry *fin_fr;	/* last matching rule */
+	char	*fin_dp;		/* start of data past IP header */
+	u_short	fin_dlen;		/* length of data portion of packet */
+	u_short	fin_id;			/* IP packet id field */
+	void	*fin_mp;		/* pointer to pointer to mbuf */
+#if SOLARIS && defined(_KERNEL)
+	void	*fin_qfm;		/* pointer to mblk where pkt starts */
+	void	*fin_qif;
+#endif
+} fr_info_t;
+
+/*
+ * Size for compares on fr_info structures
+ */
+#define	FI_CSIZE	offsetof(fr_info_t, fin_icode)
+
+/*
+ * Size for copying cache fr_info structure
+ */
+#define	FI_COPYSIZE	offsetof(fr_info_t, fin_dp)
+
+typedef	struct	frdest	{
+	void	*fd_ifp;
+	struct	in_addr	fd_ip;
+	char	fd_ifname[IFNAMSIZ];
+} frdest_t;
+
+typedef	struct	frentry {
+	struct	frentry	*fr_next;
+	u_short	fr_group;	/* group to which this rule belongs */
+	u_short	fr_grhead;	/* group # which this rule starts */
+	struct	frentry	*fr_grp;
+	int	fr_ref;		/* reference count - for grouping */
+	void	*fr_ifa;
+#if BSD >= 199306
+	void	*fr_oifa;
+#endif
+	/*
+	 * These are only incremented when a packet  matches this rule and
+	 * it is the last match
+	 */
+	U_QUAD_T	fr_hits;
+	U_QUAD_T	fr_bytes;
+	/*
+	 * Fields after this may not change whilst in the kernel.
+	 */
+	struct	fr_ip	fr_ip;
+	struct	fr_ip	fr_mip;	/* mask structure */
+
+	u_char	fr_tcpfm;	/* tcp flags mask */
+	u_char	fr_tcpf;	/* tcp flags */
+
+	u_short	fr_icmpm;	/* data for ICMP packets (mask) */
+	u_short	fr_icmp;
+
+	u_char	fr_scmp;	/* data for port comparisons */
+	u_char	fr_dcmp;
+	u_short	fr_dport;
+	u_short	fr_sport;
+	u_short	fr_stop;	/* top port for <> and >< */
+	u_short	fr_dtop;	/* top port for <> and >< */
+	u_32_t	fr_flags;	/* per-rule flags && options (see below) */
+	u_short	fr_skip;	/* # of rules to skip */
+	u_short	fr_loglevel;	/* syslog log facility + priority */
+	int	(*fr_func) __P((int, ip_t *, fr_info_t *));	/* call this function */
+	char	fr_icode;	/* return ICMP code */
+	char	fr_ifname[IFNAMSIZ];
+#if BSD >= 199306
+	char	fr_oifname[IFNAMSIZ];
+#endif
+	struct	frdest	fr_tif;	/* "to" interface */
+	struct	frdest	fr_dif;	/* duplicate packet interfaces */
+} frentry_t;
+
+#define	fr_proto	fr_ip.fi_p
+#define	fr_ttl		fr_ip.fi_ttl
+#define	fr_tos		fr_ip.fi_tos
+#define	fr_dst		fr_ip.fi_dst
+#define	fr_src		fr_ip.fi_src
+#define	fr_dmsk		fr_mip.fi_dst
+#define	fr_smsk		fr_mip.fi_src
+
+#ifndef	offsetof
+#define	offsetof(t,m)	(int)((&((t *)0L)->m))
+#endif
+#define	FR_CMPSIZ	(sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
+
+/*
+ * fr_flags
+ */
+#define	FR_BLOCK	0x00001	/* do not allow packet to pass */
+#define	FR_PASS		0x00002	/* allow packet to pass */
+#define	FR_OUTQUE	0x00004	/* outgoing packets */
+#define	FR_INQUE	0x00008	/* ingoing packets */
+#define	FR_LOG		0x00010	/* Log */
+#define	FR_LOGB		0x00011	/* Log-fail */
+#define	FR_LOGP		0x00012	/* Log-pass */
+#define	FR_LOGBODY	0x00020	/* Log the body */
+#define	FR_LOGFIRST	0x00040	/* Log the first byte if state held */
+#define	FR_RETRST	0x00080	/* Return TCP RST packet - reset connection */
+#define	FR_RETICMP	0x00100	/* Return ICMP unreachable packet */
+#define	FR_FAKEICMP	0x00180	/* Return ICMP unreachable with fake source */
+#define	FR_NOMATCH	0x00200	/* no match occured */
+#define	FR_ACCOUNT	0x00400	/* count packet bytes */
+#define	FR_KEEPFRAG	0x00800	/* keep fragment information */
+#define	FR_KEEPSTATE	0x01000	/* keep `connection' state information */
+#define	FR_INACTIVE	0x02000
+#define	FR_QUICK	0x04000	/* match & stop processing list */
+#define	FR_FASTROUTE	0x08000	/* bypass normal routing */
+#define	FR_CALLNOW	0x10000	/* call another function (fr_func) if matches */
+#define	FR_DUP		0x20000	/* duplicate packet */
+#define	FR_LOGORBLOCK	0x40000	/* block the packet if it can't be logged */
+#define	FR_NOTSRCIP	0x80000	/* not the src IP# */
+#define	FR_NOTDSTIP	0x100000	/* not the dst IP# */
+#define	FR_AUTH		0x200000	/* use authentication */
+#define	FR_PREAUTH	0x400000	/* require preauthentication */
+#define	FR_DONTCACHE	0x800000	/* don't cache the result */
+
+#define	FR_LOGMASK	(FR_LOG|FR_LOGP|FR_LOGB)
+#define	FR_RETMASK	(FR_RETICMP|FR_RETRST|FR_FAKEICMP)
+
+/*
+ * These correspond to #define's for FI_* and are stored in fr_flags
+ */
+#define	FF_OPTIONS	0x01000000
+#define	FF_TCPUDP	0x02000000
+#define	FF_FRAG		0x04000000
+#define	FF_SHORT	0x08000000
+/*
+ * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
+ */
+#define	FF_LOGPASS	0x10000000
+#define	FF_LOGBLOCK	0x20000000
+#define	FF_LOGNOMATCH	0x40000000
+#define	FF_LOGGING	(FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
+#define	FF_BLOCKNONIP	0x80000000	/* Solaris2 Only */
+
+#define	FR_NONE 0
+#define	FR_EQUAL 1
+#define	FR_NEQUAL 2
+#define FR_LESST 3
+#define FR_GREATERT 4
+#define FR_LESSTE 5
+#define FR_GREATERTE 6
+#define	FR_OUTRANGE 7
+#define	FR_INRANGE 8
+
+typedef	struct	filterstats {
+	u_long	fr_pass;	/* packets allowed */
+	u_long	fr_block;	/* packets denied */
+	u_long	fr_nom;		/* packets which don't match any rule */
+	u_long	fr_ppkl;	/* packets allowed and logged */
+	u_long	fr_bpkl;	/* packets denied and logged */
+	u_long	fr_npkl;	/* packets unmatched and logged */
+	u_long	fr_pkl;		/* packets logged */
+	u_long	fr_skip;	/* packets to be logged but buffer full */
+	u_long	fr_ret;		/* packets for which a return is sent */
+	u_long	fr_acct;	/* packets for which counting was performed */
+	u_long	fr_bnfr;	/* bad attempts to allocate fragment state */
+	u_long	fr_nfr;		/* new fragment state kept */
+	u_long	fr_cfr;		/* add new fragment state but complete pkt */
+	u_long	fr_bads;	/* bad attempts to allocate packet state */
+	u_long	fr_ads;		/* new packet state kept */
+	u_long	fr_chit;	/* cached hit */
+	u_long	fr_tcpbad;	/* TCP checksum check failures */
+	u_long	fr_pull[2];	/* good and bad pullup attempts */
+#if SOLARIS
+	u_long	fr_notdata;	/* PROTO/PCPROTO that have no data */
+	u_long	fr_nodata;	/* mblks that have no data */
+	u_long	fr_bad;		/* bad IP packets to the filter */
+	u_long	fr_notip;	/* packets passed through no on ip queue */
+	u_long	fr_drop;	/* packets dropped - no info for them! */
+#endif
+} filterstats_t;
+
+/*
+ * For SIOCGETFS
+ */
+typedef	struct	friostat	{
+	struct	filterstats	f_st[2];
+	struct	frentry		*f_fin[2];
+	struct	frentry		*f_fout[2];
+	struct	frentry		*f_acctin[2];
+	struct	frentry		*f_acctout[2];
+	struct	frentry		*f_auth;
+	struct	frgroup		*f_groups[3][2];
+	u_long	f_froute[2];
+	int	f_active;	/* 1 or 0 - active rule set */
+	int	f_defpass;	/* default pass - from fr_pass */
+	int	f_running;	/* 1 if running, else 0 */
+	int	f_logging;	/* 1 if enabled, else 0 */
+	char	f_version[32];	/* version string */
+} friostat_t;
+
+typedef struct	optlist {
+	u_short ol_val;
+	int	ol_bit;
+} optlist_t;
+
+
+/*
+ * Group list structure.
+ */
+typedef	struct frgroup {
+	u_short	fg_num;
+	struct	frgroup	*fg_next;
+	struct	frentry	*fg_head;
+	struct	frentry	**fg_start;
+} frgroup_t;
+
+
+/*
+ * Log structure.  Each packet header logged is prepended by one of these.
+ * Following this in the log records read from the device will be an ipflog
+ * structure which is then followed by any packet data.
+ */
+typedef	struct	iplog	{
+	u_32_t	ipl_magic;
+	u_int	ipl_count;
+	u_long	ipl_sec;
+	u_long	ipl_usec;
+	size_t	ipl_dsize;
+	struct	iplog	*ipl_next;
+} iplog_t;
+
+#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
+
+typedef	struct	ipflog	{
+#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
+        (defined(OpenBSD) && (OpenBSD >= 199603))
+	u_char	fl_ifname[IFNAMSIZ];
+#else
+	u_int	fl_unit;
+	u_char	fl_ifname[4];
+#endif
+	u_char	fl_plen;	/* extra data after hlen */
+	u_char	fl_hlen;	/* length of IP headers saved */
+	u_short	fl_rule;	/* assume never more than 64k rules, total */
+	u_short	fl_group;
+	u_short	fl_loglevel;	/* syslog log level */
+	u_32_t	fl_flags;
+	u_32_t	fl_lflags;
+} ipflog_t;
+
+
+#ifndef	ICMP_UNREACH_FILTER
+# define	ICMP_UNREACH_FILTER	13
+#endif
+
+#ifndef	IPF_LOGGING
+# define	IPF_LOGGING	0
+#endif
+#ifndef	IPF_DEFAULT_PASS
+# define	IPF_DEFAULT_PASS	FR_PASS
+#endif
+
+#define	IPMINLEN(i, h)	((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
+#define	IPLLOGSIZE	8192
+
+/*
+ * Device filenames for reading log information.  Use ipf on Solaris2 because
+ * ipl is already a name used by something else.
+ */
+#ifndef	IPL_NAME
+# if	SOLARIS
+#  define	IPL_NAME	"/dev/ipf"
+# else
+#  define	IPL_NAME	"/dev/ipl"
+# endif
+#endif
+#define	IPL_NAT		IPNAT_NAME
+#define	IPL_STATE	IPSTATE_NAME
+#define	IPL_AUTH	IPAUTH_NAME
+
+#define	IPL_LOGIPF	0	/* Minor device #'s for accessing logs */
+#define	IPL_LOGNAT	1
+#define	IPL_LOGSTATE	2
+#define	IPL_LOGAUTH	3
+#define	IPL_LOGMAX	3
+
+#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
+    (__FreeBSD_version >= 220000)
+# define	CDEV_MAJOR	79
+#endif
+
+/*
+ * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
+ * on those hooks.  We don't need any special mods in non-IP Filter code
+ * with this!
