sync with head rpaulo-netinet-merge-pcb
authorrpaulo <rpaulo@NetBSD.org>
Sat, 09 Sep 2006 02:56:44 +0000
branchrpaulo-netinet-merge-pcb
changeset 288554 ecb186bd91ca
parent 288553 5c2470e9a752
sync with head
sys/dist/ipf/netinet/fil.c
sys/dist/ipf/netinet/ip_auth.c
sys/dist/ipf/netinet/ip_auth.h
sys/dist/ipf/netinet/ip_compat.h
sys/dist/ipf/netinet/ip_fil.h
sys/dist/ipf/netinet/ip_fil_netbsd.c
sys/dist/ipf/netinet/ip_frag.c
sys/dist/ipf/netinet/ip_frag.h
sys/dist/ipf/netinet/ip_ftp_pxy.c
sys/dist/ipf/netinet/ip_h323_pxy.c
sys/dist/ipf/netinet/ip_htable.c
sys/dist/ipf/netinet/ip_ipsec_pxy.c
sys/dist/ipf/netinet/ip_irc_pxy.c
sys/dist/ipf/netinet/ip_log.c
sys/dist/ipf/netinet/ip_lookup.c
sys/dist/ipf/netinet/ip_lookup.h
sys/dist/ipf/netinet/ip_nat.c
sys/dist/ipf/netinet/ip_nat.h
sys/dist/ipf/netinet/ip_netbios_pxy.c
sys/dist/ipf/netinet/ip_pool.c
sys/dist/ipf/netinet/ip_pool.h
sys/dist/ipf/netinet/ip_pptp_pxy.c
sys/dist/ipf/netinet/ip_proxy.c
sys/dist/ipf/netinet/ip_proxy.h
sys/dist/ipf/netinet/ip_rcmd_pxy.c
sys/dist/ipf/netinet/ip_rpcb_pxy.c
sys/dist/ipf/netinet/ip_scan.c
sys/dist/ipf/netinet/ip_scan.h
sys/dist/ipf/netinet/ip_state.c
sys/dist/ipf/netinet/ip_state.h
sys/dist/ipf/netinet/ip_sync.c
sys/dist/ipf/netinet/ip_sync.h
sys/dist/ipf/netinet/ipl.h
sys/dist/pf/net/pf.c
sys/dist/pf/net/pf_ioctl.c
sys/dist/pf/net/pf_norm.c
sys/dist/pf/net/pf_table.c
sys/dist/pf/net/pfvar.h
sys/fs/Makefile
sys/fs/adosfs/adlookup.c
sys/fs/adosfs/advfsops.c
sys/fs/adosfs/advnops.c
sys/fs/cd9660/cd9660_extern.h
sys/fs/cd9660/cd9660_lookup.c
sys/fs/cd9660/cd9660_rrip.c
sys/fs/cd9660/cd9660_util.c
sys/fs/cd9660/cd9660_vfsops.c
sys/fs/cd9660/cd9660_vnops.c
sys/fs/cd9660/iso.h
sys/fs/filecorefs/filecore_bmap.c
sys/fs/filecorefs/filecore_extern.h
sys/fs/filecorefs/filecore_lookup.c
sys/fs/filecorefs/filecore_utils.c
sys/fs/filecorefs/filecore_vfsops.c
sys/fs/filecorefs/filecore_vnops.c
sys/fs/msdosfs/bootsect.h
sys/fs/msdosfs/denode.h
sys/fs/msdosfs/msdosfs_denode.c
sys/fs/msdosfs/msdosfs_fat.c
sys/fs/msdosfs/msdosfs_lookup.c
sys/fs/msdosfs/msdosfs_vfsops.c
sys/fs/msdosfs/msdosfs_vnops.c
sys/fs/ntfs/ntfs.h
sys/fs/ntfs/ntfs_subr.c
sys/fs/ntfs/ntfs_vfsops.c
sys/fs/ntfs/ntfs_vnops.c
sys/fs/ptyfs/ptyfs_subr.c
sys/fs/ptyfs/ptyfs_vfsops.c
sys/fs/ptyfs/ptyfs_vnops.c
sys/fs/smbfs/smbfs.h
sys/fs/smbfs/smbfs_io.c
sys/fs/smbfs/smbfs_kq.c
sys/fs/smbfs/smbfs_node.c
sys/fs/smbfs/smbfs_node.h
sys/fs/smbfs/smbfs_smb.c
sys/fs/smbfs/smbfs_subr.h
sys/fs/smbfs/smbfs_vfsops.c
sys/fs/smbfs/smbfs_vnops.c
sys/fs/sysvbfs/bfs.c
sys/fs/sysvbfs/bfs.h
sys/fs/sysvbfs/bfs_sysvbfs.c
sys/fs/sysvbfs/sysvbfs.c
sys/fs/sysvbfs/sysvbfs.h
sys/fs/sysvbfs/sysvbfs_vfsops.c
sys/fs/sysvbfs/sysvbfs_vnops.c
sys/fs/tmpfs/tmpfs.h
sys/fs/tmpfs/tmpfs_pool.c
sys/fs/tmpfs/tmpfs_pool.h
sys/fs/tmpfs/tmpfs_subr.c
sys/fs/tmpfs/tmpfs_vfsops.c
sys/fs/tmpfs/tmpfs_vnops.c
sys/fs/udf/Makefile
sys/fs/udf/ecma167-udf.h
sys/fs/udf/files.udf
sys/fs/udf/udf.h
sys/fs/udf/udf_bswap.h
sys/fs/udf/udf_mount.h
sys/fs/udf/udf_osta.c
sys/fs/udf/udf_osta.h
sys/fs/udf/udf_subr.c
sys/fs/udf/udf_subr.h
sys/fs/udf/udf_vfsops.c
sys/fs/udf/udf_vnops.c
sys/fs/unicode.h
sys/fs/union/union.h
sys/fs/union/union_subr.c
sys/fs/union/union_vfsops.c
sys/fs/union/union_vnops.c
sys/kern/Make.tags.inc
sys/kern/bufq_priocscan.c
sys/kern/core_elf32.c
sys/kern/exec_conf.c
sys/kern/exec_elf32.c
sys/kern/exec_macho.c
sys/kern/exec_script.c
sys/kern/exec_subr.c
sys/kern/init_main.c
sys/kern/init_sysctl.c
sys/kern/init_sysent.c
sys/kern/kern_acct.c
sys/kern/kern_auth.c
sys/kern/kern_clock.c
sys/kern/kern_descrip.c
sys/kern/kern_event.c
sys/kern/kern_exec.c
sys/kern/kern_exit.c
sys/kern/kern_fileassoc.c
sys/kern/kern_fork.c
sys/kern/kern_ktrace.c
sys/kern/kern_lkm.c
sys/kern/kern_lock.c
sys/kern/kern_lwp.c
sys/kern/kern_malloc.c
sys/kern/kern_microtime.c
sys/kern/kern_ntptime.c
sys/kern/kern_pax.c
sys/kern/kern_physio.c
sys/kern/kern_proc.c
sys/kern/kern_prot.c
sys/kern/kern_resource.c
sys/kern/kern_sa.c
sys/kern/kern_securelevel.c
sys/kern/kern_sig.c
sys/kern/kern_subr.c
sys/kern/kern_synch.c
sys/kern/kern_sysctl.c
sys/kern/kern_systrace.c
sys/kern/kern_tc.c
sys/kern/kern_time.c
sys/kern/kern_todr.c
sys/kern/kern_verifiedexec.c
sys/kern/kern_xxx.c
sys/kern/subr_autoconf.c
sys/kern/subr_callback.c
sys/kern/subr_disk.c
sys/kern/subr_disk_mbr.c
sys/kern/subr_extent.c
sys/kern/subr_iostat.c
sys/kern/subr_kmem.c
sys/kern/subr_log.c
sys/kern/subr_optstr.c
sys/kern/subr_pool.c
sys/kern/subr_prf.c
sys/kern/subr_prop.c
sys/kern/subr_vmem.c
sys/kern/subr_workqueue.c
sys/kern/sys_generic.c
sys/kern/sys_pipe.c
sys/kern/sys_process.c
sys/kern/sys_socket.c
sys/kern/syscalls.c
sys/kern/syscalls.master
sys/kern/sysv_ipc.c
sys/kern/sysv_msg.c
sys/kern/sysv_sem.c
sys/kern/sysv_shm.c
sys/kern/tty.c
sys/kern/tty_bsdpty.c
sys/kern/tty_ptm.c
sys/kern/tty_pty.c
sys/kern/tty_tty.c
sys/kern/uipc_domain.c
sys/kern/uipc_mbuf.c
sys/kern/uipc_mbuf2.c
sys/kern/uipc_proto.c
sys/kern/uipc_sem.c
sys/kern/uipc_socket.c
sys/kern/uipc_socket2.c
sys/kern/uipc_syscalls.c
sys/kern/uipc_usrreq.c
sys/kern/vfs_bio.c
sys/kern/vfs_cache.c
sys/kern/vfs_getcwd.c
sys/kern/vfs_lockf.c
sys/kern/vfs_lookup.c
sys/kern/vfs_subr.c
sys/kern/vfs_syscalls.c
sys/kern/vfs_vnops.c
sys/kern/vfs_xattr.c
sys/kern/vnode_if.c
sys/kern/vnode_if.sh
sys/kern/vnode_if.src
sys/lib/libkern/Makefile
sys/lib/libkern/arc4random.c
sys/lib/libkern/arch/hppa/Makefile.inc
sys/lib/libkern/arch/ia64/Makefile.inc
sys/lib/libkern/arch/ia64/bswap16.S
sys/lib/libkern/arch/ia64/bswap32.S
sys/lib/libkern/arch/ia64/byte_swap_2.S
sys/lib/libkern/arch/ia64/byte_swap_4.S
sys/lib/libkern/arch/ia64/divdi3.S
sys/lib/libkern/arch/ia64/divsi3.S
sys/lib/libkern/arch/ia64/htonl.S
sys/lib/libkern/arch/ia64/memcpy.S
sys/lib/libkern/arch/ia64/moddi3.S
sys/lib/libkern/arch/ia64/modsi3.S
sys/lib/libkern/arch/ia64/ntohl.S
sys/lib/libkern/arch/ia64/udivdi3.S
sys/lib/libkern/arch/ia64/udivsi3.S
sys/lib/libkern/arch/ia64/umoddi3.S
sys/lib/libkern/arch/ia64/umodsi3.S
sys/lib/libkern/arch/m68k/SYS.h
sys/lib/libkern/arch/sh3/ashiftrt.S
sys/lib/libkern/arch/sh3/ashlsi3.S
sys/lib/libkern/arch/sh3/ashrsi3.S
sys/lib/libkern/arch/sh3/byte_swap_2.S
sys/lib/libkern/arch/sh3/byte_swap_4.S
sys/lib/libkern/arch/sh3/lshrsi3.S
sys/lib/libkern/arch/sh3/movstr.S
sys/lib/libkern/arch/sh3/movstrSI.S
sys/lib/libkern/arch/sh3/movstr_i4.S
sys/lib/libkern/arch/sh3/mulsi3.S
sys/lib/libkern/arch/sh3/sdivsi3.S
sys/lib/libkern/arch/sh3/udivsi3.S
sys/lib/libkern/arch/sh5/sdivsi3.S
sys/lib/libkern/arch/sparc/SYS.h
sys/lib/libkern/arch/sparc64/SYS.h
sys/lib/libkern/bcd.c
sys/lib/libkern/libkern.h
sys/lib/libkern/rb.c
sys/lib/libkern/rb.h
sys/lib/libkern/softfloat.h
sys/lib/libkern/xlat_mbr_fstype.c
sys/lib/libsa/Makefile
sys/lib/libsa/bootp.c
sys/lib/libsa/loadfile_elf32.c
sys/lib/libsa/ufs.c
sys/lkm/Makefile.inc
sys/lkm/arch/i386/powernow/Makefile
sys/lkm/arch/i386/powernow/lkminit_powernow.c
sys/lkm/compat/freebsd/Makefile
sys/lkm/compat/linux/Makefile
sys/lkm/dev/Makefile.inc
sys/lkm/dev/pci/Makefile.inc
sys/lkm/dev/pcilkm/Makefile
sys/lkm/dev/pcilkm/examples/auich/Makefile
sys/lkm/dev/pcilkm/examples/auich/README
sys/lkm/dev/pcilkm/examples/auich/auich_lkm.c
sys/lkm/dev/pcilkm/examples/pcienum/Makefile
sys/lkm/dev/pcilkm/examples/pcienum/pcienum_lkm.c
sys/lkm/dev/pcilkm/pcilkm.4
sys/lkm/dev/pcilkm/pcilkm.h
sys/lkm/dev/pcilkm/pcilkm_lkm.c
sys/lkm/dev/pcmcia/Makefile.inc
sys/lkm/dev/vnd/lkminit_vnd.c
sys/lkm/net/tap/if_tap_lkm.c
sys/lkm/syscall/example/test/testsyscall.c
sys/lkm/vfs/Makefile
sys/lkm/vfs/udf/Makefile
sys/lkm/vfs/udf/lkminit_vfs.c
sys/miscfs/deadfs/dead_vnops.c
sys/miscfs/fdesc/fdesc_vfsops.c
sys/miscfs/fdesc/fdesc_vnops.c
sys/miscfs/fifofs/fifo_vnops.c
sys/miscfs/genfs/genfs_node.h
sys/miscfs/genfs/genfs_vnops.c
sys/miscfs/genfs/layer_extern.h
sys/miscfs/genfs/layer_vfsops.c
sys/miscfs/genfs/layer_vnops.c
sys/miscfs/kernfs/kernfs.h
sys/miscfs/kernfs/kernfs_vfsops.c
sys/miscfs/kernfs/kernfs_vnops.c
sys/miscfs/nullfs/null_vfsops.c
sys/miscfs/overlay/overlay_vfsops.c
sys/miscfs/portal/portal.h
sys/miscfs/portal/portal_vfsops.c
sys/miscfs/portal/portal_vnops.c
sys/miscfs/procfs/files.procfs
sys/miscfs/procfs/procfs_cmdline.c
sys/miscfs/procfs/procfs_ctl.c
sys/miscfs/procfs/procfs_fd.c
sys/miscfs/procfs/procfs_linux.c
sys/miscfs/procfs/procfs_map.c
sys/miscfs/procfs/procfs_status.c
sys/miscfs/procfs/procfs_subr.c
sys/miscfs/procfs/procfs_vfsops.c
sys/miscfs/procfs/procfs_vnops.c
sys/miscfs/specfs/spec_vnops.c
sys/miscfs/specfs/specdev.h
sys/miscfs/syncfs/sync_subr.c
sys/miscfs/syncfs/sync_vnops.c
sys/miscfs/umapfs/umap.h
sys/miscfs/umapfs/umap_subr.c
sys/miscfs/umapfs/umap_vfsops.c
sys/miscfs/umapfs/umap_vnops.c
sys/net/Makefile
sys/net/agr/if_agr.c
sys/net/agr/if_agrvar_impl.h
sys/net/bpf.c
sys/net/bpf_filter.c
sys/net/bridgestp.c
sys/net/dlt.h
sys/net/if.c
sys/net/if.h
sys/net/if_arcsubr.c
sys/net/if_bridge.c
sys/net/if_ecosubr.c
sys/net/if_ether.h
sys/net/if_ethersubr.c
sys/net/if_fddisubr.c
sys/net/if_gif.c
sys/net/if_gre.c
sys/net/if_gre.h
sys/net/if_hippisubr.c
sys/net/if_ieee1394subr.c
sys/net/if_llc.h
sys/net/if_loop.c
sys/net/if_media.h
sys/net/if_ppp.c
sys/net/if_pppoe.c
sys/net/if_pppvar.h
sys/net/if_sl.c
sys/net/if_slvar.h
sys/net/if_spppsubr.c
sys/net/if_stf.c
sys/net/if_strip.c
sys/net/if_stripvar.h
sys/net/if_tap.c
sys/net/if_tokensubr.c
sys/net/if_tun.c
sys/net/if_tun.h
sys/net/if_types.h
sys/net/if_vlan.c
sys/net/net_osdep.h
sys/net/netisr.h
sys/net/netisr_dispatch.h
sys/net/pfil.h
sys/net/ppp_tty.c
sys/net/radix.c
sys/net/raw_usrreq.c
sys/net/route.c
sys/net/rtsock.c
sys/net/slcompress.c
sys/net/zlib.c
sys/net80211/_ieee80211.h
sys/net80211/ieee80211.c
sys/net80211/ieee80211.h
sys/net80211/ieee80211_acl.c
sys/net80211/ieee80211_crypto.c
sys/net80211/ieee80211_crypto_ccmp.c
sys/net80211/ieee80211_crypto_none.c
sys/net80211/ieee80211_crypto_tkip.c
sys/net80211/ieee80211_crypto_wep.c
sys/net80211/ieee80211_input.c
sys/net80211/ieee80211_ioctl.c
sys/net80211/ieee80211_ioctl.h
sys/net80211/ieee80211_netbsd.c
sys/net80211/ieee80211_netbsd.h
sys/net80211/ieee80211_node.c
sys/net80211/ieee80211_node.h
sys/net80211/ieee80211_output.c
sys/net80211/ieee80211_proto.c
sys/net80211/ieee80211_proto.h
sys/net80211/ieee80211_radiotap.h
sys/net80211/ieee80211_rssadapt.c
sys/net80211/ieee80211_var.h
sys/net80211/ieee80211_xauth.c
sys/netatalk/at_control.c
sys/netatalk/at_extern.h
sys/netatalk/at_proto.c
sys/netatalk/at_rmx.c
sys/netatalk/ddp_usrreq.c
sys/netbt/Makefile
sys/netbt/bluetooth.h
sys/netbt/bt_proto.c
sys/netbt/bt_sysctl.c
sys/netbt/files.netbt
sys/netbt/hci.h
sys/netbt/hci_event.c
sys/netbt/hci_ioctl.c
sys/netbt/hci_link.c
sys/netbt/hci_misc.c
sys/netbt/hci_socket.c
sys/netbt/hci_unit.c
sys/netbt/l2cap.h
sys/netbt/l2cap_lower.c
sys/netbt/l2cap_misc.c
sys/netbt/l2cap_signal.c
sys/netbt/l2cap_socket.c
sys/netbt/l2cap_upper.c
sys/netbt/rfcomm.h
sys/netbt/rfcomm_dlc.c
sys/netbt/rfcomm_session.c
sys/netbt/rfcomm_socket.c
sys/netbt/rfcomm_upper.c
sys/netbt/sco.h
sys/netbt/sco_socket.c
sys/netbt/sco_upper.c
sys/netccitt/Makefile
sys/netccitt/README.hdlc
sys/netccitt/README.packet
sys/netccitt/ccitt_proto.c
sys/netccitt/dll.h
sys/netccitt/files.netccitt
sys/netccitt/hd_debug.c
sys/netccitt/hd_input.c
sys/netccitt/hd_output.c
sys/netccitt/hd_subr.c
sys/netccitt/hd_timer.c
sys/netccitt/hd_var.h
sys/netccitt/hdlc.h
sys/netccitt/if_x25subr.c
sys/netccitt/llc_input.c
sys/netccitt/llc_output.c
sys/netccitt/llc_subr.c
sys/netccitt/llc_timer.c
sys/netccitt/llc_var.h
sys/netccitt/pk.h
sys/netccitt/pk_acct.c
sys/netccitt/pk_debug.c
sys/netccitt/pk_extern.h
sys/netccitt/pk_input.c
sys/netccitt/pk_llcsubr.c
sys/netccitt/pk_output.c
sys/netccitt/pk_subr.c
sys/netccitt/pk_timer.c
sys/netccitt/pk_usrreq.c
sys/netccitt/pk_var.h
sys/netccitt/x25.h
sys/netccitt/x25acct.h
sys/netccitt/x25err.h
sys/netccitt/x25isr.h
sys/netinet/Makefile
sys/netinet/icmp6.h
sys/netinet/if_arp.c
sys/netinet/if_atm.c
sys/netinet/if_inarp.h
sys/netinet/in.c
sys/netinet/in.h
sys/netinet/in_gif.c
sys/netinet/in_pcb.c
sys/netinet/in_pcb.h
sys/netinet/in_proto.c
sys/netinet/in_var.h
sys/netinet/ip.h
sys/netinet/ip6.h
sys/netinet/ip_carp.c
sys/netinet/ip_carp.h
sys/netinet/ip_ecn.c
sys/netinet/ip_encap.c
sys/netinet/ip_flow.c
sys/netinet/ip_gre.c
sys/netinet/ip_icmp.c
sys/netinet/ip_icmp.h
sys/netinet/ip_id.c
sys/netinet/ip_input.c
sys/netinet/ip_mroute.c
sys/netinet/ip_output.c
sys/netinet/ip_var.h
sys/netinet/raw_ip.c
sys/netinet/tcp.h
sys/netinet/tcp_input.c
sys/netinet/tcp_output.c
sys/netinet/tcp_subr.c
sys/netinet/tcp_timer.c
sys/netinet/tcp_usrreq.c
sys/netinet/tcp_var.h
sys/netinet/udp_usrreq.c
sys/netinet6/ah_output.c
sys/netinet6/esp_core.c
sys/netinet6/esp_output.c
sys/netinet6/files.netinet6
sys/netinet6/icmp6.c
sys/netinet6/in6.c
sys/netinet6/in6.h
sys/netinet6/in6_gif.c
sys/netinet6/in6_ifattach.c
sys/netinet6/in6_ifattach.h
sys/netinet6/in6_pcb.c
sys/netinet6/in6_proto.c
sys/netinet6/in6_src.c
sys/netinet6/in6_var.h
sys/netinet6/ip6_forward.c
sys/netinet6/ip6_id.c
sys/netinet6/ip6_input.c
sys/netinet6/ip6_mroute.c
sys/netinet6/ip6_output.c
sys/netinet6/ip6_var.h
sys/netinet6/ip6protosw.h
sys/netinet6/ipcomp_core.c
sys/netinet6/ipcomp_input.c
sys/netinet6/ipsec.c
sys/netinet6/mld6.c
sys/netinet6/mld6_var.h
sys/netinet6/nd6.c
sys/netinet6/nd6.h
sys/netinet6/nd6_nbr.c
sys/netinet6/nd6_rtr.c
sys/netinet6/raw_ip6.c
sys/netinet6/scope6.c
sys/netinet6/udp6_output.c
sys/netinet6/udp6_usrreq.c
sys/netinet6/udp6_var.h
sys/netipsec/ipsec.c
sys/netipsec/ipsec.h
sys/netipsec/ipsec_netbsd.c
sys/netipsec/ipsec_osdep.h
sys/netipsec/key.c
sys/netipsec/keysock.c
sys/netipsec/xform_ah.c
sys/netipsec/xform_esp.c
sys/netisdn/i4b_capi_l4if.c
sys/netisdn/i4b_capi_msgs.h
sys/netisdn/i4b_global.h
sys/netisdn/i4b_ipr.c
sys/netisdn/i4b_l4mgmt.c
sys/netisdn/i4b_q931.c
sys/netisdn/i4b_tei.c
sys/netiso/clnp_er.c
sys/netiso/clnp_output.c
sys/netiso/cltp_usrreq.c
sys/netiso/esis.c
sys/netiso/idrp_usrreq.c
sys/netiso/if_cons.c
sys/netiso/if_eon.c
sys/netiso/iso.c
sys/netiso/iso.h
sys/netiso/iso_chksum.c
sys/netiso/iso_pcb.c
sys/netiso/iso_pcb.h
sys/netiso/iso_proto.c
sys/netiso/iso_snpac.c
sys/netiso/tp_cons.c
sys/netiso/tp_emit.c
sys/netiso/tp_input.c
sys/netiso/tp_iso.c
sys/netiso/tp_meas.c
sys/netiso/tp_output.c
sys/netiso/tp_pcb.c
sys/netiso/tp_pcb.h
sys/netiso/tp_subr2.c
sys/netiso/tp_usrreq.c
sys/netiso/tp_var.h
sys/netkey/key.c
sys/netkey/key_debug.c
sys/netkey/keysock.c
sys/netnatm/natm_proto.c
sys/netns/Makefile
sys/netns/files.netns
sys/netns/idp.h
sys/netns/idp_usrreq.c
sys/netns/idp_var.h
sys/netns/ns.c
sys/netns/ns.h
sys/netns/ns_cksum.c
sys/netns/ns_error.c
sys/netns/ns_error.h
sys/netns/ns_if.h
sys/netns/ns_input.c
sys/netns/ns_ip.c
sys/netns/ns_output.c
sys/netns/ns_pcb.c
sys/netns/ns_pcb.h
sys/netns/ns_proto.c
sys/netns/ns_var.h
sys/netns/sp.h
sys/netns/spidp.h
sys/netns/spp_debug.c
sys/netns/spp_debug.h
sys/netns/spp_timer.h
sys/netns/spp_usrreq.c
sys/netns/spp_var.h
sys/netsmb/smb_conn.c
sys/netsmb/smb_dev.c
sys/netsmb/smb_dev.h
sys/netsmb/smb_iod.c
sys/netsmb/smb_smb.c
sys/netsmb/smb_subr.c
sys/netsmb/smb_subr.h
sys/netsmb/smb_trantcp.c
sys/netsmb/subr_mchain.c
sys/nfs/krpc_subr.c
sys/nfs/nfs.h
sys/nfs/nfs_bio.c
sys/nfs/nfs_boot.c
sys/nfs/nfs_bootdhcp.c
sys/nfs/nfs_bootparam.c
sys/nfs/nfs_export.c
sys/nfs/nfs_kq.c
sys/nfs/nfs_node.c
sys/nfs/nfs_nqlease.c
sys/nfs/nfs_serv.c
sys/nfs/nfs_socket.c
sys/nfs/nfs_subs.c
sys/nfs/nfs_syscalls.c
sys/nfs/nfs_var.h
sys/nfs/nfs_vfsops.c
sys/nfs/nfs_vnops.c
sys/nfs/nfsm_subs.h
sys/nfs/nfsmount.h
sys/nfs/nfsnode.h
sys/nfs/nfsproto.h
sys/nfs/nqnfs.h
sys/opencrypto/crypto.c
sys/opencrypto/cryptodev.c
sys/opencrypto/cryptosoft.c
sys/opencrypto/deflate.c
sys/sys/Makefile
sys/sys/audioio.h
sys/sys/bootblock.h
sys/sys/bswap.h
sys/sys/buf.h
sys/sys/bufq_impl.h
sys/sys/callback.h
sys/sys/cc_microtime.h
sys/sys/cdefs.h
sys/sys/cdefs_aout.h
sys/sys/cdefs_elf.h
sys/sys/cdio.h
sys/sys/clockctl.h
sys/sys/conf.h
sys/sys/cpu_data.h
sys/sys/device.h
sys/sys/disk.h
sys/sys/disklabel_gpt.h
sys/sys/domain.h
sys/sys/endian.h
sys/sys/envsys.h
sys/sys/errno.h
sys/sys/evcnt.h
sys/sys/exec.h
sys/sys/exec_elf.h
sys/sys/extattr.h
sys/sys/extent.h
sys/sys/file.h
sys/sys/fileassoc.h
sys/sys/filedesc.h
sys/sys/fstypes.h
sys/sys/hash.h
sys/sys/iostat.h
sys/sys/ipc.h
sys/sys/kauth.h
sys/sys/kernel.h
sys/sys/kmem.h
sys/sys/ksem.h
sys/sys/lkm.h
sys/sys/lock.h
sys/sys/lockf.h
sys/sys/lwp.h
sys/sys/malloc.h
sys/sys/mallocvar.h
sys/sys/mbuf.h
sys/sys/midiio.h
sys/sys/mman.h
sys/sys/mount.h
sys/sys/msg.h
sys/sys/namei.h
sys/sys/optstr.h
sys/sys/param.h
sys/sys/pax.h
sys/sys/pool.h
sys/sys/proc.h
sys/sys/properties.h
sys/sys/protosw.h
sys/sys/ptrace.h
sys/sys/pty.h
sys/sys/queue.h
sys/sys/resource.h
sys/sys/resourcevar.h
sys/sys/savar.h
sys/sys/sched.h
sys/sys/select.h
sys/sys/sem.h
sys/sys/shm.h
sys/sys/signal.h
sys/sys/signalvar.h
sys/sys/socket.h
sys/sys/socketvar.h
sys/sys/sockio.h
sys/sys/spl.h
sys/sys/stat.h
sys/sys/statvfs.h
sys/sys/swap.h
sys/sys/syscall.h
sys/sys/syscallargs.h
sys/sys/sysctl.h
sys/sys/systm.h
sys/sys/systrace.h
sys/sys/time.h
sys/sys/timepps.h
sys/sys/timetc.h
sys/sys/timevar.h
sys/sys/timex.h
sys/sys/tree.h
sys/sys/tty.h
sys/sys/types.h
sys/sys/ucontext.h
sys/sys/ucred.h
sys/sys/uio.h
sys/sys/un.h
sys/sys/unistd.h
sys/sys/user.h
sys/sys/userret.h
sys/sys/verified_exec.h
sys/sys/vmem.h
sys/sys/vnode.h
sys/sys/vnode_if.h
sys/ufs/ext2fs/ext2fs.h
sys/ufs/ext2fs/ext2fs_alloc.c
sys/ufs/ext2fs/ext2fs_balloc.c
sys/ufs/ext2fs/ext2fs_dir.h
sys/ufs/ext2fs/ext2fs_extern.h
sys/ufs/ext2fs/ext2fs_inode.c
sys/ufs/ext2fs/ext2fs_lookup.c
sys/ufs/ext2fs/ext2fs_readwrite.c
sys/ufs/ext2fs/ext2fs_subr.c
sys/ufs/ext2fs/ext2fs_vfsops.c
sys/ufs/ext2fs/ext2fs_vnops.c
sys/ufs/ffs/ffs_alloc.c
sys/ufs/ffs/ffs_appleufs.c
sys/ufs/ffs/ffs_balloc.c
sys/ufs/ffs/ffs_extern.h
sys/ufs/ffs/ffs_inode.c
sys/ufs/ffs/ffs_snapshot.c
sys/ufs/ffs/ffs_softdep.c
sys/ufs/ffs/ffs_softdep.stub.c
sys/ufs/ffs/ffs_vfsops.c
sys/ufs/ffs/ffs_vnops.c
sys/ufs/files.ufs
sys/ufs/lfs/lfs.h
sys/ufs/lfs/lfs_alloc.c
sys/ufs/lfs/lfs_balloc.c
sys/ufs/lfs/lfs_bio.c
sys/ufs/lfs/lfs_extern.h
sys/ufs/lfs/lfs_inode.c
sys/ufs/lfs/lfs_itimes.c
sys/ufs/lfs/lfs_rfw.c
sys/ufs/lfs/lfs_segment.c
sys/ufs/lfs/lfs_subr.c
sys/ufs/lfs/lfs_syscalls.c
sys/ufs/lfs/lfs_vfsops.c
sys/ufs/lfs/lfs_vnops.c
sys/ufs/mfs/mfs_extern.h
sys/ufs/mfs/mfs_vfsops.c
sys/ufs/mfs/mfs_vnops.c
sys/ufs/ufs/extattr.h
sys/ufs/ufs/quota.h
sys/ufs/ufs/ufs_bmap.c
sys/ufs/ufs/ufs_dirhash.c
sys/ufs/ufs/ufs_extattr.c
sys/ufs/ufs/ufs_extern.h
sys/ufs/ufs/ufs_inode.c
sys/ufs/ufs/ufs_lookup.c
sys/ufs/ufs/ufs_quota.c
sys/ufs/ufs/ufs_readwrite.c
sys/ufs/ufs/ufs_vfsops.c
sys/ufs/ufs/ufs_vnops.c
sys/ufs/ufs/ufsmount.h
sys/uvm/Makefile
sys/uvm/uvm.h
sys/uvm/uvm_amap.c
sys/uvm/uvm_amap.h
sys/uvm/uvm_amap_i.h
sys/uvm/uvm_aobj.c
sys/uvm/uvm_bio.c
sys/uvm/uvm_ddb.h
sys/uvm/uvm_device.c
sys/uvm/uvm_extern.h
sys/uvm/uvm_fault.c
sys/uvm/uvm_fault.h
sys/uvm/uvm_fault_i.h
sys/uvm/uvm_glue.c
sys/uvm/uvm_init.c
sys/uvm/uvm_km.c
sys/uvm/uvm_km.h
sys/uvm/uvm_loan.c
sys/uvm/uvm_map.c
sys/uvm/uvm_map.h
sys/uvm/uvm_map_i.h
sys/uvm/uvm_meter.c
sys/uvm/uvm_mmap.c
sys/uvm/uvm_page.c
sys/uvm/uvm_page.h
sys/uvm/uvm_page_i.h
sys/uvm/uvm_pager.c
sys/uvm/uvm_pager.h
sys/uvm/uvm_pager_i.h
sys/uvm/uvm_param.h
sys/uvm/uvm_pdaemon.c
sys/uvm/uvm_pglist.c
sys/uvm/uvm_stat.h
sys/uvm/uvm_swap.c
sys/uvm/uvm_unix.c
sys/uvm/uvm_vnode.c
--- a/sys/dist/ipf/netinet/fil.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/fil.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: fil.c,v 1.21 2005/12/28 09:29:48 christos Exp $	*/
+/*	$NetBSD: fil.c,v 1.21.4.1 2006/09/09 02:56:44 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2003 by Darren Reed.
@@ -34,7 +34,9 @@
 #else
 # include <sys/ioctl.h>
 #endif
-#include <sys/fcntl.h>
+#if !defined(_AIX51)
+# include <sys/fcntl.h>
+#endif
 #if defined(_KERNEL)
 # include <sys/systm.h>
 # include <sys/file.h>
@@ -74,6 +76,9 @@
 # include <net/af.h>
 #endif
 #if !defined(_KERNEL) && defined(__FreeBSD__)
+# if (__FreeBSD_version >= 504000)
+#  undef _RADIX_H_
+# endif
 # include "radix_ipf.h"
 #endif
 #include <net/route.h>
@@ -88,7 +93,7 @@
 # include <netinet/in_var.h>
 #endif
 #include <netinet/tcp.h>
-#if !defined(__sgi) || defined(_KERNEL)
+#if (!defined(__sgi) && !defined(AIX)) || defined(_KERNEL)
 # include <netinet/udp.h>
 # include <netinet/ip_icmp.h>
 #endif
@@ -135,10 +140,10 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.21 2005/12/28 09:29:48 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.21.4.1 2006/09/09 02:56:44 rpaulo Exp $");
 #else
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp";
+static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp";
 #endif
 #endif
 
