20 files changed, 2931 insertions, 1155 deletions

diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
index dd7c8d3dfc31..dd6dff46d3c9 100644
--- a/sys/netinet/fil.c
+++ b/sys/netinet/fil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -7,6 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-1996 Darren Reed";
+/* static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.16 2000/01/27 08:49:37 darrenr Exp $"; */
 static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
@@ -19,7 +20,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
     defined(_KERNEL)
 # include "opt_ipfilter_log.h"
 #endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
+#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
     (__FreeBSD_version >= 220000)
 # if (__FreeBSD_version >= 400000)
 #  ifndef KLD_MODULE
@@ -76,6 +77,12 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include "netinet/ip_compat.h"
+#ifdef	USE_INET6
+# include <netinet/icmp6.h>
+# if !SOLARIS && defined(_KERNEL)
+#  include <netinet6/in6_var.h>
+# endif
+#endif
 #include <netinet/tcpip.h>
 #include "netinet/ip_fil.h"
 #include "netinet/ip_proxy.h"
@@ -94,23 +101,17 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 #include "netinet/ipl.h"
 
+#include <machine/in_cksum.h>
+
 #ifndef	_KERNEL
 # include "ipf.h"
 # include "ipt.h"
 extern	int	opts;
 
-# define	FR_IFVERBOSE(ex,second,verb_pr)	if (ex) { verbose verb_pr; \
-							  second; }
-# define	FR_IFDEBUG(ex,second,verb_pr)	if (ex) { debug verb_pr; \
-							  second; }
 # define	FR_VERBOSE(verb_pr)			verbose verb_pr
 # define	FR_DEBUG(verb_pr)			debug verb_pr
-# define	SEND_RESET(ip, qif, if, m, fin)		send_reset(ip, if)
 # define	IPLLOG(a, c, d, e)		ipllog()
-# define	FR_NEWAUTH(m, fi, ip, qif)	fr_newauth((mb_t *)m, fi, ip)
 #else /* #ifndef _KERNEL */
-# define	FR_IFVERBOSE(ex,second,verb_pr)	;
-# define	FR_IFDEBUG(ex,second,verb_pr)	;
 # define	FR_VERBOSE(verb_pr)
 # define	FR_DEBUG(verb_pr)
 # define	IPLLOG(a, c, d, e)		ipflog(a, c, d, e)
@@ -129,9 +130,15 @@ extern	kmutex_t	ipf_rw;
 
 struct	filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
 struct	frentry	*ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
+#ifdef	USE_INET6
+		*ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
+		*ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
+#endif
 		*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
 struct	frgroup *ipfgroups[3][2];
-int	fr_flags = IPF_LOGGING, fr_active = 0;
+int	fr_flags = IPF_LOGGING;
+int	fr_active = 0;
+int	fr_chksrc = 0;
 #if defined(IPFILTER_DEFAULT_BLOCK)
 int	fr_pass = FR_NOMATCH|FR_BLOCK;
 #else
@@ -141,7 +148,6 @@ char	ipfilter_version[] = IPL_VERSION;
 
 fr_info_t	frcache[2];
 
-static	int	fr_tcpudpchk __P((frentry_t *, fr_info_t *));
 static	int	frflushlist __P((int, minor_t, int *, frentry_t **));
 #ifdef	_KERNEL
 static	void	frsynclist __P((frentry_t *));
@@ -198,12 +204,12 @@ int hlen;
 ip_t *ip;
 fr_info_t *fin;
 {
-	struct optlist *op;
-	tcphdr_t *tcp;
-	fr_ip_t *fi = &fin->fin_fi;
 	u_short optmsk = 0, secmsk = 0, auth = 0;
-	int i, mv, ol, off;
+	int i, mv, ol, off, p, plen, v;
+	fr_ip_t *fi = &fin->fin_fi;
+	struct optlist *op;
 	u_char *s, opt;
+	tcphdr_t *tcp;
 
 	fin->fin_rev = 0;
 	fin->fin_fr = NULL;
@@ -212,25 +218,59 @@ fr_info_t *fin;
 	fin->fin_data[1] = 0;
 	fin->fin_rule = -1;
 	fin->fin_group = -1;
-	fin->fin_id = ip->ip_id;
 #ifdef	_KERNEL
 	fin->fin_icode = ipl_unreach;
 #endif
-	fi->fi_v = ip->ip_v;
-	fi->fi_tos = ip->ip_tos;
+	v = fin->fin_v;
+	fi->fi_v = v;
 	fin->fin_hlen = hlen;
-	fin->fin_dlen = ip->ip_len - hlen;
-	tcp = (tcphdr_t *)((char *)ip + hlen);
+	if (v == 4) {
+		fin->fin_id = ip->ip_id;
+		fi->fi_tos = ip->ip_tos;
+		off = (ip->ip_off & IP_OFFMASK) << 3;
+		tcp = (tcphdr_t *)((char *)ip + hlen);
+		(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
+		fi->fi_src.i6[1] = 0;
+		fi->fi_src.i6[2] = 0;
+		fi->fi_src.i6[3] = 0;
+		fi->fi_dst.i6[1] = 0;
+		fi->fi_dst.i6[2] = 0;
+		fi->fi_dst.i6[3] = 0;
+		fi->fi_saddr = ip->ip_src.s_addr;
+		fi->fi_daddr = ip->ip_dst.s_addr;
+		p = ip->ip_p;
+		fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
+		if (ip->ip_off & 0x3fff)
+			fi->fi_fl |= FI_FRAG;
+		plen = ip->ip_len;
+		fin->fin_dlen = plen - hlen;
+	}
+#ifdef	USE_INET6
+	else if (v == 6) {
+		ip6_t *ip6 = (ip6_t *)ip;
+
+		off = 0;
+		p = ip6->ip6_nxt;
+		fi->fi_p = p;
+		fi->fi_ttl = ip6->ip6_hlim;
+		tcp = (tcphdr_t *)(ip6 + 1);
+		fi->fi_src.in6 = ip6->ip6_src;
+		fi->fi_dst.in6 = ip6->ip6_dst;
+		fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
+		fi->fi_tos = 0;
+		fi->fi_fl = 0;
+		plen = ntohs(ip6->ip6_plen);
+		fin->fin_dlen = plen;
+	}
+#endif
+	else
+		return;
+
+	fin->fin_off = off;
+	fin->fin_plen = plen;
 	fin->fin_dp = (void *)tcp;
-	(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
-	fi->fi_src.s_addr = ip->ip_src.s_addr;
-	fi->fi_dst.s_addr = ip->ip_dst.s_addr;
 
-	fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
-	off = (ip->ip_off & IP_OFFMASK) << 3;
-	if (ip->ip_off & 0x3fff)
-		fi->fi_fl |= FI_FRAG;
-	switch (ip->ip_p)
+	switch (p)
 	{
 	case IPPROTO_ICMP :
 	{
@@ -242,13 +282,19 @@ fr_info_t *fin;
 		if (!off && (icmp->icmp_type == ICMP_ECHOREPLY ||
 		     icmp->icmp_type == ICMP_ECHO))
 			minicmpsz = ICMP_MINLEN;
-		if (!off && (icmp->icmp_type == ICMP_TSTAMP ||
-		     icmp->icmp_type == ICMP_TSTAMPREPLY))
-			minicmpsz = 20; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */
-		if (!off && (icmp->icmp_type == ICMP_MASKREQ ||
-		     icmp->icmp_type == ICMP_MASKREPLY))
-			minicmpsz = 12; /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */
-		if ((!(ip->ip_len >= hlen + minicmpsz) && !off) ||
+
+		/* type(1) + code(1) + cksum(2) + id(2) seq(2) +
+		 * 3*timestamp(3*4) */
+		else if (!off && (icmp->icmp_type == ICMP_TSTAMP ||
+		    icmp->icmp_type == ICMP_TSTAMPREPLY))
+			minicmpsz = 20;
+
+		/* type(1) + code(1) + cksum(2) + id(2) seq(2) + mask(4) */
+		else if (!off && (icmp->icmp_type == ICMP_MASKREQ ||
+		    icmp->icmp_type == ICMP_MASKREPLY))
+			minicmpsz = 12;
+
+		if ((!(plen >= hlen + minicmpsz) && !off) ||
 		    (off && off < sizeof(struct icmp)))
 			fi->fi_fl |= FI_SHORT;
 		if (fin->fin_dlen > 1)
@@ -257,17 +303,33 @@ fr_info_t *fin;
 	}
 	case IPPROTO_TCP :
 		fi->fi_fl |= FI_TCPUDP;
-		if ((!IPMINLEN(ip, tcphdr) && !off) ||
-		    (off && off < sizeof(struct tcphdr)))
-			fi->fi_fl |= FI_SHORT;
+#ifdef	USE_INET6
+		if (v == 6) {
+			if (plen < sizeof(struct tcphdr))
+				fi->fi_fl |= FI_SHORT;
+		} else
+#endif
+		if (v == 4) {
+			if ((!IPMINLEN(ip, tcphdr) && !off) ||
+			     (off && off < sizeof(struct tcphdr)))
+				fi->fi_fl |= FI_SHORT;
+		}
 		if (!(fi->fi_fl & FI_SHORT) && !off)
 			fin->fin_tcpf = tcp->th_flags;
 		goto getports;
 	case IPPROTO_UDP :
 		fi->fi_fl |= FI_TCPUDP;
-		if ((!IPMINLEN(ip, udphdr) && !off) ||
-		    (off && off < sizeof(struct udphdr)))
-			fi->fi_fl |= FI_SHORT;
+#ifdef	USE_INET6
+		if (v == 6) {
+			if (plen < sizeof(struct udphdr))
+				fi->fi_fl |= FI_SHORT;
+		} else
+#endif
+		if (v == 4) {
+			if ((!IPMINLEN(ip, udphdr) && !off) ||
+			    (off && off < sizeof(struct udphdr)))
+				fi->fi_fl |= FI_SHORT;
+		}
 getports:
 		if (!off && (fin->fin_dlen > 3)) {
 			fin->fin_data[0] = ntohs(tcp->th_sport);
@@ -278,6 +340,14 @@ getports:
 		break;
 	}
 
+#ifdef	USE_INET6
+	if (v == 6) {
+		fi->fi_optmsk = 0;
+		fi->fi_secmsk = 0;
+		fi->fi_auth = 0;
+		return;
+	}
+#endif
 
 	for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
 		opt = *s;
@@ -338,8 +408,8 @@ getports:
 /*
  * check an IP packet for TCP/UDP characteristics such as ports and flags.
  */
-static int fr_tcpudpchk(fr, fin)
-frentry_t *fr;
+int fr_tcpudpchk(ft, fin)
+frtuc_t *ft;
 fr_info_t *fin;
 {
 	register u_short po, tup;
@@ -352,8 +422,8 @@ fr_info_t *fin;
 	 *
 	 * compare destination ports
 	 */
-	if ((i = (int)fr->fr_dcmp)) {
-		po = fr->fr_dport;
+	if ((i = (int)ft->ftu_dcmp)) {
+		po = ft->ftu_dport;
 		tup = fin->fin_data[1];
 		/*
 		 * Do opposite test to that required and
@@ -372,17 +442,17 @@ fr_info_t *fin;
 		else if (!--i && tup < po) /* GT or EQ */
 			err = 0;
 		else if (!--i &&	   /* Out of range */
-			 (tup >= po && tup <= fr->fr_dtop))
+			 (tup >= po && tup <= ft->ftu_dtop))
 			err = 0;
 		else if (!--i &&	   /* In range */
-			 (tup <= po || tup >= fr->fr_dtop))
+			 (tup <= po || tup >= ft->ftu_dtop))
 			err = 0;
 	}
 	/*
 	 * compare source ports
 	 */
-	if (err && (i = (int)fr->fr_scmp)) {
-		po = fr->fr_sport;
+	if (err && (i = (int)ft->ftu_scmp)) {
+		po = ft->ftu_sport;
 		tup = fin->fin_data[0];
 		if (!--i && tup != po)
 			err = 0;
@@ -397,10 +467,10 @@ fr_info_t *fin;
 		else if (!--i && tup < po)
 			err = 0;
 		else if (!--i &&	   /* Out of range */
-			 (tup >= po && tup <= fr->fr_stop))
+			 (tup >= po && tup <= ft->ftu_stop))
 			err = 0;
 		else if (!--i &&	   /* In range */
-			 (tup <= po || tup >= fr->fr_stop))
+			 (tup <= po || tup >= ft->ftu_stop))
 			err = 0;
 	}
 
@@ -412,14 +482,14 @@ fr_info_t *fin;
 	 */
 	if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
 		if (fin->fin_fi.fi_fl & FI_SHORT)
-			return !(fr->fr_tcpf | fr->fr_tcpfm);
+			return !(ft->ftu_tcpf | ft->ftu_tcpfm);
 		/*
 		 * Match the flags ?  If not, abort this match.
 		 */
-		if (fr->fr_tcpfm &&
-		    fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
+		if (ft->ftu_tcpfm &&
+		    ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
 			FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
-				 fr->fr_tcpfm, fr->fr_tcpf));
+				 ft->ftu_tcpfm, ft->ftu_tcpf));
 			err = 0;
 		}
 	}
@@ -446,7 +516,10 @@ void *m;
 	fin->fin_fr = NULL;
 	fin->fin_rule = 0;
 	fin->fin_group = 0;
-	off = ip->ip_off & IP_OFFMASK;
+	if (fin->fin_v == 4)
+		off = ip->ip_off & IP_OFFMASK;
+	else
+		off = 0;
 	pass |= (fi->fi_fl << 24);
 
 	if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
@@ -490,23 +563,77 @@ void *m;
 			lip = (u_32_t *)fi;
 			lm = (u_32_t *)&fr->fr_mip;
 			ld = (u_32_t *)&fr->fr_ip;
-			i = ((lip[0] & lm[0]) != ld[0]);
-			FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
-				   lip[0], lm[0], ld[0]));
-			i |= ((lip[1] & lm[1]) != ld[1]) << 19;
+			i = ((*lip & *lm) != *ld);
+			FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
+				   *lip, *lm, *ld));
+			if (i)
+				continue;
+			/*
+			 * We now know whether the packet version and the
+			 * rule version match, along with protocol, ttl and
+			 * tos.
+			 */
+			lip++, lm++, ld++;
+			/*
+			 * Unrolled loops (4 each, for 32 bits).
+			 */
+			i |= ((*lip & *lm) != *ld) << 19;
+			FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
+				   *lip, *lm, *ld));
+			if (fi->fi_v == 6) {
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 19;
+				FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 19;
+				FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 19;
+				FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+			} else {
+				lip += 3;
+				lm += 3;
+				ld += 3;
+			}
 			i ^= (fr->fr_flags & FR_NOTSRCIP);
-			FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
-				   lip[1], lm[1], ld[1]));
-			i |= ((lip[2] & lm[2]) != ld[2]) << 20;
+			if (i)
+				continue;
+			lip++, lm++, ld++;
+			i |= ((*lip & *lm) != *ld) << 20;
+			FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
+				   *lip, *lm, *ld));
+			if (fi->fi_v == 6) {
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 20;
+				FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 20;
+				FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+				lip++, lm++, ld++;
+				i |= ((*lip & *lm) != *ld) << 20;
+				FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
+					   *lip, *lm, *ld));
+			} else {
+				lip += 3;
+				lm += 3;
+				ld += 3;
+			}
 			i ^= (fr->fr_flags & FR_NOTDSTIP);
-			FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
-				   lip[2], lm[2], ld[2]));
-			i |= ((lip[3] & lm[3]) != ld[3]);
-			FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
-				   lip[3], lm[3], ld[3]));
-			i |= ((lip[4] & lm[4]) != ld[4]);
-			FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
-				   lip[4], lm[4], ld[4]));
+			if (i)
+				continue;
+			lip++, lm++, ld++;
+			i |= ((*lip & *lm) != *ld);
+			FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
+				   *lip, *lm, *ld));
+			lip++, lm++, ld++;
+			i |= ((*lip & *lm) != *ld);
+			FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
+				   *lip, *lm, *ld));
 			if (i)
 				continue;
 		}
@@ -519,7 +646,7 @@ void *m;
 				 fr->fr_tcpfm))
 			continue;
 		if (fi->fi_fl & FI_TCPUDP) {
-			if (!fr_tcpudpchk(fr, fin))
+			if (!fr_tcpudpchk(&fr->fr_tuc, fin))
 				continue;
 		} else if (fr->fr_icmpm || fr->fr_icmp) {
 			if ((fi->fi_p != IPPROTO_ICMP) || off ||
@@ -546,16 +673,18 @@ void *m;
 #ifdef  IPFILTER_LOG
 		if ((passt & FR_LOGMASK) == FR_LOG) {
 			if (!IPLLOG(passt, ip, fin, m)) {
-				ATOMIC_INC(frstats[fin->fin_out].fr_skip);
+				if (passt & FR_LOGORBLOCK)
+					passt |= FR_BLOCK|FR_QUICK;
+				ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
 			}
-			ATOMIC_INC(frstats[fin->fin_out].fr_pkl);
+			ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
 			logged = 1;
 		}
 #endif /* IPFILTER_LOG */
 		if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
 			pass = passt;
 		FR_DEBUG(("pass %#x\n", pass));
-		ATOMIC_INC(fr->fr_hits);
+		ATOMIC_INCL(fr->fr_hits);
 		if (pass & FR_ACCOUNT)
 			fr->fr_bytes += (U_QUAD_T)ip->ip_len;
 		else
@@ -605,8 +734,8 @@ int out;
 	 */
 	fr_info_t frinfo, *fc;
 	register fr_info_t *fin = &frinfo;
-	frentry_t *fr = NULL;
-	int changed, error = EHOSTUNREACH;
+	int changed, error = EHOSTUNREACH, v = ip->ip_v;
+	frentry_t *fr = NULL, *list;
 	u_32_t pass, apass;
 #if !SOLARIS || !defined(_KERNEL)
 	register mb_t *m = *mp;
@@ -628,7 +757,7 @@ int out;
 	 */
 	m->m_flags &= ~M_CANFASTFWD;
 #  endif /* M_CANFASTFWD */
-
+#  ifdef CSUM_DELAY_DATA
 	/*
 	 * disable delayed checksums.
 	 */
@@ -636,6 +765,8 @@ int out;
 		in_delayed_cksum(m);
 		m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
 	}
+#  endif /* CSUM_DELAY_DATA */
+
 
 	if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
 	     ip->ip_p == IPPROTO_ICMP)) {
@@ -661,19 +792,19 @@ int out;
 #  ifdef __sgi
 	/* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
 			if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
-				ATOMIC_INC(frstats[out].fr_pull[1]);
+				ATOMIC_INCL(frstats[out].fr_pull[1]);
 				return -1;
 			}
 			m_copydata(m, 0, up, hbuf);
-			ATOMIC_INC(frstats[out].fr_pull[0]);
+			ATOMIC_INCL(frstats[out].fr_pull[0]);
 			ip = (ip_t *)hbuf;
 #  else /* __ sgi */
 #   ifndef linux
 			if ((*mp = m_pullup(m, up)) == 0) {
-				ATOMIC_INC(frstats[out].fr_pull[1]);
+				ATOMIC_INCL(frstats[out].fr_pull[1]);
 				return -1;
 			} else {
-				ATOMIC_INC(frstats[out].fr_pull[0]);
+				ATOMIC_INCL(frstats[out].fr_pull[0]);
 				m = *mp;
 				ip = mtod(m, ip_t *);
 			}
@@ -692,24 +823,43 @@ int out;
 	fin->fin_qfm = m;
 	fin->fin_qif = qif;
 # endif
+# ifdef	USE_INET6
+	if (v == 6) {
+		ATOMIC_INCL(frstats[0].fr_ipv6[out]);
+	} else
+# endif
+		if (!out && fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
+			ATOMIC_INCL(frstats[0].fr_badsrc);
+#  if !SOLARIS
+			m_freem(m);
+#  endif
+			return error;
+		}
 #endif /* _KERNEL */
-
+	
 	/*
 	 * Be careful here: ip_id is in network byte order when called
 	 * from ip_output()
 	 */
-	if (out)
+	if ((out) && (v == 4))
 		ip->ip_id = ntohs(ip->ip_id);
-	fr_makefrip(hlen, ip, fin);
+
+	changed = 0;
+	fin->fin_v = v;
 	fin->fin_ifp = ifp;
 	fin->fin_out = out;
 	fin->fin_mp = mp;
+	fr_makefrip(hlen, ip, fin);
 	pass = fr_pass;
 
+	if (fin->fin_fi.fi_fl & FI_SHORT) {
+		ATOMIC_INCL(frstats[out].fr_short);
+	}
+
 	READ_ENTER(&ipf_mutex);
 
 	if (fin->fin_fi.fi_fl & FI_SHORT)
-		ATOMIC_INC(frstats[out].fr_short);
+		ATOMIC_INCL(frstats[out].fr_short);
 	
 	/*
 	 * Check auth now.  This, combined with the check below to see if apass
@@ -721,10 +871,16 @@ int out;
 	apass = fr_checkauth(ip, fin);
 
 	if (!out) {
+#ifdef	USE_INET6
+		if (v == 6)
+			list = ipacct6[0][fr_active];
+		else
+#endif
+			list = ipacct[0][fr_active];
 		changed = ip_natin(ip, fin);
-		if (!apass && (fin->fin_fr = ipacct[0][fr_active]) &&
+		if (!apass && (fin->fin_fr = list) &&
 		    (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
-			ATOMIC_INC(frstats[0].fr_acct);
+			ATOMIC_INCL(frstats[0].fr_acct);
 		}
 	}
 
@@ -743,19 +899,25 @@ int out;
 				 * earlier.
 				 */
 				bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
-				ATOMIC_INC(frstats[out].fr_chit);
+				ATOMIC_INCL(frstats[out].fr_chit);
 				if ((fr = fin->fin_fr)) {
-					ATOMIC_INC(fr->fr_hits);
+					ATOMIC_INCL(fr->fr_hits);
 					pass = fr->fr_flags;
 				}
 			} else {
-				if ((fin->fin_fr = ipfilter[out][fr_active]))
+#ifdef	USE_INET6
+				if (v == 6)
+					list = ipfilter6[out][fr_active];
+				else
+#endif
+					list = ipfilter[out][fr_active];
+				if ((fin->fin_fr = list))
 					pass = fr_scanlist(fr_pass, ip, fin, m);
 				if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
 					bcopy((char *)fin, (char *)fc,
 					      FI_COPYSIZE);
 				if (pass & FR_NOMATCH) {
-					ATOMIC_INC(frstats[out].fr_nom);
+					ATOMIC_INCL(frstats[out].fr_nom);
 				}
 			}
 			fr = fin->fin_fr;
@@ -768,7 +930,7 @@ int out;
 		 * then pretend we've dropped it already.
 		 */
 		if ((pass & FR_AUTH))
-			if (FR_NEWAUTH(m, fin, ip, qif) != 0)
+			if (fr_newauth((mb_t *)m, fin, ip) != 0)
 #ifdef	_KERNEL
 				m = *mp = NULL;
 #else
@@ -779,9 +941,9 @@ int out;
 			READ_ENTER(&ipf_auth);
 			if ((fin->fin_fr = ipauth) &&
 			    (pass = fr_scanlist(0, ip, fin, m))) {
-				ATOMIC_INC(fr_authstats.fas_hits);
+				ATOMIC_INCL(fr_authstats.fas_hits);
 			} else {
-				ATOMIC_INC(fr_authstats.fas_miss);
+				ATOMIC_INCL(fr_authstats.fas_miss);
 			}
 			RWLOCK_EXIT(&ipf_auth);
 		}
@@ -790,19 +952,19 @@ int out;
 		if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
 			if (fin->fin_fi.fi_fl & FI_FRAG) {
 				if (ipfr_newfrag(ip, fin, pass) == -1) {
-					ATOMIC_INC(frstats[out].fr_bnfr);
+					ATOMIC_INCL(frstats[out].fr_bnfr);
 				} else {
-					ATOMIC_INC(frstats[out].fr_nfr);
+					ATOMIC_INCL(frstats[out].fr_nfr);
 				}
 			} else {
-				ATOMIC_INC(frstats[out].fr_cfr);
+				ATOMIC_INCL(frstats[out].fr_cfr);
 			}
 		}
 		if (pass & FR_KEEPSTATE) {
 			if (fr_addstate(ip, fin, 0) == NULL) {
-				ATOMIC_INC(frstats[out].fr_bads);
+				ATOMIC_INCL(frstats[out].fr_bads);
 			} else {
-				ATOMIC_INC(frstats[out].fr_ads);
+				ATOMIC_INCL(frstats[out].fr_ads);
 			}
 		}
 	} else if (fr != NULL) {
@@ -830,7 +992,7 @@ int out;
 			list = ipacct[1][fr_active];
 		if ((fin->fin_fr = list) &&
 		    (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
-			ATOMIC_INC(frstats[1].fr_acct);
+			ATOMIC_INCL(frstats[1].fr_acct);
 		}
 		fin->fin_fr = fr;
 		changed = ip_natout(ip, fin);
@@ -842,22 +1004,22 @@ int out;
 	if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
 		if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
 			pass |= FF_LOGNOMATCH;
-			ATOMIC_INC(frstats[out].fr_npkl);
+			ATOMIC_INCL(frstats[out].fr_npkl);
 			goto logit;
 		} else if (((pass & FR_LOGMASK) == FR_LOGP) ||
 		    ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
 			if ((pass & FR_LOGMASK) != FR_LOGP)
 				pass |= FF_LOGPASS;
-			ATOMIC_INC(frstats[out].fr_ppkl);
+			ATOMIC_INCL(frstats[out].fr_ppkl);
 			goto logit;
 		} else if (((pass & FR_LOGMASK) == FR_LOGB) ||
 			   ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
 			if ((pass & FR_LOGMASK) != FR_LOGB)
 				pass |= FF_LOGBLOCK;
-			ATOMIC_INC(frstats[out].fr_bpkl);
+			ATOMIC_INCL(frstats[out].fr_bpkl);
 logit:
 			if (!IPLLOG(pass, ip, fin, m)) {
-				ATOMIC_INC(frstats[out].fr_skip);
+				ATOMIC_INCL(frstats[out].fr_skip);
 				if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
 				    (FR_PASS|FR_LOGORBLOCK))
 					pass ^= FR_PASS|FR_BLOCK;
@@ -866,7 +1028,7 @@ logit:
 	}
 #endif /* IPFILTER_LOG */
 
-	if (out)
+	if ((out) && (v == 4))
 		ip->ip_id = htons(ip->ip_id);
 
 #ifdef	_KERNEL
@@ -887,9 +1049,9 @@ logit:
 # endif
 #endif
 	if (pass & FR_PASS) {
-		ATOMIC_INC(frstats[out].fr_pass);
+		ATOMIC_INCL(frstats[out].fr_pass);
 	} else if (pass & FR_BLOCK) {
-		ATOMIC_INC(frstats[out].fr_block);
+		ATOMIC_INCL(frstats[out].fr_block);
 		/*
 		 * Should we return an ICMP packet to indicate error
 		 * status passing through the packet filter ?
@@ -901,37 +1063,31 @@ logit:
 		if (!out) {
 #ifdef	_KERNEL
 			if (pass & FR_RETICMP) {
-				struct in_addr dst;
+				int dst;
 
 				if ((pass & FR_RETMASK) == FR_FAKEICMP)
-					dst = ip->ip_dst;
+					dst = 1;
 				else
-					dst.s_addr = 0;
-# if SOLARIS
-				ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
-					   qif, dst);
-# else
-				ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
-					   ifp, dst);
-# endif
-				ATOMIC_INC(frstats[0].fr_ret);
+					dst = 0;
+				send_icmp_err(ip, ICMP_UNREACH, fin, dst);
+				ATOMIC_INCL(frstats[0].fr_ret);
 			} else if (((pass & FR_RETMASK) == FR_RETRST) &&
 				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
-				if (SEND_RESET(ip, qif, ifp, fin) == 0) {
-					ATOMIC_INC(frstats[1].fr_ret);
+				if (send_reset(ip, fin) == 0) {
+					ATOMIC_INCL(frstats[1].fr_ret);
 				}
 			}
 #else
 			if ((pass & FR_RETMASK) == FR_RETICMP) {
 				verbose("- ICMP unreachable sent\n");
-				ATOMIC_INC(frstats[0].fr_ret);
+				ATOMIC_INCL(frstats[0].fr_ret);
 			} else if ((pass & FR_RETMASK) == FR_FAKEICMP) {
 				verbose("- forged ICMP unreachable sent\n");
-				ATOMIC_INC(frstats[0].fr_ret);
+				ATOMIC_INCL(frstats[0].fr_ret);
 			} else if (((pass & FR_RETMASK) == FR_RETRST) &&
 				   !(fin->fin_fi.fi_fl & FI_SHORT)) {
 				verbose("- TCP RST sent\n");
-				ATOMIC_INC(frstats[1].fr_ret);
+				ATOMIC_INCL(frstats[1].fr_ret);
 			}
 #endif
 		} else {
@@ -947,6 +1103,10 @@ logit:
 	 * Once we're finished return to our caller, freeing the packet if
 	 * we are dropping it (* BSD ONLY *).
 	 */
+	if ((changed == -1) && (pass & FR_PASS)) {
+		pass &= ~FR_PASS;
+		pass |= FR_BLOCK;
+	}
 #if defined(_KERNEL)
 # if !SOLARIS
 #  if !defined(linux)
@@ -1310,8 +1470,7 @@ out:
 
 
 frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
-u_int num;
-u_32_t flags;
+u_32_t num, flags;
 minor_t which;
 int set;
 frgroup_t ***fgpp;
@@ -1340,7 +1499,7 @@ frgroup_t ***fgpp;
 
 
 frgroup_t *fr_addgroup(num, fp, which, set)
-u_int num;
+u_32_t num;
 frentry_t *fp;
 minor_t which;
 int set;
@@ -1352,7 +1511,7 @@ int set;
 
 	KMALLOC(fg, frgroup_t *);
 	if (fg) {
-		fg->fg_num = num & 0xffff;
+		fg->fg_num = num;
 		fg->fg_next = *fgp;
 		fg->fg_head = fp;
 		fg->fg_start = &fp->fr_grp;
@@ -1363,8 +1522,7 @@ int set;
 
 
 void fr_delgroup(num, flags, which, set)
-u_int num;
-u_32_t flags;
+u_32_t num, flags;
 minor_t which;
 int set;
 {
@@ -1402,11 +1560,11 @@ frentry_t **listp;
 			MUTEX_EXIT(&ipf_rw);
 		}
 
-		ATOMIC_DEC(fp->fr_ref);
+		ATOMIC_DEC32(fp->fr_ref);
 		if (fp->fr_grhead) {
-			fr_delgroup((u_int)fp->fr_grhead, fp->fr_flags, 
+			fr_delgroup(fp->fr_grhead, fp->fr_flags, 
 				    unit, set);
-			fp->fr_grhead = NULL;
+			fp->fr_grhead = 0;
 		}
 		if (fp->fr_ref == 0) {
 			KFREE(fp);
@@ -1435,10 +1593,18 @@ int flags;
 		set = 1 - set;
 
 	if (flags & FR_OUTQUE) {
+#ifdef	USE_INET6
+		(void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]);
+		(void) frflushlist(set, unit, &flushed, &ipacct6[1][set]);
+#endif
 		(void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
 		(void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
 	}
 	if (flags & FR_INQUE) {
+#ifdef	USE_INET6
+		(void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]);
+		(void) frflushlist(set, unit, &flushed, &ipacct6[0][set]);
+#endif
 		(void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
 		(void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
 	}
@@ -1517,10 +1683,14 @@ u_32_t	ip;
 /*
  * return the first IP Address associated with an interface
  */
-int fr_ifpaddr(ifptr, inp)
+int fr_ifpaddr(v, ifptr, inp)
+int v;
 void *ifptr;
 struct in_addr *inp;
 {
+# ifdef	USE_INET6
+	struct in6_addr *inp6 = NULL;
+# endif
 # if SOLARIS
 	ill_t *ill = ifptr;
 # else
@@ -1529,13 +1699,30 @@ struct in_addr *inp;
 	struct in_addr in;
 
 # if SOLARIS
-	in.s_addr = ill->ill_ipif->ipif_local_addr;
+#  ifdef	USE_INET6
+	if (v == 6) {
+		struct in6_addr in6;
+
+		/*
+		 * First is always link local.
+		 */
+		if (ill->ill_ipif->ipif_next)
+			in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
+		else
+			bzero((char *)&in6, sizeof(in6));
+		bcopy((char *)&in6, (char *)inp, sizeof(in6));
+	} else
+#  endif
+	{
+		in.s_addr = ill->ill_ipif->ipif_local_addr;
+		*inp = in;
+	}
 # else /* SOLARIS */
 #  if linux
 	;
 #  else /* linux */
-	struct ifaddr *ifa;
 	struct sockaddr_in *sin;
+	struct ifaddr *ifa;
 
