1,3c1,2
< /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 135920 2004-09-29 04:54:33Z mlaier $ */
< /* $OpenBSD: pfvar.h,v 1.187 2004/03/22 04:54:18 mcbride Exp $ */
< /* add $OpenBSD: pfvar.h,v 1.194 2004/05/11 07:34:11 dhartmei Exp $ */
---
> /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 145836 2005-05-03 16:43:32Z mlaier $ */
> /* $OpenBSD: pfvar.h,v 1.213 2005/03/03 07:13:39 dhartmei Exp $ */
37a37
> #include <sys/param.h>
42a43
> #include <net/route.h>
66c67
< enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT,
---
> enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
87c88,109
< PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET };
---
> PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET };
>
> /* PFTM default values */
> #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
> #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
> #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
> #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
> #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
> #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
> #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
> #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
> #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
> #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
> #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
> #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
> #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
> #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
> #define PFTM_FRAG_VAL 30 /* Fragment expire */
> #define PFTM_INTERVAL_VAL 10 /* Expire interval */
> #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
> #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
>
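Review bot: `PFTM_TCP_ESTABLISHED_VAL` and `PFTM_TCP_CLOSING_VAL` expand to unparenthesized arithmetic (`24*60*60`, `15 * 60`), so a use such as `x / PFTM_TCP_CLOSING_VAL` parses as `x / 15 * 60`; the same applies to `PF_THRESHOLD_MAX` in hunk 643a688,697, where the division in the expansion makes the precedence trap even easier to hit. Wrap the expansions: `#define PFTM_TCP_ESTABLISHED_VAL (24*60*60) /* Established */`, `#define PFTM_TCP_CLOSING_VAL (15 * 60) /* Half closed */` and `#define PF_THRESHOLD_MAX (0xffffffff / PF_THRESHOLD_MULT)`. The remaining PFTM_*_VAL entries are plain literals and need no change.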
94c116
< PF_ADDR_TABLE };
---
> PF_ADDR_TABLE, PF_ADDR_RTLABEL };
130a153,157
> #ifdef __FreeBSD__
> #define RTLABEL_LEN 32
> #endif
> char rtlabelname[RTLABEL_LEN];
> u_int32_t rtlabel;
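Review bot: `#define RTLABEL_LEN 32` is introduced inside a struct body under `#ifdef __FreeBSD__` (the struct's header lies outside the hunk), which hides a configuration constant where nobody will look for it. Structures in this header are carried across the DIOC* ioctls defined further down, so the FreeBSD value has to agree with whatever OpenBSD's `<net/route.h>` defines or the kernel/userland layout of `rtlabelname[RTLABEL_LEN]` diverges between the two trees — presumably the include added at 42a43 is where OpenBSD gets it. Move the `#ifdef` block next to that include with a comment such as `/* OpenBSD gets RTLABEL_LEN from <net/route.h>; must match that value */`.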
368c395
< #define PF_MISMATCHAW(aw, x, af, not) \
---
> #define PF_MISMATCHAW(aw, x, af, neg) \
371a399,400
> ((aw)->type == PF_ADDR_RTLABEL && \
> !pf_rtlabel_match((x), (af), (aw))) || \
380c409
< (not) \
---
> (neg) \
396c425
< u_int8_t not;
---
> u_int8_t neg;
537a567,568
> #define PF_ANCHOR_NAME_SIZE 64
>
557,558d587
< #define PF_ANCHOR_NAME_SIZE 16
< char anchorname[PF_ANCHOR_NAME_SIZE];
562a592,593
> char overload_tblname[PF_TABLE_NAME_SIZE];
>
571a603
> struct pfr_ktable *overload_tbl;
580a613,617
> u_int32_t max_src_conn;
> struct {
> u_int32_t limit;
> u_int32_t seconds;
> } max_src_conn_rate;
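Review bot: `max_src_conn_rate.limit` and `.seconds` are rule parameters that arrive from userland through the rule ioctls, yet nothing in the header records the accepted range; hunk 643a688,697 defines `PF_THRESHOLD_MAX` as `0xffffffff / PF_THRESHOLD_MULT`, which reads as the bound that keeps `limit * PF_THRESHOLD_MULT` inside a u_int32_t. Whether the ioctl path rejects larger values is not visible here and should be confirmed in the rule-add handler. Record the contract on the field: `u_int32_t limit; /* NOTE(review): presumably <= PF_THRESHOLD_MAX; confirm the rule ioctl rejects larger values */`. The enclosing struct begins and ends outside the hunk.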
584a622
> u_int32_t prob;
618a657,662
> u_int8_t anchor_relative;
> u_int8_t anchor_wildcard;
>
> #define PF_FLUSH 0x01
> #define PF_FLUSH_GLOBAL 0x02
> u_int8_t flush;
643a688,697
>
> struct pf_threshold {
> u_int32_t limit;
> #define PF_THRESHOLD_MULT 1000
> #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
> u_int32_t seconds;
> u_int32_t count;
> u_int32_t last;
> };
>
652a707,708
> u_int32_t conn;
> struct pf_threshold conn_rate;
661a718,721
> struct timeval pfss_last; /* time received last packet */
> u_int32_t pfss_tsecr; /* last echoed timestamp */
> u_int32_t pfss_tsval; /* largest timestamp */
> u_int32_t pfss_tsval0; /* original timestamp */
663,664c723,728
< #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */
< u_int8_t pfss_ttl; /* stashed TTL */
---
> #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */
> #define PFSS_PAWS 0x0010 /* stricter PAWS checks */
> #define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */
> #define PFSS_DATA_TS 0x0040 /* timestamp on data packets */
> #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */
> u_int8_t pfss_ttl; /* stashed TTL */
666c730
< u_int32_t pfss_ts_mod; /* timestamp modulation */
---
> u_int32_t pfss_ts_mod; /* timestamp modulation */
717a782
> u_int16_t tag;
726a792
> #define PFSTATE_STALE 0x04
735,737d800
< TAILQ_ENTRY(pf_ruleset) entries;
< #define PF_RULESET_NAME_SIZE 16
< char name[PF_RULESET_NAME_SIZE];
752,753c815,816
< TAILQ_HEAD(pf_rulesetqueue, pf_ruleset);
<
---
> RB_HEAD(pf_anchor_global, pf_anchor);
> RB_HEAD(pf_anchor_node, pf_anchor);
755c818,821
< TAILQ_ENTRY(pf_anchor) entries;
---
> RB_ENTRY(pf_anchor) entry_global;
> RB_ENTRY(pf_anchor) entry_node;
> struct pf_anchor *parent;
> struct pf_anchor_node children;
757,758c823,825
< struct pf_rulesetqueue rulesets;
< int tables;
---
> char path[MAXPATHLEN];
> struct pf_ruleset ruleset;
> int refcnt; /* anchor rules */
759a827,828
> RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
> RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
761,762d829
< TAILQ_HEAD(pf_anchorqueue, pf_anchor);
<
764d830
< #define PF_INTERFACE_RULESET "_if"
777,778c843
< char pfrt_anchor[PF_ANCHOR_NAME_SIZE];
< char pfrt_ruleset[PF_RULESET_NAME_SIZE];
---
> char pfrt_anchor[MAXPATHLEN];
847a913
> u_int8_t pfrke_intrpool;
929a996,997
> #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
> #define PFI_IFLAG_SETABLE_MASK 0x0100 /* setable via DIOC{SET,CLR}IFFLAG */
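Review bot: `PFI_IFLAG_SETABLE_MASK` repeats the literal `0x0100` instead of naming the flag it permits, so the next setable flag needs edits in two places and forgetting the mask silently rejects it. Define it in terms of the flag: `#define PFI_IFLAG_SETABLE_MASK (PFI_IFLAG_SKIP) /* setable via DIOC{SET,CLR}IFFLAG */`. Since this mask is what bounds which interface flags userland may toggle through the new DIOCSETIFFLAG/DIOCCLRIFFLAG ioctls (hunk 1374a1472,1473), keeping it the single authoritative list is worth the extra token.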
947a1016,1017
> struct ether_header
> *eh;
952a1023
> #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */
969c1040,1049
< #define PFRES_MAX 6 /* total+1 */
---
> #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
> #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
> #define PFRES_IPOPTIONS 8 /* IP option */
> #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
> #define PFRES_BADSTATE 10 /* State mismatch */
> #define PFRES_STATEINS 11 /* State insertion failure */
> #define PFRES_MAXSTATES 12 /* State limit */
> #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
> #define PFRES_SYNPROXY 14 /* SYN proxy */
> #define PFRES_MAX 15 /* total+1 */
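Review bot: `PFRES_MAX` and the string table `PFRES_NAMES` (hunk 977a1058,1066) must be edited together, and the only thing tying them is a reviewer counting nine new entries in each; the same holds for `LCNT_MAX` and `LCNT_NAMES` in hunk 980a1070,1090. A comment on the count makes the dependency explicit: `#define PFRES_MAX 15 /* total+1; keep in step with PFRES_NAMES */` and `#define LCNT_MAX 7 /* total+1; keep in step with LCNT_NAMES */`. The counts do match in this commit.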
977a1058,1066
> "bad-timestamp", \
> "congestion", \
> "ip-option", \
> "proto-cksum", \
> "state-mismatch", \
> "state-insert", \
> "state-limit", \
> "src-limit", \
> "synproxy", \
980a1070,1090
> /* Counters for other things we want to keep track of */
> #define LCNT_STATES 0 /* states */
> #define LCNT_SRCSTATES 1 /* max-src-states */
> #define LCNT_SRCNODES 2 /* max-src-nodes */
> #define LCNT_SRCCONN 3 /* max-src-conn */
> #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
> #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
> #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
> #define LCNT_MAX 7 /* total+1 */
>
> #define LCNT_NAMES { \
> "max states per rule", \
> "max-src-states", \
> "max-src-nodes", \
> "max-src-conn", \
> "max-src-conn-rate", \
> "overload table insertion", \
> "overload flush states", \
> NULL \
> }
>
1034a1145
> u_int64_t lcounters[LCNT_MAX]; /* limit counters */
1137,1138c1248
< char anchor[PF_ANCHOR_NAME_SIZE];
< char ruleset[PF_RULESET_NAME_SIZE];
---
> char anchor[MAXPATHLEN];
1147,1148c1257,1258
< char anchor[PF_ANCHOR_NAME_SIZE];
< char ruleset[PF_RULESET_NAME_SIZE];
---
> char anchor[MAXPATHLEN];
> char anchor_call[MAXPATHLEN];
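Review bot: `anchor[MAXPATHLEN]` and `anchor_call[MAXPATHLEN]` are copied in from userland, and the kernel-side consumers now take a bare `const char *` (`pf_find_ruleset` / `pf_find_or_create_ruleset` in hunk 1442,1445c1543,1544), so a buffer filled without a terminator is read past its end unless the ioctl handler forces one; the same applies to `pfrt_anchor` (777,778c843), `path` in pfioc_ruleset (1230a1341) and `anchor` in 1247,1248c1352. That termination step is not visible in this header and should be confirmed in the ioctl code. Record the requirement where the field is declared: `char anchor[MAXPATHLEN]; /* path from userland; ioctl handler must NUL-terminate before use */`. The enclosing struct starts outside the hunk.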
1229c1339
< struct pfioc_anchor {
---
> struct pfioc_ruleset {
1230a1341
> char path[MAXPATHLEN];
1234,1239d1344
< struct pfioc_ruleset {
< u_int32_t nr;
< char anchor[PF_ANCHOR_NAME_SIZE];
< char name[PF_RULESET_NAME_SIZE];
< };
<
1247,1248c1352
< char anchor[PF_ANCHOR_NAME_SIZE];
< char ruleset[PF_RULESET_NAME_SIZE];
---
> char anchor[MAXPATHLEN];
1305d1408
< #define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule)
1307d1409
< #define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule)
1330d1431
< #define DIOCBEGINALTQS _IOWR('D', 44, u_int32_t)
1332d1432
< #define DIOCCOMMITALTQS _IOWR('D', 46, u_int32_t)
1342,1343c1442
< #define DIOCGETANCHORS _IOWR('D', 56, struct pfioc_anchor)
< #define DIOCGETANCHOR _IOWR('D', 57, struct pfioc_anchor)
---
> /* XXX cut 55 - 57 */
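Review bot: The `/* XXX cut 55 - 57 */` placeholder reserves the numbers of the removed DIOCGETANCHORS/DIOCGETANCHOR, but the other ioctl numbers this commit retires — 3 and 5 (DIOCBEGINRULES/DIOCCOMMITRULES), 44 and 46 (DIOCBEGINALTQS/DIOCCOMMITALTQS), 75 and 76 (DIOCRINABEGIN/DIOCRINACOMMIT) — get no such marker. Because the `_IOWR` encoding distinguishes commands only by group, number and argument size, a later addition that reuses one of those numbers with a same-sized argument would be accepted from a pfctl built against the old header and interpreted as something else, which is exactly what the reservation comment exists to prevent. Add matching markers at the gaps, e.g. `/* XXX cut 3, 5 */`, or list every retired number in this one comment.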
1361,1362d1459
< #define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table)
< #define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table)
1374a1472,1473
> #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
> #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
1380c1479
< #define DIOCGIFSPEED _IOWR('D', 89, struct pf_ifspeed)
---
> #define DIOCGIFSPEED _IOWR('D', 91, struct pf_ifspeed)
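Review bot: `DIOCGIFSPEED` moves from number 89 to 91 while 89 is reassigned to the new `DIOCSETIFFLAG` (hunk 1374a1472,1473), so the number is reused with a different meaning rather than retired. A pfctl built against the old header that issues DIOCGIFSPEED reaches the kernel as number 89 and, if `sizeof(struct pf_ifspeed)` happens to equal `sizeof(struct pfioc_iface)`, is executed as a set-interface-flags request instead of a read-only query; with different sizes the `_IOWR` encoding rejects it, and I cannot tell from this header which case applies. Either keep 89 for DIOCGIFSPEED and take 91/92 for the new pair, or document the deliberate renumbering: `#define DIOCGIFSPEED _IOWR('D', 91, struct pf_ifspeed) /* was 89; 89 is now DIOCSETIFFLAG */`.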
1394c1493
< extern struct pf_anchorqueue pf_anchors;
---
> extern struct pf_anchor_global pf_anchors;
1416d1514
< extern void pf_update_anchor_rules(void);
1420c1518
< extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl;
---
> extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl, pfr_kentry_pl2;
1431a1530
> extern void pf_purge_expired_state(struct pf_state *);
1440a1540,1541
> extern void pf_print_state(struct pf_state *);
> extern void pf_print_flags(u_int8_t);
1442,1445c1543,1544
< extern struct pf_ruleset *pf_find_ruleset(char *, char *);
< extern struct pf_ruleset *pf_find_or_create_ruleset(
< char[PF_ANCHOR_NAME_SIZE],
< char[PF_RULESET_NAME_SIZE]);
---
> extern struct pf_ruleset *pf_find_ruleset(const char *);
> extern struct pf_ruleset *pf_find_or_create_ruleset(const char *);
1460c1559,1560
< int pf_test(int, struct ifnet *, struct mbuf **, struct inpcb *);
---
> int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *,
> struct inpcb *);
1462c1562
< int pf_test(int, struct ifnet *, struct mbuf **);
---
> int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *);
1468c1568,1569
< int pf_test6(int, struct ifnet *, struct mbuf **, struct inpcb *);
---
> int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *,
> struct inpcb *);
1470c1571
< int pf_test6(int, struct ifnet *, struct mbuf **);
---
> int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *);
1490,1491c1591,1594
< int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *);
< int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *);
---
> int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
> struct pf_pdesc *);
> int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
> struct pf_pdesc *);
1498,1499c1601,1602
< u_short *, struct tcphdr *, struct pf_state_peer *,
< struct pf_state_peer *, int *);
---
> u_short *, struct tcphdr *, struct pf_state *,
> struct pf_state_peer *, struct pf_state_peer *, int *);
1503a1607
> int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
1521a1626
> int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
1559a1665,1666
> int pfi_set_flags(const char *, int);
> int pfi_clear_flags(const char *, int);
1566a1674
> void pf_tag_ref(u_int16_t);