@@ -147,17 +152,11 @@
 # include "ipt.h"
 # include "bpf-ipf.h"
 extern	int	opts;
-
-# define	FR_VERBOSE(verb_pr)			verbose verb_pr
-# define	FR_DEBUG(verb_pr)			debug verb_pr
-#else /* #ifndef _KERNEL */
-# define	FR_VERBOSE(verb_pr)
-# define	FR_DEBUG(verb_pr)
 #endif /* _KERNEL */
 
 
 fr_info_t	frcache[2][8];
-struct	filterstats frstats[2] = { { 0, 0, 0, 0, 0 }, { 0, 0, 0, 0, 0 } };
+struct	filterstats frstats[2] = { { .fr_pass = 0 }, { .fr_pass = 0 } };
 struct	frentry	*ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
 		*ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
 		*ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
@@ -178,6 +177,7 @@
 u_short	fr_ip_id = 0;
 int	fr_chksrc = 0;	/* causes a system crash if enabled */
 int	fr_minttl = 4;
+int	fr_icmpminfragmtu = 68;
 u_long	fr_frouteok[2] = {0, 0};
 u_long	fr_userifqs = 0;
 u_long	fr_badcoalesces[2] = {0, 0};
@@ -223,6 +223,7 @@
 static	ipfunc_t	fr_findfunc __P((ipfunc_t));
 static	frentry_t	*fr_firewall __P((fr_info_t *, u_32_t *));
 static	int		fr_funcinit __P((frentry_t *fr));
+static	INLINE void	frpr_ah __P((fr_info_t *));
 static	INLINE void	frpr_esp __P((fr_info_t *));
 static	INLINE void	frpr_gre __P((fr_info_t *));
 static	INLINE void	frpr_udp __P((fr_info_t *));
@@ -231,9 +232,9 @@
 static	INLINE void	frpr_ipv4hdr __P((fr_info_t *));
 static	INLINE int	frpr_pullup __P((fr_info_t *, int));
 static	INLINE void	frpr_short __P((fr_info_t *, int));
-static	INLINE void	frpr_tcpcommon __P((fr_info_t *));
-static	INLINE void	frpr_udpcommon __P((fr_info_t *));
-static	INLINE int	fr_updateipid __P((fr_info_t *));
+static	INLINE int	frpr_tcpcommon __P((fr_info_t *));
+static	INLINE int	frpr_udpcommon __P((fr_info_t *));
+static	int		fr_updateipid __P((fr_info_t *));
 #ifdef	IPFILTER_LOOKUP
 static	int		fr_grpmapinit __P((frentry_t *fr));
 static	INLINE void	*fr_resolvelookup __P((u_int, u_int, lookupfunc_t *));
@@ -282,6 +283,7 @@
 	{ IPPROTO_AH,			0x000020 },
 	{ IPPROTO_NONE,			0x000040 },
 	{ IPPROTO_DSTOPTS,		0x000080 },
+	{ IPPROTO_MOBILITY,		0x000100 },
 	{ 0,				0 }
 };
 #endif
@@ -319,7 +321,7 @@
 	{ "fr_srcgrpmap", fr_srcgrpmap, fr_grpmapinit },
 	{ "fr_dstgrpmap", fr_dstgrpmap, fr_grpmapinit },
 #endif
-	{ "", NULL }
+	{ "", NULL, NULL }
 };
 
 
@@ -333,15 +335,20 @@
  * adding more code to a growing switch statement.
  */
 #ifdef USE_INET6
+static	INLINE int	frpr_ah6 __P((fr_info_t *));
+static	INLINE void	frpr_esp6 __P((fr_info_t *));
+static	INLINE void	frpr_gre6 __P((fr_info_t *));
 static	INLINE void	frpr_udp6 __P((fr_info_t *));
 static	INLINE void	frpr_tcp6 __P((fr_info_t *));
 static	INLINE void	frpr_icmp6 __P((fr_info_t *));
-static	INLINE void	frpr_ipv6hdr __P((fr_info_t *));
+static	INLINE int	frpr_ipv6hdr __P((fr_info_t *));
 static	INLINE void	frpr_short6 __P((fr_info_t *, int));
 static	INLINE int	frpr_hopopts6 __P((fr_info_t *));
+static	INLINE int	frpr_mobility6 __P((fr_info_t *));
 static	INLINE int	frpr_routing6 __P((fr_info_t *));
 static	INLINE int	frpr_dstopts6 __P((fr_info_t *));
-static	INLINE int	frpr_fragment6 __P((fr_info_t *));
+static	INLINE void	frpr_fragment6 __P((fr_info_t *));
+static	INLINE int	frpr_ipv6exthdr __P((fr_info_t *, int, int));
 
 
 /* ------------------------------------------------------------------------ */
@@ -358,33 +365,28 @@
 fr_info_t *fin;
 int xmin;
 {
-	fr_ip_t *fi = &fin->fin_fi;
-	int off;
-
-	off = fin->fin_off;
-	if (off == 0) {
-		if (fin->fin_plen < fin->fin_hlen + xmin)
-			fi->fi_flx |= FI_SHORT;
-	} else if (off < xmin) {
-		fi->fi_flx |= FI_SHORT;
-	}
+
+	if (fin->fin_dlen < xmin)
+		fin->fin_flx |= FI_SHORT;
 }
 
 
 /* ------------------------------------------------------------------------ */
 /* Function:    frpr_ipv6hdr                                                */
-/* Returns:     void                                                        */
+/* Returns:     int    - 0 = IPv6 packet intact, -1 = packet lost           */
 /* Parameters:  fin(I) - pointer to packet information                      */
 /*                                                                          */
 /* IPv6 Only                                                                */
 /* Copy values from the IPv6 header into the fr_info_t struct and call the  */
-/* per-protocol analyzer if it exists.                                      */
-/* ------------------------------------------------------------------------ */
-static INLINE void frpr_ipv6hdr(fin)
+/* per-protocol analyzer if it exists.  In validating the packet, a protocol*/
+/* analyzer may pullup or free the packet itself so we need to be vigiliant */
+/* of that possibility arising.                                             */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_ipv6hdr(fin)
 fr_info_t *fin;
 {
-	int p, go = 1, i, hdrcount, coalesced;
 	ip6_t *ip6 = (ip6_t *)fin->fin_ip;
+	int p, go = 1, i, hdrcount;
 	fr_ip_t *fi = &fin->fin_fi;
 
 	fin->fin_off = 0;
@@ -394,7 +396,6 @@
 	fi->fi_secmsk = 0;
 	fi->fi_auth = 0;
 
-	coalesced = (fin->fin_flx & FI_COALESCE) ? 1 : 0;
 	p = ip6->ip6_nxt;
 	fi->fi_ttl = ip6->ip6_hlim;
 	fi->fi_src.in6 = ip6->ip6_src;
@@ -421,48 +422,35 @@
 			break;
 
 		case IPPROTO_GRE :
-			frpr_gre(fin);
+			frpr_gre6(fin);
 			go = 0;
 			break;
 
 		case IPPROTO_HOPOPTS :
-			/*
-			 * Actually, hop by hop header is only allowed right
-			 * after IPv6 header!
-			 */
-			if (hdrcount != 0)
-				fin->fin_flx |= FI_BAD;
-
-			if (coalesced == 0) {
-				coalesced = fr_coalesce(fin);
-				if (coalesced != 1)
-					return;
-			}
 			p = frpr_hopopts6(fin);
 			break;
 
+		case IPPROTO_MOBILITY :
+			p = frpr_mobility6(fin);
+			break;
+
 		case IPPROTO_DSTOPTS :
-			if (coalesced == 0) {
-				coalesced = fr_coalesce(fin);
-				if (coalesced != 1)
-					return;
-			}
 			p = frpr_dstopts6(fin);
 			break;
 
 		case IPPROTO_ROUTING :
-			if (coalesced == 0) {
-				coalesced = fr_coalesce(fin);
-				if (coalesced != 1)
-					return;
-			}
 			p = frpr_routing6(fin);
 			break;
 
+		case IPPROTO_AH :
+			p = frpr_ah6(fin);
+			break;
+
 		case IPPROTO_ESP :
-			frpr_esp(fin);
-			/*FALLTHROUGH*/
-		case IPPROTO_AH :
+			frpr_esp6(fin);
+			go = 0;
+			break;
+
 		case IPPROTO_IPV6 :
 			for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
 				if (ip6exthdr[i].ol_val == p) {
@@ -477,12 +465,8 @@
 			break;
 
 		case IPPROTO_FRAGMENT :
-			if (coalesced == 0) {
-				coalesced = fr_coalesce(fin);
-				if (coalesced != 1)
-					return;
-			}
-			p = frpr_fragment6(fin);
+			frpr_fragment6(fin);
+			go = 0;
 			break;
 
 		default :
@@ -496,9 +480,9 @@
 		 * extension headers (go != 0), the entire header may not have
 		 * been pulled up when the code gets to this point.  This is
 		 * only done for "go != 0" because the other header handlers
-		 * will all pullup their complete header and the other
-		 * indicator of an incomplete header is that this eas just an
-		 * extension header.
+		 * will all pullup their complete header.  The other indicator
+		 * of an incomplete packet is that this was just an extension
+		 * header.
 		 */
 		if ((go != 0) && (p != IPPROTO_NONE) &&
 		    (frpr_pullup(fin, 0) == -1)) {
@@ -507,19 +491,32 @@
 		}
 	}
 	fi->fi_p = p;
+
+	/*
+	 * Some of the above functions, like frpr_esp6(), can call fr_pullup
+	 * and destroy whatever packet was here.  The caller of this function
+	 * expects us to return -1 if there is a problem with fr_pullup.
+	 */
+	if (fin->fin_m == NULL)
+		return -1;
+
+	return 0;
 }
 
 
 /* ------------------------------------------------------------------------ */
-/* Function:    frpr_hopopts6                                               */
+/* Function:    frpr_ipv6exthdr                                             */
 /* Returns:     int    - value of the next header or IPPROTO_NONE if error  */
-/* Parameters:  fin(I) - pointer to packet information                      */
+/* Parameters:  fin(I)      - pointer to packet information                 */
+/*              multiple(I) - flag indicating yes/no if multiple occurances */
+/*                            of this extension header are allowed.         */
+/*              proto(I)    - protocol number for this extension header     */
 /*                                                                          */
 /* IPv6 Only                                                                */
-/* This is function checks pending hop by hop options extension header      */
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_hopopts6(fin)
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_ipv6exthdr(fin, multiple, proto)
 fr_info_t *fin;
+int multiple, proto;
 {
 	struct ip6_ext *hdr;
 	u_short shift;
@@ -544,8 +541,15 @@
 	}
 
 	for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
-		if (ip6exthdr[i].ol_val == IPPROTO_HOPOPTS) {
-			fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+		if (ip6exthdr[i].ol_val == proto) {
+			/*
+			 * Most IPv6 extension headers are only allowed once.
+			 */
+			if ((multiple == 0) &&
+			    ((fin->fin_optmsk & ip6exthdr[i].ol_bit) != 0))
+				fin->fin_flx |= FI_BAD;
+			else
+				fin->fin_optmsk |= ip6exthdr[i].ol_bit;
 			break;
 		}
 
@@ -557,6 +561,36 @@
 
 
 /* ------------------------------------------------------------------------ */
+/* Function:    frpr_hopopts6                                               */
+/* Returns:     int    - value of the next header or IPPROTO_NONE if error  */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* IPv6 Only                                                                */
+/* This is function checks pending hop by hop options extension header      */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_hopopts6(fin)
+fr_info_t *fin;
+{
+	return frpr_ipv6exthdr(fin, 0, IPPROTO_HOPOPTS);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    frpr_mobility6                                              */
+/* Returns:     int    - value of the next header or IPPROTO_NONE if error  */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* IPv6 Only                                                                */
+/* This is function checks the IPv6 mobility extension header               */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_mobility6(fin)
+fr_info_t *fin;
+{
+	return frpr_ipv6exthdr(fin, 0, IPPROTO_MOBILITY);
+}
+
+
+/* ------------------------------------------------------------------------ */
 /* Function:    frpr_routing6                                               */
 /* Returns:     int    - value of the next header or IPPROTO_NONE if error  */
 /* Parameters:  fin(I) - pointer to packet information                      */
@@ -568,100 +602,67 @@
 fr_info_t *fin;
 {
 	struct ip6_ext *hdr;
-	u_short shift;
-	int i;
-
-	fin->fin_flx |= FI_V6EXTHDR;
-
-				/* 8 is default length of extension hdr */
-	if ((fin->fin_dlen - 8) < 0) {
-		fin->fin_flx |= FI_SHORT;
+	int shift;
+
+	if (frpr_ipv6exthdr(fin, 0, IPPROTO_ROUTING) == IPPROTO_NONE)
 		return IPPROTO_NONE;
-	}
-
-	if (frpr_pullup(fin, 8) == -1)
-		return IPPROTO_NONE;
+
 	hdr = fin->fin_dp;
-
 	shift = 8 + (hdr->ip6e_len << 3);
 	/*
 	 * Nasty extension header length?
 	 */
-	if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) ||
+	if ((shift < sizeof(struct ip6_hdr)) ||
 	    ((shift - sizeof(struct ip6_hdr)) & 15)) {
 		fin->fin_flx |= FI_BAD;
+		/*
+		 * Compensate for the changes made in frpr_ipv6exthdr()
+		 */
+		fin->fin_dlen += shift;
+		fin->fin_dp = (char *)fin->fin_dp - shift;
 		return IPPROTO_NONE;
 	}
 
-	for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
-		if (ip6exthdr[i].ol_val == IPPROTO_ROUTING) {
-			fin->fin_optmsk |= ip6exthdr[i].ol_bit;
-			break;
-		}
-
-	fin->fin_dp = (char *)fin->fin_dp + shift;
-	fin->fin_dlen -= shift;
-
 	return hdr->ip6e_nxt;
 }
 
 
 /* ------------------------------------------------------------------------ */
 /* Function:    frpr_fragment6                                              */
-/* Returns:     int    - value of the next header or IPPROTO_NONE if error  */
+/* Returns:     void                                                        */
 /* Parameters:  fin(I) - pointer to packet information                      */
 /*                                                                          */
 /* IPv6 Only                                                                */
 /* Examine the IPv6 fragment header and extract fragment offset information.*/
-/* ------------------------------------------------------------------------ */
-static INLINE int frpr_fragment6(fin)
+/*                                                                          */
+/* We don't know where the transport layer header (or whatever is next is), */
+/* as it could be behind destination options (amongst others).  Because     */
+/* there is no fragment cache, there is no knowledge about whether or not an*/
+/* upper layer header has been seen (or where it ends) and thus we are not  */
+/* able to continue processing beyond this header with any confidence.      */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_fragment6(fin)
 fr_info_t *fin;
 {
 	struct ip6_frag *frag;
-	struct ip6_ext *hdr;
-	int i;
-
-	fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR);
-
-				/* 8 is default length of extension hdr */
-	if ((fin->fin_dlen - 8) < 0) {
-		fin->fin_flx |= FI_SHORT;
-		return IPPROTO_NONE;
-	}
-
-	/*
-	 * Only one frgament header is allowed per IPv6 packet but it need
-	 * not be the first nor last (not possible in some cases.)
-	 */
-	for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
-		if (ip6exthdr[i].ol_val == IPPROTO_FRAGMENT)
-			break;
-
-	if (fin->fin_optmsk & ip6exthdr[i].ol_bit) {
-		fin->fin_flx |= FI_BAD;
-		return IPPROTO_NONE;
-	}
-
-	fin->fin_optmsk |= ip6exthdr[i].ol_bit;
+
+	fin->fin_flx |= FI_FRAG;
+
+	if (frpr_ipv6exthdr(fin, 0, IPPROTO_FRAGMENT) == IPPROTO_NONE)
+		return;
 
 	if (frpr_pullup(fin, sizeof(*frag)) == -1)
-		return IPPROTO_NONE;
-	hdr = fin->fin_dp;
-
-	/*
-	 * Length must be zero, i.e. it has no length.
-	 */
-	if (hdr->ip6e_len != 0) {
-		fin->fin_flx |= FI_BAD;
-		return IPPROTO_NONE;
-	}
-
-	if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) {
-		fin->fin_flx |= FI_SHORT;
-		return IPPROTO_NONE;
-	}
+		return;
 
 	frag = fin->fin_dp;
+	/*
+	 * Fragment but no fragmentation info set?  Bad packet...
+	 */
+	if (frag->ip6f_offlg == 0) {
+		fin->fin_flx |= FI_BAD;
+		return;
+	}
+
 	fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK;
 	fin->fin_off <<= 3;
 	if (fin->fin_off != 0)
@@ -669,8 +670,6 @@
 
 	fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag);
 	fin->fin_dlen -= sizeof(*frag);
-
-	return frag->ip6f_nxt;
 }
 
 
@@ -686,34 +685,7 @@
 static INLINE int frpr_dstopts6(fin)
 fr_info_t *fin;
 {
-	struct ip6_ext *hdr;
-	u_short shift;
-	int i;
-
-				/* 8 is default length of extension hdr */
-	if ((fin->fin_dlen - 8) < 0) {
-		fin->fin_flx |= FI_SHORT;
-		return IPPROTO_NONE;
-	}
-
-	if (frpr_pullup(fin, 8) == -1)
-		return IPPROTO_NONE;
-	hdr = fin->fin_dp;
-
-	shift = 8 + (hdr->ip6e_len << 3);
-	if (shift > fin->fin_dlen) {	/* Nasty extension header length? */
-		fin->fin_flx |= FI_BAD;
-		return IPPROTO_NONE;
-	}
-
-	for (i = 0; ip6exthdr[i].ol_bit != 0; i++)
-		if (ip6exthdr[i].ol_val == IPPROTO_DSTOPTS)
-			break;
-	fin->fin_optmsk |= ip6exthdr[i].ol_bit;
-	fin->fin_dp = (char *)fin->fin_dp + shift;
-	fin->fin_dlen -= shift;
-
-	return hdr->ip6e_nxt;
+	return frpr_ipv6exthdr(fin, 1, IPPROTO_DSTOPTS);
 }
 
 
@@ -732,7 +704,7 @@
 	int minicmpsz = sizeof(struct icmp6_hdr);
 	struct icmp6_hdr *icmp6;
 
-	if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)) == -1)
+	if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN - sizeof(ip6_t)) == -1)
 		return;
 
 	if (fin->fin_dlen > 1) {
@@ -763,7 +735,7 @@
 		}
 	}
 
-	frpr_short(fin, minicmpsz);
+	frpr_short6(fin, minicmpsz);
 }
 
 
@@ -774,16 +746,16 @@
 /*                                                                          */
 /* IPv6 Only                                                                */
 /* Analyse the packet for IPv6/UDP properties.                              */
+/* Is not expected to be called for fragmented packets.                     */
 /* ------------------------------------------------------------------------ */
 static INLINE void frpr_udp6(fin)
 fr_info_t *fin;
 {
 
-	fr_checkv6sum(fin);
-
-	frpr_short(fin, sizeof(struct udphdr));
-
-	frpr_udpcommon(fin);
+	frpr_short6(fin, sizeof(struct udphdr));
+
+	if (frpr_udpcommon(fin) == 0)
+		fr_checkv6sum(fin);
 }
 
 
@@ -794,16 +766,86 @@
 /*                                                                          */
 /* IPv6 Only                                                                */
 /* Analyse the packet for IPv6/TCP properties.                              */
+/* Is not expected to be called for fragmented packets.                     */
 /* ------------------------------------------------------------------------ */
 static INLINE void frpr_tcp6(fin)
 fr_info_t *fin;
 {
 
-	fr_checkv6sum(fin);
-
-	frpr_short(fin, sizeof(struct tcphdr));
-
-	frpr_tcpcommon(fin);
+	frpr_short6(fin, sizeof(struct tcphdr));
+
+	if (frpr_tcpcommon(fin) == 0)
+		fr_checkv6sum(fin);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    frpr_esp6                                                   */
+/* Returns:     void                                                        */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* IPv6 Only                                                                */
+/* Analyse the packet for ESP properties.                                   */
+/* The minimum length is taken to be the SPI (32bits) plus a tail (32bits)  */
+/* even though the newer ESP packets must also have a sequence number that  */
+/* is 32bits as well, it is not possible(?) to determine the version from a */
+/* simple packet header.                                                    */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_esp6(fin)
+fr_info_t *fin;
+{
+
+	frpr_short6(fin, sizeof(grehdr_t));
+
+	(void) frpr_pullup(fin, 8);
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    frpr_ah6                                                    */
+/* Returns:     void                                                        */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* IPv6 Only                                                                */
+/* Analyse the packet for AH properties.                                    */
+/* The minimum length is taken to be the combination of all fields in the   */
+/* header being present and no authentication data (null algorithm used.)   */
+/* ------------------------------------------------------------------------ */
+static INLINE int frpr_ah6(fin)
+fr_info_t *fin;
+{
+	authhdr_t *ah;
+
+	frpr_short6(fin, 12);
+
+	if (frpr_pullup(fin, sizeof(*ah)) == -1)
+		return IPPROTO_NONE;
+
+	ah = (authhdr_t *)fin->fin_dp;
+	return ah->ah_next;
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    frpr_gre6                                                   */
+/* Returns:     void                                                        */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* Analyse the packet for GRE properties.                                   */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_gre6(fin)
+fr_info_t *fin;
+{
+	grehdr_t *gre;
+
+	frpr_short6(fin, sizeof(grehdr_t));
+
+	if (frpr_pullup(fin, sizeof(grehdr_t)) == -1)
+		return;
+
+	gre = fin->fin_dp;
+	if (GRE_REV(gre->gr_flags) == 1)
+		fin->fin_data[0] = gre->gr_call;
 }
 #endif	/* USE_INET6 */
 
@@ -841,10 +883,10 @@
 /* ------------------------------------------------------------------------ */
 /* Function:    frpr_short                                                  */
 /* Returns:     void                                                        */
-/* Parameters:  fin(I) - pointer to packet information                      */
-/*              min(I) - minimum header size                                */
+/* Parameters:  fin(I)  - pointer to packet information                     */
+/*              xmin(I) - minimum header size                               */
 /*                                                                          */
-/* Check if a packet is "short" as defined by min.  The rule we are         */
+/* Check if a packet is "short" as defined by xmin.  The rule we are        */
 /* applying here is that the packet must not be fragmented within the layer */
 /* 4 header.  That is, it must not be a fragment that has its offset set to */
 /* start within the layer 4 header (hdrmin) or if it is at offset 0, the    */
@@ -854,15 +896,12 @@
 fr_info_t *fin;
 int xmin;
 {
-	fr_ip_t *fi = &fin->fin_fi;
-	int off;
-
-	off = fin->fin_off;
-	if (off == 0) {
-		if (fin->fin_plen < fin->fin_hlen + xmin)
-			fi->fi_flx |= FI_SHORT;
-	} else if (off < xmin) {
-		fi->fi_flx |= FI_SHORT;
+
+	if (fin->fin_off == 0) {
+		if (fin->fin_dlen < xmin)
+			fin->fin_flx |= FI_SHORT;
+	} else if (fin->fin_off < xmin) {
+		fin->fin_flx |= FI_SHORT;
 	}
 }
 
@@ -875,7 +914,7 @@
 /* IPv4 Only                                                                */
 /* Do a sanity check on the packet for ICMP (v4).  In nearly all cases,     */
 /* except extrememly bad packets, both type and code will be present.       */
-/* The expected minimum size of an ICMP packet is very much dependant on    */
+/* The expected minimum size of an ICMP packet is very much dependent on    */
 /* the type of it.                                                          */
 /*                                                                          */
 /* XXX - other ICMP sanity checks?                                          */
@@ -885,6 +924,7 @@
 {
 	int minicmpsz = sizeof(struct icmp);
 	icmphdr_t *icmp;
+	ip_t *oip;
 
 	if (fin->fin_off != 0) {
 		frpr_short(fin, ICMPERR_ICMPHLEN);
@@ -894,8 +934,6 @@
 	if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1)
 		return;
 
-	fr_checkv4sum(fin);
-
 	if (fin->fin_dlen > 1) {
 		icmp = fin->fin_dp;
 
@@ -930,13 +968,27 @@
 		 * type(1) + code(1) + cksum(2) + id(2) seq(2) + ip(20+)
 		 */
 		case ICMP_UNREACH :
+#ifdef icmp_nextmtu
+			if (icmp->icmp_code == ICMP_UNREACH_NEEDFRAG) {
+				if (icmp->icmp_nextmtu < fr_icmpminfragmtu)
+					fin->fin_flx |= FI_BAD;
+			}
+#endif
 		case ICMP_SOURCEQUENCH :
 		case ICMP_REDIRECT :
 		case ICMP_TIMXCEED :
 		case ICMP_PARAMPROB :
+			fin->fin_flx |= FI_ICMPERR;
 			if (fr_coalesce(fin) != 1)
 				return;
-			fin->fin_flx |= FI_ICMPERR;
+			/*
+			 * ICMP error packets should not be generated for IP
+			 * packets that are a fragment that isn't the first
+			 * fragment.
+			 */
+			oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN);
+			if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0)
+				fin->fin_flx |= FI_BAD;
 			break;
 		default :
 			break;
@@ -947,12 +999,14 @@
 	}
 
 	frpr_short(fin, minicmpsz);
+
+	fr_checkv4sum(fin);
 }
 
 
 /* ------------------------------------------------------------------------ */
 /* Function:    frpr_tcpcommon                                              */
-/* Returns:     void                                                        */
+/* Returns:     int    - 0 = header ok, 1 = bad packet, -1 = buffer error   */
 /* Parameters:  fin(I) - pointer to packet information                      */
 /*                                                                          */
 /* TCP header sanity checking.  Look for bad combinations of TCP flags,     */
@@ -960,20 +1014,18 @@
 /* If compiled with IPFILTER_CKSUM, check to see if the TCP checksum is     */
 /* valid and mark the packet as bad if not.                                 */
 /* ------------------------------------------------------------------------ */
-static INLINE void frpr_tcpcommon(fin)
+static INLINE int frpr_tcpcommon(fin)
 fr_info_t *fin;
 {
 	int flags, tlen;
 	tcphdr_t *tcp;
-	fr_ip_t *fi;
-
-	fi = &fin->fin_fi;
-	fi->fi_flx |= FI_TCPUDP;
+
+	fin->fin_flx |= FI_TCPUDP;
 	if (fin->fin_off != 0)
-		return;
+		return 0;
 
 	if (frpr_pullup(fin, sizeof(*tcp)) == -1)
-		return;
+		return -1;
 	tcp = fin->fin_dp;
 
 	if (fin->fin_dlen > 3) {
@@ -981,8 +1033,8 @@
 		fin->fin_dport = ntohs(tcp->th_dport);
 	}
 
-	if ((fi->fi_flx & FI_SHORT) != 0)
-		return;
+	if ((fin->fin_flx & FI_SHORT) != 0)
+		return 1;
 
 	/*
 	 * Use of the TCP data offset *must* result in a value that is at
@@ -991,7 +1043,7 @@
 	tlen = TCP_OFF(tcp) << 2;
 	if (tlen < sizeof(tcphdr_t)) {
 		fin->fin_flx |= FI_BAD;
-		return;
+		return 1;
 	}
 
 	flags = tcp->th_flags;
@@ -1045,10 +1097,10 @@
 	 * then that might add some weight to adding this...
 	 */
 	if (tlen == sizeof(tcphdr_t))
-		return;
+		return 0;
 
 	if (frpr_pullup(fin, tlen) == -1)
-		return;
+		return -1;
 
 #if 0
 	ip = fin->fin_ip;
@@ -1087,31 +1139,31 @@
 		s += ol;
 	}
 #endif /* 0 */
+
+	return 0;
 }
 
 
 
 /* ------------------------------------------------------------------------ */
 /* Function:    frpr_udpcommon                                              */
-/* Returns:     void                                                        */
+/* Returns:     int    - 0 = header ok, 1 = bad packet                      */
 /* Parameters:  fin(I) - pointer to packet information                      */
 /*                                                                          */
 /* Extract the UDP source and destination ports, if present.  If compiled   */
 /* with IPFILTER_CKSUM, check to see if the UDP checksum is valid.          */
 /* ------------------------------------------------------------------------ */
-static INLINE void frpr_udpcommon(fin)
+static INLINE int frpr_udpcommon(fin)
 fr_info_t *fin;
 {
 	udphdr_t *udp;
-	fr_ip_t *fi;
-
-	fi = &fin->fin_fi;
-	fi->fi_flx |= FI_TCPUDP;
+
+	fin->fin_flx |= FI_TCPUDP;
 
 	if (!fin->fin_off && (fin->fin_dlen > 3)) {
 		if (frpr_pullup(fin, sizeof(*udp)) == -1) {
-			fi->fi_flx |= FI_SHORT;
-			return;
+			fin->fin_flx |= FI_SHORT;
+			return 1;
 		}
 
 		udp = fin->fin_dp;
@@ -1119,6 +1171,8 @@
 		fin->fin_sport = ntohs(udp->uh_sport);
 		fin->fin_dport = ntohs(udp->uh_dport);
 	}
+
+	return 0;
 }
 
 
@@ -1134,11 +1188,10 @@
 fr_info_t *fin;
 {
 
-	fr_checkv4sum(fin);
-
 	frpr_short(fin, sizeof(tcphdr_t));
 
-	frpr_tcpcommon(fin);
+	if (frpr_tcpcommon(fin) == 0)
+		fr_checkv4sum(fin);
 }
 
 
@@ -1154,11 +1207,10 @@
 fr_info_t *fin;
 {
 
-	fr_checkv4sum(fin);
-
 	frpr_short(fin, sizeof(udphdr_t));
 
-	frpr_udpcommon(fin);
+	if (frpr_udpcommon(fin) == 0)
+		fr_checkv4sum(fin);
 }
 
 
@@ -1176,15 +1228,42 @@
 static INLINE void frpr_esp(fin)
 fr_info_t *fin;
 {
-	if (fin->fin_off == 0 && frpr_pullup(fin, 8) == -1)
-		return;
-
-	if (fin->fin_v == 4)
+
+	if (fin->fin_off == 0) {
 		frpr_short(fin, 8);
-#ifdef USE_INET6
-	else if (fin->fin_v == 6)
-		frpr_short6(fin, sizeof(grehdr_t));
-#endif
+		(void) frpr_pullup(fin, 8);
+	}
+
+}
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    frpr_ah                                                     */
+/* Returns:     void                                                        */
+/* Parameters:  fin(I) - pointer to packet information                      */
+/*                                                                          */
+/* Analyse the packet for AH properties.                                    */
+/* The minimum length is taken to be the combination of all fields in the   */
+/* header being present and no authentication data (null algorithm used.)   */
+/* ------------------------------------------------------------------------ */
+static INLINE void frpr_ah(fin)
+fr_info_t *fin;
+{
+	authhdr_t *ah;
+	int len;
+
+	frpr_short(fin, sizeof(*ah));
+
+	if (((fin->fin_flx & FI_SHORT) != 0) || (fin->fin_off != 0))
+		return;
+
+	if (frpr_pullup(fin, sizeof(*ah)) == -1)
+		return;
+
+	ah = (authhdr_t *)fin->fin_dp;
+
+	len = (ah->ah_plen + 2) << 2;
+	frpr_short(fin, len);
 }
 
 
@@ -1200,20 +1279,19 @@
 {
 	grehdr_t *gre;
 
-	if (fin->fin_off == 0 && frpr_pullup(fin, sizeof(grehdr_t)) == -1)
+	frpr_short(fin, sizeof(*gre));
+
+	if (fin->fin_off != 0)
 		return;
 
-	if (fin->fin_v == 4)
-		frpr_short(fin, sizeof(grehdr_t));
-#ifdef USE_INET6
-	else if (fin->fin_v == 6)
-		frpr_short6(fin, sizeof(grehdr_t));
-#endif
-	if (fin->fin_off == 0 ) {
+	if (frpr_pullup(fin, sizeof(*gre)) == -1)
+		return;
+
+	if (fin->fin_off == 0) {
 		gre = fin->fin_dp;
 		if (GRE_REV(gre->gr_flags) == 1)
 			fin->fin_data[0] = gre->gr_call;
-        }
+	}
 }
 
 
@@ -1269,12 +1347,6 @@
 	 * set packet attribute flags based on the offset and
 	 * calculate the byte offset that it represents.
 	 */
-	if ((off & IP_MF) != 0) {
-		fi->fi_flx |= FI_FRAG;
-		if (fin->fin_dlen == 0)
-			fi->fi_flx |= FI_BAD;
-	}
-
 	off &= IP_MF|IP_OFFMASK;
 	if (off != 0) {
 		fi->fi_flx |= FI_FRAG;
@@ -1282,7 +1354,17 @@
 		if (off != 0) {
 			fin->fin_flx |= FI_FRAGBODY;
 			off <<= 3;
-			if (off + fin->fin_dlen > 0xffff) {
+			if ((off + fin->fin_dlen > 65535) || 
+			    (fin->fin_dlen == 0) || (fin->fin_dlen & 7)) {
+				/* 
+				 * The length of the packet, starting at its
+				 * offset cannot exceed 65535 (0xffff) as the 
+				 * length of an IP packet is only 16 bits.
+				 *
+				 * Any fragment that isn't the last fragment
+				 * must have a length greater than 0 and it
+				 * must be an even multiple of 8.
+				 */
 				fi->fi_flx |= FI_BAD;
 			}
 		}
@@ -1303,6 +1385,9 @@
 	case IPPROTO_ICMP :
 		frpr_icmp(fin);
 		break;
+	case IPPROTO_AH :
+		frpr_ah(fin);
+		break;
 	case IPPROTO_ESP :
 		frpr_esp(fin);
 		break;
@@ -1431,8 +1516,10 @@
 	if (v == 4)
 		frpr_ipv4hdr(fin);
 #ifdef	USE_INET6
-	else if (v == 6)
-		frpr_ipv6hdr(fin);
+	else if (v == 6) {
+		if (frpr_ipv6hdr(fin) == -1)
+			return -1;
+	}
 #endif
 	if (fin->fin_ip == NULL)
 		return -1;
@@ -1560,6 +1647,7 @@
 }
 
 
+
 /* ------------------------------------------------------------------------ */
 /* Function:    fr_ipfcheck                                                 */
 /* Returns:     int - 0 == match, 1 == no match                             */
@@ -1765,7 +1853,7 @@
 {
 	int rulen, portcmp, off, logged, skip;
 	struct frentry *fr, *fnext;
-	u_32_t passt;
+	u_32_t passt, passo;
 
 	/*
 	 * Do not allow nesting deeper than 16 levels.
@@ -1833,15 +1921,13 @@
 		case FR_T_BPFOPC|FR_T_BUILTIN :
 		    {
 			u_char *mc;
-			int wlen;
 
 			if (*fin->fin_mp == NULL)
 				continue;
 			if (fin->fin_v != fr->fr_v)
 				continue;
 			mc = (u_char *)fin->fin_m;
-			wlen = fin->fin_dlen + fin->fin_hlen;
-			if (!bpf_filter(fr->fr_data, mc, wlen, 0))
+			if (!bpf_filter(fr->fr_data, mc, fin->fin_plen, 0))
 				continue;
 			break;
 		    }
@@ -1887,24 +1973,23 @@
 		 * it, except for increasing the hit counter.
 		 */
 		if ((passt & FR_CALLNOW) != 0) {
+			frentry_t *frs;
+
 			ATOMIC_INC64(fr->fr_hits);
 			if ((fr->fr_func != NULL) &&
-			    (fr->fr_func != (ipfunc_t)-1)) {
-				frentry_t *frs;
-
-				frs = fin->fin_fr;
-				fin->fin_fr = fr;
-				fr = (*fr->fr_func)(fin, &passt);
-				if (fr == NULL) {
-					fin->fin_fr = frs;
-					continue;
-				}
-				passt = fr->fr_flags;
-				fin->fin_fr = fr;
+			    (fr->fr_func == (ipfunc_t)-1))
+				continue;
+
+			frs = fin->fin_fr;
+			fin->fin_fr = fr;
+			fr = (*fr->fr_func)(fin, &passt);
+			if (fr == NULL) {
+				fin->fin_fr = frs;
+				continue;
 			}
-		} else {
-			fin->fin_fr = fr;
+			passt = fr->fr_flags;
 		}
+		fin->fin_fr = fr;
 