 #   if	(__FreeBSD_version >= 300000)
 	ifa = TAILQ_FIRST(&ifp->if_addrhead);
@@ -1554,8 +1741,17 @@ struct in_addr *inp;
 	sin = (struct sockaddr_in *)&ifa->ifa_addr;
 #   else
 	sin = (struct sockaddr_in *)ifa->ifa_addr;
-	while (sin && ifa &&
-	       sin->sin_family != AF_INET) {
+	while (sin && ifa) {
+		if ((v == 4) && (sin->sin_family == AF_INET))
+			break;
+#    ifdef USE_INET6
+		if ((v == 6) && (sin->sin_family == AF_INET6)) {
+			inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
+			if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
+			    !IN6_IS_ADDR_LOOPBACK(inp6))
+				break;
+		}
+#    endif
 #    if	(__FreeBSD_version >= 300000)
 		ifa = TAILQ_NEXT(ifa, ifa_link);
 #    else
@@ -1573,10 +1769,17 @@ struct in_addr *inp;
 	if (sin == NULL)
 		return -1;
 #   endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
-	in = sin->sin_addr;
+#    ifdef	USE_INET6
+	if (v == 6)
+		bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
+	else
+#    endif
+	{
+		in = sin->sin_addr;
+		*inp = in;
+	}
 #  endif /* linux */
 # endif /* SOLARIS */
-	*inp = in;
 	return 0;
 }
 
@@ -1586,7 +1789,7 @@ register frentry_t *fr;
 {
 	for (; fr; fr = fr->fr_next) {
 		if (fr->fr_ifa != NULL) {
-			fr->fr_ifa = GETUNIT(fr->fr_ifname);
+			fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_ip.fi_v);
 			if (fr->fr_ifa == NULL)
 				fr->fr_ifa = (void *)-1;
 		}
@@ -1598,9 +1801,9 @@ register frentry_t *fr;
 
 void frsync()
 {
+# if !SOLARIS
 	register struct ifnet *ifp;
 
-# if !SOLARIS
 #  if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
      (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
 #   if (NetBSD >= 199905) || defined(__OpenBSD__)
@@ -1623,19 +1826,197 @@ void frsync()
 	frsynclist(ipacct[1][fr_active]);
 	frsynclist(ipfilter[0][fr_active]);
 	frsynclist(ipfilter[1][fr_active]);
+#ifdef	USE_INET6
+	frsynclist(ipacct6[0][fr_active]);
+	frsynclist(ipacct6[1][fr_active]);
+	frsynclist(ipfilter6[0][fr_active]);
+	frsynclist(ipfilter6[1][fr_active]);
+#endif
 	RWLOCK_EXIT(&ipf_mutex);
 }
 
+
+/*
+ * In the functions below, bcopy() is called because the pointer being
+ * copied _from_ in this instance is a pointer to a char buf (which could
+ * end up being unaligned) and on the kernel's local stack.
+ */
+int ircopyptr(a, b, c)
+void *a, *b;
+size_t c;
+{
+	caddr_t ca;
+	int err;
+
+#if SOLARIS
+	copyin(a, &ca, sizeof(ca));
 #else
+	bcopy(a, &ca, sizeof(ca));
+#endif
+	err = copyin(ca, b, c);
+	return err;
+}
+
+
+int iwcopyptr(a, b, c)
+void *a, *b;
+size_t c;
+{
+	caddr_t ca;
+	int err;
+
+#if SOLARIS
+	copyin(b, &ca, sizeof(ca));
+#else
+	bcopy(b, &ca, sizeof(ca));
+#endif
+	err = copyout(a, ca, c);
+	return err;
+}
+
+#else /* _KERNEL */
 
 
 /*
  * return the first IP Address associated with an interface
  */
-int fr_ifpaddr(ifptr, inp)
+int fr_ifpaddr(v, ifptr, inp)
+int v;
 void *ifptr;
 struct in_addr *inp;
 {
 	return 0;
 }
-#endif       
+
+
+int ircopyptr(a, b, c)
+void *a, *b;
+size_t c;
+{
+	caddr_t ca;
+
+	bcopy(a, &ca, sizeof(ca));
+	bcopy(ca, b, c);
+	return 0;
+}
+
+
+int iwcopyptr(a, b, c)
+void *a, *b;
+size_t c;
+{
+	caddr_t ca;
+
+	bcopy(b, &ca, sizeof(ca));
+	bcopy(a, ca, c);
+	return 0;
+}
+
+
+#endif
+
+
+int fr_lock(data, lockp)
+caddr_t data;
+int *lockp;
+{
+	int arg, error;
+
+	error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+	if (!error) {
+		error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
+		if (!error)
+			*lockp = arg;
+	}
+	return error;
+}
+
+
+void fr_getstat(fiop)
+friostat_t *fiop;
+{
+	bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
+	fiop->f_locks[0] = fr_state_lock;
+	fiop->f_locks[1] = fr_nat_lock;
+	fiop->f_locks[2] = fr_frag_lock;
+	fiop->f_locks[3] = fr_auth_lock;
+	fiop->f_fin[0] = ipfilter[0][0];
+	fiop->f_fin[1] = ipfilter[0][1];
+	fiop->f_fout[0] = ipfilter[1][0];
+	fiop->f_fout[1] = ipfilter[1][1];
+	fiop->f_acctin[0] = ipacct[0][0];
+	fiop->f_acctin[1] = ipacct[0][1];
+	fiop->f_acctout[0] = ipacct[1][0];
+	fiop->f_acctout[1] = ipacct[1][1];
+#ifdef	USE_INET6
+	fiop->f_fin6[0] = ipfilter6[0][0];
+	fiop->f_fin6[1] = ipfilter6[0][1];
+	fiop->f_fout6[0] = ipfilter6[1][0];
+	fiop->f_fout6[1] = ipfilter6[1][1];
+	fiop->f_acctin6[0] = ipacct6[0][0];
+	fiop->f_acctin6[1] = ipacct6[0][1];
+	fiop->f_acctout6[0] = ipacct6[1][0];
+	fiop->f_acctout6[1] = ipacct6[1][1];
+#endif
+	fiop->f_active = fr_active;
+	fiop->f_froute[0] = ipl_frouteok[0];
+	fiop->f_froute[1] = ipl_frouteok[1];
+
+	fiop->f_running = fr_running;
+	fiop->f_groups[0][0] = ipfgroups[0][0];
+	fiop->f_groups[0][1] = ipfgroups[0][1];
+	fiop->f_groups[1][0] = ipfgroups[1][0];
+	fiop->f_groups[1][1] = ipfgroups[1][1];
+	fiop->f_groups[2][0] = ipfgroups[2][0];
+	fiop->f_groups[2][1] = ipfgroups[2][1];
+#ifdef  IPFILTER_LOG
+	fiop->f_logging = 1;
+#else
+	fiop->f_logging = 0;
+#endif
+	fiop->f_defpass = fr_pass;
+	strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
+}
+
+
+#ifdef	USE_INET6
+int icmptoicmp6types[ICMP_MAXTYPE+1] = {
+	ICMP6_ECHO_REPLY,	/* 0: ICMP_ECHOREPLY */
+	-1,			/* 1: UNUSED */
+	-1,			/* 2: UNUSED */
+	ICMP6_DST_UNREACH,	/* 3: ICMP_UNREACH */
+	-1,			/* 4: ICMP_SOURCEQUENCH */
+	ND_REDIRECT,		/* 5: ICMP_REDIRECT */
+	-1,			/* 6: UNUSED */
+	-1,			/* 7: UNUSED */
+	ICMP6_ECHO_REQUEST,	/* 8: ICMP_ECHO */
+	-1,			/* 9: UNUSED */
+	-1,			/* 10: UNUSED */
+	ICMP6_TIME_EXCEEDED,	/* 11: ICMP_TIMXCEED */
+	ICMP6_PARAM_PROB,	/* 12: ICMP_PARAMPROB */
+	-1,			/* 13: ICMP_TSTAMP */
+	-1,			/* 14: ICMP_TSTAMPREPLY */
+	-1,			/* 15: ICMP_IREQ */
+	-1,			/* 16: ICMP_IREQREPLY */
+	-1,			/* 17: ICMP_MASKREQ */
+	-1,			/* 18: ICMP_MASKREPLY */
+};
+
+
+int	icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
+	ICMP6_DST_UNREACH_ADDR,		/* 0: ICMP_UNREACH_NET */
+	ICMP6_DST_UNREACH_ADDR,		/* 1: ICMP_UNREACH_HOST */
+	-1,				/* 2: ICMP_UNREACH_PROTOCOL */
+	ICMP6_DST_UNREACH_NOPORT,	/* 3: ICMP_UNREACH_PORT */
+	-1,				/* 4: ICMP_UNREACH_NEEDFRAG */
+	ICMP6_DST_UNREACH_NOTNEIGHBOR,	/* 5: ICMP_UNREACH_SRCFAIL */
+	ICMP6_DST_UNREACH_ADDR,		/* 6: ICMP_UNREACH_NET_UNKNOWN */
+	ICMP6_DST_UNREACH_ADDR,		/* 7: ICMP_UNREACH_HOST_UNKNOWN */
+	-1,				/* 8: ICMP_UNREACH_ISOLATED */
+	ICMP6_DST_UNREACH_ADMIN,	/* 9: ICMP_UNREACH_NET_PROHIB */
+	ICMP6_DST_UNREACH_ADMIN,	/* 10: ICMP_UNREACH_HOST_PROHIB */
+	-1,				/* 11: ICMP_UNREACH_TOSNET */
+	-1,				/* 12: ICMP_UNREACH_TOSHOST */
+	ICMP6_DST_UNREACH_ADMIN,	/* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
+};
+#endif
diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c
index 70d1cedba690..14c4f8208611 100644
--- a/sys/netinet/ip_auth.c
+++ b/sys/netinet/ip_auth.c
@@ -1,12 +1,12 @@
 /*
- * Copyright (C) 1998 by Darren Reed & Guido van Rooij.
+ * Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
  * to the original author and the contributors.
  */
 #if !defined(lint)
-/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.3 2000/06/17 06:24:31 darrenr Exp $";*/
+/*static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $";*/
 static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
@@ -20,7 +20,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 # include <stdlib.h>
 # include <string.h>
 #endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
+#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
 #else
@@ -124,11 +124,12 @@ static struct wait_queue *ipfauthwait = NULL;
 int	fr_authsize = FR_NUMAUTH;
 int	fr_authused = 0;
 int	fr_defaultauthage = 600;
+int	fr_auth_lock = 0;
 fr_authstat_t	fr_authstats;
-frauth_t fr_auth[FR_NUMAUTH];
+static frauth_t fr_auth[FR_NUMAUTH];
 mb_t	*fr_authpkts[FR_NUMAUTH];
-int	fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
-frauthent_t	*fae_list = NULL;
+static int	fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
+static frauthent_t	*fae_list = NULL;
 frentry_t	*ipauth = NULL;
 
 
@@ -145,6 +146,9 @@ fr_info_t *fin;
 	u_32_t pass;
 	int i;
 
+	if (fr_auth_lock)
+		return 0;
+
 	READ_ENTER(&ipf_auth);
 	for (i = fr_authstart; i != fr_authend; ) {
 		/*
@@ -197,19 +201,19 @@ fr_info_t *fin;
  * If we do, store it and wake up any user programs which are waiting to
  * hear about these events.
  */
-int fr_newauth(m, fin, ip
-#if defined(_KERNEL) && SOLARIS
-, qif)
-qif_t *qif;
-#else
-)
-#endif
+int fr_newauth(m, fin, ip)
 mb_t *m;
 fr_info_t *fin;
 ip_t *ip;
 {
+#if defined(_KERNEL) && SOLARIS
+	qif_t *qif = fin->fin_qif;
+#endif
 	int i;
 
+	if (fr_auth_lock)
+		return 0;
+
 	WRITE_ENTER(&ipf_auth);
 	if (fr_authstart > fr_authend) {
 		fr_authstats.fas_nospace++;
@@ -239,14 +243,15 @@ ip_t *ip;
 	 * them.
 	 */
 # if SOLARIS && defined(_KERNEL)
-	if (ip == (ip_t *)m->b_rptr)
+	if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
 # endif
 	{
 		register u_short bo;
 
 		bo = ip->ip_len;
 		ip->ip_len = htons(bo);
-# if !SOLARIS	/* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
+# if !SOLARIS && !defined(__NetBSD__)
+		/* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
 		bo = ip->ip_id;
 		ip->ip_id = htons(bo);
 # endif
@@ -273,7 +278,7 @@ ip_t *ip;
 
 int fr_auth_ioctl(data, cmd, fr, frptr)
 caddr_t data;
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
 u_long cmd;
 #else
 int cmd;
@@ -281,11 +286,8 @@ int cmd;
 frentry_t *fr, **frptr;
 {
 	mb_t *m;
-#if defined(_KERNEL)
-# if !SOLARIS
+#if defined(_KERNEL) && !SOLARIS
 	struct ifqueue *ifq;
-	int s;
-# endif
 #endif
 	frauth_t auth, *au = &auth;
 	frauthent_t *fae, **faep;
@@ -293,12 +295,17 @@ frentry_t *fr, **frptr;
 
 	switch (cmd)
 	{
+	case SIOCSTLCK :
+		error = fr_lock(data, &fr_auth_lock);
+		break;
 	case SIOCINIFR :
 	case SIOCRMIFR :
 	case SIOCADIFR :
 		error = EINVAL;
 		break;
 	case SIOCINAFR :
+		error = EINVAL;
+		break;
 	case SIOCRMAFR :
 	case SIOCADAFR :
 		for (faep = &fae_list; (fae = *faep); )
@@ -319,8 +326,8 @@ frentry_t *fr, **frptr;
 		} else {
 			KMALLOC(fae, frauthent_t *);
 			if (fae != NULL) {
-				IRCOPY((char *)data, (char *)&fae->fae_fr,
-				       sizeof(fae->fae_fr));
+				bcopy((char *)fr, (char *)&fae->fae_fr,
+				      sizeof(*fr));
 				WRITE_ENTER(&ipf_auth);
 				fae->fae_age = fr_defaultauthage;
 				fae->fae_fr.fr_hits = 0;
@@ -338,15 +345,18 @@ frentry_t *fr, **frptr;
 		READ_ENTER(&ipf_auth);
 		fr_authstats.fas_faelist = fae_list;
 		RWLOCK_EXIT(&ipf_auth);
-		IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
+		error = IWCOPYPTR((char *)&fr_authstats, data,
+				   sizeof(fr_authstats));
 		break;
 	case SIOCAUTHW:
 fr_authioctlloop:
 		READ_ENTER(&ipf_auth);
 		if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
-			IWCOPY((char *)&fr_auth[fr_authnext], data,
-			       sizeof(fr_info_t));
+			error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
+					  sizeof(fr_info_t));
 			RWLOCK_EXIT(&ipf_auth);
+			if (error)
+				break;
 			WRITE_ENTER(&ipf_auth);
 			fr_authnext++;
 			if (fr_authnext == FR_NUMAUTH)
@@ -377,7 +387,9 @@ fr_authioctlloop:
 			goto fr_authioctlloop;
 		break;
 	case SIOCAUTHR:
-		IRCOPY(data, (caddr_t)&auth, sizeof(auth));
+		error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
+		if (error)
+			return error;
 		WRITE_ENTER(&ipf_auth);
 		i = au->fra_index;
 		if ((i < 0) || (i > FR_NUMAUTH) ||
@@ -391,7 +403,6 @@ fr_authioctlloop:
 		fr_authpkts[i] = NULL;
 #ifdef	_KERNEL
 		RWLOCK_EXIT(&ipf_auth);
-		SPL_NET(s);
 # ifndef linux
 		if (m && au->fra_info.fin_out) {
 #  if SOLARIS
@@ -457,7 +468,6 @@ fr_authioctlloop:
 			}
 		}
 # endif
-		SPL_X(s);
 #endif /* _KERNEL */
 		break;
 	default :
@@ -511,6 +521,9 @@ void fr_authexpire()
 	int s;
 #endif
 
+	if (fr_auth_lock)
+		return;
+
 	SPL_NET(s);
 	WRITE_ENTER(&ipf_auth);
 	for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
diff --git a/sys/netinet/ip_auth.h b/sys/netinet/ip_auth.h
index e6b5a59576fa..8be860cfe514 100644
--- a/sys/netinet/ip_auth.h
+++ b/sys/netinet/ip_auth.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1997-1998 by Darren Reed & Guido Van Rooij.
+ * Copyright (C) 1997-2000 by Darren Reed & Guido Van Rooij.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -51,15 +51,12 @@ extern	int	fr_authstart;
 extern	int	fr_authend;
 extern	int	fr_authsize;
 extern	int	fr_authused;
+extern	int	fr_auth_lock;
 extern	u_32_t	fr_checkauth __P((ip_t *, fr_info_t *));
 extern	void	fr_authexpire __P((void));
 extern	void	fr_authunload __P((void));
 extern	mb_t	*fr_authpkts[];
-#if defined(_KERNEL) && SOLARIS
-extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *, qif_t *));
-#else
 extern	int	fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
-#endif
 #if defined(__NetBSD__) || defined(__OpenBSD__)
 extern	int	fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **));
 #else
diff --git a/sys/netinet/ip_compat.h b/sys/netinet/ip_compat.h
index 0c8242d6b601..0ebd4365b41f 100644
--- a/sys/netinet/ip_compat.h
+++ b/sys/netinet/ip_compat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -28,6 +28,11 @@
 #ifndef	SOLARIS
 #define	SOLARIS	(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
+#if SOLARIS2 >= 8
+# ifndef	USE_INET6
+#  define	USE_INET6
+# endif
+#endif
 
 #if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
 # undef	KERNEL
@@ -91,19 +96,29 @@ struct  ether_addr {
 # ifndef	KERNEL
 #  define	_KERNEL
 #  undef	RES_INIT
+#  if SOLARIS2 >= 8
+#   include <netinet/ip6.h>
+#  endif
 #  include <inet/common.h>
 #  include <inet/ip.h>
 #  include <inet/ip_ire.h>
 #  undef	_KERNEL
 # else /* _KERNEL */
+#  if SOLARIS2 >= 8
+#   include <netinet/ip6.h>
+#  endif
 #  include <inet/common.h>
 #  include <inet/ip.h>
 #  include <inet/ip_ire.h>
 # endif /* _KERNEL */
 # if SOLARIS2 >= 8
+#  include <inet/ip_if.h>
 #  include <netinet/ip6.h>
-#  include <inet/ip6.h>
 #  define	ipif_local_addr	ipif_lcl_addr
+/* Only defined in private include file */
+#  ifndef	V4_PART_OF_V6
+#   define	V4_PART_OF_V6(v6)	v6.s6_addr32[3]
+#  endif
 # endif
 #else
 # if !defined(__sgi)
@@ -125,12 +140,25 @@ typedef	 int	minor_t;
 # define	QUAD_T		long
 #endif /* BSD > 199306 */
 
+
 /*
  * These operating systems already take care of the problem for us.
  */
 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
     defined(__sgi)
 typedef u_int32_t       u_32_t;
+# if defined(_KERNEL) && !defined(IPFILTER_LKM)
+#  if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000)
+#   include "opt_inet.h"
+#  endif
+#  if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
+      !defined(KLD_MODULE)
+#   include "opt_inet6.h"
+#  endif
+#  ifdef INET6
+#   define USE_INET6
+#  endif
+# endif
 #else
 /*
  * Really, any arch where sizeof(long) != sizeof(int).
@@ -138,10 +166,38 @@ typedef u_int32_t       u_32_t;
 # if defined(__alpha__) || defined(__alpha) || defined(_LP64)
 typedef unsigned int    u_32_t;
 # else
-typedef unsigned long   u_32_t;
+#  if SOLARIS2 >= 6
+typedef	uint32_t	u_32_t;
+#  else
+typedef unsigned int	u_32_t;
+#  endif
 # endif
 #endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
 
+#ifdef	USE_INET6
+# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
+#  include <netinet/ip6.h>
+#  ifdef	_KERNEL
+#   include <netinet6/ip6_var.h>
+#  endif
+typedef	struct ip6_hdr	ip6_t;
+# endif
+union	i6addr	{
+	u_32_t	i6[4];
+	struct	in_addr	in4;
+	struct	in6_addr in6;
+};
+#else
+union	i6addr	{
+	u_32_t	i6[4];
+	struct	in_addr	in4;
+};
+#endif
+
+#define	IP6CMP(a,b)	bcmp((char *)&(a), (char *)&(b), sizeof(a))
+#define	IP6EQ(a,b)	(bcmp((char *)&(a), (char *)&(b), sizeof(a)) == 0)
+#define	IP6NEQ(a,b)	(bcmp((char *)&(a), (char *)&(b), sizeof(a)) != 0)
+
 #ifndef	MAX
 #define	MAX(a,b)	(((a) > (b)) ? (a) : (b))
 #endif
@@ -203,12 +259,15 @@ typedef unsigned long   u_32_t;
 #define	IPOPT_FINN	205	/* FINN */
 
 
-#if defined(__FreeBSD__) && defined(KERNEL)
+#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
 # if __FreeBSD__ < 3
 #  include <machine/spl.h>
-# endif
-# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-#  define	ACTUALLY_LKM_NOT_KERNEL
+# else
+#  if __FreeBSD__ == 3
+#   if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
+#    define	ACTUALLY_LKM_NOT_KERNEL
+#   endif
+#  endif
 # endif
 #endif /* __FreeBSD__ && KERNEL */
 
@@ -216,12 +275,39 @@ typedef unsigned long   u_32_t;
  * Build some macros and #defines to enable the same code to compile anywhere
  * Well, that's the idea, anyway :-)
  */
+#if !SOLARIS || (SOLARIS2 < 6) || !defined(KERNEL)
+# define	ATOMIC_INCL		ATOMIC_INC
+# define	ATOMIC_INC64		ATOMIC_INC
+# define	ATOMIC_INC32		ATOMIC_INC
+# define	ATOMIC_INC16		ATOMIC_INC
+# define	ATOMIC_DECL		ATOMIC_DEC
+# define	ATOMIC_DEC64		ATOMIC_DEC
+# define	ATOMIC_DEC32		ATOMIC_DEC
+# define	ATOMIC_DEC16		ATOMIC_DEC
+#endif
 #ifdef KERNEL
 # if SOLARIS
-#  define	ATOMIC_INC(x)		{ mutex_enter(&ipf_rw); (x)++; \
+#  if SOLARIS2 >= 6
+#   include <sys/atomic.h>
+#   if SOLARIS2 == 6
+#    define	ATOMIC_INCL(x)		atomic_add_long((uint32_t*)&(x), 1)
+#    define	ATOMIC_DECL(x)		atomic_add_long((uint32_t*)&(x), -1)
+#   else
+#    define	ATOMIC_INCL(x)		atomic_add_long(&(x), 1)
+#    define	ATOMIC_DECL(x)		atomic_add_long(&(x), -1)
+#   endif
+#   define	ATOMIC_INC64(x)		atomic_add_64((uint64_t*)&(x), 1)
+#   define	ATOMIC_INC32(x)		atomic_add_32((uint32_t*)&(x), 1)
+#   define	ATOMIC_INC16(x)		atomic_add_16((uint16_t*)&(x), 1)
+#   define	ATOMIC_DEC64(x)		atomic_add_64((uint64_t*)&(x), -1)
+#   define	ATOMIC_DEC32(x)		atomic_add_32((uint32_t*)&(x), -1)
+#   define	ATOMIC_DEC16(x)		atomic_add_16((uint16_t*)&(x), -1)
+#  else
+#   define	ATOMIC_INC(x)		{ mutex_enter(&ipf_rw); (x)++; \
 					  mutex_exit(&ipf_rw); }
-#  define	ATOMIC_DEC(x)		{ mutex_enter(&ipf_rw); (x)--; \
+#   define	ATOMIC_DEC(x)		{ mutex_enter(&ipf_rw); (x)--; \
 					  mutex_exit(&ipf_rw); }
+#  endif
 #  define	MUTEX_ENTER(x)		mutex_enter(x)
 #  if 1
 #   define	KRWLOCK_T		krwlock_t
@@ -244,10 +330,14 @@ typedef unsigned long   u_32_t;
 #   define	RWLOCK_EXIT(x)		mutex_exit(x)
 #   define	RW_DESTROY(x)		mutex_destroy(x)
 #  endif
+#  define	MUTEX_INIT(x, y, z)	mutex_init((x), (y), MUTEX_DRIVER, (z))
+#  define	MUTEX_DESTROY(x)	mutex_destroy(x)
 #  define	MUTEX_EXIT(x)	mutex_exit(x)
 #  define	MTOD(m,t)	(t)((m)->b_rptr)
 #  define	IRCOPY(a,b,c)	copyin((a), (b), (c))
 #  define	IWCOPY(a,b,c)	copyout((a), (b), (c))
+#  define	IRCOPYPTR	ircopyptr
+#  define	IWCOPYPTR	iwcopyptr
 #  define	FREE_MB_T(m)	freemsg(m)
 #  define	SPL_NET(x)	;
 #  define	SPL_IMP(x)	;
@@ -283,9 +373,11 @@ typedef	struct	qif	{
 	 * in case the ILL has disappeared...
 	 */
 	size_t	qf_hl;	/* header length */
+	int	qf_sap;
 } qif_t;
-extern	ill_t	*get_unit __P((char *));
-#  define	GETUNIT(n)	get_unit((n))
+extern	ill_t	*get_unit __P((char *, int));
+#  define	GETUNIT(n, v)	get_unit(n, v)
+#  define	IFNAME(x)	((ill_t *)x)->ill_name
 # else /* SOLARIS */
 #  if defined(__sgi)
 #   define  hz HZ
@@ -307,35 +399,48 @@ typedef struct {
 #   define	WRITE_ENTER(x)		MUTEX_ENTER(x)
 #   define	RW_UPGRADE(x)		;
 #   define	MUTEX_DOWNGRADE(x)	;
-#   define	RWLOCK_EXIT(x)	MUTEX_EXIT(x)
-#   define	MUTEX_EXIT(x)	UNLOCK((x)->l, (x)->pl);
+#   define	RWLOCK_EXIT(x)		MUTEX_EXIT(x)
+#   define	MUTEX_EXIT(x)		UNLOCK((x)->l, (x)->pl);
+#   define	MUTEX_INIT(x,y,z)	(x).l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
+#   define	MUTEX_DESTROY(x)	LOCK_DEALLOC((x).l)
 #  else /* __sgi */
 #   define	ATOMIC_INC(x)		(x)++
 #   define	ATOMIC_DEC(x)		(x)--
 #   define	MUTEX_ENTER(x)		;
-#   define	READ_ENTER(x)	;
-#   define	WRITE_ENTER(x)	;
-#   define	RW_UPGRADE(x)	;
+#   define	READ_ENTER(x)		;
+#   define	WRITE_ENTER(x)		;
+#   define	RW_UPGRADE(x)		;
 #   define	MUTEX_DOWNGRADE(x)	;
-#   define	RWLOCK_EXIT(x)	;
-#   define	MUTEX_EXIT(x)	;
+#   define	RWLOCK_EXIT(x)		;
+#   define	MUTEX_EXIT(x)		;
+#   define	MUTEX_INIT(x,y,z)	;
+#   define	MUTEX_DESTROY(x)	;
 #  endif /* __sgi */
 #  ifndef linux
 #   define	FREE_MB_T(m)	m_freem(m)
 #   define	MTOD(m,t)	mtod(m,t)
-#   define	IRCOPY(a,b,c)	bcopy((a), (b), (c))
-#   define	IWCOPY(a,b,c)	bcopy((a), (b), (c))
+#   define	IRCOPY(a,b,c)	(bcopy((a), (b), (c)), 0)
+#   define	IWCOPY(a,b,c)	(bcopy((a), (b), (c)), 0)
+#   define	IRCOPYPTR	ircopyptr
+#   define	IWCOPYPTR	iwcopyptr
 #  endif /* !linux */
 # endif /* SOLARIS */
 
 # ifdef sun
 #  if !SOLARIS
 #   include	<sys/kmem_alloc.h>
-#   define	GETUNIT(n)	ifunit((n), IFNAMSIZ)
+#   define	GETUNIT(n, v)	ifunit(n, IFNAMSIZ)
+#   define	IFNAME(x)	((struct ifnet *)x)->if_name
 #  endif
 # else
 #  ifndef	linux
-#   define	GETUNIT(n)	ifunit((n))
+#   define	GETUNIT(n, v)	ifunit(n)
+#   if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
+        (defined(OpenBSD) && (OpenBSD >= 199603))
+#    define	IFNAME(x)	((struct ifnet *)x)->if_xname
+#   else
+#    define	IFNAME(x)	((struct ifnet *)x)->if_name
+#   endif
 #  endif
 # endif /* sun */
 
@@ -409,6 +514,8 @@ extern	vm_map_t	kmem_map;
 # define	ATOMIC_DEC(x)	(x)--
 # define	MUTEX_ENTER(x)	;
 # define	READ_ENTER(x)	;
+# define	MUTEX_INIT(x,y,z)	;
+# define	MUTEX_DESTROY(x)	;
 # define	WRITE_ENTER(x)	;
 # define	RW_UPGRADE(x)	;
 # define	MUTEX_DOWNGRADE(x)	;
@@ -422,9 +529,11 @@ extern	vm_map_t	kmem_map;
 # define	KMALLOCS(a,b,c)	(a) = (b)malloc(c)
 # define	KFREE(x)	free(x)
 # define	KFREES(x,s)	free(x)
-# define	GETUNIT(x)	get_unit(x)
-# define	IRCOPY(a,b,c)	bcopy((a), (b), (c))
-# define	IWCOPY(a,b,c)	bcopy((a), (b), (c))
+# define	GETUNIT(x, v)	get_unit(x,v)
+# define	IRCOPY(a,b,c)	(bcopy((a), (b), (c)), 0)
+# define	IWCOPY(a,b,c)	(bcopy((a), (b), (c)), 0)
+# define	IRCOPYPTR	ircopyptr
+# define	IWCOPYPTR	iwcopyptr
 #endif /* KERNEL */
 
 #if SOLARIS
@@ -746,7 +855,7 @@ typedef	struct	uio	{
 # define	if_name	name
 
 # ifdef	KERNEL
-#  define	GETUNIT(x)	dev_get(x)
+#  define	GETUNIT(x, v)	dev_get(x)
 #  define	FREE_MB_T(m)	kfree_skb(m, FREE_WRITE)
 #  define	uniqtime	do_gettimeofday
 #  undef INT_MAX
@@ -768,16 +877,50 @@ typedef	struct	uio	{
 #  define	KMALLOCS(a,b,c)	(a) = (b)kmalloc((c), GFP_ATOMIC)
 #  define	KFREE(x)	kfree_s((x), sizeof(*(x)))
 #  define	KFREES(x,s)	kfree_s((x), (s))
-#  define	IRCOPY(a,b,c)	{ \
-				 error = verify_area(VERIFY_READ, (a) ,(c)); \
-				 if (!error) \
-					memcpy_fromfs((b), (a), (c)); \
-				}
-#  define	IWCOPY(a,b,c)	{ \
-				 error = verify_area(VERIFY_WRITE, (b), (c)); \
-				 if (!error) \
-					memcpy_tofs((b), (a), (c)); \
-				}
+#define IRCOPY(const void *a, void *b, size_t c)	{ \
+	int error; \
+
+	error = verify_area(VERIFY_READ, a ,c); \
+	if (!error) \
+		memcpy_fromfs(b, a, c); \
+	return error; \
+}
+static inline int IWCOPY(const void *a, void *b, size_t c)
+{
+	int error;
+
+	error = verify_area(VERIFY_WRITE, b, c);
+	if (!error)
+		memcpy_tofs(b, a, c);
+	return error;
+}
+static inline int IRCOPYPTR(const void *a, void *b, size_t c) {
+	caddr_t ca;
+	int	error;
+
+	error = verify_area(VERIFY_READ, a ,sizeof(ca));
+	if (!error) {
+		memcpy_fromfs(ca, a, sizeof(ca));
+		error = verify_area(VERIFY_READ, ca , c);
+		if (!error)
+			memcpy_fromfs(b, ca, c);
+	}
+	return error;
+}
+static inline int IWCOPYPTR(const void *a, void *b, size_t c) {
+	caddr_t ca;
+	int	error;
+
+
+	error = verify_area(VERIFY_READ, b ,sizeof(ca));
+	if (!error) {
+		memcpy_fromfs(ca, b, sizeof(ca));
+		error = verify_area(VERIFY_WRITE, ca, c);
+		if (!error)
+			memcpy_tofs(ca, a, c);
+	}
+	return error;
+}
 # else
 #  define	__KERNEL__
 #  undef INT_MAX
@@ -818,12 +961,18 @@ struct	ether_addr	{
 #define	A_A	&
 #endif
 
+#define	TCPF_ALL	(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)
+
 #ifndef	ICMP_ROUTERADVERT
 # define	ICMP_ROUTERADVERT	9
 #endif
 #ifndef	ICMP_ROUTERSOLICIT
 # define	ICMP_ROUTERSOLICIT	10
 #endif
+#undef	ICMP_MAX_UNREACH
+#define	ICMP_MAX_UNREACH	14
+#undef	ICMP_MAXTYPE
+#define	ICMP_MAXTYPE		18
 /*
  * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
  * another IP header and then 64 bits of data, totalling 56.  Of course,
@@ -833,5 +982,6 @@ struct	ether_addr	{
 #define	ICMPERR_IPICMPHLEN	(20 + 8)
 #define	ICMPERR_MINPKTLEN	(20 + 8 + 20)
 #define	ICMPERR_MAXPKTLEN	(20 + 8 + 20 + 8)
+#define	ICMP6ERR_MINPKTLEN	(20 + 8)
 