+ */
+#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
+    (defined(NetBSD1_2) && NetBSD1_2 > 1)
+# if (NetBSD >= 199905)
+#  define PFIL_HOOKS
+# endif
+# ifdef PFIL_HOOKS
+#  define NETBSD_PF
+# endif
+#endif
+
+
+#ifndef	_KERNEL
+extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
+extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
+extern	int	send_reset __P((ip_t *, struct ifnet *));
+extern	int	icmp_error __P((ip_t *, struct ifnet *));
+extern	int	ipf_log __P((void));
+extern	int	ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
+extern	struct	ifnet *get_unit __P((char *));
+# if defined(__NetBSD__) || defined(__OpenBSD__) || \
+	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
+extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
+# else
+extern	int	iplioctl __P((dev_t, int, caddr_t, int));
+# endif
+extern	int	iplopen __P((dev_t, int));
+extern	int	iplclose __P((dev_t, int));
+#else /* #ifndef _KERNEL */
+# if defined(__NetBSD__) && defined(PFIL_HOOKS)
+extern	void	ipfilterattach __P((int));
+# endif
+extern	int	iplattach __P((void));
+extern	int	ipl_enable __P((void));
+extern	int	ipl_disable __P((void));
+extern	void	ipflog_init __P((void));
+extern	int	ipflog_clear __P((minor_t));
+extern	int	ipflog_read __P((minor_t, struct uio *));
+extern	int	ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
+extern	int	ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
+# if	SOLARIS
+extern	int	fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
+extern	int	(*fr_checkp) __P((ip_t *, int, void *,
+				  int, qif_t *, mb_t **));
+extern	int	icmp_error __P((ip_t *, int, int, qif_t *, struct in_addr));
+#  if SOLARIS2 >= 7
+extern	int	iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
+#  else
+extern	int	iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
+#  endif
+extern	int	iplopen __P((dev_t *, int, int, cred_t *));
+extern	int	iplclose __P((dev_t, int, int, cred_t *));
+extern	int	ipfsync __P((void));
+extern	int	send_reset __P((fr_info_t *, ip_t *, qif_t *));
+extern	int	ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
+				   fr_info_t *, frdest_t *));
+extern	void	copyin_mblk __P((mblk_t *, size_t, size_t, char *));
+extern	void	copyout_mblk __P((mblk_t *, size_t, size_t, char *));
+extern	int	fr_qin __P((queue_t *, mblk_t *));
+extern	int	fr_qout __P((queue_t *, mblk_t *));
+#  ifdef	IPFILTER_LOG
+extern	int	iplread __P((dev_t, struct uio *, cred_t *));
+#  endif
+# else /* SOLARIS */
+extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
+extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
+#  ifdef	linux
+extern	int	send_reset __P((tcpiphdr_t *, struct ifnet *));
+#  else
+extern	int	send_reset __P((fr_info_t *, struct ip *));
+extern	int	send_icmp_err __P((ip_t *, int, int, void *, struct in_addr));
+#  endif
+extern	int	ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
+extern	size_t	mbufchainlen __P((mb_t *));
+#  ifdef	__sgi
+#   include <sys/cred.h>
+extern	int	iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
+extern	int	iplopen __P((dev_t *, int, int, cred_t *));
+extern	int	iplclose __P((dev_t, int, int, cred_t *));
+extern	int	iplread __P((dev_t, struct uio *, cred_t *));
+extern	int	ipfsync __P((void));
+extern	int	ipfilter_sgi_attach __P((void));
+extern	void	ipfilter_sgi_detach __P((void));
+extern	void	ipfilter_sgi_intfsync __P((void));
+#  else
+#   ifdef	IPFILTER_LKM
+extern	int	iplidentify __P((char *));
+#   endif
+#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
+      (NetBSD >= 199511) || defined(__OpenBSD__)
+#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
+       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
+extern	int	iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
+#    else
+extern	int	iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
+#    endif
+extern	int	iplopen __P((dev_t, int, int, struct proc *));
+extern	int	iplclose __P((dev_t, int, int, struct proc *));
+#   else
+#    ifndef	linux
+extern	int	iplopen __P((dev_t, int));
+extern	int	iplclose __P((dev_t, int));
+extern	int	iplioctl __P((dev_t, int, caddr_t, int));
+#    else
+extern	int	iplioctl(struct inode *, struct file *, u_int, u_long);
+extern	int	iplopen __P((struct inode *, struct file *));
+extern	void	iplclose __P((struct inode *, struct file *));
+#    endif /* !linux */
+#   endif /* (_BSDI_VERSION >= 199510) */
+#   if	BSD >= 199306
+extern	int	iplread __P((dev_t, struct uio *, int));
+#   else
+#    ifndef linux
+extern	int	iplread __P((dev_t, struct uio *));
+#    else
+extern	int	iplread(struct inode *, struct file *, char *, int);
+#    endif /* !linux */
+#   endif /* BSD >= 199306 */
+#  endif /* __ sgi */
+# endif /* SOLARIS */
+#endif /* #ifndef _KERNEL */
+
+extern	void	fixskip __P((frentry_t **, frentry_t *, int));
+extern	int	countbits __P((u_32_t));
+extern	int	ipldetach __P((void));
+extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
+extern	int	fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
+extern	u_short	ipf_cksum __P((u_short *, int));
+extern	int	fr_copytolog __P((int, char *, int));
+extern	void	fr_forgetifp __P((void *));
+extern	int	frflush __P((minor_t, int));
+extern	void	frsync __P((void));
+extern	frgroup_t *fr_addgroup __P((u_int, frentry_t *, minor_t, int));
+extern	frgroup_t *fr_findgroup __P((u_int, u_32_t, minor_t, int, frgroup_t ***));
+extern	void	fr_delgroup __P((u_int, u_32_t, minor_t, int));
+extern  void	fr_makefrip __P((int, ip_t *, fr_info_t *));
+extern	int	fr_ifpaddr __P((void *, struct in_addr *));
+extern	char	*memstr __P((char *, char *, int, int));
+extern	int	ipl_unreach;
+extern	int	ipl_inited;
+extern	u_long	ipl_frouteok[2];
+extern	int	fr_pass;
+extern	int	fr_flags;
+extern	int	fr_active;
+extern	fr_info_t	frcache[2];
+extern	char	ipfilter_version[];
+#ifdef	IPFILTER_LOG
+extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
+extern	size_t	iplused[IPL_LOGMAX + 1];
+#endif
+extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
+extern	struct frgroup *ipfgroups[3][2];
+extern	struct filterstats frstats[];
+
+#endif	/* __IP_FIL_H__ */
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@ -0,0 +1,525 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_frag.c	1.11 3/24/96 (C) 1993-1995 Darren Reed";
+/*static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.4.2.3 1999/09/18 15:03:54 darrenr Exp $";*/
+static const char rcsid[] = "@(#)$FreeBSD$";
+#endif
+
+#if defined(KERNEL) && !defined(_KERNEL)
+# define      _KERNEL
+#endif
+
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+#endif
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/uio.h>
+#ifndef linux
+# include <sys/protosw.h>
+#endif
+#include <sys/socket.h>
+#if defined(_KERNEL) && !defined(linux)
+# include <sys/systm.h>
+#endif
+#if !defined(__SVR4) && !defined(__svr4__)
+# if defined(_KERNEL) && !defined(__sgi)
+#  include <sys/kernel.h>
+# endif
+# ifndef linux
+#  include <sys/mbuf.h>
+# endif
+#else
+# include <sys/byteorder.h>
+# ifdef _KERNEL
+#  include <sys/dditypes.h>
+# endif
+# include <sys/stream.h>
+# include <sys/kmem.h>
+#endif
+#include <net/if.h>
+#ifdef sun
+# include <net/af.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#ifndef linux
+# include <netinet/ip_var.h>
+#endif
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_frag.h"
+#include "netinet/ip_state.h"
+#include "netinet/ip_auth.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+# if (defined(KERNEL) || defined(_KERNEL))
+#  ifndef IPFILTER_LKM
+#   include <sys/libkern.h>
+#   include <sys/systm.h>
+# endif
+extern struct callout_handle ipfr_slowtimer_ch;
+# endif
+#endif
+
+
+static ipfr_t	*ipfr_heads[IPFT_SIZE];
+static ipfr_t	*ipfr_nattab[IPFT_SIZE];
+static ipfrstat_t ipfr_stats;
+static int	ipfr_inuse = 0;
+
+int		fr_ipfrttl = 120;	/* 60 seconds */
+
+#ifdef _KERNEL
+# if SOLARIS2 >= 7
+extern	timeout_id_t	ipfr_timer_id;
+# else
+extern	int	ipfr_timer_id;
+# endif
+#endif
+#if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
+extern	KRWLOCK_T	ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex;
+# if	SOLARIS
+extern	KRWLOCK_T	ipf_solaris;
+# else
+KRWLOCK_T	ipf_solaris;
+# endif
+extern	kmutex_t	ipf_rw;
+#endif
+
+
+static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **));
+static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
+static void ipfr_delete __P((ipfr_t *));
+
+
+ipfrstat_t *ipfr_fragstats()
+{
+	ipfr_stats.ifs_table = ipfr_heads;
+	ipfr_stats.ifs_nattab = ipfr_nattab;
+	ipfr_stats.ifs_inuse = ipfr_inuse;
+	return &ipfr_stats;
+}
+
+
+/*
+ * add a new entry to the fragment cache, registering it as having come
+ * through this box, with the result of the filter operation.
+ */
+static ipfr_t *ipfr_new(ip, fin, pass, table)
+ip_t *ip;
+fr_info_t *fin;
+u_int pass;
+ipfr_t *table[];
+{
+	ipfr_t	**fp, *fra, frag;
+	u_int	idx;
+
+	frag.ipfr_p = ip->ip_p;
+	idx = ip->ip_p;
+	frag.ipfr_id = ip->ip_id;
+	idx += ip->ip_id;
+	frag.ipfr_tos = ip->ip_tos;
+	frag.ipfr_src.s_addr = ip->ip_src.s_addr;
+	idx += ip->ip_src.s_addr;
+	frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
+	idx += ip->ip_dst.s_addr;
+	idx *= 127;
+	idx %= IPFT_SIZE;
+
+	/*
+	 * first, make sure it isn't already there...
+	 */
+	for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
+		if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
+			  IPFR_CMPSZ)) {
+			ATOMIC_INC(ipfr_stats.ifs_exists);
+			return NULL;
+		}
+
+	/*
+	 * allocate some memory, if possible, if not, just record that we
+	 * failed to do so.
+	 */
+	KMALLOC(fra, ipfr_t *);
+	if (fra == NULL) {
+		ATOMIC_INC(ipfr_stats.ifs_nomem);
+		return NULL;
+	}
+
+	if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
+		ATOMIC_INC(fin->fin_fr->fr_ref);
+	}
+
+
+	/*
+	 * Instert the fragment into the fragment table, copy the struct used
+	 * in the search using bcopy rather than reassign each field.
+	 * Set the ttl to the default and mask out logging from "pass"
+	 */
+	if ((fra->ipfr_next = table[idx]))
+		table[idx]->ipfr_prev = fra;
+	fra->ipfr_prev = NULL;
+	fra->ipfr_data = NULL;
+	table[idx] = fra;
+	bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ);
+	fra->ipfr_ttl = fr_ipfrttl;
+	/*
+	 * Compute the offset of the expected start of the next packet.
+	 */
+	fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3);
+	ATOMIC_INC(ipfr_stats.ifs_new);
+	ATOMIC_INC(ipfr_inuse);
+	return fra;
+}
+
+
+int ipfr_newfrag(ip, fin, pass)
+ip_t *ip;
+fr_info_t *fin;
+u_int pass;
+{
+	ipfr_t	*ipf;
+
+	WRITE_ENTER(&ipf_frag);
+	ipf = ipfr_new(ip, fin, pass, ipfr_heads);
+	RWLOCK_EXIT(&ipf_frag);
+	return ipf ? 0 : -1;
+}
+
+
+int ipfr_nat_newfrag(ip, fin, pass, nat)
+ip_t *ip;
+fr_info_t *fin;
+u_int pass;
+nat_t *nat;
+{
+	ipfr_t	*ipf;
+
+	WRITE_ENTER(&ipf_natfrag);
+	ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
+	if (ipf != NULL) {
+		ipf->ipfr_data = nat;
+		nat->nat_data = ipf;
+	}
+	RWLOCK_EXIT(&ipf_natfrag);
+	return ipf ? 0 : -1;
+}
+
+
+/*
+ * check the fragment cache to see if there is already a record of this packet
+ * with its filter result known.
+ */
+static ipfr_t *ipfr_lookup(ip, fin, table)
+ip_t *ip;
+fr_info_t *fin;
+ipfr_t *table[];
+{
+	ipfr_t	*f, frag;
+	u_int	idx;
+
+	/*
+	 * For fragments, we record protocol, packet id, TOS and both IP#'s
+	 * (these should all be the same for all fragments of a packet).
+	 *
+	 * build up a hash value to index the table with.
+	 */
+	frag.ipfr_p = ip->ip_p;
+	idx = ip->ip_p;
+	frag.ipfr_id = ip->ip_id;
+	idx += ip->ip_id;
+	frag.ipfr_tos = ip->ip_tos;
+	frag.ipfr_src.s_addr = ip->ip_src.s_addr;
+	idx += ip->ip_src.s_addr;
+	frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
+	idx += ip->ip_dst.s_addr;
+	idx *= 127;
+	idx %= IPFT_SIZE;
+
+	/*
+	 * check the table, careful to only compare the right amount of data
+	 */
+	for (f = table[idx]; f; f = f->ipfr_next)
+		if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
+			  IPFR_CMPSZ)) {
+			u_short	atoff, off;
+
+			if (f != table[idx]) {
+				/*
+				 * move fragment info. to the top of the list
+				 * to speed up searches.
+				 */
+				if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
+					f->ipfr_next->ipfr_prev = f->ipfr_prev;
+				f->ipfr_next = table[idx];
+				table[idx]->ipfr_prev = f;
+				f->ipfr_prev = NULL;
+				table[idx] = f;
+			}
+			off = ip->ip_off;
+			atoff = off + (fin->fin_dlen >> 3);
+			/*
+			 * If we've follwed the fragments, and this is the
+			 * last (in order), shrink expiration time.
+			 */
+			if ((off & IP_OFFMASK) == f->ipfr_off) {
+				if (!(off & IP_MF))
+					f->ipfr_ttl = 1;
+				else
+					f->ipfr_off = atoff;
+			}
+			ATOMIC_INC(ipfr_stats.ifs_hits);
+			return f;
+		}
+	return NULL;
+}
+
+
+/*
+ * functional interface for NAT lookups of the NAT fragment cache
+ */
+nat_t *ipfr_nat_knownfrag(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+	nat_t	*nat;
+	ipfr_t	*ipf;
+
+	READ_ENTER(&ipf_natfrag);
+	ipf = ipfr_lookup(ip, fin, ipfr_nattab);
+	if (ipf != NULL) {
+		nat = ipf->ipfr_data;
+		/*
+		 * This is the last fragment for this packet.
