author | cvs2svn <cvs2svn@FreeBSD.org> | 2005-04-26 14:59:27 +0000 |
---|---|---|
committer | cvs2svn <cvs2svn@FreeBSD.org> | 2005-04-26 14:59:27 +0000 |
commit | e804c1381f2e38324cf35c42b9bb7055d8aa650f (patch) | |
tree | 433e888a937fc3f41b65d58f50d14effaf40a15f | |
parent | 984f8800d4a60bed43ae201a53ba5e0bf5c6b745 (diff) |
This commit was manufactured by cvs2svn to create tag vendor/ipfilter/4.1.8
'ipfilter-vendor-v4-1-8'.
Notes:
svn path=/vendor/ipfilter/dist/; revision=145551
svn path=/vendor/ipfilter/4.1.8/; revision=145552; tag=vendor/ipfilter/4.1.8
110 files changed, 0 insertions, 23579 deletions
diff --git a/contrib/ipfilter/COMPILE.2.5 b/contrib/ipfilter/COMPILE.2.5
deleted file mode 100644
index ae550f896e49..000000000000
--- a/contrib/ipfilter/COMPILE.2.5
+++ /dev/null
@@ -1,11 +0,0 @@
-
-If you get the following error whilst compiling:
-
-In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
- from /usr/include/sys/file.h:15,
- from ../ip_nat.c:15:
-/usr/include/sys/psw.h:19: #error Kernel include of psw.h
-
-Remove (comment out) the line in
-/usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3include/sys/user.h
-which includes psw.h
diff --git a/contrib/ipfilter/COMPILE.Solaris2 b/contrib/ipfilter/COMPILE.Solaris2
deleted file mode 100644
index 45442c5a4051..000000000000
--- a/contrib/ipfilter/COMPILE.Solaris2
+++ /dev/null
@@ -1,19 +0,0 @@
-If you have BOTH GNU make and the normal make shipped with your system,
-DO NOT use the GNU make to build this package. If you have any errors
-relating to "(" or "TOP", check that you are using /usr/ccs/bin/make as
-shipped with Solaris 2.
-
-If you get the following error whilst compiling:
-
-In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
- from /usr/include/sys/file.h:15,
- from ../ip_nat.c:15:
-/usr/include/sys/psw.h:19: #error Kernel include of psw.h
-
-That means that you have a version of gcc build under on older release
-of Solaris 2.x
-
-You need to reinstall gcc after each Solaris upgrade; gcc creates its own
-set of modified system include files which are only valid for the exact
-release on which gcc was build.
-
diff --git a/contrib/ipfilter/FWTK/FWTK.sed b/contrib/ipfilter/FWTK/FWTK.sed
deleted file mode 100644
index e69de29bb2d1..000000000000
--- a/contrib/ipfilter/FWTK/FWTK.sed
+++ /dev/null
diff --git a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt b/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
deleted file mode 100644
index 2e719383f32b..000000000000
--- a/contrib/ipfilter/FWTK/fwtk-2.1-transparency.txt
+++ /dev/null
@@ -1,707 +0,0 @@ -diff -c -r ./ftp-gw/ftp-gw.c ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c -*** ./ftp-gw/ftp-gw.c Thu Feb 5 19:05:43 1998 ---- ../../fwtk-2.1-violated/fwtk/ftp-gw/ftp-gw.c Thu May 21 17:36:09 1998 -*************** -*** 44,49 **** ---- 44,51 ---- - - extern char *optarg; - -+ char *getdsthost(); -+ - #include "firewall.h" - - -*************** -*** 88,93 **** ---- 90,97 ---- - static int cmdcnt = 0; - static int timeout = PROXY_TIMEOUT; - -+ static int do_transparent = 0; -+ - - static int cmd_user(); - static int cmd_authorize(); -*************** -*** 101,106 **** ---- 105,111 ---- - static int cmd_passthru(); - static void saveline(); - static void flushsaved(); -+ static int connectdest(); - - #define OP_CONN 001 /* only valid if connected */ - #define OP_WCON 002 /* writethrough if connected */ -*************** -*** 173,178 **** ---- 178,184 ---- - char xuf[1024]; - char huf[512]; - char *passuser = (char *)0; /* passed user as av */ -+ char *psychic, *hotline; - - #ifndef LOG_DAEMON - openlog("ftp-gw",LOG_PID); -*************** -*** 317,322 **** ---- 323,332 ---- - } else - timeout = PROXY_TIMEOUT; - -+ psychic = getdsthost(0, NULL); -+ if (psychic) -+ do_transparent++; -+ - /* display a welcome file or message */ - if(passuser == (char *)0) { - if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { -*************** -*** 324,329 **** ---- 334,345 ---- - syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); - exit(1); - } -+ if (do_transparent) { -+ if (sayfile2(0, cf->argv[0], 220)) { -+ syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); -+ exit(1); -+ } -+ } else - if(sayfile(0,cf->argv[0],220)) { - syslog(LLEV,"fwtksyserr: cannot display welcome %.512s: %m",cf->argv[0]); - exit(1); -*************** -*** 336,341 **** ---- 352,360 ---- - if(say(0,"220-Proxy first requires authentication")) - exit(1); - -+ if (do_transparent) -+ sprintf(xuf, "220-%s FTP proxy (Version %s) ready.",huf, 
FWTK_VERSION_MINOR); -+ else - sprintf(xuf, "220 %s FTP proxy (Version %s) ready.",huf, FWTK_VERSION_MINOR); - if(say(0,xuf)) - exit(1); -*************** -*** 357,362 **** ---- 376,384 ---- - exit(1); - } - -+ if (do_transparent) -+ connectdest(psychic, 21); -+ - /* main loop */ - while(1) { - FD_ZERO(&rdy); -*************** -*** 653,658 **** ---- 675,696 ---- - return(sayn(0,noad,sizeof(noad)-1)); - } - -+ if (do_transparent) { -+ if((rfd == (-1)) && (x = connectdest(dest,port))) -+ return x; -+ -+ sprintf(buf,"USER %s",user); -+ -+ if (say(rfd, buf)) -+ return(1); -+ -+ x = getresp(rfd, buf, sizeof(buf), 1); -+ if (sendsaved(0, x)) -+ return(1); -+ -+ return(say(0, buf)); -+ } -+ - if(*dest == '\0') - dest = "localhost"; - -*************** -*** 694,705 **** - char ebuf[512]; - - strcpy(ebuf,buf); -! sprintf(buf,"521 %s: %s",dest,ebuf); - rfd = -1; - return(say(0,buf)); - } -! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); -! saveline(buf); - - /* we are now connected and need to try the autologin thing */ - x = getresp(rfd,buf,sizeof(buf),1); ---- 732,748 ---- - char ebuf[512]; - - strcpy(ebuf,buf); -! if (do_transparent) -! sprintf(buf, "521 %s,%d: %s", dest, ntohs(port), ebuf); -! else -! sprintf(buf,"521 %s: %s",dest,ebuf); - rfd = -1; - return(say(0,buf)); - } -! if (!do_transparent) { -! sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); -! saveline(buf); -! } - - /* we are now connected and need to try the autologin thing */ - x = getresp(rfd,buf,sizeof(buf),1); -*************** -*** 1889,1891 **** ---- 1932,2050 ---- - dup(nread); - } - #endif -+ -+ static int connectdest(dest, port) -+ char *dest; -+ short port; -+ { -+ char buf[1024], mbuf[512]; -+ int msg_int, x; -+ -+ if(*dest == '\0') -+ dest = "localhost"; -+ -+ if(validests != (char **)0) { -+ char **xp; -+ int x; -+ -+ for(xp = validests; *xp != (char *)0; xp++) { -+ if(**xp == '!' 
&& hostmatch(*xp + 1,dest)) { -+ return(baddest(0,dest)); -+ } else { -+ if(hostmatch(*xp,dest)) -+ break; -+ } -+ } -+ if(*xp == (char *)0) -+ return(baddest(0,dest)); -+ } -+ -+ /* Extended permissions processing goes in here for destination */ -+ if(extendperm) { -+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0); -+ if(msg_int == 1) { -+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest); -+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser); -+ say(0,mbuf); -+ return(1); -+ } else { -+ if(msg_int == -1) { -+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest); -+ say(0,mbuf); -+ return(1); -+ } -+ } -+ } -+ -+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest); -+ -+ if((rfd = conn_server(dest,port,0,buf)) < 0) { -+ char ebuf[512]; -+ -+ strcpy(ebuf,buf); -+ if (do_transparent) -+ sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf); -+ else -+ sprintf(buf,"521 %s: %s",dest,ebuf); -+ rfd = -1; -+ return(say(0,buf)); -+ } -+ if (!do_transparent) { -+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); -+ saveline(buf); -+ } -+ -+ /* we are now connected and need to try the autologin thing */ -+ x = getresp(rfd,buf,sizeof(buf),1); -+ if(x / 100 != COMPLETE) { -+ sendsaved(0,-1); -+ return(say(0,buf)); -+ } -+ saveline(buf); -+ -+ sendsaved(0,-1); -+ return 0; -+ } -+ -+ /* quick hack */ -+ sayfile2(fd,fn,code) -+ int fd; -+ char *fn; -+ int code; -+ { -+ FILE *f; -+ char buf[BUFSIZ]; -+ char yuf[BUFSIZ]; -+ char *c; -+ int x; -+ int saidsomething = 0; -+ -+ if((f = fopen(fn,"r")) == (FILE *)0) -+ return(1); -+ while(fgets(buf,sizeof(buf),f) != (char *)0) { -+ if((c = index(buf,'\n')) != (char *)0) -+ *c = '\0'; -+ x = fgetc(f); -+ if(feof(f)) -+ sprintf(yuf,"%3.3d-%s",code,buf); -+ else { -+ sprintf(yuf,"%3.3d-%s",code,buf); -+ ungetc(x,f); -+ } -+ if(say(fd,yuf)) { -+ fclose(f); -+ return(1); -+ } -+ saidsomething++; -+ } -+ fclose(f); -+ if 
(!saidsomething) { -+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code); -+ sprintf(yuf, "%3.3d The file to display is empty",code); -+ if(say(fd,yuf)) { -+ fclose(f); -+ return(1); -+ } -+ } -+ return(0); -+ } -diff -c -r ./http-gw/http-gw.c ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c -*** ./http-gw/http-gw.c Fri Feb 6 18:32:25 1998 ---- ../../fwtk-2.1-violated/fwtk/http-gw/http-gw.c Thu May 21 17:00:47 1998 -*************** -*** 27,32 **** ---- 27,35 ---- - static char http_buffer[8192]; - static char reason[8192]; - static int checkBrowserType = 1; -+ static int do_transparent = 0; -+ -+ char * getdsthost(); - - static void do_logging() - { char *proto = "GOPHER"; -*************** -*** 473,478 **** ---- 476,490 ---- - /*(NOT A SPECIAL FORM)*/ - - if((rem_type & TYPE_LOCAL)== 0){ -+ char * psychic = getdsthost(sockfd, &def_port); -+ if (psychic) { -+ if (strlen(psychic) <= MAXHOSTNAMELEN) { -+ do_transparent ++; -+ strncpy(def_httpd, psychic, strlen(psychic)); -+ strncpy(def_server, psychic, strlen(psychic)); -+ } -+ } -+ - /* See if it can be forwarded */ - - if( can_forward(buf)){ -*************** -*** 1564,1570 **** - parse_vec[0], - parse_vec[1], - ourname, ourport); -! }else{ - sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", - parse_vec[0], parse_vec[2], - parse_vec[3], chk_type_ch, ---- 1576,1589 ---- - parse_vec[0], - parse_vec[1], - ourname, ourport); -! } -! else -! if (do_transparent) { -! sprintf(new_reply, "%s\t%s\t%s\t%s", -! parse_vec[0], parse_vec[1], -! parse_vec[2],parse_vec[3]); -! } -! else { - sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", - parse_vec[0], parse_vec[2], - parse_vec[3], chk_type_ch, -diff -c -r ./lib/hnam.c ../../fwtk-2.1-violated/fwtk/lib/hnam.c -*** ./lib/hnam.c Tue Dec 10 13:08:48 1996 ---- ../../fwtk-2.1-violated/fwtk/lib/hnam.c Thu May 21 17:10:00 1998 -*************** -*** 23,28 **** ---- 23,33 ---- - - #include "firewall.h" - -+ #ifdef __FreeBSD__ /* or OpenBSD, NetBSD, BSDI, etc. 
Fix this for your system. */ -+ #include <net/if.h> -+ #include "ip_nat.h" -+ #endif /* __FreeBSD__ */ -+ - - char * - maphostname(name) -*************** -*** 49,52 **** ---- 54,132 ---- - } - bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); - return(inet_ntoa(sin.sin_addr)); -+ } -+ -+ char *getdsthost(fd, ptr) -+ int fd; -+ int *ptr; -+ { -+ struct sockaddr_in sin; -+ struct hostent * hp; -+ int sl = sizeof(struct sockaddr_in), err = 0, local_h = 0, i = 0; -+ char buf[255], hostbuf[255]; -+ #ifdef __FreeBSD__ -+ struct sockaddr_in rsin; -+ struct natlookup natlookup; -+ #endif -+ -+ #ifdef linux -+ if (!(err = getsockname(0, &sin, &sl))) { -+ if(ptr) -+ * ptr = ntohs(sin.sin_port); -+ -+ sprintf(buf, "%s", inet_ntoa(sin.sin_addr)); -+ gethostname(hostbuf, 254); -+ hp = gethostbyname(hostbuf); -+ while (hp->h_addr_list[i]) { -+ bzero(&sin, &sl); -+ memcpy(&sin.sin_addr, hp->h_addr_list[i++], -+ sizeof(hp->h_addr_list[i++])); -+ -+ if (!strcmp(buf, inet_ntoa(sin.sin_addr))) -+ local_h++; -+ } -+ -+ if(local_h) -+ return(NULL); -+ else -+ return(buf); -+ } -+ #endif -+ -+ #ifdef __FreeBSD__ -+ /* The basis for this block of code is Darren Reed's -+ * patches to the TIS ftwk's ftp-gw. 
-+ */ -+ bzero((char*)&sin, sizeof(sin)); -+ bzero((char*)&rsin, sizeof(rsin)); -+ -+ if (getsockname(fd, (struct sockaddr*)&sin, &sl) < 0) -+ return NULL; -+ -+ sl = sizeof(rsin); -+ -+ if(getpeername(fd, (struct sockaddr*)&rsin, &sl) < 0) -+ return NULL; -+ -+ natlookup.nl_inport=sin.sin_port; -+ natlookup.nl_outport=rsin.sin_port; -+ natlookup.nl_inip=sin.sin_addr; -+ natlookup.nl_outip=rsin.sin_addr; -+ -+ if ((natfd = open("/dev/ipl",O_RDONLY)) < 0) -+ return NULL; -+ -+ if (ioctl(natfd, SIOCGNATL,&natlookup) == (-1)) -+ return NULL; -+ -+ close(natfd); -+ -+ if (ptr) -+ *ptr = ntohs(natlookup.nl_inport); -+ -+ sprintf(buf, "%s", inet_ntoa(natlookup.nl_inip)); -+ #endif -+ -+ /* No transparent proxy support */ -+ return(NULL); - } -diff -c -r ./plug-gw/plug-gw.c ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c -*** ./plug-gw/plug-gw.c Thu Feb 5 19:07:35 1998 ---- ../../fwtk-2.1-violated/fwtk/plug-gw/plug-gw.c Thu May 21 17:29:01 1998 -*************** -*** 43,48 **** ---- 43,50 ---- - static char **validdests = (char **)0; - static int net_write(); - -+ static int do_transparent = 0; -+ - main(ac,av) - int ac; - char *av[]; -*************** -*** 198,206 **** ---- 200,220 ---- - char *ptr; - int state = 0; - int ssl_plug = 0; -+ char * getdsthost(); -+ int pport = 0; - - struct timeval timo; - -+ /* Transparent plug-gw is probably a bad idea, but then, plug-gw is a bad -+ * idea .. -+ */ -+ dhost = getdsthost(0, &pport); -+ if (dhost) { -+ do_transparent++; -+ portid = pport; -+ } -+ -+ - if(c->flags & PERM_DENY) { - if (p == -1) - syslog(LLEV,"deny host=%.512s/%.20s port=any",rhost,raddr); -*************** -*** 220,226 **** - syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); - exit (1); - } -! dhost = av[x]; - continue; - } - ---- 234,241 ---- - syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln); - exit (1); - } -! if (!dhost) -! 
dhost = av[x]; - continue; - } - -diff -c -r ./rlogin-gw/rlogin-gw.c ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c -*** ./rlogin-gw/rlogin-gw.c Thu Feb 5 19:08:38 1998 ---- ../../fwtk-2.1-violated/fwtk/rlogin-gw/rlogin-gw.c Thu May 21 17:20:25 1998 -*************** -*** 103,108 **** ---- 103,111 ---- - static int trusted = 0; - static int doX = 0; - static char *prompt; -+ static int do_transparent = 0; -+ -+ char * getdsthost(); - - main(ac,av) - int ac; -*************** -*** 123,128 **** ---- 126,132 ---- - static char *tokav[56]; - int tokac; - struct timeval timo; -+ char * psychic; - - #ifndef LOG_NDELAY - openlog("rlogin-gw",LOG_PID); -*************** -*** 188,194 **** - xforwarder = cf->argv[0]; - } - -! - - if((cf = cfg_get("directory",confp)) != (Cfg *)0) { - if(cf->argc != 1) { ---- 192,203 ---- - xforwarder = cf->argv[0]; - } - -! psychic = getdsthost(0, NULL); -! if (psychic) { -! do_transparent++; -! strncpy(dest, psychic, 511); -! dest[511] = '\0'; -! } - - if((cf = cfg_get("directory",confp)) != (Cfg *)0) { - if(cf->argc != 1) { -*************** -*** 266,271 **** ---- 275,281 ---- - if((p = index(rusername,'@')) != (char *)0) { - char *namp; - -+ dest[0] = '\0'; - *p++ = '\0'; - if(*p == '\0') - p = "localhost"; -*************** -*** 297,302 **** ---- 307,326 ---- - - if(dest[0] != '\0') { - /* Setup connection directly to remote machine */ -+ if ((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { -+ if (cf->argc != 1) { -+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); -+ exit(1); -+ } -+ -+ if (sayfile(0, cf->argv[0])) { -+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); -+ exit(1); -+ } -+ } -+ -+ /* Hey fwtk developer people -- this connect_dest thing is *nasty!* */ -+ - sprintf(buf,"connect %.1000s",dest); - tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf)); - if (cmd_connect(tokac, tokav, buf) != 2) -*************** -*** 535,548 **** - char ebuf[512]; - - syslog(LLEV,"permit 
host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); -! if(strlen(namp) > 20) -! namp[20] = '\0'; -! if(rusername[0] != '\0') -! sprintf(ebuf,"Trying %s@%s...",rusername,namp); -! else -! sprintf(ebuf,"Trying %s...",namp); -! if(say(0,ebuf)) -! return(1); - } else - syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); - if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { ---- 559,574 ---- - char ebuf[512]; - - syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,namp); -! if (!do_transparent) { -! if(strlen(namp) > 20) -! namp[20] = '\0'; -! if(rusername[0] != '\0') -! sprintf(ebuf,"Trying %s@%s...",rusername,namp); -! else -! sprintf(ebuf,"Trying %s...",namp); -! if(say(0,ebuf)) -! return(1); -! } - } else - syslog(LLEV,"permit host=%.512s/%.20s connect to %.512s",rhost,raddr,av[1]); - if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { -diff -c -r ./tn-gw/tn-gw.c ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c -*** ./tn-gw/tn-gw.c Thu Feb 5 19:11:36 1998 ---- ../../fwtk-2.1-violated/fwtk/tn-gw/tn-gw.c Thu May 21 17:25:06 1998 -*************** -*** 91,96 **** ---- 91,100 ---- - static int cmd_xforward(); - static int cmd_timeout(); - -+ char * getdsthost(); -+ -+ static int do_transparent = 0; -+ - static int tn3270 = 1; /* don't do tn3270 stuff */ - static int doX; - -*************** -*** 144,149 **** ---- 148,155 ---- - char tokbuf[BSIZ]; - char *tokav[56]; - int tokac; -+ int port; -+ char * psychic; - - #ifndef LOG_DAEMON - openlog("tn-gw",LOG_PID); -*************** -*** 325,330 **** ---- 331,362 ---- - } - } - -+ psychic = getdsthost(0, &port); -+ if (psychic) { -+ if ((strlen(psychic) + 10) < 510) { -+ do_transparent++; -+ if (port) -+ sprintf(dest, "%s:%d", psychic, port); -+ else -+ sprintf(dest, "%s", psychic); -+ -+ if (!welcomedone) -+ if ((cf = cfg_get("welcome-msg", confp)) != (Cfg *)0) { -+ if (cf->argc != 1) { -+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); -+ exit(1); 
-+ } -+ -+ if (sayfile(0, cf->argv[0])) { -+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]); -+ exit(1); -+ } -+ -+ welcomedone = 1; -+ } -+ } -+ } -+ - while (argc > 1) { - argc--; - argv++; -*************** -*** 947,955 **** - char ebuf[512]; - - syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); -! sprintf(ebuf,"Trying %.100s port %d...",namp,port); -! if(say(0,ebuf)) -! return(1); - } else - syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); - ---- 979,989 ---- - char ebuf[512]; - - syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,namp); -! if (!do_transparent) { -! sprintf(ebuf,"Trying %.100s port %d...",namp,port); -! if(say(0,ebuf)) -! return(1); -! } - } else - syslog(LLEV,"permit host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); - -*************** -*** 991,998 **** - - syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); - strncpy(dest,av[1], 511); -! sprintf(buf, "Connected to %.512s.", dest); -! say(0, buf); - return(2); - } - ---- 1025,1034 ---- - - syslog(LLEV,"connected host=%.512s/%.20s destination=%.512s",rladdr,riaddr,av[1]); - strncpy(dest,av[1], 511); -! if (!do_transparent) { -! sprintf(buf, "Connected to %.512s.", dest); -! say(0, buf); -! } - return(2); - } - diff --git a/contrib/ipfilter/FWTK/tproxy.diff b/contrib/ipfilter/FWTK/tproxy.diff deleted file mode 100644 index 234404bf2364..000000000000 --- a/contrib/ipfilter/FWTK/tproxy.diff +++ /dev/null 
@@ -1,82 +0,0 @@ -*** tproxy.c.orig Fri Dec 20 10:53:24 1996 ---- tproxy.c Sun Jan 3 11:33:55 1999 -*************** -*** 135,140 **** ---- 135,144 ---- - #include <netinet/in.h> - #include <sys/signal.h> - #include <syslog.h> -+ #include <unistd.h> -+ #include <fcntl.h> -+ #include <sys/ioctl.h> -+ #include <net/if.h> - #include "tproxy.h" - - #ifdef AIX -*************** -*** 147,152 **** ---- 151,159 ---- - #define bzero(buf,size) memset(buf, '\0', size); - #endif /* SYSV */ - -+ #include "ip_compat.h" -+ #include "ip_fil.h" -+ #include "ip_nat.h" - - - /* socket to audio server */ -*************** -*** 324,329 **** ---- 331,369 ---- - char localbuf[2048]; - void timeout(); - extern int errno; -+ /* -+ * IP-Filter block -+ */ -+ struct sockaddr_in laddr, faddr; -+ struct natlookup natlookup; -+ int slen, natfd; -+ -+ bzero((char *)&laddr, sizeof(laddr)); -+ bzero((char *)&faddr, sizeof(faddr)); -+ slen = sizeof(laddr); -+ if (getsockname(0, (struct sockaddr *)&laddr, &slen) < 0) -+ return -1; -+ slen = sizeof(faddr); -+ if (getpeername(0, (struct sockaddr *)&faddr, &slen) < 0) -+ return -1; -+ natlookup.nl_inport = laddr.sin_port; -+ natlookup.nl_outport = faddr.sin_port; -+ natlookup.nl_inip = laddr.sin_addr; -+ natlookup.nl_outip = faddr.sin_addr; -+ natlookup.nl_flags = IPN_TCP; -+ if ((natfd = open(IPL_NAT, O_RDONLY)) < 0) -+ return -1; -+ if (ioctl(natfd, SIOCGNATL, &natlookup) == -1) { -+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n"); -+ close(natfd); -+ return -1; -+ } -+ close(natfd); -+ strcpy(hostname, inet_ntoa(natlookup.nl_realip)); -+ serverport = ntohs(natlookup.nl_realport); -+ /* -+ * End of IP-Filter block -+ */ - - /* setup a timeout in case dialog doesn't finish */ - signal(SIGALRM, timeout); -*************** -*** 337,344 **** ---- 377,386 ---- - * and modify the call to (and subroutine) serverconnect() as - * appropriate. 
- */
-+ #if 0
- strcpy(hostname, "randomhostname");
- serverport = 7070;
-+ #endif
- /* Can we connect to the server */
- if ( (serverfd = serverconnect(hostname, serverport)) < 0 ) {
- /* errno may still be set from previous call */
diff --git a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4 b/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
deleted file mode 100644
index 7d1b7a2b8f4c..000000000000
--- a/contrib/ipfilter/FreeBSD-4.0/INST.FreeBSD-4
+++ /dev/null
@@ -1,24 +0,0 @@
-To build a kernel with the IP filter, follow these seven steps:
-
- 1. do "make freebsd4"
-
- 2. do "make install-bsd"
- (probably has to be done as root)
-
- 3. run "FreeBSD-4.0/kinstall" as root
-
- 4. build a new kernel
-
- 5. install the new kernel
-
- 6. If not using DEVFS, create devices for IP Filter as follows:
- mknod /dev/ipl c 79 0
- mknod /dev/ipnat c 79 1
- mknod /dev/ipstate c 79 2
- mknod /dev/ipauth c 79 3
-
- 7. reboot
-
-
-Darren Reed
-darrenr@pobox.com
diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch
deleted file mode 100755
index c232b2c15972..000000000000
--- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch
+++ /dev/null
@@ -1,61 +0,0 @@
-*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
---- ip6_input.c Wed Apr 26 22:31:34 2000
-***************
-*** 121,126 ****
---- 121,127 ----
-
- extern struct domain inet6domain;
- extern struct ip6protosw inet6sw[];
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-
- u_char ip6_protox[IPPROTO_MAX];
- static int ip6qmaxlen = IFQ_MAXLEN;
-***************
-*** 302,307 ****
---- 303,317 ----
- ip6stat.ip6s_badvers++;
- in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
- goto bad;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
-+ 0, &m1) || !m1)
-+ return;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
-*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
---- ip6_output.c Wed Apr 26 22:34:34 2000
-***************
-*** 108,113 ****
---- 108,115 ----
- #include <netinet6/ip6_fw.h>
- #endif
-
-+ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-+
- static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
-
- struct ip6_exthdrs {
-***************
-*** 754,759 ****
---- 756,770 ----
- ip6->ip6_src.s6_addr16[1] = 0;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
- ip6->ip6_dst.s6_addr16[1] = 0;
-+ }
-+
-+ if (fr_checkp) {
-+ struct mbuf *m1 = m;
-+
-+ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
-+ !m1)
-+ goto done;
-+ ip6 = mtod(m = m1, struct ip6_hdr *);
- }
-
- #ifdef IPV6FIREWALL
diff --git a/contrib/ipfilter/INSTALL.BSDOS b/contrib/ipfilter/INSTALL.BSDOS
deleted file mode 100644
index 17d9602ef8ab..000000000000
--- a/contrib/ipfilter/INSTALL.BSDOS
+++ /dev/null
@@ -1,35 +0,0 @@
-
-BSD/OS users.
-------------
-
-First, you need to build IP Filter. Do this from the "ip_fil3.2.x"
-directory with the command "make bsdos". If this completes successfully,
-install the various bits and pieces with "make install-bsd".
-
-Prior to starting, it is a good idea for you to know what your kernel config
-file is (it appears that the script guesses incorrectly at present).
-
-Once you have that in mind, run the 'kinstall' script in the correct
-BSDOS3 or BSDOS4 directory. This will attempt to patch a bunch of files
-or install the relevant .o files if you don't have kernel source.
-It will also go and install all the IP Filter .c and .h files where they
-can be find when it comes time to build the kernel.
-
-The script will then pause and ask you for your kernel configuration
-file. After you enter this, it will add "options IPFILTER" to your
-kernel configuration file. IF YOU WANT TO DO LOGGING, ADD
-"options IPFILTER_LOG" to your kernel configuration file NOW!
-
-Now that you've got your kernel configuration file done, use config
-to setup a new kernel build and complete with make.
-
-When the kernel rebuilt is complete, put it into / and reboot with
-your new kernel. If IP Filter has been configured into your kernel
-correctly, you will see a message like this when your system boots:
-
-IP Filter: initialized. Default = pass all, Logging = enabled
-
-Upon logging in, the IP Filter commands ipfstat, et al, should all
-function properly.
-
-Darren
diff --git a/contrib/ipfilter/INSTALL.BSDOS3 b/contrib/ipfilter/INSTALL.BSDOS3
deleted file mode 100644
index 8842b981911c..000000000000
--- a/contrib/ipfilter/INSTALL.BSDOS3
+++ /dev/null
@@ -1,44 +0,0 @@ - -BSD/OS 3.x users. ------------------ - -First, you will need to either: -(a) have a source license for the kernel so you can patch some files or -(b) obtain the relevant pre-compiled .o files (I can't supply these yet). - -The files which you will need patched are: -ip_input.c, ip_output.c (maybe in_proto.c and ioconf.c.i386 too - NOT sure). - -First, you need to build IP Filter. Do this from the "ip_fil3.2.x" -directory with the command "make bsdos". If this completes successfully, -install the various bits and pieces with "make install-bsd". - -Prior to starting, it is a good idea for you to know what your kernel config -file is (it appears that the script guesses incorrectly at present). - -Once you have that in mind, run the 'kinstall' script in the BSDOS3 -directory. This will attempt to patch a bunch of files. If you've -obtained the relevant .o files, ignore the errors, otherwise please -report them to me and mention which version of BSD/OS you are using -and on what platform (Sparc, i386, etc). It will also go and install -all the IP Filter .c and .h files where they can be find when it comes -time to build the kernel. - -The script will then pause and ask you for your kernel configuration -file. After you enter this, it will add "options IPFILTER" to your -kernel configuration file. IF YOU WANT TO DO LOGGING, ADD -"options IPFILTER_LOG" to your kernel configuration file NOW! - -Now that you've got your kernel configuration file done, use config -to setup a new kernel build and complete with make. - -When the kernel rebuilt is complete, put it into / and reboot with -your new kernel. If IP Filter has been configured into your kernel -correctly, you will see a message like this when your system boots: - -IP Filter: initialized. Default = pass all, Logging = enabled - -Upon logging in, the IP Filter commands ipfstat, et al, should all -function properly. - -Darren 
diff --git a/contrib/ipfilter/INSTALL.IRIX b/contrib/ipfilter/INSTALL.IRIX
deleted file mode 100644
index b64d4349879b..000000000000
--- a/contrib/ipfilter/INSTALL.IRIX
+++ /dev/null
@@ -1,108 +0,0 @@ - -IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3 -as well. Under IRIX 5.3, it has been successfully compiled and linked in the -kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported. - -To build a kernel with the IP filter and install it on your system, -follow these steps: - - 1. edit the top-level Makefile to - a) comment-out the IPFLKM definition. - This means changing the line reading: - IPFLKM=-DIPFILTER_LKM - to - #IPFLKM=-DIPFILTER_LKM - b) select the system's compiler (cc) - This means changing the line reading: - CC=gcc - to - CC=cc - b) enable full optimization - This means changing the lines reading: - DEBUG=-g - CFLAGS=-I$$(TOP) - to - DEBUG= - CFLAGS=-O2 -I$$(TOP) - - 1. do "make irix" (Warning: GNU make is not supported, so if it has - been installed on your system, verify your path and/or do "which make" - to guarantee that IRIX's /sbin/make has precedence) - - 2. do "make install-irix" as root - (a new kernel will be automatically built) - - 3. determine the filtering rules and place them in /etc/ipf.conf - and /etc/ipnat.conf - - 4. do "init 6" as root to reboot with the new kernel - - After restarting, the filter should be active and behaving according to - the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf. - - These files can be changed at any time, and reloaded using the - following command sequence: - - # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start - - -To remove the IP Filter from your kernel, follow these steps: - - 1. Delete the /var/sysgen/boot/ipfilter.o file - - # rm /var/sysgen/boot/ipfilter.o - - 2. If SGI's ipfilter.o had been previously installed, restore it - back to its original location - - # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o - - 3. Build a new kernel - - # /etc/autoconfig - - 4. Delete the /etc/rc2.d/S33ipf symbolic link - - # rm /etc/rc2.d/S33ipf - - 5. 
Reboot - - # init 6 - - -ADDITIONAL NOTES: - - - The IP filter uses the same kernel interface to the IP driver as - SGI's ipfilter. In fact, it is installed in place of SGI's - /var/sysgen/boot/ipfilter.o module, after renaming it (if installed) - to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's - ipfilterd daemon is not running simultaneously, since this package uses - the same major device number. - - - We have not tested IP Filter on a multiprocessor machine yet. - However, feel free to try it and send your experiences/patches - back to marc@CAM.ORG. SGI prescribes that kernel code be built on such - systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should - probably be uncommented on the DFLAGS line of IRIX/Makefile if your - machine has more than one processor. - - - It is also possible to build IP Filter as a dynamically loadable - kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the - top-level Makefile), but this is not recommended other than for testing - and debugging purposes, because the only possible method for dynamic - attachment to the IP stack (instruction patching) is highly dependent - on the processor architecture. The code provided has only been tested - with IP22 CPU boards and can sometime cause panics during loading due - to a potential race condition. - - -CREDITS: - - IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG> - - Marc Boucher wishes to thank the - ICARI Institute (http://www.icari.qc.ca) - and - Aurelio Cascio <aurelio@toonboom.com> - for their financial support and testing facilities, respectively. - diff --git a/contrib/ipfilter/INSTALL.Linux b/contrib/ipfilter/INSTALL.Linux deleted file mode 100644 index 1a5d15b59f02..000000000000 --- a/contrib/ipfilter/INSTALL.Linux +++ /dev/null 
@@ -1,50 +0,0 @@ -IP-Filter on Linux 2.0.31 -------------------------- - -NOTE: I have *ONLY* compiled and created patches for using IP Filter on - Linux 2.0.31. Any other kernel revision may need seprate patches. - Also, I've only tested on a x86 CPU so I can't make any guarantees - about it working on Sparc/Mac/Amiga. - -First, you should do a sanity check of your system to make sure it will -compile IP Filter. You will need a "libfl" and a "libelf". If you don't -have these, install them before proceeding. - -The installation and compiliation process assumes that Linux 2.0.31 -will be in the /usr/src/linux directory and that all the symbolic links -in /usr/include match. /usr/src/linux may be a symbolic link too, but -it must point to a 2.0.31 kernel source tree. - -The first step is to make the IP Filter binaries. Do this with a -"make linux" from the ip_fil3.2.x directory. If this completes with -no errors, install IP Filter with a "make install-linux". - -Now that the user part of it is complete, it is time to work on the kernel. -To start this off, run "Linux/minstall". This will configure the devices -you will need for the IP Filter. Then run "Linux/kinstall". This will -patch your kernel source code and configuration files so you can enabled IP -Filter. You must now go to /usr/src/linux and configure your kernel using one -of the available interfaces to enable IP Filter. IP Filter will be presented -as a three way choice "y/m/n" - select "m" to enable it. Save your kernel -configuration file, rebuild, install and reboot with the new kernel. - -When you've rebooted with the new kernel, you should be able to load -IP Filter with the command "insmod if_ipl". All going will, you will -see a message like this on your console: - -IP Filter: initialized. Default = pass all, Logging = enabled - -indicating that IP Filter has successfully been loaded into the kernel -and is awaiting. 
- -Darren - -Features Not Available on Linux, yet: - -- compiled into the kernel -"<action> in on <if> to <if> ..." -"<action> in on <if> dup-to <if> ..." -"<action> in on <if> fastroute ..." -"block return-rst ..." -"map ... proxy ..." (Linux's masquerading is better at present) - diff --git a/contrib/ipfilter/INSTALL.NetBSD b/contrib/ipfilter/INSTALL.NetBSD deleted file mode 100644 index 012d6d7f8d2d..000000000000 --- a/contrib/ipfilter/INSTALL.NetBSD +++ /dev/null 
@@ -1,59 +0,0 @@ - -To build a kernel for use with the loadable kernel module, follow these -steps: - 1. do "make netbsd" - - 2. do "make install-bsd" - (probably has to be done as root) - - 3(a) NetBSD systems prior to 1.2: - run "NetBSD/minstall" as root - 3(b) NetBSD 1.2 systems or later: - run "NetBSD-1.2/minstall" as root - - 4. build a new kernel - - 5. install and reboot with the new kernel - - 6. use modload(8) to load the packet filter with: - modload if_ipl.o - - 7. do "modstat" to confirm that it has been loaded successfully. - -There is no need to use mknod to create the device in /dev; -- upon loading the module, it will create itself with the correct values, - under the name (IPL_NAME) from the Makefile. It will also remove itself - from /dev when it is modunload'd. - -To build a kernel with the IP filter, follow these steps: - - 1. do "make netbsd" - - 2. do "make install-bsd" - (probably has to be done as root) - - 3(a) NetBSD systems prior to 1.2: - run "NetBSD/kinstall" as root - 3(b) NetBSD 1.2 systems or later: - run "NetBSD-1.2/kinstall" as root - 3(c) If conf.c fails on the 2nd hunk of the patch, you will have to - manually apply the patch. - - 4. build a new kernel - - 5. Create device files. For NetBSD-1.2 (or later), use 49 as the - major number. For NetBSD-1.1 or earlier, use 59. Run these - commands as root, substituting <major> for the appropriate number: - - mknod /dev/ipl c <major> 0 - mknod /dev/ipnat c <major> 1 - mknod /dev/ipstate c <major> 2 - mknod /dev/ipauth c <major> 3 - - ** NOTE: both the numbers 49 and 59 should be substituted with - whatever number you inserted it into conf.c as. - - 6. install and reboot with the new kernel - -Darren Reed -darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.Sol2 b/contrib/ipfilter/INSTALL.Sol2 deleted file mode 100644 index 5ba84b931985..000000000000 --- a/contrib/ipfilter/INSTALL.Sol2 +++ /dev/null 
@@ -1,28 +0,0 @@ - -For those running Solaris 2.5 or later, please read COMPILE.2.5 before -building IP Filter. - -Type "make solaris" to build all the required binaries. DO NOT USE THE -GNU make!!! - -Once IP Filter has been successfully compiled, you may then install it using -the usual package method (using pkgadd), however, the package needs to be -created, prior to pkgadd'ing. To create the package in /var/spool/pkg, change -directory to SunOS5 and enter the following command: - -make package - -This will build the package into SunOS5/<arch>/root, copy that to -/var/spool/pkg as a package and then start the installation using -pkgadd. - -As part of the postinstall script, it will install loadable kernel module -as part of Solaris 2 (using add_drv) making it available for immeadiate use. - -IP Filter will be installed into /opt/CYBSipf (programs, manual pages and -examples) and create a directory /etc/opt/CYBSipf with a null body file -called "ipf.conf" using touch. The rc scripts have been written to look -for the configuration file here, using the installed binaries in /sbin. - -Darren Reed -darrenr@pobox.com diff --git a/contrib/ipfilter/INSTALL.SunOS b/contrib/ipfilter/INSTALL.SunOS deleted file mode 100644 index 0d4dd8c5e07a..000000000000 --- a/contrib/ipfilter/INSTALL.SunOS +++ /dev/null 
@@ -1,40 +0,0 @@ - -To install as a Loadable Kernel Module (LKM): - - 1. do a "make solaris" in this directory - - 2. Run the script "SunOS4/minstall" as root. - - 3. change directory to SunOS4 and run "make install" - - 4. Reboot using the new kernel - - 5. use modload(8) to load the packet filter with: - modload if_ipl.o - - 6. do "modstat" to confirm that it has been loaded successfully. - - There is no need to use mknod to create the device in /dev; - - upon loading the module, it will create itself with the correct - values, under the name (IPL_NAME) from the Makefile. It will - also remove itself from /dev when it is modunload'd. - - -To install as part of a SunOS 4.1.x kernel: - - 1. do a "make solaris" in this directory - - 2. Run the script "SunOS4/kinstall" as root. - NOTE: This script sets up /dev/ipl as char. device 59,0 - in /sys/sun/conf.c - - 3. Run the following commands as root: - mknod /dev/ipl c 59 0 - mknod /dev/ipnat c 59 1 - mknod /dev/ipstate c 59 2 - mknod /dev/ipauth c 59 3 - - 4. Reboot using the new kernel - -Darren Reed -darrenr@pobox.com diff --git a/contrib/ipfilter/LICENCE b/contrib/ipfilter/LICENCE deleted file mode 100644 index f4cc8ee76bfa..000000000000 --- a/contrib/ipfilter/LICENCE +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright (C) 1993-2000 by Darren Reed. - * - * The author accepts no responsibility for the use of this software and - * provides it on an ``as is'' basis without express or implied warranty. - * - * Redistribution and use in source and binary forms are permitted - * provided that this notice is preserved and due credit is given - * to the original author and the contributors. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - * - * I hate legaleese, don't you ? - */ 
diff --git a/contrib/ipfilter/UPGRADE_NOTICE b/contrib/ipfilter/UPGRADE_NOTICE deleted file mode 100644 index 8b4476072b27..000000000000 --- a/contrib/ipfilter/UPGRADE_NOTICE +++ /dev/null @@ -1,10 +0,0 @@ - -NOTE: To all those upgrading from versions prior to 3.2.11 who used NAT - AND setup ACL's to allow untranslated address through from outside, - - THIS HAS BEEN FIXED - - so your ACL's will now be `broken'. Please correct your ACL's to - match the the untranslated addresses (the way it was meant to work). - -Darren diff --git a/contrib/ipfilter/bpf.h b/contrib/ipfilter/bpf.h deleted file mode 100644 index 715c79a8d173..000000000000 --- a/contrib/ipfilter/bpf.h +++ /dev/null 
@@ -1,450 +0,0 @@ -/*- - * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from the Stanford/CMU enet packet filter, - * (net/enet.c) distributed as part of 4.3BSD, and code contributed - * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence - * Berkeley Laboratory. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)bpf.h 7.1 (Berkeley) 5/7/91 - * - * @(#) $Header: /devel/CVS/IP-Filter/Attic/bpf.h,v 1.1.2.1 2002/11/07 13:18:35 darrenr Exp $ (LBL) - */ - -#ifndef BPF_MAJOR_VERSION - -#ifdef __cplusplus -extern "C" { -#endif - -/* BSD style release date */ -#define BPF_RELEASE 199606 - -typedef int bpf_int32; -typedef u_int bpf_u_int32; - -/* - * Alignment macros. BPF_WORDALIGN rounds up to the next - * even multiple of BPF_ALIGNMENT. - */ -#ifndef __NetBSD__ -#define BPF_ALIGNMENT sizeof(bpf_int32) -#else -#define BPF_ALIGNMENT sizeof(long) -#endif -#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) - -#define BPF_MAXINSNS 512 -#define BPF_MAXBUFSIZE 0x8000 -#define BPF_MINBUFSIZE 32 - -/* - * Structure for BIOCSETF. - */ -struct bpf_program { - u_int bf_len; - struct bpf_insn *bf_insns; -}; - -/* - * Struct returned by BIOCGSTATS. - */ -struct bpf_stat { - u_int bs_recv; /* number of packets received */ - u_int bs_drop; /* number of packets dropped */ -}; - -/* - * Struct return by BIOCVERSION. This represents the version number of - * the filter language described by the instruction encodings below. - * bpf understands a program iff kernel_major == filter_major && - * kernel_minor >= filter_minor, that is, if the value returned by the - * running kernel has the same major number and a minor number equal - * equal to or less than the filter being downloaded. 
Otherwise, the - * results are undefined, meaning an error may be returned or packets - * may be accepted haphazardly. - * It has nothing to do with the source code version. - */ -struct bpf_version { - u_short bv_major; - u_short bv_minor; -}; -/* Current version number of filter architecture. */ -#define BPF_MAJOR_VERSION 1 -#define BPF_MINOR_VERSION 1 - -/* - * BPF ioctls - * - * The first set is for compatibility with Sun's pcc style - * header files. If your using gcc, we assume that you - * have run fixincludes so the latter set should work. - */ -#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) -#define BIOCGBLEN _IOR(B,102, u_int) -#define BIOCSBLEN _IOWR(B,102, u_int) -#define BIOCSETF _IOW(B,103, struct bpf_program) -#define BIOCFLUSH _IO(B,104) -#define BIOCPROMISC _IO(B,105) -#define BIOCGDLT _IOR(B,106, u_int) -#define BIOCGETIF _IOR(B,107, struct ifreq) -#define BIOCSETIF _IOW(B,108, struct ifreq) -#define BIOCSRTIMEOUT _IOW(B,109, struct timeval) -#define BIOCGRTIMEOUT _IOR(B,110, struct timeval) -#define BIOCGSTATS _IOR(B,111, struct bpf_stat) -#define BIOCIMMEDIATE _IOW(B,112, u_int) -#define BIOCVERSION _IOR(B,113, struct bpf_version) -#define BIOCSTCPF _IOW(B,114, struct bpf_program) -#define BIOCSUDPF _IOW(B,115, struct bpf_program) -#else -#define BIOCGBLEN _IOR('B',102, u_int) -#define BIOCSBLEN _IOWR('B',102, u_int) -#define BIOCSETF _IOW('B',103, struct bpf_program) -#define BIOCFLUSH _IO('B',104) -#define BIOCPROMISC _IO('B',105) -#define BIOCGDLT _IOR('B',106, u_int) -#define BIOCGETIF _IOR('B',107, struct ifreq) -#define BIOCSETIF _IOW('B',108, struct ifreq) -#define BIOCSRTIMEOUT _IOW('B',109, struct timeval) -#define BIOCGRTIMEOUT _IOR('B',110, struct timeval) -#define BIOCGSTATS _IOR('B',111, struct bpf_stat) -#define BIOCIMMEDIATE _IOW('B',112, u_int) -#define BIOCVERSION _IOR('B',113, struct bpf_version) -#define BIOCSTCPF _IOW('B',114, struct bpf_program) -#define BIOCSUDPF _IOW('B',115, struct bpf_program) -#endif - -/* 
- * Structure prepended to each packet. - */ -struct bpf_hdr { - struct timeval bh_tstamp; /* time stamp */ - bpf_u_int32 bh_caplen; /* length of captured portion */ - bpf_u_int32 bh_datalen; /* original length of packet */ - u_short bh_hdrlen; /* length of bpf header (this struct - plus alignment padding) */ -}; -/* - * Because the structure above is not a multiple of 4 bytes, some compilers - * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work. - * Only the kernel needs to know about it; applications use bh_hdrlen. - */ -#if defined(KERNEL) || defined(_KERNEL) -#define SIZEOF_BPF_HDR 18 -#endif - -/* - * Data-link level type codes. - */ - -/* - * These are the types that are the same on all platforms; on other - * platforms, a <net/bpf.h> should be supplied that defines the additional - * DLT_* codes appropriately for that platform (the BSDs, for example, - * should not just pick up this version of "bpf.h"; they should also define - * the additional DLT_* codes used by their kernels, as well as the values - * defined here - and, if the values they use for particular DLT_ types - * differ from those here, they should use their values, not the ones - * here). - */ -#define DLT_NULL 0 /* no link-layer encapsulation */ -#define DLT_EN10MB 1 /* Ethernet (10Mb) */ -#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ -#define DLT_AX25 3 /* Amateur Radio AX.25 */ -#define DLT_PRONET 4 /* Proteon ProNET Token Ring */ -#define DLT_CHAOS 5 /* Chaos */ -#define DLT_IEEE802 6 /* IEEE 802 Networks */ -#define DLT_ARCNET 7 /* ARCNET */ -#define DLT_SLIP 8 /* Serial Line IP */ -#define DLT_PPP 9 /* Point-to-point Protocol */ -#define DLT_FDDI 10 /* FDDI */ - -/* - * These are values from the traditional libpcap "bpf.h". - * Ports of this to particular platforms should replace these definitions - * with the ones appropriate to that platform, if the values are - * different on that platform. 
- */ -#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ -#define DLT_RAW 12 /* raw IP */ - -/* - * These are values from BSD/OS's "bpf.h". - * These are not the same as the values from the traditional libpcap - * "bpf.h"; however, these values shouldn't be generated by any - * OS other than BSD/OS, so the correct values to use here are the - * BSD/OS values. - * - * Platforms that have already assigned these values to other - * DLT_ codes, however, should give these codes the values - * from that platform, so that programs that use these codes will - * continue to compile - even though they won't correctly read - * files of these types. - */ -#ifdef __NetBSD__ -#ifndef DLT_SLIP_BSDOS -#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ -#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ -#endif -#else -#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ -#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ -#endif - -#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ - -/* - * These values are defined by NetBSD; other platforms should refrain from - * using them for other purposes, so that NetBSD savefiles with link - * types of 50 or 51 can be read as this type on all platforms. - */ -#define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ -#define DLT_PPP_ETHER 51 /* PPP over Ethernet */ - -/* - * Values between 100 and 103 are used in capture file headers as - * link-layer types corresponding to DLT_ types that differ - * between platforms; don't use those values for new DLT_ new types. - */ - -/* - * This value was defined by libpcap 0.5; platforms that have defined - * it with a different value should define it here with that value - - * a link type of 104 in a save file will be mapped to DLT_C_HDLC, - * whatever value that happens to be, so programs will correctly - * handle files with that link type regardless of the value of - * DLT_C_HDLC. 
- * - * The name DLT_C_HDLC was used by BSD/OS; we use that name for source - * compatibility with programs written for BSD/OS. - * - * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, - * for source compatibility with programs written for libpcap 0.5. - */ -#define DLT_C_HDLC 104 /* Cisco HDLC */ -#define DLT_CHDLC DLT_C_HDLC - -#define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ - -/* - * Values between 106 and 107 are used in capture file headers as - * link-layer types corresponding to DLT_ types that might differ - * between platforms; don't use those values for new DLT_ new types. - */ - -/* - * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except - * that the AF_ type in the link-layer header is in network byte order. - * - * OpenBSD defines it as 12, but that collides with DLT_RAW, so we - * define it as 108 here. If OpenBSD picks up this file, it should - * define DLT_LOOP as 12 in its version, as per the comment above - - * and should not use 108 as a DLT_ value. - */ -#define DLT_LOOP 108 - -/* - * Values between 109 and 112 are used in capture file headers as - * link-layer types corresponding to DLT_ types that might differ - * between platforms; don't use those values for new DLT_ types - * other than the corresponding DLT_ types. - */ - -/* - * This is for Linux cooked sockets. - */ -#define DLT_LINUX_SLL 113 - -/* - * Apple LocalTalk hardware. - */ -#define DLT_LTALK 114 - -/* - * Acorn Econet. - */ -#define DLT_ECONET 115 - -/* - * Reserved for use with OpenBSD ipfilter. - */ -#define DLT_IPFILTER 116 - -/* - * Reserved for use in capture-file headers as a link-layer type - * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, - * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it - * in capture-file headers. - */ -#define DLT_PFLOG 117 - -/* - * Registered for Cisco-internal use. 
- */ -#define DLT_CISCO_IOS 118 - -/* - * Reserved for 802.11 cards using the Prism II chips, with a link-layer - * header including Prism monitor mode information plus an 802.11 - * header. - */ -#define DLT_PRISM_HEADER 119 - -/* - * Reserved for Aironet 802.11 cards, with an Aironet link-layer header - * (see Doug Ambrisko's FreeBSD patches). - */ -#define DLT_AIRONET_HEADER 120 - -/* - * Reserved for Siemens HiPath HDLC. - */ -#define DLT_HHDLC 121 - -/* - * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from - * Don Lee <donlee@cray.com>. - * - * This is not for use with raw Fibre Channel, where the link-layer - * header starts with a Fibre Channel frame header; it's for IP-over-FC, - * where the link-layer header starts with an RFC 2625 Network_Header - * field. - */ -#define DLT_IP_OVER_FC 122 - -/* - * The instruction encodings. - */ -/* instruction classes */ -#define BPF_CLASS(code) ((code) & 0x07) -#define BPF_LD 0x00 -#define BPF_LDX 0x01 -#define BPF_ST 0x02 -#define BPF_STX 0x03 -#define BPF_ALU 0x04 -#define BPF_JMP 0x05 -#define BPF_RET 0x06 -#define BPF_MISC 0x07 - -/* ld/ldx fields */ -#define BPF_SIZE(code) ((code) & 0x18) -#define BPF_W 0x00 -#define BPF_H 0x08 -#define BPF_B 0x10 -#define BPF_MODE(code) ((code) & 0xe0) -#define BPF_IMM 0x00 -#define BPF_ABS 0x20 -#define BPF_IND 0x40 -#define BPF_MEM 0x60 -#define BPF_LEN 0x80 -#define BPF_MSH 0xa0 - -/* alu/jmp fields */ -#define BPF_OP(code) ((code) & 0xf0) -#define BPF_ADD 0x00 -#define BPF_SUB 0x10 -#define BPF_MUL 0x20 -#define BPF_DIV 0x30 -#define BPF_OR 0x40 -#define BPF_AND 0x50 -#define BPF_LSH 0x60 -#define BPF_RSH 0x70 -#define BPF_NEG 0x80 -#define BPF_JA 0x00 -#define BPF_JEQ 0x10 -#define BPF_JGT 0x20 -#define BPF_JGE 0x30 -#define BPF_JSET 0x40 -#define BPF_SRC(code) ((code) & 0x08) -#define BPF_K 0x00 -#define BPF_X 0x08 - -/* ret - BPF_K and BPF_X also apply */ -#define BPF_RVAL(code) ((code) & 0x18) -#define BPF_A 0x10 - -/* misc */ -#define BPF_MISCOP(code) 
((code) & 0xf8) -#define BPF_TAX 0x00 -#define BPF_TXA 0x80 - -/* - * The instruction data structure. - */ -struct bpf_insn { - u_short code; - u_char jt; - u_char jf; - bpf_int32 k; -}; - -/* - * Macros for insn array initializers. - */ -#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } -#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } - -#if defined(BSD) && (defined(KERNEL) || defined(_KERNEL)) -/* - * Systems based on non-BSD kernels don't have ifnet's (or they don't mean - * anything if it is in <net/if.h>) and won't work like this. - */ -# if __STDC__ -extern void bpf_tap(struct ifnet *, u_char *, u_int); -extern void bpf_mtap(struct ifnet *, struct mbuf *); -extern void bpfattach(struct ifnet *, u_int, u_int); -extern void bpfilterattach(int); -# else -extern void bpf_tap(); -extern void bpf_mtap(); -extern void bpfattach(); -extern void bpfilterattach(); -# endif /* __STDC__ */ -#endif /* BSD && (_KERNEL || KERNEL) */ -#if __STDC__ || defined(__cplusplus) -extern int bpf_validate(struct bpf_insn *, int); -extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); -#else -extern int bpf_validate(); -extern u_int bpf_filter(); -#endif - -/* - * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). - */ -#define BPF_MEMWORDS 16 - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/contrib/ipfilter/buildlinux b/contrib/ipfilter/buildlinux deleted file mode 100755 index 7ce043fc6e6a..000000000000 --- a/contrib/ipfilter/buildlinux +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh -LINUX=`uname -r | perl -e '$_=<>;@F=split(/\./);printf "%02d%02d\n",$F[0],$F[1];';` - -case ${LINUX} in - 0200) - make linuxrev "LINUXK=-DLINUX=${LINUX}" - ;; - 0201) - make linuxrev "LINUXK=-DLINUX=${LINUX}" - ;; - *) - echo "invalid linux version $LINUX" - exit 1; - ;; -esac -exit 0 diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c deleted file mode 100644 index fa21fc97b574..000000000000 --- a/contrib/ipfilter/common.c +++ /dev/null 
@@ -1,610 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/param.h> -#include <sys/time.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <stdio.h> -#include <string.h> -#include <limits.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <resolv.h> -#include <ctype.h> -#include <syslog.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ipf.h" -#include "facpri.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $"; -#endif - -extern struct ipopt_names ionames[], secclass[]; -extern int opts; -extern int use_inet6; - - -char *proto = NULL; -char flagset[] = "FSRPAUEC"; -u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, - TH_ECN, TH_CWR }; - -void fill6bits __P((int, u_32_t *)); -int count6bits __P((u_32_t *)); - -static char thishost[MAXHOSTNAMELEN]; - - -void initparse() -{ - gethostname(thishost, sizeof(thishost)); - thishost[sizeof(thishost) - 1] = '\0'; -} - - -int genmask(msk, mskp) -char *msk; -u_32_t *mskp; -{ - char *endptr = NULL; -#ifdef USE_INET6 - u_32_t addr; -#endif - int bits; - - if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) { - /* possibly of the form xxx.xxx.xxx.xxx - * or 0xYYYYYYYY */ -#ifdef USE_INET6 - if (use_inet6) { - if (inet_pton(AF_INET6, msk, &addr) != 1) - return -1; - } else -#endif - if 
(inet_aton(msk, (struct in_addr *)mskp) == 0) - return -1; - } else { - /* - * set x most significant bits - */ - bits = (int)strtol(msk, &endptr, 0); - if ((*endptr != '\0') || - ((bits > 32) && !use_inet6) || (bits < 0) || - ((bits > 128) && use_inet6)) - return -1; - if (use_inet6) - fill6bits(bits, mskp); - else { - if (bits == 0) - *mskp = 0; - else - *mskp = htonl(0xffffffff << (32 - bits)); - } - } - return 0; -} - - - -void fill6bits(bits, msk) -int bits; -u_32_t *msk; -{ - int i; - - for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32) - msk[i] = 0xffffffff; - - if (bits > 0 && i < 4) - msk[i++] = htonl(0xffffffff << (32 - bits)); - - while (i < 4) - msk[i++] = 0; -} - - -/* - * returns -1 if neither "hostmask/num" or "hostmask mask addr" are - * found in the line segments, there is an error processing this information, - * or there is an error processing ports information. - */ -int hostmask(seg, sa, msk, pp, cp, tp, linenum) -char ***seg; -u_32_t *sa, *msk; -u_short *pp, *tp; -int *cp; -int linenum; -{ - struct in_addr maskaddr; - char *s; - - /* - * is it possibly hostname/num ? 
- */ - if ((s = index(**seg, '/')) || - ((s = index(**seg, ':')) && !index(s + 1, ':'))) { - *s++ = '\0'; - if (genmask(s, msk) == -1) { - fprintf(stderr, "%d: bad mask (%s)\n", linenum, s); - return -1; - } - if (hostnum(sa, **seg, linenum) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - *sa &= *msk; - (*seg)++; - return ports(seg, pp, cp, tp, linenum); - } - - /* - * look for extra segments if "mask" found in right spot - */ - if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) { - if (hostnum(sa, **seg, linenum) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - (*seg)++; - if (inet_aton(**seg, &maskaddr) == 0) { - fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg); - return -1; - } - *msk = maskaddr.s_addr; - (*seg)++; - *sa &= *msk; - return ports(seg, pp, cp, tp, linenum); - } - - if (**seg) { - if (hostnum(sa, **seg, linenum) == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - if (use_inet6) { - u_32_t k = 0; - if (sa[0] || sa[1] || sa[2] || sa[3]) - k = 0xffffffff; - msk[0] = msk[1] = msk[2] = msk[3] = k; - } - else - *msk = *sa ? 
0xffffffff : 0; - return ports(seg, pp, cp, tp, linenum); - } - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; -} - -/* - * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_addr() call - */ -int hostnum(ipa, host, linenum) -u_32_t *ipa; -char *host; -int linenum; -{ - struct hostent *hp; - struct netent *np; - struct in_addr ip; - - if (!strcasecmp("any", host)) - return 0; -#ifdef USE_INET6 - if (use_inet6) { - if (inet_pton(AF_INET6, host, ipa) == 1) - return 0; - else - return -1; - } -#endif - if (isdigit(*host) && inet_aton(host, &ip)) { - *ipa = ip.s_addr; - return 0; - } - - if (!strcasecmp("<thishost>", host)) - host = thishost; - - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - fprintf(stderr, "%d: can't resolve hostname: %s\n", - linenum, host); - return -1; - } - *ipa = htonl(np->n_net); - return 0; - } - *ipa = *(u_32_t *)hp->h_addr; - return 0; -} - - -/* - * check for possible presence of the port fields in the line - */ -int ports(seg, pp, cp, tp, linenum) -char ***seg; -u_short *pp, *tp; -int *cp; -int linenum; -{ - int comp = -1; - - if (!*seg || !**seg || !***seg) - return 0; - if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { - (*seg)++; - if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) - comp = FR_EQUAL; - else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) - comp = FR_NEQUAL; - else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) - comp = FR_LESST; - else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) - comp = FR_GREATERT; - else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) - comp = FR_LESSTE; - else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) - comp = FR_GREATERTE; - else if (isalnum(***seg) && *(*seg + 2)) { - if (portnum(**seg, pp, linenum) == 0) - return -1; - (*seg)++; - if (!strcmp(**seg, "<>")) - comp = FR_OUTRANGE; - else if (!strcmp(**seg, "><")) - comp = FR_INRANGE; - else { - 
fprintf(stderr, - "%d: unknown range operator (%s)\n", - linenum, **seg); - return -1; - } - (*seg)++; - if (**seg == NULL) { - fprintf(stderr, "%d: missing 2nd port value\n", - linenum); - return -1; - } - if (portnum(**seg, tp, linenum) == 0) - return -1; - } else { - fprintf(stderr, "%d: unknown comparator (%s)\n", - linenum, **seg); - return -1; - } - if (comp != FR_OUTRANGE && comp != FR_INRANGE) { - (*seg)++; - if (portnum(**seg, pp, linenum) == 0) - return -1; - } - *cp = comp; - (*seg)++; - } - return 0; -} - - -/* - * find the port number given by the name, either from getservbyname() or - * straight atoi(). Return 1 on success, 0 on failure - */ -int portnum(name, port, linenum) -char *name; -u_short *port; -int linenum; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - int i; - - if (isdigit(*name)) { - if (ratoi(name, &i, 0, USHRT_MAX)) { - *port = (u_short)i; - return 1; - } - fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name); - return 0; - } - if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) { - sp = getservbyname(name, proto); - if (sp) { - *port = ntohs(sp->s_port); - return 1; - } - fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", - linenum, name); - return 0; - } - if (p1 != sp2->s_port) { - fprintf(stderr, "%d: %s %d/tcp is a different port to ", - linenum, name, p1); - fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); - return 0; - } - *port = ntohs(p1); - return 1; -} - - -u_char tcp_flags(flgs, mask, linenum) -char *flgs; -u_char *mask; -int linenum; -{ - u_char tcpf = 0, tcpfm = 0, *fp = &tcpf; - char *s, *t; - - if (*flgs == '0') { - s = strchr(flgs, '/'); - if (s) - *s++ = '\0'; - tcpf = strtol(flgs, NULL, 0); - fp = &tcpfm; - } else - s = flgs; - - for (; *s; s++) { - if (*s == '/' && fp == &tcpf) { - 
fp = &tcpfm; - if (*(s + 1) == '0') - break; - continue; - } - if (!(t = index(flagset, *s))) { - fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s); - return 0; - } - *fp |= flags[t - flagset]; - } - - if (s && *s == '0') - tcpfm = strtol(s, NULL, 0); - - if (!tcpfm) { - if (tcpf == TH_SYN) - tcpfm = 0xff & ~(TH_ECN|TH_CWR); - else - tcpfm = 0xff & ~(TH_ECN); - } - *mask = tcpfm; - return tcpf; -} - - -/* - * count consecutive 1's in bit mask. If the mask generated by counting - * consecutive 1's is different to that passed, return -1, else return # - * of bits. - */ -int countbits(ip) -u_32_t ip; -{ - u_32_t ipn; - int cnt = 0, i, j; - - ip = ipn = ntohl(ip); - for (i = 32; i; i--, ipn *= 2) - if (ipn & 0x80000000) - cnt++; - else - break; - ipn = 0; - for (i = 32, j = cnt; i; i--, j--) { - ipn *= 2; - if (j > 0) - ipn++; - } - if (ipn == ip) - return cnt; - return -1; -} - - -int count6bits(msk) -u_32_t *msk; -{ - int i = 0, k; - u_32_t j; - - for (k = 3; k >= 0; k--) - if (msk[k] == 0xffffffff) - i += 32; - else { - for (j = msk[k]; j; j <<= 1) - if (j & 0x80000000) - i++; - } - return i; -} - - -char *portname(pr, port) -int pr, port; -{ - static char buf[32]; - struct protoent *p = NULL; - struct servent *sv = NULL, *sv1 = NULL; - - if (pr == -1) { - if ((sv = getservbyport(htons(port), "tcp"))) { - strncpy(buf, sv->s_name, sizeof(buf)-1); - buf[sizeof(buf)-1] = '\0'; - sv1 = getservbyport(htons(port), "udp"); - sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? 