 #endif	/* __IP_COMPAT_H__ */
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
index 3d9fb0678187..746df30dabf3 100644
--- a/sys/netinet/ip_fil.c
+++ b/sys/netinet/ip_fil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -18,15 +18,17 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #if defined(KERNEL) && !defined(_KERNEL)
 # define	_KERNEL
 #endif
+#if defined(_KERNEL) && defined(__FreeBSD_version) && \
+    (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
+#include "opt_inet6.h"
+#endif
 #include <sys/param.h>
 #if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
     defined(_KERNEL)
 # include "opt_ipfilter_log.h"
 #endif
 #if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-#  include <sys/osreldate.h>
-# else
+# if !defined(_KERNEL) || defined(IPFILTER_LKM)
 #  include <osreldate.h>
 # endif
 #endif
@@ -97,6 +99,9 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 # include <syslog.h>
 #endif
 #include "netinet/ip_compat.h"
+#ifdef USE_INET6
+# include <netinet/icmp6.h>
+#endif
 #include "netinet/ip_fil.h"
 #include "netinet/ip_proxy.h"
 #include "netinet/ip_nat.h"
@@ -114,6 +119,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 extern	int	ip_optcopy __P((struct ip *, struct ip *));
 #endif
 
+#include <machine/in_cksum.h>
 
 extern	struct	protosw	inetsw[];
 
@@ -130,15 +136,15 @@ extern	int	tcp_ttl;
 int	ipl_unreach = ICMP_UNREACH_FILTER;
 u_long	ipl_frouteok[2] = {0, 0};
 
-static	void	frzerostats __P((caddr_t));
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+static	int	frzerostats __P((caddr_t));
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 static	int	frrequest __P((int, u_long, caddr_t, int));
 #else
 static	int	frrequest __P((int, int, caddr_t, int));
 #endif
 #ifdef	_KERNEL
 static	int	(*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
-static	int	send_ip __P((struct mbuf *, ip_t *));
+static	int	send_ip __P((ip_t *, fr_info_t *, struct mbuf *));
 # ifdef	__sgi
 extern  kmutex_t        ipf_rw;
 extern	KRWLOCK_T	ipf_mutex;
@@ -163,6 +169,10 @@ int	fr_running = 0;
 #if (__FreeBSD_version >= 300000) && defined(_KERNEL)
 struct callout_handle ipfr_slowtimer_ch;
 #endif
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
+# include <sys/callout.h>
+struct callout ipfr_slowtimer_ch;
+#endif
 
 #if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
 # include <sys/device.h>
@@ -221,8 +231,8 @@ int iplattach()
 {
 	char *defpass;
 	int s;
-# ifdef __sgi
-	int error;
+# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
+	int error = 0;
 # endif
 
 	SPL_NET(s);
@@ -243,13 +253,44 @@ int iplattach()
 		return -1;
 
 # ifdef NETBSD_PF
+#  if __NetBSD_Version__ >= 104200000
+	error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+			      &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+	if (error) {
+#   ifdef USE_INET6
+		goto pfil_error;
+#   else
+		appr_unload();
+		ip_natunload();
+		fr_stateunload();
+		return error;
+#   endif
+	}
+#  else
 	pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
+#  endif
+#  ifdef USE_INET6
+	error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+			      &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+	if (error) {
+		pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+				 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+pfil_error:
+		appr_unload();
+		ip_natunload();
+		fr_stateunload();
+		return error;
+	}
+#  endif
 # endif
 
 # ifdef __sgi
 	error = ipfilter_sgi_attach();
 	if (error) {
 		SPL_X(s);
+		appr_unload();
+		ip_natunload();
+		fr_stateunload();
 		return error;
 	}
 # endif
@@ -257,6 +298,7 @@ int iplattach()
 	bzero((char *)frcache, sizeof(frcache));
 	fr_savep = fr_checkp;
 	fr_checkp = fr_check;
+	fr_running = 1;
 
 	SPL_X(s);
 	if (fr_pass & FR_PASS)
@@ -266,22 +308,25 @@ int iplattach()
 	else
 		defpass = "no-match -> block";
 
-	printf("IP Filter: initialized.  Default = %s all, Logging = %s\n",
-		defpass,
+	printf("%s initialized.  Default = %s all, Logging = %s\n",
+		ipfilter_version, defpass,
 # ifdef	IPFILTER_LOG
 		"enabled");
 # else
 		"disabled");
 # endif
-	printf("%s\n", ipfilter_version);
-#ifdef	_KERNEL
-# if (__FreeBSD_version >= 300000) && defined(_KERNEL)
-	ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+#ifdef  _KERNEL
+# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
+	callout_init(&ipfr_slowtimer_ch);
+	callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
 # else
+#  if (__FreeBSD_version >= 300000) && defined(_KERNEL)
+	ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+#  else
 	timeout(ipfr_slowtimer, NULL, hz/2);
+#  endif
 # endif
 #endif
-	fr_running = 1;
 	return 0;
 }
 
@@ -293,17 +338,24 @@ int iplattach()
 int ipldetach()
 {
 	int s, i = FR_INQUE|FR_OUTQUE;
+#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
+	int error = 0;
+#endif
 
-#ifdef	_KERNEL
-# if (__FreeBSD_version >= 300000)
-	untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
+#ifdef  _KERNEL
+# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
+	callout_stop(&ipfr_slowtimer_ch);
 # else
+#  if (__FreeBSD_version >= 300000)
+	untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
+#  else
 #  ifdef __sgi
 	untimeout(ipfr_slowtimer);
-#  else
+#   else
 	untimeout(ipfr_slowtimer, NULL);
-#  endif
-# endif
+#   endif
+#  endif /* FreeBSD */
+# endif /* NetBSD */
 #endif
 	SPL_NET(s);
 	if (!fr_running)
@@ -313,18 +365,34 @@ int ipldetach()
 		return 0;
 	}
 
+	printf("%s unloaded\n", ipfilter_version);
+
 	fr_checkp = fr_savep;
 	i = frflush(IPL_LOGIPF, i);
 	fr_running = 0;
 
 # ifdef NETBSD_PF
+#  if __NetBSD_Version__ >= 104200000
+	error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+				 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+	if (error)
+		return error;
+#  else
 	pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
+#  endif
+#  ifdef USE_INET6
+	error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
+				 &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+	if (error)
+		return error;
+#  endif
 # endif
 
 # ifdef __sgi
 	ipfilter_sgi_detach();
 # endif
 
+	appr_unload();
 	ipfr_unload();
 	ip_natunload();
 	fr_stateunload();
@@ -336,26 +404,20 @@ int ipldetach()
 #endif /* _KERNEL */
 
 
-static	void	frzerostats(data)
+static	int	frzerostats(data)
 caddr_t	data;
 {
 	friostat_t fio;
+	int error;
+
+	fr_getstat(&fio);
+	error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
+	if (error)
+		return EFAULT;
 
-	bcopy((char *)frstats, (char *)fio.f_st,
-		sizeof(struct filterstats) * 2);
-	fio.f_fin[0] = ipfilter[0][0];
-	fio.f_fin[1] = ipfilter[0][1];
-	fio.f_fout[0] = ipfilter[1][0];
-	fio.f_fout[1] = ipfilter[1][1];
-	fio.f_acctin[0] = ipacct[0][0];
-	fio.f_acctin[1] = ipacct[0][1];
-	fio.f_acctout[0] = ipacct[1][0];
-	fio.f_acctout[1] = ipacct[1][1];
-	fio.f_active = fr_active;
-	fio.f_froute[0] = ipl_frouteok[0];
-	fio.f_froute[1] = ipl_frouteok[1];
-	IWCOPY((caddr_t)&fio, data, sizeof(fio));
 	bzero((char *)frstats, sizeof(*frstats) * 2);
+
+	return 0;
 }
 
 
@@ -370,20 +432,21 @@ int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
 )
 #else
 int IPL_EXTERN(ioctl)(dev, cmd, data, mode
-#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
-     (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
+# if (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \
+       (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \
+       defined(__OpenBSD__)))
 , p)
 struct proc *p;
-#else
+# else
 )
-#endif
+# endif
 dev_t dev;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || \
-	 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
+# if defined(__NetBSD__) || defined(__OpenBSD__) || \
+	(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
 u_long cmd;
-#else
+# else
 int cmd;
-#endif
+# endif
 caddr_t data;
 int mode;
 #endif /* __sgi */
@@ -408,24 +471,34 @@ int mode;
 	SPL_NET(s);
 
 	if (unit == IPL_LOGNAT) {
-		if (!fr_running)
-			return EIO;
-		error = nat_ioctl(data, cmd, mode);
+		if (fr_running)
+			error = nat_ioctl(data, cmd, mode);
+		else
+			error = EIO;
 		SPL_X(s);
 		return error;
 	}
 	if (unit == IPL_LOGSTATE) {
+		if (fr_running)
+			error = fr_state_ioctl(data, cmd, mode);
+		else
+			error = EIO;
+		SPL_X(s);
+		return error;
+	}
+	if (unit == IPL_LOGAUTH) {
 		if (!fr_running)
 			return EIO;
-		error = fr_state_ioctl(data, cmd, mode);
+		error = fr_auth_ioctl(data, cmd, NULL, NULL);
 		SPL_X(s);
 		return error;
 	}
+
 	switch (cmd) {
 	case FIONREAD :
 #ifdef IPFILTER_LOG
-		IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
-		       sizeof(iplused[IPL_LOGIPF]));
+		error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
+			       sizeof(iplused[IPL_LOGIPF]));
 #endif
 		break;
 #if !defined(IPFILTER_LKM) && defined(_KERNEL)
@@ -436,7 +509,9 @@ int mode;
 		if (!(mode & FWRITE))
 			error = EPERM;
 		else {
-			IRCOPY(data, (caddr_t)&enable, sizeof(enable));
+			error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
+			if (error)
+				break;
 			if (enable)
 				error = iplattach();
 			else
@@ -449,10 +524,11 @@ int mode;
 		if (!(mode & FWRITE))
 			error = EPERM;
 		else
-			IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags));
+			error = IRCOPY(data, (caddr_t)&fr_flags,
+				       sizeof(fr_flags));
 		break;
 	case SIOCGETFF :
-		IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
+		error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
 		break;
 	case SIOCINAFR :
 	case SIOCRMAFR :
@@ -482,55 +558,42 @@ int mode;
 		break;
 	case SIOCGETFS :
 	{
-		struct	friostat	fio;
+		friostat_t	fio;
 
-		bcopy((char *)frstats, (char *)fio.f_st,
-			sizeof(struct filterstats) * 2);
-		fio.f_fin[0] = ipfilter[0][0];
-		fio.f_fin[1] = ipfilter[0][1];
-		fio.f_fout[0] = ipfilter[1][0];
-		fio.f_fout[1] = ipfilter[1][1];
-		fio.f_acctin[0] = ipacct[0][0];
-		fio.f_acctin[1] = ipacct[0][1];
-		fio.f_acctout[0] = ipacct[1][0];
-		fio.f_acctout[1] = ipacct[1][1];
-		fio.f_auth = ipauth;
-		fio.f_active = fr_active;
-		fio.f_froute[0] = ipl_frouteok[0];
-		fio.f_froute[1] = ipl_frouteok[1];
-		fio.f_running = fr_running;
-		fio.f_groups[0][0] = ipfgroups[0][0];
-		fio.f_groups[0][1] = ipfgroups[0][1];
-		fio.f_groups[1][0] = ipfgroups[1][0];
-		fio.f_groups[1][1] = ipfgroups[1][1];
-		fio.f_groups[2][0] = ipfgroups[2][0];
-		fio.f_groups[2][1] = ipfgroups[2][1];
-#ifdef	IPFILTER_LOG
-		fio.f_logging = 1;
-#else
-		fio.f_logging = 0;
-#endif
-		fio.f_defpass = fr_pass;
-		strncpy(fio.f_version, ipfilter_version,
-			sizeof(fio.f_version));
-		IWCOPY((caddr_t)&fio, data, sizeof(fio));
+		fr_getstat(&fio);
+		error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
+		if (error)
+			return EFAULT;
 		break;
 	}
 	case	SIOCFRZST :
 		if (!(mode & FWRITE))
 			error = EPERM;
 		else
-			frzerostats(data);
+			error = frzerostats(data);
 		break;
 	case	SIOCIPFFL :
 		if (!(mode & FWRITE))
 			error = EPERM;
 		else {
-			IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
-			tmp = frflush(unit, tmp);
-			IWCOPY((caddr_t)&tmp, data, sizeof(tmp));
+			error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
+			if (!error) {
+				tmp = frflush(unit, tmp);
+				error = IWCOPY((caddr_t)&tmp, data,
+					       sizeof(tmp));
+			}
 		}
 		break;
+	case SIOCSTLCK :
+		error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
+		if (!error) {
+			fr_state_lock = tmp;
+			fr_nat_lock = tmp;
+			fr_frag_lock = tmp;
+			fr_auth_lock = tmp;
+		} else
+			error = EFAULT;
+		break;
 #ifdef	IPFILTER_LOG
 	case	SIOCIPFFB :
 		if (!(mode & FWRITE))
@@ -540,7 +603,10 @@ int mode;
 		break;
 #endif /* IPFILTER_LOG */
 	case SIOCGFRST :
-		IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
+		error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
+				  sizeof(ipfrstat_t));
+		if (error)
+			return EFAULT;
 		break;
 	case SIOCAUTHW :
 	case SIOCAUTHR :
@@ -548,9 +614,6 @@ int mode;
 			error = EPERM;
 			break;
 		}
-	case SIOCATHST :
-		error = fr_auth_ioctl(data, cmd, NULL, NULL);
-		break;
 	case SIOCFRSYN :
 		if (!(mode & FWRITE))
 			error = EPERM;
@@ -588,6 +651,20 @@ void *ifp;
 	for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
 		if (f->fr_ifa == ifp)
 			f->fr_ifa = (void *)-1;
+#ifdef	USE_INET6
+	for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
+		if (f->fr_ifa == ifp)
+			f->fr_ifa = (void *)-1;
+	for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
+		if (f->fr_ifa == ifp)
+			f->fr_ifa = (void *)-1;
+	for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
+		if (f->fr_ifa == ifp)
+			f->fr_ifa = (void *)-1;
+	for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
+		if (f->fr_ifa == ifp)
+			f->fr_ifa = (void *)-1;
+#endif
 	RWLOCK_EXIT(&ipf_mutex);
 	ip_natsync(ifp);
 }
@@ -595,7 +672,7 @@ void *ifp;
 
 static int frrequest(unit, req, data, set)
 int unit;
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 u_long req;
 #else
 int req;
@@ -608,11 +685,14 @@ caddr_t data;
 	frentry_t frd;
 	frdest_t *fdp;
 	frgroup_t *fg = NULL;
+	u_int   *p, *pp;
 	int error = 0, in;
 	u_int group;
 
 	fp = &frd;
-	IRCOPY(data, (caddr_t)fp, sizeof(*fp));
+	error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
+	if (error)
+		return EFAULT;
 	fp->fr_ref = 0;
 #if (BSD >= 199306) && defined(_KERNEL)
 	if ((securelevel > 0) && (fp->fr_func != NULL))
@@ -634,10 +714,16 @@ caddr_t data;
 
 	if (unit == IPL_LOGAUTH)
 		ftail = fprev = &ipauth;
-	else if (fp->fr_flags & FR_ACCOUNT)
+	else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
 		ftail = fprev = &ipacct[in][set];
-	else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
+	else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
 		ftail = fprev = &ipfilter[in][set];
+#ifdef	USE_INET6
+	else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
+		ftail = fprev = &ipacct6[in][set];
+	else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
+		ftail = fprev = &ipfilter6[in][set];
+#endif
 	else
 		return ESRCH;
 
@@ -650,13 +736,13 @@ caddr_t data;
 	bzero((char *)frcache, sizeof(frcache[0]) * 2);
 
 	if (*fp->fr_ifname) {
-		fp->fr_ifa = GETUNIT(fp->fr_ifname);
+		fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_v);
 		if (!fp->fr_ifa)
 			fp->fr_ifa = (void *)-1;
 	}
 #if BSD >= 199306
 	if (*fp->fr_oifname) {
-		fp->fr_oifa = GETUNIT(fp->fr_oifname);
+		fp->fr_oifa = GETUNIT(fp->fr_oifname, fp->fr_v);
 		if (!fp->fr_oifa)
 			fp->fr_oifa = (void *)-1;
 	}
@@ -665,7 +751,7 @@ caddr_t data;
 	fdp = &fp->fr_dif;
 	fp->fr_flags &= ~FR_DUP;
 	if (*fdp->fd_ifname) {
-		fdp->fd_ifp = GETUNIT(fdp->fd_ifname);
+		fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
 		if (!fdp->fd_ifp)
 			fdp->fd_ifp = (struct ifnet *)-1;
 		else
@@ -674,7 +760,7 @@ caddr_t data;
 
 	fdp = &fp->fr_tif;
 	if (*fdp->fd_ifname) {
-		fdp->fd_ifp = GETUNIT(fdp->fd_ifname);
+		fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
 		if (!fdp->fd_ifp)
 			fdp->fd_ifp = (struct ifnet *)-1;
 	}
@@ -688,8 +774,8 @@ caddr_t data;
 		fp->fr_cksum += *p;
 
 	for (; (f = *ftail); ftail = &f->fr_next)
-		if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
-			 FR_CMPSIZ) == 0)
+		if ((fp->fr_cksum == f->fr_cksum) &&
+		    !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
 			break;
 
 	/*
@@ -698,7 +784,9 @@ caddr_t data;
 	if (req == SIOCZRLST) {
 		if (!f)
 			return ESRCH;
-		IWCOPY((caddr_t)f, data, sizeof(*f));
+		error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
+		if (error)
+			return EFAULT;
 		f->fr_hits = 0;
 		f->fr_bytes = 0;
 		return 0;
@@ -718,11 +806,16 @@ caddr_t data;
 		}
 	}
 
-	if (req == SIOCDELFR || req == SIOCRMIFR) {
+	if (req == SIOCRMAFR || req == SIOCRMIFR) {
 		if (!f)
 			error = ESRCH;
 		else {
-			if (f->fr_ref > 1)
+			/*
+			 * Only return EBUSY if there is a group list, else
+			 * it's probably just state information referencing
+			 * the rule.
+			 */
+			if ((f->fr_ref > 1) && f->fr_grp)
 				return EBUSY;
 			if (fg && fg->fg_head)
 				fg->fg_head->fr_ref--;
@@ -733,7 +826,9 @@ caddr_t data;
 					    unit, set);
 			fixskip(fprev, f, -1);
 			*ftail = f->fr_next;
-			KFREE(f);
+			f->fr_next = NULL;
+			if (f->fr_ref == 0)
+				KFREE(f);
 		}
 	} else {
 		if (f)
@@ -857,14 +952,16 @@ register struct uio *uio;
  * send_reset - this could conceivably be a call to tcp_respond(), but that
  * requires a large amount of setting up and isn't any more efficient.
  */
-int send_reset(fin, oip)
-fr_info_t *fin;
+int send_reset(oip, fin)
 struct ip *oip;
+fr_info_t *fin;
 {
 	struct tcphdr *tcp, *tcp2;
-	struct tcpiphdr *tp;
+	int tlen = 0, hlen;
 	struct mbuf *m;
-	int tlen = 0;
+#ifdef	USE_INET6
+	ip6_t *ip6, *oip6 = (ip6_t *)oip;
+#endif
 	ip_t *ip;
 
 	tcp = (struct tcphdr *)fin->fin_dp;
@@ -882,92 +979,110 @@ struct ip *oip;
 
 	if (tcp->th_flags & TH_SYN)
 		tlen = 1;
-	m->m_len = sizeof(*tcp2) + sizeof(*ip);
+#ifdef	USE_INET6
+	hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
+#else
+	hlen = sizeof(ip_t);
+#endif
+	m->m_len = sizeof(*tcp2) + hlen;
 # if	BSD >= 199306
 	m->m_data += max_linkhdr;
 	m->m_pkthdr.len = m->m_len;
 	m->m_pkthdr.rcvif = (struct ifnet *)0;
 # endif
-	bzero(mtod(m, char *), sizeof(struct tcpiphdr));
 	ip = mtod(m, struct ip *);
-	tp = mtod(m, struct tcpiphdr *);
-	tcp2 = (struct tcphdr *)((char *)ip + sizeof(*ip));
+# ifdef	USE_INET6
+	ip6 = (ip6_t *)ip;
+# endif
+	bzero((char *)ip, sizeof(*tcp2) + hlen);
+	tcp2 = (struct tcphdr *)((char *)ip + hlen);
 
-	ip->ip_src.s_addr = oip->ip_dst.s_addr;
-	ip->ip_dst.s_addr = oip->ip_src.s_addr;
-	tcp2->th_dport = tcp->th_sport;
 	tcp2->th_sport = tcp->th_dport;
+	tcp2->th_dport = tcp->th_sport;
 	tcp2->th_ack = ntohl(tcp->th_seq);
 	tcp2->th_ack += tlen;
 	tcp2->th_ack = htonl(tcp2->th_ack);
 	tcp2->th_off = sizeof(*tcp2) >> 2;
 	tcp2->th_flags = TH_RST|TH_ACK;
-	tp->ti_pr = oip->ip_p;
-	tp->ti_len = htons(sizeof(struct tcphdr));
-	tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2));
-
-	ip->ip_tos = oip->ip_tos;
-	ip->ip_p = oip->ip_p;
-	ip->ip_len = sizeof(*ip) + sizeof(*tcp2);
-
-	return send_ip(m, ip);
+# ifdef	USE_INET6
+	if (fin->fin_v == 6) {
+		ip6->ip6_plen = htons(sizeof(struct tcphdr));
+		ip6->ip6_nxt = IPPROTO_TCP;
+		ip6->ip6_src = oip6->ip6_dst;
+		ip6->ip6_dst = oip6->ip6_src;
+		tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
+					 sizeof(*ip6), sizeof(*tcp2));
+		return send_ip(oip, fin, m);
+	}
+# endif
+	ip->ip_p = IPPROTO_TCP;
+	ip->ip_len = htons(sizeof(struct tcphdr));
+	ip->ip_src.s_addr = oip->ip_dst.s_addr;
+	ip->ip_dst.s_addr = oip->ip_src.s_addr;
+	tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
+	ip->ip_len = hlen + sizeof(*tcp2);
+	return send_ip(oip, fin, m);
 }
 
 
-static int send_ip(m, ip)
+static int send_ip(oip, fin, m)
+ip_t *oip;
+fr_info_t *fin;
 struct mbuf *m;
-ip_t *ip;
 {
-# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)) || \
-     (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802))
-	struct route ro;
-# endif
+	ip_t *ip;
+
+	ip = mtod(m, ip_t *);
 
+	ip->ip_v = fin->fin_v;
+	if (ip->ip_v == 4) {
+		ip->ip_hl = (sizeof(*oip) >> 2);
+		ip->ip_v = IPVERSION;
+		ip->ip_tos = oip->ip_tos;
+		ip->ip_id = oip->ip_id;
+		ip->ip_off = 0;
 # if (BSD < 199306) || defined(__sgi)
-	ip->ip_ttl = tcp_ttl;
+		ip->ip_ttl = tcp_ttl;
 # else
-	ip->ip_ttl = ip_defttl;
+		ip->ip_ttl = ip_defttl;
 # endif
+		ip->ip_sum = 0;
+	}
+# ifdef	USE_INET6
+	else if (ip->ip_v == 6) {
+		ip6_t *ip6 = (ip6_t *)ip;
 
-# ifdef	IPSEC
-	m->m_pkthdr.rcvif = NULL;
-# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
-	{
-	int err;
+		ip6->ip6_hlim = 127;
 
-	bzero((char *)&ro, sizeof(ro));
-	err = ip_output(m, (struct mbuf *)0, &ro, 0, 0);
-	if (ro.ro_rt)
-		RTFREE(ro.ro_rt);
-	return err;
+		return ip6_output(m, NULL, NULL, 0, NULL, NULL);
 	}
-# else
-	/*
-	 * extra 0 in case of multicast
-	 */
-#  if _BSDI_VERSION >= 199802
-	return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL);
-#  else
-#   if	defined(__OpenBSD__)
-	return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL);
-#   else
-	return ip_output(m, (struct mbuf *)0, 0, 0, 0);
-#   endif
-#  endif
 # endif
+# ifdef	IPSEC
+	m->m_pkthdr.rcvif = NULL;
+# endif
+	return ipfr_fastroute(m, fin, NULL);
 }
 
 
-int send_icmp_err(oip, type, code, ifp, dst)
+int send_icmp_err(oip, type, fin, dst)
 ip_t *oip;
-int type, code;
-void *ifp;
-struct in_addr dst;
+int type;
+fr_info_t *fin;
+int dst;
 {
+	int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
+	struct in_addr dst4;
 	struct icmp *icmp;
 	struct mbuf *m;
-	ip_t *nip;
+	void *ifp;
+#ifdef USE_INET6
+	ip6_t *ip6, *oip6 = (ip6_t *)oip;
+	struct in6_addr dst6;
+#endif
+	ip_t *ip;
+
+	if ((type < 0) || (type > ICMP_MAXTYPE))
+		return -1;
 
 	code = fin->fin_icode;
 #ifdef USE_INET6
@@ -993,57 +1108,112 @@ struct in_addr dst;
 			}
 
 # if	(BSD < 199306) || defined(__sgi)
-	m = m_get(M_DONTWAIT, MT_HEADER);
+		avail = MLEN;
+		m = m_get(M_DONTWAIT, MT_HEADER);
 # else
-	m = m_gethdr(M_DONTWAIT, MT_HEADER);
-# endif
-	if (m == NULL)
-		return ENOBUFS;
-	m->m_len = sizeof(*nip) + sizeof(*icmp) + 8;
-# if	BSD >= 199306
-	m->m_data += max_linkhdr;
-	m->m_pkthdr.len = sizeof(*nip) + sizeof(*icmp) + 8;
-	m->m_pkthdr.rcvif = (struct ifnet *)0;
+		avail = MHLEN;
+		m = m_gethdr(M_DONTWAIT, MT_HEADER);
 # endif
+		if (m == NULL)
+			return ENOBUFS;
 
-	bzero(mtod(m, char *), (size_t)sizeof(*nip) + sizeof(*icmp) + 8);
-	nip = mtod(m, ip_t *);
-	icmp = (struct icmp *)(nip + 1);
+		if (dst == 0) {
+			if (fr_ifpaddr(4, ifp, &dst4) == -1)
+				return -1;
+		} else
+			dst4.s_addr = oip->ip_dst.s_addr;
 
-	nip->ip_v = IPVERSION;
-	nip->ip_hl = (sizeof(*nip) >> 2);
-	nip->ip_p = IPPROTO_ICMP;
-	nip->ip_id = oip->ip_id;
-	nip->ip_sum = 0;
-	nip->ip_ttl = 60;
-	nip->ip_tos = oip->ip_tos;
-	nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8;
-	if (dst.s_addr == 0) {
-		if (fr_ifpaddr(ifp, &dst) == -1)
-			return -1;
+		hlen = sizeof(ip_t);
+		ohlen = oip->ip_hl << 2;
+		xtra = 8;
 	}
-	nip->ip_src = dst;
-	nip->ip_dst = oip->ip_src;
+
+#ifdef	USE_INET6
+	else if (fin->fin_v == 6) {
+		hlen = sizeof(ip6_t);
+		ohlen = sizeof(ip6_t);
+		type = icmptoicmp6types[type];
+		if (type == ICMP6_DST_UNREACH)
+			code = icmptoicmp6unreach[code];
+
+		MGETHDR(m, M_DONTWAIT, MT_HEADER);
+		if (!m)
+			return ENOBUFS;
+
+		MCLGET(m, M_DONTWAIT);
+		if (!m)
+			return ENOBUFS;
+		avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
+		xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t),
+			   avail - hlen - sizeof(*icmp) - max_linkhdr);
+		if (dst == 0) {
+			if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1)
+				return -1;
+		} else
+			dst6 = oip6->ip6_dst;
+	}
+#endif
+
+	iclen = hlen + sizeof(*icmp);
+# if	BSD >= 199306
+	avail -= (max_linkhdr + iclen);
+	m->m_data += max_linkhdr;
+	m->m_pkthdr.rcvif = (struct ifnet *)0;
+	if (xtra > avail)
+		xtra = avail;
+	iclen += xtra;
+	m->m_pkthdr.len = iclen;
+#else
+	avail -= (m->m_off + iclen);
+	if (xtra > avail)
+		xtra = avail;
+	iclen += xtra;
+#endif
+	m->m_len = iclen;
+	ip = mtod(m, ip_t *);
+	icmp = (struct icmp *)((char *)ip + hlen);
+	bzero((char *)ip, iclen);
 
 	icmp->icmp_type = type;
-	icmp->icmp_code = code;
+	icmp->icmp_code = fin->fin_icode;
 	icmp->icmp_cksum = 0;
-	bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip));
-	bcopy((char *)oip + (oip->ip_hl << 2),
-	      (char *)&icmp->icmp_ip + sizeof(*oip), 8);	/* 64 bits */
-# ifndef	sparc
+	if (avail) {
+		bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
+		avail -= MIN(ohlen, avail);
+	}
+
+#ifdef	USE_INET6
+	ip6 = (ip6_t *)ip;
+	if (fin->fin_v == 6) {
+		ip6->ip6_flow = 0;
+		ip6->ip6_plen = htons(iclen - hlen);
+		ip6->ip6_nxt = IPPROTO_ICMPV6;
+		ip6->ip6_hlim = 0;
+		ip6->ip6_src = dst6;
+		ip6->ip6_dst = oip6->ip6_src;
+		if (avail)
+			bcopy((char *)oip + ohlen,
+			      (char *)&icmp->icmp_ip + ohlen, avail);
+		icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
+					     sizeof(*ip6), iclen - hlen);
+	} else
+#endif
 	{
-	register u_short	__iplen, __ipoff;
-	ip_t *ip = &icmp->icmp_ip;
+		ip->ip_src.s_addr = dst4.s_addr;
+		ip->ip_dst.s_addr = oip->ip_src.s_addr;
 
-	__iplen = ip->ip_len;
-	__ipoff = ip->ip_off;
-	ip->ip_len = htons(__iplen);
-	ip->ip_off = htons(__ipoff);
+		if (avail > 8)
+			avail = 8;
+		if (avail)
+			bcopy((char *)oip + ohlen,
+			      (char *)&icmp->icmp_ip + ohlen, avail);
+		icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
+					     sizeof(*icmp) + 8);
+		ip->ip_len = iclen;
+		ip->ip_p = IPPROTO_ICMP;
 	}
-# endif
-	icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8);
-	return send_ip(m, nip);
+	err = send_ip(oip, fin, m);
+	return err;
 }
 
 
@@ -1085,14 +1255,24 @@ frdest_t *fdp;
 	register struct ip *ip, *mhip;
 	register struct mbuf *m = m0;
 	register struct route *ro;
-	int len, off, error = 0, hlen;
+	int len, off, error = 0, hlen, code;
+	struct ifnet *ifp, *sifp;
 	struct sockaddr_in *dst;
 	struct route iproute;
-	struct ifnet *ifp;
 	frentry_t *fr;
 
 	hlen = fin->fin_hlen;
 	ip = mtod(m0, struct ip *);
+
+#ifdef	USE_INET6
+	if (ip->ip_v == 6) {
+		/*
+		 * currently "to <if>" and "to <if>:ip#" are not supported
+		 * for IPv6
+		 */
+		return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
+	}
+#endif
 	/*
 	 * Route packet.
 	 */
@@ -1102,7 +1282,13 @@ frdest_t *fdp;
 	dst->sin_family = AF_INET;
 
 	fr = fin->fin_fr;
-	ifp = fdp->fd_ifp;
+	if (fdp)
+		ifp = fdp->fd_ifp;
+	else {
+		ifp = fin->fin_ifp;
+		dst->sin_addr = ip->ip_dst;
+	}
+
 	/*
 	 * In case we're here due to "to <if>" being used with "keep state",
 	 * check that we're going in the correct direction.
@@ -1111,9 +1297,10 @@ frdest_t *fdp;
 		if ((ifp != NULL) && (fdp == &fr->fr_tif))
 			return -1;
 		dst->sin_addr = ip->ip_dst;
-	} else
+	} else if (fdp)
 		dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
-# ifdef	__bsdi__
+
+# if BSD >= 199306
 	dst->sin_len = sizeof(*dst);
 # endif
 # if	(BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
@@ -1127,7 +1314,7 @@ frdest_t *fdp;
 	rtalloc(ro);
 # endif
 	if (!ifp) {
-		if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) {
+		if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
 			error = -2;
 			goto bad;
 		}
@@ -1154,7 +1341,7 @@ frdest_t *fdp;
 		fin->fin_out = 1;
 		if ((fin->fin_fr = ipacct[1][fr_active]) &&
 		    (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
-			ATOMIC_INC(frstats[1].fr_acct);
+			ATOMIC_INCL(frstats[1].fr_acct);
 		}
 		fin->fin_fr = NULL;
 		if (!fr || !(fr->fr_flags & FR_RETMASK))
@@ -1166,6 +1353,16 @@ frdest_t *fdp;
 	 * If small enough for interface, can just send directly.
 	 */
 	if (ip->ip_len <= ifp->if_mtu) {
+# if	BSD >= 199306
+		int i = 0;
+
+#  ifdef	MCLISREFERENCED
+		if ((m->m_flags & M_EXT) && MCLISREFERENCED(m))
+#  else
+		if (m->m_flags & M_EXT)
+#  endif
+			i = 1;
+# endif
 # ifndef sparc
 		ip->ip_id = htons(ip->ip_id);
 		ip->ip_len = htons(ip->ip_len);
@@ -1176,6 +1373,11 @@ frdest_t *fdp;
 # if	BSD >= 199306
 		error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
 					  ro->ro_rt);
+		if (i) {
+			ip->ip_id = ntohs(ip->ip_id);
+			ip->ip_len = ntohs(ip->ip_len);
+			ip->ip_off = ntohs(ip->ip_off);
+		}
 # else
 		error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
 # endif
@@ -1287,12 +1489,46 @@ done:
 		RTFREE(ro->ro_rt);
 	return 0;
 bad:
-	if (error == EMSGSIZE)
-		(void) send_icmp_err(ip, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
-				     ifp, ip->ip_dst);
+	if (error == EMSGSIZE) {
+		sifp = fin->fin_ifp;
+		code = fin->fin_icode;
+		fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
+		fin->fin_ifp = ifp;
+		(void) send_icmp_err(ip, ICMP_UNREACH, fin, 1);
+		fin->fin_ifp = sifp;
+		fin->fin_icode = code;
+	}
 	m_freem(m);
 	goto done;
 }
+
+
+int fr_verifysrc(ipa, ifp)
+struct in_addr ipa;
+void *ifp;
+{
+	struct sockaddr_in *dst;
+	struct route iproute;
+
+	bzero((char *)&iproute, sizeof(iproute));
+	dst = (struct sockaddr_in *)&iproute.ro_dst;
+	dst->sin_family = AF_INET;
+	dst->sin_addr = ipa;
+# if    (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
+        !defined(__OpenBSD__)
+#  ifdef        RTF_CLONING
+	rtalloc_ign(&iproute, RTF_CLONING);
+#  else
+	rtalloc_ign(&iproute, RTF_PRCLONING);
+#  endif
+# else
+	rtalloc(&iproute);
+# endif
+	if (iproute.ro_rt == NULL)
+		return 0;
+	return (ifp == iproute.ro_rt->rt_ifp);
+}
+
 #else /* #ifdef _KERNEL */
 