+		 */
+		if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
+			nat->nat_data = NULL;
+			ipf->ipfr_data = NULL;
+		}
+	} else
+		nat = NULL;
+	RWLOCK_EXIT(&ipf_natfrag);
+	return nat;
+}
+
+
+/*
+ * functional interface for normal lookups of the fragment cache
+ */
+frentry_t *ipfr_knownfrag(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+	frentry_t *fr = NULL;
+	ipfr_t	*fra;
+
+	READ_ENTER(&ipf_frag);
+	fra = ipfr_lookup(ip, fin, ipfr_heads);
+	if (fra != NULL)
+		fr = fra->ipfr_rule;
+	RWLOCK_EXIT(&ipf_frag);
+	return fr;
+}
+
+
+/*
+ * forget any references to this external object.
+ */
+void ipfr_forget(nat)
+void *nat;
+{
+	ipfr_t	*fr;
+	int	idx;
+
+	WRITE_ENTER(&ipf_natfrag);
+	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+		for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next)
+			if (fr->ipfr_data == nat)
+				fr->ipfr_data = NULL;
+
+	RWLOCK_EXIT(&ipf_natfrag);
+}
+
+
+static void ipfr_delete(fra)
+ipfr_t *fra;
+{
+	frentry_t *fr;
+
+	fr = fra->ipfr_rule;
+	if (fr != NULL) {
+		ATOMIC_DEC(fr->fr_ref);
+		if (fr->fr_ref == 0)
+			KFREE(fr);
+	}
+	if (fra->ipfr_prev)
+		fra->ipfr_prev->ipfr_next = fra->ipfr_next;
+	if (fra->ipfr_next)
+		fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
+	KFREE(fra);
+}
+
+
+/*
+ * Free memory in use by fragment state info. kept.
+ */
+void ipfr_unload()
+{
+	ipfr_t	**fp, *fra;
+	nat_t	*nat;
+	int	idx;
+
+	WRITE_ENTER(&ipf_frag);
+	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+		for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
+			*fp = fra->ipfr_next;
+			ipfr_delete(fra);
+		}
+	RWLOCK_EXIT(&ipf_frag);
+
+	WRITE_ENTER(&ipf_nat);
+	WRITE_ENTER(&ipf_natfrag);
+	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+		for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
+			*fp = fra->ipfr_next;
+			nat = fra->ipfr_data;
+			if (nat != NULL) {
+				if (nat->nat_data == fra)
+					nat->nat_data = NULL;
+			}
+			ipfr_delete(fra);
+		}
+	RWLOCK_EXIT(&ipf_natfrag);
+	RWLOCK_EXIT(&ipf_nat);
+}
+
+
+#ifdef	_KERNEL
+/*
+ * Slowly expire held state for fragments.  Timeouts are set * in expectation
+ * of this being called twice per second.
+ */
+# if (BSD >= 199306) || SOLARIS || defined(__sgi)
+#  if defined(SOLARIS2) && (SOLARIS2 < 7)
+void ipfr_slowtimer()
+#  else
+void ipfr_slowtimer __P((void *ptr))
+#  endif
+# else
+int ipfr_slowtimer()
+# endif
+{
+	ipfr_t	**fp, *fra;
+	nat_t	*nat;
+	int	idx;
+#if defined(_KERNEL)
+# if !SOLARIS
+	int	s;
+# else
+	extern	int	fr_running;
+
+	if (fr_running <= 0) 
+		return;
+# endif
+#endif
+
+	READ_ENTER(&ipf_solaris);
+#ifdef __sgi
+	ipfilter_sgi_intfsync();
+#endif
+
+	SPL_NET(s);
+	WRITE_ENTER(&ipf_frag);
+
+	/*
+	 * Go through the entire table, looking for entries to expire,
+	 * decreasing the ttl by one for each entry.  If it reaches 0,
+	 * remove it from the chain and free it.
+	 */
+	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+		for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
+			--fra->ipfr_ttl;
+			if (fra->ipfr_ttl == 0) {
+				*fp = fra->ipfr_next;
+				ipfr_delete(fra);
+				ATOMIC_INC(ipfr_stats.ifs_expire);
+				ATOMIC_DEC(ipfr_inuse);
+			} else
+				fp = &fra->ipfr_next;
+		}
+	RWLOCK_EXIT(&ipf_frag);
+
+	/*
+	 * Same again for the NAT table, except that if the structure also
+	 * still points to a NAT structure, and the NAT structure points back
+	 * at the one to be free'd, NULL the reference from the NAT struct.
+	 * NOTE: We need to grab both mutex's early, and in this order so as
+	 * to prevent a deadlock if both try to expire at the same time.
+	 */
+	WRITE_ENTER(&ipf_nat);
+	WRITE_ENTER(&ipf_natfrag);
+	for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
+		for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
+			--fra->ipfr_ttl;
+			if (fra->ipfr_ttl == 0) {
+				ATOMIC_INC(ipfr_stats.ifs_expire);
+				ATOMIC_DEC(ipfr_inuse);
+				nat = fra->ipfr_data;
+				if (nat != NULL) {
+					if (nat->nat_data == fra)
+						nat->nat_data = NULL;
+				}
+				*fp = fra->ipfr_next;
+				ipfr_delete(fra);
+			} else
+				fp = &fra->ipfr_next;
+		}
+	RWLOCK_EXIT(&ipf_natfrag);
+	RWLOCK_EXIT(&ipf_nat);
+	SPL_X(s);
+	fr_timeoutstate();
+	ip_natexpire();
+	fr_authexpire();
+# if	SOLARIS
+	ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
+# else
+#  ifndef linux
+#   if (__FreeBSD_version >= 300000)
+	ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+#   else
+	timeout(ipfr_slowtimer, NULL, hz/2);
+#   endif
+#  endif
+#  if (BSD < 199306) && !defined(__sgi)
+	return 0;
+#  endif
+# endif
+	RWLOCK_EXIT(&ipf_solaris);
+}
+#endif /* defined(_KERNEL) */
--- a/sys/netinet/ip_frag.h
+++ b/sys/netinet/ip_frag.h
@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 1993-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_frag.h	1.5 3/24/96
+ * $Id: ip_frag.h,v 2.2 1999/08/06 06:26:38 darrenr Exp $
+ * $FreeBSD$
+ */
+
+#ifndef	__IP_FRAG_H__
+#define	__IP_FRAG_H__
+
+#define	IPFT_SIZE	257
+
+typedef	struct	ipfr	{
+	struct	ipfr	*ipfr_next, *ipfr_prev;
+	void	*ipfr_data;
+	struct	in_addr	ipfr_src;
+	struct	in_addr	ipfr_dst;
+	u_short	ipfr_id;
+	u_char	ipfr_p;
+	u_char	ipfr_tos;
+	u_short	ipfr_off;
+	u_short	ipfr_ttl;
+	frentry_t *ipfr_rule;
+} ipfr_t;
+
+
+typedef	struct	ipfrstat {
+	u_long	ifs_exists;	/* add & already exists */
+	u_long	ifs_nomem;
+	u_long	ifs_new;
+	u_long	ifs_hits;
+	u_long	ifs_expire;
+	u_long	ifs_inuse;
+	struct	ipfr	**ifs_table;
+	struct	ipfr	**ifs_nattab;
+} ipfrstat_t;
+
+#define	IPFR_CMPSZ	(4 + 4 + 2 + 1 + 1)
+
+extern	int	fr_ipfrttl;
+extern	ipfrstat_t	*ipfr_fragstats __P((void));
+extern	int	ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
+extern	int	ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
+extern	nat_t	*ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
+extern	frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
+extern	void	ipfr_forget __P((void *));
+extern	void	ipfr_unload __P((void));
+
+#if     (BSD >= 199306) || SOLARIS || defined(__sgi)
+# if defined(SOLARIS2) && (SOLARIS2 < 7)
+extern	void	ipfr_slowtimer __P((void));
+# else
+extern	void	ipfr_slowtimer __P((void *));
+# endif
+#else
+extern	int	ipfr_slowtimer __P((void));
+#endif
+
+#endif	/* __IP_FIL_H__ */
--- a/sys/netinet/ip_ftp_pxy.c
+++ b/sys/netinet/ip_ftp_pxy.c
@ -0,0 +1,460 @@
+/*
+ * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
+ * code.
+ *
+ * $Id$
+ * $FreeBSD$
+ */
+#if SOLARIS && defined(_KERNEL)
+extern	kmutex_t	ipf_rw;
+#endif
+
+#define	isdigit(x)	((x) >= '0' && (x) <= '9')
+
+#define	IPF_FTP_PROXY
+
+#define	IPF_MINPORTLEN	18
+#define	IPF_MAXPORTLEN	30
+#define	IPF_MIN227LEN	39
+#define	IPF_MAX227LEN	51
+
+
+int ippr_ftp_init __P((void));
+int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *));
+int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *));
+
+u_short ipf_ftp_atoi __P((char **));
+
+static	frentry_t	natfr;
+
+
+/*
+ * Initialize local structures.
+ */
+int ippr_ftp_init()
+{
+	bzero((char *)&natfr, sizeof(natfr));
+	natfr.fr_ref = 1;
+	natfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+	return 0;
+}
+
+
+/*
+ * ipf_ftp_atoi - implement a version of atoi which processes numbers in
+ * pairs separated by commas (which are expected to be in the range 0 - 255),
+ * returning a 16 bit number combining either side of the , as the MSB and
+ * LSB.
+ */
+u_short ipf_ftp_atoi(ptr)
+char **ptr;
+{
+	register char *s = *ptr, c;
+	register u_char i = 0, j = 0;
+
+	while ((c = *s++) && isdigit(c)) {
+		i *= 10;
+		i += c - '0';
+	}
+	if (c != ',') {
+		*ptr = NULL;
+		return 0;
+	}
+	while ((c = *s++) && isdigit(c)) {
+		j *= 10;
+		j += c - '0';
+	}
+	*ptr = s;
+	return (i << 8) | j;
+}
+
+
+int ippr_ftp_portmsg(fin, ip, nat)
+fr_info_t *fin;
+ip_t *ip;
+nat_t *nat;
+{
+	char portbuf[IPF_MAXPORTLEN + 1], newbuf[IPF_MAXPORTLEN + 1], *s;
+	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+	size_t nlen = 0, dlen, olen;
+	u_short a5, a6, sp, dp;
+	u_int a1, a2, a3, a4;
+	struct in_addr swip;
+	int off, inc = 0;
+	fr_info_t fi;
+	nat_t *ipn;
+	mb_t *m;
+#if	SOLARIS
+	mb_t *m1;
+#endif
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	bzero(portbuf, sizeof(portbuf));
+	off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+
+#if	SOLARIS
+	m = fin->fin_qfm;
+
+	dlen = msgdsize(m) - off;
+	if (dlen > 0)
+		copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#else
+	m = *(mb_t **)fin->fin_mp;
+
+	dlen = mbufchainlen(m) - off;
+	if (dlen > 0)
+		m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#endif
+	if (dlen == 0)
+		return 0;
+	portbuf[sizeof(portbuf) - 1] = '\0';
+	*newbuf = '\0';
+	if (!strncmp(portbuf, "PORT ", 5)) { 
+		if (dlen < IPF_MINPORTLEN)
+			return 0;
+	} else
+		return 0;
+
+	/*
+	 * Skip the PORT command + space
+	 */
+	s = portbuf + 5;
+	/*
+	 * Pick out the address components, two at a time.
+	 */
+	a1 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+	a2 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+
+	/*
+	 * check that IP address in the PORT/PASV reply is the same as the
+	 * sender of the command - prevents using PORT for port scanning.
+	 */
+	a1 <<= 16;
+	a1 |= a2;
+	if (a1 != ntohl(nat->nat_inip.s_addr))
+		return 0;
+
+	a5 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+	if (*s == ')')
+		s++;
+
+	/*
+	 * check for CR-LF at the end.
+	 */
+	if (*s == '\n')
+		s--;
+	if ((*s == '\r') && (*(s + 1) == '\n')) {
+		s += 2;
+		a6 = a5 & 0xff;
+	} else
+		return 0;
+	a5 >>= 8;
+	/*
+	 * Calculate new address parts for PORT command
+	 */
+	a1 = ntohl(ip->ip_src.s_addr);
+	a2 = (a1 >> 16) & 0xff;
+	a3 = (a1 >> 8) & 0xff;
+	a4 = a1 & 0xff;
+	a1 >>= 24;
+	olen = s - portbuf;
+	(void) snprintf(newbuf, sizeof(newbuf), "%s %u,%u,%u,%u,%u,%u\r\n",
+		       "PORT", a1, a2, a3, a4, a5, a6);
+
+	nlen = strlen(newbuf);
+	inc = nlen - olen;
+#if SOLARIS
+	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
+		;
+	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
+		mblk_t *nm;
+
+		/* alloc enough to keep same trailer space for lower driver */
+		nm = allocb(nlen, BPRI_MED);
+		PANIC((!nm),("ippr_ftp_out: allocb failed"));
+
+		nm->b_band = m1->b_band;
+		nm->b_wptr += nlen;
+
+		m1->b_wptr -= olen;
+		PANIC((m1->b_wptr < m1->b_rptr),
+		      ("ippr_ftp_out: cannot handle fragmented data block"));
+
+		linkb(m1, nm);
+	} else {
+		if (m1->b_datap->db_struiolim == m1->b_wptr)
+			m1->b_datap->db_struiolim += inc;
+		m1->b_datap->db_struioflag &= ~STRUIO_IP;
+		m1->b_wptr += inc;
+	}
+	copyin_mblk(m, off, nlen, newbuf);
+#else
+	if (inc < 0)
+		m_adj(m, inc);
+	/* the mbuf chain will be extended if necessary by m_copyback() */
+	m_copyback(m, off, nlen, newbuf);
+#endif
+	if (inc != 0) {
+#if SOLARIS || defined(__sgi)
+		register u_32_t	sum1, sum2;
+
+		sum1 = ip->ip_len;
+		sum2 = ip->ip_len + inc;
+
+		/* Because ~1 == -2, We really need ~1 == -1 */
+		if (sum1 > sum2)
+			sum2--;
+		sum2 -= sum1;
+		sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+
+		fix_outcksum(&ip->ip_sum, sum2);
+#endif
+		ip->ip_len += inc;
+	}
+
+	/*
+	 * Add skeleton NAT entry for connection which will come back the
+	 * other way.
