D29644.id87031.diff
No OneTemporary
Actions

Size

49 KB

Referenced Files

None

Subscribers

None

D29644.id87031.diff
View Options

	Index: contrib/pf/ftp-proxy/filter.c
	===================================================================
	--- contrib/pf/ftp-proxy/filter.c
	+++ contrib/pf/ftp-proxy/filter.c
	@@ -50,7 +50,11 @@
	struct sockaddr_in6 *);

	static struct pfioc_pooladdr pfp;
	-static struct pfioc_rule pfr;
	+static struct pfctl_rule pfrule;
	+static char pfanchor[PF_ANCHOR_NAME_SIZE];
	+static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
	+static uint32_t pfticket;
	+static uint32_t pfpool_ticket;
	static struct pfioc_trans pft;
	static struct pfioc_trans_e pfte[TRANS_SIZE];
	static int dev, rule_log;
	@@ -68,9 +72,9 @@
	if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port) == -1)
	return (-1);

	- pfr.rule.direction = dir;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.direction = dir;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -99,14 +103,14 @@
	&satosin6(nat)->sin6_addr.s6_addr, 16);
	memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
	}
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	- pfr.rule.rpool.proxy_port[0] = nat_range_low;
	- pfr.rule.rpool.proxy_port[1] = nat_range_high;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.rpool.proxy_port[0] = nat_range_low;
	+ pfrule.rpool.proxy_port[1] = nat_range_high;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -134,13 +138,13 @@
	&satosin6(rdr)->sin6_addr.s6_addr, 16);
	memset(&pfp.addr.addr.v.a.mask.addr8, 255, 16);
	}
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	- pfr.rule.rpool.proxy_port[0] = rdr_port;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.rpool.proxy_port[0] = rdr_port;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -237,21 +241,21 @@
	}

	memset(&pfp, 0, sizeof pfp);
	- memset(&pfr, 0, sizeof pfr);
	+ memset(&pfrule, 0, sizeof pfrule);
	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
	getpid(), id);
	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
	- strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
	+ strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);

	switch (rs_num) {
	case PF_RULESET_FILTER:
	- pfr.ticket = pfte[TRANS_FILTER].ticket;
	+ pfticket = pfte[TRANS_FILTER].ticket;
	break;
	case PF_RULESET_NAT:
	- pfr.ticket = pfte[TRANS_NAT].ticket;
	+ pfticket = pfte[TRANS_NAT].ticket;
	break;
	case PF_RULESET_RDR:
	- pfr.ticket = pfte[TRANS_RDR].ticket;
	+ pfticket = pfte[TRANS_RDR].ticket;
	break;
	default:
	errno = EINVAL;
	@@ -259,30 +263,30 @@
	}
	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
	return (-1);
	- pfr.pool_ticket = pfp.ticket;
	+ pfpool_ticket = pfp.ticket;

	/* Generic for all rule types. */
	- pfr.rule.af = src->sa_family;
	- pfr.rule.proto = IPPROTO_TCP;
	- pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
	- pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
	+ pfrule.af = src->sa_family;
	+ pfrule.proto = IPPROTO_TCP;
	+ pfrule.src.addr.type = PF_ADDR_ADDRMASK;
	+ pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
	if (src->sa_family == AF_INET) {
	- memcpy(&pfr.rule.src.addr.v.a.addr.v4,
	+ memcpy(&pfrule.src.addr.v.a.addr.v4,
	&satosin(src)->sin_addr.s_addr, 4);
	- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
	- memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
	+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
	+ memcpy(&pfrule.dst.addr.v.a.addr.v4,
	&satosin(dst)->sin_addr.s_addr, 4);
	- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
	+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
	} else {
	- memcpy(&pfr.rule.src.addr.v.a.addr.v6,
	+ memcpy(&pfrule.src.addr.v.a.addr.v6,
	&satosin6(src)->sin6_addr.s6_addr, 16);
	- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
	- memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
	+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
	+ memcpy(&pfrule.dst.addr.v.a.addr.v6,
	&satosin6(dst)->sin6_addr.s6_addr, 16);
	- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
	+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
	}
	- pfr.rule.dst.port_op = PF_OP_EQ;
	- pfr.rule.dst.port[0] = htons(d_port);
	+ pfrule.dst.port_op = PF_OP_EQ;
	+ pfrule.dst.port[0] = htons(d_port);

	switch (rs_num) {
	case PF_RULESET_FILTER:
	@@ -291,32 +295,32 @@
	* from $src to $dst port = $d_port flags S/SA keep state
	* (max 1) [queue qname] [tag tagname]
	*/
	- pfr.rule.action = PF_PASS;
	- pfr.rule.quick = 1;
	- pfr.rule.log = rule_log;
	- pfr.rule.keep_state = 1;
	- pfr.rule.flags = TH_SYN;
	- pfr.rule.flagset = (TH_SYN\|TH_ACK);
	- pfr.rule.max_states = 1;
	+ pfrule.action = PF_PASS;
	+ pfrule.quick = 1;
	+ pfrule.log = rule_log;
	+ pfrule.keep_state = 1;
	+ pfrule.flags = TH_SYN;
	+ pfrule.flagset = (TH_SYN\|TH_ACK);
	+ pfrule.max_states = 1;
	if (qname != NULL)
	- strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
	+ strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
	if (tagname != NULL) {
	- pfr.rule.quick = 0;
	- strlcpy(pfr.rule.tagname, tagname,
	- sizeof pfr.rule.tagname);
	+ pfrule.quick = 0;
	+ strlcpy(pfrule.tagname, tagname,
	+ sizeof pfrule.tagname);
	}
	break;
	case PF_RULESET_NAT:
	/*
	* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
	*/
	- pfr.rule.action = PF_NAT;
	+ pfrule.action = PF_NAT;
	break;
	case PF_RULESET_RDR:
	/*
	* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
	*/
	- pfr.rule.action = PF_RDR;
	+ pfrule.action = PF_RDR;
	break;
	default:
	errno = EINVAL;
	Index: contrib/pf/tftp-proxy/filter.c
	===================================================================
	--- contrib/pf/tftp-proxy/filter.c
	+++ contrib/pf/tftp-proxy/filter.c
	@@ -54,7 +54,11 @@
	struct sockaddr_in6 *, u_int8_t);

	static struct pfioc_pooladdr pfp;
	-static struct pfioc_rule pfr;
	+static struct pfctl_rule pfrule;
	+static uint32_t pfticket;
	+static uint32_t pfpool_ticket;
	+static char pfanchor[PF_ANCHOR_NAME_SIZE];
	+static char pfanchor_call[PF_ANCHOR_NAME_SIZE];
	static struct pfioc_trans pft;
	static struct pfioc_trans_e pfte[TRANS_SIZE];
	static int dev, rule_log;
	@@ -72,9 +76,9 @@
	if (prepare_rule(id, PF_RULESET_FILTER, src, dst, d_port, proto) == -1)
	return (-1);

	- pfr.rule.direction = dir;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.direction = dir;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -106,10 +110,10 @@
	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
	return (-1);

	- pfr.rule.rpool.proxy_port[0] = nat_range_low;
	- pfr.rule.rpool.proxy_port[1] = nat_range_high;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.rpool.proxy_port[0] = nat_range_low;
	+ pfrule.rpool.proxy_port[1] = nat_range_high;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -140,9 +144,9 @@
	if (ioctl(dev, DIOCADDADDR, &pfp) == -1)
	return (-1);