 #ifdef  IPFILTER_LOG
 		/*
@@ -1923,6 +2008,7 @@
 		}
 #endif /* IPFILTER_LOG */
 		fr->fr_bytes += (U_QUAD_T)fin->fin_plen;
+		passo = pass;
 		if (FR_ISSKIP(passt))
 			skip = fr->fr_arg;
 		else if ((passt & FR_LOGMASK) != FR_LOG)
@@ -1935,18 +2021,42 @@
 		(void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
 		if (fr->fr_grp != NULL) {
 			fin->fin_fr = *fr->fr_grp;
-			pass = fr_scanlist(fin, pass);
+			passt = fr_scanlist(fin, pass);
 			if (fin->fin_fr == NULL) {
 				fin->fin_rule = rulen;
 				(void) strncpy(fin->fin_group, fr->fr_group,
 					       FR_GROUPLEN);
 				fin->fin_fr = fr;
+				passt = pass;
 			}
 			if (fin->fin_flx & FI_DONTCACHE)
 				logged = 1;
+			pass = passt;
 		}
-		if (pass & FR_QUICK)
+
+		if (passt & FR_QUICK) {
+			/*
+			 * Finally, if we've asked to track state for this
+			 * packet, set it up.  Add state for "quick" rules
+			 * here so that if the action fails we can consider
+			 * the rule to "not match" and keep on processing
+			 * filter rules.
+			 */
+			if ((pass & FR_KEEPSTATE) &&
+			    !(fin->fin_flx & FI_STATE)) {
+				int out = fin->fin_out;
+
+				fin->fin_fr = fr;
+				if (fr_addstate(fin, NULL, 0) != NULL) {
+					ATOMIC_INCL(frstats[out].fr_ads);
+				} else {
+					ATOMIC_INCL(frstats[out].fr_bads);
+					pass = passo;
+					continue;
+				}
+			}
 			break;
+		}
 	}
 	if (logged)
 		fin->fin_flx |= FI_DONTCACHE;
@@ -2031,18 +2141,22 @@
 	 * the result as if it were from the ACL's.
 	 */
 	fc = &frcache[out][CACHE_HASH(fin)];
+	READ_ENTER(&ipf_frcache);
 	if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
 		/*
-		 * copy cached data so we can unlock the mutex
-		 * earlier.
+		 * copy cached data so we can unlock the mutexes earlier.
 		 */
 		bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
+		RWLOCK_EXIT(&ipf_frcache);
 		ATOMIC_INCL(frstats[out].fr_chit);
+
 		if ((fr = fin->fin_fr) != NULL) {
 			ATOMIC_INC64(fr->fr_hits);
 			pass = fr->fr_flags;
 		}
 	} else {
+		RWLOCK_EXIT(&ipf_frcache);
+
 #ifdef	USE_INET6
 		if (fin->fin_v == 6)
 			fin->fin_fr = ipfilter6[out][fr_active];
@@ -2051,9 +2165,13 @@
 			fin->fin_fr = ipfilter[out][fr_active];
 		if (fin->fin_fr != NULL)
 			pass = fr_scanlist(fin, fr_pass);
+
 		if (((pass & FR_KEEPSTATE) == 0) &&
-		    ((fin->fin_flx & FI_DONTCACHE) == 0))
+		    ((fin->fin_flx & FI_DONTCACHE) == 0)) {
+			WRITE_ENTER(&ipf_frcache);
 			bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
+			RWLOCK_EXIT(&ipf_frcache);
+		}
 		if ((pass & FR_NOMATCH)) {
 			ATOMIC_INCL(frstats[out].fr_nom);
 		}
@@ -2078,7 +2196,8 @@
 	if (FR_ISAUTH(pass)) {
 		if (fr_newauth(fin->fin_m, fin) != 0) {
 #ifdef	_KERNEL
-			fin->fin_m = *fin->fin_mp = NULL;
+			if ((pass & FR_RETMASK) == 0)
+				fin->fin_m = *fin->fin_mp = NULL;
 #else
 			;
 #endif
@@ -2118,30 +2237,6 @@
 		}
 	}
 
-	/*
-	 * Finally, if we've asked to track state for this packet, set it up.
-	 */
-	if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
-		if (fr_addstate(fin, NULL, 0) != NULL) {
-			ATOMIC_INCL(frstats[out].fr_ads);
-		} else {
-#ifdef notdef
-			/*
-			 * This blocks ICMP messages (eg. ICMP_UNREACH_NEEDFRAG)
-			 * fr_addstate returning NULL is not necessary a bad
-			 * thing because there is no state to be added on some
-			 * packets, eg. icmp packets. XXX: but for others this
-			 * is wrong.
-			 */
-			ATOMIC_INCL(frstats[out].fr_bads);
-			if (FR_ISPASS(pass)) {
-				pass &= ~FR_CMDMASK;
-				pass |= FR_BLOCK;
-			}
-#endif
-		}
-	}
-
 	fr = fin->fin_fr;
 
 	if (passp != NULL)
@@ -2157,7 +2252,7 @@
 /*              User space:                                                 */
 /*                    -1 == packet blocked                                  */
 /*                     1 == packet not matched                              */
-/*                    -2 == requires authantication                         */
+/*                    -2 == requires authentication                         */
 /*              Kernel:                                                     */
 /*                   > 0 == filter error # for packet                       */
 /* Parameters: ip(I)   - pointer to start of IPv4/6 packet                  */
@@ -2207,8 +2302,6 @@
 #ifdef USE_INET6
 	ip6_t *ip6;
 #endif
-	SPL_INT(s);
-
 	/*
 	 * The first part of fr_check() deals with making sure that what goes
 	 * into the filtering engine makes some sense.  Information about the
@@ -2222,6 +2315,8 @@
 
 	if ((u_int)ip & 0x3)
 		return 2;
+# else
+	SPL_INT(s);
 # endif
 
 	READ_ENTER(&ipf_global);
@@ -2247,6 +2342,10 @@
 	if ((m->m_flags & M_MCAST) != 0)
 		fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
 #  endif
+#  if defined(M_MLOOP)
+	if ((m->m_flags & M_MLOOP) != 0)
+		fin->fin_flx |= FI_MBCAST|FI_MULTICAST;
+#  endif
 #  if defined(M_BCAST)
 	if ((m->m_flags & M_BCAST) != 0)
 		fin->fin_flx |= FI_MBCAST|FI_BROADCAST;
@@ -2283,7 +2382,7 @@
 	fin->fin_out = out;
 	fin->fin_ifp = ifp;
 	fin->fin_error = ENETUNREACH;
-	fin->fin_hlen = (u_short )hlen;
+	fin->fin_hlen = (u_short)hlen;
 	fin->fin_dp = (char *)ip + hlen;
 
 	fin->fin_ipoff = (char *)ip - MTOD(m, char *);
@@ -2302,7 +2401,7 @@
 		fin->fin_plen = ntohs(ip6->ip6_plen);
 		if (fin->fin_plen == 0) {
 			pass = FR_BLOCK|FR_NOMATCH;
-			goto filtered;
+			goto finished;
 		}
 		fin->fin_plen += sizeof(ip6_t);
 	} else
@@ -2315,8 +2414,10 @@
 		fin->fin_plen = ip->ip_len;
 	}
 
-	if (fr_makefrip(hlen, ip, fin) == -1)
+	if (fr_makefrip(hlen, ip, fin) == -1) {
+		pass = FR_BLOCK|FR_NOMATCH;
 		goto finished;
+	}
 
 	/*
 	 * For at least IPv6 packets, if a m_pullup() fails then this pointer
@@ -2381,6 +2482,23 @@
 	if ((pass & FR_NOMATCH) || (fr == NULL))
 		fr = fr_firewall(fin, &pass);
 
+	/*
+	 * If we've asked to track state for this packet, set it up.
+	 * Here rather than fr_firewall because fr_checkauth may decide
+	 * to return a packet for "keep state"
+	 */
+	if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
+		if (fr_addstate(fin, NULL, 0) != NULL) {
+			ATOMIC_INCL(frstats[out].fr_ads);
+		} else {
+			ATOMIC_INCL(frstats[out].fr_bads);
+			if (FR_ISPASS(pass)) {
+				pass &= ~FR_CMDMASK;
+				pass |= FR_BLOCK;
+			}
+		}
+	}
+
 	fin->fin_fr = fr;
 
 	/*
@@ -2410,23 +2528,32 @@
 	}
 #endif
 
-	if (fin->fin_state != NULL)
+	if (fin->fin_state != NULL) {
 		fr_statederef(fin, (ipstate_t **)&fin->fin_state);
-
-	if (fin->fin_nat != NULL)
+		fin->fin_state = NULL;
+	}
+
+	if (fin->fin_nat != NULL) {
 		fr_natderef((nat_t **)&fin->fin_nat);
+		fin->fin_nat = NULL;
+	}
 
 	/*
-	 * Only allow FR_DUP to work if a rule matched - it makes no sense to
-	 * set FR_DUP as a "default" as there are no instructions about where
-	 * to send the packet.  Use fin_m here because it may have changed
-	 * (without an update of 'm') in prior processing.
+	 * Up the reference on fr_lock and exit ipf_mutex.  fr_fastroute
+	 * only frees up the lock on ipf_global and the generation of a
+	 * packet below could cause a recursive call into IPFilter.
+	 * Hang onto the filter rule just in case someone decides to remove
+	 * or flush it in the meantime.
 	 */
-	if ((fr != NULL) && (pass & FR_DUP)) {
-		mc = M_DUPLICATE(fin->fin_m);
+	if (fr != NULL) {
+		MUTEX_ENTER(&fr->fr_lock);
+		fr->fr_ref++;
+		MUTEX_EXIT(&fr->fr_lock);
 	}
 
-	if (pass & (FR_RETRST|FR_RETICMP)) {
+	RWLOCK_EXIT(&ipf_mutex);
+
+	if ((pass & FR_RETMASK) != 0) {
 		/*
 		 * Should we return an ICMP packet to indicate error
 		 * status passing through the packet filter ?
@@ -2447,10 +2574,19 @@
 				ATOMIC_INCL(frstats[0].fr_ret);
 			} else if (((pass & FR_RETMASK) == FR_RETRST) &&
 				   !(fin->fin_flx & FI_SHORT)) {
-				if (fr_send_reset(fin) == 0) {
+				if (((fin->fin_flx & FI_OOW) != 0) ||
+				    (fr_send_reset(fin) == 0)) {
 					ATOMIC_INCL(frstats[1].fr_ret);
 				}
 			}
+
+			/*
+			 * When using return-* with auth rules, the auth code
+			 * takes over disposing of this packet.
+			 */
+			if (FR_ISAUTH(pass) && (fin->fin_m != NULL)) {
+				fin->fin_m = *fin->fin_mp = NULL;
+			}
 		} else {
 			if (pass & FR_RETRST)
 				fin->fin_error = ECONNRESET;
@@ -2463,13 +2599,7 @@
 	 * instructions about what to do with a packet.
 	 * Once we're finished return to our caller, freeing the packet if
 	 * we are dropping it (* BSD ONLY *).
-	 * Reassign m from fin_m as we may have a new buffer, now.
 	 */
-#if defined(USE_INET6) || (defined(__sgi) && defined(_KERNEL))
-filtered:
-#endif
-	m = fin->fin_m;
-
 	if (fr != NULL) {
 		frdest_t *fdp;
 
@@ -2480,27 +2610,27 @@
 			 * For fastroute rule, no destioation interface defined
 			 * so pass NULL as the frdest_t parameter
 			 */
-			(void) fr_fastroute(m, mp, fin, NULL);
+			(void) fr_fastroute(fin->fin_m, mp, fin, NULL);
 			m = *mp = NULL;
 		} else if ((fdp->fd_ifp != NULL) &&
 			   (fdp->fd_ifp != (struct ifnet *)-1)) {
 			/* this is for to rules: */
-			(void) fr_fastroute(m, mp, fin, fdp);
+			(void) fr_fastroute(fin->fin_m, mp, fin, fdp);
 			m = *mp = NULL;
 		}
 
 		/*
 		 * Generate a duplicated packet.
 		 */
-		if (mc != NULL)
-			(void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
+		if ((pass & FR_DUP) != 0) {
+			mc = M_DUPLICATE(fin->fin_m);
+			if (mc != NULL)
+				(void) fr_fastroute(mc, &mc, fin, &fr->fr_dif);
+		}
+
+		(void) fr_derefrule(&fr);
 	}
 
-	/*
-	 * This late because the likes of fr_fastroute() use fin_fr.
-	 */
-	RWLOCK_EXIT(&ipf_mutex);
-
 finished:
 	if (!FR_ISPASS(pass)) {
 		ATOMIC_INCL(frstats[out].fr_block);
@@ -2513,7 +2643,7 @@
 #if defined(_KERNEL) && defined(__sgi)
 		if ((fin->fin_hbuf != NULL) &&
 		    (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
-			COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf);
+			COPYBACK(fin->fin_m, 0, fin->fin_plen, fin->fin_hbuf);
 		}
 #endif
 	}
@@ -2522,7 +2652,7 @@
 	RWLOCK_EXIT(&ipf_global);
 
 #ifdef _KERNEL
-# if OpenBSD >= 200311    
+# if OpenBSD >= 200311
 	if (FR_ISPASS(pass) && (v == 4)) {
 		ip = fin->fin_ip;
 		ip->ip_len = ntohs(ip->ip_len);
@@ -2671,10 +2801,10 @@
 /* Expects ip_len to be in host byte order when called.                     */
 /* ------------------------------------------------------------------------ */
 #ifdef INET
-u_short fr_cksum(m, ip, l4proto, l4hdr)
+u_short fr_cksum(m, ip, l4proto, l4hdr, l3len)
 mb_t *m;
 ip_t *ip;
-int l4proto;
+int l4proto, l3len;
 void *l4hdr;
 {
 	u_short *sp, slen, sumsave, l4hlen, *csump;
@@ -2699,7 +2829,7 @@
 	if (IP_V(ip) == 4) {
 #endif
 		hlen = IP_HL(ip) << 2;
-		slen = ip->ip_len - hlen;
+		slen = l3len - hlen;
 		sum = htons((u_short)l4proto);
 		sum += htons(slen);
 		sp = (u_short *)&ip->ip_src;
@@ -2711,9 +2841,9 @@
 	} else if (IP_V(ip) == 6) {
 		ip6 = (ip6_t *)ip;
 		hlen = sizeof(*ip6);
-		slen = ntohs(ip6->ip6_plen);
+		slen = ntohs(l3len);
 		sum = htons((u_short)l4proto);
-		sum += htons(slen);
+		sum += slen;
 		sp = (u_short *)&ip6->ip6_src;
 		sum += *sp++;	/* ip6_src */
 		sum += *sp++;
@@ -2915,7 +3045,7 @@
 
 
 #if defined(_KERNEL) && ( ((BSD < 199103) && !defined(MENTAT)) || \
-    defined(__sgi) ) && !defined(linux)
+    defined(__sgi) ) && !defined(linux) && !defined(_AIX51)
 /*
  * Copyright (c) 1982, 1986, 1988, 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
@@ -2945,7 +3075,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
- * Id: fil.c,v 2.243.2.57 2005/03/28 10:47:50 darrenr Exp
+ * Id: fil.c,v 2.243.2.78 2006/03/29 11:19:54 darrenr Exp
  */
 /*
  * Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -3014,7 +3144,7 @@
 		m = m->m_next;
 	}
 	while (len > 0) {
-		mlen = min (m->m_len - off, len);
+		mlen = min(m->m_len - off, len);
 		bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
 		cp += mlen;
 		len -= mlen;
@@ -3063,7 +3193,7 @@
 	frgroup_t *fg, **fgp;
 
 	/*
-	 * Which list of groups to search in is dependant on which list of
+	 * Which list of groups to search in is dependent on which list of
 	 * rules are being operated on.
 	 */
 	fgp = &ipfgroups[unit][set];
@@ -3646,13 +3776,7 @@
 	caddr_t ca;
 	int err;
 
-# if SOLARIS
-	err = COPYIN(dst, (caddr_t)&ca, sizeof(ca));
-	if (err != 0)
-		return err;
-# else
 	bcopy(dst, (caddr_t)&ca, sizeof(ca));
-# endif
 	err = COPYOUT(src, ca, size);
 	return err;
 }
@@ -4024,10 +4148,15 @@
 		fprev = &fg->fg_start;
 	}
 
-	for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next)
-		if (fp->fr_collect <= f->fr_collect)
+	ftail = fprev;
+	for (f = *ftail; (f = *ftail) != NULL; ftail = &f->fr_next) {
+		if (fp->fr_collect <= f->fr_collect) {
+			ftail = fprev;
+			f = NULL;
 			break;
-	ftail = fprev;
+		}
+		fprev = ftail;
+	}
 
 	/*
 	 * Copy in extra data for the rule.
@@ -4126,7 +4255,6 @@
 			break;
 #endif
 		default :
-			
 			break;
 		}
 		break;
@@ -4166,14 +4294,17 @@
 	WRITE_ENTER(&ipf_mutex);
 	bzero((char *)frcache, sizeof(frcache));
 
-	for (; (f = *ftail) != NULL; ftail = &f->fr_next)
-		if ((fp->fr_cksum == f->fr_cksum) &&
-		    (f->fr_dsize == fp->fr_dsize) &&
-		    !bcmp((char *)&f->fr_func,
-			  (char *)&fp->fr_func, FR_CMPSIZ) &&
-		    (!ptr || !f->fr_data ||
+	for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
+		if ((fp->fr_cksum != f->fr_cksum) ||
+		    (f->fr_dsize != fp->fr_dsize))
+			continue;
+		if (bcmp((char *)&f->fr_func, (char *)&fp->fr_func, FR_CMPSIZ))
+			continue;
+		if ((!ptr && !f->fr_data) ||
+		    (ptr && f->fr_data &&
 		     !bcmp((char *)ptr, (char *)f->fr_data, f->fr_dsize)))
 			break;
+	}
 
 	/*
 	 * If zero'ing statistics, copy current to caller and zero.
@@ -4219,12 +4350,40 @@
 	}
 
 	if (!f) {
-		if (req == (ioctlcmd_t)SIOCINAFR ||
-		    req == (ioctlcmd_t)SIOCINIFR) {
+		/*
+		 * At the end of this, ftail must point to the place where the
+		 * new rule is to be saved/inserted/added.
+		 * For SIOCAD*FR, this should be the last rule in the group of
+		 * rules that have equal fr_collect fields.
+		 * For SIOCIN*FR, ...
+		 */
+		if (req == (ioctlcmd_t)SIOCADAFR ||
+		    req == (ioctlcmd_t)SIOCADIFR) {
+
+			for (ftail = fprev; (f = *ftail) != NULL; ) {
+				if (f->fr_collect > fp->fr_collect)
+					break;
+				ftail = &f->fr_next;
+			}
+			f = NULL;
+			ptr = NULL;
+			error = 0;
+		} else if (req == (ioctlcmd_t)SIOCINAFR ||
+			   req == (ioctlcmd_t)SIOCINIFR) {
+			while ((f = *fprev) != NULL) {
+				if (f->fr_collect >= fp->fr_collect)
+					break;
+				fprev = &f->fr_next;
+			}
 			ftail = fprev;
 			if (fp->fr_hits != 0) {
-				while (--fp->fr_hits && (f = *ftail))
+				while (fp->fr_hits && (f = *ftail)) {
+					if (f->fr_collect != fp->fr_collect)
+						break;
+					fprev = ftail;
 					ftail = &f->fr_next;
+					fp->fr_hits--;
+				}
 			}
 			f = NULL;
 			ptr = NULL;
@@ -4269,7 +4428,7 @@
 			}
 			if (*f->fr_grhead != '\0')
 				fr_delgroup(f->fr_grhead, unit, set);
-			fr_fixskip(fprev, f, -1);
+			fr_fixskip(ftail, f, -1);
 			*ftail = f->fr_next;
 			f->fr_next = NULL;
 			(void)fr_derefrule(&f);
@@ -4290,7 +4449,7 @@
 			} else
 				f = fp;
 			if (f != NULL) {
-				if (fg != NULL && fg->fg_head!= NULL )
+				if (fg != NULL && fg->fg_head != NULL)
 					fg->fg_head->fr_ref++;
 				if (fp != f)
 					bcopy((char *)fp, (char *)f,
@@ -4309,7 +4468,7 @@
 				*ftail = f;
 				if (req == (ioctlcmd_t)SIOCINIFR ||
 				    req == (ioctlcmd_t)SIOCINAFR)
-					fr_fixskip(fprev, f, 1);
+					fr_fixskip(ftail, f, 1);
 				f->fr_grp = NULL;
 				group = f->fr_grhead;
 				if (*group != '\0') {
@@ -4737,7 +4896,7 @@
 		ifq->ifq_next->ifq_pnext = ifq->ifq_pnext;
 
 	MUTEX_DESTROY(&ifq->ifq_lock);
-	fr_userifqs--;
+	ATOMIC_DEC(fr_userifqs);
 	KFREE(ifq);
 }
 
@@ -4759,8 +4918,6 @@
 	ipftq_t *ifq;
 
 	ifq = tqe->tqe_ifq;
-	if (ifq == NULL)
-		return;
 
 	MUTEX_ENTER(&ifq->ifq_lock);
 
@@ -4832,24 +4989,21 @@
 	tqe->tqe_die = fr_ticks + ifq->ifq_ttl;
 
 	MUTEX_ENTER(&ifq->ifq_lock);
-	if (tqe->tqe_next == NULL) {		/* at the end already ? */
-		MUTEX_EXIT(&ifq->ifq_lock);
-		return;
+	if (tqe->tqe_next != NULL) {		/* at the end already ? */
+		/*
+		 * Remove from list
+		 */
+		*tqe->tqe_pnext = tqe->tqe_next;
+		tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
+
+		/*
+		 * Make it the last entry.
+		 */
+		tqe->tqe_next = NULL;
+		tqe->tqe_pnext = ifq->ifq_tail;
+		*ifq->ifq_tail = tqe;
+		ifq->ifq_tail = &tqe->tqe_next;
 	}
-
-	/*
-	 * Remove from list
-	 */
-	*tqe->tqe_pnext = tqe->tqe_next;
-	tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
-
-	/*
-	 * Make it the last entry.
-	 */
-	tqe->tqe_next = NULL;
-	tqe->tqe_pnext = ifq->ifq_tail;
-	*ifq->ifq_tail = tqe;
-	ifq->ifq_tail = &tqe->tqe_next;
 	MUTEX_EXIT(&ifq->ifq_lock);
 }
 
@@ -4901,46 +5055,44 @@
 	 * Is the operation here going to be a no-op ?
 	 */
 	MUTEX_ENTER(&oifq->ifq_lock);
-	if (oifq == nifq && *oifq->ifq_tail == tqe) {
-		MUTEX_EXIT(&oifq->ifq_lock);
-		return;
+	if ((oifq != nifq) || (*oifq->ifq_tail != tqe)) {
+		/*
+		 * Remove from the old queue
+		 */
+		*tqe->tqe_pnext = tqe->tqe_next;
+		if (tqe->tqe_next)
+			tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
+		else
+			oifq->ifq_tail = tqe->tqe_pnext;
+		tqe->tqe_next = NULL;
+
+		/*
+		 * If we're moving from one queue to another, release the
+		 * lock on the old queue and get a lock on the new queue.
+		 * For user defined queues, if we're moving off it, call
+		 * delete in case it can now be freed.
+		 */
+		if (oifq != nifq) {
+			tqe->tqe_ifq = NULL;
+
+			(void) fr_deletetimeoutqueue(oifq);
+
+			MUTEX_EXIT(&oifq->ifq_lock);
+
+			MUTEX_ENTER(&nifq->ifq_lock);
+
+			tqe->tqe_ifq = nifq;
+			nifq->ifq_ref++;
+		}
+
+		/*
+		 * Add to the bottom of the new queue
+		 */
+		tqe->tqe_die = fr_ticks + nifq->ifq_ttl;
+		tqe->tqe_pnext = nifq->ifq_tail;
+		*nifq->ifq_tail = tqe;
+		nifq->ifq_tail = &tqe->tqe_next;
 	}
-
-	/*
-	 * Remove from the old queue
-	 */
-	*tqe->tqe_pnext = tqe->tqe_next;
-	if (tqe->tqe_next)
-		tqe->tqe_next->tqe_pnext = tqe->tqe_pnext;
-	else
-		oifq->ifq_tail = tqe->tqe_pnext;
-	tqe->tqe_next = NULL;
-
-	/*
-	 * If we're moving from one queue to another, release the lock on the
-	 * old queue and get a lock on the new queue.  For user defined queues,
-	 * if we're moving off it, call delete in case it can now be freed.
-	 */
-	if (oifq != nifq) {
-		tqe->tqe_ifq = NULL;
-
-		(void) fr_deletetimeoutqueue(oifq);
-
-		MUTEX_EXIT(&oifq->ifq_lock);
-
-		MUTEX_ENTER(&nifq->ifq_lock);
-
-		tqe->tqe_ifq = nifq;
-		nifq->ifq_ref++;
-	}
-
-	/*
-	 * Add to the bottom of the new queue
-	 */
-	tqe->tqe_die = fr_ticks + nifq->ifq_ttl;
-	tqe->tqe_pnext = nifq->ifq_tail;
-	*nifq->ifq_tail = tqe;
-	nifq->ifq_tail = &tqe->tqe_next;
 	MUTEX_EXIT(&nifq->ifq_lock);
 }
 
@@ -4957,7 +5109,7 @@
 /* the fragment cache for non-leading fragments.  If a non-leading fragment */
 /* has no match in the cache, return an error.                              */
 /* ------------------------------------------------------------------------ */
-static INLINE int fr_updateipid(fin)
+static int fr_updateipid(fin)
 fr_info_t *fin;
 {
 	u_short id, ido, sums;
@@ -5009,7 +5161,7 @@
 {
 	static char namebuf[LIFNAMSIZ];
 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
-     defined(__sgi) || defined(linux) || \
+     defined(__sgi) || defined(linux) || defined(_AIX51) || \
      (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
 	int unit, space;
 	char temp[20];
@@ -5021,7 +5173,7 @@
 	(void) strncpy(buffer, ifp->if_name, LIFNAMSIZ);
 	buffer[LIFNAMSIZ - 1] = '\0';
 # if defined(MENTAT) || defined(__FreeBSD__) || defined(__osf__) || \
-     defined(__sgi) || \
+     defined(__sgi) || defined(_AIX51) || \
      (defined(sun) && !defined(__SVR4) && !defined(__svr4__))
 	for (s = buffer; *s; s++)
 		;
@@ -5425,7 +5577,7 @@
 		if (dosum)
 #ifdef INET
 			sum = fr_cksum(fin->fin_m, fin->fin_ip,
-				       fin->fin_p, fin->fin_dp);
+				       fin->fin_p, fin->fin_dp, fin->fin_plen);
 #else
 			return 1;
 #endif
@@ -5629,96 +5781,101 @@
 ipftuneable_t ipf_tuneables[] = {
 	/* filtering */
 	{ { &fr_flags },	"fr_flags",		0,	0xffffffff,
-			sizeof(fr_flags),		0 },
+			sizeof(fr_flags),		0, NULL },
 	{ { &fr_active },	"fr_active",		0,	0,
-			sizeof(fr_active),		IPFT_RDONLY },
+			sizeof(fr_active),		IPFT_RDONLY, NULL },
 	{ { &fr_control_forwarding },	"fr_control_forwarding",	0, 1,
-			sizeof(fr_control_forwarding),	0 },
+			sizeof(fr_control_forwarding),	0, NULL },
 	{ { &fr_update_ipid },	"fr_update_ipid",	0,	1,
-			sizeof(fr_update_ipid),		0 },
+			sizeof(fr_update_ipid),		0, NULL },
 	{ { &fr_chksrc },	"fr_chksrc",		0,	1,
-			sizeof(fr_chksrc),		0 },
+			sizeof(fr_chksrc),		0, NULL },
+	{ { &fr_minttl },	"fr_minttl",		0,	1,
+			sizeof(fr_minttl),		0, NULL },
+	{ { &fr_icmpminfragmtu }, "fr_icmpminfragmtu",	0,	1,
+			sizeof(fr_icmpminfragmtu),	0, NULL },
 	{ { &fr_pass },		"fr_pass",		0,	0xffffffff,
-			sizeof(fr_pass),		0 },
+			sizeof(fr_pass),		0, NULL },
 	/* state */
 	{ { &fr_tcpidletimeout }, "fr_tcpidletimeout",	1,	0x7fffffff,
-			sizeof(fr_tcpidletimeout),	IPFT_WRDISABLED },
+			sizeof(fr_tcpidletimeout),	IPFT_WRDISABLED, NULL },
 	{ { &fr_tcpclosewait },	"fr_tcpclosewait",	1,	0x7fffffff,
-			sizeof(fr_tcpclosewait),	IPFT_WRDISABLED },
+			sizeof(fr_tcpclosewait),	IPFT_WRDISABLED, NULL },
 	{ { &fr_tcplastack },	"fr_tcplastack",	1,	0x7fffffff,
-			sizeof(fr_tcplastack),		IPFT_WRDISABLED },
+			sizeof(fr_tcplastack),		IPFT_WRDISABLED, NULL },
 	{ { &fr_tcptimeout },	"fr_tcptimeout",	1,	0x7fffffff,
-			sizeof(fr_tcptimeout),		IPFT_WRDISABLED },
+			sizeof(fr_tcptimeout),		IPFT_WRDISABLED, NULL },
 	{ { &fr_tcpclosed },	"fr_tcpclosed",		1,	0x7fffffff,
-			sizeof(fr_tcpclosed),		IPFT_WRDISABLED },
+			sizeof(fr_tcpclosed),		IPFT_WRDISABLED, NULL },
 	{ { &fr_tcphalfclosed }, "fr_tcphalfclosed",	1,	0x7fffffff,
-			sizeof(fr_tcphalfclosed),	IPFT_WRDISABLED },
+			sizeof(fr_tcphalfclosed),	IPFT_WRDISABLED, NULL },
 	{ { &fr_udptimeout },	"fr_udptimeout",	1,	0x7fffffff,
-			sizeof(fr_udptimeout),		IPFT_WRDISABLED },
+			sizeof(fr_udptimeout),		IPFT_WRDISABLED, NULL },
 	{ { &fr_udpacktimeout }, "fr_udpacktimeout",	1,	0x7fffffff,
-			sizeof(fr_udpacktimeout),	IPFT_WRDISABLED },
+			sizeof(fr_udpacktimeout),	IPFT_WRDISABLED, NULL },
 	{ { &fr_icmptimeout },	"fr_icmptimeout",	1,	0x7fffffff,
-			sizeof(fr_icmptimeout),		IPFT_WRDISABLED },
+			sizeof(fr_icmptimeout),		IPFT_WRDISABLED, NULL },
 	{ { &fr_icmpacktimeout }, "fr_icmpacktimeout",	1,	0x7fffffff,
-			sizeof(fr_icmpacktimeout),	IPFT_WRDISABLED },
+			sizeof(fr_icmpacktimeout),	IPFT_WRDISABLED, NULL },
 	{ { &fr_iptimeout }, "fr_iptimeout",		1,	0x7fffffff,
-			sizeof(fr_iptimeout),		IPFT_WRDISABLED },
+			sizeof(fr_iptimeout),		IPFT_WRDISABLED, NULL },
 	{ { &fr_statemax },	"fr_statemax",		1,	0x7fffffff,
-			sizeof(fr_statemax),		0 },
+			sizeof(fr_statemax),		0,	NULL },
 	{ { &fr_statesize },	"fr_statesize",		1,	0x7fffffff,
-			sizeof(fr_statesize),		IPFT_WRDISABLED },
+			sizeof(fr_statesize),		IPFT_WRDISABLED, NULL },
 	{ { &fr_state_lock },	"fr_state_lock",	0,	1,
-			sizeof(fr_state_lock),		IPFT_RDONLY },
+			sizeof(fr_state_lock),		IPFT_RDONLY, NULL },
 	{ { &fr_state_maxbucket }, "fr_state_maxbucket", 1,	0x7fffffff,
-			sizeof(fr_state_maxbucket),	IPFT_WRDISABLED },
+			sizeof(fr_state_maxbucket),	IPFT_WRDISABLED, NULL },
 	{ { &fr_state_maxbucket_reset }, "fr_state_maxbucket_reset",	0, 1,
-			sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED },
+			sizeof(fr_state_maxbucket_reset), IPFT_WRDISABLED, NULL },
 	{ { &ipstate_logging },	"ipstate_logging",	0,	1,
-			sizeof(ipstate_logging),	0 },
+			sizeof(ipstate_logging),	0, NULL },
 	/* nat */
 	{ { &fr_nat_lock },		"fr_nat_lock",		0,	1,
-			sizeof(fr_nat_lock),		IPFT_RDONLY },
+			sizeof(fr_nat_lock),		IPFT_RDONLY, NULL },
 	{ { &ipf_nattable_sz },	"ipf_nattable_sz",	1,	0x7fffffff,
-			sizeof(ipf_nattable_sz),	IPFT_WRDISABLED },
+			sizeof(ipf_nattable_sz),	IPFT_WRDISABLED, NULL },
 	{ { &ipf_nattable_max }, "ipf_nattable_max",	1,	0x7fffffff,
-			sizeof(ipf_nattable_max),	0 },
+			sizeof(ipf_nattable_max),	0, NULL },
 	{ { &ipf_natrules_sz },	"ipf_natrules_sz",	1,	0x7fffffff,
-			sizeof(ipf_natrules_sz),	IPFT_WRDISABLED },
+			sizeof(ipf_natrules_sz),	IPFT_WRDISABLED, NULL },
 	{ { &ipf_rdrrules_sz },	"ipf_rdrrules_sz",	1,	0x7fffffff,
-			sizeof(ipf_rdrrules_sz),	IPFT_WRDISABLED },
+			sizeof(ipf_rdrrules_sz),	IPFT_WRDISABLED, NULL },
 	{ { &ipf_hostmap_sz },	"ipf_hostmap_sz",	1,	0x7fffffff,
-			sizeof(ipf_hostmap_sz),		IPFT_WRDISABLED },
+			sizeof(ipf_hostmap_sz),		IPFT_WRDISABLED, NULL },
 	{ { &fr_nat_maxbucket }, "fr_nat_maxbucket",	1,	0x7fffffff,
-			sizeof(fr_nat_maxbucket),	IPFT_WRDISABLED },
+			sizeof(fr_nat_maxbucket),	IPFT_WRDISABLED, NULL },
 	{ { &fr_nat_maxbucket_reset },	"fr_nat_maxbucket_reset",	0, 1,
-			sizeof(fr_nat_maxbucket_reset),	IPFT_WRDISABLED },
+			sizeof(fr_nat_maxbucket_reset),	IPFT_WRDISABLED, NULL },
 	{ { &nat_logging },		"nat_logging",		0,	1,
-			sizeof(nat_logging),		0 },
+			sizeof(nat_logging),		0, NULL },
 	{ { &fr_defnatage },	"fr_defnatage",		1,	0x7fffffff,
-			sizeof(fr_defnatage),		IPFT_WRDISABLED },
+			sizeof(fr_defnatage),		IPFT_WRDISABLED, NULL },
 	{ { &fr_defnatipage },	"fr_defnatipage",	1,	0x7fffffff,
-			sizeof(fr_defnatipage),		IPFT_WRDISABLED },
+			sizeof(fr_defnatipage),		IPFT_WRDISABLED, NULL },
 	{ { &fr_defnaticmpage }, "fr_defnaticmpage",	1,	0x7fffffff,
-			sizeof(fr_defnaticmpage),	IPFT_WRDISABLED },
+			sizeof(fr_defnaticmpage),	IPFT_WRDISABLED, NULL },
 	/* frag */
 	{ { &ipfr_size },	"ipfr_size",		1,	0x7fffffff,
-			sizeof(ipfr_size),		IPFT_WRDISABLED },
+			sizeof(ipfr_size),		IPFT_WRDISABLED, NULL },
 	{ { &fr_ipfrttl },	"fr_ipfrttl",		1,	0x7fffffff,
-			sizeof(fr_ipfrttl),		IPFT_WRDISABLED },
+			sizeof(fr_ipfrttl),		IPFT_WRDISABLED, NULL },
 #ifdef IPFILTER_LOG
 	/* log */
 	{ { &ipl_suppress },	"ipl_suppress",		0,	1,
-			sizeof(ipl_suppress),		0 },
+			sizeof(ipl_suppress),		0, NULL },
 	{ { &ipl_buffer_sz },	"ipl_buffer_sz",	0,	0,
-			sizeof(ipl_buffer_sz),		IPFT_RDONLY },
+			sizeof(ipl_buffer_sz),		IPFT_RDONLY, NULL },
 	{ { &ipl_logmax },	"ipl_logmax",		0,	0x7fffffff,
-			sizeof(ipl_logmax),		IPFT_WRDISABLED },
+			sizeof(ipl_logmax),		IPFT_WRDISABLED, NULL },
 	{ { &ipl_logall },	"ipl_logall",		0,	1,
-			sizeof(ipl_logall),		0 },
+			sizeof(ipl_logall),		0, NULL },
 	{ { &ipl_logsize },	"ipl_logsize",		0,	0x80000,
-			sizeof(ipl_logsize),		0 },
+			sizeof(ipl_logsize),		0, NULL },
 #endif
-	{ { NULL },		NULL,			0,	0 }
+	{ { NULL },		NULL,			0,	0,
+			0,				0, NULL }
 };
 
 static ipftuneable_t *ipf_tunelist = NULL;
@@ -6132,7 +6289,7 @@
 	int error;
 
 	fr_getstat(&fio);
-	error = copyoutptr(&fio, data, sizeof(fio));
+	error = fr_outobj(data, &fio, IPFOBJ_IPFSTAT);
 	if (error)
 		return EFAULT;
 