- NULL : sv1;
- }
- if (sv)
- return buf;
- } else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- return buf;
- }
- }
-
- (void) sprintf(buf, "%d", port);
- return buf;
-}
-
-
-int ratoi(ps, pi, min, max)
-char *ps;
-int *pi, min, max;
-{
- int i;
- char *pe;
-
- i = (int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-int ratoui(ps, pi, min, max)
-char *ps;
-u_int *pi, min, max;
-{
- u_int i;
- char *pe;
-
- i = (u_int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
-{
- struct in_addr ipa;
- int ones;
-
-#ifdef USE_INET6
- if (v == 6) {
- ones = count6bits(mask);
- if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3])
- printf("any");
- else {
- char ipbuf[64];
- printf("%s/%d",
- inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)),
- ones);
- }
- }
- else
-#endif
- if (!*addr && !*mask)
- printf("any");
- else {
- ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
- if ((ones = countbits(*mask)) == -1) {
- ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
- }
-}
-
-
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
-{
- static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
- "<>", "><"};
-
- if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
- pcmp1[frp->frp_cmp], frp->frp_top);
- else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
- portname(pr, frp->frp_port));
-}
-
-
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
-{
- char *s, c;
- int i;
-
- for (s = buf, i = len; i; i--) {
- c = *s++;
- if (isprint(c))
- putchar(c);
- else
- printf("\\%03o", c);
- if ((c == '\0') && zend)
- break;
- }
-}
-
-
-
-char *hostname(v, ip)
-int v;
-void *ip;
-{
-#ifdef
 USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
diff --git a/contrib/ipfilter/etc/etc.sed b/contrib/ipfilter/etc/etc.sed
deleted file mode 100644
index b14fc74851d7..000000000000
--- a/contrib/ipfilter/etc/etc.sed
+++ /dev/null
@@ -1,2 +0,0 @@
- Æ. Ä..'!CVS
- protocols
diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c
deleted file mode 100644
index 79afdd214729..000000000000
--- a/contrib/ipfilter/facpri.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <syslog.h>
-#include "facpri.h"
-
-#ifndef __STDC__
-# define const
-#endif
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp $";
-#endif
-
-typedef struct table {
- char *name;
- int value;
-} table_t;
-
-table_t facs[] = {
- { "kern", LOG_KERN }, { "user", LOG_USER },
- { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
- { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
- { "lpr", LOG_LPR }, { "news", LOG_NEWS },
- { "uucp", LOG_UUCP },
-#if LOG_CRON == LOG_CRON2
- { "cron2", LOG_CRON1 },
-#else
- { "cron", LOG_CRON1 },
-#endif
-#ifdef LOG_FTP
- { "ftp", LOG_FTP },
-#endif
-#ifdef LOG_AUTHPRIV
- { "authpriv", LOG_AUTHPRIV },
-#endif
-#ifdef LOG_AUDIT
- { "audit", LOG_AUDIT },
-#endif
-#ifdef LOG_LFMT
- { "logalert", LOG_LFMT },
-#endif
-#if LOG_CRON == LOG_CRON1
- { "cron", LOG_CRON2 },
-#else
- { "cron2", LOG_CRON2 },
-#endif
-#ifdef LOG_SECURITY
- { "security", LOG_SECURITY },
-#endif
- { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
- { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
- { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
- { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
- { NULL, 0 }
-};
-
-
-/*
- * map a facility number to its name
- */
-char *
-fac_toname(facpri)
- int facpri;
-{
- int i, j, fac;
-
- fac = facpri & LOG_FACMASK;
- j = fac >> 3;
- if (j < 24) {
- if (facs[j].value == fac)
- return facs[j].name;
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
- }
-
- return NULL;
-}
-
-
-/*
- * map a facility name to its number
- */
-int
-fac_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; facs[i].name; i++)
- if (!strcmp(facs[i].name, name))
- return facs[i].value;
- return -1;
-}
-
-
-table_t pris[] = {
- { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
- { "crit", LOG_CRIT }, { "err", LOG_ERR },
- { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
- { "info", LOG_INFO }, { "debug", LOG_DEBUG },
- { NULL, 0 }
-};
-
-
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; pris[i].name; i++)
- if (!strcmp(pris[i].name, name))
- return pris[i].value;
- return -1;
-}
-
-
-/*
- * map a priority number to its name
- */
-char *
-pri_toname(facpri)
- int facpri;
-{
- int i, pri;
-
- pri = facpri & LOG_PRIMASK;
- if (pris[pri].value == pri)
- return pris[pri].name;
- for (i = 0; pris[i].name; i++)
- if (pri == pris[i].value)
- return pris[i].name;
- return NULL;
-}
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
deleted file mode 100644
index 7b80377d112e..000000000000
--- a/contrib/ipfilter/facpri.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 1999-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- * $Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp $
- */
-
-#ifndef __FACPRI_H__
-#define __FACPRI_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-
-extern char *pri_toname __P((int));
-extern int pri_findname __P((char *));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#if LOG_CRON == (9<<3)
-# define LOG_CRON1 LOG_CRON
-# define LOG_CRON2 (15<<3)
-#endif
-#if LOG_CRON == (15<<3)
-# define LOG_CRON1 (9<<3)
-# define LOG_CRON2 LOG_CRON
-#endif
-
-#endif /* __FACPRI_H__ */
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
deleted file mode 100644
index e21af892a577..000000000000
--- a/contrib/ipfilter/fils.c
+++ /dev/null
@@ -1,1536 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#ifdef __FreeBSD__ -# ifndef __FreeBSD_cc_version -# include <osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <osreldate.h> -# endif -# endif -#endif -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#if !defined(__SVR4) && !defined(__svr4__) -# include <strings.h> -#endif -#include <sys/types.h> -#include <sys/time.h> -#include <sys/param.h> -#include <sys/file.h> -#if defined(STATETOP) -# if defined(_BSDI_VERSION) -# undef STATETOP) -# endif -# if defined(__FreeBSD__) && \ - (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000)) -# undef STATETOP -# endif -# if defined(__NetBSD_Version__) -# if (__NetBSD_Version__ < 105000000) -# undef STATETOP -# else -# include <poll.h> -# define USE_POLL -# endif -# endif -# if defined(sun) -# if defined(__svr4__) || defined(__SVR4) -# include <sys/select.h> -# else -# undef STATETOP /* NOT supported on SunOS4 */ -# endif -# endif -#endif -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <stddef.h> -#include <nlist.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include <netinet/tcp.h> -#if defined(STATETOP) && !defined(linux) -# include <netinet/ip_var.h> -# include <netinet/tcp_fsm.h> -#endif -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "ipf.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_auth.h" -#ifdef STATETOP -# include "netinet/ipl.h" -# include <ctype.h> -# if SOLARIS || defined(__NetBSD__) 
|| defined(_BSDI_VERSION) || \ - defined(__sgi) -# ifdef ERR -# undef ERR -# endif -# include <curses.h> -# else /* SOLARIS */ -# include <ncurses.h> -# endif /* SOLARIS */ -#endif /* STATETOP */ -#include "kmem.h" -#if defined(__NetBSD__) || (__OpenBSD__) -# include <paths.h> -#endif - -#if !defined(lint) -static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.45 2004/04/10 11:45:48 darrenr Exp $"; -#endif - -extern char *optarg; -extern int optind; - -#define PRINTF (void)printf -#define FPRINTF (void)fprintf -#define F_IN 0 -#define F_OUT 1 -#define F_ACIN 2 -#define F_ACOUT 3 -static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", - "ipacct(in)", "ipacct(out)" }; - -int opts = 0; -int use_inet6 = 0; -int live_kernel = 1; -int state_fd = -1; -int auth_fd = -1; -int ipf_fd = -1; - -#ifdef STATETOP -#define STSTRSIZE 80 -#define STGROWSIZE 16 -#define HOSTNMLEN 40 - -#define STSORT_PR 0 -#define STSORT_PKTS 1 -#define STSORT_BYTES 2 -#define STSORT_TTL 3 -#define STSORT_SRCIP 4 -#define STSORT_DSTIP 5 -#define STSORT_MAX STSORT_DSTIP -#define STSORT_DEFAULT STSORT_BYTES - - -typedef struct statetop { - union i6addr st_src; - union i6addr st_dst; - u_short st_sport; - u_short st_dport; - u_char st_p; - u_char st_state[2]; - U_QUAD_T st_pkts; - U_QUAD_T st_bytes; - u_long st_age; -} statetop_t; -#endif - -extern int main __P((int, char *[])); -static void showstats __P((friostat_t *, u_32_t)); -static void showfrstates __P((ipfrstat_t *)); -static void showlist __P((friostat_t *)); -static void showipstates __P((ips_stat_t *)); -static void showauthstates __P((fr_authstat_t *)); -static void showgroups __P((friostat_t *)); -static void Usage __P((char *)); -static void printlist __P((frentry_t *)); -static void parse_ipportstr __P((const char *, struct in_addr *, int *)); -static int ipfstate_live __P((char *, friostat_t **, ips_stat_t **, - ipfrstat_t **, fr_authstat_t **, 
u_32_t *)); -static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **, - ipfrstat_t **, fr_authstat_t **, u_32_t *)); -#ifdef STATETOP -static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int)); -static char *ttl_to_string __P((long)); -static int sort_p __P((const void *, const void *)); -static int sort_pkts __P((const void *, const void *)); -static int sort_bytes __P((const void *, const void *)); -static int sort_ttl __P((const void *, const void *)); -static int sort_srcip __P((const void *, const void *)); -static int sort_dstip __P((const void *, const void *)); -#endif -#if SOLARIS -void showqiflist __P((char *)); -#endif - - -static void Usage(name) -char *name; -{ -#ifdef USE_INET6 - fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name); -#else - fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name); -#endif - fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n"); - fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name); - exit(1); -} - - -int main(argc,argv) -int argc; -char *argv[]; -{ - fr_authstat_t frauthst; - fr_authstat_t *frauthstp = &frauthst; - friostat_t fio; - friostat_t *fiop = &fio; - ips_stat_t ipsst; - ips_stat_t *ipsstp = &ipsst; - ipfrstat_t ifrst; - ipfrstat_t *ifrstp = &ifrst; - char *device = IPL_NAME, *memf = NULL; - char *kern = NULL; - int c, myoptind; - struct protoent *proto; - - int protocol = -1; /* -1 = wild card for any protocol */ - int refreshtime = 1; /* default update time */ - int sport = -1; /* -1 = wild card for any source port */ - int dport = -1; /* -1 = wild card for any dest port */ - int topclosed = 0; /* do not show closed tcp sessions */ - struct in_addr saddr, daddr; - u_32_t frf; - - saddr.s_addr = INADDR_ANY; /* default any source addr */ - daddr.s_addr = INADDR_ANY; /* default any dest addr */ - - /* - * Parse these two arguments now lest there be any buffer overflows - 
* in the parsing of the rest. - */ - myoptind = optind; - while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1) - switch (c) - { - case 'M' : - memf = optarg; - live_kernel = 0; - break; - case 'N' : - kern = optarg; - live_kernel = 0; - break; - } - optind = myoptind; - - if (live_kernel == 1) { - if ((state_fd = open(IPL_STATE, O_RDONLY)) == -1) { - perror("open"); - exit(-1); - } - if ((auth_fd = open(IPL_AUTH, O_RDONLY)) == -1) { - perror("open"); - exit(-1); - } - if ((ipf_fd = open(device, O_RDONLY)) == -1) { - perror("open"); - exit(-1); - } - } - - if (kern != NULL || memf != NULL) - { - (void)setuid(getuid()); - (void)setgid(getgid()); - } - - if (openkmem(kern, memf) == -1) - exit(-1); - - (void)setuid(getuid()); - (void)setgid(getgid()); - - while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1) - { - switch (c) - { -#ifdef USE_INET6 - case '6' : - use_inet6 = 1; - break; -#endif - case 'a' : - opts |= OPT_ACCNT|OPT_SHOWLIST; - break; - case 'A' : - device = IPAUTH_NAME; - opts |= OPT_AUTHSTATS; - break; - case 'C' : - topclosed = 1; - break; - case 'd' : - device = optarg; - break; - case 'D' : - parse_ipportstr(optarg, &daddr, &dport); - break; - case 'f' : - opts |= OPT_FRSTATES; - break; - case 'g' : - opts |= OPT_GROUPS; - break; - case 'h' : - opts |= OPT_HITS; - break; - case 'i' : - opts |= OPT_INQUE|OPT_SHOWLIST; - break; - case 'I' : - opts |= OPT_INACTIVE; - break; - case 'l' : - opts |= OPT_SHOWLIST; - break; - case 'M' : - break; - case 'N' : - break; - case 'n' : - opts |= OPT_SHOWLINENO; - break; - case 'o' : - opts |= OPT_OUTQUE|OPT_SHOWLIST; - break; - case 'P' : - if ((proto = getprotobyname(optarg)) != NULL) { - protocol = proto->p_proto; - } else if (!sscanf(optarg, "%ud", &protocol) || - (protocol < 0)) { - fprintf(stderr, "%s : Invalid protocol: %s\n", - argv[0], optarg); - exit(-2); - } - break; - case 'q' : -#if SOLARIS - showqiflist(kern); - exit(0); - break; -#else - fprintf(stderr, "-q only 
availble on Solaris\n"); - exit(1); - break; -#endif - case 's' : - opts |= OPT_IPSTATES; - break; - case 'S' : - parse_ipportstr(optarg, &saddr, &sport); - break; - case 't' : -#ifdef STATETOP - opts |= OPT_STATETOP; - break; -#else - fprintf(stderr, - "%s : state top facility not compiled in\n", - argv[0]); - exit(-2); -#endif - case 'T' : - if (!sscanf(optarg, "%d", &refreshtime) || - (refreshtime <= 0)) { - fprintf(stderr, - "%s : Invalid refreshtime < 1 : %s\n", - argv[0], optarg); - exit(-2); - } - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - default : - Usage(argv[0]); - break; - } - } - - if (live_kernel == 1) { - bzero((char *)&fio, sizeof(fio)); - bzero((char *)&ipsst, sizeof(ipsst)); - bzero((char *)&ifrst, sizeof(ifrst)); - - ipfstate_live(device, &fiop, &ipsstp, &ifrstp, - &frauthstp, &frf); - } else - ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); - - if (opts & OPT_IPSTATES) { - showipstates(ipsstp); - } else if (opts & OPT_SHOWLIST) { - showlist(fiop); - if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){ - opts &= ~OPT_OUTQUE; - showlist(fiop); - } - } else { - if (opts & OPT_FRSTATES) - showfrstates(ifrstp); -#ifdef STATETOP - else if (opts & OPT_STATETOP) - topipstates(saddr, daddr, sport, dport, - protocol, refreshtime, topclosed); -#endif - else if (opts & OPT_AUTHSTATS) - showauthstates(frauthstp); - else if (opts & OPT_GROUPS) - showgroups(fiop); - else - showstats(fiop, frf); - } - return 0; -} - - -/* - * Fill in the stats structures from the live kernel, using a combination - * of ioctl's and copying directly from kernel memory. 
- */ -int ipfstate_live(device, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp) -char *device; -friostat_t **fiopp; -ips_stat_t **ipsstpp; -ipfrstat_t **ifrstpp; -fr_authstat_t **frauthstpp; -u_32_t *frfp; -{ - - if (!(opts & OPT_AUTHSTATS) && ioctl(ipf_fd, SIOCGETFS, fiopp) == -1) { - perror("ioctl(ipf:SIOCGETFS)"); - exit(-1); - } - - if ((opts & OPT_IPSTATES)) { - if ((ioctl(state_fd, SIOCGETFS, ipsstpp) == -1)) { - perror("ioctl(state:SIOCGETFS)"); - exit(-1); - } - } - if ((opts & OPT_FRSTATES) && - (ioctl(ipf_fd, SIOCGFRST, ifrstpp) == -1)) { - perror("ioctl(SIOCGFRST)"); - exit(-1); - } - - if (opts & OPT_VERBOSE) - PRINTF("opts %#x name %s\n", opts, device); - - if ((opts & OPT_AUTHSTATS) && - (ioctl(auth_fd, SIOCATHST, frauthstpp) == -1)) { - perror("ioctl(SIOCATHST)"); - exit(-1); - } - - if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1) - perror("ioctl(SIOCGETFF)"); - - return ipf_fd; -} - - -/* - * Build up the stats structures from data held in the "core" memory. - * This is mainly useful when looking at data in crash dumps and ioctl's - * just won't work any more. 
- */ -void ipfstate_dead(kernel, fiopp, ipsstpp, ifrstpp, frauthstpp, frfp) -char *kernel; -friostat_t **fiopp; -ips_stat_t **ipsstpp; -ipfrstat_t **ifrstpp; -fr_authstat_t **frauthstpp; -u_32_t *frfp; -{ - static fr_authstat_t frauthst, *frauthstp; - static ips_stat_t ipsst, *ipsstp; - static ipfrstat_t ifrst, *ifrstp; - static friostat_t fio, *fiop; - - void *rules[2][2]; - struct nlist deadlist[42] = { - { "fr_authstats" }, /* 0 */ - { "fae_list" }, - { "ipauth" }, - { "fr_authlist" }, - { "fr_authstart" }, - { "fr_authend" }, /* 5 */ - { "fr_authnext" }, - { "fr_auth" }, - { "fr_authused" }, - { "fr_authsize" }, - { "fr_defaultauthage" }, /* 10 */ - { "fr_authpkts" }, - { "fr_auth_lock" }, - { "frstats" }, - { "ips_stats" }, - { "ips_num" }, /* 15 */ - { "ips_wild" }, - { "ips_list" }, - { "ips_table" }, - { "fr_statemax" }, - { "fr_statesize" }, /* 20 */ - { "fr_state_doflush" }, - { "fr_state_lock" }, - { "ipfr_heads" }, - { "ipfr_nattab" }, - { "ipfr_stats" }, /* 25 */ - { "ipfr_inuse" }, - { "fr_ipfrttl" }, - { "fr_frag_lock" }, - { "ipfr_timer_id" }, - { "fr_nat_lock" }, /* 30 */ - { "ipfilter" }, - { "ipfilter6" }, - { "ipacct" }, - { "ipacct6" }, - { "ipl_frouteok" }, /* 35 */ - { "fr_running" }, - { "ipfgroups" }, - { "fr_active" }, - { "fr_pass" }, - { "fr_flags" }, /* 40 */ - { NULL } - }; - - - frauthstp = &frauthst; - ipsstp = &ipsst; - ifrstp = &ifrst; - fiop = &fio; - - *frfp = 0; - *fiopp = fiop; - *ipsstpp = ipsstp; - *ifrstpp = ifrstp; - *frauthstpp = frauthstp; - - bzero((char *)fiop, sizeof(*fiop)); - bzero((char *)ipsstp, sizeof(*ipsstp)); - bzero((char *)ifrstp, sizeof(*ifrstp)); - bzero((char *)frauthstp, sizeof(*frauthstp)); - - if (nlist(kernel, deadlist) == -1) { - fprintf(stderr, "nlist error\n"); - return; - } - - /* - * This is for SIOCGETFF. - */ - kmemcpy((char *)frfp, (u_long)deadlist[40].n_value, sizeof(*frfp)); - - /* - * f_locks is a combination of the lock variable from each part of - * ipfilter (state, auth, nat, fragments). 
- */ - kmemcpy((char *)fiop, (u_long)deadlist[13].n_value, sizeof(*fiop)); - kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[22].n_value, - sizeof(fiop->f_locks[0])); - kmemcpy((char *)&fiop->f_locks[0], (u_long)deadlist[30].n_value, - sizeof(fiop->f_locks[1])); - kmemcpy((char *)&fiop->f_locks[2], (u_long)deadlist[28].n_value, - sizeof(fiop->f_locks[2])); - kmemcpy((char *)&fiop->f_locks[3], (u_long)deadlist[12].n_value, - sizeof(fiop->f_locks[3])); - - /* - * Get pointers to each list of rules (active, inactive, in, out) - */ - kmemcpy((char *)&rules, (u_long)deadlist[31].n_value, sizeof(rules)); - fiop->f_fin[0] = rules[0][0]; - fiop->f_fin[1] = rules[0][1]; - fiop->f_fout[0] = rules[1][0]; - fiop->f_fout[1] = rules[1][1]; - - /* - * Same for IPv6, except make them null if support for it is not - * being compiled in. - */ -#ifdef USE_INET6 - kmemcpy((char *)&rules, (u_long)deadlist[32].n_value, sizeof(rules)); - fiop->f_fin6[0] = rules[0][0]; - fiop->f_fin6[1] = rules[0][1]; - fiop->f_fout6[0] = rules[1][0]; - fiop->f_fout6[1] = rules[1][1]; -#else - fiop->f_fin6[0] = NULL; - fiop->f_fin6[1] = NULL; - fiop->f_fout6[0] = NULL; - fiop->f_fout6[1] = NULL; -#endif - - /* - * Now get accounting rules pointers. - */ - kmemcpy((char *)&rules, (u_long)deadlist[33].n_value, sizeof(rules)); - fiop->f_acctin[0] = rules[0][0]; - fiop->f_acctin[1] = rules[0][1]; - fiop->f_acctout[0] = rules[1][0]; - fiop->f_acctout[1] = rules[1][1]; - -#ifdef USE_INET6 - kmemcpy((char *)&rules, (u_long)deadlist[34].n_value, sizeof(rules)); - fiop->f_acctin6[0] = rules[0][0]; - fiop->f_acctin6[1] = rules[0][1]; - fiop->f_acctout6[0] = rules[1][0]; - fiop->f_acctout6[1] = rules[1][1]; -#else - fiop->f_acctin6[0] = NULL; - fiop->f_acctin6[1] = NULL; - fiop->f_acctout6[0] = NULL; - fiop->f_acctout6[1] = NULL; -#endif - - /* - * A collection of "global" variables used inside the kernel which - * are all collected in friostat_t via ioctl. 
- */ - kmemcpy((char *)&fiop->f_froute, (u_long)deadlist[35].n_value, - sizeof(fiop->f_froute)); - kmemcpy((char *)&fiop->f_running, (u_long)deadlist[36].n_value, - sizeof(fiop->f_running)); - kmemcpy((char *)&fiop->f_groups, (u_long)deadlist[37].n_value, - sizeof(fiop->f_groups)); - kmemcpy((char *)&fiop->f_active, (u_long)deadlist[38].n_value, - sizeof(fiop->f_active)); - kmemcpy((char *)&fiop->f_defpass, (u_long)deadlist[39].n_value, - sizeof(fiop->f_defpass)); - - /* - * Build up the state information stats structure. - */ - kmemcpy((char *)ipsstp, (u_long)deadlist[14].n_value, sizeof(*ipsstp)); - kmemcpy((char *)&ipsstp->iss_active, (u_long)deadlist[15].n_value, - sizeof(ipsstp->iss_active)); - ipsstp->iss_table = (void *)deadlist[18].n_value; - ipsstp->iss_list = (void *)deadlist[17].n_value; - - /* - * Build up the authentiation information stats structure. - */ - kmemcpy((char *)frauthstp, (u_long)deadlist[0].n_value, - sizeof(*frauthstp)); - frauthstp->fas_faelist = (void *)deadlist[1].n_value; - - /* - * Build up the fragment information stats structure. - */ - kmemcpy((char *)ifrstp, (u_long)deadlist[25].n_value, - sizeof(*ifrstp)); - ifrstp->ifs_table = (void *)deadlist[23].n_value; - ifrstp->ifs_nattab = (void *)deadlist[24].n_value; - kmemcpy((char *)&ifrstp->ifs_inuse, (u_long)deadlist[26].n_value, - sizeof(ifrstp->ifs_inuse)); -} - - -/* - * Display the kernel stats for packets blocked and passed and other - * associated running totals which are kept. 
- */ -static void showstats(fp, frf) -struct friostat *fp; -u_32_t frf; -{ - -#if SOLARIS - PRINTF("dropped packets:\tin %lu\tout %lu\n", - fp->f_st[0].fr_drop, fp->f_st[1].fr_drop); - PRINTF("non-data packets:\tin %lu\tout %lu\n", - fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata); - PRINTF("no-data packets:\tin %lu\tout %lu\n", - fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata); - PRINTF("non-ip packets:\t\tin %lu\tout %lu\n", - fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); - PRINTF(" bad packets:\t\tin %lu\tout %lu\n", - fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); - PRINTF("copied messages:\tin %lu\tout %lu\n", - fp->f_st[0].fr_copy, fp->f_st[1].fr_copy); -#endif -#ifdef USE_INET6 - PRINTF(" IPv6 packets:\t\tin %lu out %lu\n", - fp->f_st[0].fr_ipv6[0], fp->f_st[0].fr_ipv6[1]); -#endif - PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu", - fp->f_st[0].fr_block, fp->f_st[0].fr_pass, - fp->f_st[0].fr_nom); - PRINTF(" counted %lu short %lu\n", - fp->f_st[0].fr_acct, fp->f_st[0].fr_short); - PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu", - fp->f_st[1].fr_block, fp->f_st[1].fr_pass, - fp->f_st[1].fr_nom); - PRINTF(" counted %lu short %lu\n", - fp->f_st[1].fr_acct, fp->f_st[1].fr_short); - PRINTF(" input packets logged:\tblocked %lu passed %lu\n", - fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); - PRINTF("output packets logged:\tblocked %lu passed %lu\n", - fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl); - PRINTF(" packets logged:\tinput %lu output %lu\n", - fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl); - PRINTF(" log failures:\t\tinput %lu output %lu\n", - fp->f_st[0].fr_skip, fp->f_st[1].fr_skip); - PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n", - fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr, fp->f_st[0].fr_cfr); - PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n", - fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr, fp->f_st[1].fr_cfr); - PRINTF("packet state(in):\tkept %lu\tlost %lu\n", - fp->f_st[0].fr_ads, 
fp->f_st[0].fr_bads); - PRINTF("packet state(out):\tkept %lu\tlost %lu\n", - fp->f_st[1].fr_ads, fp->f_st[1].fr_bads); - PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n", - fp->f_st[0].fr_ret, fp->f_st[1].fr_ret); - PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc); - PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n", - fp->f_st[0].fr_chit, fp->f_st[1].fr_chit); - PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n", - fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]); - PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n", - fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); - PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", - fp->f_froute[0], fp->f_froute[1]); - PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", - fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); - - PRINTF("Packet log flags set: (%#x)\n", frf); - if (frf & FF_LOGPASS) - PRINTF("\tpackets passed through filter\n"); - if (frf & FF_LOGBLOCK) - PRINTF("\tpackets blocked by filter\n"); - if (frf & FF_LOGNOMATCH) - PRINTF("\tpackets not matched by filter\n"); - if (!frf) - PRINTF("\tnone\n"); -} - - -/* - * Print out a list of rules from the kernel, starting at the one passed. 
- */ -static void printlist(fp) -frentry_t *fp; -{ - struct frentry fb; - int n; - - for (n = 1; fp; n++) { - if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) { - perror("kmemcpy"); - return; - } - fp = &fb; - if (opts & OPT_OUTQUE) - fp->fr_flags |= FR_OUTQUE; - if (opts & (OPT_HITS|OPT_VERBOSE)) -#ifdef USE_QUAD_T - PRINTF("%qu ", (unsigned long long) fp->fr_hits); -#else - PRINTF("%lu ", fp->fr_hits); -#endif - if (opts & (OPT_ACCNT|OPT_VERBOSE)) -#ifdef USE_QUAD_T - PRINTF("%qu ", (unsigned long long) fp->fr_bytes); -#else - PRINTF("%lu ", fp->fr_bytes); -#endif - if (opts & OPT_SHOWLINENO) - PRINTF("@%d ", n); - printfr(fp); - if (opts & OPT_VERBOSE) - binprint(fp); - if (fp->fr_grp) - printlist(fp->fr_grp); - fp = fp->fr_next; - } -} - -/* - * print out all of the asked for rule sets, using the stats struct as - * the base from which to get the pointers. - */ -static void showlist(fiop) -struct friostat *fiop; -{ - struct frentry *fp = NULL; - int i, set; - - set = fiop->f_active; - if (opts & OPT_INACTIVE) - set = 1 - set; - if (opts & OPT_ACCNT) { -#ifdef USE_INET6 - if ((use_inet6) && (opts & OPT_OUTQUE)) { - i = F_ACOUT; - fp = (struct frentry *)fiop->f_acctout6[set]; - } else if ((use_inet6) && (opts & OPT_INQUE)) { - i = F_ACIN; - fp = (struct frentry *)fiop->f_acctin6[set]; - } else -#endif - if (opts & OPT_OUTQUE) { - i = F_ACOUT; - fp = (struct frentry *)fiop->f_acctout[set]; - } else if (opts & OPT_INQUE) { - i = F_ACIN; - fp = (struct frentry *)fiop->f_acctin[set]; - } else { - FPRINTF(stderr, "No -i or -o given with -a\n"); - return; - } - } else { -#ifdef USE_INET6 - if ((use_inet6) && (opts & OPT_OUTQUE)) { - i = F_OUT; - fp = (struct frentry *)fiop->f_fout6[set]; - } else if ((use_inet6) && (opts & OPT_INQUE)) { - i = F_IN; - fp = (struct frentry *)fiop->f_fin6[set]; - } else -#endif - if (opts & OPT_OUTQUE) { - i = F_OUT; - fp = (struct frentry *)fiop->f_fout[set]; - } else if (opts & OPT_INQUE) { - i = F_IN; - fp = (struct frentry 
*)fiop->f_fin[set]; - } else - return; - } - if (opts & OPT_VERBOSE) - FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i); - - if (opts & OPT_VERBOSE) - PRINTF("fp %p set %d\n", fp, set); - if (fp == NULL) { - FPRINTF(stderr, "empty list for %s%s\n", - (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); - return; - } - printlist(fp); -} - - -/* - * Display ipfilter stateful filtering information - */ -static void showipstates(ipsp) -ips_stat_t *ipsp; -{ - ipstate_t *istab[IPSTATE_SIZE]; - - /* - * If a list of states hasn't been asked for, only print out stats - */ - if (!(opts & OPT_SHOWLIST)) { - PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", - ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); - PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, - ipsp->iss_miss); - PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); - PRINTF("\t%lu logged\n\t%lu log failures\n", - ipsp->iss_logged, ipsp->iss_logfail); - PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", - ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); - return; - } - - if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab))) - return; - - /* - * Print out all the state information currently held in the kernel. - */ - while (ipsp->iss_list != NULL) { - ipsp->iss_list = printstate(ipsp->iss_list, opts); - } -} - - -#if SOLARIS -/* - * Displays the list of interfaces of which IPFilter has taken control in - * Solaris. 
- */ -void showqiflist(kern) -char *kern; -{ - struct nlist qifnlist[2] = { - { "_qif_head" }, - { NULL } - }; - qif_t qif, *qf; - ill_t ill; - - if (kern == NULL) - kern = "/dev/ksyms"; - - if (nlist(kern, qifnlist) == -1) { - fprintf(stderr, "nlist error\n"); - return; - } - - printf("List of interfaces bound by IPFilter:\n"); - if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf))) - return; - while (qf) { - if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif))) - break; - if (kmemcpy((char *)&ill, (u_long)qif.qf_ill, sizeof(ill))) - ill.ill_ppa = -1; - printf("Name: %-8s Header Length: %2d SAP: %s (%04x) PPA %d", - qif.qf_name, qif.qf_hl, -#ifdef IP6_DL_SAP - (qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4" -#else - "IPv4" -#endif - , qif.qf_sap, ill.ill_ppa); - printf(" %ld %ld", qif.qf_incnt, qif.qf_outcnt); - qf = qif.qf_next; - putchar('\n'); - } -} -#endif - - -#ifdef STATETOP -static void topipstates(saddr, daddr, sport, dport, protocol, - refreshtime, topclosed) -struct in_addr saddr; -struct in_addr daddr; -int sport; -int dport; -int protocol; -int refreshtime; -int topclosed; -{ - char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; - int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; - int i, j, winx, tsentry, maxx, maxy, redraw = 0; - ipstate_t *istab[IPSTATE_SIZE], ips; - ips_stat_t ipsst, *ipsstp = &ipsst; - statetop_t *tstable = NULL, *tp; - char hostnm[HOSTNMLEN]; - struct protoent *proto; - int c = 0; - time_t t; -#ifdef USE_POLL - struct pollfd set[1]; -#else - struct timeval selecttimeout; - fd_set readfd; -#endif - - /* init ncurses stuff */ - initscr(); - cbreak(); - noecho(); - - /* init hostname */ - gethostname(hostnm, sizeof(hostnm) - 1); - hostnm[sizeof(hostnm) - 1] = '\0'; - - /* repeat until user aborts */ - while ( 1 ) { - - /* get state table */ - bzero((char *)&ipsst, sizeof(&ipsst)); - if ((ioctl(state_fd, SIOCGETFS, &ipsstp) == -1)) { - perror("ioctl(SIOCGETFS)"); - exit(-1); - } - if 
(kmemcpy((char *)istab, (u_long)ipsstp->iss_table, - sizeof(ips))) - return; - - /* clear the history */ - tsentry = -1; - - /* read the state table and store in tstable */ - while (ipsstp->iss_list) { - if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list, - sizeof(ips))) - break; - ipsstp->iss_list = ips.is_next; - - if (((saddr.s_addr == INADDR_ANY) || - (saddr.s_addr == ips.is_saddr)) && - ((daddr.s_addr == INADDR_ANY) || - (daddr.s_addr == ips.is_daddr)) && - ((protocol < 0) || (protocol == ips.is_p)) && - (((ips.is_p != IPPROTO_TCP) && - (ips.is_p != IPPROTO_UDP)) || - (((sport < 0) || - (htons(sport) == ips.is_sport)) && - ((dport < 0) || - (htons(dport) == ips.is_dport)))) && - (topclosed || (ips.is_p != IPPROTO_TCP) || - (ips.is_state[0] < TCPS_LAST_ACK) || - (ips.is_state[1] < TCPS_LAST_ACK))) { - /* - * if necessary make room for this state - * entry - */ - tsentry++; - if (!maxtsentries || - (tsentry == maxtsentries)) { - - maxtsentries += STGROWSIZE; - tstable = realloc(tstable, maxtsentries * sizeof(statetop_t)); - if (!tstable) { - perror("malloc"); - exit(-1); - } - } - - /* fill structure */ - tp = tstable + tsentry; - tp->st_src = ips.is_src; - tp->st_dst = ips.is_dst; - tp->st_p = ips.is_p; - tp->st_state[0] = ips.is_state[0]; - tp->st_state[1] = ips.is_state[1]; - tp->st_pkts = ips.is_pkts; - tp->st_bytes = ips.is_bytes; - tp->st_age = ips.is_age; - if ((ips.is_p == IPPROTO_TCP) || - (ips.is_p == IPPROTO_UDP)) { - tp->st_sport = ips.is_sport; - tp->st_dport = ips.is_dport; - } - - } - } - - - /* sort the array */ - if (tsentry != -1) - switch (sorting) - { - case STSORT_PR: - qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_p); - break; - case STSORT_PKTS: - qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_pkts); - break; - case STSORT_BYTES: - qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_bytes); - break; - case STSORT_TTL: - qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_ttl); - break; - case STSORT_SRCIP: - 
qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_srcip); - break; - case STSORT_DSTIP: - qsort(tstable, tsentry + 1, - sizeof(statetop_t), sort_dstip); - break; - default: - break; - } - - /* print title */ - erase(); - getmaxyx(stdscr, maxy, maxx); - attron(A_BOLD); - winx = 0; - move(winx,0); - sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION); - for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) - printw(" "); - printw("%s", str1); - attroff(A_BOLD); - - /* just for fun add a clock */ - move(winx, maxx - 8); - t = time(NULL); - strftime(str1, 80, "%T", localtime(&t)); - printw("%s\n", str1); - - /* - * print the display filters, this is placed in the loop, - * because someday I might add code for changing these - * while the programming is running :-) - */ - if (sport >= 0) - sprintf(str1, "%s,%d", inet_ntoa(saddr), sport); - else - sprintf(str1, "%s", inet_ntoa(saddr)); - - if (dport >= 0) - sprintf(str2, "%s,%d", inet_ntoa(daddr), dport); - else - sprintf(str2, "%s", inet_ntoa(daddr)); - - if (protocol < 0) - strcpy(str3, "any"); - else if ((proto = getprotobynumber(protocol)) != NULL) - sprintf(str3, "%s", proto->p_name); - else - sprintf(str3, "%d", protocol); - - switch (sorting) - { - case STSORT_PR: - sprintf(str4, "proto"); - break; - case STSORT_PKTS: - sprintf(str4, "# pkts"); - break; - case STSORT_BYTES: - sprintf(str4, "# bytes"); - break; - case STSORT_TTL: - sprintf(str4, "ttl"); - break; - case STSORT_SRCIP: - sprintf(str4, "srcip"); - break; - case STSORT_DSTIP: - sprintf(str4, "dstip"); - break; - default: - sprintf(str4, "unknown"); - break; - } - - if (reverse) - strcat(str4, " (reverse)"); - - winx += 2; - move(winx,0); - printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n", - str1, str2, str3, str4); - - /* print column description */ - winx += 2; - move(winx,0); - attron(A_BOLD); - printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP", - "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl"); - attroff(A_BOLD); - - 
/* print all the entries */ - tp = tstable; - if (reverse) - tp += tsentry; - - if (tsentry > maxy - 6) - tsentry = maxy - 6; - for (i = 0; i <= tsentry; i++) { - /* print src/dest and port */ - if ((tp->st_p == IPPROTO_TCP) || - (tp->st_p == IPPROTO_UDP)) { - sprintf(str1, "%s,%hu", - inet_ntoa(tp->st_src.in4), - ntohs(tp->st_sport)); - sprintf(str2, "%s,%hu", - inet_ntoa(tp->st_dst.in4), - ntohs(tp->st_dport)); - } else { - sprintf(str1, "%s", inet_ntoa(tp->st_src.in4)); - sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4)); - } - winx++; - move(winx, 0); - printw("%-21s %-21s", str1, str2); - - /* print state */ - sprintf(str1, "%X/%X", tp->st_state[0], - tp->st_state[1]); - printw(" %3s", str1); - - /* print proto */ - proto = getprotobynumber(tp->st_p); - if (proto) { - strncpy(str1, proto->p_name, 4); - str1[4] = '\0'; - } else { - sprintf(str1, "%d", tp->st_p); - } - printw(" %4s", str1); - /* print #pkt/#bytes */ -#ifdef USE_QUAD_T - printw(" %7qu %9qu", (unsigned long long) tp->st_pkts, - (unsigned long long) tp->st_bytes); -#else - printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes); -#endif - printw(" %9s", ttl_to_string(tp->st_age)); - - if (reverse) - tp--; - else - tp++; - } - - /* screen data structure is filled, now update the screen */ - if (redraw) - clearok(stdscr,1); - - refresh(); - if (redraw) { - clearok(stdscr,0); - redraw = 0; - } - - /* wait for key press or a 1 second time out period */ -#ifdef USE_POLL - set[0].fd = 0; - set[0].events = POLLIN; - poll(set, 1, refreshtime * 1000); - - /* if key pressed, read all waiting keys */ - if (set[0].revents & POLLIN) -#else - selecttimeout.tv_sec = refreshtime; - selecttimeout.tv_usec = 0; - FD_ZERO(&readfd); - FD_SET(0, &readfd); - select(1, &readfd, NULL, NULL, &selecttimeout); - - /* if key pressed, read all waiting keys */ - if (FD_ISSET(0, &readfd)) -#endif - - { - c = wgetch(stdscr); - if (c == ERR) - continue; - - if (isalpha(c) && isupper(c)) - c = tolower(c); - if (c == 'l') { - redraw = 1; - } 
else if (c == 'q') { - break; /* exits while() loop */ - } else if (c == 'r') { - reverse = !reverse; - } else if (c == 's') { - sorting++; - if (sorting > STSORT_MAX) - sorting = 0; - } - } - } /* while */ - - printw("\n"); - nocbreak(); - endwin(); -} -#endif - - -/* - * Show fragment cache information that's held in the kernel. - */ -static void showfrstates(ifsp) -ipfrstat_t *ifsp; -{ - struct ipfr *ipfrtab[IPFT_SIZE], ifr; - frentry_t fr; - int i; - - /* - * print out the numeric statistics - */ - PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", - ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits); - PRINTF("\t%lu no memory\n\t%lu already exist\n", - ifsp->ifs_nomem, ifsp->ifs_exists); - PRINTF("\t%lu inuse\n", ifsp->ifs_inuse); - if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab))) - return; - - /* - * Print out the contents (if any) of the fragment cache table. - */ - PRINTF("\n"); - for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i]) { - if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], - sizeof(ifr)) == -1) - break; - PRINTF("%s -> ", hostname(4, &ifr.ipfr_src)); - if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, - sizeof(fr)) == -1) - break; - PRINTF("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = fl %#x\n", - hostname(4, &ifr.ipfr_dst), ntohs(ifr.ipfr_id), - ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_seen0, - ifr.ipfr_ifp, ifr.ipfr_tos, fr.fr_flags); - ipfrtab[i] = ifr.ipfr_next; - } - if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) - return; - for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i]) { - if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], - sizeof(ifr)) == -1) - break; - PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); - if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, - sizeof(fr)) == -1) - break; - PRINTF("%s %d %d %d %#02x = %#x\n", - hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, - ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, - fr.fr_flags); - ipfrtab[i] = ifr.ipfr_next; - } -} - - -/* - * Show stats 
on how auth within IPFilter has been used - */ -static void showauthstates(asp) -fr_authstat_t *asp; -{ - frauthent_t *frap, fra; - -#ifdef USE_QUAD_T - printf("Authorisation hits: %qu\tmisses %qu\n", - (unsigned long long) asp->fas_hits, - (unsigned long long) asp->fas_miss); -#else - printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits, - asp->fas_miss); -#endif - printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n", - asp->fas_nospace, asp->fas_added, asp->fas_sendfail, - asp->fas_sendok); - printf("queok %ld\nquefail %ld\nexpire %ld\n", - asp->fas_queok, asp->fas_quefail, asp->fas_expire); - - frap = asp->fas_faelist; - while (frap) { - if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1) - break; - - printf("age %ld\t", fra.fae_age); - printfr(&fra.fae_fr); - frap = fra.fae_next; - } -} - - -/* - * Display groups used for each of filter rules, accounting rules and - * authentication, separately. - */ -static void showgroups(fiop) -struct friostat *fiop; -{ - static char *gnames[3] = { "Filter", "Accounting", "Authentication" }; - frgroup_t *fp, grp; - int on, off, i; - - on = fiop->f_active; - off = 1 - on; - - for (i = 0; i < 3; i++) { - printf("%s groups (active):\n", gnames[i]); - for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next) - if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) - break; - else - printf("%hu\n", grp.fg_num); - printf("%s groups (inactive):\n", gnames[i]); - for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next) - if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) - break; - else - printf("%hu\n", grp.fg_num); - } -} - -static void parse_ipportstr(argument, ip, port) -const char *argument; -struct in_addr *ip; -int *port; -{ - - char *s, *comma; - - /* make working copy of argument, Theoretically you must be able - * to write to optarg, but that seems very ugly to me.... 
- */ - if ((s = malloc(strlen(argument) + 1)) == NULL) - perror("malloc"); - strcpy(s, argument); - - /* get port */ - if ((comma = strchr(s, ',')) != NULL) { - if (!strcasecmp(s, "any")) { - *port = -1; - } else if (!sscanf(comma + 1, "%d", port) || - (*port < 0) || (*port > 65535)) { - fprintf(stderr, "Invalid port specfication in %s\n", - argument); - exit(-2); - } - *comma = '\0'; - } - - - /* get ip address */ - if (!strcasecmp(s, "any")) { - ip->s_addr = INADDR_ANY; - } else if (!inet_aton(s, ip)) { - fprintf(stderr, "Invalid IP address: %s\n", s); - exit(-2); - } - - /* free allocated memory */ - free(s); -} - - -#ifdef STATETOP -static char ttlbuf[STSTRSIZE]; - -static char *ttl_to_string(ttl) -long int ttl; -{ - - int hours, minutes, seconds; - - /* ttl is in half seconds */ - ttl /= 2; - - hours = ttl / 3600; - ttl = ttl % 3600; - minutes = ttl / 60; - seconds = ttl % 60; - - if (hours > 0 ) - sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds); - else - sprintf(ttlbuf, "%2d:%02d", minutes, seconds); - return ttlbuf; -} - - -static int sort_pkts(a, b) -const void *a; -const void *b; -{ - - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ap->st_pkts == bp->st_pkts) - return 0; - else if (ap->st_pkts < bp->st_pkts) - return 1; - return -1; -} - - -static int sort_bytes(a, b) -const void *a; -const void *b; -{ - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ap->st_bytes == bp->st_bytes) - return 0; - else if (ap->st_bytes < bp->st_bytes) - return 1; - return -1; -} - - -static int sort_p(a, b) -const void *a; -const void *b; -{ - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ap->st_p == bp->st_p) - return 0; - else if (ap->st_p < bp->st_p) - return 1; - return -1; -} - - -static int sort_ttl(a, b) -const void *a; -const void *b; -{ - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ap->st_age == bp->st_age) - return 0; - 
else if (ap->st_age < bp->st_age) - return 1; - return -1; -} - -static int sort_srcip(a, b) -const void *a; -const void *b; -{ - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr)) - return 0; - else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr)) - return 1; - return -1; -} - -static int sort_dstip(a, b) -const void *a; -const void *b; -{ - register const statetop_t *ap = a; - register const statetop_t *bp = b; - - if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr)) - return 0; - else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr)) - return 1; - return -1; -} -#endif diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c deleted file mode 100644 index e940280a280a..000000000000 --- a/contrib/ipfilter/inet_addr.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * ++Copyright++ 1983, 1990, 1993 - * - - * Copyright (c) 1983, 1990, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - - * Portions Copyright (c) 1993 by Digital Equipment Corporation. 
- * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies, and that - * the name of Digital Equipment Corporation not be used in advertising or - * publicity pertaining to distribution of the document or software without - * specific, written prior permission. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL - * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT - * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL - * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR - * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS - * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS - * SOFTWARE. - * - - * --Copyright-- - */ -#ifdef __STDC__ -# ifndef __P -# define __P(x) x -# endif -#else -# undef __P -# define __P(x) () -# undef const -# define const -#endif - -#if !defined(lint) -static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.2 2002/02/22 15:32:46 darrenr Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include <sys/param.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ctype.h> - -int inet_aton __P((const char *, struct in_addr *)); - -/* - * Check whether "cp" is a valid ascii representation - * of an Internet address and convert to a binary address. - * Returns 1 if the address is valid, 0 if not. - * This replaces inet_addr, the return value from which - * cannot distinguish between failure and a local broadcast address. 
- */ -int -inet_aton(cp, addr) - register const char *cp; - struct in_addr *addr; -{ - register u_long val; - register int base, n; - register char c; - u_int parts[4]; - register u_int *pp = parts; - - c = *cp; - for (;;) { - /* - * Collect number up to ``.''. - * Values are specified as for C: - * 0x=hex, 0=octal, isdigit=decimal. - */ - if (!isdigit(c)) - return (0); - val = 0; base = 10; - if (c == '0') { - c = *++cp; - if (c == 'x' || c == 'X') - base = 16, c = *++cp; - else - base = 8; - } - for (;;) { - if (isascii(c) && isdigit(c)) { - val = (val * base) + (c - '0'); - c = *++cp; - } else if (base == 16 && isascii(c) && isxdigit(c)) { - val = (val << 4) | - (c + 10 - (islower(c) ? 'a' : 'A')); - c = *++cp; - } else - break; - } - if (c == '.') { - /* - * Internet format: - * a.b.c.d - * a.b.c (with c treated as 16 bits) - * a.b (with b treated as 24 bits) - */ - if (pp >= parts + 3) - return (0); - *pp++ = val; - c = *++cp; - } else - break; - } - /* - * Check for trailing characters. - */ - if (c != '\0' && (!isascii(c) || !isspace(c))) - return (0); - /* - * Concoct the address according to - * the number of parts specified. - */ - n = pp - parts + 1; - switch (n) { - - case 0: - return (0); /* initial nondigit */ - - case 1: /* a -- 32 bits */ - break; - - case 2: /* a.b -- 8.24 bits */ - if (val > 0xffffff) - return (0); - val |= parts[0] << 24; - break; - - case 3: /* a.b.c -- 8.8.16 bits */ - if (val > 0xffff) - return (0); - val |= (parts[0] << 24) | (parts[1] << 16); - break; - - case 4: /* a.b.c.d -- 8.8.8.8 bits */ - if (val > 0xff) - return (0); - val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); - break; - } - if (addr) - addr->s_addr = htonl(val); - return (1); -} - -/* these are compatibility routines, not needed on recent BSD releases */ - -/* - * Ascii internet address interpretation routine. - * The value returned is in network order. 
- */ -#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || \ - (defined(IRIX) && (IRIX >= 605)) -in_addr_t -#else -u_long -#endif -inet_addr(cp) - register const char *cp; -{ - struct in_addr val; - - if (inet_aton(cp, &val)) - return (val.s_addr); - return (0xffffffff); -} diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c deleted file mode 100644 index 196d64e0fedf..000000000000 --- a/contrib/ipfilter/ip_lfil.c +++ /dev/null 
@@ -1,975 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.5 2002/10/03 13:47:19 darrenr Exp $"; -#endif - -#if defined(KERNEL) && !defined(_KERNEL) -# define _KERNEL -#endif -#include <sys/errno.h> -#include <sys/types.h> -#include <sys/param.h> -#include <sys/file.h> -#include <sys/ioctl.h> -#include <sys/time.h> -#include <sys/dir.h> -#include <sys/socket.h> -#ifndef _KERNEL -# include <stdio.h> -# include <string.h> -# include <stdlib.h> -# include <ctype.h> -#else -# include <linux/module.h> -#endif - -#include <net/if.h> -#include <net/route.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> -#ifndef _KERNEL -# include <syslog.h> -#endif -#include "netinet/ip_compat.h" -#include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_frag.h" -#include "netinet/ip_state.h" -#include "netinet/ip_auth.h" -#ifdef _KERNEL -#include <net/ip_forward.h> -#endif -#ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) -#endif - - -#ifndef _KERNEL -# include "ipt.h" -static struct ifnet **ifneta = NULL; -static int nifs = 0; -#endif - -int fr_running = 0; -int ipl_unreach = ICMP_UNREACH_FILTER; -u_long ipl_frouteok[2] = {0, 0}; - -static int frzerostats __P((caddr_t)); -static void frsync __P((void)); -#if defined(__NetBSD__) || defined(__OpenBSD__) -static int frrequest __P((int, u_long, caddr_t, int)); -#else -static int frrequest __P((int, u_long, caddr_t, int)); -#endif -#ifdef _KERNEL -static int (*fr_savep) __P((ip_t *, int, void *, int, mb_t **)); -#else -int ipllog __P((void)); -void init_ifp __P((void)); -static int no_output __P((mb_t *, struct ifnet *)); -static int write_output __P((mb_t *, struct ifnet *)); -#endif - -#ifdef 
_KERNEL - -int fr_precheck(struct iphdr *ip, struct device *dev, int out, struct device **ifp) -{ - int hlen = ip->ihl << 2; - - return fr_check((ip_t *)ip, hlen, dev, out, (mb_t **)ifp); -} - - -int iplattach() -{ - char *defpass; - int s; - - if (fr_running || (fr_checkp == fr_precheck)) { - printk("IP Filter: already initialized\n"); - return EBUSY; - } - - fr_running = 1; - bzero((char *)frcache, sizeof(frcache)); - bzero((char *)nat_table, sizeof(nat_table)); - fr_savep = fr_checkp; - fr_checkp = fr_precheck; - -# ifdef IPFILTER_LOG - ipflog_init(); -# endif - if (fr_pass & FR_PASS) - defpass = "pass"; - else if (fr_pass & FR_BLOCK) - defpass = "block"; - else - defpass = "no-match -> block"; - - printk("IP Filter: initialized. Default = %s all, Logging = %s\n", - defpass, -# ifdef IPFILTER_LOG - "enabled"); -# else - "disabled"); -# endif - return 0; -} - - -/* - * Disable the filter by removing the hooks from the IP input/output - * stream. - */ -int ipldetach() -{ - int s, i = FR_INQUE|FR_OUTQUE; - - if (!fr_running) - { - printk("IP Filter: not initialized\n"); - return 0; - } - - fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, i); - fr_running = 0; - - ipfr_unload(); - ip_natunload(); - fr_stateunload(); - fr_authunload(); - - printk("IP Filter: unloaded\n"); - - return 0; -} -#endif /* _KERNEL */ - - -static int frzerostats(data) -caddr_t data; -{ - struct friostat fio; - int error; - - bcopy((char *)frstats, (char *)fio.f_st, - sizeof(struct filterstats) * 2); - fio.f_fin[0] = ipfilter[0][0]; - fio.f_fin[1] = ipfilter[0][1]; - fio.f_fout[0] = ipfilter[1][0]; - fio.f_fout[1] = ipfilter[1][1]; - fio.f_acctin[0] = ipacct[0][0]; - fio.f_acctin[1] = ipacct[0][1]; - fio.f_acctout[0] = ipacct[1][0]; - fio.f_acctout[1] = ipacct[1][1]; - fio.f_active = fr_active; - fio.f_froute[0] = ipl_frouteok[0]; - fio.f_froute[1] = ipl_frouteok[1]; - error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); - if (!error) - bzero((char *)frstats, sizeof(*frstats) * 2); - return 
error; -} - - -/* - * Filter ioctl interface. - */ -#if defined(_KERNEL) -int iplioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg) -{ - int s; - caddr_t data = (caddr_t)arg; - - int mode = file->f_mode; -#else -int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) -{ -#endif - int error = 0, unit = 0, tmp; - -#ifdef _KERNEL - unit = GET_MINOR(inode->i_rdev); - if ((IPL_LOGMAX < unit) || (unit < 0)) - return ENXIO; -#endif - - if (unit == IPL_LOGNAT) { - error = nat_ioctl(data, cmd, mode); - return error; - } - if (unit == IPL_LOGSTATE) { - error = fr_state_ioctl(data, cmd, mode); - return error; - } - - switch (cmd) { - case FIONREAD : -#ifdef IPFILTER_LOG - error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], data, - sizeof(iplused[IPL_LOGIPF])); -#endif - break; -#if !defined(IPFILTER_LKM) && defined(_KERNEL) - case SIOCFRENB : - { - u_int enable; - - if (!(mode & FWRITE)) - error = EPERM; - else { - error = IRCOPY(data, (caddr_t)&enable, sizeof(enable)); - if (error) - break; - if (enable) - error = iplattach(); - else - error = ipldetach(); - } - break; - } -#endif - case SIOCSETFF : - if (!(mode & FWRITE)) - error = EPERM; - else - error = IRCOPY(data, (caddr_t)&fr_flags, - sizeof(fr_flags)); - break; - case SIOCGETFF : - error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags)); - break; - case SIOCINAFR : - case SIOCRMAFR : - case SIOCADAFR : - case SIOCZRLST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, fr_active); - break; - case SIOCINIFR : - case SIOCRMIFR : - case SIOCADIFR : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, data, 1 - fr_active); - break; - case SIOCSWAPA : - if (!(mode & FWRITE)) - error = EPERM; - else { - bzero((char *)frcache, sizeof(frcache[0]) * 2); - *(u_int *)data = fr_active; - fr_active = 1 - fr_active; - } - break; - case SIOCGETFS : - { - struct friostat fio; - - bcopy((char *)frstats, (char *)fio.f_st, - sizeof(struct filterstats) * 2); - 
fio.f_fin[0] = ipfilter[0][0]; - fio.f_fin[1] = ipfilter[0][1]; - fio.f_fout[0] = ipfilter[1][0]; - fio.f_fout[1] = ipfilter[1][1]; - fio.f_acctin[0] = ipacct[0][0]; - fio.f_acctin[1] = ipacct[0][1]; - fio.f_acctout[0] = ipacct[1][0]; - fio.f_acctout[1] = ipacct[1][1]; - fio.f_auth = ipauth; - fio.f_active = fr_active; - fio.f_froute[0] = ipl_frouteok[0]; - fio.f_froute[1] = ipl_frouteok[1]; - error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); - break; - } - case SIOCFRZST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frzerostats(data); - break; - case SIOCIPFFL : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); - if (!error) { - tmp = frflush(unit, tmp); - error = IWCOPY((caddr_t)&tmp, data, - sizeof(tmp)); - } - } - break; -#ifdef IPFILTER_LOG - case SIOCIPFFB : - if (!(mode & FWRITE)) - error = EPERM; - else - *(int *)data = ipflog_clear(unit); - break; -#endif /* IPFILTER_LOG */ - case SIOCGFRST : - error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data, - sizeof(ipfrstat_t)); - break; - case SIOCFRSYN : - if (!(mode & FWRITE)) - error = EPERM; - else { -#if defined(_KERNEL) && defined(__sgi) - ipfsync(); -#endif - frsync(); - } - break; - default : - error = EINVAL; - break; - } - return error; -} - - -static void frsync() -{ -#ifdef _KERNEL - struct device *dev; - - for (dev = dev_base; dev; dev = dev->next) - ip_natsync(dev); -#endif -} - - -static int frrequest(unit, req, data, set) -int unit; -u_long req; -int set; -caddr_t data; -{ - register frentry_t *fp, *f, **fprev; - register frentry_t **ftail; - frentry_t frd; - frdest_t *fdp; - frgroup_t *fg = NULL; - int error = 0, in; - u_int group; - - fp = &frd; - error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp)); - if (error) - return error; - - /* - * Check that the group number does exist and that if a head group - * has been specified, doesn't exist. 
- */ - if (fp->fr_grhead && - fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) - return EEXIST; - if (fp->fr_group && - !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL)) - return ESRCH; - - in = (fp->fr_flags & FR_INQUE) ? 0 : 1; - - if (unit == IPL_LOGAUTH) - ftail = fprev = &ipauth; - else if (fp->fr_flags & FR_ACCOUNT) - ftail = fprev = &ipacct[in][set]; - else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE)) - ftail = fprev = &ipfilter[in][set]; - else - return ESRCH; - - if ((group = fp->fr_group)) { - if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL))) - return ESRCH; - ftail = fprev = fg->fg_start; - } - - bzero((char *)frcache, sizeof(frcache[0]) * 2); - - if (*fp->fr_ifname) { - fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_ip.fi_v); - if (!fp->fr_ifa) - fp->fr_ifa = (void *)-1; - } - - fdp = &fp->fr_dif; - fp->fr_flags &= ~FR_DUP; - if (*fdp->fd_ifname) { - fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v); - if (!fdp->fd_ifp) - fdp->fd_ifp = (struct ifnet *)-1; - else - fp->fr_flags |= FR_DUP; - } - - fdp = &fp->fr_tif; - if (*fdp->fd_ifname) { - fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_ip.fi_v); - if (!fdp->fd_ifp) - fdp->fd_ifp = (struct ifnet *)-1; - } - - /* - * Look for a matching filter rule, but don't include the next or - * interface pointer in the comparison (fr_next, fr_ifa). - */ - for (; (f = *ftail); ftail = &f->fr_next) - if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, - FR_CMPSIZ) == 0) - break; - - /* - * If zero'ing statistics, copy current to caller and zero. 
- */ - if (req == SIOCZRLST) { - if (!f) - return ESRCH; - error = IWCOPYPTR((caddr_t)f, data, sizeof(*f)); - if (error) - return error; - f->fr_hits = 0; - f->fr_bytes = 0; - return 0; - } - - if (!f) { - if (req == SIOCINAFR || req == SIOCINIFR) { - ftail = fprev; - if (fp->fr_hits) { - while (--fp->fr_hits && (f = *ftail)) { - ftail = &f->fr_next; - } - } - } - f = NULL; - } - - if (req == SIOCRMAFR || req == SIOCRMIFR) { - if (!f) - error = ESRCH; - else { - if (f->fr_ref > 1) - return EBUSY; - if (fg && fg->fg_head) - fg->fg_head->fr_ref--; - if (unit == IPL_LOGAUTH) - return fr_auth_ioctl(data, mode, req, f, ftail); - if (f->fr_grhead) - fr_delgroup((u_int)f->fr_grhead, fp->fr_flags, - unit, set); - fixskip(fprev, f, -1); - *ftail = f->fr_next; - KFREE(f); - } - } else { - if (f) - error = EEXIST; - else { - if (unit == IPL_LOGAUTH) - return fr_auth_ioctl(data, mode, req, f, ftail); - KMALLOC(f, frentry_t *); - if (f != NULL) { - if (fg && fg->fg_head) - fg->fg_head->fr_ref++; - bcopy((char *)fp, (char *)f, sizeof(*f)); - f->fr_ref = 1; - f->fr_hits = 0; - f->fr_next = *ftail; - *ftail = f; - if (req == SIOCINIFR || req == SIOCINAFR) - fixskip(fprev, f, 1); - f->fr_grp = NULL; - if ((group = f->fr_grhead)) - fg = fr_addgroup(group, f, unit, set); - } else - error = ENOMEM; - } - } - return (error); -} - - -#ifdef _KERNEL -/* - * routines below for saving IP headers to buffer - */ -int iplopen(struct inode *inode, struct file *file) -{ - u_int min = GET_MINOR(inode->i_rdev); - - if (IPL_LOGMAX < min) - min = ENXIO; - else { - MOD_INC_USE_COUNT; - min = 0; - } - return min; -} - - -void iplclose(struct inode *inode, struct file *file) -{ - u_int min = GET_MINOR(inode->i_rdev); - - if (IPL_LOGMAX >= min) { - MOD_DEC_USE_COUNT; - } -} - -/* - * iplread/ipllog - * both of these must operate with at least splnet() lest they be - * called during packet processing and cause an inconsistancy to appear in - * the filter lists. 
- */ -int iplread(struct inode *inode, struct file *file, char *buf, int nbytes) -{ - struct uio uiob, *uio = &uiob; - - uio->uio_buf = buf; - uio->uio_resid = nbytes; -# ifdef IPFILTER_LOG - return ipflog_read(GET_MINOR(inode->i_rdev), uio); -# else - return ENXIO; -# endif -} - - -/* - * send_reset - this could conceivably be a call to tcp_respond(), but that - * requires a large amount of setting up and isn't any more efficient. - */ -int send_reset(ti, ifp) -struct tcpiphdr *ti; -struct ifnet *ifp; -{ - tcphdr_t *tcp; - int tlen = 0; - ip_t *ip; - mb_t *m; - - if (ti->ti_flags & TH_RST) - return -1; /* feedback loop */ - - m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC); - if (m == NULL) - return -1; - - if (ti->ti_flags & TH_SYN) - tlen = 1; - - m->dev = ifp; - m->csum = 0; - ip = mtod(m, ip_t *); - m->h.iph = ip; - m->ip_hdr = NULL; - m->m_len = sizeof(tcpiphdr_t); - tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t)); - bzero((char *)ip, sizeof(tcpiphdr_t)); - - ip->ip_v = IPVERSION; - ip->ip_hl = sizeof(ip_t) >> 2; - ip->ip_tos = ((ip_t *)ti)->ip_tos; - ip->ip_p = ((ip_t *)ti)->ip_p; - ip->ip_id = ((ip_t *)ti)->ip_id; - ip->ip_len = htons(sizeof(tcpiphdr_t)); - ip->ip_ttl = 127; - ip->ip_src.s_addr = ti->ti_dst.s_addr; - ip->ip_dst.s_addr = ti->ti_src.s_addr; - tcp->th_dport = ti->ti_sport; - tcp->th_sport = ti->ti_dport; - tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen); - tcp->th_off = sizeof(tcphdr_t) >> 2; - tcp->th_flags = TH_RST|TH_ACK; - - ip->ip_sum = 0; - ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t)); - tcp->th_sum = fr_tcpsum(m, ip, tcp); - return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr); -} - - -size_t mbufchainlen(m0) -register mb_t *m0; -{ - register size_t len = 0; - - for (; m0; m0 = m0->m_next) - len += m0->m_len; - return len; -} - - -void ipfr_fastroute(m0, fin, fdp) -mb_t *m0; -fr_info_t *fin; -frdest_t *fdp; -{ -#if notyet - register ip_t *ip, *mhip; - register mb_t *m = m0; - register struct route *ro; - struct ifnet *ifp = 
fdp->fd_ifp; - int len, off, error = 0; - int hlen = fin->fin_hlen; - struct route iproute; - struct sockaddr_in *dst; - - ip = mtod(m0, ip_t *); - /* - * Route packet. - */ - ro = &iproute; - bzero((caddr_t)ro, sizeof (*ro)); - dst = (struct sockaddr_in *)&ro->ro_dst; - dst->sin_family = AF_INET; - dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; - /* - * XXX -allocate route here - */ - if (!ifp) { - if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) { - error = -2; - goto bad; - } - if (ro->ro_rt == 0 || (ifp = ro->ro_rt->rt_ifp) == 0) { - if (in_localaddr(ip->ip_dst)) - error = EHOSTUNREACH; - else - error = ENETUNREACH; - goto bad; - } - if (ro->ro_rt->rt_flags & RTF_GATEWAY) - dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; - } - ro->ro_rt->rt_use++; - - /* - * For input packets which are being "fastrouted", they won't - * go back through output filtering and miss their chance to get - * NAT'd. - */ - (void) ip_natout(ip, hlen, fin); - if (fin->fin_out) - ip->ip_sum = 0; - /* - * If small enough for interface, can just send directly. - */ - if (ip->ip_len <= ifp->if_mtu) { -# ifndef sparc - ip->ip_id = htons(ip->ip_id); - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); -# endif - if (!ip->ip_sum) - ip->ip_sum = in_cksum(m, hlen); - error = (*ifp->hard_start_xmit)(m, ifp, m); - goto done; - } - /* - * Too large for interface; fragment if possible. - * Must be able to put at least 8 bytes per fragment. - */ - if (ip->ip_off & IP_DF) { - error = EMSGSIZE; - goto bad; - } - len = (ifp->if_mtu - hlen) &~ 7; - if (len < 8) { - error = EMSGSIZE; - goto bad; - } - - { - int mhlen, firstlen = len; - mb_t **mnext = &m->m_act; - - /* - * Loop through length of segment after first fragment, - * make new header and copy data of each part and link onto chain. 
