Index: etc/rc.network
===================================================================
RCS file: /export/ncvs/src/etc/rc.network,v
retrieving revision 1.74.2.23
diff -u -r1.74.2.23 rc.network
--- etc/rc.network 2001/08/17 07:26:38 1.74.2.23
+++ etc/rc.network 2001/10/14 08:11:18
@@ -309,7 +309,7 @@
 case ${firewall_logging} in
 [Yy][Ee][Ss] | '')
 echo 'Firewall logging=YES'
- sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
+ sysctl -w net.inet.ip.fw.verbose="${firewall_verbose:-1}" >/dev/null
 ;;
 *)
 ;;
Index: sbin/ipfw/ipfw.8
===================================================================
RCS file: /export/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.63.2.16
diff -u -r1.63.2.16 ipfw.8
--- sbin/ipfw/ipfw.8 2001/10/27 23:05:48 1.63.2.16
+++ sbin/ipfw/ipfw.8 2001/11/02 09:10:09
@@ -459,6 +459,15 @@
 Logging may then be re-enabled by clearing the logging counter or the packet counter for that entry.
 .Pp
+Logging of additional IP and TCP information is available by setting
+bits in the value of
+.Em net.inet.ip.fw.verbose .
+If the 2-bit is set, additional IP information is included in each log
+entry. If the 4-bit is set, additional TCP information is
+included. (The baseline information is included whenever
+.Em net.inet.ip.fw.verbose
+is non-zero.)
+.Pp
 Console logging and the log limit are adjustable dynamically through the
 .Xr sysctl 8
Index: etc/defaults//rc.conf
===================================================================
RCS file: /export/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.53.2.41
diff -u -r1.53.2.41 rc.conf
--- etc/defaults//rc.conf 2001/10/10 15:56:25 1.53.2.41
+++ etc/defaults//rc.conf 2001/10/14 08:11:18
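Review bot: `${firewall_verbose:-1}` is handed to sysctl unvalidated on the added line, and a value of 0 switches firewall logging off entirely (the ipfw.8 hunk in this diff says the baseline log line is produced only when net.inet.ip.fw.verbose is non-zero) right after the script has printed 'Firewall logging=YES'. A non-numeric value makes the sysctl call fail with only stderr as evidence, since stdout is sent to /dev/null. Normalising the variable before this case statement keeps the printed message truthful and the sysctl call well-formed, e.g. `case ${firewall_verbose} in ''|*[!0-9]*) firewall_verbose=1 ;; esac`, with the 0 case either documented in rc.conf or folded into the same guard. The case statement this hunk sits in continues outside the hunk.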
@@ -49,6 +49,7 @@
 firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO" # Set to YES to suppress rule display
 firewall_logging="NO" # Set to YES to enable events logging
+firewall_verbose="1" # Set verbosity level, 0 to 3.
 firewall_flags="" # Flags passed to ipfw when type is a file
 ip_portrange_first="NO" # Set first dynamically allocated port
 ip_portrange_last="NO" # Set last dynamically allocated port
Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.26
diff -u -r1.131.2.26 ip_fw.c
--- sys/netinet/ip_fw.c 2001/10/04 01:56:01 1.131.2.26
+++ sys/netinet/ip_fw.c 2001/10/11 23:33:54
@@ -471,7 +471,7 @@
 struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl);
 u_int64_t count;
 char *action;
- char action2[32], proto[47], name[18], fragment[27];
+ char action2[32], proto[74], name[18], fragment[27], ipvals[44];
 int len;

 count = f ? f->fw_pcnt : ++counter;
@@ -555,9 +555,16 @@
 len += snprintf(SNPARGS(proto, len), " ");
 len += snprintf(SNPARGS(proto, len), "%s",
 inet_ntoa(ip->ip_dst));
- if (offset == 0)
- snprintf(SNPARGS(proto, len), ":%d",
+ if (offset == 0) {
+ len += snprintf(SNPARGS(proto, len), ":%d",
 ntohs(tcp->th_dport));
+ if (fw_verbose > 2)
+ snprintf(SNPARGS(proto, len),
+ " f=%02x s=%08lx a=%08lx",
+ tcp->th_flags,
+ ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack));
+ }
 break;
 case IPPROTO_UDP:
 len = snprintf(SNPARGS(proto, 0), "UDP %s",
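Review bot: The comment on the added line, `# Set verbosity level, 0 to 3.`, disagrees with the ipfw.8 text in this same diff, which describes net.inet.ip.fw.verbose as a bit field (2 adds IP detail, 4 adds TCP detail), and it does not mention that 0 turns firewall logging off even when firewall_logging is YES. This file is the reference most administrators read, so the two should agree; suggest `firewall_verbose="1" # Firewall log detail, see ipfw(8) net.inet.ip.fw.verbose; 0 disables logging`.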
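Review bot: `proto[74]` on the added line is one byte short of the worst case: the TCP text can already reach 47 characters (`TCP ` plus two 15-character addresses, two 5-digit ports, their colons and a space, assuming the source side is formatted like the destination shown in the next hunk) and the new suffix ` f=%02x s=%08lx a=%08lx` adds 27 more, so 74 characters of text leave no room for the terminator and snprintf drops the last digit of the ack number when every field is at maximum width. This is truncation rather than overflow, provided SNPARGS passes the remaining size as its use suggests, but the log line then silently misreports the very sequence data the change was meant to expose; `char action2[32], proto[75], name[18], fragment[27], ipvals[44];` covers it. `ipvals[44]` is enough for the 42 characters its format can produce. These declarations belong to a function whose body continues outside the hunk.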
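Review bot: `if (fw_verbose > 2)` on the added line tests a threshold, but the ipfw.8 hunk in this diff documents net.inet.ip.fw.verbose as a bit field ("if the 4-bit is set, additional TCP information is included"), so a value of 4 emits both the IP and the TCP extras where the manual promises only TCP, and the `fw_verbose > 1` test in the next hunk has the same mismatch. Either test bits, `if (fw_verbose & 4)` here and `if (fw_verbose & 2)` there, or reword the manual in terms of levels. Separately, `%08lx` reads an unsigned long while `ntohl()` yields a 32-bit value where it is declared to return u_int32_t, so on a 64-bit target the variadic argument is narrower than the conversion consumes; `(u_long)ntohl(tcp->th_seq), (u_long)ntohl(tcp->th_ack)` makes format and argument agree on every target. The switch this hunk sits in continues outside the hunk.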
@@ -597,15 +604,23 @@
 (ip->ip_off & IP_MF) ? "+" : "");
 else
 fragment[0] = '\0';
+
+ if (fw_verbose > 1)
+ snprintf(SNPARGS(ipvals, 0), " [tos 0x%02x] (ttl %u, id %u, len %u)",
+ ip->ip_tos, ip->ip_ttl, ntohs(ip->ip_id), ip_len);
+ else
+ ipvals[0] = '\0';
+
 if (oif)
- log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n",
- name, action, proto, oif->if_name, oif->if_unit, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s%s\n",
+ name, action, proto, oif->if_name, oif->if_unit, fragment,
+ ipvals);
 else if (rif)
- log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s\n", name,
- action, proto, rif->if_name, rif->if_unit, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s in via %s%d%s%s\n", name,
+ action, proto, rif->if_name, rif->if_unit, fragment, ipvals);
 else
- log(LOG_SECURITY | LOG_INFO, "%s %s %s%s\n", name, action,
- proto, fragment);
+ log(LOG_SECURITY | LOG_INFO, "%s %s %s%s%s\n", name, action,
+ proto, fragment, ipvals);
 if ((f ? f->fw_logamount != 0 : 1) &&
 count == (f ? f->fw_loghighest : fw_verbose_limit))
 log(LOG_SECURITY | LOG_NOTICE,
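Review bot: The added `if (fw_verbose > 1)` block has no comment saying what the extra fields are or why they are gated, and its format line ` [tos 0x%02x] (ttl %u, id %u, len %u)` runs well past 80 columns while the surrounding code wraps continuation arguments onto indented lines. A one-line comment above it, `/* fw_verbose > 1: append IP header detail (tos, ttl, id, total length) to the log line */`, would tell the next reader where the tail of the message comes from, and moving the format string onto its own continuation line would match the log() calls below. The three log() calls now differ only in the direction text and repeat the same argument list; that duplication predates this change, but `ipvals` had to be threaded through all three and a fourth field would have to be too. The enclosing function continues past the end of this hunk.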