@@ -6175,31 +6332,6 @@
 
 
 /* ------------------------------------------------------------------------ */
-/* Function:    fr_icmp4errortype                                           */
-/* Returns:     int - 1 == success, 0 == failure                            */
-/* Parameters:  icmptype(I) - ICMP type number                              */
-/*                                                                          */
-/* Tests to see if the ICMP type number passed is an error type or not.     */
-/* ------------------------------------------------------------------------ */
-int fr_icmp4errortype(icmptype)
-int icmptype;
-{
-
-	switch (icmptype)
-	{
-	case ICMP_SOURCEQUENCH :
-	case ICMP_PARAMPROB :
-	case ICMP_REDIRECT :
-	case ICMP_TIMXCEED :
-	case ICMP_UNREACH :
-		return 1;
-	default:
-		return 0;
-	}
-}
-
-
-/* ------------------------------------------------------------------------ */
 /* Function:    fr_resolvenic                                               */
 /* Returns:     void* - NULL = wildcard name, -1 = failed to find NIC, else */
 /*                      pointer to interface structure for NIC              */
--- a/sys/dist/ipf/netinet/ip_auth.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_auth.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_auth.c,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_auth.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1998-2003 by Darren Reed & Guido van Rooij.
@@ -121,15 +121,16 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.4 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_auth.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 #else
-static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_auth.c,v 2.73.2.13 2006/03/29 11:19:55 darrenr Exp";
 #endif
 #endif
 
 
-#if SOLARIS
+#if SOLARIS && defined(_KERNEL)
 extern kcondvar_t ipfauthwait;
+extern struct pollhead iplpollhead[IPL_LOGSIZE];
 #endif /* SOLARIS */
 #if defined(linux) && defined(_KERNEL)
 wait_queue_head_t     fr_authnext_linux;
@@ -324,7 +325,10 @@
 
 	fra = fr_auth + i;
 	fra->fra_index = i;
-	fra->fra_pass = 0;
+	if (fin->fin_fr != NULL)
+		fra->fra_pass = fin->fin_fr->fr_flags;
+	else
+		fra->fra_pass = 0;
 	fra->fra_age = fr_defaultauthage;
 	bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
 #if !defined(sparc) && !defined(m68k)
@@ -346,17 +350,15 @@
 	}
 #endif
 #if SOLARIS && defined(_KERNEL)
+	COPYIFNAME(fin->fin_ifp, fra->fra_info.fin_ifname);
 	m->b_rptr -= qpi->qpi_off;
 	fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
 	fra->fra_q = qpi->qpi_q;	/* The queue can disappear! */
+	fra->fra_m = *fin->fin_mp;
+	fra->fra_info.fin_mp = &fra->fra_m;
 	cv_signal(&ipfauthwait);
+	pollwakeup(&iplpollhead[IPL_LOGAUTH], POLLIN|POLLRDNORM);
 #else
-# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
-	if (!fin->fin_out) {
-		ip->ip_len = htons(ip->ip_len);
-		ip->ip_off = htons(ip->ip_off);
-	}
-# endif
 	fr_authpkts[i] = m;
 	WAKEUP(&fr_authnext,0);
 #endif
@@ -369,19 +371,15 @@
 ioctlcmd_t cmd;
 int mode;
 {
+	frauth_t auth, *au = &auth, *fra;
+	int i, error = 0, len;
+	char *t;
 	mb_t *m;
 #if defined(_KERNEL) && !defined(MENTAT) && !defined(linux) && \
     (!defined(__FreeBSD_version) || (__FreeBSD_version < 501000))
-#ifdef INET
 	struct ifqueue *ifq;
+	SPL_INT(s);
 #endif
-# ifdef USE_SPL
-	int s;
-# endif /* USE_SPL */
-#endif
-	frauth_t auth, *au = &auth, *fra;
-	int i, error = 0, len;
-	char *t;
 
 	switch (cmd)
 	{
@@ -410,10 +408,14 @@
 	case SIOCAUTHW:
 fr_authioctlloop:
 		error = fr_inobj(data, au, IPFOBJ_FRAUTH);
+		if (error != 0)
+			break;
 		READ_ENTER(&ipf_auth);
 		if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
 			error = fr_outobj(data, &fr_auth[fr_authnext],
 					  IPFOBJ_FRAUTH);
+			if (error != 0)
+				break;
 			if (auth.fra_len != 0 && auth.fra_buf != NULL) {
 				/*
 				 * Copy packet contents out to user space if
@@ -427,11 +429,12 @@
 				for (t = auth.fra_buf; m && (len > 0); ) {
 					i = MIN(M_LEN(m), len);
 					error = copyoutptr(MTOD(m, char *),
-							  t, i);
+							   &t, i);
 					len -= i;
 					t += i;
 					if (error != 0)
 						break;
+					m = m->m_next;
 				}
 			}
 			RWLOCK_EXIT(&ipf_auth);
@@ -484,10 +487,8 @@
 #endif
 		MUTEX_EXIT(&ipf_authmx);
 		READ_ENTER(&ipf_global);
-		if (error == 0) {
-			READ_ENTER(&ipf_auth);
+		if (error == 0)
 			goto fr_authioctlloop;
-		}
 		break;
 
 	case SIOCAUTHR:
@@ -498,6 +499,7 @@
 		WRITE_ENTER(&ipf_auth);
 		i = au->fra_index;
 		fra = fr_auth + i;
+		error = 0;
 		if ((i < 0) || (i >= fr_authsize) ||
 		    (fra->fra_info.fin_id != au->fra_info.fin_id)) {
 			RWLOCK_EXIT(&ipf_auth);
@@ -513,12 +515,16 @@
 		if ((m != NULL) && (au->fra_info.fin_out != 0)) {
 #ifdef INET
 # ifdef MENTAT
-			error = !putq(fra->fra_q, m);
+			error = ipf_inject(&fra->fra_info);
+			if (error != 0) {
+				FREE_MB_T(m);
+				error = ENOBUFS;
+			}
 # else /* MENTAT */
-#  ifdef linux
+#  if defined(linux) || defined(AIX)
 #  else
 #   if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) || \
-       (defined(__sgi) && (IRIX >= 60500) || \
+       (defined(__sgi) && (IRIX >= 60500) || defined(AIX) || \
        (defined(__FreeBSD__) && (__FreeBSD_version >= 470102)))
 			error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
 					  NULL);
@@ -535,14 +541,18 @@
 		} else if (m) {
 #ifdef INET
 # ifdef MENTAT
-			error = !putq(fra->fra_q, m);
+			error = ipf_inject(&fra->fra_info);
+			if (error != 0) {
+				FREE_MB_T(m);
+				error = ENOBUFS;
+			}
 # else /* MENTAT */
-#  ifdef linux
+#  if defined(linux) || defined(AIX)
 #  else
-#   if __FreeBSD_version >= 501000
+#   if (__FreeBSD_version >= 501000)
 			netisr_dispatch(NETISR_IP, m);
 #   else
-#    if IRIX >= 60516
+#    if (IRIX >= 60516)
 			ifq = &((struct ifnet *)fra->fra_info.fin_ifp)->if_snd;
 #    else
 			ifq = &ipintrq;
@@ -567,10 +577,6 @@
 				fr_authstats.fas_queok++;
 		} else
 			error = EINVAL;
-# ifdef MENTAT
-		if (error != 0)
-			error = EINVAL;
-# else /* MENTAT */
 		/*
 		 * If we experience an error which will result in the packet
 		 * not being processed, make sure we advance to the next one.
@@ -594,7 +600,6 @@
 				}
 			}
 		}
-# endif /* MENTAT */
 #endif /* _KERNEL */
 		SPL_X(s);
 		break;
@@ -674,9 +679,7 @@
 	register frauthent_t *fae, **faep;
 	register frentry_t *fr, **frp;
 	mb_t *m;
-# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
-	int s;
-# endif
+	SPL_INT(s);
 
 	if (fr_auth_lock)
 		return;
@@ -725,9 +728,7 @@
 {
 	frauthent_t *fae, **faep;
 	int error = 0;
-# if !defined(MENAT) && defined(_KERNEL) && defined(USE_SPL)
-	int s;
-#endif
+	SPL_INT(s);
 
 	if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR))
 		return EIO;
@@ -813,3 +814,9 @@
 
 	return num_flushed;
 }
+
+
+int fr_auth_waiting()
+{
+	return (fr_authnext != fr_authend) && fr_authpkts[fr_authnext];
+}
--- a/sys/dist/ipf/netinet/ip_auth.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_auth.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,11 +1,11 @@
-/*	$NetBSD: ip_auth.h,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_auth.h,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_auth.h,v 2.16 2003/07/25 12:29:56 darrenr Exp
+ * Id: ip_auth.h,v 2.16.2.2 2006/03/16 06:45:49 darrenr Exp
  *
  */
 #ifndef _NETINET_IP_AUTH_H_
@@ -22,6 +22,7 @@
 	char	*fra_buf;
 #ifdef	MENTAT
 	queue_t	*fra_q;
+	mb_t	*fra_m;
 #endif
 } frauth_t;
 
@@ -62,5 +63,6 @@
 extern	int	fr_newauth __P((mb_t *, fr_info_t *));
 extern	int	fr_preauthcmd __P((ioctlcmd_t, frentry_t *, frentry_t **));
 extern	int	fr_auth_ioctl __P((caddr_t, ioctlcmd_t, int));
+extern	int	fr_auth_waiting __P((void));
 
 #endif	/* __IP_AUTH_H__ */
--- a/sys/dist/ipf/netinet/ip_compat.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_compat.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_compat.h,v 1.8 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_compat.h,v 1.8.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_compat.h	1.8 1/14/96
- * Id: ip_compat.h,v 2.142.2.25 2005/03/28 09:33:36 darrenr Exp
+ * Id: ip_compat.h,v 2.142.2.36 2006/03/26 05:50:29 darrenr Exp
  */
 
 #ifndef _NETINET_IP_COMPAT_H_
@@ -443,8 +443,9 @@
 				  wakeup(id + x); \
 				  spinunlock(_l); \
 				}
+#  define	POLLWAKEUP(x)	;
 #  define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), M_IOSYS, M_NOWAIT)
-#  define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), M_IOSYS, M_NOWAIT)
+#  define	KMALLOCS(a, b, c) (a) = (b)malloc((c), M_IOSYS, M_NOWAIT)
 #  define	KFREE(x)	kmem_free((char *)(x), sizeof(*(x)))
 #  define	KFREES(x,s)	kmem_free((char *)(x), (s))
 #  define	MSGDSIZE(x)	msgdsize(x)
@@ -580,6 +581,7 @@
 #  define	UIOMOVE(a,b,c,d)	uiomove((caddr_t)a,b,c,d)
 #  define	SLEEP(id, n)	sleep((id), PZERO+1)
 #  define	WAKEUP(id,x)	wakeup(id+x)
+#  define	POLLWAKEUP(x)	;
 #  define	KFREE(x)	kmem_free((char *)(x), sizeof(*(x)))
 #  define	KFREES(x,s)	kmem_free((char *)(x), (s))
 #  define	GETIFP(n,v)	ifunit(n)
@@ -661,12 +663,13 @@
 #  define	GETIFP(n, v)		ifunit(n)
 #  define	GET_MINOR		getminor
 #  define	WAKEUP(id,x)		wakeup(id + x)
+#  define	POLLWAKEUP(x)		;
 #  define	COPYIN(a,b,c)	copyin((caddr_t)(a), (caddr_t)(b), (c))
 #  define	COPYOUT(a,b,c)	copyout((caddr_t)(a), (caddr_t)(b), (c))
 #  define	BCOPYIN(a,b,c)	bcopy((caddr_t)(a), (caddr_t)(b), (c))
 #  define	BCOPYOUT(a,b,c)	bcopy((caddr_t)(a), (caddr_t)(b), (c))
 #  define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), M_PFILT, M_NOWAIT)
-#  define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), M_PFILT, \
+#  define	KMALLOCS(a, b, c) (a) = (b)malloc((c), M_PFILT, \
 					    ((c) > 4096) ? M_WAITOK : M_NOWAIT)
 #  define	KFREE(x)	FREE((x), M_PFILT)
 #  define	KFREES(x,s)	FREE((x), M_PFILT)
@@ -768,7 +771,7 @@
 /*                                F R E E B S D                            */
 /* ----------------------------------------------------------------------- */
 #ifdef __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(KLD_MODULE)
+# if defined(_KERNEL)
 #  if (__FreeBSD_version >= 500000)                          
 #   include "opt_bpf.h"
 #  else
@@ -1031,6 +1034,7 @@
 #  define	KFREES(x,s)	kmem_free((char *)(x), (s))
 #  define	SLEEP(id, n)	sleep((id), PZERO+1)
 #  define	WAKEUP(id,x)	wakeup(id + x)
+#  define	POLLWAKEUP(x)	;
 #  define	UIOMOVE(a,b,c,d)	uiomove((caddr_t)a,b,c,d)
 #  define	IPF_PANIC(x,y)	if (x) { printf y; panic("ipf_panic"); }
 
@@ -1076,6 +1080,7 @@
 #  define	FREE_MB_T(m)	kfree_skb(m)
 #  define	GETKTIME(x)	do_gettimeofday((struct timeval *)x)
 #  define	SLEEP(x,s)	0, interruptible_sleep_on(x##_linux)
+#  define	POLLWAKEUP(x)	;
 #  define	WAKEUP(x,y)	wake_up(x##_linux + y)
 #  define	UIOMOVE(a,b,c,d)	uiomove(a,b,c,d)
 #  define	USE_MUTEXES
@@ -1122,6 +1127,7 @@
 #  define	mbuf	sk_buff
 
 #  define	mtod(m, t)	((t)(m)->data)
+#  define	m_data		data
 #  define	m_len		len
 #  define	m_next		next
 #  define	M_DUPLICATE(m)	skb_clone((m), in_interrupt() ? GFP_ATOMIC : \
@@ -1206,6 +1212,116 @@
 #endif
 
 
+/* ----------------------------------------------------------------------- */
+/*                                    A I X                                */
+/* ----------------------------------------------------------------------- */
+#if defined(_AIX51)
+# undef		MENTAT
+
+# include <sys/lock.h>
+# include <sys/sysmacros.h>
+
+# ifdef _KERNEL
+#  define rw_read_locked(x)		0
+#  include <net/net_globals.h>
+#  include <net/net_malloc.h>
+#  define	KMUTEX_T		simple_lock_t
+#  define	KRWLOCK_T		complex_lock_t
+#  define	USE_MUTEXES		1
+#  define	USE_SPL			1
+#  define	READ_ENTER(x)		lock_read((x)->ipf_lk)
+#  define	WRITE_ENTER(x)		lock_write((x)->ipf_lk)
+#  define	MUTEX_DOWNGRADE(x)	lock_write_to_read((x)->ipf_lk)
+#  define	RWLOCK_INIT(x, y)	lock_alloc(&(x)->ipf_lk, \
+						   LOCK_ALLOC_PIN, \
+						   (u_short)y, 0); \
+					lock_init((x)->ipf_lk, TRUE)
+#  define	RWLOCK_EXIT(x)		lock_done((x)->ipf_lk)
+#  define	RW_DESTROY(x)		lock_free(&(x)->ipf_lk)
+#  define	MUTEX_ENTER(x)		simple_lock((x)->ipf_lk)
+#  define	MUTEX_INIT(x, y)	lock_alloc(&(x)->ipf_lk, \
+						   LOCK_ALLOC_PIN, \
+						   (u_short)y, 0); \
+					simple_lock_init((x)->ipf_lk)
+#  define	MUTEX_DESTROY(x)	lock_free(&(x)->ipf_lk)
+#  define	MUTEX_EXIT(x)		simple_unlock((x)->ipf_lk)
+#  define	MUTEX_NUKE(x)		bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk))
+#   define	ATOMIC_INC64(x)		{ MUTEX_ENTER(&ipf_rw); (x)++; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_DEC64(x)		{ MUTEX_ENTER(&ipf_rw); (x)--; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_INC32(x)		{ MUTEX_ENTER(&ipf_rw); (x)++; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_DEC32(x)		{ MUTEX_ENTER(&ipf_rw); (x)--; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_INCL(x)		{ MUTEX_ENTER(&ipf_rw); (x)++; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_DECL(x)		{ MUTEX_ENTER(&ipf_rw); (x)--; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_INC(x)		{ MUTEX_ENTER(&ipf_rw); (x)++; \
+					  MUTEX_EXIT(&ipf_rw); }
+#   define	ATOMIC_DEC(x)		{ MUTEX_ENTER(&ipf_rw); (x)--; \
+					  MUTEX_EXIT(&ipf_rw); }
+#  define	SPL_NET(x)		x = splnet()
+#  define	SPL_IMP(x)		x = splimp()
+#  undef	SPL_X
+#  define	SPL_X(x)		splx(x)
+#  define	UIOMOVE(a,b,c,d)	uiomove((caddr_t)a,b,c,d)
+extern void* getifp __P((char *, int));
+#  define	GETIFP(n, v)		getifp(n, v)
+#  define	GET_MINOR		minor
+#  define	SLEEP(id, n)	sleepx((id), PZERO+1, 0)
+#  define	WAKEUP(id,x)	wakeup(id)
+#  define	POLLWAKEUP(x)	;
+#  define	COPYIN(a,b,c)	copyin((caddr_t)(a), (caddr_t)(b), (c))
+#  define	COPYOUT(a,b,c)	copyout((caddr_t)(a), (caddr_t)(b), (c))
+#  define	BCOPYIN(a,b,c)	bcopy((caddr_t)(a), (caddr_t)(b), (c))
+#  define	BCOPYOUT(a,b,c)	bcopy((caddr_t)(a), (caddr_t)(b), (c))
+#  define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
+#  define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), M_TEMP, \
+					    ((c) > 4096) ? M_WAITOK : M_NOWAIT)
+#  define	KFREE(x)	FREE((x), M_TEMP)
+#  define	KFREES(x,s)	FREE((x), M_TEMP)
+#  define	MSGDSIZE(x)	mbufchainlen(x)
+#  define	M_LEN(x)	(x)->m_len
+#  define	M_DUPLICATE(x)	m_copy((x), 0, M_COPYALL)
+#  define	GETKTIME(x)
+#  define	CACHE_HASH(x)	((IFNAME(fin->fin_ifp)[0] + \
+				  ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
+#  define	IPF_PANIC(x,y)
+typedef struct mbuf mb_t;
+# endif /* _KERNEL */
+
+/*
+ * These are from's Solaris' #defines for little endian.
+ */
+#if !defined(IP6F_MORE_FRAG)
+# define	IP6F_MORE_FRAG		0x0100
+#endif
+#if !defined(IP6F_RESERVED_MASK)
+# define	IP6F_RESERVED_MASK	0x0600
+#endif
+#if !defined(IP6F_OFF_MASK)
+# define	IP6F_OFF_MASK		0xf8ff
+#endif
+
+struct ip6_ext {
+	u_char	ip6e_nxt;
+	u_char	ip6e_len;
+};
+
+typedef	int		ioctlcmd_t;  
+typedef	int		minor_t;
+/*
+ * Really, any arch where sizeof(long) != sizeof(int).
+ */
+typedef unsigned int    u_32_t;
+# define	U_32_T	1
+
+# define OS_RECOGNISED 1
+#endif	/* _AIX51 */
+
+
 #ifndef	OS_RECOGNISED
 #error	ip_compat.h does not recognise this platform/OS.
 #endif
@@ -1221,8 +1337,11 @@
  * For BSD kernels, if bpf is in the kernel, enable ipfilter to use bpf in
  * filter rules.
  */
-#if !defined(IPFILTER_BPF) && ((NBPF > 0) || (NBPFILTER > 0))
-# define IPFILTER_BPF
+#if !defined(IPFILTER_BPF)
+# if (defined(NBPF) && (NBPF > 0)) || (defined(DEV_BPF) && (DEV_BPF > 0)) || \
+     (defined(NBPFILTER) && (NBPFILTER > 0))
+#  define	IPFILTER_BPF
+# endif
 #endif
 
 /*
@@ -1290,10 +1409,10 @@
 #endif
 
 #if defined(linux) && defined(_KERNEL)
-extern	INLINE	void	ipf_read_enter __P((ipfrwlock_t *));
-extern	INLINE	void	ipf_write_enter __P((ipfrwlock_t *));
-extern	INLINE	void	ipf_rw_exit __P((ipfrwlock_t *));
-extern	INLINE	void	ipf_rw_downgrade __P((ipfrwlock_t *));
+extern	void	ipf_read_enter __P((ipfrwlock_t *));
+extern	void	ipf_write_enter __P((ipfrwlock_t *));
+extern	void	ipf_rw_exit __P((ipfrwlock_t *));
+extern	void	ipf_rw_downgrade __P((ipfrwlock_t *));
 #endif
 
 /*
@@ -1313,10 +1432,12 @@
 # define	M_LEN(x)	(x)->mb_len
 # define	M_DUPLICATE(x)	(x)
 # define	GETKTIME(x)	gettimeofday((struct timeval *)(x), NULL)
+# undef		MTOD
 # define	MTOD(m, t)	((t)(m)->mb_buf)
 # define	FREE_MB_T(x)
 # define	SLEEP(x,y)	1;
 # define	WAKEUP(x,y)	;
+# define	POLLWAKEUP(y)	;
 # define	IPF_PANIC(x,y)	;
 # define	PANIC(x,y)	;
 # define	SPL_NET(x)	;
@@ -1327,8 +1448,8 @@
 # define	KFREE(x)	free(x)
 # define	KFREES(x,s)	free(x)
 # define	GETIFP(x, v)	get_unit(x,v)
-# define	COPYIN(a,b,c)	(bcopy((a), (b), (c)), 0)
-# define	COPYOUT(a,b,c)	(bcopy((a), (b), (c)), 0)
+# define	COPYIN(a,b,c)	bcopywrap((a), (b), (c))
+# define	COPYOUT(a,b,c)	bcopywrap((a), (b), (c))
 # define	BCOPYIN(a,b,c)	(bcopy((a), (b), (c)), 0)
 # define	BCOPYOUT(a,b,c)	(bcopy((a), (b), (c)), 0)
 # define	COPYDATA(m, o, l, b)	bcopy(MTOD((mb_t *)m, char *) + (o), \
@@ -1339,6 +1460,7 @@
 # define	UIOMOVE(a,b,c,d)	ipfuiomove(a,b,c,d)
 extern	void	m_copydata __P((mb_t *, int, int, caddr_t));
 extern	int	ipfuiomove __P((caddr_t, int, int, struct uio *));
+extern	int	bcopywrap __P((void *, void *, size_t));
 # ifndef CACHE_HASH
 #  define	CACHE_HASH(x)	((IFNAME(fin->fin_ifp)[0] + \
 				  ((struct ifnet *)fin->fin_ifp)->if_unit) & 7)
@@ -1417,6 +1539,10 @@
 #endif
 
 #if defined(_KERNEL)
+# ifdef BSD
+#  include <sys/selinfo.h>
+extern struct selinfo ipfselwait[];
+# endif
 # ifdef MENTAT
 #  define	COPYDATA	mb_copydata
 #  define	COPYBACK	mb_copyback
@@ -1460,12 +1586,13 @@
 #   endif /* M_PFIL */
 #  endif /* IPFILTER_M_IPFILTER */
 #  define	KMALLOC(a, b)	MALLOC((a), b, sizeof(*(a)), _M_IPF, M_NOWAIT)
-#  define	KMALLOCS(a, b, c)	MALLOC((a), b, (c), _M_IPF, M_NOWAIT)
+#  define	KMALLOCS(a, b, c)	(a) = (b)malloc((c), _M_IPF, M_NOWAIT)
 #  define	KFREE(x)	FREE((x), _M_IPF)
 #  define	KFREES(x,s)	FREE((x), _M_IPF)
 #  define	UIOMOVE(a,b,c,d)	uiomove(a,b,d)
 #  define	SLEEP(id, n)	tsleep((id), PPAUSE|PCATCH, n, 0)
 #  define	WAKEUP(id,x)	wakeup(id+x)
+#  define	POLLWAKEUP(x)	selwakeup(ipfselwait+x)
 #  define	GETIFP(n, v)	ifunit(n)
 # endif /* (Free)BSD */
 
@@ -1619,7 +1746,7 @@
 # define	IP_HL(x)	(x)->ip_hl
 #endif
 #ifndef	IP_HL_A
-# define	IP_HL_A(x,y)	(x)->ip_hl = (y)
+# define	IP_HL_A(x,y)	(x)->ip_hl = ((y) & 0xf)
 #endif
 #ifndef	TCP_X2
 # define	TCP_X2(x)	(x)->th_x2
@@ -2043,9 +2170,10 @@
 #ifndef	IPPROTO_DSTOPTS
 # define	IPPROTO_DSTOPTS	60
 #endif
-#ifndef	IPPROTO_FRAGMENT
-# define	IPPROTO_FRAGMENT	44
+#ifndef	IPPROTO_MOBILITY
+# define	IPPROTO_MOBILITY	135
 #endif
+
 #ifndef	ICMP_ROUTERADVERT
 # define	ICMP_ROUTERADVERT	9
 #endif
@@ -2279,7 +2407,7 @@
 /*
  * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
  * another IP header and then 64 bits of data, totalling 56.  Of course,
- * the last 64 bits is dependant on that being available.
+ * the last 64 bits is dependent on that being available.
  */
 #define	ICMPERR_ICMPHLEN	8
 #define	ICMPERR_IPICMPHLEN	(20 + 8)
@@ -2298,4 +2426,8 @@
 # define	DPRINT(x)
 #endif
 
-#endif /* _NETINET_IP_COMPAT_H_ */
+#ifdef RESCUE
+# undef IPFILTER_BPF
+#endif
+
+#endif	/* __IP_COMPAT_H__ */
--- a/sys/dist/ipf/netinet/ip_fil.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_fil.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_fil.h,v 1.5 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_fil.h,v 1.5.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -6,12 +6,14 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_fil.h	1.35 6/5/96
- * Id: ip_fil.h,v 2.170.2.18 2005/03/28 10:47:52 darrenr Exp
+ * Id: ip_fil.h,v 2.170.2.29 2006/03/29 11:19:55 darrenr Exp
  */
 
 #ifndef _NETINET_IP_FIL_H_
 #define _NETINET_IP_FIL_H_
 
+#include "netinet/ip_compat.h"
+
 #ifndef	SOLARIS
 # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
@@ -24,7 +26,7 @@
 # endif
 #endif
 
-#if defined(__STDC__) || defined(__GNUC__)
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
 # define	SIOCADAFR	_IOW('r', 60, struct ipfobj)
 # define	SIOCRMAFR	_IOW('r', 61, struct ipfobj)
 # define	SIOCSETFF	_IOW('r', 62, u_int)
@@ -305,6 +307,7 @@
 #ifdef	MENTAT
 	mb_t	*fin_qfm;		/* pointer to mblk where pkt starts */
 	void	*fin_qpi;
+	char	fin_ifname[LIFNAMSIZ];
 #endif
 #ifdef	__sgi
 	void	*fin_hbuf;
@@ -904,6 +907,7 @@
 
 #define	TCP_WSCALE_SEEN		0x00000001
 #define	TCP_WSCALE_FIRST	0x00000002
+#define	TCP_SACK_PERMIT		0x00000004
 
 
 typedef	struct tcpinfo {
@@ -913,6 +917,9 @@
 } tcpinfo_t;
 
 
+/*
+ * Structures to define a GRE header as seen in a packet.
+ */
 struct	grebits	{
 	u_32_t	grb_C:1;
 	u_32_t	grb_R:1;
@@ -947,7 +954,9 @@
 #define	gr_A		gr_bits.grb_A
 #define	gr_ver		gr_bits.grb_ver
 
-
+/*
+ * GRE information tracked by "keep state"
+ */
 typedef	struct	greinfo	{
 	u_short	gs_call[2];
 	u_short	gs_flags;
@@ -958,6 +967,20 @@
 
 
 /*
+ * Format of an Authentication header
+ */
+typedef	struct	authhdr	{
+	u_char	ah_next;
+	u_char	ah_plen;
+	u_short	ah_reserved;
+	u_32_t	ah_spi;
+	u_32_t	ah_seq;
+	/* Following the sequence number field is 0 or more bytes of */
+	/* authentication data, as specified by ah_plen - RFC 2402.  */
+} authhdr_t;
+
+
+/*
  * Timeout tail queue list member
  */
 typedef	struct	ipftqent	{
@@ -1113,6 +1136,17 @@
 # endif
 #endif
 
+#ifdef _KERNEL
+# define	FR_VERBOSE(verb_pr)
+# define	FR_DEBUG(verb_pr)
+#else
+extern	void	debug __P((char *, ...));
+extern	void	verbose __P((char *, ...));
+# define	FR_VERBOSE(verb_pr)	verbose verb_pr
+# define	FR_DEBUG(verb_pr)	debug verb_pr
+#endif
+
+
 #ifndef	_KERNEL
 extern	int	fr_check __P((struct ip *, int, void *, int, mb_t **));
 extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
@@ -1128,6 +1162,7 @@
 extern	int	iplopen __P((dev_t, int));
 extern	int	iplclose __P((dev_t, int));
 extern	void	m_freem __P((mb_t *));
+extern	int	bcopywrap __P((void *, void *, size_t));
 #else /* #ifndef _KERNEL */
 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
 extern	void	ipfilterattach __P((int));
@@ -1237,6 +1272,7 @@
 extern	ipfmutex_t	ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
 extern	ipfrwlock_t	ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
 extern	ipfrwlock_t	ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
+extern	ipfrwlock_t	ipf_frcache;
 
 extern	char	*memstr __P((const char *, char *, size_t, size_t));
 extern	int	count4bits __P((u_32_t));
@@ -1295,6 +1331,7 @@
 extern	frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
 
 extern	int	fr_loginit __P((void));
+extern	int	ipflog_canread __P((int));
 extern	int	ipflog_clear __P((minor_t));
 extern	int	ipflog_read __P((minor_t, uio_t *));
 extern	int	ipflog __P((fr_info_t *, u_int));
@@ -1303,7 +1340,7 @@
 
 extern	frentry_t	*fr_acctpkt __P((fr_info_t *, u_32_t *));
 extern	int		fr_copytolog __P((int, char *, int));
-extern	u_short		fr_cksum __P((mb_t *, ip_t *, int, void *));
+extern	u_short		fr_cksum __P((mb_t *, ip_t *, int, void *, int));
 extern	void		fr_deinitialise __P((void));
 extern	frentry_t 	*fr_dolog __P((fr_info_t *, u_32_t *));
 extern	frentry_t 	*fr_dstgrpmap __P((fr_info_t *, u_32_t *));
@@ -1311,7 +1348,6 @@
 extern	void		fr_forgetifp __P((void *));
 extern	frentry_t 	*fr_getrulen __P((int, char *, u_32_t));
 extern	void		fr_getstat __P((struct friostat *));
-extern	int		fr_icmp4errortype __P((int));
 extern	int		fr_ifpaddr __P((int, int, void *,
 				struct in_addr *, struct in_addr *));
 extern	int		fr_initialise __P((void));
--- a/sys/dist/ipf/netinet/ip_fil_netbsd.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_fil_netbsd.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_fil_netbsd.c,v 1.18 2005/12/28 09:29:48 christos Exp $	*/
+/*	$NetBSD: ip_fil_netbsd.c,v 1.18.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2003 by Darren Reed.
@@ -7,7 +7,7 @@
  */
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.27 2005/02/21 22:51:08 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.38 2006/03/25 13:03:02 darrenr Exp";
 #endif
 
 #if defined(KERNEL) || defined(_KERNEL)
@@ -36,6 +36,7 @@
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
+#include <sys/poll.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -92,10 +93,6 @@
 
 static	int	(*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
 static	int	fr_send_ip __P((fr_info_t *, mb_t *, mb_t **));
-#ifdef KMUTEX_T
-extern  ipfmutex_t	ipf_rw;
-extern	ipfrwlock_t	ipf_mutex;
-#endif
 #ifdef USE_INET6
 static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
 				fr_info_t *, frdest_t *));
@@ -116,9 +113,19 @@
 #endif /* NETBSD_PF */
 
 #if (__NetBSD_Version__ >= 106080000) && defined(_KERNEL)
+# include <sys/select.h>
+
+# if  (__NetBSD_Version__ >= 399001400)
+int iplpoll __P((dev_t dev, int events, struct lwp *p));
+# else
+int iplpoll __P((dev_t dev, int events, struct proc *p));
+# endif
+
+struct selinfo ipfselwait[IPL_LOGSIZE];
+
 const struct cdevsw ipl_cdevsw = {
 	iplopen, iplclose, iplread, nowrite, iplioctl,
-	nostop, notty, nopoll, nommap,
+	nostop, notty, iplpoll, nommap, nokqfilter, D_OTHER,
 };
 #endif
 
@@ -207,7 +214,7 @@
 int dir;
 {
 #if defined(INET6)
-#if defined(M_CSUM_TCPv6)
+#  if defined(M_CSUM_TCPv6) && (__NetBSD_Version__ > 200000000)
 	/*
 	 * If the packet is out-bound, we can't delay checksums
 	 * here.  For in-bound, the checksum has already been
@@ -216,17 +223,40 @@
 	if (dir == PFIL_OUT) {
 		if ((*mp)->m_pkthdr.csum_flags & (M_CSUM_TCPv6|M_CSUM_UDPv6)) {
 			in6_delayed_cksum(*mp);
-			(*mp)->m_pkthdr.csum_flags &=
-			    ~(M_CSUM_TCPv6|M_CSUM_UDPv6);
+			(*mp)->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv6|
+							M_CSUM_UDPv6);
 		}
 	}
-#endif /* M_CSUM_TCPv6 */
+#  endif
 #endif /* INET6 */
 
 	return (fr_check(mtod(*mp, struct ip *), sizeof(struct ip6_hdr),
 	    ifp, (dir == PFIL_OUT), mp));
 }
 # endif
+
+
+# if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+static int ipf_pfilsync(void *, struct mbuf **, struct ifnet *, int);
+
+static int ipf_pfilsync(hdr, mp, ifp, dir)
+void *hdr;
+struct mbuf **mp;
+struct ifnet *ifp;
+int dir;
+{
+	/*
+	 * The interface pointer is useless for create (we have nothing to
+	 * compare it to) and at detach, the interface name is still in the
+	 * list of active NICs (albeit, down, but that's not any real
+	 * indicator) and doing ifunit() on the name will still return the
+	 * pointer, so it's not much use then, either.
+	 */
+	frsync(NULL);
+	return 0;
+}
+# endif
+
 #endif /* __NetBSD_Version__ >= 105110000 */
 