- */ - m0 = m; - mhlen = sizeof (struct ip); - for (off = hlen + len; off < ip->ip_len; off += len) { - MGET(m, M_DONTWAIT, MT_HEADER); - if (m == 0) { - error = ENOBUFS; - goto bad; - } - m->m_data += max_linkhdr; - mhip = mtod(m, struct ip *); - bcopy((char *)ip, (char *)mhip, sizeof(*ip)); - if (hlen > sizeof (struct ip)) { - mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip); - mhip->ip_hl = mhlen >> 2; - } - m->m_len = mhlen; - mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF); - if (ip->ip_off & IP_MF) - mhip->ip_off |= IP_MF; - if (off + len >= ip->ip_len) - len = ip->ip_len - off; - else - mhip->ip_off |= IP_MF; - mhip->ip_len = htons((u_short)(len + mhlen)); - m->m_next = m_copy(m0, off, len); - if (m->m_next == 0) { - error = ENOBUFS; /* ??? */ - goto sendorfree; - } -# ifndef sparc - mhip->ip_off = htons((u_short)mhip->ip_off); -# endif - mhip->ip_sum = 0; - mhip->ip_sum = in_cksum(m, mhlen); - *mnext = m; - mnext = &m->m_act; - } - /* - * Update first fragment by trimming what's been copied out - * and updating header, then send each fragment (in order). - */ - m_adj(m0, hlen + firstlen - ip->ip_len); - ip->ip_len = htons((u_short)(hlen + firstlen)); - ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); - ip->ip_sum = 0; - ip->ip_sum = in_cksum(m0, hlen); -sendorfree: - for (m = m0; m; m = m0) { - m0 = m->m_act; - m->m_act = 0; - if (error == 0) - error = (*ifp->if_output)(ifp, m, - (struct sockaddr *)dst); - else - m_freem(m); - } - } -done: - if (!error) - ipl_frouteok[0]++; - else - ipl_frouteok[1]++; - - if (ro->ro_rt) { - RTFREE(ro->ro_rt); - } - return; -bad: - m_freem(m); - goto done; -# endif -} - - -/* - * Fake BSD uiomove() call. 
- */ -int uiomove(caddr_t src, size_t ssize, int rw, struct uio *uio) -{ - int error; - size_t mv = MIN(ssize, uio->uio_resid); - - if (rw == UIO_READ) { - error = IWCOPY(src, (caddr_t)uio->uio_buf, mv); - } else if (rw == UIO_WRITE) { - error = IRCOPY((caddr_t)uio->uio_buf, src, mv); - } else - error = EINVAL; - if (!error) { - uio->uio_resid -= mv; - uio->uio_buf += mv; - } - return error; -} - -# ifdef IPFILTER_LKM -# ifndef IPL_MAJOR -# define IPL_MAJOR 95 -# endif - -# ifndef IPL_NAME -# define IPL_NAME "/dev/ipl" -# endif - -static struct file_operations ipl_fops = { - NULL, /* lseek */ - iplread, /* read */ - NULL, /* write */ - NULL, /* readdir */ - NULL, /* select */ - iplioctl, /* ioctl */ - NULL, /* mmap */ - iplopen, /* open */ - iplclose, /* release */ - NULL, /* fsync */ - NULL, /* fasync */ - NULL, /* check_media_change */ - NULL, /* revalidate */ -}; - - -int init_module(void) -{ - int error = 0, major; - - if (register_chrdev(IPL_MAJOR, "ipf", &ipl_fops)) { - printk("ipf: unable to get major number: %d\n", IPL_MAJOR); - return -EIO; - } - - error = iplattach(); - if (!error) - register_symtab(0); - return -error; -} - -void cleanup_module(void) -{ - unregister_chrdev(IPL_MAJOR, "ipf"); - (void) ipldetach(); -} -# endif /* IPFILTER_LKM */ -#else /* #ifdef _KERNEL */ - - -static int no_output __P((mb_t *m, struct ifnet *ifp)) -{ - return 0; -} - - -static int write_output __P((mb_t *m, struct ifnet *ifp)) -{ - FILE *fp; - char fname[32]; - ip_t *ip; - - ip = mtod(m, ip_t *); - sprintf(fname, "/tmp/%s", ifp->name); - if ((fp = fopen(fname, "a"))) { - fwrite((char *)ip, ntohs(ip->ip_len), 1, fp); - fclose(fp); - } - return 0; -} - - -struct ifnet *get_unit(name, v) -char *name; -int v; -{ - struct ifnet *ifp, **ifa; - char ifname[32], *s; - - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { - (void) sprintf(ifname, "%s", ifp->name); - if (!strcmp(name, ifname)) - return ifp; - } - - if (!ifneta) { - ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2); - 
ifneta[1] = NULL; - ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp)); - nifs = 1; - } else { - nifs++; - ifneta = (struct ifnet **)realloc(ifneta, - (nifs + 1) * sizeof(*ifa)); - ifneta[nifs] = NULL; - ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp)); - } - ifp = ifneta[nifs - 1]; - - for (s = name; *s && !isdigit(*s); s++) - ; - if (*s && isdigit(*s)) { - ifp->name = (char *)malloc(s - name + 1); - strncpy(ifp->name, name, s - name); - ifp->name[s - name] = '\0'; - } else { - ifp->name = strdup(name); - } - ifp->hard_start_xmit = no_output; - return ifp; -} - - - -void init_ifp() -{ - FILE *fp; - struct ifnet *ifp, **ifa; - char fname[32]; - - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { - ifp->hard_start_xmit = write_output; - sprintf(fname, "/tmp/%s", ifp->name); - if ((fp = fopen(fname, "w"))) - fclose(fp); - } -} - - -void ipfr_fastroute(ip, fin, fdp) -ip_t *ip; -fr_info_t *fin; -frdest_t *fdp; -{ - struct ifnet *ifp = fdp->fd_ifp; - - if (!ifp) - return; /* no routing table out here */ - - ip->ip_len = htons((u_short)ip->ip_len); - ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); - ip->ip_sum = 0; - (*ifp->hard_start_xmit)((mb_t *)ip, ifp); -} - - -int ipllog __P((void)) -{ - verbose("l"); - return 0; -} - - -int send_reset(ip, ifp) -ip_t *ip; -struct ifnet *ifp; -{ - verbose("- TCP RST sent\n"); - return 0; -} - - -int icmp_error(ip, ifp) -ip_t *ip; -struct ifnet *ifp; -{ - verbose("- TCP RST sent\n"); - return 0; -} -#endif /* _KERNEL */ diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c deleted file mode 100644 index 9e995d9b85c8..000000000000 --- a/contrib/ipfilter/ip_sfil.c +++ /dev/null 
@@ -1,991 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- * I hate legaleese, don't you ?
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.27 2003/06/12 16:03:14 darrenr Exp $";
-#endif
-
-#include <sys/types.h>
-#include <sys/errno.h>
-#include <sys/param.h>
-#include <sys/cpuvar.h>
-#include <sys/open.h>
-#include <sys/ioctl.h>
-#include <sys/filio.h>
-#include <sys/systm.h>
-#include <sys/cred.h>
-#include <sys/ddi.h>
-#include <sys/sunddi.h>
-#include <sys/ksynch.h>
-#include <sys/kmem.h>
-#include <sys/mkdev.h>
-#include <sys/protosw.h>
-#include <sys/socket.h>
-#include <sys/dditypes.h>
-#include <sys/cmn_err.h>
-#include <net/if.h>
-#include <net/af.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#include "ip_compat.h"
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#include "ip_fil.h"
-#include "ip_state.h"
-#include "ip_nat.h"
-#include "ip_frag.h"
-#include "ip_auth.h"
-#include "ip_proxy.h"
-#include <inet/ip_ire.h>
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern fr_flags, fr_active;
-
-int fr_running = 0;
-int ipl_unreach = ICMP_UNREACH_HOST;
-u_long ipl_frouteok[2] = {0, 0};
-static int frzerostats __P((caddr_t));
-#if SOLARIS2 >= 7
-static u_int *ip_ttl_ptr;
-static u_int *ip_mtudisc;
-#else
-static u_long *ip_ttl_ptr;
-static u_long *ip_mtudisc;
-#endif
-
-static int frrequest __P((minor_t, int, caddr_t, int));
-static int send_ip __P((fr_info_t *fin, mblk_t *m));
-kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
-KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
-KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-kcondvar_t iplwait, ipfauthwait;
-
- -int ipldetach() -{ - int i; - -#ifdef IPFDEBUG - cmn_err(CE_CONT, "ipldetach()\n"); -#endif -#ifdef IPFILTER_LOG - for (i = IPL_LOGMAX; i >= 0; i--) - ipflog_clear(i); -#endif - i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); - ipfr_unload(); - fr_stateunload(); - ip_natunload(); - cv_destroy(&iplwait); - cv_destroy(&ipfauthwait); - mutex_destroy(&ipf_authmx); - mutex_destroy(&ipl_mutex); - mutex_destroy(&ipf_rw); - RW_DESTROY(&ipf_mutex); - RW_DESTROY(&ipf_frag); - RW_DESTROY(&ipf_state); - RW_DESTROY(&ipf_natfrag); - RW_DESTROY(&ipf_nat); - RW_DESTROY(&ipf_auth); - RW_DESTROY(&ipfs_mutex); - /* NOTE: This lock is acquired in ipf_detach */ - RWLOCK_EXIT(&ipf_solaris); - RW_DESTROY(&ipf_solaris); - return 0; -} - - -int iplattach __P((void)) -{ - int i; - -#ifdef IPFDEBUG - cmn_err(CE_CONT, "iplattach()\n"); -#endif - bzero((char *)frcache, sizeof(frcache)); - mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); - RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL); - RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL); - RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL); - RWLOCK_INIT(&ipf_frag, "ipf fragment rwlock", NULL); - RWLOCK_INIT(&ipf_state, "ipf IP state rwlock", NULL); - RWLOCK_INIT(&ipf_nat, "ipf IP NAT rwlock", NULL); - RWLOCK_INIT(&ipf_natfrag, "ipf IP NAT-Frag rwlock", NULL); - RWLOCK_INIT(&ipf_auth, "ipf IP User-Auth rwlock", NULL); - cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); - cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL); -#ifdef IPFILTER_LOG - ipflog_init(); -#endif - if (nat_init() == -1) - return -1; - if (fr_stateinit() == -1) - return -1; - if (appr_init() == -1) - return -1; - - ip_ttl_ptr = NULL; - ip_mtudisc = NULL; - /* - * XXX - There is no terminator for this array, so it is not possible - * to tell if 
what we are looking for is missing and go off the end - * of the array. - */ - for (i = 0; ; i++) { - if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) { - ip_ttl_ptr = &ip_param_arr[i].ip_param_value; - } else if (strcmp(ip_param_arr[i].ip_param_name, - "ip_path_mtu_discovery") == 0) { - ip_mtudisc = &ip_param_arr[i].ip_param_value; - } - - if (ip_mtudisc != NULL && ip_ttl_ptr != NULL) - break; - } - return 0; -} - - -static int frzerostats(data) -caddr_t data; -{ - friostat_t fio; - int error; - - fr_getstat(&fio); - error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); - if (error) - return error; - - bzero((char *)frstats, sizeof(*frstats) * 2); - - return 0; -} - - -/* - * Filter ioctl interface. - */ -int iplioctl(dev, cmd, data, mode, cp, rp) -dev_t dev; -int cmd; -#if SOLARIS2 >= 7 -intptr_t data; -#else -int *data; -#endif -int mode; -cred_t *cp; -int *rp; -{ - int error = 0, tmp; - minor_t unit; - -#ifdef IPFDEBUG - cmn_err(CE_CONT, "iplioctl(%x,%x,%x,%d,%x,%d)\n", - dev, cmd, data, mode, cp, rp); -#endif - unit = getminor(dev); - if (IPL_LOGMAX < unit) - return ENXIO; - - if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) - return ENODEV; - - if (fr_running <= 0) - return 0; - - READ_ENTER(&ipf_solaris); - if (unit == IPL_LOGNAT) { - error = nat_ioctl((caddr_t)data, cmd, mode); - RWLOCK_EXIT(&ipf_solaris); - return error; - } - if (unit == IPL_LOGSTATE) { - error = fr_state_ioctl((caddr_t)data, cmd, mode); - RWLOCK_EXIT(&ipf_solaris); - return error; - } - if (unit == IPL_LOGAUTH) { - if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { - if (!(mode & FWRITE)) { - error = EPERM; - } else { - error = frrequest(unit, cmd, (caddr_t)data, - fr_active); - } - } else { - error = fr_auth_ioctl((caddr_t)data, mode, cmd); - } - RWLOCK_EXIT(&ipf_solaris); - return error; - } - - switch (cmd) { - case SIOCFRENB : - { - u_int enable; - - if (!(mode & FWRITE)) - error = EPERM; - else - error = IRCOPY((caddr_t)data, (caddr_t)&enable, - 
sizeof(enable)); - break; - } - case SIOCSETFF : - if (!(mode & FWRITE)) - error = EPERM; - else { - WRITE_ENTER(&ipf_mutex); - error = IRCOPY((caddr_t)data, (caddr_t)&fr_flags, - sizeof(fr_flags)); - RWLOCK_EXIT(&ipf_mutex); - } - break; - case SIOCGETFF : - error = IWCOPY((caddr_t)&fr_flags, (caddr_t)data, - sizeof(fr_flags)); - if (error) - error = EFAULT; - break; - case SIOCINAFR : - case SIOCRMAFR : - case SIOCADAFR : - case SIOCZRLST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, (caddr_t)data, fr_active); - break; - case SIOCINIFR : - case SIOCRMIFR : - case SIOCADIFR : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frrequest(unit, cmd, (caddr_t)data, - 1 - fr_active); - break; - case SIOCSWAPA : - if (!(mode & FWRITE)) - error = EPERM; - else { - WRITE_ENTER(&ipf_mutex); - bzero((char *)frcache, sizeof(frcache[0]) * 2); - error = IWCOPY((caddr_t)&fr_active, (caddr_t)data, - sizeof(fr_active)); - if (error) - error = EFAULT; - fr_active = 1 - fr_active; - RWLOCK_EXIT(&ipf_mutex); - } - break; - case SIOCGETFS : - { - friostat_t fio; - - READ_ENTER(&ipf_mutex); - fr_getstat(&fio); - RWLOCK_EXIT(&ipf_mutex); - error = IWCOPYPTR((caddr_t)&fio, (caddr_t)data, sizeof(fio)); - if (error) - error = EFAULT; - break; - } - case SIOCFRZST : - if (!(mode & FWRITE)) - error = EPERM; - else - error = frzerostats((caddr_t)data); - break; - case SIOCIPFFL : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = IRCOPY((caddr_t)data, (caddr_t)&tmp, - sizeof(tmp)); - if (!error) { - tmp = frflush(unit, 4, tmp); - error = IWCOPY((caddr_t)&tmp, (caddr_t)data, - sizeof(tmp)); - if (error) - error = EFAULT; - } - } - break; -#ifdef USE_INET6 - case SIOCIPFL6 : - if (!(mode & FWRITE)) - error = EPERM; - else { - error = IRCOPY((caddr_t)data, (caddr_t)&tmp, - sizeof(tmp)); - if (!error) { - tmp = frflush(unit, 6, tmp); - error = IWCOPY((caddr_t)&tmp, (caddr_t)data, - sizeof(tmp)); - if (error) - error = EFAULT; - } - } - break; 
-#endif - case SIOCSTLCK : - error = IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); - if (!error) { - fr_state_lock = tmp; - fr_nat_lock = tmp; - fr_frag_lock = tmp; - fr_auth_lock = tmp; - } else - error = EFAULT; - break; -#ifdef IPFILTER_LOG - case SIOCIPFFB : - if (!(mode & FWRITE)) - error = EPERM; - else { - tmp = ipflog_clear(unit); - error = IWCOPY((caddr_t)&tmp, (caddr_t)data, - sizeof(tmp)); - if (error) - error = EFAULT; - } - break; -#endif /* IPFILTER_LOG */ - case SIOCFRSYN : - if (!(mode & FWRITE)) - error = EPERM; - else - error = ipfsync(); - break; - case SIOCGFRST : - error = IWCOPYPTR((caddr_t)ipfr_fragstats(), (caddr_t)data, - sizeof(ipfrstat_t)); - break; - case FIONREAD : - { -#ifdef IPFILTER_LOG - int copy = (int)iplused[IPL_LOGIPF]; - - error = IWCOPY((caddr_t)©, (caddr_t)data, sizeof(copy)); - if (error) - error = EFAULT; -#endif - break; - } - default : - error = EINVAL; - break; - } - RWLOCK_EXIT(&ipf_solaris); - return error; -} - - -ill_t *get_unit(name, v) -char *name; -int v; -{ - size_t len = strlen(name) + 1; /* includes \0 */ - ill_t *il; -#if SOLARIS2 >= 10 - ill_walk_context_t ctx; -#endif - int sap; - - if (v == 4) - sap = 0x0800; - else if (v == 6) - sap = 0x86dd; - else - return NULL; -#if SOLARIS2 >= 10 - for (il = ILL_START_WALK_ALL(&ctx); il; il = ill_next(&ctx, il)) -#else - for (il = ill_g_head; il; il = il->ill_next) -#endif - if ((len == il->ill_name_length) && (il->ill_sap == sap) && - !strncmp(il->ill_name, name, len)) - return il; - return NULL; -} - - -static int frrequest(unit, req, data, set) -minor_t unit; -int req, set; -caddr_t data; -{ - register frentry_t *fp, *f, **fprev; - register frentry_t **ftail; - frgroup_t *fg = NULL; - int error = 0, in, i; - u_int *p, *pp; - frdest_t *fdp; - frentry_t fr; - u_32_t group; - ipif_t *ipif; - ill_t *ill; - ire_t *ire; - - fp = &fr; - error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp)); - if (error) - return EFAULT; - fp->fr_ref = 0; -#if SOLARIS2 >= 8 - if (fp->fr_v 
== 4) - fp->fr_sap = IP_DL_SAP; - else if (fp->fr_v == 6) - fp->fr_sap = IP6_DL_SAP; - else - return EINVAL; -#else - fp->fr_sap = 0; -#endif - - WRITE_ENTER(&ipf_mutex); - /* - * Check that the group number does exist and that if a head group - * has been specified, doesn't exist. - */ - if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || - (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && - fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) { - error = EEXIST; - goto out; - } - if ((req != SIOCZRLST) && fp->fr_group && - !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) { - error = ESRCH; - goto out; - } - - in = (fp->fr_flags & FR_INQUE) ? 0 : 1; - - if (unit == IPL_LOGAUTH) - ftail = fprev = &ipauth; - else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4)) - ftail = fprev = &ipacct[in][set]; - else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4)) - ftail = fprev = &ipfilter[in][set]; -#ifdef USE_INET6 - else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6)) - ftail = fprev = &ipacct6[in][set]; - else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6)) - ftail = fprev = &ipfilter6[in][set]; -#endif - else { - error = ESRCH; - goto out; - } - - group = fp->fr_group; - if (group != 0) { - fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL); - if (fg == NULL) { - error = ESRCH; - goto out; - } - ftail = fprev = fg->fg_start; - } - - bzero((char *)frcache, sizeof(frcache[0]) * 2); - - for (i = 0; i < 4; i++) { - if ((fp->fr_ifnames[i][1] == '\0') && - ((fp->fr_ifnames[i][0] == '-') || - (fp->fr_ifnames[i][0] == '*'))) { - fp->fr_ifas[i] = NULL; - } else if (*fp->fr_ifnames[i]) { - fp->fr_ifas[i] = GETUNIT(fp->fr_ifnames[i], fp->fr_v); - if (!fp->fr_ifas[i]) - fp->fr_ifas[i] = (void *)-1; - } - } - - fdp = &fp->fr_dif; - fdp->fd_mp = NULL; - fp->fr_flags &= ~FR_DUP; - if (*fdp->fd_ifname) { - ill = get_unit(fdp->fd_ifname, (int)fp->fr_v); - if (!ill) - ire = (ire_t *)-1; - else if ((ipif 
= ill->ill_ipif) && (fp->fr_v == 4)) { -#if SOLARIS2 > 5 - ire = ire_ctable_lookup(ipif->ipif_local_addr, 0, - IRE_LOCAL, NULL, NULL, - MATCH_IRE_TYPE); -#else - ire = ire_lookup_myaddr(ipif->ipif_local_addr); -#endif - if (!ire) - ire = (ire_t *)-1; - else - fp->fr_flags |= FR_DUP; - } -#ifdef USE_INET6 - else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) { - ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0, - IRE_LOCAL, NULL, NULL, - MATCH_IRE_TYPE); - if (!ire) - ire = (ire_t *)-1; - else - fp->fr_flags |= FR_DUP; - } -#endif - fdp->fd_ifp = (struct ifnet *)ire; - } - - fdp = &fp->fr_tif; - fdp->fd_mp = NULL; - if (*fdp->fd_ifname) { - ill = get_unit(fdp->fd_ifname, (int)fp->fr_v); - if (!ill) - ire = (ire_t *)-1; - else if ((ipif = ill->ill_ipif) && (fp->fr_v == 4)) { -#if SOLARIS2 > 5 - ire = ire_ctable_lookup(ipif->ipif_local_addr, 0, - IRE_LOCAL, NULL, NULL, - MATCH_IRE_TYPE); -#else - ire = ire_lookup_myaddr(ipif->ipif_local_addr); -#endif - if (!ire) - ire = (ire_t *)-1; - } -#ifdef USE_INET6 - else if ((ipif = ill->ill_ipif) && (fp->fr_v == 6)) { - ire = ire_ctable_lookup_v6(&ipif->ipif_v6lcl_addr, 0, - IRE_LOCAL, NULL, NULL, - MATCH_IRE_TYPE); - if (!ire) - ire = (ire_t *)-1; - } -#endif - fdp->fd_ifp = (struct ifnet *)ire; - } - - /* - * Look for a matching filter rule, but don't include the next or - * interface pointer in the comparison (fr_next, fr_ifa). - */ - for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum; - p < pp; p++) - fp->fr_cksum += *p; - - for (; (f = *ftail); ftail = &f->fr_next) - if ((fp->fr_cksum == f->fr_cksum) && - !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ)) - break; - - /* - * If zero'ing statistics, copy current to caller and zero. 
- */ - if (req == SIOCZRLST) { - if (!f) { - error = ESRCH; - goto out; - } - MUTEX_DOWNGRADE(&ipf_mutex); - error = IWCOPYPTR((caddr_t)f, data, sizeof(*f)); - if (error) - goto out; - f->fr_hits = 0; - f->fr_bytes = 0; - goto out; - } - - if (!f) { - if (req != SIOCINAFR && req != SIOCINIFR) - while ((f = *ftail)) - ftail = &f->fr_next; - else { - ftail = fprev; - if (fp->fr_hits) { - while (--fp->fr_hits && (f = *ftail)) - ftail = &f->fr_next; - } - f = NULL; - } - } - - if (req == SIOCRMAFR || req == SIOCRMIFR) { - if (!f) - error = ESRCH; - else { - /* - * Only return EBUSY if there is a group list, else - * it's probably just state information referencing - * the rule. - */ - if ((f->fr_ref > 1) && f->fr_grp) { - error = EBUSY; - goto out; - } - if (fg && fg->fg_head) - fg->fg_head->fr_ref--; - if (unit == IPL_LOGAUTH) { - return fr_preauthcmd(req, f, ftail); - } - if (f->fr_grhead) - fr_delgroup(f->fr_grhead, fp->fr_flags, - unit, set); - fixskip(fprev, f, -1); - *ftail = f->fr_next; - f->fr_next = NULL; - f->fr_ref--; - if (f->fr_ref == 0) - KFREE(f); - } - } else { - if (f) { - error = EEXIST; - } else { - if (unit == IPL_LOGAUTH) { - return fr_preauthcmd(req, fp, ftail); - } - KMALLOC(f, frentry_t *); - if (f != NULL) { - if (fg && fg->fg_head) - fg->fg_head->fr_ref++; - bcopy((char *)fp, (char *)f, sizeof(*f)); - f->fr_ref = 1; - f->fr_hits = 0; - f->fr_next = *ftail; - *ftail = f; - if (req == SIOCINIFR || req == SIOCINAFR) - fixskip(fprev, f, 1); - f->fr_grp = NULL; - group = f->fr_grhead; - if (group != 0) - fg = fr_addgroup(group, f, unit, set); - } else - error = ENOMEM; - } - } -out: - RWLOCK_EXIT(&ipf_mutex); - return (error); -} - - -/* - * routines below for saving IP headers to buffer - */ -int iplopen(devp, flags, otype, cred) -dev_t *devp; -int flags, otype; -cred_t *cred; -{ - minor_t min = getminor(*devp); - -#ifdef IPFDEBUG - cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred); -#endif - if ((fr_running <= 0) || !(otype & 
OTYP_CHR)) - return ENXIO; - min = (IPL_LOGMAX < min) ? ENXIO : 0; - return min; -} - - -int iplclose(dev, flags, otype, cred) -dev_t dev; -int flags, otype; -cred_t *cred; -{ - minor_t min = getminor(dev); - -#ifdef IPFDEBUG - cmn_err(CE_CONT, "iplclose(%x,%x,%x,%x)\n", dev, flags, otype, cred); -#endif - min = (IPL_LOGMAX < min) ? ENXIO : 0; - return min; -} - -#ifdef IPFILTER_LOG -/* - * iplread/ipllog - * both of these must operate with at least splnet() lest they be - * called during packet processing and cause an inconsistancy to appear in - * the filter lists. - */ -int iplread(dev, uio, cp) -dev_t dev; -register struct uio *uio; -cred_t *cp; -{ -#ifdef IPFDEBUG - cmn_err(CE_CONT, "iplread(%x,%x,%x)\n", dev, uio, cp); -#endif - return ipflog_read(getminor(dev), uio); -} -#endif /* IPFILTER_LOG */ - - -/* - * send_reset - this could conceivably be a call to tcp_respond(), but that - * requires a large amount of setting up and isn't any more efficient. - */ -int send_reset(oip, fin) -ip_t *oip; -fr_info_t *fin; -{ - tcphdr_t *tcp, *tcp2; - int tlen, hlen; - mblk_t *m; -#ifdef USE_INET6 - ip6_t *ip6, *oip6 = (ip6_t *)oip; -#endif - ip_t *ip; - - tcp = (struct tcphdr *)fin->fin_dp; - if (tcp->th_flags & TH_RST) - return -1; - tlen = (tcp->th_flags & (TH_SYN|TH_FIN)) ? 
1 : 0; -#ifdef USE_INET6 - if (fin->fin_v == 6) - hlen = sizeof(ip6_t); - else -#endif - hlen = sizeof(ip_t); - hlen += sizeof(*tcp2); - if ((m = (mblk_t *)allocb(hlen + 16, BPRI_HI)) == NULL) - return -1; - - m->b_rptr += 16; - MTYPE(m) = M_DATA; - m->b_wptr = m->b_rptr + hlen; - bzero((char *)m->b_rptr, hlen); - tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); - tcp2->th_dport = tcp->th_sport; - tcp2->th_sport = tcp->th_dport; - if (tcp->th_flags & TH_ACK) { - tcp2->th_seq = tcp->th_ack; - tcp2->th_flags = TH_RST; - } else { - tcp2->th_ack = ntohl(tcp->th_seq); - tcp2->th_ack += tlen; - tcp2->th_ack = htonl(tcp2->th_ack); - tcp2->th_flags = TH_RST|TH_ACK; - } - tcp2->th_off = sizeof(struct tcphdr) >> 2; - - /* - * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum - * computation that is done by their put routine. - */ - tcp2->th_sum = htons(0x14); -#ifdef USE_INET6 - if (fin->fin_v == 6) { - ip6 = (ip6_t *)m->b_rptr; - ip6->ip6_src = oip6->ip6_dst; - ip6->ip6_dst = oip6->ip6_src; - ip6->ip6_plen = htons(sizeof(*tcp)); - ip6->ip6_nxt = IPPROTO_TCP; - } else -#endif - { - ip = (ip_t *)m->b_rptr; - ip->ip_src.s_addr = oip->ip_dst.s_addr; - ip->ip_dst.s_addr = oip->ip_src.s_addr; - ip->ip_hl = sizeof(*ip) >> 2; - ip->ip_p = IPPROTO_TCP; - ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp)); - ip->ip_tos = oip->ip_tos; - } - return send_ip(fin, m); -} - - -int static send_ip(fin, m) -fr_info_t *fin; -mblk_t *m; -{ - RWLOCK_EXIT(&ipfs_mutex); - RWLOCK_EXIT(&ipf_solaris); -#ifdef USE_INET6 - if (fin->fin_v == 6) { - extern void ip_wput_v6 __P((queue_t *, mblk_t *)); - ip6_t *ip6; - - ip6 = (ip6_t *)m->b_rptr; - ip6->ip6_flow = 0; - ip6->ip6_vfc = 0x60; - ip6->ip6_hlim = 127; - ip_wput_v6(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); - } else -#endif - { - ip_t *ip; - - ip = (ip_t *)m->b_rptr; - ip->ip_v = IPVERSION; - ip->ip_ttl = (u_char)(*ip_ttl_ptr); - ip->ip_off = htons(*ip_mtudisc ? 
IP_DF : 0); - ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); - } - READ_ENTER(&ipf_solaris); - READ_ENTER(&ipfs_mutex); - return 0; -} - - -int send_icmp_err(oip, type, fin, dst) -ip_t *oip; -int type; -fr_info_t *fin; -int dst; -{ - struct in_addr dst4; - struct icmp *icmp; - mblk_t *m, *mb; - int hlen, code; - qif_t *qif; - u_short sz; - ill_t *il; -#ifdef USE_INET6 - ip6_t *ip6, *oip6; -#endif - ip_t *ip; - - if ((type < 0) || (type > ICMP_MAXTYPE)) - return -1; - - code = fin->fin_icode; -#ifdef USE_INET6 - if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int))) - return -1; -#endif - - qif = fin->fin_qif; - m = fin->fin_qfm; - -#ifdef USE_INET6 - if (oip->ip_v == 6) { - oip6 = (ip6_t *)oip; - sz = sizeof(ip6_t); - sz += MIN(m->b_wptr - m->b_rptr, 512); - hlen = sizeof(ip6_t); - type = icmptoicmp6types[type]; - if (type == ICMP6_DST_UNREACH) - code = icmptoicmp6unreach[code]; - } else -#endif - { - if ((oip->ip_p == IPPROTO_ICMP) && - !(fin->fin_fi.fi_fl & FI_SHORT)) - switch (ntohs(fin->fin_data[0]) >> 8) - { - case ICMP_ECHO : - case ICMP_TSTAMP : - case ICMP_IREQ : - case ICMP_MASKREQ : - break; - default : - return 0; - } - - sz = sizeof(ip_t) * 2; - sz += 8; /* 64 bits of data */ - hlen = sz; - } - - sz += offsetof(struct icmp, icmp_ip); - if ((mb = (mblk_t *)allocb((size_t)sz + 16, BPRI_HI)) == NULL) - return -1; - MTYPE(mb) = M_DATA; - mb->b_rptr += 16; - mb->b_wptr = mb->b_rptr + sz; - bzero((char *)mb->b_rptr, (size_t)sz); - icmp = (struct icmp *)(mb->b_rptr + sizeof(*ip)); - icmp->icmp_type = type; - icmp->icmp_code = code; - icmp->icmp_cksum = 0; -#ifdef icmp_nextmtu - if (type == ICMP_UNREACH && (il = qif->qf_ill) && - fin->fin_icode == ICMP_UNREACH_NEEDFRAG) - icmp->icmp_nextmtu = htons(il->ill_max_frag); -#endif - -#ifdef USE_INET6 - if (oip->ip_v == 6) { - struct in6_addr dst6; - int csz; - - if (dst == 0) { - if (fr_ifpaddr(6, ((qif_t *)fin->fin_qif)->qf_ill, - (struct in_addr *)&dst6) == -1) - return -1; - } else - dst6 = 
oip6->ip6_dst; - - csz = sz; - sz -= sizeof(ip6_t); - ip6 = (ip6_t *)mb->b_rptr; - ip6->ip6_flow = 0; - ip6->ip6_vfc = 0x60; - ip6->ip6_hlim = 127; - ip6->ip6_plen = htons(sz); - ip6->ip6_nxt = IPPROTO_ICMPV6; - ip6->ip6_src = dst6; - ip6->ip6_dst = oip6->ip6_src; - sz -= offsetof(struct icmp, icmp_ip); - bcopy((char *)m->b_rptr, (char *)&icmp->icmp_ip, sz); - icmp->icmp_cksum = csz - sizeof(ip6_t); - } else -#endif - { - ip = (ip_t *)mb->b_rptr; - ip->ip_v = IPVERSION; - ip->ip_hl = (sizeof(*ip) >> 2); - ip->ip_p = IPPROTO_ICMP; - ip->ip_id = oip->ip_id; - ip->ip_sum = 0; - ip->ip_ttl = (u_char)(*ip_ttl_ptr); - ip->ip_tos = oip->ip_tos; - ip->ip_len = (u_short)htons(sz); - if (dst == 0) { - if (fr_ifpaddr(4, ((qif_t *)fin->fin_qif)->qf_ill, - &dst4) == -1) - return -1; - } else - dst4 = oip->ip_dst; - ip->ip_src = dst4; - ip->ip_dst = oip->ip_src; - bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); - bcopy((char *)oip + (oip->ip_hl << 2), - (char *)&icmp->icmp_ip + sizeof(*oip), 8); - icmp->icmp_cksum = ipf_cksum((u_short *)icmp, - sizeof(*icmp) + 8); - } - - /* - * Need to exit out of these so we don't recursively call rw_enter - * from fr_qout. - */ - return send_ip(fin, mb); -} diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c deleted file mode 100644 index cf8528046897..000000000000 --- a/contrib/ipfilter/ipf.c +++ /dev/null 
@@ -1,764 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#ifdef __FreeBSD__ -# ifndef __FreeBSD_cc_version -# include <osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <osreldate.h> -# endif -# endif -#endif -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <unistd.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#if !defined(__SVR4) && !defined(__GNUC__) -#include <strings.h> -#endif -#include <sys/types.h> -#include <sys/param.h> -#include <sys/file.h> -#include <stdlib.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <sys/time.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netinet/ip.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" -#include "ipf.h" -#include "ipl.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.23 2003/06/27 14:39:13 darrenr Exp $"; -#endif - -#if SOLARIS -static void blockunknown __P((void)); -#endif -#if !defined(__SVR4) && defined(__GNUC__) -extern char *index __P((const char *, int)); -#endif - -extern char *optarg; -extern int optind; - -void frsync __P((void)); -void zerostats __P((void)); -int main __P((int, char *[])); - -int opts = 0; -int use_inet6 = 0; - -static int fd = -1; - -static void procfile __P((char *, char *)), flushfilter __P((char *)); -static int set_state __P((u_int)); -static void showstats __P((friostat_t *)); -static void packetlogon __P((char *)), swapactive __P((void)); -static int opendevice __P((char *)); -static void closedevice __P((void)); -static char *getline __P((char *, size_t, FILE 
*, int *)); -static char *ipfname = IPL_NAME; -static void usage __P((char *)); -static int showversion __P((void)); -static int get_flags __P((int *)); - - -#if SOLARIS -# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ" -#else -# define OPTS "6AdDEf:F:Il:noPrsvVyzZ" -#endif - -static void usage(name) -char *name; -{ - fprintf(stderr, "usage: %s [-%s] %s %s %s\n", name, OPTS, - "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); - exit(1); -} - - -int main(argc,argv) -int argc; -char *argv[]; -{ - int c; - - if (argc < 2) - usage(argv[0]); - - while ((c = getopt(argc, argv, OPTS)) != -1) { - switch (c) - { - case '6' : - use_inet6 = 1; - break; - case 'A' : - opts &= ~OPT_INACTIVE; - break; - case 'E' : - if (set_state((u_int)1)) - exit(1); - break; - case 'D' : - if (set_state((u_int)0)) - exit(1); - break; - case 'd' : - opts |= OPT_DEBUG; - break; - case 'f' : - procfile(argv[0], optarg); - break; - case 'F' : - flushfilter(optarg); - break; - case 'I' : - opts |= OPT_INACTIVE; - break; - case 'l' : - packetlogon(optarg); - break; - case 'n' : - opts |= OPT_DONOTHING; - break; - case 'o' : - break; - case 'P' : - ipfname = IPL_AUTH; - break; - case 'r' : - opts |= OPT_REMOVE; - break; - case 's' : - swapactive(); - break; -#if SOLARIS - case 'U' : - blockunknown(); - break; -#endif - case 'v' : - opts += OPT_VERBOSE; - break; - case 'V' : - if (showversion()) - exit(1); - break; - case 'y' : - frsync(); - break; - case 'z' : - opts |= OPT_ZERORULEST; - break; - case 'Z' : - zerostats(); - break; - case '?' : - default : - usage(argv[0]); - break; - } - } - - if (optind < 2) - usage(argv[0]); - - if (fd != -1) - (void) close(fd); - - exit(0); - /* NOTREACHED */ -} - - -static int opendevice(ipfdev) -char *ipfdev; -{ - if (opts & OPT_DONOTHING) - return 0; - - if (!ipfdev) - ipfdev = ipfname; - - /* - * shouldn't we really be testing for fd < 0 here and below? 
- */ - - if (fd != -1) - return 0; - - if ((fd = open(ipfdev, O_RDWR)) == -1) { - if ((fd = open(ipfdev, O_RDONLY)) == -1) { - perror("open device"); - if (errno == ENODEV) - fprintf(stderr, "IPFilter enabled?\n"); - return -1; - } - } - - return 0; -} - - -static void closedevice() -{ - if (fd != -1) - close(fd); - fd = -1; -} - - -/* - * Return codes: - * 0 Success - * !0 Failure (and an error message has already been printed) - */ -static int get_flags(i) -int *i; -{ - - if (opts & OPT_DONOTHING) - return 0; - - if (opendevice(ipfname) < 0) - return -1; - - if (ioctl(fd, SIOCGETFF, i) == -1) { - perror("SIOCGETFF"); - return -1; - } - return 0; -} - - -static int set_state(enable) -u_int enable; -{ - if (opts & OPT_DONOTHING) - return 0; - - if (opendevice(ipfname)) - return -1; - - if (ioctl(fd, SIOCFRENB, &enable) == -1) { - if (errno == EBUSY) - /* Not really an error */ - fprintf(stderr, - "IP Filter: already initialized\n"); - else { - perror("SIOCFRENB"); - return -1; - } - } - return 0; -} - -static void procfile(name, file) -char *name, *file; -{ - FILE *fp; - char line[513], *s; - struct frentry *fr; - u_int add, del; - int linenum = 0; - int parsestatus; - - if (opendevice(ipfname) == -1) - exit(1); - - if (opts & OPT_INACTIVE) { - add = SIOCADIFR; - del = SIOCRMIFR; - } else { - add = SIOCADAFR; - del = SIOCRMAFR; - } - if (opts & OPT_DEBUG) - printf("add %x del %x\n", add, del); - - initparse(); - - if (!strcmp(file, "-")) - fp = stdin; - else if (!(fp = fopen(file, "r"))) { - fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file, - STRERROR(errno)); - exit(1); - } - - while (getline(line, sizeof(line), fp, &linenum)) { - /* - * treat CR as EOL. LF is converted to NUL by getline(). 
- */ - if ((s = index(line, '\r'))) - *s = '\0'; - /* - * # is comment marker, everything after is a ignored - */ - if ((s = index(line, '#'))) - *s = '\0'; - - if (!*line) - continue; - - if (opts & OPT_VERBOSE) - (void)fprintf(stderr, "[%s]\n", line); - - parsestatus = 1; - fr = parse(line, linenum, &parsestatus); - (void)fflush(stdout); - - if (parsestatus != 0) { - fprintf(stderr, "%s: %s: %s error (%d), quitting\n", - name, file, - ((parsestatus < 0)? "parse": "internal"), - parsestatus); - exit(1); - } - - if (fr) { - if (opts & OPT_ZERORULEST) - add = SIOCZRLST; - else if (opts & OPT_INACTIVE) - add = (u_int)fr->fr_hits ? SIOCINIFR : - SIOCADIFR; - else - add = (u_int)fr->fr_hits ? SIOCINAFR : - SIOCADAFR; - if (fr->fr_hits) - fr->fr_hits--; - if (fr && (opts & OPT_VERBOSE)) - printfr(fr); - if (fr && (opts & OPT_OUTQUE)) - fr->fr_flags |= FR_OUTQUE; - - if (opts & OPT_DEBUG) - binprint(fr); - - if ((opts & OPT_ZERORULEST) && - !(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, &fr) == -1) { - fprintf(stderr, "%d:", linenum); - perror("ioctl(SIOCZRLST)"); - exit(1); - } else { -#ifdef USE_QUAD_T - printf("hits %qd bytes %qd ", - (long long)fr->fr_hits, - (long long)fr->fr_bytes); -#else - printf("hits %ld bytes %ld ", - fr->fr_hits, fr->fr_bytes); -#endif - printfr(fr); - } - } else if ((opts & OPT_REMOVE) && - !(opts & OPT_DONOTHING)) { - if (ioctl(fd, del, &fr) == -1) { - fprintf(stderr, "%d:", linenum); - perror("ioctl(delete rule)"); - exit(1); - } - } else if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, &fr) == -1) { - fprintf(stderr, "%d:", linenum); - perror("ioctl(add/insert rule)"); - exit(1); - } - } - } - } - if (ferror(fp) || !feof(fp)) { - fprintf(stderr, "%s: %s: file error or line too long\n", - name, file); - exit(1); - } - (void)fclose(fp); -} - -/* - * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. - * Returns NULL if error occurred, EOF encounterd or input line is too long. 
- */ -static char *getline(str, size, file, linenum) -register char *str; -size_t size; -FILE *file; -int *linenum; -{ - char *p; - int s, len; - - do { - for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { - /* - * if an error occurred, EOF was encounterd, or there - * was no room to put NUL, return NULL. - */ - if (fgets(p, s, file) == NULL) - return (NULL); - len = strlen(p); - if (p[len - 1] != '\n') { - p[len] = '\0'; - break; - } - (*linenum)++; - p[len - 1] = '\0'; - if (len < 2 || p[len - 2] != '\\') - break; - else - /* - * Convert '\\' to a space so words don't - * run together - */ - p[len - 2] = ' '; - } - } while (*str == '\0'); - return (str); -} - - -static void packetlogon(opt) -char *opt; -{ - int flag; - - if (get_flags(&flag)) - exit(1); - - if (flag != 0) { - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) - printf("log flag is currently %#x\n", flag); - } - - flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK); - - if (index(opt, 'p')) { - flag |= FF_LOGPASS; - if (opts & OPT_VERBOSE) - printf("set log flag: pass\n"); - } - if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) { - flag |= FF_LOGNOMATCH; - if (opts & OPT_VERBOSE) - printf("set log flag: nomatch\n"); - } - if (index(opt, 'b') || index(opt, 'd')) { - flag |= FF_LOGBLOCK; - if (opts & OPT_VERBOSE) - printf("set log flag: block\n"); - } - - if (opendevice(ipfname) == -1) { - exit(1); - } - - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCSETFF, &flag) != 0) { - perror("ioctl(SIOCSETFF)"); - exit(1); - } - } - - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - /* - * Even though the ioctls above succeeded, it - * is possible that a calling script/program - * relies on the following verbose mode string. - * Thus, we still take an error exit if get_flags - * fails here. 
- */ - if (get_flags(&flag)) - exit(1); - printf("log flag is now %#x\n", flag); - } -} - - -static void flushfilter(arg) -char *arg; -{ - int fl = 0, rem; - - if (!arg || !*arg) { - fprintf(stderr, "-F: no filter specified\n"); - exit(1); - } - - if (!strcmp(arg, "s") || !strcmp(arg, "S")) { - if (*arg == 'S') - fl = 0; - else - fl = 1; - rem = fl; - - closedevice(); - - if (opendevice(IPL_STATE) == -1) { - exit(1); - } - - if (!(opts & OPT_DONOTHING)) { - if (use_inet6) { - if (ioctl(fd, SIOCIPFL6, &fl) == -1) { - perror("ioctl(SIOCIPFL6)"); - exit(1); - } - } else { - if (ioctl(fd, SIOCIPFFL, &fl) == -1) { - perror("ioctl(SIOCIPFFL)"); - exit(1); - } - } - } - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - printf("remove flags %s (%d)\n", arg, rem); - printf("removed %d filter rules\n", fl); - } - closedevice(); - return; - } - if (strchr(arg, 'i') || strchr(arg, 'I')) - fl = FR_INQUE; - if (strchr(arg, 'o') || strchr(arg, 'O')) - fl = FR_OUTQUE; - if (strchr(arg, 'a') || strchr(arg, 'A')) - fl = FR_OUTQUE|FR_INQUE; - fl |= (opts & FR_INACTIVE); - rem = fl; - - if (opendevice(ipfname) == -1) { - exit(1); - } - - if (!(opts & OPT_DONOTHING)) { - if (use_inet6) { - if (ioctl(fd, SIOCIPFL6, &fl) == -1) { - perror("ioctl(SIOCIPFL6)"); - exit(1); - } - } else { - if (ioctl(fd, SIOCIPFFL, &fl) == -1) { - perror("ioctl(SIOCIPFFL)"); - exit(1); - } - } - } - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "", - (rem & FR_OUTQUE) ? 
"O" : "", rem); - printf("removed %d filter rules\n", fl); - } - return; -} - - -static void swapactive() -{ - int in = 2; - - if (opendevice(ipfname) == -1) { - exit(1); - } - - - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCSWAPA, &in) == -1) { - perror("ioctl(SIOCSWAPA)"); - exit(1); - } - } - printf("Set %d now inactive\n", in); -} - - -void frsync() -{ - int frsyn = 0; - - if (opendevice(ipfname) == -1) - exit(1); - - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) { - perror("SIOCFRSYN"); - exit(1); - } - } - printf("filter sync'd\n"); -} - - -void zerostats() -{ - friostat_t fio; - friostat_t *fiop = &fio; - - if (opendevice(ipfname) == -1) - exit(1); - - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCFRZST, &fiop) == -1) { - perror("ioctl(SIOCFRZST)"); - exit(-1); - } - showstats(fiop); - } - -} - - -/* - * Read the kernel stats for packets blocked and passed - */ -static void showstats(fp) -friostat_t *fp; -{ -#if SOLARIS - printf("dropped packets:\tin %lu\tout %lu\n", - fp->f_st[0].fr_drop, fp->f_st[1].fr_drop); - printf("non-ip packets:\t\tin %lu\tout %lu\n", - fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); - printf(" bad packets:\t\tin %lu\tout %lu\n", - fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); -#endif - printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu", - fp->f_st[0].fr_block, fp->f_st[0].fr_pass, - fp->f_st[0].fr_nom); - printf(" counted %lu\n", fp->f_st[0].fr_acct); - printf("output packets:\t\tblocked %lu passed %lu nomatch %lu", - fp->f_st[1].fr_block, fp->f_st[1].fr_pass, - fp->f_st[1].fr_nom); - printf(" counted %lu\n", fp->f_st[0].fr_acct); - printf(" input packets logged:\tblocked %lu passed %lu\n", - fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); - printf("output packets logged:\tblocked %lu passed %lu\n", - fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl); - printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n", - fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip, - fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip); -} - - 
-#if SOLARIS -static void blockunknown() -{ - int flag; - - if (opendevice(ipfname) == -1) - exit(1); - - if (get_flags(&flag)) - exit(1); - - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) - printf("log flag is currently %#x\n", flag); - - flag ^= FF_BLOCKNONIP; - - if (opendevice(ipfname) == -1) - exit(1); - - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCSETFF, &flag)) - perror("ioctl(SIOCSETFF)"); - } - - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - if (ioctl(fd, SIOCGETFF, &flag)) - perror("ioctl(SIOCGETFF)"); - - printf("log flag is now %#x\n", flag); - } -} -#endif - - -/* - * nonzero return value means caller should exit with error - */ -static int showversion() -{ - struct friostat fio; - struct friostat *fiop=&fio; - int flags, vfd; - char *s; - - printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t)); - - if ((vfd = open(ipfname, O_RDONLY)) == -1) { - perror("open device"); - return 1; - } - - if (ioctl(vfd, SIOCGETFS, &fiop)) { - perror("ioctl(SIOCGETFS)"); - close(vfd); - return 1; - } - close(vfd); - - printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version), - (int)sizeof(fio.f_version), fio.f_version); - printf("Running: %s\n", fio.f_running ? "yes" : "no"); - - if (get_flags(&flags)) { - return 1; - } - printf("Log Flags: %#x = ", flags); - s = ""; - if (flags & FF_LOGPASS) { - printf("pass"); - s = ", "; - } - if (flags & FF_LOGBLOCK) { - printf("%sblock", s); - s = ", "; - } - if (flags & FF_LOGNOMATCH) { - printf("%snomatch", s); - s = ", "; - } - if (flags & FF_BLOCKNONIP) { - printf("%snonip", s); - s = ", "; - } - if (!*s) - printf("none set"); - putchar('\n'); - - printf("Default: "); - if (fio.f_defpass & FR_PASS) - s = "pass"; - else if (fio.f_defpass & FR_BLOCK) - s = "block"; - else - s = "nomatch -> block"; - printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un"); - printf("Active list: %d\n", fio.f_active); - - return 0; -} 
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
deleted file mode 100644
index ffbd71bd6488..000000000000
--- a/contrib/ipfilter/ipfs.c
+++ /dev/null
@@ -1,859 +0,0 @@ -/* - * Copyright (C) 1999-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#ifdef __FreeBSD__ -# ifndef __FreeBSD_cc_version -# include <osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <osreldate.h> -# endif -# endif -#endif -#include <stdio.h> -#include <unistd.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#if !defined(__SVR4) && !defined(__GNUC__) -#include <strings.h> -#endif -#include <sys/types.h> -#include <sys/param.h> -#include <sys/file.h> -#include <stdlib.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <sys/time.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netinet/ip.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" -#include "ipf.h" - -#if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.15 2003/05/31 02:12:21 darrenr Exp $"; -#endif - -#ifndef IPF_SAVEDIR -# define IPF_SAVEDIR "/var/db/ipf" -#endif -#ifndef IPF_NATFILE -# define IPF_NATFILE "ipnat.ipf" -#endif -#ifndef IPF_STATEFILE -# define IPF_STATEFILE "ipstate.ipf" -#endif - -#if !defined(__SVR4) && defined(__GNUC__) -extern char *index __P((const char *, int)); -#endif - -extern char *optarg; -extern int optind; - -int main __P((int, char *[])); -void usage __P((void)); -int changestateif __P((char *, char *)); -int changenatif __P((char *, char *)); -int readstate __P((int, char *)); -int readnat __P((int, char *)); -int writestate __P((int, char *)); -int opendevice __P((char *)); -void closedevice __P((int)); -int setlock __P((int, int)); -int writeall __P((char *)); -int readall __P((char *)); -int writenat __P((int, char *)); -char *concat __P((char *, char *)); - -int opts = 0; -char *progname; - - -void usage() -{ - 
fprintf(stderr, "\ -usage: %s [-nv] -l\n\ -usage: %s [-nv] -u\n\ -usage: %s [-nv] [-d <dir>] -R\n\ -usage: %s [-nv] [-d <dir>] -W\n\ -usage: %s [-nv] -N [-f <file> | -d <dir>] -r\n\ -usage: %s [-nv] -S [-f <file> | -d <dir>] -r\n\ -usage: %s [-nv] -N [-f <file> | -d <dir>] -w\n\ -usage: %s [-nv] -S [-f <file> | -d <dir>] -w\n\ -usage: %s [-nv] -N [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\ -usage: %s [-nv] -S [-f <filename> | -d <dir> ] -i <if1>,<if2>\n\ -", progname, progname, progname, progname, progname, progname, - progname, progname, progname, progname); - exit(1); -} - - -/* - * Change interface names in state information saved out to disk. - */ -int changestateif(ifs, fname) -char *ifs, *fname; -{ - int fd, olen, nlen, rw; - ipstate_save_t ips; - off_t pos; - char *s; - - s = strchr(ifs, ','); - if (!s) - usage(); - *s++ = '\0'; - nlen = strlen(s); - olen = strlen(ifs); - if (nlen >= sizeof(ips.ips_is.is_ifname) || - olen >= sizeof(ips.ips_is.is_ifname)) - usage(); - - fd = open(fname, O_RDWR); - if (fd == -1) { - perror("open"); - exit(1); - } - - for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) { - rw = 0; - if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) { - strcpy(ips.ips_is.is_ifname[0], s); - rw = 1; - } - if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) { - strcpy(ips.ips_is.is_ifname[1], s); - rw = 1; - } - if (rw == 1) { - if (lseek(fd, pos, SEEK_SET) != pos) { - perror("lseek"); - exit(1); - } - if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) { - perror("write"); - exit(1); - } - } - pos = lseek(fd, 0, SEEK_CUR); - } - close(fd); - - return 0; -} - - -/* - * Change interface names in NAT information saved out to disk. 
- */ -int changenatif(ifs, fname) -char *ifs, *fname; -{ - int fd, olen, nlen, rw; - nat_save_t ipn; - nat_t *nat; - off_t pos; - char *s; - - s = strchr(ifs, ','); - if (!s) - usage(); - *s++ = '\0'; - nlen = strlen(s); - olen = strlen(ifs); - nat = &ipn.ipn_nat; - if (nlen >= sizeof(nat->nat_ifname) || olen >= sizeof(nat->nat_ifname)) - usage(); - - fd = open(fname, O_RDWR); - if (fd == -1) { - perror("open"); - exit(1); - } - - for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) { - rw = 0; - if (!strncmp(nat->nat_ifname, ifs, olen + 1)) { - strcpy(nat->nat_ifname, s); - rw = 1; - } - if (rw == 1) { - if (lseek(fd, pos, SEEK_SET) != pos) { - perror("lseek"); - exit(1); - } - if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) { - perror("write"); - exit(1); - } - } - pos = lseek(fd, 0, SEEK_CUR); - } - close(fd); - - return 0; -} - - -int main(argc,argv) -int argc; -char *argv[]; -{ - int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0; - char *dirname = NULL, *filename = NULL, *ifs = NULL; - - progname = argv[0]; - - while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1) - switch (c) - { - case 'd' : - if ((set == 0) && !dirname && !filename) - dirname = optarg; - else - usage(); - break; - case 'f' : - if ((set == 1) && !dirname && !filename && !(rw & 2)) - filename = optarg; - else - usage(); - break; - case 'i' : - ifs = optarg; - set = 1; - break; - case 'l' : - if (filename || dirname || set) - usage(); - lock = 1; - set = 1; - break; - case 'n' : - opts |= OPT_DONOTHING; - break; - case 'N' : - if ((ns >= 0) || dirname || (rw != -1) || set) - usage(); - ns = 0; - set = 1; - break; - case 'r' : - if (dirname || (rw != -1) || (ns == -1)) - usage(); - rw = 0; - set = 1; - break; - case 'R' : - if (filename || (ns != -1)) - usage(); - rw = 2; - set = 1; - break; - case 'S' : - if ((ns >= 0) || dirname || (rw != -1) || set) - usage(); - ns = 1; - set = 1; - break; - case 'u' : - if (filename || dirname || set) - usage(); - lock = 0; - set 
= 1; - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - case 'w' : - if (dirname || (rw != -1) || (ns == -1)) - usage(); - rw = 1; - set = 1; - break; - case 'W' : - if (filename || (ns != -1)) - usage(); - rw = 3; - set = 1; - break; - case '?' : - default : - usage(); - } - - if (optind < 2) - usage(); - - if (filename == NULL) { - if (ns == 0) { - if (dirname == NULL) - dirname = IPF_SAVEDIR; - if (dirname[strlen(dirname) - 1] != '/') - dirname = concat(dirname, "/"); - filename = concat(dirname, IPF_NATFILE); - } else if (ns == 1) { - if (dirname == NULL) - dirname = IPF_SAVEDIR; - if (dirname[strlen(dirname) - 1] != '/') - dirname = concat(dirname, "/"); - filename = concat(dirname, IPF_STATEFILE); - } - } - - if (ifs) { - if (!filename || ns < 0) - usage(); - if (ns == 0) - return changenatif(ifs, filename); - else - return changestateif(ifs, filename); - } - - if ((ns >= 0) || (lock >= 0)) { - if (lock >= 0) - devfd = opendevice(NULL); - else if (ns >= 0) { - if (ns == 1) - devfd = opendevice(IPL_STATE); - else if (ns == 0) - devfd = opendevice(IPL_NAT); - } - if (devfd == -1) - exit(1); - } - - if (lock >= 0) - err = setlock(devfd, lock); - else if (rw >= 0) { - if (rw & 1) { /* WRITE */ - if (rw & 2) - err = writeall(dirname); - else { - if (ns == 0) - err = writenat(devfd, filename); - else if (ns == 1) - err = writestate(devfd, filename); - } - } else { - if (rw & 2) - err = readall(dirname); - else { - if (ns == 0) - err = readnat(devfd, filename); - else if (ns == 1) - err = readstate(devfd, filename); - } - } - } - return err; -} - - -char *concat(base, append) -char *base, *append; -{ - char *str; - - str = malloc(strlen(base) + strlen(append) + 1); - if (str != NULL) { - strcpy(str, base); - strcat(str, append); - } - return str; -} - - -int opendevice(ipfdev) -char *ipfdev; -{ - int fd = -1; - - if (opts & OPT_DONOTHING) - return -2; - - if (!ipfdev) - ipfdev = IPL_NAME; - - if ((fd = open(ipfdev, O_RDWR)) == -1) - if ((fd = open(ipfdev, 
O_RDONLY)) == -1) - perror("open device"); - return fd; -} - - -void closedevice(fd) -int fd; -{ - close(fd); -} - - -int setlock(fd, lock) -int fd, lock; -{ - if (opts & OPT_VERBOSE) - printf("Turn lock %s\n", lock ? "on" : "off"); - if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, SIOCSTLCK, &lock) == -1) { - perror("SIOCSTLCK"); - return 1; - } - if (opts & OPT_VERBOSE) - printf("Lock now %s\n", lock ? "on" : "off"); - } - return 0; -} - - -int writestate(fd, file) -int fd; -char *file; -{ - ipstate_save_t ips, *ipsp; - int wfd = -1; - - if (!file) - file = IPF_STATEFILE; - - wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); - if (wfd == -1) { - fprintf(stderr, "%s ", file); - perror("state:open"); - return 1; - } - - ipsp = &ips; - bzero((char *)ipsp, sizeof(ips)); - - do { - if (opts & OPT_VERBOSE) - printf("Getting state from addr %p\n", ips.ips_next); - if (ioctl(fd, SIOCSTGET, &ipsp)) { - if (errno == ENOENT) - break; - perror("state:SIOCSTGET"); - close(wfd); - return 1; - } - if (opts & OPT_VERBOSE) - printf("Got state next %p\n", ips.ips_next); - if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) { - perror("state:write"); - close(wfd); - return 1; - } - } while (ips.ips_next != NULL); - close(wfd); - - return 0; -} - - -int readstate(fd, file) -int fd; -char *file; -{ - ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL; - int sfd = -1, i; - - if (!file) - file = IPF_STATEFILE; - - sfd = open(file, O_RDONLY, 0600); - if (sfd == -1) { - fprintf(stderr, "%s ", file); - perror("open"); - return 1; - } - - bzero((char *)&ips, sizeof(ips)); - - /* - * 1. Read all state information in. 
- */ - do { - i = read(sfd, &ips, sizeof(ips)); - if (i == -1) { - perror("read"); - close(sfd); - return 1; - } - if (i == 0) - break; - if (i != sizeof(ips)) { - fprintf(stderr, "incomplete read: %d != %d\n", i, - (int)sizeof(ips)); - close(sfd); - return 1; - } - is = (ipstate_save_t *)malloc(sizeof(*is)); - if(!is) { - fprintf(stderr, "malloc failed\n"); - return 1; - } - - bcopy((char *)&ips, (char *)is, sizeof(ips)); - - /* - * Check to see if this is the first state entry that will - * reference a particular rule and if so, flag it as such - * else just adjust the rule pointer to become a pointer to - * the other. We do this so we have a means later for tracking - * who is referencing us when we get back the real pointer - * in is_rule after doing the ioctl. - */ - for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next) - if (is1->ips_rule == is->ips_rule) - break; - if (is1 == NULL) - is->ips_is.is_flags |= FI_NEWFR; - else - is->ips_rule = (void *)&is1->ips_rule; - - /* - * Use a tail-queue type list (add things to the end).. 
- */ - is->ips_next = NULL; - if (!ipshead) - ipshead = is; - if (ipstail) - ipstail->ips_next = is; - ipstail = is; - } while (1); - - close(sfd); - - for (is = ipshead; is; is = is->ips_next) { - if (opts & OPT_VERBOSE) - printf("Loading new state table entry\n"); - if (is->ips_is.is_flags & FI_NEWFR) { - if (opts & OPT_VERBOSE) - printf("Loading new filter rule\n"); - } - if (!(opts & OPT_DONOTHING)) - if (ioctl(fd, SIOCSTPUT, &is)) { - perror("SIOCSTPUT"); - return 1; - } - - if (is->ips_is.is_flags & FI_NEWFR) { - if (opts & OPT_VERBOSE) - printf("Real rule addr %p\n", is->ips_rule); - for (is1 = is->ips_next; is1; is1 = is1->ips_next) - if (is1->ips_rule == (frentry_t *)&is->ips_rule) - is1->ips_rule = is->ips_rule; - } - } - - return 0; -} - - -int readnat(fd, file) -int fd; -char *file; -{ - nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL; - int nfd = -1, i; - nat_t *nat; - char *s; - int n; - - if (!file) - file = IPF_NATFILE; - - nfd = open(file, O_RDONLY); - if (nfd == -1) { - fprintf(stderr, "%s ", file); - perror("nat:open"); - return 1; - } - - bzero((char *)&ipn, sizeof(ipn)); - - /* - * 1. Read all state information in. 
- */ - do { - i = read(nfd, &ipn, sizeof(ipn)); - if (i == -1) { - perror("read"); - close(nfd); - return 1; - } - if (i == 0) - break; - if (i != sizeof(ipn)) { - fprintf(stderr, "incomplete read: %d != %d\n", i, - (int)sizeof(ipn)); - close(nfd); - return 1; - } - - if (ipn.ipn_dsize > 0) { - n = ipn.ipn_dsize; - - if (n > sizeof(ipn.ipn_data)) - n -= sizeof(ipn.ipn_data); - else - n = 0; - in = malloc(sizeof(*in) + n); - if (!in) - break; - - if (n > 0) { - s = in->ipn_data + sizeof(in->ipn_data); - i = read(nfd, s, n); - if (i == 0) - break; - if (i != n) { - fprintf(stderr, - "incomplete read: %d != %d\n", - i, n); - close(nfd); - return 1; - } - } - } else - in = (nat_save_t *)malloc(sizeof(*in)); - bcopy((char *)&ipn, (char *)in, sizeof(ipn)); - - /* - * Check to see if this is the first NAT entry that will - * reference a particular rule and if so, flag it as such - * else just adjust the rule pointer to become a pointer to - * the other. We do this so we have a means later for tracking - * who is referencing us when we get back the real pointer - * in is_rule after doing the ioctl. - */ - nat = &in->ipn_nat; - if (nat->nat_fr != NULL) { - for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next) - if (in1->ipn_rule == nat->nat_fr) - break; - if (in1 == NULL) - nat->nat_flags |= FI_NEWFR; - else - nat->nat_fr = &in1->ipn_fr; - } - - /* - * Use a tail-queue type list (add things to the end).. 