 
@@ -1344,8 +1580,9 @@ ip_t *ip;
 }
 
 
-struct ifnet *get_unit(name)
+struct ifnet *get_unit(name, v)
 char *name;
+int v;
 {
 	struct ifnet *ifp, **ifa;
 # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 3d43c6b07613..0d7ff052fa87 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -38,58 +38,69 @@
 #endif
 
 #if defined(__STDC__) || defined(__GNUC__)
-# define	SIOCADAFR	_IOW('r', 60, struct frentry)
-# define	SIOCRMAFR	_IOW('r', 61, struct frentry)
+# define	SIOCADAFR	_IOW('r', 60, struct frentry *)
+# define	SIOCRMAFR	_IOW('r', 61, struct frentry *)
 # define	SIOCSETFF	_IOW('r', 62, u_int)
 # define	SIOCGETFF	_IOR('r', 63, u_int)
-# define	SIOCGETFS	_IOR('r', 64, struct friostat)
+# define	SIOCGETFS	_IOWR('r', 64, struct friostat *)
 # define	SIOCIPFFL	_IOWR('r', 65, int)
 # define	SIOCIPFFB	_IOR('r', 66, int)
-# define	SIOCADIFR	_IOW('r', 67, struct frentry)
-# define	SIOCRMIFR	_IOW('r', 68, struct frentry)
+# define	SIOCADIFR	_IOW('r', 67, struct frentry *)
+# define	SIOCRMIFR	_IOW('r', 68, struct frentry *)
 # define	SIOCSWAPA	_IOR('r', 69, u_int)
-# define	SIOCINAFR	_IOW('r', 70, struct frentry)
-# define	SIOCINIFR	_IOW('r', 71, struct frentry)
+# define	SIOCINAFR	_IOW('r', 70, struct frentry *)
+# define	SIOCINIFR	_IOW('r', 71, struct frentry *)
 # define	SIOCFRENB	_IOW('r', 72, u_int)
 # define	SIOCFRSYN	_IOW('r', 73, u_int)
-# define	SIOCFRZST	_IOWR('r', 74, struct friostat)
-# define	SIOCZRLST	_IOWR('r', 75, struct frentry)
-# define	SIOCAUTHW	_IOWR('r', 76, struct fr_info)
-# define	SIOCAUTHR	_IOWR('r', 77, struct fr_info)
-# define	SIOCATHST	_IOWR('r', 78, struct fr_authstat)
+# define	SIOCFRZST	_IOWR('r', 74, struct friostat *)
+# define	SIOCZRLST	_IOWR('r', 75, struct frentry *)
+# define	SIOCAUTHW	_IOWR('r', 76, struct fr_info *)
+# define	SIOCAUTHR	_IOWR('r', 77, struct fr_info *)
+# define	SIOCATHST	_IOWR('r', 78, struct fr_authstat *)
+# define	SIOCSTLCK	_IOWR('r', 79, u_int)
+# define	SIOCSTPUT	_IOWR('r', 80, struct ipstate_save *)
+# define	SIOCSTGET	_IOWR('r', 81, struct ipstate_save *)
+# define	SIOCSTGSZ	_IOWR('r', 82, struct natget *)
+# define	SIOCGFRST	_IOWR('r', 83, struct ipfrstat *)
 #else
-# define	SIOCADAFR	_IOW(r, 60, struct frentry)
-# define	SIOCRMAFR	_IOW(r, 61, struct frentry)
+# define	SIOCADAFR	_IOW(r, 60, struct frentry *)
+# define	SIOCRMAFR	_IOW(r, 61, struct frentry *)
 # define	SIOCSETFF	_IOW(r, 62, u_int)
 # define	SIOCGETFF	_IOR(r, 63, u_int)
-# define	SIOCGETFS	_IOR(r, 64, struct friostat)
+# define	SIOCGETFS	_IOWR(r, 64, struct friostat *)
 # define	SIOCIPFFL	_IOWR(r, 65, int)
 # define	SIOCIPFFB	_IOR(r, 66, int)
-# define	SIOCADIFR	_IOW(r, 67, struct frentry)
-# define	SIOCRMIFR	_IOW(r, 68, struct frentry)
+# define	SIOCADIFR	_IOW(r, 67, struct frentry *)
+# define	SIOCRMIFR	_IOW(r, 68, struct frentry *)
 # define	SIOCSWAPA	_IOR(r, 69, u_int)
-# define	SIOCINAFR	_IOW(r, 70, struct frentry)
-# define	SIOCINIFR	_IOW(r, 71, struct frentry)
+# define	SIOCINAFR	_IOW(r, 70, struct frentry *)
+# define	SIOCINIFR	_IOW(r, 71, struct frentry *)
 # define	SIOCFRENB	_IOW(r, 72, u_int)
 # define	SIOCFRSYN	_IOW(r, 73, u_int)
-# define	SIOCFRZST	_IOWR(r, 74, struct friostat)
-# define	SIOCZRLST	_IOWR(r, 75, struct frentry)
-# define	SIOCAUTHW	_IOWR(r, 76, struct fr_info)
-# define	SIOCAUTHR	_IOWR(r, 77, struct fr_info)
-# define	SIOCATHST	_IOWR(r, 78, struct fr_authstat)
+# define	SIOCFRZST	_IOWR(r, 74, struct friostat *)
+# define	SIOCZRLST	_IOWR(r, 75, struct frentry *)
+# define	SIOCAUTHW	_IOWR(r, 76, struct fr_info *)
+# define	SIOCAUTHR	_IOWR(r, 77, struct fr_info *)
+# define	SIOCATHST	_IOWR(r, 78, struct fr_authstat *)
+# define	SIOCSTLCK	_IOWR(r, 79, u_int)
+# define	SIOCSTPUT	_IOWR(r, 80, struct ipstate_save *)
+# define	SIOCSTGET	_IOWR(r, 81, struct ipstate_save *)
+# define	SIOCSTGSZ	_IOWR(r, 82, struct natget *)
+# define	SIOCGFRST	_IOWR(r, 83, struct ipfrstat *)
 #endif
 #define	SIOCADDFR	SIOCADAFR
 #define	SIOCDELFR	SIOCRMAFR
 #define	SIOCINSFR	SIOCINAFR
 
+
 typedef	struct	fr_ip	{
-	u_int	fi_v:4;		/* IP version */
-	u_int	fi_fl:4;	/* packet flags */
-	u_char	fi_tos;		/* IP packet TOS */
-	u_char	fi_ttl;		/* IP packet TTL */
-	u_char	fi_p;		/* IP packet protocol */
-	struct	in_addr	fi_src;	/* source address from packet */
-	struct	in_addr	fi_dst;	/* destination address from packet */
+	u_32_t	fi_v:4;		/* IP version */
+	u_32_t	fi_fl:4;	/* packet flags */
+	u_32_t	fi_tos:8;	/* IP packet TOS */
+	u_32_t	fi_ttl:8;	/* IP packet TTL */
+	u_32_t	fi_p:8;		/* IP packet protocol */
+	union	i6addr fi_src;	/* source address from packet */
+	union	i6addr fi_dst;	/* destination address from packet */
 	u_32_t	fi_optmsk;	/* bitmask composed from IP options */
 	u_short	fi_secmsk;	/* bitmask composed from IP security options */
 	u_short	fi_auth;	/* authentication code from IP sec. options */
@@ -101,13 +112,21 @@ typedef	struct	fr_ip	{
 #define	FI_SHORT	(FF_SHORT >> 24)
 #define	FI_CMP		(FI_OPTIONS|FI_TCPUDP|FI_SHORT)
 
+#define	fi_saddr	fi_src.in4.s_addr
+#define	fi_daddr	fi_dst.in4.s_addr
+
+
 /*
  * These are both used by the state and NAT code to indicate that one port or
  * the other should be treated as a wildcard.
  */
 #define	FI_W_SPORT	0x00000100
 #define	FI_W_DPORT	0x00000200
-#define	FI_WILD		(FI_W_SPORT|FI_W_DPORT)
+#define	FI_WILDP	(FI_W_SPORT|FI_W_DPORT)
+#define	FI_W_SADDR	0x00000400
+#define	FI_W_DADDR	0x00000800
+#define	FI_WILDA	(FI_W_SADDR|FI_W_DADDR)
+#define	FI_NEWFR	0x00001000
 
 typedef	struct	fr_info	{
 	void	*fin_ifp;		/* interface packet is `on' */
@@ -120,18 +139,22 @@ typedef	struct	fr_info	{
 	/* From here on is packet specific */
 	u_char	fin_icode;		/* ICMP error to return */
 	u_short	fin_rule;		/* rule # last matched */
-	u_short	fin_group;		/* group number, -1 for none */
+	u_32_t	fin_group;		/* group number, -1 for none */
 	struct	frentry *fin_fr;	/* last matching rule */
 	char	*fin_dp;		/* start of data past IP header */
 	u_short	fin_dlen;		/* length of data portion of packet */
 	u_short	fin_id;			/* IP packet id field */
 	void	*fin_mp;		/* pointer to pointer to mbuf */
-#if SOLARIS && defined(_KERNEL)
+#if SOLARIS
 	void	*fin_qfm;		/* pointer to mblk where pkt starts */
 	void	*fin_qif;
 #endif
+	u_short	fin_plen;
+	u_short	fin_off;
 } fr_info_t;
 
+#define	fin_v	fin_fi.fi_v
+
 /*
  * Size for compares on fr_info structures
  */
@@ -148,10 +171,30 @@ typedef	struct	frdest	{
 	char	fd_ifname[IFNAMSIZ];
 } frdest_t;
 
+typedef	struct	frpcmp	{
+	int	frp_cmp;	/* data for port comparisons */
+	u_short	frp_port;	/* top port for <> and >< */
+	u_short	frp_top;	/* top port for <> and >< */
+} frpcmp_t;
+
+typedef	struct	frtuc	{
+	u_char	ftu_tcpfm;	/* tcp flags mask */
+	u_char	ftu_tcpf;	/* tcp flags */
+	frpcmp_t	ftu_src;
+	frpcmp_t	ftu_dst;
+} frtuc_t;
+
+#define	ftu_scmp	ftu_src.frp_cmp
+#define	ftu_dcmp	ftu_dst.frp_cmp
+#define	ftu_sport	ftu_src.frp_port
+#define	ftu_dport	ftu_dst.frp_port
+#define	ftu_stop	ftu_src.frp_top
+#define	ftu_dtop	ftu_dst.frp_top
+
 typedef	struct	frentry {
 	struct	frentry	*fr_next;
-	u_short	fr_group;	/* group to which this rule belongs */
-	u_short	fr_grhead;	/* group # which this rule starts */
+	u_32_t	fr_group;	/* group to which this rule belongs */
+	u_32_t	fr_grhead;	/* group # which this rule starts */
 	struct	frentry	*fr_grp;
 	int	fr_ref;		/* reference count - for grouping */
 	void	*fr_ifa;
@@ -170,38 +213,42 @@ typedef	struct	frentry {
 	struct	fr_ip	fr_ip;
 	struct	fr_ip	fr_mip;	/* mask structure */
 
-	u_char	fr_tcpfm;	/* tcp flags mask */
-	u_char	fr_tcpf;	/* tcp flags */
 
 	u_short	fr_icmpm;	/* data for ICMP packets (mask) */
 	u_short	fr_icmp;
 
-	u_char	fr_scmp;	/* data for port comparisons */
-	u_char	fr_dcmp;
-	u_short	fr_dport;
-	u_short	fr_sport;
-	u_short	fr_stop;	/* top port for <> and >< */
-	u_short	fr_dtop;	/* top port for <> and >< */
+	frtuc_t	fr_tuc;
 	u_32_t	fr_flags;	/* per-rule flags && options (see below) */
-	u_short	fr_skip;	/* # of rules to skip */
-	u_short	fr_loglevel;	/* syslog log facility + priority */
+	u_int	fr_skip;	/* # of rules to skip */
+	u_int	fr_loglevel;	/* syslog log facility + priority */
 	int	(*fr_func) __P((int, ip_t *, fr_info_t *));	/* call this function */
-	char	fr_icode;	/* return ICMP code */
+	int	fr_sap;		/* For solaris only */
+	u_char	fr_icode;	/* return ICMP code */
 	char	fr_ifname[IFNAMSIZ];
 #if BSD >= 199306
 	char	fr_oifname[IFNAMSIZ];
 #endif
 	struct	frdest	fr_tif;	/* "to" interface */
 	struct	frdest	fr_dif;	/* duplicate packet interfaces */
+	u_int	fr_cksum;	/* checksum on filter rules for performance */
 } frentry_t;
 
+#define	fr_v		fr_ip.fi_v
 #define	fr_proto	fr_ip.fi_p
 #define	fr_ttl		fr_ip.fi_ttl
 #define	fr_tos		fr_ip.fi_tos
-#define	fr_dst		fr_ip.fi_dst
-#define	fr_src		fr_ip.fi_src
-#define	fr_dmsk		fr_mip.fi_dst
-#define	fr_smsk		fr_mip.fi_src
+#define	fr_tcpfm	fr_tuc.ftu_tcpfm
+#define	fr_tcpf		fr_tuc.ftu_tcpf
+#define	fr_scmp		fr_tuc.ftu_scmp
+#define	fr_dcmp		fr_tuc.ftu_dcmp
+#define	fr_dport	fr_tuc.ftu_dport
+#define	fr_sport	fr_tuc.ftu_sport
+#define	fr_stop		fr_tuc.ftu_stop
+#define	fr_dtop		fr_tuc.ftu_dtop
+#define	fr_dst		fr_ip.fi_dst.in4
+#define	fr_src		fr_ip.fi_src.in4
+#define	fr_dmsk		fr_mip.fi_dst.in4
+#define	fr_smsk		fr_mip.fi_src.in4
 
 #ifndef	offsetof
 #define	offsetof(t,m)	(int)((&((t *)0L)->m))
@@ -288,13 +335,16 @@ typedef	struct	filterstats {
 	u_long	fr_chit;	/* cached hit */
 	u_long	fr_tcpbad;	/* TCP checksum check failures */
 	u_long	fr_pull[2];	/* good and bad pullup attempts */
+	u_long	fr_badsrc;	/* source received doesn't match route */
 #if SOLARIS
 	u_long	fr_notdata;	/* PROTO/PCPROTO that have no data */
 	u_long	fr_nodata;	/* mblks that have no data */
 	u_long	fr_bad;		/* bad IP packets to the filter */
 	u_long	fr_notip;	/* packets passed through no on ip queue */
 	u_long	fr_drop;	/* packets dropped - no info for them! */
+	u_long	fr_copy;	/* messages copied due to db_ref > 1 */
 #endif
+	u_long	fr_ipv6[2];	/* IPv6 packets in/out */
 } filterstats_t;
 
 /*
@@ -306,6 +356,10 @@ typedef	struct	friostat	{
 	struct	frentry		*f_fout[2];
 	struct	frentry		*f_acctin[2];
 	struct	frentry		*f_acctout[2];
+	struct	frentry		*f_fin6[2];
+	struct	frentry		*f_fout6[2];
+	struct	frentry		*f_acctin6[2];
+	struct	frentry		*f_acctout6[2];
 	struct	frentry		*f_auth;
 	struct	frgroup		*f_groups[3][2];
 	u_long	f_froute[2];
@@ -313,11 +367,8 @@ typedef	struct	friostat	{
 	char	f_active;	/* 1 or 0 - active rule set */
 	char	f_running;	/* 1 if running, else 0 */
 	char	f_logging;	/* 1 if enabled, else 0 */
-#if !SOLARIS && defined(sun)
-	char	f_version[25];	/* version string */
-#else
 	char	f_version[32];	/* version string */
-#endif
+	int	f_locks[4];
 } friostat_t;
 
 typedef struct	optlist {
@@ -330,7 +381,7 @@ typedef struct	optlist {
  * Group list structure.
  */
 typedef	struct frgroup {
-	u_short	fg_num;
+	u_32_t	fg_num;
 	struct	frgroup	*fg_next;
 	struct	frentry	*fg_head;
 	struct	frentry	**fg_start;
@@ -363,9 +414,9 @@ typedef	struct	ipflog	{
 #endif
 	u_char	fl_plen;	/* extra data after hlen */
 	u_char	fl_hlen;	/* length of IP headers saved */
-	u_short	fl_rule;	/* assume never more than 64k rules, total */
-	u_short	fl_group;
 	u_short	fl_loglevel;	/* syslog log level */
+	u_32_t	fl_rule;
+	u_32_t	fl_group;
 	u_32_t	fl_flags;
 	u_32_t	fl_lflags;
 } ipflog_t;
@@ -435,7 +486,7 @@ extern	int	send_reset __P((ip_t *, struct ifnet *));
 extern	int	icmp_error __P((ip_t *, struct ifnet *));
 extern	int	ipf_log __P((void));
 extern	int	ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
-extern	struct	ifnet *get_unit __P((char *));
+extern	struct	ifnet *get_unit __P((char *, int));
 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
 	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
 extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
@@ -456,11 +507,12 @@ extern	int	ipflog_clear __P((minor_t));
 extern	int	ipflog_read __P((minor_t, struct uio *));
 extern	int	ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
 extern	int	ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
+extern	int	send_icmp_err __P((ip_t *, int, fr_info_t *, int));
+extern	int	send_reset __P((ip_t *, fr_info_t *));
 # if	SOLARIS
 extern	int	fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
 extern	int	(*fr_checkp) __P((ip_t *, int, void *,
 				  int, qif_t *, mb_t **));
-extern	int	icmp_error __P((ip_t *, int, int, qif_t *, struct in_addr));
 #  if SOLARIS2 >= 7
 extern	int	iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
 #  else
@@ -475,9 +527,7 @@ extern	void	copyin_mblk __P((mblk_t *, size_t, size_t, char *));
 extern	void	copyout_mblk __P((mblk_t *, size_t, size_t, char *));
 extern	int	fr_qin __P((queue_t *, mblk_t *));
 extern	int	fr_qout __P((queue_t *, mblk_t *));
-#  ifdef	IPFILTER_LOG
 extern	int	iplread __P((dev_t, struct uio *, cred_t *));
-#  endif
 # else /* SOLARIS */
 extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
 extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
@@ -531,35 +581,49 @@ extern	int	iplread(struct inode *, struct file *, char *, int);
 # endif /* SOLARIS */
 #endif /* #ifndef _KERNEL */
 
+extern	char	*memstr __P((char *, char *, int, int));
 extern	void	fixskip __P((frentry_t **, frentry_t *, int));
 extern	int	countbits __P((u_32_t));
 extern	int	ipldetach __P((void));
-extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
-extern	int	fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
 extern	u_short	ipf_cksum __P((u_short *, int));
-extern	int	fr_copytolog __P((int, char *, int));
-extern	void	fr_forgetifp __P((void *));
+extern	int	ircopyptr __P((void *, void *, size_t));
+extern	int	iwcopyptr __P((void *, void *, size_t));
+
 extern	int	frflush __P((minor_t, int));
 extern	void	frsync __P((void));
-extern	frgroup_t *fr_addgroup __P((u_int, frentry_t *, minor_t, int));
-extern	frgroup_t *fr_findgroup __P((u_int, u_32_t, minor_t, int, frgroup_t ***));
-extern	void	fr_delgroup __P((u_int, u_32_t, minor_t, int));
+extern	frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
+extern	void	fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
+extern	frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int,
+				    frgroup_t ***));
+
+extern	int	fr_copytolog __P((int, char *, int));
+extern	void	fr_forgetifp __P((void *));
+extern	void	fr_getstat __P((struct friostat *));
+extern	int	fr_ifpaddr __P((int, void *, struct in_addr *));
+extern	int	fr_lock __P((caddr_t, int *));
 extern  void	fr_makefrip __P((int, ip_t *, fr_info_t *));
-extern	int	fr_ifpaddr __P((void *, struct in_addr *));
-extern	char	*memstr __P((char *, char *, int, int));
+extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
+extern	int	fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
+extern	int	fr_tcpudpchk __P((frtuc_t *, fr_info_t *));
+extern	int	fr_verifysrc __P((struct in_addr, void *));
+
 extern	int	ipl_unreach;
 extern	int	fr_running;
 extern	u_long	ipl_frouteok[2];
 extern	int	fr_pass;
 extern	int	fr_flags;
 extern	int	fr_active;
+extern	int	fr_chksrc;
 extern	fr_info_t	frcache[2];
 extern	char	ipfilter_version[];
-#ifdef	IPFILTER_LOG
 extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
 extern	size_t	iplused[IPL_LOGMAX + 1];
-#endif
 extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
+#ifdef	USE_INET6
+extern	struct frentry *ipfilter6[2][2], *ipacct6[2][2];
+extern	int	icmptoicmp6types[ICMP_MAXTYPE+1];
+extern	int	icmptoicmp6unreach[ICMP_MAX_UNREACH];
+#endif
 extern	struct frgroup *ipfgroups[3][2];
 extern	struct filterstats frstats[];
 
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
index 6448f69f9758..8d2bbc5c6787 100644
--- a/sys/netinet/ip_frag.c
+++ b/sys/netinet/ip_frag.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -25,7 +25,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 # include <string.h>
 # include <stdlib.h>
 #endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
+#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
 #else
@@ -86,13 +86,20 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 extern struct callout_handle ipfr_slowtimer_ch;
 # endif
 #endif
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
+# include <sys/callout.h>
+extern struct callout ipfr_slowtimer_ch;
+#endif
+
+
+static ipfr_t	*ipfr_heads[IPFT_SIZE];
+static ipfr_t	*ipfr_nattab[IPFT_SIZE];
+static ipfrstat_t ipfr_stats;
+static int	ipfr_inuse = 0;
 
+int	fr_ipfrttl = 120;	/* 60 seconds */
+int	fr_frag_lock = 0;
 
-ipfr_t	*ipfr_heads[IPFT_SIZE];
-ipfr_t	*ipfr_nattab[IPFT_SIZE];
-ipfrstat_t ipfr_stats;
-int	ipfr_inuse = 0,
-	fr_ipfrttl = 120;	/* 60 seconds */
 #ifdef _KERNEL
 # if SOLARIS2 >= 7
 extern	timeout_id_t	ipfr_timer_id;
@@ -159,7 +166,7 @@ ipfr_t *table[];
 	for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
 		if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
 			  IPFR_CMPSZ)) {
-			ATOMIC_INC(ipfr_stats.ifs_exists);
+			ATOMIC_INCL(ipfr_stats.ifs_exists);
 			return NULL;
 		}
 
@@ -169,12 +176,12 @@ ipfr_t *table[];
 	 */
 	KMALLOC(fra, ipfr_t *);
 	if (fra == NULL) {
-		ATOMIC_INC(ipfr_stats.ifs_nomem);
+		ATOMIC_INCL(ipfr_stats.ifs_nomem);
 		return NULL;
 	}
 
 	if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
-		ATOMIC_INC(fin->fin_fr->fr_ref);
+		ATOMIC_INC32(fin->fin_fr->fr_ref);
 	}
 
 
@@ -194,8 +201,8 @@ ipfr_t *table[];
 	 * Compute the offset of the expected start of the next packet.
 	 */
 	fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3);
-	ATOMIC_INC(ipfr_stats.ifs_new);
-	ATOMIC_INC(ipfr_inuse);
+	ATOMIC_INCL(ipfr_stats.ifs_new);
+	ATOMIC_INC32(ipfr_inuse);
 	return fra;
 }
 
@@ -207,6 +214,8 @@ u_int pass;
 {
 	ipfr_t	*ipf;
 
+	if ((ip->ip_v != 4) || (fr_frag_lock))
+		return NULL;
 	WRITE_ENTER(&ipf_frag);
 	ipf = ipfr_new(ip, fin, pass, ipfr_heads);
 	RWLOCK_EXIT(&ipf_frag);
@@ -222,6 +231,8 @@ nat_t *nat;
 {
 	ipfr_t	*ipf;
 
+	if ((ip->ip_v != 4) || (fr_frag_lock))
+		return NULL;
 	WRITE_ENTER(&ipf_natfrag);
 	ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
 	if (ipf != NULL) {
@@ -295,7 +306,7 @@ ipfr_t *table[];
 				else
 					f->ipfr_off = atoff;
 			}
-			ATOMIC_INC(ipfr_stats.ifs_hits);
+			ATOMIC_INCL(ipfr_stats.ifs_hits);
 			return f;
 		}
 	return NULL;
@@ -312,6 +323,8 @@ fr_info_t *fin;
 	nat_t	*nat;
 	ipfr_t	*ipf;
 
+	if ((ip->ip_v != 4) || (fr_frag_lock))
+		return NULL;
 	READ_ENTER(&ipf_natfrag);
 	ipf = ipfr_lookup(ip, fin, ipfr_nattab);
 	if (ipf != NULL) {
@@ -340,6 +353,8 @@ fr_info_t *fin;
 	frentry_t *fr = NULL;
 	ipfr_t	*fra;
 
+	if ((ip->ip_v != 4) || (fr_frag_lock))
+		return NULL;
 	READ_ENTER(&ipf_frag);
 	fra = ipfr_lookup(ip, fin, ipfr_heads);
 	if (fra != NULL)
@@ -375,7 +390,7 @@ ipfr_t *fra;
 
 	fr = fra->ipfr_rule;
 	if (fr != NULL) {
-		ATOMIC_DEC(fr->fr_ref);
+		ATOMIC_DEC32(fr->fr_ref);
 		if (fr->fr_ref == 0)
 			KFREE(fr);
 	}
@@ -422,19 +437,7 @@ void ipfr_unload()
 
 
 #ifdef	_KERNEL
-/*
- * Slowly expire held state for fragments.  Timeouts are set * in expectation
- * of this being called twice per second.
- */
-# if (BSD >= 199306) || SOLARIS || defined(__sgi)
-#  if defined(SOLARIS2) && (SOLARIS2 < 7)
-void ipfr_slowtimer()
-#  else
-void ipfr_slowtimer __P((void *ptr))
-#  endif
-# else
-int ipfr_slowtimer()
-# endif
+void ipfr_fragexpire()
 {
 	ipfr_t	**fp, *fra;
 	nat_t	*nat;
@@ -442,18 +445,11 @@ int ipfr_slowtimer()
 #if defined(_KERNEL)
 # if !SOLARIS
 	int	s;
-# else
-	extern	int	fr_running;
-
-	if (fr_running <= 0) 
-		return;
 # endif
 #endif
 
-	READ_ENTER(&ipf_solaris);
-#ifdef __sgi
-	ipfilter_sgi_intfsync();
-#endif
+	if (fr_frag_lock)
+		return;
 
 	SPL_NET(s);
 	WRITE_ENTER(&ipf_frag);
@@ -469,8 +465,8 @@ int ipfr_slowtimer()
 			if (fra->ipfr_ttl == 0) {
 				*fp = fra->ipfr_next;
 				ipfr_delete(fra);
-				ATOMIC_INC(ipfr_stats.ifs_expire);
-				ATOMIC_DEC(ipfr_inuse);
+				ATOMIC_INCL(ipfr_stats.ifs_expire);
+				ATOMIC_DEC32(ipfr_inuse);
 			} else
 				fp = &fra->ipfr_next;
 		}
@@ -489,8 +485,8 @@ int ipfr_slowtimer()
 		for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
 			--fra->ipfr_ttl;
 			if (fra->ipfr_ttl == 0) {
-				ATOMIC_INC(ipfr_stats.ifs_expire);
-				ATOMIC_DEC(ipfr_inuse);
+				ATOMIC_INCL(ipfr_stats.ifs_expire);
+				ATOMIC_DEC32(ipfr_inuse);
 				nat = fra->ipfr_data;
 				if (nat != NULL) {
 					if (nat->nat_data == fra)
@@ -504,23 +500,55 @@ int ipfr_slowtimer()
 	RWLOCK_EXIT(&ipf_natfrag);
 	RWLOCK_EXIT(&ipf_nat);
 	SPL_X(s);
+}
+
+
+/*
+ * Slowly expire held state for fragments.  Timeouts are set * in expectation
+ * of this being called twice per second.
+ */
+# if (BSD >= 199306) || SOLARIS || defined(__sgi)
+#  if defined(SOLARIS2) && (SOLARIS2 < 7)
+void ipfr_slowtimer()
+#  else
+void ipfr_slowtimer __P((void *ptr))
+#  endif
+# else
+int ipfr_slowtimer()
+# endif
+{
+#if defined(_KERNEL) && SOLARIS
+	extern	int	fr_running;
+
+	if (fr_running <= 0) 
+		return;
+#endif
+
+	READ_ENTER(&ipf_solaris);
+#ifdef __sgi
+	ipfilter_sgi_intfsync();
+#endif
+
+	ipfr_fragexpire();
 	fr_timeoutstate();
 	ip_natexpire();
 	fr_authexpire();
-# if	SOLARIS
+# if    SOLARIS
 	ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
+	RWLOCK_EXIT(&ipf_solaris);
 # else
-#  ifndef linux
+#  if defined(__NetBSD__) && (__NetBSD_Version__ >= 104240000)
+	callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
+#  else
 #   if (__FreeBSD_version >= 300000)
 	ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
 #   else
 	timeout(ipfr_slowtimer, NULL, hz/2);
 #   endif
-#  endif
-#  if (BSD < 199306) && !defined(__sgi)
+#   if (BSD < 199306) && !defined(__sgi)
 	return 0;
-#  endif
-# endif
-	RWLOCK_EXIT(&ipf_solaris);
+#   endif /* FreeBSD */
+#  endif /* NetBSD */
+# endif /* SOLARIS */
 }
 #endif /* defined(_KERNEL) */
diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h
index 0494e9c60531..4fb35976e70a 100644
--- a/sys/netinet/ip_frag.h
+++ b/sys/netinet/ip_frag.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1998 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -43,6 +43,7 @@ typedef	struct	ipfrstat {
 #define	IPFR_CMPSZ	(4 + 4 + 2 + 1 + 1)
 
 extern	int	fr_ipfrttl;
+extern	int	fr_frag_lock;
 extern	ipfrstat_t	*ipfr_fragstats __P((void));
 extern	int	ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
 extern	int	ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
@@ -50,6 +51,7 @@ extern	nat_t	*ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
 extern	frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
 extern	void	ipfr_forget __P((void *));
 extern	void	ipfr_unload __P((void));
+extern	void	ipfr_fragexpire __P((void));
 
 #if     (BSD >= 199306) || SOLARIS || defined(__sgi)
 # if defined(SOLARIS2) && (SOLARIS2 < 7)
diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c
index 56b86bdab5b3..0eb54c0bb66b 100644
--- a/sys/netinet/ip_ftp_pxy.c
+++ b/sys/netinet/ip_ftp_pxy.c
@@ -2,7 +2,6 @@
  * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  * $FreeBSD$
- *
  */
 #if SOLARIS && defined(_KERNEL)
 extern	kmutex_t	ipf_rw;
@@ -20,15 +19,21 @@ extern	kmutex_t	ipf_rw;
 #define	IPF_MAXPORTLEN	30
 #define	IPF_MIN227LEN	39
 #define	IPF_MAX227LEN	51
+#define	IPF_FTPBUFSZ	96	/* This *MUST* be >= 53! */
 