 
@@ -267,6 +297,9 @@
 #  ifdef USE_INET6
         struct pfil_head *ph_inet6;
 #  endif
+#  if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+        struct pfil_head *ph_ifsync;
+#  endif
 # endif
 #endif
 
@@ -289,10 +322,17 @@
 #   ifdef USE_INET6
 	ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
 #   endif
+#   if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+	ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0);
+#   endif
+
 	if (ph_inet == NULL
 #   ifdef USE_INET6
 	    && ph_inet6 == NULL
 #   endif
+#   if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+	    && ph_ifsync == NULL
+#   endif
 	   ) {
 		printf("pfil_head_get failed\n");
 		return ENODEV;
@@ -303,22 +343,16 @@
 				      PFIL_IN|PFIL_OUT, ph_inet);
 	else
 		error = 0;
-# else
+#  else
 	error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
 			      &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-# endif
-	if (error) {
-#  ifdef USE_INET6
+#  endif
+	if (error)
 		goto pfil_error;
-#  else
-		fr_deinitialise();
-		SPL_X(s);
-		return error;
-#  endif
-	}
 # else
 	pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
 # endif
+
 # ifdef USE_INET6
 #  if __NetBSD_Version__ >= 105110000
 	if (ph_inet6 != NULL)
@@ -329,21 +363,27 @@
 	if (error) {
 		pfil_remove_hook((void *)fr_check_wrapper6, NULL,
 				 PFIL_IN|PFIL_OUT, ph_inet6);
+		goto pfil_error;
+	}
 #  else
 	error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
 			      &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
 	if (error) {
 		pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
 				 &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
+		goto pfil_error;
+	}
 #  endif
-pfil_error:
-		fr_deinitialise();
-		SPL_X(s);
-		return error;
-	}
+# endif
+
+# if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+	if (ph_ifsync != NULL)
+		(void) pfil_add_hook((void *)ipf_pfilsync, NULL,
+				     PFIL_IFNET, ph_ifsync);
 # endif
 #endif
 
+	bzero((char *)ipfselwait, sizeof(ipfselwait));
 	bzero((char *)frcache, sizeof(frcache));
 	fr_savep = fr_checkp;
 	fr_checkp = fr_check;
@@ -363,6 +403,13 @@
 	timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT);
 #endif
 	return 0;
+
+#if __NetBSD_Version__ >= 105110000
+pfil_error:
+	fr_deinitialise();
+	SPL_X(s);
+	return error;
+#endif
 }
 
 
@@ -380,6 +427,9 @@
 #  ifdef USE_INET6
 	struct pfil_head *ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
 #  endif
+#  if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+	struct pfil_head *ph_ifsync = pfil_head_get(PFIL_TYPE_IFNET, 0);
+#  endif
 # endif
 #endif
 
@@ -403,6 +453,11 @@
 #ifdef NETBSD_PF
 # if (__NetBSD_Version__ >= 104200000)
 #  if __NetBSD_Version__ >= 105110000
+#   if defined(PFIL_TYPE_IFNET) && defined(PFIL_IFNET)
+	(void) pfil_remove_hook((void *)ipf_pfilsync, NULL,
+				PFIL_IFNET, ph_ifsync);
+#   endif
+
 	if (ph_inet != NULL)
 		error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
 					 PFIL_IN|PFIL_OUT, ph_inet);
@@ -444,8 +499,12 @@
  */
 int iplioctl(dev, cmd, data, mode
 #if (NetBSD >= 199511)
-, l)
-struct lwp *l;
+, p)
+# if  (__NetBSD_Version__ >= 399001400)
+struct lwp *p;
+# else
+struct proc *p;
+# endif
 #else
 )
 #endif
@@ -667,9 +726,13 @@
  */
 int iplopen(dev, flags
 #if (NetBSD >= 199511)
-, devtype, l)
+, devtype, p)
 int devtype;
-struct lwp *l;
+# if  (__NetBSD_Version__ >= 399001400)
+struct lwp *p;
+# else
+struct proc *p;
+# endif
 #else
 )
 #endif
@@ -688,9 +751,13 @@
 
 int iplclose(dev, flags
 #if (NetBSD >= 199511)
-, devtype, l)
+, devtype, p)
 int devtype;
-struct lwp *l;
+# if  (__NetBSD_Version__ >= 399001400)
+struct lwp *p;
+# else
+struct proc *p;
+# endif
 #else
 )
 #endif
@@ -1175,18 +1242,8 @@
 		goto bad;
 	}
 
-	/*
-	 * In case we're here due to "to <if>" being used with "keep state",
-	 * check that we're going in the correct direction.
-	 */
-	if ((fr != NULL) && (fin->fin_rev != 0)) {
-		if ((ifp != NULL) && (fdp == &fr->fr_tif))
-			return -1;
-	}
-	if (fdp != NULL) {
-		if (fdp->fd_ip.s_addr != 0)
-			dst->sin_addr = fdp->fd_ip;
-	}
+	if ((fdp != NULL) && (fdp->fd_ip.s_addr != 0))
+		dst->sin_addr = fdp->fd_ip;
 
 	dst->sin_len = sizeof(*dst);
 	rtalloc(ro);
@@ -1410,8 +1467,9 @@
 	struct ifnet *ifp;
 	frentry_t *fr;
 	u_long mtu;
-	int error = 0;
+	int error;
 
+	error = 0;
 	ro = &ip6route;
 	fr = fin->fin_fr;
 	bzero((caddr_t)ro, sizeof(*ro));
@@ -1523,7 +1581,7 @@
 #endif
 
 	ifa = ifp->if_addrlist.tqh_first;
-	sock = ifa->ifa_addr;
+	sock = ifa ? ifa->ifa_addr : NULL;
 	while (sock != NULL && ifa != NULL) {
 		sin = (struct sockaddr_in *)sock;
 		if ((v == 4) && (sin->sin_family == AF_INET))
@@ -1791,7 +1849,7 @@
 /* not been called.  Both fin_ip and fin_dp are updated before exiting _IF_ */
 /* and ONLY if the pullup succeeds.                                         */
 /*                                                                          */
-/* We assume that 'min' is a pointer to a buffer that is part of the chain  */
+/* We assume that 'xmin' is a pointer to a buffer that is part of the chain */
 /* of buffers that starts at *fin->fin_mp.                                  */
 /* ------------------------------------------------------------------------ */
 void *fr_pullup(xmin, fin, len)
@@ -1857,3 +1915,52 @@
 		fin->fin_flx |= FI_COALESCE;
 	return ip;
 }
+
+
+int iplpoll(dev, events, p)
+dev_t dev;
+int events;
+#if  (__NetBSD_Version__ >= 399001400)
+struct lwp *p;
+#else
+struct proc *p;
+#endif
+{
+	u_int xmin = GET_MINOR(dev);
+	int revents = 0;
+
+	if (IPL_LOGMAX < xmin)
+		return ENXIO;
+
+	switch (xmin)
+	{
+	case IPL_LOGIPF :
+	case IPL_LOGNAT :
+	case IPL_LOGSTATE :
+#ifdef IPFILTER_LOG
+		if ((events & (POLLIN | POLLRDNORM)) && ipflog_canread(xmin))
+			revents |= events & (POLLIN | POLLRDNORM);
+#endif
+		break;
+	case IPL_LOGAUTH :
+		if ((events & (POLLIN | POLLRDNORM)) && fr_auth_waiting())
+			revents |= events & (POLLIN | POLLRDNORM);
+		break;
+	case IPL_LOGSYNC :
+#ifdef IPFILTER_SYNC
+		if ((events & (POLLIN | POLLRDNORM)) && ipfsync_canread())
+			revents |= events & (POLLIN | POLLRDNORM);
+		if ((events & (POLLOUT | POLLWRNORM)) && ipfsync_canwrite())
+			revents |= events & (POLLOUT | POLLOUTNORM);
+#endif
+		break;
+	case IPL_LOGSCAN :
+	case IPL_LOGLOOKUP :
+	default :
+		break;
+	}
+
+	if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0))
+		selrecord(p, &ipfselwait[xmin]);
+	return revents;
+}
--- a/sys/dist/ipf/netinet/ip_frag.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_frag.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_frag.c,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_frag.c,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2003 by Darren Reed.
@@ -47,7 +47,7 @@
 # endif
 #endif
 #if !defined(__SVR4) && !defined(__svr4__)
-# if defined(_KERNEL) && !defined(__sgi)
+# if defined(_KERNEL) && !defined(__sgi) && !defined(AIX)
 #  include <sys/kernel.h>
 # endif
 #else
@@ -103,10 +103,10 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.2 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_frag.c,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 #else
 static const char sccsid[] = "@(#)ip_frag.c	1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77 2004/01/27 00:24:54 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_frag.c,v 2.77.2.5 2006/02/26 08:26:54 darrenr Exp";
 #endif
 #endif
 
@@ -231,6 +231,7 @@
 {
 	ipfr_t *fra, frag;
 	u_int idx, off;
+	frentry_t *fr;
 	ip_t *ip;
 
 	if (ipfr_inuse >= IPFT_SIZE)
@@ -242,7 +243,7 @@
 	ip = fin->fin_ip;
 
 	if (pass & FR_FRSTRICT)
-		if ((ip->ip_off & IP_OFFMASK) != 0)
+		if (fin->fin_off != 0)
 			return NULL;
 
 	frag.ipfr_p = ip->ip_p;
@@ -282,8 +283,13 @@
 		return NULL;
 	}
 
-	if ((fra->ipfr_rule = fin->fin_fr) != NULL)
-		fin->fin_fr->fr_ref++;
+	fr = fin->fin_fr;
+	fra->ipfr_rule = fr;
+	if (fr != NULL) {
+		MUTEX_ENTER(&fr->fr_lock);
+		fr->fr_ref++;
+		MUTEX_EXIT(&fr->fr_lock);
+	}
 
 	/*
 	 * Insert the fragment into the fragment table, copy the struct used
@@ -751,9 +757,7 @@
 {
 	ipfr_t	**fp, *fra;
 	nat_t	*nat;
-#if defined(USE_SPL) && defined(_KERNEL)
-	int	s;
-#endif
+	SPL_INT(s);
 
 	if (fr_frag_lock)
 		return;
@@ -819,7 +823,7 @@
 /* expectation of this being called twice per second.                       */
 /* ------------------------------------------------------------------------ */
 #if !defined(_KERNEL) || (!SOLARIS && !defined(__hpux) && !defined(__sgi) && \
-			  !defined(__osf__))
+			  !defined(__osf__) && !defined(linux))
 # if defined(_KERNEL) && ((BSD >= 199103) || defined(__sgi))
 void fr_slowtimer __P((void *ptr))
 # else
--- a/sys/dist/ipf/netinet/ip_frag.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_frag.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_frag.h,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_frag.h,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001 by Darren Reed.
@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_frag.h	1.5 3/24/96
- * Id: ip_frag.h,v 2.23.2.1 2004/03/29 16:21:56 darrenr Exp
+ * Id: ip_frag.h,v 2.23.2.2 2005/06/10 18:02:37 darrenr Exp
  */
 
 #ifndef _NETINET_IP_FRAG_H_
@@ -80,7 +80,11 @@
 extern	void	fr_slowtimer __P((void *));
 # endif
 #else
+# if defined(linux) && defined(_KERNEL)
+extern	void	fr_slowtimer __P((long));
+# else
 extern	int	fr_slowtimer __P((void));
+# endif
 #endif
 
 #endif /* _NETINET_IP_FRAG_H_ */
--- a/sys/dist/ipf/netinet/ip_ftp_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_ftp_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: ip_ftp_pxy.c,v 1.9 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_ftp_pxy.c,v 1.9.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.9 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_ftp_pxy.c,v 1.9.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 /*
  * Copyright (C) 1997-2003 by Darren Reed
@@ -11,7 +11,7 @@
  * Simple FTP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  *
- * Id: ip_ftp_pxy.c,v 2.88.2.15 2005/03/19 19:38:10 darrenr Exp
+ * Id: ip_ftp_pxy.c,v 2.88.2.19 2006/04/01 10:14:53 darrenr Exp
  */
 
 #define	IPF_FTP_PROXY
@@ -371,7 +371,7 @@
 				fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
 				ip->ip_dst = nat->nat_inip;
 			}
-			(void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
+			(void) fr_addstate(&fi, NULL, SI_W_DPORT);
 			if (fi.fin_state != NULL)
 				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
@@ -476,10 +476,10 @@
 {
 	u_int a1, a2, a3, a4, data_ip;
 	char newbuf[IPF_FTPBUFSZ];
-	char *s;
 	const char *brackets[2];
 	u_short a5, a6;
 	ftpside_t *f;
+	char *s;
 
 	if (ippr_ftp_forcepasv != 0 &&
 	    ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
@@ -733,7 +733,7 @@
 				fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
 				ip->ip_dst = nat->nat_inip;
 			}
-			(void) fr_addstate(&fi, &nat2->nat_state, sflags);
+			(void) fr_addstate(&fi, NULL, sflags);
 			if (fi.fin_state != NULL)
 				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
@@ -1032,13 +1032,14 @@
 	if (ippr_ftp_debug > 4)
 		printf("ippr_ftp_process: mlen %d\n", mlen);
 
-	if (mlen <= 0) {
-		if ((tcp->th_flags & TH_OPENING) == TH_OPENING) {
-			f->ftps_seq[0] = thseq + 1;
-			t->ftps_seq[0] = thack;
-		}
+	if ((mlen == 0) && ((tcp->th_flags & TH_OPENING) == TH_OPENING)) {
+		f->ftps_seq[0] = thseq + 1;
+		t->ftps_seq[0] = thack;
+		return 0;
+	} else if (mlen < 0) {
 		return 0;
 	}
+
 	aps = nat->nat_aps;
 
 	sel = aps->aps_sel[1 - rv];
@@ -1428,7 +1429,7 @@
 		ap += *s++ - '0';
 	}
 
-	if (!s)
+	if (!*s)
 		return 0;
 
 	if (*s == '|')
--- a/sys/dist/ipf/netinet/ip_h323_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_h323_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_h323_pxy.c,v 1.3 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_h323_pxy.c,v 1.3.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright 2001, QNX Software Systems Ltd. All Rights Reserved
@@ -34,7 +34,7 @@
 #include "opt_ipfilter.h"
 #endif
 
-__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.3 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_h323_pxy.c,v 1.3.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 #define IPF_H323_PROXY
 
@@ -254,7 +254,7 @@
 	tcp = (tcphdr_t *)fin->fin_dp;
 	ipaddr = nat->nat_inip.s_addr;
 	data = (caddr_t)tcp + (TCP_OFF(tcp) << 2);
-	datlen = ip->ip_len - fin->fin_hlen - (TCP_OFF(tcp) << 2);
+	datlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
 	if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
 		fr_info_t fi;
 		nat_t     *nat2;
--- a/sys/dist/ipf/netinet/ip_htable.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_htable.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_htable.c,v 1.3 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_htable.c,v 1.3.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -53,7 +53,7 @@
 /* END OF INCLUDES */
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_htable.c,v 2.34.2.4 2005/11/13 15:38:37 darrenr Exp";
 #endif
 
 #ifdef	IPFILTER_LOOKUP
@@ -104,8 +104,10 @@
 	int err, i, unit;
 
 	KMALLOC(iph, iphtable_t *);
-	if (iph == NULL)
+	if (iph == NULL) {
+		ipht_nomem[op->iplo_unit]++;
 		return ENOMEM;
+	}
 
 	err = COPYIN(op->iplo_struct, iph, sizeof(*iph));
 	if (err != 0) {
@@ -139,12 +141,9 @@
 					    sizeof(oiph->iph_name)) == 0)
 					break;
 		} while (oiph != NULL);
+
 		(void)strncpy(iph->iph_name, name, sizeof(iph->iph_name));
-		err = COPYOUT(iph, op->iplo_struct, sizeof(*iph));
-		if (err != 0) {
-			KFREE(iph);
-			return EFAULT;
-		}
+		(void)strncpy(op->iplo_name, name, sizeof(op->iplo_name));
 		iph->iph_type |= IPHASH_ANON;
 	}
 
@@ -386,16 +385,16 @@
 /*                                                                          */
 /* Search the hash table for a given address and return a search result.    */
 /* ------------------------------------------------------------------------ */
-int fr_iphmfindip(tptr, version, aptr)
+int fr_iphmfindip(tptr, ipversion, aptr)
 void *tptr, *aptr;
-int version;
+int ipversion;
 {
 	struct in_addr *addr;
 	iphtable_t *iph;
 	iphtent_t *ipe;
 	int rval;
 
-	if (version != 4)
+	if (ipversion != 4)
 		return -1;
 
 	if (tptr == NULL || aptr == NULL)
--- a/sys/dist/ipf/netinet/ip_ipsec_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_ipsec_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_ipsec_pxy.c,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_ipsec_pxy.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 2001-2003 by Darren Reed
@@ -8,11 +8,11 @@
  * Simple ISAKMP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  *
- * Id: ip_ipsec_pxy.c,v 2.20.2.6 2005/03/28 10:47:53 darrenr Exp
+ * Id: ip_ipsec_pxy.c,v 2.20.2.7 2005/08/20 13:48:22 darrenr Exp
  *
  */
 
-__KERNEL_RCSID(1, "$NetBSD: ip_ipsec_pxy.c,v 1.4 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_ipsec_pxy.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 #define	IPF_IPSEC_PROXY
 
@@ -99,8 +99,8 @@
 	mb_t *m;
 	ip_t *ip;
 
+	off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
 	bzero(ipsec_buffer, sizeof(ipsec_buffer));
-	off = fin->fin_hlen + sizeof(udphdr_t);
 	ip = fin->fin_ip;
 	m = fin->fin_m;
 
@@ -290,8 +290,8 @@
 	if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_flx & FI_FRAG))
 		return -1;
 
+	off = fin->fin_plen - fin->fin_dlen + fin->fin_ipoff;
 	ipsec = aps->aps_data;
-	off = fin->fin_hlen + sizeof(udphdr_t);
 	m = fin->fin_m;
 	COPYDATA(m, off, sizeof(cookies), (char *)cookies);
 
--- a/sys/dist/ipf/netinet/ip_irc_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_irc_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,11 +1,11 @@
-/*	$NetBSD: ip_irc_pxy.c,v 1.6 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_irc_pxy.c,v 1.6.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 2000-2003 Darren Reed
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_irc_pxy.c,v 2.39.2.4 2005/02/04 10:22:55 darrenr Exp
+ * Id: ip_irc_pxy.c,v 2.39.2.5 2005/12/04 23:39:27 darrenr Exp
  */
 
 #define	IPF_IRC_PROXY
--- a/sys/dist/ipf/netinet/ip_log.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_log.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,15 +1,15 @@
-/*	$NetBSD: ip_log.c,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_log.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1997-2003 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp
+ * Id: ip_log.c,v 2.75.2.11 2006/03/26 13:50:47 darrenr Exp
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_log.c,v 1.4 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_log.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 #include <sys/param.h>
 #if defined(KERNEL) || defined(_KERNEL)
@@ -71,6 +71,10 @@
 #  include <sys/dir.h>
 # endif
 # include <sys/mbuf.h>
+# include <sys/select.h>
+# if __FreeBSD_version >= 500000
+#  include <sys/selinfo.h>
+# endif
 #else
 # if !defined(__hpux) && defined(_KERNEL)
 #  include <sys/filio.h>
@@ -151,6 +155,7 @@
 # endif
 # if SOLARIS
 extern	kcondvar_t	iplwait;
+extern	struct pollhead	iplpollhead[IPL_LOGSIZE];
 # endif
 
 iplog_t	**iplh[IPL_LOGSIZE], *iplt[IPL_LOGSIZE], *ipll[IPL_LOGSIZE];
@@ -420,9 +425,7 @@
 	iplog_t *ipl;
 	size_t len;
 	int i;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-# endif
+	SPL_INT(s);
 
 	/*
 	 * Check to see if this log record has a CRC which matches the last
@@ -511,9 +514,11 @@
 # if SOLARIS && defined(_KERNEL)
 	cv_signal(&iplwait);
 	MUTEX_EXIT(&ipl_mutex);
+	pollwakeup(&iplpollhead[dev], POLLRDNORM);
 # else
 	MUTEX_EXIT(&ipl_mutex);
-	WAKEUP(iplh,dev);
+	WAKEUP(iplh, dev);
+	POLLWAKEUP(dev);
 # endif
 	SPL_X(s);
 # ifdef	IPL_SELECT
@@ -542,9 +547,7 @@
 	size_t dlen, copied;
 	int error = 0;
 	iplog_t *ipl;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-# endif
+	SPL_INT(s);
 
 	/*
 	 * Sanity checks.  Make sure the minor # is valid and we're copying
@@ -656,9 +659,7 @@
 {
 	iplog_t *ipl;
 	int used;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-# endif
+	SPL_INT(s);
 
 	SPL_NET(s);
 	MUTEX_ENTER(&ipl_mutex);
@@ -675,4 +676,19 @@
 	SPL_X(s);
 	return used;
 }
+
+
+/* ------------------------------------------------------------------------ */
+/* Function:    ipflog_canread                                              */
+/* Returns:     int    - 0 == no data to read, 1 = data present             */
+/* Parameters:  unit(I) - device we are reading from                        */
+/*                                                                          */
+/* Returns an indication of whether or not there is data present in the     */
+/* current buffer for the selected ipf device.                              */
+/* ------------------------------------------------------------------------ */
+int ipflog_canread(unit)
+int unit;
+{
+	return iplt[unit] != NULL;
+}
 #endif /* IPFILTER_LOG */
--- a/sys/dist/ipf/netinet/ip_lookup.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_lookup.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_lookup.c,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_lookup.c,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 2002-2003 by Darren Reed.
@@ -35,7 +35,7 @@
 # undef _KERNEL
 #endif
 #include <sys/socket.h>
-#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
+#if (defined(__osf__) || defined(AIX) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
 # ifdef __osf__
 #  include <net/radix.h>
 # endif
@@ -63,7 +63,7 @@
 /* END OF INCLUDES */
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.5 2004/07/06 11:16:25 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_lookup.c,v 2.35.2.8 2005/11/13 15:35:45 darrenr Exp";
 #endif
 
 #ifdef	IPFILTER_LOOKUP
@@ -137,9 +137,7 @@
 int mode;
 {
 	int err;
-# if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-# endif
+	SPL_INT(s);
 
 	mode = mode;	/* LINT */
 
@@ -370,6 +368,15 @@
 		err = EINVAL;
 		break;
 	}
+
+	/*
+	 * For anonymous pools, copy back the operation struct because in the
+	 * case of success it will contain the new table's name.
+	 */
+	if ((err == 0) && ((op.iplo_arg & IPOOL_ANON) != 0)) {
+		BCOPYOUT(&op, data, sizeof(op));
+	}
+
 	return err;
 }
 
@@ -489,7 +496,7 @@
 
 	if (err == 0) {
 		flush.iplf_count = num;
-		err = COPYOUT(&flush, data, sizeof(flush));
+		BCOPYOUT(&flush, data, sizeof(flush));
 	}
 	return err;
 }
--- a/sys/dist/ipf/netinet/ip_lookup.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_lookup.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,10 +1,10 @@
-/*	$NetBSD: ip_lookup.h,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_lookup.h,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 
 #ifndef __IP_LOOKUP_H__
 #define __IP_LOOKUP_H__
 
-#if defined(__STDC__) || defined(__GNUC__)
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
 # define	SIOCLOOKUPADDTABLE	_IOWR('r', 60, struct iplookupop)
 # define	SIOCLOOKUPDELTABLE	_IOWR('r', 61, struct iplookupop)
 # define	SIOCLOOKUPSTAT		_IOWR('r', 64, struct iplookupop)
--- a/sys/dist/ipf/netinet/ip_nat.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_nat.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_nat.c,v 1.8 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_nat.c,v 1.8.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-2003 by Darren Reed.
@@ -37,7 +37,9 @@
 #else
 # include <sys/ioctl.h>
 #endif
-#include <sys/fcntl.h>
+#if !defined(AIX)
+# include <sys/fcntl.h>
+#endif
 #if !defined(linux)
 # include <sys/protosw.h>
 #endif
@@ -107,7 +109,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.38 2005/03/28 11:09:54 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_nat.c,v 2.195.2.56 2006/04/01 10:15:34 darrenr Exp";
 #endif
 
 
@@ -186,15 +188,15 @@
 static	hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
 				    struct in_addr, struct in_addr, u_32_t));
 static	void	nat_hostmapdel __P((struct hostmap *));
-static	INLINE	int nat_icmpquerytype4 __P((int));
+static	int	nat_icmpquerytype4 __P((int));
 static	int	nat_siocaddnat __P((ipnat_t *, ipnat_t **, int));
 static	void	nat_siocdelnat __P((ipnat_t *, ipnat_t **, int));
-static	INLINE	int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
+static	int	nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *,
 				      tcphdr_t *, nat_t **, int));
-static	void	nat_resolverule __P((ipnat_t *));
+static	int	nat_resolverule __P((ipnat_t *));
 static	nat_t	*fr_natclone __P((fr_info_t *, nat_t *));
 static	void	nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *));
-static	INLINE	int nat_wildok __P((nat_t *, int, int, int, int));
+static	int	nat_wildok __P((nat_t *, int, int, int, int));
 
 
 /* ------------------------------------------------------------------------ */
@@ -799,10 +801,14 @@
 		error = appr_ioctl(data, cmd, mode);
 		break;
 	case SIOCSTLCK :
-		fr_lock(data, &fr_nat_lock);
+		if (!(mode & FWRITE)) {
+			error = EPERM;
+		} else {
+			fr_lock(data, &fr_nat_lock);
+		}
 		break;
 	case SIOCSTPUT :
-		if (fr_nat_lock) {
+		if ((mode & FWRITE) != 0) {
 			error = fr_natputent(data, getlock);
 		} else {
 			error = EACCES;
@@ -861,11 +867,8 @@
 {
 	int error = 0, i, j;
 
-	nat_resolverule(n);
-	if (n->in_plabel[0] != '\0') {
-		if (n->in_apr == NULL)
-			return ENOENT;
-	}
+	if (nat_resolverule(n) != 0)
+		return ENOENT;
 
 	if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
 		return EINVAL;
@@ -990,7 +993,7 @@
 /* from information passed to the kernel, then add it  to the appropriate   */
 /* NAT rule table(s).                                                       */
 /* ------------------------------------------------------------------------ */
-static void nat_resolverule(n)
+static int nat_resolverule(n)
 ipnat_t *n;
 {
 	n->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
@@ -1001,12 +1004,15 @@
 		(void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ);
 		n->in_ifps[1] = n->in_ifps[0];
 	} else {
-		n->in_ifps[1] = fr_resolvenic(n->in_ifnames[0], 4);
+		n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], 4);
 	}
 
 	if (n->in_plabel[0] != '\0') {
 		n->in_apr = appr_lookup(n->in_p, n->in_plabel);
+		if (n->in_apr == NULL)
+			return -1;
 	}
+	return 0;
 }
 
 
@@ -1257,18 +1263,14 @@
 caddr_t data;
 int getlock;
 {
-	nat_save_t ipn, *ipnn;
+	nat_save_t *ipn, *ipnn;
 	ap_session_t *aps;
 	nat_t *n, *nat;
 	frentry_t *fr;
-	fr_info_t fin;
+	fr_info_t *fin;
 	ipnat_t *in;
 	int error;
 
-	error = fr_inobj(data, &ipn, IPFOBJ_NATSAVE);
-	if (error != 0)
-		return error;
-
 	/*
 	 * Initialise early because of code at junkput label.
 	 */
@@ -1276,29 +1278,38 @@
 	aps = NULL;
 	nat = NULL;
 	ipnn = NULL;
+	fin = NULL;
+
+	KMALLOC(ipn, nat_save_t *);
+	if (ipn == NULL)
+		return ENOMEM;
+	error = fr_inobj(data, ipn, IPFOBJ_NATSAVE);
+	if (error != 0)
+		goto junkput;
+
 
 	/*
 	 * New entry, copy in the rest of the NAT entry if it's size is more
 	 * than just the nat_t structure.
 	 */
 	fr = NULL;
-	if (ipn.ipn_dsize > sizeof(ipn)) {
-		if (ipn.ipn_dsize > 81920) {
+	if (ipn->ipn_dsize > sizeof(*ipn)) {
+		if (ipn->ipn_dsize > 81920) {
 			error = ENOMEM;
 			goto junkput;
 		}
 
-		KMALLOCS(ipnn, nat_save_t *, ipn.ipn_dsize);
+		KMALLOCS(ipnn, nat_save_t *, ipn->ipn_dsize);
 		if (ipnn == NULL)
 			return ENOMEM;
 
-		error = fr_inobjsz(data, ipnn, IPFOBJ_NATSAVE, ipn.ipn_dsize);
+		error = fr_inobjsz(data, ipnn, IPFOBJ_NATSAVE, ipn->ipn_dsize);
 		if (error != 0) {
 			error = EFAULT;
 			goto junkput;
 		}
 	} else
-		ipnn = &ipn;
+		ipnn = ipn;
 
 	KMALLOC(nat, nat_t *);
 	if (nat == NULL) {
@@ -1334,29 +1345,55 @@
 
 		ATOMIC_INC(nat_stats.ns_rules);
 
-		nat_resolverule(in);
+		if (nat_resolverule(in) != 0) {
+			error = ESRCH;
+			goto junkput;
+		}
 	}
 
 	/*
 	 * Check that the NAT entry doesn't already exist in the kernel.
+	 *
+	 * For NAT_OUTBOUND, we're lookup for a duplicate MAP entry.  To do
+	 * this, we check to see if the inbound combination of addresses and
+	 * ports is already known.  Similar logic is applied for NAT_INBOUND.
+	 * 
 	 */
-	bzero((char *)&fin, sizeof(fin));
-	fin.fin_p = nat->nat_p;
+	KMALLOC(fin, fr_info_t *);
+	if (fin == NULL) {
+		error = ENOMEM;
+		goto junkput;
+	}
+	bzero(fin, sizeof(*fin));
+	fin->fin_p = nat->nat_p;
+	fin->fin_ifp = nat->nat_ifps[0];
 	if (nat->nat_dir == NAT_OUTBOUND) {
-		fin.fin_data[0] = ntohs(nat->nat_oport);
-		fin.fin_data[1] = ntohs(nat->nat_outport);
-		fin.fin_ifp = nat->nat_ifps[1];
-		if (nat_inlookup(&fin, 0, fin.fin_p, nat->nat_oip,
-				  nat->nat_inip) != NULL) {
+		fin->fin_data[0] = ntohs(nat->nat_oport);
+		fin->fin_data[1] = ntohs(nat->nat_outport);
+		if (getlock) {
+			READ_ENTER(&ipf_nat);
+		}
+		n = nat_inlookup(fin, nat->nat_flags, fin->fin_p,
+				 nat->nat_oip, nat->nat_inip);
+		if (getlock) {
+			RWLOCK_EXIT(&ipf_nat);
+		}
+		if (n != NULL) {
 			error = EEXIST;
 			goto junkput;
 		}
 	} else if (nat->nat_dir == NAT_INBOUND) {
-		fin.fin_data[0] = ntohs(nat->nat_outport);
-		fin.fin_data[1] = ntohs(nat->nat_oport);
-		fin.fin_ifp = nat->nat_ifps[0];
-		if (nat_outlookup(&fin, 0, fin.fin_p, nat->nat_outip,
-				 nat->nat_oip) != NULL) {
+		fin->fin_data[0] = ntohs(nat->nat_outport);
+		fin->fin_data[1] = ntohs(nat->nat_oport);
+		if (getlock) {
+			READ_ENTER(&ipf_nat);
+		}
+		n = nat_outlookup(fin, nat->nat_flags, fin->fin_p,
+				  nat->nat_outip, nat->nat_oip);
+		if (getlock) {
+			RWLOCK_EXIT(&ipf_nat);
+		}
+		if (n != NULL) {
 			error = EEXIST;
 			goto junkput;
 		}
@@ -1417,10 +1454,18 @@
 			fr->fr_ref = 1;
 			(void) fr_outobj(data, ipnn, IPFOBJ_NATSAVE);
 			bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr));
+
+			fr->fr_ref = 1;
+			fr->fr_dsize = 0;
+			fr->fr_data = NULL;
+			fr->fr_type = FR_T_NONE;
+
 			MUTEX_NUKE(&fr->fr_lock);
 			MUTEX_INIT(&fr->fr_lock, "nat-filter rule lock");
 		} else {
-			READ_ENTER(&ipf_nat);
+			if (getlock) {
+				READ_ENTER(&ipf_nat);
+			}
 			for (n = nat_instances; n; n = n->nat_next)
 				if (n->nat_fr == fr)
 					break;
@@ -1430,7 +1475,9 @@
 				fr->fr_ref++;
 				MUTEX_EXIT(&fr->fr_lock);
 			}
-			RWLOCK_EXIT(&ipf_nat);
+			if (getlock) {
+				RWLOCK_EXIT(&ipf_nat);
+			}
 
 			if (!n) {
 				error = ESRCH;
@@ -1439,8 +1486,8 @@
 		}
 	}
 
-	if (ipnn != &ipn) {
-		KFREES(ipnn, ipn.ipn_dsize);
+	if (ipnn != ipn) {
+		KFREES(ipnn, ipn->ipn_dsize);
 		ipnn = NULL;
 	}
 
@@ -1462,12 +1509,16 @@
 	error = ENOMEM;
 
 junkput:
+	if (fin != NULL)
+		KFREE(fin);
 	if (fr != NULL)
 		fr_derefrule(&fr);
 
-	if ((ipnn != NULL) && (ipnn != &ipn)) {
-		KFREES(ipnn, ipn.ipn_dsize);
+	if ((ipnn != NULL) && (ipnn != ipn)) {
+		KFREES(ipnn, ipn->ipn_dsize);
 	}
+	if (ipn != NULL)
+		KFREE(ipn);
 	if (nat != NULL) {
 		if (aps != NULL) {
 			if (aps->aps_data != NULL) {
@@ -1552,6 +1603,9 @@
 		MUTEX_EXIT(&ipf_nat_new);
 		return;
 	}
+	/*
+	 * At this point, nat_ref can be either 0 or -1
+	 */
 
 #ifdef	IPFILTER_SYNC
 	if (nat->nat_sync)
@@ -1981,8 +2035,8 @@
 	 * packet might match a different one to the previous connection but
 	 * we want the same destination to be used.
 	 */
-	if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) ==
-	    (IPN_ROUNDR|IPN_STICKY)) {
+	if (((np->in_flags & (IPN_ROUNDR|IPN_SPLIT)) != 0) &&
+	    ((np->in_flags & IPN_STICKY) != 0)) {
 		hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in,
 				 (u_32_t)dport);
 		if (hm != NULL) {
@@ -2003,7 +2057,7 @@
 		in.s_addr = np->in_nip;
 
 		if ((np->in_flags & (IPN_ROUNDR|IPN_STICKY)) == IPN_STICKY) {
-			hm = nat_hostmap(np, fin->fin_src, fin->fin_dst,
+			hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst,
 					 in, (u_32_t)dport);
 			if (hm != NULL) {
 				in.s_addr = hm->hm_mapip.s_addr;
@@ -2076,6 +2130,9 @@
 	nat->nat_inip.s_addr = htonl(in.s_addr);
 	nat->nat_outip = fin->fin_dst;
 	nat->nat_oip = fin->fin_src;
+	if ((nat->nat_hm == NULL) && ((np->in_flags & IPN_STICKY) != 0))
+		nat->nat_hm = nat_hostmap(np, fin->fin_src, fin->fin_dst, in,
+					  (u_32_t)dport);
 
 	ni->nai_sum1 = LONG_SUM(ntohl(fin->fin_daddr)) + ntohs(dport);
 	ni->nai_sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
@@ -2127,6 +2184,9 @@
 /* structure for a "MAP" rule (outgoing NAT translation); (2) deal with     */
 /* creating a new NAT structure for a "RDR" rule (incoming NAT translation) */
 /* and (3) building that structure and putting it into the NAT table(s).    */
+/*                                                                          */
+/* NOTE: natsave should NOT be used top point back to an ipstate_t struct   */
+/*       as it can result in memory being corrupted.                        */
 /* ------------------------------------------------------------------------ */
 nat_t *nat_new(fin, np, natsave, flags, direction)
 fr_info_t *fin;
@@ -2148,6 +2208,8 @@
 	qpktinfo_t *qpi = fin->fin_qpi;
 #endif
 
