Revert change that benno apparently commited by mistake and breaks build
on gcc architectures. ok florian@

A pf rule with a "on rdomain n" with nonexisting rdomain n will cause an

pfctl: DIOCADDRULE: Device busy

error when loading the ruleset, with no information which rule caused
the problem and no indication that the problem is the rdomain
<nonexisting>.

This diff makes pfctl check if the rdomain really exists when parsing
the config.

ok bluhm@

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

Remove m88k compiler flags tweak which is no longer necessary since a long time
already.

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@

'pfctl -o' ruleset optimizer that doesnt change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@

Work around an uncovered gcc problem on m88k until it receives proper cure.

Actually use SRCS+= so that we don't have a wrapped line.

include path fixes for gcc3.
tests otto@, okay millert@

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

first attack at pfctl queue statistics, to be displayed with pfctl -vsq

This commit is dedicated to the cute KLM girls who made part of this
possible with giving me a seat in the plane where you actually have enough
place to hack. Thanks, girls.

ok markus@ dhartmei@

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@

style

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documetation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel

oooooooopsie

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from whoch we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@

split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok

get rid of cleanfiles by getting rid of cleanfiles; markus@ ok

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@

Add -Wall

pfctl now has a manpage. likely needs fleshing out.

Move and rename packet filter userland.
grr. CVS: making easy things difficult, and directory operations impossible.

remove altq bits here, too
(i was convinced i committed that yesterday already, hrm)

config bits for the bandwidth shaping part of the new queueing subsystem
syntax worked out with many in ljubljana using a whiteboard, testing &
looking over by many, ok phessler sthen

Remove m88k compiler flags tweak which is no longer necessary since a long time
already.

Load all rules into memory before loading into the kernel, and add support
for anchors loaded inline in pf.conf, enclosed in a brace-delimited
block ("{" "}").

anchor on fxp0 {
pass in proto tcp port 22
}

The anchor name is optional on inline loaded anchors.

testing ckuethe@
ok henning@ dhartmei@

'pfctl -o' ruleset optimizer that doesnt change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules
ok henning@ mcbride@. man page help from jmc@

Work around an uncovered gcc problem on m88k until it receives proper cure.

Actually use SRCS+= so that we don't have a wrapped line.

include path fixes for gcc3.
tests otto@, okay millert@

Add Michal Zalewski's p0f v2 style passive OS fingerprinting to PF.
Exposes the source IP's operating system to the filter language.
Interesting policy decisions are now enforceable:
. block proto tcp from any os SCO
. block proto tcp from any os Windows to any port smtp
. rdr ... from any os "Windows 98" to port WWW -> 127.0.0.1 port 8001

first attack at pfctl queue statistics, to be displayed with pfctl -vsq

This commit is dedicated to the cute KLM girls who made part of this
possible with giving me a seat in the plane where you actually have enough
place to hack. Thanks, girls.

ok markus@ dhartmei@

Bring in userland code for accessing PF radix tables.
ok dhartmei@ mcbride@

style

altq and pf merged

this isn't 100% done yet: the print_ stuff isn't finished, some features
will be added later, and there is no documetation yet, but committing now
enables a few more people to work on.

print_altq_node stuff hacked by Daniel at euroBSDcon; lotsa stuff from kjc,
debugging help also pb and camiel. lots of good ideas by theo.

"commit now" theo philipp daniel

oooooooopsie

bit more clue in rdr/nat rules wrt address family examination
don't take the af from host_node structs based on interface lookups, most
interfaces will have both IPv4 and IPv6 addresses. Most rdr/nat rules will
at least have one IP address specified from whoch we take the af for the
whole rule. The rare exceptional cases require the user to specify the af.

ok frantzen@

split out the pf_state printing functions to be used elsewhere, no functional change; dhartmei@ ok

get rid of cleanfiles by getting rid of cleanfiles; markus@ ok

add a yacc parser for pf.conf and nat.conf, with help from mickey@,
plus: -n now turns off all operations, and just parses the conf files
ok deraadt@

Add -Wall

pfctl now has a manpage. likely needs fleshing out.

Move and rename packet filter userland.
grr. CVS: making easy things difficult, and directory operations impossible.