	- pfr.rule.rpool.proxy_port[0] = rdr_port;
	- if (libpfctl_add_rule(dev, &pfr.rule, pfr.anchor, pfr.anchor_call,
	- pfr.ticket, pfr.pool_ticket))
	+ pfrule.rpool.proxy_port[0] = rdr_port;
	+ if (libpfctl_add_rule(dev, &pfrule, pfanchor, pfanchor_call,
	+ pfticket, pfpool_ticket))
	return (-1);

	return (0);
	@@ -244,21 +248,21 @@
	}

	memset(&pfp, 0, sizeof pfp);
	- memset(&pfr, 0, sizeof pfr);
	+ memset(&pfrule, 0, sizeof pfrule);
	snprintf(an, PF_ANCHOR_NAME_SIZE, "%s/%d.%d", FTP_PROXY_ANCHOR,
	getpid(), id);
	strlcpy(pfp.anchor, an, PF_ANCHOR_NAME_SIZE);
	- strlcpy(pfr.anchor, an, PF_ANCHOR_NAME_SIZE);
	+ strlcpy(pfanchor, an, PF_ANCHOR_NAME_SIZE);

	switch (rs_num) {
	case PF_RULESET_FILTER:
	- pfr.ticket = pfte[TRANS_FILTER].ticket;
	+ pfticket = pfte[TRANS_FILTER].ticket;
	break;
	case PF_RULESET_NAT:
	- pfr.ticket = pfte[TRANS_NAT].ticket;
	+ pfticket = pfte[TRANS_NAT].ticket;
	break;
	case PF_RULESET_RDR:
	- pfr.ticket = pfte[TRANS_RDR].ticket;
	+ pfticket = pfte[TRANS_RDR].ticket;
	break;
	default:
	errno = EINVAL;
	@@ -266,30 +270,30 @@
	}
	if (ioctl(dev, DIOCBEGINADDRS, &pfp) == -1)
	return (-1);
	- pfr.pool_ticket = pfp.ticket;
	+ pfpool_ticket = pfp.ticket;

	/* Generic for all rule types. */
	- pfr.rule.af = src->sa_family;
	- pfr.rule.proto = proto;
	- pfr.rule.src.addr.type = PF_ADDR_ADDRMASK;
	- pfr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
	+ pfrule.af = src->sa_family;
	+ pfrule.proto = proto;
	+ pfrule.src.addr.type = PF_ADDR_ADDRMASK;
	+ pfrule.dst.addr.type = PF_ADDR_ADDRMASK;
	if (src->sa_family == AF_INET) {
	- memcpy(&pfr.rule.src.addr.v.a.addr.v4,
	+ memcpy(&pfrule.src.addr.v.a.addr.v4,
	&satosin(src)->sin_addr.s_addr, 4);
	- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 4);
	- memcpy(&pfr.rule.dst.addr.v.a.addr.v4,
	+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 4);
	+ memcpy(&pfrule.dst.addr.v.a.addr.v4,
	&satosin(dst)->sin_addr.s_addr, 4);
	- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 4);
	+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 4);
	} else {
	- memcpy(&pfr.rule.src.addr.v.a.addr.v6,
	+ memcpy(&pfrule.src.addr.v.a.addr.v6,
	&satosin6(src)->sin6_addr.s6_addr, 16);
	- memset(&pfr.rule.src.addr.v.a.mask.addr8, 255, 16);
	- memcpy(&pfr.rule.dst.addr.v.a.addr.v6,
	+ memset(&pfrule.src.addr.v.a.mask.addr8, 255, 16);
	+ memcpy(&pfrule.dst.addr.v.a.addr.v6,
	&satosin6(dst)->sin6_addr.s6_addr, 16);
	- memset(&pfr.rule.dst.addr.v.a.mask.addr8, 255, 16);
	+ memset(&pfrule.dst.addr.v.a.mask.addr8, 255, 16);
	}
	- pfr.rule.dst.port_op = PF_OP_EQ;
	- pfr.rule.dst.port[0] = htons(d_port);
	+ pfrule.dst.port_op = PF_OP_EQ;
	+ pfrule.dst.port[0] = htons(d_port);

	switch (rs_num) {
	case PF_RULESET_FILTER:
	@@ -298,34 +302,34 @@
	* from $src to $dst port = $d_port flags S/SAFR keep state
	* (max 1) [queue qname]
	*/
	- pfr.rule.action = PF_PASS;
	- pfr.rule.quick = 1;
	- pfr.rule.log = rule_log;
	- pfr.rule.keep_state = 1;
	+ pfrule.action = PF_PASS;
	+ pfrule.quick = 1;
	+ pfrule.log = rule_log;
	+ pfrule.keep_state = 1;
	#ifdef __FreeBSD__
	- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
	- pfr.rule.flagset = (proto == IPPROTO_TCP ?
	+ pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : 0);
	+ pfrule.flagset = (proto == IPPROTO_TCP ?
	(TH_SYN\|TH_ACK\|TH_FIN\|TH_RST) : 0);
	#else
	- pfr.rule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
	- pfr.rule.flagset = (proto == IPPROTO_TCP ?
	+ pfrule.flags = (proto == IPPROTO_TCP ? TH_SYN : NULL);
	+ pfrule.flagset = (proto == IPPROTO_TCP ?
	(TH_SYN\|TH_ACK\|TH_FIN\|TH_RST) : NULL);
	#endif
	- pfr.rule.max_states = 1;
	+ pfrule.max_states = 1;
	if (qname != NULL)
	- strlcpy(pfr.rule.qname, qname, sizeof pfr.rule.qname);
	+ strlcpy(pfrule.qname, qname, sizeof pfrule.qname);
	break;
	case PF_RULESET_NAT:
	/*
	* nat inet[6] proto tcp from $src to $dst port $d_port -> $nat
	*/
	- pfr.rule.action = PF_NAT;
	+ pfrule.action = PF_NAT;
	break;
	case PF_RULESET_RDR:
	/*
	* rdr inet[6] proto tcp from $src to $dst port $d_port -> $rdr
	*/
	- pfr.rule.action = PF_RDR;
	+ pfrule.action = PF_RDR;
	break;
	default:
	errno = EINVAL;
	Index: lib/libpfctl/libpfctl.h
	===================================================================
	--- lib/libpfctl/libpfctl.h
	+++ lib/libpfctl/libpfctl.h
	@@ -36,11 +36,147 @@

