authorDarren Reed <darrenr@FreeBSD.org>2004-06-21 22:53:03 +0000
committerDarren Reed <darrenr@FreeBSD.org>2004-06-21 22:53:03 +0000
commit0076f431584bada9a9e1a0ed773415e2def07bfe (patch)
tree8c812415a26f6e084b0a0b81079b87781f9eb672
parent0338547942dd47e06443b736894c70efb7c8a955 (diff)
Notes
-rw-r--r--contrib/ipfilter/Makefile30
-rw-r--r--contrib/ipfilter/ipmon.c18
-rw-r--r--contrib/ipfilter/ipsend/ipsend.511
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c83
-rw-r--r--contrib/ipfilter/man/ipf.514
-rw-r--r--contrib/ipfilter/man/ipf.82
-rw-r--r--contrib/ipfilter/man/ipfstat.84
-rw-r--r--contrib/ipfilter/man/ipmon.86
8 files changed, 124 insertions, 44 deletions
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 7f71f9b94f55..c415800edddf 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -85,7 +85,7 @@ all:
@echo "solaris - auto-selects SunOS4.1.x/Solaris 2.3-6/Solaris2.4-6x86"
@echo "netbsd - compile for NetBSD"
@echo "openbsd - compile for OpenBSD"
- @echo "freebsd - compile for FreeBSD 2.0, 2.1 or earlier"
+ @echo "freebsd20 - compile for FreeBSD 2.0, 2.1 or earlier"
@echo "freebsd22 - compile for FreeBSD-2.2 or greater"
@echo "freebsd3 - compile for FreeBSD-3.x"
@echo "freebsd4 - compile for FreeBSD-4.x"
@@ -124,7 +124,7 @@ freebsd22: include
else \
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
fi
- make freebsd
+ make freebsd20
freebsd4: include
if [ x$INET6 = x ] ; then \
@@ -151,7 +151,7 @@ openbsd openbsd21: include
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
-freebsd freebsd20 freebsd21: include
+freebsd20 freebsd21: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
(cd BSD/$(CPUDIR); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
@@ -289,3 +289,27 @@ null:
exit 1; \
fi
-@echo make ok
+
+test-solaris test-sunos4 test-sunos5: solaris
+ (cd test && make clean && make)
+
+test-freebsd: freebsd
+ (cd test && make clean && make)
+
+test-freebsd22: freebsd22
+ (cd test && make clean && make)
+
+test-freebsd3: freebsd3
+ (cd test && make clean && make)
+
+test-freebsd4: freebsd4
+ (cd test && make clean && make)
+
+test-netbsd: netbsd
+ (cd test && make clean && make)
+
+test-openbsd: openbsd
+ (cd test && make clean && make)
+
+test-irix: irix
+ (cd test && make clean && make)
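Review bot: `test-freebsd: freebsd` depends on a target named `freebsd`, but the hunk at line 151 of this same diff drops `freebsd` from the `freebsd20 freebsd21:` rule and the other references are renamed to `freebsd20`, so `make test-freebsd` will fail with "don't know how to make freebsd" unless another `freebsd` rule exists outside the diff. Either rename the dependency to match, `test-freebsd20: freebsd20`, or keep `freebsd` as an alias of `freebsd20` so existing invocations keep working. The eight new recipes are identical copies of `(cd test && make clean && make)`; since the file targets several vendor makes, a shared plain target (e.g. `run-tests`) that each `test-*` depends on would avoid the repetition without relying on pattern rules.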
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 4f557ef13c8d..79194307fe51 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -994,7 +994,7 @@ int blen;
p = (u_short)ip6->ip6_nxt;
s = (u_32_t *)&ip6->ip6_src;
d = (u_32_t *)&ip6->ip6_dst;
- plen = ntohs(ip6->ip6_plen);
+ plen = hl + ntohs(ip6->ip6_plen);
#else
sprintf(t, "ipv6");
goto printipflog;
@@ -1108,11 +1108,12 @@ int blen;
ipc->ip_hl << 2, i);
t += strlen(t);
if (ipoff & IP_OFFMASK) {
- (void) sprintf(t, " frag %s%s%hu@%hu",
- ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "",
+ (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+ ntohs(ipc->ip_id),
i - (ipc->ip_hl<<2),
- (ipoff & IP_OFFMASK) << 3);
+ (ipoff & IP_OFFMASK) << 3,
+ ipoff & IP_MF ? "+" : "",
+ ipoff & IP_DF ? "-" : "");
}
}
}
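Review bot: The rewritten `sprintf(t, " (frag %d:%hu@%hu%s%s)", ...)` writes the ID (up to five digits) plus parentheses on top of the old text into `t` with no bound, and nothing in the hunk checks the space remaining against `blen`, the length parameter shown in the hunk header for the enclosing function. The old format was already unbounded, so this is not a regression, but since the line is being rewritten anyway it is the natural moment to switch to `snprintf` with the bytes left in the buffer, if the buffer base is reachable from here (the function starts outside the hunk). A short comment above the call noting that `i - (ipc->ip_hl<<2)` is the quoted inner packet's payload length would also help, since `i` is assigned outside the hunk.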
@@ -1123,10 +1124,11 @@ int blen;
hostname(res, v, d), proto, hl, plen);
t += strlen(t);
if (off & IP_OFFMASK)
- (void) sprintf(t, " frag %s%s%hu@%hu",
+ (void) sprintf(t, " (frag %d:%hu@%hu%s%s)",
+ ntohs(ip->ip_id),
+ plen - hl, (off & IP_OFFMASK) << 3,
ipoff & IP_MF ? "+" : "",
- ipoff & IP_DF ? "-" : "",
- plen - hl, (off & IP_OFFMASK) << 3);
+ ipoff & IP_DF ? "-" : "");
}
t += strlen(t);
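Review bot: The new `sprintf` tests and prints the fragment offset from `off` but takes the MF/DF flags from `ipoff`, while the equivalent block at line 1108 uses `ipoff` for all three; if `off` and `ipoff` are different variables (both are defined outside the hunk, and the 1108 block sits between them and may reassign `ipoff` for the inner ICMP-quoted header) the flags printed here may belong to the other header. Using one variable throughout, `off & IP_MF ? "+" : "", off & IP_DF ? "-" : ""`, removes the ambiguity. Both hunks now hand-build the same `" (frag %d:%hu@%hu%s%s)"` string; a small static helper taking id, length, offset and flags would keep the two from drifting apart again. The enclosing function starts outside the hunk.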
diff --git a/contrib/ipfilter/ipsend/ipsend.5 b/contrib/ipfilter/ipsend/ipsend.5
index 1e4e82e4729c..40b186a2b19e 100644
--- a/contrib/ipfilter/ipsend/ipsend.5
+++ b/contrib/ipfilter/ipsend/ipsend.5
@@ -1,3 +1,4 @@
+.\" $FreeBSD$
.TH IPSEND 5
.SH NAME
ipsend \- IP packet description language
@@ -102,7 +103,7 @@ route installed in the kernel.
is used to describe an IP (version 4) packet. IP header fields can be
specified, including options, followed by a data section which may contain
further protocol headers.
-.SH IPV4
+.SH IPv4
.TP
.B hl <number>
manually specifies the IP header length (automatically adjusts with the
@@ -116,7 +117,7 @@ set the type of service (TOS) field in the IP header. Default is 0.
.TP
.B len <number>
manually specifies the length of the IP packet. The length will automatically
-be adjusted to accomodate data or further protocol headers.
+be adjusted to accommodate data or further protocol headers.
.TP
.B off <number>
sets the fragment offset field of the IP packet. Default is 0.
@@ -158,7 +159,7 @@ is used to indicate the a ICMP protocol header is to follow. See the
is used to indicate that raw data is to be included in the IP packet. See the
\fBDATA\fP section for details on options available.
.SH "IPv4 Options"
-these keywords indicate that the releveant IP option should be added to the
+these keywords indicate that the relevant IP option should be added to the
IP header (the header length field will be adjusted appropriately).
.TP
.B nop
@@ -210,7 +211,7 @@ Strict Source Route [RFC 791].
Address Extension
.TP
.B visa
-Expermental Access Control.
+Experimental Access Control.
.TP
.B imitd
IMI Traffic Descriptor.
@@ -314,7 +315,7 @@ bytes with any particular data).
indicates that the string provided should be added to the current packet as
data. A string may be a consecutive list of characters and numbers (with
no white spaces) or bounded by "'s (may not contain them, even if \\'d).
-The \\ charcater is recognised with the appropriate C escaped values, including
+The \\ character is recognised with the appropriate C escaped values, including
octal numbers.
.TP
.B file <filename>
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 8c9be575f9c2..80faef230239 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -25,8 +25,10 @@
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
+#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
+#include <netinet/udp_var.h>
#include <netinet/ip_icmp.h>
#ifndef linux
#include <netinet/ip_var.h>
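Review bot: `#include <netinet/ip_var.h>` is added unconditionally at line 28 although the same header is already included under `#ifndef linux` a few lines later (the last line of this hunk), and `<netinet/udp_var.h>` is likewise a BSD-only header, so on the Linux build that guard exists for both new includes fail. Move both into the existing guarded block, `#ifndef linux` / `#include <netinet/ip_var.h>` / `#include <netinet/udp_var.h>` / `#endif`, and drop the duplicate. If ipsend is no longer expected to build on Linux, remove the guard instead so the intent is explicit rather than leaving two contradictory includes.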
@@ -71,6 +73,7 @@ char default_device[] = "lan0";
static void usage __P((char *));
static void do_icmp __P((ip_t *, char *));
+void udpcksum(ip_t *, struct udphdr *, int);
int main __P((int, char **));
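Review bot: The new prototype `void udpcksum(ip_t *, struct udphdr *, int);` is the only declaration in this group not wrapped in `__P(())`, and unlike `usage` and `do_icmp` it is not `static`, so a file-local helper becomes an exported symbol. `static void udpcksum __P((ip_t *, struct udphdr *, int));` matches its neighbours (the definition further down would need `static` as well). The surrounding K&R-style definitions suggest `__P` is there for pre-ANSI compilers, which this bare prototype would also break.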
@@ -170,6 +173,37 @@ struct in_addr gwip;
return send_packet(wfd, mtu, ip, gwip);
}
+void
+udpcksum(ip_t *ip, struct udphdr *udp, int len)
+{
+ union pseudoh {
+ struct hdr {
+ u_short len;
+ u_char ttl;
+ u_char proto;
+ u_32_t src;
+ u_32_t dst;
+ } h;
+ u_short w[6];
+ } ph;
+ u_32_t temp32;
+ u_short cksum, *opts;
+
+ ph.h.len = htons(len);
+ ph.h.ttl = 0;
+ ph.h.proto = IPPROTO_UDP;
+ ph.h.src = ip->ip_src.s_addr;
+ ph.h.dst = ip->ip_dst.s_addr;
+ temp32 = 0;
+ opts = &ph.w[0];
+ temp32 += opts[0] + opts[1] + opts[2] + opts[3] + opts[4] + opts[5];
+ temp32 = (temp32 >> 16) + (temp32 & 65535);
+ temp32 += (temp32 >> 16);
+ udp->uh_sum = temp32 & 65535;
+ udp->uh_sum = chksum((u_short *)udp, len);
+ if (udp->uh_sum == 0)
+ udp->uh_sum = 0xffff;
+}
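Review bot: `udpcksum` fills the pseudo-header length from its `len` argument (the IP payload length at the call site) rather than from `udp->uh_ulen`, and `uh_ulen` is initialised to `htons(sizeof(*udp))` when the buffer is set up and is not visibly updated when data is appended; if the two disagree the checksum covers a pseudo-header that does not match the UDP header on the wire and receivers will drop the datagram. Either set `udp->uh_ulen = htons(len);` at the top of this function or reject the packet when `ntohs(udp->uh_ulen) != len`. `cksum` is declared and never used, and the `opts` alias adds nothing over indexing `ph.w` directly. A comment such as `/* park the folded pseudo-header sum in uh_sum so chksum() over the datagram absorbs it */` above the `udp->uh_sum = temp32 & 65535;` line would save the next reader from reading the immediate overwrite as a bug.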
int main(argc, argv)
int argc;
@@ -177,8 +211,10 @@ char **argv;
{
FILE *langfile = NULL;
struct tcpiphdr *ti;
+ struct udpiphdr *ui;
struct in_addr gwip;
tcphdr_t *tcp;
+ udphdr_t *udp;
ip_t *ip;
char *name = argv[0], host[MAXHOSTNAMELEN + 1];
char *gateway = NULL, *dev = NULL;
@@ -190,7 +226,10 @@ char **argv;
*/
ip = (ip_t *)calloc(1, 65536);
ti = (struct tcpiphdr *)ip;
+ ui = (struct udpiphdr *)ip;
tcp = (tcphdr_t *)&ti->ti_sport;
+ udp = (udphdr_t *)&ui->ui_sport;
+ ui->ui_ulen = htons(sizeof(*udp));
ip->ip_len = sizeof(*ip);
ip->ip_hl = sizeof(*ip) >> 2;
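Review bot: `ui->ui_ulen = htons(sizeof(*udp));` runs before the protocol is known, and because `ui` and `ti` both alias `ip` (the three preceding lines), it writes into the bytes the TCP layout uses for the high half of `th_seq`; unless the TCP parsing path later overwrites the sequence number (that code is outside the hunk), TCP packets leave with an initial sequence of `0x0008xxxx`. Defer the assignment until `ip->ip_p == IPPROTO_UDP` has been established, for instance next to the `udpcksum` call, or guard it there with `if (ip->ip_p == IPPROTO_UDP)`. main() starts and ends outside the hunk.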
@@ -344,27 +383,35 @@ char **argv;
exit(2);
}
+ if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP) {
+ fprintf(stderr,"Unsupported protocol %d\n", ip->ip_p);
+ exit(2);
+ }
+
if (olen)
{
- caddr_t ipo = (caddr_t)ip;
+ int hlen;
+ char *p;
printf("Options: %d\n", olen);
- ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
- if(!ti)
+ hlen = sizeof(*ip) + olen;
+ ip->ip_hl = hlen >> 2;
+ ip->ip_len += olen;
+ p = (char *)malloc(65536);
+ if(!p)
{
fprintf(stderr,"malloc failed\n");
exit(2);
}
-
- bcopy((char *)ip, (char *)ti, sizeof(*ip));
- ip = (ip_t *)ti;
- ip->ip_hl = (olen >> 2);
- bcopy(options, (char *)(ip + 1), olen);
- bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
- ip->ip_len += olen;
- bcopy((char *)ip, (char *)ipo, ip->ip_len);
- ip = (ip_t *)ipo;
- tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
+ bcopy(ip, p, sizeof(*ip));
+ bcopy(options, p + sizeof(*ip), olen);
+ bcopy(ip + 1, p + hlen, ip->ip_len - hlen);
+ ip = (ip_t *)p;
+ if (ip->ip_p == IPPROTO_TCP) {
+ tcp = (tcphdr_t *)((char *)ip + hlen);
+ } else {
+ udp = (udphdr_t *)((char *)ip + hlen);
+ }
}
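Review bot: `ip->ip_hl = hlen >> 2;` stores `sizeof(*ip) + olen` into a 4-bit field with no check that it fits or is 4-byte aligned: an options string longer than 40 bytes silently truncates `ip_hl`, and one that is not a multiple of 4 drops the remainder, so the header length no longer matches what is copied into `p`. Unless the options parser (outside this hunk) already pads and limits, add before the assignment `if (olen > 40 || (olen & 3)) { fprintf(stderr, "bad options length %d\n", olen); exit(2); }`. The new protocol check at the top of the hunk rejects ICMP even though `do_icmp` is still declared in this file; if ICMP was meant to keep working it should be admitted here. The original 64 KiB buffer is abandoned once `ip` is re-pointed at `p`, which is harmless for a one-shot tool but deserves a one-line comment. main() starts and ends outside the hunk.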
if (ip->ip_p == IPPROTO_TCP)
@@ -401,9 +448,13 @@ char **argv;
printf("Flags: %#x\n", tcp->th_flags);
printf("mtu: %d\n", mtu);
+ if (ip->ip_p == IPPROTO_UDP) {
+ udp->uh_sum = 0;
+ udpcksum(ip, udp, (ip->ip_len) - (ip->ip_hl << 2));
+ }
#ifdef DOSOCKET
- if (tcp->th_dport)
- return do_socket(dev, mtu, ti, gwip);
+ if (ip->ip_p == IPPROTO_TCP && tcp->th_dport)
+ return do_socket(dev, mtu, (struct tcpiphdr *)ip, gwip);
#endif
- return send_packets(dev, mtu, (ip_t *)ti, gwip);
+ return send_packets(dev, mtu, ip, gwip);
}
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index ecd6caf8072f..2f998b539d97 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -1,11 +1,11 @@
.\" $FreeBSD$
.TH IPF 5
.SH NAME
-ipf, ipf.conf \- IP packet filter rule syntax
+ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
.SH DESCRIPTION
.PP
A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parseable rules as output when displaying the internal
+\fBipfstat\fP produces parsable rules as output when displaying the internal
kernel filter lists, it is quite plausible to use its output to feed back
into \fBipf\fP. Thus, to remove all filters on input packets, the following
could be done:
@@ -38,7 +38,7 @@ log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
+froute = "fastroute" | "to" interface-name[":"ipaddr] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" [ "!" ] object "to" [ "!" ] object .
@@ -117,7 +117,7 @@ below).
Filters are installed by default at the end of the kernel's filter
lists, prepending the rule with \fB@n\fP will cause it to be inserted
as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(1) for more
+modifying and testing active filter rulesets. See ipf(8) for more
information.
.SH ACTIONS
.PP
@@ -137,7 +137,7 @@ with a rule which is being applied to TCP packets. When using
\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
the actual unreachable `type'. That is, whether it is a network
unreachable, port unreachable or even administratively
-prohibitied. This is done by enclosing the ICMP code associated with
+prohibited. This is done by enclosing the ICMP code associated with
it in parenthesis directly following \fBreturn-icmp\fP or
\fBreturn-icmp-as-dest\fP as follows:
.nf
@@ -387,7 +387,7 @@ against, e.g.:
.TP
.B icmp-type
is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjuction with \fBflags\fP. There are a number of types, which can be
+in conjunction with \fBflags\fP. There are a number of types, which can be
referred to by an abbreviation recognised by this language, or the numbers
with which they are associated can be used. The most important from
a security point of view is the ICMP redirect.
@@ -428,7 +428,7 @@ indicates that the rule should be put in group (number n) rather than group 0.
.PP
When a packet is logged, with either the \fBlog\fP action or option,
the headers of the packet are written to the \fBipl\fP packet logging
-psuedo-device. Immediately following the \fBlog\fP keyword, the
+pseudo-device. Immediately following the \fBlog\fP keyword, the
following qualifiers may be used (in order):
.TP
.B body
diff --git a/contrib/ipfilter/man/ipf.8 b/contrib/ipfilter/man/ipf.8
index a1f5b061e608..661375a52e3a 100644
--- a/contrib/ipfilter/man/ipf.8
+++ b/contrib/ipfilter/man/ipf.8
@@ -113,7 +113,7 @@ the current interface status list.
.TP
.B \-z
For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zero'd.
+display the statistics prior to them being zeroed.
.TP
.B \-Z
Zero global statistics held in the kernel for filtering only (this doesn't
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index f4e5d5bc1426..e2f38a015757 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -65,7 +65,7 @@ This option is only valid in combination with \fB\-t\fP. Limit the state top
display to show only state entries whose destination IP address and port
match the addport argument. The addrport specification is of the form
ipaddress[,port]. The ipaddress and port should be either numerical or the
-string "any" (specifying any ip address resp. any port). If the \fB\-D\fP
+string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
option is not specified, it defaults to "\fB\-D\fP any,any".
.TP
.B \-f
@@ -141,7 +141,7 @@ kernel.
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
-commandline options can be used to restrict the state entries that will be
+command line options can be used to restrict the state entries that will be
shown and to specify the frequency of display updates.
.PP
In state top mode, the following keys can be used to influence the displayed
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index a559e940db63..d7f94dfab363 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -83,11 +83,11 @@ are displayed to the same output 'device' (stderr or syslog).
.TP
.B \-b
For rules which log the body of a packet, generate hex output representing
-the packet contents afte the headers.
+the packet contents after the headers.
.TP
.B \-D
Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
-of ipmon is not required to turn it into an orphan so it can run indefinately.
+of ipmon is not required to turn it into an orphan so it can run indefinitely.
.TP
.B "\-f <device>"
specify an alternative device/file from which to read the log information
@@ -171,3 +171,5 @@ recorded data.
.SH SEE ALSO
ipl(4), ipf(8), ipfstat(8), ipnat(8)
.\".SH BUGS
+.PP
+If you find any, please send email to me at darrenr@pobox.com