1,2c1,2
< /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 130397 2004-06-13 01:36:31Z mlaier $ */
< /* $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */
---
> /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 130613 2004-06-16 23:24:02Z mlaier $ */
> /* $OpenBSD: pfvar.h,v 1.187 2004/03/22 04:54:18 mcbride Exp $ */
69a70
> enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
90,91c91,92
< PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_MAX,
< PFTM_PURGE, PFTM_UNTIL_PACKET };
---
> PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
> PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET };
93c94
< enum { PF_LIMIT_STATES, PF_LIMIT_FRAGS, PF_LIMIT_MAX };
---
> enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX };
99a101
> #define PF_POOL_STICKYADDR 0x20
119a122,127
> #define PFI_AFLAG_NETWORK 0x01
> #define PFI_AFLAG_BROADCAST 0x02
> #define PFI_AFLAG_PEER 0x04
> #define PFI_AFLAG_MODEMASK 0x07
> #define PFI_AFLAG_NOALIAS 0x08
>
130c138
< struct pf_addr_dyn *dyn;
---
> struct pfi_dynaddr *dyn;
131a140
> int dyncnt;
134a144
> u_int8_t iflags; /* PFI_AFLAG_* */
139,149c149,161
< struct pf_addr_dyn {
< char ifname[IFNAMSIZ];
< struct ifnet *ifp;
< struct pf_addr *addr;
< sa_family_t af;
< #ifdef __FreeBSD__
< eventhandler_tag hook_cookie;
< #else
< void *hook_cookie;
< #endif
< u_int8_t undefined;
---
> struct pfi_dynaddr {
> struct pf_addr pfid_addr4;
> struct pf_addr pfid_mask4;
> struct pf_addr pfid_addr6;
> struct pf_addr pfid_mask6;
> struct pfr_ktable *pfid_kt;
> struct pfi_kif *pfid_kif;
> void *pfid_hook_cookie;
> int pfid_net; /* optional mask, or 128 */
> int pfid_acnt4; /* address count, IPv4 */
> int pfid_acnt6; /* address count, IPv6 */
> sa_family_t pfid_af; /* rule address family */
> u_int8_t pfid_iflags; /* PFI_AFLAG_* */
215d226
< #endif
216a228,243
> /* prototyped for pf_subr.c */
> struct hook_desc {
> TAILQ_ENTRY(hook_desc) hd_list;
> void (*hd_fn)(void *);
> void *hd_arg;
> };
> TAILQ_HEAD(hook_desc_head, hook_desc);
>
> void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *);
> void hook_disestablish(struct hook_desc_head *, void *);
> void dohooks(struct hook_desc_head *, int);
>
> #define HOOK_REMOVE 0x01
> #define HOOK_FREE 0x02
> #endif /* __FreeBSD__ */
>
353,356c380
< ((aw)->p.dyn->undefined || \
< (!PF_AZERO(&(aw)->v.a.mask, (af)) && \
< !PF_MATCHA(0, &(aw)->v.a.addr, \
< &(aw)->v.a.mask, (x), (af))))) || \
---
> !pfi_match_addr((aw)->p.dyn, (x), (af))) || \
385c409
< struct ifnet *ifp;
---
> struct pfi_kif *kif;
534d557
< u_int32_t timeout[PFTM_MAX];
552c575
< struct ifnet *ifp;
---
> struct pfi_kif *kif;
555a579,580
>
> u_int32_t timeout[PFTM_MAX];
557a583,585
> u_int32_t src_nodes;
> u_int32_t max_src_nodes;
> u_int32_t max_src_states;
603a632,634
> #define PFRULE_NOSYNC 0x0010
> #define PFRULE_SRCTRACK 0x0020 /* track source states */
> #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
611a643,646
> /* rule flags again */
> #define PFRULE_IFBOUND 0x00010000 /* if-bound */
> #define PFRULE_GRBOUND 0x00020000 /* group-bound */
>
613a649,662
> struct pf_src_node {
> RB_ENTRY(pf_src_node) entry;
> struct pf_addr addr;
> struct pf_addr raddr;
> union pf_rule_ptr rule;
> struct pfi_kif *kif;
> u_int32_t bytes;
> u_int32_t packets;
> u_int32_t states;
> u_int32_t creation;
> u_int32_t expire;
> sa_family_t af;
> u_int8_t ruletype;
> };
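Review bot: `struct pf_src_node` mixes kernel linkage (`RB_ENTRY(pf_src_node) entry`, `union pf_rule_ptr rule`, `struct pfi_kif *kif`) with the counters, and the later `pfioc_src_nodes` hunk declares `struct pf_src_node *psu_src_nodes` as the userland buffer type, so this same layout appears to be what DIOCGETSRCNODES hands out. The copy-out code is not in this diff; unless it clears those members first, kernel addresses reach any process allowed to issue the ioctl. I would add a comment above the struct, e.g. `/* exported via DIOCGETSRCNODES: entry, rule and kif must be cleared before copyout */`, or split the exported fields into a separate struct.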
614a664,665
> #define PFSNODE_HIWAT 10000 /* default source node table size */
>
639a691,692
> TAILQ_HEAD(pf_state_queue, pf_state);
>
640a694,704
> u_int64_t id;
> union {
> struct {
> RB_ENTRY(pf_state) entry_lan_ext;
> RB_ENTRY(pf_state) entry_ext_gwy;
> RB_ENTRY(pf_state) entry_id;
> TAILQ_ENTRY(pf_state) entry_updates;
> struct pfi_kif *kif;
> } s;
> char ifname[IFNAMSIZ];
> } u;
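Review bot: The union `u` overlays `char ifname[IFNAMSIZ]` on the tree and queue linkage and the `kif` pointer in `u.s`, but nothing says which arm is valid when. Presumably `s` is the in-kernel view and `ifname` is what userland sees; if so, a state supplied from userland carries caller-chosen bytes where the RB entries and `kif` live, and those must be reinitialised before the state is linked into any tree. A comment such as `/* s: kernel only; ifname: userland view, never trust u.s after copyin */` on the union would record that. The rest of `struct pf_state` lies outside this hunk.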
650c714,716
< struct ifnet *rt_ifp;
---
> struct pfi_kif *rt_kif;
> struct pf_src_node *src_node;
> struct pf_src_node *nat_src_node;
652a719
> u_int32_t pfsync_time;
654a722
> u_int32_t creatorid;
661c729,732
< u_int8_t pad[2];
---
> u_int8_t sync_flags;
> #define PFSTATE_NOSYNC 0x01
> #define PFSTATE_FROMSYNC 0x02
> u_int8_t pad;
664,672d734
< struct pf_tree_node {
< RB_ENTRY(pf_tree_node) entry;
< struct pf_state *state;
< struct pf_addr addr[2];
< u_int16_t port[2];
< sa_family_t af;
< u_int8_t proto;
< };
<
685a748
> int open;
704a768,770
> #define PF_RESERVED_ANCHOR "_pf"
> #define PF_INTERFACE_RULESET "_if"
>
790a857
> long pfrkt_larg;
795,796c862,863
< #define pfrkt_anchor pfrkt_t.pfrt_anchor
< #define pfrkt_ruleset pfrkt_t.pfrt_ruleset
---
> #define pfrkt_anchor pfrkt_t.pfrt_anchor
> #define pfrkt_ruleset pfrkt_t.pfrt_ruleset
805a873,927
> RB_HEAD(pf_state_tree_lan_ext, pf_state);
> RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state,
> u.s.entry_lan_ext, pf_state_compare_lan_ext);
>
> RB_HEAD(pf_state_tree_ext_gwy, pf_state);
> RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state,
> u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
>
> struct pfi_if {
> char pfif_name[IFNAMSIZ];
> u_int64_t pfif_packets[2][2][2];
> u_int64_t pfif_bytes[2][2][2];
> u_int64_t pfif_addcnt;
> u_int64_t pfif_delcnt;
> long pfif_tzero;
> int pfif_states;
> int pfif_rules;
> int pfif_flags;
> };
>
> TAILQ_HEAD(pfi_grouphead, pfi_kif);
> TAILQ_HEAD(pfi_statehead, pfi_kif);
> RB_HEAD(pfi_ifhead, pfi_kif);
> struct pfi_kif {
> struct pfi_if pfik_if;
> RB_ENTRY(pfi_kif) pfik_tree;
> struct pf_state_tree_lan_ext pfik_lan_ext;
> struct pf_state_tree_ext_gwy pfik_ext_gwy;
> struct pfi_grouphead pfik_grouphead;
> TAILQ_ENTRY(pfi_kif) pfik_instances;
> TAILQ_ENTRY(pfi_kif) pfik_w_states;
> struct hook_desc_head *pfik_ah_head;
> void *pfik_ah_cookie;
> struct pfi_kif *pfik_parent;
> struct ifnet *pfik_ifp;
> int pfik_states;
> int pfik_rules;
> };
> #define pfik_name pfik_if.pfif_name
> #define pfik_packets pfik_if.pfif_packets
> #define pfik_bytes pfik_if.pfif_bytes
> #define pfik_tzero pfik_if.pfif_tzero
> #define pfik_flags pfik_if.pfif_flags
> #define pfik_addcnt pfik_if.pfif_addcnt
> #define pfik_delcnt pfik_if.pfif_delcnt
> #define pfik_states pfik_if.pfif_states
> #define pfik_rules pfik_if.pfif_rules
>
> #define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
> #define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
> #define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
> #define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
> #define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
> #define PFI_IFLAG_PLACEHOLDER 0x8000 /* placeholder group/interface */
>
816a939,941
> struct pf_addr baddr; /* address before translation */
> struct pf_addr naddr; /* address after translation */
> struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */
884a1010,1013
> #define SCNT_SRC_NODE_SEARCH 0
> #define SCNT_SRC_NODE_INSERT 1
> #define SCNT_SRC_NODE_REMOVALS 2
> #define SCNT_MAX 3
902a1032
> u_int64_t scounters[SCNT_MAX];
904a1035
> u_int64_t stateid;
906a1038
> u_int32_t src_nodes;
908a1041
> u_int32_t hostid;
1039a1173
> char psk_ifname[IFNAMSIZ];
1051a1186,1195
> struct pfioc_src_nodes {
> int psn_len;
> union {
> caddr_t psu_buf;
> struct pf_src_node *psu_src_nodes;
> } psn_u;
> #define psn_buf psn_u.psu_buf
> #define psn_src_nodes psn_u.psu_src_nodes
> };
>
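Review bot: `psn_len` is a signed `int` describing a userland buffer, and the same pattern recurs in the next two ioctl structs (`size`/`esize` in `pfioc_trans`, `pfiio_esize`/`pfiio_size` in `pfioc_iface`). The handlers are outside this diff, so it is not visible whether negative values are rejected, whether `esize` is compared against the kernel's own element size, or whether `size * esize` is bounded before it drives an allocation or copy. Please document the required checks next to the declarations, e.g. `int psn_len; /* buffer length in bytes; handler must reject < 0 */` and `int esize; /* must equal sizeof(struct pfioc_trans_e) */`. The `anchor` and `ruleset` arrays in `pfioc_trans_e` also arrive from userland and need NUL termination enforced before use.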
1091a1236,1248
> #define PF_RULESET_ALTQ (PF_RULESET_MAX)
> #define PF_RULESET_TABLE (PF_RULESET_MAX+1)
> struct pfioc_trans {
> int size; /* number of elements */
> int esize; /* size of each element in bytes */
> struct pfioc_trans_e {
> int rs_num;
> char anchor[PF_ANCHOR_NAME_SIZE];
> char ruleset[PF_RULESET_NAME_SIZE];
> u_int32_t ticket;
> } *array;
> };
>
1099a1257,1259
> #ifdef _KERNEL
> #define PFR_FLAG_USERIOCTL 0x10000000
> #endif
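Review bot: `PFR_FLAG_USERIOCTL` is a kernel-only bit with no comment saying who sets it or what it selects, and it presumably shares a flag word with values that userland passes in. If, as the name suggests, it marks calls whose buffers are userland pointers, every ioctl path has to OR it in itself, and a table routine reached without it would treat a userland address as kernel memory. Please state that contract here, e.g. `/* set only by the ioctl handler; selects copyin/copyout for table buffers */`, and confirm the handler never relies on the caller's flags to carry the bit.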
1120a1281,1294
> #define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
> #define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
> #define PFI_FLAG_ALLMASK 0x0003
>
> struct pfioc_iface {
> char pfiio_name[IFNAMSIZ];
> void *pfiio_buffer;
> int pfiio_esize;
> int pfiio_size;
> int pfiio_nzero;
> int pfiio_flags;
> };
>
>
1133c1307
< #define DIOCCLRSTATES _IO ('D', 18)
---
> #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
1188a1363,1370
> #define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans)
> #define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans)
> #define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans)
> #define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes)
> #define DIOCCLRSRCNODES _IO('D', 85)
> #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t)
> #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
> #define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface)
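Review bot: These eight commands put state-changing operations (`DIOCXCOMMIT`, `DIOCCLRSRCNODES`, `DIOCSETHOSTID`, `DIOCICLRISTATS`) next to read-only ones (`DIOCGETSRCNODES`, `DIOCIGETIFACES`), and nothing in the header records which is which. The dispatch code is not in this diff; if it gates commands by securelevel or by whether the descriptor was opened for writing, each new number must land on the correct side of those lists, otherwise a read-only opener could clear statistics or change the host id. A short trailing comment per define, e.g. `/* modifies state: requires write access */`, would make that auditable from the header.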
1194c1376
< #define DIOCGIFSPEED _IOWR('D', 81, struct pf_ifspeed)
---
> #define DIOCGIFSPEED _IOWR('D', 89, struct pf_ifspeed)
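Review bot: Moving `DIOCGIFSPEED` from 81 to 89 while `DIOCXBEGIN` takes over 81 changes the kernel/userland ABI with no marker in the header. A tool built against the old header still issues command 81 with a `struct pf_ifspeed` argument; whether that is rejected or dispatched as `DIOCXBEGIN` depends on the argument size that `_IOWR` encodes, which is not something to rely on. The same concern applies to `DIOCCLRSTATES` changing from `_IO` to `_IOWR('D', 18, struct pfioc_state_kill)` earlier in this diff. I would add `/* renumbered from 81; userland must be rebuilt in lockstep */` on this line.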
1198,1200c1380,1382
< RB_HEAD(pf_state_tree, pf_tree_node);
< RB_PROTOTYPE(pf_state_tree, pf_tree_node, entry, pf_state_compare);
< extern struct pf_state_tree tree_lan_ext, tree_ext_gwy;
---
> RB_HEAD(pf_src_tree, pf_src_node);
> RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
> extern struct pf_src_tree tree_src_tracking;
1202,1203c1384,1391
< extern struct pf_anchorqueue pf_anchors;
< extern struct pf_ruleset pf_main_ruleset;
---
> RB_HEAD(pf_state_tree_id, pf_state);
> RB_PROTOTYPE(pf_state_tree_id, pf_state,
> entry_id, pf_state_compare_id);
> extern struct pf_state_tree_id tree_id;
> extern struct pf_state_queue state_updates;
>
> extern struct pf_anchorqueue pf_anchors;
> extern struct pf_ruleset pf_main_ruleset;
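Review bot: `RB_PROTOTYPE(pf_state_tree_id, pf_state, entry_id, pf_state_compare_id)` names the field `entry_id`, but the `struct pf_state` hunk places that member at `u.s.entry_id`, and the two sibling prototypes use `u.s.entry_lan_ext` and `u.s.entry_ext_gwy`. This probably still compiles, since the prototype macro normally ignores its field argument, but it will mislead anyone who copies the line into the matching generate macro. Change the third argument to `u.s.entry_id` so the three trees are declared consistently.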
1205c1393
< extern struct pf_poolqueue pf_pools[2];
---
> extern struct pf_poolqueue pf_pools[2];
1207,1208c1395,1397
< extern struct pf_altqqueue pf_altqs[2];
< extern struct pf_palist pf_pabuf;
---
> extern struct pf_altqqueue pf_altqs[2];
> extern struct pf_palist pf_pabuf;
> extern struct pfi_kif **pfi_index2kif;
1210d1398
<
1212a1401
> extern int altqs_inactive_open;
1222,1225d1410
< extern int pf_dynaddr_setup(struct pf_addr_wrap *,
< sa_family_t);
< extern void pf_dynaddr_copyout(struct pf_addr_wrap *);
< extern void pf_dynaddr_remove(struct pf_addr_wrap *);
1227,1228d1411
< extern void pf_rule_set_qid(struct pf_rulequeue *);
< extern u_int32_t pf_qname_to_qid(char *);
1231c1414
< extern uma_zone_t pf_tree_pl, pf_rule_pl, pf_addr_pl;
---
> extern uma_zone_t pf_src_tree_pl, pf_rule_pl;
1235a1419
> extern uma_zone_t pfi_addr_pl;
1237c1421
< extern struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl;
---
> extern struct pool pf_src_tree_pl, pf_rule_pl;
1241a1426
> extern void pf_purge_expired_src_nodes(void);
1243,1245c1428,1436
< extern int pf_insert_state(struct pf_state *);
< extern struct pf_state *pf_find_state(struct pf_state_tree *,
< struct pf_tree_node *);
---
> extern int pf_insert_state(struct pfi_kif *,
> struct pf_state *);
> extern int pf_insert_src_node(struct pf_src_node **,
> struct pf_rule *, struct pf_addr *,
> sa_family_t);
> void pf_src_tree_remove_state(struct pf_state *);
> extern struct pf_state *pf_find_state_byid(struct pf_state *);
> extern struct pf_state *pf_find_state_all(struct pf_state *key,
> u_int8_t tree, int *more);
1248c1439,1441
< extern struct pf_ruleset *pf_find_or_create_ruleset(char *, char *);
---
> extern struct pf_ruleset *pf_find_or_create_ruleset(
> char[PF_ANCHOR_NAME_SIZE],
> char[PF_RULESET_NAME_SIZE]);
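Review bot: Declaring the parameters as `char[PF_ANCHOR_NAME_SIZE]` and `char[PF_RULESET_NAME_SIZE]` documents the expected buffer sizes but enforces nothing, because array parameters decay to `char *`. Callers that pass names copied in from userland still have to guarantee NUL termination within those sizes before the lookup walks the strings. A comment on the prototype, e.g. `/* both names must be NUL-terminated within their declared size */`, would state the contract that the signature only hints at.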
1252c1445
< extern struct ifnet *status_ifp;
---
> extern struct ifnet *sync_ifp;
1273c1466
< int pflog_packet(struct ifnet *, struct mbuf *, sa_family_t, u_int8_t,
---
> int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
1283,1285c1476,1478
< int pf_normalize_ip(struct mbuf **, int, struct ifnet *, u_short *);
< int pf_normalize_ip6(struct mbuf **, int, struct ifnet *, u_short *);
< int pf_normalize_tcp(int, struct ifnet *, struct mbuf *, int, int, void *,
---
> int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *);
> int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *);
> int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
1302a1496
> void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
1326a1521
> int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int);
1330a1526,1550
> void pfi_initialize(void);
> #ifdef __FreeBSD__
> void pfi_cleanup(void);
> #endif
> void pfi_attach_clone(struct if_clone *);
> void pfi_attach_ifnet(struct ifnet *);
> void pfi_detach_ifnet(struct ifnet *);
> struct pfi_kif *pfi_lookup_create(const char *);
> struct pfi_kif *pfi_lookup_if(const char *);
> int pfi_maybe_destroy(struct pfi_kif *);
> struct pfi_kif *pfi_attach_rule(const char *);
> void pfi_detach_rule(struct pfi_kif *);
> void pfi_attach_state(struct pfi_kif *);
> void pfi_detach_state(struct pfi_kif *);
> int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
> void pfi_dynaddr_copyout(struct pf_addr_wrap *);
> void pfi_dynaddr_remove(struct pf_addr_wrap *);
> void pfi_fill_oldstatus(struct pf_status *);
> int pfi_clr_istats(const char *, int *, int);
> int pfi_get_ifaces(const char *, struct pfi_if *, int *, int);
> int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
> sa_family_t);
>
> extern struct pfi_statehead pfi_statehead;
>
1334a1555,1557
> u_int32_t pf_qname2qid(char *);
> void pf_qid2qname(u_int32_t, char *);
> void pf_qid_unref(u_int32_t);
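Review bot: `pf_qid2qname(u_int32_t, char *)` appears to write a queue name into a caller-supplied buffer, yet it takes no length argument, so the required buffer size is an unwritten contract. Either add a size parameter, `void pf_qid2qname(u_int32_t, char *, size_t);`, or document the minimum buffer size on the prototype so a caller cannot under-allocate. `pf_qname2qid(char *)` could also take `const char *` if it does not modify the name; neither body is visible in this diff.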