 
+int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
+int ippr_ftp_complete __P((char *, size_t));
+int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
 int ippr_ftp_init __P((void));
+int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
 int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_portmsg __P((fr_info_t *, ip_t *, nat_t *));
-int ippr_ftp_pasvmsg __P((fr_info_t *, ip_t *, nat_t *));
-
-u_short ipf_ftp_atoi __P((char **));
+int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
+int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
+int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
+int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
+int ippr_ftp_valid __P((char *, size_t));
+u_short ippr_ftp_atoi __P((char **));
 
 static	frentry_t	natfr;
 int	ippr_ftp_pasvonly = 0;
@@ -47,48 +52,47 @@ int ippr_ftp_init()
 }
 
 
-/*
- * ipf_ftp_atoi - implement a version of atoi which processes numbers in
- * pairs separated by commas (which are expected to be in the range 0 - 255),
- * returning a 16 bit number combining either side of the , as the MSB and
- * LSB.
- */
-u_short ipf_ftp_atoi(ptr)
-char **ptr;
+int ippr_ftp_new(fin, ip, aps, nat)
+fr_info_t *fin;
+ip_t *ip;
+ap_session_t *aps;
+nat_t *nat;
 {
-	register char *s = *ptr, c;
-	register u_char i = 0, j = 0;
+	ftpinfo_t *ftp;
+	ftpside_t *f;
 
-	while ((c = *s++) && isdigit(c)) {
-		i *= 10;
-		i += c - '0';
-	}
-	if (c != ',') {
-		*ptr = NULL;
-		return 0;
-	}
-	while ((c = *s++) && isdigit(c)) {
-		j *= 10;
-		j += c - '0';
-	}
-	*ptr = s;
-	return (i << 8) | j;
+	KMALLOC(ftp, ftpinfo_t *);
+	if (ftp == NULL)
+		return -1;
+	aps->aps_data = ftp;
+	aps->aps_psiz = sizeof(ftpinfo_t);
+
+	bzero((char *)ftp, sizeof(*ftp));
+	f = &ftp->ftp_side[0];
+	f->ftps_rptr = f->ftps_buf;
+	f->ftps_wptr = f->ftps_buf;
+	f = &ftp->ftp_side[1];
+	f->ftps_rptr = f->ftps_buf;
+	f->ftps_wptr = f->ftps_buf;
+	return 0;
 }
 
 
-int ippr_ftp_portmsg(fin, ip, nat)
+int ippr_ftp_port(fin, ip, nat, f, dlen)
 fr_info_t *fin;
 ip_t *ip;
 nat_t *nat;
+ftpside_t *f;
+int dlen;
 {
-	char portbuf[IPF_MAXPORTLEN + 1], newbuf[IPF_MAXPORTLEN + 1], *s;
 	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
-	size_t nlen = 0, dlen, olen;
+	char newbuf[IPF_FTPBUFSZ], *s;
 	u_short a5, a6, sp, dp;
 	u_int a1, a2, a3, a4;
 	struct in_addr swip;
-	int off, inc = 0;
+	size_t nlen, olen;
 	fr_info_t fi;
+	int inc, off;
 	nat_t *ipn;
 	mb_t *m;
 #if	SOLARIS
@@ -105,17 +109,16 @@ nat_t *nat;
 	/*
 	 * Skip the PORT command + space
 	 */
-	s = portbuf + 5;
+	s = f->ftps_rptr + 5;
 	/*
 	 * Pick out the address components, two at a time.
 	 */
-	a1 = ipf_ftp_atoi(&s);
+	a1 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
-	a2 = ipf_ftp_atoi(&s);
+	a2 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
-
 	/*
 	 * check that IP address in the PORT/PASV reply is the same as the
 	 * sender of the command - prevents using PORT for port scanning.
@@ -125,7 +128,7 @@ nat_t *nat;
 	if (a1 != ntohl(nat->nat_inip.s_addr))
 		return 0;
 
-	a5 = ipf_ftp_atoi(&s);
+	a5 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
 	if (*s == ')')
@@ -150,13 +153,18 @@ nat_t *nat;
 	a3 = (a1 >> 8) & 0xff;
 	a4 = a1 & 0xff;
 	a1 >>= 24;
-	olen = s - portbuf;
+	olen = s - f->ftps_rptr;
+	/* DO NOT change this to sprintf! */
 	(void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
 		       "PORT", a1, a2, a3, a4, a5, a6);
 
 	nlen = strlen(newbuf);
 	inc = nlen - olen;
+	if ((inc + ip->ip_len) > 65535)
+		return 0;
+
 #if SOLARIS
+	m = fin->fin_qfm;
 	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
 		;
 	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
@@ -182,6 +190,7 @@ nat_t *nat;
 	}
 	copyin_mblk(m, off, nlen, newbuf);
 #else
+	m = *((mb_t **)fin->fin_mp);
 	if (inc < 0)
 		m_adj(m, inc);
 	/* the mbuf chain will be extended if necessary by m_copyback() */
@@ -215,6 +224,12 @@ nat_t *nat;
 	 */
 	sp = htons(a5 << 8 | a6);
 	/*
+	 * Don't allow the PORT command to specify a port < 1024 due to
+	 * security crap.
+	 */
+	if (ntohs(sp) < 1024)
+		return 0;
+	/*
 	 * The server may not make the connection back from port 20, but
 	 * it is the most likely so use it here to check for a conflicting
 	 * mapping.
@@ -223,10 +238,15 @@ nat_t *nat;
 	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
 			    ip->ip_dst, (dp << 16) | sp);
 	if (ipn == NULL) {
+		int slen;
+
+		slen = ip->ip_len;
+		ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
 		bcopy((char *)fin, (char *)&fi, sizeof(fi));
 		bzero((char *)tcp2, sizeof(*tcp2));
 		tcp2->th_win = htons(8192);
 		tcp2->th_sport = sp;
+		tcp2->th_off = 5;
 		tcp2->th_dport = 0; /* XXX - don't specify remote port */
 		fi.fin_data[0] = ntohs(sp);
 		fi.fin_data[1] = 0;
@@ -239,17 +259,19 @@ nat_t *nat;
 			ipn->nat_age = fr_defnatage;
 			(void) fr_addstate(ip, &fi, FI_W_DPORT);
 		}
+		ip->ip_len = slen;
 		ip->ip_src = swip;
 	}
 	return inc;
 }
 
 
-int ippr_ftp_out(fin, ip, aps, nat)
+int ippr_ftp_client(fin, ip, nat, ftp, dlen)
 fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
 nat_t *nat;
+ftpinfo_t *ftp;
+ip_t *ip;
+int dlen;
 {
 	char *rptr, *wptr, cmd[6], c;
 	ftpside_t *f;
@@ -289,42 +311,28 @@ nat_t *nat;
 }
 
 
-int ippr_ftp_pasvmsg(fin, ip, nat)
+int ippr_ftp_pasv(fin, ip, nat, f, dlen)
 fr_info_t *fin;
 ip_t *ip;
 nat_t *nat;
+ftpside_t *f;
+int dlen;
 {
-	char portbuf[IPF_MAX227LEN + 1], newbuf[IPF_MAX227LEN + 1], *s;
-	int off, olen, dlen, nlen = 0, inc = 0;
-	tcphdr_t tcph, *tcp2 = &tcph;
+	tcphdr_t *tcp, tcph, *tcp2 = &tcph;
 	struct in_addr swip, swip2;
-	u_short a5, a6, dp, sp;
+	u_short a5, a6, sp, dp;
 	u_int a1, a2, a3, a4;
-	tcphdr_t *tcp;
 	fr_info_t fi;
 	nat_t *ipn;
 	int inc;
 	char *s;
 
-	dlen = msgdsize(m) - off;
-	if (dlen > 0)
-		copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
-#else
-	dlen = mbufchainlen(m) - off;
-	if (dlen > 0)
-		m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
-#endif
-	if (dlen == 0)
+	/*
+	 * Check for PASV reply message.
+	 */
+	if (dlen < IPF_MIN227LEN)
 		return 0;
-	portbuf[sizeof(portbuf) - 1] = '\0';
-	*newbuf = '\0';
-
-	if (!strncmp(portbuf, "227 ", 4)) {
-		if (dlen < IPF_MIN227LEN)
-			return 0;
-		else if (strncmp(portbuf, "227 Entering Passive Mode", 25))
-			return 0;
-	} else
+	else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
 		return 0;
 
 	tcp = (tcphdr_t *)fin->fin_dp;
@@ -332,16 +340,16 @@ nat_t *nat;
 	/*
 	 * Skip the PORT command + space
 	 */
-	s = portbuf + 25;
+	s = f->ftps_rptr + 25;
 	while (*s && !isdigit(*s))
 		s++;
 	/*
 	 * Pick out the address components, two at a time.
 	 */
-	a1 = ipf_ftp_atoi(&s);
+	a1 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
-	a2 = ipf_ftp_atoi(&s);
+	a2 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
 
@@ -354,7 +362,7 @@ nat_t *nat;
 	if (a1 != ntohl(nat->nat_oip.s_addr))
 		return 0;
 
-	a5 = ipf_ftp_atoi(&s);
+	a5 = ippr_ftp_atoi(&s);
 	if (!s)
 		return 0;
 
@@ -379,13 +387,18 @@ nat_t *nat;
 	a3 = (a1 >> 8) & 0xff;
 	a4 = a1 & 0xff;
 	a1 >>= 24;
-	olen = s - portbuf;
+	inc = 0;
+#if 0
+	olen = s - f->ftps_rptr;
 	(void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
 		       "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6);
-
 	nlen = strlen(newbuf);
 	inc = nlen - olen;
+	if ((inc + ip->ip_len) > 65535)
+		return 0;
+
 #if SOLARIS
+	m = fin->fin_qfm;
 	for (m1 = m; m1->b_cont; m1 = m1->b_cont)
 		;
 	if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
@@ -442,10 +455,15 @@ nat_t *nat;
 	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
 			    ip->ip_dst, (dp << 16) | sp);
 	if (ipn == NULL) {
+		int slen;
+
+		slen = ip->ip_len;
+		ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
 		bcopy((char *)fin, (char *)&fi, sizeof(fi));
 		bzero((char *)tcp2, sizeof(*tcp2));
 		tcp2->th_win = htons(8192);
 		tcp2->th_sport = 0;		/* XXX - fake it for nat_new */
+		tcp2->th_off = 5;
 		fi.fin_data[0] = a5 << 8 | a6;
 		tcp2->th_dport = htons(fi.fin_data[0]);
 		fi.fin_data[1] = 0;
@@ -460,6 +478,7 @@ nat_t *nat;
 			ipn->nat_age = fr_defnatage;
 			(void) fr_addstate(ip, &fi, FI_W_SPORT);
 		}
+		ip->ip_len = slen;
 		ip->ip_src = swip;
 		ip->ip_dst = swip2;
 	}
@@ -708,6 +727,39 @@ ip_t *ip;
 ap_session_t *aps;
 nat_t *nat;
 {
+	ftpinfo_t *ftp;
+
+	ftp = aps->aps_data;
+	if (ftp == NULL)
+		return 0;
+	return ippr_ftp_process(fin, ip, nat, ftp, 1);
+}
+
+
+/*
+ * ippr_ftp_atoi - implement a version of atoi which processes numbers in
+ * pairs separated by commas (which are expected to be in the range 0 - 255),
+ * returning a 16 bit number combining either side of the , as the MSB and
+ * LSB.
+ */
+u_short ippr_ftp_atoi(ptr)
+char **ptr;
+{
+	register char *s = *ptr, c;
+	register u_char i = 0, j = 0;
 
-	return ippr_ftp_pasvmsg(fin, ip, nat);
+	while ((c = *s++) && isdigit(c)) {
+		i *= 10;
+		i += c - '0';
+	}
+	if (c != ',') {
+		*ptr = NULL;
+		return 0;
+	}
+	while ((c = *s++) && isdigit(c)) {
+		j *= 10;
+		j += c - '0';
+	}
+	*ptr = s;
+	return (i << 8) | j;
 }
diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c
index 206e24e9756e..9178c74742ff 100644
--- a/sys/netinet/ip_log.c
+++ b/sys/netinet/ip_log.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 1997-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -16,12 +16,14 @@
 # include "opt_ipfilter_log.h"
 #endif
 #ifdef  __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-#  if !defined(__FreeBSD_version)
+# if defined(IPFILTER_LKM) || defined(_KERNEL)
+#  if !defined(__FreeBSD_version) 
 #   include <sys/osreldate.h>
 #  endif
-#  if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-#   include "opt_ipfilter.h"
+#  if !defined(IPFILTER_LKM)
+#   if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
+#    include "opt_ipfilter.h"
+#   endif
 #  endif
 # else
 #  ifdef KLD_MODULE
@@ -31,7 +33,7 @@
 #  endif
 # endif
 #endif
-#ifdef	IPFILTER_LOG
+#ifdef  IPFILTER_LOG
 # ifndef SOLARIS
 #  define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 # endif
@@ -135,7 +137,7 @@ extern	kcondvar_t	iplwait;
 
 iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
 size_t	iplused[IPL_LOGMAX+1];
-fr_info_t	iplcrc[IPL_LOGMAX+1];
+static fr_info_t	iplcrc[IPL_LOGMAX+1];
 # ifdef	linux
 static struct wait_queue *iplwait[IPL_LOGMAX+1];
 # endif
@@ -178,6 +180,7 @@ mb_t *m;
 	size_t sizes[2];
 	void *ptrs[2];
 	int types[2];
+	u_char p;
 # if SOLARIS
 	ill_t *ifp = fin->fin_ifp;
 # else
@@ -188,15 +191,16 @@ mb_t *m;
 	 * calculate header size.
 	 */
 	hlen = fin->fin_hlen;
-	if ((ip->ip_off & IP_OFFMASK) == 0) {
-		if (ip->ip_p == IPPROTO_TCP)
+	if (fin->fin_off == 0) {
+		p = fin->fin_fi.fi_p;
+		if (p == IPPROTO_TCP)
 			hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
-		else if (ip->ip_p == IPPROTO_UDP)
+		else if (p == IPPROTO_UDP)
 			hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
-		else if (ip->ip_p == IPPROTO_ICMP) {
-			struct	icmp	*icmp;
+		else if (p == IPPROTO_ICMP) {
+			struct icmp *icmp;
 
-			icmp = (struct icmp *)((char *)ip + hlen);
+			icmp = (struct icmp *)fin->fin_dp;
 	 
 			/*
 			 * For ICMP, if the packet is an error packet, also
@@ -241,7 +245,7 @@ mb_t *m;
 			if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
 				ipfl.fl_ifname[3] = ifp->if_name[3];
 #  endif
-	mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
+	mlen = (flags & FR_LOGBODY) ? MIN(fin->fin_plen - hlen, 128) : 0;
 # endif
 	ipfl.fl_plen = (u_char)mlen;
 	ipfl.fl_hlen = (u_char)hlen;
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
index c4ebf3803308..dc0c7f21ae82 100644
--- a/sys/netinet/ip_nat.c
+++ b/sys/netinet/ip_nat.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -31,7 +31,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 # include <string.h>
 # include <stdlib.h>
 #endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
+#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
 #else
@@ -118,24 +118,36 @@ ipnat_t	*nat_list = NULL;
 u_int	ipf_nattable_sz = NAT_TABLE_SZ;
 u_int	ipf_natrules_sz = NAT_SIZE;
 u_int	ipf_rdrrules_sz = RDR_SIZE;
+u_int	ipf_hostmap_sz = HOSTMAP_SIZE;
 u_32_t	nat_masks = 0;
 u_32_t	rdr_masks = 0;
 ipnat_t	**nat_rules = NULL;
 ipnat_t	**rdr_rules = NULL;
+hostmap_t	**maptable  = NULL;
 
 u_long	fr_defnatage = DEF_NAT_AGE,
 	fr_defnaticmpage = 6;		/* 3 seconds */
-natstat_t nat_stats;
+static natstat_t nat_stats;
+int	fr_nat_lock = 0;
 #if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern	kmutex_t	ipf_rw;
+extern	kmutex_t	ipf_rw, ipf_hostmap;
 extern	KRWLOCK_T	ipf_nat;
 #endif
 
 static	int	nat_flushtable __P((void));
 static	int	nat_clearlist __P((void));
+static	void	nat_addnat __P((struct ipnat *));
+static	void	nat_addrdr __P((struct ipnat *));
 static	void	nat_delete __P((struct nat *));
 static	void	nat_delrdr __P((struct ipnat *));
 static	void	nat_delnat __P((struct ipnat *));
+static	int	fr_natgetent __P((caddr_t));
+static	int	fr_natgetsz __P((caddr_t));
+static	int	fr_natputent __P((caddr_t));
+static	int	nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
+static	hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
+				    struct in_addr));
+static	void	nat_hostmapdel __P((struct hostmap *));
 
 
 int nat_init()
@@ -163,39 +175,129 @@ int nat_init()
 		bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
 	else
 		return -1;
+
+	KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
+	if (maptable != NULL)
+		bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
+	else
+		return -1;
 	return 0;
 }
 
 
-void nat_delrdr(n)
+static void nat_addrdr(n)
 ipnat_t *n;
 {
-	ipnat_t **n1;
-	u_32_t iph;
+	ipnat_t **np;
+	u_32_t j;
 	u_int hv;
+	int k;
 
-	iph = n->in_outip & n->in_outmsk;
-	hv = NAT_HASH_FN(iph, ipf_rdrrules_sz);
-	for (n1 = &rdr_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_rnext)
-		;
-	if (*n1)
-		*n1 = n->in_rnext;
+	k = countbits(n->in_outmsk);
+	if ((k >= 0) && (k != 32))
+		rdr_masks |= 1 << k;
+	j = (n->in_outip & n->in_outmsk);
+	hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
+	np = rdr_rules + hv;
+	while (*np != NULL)
+		np = &(*np)->in_rnext;
+	n->in_rnext = NULL;
+	n->in_prnext = np;
+	*np = n;
+}
+
+
+static void nat_addnat(n)
+ipnat_t *n;
+{
+	ipnat_t **np;
+	u_32_t j;
+	u_int hv;
+	int k;
+
+	k = countbits(n->in_inmsk);
+	if ((k >= 0) && (k != 32))
+		nat_masks |= 1 << k;
+	j = (n->in_inip & n->in_inmsk);
+	hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
+	np = nat_rules + hv;
+	while (*np != NULL)
+		np = &(*np)->in_mnext;
+	n->in_mnext = NULL;
+	n->in_pmnext = np;
+	*np = n;
+}
+
+
+static void nat_delrdr(n)
+ipnat_t *n;
+{
+	if (n->in_rnext)
+		n->in_rnext->in_prnext = n->in_prnext;
+	*n->in_prnext = n->in_rnext;
 }
 
 
 static void nat_delnat(n)
 ipnat_t *n;
 {
-	ipnat_t **n1;
-	u_32_t iph;
+	if (n->in_mnext)
+		n->in_mnext->in_pmnext = n->in_pmnext;
+	*n->in_pmnext = n->in_mnext;
+}
+
+
+/*
+ * check if an ip address has already been allocated for a given mapping that
+ * is not doing port based translation.
+ */
+static struct hostmap *nat_hostmap(np, real, map)
+ipnat_t *np;
+struct in_addr real;
+struct in_addr map;
+{
+	hostmap_t *hm;
 	u_int hv;
 
-	iph = n->in_inip & n->in_inmsk;
-	hv = NAT_HASH_FN(iph, ipf_natrules_sz);
-	for (n1 = &nat_rules[hv]; *n1 && (*n1 != n); n1 = &(*n1)->in_mnext)
-		;
-	if (*n1)
-		*n1 = n->in_mnext;
+	MUTEX_ENTER(&ipf_hostmap);
+	hv = real.s_addr % HOSTMAP_SIZE;
+	for (hm = maptable[hv]; hm; hm = hm->hm_next)
+		if ((hm->hm_realip.s_addr == real.s_addr) &&
+		    (np == hm->hm_ipnat)) {
+			hm->hm_ref++;
+			MUTEX_EXIT(&ipf_hostmap);
+			return hm;
+		}
+
+	KMALLOC(hm, hostmap_t *);
+	if (hm) {
+		hm->hm_next = maptable[hv];
+		hm->hm_pnext = maptable + hv;
+		if (maptable[hv])
+			maptable[hv]->hm_pnext = &hm->hm_next;
+		maptable[hv] = hm;
+		hm->hm_ipnat = np;
+		hm->hm_realip = real;
+		hm->hm_mapip = map;
+		hm->hm_ref = 1;
+	}
+	MUTEX_EXIT(&ipf_hostmap);
+	return hm;
+}
+
+
+static void nat_hostmapdel(hm)
+struct hostmap *hm;
+{
+	MUTEX_ENTER(&ipf_hostmap);
+	ATOMIC_DEC32(hm->hm_ref);
+	if (hm->hm_ref == 0) {
+		if (hm->hm_next)
+			hm->hm_next->hm_pnext = hm->hm_pnext;
+		*hm->hm_pnext = hm->hm_next;
+		KFREE(hm);
+	}
+	MUTEX_EXIT(&ipf_hostmap);
 }
 
 
@@ -280,7 +382,7 @@ int len;
  * Handle ioctls which manipulate the NAT.
  */
 int nat_ioctl(data, cmd, mode)
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 u_long cmd;
 #else
 int cmd;
@@ -289,12 +391,9 @@ caddr_t data;
 int mode;
 {
 	register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
-	int error = 0, ret, k;
+	int error = 0, ret, arg;
 	ipnat_t natd;
 	u_32_t i, j;
-#if defined(_KERNEL) && !SOLARIS
-	int s;
-#endif
 
 #if (BSD >= 199306) && defined(_KERNEL)
 	if ((securelevel >= 2) && (mode & FWRITE))
@@ -304,19 +403,24 @@ int mode;
 	nat = NULL;     /* XXX gcc -Wuninitialized */
 	KMALLOC(nt, ipnat_t *);
 	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
-		IRCOPY(data, (char *)&natd, sizeof(natd));
+		error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
+	else if (cmd == SIOCIPFFL)	/* SIOCFLNAT & SIOCCNATL */
+		error = IRCOPY(data, (char *)&arg, sizeof(arg));
+
+	if (error)
+		goto done;
 
 	/*
 	 * For add/delete, look to see if the NAT entry is already present
 	 */
-	SPL_NET(s);
 	WRITE_ENTER(&ipf_nat);
 	if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
 		nat = &natd;
 		nat->in_flags &= IPN_USERFLAGS;
 		if ((nat->in_redir & NAT_MAPBLK) == 0) {
-			nat->in_inip &= nat->in_inmsk;
-			if ((nat->in_flags & IPN_RANGE) == 0)
+			if ((nat->in_flags & IPN_SPLIT) == 0)
+				nat->in_inip &= nat->in_inmsk;
+			if ((nat->in_flags & IPN_IPRANGE) == 0)
 				nat->in_outip &= nat->in_outmsk;
 		}
 		for (np = &nat_list; (n = *np); np = &n->in_next)
@@ -329,11 +433,17 @@ int mode;
 	{
 #ifdef  IPFILTER_LOG
 	case SIOCIPFFB :
+	{
+		int tmp;
+
 		if (!(mode & FWRITE))
 			error = EPERM;
-		else
-			*(int *)data = ipflog_clear(IPL_LOGNAT);
+		else {
+			tmp = ipflog_clear(IPL_LOGNAT);
+			IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));
+		}
 		break;
+	}
 #endif
 	case SIOCADNAT :
 		if (!(mode & FWRITE)) {
@@ -351,7 +461,7 @@ int mode;
 		n = nt;
 		nt = NULL;
 		bcopy((char *)nat, (char *)n, sizeof(*n));
-		n->in_ifp = (void *)GETUNIT(n->in_ifname);
+		n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
 		if (!n->in_ifp)
 			n->in_ifp = (void *)-1;
 		if (n->in_plabel[0] != '\0') {
@@ -378,8 +488,10 @@ int mode;
 			n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
 		else if (n->in_flags & IPN_AUTOPORTMAP)
 			n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
-		else if (n->in_flags & IPN_RANGE)
+		else if (n->in_flags & IPN_IPRANGE)
 			n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
+		else if (n->in_flags & IPN_SPLIT)
+			n->in_space = 2;
 		else
 			n->in_space = ~ntohl(n->in_outmsk);
 		/*
@@ -392,15 +504,18 @@ int mode;
 		 * If to a single IP address, set to 1.
 		 */
 		if (n->in_space) {
-			if ((n->in_flags & IPN_RANGE) != 0)
+			if ((n->in_flags & IPN_IPRANGE) != 0)
 				n->in_space += 1;
 			else
 				n->in_space -= 1;
 		} else
 			n->in_space = 1;
 		if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
-		    ((n->in_flags & IPN_RANGE) == 0))
+		    ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
 			n->in_nip = ntohl(n->in_outip) + 1;
+		else if ((n->in_flags & IPN_SPLIT) &&
+			 (n->in_redir & NAT_REDIRECT))
+			n->in_nip = ntohl(n->in_inip);
 		else
 			n->in_nip = ntohl(n->in_outip);
 		if (n->in_redir & NAT_MAP) {
@@ -482,44 +597,76 @@ int mode;
 		nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
 		nat_stats.ns_instances = nat_instances;
 		nat_stats.ns_apslist = ap_sess_list;
-		IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
+		error = IWCOPYPTR((char *)&nat_stats, (char *)data,
+				  sizeof(nat_stats));
 		break;
 	case SIOCGNATL :
 	    {
 		natlookup_t nl;
 
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IRCOPY((char *)data, (char *)&nl, sizeof(nl));
+		error = IRCOPYPTR((char *)data, (char *)&nl, sizeof(nl));
+		if (error)
+			break;
 
 		if (nat_lookupredir(&nl)) {
-			IWCOPY((char *)&nl, (char *)data, sizeof(nl));
+			error = IWCOPYPTR((char *)&nl, (char *)data,
+					  sizeof(nl));
 		} else
 			error = ESRCH;
 		break;
 	    }
-	case SIOCFLNAT :
+	case SIOCIPFFL :	/* old SIOCFLNAT & SIOCCNATL */
 		if (!(mode & FWRITE)) {
 			error = EPERM;
 			break;
 		}
-		ret = nat_flushtable();
+		error = 0;
+		if (arg == 0)
+			ret = nat_flushtable();
+		else if (arg == 1)
+			ret = nat_clearlist();
+		else
+			error = EINVAL;
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&ret, data, sizeof(ret));
+		if (!error) {
+			error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
+			if (error)
+				error = EFAULT;
+		}
 		break;
-	case SIOCCNATL :
-		if (!(mode & FWRITE)) {
-			error = EPERM;
-			break;
+	case SIOCSTLCK :
+		error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+		if (!error) {
+			error = IWCOPY((caddr_t)&fr_nat_lock, data,
+					sizeof(fr_nat_lock));
+			if (!error)
+				fr_nat_lock = arg;
 		}
-		ret = nat_clearlist();
-		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&ret, data, sizeof(ret));
+		break;
+	case SIOCSTPUT :
+		if (fr_nat_lock)
+			error = fr_natputent(data);
+		else
+			error = EACCES;
+		break;
+	case SIOCSTGSZ :
+		if (fr_nat_lock)
+			error = fr_natgetsz(data);
+		else
+			error = EACCES;
+		break;
+	case SIOCSTGET :
+		if (fr_nat_lock)
+			error = fr_natgetent(data);
+		else
+			error = EACCES;
 		break;
 	case FIONREAD :
 #ifdef	IPFILTER_LOG
 		MUTEX_DOWNGRADE(&ipf_nat);
-		IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
-		       sizeof(iplused[IPL_LOGNAT]));
+		error = IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
+			       sizeof(iplused[IPL_LOGNAT]));
 #endif
 		break;
 	default :
@@ -527,13 +674,285 @@ int mode;
 		break;
 	}
 	RWLOCK_EXIT(&ipf_nat);			/* READ/WRITE */
-	SPL_X(s);
+done:
 	if (nt)
 		KFREE(nt);
 	return error;
 }
 
 
+static int fr_natgetsz(data)
+caddr_t data;
+{
+	ap_session_t *aps;
+	nat_t *nat, *n;
+	int error = 0;
+	natget_t ng;
+
+	error = IRCOPY(data, (caddr_t)&ng, sizeof(ng));
+	if (error)
+		return EFAULT;
+
+	nat = ng.ng_ptr;
+	if (!nat) {
+		nat = nat_instances;
+		ng.ng_sz = 0;
+		if (nat == NULL) {
+			error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
+			if (error)
+				error = EFAULT;
+			return error;
+		}
+	} else {
+		/*
+		 * Make sure the pointer we're copying from exists in the
+		 * current list of entries.  Security precaution to prevent
+		 * copying of random kernel data.
+		 */
+		for (n = nat_instances; n; n = n->nat_next)
+			if (n == nat)
+				break;
+		if (!n)
+			return ESRCH;
+	}
+
+	ng.ng_sz = sizeof(nat_save_t);
+	aps = nat->nat_aps;
+	if ((aps != NULL) && (aps->aps_data != 0)) {
+		ng.ng_sz += sizeof(ap_session_t);
+		ng.ng_sz += aps->aps_psiz;
+	}
+
+	error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
+	if (error)
+		error = EFAULT;
+	return error;
+}
+
+
+static int fr_natgetent(data)
+caddr_t data;
+{
+	nat_save_t ipn, *ipnp, *ipnn;
+	register nat_t *n, *nat;
+	ap_session_t *aps;
+	int error;
+
+	error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
+	if (error)
+		return EFAULT;
+	error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
+	if (error)
+		return EFAULT;
+
+	nat = ipn.ipn_next;
+	if (!nat) {
+		nat = nat_instances;
+		if (nat == NULL) {
+			if (nat_instances == NULL)
+				return ENOENT;
+			return 0;
+		}
+	} else {
+		/*
+		 * Make sure the pointer we're copying from exists in the
+		 * current list of entries.  Security precaution to prevent
+		 * copying of random kernel data.
+		 */
+		for (n = nat_instances; n; n = n->nat_next)
+			if (n == nat)
+				break;
+		if (!n)
+			return ESRCH;
+	}
+
+	ipn.ipn_next = nat->nat_next;
+	ipn.ipn_dsize = 0;
+	bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat));
+	ipn.ipn_nat.nat_data = NULL;
+
+	if (nat->nat_ptr) {
+		bcopy((char *)nat->nat_ptr, (char *)&ipn.ipn_ipnat,
+		      sizeof(ipn.ipn_ipnat));
+	}
+
+	if (nat->nat_fr)
+		bcopy((char *)nat->nat_fr, (char *)&ipn.ipn_rule,
+		      sizeof(ipn.ipn_rule));
+
+	if ((aps = nat->nat_aps)) {
+		ipn.ipn_dsize = sizeof(*aps);
+		if (aps->aps_data)
+			ipn.ipn_dsize += aps->aps_psiz;
+		KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize);
+		if (ipnn == NULL)
+			return NULL;
+		bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
+
+		bcopy((char *)aps, ipn.ipn_data, sizeof(*aps));
+		if (aps->aps_data) {
+			bcopy(aps->aps_data, ipn.ipn_data + sizeof(*aps),
+			      aps->aps_psiz);
+			ipn.ipn_dsize += aps->aps_psiz;
+		}
+		error = IWCOPY((caddr_t)ipnn, ipnp,
+			       sizeof(ipn) + ipn.ipn_dsize);
+		if (error)
+			return EFAULT;
+		KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize);
+	} else {
+		error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
+		if (error)
+			return EFAULT;
+	}
+	return 0;
+}
+
+
+static int fr_natputent(data)
+caddr_t data;
+{
+	nat_save_t ipn, *ipnp, *ipnn;
+	register nat_t *n, *nat;
+	ap_session_t *aps;
+	frentry_t *fr;
+	ipnat_t *in;
+
+	int error;
+
+	error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
+	if (error)
+		return EFAULT;
+	error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
+	if (error)
+		return EFAULT;
+	if (ipn.ipn_dsize) {
+		KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize);
+		if (ipnn == NULL)
+			return ENOMEM;
+		bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
+		error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data,
+			       ipn.ipn_dsize);
+		if (error)
+			return EFAULT;
+	} else
+		ipnn = NULL;
+
+	KMALLOC(nat, nat_t *);
+	if (nat == NULL)
+		return ENOMEM;
+
+	bcopy((char *)&ipn.ipn_nat, (char *)nat, sizeof(*nat));
+	/*
+	 * Initialize all these so that nat_delete() doesn't cause a crash.
+	 */
+	nat->nat_hstart[0] = NULL;
+	nat->nat_hstart[1] = NULL;
+	fr = nat->nat_fr;
+	nat->nat_fr = NULL;
+	aps = nat->nat_aps;
+	nat->nat_aps = NULL;
+	in = nat->nat_ptr;
+	nat->nat_ptr = NULL;
+	nat->nat_data = NULL;
+
+	/*
+	 * Restore the rule associated with this nat session
+	 */
+	if (in) {
+		KMALLOC(in, ipnat_t *);
+		if (in == NULL) {
+			error = ENOMEM;
+			goto junkput;
+		}
+		nat->nat_ptr = in;
+		bcopy((char *)&ipn.ipn_ipnat, (char *)in, sizeof(*in));
+		in->in_use = 1;
+		in->in_flags |= IPN_DELETE;
+		in->in_next = NULL;
+		in->in_rnext = NULL;
+		in->in_prnext = NULL;
+		in->in_mnext = NULL;
+		in->in_pmnext = NULL;
+		in->in_ifp = GETUNIT(in->in_ifname, 4);
+		if (in->in_plabel[0] != '\0') {
+			in->in_apr = appr_match(in->in_p, in->in_plabel);
+		}
+	}
+
+	/*
+	 * Restore ap_session_t structure.  Include the private data allocated
+	 * if it was there.
+	 */
+	if (aps) {
+		KMALLOC(aps, ap_session_t *);
+		if (aps == NULL) {
+			error = ENOMEM;
+			goto junkput;
+		}
+		nat->nat_aps = aps;
+		aps->aps_next = ap_sess_list;
+		ap_sess_list = aps;
+		bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
+		if (in)
+			aps->aps_apr = in->in_apr;
+		if (aps->aps_psiz) {
+			KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
+			if (aps->aps_data == NULL) {
+				error = ENOMEM;
+				goto junkput;
+			}
+			bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
+			      aps->aps_psiz);
+		} else {
+			aps->aps_psiz = 0;
+			aps->aps_data = NULL;
+		}
+	}
+
+	/*
+	 * If there was a filtering rule associated with this entry then
+	 * build up a new one.
+	 */
+	if (fr != NULL) {
+		if (nat->nat_flags & FI_NEWFR) {
+			KMALLOC(fr, frentry_t *);
+			nat->nat_fr = fr;
+			if (fr == NULL) {
+				error = ENOMEM;
+				goto junkput;
+			}
+			bcopy((char *)&ipn.ipn_fr, (char *)fr, sizeof(*fr));
+			ipn.ipn_nat.nat_fr = fr;
+			error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
+			if (error) {
+				error = EFAULT;
+				goto junkput;
+			}
+		} else {
+			for (n = nat_instances; n; n = n->nat_next)
+				if (n->nat_fr == fr)
+					break;
+			if (!n) {
+				error = ESRCH;
+				goto junkput;
+			}
+		}
+	}
+
+	if (ipnn)
+		KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
+	nat_insert(nat);
+	return 0;
+junkput:
+	if (ipnn)
+		KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
+	if (nat)
+		nat_delete(nat);
+	return error;
+}
+
+
 /*
  * Delete a nat entry from the various lists and table.
  */
@@ -543,14 +962,14 @@ struct nat *natd;
 	register struct nat **natp, *nat;
 	struct ipnat *ipn;
 