- */ - in->ipn_next = NULL; - if (!ipnhead) - ipnhead = in; - if (ipntail) - ipntail->ipn_next = in; - ipntail = in; - } while (1); - - close(nfd); - nfd = -1; - - for (in = ipnhead; in; in = in->ipn_next) { - if (opts & OPT_VERBOSE) - printf("Loading new NAT table entry\n"); - nat = &in->ipn_nat; - if (nat->nat_flags & FI_NEWFR) { - if (opts & OPT_VERBOSE) - printf("Loading new filter rule\n"); - } - if (!(opts & OPT_DONOTHING)) - if (ioctl(fd, SIOCSTPUT, &in)) { - perror("SIOCSTPUT"); - return 1; - } - - if (nat->nat_flags & FI_NEWFR) { - if (opts & OPT_VERBOSE) - printf("Real rule addr %p\n", nat->nat_fr); - for (in1 = in->ipn_next; in1; in1 = in1->ipn_next) - if (in1->ipn_rule == &in->ipn_fr) - in1->ipn_rule = nat->nat_fr; - } - } - - return 0; -} - - -int writenat(fd, file) -int fd; -char *file; -{ - nat_save_t *ipnp = NULL, *next = NULL; - int nfd = -1; - natget_t ng; - - if (!file) - file = IPF_NATFILE; - - nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); - if (nfd == -1) { - fprintf(stderr, "%s ", file); - perror("nat:open"); - return 1; - } - - - do { - if (opts & OPT_VERBOSE) - printf("Getting nat from addr %p\n", ipnp); - ng.ng_ptr = next; - ng.ng_sz = 0; - if (ioctl(fd, SIOCSTGSZ, &ng)) { - perror("nat:SIOCSTGSZ"); - close(nfd); - return 1; - } - - if (opts & OPT_VERBOSE) - printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr); - - if (ng.ng_sz == 0) - break; - - if (!ipnp) - ipnp = malloc(ng.ng_sz); - else - ipnp = realloc((char *)ipnp, ng.ng_sz); - if (!ipnp) { - fprintf(stderr, - "malloc for %d bytes failed\n", ng.ng_sz); - break; - } - - bzero((char *)ipnp, ng.ng_sz); - ipnp->ipn_next = next; - if (ioctl(fd, SIOCSTGET, &ipnp)) { - if (errno == ENOENT) - break; - perror("nat:SIOCSTGET"); - close(nfd); - return 1; - } - - if (opts & OPT_VERBOSE) - printf("Got nat next %p\n", ipnp->ipn_next); - if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) { - perror("nat:write"); - close(nfd); - return 1; - } - next = ipnp->ipn_next; - } while (ipnp && next); - 
close(nfd); - - return 0; -} - - -int writeall(dirname) -char *dirname; -{ - int fd, devfd; - - if (!dirname) - dirname = IPF_SAVEDIR; - - if (chdir(dirname)) { - fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname); - perror("chdir(IPF_SAVEDIR)"); - return 1; - } - - fd = opendevice(NULL); - if (fd == -1) - return 1; - if (setlock(fd, 1)) { - close(fd); - return 1; - } - - devfd = opendevice(IPL_STATE); - if (devfd == -1) - goto bad; - if (writestate(devfd, NULL)) - goto bad; - close(devfd); - - devfd = opendevice(IPL_NAT); - if (devfd == -1) - goto bad; - if (writenat(devfd, NULL)) - goto bad; - close(devfd); - - if (setlock(fd, 0)) { - close(fd); - return 1; - } - - return 0; - -bad: - setlock(fd, 0); - close(fd); - return 1; -} - - -int readall(dirname) -char *dirname; -{ - int fd, devfd; - - if (!dirname) - dirname = IPF_SAVEDIR; - - if (chdir(dirname)) { - perror("chdir(IPF_SAVEDIR)"); - return 1; - } - - fd = opendevice(NULL); - if (fd == -1) - return 1; - if (setlock(fd, 1)) { - close(fd); - return 1; - } - - devfd = opendevice(IPL_STATE); - if (devfd == -1) - return 1; - if (readstate(devfd, NULL)) - return 1; - close(devfd); - - devfd = opendevice(IPL_NAT); - if (devfd == -1) - return 1; - if (readnat(devfd, NULL)) - return 1; - close(devfd); - - if (setlock(fd, 0)) { - close(fd); - return 1; - } - - return 0; -} diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c deleted file mode 100644 index c8ae3f2a5934..000000000000 --- a/contrib/ipfilter/ipft_ef.c +++ /dev/null 
@@ -1,155 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ - -/* - icmp type - lnth proto source destination src port dst port - -etherfind -n - - 60 tcp 128.250.20.20 128.250.133.13 2419 telnet - -etherfind -n -t - - 0.32 91 04 131.170.1.10 128.250.133.13 - 0.33 566 udp 128.250.37.155 128.250.133.3 901 901 -*/ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#if !defined(__SVR4) && !defined(__GNUC__) -#include <strings.h> -#endif -#include <sys/types.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/param.h> -#include <sys/time.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> -#include <net/if.h> -#include <netdb.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.5 2003/05/19 12:02:35 darrenr Exp $"; -#endif - -static int etherf_open __P((char *)); -static int etherf_close __P((void)); -static int etherf_readip __P((char *, int, char **, int *)); - -struct ipread etherf = { etherf_open, etherf_close, etherf_readip }; - -static FILE *efp = NULL; -static int efd = -1; - - -static int etherf_open(fname) -char *fname; -{ - if (efd != -1) - return efd; - - if (!strcmp(fname, "-")) { - efd = 0; - efp = stdin; - } else { - efd = open(fname, O_RDONLY); - efp = fdopen(efd, "r"); - } - return efd; -} - - -static int etherf_close() -{ - return close(efd); -} - - -static int etherf_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - struct tcpiphdr pkt; - ip_t 
*ip = (ip_t *)&pkt; - struct protoent *p = NULL; - char src[16], dst[16], sprt[16], dprt[16]; - char lbuf[128], len[8], prot[8], time[8], *s; - int slen, extra = 0, i; - - if (!fgets(lbuf, sizeof(lbuf) - 1, efp)) - return 0; - - if ((s = strchr(lbuf, '\n'))) - *s = '\0'; - lbuf[sizeof(lbuf)-1] = '\0'; - - bzero(&pkt, sizeof(pkt)); - - if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst, - sprt, dprt) != 6) - if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time, - len, prot, src, dst, sprt, dprt) != 7) - return -1; - - ip->ip_p = atoi(prot); - if (ip->ip_p == 0) { - if (!(p = getprotobyname(prot))) - return -1; - ip->ip_p = p->p_proto; - } - - switch (ip->ip_p) { - case IPPROTO_TCP : - case IPPROTO_UDP : - s = strtok(NULL, " :"); - ip->ip_len += atoi(s); - if (p->p_proto == IPPROTO_TCP) - extra = sizeof(struct tcphdr); - else if (p->p_proto == IPPROTO_UDP) - extra = sizeof(struct udphdr); - break; -#ifdef IGMP - case IPPROTO_IGMP : - extra = sizeof(struct igmp); - break; -#endif - case IPPROTO_ICMP : - extra = sizeof(struct icmp); - break; - default : - break; - } - - (void) inet_aton(src, &ip->ip_src); - (void) inet_aton(dst, &ip->ip_dst); - ip->ip_len = atoi(len); - ip->ip_hl = sizeof(ip_t); - - slen = ip->ip_hl + extra; - i = MIN(cnt, slen); - bcopy((char *)&pkt, buf, i); - return i; -} diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c deleted file mode 100644 index b26bd93e02aa..000000000000 --- a/contrib/ipfilter/ipft_hx.c +++ /dev/null 
@@ -1,173 +0,0 @@ -/* - * Copyright (C) 1995-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <ctype.h> -#include <assert.h> -#include <string.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/param.h> -#include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/udp.h> -#include <netinet/tcp.h> -#include <netinet/ip_icmp.h> -#include <net/if.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.6 2002/12/06 11:40:25 darrenr Exp $"; -#endif - -extern int opts; - -static int hex_open __P((char *)); -static int hex_close __P((void)); -static int hex_readip __P((char *, int, char **, int *)); -static char *readhex __P((char *, char *)); - -struct ipread iphex = { hex_open, hex_close, hex_readip }; -static FILE *tfp = NULL; -static int tfd = -1; - -static int hex_open(fname) -char *fname; -{ - if (tfp && tfd != -1) { - rewind(tfp); - return tfd; - } - - if (!strcmp(fname, "-")) { - tfd = 0; - tfp = stdin; - } else { - tfd = open(fname, O_RDONLY); - if (tfd != -1) - tfp = fdopen(tfd, "r"); - } - return tfd; -} - - -static int hex_close() -{ - int cfd = tfd; - - tfd = -1; - return close(cfd); -} - - -static int hex_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - register char *s, *t, *u; - char line[513]; - ip_t *ip; - - /* - * 
interpret start of line as possibly "[ifname]" or - * "[in/out,ifname]". - */ - if (ifn) - *ifn = NULL; - if (dir) - *dir = 0; - ip = (ip_t *)buf; - while (fgets(line, sizeof(line)-1, tfp)) { - if ((s = index(line, '\n'))) { - if (s == line) - return (char *)ip - buf; - *s = '\0'; - } - if ((s = index(line, '#'))) - *s = '\0'; - if (!*line) - continue; - if (!(opts & OPT_BRIEF)) { - printf("input: %s\n", line); - fflush(stdout); - } - - if ((*line == '[') && (s = index(line, ']'))) { - t = line + 1; - if (s - t > 0) { - *s++ = '\0'; - if ((u = index(t, ',')) && (u < s)) { - u++; - if (ifn) - *ifn = strdup(u); - if (dir) { - if (*t == 'i') - *dir = 0; - else if (*t == 'o') - *dir = 1; - } - } else if (ifn) - *ifn = t; - } - } else - s = line; - ip = (ip_t *)readhex(s, (char *)ip); - } - return -1; -} - - -static char *readhex(src, dst) -register char *src, *dst; -{ - int state = 0; - char c; - - while ((c = *src++)) { - if (isspace(c)) { - if (state) { - dst++; - state = 0; - } - continue; - } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || - (c >= 'A' && c <= 'F')) { - c = isdigit(c) ? (c - '0') : (toupper(c) - 55); - if (state == 0) { - *dst = (c << 4); - state++; - } else { - *dst++ |= c; - state = 0; - } - } else - break; - } - return dst; -} diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c deleted file mode 100644 index b6060de2297d..000000000000 --- a/contrib/ipfilter/ipft_pc.c +++ /dev/null 
@@ -1,275 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "pcap.h"
-#include "bpf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.5 2002/12/06 11:40:25 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_type;
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */ - -static struct llc llcs[] = { - { DLT_NULL, 0, 0, 0 }, - { DLT_EN10MB, 14, 12, 2 }, - { DLT_EN3MB, 0, 0, 0 }, - { DLT_AX25, 0, 0, 0 }, - { DLT_PRONET, 0, 0, 0 }, - { DLT_CHAOS, 0, 0, 0 }, - { DLT_IEEE802, 0, 0, 0 }, - { DLT_ARCNET, 0, 0, 0 }, - { DLT_SLIP, 0, 0, 0 }, - { DLT_PPP, 0, 0, 0 }, - { DLT_FDDI, 0, 0, 0 }, -#ifdef DLT_ATMRFC1483 - { DLT_ATMRFC1483, 0, 0, 0 }, -#endif - { DLT_RAW, 0, 0, 0 }, -#ifdef DLT_ENC - { DLT_ENC, 0, 0, 0 }, -#endif -#ifdef DLT_SLIP_BSDOS - { DLT_SLIP_BSDOS, 0, 0, 0 }, -#endif -#ifdef DLT_PPP_BSDOS - { DLT_PPP_BSDOS, 0, 0, 0 }, -#endif -#ifdef DLT_HIPPI - { DLT_HIPPI, 0, 0, 0 }, -#endif -#ifdef DLT_HDLC - { DLT_HDLC, 0, 0, 0 }, -#endif -#ifdef DLT_PPP_SERIAL - { DLT_PPP_SERIAL, 4, 4, 0 }, -#endif -#ifdef DLT_PPP_ETHER - { DLT_PPP_ETHER, 8, 8, 0 }, -#endif -#ifdef DLT_ECONET - { DLT_ECONET, 0, 0, 0 }, -#endif - { -1, -1, -1, -1 } -}; - -static int pcap_open __P((char *)); -static int pcap_close __P((void)); -static int pcap_readip __P((char *, int, char **, int *)); -static void swap_hdr __P((pcaphdr_t *)); -static int pcap_read_rec __P((struct pcap_pkthdr *)); - -static int pfd = -1, s_type = -1, swapped = 0; -static struct llc *llcp = NULL; - -struct ipread pcap = { pcap_open, pcap_close, pcap_readip }; - -#define SWAPLONG(y) \ - ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) -#define SWAPSHORT(y) \ - ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) ) - -static void swap_hdr(p) -pcaphdr_t *p; -{ - p->pc_v_maj = SWAPSHORT(p->pc_v_maj); - p->pc_v_min = SWAPSHORT(p->pc_v_min); - p->pc_zone = SWAPLONG(p->pc_zone); - p->pc_sigfigs = SWAPLONG(p->pc_sigfigs); - p->pc_slen = SWAPLONG(p->pc_slen); - p->pc_type = SWAPLONG(p->pc_type); -} - -static int pcap_open(fname) -char *fname; -{ - pcaphdr_t ph; - int fd, i; - - if (pfd != -1) - return pfd; - - if (!strcmp(fname, "-")) - fd = 0; - else if ((fd = open(fname, O_RDONLY)) == -1) - return -1; - - if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph)) - return -2; - - 
if (ph.pc_id != TCPDUMP_MAGIC) { - if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) { - (void) close(fd); - return -2; - } - swapped = 1; - swap_hdr(&ph); - } - - if (ph.pc_v_maj != PCAP_VERSION_MAJ) { - (void) close(fd); - return -2; - } - - for (i = 0; llcs[i].lc_type != -1; i++) - if (llcs[i].lc_type == ph.pc_type) { - llcp = llcs + i; - break; - } - - if (llcp == NULL) { - (void) close(fd); - return -2; - } - - pfd = fd; - s_type = ph.pc_type; - printf("opened pcap file %s:\n", fname); - printf("\tid: %08x version: %d.%d type: %d snap %d\n", - ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen); - - return fd; -} - - -static int pcap_close() -{ - return close(pfd); -} - - -/* - * read in the header (and validate) which should be the first record - * in a pcap file. - */ -static int pcap_read_rec(rec) -struct pcap_pkthdr *rec; -{ - int n, p; - - if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec)) - return -2; - - if (swapped) { - rec->ph_clen = SWAPLONG(rec->ph_clen); - rec->ph_len = SWAPLONG(rec->ph_len); - rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec); - rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec); - } - p = rec->ph_clen; - n = MIN(p, rec->ph_len); - if (!n || n < 0) - return -3; - - return p; -} - - -#ifdef notyet -/* - * read an entire pcap packet record. only the data part is copied into - * the available buffer, with the number of bytes copied returned. 
- */ -static int pcap_read(buf, cnt) -char *buf; -int cnt; -{ - struct pcap_pkthdr rec; - static char *bufp = NULL; - int i, n; - - if ((i = pcap_read_rec(&rec)) <= 0) - return i; - - if (!bufp) - bufp = malloc(i); - else - bufp = realloc(bufp, i); - - if (read(pfd, bufp, i) != i) - return -2; - - n = MIN(i, cnt); - bcopy(bufp, buf, n); - return n; -} -#endif - - -/* - * return only an IP packet read into buf - */ -static int pcap_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - static char *bufp = NULL; - struct pcap_pkthdr rec; - struct llc *l; - char *s, ty[4]; - int i, n; - - l = llcp; - - /* do { */ - if ((i = pcap_read_rec(&rec)) <= 0) - return i; - - if (!bufp) - bufp = malloc(i); - else - bufp = realloc(bufp, i); - s = bufp; - - if (read(pfd, s, i) != i) - return -2; - - i -= l->lc_sz; - s += l->lc_to; - bcopy(s, ty, l->lc_tl); - s += l->lc_tl; - /* } while (ty[0] != 0x8 && ty[1] != 0); */ - n = MIN(i, cnt); - bcopy(s, buf, n); - return n; -} diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c deleted file mode 100644 index 859bf5ed9df7..000000000000 --- a/contrib/ipfilter/ipft_sn.c +++ /dev/null 
@@ -1,219 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ - -/* - * Written to comply with the recent RFC 1761 from Sun. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#if !defined(__SVR4) && !defined(__GNUC__) -#include <strings.h> -#endif -#include <sys/types.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/param.h> -#include <sys/time.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <net/if.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ipf.h" -#include "snoop.h" -#include "ipt.h" - -#if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $"; -#endif - -struct llc { - int lc_sz; /* LLC header length */ - int lc_to; /* LLC Type offset */ - int lc_tl; /* LLC Type length */ -}; - -/* - * While many of these maybe the same, some do have different header formats - * which make this useful. 
- */ -static struct llc llcs[SDL_MAX+1] = { - { 0, 0, 0 }, /* SDL_8023 */ - { 0, 0, 0 }, /* SDL_8024 */ - { 0, 0, 0 }, /* SDL_8025 */ - { 0, 0, 0 }, /* SDL_8026 */ - { 14, 12, 2 }, /* SDL_ETHER */ - { 0, 0, 0 }, /* SDL_HDLC */ - { 0, 0, 0 }, /* SDL_CHSYNC */ - { 0, 0, 0 }, /* SDL_IBMCC */ - { 0, 0, 0 }, /* SDL_FDDI */ - { 0, 0, 0 }, /* SDL_OTHER */ -}; - -static int snoop_open __P((char *)); -static int snoop_close __P((void)); -static int snoop_readip __P((char *, int, char **, int *)); - -static int sfd = -1, s_type = -1; -static int snoop_read_rec __P((struct snooppkt *)); - -struct ipread snoop = { snoop_open, snoop_close, snoop_readip }; - - -static int snoop_open(fname) -char *fname; -{ - struct snoophdr sh; - int fd; - int s_v; - - if (sfd != -1) - return sfd; - - if (!strcmp(fname, "-")) - fd = 0; - else if ((fd = open(fname, O_RDONLY)) == -1) - return -1; - - if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh)) - return -2; - - s_v = (int)ntohl(sh.s_v); - s_type = (int)ntohl(sh.s_type); - - if (s_v != SNOOP_VERSION || - s_type < 0 || s_type > SDL_MAX) { - (void) close(fd); - return -2; - } - - sfd = fd; - printf("opened snoop file %s:\n", fname); - printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type); - - return fd; -} - - -static int snoop_close() -{ - return close(sfd); -} - - -/* - * read in the header (and validate) which should be the first record - * in a snoop file. - */ -static int snoop_read_rec(rec) -struct snooppkt *rec; -{ - int n, plen, ilen; - - if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec)) - return -2; - - ilen = (int)ntohl(rec->sp_ilen); - plen = (int)ntohl(rec->sp_plen); - if (ilen > plen || plen < sizeof(*rec)) - return -2; - - plen -= sizeof(*rec); - n = MIN(plen, ilen); - if (!n || n < 0) - return -3; - - return plen; -} - - -#ifdef notyet -/* - * read an entire snoop packet record. only the data part is copied into - * the available buffer, with the number of bytes copied returned. 
- */ -static int snoop_read(buf, cnt) -char *buf; -int cnt; -{ - struct snooppkt rec; - static char *bufp = NULL; - int i, n; - - if ((i = snoop_read_rec(&rec)) <= 0) - return i; - - if (!bufp) - bufp = malloc(i); - else - bufp = realloc(bufp, i); - - if (read(sfd, bufp, i) != i) - return -2; - - n = MIN(i, cnt); - bcopy(bufp, buf, n); - return n; -} -#endif - - -/* - * return only an IP packet read into buf - */ -static int snoop_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - static char *bufp = NULL; - struct snooppkt rec; - struct llc *l; - char ty[4], *s; - int i, n; - - do { - if ((i = snoop_read_rec(&rec)) <= 0) - return i; - - if (!bufp) - bufp = malloc(i); - else - bufp = realloc(bufp, i); - s = bufp; - - if (read(sfd, s, i) != i) - return -2; - - l = &llcs[s_type]; - i -= l->lc_to; - s += l->lc_to; - /* - * XXX - bogus assumption here on the part of the time field - * that it won't be greater than 4 bytes and the 1st two will - * have the values 8 and 0 for IP. Should be a table of - * these too somewhere. Really only works for SDL_ETHER. - */ - bcopy(s, ty, l->lc_tl); - } while (ty[0] != 0x8 && ty[1] != 0); - - i -= l->lc_tl; - s += l->lc_tl; - n = MIN(i, cnt); - bcopy(s, buf, n); - - return n; -} diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c deleted file mode 100644 index 99beab5b6a44..000000000000 --- a/contrib/ipfilter/ipft_td.c +++ /dev/null 
@@ -1,193 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ - -/* -tcpdump -n - -00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap) - -tcpdump -nq - -00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap) - -tcpdump -nqt - -128.250.133.13.23 > 128.250.20.20.2419: tcp 27 - -tcpdump -nqtt - -123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27 - -tcpdump -nqte - -8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27 - -*/ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#if !defined(__SVR4) && !defined(__GNUC__) -#include <strings.h> -#endif -#include <sys/types.h> -#include <sys/param.h> -#include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> -#include <netinet/ip_icmp.h> -#include <net/if.h> -#include <netdb.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.6 2003/05/31 02:13:04 darrenr Exp $"; -#endif - -static int tcpd_open __P((char *)); -static int tcpd_close __P((void)); -static int tcpd_readip __P((char *, int, char **, int *)); -static int count_dots __P((char *)); - -struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip }; - -static FILE *tfp = NULL; -static int tfd = -1; - - -static int tcpd_open(fname) -char *fname; -{ - if (tfd != -1) - return tfd; - - if (!strcmp(fname, "-")) { - tfd = 0; - tfp = stdin; - } else { - tfd = open(fname, O_RDONLY); - tfp = 
fdopen(tfd, "r"); - } - return tfd; -} - - -static int tcpd_close() -{ - (void) fclose(tfp); - return close(tfd); -} - - -static int count_dots(str) -char *str; -{ - int i = 0; - - while (*str) - if (*str++ == '.') - i++; - return i; -} - - -static int tcpd_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - struct tcpiphdr pkt; - ip_t *ip = (ip_t *)&pkt; - struct protoent *p; - char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; - char lbuf[160], *s; - int n, slen, extra = 0; - - if (!fgets(lbuf, sizeof(lbuf) - 1, tfp)) - return 0; - - if ((s = strchr(lbuf, '\n'))) - *s = '\0'; - lbuf[sizeof(lbuf)-1] = '\0'; - - bzero(&pkt, sizeof(pkt)); - - if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3) - if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s", - time, src, dst, misc)) != 4) - if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s", - link1, link2, src, dst, misc)) != 5) { - n = sscanf(lbuf, - "%31s %31s %31s: %31s > %31s: %255s", - time, link1, link2, src, dst, misc); - if (n != 6) - return -1; - } - - if (count_dots(dst) == 4) { - s = strrchr(src, '.'); - *s++ = '\0'; - (void) inet_aton(src, &ip->ip_src); - pkt.ti_sport = htons(atoi(s)); - *--s = '.'; - s = strrchr(dst, '.'); - - *s++ = '\0'; - (void) inet_aton(src, &ip->ip_dst); - pkt.ti_dport = htons(atoi(s)); - *--s = '.'; - - } else { - (void) inet_aton(src, &ip->ip_src); - (void) inet_aton(src, &ip->ip_dst); - } - ip->ip_len = ip->ip_hl = sizeof(ip_t); - - s = strtok(misc, " :"); - if ((p = getprotobyname(s))) { - ip->ip_p = p->p_proto; - - switch (p->p_proto) { - case IPPROTO_TCP : - case IPPROTO_UDP : - s = strtok(NULL, " :"); - ip->ip_len += atoi(s); - if (p->p_proto == IPPROTO_TCP) - extra = sizeof(struct tcphdr); - else if (p->p_proto == IPPROTO_UDP) - extra = sizeof(struct udphdr); - break; -#ifdef IGMP - case IPPROTO_IGMP : - extra = sizeof(struct igmp); - break; -#endif - case IPPROTO_ICMP : - extra = sizeof(struct icmp); - break; - default : - break; - } - } 
- slen = ip->ip_hl + extra + ip->ip_len;
- return slen;
-}
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
deleted file mode 100644
index 7ea87e334c86..000000000000
--- a/contrib/ipfilter/ipft_tx.c
+++ /dev/null
@@ -1,353 +0,0 @@ -/* - * Copyright (C) 1995-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <ctype.h> -#include <assert.h> -#include <string.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/param.h> -#include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/udp.h> -#include <netinet/tcp.h> -#include <netinet/ip_icmp.h> -#include <arpa/inet.h> -#include <net/if.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.8 2002/12/06 11:40:26 darrenr Exp $"; -#endif - -extern int opts; - -static char *tx_proto = ""; - -static int text_open __P((char *)), text_close __P((void)); -static int text_readip __P((char *, int, char **, int *)); -static int parseline __P((char *, ip_t *, char **, int *)); - -static char _tcp_flagset[] = "FSRPAUEC"; -static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, - TH_ACK, TH_URG, TH_ECN, TH_CWR }; - -struct ipread iptext = { text_open, text_close, text_readip }; -static FILE *tfp = NULL; -static int tfd = -1; - -static u_32_t tx_hostnum __P((char *, int *)); -static u_short tx_portnum __P((char *)); - - -/* - * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_addr() call - */ -static u_32_t tx_hostnum(host, resolved) -char *host; -int *resolved; -{ - struct hostent 
*hp; - struct netent *np; - - *resolved = 0; - if (!strcasecmp("any",host)) - return 0L; - if (isdigit(*host)) - return inet_addr(host); - - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - *resolved = -1; - fprintf(stderr, "can't resolve hostname: %s\n", host); - return 0; - } - return htonl(np->n_net); - } - return *(u_32_t *)hp->h_addr; -} - - -/* - * find the port number given by the name, either from getservbyname() or - * straight atoi() - */ -static u_short tx_portnum(name) -char *name; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - - if (isdigit(*name)) - return (u_short)atoi(name); - if (!tx_proto) - tx_proto = "tcp/udp"; - if (strcasecmp(tx_proto, "tcp/udp")) { - sp = getservbyname(name, tx_proto); - if (sp) - return ntohs(sp->s_port); - (void) fprintf(stderr, "unknown service \"%s\".\n", name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n", - name); - return 0; - } - if (p1 != sp2->s_port) { - (void) fprintf(stderr, "%s %d/tcp is a different port to ", - name, p1); - (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port); - return 0; - } - return ntohs(p1); -} - - -char *tx_icmptypes[] = { - "echorep", (char *)NULL, (char *)NULL, "unreach", "squench", - "redir", (char *)NULL, (char *)NULL, "echo", "routerad", - "routersol", "timex", "paramprob", "timest", "timestrep", - "inforeq", "inforep", "maskreq", "maskrep", "END" -}; - -static int text_open(fname) -char *fname; -{ - if (tfp && tfd != -1) { - rewind(tfp); - return tfd; - } - - if (!strcmp(fname, "-")) { - tfd = 0; - tfp = stdin; - } else { - tfd = open(fname, O_RDONLY); - if (tfd != -1) - tfp = fdopen(tfd, "r"); - } - return tfd; -} - - -static int text_close() -{ - int cfd = tfd; - - tfd = -1; - return close(cfd); -} - - -static int text_readip(buf, cnt, ifn, dir) -char *buf, **ifn; -int cnt, *dir; -{ - register char *s; 
- char line[513]; - - *ifn = NULL; - while (fgets(line, sizeof(line)-1, tfp)) { - if ((s = index(line, '\n'))) - *s = '\0'; - if ((s = index(line, '\r'))) - *s = '\0'; - if ((s = index(line, '#'))) - *s = '\0'; - if (!*line) - continue; - if (!(opts & OPT_BRIEF)) - printf("input: %s\n", line); - *ifn = NULL; - *dir = 0; - if (!parseline(line, (ip_t *)buf, ifn, dir)) -#if 0 - return sizeof(ip_t) + sizeof(tcphdr_t); -#else - return sizeof(ip_t); -#endif - } - return -1; -} - -static int parseline(line, ip, ifn, out) -char *line; -ip_t *ip; -char **ifn; -int *out; -{ - tcphdr_t th, *tcp = &th; - struct icmp icmp, *ic = &icmp; - char *cps[20], **cpp, c, ipopts[68]; - int i, r; - - if (*ifn) - free(*ifn); - bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip)); - bzero((char *)tcp, sizeof(*tcp)); - bzero((char *)ic, sizeof(*ic)); - bzero(ipopts, sizeof(ipopts)); - ip->ip_hl = sizeof(*ip) >> 2; - ip->ip_v = IPVERSION; - for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); ) - cps[++i] = strtok(NULL, " \b\t\r\n"); - - cpp = cps; - if (!*cpp) - return 1; - - c = **cpp; - if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) { - fprintf(stderr, "bad direction \"%s\"\n", *cpp); - return 1; - } - *out = (tolower(c) == 'o') ? 
1 : 0; - cpp++; - if (!*cpp) - return 1; - - if (!strcasecmp(*cpp, "on")) { - cpp++; - if (!*cpp) - return 1; - *ifn = strdup(*cpp++); - if (!*cpp) - return 1; - } - - c = **cpp; - ip->ip_len = sizeof(ip_t); - if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") || - !strcasecmp(*cpp, "icmp")) { - if (c == 't') { - ip->ip_p = IPPROTO_TCP; - ip->ip_len += sizeof(struct tcphdr); - tx_proto = "tcp"; - } else if (c == 'u') { - ip->ip_p = IPPROTO_UDP; - ip->ip_len += sizeof(struct udphdr); - tx_proto = "udp"; - } else { - ip->ip_p = IPPROTO_ICMP; - ip->ip_len += ICMPERR_IPICMPHLEN; - tx_proto = "icmp"; - } - cpp++; - } else if (isdigit(**cpp) && !index(*cpp, '.')) { - ip->ip_p = atoi(*cpp); - cpp++; - } else - ip->ip_p = IPPROTO_IP; - - if (!*cpp) - return 1; - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) { - char *last; - - last = index(*cpp, ','); - if (!last) { - fprintf(stderr, "tcp/udp with no source port\n"); - return 1; - } - *last++ = '\0'; - tcp->th_sport = htons(tx_portnum(last)); - } - ip->ip_src.s_addr = tx_hostnum(*cpp, &r); - cpp++; - if (!*cpp) - return 1; - - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) { - char *last; - - last = index(*cpp, ','); - if (!last) { - fprintf(stderr, "tcp/udp with no destination port\n"); - return 1; - } - *last++ = '\0'; - tcp->th_dport = htons(tx_portnum(last)); - } - ip->ip_dst.s_addr = tx_hostnum(*cpp, &r); - cpp++; - if (*cpp && ip->ip_p == IPPROTO_TCP) { - extern char _tcp_flagset[]; - extern u_char _tcp_flags[]; - char *s, *t; - - for (s = *cpp; *s; s++) - if ((t = index(_tcp_flagset, *s))) - tcp->th_flags |= _tcp_flags[t - _tcp_flagset]; - if (tcp->th_flags) - cpp++; - assert(tcp->th_flags != 0); - tcp->th_win = htons(4096); - tcp->th_off = sizeof(*tcp) >> 2; - } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { - extern char *tx_icmptypes[]; - char **s, *t; - int i; - - for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END"); - s++, i++) - if (*s && !strncasecmp(*cpp, *s, strlen(*s))) { - 
ic->icmp_type = i; - if ((t = index(*cpp, ','))) - ic->icmp_code = atoi(t+1); - cpp++; - break; - } - } - - if (*cpp && !strcasecmp(*cpp, "opt")) { - u_long olen; - - cpp++; - olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2); - if (olen) { - bcopy(ipopts, (char *)(ip + 1), olen); - ip->ip_hl += olen >> 2; - } - } - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) - bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2), - sizeof(*tcp)); - else if (ip->ip_p == IPPROTO_ICMP) - bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2), - sizeof(*ic)); - ip->ip_len = htons(ip->ip_len); - return 0; -} diff --git a/contrib/ipfilter/ipl_ldev.c b/contrib/ipfilter/ipl_ldev.c deleted file mode 100644 index a2893257e72e..000000000000 --- a/contrib/ipfilter/ipl_ldev.c +++ /dev/null 
@@ -1,83 +0,0 @@
-/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-/*
- * routines below for saving IP headers to buffer
- */
-int iplopen(struct inode * inode, struct file * filp)
-{
- u_int min = MINOR(inode->i_rdev);
-
- if (flags & FWRITE)
- return ENXIO;
- if (min)
- return ENXIO;
- iplbusy++;
- return 0;
-}
-
-
-int iplclose(struct inode * inode, struct file * filp)
-{
- u_int min = MINOR(inode->i_rdev);
-
- if (min)
- return ENXIO;
- iplbusy--;
- return 0;
-}
-
-
-/*
- * iplread/ipllog
- * all three of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-int iplread(struct inode *inode, struct file *file, char *buf, int count)
-{
- register int ret, s;
- register size_t sz, sx;
- int error;
-
- if (!uio->uio_resid)
- return 0;
- while (!iplused) {
- error = SLEEP(iplbuf, "ipl sleep");
- if (error)
- return error;
- }
-
- SPLNET(s);
-
- ret = sx = sz = MIN(count, iplused);
- if (iplh < iplt)
- sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
- sx -= sz;
-
- memcpy_tofs(buf, iplt, sz);
- buf += sz;
- iplt += sz;
- iplused -= sz;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
-
- if (sx) {
- memcpy_tofs(buf, iplt, sx);
- ret += sx;
- iplt += sx;
- iplused -= sx;
- if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
- iplt = iplbuf;
- }
- if (!iplused) /* minimise wrapping around the end */
- iplh = iplt = iplbuf;
-
- SPLX(s);
- return ret;
-}
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
deleted file mode 100644
index 2e4b2b546275..000000000000
--- a/contrib/ipfilter/ipmon.c
+++ /dev/null
@@ -1,1493 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#ifndef SOLARIS -#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun) -#endif - -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/param.h> -#include <sys/file.h> -#include <sys/time.h> -#include <sys/socket.h> -#include <sys/ioctl.h> - -#include <stdio.h> -#include <unistd.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#if !defined(__SVR4) && !defined(__svr4__) -# if (__FreeBSD_version >= 300000) -# include <sys/dirent.h> -# else -# include <sys/dir.h> -# endif -#else -# include <sys/filio.h> -# include <sys/byteorder.h> -#endif -#if !defined(__SVR4) && !defined(__GNUC__) -# include <strings.h> -#endif -#include <signal.h> -#include <stdlib.h> -#include <stddef.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <net/if.h> -#include <netinet/ip.h> -#include <netinet/tcp_fsm.h> -#include <netdb.h> -#include <arpa/inet.h> -#include <arpa/nameser.h> -#include <resolv.h> - -#ifndef linux -# include <sys/protosw.h> -# include <netinet/ip_var.h> -#endif - -#include <netinet/tcp.h> -#include <netinet/ip_icmp.h> - -#include <ctype.h> -#include <syslog.h> - -#include "netinet/ip_compat.h" -#include <netinet/tcpip.h> -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.40 2004/05/12 23:21:55 darrenr Exp $"; -#endif - - -#if defined(sun) && !defined(SOLARIS2) -#define STRERROR(x) sys_errlist[x] -extern char *sys_errlist[]; -#else -#define STRERROR(x) strerror(x) -#endif - - -struct flags { - int value; - char flag; -}; - - -typedef struct icmp_subtype { - int ist_val; - char *ist_name; -} icmp_subtype_t; - -typedef 
struct icmp_type { - int it_val; - struct icmp_subtype *it_subtable; - size_t it_stsize; - char *it_name; -} icmp_type_t; - - -#define IST_SZ(x) (sizeof(x)/sizeof(icmp_subtype_t)) - - -struct flags tcpfl[] = { - { TH_ACK, 'A' }, - { TH_RST, 'R' }, - { TH_SYN, 'S' }, - { TH_FIN, 'F' }, - { TH_URG, 'U' }, - { TH_PUSH,'P' }, - { TH_ECN, 'E' }, - { TH_CWR, 'C' }, - { 0, '\0' } -}; - -#if SOLARIS -static char *pidfile = "/etc/opt/ipf/ipmon.pid"; -#else -# if BSD >= 199306 -static char *pidfile = "/var/run/ipmon.pid"; -# else -static char *pidfile = "/etc/ipmon.pid"; -# endif -#endif - -static char line[2048]; -static int opts = 0; -static FILE *newlog = NULL; -static char *logfile = NULL; -static int donehup = 0; -static void usage __P((char *)); -static void handlehup __P((int)); -static void flushlogs __P((char *, FILE *)); -static void print_log __P((int, FILE *, char *, int)); -static void print_ipflog __P((FILE *, char *, int)); -static void print_natlog __P((FILE *, char *, int)); -static void print_statelog __P((FILE *, char *, int)); -static void dumphex __P((FILE *, u_char *, int)); -static int read_log __P((int, int *, char *, int)); -static void write_pid __P((char *)); -static char *icmpname __P((u_int, u_int)); -static char *icmpname6 __P((u_int, u_int)); -static icmp_type_t *find_icmptype __P((int, icmp_type_t *, size_t)); -static icmp_subtype_t *find_icmpsubtype __P((int, icmp_subtype_t *, size_t)); - -char *hostname __P((int, int, u_32_t *)); -char *portname __P((int, char *, u_int)); -int main __P((int, char *[])); - -static void logopts __P((int, char *)); -static void init_tabs __P((void)); -static char *getproto __P((u_int)); - -static char **protocols = NULL; -static char **udp_ports = NULL; -static char **tcp_ports = NULL; - -#define OPT_SYSLOG 0x001 -#define OPT_RESOLVE 0x002 -#define OPT_HEXBODY 0x004 -#define OPT_VERBOSE 0x008 -#define OPT_HEXHDR 0x010 -#define OPT_TAIL 0x020 -#define OPT_NAT 0x080 -#define OPT_STATE 0x100 -#define OPT_FILTER 
0x200 -#define OPT_PORTNUM 0x400 -#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) -#define OPT_LOGBODY 0x800 - -#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b)) - -#ifndef LOGFAC -#define LOGFAC LOG_LOCAL0 -#endif - - -static icmp_subtype_t icmpunreachnames[] = { - { ICMP_UNREACH_NET, "net" }, - { ICMP_UNREACH_HOST, "host" }, - { ICMP_UNREACH_PROTOCOL, "protocol" }, - { ICMP_UNREACH_PORT, "port" }, - { ICMP_UNREACH_NEEDFRAG, "needfrag" }, - { ICMP_UNREACH_SRCFAIL, "srcfail" }, - { ICMP_UNREACH_NET_UNKNOWN, "net_unknown" }, - { ICMP_UNREACH_HOST_UNKNOWN, "host_unknown" }, - { ICMP_UNREACH_NET, "isolated" }, - { ICMP_UNREACH_NET_PROHIB, "net_prohib" }, - { ICMP_UNREACH_NET_PROHIB, "host_prohib" }, - { ICMP_UNREACH_TOSNET, "tosnet" }, - { ICMP_UNREACH_TOSHOST, "toshost" }, - { ICMP_UNREACH_ADMIN_PROHIBIT, "admin_prohibit" }, - { -2, NULL } -}; - -static icmp_subtype_t redirectnames[] = { - { ICMP_REDIRECT_NET, "net" }, - { ICMP_REDIRECT_HOST, "host" }, - { ICMP_REDIRECT_TOSNET, "tosnet" }, - { ICMP_REDIRECT_TOSHOST, "toshost" }, - { -2, NULL } -}; - -static icmp_subtype_t timxceednames[] = { - { ICMP_TIMXCEED_INTRANS, "transit" }, - { ICMP_TIMXCEED_REASS, "reassem" }, - { -2, NULL } -}; - -static icmp_subtype_t paramnames[] = { - { ICMP_PARAMPROB_ERRATPTR, "errata_pointer" }, - { ICMP_PARAMPROB_OPTABSENT, "optmissing" }, - { ICMP_PARAMPROB_LENGTH, "length" }, - { -2, NULL } -}; - -static icmp_type_t icmptypes[] = { - { ICMP_ECHOREPLY, NULL, 0, "echoreply" }, - { -1, NULL, 0, NULL }, - { -1, NULL, 0, NULL }, - { ICMP_UNREACH, icmpunreachnames, - IST_SZ(icmpunreachnames),"unreach" }, - { ICMP_SOURCEQUENCH, NULL, 0, "sourcequench" }, - { ICMP_REDIRECT, redirectnames, - IST_SZ(redirectnames), "redirect" }, - { -1, NULL, 0, NULL }, - { -1, NULL, 0, NULL }, - { ICMP_ECHO, NULL, 0, "echo" }, - { ICMP_ROUTERADVERT, NULL, 0, "routeradvert" }, - { ICMP_ROUTERSOLICIT, NULL, 0, "routersolicit" }, - { ICMP_TIMXCEED, timxceednames, - IST_SZ(timxceednames), "timxceed" }, 
- { ICMP_PARAMPROB, paramnames, - IST_SZ(paramnames), "paramprob" }, - { ICMP_TSTAMP, NULL, 0, "timestamp" }, - { ICMP_TSTAMPREPLY, NULL, 0, "timestampreply" }, - { ICMP_IREQ, NULL, 0, "inforeq" }, - { ICMP_IREQREPLY, NULL, 0, "inforeply" }, - { ICMP_MASKREQ, NULL, 0, "maskreq" }, - { ICMP_MASKREPLY, NULL, 0, "maskreply" }, - { -2, NULL, 0, NULL } -}; - -static icmp_subtype_t icmpredirect6[] = { - { ICMP6_DST_UNREACH_NOROUTE, "noroute" }, - { ICMP6_DST_UNREACH_ADMIN, "admin" }, - { ICMP6_DST_UNREACH_NOTNEIGHBOR, "neighbour" }, - { ICMP6_DST_UNREACH_ADDR, "address" }, - { ICMP6_DST_UNREACH_NOPORT, "noport" }, - { -2, NULL } -}; - -static icmp_subtype_t icmptimexceed6[] = { - { ICMP6_TIME_EXCEED_TRANSIT, "intransit" }, - { ICMP6_TIME_EXCEED_REASSEMBLY, "reassem" }, - { -2, NULL } -}; - -static icmp_subtype_t icmpparamprob6[] = { - { ICMP6_PARAMPROB_HEADER, "header" }, - { ICMP6_PARAMPROB_NEXTHEADER, "nextheader" }, - { ICMP6_PARAMPROB_OPTION, "option" }, - { -2, NULL } -}; - -static icmp_subtype_t icmpquerysubject6[] = { - { ICMP6_NI_SUBJ_IPV6, "ipv6" }, - { ICMP6_NI_SUBJ_FQDN, "fqdn" }, - { ICMP6_NI_SUBJ_IPV4, "ipv4" }, - { -2, NULL }, -}; - -static icmp_subtype_t icmpnodeinfo6[] = { - { ICMP6_NI_SUCCESS, "success" }, - { ICMP6_NI_REFUSED, "refused" }, - { ICMP6_NI_UNKNOWN, "unknown" }, - { -2, NULL } -}; - -static icmp_subtype_t icmprenumber6[] = { - { ICMP6_ROUTER_RENUMBERING_COMMAND, "command" }, - { ICMP6_ROUTER_RENUMBERING_RESULT, "result" }, - { ICMP6_ROUTER_RENUMBERING_SEQNUM_RESET, "seqnum_reset" }, - { -2, NULL } -}; - -static icmp_type_t icmptypes6[] = { - { 0, NULL, 0, NULL }, - { ICMP6_DST_UNREACH, icmpredirect6, - IST_SZ(icmpredirect6), "unreach" }, - { ICMP6_PACKET_TOO_BIG, NULL, 0, "toobig" }, - { ICMP6_TIME_EXCEEDED, icmptimexceed6, - IST_SZ(icmptimexceed6), "timxceed" }, - { ICMP6_PARAM_PROB, icmpparamprob6, - IST_SZ(icmpparamprob6), "paramprob" }, - { ICMP6_ECHO_REQUEST, NULL, 0, "echo" }, - { ICMP6_ECHO_REPLY, NULL, 0, "echoreply" }, - { 
ICMP6_MEMBERSHIP_QUERY, icmpquerysubject6, - IST_SZ(icmpquerysubject6), "groupmemberquery" }, - { ICMP6_MEMBERSHIP_REPORT,NULL, 0, "groupmemberreport" }, - { ICMP6_MEMBERSHIP_REDUCTION,NULL, 0, "groupmemberterm" }, - { ND_ROUTER_SOLICIT, NULL, 0, "routersolicit" }, - { ND_ROUTER_ADVERT, NULL, 0, "routeradvert" }, - { ND_NEIGHBOR_SOLICIT, NULL, 0, "neighborsolicit" }, - { ND_NEIGHBOR_ADVERT, NULL, 0, "neighboradvert" }, - { ND_REDIRECT, NULL, 0, "redirect" }, - { ICMP6_ROUTER_RENUMBERING, icmprenumber6, - IST_SZ(icmprenumber6), "routerrenumber" }, - { ICMP6_WRUREQUEST, NULL, 0, "whoareyourequest" }, - { ICMP6_WRUREPLY, NULL, 0, "whoareyoureply" }, - { ICMP6_FQDN_QUERY, NULL, 0, "fqdnquery" }, - { ICMP6_FQDN_REPLY, NULL, 0, "fqdnreply" }, - { ICMP6_NI_QUERY, icmpnodeinfo6, - IST_SZ(icmpnodeinfo6), "nodeinforequest" }, - { ICMP6_NI_REPLY, NULL, 0, "nodeinforeply" }, - { MLD6_MTRACE_RESP, NULL, 0, "mtraceresponse" }, - { MLD6_MTRACE, NULL, 0, "mtracerequest" }, - { -2, NULL, 0, NULL } -}; - -static icmp_subtype_t *find_icmpsubtype(type, table, tablesz) -int type; -icmp_subtype_t *table; -size_t tablesz; -{ - icmp_subtype_t *ist; - int i; - - if (tablesz < 2) - return NULL; - - if ((type < 0) || (type > table[tablesz - 2].ist_val)) - return NULL; - - i = type; - if (table[type].ist_val == type) - return table + type; - - for (i = 0, ist = table; ist->ist_val != -2; i++, ist++) - if (ist->ist_val == type) - return ist; - return NULL; -} - - -static icmp_type_t *find_icmptype(type, table, tablesz) -int type; -icmp_type_t *table; -size_t tablesz; -{ - icmp_type_t *it; - int i; - - if (tablesz < 2) - return NULL; - - if ((type < 0) || (type > table[tablesz - 2].it_val)) - return NULL; - - i = type; - if (table[type].it_val == type) - return table + type; - - for (i = 0, it = table; it->it_val != -2; i++, it++) - if (it->it_val == type) - return it; - return NULL; -} - - -static void handlehup(sig) -int sig; -{ - FILE *fp; - - signal(SIGHUP, handlehup); - if (logfile && (fp 
= fopen(logfile, "a"))) - newlog = fp; - init_tabs(); - donehup = 1; -} - - -static void init_tabs() -{ - struct protoent *p; - struct servent *s; - char *name, **tab; - int port; - - if (protocols != NULL) { - free(protocols); - protocols = NULL; - } - protocols = (char **)malloc(256 * sizeof(*protocols)); - if (protocols != NULL) { - bzero((char *)protocols, 256 * sizeof(*protocols)); - - setprotoent(1); - while ((p = getprotoent()) != NULL) - if (p->p_proto >= 0 && p->p_proto <= 255 && - p->p_name != NULL && protocols[p->p_proto] == NULL) - protocols[p->p_proto] = strdup(p->p_name); - endprotoent(); - } - - if (udp_ports != NULL) { - free(udp_ports); - udp_ports = NULL; - } - udp_ports = (char **)malloc(65536 * sizeof(*udp_ports)); - if (udp_ports != NULL) - bzero((char *)udp_ports, 65536 * sizeof(*udp_ports)); - - if (tcp_ports != NULL) { - free(tcp_ports); - tcp_ports = NULL; - } - tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports)); - if (tcp_ports != NULL) - bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports)); - - setservent(1); - while ((s = getservent()) != NULL) { - if (s->s_proto == NULL) - continue; - else if (!strcmp(s->s_proto, "tcp")) { - port = ntohs(s->s_port); - name = s->s_name; - tab = tcp_ports; - } else if (!strcmp(s->s_proto, "udp")) { - port = ntohs(s->s_port); - name = s->s_name; - tab = udp_ports; - } else - continue; - if ((port < 0 || port > 65535) || (name == NULL)) - continue; - tab[port] = strdup(name); - } - endservent(); -} - - -static char *getproto(p) -u_int p; -{ - static char pnum[4]; - char *s; - - p &= 0xff; - s = protocols ? 
protocols[p] : NULL; - if (s == NULL) { - sprintf(pnum, "%u", p); - s = pnum; - } - return s; -} - - -static int read_log(fd, lenp, buf, bufsize) -int fd, bufsize, *lenp; -char *buf; -{ - int nr; - - nr = read(fd, buf, bufsize); - if (!nr) - return 2; - if ((nr < 0) && (errno != EINTR)) - return -1; - *lenp = nr; - return 0; -} - - -char *hostname(res, v, ip) -int res, v; -u_32_t *ip; -{ -# define MAX_INETA 16 - static char hname[MAXHOSTNAMELEN + MAX_INETA + 3]; -#ifdef USE_INET6 - static char hostbuf[MAXHOSTNAMELEN+1]; -#endif - struct hostent *hp; - struct in_addr ipa; - - if (v == 4) { - ipa.s_addr = *ip; - if (!res) - return inet_ntoa(ipa); - hp = gethostbyaddr((char *)ip, sizeof(*ip), AF_INET); - if (!hp) - return inet_ntoa(ipa); - sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name, - inet_ntoa(ipa)); - return hname; - } -#ifdef USE_INET6 - (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1); - hostbuf[MAXHOSTNAMELEN] = '\0'; - return hostbuf; -#else - return "IPv6"; -#endif -} - - -char *portname(res, proto, port) -int res; -char *proto; -u_int port; -{ - static char pname[8]; - char *s; - - port = ntohs(port); - port &= 0xffff; - (void) sprintf(pname, "%u", port); - if (!res || (opts & OPT_PORTNUM)) - return pname; - s = NULL; - if (!strcmp(proto, "tcp")) - s = tcp_ports[port]; - else if (!strcmp(proto, "udp")) - s = udp_ports[port]; - if (s == NULL) - s = pname; - return s; -} - - -static char *icmpname(type, code) -u_int type; -u_int code; -{ - static char name[80]; - icmp_subtype_t *ist; - icmp_type_t *it; - char *s; - - s = NULL; - it = find_icmptype(type, icmptypes, sizeof(icmptypes) / sizeof(*it)); - if (it != NULL) - s = it->it_name; - - if (s == NULL) - sprintf(name, "icmptype(%d)/", type); - else - sprintf(name, "%s/", s); - - ist = NULL; - if (it != NULL && it->it_subtable != NULL) - ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize); - - if (ist != NULL && ist->ist_name != NULL) - strcat(name, ist->ist_name); - else - 
sprintf(name + strlen(name), "%d", code); - - return name; -} - -static char *icmpname6(type, code) -u_int type; -u_int code; -{ - static char name[80]; - icmp_subtype_t *ist; - icmp_type_t *it; - char *s; - - s = NULL; - it = find_icmptype(type, icmptypes6, sizeof(icmptypes6) / sizeof(*it)); - if (it != NULL) - s = it->it_name; - - if (s == NULL) - sprintf(name, "icmpv6type(%d)/", type); - else - sprintf(name, "%s/", s); - - ist = NULL; - if (it != NULL && it->it_subtable != NULL) - ist = find_icmpsubtype(code, it->it_subtable, it->it_stsize); - - if (ist != NULL && ist->ist_name != NULL) - strcat(name, ist->ist_name); - else - sprintf(name + strlen(name), "%d", code); - - return name; -} - - -static void dumphex(log, buf, len) -FILE *log; -u_char *buf; -int len; -{ - char line[80]; - int i, j, k; - u_char *s = buf, *t = (u_char *)line; - - if (len == 0 || buf == 0) - return; - *line = '\0'; - - for (i = len, j = 0; i; i--, j++, s++) { - if (j && !(j & 0xf)) { - *t++ = '\n'; - *t = '\0'; - if (!(opts & OPT_SYSLOG)) - fputs(line, log); - else - syslog(LOG_INFO, "%s", line); - t = (u_char *)line; - *t = '\0'; - } - sprintf((char *)t, "%02x", *s & 0xff); - t += 2; - if (!((j + 1) & 0xf)) { - s -= 15; - sprintf((char *)t, " "); - t += 8; - for (k = 16; k; k--, s++) - *t++ = (isprint(*s) ? *s : '.'); - s--; - } - - if ((j + 1) & 0xf) - *t++ = ' ';; - } - - if (j & 0xf) { - for (k = 16 - (j & 0xf); k; k--) { - *t++ = ' '; - *t++ = ' '; - *t++ = ' '; - } - sprintf((char *)t, " "); - t += 7; - s -= j & 0xf; - for (k = j & 0xf; k; k--, s++) - *t++ = (isprint(*s) ? 
*s : '.'); - *t++ = '\n'; - *t = '\0'; - } - if (!(opts & OPT_SYSLOG)) { - fputs(line, log); - fflush(log); - } else - syslog(LOG_INFO, "%s", line); -} - -static void print_natlog(log, buf, blen) -FILE *log; -char *buf; -int blen; -{ - struct natlog *nl; - iplog_t *ipl = (iplog_t *)buf; - char *t = line; - struct tm *tm; - int res, i, len; - char *proto; - - nl = (struct natlog *)((char *)ipl + IPLOG_SIZE); - res = (opts & OPT_RESOLVE) ? 1 : 0; - tm = localtime((time_t *)&ipl->ipl_sec); - len = sizeof(line); - if (!(opts & OPT_SYSLOG)) { - (void) strftime(t, len, "%d/%m/%Y ", tm); - i = strlen(t); - len -= i; - t += i; - } - (void) strftime(t, len, "%T", tm); - t += strlen(t); - (void) sprintf(t, ".%-.6ld @%hd ", ipl->ipl_usec, nl->nl_rule + 1); - t += strlen(t); - - if (nl->nl_type == NL_NEWMAP) - strcpy(t, "NAT:MAP "); - else if (nl->nl_type == NL_NEWRDR) - strcpy(t, "NAT:RDR "); - else if (nl->nl_type == NL_EXPIRE) - strcpy(t, "NAT:EXPIRE "); - else if (nl->nl_type == NL_FLUSH) - strcpy(t, "NAT:FLUSH "); - else if (nl->nl_type == NL_NEWBIMAP) - strcpy(t, "NAT:BIMAP "); - else if (nl->nl_type == NL_NEWBLOCK) - strcpy(t, "NAT:MAPBLOCK "); - else - sprintf(t, "Type: %d ", nl->nl_type); - t += strlen(t); - - proto = getproto(nl->nl_p); - - (void) sprintf(t, "%s,%s <- -> ", HOSTNAME_V4(res, nl->nl_inip), - portname(res, proto, (u_int)nl->nl_inport)); - t += strlen(t); - (void) sprintf(t, "%s,%s ", HOSTNAME_V4(res, nl->nl_outip), - portname(res, proto, (u_int)nl->nl_outport)); - t += strlen(t); - (void) sprintf(t, "[%s,%s]", HOSTNAME_V4(res, nl->nl_origip), - portname(res, proto, (u_int)nl->nl_origport)); - t += strlen(t); - if (nl->nl_type == NL_EXPIRE) { -#ifdef USE_QUAD_T - (void) sprintf(t, " Pkts %qd Bytes %qd", - (long long)nl->nl_pkts, - (long long)nl->nl_bytes); -#else - (void) sprintf(t, " Pkts %ld Bytes %ld", - nl->nl_pkts, nl->nl_bytes); -#endif - t += strlen(t); - } - - *t++ = '\n'; - *t++ = '\0'; - if (opts & OPT_SYSLOG) - syslog(LOG_INFO, "%s", line); - 
else - (void) fprintf(log, "%s", line); -} - - -static void print_statelog(log, buf, blen) -FILE *log; -char *buf; -int blen; -{ - struct ipslog *sl; - iplog_t *ipl = (iplog_t *)buf; - char *t = line, *proto; - struct tm *tm; - int res, i, len; - - sl = (struct ipslog *)((char *)ipl + IPLOG_SIZE); - res = (opts & OPT_RESOLVE) ? 1 : 0; - tm = localtime((time_t *)&ipl->ipl_sec); - len = sizeof(line); - if (!(opts & OPT_SYSLOG)) { - (void) strftime(t, len, "%d/%m/%Y ", tm); - i = strlen(t); - len -= i; - t += i; - } - (void) strftime(t, len, "%T", tm); - t += strlen(t); - (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); - t += strlen(t); - - if (sl->isl_type == ISL_NEW) - strcpy(t, "STATE:NEW "); - else if (sl->isl_type == ISL_EXPIRE) { - if ((sl->isl_p == IPPROTO_TCP) && - (sl->isl_state[0] > TCPS_ESTABLISHED || - sl->isl_state[1] > TCPS_ESTABLISHED)) - strcpy(t, "STATE:CLOSE "); - else - strcpy(t, "STATE:EXPIRE "); - } else if (sl->isl_type == ISL_FLUSH) - strcpy(t, "STATE:FLUSH "); - else if (sl->isl_type == ISL_REMOVE) - strcpy(t, "STATE:REMOVE "); - else - sprintf(t, "Type: %d ", sl->isl_type); - t += strlen(t); - - proto = getproto(sl->isl_p); - - if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) { - (void) sprintf(t, "%s,%s -> ", - hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src), - portname(res, proto, (u_int)sl->isl_sport)); - t += strlen(t); - (void) sprintf(t, "%s,%s PR %s", - hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst), - portname(res, proto, (u_int)sl->isl_dport), proto); - } else if (sl->isl_p == IPPROTO_ICMP) { - (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v, - (u_32_t *)&sl->isl_src)); - t += strlen(t); - (void) sprintf(t, "%s PR icmp %d", - hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst), - sl->isl_itype); - } else if (sl->isl_p == IPPROTO_ICMPV6) { - (void) sprintf(t, "%s -> ", hostname(res, sl->isl_v, - (u_32_t *)&sl->isl_src)); - t += strlen(t); - (void) sprintf(t, "%s PR icmpv6 %d", - hostname(res, sl->isl_v, (u_32_t 
*)&sl->isl_dst), - sl->isl_itype); - } - t += strlen(t); - if (sl->isl_type != ISL_NEW) { -#ifdef USE_QUAD_T - (void) sprintf(t, " Pkts %qd Bytes %qd", - (long long)sl->isl_pkts, - (long long)sl->isl_bytes); -#else - (void) sprintf(t, " Pkts %ld Bytes %ld", - sl->isl_pkts, sl->isl_bytes); -#endif - t += strlen(t); - } - - *t++ = '\n'; - *t++ = '\0'; - if (opts & OPT_SYSLOG) - syslog(LOG_INFO, "%s", line); - else - (void) fprintf(log, "%s", line); -} - - -static void print_log(logtype, log, buf, blen) -FILE *log; -char *buf; -int logtype, blen; -{ - iplog_t *ipl; - char *bp = NULL, *bpo = NULL; - int psize; - - while (blen > 0) { - ipl = (iplog_t *)buf; - if ((u_long)ipl & (sizeof(long)-1)) { - if (bp) - bpo = bp; - bp = (char *)malloc(blen); - bcopy((char *)ipl, bp, blen); - if (bpo) { - free(bpo); - bpo = NULL; - } - buf = bp; - continue; - } - if (ipl->ipl_magic != IPL_MAGIC) { - /* invalid data or out of sync */ - break; - } - psize = ipl->ipl_dsize; - switch (logtype) - { - case IPL_LOGIPF : - print_ipflog(log, buf, psize); - break; - case IPL_LOGNAT : - print_natlog(log, buf, psize); - break; - case IPL_LOGSTATE : - print_statelog(log, buf, psize); - break; - } - - blen -= psize; - buf += psize; - } - if (bp) - free(bp); - return; -} - - -static void print_ipflog(log, buf, blen) -FILE *log; -char *buf; -int blen; -{ - tcphdr_t *tp; - struct icmp *ic; - struct icmp *icmp; - struct tm *tm; - char *t, *proto; - int i, v, lvl, res, len, off, plen, ipoff; - ip_t *ipc, *ip; - u_short hl, p; - ipflog_t *ipf; - iplog_t *ipl; - u_32_t *s, *d; -#ifdef USE_INET6 - ip6_t *ip6; -#endif - - ipl = (iplog_t *)buf; - ipf = (ipflog_t *)((char *)buf + IPLOG_SIZE); - ip = (ip_t *)((char *)ipf + sizeof(*ipf)); - v = ip->ip_v; - res = (opts & OPT_RESOLVE) ? 
1 : 0; - t = line; - *t = '\0'; - tm = localtime((time_t *)&ipl->ipl_sec); -#ifdef linux - if (v == 4) - ip->ip_len = ntohs(ip->ip_len); -#endif - - len = sizeof(line); - if (!(opts & OPT_SYSLOG)) { - (void) strftime(t, len, "%d/%m/%Y ", tm); - i = strlen(t); - len -= i; - t += i; - } - (void) strftime(t, len, "%T", tm); - t += strlen(t); - (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); - t += strlen(t); - if (ipl->ipl_count > 1) { - (void) sprintf(t, "%dx ", ipl->ipl_count); - t += strlen(t); - } -#if (SOLARIS || \ - (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux) - { - char ifname[sizeof(ipf->fl_ifname) + 1]; - - strncpy(ifname, (char *)ipf->fl_ifname, sizeof(ipf->fl_ifname)); - ifname[sizeof(ipf->fl_ifname)] = '\0'; - (void) sprintf(t, "%s", ifname); - t += strlen(t); -# if SOLARIS - if (isalpha(*(t - 1))) { - sprintf(t, "%d", ipf->fl_unit); - t += strlen(t); - } -# endif - } -#else - for (len = 0; len < 3; len++) - if (ipf->fl_ifname[len] == '\0') - break; - if (ipf->fl_ifname[len]) - len++; - (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); - t += strlen(t); -#endif - if (ipf->fl_group == 0xffffffff) - strcat(t, " @-1:"); - else - (void) sprintf(t, " @%u:", ipf->fl_group); - t += strlen(t); - if (ipf->fl_rule == 0xffffffff) - strcat(t, "-1 "); - else - (void) sprintf(t, "%u ", ipf->fl_rule + 1); - t += strlen(t); - - if (ipf->fl_flags & FF_SHORT) { - *t++ = 'S'; - lvl = LOG_ERR; - } else if (ipf->fl_flags & FR_PASS) { - if (ipf->fl_flags & FR_LOG) - *t++ = 'p'; - else - *t++ = 'P'; - lvl = LOG_NOTICE; - } else if (ipf->fl_flags & FR_BLOCK) { - if (ipf->fl_flags & FR_LOG) - *t++ = 'b'; - else - *t++ = 'B'; - lvl = LOG_WARNING; - } else if (ipf->fl_flags & FF_LOGNOMATCH) { - *t++ = 'n'; - lvl = LOG_NOTICE; - } else { - *t++ = 'L'; - lvl = LOG_INFO; - } - if (ipf->fl_loglevel != 0xffff) - lvl = 
ipf->fl_loglevel; - *t++ = ' '; - *t = '\0'; - - if (v == 6) { -#ifdef USE_INET6 - off = 0; - ipoff = 0; - hl = sizeof(ip6_t); - ip6 = (ip6_t *)ip; - p = (u_short)ip6->ip6_nxt; - s = (u_32_t *)&ip6->ip6_src; - d = (u_32_t *)&ip6->ip6_dst; - plen = hl + ntohs(ip6->ip6_plen); -#else - sprintf(t, "ipv6"); - goto printipflog; -#endif - } else if (v == 4) { - hl = (ip->ip_hl << 2); - ipoff = ip->ip_off; - off = ipoff & IP_OFFMASK; - p = (u_short)ip->ip_p; - s = (u_32_t *)&ip->ip_src; - d = (u_32_t *)&ip->ip_dst; - plen = ip->ip_len; - } else { - goto printipflog; - } - proto = getproto(p); - - if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !off) { - tp = (tcphdr_t *)((char *)ip + hl); - if (!(ipf->fl_flags & FF_SHORT)) { - (void) sprintf(t, "%s,%s -> ", hostname(res, v, s), - portname(res, proto, (u_int)tp->th_sport)); - t += strlen(t); - (void) sprintf(t, "%s,%s PR %s len %hu %hu", - hostname(res, v, d), - portname(res, proto, (u_int)tp->th_dport), - proto, hl, plen); - t += strlen(t); - - if (p == IPPROTO_TCP) { - *t++ = ' '; - *t++ = '-'; - for (i = 0; tcpfl[i].value; i++) - if (tp->th_flags & tcpfl[i].value) - *t++ = tcpfl[i].flag; - if (opts & OPT_VERBOSE) { - (void) sprintf(t, " %lu %lu %hu", - (u_long)(ntohl(tp->th_seq)), - (u_long)(ntohl(tp->th_ack)), - ntohs(tp->th_win)); - t += strlen(t); - } - } - *t = '\0'; - } else { - (void) sprintf(t, "%s -> ", hostname(res, v, s)); - t += strlen(t); - (void) sprintf(t, "%s PR %s len %hu %hu", - hostname(res, v, d), proto, hl, plen); - } - } else if ((p == IPPROTO_ICMPV6) && !off && (v == 6)) { - ic = (struct icmp *)((char *)ip + hl); - (void) sprintf(t, "%s -> ", hostname(res, v, s)); - t += strlen(t); - (void) sprintf(t, "%s PR icmpv6 len %hu %hu icmpv6 %s", - hostname(res, v, d), hl, plen, - icmpname6(ic->icmp_type, ic->icmp_code)); - } else if ((p == IPPROTO_ICMP) && !off && (v == 4)) { - ic = (struct icmp *)((char *)ip + hl); - (void) sprintf(t, "%s -> ", hostname(res, v, s)); - t += strlen(t); - (void) sprintf(t, "%s 
PR icmp len %hu %hu icmp %s", - hostname(res, v, d), hl, plen, - icmpname(ic->icmp_type, ic->icmp_code)); - if (ic->icmp_type == ICMP_UNREACH || - ic->icmp_type == ICMP_SOURCEQUENCH || - ic->icmp_type == ICMP_PARAMPROB || - ic->icmp_type == ICMP_REDIRECT || - ic->icmp_type == ICMP_TIMXCEED) { - ipc = &ic->icmp_ip; - i = ntohs(ipc->ip_len); - ipoff = ntohs(ipc->ip_off); - proto = getproto(ipc->ip_p); - - if (!(ipoff & IP_OFFMASK) && - ((ipc->ip_p == IPPROTO_TCP) || - (ipc->ip_p == IPPROTO_UDP))) { - tp = (tcphdr_t *)((char *)ipc + hl); - t += strlen(t); - (void) sprintf(t, " for %s,%s -", - HOSTNAME_V4(res, ipc->ip_src), - portname(res, proto, - (u_int)tp->th_sport)); - t += strlen(t); - (void) sprintf(t, " %s,%s PR %s len %hu %hu", - HOSTNAME_V4(res, ipc->ip_dst), - portname(res, proto, - (u_int)tp->th_dport), - proto, ipc->ip_hl << 2, i); - } else if (!(ipoff & IP_OFFMASK) && - (ipc->ip_p == IPPROTO_ICMP)) { - icmp = (icmphdr_t *)((char *)ipc + hl); - - t += strlen(t); - (void) sprintf(t, " for %s -", - HOSTNAME_V4(res, ipc->ip_src)); - t += strlen(t); - (void) sprintf(t, - " %s PR icmp len %hu %hu icmp %d/%d", - HOSTNAME_V4(res, ipc->ip_dst), - ipc->ip_hl << 2, i, - icmp->icmp_type, icmp->icmp_code); - - } else { - t += strlen(t); - (void) sprintf(t, " for %s -", - HOSTNAME_V4(res, ipc->ip_src)); - t += strlen(t); - (void) sprintf(t, " %s PR %s len %hu (%hu)", - HOSTNAME_V4(res, ipc->ip_dst), proto, - ipc->ip_hl << 2, i); - t += strlen(t); - if (ipoff & IP_OFFMASK) { - (void) sprintf(t, " (frag %d:%hu@%hu%s%s)", - ntohs(ipc->ip_id), - i - (ipc->ip_hl<<2), - (ipoff & IP_OFFMASK) << 3, - ipoff & IP_MF ? "+" : "", - ipoff & IP_DF ? 