	#include <netpfil/pf/pf.h>

	+struct pfctl_anchor;
	+
	+struct pfctl_rule {
	+ struct pf_rule_addr src;
	+ struct pf_rule_addr dst;
	+ union pf_rule_ptr skip[PF_SKIP_COUNT];
	+ char label[PF_RULE_LABEL_SIZE];
	+ char ifname[IFNAMSIZ];
	+ char qname[PF_QNAME_SIZE];
	+ char pqname[PF_QNAME_SIZE];
	+ char tagname[PF_TAG_NAME_SIZE];
	+ char match_tagname[PF_TAG_NAME_SIZE];
	+
	+ char overload_tblname[PF_TABLE_NAME_SIZE];
	+
	+ TAILQ_ENTRY(pfctl_rule) entries;
	+ struct pf_pool rpool;
	+
	+ u_int64_t evaluations;
	+ u_int64_t packets[2];
	+ u_int64_t bytes[2];
	+
	+ struct pfi_kif *kif;
	+ struct pfctl_anchor *anchor;
	+ struct pfr_ktable *overload_tbl;
	+
	+ pf_osfp_t os_fingerprint;
	+
	+ int rtableid;
	+ u_int32_t timeout[PFTM_MAX];
	+ u_int32_t max_states;
	+ u_int32_t max_src_nodes;
	+ u_int32_t max_src_states;
	+ u_int32_t max_src_conn;
	+ struct {
	+ u_int32_t limit;
	+ u_int32_t seconds;
	+ } max_src_conn_rate;
	+ u_int32_t qid;
	+ u_int32_t pqid;
	+ u_int32_t nr;
	+ u_int32_t prob;
	+ uid_t cuid;
	+ pid_t cpid;
	+
	+ counter_u64_t states_cur;
	+ counter_u64_t states_tot;
	+ counter_u64_t src_nodes;
	+
	+ u_int16_t return_icmp;
	+ u_int16_t return_icmp6;
	+ u_int16_t max_mss;
	+ u_int16_t tag;
	+ u_int16_t match_tag;
	+ u_int16_t scrub_flags;
	+
	+ struct pf_rule_uid uid;
	+ struct pf_rule_gid gid;
	+
	+ u_int32_t rule_flag;
	+ u_int8_t action;
	+ u_int8_t direction;
	+ u_int8_t log;
	+ u_int8_t logif;
	+ u_int8_t quick;
	+ u_int8_t ifnot;
	+ u_int8_t match_tag_not;
	+ u_int8_t natpass;
	+
	+ u_int8_t keep_state;
	+ sa_family_t af;
	+ u_int8_t proto;
	+ u_int8_t type;
	+ u_int8_t code;
	+ u_int8_t flags;
	+ u_int8_t flagset;
	+ u_int8_t min_ttl;
	+ u_int8_t allow_opts;
	+ u_int8_t rt;
	+ u_int8_t return_ttl;
	+ u_int8_t tos;
	+ u_int8_t set_tos;
	+ u_int8_t anchor_relative;
	+ u_int8_t anchor_wildcard;
	+
	+ u_int8_t flush;
	+ u_int8_t prio;
	+ u_int8_t set_prio[2];
	+
	+ struct {
	+ struct pf_addr addr;
	+ u_int16_t port;
	+ } divert;
	+
	+ uint64_t u_states_cur;
	+ uint64_t u_states_tot;
	+ uint64_t u_src_nodes;
	+};
	+
	+TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
	+
	+struct pfctl_ruleset {
	+ struct {
	+ struct pfctl_rulequeue queues[2];
	+ struct {
	+ struct pfctl_rulequeue *ptr;
	+ struct pfctl_rule **ptr_array;
	+ u_int32_t rcount;
	+ u_int32_t ticket;
	+ int open;
	+ } active, inactive;
	+ } rules[PF_RULESET_MAX];
	+ struct pfctl_anchor *anchor;
	+ u_int32_t tticket;
	+ int tables;
	+ int topen;
	+};
	+
	+RB_HEAD(pfctl_anchor_global, pfctl_anchor);
	+RB_HEAD(pfctl_anchor_node, pfctl_anchor);
	+struct pfctl_anchor {
	+ RB_ENTRY(pfctl_anchor) entry_global;
	+ RB_ENTRY(pfctl_anchor) entry_node;
	+ struct pfctl_anchor *parent;
	+ struct pfctl_anchor_node children;
	+ char name[PF_ANCHOR_NAME_SIZE];
	+ char path[MAXPATHLEN];
	+ struct pfctl_ruleset ruleset;
	+ int refcnt; /* anchor rules */
	+ int match; /* XXX: used for pfctl black magic */
	+};
	+RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
	+ pf_anchor_compare);
	+RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
	+ pf_anchor_compare);
	+
	int libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
	- const char anchor, u_int32_t ruleset, struct pf_rule rule,
	+ const char anchor, u_int32_t ruleset, struct pfctl_rule rule,
	char *anchor_call);
	-int libpfctl_add_rule(int dev, const struct pf_rule r, const char anchor,
	- const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket);
	+int libpfctl_add_rule(int dev, const struct pfctl_rule *r,
	+ const char anchor, const char anchor_call, u_int32_t ticket,
	+ u_int32_t pool_ticket);

	#endif
	-
	Index: lib/libpfctl/libpfctl.c
	===================================================================
	--- lib/libpfctl/libpfctl.c
	+++ lib/libpfctl/libpfctl.c
	@@ -256,7 +256,7 @@

	static void
	pfctl_nv_add_divert(nvlist_t nvparent, const char name,
	- const struct pf_rule *r)
	+ const struct pfctl_rule *r)
	{
	nvlist_t *nvl = nvlist_create(0);

	@@ -267,14 +267,14 @@
	}

	static void
	-pf_nvdivert_to_divert(const nvlist_t nvl, struct pf_rule rule)
	+pf_nvdivert_to_divert(const nvlist_t nvl, struct pfctl_rule rule)
	{
	pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &rule->divert.addr);
	rule->divert.port = nvlist_get_number(nvl, "port");
	}

	static void
	-pf_nvrule_to_rule(const nvlist_t nvl, struct pf_rule rule)
	+pf_nvrule_to_rule(const nvlist_t nvl, struct pfctl_rule rule)
	{
	const uint64_t *skip;
	size_t skipcount;
	@@ -373,7 +373,7 @@
	}

	int
	-libpfctl_add_rule(int dev, const struct pf_rule r, const char anchor,
	+libpfctl_add_rule(int dev, const struct pfctl_rule r, const char anchor,
	const char *anchor_call, u_int32_t ticket, u_int32_t pool_ticket)
	{
	struct pfioc_nv nv;
	@@ -482,7 +482,7 @@

	int
	libpfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
	- u_int32_t ruleset, struct pf_rule rule, char anchor_call)
	+ u_int32_t ruleset, struct pfctl_rule rule, char anchor_call)
	{
	struct pfioc_nv nv;
	nvlist_t *nvl;
	Index: sbin/pfctl/parse.y
	===================================================================
	--- sbin/pfctl/parse.y
	+++ sbin/pfctl/parse.y
	@@ -317,10 +317,10 @@
	int disallow_table(struct node_host , const char );
	int disallow_urpf_failed(struct node_host , const char );
	int disallow_alias(struct node_host , const char );
	-int rule_consistent(struct pf_rule *, int);
	-int filter_consistent(struct pf_rule *, int);
	-int nat_consistent(struct pf_rule *);
	-int rdr_consistent(struct pf_rule *);
	+int rule_consistent(struct pfctl_rule *, int);
	+int filter_consistent(struct pfctl_rule *, int);
	+int nat_consistent(struct pfctl_rule *);
	+int rdr_consistent(struct pfctl_rule *);
	int process_tabledef(char , struct table_opts );
	void expand_label_str(char , size_t, const char , const char *);
	void expand_label_if(const char , char , size_t, const char *);
	@@ -333,7 +333,7 @@
	void expand_label(char , size_t, const char , u_int8_t,
	struct node_host , struct node_port , struct node_host *,
	struct node_port *, u_int8_t);
	-void expand_rule(struct pf_rule , struct node_if ,
	+void expand_rule(struct pfctl_rule , struct node_if ,
	struct node_host , struct node_proto , struct node_os *,
	struct node_host , struct node_port , struct node_host *,
	struct node_port , struct node_uid , struct node_gid *,
	@@ -348,10 +348,10 @@

	int check_rulestate(int);
	int getservice(char *);
	-int rule_label(struct pf_rule , char );
	+int rule_label(struct pfctl_rule , char );
	int rt_tableid_max(void);

	-void mv_rules(struct pf_ruleset , struct pf_ruleset );
	+void mv_rules(struct pfctl_ruleset , struct pfctl_ruleset );
	void decide_address_family(struct node_host , sa_family_t );
	void remove_invalid_hosts(struct node_host *, sa_family_t );
	int invalid_redirect(struct node_host *, sa_family_t);
	@@ -788,7 +788,7 @@
	pfa_anchor : '{'
	{
	char ta[PF_ANCHOR_NAME_SIZE];
	- struct pf_ruleset *rs;
	+ struct pfctl_ruleset *rs;

	/* steping into a brace anchor */
	pf->asd++;
	@@ -814,7 +814,7 @@
	anchorrule : ANCHOR anchorname dir quick interface af proto fromto
	filter_opts pfa_anchor
	{
	- struct pf_rule r;
	+ struct pfctl_rule r;
	struct node_proto *proto;

	if (check_rulestate(PFCTL_STATE_FILTER)) {
	@@ -833,7 +833,7 @@
	memset(&r, 0, sizeof(r));
	if (pf->astack[pf->asd + 1]) {
	/* move inline rules into relative location */
	- pf_anchor_setup(&r,
	+ pfctl_anchor_setup(&r,
	&pf->astack[pf->asd]->ruleset,
	$2 ? $2 : pf->alast->name);