+	 */
+	sp = htons(a5 << 8 | a6);
+	/*
+	 * The server may not make the connection back from port 20, but
+	 * it is the most likely so use it here to check for a conflicting
+	 * mapping.
+	 */
+	dp = htons(fin->fin_data[1] - 1);
+	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+			    ip->ip_dst, (dp << 16) | sp);
+	if (ipn == NULL) {
+		bcopy((char *)fin, (char *)&fi, sizeof(fi));
+		bzero((char *)tcp2, sizeof(*tcp2));
+		tcp2->th_win = htons(8192);
+		tcp2->th_sport = sp;
+		tcp2->th_dport = 0; /* XXX - don't specify remote port */
+		fi.fin_data[0] = ntohs(sp);
+		fi.fin_data[1] = 0;
+		fi.fin_dp = (char *)tcp2;
+		swip = ip->ip_src;
+		ip->ip_src = nat->nat_inip;
+		ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
+			      NAT_OUTBOUND);
+		if (ipn != NULL) {
+			ipn->nat_age = fr_defnatage;
+			(void) fr_addstate(ip, &fi, FI_W_DPORT);
+		}
+		ip->ip_src = swip;
+	}
+	return inc;
+}
+
+
+int ippr_ftp_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	return ippr_ftp_portmsg(fin, ip, nat);
+}
+
+
+int ippr_ftp_pasvmsg(fin, ip, nat)
+fr_info_t *fin;
+ip_t *ip;
+nat_t *nat;
+{
+	char portbuf[IPF_MAX227LEN + 1], newbuf[IPF_MAX227LEN + 1], *s;
+	int off, olen, dlen, nlen = 0, inc = 0;
+	tcphdr_t tcph, *tcp2 = &tcph;
+	struct in_addr swip, swip2;
+	u_short a5, a6, dp, sp;
+	u_int a1, a2, a3, a4;
+	tcphdr_t *tcp;
+	fr_info_t fi;
+	nat_t *ipn;
+	mb_t *m;
+#if	SOLARIS
+	mb_t *m1;
+#endif
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+	m = *(mb_t **)fin->fin_mp;
+	bzero(portbuf, sizeof(portbuf));
+
+#if	SOLARIS
+	m = fin->fin_qfm;
+
+	dlen = msgdsize(m) - off;
+	if (dlen > 0)
+		copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#else
+	dlen = mbufchainlen(m) - off;
+	if (dlen > 0)
+		m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#endif
+	if (dlen == 0)
+		return 0;
+	portbuf[sizeof(portbuf) - 1] = '\0';
+	*newbuf = '\0';
+
+	if (!strncmp(portbuf, "227 ", 4)) {
+		if (dlen < IPF_MIN227LEN)
+			return 0;
+		else if (strncmp(portbuf, "227 Entering Passive Mode", 25))
+			return 0;
+	} else
+		return 0;
+	/*
+	 * Skip the PORT command + space
+	 */
+	s = portbuf + 25;
+	while (*s && !isdigit(*s))
+		s++;
+	/*
+	 * Pick out the address components, two at a time.
+	 */
+	a1 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+	a2 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+
+	/*
+	 * check that IP address in the PORT/PASV reply is the same as the
+	 * sender of the command - prevents using PORT for port scanning.
+	 */
+	a1 <<= 16;
+	a1 |= a2;
+	if (a1 != ntohl(nat->nat_oip.s_addr))
+		return 0;
+
+	a5 = ipf_ftp_atoi(&s);
+	if (!s)
+		return 0;
+
+	if (*s == ')')
+		s++;
+	if (*s == '\n')
+		s--;
+	/*
+	 * check for CR-LF at the end.
+	 */
+	if ((*s == '\r') && (*(s + 1) == '\n')) {
+		s += 2;
+		a6 = a5 & 0xff;
+	} else
+		return 0;
+	a5 >>= 8;
+	/*
+	 * Calculate new address parts for 227 reply
+	 */
+	a1 = ntohl(ip->ip_src.s_addr);
+	a2 = (a1 >> 16) & 0xff;
+	a3 = (a1 >> 8) & 0xff;
+	a4 = a1 & 0xff;
+	a1 >>= 24;
+	olen = s - portbuf;
+	(void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
+		       "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6);
+
+	nlen = strlen(newbuf);
+	inc = nlen - olen;
+#if SOLARIS
+	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
+		;
+	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
+		mblk_t *nm;
+
+		/* alloc enough to keep same trailer space for lower driver */
+		nm = allocb(nlen, BPRI_MED);
+		PANIC((!nm),("ippr_ftp_out: allocb failed"));
+
+		nm->b_band = m1->b_band;
+		nm->b_wptr += nlen;
+
+		m1->b_wptr -= olen;
+		PANIC((m1->b_wptr < m1->b_rptr),
+		      ("ippr_ftp_out: cannot handle fragmented data block"));
+
+		linkb(m1, nm);
+	} else {
+		m1->b_wptr += inc;
+	}
+	copyin_mblk(m, off, nlen, newbuf);
+#else
+	if (inc < 0)
+		m_adj(m, inc);
+	/* the mbuf chain will be extended if necessary by m_copyback() */
+	m_copyback(m, off, nlen, newbuf);
+#endif
+	if (inc != 0) {
+#if SOLARIS || defined(__sgi)
+		register u_32_t	sum1, sum2;
+
+		sum1 = ip->ip_len;
+		sum2 = ip->ip_len + inc;
+
+		/* Because ~1 == -2, We really need ~1 == -1 */
+		if (sum1 > sum2)
+			sum2--;
+		sum2 -= sum1;
+		sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+
+		fix_outcksum(&ip->ip_sum, sum2);
+#endif
+		ip->ip_len += inc;
+	}
+
+	/*
+	 * Add skeleton NAT entry for connection which will come back the
+	 * other way.
+	 */
+	sp = 0;
+	dp = htons(fin->fin_data[1] - 1);
+	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+			    ip->ip_dst, (dp << 16) | sp);
+	if (ipn == NULL) {
+		bcopy((char *)fin, (char *)&fi, sizeof(fi));
+		bzero((char *)tcp2, sizeof(*tcp2));
+		tcp2->th_win = htons(8192);
+		tcp2->th_sport = 0;		/* XXX - fake it for nat_new */
+		fi.fin_data[0] = a5 << 8 | a6;
+		tcp2->th_dport = htons(fi.fin_data[0]);
+		fi.fin_data[1] = 0;
+		fi.fin_dp = (char *)tcp2;
+		swip = ip->ip_src;
+		swip2 = ip->ip_dst;
+		ip->ip_dst = ip->ip_src;
+		ip->ip_src = nat->nat_inip;
+		ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT,
+			      NAT_OUTBOUND);
+		if (ipn != NULL) {
+			ipn->nat_age = fr_defnatage;
+			(void) fr_addstate(ip, &fi, FI_W_SPORT);
+		}
+		ip->ip_src = swip;
+		ip->ip_dst = swip2;
+	}
+	return inc;
+}
+
+
+int ippr_ftp_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+
+	return ippr_ftp_pasvmsg(fin, ip, nat);
+}
--- a/sys/netinet/ip_log.c
+++ b/sys/netinet/ip_log.c
@ -0,0 +1,498 @@
+/*
+ * Copyright (C) 1997-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * $Id: ip_log.c,v 2.1.2.2 1999/09/21 11:55:44 darrenr Exp $
+ * $FreeBSD$
+ */
+#include <sys/param.h>
+#if defined(KERNEL) && !defined(_KERNEL)
+# define       _KERNEL
+#endif
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM)
+# include "opt_ipfilter_log.h"
+#endif
+#ifdef  __FreeBSD__
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+#  if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+#   include "opt_ipfilter.h"
+#  endif
+# else
+#  include <osreldate.h>
+# endif
+#endif
+#ifdef	IPFILTER_LOG
+# ifndef SOLARIS
+#  define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# endif
+# ifndef _KERNEL
+#  include <stdio.h>
+#  include <string.h>
+#  include <stdlib.h>
+#  include <ctype.h>
+# endif
+# include <sys/errno.h>
+# include <sys/types.h>
+# include <sys/file.h>
+# if __FreeBSD_version >= 220000 && defined(_KERNEL)
+#  include <sys/fcntl.h>
+#  include <sys/filio.h>
+# else
+#  include <sys/ioctl.h>
+# endif
+# include <sys/time.h>
+# if defined(_KERNEL) && !defined(linux)
+#  include <sys/systm.h>
+# endif
+# include <sys/uio.h>
+# if !SOLARIS
+#  if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
+#   include <sys/dirent.h>
+#  else
+#   include <sys/dir.h>
+#  endif
+#  ifndef linux
+#   include <sys/mbuf.h>
+#  endif
+# else
+#  include <sys/filio.h>
+#  include <sys/cred.h>
+#  include <sys/ddi.h>
+#  include <sys/sunddi.h>
+#  include <sys/ksynch.h>
+#  include <sys/kmem.h>
+#  include <sys/mkdev.h>
+#  include <sys/dditypes.h>
+#  include <sys/cmn_err.h>
+# endif
+# ifndef linux
+#  include <sys/protosw.h>
+# endif
+# include <sys/socket.h>
+
+# include <net/if.h>
+# ifdef sun
+#  include <net/af.h>
+# endif
+# if __FreeBSD_version >= 300000
+#  include <net/if_var.h>
+# endif
+# include <net/route.h>
+# include <netinet/in.h>
+# ifdef __sgi
+#  include <sys/ddi.h>
+#  ifdef IFF_DRVRLOCK /* IRIX6 */
+#   include <sys/hashing.h>
+#  endif
+# endif
+# if !defined(linux) && !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
+#  include <netinet/in_var.h>
+# endif
+# include <netinet/in_systm.h>
+# include <netinet/ip.h>
+# include <netinet/tcp.h>
+# include <netinet/udp.h>
+# include <netinet/ip_icmp.h>
+# ifndef linux
+#  include <netinet/ip_var.h>
+# endif
+# ifndef _KERNEL
+#  include <syslog.h>
+# endif
+# include "netinet/ip_compat.h"
+# include <netinet/tcpip.h>
+# include "netinet/ip_fil.h"
+# include "netinet/ip_proxy.h"
+# include "netinet/ip_nat.h"
+# include "netinet/ip_frag.h"
+# include "netinet/ip_state.h"
+# include "netinet/ip_auth.h"
+# if (__FreeBSD_version >= 300000)
+#  include <sys/malloc.h>
+# endif
+
+# ifndef MIN
+#  define	MIN(a,b)	(((a)<(b))?(a):(b))
+# endif
+
+
+# if SOLARIS || defined(__sgi)
+extern	kmutex_t	ipl_mutex;
+#  if SOLARIS
+extern	kcondvar_t	iplwait;
+#  endif
+# endif
+
+iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
+size_t	iplused[IPL_LOGMAX+1];
+static fr_info_t	iplcrc[IPL_LOGMAX+1];
+# ifdef	linux
+static struct wait_queue *iplwait[IPL_LOGMAX+1];
+# endif
+
+
+/*
+ * Initialise log buffers & pointers.  Also iniialised the CRC to a local
+ * secret for use in calculating the "last log checksum".
+ */
+void ipflog_init()
+{
+	int	i;
+
+	for (i = IPL_LOGMAX; i >= 0; i--) {
+		iplt[i] = NULL;
+		ipll[i] = NULL;
+		iplh[i] = &iplt[i];
+		iplused[i] = 0;
+		bzero((char *)&iplcrc[i], sizeof(iplcrc[i]));
+	}
+}
+
+
+/*
+ * ipflog
+ * Create a log record for a packet given that it has been triggered by a
+ * rule (or the default setting).  Calculate the transport protocol header
+ * size using predetermined size of a couple of popular protocols and thus
+ * how much data to copy into the log, including part of the data body if
+ * requested.
+ */
+int ipflog(flags, ip, fin, m)
+u_int flags;
+ip_t *ip;
+fr_info_t *fin;
+mb_t *m;
+{
+	ipflog_t ipfl;
+	register size_t mlen, hlen;
+	size_t sizes[2];
+	void *ptrs[2];
+	int types[2];
+# if SOLARIS
+	ill_t *ifp = fin->fin_ifp;
+# else
+	struct ifnet *ifp = fin->fin_ifp;
+# endif
+
+	/*
+	 * calculate header size.