"-" : ""); - } - } - } - } else { - (void) sprintf(t, "%s -> ", hostname(res, v, s)); - t += strlen(t); - (void) sprintf(t, "%s PR %s len %hu (%hu)", - hostname(res, v, d), proto, hl, plen); - t += strlen(t); - if (off & IP_OFFMASK) - (void) sprintf(t, " (frag %d:%hu@%hu%s%s)", - ntohs(ip->ip_id), - plen - hl, (off & IP_OFFMASK) << 3, - ipoff & IP_MF ? "+" : "", - ipoff & IP_DF ? "-" : ""); - } - t += strlen(t); - - if (ipf->fl_flags & FR_KEEPSTATE) { - (void) strcpy(t, " K-S"); - t += strlen(t); - } - - if (ipf->fl_flags & FR_KEEPFRAG) { - (void) strcpy(t, " K-F"); - t += strlen(t); - } - - if (ipf->fl_dir == 0) - strcpy(t, " IN"); - else if (ipf->fl_dir == 1) - strcpy(t, " OUT"); - t += strlen(t); -printipflog: - *t++ = '\n'; - *t++ = '\0'; - if (opts & OPT_SYSLOG) - syslog(lvl, "%s", line); - else - (void) fprintf(log, "%s", line); - if (opts & OPT_HEXHDR) - dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf)); - if (opts & OPT_HEXBODY) - dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen); - else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY)) - dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen); -} - - -static void usage(prog) -char *prog; -{ - fprintf(stderr, "%s: [-NFhstvxX] [-f <logfile>]\n", prog); - exit(1); -} - - -static void write_pid(file) -char *file; -{ - FILE *fp = NULL; - int fd; - - if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0) - fp = fdopen(fd, "w"); - if (!fp) { - close(fd); - fprintf(stderr, "unable to open/create pid file: %s\n", file); - return; - } - fprintf(fp, "%d", getpid()); - fclose(fp); - close(fd); -} - - -static void flushlogs(file, log) -char *file; -FILE *log; -{ - int fd, flushed = 0; - - if ((fd = open(file, O_RDWR)) == -1) { - (void) fprintf(stderr, "%s: open: %s\n", - file, STRERROR(errno)); - exit(1); - } - - if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { - printf("%d bytes flushed from log buffer\n", - flushed); - fflush(stdout); - } else - perror("SIOCIPFFB"); - (void) close(fd); - - if 
(flushed) { - if (opts & OPT_SYSLOG) - syslog(LOG_INFO, "%d bytes flushed from log\n", - flushed); - else if (log != stdout) - fprintf(log, "%d bytes flushed from log\n", flushed); - } -} - - -static void logopts(turnon, options) -int turnon; -char *options; -{ - int flags = 0; - char *s; - - for (s = options; *s; s++) - { - switch (*s) - { - case 'N' : - flags |= OPT_NAT; - break; - case 'S' : - flags |= OPT_STATE; - break; - case 'I' : - flags |= OPT_FILTER; - break; - default : - fprintf(stderr, "Unknown log option %c\n", *s); - exit(1); - } - } - - if (turnon) - opts |= flags; - else - opts &= ~(flags); -} - - -int main(argc, argv) -int argc; -char *argv[]; -{ - int fdt[3], devices = 0, make_daemon = 0; - char buf[IPLLOGSIZE], *iplfile[3], *s; - int fd[3], doread, n, i; - extern char *optarg; - extern int optind; - int regular[3], c; - FILE *log = stdout; - struct stat sb; - size_t nr, tr; - - fd[0] = fd[1] = fd[2] = -1; - fdt[0] = fdt[1] = fdt[2] = -1; - iplfile[0] = IPL_NAME; - iplfile[1] = IPNAT_NAME; - iplfile[2] = IPSTATE_NAME; - - while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1) - switch (c) - { - case 'a' : - opts |= OPT_LOGALL; - fdt[0] = IPL_LOGIPF; - fdt[1] = IPL_LOGNAT; - fdt[2] = IPL_LOGSTATE; - break; - case 'b' : - opts |= OPT_LOGBODY; - break; - case 'D' : - make_daemon = 1; - break; - case 'f' : case 'I' : - opts |= OPT_FILTER; - fdt[0] = IPL_LOGIPF; - iplfile[0] = optarg; - break; - case 'F' : - flushlogs(iplfile[0], log); - flushlogs(iplfile[1], log); - flushlogs(iplfile[2], log); - break; - case 'n' : - opts |= OPT_RESOLVE; - break; - case 'N' : - opts |= OPT_NAT; - fdt[1] = IPL_LOGNAT; - iplfile[1] = optarg; - break; - case 'o' : case 'O' : - logopts(c == 'o', optarg); - fdt[0] = fdt[1] = fdt[2] = -1; - if (opts & OPT_FILTER) - fdt[0] = IPL_LOGIPF; - if (opts & OPT_NAT) - fdt[1] = IPL_LOGNAT; - if (opts & OPT_STATE) - fdt[2] = IPL_LOGSTATE; - break; - case 'p' : - opts |= OPT_PORTNUM; - break; - case 'P' : - pidfile = 
optarg; - break; - case 's' : - s = strrchr(argv[0], '/'); - if (s == NULL) - s = argv[0]; - else - s++; - openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); - opts |= OPT_SYSLOG; - log = NULL; - break; - case 'S' : - opts |= OPT_STATE; - fdt[2] = IPL_LOGSTATE; - iplfile[2] = optarg; - break; - case 't' : - opts |= OPT_TAIL; - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - case 'x' : - opts |= OPT_HEXBODY; - break; - case 'X' : - opts |= OPT_HEXHDR; - break; - default : - case 'h' : - case '?' : - usage(argv[0]); - } - - init_tabs(); - - /* - * Default action is to only open the filter log file. - */ - if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1)) - fdt[0] = IPL_LOGIPF; - - for (i = 0; i < 3; i++) { - if (fdt[i] == -1) - continue; - if (!strcmp(iplfile[i], "-")) - fd[i] = 0; - else { - if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) { - (void) fprintf(stderr, - "%s: open: %s\n", iplfile[i], - STRERROR(errno)); - exit(1); - /* NOTREACHED */ - } - if (fstat(fd[i], &sb) == -1) { - (void) fprintf(stderr, "%d: fstat: %s\n", - fd[i], STRERROR(errno)); - exit(1); - /* NOTREACHED */ - } - if (!(regular[i] = !S_ISCHR(sb.st_mode))) - devices++; - } - } - - if (!(opts & OPT_SYSLOG)) { - logfile = argv[optind]; - log = logfile ? 
fopen(logfile, "a") : stdout; - if (log == NULL) { - (void) fprintf(stderr, "%s: fopen: %s\n", - argv[optind], STRERROR(errno)); - exit(1); - /* NOTREACHED */ - } - setvbuf(log, NULL, _IONBF, 0); - } else - log = NULL; - - if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) { -#if BSD - daemon(0, !(opts & OPT_SYSLOG)); -#else - int pid; - if ((pid = fork()) > 0) - exit(0); - if (pid < 0) { - (void) fprintf(stderr, "%s: fork() failed: %s\n", - argv[0], STRERROR(errno)); - exit(1); - /* NOTREACHED */ - } - setsid(); - if ((opts & OPT_SYSLOG)) - close(2); -#endif /* !BSD */ - close(0); - close(1); - } - write_pid(pidfile); - - signal(SIGHUP, handlehup); - - for (doread = 1; doread; ) { - nr = 0; - - for (i = 0; i < 3; i++) { - tr = 0; - if (fdt[i] == -1) - continue; - if (!regular[i]) { - if (ioctl(fd[i], FIONREAD, &tr) == -1) { - if (opts & OPT_SYSLOG) - syslog(LOG_CRIT, - "ioctl(FIONREAD): %m"); - else - perror("ioctl(FIONREAD)"); - exit(1); - /* NOTREACHED */ - } - } else { - tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size); - if (!tr && !(opts & OPT_TAIL)) - doread = 0; - } - if (!tr) - continue; - nr += tr; - - tr = read_log(fd[i], &n, buf, sizeof(buf)); - if (donehup) { - donehup = 0; - if (newlog) { - fclose(log); - log = newlog; - newlog = NULL; - } - } - - switch (tr) - { - case -1 : - if (opts & OPT_SYSLOG) - syslog(LOG_CRIT, "read: %m\n"); - else - perror("read"); - doread = 0; - break; - case 1 : - if (opts & OPT_SYSLOG) - syslog(LOG_CRIT, "aborting logging\n"); - else - fprintf(log, "aborting logging\n"); - doread = 0; - break; - case 2 : - break; - case 0 : - if (n > 0) { - print_log(fdt[i], log, buf, n); - if (!(opts & OPT_SYSLOG)) - fflush(log); - } - break; - } - } - if (!nr && ((opts & OPT_TAIL) || devices)) - sleep(1); - } - exit(0); - /* NOTREACHED */ -} diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c deleted file mode 100644 index 69e7959260e7..000000000000 --- a/contrib/ipfilter/ipnat.c +++ /dev/null 
@@ -1,433 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/time.h> -#include <sys/param.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#if defined(sun) && (defined(__svr4__) || defined(__SVR4)) -# include <sys/ioccom.h> -# include <sys/sysmacros.h> -#endif -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netdb.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <resolv.h> -#include <ctype.h> -#include <nlist.h> -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" -#include "netinet/ip_proxy.h" -#include "ipf.h" -#include "kmem.h" - -#if defined(sun) && !SOLARIS2 -# define STRERROR(x) sys_errlist[x] -extern char *sys_errlist[]; -#else -# define STRERROR(x) strerror(x) -#endif - -#if !defined(lint) -static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.25 2003/06/05 14:00:28 darrenr Exp $"; -#endif - - -#if SOLARIS -#define bzero(a,b) memset(a,0,b) -#endif -int use_inet6 = 0; -char thishost[MAXHOSTNAMELEN]; - -extern char *optarg; -extern int optind; -#if 0 -extern ipnat_t *natparse __P((char *, int)); -#endif -extern void natparsefile __P((int, char *, int)); -extern void printnat __P((ipnat_t *, int)); -extern void printactivenat __P((nat_t *, 
int)); -extern void printhostmap __P((hostmap_t *, u_int)); -extern char *getsumd __P((u_32_t)); - -static int dostats __P((natstat_t *, int)); -static int flushtable __P((int, int)); -void usage __P((char *)); -int countbits __P((u_32_t)); -char *getnattype __P((ipnat_t *)); -int main __P((int, char*[])); -void printaps __P((ap_session_t *, int)); -static int showhostmap __P((natstat_t *nsp)); -static int natstat_dead __P((natstat_t *, char *)); - - -void usage(name) -char *name; -{ - fprintf(stderr, "Usage: %s [-CFhlnrsv] [-f filename]\n", name); - exit(1); -} - - -int main(argc, argv) -int argc; -char *argv[]; -{ - natstat_t ns, *nsp = &ns; - char *file, *core, *kernel; - int fd, opts, c, mode; - - fd = -1; - opts = 0; - file = NULL; - core = NULL; - kernel = NULL; - mode = O_RDWR; - - while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1) - switch (c) - { - case 'C' : - opts |= OPT_CLEAR; - break; - case 'd' : - opts |= OPT_DEBUG; - break; - case 'f' : - file = optarg; - break; - case 'F' : - opts |= OPT_FLUSH; - break; - case 'h' : - opts |=OPT_HITS; - break; - case 'l' : - opts |= OPT_LIST; - mode = O_RDONLY; - break; - case 'M' : - core = optarg; - break; - case 'N' : - kernel = optarg; - break; - case 'n' : - opts |= OPT_NODO; - mode = O_RDONLY; - break; - case 'r' : - opts |= OPT_REMOVE; - break; - case 's' : - opts |= OPT_STAT; - mode = O_RDONLY; - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - case '?' 
: - default : - usage(argv[0]); - } - - if (optind < 2) - usage(argv[0]); - - if ((kernel != NULL) || (core != NULL)) { - (void) setgid(getgid()); - (void) setuid(getuid()); - } - - bzero((char *)&ns, sizeof(ns)); - - gethostname(thishost, sizeof(thishost)); - thishost[sizeof(thishost) - 1] = '\0'; - - if (!(opts & OPT_NODO) && (kernel == NULL) && (core == NULL)) { - if (openkmem(kernel, core) == -1) - exit(1); - - if (((fd = open(IPL_NAT, mode)) == -1) && - ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { - (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, - STRERROR(errno)); - if (errno == ENODEV) - fprintf(stderr, "IPFilter enabled?\n"); - exit(1); - } - if (ioctl(fd, SIOCGNATS, &nsp) == -1) { - perror("ioctl(SIOCGNATS)"); - exit(1); - } - (void) setgid(getgid()); - (void) setuid(getuid()); - } else if ((kernel != NULL) || (core != NULL)) { - if (openkmem(kernel, core) == -1) - exit(1); - - if (natstat_dead(nsp, kernel)) - exit(1); - if (opts & (OPT_LIST|OPT_STAT)) { - if (dostats(nsp, opts)) - exit(1); - } - exit(0); - } - - if (opts & (OPT_FLUSH|OPT_CLEAR)) - if (flushtable(fd, opts)) - exit(1); - if (file) { - /* NB natparsefile exits with nonzero in case of error */ - natparsefile(fd, file, opts); - } - if (opts & (OPT_LIST|OPT_STAT)) - if (dostats(nsp, opts)) - exit(1); - - /* TBD why not exit(0)? */ - return 0; -} - - -/* - * Read NAT statistic information in using a symbol table and memory file - * rather than doing ioctl's. 
- */ -static int natstat_dead(nsp, kernel) -natstat_t *nsp; -char *kernel; -{ - struct nlist nat_nlist[10] = { - { "nat_table" }, /* 0 */ - { "nat_list" }, - { "maptable" }, - { "ipf_nattable_sz" }, - { "ipf_natrules_sz" }, - { "ipf_rdrrules_sz" }, /* 5 */ - { "ipf_hostmap_sz" }, - { "nat_instances" }, - { "ap_sess_list" }, - { NULL } - }; - void *tables[2]; - - if (nlist(kernel, nat_nlist) == -1) { - fprintf(stderr, "nlist error\n"); - return -1; - } - - /* - * Normally the ioctl copies all of these values into the structure - * for us, before returning it to userland, so here we must copy each - * one in individually. - */ - kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables)); - nsp->ns_table[0] = tables[0]; - nsp->ns_table[1] = tables[1]; - - kmemcpy((char *)&nsp->ns_list, nat_nlist[1].n_value, - sizeof(nsp->ns_list)); - kmemcpy((char *)&nsp->ns_maptable, nat_nlist[2].n_value, - sizeof(nsp->ns_maptable)); - kmemcpy((char *)&nsp->ns_nattab_sz, nat_nlist[3].n_value, - sizeof(nsp->ns_nattab_sz)); - kmemcpy((char *)&nsp->ns_rultab_sz, nat_nlist[4].n_value, - sizeof(nsp->ns_rultab_sz)); - kmemcpy((char *)&nsp->ns_rdrtab_sz, nat_nlist[5].n_value, - sizeof(nsp->ns_rdrtab_sz)); - kmemcpy((char *)&nsp->ns_hostmap_sz, nat_nlist[6].n_value, - sizeof(nsp->ns_hostmap_sz)); - kmemcpy((char *)&nsp->ns_instances, nat_nlist[7].n_value, - sizeof(nsp->ns_instances)); - kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value, - sizeof(nsp->ns_apslist)); - - return 0; -} - - -/* - * Display NAT statistics. - */ -static int dostats(nsp, opts) -natstat_t *nsp; -int opts; -{ - nat_t **nt[2], *np, nat; - ipnat_t ipn; - int rc = 0; - - /* - * Show statistics ? 
- */ - if (opts & OPT_STAT) { - printf("mapped\tin\t%lu\tout\t%lu\n", - nsp->ns_mapped[0], nsp->ns_mapped[1]); - printf("added\t%lu\texpired\t%lu\n", - nsp->ns_added, nsp->ns_expire); - printf("no memory\t%lu\tbad nat\t%lu\n", - nsp->ns_memfail, nsp->ns_badnat); - printf("inuse\t%lu\nrules\t%lu\n", - nsp->ns_inuse, nsp->ns_rules); - printf("wilds\t%u\n", nsp->ns_wilds); - if (opts & OPT_VERBOSE) - printf("table %p list %p\n", - nsp->ns_table, nsp->ns_list); - } - - /* - * Show list of NAT rules and NAT sessions ? - */ - if (opts & OPT_LIST) { - printf("List of active MAP/Redirect filters:\n"); - while (nsp->ns_list) { - if (kmemcpy((char *)&ipn, (long)nsp->ns_list, - sizeof(ipn))) { - perror("kmemcpy"); - rc = -1; - break; - } - if (opts & OPT_HITS) - printf("%d ", ipn.in_hits); - printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); - nsp->ns_list = ipn.in_next; - } - - nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE); - if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0], - sizeof(**nt) * NAT_SIZE)) { - perror("kmemcpy"); - rc = -1; - } - if (rc) { - free(nt[0]); - return rc; - } - - printf("\nList of active sessions:\n"); - - for (np = nsp->ns_instances; np; np = nat.nat_next) { - if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) { - /* TBD Is this an error? If so, return -1 */ - break; - } - printactivenat(&nat, opts); - } - - if (opts & OPT_VERBOSE) { - if (showhostmap(nsp)) { - free(nt[0]); - return -1; - } - } - - free(nt[0]); - } - return 0; -} - - -/* - * Display the active host mapping table. 
- */ -static int showhostmap(nsp) -natstat_t *nsp; -{ - hostmap_t hm, *hmp, **maptable; - u_int hv; - - printf("\nList of active host mappings:\n"); - - maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) * - nsp->ns_hostmap_sz); - if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable, - sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) { - perror("kmemcpy (maptable)"); - free(maptable); - return -1; - } - - for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) { - hmp = maptable[hv]; - - while (hmp) { - if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) { - perror("kmemcpy (hostmap)"); - free(maptable); - return -1; - } - - printhostmap(&hm, hv); - hmp = hm.hm_next; - } - } - free(maptable); - return 0; -} - - -/* - * Issue an ioctl to flush either the NAT rules table or the active mapping - * table or both. - */ -static int flushtable(fd, opts) -int fd, opts; -{ - int n = 0; - int rc = 0; - - if (opts & OPT_FLUSH) { - n = 0; - if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) { - perror("ioctl(SIOCFLNAT)"); - rc = -1; - } else { - printf("%d entries flushed from NAT table\n", n); - } - } - - if (opts & OPT_CLEAR) { - n = 1; - if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) { - perror("ioctl(SIOCCNATL)"); - rc = -1; - } else { - printf("%d entries flushed from NAT list\n", n); - } - } - - return rc; -} diff --git a/contrib/ipfilter/ipsd/ip_compat.h b/contrib/ipfilter/ipsd/ip_compat.h deleted file mode 100644 index a911fd83c3f3..000000000000 --- a/contrib/ipfilter/ipsd/ip_compat.h +++ /dev/null 
@@ -1,201 +0,0 @@ -/* - * (C)opyright 1995 by Darren Reed. - * - * This code may be freely distributed as long as it retains this notice - * and is not changed in any way. The author accepts no responsibility - * for the use of this software. I hate legaleese, don't you ? - * - * @(#)ip_compat.h 1.1 9/14/95 - */ - -/* - * These #ifdef's are here mainly for linux, but who knows, they may - * not be in other places or maybe one day linux will grow up and some - * of these will turn up there too. - */ -#ifndef ICMP_UNREACH -# define ICMP_UNREACH ICMP_DEST_UNREACH -#endif -#ifndef ICMP_SOURCEQUENCH -# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH -#endif -#ifndef ICMP_TIMXCEED -# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED -#endif -#ifndef ICMP_PARAMPROB -# define ICMP_PARAMPROB ICMP_PARAMETERPROB -#endif -#ifndef IPVERSION -# define IPVERSION 4 -#endif -#ifndef IPOPT_MINOFF -# define IPOPT_MINOFF 4 -#endif -#ifndef IPOPT_COPIED -# define IPOPT_COPIED(x) ((x)&0x80) -#endif -#ifndef IPOPT_EOL -# define IPOPT_EOL 0 -#endif -#ifndef IPOPT_NOP -# define IPOPT_NOP 1 -#endif -#ifndef IP_MF -# define IP_MF ((u_short)0x2000) -#endif -#ifndef ETHERTYPE_IP -# define ETHERTYPE_IP ((u_short)0x0800) -#endif -#ifndef TH_FIN -# define TH_FIN 0x01 -#endif -#ifndef TH_SYN -# define TH_SYN 0x02 -#endif -#ifndef TH_RST -# define TH_RST 0x04 -#endif -#ifndef TH_PUSH -# define TH_PUSH 0x08 -#endif -#ifndef TH_ACK -# define TH_ACK 0x10 -#endif -#ifndef TH_URG -# define TH_URG 0x20 -#endif -#ifndef IPOPT_EOL -# define IPOPT_EOL 0 -#endif -#ifndef IPOPT_NOP -# define IPOPT_NOP 1 -#endif -#ifndef IPOPT_RR -# define IPOPT_RR 7 -#endif -#ifndef IPOPT_TS -# define IPOPT_TS 68 -#endif -#ifndef IPOPT_SECURITY -# define IPOPT_SECURITY 130 -#endif -#ifndef IPOPT_LSRR -# define IPOPT_LSRR 131 -#endif -#ifndef IPOPT_SATID -# define IPOPT_SATID 136 -#endif -#ifndef IPOPT_SSRR -# define IPOPT_SSRR 137 -#endif -#ifndef IPOPT_SECUR_UNCLASS -# define IPOPT_SECUR_UNCLASS ((u_short)0x0000) -#endif -#ifndef 
IPOPT_SECUR_CONFID -# define IPOPT_SECUR_CONFID ((u_short)0xf135) -#endif -#ifndef IPOPT_SECUR_EFTO -# define IPOPT_SECUR_EFTO ((u_short)0x789a) -#endif -#ifndef IPOPT_SECUR_MMMM -# define IPOPT_SECUR_MMMM ((u_short)0xbc4d) -#endif -#ifndef IPOPT_SECUR_RESTR -# define IPOPT_SECUR_RESTR ((u_short)0xaf13) -#endif -#ifndef IPOPT_SECUR_SECRET -# define IPOPT_SECUR_SECRET ((u_short)0xd788) -#endif -#ifndef IPOPT_SECUR_TOPSECRET -# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5) -#endif - -#ifdef linux -# define icmp icmphdr -# define icmp_type type -# define icmp_code code - -/* - * From /usr/include/netinet/ip_var.h - * !%@#!$@# linux... - */ -struct ipovly { - caddr_t ih_next, ih_prev; /* for protocol sequence q's */ - u_char ih_x1; /* (unused) */ - u_char ih_pr; /* protocol */ - short ih_len; /* protocol length */ - struct in_addr ih_src; /* source internet address */ - struct in_addr ih_dst; /* destination internet address */ -}; - -typedef struct { - __u16 th_sport; - __u16 th_dport; - __u32 th_seq; - __u32 th_ack; -# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ - defined(vax) - __u8 th_res:4; - __u8 th_off:4; -#else - __u8 th_off:4; - __u8 th_res:4; -#endif - __u8 th_flags; - __u16 th_win; - __u16 th_sum; - __u16 th_urp; -} tcphdr_t; - -typedef struct { - __u16 uh_sport; - __u16 uh_dport; - __s16 uh_ulen; - __u16 uh_sum; -} udphdr_t; - -typedef struct { -# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ - defined(vax) - __u8 ip_hl:4; - __u8 ip_v:4; -# else - __u8 ip_hl:4; - __u8 ip_v:4; -# endif - __u8 ip_tos; - __u16 ip_len; - __u16 ip_id; - __u16 ip_off; - __u8 ip_ttl; - __u8 ip_p; - __u16 ip_sum; - struct in_addr ip_src; - struct in_addr ip_dst; -} ip_t; - -typedef struct { - __u8 ether_dhost[6]; - __u8 ether_shost[6]; - __u16 ether_type; -} ether_header_t; - -# define bcopy(a,b,c) memmove(b,a,c) -# define bcmp(a,b,c) memcmp(a,b,c) - -# define ifnet device - -#else - -typedef struct udphdr udphdr_t; -typedef struct 
tcphdr tcphdr_t; -typedef struct ip ip_t; -typedef struct ether_header ether_header_t; - -#endif - -#ifdef solaris -# define bcopy(a,b,c) memmove(b,a,c) -# define bcmp(a,b,c) memcmp(a,b,c) -# define bzero(a,b) memset(a,0,b) -#endif diff --git a/contrib/ipfilter/ipsd/ipsd.sed b/contrib/ipfilter/ipsd/ipsd.sed deleted file mode 100644 index e69de29bb2d1..000000000000 --- a/contrib/ipfilter/ipsd/ipsd.sed +++ /dev/null diff --git a/contrib/ipfilter/ipsend/ip_compat.h b/contrib/ipfilter/ipsend/ip_compat.h deleted file mode 100644 index c38fa59ed3c7..000000000000 --- a/contrib/ipfilter/ipsend/ip_compat.h +++ /dev/null 
@@ -1,242 +0,0 @@ -/* - * (C)opyright 1995 by Darren Reed. - * - * This code may be freely distributed as long as it retains this notice - * and is not changed in any way. The author accepts no responsibility - * for the use of this software. I hate legaleese, don't you ? - * - * @(#)ip_compat.h 1.2 12/7/95 - */ - -/* - * These #ifdef's are here mainly for linux, but who knows, they may - * not be in other places or maybe one day linux will grow up and some - * of these will turn up there too. - */ -#ifndef ICMP_UNREACH -# define ICMP_UNREACH ICMP_DEST_UNREACH -#endif -#ifndef ICMP_SOURCEQUENCH -# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH -#endif -#ifndef ICMP_TIMXCEED -# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED -#endif -#ifndef ICMP_PARAMPROB -# define ICMP_PARAMPROB ICMP_PARAMETERPROB -#endif -#ifndef IPVERSION -# define IPVERSION 4 -#endif -#ifndef IPOPT_MINOFF -# define IPOPT_MINOFF 4 -#endif -#ifndef IPOPT_COPIED -# define IPOPT_COPIED(x) ((x)&0x80) -#endif -#ifndef IPOPT_EOL -# define IPOPT_EOL 0 -#endif -#ifndef IPOPT_NOP -# define IPOPT_NOP 1 -#endif -#ifndef IP_MF -# define IP_MF ((u_short)0x2000) -#endif -#ifndef ETHERTYPE_IP -# define ETHERTYPE_IP ((u_short)0x0800) -#endif -#ifndef TH_FIN -# define TH_FIN 0x01 -#endif -#ifndef TH_SYN -# define TH_SYN 0x02 -#endif -#ifndef TH_RST -# define TH_RST 0x04 -#endif -#ifndef TH_PUSH -# define TH_PUSH 0x08 -#endif -#ifndef TH_ACK -# define TH_ACK 0x10 -#endif -#ifndef TH_URG -# define TH_URG 0x20 -#endif -#ifndef IPOPT_EOL -# define IPOPT_EOL 0 -#endif -#ifndef IPOPT_NOP -# define IPOPT_NOP 1 -#endif -#ifndef IPOPT_RR -# define IPOPT_RR 7 -#endif -#ifndef IPOPT_TS -# define IPOPT_TS 68 -#endif -#ifndef IPOPT_SECURITY -# define IPOPT_SECURITY 130 -#endif -#ifndef IPOPT_LSRR -# define IPOPT_LSRR 131 -#endif -#ifndef IPOPT_SATID -# define IPOPT_SATID 136 -#endif -#ifndef IPOPT_SSRR -# define IPOPT_SSRR 137 -#endif -#ifndef IPOPT_SECUR_UNCLASS -# define IPOPT_SECUR_UNCLASS ((u_short)0x0000) -#endif -#ifndef 
IPOPT_SECUR_CONFID -# define IPOPT_SECUR_CONFID ((u_short)0xf135) -#endif -#ifndef IPOPT_SECUR_EFTO -# define IPOPT_SECUR_EFTO ((u_short)0x789a) -#endif -#ifndef IPOPT_SECUR_MMMM -# define IPOPT_SECUR_MMMM ((u_short)0xbc4d) -#endif -#ifndef IPOPT_SECUR_RESTR -# define IPOPT_SECUR_RESTR ((u_short)0xaf13) -#endif -#ifndef IPOPT_SECUR_SECRET -# define IPOPT_SECUR_SECRET ((u_short)0xd788) -#endif -#ifndef IPOPT_SECUR_TOPSECRET -# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5) -#endif - -#ifdef linux -# if LINUX < 0200 -# define icmp icmphdr -# define icmp_type type -# define icmp_code code -# endif - -/* - * From /usr/include/netinet/ip_var.h - * !%@#!$@# linux... - */ -struct ipovly { - caddr_t ih_next, ih_prev; /* for protocol sequence q's */ - u_char ih_x1; /* (unused) */ - u_char ih_pr; /* protocol */ - short ih_len; /* protocol length */ - struct in_addr ih_src; /* source internet address */ - struct in_addr ih_dst; /* destination internet address */ -}; - -typedef struct { - __u16 th_sport; - __u16 th_dport; - __u32 th_seq; - __u32 th_ack; -# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ - defined(vax) - __u8 th_res:4; - __u8 th_off:4; -#else - __u8 th_off:4; - __u8 th_res:4; -#endif - __u8 th_flags; - __u16 th_win; - __u16 th_sum; - __u16 th_urp; -} tcphdr_t; - -typedef struct { - __u16 uh_sport; - __u16 uh_dport; - __s16 uh_ulen; - __u16 uh_sum; -} udphdr_t; - -typedef struct { -# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ - defined(vax) - __u8 ip_hl:4; - __u8 ip_v:4; -# else - __u8 ip_hl:4; - __u8 ip_v:4; -# endif - __u8 ip_tos; - __u16 ip_len; - __u16 ip_id; - __u16 ip_off; - __u8 ip_ttl; - __u8 ip_p; - __u16 ip_sum; - struct in_addr ip_src; - struct in_addr ip_dst; -} ip_t; - -typedef struct { - __u8 ether_dhost[6]; - __u8 ether_shost[6]; - __u16 ether_type; -} ether_header_t; - -typedef struct icmp { - u_char icmp_type; /* type of message, see below */ - u_char icmp_code; /* type sub code */ - u_short 
icmp_cksum; /* ones complement cksum of struct */ - union { - u_char ih_pptr; /* ICMP_PARAMPROB */ - struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ - struct ih_idseq { - n_short icd_id; - n_short icd_seq; - } ih_idseq; - int ih_void; - } icmp_hun; -#define icmp_pptr icmp_hun.ih_pptr -#define icmp_gwaddr icmp_hun.ih_gwaddr -#define icmp_id icmp_hun.ih_idseq.icd_id -#define icmp_seq icmp_hun.ih_idseq.icd_seq -#define icmp_void icmp_hun.ih_void - union { - struct id_ts { - n_time its_otime; - n_time its_rtime; - n_time its_ttime; - } id_ts; - struct id_ip { - ip_t idi_ip; - /* options and then 64 bits of data */ - } id_ip; - u_long id_mask; - char id_data[1]; - } icmp_dun; -#define icmp_otime icmp_dun.id_ts.its_otime -#define icmp_rtime icmp_dun.id_ts.its_rtime -#define icmp_ttime icmp_dun.id_ts.its_ttime -#define icmp_ip icmp_dun.id_ip.idi_ip -#define icmp_mask icmp_dun.id_mask -#define icmp_data icmp_dun.id_data -} icmphdr_t; - -# define bcopy(a,b,c) memmove(b,a,c) -# define bcmp(a,b,c) memcmp(a,b,c) - -# define ifnet device - -#else - -typedef struct udphdr udphdr_t; -typedef struct tcphdr tcphdr_t; -typedef struct ip ip_t; -typedef struct ether_header ether_header_t; - -#endif - -#if defined(__SVR4) || defined(__svr4__) -# define bcopy(a,b,c) memmove(b,a,c) -# define bcmp(a,b,c) memcmp(a,b,c) -# define bzero(a,b) memset(a,0,b) -#endif diff --git a/contrib/ipfilter/ipsend/ipsend.sed b/contrib/ipfilter/ipsend/ipsend.sed deleted file mode 100644 index 774c0e24e3df..000000000000 --- a/contrib/ipfilter/ipsend/ipsend.sed +++ /dev/null @@ -1,3 +0,0 @@ -0Æ. Ä,..+CVS0Í -.cvsignore0Î44arp.c0Ï Crashable0ÐMakefile0Ñarp.c0Ò -dlcommon.c0Ódltest.h0Ôin_var.h0Õip.c0Öip_compat.h0×ip_var.h0Ø diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c deleted file mode 100644 index f41a8a9a7481..000000000000 --- a/contrib/ipfilter/ipsend/ultrix.c +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * (C)opyright 1998 Darren Reed. (from tcplog) - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#include <stdio.h> -#include <strings.h> -#include <unistd.h> -#include <stdlib.h> -#include <ctype.h> -#include <sys/types.h> -#include <sys/param.h> -#include <sys/socket.h> -#include <sys/file.h> -#include <sys/ioctl.h> -#include <net/if.h> -#include <netinet/in.h> -#include <netinet/if_ether.h> -#include <netdnet/dli_var.h> - - -static struct dli_devid dli_devid; - - -int initdevice(device, sport, tout) -char *device; -int sport, tout; -{ - u_char *s; - int fd; - - fd = socket(AF_DLI, SOCK_DGRAM, 0); - if (fd == -1) - perror("socket(AF_DLI,SOCK_DGRAM)"); - else { - strncpy(dli_devid.dli_devname, device, DLI_DEVSIZE); - dli_devid.dli_devname[DLI_DEVSIZE] ='\0'; - for (s = dli_devid.dli_devname; *s && isalpha((char)*s); s++) - ; - if (*s && isdigit((char)*s)) { - dli_devid.dli_devnumber = atoi(s); - } - } - return fd; -} - - -/* - * output an IP packet onto a fd opened for /dev/bpf - */ -int sendip(fd, pkt, len) -int fd, len; -char *pkt; -{ - struct sockaddr_dl dl; - struct sockaddr_edl *edl = &dl.choose_addr.dli_eaddr; - - dl.dli_family = AF_DLI; - dl.dli_substructype = DLI_ETHERNET; - bcopy((char *)&dli_devid, (char *)&dl.dli_device, sizeof(dli_devid)); - bcopy(pkt, edl->dli_target, DLI_EADDRSIZE); - bcopy(pkt, edl->dli_dest, DLI_EADDRSIZE); - bcopy(pkt + DLI_EADDRSIZE * 2, (char *)&edl->dli_protype, 2); - edl->dli_ioctlflg = 0; - - if (sendto(fd, pkt, len, 0, (struct sockaddr *)&dl, sizeof(dl)) == -1) - { - perror("send"); - return -1; - } - - return len; -} - - -char *strdup(str) -char *str; -{ - char *s; - - if ((s = (char *)malloc(strlen(str) + 1))) - return strcpy(s, str); - return NULL; -} diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c deleted file mode 100644 index 5a20f240aa9d..000000000000 --- a/contrib/ipfilter/ipt.c +++ /dev/null 
@@ -1,551 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#ifdef __FreeBSD__ -# ifndef __FreeBSD_cc_version -# include <osreldate.h> -# else -# if __FreeBSD_cc_version < 430000 -# include <osreldate.h> -# endif -# endif -#endif -#if defined(__sgi) && (IRIX > 602) -# define _KMEMUSER -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <assert.h> -#include <string.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi) -#include <strings.h> -#else -#if !defined(__sgi) -#include <sys/byteorder.h> -#endif -#include <sys/file.h> -#endif -#include <sys/param.h> -#include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/udp.h> -#include <netinet/tcp.h> -#include <netinet/ip_icmp.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netdb.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <resolv.h> -#include <ctype.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" -#include "ip_frag.h" -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.26 2003/11/09 17:22:21 darrenr Exp $"; -#endif - -extern char *optarg; -extern struct frentry *ipfilter[2][2]; -extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; -extern struct ifnet *get_unit __P((char *, int)); -extern void init_ifp __P((void)); -extern ipnat_t *natparse __P((char *, int, int *)); -extern int fr_running; - -int opts = 0; -int rremove = 0; -int use_inet6 = 0; -int main __P((int, char *[])); -int 
loadrules __P((char *)); -int kmemcpy __P((char *, long, int)); -void dumpnat __P((void)); -void dumpstate __P((void)); -char *getifname __P((void *)); -void drain_log __P((char *)); - -int main(argc,argv) -int argc; -char *argv[]; -{ - char *datain, *iface, *ifname, *packet, *logout; - int fd, i, dir, c, loaded, dump, hlen; - struct in_addr src; - struct ifnet *ifp; - struct ipread *r; - u_long buf[2048]; - ip_t *ip; - - dir = 0; - dump = 0; - loaded = 0; - r = &iptext; - iface = NULL; - logout = NULL; - src.s_addr = 0; - ifname = "anon0"; - datain = NULL; - - nat_init(); - fr_stateinit(); - initparse(); - ipflog_init(); - fr_running = 1; - - while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:Rs:STvxX")) != -1) - switch (c) - { - case '6' : -#ifdef USE_INET6 - use_inet6 = 1; - break; -#else - fprintf(stderr, "IPv6 not supported\n"); - exit(1); -#endif - case 'b' : - opts |= OPT_BRIEF; - break; - case 'd' : - opts |= OPT_DEBUG; - break; - case 'D' : - dump = 1; - break; - case 'i' : - datain = optarg; - break; - case 'I' : - ifname = optarg; - break; - case 'l' : - logout = optarg; - break; - case 'o' : - opts |= OPT_SAVEOUT; - break; - case 'r' : - if (loadrules(optarg) == -1) - return -1; - loaded = 1; - break; - case 's' : - src.s_addr = inet_addr(optarg); - break; - case 'v' : - opts |= OPT_VERBOSE; - break; - case 'E' : - r = ðerf; - break; - case 'H' : - r = &iphex; - break; - case 'N' : - opts |= OPT_NAT; - break; - case 'P' : - r = &pcap; - break; - case 'R' : - rremove = 1; - break; - case 'S' : - r = &snoop; - break; - case 'T' : - r = &tcpd; - break; - case 'x' : - opts |= OPT_HEX; - break; - case 'X' : - r = &iptext; - break; - } - - if (loaded == 0) { - (void)fprintf(stderr,"no rules loaded\n"); - exit(-1); - } - - if (opts & OPT_SAVEOUT) - init_ifp(); - - if (datain) - fd = (*r->r_open)(datain); - else - fd = (*r->r_open)("-"); - - if (fd < 0) - exit(-1); - - ip = (ip_t *)buf; - while ((i = (*r->r_readip)((char *)buf, sizeof(buf), - &iface, &dir)) > 0) 
{ - if (iface == NULL || *iface == '\0') - iface = ifname; - ifp = get_unit(iface, ip->ip_v); - hlen = 0; - if (!use_inet6) { - ip->ip_off = ntohs(ip->ip_off); - ip->ip_len = ntohs(ip->ip_len); - hlen = ip->ip_hl << 2; - if (src.s_addr != 0) { - if (src.s_addr == ip->ip_src.s_addr) - dir = 1; - else if (src.s_addr == ip->ip_dst.s_addr) - dir = 0; - } - } -#ifdef USE_INET6 - else - hlen = sizeof(ip6_t); -#endif - if (opts & OPT_VERBOSE) { - printf("%s on [%s]: ", dir ? "out" : "in", - (iface && *iface) ? iface : "??"); - } - packet = (char *)buf; - /* ipfr_slowtimer(); */ - i = fr_check(ip, hlen, ifp, dir, (mb_t **)&packet); - if ((opts & OPT_NAT) == 0) - switch (i) - { - case -5 : - (void)printf("block return-icmp-as-dest"); - break; - case -4 : - (void)printf("block return-icmp"); - break; - case -3 : - (void)printf("block return-rst"); - break; - case -2 : - (void)printf("auth"); - break; - case -1 : - (void)printf("block"); - break; - case 0 : - (void)printf("pass"); - break; - case 1 : - (void)printf("nomatch"); - break; - } - if (!use_inet6) { - ip->ip_off = htons(ip->ip_off); - ip->ip_len = htons(ip->ip_len); - } - - if (!(opts & OPT_BRIEF)) { - putchar(' '); - printpacket((ip_t *)buf); - printf("--------------"); - } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF)) - printpacket((ip_t *)buf); -#ifndef linux - if (dir && (ifp != NULL) && ip->ip_v && (packet != NULL)) -# if defined(__sgi) && (IRIX < 605) - (*ifp->if_output)(ifp, (void *)packet, NULL); -# else - (*ifp->if_output)(ifp, (void *)packet, NULL, 0); -# endif -#endif - if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF)) - putchar('\n'); - dir = 0; - if (iface != ifname) { - free(iface); - iface = ifname; - } - } - (*r->r_close)(); - - if (logout != NULL) { - drain_log(logout); - } - - if (dump == 1) { - dumpnat(); - dumpstate(); - } - - return 0; -} - - -/* - * Load in either NAT or ipf rules from a file, which is treated as stdin - * if the name is "-". 
NOTE, stdin can only be used once as the file is - * closed after use. - */ -int loadrules(file) -char *file; -{ - char line[513], *s; - int linenum, i; - void *fr; - FILE *fp; - int parsestatus; - - if (!strcmp(file, "-")) - fp = stdin; - else if (!(fp = fopen(file, "r"))) { - (void)fprintf(stderr, "couldn't open %s\n", file); - return (-1); - } - - if (!(opts & OPT_BRIEF)) - (void)printf("opening rule file \"%s\"\n", file); - - linenum = 0; - - while (fgets(line, sizeof(line) - 1, fp)) { - linenum++; - - /* - * treat both CR and LF as EOL - */ - if ((s = index(line, '\n'))) - *s = '\0'; - if ((s = index(line, '\r'))) - *s = '\0'; - - /* - * # is comment marker, everything after is a ignored - */ - if ((s = index(line, '#'))) - *s = '\0'; - - if (!*line) - continue; - - /* fake an `ioctl' call :) */ - - if ((opts & OPT_NAT) != 0) { - parsestatus = 1; - fr = natparse(line, linenum, &parsestatus); - if (parsestatus != 0) { - if (*line) { - fprintf(stderr, - "%d: syntax error in \"%s\"\n", - linenum, line); - } - fprintf(stderr, "%s: %s error (%d), quitting\n", - file, - ((parsestatus < 0)? "parse": "internal"), - parsestatus); - exit(1); - } - if (!fr) - continue; - - if (rremove == 0) { - i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, - (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(ADNAT,%p,1) = %d\n", - fr, i); - } else { - i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT, - (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(RMNAT,%p,1) = %d\n", - fr, i); - } - } else { - fr = parse(line, linenum, &parsestatus); - - if (parsestatus != 0) { - fprintf(stderr, "%s: %s error (%d), quitting\n", - file, - ((parsestatus < 0)? 
"parse": "internal"), - parsestatus); - exit(1); - } - - if (!fr) { - continue; - } - - if (rremove == 0) { - i = IPL_EXTERN(ioctl)(0, SIOCADAFR, - (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(ADAFR,%p,1) = %d\n", - fr, i); - } else { - i = IPL_EXTERN(ioctl)(0, SIOCRMAFR, - (caddr_t)&fr, - FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(RMAFR,%p,1) = %d\n", - fr, i); - } - } - } - (void)fclose(fp); - - return 0; -} - - -int kmemcpy(addr, offset, size) -char *addr; -long offset; -int size; -{ - bcopy((char *)offset, addr, size); - return 0; -} - - -/* - * Display the built up NAT table rules and mapping entries. - */ -void dumpnat() -{ - ipnat_t *ipn; - nat_t *nat; - - printf("List of active MAP/Redirect filters:\n"); - for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next) - printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); - printf("\nList of active sessions:\n"); - for (nat = nat_instances; nat; nat = nat->nat_next) - printactivenat(nat, opts); -} - - -/* - * Display the built up state table rules and mapping entries. - */ -void dumpstate() -{ - ipstate_t *ips; - - printf("List of active state sessions:\n"); - for (ips = ips_list; ips != NULL; ) - ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE)); -} - - -/* - * Given a pointer to an interface in the kernel, return a pointer to a - * string which is the interface name. 
- */ -char *getifname(ptr) -void *ptr; -{ -#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) -#else - char buf[32], *s; - int len; -#endif - struct ifnet netif; - - if (ptr == (void *)-1) - return "!"; - if (ptr == NULL) - return "-"; - - if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1) - return "X"; -#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) - return strdup(netif.if_xname); -#else - if (kmemcpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1) - return "X"; - if (netif.if_unit < 10) - len = 2; - else if (netif.if_unit < 1000) - len = 3; - else if (netif.if_unit < 10000) - len = 4; - else - len = 5; - buf[sizeof(buf) - len] = '\0'; - for (s = buf; *s && !isdigit(*s); s++) - ; - if (isdigit(*s)) - *s = '\0'; - sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000); - return strdup(buf); -#endif -} - - -void drain_log(filename) -char *filename; -{ - char buffer[IPLLOGSIZE]; - struct iovec iov; - struct uio uio; - size_t resid; - int fd; - - fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644); - if (fd == -1) { - perror("drain_log:open"); - return; - } - - while (1) { - bzero((char *)&iov, sizeof(iov)); - iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); - - bzero((char *)&uio, sizeof(uio)); - uio.uio_iov = &iov; - uio.uio_iovcnt = 1; - uio.uio_resid = iov.iov_len; - resid = uio.uio_resid; - - if (ipflog_read(0, &uio) == 0) { - /* - * If nothing was read then break out. - */ - if (uio.uio_resid == resid) - break; - write(fd, buffer, resid - uio.uio_resid); - } else - break; - } - - close(fd); -} diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c deleted file mode 100644 index 5723ba3806c6..000000000000 --- a/contrib/ipfilter/kmem.c +++ /dev/null 
@@ -1,244 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -/* - * kmemcpy() - copies n bytes from kernel memory into user buffer. - * returns 0 on success, -1 on error. - */ - -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <sys/param.h> -#include <sys/types.h> -#include <unistd.h> -#include <string.h> -#include <fcntl.h> -#include <stdlib.h> -#include <sys/file.h> -#ifndef __sgi -#include <kvm.h> -#endif -#include <fcntl.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif - -#include "kmem.h" -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "ipf.h" - - -#ifndef __STDC__ -# define const -#endif - -#if !defined(lint) -static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.18 2003/11/09 17:22:22 darrenr Exp $"; -#endif - -#ifdef __sgi -typedef int kvm_t; - -static int kvm_fd = -1; -static char *kvm_errstr = NULL; - -kvm_t *kvm_open(kernel, core, swap, mode, errstr) -char *kernel, *core, *swap; -int mode; -char *errstr; -{ - kvm_errstr = errstr; - - if (core == NULL) - core = "/dev/kmem"; - kvm_fd = open(core, mode); - return (kvm_fd >= 0) ? 
(kvm_t *)&kvm_fd : NULL; -} - -int kvm_read(kvm, pos, buffer, size) -kvm_t *kvm; -u_long pos; -char *buffer; -size_t size; -{ - size_t left; - char *bufp; - int r; - - if (lseek(*kvm, pos, 0) == -1) { - if (kvm_errstr != NULL) { - fprintf(stderr, "%s:", kvm_errstr); - perror("lseek"); - } - return -1; - } - - for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) { - r = read(*kvm, bufp, 1); - if (r <= 0) - return -1; - } - return size; -} -#endif - -static kvm_t *kvm_f = NULL; - -int openkmem(kern, core) -char *kern, *core; -{ - union { - int ui; - kvm_t *uk; - } k; - - kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL); - if (kvm_f == NULL) - { - perror("openkmem:open"); - return -1; - } - k.uk = kvm_f; - return k.ui; -} - -int kmemcpy(buf, pos, n) -register char *buf; -long pos; -register int n; -{ - register int r; - - if (!n) - return 0; - - if (kvm_f == NULL) - if (openkmem(NULL, NULL) == -1) - return -1; - - while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n) - if (r <= 0) - { - fprintf(stderr, "pos=0x%x ", (u_int)pos); - perror("kmemcpy:read"); - return -1; - } - else - { - buf += r; - pos += r; - n -= r; - } - return 0; -} - -int kstrncpy(buf, pos, n) -register char *buf; -long pos; -register int n; -{ - register int r; - - if (!n) - return 0; - - if (kvm_f == NULL) - if (openkmem(NULL, NULL) == -1) - return -1; - - while (n > 0) - { - r = kvm_read(kvm_f, pos, buf, (size_t)1); - if (r <= 0) - { - fprintf(stderr, "pos=0x%x ", (u_int)pos); - perror("kstrncpy:read"); - return -1; - } - else - { - if (*buf == '\0') - break; - buf++; - pos++; - n--; - } - } - return 0; -} - - -/* - * Given a pointer to an interface in the kernel, return a pointer to a - * string which is the interface name. 
- */ -char *getifname(ptr) -void *ptr; -{ -#if SOLARIS - char *ifname; - ill_t ill; - - if (ptr == (void *)-1) - return "!"; - if (ptr == NULL) - return "-"; - - if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1) - return "X"; - ifname = malloc(ill.ill_name_length + 1); - if (kmemcpy(ifname, (u_long)ill.ill_name, - ill.ill_name_length) == -1) - return "X"; - return ifname; -#else -# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) -#else - char buf[32]; - int len; -# endif - struct ifnet netif; - - if (ptr == (void *)-1) - return "!"; - if (ptr == NULL) - return "-"; - - if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1) - return "X"; -# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) || \ - (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) - return strdup(netif.if_xname); -# else - if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1) - return "X"; - if (netif.if_unit < 10) - len = 2; - else if (netif.if_unit < 1000) - len = 3; - else if (netif.if_unit < 10000) - len = 4; - else - len = 5; - buf[sizeof(buf) - len] = '\0'; - sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000); - return strdup(buf); -# endif -#endif -} diff --git a/contrib/ipfilter/linux.h b/contrib/ipfilter/linux.h deleted file mode 100644 index 61fd821c2adb..000000000000 --- a/contrib/ipfilter/linux.h +++ /dev/null 
@@ -1,19 +0,0 @@ -/* - * Copyright (C) 1993-1998 by Darren Reed. - * - * Redistribution and use in source and binary forms are permitted - * provided that this notice is preserved and due credit is given - * to the original author and the contributors. The author accepts no - * responsibility and is not changed in any way. - * - * I hate legaleese, don't you ? - * $Id: linux.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $ - */ - -#include <linux/config.h> -#ifdef MODULE -#include <linux/module.h> -#include <linux/version.h> -#endif /* MODULE */ - -#include "ip_compat.h" diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1 deleted file mode 100644 index 5ea06fa74c35..000000000000 --- a/contrib/ipfilter/man/ipf.1 +++ /dev/null 
@@ -1,109 +0,0 @@ -.TH IPF 1 -.SH NAME -ipf \- alters packet filtering lists for IP packet input and ouput -.SH SYNOPSIS -.B ipf -[ -.B \-AdDEInorsUvyzZ -] [ -.B \-l -<block|pass|nomatch> -] [ -.B \-F -<i|o|a> -] -.B \-f -<\fIfilename\fP> -[ -.B \-f -<\fIfilename\fP> -[...]] -.SH DESCRIPTION -.PP -\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the -file for a set of rules which are to be added or removed from the packet -filter rule set. -.PP -Each rule processed by \fBipf\fP -is added to the kernel's internal lists if there are no parsing problems. -Rules are added to the end of the internal lists, matching the order in -which they appear when given to \fBipf\fP. -.SH OPTIONS -.TP -.B \-A -Set the list to make changes to the active list (default). -.TP -.B \-d -Turn debug mode on. Causes a hexdump of filter rules to be generated as -it processes each one. -.TP -.B \-D -Disable the filter (if enabled). Not effective for loadable kernel versions. -.TP -.B \-E -Enable the filter (if disabled). Not effective for loadable kernel versions. -.TP -.BR \-F \0<param> -This option specifies which filter list to flush. The parameter should -either be "i" (input), "o" (output) or "a" (remove all filter rules). -Either a single letter or an entire word starting with the appropriate -letter maybe used. This option maybe before, or after, any other with -the order on the command line being that used to execute options. -.TP -.BR \-f \0<filename> -This option specifies which files -\fBipf\fP should use to get input from for modifying the packet filter rule -lists. -.TP -.B \-I -Set the list to make changes to the inactive list. -.TP -.B \-l \0<param> -Use of the \fB-l\fP flag toggles default logging of packets. Valid -arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP. -When an option is set, any packet which exits filtering and matches the -set category is logged. 
This is most useful for causing all packets -which don't match any of the loaded rules to be logged. -.TP -.B \-n -This flag (no-change) prevents \fBipf\fP from actually making any ioctl -calls or doing anything which would alter the currently running kernel. -.TP -.B \-o -Force rules by default to be added/deleted to/from the output list, rather -than the (default) input list. -.TP -.B \-r -Remove matching filter rules rather than add them to the internal lists -.TP -.B \-s -Swap the active filter list in use to be the "other" one. -.TP -.B \-U -(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't -recognised as IP packets. They will be printed out on the console. -.TP -.B \-v -Turn verbose mode on. Displays information relating to rule processing. -.TP -.B \-y -(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained -by IP Filter with the current interface status list. -.TP -.B \-z -For each rule in the input file, reset the statistics for it to zero and -display the statistics prior to them being zero'd. -.TP -.B \-Z -Zero global statistics held in the kernel for filtering only (this doesn't -affect fragment or state statistics). -.DT -.SH SEE ALSO -ipfstat(1), ipftest(1), ipf(5), mkfilters(1) -.SH DIAGNOSTICS -.PP -Needs to be run as root for the packet filtering lists to actually -be affected inside the kernel. -.SH BUGS -.PP -If you find any, please send email to me at darrenr@cyber.com.au diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1 deleted file mode 100644 index f24141546171..000000000000 --- a/contrib/ipfilter/man/ipnat.1 +++ /dev/null 
@@ -1,48 +0,0 @@ -.TH IPNAT 1 -.SH NAME -ipnat \- user interface to the NAT -.SH SYNOPSIS -.B ipnat -[ -.B \-lnrsvCF -] -.B \-f <\fIfilename\fP> -.SH DESCRIPTION -.PP -\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the -file for a set of rules which are to be added or removed from the IP NAT. -.PP -Each rule processed by \fBipnat\fP -is added to the kernels internal lists if there are no parsing problems. -Rules are added to the end of the internal lists, matching the order in -which they appear when given to \fBipnat\fP. -.SH OPTIONS -.TP -.B \-C -delete all entries in the current NAT rule listing (NAT rules) -.TP -.B \-F -delete all active entries in the current NAT translation table (currently -active NAT mappings) -.TP -.B \-l -Show the list of current NAT table entry mappings. -.TP -.B \-n -This flag (no-change) prevents \fBipf\fP from actually making any ioctl -calls or doing anything which would alter the currently running kernel. -.TP -.B \-s -Retrieve and display NAT statistics -.TP -.B \-r -Remove matching NAT rules rather than add them to the internal lists -.TP -.B \-v -Turn verbose mode on. Displays information relating to rule processing -and active rules/table entries. -.DT -.SH FILES -/dev/ipnat -.SH SEE ALSO -ipnat(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/man.sed b/contrib/ipfilter/man/man.sed deleted file mode 100644 index 0be8dab0dc7b..000000000000 --- a/contrib/ipfilter/man/man.sed +++ /dev/null @@ -1 +0,0 @@ -DF. Ä..–CVSD~MakefileDipf.1D€ipf.4Dipf.5D‚ diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c deleted file mode 100644 index e39b98fd76f3..000000000000 --- a/contrib/ipfilter/misc.c +++ /dev/null 
@@ -1,207 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#if (SOLARIS2 >= 7) -# define _SYS_VARARGS_H -# define _VARARGS_H -#endif -#if defined(__STDC__) -# include <stdarg.h> -#else -# include <varargs.h> -#endif -#include <stdio.h> -#include <assert.h> -#include <string.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/param.h> -#include <sys/time.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#ifndef linux -#include <netinet/ip_var.h> -#endif -#include <netinet/ip.h> -#include <netinet/udp.h> -#include <netinet/tcp.h> -#include <netinet/ip_icmp.h> -#include <net/if.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include "ip_compat.h" -#include <netinet/tcpip.h> -#include "ip_fil.h" -#include "ipf.h" -#include "ipt.h" - -#if !defined(lint) -static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.9 2002/12/06 11:40:27 darrenr Exp $"; -#endif - -extern int opts; - - -void printpacket(ip) -ip_t *ip; -{ - tcphdr_t *tcp; - u_short len; - - if (ip->ip_v == 4) - len = ntohs(ip->ip_len); - else if (ip->ip_v == 6) - len = ntohs(((u_short *)ip)[2]) + 40; - else - len = 0; - - if ((opts & OPT_HEX) == OPT_HEX) { - u_char *s; - int i; - - for (s = (u_char *)ip, i = 0; i < len; i++) { - printf("%02x", *s++ & 0xff); - if (len - i > 1) { - i++; - printf("%02x", *s++ & 0xff); - } - if (i + 1 != len) - putchar(' '); - } - putchar('\n'); - return; - } - - if (ip->ip_v == 6) { - printpacket6(ip); - return; - } - - tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2)); - printf("ip %d(%d) %d", 
ntohs(ip->ip_len), ip->ip_hl << 2, ip->ip_p); - if (ip->ip_off & IP_OFFMASK) - printf(" @%d", ip->ip_off << 3); - (void)printf(" %s", inet_ntoa(ip->ip_src)); - if (!(ip->ip_off & IP_OFFMASK)) - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) - (void)printf(",%d", ntohs(tcp->th_sport)); - (void)printf(" > "); - (void)printf("%s", inet_ntoa(ip->ip_dst)); - if (!(ip->ip_off & IP_OFFMASK)) { - if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) - (void)printf(",%d", ntohs(tcp->th_dport)); - if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags)) { - putchar(' '); - if (tcp->th_flags & TH_FIN) - putchar('F'); - if (tcp->th_flags & TH_SYN) - putchar('S'); - if (tcp->th_flags & TH_RST) - putchar('R'); - if (tcp->th_flags & TH_PUSH) - putchar('P'); - if (tcp->th_flags & TH_ACK) - putchar('A'); - if (tcp->th_flags & TH_URG) - putchar('U'); - if (tcp->th_flags & TH_ECN) - putchar('E'); - if (tcp->th_flags & TH_CWR) - putchar('C'); - } - } - putchar('\n'); -} - - -/* - * This is meant to work without the IPv6 header files being present or - * the inet_ntop() library. 