	@@ -946,7 +946,7 @@
	pf->astack[pf->asd + 1] = NULL;
	}
	\| NATANCHOR string interface af proto fromto rtable {
	- struct pf_rule r;
	+ struct pfctl_rule r;

	if (check_rulestate(PFCTL_STATE_NAT)) {
	free($2);
	@@ -967,7 +967,7 @@
	free($2);
	}
	\| RDRANCHOR string interface af proto fromto rtable {
	- struct pf_rule r;
	+ struct pfctl_rule r;

	if (check_rulestate(PFCTL_STATE_NAT)) {
	free($2);
	@@ -1009,7 +1009,7 @@
	free($2);
	}
	\| BINATANCHOR string interface af proto fromto rtable {
	- struct pf_rule r;
	+ struct pfctl_rule r;

	if (check_rulestate(PFCTL_STATE_NAT)) {
	free($2);
	@@ -1087,7 +1087,7 @@

	scrubrule : scrubaction dir logquick interface af proto fromto scrub_opts
	{
	- struct pf_rule r;
	+ struct pfctl_rule r;

	if (check_rulestate(PFCTL_STATE_SCRUB))
	YYERROR;
	@@ -1247,7 +1247,7 @@
	;

	antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts {
	- struct pf_rule r;
	+ struct pfctl_rule r;
	struct node_host h = NULL, hh;
	struct node_if i, j;

	@@ -2022,7 +2022,7 @@
	pfrule : action dir logquick interface route af proto fromto
	filter_opts
	{
	- struct pf_rule r;
	+ struct pfctl_rule r;
	struct node_state_opt *o;
	struct node_proto *proto;
	int srctrack = 0;
	@@ -4071,7 +4071,7 @@
	natrule : nataction interface af proto fromto tag tagged rtable
	redirpool pool_opts
	{
	- struct pf_rule r;
	+ struct pfctl_rule r;

	if (check_rulestate(PFCTL_STATE_NAT))
	YYERROR;
	@@ -4230,7 +4230,7 @@
	binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag
	tagged rtable redirection
	{
	- struct pf_rule binat;
	+ struct pfctl_rule binat;
	struct pf_pooladdr *pa;

	if (check_rulestate(PFCTL_STATE_NAT))
	@@ -4615,7 +4615,7 @@
	}

	int
	-rule_consistent(struct pf_rule *r, int anchor_call)
	+rule_consistent(struct pfctl_rule *r, int anchor_call)
	{
	int problems = 0;

	@@ -4643,7 +4643,7 @@
	}

	int
	-filter_consistent(struct pf_rule *r, int anchor_call)
	+filter_consistent(struct pfctl_rule *r, int anchor_call)
	{
	int problems = 0;

	@@ -4706,13 +4706,13 @@
	}

	int
	-nat_consistent(struct pf_rule *r)
	+nat_consistent(struct pfctl_rule *r)
	{
	return (0); /* yeah! */
	}

	int
	-rdr_consistent(struct pf_rule *r)
	+rdr_consistent(struct pfctl_rule *r)
	{
	int problems = 0;

	@@ -5248,7 +5248,7 @@
	}

	void
	-expand_rule(struct pf_rule *r,
	+expand_rule(struct pfctl_rule *r,
	struct node_if interfaces, struct node_host rpool_hosts,
	struct node_proto protos, struct node_os src_oses,
	struct node_host src_hosts, struct node_port src_ports,
	@@ -6080,10 +6080,10 @@
	}

	void
	-mv_rules(struct pf_ruleset src, struct pf_ruleset dst)
	+mv_rules(struct pfctl_ruleset src, struct pfctl_ruleset dst)
	{
	int i;
	- struct pf_rule *r;
	+ struct pfctl_rule *r;

	for (i = 0; i < PF_RULESET_MAX; ++i) {
	while ((r = TAILQ_FIRST(src->rules[i].active.ptr))
	@@ -6214,7 +6214,7 @@
	}

	int
	-rule_label(struct pf_rule r, char s)
	+rule_label(struct pfctl_rule r, char s)
	{
	if (s) {
	if (strlcpy(r->label, s, sizeof(r->label)) >=
	Index: sbin/pfctl/pf_ruleset.c
	===================================================================
	--- sbin/pfctl/pf_ruleset.c
	+++ sbin/pfctl/pf_ruleset.c
	@@ -73,22 +73,23 @@
	#define DPFPRINTF(format, x...) ((void)0)
	#endif /* PFDEBUG */

	-struct pf_anchor_global pf_anchors;
	-struct pf_anchor pf_main_anchor;
	+struct pfctl_anchor_global pf_anchors;
	+struct pfctl_anchor pf_main_anchor;
	#undef V_pf_anchors
	#define V_pf_anchors pf_anchors
	#undef pf_main_ruleset
	#define pf_main_ruleset pf_main_anchor.ruleset

	-static __inline int pf_anchor_compare(struct pf_anchor *,
	- struct pf_anchor *);
	-static struct pf_anchor pf_find_anchor(const char );
	+static __inline int pf_anchor_compare(struct pfctl_anchor *,
	+ struct pfctl_anchor *);
	+static struct pfctl_anchor pf_find_anchor(const char );

	-RB_GENERATE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
	-RB_GENERATE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
	+RB_GENERATE(pfctl_anchor_global, pfctl_anchor, entry_global,
	+ pf_anchor_compare);
	+RB_GENERATE(pfctl_anchor_node, pfctl_anchor, entry_node, pf_anchor_compare);

	static __inline int
	-pf_anchor_compare(struct pf_anchor a, struct pf_anchor b)
	+pf_anchor_compare(struct pfctl_anchor a, struct pfctl_anchor b)
	{
	int c = strcmp(a->path, b->path);

	@@ -126,11 +127,11 @@
	}

	void
	-pf_init_ruleset(struct pf_ruleset *ruleset)
	+pf_init_ruleset(struct pfctl_ruleset *ruleset)
	{
	int i;

	- memset(ruleset, 0, sizeof(struct pf_ruleset));
	+ memset(ruleset, 0, sizeof(struct pfctl_ruleset));
	for (i = 0; i < PF_RULESET_MAX; i++) {
	TAILQ_INIT(&ruleset->rules[i].queues[0]);
	TAILQ_INIT(&ruleset->rules[i].queues[1]);
	@@ -139,24 +140,24 @@
	}
	}

	-static struct pf_anchor *
	+static struct pfctl_anchor *
	pf_find_anchor(const char *path)
	{
	- struct pf_anchor key, found;
	+ struct pfctl_anchor key, found;

	- key = (struct pf_anchor )rs_malloc(sizeof(key));
	+ key = (struct pfctl_anchor )rs_malloc(sizeof(key));
	if (key == NULL)
	return (NULL);
	strlcpy(key->path, path, sizeof(key->path));
	- found = RB_FIND(pf_anchor_global, &V_pf_anchors, key);
	+ found = RB_FIND(pfctl_anchor_global, &V_pf_anchors, key);
	rs_free(key);
	return (found);
	}

	-struct pf_ruleset *
	+struct pfctl_ruleset *
	pf_find_ruleset(const char *path)
	{
	- struct pf_anchor *anchor;
	+ struct pfctl_anchor *anchor;

	while (*path == '/')
	path++;
	@@ -169,12 +170,12 @@
	return (&anchor->ruleset);
	}