+	 */
+	hlen = fin->fin_hlen;
+	if ((ip->ip_off & IP_OFFMASK) == 0) {
+		if (ip->ip_p == IPPROTO_TCP)
+			hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
+		else if (ip->ip_p == IPPROTO_UDP)
+			hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
+		else if (ip->ip_p == IPPROTO_ICMP) {
+			struct	icmp	*icmp;
+
+			icmp = (struct icmp *)((char *)ip + hlen);
+	 
+			/*
+			 * For ICMP, if the packet is an error packet, also
+			 * include the information about the packet which
+			 * caused the error.
+			 */
+			switch (icmp->icmp_type)
+			{
+			case ICMP_UNREACH :
+			case ICMP_SOURCEQUENCH :
+			case ICMP_REDIRECT :
+			case ICMP_TIMXCEED :
+			case ICMP_PARAMPROB :
+				hlen += MIN(sizeof(struct icmp) + 8,
+					    fin->fin_dlen);
+				break;
+			default :
+				hlen += MIN(sizeof(struct icmp),
+					    fin->fin_dlen);
+				break;
+			}
+		}
+	}
+	/*
+	 * Get the interface number and name to which this packet is
+	 * currently associated.
+	 */
+# if SOLARIS
+	ipfl.fl_unit = (u_char)ifp->ill_ppa;
+	bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
+	mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
+# else
+#  if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
+	(defined(OpenBSD) && (OpenBSD >= 199603))
+	strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
+#  else
+#   ifndef linux
+	ipfl.fl_unit = (u_char)ifp->if_unit;
+#   endif
+	if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
+		if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
+			if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
+				ipfl.fl_ifname[3] = ifp->if_name[3];
+#  endif
+	mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
+# endif
+	ipfl.fl_plen = (u_char)mlen;
+	ipfl.fl_hlen = (u_char)hlen;
+	ipfl.fl_rule = fin->fin_rule;
+	ipfl.fl_group = fin->fin_group;
+	if (fin->fin_fr != NULL)
+		ipfl.fl_loglevel = fin->fin_fr->fr_loglevel;
+	else
+		ipfl.fl_loglevel = 0xffff;
+	ipfl.fl_flags = flags;
+	ptrs[0] = (void *)&ipfl;
+	sizes[0] = sizeof(ipfl);
+	types[0] = 0;
+# if SOLARIS
+	/*
+	 * Are we copied from the mblk or an aligned array ?
+	 */
+	if (ip == (ip_t *)m->b_rptr) {
+		ptrs[1] = m;
+		sizes[1] = hlen + mlen;
+		types[1] = 1;
+	} else {
+		ptrs[1] = ip;
+		sizes[1] = hlen + mlen;
+		types[1] = 0;
+	}
+# else
+	ptrs[1] = m;
+	sizes[1] = hlen + mlen;
+	types[1] = 1;
+# endif
+	return ipllog(IPL_LOGIPF, fin, ptrs, sizes, types, 2);
+}
+
+
+/*
+ * ipllog
+ */
+int ipllog(dev, fin, items, itemsz, types, cnt)
+int dev;
+fr_info_t *fin;
+void **items;
+size_t *itemsz;
+int *types, cnt;
+{
+	caddr_t buf, s;
+	iplog_t *ipl;
+	size_t len;
+	int i;
+ 
+	/*
+	 * Check to see if this log record has a CRC which matches the last
+	 * record logged.  If it does, just up the count on the previous one
+	 * rather than create a new one.
+	 */
+	MUTEX_ENTER(&ipl_mutex);
+	if (fin != NULL) {
+		if ((ipll[dev] != NULL) &&
+		    bcmp((char *)fin, (char *)&iplcrc[dev], FI_CSIZE) == 0) {
+			ipll[dev]->ipl_count++;
+			MUTEX_EXIT(&ipl_mutex);
+			return 1;
+		}
+		bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE);
+	} else
+		bzero((char *)&iplcrc[dev], FI_CSIZE);
+	MUTEX_EXIT(&ipl_mutex);
+
+	/*
+	 * Get the total amount of data to be logged.
+	 */
+	for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
+		len += itemsz[i];
+
+	/*
+	 * check that we have space to record this information and can
+	 * allocate that much.
+	 */
+	KMALLOCS(buf, caddr_t, len);
+	if (!buf)
+		return 0;
+	MUTEX_ENTER(&ipl_mutex);
+	if ((iplused[dev] + len) > IPLLOGSIZE) {
+		MUTEX_EXIT(&ipl_mutex);
+		KFREES(buf, len);
+		return 0;
+	}
+	iplused[dev] += len;
+	MUTEX_EXIT(&ipl_mutex);
+
+	/*
+	 * advance the log pointer to the next empty record and deduct the
+	 * amount of space we're going to use.
+	 */
+	ipl = (iplog_t *)buf;
+	ipl->ipl_magic = IPL_MAGIC;
+	ipl->ipl_count = 1;
+	ipl->ipl_next = NULL;
+	ipl->ipl_dsize = len;
+# if SOLARIS || defined(sun) || defined(linux)
+	uniqtime((struct timeval *)&ipl->ipl_sec);
+# else
+#  if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
+	microtime((struct timeval *)&ipl->ipl_sec);
+#  endif
+# endif
+
+	/*
+	 * Loop through all the items to be logged, copying each one to the
+	 * buffer.  Use bcopy for normal data or the mb_t copyout routine.
+	 */
+	for (i = 0, s = buf + sizeof(*ipl); i < cnt; i++) {
+		if (types[i] == 0)
+			bcopy(items[i], s, itemsz[i]);
+		else if (types[i] == 1) {
+# if SOLARIS
+			copyout_mblk(items[i], 0, itemsz[i], s);
+# else
+			m_copydata(items[i], 0, itemsz[i], s);
+# endif
+		}
+		s += itemsz[i];
+	}
+	MUTEX_ENTER(&ipl_mutex);
+	ipll[dev] = ipl;
+	*iplh[dev] = ipl;
+	iplh[dev] = &ipl->ipl_next;
+# if SOLARIS
+	cv_signal(&iplwait);
+	mutex_exit(&ipl_mutex);
+# else
+	MUTEX_EXIT(&ipl_mutex);
+#  ifdef linux
+	wake_up_interruptible(&iplwait[dev]);
+#  else
+	wakeup(&iplh[dev]);
+#  endif
+# endif
+	return 1;
+}
+
+
+int ipflog_read(unit, uio)
+minor_t unit;
+struct uio *uio;
+{
+	size_t dlen, copied;
+	int error = 0;
+	iplog_t *ipl;
+# if defined(_KERNEL) && !SOLARIS
+	int s;
+# endif
+
+	/*
+	 * Sanity checks.  Make sure the minor # is valid and we're copying
+	 * a valid chunk of data.
+	 */
+	if (IPL_LOGMAX < unit)
+		return ENXIO;
+	if (!uio->uio_resid)
+		return 0;
+	if ((uio->uio_resid < sizeof(iplog_t)) ||
+	    (uio->uio_resid > IPLLOGSIZE))
+		return EINVAL;
+ 
+	/*
+	 * Lock the log so we can snapshot the variables.  Wait for a signal
+	 * if the log is empty.
+	 */
+	SPL_NET(s);
+	MUTEX_ENTER(&ipl_mutex);
+
+	while (!iplused[unit] || !iplt[unit]) {
+# if SOLARIS && defined(_KERNEL)
+		if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
+			MUTEX_EXIT(&ipl_mutex);
+			return EINTR;
+		}
+# else
+#  ifdef linux
+		interruptible_sleep_on(&iplwait[unit]);
+		if (current->signal & ~current->blocked)
+			return -EINTR;
+#  else
+		MUTEX_EXIT(&ipl_mutex);
+		SPL_X(s);
+		error = SLEEP(&iplh[unit], "ipl sleep");
+		if (error)
+			return error;
+		SPL_NET(s);
+		MUTEX_ENTER(&ipl_mutex);
+#  endif /* linux */
+# endif /* SOLARIS */
+	}
+
+# if BSD >= 199306 || defined(__FreeBSD__)
+	uio->uio_rw = UIO_READ;
+# endif
+
+	for (copied = 0; (ipl = iplt[unit]); copied += dlen) {
+		dlen = ipl->ipl_dsize;
+		if (dlen > uio->uio_resid)
+			break;
+		/*
+		 * Don't hold the mutex over the uiomove call.
+		 */
+		iplt[unit] = ipl->ipl_next;
+		iplused[unit] -= dlen;
+		MUTEX_EXIT(&ipl_mutex);
+		SPL_X(s);
+		error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
+		if (error) {
+			SPL_NET(s);
+			MUTEX_ENTER(&ipl_mutex);
+			ipl->ipl_next = iplt[unit];
+			iplt[unit] = ipl;
+			iplused[unit] += dlen;
+			break;
+		}
+		KFREES((caddr_t)ipl, dlen);
+		SPL_NET(s);
+		MUTEX_ENTER(&ipl_mutex);
+	}
+	if (!iplt[unit]) {
+		iplused[unit] = 0;
+		iplh[unit] = &iplt[unit];
+		ipll[unit] = NULL;
+	}
+
+	MUTEX_EXIT(&ipl_mutex);
+	SPL_X(s);
+# ifdef 	linux
+	if (!error)
+		return (int)copied;
+	return -error;
+# else
+	return error;
+# endif
+}
+
+
+int ipflog_clear(unit)
+minor_t unit;
+{
+	iplog_t *ipl;
+	int used;
+
+	MUTEX_ENTER(&ipl_mutex);
+	while ((ipl = iplt[unit])) {
+		iplt[unit] = ipl->ipl_next;
+		KFREES((caddr_t)ipl, ipl->ipl_dsize);
+	}
+	iplh[unit] = &iplt[unit];
+	ipll[unit] = NULL;
+	used = iplused[unit];
+	iplused[unit] = 0;
+	bzero((char *)&iplcrc[unit], FI_CSIZE);
+	MUTEX_EXIT(&ipl_mutex);
+	return used;
+}
+#endif /* IPFILTER_LOG */
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
--- a/sys/netinet/ip_nat.h
+++ b/sys/netinet/ip_nat.h
@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 1995-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_nat.h	1.5 2/4/96
+ * $Id: ip_nat.h,v 2.1.2.1 1999/08/14 04:47:54 darrenr Exp $
+ * $FreeBSD$
+ */
+
+#ifndef	__IP_NAT_H__
+#define	__IP_NAT_H__
+
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
+#if defined(__STDC__) || defined(__GNUC__)
+#define	SIOCADNAT	_IOW('r', 80, struct ipnat)
+#define	SIOCRMNAT	_IOW('r', 81, struct ipnat)
+#define	SIOCGNATS	_IOR('r', 82, struct natstat)
+#define	SIOCGNATL	_IOWR('r', 83, struct natlookup)
+#define SIOCGFRST	_IOR('r', 84, struct ipfrstat)
+#define SIOCGIPST	_IOR('r', 85, struct ips_stat)
+#define	SIOCFLNAT	_IOWR('r', 86, int)
+#define	SIOCCNATL	_IOWR('r', 87, int)
+#else
+#define	SIOCADNAT	_IOW(r, 80, struct ipnat)
+#define	SIOCRMNAT	_IOW(r, 81, struct ipnat)
+#define	SIOCGNATS	_IOR(r, 82, struct natstat)
+#define	SIOCGNATL	_IOWR(r, 83, struct natlookup)
+#define SIOCGFRST	_IOR(r, 84, struct ipfrstat)
+#define SIOCGIPST	_IOR(r, 85, struct ips_stat)
+#define	SIOCFLNAT	_IOWR(r, 86, int)
+#define	SIOCCNATL	_IOWR(r, 87, int)
+#endif
+
+#undef	LARGE_NAT	/* define this if you're setting up a system to NAT
+			 * LARGE numbers of networks/hosts - i.e. in the
+			 * hundreds or thousands.  In such a case, you should
+			 * also change the RDR_SIZE and NAT_SIZE below to more
+			 * appropriate sizes.  The figures below were used for
+			 * a setup with 1000-2000 networks to NAT.