+	memset(&ni, 0, sizeof ni);	/* XXX gcc */
+
 	if (nat_stats.ns_inuse >= ipf_nattable_max) {
 		nat_stats.ns_memfail++;
 		return NULL;
@@ -2220,6 +2282,7 @@
 		natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p,
 				     fin->fin_src, fin->fin_dst);
 		if (natl != NULL) {
+			KFREE(nat);
 			nat = natl;
 			goto done;
 		}
@@ -2237,6 +2300,7 @@
 		natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p,
 				    fin->fin_src, fin->fin_dst);
 		if (natl != NULL) {
+			KFREE(nat);
 			nat = natl;
 			goto done;
 		}
@@ -2337,7 +2401,7 @@
 /* for both IPv4 and IPv6.                                                  */
 /* ------------------------------------------------------------------------ */
 /*ARGSUSED*/
-static INLINE int nat_finalise(fin, nat, ni, tcp, natsave, direction)
+static int nat_finalise(fin, nat, ni, tcp, natsave, direction)
 fr_info_t *fin;
 nat_t *nat;
 natinfo_t *ni;
@@ -2350,7 +2414,12 @@
 
 	np = ni->nai_np;
 
-	COPYIFNAME(fin->fin_ifp, nat->nat_ifnames[0]);
+	if (np->in_ifps[0] != NULL) {
+		COPYIFNAME(np->in_ifps[0], nat->nat_ifnames[0]);
+	}
+	if (np->in_ifps[1] != NULL) {
+		COPYIFNAME(np->in_ifps[1], nat->nat_ifnames[1]);
+	}
 #ifdef	IPFILTER_SYNC
 	if ((nat->nat_flags & SI_CLONE) == 0)
 		nat->nat_sync = ipfsync_new(SMC_NAT, fin, nat);
@@ -2358,12 +2427,11 @@
 
 	nat->nat_me = natsave;
 	nat->nat_dir = direction;
-	nat->nat_ifps[0] = fin->fin_ifp;
+	nat->nat_ifps[0] = np->in_ifps[0];
+	nat->nat_ifps[1] = np->in_ifps[1];
 	nat->nat_ptr = np;
 	nat->nat_p = fin->fin_p;
 	nat->nat_mssclamp = np->in_mssclamp;
-	fr = fin->fin_fr;
-	nat->nat_fr = fr;
 
 	if ((np->in_apr != NULL) && ((ni->nai_flags & NAT_SLAVE) == 0))
 		if (appr_new(fin, nat) == -1)
@@ -2373,6 +2441,8 @@
 		if (nat_logging)
 			nat_log(nat, (u_int)np->in_redir);
 		np->in_use++;
+		fr = fin->fin_fr;
+		nat->nat_fr = fr;
 		if (fr != NULL) {
 			MUTEX_ENTER(&fr->fr_lock);
 			fr->fr_ref++;
@@ -2445,7 +2515,7 @@
 	nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0';
 	nat->nat_ifps[0] = fr_resolvenic(nat->nat_ifnames[0], 4);
 
-	if (nat->nat_ifnames[1][0] !='\0') {
+	if (nat->nat_ifnames[1][0] != '\0') {
 		nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0';
 		nat->nat_ifps[1] = fr_resolvenic(nat->nat_ifnames[1], 4);
 	} else {
@@ -2514,8 +2584,7 @@
 	 * Only a basic IP header (no options) should be with an ICMP error
 	 * header.  Also, if it's not an error type, then return.
 	 */
-	if ((fin->fin_hlen != sizeof(ip_t)) ||
-	    !fr_icmp4errortype(type))
+	if ((fin->fin_hlen != sizeof(ip_t)) || !(fin->fin_flx & FI_ICMPERR))
 		return NULL;
 
 	/*
@@ -2794,8 +2863,9 @@
 		 *
 		 * Since the port fields are part of the TCP/UDP checksum
 		 * of the offending IP packet, you need to adjust that checksum
-		 * as well... but, if you change, you must change the icmp
-		 * checksum *again*, to reflect that change.
+		 * as well... except that the change in the port numbers should 
+		 * be offset by the checksum change, so we only need to change  
+		 * the ICMP checksum if we only change the ports.
 		 *
 		 * To further complicate: the TCP checksum is not in the first
 		 * 8 bytes of the offending ip packet, so it most likely is not
@@ -2830,21 +2900,14 @@
 			 * The UDP checksum is optional, only adjust it if
 			 * it has been set.
 			 */
-			if ((oip->ip_p == IPPROTO_UDP) &&
-			    (dlen >= 8) && (*csump != 0)) {
+			if (oip->ip_p == IPPROTO_UDP) {
 				sumd = sum1 - sum2;
-				sumd2 += sumd;
-
-				sum1 = ntohs(*csump);
-				fix_datacksum(csump, sumd);
-				sum2 = ntohs(*csump);
-
-				/*
-				 * Fix ICMP checksum to compenstate
-				 * UDP checksum adjustment.
-				 */
-				CALC_SUMD(sum1, sum2, sumd);
-				sumd2 += sumd;
+
+				if ((dlen >= 8) && (*csump != 0)) {
+					fix_datacksum(csump, sumd);
+				} else {
+					sumd2 += sumd;
+				}
 			}
 
 			/*
@@ -2853,20 +2916,10 @@
 			 * the other direction compared to the ICMP message.
 			 */
 			if (oip->ip_p == IPPROTO_TCP) {
+				sumd = sum1 - sum2;
+
 				if (dlen >= 18) {
-					sumd = sum1 - sum2;
-					sumd2 += sumd;
-
-					sum1 = ntohs(*csump);
 					fix_datacksum(csump, sumd);
-					sum2 = ntohs(*csump);
-
-					/*
-					 * Fix ICMP checksum to compensate
-					 * TCP checksum adjustment.
-					 */
-					CALC_SUMD(sum1, sum2, sumd);
-					sumd2 += sumd;
 				} else {
 					sumd = sum2 - sum1 + 1;
 					sumd2 += sumd;
@@ -2886,21 +2939,14 @@
 			 * The UDP checksum is optional, only adjust
 			 * it if it has been set.
 			 */
-			if ((oip->ip_p == IPPROTO_UDP) &&
-			    (dlen >= 8) && (*csump != 0)) {
+			if (oip->ip_p == IPPROTO_UDP) {
 				sumd = sum1 - sum2;
-				sumd2 += sumd;
-
-				sum1 = ntohs(*csump);
-				fix_datacksum(csump, sumd);
-				sum2 = ntohs(*csump);
-
-				/*
-				 * Fix ICMP checksum to compensate
-				 * UDP checksum adjustment.
-				 */
-				CALC_SUMD(sum1, sum2, sumd);
-				sumd2 += sumd;
+
+				if ((dlen >= 8) && (*csump != 0)) {
+					fix_datacksum(csump, sumd);
+				} else {
+					sumd2 += sumd;
+				}
 			}
 
 			/*
@@ -2909,20 +2955,10 @@
 			 * the other direction compared to the ICMP message.
 			 */
 			if (oip->ip_p == IPPROTO_TCP) {
+				sumd = sum1 - sum2;
+
 				if (dlen >= 18) {
-					sumd = sum1 - sum2;
-					sumd2 += sumd;
-
-					sum1 = ntohs(*csump);
 					fix_datacksum(csump, sumd);
-					sum2 = ntohs(*csump);
-
-					/*
-					 * Fix ICMP checksum to compensate
-					 * TCP checksum adjustment.
-					 */
-					CALC_SUMD(sum1, sum2, sumd);
-					sumd2 += sumd;
 				} else {
 					if (nat->nat_dir == NAT_INBOUND)
 						sumd = sum2 - sum1;
@@ -3015,10 +3051,7 @@
 	void *ifp;
 	u_int hv;
 
-	if (fin != NULL)
-		ifp = fin->fin_ifp;
-	else
-		ifp = NULL;
+	ifp = fin->fin_ifp;
 	sport = 0;
 	dport = 0;
 	gre = NULL;
@@ -3050,18 +3083,14 @@
 	hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz);
 	nat = nat_table[1][hv];
 	for (; nat; nat = nat->nat_hnext[1]) {
+		if (nat->nat_ifps[0] != NULL) {
+			if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
+				continue;
+		} else if (ifp != NULL)
+			nat->nat_ifps[0] = ifp;
+
 		nflags = nat->nat_flags;
 
-		if (ifp != NULL) {
-			if (nat->nat_dir == NAT_REDIRECT) {
-				if (ifp != nat->nat_ifps[0])
-					continue;
-			} else {
-				if (ifp != nat->nat_ifps[1])
-					continue;
-			}
-		}
-
 		if (nat->nat_oip.s_addr == src.s_addr &&
 		    nat->nat_outip.s_addr == dst &&
 		    (((p == 0) &&
@@ -3125,15 +3154,11 @@
 
 	nat = nat_table[1][hv];
 	for (; nat; nat = nat->nat_hnext[1]) {
-		if (ifp != NULL) {
-			if (nat->nat_dir == NAT_REDIRECT) {
-				if (ifp != nat->nat_ifps[0])
-					continue;
-			} else {
-				if (ifp != nat->nat_ifps[1])
-					continue;
-			}
-		}
+		if (nat->nat_ifps[0] != NULL) {
+			if ((ifp != NULL) && (ifp != nat->nat_ifps[0]))
+				continue;
+		} else if (ifp != NULL)
+			nat->nat_ifps[0] = ifp;
 
 		if (nat->nat_p != fin->fin_p)
 			continue;
@@ -3300,18 +3325,14 @@
 	hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz);
 	nat = nat_table[0][hv];
 	for (; nat; nat = nat->nat_hnext[0]) {
+		if (nat->nat_ifps[1] != NULL) {
+			if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
+				continue;
+		} else if (ifp != NULL)
+			nat->nat_ifps[1] = ifp;
+
 		nflags = nat->nat_flags;
 
-		if (ifp != NULL) {
-			if (nat->nat_dir == NAT_REDIRECT) {
-				if (ifp != nat->nat_ifps[1])
-					continue;
-			} else {
-				if (ifp != nat->nat_ifps[0])
-					continue;
-			}
-		}
-
 		if (nat->nat_inip.s_addr == srcip &&
 		    nat->nat_oip.s_addr == dst.s_addr &&
 		    (((p == 0) && (sflags == (nflags & NAT_TCPUDPICMP)))
@@ -3365,15 +3386,11 @@
 
 	nat = nat_table[0][hv];
 	for (; nat; nat = nat->nat_hnext[0]) {
-		if (ifp != NULL) {
-			if (nat->nat_dir == NAT_REDIRECT) {
-				if (ifp != nat->nat_ifps[1])
-					continue;
-			} else {
-				if (ifp != nat->nat_ifps[0])
-					continue;
-			}
-		}
+		if (nat->nat_ifps[1] != NULL) {
+			if ((ifp != NULL) && (ifp != nat->nat_ifps[1]))
+				continue;
+		} else if (ifp != NULL)
+			nat->nat_ifps[1] = ifp;
 
 		if (nat->nat_p != fin->fin_p)
 			continue;
@@ -3422,6 +3439,16 @@
 /*                      entry for.                                          */
 /*                                                                          */
 /* Lookup the NAT tables to search for a matching redirect                  */
+/* The contents of natlookup_t should imitate those found in a packet that  */
+/* would be translated - ie a packet coming in for RDR or going out for MAP.*/
+/* We can do the lookup in one of two ways, imitating an inbound or         */
+/* outbound  packet.  By default we assume outbound, unless IPN_IN is set.  */
+/* For IN, the fields are set as follows:                                   */
+/*     nl_real* = source information                                        */
+/*     nl_out* = destination information (translated)                       */
+/* For an out packet, the fields are set like this:                         */
+/*     nl_in* = source information (untranslated)                           */
+/*     nl_out* = destination information (translated)                       */
 /* ------------------------------------------------------------------------ */
 nat_t *nat_lookupredir(np)
 natlookup_t *np;
@@ -3683,7 +3710,7 @@
 		hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
 		for (np = nat_rules[hv]; np; np = np->in_mnext)
 		{
-			if ((np->in_ifps[0] && (np->in_ifps[0] != ifp)))
+			if ((np->in_ifps[1] && (np->in_ifps[1] != ifp)))
 				continue;
 			if (np->in_v != fin->fin_v)
 				continue;
@@ -3805,8 +3832,15 @@
 			CALC_SUMD(s1, s2, sumd);
 			fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd);
 		}
-#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(linux)
+#if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || \
+    defined(linux) || defined(BRIDGE_IPF)
 		else {
+			/*
+			 * Strictly speaking, this isn't necessary on BSD
+			 * kernels because they do checksum calculation after
+			 * this code has run BUT if ipfilter is being used
+			 * to do NAT as a bridge, that code doesn't exist.
+			 */
 			if (nat->nat_dir == NAT_OUTBOUND)
 				fix_outcksum(fin, &fin->fin_ip->ip_sum,
 					     nat->nat_ipsumd);
@@ -4315,10 +4349,8 @@
 {
 	ipftq_t *ifq, *ifqnext;
 	ipftqent_t *tqe, *tqn;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-#endif
 	int i;
+	SPL_INT(s);
 
 	SPL_NET(s);
 	WRITE_ENTER(&ipf_nat);
@@ -4372,9 +4404,7 @@
 	ipnat_t *n;
 	nat_t *nat;
 	void *ifp2;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-#endif
+	SPL_INT(s);
 
 	if (fr_running <= 0)
 		return;
@@ -4456,7 +4486,7 @@
 /* Tests to see if the ICMP type number passed is a query/response type or  */
 /* not.                                                                     */
 /* ------------------------------------------------------------------------ */
-static INLINE int nat_icmpquerytype4(icmptype)
+static int nat_icmpquerytype4(icmptype)
 int icmptype;
 {
 
@@ -4609,9 +4639,20 @@
 
 	MUTEX_NUKE(&clone->nat_lock);
 
+	clone->nat_aps = NULL;
+	/*
+	 * Initialize all these so that nat_delete() doesn't cause a crash.
+	 */
+	clone->nat_tqe.tqe_pnext = NULL;
+	clone->nat_tqe.tqe_next = NULL;
+	clone->nat_tqe.tqe_ifq = NULL;
+	clone->nat_tqe.tqe_parent = clone;
+
 	clone->nat_flags &= ~SI_CLONE;
 	clone->nat_flags |= SI_CLONED;
 
+	if (clone->nat_hm)
+		clone->nat_hm->hm_ref++;
 
 	if (nat_insert(clone, fin->fin_rev) == -1) {
 		KFREE(clone);
@@ -4630,14 +4671,13 @@
 		MUTEX_EXIT(&fr->fr_lock);
 	}
 
-
 	/*
 	 * Because the clone is created outside the normal loop of things and
 	 * TCP has special needs in terms of state, initialise the timeout
 	 * state of the new NAT from here.
 	 */
 	if (clone->nat_p == IPPROTO_TCP) {
-		(void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb, \
+		(void) fr_tcp_age(&clone->nat_tqe, fin, nat_tqb,
 				  clone->nat_flags);
 	}
 #ifdef	IPFILTER_SYNC
@@ -4662,7 +4702,7 @@
 /* Use NAT entry and packet direction to determine which combination of     */
 /* wildcard flags should be used.                                           */
 /* ------------------------------------------------------------------------ */
-static INLINE int nat_wildok(nat, sport, dport, flags, dir)
+static int nat_wildok(nat, sport, dport, flags, dir)
 nat_t *nat;
 int sport;
 int dport;
--- a/sys/dist/ipf/netinet/ip_nat.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_nat.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_nat.h,v 1.6 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_nat.h,v 1.6.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-2001, 2003 by Darren Reed.
@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_nat.h	1.5 2/4/96
- * Id: ip_nat.h,v 2.90.2.9 2005/03/28 11:09:55 darrenr Exp
+ * Id: ip_nat.h,v 2.90.2.11 2005/06/18 02:41:32 darrenr Exp
  */
 
 #ifndef	__IP_NAT_H__
@@ -16,18 +16,16 @@
 #define	SOLARIS	(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
 
-#if defined(__STDC__) || defined(__GNUC__)
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
 #define	SIOCADNAT	_IOW('r', 60, struct ipfobj)
 #define	SIOCRMNAT	_IOW('r', 61, struct ipfobj)
 #define	SIOCGNATS	_IOWR('r', 62, struct ipfobj)
 #define	SIOCGNATL	_IOWR('r', 63, struct ipfobj)
-#define	SIOCPROXY	_IOWR('r', 64, struct ap_control)
 #else
 #define	SIOCADNAT	_IOW(r, 60, struct ipfobj)
 #define	SIOCRMNAT	_IOW(r, 61, struct ipfobj)
 #define	SIOCGNATS	_IOWR(r, 62, struct ipfobj)
 #define	SIOCGNATL	_IOWR(r, 63, struct ipfobj)
-#define	SIOCPROXY	_IOWR(r, 64, struct ap_control)
 #endif
 
 #undef	LARGE_NAT	/* define	this if you're setting up a system to NAT
@@ -297,6 +295,7 @@
 } natget_t;
 
 
+#undef	tr_flags
 typedef	struct	nattrpnt	{
 	struct	in_addr	tr_dstip;	/* real destination IP# */
 	struct	in_addr	tr_srcip;	/* real source IP# */
--- a/sys/dist/ipf/netinet/ip_netbios_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_netbios_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,9 +1,9 @@
-/*	$NetBSD: ip_netbios_pxy.c,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_netbios_pxy.c,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Simple netbios-dgm transparent proxy for in-kernel use.
  * For use with the NAT code.
- * Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
+ * Id: ip_netbios_pxy.c,v 2.8.2.1 2005/08/20 13:48:23 darrenr Exp
  */
 
 /*-
@@ -31,10 +31,10 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * Id: ip_netbios_pxy.c,v 2.8 2003/12/01 02:52:16 darrenr Exp
+ * Id: ip_netbios_pxy.c,v 2.8.2.1 2005/08/20 13:48:23 darrenr Exp
  */
 
-__KERNEL_RCSID(1, "$NetBSD: ip_netbios_pxy.c,v 1.2 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_netbios_pxy.c,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 #define	IPF_NETBIOS_PROXY
 
@@ -84,19 +84,17 @@
 	aps = aps;	/* LINT */
 	nat = nat;	/* LINT */
 
-	ip = fin->fin_ip;
-	m = *(mb_t **)fin->fin_mp;
-	off = fin->fin_hlen + sizeof(udphdr_t);
-	dlen = M_LEN(m);
-	dlen -= off;
-
+	m = fin->fin_m;
+	dlen = fin->fin_dlen - sizeof(*udp);
 	/*
 	 * no net bios datagram could possibly be shorter than this
 	 */
 	if (dlen < 11)
 		return 0;
 
+	ip = fin->fin_ip;
 	udp = (udphdr_t *)fin->fin_dp;
+	off = (char *)udp - (char *)ip + sizeof(*udp) + fin->fin_ipoff;
 
 	/*
 	 * move past the
--- a/sys/dist/ipf/netinet/ip_pool.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_pool.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_pool.c,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_pool.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -55,7 +55,8 @@
 # include <sys/malloc.h>
 #endif
 
-#if (defined(__osf__) || defined(__hpux) || defined(__sgi)) && defined(_KERNEL)
+#if defined(_KERNEL) && (defined(__osf__) || defined(AIX) || \
+     defined(__hpux) || defined(__sgi))
 # ifdef __osf__
 #  include <net/radix.h>
 # endif
@@ -79,7 +80,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.12 2005/02/01 04:04:46 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_pool.c,v 2.55.2.15 2005/11/13 15:38:37 darrenr Exp";
 #endif
 
 #ifdef IPFILTER_LOOKUP
@@ -356,11 +357,9 @@
 addrfamily_t *addr, *mask;
 {
 	struct radix_node *n;
-#ifdef USE_SPL
-	int s;
+	SPL_INT(s);
 
 	SPL_NET(s);
-#endif
 	RADIX_NODE_HEAD_LOCK(ipo->ipo_head);
 	n = ipo->ipo_head->rnh_lookup(addr, mask, ipo->ipo_head);
 	RADIX_NODE_HEAD_UNLOCK(ipo->ipo_head);
@@ -373,14 +372,14 @@
 /* Function:    ip_pool_search                                              */
 /* Returns:     int     - 0 == +ve match, -1 == error, 1 == -ve/no match    */
 /* Parameters:  tptr(I)    - pointer to the pool to search                  */
-/*              version(I) - IP protocol version (4 or 6)                   */
+/*              ipversion(I) - IP protocol version (4 or 6)                   */
 /*              dptr(I)    - pointer to address information                 */
 /*                                                                          */
 /* Search the pool for a given address and return a search result.          */
 /* ------------------------------------------------------------------------ */
-int ip_pool_search(tptr, version, dptr)
+int ip_pool_search(tptr, ipversion, dptr)
 void *tptr;
-int version;
+int ipversion;
 void *dptr;
 {
 	struct radix_node *rn;
@@ -400,11 +399,11 @@
 	bzero(&v, sizeof(v));
 	v.adf_len = offsetof(addrfamily_t, adf_addr);
 
-	if (version == 4) {
+	if (ipversion == 4) {
 		v.adf_len += sizeof(addr->in4);
 		v.adf_addr.in4 = addr->in4;
 #ifdef USE_INET6
-	} else if (version == 6) {
+	} else if (ipversion == 6) {
 		v.adf_len += sizeof(addr->in6);
 		v.adf_addr.in6 = addr->in6;
 #endif
@@ -550,6 +549,7 @@
 		}
 
 		(void)strncpy(h->ipo_name, name, sizeof(h->ipo_name));
+		(void)strncpy(op->iplo_name, name, sizeof(op->iplo_name));
 	} else {
 		(void) strncpy(h->ipo_name, op->iplo_name, sizeof(h->ipo_name));
 	}
--- a/sys/dist/ipf/netinet/ip_pool.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_pool.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,18 +1,18 @@
-/*	$NetBSD: ip_pool.h,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_pool.h,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_pool.h,v 2.26.2.2 2004/03/23 12:44:34 darrenr Exp
+ * Id: ip_pool.h,v 2.26.2.3 2005/06/12 07:18:27 darrenr Exp
  */
 
 #ifndef	__IP_POOL_H__
 #define	__IP_POOL_H__
 
 #if defined(_KERNEL) && !defined(__osf__) && !defined(__hpux) && \
-    !defined(linux) && !defined(sun)
+    !defined(linux) && !defined(sun) && !defined(AIX)
 # include <net/radix.h>
 extern void rn_freehead __P((struct radix_node_head *));
 # define FreeS(p, z)		KFREES(p, z)
--- a/sys/dist/ipf/netinet/ip_pptp_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_pptp_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_pptp_pxy.c,v 1.5 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_pptp_pxy.c,v 1.5.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 2002-2003 by Darren Reed
@@ -6,7 +6,7 @@
  * Simple PPTP transparent proxy for in-kernel use.  For use with the NAT
  * code.
  *
- * Id: ip_pptp_pxy.c,v 2.10.2.9 2005/03/16 18:17:34 darrenr Exp
+ * Id: ip_pptp_pxy.c,v 2.10.2.13 2006/03/17 10:40:05 darrenr Exp
  *
  */
 #define	IPF_PPTP_PROXY
@@ -89,15 +89,14 @@
 	pptp_pxy_t *pptp;
 	ipnat_t *ipn;
 	ip_t *ip;
-	int off;
 
 	ip = fin->fin_ip;
-	off = fin->fin_hlen + sizeof(udphdr_t);
 
 	if (nat_outlookup(fin, 0, IPPROTO_GRE, nat->nat_inip,
 			  ip->ip_dst) != NULL) {
 		if (ippr_pptp_debug > 0)
-			printf("ippr_pptp_new: GRE session already exists\n");
+			printf("ippr_pptp_new: GRE session %s\n",
+			       "already exists");
 		return -1;
 	}
 
@@ -105,7 +104,8 @@
 	KMALLOCS(aps->aps_data, pptp_pxy_t *, sizeof(*pptp));
 	if (aps->aps_data == NULL) {
 		if (ippr_pptp_debug > 0)
-			printf("ippr_pptp_new: malloc for aps_data failed\n");
+			printf("ippr_pptp_new: malloc for aps_data %s\n",
+			       "failed");
 		return -1;
 	}
 
@@ -212,10 +212,12 @@
 		RWLOCK_EXIT(&ipf_state);
 	} else {
 		RWLOCK_EXIT(&ipf_state);
-		if (nat->nat_dir == NAT_INBOUND)
-			fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr;
-		else
-			fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr;
+		if (nat2 != NULL) {
+			if (nat->nat_dir == NAT_INBOUND)
+				fi.fin_fi.fi_daddr = nat2->nat_inip.s_addr;
+			else
+				fi.fin_fi.fi_saddr = nat2->nat_inip.s_addr;
+		}
 		fi.fin_ifp = NULL;
 		pptp->pptp_state = fr_addstate(&fi, &pptp->pptp_state,
 					       0);
--- a/sys/dist/ipf/netinet/ip_proxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_proxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_proxy.c,v 1.8 2005/12/28 09:29:48 christos Exp $	*/
+/*	$NetBSD: ip_proxy.c,v 1.8.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1997-2003 by Darren Reed.
@@ -16,7 +16,9 @@
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/file.h>
-#include <sys/fcntl.h>
+#if !defined(AIX)
+# include <sys/fcntl.h>
+#endif
 #if !defined(_KERNEL) && !defined(__KERNEL__)
 # include <stdio.h>
 # include <string.h>
@@ -35,7 +37,8 @@
 #include <sys/socket.h>
 #if defined(_KERNEL)
 # if !defined(__NetBSD__) && !defined(sun) && !defined(__osf__) && \
-     !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi)
+     !defined(__OpenBSD__) && !defined(__hpux) && !defined(__sgi) && \
+     !defined(AIX)
 #  include <sys/ctype.h>
 # endif
 # include <sys/systm.h>
@@ -94,9 +97,6 @@
 # include "netinet/ip_irc_pxy.c"
 # include "netinet/ip_raudio_pxy.c"
 # include "netinet/ip_h323_pxy.c"
-# ifdef	IPFILTER_PRO
-#  include "netinet/ip_msnrpc_pxy.c"
-# endif
 # include "netinet/ip_netbios_pxy.c"
 #endif
 #include "netinet/ip_ipsec_pxy.c"
@@ -105,7 +105,7 @@
 /* END OF INCLUDES */
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.12 2005/03/03 14:28:24 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_proxy.c,v 2.62.2.16 2006/03/29 11:19:56 darrenr Exp";
 #endif
 
 #ifdef INET
@@ -125,7 +125,7 @@
 aproxy_t	ap_proxies[] = {
 #ifdef	IPF_FTP_PROXY
 	{ NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, ippr_ftp_fini,
-	  ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL },
+	  ippr_ftp_new, NULL, ippr_ftp_in, ippr_ftp_out, NULL, NULL },
 #endif
 #ifdef	IPF_IRC_PROXY
 	{ NULL, "irc", (char)IPPROTO_TCP, 0, 0, ippr_irc_init, ippr_irc_fini,
@@ -159,9 +159,9 @@
 #endif
 #ifdef  IPF_H323_PROXY
 	{ NULL, "h323", (char)IPPROTO_TCP, 0, 0, ippr_h323_init, ippr_h323_fini,
-	  ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL },
+	  ippr_h323_new, ippr_h323_del, ippr_h323_in, NULL, NULL, NULL },
 	{ NULL, "h245", (char)IPPROTO_TCP, 0, 0, NULL, NULL,
-	  ippr_h245_new, NULL, NULL, ippr_h245_out, NULL },
+	  ippr_h245_new, NULL, NULL, ippr_h245_out, NULL, NULL },
 #endif
 #ifdef	IPF_RPCB_PROXY
 # if 0
@@ -173,7 +173,7 @@
 	  ippr_rpcb_init, ippr_rpcb_fini, ippr_rpcb_new, ippr_rpcb_del,
 	  ippr_rpcb_in, ippr_rpcb_out, NULL, NULL },
 #endif
-	{ NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL }
+	{ NULL, "", '\0', 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
 };
 
 /*
@@ -327,8 +327,7 @@
 		if (error == 0)
 			error = appr_ctl(&ctl);
 
-		if ((ctl.apc_dsize > 0) && (ptr != NULL) &&
-		    (ctl.apc_data == ptr)) {
+		if (ptr != NULL) {
 			KFREES(ptr, ctl.apc_dsize);
 		}
 		break;
@@ -567,8 +566,8 @@
 		if (err != 0) {
 			short adjlen = err & 0xffff;
 
-			s1 = LONG_SUM(ip->ip_len - adjlen);
-			s2 = LONG_SUM(ip->ip_len);
+			s1 = LONG_SUM(fin->fin_plen - adjlen);
+			s2 = LONG_SUM(fin->fin_plen);
 			CALC_SUMD(s1, s2, sd);
 			fix_outcksum(fin, &ip->ip_sum, sd);
 		}
@@ -589,19 +588,23 @@
 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
 			if (dosum)
 				tcp->th_sum = fr_cksum(fin->fin_qfm, ip,
-						       IPPROTO_TCP, tcp);
+						       IPPROTO_TCP, tcp,
+						       fin->fin_plen);
 #else
 			tcp->th_sum = fr_cksum(fin->fin_m, ip,
-					       IPPROTO_TCP, tcp);
+					       IPPROTO_TCP, tcp,
+					       fin->fin_plen);
 #endif
 		} else if ((udp != NULL) && (udp->uh_sum != 0)) {
 #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
 			if (dosum)
 				udp->uh_sum = fr_cksum(fin->fin_qfm, ip,
-						       IPPROTO_UDP, udp);
+						       IPPROTO_UDP, udp,
+						       fin->fin_plen);
 #else
 			udp->uh_sum = fr_cksum(fin->fin_m, ip,
-					       IPPROTO_UDP, udp);
+					       IPPROTO_UDP, udp,
+					       fin->fin_plen);
 #endif
 		}
 #endif
@@ -694,9 +697,9 @@
 	tcp = (tcphdr_t *)fin->fin_dp;
 	out = fin->fin_out;
 	/*
-	 * ip_len has already been adjusted by 'inc'.
+	 * fin->fin_plen has already been adjusted by 'inc'.
 	 */
-	nlen = ip->ip_len;
+	nlen = fin->fin_plen;
 	nlen -= (IP_HL(ip) << 2) + (TCP_OFF(tcp) << 2);
 
 	inc2 = inc;
--- a/sys/dist/ipf/netinet/ip_proxy.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_proxy.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,11 +1,11 @@
-/*	$NetBSD: ip_proxy.h,v 1.3 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_proxy.h,v 1.3.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1997-2001 by Darren Reed.
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_proxy.h,v 2.31.2.2 2005/03/12 19:33:48 darrenr Exp
+ * Id: ip_proxy.h,v 2.31.2.3 2005/06/18 02:41:33 darrenr Exp
  */
 
 #ifndef _NETINET_IP_PROXY_H_
@@ -15,6 +15,12 @@
 #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
 
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
+#define	SIOCPROXY	_IOWR('r', 64, struct ap_control)
+#else
+#define	SIOCPROXY	_IOWR(r, 64, struct ap_control)
+#endif
+
 #ifndef	APR_LABELLEN
 #define	APR_LABELLEN	16
 #endif
@@ -22,15 +28,16 @@
 
 struct	nat;
 struct	ipnat;
+struct	ipstate;
 
 typedef	struct	ap_tcp {
 	u_short	apt_sport;	/* source port */
 	u_short	apt_dport;	/* destination port */
 	short	apt_sel[2];	/* {seq,ack}{off,min} set selector */
 	short	apt_seqoff[2];	/* sequence # difference */
-	tcp_seq	apt_seqmin[2];	/* don't change seq-off until after this */
+	u_32_t	apt_seqmin[2];	/* don't change seq-off until after this */
 	short	apt_ackoff[2];	/* sequence # difference */
-	tcp_seq	apt_ackmin[2];	/* don't change seq-off until after this */
+	u_32_t	apt_ackmin[2];	/* don't change seq-off until after this */
 	u_char	apt_state[2];	/* connection state */
 } ap_tcp_t;
 
@@ -197,7 +204,7 @@
 	u_32_t	rap_sbf;	/* flag to indicate which of the 19 bytes have
 				 * been filled
 				 */
-	tcp_seq	rap_sseq;
+	u_32_t	rap_sseq;
 } raudio_t;
 
 #define	RA_ID_END	0
@@ -233,7 +240,7 @@
 	int		ipsc_rckset;
 	ipnat_t		ipsc_rule;
 	nat_t		*ipsc_nat;
-	ipstate_t	*ipsc_state;
+	struct ipstate	*ipsc_state;
 } ipsec_pxy_t;
 
 /*
@@ -253,7 +260,7 @@
 typedef	struct pptp_pxy {
 	ipnat_t		pptp_rule;
 	nat_t		*pptp_nat;
-	ipstate_t	*pptp_state;
+	struct ipstate	*pptp_state;
 	u_short		pptp_call[2];
 	pptp_side_t	pptp_side[2];
 } pptp_pxy_t;
--- a/sys/dist/ipf/netinet/ip_rcmd_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_rcmd_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,14 +1,14 @@
-/*	$NetBSD: ip_rcmd_pxy.c,v 1.7 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_rcmd_pxy.c,v 1.7.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: ip_rcmd_pxy.c,v 1.7 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(1, "$NetBSD: ip_rcmd_pxy.c,v 1.7.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 
 /*
  * Copyright (C) 1998-2003 by Darren Reed
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Id: ip_rcmd_pxy.c,v 1.41.2.4 2005/02/04 10:22:55 darrenr Exp
+ * Id: ip_rcmd_pxy.c,v 1.41.2.6 2006/04/01 10:14:54 darrenr Exp
  *
  * Simple RCMD transparent proxy for in-kernel use.  For use with the NAT
  * code.
@@ -156,6 +156,8 @@
 	 * other way.
 	 */
 	bcopy((char *)fin, (char *)&fi, sizeof(fi));
+	fi.fin_state = NULL;
+	fi.fin_nat = NULL;
 	fi.fin_flx |= FI_IGNORE;
 	fi.fin_data[0] = sp;
 	fi.fin_data[1] = 0;
@@ -205,7 +207,7 @@
 				fi.fin_fi.fi_daddr = nat->nat_inip.s_addr;
 				ip->ip_dst = nat->nat_inip;
 			}
-			(void) fr_addstate(&fi, &nat2->nat_state, SI_W_DPORT);
+			(void) fr_addstate(&fi, NULL, SI_W_DPORT);
 			if (fi.fin_state != NULL)
 				fr_statederef(&fi, (ipstate_t **)&fi.fin_state);
 		}
--- a/sys/dist/ipf/netinet/ip_rpcb_pxy.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_rpcb_pxy.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_rpcb_pxy.c,v 1.7 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_rpcb_pxy.c,v 1.7.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 2002-2003 by Ryan Beasley <ryanb@goddamnbastard.org>
@@ -286,6 +286,8 @@
 	int rv, diff;
 	mb_t *m;
 