- */ -void printpacket6(ip) -ip_t *ip; -{ - u_char *buf, p, hops; - u_short plen, *addrs; - tcphdr_t *tcp; - u_32_t flow; - - buf = (u_char *)ip; - tcp = (tcphdr_t *)(buf + 40); - p = buf[6]; - hops = buf[7]; - flow = ntohl(*(u_32_t *)buf); - flow &= 0xfffff; - plen = ntohs(*((u_short *)buf +2)); - addrs = (u_short *)buf + 4; - - printf("ip6/%d %d %#x %d", buf[0] & 0xf, plen, flow, p); - printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x", - ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]), - ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]), - ntohs(addrs[6]), ntohs(addrs[7])); - if (plen >= 4) - if (p == IPPROTO_TCP || p == IPPROTO_UDP) - (void)printf(",%d", ntohs(tcp->th_sport)); - printf(" >"); - addrs += 8; - printf(" %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x", - ntohs(addrs[0]), ntohs(addrs[1]), ntohs(addrs[2]), - ntohs(addrs[3]), ntohs(addrs[4]), ntohs(addrs[5]), - ntohs(addrs[6]), ntohs(addrs[7])); - if (plen >= 4) - if (p == IPPROTO_TCP || p == IPPROTO_UDP) - (void)printf(",%d", ntohs(tcp->th_dport)); - putchar('\n'); -} - - -#if defined(__STDC__) -void verbose(char *fmt, ...) -#else -void verbose(fmt, va_alist) -char *fmt; -va_dcl -#endif -{ - va_list pvar; - - va_start(pvar, fmt); - if (opts & OPT_VERBOSE) - vprintf(fmt, pvar); - va_end(pvar); -} - - -#ifdef __STDC__ -void debug(char *fmt, ...) -#else -void debug(fmt, va_alist) -char *fmt; -va_dcl -#endif -{ - va_list pvar; - - va_start(pvar, fmt); - if (opts & OPT_DEBUG) - vprintf(fmt, pvar); - va_end(pvar); -} diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c deleted file mode 100644 index 4db9a9b06722..000000000000 --- a/contrib/ipfilter/ml_ipl.c +++ /dev/null 
@@ -1,165 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * responsibility and is not changed in any way. - * - * I hate legaleese, don't you ? - */ -/* - * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate - * its own major char number! Way cool patch! - */ -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/time.h> -#include <sys/file.h> -#include <sys/conf.h> -#include <sys/syslog.h> -#include <sys/buf.h> -#include <sys/param.h> -#include <sys/errno.h> -#include <sys/uio.h> -#include <sys/vnode.h> -#include <sundev/mbvar.h> -#include <sun/autoconf.h> -#include <sun/vddrv.h> -#if defined(sun4c) || defined(sun4m) -#include <sun/openprom.h> -#endif - -#ifndef IPL_NAME -#define IPL_NAME "/dev/ipl" -#endif - -extern int iplattach(), iplopen(), iplclose(), iplioctl(), iplread(); -extern int nulldev(), iplidentify(), errno; - -struct cdevsw ipldevsw = -{ - iplopen, iplclose, iplread, nulldev, - iplioctl, nulldev, nulldev, nulldev, - 0, nulldev, -}; - - -struct dev_ops ipl_ops = -{ - 1, - iplidentify, - iplattach, - iplopen, - iplclose, - iplread, - NULL, /* write */ - NULL, /* strategy */ - NULL, /* dump */ - 0, /* psize */ - iplioctl, - NULL, /* reset */ - NULL /* mmap */ -}; - -int ipl_major = 0; - -#ifdef sun4m -struct vdldrv vd = -{ - VDMAGIC_PSEUDO, - "ipl", - &ipl_ops, - NULL, - &ipldevsw, - 0, - 0, - NULL, - NULL, - NULL, - 0, - 1, -}; -#else /* sun4m */ -struct vdldrv vd = -{ - VDMAGIC_PSEUDO, /* magic */ - "ipl", /* name */ -#ifdef sun4c - &ipl_ops, /* dev_ops */ -#else - NULL, /* struct mb_ctlr *mb_ctlr */ - NULL, /* struct mb_driver *mb_driver */ - NULL, /* struct mb_device *mb_device */ - 0, /* num ctlrs */ - 1, /* numdevs */ -#endif /* sun4c */ - NULL, /* bdevsw */ - &ipldevsw, /* cdevsw */ - 0, /* block major */ - 0, /* char major */ -}; -#endif /* sun4m */ - -extern int vd_unuseddev(); -extern struct cdevsw cdevsw[]; -extern int nchrdev; - 
-xxxinit(fc, vdp, vdi, vds) -u_int fc; -struct vddrv *vdp; -caddr_t vdi; -struct vdstat *vds; -{ - struct vdlinkage *v; - int i; - - switch (fc) - { - case VDLOAD: - while (ipl_major < nchrdev && - cdevsw[ipl_major].d_open != vd_unuseddev) - ipl_major++; - if (ipl_major == nchrdev) - return ENODEV; - vd.Drv_charmajor = ipl_major; - vdp->vdd_vdtab = (struct vdlinkage *)&vd; - return ipl_attach(vdi); - case VDUNLOAD: - return unload(vdp, vdi); - - case VDSTAT: - return 0; - - default: - return EIO; - } -} - -static unload(vdp, vdi) - struct vddrv *vdp; - struct vdioctl_unload *vdi; -{ - int i; - - (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE); - return ipldetach(); -} - - -static int ipl_attach(vdi) -struct vdioctl_load *vdi; -{ - struct vnode *vp; - struct vattr vattr; - int error = 0, fmode = S_IFCHR|0600; - - (void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE); - vattr_null(&vattr); - vattr.va_type = MFTOVT(fmode); - vattr.va_mode = (fmode & 07777); - vattr.va_rdev = ipl_major<<8; - - error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp); - if (error == 0) - VN_RELE(vp); - return iplattach(0); -} diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c deleted file mode 100644 index 235a5af21f17..000000000000 --- a/contrib/ipfilter/mli_ipl.c +++ /dev/null 
@@ -1,596 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * (C)opyright 1997 by Marc Boucher. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ - -/* TODO: (MARCXXX) - - ipl_init failure -> open ENODEV or whatever - - prevent multiple LKM loads - - surround access to ifnet structures by IFNET_LOCK()/IFNET_UNLOCK() ? - - m != m1 problem -*/ - -#include <sys/types.h> -#include <sys/conf.h> -#ifdef IPFILTER_LKM -#include <sys/mload.h> -#endif -#include <sys/systm.h> -#include <sys/errno.h> -#include <net/if.h> -#include <net/route.h> -#include <netinet/in.h> -#ifdef IFF_DRVRLOCK /* IRIX6 */ -#include <sys/hashing.h> -#include <netinet/in_var.h> -#endif -#include <sys/mbuf.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> -#include <netinet/tcpip.h> -#include <netinet/ip_icmp.h> -#include <netinet/ipfilter.h> -#include "ipl.h" -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" - -/*#define IPFDEBUG 1*/ - -unsigned IPL_EXTERN(devflag) = D_MP; -#ifdef IPFILTER_LKM -char *IPL_EXTERN(mversion) = M_VERSION; -#endif - -kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw; -kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; - -int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); - -#ifdef IPFILTER_LKM -static int *ipff_addr = 0; -static int ipff_value; -static __psunsigned_t *ipfk_addr = 0; -static __psunsigned_t ipfk_code[4]; -#endif - -typedef struct nif { - struct nif *nf_next; - struct ifnet *nf_ifp; -#if IRIX < 605 - int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *); -#else - int (*nf_output)(struct ifnet *, struct mbuf *, struct sockaddr *, - struct rtentry *); -#endif - char nf_name[IFNAMSIZ]; - int nf_unit; -} nif_t; - -static nif_t *nif_head = 0; -static int nif_interfaces = 0; -extern int in_interfaces; - -extern ipnat_t *nat_list; - -static int -#if IRIX < 605 -ipl_if_output(struct ifnet *ifp, 
struct mbuf *m, struct sockaddr *dst) -#else -ipl_if_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, - struct rtentry *rt) -#endif -{ - nif_t *nif; - - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - for (nif = nif_head; nif; nif = nif->nf_next) - if (nif->nf_ifp == ifp) - break; - - MUTEX_EXIT(&ipfi_mutex); - if (!nif) { - printf("IP Filter: ipl_if_output intf %x NOT FOUND\n", ifp); - return ENETDOWN; - } - -#if IPFDEBUG >= 4 - static unsigned int cnt = 0; - if ((++cnt % 200) == 0) - printf("IP Filter: ipl_if_output(ifp=0x%lx, m=0x%lx, dst=0x%lx), m_type=%d m_flags=0x%lx m_off=0x%lx\n", ifp, m, dst, m->m_type, (unsigned long)(m->m_flags), m->m_off); -#endif - if (fr_checkp) { - struct mbuf *m1 = m; - struct ip *ip; - int hlen; - - switch(m->m_type) { - case MT_DATA: - if (m->m_flags & M_BCAST) { -#if IPFDEBUG >= 2 - printf("IP Filter: ipl_if_output: passing M_BCAST\n"); -#endif - break; - } - /* FALLTHROUGH */ - case MT_HEADER: -#if IPFDEBUG >= 4 - if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) { - printf("IP Filter: ipl_if_output: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off); - goto done; - } -#endif - if (m->m_len < sizeof(char)) { - printf("IP Filter: ipl_if_output: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags)); - goto done; - } - ip = mtod(m, struct ip *); - if (ip->ip_v != IPVERSION) { -#if IPFDEBUG >= 4 - printf("IP Filter: ipl_if_output: bad ip_v m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off); -#endif - goto done; - } - - hlen = ip->ip_hl << 2; - if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) - return EHOSTUNREACH; - - if (!m1) - return 0; - - m = m1; - break; - - default: - printf("IP Filter: ipl_if_output: bad m_type=%d m_flags=0x%lxm_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off); - break; - } - } 
-done: -#if IRIX < 605 - return (*nif->nf_output)(ifp, m, dst); -#else - return (*nif->nf_output)(ifp, m, dst, rt); -#endif -} - -int -IPL_EXTERN(_kernel)(struct ifnet *rcvif, struct mbuf *m) -{ -#if IPFDEBUG >= 4 - static unsigned int cnt = 0; - if ((++cnt % 200) == 0) - printf("IP Filter: ipl_ipfilter_kernel(rcvif=0x%lx, m=0x%lx\n", rcvif, m); -#endif - - /* - * Check if we want to allow this packet to be processed. - * Consider it to be bad if not. - */ - if (fr_checkp) { - struct mbuf *m1 = m; - struct ip *ip; - int hlen; - - if ((m->m_type != MT_DATA) && (m->m_type != MT_HEADER)) { - printf("IP Filter: ipl_ipfilter_kernel: bad m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off); - return IPF_ACCEPTIT; - } - -#if IPFDEBUG >= 4 - if (!MBUF_IS_CLUSTER(m) && ((m->m_off < MMINOFF) || (m->m_off > MMAXOFF))) { - printf("IP Filter: ipl_ipfilter_kernel: bad m_off m_type=%d m_flags=0x%lx m_off=0x%lx\n", m->m_type, (unsigned long)(m->m_flags), m->m_off); - return IPF_ACCEPTIT; - } -#endif - if (m->m_len < sizeof(char)) { - printf("IP Filter: ipl_ipfilter_kernel: mbuf block too small (m_len=%d) for IP vers+hlen, m_type=%d m_flags=0x%lx\n", m->m_len, m->m_type, (unsigned long)(m->m_flags)); - return IPF_ACCEPTIT; - } - ip = mtod(m, struct ip *); - if (ip->ip_v != IPVERSION) { - printf("IP Filter: ipl_ipfilter_kernel: bad ip_v\n"); - m_freem(m); - return IPF_DROPIT; - } - - hlen = ip->ip_hl << 2; - if ((*fr_checkp)(ip, hlen, rcvif, 0, &m1) || !m1) - return IPF_DROPIT; - if (m != m1) - printf("IP Filter: ipl_ipfilter_kernel: m != m1\n"); - } - - return IPF_ACCEPTIT; -} - -static int -ipfilterattach(void) -{ -#ifdef IPFILTER_LKM - __psunsigned_t *addr_ff, *addr_fk; - - st_findaddr("ipfilterflag", &addr_ff); -#if IPFDEBUG >= 4 - printf("IP Filter: st_findaddr ipfilterflag=0x%lx\n", addr_ff); -#endif - if (!addr_ff) - return ESRCH; - - st_findaddr("ipfilter_kernel", &addr_fk); -#if IPFDEBUG >= 4 - printf("IP Filter: st_findaddr 
ipfilter_kernel=0x%lx\n", addr_fk); -#endif - if (!addr_fk) - return ESRCH; - - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - - ipff_addr = (int *)addr_ff; - - ipff_value = *ipff_addr; - *ipff_addr = 0; - - - ipfk_addr = addr_fk; - - bcopy(ipfk_addr, ipfk_code, - sizeof(ipfk_code)); - - /* write a "li t4, ipl_ipfilter_kernel" instruction */ - ipfk_addr[0] = 0x3c0c0000 | - (((__psunsigned_t)IPL_EXTERN(_kernel) >> 16) & 0xffff); - ipfk_addr[1] = 0x358c0000 | - ((__psunsigned_t)IPL_EXTERN(_kernel) & 0xffff); - /* write a "jr t4" instruction" */ - ipfk_addr[2] = 0x01800008; - - /* write a "nop" instruction */ - ipfk_addr[3] = 0; - - icache_inval(ipfk_addr, sizeof(ipfk_code)); - - *ipff_addr = 1; /* enable ipfilter_kernel */ - - MUTEX_EXIT(&ipfi_mutex); -#else - extern int ipfilterflag; - - ipfilterflag = 1; -#endif - - return 0; -} - -/* - * attach the packet filter to each non-loopback interface that is running - */ -static void -nifattach() -{ - struct ifnet *ifp; - struct frentry *f; - ipnat_t *np; - nif_t *nif; - - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - - for (ifp = ifnet; ifp; ifp = ifp->if_next) { - if ((!(ifp->if_flags & IFF_RUNNING)) || - (ifp->if_flags & IFF_LOOPBACK)) - continue; - - /* - * Look for entry already setup for this device - */ - for (nif = nif_head; nif; nif = nif->nf_next) - if (nif->nf_ifp == ifp) - break; - if (nif) - continue; - - if (ifp->if_output == ipl_if_output) { - printf("IP Filter: ERROR INTF 0x%lx STILL ATTACHED\n", - ifp); - continue; - } -#if IPFDEBUG >= 4 - printf("IP Filter: nifattach nif %x opt %x\n", - ifp, ifp->if_output); -#endif - KMALLOC(nif, nif_t *); - if (!nif) { - printf("IP Filter: malloc(%d) for nif_t failed\n", - sizeof(nif_t)); - continue; - } - - nif->nf_ifp = ifp; - strncpy(nif->nf_name, ifp->if_name, sizeof(nif->nf_name)); - nif->nf_name[sizeof(nif->nf_name) - 1] = '\0'; - nif->nf_unit = ifp->if_unit; - - nif->nf_next = nif_head; - nif_head = nif; - - 
/* - * Activate any rules directly associated with this interface - */ - MUTEX_ENTER(&ipf_mutex); - for (f = ipfilter[0][0]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - if (f->fr_ifname[0] && - (GETUNIT(f->fr_ifname, 4) == ifp)) - f->fr_ifa = ifp; - } - } - for (f = ipfilter[1][0]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - if (f->fr_ifname[0] && - (GETUNIT(f->fr_ifname, 4) == ifp)) - f->fr_ifa = ifp; - } - } - MUTEX_EXIT(&ipf_mutex); - MUTEX_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) { - if ((np->in_ifp == (void *)-1)) { - if (np->in_ifname[0] && - (GETUNIT(np->in_ifname, 4) == ifp)) - np->in_ifp = (void *)ifp; - } - } - MUTEX_EXIT(&ipf_nat); - - nif->nf_output = ifp->if_output; - ifp->if_output = ipl_if_output; - -#if IPFDEBUG >= 4 - printf("IP Filter: nifattach: ifp(%lx)->if_output FROM %lx TO %lx\n", - ifp, nif->nf_output, ifp->if_output); -#endif - - printf("IP Filter: attach to [%s,%d]\n", - nif->nf_name, ifp->if_unit); - } - if (!nif_head) - printf("IP Filter: not attached to any interfaces\n"); - - nif_interfaces = in_interfaces; - - MUTEX_EXIT(&ipfi_mutex); - - return; -} - -/* - * look for bad consistancies between the list of interfaces the filter knows - * about and those which are currently configured. 
- */ -int -ipfsync(void) -{ - register struct frentry *f; - register ipnat_t *np; - register nif_t *nif, **qp; - register struct ifnet *ifp; - - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - for (qp = &nif_head; (nif = *qp); ) { - for (ifp = ifnet; ifp; ifp = ifp->if_next) - if ((nif->nf_ifp == ifp) && - (nif->nf_unit == ifp->if_unit) && - !strcmp(nif->nf_name, ifp->if_name)) { - break; - } - if (ifp) { - qp = &nif->nf_next; - continue; - } - printf("IP Filter: detaching [%s]\n", nif->nf_name); - *qp = nif->nf_next; - - /* - * Disable any rules directly associated with this interface - */ - MUTEX_ENTER(&ipf_mutex); - for (f = ipfilter[0][0]; f; f = f->fr_next) - if (f->fr_ifa == (void *)nif->nf_ifp) - f->fr_ifa = (struct ifnet *)-1; - for (f = ipfilter[1][0]; f; f = f->fr_next) - if (f->fr_ifa == (void *)nif->nf_ifp) - f->fr_ifa = (struct ifnet *)-1; - MUTEX_EXIT(&ipf_mutex); - MUTEX_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) - if (np->in_ifp == (void *)nif->nf_ifp) - np->in_ifp =(struct ifnet *)-1; - MUTEX_EXIT(&ipf_nat); - - KFREE(nif); - nif = *qp; - } - MUTEX_EXIT(&ipfi_mutex); - - nifattach(); - - return 0; -} - - -/* - * unhook the IP filter from all defined interfaces with IP addresses - */ -static void -nifdetach() -{ - struct ifnet *ifp; - nif_t *nif, **qp; - - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - /* - * Make two passes, first get rid of all the unknown devices, next - * unlink known devices. 
- */ - for (qp = &nif_head; (nif = *qp); ) { - for (ifp = ifnet; ifp; ifp = ifp->if_next) - if (nif->nf_ifp == ifp) - break; - if (ifp) { - qp = &nif->nf_next; - continue; - } - printf("IP Filter: removing [%s]\n", nif->nf_name); - *qp = nif->nf_next; - KFREE(nif); - } - - while ((nif = nif_head)) { - nif_head = nif->nf_next; - for (ifp = ifnet; ifp; ifp = ifp->if_next) - if (nif->nf_ifp == ifp) - break; - if (ifp) { - printf("IP Filter: detaching [%s,%d]\n", - nif->nf_name, ifp->if_unit); - -#if IPFDEBUG >= 4 - printf("IP Filter: nifdetach: ifp(%lx)->if_output FROM %lx TO %lx\n", - ifp, ifp->if_output, nif->nf_output); -#endif - ifp->if_output = nif->nf_output; - } - KFREE(nif); - } - MUTEX_EXIT(&ipfi_mutex); - - return; -} - - -static void -ipfilterdetach(void) -{ -#ifdef IPFILTER_LKM - MUTEX_ENTER(&ipfi_mutex); /* sets interrupt priority level to splhi */ - - if (ipff_addr) { - *ipff_addr = 0; - - if (ipfk_addr) - bcopy(ipfk_code, ipfk_addr, sizeof(ipfk_code)); - - *ipff_addr = ipff_value; - } - - MUTEX_EXIT(&ipfi_mutex); -#else - extern int ipfilterflag; - - ipfilterflag = 0; -#endif -} - -/* called by ipldetach() */ -void -ipfilter_sgi_detach(void) -{ - nifdetach(); - - ipfilterdetach(); -} - -/* called by iplattach() */ -int -ipfilter_sgi_attach(void) -{ - int error; - - nif_interfaces = 0; - - error = ipfilterattach(); - - if (!error) - nifattach(); - - return error; -} - -/* this function is called from ipfr_slowtimer at 500ms intervals to - keep our interface list in sync */ -void -ipfilter_sgi_intfsync(void) -{ - MUTEX_ENTER(&ipfi_mutex); - if (nif_interfaces != in_interfaces) { - /* if the number of interfaces has changed, resync */ - MUTEX_EXIT(&ipfi_mutex); - ipfsync(); - } else - MUTEX_EXIT(&ipfi_mutex); -} - -#ifdef IPFILTER_LKM -/* this routine should be treated as an interrupt routine and should - not call any routines that would cause it to sleep, such as: biowait(), - sleep(), psema() or delay(). 
-*/ -int -IPL_EXTERN(unload)(void) -{ - int error = 0; - - error = ipldetach(); - - LOCK_DEALLOC(ipl_mutex.l); - LOCK_DEALLOC(ipf_rw.l); - LOCK_DEALLOC(ipf_auth.l); - LOCK_DEALLOC(ipf_natfrag.l); - LOCK_DEALLOC(ipf_nat.l); - LOCK_DEALLOC(ipf_state.l); - LOCK_DEALLOC(ipf_frag.l); - LOCK_DEALLOC(ipf_mutex.l); - LOCK_DEALLOC(ipfi_mutex.l); - - return error; -} -#endif - -void -IPL_EXTERN(init)(void) -{ -#ifdef IPFILTER_LKM - int error; -#endif - - ipfi_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipl_mutex.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - - if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l || - !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || - !ipl_mutex.l) - panic("IP Filter: LOCK_ALLOC failed"); - -#ifdef IPFILTER_LKM - error = iplattach(); - if (error) { - IPL_EXTERN(unload)(); - } -#endif - - return; -} - diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c deleted file mode 100644 index b170940e8921..000000000000 --- a/contrib/ipfilter/mln_ipl.c +++ /dev/null 
@@ -1,295 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-
-
-#include <sys/param.h>
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# define NETBSD_PF
-#endif
-
-#include <sys/systm.h>
-#include <sys/conf.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <sys/proc.h>
-#include <sys/uio.h>
-#include <sys/kernel.h>
-#include <sys/vnode.h>
-#include <sys/namei.h>
-#include <sys/malloc.h>
-#include <sys/mount.h>
-#include <sys/exec.h>
-#include <sys/mbuf.h>
-#include <net/if.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <sys/lkm.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-#if !defined(__NetBSD_Version__) || __NetBSD_Version__ < 103050000
-#define vn_lock(v,f) VOP_LOCK(v)
-#endif
-
-#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
-#define VOP_LEASE LEASE_CHECK
-#endif
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-
-extern int lkmenodev __P((void));
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry __P((struct lkm_table *, int, int));
-#else
-#if defined(OpenBSD)
-int if_ipl __P((struct lkm_table *, int, int));
-#else
-int xxxinit __P((struct lkm_table *, int, int));
-#endif
-#endif
-static int ipl_unload __P((void));
-static int ipl_load __P((void));
-static int ipl_remove __P((void));
-static int iplaction __P((struct lkm_table *, int));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, 
IPL_AUTH,
- NULL };
-
-
-#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
- (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-extern const struct cdevsw ipl_cdevsw;
-# else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- 0, /* write */
- iplioctl, /* ioctl */
- 0, /* stop */
- 0, /* tty */
- 0, /* select */
- 0, /* mmap */
- NULL /* strategy */
-};
-# endif
-#else
-struct cdevsw ipldevsw =
-{
- iplopen, /* open */
- iplclose, /* close */
- iplread, /* read */
- (void *)nullop, /* write */
- iplioctl, /* ioctl */
- (void *)nullop, /* stop */
-#ifndef OpenBSD
- (void *)nullop, /* reset */
-#endif
- (void *)NULL, /* tty */
- (void *)nullop, /* select */
- (void *)nullop, /* mmap */
- NULL /* strategy */
-};
-#endif
-int ipl_major = 0;
-
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
-MOD_DEV(IPL_VERSION, "ipl", NULL, -1, &ipl_cdevsw, -1);
-#else
-MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
-#endif
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-
-#if (NetBSD >= 199706) || (defined(OpenBSD) && (OpenBSD >= 200211))
-int if_ipl_lkmentry(lkmtp, cmd, ver)
-#else
-#if defined(OpenBSD)
-int if_ipl(lkmtp, cmd, ver)
-#else
-int xxxinit(lkmtp, cmd, ver)
-#endif
-#endif
-struct lkm_table *lkmtp;
-int cmd, ver;
-{
- DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
-}
-
-#ifdef OpenBSD
-int lkmexists __P((struct lkm_table *)); /* defined in /sys/kern/kern_lkm.c */
-#endif
-
-static int iplaction(lkmtp, cmd)
-struct lkm_table *lkmtp;
-int cmd;
-{
- struct lkm_dev *args = lkmtp->private.lkm_dev;
- int err = 0;
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- int i;
-#endif
-
- switch (cmd)
- {
- case LKM_E_LOAD :
- if (lkmexists(lkmtp))
- return EEXIST;
-
-#if !defined(__NetBSD__) || (__NetBSD_Version__ < 106080000)
- for (i = 0; i < nchrdev; i++)
- if 
(cdevsw[i].d_open == (dev_type_open((*)))lkmenodev ||
- cdevsw[i].d_open == iplopen)
- break;
- if (i == nchrdev) {
- printf("IP Filter: No free cdevsw slots\n");
- return ENODEV;
- }
-
- ipl_major = i;
- args->lkm_offset = i; /* slot in cdevsw[] */
-#else
- err = devsw_attach(args->lkm_devname,
- args->lkm_bdev, &args->lkm_bdevmaj,
- args->lkm_cdev, &args->lkm_cdevmaj);
- if (err != 0)
- return (err);
- ipl_major = args->lkm_cdevmaj;
-#endif
- printf("IP Filter: loaded into slot %d\n", ipl_major);
- return ipl_load();
- case LKM_E_UNLOAD :
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000)
- devsw_detach(args->lkm_bdev, args->lkm_cdev);
- args->lkm_bdevmaj = -1;
- args->lkm_cdevmaj = -1;
-#endif
- err = ipl_unload();
- if (!err)
- printf("IP Filter: unloaded from slot %d\n",
- ipl_major);
- break;
- case LKM_E_STAT :
- break;
- default:
- err = EIO;
- break;
- }
- return err;
-}
-
-
-static int ipl_remove()
-{
- char *name;
- struct nameidata nd;
- int error, i;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return (error);
- VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
-#ifdef OpenBSD
- VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc);
-#else
-# if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)
- vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY);
-# endif
-#endif
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
- }
- return 0;
-}
-
-
-static int ipl_unload()
-{
- int error = 0;
-
- /*
- * Unloading - remove the filter rule check from the IP
- * input/output stream. 
- */
-#if defined(__NetBSD__)
- error = ipl_disable();
-#else
- error = ipldetach();
-#endif
-
- if (!error)
- error = ipl_remove();
- return error;
-}
-
-
-static int ipl_load()
-{
- struct nameidata nd;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- /*
- * XXX Remove existing device nodes prior to creating new ones
- * XXX using the assigned LKM device slot's major number. In a
- * XXX perfect world we could use the ones specified by cdevsw[].
- */
- (void)ipl_remove();
-
- error = ipl_enable();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, name, curproc);
- if ((error = namei(&nd)))
- return error;
- if (nd.ni_vp != NULL) {
- VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- vrele(nd.ni_vp);
- return (EEXIST);
- }
- VATTR_NULL(&vattr);
- vattr.va_type = VCHR;
- vattr.va_mode = (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
- VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
- error = VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
- if (error)
- return error;
- }
- return error;
-}
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
deleted file mode 100644
index 5a70ab9d35a1..000000000000
--- a/contrib/ipfilter/mls_ipl.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-/*
- * 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
- * its own major char number! Way cool patch!
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/conf.h>
-#include <sys/syslog.h>
-#include <sys/buf.h>
-#include <sys/mbuf.h>
-#include <sys/param.h>
-#include <sys/errno.h>
-#include <sys/uio.h>
-#include <sys/vnode.h>
-#include <sundev/mbvar.h>
-#include <sun/autoconf.h>
-#include <sun/vddrv.h>
-#if defined(sun4c) || defined(sun4m)
-# include <sun/openprom.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/tcpip.h>
-#include <net/if.h>
-#include "ipl.h"
-#include "ip_compat.h"
-#include "ip_fil.h"
-
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $";
-#endif
-
-extern int ipldetach __P((void));
-#ifndef IPFILTER_LOG
-#define iplread nulldev
-#endif
-extern int nulldev __P((void));
-extern int errno;
-extern int iplidentify __P((char *));
-
-extern int nodev __P((void));
-
-static int unload __P((void));
-static int ipl_attach __P((void));
-int xxxinit __P((u_int, struct vddrv *, caddr_t, struct vdstat *));
-static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH,
- NULL };
-
-
-struct cdevsw ipldevsw =
-{
- iplopen, iplclose, iplread, nulldev,
- iplioctl, nulldev, nulldev, nulldev,
- 0, nulldev,
-};
-
-
-struct dev_ops ipl_ops =
-{
- 1,
- iplidentify,
- iplattach,
- iplopen,
- iplclose,
- iplread,
- NULL, /* write */
- NULL, /* strategy */
- NULL, /* dump */
- 0, /* psize */
- iplioctl,
- NULL, /* reset */
- NULL /* mmap */
-};
-
-int 
ipl_major = 0;
-
-#ifdef sun4m
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO,
- IPL_VERSION,
- &ipl_ops,
- NULL,
- &ipldevsw,
- 0,
- 0,
- NULL,
- NULL,
- NULL,
- 0,
- 1,
-};
-#else /* sun4m */
-struct vdldrv vd =
-{
- VDMAGIC_PSEUDO, /* magic */
- IPL_VERSION,
-#ifdef sun4c
- &ipl_ops, /* dev_ops */
-#else
- NULL, /* struct mb_ctlr *mb_ctlr */
- NULL, /* struct mb_driver *mb_driver */
- NULL, /* struct mb_device *mb_device */
- 0, /* num ctlrs */
- 1, /* numdevs */
-#endif /* sun4c */
- NULL, /* bdevsw */
- &ipldevsw, /* cdevsw */
- 0, /* block major */
- 0, /* char major */
-};
-#endif /* sun4m */
-
-extern int vd_unuseddev __P((void));
-extern struct cdevsw cdevsw[];
-extern int nchrdev;
-
-xxxinit(fc, vdp, data, vds)
-u_int fc;
-struct vddrv *vdp;
-caddr_t data;
-struct vdstat *vds;
-{
- struct vdioctl_load *vdi = (struct vdioctl_load *)data;
-
- switch (fc)
- {
- case VDLOAD:
- {
- struct vdconf *vdc;
- if (vdi && vdi->vdi_userconf)
- for (vdc = vdi->vdi_userconf; vdc->vdc_type; vdc++)
- if (vdc->vdc_type == VDCCHARMAJOR) {
- ipl_major = vdc->vdc_data;
- break;
- }
-
- if (!ipl_major) {
- while (ipl_major < nchrdev &&
- cdevsw[ipl_major].d_open != vd_unuseddev)
- ipl_major++;
- if (ipl_major == nchrdev)
- return ENODEV;
- }
- vdp->vdd_vdtab = (struct vdlinkage *)&vd;
- vd.Drv_charmajor = ipl_major;
- return ipl_attach();
- }
- case VDUNLOAD:
- return unload();
- case VDSTAT:
- return 0;
- default:
- return EIO;
- }
-}
-
-
-static int unload()
-{
- char *name;
- int err, i;
-
- err = ipldetach();
- if (err)
- return err;
- for (i = 0; (name = ipf_devfiles[i]); i++)
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- return 0;
-}
-
-
-static int ipl_attach()
-{
- struct vnode *vp;
- struct vattr vattr;
- int error = 0, fmode = S_IFCHR|0600, i;
- char *name;
-
- error = iplattach();
- if (error)
- return error;
-
- for (i = 0; (name = ipf_devfiles[i]); i++) {
- (void) vn_remove(name, UIO_SYSSPACE, FILE);
- vattr_null(&vattr);
- vattr.va_type = MFTOVT(fmode);
- vattr.va_mode 
= (fmode & 07777);
- vattr.va_rdev = (ipl_major << 8) | i;
-
- error = vn_create(name, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
- if (error) {
- printf("IP Filter: vn_create(%s) = %d\n", name, error);
- break;
- } else {
- VN_RELE(vp);
- }
- }
- return error;
-}
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
deleted file mode 100644
index 72462340b1a5..000000000000
--- a/contrib/ipfilter/natparse.c
+++ /dev/null
@@ -1,902 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -# include <strings.h> -#else -# include <sys/byteorder.h> -#endif -#include <sys/time.h> -#include <sys/param.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#if defined(sun) && (defined(__svr4__) || defined(__SVR4)) -# include <sys/ioccom.h> -# include <sys/sysmacros.h> -#endif -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netdb.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <resolv.h> -#include <ctype.h> -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" -#include "netinet/ip_proxy.h" -#include "ipf.h" - -#if defined(sun) && !SOLARIS2 -# define STRERROR(x) sys_errlist[x] -extern char *sys_errlist[]; -#else -# define STRERROR(x) strerror(x) -#endif - -#if !defined(lint) -static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.29 2003/05/15 17:45:34 darrenr Exp $"; -#endif - - -#if SOLARIS -#define bzero(a,b) memset(a,0,b) -#endif - -extern void printnat __P((ipnat_t *, int)); -extern int countbits __P((u_32_t)); -extern char *proto; - -ipnat_t *natparse __P((char *, int, int *)); -void natparsefile __P((int, char *, int)); -void nat_setgroupmap __P((struct ipnat *)); - - -void nat_setgroupmap(n) -ipnat_t *n; -{ - if (n->in_outmsk == n->in_inmsk) - n->in_ippip = 1; - else if (n->in_flags & IPN_AUTOPORTMAP) { - n->in_ippip = 
~ntohl(n->in_inmsk); - if (n->in_outmsk != 0xffffffff) - n->in_ippip /= (~ntohl(n->in_outmsk) + 1); - n->in_ippip++; - if (n->in_ippip == 0) - n->in_ippip = 1; - n->in_ppip = USABLE_PORTS / n->in_ippip; - } else { - n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk); - n->in_nip = 0; - if (!(n->in_ppip = n->in_pmin)) - n->in_ppip = 1; - n->in_ippip = USABLE_PORTS / n->in_ppip; - } -} - - -/* - * Parse a line of input from the ipnat configuration file - * - * status: - * < 0 error - * = 0 OK - * > 0 programmer error - */ -ipnat_t *natparse(line, linenum, status) -char *line; -int linenum; -int *status; -{ - static ipnat_t ipn; - struct protoent *pr; - char *dnetm = NULL, *dport = NULL; - char *s, *t, *cps[31], **cpp; - int i, cnt; - char *port1a = NULL, *port1b = NULL, *port2a = NULL; - - *status = 100; /* default to error */ - proto = NULL; - - /* - * Search for end of line and comment marker, advance of leading spaces - */ - if ((s = strchr(line, '\n'))) - *s = '\0'; - if ((s = strchr(line, '#'))) - *s = '\0'; - while (*line && isspace(*line)) - line++; - if (!*line) { - *status = 0; - return NULL; - } - - bzero((char *)&ipn, sizeof(ipn)); - cnt = 0; - - /* - * split line upto into segments. 
- */ - for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++) - cps[++i] = strtok(NULL, " \b\t\r\n"); - - cps[i] = NULL; - - if (cnt < 3) { - fprintf(stderr, "%d: not enough segments in line\n", linenum); - *status = -1; - return NULL; - } - - cpp = cps; - - /* - * Check first word is a recognised keyword and then is the interface - */ - if (!strcasecmp(*cpp, "map")) - ipn.in_redir = NAT_MAP; - else if (!strcasecmp(*cpp, "map-block")) - ipn.in_redir = NAT_MAPBLK; - else if (!strcasecmp(*cpp, "rdr")) - ipn.in_redir = NAT_REDIRECT; - else if (!strcasecmp(*cpp, "bimap")) - ipn.in_redir = NAT_BIMAP; - else { - fprintf(stderr, "%d: unknown mapping: \"%s\"\n", - linenum, *cpp); - *status = -1; - return NULL; - } - - cpp++; - - strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1); - ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0'; - cpp++; - - /* - * If the first word after the interface is "from" or is a ! then - * the expanded syntax is being used so parse it differently. - */ - if (!strcasecmp(*cpp, "from") || (**cpp == '!')) { - if (!strcmp(*cpp, "!")) { - cpp++; - if (strcasecmp(*cpp, "from")) { - fprintf(stderr, "Missing from after !\n"); - *status = -1; - return NULL; - } - ipn.in_flags |= IPN_NOTSRC; - } else if (**cpp == '!') { - if (strcasecmp(*cpp + 1, "from")) { - fprintf(stderr, "Missing from after !\n"); - *status = -1; - return NULL; - } - ipn.in_flags |= IPN_NOTSRC; - } - if ((ipn.in_flags & IPN_NOTSRC) && - (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) { - fprintf(stderr, "Cannot use '! 
from' with map\n"); - *status = -1; - return NULL; - } - - ipn.in_flags |= IPN_FILTER; - cpp++; - if (ipn.in_redir == NAT_REDIRECT) { - if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, - (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport, - &ipn.in_scmp, &ipn.in_stop, linenum)) { - *status = -1; - return NULL; - } - } else { - if (hostmask(&cpp, (u_32_t *)&ipn.in_inip, - (u_32_t *)&ipn.in_inmsk, &ipn.in_sport, - &ipn.in_scmp, &ipn.in_stop, linenum)) { - *status = -1; - return NULL; - } - } - - if (!strcmp(*cpp, "!")) { - cpp++; - ipn.in_flags |= IPN_NOTDST; - } else if (**cpp == '!') { - (*cpp)++; - ipn.in_flags |= IPN_NOTDST; - } - - if (strcasecmp(*cpp, "to")) { - fprintf(stderr, "%d: unexpected keyword (%s) - to\n", - linenum, *cpp); - *status = -1; - return NULL; - } - if ((ipn.in_flags & IPN_NOTDST) && - (ipn.in_redir & (NAT_REDIRECT))) { - fprintf(stderr, "Cannot use '! to' with rdr\n"); - *status = -1; - return NULL; - } - - if (!*++cpp) { - fprintf(stderr, "%d: missing host after to\n", linenum); - *status = -1; - return NULL; - } - if (ipn.in_redir == NAT_REDIRECT) { - if (hostmask(&cpp, (u_32_t *)&ipn.in_outip, - (u_32_t *)&ipn.in_outmsk, &ipn.in_dport, - &ipn.in_dcmp, &ipn.in_dtop, linenum)) { - *status = -1; - return NULL; - } - ipn.in_pmin = htons(ipn.in_dport); - } else { - if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, - (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport, - &ipn.in_dcmp, &ipn.in_dtop, linenum)) { - *status = -1; - return NULL; - } - } - } else { - s = *cpp; - if (!s) { - fprintf(stderr, "%d: short line\n", linenum); - *status = -1; - return NULL; - } - t = strchr(s, '/'); - if (!t) { - fprintf(stderr, "%d: no netmask on LHS\n", linenum); - *status = -1; - return NULL; - } - *t++ = '\0'; - if (ipn.in_redir == NAT_REDIRECT) { - if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1){ - *status = -1; - return NULL; - } - if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) { - *status = -1; - return NULL; - } - } else { - if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) 
== -1) { - *status = -1; - return NULL; - } - if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) { - *status = -1; - return NULL; - } - } - cpp++; - if (!*cpp) { - fprintf(stderr, "%d: short line\n", linenum); - *status = -1; - return NULL; - } - } - - /* - * If it is a standard redirect then we expect it to have a port - * match after the hostmask. - */ - if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { - if (strcasecmp(*cpp, "port")) { - fprintf(stderr, "%d: missing fields - 1st port\n", - linenum); - *status = -1; - return NULL; - } - - cpp++; - - if (!*cpp) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); - *status = -1; - return NULL; - } - - if (isdigit(**cpp) && (s = strchr(*cpp, '-'))) - *s++ = '\0'; - else - s = NULL; - - port1a = *cpp++; - - if (!strcmp(*cpp, "-")) { - cpp++; - s = *cpp++; - } - - if (s) - port1b = s; - else - ipn.in_pmax = ipn.in_pmin; - } - - /* - * In the middle of the NAT rule syntax is -> to indicate the - * direction of translation. - */ - if (!*cpp) { - fprintf(stderr, "%d: missing fields (->)\n", linenum); - *status = -1; - return NULL; - } - if (strcmp(*cpp, "->")) { - fprintf(stderr, "%d: missing ->\n", linenum); - *status = -1; - return NULL; - } - cpp++; - - if (!*cpp) { - fprintf(stderr, "%d: missing fields (%s)\n", - linenum, ipn.in_redir ? "destination" : "target"); - *status = -1; - return NULL; - } - - if (ipn.in_redir == NAT_MAP) { - if (!strcasecmp(*cpp, "range")) { - cpp++; - ipn.in_flags |= IPN_IPRANGE; - if (!*cpp) { - fprintf(stderr, "%d: missing fields (%s)\n", - linenum, - ipn.in_redir ? 
"destination":"target"); - *status = -1; - return NULL; - } - } - } - - if (ipn.in_flags & IPN_IPRANGE) { - dnetm = strrchr(*cpp, '-'); - if (dnetm == NULL) { - cpp++; - if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1)) - dnetm = *(cpp + 1); - } else - *dnetm++ = '\0'; - if (dnetm == NULL || *dnetm == '\0') { - fprintf(stderr, - "%d: desination range not specified\n", - linenum); - *status = -1; - return NULL; - } - } else if (ipn.in_redir != NAT_REDIRECT) { - dnetm = strrchr(*cpp, '/'); - if (dnetm == NULL) { - cpp++; - if (*cpp && !strcasecmp(*cpp, "netmask")) - dnetm = *++cpp; - } - if (dnetm == NULL) { - fprintf(stderr, - "%d: missing fields (dest netmask)\n", - linenum); - *status = -1; - return NULL; - } - if (*dnetm == '/') - *dnetm++ = '\0'; - } - - if (ipn.in_redir == NAT_REDIRECT) { - dnetm = strchr(*cpp, ','); - if (dnetm != NULL) { - ipn.in_flags |= IPN_SPLIT; - *dnetm++ = '\0'; - } - if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) { - *status = -1; - return NULL; - } -#if SOLARIS - if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) { - fprintf(stderr, - "localhost as destination not supported\n"); - *status = -1; - return NULL; - } -#endif - } else { - if (!strcmp(*cpp, ipn.in_ifname)) - *cpp = "0"; - if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) { - *status = -1; - return NULL; - } - } - cpp++; - - if (ipn.in_redir & NAT_MAPBLK) { - if (*cpp) { - if (strcasecmp(*cpp, "ports")) { - fprintf(stderr, - "%d: expected \"ports\" - got \"%s\"\n", - linenum, *cpp); - *status = -1; - return NULL; - } - cpp++; - if (*cpp == NULL) { - fprintf(stderr, - "%d: missing argument to \"ports\"\n", - linenum); - *status = -1; - return NULL; - } - if (!strcasecmp(*cpp, "auto")) - ipn.in_flags |= IPN_AUTOPORTMAP; - else - ipn.in_pmin = atoi(*cpp); - cpp++; - } else - ipn.in_pmin = 0; - } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { - if (*cpp && (strrchr(*cpp, '/') != NULL)) { - fprintf(stderr, "%d: No netmask supported in %s\n", - linenum, 
"destination host for redirect"); - *status = -1; - return NULL; - } - - if (!*cpp) { - fprintf(stderr, "%d: Missing destination port %s\n", - linenum, "in redirect"); - *status = -1; - return NULL; - } - - /* If it's a in_redir, expect target port */ - - if (strcasecmp(*cpp, "port")) { - fprintf(stderr, "%d: missing fields - 2nd port (%s)\n", - linenum, *cpp); - *status = -1; - return NULL; - } - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); - *status = -1; - return NULL; - } - - port2a = *cpp++; - } - if (dnetm && *dnetm == '/') - *dnetm++ = '\0'; - - if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { - if (ipn.in_flags & IPN_IPRANGE) { - if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm, - linenum) == -1) { - *status = -1; - return NULL; - } - } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) { - *status = -1; - return NULL; - } - } else { - if (ipn.in_flags & IPN_SPLIT) { - if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm, - linenum) == -1) { - *status = -1; - return NULL; - } - } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)){ - *status = -1; - return NULL; - } - if (!*cpp) { - ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */ - proto = "tcp"; - } else { - proto = *cpp++; - if (!strcasecmp(proto, "tcp")) - ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(proto, "udp")) - ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(proto, "tcp/udp")) - ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(proto, "tcpudp")) { - ipn.in_flags |= IPN_TCPUDP; - proto = "tcp/udp"; - } else if (!strcasecmp(proto, "ip")) - ipn.in_flags |= IPN_ANY; - else { - ipn.in_flags |= IPN_ANY; - if ((pr = getprotobyname(proto))) - ipn.in_p = pr->p_proto; - else { - if (!isdigit(*proto)) { - fprintf(stderr, - "%d: Unknown protocol %s\n", - linenum, proto); - *status = -1; - return NULL; - } else - ipn.in_p = atoi(proto); - } - } - if ((ipn.in_flags & IPN_TCPUDP) == 0) { - port1a = "0"; - port2a = "0"; - } - - if (*cpp && !strcasecmp(*cpp, 
"round-robin")) { - cpp++; - ipn.in_flags |= IPN_ROUNDR; - } - - if (*cpp && !strcasecmp(*cpp, "frag")) { - cpp++; - ipn.in_flags |= IPN_FRAG; - } - - if (*cpp && !strcasecmp(*cpp, "age")) { - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: age with no parameters\n", - linenum); - *status = -1; - return NULL; - } - - ipn.in_age[0] = atoi(*cpp); - s = index(*cpp, '/'); - if (s != NULL) - ipn.in_age[1] = atoi(s + 1); - else - ipn.in_age[1] = ipn.in_age[0]; - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "mssclamp")) { - cpp++; - if (*cpp) { - ipn.in_mssclamp = atoi(*cpp); - cpp++; - } else { - fprintf(stderr, - "%d: mssclamp with no parameters\n", - linenum); - *status = -1; - return NULL; - } - } - - if (*cpp) { - fprintf(stderr, - "%d: extra junk at the end of the line: %s\n", - linenum, *cpp); - *status = -1; - return NULL; - } - } - } - - if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { - if (!portnum(port1a, &ipn.in_pmin, linenum)) { - *status = -1; - return NULL; - } - ipn.in_pmin = htons(ipn.in_pmin); - if (port1b != NULL) { - if (!portnum(port1b, &ipn.in_pmax, linenum)) { - *status = -1; - return NULL; - } - ipn.in_pmax = htons(ipn.in_pmax); - } else - ipn.in_pmax = ipn.in_pmin; - } - - if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { - if (!portnum(port2a, &ipn.in_pnext, linenum)) { - *status = -1; - return NULL; - } - ipn.in_pnext = htons(ipn.in_pnext); - } - - if (!(ipn.in_flags & IPN_SPLIT)) - ipn.in_inip &= ipn.in_inmsk; - if ((ipn.in_flags & IPN_IPRANGE) == 0) - ipn.in_outip &= ipn.in_outmsk; - ipn.in_srcip &= ipn.in_srcmsk; - - if ((ipn.in_redir & NAT_MAPBLK) != 0) - nat_setgroupmap(&ipn); - - if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) { - cpp++; - ipn.in_flags |= IPN_FRAG; - } - - if (!*cpp) { - *status = 0; - return &ipn; - } - - if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) { - u_short pport; - - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, "%d: cannot use proxy with bimap\n", - linenum); - *status = 
-1; - return NULL; - } - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"proxy\"\n", - linenum); - *status = -1; - return NULL; - } - dport = NULL; - - if (!strcasecmp(*cpp, "port")) { - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"port\"\n", - linenum); - *status = -1; - return NULL; - } - - dport = *cpp; - cpp++; - - if (!*cpp) { - fprintf(stderr, - "%d: missing parameter for \"proxy\"\n", - linenum); - *status = -1; - return NULL; - } - } else { - fprintf(stderr, - "%d: missing keyword \"port\"\n", linenum); - *status = -1; - return NULL; - } - - if ((proto = index(*cpp, '/'))) { - *proto++ = '\0'; - if ((pr = getprotobyname(proto))) - ipn.in_p = pr->p_proto; - else - ipn.in_p = atoi(proto); - } else - ipn.in_p = 0; - - if (dport && !portnum(dport, &pport, linenum)) - return NULL; - if (ipn.in_dcmp != 0) { - if (pport != ipn.in_dport) { - fprintf(stderr, - "%d: mismatch in port numbers\n", - linenum); - return NULL; - } - } else - ipn.in_dport = htons(pport); - - (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); - cpp++; - - } else if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "portmap")) { - if (ipn.in_redir == NAT_BIMAP) { - fprintf(stderr, "%d: cannot use portmap with bimap\n", - linenum); - *status = -1; - return NULL; - } - cpp++; - if (!*cpp) { - fprintf(stderr, - "%d: missing expression following portmap\n", - linenum); - *status = -1; - return NULL; - } - - if (!strcasecmp(*cpp, "tcp")) - ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(*cpp, "udp")) - ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(*cpp, "tcpudp")) - ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(*cpp, "tcp/udp")) - ipn.in_flags |= IPN_TCPUDP; - else { - fprintf(stderr, - "%d: expected protocol name - got \"%s\"\n", - linenum, *cpp); - *status = -1; - return NULL; - } - proto = *cpp; - cpp++; - - if (!*cpp) { - fprintf(stderr, "%d: no port range found\n", linenum); - *status = -1; - return NULL; - } - - if 
(!strcasecmp(*cpp, "auto")) { - ipn.in_flags |= IPN_AUTOPORTMAP; - ipn.in_pmin = htons(1024); - ipn.in_pmax = htons(65535); - nat_setgroupmap(&ipn); - cpp++; - } else { - if (!(t = strchr(*cpp, ':'))) { - fprintf(stderr, - "%d: no port range in \"%s\"\n", - linenum, *cpp); - *status = -1; - return NULL; - } - *t++ = '\0'; - if (!portnum(*cpp, &ipn.in_pmin, linenum) || - !portnum(t, &ipn.in_pmax, linenum)) { - *status = -1; - return NULL; - } - ipn.in_pmin = htons(ipn.in_pmin); - ipn.in_pmax = htons(ipn.in_pmax); - cpp++; - } - } - - if (*cpp && !strcasecmp(*cpp, "frag")) { - cpp++; - ipn.in_flags |= IPN_FRAG; - } - - if (*cpp && !strcasecmp(*cpp, "age")) { - cpp++; - if (!*cpp) { - fprintf(stderr, "%d: age with no parameters\n", - linenum); - *status = -1; - return NULL; - } - ipn.in_age[0] = atoi(*cpp); - s = index(*cpp, '/'); - if (s != NULL) - ipn.in_age[1] = atoi(s + 1); - else - ipn.in_age[1] = ipn.in_age[0]; - cpp++; - } - - if (*cpp && !strcasecmp(*cpp, "mssclamp")) { - cpp++; - if (*cpp) { - ipn.in_mssclamp = atoi(*cpp); - cpp++; - } else { - fprintf(stderr, "%d: mssclamp with no parameters\n", - linenum); - *status = -1; - return NULL; - } - } - - if (*cpp) { - fprintf(stderr, "%d: extra junk at the end of the line: %s\n", - linenum, *cpp); - *status = -1; - return NULL; - } - - *status = 0; - return &ipn; -} - - -void natparsefile(fd, file, opts) -int fd; -char *file; -int opts; -{ - char line[512], *s; - ipnat_t *np; - FILE *fp; - int linenum = 0; - int parsestatus; - - if (strcmp(file, "-")) { - if (!(fp = fopen(file, "r"))) { - fprintf(stderr, "%s: open: %s\n", file, - STRERROR(errno)); - exit(1); - } - } else - fp = stdin; - - while (fgets(line, sizeof(line) - 1, fp)) { - linenum++; - line[sizeof(line) - 1] = '\0'; - if ((s = strchr(line, '\n'))) - *s = '\0'; - - parsestatus = 1; - np = natparse(line, linenum, &parsestatus); - if (parsestatus != 0) { - if (*line) { - fprintf(stderr, "%d: syntax error in \"%s\"\n", - linenum, line); - } - 
fprintf(stderr, "%s: %s error (%d), quitting\n", - file, - ((parsestatus < 0)? "parse": "internal"), - parsestatus); - exit(1); - } - if (np) { - if ((opts & OPT_VERBOSE) && np) - printnat(np, opts); - if (!(opts & OPT_NODO)) { - if (!(opts & OPT_REMOVE)) { - if (ioctl(fd, SIOCADNAT, &np) == -1) { - fprintf(stderr, "%d:", - linenum); - perror("ioctl(SIOCADNAT)"); - } - } else if (ioctl(fd, SIOCRMNAT, &np) == -1) { - fprintf(stderr, "%d:", linenum); - perror("ioctl(SIOCRMNAT)"); - } - } - } - } - if (fp != stdin) - fclose(fp); -} diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c deleted file mode 100644 index 825a5e346dd0..000000000000 --- a/contrib/ipfilter/opt.c +++ /dev/null 
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include "ip_compat.h"
-#include <netinet/tcpip.h>
-#include "ip_fil.h"
-#include "ipf.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.3 2002/12/06 11:40:27 darrenr Exp $";
-#endif
-
-extern int opts;
-
-struct ipopt_names ionames[] ={
- { IPOPT_NOP, 0x000001, 1, "nop" },
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" },
- { IPOPT_MTUP, 0x000008, 3, "mtup" },
- { IPOPT_MTUR, 0x000010, 3, "mtur" },
- { IPOPT_ENCODE, 0x000020, 3, "encode" },
- { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" },
- { IPOPT_SECURITY,0x000100, 11, "sec" },
- { IPOPT_SECURITY,0x000100, 11, "sec-class" },
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" },
- { IPOPT_CIPSO, 0x000800, 3, "cipso" },
- { IPOPT_SATID, 0x001000, 4, "satid" },
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" },
- { IPOPT_VISA, 0x008000, 3, "visa" },
- { IPOPT_IMITD, 0x010000, 3, "imitd" },
- { IPOPT_EIP, 0x020000, 3, "eip" },
- { IPOPT_FINN, 0x040000, 3, "finn" },
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
-
-struct ipopt_names secclass[] = {
- { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
- { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
- { IPSO_CLASS_SECR, 0x04, 0, "secret" },
- { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
-
{ IPSO_CLASS_CONF, 0x10, 0, "confid" },
- { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
- { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-static u_char seclevel __P((char *));
-int addipopt __P((char *, struct ipopt_names *, int, char *));
-
-static u_char seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return (u_char)so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- int olen = len;
- struct in_addr ipadr;
- u_short val;
- u_char lvl;
- char *s;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- s = op;
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- if (class) {
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- ipadr.s_addr = inet_addr(class);
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
- }
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
- }
- if (opts & OPT_DEBUG)
- fprintf(stderr, "bo: %s %d %#x: %d\n",
- io->on_name, io->on_value, io->on_bit, len);
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- if ((inc = addipopt(op, io, len,
t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
- *op++ = IPOPT_EOL;
- len++;
- return len;
-}
diff --git a/contrib/ipfilter/opt_inet6.h b/contrib/ipfilter/opt_inet6.h
deleted file mode 100644
index 43e7657e1ae3..000000000000
--- a/contrib/ipfilter/opt_inet6.h
+++ /dev/null
@@ -1 +0,0 @@
-#define INET6
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
deleted file mode 100644
index 0d8a617d4aa3..000000000000
--- a/contrib/ipfilter/parse.c
+++ /dev/null
@@ -1,1510 +0,0 @@
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if defined(__sgi) && (IRIX > 602)
-# include <sys/ptimers.h>
-#endif
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include "ip_compat.h"
-#include "ip_fil.h"
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-extern int use_inet6;
-
-int addicmp __P((char ***, struct frentry *, int));
-int extras __P((char ***, struct frentry *, int));
-
-int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
-int to_interface __P((frdest_t *, char *, int));
-void print_toif __P((char *, frdest_t *));
-void optprint __P((u_short *, u_long, u_long));
-int loglevel __P((char **, u_int *, int));
-void printlog __P((frentry_t *));
-void printifname __P((char *, char *, void *));
-
-extern char *proto;
-extern char flagset[];
-extern u_char flags[];
-
-
-/* parse()
- *
- * parse a line read from the input filter rule file
- *
- * status:
- * < 0 error
- * = 0 OK
- * > 0 programmer error
- */
-struct frentry *parse(line, linenum, status)
-char *line;
-int linenum;
-int *status; /* good, bad, or indifferent */
-{
- static struct frentry fil;
- char *cps[31], **cpp, *endptr, *s;
- struct protoent *p = NULL;
- int i, cnt = 1, j, ch;
- u_int k;
-
- *status = 100; /* default to error */
-
- while (*line && isspace(*line))
- line++;
- if (!*line) {
- *status = 0;
- return NULL;
- }
-
- bzero((char *)&fil, sizeof(fil));
- fil.fr_mip.fi_v = 0xf;
- fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
- fil.fr_loglevel = 0xffff;
-
- /*
- * break line up into max of 20 segments
- */
- if (opts & OPT_DEBUG)
- fprintf(stderr, "parse [%s]\n", line);
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- *status = -1;
- return NULL;
- }
-
- cpp = cps;
- /*
- * The presence of an '@' followed by a number gives the position in
- * the current rule list to insert this one.
- */
- if (**cpp == '@')
- fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
-
-
- /*
- * Check the first keyword in the rule and any options that are
- * expected to follow it.
- */
- if (!strcasecmp("block", *cpp)) {
- fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
- (i = 19))
- fil.fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
- fil.fr_flags |= FR_RETICMP;
- if (fil.fr_flags & FR_RETICMP) {
- cpp++;
- if (strlen(*cpp) == i) {
- if (*(cpp + 1) && **(cpp +1) == '(') {
- cpp++;
- i = 0;
- } else
- i = -1;
- }
-
- /*
- * The ICMP code is not required to follow in ()'s
- */
- if ((i >= 0) && (*(*cpp + i) == '(')) {
- i++;
- j = icmpcode(*cpp + i);
- if (j == -1) {
- fprintf(stderr,
- "%d: unrecognised icmp code %s\n",
- linenum, *cpp + 20);
- *status = -1;
- return NULL;
- }
- fil.fr_icode = j;
- }
- } else if (!strcasecmp(*(cpp+1), "return-rst")) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("count", *cpp)) {
- fil.fr_flags |= FR_ACCOUNT;
- } else if (!strcasecmp("pass", *cpp)) {
- fil.fr_flags |= FR_PASS;
- } else if (!strcasecmp("nomatch", *cpp)) {
- fil.fr_flags |= FR_NOMATCH;
- } else if (!strcasecmp("auth", *cpp)) {
- fil.fr_flags |= FR_AUTH;
- if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("preauth", *cpp)) {
- fil.fr_flags |= FR_PREAUTH;
- } else if (!strcasecmp("skip", *cpp)) {
- cpp++;
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_skip = k;
- else {
- fprintf(stderr, "%d: integer must follow skip\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (!strcasecmp("log", *cpp)) {
- fil.fr_flags |= FR_LOG;
- if (!strcasecmp(*(cpp+1), "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "level")) {
- cpp++;
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- /* NB loglevel prints its own error message */
- *status = -1;
- return NULL;
- }
-
cpp++;
- }
- } else {
- /*
- * Doesn't start with one of the action words
- */
- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * Get the direction for filtering. Impose restrictions on direction
- * if blocking with returning ICMP or an RST has been requested.
- */
- if (!strcasecmp("in", *cpp))
- fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp)) {
- fil.fr_flags |= FR_OUTQUE;
- if (fil.fr_flags & FR_RETICMP) {
- fprintf(stderr,
- "%d: Can only use return-icmp with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- } else if (fil.fr_flags & FR_RETRST) {
- fprintf(stderr,
- "%d: Can only use return-rst with 'in'\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
-
- if (!strcasecmp("log", *cpp)) {
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_flags & FR_PASS)
- fil.fr_flags |= FR_LOGP;
- else if (fil.fr_flags & FR_BLOCK)
- fil.fr_flags |= FR_LOGB;
- if (*cpp && !strcasecmp(*cpp, "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "or-block")) {
- if (!(fil.fr_flags & FR_PASS)) {
- fprintf(stderr,
- "%d: or-block must be used with pass\n",
- linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "level")) {
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) {
- *status = -1;
- return NULL;
- }
- cpp++;
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp("quick", *cpp)) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with quick\n",
- linenum);
- *status = -1;
- return NULL;
- }
- cpp++;
- fil.fr_flags |= FR_QUICK;
- }
-
- /*
- * Parse rule options that are available if a rule is tied to an
- * interface.
- */
- *fil.fr_ifname = '\0';
- *fil.fr_oifname = '\0';
- if (*cpp && !strcasecmp(*cpp, "on")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: interface name missing\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
- fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
- } else
- strcpy(fil.fr_ifnames[1], "*");
-
- (void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
-
- cpp++;
- if (!*cpp) {
- if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
- fprintf(stderr,
- "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
- *status = 0;
- return &fil;
- }
-
- if (*cpp) {
- if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_dif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_tif, *cpp, linenum)) {
- *status = -1;
- return NULL;
- }
- cpp++;
- } else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
- if (!(fil.fr_flags & FR_INQUE)) {
- fprintf(stderr,
- "can only use %s with 'in'\n",
- "fastroute");
- *status = -1;
- return NULL;
- }
- fil.fr_flags |= FR_FASTROUTE;
- cpp++;
- }
- }
-
- /*
- * Set the "other" interface name. Lets you specify both
- * inbound and outbound interfaces for state rules. Do not
- * prevent both interfaces from being the same.
- */
- strcpy(fil.fr_ifnames[3], "*");
- if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
- ((((fil.fr_flags & FR_INQUE) != 0) &&
- (strcasecmp(*cpp, "out-via") == 0)) ||
- (((fil.fr_flags & FR_OUTQUE) != 0) &&
- (strcasecmp(*cpp, "in-via") == 0)))) {
- cpp++;
-
- s = index(*cpp, ',');
- if (s != NULL) {
- *s++ = '\0';
- (void)strncpy(fil.fr_ifnames[3], s,
- IFNAMSIZ - 1);
- fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
- }
-
- (void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
- fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
- cpp++;
- } else
- strcpy(fil.fr_ifnames[2], "*");
- }
- if (*cpp && !strcasecmp(*cpp, "tos")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tos missing value\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tos = strtol(*cpp, NULL, 0);
- fil.fr_mip.fi_tos = 0xff;
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "ttl")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: ttl missing hopcount value\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoi(*cpp, &i, 0, 255))
- fil.fr_ttl = i;
- else {
- fprintf(stderr, "%d: invalid ttl (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- fil.fr_mip.fi_ttl = 0xff;
- cpp++;
- }
-
- /*
- * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
- */
- proto = NULL;
- if (*cpp && !strcasecmp(*cpp, "proto")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: protocol name missing\n", linenum);
- *status = -1;
- return NULL;
- }
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp/udp")) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
- fprintf(stderr,
-"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
- linenum);
- } else {
- if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- if (p)
- fil.fr_proto = p->p_proto;
- else if (isdigit(*proto)) {
- i = (int)strtol(proto, &endptr, 0);
- if (*endptr
!= '\0' || i < 0 || i > 255) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- *status = -1;
- return NULL;
- }
- fil.fr_proto = i;
- }
- fil.fr_mip.fi_p = 0xff;
- }
- }
- if ((fil.fr_proto != IPPROTO_TCP) &&
- ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
- fprintf(stderr, "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- *status = -1;
- return NULL;
- }
-
- /*
- * get the from host and bit mask to use against packets
- */
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!strcasecmp(*cpp, "all")) {
- cpp++;
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
- } else {
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTSRCIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTSRCIP;
- (*cpp)++;
- }
- ch = 0;
- if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
- (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
- &fil.fr_stop, linenum)) {
- *status = -1;
- return NULL;
- }
-
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_scmp = ch;
- if (!*cpp) {
- fprintf(stderr, "%d: missing to fields\n", linenum);
- *status = -1;
- return NULL;
- }
-
- /*
- * do the same for the to field (destination host)
- */
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after
to\n", linenum);
- *status = -1;
- return NULL;
- }
- ch = 0;
- if (!strcmp(*cpp, "!")) {
- fil.fr_flags |= FR_NOTDSTIP;
- if (!*++cpp) {
- fprintf(stderr,
- "%d: missing host after from\n",
- linenum);
- *status = -1;
- return NULL;
- }
- } else if (**cpp == '!') {
- fil.fr_flags |= FR_NOTDSTIP;
- (*cpp)++;
- }
- if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
- (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
- &fil.fr_dtop, linenum)) {
- *status = -1;
- return NULL;
- }
- if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) &&
- !(fil.fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr,
- "%d: cannot use port and neither tcp or udp\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- fil.fr_dcmp = ch;
- }
-
- /*
- * check some sanity, make sure we don't have icmp checks with tcp
- * or udp or visa versa.
- */
- if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
- fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
- fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
- *status = -1;
- return NULL;
- }
- if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
- fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
- linenum);
- *status = -1;
- return NULL;
- }
-
- if (!*cpp) {
- *status = 0;
- return &fil;
- }
-
- if (*cpp && !strcasecmp(*cpp, "flags")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: no flags present\n", linenum);
- *status = -1;
- return NULL;
- }
- fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
- cpp++;
- }
-
- /*
- * extras...
- */
- if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
- !strcasecmp(*cpp, "and")))
- if (extras(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * icmp types for use with the icmp protocol
- */
- if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP &&
- fil.fr_proto != IPPROTO_ICMPV6) {
- fprintf(stderr,
- "%d: icmp with wrong protocol (%d)\n",
- linenum, fil.fr_proto);
- *status = -1;
- return NULL;
- }
- if (addicmp(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
- fil.fr_icmp = htons(fil.fr_icmp);
- fil.fr_icmpm = htons(fil.fr_icmpm);
- }
-
- /*
- * Keep something...
- */
- while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, &fil, linenum)) {
- *status = -1;
- return NULL;
- }
-
- /*
- * This is here to enforce the old interface binding behaviour.
- * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
- */
- if (fil.fr_flags & FR_KEEPSTATE) {
- if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
- bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
- sizeof(fil.fr_ifnames[3]));
- strncpy(fil.fr_ifnames[2], "*",
- sizeof(fil.fr_ifnames[3]));
- }
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "head")) {
- if (fil.fr_skip != 0) {
- fprintf(stderr, "%d: cannot use skip with head\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: head without group #\n", linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_grhead = (u_32_t)k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "group")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: group without group #\n",
- linenum);
- *status = -1;
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_group = k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- *status = -1;
- return NULL;
- }
- cpp++;
- }
-
- /*
- * leftovers...yuck
- */
- if (*cpp && **cpp) {
- fprintf(stderr, "%d: unknown words at end: [", linenum);
- for (; *cpp; cpp++)
- fprintf(stderr, "%s ", *cpp);
- fprintf(stderr, "]\n");
- *status = -1;
- return NULL;
- }
-
- /*
- * lazy users...