	-struct pf_ruleset *
	+struct pfctl_ruleset *
	pf_find_or_create_ruleset(const char *path)
	{
	char p, q, *r;
	- struct pf_ruleset *ruleset;
	- struct pf_anchor anchor = NULL, dup, *parent = NULL;
	+ struct pfctl_ruleset *ruleset;
	+ struct pfctl_anchor anchor = NULL, dup, *parent = NULL;

	if (path[0] == 0)
	return (&pf_main_ruleset);
	@@ -212,7 +213,7 @@
	rs_free(p);
	return (NULL);
	}
	- anchor = (struct pf_anchor )rs_malloc(sizeof(anchor));
	+ anchor = (struct pfctl_anchor )rs_malloc(sizeof(anchor));
	if (anchor == NULL) {
	rs_free(p);
	return (NULL);
	@@ -225,7 +226,7 @@
	strlcat(anchor->path, "/", sizeof(anchor->path));
	}
	strlcat(anchor->path, anchor->name, sizeof(anchor->path));
	- if ((dup = RB_INSERT(pf_anchor_global, &V_pf_anchors, anchor)) !=
	+ if ((dup = RB_INSERT(pfctl_anchor_global, &V_pf_anchors, anchor)) !=
	NULL) {
	printf("pf_find_or_create_ruleset: RB_INSERT1 "
	"'%s' '%s' collides with '%s' '%s'\n",
	@@ -236,13 +237,13 @@
	}
	if (parent != NULL) {
	anchor->parent = parent;
	- if ((dup = RB_INSERT(pf_anchor_node, &parent->children,
	+ if ((dup = RB_INSERT(pfctl_anchor_node, &parent->children,
	anchor)) != NULL) {
	printf("pf_find_or_create_ruleset: "
	"RB_INSERT2 '%s' '%s' collides with "
	"'%s' '%s'\n", anchor->path, anchor->name,
	dup->path, dup->name);
	- RB_REMOVE(pf_anchor_global, &V_pf_anchors,
	+ RB_REMOVE(pfctl_anchor_global, &V_pf_anchors,
	anchor);
	rs_free(anchor);
	rs_free(p);
	@@ -262,9 +263,9 @@
	}

	void
	-pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
	+pf_remove_if_empty_ruleset(struct pfctl_ruleset *ruleset)
	{
	- struct pf_anchor *parent;
	+ struct pfctl_anchor *parent;
	int i;

	while (ruleset != NULL) {
	@@ -278,9 +279,9 @@
	!TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) \|\|
	ruleset->rules[i].inactive.open)
	return;
	- RB_REMOVE(pf_anchor_global, &V_pf_anchors, ruleset->anchor);
	+ RB_REMOVE(pfctl_anchor_global, &V_pf_anchors, ruleset->anchor);
	if ((parent = ruleset->anchor->parent) != NULL)
	- RB_REMOVE(pf_anchor_node, &parent->children,
	+ RB_REMOVE(pfctl_anchor_node, &parent->children,
	ruleset->anchor);
	rs_free(ruleset->anchor);
	if (parent == NULL)
	@@ -289,11 +290,11 @@
	}
	}
	int
	-pf_anchor_setup(struct pf_rule r, const struct pf_ruleset s,
	+pfctl_anchor_setup(struct pfctl_rule r, const struct pfctl_ruleset s,
	const char *name)
	{
	char p, path;
	- struct pf_ruleset *ruleset;
	+ struct pfctl_ruleset *ruleset;

	r->anchor = NULL;
	r->anchor_relative = 0;
	@@ -314,7 +315,7 @@
	strlcpy(path, s->anchor->path, MAXPATHLEN);
	while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
	if (!path[0]) {
	- printf("pf_anchor_setup: .. beyond root\n");
	+ printf("pfctl_anchor_setup: .. beyond root\n");
	rs_free(path);
	return (1);
	}
	@@ -336,7 +337,7 @@
	ruleset = pf_find_or_create_ruleset(path);
	rs_free(path);
	if (ruleset == NULL \|\| ruleset->anchor == NULL) {
	- printf("pf_anchor_setup: ruleset\n");
	+ printf("pfctl_anchor_setup: ruleset\n");
	return (1);
	}
	r->anchor = ruleset->anchor;
	Index: sbin/pfctl/pfctl.h
	===================================================================
	--- sbin/pfctl/pfctl.h
	+++ sbin/pfctl/pfctl.h
	@@ -36,6 +36,8 @@
	#ifndef _PFCTL_H_
	#define _PFCTL_H_

	+#include <libpfctl.h>
	+
	enum pfctl_show { PFCTL_SHOW_RULES, PFCTL_SHOW_LABELS, PFCTL_SHOW_NOTHING };

	enum { PFRB_TABLES = 1, PFRB_TSTATS, PFRB_ADDRS, PFRB_ASTATS,
	@@ -129,11 +131,11 @@
	int pfctl_trans(int, struct pfr_buffer *, u_long, int);

	int pf_get_ruleset_number(u_int8_t);
	-void pf_init_ruleset(struct pf_ruleset *);
	-int pf_anchor_setup(struct pf_rule *,
	- const struct pf_ruleset , const char );
	-void pf_remove_if_empty_ruleset(struct pf_ruleset *);
	-struct pf_ruleset pf_find_ruleset(const char );
	-struct pf_ruleset pf_find_or_create_ruleset(const char );
	+void pf_init_ruleset(struct pfctl_ruleset *);
	+int pfctl_anchor_setup(struct pfctl_rule *,
	+ const struct pfctl_ruleset , const char );
	+void pf_remove_if_empty_ruleset(struct pfctl_ruleset *);
	+struct pfctl_ruleset pf_find_ruleset(const char );
	+struct pfctl_ruleset pf_find_or_create_ruleset(const char );

	#endif /* _PFCTL_H_ */
	Index: sbin/pfctl/pfctl.c
	===================================================================
	--- sbin/pfctl/pfctl.c
	+++ sbin/pfctl/pfctl.c
	@@ -94,7 +94,7 @@
	int pfctl_load_hostid(struct pfctl *, u_int32_t);
	int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
	char *);
	-void pfctl_print_rule_counters(struct pf_rule *, int);
	+void pfctl_print_rule_counters(struct pfctl_rule *, int);
	int pfctl_show_rules(int, char , int, enum pfctl_show, char , int);
	int pfctl_show_nat(int, int, char *);
	int pfctl_show_src_nodes(int, int);
	@@ -106,14 +106,14 @@
	void pfctl_debug(int, u_int32_t, int);
	int pfctl_test_altqsupport(int, int);
	int pfctl_show_anchors(int, int, char *);
	-int pfctl_ruleset_trans(struct pfctl , char , struct pf_anchor *);
	+int pfctl_ruleset_trans(struct pfctl , char , struct pfctl_anchor *);
	int pfctl_load_ruleset(struct pfctl , char ,
	- struct pf_ruleset *, int, int);
	-int pfctl_load_rule(struct pfctl , char , struct pf_rule *, int);
	+ struct pfctl_ruleset *, int, int);
	+int pfctl_load_rule(struct pfctl , char , struct pfctl_rule *, int);
	const char pfctl_lookup_option(char , const char * const *);

	-static struct pf_anchor_global pf_anchors;
	-static struct pf_anchor pf_main_anchor;
	+static struct pfctl_anchor_global pf_anchors;
	+static struct pfctl_anchor pf_main_anchor;
	static struct pfr_buffer skip_b;

	static const char *clearopt;
	@@ -862,7 +862,7 @@
	}

	void
	-pfctl_print_rule_counters(struct pf_rule *rule, int opts)
	+pfctl_print_rule_counters(struct pfctl_rule *rule, int opts)
	{
	if (opts & PF_OPT_DEBUG) {
	const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
	@@ -914,6 +914,7 @@
	char *anchorname, int depth)
	{
	struct pfioc_rule pr;
	+ struct pfctl_rule rule;
	u_int32_t nr, mnr, header = 0;
	int rule_numbers = opts & (PF_OPT_VERBOSE2 \| PF_OPT_DEBUG);
	int numeric = opts & PF_OPT_NUMERIC;
	@@ -954,12 +955,12 @@
	for (nr = 0; nr < mnr; ++nr) {
	pr.nr = nr;
	if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
	- &pr.rule, pr.anchor_call)) {
	+ &rule, pr.anchor_call)) {
	warn("DIOCGETRULENV");
	goto error;
	}

	- if (pfctl_get_pool(dev, &pr.rule.rpool,
	+ if (pfctl_get_pool(dev, &rule.rpool,
	nr, pr.ticket, PF_SCRUB, path) != 0)
	goto error;