+			 */
+#define	NAT_SIZE	127
+#define	RDR_SIZE	127
+#define	NAT_TABLE_SZ	127
+#ifdef	LARGE_NAT
+#undef	NAT_SIZE
+#undef	RDR_SIZE
+#undef	NAT_TABLE_SZ
+#define	NAT_SIZE	2047
+#define	RDR_SIZE	2047
+#define	NAT_TABLE_SZ	16383
+#endif
+#ifndef	APR_LABELLEN
+#define	APR_LABELLEN	16
+#endif
+
+#define	DEF_NAT_AGE	1200     /* 10 minutes (600 seconds) */
+
+typedef	struct	nat	{
+	u_long	nat_age;
+	int	nat_flags;
+	u_32_t	nat_sumd;
+	u_32_t	nat_ipsumd;
+	void	*nat_data;
+	void	*nat_aps;		/* proxy session */
+	frentry_t	*nat_fr;	/* filter rule ptr if appropriate */
+	struct	in_addr	nat_inip;
+	struct	in_addr	nat_outip;
+	struct	in_addr	nat_oip;	/* other ip */
+	U_QUAD_T	nat_pkts;
+	U_QUAD_T	nat_bytes;
+	u_short	nat_oport;		/* other port */
+	u_short	nat_inport;
+	u_short	nat_outport;
+	u_short	nat_use;
+	u_char	nat_tcpstate[2];
+	u_char	nat_p;			/* protocol for NAT */
+	struct	ipnat	*nat_ptr;	/* pointer back to the rule */
+	struct	nat	*nat_next;
+	struct	nat	*nat_hnext[2];
+	struct	nat	**nat_hstart[2];
+	void	*nat_ifp;
+	int	nat_dir;
+} nat_t;
+
+typedef	struct	ipnat	{
+	struct	ipnat	*in_next;
+	struct	ipnat	*in_rnext;
+	struct	ipnat	*in_mnext;
+	void	*in_ifp;
+	void	*in_apr;
+	u_long	in_space;
+	u_int	in_use;
+	u_int	in_hits;
+	struct	in_addr	in_nextip;
+	u_short	in_pnext;
+	u_short	in_ppip;	/* ports per IP */
+	u_short	in_ippip;	/* IP #'s per IP# */
+	u_short	in_flags;	/* From here to in_dport must be reflected */
+	u_short	in_port[2];	/* correctly in IPN_CMPSIZ */
+	struct	in_addr	in_in[2];
+	struct	in_addr	in_out[2];
+	struct	in_addr	in_src[2];
+	int	in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
+	char	in_ifname[IFNAMSIZ];
+	char	in_plabel[APR_LABELLEN];	/* proxy label */
+	char	in_p;	/* protocol */
+	u_short	in_dport;
+} ipnat_t;
+
+#define	in_pmin		in_port[0]	/* Also holds static redir port */
+#define	in_pmax		in_port[1]
+#define	in_nip		in_nextip.s_addr
+#define	in_inip		in_in[0].s_addr
+#define	in_inmsk	in_in[1].s_addr
+#define	in_outip	in_out[0].s_addr
+#define	in_outmsk	in_out[1].s_addr
+#define	in_srcip	in_src[0].s_addr
+#define	in_srcmsk	in_src[1].s_addr
+
+#define	NAT_OUTBOUND	0
+#define	NAT_INBOUND	1
+
+#define	NAT_MAP		0x01
+#define	NAT_REDIRECT	0x02
+#define	NAT_BIMAP	(NAT_MAP|NAT_REDIRECT)
+#define	NAT_MAPBLK	0x04
+
+#define	MAPBLK_MINPORT	1024	/* don't use reserved ports for src port */
+#define	USABLE_PORTS	(65536 - MAPBLK_MINPORT)
+
+#define	IPN_CMPSIZ	(sizeof(ipnat_t) - offsetof(ipnat_t, in_flags))
+
+typedef	struct	natlookup {
+	struct	in_addr	nl_inip;
+	struct	in_addr	nl_outip;
+	struct	in_addr	nl_realip;
+	int	nl_flags;
+	u_short	nl_inport;
+	u_short	nl_outport;
+	u_short	nl_realport;
+} natlookup_t;
+
+typedef	struct	natstat	{
+	u_long	ns_mapped[2];
+	u_long	ns_rules;
+	u_long	ns_added;
+	u_long	ns_expire;
+	u_long	ns_inuse;
+	u_long	ns_logged;
+	u_long	ns_logfail;
+	nat_t	**ns_table[2];
+	ipnat_t	*ns_list;
+	void	*ns_apslist;
+	u_int	ns_nattab_sz;
+	u_int	ns_rultab_sz;
+	u_int	ns_rdrtab_sz;
+	nat_t	*ns_instances;
+} natstat_t;
+
+#define	IPN_ANY		0x00
+#define	IPN_TCP		0x01
+#define	IPN_UDP		0x02
+#define	IPN_TCPUDP	(IPN_TCP|IPN_UDP)
+#define	IPN_DELETE	0x04
+#define	IPN_ICMPERR	0x08
+#define	IPN_RF		(IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
+#define	IPN_AUTOPORTMAP	0x10
+#define	IPN_RANGE	0x20
+#define	IPN_USERFLAGS	(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_RANGE)
+
+
+typedef	struct	natlog {
+	struct	in_addr	nl_origip;
+	struct	in_addr	nl_outip;
+	struct	in_addr	nl_inip;
+	u_short	nl_origport;
+	u_short	nl_outport;
+	u_short	nl_inport;
+	u_short	nl_type;
+	int	nl_rule;
+	U_QUAD_T	nl_pkts;
+	U_QUAD_T	nl_bytes;
+} natlog_t;
+
+
+#define	NL_NEWMAP	NAT_MAP
+#define	NL_NEWRDR	NAT_REDIRECT
+#define	NL_EXPIRE	0xffff
+
+#define	NAT_HASH_FN(k,m)	(((k) + ((k) >> 12)) % (m))
+
+#define	LONG_SUM(in)	(((in) & 0xffff) + ((in) >> 16))
+
+#define	CALC_SUMD(s1, s2, sd) { \
+			    (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+			    (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+			    /* Do it twice */ \
+			    (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
+			    (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
+			    /* Because ~1 == -2, We really need ~1 == -1 */ \
+			    if ((s1) > (s2)) (s2)--; \
+			    (sd) = (s2) - (s1); \
+			    (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
+
+
+extern	u_int	ipf_nattable_sz;
+extern	u_int	ipf_natrules_sz;
+extern	u_int	ipf_rdrrules_sz;
+extern	void	ip_natsync __P((void *));
+extern	u_long	fr_defnatage;
+extern	u_long	fr_defnaticmpage;
+extern	nat_t	**nat_table[2];
+extern	nat_t	*nat_instances;
+extern	ipnat_t	**nat_rules;
+extern	ipnat_t	**rdr_rules;
+extern	natstat_t	nat_stats;
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
+extern	int	nat_ioctl __P((caddr_t, u_long, int));
+#else
+extern	int	nat_ioctl __P((caddr_t, int, int));
+#endif
+extern	int	nat_init __P((void));
+extern	nat_t	*nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int));
+extern	nat_t	*nat_outlookup __P((void *, u_int, u_int, struct in_addr,
+				 struct in_addr, u_32_t));
+extern	nat_t	*nat_inlookup __P((void *, u_int, u_int, struct in_addr,
+				struct in_addr, u_32_t));
+extern	nat_t	*nat_maplookup __P((void *, u_int, struct in_addr,
+				struct in_addr));
+extern	nat_t	*nat_lookupredir __P((natlookup_t *));
+extern	nat_t	*nat_icmpinlookup __P((ip_t *, fr_info_t *));
+extern	nat_t	*nat_icmpin __P((ip_t *, fr_info_t *, u_int *));
+
+extern	int	ip_natout __P((ip_t *, fr_info_t *));
+extern	int	ip_natin __P((ip_t *, fr_info_t *));
+extern	void	ip_natunload __P((void)), ip_natexpire __P((void));
+extern	void	nat_log __P((struct nat *, u_int));
+extern	void	fix_incksum __P((u_short *, u_32_t));
+extern	void	fix_outcksum __P((u_short *, u_32_t));
+
+#endif /* __IP_NAT_H__ */
--- a/sys/netinet/ip_proxy.c
+++ b/sys/netinet/ip_proxy.c
@ -0,0 +1,388 @@
+/*
+ * Copyright (C) 1997-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#if !defined(lint)
+/*static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.2.2.1 1999/09/19 12:18:19 darrenr Exp $";*/
+static const char rcsid[] = "@(#)$FreeBSD$";
+#endif
+
+#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
+# define	_KERNEL
+#endif
+
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if !defined(__FreeBSD_version)  
+# include <sys/ioctl.h>      
+#endif
+#include <sys/fcntl.h>
+#include <sys/uio.h>
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+#endif
+#ifndef	linux
+# include <sys/protosw.h>
+#endif
+#include <sys/socket.h>
+#if defined(_KERNEL)
+# if !defined(linux)
+#  include <sys/systm.h>
+# else
+#  include <linux/string.h>
+# endif
+#endif
+#if !defined(__SVR4) && !defined(__svr4__)
+# ifndef linux
+#  include <sys/mbuf.h>
+# endif
+#else
+# include <sys/byteorder.h>
+# ifdef _KERNEL
+#  include <sys/dditypes.h>
+# endif
+# include <sys/stream.h>
+# include <sys/kmem.h>
+#endif
+#if __FreeBSD__ > 2
+# include <sys/queue.h>
+#endif
+#include <net/if.h>
+#ifdef sun
+# include <net/af.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#ifndef linux
+# include <netinet/ip_var.h>
+#endif
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
+#include "netinet/ip_fil.h"
+#include "netinet/ip_proxy.h"
+#include "netinet/ip_nat.h"
+#include "netinet/ip_state.h"
+#if (__FreeBSD_version >= 300000)
+# include <sys/malloc.h>
+#endif
+
+
+#ifndef MIN
+#define MIN(a,b)        (((a)<(b))?(a):(b))
+#endif
+
+static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
+					   fr_info_t *, nat_t *));
+static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
+
+
+#define	AP_SESS_SIZE	53
+
+#if defined(_KERNEL) && !defined(linux)
+#include "netinet/ip_ftp_pxy.c"
+#include "netinet/ip_rcmd_pxy.c"
+#include "netinet/ip_raudio_pxy.c"
+#endif
+
+ap_session_t	*ap_sess_tab[AP_SESS_SIZE];
+ap_session_t	*ap_sess_list = NULL;
+aproxy_t	ap_proxies[] = {
+#ifdef	IPF_FTP_PROXY
+	{ "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
+	  ippr_ftp_in, ippr_ftp_out },
+#endif
+#ifdef	IPF_RCMD_PROXY
+	{ "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new,
+	  NULL, ippr_rcmd_out },
+#endif
+#ifdef	IPF_RAUDIO_PROXY
+	{ "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init,
+	  ippr_raudio_new, ippr_raudio_in, ippr_raudio_out },
+#endif
+	{ "", '\0', 0, 0, NULL, NULL }
+};
+
+
+int appr_ok(ip, tcp, nat)
+ip_t *ip;
+tcphdr_t *tcp;
+ipnat_t *nat;
+{
+	aproxy_t *apr = nat->in_apr;
+	u_short dport = nat->in_dport;
+
+	if (!apr || (apr->apr_flags & APR_DELETE) ||
+	    (ip->ip_p != apr->apr_p))
+		return 0;
+	if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport))
+		return 0;
+	return 1;
+}
+
+
+/*
+ * Allocate a new application proxy structure and fill it in with the
+ * relevant details.  call the init function once complete, prior to
+ * returning.
+ */
+static ap_session_t *appr_new_session(apr, ip, fin, nat)
+aproxy_t *apr;
+ip_t *ip;
+fr_info_t *fin;
+nat_t *nat;
+{
+	register ap_session_t *aps;
+
+	if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
+		return NULL;
+
+	KMALLOC(aps, ap_session_t *);
+	if (!aps)
+		return NULL;
+	bzero((char *)aps, sizeof(*aps));
+	aps->aps_next = ap_sess_list;
+	aps->aps_p = ip->ip_p;
+	aps->aps_data = NULL;
+	aps->aps_apr = apr;
+	aps->aps_psiz = 0;
+	ap_sess_list = aps;
+	aps->aps_nat = nat;
+	nat->nat_aps = aps;
+	if (apr->apr_new != NULL)
+		(void) (*apr->apr_new)(fin, ip, aps, nat);
+	return aps;
+}
+
+
+/*
+ * check to see if a packet should be passed through an active proxy routine
+ * if one has been setup for it.
+ */
+int appr_check(ip, fin, nat)
+ip_t *ip;
+fr_info_t *fin;
+nat_t *nat;
+{
+	ap_session_t *aps;
+	aproxy_t *apr;
+	tcphdr_t *tcp = NULL;
+	u_32_t sum;
+	int err;
+
+	if (nat->nat_aps == NULL)
+		nat->nat_aps = appr_new_session(nat->nat_ptr->in_apr, ip,
+						fin, nat);
+	aps = nat->nat_aps;
+	if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
+		if (ip->ip_p == IPPROTO_TCP) {
+			tcp = (tcphdr_t *)fin->fin_dp;
+			/*
+			 * verify that the checksum is correct.  If not, then
+			 * don't do anything with this packet.