- */
- if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
- fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
- *status = -1;
- return NULL;
- }
- if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
- if (!fil.fr_proto) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else {
- fprintf(stderr,
- "%d: port comparisons for non-TCP/UDP\n",
- linenum);
- *status = -1;
- return NULL;
- }
- }
-/*
- if ((fil.fr_flags & FR_KEEPFRAG) &&
- (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
- fprintf(stderr,
- "%d: must use 'with frags' with 'keep frags'\n",
- linenum);
- *status = -1;
- return NULL;
- }
-*/
- *status = 0;
- return &fil;
-}
-
-
-int loglevel(cpp, facpri, linenum)
-char **cpp;
-u_int *facpri;
-int linenum;
-{
- int fac, pri;
- char *s;
-
- fac = 0;
- pri = 0;
- if (!*++cpp) {
- fprintf(stderr, "%d: %s\n", linenum,
- "missing identifier after level");
- return -1;
- }
-
- s = index(*cpp, '.');
- if (s) {
- *s++ = '\0';
- fac = fac_findname(*cpp);
- if (fac == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown facility", *cpp);
- return -1;
- }
- pri = pri_findname(s);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", s);
- return -1;
- }
- } else {
- pri = pri_findname(*cpp);
- if (pri ==
-1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", *cpp);
- return -1;
- }
- }
- *facpri = fac|pri;
- return 0;
-}
-
-
-int to_interface(fdp, to, linenum)
-frdest_t *fdp;
-char *to;
-int linenum;
-{
- char *s;
-
- s = index(to, ':');
- fdp->fd_ifp = NULL;
- if (s) {
- *s++ = '\0';
- if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum) == -1)
- return -1;
- }
- (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
- fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
- return 0;
-}
-
-
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
-{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
-#ifdef USE_INET6
- if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
- char ipv6addr[80];
-
- inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
- sizeof(fdp->fd_ip6));
- printf(":%s", ipv6addr);
- } else
-#endif
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
-}
-
-
-/*
- * deal with extra bits on end of the line
- */
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
- u_short secmsk;
- u_long opts;
- int notopt;
- char oflags;
-
- opts = 0;
- secmsk = 0;
- notopt = 0;
- (*cp)++;
- if (!**cp)
- return -1;
-
- while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strcasecmp(**cp, "not") || !strncasecmp(**cp, "opt", 3) ||
- !strncasecmp(**cp, "frag", 4) || !strcasecmp(**cp, "no") ||
- !strcasecmp(**cp, "short"))) {
- if (***cp == 'n' || ***cp == 'N') {
- notopt = 1;
- (*cp)++;
- continue;
- } else if (***cp == 'i' || ***cp == 'I') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_OPTIONS;
- fr->fr_mip.fi_fl |= FI_OPTIONS;
- goto nextopt;
- } else if (***cp == 'f' || ***cp == 'F') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_FRAG;
- fr->fr_mip.fi_fl |= FI_FRAG;
- goto nextopt;
- } else if (***cp == 'o' || ***cp == 'O') {
- if (!*(*cp + 1)) {
- fprintf(stderr,
- "%d: opt missing arguements\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!(opts = optname(cp, &secmsk,
linenum)))
- return -1;
- oflags = FI_OPTIONS;
- } else if (***cp == 's' || ***cp == 'S') {
- if (fr->fr_tcpf) {
- fprintf(stderr,
- "%d: short cannot be used with TCP flags\n",
- linenum);
- return -1;
- }
-
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_SHORT;
- fr->fr_mip.fi_fl |= FI_SHORT;
- goto nextopt;
- } else
- return -1;
-
- if (!notopt || !opts)
- fr->fr_mip.fi_fl |= oflags;
- if (notopt) {
- if (!secmsk) {
- fr->fr_mip.fi_optmsk |= opts;
- } else {
- fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
- }
- } else {
- fr->fr_mip.fi_optmsk |= opts;
- }
- fr->fr_mip.fi_secmsk |= secmsk;
-
- if (notopt) {
- fr->fr_ip.fi_fl &= (~oflags & 0xf);
- fr->fr_ip.fi_optmsk &= ~opts;
- fr->fr_ip.fi_secmsk &= ~secmsk;
- } else {
- fr->fr_ip.fi_fl |= oflags;
- fr->fr_ip.fi_optmsk |= opts;
- fr->fr_ip.fi_secmsk |= secmsk;
- }
-nextopt:
- notopt = 0;
- opts = 0;
- oflags = 0;
- secmsk = 0;
- (*cp)++;
- }
- return 0;
-}
-
-
-u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
-{
- struct ipopt_names *io, *so;
- u_long msk = 0;
- u_short smsk = 0;
- char *s;
- int sec = 0;
-
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(s, io->on_name)) {
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "%d: unknown IP option name %s\n",
- linenum, s);
- return 0;
- }
- if (!strcasecmp(s, "sec-class"))
- sec = 1;
- }
-
- if (sec && !*(*cp + 1)) {
- fprintf(stderr, "%d: missing security level after sec-class\n",
- linenum);
- return 0;
- }
-
- if (sec) {
- (*cp)++;
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(s, so->on_name)) {
- smsk |= so->on_bit;
- break;
- }
- if (!so->on_name) {
- fprintf(stderr,
- "%d: no such security level: %s\n",
- linenum, s);
- return 0;
- }
- }
- if (smsk)
- *sp = smsk;
- }
- return msk;
-}
-
-
-#ifdef __STDC__
-void optprint(u_short *sec, u_long optmsk, u_long optbits)
-#else
-void
optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-#endif
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io, *so;
- char *s;
-
- s = " opt ";
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- if (io->on_value == IPOPT_SECURITY)
- io++;
- s = ",";
- }
- }
-
-
- if (secmsk & secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((secmsk & so->on_bit) &&
- ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not opt");
- if (optmsk != optbits) {
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- s = ",";
- if (io->on_value ==
- IPOPT_SECURITY)
- io++;
- } else
- io++;
- }
- }
-
- if (secmsk != secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((so->on_bit & secmsk) &&
- ((so->on_bit & secmsk) !=
- (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
- }
-}
-
-char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char **t;
- int i;
-
- (*cp)++;
- if (!**cp)
- return -1;
-
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
-
fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else if (fp->fr_proto == IPPROTO_ICMPV6) {
- fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified, %s",
- linenum, **cp, "(use numeric value instead)\n");
- return -1;
- } else {
- for (t = icmptypes, i = 0; ; t++, i++) {
- if (!*t)
- continue;
- if (!strcasecmp("END", *t)) {
- i = -1;
- break;
- }
- if (!strcasecmp(*t, **cp))
- break;
- }
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- fp->fr_icmp = (u_short)(i << 8);
- fp->fr_icmpm = (u_short)0xff00;
- (*cp)++;
- if (!**cp)
- return 0;
-
- if (**cp && strcasecmp("code", **cp))
- return 0;
- (*cp)++;
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else {
- i = icmpcode(**cp);
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- i &= 0xff;
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
-}
-
-
-#define MAX_ICMPCODE 15
-
-char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag",
- "srcfail", "net-unk", "host-unk", "isolate", "net-prohib",
- "host-prohib", "net-tos", "host-tos", "filter-prohib", "host-preced",
- "preced-cutoff", NULL };
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
- char *s;
- int i, len;
-
- if ((s = strrchr(str, ')')))
- *s = '\0';
- if (isdigit(*str)) {
- if (!ratoi(str, &i, 0, 255))
- return -1;
- else
- return i;
- }
- len = strlen(str);
- for (i = 0; icmpcodes[i]; i++)
- if (!strncasecmp(str, icmpcodes[i], MIN(len,
- strlen(icmpcodes[i])) ))
- return i;
- return -1;
-}
-
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char *s;
-
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: Missing keyword after keep\n",
- linenum);
- return -1;
- }
-
- if (strcasecmp(**cp, "state") == 0)
- fp->fr_flags |= FR_KEEPSTATE;
- else if (strncasecmp(**cp, "frag", 4) == 0)
- fp->fr_flags |= FR_KEEPFRAG;
- else if (strcasecmp(**cp, "state-age") == 0) {
- if (fp->fr_ip.fi_p == IPPROTO_TCP) {
- fprintf(stderr, "%d: cannot use state-age with tcp\n",
- linenum);
- return -1;
- }
- if ((fp->fr_flags & FR_KEEPSTATE) == 0) {
- fprintf(stderr, "%d: state-age with no 'keep state'\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: state-age with no arg\n",
- linenum);
- return -1;
- }
- fp->fr_age[0] = atoi(**cp);
- s = index(**cp, '/');
- if (s != NULL) {
- s++;
- fp->fr_age[1] = atoi(s);
- } else
- fp->fr_age[1] = fp->fr_age[0];
- } else {
- fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
- linenum, **cp);
- return -1;
- }
- (*cp)++;
- return 0;
-}
-
-
-void printifname(format, name, ifp)
-char *format, *name;
-void *ifp;
-{
- printf("%s%s", format, name);
- if ((ifp == NULL) && strcmp(name, "-") && strcmp(name, "*"))
- printf("(!)");
-}
-
-
-/*
- * print the filter structure in a useful way
- */
-void printfr(fp)
-struct frentry *fp;
-{
- struct protoent *p;
- u_short sec[2];
- char *s;
- u_char *t;
- int pr;
-
- if (fp->fr_flags & FR_PASS)
- printf("pass");
- if (fp->fr_flags & FR_NOMATCH)
- printf("nomatch");
- else if (fp->fr_flags & FR_BLOCK) {
-
printf("block");
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- printlog(fp);
- } else if (fp->fr_flags & FR_ACCOUNT)
- printf("count");
- else if (fp->fr_flags & FR_AUTH) {
- printf("auth");
- if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if (fp->fr_flags & FR_PREAUTH)
- printf("preauth");
- else if (fp->fr_skip)
- printf("skip %hu", fp->fr_skip);
-
- if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
-
- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
- ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- printlog(fp);
- putchar(' ');
- }
-
- if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printifname("on ", fp->fr_ifname, fp->fr_ifa);
- if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*"))
- printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]);
- putchar(' ');
-
- if (*fp->fr_dif.fd_ifname)
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
-
- if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) ||
- (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) {
- if (fp->fr_flags & FR_OUTQUE)
- printf("in-via ");
- else
- printf("out-via ");
-
- if (*fp->fr_ifnames[2]) {
- printifname("", fp->fr_ifnames[2],
- fp->fr_ifas[2]);
- putchar(',');
- }
-
- if (*fp->fr_ifnames[3])
- printifname("", fp->fr_ifnames[3],
- fp->fr_ifas[3]);
- putchar(' ');
- }
- }
-
- if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
- if (fp->fr_mip.fi_ttl)
- printf("ttl
%d ", fp->fr_ttl); - if (fp->fr_ip.fi_fl & FI_TCPUDP) { - printf("proto tcp/udp "); - pr = -1; - } else if ((pr = fp->fr_mip.fi_p)) { - if ((p = getprotobynumber(fp->fr_proto))) - printf("proto %s ", p->p_name); - else - printf("proto %d ", fp->fr_proto); - } - - printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); - printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr, - (u_32_t *)&fp->fr_smsk.s_addr); - if (fp->fr_scmp) - printportcmp(pr, &fp->fr_tuc.ftu_src); - - printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); - printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr, - (u_32_t *)&fp->fr_dmsk.s_addr); - if (fp->fr_dcmp) - printportcmp(pr, &fp->fr_tuc.ftu_dst); - - if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) || - (fp->fr_mip.fi_fl & ~FI_TCPUDP) || - fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || - fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) { - printf(" with"); - if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || - fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) { - sec[0] = fp->fr_mip.fi_secmsk; - sec[1] = fp->fr_ip.fi_secmsk; - optprint(sec, - fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk); - } else if (fp->fr_mip.fi_fl & FI_OPTIONS) { - if (!(fp->fr_ip.fi_fl & FI_OPTIONS)) - printf(" not"); - printf(" ipopt"); - } - if (fp->fr_mip.fi_fl & FI_SHORT) { - if (!(fp->fr_ip.fi_fl & FI_SHORT)) - printf(" not"); - printf(" short"); - } - if (fp->fr_mip.fi_fl & FI_FRAG) { - if (!(fp->fr_ip.fi_fl & FI_FRAG)) - printf(" not"); - printf(" frag"); - } - } - if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm != 0) { - int type = fp->fr_icmp, code; - - type = ntohs(fp->fr_icmp); - code = type & 0xff; - type /= 256; - if (type < (sizeof(icmptypes) / sizeof(char *) - 1) && - icmptypes[type]) - printf(" icmp-type %s", icmptypes[type]); - else - printf(" icmp-type %d", type); - if (ntohs(fp->fr_icmpm) & 0xff) - printf(" code %d", code); - } - if (fp->fr_proto == IPPROTO_ICMPV6 && fp->fr_icmpm != 0) { - int type = fp->fr_icmp, code; - - type = ntohs(fp->fr_icmp); - code = type & 0xff; 
- type /= 256; - printf(" icmp-type %d", type); - if (ntohs(fp->fr_icmpm) & 0xff) - printf(" code %d", code); - } - if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) { - printf(" flags "); - if (fp->fr_tcpf & ~TCPF_ALL) - printf("0x%x", fp->fr_tcpf); - else - for (s = flagset, t = flags; *s; s++, t++) - if (fp->fr_tcpf & *t) - (void)putchar(*s); - if (fp->fr_tcpfm) { - (void)putchar('/'); - if (fp->fr_tcpfm & ~TCPF_ALL) - printf("0x%x", fp->fr_tcpfm); - else - for (s = flagset, t = flags; *s; s++, t++) - if (fp->fr_tcpfm & *t) - (void)putchar(*s); - } - } - - if (fp->fr_flags & FR_KEEPSTATE) - printf(" keep state"); - if (fp->fr_flags & FR_KEEPFRAG) - printf(" keep frags"); - if (fp->fr_age[0] != 0 || fp->fr_age[1]!= 0) - printf(" state-age %u/%u", fp->fr_age[0], fp->fr_age[1]); - if (fp->fr_grhead) - printf(" head %d", fp->fr_grhead); - if (fp->fr_group) - printf(" group %d", fp->fr_group); - (void)putchar('\n'); -} - -void binprint(fp) -struct frentry *fp; -{ - int i = sizeof(*fp), j = 0; - u_char *s; - - for (s = (u_char *)fp; i; i--, s++) { - j++; - printf("%02x ", *s); - if (j == 16) { - printf("\n"); - j = 0; - } - } - putchar('\n'); - (void)fflush(stdout); -} - - -void printlog(fp) -frentry_t *fp; -{ - char *s, *u; - - printf("log"); - if (fp->fr_flags & FR_LOGBODY) - printf(" body"); - if (fp->fr_flags & FR_LOGFIRST) - printf(" first"); - if (fp->fr_flags & FR_LOGORBLOCK) - printf(" or-block"); - if (fp->fr_loglevel != 0xffff) { - printf(" level "); - if (fp->fr_loglevel & LOG_FACMASK) { - s = fac_toname(fp->fr_loglevel); - if (s == NULL) - s = "!!!"; - } else - s = ""; - u = pri_toname(fp->fr_loglevel); - if (u == NULL) - u = "!!!"; - if (*s) - printf("%s.%s", s, u); - else - printf("%s", u); - } -} diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h deleted file mode 100644 index aa2479811a89..000000000000 --- a/contrib/ipfilter/pcap.h +++ /dev/null 
@@ -1,34 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * $Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $ - */ -/* - * This header file is constructed to match the version described by - * PCAP_VERSION_MAJ. - * - * The structure largely derives from libpcap which wouldn't include - * nicely without bpf. - */ -typedef struct pcap_filehdr { - u_int pc_id; - u_short pc_v_maj; - u_short pc_v_min; - u_int pc_zone; - u_int pc_sigfigs; - u_int pc_slen; - u_int pc_type; -} pcaphdr_t; - -#define TCPDUMP_MAGIC 0xa1b2c3d4 - -#define PCAP_VERSION_MAJ 2 - -typedef struct pcap_pkthdr { - struct timeval ph_ts; - u_int ph_clen; - u_int ph_len; -} pcappkt_t; - diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c deleted file mode 100644 index 5a12b32165bd..000000000000 --- a/contrib/ipfilter/printnat.c +++ /dev/null 
@@ -1,487 +0,0 @@ -/* - * Copyright (C) 1993-2001 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - * - * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <stdio.h> -#include <string.h> -#include <fcntl.h> -#include <errno.h> -#include <sys/types.h> -#if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#else -#include <sys/byteorder.h> -#endif -#include <sys/time.h> -#include <sys/param.h> -#include <stdlib.h> -#include <unistd.h> -#include <stddef.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#if defined(sun) && (defined(__svr4__) || defined(__SVR4)) -# include <sys/ioccom.h> -# include <sys/sysmacros.h> -#endif -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/tcp.h> -#include <net/if.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include <netdb.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <resolv.h> -#include <ctype.h> -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" -#include "netinet/ip_proxy.h" -#include "ipf.h" -#include "kmem.h" - -#if defined(sun) && !SOLARIS2 -# define STRERROR(x) sys_errlist[x] -extern char *sys_errlist[]; -#else -# define STRERROR(x) strerror(x) -#endif - -#if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.15 2003/03/22 15:31:49 darrenr Exp $"; -#endif - - -#if SOLARIS -#define bzero(a,b) memset(a,0,b) -#endif -#ifdef USE_INET6 -extern int use_inet6; -#endif - -extern char thishost[MAXHOSTNAMELEN]; - -extern int countbits __P((u_32_t)); - -void printnat __P((ipnat_t *, int)); -char *getnattype __P((ipnat_t *)); -void printactivenat __P((nat_t *, int)); -void printhostmap __P((hostmap_t *, u_int)); -char *getsumd __P((u_32_t)); - -static void printaps __P((ap_session_t *, int)); - -static void 
printaps(aps, opts) -ap_session_t *aps; -int opts; -{ - ipsec_pxy_t ipsec; - ap_session_t ap; - ftpinfo_t ftp; - aproxy_t apr; - raudio_t ra; - - if (kmemcpy((char *)&ap, (long)aps, sizeof(ap))) - return; - if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr))) - return; - printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label, - apr.apr_p, apr.apr_ref, apr.apr_flags); - printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags); -#ifdef USE_QUAD_T - printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes, - (unsigned long long)ap.aps_pkts); -#else - printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts); -#endif - printf(" data %s size %d\n", ap.aps_data ? "YES" : "NO", ap.aps_psiz); - if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) { - printf("\t\tstate[%u,%u], sel[%d,%d]\n", - ap.aps_state[0], ap.aps_state[1], - ap.aps_sel[0], ap.aps_sel[1]); -#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \ - (__FreeBSD_version >= 300000) || defined(OpenBSD) - printf("\t\tseq: off %hd/%hd min %x/%x\n", - ap.aps_seqoff[0], ap.aps_seqoff[1], - ap.aps_seqmin[0], ap.aps_seqmin[1]); - printf("\t\tack: off %hd/%hd min %x/%x\n", - ap.aps_ackoff[0], ap.aps_ackoff[1], - ap.aps_ackmin[0], ap.aps_ackmin[1]); -#else - printf("\t\tseq: off %hd/%hd min %lx/%lx\n", - ap.aps_seqoff[0], ap.aps_seqoff[1], - ap.aps_seqmin[0], ap.aps_seqmin[1]); - printf("\t\tack: off %hd/%hd min %lx/%lx\n", - ap.aps_ackoff[0], ap.aps_ackoff[1], - ap.aps_ackmin[0], ap.aps_ackmin[1]); -#endif - } - - if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) { - if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra))) - return; - printf("\tReal Audio Proxy:\n"); - printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n", - ra.rap_seenpna, ra.rap_version, ra.rap_eos); - printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf); - printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n", - ra.rap_plport, ra.rap_prport, ra.rap_srport); - } else if (!strcmp(apr.apr_label, "ftp") && - 
(ap.aps_psiz == sizeof(ftp))) { - if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp))) - return; - printf("\tFTP Proxy:\n"); - printf("\t\tpassok: %d\n", ftp.ftp_passok); - ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0'; - ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0'; - printf("\tClient:\n"); - printf("\t\tseq %08x%08x len %d junk %d cmds %d\n", - ftp.ftp_side[0].ftps_seq[1], - ftp.ftp_side[0].ftps_seq[0], - ftp.ftp_side[0].ftps_len, - ftp.ftp_side[0].ftps_junk, ftp.ftp_side[0].ftps_cmds); - printf("\t\tbuf ["); - printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1); - printf("]\n\tServer:\n"); - printf("\t\tseq %08x%08x len %d junk %d cmds %d\n", - ftp.ftp_side[1].ftps_seq[1], - ftp.ftp_side[1].ftps_seq[0], - ftp.ftp_side[1].ftps_len, - ftp.ftp_side[1].ftps_junk, ftp.ftp_side[1].ftps_cmds); - printf("\t\tbuf ["); - printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1); - printf("]\n"); - } else if (!strcmp(apr.apr_label, "ipsec") && - (ap.aps_psiz == sizeof(ipsec))) { - if (kmemcpy((char *)&ipsec, (long)ap.aps_data, sizeof(ipsec))) - return; - printf("\tIPSec Proxy:\n"); - printf("\t\tICookie %08x%08x RCookie %08x%08x %s\n", - (u_int)ntohl(ipsec.ipsc_icookie[0]), - (u_int)ntohl(ipsec.ipsc_icookie[1]), - (u_int)ntohl(ipsec.ipsc_rcookie[0]), - (u_int)ntohl(ipsec.ipsc_rcookie[1]), - ipsec.ipsc_rckset ? "(Set)" : "(Not set)"); - } -} - - -/* - * Get a nat filter type given its kernel address. 
- */ -char *getnattype(ipnat) -ipnat_t *ipnat; -{ - static char unknownbuf[20]; - ipnat_t ipnatbuff; - char *which; - - if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, - sizeof(ipnatbuff)))) - return "???"; - - switch (ipnatbuff.in_redir) - { - case NAT_MAP : - which = "MAP"; - break; - case NAT_MAPBLK : - which = "MAP-BLOCK"; - break; - case NAT_REDIRECT : - which = "RDR"; - break; - case NAT_BIMAP : - which = "BIMAP"; - break; - default : - sprintf(unknownbuf, "unknown(%04x)", - ipnatbuff.in_redir & 0xffffffff); - which = unknownbuf; - break; - } - return which; -} - - -void printactivenat(nat, opts) -nat_t *nat; -int opts; -{ - u_int hv1, hv2; - - printf("%s %-15s", getnattype(nat->nat_ptr), inet_ntoa(nat->nat_inip)); - - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %-5hu", ntohs(nat->nat_inport)); - - printf(" <- -> %-15s",inet_ntoa(nat->nat_outip)); - - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %-5hu", ntohs(nat->nat_outport)); - - printf(" [%s", inet_ntoa(nat->nat_oip)); - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %hu", ntohs(nat->nat_oport)); - printf("]"); - - if (opts & OPT_VERBOSE) { - printf("\n\tage %lu use %hu sumd %s/", - nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0])); - hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, - 0xffffffff), - hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport, - NAT_TABLE_SZ), - hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, - 0xffffffff), - hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport, - NAT_TABLE_SZ), - printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n", - getsumd(nat->nat_sumd[1]), nat->nat_p, - hv1, hv2, nat->nat_flags, - nat->nat_drop[0], nat->nat_drop[1]); - printf("\tifp %s ", getifname(nat->nat_ifp)); -#ifdef USE_QUAD_T - printf("bytes %qu pkts %qu", - (unsigned long long)nat->nat_bytes, - (unsigned long long)nat->nat_pkts); -#else - printf("bytes %lu pkts %lu", nat->nat_bytes, nat->nat_pkts); -#endif -#if SOLARIS - printf(" 
%lx", nat->nat_ipsumd); -#endif - } - - putchar('\n'); - if (nat->nat_aps) - printaps(nat->nat_aps, opts); -} - - -void printhostmap(hmp, hv) -hostmap_t *hmp; -u_int hv; -{ - printf("%s -> ", inet_ntoa(hmp->hm_realip)); - printf("%s ", inet_ntoa(hmp->hm_mapip)); - printf("(use = %d hv = %u)\n", hmp->hm_ref, hv); -} - - -char *getsumd(sum) -u_32_t sum; -{ - static char sumdbuf[17]; - - if (sum & NAT_HW_CKSUM) - sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff); - else - sprintf(sumdbuf, "%#0x", sum); - return sumdbuf; -} - - -/* - * Print out a NAT rule - */ -void printnat(np, opts) -ipnat_t *np; -int opts; -{ - struct protoent *pr; - struct servent *sv; - int bits; - - pr = getprotobynumber(np->in_p); - - switch (np->in_redir) - { - case NAT_REDIRECT : - printf("rdr"); - break; - case NAT_MAP : - printf("map"); - break; - case NAT_MAPBLK : - printf("map-block"); - break; - case NAT_BIMAP : - printf("bimap"); - break; - default : - fprintf(stderr, "unknown value for in_redir: %#x\n", - np->in_redir); - break; - } - - printf(" %s ", np->in_ifname); - - if (np->in_flags & IPN_FILTER) { - if (np->in_flags & IPN_NOTSRC) - printf("! 
"); - printf("from "); - if (np->in_redir == NAT_REDIRECT) { - printhostmask(4, (u_32_t *)&np->in_srcip, - (u_32_t *)&np->in_srcmsk); - } else { - printhostmask(4, (u_32_t *)&np->in_inip, - (u_32_t *)&np->in_inmsk); - } - if (np->in_scmp) - printportcmp(np->in_p, &np->in_tuc.ftu_src); - - if (np->in_flags & IPN_NOTDST) - printf(" !"); - printf(" to "); - if (np->in_redir == NAT_REDIRECT) { - printhostmask(4, (u_32_t *)&np->in_outip, - (u_32_t *)&np->in_outmsk); - } else { - printhostmask(4, (u_32_t *)&np->in_srcip, - (u_32_t *)&np->in_srcmsk); - } - if (np->in_dcmp) - printportcmp(np->in_p, &np->in_tuc.ftu_dst); - } - - if (np->in_redir == NAT_REDIRECT) { - if (!(np->in_flags & IPN_FILTER)) { - printf("%s", inet_ntoa(np->in_out[0])); - bits = countbits(np->in_out[1].s_addr); - if (bits != -1) - printf("/%d ", bits); - else - printf("/%s ", inet_ntoa(np->in_out[1])); - printf("port %d", ntohs(np->in_pmin)); - if (np->in_pmax != np->in_pmin) - printf("- %d", ntohs(np->in_pmax)); - } - printf(" -> %s", inet_ntoa(np->in_in[0])); - if (np->in_flags & IPN_SPLIT) - printf(",%s", inet_ntoa(np->in_in[1])); - printf(" port %d", ntohs(np->in_pnext)); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if ((np->in_flags & IPN_TCP) == IPN_TCP) - printf(" tcp"); - else if ((np->in_flags & IPN_UDP) == IPN_UDP) - printf(" udp"); - else if (np->in_p == 0) - printf(" ip"); - else if (np->in_p != 0) { - if (pr != NULL) - printf(" %s", pr->p_name); - else - printf(" %d", np->in_p); - } - if (np->in_flags & IPN_ROUNDR) - printf(" round-robin"); - if (np->in_flags & IPN_FRAG) - printf(" frag"); - if (np->in_age[0]) - printf(" age %d/%d", np->in_age[0], np->in_age[1]); - if (np->in_mssclamp) - printf(" mssclamp %u", np->in_mssclamp); - printf("\n"); - if (opts & OPT_DEBUG) - printf("\tspc %lu flg %#x max %u use %d\n", - np->in_space, np->in_flags, - np->in_pmax, np->in_use); - } else { - if (!(np->in_flags & IPN_FILTER)) { - printf("%s/", 
inet_ntoa(np->in_in[0])); - bits = countbits(np->in_in[1].s_addr); - if (bits != -1) - printf("%d", bits); - else - printf("%s", inet_ntoa(np->in_in[1])); - } - printf(" -> "); - if (np->in_flags & IPN_IPRANGE) { - printf("range %s-", inet_ntoa(np->in_out[0])); - printf("%s", inet_ntoa(np->in_out[1])); - } else { - printf("%s/", inet_ntoa(np->in_out[0])); - bits = countbits(np->in_out[1].s_addr); - if (bits != -1) - printf("%d", bits); - else - printf("%s", inet_ntoa(np->in_out[1])); - } - if (*np->in_plabel) { - printf(" proxy port"); - if (np->in_dcmp != 0) - np->in_dport = htons(np->in_dport); - if (np->in_dport != 0) { - if (pr != NULL) - sv = getservbyport(np->in_dport, - pr->p_name); - else - sv = getservbyport(np->in_dport, NULL); - if (sv != NULL) - printf(" %s", sv->s_name); - else - printf(" %hu", ntohs(np->in_dport)); - } - printf(" %.*s/", (int)sizeof(np->in_plabel), - np->in_plabel); - if (pr != NULL) - fputs(pr->p_name, stdout); - else - printf("%d", np->in_p); - } else if (np->in_redir == NAT_MAPBLK) { - if ((np->in_pmin == 0) && - (np->in_flags & IPN_AUTOPORTMAP)) - printf(" ports auto"); - else - printf(" ports %d", np->in_pmin); - if (opts & OPT_DEBUG) - printf("\n\tip modulous %d", np->in_pmax); - } else if (np->in_pmin || np->in_pmax) { - printf(" portmap"); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if (np->in_flags & IPN_TCP) - printf(" tcp"); - else if (np->in_flags & IPN_UDP) - printf(" udp"); - if (np->in_flags & IPN_AUTOPORTMAP) { - printf(" auto"); - if (opts & OPT_DEBUG) - printf(" [%d:%d %d %d]", - ntohs(np->in_pmin), - ntohs(np->in_pmax), - np->in_ippip, np->in_ppip); - } else { - printf(" %d:%d", ntohs(np->in_pmin), - ntohs(np->in_pmax)); - } - } - if (np->in_flags & IPN_FRAG) - printf(" frag"); - if (np->in_age[0]) - printf(" age %d/%d", np->in_age[0], np->in_age[1]); - printf("\n"); - if (opts & OPT_DEBUG) { - struct in_addr nip; - - nip.s_addr = htonl(np->in_nextip.s_addr); - - printf("\tspace %lu 
nextip %s pnext %d", np->in_space, - inet_ntoa(nip), np->in_pnext); - printf(" flags %x use %u\n", - np->in_flags, np->in_use); - } - } -} diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c deleted file mode 100644 index 624493b4686c..000000000000 --- a/contrib/ipfilter/printstate.c +++ /dev/null 
@@ -1,151 +0,0 @@ -/* - * Copyright (C) 2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(__sgi) && (IRIX > 602) -# include <sys/ptimers.h> -#endif -#include <sys/types.h> -#include <sys/param.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netinet/in_systm.h> -#include <net/if.h> -#include <stdio.h> -#if __FreeBSD_version >= 300000 -# include <net/if_var.h> -#endif -#include "kmem.h" -#include "netinet/ip_compat.h" -#include "ipf.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_state.h" - -#define PRINTF (void)printf -#define FPRINTF (void)fprintf - -ipstate_t *printstate(sp, opts) -ipstate_t *sp; -int opts; -{ - ipstate_t ips; - - if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips))) - return NULL; - - PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4)); - PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n", - hostname(ips.is_v, &ips.is_dst.in4), - ips.is_age, ips.is_pass, ips.is_p, - ips.is_state[0], ips.is_state[1]); -#ifdef USE_QUAD_T - PRINTF("\tpkts %qu bytes %qu", (unsigned long long) ips.is_pkts, - (unsigned long long) ips.is_bytes); -#else - PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes); -#endif - if (ips.is_p == IPPROTO_TCP) { -#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ -(__FreeBSD_version >= 220000) || defined(__OpenBSD__) - PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n", - ntohs(ips.is_sport), ntohs(ips.is_dport), - ips.is_send, ips.is_dend, - ips.is_maxsend, ips.is_maxdend); - PRINTF("\t%u<<%d:%u<<%d", - ips.is_maxswin>>ips.is_swscale, ips.is_swscale, - ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); -#else - PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n", - ntohs(ips.is_sport), ntohs(ips.is_dport), - ips.is_send, ips.is_dend, - ips.is_maxsend, ips.is_maxdend); - PRINTF("\t%u<<%d:%u<<%d", - ips.is_maxswin>>ips.is_swscale, ips.is_swscale, - ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); -#endif - } else 
if (ips.is_p == IPPROTO_UDP) - PRINTF(" %hu -> %hu", ntohs(ips.is_sport), - ntohs(ips.is_dport)); - else if (ips.is_p == IPPROTO_ICMP -#ifdef USE_INET6 - || ips.is_p == IPPROTO_ICMPV6 -#endif - ) - PRINTF(" id %hu seq %hu type %d", ntohs(ips.is_icmp.ics_id), - ntohs(ips.is_icmp.ics_seq), ips.is_icmp.ics_type); - - PRINTF("\n\t"); - - /* - * Print out bits set in the result code for the state being - * kept as they would for a rule. - */ - if (ips.is_pass & FR_PASS) { - PRINTF("pass"); - } else if (ips.is_pass & FR_BLOCK) { - PRINTF("block"); - switch (ips.is_pass & FR_RETMASK) - { - case FR_RETICMP : - PRINTF(" return-icmp"); - break; - case FR_FAKEICMP : - PRINTF(" return-icmp-as-dest"); - break; - case FR_RETRST : - PRINTF(" return-rst"); - break; - default : - break; - } - } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) { - PRINTF("log"); - if (ips.is_pass & FR_LOGBODY) - PRINTF(" body"); - if (ips.is_pass & FR_LOGFIRST) - PRINTF(" first"); - } else if (ips.is_pass & FR_ACCOUNT) - PRINTF("count"); - - if (ips.is_pass & FR_OUTQUE) - PRINTF(" out"); - else - PRINTF(" in"); - - if ((ips.is_pass & FR_LOG) != 0) { - PRINTF(" log"); - if (ips.is_pass & FR_LOGBODY) - PRINTF(" body"); - if (ips.is_pass & FR_LOGFIRST) - PRINTF(" first"); - if (ips.is_pass & FR_LOGORBLOCK) - PRINTF(" or-block"); - } - if (ips.is_pass & FR_QUICK) - PRINTF(" quick"); - if (ips.is_pass & FR_KEEPFRAG) - PRINTF(" keep frags"); - /* a given; no? 
*/ - if (ips.is_pass & FR_KEEPSTATE) - PRINTF(" keep state"); - PRINTF("\tIPv%d", ips.is_v); - PRINTF("\n"); - - PRINTF("\tpkt_flags & %x(%x) = %x,\t", - ips.is_flags & 0xf, ips.is_flags, - ips.is_flags >> 4); - PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk, - ips.is_opt); - PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", - ips.is_secmsk, ips.is_sec, ips.is_authmsk, - ips.is_auth); - PRINTF("\tinterfaces: in %s", getifname(ips.is_ifp[0])); - PRINTF(",%s", getifname(ips.is_ifp[1])); - PRINTF(" out %s", getifname(ips.is_ifp[2])); - PRINTF(",%s\n", getifname(ips.is_ifp[3])); - - return ips.is_next; -} diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c deleted file mode 100644 index 6a67433c61a9..000000000000 --- a/contrib/ipfilter/relay.c +++ /dev/null 
@@ -1,227 +0,0 @@ -/* - * Sample program to be used as a transparent proxy. - * - * Must be executed with permission enough to do an ioctl on /dev/ipl - * or equivalent. This is just a sample and is only alpha quality. - * - Darren Reed (8 April 1996) - */ -#include <unistd.h> -#include <stdio.h> -#include <fcntl.h> -#include <sys/types.h> -#include <sys/time.h> -#include <sys/errno.h> -#include <sys/syslog.h> -#include <sys/ioctl.h> -#include <netinet/in.h> -#include <net/if.h> -#include <sys/socket.h> -#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000) -# include <poll.h> -# define USE_POLL -#endif -#include "ip_nat.h" - -#define RELAY_BUFSZ 8192 - -char ibuff[RELAY_BUFSZ]; -char obuff[RELAY_BUFSZ]; - -int relay(ifd, ofd, rfd) -int ifd, ofd, rfd; -{ -#ifdef USE_POLL - struct pollfd set[3]; -#else - fd_set rfds, wfds; -#endif - char *irh, *irt, *rrh, *rrt; - char *iwh, *iwt, *rwh, *rwt; - int nfd, n, rw; - - irh = irt = ibuff; - iwh = iwt = obuff; - nfd = ifd; - if (nfd < ofd) - nfd = ofd; - if (nfd < rfd) - nfd = rfd; - -#ifdef USE_POLL - set[0].fd = rfd; - set[1].fd = ifd; - set[2].fd = ofd; -#endif - - while (1) { -#ifdef USE_POLL - set[0].events = (iwh < (obuff + RELAY_BUFSZ) ? POLLIN : 0) | - (irh > irt ? POLLOUT : 0); - set[1].events = (irh < (ibuff + RELAY_BUFSZ) ? POLLIN : 0); - set[2].events = (iwh > iwt ? 
POLLOUT : 0); - - switch ((n = poll(set, 3, INFTIM))) -#else - FD_ZERO(&rfds); - FD_ZERO(&wfds); - if (irh > irt) - FD_SET(rfd, &wfds); - if (irh < (ibuff + RELAY_BUFSZ)) - FD_SET(ifd, &rfds); - if (iwh > iwt) - FD_SET(ofd, &wfds); - if (iwh < (obuff + RELAY_BUFSZ)) - FD_SET(rfd, &rfds); - - switch ((n = select(nfd + 1, &rfds, &wfds, NULL, NULL))) -#endif - { - case -1 : - case 0 : - return -1; - default : -#ifdef USE_POLL - if (set[1].revents & POLLIN) -#else - if (FD_ISSET(ifd, &rfds)) -#endif - { - rw = read(ifd, irh, ibuff + RELAY_BUFSZ - irh); - if (rw == -1) - return -1; - if (rw == 0) - return 0; - irh += rw; - n--; - } -#ifdef USE_POLL - if (set[2].revents & POLLOUT) -#else - if (n && FD_ISSET(ofd, &wfds)) -#endif - { - rw = write(ofd, iwt, iwh - iwt); - if (rw == -1) - return -1; - iwt += rw; - n--; - } -#ifdef USE_POLL - if (set[0].revents & POLLIN) -#else - if (n && FD_ISSET(rfd, &rfds)) -#endif - { - rw = read(rfd, iwh, obuff + RELAY_BUFSZ - iwh); - if (rw == -1) - return -1; - if (rw == 0) - return 0; - iwh += rw; - n--; - } -#ifdef USE_POLL - if (set[0].revents & POLLOUT) -#else - if (n && FD_ISSET(rfd, &wfds)) -#endif - { - rw = write(rfd, irt, irh - irt); - if (rw == -1) - return -1; - irt += rw; - n--; - } - if (irh == irt) - irh = irt = ibuff; - if (iwh == iwt) - iwh = iwt = obuff; - } - } -} - -main(argc, argv) -int argc; -char *argv[]; -{ - struct sockaddr_in sin; - natlookup_t nl; - natlookup_t *nlp = &nl; - int fd, sl = sizeof(sl), se; - - openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON); - if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) { - se = errno; - perror("open"); - errno = se; - syslog(LOG_ERR, "open: %m\n"); - exit(-1); - } - - bzero(&nl, sizeof(nl)); - nl.nl_flags = IPN_TCP; - - bzero(&sin, sizeof(sin)); - sin.sin_family = AF_INET; - sl = sizeof(sin); - if (getsockname(0, (struct sockaddr *)&sin, &sl) == -1) { - se = errno; - perror("getsockname"); - errno = se; - syslog(LOG_ERR, "getsockname: %m\n"); - exit(-1); - } else { - 
nl.nl_inip.s_addr = sin.sin_addr.s_addr; - nl.nl_inport = sin.sin_port; - } - - bzero(&sin, sizeof(sin)); - sin.sin_family = AF_INET; - sl = sizeof(sin); - if (getpeername(0, (struct sockaddr *)&sin, &sl) == -1) { - se = errno; - perror("getpeername"); - errno = se; - syslog(LOG_ERR, "getpeername: %m\n"); - exit(-1); - } else { - nl.nl_outip.s_addr = sin.sin_addr.s_addr; - nl.nl_outport = sin.sin_port; - } - - if (ioctl(fd, SIOCGNATL, &nlp) == -1) { - se = errno; - perror("ioctl"); - errno = se; - syslog(LOG_ERR, "ioctl: %m\n"); - exit(-1); - } - - sin.sin_port = nl.nl_realport; - sin.sin_addr = nl.nl_realip; - sl = sizeof(sin); - - fd = socket(AF_INET, SOCK_STREAM, 0); - if (connect(fd, (struct sockaddr *)&sin, sl) == -1) { - se = errno; - perror("connect"); - errno = se; - syslog(LOG_ERR, "connect: %m\n"); - exit(-1); - } - - (void) ioctl(fd, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK); - (void) ioctl(0, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK); - (void) ioctl(1, F_SETFL, ioctl(fd, F_GETFL, 0)|O_NONBLOCK); - - syslog(LOG_NOTICE, "connected to %s,%d\n", inet_ntoa(sin.sin_addr), - ntohs(sin.sin_port)); - if (relay(0, 1, fd) == -1) { - se = errno; - perror("relay"); - errno = se; - syslog(LOG_ERR, "relay: %m\n"); - exit(-1); - } - exit(0); -} diff --git a/contrib/ipfilter/rules/rules.sed b/contrib/ipfilter/rules/rules.sed deleted file mode 100644 index 050d9b6ab710..000000000000 --- a/contrib/ipfilter/rules/rules.sed +++ /dev/null @@ -1,5 +0,0 @@ -WÆ. Ä..'&CVSWÜ example.1WÝ -example.10WÞ -example.11Wß -example.12Wà -example.13Wá example.2Wâ example.3Wã example.4Wä example.5Wå example.6Wæ example.7Wç example.8Wè example.9Wé diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c deleted file mode 100644 index aa139d3b042a..000000000000 --- a/contrib/ipfilter/solaris.c +++ /dev/null 
@@ -1,2131 +0,0 @@ -/* - * Copyright (C) 1993-2002 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $" - -#include <sys/systm.h> -#include <sys/types.h> -#include <sys/param.h> -#include <sys/errno.h> -#include <sys/uio.h> -#include <sys/buf.h> -#include <sys/modctl.h> -#include <sys/open.h> -#include <sys/kmem.h> -#include <sys/conf.h> -#include <sys/cmn_err.h> -#include <sys/stat.h> -#include <sys/cred.h> -#include <sys/dditypes.h> -#include <sys/stream.h> -#include <sys/poll.h> -#include <sys/autoconf.h> -#include <sys/byteorder.h> -#include <sys/socket.h> -#include <sys/dlpi.h> -#include <sys/stropts.h> -#include <sys/sockio.h> -#include <net/if.h> -#if SOLARIS2 >= 6 -# include <net/if_types.h> -#endif -#include <net/af.h> -#include <net/route.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/if_ether.h> -#include <netinet/ip.h> -#include <netinet/ip_var.h> -#include <netinet/tcp.h> -#include <netinet/udp.h> -#include <netinet/tcpip.h> -#include <netinet/ip_icmp.h> -#include <sys/ddi.h> -#include <sys/sunddi.h> -#include "ip_compat.h" -#include "ipl.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" - - -char _depends_on[] = "drv/ip"; - - -void solipdrvattach __P((void)); -int solipdrvdetach __P((void)); - -void solattach __P((void)); -int soldetach __P((void)); - -extern struct filterstats frstats[]; -extern KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_nat, ipf_solaris; -extern kmutex_t ipf_rw; -extern int fr_running; -extern int fr_flags; - -extern ipnat_t *nat_list; - -static qif_t *qif_head = NULL; -static int ipf_getinfo __P((dev_info_t *, ddi_info_cmd_t, - void *, void **)); -static int ipf_probe __P((dev_info_t *)); -static int ipf_identify __P((dev_info_t *)); -static int ipf_attach __P((dev_info_t *, ddi_attach_cmd_t)); -static int 
ipf_detach __P((dev_info_t *, ddi_detach_cmd_t)); -static qif_t *qif_from_queue __P((queue_t *)); -static void fr_donotip __P((int, qif_t *, queue_t *, mblk_t *, - mblk_t *, ip_t *, size_t)); -static char *ipf_devfiles[] = { IPL_NAME, IPL_NAT, IPL_STATE, IPL_AUTH, - NULL }; -static int (*ipf_ip_inp) __P((queue_t *, mblk_t *)) = NULL; - - -#if SOLARIS2 >= 7 -extern void ipfr_slowtimer __P((void *)); -timeout_id_t ipfr_timer_id; -static timeout_id_t synctimeoutid = 0; -#else -extern void ipfr_slowtimer __P((void)); -int ipfr_timer_id; -static int synctimeoutid = 0; -#endif -int ipf_debug = 0; -int ipf_debug_verbose = 0; - -/* #undef IPFDEBUG 1 */ -/* #undef IPFDEBUG_VERBOSE 1 */ -#ifdef IPFDEBUG -void printire __P((ire_t *)); -#endif -#define isdigit(x) ((x) >= '0' && (x) <= '9') - -static int fr_precheck __P((mblk_t **, queue_t *, qif_t *, int)); - - -static struct cb_ops ipf_cb_ops = { - iplopen, - iplclose, - nodev, /* strategy */ - nodev, /* print */ - nodev, /* dump */ - iplread, - nodev, /* write */ - iplioctl, /* ioctl */ - nodev, /* devmap */ - nodev, /* mmap */ - nodev, /* segmap */ - nochpoll, /* poll */ - ddi_prop_op, - NULL, - D_MTSAFE, -#if SOLARIS2 > 4 - CB_REV, - nodev, /* aread */ - nodev, /* awrite */ -#endif -}; - -static struct dev_ops ipf_ops = { - DEVO_REV, - 0, - ipf_getinfo, - ipf_identify, - ipf_probe, - ipf_attach, - ipf_detach, - nodev, /* reset */ - &ipf_cb_ops, - (struct bus_ops *)0 -}; - -extern struct mod_ops mod_driverops; -static struct modldrv iplmod = { - &mod_driverops, IPL_VERSION, &ipf_ops }; -static struct modlinkage modlink1 = { MODREV_1, &iplmod, NULL }; - -#if SOLARIS2 >= 6 -static size_t hdrsizes[57][2] = { - { 0, 0 }, - { IFT_OTHER, 0 }, - { IFT_1822, 14 }, /* 14 for ire0 ?? 
*/ - { IFT_HDH1822, 0 }, - { IFT_X25DDN, 0 }, - { IFT_X25, 0 }, - { IFT_ETHER, 14 }, - { IFT_ISO88023, 14 }, - { IFT_ISO88024, 0 }, - { IFT_ISO88025, 0 }, - { IFT_ISO88026, 0 }, - { IFT_STARLAN, 0 }, - { IFT_P10, 0 }, - { IFT_P80, 0 }, - { IFT_HY, 0 }, - { IFT_FDDI, 24 }, - { IFT_LAPB, 0 }, - { IFT_SDLC, 0 }, - { IFT_T1, 0 }, - { IFT_CEPT, 0 }, - { IFT_ISDNBASIC, 0 }, - { IFT_ISDNPRIMARY, 0 }, - { IFT_PTPSERIAL, 0 }, - { IFT_PPP, 0 }, - { IFT_LOOP, 0 }, - { IFT_EON, 0 }, - { IFT_XETHER, 0 }, - { IFT_NSIP, 0 }, - { IFT_SLIP, 0 }, - { IFT_ULTRA, 0 }, - { IFT_DS3, 0 }, - { IFT_SIP, 0 }, - { IFT_FRELAY, 0 }, - { IFT_RS232, 0 }, - { IFT_PARA, 0 }, - { IFT_ARCNET, 0 }, - { IFT_ARCNETPLUS, 0 }, - { IFT_ATM, 0 }, - { IFT_MIOX25, 0 }, - { IFT_SONET, 0 }, - { IFT_X25PLE, 0 }, - { IFT_ISO88022LLC, 0 }, - { IFT_LOCALTALK, 0 }, - { IFT_SMDSDXI, 0 }, - { IFT_FRELAYDCE, 0 }, - { IFT_V35, 0 }, - { IFT_HSSI, 0 }, - { IFT_HIPPI, 0 }, - { IFT_MODEM, 0 }, - { IFT_AAL5, 0 }, - { IFT_SONETPATH, 0 }, - { IFT_SONETVT, 0 }, - { IFT_SMDSICIP, 0 }, - { IFT_PROPVIRTUAL, 0 }, - { IFT_PROPMUX, 0 }, -}; -#endif /* SOLARIS2 >= 6 */ - -static dev_info_t *ipf_dev_info = NULL; - - -int _init() -{ - int ipfinst; - - ipfinst = mod_install(&modlink1); -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst); -#endif - return ipfinst; -} - - -int _fini(void) -{ - int ipfinst; - - ipfinst = mod_remove(&modlink1); -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst); -#endif - return ipfinst; -} - - -int _info(modinfop) -struct modinfo *modinfop; -{ - int ipfinst; - - ipfinst = mod_info(&modlink1, modinfop); -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", - modinfop, ipfinst); -#endif - if (fr_running > 0) - ipfsync(); - return ipfinst; -} - - -static int ipf_probe(dip) -dev_info_t *dip; -{ - if (fr_running < 0) - return DDI_PROBE_FAILURE; -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: 
ipf_probe(%x)", dip); -#endif - return DDI_PROBE_SUCCESS; -} - - -static int ipf_identify(dip) -dev_info_t *dip; -{ -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: ipf_identify(%x)", dip); -#endif - if (strcmp(ddi_get_name(dip), "ipf") == 0) - return (DDI_IDENTIFIED); - return (DDI_NOT_IDENTIFIED); -} - - -static void ipf_ire_walk(ire, arg) -ire_t *ire; -void *arg; -{ - qif_t *qif = arg; - - if ((ire->ire_type == IRE_CACHE) && -#if SOLARIS2 >= 6 - (ire->ire_ipif != NULL) && - (ire->ire_ipif->ipif_ill == qif->qf_ill) -#else - (ire_to_ill(ire) == qif->qf_ill) -#endif - ) { -#if SOLARIS2 >= 8 - mblk_t *m = ire->ire_fp_mp; -#else - mblk_t *m = ire->ire_ll_hdr_mp; -#endif - if (m != NULL) - qif->qf_hl = m->b_wptr - m->b_rptr; - } -} - - -static int ipf_attach(dip, cmd) -dev_info_t *dip; -ddi_attach_cmd_t cmd; -{ -#ifdef IPFDEBUG - int instance; - - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: ipf_attach(%x,%x)", dip, cmd); -#endif - switch (cmd) { - case DDI_ATTACH: - if (fr_running < 0) - break; -#ifdef IPFDEBUG - instance = ddi_get_instance(dip); - - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: attach ipf instance %d", instance); -#endif - if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF, - DDI_PSEUDO, 0) == DDI_FAILURE) { - ddi_remove_minor_node(dip, NULL); - goto attach_failed; - } - if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT, - DDI_PSEUDO, 0) == DDI_FAILURE) { - ddi_remove_minor_node(dip, NULL); - goto attach_failed; - } - if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE, - DDI_PSEUDO, 0) == DDI_FAILURE) { - ddi_remove_minor_node(dip, NULL); - goto attach_failed; - } - if (ddi_create_minor_node(dip, "ipauth", S_IFCHR, IPL_LOGAUTH, - DDI_PSEUDO, 0) == DDI_FAILURE) { - ddi_remove_minor_node(dip, NULL); - goto attach_failed; - } - ipf_dev_info = dip; - sync(); - /* - * Initialize mutex's - */ - if (iplattach() == -1) - goto attach_failed; - /* - * Lock people out while we set things up. 
- */ - WRITE_ENTER(&ipf_solaris); - solattach(); - solipdrvattach(); - RWLOCK_EXIT(&ipf_solaris); - cmn_err(CE_CONT, "%s, attaching complete.\n", - ipfilter_version); - sync(); - if (fr_running == 0) - fr_running = 1; - if (ipfr_timer_id == 0) - ipfr_timer_id = timeout(ipfr_slowtimer, NULL, - drv_usectohz(500000)); - if (fr_running == 1) - return DDI_SUCCESS; -#if SOLARIS2 >= 8 - case DDI_RESUME : - case DDI_PM_RESUME : - if (ipfr_timer_id == 0) - ipfr_timer_id = timeout(ipfr_slowtimer, NULL, - drv_usectohz(500000)); - return DDI_SUCCESS; -#endif - default: - return DDI_FAILURE; - } - -attach_failed: - cmn_err(CE_NOTE, "IP Filter: failed to attach\n"); - /* - * Use our own detach routine to toss - * away any stuff we allocated above. - */ - (void) ipf_detach(dip, DDI_DETACH); - return DDI_FAILURE; -} - - -static int ipf_detach(dip, cmd) -dev_info_t *dip; -ddi_detach_cmd_t cmd; -{ - int i; - -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: ipf_detach(%x,%x)", dip, cmd); -#endif - switch (cmd) { - case DDI_DETACH: - if (fr_running <= 0) - break; - /* - * Make sure we're the only one's modifying things. With - * this lock others should just fall out of the loop. - */ - mutex_enter(&ipf_rw); - if (ipfr_timer_id != 0) { - untimeout(ipfr_timer_id); - ipfr_timer_id = 0; - } - mutex_exit(&ipf_rw); - WRITE_ENTER(&ipf_solaris); - mutex_enter(&ipf_rw); - if (fr_running <= 0) { - mutex_exit(&ipf_rw); - return DDI_FAILURE; - } - fr_running = -1; - mutex_exit(&ipf_rw); - /* NOTE: ipf_solaris rwlock is released in ipldetach */ - - /* - * Undo what we did in ipf_attach, freeing resources - * and removing things we installed. The system - * framework guarantees we are not active with this devinfo - * node in any other entry points at this time. 
- */ - ddi_prop_remove_all(dip); - i = ddi_get_instance(dip); - ddi_remove_minor_node(dip, NULL); - sync(); - i = solipdrvdetach(); - if (i > 0) { - cmn_err(CE_CONT, "IP Filter: still attached (%d)\n", i); - return DDI_FAILURE; - } - if (!soldetach()) { - cmn_err(CE_CONT, "%s detached\n", ipfilter_version); - return (DDI_SUCCESS); - } -#if SOLARIS2 >= 8 - case DDI_SUSPEND : - case DDI_PM_SUSPEND : - if (ipfr_timer_id != 0) { - untimeout(ipfr_timer_id); - ipfr_timer_id = 0; - } - if (synctimeoutid) { - untimeout(synctimeoutid); - synctimeoutid = 0; - } - return DDI_SUCCESS; -#endif - default: - return (DDI_FAILURE); - } - return DDI_FAILURE; -} - - -static int ipf_getinfo(dip, infocmd, arg, result) -dev_info_t *dip; -ddi_info_cmd_t infocmd; -void *arg, **result; -{ - int error; - - if (fr_running <= 0) - return DDI_FAILURE; - error = DDI_FAILURE; -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: ipf_getinfo(%x,%x,%x)", - dip, infocmd, arg); -#endif - switch (infocmd) { - case DDI_INFO_DEVT2DEVINFO: - *result = ipf_dev_info; - error = DDI_SUCCESS; - break; - case DDI_INFO_DEVT2INSTANCE: - *result = (void *)getminor((dev_t) arg); - error = DDI_SUCCESS; - break; - default: - break; - } - return (error); -} - -/* - * find the filter structure setup for this queue - */ -static qif_t *qif_from_queue(q) -queue_t *q; -{ - qif_t *qif; - - for (qif = qif_head; qif; qif = qif->qf_next) - if ((qif->qf_iptr == q->q_ptr) || (qif->qf_optr == q->q_ptr)) - break; - return qif; -} - - -/* - * OK, this is pretty scrappy code, but then it's essentially just here for - * debug purposes and that's it. Packets should not normally come through - * here, and if they do, well, we would like to see as much information as - * possible about them and what they claim to hold. 
- */ -void fr_donotip(out, qif, q, m, mt, ip, off) -int out; -qif_t *qif; -queue_t *q; -mblk_t *m, *mt; -ip_t *ip; -size_t off; -{ - u_char *s, outb[256], *t; - int i; - - outb[0] = '\0'; - outb[1] = '\0'; - outb[2] = '\0'; - outb[3] = '\0'; - s = ip ? (u_char *)ip : outb; - if (!ip && (m == mt) && m->b_cont && (MTYPE(m) != M_DATA)) - m = m->b_cont; - - cmn_err(CE_CONT, " !IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n", - qif ? qif->qf_name : "?", out, qif ? qif->qf_hl : -1, q, - q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL, - mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr, - m->b_wptr - m->b_rptr, off, ip); - cmn_err(CE_CONT, "%02x%02x%02x%02x\n", *s, *(s+1), *(s+2), *(s+3)); - while (m != mt) { - i = 0; - t = outb; - s = mt->b_rptr; - sprintf((char *)t, "%d:", MTYPE(mt)); - t += strlen((char *)t); - for (; (i < 100) && (s < mt->b_wptr); i++) { - sprintf((char *)t, "%02x%s", *s++, - ((i & 3) == 3) ? " " : ""); - t += ((i & 3) == 3) ? 3 : 2; - } - *t++ = '\n'; - *t = '\0'; - cmn_err(CE_CONT, "%s", outb); - mt = mt->b_cont; - } - i = 0; - t = outb; - s = m->b_rptr; - sprintf((char *)t, "%d:", MTYPE(m)); - t += strlen((char *)t); - for (; (i < 100) && (s < m->b_wptr); i++) { - sprintf((char *)t, "%02x%s", *s++, ((i & 3) == 3) ? " " : ""); - t += ((i & 3) == 3) ? 3 : 2; - } - *t++ = '\n'; - *t = '\0'; - cmn_err(CE_CONT, "%s", outb); -} - - -/* - * find the first data mblk, if present, in the chain we're processing. Also - * make a few sanity checks to try prevent the filter from causing a panic - - * none of the nice IP sanity checks (including checksumming) should have been - * done yet (for incoming packets) - dangerous! 
- */ -static int fr_precheck(mp, q, qif, out) -mblk_t **mp; -queue_t *q; -qif_t *qif; -int out; -{ - register mblk_t *m, *mt = *mp; - register ip_t *ip; - size_t hlen, len, off, off2, mlen, iphlen, plen, woff; - int err, synced = 0, sap, p, realigned = 0, multi = 0; - u_char *bp; -#if SOLARIS2 >= 8 - ip6_t *ip6; -#endif -#ifndef sparc - u_short __ipoff; -#endif -tryagain: - ip = NULL; - m = NULL; - /* - * If there is only M_DATA for a packet going out, then any header - * information (which would otherwise appear in an M_PROTO mblk before - * the M_DATA) is prepended before the IP header. We need to set the - * offset to account for this. - see MMM - */ - off = (out) ? qif->qf_hl : 0; - - /* - * If the message protocol block indicates that there isn't a data - * block following it, just return back. - */ - bp = (u_char *)ALIGN32(mt->b_rptr); - if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) { - dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp; - if (dl->dl_primitive == DL_UNITDATA_IND) { - multi = dl->dl_group_address; - m = mt->b_cont; - /* - * This is a complete kludge to try and work around - * some bizarre packets which drop through into - * fr_donotip. - */ - if (m && multi && ((*((u_char *)m->b_rptr) == 0x0) && - ((*((u_char *)m->b_rptr + 2) == 0x45)))) { - ip = (ip_t *)(m->b_rptr + 2); - off = 2; - } else - off = 0; - } else if (dl->dl_primitive != DL_UNITDATA_REQ) { - ip = (ip_t *)dl; - if ((ip->ip_v == IPVERSION) && - (ip->ip_hl == (sizeof(*ip) >> 2)) && - (ntohs(ip->ip_len) == mt->b_wptr - mt->b_rptr)) { - off = 0; - m = mt; - } else { - frstats[out].fr_notdata++; - return 0; - } - } - } - - /* - * Find the first data block, count the data blocks in this chain and - * the total amount of data. 
- */ - if (ip == NULL) - for (m = mt; m && (MTYPE(m) != M_DATA); m = m->b_cont) - off = 0; /* Any non-M_DATA cancels the offset */ - - if (!m) { - frstats[out].fr_nodata++; - return 0; /* No data blocks */ - } - - ip = (ip_t *)(m->b_rptr + off); /* MMM */ - - /* - * We might have a 1st data block which is really M_PROTO, i.e. it is - * only big enough for the link layer header - */ - while ((u_char *)ip >= m->b_wptr) { - len = (u_char *)ip - m->b_wptr; - m = m->b_cont; - if (m == NULL) - return 0; /* not enough data for IP */ - ip = (ip_t *)(m->b_rptr + len); - } - off = (u_char *)ip - m->b_rptr; - if (off != 0) - m->b_rptr = (u_char *)ip; - - len = m->b_wptr - m->b_rptr; - if (m->b_wptr < m->b_rptr) { - cmn_err(CE_NOTE, "!IP Filter: Bad packet: wptr %p < rptr %p", - m->b_wptr, m->b_rptr); - frstats[out].fr_bad++; - return -1; - } - - mlen = msgdsize(m); - sap = qif->qf_ill->ill_sap; - - if (sap == 0x800) { - u_short tlen; - - hlen = sizeof(*ip); - - /* XXX - might not be aligned (from ppp?) */ - ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0]; - ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1]; - - plen = ntohs(tlen); - - sap = 0; - } -#if SOLARIS2 >= 8 - else if (sap == IP6_DL_SAP) { - u_short tlen; - - hlen = sizeof(ip6_t); - ip6 = (ip6_t *)ip; - /* XXX - might not be aligned (from ppp?) */ - ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0]; - ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1]; - plen = ntohs(tlen); - if (!plen) - return -1; /* Jumbo gram */ - plen += sizeof(*ip6); - } -#endif - else { - plen = 0; - hlen = 0; - sap = -1; - } - - /* - * Ok, the IP header isn't on a 32bit aligned address so junk it. - */ - if (((u_long)ip & 0x3) || (plen > mlen) || (len < hlen) || - (sap == -1)) { - mblk_t *m1, *m2; - u_char *s, c; - int v; - - /* - * Junk using pullupmsg - it's next to useless. 
- */ -fixalign: - if (off) - m->b_rptr -= off; - c = *(u_char *)ip; - c >>= 4; - if (c != 4 -#if SOLARIS2 >= 8 - && c != 6 -#endif - ) { - frstats[out].fr_notip++; - return (fr_flags & FF_BLOCKNONIP) ? -1 : 0; - } - - if (realigned) - return -1; - realigned = 1; - off2 = (size_t)((u_long)ip & 0x3); - if (off2) - off2 = 4 - off2; - len = msgdsize(m); - m2 = allocb(len + off2, BPRI_HI); - if (m2 == NULL) { - frstats[out].fr_pull[1]++; - return -1; - } - - MTYPE(m2) = M_DATA; - if (m->b_rptr != (u_char *)ip) - m2->b_rptr += off2; - m2->b_wptr = m2->b_rptr + len; - m1 = m; - s = (u_char *)m->b_rptr; - for (bp = m2->b_rptr; m1 && (bp < m2->b_wptr); bp += len) { - len = MIN(m1->b_wptr - s, m2->b_wptr - bp); - bcopy(s, bp, len); - m1 = m1->b_cont; - if (m1) - s = m1->b_rptr; - } - - if (mt != m && mt->b_cont == m && !off) { - /* - * check if the buffer we're changing is chained in- - * between other buffers and unlink/relink as required. - */ - (void) unlinkb(mt); /* should return 'm' */ - m1 = unlinkb(m); - if (m1) - linkb(m2, m1); - freemsg(m); - linkb(mt, m2); - } else { - if (m == mt) { - m1 = unlinkb(mt); - if (m1) - linkb(m2, m1); - } - freemsg(mt); - *mp = m2; - mt = m2; - } - - frstats[out].fr_pull[0]++; - synced = 1; - off = 0; - goto tryagain; - } - - if (((sap == 0) && (ip->ip_v != IP_VERSION)) -#if SOLARIS2 >= 8 - || ((sap == IP6_DL_SAP) && ((ip6->ip6_vfc >> 4) != 6)) -#endif - ) { - m->b_rptr -= off; - return -2; - } - -#ifndef sparc -# if SOLARIS2 >= 8 - if (sap == IP6_DL_SAP) { - ip6->ip6_plen = plen - sizeof(*ip6); - } else { -# endif - __ipoff = (u_short)ip->ip_off; - - ip->ip_len = plen; - ip->ip_off = ntohs(__ipoff); -# if SOLARIS2 >= 8 - } -# endif -#endif - if (sap == 0) - iphlen = ip->ip_hl << 2; -#if SOLARIS2 >= 8 - else if (sap == IP6_DL_SAP) - iphlen = sizeof(ip6_t); -#endif - - if (( -#if SOLARIS2 >= 8 - (sap == IP6_DL_SAP) && (mlen < plen)) || - ((sap == 0) && -#endif - ((iphlen < hlen) || (iphlen > plen) || (mlen < plen)))) { - /* - * Bad IP 
packet or not enough data/data length mismatches - */ -#ifndef sparc -# if SOLARIS2 >= 8 - if (sap == IP6_DL_SAP) { - ip6->ip6_plen = htons(plen - sizeof(*ip6)); - } else { -# endif - __ipoff = (u_short)ip->ip_off; - - ip->ip_len = htons(plen); - ip->ip_off = htons(__ipoff); -# if SOLARIS2 >= 8 - } -# endif -#endif - m->b_rptr -= off; - frstats[out].fr_bad++; - return -1; - } - - /* - * Make hlen the total size of the IP header plus TCP/UDP/ICMP header - * (if it is one of these three). - */ - if (sap == 0) - p = ip->ip_p; -#if SOLARIS2 >= 8 - else if (sap == IP6_DL_SAP) - p = ip6->ip6_nxt; - - if ((sap == IP6_DL_SAP) || ((ip->ip_off & IP_OFFMASK) == 0)) -#else - if ((ip->ip_off & IP_OFFMASK) == 0) -#endif - switch (p) - { - case IPPROTO_TCP : - hlen += sizeof(tcphdr_t); - break; - case IPPROTO_UDP : - hlen += sizeof(udphdr_t); - break; - case IPPROTO_ICMP : - /* 76 bytes is enough for a complete ICMP error. */ - hlen += 76 + sizeof(icmphdr_t); - break; - default : - break; - } - - woff = 0; - if (hlen > mlen) { - hlen = mlen; - } else if (m->b_wptr - m->b_rptr > plen) { - woff = m->b_wptr - m->b_rptr - plen; - m->b_wptr -= woff; - } - - /* - * If we don't have enough data in the mblk or we haven't yet copied - * enough (above), then copy some more. - */ - if ((hlen > len)) { - if (!pullupmsg(m, (int)hlen)) { - cmn_err(CE_NOTE, "pullupmsg failed"); - frstats[out].fr_pull[1]++; - return -1; - } - frstats[out].fr_pull[0]++; - ip = (ip_t *)ALIGN32(m->b_rptr); - } - qif->qf_m = m; - qif->qf_q = q; - qif->qf_off = off; - qif->qf_len = len; - err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp); - if (err == 2) { - goto fixalign; - } - /* - * Copy back the ip header data if it was changed, we haven't yet - * freed the message and we aren't going to drop the packet. - * BUT only do this if there were no changes to the buffer, else - * we can't be sure that the ip pointer is still correct! 
