Index: src/etc/rc.network
===================================================================
RCS file: /export/ncvs/src/etc/rc.network,v
retrieving revision 1.110
diff -u -r1.110 rc.network
--- src/etc/rc.network 2001/11/01 12:39:01 1.110
+++ src/etc/rc.network 2001/11/01 23:13:45
@@ -355,7 +355,7 @@
 case ${firewall_logging} in
 [Yy][Ee][Ss] | '')
 echo 'Firewall logging=YES'
- sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
+ sysctl -w net.inet.ip.fw.verbose="${firewall_verbose:-1}" >/dev/null
 ;;
 *)
 ;;
Index: src/etc/defaults/rc.conf
===================================================================
RCS file: /export/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.130
diff -u -r1.130 rc.conf
--- src/etc/defaults/rc.conf 2001/10/20 04:33:02 1.130
+++ src/etc/defaults/rc.conf 2001/11/02 03:10:44
@@ -51,6 +51,8 @@
 firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO" # Set to YES to suppress rule display
 firewall_logging="NO" # Set to YES to enable events logging
+firewall_verbose="1" # Set value of net.inet.ip.fw.verbose,
+ # see ipfw(8) for details
 firewall_flags="" # Flags passed to ipfw when type is a file
 ip_portrange_first="NO" # Set first dynamically allocated port
 ip_portrange_last="NO" # Set last dynamically allocated port
Index: src/sbin/ipfw/ipfw.8
===================================================================
RCS file: /export/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.93
diff -u -r1.93 ipfw.8
--- src/sbin/ipfw/ipfw.8 2001/10/14 22:46:05 1.93
+++ src/sbin/ipfw/ipfw.8 2001/11/02 02:58:16
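Review bot: With `firewall_logging=YES` and `firewall_verbose=0` the script still echoes `Firewall logging=YES` but the sysctl it then writes turns logging off, since the ipfw.8 hunk in this diff says baseline logging needs a non-zero value; the `:-1` fallback only covers an unset or empty variable, not an explicit zero. Either reject zero before the write, e.g. `case ${firewall_verbose} in 0) firewall_verbose=1 ;; esac`, or echo the value that is actually applied, `echo "Firewall logging=YES (verbose=${firewall_verbose:-1})"`. The enclosing `case` on `firewall_logging` starts before the hunk.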
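Review bot: The comment on the new `firewall_verbose` line says only that it sets net.inet.ip.fw.verbose, while the ipfw.8 hunk in this diff describes the value as a bitmask (2 adds IP detail, 4 adds TCP detail, any non-zero value gives baseline logging, which implies 0 logs nothing). Since rc.conf is what most administrators read, I would state that here: `firewall_verbose="1"	# Bitmask for net.inet.ip.fw.verbose: 1=basic, 2=+IP,` followed by `	# 4=+TCP details; 0 disables logging. See ipfw(8)`. The default of 1 keeps the previous behaviour, which the comment could say outright.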
@@ -474,6 +474,15 @@
 Logging may then be re-enabled by clearing the logging counter or the packet counter for that entry.
 .Pp
+Logging of additional IP and TCP information is available by setting
+bits in the value of
+.Em net.inet.ip.fw.verbose .
+If the 2-bit is set, additional IP information is included in each log
+entry. If the 4-bit is set, additional TCP information is
+included. (The baseline information is included whenever
+.Em net.inet.ip.fw.verbose
+is non-zero.)
+.Pp
 Console logging and the log limit are adjustable dynamically through the
 .Xr sysctl 8
Index: src/sys/netinet/ip_fw.c
===================================================================
RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.173
diff -u -r1.173 ip_fw.c
--- src/sys/netinet/ip_fw.c 2001/10/05 07:06:31 1.173
+++ src/sys/netinet/ip_fw.c 2001/11/02 02:25:50
@@ -508,6 +508,14 @@
 return(1);
 }
 
+
+/*
+ * Extended logging options are passed to the routine run-time via
+ * the net.inet.ip.fw.verbose sysctl(8) variable; see ipfw(8).
+ */
+#define LOGOPT_IP 0x02
+#define LOGOPT_TCP 0x04
+
 static void
 ipfw_report(struct ip_fw *f, struct ip *ip, int offset, int ip_len,
 struct ifnet *rif, struct ifnet *oif)
@@ -517,7 +525,7 @@
 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
 u_int64_t count;
 char *action;
- char action2[32], proto[47], name[18], fragment[27];
+ char action2[32], proto[74], name[18], fragment[27], ipvals[44];
 int len;
 
 count = f ? f->fw_pcnt : ++counter;
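Review bot: The comment introducing `LOGOPT_IP` and `LOGOPT_TCP` says the options are "passed to the routine run-time" but not that they are bit values of the sysctl, nor that any non-zero `fw_verbose` already means baseline logging (which the ipfw.8 hunk in this diff states in prose). I would rewrite it as `/* Bits of the net.inet.ip.fw.verbose sysctl(8) value that select extended output in ipfw_report(); any non-zero value enables baseline logging.  Keep in sync with ipfw(8). */`. The values live only here and as "2-bit"/"4-bit" in the manual page, so the sync reminder is the useful part.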
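Review bot: `proto` grows from 47 to 74 bytes and `ipvals` is added at 44 bytes, but nothing records how the sizes were derived, so the next person who extends the format strings has to redo the arithmetic. The longest baseline TCP text, `TCP 255.255.255.255:65535 255.255.255.255:65535`, is already 47 characters before the NUL if the TCP branch mirrors the visible UDP formatting, so 47 was one byte short and 74 (47 + 27 for ` f=xx s=xxxxxxxx a=xxxxxxxx`) inherits that; 75 would hold the worst case exactly. `ipvals` fits ` [tos 0xff] (ttl 255, id 65535, len 65535)` (42 + NUL) only while `ip_len` stays within five digits. I would add `/* 47 = "TCP a.b.c.d:p a.b.c.d:p", + 27 for " f=xx s=xxxxxxxx a=xxxxxxxx" */` and `/* " [tos 0xff] (ttl 255, id 65535, len 65535)" + NUL */` beside the declarations; whether truncation is harmless rests on `SNPARGS` bounding every call, and that macro is defined outside this diff.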
@@ -599,9 +607,16 @@
 len += snprintf(SNPARGS(proto, len), " ");
 len += snprintf(SNPARGS(proto, len), "%s",
 inet_ntoa(ip->ip_dst));
- if (offset == 0)
- snprintf(SNPARGS(proto, len), ":%d",
+ if (offset == 0) {
+ len += snprintf(SNPARGS(proto, len), ":%d",
 ntohs(tcp->th_dport));
+ if (fw_verbose & LOGOPT_TCP)
+ snprintf(SNPARGS(proto, len),
+ " f=%02x s=%08x a=%08x",
+ tcp->th_flags,
+ ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack));
+ }
 break;
 case IPPROTO_UDP:
 len = snprintf(SNPARGS(proto, 0), "UDP %s",
@@ -641,15 +656,23 @@
 (ip->ip_off & IP_MF) ? "+" : "");
 else
 fragment[0] = '\0';
+
+ if (fw_verbose & LOGOPT_IP)
+ snprintf(SNPARGS(ipvals, 0), " [tos 0x%02x] (ttl %u, id %u, len %u)",
+ ip->ip_tos, ip->ip_ttl, ntohs(ip->ip_id), ip_len);
+ else
+ ipvals[0] = '\0';
+
 if (oif)
- log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
- name, action, proto, oif->if_name, oif->if_unit, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s%s\n",
+ name, action, proto, oif->if_name, oif->if_unit, fragment,
+ ipvals);
 else if (rif)
- log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s\n", name,
- action, proto, rif->if_name, rif->if_unit, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s%s\n", name,
+ action, proto, rif->if_name, rif->if_unit, fragment, ipvals);
 else
- log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
- proto, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s%s%s\n", name, action,
+ proto, fragment, ipvals);
 if ((f ? f->fw_logamount != 0 : 1) &&
 count == (f ? f->fw_loghighest : fw_verbose_limit))
 log(LOG_SECURITY | LOG_NOTICE,
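Review bot: The new `LOGOPT_TCP` branch reads `th_flags`, `th_seq` and `th_ack`, bytes 4 through 13 of the TCP header, whereas the code it extends only touched `th_dport` in the first four bytes; unless the caller has already pulled up or length-checked the full header, a first fragment (`offset == 0`) carrying fewer than 14 bytes of transport data would make this an over-read, and this diff does not show that guarantee. I would either record the precondition, `/* caller guarantees a complete TCP header when offset == 0 */`, or gate the extra fields on the packet length, e.g. `if ((fw_verbose & LOGOPT_TCP) && ip_len >= (ip->ip_hl << 2) + 14)` if `ip_len` is the host-order total length. Separately, the `len +=` before the new snprintf can leave `len` past `sizeof(proto)` after truncation, so the following `SNPARGS(proto, len)` is safe only if that macro clamps the remaining size to zero. The `tcp` pointer and the enclosing `case` label are declared before the hunk.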
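Review bot: `ip_len` is declared `int` in the ipfw_report signature (hunk at -508) yet is formatted with `%u` in the new `ipvals` snprintf, a signed/unsigned mismatch that `-Wformat` reports; `ip->ip_tos` and `ip->ip_ttl` arrive as promoted `int` for `%02x`/`%u` as well. Casting at the call site, `(u_int)ip->ip_tos, (u_int)ip->ip_ttl, ntohs(ip->ip_id), (u_int)ip_len`, makes the arguments match the conversions. The three `log()` calls now carry identical argument lists apart from the interface clause; formatting the ` in via %s%d`/` out via %s%d` part into a small buffer first and issuing one `log()` would remove the duplication, though that is a style choice beyond this change.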