	@@ -967,16 +968,16 @@
	case PFCTL_SHOW_LABELS:
	break;
	case PFCTL_SHOW_RULES:
	- if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
	+ if (rule.label[0] && (opts & PF_OPT_SHOWALL))
	labels = 1;
	- print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
	+ print_rule(&rule, pr.anchor_call, rule_numbers, numeric);
	printf("\n");
	- pfctl_print_rule_counters(&pr.rule, opts);
	+ pfctl_print_rule_counters(&rule, opts);
	break;
	case PFCTL_SHOW_NOTHING:
	break;
	}
	- pfctl_clear_pool(&pr.rule.rpool);
	+ pfctl_clear_pool(&rule.rpool);
	}
	pr.rule.action = PF_PASS;
	if (ioctl(dev, DIOCGETRULES, &pr)) {
	@@ -987,36 +988,36 @@
	for (nr = 0; nr < mnr; ++nr) {
	pr.nr = nr;
	if (libpfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
	- &pr.rule, pr.anchor_call)) {
	+ &rule, pr.anchor_call)) {
	warn("DIOCGETRULE");
	goto error;
	}

	- if (pfctl_get_pool(dev, &pr.rule.rpool,
	+ if (pfctl_get_pool(dev, &rule.rpool,
	nr, pr.ticket, PF_PASS, path) != 0)
	goto error;

	switch (format) {
	case PFCTL_SHOW_LABELS:
	- if (pr.rule.label[0]) {
	+ if (rule.label[0]) {
	printf("%s %llu %llu %llu %llu"
	" %llu %llu %llu %ju\n",
	- pr.rule.label,
	- (unsigned long long)pr.rule.evaluations,
	- (unsigned long long)(pr.rule.packets[0] +
	- pr.rule.packets[1]),
	- (unsigned long long)(pr.rule.bytes[0] +
	- pr.rule.bytes[1]),
	- (unsigned long long)pr.rule.packets[0],
	- (unsigned long long)pr.rule.bytes[0],
	- (unsigned long long)pr.rule.packets[1],
	- (unsigned long long)pr.rule.bytes[1],
	- (uintmax_t)pr.rule.u_states_tot);
	+ rule.label,
	+ (unsigned long long)rule.evaluations,
	+ (unsigned long long)(rule.packets[0] +
	+ rule.packets[1]),
	+ (unsigned long long)(rule.bytes[0] +
	+ rule.bytes[1]),
	+ (unsigned long long)rule.packets[0],
	+ (unsigned long long)rule.bytes[0],
	+ (unsigned long long)rule.packets[1],
	+ (unsigned long long)rule.bytes[1],
	+ (uintmax_t)rule.u_states_tot);
	}
	break;
	case PFCTL_SHOW_RULES:
	brace = 0;
	- if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
	+ if (rule.label[0] && (opts & PF_OPT_SHOWALL))
	labels = 1;
	INDENT(depth, !(opts & PF_OPT_VERBOSE));
	if (pr.anchor_call[0] &&
	@@ -1032,12 +1033,12 @@
	} else
	p = &pr.anchor_call[0];

	- print_rule(&pr.rule, p, rule_numbers, numeric);
	+ print_rule(&rule, p, rule_numbers, numeric);
	if (brace)
	printf(" {\n");
	else
	printf("\n");
	- pfctl_print_rule_counters(&pr.rule, opts);
	+ pfctl_print_rule_counters(&rule, opts);
	if (brace) {
	pfctl_show_rules(dev, path, opts, format,
	p, depth + 1);
	@@ -1048,7 +1049,7 @@
	case PFCTL_SHOW_NOTHING:
	break;
	}
	- pfctl_clear_pool(&pr.rule.rpool);
	+ pfctl_clear_pool(&rule.rpool);
	}
	path[len] = '\0';
	return (0);
	@@ -1062,6 +1063,7 @@
	pfctl_show_nat(int dev, int opts, char *anchorname)
	{
	struct pfioc_rule pr;
	+ struct pfctl_rule rule;
	u_int32_t mnr, nr;
	static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
	int i, dotitle = opts & PF_OPT_SHOWALL;
	@@ -1078,22 +1080,22 @@
	for (nr = 0; nr < mnr; ++nr) {
	pr.nr = nr;
	if (libpfctl_get_rule(dev, nr, pr.ticket, anchorname,
	- nattype[i], &pr.rule, pr.anchor_call)) {
	+ nattype[i], &rule, pr.anchor_call)) {
	warn("DIOCGETRULE");
	return (-1);
	}
	- if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
	+ if (pfctl_get_pool(dev, &rule.rpool, nr,
	pr.ticket, nattype[i], anchorname) != 0)
	return (-1);
	if (dotitle) {
	pfctl_print_title("TRANSLATION RULES:");
	dotitle = 0;
	}
	- print_rule(&pr.rule, pr.anchor_call,
	+ print_rule(&rule, pr.anchor_call,
	opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
	printf("\n");
	- pfctl_print_rule_counters(&pr.rule, opts);
	- pfctl_clear_pool(&pr.rule.rpool);
	+ pfctl_print_rule_counters(&rule, opts);
	+ pfctl_clear_pool(&rule.rpool);
	}
	}
	return (0);
	@@ -1291,11 +1293,11 @@
	}

	int
	-pfctl_add_rule(struct pfctl pf, struct pf_rule r, const char *anchor_call)
	+pfctl_add_rule(struct pfctl pf, struct pfctl_rule r, const char *anchor_call)
	{
	u_int8_t rs_num;
	- struct pf_rule *rule;
	- struct pf_ruleset *rs;
	+ struct pfctl_rule *rule;
	+ struct pfctl_ruleset *rs;
	char *p;

	rs_num = pf_get_ruleset_number(r->action);
	@@ -1338,7 +1340,7 @@
	}

	int
	-pfctl_ruleset_trans(struct pfctl pf, char path, struct pf_anchor *a)
	+pfctl_ruleset_trans(struct pfctl pf, char path, struct pfctl_anchor *a)
	{
	int osize = pf->trans->pfrb_size;

	@@ -1368,10 +1370,10 @@
	}

	int
	-pfctl_load_ruleset(struct pfctl pf, char path, struct pf_ruleset *rs,
	+pfctl_load_ruleset(struct pfctl pf, char path, struct pfctl_ruleset *rs,
	int rs_num, int depth)
	{
	- struct pf_rule *r;
	+ struct pfctl_rule *r;
	int error, len = strlen(path);
	int brace = 0;

	@@ -1428,7 +1430,7 @@
	}

	int
	-pfctl_load_rule(struct pfctl pf, char path, struct pf_rule *r, int depth)
	+pfctl_load_rule(struct pfctl pf, char path, struct pfctl_rule *r, int depth)
	{
	u_int8_t rs_num = pf_get_ruleset_number(r->action);
	char *name;
	@@ -1507,7 +1509,7 @@
	struct pfr_buffer *t, buf;
	struct pfioc_altq pa;
	struct pfctl pf;
	- struct pf_ruleset *rs;
	+ struct pfctl_ruleset *rs;
	struct pfr_table trs;
	char *path;
	int osize;
	Index: sbin/pfctl/pfctl_optimize.c
	===================================================================
	--- sbin/pfctl/pfctl_optimize.c
	+++ sbin/pfctl/pfctl_optimize.c
	@@ -100,8 +100,8 @@
	#define PF_RULE_FIELD(field, ty) \
	{#field, \
	ty, \
	- offsetof(struct pf_rule, field), \
	- sizeof(((struct pf_rule *)0)->field)}
	+ offsetof(struct pfctl_rule, field), \
	+ sizeof(((struct pfctl_rule *)0)->field)}