+	rx = NULL;	/* XXX gcc */
+
 	/* Disallow fragmented or illegally short packets. */
 	if ((fin->fin_flx & (FI_FRAG|FI_SHORT)) != 0)
 		return(APR_ERR(1));
@@ -1193,8 +1195,9 @@
 	 * no use for this lock, so simply unlock it if necessary.
 	 */
 	is = fr_stlookup(&fi, &tcp, NULL);
-	if (is != NULL)
+	if (is != NULL) {
 		RWLOCK_EXIT(&ipf_state);
+	}
 
 	RWLOCK_EXIT(&ipf_nat);
 
--- a/sys/dist/ipf/netinet/ip_scan.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_scan.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_scan.c,v 1.5 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_scan.c,v 1.5.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-2001 by Darren Reed.
@@ -34,7 +34,7 @@
 # endif
 #endif
 #include <sys/socket.h>
-#if !defined(__hpux) && !defined(__osf__) && !defined(linux)
+#if !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(AIX)
 # include <sys/ioccom.h>
 #endif
 #ifdef __FreeBSD__
@@ -60,7 +60,7 @@
 
 #if !defined(lint)
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.2 2005/01/18 10:13:16 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.40.2.6 2006/03/26 23:06:49 darrenr Exp";
 #endif
 
 #ifdef	IPFILTER_SCAN	/* endif at bottom of file */
@@ -86,18 +86,23 @@
 int ipsc_matchisc __P((ipscan_t *, ipstate_t *, int, int, int *));
 int ipsc_match __P((ipstate_t *));
 
+static int	ipsc_inited = 0;
 
 
 int ipsc_init()
 {
 	RWLOCK_INIT(&ipsc_rwlock, "ip scan rwlock");
+	ipsc_inited = 1;
 	return 0;
 }
 
 
 void fr_scanunload()
 {
-	RW_DESTROY(&ipsc_rwlock);
+	if (ipsc_inited == 1) {
+		RW_DESTROY(&ipsc_rwlock);
+		ipsc_inited = 0;
+	}
 }
 
 
@@ -433,6 +438,8 @@
 		}
 		if (k == 1)
 			isc = lm;
+		if (isc == NULL)
+			return 0;
 
 		/*
 		 * No matches or partial matches, so reset the respective
@@ -539,8 +546,8 @@
 	j = 0xffff >> (16 - dlen);
 	i = (0xffff & j) << off;
 #ifdef _KERNEL
-	COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_hlen + thoff, dlen,
-		 (caddr_t)is->is_sbuf[rv] + off);
+	COPYDATA(*(mb_t **)fin->fin_mp, fin->fin_plen - fin->fin_dlen + thoff,
+		 dlen, (caddr_t)is->is_sbuf[rv] + off);
 #endif
 	is->is_smsk[rv] |= i;
 	for (j = 0, i = is->is_smsk[rv]; i & 1; i >>= 1)
--- a/sys/dist/ipf/netinet/ip_scan.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_scan.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_scan.h,v 1.2 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_scan.h,v 1.2.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001 by Darren Reed.
@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_fil.h	1.35 6/5/96
- * Id: ip_scan.h,v 2.9 2003/07/25 22:05:01 darrenr Exp
+ * Id: ip_scan.h,v 2.9.2.1 2005/06/12 07:18:29 darrenr Exp
  */
 
 #ifndef __IP_SCAN_H__
@@ -27,7 +27,7 @@
 struct ipstate;
 
 
-#if defined(__STDC__) || defined(__GNUC__)
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
 # define	SIOCADSCA	_IOWR('r', 60, struct ipscan *)
 # define	SIOCRMSCA	_IOWR('r', 61, struct ipscan *)
 # define	SIOCGSCST	_IOWR('r', 62, struct ipscan *)
--- a/sys/dist/ipf/netinet/ip_state.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_state.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.c,v 1.8 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_state.c,v 1.8.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-2003 by Darren Reed.
@@ -110,10 +110,10 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.8 2005/12/11 12:24:21 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.8.4.1 2006/09/09 02:56:45 rpaulo Exp $");
 #else
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.29 2005/03/28 10:47:54 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_state.c,v 2.186.2.41 2006/04/01 10:16:28 darrenr Exp";
 #endif
 #endif
 
@@ -512,13 +512,17 @@
 	 * means no packets match).
 	 */
 	case SIOCSTLCK :
-		fr_lock(data, &fr_state_lock);
+		if (!(mode & FWRITE)) {
+			error = EPERM;
+		} else {
+			fr_lock(data, &fr_state_lock);
+		}
 		break;
 	/*
 	 * Add an entry to the current state table.
 	 */
 	case SIOCSTPUT :
-		if (!fr_state_lock) {
+		if (!fr_state_lock || !(mode &FWRITE)) {
 			error = EACCES;
 			break;
 		}
@@ -640,6 +644,7 @@
 	if (fr == NULL) {
 		READ_ENTER(&ipf_state);
 		fr_stinsert(isn, 0);
+		MUTEX_EXIT(&isn->is_lock);
 		RWLOCK_EXIT(&ipf_state);
 		return 0;
 	}
@@ -670,6 +675,7 @@
 		fr->fr_ref = 0;
 		fr->fr_dsize = 0;
 		fr->fr_data = NULL;
+		fr->fr_type = FR_T_NONE;
 
 		fr_resolvedest(&fr->fr_tif, fr->fr_v);
 		fr_resolvedest(&fr->fr_dif, fr->fr_v);
@@ -687,6 +693,7 @@
 		}
 		READ_ENTER(&ipf_state);
 		fr_stinsert(isn, 0);
+		MUTEX_EXIT(&isn->is_lock);
 		RWLOCK_EXIT(&ipf_state);
 
 	} else {
@@ -694,6 +701,7 @@
 		for (is = ips_list; is; is = is->is_next)
 			if (is->is_rule == fr) {
 				fr_stinsert(isn, 0);
+				MUTEX_EXIT(&isn->is_lock);
 				break;
 			}
 
@@ -721,6 +729,7 @@
 /* to pointers and adjusts running stats for the hash table as appropriate. */
 /*                                                                          */
 /* Locking: it is assumed that some kind of lock on ipf_state is held.      */
+/*          Exits with is_lock initialised and held.                        */
 /* ------------------------------------------------------------------------ */
 void fr_stinsert(is, rev)
 ipstate_t *is;
@@ -785,7 +794,6 @@
 	MUTEX_EXIT(&ipf_stinsert);
 
 	fr_setstatequeue(is, rev);
-	MUTEX_EXIT(&is->is_lock);
 }
 
 
@@ -801,6 +809,11 @@
 /* Inserts it into the state table and appends to the bottom of the active  */
 /* list.  If the capacity of the table has reached the maximum allowed then */
 /* the call will fail and a flush is scheduled for the next timeout call.   */
+/*                                                                          */
+/* NOTE: The use of stsave to point to nat_state will result in memory      */
+/*       corruption.  It should only be used to point to objects that will  */
+/*       either outlive this (not expired) or will deref the ip_state_t     */
+/*       when they are deleted.                                             */
 /* ------------------------------------------------------------------------ */
 ipstate_t *fr_addstate(fin, stsave, flags)
 fr_info_t *fin;
@@ -823,24 +836,29 @@
 	if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN))
 		return NULL;
 
-	fr = fin->fin_fr;
-	if ((fr->fr_statemax == 0) && (ips_num == fr_statemax)) {
-		ATOMIC_INCL(ips_stats.iss_max);
-		fr_state_doflush = 1;
-		return NULL;
-	}
-
 	/*
 	 * If a "keep state" rule has reached the maximum number of references
 	 * to it, then schedule an automatic flush in case we can clear out
-	 * some "dead old wood".
+	 * some "dead old wood".  Note that because the lock isn't held on
+	 * fr it is possible that we could overflow.  The cost of overflowing
+	 * is being ignored here as the number by which it can overflow is
+	 * a product of the number of simultaneous threads that could be
+	 * executing in here, so a limit of 100 won't result in 200, but could
+	 * result in 101 or 102.
 	 */
-	if ((fr != NULL) && (fr->fr_statemax != 0) &&
-	    (fr->fr_statecnt >= fr->fr_statemax)) {
-		MUTEX_EXIT(&fr->fr_lock);
-		ATOMIC_INCL(ips_stats.iss_maxref);
-		fr_state_doflush = 1;
-		return NULL;
+	fr = fin->fin_fr;
+	if (fr != NULL) {
+		if ((ips_num == fr_statemax) && (fr->fr_statemax == 0)) {
+			ATOMIC_INCL(ips_stats.iss_max);
+			fr_state_doflush = 1;
+			return NULL;
+		}
+		if ((fr->fr_statemax != 0) &&
+		    (fr->fr_statecnt >= fr->fr_statemax)) {
+			ATOMIC_INCL(ips_stats.iss_maxref);
+			fr_state_doflush = 1;
+			return NULL;
+		}
 	}
 
 	pass = (fr == NULL) ? 0 : fr->fr_flags;
@@ -984,9 +1002,9 @@
 			    TH_SYN &&
 			    (TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
 				if (fr_tcpoptions(fin, tcp,
-					      &is->is_tcp.ts_data[0]))
-					is->is_swinflags = TCP_WSCALE_SEEN|
-							   TCP_WSCALE_FIRST;
+					      &is->is_tcp.ts_data[0]) == -1) {
+					fin->fin_flx |= FI_BAD;
+				}
 			}
 
 			if ((fin->fin_out != 0) && (pass & FR_NEWISN) != 0) {
@@ -1129,8 +1147,15 @@
 	 * this may change.
 	 */
 	is->is_v = fin->fin_v;
-	is->is_opt = fin->fin_optmsk;
-	is->is_optmsk = 0xffffffff;
+	is->is_opt[0] = fin->fin_optmsk;
+	is->is_optmsk[0] = 0xffffffff;
+	is->is_optmsk[1] = 0xffffffff;
+	if (is->is_v == 6) {
+		is->is_opt[0] &= ~0x8;
+		is->is_optmsk[0] &= ~0x8;
+		is->is_optmsk[1] &= ~0x8;
+	}
+	is->is_me = stsave;
 	is->is_sec = fin->fin_secmsk;
 	is->is_secmsk = 0xffff;
 	is->is_auth = fin->fin_auth;
@@ -1145,7 +1170,6 @@
 		is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
 
 	READ_ENTER(&ipf_state);
-	is->is_me = stsave;
 
 	fr_stinsert(is, fin->fin_rev);
 
@@ -1155,13 +1179,14 @@
 		* timer on it as we'll never see an error if it fails to
 		* connect.
 		*/
-		MUTEX_ENTER(&is->is_lock);
 		(void) fr_tcp_age(&is->is_sti, fin, ips_tqtqb, is->is_flags);
 		MUTEX_EXIT(&is->is_lock);
 #ifdef	IPFILTER_SCAN
 		if ((is->is_flags & SI_CLONE) == 0)
 			(void) ipsc_attachis(is);
 #endif
+	} else {
+		MUTEX_EXIT(&is->is_lock);
 	}
 #ifdef	IPFILTER_SYNC
 	if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0))
@@ -1183,7 +1208,8 @@
 
 /* ------------------------------------------------------------------------ */
 /* Function:    fr_tcpoptions                                               */
-/* Returns:     int - 1 == packet matches state entry, 0 == it does not     */
+/* Returns:     int - 1 == packet matches state entry, 0 == it does not,    */
+/*                   -1 == packet has bad TCP options data                  */
 /* Parameters:  fin(I) - pointer to packet information                      */
 /*              tcp(I) - pointer to TCP packet header                       */
 /*              td(I)  - pointer to TCP data held as part of the state      */
@@ -1200,13 +1226,14 @@
 	char buf[64], *s, opt;
 	mb_t *m = NULL;
 
-	off = fin->fin_hlen + sizeof(*tcp);
-	len = (TCP_OFF(tcp) << 2) - sizeof(*tcp);
-	if (fin->fin_plen < off + len)
+	len = (TCP_OFF(tcp) << 2);
+	if (fin->fin_dlen < len)
 		return 0;
+	len -= sizeof(*tcp);
+
+	off = fin->fin_plen - fin->fin_dlen + sizeof(*tcp) + fin->fin_ipoff;
 
 	m = fin->fin_m;
-	off += fin->fin_ipoff;
 	mlen = MSGDSIZE(m) - off;
 	if (len > mlen) {
 		len = mlen;
@@ -1244,7 +1271,10 @@
 					else if (i < 0)
 						i = 0;
 					td->td_winscale = i;
-				}
+					td->td_winflags |= TCP_WSCALE_SEEN|
+							   TCP_WSCALE_FIRST;
+				} else
+					retval = -1;
 				break;
 			case TCPOPT_MAXSEG :
 				/*
@@ -1256,7 +1286,14 @@
 					i <<= 8;
 					i += (int)*(s + 3);
 					td->td_maxseg = i;
-				}
+				} else
+					retval = -1;
+				break;
+			case TCPOPT_SACK_PERMITTED :
+				if (ol == TCPOLEN_SACK_PERMITTED)
+					td->td_winflags |= TCP_SACK_PERMIT;
+				else
+					retval = -1;
 				break;
 			}
 		}
@@ -1327,24 +1364,22 @@
 			is->is_s0[source] = ntohl(tcp->th_ack);
 			is->is_s0[!source] = ntohl(tcp->th_seq) + 1;
 			if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)) &&
-			    tdata->td_winscale) {
-				if (fr_tcpoptions(fin, tcp, fdata)) {
-					fdata->td_winflags = TCP_WSCALE_SEEN|
-							     TCP_WSCALE_FIRST;
-				} else {
-					if (!fdata->td_winscale)
-						tdata->td_winscale = 0;
+			    (tdata->td_winflags & TCP_WSCALE_SEEN)) {
+				if (fr_tcpoptions(fin, tcp, fdata) == -1)
+					fin->fin_flx |= FI_BAD;
+				if (!(fdata->td_winflags & TCP_WSCALE_SEEN)) {
+					fdata->td_winscale = 0;
+					tdata->td_winscale = 0;
 				}
 			}
 			if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
 				fr_checknewisn(fin, is);
 		} else if (flags == TH_SYN) {
 			is->is_s0[source] = ntohl(tcp->th_seq) + 1;
-			if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2)))
-				if (fr_tcpoptions(fin, tcp, tdata)) {
-					tdata->td_winflags = TCP_WSCALE_SEEN|
-							     TCP_WSCALE_FIRST;
-				}
+			if ((TCP_OFF(tcp) > (sizeof(tcphdr_t) >> 2))) {
+				if (fr_tcpoptions(fin, tcp, tdata) == -1)
+					fin->fin_flx |= FI_BAD;
+			}
 
 			if ((fin->fin_out != 0) && (is->is_pass & FR_NEWISN))
 				fr_checknewisn(fin, is);
@@ -1412,10 +1447,10 @@
 tcphdr_t *tcp;
 int flags;
 {
-#ifdef BROKEN_TCP_WINDOW_CHECK
 	tcp_seq seq, ack, end;
 	int ackskew, tcpflags;
 	u_32_t win, maxwin;
+	int dsize, inseq;
 
 	/*
 	 * Find difference between last checked packet and this packet.
@@ -1427,9 +1462,16 @@
 		win = ntohs(tcp->th_win);
 	else
 		win = ntohs(tcp->th_win) << fdata->td_winscale;
+
+	/*
+	 * A window of 0 produces undesirable behaviour from this function.
+	 */
 	if (win == 0)
 		win = 1;
 
+	dsize = fin->fin_dlen - (TCP_OFF(tcp) << 2) +
+	        ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
+
 	/*
 	 * if window scaling is present, the scaling is only allowed
 	 * for windows not in the first SYN packet. In that packet the
@@ -1447,14 +1489,15 @@
 			fdata->td_maxwin = win;
 		} else {
 			fdata->td_winscale = 0;
-			fdata->td_winflags = 0;
+			fdata->td_winflags &= ~(TCP_WSCALE_FIRST|
+						TCP_WSCALE_SEEN);
 			tdata->td_winscale = 0;
-			tdata->td_winflags = 0;
+			tdata->td_winflags &= ~(TCP_WSCALE_FIRST|
+						TCP_WSCALE_SEEN);
 		  }
 	}
 
-	end = seq + fin->fin_dlen - (TCP_OFF(tcp) << 2) +
-	      ((tcpflags & TH_SYN) ? 1 : 0) + ((tcpflags & TH_FIN) ? 1 : 0);
+	end = seq + dsize;
 
 	if ((fdata->td_end == 0) &&
 	    (!(flags & IS_TCPFSM) ||
@@ -1462,7 +1505,7 @@
 		/*
 		 * Must be a (outgoing) SYN-ACK in reply to a SYN.
 		 */
-		fdata->td_end = end;
+		fdata->td_end = end - 1;
 		fdata->td_maxwin = 1;
 		fdata->td_maxend = end + win;
 	}
@@ -1475,9 +1518,6 @@
 		ack = tdata->td_end;
 	}
 
-	if (seq == end)
-		seq = end = fdata->td_end;
-
 	maxwin = tdata->td_maxwin;
 	ackskew = tdata->td_end - ack;
 
@@ -1492,16 +1532,58 @@
 
 #define	SEQ_GE(a,b)	((int)((a) - (b)) >= 0)
 #define	SEQ_GT(a,b)	((int)((a) - (b)) > 0)
-	if (
-#if defined(_KERNEL)
-	    (SEQ_GE(fdata->td_maxend, end)) &&
+	inseq = 0;
+	if ((SEQ_GE(fdata->td_maxend, end)) &&
 	    (SEQ_GE(seq, fdata->td_end - maxwin)) &&
-#endif
 /* XXX what about big packets */
 #define MAXACKWINDOW 66000
 	    (-ackskew <= (MAXACKWINDOW << fdata->td_winscale)) &&
 	    ( ackskew <= (MAXACKWINDOW << fdata->td_winscale))) {
-
+		inseq = 1;
+	/*
+	 * Microsoft Windows will send the next packet to the right of the
+	 * window if SACK is in use.
+	 */
+	} else if ((seq == fdata->td_maxend) && (ackskew == 0) &&
+	    (fdata->td_winflags & TCP_SACK_PERMIT) &&
+	    (tdata->td_winflags & TCP_SACK_PERMIT)) {
+		inseq = 1;
+	/*
+	 * Sometimes a TCP RST will be generated with only the ACK field
+	 * set to non-zero.
+	 */
+	} else if ((seq == 0) && (tcpflags == (TH_RST|TH_ACK)) &&
+		   (ackskew >= -1) && (ackskew <= 1)) {
+		inseq = 1;
+	} else if (!(flags & IS_TCPFSM)) {
+		int i;
+
+		i = (fin->fin_rev << 1) + fin->fin_out;
+
+#if 0
+		if (is_pkts[i]0 == 0) {
+			/*
+			 * Picking up a connection in the middle, the "next"
+			 * packet seen from a direction that is new should be
+			 * accepted, even if it appears out of sequence.
+			 */
+			inseq = 1;
+		} else 
+#endif
+		if (!(fdata->td_winflags &
+			    (TCP_WSCALE_SEEN|TCP_WSCALE_FIRST))) {
+			/*
+			 * No TCPFSM and no window scaling, so make some
+			 * extra guesses.
+			 */
+			if ((seq == fdata->td_maxend) && (ackskew == 0))
+				inseq = 1;
+			else if (SEQ_GE(seq + maxwin, fdata->td_end - maxwin))
+				inseq = 1;
+		}
+	}
+
+	if (inseq) {
 		/* if ackskew < 0 then this should be due to fragmented
 		 * packets. There is no way to know the length of the
 		 * total packet in advance.
@@ -1529,9 +1611,6 @@
 		return 1;
 	}
 	return 0;
-#else
-	return 1;
-#endif
 }
 
 
@@ -1593,8 +1672,7 @@
 	clone->is_flags &= ~SI_CLONE;
 	clone->is_flags |= SI_CLONED;
 	fr_stinsert(clone, fin->fin_rev);
-	MUTEX_ENTER(&clone->is_lock);
-	clone->is_ref = 1;
+	clone->is_ref = 2;
 	if (clone->is_p == IPPROTO_TCP) {
 		(void) fr_tcp_age(&clone->is_sti, fin, ips_tqtqb,
 				  clone->is_flags);
@@ -1779,7 +1857,7 @@
 	 * Match up any flags set from IP options.
 	 */
 	if ((cflx && (flx != (cflx & cmask))) ||
-	    ((fin->fin_optmsk & is->is_optmsk) != is->is_opt) ||
+	    ((fin->fin_optmsk & is->is_optmsk[rev]) != is->is_opt[rev]) ||
 	    ((fin->fin_secmsk & is->is_secmsk) != is->is_sec) ||
 	    ((fin->fin_auth & is->is_authmsk) != is->is_auth))
 		return NULL;
@@ -1796,9 +1874,12 @@
 
 	if ((flags & (SI_W_SPORT|SI_W_DPORT))) {
 		if ((flags & SI_CLONE) != 0) {
-			is = fr_stclone(fin, tcp, is);
-			if (is == NULL)
+			ipstate_t *clone;
+
+			clone = fr_stclone(fin, tcp, is);
+			if (clone == NULL)
 				return NULL;
+			is = clone;
 		} else {
 			ATOMIC_DECL(ips_stats.iss_wild);
 		}
@@ -1829,8 +1910,14 @@
 
 	ret = -1;
 
-	if (is->is_flx[out][rev] == 0)
+	if (is->is_flx[out][rev] == 0) {
 		is->is_flx[out][rev] = flx;
+		is->is_opt[rev] = fin->fin_optmsk;
+		if (is->is_v == 6) {
+			is->is_opt[rev] &= ~0x8;
+			is->is_optmsk[rev] &= ~0x8;
+		}
+	}
 
 	/*
 	 * Check if the interface name for this "direction" is set and if not,
@@ -1876,21 +1963,16 @@
 
 	/*
 	 * Does it at least have the return (basic) IP header ?
+	 * Is it an actual recognised ICMP error type?
 	 * Only a basic IP header (no options) should be with
 	 * an ICMP error header.
 	 */
 	if ((fin->fin_v != 4) || (fin->fin_hlen != sizeof(ip_t)) ||
-	    (fin->fin_plen < ICMPERR_MINPKTLEN))
+	    (fin->fin_plen < ICMPERR_MINPKTLEN) ||
+	    !(fin->fin_flx & FI_ICMPERR))
 		return NULL;
 	ic = fin->fin_dp;
 	type = ic->icmp_type;
-	/*
-	 * If it's not an error type, then return
-	 */
-	if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
-    	    (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
-    	    (type != ICMP_PARAMPROB))
-		return NULL;
 
 	oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
 	/*
@@ -1953,7 +2035,7 @@
 	 */
 	savelen = oip->ip_len;
 	oip->ip_len = len;
-	oip->ip_off = htons(oip->ip_off);
+	oip->ip_off = ntohs(oip->ip_off);
 
 	ofin.fin_flx = FI_NOCKSUM;
 	ofin.fin_v = 4;
@@ -1981,8 +2063,6 @@
 	switch (oip->ip_p)
 	{
 	case IPPROTO_ICMP :
-		icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
-
 		/*
 		 * an ICMP error can only be generated as a result of an
 		 * ICMP query, not as the response on an ICMP error
@@ -1990,15 +2070,13 @@
 		 * XXX theoretically ICMP_ECHOREP and the other reply's are
 		 * ICMP query's as well, but adding them here seems strange XXX
 		 */
-		if ((icmp->icmp_type != ICMP_ECHO) &&
-		    (icmp->icmp_type != ICMP_TSTAMP) &&
-		    (icmp->icmp_type != ICMP_IREQ) &&
-		    (icmp->icmp_type != ICMP_MASKREQ))
+		if ((ofin.fin_flx & FI_ICMPERR) != 0)
 		    	return NULL;
 
 		/*
 		 * perform a lookup of the ICMP packet in the state table
 		 */
+		icmp = (icmphdr_t *)((char *)oip + (IP_HL(oip) << 2));
 		hv = (pr = oip->ip_p);
 		src.in4 = oip->ip_src;
 		hv += src.in4.s_addr;
@@ -2017,10 +2095,6 @@
 			is = fr_matchsrcdst(&ofin, is, &src, &dst,
 					    NULL, FI_ICMPCMP);
 			if (is != NULL) {
-				if ((is->is_pass & FR_NOICMPERR) != 0) {
-					RWLOCK_EXIT(&ipf_state);
-					return NULL;
-				}
 				/*
 				 * i  : the index of this packet (the icmp
 				 *      unreachable)
@@ -2293,7 +2367,8 @@
 			if ((is->is_p != pr) || (is->is_v != v))
 				continue;
 			is = fr_matchsrcdst(fin, is, &src, &dst, NULL, FI_CMP);
-			if (is != NULL &&
+			if ((is != NULL) &&
+			    (ic->icmp_id == is->is_icmp.ici_id) &&
 			    fr_matchicmpqueryreply(v, &is->is_icmp,
 						   ic, fin->fin_rev)) {
 				if (fin->fin_rev)
@@ -2386,11 +2461,13 @@
 		break;
 	}
 
-	if ((is != NULL) && ((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
-	    (is->is_tqehead[fin->fin_rev] != NULL))
-		ifq = is->is_tqehead[fin->fin_rev];
-	if (ifq != NULL && ifqp != NULL)
-		*ifqp = ifq;
+	if (is != NULL) {
+		if (((is->is_sti.tqe_flags & TQE_RULEBASED) != 0) &&
+		    (is->is_tqehead[fin->fin_rev] != NULL))
+			ifq = is->is_tqehead[fin->fin_rev];
+		if (ifq != NULL && ifqp != NULL)
+			*ifqp = ifq;
+	}
 	return is;
 }
 
@@ -2783,6 +2860,11 @@
 	if (ipstate_logging != 0 && why != 0)
 		ipstate_log(is, why);
 
+	if (is->is_p == IPPROTO_TCP)
+		ips_stats.iss_fin++;
+	else
+		ips_stats.iss_expire++;
+
 	if (is->is_rule != NULL) {
 		is->is_rule->fr_statecnt--;
 		(void)fr_derefrule(&is->is_rule);
@@ -2809,9 +2891,7 @@
 	ipftq_t *ifq, *ifqnext;
 	ipftqent_t *tqe, *tqn;
 	ipstate_t *is;
-#if defined(USE_SPL) && defined(_KERNEL)
-	int s;
-#endif
+	SPL_INT(s);
 
 	SPL_NET(s);
 	WRITE_ENTER(&ipf_state);
@@ -2881,9 +2961,7 @@
 	int delete, removed;
 	long try, maxtick;
 	u_long interval;
-#if defined(_KERNEL) && !defined(MENTAT) && defined(USE_SPL)
-	int s;
-#endif
+	SPL_INT(s);
 
 	removed = 0;
 
@@ -2912,10 +2990,6 @@
 		}
 
 		if (delete) {
-			if (is->is_p == IPPROTO_TCP)
-				ips_stats.iss_fin++;
-			else
-				ips_stats.iss_expire++;
 			fr_delstate(is, ISL_FLUSH);
 			removed++;
 		} else
@@ -3051,7 +3125,7 @@
 	rval = 0;
 	dir = fin->fin_rev;
 	tcpflags = tcp->th_flags;
-	dlen = fin->fin_plen - fin->fin_hlen - (TCP_OFF(tcp) << 2);
+	dlen = fin->fin_dlen - (TCP_OFF(tcp) << 2);
 
 	if (tcpflags & TH_RST) {
 		if (!(tcpflags & TH_PUSH) && !dlen)
@@ -3189,13 +3263,34 @@
 			break;
 
 		case IPF_TCPS_HALF_ESTAB: /* 4 */
-			if (ostate >= IPF_TCPS_HALF_ESTAB) {
-				if ((tcpflags & TH_ACKMASK) == TH_ACK) {
+			if (tcpflags & TH_FIN) {
+				nstate = IPF_TCPS_FIN_WAIT_1;
+				rval = 1;
+			} else if ((tcpflags & TH_ACKMASK) == TH_ACK) {
+				/*
+				 * If we've picked up a connection in mid
+				 * flight, we could be looking at a follow on
+				 * packet from the same direction as the one
+				 * that created this state.  Recognise it but
+				 * do not advance the entire connection's
+				 * state.
+				 */
+				switch (ostate)
+				{
+				case IPF_TCPS_CLOSED :
+				case IPF_TCPS_SYN_SENT :
+				case IPF_TCPS_SYN_RECEIVED :
+					rval = 1;
+					break;
+				case IPF_TCPS_HALF_ESTAB :
+				case IPF_TCPS_ESTABLISHED :
 					nstate = IPF_TCPS_ESTABLISHED;
 					rval = 1;
+					break;
+				default :
+					break;
 				}
 			}
-				
 			break;
 
 		case IPF_TCPS_ESTABLISHED: /* 5 */
@@ -3325,9 +3420,6 @@
 				(u_long)tcp, tcpflags, (u_long)tqe,
 				nstate, ostate);
 # endif
-# ifdef DIAGNOSTIC
-			panic("invalid TCP state");
-# endif
 #else
 			abort();
 #endif
@@ -3451,20 +3543,16 @@
 
 	/*
 	 * Does it at least have the return (basic) IP header ?
+	 * Is it an actual recognised ICMP error type?
 	 * Only a basic IP header (no options) should be with
 	 * an ICMP error header.
 	 */
-	if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN))
+	if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN) ||
+	    !(fin->fin_flx & FI_ICMPERR))
 		return NULL;
 
 	ic6 = fin->fin_dp;
 	type = ic6->icmp6_type;
-	/*
-	 * If it's not an error type, then return
-	 */
-	if ((type != ICMP6_DST_UNREACH) && (type != ICMP6_PACKET_TOO_BIG) &&
-	    (type != ICMP6_TIME_EXCEEDED) && (type != ICMP6_PARAM_PROB))
-		return NULL;
 
 	oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);
 	if (fin->fin_plen < sizeof(*oip6))
--- a/sys/dist/ipf/netinet/ip_state.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_state.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.h,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_state.h,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-2001 by Darren Reed.
@@ -6,12 +6,12 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
- * Id: ip_state.h,v 2.68.2.3 2005/03/03 14:24:11 darrenr Exp
+ * Id: ip_state.h,v 2.68.2.5 2005/08/20 13:48:25 darrenr Exp
  */
 #ifndef _NETINET_IP_STATE_H_
 #define _NETINET_IP_STATE_H_
 
-#if defined(__STDC__) || defined(__GNUC__)
+#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
 # define	SIOCDELST	_IOW('r', 61, struct ipfobj)
 #else
 # define	SIOCDELST	_IOW(r, 61, struct ipfobj)
@@ -60,8 +60,8 @@
 	u_char	is_v;
 	u_32_t	is_hv;
 	u_32_t	is_tag;
-	u_32_t	is_opt;			/* packet options set */
-	u_32_t	is_optmsk;		/*    "      "    mask */
+	u_32_t	is_opt[2];		/* packet options set */
+	u_32_t	is_optmsk[2];		/*    "      "    mask */
 	u_short	is_sec;			/* security options set */
 	u_short	is_secmsk;		/*    "        "    mask */
 	u_short	is_auth;		/* authentication options set */
--- a/sys/dist/ipf/netinet/ip_sync.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_sync.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_sync.c,v 1.4 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_sync.c,v 1.4.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1995-1998 by Darren Reed.
@@ -98,7 +98,7 @@
 /* END OF INCLUDES */
 
 #if !defined(lint)
-static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.3 2005/02/18 13:06:29 darrenr Exp";
+static const char rcsid[] = "@(#)Id: ip_sync.c,v 2.40.2.7 2006/03/19 14:59:39 darrenr Exp";
 #endif
 
 #define	SYNC_STATETABSZ	256
@@ -231,8 +231,10 @@
 		ips->is_die = htonl(ips->is_die);
 		ips->is_pass = htonl(ips->is_pass);
 		ips->is_flags = htonl(ips->is_flags);
-		ips->is_opt = htonl(ips->is_opt);
-		ips->is_optmsk = htonl(ips->is_optmsk);
+		ips->is_opt[0] = htonl(ips->is_opt[0]);
+		ips->is_opt[1] = htonl(ips->is_opt[1]);
+		ips->is_optmsk[0] = htonl(ips->is_optmsk[0]);
+		ips->is_optmsk[1] = htonl(ips->is_optmsk[1]);
 		ips->is_sec = htons(ips->is_sec);
 		ips->is_secmsk = htons(ips->is_secmsk);
 		ips->is_auth = htons(ips->is_auth);
@@ -246,8 +248,10 @@
 		ips->is_die = ntohl(ips->is_die);
 		ips->is_pass = ntohl(ips->is_pass);
 		ips->is_flags = ntohl(ips->is_flags);
-		ips->is_opt = ntohl(ips->is_opt);
-		ips->is_optmsk = ntohl(ips->is_optmsk);
+		ips->is_opt[0] = ntohl(ips->is_opt[0]);
+		ips->is_opt[1] = ntohl(ips->is_opt[1]);
+		ips->is_optmsk[0] = ntohl(ips->is_optmsk[0]);
+		ips->is_optmsk[1] = ntohl(ips->is_optmsk[1]);
 		ips->is_sec = ntohs(ips->is_sec);
 		ips->is_secmsk = ntohs(ips->is_secmsk);
 		ips->is_auth = ntohs(ips->is_auth);
@@ -442,21 +446,26 @@
 
 		l = get_sleep_lock(&sl_tail);
 		err = sleep(&sl_tail, PZERO+1);
+		if (err) {
+			MUTEX_EXIT(&ipsl_mutex);
+			return EINTR;
+		}
 		spinunlock(l);
 		}
 #   else /* __hpux */
 #    ifdef __osf__
 		err = mpsleep(&sl_tail, PSUSP|PCATCH,  "ipl sleep", 0,
 			      &ipsl_mutex, MS_LOCK_SIMPLE);
+		if (err)
+			return EINTR;
 #    else
 		MUTEX_EXIT(&ipsl_mutex);
 		err = SLEEP(&sl_tail, "ipl sleep");
+		if (err)
+			return EINTR;
+		MUTEX_ENTER(&ipsl_mutex);
 #    endif /* __osf__ */
 #   endif /* __hpux */
-		if (err) {
-			MUTEX_EXIT(&ipsl_mutex);
-			return err;
-		}
 #  endif /* SOLARIS */
 	}
 	MUTEX_EXIT(&ipsl_mutex);
@@ -695,7 +704,6 @@
 synchdr_t *sp;
 void *data;
 {
-	synclogent_t sle;
 	syncupdent_t su;
 	nat_t *n, *nat;
 	synclist_t *sl;
@@ -707,8 +715,6 @@
 	switch (sp->sm_cmd)
 	{
 	case SMC_CREATE :
-		bcopy(data, &sle, sizeof(sle));
-
 		KMALLOC(n, nat_t *);
 		if (n == NULL) {
 			err = ENOMEM;
@@ -722,9 +728,7 @@
 			break;
 		}
 
-		WRITE_ENTER(&ipf_nat);
-
-		nat = &sle.sle_un.sleu_ipn;
+		nat = (nat_t *)data;
 		bzero((char *)n, offsetof(nat_t, nat_age));
 		bcopy((char *)&nat->nat_age, (char *)&n->nat_age,
 		      sizeof(*n) - offsetof(nat_t, nat_age));
@@ -734,6 +738,8 @@
 		sl->sl_idx = -1;
 		sl->sl_ipn = n;
 		sl->sl_num = ntohl(sp->sm_num);
+
+		WRITE_ENTER(&ipf_nat);
 		sl->sl_pnext = syncstatetab + hv;
 		sl->sl_next = syncstatetab[hv];
 		if (syncstatetab[hv] != NULL)
@@ -998,4 +1004,16 @@
 {
 	return EINVAL;
 }
+
+
+int ipfsync_canread()
+{
+	return !((sl_tail == sl_idx) && (su_tail == su_idx));
+}
+
+
+int ipfsync_canwrite()
+{
+	return 1;
+}
 #endif /* IPFILTER_SYNC */
--- a/sys/dist/ipf/netinet/ip_sync.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ip_sync.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_sync.h,v 1.3 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ip_sync.h,v 1.3.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001 by Darren Reed.
@@ -6,7 +6,7 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ip_fil.h	1.35 6/5/96
- * Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp
+ * Id: ip_sync.h,v 2.11.2.3 2006/03/19 14:59:39 darrenr Exp
  */
 