+			 */
+#if SOLARIS && defined(_KERNEL)
+			sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#else
+			sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
+#endif
+			if (sum != tcp->th_sum) {
+				frstats[fin->fin_out].fr_tcpbad++;
+				return -1;
+			}
+		}
+
+		apr = aps->aps_apr;
+		err = 0;
+		if (fin->fin_out != 0) {
+			if (apr->apr_outpkt != NULL)
+				err = (*apr->apr_outpkt)(fin, ip, aps, nat);
+		} else {
+			if (apr->apr_inpkt != NULL)
+				err = (*apr->apr_inpkt)(fin, ip, aps, nat);
+		}
+
+		if (tcp != NULL) {
+			err = appr_fixseqack(fin, ip, aps, err);
+#if SOLARIS && defined(_KERNEL)
+			tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#else
+			tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
+#endif
+		}
+		aps->aps_bytes += ip->ip_len;
+		aps->aps_pkts++;
+		return 2;
+	}
+	return -1;
+}
+
+
+aproxy_t *appr_match(pr, name)
+u_int pr;
+char *name;
+{
+	aproxy_t *ap;
+
+	for (ap = ap_proxies; ap->apr_p; ap++)
+		if ((ap->apr_p == pr) &&
+		    !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
+			ap->apr_ref++;
+			return ap;
+		}
+	return NULL;
+}
+
+
+void appr_free(ap)
+aproxy_t *ap;
+{
+	ap->apr_ref--;
+}
+
+
+void aps_free(aps)
+ap_session_t *aps;
+{
+	ap_session_t *a, **ap;
+
+	if (!aps)
+		return;
+
+	for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
+		if (a == aps) {
+			*ap = a->aps_next;
+			break;
+		}
+
+	if (a) {
+		if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
+			KFREES(aps->aps_data, aps->aps_psiz);
+		KFREE(aps);
+	}
+}
+
+
+static int appr_fixseqack(fin, ip, aps, inc)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+int inc;
+{
+	int sel, ch = 0, out, nlen;
+	u_32_t seq1, seq2;
+	tcphdr_t *tcp;
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	out = fin->fin_out;
+	nlen = ip->ip_len;
+	nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+
+	if (out != 0) {
+		seq1 = (u_32_t)ntohl(tcp->th_seq);
+		sel = aps->aps_sel[out];
+
+		/* switch to other set ? */
+		if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
+		    (seq1 > aps->aps_seqmin[!sel]))
+			sel = aps->aps_sel[out] = !sel;
+
+		if (aps->aps_seqoff[sel]) {
+			seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
+			if (seq1 > seq2) {
+				seq2 = aps->aps_seqoff[sel];
+				seq1 += seq2;
+				tcp->th_seq = htonl(seq1);
+				ch = 1;
+			}
+		}
+
+		if (inc && (seq1 > aps->aps_seqmin[!sel])) {
+			aps->aps_seqmin[!sel] = seq1 + nlen - 1;
+			aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
+		}
+
+		/***/
+
+		seq1 = ntohl(tcp->th_ack);
+		sel = aps->aps_sel[1 - out];
+
+		/* switch to other set ? */
+		if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
+		    (seq1 > aps->aps_ackmin[!sel]))
+			sel = aps->aps_sel[1 - out] = !sel;
+
+		if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
+			seq2 = aps->aps_ackoff[sel];
+			tcp->th_ack = htonl(seq1 - seq2);
+			ch = 1;
+		}
+	} else {
+		seq1 = ntohl(tcp->th_seq);
+		sel = aps->aps_sel[out];
+
+		/* switch to other set ? */
+		if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
+		    (seq1 > aps->aps_ackmin[!sel]))
+			sel = aps->aps_sel[out] = !sel;
+
+		if (aps->aps_ackoff[sel]) {
+			seq2 = aps->aps_ackmin[sel] -
+			       aps->aps_ackoff[sel];
+			if (seq1 > seq2) {
+				seq2 = aps->aps_ackoff[sel];
+				seq1 += seq2;
+				tcp->th_seq = htonl(seq1);
+				ch = 1;
+			}
+		}
+
+		if (inc && (seq1 > aps->aps_ackmin[!sel])) {
+			aps->aps_ackmin[!sel] = seq1 + nlen - 1;
+			aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
+		}
+
+		/***/
+
+		seq1 = ntohl(tcp->th_ack);
+		sel = aps->aps_sel[1 - out];
+
+		/* switch to other set ? */
+		if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
+		    (seq1 > aps->aps_seqmin[!sel]))
+			sel = aps->aps_sel[1 - out] = !sel;
+
+		if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
+			seq2 = aps->aps_seqoff[sel];
+			tcp->th_ack = htonl(seq1 - seq2);
+			ch = 1;
+		}
+	}
+	return ch ? 2 : 0;
+}
+
+
+int appr_init()
+{
+	aproxy_t *ap;
+	int err = 0;
+
+	for (ap = ap_proxies; ap->apr_p; ap++) {
+		err = (*ap->apr_init)();
+		if (err != 0)
+			break;
+	}
+	return err;
+}
--- a/sys/netinet/ip_proxy.h
+++ b/sys/netinet/ip_proxy.h
@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 1997-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * $Id: ip_proxy.h,v 2.1.2.1 1999/09/19 12:18:20 darrenr Exp $
+ * $FreeBSD$
+ */
+
+#ifndef	__IP_PROXY_H__
+#define	__IP_PROXY_H__
+
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
+#ifndef	APR_LABELLEN
+#define	APR_LABELLEN	16
+#endif
+#define	AP_SESS_SIZE	53
+
+struct	nat;
+struct	ipnat;
+
+typedef	struct	ap_tcp {
+	u_short	apt_sport;	/* source port */
+	u_short	apt_dport;	/* destination port */
+	short	apt_sel[2];	/* {seq,ack}{off,min} set selector */
+	short	apt_seqoff[2];	/* sequence # difference */
+	tcp_seq	apt_seqmin[2];	/* don't change seq-off until after this */
+	short	apt_ackoff[2];	/* sequence # difference */
+	tcp_seq	apt_ackmin[2];	/* don't change seq-off until after this */
+	u_char	apt_state[2];	/* connection state */
+} ap_tcp_t;
+
+typedef	struct	ap_udp {
+	u_short	apu_sport;	/* source port */
+	u_short	apu_dport;	/* destination port */
+} ap_udp_t;
+
+typedef	struct ap_session {
+	struct	aproxy	*aps_apr;
+	union {
+		struct	ap_tcp	apu_tcp;
+		struct	ap_udp	apu_udp;
+	} aps_un;
+	u_int	aps_flags;
+	U_QUAD_T aps_bytes;	/* bytes sent */
+	U_QUAD_T aps_pkts;	/* packets sent */
+	void	*aps_nat;	/* pointer back to nat struct */
+	void	*aps_data;	/* private data */
+	int	aps_p;		/* protocol */
+	int	aps_psiz;	/* size of private data */
+	struct	ap_session	*aps_hnext;
+	struct	ap_session	*aps_next;
+} ap_session_t ;
+
+#define	aps_sport	aps_un.apu_tcp.apt_sport
+#define	aps_dport	aps_un.apu_tcp.apt_dport
+#define	aps_sel		aps_un.apu_tcp.apt_sel
+#define	aps_seqoff	aps_un.apu_tcp.apt_seqoff
+#define	aps_seqmin	aps_un.apu_tcp.apt_seqmin
+#define	aps_state	aps_un.apu_tcp.apt_state
+#define	aps_ackoff	aps_un.apu_tcp.apt_ackoff
+#define	aps_ackmin	aps_un.apu_tcp.apt_ackmin
+
+
+typedef	struct	aproxy	{
+	char	apr_label[APR_LABELLEN];	/* Proxy label # */
+	u_char	apr_p;		/* protocol */
+	int	apr_ref;	/* +1 per rule referencing it */
+	int	apr_flags;
+	int	(* apr_init) __P((void));
+	int	(* apr_new) __P((fr_info_t *, ip_t *,
+				 ap_session_t *, struct nat *));
+	int	(* apr_inpkt) __P((fr_info_t *, ip_t *,
+				   ap_session_t *, struct nat *));
+	int	(* apr_outpkt) __P((fr_info_t *, ip_t *,
+				    ap_session_t *, struct nat *));
+} aproxy_t;
+
+#define	APR_DELETE	1
+
+
+/*
+ * Real audio proxy structure and #defines
+ */
+typedef	struct	{
+	int	rap_seenpna;
+	int	rap_seenver;
+	int	rap_version;
+	int	rap_eos;	/* End Of Startup */
+	int	rap_gotid;
+	int	rap_gotlen;
+	int	rap_mode;
+	int	rap_sdone;
+	u_short	rap_plport;
+	u_short	rap_prport;
+	u_short	rap_srport;
+	char	rap_svr[19];
+	u_32_t	rap_sbf;	/* flag to indicate which of the 19 bytes have
+				 * been filled
+				 */
+	tcp_seq	rap_sseq;
+} raudio_t;
+
+#define	RA_ID_END	0
+#define	RA_ID_UDP	1
+#define	RA_ID_ROBUST	7
+
+#define	RAP_M_UDP	1
+#define	RAP_M_ROBUST	2
+#define	RAP_M_TCP	4
+#define	RAP_M_UDP_ROBUST	(RAP_M_UDP|RAP_M_ROBUST)
+
+
+extern	ap_session_t	*ap_sess_tab[AP_SESS_SIZE];
+extern	ap_session_t	*ap_sess_list;
+extern	aproxy_t	ap_proxies[];
+
+extern	int	appr_init __P((void));
+extern	int	appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *));
+extern	void	appr_free __P((aproxy_t *));
+extern	void	aps_free __P((ap_session_t *));
+extern	int	appr_check __P((ip_t *, fr_info_t *, struct nat *));
+extern	aproxy_t	*appr_match __P((u_int, char *));
+
+#endif /* __IP_PROXY_H__ */
--- a/sys/netinet/ip_raudio_pxy.c
+++ b/sys/netinet/ip_raudio_pxy.c
@ -0,0 +1,274 @@
+/*
+ * $Id$
+ * $FreeBSD$
+ */
+#if SOLARIS && defined(_KERNEL)
+extern	kmutex_t	ipf_rw;
+#endif
+
+#define	IPF_RAUDIO_PROXY
+
+
+int ippr_raudio_init __P((void));
+int ippr_raudio_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_raudio_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_raudio_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static	frentry_t	raudiofr;
+
+
+/*
+ * Real Audio application proxy initialization.
+ */
+int ippr_raudio_init()
+{
+	bzero((char *)&raudiofr, sizeof(raudiofr));
+	raudiofr.fr_ref = 1;
+	raudiofr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+	return 0;
+}
+
+
+/*
+ * Setup for a new proxy to handle Real Audio.
+ */
+int ippr_raudio_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	raudio_t *rap;
+
+
+	KMALLOCS(aps->aps_data, void *, sizeof(raudio_t));
+	if (aps->aps_data != NULL) {
+		bzero(aps->aps_data, sizeof(raudio_t));
+		rap = aps->aps_data;
+		aps->aps_psiz = sizeof(raudio_t);
+		rap->rap_mode = RAP_M_TCP;	/* default is for TCP */
+	}
+	return 0;
+}
+
+
+
+int ippr_raudio_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	char membuf[512 + 1], *s;
+	int off, dlen, inc = 0;
+	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+	raudio_t *rap = aps->aps_data;
+	u_short sp, dp, id = 0;
+	struct in_addr swip;
+	fr_info_t fi;
+	int len = 0;
+	nat_t *ipn;
+	mb_t *m;
+#if	SOLARIS
+	mb_t *m1;
+#endif
+
+	/*
+	 * If we've already processed the start messages, then nothing left
+	 * for the proxy to do.
+	 */
+	if (rap->rap_eos == 1)
+		return 0;
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+	bzero(membuf, sizeof(membuf));
+#if	SOLARIS
+	m = fin->fin_qfm;
+
+	dlen = msgdsize(m) - off;
+	if (dlen <= 0)
+		return 0;
+	copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf);
+#else
+	m = *(mb_t **)fin->fin_mp;
+
+	dlen = mbufchainlen(m) - off;
+	if (dlen <= 0)
+		return 0;
+	m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf);
+#endif
+	/*
+	 * In all the startup parsing, ensure that we don't go outside
+	 * the packet buffer boundary.
+	 */
+	/*
+	 * Look for the start of connection "PNA" string if not seen yet.
+	 */
+	if (rap->rap_seenpna == 0) {
+		s = memstr("PNA", membuf, 3, dlen);
+		if (s == NULL)
+			return 0;
+		s += 3;
+		rap->rap_seenpna = 1;
+	} else
+		s = membuf;
+
+	/*
+	 * Directly after the PNA will be the version number of this
+	 * connection.
+	 */
+	if (rap->rap_seenpna == 1 && rap->rap_seenver == 0) {
+		if ((s + 1) - membuf < dlen) {
+			rap->rap_version = (*s << 8) | *(s + 1);
+			s += 2;
+			rap->rap_seenver = 1;
+		} else
+			return 0;
+	}
+
+	/*
+	 * Now that we've been past the PNA and version number, we're into the
+	 * startup messages block.  This ends when a message with an ID of 0.
+	 */
+	while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) {
+		if (rap->rap_gotid == 0) {
+			id = (*s << 8) | *(s + 1);
+			s += 2;
+			rap->rap_gotid = 1;
+			if (id == RA_ID_END) {
+				rap->rap_eos = 1;
+				break;
+			}
+		} else if (rap->rap_gotlen == 0) {
+			len = (*s << 8) | *(s + 1);
+			s += 2;
+			rap->rap_gotlen = 1;
+		}
+
+		if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) {
+			if (id == RA_ID_UDP) {
+				rap->rap_mode &= ~RAP_M_TCP;
+				rap->rap_mode |= RAP_M_UDP;
+				rap->rap_plport = (*s << 8) | *(s + 1);
+			} else if (id == RA_ID_ROBUST) {
+				rap->rap_mode |= RAP_M_ROBUST;
+				rap->rap_prport = (*s << 8) | *(s + 1);
+			}
+			s += len;
+			rap->rap_gotlen = 0;
+			rap->rap_gotid = 0;
+		}
+	}
+
+	/*
+	 * Wait until we've seen the end of the start messages and even then
+	 * only proceed further if we're using UDP.