-	for (natp = natd->nat_hstart[0]; (nat = *natp);
+	for (natp = natd->nat_hstart[0]; natp && (nat = *natp);
 	     natp = &nat->nat_hnext[0])
 		if (nat == natd) {
 			*natp = nat->nat_hnext[0];
 			break;
 		}
 
-	for (natp = natd->nat_hstart[1]; (nat = *natp);
+	for (natp = natd->nat_hstart[1]; natp && (nat = *natp);
 	     natp = &nat->nat_hnext[1])
 		if (nat == natd) {
 			*natp = nat->nat_hnext[1];
@@ -558,8 +977,12 @@ struct nat *natd;
 		}
 
 	if (natd->nat_fr != NULL) {
-		ATOMIC_DEC(natd->nat_fr->fr_ref);
+		ATOMIC_DEC32(natd->nat_fr->fr_ref);
 	}
+
+	if (natd->nat_hm != NULL)
+		nat_hostmapdel(natd->nat_hm);
+
 	/*
 	 * If there is an active reference from the nat entry to its parent
 	 * rule, decrement the rule's reference count and free it too if no
@@ -577,6 +1000,7 @@ struct nat *natd;
 		}
 	}
 
+	MUTEX_DESTROY(&natd->nat_lock);
 	/*
 	 * If there's a fragment table entry too for this nat entry, then
 	 * dereference that as well.
@@ -662,11 +1086,11 @@ int direction;
 {
 	register u_32_t sum1, sum2, sumd, l;
 	u_short port = 0, sport = 0, dport = 0, nport = 0;
-	nat_t *nat, **natp, *natl = NULL;
 	struct in_addr in, inb;
 	tcphdr_t *tcp = NULL;
+	hostmap_t *hm = NULL;
+	nat_t *nat, *natl;
 	u_short nflags;
-	u_int hv;
 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
 	qif_t *qf = fin->fin_qif;
 #endif
@@ -680,8 +1104,10 @@ int direction;
 
 	/* Give me a new nat */
 	KMALLOC(nat, nat_t *);
-	if (nat == NULL)
+	if (nat == NULL) {
+		nat_stats.ns_memfail++;
 		return NULL;
+	}
 
 	bzero((char *)nat, sizeof(*nat));
 	nat->nat_flags = flags;
@@ -705,42 +1131,33 @@ int direction;
 
 		do {
 			port = 0;
-			in.s_addr = np->in_nip;
+			in.s_addr = htonl(np->in_nip);
 			if (l == 0) {
 				/*
 				 * Check to see if there is an existing NAT
 				 * setup for this IP address pair.
 				 */
-				natl = nat_maplookup(fin->fin_ifp, flags,
-						     ip->ip_src, ip->ip_dst);
-				if (natl != NULL) {
-					in = natl->nat_outip;
-					if ((in.s_addr & np->in_outmsk) !=
-					    np->in_outip)
-						in.s_addr = 0;
-					else
-#ifndef sparc
-						in.s_addr = ntohl(in.s_addr);
-#else
-						;
-#endif
-				}
+				hm = nat_hostmap(np, ip->ip_src, in);
+				if (hm != NULL)
+					in.s_addr = hm->hm_mapip.s_addr;
+			} else if ((l == 1) && (hm != NULL)) {
+				nat_hostmapdel(hm);
+				hm = NULL;
 			}
+			in.s_addr = ntohl(in.s_addr);
+
+			nat->nat_hm = hm;
 
 			if ((np->in_outmsk == 0xffffffff) &&
 			    (np->in_pnext == 0)) {
-				if (l > 0) {
-					KFREE(nat);
-					return NULL;
-				}
+				if (l > 0)
+					goto badnat;
 			}
 
 			if (np->in_redir & NAT_MAPBLK) {
 				if ((l >= np->in_ppip) || ((l > 0) &&
-				     !(flags & IPN_TCPUDP))) {
-					KFREE(nat);
-					return NULL;
-				}
+				     !(flags & IPN_TCPUDP)))
+					goto badnat;
 				/*
 				 * map-block - Calculate destination address.
 				 */
@@ -762,29 +1179,25 @@ int direction;
 					port += MAPBLK_MINPORT;
 					port = htons(port);
 				}
-			} else if (!in.s_addr &&
+			} else if (!np->in_outip &&
 				   (np->in_outmsk == 0xffffffff)) {
 				/*
 				 * 0/32 - use the interface's IP address.
 				 */
 				if ((l > 0) ||
-				    fr_ifpaddr(fin->fin_ifp, &in) == -1) {
-					KFREE(nat);
-					return NULL;
-				}
+				    fr_ifpaddr(4, fin->fin_ifp, &in) == -1)
+					goto badnat;
 				in.s_addr = ntohl(in.s_addr);
-			} else if (!in.s_addr && !np->in_outmsk) {
+			} else if (!np->in_outip && !np->in_outmsk) {
 				/*
 				 * 0/0 - use the original source address/port.
 				 */
-				if (l > 0) {
-					KFREE(nat);
-					return NULL;
-				}
+				if (l > 0)
+					goto badnat;
 				in.s_addr = ntohl(ip->ip_src.s_addr);
 			} else if ((np->in_outmsk != 0xffffffff) &&
 				   (np->in_pnext == 0) &&
-				   ((l > 0) || (natl == NULL)))
+				   ((l > 0) || (hm == NULL)))
 				np->in_nip++;
 			natl = NULL;
 
@@ -793,8 +1206,7 @@ int direction;
 			    (np->in_flags & IPN_AUTOPORTMAP)) {
 				if ((l > 0) && (l % np->in_ppip == 0)) {
 					if (l > np->in_space) {
-						KFREE(nat);
-						return NULL;
+						goto badnat;
 					} else if ((l > np->in_ppip) &&
 						   np->in_outmsk != 0xffffffff)
 						np->in_nip++;
@@ -820,8 +1232,8 @@ int direction;
 				}
 			}
 
-			if (np->in_flags & IPN_RANGE) {
-				if (np->in_nip >= ntohl(np->in_outmsk))
+			if (np->in_flags & IPN_IPRANGE) {
+				if (np->in_nip > ntohl(np->in_outmsk))
 					np->in_nip = ntohl(np->in_outip);
 			} else {
 				if ((np->in_outmsk != 0xffffffff) &&
@@ -844,7 +1256,7 @@ int direction;
 			 * this is appropriate.
 			 */
 			inb.s_addr = htonl(in.s_addr);
-			natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILD,
+			natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP,
 					    (u_int)ip->ip_p, ip->ip_dst, inb,
 					    (port << 16) | dport);
 
@@ -854,10 +1266,8 @@ int direction;
 			 */
 			if ((natl != NULL) &&
 			    (np->in_pnext != 0) && (st_port == np->in_pnext) &&
-			    (np->in_nip != 0) && (st_ip == np->in_nip)) {
-				KFREE(nat);
-				return NULL;
-			}
+			    (np->in_nip != 0) && (st_ip == np->in_nip))
+				goto badnat;
 			l++;
 		} while (natl != NULL);
 
@@ -868,6 +1278,9 @@ int direction;
 		nat->nat_inip = ip->ip_src;
 		nat->nat_outip.s_addr = htonl(in.s_addr);
 		nat->nat_oip = ip->ip_dst;
+		if (nat->nat_hm == NULL)
+			nat->nat_hm = nat_hostmap(np, ip->ip_src,
+						  nat->nat_outip);
 
 		sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport);
 		sum2 = LONG_SUM(in.s_addr) + ntohs(port);
@@ -884,18 +1297,45 @@ int direction;
 		 * we want to rewrite to a fixed internal address and fixed
 		 * internal port.
 		 */
-		in.s_addr = ntohl(np->in_inip);
-		if (!(nport = np->in_pnext))
+		if (np->in_flags & IPN_SPLIT) {
+			in.s_addr = np->in_nip;
+			if (np->in_inip == htonl(in.s_addr))
+				np->in_nip = ntohl(np->in_inmsk);
+			else {
+				np->in_nip = ntohl(np->in_inip);
+				if (np->in_flags & IPN_ROUNDR) {
+					nat_delrdr(np);
+					nat_addrdr(np);
+				}
+			}
+		} else {
+			in.s_addr = ntohl(np->in_inip);
+			if (np->in_flags & IPN_ROUNDR) {
+				nat_delrdr(np);
+				nat_addrdr(np);
+			}
+		}
+		if (!np->in_pnext)
 			nport = dport;
+		else {
+			/*
+			 * Whilst not optimized for the case where
+			 * pmin == pmax, the gain is not significant.
+			 */
+			nport = ntohs(dport) - ntohs(np->in_pmin) +
+				ntohs(np->in_pnext);
+			nport = htons(nport);
+		}
 
 		/*
 		 * When the redirect-to address is set to 0.0.0.0, just
 		 * assume a blank `forwarding' of the packet.  We don't
 		 * setup any translation for this either.
 		 */
-		if ((in.s_addr == 0) && (nport == dport)) {
-			KFREE(nat);
-			return NULL;
+		if (in.s_addr == 0) {
+			if (nport == dport)
+				goto badnat;
+			in.s_addr = ntohl(ip->ip_dst.s_addr);
 		}
 
 		nat->nat_inip.s_addr = htonl(in.s_addr);
@@ -943,28 +1383,21 @@ int direction;
 		nat->nat_ipsumd = nat->nat_sumd[0];
 
 	in.s_addr = htonl(in.s_addr);
-	nat->nat_next = nat_instances;
-	nat_instances = nat;
-	hv = NAT_HASH_FN(nat->nat_inip.s_addr, ipf_nattable_sz);
-	natp = &nat_table[0][hv];
-	nat->nat_hstart[0] = natp;
-	nat->nat_hnext[0] = *natp;
-	*natp = nat;
-	hv = NAT_HASH_FN(nat->nat_outip.s_addr, ipf_nattable_sz);
-	natp = &nat_table[1][hv];
-	nat->nat_hstart[1] = natp;
-	nat->nat_hnext[1] = *natp;
-	*natp = nat;
+
+#ifdef  _KERNEL
+	strncpy(nat->nat_ifname, IFNAME(fin->fin_ifp), IFNAMSIZ);
+#endif
+	nat_insert(nat);
+
 	nat->nat_dir = direction;
 	nat->nat_ifp = fin->fin_ifp;
 	nat->nat_ptr = np;
 	nat->nat_p = ip->ip_p;
 	nat->nat_bytes = 0;
 	nat->nat_pkts = 0;
-	nat->nat_age = fr_defnatage;
 	nat->nat_fr = fin->fin_fr;
 	if (nat->nat_fr != NULL) {
-		ATOMIC_INC(nat->nat_fr->fr_ref);
+		ATOMIC_INC32(nat->nat_fr->fr_ref);
 	}
 	if (direction == NAT_OUTBOUND) {
 		if (flags & IPN_TCPUDP)
@@ -973,16 +1406,55 @@ int direction;
 		if (flags & IPN_TCPUDP)
 			tcp->th_dport = nport;
 	}
-	nat_stats.ns_added++;
-	nat_stats.ns_inuse++;
 	np->in_use++;
 	return nat;
+badnat:
+	nat_stats.ns_badnat++;
+	if ((hm = nat->nat_hm) != NULL)
+		nat_hostmapdel(hm);
+	KFREE(nat);
+	return NULL;
 }
 
 
-nat_t *nat_icmpinlookup(ip, fin)
+void	nat_insert(nat)
+nat_t	*nat;
+{
+	nat_t **natp;
+	u_int hv;
+
+	MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
+
+	nat->nat_age = fr_defnatage;
+	nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
+	if (nat->nat_ifname[0] !='\0') {
+		nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
+	}
+
+	nat->nat_next = nat_instances;
+	nat_instances = nat;
+	hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
+			 ipf_nattable_sz);
+	natp = &nat_table[0][hv];
+	nat->nat_hstart[0] = natp;
+	nat->nat_hnext[0] = *natp;
+	*natp = nat;
+	hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
+			 ipf_nattable_sz);
+	natp = &nat_table[1][hv];
+	nat->nat_hstart[1] = natp;
+	nat->nat_hnext[1] = *natp;
+	*natp = nat;
+
+	nat_stats.ns_added++;
+	nat_stats.ns_inuse++;
+}
+
+
+nat_t *nat_icmplookup(ip, fin, dir)
 ip_t *ip;
 fr_info_t *fin;
+int dir;
 {
 	icmphdr_t *icmp;
 	tcphdr_t *tcp = NULL;
@@ -1015,12 +1487,21 @@ fr_info_t *fin;
 		flags = IPN_UDP;
 	if (flags & IPN_TCPUDP) {
 		tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
-		return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p,
-				    oip->ip_dst, oip->ip_src,
-				    (tcp->th_sport << 16) | tcp->th_dport);
+		if (dir == NAT_INBOUND)
+			return nat_inlookup(fin->fin_ifp, flags,
+				(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
+				(tcp->th_sport << 16) | tcp->th_dport);
+		else
+			return nat_outlookup(fin->fin_ifp, flags,
+				(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
+				(tcp->th_sport << 16) | tcp->th_dport);
 	}
-	return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, oip->ip_dst,
-			    oip->ip_src, 0);
+	if (dir == NAT_INBOUND)
+		return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
+			oip->ip_dst, oip->ip_src, 0);
+	else
+		return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
+			oip->ip_dst, oip->ip_src, 0);
 }
 
 
@@ -1028,10 +1509,11 @@ fr_info_t *fin;
  * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
  * packet gets correctly recognised.
  */
-nat_t *nat_icmpin(ip, fin, nflags)
+nat_t *nat_icmp(ip, fin, nflags, dir)
 ip_t *ip;
 fr_info_t *fin;
 u_int *nflags;
+int dir;
 {
 	u_32_t sum1, sum2, sumd;
 	struct in_addr in;
@@ -1060,6 +1542,7 @@ u_int *nflags;
 	 * to only modify the checksum once for the port # and twice
 	 * for the IP#.
 	 */
+
 	if (nat->nat_dir == NAT_OUTBOUND) {
 		sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
 		in = nat->nat_inip;
@@ -1145,7 +1628,7 @@ u_32_t ports;
 	sport = ports & 0xffff;
 	flags &= IPN_TCPUDP;
 
-	hv = NAT_HASH_FN(mapdst.s_addr, ipf_nattable_sz);
+	hv = NAT_HASH_FN(mapdst.s_addr, mapdport, ipf_nattable_sz);
 	nat = nat_table[1][hv];
 	for (; nat; nat = nat->nat_hnext[1]) {
 		nflags = nat->nat_flags;
@@ -1184,7 +1667,7 @@ u_32_t ports;
 	dport = ports >> 16;
 	flags &= IPN_TCPUDP;
 
-	hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
+	hv = NAT_HASH_FN(src.s_addr, sport, ipf_nattable_sz);
 	nat = nat_table[0][hv];
 	for (; nat; nat = nat->nat_hnext[0]) {
 		nflags = nat->nat_flags;
@@ -1203,35 +1686,6 @@ u_32_t ports;
 
 
 /*
- * check if an ip address has already been allocated for a given mapping that
- * is not doing port based translation.
- */
-nat_t *nat_maplookup(ifp, flags, src, dst)
-void *ifp;
-register u_int flags;
-struct in_addr src , dst;
-{
-	register nat_t *nat;
-	register int oflags;
-	u_int hv;
-
-	hv = NAT_HASH_FN(src.s_addr, ipf_nattable_sz);
-	nat = nat_table[0][hv];
-	for (; nat; nat = nat->nat_hnext[0]) {
-		oflags = (flags & IPN_TCPUDP) & nat->nat_ptr->in_flags;
-		if (oflags != 0)
-			continue;
-
-		if ((!ifp || ifp == nat->nat_ifp) &&
-		    nat->nat_inip.s_addr == src.s_addr &&
-		    nat->nat_oip.s_addr == dst.s_addr)
-			return nat;
-	}
-	return NULL;
-}
-
-
-/*
  * Lookup the NAT tables to search for a matching redirect
  */
 nat_t *nat_lookupredir(np)
@@ -1309,16 +1763,16 @@ fr_info_t *fin;
 	register ipnat_t *np = NULL;
 	register u_32_t ipa;
 	tcphdr_t *tcp = NULL;
-	u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
+	u_short sport = 0, dport = 0, *csump = NULL;
 	struct ifnet *ifp;
 	int natadd = 1;
 	frentry_t *fr;
-	u_int hv, msk;
+	u_int nflags = 0, hv, msk;
 	u_32_t iph;
 	nat_t *nat;
 	int i;
 
-	if (nat_list == NULL)
+	if (nat_list == NULL || (fr_nat_lock))
 		return 0;
 
 	if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
@@ -1342,8 +1796,12 @@ fr_info_t *fin;
 	ipa = ip->ip_src.s_addr;
 
 	READ_ENTER(&ipf_nat);
-	if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
-	    (nat = ipfr_nat_knownfrag(ip, fin)))
+
+	if ((ip->ip_p == IPPROTO_ICMP) &&
+	    (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
+		;
+	else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
+			(nat = ipfr_nat_knownfrag(ip, fin)))
 		natadd = 0;
 	else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src,
 				      ip->ip_dst, (dport << 16) | sport))) {
@@ -1371,15 +1829,21 @@ fr_info_t *fin;
 		i = 32;
 maskloop:
 		iph = ipa & htonl(msk);
-		hv = NAT_HASH_FN(iph, ipf_natrules_sz);
+		hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
 		for (np = nat_rules[hv]; np; np = np->in_mnext)
 		{
-			if ((np->in_ifp == ifp) && np->in_space &&
-			    (!(np->in_flags & IPN_RF) ||
-			     (np->in_flags & nflags)) &&
-			    ((ipa & np->in_inmsk) == np->in_inip) &&
-			    ((np->in_redir & (NAT_MAP|NAT_MAPBLK)) ||
-			     (np->in_pnext == sport))) {
+			if ((np->in_ifp && (np->in_ifp != ifp)) ||
+			    !np->in_space)
+				continue;
+			if ((np->in_flags & IPN_RF) &&
+			    !(np->in_flags & nflags))
+				continue;
+			if (np->in_flags & IPN_FILTER) {
+				if (!nat_match(fin, np, ip))
+					continue;
+			} else if ((ipa & np->in_inmsk) != np->in_inip)
+				continue;
+			if (np->in_redir & (NAT_MAP|NAT_MAPBLK)) {
 				if (*np->in_plabel && !appr_ok(ip, tcp, np))
 					continue;
 				/*
@@ -1419,7 +1883,7 @@ maskloop:
 		nat->nat_age = fr_defnatage;
 		nat->nat_bytes += ip->ip_len;
 		nat->nat_pkts++;
-		MUTEX_EXIT(&ipf_rw);
+		MUTEX_EXIT(&nat->nat_lock);
 
 		/*
 		 * Fix up checksums, not by recalculating them, but
@@ -1457,14 +1921,14 @@ maskloop:
 
 			if (ip->ip_p == IPPROTO_TCP) {
 				csump = &tcp->th_sum;
-				MUTEX_ENTER(&ipf_rw);
+				MUTEX_ENTER(&nat->nat_lock);
 				fr_tcp_age(&nat->nat_age,
-					   nat->nat_tcpstate, ip, fin, 1);
+					   nat->nat_tcpstate, fin, 1);
 				if (nat->nat_age < fr_defnaticmpage)
 					nat->nat_age = fr_defnaticmpage;
 #ifdef LARGE_NAT
-				else if (nat->nat_age > DEF_NAT_AGE)
-					nat->nat_age = DEF_NAT_AGE;
+				else if (nat->nat_age > fr_defnatage)
+					nat->nat_age = fr_defnatage;
 #endif
 				/*
 				 * Increase this because we may have
@@ -1474,12 +1938,14 @@ maskloop:
 				 */
 				if (nat->nat_age == fr_tcpclosed)
 					nat->nat_age = fr_tcplastack;
-				MUTEX_EXIT(&ipf_rw);
+				MUTEX_EXIT(&nat->nat_lock);
 			} else if (ip->ip_p == IPPROTO_UDP) {
 				udphdr_t *udp = (udphdr_t *)tcp;
 
 				if (udp->uh_sum)
 					csump = &udp->uh_sum;
+			} else if (ip->ip_p == IPPROTO_ICMP) {
+				nat->nat_age = fr_defnaticmpage;
 			}
 
 			if (csump) {
@@ -1491,12 +1957,17 @@ maskloop:
 						     ip->ip_len);
 			}
 		}
+
 		if ((np->in_apr != NULL) && (np->in_dport == 0 ||
-		     (tcp != NULL && dport == np->in_dport)))
-			(void) appr_check(ip, fin, nat);
-		ATOMIC_INC(nat_stats.ns_mapped[1]);
+		     (tcp != NULL && dport == np->in_dport))) {
+			i = appr_check(ip, fin, nat);
+			if (i == 0)
+				i = 1;
+		} else
+			i = 1;
+		ATOMIC_INCL(nat_stats.ns_mapped[1]);
 		RWLOCK_EXIT(&ipf_nat);	/* READ */
-		return 1;
+		return i;
 	}
 	RWLOCK_EXIT(&ipf_nat);			/* READ/WRITE */
 	return 0;
@@ -1522,7 +1993,7 @@ fr_info_t *fin;
 	u_32_t iph;
 	int i;
 
-	if (nat_list == NULL)
+	if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
 		return 0;
 
 	if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
@@ -1543,7 +2014,8 @@ fr_info_t *fin;
 
 	READ_ENTER(&ipf_nat);
 
-	if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmpin(ip, fin, &nflags)))
+	if ((ip->ip_p == IPPROTO_ICMP) &&
+	    (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
 		;
 	else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
 		 (nat = ipfr_nat_knownfrag(ip, fin)))
@@ -1594,7 +2066,8 @@ maskloop:
 #endif
 					break;
 				}
-			}
+		}
+
 		if ((np == NULL) && (i > 0)) {
 			do {
 				i--;
@@ -1611,18 +2084,23 @@ maskloop:
 		if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
 			ipfr_nat_newfrag(ip, fin, 0, nat);
 		if ((np->in_apr != NULL) && (np->in_dport == 0 ||
-		    (tcp != NULL && sport == np->in_dport)))
-			(void) appr_check(ip, fin, nat);
+		    (tcp != NULL && sport == np->in_dport))) {
+			i = appr_check(ip, fin, nat);
+			if (i == -1) {
+				RWLOCK_EXIT(&ipf_nat);
+				return i;
+			}
+		}
 
-		MUTEX_ENTER(&ipf_rw);
+		MUTEX_ENTER(&nat->nat_lock);
 		if (nflags != IPN_ICMPERR)
 			nat->nat_age = fr_defnatage;
 
 		nat->nat_bytes += ip->ip_len;
 		nat->nat_pkts++;
-		MUTEX_EXIT(&ipf_rw);
+		MUTEX_EXIT(&nat->nat_lock);
 		ip->ip_dst = nat->nat_inip;
-		fin->fin_fi.fi_dst = nat->nat_inip;
+		fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
 
 		/*
 		 * Fix up checksums, not by recalculating them, but
@@ -1644,14 +2122,14 @@ maskloop:
 
 			if (ip->ip_p == IPPROTO_TCP) {
 				csump = &tcp->th_sum;
-				MUTEX_ENTER(&ipf_rw);
+				MUTEX_ENTER(&nat->nat_lock);
 				fr_tcp_age(&nat->nat_age,
-					   nat->nat_tcpstate, ip, fin, 0);
+					   nat->nat_tcpstate, fin, 0);
 				if (nat->nat_age < fr_defnaticmpage)
 					nat->nat_age = fr_defnaticmpage;
 #ifdef LARGE_NAT
-				else if (nat->nat_age > DEF_NAT_AGE)
-					nat->nat_age = DEF_NAT_AGE;
+				else if (nat->nat_age > fr_defnatage)
+					nat->nat_age = fr_defnatage;
 #endif
 				/*
 				 * Increase this because we may have
@@ -1661,21 +2139,26 @@ maskloop:
 				 */
 				if (nat->nat_age == fr_tcpclosed)
 					nat->nat_age = fr_tcplastack;
-				MUTEX_EXIT(&ipf_rw);
+				MUTEX_EXIT(&nat->nat_lock);
 			} else if (ip->ip_p == IPPROTO_UDP) {
 				udphdr_t *udp = (udphdr_t *)tcp;
 
 				if (udp->uh_sum)
 					csump = &udp->uh_sum;
+			} else if (ip->ip_p == IPPROTO_ICMP) {
+				nat->nat_age = fr_defnaticmpage;
 			}
+
 			if (csump) {
 				if (nat->nat_dir == NAT_OUTBOUND)
-					fix_incksum(csump, nat->nat_sumd[0], 0);
+					fix_incksum(csump, nat->nat_sumd[0],
+						    0);
 				else
-					fix_outcksum(csump, nat->nat_sumd[0], 0);
+					fix_outcksum(csump, nat->nat_sumd[0],
+						     0);
 			}
 		}
-		ATOMIC_INC(nat_stats.ns_mapped[0]);
+		ATOMIC_INCL(nat_stats.ns_mapped[0]);
 		RWLOCK_EXIT(&ipf_nat);			/* READ */
 		return 1;
 	}
@@ -1710,6 +2193,10 @@ void ip_natunload()
 		KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
 		rdr_rules = NULL;
 	}
+	if (maptable != NULL) {
+		KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
+		maptable = NULL;
+	}
 }
 
 
@@ -1775,7 +2262,7 @@ void *ifp;
 			 * new one.
 			 */
 			sum1 = nat->nat_outip.s_addr;
-			if (fr_ifpaddr(ifp2, &in) != -1)
+			if (fr_ifpaddr(4, ifp2, &in) != -1)
 				nat->nat_outip = in;
 			sum2 = nat->nat_outip.s_addr;
 
@@ -1796,7 +2283,7 @@ void *ifp;
 
 	for (n = nat_list; (n != NULL); n = n->in_next)
 		if (n->in_ifp == ifp) {
-			n->in_ifp = (void *)GETUNIT(n->in_ifname);
+			n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
 			if (!n->in_ifp)
 				n->in_ifp = (void *)-1;
 		}
diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h
index 733216daeb8a..b5d53e8b8b66 100644
--- a/sys/netinet/ip_nat.h
+++ b/sys/netinet/ip_nat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -18,23 +18,15 @@
 #endif
 
 #if defined(__STDC__) || defined(__GNUC__)
-#define	SIOCADNAT	_IOW('r', 80, struct ipnat)
-#define	SIOCRMNAT	_IOW('r', 81, struct ipnat)
-#define	SIOCGNATS	_IOR('r', 82, struct natstat)
-#define	SIOCGNATL	_IOWR('r', 83, struct natlookup)
-#define SIOCGFRST	_IOR('r', 84, struct ipfrstat)
-#define SIOCGIPST	_IOR('r', 85, struct ips_stat)
-#define	SIOCFLNAT	_IOWR('r', 86, int)
-#define	SIOCCNATL	_IOWR('r', 87, int)
+#define	SIOCADNAT	_IOW('r', 60, struct ipnat *)
+#define	SIOCRMNAT	_IOW('r', 61, struct ipnat *)
+#define	SIOCGNATS	_IOWR('r', 62, struct natstat *)
+#define	SIOCGNATL	_IOWR('r', 63, struct natlookup *)
 #else
-#define	SIOCADNAT	_IOW(r, 80, struct ipnat)
-#define	SIOCRMNAT	_IOW(r, 81, struct ipnat)
-#define	SIOCGNATS	_IOR(r, 82, struct natstat)
-#define	SIOCGNATL	_IOWR(r, 83, struct natlookup)
-#define SIOCGFRST	_IOR(r, 84, struct ipfrstat)
-#define SIOCGIPST	_IOR(r, 85, struct ips_stat)
-#define	SIOCFLNAT	_IOWR(r, 86, int)
-#define	SIOCCNATL	_IOWR(r, 87, int)
+#define	SIOCADNAT	_IOW(r, 60, struct ipnat *)
+#define	SIOCRMNAT	_IOW(r, 61, struct ipnat *)
+#define	SIOCGNATS	_IOWR(r, 62, struct natstat *)
+#define	SIOCGNATL	_IOWR(r, 63, struct natlookup *)
 #endif
 
 #undef	LARGE_NAT	/* define this if you're setting up a system to NAT
@@ -46,14 +38,17 @@
 			 */
 #define	NAT_SIZE	127
 #define	RDR_SIZE	127
+#define	HOSTMAP_SIZE	127
 #define	NAT_TABLE_SZ	127
 #ifdef	LARGE_NAT
 #undef	NAT_SIZE
 #undef	RDR_SIZE
 #undef	NAT_TABLE_SZ
+#undef	HOSTMAP_SIZE	127
 #define	NAT_SIZE	2047
 #define	RDR_SIZE	2047
 #define	NAT_TABLE_SZ	16383
+#define	HOSTMAP_SIZE	8191
 #endif
 #ifndef	APR_LABELLEN
 #define	APR_LABELLEN	16
@@ -62,14 +57,16 @@
 
 #define	DEF_NAT_AGE	1200     /* 10 minutes (600 seconds) */
 
+struct ap_session;
+
 typedef	struct	nat	{
 	u_long	nat_age;
 	int	nat_flags;
 	u_32_t	nat_sumd[2];
 	u_32_t	nat_ipsumd;
 	void	*nat_data;
-	void	*nat_aps;		/* proxy session */
-	frentry_t	*nat_fr;	/* filter rule ptr if appropriate */
+	struct	ap_session	*nat_aps;		/* proxy session */
+	struct	frentry	*nat_fr;	/* filter rule ptr if appropriate */
 	struct	in_addr	nat_inip;
 	struct	in_addr	nat_outip;
 	struct	in_addr	nat_oip;	/* other ip */
@@ -82,17 +79,24 @@ typedef	struct	nat	{
 	u_char	nat_tcpstate[2];
 	u_char	nat_p;			/* protocol for NAT */
 	struct	ipnat	*nat_ptr;	/* pointer back to the rule */
+	struct	hostmap	*nat_hm;
 	struct	nat	*nat_next;
 	struct	nat	*nat_hnext[2];
 	struct	nat	**nat_hstart[2];
 	void	*nat_ifp;
 	int	nat_dir;
+	char	nat_ifname[IFNAMSIZ];
+#if SOLARIS || defined(_sgi)
+	kmutex_t	nat_lock;
+#endif
 } nat_t;
 
 typedef	struct	ipnat	{
 	struct	ipnat	*in_next;
 	struct	ipnat	*in_rnext;
+	struct	ipnat	**in_prnext;
 	struct	ipnat	*in_mnext;
+	struct	ipnat	**in_pmnext;
 	void	*in_ifp;
 	void	*in_apr;
 	u_long	in_space;
@@ -108,11 +112,11 @@ typedef	struct	ipnat	{
 	struct	in_addr	in_in[2];
 	struct	in_addr	in_out[2];
 	struct	in_addr	in_src[2];
+	struct	frtuc	in_tuc;
 	int	in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
 	char	in_ifname[IFNAMSIZ];
 	char	in_plabel[APR_LABELLEN];	/* proxy label */
 	char	in_p;	/* protocol */
-	u_short	in_dport;
 } ipnat_t;
 