- */ - if (*mp != NULL) { - if (*mp == mt) { - m->b_wptr += woff; - m->b_rptr -= off; -#ifndef sparc -# if SOLARIS2 >= 8 - if (sap == IP6_DL_SAP) { - ip6->ip6_plen = htons(plen - sizeof(*ip6)); - } else { -# endif - __ipoff = (u_short)ip->ip_off; - /* - * plen is useless because of NAT. - */ - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(__ipoff); -# if SOLARIS2 >= 8 - } -# endif -#endif - } else - cmn_err(CE_NOTE, - "!IP Filter: *mp %p mt %p %s", *mp, mt, - "mblk changed, cannot revert ip_len, ip_off"); - } - return err; -} - - -/* - * Only called for M_IOCACK messages - */ -void fr_qif_update(qif, mp) -qif_t *qif; -mblk_t *mp; -{ - struct iocblk *iocp; - - if (!qif || !mp) - return; - iocp = (struct iocblk *)mp->b_rptr; - if (mp->b_cont && (iocp->ioc_cmd == DL_IOC_HDR_INFO)) { - mp = mp->b_cont; - if (MTYPE(mp) == M_PROTO && mp->b_cont) { - mp = mp->b_cont; - if (MTYPE(mp) == M_DATA) { - qif->qf_hl = mp->b_wptr - mp->b_rptr; - } - } - } -} - - -int fr_qin(q, mb) -queue_t *q; -mblk_t *mb; -{ - int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0; - qif_t qf, *qif; - -#ifdef IPFDEBUG_VERBOSE - if (ipf_debug_verbose) - cmn_err(CE_CONT, - "fr_qin(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n", - q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref, - msgdsize(mb)); -#endif - - /* - * IPFilter is still in the packet path but not enabled. Drop whatever - * it is that has come through. - */ - if (fr_running <= 0) { - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - - type = MTYPE(mb); - - /* - * If a mblk has more than one reference, make a copy, filter that and - * free a reference to the original. 
- */ - if (mb->b_datap->db_ref > 1) { - mblk_t *m1; - - m1 = copymsg(mb); - if (!m1) { - frstats[0].fr_drop++; - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - mb->b_prev = NULL; - freemsg(mb); - mb = m1; - frstats[0].fr_copy++; - } - - READ_ENTER(&ipf_solaris); -again: - if (fr_running <= 0) { - mb->b_prev = NULL; - freemsg(mb); - RWLOCK_EXIT(&ipf_solaris); - return 0; - } - READ_ENTER(&ipfs_mutex); - if (!(qif = qif_from_queue(q))) { - for (qif = qif_head; qif; qif = qif->qf_next) - if (&qif->qf_rqinit == q->q_qinfo && qif->qf_rqinfo && - qif->qf_rqinfo->qi_putp) { - pnext = qif->qf_rqinfo->qi_putp; - frstats[0].fr_notip++; - RWLOCK_EXIT(&ipfs_mutex); - if (!synced) { - ipfsync(); - synced = 1; - goto again; - } - RWLOCK_EXIT(&ipf_solaris); - /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */ - return (*pnext)(q, mb); - } - RWLOCK_EXIT(&ipfs_mutex); - if (!synced) { - ipfsync(); - synced = 1; - goto again; - } - cmn_err(CE_WARN, - "!IP Filter: dropped: fr_qin(%x,%x): type %x qif %x", - q, mb, type, qif); - cmn_err(CE_CONT, - "!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n", - q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, - q->q_nbsrv); - cmn_err(CE_CONT, "!IP Filter: info: putp %x srvp %x info %x\n", - q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, -#if SOLARIS > 3 - q->q_qinfo->qi_infop -#else - 0 -#endif - ); - frstats[0].fr_drop++; - mb->b_prev = NULL; - freemsg(mb); - RWLOCK_EXIT(&ipf_solaris); - return 0; - } - - qif->qf_incnt++; - pnext = qif->qf_rqinfo->qi_putp; - if (type == M_IOCACK) - fr_qif_update(qif, mb); - bcopy((char *)qif, (char *)&qf, sizeof(qf)); - if (datamsg(type) || (type == M_BREAK)) - err = fr_precheck(&mb, q, &qf, 0); - - RWLOCK_EXIT(&ipfs_mutex); - - if ((err == 0) && (mb != NULL)) { - if (pnext) { - RWLOCK_EXIT(&ipf_solaris); - return (*pnext)(q, mb); - } - - cmn_err(CE_WARN, - "!IP Filter: inp NULL: qif %x %s q %x info %x", - qif, qf.qf_name, q, q->q_qinfo); - } - - if (err == -2) { - if (synced == 0) { - ipfsync(); - synced = 1; - 
goto again; - } - frstats[0].fr_notip++; - if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) { - RWLOCK_EXIT(&ipf_solaris); - return (*pnext)(q, mb); - } - } - - - if (mb) { - mb->b_prev = NULL; - freemsg(mb); - } - RWLOCK_EXIT(&ipf_solaris); - return 1; -} - - -int fr_qout(q, mb) -queue_t *q; -mblk_t *mb; -{ - int (*pnext) __P((queue_t *, mblk_t *)), type, synced = 0, err = 0; - qif_t qf, *qif; - -#ifdef IPFDEBUG_VERBOSE - if (ipf_debug_verbose) - cmn_err(CE_CONT, - "fr_qout(%lx,%lx) ptr %lx type 0x%x ref %d len %d\n", - q, q->q_ptr, mb, MTYPE(mb), mb->b_datap->db_ref, - msgdsize(mb)); -#endif - - if (fr_running <= 0) { - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - - type = MTYPE(mb); - -#if SOLARIS2 >= 6 - if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) && - (mb->b_datap->db_ref > 1)) -#else - if (mb->b_datap->db_ref > 1) -#endif - { - mblk_t *m1; - - m1 = copymsg(mb); - if (!m1) { - frstats[1].fr_drop++; - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - mb->b_prev = NULL; - freemsg(mb); - mb = m1; - frstats[1].fr_copy++; - } - - READ_ENTER(&ipf_solaris); -again: - if (fr_running <= 0) { - mb->b_prev = NULL; - freemsg(mb); - RWLOCK_EXIT(&ipf_solaris); - return 0; - } - READ_ENTER(&ipfs_mutex); - if (!(qif = qif_from_queue(q))) { - for (qif = qif_head; qif; qif = qif->qf_next) - if (&qif->qf_wqinit == q->q_qinfo && qif->qf_wqinfo && - qif->qf_wqinfo->qi_putp) { - pnext = qif->qf_wqinfo->qi_putp; - RWLOCK_EXIT(&ipfs_mutex); - frstats[1].fr_notip++; - if (!synced) { - ipfsync(); - synced = 1; - goto again; - } - /* fr_donotip(1, NULL, q, mb, mb, NULL, 0); */ - RWLOCK_EXIT(&ipf_solaris); - return (*pnext)(q, mb); - } - RWLOCK_EXIT(&ipfs_mutex); - if (!synced) { - ipfsync(); - synced = 1; - goto again; - } - cmn_err(CE_WARN, - "!IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x", - q, mb, type, qif); - cmn_err(CE_CONT, - "!IP Filter: info %x next %x ptr %x fsrv %x bsrv %x\n", - q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, - q->q_nbsrv); - 
cmn_err(CE_CONT, "!IP Filter: info: putp %x srvp %x info %x\n", - q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, -#if SOLARIS > 3 - q->q_qinfo->qi_infop -#else - 0 -#endif - ); - if (q->q_nfsrv) - cmn_err(CE_CONT, - "!IP Filter: nfsrv: info %x next %x ptr %x\n", - q->q_nfsrv->q_qinfo, q->q_nfsrv->q_next, - q->q_nfsrv->q_ptr); - if (q->q_nbsrv) - cmn_err(CE_CONT, - "!IP Filter: nbsrv: info %x next %x ptr %x\n", - q->q_nbsrv->q_qinfo, q->q_nbsrv->q_next, - q->q_nbsrv->q_ptr); - frstats[1].fr_drop++; - mb->b_prev = NULL; - freemsg(mb); - RWLOCK_EXIT(&ipf_solaris); - return 0; - } - - qif->qf_outcnt++; - pnext = qif->qf_wqinfo->qi_putp; - if (type == M_IOCACK) - fr_qif_update(qif, mb); - bcopy((char *)qif, (char *)&qf, sizeof(qf)); - if (datamsg(type) || (type == M_BREAK)) - err = fr_precheck(&mb, q, &qf, 1); - - RWLOCK_EXIT(&ipfs_mutex); - - if ((err == 0) && (mb != NULL)) { - if (pnext) { - RWLOCK_EXIT(&ipf_solaris); - return (*pnext)(q, mb); - } - - cmn_err(CE_WARN, - "!IP Filter: outp NULL: qif %x %s q %x info %x", - qif, qf.qf_name, q, q->q_qinfo); - } - - if (err == -2) { - if (synced == 0) { - ipfsync(); - synced = 1; - goto again; - } - frstats[1].fr_notip++; - if (!(fr_flags & FF_BLOCKNONIP) && (pnext != NULL)) { - RWLOCK_EXIT(&ipf_solaris); - return (*pnext)(q, mb); - } - } - - if (mb) { - mb->b_prev = NULL; - freemsg(mb); - } - RWLOCK_EXIT(&ipf_solaris); - return 1; -} - - -void ipf_synctimeout(arg) -void *arg; -{ - if (fr_running < 0) - return; - READ_ENTER(&ipf_solaris); - ipfsync(); - WRITE_ENTER(&ipfs_mutex); - synctimeoutid = 0; - RWLOCK_EXIT(&ipfs_mutex); - RWLOCK_EXIT(&ipf_solaris); -} - - -static int ipf_ip_qin(q, mb) -queue_t *q; -mblk_t *mb; -{ - struct iocblk *ioc; - int ret; - - if (fr_running <= 0) { - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - - if (MTYPE(mb) != M_IOCTL) - return (*ipf_ip_inp)(q, mb); - - READ_ENTER(&ipf_solaris); - if (fr_running <= 0) { - RWLOCK_EXIT(&ipf_solaris); - mb->b_prev = NULL; - freemsg(mb); - return 0; - } - ioc 
= (struct iocblk *)mb->b_rptr; - - switch (ioc->ioc_cmd) - { - case DL_IOC_HDR_INFO: - fr_qif_update(qif_from_queue(q), mb); - break; - case I_LINK: - case I_UNLINK: - case SIOCSIFADDR: - case SIOCSIFFLAGS: -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x", - ioc->ioc_cmd); -#endif - WRITE_ENTER(&ipfs_mutex); - if (synctimeoutid == 0) { - synctimeoutid = timeout(ipf_synctimeout, - NULL, - drv_usectohz(1000000) /*1 sec*/ - ); - } - RWLOCK_EXIT(&ipfs_mutex); - break; - default: - break; - } - RWLOCK_EXIT(&ipf_solaris); - return (*ipf_ip_inp)(q, mb); -} - -static int ipdrvattcnt = 0; -extern struct streamtab ipinfo; - -void solipdrvattach() -{ -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx", - ipdrvattcnt, &ipinfo); -#endif - - if (++ipdrvattcnt == 1) { - if (ipf_ip_inp == NULL) { - ipf_ip_inp = ipinfo.st_wrinit->qi_putp; - ipinfo.st_wrinit->qi_putp = ipf_ip_qin; - } - } -} - -int solipdrvdetach() -{ -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx", - ipdrvattcnt, &ipinfo); -#endif - - WRITE_ENTER(&ipfs_mutex); - if (--ipdrvattcnt <= 0) { - if (ipf_ip_inp && (ipinfo.st_wrinit->qi_putp == ipf_ip_qin)) { - ipinfo.st_wrinit->qi_putp = ipf_ip_inp; - ipf_ip_inp = NULL; - } - if (synctimeoutid) { - untimeout(synctimeoutid); - synctimeoutid = 0; - } - } - RWLOCK_EXIT(&ipfs_mutex); - return ipdrvattcnt; -} - -/* - * attach the packet filter to each interface that is defined as having an - * IP address associated with it and save some of the info. for that struct - * so we're not out of date as soon as the ill disappears - but we must sync - * to be correct! 
- */ -void solattach() -{ - queue_t *in, *out; - struct frentry *f; - qif_t *qif, *qf2; - ipnat_t *np; - size_t len; - ill_t *il; - - for (il = ill_g_head; il; il = il->ill_next) { - in = il->ill_rq; - if (!in || !il->ill_wq) - continue; - - out = il->ill_wq->q_next; - - WRITE_ENTER(&ipfs_mutex); - /* - * Look for entry already setup for this device - */ - for (qif = qif_head; qif; qif = qif->qf_next) - if (qif->qf_iptr == in->q_ptr && - qif->qf_optr == out->q_ptr) - break; - if (qif) { - RWLOCK_EXIT(&ipfs_mutex); - continue; - } -#ifdef IPFDEBUGX - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x", - il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp, - out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo); -#endif - KMALLOC(qif, qif_t *); - if (!qif) { - cmn_err(CE_WARN, - "IP Filter: malloc(%d) for qif_t failed", - sizeof(qif_t)); - RWLOCK_EXIT(&ipfs_mutex); - continue; - } - - if (in->q_qinfo->qi_putp == fr_qin) { - for (qf2 = qif_head; qf2; qf2 = qf2->qf_next) - if (&qf2->qf_rqinit == in->q_qinfo) { - qif->qf_rqinfo = qf2->qf_rqinfo; - break; - } - if (!qf2) { -#ifdef IPFDEBUGX - if (ipf_debug) - cmn_err(CE_WARN, - "IP Filter: rq:%s put %x qi %x", - il->ill_name, in->q_qinfo->qi_putp, - in->q_qinfo); -#endif - RWLOCK_EXIT(&ipfs_mutex); - KFREE(qif); - continue; - } - } else - qif->qf_rqinfo = in->q_qinfo; - - if (out->q_qinfo->qi_putp == fr_qout) { - for (qf2 = qif_head; qf2; qf2 = qf2->qf_next) - if (&qf2->qf_wqinit == out->q_qinfo) { - qif->qf_wqinfo = qf2->qf_wqinfo; - break; - } - if (!qf2) { -#ifdef IPFDEBUGX - if (ipf_debug) - cmn_err(CE_WARN, - "IP Filter: wq:%s put %x qi %x", - il->ill_name, out->q_qinfo->qi_putp, - out->q_qinfo); -#endif - RWLOCK_EXIT(&ipfs_mutex); - KFREE(qif); - continue; - } - } else - qif->qf_wqinfo = out->q_qinfo; - - qif->qf_ill = il; - qif->qf_in = in; - qif->qf_out = out; - qif->qf_iptr = in->q_ptr; - qif->qf_optr = out->q_ptr; -#if SOLARIS2 < 8 - qif->qf_hl = il->ill_hdr_length; -#else - { - 
ire_t *ire; - mblk_t *m; - - qif->qf_hl = 0; - qif->qf_sap = il->ill_sap; -# if 0 - /* - * Can't seem to lookup a route for the IP address on the - * interface itself. - */ - ire = ire_route_lookup(il->ill_ipif->ipif_lcl_addr, 0xffffffff, - 0, 0, NULL, NULL, NULL, - MATCH_IRE_DSTONLY|MATCH_IRE_RECURSIVE); - if ((ire != NULL) && (m = ire->ire_fp_mp)) - qif->qf_hl = m->b_wptr - m->b_rptr; -# endif - if ((qif->qf_hl == 0) && (il->ill_type > 0) && - (il->ill_type < 0x37) && - (hdrsizes[il->ill_type][0] == il->ill_type)) - qif->qf_hl = hdrsizes[il->ill_type][1]; - - /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */ - if (il->ill_type == IFT_ETHER && - il->ill_name[0] == 'c' && il->ill_name[1] == 'e' && - isdigit(il->ill_name[2]) && il->ill_name_length >= 6) { - cmn_err(CE_NOTE, "VLAN HACK ENABLED"); - qif->qf_hl += 4; - } - /* DREADFUL VLAN HACK - JUST HERE TO CHECK IT WORKS */ - - if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER) - cmn_err(CE_WARN, - "Unknown layer 2 header size for %s type %d", - il->ill_name, il->ill_type); - } - - /* - * XXX Awful hack for PPP; fix when PPP/snoop fixed. 
- */ - if (il->ill_type == IFT_ETHER && !il->ill_bcast_addr_length) - qif->qf_hl = 0; -#endif - strncpy(qif->qf_name, il->ill_name, sizeof(qif->qf_name)); - qif->qf_name[sizeof(qif->qf_name) - 1] = '\0'; - - qif->qf_next = qif_head; - qif_head = qif; - - /* - * Activate any rules directly associated with this interface - */ - WRITE_ENTER(&ipf_mutex); - for (f = ipfilter[0][fr_active]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname) + 1; - if ((len != 0) && - (len == (size_t)il->ill_name_length) && - !strncmp(il->ill_name, f->fr_ifname, len)) - f->fr_ifa = il; - } - } - for (f = ipfilter[1][fr_active]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname) + 1; - if ((len != 0) && - (len == (size_t)il->ill_name_length) && - !strncmp(il->ill_name, f->fr_ifname, len)) - f->fr_ifa = il; - } - } -#if SOLARIS2 >= 8 - for (f = ipfilter6[0][fr_active]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname) + 1; - if ((len != 0) && - (len == (size_t)il->ill_name_length) && - !strncmp(il->ill_name, f->fr_ifname, len)) - f->fr_ifa = il; - } - } - for (f = ipfilter6[1][fr_active]; f; f = f->fr_next) { - if ((f->fr_ifa == (struct ifnet *)-1)) { - len = strlen(f->fr_ifname) + 1; - if ((len != 0) && - (len == (size_t)il->ill_name_length) && - !strncmp(il->ill_name, f->fr_ifname, len)) - f->fr_ifa = il; - } - } -#endif - RWLOCK_EXIT(&ipf_mutex); - WRITE_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) { - if ((np->in_ifp == (struct ifnet *)-1)) { - len = strlen(np->in_ifname) + 1; - if ((len != 0) && - (len == (size_t)il->ill_name_length) && - !strncmp(il->ill_name, np->in_ifname, len)) - np->in_ifp = il; - } - } - RWLOCK_EXIT(&ipf_nat); - - bcopy((caddr_t)qif->qf_rqinfo, (caddr_t)&qif->qf_rqinit, - sizeof(struct qinit)); - qif->qf_rqinit.qi_putp = fr_qin; -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: solattach: in 
queue(%lx)->q_qinfo FROM %lx TO %lx", - in, in->q_qinfo, &qif->qf_rqinit); -#endif - in->q_qinfo = &qif->qf_rqinit; - - bcopy((caddr_t)qif->qf_wqinfo, (caddr_t)&qif->qf_wqinit, - sizeof(struct qinit)); - qif->qf_wqinit.qi_putp = fr_qout; -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: solattach: out queue(%lx)->q_qinfo FROM %lx TO %lx", - out, out->q_qinfo, &qif->qf_wqinit); -#endif - out->q_qinfo = &qif->qf_wqinit; - - ire_walk(ipf_ire_walk, (char *)qif); - RWLOCK_EXIT(&ipfs_mutex); - cmn_err(CE_CONT, "IP Filter: attach to [%s,%d] - %s\n", - qif->qf_name, il->ill_ppa, -#if SOLARIS2 >= 8 - il->ill_isv6 ? "IPv6" : "IPv4" -#else - "IPv4" -#endif - ); - } - if (!qif_head) - cmn_err(CE_CONT, "IP Filter: not attached to any interfaces\n"); - return; -} - - -/* - * look for bad consistancies between the list of interfaces the filter knows - * about and those which are currently configured. - */ -int ipfsync() -{ - register struct frentry *f; - register ipnat_t *np; - register qif_t *qif, **qp; - register ill_t *il; - queue_t *in, *out; - - WRITE_ENTER(&ipfs_mutex); - for (qp = &qif_head; (qif = *qp); ) { - for (il = ill_g_head; il; il = il->ill_next) - if ((qif->qf_ill == il) && - !strcmp(qif->qf_name, il->ill_name)) { -#if SOLARIS2 < 8 - mblk_t *m = il->ill_hdr_mp; - - qif->qf_hl = il->ill_hdr_length; - if (m && qif->qf_hl != (m->b_wptr - m->b_rptr)) - cmn_err(CE_NOTE, - "IP Filter: ILL Header Length Mismatch\n"); -#endif - break; - } - if (il) { - qp = &qif->qf_next; - continue; - } - cmn_err(CE_CONT, "IP Filter: detaching [%s] - %s\n", - qif->qf_name, -#if SOLARIS2 >= 8 - (qif->qf_sap == IP6_DL_SAP) ? 
"IPv6" : "IPv4" -#else - "IPv4" -#endif - ); - *qp = qif->qf_next; - - /* - * Disable any rules directly associated with this interface - */ - WRITE_ENTER(&ipf_nat); - for (np = nat_list; np; np = np->in_next) - if (np->in_ifp == (void *)qif->qf_ill) - np->in_ifp = (struct ifnet *)-1; - RWLOCK_EXIT(&ipf_nat); - WRITE_ENTER(&ipf_mutex); - for (f = ipfilter[0][fr_active]; f; f = f->fr_next) - if (f->fr_ifa == (void *)qif->qf_ill) - f->fr_ifa = (struct ifnet *)-1; - for (f = ipfilter[1][fr_active]; f; f = f->fr_next) - if (f->fr_ifa == (void *)qif->qf_ill) - f->fr_ifa = (struct ifnet *)-1; -#if SOLARIS2 >= 8 - for (f = ipfilter6[0][fr_active]; f; f = f->fr_next) - if (f->fr_ifa == (void *)qif->qf_ill) - f->fr_ifa = (struct ifnet *)-1; - for (f = ipfilter6[1][fr_active]; f; f = f->fr_next) - if (f->fr_ifa == (void *)qif->qf_ill) - f->fr_ifa = (struct ifnet *)-1; -#endif - -#if 0 /* XXX */ - /* - * As well as the ill disappearing when a device is unplumb'd, - * it also appears that the associated queue structures also - * disappear - at least in the case of ppp, which is the most - * volatile here. Thanks to Greg for finding this problem. - */ - /* - * Restore q_qinfo pointers in interface queues - */ - out = qif->qf_out; - in = qif->qf_in; - if (in) { -# ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: ipfsync: in queue(%lx)->q_qinfo FROM %lx TO %lx", - in, in->q_qinfo, qif->qf_rqinfo); -# endif - in->q_qinfo = qif->qf_rqinfo; - } - if (out) { -# ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: ipfsync: out queue(%lx)->q_qinfo FROM %lx TO %lx", - out, out->q_qinfo, qif->qf_wqinfo); -# endif - out->q_qinfo = qif->qf_wqinfo; - } -#endif /* XXX */ - RWLOCK_EXIT(&ipf_mutex); - KFREE(qif); - qif = *qp; - } - RWLOCK_EXIT(&ipfs_mutex); - solattach(); - - frsync(); - /* - * Resync. any NAT `connections' using this interface and its IP #. 
- */ - for (il = ill_g_head; il; il = il->ill_next) { - ip_natsync((void *)il); - ip_statesync((void *)il); - } - return 0; -} - - -/* - * unhook the IP filter from all defined interfaces with IP addresses - */ -int soldetach() -{ - queue_t *in, *out; - qif_t *qif, **qp; - ill_t *il; - - WRITE_ENTER(&ipfs_mutex); - /* - * Make two passes, first get rid of all the unknown devices, next - * unlink known devices. - */ - for (qp = &qif_head; (qif = *qp); ) { - for (il = ill_g_head; il; il = il->ill_next) - if (qif->qf_ill == il) - break; - if (il) { - qp = &qif->qf_next; - continue; - } - cmn_err(CE_CONT, "IP Filter: removing [%s]\n", qif->qf_name); - *qp = qif->qf_next; - KFREE(qif); - } - - while ((qif = qif_head)) { - qif_head = qif->qf_next; - for (il = ill_g_head; il; il = il->ill_next) - if (qif->qf_ill == il) - break; - if (il) { - in = qif->qf_in; - out = qif->qf_out; - cmn_err(CE_CONT, "IP Filter: detaching [%s,%d] - %s\n", - qif->qf_name, il->ill_ppa, -#if SOLARIS2 >= 8 - (qif->qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4" -#else - "IPv4" -#endif - ); - -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: soldetach: in queue(%lx)->q_qinfo FROM %lx TO %lx", - in, in->q_qinfo, qif->qf_rqinfo); -#endif - in->q_qinfo = qif->qf_rqinfo; - - /* - * and the write queue... 
- */ -#ifdef IPFDEBUG - if (ipf_debug) - cmn_err(CE_NOTE, - "IP Filter: soldetach: out queue(%lx)->q_qinfo FROM %lx TO %lx", - out, out->q_qinfo, qif->qf_wqinfo); -#endif - out->q_qinfo = qif->qf_wqinfo; - } - KFREE(qif); - } - RWLOCK_EXIT(&ipfs_mutex); - return ipldetach(); -} - - -#ifdef IPFDEBUG -void printire(ire) -ire_t *ire; -{ - if (!ipf_debug) - return; - printf("ire: ll_hdr_mp %p rfq %p stq %p src_addr %x max_frag %d\n", -# if SOLARIS2 >= 8 - NULL, -# else - ire->ire_ll_hdr_mp, -# endif - ire->ire_rfq, ire->ire_stq, - ire->ire_src_addr, ire->ire_max_frag); - printf("ire: mask %x addr %x gateway_addr %x type %d\n", - ire->ire_mask, ire->ire_addr, ire->ire_gateway_addr, - ire->ire_type); - printf("ire: ll_hdr_length %d ll_hdr_saved_mp %p\n", - ire->ire_ll_hdr_length, -# if SOLARIS2 >= 8 - NULL -# else - ire->ire_ll_hdr_saved_mp -# endif - ); -} -#endif - - -int ipfr_fastroute(ip, mb, mpp, fin, fdp) -ip_t *ip; -mblk_t *mb, **mpp; -fr_info_t *fin; -frdest_t *fdp; -{ -#ifdef USE_INET6 - ip6_t *ip6 = (ip6_t *)ip; -#endif - ire_t *ir, *dir, *gw; - struct in_addr dst; - queue_t *q = NULL; - mblk_t *mp = NULL; - size_t hlen = 0; - frentry_t *fr; - frdest_t fd; - ill_t *ifp; - u_char *s; - qif_t *qf; - int p; - -#ifndef sparc - u_short __iplen, __ipoff; -#endif - qf = fin->fin_qif; - - /* - * If this is a duplicate mblk then we want ip to point at that - * data, not the original, if and only if it is already pointing at - * the current mblk data. 
- */ - if ((ip == (ip_t *)qf->qf_m->b_rptr) && (qf->qf_m != mb)) - ip = (ip_t *)mb->b_rptr; - - /* - * If there is another M_PROTO, we don't want it - */ - if (*mpp != mb) { - mp = *mpp; - (void) unlinkb(mp); - mp = (*mpp)->b_cont; - (*mpp)->b_cont = NULL; - (*mpp)->b_prev = NULL; - freemsg(*mpp); - *mpp = mp; - } - - if (!fdp) { - ipif_t *ipif; - - ifp = fin->fin_ifp; - ipif = ifp->ill_ipif; - if (!ipif) - goto bad_fastroute; -#if SOLARIS2 > 5 - ir = ire_ctable_lookup(ipif->ipif_local_addr, 0, IRE_LOCAL, - NULL, NULL, MATCH_IRE_TYPE); -#else - ir = ire_lookup_myaddr(ipif->ipif_local_addr); -#endif - if (!ir) - ir = (ire_t *)-1; - - fd.fd_ifp = (struct ifnet *)ir; - fd.fd_ip = ip->ip_dst; - fdp = &fd; - } - - ir = (ire_t *)fdp->fd_ifp; - - if (fdp->fd_ip.s_addr) - dst = fdp->fd_ip; - else - dst.s_addr = fin->fin_fi.fi_daddr; - -#if SOLARIS2 >= 6 - gw = NULL; - if (fin->fin_v == 4) { - p = ip->ip_p; - dir = ire_route_lookup(dst.s_addr, 0xffffffff, 0, 0, NULL, - &gw, NULL, MATCH_IRE_DSTONLY| - MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); - } -# ifdef USE_INET6 - else if (fin->fin_v == 6) { - p = ip6->ip6_nxt; - dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0, - NULL, &gw, NULL, MATCH_IRE_DSTONLY| - MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); - } -# endif -#else - dir = ire_lookup(dst.s_addr); -#endif -#if SOLARIS2 < 8 - if (dir) - if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length) - dir = NULL; -#else - if (dir) - if (!dir->ire_fp_mp || !dir->ire_dlureq_mp) - dir = NULL; -#endif - - if (!ir) - ir = dir; - - if (ir && dir) { - ifp = ire_to_ill(ir); - if (ifp == NULL) - goto bad_fastroute; - fr = fin->fin_fr; - - /* - * In case we're here due to "to <if>" being used with - * "keep state", check that we're going in the correct - * direction. 
- */ - if ((fr != NULL) && (fdp->fd_ifp != NULL) && - (fin->fin_rev != 0) && (fdp == &fr->fr_tif)) - return 1; - - fin->fin_ifp = ifp; - if (fin->fin_out == 0) { - fin->fin_fr = ipacct[1][fr_active]; - if ((fin->fin_fr != NULL) && - (fr_scanlist(FR_NOMATCH, ip, fin, mb)&FR_ACCOUNT)){ - ATOMIC_INCL(frstats[1].fr_acct); - } - fin->fin_fr = NULL; - if (!fr || !(fr->fr_flags & FR_RETMASK)) - (void) fr_checkstate(ip, fin); - (void) ip_natout(ip, fin); - } -#ifndef sparc - if (fin->fin_v == 4) { - __iplen = (u_short)ip->ip_len, - __ipoff = (u_short)ip->ip_off; - - ip->ip_len = htons(__iplen); - ip->ip_off = htons(__ipoff); - } -#endif - -#if SOLARIS2 < 8 - mp = dir->ire_ll_hdr_mp; - hlen = dir->ire_ll_hdr_length; -#else - mp = dir->ire_fp_mp; - hlen = mp ? mp->b_wptr - mp->b_rptr : 0; - mp = dir->ire_dlureq_mp; -#endif - if (mp != NULL) { - s = mb->b_rptr; - if ( -#if SOLARIS2 >= 6 - (dohwcksum && - ifp->ill_ick.ick_magic == ICK_M_CTL_MAGIC) || -#endif - (hlen && (s - mb->b_datap->db_base) >= hlen)) { - s -= hlen; - mb->b_rptr = (u_char *)s; - bcopy((char *)mp->b_rptr, (char *)s, hlen); - } else { - mblk_t *mp2; - - mp2 = copyb(mp); - if (!mp2) - goto bad_fastroute; - linkb(mp2, mb); - mb = mp2; - } - } - *mpp = mb; - - if (ir->ire_stq) - q = ir->ire_stq; - else if (ir->ire_rfq) - q = WR(ir->ire_rfq); - if (q) { - mb->b_prev = NULL; - mb->b_queue = q; - RWLOCK_EXIT(&ipfs_mutex); - RWLOCK_EXIT(&ipf_solaris); -#if SOLARIS2 >= 6 - if ((p == IPPROTO_TCP) && dohwcksum && - (ifp->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) { - tcphdr_t *tcp; - u_32_t t; - - tcp = (tcphdr_t *)((char *)ip + fin->fin_hlen); - t = ip->ip_src.s_addr; - t += ip->ip_dst.s_addr; - t += 30; - t = (t & 0xffff) + (t >> 16); - tcp->th_sum = t & 0xffff; - } -#endif - putnext(q, mb); - READ_ENTER(&ipf_solaris); - READ_ENTER(&ipfs_mutex); - ipl_frouteok[0]++; - *mpp = NULL; - return 0; - } - } -bad_fastroute: - mb->b_prev = NULL; - freemsg(mb); - ipl_frouteok[1]++; - *mpp = NULL; - return -1; -} - - -void 
copyout_mblk(m, off, len, buf) -mblk_t *m; -size_t off, len; -char *buf; -{ - u_char *s, *bp = (u_char *)buf; - size_t mlen, olen, clen; - - for (; m && len; m = m->b_cont) { - if (MTYPE(m) != M_DATA) - continue; - s = m->b_rptr; - mlen = m->b_wptr - s; - olen = MIN(off, mlen); - if ((olen == mlen) || (olen < off)) { - off -= olen; - continue; - } else if (olen) { - off -= olen; - s += olen; - mlen -= olen; - } - clen = MIN(mlen, len); - bcopy(s, bp, clen); - len -= clen; - bp += clen; - } -} - - -void copyin_mblk(m, off, len, buf) -mblk_t *m; -size_t off, len; -char *buf; -{ - u_char *s, *bp = (u_char *)buf; - size_t mlen, olen, clen; - - for (; m && len; m = m->b_cont) { - if (MTYPE(m) != M_DATA) - continue; - s = m->b_rptr; - mlen = m->b_wptr - s; - olen = MIN(off, mlen); - if ((olen == mlen) || (olen < off)) { - off -= olen; - continue; - } else if (olen) { - off -= olen; - s += olen; - mlen -= olen; - } - clen = MIN(mlen, len); - bcopy(bp, s, clen); - len -= clen; - bp += clen; - } -} - - -int fr_verifysrc(ipa, ifp) -struct in_addr ipa; -void *ifp; -{ - ire_t *ir, *dir, *gw; - -#if SOLARIS2 >= 6 - dir = ire_route_lookup(ipa.s_addr, 0xffffffff, 0, 0, NULL, &gw, NULL, - MATCH_IRE_DSTONLY|MATCH_IRE_DEFAULT| - MATCH_IRE_RECURSIVE); -#else - dir = ire_lookup(ipa.s_addr); -#endif - - if (!dir) - return 0; - return (ire_to_ill(dir) == ifp); -} diff --git a/contrib/ipfilter/test/expected/1 b/contrib/ipfilter/test/expected/1 deleted file mode 100644 index 93b733336d39..000000000000 --- a/contrib/ipfilter/test/expected/1 +++ /dev/null @@ -1,16 +0,0 @@ -block -block -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -pass -pass diff --git a/contrib/ipfilter/test/expected/10 b/contrib/ipfilter/test/expected/10 deleted file mode 100644 index bc0d83ec88f2..000000000000 --- a/contrib/ipfilter/test/expected/10 +++ /dev/null 
@@ -1,108 +0,0 @@ -nomatch -block -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -pass -block -block -block -nomatch -nomatch -block -pass -pass -pass -nomatch -nomatch -pass -block -block -nomatch -nomatch -nomatch -block -pass -pass -nomatch -nomatch -nomatch -pass -block -block -block -block -block -block -pass -pass -pass -pass -pass -pass -nomatch -block -block -block -nomatch -block -nomatch -pass -pass -pass -nomatch -pass -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -pass -pass -pass -pass -pass -block -block -nomatch -block -nomatch -block -pass -pass -nomatch -pass -nomatch -pass -block -block -block -block -block -block -pass -pass -pass -pass -pass -pass -block -block -block -nomatch -nomatch -block diff --git a/contrib/ipfilter/test/expected/11 b/contrib/ipfilter/test/expected/11 deleted file mode 100644 index eb00875e01a9..000000000000 --- a/contrib/ipfilter/test/expected/11 +++ /dev/null @@ -1,66 +0,0 @@ -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch diff --git a/contrib/ipfilter/test/expected/12 b/contrib/ipfilter/test/expected/12 deleted file mode 100644 index f94cf768273a..000000000000 --- a/contrib/ipfilter/test/expected/12 +++ /dev/null 
@@ -1,54 +0,0 @@ -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block diff --git a/contrib/ipfilter/test/expected/14 b/contrib/ipfilter/test/expected/14 deleted file mode 100644 index d06d92b3e02a..000000000000 --- a/contrib/ipfilter/test/expected/14 +++ /dev/null @@ -1,40 +0,0 @@ -nomatch -block -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -pass -pass -pass -nomatch -block -block -block -block -block -pass -pass -pass -pass -pass diff --git a/contrib/ipfilter/test/expected/2 b/contrib/ipfilter/test/expected/2 deleted file mode 100644 index 03b71cdb9ea9..000000000000 --- a/contrib/ipfilter/test/expected/2 +++ /dev/null @@ -1,36 +0,0 @@ -block -block -nomatch -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -nomatch -pass -pass diff --git a/contrib/ipfilter/test/expected/3 b/contrib/ipfilter/test/expected/3 deleted file mode 100644 index d06d92b3e02a..000000000000 --- a/contrib/ipfilter/test/expected/3 +++ /dev/null @@ -1,40 +0,0 @@ -nomatch -block -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -pass -pass -pass -nomatch -block -block -block -block -block -pass -pass -pass -pass -pass 
diff --git a/contrib/ipfilter/test/expected/4 b/contrib/ipfilter/test/expected/4 deleted file mode 100644 index d06d92b3e02a..000000000000 --- a/contrib/ipfilter/test/expected/4 +++ /dev/null @@ -1,40 +0,0 @@ -nomatch -block -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -block -block -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -pass -pass -pass -nomatch -block -block -block -block -block -pass -pass -pass -pass -pass diff --git a/contrib/ipfilter/test/expected/5 b/contrib/ipfilter/test/expected/5 deleted file mode 100644 index bc805805f136..000000000000 --- a/contrib/ipfilter/test/expected/5 +++ /dev/null 
@@ -1,1344 +0,0 @@ -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block 
-block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch diff --git a/contrib/ipfilter/test/expected/6 b/contrib/ipfilter/test/expected/6 deleted file mode 100644 index bc805805f136..000000000000 --- a/contrib/ipfilter/test/expected/6 +++ /dev/null 
@@ -1,1344 +0,0 @@ -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block 
-block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -block -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -pass -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -block -block -block -nomatch -block -block -block -block -block -block -block -block -block -block -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -pass -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch 
-nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -pass -pass -pass -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch diff --git a/contrib/ipfilter/test/expected/7 b/contrib/ipfilter/test/expected/7 deleted file mode 100644 index c53d6eaa0cb9..000000000000 --- a/contrib/ipfilter/test/expected/7 +++ /dev/null @@ -1,54 +0,0 @@ -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -block -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -pass -pass -pass diff --git a/contrib/ipfilter/test/expected/8 b/contrib/ipfilter/test/expected/8 deleted file mode 100644 index 398058a5ec52..000000000000 --- a/contrib/ipfilter/test/expected/8 +++ /dev/null 
@@ -1,36 +0,0 @@ -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -block -nomatch -nomatch -nomatch -pass -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch diff --git a/contrib/ipfilter/test/expected/9 b/contrib/ipfilter/test/expected/9 deleted file mode 100644 index a4572e6e94e0..000000000000 --- a/contrib/ipfilter/test/expected/9 +++ /dev/null @@ -1,108 +0,0 @@ -block -block -block -block -block -block -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -nomatch -nomatch -nomatch -nomatch -nomatch -pass -nomatch -nomatch -nomatch -nomatch -pass -pass -pass -pass -pass -pass -block -block -nomatch -nomatch -nomatch -nomatch -pass -pass -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -nomatch -block -block -nomatch diff --git a/contrib/ipfilter/test/expected/expected.sed b/contrib/ipfilter/test/expected/expected.sed deleted file mode 100644 index e69de29bb2d1..000000000000 --- a/contrib/ipfilter/test/expected/expected.sed +++ /dev/null diff --git a/contrib/ipfilter/test/input/1 b/contrib/ipfilter/test/input/1 deleted file mode 100644 index 7c3ae8a3a3db..000000000000 --- a/contrib/ipfilter/test/input/1 +++ /dev/null @@ -1,4 +0,0 @@ -in 127.0.0.1 127.0.0.1 -in 1.1.1.1 1.2.1.1 -out 127.0.0.1 127.0.0.1 -out 1.1.1.1 1.2.1.1 
diff --git a/contrib/ipfilter/test/input/10 b/contrib/ipfilter/test/input/10
deleted file mode 100644
index 254cee7316ff..000000000000
--- a/contrib/ipfilter/test/input/10
+++ /dev/null
@@ -1,6 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/11 b/contrib/ipfilter/test/input/11
deleted file mode 100644
index 4eda58eac04e..000000000000
--- a/contrib/ipfilter/test/input/11
+++ /dev/null
@@ -1,11 +0,0 @@
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
-in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
-in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
-in on e1 udp 1.1.1.1,1 4.4.4.4,53
-in on e1 udp 2.2.2.2,2 4.4.4.4,53
-in on e0 udp 4.4.4.4,53 1.1.1.1,1
-in on e0 udp 4.4.4.4,1023 1.1.1.1,2049
-in on e0 udp 4.4.4.4,2049 1.1.1.1,1023
diff --git a/contrib/ipfilter/test/input/12 b/contrib/ipfilter/test/input/12
deleted file mode 100644
index 5d9c1de3590d..000000000000
--- a/contrib/ipfilter/test/input/12
+++ /dev/null
@@ -1,35 +0,0 @@
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF SYN
-45 00 0028 0000 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 02 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF ACK
-45 00 0028 0000 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 ACK
-45 00 0028 0000 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-45 00 001c 0000 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 ACK
-45 00 001c 0000 6001 3f 06 0000 01010101 02010101
-00000000 50 10 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-45 00 0014 0000 6000 3f 11 0000 01010101 02010101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 0018 0000 2000 3f 11 0000 01010101 02010101
-0035 0035
-
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
-45 00 001c 0000 2000 3f 11 0000 01010101 02010101
-0001 0001 0004 0000
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 001c 0000 2000 3f 11 0000 01010101 02010101
-0035 0035 0004 0000
-
diff --git a/contrib/ipfilter/test/input/13 b/contrib/ipfilter/test/input/13
deleted file mode 100644
index 56ec16d99b83..000000000000
--- a/contrib/ipfilter/test/input/13
+++ /dev/null
@@ -1,39 +0,0 @@
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF,MF,FO=0 SYN
-45 00 0028 0001 4000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 02 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP MF ACK
-45 00 0024 0002 2000 3f 06 0000 01010101 02010101
-0401001900000000 0000000050102000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP FO=2 ACK
-45 00 002c 0002 0002 3f 06 0000 01010101 02010101
-0000000000010203 0405060708090a0b 0c0d0e0f10111213
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF MF FO=0 SYN
-45 00 0028 0003 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000 00000000 50 10 2000 0000 0000
-
-# 1.1.1.1,1025 -> 2.1.1.1,25 TTL=63 TCP DF FO=0
-45 00 001c 0004 6000 3f 06 0000 01010101 02010101
-0401 0019 00000000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 TCP DF FO=1 SYN
-45 00 001c 0005 6001 3f 06 0000 01010101 02010101
-00000000 50 10 2000
-
-# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP DF MF FO=0
-45 00 0014 0006 6000 3f 11 0000 01010101 02010101
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
-45 00 0018 0007 2000 3f 11 0000 01010101 02010101
-0035 0035
-
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
-45 00 001c 0008 2000 3f 11 0000 01010101 02010101
-0035003500040000
-
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
-45 00 001c 0008 0001 3f 11 0000 01010101 02010101
-0000000000000000
-
diff --git a/contrib/ipfilter/test/input/14 b/contrib/ipfilter/test/input/14
deleted file mode 100644
index 16a806ffec7b..000000000000
--- a/contrib/ipfilter/test/input/14
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/2 b/contrib/ipfilter/test/input/2
deleted file mode 100644
index d168af0c716a..000000000000
--- a/contrib/ipfilter/test/input/2
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 127.0.0.1,1 127.0.0.1,21
-in tcp 1.1.1.1,1 1.2.1.1,21
-in udp 127.0.0.1,1 127.0.0.1,21
-in udp 1.1.1.1,1 1.2.1.1,21
-in icmp 127.0.0.1 127.0.0.1
-in icmp 1.1.1.1 1.2.1.1
diff --git a/contrib/ipfilter/test/input/3 b/contrib/ipfilter/test/input/3
deleted file mode 100644
index 16a806ffec7b..000000000000
--- a/contrib/ipfilter/test/input/3
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.2.1.1
-in 1.1.1.2 1.2.1.1
-in 1.1.2.2 1.2.1.1
-in 1.2.2.2 1.2.1.1
diff --git a/contrib/ipfilter/test/input/4 b/contrib/ipfilter/test/input/4
deleted file mode 100644
index 2956d1b15454..000000000000
--- a/contrib/ipfilter/test/input/4
+++ /dev/null
@@ -1,5 +0,0 @@
-in 127.0.0.1 127.0.0.1
-in 1.1.1.1 1.1.1.1
-in 1.1.1.1 1.1.1.2
-in 1.1.1.1 1.1.2.2
-in 1.1.1.1 1.2.2.2
diff --git a/contrib/ipfilter/test/input/5 b/contrib/ipfilter/test/input/5
deleted file mode 100644
index 41600c10763b..000000000000
--- a/contrib/ipfilter/test/input/5
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 1.1.1.1,0 2.2.2.2,2222
-in tcp 1.1.1.1,1 2.2.2.2,2222
-in tcp 1.1.1.1,23 2.2.2.2,2222
-in tcp 1.1.1.1,21 2.2.2.2,2222
-in tcp 1.1.1.1,1023 2.2.2.2,2222
-in tcp 1.1.1.1,1024 2.2.2.2,2222
-in tcp 1.1.1.1,1025 2.2.2.2,2222
-in tcp 1.1.1.1,32767 2.2.2.2,2222
-in tcp 1.1.1.1,32768 2.2.2.2,2222
-in tcp 1.1.1.1,65535 2.2.2.2,2222
-in tcp 1.1.1.1,5999 2.2.2.2,2222
-in tcp 1.1.1.1,6000 2.2.2.2,2222
-in tcp 1.1.1.1,6009 2.2.2.2,2222
-in tcp 1.1.1.1,6010 2.2.2.2,2222
-in udp 1.1.1.1,0 2.2.2.2,2222
-in udp 1.1.1.1,1 2.2.2.2,2222
-in udp 1.1.1.1,23 2.2.2.2,2222
-in udp 1.1.1.1,21 2.2.2.2,2222
-in udp 1.1.1.1,1023 2.2.2.2,2222
-in udp 1.1.1.1,1024 2.2.2.2,2222
-in udp 1.1.1.1,1025 2.2.2.2,2222
-in udp 1.1.1.1,32767 2.2.2.2,2222
-in udp 1.1.1.1,32768 2.2.2.2,2222
-in udp 1.1.1.1,65535 2.2.2.2,2222
-in udp 1.1.1.1,5999 2.2.2.2,2222
-in udp 1.1.1.1,6000 2.2.2.2,2222
-in udp 1.1.1.1,6009 2.2.2.2,2222
-in udp 1.1.1.1,6010 2.2.2.2,2222
diff --git a/contrib/ipfilter/test/input/6 b/contrib/ipfilter/test/input/6
deleted file mode 100644
index 21f0be3336c5..000000000000
--- a/contrib/ipfilter/test/input/6
+++ /dev/null
@@ -1,28 +0,0 @@
-in tcp 2.2.2.2,2222 1.1.1.1,0
-in tcp 2.2.2.2,2222 1.1.1.1,1
-in tcp 2.2.2.2,2222 1.1.1.1,23
-in tcp 2.2.2.2,2222 1.1.1.1,21
-in tcp 2.2.2.2,2222 1.1.1.1,1023
-in tcp 2.2.2.2,2222 1.1.1.1,1024
-in tcp 2.2.2.2,2222 1.1.1.1,1025
-in tcp 2.2.2.2,2222 1.1.1.1,32767
-in tcp 2.2.2.2,2222 1.1.1.1,32768
-in tcp 2.2.2.2,2222 1.1.1.1,65535
-in tcp 2.2.2.2,2222 1.1.1.1,5999
-in tcp 2.2.2.2,2222 1.1.1.1,6000
-in tcp 2.2.2.2,2222 1.1.1.1,6009
-in tcp 2.2.2.2,2222 1.1.1.1,6010
-in udp 2.2.2.2,2222 1.1.1.1,0
-in udp 2.2.2.2,2222 1.1.1.1,1
-in udp 2.2.2.2,2222 1.1.1.1,23
-in udp 2.2.2.2,2222 1.1.1.1,21
-in udp 2.2.2.2,2222 1.1.1.1,1023
-in udp 2.2.2.2,2222 1.1.1.1,1024
-in udp 2.2.2.2,2222 1.1.1.1,1025
-in udp 2.2.2.2,2222 1.1.1.1,32767
-in udp 2.2.2.2,2222 1.1.1.1,32768
-in udp 2.2.2.2,2222 1.1.1.1,65535
-in udp 2.2.2.2,2222 1.1.1.1,5999
-in udp 2.2.2.2,2222 1.1.1.1,6000
-in udp 2.2.2.2,2222 1.1.1.1,6009
-in udp 2.2.2.2,2222 1.1.1.1,6010
diff --git a/contrib/ipfilter/test/input/7 b/contrib/ipfilter/test/input/7
deleted file mode 100644
index 2721af2fb71e..000000000000
--- a/contrib/ipfilter/test/input/7
+++ /dev/null
@@ -1,9 +0,0 @@
-in icmp 1.1.1.1 2.1.1.1 echo
-in icmp 1.1.1.1 2.1.1.1 echo,1
-in icmp 1.1.1.1 2.1.1.1 echo,3
-in icmp 1.1.1.1 2.1.1.1 unreach
-in icmp 1.1.1.1 2.1.1.1 unreach,1
-in icmp 1.1.1.1 2.1.1.1 unreach,3
-in icmp 1.1.1.1 2.1.1.1 echorep
-in icmp 1.1.1.1 2.1.1.1 echorep,1
-in icmp 1.1.1.1 2.1.1.1 echorep,3
diff --git a/contrib/ipfilter/test/input/8 b/contrib/ipfilter/test/input/8
deleted file mode 100644
index cace511fbeb8..000000000000
--- a/contrib/ipfilter/test/input/8
+++ /dev/null
@@ -1,6 +0,0 @@
-in tcp 1.1.1.1,1 2.1.2.2,1 S
-in tcp 1.1.1.1,1 2.1.2.2,1 SA
-in tcp 1.1.1.1,1 2.1.2.2,1 SF
-in tcp 1.1.1.1,1 2.1.2.2,1 SFPAUR
-in tcp 1.1.1.1,1 2.1.2.2,1 PAU
-in tcp 1.1.1.1,1 2.1.2.2,1 A
diff --git a/contrib/ipfilter/test/input/9 b/contrib/ipfilter/test/input/9
deleted file mode 100644
index 33f3be392a7d..000000000000
--- a/contrib/ipfilter/test/input/9
+++ /dev/null
@@ -1,6 +0,0 @@
-in 1.1.1.1 2.1.1.1 opt lsrr
-in 1.1.1.1 2.1.1.1 opt lsrr,ssrr
-in 1.1.1.1 2.1.1.1 opt ts
-in 1.1.1.1 2.1.1.1 opt sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt ssrr,sec-class=topsecret
-in 1.1.1.1 2.1.1.1 opt sec
diff --git a/contrib/ipfilter/test/input/input.sed b/contrib/ipfilter/test/input/input.sed
deleted file mode 100644
index e69de29bb2d1..000000000000
--- a/contrib/ipfilter/test/input/input.sed
+++ /dev/null
diff --git a/contrib/ipfilter/test/input/ipf6-1 b/contrib/ipfilter/test/input/ipf6-1
deleted file mode 100644
index 8cc2d175dc24..000000000000
--- a/contrib/ipfilter/test/input/ipf6-1
+++ /dev/null
@@ -1,26 +0,0 @@
-[out,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 0013 ff02 0000 0000 0000
-0000 0001 ff01 000b 8700 ea32 0000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0101 0048 5487 5c6f
-
-[in,de0]
-6000 0000 0020 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8800 5322 6000 0000
-ef00 0000 0000 0000 0000 0000 0001 000b
-0201 0800 2071 cce1
-
-[out,de0]
-6000 0000 0010 3a40 ef00 0000 0000 0000
-0000 0000 0001 0013 ef00 0000 0000 0000
-0000 0000 0001 000b 8000 3210 06ff 0002
-9ec3 3c3c 8a82 0300
-
-[in,de0]
-6000 0000 0010 3aff ef00 0000 0000 0000
-0000 0000 0001 000b ef00 0000 0000 0000
-0000 0000 0001 0013 8100 3110 06ff 0002
-9ec3 3c3c 8a82 0300
-
diff --git a/contrib/ipfilter/test/regress/1 b/contrib/ipfilter/test/regress/1
deleted file mode 100644
index 6a2ede9e31c0..000000000000
--- a/contrib/ipfilter/test/regress/1
+++ /dev/null
@@ -1,4 +0,0 @@
-block in all
-pass in all
-block out all
-pass out all
diff --git a/contrib/ipfilter/test/regress/10 b/contrib/ipfilter/test/regress/10
deleted file mode 100644
index 355298308e72..000000000000
--- a/contrib/ipfilter/test/regress/10
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with not ipopts
-pass in from any to any with not opt sec-class topsecret
-block in from any to any with not opt ssrr,sec-class topsecret
-pass in from any to any with not opt ssrr,sec-class topsecret
-block in from any to any with not opt ts,sec-class topsecret
-pass in from any to any with not opt ts,sec-class topsecret
-block in from any to any with not opt sec-class secret
-pass in from any to any with not opt sec-class secret
-block in from any to any with not opt lsrr,ssrr
-pass in from any to any with not opt lsrr,ssrr
-pass in from any to any with not ipopts
-block in from any to any with not opt lsrr
-pass in from any to any with not opt lsrr
-block in from any to any with not opt ssrr,ts
-pass in from any to any with not opt ssrr,ts
-block in from any to any with not opt rr
-pass in from any to any with not opt rr
-block in from any to any with not opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/11 b/contrib/ipfilter/test/regress/11
deleted file mode 100644
index 0bf0a2a7322d..000000000000
--- a/contrib/ipfilter/test/regress/11
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any to any port = 23 flags S/SA keep state
-block in proto tcp from any to any port = 23 flags S/SA keep state
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto udp from any to any port = 53 keep state
-block in proto udp from any to any port = 53 keep state
diff --git a/contrib/ipfilter/test/regress/12 b/contrib/ipfilter/test/regress/12
deleted file mode 100644
index c29f839aa502..000000000000
--- a/contrib/ipfilter/test/regress/12
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any port > 1024 to any port = 25 with not short
-pass in proto tcp from any port > 1024 to any port = 25
-block in proto tcp from any to any with short
-block in proto tcp from any to any with frag
-pass in proto udp from any port = 53 to any port = 53
-block in proto udp from any port = 53 to any port = 53 with not short
diff --git a/contrib/ipfilter/test/regress/13 b/contrib/ipfilter/test/regress/13
deleted file mode 100644
index f123e4781c86..000000000000
--- a/contrib/ipfilter/test/regress/13
+++ /dev/null
@@ -1,6 +0,0 @@
-pass in proto tcp from any to any port = 25 flags S/SA keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep frags
-pass in proto udp from any to any port = 53 keep frags
-block in proto udp from any to any port = 53 keep frags
-pass in proto tcp from any to any port = 25 flags S/SA keep state keep frags
-block in proto tcp from any to any port = 25 flags S/SA keep state keep frags
diff --git a/contrib/ipfilter/test/regress/14 b/contrib/ipfilter/test/regress/14
deleted file mode 100644
index aa54af8df11d..000000000000
--- a/contrib/ipfilter/test/regress/14
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from !1.1.1.1 to any
-pass in from 1.1.1.1 to !any
-block in from 1.1.1.1/24 to !any
-pass in from !1.1.1.1/24 to any
-block in from !1.1.1.1/16 to any
-pass in from 1.1.1.1/16 to !any
-block in from 1.1.1.1/0 to !any
-pass in from !1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/2 b/contrib/ipfilter/test/regress/2
deleted file mode 100644
index e2f02a46e283..000000000000
--- a/contrib/ipfilter/test/regress/2
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any
-pass in proto tcp from any to any
-block in proto udp from any to any
-pass in proto udp from any to any
-block in proto icmp from any to any
-pass in proto icmp from any to any
diff --git a/contrib/ipfilter/test/regress/3 b/contrib/ipfilter/test/regress/3
deleted file mode 100644
index ee80729cfc9b..000000000000
--- a/contrib/ipfilter/test/regress/3
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from 1.1.1.1 to any
-pass in from 1.1.1.1 to any
-block in from 1.1.1.1/24 to any
-pass in from 1.1.1.1/24 to any
-block in from 1.1.1.1/16 to any
-pass in from 1.1.1.1/16 to any
-block in from 1.1.1.1/0 to any
-pass in from 1.1.1.1/0 to any
diff --git a/contrib/ipfilter/test/regress/4 b/contrib/ipfilter/test/regress/4
deleted file mode 100644
index bc8af2f0cae2..000000000000
--- a/contrib/ipfilter/test/regress/4
+++ /dev/null
@@ -1,8 +0,0 @@
-block in from any to 1.1.1.1
-pass in from any to 1.1.1.1
-block in from any to 1.1.1.1/24
-pass in from any to 1.1.1.1/24
-block in from any to 1.1.1.1/16
-pass in from any to 1.1.1.1/16
-block in from any to 1.1.1.1/0
-pass in from any to 1.1.1.1/0
diff --git a/contrib/ipfilter/test/regress/5 b/contrib/ipfilter/test/regress/5
deleted file mode 100644
index 998eabd4b10b..000000000000
--- a/contrib/ipfilter/test/regress/5
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any port = 23 to any
-block in proto udp from any port = 23 to any
-block in proto tcp/udp from any port = 23 to any
-pass in proto tcp from any port <= 1023 to any
-pass in proto udp from any port <= 1023 to any
-pass in proto tcp/udp from any port <= 1023 to any
-block in proto tcp from any port >= 1024 to any
-block in proto udp from any port >= 1024 to any
-block in proto tcp/udp from any port >= 1024 to any
-pass in proto tcp from any port >= 1024 to any
-pass in proto udp from any port >= 1024 to any
-pass in proto tcp/udp from any port >= 1024 to any
-block in proto tcp from any port 0 >< 512 to any
-block in proto udp from any port 0 >< 512 to any
-block in proto tcp/udp from any port 0 >< 512 to any
-pass in proto tcp from any port 0 >< 512 to any
-pass in proto udp from any port 0 >< 512 to any
-pass in proto tcp/udp from any port 0 >< 512 to any
-block in proto tcp from any port 6000 <> 6009 to any
-block in proto udp from any port 6000 <> 6009 to any
-block in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port 6000 <> 6009 to any
-pass in proto udp from any port 6000 <> 6009 to any
-pass in proto tcp/udp from any port 6000 <> 6009 to any
-pass in proto tcp from any port = 23 to any
-pass in proto udp from any port = 23 to any
-pass in proto tcp/udp from any port = 23 to any
-block in proto tcp from any port != 21 to any
-block in proto udp from any port != 21 to any
-block in proto tcp/udp from any port != 21 to any
-pass in proto tcp from any port != 21 to any
-pass in proto udp from any port != 21 to any
-pass in proto tcp/udp from any port != 21 to any
-block in proto tcp from any port < 1024 to any
-block in proto udp from any port < 1024 to any
-block in proto tcp/udp from any port < 1024 to any
-pass in proto tcp from any port < 1024 to any
-pass in proto udp from any port < 1024 to any
-pass in proto tcp/udp from any port < 1024 to any
-block in proto tcp from any port > 1023 
to any
-block in proto udp from any port > 1023 to any
-block in proto tcp/udp from any port > 1023 to any
-pass in proto tcp from any port > 1023 to any
-pass in proto udp from any port > 1023 to any
-pass in proto tcp/udp from any port > 1023 to any
-block in proto tcp from any port <= 1023 to any
-block in proto udp from any port <= 1023 to any
-block in proto tcp/udp from any port <= 1023 to any
diff --git a/contrib/ipfilter/test/regress/6 b/contrib/ipfilter/test/regress/6
deleted file mode 100644
index 291f09adcdbc..000000000000
--- a/contrib/ipfilter/test/regress/6
+++ /dev/null
@@ -1,48 +0,0 @@
-block in proto tcp from any to any port = 23
-block in proto udp from any to any port = 23
-block in proto tcp/udp from any to any port = 23
-pass in proto tcp from any to any port <= 1023
-pass in proto udp from any to any port <= 1023
-pass in proto tcp/udp from any to any port <= 1023
-block in proto tcp from any to any port >= 1024
-block in proto udp from any to any port >= 1024
-block in proto tcp/udp from any to any port >= 1024
-pass in proto tcp from any to any port >= 1024
-pass in proto udp from any to any port >= 1024
-pass in proto tcp/udp from any to any port >= 1024
-block in proto tcp from any to any port 0 >< 512
-block in proto udp from any to any port 0 >< 512
-block in proto tcp/udp from any to any port 0 >< 512
-pass in proto tcp from any to any port 0 >< 512
-pass in proto udp from any to any port 0 >< 512
-pass in proto tcp/udp from any to any port 0 >< 512
-block in proto tcp from any to any port 6000 <> 6009
-block in proto udp from any to any port 6000 <> 6009
-block in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port 6000 <> 6009
-pass in proto udp from any to any port 6000 <> 6009
-pass in proto tcp/udp from any to any port 6000 <> 6009
-pass in proto tcp from any to any port = 23
-pass in proto udp from any to any port = 23
-pass in proto tcp/udp from any to any port = 23
-block in proto tcp from any to any port != 21
-block in proto udp from any to any port != 21
-block in proto tcp/udp from any to any port != 21
-pass in proto tcp from any to any port != 21
-pass in proto udp from any to any port != 21
-pass in proto tcp/udp from any to any port != 21
-block in proto tcp from any to any port < 1024
-block in proto udp from any to any port < 1024
-block in proto tcp/udp from any to any port < 1024
-pass in proto tcp from any to any port < 1024
-pass in proto udp from any to any port < 1024
-pass in proto tcp/udp from any to any port < 1024
-block in proto tcp from any to any port > 1023
-block in proto udp from any to any port > 1023
-block in proto tcp/udp from any to any port > 1023
-pass in proto tcp from any to any port > 1023
-pass in proto udp from any to any port > 1023
-pass in proto tcp/udp from any to any port > 1023
-block in proto tcp from any to any port <= 1023
-block in proto udp from any to any port <= 1023
-block in proto tcp/udp from any to any port <= 1023
diff --git a/contrib/ipfilter/test/regress/7 b/contrib/ipfilter/test/regress/7
deleted file mode 100644
index 6848a688a374..000000000000
--- a/contrib/ipfilter/test/regress/7
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto icmp from any to any icmp-type echo
-pass in proto icmp from any to any icmp-type echo
-block in proto icmp from any to any icmp-type unreach code 3
-pass in proto icmp from any to any icmp-type unreach code 3
-block in proto icmp from any to any icmp-type echorep
-pass in proto icmp from any to any icmp-type echorep
diff --git a/contrib/ipfilter/test/regress/8 b/contrib/ipfilter/test/regress/8
deleted file mode 100644
index 0f28fd261148..000000000000
--- a/contrib/ipfilter/test/regress/8
+++ /dev/null
@@ -1,6 +0,0 @@
-block in proto tcp from any to any flags S
-pass in proto tcp from any to any flags S
-block in proto tcp from any to any flags S/SA
-pass in proto tcp from any to any flags S/SA
-block in proto tcp from any to any flags S/APU
-pass in proto tcp from any to any flags S/APU
diff --git a/contrib/ipfilter/test/regress/9 b/contrib/ipfilter/test/regress/9
deleted file mode 100644
index 17bc96737877..000000000000
--- a/contrib/ipfilter/test/regress/9
+++ /dev/null
@@ -1,18 +0,0 @@
-block in from any to any with ipopts
-pass in from any to any with opt sec-class topsecret
-block in from any to any with opt ssrr,sec-class topsecret
-pass in from any to any with opt ssrr,sec-class topsecret
-block in from any to any with opt ts,sec-class topsecret
-pass in from any to any with opt ts,sec-class topsecret
-block in from any to any with opt sec-class secret
-pass in from any to any with opt sec-class secret
-block in from any to any with opt lsrr,ssrr
-pass in from any to any with opt lsrr,ssrr
-pass in from any to any with ipopts
-block in from any to any with opt lsrr
-pass in from any to any with opt lsrr
-block in from any to any with opt ssrr,ts
-pass in from any to any with opt ssrr,ts
-block in from any to any with opt rr
-pass in from any to any with opt rr
-block in from any to any with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/regress/ipf6-1 b/contrib/ipfilter/test/regress/ipf6-1
deleted file mode 100644
index 814dfd6cd664..000000000000
--- a/contrib/ipfilter/test/regress/ipf6-1
+++ /dev/null
@@ -1,3 +0,0 @@
-block in all
-block out all
-pass out proto 58 all keep state
diff --git a/contrib/ipfilter/test/regress/regress.sed b/contrib/ipfilter/test/regress/regress.sed
deleted file mode 100644
index e69de29bb2d1..000000000000
--- a/contrib/ipfilter/test/regress/regress.sed
+++ /dev/null
diff --git a/contrib/ipfilter/test/test.sed b/contrib/ipfilter/test/test.sed
deleted file mode 100644
index 3ce0cb16415e..000000000000
--- a/contrib/ipfilter/test/test.sed
+++ /dev/null
@@ -1,6 +0,0 @@
- Ç. Ä..0þCVSGexpected0ÇinputDG$regress - -.cvsignore -!Makefile -"dotest -#hextest |