+	 */
+	if ((rap->rap_eos == 0) || ((rap->rap_mode & RAP_M_UDP) != RAP_M_UDP))
+		return 0;
+	sp = rap->rap_plport;
+	dp = 0;
+
+	bcopy((char *)fin, (char *)&fi, sizeof(fi));
+	bzero((char *)tcp2, sizeof(*tcp2));
+	tcp2->th_sport = htons(sp);
+	tcp2->th_dport = 0; /* XXX - don't specify remote port */
+	tcp2->th_win = htons(8192);
+	fi.fin_dp = (char *)tcp2;
+	fi.fin_data[0] = sp;
+	fi.fin_data[1] = 0;
+	fi.fin_fr = &raudiofr;
+	swip = ip->ip_src;
+	ip->ip_src = nat->nat_inip;
+	ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, NAT_OUTBOUND);
+	if (ipn != NULL) {
+		ipn->nat_age = fr_defnatage;
+		(void) fr_addstate(ip, &fi, FI_W_DPORT);
+	}
+	ip->ip_src = swip;
+
+	if ((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) {
+		sp = rap->rap_prport;
+	}
+	return inc;
+}
+
+
+int ippr_raudio_in(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	char membuf[IPF_MAXPORTLEN + 1], *s;
+	int off, dlen;
+	raudio_t *rap = aps->aps_data;
+	u_int a1, a2, a3, a4;
+	tcphdr_t *tcp;
+	tcp_seq seq;
+	mb_t *m;
+#if	SOLARIS
+	mb_t *m1;
+#endif
+
+	if ((rap->rap_sdone != 0) ||
+	    ((rap->rap_mode & RAP_M_UDP_ROBUST) != RAP_M_UDP_ROBUST))
+		return 0;
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+	m = *(mb_t **)fin->fin_mp;
+
+#if	SOLARIS
+	m = fin->fin_qfm;
+
+	dlen = msgdsize(m) - off;
+	if (dlen <= 0)
+		return 0;
+	bzero(membuf, sizeof(membuf));
+	copyout_mblk(m, off, MIN(sizeof(membuf), dlen), membuf);
+#else
+	dlen = mbufchainlen(m) - off;
+	if (dlen <= 0)
+		return 0;
+	bzero(membuf, sizeof(membuf));
+	m_copydata(m, off, MIN(sizeof(membuf), dlen), membuf);
+#endif
+
+	seq = ntohl(tcp->th_seq);
+	/*
+	 * Check to see if the data in this packet is of interest to us.
+	 * We only care for the first 19 bytes coming back from the server.
+	 */
+	if (rap->rap_sseq == 0) {
+		s = memstr("PNA", membuf, 3, dlen);
+		if (s == NULL)
+			return 0;
+		a1 = s - membuf;
+		dlen -= a1;
+		a1 = 0;
+		rap->rap_sseq = seq;
+		a2 = MIN(dlen, sizeof(rap->rap_svr));
+	} else if (seq <= rap->rap_sseq + sizeof(rap->rap_svr)) {
+		/*
+		 * seq # which is the start of data and from that the offset
+		 * into the buffer array.
+		 */
+		a1 = seq - rap->rap_sseq;
+		a2 = MIN(dlen, sizeof(rap->rap_svr));
+		a2 -= a1;
+		s = membuf;
+	} else
+		return 0;
+
+	for (a3 = a1, a4 = a2; a4 > 0; a4--, a3++) {
+		rap->rap_sbf |= (1 << a3);
+		rap->rap_svr[a3] = *s++;
+	}
+	if (rap->rap_sbf == 0x7ffff) {		/* 19 bits */
+		s = rap->rap_svr + 13;
+		rap->rap_srport = (*s << 8) | *(s + 1);
+	}
+	return 0;
+}
--- a/sys/netinet/ip_rcmd_pxy.c
+++ b/sys/netinet/ip_rcmd_pxy.c
@ -0,0 +1,160 @@
+/*
+ * $Id$
+ * $FreeBSD$
+ */
+/*
+ * Simple RCMD transparent proxy for in-kernel use.  For use with the NAT
+ * code.
+ */
+#if SOLARIS && defined(_KERNEL)
+extern	kmutex_t	ipf_rw;
+#endif
+
+#define	isdigit(x)	((x) >= '0' && (x) <= '9')
+
+#define	IPF_RCMD_PROXY
+
+
+int ippr_rcmd_init __P((void));
+int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+u_short ipf_rcmd_atoi __P((char *));
+int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
+
+static	frentry_t	rcmdfr;
+
+
+/*
+ * RCMD application proxy initialization.
+ */
+int ippr_rcmd_init()
+{
+	bzero((char *)&rcmdfr, sizeof(rcmdfr));
+	rcmdfr.fr_ref = 1;
+	rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
+	return 0;
+}
+
+
+/*
+ * Setup for a new RCMD proxy.
+ */
+int ippr_rcmd_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
+
+	aps->aps_psiz = sizeof(u_32_t);
+	KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
+	if (aps->aps_data == NULL)
+		return -1;
+	*(u_32_t *)aps->aps_data = 0;
+	aps->aps_sport = tcp->th_sport;
+	aps->aps_dport = tcp->th_dport;
+	return 0;
+}
+
+
+/*
+ * ipf_rcmd_atoi - implement a simple version of atoi
+ */
+u_short ipf_rcmd_atoi(ptr)
+char *ptr;
+{
+	register char *s = ptr, c;
+	register u_short i = 0;
+
+	while ((c = *s++) && isdigit(c)) {
+		i *= 10;
+		i += c - '0';
+	}
+	return i;
+}
+
+
+int ippr_rcmd_portmsg(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	char portbuf[8], *s;
+	struct in_addr swip;
+	u_short sp, dp;
+	int off, dlen;
+	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
+	fr_info_t fi;
+	nat_t *ipn;
+	mb_t *m;
+#if	SOLARIS
+	mb_t *m1;
+#endif
+
+	tcp = (tcphdr_t *)fin->fin_dp;
+	off = (ip->ip_hl << 2) + (tcp->th_off << 2);
+	m = *(mb_t **)fin->fin_mp;
+
+#if	SOLARIS
+	m = fin->fin_qfm;
+
+	dlen = msgdsize(m) - off;
+	bzero(portbuf, sizeof(portbuf));
+	copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#else
+	dlen = mbufchainlen(m) - off;
+	bzero(portbuf, sizeof(portbuf));
+	m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
+#endif
+	if ((*(u_32_t *)aps->aps_data != 0) &&
+	    (tcp->th_seq != *(u_32_t *)aps->aps_data))
+		return 0;
+
+	portbuf[sizeof(portbuf) - 1] = '\0';
+	s = portbuf;
+	sp = ipf_rcmd_atoi(s);
+	if (!sp)
+		return 0;
+
+	/*
+	 * Add skeleton NAT entry for connection which will come back the
+	 * other way.
+	 */
+	sp = htons(sp);
+	dp = htons(fin->fin_data[1]);
+	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
+			    ip->ip_dst, (dp << 16) | sp);
+	if (ipn == NULL) {
+		bcopy((char *)fin, (char *)&fi, sizeof(fi));
+		bzero((char *)tcp2, sizeof(*tcp2));
+		tcp2->th_win = htons(8192);
+		tcp2->th_sport = sp;
+		tcp2->th_dport = 0; /* XXX - don't specify remote port */
+		fi.fin_data[0] = ntohs(sp);
+		fi.fin_data[1] = 0;
+		fi.fin_dp = (char *)tcp2;
+		swip = ip->ip_src;
+		ip->ip_src = nat->nat_inip;
+		ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
+			      NAT_OUTBOUND);
+		if (ipn != NULL) {
+			ipn->nat_age = fr_defnatage;
+			fi.fin_fr = &rcmdfr;
+			(void) fr_addstate(ip, &fi, FI_W_DPORT);
+		}
+		ip->ip_src = swip;
+	}
+	return 0;
+}
+
+
+int ippr_rcmd_out(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
+{
+	return ippr_rcmd_portmsg(fin, ip, aps, nat);
+}
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 1995-1998 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
+ * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $
+ * $FreeBSD$
+ */
+#ifndef	__IP_STATE_H__
+#define	__IP_STATE_H__
+
+#define	IPSTATE_SIZE	257
+#define	IPSTATE_MAX	2048	/* Maximum number of states held */
+
+#define	PAIRS(s1,d1,s2,d2)	((((s1) == (s2)) && ((d1) == (d2))) ||\
+				 (((s1) == (d2)) && ((d1) == (s2))))
+#define	IPPAIR(s1,d1,s2,d2)	PAIRS((s1).s_addr, (d1).s_addr, \
+				      (s2).s_addr, (d2).s_addr)
+
+
+typedef struct udpstate {
+	u_short	us_sport;
+	u_short	us_dport;
+} udpstate_t;
+
+typedef struct icmpstate {
+	u_short	ics_id;
+	u_short	ics_seq;
+	u_char	ics_type;
+} icmpstate_t;
+
+typedef	struct	tcpdata	{
+	u_32_t	td_end;
+	u_32_t	td_maxend;
+	u_short	td_maxwin;
+} tcpdata_t;
+
+typedef	struct tcpstate {
+	u_short	ts_sport;
+	u_short	ts_dport;
+	tcpdata_t ts_data[2];
+	u_char	ts_state[2];
+} tcpstate_t;
+
+typedef struct ipstate {
+	struct	ipstate	*is_next;
+	u_long	is_age;
+	u_int	is_pass;
+	U_QUAD_T	is_pkts;
+	U_QUAD_T	is_bytes;
+	void	*is_ifpin;
+	void	*is_ifpout;
+	frentry_t	*is_rule;
+	struct	in_addr	is_src;
+	struct	in_addr	is_dst;
+	u_char	is_p;			/* Protocol */
+	u_char	is_rout;		/* Is rule in/out ? */
+	u_32_t	is_flags;
+	u_32_t	is_opt;			/* packet options set */
+	u_32_t	is_optmsk;		/*    "      "    mask */
+	u_short	is_sec;			/* security options set */
+	u_short	is_secmsk;		/*    "        "    mask */
+	u_short	is_auth;		/* authentication options set */
+	u_short	is_authmsk;		/*    "              "    mask */
+	union {
+		icmpstate_t	is_ics;
+		tcpstate_t	is_ts;
+		udpstate_t	is_us;
+	} is_ps;
+} ipstate_t;
+
+#define	is_icmp	is_ps.is_ics
+#define	is_type	is_icmp.ics_type
+#define	is_code	is_icmp.ics_code
+#define	is_tcp	is_ps.is_ts
+#define	is_udp	is_ps.is_us
+#define is_send	is_tcp.ts_data[0].td_end
+#define is_dend	is_tcp.ts_data[1].td_end
+#define is_maxswin	is_tcp.ts_data[0].td_maxwin
+#define is_maxdwin	is_tcp.ts_data[1].td_maxwin
+#define is_maxsend	is_tcp.ts_data[0].td_maxend
+#define is_maxdend	is_tcp.ts_data[1].td_maxend
+#define	is_sport	is_tcp.ts_sport
+#define	is_dport	is_tcp.ts_dport
+#define	is_state	is_tcp.ts_state
+
+#define	TH_OPENING	(TH_SYN|TH_ACK)
+/*
+ * is_flags:
+ * Bits 0 - 3 are use as a mask with the current packet's bits to check for
+ * whether it is short, tcp/udp, a fragment or the presence of IP options.
+ * Bits 4 - 7 are set from the initial packet and contain what the packet
+ * anded with bits 0-3 must match.
+ * Bits 8,9 are used to indicate wildcard source/destination port matching.
+ */
+
+
+typedef	struct	ipslog	{
+	U_QUAD_T	isl_pkts;
+	U_QUAD_T	isl_bytes;
+	struct	in_addr	isl_src;
+	struct	in_addr	isl_dst;
+	u_char	isl_p;
+	u_char	isl_flags;
+	u_char	isl_state[2];
+	u_short	isl_type;
+	union {
+		u_short	isl_filler[2];
+		u_short	isl_ports[2];
+		u_short	isl_icmp;
+	} isl_ps;
+} ipslog_t;
+
+#define	isl_sport	isl_ps.isl_ports[0]
+#define	isl_dport	isl_ps.isl_ports[1]
+#define	isl_itype	isl_ps.isl_icmp
+
+#define	ISL_NEW		0
+#define	ISL_EXPIRE	0xffff
+#define	ISL_FLUSH	0xfffe
+
+
+typedef	struct	ips_stat {
+	u_long	iss_hits;
+	u_long	iss_miss;
+	u_long	iss_max;
+	u_long	iss_tcp;
+	u_long	iss_udp;
+	u_long	iss_icmp;
+	u_long	iss_nomem;
+	u_long	iss_expire;
+	u_long	iss_fin;
+	u_long	iss_active;
+	u_long	iss_logged;
+	u_long	iss_logfail;
+	u_long	iss_inuse;
+	ipstate_t **iss_table;
+} ips_stat_t;
+
+
+extern	u_long	fr_tcpidletimeout;
+extern	u_long	fr_tcpclosewait;
+extern	u_long	fr_tcplastack;
+extern	u_long	fr_tcptimeout;
+extern	u_long	fr_tcpclosed;
+extern	u_long	fr_udptimeout;
+extern	u_long	fr_icmptimeout;
+extern	int	fr_stateinit __P((void));
+extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
+extern	ipstate_t	*fr_addstate __P((ip_t *, fr_info_t *, u_int));
+extern	frentry_t	*fr_checkstate __P((ip_t *, fr_info_t *));
+extern	void	fr_timeoutstate __P((void));
+extern	void	fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
+extern	void	fr_stateunload __P((void));
+extern	void	ipstate_log __P((struct ipstate *, u_int));
+#if defined(__NetBSD__) || defined(__OpenBSD__)
+extern	int	fr_state_ioctl __P((caddr_t, u_long, int));
+#else
+extern	int	fr_state_ioctl __P((caddr_t, int, int));
+#endif
+
+#endif /* __IP_STATE_H__ */
--- a/sys/netinet/ipl.h
+++ b/sys/netinet/ipl.h
@ -0,0 +1,18 @@
+/*
+ * Copyright (C) 1993-1999 by Darren Reed.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ *
+ * @(#)ipl.h	1.21 6/5/96
+ * $Id$
+ * $FreeBSD$
+ */
+
+#ifndef	__IPL_H__
+#define	__IPL_H__
+
+#define	IPL_VERSION	"IP Filter: v3.3.3"
+
+#endif