 #define	in_pmin		in_port[0]	/* Also holds static redir port */
@@ -124,6 +128,12 @@ typedef	struct	ipnat	{
 #define	in_outmsk	in_out[1].s_addr
 #define	in_srcip	in_src[0].s_addr
 #define	in_srcmsk	in_src[1].s_addr
+#define	in_scmp		in_tuc.ftu_scmp
+#define	in_dcmp		in_tuc.ftu_dcmp
+#define	in_stop		in_tuc.ftu_stop
+#define	in_dtop		in_tuc.ftu_dtop
+#define	in_sport	in_tuc.ftu_sport
+#define	in_dport	in_tuc.ftu_dport
 
 #define	NAT_OUTBOUND	0
 #define	NAT_INBOUND	1
@@ -148,6 +158,34 @@ typedef	struct	natlookup {
 	u_short	nl_realport;
 } natlookup_t;
 
+
+typedef struct  nat_save    {
+	void	*ipn_next;
+	struct	nat	ipn_nat;
+	struct	ipnat	ipn_ipnat;
+	struct	frentry ipn_fr;
+	int	ipn_dsize;
+	char	ipn_data[4];
+} nat_save_t;
+
+#define	ipn_rule	ipn_nat.nat_fr
+
+typedef	struct	natget	{
+	void	*ng_ptr;
+	int	ng_sz;
+} natget_t;
+
+
+typedef	struct	hostmap	{
+	struct	hostmap	*hm_next;
+	struct	hostmap	**hm_pnext;
+	struct	ipnat	*hm_ipnat;
+	struct	in_addr	hm_realip;
+	struct	in_addr	hm_mapip;
+	int	hm_ref;
+} hostmap_t;
+
+
 typedef	struct	natstat	{
 	u_long	ns_mapped[2];
 	u_long	ns_rules;
@@ -156,6 +194,8 @@ typedef	struct	natstat	{
 	u_long	ns_inuse;
 	u_long	ns_logged;
 	u_long	ns_logfail;
+	u_long	ns_memfail;
+	u_long	ns_badnat;
 	nat_t	**ns_table[2];
 	ipnat_t	*ns_list;
 	void	*ns_apslist;
@@ -165,12 +205,12 @@ typedef	struct	natstat	{
 	nat_t	*ns_instances;
 } natstat_t;
 
-#define	IPN_ANY		0x00
-#define	IPN_TCP		0x01
-#define	IPN_UDP		0x02
+#define	IPN_ANY		0x000
+#define	IPN_TCP		0x001
+#define	IPN_UDP		0x002
 #define	IPN_TCPUDP	(IPN_TCP|IPN_UDP)
-#define	IPN_DELETE	0x04
-#define	IPN_ICMPERR	0x08
+#define	IPN_DELETE	0x004
+#define	IPN_ICMPERR	0x008
 #define	IPN_RF		(IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
 #define	IPN_AUTOPORTMAP	0x010
 #define	IPN_IPRANGE	0x020
@@ -204,7 +244,7 @@ typedef	struct	natlog {
 #define	NL_NEWBLOCK	NAT_MAPBLK
 #define	NL_EXPIRE	0xffff
 
-#define	NAT_HASH_FN(k,m)	(((k) + ((k) >> 12)) % (m))
+#define	NAT_HASH_FN(k,l,m)	(((k) + ((k) >> 12) + l) % (m))
 
 #define	LONG_SUM(in)	(((in) & 0xffff) + ((in) >> 16))
 
@@ -223,6 +263,7 @@ typedef	struct	natlog {
 extern	u_int	ipf_nattable_sz;
 extern	u_int	ipf_natrules_sz;
 extern	u_int	ipf_rdrrules_sz;
+extern	int	fr_nat_lock;
 extern	void	ip_natsync __P((void *));
 extern	u_long	fr_defnatage;
 extern	u_long	fr_defnaticmpage;
@@ -231,7 +272,7 @@ extern	nat_t	*nat_instances;
 extern	ipnat_t	**nat_rules;
 extern	ipnat_t	**rdr_rules;
 extern	natstat_t	nat_stats;
-#if defined(__NetBSD__) || defined(__OpenBSD__)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
 extern	int	nat_ioctl __P((caddr_t, u_long, int));
 #else
 extern	int	nat_ioctl __P((caddr_t, int, int));
@@ -245,8 +286,9 @@ extern	nat_t	*nat_inlookup __P((void *, u_int, u_int, struct in_addr,
 extern	nat_t	*nat_maplookup __P((void *, u_int, struct in_addr,
 				struct in_addr));
 extern	nat_t	*nat_lookupredir __P((natlookup_t *));
-extern	nat_t	*nat_icmpinlookup __P((ip_t *, fr_info_t *));
-extern	nat_t	*nat_icmpin __P((ip_t *, fr_info_t *, u_int *));
+extern	nat_t	*nat_icmplookup __P((ip_t *, fr_info_t *, int));
+extern	nat_t	*nat_icmp __P((ip_t *, fr_info_t *, u_int *, int));
+extern	void	nat_insert __P((nat_t *));
 
 extern	int	ip_natout __P((ip_t *, fr_info_t *));
 extern	int	ip_natin __P((ip_t *, fr_info_t *));
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c
index 3a038632148f..47d0e5ea0de3 100644
--- a/sys/netinet/ip_proxy.c
+++ b/sys/netinet/ip_proxy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 1997-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -99,23 +99,62 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
 
 ap_session_t	*ap_sess_tab[AP_SESS_SIZE];
 ap_session_t	*ap_sess_list = NULL;
+aproxy_t	*ap_proxylist = NULL;
 aproxy_t	ap_proxies[] = {
 #ifdef	IPF_FTP_PROXY
-	{ "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
-	  ippr_ftp_in, ippr_ftp_out },
+	{ NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
+	  ippr_ftp_new, ippr_ftp_in, ippr_ftp_out },
 #endif
 #ifdef	IPF_RCMD_PROXY
-	{ "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, ippr_rcmd_new,
-	  NULL, ippr_rcmd_out },
+	{ NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL,
+	  ippr_rcmd_new, NULL, ippr_rcmd_out },
 #endif
 #ifdef	IPF_RAUDIO_PROXY
-	{ "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init,
+	{ NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL,
 	  ippr_raudio_new, ippr_raudio_in, ippr_raudio_out },
 #endif
-	{ "", '\0', 0, 0, NULL, NULL }
+	{ NULL, "", '\0', 0, 0, NULL, NULL }
 };
 
 
+int appr_add(ap)
+aproxy_t *ap;
+{
+	aproxy_t *a;
+
+	for (a = ap_proxies; a->apr_p; a++)
+		if ((a->apr_p == ap->apr_p) &&
+		    !strncmp(a->apr_label, ap->apr_label,
+			     sizeof(ap->apr_label)))
+			return -1;
+
+	for (a = ap_proxylist; a->apr_p; a = a->apr_next)
+		if ((a->apr_p == ap->apr_p) &&
+		    !strncmp(a->apr_label, ap->apr_label,
+			     sizeof(ap->apr_label)))
+			return -1;
+	ap->apr_next = ap_proxylist;
+	ap_proxylist = ap;
+	return (*ap->apr_init)();
+}
+
+
+int appr_del(ap)
+aproxy_t *ap;
+{
+	aproxy_t *a, **app;
+
+	for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
+		if (a == ap) {
+			if (ap->apr_ref != 0)
+				return 1;
+			*app = a->apr_next;
+			return 0;
+		}
+	return -1;
+}
+
+
 int appr_ok(ip, tcp, nat)
 ip_t *ip;
 tcphdr_t *tcp;
@@ -153,16 +192,18 @@ nat_t *nat;
 	if (!aps)
 		return NULL;
 	bzero((char *)aps, sizeof(*aps));
-	aps->aps_next = ap_sess_list;
 	aps->aps_p = ip->ip_p;
 	aps->aps_data = NULL;
 	aps->aps_apr = apr;
 	aps->aps_psiz = 0;
-	ap_sess_list = aps;
-	aps->aps_nat = nat;
-	nat->nat_aps = aps;
 	if (apr->apr_new != NULL)
-		(void) (*apr->apr_new)(fin, ip, aps, nat);
+		if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
+			KFREE(aps);
+			return NULL;
+		}
+	aps->aps_nat = nat;
+	aps->aps_next = ap_sess_list;
+	ap_sess_list = aps;
 	return aps;
 }
 
@@ -180,6 +221,7 @@ nat_t *nat;
 	aproxy_t *apr;
 	tcphdr_t *tcp = NULL;
 	u_32_t sum;
+	short rv;
 	int err;
 
 	if (nat->nat_aps == NULL)
@@ -214,8 +256,12 @@ nat_t *nat;
 				err = (*apr->apr_inpkt)(fin, ip, aps, nat);
 		}
 
+		rv = APR_EXIT(err);
+		if (rv == -1)
+			return rv;
+
 		if (tcp != NULL) {
-			err = appr_fixseqack(fin, ip, aps, err);
+			err = appr_fixseqack(fin, ip, aps, APR_INC(err));
 #if SOLARIS && defined(_KERNEL)
 			tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
 #else
@@ -224,9 +270,9 @@ nat_t *nat;
 		}
 		aps->aps_bytes += ip->ip_len;
 		aps->aps_pkts++;
-		return 2;
+		return 1;
 	}
-	return -1;
+	return 0;
 }
 
 
@@ -242,6 +288,13 @@ char *name;
 			ap->apr_ref++;
 			return ap;
 		}
+
+	for (ap = ap_proxylist; ap; ap = ap->apr_next)
+		if ((ap->apr_p == pr) &&
+		    !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
+			ap->apr_ref++;
+			return ap;
+		}
 	return NULL;
 }
 
@@ -267,11 +320,9 @@ ap_session_t *aps;
 			break;
 		}
 
-	if (a) {
-		if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
-			KFREES(aps->aps_data, aps->aps_psiz);
-		KFREE(aps);
-	}
+	if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
+		KFREES(aps->aps_data, aps->aps_psiz);
+	KFREE(aps);
 }
 
 
@@ -386,3 +437,16 @@ int appr_init()
 	}
 	return err;
 }
+
+
+void appr_unload()
+{
+	aproxy_t *ap;
+
+	for (ap = ap_proxies; ap->apr_p; ap++)
+		if (ap->apr_fini)
+			(*ap->apr_fini)();
+	for (ap = ap_proxylist; ap; ap = ap->apr_next)
+		if (ap->apr_fini)
+			(*ap->apr_fini)();
+}
diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h
index 9ccd46a4c078..edee695a8899 100644
--- a/sys/netinet/ip_proxy.h
+++ b/sys/netinet/ip_proxy.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1997-1998 by Darren Reed.
+ * Copyright (C) 1997-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -55,7 +55,7 @@ typedef	struct ap_session {
 	int	aps_psiz;	/* size of private data */
 	struct	ap_session	*aps_hnext;
 	struct	ap_session	*aps_next;
-} ap_session_t ;
+} ap_session_t;
 
 #define	aps_sport	aps_un.apu_tcp.apt_sport
 #define	aps_dport	aps_un.apu_tcp.apt_dport
@@ -68,11 +68,13 @@ typedef	struct ap_session {
 
 
 typedef	struct	aproxy	{
+	struct	aproxy	*apr_next;
 	char	apr_label[APR_LABELLEN];	/* Proxy label # */
 	u_char	apr_p;		/* protocol */
 	int	apr_ref;	/* +1 per rule referencing it */
 	int	apr_flags;
 	int	(* apr_init) __P((void));
+	void	(* apr_fini) __P((void));
 	int	(* apr_new) __P((fr_info_t *, ip_t *,
 				 ap_session_t *, struct nat *));
 	int	(* apr_inpkt) __P((fr_info_t *, ip_t *,
@@ -83,6 +85,26 @@ typedef	struct	aproxy	{
 
 #define	APR_DELETE	1
 
+#define	APR_ERR(x)	(((x) & 0xffff) << 16)
+#define	APR_EXIT(x)	(((x) >> 16) & 0xffff)
+#define	APR_INC(x)	((x) & 0xffff)
+
+#define	FTP_BUFSZ	160
+/*
+ * For the ftp proxy.
+ */
+typedef struct  ftpside {
+	char	*ftps_rptr;
+	char	*ftps_wptr;
+	u_32_t	ftps_seq;
+	int	ftps_junk;
+	char	ftps_buf[FTP_BUFSZ];
+} ftpside_t;
+
+typedef struct  ftpinfo {
+	u_int   	ftp_passok;
+	ftpside_t	ftp_side[2];
+} ftpinfo_t;
 
 /*
  * Real audio proxy structure and #defines
@@ -119,8 +141,12 @@ typedef	struct	{
 extern	ap_session_t	*ap_sess_tab[AP_SESS_SIZE];
 extern	ap_session_t	*ap_sess_list;
 extern	aproxy_t	ap_proxies[];
+extern	int		ippr_ftp_pasvonly;
 
+extern	int	appr_add __P((aproxy_t *));
+extern	int	appr_del __P((aproxy_t *));
 extern	int	appr_init __P((void));
+extern	void	appr_unload __P((void));
 extern	int	appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *));
 extern	void	appr_free __P((aproxy_t *));
 extern	void	aps_free __P((ap_session_t *));
diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c
index 611dc2652906..fd6203388816 100644
--- a/sys/netinet/ip_raudio_pxy.c
+++ b/sys/netinet/ip_raudio_pxy.c
@@ -41,12 +41,13 @@ nat_t *nat;
 
 
 	KMALLOCS(aps->aps_data, void *, sizeof(raudio_t));
-	if (aps->aps_data != NULL) {
-		bzero(aps->aps_data, sizeof(raudio_t));
-		rap = aps->aps_data;
-		aps->aps_psiz = sizeof(raudio_t);
-		rap->rap_mode = RAP_M_TCP;	/* default is for TCP */
-	}
+	if (aps->aps_data == NULL)
+		return -1;
+
+	bzero(aps->aps_data, sizeof(raudio_t));
+	rap = aps->aps_data;
+	aps->aps_psiz = sizeof(raudio_t);
+	rap->rap_mode = RAP_M_TCP;	/* default is for TCP */
 	return 0;
 }
 
@@ -171,8 +172,8 @@ nat_t *nat;
 	raudio_t *rap = aps->aps_data;
 	struct in_addr swa, swb;
 	u_int a1, a2, a3, a4;
+	int off, dlen, slen;
 	u_short sp, dp;
-	int off, dlen;
 	fr_info_t fi;
 	tcp_seq seq;
 	nat_t *ipn;
@@ -261,9 +262,12 @@ nat_t *nat;
 
 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
 	bzero((char *)tcp2, sizeof(*tcp2));
+	tcp2->th_off = 5;
 	fi.fin_dp = (char *)tcp2;
 	fi.fin_fr = &raudiofr;
 	tcp2->th_win = htons(8192);
+	slen = ip->ip_len;
+	ip->ip_len = fin->fin_hlen + sizeof(*tcp);
 
 	if (((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) &&
 	    (rap->rap_srport != 0)) {
@@ -274,8 +278,7 @@ nat_t *nat;
 		fi.fin_data[0] = dp;
 		fi.fin_data[1] = sp;
 		ipn = nat_new(nat->nat_ptr, ip, &fi, 
-			      IPN_UDP | (sp ? 0 : FI_W_SPORT),
-			      NAT_OUTBOUND);
+			      IPN_UDP | (sp ? 0 : FI_W_SPORT), NAT_OUTBOUND);
 		if (ipn != NULL) {
 			ipn->nat_age = fr_defnatage;
 			(void) fr_addstate(ip, &fi, sp ? 0 : FI_W_SPORT);
@@ -295,8 +298,9 @@ nat_t *nat;
 			(void) fr_addstate(ip, &fi, FI_W_DPORT);
 		}
 	}
-		
+
 	ip->ip_p = swp;
+	ip->ip_len = slen;
 	ip->ip_src = swa;
 	ip->ip_dst = swb;
 	return 0;
diff --git a/sys/netinet/ip_rcmd_pxy.c b/sys/netinet/ip_rcmd_pxy.c
index ca7d38fb0faf..112171f815ba 100644
--- a/sys/netinet/ip_rcmd_pxy.c
+++ b/sys/netinet/ip_rcmd_pxy.c
@@ -134,11 +134,16 @@ nat_t *nat;
 	ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
 			    ip->ip_dst, (dp << 16) | sp);
 	if (ipn == NULL) {
+		int slen;
+
+		slen = ip->ip_len;
+		ip->ip_len = fin->fin_hlen + sizeof(*tcp);
 		bcopy((char *)fin, (char *)&fi, sizeof(fi));
 		bzero((char *)tcp2, sizeof(*tcp2));
 		tcp2->th_win = htons(8192);
 		tcp2->th_sport = sp;
 		tcp2->th_dport = 0; /* XXX - don't specify remote port */
+		tcp2->th_off = 5;
 		fi.fin_data[0] = ntohs(sp);
 		fi.fin_data[1] = 0;
 		fi.fin_dp = (char *)tcp2;
@@ -151,6 +156,7 @@ nat_t *nat;
 			fi.fin_fr = &rcmdfr;
 			(void) fr_addstate(ip, &fi, FI_W_DPORT);
 		}
+		ip->ip_len = slen;
 		ip->ip_src = swip;
 	}
 	return 0;
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
index 710b6d19642e..e5166d8ae1c4 100644
--- a/sys/netinet/ip_state.c
+++ b/sys/netinet/ip_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -7,7 +7,6 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-1995 Darren Reed";
-/*static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.12 2000/06/19 02:38:37 darrenr Exp $";*/
 static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
@@ -19,6 +18,10 @@ static const char rcsid[] = "@(#)$FreeBSD$";
     defined(_KERNEL)
 # include "opt_ipfilter_log.h"
 #endif
+#if defined(_KERNEL) && defined(__FreeBSD_version) && \
+    (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
+#include "opt_inet6.h"
+#endif
 #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
 # include <stdio.h>
 # include <stdlib.h>
@@ -29,7 +32,7 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #  include <linux/module.h>
 # endif
 #endif
-#if defined(_KERNEL) && (__FreeBSD_version >= 220000)
+#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
 # include <sys/filio.h>
 # include <sys/fcntl.h>
 # if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
@@ -83,6 +86,9 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #include "netinet/ip_frag.h"
 #include "netinet/ip_proxy.h"
 #include "netinet/ip_state.h"
+#ifdef	USE_INET6
+#include <netinet/icmp6.h>
+#endif
 #if (__FreeBSD_version >= 300000)
 # include <sys/malloc.h>
 # if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
@@ -97,20 +103,29 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 
 #define	TCP_CLOSE	(TH_FIN|TH_RST)
 
-ipstate_t **ips_table = NULL;
-int	ips_num = 0;
-ips_stat_t ips_stats;
+static ipstate_t **ips_table = NULL;
+static ipstate_t *ips_list = NULL;
+static int	ips_num = 0;
+static ips_stat_t ips_stats;
 #if	(SOLARIS || defined(__sgi)) && defined(_KERNEL)
 extern	KRWLOCK_T	ipf_state, ipf_mutex;
 extern	kmutex_t	ipf_rw;
 #endif
 
-static int fr_matchsrcdst __P((ipstate_t *, struct in_addr, struct in_addr,
+#ifdef	USE_INET6
+static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *));
+#endif
+static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr,
 			       fr_info_t *, tcphdr_t *));
 static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
+static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *));
 static int fr_state_flush __P((int));
 static ips_stat_t *fr_statetstats __P((void));
 static void fr_delstate __P((ipstate_t *));
+static int fr_state_remove __P((caddr_t));
+int fr_stputent __P((caddr_t));
+int fr_stgetent __P((caddr_t));
+void fr_stinsert __P((ipstate_t *));
 
 
 #define	FIVE_DAYS	(2 * 5 * 86400)	/* 5 days: half closed session */
@@ -125,16 +140,29 @@ u_long	fr_tcpidletimeout = FIVE_DAYS,
 	fr_icmptimeout = 120;
 int	fr_statemax = IPSTATE_MAX,
 	fr_statesize = IPSTATE_SIZE;
-int	fr_state_doflush = 0;
+int	fr_state_doflush = 0,
+	fr_state_lock = 0;
 
+static 	int icmpreplytype4[ICMP_MAXTYPE + 1];
 
 int fr_stateinit()
 {
+	int i;
+
 	KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
 	if (ips_table != NULL)
 		bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
 	else
 		return -1;
+
+	/* fill icmp reply type table */
+	for (i = 0; i <= ICMP_MAXTYPE; i++)
+		icmpreplytype4[i] = -1;
+	icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
+	icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
+	icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
+	icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
+
 	return 0;
 }
 
@@ -143,6 +171,7 @@ static ips_stat_t *fr_statetstats()
 {
 	ips_stats.iss_active = ips_num;
 	ips_stats.iss_table = ips_table;
+	ips_stats.iss_list = ips_list;
 	return &ips_stats;
 }
 
@@ -156,7 +185,6 @@ static ips_stat_t *fr_statetstats()
 static int fr_state_flush(which)
 int which;
 {
-	register int i;
 	register ipstate_t *is, **isp;
 #if defined(_KERNEL) && !SOLARIS
 	int s;
@@ -164,48 +192,69 @@ int which;
 	int delete, removed = 0;
 
 	SPL_NET(s);
-	WRITE_ENTER(&ipf_state);
-	for (i = fr_statesize - 1; i >= 0; i--)
-		for (isp = &ips_table[i]; (is = *isp); ) {
-			delete = 0;
+	for (isp = &ips_list; (is = *isp); ) {
+		delete = 0;
 
-			switch (which)
-			{
-			case 0 :
-				delete = 1;
-				break;
-			case 1 :
-				if (is->is_p != IPPROTO_TCP)
-					break;
-				if ((is->is_state[0] != TCPS_ESTABLISHED) ||
-				    (is->is_state[1] != TCPS_ESTABLISHED))
-					delete = 1;
+		switch (which)
+		{
+		case 0 :
+			delete = 1;
+			break;
+		case 1 :
+			if (is->is_p != IPPROTO_TCP)
 				break;
-			}
+			if ((is->is_state[0] != TCPS_ESTABLISHED) ||
+			    (is->is_state[1] != TCPS_ESTABLISHED))
+				delete = 1;
+			break;
+		}
 
-			if (delete) {
-				*isp = is->is_next;
-				if (is->is_p == IPPROTO_TCP)
-					ips_stats.iss_fin++;
-				else
-					ips_stats.iss_expire++;
-				if (ips_table[i] == NULL)
-					ips_stats.iss_inuse--;
+		if (delete) {
+			if (is->is_p == IPPROTO_TCP)
+				ips_stats.iss_fin++;
+			else
+				ips_stats.iss_expire++;
 #ifdef	IPFILTER_LOG
-				ipstate_log(is, ISL_FLUSH);
+			ipstate_log(is, ISL_FLUSH);
 #endif
-				fr_delstate(is);
-				ips_num--;
-				removed++;
-			} else
-				isp = &is->is_next;
-		}
-	RWLOCK_EXIT(&ipf_state);
+			fr_delstate(is);
+			removed++;
+		} else
+			isp = &is->is_next;
+	}
 	SPL_X(s);
 	return removed;
 }
 
 
+static int fr_state_remove(data)
+caddr_t data;
+{
+	ipstate_t *sp, st;
+	int error;
+
+	sp = &st;
+	error = IRCOPYPTR(data, (caddr_t)&st, sizeof(st));
+	if (error)
+		return EFAULT;
+
+	for (sp = ips_list; sp; sp = sp->is_next)
+		if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
+		    !bcmp(&sp->is_src, &st.is_src, sizeof(st.is_src)) &&
+		    !bcmp(&sp->is_dst, &st.is_src, sizeof(st.is_dst)) &&
+		    !bcmp(&sp->is_ps, &st.is_ps, sizeof(st.is_ps))) {
+			WRITE_ENTER(&ipf_state);
+#ifdef	IPFILTER_LOG
+			ipstate_log(sp, ISL_REMOVE);
+#endif
+			fr_delstate(sp);
+			RWLOCK_EXIT(&ipf_state);
+			return 0;
+		}
+	return ESRCH;
+}
+
+
 int fr_state_ioctl(data, cmd, mode)
 caddr_t data;
 #if defined(__NetBSD__) || defined(__OpenBSD__)
@@ -215,15 +264,22 @@ int cmd;
 #endif
 int mode;
 {
-	int	arg, ret, error = 0;
+	int arg, ret, error = 0;
 
 	switch (cmd)
 	{
+	case SIOCDELST :
+		error = fr_state_remove(data);
+		break;
 	case SIOCIPFFL :
-		IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+		error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+		if (error)
+			break;
 		if (arg == 0 || arg == 1) {
+			WRITE_ENTER(&ipf_state);
 			ret = fr_state_flush(arg);
-			IWCOPY((caddr_t)&ret, data, sizeof(ret));
+			RWLOCK_EXIT(&ipf_state);
+			error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
 		} else
 			error = EINVAL;
 		break;
@@ -231,19 +287,41 @@ int mode;
 	case SIOCIPFFB :
 		if (!(mode & FWRITE))
 			error = EPERM;
-		else
-			*(int *)data = ipflog_clear(IPL_LOGSTATE);
+		else {
+			int tmp;
+
+			tmp = ipflog_clear(IPL_LOGSTATE);
+			IWCOPY((char *)&tmp, data, sizeof(tmp));
+		}
 		break;
 #endif
-	case SIOCGIPST :
-		IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
+	case SIOCGETFS :
+		error = IWCOPYPTR((caddr_t)fr_statetstats(), data,
+				  sizeof(ips_stat_t));
 		break;
 	case FIONREAD :
 #ifdef	IPFILTER_LOG
-		IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
-		       sizeof(iplused[IPL_LOGSTATE]));
+		error = IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
+			       sizeof(iplused[IPL_LOGSTATE]));
 #endif
 		break;
+	case SIOCSTLCK :
+		error = fr_lock(data, &fr_state_lock);
+		break;
+	case SIOCSTPUT :
+		if (!fr_state_lock) {
+			error = EACCES;
+			break;
+		}
+		error = fr_stputent(data);
+		break;
+	case SIOCSTGET :
+		if (!fr_state_lock) {
+			error = EACCES;
+			break;
+		}
+		error = fr_stgetent(data);
+		break;
 	default :
 		error = EINVAL;
 		break;
@@ -410,18 +488,22 @@ ip_t *ip;
 fr_info_t *fin;
 u_int flags;
 {
+	register tcphdr_t *tcp = NULL;
 	register ipstate_t *is;
 	register u_int hv;
 	ipstate_t ips;
 	u_int pass;
+	int out;
 
-	if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
+	if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
+	    (fin->fin_fi.fi_fl & FI_SHORT))
 		return NULL;
 	if (ips_num == fr_statemax) {
 		ips_stats.iss_max++;
 		fr_state_doflush = 1;
 		return NULL;
 	}
+	out = fin->fin_out;
 	is = &ips;
 	bzero((char *)is, sizeof(*is));
 	ips.is_age = 1;
@@ -430,38 +512,71 @@ u_int flags;
 	/*
 	 * Copy and calculate...
 	 */
-	hv = (is->is_p = ip->ip_p);
-	hv += (is->is_src.s_addr = ip->ip_src.s_addr);
-	hv += (is->is_dst.s_addr = ip->ip_dst.s_addr);
+	hv = (is->is_p = fin->fin_fi.fi_p);
+	is->is_src = fin->fin_fi.fi_src;
+	hv += is->is_saddr;
+	is->is_dst = fin->fin_fi.fi_dst;
+	hv += is->is_daddr;
+#ifdef	USE_INET6
+	if (fin->fin_v == 6) {
+		if (is->is_p == IPPROTO_ICMPV6) {
+			if (IN6_IS_ADDR_MULTICAST(&is->is_dst.in6))
+				flags |= FI_W_DADDR;
+			if (out)
+				hv -= is->is_daddr;
+			else
+				hv -= is->is_saddr;
+		}
+	}
+#endif
 
-	switch (ip->ip_p)
+	switch (is->is_p)
 	{
+#ifdef	USE_INET6
+	case IPPROTO_ICMPV6 :
+#endif
 	case IPPROTO_ICMP :
 	    {
 		struct icmp *ic = (struct icmp *)fin->fin_dp;
 
+#ifdef	USE_INET6
+		if ((is->is_p == IPPROTO_ICMPV6) &&
+		    ((ic->icmp_type & ICMP6_INFOMSG_MASK) == 0))
+			return NULL;
+#endif
 		switch (ic->icmp_type)
 		{
-		case ICMP_ECHO :
-			is->is_icmp.ics_type = ICMP_ECHOREPLY;	/* XXX */
+#ifdef	USE_INET6
+		case ICMP6_ECHO_REQUEST :
+			is->is_icmp.ics_type = ICMP6_ECHO_REPLY;
 			hv += (is->is_icmp.ics_id = ic->icmp_id);
 			hv += (is->is_icmp.ics_seq = ic->icmp_seq);
 			break;
+		case ICMP6_MEMBERSHIP_QUERY :
+		case ND_ROUTER_SOLICIT :
+		case ND_NEIGHBOR_SOLICIT :
+			is->is_icmp.ics_type = ic->icmp_type + 1;
+			break;
+			break;
+#endif
+		case ICMP_ECHO :
 		case ICMP_TSTAMP :
 		case ICMP_IREQ :
 		case ICMP_MASKREQ :
-			is->is_icmp.ics_type = ic->icmp_type + 1;
+			is->is_icmp.ics_type = ic->icmp_type;
+			hv += (is->is_icmp.ics_id = ic->icmp_id);
+			hv += (is->is_icmp.ics_seq = ic->icmp_seq);
 			break;
 		default :
 			return NULL;
 		}
-		ATOMIC_INC(ips_stats.iss_icmp);
+		ATOMIC_INCL(ips_stats.iss_icmp);
 		is->is_age = fr_icmptimeout;
 		break;
 	    }
 	case IPPROTO_TCP :
 	    {
-		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
+		tcp = (tcphdr_t *)fin->fin_dp;
 
 		if (tcp->th_flags & TH_RST)
 			return NULL;
@@ -475,14 +590,13 @@ u_int flags;
 			hv += tcp->th_dport;
 			hv += tcp->th_sport;
 		}
-		if (tcp->th_seq != 0) {
-			is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
-				      fin->fin_hlen - (tcp->th_off << 2) +
-				      ((tcp->th_flags & TH_SYN) ? 1 : 0) +
-				      ((tcp->th_flags & TH_FIN) ? 1 : 0);
-			is->is_maxsend = is->is_send + 1;
-		}
+		is->is_send = ntohl(tcp->th_seq) + ip->ip_len -
+			      fin->fin_hlen - (tcp->th_off << 2) +
+			      ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+			      ((tcp->th_flags & TH_FIN) ? 1 : 0);
+		is->is_maxsend = is->is_send;
 		is->is_dend = 0;
+		is->is_maxdwin = 1;
 		is->is_maxswin = ntohs(tcp->th_win);
 		if (is->is_maxswin == 0)
 			is->is_maxswin = 1;
@@ -491,16 +605,12 @@ u_int flags;
 		 * timer on it as we'll never see an error if it fails to
 		 * connect.
 		 */
-		MUTEX_ENTER(&ipf_rw);
-		ips_stats.iss_tcp++;
-		fr_tcp_age(&is->is_age, is->is_state, ip, fin,
-			   tcp->th_sport == is->is_sport);
-		MUTEX_EXIT(&ipf_rw);
+		ATOMIC_INCL(ips_stats.iss_tcp);
 		break;
 	    }
 	case IPPROTO_UDP :
 	    {
-		register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
+		tcp = (tcphdr_t *)fin->fin_dp;
 
 		is->is_dport = tcp->th_dport;
 		is->is_sport = tcp->th_sport;
@@ -508,7 +618,7 @@ u_int flags;
 			hv += tcp->th_dport;
 			hv += tcp->th_sport;
 		}
-		ATOMIC_INC(ips_stats.iss_udp);
+		ATOMIC_INCL(ips_stats.iss_udp);
 		is->is_age = fr_udptimeout;
 		break;
 	    }
@@ -518,30 +628,29 @@ u_int flags;
 
 	KMALLOC(is, ipstate_t *);
 	if (is == NULL) {
-		ATOMIC_INC(ips_stats.iss_nomem);
+		ATOMIC_INCL(ips_stats.iss_nomem);
 		return NULL;
 	}
 	bcopy((char *)&ips, (char *)is, sizeof(*is));
 	hv %= fr_statesize;
-	RW_UPGRADE(&ipf_mutex);
+	is->is_hv = hv;
 	is->is_rule = fin->fin_fr;
 	if (is->is_rule != NULL) {
-		is->is_rule->fr_ref++;
+		ATOMIC_INC32(is->is_rule->fr_ref);
 		pass = is->is_rule->fr_flags;
 	} else
 		pass = fr_flags;
-	MUTEX_DOWNGRADE(&ipf_mutex);
 	WRITE_ENTER(&ipf_state);
 