	/*
	@@ -214,10 +214,10 @@
	int addrs_equal(struct pf_rule_addr , struct pf_rule_addr );
	int block_feedback(struct pfctl , struct superblock );
	int combine_rules(struct pfctl , struct superblock );
	-void comparable_rule(struct pf_rule , const struct pf_rule , int);
	+void comparable_rule(struct pfctl_rule , const struct pfctl_rule , int);
	int construct_superblocks(struct pfctl , struct pf_opt_queue ,
	struct superblocks *);
	-void exclude_supersets(struct pf_rule , struct pf_rule );
	+void exclude_supersets(struct pfctl_rule , struct pfctl_rule );
	int interface_group(const char *);
	int load_feedback_profile(struct pfctl , struct superblocks );
	int optimize_superblock(struct pfctl , struct superblock );
	@@ -226,25 +226,25 @@
	struct pf_opt_rule , struct pf_skip_step );
	int remove_identical_rules(struct pfctl , struct superblock );
	int reorder_rules(struct pfctl , struct superblock , int);
	-int rules_combineable(struct pf_rule , struct pf_rule );
	+int rules_combineable(struct pfctl_rule , struct pfctl_rule );
	void skip_append(struct superblock , int, struct pf_skip_step ,
	struct pf_opt_rule *);
	int skip_compare(int, struct pf_skip_step , struct pf_opt_rule );
	void skip_init(void);
	-int skip_cmp_af(struct pf_rule , struct pf_rule );
	-int skip_cmp_dir(struct pf_rule , struct pf_rule );
	-int skip_cmp_dst_addr(struct pf_rule , struct pf_rule );
	-int skip_cmp_dst_port(struct pf_rule , struct pf_rule );
	-int skip_cmp_ifp(struct pf_rule , struct pf_rule );
	-int skip_cmp_proto(struct pf_rule , struct pf_rule );
	-int skip_cmp_src_addr(struct pf_rule , struct pf_rule );
	-int skip_cmp_src_port(struct pf_rule , struct pf_rule );
	+int skip_cmp_af(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_dir(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_dst_addr(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_dst_port(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_ifp(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_proto(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_src_addr(struct pfctl_rule , struct pfctl_rule );
	+int skip_cmp_src_port(struct pfctl_rule , struct pfctl_rule );
	int superblock_inclusive(struct superblock , struct pf_opt_rule );
	void superblock_free(struct pfctl , struct superblock );


	-static int (skip_comparitors[PF_SKIP_COUNT])(struct pf_rule ,
	- struct pf_rule *);
	+static int (skip_comparitors[PF_SKIP_COUNT])(struct pfctl_rule ,
	+ struct pfctl_rule *);
	static const char *skip_comparitors_names[PF_SKIP_COUNT];
	#define PF_SKIP_COMPARITORS { \
	{ "ifp", PF_SKIP_IFP, skip_cmp_ifp }, \
	@@ -262,14 +262,14 @@


	int
	-pfctl_optimize_ruleset(struct pfctl pf, struct pf_ruleset rs)
	+pfctl_optimize_ruleset(struct pfctl pf, struct pfctl_ruleset rs)
	{
	struct superblocks superblocks;
	struct pf_opt_queue opt_queue;
	struct superblock *block;
	struct pf_opt_rule *por;
	- struct pf_rule *r;
	- struct pf_rulequeue *old_rules;
	+ struct pfctl_rule *r;
	+ struct pfctl_rulequeue *old_rules;

	DEBUG("optimizing ruleset");
	memset(&table_buffer, 0, sizeof(table_buffer));
	@@ -450,7 +450,7 @@
	remove_identical_rules(struct pfctl pf, struct superblock block)
	{
	struct pf_opt_rule por1, por2, por_next, por2_next;
	- struct pf_rule a, a2, b, b2;
	+ struct pfctl_rule a, a2, b, b2;

	for (por1 = TAILQ_FIRST(&block->sb_rules); por1; por1 = por_next) {
	por_next = TAILQ_NEXT(por1, por_entry);
	@@ -818,7 +818,7 @@
	TAILQ_HEAD( , pf_opt_rule) queue;
	struct pf_opt_rule por1, por2;
	u_int64_t total_count = 0;
	- struct pf_rule a, b;
	+ struct pfctl_rule a, b;


	/*
	@@ -888,7 +888,7 @@
	struct pf_opt_rule *por;
	struct pf_opt_queue queue;
	struct pfioc_rule pr;
	- struct pf_rule a, b;
	+ struct pfctl_rule a, b, rule;
	int nr, mnr;

	TAILQ_INIT(&queue);
	@@ -904,7 +904,7 @@

	DEBUG("Loading %d active rules for a feedback profile", mnr);
	for (nr = 0; nr < mnr; ++nr) {
	- struct pf_ruleset *rs;
	+ struct pfctl_ruleset *rs;
	if ((por = calloc(1, sizeof(*por))) == NULL) {
	warn("calloc");
	return (1);
	@@ -912,11 +912,11 @@
	pr.nr = nr;

	if (libpfctl_get_rule(pf->dev, nr, pr.ticket, "", PF_PASS,
	- &pr.rule, pr.anchor_call)) {
	+ &rule, pr.anchor_call)) {
	warn("DIOCGETRULENV");
	return (1);
	}
	- memcpy(&por->por_rule, &pr.rule, sizeof(por->por_rule));
	+ memcpy(&por->por_rule, &rule, sizeof(por->por_rule));
	rs = pf_find_or_create_ruleset(pr.anchor_call);
	por->por_rule.anchor = rs->anchor;
	if (TAILQ_EMPTY(&por->por_rule.rpool.list))
	@@ -924,9 +924,9 @@
	sizeof(por->por_rule.rpool));
	TAILQ_INSERT_TAIL(&queue, por, por_entry);

	- /* XXX pfctl_get_pool(pf->dev, &pr.rule.rpool, nr, pr.ticket,
	+ /* XXX pfctl_get_pool(pf->dev, &rule.rpool, nr, pr.ticket,
	* PF_PASS, pf->anchor) ???
	- * ... pfctl_clear_pool(&pr.rule.rpool)
	+ * ... pfctl_clear_pool(&rule.rpool)
	*/
	}

	@@ -977,7 +977,7 @@
	skip_compare(int skipnum, struct pf_skip_step *skiplist,
	struct pf_opt_rule *por)
	{
	- struct pf_rule a, b;
	+ struct pfctl_rule a, b;
	if (skipnum >= PF_SKIP_COUNT \|\| skipnum < 0)
	errx(1, "skip_compare() out of bounds");
	a = &por->por_rule;
	@@ -1053,7 +1053,7 @@

	/* Compare two rules AF field for skiplist construction */
	int
	-skip_cmp_af(struct pf_rule a, struct pf_rule b)
	+skip_cmp_af(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (a->af != b->af \|\| a->af == 0)
	return (1);
	@@ -1062,7 +1062,7 @@

	/* Compare two rules DIRECTION field for skiplist construction */
	int
	-skip_cmp_dir(struct pf_rule a, struct pf_rule b)
	+skip_cmp_dir(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (a->direction == 0 \|\| a->direction != b->direction)
	return (1);
	@@ -1071,7 +1071,7 @@

	/* Compare two rules DST Address field for skiplist construction */
	int
	-skip_cmp_dst_addr(struct pf_rule a, struct pf_rule b)
	+skip_cmp_dst_addr(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (a->dst.neg != b->dst.neg \|\|
	a->dst.addr.type != b->dst.addr.type)
	@@ -1111,7 +1111,7 @@

	/* Compare two rules DST port field for skiplist construction */
	int
	-skip_cmp_dst_port(struct pf_rule a, struct pf_rule b)
	+skip_cmp_dst_port(struct pfctl_rule a, struct pfctl_rule b)
	{
	/* XXX if (a->proto != b->proto && a->proto != 0 && b->proto != 0
	* && (a->proto == IPPROTO_TCP \|\| a->proto == IPPROTO_UDP \|\|
	@@ -1127,7 +1127,7 @@

	/* Compare two rules IFP field for skiplist construction */
	int
	-skip_cmp_ifp(struct pf_rule a, struct pf_rule b)
	+skip_cmp_ifp(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (strcmp(a->ifname, b->ifname) \|\| a->ifname[0] == '\0')
	return (1);
	@@ -1136,14 +1136,14 @@

