-rw-r--r-- kerberosIV/man/krb.conf.5 | 69
-rw-r--r-- kerberosIV/man/krb.realms.5 | 55
-rw-r--r-- sbin/ipfstat/ipfstat.8 | 163
-rw-r--r-- share/man/man4/ipl.4 | 122
-rw-r--r-- usr.sbin/map-mbone/map-mbone.8 | 176
5 files changed, 325 insertions, 260 deletions
diff --git a/kerberosIV/man/krb.conf.5 b/kerberosIV/man/krb.conf.5
index b6ad8483d52..6876f66fd61 100644
--- a/kerberosIV/man/krb.conf.5
+++ b/kerberosIV/man/krb.conf.5
@@ -26,34 +26,53 @@
.\"this software for any purpose. It is provided "as is" without express
.\"or implied warranty.
.\"
-.\" $OpenBSD: krb.conf.5,v 1.6 1999/02/27 08:49:49 deraadt Exp $
-.TH KRB.CONF 5 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-krb.conf \- Kerberos configuration file
-.SH DESCRIPTION
-.I krb.conf
+.\" $OpenBSD: krb.conf.5,v 1.7 1999/07/04 15:34:52 aaron Exp $
+.Dd 15 June, 1999
+.Os
+.Dt KRB.CONF 5
+.Sh NAME
+.Nm krb.conf
+.Nd Kerberos configuration file
+.Sh DESCRIPTION
+.Nm
contains configuration information describing the Kerberos realm and the
Kerberos key distribution center (KDC) servers for known realms.
-.PP
-.I krb.conf
-contains the name of the local realm in the first
-line, followed by lines indicating realm/host
-entries. The first token is a realm name, and the second is the hostname
-of a host running a KDC for that realm.
-The words "admin server" following the hostname indicate that
-the host also provides an administrative database server.
-
-A hash sign (#) as a first character of the krb.conf file disables kerberos
-authentication on the system.
-
-For example:
-.nf
-.in +1i
+.Pp
+The first line of
+.Nm
+contains the name of the local realm. If the first character in the first line
+is a hash sign
+.Pf ( Ql # ) ,
+then Kerberos authentication is disabled.
+.Pp
+Subsequent lines are of the form
+.Bd -ragged -offset indent
+.Fa realm
+.Fa KDC_server
+.Op admin server
+.Ed
+.Pp
+where
+.Fa realm
+is a Kerberos realm name and
+.Fa KDC_server
+is the name of a host running a KDC for
+.Fa realm .
+The words
+.Dq admin server
+following
+.Fa KDC_server
+indicate that the host also provides an administrative database server.
+.Pp
+.Sh EXAMPLES
+A krb.conf file for a host in the ATHENA.MIT.EDU realm might look like:
+.Bd -literal -offset indent
ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos-1.mit.edu admin server
ATHENA.MIT.EDU kerberos-2.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
-.in -1i
-.SH SEE ALSO
-krb.realms(5), krb_get_krbhst(3), krb_get_lrealm(3)
-
+.Ed
+.Sh SEE ALSO
+.Xr krb_get_krbhst 3 ,
+.Xr krb_get_lrealm 3 ,
+.Xr krb.realms 5
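Review bot: The `.Pp` directly before `.Sh EXAMPLES` is redundant, because a section header already starts a new paragraph, so it should be dropped. `.Dd 15 June, 1999` departs from the `Month day, year` form mdoc expects (`.Dd June 15, 1999`), and the EXAMPLES sentence writes krb.conf as plain text where `.Nm` would match the rest of the page. The new text saying that a leading `#` on the first line disables Kerberos authentication is easy to overlook; a one-line case in EXAMPLES would make that behaviour harder to trigger by accident.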
diff --git a/kerberosIV/man/krb.realms.5 b/kerberosIV/man/krb.realms.5
index 3e48b53e024..6626622d55f 100644
--- a/kerberosIV/man/krb.realms.5
+++ b/kerberosIV/man/krb.realms.5
@@ -26,36 +26,39 @@
.\"this software for any purpose. It is provided "as is" without express
.\"or implied warranty.
.\"
-.\" $OpenBSD: krb.realms.5,v 1.5 1999/02/27 08:49:49 deraadt Exp $
-.TH KRB.REALMS 5 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-krb.realms \- host to Kerberos realm translation file
-.SH DESCRIPTION
-.I krb.realms
+.\" $OpenBSD: krb.realms.5,v 1.6 1999/07/04 15:34:52 aaron Exp $
+.Dd 15 June, 1999
+.Os
+.Dt KRB.REALMS 5
+.Sh NAME
+.Nm krb.realms
+.Nd host to Kerberos realm translation file
+.Sh DESCRIPTION
+.Nm
provides a translation from a hostname to the Kerberos realm name for
the services provided by that host.
-.PP
+.Pp
Each line of the translation file is in one of the following forms
-(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU):
-.nf
-.in +5n
+.Pf ( Fa domain_name
+should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU):
+.Bd -literal -offset indent
host_name kerberos_realm
domain_name kerberos_realm
-.in -5n
-.fi
-If a hostname exactly matches the
-.I host_name
-field in a line of the first
-form, the corresponding realm is the realm of the host.
-If a hostname does not match any
-.I host_name
-in the file, but its
-domain exactly matches the
-.I domain_name
-field in a line of the second
-form, the corresponding realm is the realm of the host.
-.PP
+.Ed
+.Pp
+If a hostname exactly matches the
+.Fa host_name
+field in a line of the first form, the corresponding
+.Fa kerberos_realm
+is the realm of the host. If a hostname does not match any
+.Fa host_name
+in the file, but its domain exactly matches the
+.Fa domain_name
+field in a line of the second form, the corresponding
+.Fa kerberos_realm
+is the realm of the host.
+.Pp
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case.
-.SH SEE ALSO
-krb_realmofhost(3)
+.Sh SEE ALSO
+.Xr krb_realmofhost 3
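Review bot: The rewritten matching paragraph starts new sentences mid-line ("is the realm of the host. If a hostname does not match any"), which mdoc source should avoid; begin each sentence on its own line so end-of-sentence spacing renders correctly. In the line after `.Pf ( Fa domain_name`, the values `.XXX.YYY` and `.LCS.MIT.EDU` are still plain text, and `.Ql` would set them off as literals the way the krb.conf.5 change does for `#`.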
diff --git a/sbin/ipfstat/ipfstat.8 b/sbin/ipfstat/ipfstat.8
index c41169c80e6..37aa01f1852 100644
--- a/sbin/ipfstat/ipfstat.8
+++ b/sbin/ipfstat/ipfstat.8
@@ -1,83 +1,104 @@
-.\" $OpenBSD: ipfstat.8,v 1.11 1999/02/10 22:12:53 deraadt Exp $
-.TH ipfstat 8
-.SH NAME
-ipfstat \- reports on packet filter statistics and filter list
-.SH SYNOPSIS
-.B ipfstat
-[
-.B \-aAfhIinosv
-] [
-.B \-d
-<device>
-]
-.SH DESCRIPTION
-.PP
-\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
-\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
-To run and work, it needs to be able to read both /dev/kmem and the
-kernel itself.
-.PP
-The default behaviour of \fBipfstat\fP
-is to retrieve and display the accumulated statistics which have been
-accumulated over time as the kernel has put packets through the filter.
-.SH OPTIONS
-.TP
-.B \-a
-Display the accounting filter list and show bytes counted against each rule.
-.TP
-.B \-A
+.\" $OpenBSD: ipfstat.8,v 1.12 1999/07/04 15:34:52 aaron Exp $
+.Dd 13 June, 1999
+.Os
+.Dt ipfstat 8
+.Sh NAME
+.Nm ipfstat
+.Nd reports on packet filter statistics and filter lists
+.Sh SYNOPSIS
+.Nm ipfstat
+.Op Fl aAfhIinosv
+.Op Fl d Ar device
+.Sh DESCRIPTION
+By default
+.Nm
+displays current kernel statistics gathered
+as a result of applying the filters in place (if any) to packets going through
+the kernel.
+.Pp
+When supplied with either
+.Fl i
+or
+.Fl o ,
+it will retrieve and display
+the appropriate list of filter rules currently installed and in use by the
+kernel.
+.Pp
+.Nm
+examines
+.Pa /dev/kmem
+using the symbols
+.Sy _fr_flags ,
+.Sy _frstats ,
+.Sy _filterin ,
+and
+.Sy _filterout .
+To run and work, it needs to be able to read both
+.Pa /dev/kmem
+and the kernel itself.
+.Sh OPTIONS
+.Bl -tag -width "-d device"
+.It Fl a
+Display the accounting filter list and show bytes counted against each rule. Used
+with
+.Fl i
+or
+.Fl o .
+.It Fl A
Display packet authentication statistics.
-.TP
-.BR \-d \0<device>
-Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
-.TP
-.B \-f
+.It Fl d Ar device
+Use
+.Ar device
+instead of
+.Pa /dev/ipl
+for interfacing with the kernel.
+.It Fl f
Show fragment state information (statistics) and held state information (in
the kernel) if any is present.
-.TP
-.B \-h
-Show per-rule the number of times each one scores a "hit". For use in
-combination with \fB\-i\fP.
-.TP
-.B \-i
+.It Fl h
+Show per-rule the number of times each one scores a
+.Sq hit .
+For use in
+combination with
+.Fl i .
+.It Fl i
Display the filter list used for the input side of the kernel IP processing.
-.TP
-.B \-I
-Swap between retrieving "inactive"/"active" filter list details. For use
-in combination with \fB\-i\fP.
-.TP
-.B \-n
-Show the "rule number" for each rule as it is printed.
-.TP
-.B \-o
+.It Fl I
+Swap between retrieving
+.Sq inactive
+/
+.Sq active
+filter list details. For use in combination with
+.Fl i .
+.It Fl n
+Show the rule number for each rule as it is printed.
+.It Fl o
Display the filter list used for the output side of the kernel IP processing.
-.TP
-.B \-s
+.It Fl s
Show packet/flow state information (statistics) and held state information (in
the kernel) if any is present.
-.TP
-.B \-v
-Turn verbose mode on. Displays more debugging information.
-.SH SYNOPSIS
-The role of \fBipfstat\fP is to display current kernel statistics gathered
-as a result of applying the filters in place (if any) to packets going in and
-out of the kernel. This is the default operation when no command line
-parameters are present.
-.PP
-When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
-the appropriate list of filter rules currently installed and in use by the
-kernel.
-.SH FILES
-/dev/kmem
-.br
-/dev/ipl
+.It Fl v
+Turn verbose mode on. Displays more debugging information.
+.El
+.Sh FILES
+.Pa /dev/kmem
.br
-/dev/ipstate
+.Pa /dev/ipl
.br
-/bsd
-.SH SEE ALSO
-ipf(8), ipftest(1), ipnat(8), ipf(4), ipl(4), ipnat(4), ipf(5), ipnat(5), ipmon(8)
+.Pa /dev/ipstate
.br
+.Pa /bsd
+.Sh SEE ALSO
+.Xr ipftest 1 ,
+.Xr ipf 4 ,
+.Xr ipl 4 ,
+.Xr ipnat 4 ,
+.Xr ipf 5 ,
+.Xr ipnat 5 ,
+.Xr ipf 8 ,
+.Xr ipmon 8 ,
+.Xr ipnat 8 ,
+.Pp
http://coombs.anu.edu.au/ipfilter/
-.SH BUGS
+.Sh BUGS
If you find any, please send email to me at darrenr@pobox.com.
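Review bot: The SEE ALSO list ends with `.Xr ipnat 8 ,` followed by `.Pp`, which leaves a dangling comma after the last cross-reference; remove the trailing comma on that entry. `.Dt ipfstat 8` is also lowercase while the other pages in this commit use an uppercase title (`.Dt IPL 4`, `.Dt MAP-MBONE 8`), so `.Dt IPFSTAT 8` would be consistent. In the `-I` entry, putting `/` on its own line between the two `.Sq` macros renders with spaces on both sides of the slash, which is probably not intended.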
diff --git a/share/man/man4/ipl.4 b/share/man/man4/ipl.4
index 7a28b88f915..d7de70920c0 100644
--- a/share/man/man4/ipl.4
+++ b/share/man/man4/ipl.4
@@ -1,63 +1,79 @@
-.TH IPL 4
-.SH NAME
-ipl - IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options - TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents is also logged after the header.
-.LP
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-struct ipl_ci {
- u_long sec; /* time when the packet was logged */
- u_long usec;
- u_long plen; /* length of packet data logged */
- u_short hlen; /* length of headers logged */
- u_short rule; /* rule number (for log ...) or 0 if result = log */
- u_long flags:24; /* XXX FIXME do we care about the extra bytes? */
-#if (defined(OpenBSD) && (OpenBSD <= 1991011) && (OpenBSD >= 199606))
- u_long filler:8; /* XXX FIXME do we care? */
- u_char ifname[IFNAMSIZ];
-#else
- u_long unit:8;
- u_char ifname[4];
-#endif
-};
-.nf
-.PP
+.Dd 13 June, 1999
+.Os
+.Dt IPL 4
+.Sh NAME
+.Nm ipl
+.Nd IP packet log device
+.Sh DESCRIPTION
+The
+.Nm
+pseudo device's purpose is to provide an easy way to gather
+packet headers of packets you wish to log. If a packet header is to be
+logged, either the entire header (including any
+.Tn IP
+options \(en
+.Tn TCP/UDP
+options are not included when it calculates header size) is logged or nothing.
+Up to 128 bytes of the packet content are logged after the header.
+.Pp
+Prepending every packet header logged are two structures containing information
+relevant to the packet following and why it was logged. The first structure
+is
+.Fa iplog
+and the second is
+.Fa ipflog .
+Both are declared in
+.Pa netinet/ip_fil.h .
+and their formats are as follows:
+.Bd -literal -offset indent
+struct iplog {
+ u_long ipl_magic; /* IPL_MAGIC 0x49504c4d 'IPLM' */
+ u_long ipl_sec;
+ u_long ipl_usec;
+ u_int ipl_len;
+ u_int ipl_count;
+ size_t ipl_dsize;
+ struct iplog *ipl_next;
+}
+
+struct ipflog {
+ u_char fl_ifname[IFNAMSIZ];
+ u_char fl_plen; /* extra data after hlen */
+ u_char fl_hlen; /* length of IP headers saved */
+ u_short fl_rule; /* assume < 64k rules, total */
+ u_short fl_group;
+ u_32_t fl_flags;
+}
+.Ed
+.Pp
In the case of the header causing the buffer to finish on a non-32bit
-boundary, padding will be `appended' to ensure that the next log entry
+boundary, padding will be appended to ensure that the next log entry
is aligned to a 32bit boundary.
-.LP
-.PP
-If the packet contents is more than 128 bytes, then only 128 bytes of the
-packet contents is logged. Should the packet contents finish on a non-32bit
+.Pp
+If the packet content is more than 128 bytes, only
+the first 128 bytes of the
+packet content are logged. Should the packet content finish on a non-32bit
boundary, then the last few bytes are not logged to ensure the log entry
is aligned to a 32bit boundary.
-
-\fBipl\fP is a read-only (sequential) character pseudo-device.
-
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
+.Pp
+.Nm
+is a read-only (sequential) character pseudo-device.
+.Pp
+The ioctls which are loaded with this device can be found under
+.Xr ipf 4 .
The only ioctl which is used for logging and doesn't affect the filter is:
-.LP
-.nf
- ioctl(fd, SIOCIPFFB, int *)
-.fi
-.PP
+.Pp
+.Dl Fn ioctl fd SIOCIPFFB "int *"
+.Pp
This ioctl flushes the log buffer and returns the number of bytes flushed.
-.PP
+.Pp
There is currently no support for non-blocking IO with this device, meaning
all read operations should be considered blocking in nature (if there is no
data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4), ipmon(8)
-.SH BUGS
+.Sh SEE ALSO
+.Xr ipf 4 ,
+.Xr ipmon 8
+.Sh BUGS
Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl0
+.Sh FILES
+.Pa /dev/ipl
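Review bot: `.Pa netinet/ip_fil.h .` puts a period in the middle of a sentence that continues with "and their formats are as follows:", so the rendered text reads "netinet/ip_fil.h. and their formats"; drop the trailing `.` argument. Both structure listings close with a bare `}` rather than `};`, so they are not valid declarations as shown. The `fl_plen` comment ("extra data after hlen") would be clearer if it tied the field to the 128-byte limit stated in the prose, since a reader parsing the log relies on these two length fields to find the next entry.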
diff --git a/usr.sbin/map-mbone/map-mbone.8 b/usr.sbin/map-mbone/map-mbone.8
index 9a472b8e00c..260561d5bd7 100644
--- a/usr.sbin/map-mbone/map-mbone.8
+++ b/usr.sbin/map-mbone/map-mbone.8
@@ -1,91 +1,97 @@
.\" $NetBSD: map-mbone.8,v 1.2 1995/10/03 23:16:53 thorpej Exp $
.\"
-.TH MAP-MBONE 8
-.UC 5
-.SH NAME
-map-mbone \- Multicast connection mapper
-.SH SYNOPSIS
-.B /usr/sbin/map-mbone
-[
-.B \-d
-.I debug_level
-] [
-.B \-f
-] [
-.B \-g
-] [
-.B \-n
-] [
-.B \-r
-.I retry_count
-] [
-.B \-t
-.I timeout_count
-] [
-.B starting_router
-]
-.SH DESCRIPTION
-.I map-mbone
+.Dd 13 June, 1999
+.Os
+.Dt MAP-MBONE 8
+.Sh NAME
+.Nm map-mbone
+.Nd Multicast connection mapper
+.Sh SYNOPSIS
+.Nm map-mbone
+.Op Fl d Ar level
+.Op Fl fgn
+.Op Fl r Ar count
+.Op Fl t Ar seconds
+.Op Ar starting_router
+.Sh DESCRIPTION
+.Nm
attempts to display all multicast routers that are reachable from the multicast
-.I starting_router.
-If not specified on the command line, the default multicast
-.I starting_router
-is the localhost.
-.PP
-.I map-mbone
-traverses neighboring multicast routers by sending the ASK_NEIGHBORS IGMP
-message to the multicast starting_router. If this multicast router responds,
-the version number and a list of their neighboring multicast router addresses is
-part of that response. If the responding router has recent multicast version
-number, then
-.I map-mbone
-requests additional information such as metrics, thresholds, and flags from the
-multicast router. For each new occurrence of neighboring multicast router in
-the reply and provided the flooding option has been selected, then
-.I map-mbone
-asks each of this multicast router for a list of neighbors. This search
-for unique routers will continue until no new neighboring multicast routers
-are reported.
-.br
-.ne 5
-.SH INVOCATION
-.PP
-"\-d" option sets the debug level. When the debug level is greater than the
-default value of 0, addition debugging messages are printed. Regardless of
-the debug level, an error condition, will always write an error message and will
+router
+.Ar starting_router .
+If not specified on the command line,
+.Ar starting_router
+is
+.Sq localhost .
+.Pp
+.Nm
+sends an
+.Dv ASK_NEIGHBORS
+.Tn IGMP
+message to
+.Ar starting_router .
+A response contains the
+multicast version number
+of
+.Ar starting_router
+and the addresses of
+all its neighboring multicast routers.
+If the multicast version number is recent, then
+.Nm
+requests additional information such as metrics, thresholds, and flags.
+
+If a recursive search has been requested (see
+.Fl f ) ,
+.Nm
+repeats the above operation for each new
+multicast router in the list of neighbors and
+continues the process until no new multicast routers are reported.
+.Pp
+.Nm
+must be run as root.
+.Pp
+.Em Options
+.Bl -tag -width "-t seconds"
+.It Fl d Ar level
+sets the debug level to
+.Ar level .
+When the debug level is greater than
+0, addition debugging messages are printed to stderr. Regardless of
+the debug level, an error condition will always write an error message and will
cause
-.I map-mbone
+.Nm
to terminate.
-Non-zero debug levels have the following effects:
-.IP "level 1"
-packet warnings are printed to stderr.
-.IP "level 2"
-all level 1 messages plus notifications down networks are printed to stderr.
-.IP "level 3"
-all level 2 messages plus notifications of all packet
-timeouts are printed to stderr.
-.PP
-"\-f" option sets flooding option. Flooding allows the recursive search
-of neighboring multicast routers and is enable by default when starting_router
-is not used.
-.PP
-"\-g" option sets graphing in GraphEd format.
-.PP
-"\-n" option disables the DNS lookup for the multicast routers names.
-.PP
-"\-r retry_count" sets the neighbor query retry limit. Default is 1 retry.
-.PP
-"\-t timeout_count" sets the number of seconds to wait for a neighbor query
-reply before retrying. Default timeout is 2 seconds.
-.PP
-.SH IMPORTANT NOTE
-.I map-mbone
-must be run as root.
-.PP
-.SH SEE ALSO
-.BR mrouted (8) ,
-.BR mrinfo (8) ,
-.BR mtrace (8)
-.PP
-.SH AUTHOR
+Non-zero debug levels are
+.Bl -tag -width "1: " -offset indent
+.It 1 :
+print packet warnings, plus level 0 messages.
+.It 2 :
+print notifications of down networks, plus level 1 messages.
+.It 3 :
+print notifications of all packet timeouts, plus level 2 messages.
+.El
+.Pp
+Default is 0.
+.It Fl f
+causes a recursive (flooding) search. If no
+.Ar starting_router
+is specified, a recursive search is always performed.
+.It Fl g
+sets graphing format to GraphEd format.
+.It Fl n
+disables DNS lookup for the names of the multicast routers.
+.It Fl r Ar count
+sets the neighbor query retry limit to
+.Ar count .
+Default is 1.
+.It Fl t Ar seconds
+sets the number of seconds to wait for a neighbor query
+reply before retrying to
+.Ar seconds .
+Default is 2.
+.Sh SEE ALSO
+.Xr mrouted 8 ,
+.Xr mrinfo 8 ,
+.Xr mtrace 8
+.Pp
+.Sh AUTHOR
Pavel Curtis
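Review bot: The option list opened with `.Bl -tag -width "-t seconds"` is never closed: the only `.El` in the hunk ends the nested debug-level list, so an `.El` is needed after "Default is 2." and before `.Sh SEE ALSO`. The bare blank line added before "If a recursive search has been requested" should be a `.Pp`, and "addition debugging messages" still carries the old typo for "additional". `.Em Options` stands in for a section header here, whereas ipfstat.8 in the same commit uses `.Sh OPTIONS`; using the real section keeps the two pages consistent. The `.Pp` before `.Sh AUTHOR` is redundant as well.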