-	is->is_rout = pass & FR_OUTQUE ? 1 : 0;
 	is->is_pass = pass;
 	is->is_pkts = 1;
-	is->is_bytes = ip->ip_len;
+	is->is_bytes = fin->fin_dlen + fin->fin_hlen;
 	/*
 	 * We want to check everything that is a property of this packet,
 	 * but we don't (automatically) care about it's fragment status as
 	 * this may change.
 	 */
+	is->is_v = fin->fin_fi.fi_v;
 	is->is_opt = fin->fin_fi.fi_optmsk;
 	is->is_optmsk = 0xffffffff;
 	is->is_sec = fin->fin_fi.fi_secmsk;
@@ -550,29 +659,28 @@ u_int flags;
 	is->is_authmsk = 0xffff;
 	is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
 	is->is_flags |= FI_CMP << 4;
-	is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT);
-	/*
-	 * add into table.
-	 */
-	is->is_next = ips_table[hv];
-	ips_table[hv] = is;
-	if (is->is_next == NULL)
-		ips_stats.iss_inuse++;
-	if (fin->fin_out) {
-		is->is_ifpin = NULL;
-		is->is_ifpout = fin->fin_ifp;
-	} else {
-		is->is_ifpin = fin->fin_ifp;
-		is->is_ifpout = NULL;
-	}
+	is->is_flags |= flags & (FI_WILDP|FI_WILDA);
+	is->is_ifp[1 - out] = NULL;
+	is->is_ifp[out] = fin->fin_ifp;
+#ifdef	_KERNEL
+	strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp), IFNAMSIZ);
+#endif
+	is->is_ifname[1 - out][0] = '\0';
 	if (pass & FR_LOGFIRST)
 		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
-	ATOMIC_INC(ips_num);
+	fr_stinsert(is);
+	ips_num++;
+	if (is->is_p == IPPROTO_TCP) {
+		MUTEX_ENTER(&is->is_lock);
+		fr_tcp_age(&is->is_age, is->is_state, fin,
+			   tcp->th_sport == is->is_sport);
+		MUTEX_EXIT(&is->is_lock);
+	}
 #ifdef	IPFILTER_LOG
 	ipstate_log(is, ISL_NEW);
 #endif
 	RWLOCK_EXIT(&ipf_state);
-	fin->fin_rev = (is->is_dst.s_addr != ip->ip_dst.s_addr);
+	fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
 	if (fin->fin_fi.fi_fl & FI_FRAG)
 		ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
 	return is;
@@ -601,13 +709,13 @@ tcphdr_t *tcp;
 	/*
 	 * Find difference between last checked packet and this packet.
 	 */
-	source = (ip->ip_src.s_addr == is->is_src.s_addr);
+	source = IP6EQ(fin->fin_fi.fi_src, is->is_src);
 	fdata = &is->is_tcp.ts_data[!source];
 	tdata = &is->is_tcp.ts_data[source];
 	seq = ntohl(tcp->th_seq);
 	ack = ntohl(tcp->th_ack);
 	win = ntohs(tcp->th_win);
-	end = seq + ip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
+	end = seq + fin->fin_dlen - (tcp->th_off << 2) +
 	       ((tcp->th_flags & TH_SYN) ? 1 : 0) +
 	       ((tcp->th_flags & TH_FIN) ? 1 : 0);
 
@@ -622,9 +730,6 @@ tcphdr_t *tcp;
 
 	if (!(tcp->th_flags & TH_ACK)) {  /* Pretend an ack was sent */
 		ack = tdata->td_end;
-		win = 1;
-		if ((tcp->th_flags == TH_SYN) && (tdata->td_maxwin == 0))
-			 tdata->td_maxwin = 1;
 	} else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
 		   (ack == 0)) {
 		/* gross hack to get around certain broken tcp stacks */
@@ -673,15 +778,15 @@ tcphdr_t *tcp;
 				tdata->td_maxend++;
 		}
 
-		ATOMIC_INC(ips_stats.iss_hits);
+		ATOMIC_INCL(ips_stats.iss_hits);
 		is->is_pkts++;
-		is->is_bytes += ip->ip_len;
+		is->is_bytes += fin->fin_dlen + fin->fin_hlen;
 		/*
 		 * Nearing end of connection, start timeout.
 		 */
-		MUTEX_ENTER(&ipf_rw);
-		fr_tcp_age(&is->is_age, is->is_state, ip, fin, source);
-		MUTEX_EXIT(&ipf_rw);
+		MUTEX_ENTER(&is->is_lock);
+		fr_tcp_age(&is->is_age, is->is_state, fin, source);
+		MUTEX_EXIT(&is->is_lock);
 		ret = 1;
 	}
 	return ret;
@@ -690,7 +795,7 @@ tcphdr_t *tcp;
 
 static int fr_matchsrcdst(is, src, dst, fin, tcp)
 ipstate_t *is;
-struct in_addr src, dst;
+union i6addr src, dst;
 fr_info_t *fin;
 tcphdr_t *tcp;
 {
@@ -698,7 +803,7 @@ tcphdr_t *tcp;
 	u_short sp, dp;
 	void *ifp;
 
-	rev = fin->fin_rev = (is->is_dst.s_addr != dst.s_addr);
+	rev = fin->fin_rev = IP6NEQ(is->is_dst, dst);
 	ifp = fin->fin_ifp;
 	out = fin->fin_out;
 
@@ -707,14 +812,14 @@ tcphdr_t *tcp;
 		sp = tcp->th_sport;
 		dp = tcp->th_dport;
 	} else {
-		flags = 0;
+		flags = is->is_flags & FI_WILDA;
 		sp = 0;
 		dp = 0;
 	}
 
 	if (rev == 0) {
 		if (!out) {
-			if (is->is_ifpin == ifp)
+			if (is->is_ifpin == NULL || is->is_ifpin == ifp)
 				ret = 1;
 		} else {
 			if (is->is_ifpout == NULL || is->is_ifpout == ifp)
@@ -722,7 +827,7 @@ tcphdr_t *tcp;
 		}
 	} else {
 		if (out) {
-			if (is->is_ifpin == ifp)
+			if (is->is_ifpin == NULL || is->is_ifpin == ifp)
 				ret = 1;
 		} else {
 			if (is->is_ifpout == NULL || is->is_ifpout == ifp)
@@ -734,15 +839,17 @@ tcphdr_t *tcp;
 	ret = 0;
 
 	if (rev == 0) {
-		if ((is->is_dst.s_addr == dst.s_addr) &&
-		    (is->is_src.s_addr == src.s_addr) &&
+		if (
+		    (IP6EQ(is->is_dst, dst) || (flags & FI_W_DADDR)) &&
+		    (IP6EQ(is->is_src, src) || (flags & FI_W_SADDR)) &&
 		    (!tcp || ((sp == is->is_sport || flags & FI_W_SPORT) &&
 		     (dp == is->is_dport || flags & FI_W_DPORT)))) {
 			ret = 1;
 		}
 	} else {
-		if ((is->is_dst.s_addr == src.s_addr) &&
-		    (is->is_src.s_addr == dst.s_addr) &&
+		if (
+		    (IP6EQ(is->is_dst, src) || (flags & FI_W_DADDR)) &&
+		    (IP6EQ(is->is_src, dst) || (flags & FI_W_SADDR)) &&
 		    (!tcp || ((sp == is->is_dport || flags & FI_W_DPORT) &&
 		     (dp == is->is_sport || flags & FI_W_SPORT)))) {
 			ret = 1;
@@ -787,34 +894,80 @@ tcphdr_t *tcp;
 		is->is_flags &= ~(FI_W_SPORT|FI_W_DPORT);
 	}
 
+	ret = -1;
+
 	if (!rev) {
-		if (out && (out == is->is_rout)) {
+		if (out) {
 			if (!is->is_ifpout)
-				is->is_ifpout = ifp;
+				ret = 1;
 		} else {
 			if (!is->is_ifpin)
-				is->is_ifpin = ifp;
+				ret = 0;
 		}
 	} else {
-		if (!out && (out != is->is_rout)) {
+		if (out) {
 			if (!is->is_ifpin)
-				is->is_ifpin = ifp;
+				ret = 0;
 		} else {
 			if (!is->is_ifpout)
-				is->is_ifpout = ifp;
+				ret = 1;
 		}
 	}
+
+	if (ret >= 0) {
+		is->is_ifp[ret] = ifp;
+#ifdef	_KERNEL
+		strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
+			sizeof(is->is_ifname[1]));
+#endif
+	}
+#ifdef  _KERNEL
+	if (ret >= 0) {
+		strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
+			sizeof(is->is_ifname[1]));
+	}
+#endif
 	return 1;
 }
 
-frentry_t *fr_checkicmpmatchingstate(ip, fin)
+static int fr_matchicmpqueryreply(v, is, icmp)
+int v;
+ipstate_t *is;
+icmphdr_t *icmp;
+{
+	if (v == 4) {
+		/*
+		 * If we matched its type on the way in, then when going out
+		 * it will still be the same type.
+		 */
+		if (((icmp->icmp_type == is->is_type) ||
+		     (icmpreplytype4[is->is_type] == icmp->icmp_type)) &&
+		    (icmp->icmp_id == is->is_icmp.ics_id) &&
+		    (icmp->icmp_seq == is->is_icmp.ics_seq)) {
+			return 1;
+		};
+	}
+#ifdef	USE_INET6
+	else if (is->is_v == 6) {
+		if ((is->is_type == ICMP6_ECHO_REPLY) &&
+		    (icmp->icmp_type == ICMP6_ECHO_REQUEST) &&
+		    (icmp->icmp_id == is->is_icmp.ics_id) &&
+		    (icmp->icmp_seq == is->is_icmp.ics_seq)) {
+			return 1;
+		};
+	}
+#endif
+	return 0;
+}
+
+static frentry_t *fr_checkicmpmatchingstate(ip, fin)
 ip_t *ip;
 fr_info_t *fin;
 {
-	register struct in_addr	dst, src;
 	register ipstate_t *is, **isp;
 	register u_short sport, dport;
 	register u_char	pr;
+	union i6addr dst, src;
 	struct icmp *ic;
 	u_short savelen;
 	fr_info_t ofin;
@@ -830,9 +983,10 @@ fr_info_t *fin;
 	 * Only a basic IP header (no options) should be with
 	 * an ICMP error header.
 	 */
-	if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
+	if (((ip->ip_v != 4) && (ip->ip_hl != 5)) ||
+	    (fin->fin_plen < ICMPERR_MINPKTLEN))
 		return NULL;
-	ic = (struct icmp *)((char *)ip + fin->fin_hlen);
+	ic = (struct icmp *)fin->fin_dp;
 	type = ic->icmp_type;
 	/*
 	 * If it's not an error type, then return
@@ -842,12 +996,11 @@ fr_info_t *fin;
     	    (type != ICMP_PARAMPROB))
 		return NULL;
 
-	oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
-	if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+	oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
+	if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
 		return NULL;
 
 	if (oip->ip_p == IPPROTO_ICMP) {
-
 		icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
 
 		/*
@@ -866,14 +1019,13 @@ fr_info_t *fin;
 		/*
 		 * perform a lookup of the ICMP packet in the state table
 		 */
-
 		hv = (pr = oip->ip_p);
-		hv += (src.s_addr = oip->ip_src.s_addr);
-		hv += (dst.s_addr = oip->ip_dst.s_addr);
-		if (icmp->icmp_type == ICMP_ECHO) {
-			hv += icmp->icmp_id;
-			hv += icmp->icmp_seq;
-		}
+		src.in4 = oip->ip_src;
+		hv += src.in4.s_addr;
+		dst.in4 = oip->ip_dst;
+		hv += dst.in4.s_addr;
+		hv += icmp->icmp_id;
+		hv += icmp->icmp_seq;
 		hv %= fr_statesize;
 
 		oip->ip_len = ntohs(oip->ip_len);
@@ -884,26 +1036,16 @@ fr_info_t *fin;
 		ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
 
 		READ_ENTER(&ipf_state);
-		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
-			if ((is->is_p == pr) &&
-			    fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
-			    	/*
-			    	 * in the state table ICMP query's are stored
-			    	 * with the type of the corresponding ICMP
-			    	 * response. Correct here
-			    	 */
-				if (((is->is_type == ICMP_ECHOREPLY) &&
-				     (icmp->icmp_id == is->is_icmp.ics_id) &&
-				     (icmp->icmp_seq == is->is_icmp.ics_seq) &&
-				     (icmp->icmp_type == ICMP_ECHO)) ||
-				    (is->is_type - 1 == ic->icmp_type)) {
-				    	ips_stats.iss_hits++;
-    		                        is->is_pkts++;
-                	                is->is_bytes += ip->ip_len;
-					fr = is->is_rule;
-					RWLOCK_EXIT(&ipf_state);
-					return fr;
-				}
+		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
+			if ((is->is_p == pr) && (is->is_v == 4) &&
+			    fr_matchsrcdst(is, src, dst, &ofin, NULL) &&
+			    fr_matchicmpqueryreply(is->is_v, is, icmp)) {
+				ips_stats.iss_hits++;
+				is->is_pkts++;
+				is->is_bytes += ip->ip_len;
+				fr = is->is_rule;
+				RWLOCK_EXIT(&ipf_state);
+				return fr;
 			}
 		RWLOCK_EXIT(&ipf_state);
 		return NULL;
@@ -917,8 +1059,10 @@ fr_info_t *fin;
 	sport = tcp->th_sport;
 
 	hv = (pr = oip->ip_p);
-	hv += (src.s_addr = oip->ip_src.s_addr);
-	hv += (dst.s_addr = oip->ip_dst.s_addr);
+	src.in4 = oip->ip_src;
+	hv += src.in4.s_addr;
+	dst.in4 = oip->ip_dst;
+	hv += dst.in4.s_addr;
 	hv += dport;
 	hv += sport;
 	hv %= fr_statesize;
@@ -940,7 +1084,7 @@ fr_info_t *fin;
 	ofin.fin_out = !fin->fin_out;
 	ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
 	READ_ENTER(&ipf_state);
-	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
+	for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
 		/*
 		 * Only allow this icmp though if the
 		 * encapsulated packet was allowed through the
@@ -948,7 +1092,7 @@ fr_info_t *fin;
 		 * of info present does not allow for checking against
 		 * tcp internals such as seq and ack numbers.
 		 */
-		if ((is->is_p == pr) &&
+		if ((is->is_p == pr) && (is->is_v == 4) &&
 		    fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
 			fr = is->is_rule;
 			ips_stats.iss_hits++;
@@ -957,7 +1101,7 @@ fr_info_t *fin;
 			 * comes the other way around
 			 */
 			is->is_pkts++;
-			is->is_bytes += ip->ip_len;
+			is->is_bytes += fin->fin_plen;
 			/*
 			 * we deliberately do not touch the timeouts
 			 * for the accompanying state table entry.
@@ -978,51 +1122,63 @@ frentry_t *fr_checkstate(ip, fin)
 ip_t *ip;
 fr_info_t *fin;
 {
-	register struct in_addr dst, src;
+	union i6addr dst, src;
 	register ipstate_t *is, **isp;
 	register u_char pr;
-	u_int hv, hvm, hlen, tryagain, pass;
+	u_int hv, hvm, hlen, tryagain, pass, v;
 	struct icmp *ic;
 	frentry_t *fr;
 	tcphdr_t *tcp;
 
-	if ((ip->ip_off & IP_OFFMASK) || (fin->fin_fi.fi_fl & FI_SHORT))
+	if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
+	    (fin->fin_fi.fi_fl & FI_SHORT))
 		return NULL;
 
 	is = NULL;
 	hlen = fin->fin_hlen;
 	tcp = (tcphdr_t *)((char *)ip + hlen);
 	ic = (struct icmp *)tcp;
-	hv = (pr = ip->ip_p);
-	hv += (src.s_addr = ip->ip_src.s_addr);
-	hv += (dst.s_addr = ip->ip_dst.s_addr);
+	hv = (pr = fin->fin_fi.fi_p);
+	src = fin->fin_fi.fi_src;
+	dst = fin->fin_fi.fi_dst;
+	hv += src.in4.s_addr;
+	hv += dst.in4.s_addr;
 
 	/*
 	 * Search the hash table for matching packet header info.
 	 */
-	switch (ip->ip_p)
+	v = fin->fin_fi.fi_v;
+	switch (fin->fin_fi.fi_p)
 	{
+#ifdef	USE_INET6
+	case IPPROTO_ICMPV6 :
+		if (v == 6) {
+			if (fin->fin_out)
+				hv -= dst.in4.s_addr;
+			else
+				hv -= src.in4.s_addr;
+			if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
+			    (ic->icmp_type == ICMP6_ECHO_REPLY)) {
+				hv += ic->icmp_id;
+				hv += ic->icmp_seq;
+			}
+		}
+#endif
 	case IPPROTO_ICMP :
-		if ((ic->icmp_type == ICMP_ECHO) ||
-		    (ic->icmp_type == ICMP_ECHOREPLY)) {
+		if (v == 4) {
 			hv += ic->icmp_id;
 			hv += ic->icmp_seq;
 		}
 		hv %= fr_statesize;
 		READ_ENTER(&ipf_state);
-		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
-			if ((is->is_p == pr) &&
-			    fr_matchsrcdst(is, src, dst, fin, NULL)) {
-				if ((is->is_type == ICMP_ECHOREPLY) &&
-				    (ic->icmp_type == ICMP_ECHO) &&
-				    (ic->icmp_id == is->is_icmp.ics_id) &&
-				    (ic->icmp_seq == is->is_icmp.ics_seq))
-					;
-				else if (is->is_type != ic->icmp_type)
-					continue;
+		for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
+			if ((is->is_p == pr) && (is->is_v == v) &&
+			    fr_matchsrcdst(is, src, dst, fin, NULL) &&
+			    fr_matchicmpqueryreply(v, is, ic)) {
 				is->is_age = fr_icmptimeout;
 				break;
 			}
+		}
 		if (is != NULL)
 			break;
 		RWLOCK_EXIT(&ipf_state);
@@ -1030,7 +1186,12 @@ fr_info_t *fin;
 		 * No matching icmp state entry. Perhaps this is a
 		 * response to another state entry.
 		 */
-		fr = fr_checkicmpmatchingstate(ip, fin);
+#ifdef	USE_INET6
+		if (v == 6)
+			fr = fr_checkicmp6matchingstate((ip6_t *)ip, fin);
+		else
+#endif
+			fr = fr_checkicmpmatchingstate(ip, fin);
 		if (fr)
 			return fr;
 		break;
@@ -1043,22 +1204,13 @@ retry_tcp:
 		hvm = hv % fr_statesize;
 		WRITE_ENTER(&ipf_state);
 		for (isp = &ips_table[hvm]; (is = *isp);
-		     isp = &is->is_next)
-			if ((is->is_p == pr) &&
+		     isp = &is->is_hnext)
+
+
+			if ((is->is_p == pr) && (is->is_v == v) &&
 			    fr_matchsrcdst(is, src, dst, fin, tcp)) {
-				if (fr_tcpstate(is, fin, ip, tcp)) {
-#ifndef	_KERNEL
-					if (tcp->th_flags & TCP_CLOSE) {
-						*isp = is->is_next;
-						isp = &ips_table[hvm];
-						if (ips_table[hvm] == NULL)
-							ips_stats.iss_inuse--;
-						fr_delstate(is);
-						ips_num--;
-					}
-#endif
+				if (fr_tcpstate(is, fin, ip, tcp))
 					break;
-				}
 				is = NULL;
 				break;
 			}
@@ -1084,8 +1236,8 @@ retry_udp:
 		 * Nothing else to match on but ports. and IP#'s
 		 */
 		READ_ENTER(&ipf_state);
-		for (is = ips_table[hvm]; is; is = is->is_next)
-			if ((is->is_p == pr) &&
+		for (is = ips_table[hvm]; is; is = is->is_hnext)
+			if ((is->is_p == pr) && (is->is_v == v) &&
 			    fr_matchsrcdst(is, src, dst, fin, tcp)) {
 				is->is_age = fr_udptimeout;
 				break;
@@ -1105,17 +1257,21 @@ retry_udp:
 		break;
 	}
 	if (is == NULL) {
-		ATOMIC_INC(ips_stats.iss_miss);
+		ATOMIC_INCL(ips_stats.iss_miss);
 		return NULL;
 	}
-	MUTEX_ENTER(&ipf_rw);
-	is->is_bytes += ip->ip_len;
+	MUTEX_ENTER(&is->is_lock);
+	is->is_bytes += fin->fin_plen;
 	ips_stats.iss_hits++;
 	is->is_pkts++;
-	MUTEX_EXIT(&ipf_rw);
+	MUTEX_EXIT(&is->is_lock);
 	fr = is->is_rule;
 	fin->fin_fr = fr;
 	pass = is->is_pass;
+#ifndef	_KERNEL
+	if (tcp->th_flags & TCP_CLOSE)
+		fr_delstate(is);
+#endif
 	RWLOCK_EXIT(&ipf_state);
 	if (fin->fin_fi.fi_fl & FI_FRAG)
 		ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
@@ -1123,18 +1279,53 @@ retry_udp:
 }
 
 
+void ip_statesync(ifp)
+void *ifp;
+{
+	register ipstate_t *is;
+
+	WRITE_ENTER(&ipf_state);
+	for (is = ips_list; is; is = is->is_next) {
+		if (is->is_ifpin == ifp) {
+			is->is_ifpin = GETUNIT(is->is_ifname[0], is->is_v);
+			if (!is->is_ifpin)
+				is->is_ifpin = (void *)-1;
+		}
+		if (is->is_ifpout == ifp) {
+			is->is_ifpout = GETUNIT(is->is_ifname[1], is->is_v);
+			if (!is->is_ifpout)
+				is->is_ifpout = (void *)-1;
+		}
+	}
+	RWLOCK_EXIT(&ipf_state);
+}
+
+
 static void fr_delstate(is)
 ipstate_t *is;
 {
 	frentry_t *fr;
 
+	if (is->is_next)
+		is->is_next->is_pnext = is->is_pnext;
+	*is->is_pnext = is->is_next;
+	if (is->is_hnext)
+		is->is_hnext->is_phnext = is->is_phnext;
+	*is->is_phnext = is->is_hnext;
+	if (ips_table[is->is_hv] == NULL)
+		ips_stats.iss_inuse--;
+
 	fr = is->is_rule;
 	if (fr != NULL) {
-		ATOMIC_DEC(fr->fr_ref);
+		ATOMIC_DEC32(fr->fr_ref);
 		if (fr->fr_ref == 0)
 			KFREE(fr);
 	}
+#ifdef	_KERNEL
+	MUTEX_DESTROY(&is->is_lock);
+#endif
 	KFREE(is);
+	ips_num--;
 }
 
 
@@ -1143,16 +1334,11 @@ ipstate_t *is;
  */
 void fr_stateunload()
 {
-	register int i;
-	register ipstate_t *is, **isp;
+	register ipstate_t *is;
 
 	WRITE_ENTER(&ipf_state);
-	for (i = fr_statesize - 1; i >= 0; i--)
-		for (isp = &ips_table[i]; (is = *isp); ) {
-			*isp = is->is_next;
-			fr_delstate(is);
-			ips_num--;
-		}
+	while ((is = ips_list))
+		fr_delstate(is);
 	ips_stats.iss_inuse = 0;
 	ips_num = 0;
 	RWLOCK_EXIT(&ipf_state);
@@ -1167,7 +1353,6 @@ void fr_stateunload()
  */
 void fr_timeoutstate()
 {
-	register int i;
 	register ipstate_t *is, **isp;
 #if defined(_KERNEL) && !SOLARIS
 	int s;
@@ -1175,23 +1360,18 @@ void fr_timeoutstate()
 
 	SPL_NET(s);
 	WRITE_ENTER(&ipf_state);
-	for (i = fr_statesize - 1; i >= 0; i--)
-		for (isp = &ips_table[i]; (is = *isp); )
-			if (is->is_age && !--is->is_age) {
-				*isp = is->is_next;
-				if (is->is_p == IPPROTO_TCP)
-					ips_stats.iss_fin++;
-				else
-					ips_stats.iss_expire++;
-				if (ips_table[i] == NULL)
-					ips_stats.iss_inuse--;
+	for (isp = &ips_list; (is = *isp); )
+		if (is->is_age && !--is->is_age) {
+			if (is->is_p == IPPROTO_TCP)
+				ips_stats.iss_fin++;
+			else
+				ips_stats.iss_expire++;
 #ifdef	IPFILTER_LOG
-				ipstate_log(is, ISL_EXPIRE);
+			ipstate_log(is, ISL_EXPIRE);
 #endif
-				fr_delstate(is);
-				ips_num--;
-			} else
-				isp = &is->is_next;
+			fr_delstate(is);
+		} else
+			isp = &is->is_next;
 	RWLOCK_EXIT(&ipf_state);
 	SPL_X(s);
 	if (fr_state_doflush) {
@@ -1205,10 +1385,9 @@ void fr_timeoutstate()
  * Original idea freom Pradeep Krishnan for use primarily with NAT code.
  * (pkrishna@netcom.com)
  */
-void fr_tcp_age(age, state, ip, fin, dir)
+void fr_tcp_age(age, state, fin, dir)
 u_long *age;
 u_char *state;
-ip_t *ip;
 fr_info_t *fin;
 int dir;
 {
@@ -1218,7 +1397,7 @@ int dir;
 
 	ostate = state[1 - dir];
 
-	dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
+	dlen = fin->fin_plen - fin->fin_hlen - (tcp->th_off << 2);
 
 	if (flags & TH_RST) {
 		if (!(tcp->th_flags & TH_PUSH) && !dlen) {
@@ -1313,6 +1492,7 @@ u_int type;
 	ipsl.isl_src = is->is_src;
 	ipsl.isl_dst = is->is_dst;
 	ipsl.isl_p = is->is_p;
+	ipsl.isl_v = is->is_v;
 	ipsl.isl_flags = is->is_flags;
 	if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
 		ipsl.isl_sport = is->is_sport;
@@ -1336,11 +1516,23 @@ u_int type;
 #endif
 
 
-void ip_statesync(ifp)
-void *ifp;
+#ifdef	USE_INET6
+frentry_t *fr_checkicmp6matchingstate(ip, fin)
+ip6_t *ip;
+fr_info_t *fin;
 {
-	register ipstate_t *is;
-	register int i;
+	register ipstate_t *is, **isp;
+	register u_short sport, dport;
+	register u_char	pr;
+	struct icmp6_hdr *ic, *oic;
+	union i6addr dst, src;
+	u_short savelen;
+	fr_info_t ofin;
+	tcphdr_t *tcp;
+	frentry_t *fr;
+	ip6_t *oip;
+	int type;
+	u_int hv;
 
 	/*
 	 * Does it at least have the return (basic) IP header ?
@@ -1477,5 +1669,8 @@ void *ifp;
 			RWLOCK_EXIT(&ipf_state);
 			return fr;
 		}
+	}
 	RWLOCK_EXIT(&ipf_state);
+	return NULL;
 }
+#endif
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
index 5addb7d444a2..2374068b6688 100644
--- a/sys/netinet/ip_state.h
+++ b/sys/netinet/ip_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1995-1998 by Darren Reed.
+ * Copyright (C) 1995-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
@@ -53,17 +53,20 @@ typedef	struct tcpstate {
 
 typedef struct ipstate {
 	struct	ipstate	*is_next;
+	struct	ipstate	**is_pnext;
+	struct	ipstate	*is_hnext;
+	struct	ipstate	**is_phnext;
 	u_long	is_age;
 	u_int	is_pass;
 	U_QUAD_T	is_pkts;
 	U_QUAD_T	is_bytes;
-	void	*is_ifpin;
-	void	*is_ifpout;
+	void	*is_ifp[2];
 	frentry_t	*is_rule;
-	struct	in_addr	is_src;
-	struct	in_addr	is_dst;
+	union	i6addr	is_src;
+	union	i6addr	is_dst;
 	u_char	is_p;			/* Protocol */
-	u_char	is_rout;		/* Is rule in/out ? */
+	u_char	is_v;
+	u_int	is_hv;
 	u_32_t	is_flags;
 	u_32_t	is_opt;			/* packet options set */
 	u_32_t	is_optmsk;		/*    "      "    mask */
@@ -76,15 +79,21 @@ typedef struct ipstate {
 		tcpstate_t	is_ts;
 		udpstate_t	is_us;
 	} is_ps;
+	char	is_ifname[2][IFNAMSIZ];
+#if SOLARIS || defined(__sgi)
+	kmutex_t	is_lock;
+#endif
 } ipstate_t;
 
-#define	is_icmp	is_ps.is_ics
-#define	is_type	is_icmp.ics_type
-#define	is_code	is_icmp.ics_code
-#define	is_tcp	is_ps.is_ts
-#define	is_udp	is_ps.is_us
-#define is_send	is_tcp.ts_data[0].td_end
-#define is_dend	is_tcp.ts_data[1].td_end
+#define	is_saddr	is_src.in4.s_addr
+#define	is_daddr	is_dst.in4.s_addr
+#define	is_icmp		is_ps.is_ics
+#define	is_type		is_icmp.ics_type
+#define	is_code		is_icmp.ics_code
+#define	is_tcp		is_ps.is_ts
+#define	is_udp		is_ps.is_us
+#define is_send		is_tcp.ts_data[0].td_end
+#define is_dend		is_tcp.ts_data[1].td_end
 #define is_maxswin	is_tcp.ts_data[0].td_maxwin
 #define is_maxdwin	is_tcp.ts_data[1].td_maxwin
 #define is_maxsend	is_tcp.ts_data[0].td_maxend
@@ -92,6 +101,8 @@ typedef struct ipstate {
 #define	is_sport	is_tcp.ts_sport
 #define	is_dport	is_tcp.ts_dport
 #define	is_state	is_tcp.ts_state
+#define	is_ifpin	is_ifp[0]
+#define	is_ifpout	is_ifp[1]
 
 #define	TH_OPENING	(TH_SYN|TH_ACK)
 /*
@@ -103,21 +114,30 @@ typedef struct ipstate {
  * Bits 8,9 are used to indicate wildcard source/destination port matching.
  */
 
+typedef	struct	ipstate_save	{
+	void	*ips_next;
+	struct	ipstate	ips_is;
+	struct	frentry	ips_fr;
+} ipstate_save_t;
+
+#define	ips_rule	ips_is.is_rule
+
 
 typedef	struct	ipslog	{
 	U_QUAD_T	isl_pkts;
 	U_QUAD_T	isl_bytes;
-	struct	in_addr	isl_src;
-	struct	in_addr	isl_dst;
-	u_char	isl_p;
-	u_char	isl_flags;
-	u_char	isl_state[2];
+	union	i6addr	isl_src;
+	union	i6addr	isl_dst;
 	u_short	isl_type;
 	union {
 		u_short	isl_filler[2];
 		u_short	isl_ports[2];
 		u_short	isl_icmp;
 	} isl_ps;
+	u_char	isl_v;
+	u_char	isl_p;
+	u_char	isl_flags;
+	u_char	isl_state[2];
 } ipslog_t;
 
 #define	isl_sport	isl_ps.isl_ports[0]
@@ -127,6 +147,7 @@ typedef	struct	ipslog	{
 #define	ISL_NEW		0
 #define	ISL_EXPIRE	0xffff
 #define	ISL_FLUSH	0xfffe
+#define	ISL_REMOVE	0xfffd
 
 
 typedef	struct	ips_stat {
@@ -144,6 +165,7 @@ typedef	struct	ips_stat {
 	u_long	iss_logfail;
 	u_long	iss_inuse;
 	ipstate_t **iss_table;
+	ipstate_t *iss_list;
 } ips_stat_t;
 
 
@@ -154,13 +176,14 @@ extern	u_long	fr_tcptimeout;
 extern	u_long	fr_tcpclosed;
 extern	u_long	fr_udptimeout;
 extern	u_long	fr_icmptimeout;
+extern	int	fr_state_lock;
 extern	int	fr_stateinit __P((void));
 extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
 extern	ipstate_t	*fr_addstate __P((ip_t *, fr_info_t *, u_int));
 extern	frentry_t	*fr_checkstate __P((ip_t *, fr_info_t *));
 extern	void	ip_statesync __P((void *));
 extern	void	fr_timeoutstate __P((void));
-extern	void	fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
+extern	void	fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int));
 extern	void	fr_stateunload __P((void));
 extern	void	ipstate_log __P((struct ipstate *, u_int));
 #if defined(__NetBSD__) || defined(__OpenBSD__)
diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h
index c46275e4c1a4..a0f595d4d069 100644
--- a/sys/netinet/ipl.h
+++ b/sys/netinet/ipl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1993-1999 by Darren Reed.
+ * Copyright (C) 1993-2000 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
  * provided that this notice is preserved and due credit is given
diff --git a/sys/netinet/mlfk_ipl.c b/sys/netinet/mlfk_ipl.c
index 732808d44ab1..b573a9e2d83f 100644
--- a/sys/netinet/mlfk_ipl.c
+++ b/sys/netinet/mlfk_ipl.c
@@ -26,6 +26,7 @@
  * $FreeBSD$
  */
 
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
@@ -108,6 +109,7 @@ ipfilter_modevent(module_t mod, int type, void *unused)
 
 	switch (type) {
 	case MOD_LOAD :
+
 		error = iplattach();
 		if (error)
 			break;
@@ -162,7 +164,6 @@ ipfilter_modevent(module_t mod, int type, void *unused)
 		destroy_dev(ipf_devs[IPL_LOGNAT]);
 		destroy_dev(ipf_devs[IPL_LOGSTATE]);
 		destroy_dev(ipf_devs[IPL_LOGAUTH]);
-		cdevsw_remove(&ipl_cdevsw);
 		error = ipldetach();
 		break;
 	default:
@@ -173,7 +174,7 @@ ipfilter_modevent(module_t mod, int type, void *unused)
 }
 
 static moduledata_t ipfiltermod = {
-	"ipfilter",
+	IPL_VERSION,
 	ipfilter_modevent,
         0
 };