	/* Compare two rules PROTO field for skiplist construction */
	int
	-skip_cmp_proto(struct pf_rule a, struct pf_rule b)
	+skip_cmp_proto(struct pfctl_rule a, struct pfctl_rule b)
	{
	return (a->proto != b->proto \|\| a->proto == 0);
	}

	/* Compare two rules SRC addr field for skiplist construction */
	int
	-skip_cmp_src_addr(struct pf_rule a, struct pf_rule b)
	+skip_cmp_src_addr(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (a->src.neg != b->src.neg \|\|
	a->src.addr.type != b->src.addr.type)
	@@ -1183,7 +1183,7 @@

	/* Compare two rules SRC port field for skiplist construction */
	int
	-skip_cmp_src_port(struct pf_rule a, struct pf_rule b)
	+skip_cmp_src_port(struct pfctl_rule a, struct pfctl_rule b)
	{
	if (a->src.port_op == PF_OP_NONE \|\| a->src.port_op != b->src.port_op \|\|
	a->src.port[0] != b->src.port[0] \|\|
	@@ -1204,7 +1204,7 @@
	struct {
	char *name;
	int skipnum;
	- int (func)(struct pf_rule , struct pf_rule *);
	+ int (func)(struct pfctl_rule , struct pfctl_rule *);
	} comps[] = PF_SKIP_COMPARITORS;
	int skipnum, i;

	@@ -1397,9 +1397,9 @@
	* Are we allowed to combine these two rules
	*/
	int
	-rules_combineable(struct pf_rule p1, struct pf_rule p2)
	+rules_combineable(struct pfctl_rule p1, struct pfctl_rule p2)
	{
	- struct pf_rule a, b;
	+ struct pfctl_rule a, b;

	comparable_rule(&a, p1, COMBINED);
	comparable_rule(&b, p2, COMBINED);
	@@ -1413,7 +1413,7 @@
	int
	superblock_inclusive(struct superblock block, struct pf_opt_rule por)
	{
	- struct pf_rule a, b;
	+ struct pfctl_rule a, b;
	int i, j;

	/* First check for hard breaks */
	@@ -1528,7 +1528,7 @@
	* Make a rule that can directly compared by memcmp()
	*/
	void
	-comparable_rule(struct pf_rule dst, const struct pf_rule src, int type)
	+comparable_rule(struct pfctl_rule dst, const struct pfctl_rule src, int type)
	{
	int i;
	/*
	@@ -1553,7 +1553,7 @@
	* with memcmp()
	*/
	void
	-exclude_supersets(struct pf_rule super, struct pf_rule sub)
	+exclude_supersets(struct pfctl_rule super, struct pfctl_rule sub)
	{
	if (super->ifname[0] == '\0')
	memset(sub->ifname, 0, sizeof(sub->ifname));
	Index: sbin/pfctl/pfctl_parser.h
	===================================================================
	--- sbin/pfctl/pfctl_parser.h
	+++ sbin/pfctl/pfctl_parser.h
	@@ -36,6 +36,8 @@
	#ifndef _PFCTL_PARSER_H_
	#define _PFCTL_PARSER_H_

	+#include <libpfctl.h>
	+
	#define PF_OSFP_FILE "/etc/pf.os"

	#define PF_OPT_DISABLE 0x0001
	@@ -82,12 +84,12 @@
	int brace;
	int tdirty; /* kernel dirty */
	#define PFCTL_ANCHOR_STACK_DEPTH 64
	- struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	+ struct pfctl_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_pooladdr paddr;
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;
	- struct pf_anchor anchor, alast;
	+ struct pfctl_anchor anchor, alast;
	const char *ruleset;

	/* 'set foo' options */
	@@ -239,7 +241,7 @@

	/* optimizer pf_rule container */
	struct pf_opt_rule {
	- struct pf_rule por_rule;
	+ struct pfctl_rule por_rule;
	struct pf_opt_tbl *por_src_tbl;
	struct pf_opt_tbl *por_dst_tbl;
	u_int64_t por_profile_count;
	@@ -250,9 +252,9 @@
	TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

	int pfctl_rules(int, char , int, int, char , struct pfr_buffer *);
	-int pfctl_optimize_ruleset(struct pfctl , struct pf_ruleset );
	+int pfctl_optimize_ruleset(struct pfctl , struct pfctl_ruleset );

	-int pfctl_add_rule(struct pfctl , struct pf_rule , const char *);
	+int pfctl_add_rule(struct pfctl , struct pfctl_rule , const char *);
	int pfctl_add_altq(struct pfctl , struct pf_altq );
	int pfctl_add_pool(struct pfctl , struct pf_pool , sa_family_t);
	void pfctl_move_pool(struct pf_pool , struct pf_pool );
	@@ -272,7 +274,7 @@

	void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
	void print_src_node(struct pf_src_node *, int);
	-void print_rule(struct pf_rule , const char , int, int);
	+void print_rule(struct pfctl_rule , const char , int, int);
	void print_tabledef(const char , int, int, struct node_tinithead );
	void print_status(struct pf_status *, int);
	void print_running(struct pf_status *);
	Index: sbin/pfctl/pfctl_parser.c
	===================================================================
	--- sbin/pfctl/pfctl_parser.c
	+++ sbin/pfctl/pfctl_parser.c
	@@ -694,7 +694,7 @@
	}

	void
	-print_rule(struct pf_rule r, const char anchor_call, int verbose, int numeric)
	+print_rule(struct pfctl_rule r, const char anchor_call, int verbose, int numeric)
	{
	static const char *actiontypes[] = { "pass", "block", "scrub",
	"no scrub", "nat", "no nat", "binat", "no binat", "rdr", "no rdr" };
	Index: usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
	===================================================================
	--- usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
	+++ usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
	@@ -1515,6 +1515,7 @@
	pfl_scan_ruleset(const char *path)
	{
	struct pfioc_rule pr;
	+ struct pfctl_rule rule;
	struct pfl_entry *e;
	u_int32_t nr, i;

	@@ -1529,14 +1530,14 @@

	for (nr = pr.nr, i = 0; i < nr; i++) {
	pr.nr = i;
	- if (libpfctl_add_rule(dev, &pr.rule, pr.anchor, pr.anchor_call,
	+ if (libpfctl_add_rule(dev, &rule, pr.anchor, pr.anchor_call,
	pr.ticket, pr.pool_ticket)) {
	syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE):"
	" %s", strerror(errno));
	goto err;
	}

	- if (pr.rule.label[0]) {
	+ if (rule.label[0]) {
	e = (struct pfl_entry )malloc(sizeof(e));
	if (e == NULL)
	goto err;
	@@ -1544,13 +1545,13 @@
	strlcpy(e->name, path, sizeof(e->name));
	if (path[0])
	strlcat(e->name, "/", sizeof(e->name));
	- strlcat(e->name, pr.rule.label, sizeof(e->name));
	+ strlcat(e->name, rule.label, sizeof(e->name));

	- e->evals = pr.rule.evaluations;
	- e->bytes[IN] = pr.rule.bytes[IN];
	- e->bytes[OUT] = pr.rule.bytes[OUT];
	- e->pkts[IN] = pr.rule.packets[IN];
	- e->pkts[OUT] = pr.rule.packets[OUT];
	+ e->evals = rule.evaluations;
	+ e->bytes[IN] = rule.bytes[IN];
	+ e->bytes[OUT] = rule.bytes[OUT];
	+ e->pkts[IN] = rule.packets[IN];
	+ e->pkts[OUT] = rule.packets[OUT];
	e->index = ++pfl_table_count;

	TAILQ_INSERT_TAIL(&pfl_table, e, link);

File Metadata

Mime Type: text/plain
Expires: Thu, Feb 26, 6:07 AM (14 h, 2 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 29001638
Default Alt Text: D29644.id87031.diff (49 KB)

D29644.id87031.diffNo OneTemporaryActions

D29644.id87031.diffView Options

File Metadata

Event Timeline

D29644.id87031.diff
No OneTemporary
Actions

D29644.id87031.diff
View Options