 #ifndef __IP_SYNC_H__
@@ -113,5 +113,7 @@
 extern	int		ipfsync_state __P((synchdr_t *sp, void *data));
 extern	int		ipfsync_read __P((struct uio *uio));
 extern	int		ipfsync_write __P((struct uio *uio));
+extern	int		ipfsync_canread __P((void));
+extern	int		ipfsync_canwrite __P((void));
 
 #endif /* IP_SYNC */
--- a/sys/dist/ipf/netinet/ipl.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/ipf/netinet/ipl.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipl.h,v 1.5 2005/12/11 12:24:21 christos Exp $	*/
+/*	$NetBSD: ipl.h,v 1.5.4.1 2006/09/09 02:56:45 rpaulo Exp $	*/
 
 /*
  * Copyright (C) 1993-2001, 2003 by Darren Reed.
@@ -6,14 +6,14 @@
  * See the IPFILTER.LICENCE file for details on licencing.
  *
  * @(#)ipl.h	1.21 6/5/96
- * Id: ipl.h,v 2.52.2.9 2005/03/30 14:14:05 darrenr Exp
+ * Id: ipl.h,v 2.52.2.14 2006/04/01 20:09:42 darrenr Exp
  */
 
 #ifndef	__IPL_H__
 #define	__IPL_H__
 
-#define	IPL_VERSION	"IP Filter: v4.1.8"
+#define	IPL_VERSION	"IP Filter: v4.1.13"
 
-#define	IPFILTER_VERSION	4010800
+#define	IPFILTER_VERSION	4011300
 
 #endif
--- a/sys/dist/pf/net/pf.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/pf/net/pf.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf.c,v 1.19 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: pf.c,v 1.19.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 /*	$OpenBSD: pf.c,v 1.483 2005/03/15 17:38:43 dhartmei Exp $ */
 
 /*
@@ -2577,7 +2577,7 @@
 		    dport, 0);
 		if (in6p == NULL) {
 			in6p = in6_pcblookup_bind(tb, &daddr->v6, dport, 0);
-			if (inp == NULL)
+			if (in6p == NULL)
 				return (0);
 		}
 #endif
@@ -2785,8 +2785,8 @@
 	u_int16_t		 bport, nport = 0;
 	sa_family_t		 af = pd->af;
 	int			 lookup = -1;
-	uid_t			 uid;
-	gid_t			 gid;
+	uid_t			 uid = 0;	/* XXX: GCC */
+	gid_t			 gid = 0;	/* XXX: GCC */
 	struct pf_rule		*r, *a = NULL;
 	struct pf_ruleset	*ruleset = NULL;
 	struct pf_src_node	*nsn = NULL;
@@ -3161,8 +3161,8 @@
 	u_int16_t		 bport, nport = 0;
 	sa_family_t		 af = pd->af;
 	int			 lookup = -1;
-	uid_t			 uid;
-	gid_t			 gid;
+	uid_t			 uid = 0;	/* XXX: GCC */
+	gid_t			 gid = 0;	/* XXX: GCC */
 	struct pf_rule		*r, *a = NULL;
 	struct pf_ruleset	*ruleset = NULL;
 	struct pf_src_node	*nsn = NULL;
@@ -4691,6 +4691,8 @@
 		int		ipoff2 = 0;
 		int		off2 = 0;
 
+		memset(&pd2, 0, sizeof pd2);	/* XXX gcc */
+
 		pd2.af = pd->af;
 		switch (pd->af) {
 #ifdef INET
@@ -5371,9 +5373,6 @@
 	struct pf_addr		 naddr;
 	struct pf_src_node	*sn = NULL;
 	int			 error = 0;
-#ifdef __NetBSD__
-	struct tcphdr		 th;
-#endif
 
 	if (m == NULL || *m == NULL || r == NULL ||
 	    (dir != PF_IN && dir != PF_OUT) || oifp == NULL)
@@ -5499,10 +5498,10 @@
 		}
 	}
 #else
-	m_copydata(m0, sizeof(*ip), sizeof(th), &th);
-	th.th_sum = 0;
-	m_copyback(m0, sizeof(*ip), sizeof(th), &th);
-	in4_cksum(m0, IPPROTO_TCP, sizeof(*ip), m0->m_pkthdr.len - sizeof(*ip));
+	if (m0->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
+		in_delayed_cksum(m0);
+		m0->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
+	}
 #endif
 
 	if (ntohs(ip->ip_len) <= ifp->if_mtu) {
@@ -5518,6 +5517,8 @@
 #else
 		ip->ip_sum = 0;
 		ip->ip_sum = in_cksum(m0, ip->ip_hl << 2);
+
+		m0->m_pkthdr.csum_flags &= ~M_CSUM_IPv4;
 #endif
 #ifdef __OpenBSD__
 		/* Update relevant hardware checksum stats for TCP/UDP */
--- a/sys/dist/pf/net/pf_ioctl.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/pf/net/pf_ioctl.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf_ioctl.c,v 1.21 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: pf_ioctl.c,v 1.21.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 /*	$OpenBSD: pf_ioctl.c,v 1.139 2005/03/03 07:13:39 dhartmei Exp $ */
 
 /*
@@ -130,7 +130,7 @@
 #ifdef __NetBSD__
 const struct cdevsw pf_cdevsw = {
 	pfopen, pfclose, noread, nowrite, pfioctl,
-	nostop, notty, nopoll, nommap, nokqfilter,
+	nostop, notty, nopoll, nommap, nokqfilter, D_OTHER,
 };
 
 static int pf_pfil_attach(void);
--- a/sys/dist/pf/net/pf_norm.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/pf/net/pf_norm.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf_norm.c,v 1.11 2006/01/25 10:45:20 peter Exp $	*/
+/*	$NetBSD: pf_norm.c,v 1.11.2.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 /*	$OpenBSD: pf_norm.c,v 1.97 2004/09/21 16:59:12 aaron Exp $ */
 
 /*
@@ -1666,7 +1666,7 @@
 
 
 		/* Calculate max ticks since the last timestamp */
-#define TS_MAXFREQ	1100		/* RFC max TS freq of 1Khz + 10% skew */
+#define TS_MAXFREQ	1100		/* RFC max TS freq of 1 kHz + 10% skew */
 #define TS_MICROSECS	1000000		/* microseconds per second */
 		timersub(&uptime, &src->scrub->pfss_last, &delta_ts);
 		tsval_from_last = (delta_ts.tv_sec + ts_fudge) * TS_MAXFREQ;
@@ -1836,7 +1836,7 @@
 
 	thoff = th->th_off << 2;
 	cnt = thoff - sizeof(struct tcphdr);
-	optp = mtod(m, caddr_t) + off + sizeof(struct tcphdr);
+	optp = mtod(m, u_char *) + off + sizeof(struct tcphdr);
 
 	for (; cnt > 0; cnt -= optlen, optp += optlen) {
 		opt = optp[0];
--- a/sys/dist/pf/net/pf_table.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/pf/net/pf_table.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pf_table.c,v 1.7 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: pf_table.c,v 1.7.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 /*	$OpenBSD: pf_table.c,v 1.62 2004/12/07 18:02:04 mcbride Exp $	*/
 
 /*
@@ -1901,6 +1901,7 @@
 {
 	struct pfr_ktable	*kt;
 	struct pf_ruleset	*rs;
+	void			*h4 = NULL, *h6 = NULL;
 
 	kt = pool_get(&pfr_ktable_pl, PR_NOWAIT);
 	if (kt == NULL)
@@ -1918,16 +1919,21 @@
 		rs->tables++;
 	}
 
-	if (!rn_inithead((void **)&kt->pfrkt_ip4,
-	    offsetof(struct sockaddr_in, sin_addr) * 8) ||
-	    !rn_inithead((void **)&kt->pfrkt_ip6,
-	    offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
-		pfr_destroy_ktable(kt, 0);
-		return (NULL);
+	if (!rn_inithead(&h4, offsetof(struct sockaddr_in, sin_addr) * 8))
+		goto out;
+
+	if (!rn_inithead(&h6, offsetof(struct sockaddr_in6, sin6_addr) * 8)) {
+		Free(h4);
+		goto out;
 	}
+	kt->pfrkt_ip4 = h4;
+	kt->pfrkt_ip6 = h6;
 	kt->pfrkt_tzero = tzero;
 
 	return (kt);
+out:
+	pfr_destroy_ktable(kt, 0);
+	return (NULL);
 }
 
 void
--- a/sys/dist/pf/net/pfvar.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/dist/pf/net/pfvar.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: pfvar.h,v 1.11 2006/01/17 12:24:53 peter Exp $	*/
+/*	$NetBSD: pfvar.h,v 1.11.2.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 /*	$OpenBSD: pfvar.h,v 1.213 2005/03/03 07:13:39 dhartmei Exp $ */
 
 /*
@@ -1608,6 +1608,7 @@
 #define	PRIu32	"u"	/* XXX */
 #endif
 #if !defined(__OpenBSD__)
+#if !defined(__NetBSD__)
 #include <sys/kernel.h> /* mono_time */
 static __inline void getmicrouptime(struct timeval *);
 static __inline void
@@ -1620,9 +1621,10 @@
 	splx(s);
 }
 #define	time_second	time.tv_sec
+#endif /* !__NetBSD__ */
 #define	m_copym2	m_dup
 #define	pool_allocator_oldnointr	pool_allocator_nointr
-#endif
+#endif /* !__OpenBSD__ */
 #endif /* _KERNEL */
 
 /* The fingerprint functions can be linked into userland programs (tcpdump) */
--- a/sys/fs/Makefile	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/Makefile	Sat Sep 09 02:56:44 2006 +0000
@@ -1,5 +1,5 @@
-#	$NetBSD: Makefile,v 1.11 2005/12/29 14:53:47 tsutsui Exp $
+#	$NetBSD: Makefile,v 1.11.4.1 2006/09/09 02:56:56 rpaulo Exp $
 
-SUBDIR=	adosfs cd9660 filecorefs msdosfs ntfs smbfs sysvbfs union
+SUBDIR=	adosfs cd9660 filecorefs msdosfs ntfs smbfs sysvbfs udf union
 
 .include <bsd.kinc.mk>
--- a/sys/fs/adosfs/adlookup.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/adosfs/adlookup.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: adlookup.c,v 1.7 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: adlookup.c,v 1.7.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: adlookup.c,v 1.7 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: adlookup.c,v 1.7.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -77,7 +77,7 @@
 	struct anode *ap;	/* anode to find */
 	struct vnode *vdp;	/* vnode of search dir */
 	struct anode *adp;	/* anode of search dir */
-	struct ucred *ucp;	/* lookup credentials */
+	kauth_cred_t ucp;	/* lookup credentials */
 	u_long bn, plen, hval;
 	const u_char *pelt;
 
--- a/sys/fs/adosfs/advfsops.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/adosfs/advfsops.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: advfsops.c,v 1.26 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: advfsops.c,v 1.26.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: advfsops.c,v 1.26 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: advfsops.c,v 1.26.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -55,6 +55,7 @@
 #include <sys/queue.h>
 #include <sys/buf.h>
 #include <sys/conf.h>
+#include <sys/kauth.h>
 #include <fs/adosfs/adosfs.h>
 
 void adosfs_init __P((void));
@@ -67,10 +68,10 @@
 int adosfs_root __P((struct mount *, struct vnode **));
 int adosfs_quotactl __P((struct mount *, int, uid_t, void *, struct lwp *));
 int adosfs_statvfs __P((struct mount *, struct statvfs *, struct lwp *));
-int adosfs_sync __P((struct mount *, int, struct ucred *, struct lwp *));
+int adosfs_sync __P((struct mount *, int, kauth_cred_t, struct lwp *));
 int adosfs_vget __P((struct mount *, ino_t, struct vnode **));
 int adosfs_fhtovp __P((struct mount *, struct fid *, struct vnode **));
-int adosfs_vptofh __P((struct vnode *, struct fid *));
+int adosfs_vptofh __P((struct vnode *, struct fid *, size_t *));
 
 int adosfs_mountfs __P((struct vnode *, struct mount *, struct lwp *));
 int adosfs_loadbitmap __P((struct adosfsmount *));
@@ -101,11 +102,9 @@
 	struct vnode *devvp;
 	struct adosfs_args args;
 	struct adosfsmount *amp;
-	struct proc *p;
 	int error;
 	mode_t accessmode;
 
-	p = l->l_proc;
 	if (mp->mnt_flag & MNT_GETARGS) {
 		amp = VFSTOADOSFS(mp);
 		if (amp == NULL)
@@ -147,12 +146,12 @@
 	 * If mount by non-root, then verify that user has necessary
 	 * permissions on the device.
 	 */
-	if (p->p_ucred->cr_uid != 0) {
+	if (kauth_cred_geteuid(l->l_cred) != 0) {
 		accessmode = VREAD;
 		if ((mp->mnt_flag & MNT_RDONLY) == 0)
 			accessmode |= VWRITE;
 		vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
-		error = VOP_ACCESS(devvp, accessmode, p->p_ucred, l);
+		error = VOP_ACCESS(devvp, accessmode, l->l_cred, l);
 		if (error) {
 			vput(devvp);
 			return (error);
@@ -198,7 +197,7 @@
 		return (error);
 	if (vcount(devvp) > 1 && devvp != rootvp)
 		return (EBUSY);
-	if ((error = vinvalbuf(devvp, V_SAVE, l->l_proc->p_ucred, l, 0, 0))
+	if ((error = vinvalbuf(devvp, V_SAVE, l->l_cred, l, 0, 0))
 	    != 0)
 		return (error);
 
@@ -707,18 +706,23 @@
 	struct fid *fhp;
 	struct vnode **vpp;
 {
-	struct ifid *ifhp = (struct ifid *)fhp;
+	struct ifid ifh;
 #if 0
 	struct anode *ap;
 #endif
 	struct vnode *nvp;
 	int error;
 
+	if (fhp->fid_len != sizeof(struct ifid))
+		return EINVAL;
+
 #ifdef ADOSFS_DIAGNOSTIC
 	printf("adfhtovp(%x, %x, %x)\n", mp, fhp, vpp);
 #endif
 
-	if ((error = VFS_VGET(mp, ifhp->ifid_ino, &nvp)) != 0) {
+	memcpy(&ifh, fhp, sizeof(ifh));
+
+	if ((error = VFS_VGET(mp, ifh.ifid_ino, &nvp)) != 0) {
 		*vpp = NULLVP;
 		return (error);
 	}
@@ -735,18 +739,25 @@
 }
 
 int
-adosfs_vptofh(vp, fhp)
+adosfs_vptofh(vp, fhp, fh_size)
 	struct vnode *vp;
 	struct fid *fhp;
+	size_t *fh_size;
 {
 	struct anode *ap = VTOA(vp);
-	struct ifid *ifhp;
+	struct ifid ifh;
 
-	ifhp = (struct ifid *)fhp;
-	ifhp->ifid_len = sizeof(struct ifid);
+	if (*fh_size < sizeof(struct ifid)) {
+		*fh_size = sizeof(struct ifid);
+		return E2BIG;
+	}
+	*fh_size = sizeof(struct ifid);
 
-	ifhp->ifid_ino = ap->block;
-	ifhp->ifid_start = ap->block;
+	memset(&ifh, 0, sizeof(ifh));
+	ifh.ifid_len = sizeof(struct ifid);
+	ifh.ifid_ino = ap->block;
+	ifh.ifid_start = ap->block;
+	memcpy(fhp, &ifh, sizeof(ifh));
 
 #ifdef ADOSFS_DIAGNOSTIC
 	printf("advptofh(%x, %x)\n", vp, fhp);
@@ -769,7 +780,7 @@
 adosfs_sync(mp, waitfor, uc, l)
 	struct mount *mp;
 	int waitfor;
-	struct ucred *uc;
+	kauth_cred_t uc;
 	struct lwp *l;
 {
 #ifdef ADOSFS_DIAGNOSTIC
--- a/sys/fs/adosfs/advnops.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/adosfs/advnops.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: advnops.c,v 1.18 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: advnops.c,v 1.18.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*
  * Copyright (c) 1994 Christian E. Hopps
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: advnops.c,v 1.18 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: advnops.c,v 1.18.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_quota.h"
@@ -52,6 +52,7 @@
 #include <sys/stat.h>
 #include <sys/unistd.h>
 #include <sys/proc.h>
+#include <sys/kauth.h>
 
 #include <miscfs/genfs/genfs.h>
 #include <miscfs/specfs/specdev.h>
@@ -152,7 +153,7 @@
 	struct vop_getattr_args /* {
 		struct vnode *a_vp;
 		struct vattr *a_vap;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		struct lwp *a_l;
 	} */ *sp = v;
 	struct vattr *vap;
@@ -220,7 +221,7 @@
 		struct vnode *a_vp;
 		struct uio *a_uio;
 		int a_ioflag;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 	} */ *sp = v;
 	struct vnode *vp = sp->a_vp;
 	struct adosfsmount *amp;
@@ -359,7 +360,7 @@
 		struct vnode *a_vp;
 		struct uio *a_uio;
 		int a_ioflag;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 	} */ *sp = v;
 	advopprint(sp);
 	printf(" EOPNOTSUPP)");
@@ -610,7 +611,7 @@
 	struct vop_readdir_args /* {
 		struct vnode *a_vp;
 		struct uio *a_uio;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		int *a_eofflag;
 		off_t **a_cookies;
 		int *a_ncookies;
@@ -787,7 +788,7 @@
 	struct vop_access_args /* {
 		struct vnode *a_vp;
 		int  a_mode;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		struct lwp *a_l;
 	} */ *sp = v;
 	struct anode *ap;
@@ -837,7 +838,7 @@
 	struct vop_readlink_args /* {
 		struct vnode *a_vp;
 		struct uio *a_uio;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 	} */ *sp = v;
 	struct anode *ap;
 	int error;
--- a/sys/fs/cd9660/cd9660_extern.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_extern.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_extern.h,v 1.18 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_extern.h,v 1.18.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994
@@ -105,10 +105,10 @@
 int cd9660_root(struct mount *, struct vnode **);
 int cd9660_quotactl(struct mount *, int, uid_t, void *, struct lwp *);
 int cd9660_statvfs(struct mount *, struct statvfs *, struct lwp *);
-int cd9660_sync(struct mount *, int, struct ucred *, struct lwp *);
+int cd9660_sync(struct mount *, int, kauth_cred_t, struct lwp *);
 int cd9660_vget(struct mount *, ino_t, struct vnode **);
 int cd9660_fhtovp(struct mount *, struct fid *, struct vnode **);
-int cd9660_vptofh(struct vnode *, struct fid *);
+int cd9660_vptofh(struct vnode *, struct fid *, size_t *);
 void cd9660_init(void);
 void cd9660_reinit(void);
 void cd9660_done(void);
--- a/sys/fs/cd9660/cd9660_lookup.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_lookup.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_lookup.c,v 1.9 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_lookup.c,v 1.9.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1989, 1993, 1994
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd9660_lookup.c,v 1.9 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd9660_lookup.c,v 1.9.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/namei.h>
@@ -48,6 +48,7 @@
 #include <sys/vnode.h>
 #include <sys/mount.h>
 #include <sys/systm.h>
+#include <sys/kauth.h>
 
 #include <fs/cd9660/iso.h>
 #include <fs/cd9660/cd9660_extern.h>
@@ -126,7 +127,7 @@
 	const char *name;
 	struct vnode **vpp = ap->a_vpp;
 	struct componentname *cnp = ap->a_cnp;
-	struct ucred *cred = cnp->cn_cred;
+	kauth_cred_t cred = cnp->cn_cred;
 	int flags;
 	int nameiop = cnp->cn_nameiop;
 
@@ -218,6 +219,7 @@
 		/*
 		 * Get pointer to next entry.
 		 */
+		KASSERT(bp != NULL);
 		ep = (struct iso_directory_record *)
 			((char *)bp->b_data + entryoffsetinblock);
 
--- a/sys/fs/cd9660/cd9660_rrip.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_rrip.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_rrip.c,v 1.9 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_rrip.c,v 1.9.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1993, 1994
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd9660_rrip.c,v 1.9 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd9660_rrip.c,v 1.9.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -48,6 +48,7 @@
 #include <sys/mount.h>
 #include <sys/kernel.h>
 #include <sys/stat.h>
+#include <sys/kauth.h>
 
 #include <sys/time.h>
 
--- a/sys/fs/cd9660/cd9660_util.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_util.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_util.c,v 1.6 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_util.c,v 1.6.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd9660_util.c,v 1.6 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd9660_util.c,v 1.6.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -123,7 +123,7 @@
 				break;
 			}
 			fn++;
-			for (i = 0; --fnlen >= 0; i = i * 10 + *fn++ - '0') {
+			for (i = 0; fnlen-- != 0; i = i * 10 + *fn++ - '0') {
 				if (*fn < '0' || *fn > '9') {
 					return -1;
 				}
--- a/sys/fs/cd9660/cd9660_vfsops.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_vfsops.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_vfsops.c,v 1.30 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_vfsops.c,v 1.30.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd9660_vfsops.c,v 1.30 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd9660_vfsops.c,v 1.30.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -64,6 +64,7 @@
 #include <sys/stat.h>
 #include <sys/conf.h>
 #include <sys/dirent.h>
+#include <sys/kauth.h>
 
 #include <fs/cd9660/iso.h>
 #include <fs/cd9660/cd9660_extern.h>
@@ -103,6 +104,8 @@
 	(int (*)(struct mount *, struct vnode *, struct timespec *)) eopnotsupp,
 	vfs_stdextattrctl,
 	cd9660_vnodeopv_descs,
+	0,	/* refcount */
+	{ NULL, NULL } /* list */
 };
 VFS_ATTACH(cd9660_vfsops);
 
@@ -129,7 +132,7 @@
 	int error;
 	struct iso_args args;
 
-	if (root_device->dv_class != DV_DISK)
+	if (device_class(root_device) != DV_DISK)
 		return (ENODEV);
 
 	if ((error = vfs_rootmountalloc(MOUNT_CD9660, "root_device", &mp))
@@ -168,11 +171,9 @@
 {
 	struct vnode *devvp;
 	struct iso_args args;
-	struct proc *p;
 	int error;
 	struct iso_mnt *imp = VFSTOISOFS(mp);
 
-	p = l->l_proc;
 	if (mp->mnt_flag & MNT_GETARGS) {
 		if (imp == NULL)
 			return EIO;
@@ -211,9 +212,9 @@
 	 * If mount by non-root, then verify that user has necessary
 	 * permissions on the device.
 	 */
-	if (p->p_ucred->cr_uid != 0) {
+	if (kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER, NULL) != 0) {
 		vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
-		error = VOP_ACCESS(devvp, VREAD, p->p_ucred, l);
+		error = VOP_ACCESS(devvp, VREAD, l->l_cred, l);
 		VOP_UNLOCK(devvp, 0);
 		if (error) {
 			vrele(devvp);
@@ -326,7 +327,7 @@
 		return EROFS;
 
 	/* Flush out any old buffers remaining from a previous use. */
-	if ((error = vinvalbuf(devvp, V_SAVE, l->l_proc->p_ucred, l, 0, 0)) != 0)
+	if ((error = vinvalbuf(devvp, V_SAVE, l->l_cred, l, 0, 0)) != 0)
 		return (error);
 
 	/* This is the "logical sector size".  The standard says this
@@ -634,7 +635,7 @@
 cd9660_sync(mp, waitfor, cred, l)
 	struct mount *mp;
 	int waitfor;
-	struct ucred *cred;
+	kauth_cred_t cred;
 	struct lwp *l;
 {
 	return (0);
@@ -664,17 +665,21 @@
 	struct fid *fhp;
 	struct vnode **vpp;
 {
-	struct ifid *ifhp = (struct ifid *)fhp;
+	struct ifid ifh;
 	struct iso_node *ip;
 	struct vnode *nvp;
 	int error;
 
+	if (fhp->fid_len != sizeof(ifh))
+		return EINVAL;
+
+	memcpy(&ifh, fhp, sizeof(ifh));
 #ifdef	ISOFS_DBG
 	printf("fhtovp: ino %d, start %ld\n",
-	    ifhp->ifid_ino, ifhp->ifid_start);
+	    ifh.ifid_ino, ifh.ifid_start);
 #endif
 
-	if ((error = VFS_VGET(mp, ifhp->ifid_ino, &nvp)) != 0) {
+	if ((error = VFS_VGET(mp, ifh.ifid_ino, &nvp)) != 0) {
 		*vpp = NULLVP;
 		return (error);
 	}
@@ -924,22 +929,29 @@
  */
 /* ARGSUSED */
 int
-cd9660_vptofh(vp, fhp)
+cd9660_vptofh(vp, fhp, fh_size)
 	struct vnode *vp;
 	struct fid *fhp;
+	size_t *fh_size;
 {
 	struct iso_node *ip = VTOI(vp);
-	struct ifid *ifhp;
+	struct ifid ifh;
 
-	ifhp = (struct ifid *)fhp;
-	ifhp->ifid_len = sizeof(struct ifid);
+	if (*fh_size < sizeof(struct ifid)) {
+		*fh_size = sizeof(struct ifid);
+		return E2BIG;
+	}
+	*fh_size = sizeof(struct ifid);
 
-	ifhp->ifid_ino = ip->i_number;
-	ifhp->ifid_start = ip->iso_start;
+	memset(&ifh, 0, sizeof(ifh));
+	ifh.ifid_len = sizeof(struct ifid);
+	ifh.ifid_ino = ip->i_number;
+	ifh.ifid_start = ip->iso_start;
+	memcpy(fhp, &ifh, sizeof(ifh));
 
 #ifdef	ISOFS_DBG
 	printf("vptofh: ino %d, start %ld\n",
-	    ifhp->ifid_ino,ifhp->ifid_start);
+	    ifh.ifid_ino,ifh.ifid_start);
 #endif
 	return 0;
 }
--- a/sys/fs/cd9660/cd9660_vnops.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/cd9660_vnops.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cd9660_vnops.c,v 1.19 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: cd9660_vnops.c,v 1.19.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cd9660_vnops.c,v 1.19 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cd9660_vnops.c,v 1.19.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -52,6 +52,7 @@
 #include <sys/vnode.h>
 #include <sys/malloc.h>
 #include <sys/dirent.h>
+#include <sys/kauth.h>
 
 #include <miscfs/fifofs/fifo.h>
 #include <miscfs/genfs/genfs.h>
@@ -91,7 +92,7 @@
 int
 cd9660_mknod(ndp, vap, cred, p)
 	struct nameidata *ndp;
-	struct ucred *cred;
+	kauth_cred_t cred;
 	struct vattr *vap;
 	struct proc *p;
 {
@@ -152,7 +153,7 @@
 	struct vop_access_args /* {
 		struct vnode *a_vp;
 		int  a_mode;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		struct lwp *a_l;
 	} */ *ap = v;
 	struct vnode *vp = ap->a_vp;
@@ -185,7 +186,7 @@
 	struct vop_getattr_args /* {
 		struct vnode *a_vp;
 		struct vattr *a_vap;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		struct lwp *a_l;
 	} */ *ap = v;
 	struct vnode *vp = ap->a_vp;
@@ -218,9 +219,8 @@
 		auio.uio_iovcnt = 1;
 		auio.uio_offset = 0;
 		auio.uio_rw = UIO_READ;
-		auio.uio_segflg = UIO_SYSSPACE;
-		auio.uio_lwp = NULL;
 		auio.uio_resid = MAXPATHLEN;
+		UIO_SETUP_SYSSPACE(&auio);
 		rdlnk.a_uio = &auio;
 		rdlnk.a_vp = ap->a_vp;
 		rdlnk.a_cred = ap->a_cred;
@@ -247,7 +247,7 @@
 		struct vnode *a_vp;
 		struct uio *a_uio;
 		int a_ioflag;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 	} */ *ap = v;
 	struct vnode *vp = ap->a_vp;
 	struct uio *uio = ap->a_uio;
@@ -419,7 +419,7 @@
 	struct vop_readdir_args /* {
 		struct vnode *a_vp;
 		struct uio *a_uio;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		int *a_eofflag;
 		off_t **a_cookies;
 		int *a_ncookies;
@@ -492,6 +492,7 @@
 		/*
 		 * Get pointer to next entry.
 		 */
+		KASSERT(bp != NULL);
 		ep = (struct iso_directory_record *)
 			((char *)bp->b_data + entryoffsetinblock);
 
@@ -623,7 +624,7 @@
 	struct vop_readlink_args /* {
 		struct vnode *a_vp;
 		struct uio *a_uio;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 	} */ *ap = v;
 	ISONODE	*ip;
 	ISODIR	*dirp;
@@ -633,6 +634,7 @@
 	u_short	symlen;
 	int	error;
 	char	*symname;
+	boolean_t use_pnbuf;
 
 	ip  = VTOI(ap->a_vp);
 	imp = ip->i_mnt;
@@ -672,19 +674,21 @@
 	 * Now get a buffer
 	 * Abuse a namei buffer for now.
 	 */
-	if (uio->uio_segflg == UIO_SYSSPACE &&
-	    uio->uio_iov->iov_len >= MAXPATHLEN)
+	use_pnbuf = !VMSPACE_IS_KERNEL_P(uio->uio_vmspace) ||
+	    uio->uio_iov->iov_len < MAXPATHLEN;
+	if (use_pnbuf) {
+		symname = PNBUF_GET();
+	} else {
 		symname = uio->uio_iov->iov_base;
-	else
-		symname = PNBUF_GET();
+	}
 
 	/*
 	 * Ok, we just gathering a symbolic name in SL record.
 	 */
 	if (cd9660_rrip_getsymname(dirp, symname, &symlen, imp) == 0) {
-		if (uio->uio_segflg != UIO_SYSSPACE ||
-		    uio->uio_iov->iov_len < MAXPATHLEN)
+		if (use_pnbuf) {
 			PNBUF_PUT(symname);
+		}
 		brelse(bp);
 		return (EINVAL);
 	}
@@ -696,8 +700,7 @@
 	/*
 	 * return with the symbolic name to caller's.
 	 */
-	if (uio->uio_segflg != UIO_SYSSPACE ||
-	    uio->uio_iov->iov_len < MAXPATHLEN) {
+	if (use_pnbuf) {
 		error = uiomove(symname, symlen, uio);
 		PNBUF_PUT(symname);
 		return (error);
@@ -849,7 +852,7 @@
 		struct vnodeop_desc *a_desc;
 		struct vnode *a_vp;
 		struct vattr *a_vap;
-		struct ucred *a_cred;
+		kauth_cred_t a_cred;
 		struct proc *a_p;
 	} */ *ap = v;
 	struct vattr *vap = ap->a_vap;
--- a/sys/fs/cd9660/iso.h	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/cd9660/iso.h	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: iso.h,v 1.7 2005/12/24 20:45:09 perry Exp $	*/
+/*	$NetBSD: iso.h,v 1.7.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994
@@ -171,31 +171,31 @@
 	u_char len_au			[ISODCL (247, 250)]; /* 723 */
 };
 
-static inline int isonum_711(u_char *) __attribute__ ((unused));
-static inline int isonum_712(char *) __attribute__ ((unused));
-static inline uint16_t isonum_721(u_char *) __attribute__ ((unused));
-static inline uint16_t isonum_722(u_char *) __attribute__ ((unused));
-static inline uint16_t isonum_723(u_char *) __attribute__ ((unused));
-static inline uint32_t isonum_731(u_char *) __attribute__ ((unused));
-static inline uint32_t isonum_732(u_char *) __attribute__ ((unused));
-static inline uint32_t isonum_733(u_char *) __attribute__ ((unused));
+static __inline int isonum_711(u_char *) __attribute__ ((unused));
+static __inline int isonum_712(char *) __attribute__ ((unused));
+static __inline uint16_t isonum_721(u_char *) __attribute__ ((unused));
+static __inline uint16_t isonum_722(u_char *) __attribute__ ((unused));
+static __inline uint16_t isonum_723(u_char *) __attribute__ ((unused));
+static __inline uint32_t isonum_731(u_char *) __attribute__ ((unused));
+static __inline uint32_t isonum_732(u_char *) __attribute__ ((unused));
+static __inline uint32_t isonum_733(u_char *) __attribute__ ((unused));
 
 /* 7.1.1: unsigned char */
-static inline int
+static __inline int
 isonum_711(u_char *p)
 {
 	return *p;
 }
 
 /* 7.1.2: signed(?) char */
-static inline int
+static __inline int
 isonum_712(char *p)
 {
 	return *p;
 }
 
 /* 7.2.1: unsigned little-endian 16-bit value.  NOT USED IN KERNEL. */
-static inline uint16_t
+static __inline uint16_t
 isonum_721(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && (BYTE_ORDER == LITTLE_ENDIAN)
@@ -206,7 +206,7 @@
 }
 
 /* 7.2.2: unsigned big-endian 16-bit value.  NOT USED IN KERNEL. */
-static inline uint16_t
+static __inline uint16_t
 isonum_722(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && (BYTE_ORDER == BIG_ENDIAN)
@@ -217,7 +217,7 @@
 }
 
 /* 7.2.3: unsigned both-endian (little, then big) 16-bit value */
-static inline uint16_t
+static __inline uint16_t
 isonum_723(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && \
@@ -233,7 +233,7 @@
 }
 
 /* 7.3.1: unsigned little-endian 32-bit value.  NOT USED IN KERNEL. */
-static inline uint32_t
+static __inline uint32_t
 isonum_731(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && (BYTE_ORDER == LITTLE_ENDIAN)
@@ -244,7 +244,7 @@
 }
 
 /* 7.3.2: unsigned big-endian 32-bit value.  NOT USED IN KERNEL. */
-static inline uint32_t
+static __inline uint32_t
 isonum_732(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && (BYTE_ORDER == BIG_ENDIAN)
@@ -255,7 +255,7 @@
 }
 
 /* 7.3.3: unsigned both-endian (little, then big) 32-bit value */
-static inline uint32_t
+static __inline uint32_t
 isonum_733(u_char *p)
 {
 #if defined(UNALIGNED_ACCESS) && \
--- a/sys/fs/filecorefs/filecore_bmap.c	Sat Sep 09 02:46:41 2006 +0000
+++ b/sys/fs/filecorefs/filecore_bmap.c	Sat Sep 09 02:56:44 2006 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: filecore_bmap.c,v 1.3 2005/12/11 12:24:25 christos Exp $	*/
+/*	$NetBSD: filecore_bmap.c,v 1.3.4.1 2006/09/09 02:56:56 rpaulo Exp $	*/
 
 /*-
  * Copyright (c) 1994 The Regents of the University of California.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: filecore_bmap.c,v 1.3 2005/12/11 12:24:25 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: filecore_bmap.c,v 1.3.4.1 2006/09/09 02:56:56 rpaulo Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -75,6 +75,7 @@
 #include <sys/file.h>
 #include <sys/vnode.h>
 #include <sys/mount.h>
+#include <sys/kauth.h>
 
 #include <fs/filecorefs/filecore.h>
 #include <fs/filecorefs/filecore_extern.h>
@@ -241,7 +242,7 @@
 	struct filecore_mnt *fcmp;
 	u_int32_t addr;
 	int size;
-	struct ucred *cred;
+	kauth_cred_t cred;
 	struct buf **bp;
 {
 	int error = 0;
--- a/sys/fs/filecorefs/filecore_extern.h	Sat Sep 09 02:46:41 200