Date:      Sat, 26 Oct 2013 18:59:58 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r257186 - in head: contrib/libpcap sys/contrib/altq/altq sys/net
Message-ID:  <201310261859.r9QIxw57090334@svn.freebsd.org>

Author: glebius
Date: Sat Oct 26 18:59:58 2013
New Revision: 257186
URL: http://svnweb.freebsd.org/changeset/base/257186

Log:
  Start splitting pfvar.h into internal and external parts.
  
  - Provide pf_altq.h that has only stuff needed for ALTQ.
  - Start pf.h, that would have all constant values and
    eventually non-kernel structures.
  - Build ALTQ w/o pfvar.h; include if_var.h explicitly, which
    previously came in via pollution.
  - Build tcpdump w/o pfvar.h.
  
  Sponsored by:	Netflix
  Sponsored by:	Nginx, Inc.

Added:
  head/sys/net/pf.h
     - copied, changed from r257177, head/sys/net/pfvar.h
  head/sys/net/pf_altq.h
     - copied, changed from r257177, head/sys/net/pfvar.h
Modified:
  head/contrib/libpcap/grammar.y
  head/sys/contrib/altq/altq/altq_cbq.c
  head/sys/contrib/altq/altq/altq_cdnr.c
  head/sys/contrib/altq/altq/altq_hfsc.c
  head/sys/contrib/altq/altq/altq_priq.c
  head/sys/contrib/altq/altq/altq_red.c
  head/sys/contrib/altq/altq/altq_rio.c
  head/sys/contrib/altq/altq/altq_rmclass.c
  head/sys/contrib/altq/altq/altq_subr.c
  head/sys/net/pfvar.h

Modified: head/contrib/libpcap/grammar.y
==============================================================================
--- head/contrib/libpcap/grammar.y	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/contrib/libpcap/grammar.y	Sat Oct 26 18:59:58 2013	(r257186)
@@ -56,7 +56,7 @@ struct rtentry;
 #include "gencode.h"
 #ifdef HAVE_NET_PFVAR_H
 #include <net/if.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
 #include <net/if_pflog.h>
 #endif
 #include "ieee80211.h"
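Review bot: The guard `#ifdef HAVE_NET_PFVAR_H` now wraps `#include <net/pf.h>`, so the macro name no longer says which header it protects. How HAVE_NET_PFVAR_H gets defined is not visible in this hunk; if it comes from a configure probe for net/pfvar.h, a system that has pfvar.h but no pf.h would pass the probe and then fail on this include. Because this is contrib code that will be merged against upstream again, a short comment above the include would record the local deviation, for example `/* FreeBSD: PF constants now live in net/pf.h, guard name kept from upstream */`.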

Modified: head/sys/contrib/altq/altq/altq_cbq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cbq.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_cbq.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -54,9 +54,12 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_cbq.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_cdnr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cdnr.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_cdnr.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -55,6 +55,7 @@
 #include <netinet/ip6.h>
 #endif
 
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_hfsc.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_hfsc.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_hfsc.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -66,9 +66,12 @@
 #endif /* ALTQ3_COMPAT */
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_hfsc.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_priq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_priq.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_priq.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -51,9 +51,12 @@
 #include <sys/queue.h>
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_red.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_red.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_red.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -86,6 +86,7 @@
 #endif /* ALTQ3_COMPAT */
 
 #include <net/if.h>
+#include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -94,7 +95,9 @@
 #include <netinet/ip6.h>
 #endif
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_red.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_rio.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rio.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_rio.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -81,6 +81,7 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -89,7 +90,8 @@
 #include <netinet/ip6.h>
 #endif
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_cdnr.h>
 #include <altq/altq_red.h>

Modified: head/sys/contrib/altq/altq/altq_rmclass.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rmclass.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_rmclass.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -59,12 +59,14 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 #ifdef ALTQ3_COMPAT
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #endif
 
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_rmclass.h>
 #include <altq/altq_rmclass_debug.h>

Modified: head/sys/contrib/altq/altq/altq_subr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_subr.c	Sat Oct 26 18:47:10 2013	(r257185)
+++ head/sys/contrib/altq/altq/altq_subr.c	Sat Oct 26 18:59:58 2013	(r257186)
@@ -49,6 +49,7 @@
 #include <sys/queue.h>
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <net/if_dl.h>
 #include <net/if_types.h>
 #ifdef __FreeBSD__
@@ -64,7 +65,8 @@
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Copied and modified: head/sys/net/pf.h (from r257177, head/sys/net/pfvar.h)
==============================================================================
--- head/sys/net/pfvar.h	Sat Oct 26 18:03:36 2013	(r257177, copy source)
+++ head/sys/net/pf.h	Sat Oct 26 18:59:58 2013	(r257186)
@@ -30,18 +30,8 @@
  *	$FreeBSD$
  */
 
-#ifndef _NET_PFVAR_H_
-#define _NET_PFVAR_H_
-
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/refcount.h>
-#include <sys/tree.h>
-
-#include <net/radix.h>
-#include <netinet/in.h>
-
-#include <net/pf_mtag.h>
+#ifndef	_NET_PF_H_
+#define	_NET_PFAR_H_
 
 #define	PF_TCPS_PROXY_SRC	((TCP_NSTATES)+0)
 #define	PF_TCPS_PROXY_DST	((TCP_NSTATES)+1)
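Review bot: The include guard of the new pf.h does not match itself: `#ifndef	_NET_PF_H_` is followed by `#define	_NET_PFAR_H_`, so `_NET_PF_H_` is never defined and a second inclusion of the header is not suppressed. The define should read `#define	_NET_PF_H_`. The next hunk's context shows an `enum { PF_ADDR_ADDRMASK, ...` in this file, which would be redeclared if the header is pulled in twice through different include paths. The closing `#endif` lies outside the visible hunks, so its trailing comment should be checked to name the same macro.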
@@ -119,1082 +109,6 @@ enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
 #define	PF_LOG_ALL		0x02
 #define	PF_LOG_SOCKET_LOOKUP	0x04
 
-struct pf_addr {
-	union {
-		struct in_addr		v4;
-		struct in6_addr		v6;
-		u_int8_t		addr8[16];
-		u_int16_t		addr16[8];
-		u_int32_t		addr32[4];
-	} pfa;		    /* 128-bit address */
-#define v4	pfa.v4
-#define v6	pfa.v6
-#define addr8	pfa.addr8
-#define addr16	pfa.addr16
-#define addr32	pfa.addr32
-};
-
-#define	PF_TABLE_NAME_SIZE	 32
-
-#define PFI_AFLAG_NETWORK	0x01
-#define PFI_AFLAG_BROADCAST	0x02
-#define PFI_AFLAG_PEER		0x04
-#define PFI_AFLAG_MODEMASK	0x07
-#define PFI_AFLAG_NOALIAS	0x08
-
-struct pf_addr_wrap {
-	union {
-		struct {
-			struct pf_addr		 addr;
-			struct pf_addr		 mask;
-		}			 a;
-		char			 ifname[IFNAMSIZ];
-		char			 tblname[PF_TABLE_NAME_SIZE];
-	}			 v;
-	union {
-		struct pfi_dynaddr	*dyn;
-		struct pfr_ktable	*tbl;
-		int			 dyncnt;
-		int			 tblcnt;
-	}			 p;
-	u_int8_t		 type;		/* PF_ADDR_* */
-	u_int8_t		 iflags;	/* PFI_AFLAG_* */
-};
-
-#ifdef _KERNEL
-
-struct pfi_dynaddr {
-	TAILQ_ENTRY(pfi_dynaddr)	 entry;
-	struct pf_addr			 pfid_addr4;
-	struct pf_addr			 pfid_mask4;
-	struct pf_addr			 pfid_addr6;
-	struct pf_addr			 pfid_mask6;
-	struct pfr_ktable		*pfid_kt;
-	struct pfi_kif			*pfid_kif;
-	int				 pfid_net;	/* mask or 128 */
-	int				 pfid_acnt4;	/* address count IPv4 */
-	int				 pfid_acnt6;	/* address count IPv6 */
-	sa_family_t			 pfid_af;	/* rule af */
-	u_int8_t			 pfid_iflags;	/* PFI_AFLAG_* */
-};
-
-/*
- * Address manipulation macros
- */
-#define	HTONL(x)	(x) = htonl((__uint32_t)(x))
-#define	HTONS(x)	(x) = htons((__uint16_t)(x))
-#define	NTOHL(x)	(x) = ntohl((__uint32_t)(x))
-#define	NTOHS(x)	(x) = ntohs((__uint16_t)(x))
-
-#define	PF_NAME		"pf"
-
-#define	PF_HASHROW_ASSERT(h)	mtx_assert(&(h)->lock, MA_OWNED)
-#define	PF_HASHROW_LOCK(h)	mtx_lock(&(h)->lock)
-#define	PF_HASHROW_UNLOCK(h)	mtx_unlock(&(h)->lock)
-
-#define	PF_STATE_LOCK(s)						\
-	do {								\
-		struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)];	\
-		PF_HASHROW_LOCK(_ih);					\
-	} while (0)
-
-#define	PF_STATE_UNLOCK(s)						\
-	do {								\
-		struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH((s))];	\
-		PF_HASHROW_UNLOCK(_ih);					\
-	} while (0)
-
-#ifdef INVARIANTS
-#define	PF_STATE_LOCK_ASSERT(s)						\
-	do {								\
-		struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)];	\
-		PF_HASHROW_ASSERT(_ih);					\
-	} while (0)
-#else /* !INVARIANTS */
-#define	PF_STATE_LOCK_ASSERT(s)		do {} while (0)
-#endif /* INVARIANTS */
-
-extern struct mtx pf_unlnkdrules_mtx;
-#define	PF_UNLNKDRULES_LOCK()	mtx_lock(&pf_unlnkdrules_mtx)
-#define	PF_UNLNKDRULES_UNLOCK()	mtx_unlock(&pf_unlnkdrules_mtx)
-
-extern struct rwlock pf_rules_lock;
-#define	PF_RULES_RLOCK()	rw_rlock(&pf_rules_lock)
-#define	PF_RULES_RUNLOCK()	rw_runlock(&pf_rules_lock)
-#define	PF_RULES_WLOCK()	rw_wlock(&pf_rules_lock)
-#define	PF_RULES_WUNLOCK()	rw_wunlock(&pf_rules_lock)
-#define	PF_RULES_ASSERT()	rw_assert(&pf_rules_lock, RA_LOCKED)
-#define	PF_RULES_RASSERT()	rw_assert(&pf_rules_lock, RA_RLOCKED)
-#define	PF_RULES_WASSERT()	rw_assert(&pf_rules_lock, RA_WLOCKED)
-
-#define	PF_MODVER	1
-#define	PFLOG_MODVER	1
-#define	PFSYNC_MODVER	1
-
-#define	PFLOG_MINVER	1
-#define	PFLOG_PREFVER	PFLOG_MODVER
-#define	PFLOG_MAXVER	1
-#define	PFSYNC_MINVER	1
-#define	PFSYNC_PREFVER	PFSYNC_MODVER
-#define	PFSYNC_MAXVER	1
-
-#ifdef INET
-#ifndef INET6
-#define	PF_INET_ONLY
-#endif /* ! INET6 */
-#endif /* INET */
-
-#ifdef INET6
-#ifndef INET
-#define	PF_INET6_ONLY
-#endif /* ! INET */
-#endif /* INET6 */
-
-#ifdef INET
-#ifdef INET6
-#define	PF_INET_INET6
-#endif /* INET6 */
-#endif /* INET */
-
-#else
-
-#define	PF_INET_INET6
-
-#endif /* _KERNEL */
-
-/* Both IPv4 and IPv6 */
-#ifdef PF_INET_INET6
-
-#define PF_AEQ(a, b, c) \
-	((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
-	((a)->addr32[3] == (b)->addr32[3] && \
-	(a)->addr32[2] == (b)->addr32[2] && \
-	(a)->addr32[1] == (b)->addr32[1] && \
-	(a)->addr32[0] == (b)->addr32[0])) \
-
-#define PF_ANEQ(a, b, c) \
-	((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
-	((a)->addr32[3] != (b)->addr32[3] || \
-	(a)->addr32[2] != (b)->addr32[2] || \
-	(a)->addr32[1] != (b)->addr32[1] || \
-	(a)->addr32[0] != (b)->addr32[0])) \
-
-#define PF_AZERO(a, c) \
-	((c == AF_INET && !(a)->addr32[0]) || \
-	(!(a)->addr32[0] && !(a)->addr32[1] && \
-	!(a)->addr32[2] && !(a)->addr32[3] )) \
-
-#define PF_MATCHA(n, a, m, b, f) \
-	pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-	pf_addrcpy(a, b, f)
-
-#define PF_AINC(a, f) \
-	pf_addr_inc(a, f)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-	pf_poolmask(a, b, c, d, f)
-
-#else
-
-/* Just IPv6 */
-
-#ifdef PF_INET6_ONLY
-
-#define PF_AEQ(a, b, c) \
-	((a)->addr32[3] == (b)->addr32[3] && \
-	(a)->addr32[2] == (b)->addr32[2] && \
-	(a)->addr32[1] == (b)->addr32[1] && \
-	(a)->addr32[0] == (b)->addr32[0]) \
-
-#define PF_ANEQ(a, b, c) \
-	((a)->addr32[3] != (b)->addr32[3] || \
-	(a)->addr32[2] != (b)->addr32[2] || \
-	(a)->addr32[1] != (b)->addr32[1] || \
-	(a)->addr32[0] != (b)->addr32[0]) \
-
-#define PF_AZERO(a, c) \
-	(!(a)->addr32[0] && \
-	!(a)->addr32[1] && \
-	!(a)->addr32[2] && \
-	!(a)->addr32[3] ) \
-
-#define PF_MATCHA(n, a, m, b, f) \
-	pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-	pf_addrcpy(a, b, f)
-
-#define PF_AINC(a, f) \
-	pf_addr_inc(a, f)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-	pf_poolmask(a, b, c, d, f)
-
-#else
-
-/* Just IPv4 */
-#ifdef PF_INET_ONLY
-
-#define PF_AEQ(a, b, c) \
-	((a)->addr32[0] == (b)->addr32[0])
-
-#define PF_ANEQ(a, b, c) \
-	((a)->addr32[0] != (b)->addr32[0])
-
-#define PF_AZERO(a, c) \
-	(!(a)->addr32[0])
-
-#define PF_MATCHA(n, a, m, b, f) \
-	pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-	(a)->v4.s_addr = (b)->v4.s_addr
-
-#define PF_AINC(a, f) \
-	do { \
-		(a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
-	} while (0)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-	do { \
-		(a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
-		(((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
-	} while (0)
-
-#endif /* PF_INET_ONLY */
-#endif /* PF_INET6_ONLY */
-#endif /* PF_INET_INET6 */
-
-/*
- * XXX callers not FIB-aware in our version of pf yet.
- * OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio.
- */
-#define	PF_MISMATCHAW(aw, x, af, neg, ifp, rtid)			\
-	(								\
-		(((aw)->type == PF_ADDR_NOROUTE &&			\
-		    pf_routable((x), (af), NULL, (rtid))) ||		\
-		(((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&	\
-		    pf_routable((x), (af), (ifp), (rtid))) ||		\
-		((aw)->type == PF_ADDR_TABLE &&				\
-		    !pfr_match_addr((aw)->p.tbl, (x), (af))) ||		\
-		((aw)->type == PF_ADDR_DYNIFTL &&			\
-		    !pfi_match_addr((aw)->p.dyn, (x), (af))) ||		\
-		((aw)->type == PF_ADDR_RANGE &&				\
-		    !pf_match_addr_range(&(aw)->v.a.addr,		\
-		    &(aw)->v.a.mask, (x), (af))) ||			\
-		((aw)->type == PF_ADDR_ADDRMASK &&			\
-		    !PF_AZERO(&(aw)->v.a.mask, (af)) &&			\
-		    !PF_MATCHA(0, &(aw)->v.a.addr,			\
-		    &(aw)->v.a.mask, (x), (af))))) !=			\
-		(neg)							\
-	)
-
-
-struct pf_rule_uid {
-	uid_t		 uid[2];
-	u_int8_t	 op;
-};
-
-struct pf_rule_gid {
-	uid_t		 gid[2];
-	u_int8_t	 op;
-};
-
-struct pf_rule_addr {
-	struct pf_addr_wrap	 addr;
-	u_int16_t		 port[2];
-	u_int8_t		 neg;
-	u_int8_t		 port_op;
-};
-
-struct pf_pooladdr {
-	struct pf_addr_wrap		 addr;
-	TAILQ_ENTRY(pf_pooladdr)	 entries;
-	char				 ifname[IFNAMSIZ];
-	struct pfi_kif			*kif;
-};
-
-TAILQ_HEAD(pf_palist, pf_pooladdr);
-
-struct pf_poolhashkey {
-	union {
-		u_int8_t		key8[16];
-		u_int16_t		key16[8];
-		u_int32_t		key32[4];
-	} pfk;		    /* 128-bit hash key */
-#define key8	pfk.key8
-#define key16	pfk.key16
-#define key32	pfk.key32
-};
-
-struct pf_pool {
-	struct pf_palist	 list;
-	struct pf_pooladdr	*cur;
-	struct pf_poolhashkey	 key;
-	struct pf_addr		 counter;
-	int			 tblidx;
-	u_int16_t		 proxy_port[2];
-	u_int8_t		 opts;
-};
-
-
-/* A packed Operating System description for fingerprinting */
-typedef u_int32_t pf_osfp_t;
-#define PF_OSFP_ANY	((pf_osfp_t)0)
-#define PF_OSFP_UNKNOWN	((pf_osfp_t)-1)
-#define PF_OSFP_NOMATCH	((pf_osfp_t)-2)
-
-struct pf_osfp_entry {
-	SLIST_ENTRY(pf_osfp_entry) fp_entry;
-	pf_osfp_t		fp_os;
-	int			fp_enflags;
-#define PF_OSFP_EXPANDED	0x001		/* expanded entry */
-#define PF_OSFP_GENERIC		0x002		/* generic signature */
-#define PF_OSFP_NODETAIL	0x004		/* no p0f details */
-#define PF_OSFP_LEN	32
-	char			fp_class_nm[PF_OSFP_LEN];
-	char			fp_version_nm[PF_OSFP_LEN];
-	char			fp_subtype_nm[PF_OSFP_LEN];
-};
-#define PF_OSFP_ENTRY_EQ(a, b) \
-    ((a)->fp_os == (b)->fp_os && \
-    memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
-    memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
-    memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
-
-/* handle pf_osfp_t packing */
-#define _FP_RESERVED_BIT	1  /* For the special negative #defines */
-#define _FP_UNUSED_BITS		1
-#define _FP_CLASS_BITS		10 /* OS Class (Windows, Linux) */
-#define _FP_VERSION_BITS	10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
-#define _FP_SUBTYPE_BITS	10 /* patch level (NT SP4, SP3, ECN patch) */
-#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
-	(class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
-	    ((1 << _FP_CLASS_BITS) - 1); \
-	(version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
-	    ((1 << _FP_VERSION_BITS) - 1);\
-	(subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
-} while(0)
-#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
-	(osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
-	    + _FP_SUBTYPE_BITS); \
-	(osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
-	    _FP_SUBTYPE_BITS; \
-	(osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
-} while(0)
-
-/* the fingerprint of an OSes TCP SYN packet */
-typedef u_int64_t	pf_tcpopts_t;
-struct pf_os_fingerprint {
-	SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
-	pf_tcpopts_t		fp_tcpopts;	/* packed TCP options */
-	u_int16_t		fp_wsize;	/* TCP window size */
-	u_int16_t		fp_psize;	/* ip->ip_len */
-	u_int16_t		fp_mss;		/* TCP MSS */
-	u_int16_t		fp_flags;
-#define PF_OSFP_WSIZE_MOD	0x0001		/* Window modulus */
-#define PF_OSFP_WSIZE_DC	0x0002		/* Window don't care */
-#define PF_OSFP_WSIZE_MSS	0x0004		/* Window multiple of MSS */
-#define PF_OSFP_WSIZE_MTU	0x0008		/* Window multiple of MTU */
-#define PF_OSFP_PSIZE_MOD	0x0010		/* packet size modulus */
-#define PF_OSFP_PSIZE_DC	0x0020		/* packet size don't care */
-#define PF_OSFP_WSCALE		0x0040		/* TCP window scaling */
-#define PF_OSFP_WSCALE_MOD	0x0080		/* TCP window scale modulus */
-#define PF_OSFP_WSCALE_DC	0x0100		/* TCP window scale dont-care */
-#define PF_OSFP_MSS		0x0200		/* TCP MSS */
-#define PF_OSFP_MSS_MOD		0x0400		/* TCP MSS modulus */
-#define PF_OSFP_MSS_DC		0x0800		/* TCP MSS dont-care */
-#define PF_OSFP_DF		0x1000		/* IPv4 don't fragment bit */
-#define PF_OSFP_TS0		0x2000		/* Zero timestamp */
-#define PF_OSFP_INET6		0x4000		/* IPv6 */
-	u_int8_t		fp_optcnt;	/* TCP option count */
-	u_int8_t		fp_wscale;	/* TCP window scaling */
-	u_int8_t		fp_ttl;		/* IPv4 TTL */
-#define PF_OSFP_MAXTTL_OFFSET	40
-/* TCP options packing */
-#define PF_OSFP_TCPOPT_NOP	0x0		/* TCP NOP option */
-#define PF_OSFP_TCPOPT_WSCALE	0x1		/* TCP window scaling option */
-#define PF_OSFP_TCPOPT_MSS	0x2		/* TCP max segment size opt */
-#define PF_OSFP_TCPOPT_SACK	0x3		/* TCP SACK OK option */
-#define PF_OSFP_TCPOPT_TS	0x4		/* TCP timestamp option */
-#define PF_OSFP_TCPOPT_BITS	3		/* bits used by each option */
-#define PF_OSFP_MAX_OPTS \
-    (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
-    / PF_OSFP_TCPOPT_BITS
-
-	SLIST_ENTRY(pf_os_fingerprint)	fp_next;
-};
-
-struct pf_osfp_ioctl {
-	struct pf_osfp_entry	fp_os;
-	pf_tcpopts_t		fp_tcpopts;	/* packed TCP options */
-	u_int16_t		fp_wsize;	/* TCP window size */
-	u_int16_t		fp_psize;	/* ip->ip_len */
-	u_int16_t		fp_mss;		/* TCP MSS */
-	u_int16_t		fp_flags;
-	u_int8_t		fp_optcnt;	/* TCP option count */
-	u_int8_t		fp_wscale;	/* TCP window scaling */
-	u_int8_t		fp_ttl;		/* IPv4 TTL */
-
-	int			fp_getnum;	/* DIOCOSFPGET number */
-};
-
-
-union pf_rule_ptr {
-	struct pf_rule		*ptr;
-	u_int32_t		 nr;
-};
-
-#define	PF_ANCHOR_NAME_SIZE	 64
-
-struct pf_rule {
-	struct pf_rule_addr	 src;
-	struct pf_rule_addr	 dst;
-#define PF_SKIP_IFP		0
-#define PF_SKIP_DIR		1
-#define PF_SKIP_AF		2
-#define PF_SKIP_PROTO		3
-#define PF_SKIP_SRC_ADDR	4
-#define PF_SKIP_SRC_PORT	5
-#define PF_SKIP_DST_ADDR	6
-#define PF_SKIP_DST_PORT	7
-#define PF_SKIP_COUNT		8
-	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
-#define PF_RULE_LABEL_SIZE	 64
-	char			 label[PF_RULE_LABEL_SIZE];
-#define PF_QNAME_SIZE		 64
-	char			 ifname[IFNAMSIZ];
-	char			 qname[PF_QNAME_SIZE];
-	char			 pqname[PF_QNAME_SIZE];
-#define	PF_TAG_NAME_SIZE	 64
-	char			 tagname[PF_TAG_NAME_SIZE];
-	char			 match_tagname[PF_TAG_NAME_SIZE];
-
-	char			 overload_tblname[PF_TABLE_NAME_SIZE];
-
-	TAILQ_ENTRY(pf_rule)	 entries;
-	struct pf_pool		 rpool;
-
-	u_int64_t		 evaluations;
-	u_int64_t		 packets[2];
-	u_int64_t		 bytes[2];
-
-	struct pfi_kif		*kif;
-	struct pf_anchor	*anchor;
-	struct pfr_ktable	*overload_tbl;
-
-	pf_osfp_t		 os_fingerprint;
-
-	int			 rtableid;
-	u_int32_t		 timeout[PFTM_MAX];
-	u_int32_t		 states_cur;
-	u_int32_t		 states_tot;
-	u_int32_t		 max_states;
-	u_int32_t		 src_nodes;
-	u_int32_t		 max_src_nodes;
-	u_int32_t		 max_src_states;
-	u_int32_t		 spare1;			/* netgraph */
-	u_int32_t		 max_src_conn;
-	struct {
-		u_int32_t		limit;
-		u_int32_t		seconds;
-	}			 max_src_conn_rate;
-	u_int32_t		 qid;
-	u_int32_t		 pqid;
-	u_int32_t		 rt_listid;
-	u_int32_t		 nr;
-	u_int32_t		 prob;
-	uid_t			 cuid;
-	pid_t			 cpid;
-
-	u_int16_t		 return_icmp;
-	u_int16_t		 return_icmp6;
-	u_int16_t		 max_mss;
-	u_int16_t		 tag;
-	u_int16_t		 match_tag;
-	u_int16_t		 spare2;			/* netgraph */
-
-	struct pf_rule_uid	 uid;
-	struct pf_rule_gid	 gid;
-
-	u_int32_t		 rule_flag;
-	u_int8_t		 action;
-	u_int8_t		 direction;
-	u_int8_t		 log;
-	u_int8_t		 logif;
-	u_int8_t		 quick;
-	u_int8_t		 ifnot;
-	u_int8_t		 match_tag_not;
-	u_int8_t		 natpass;
-
-#define PF_STATE_NORMAL		0x1
-#define PF_STATE_MODULATE	0x2
-#define PF_STATE_SYNPROXY	0x3
-	u_int8_t		 keep_state;
-	sa_family_t		 af;
-	u_int8_t		 proto;
-	u_int8_t		 type;
-	u_int8_t		 code;
-	u_int8_t		 flags;
-	u_int8_t		 flagset;
-	u_int8_t		 min_ttl;
-	u_int8_t		 allow_opts;
-	u_int8_t		 rt;
-	u_int8_t		 return_ttl;
-	u_int8_t		 tos;
-	u_int8_t		 set_tos;
-	u_int8_t		 anchor_relative;
-	u_int8_t		 anchor_wildcard;
-
-#define PF_FLUSH		0x01
-#define PF_FLUSH_GLOBAL		0x02
-	u_int8_t		 flush;
-
-	struct {
-		struct pf_addr		addr;
-		u_int16_t		port;
-	}			divert;
-};
-
-/* rule flags */
-#define	PFRULE_DROP		0x0000
-#define	PFRULE_RETURNRST	0x0001
-#define	PFRULE_FRAGMENT		0x0002
-#define	PFRULE_RETURNICMP	0x0004
-#define	PFRULE_RETURN		0x0008
-#define	PFRULE_NOSYNC		0x0010
-#define PFRULE_SRCTRACK		0x0020  /* track source states */
-#define PFRULE_RULESRCTRACK	0x0040  /* per rule */
-#define	PFRULE_REFS		0x0080	/* rule has references */
-
-/* scrub flags */
-#define	PFRULE_NODF		0x0100
-#define	PFRULE_FRAGCROP		0x0200	/* non-buffering frag cache */
-#define	PFRULE_FRAGDROP		0x0400	/* drop funny fragments */
-#define PFRULE_RANDOMID		0x0800
-#define PFRULE_REASSEMBLE_TCP	0x1000
-#define PFRULE_SET_TOS		0x2000
-
-/* rule flags again */
-#define PFRULE_IFBOUND		0x00010000	/* if-bound */
-#define PFRULE_STATESLOPPY	0x00020000	/* sloppy state tracking */
-
-#define PFSTATE_HIWAT		10000	/* default state table size */
-#define PFSTATE_ADAPT_START	6000	/* default adaptive timeout start */
-#define PFSTATE_ADAPT_END	12000	/* default adaptive timeout end */
-
-
-struct pf_threshold {
-	u_int32_t	limit;
-#define	PF_THRESHOLD_MULT	1000
-#define PF_THRESHOLD_MAX	0xffffffff / PF_THRESHOLD_MULT
-	u_int32_t	seconds;
-	u_int32_t	count;
-	u_int32_t	last;
-};
-
-struct pf_src_node {
-	LIST_ENTRY(pf_src_node) entry;
-	struct pf_addr	 addr;
-	struct pf_addr	 raddr;
-	union pf_rule_ptr rule;
-	struct pfi_kif	*kif;
-	u_int64_t	 bytes[2];
-	u_int64_t	 packets[2];
-	u_int32_t	 states;
-	u_int32_t	 conn;
-	struct pf_threshold	conn_rate;
-	u_int32_t	 creation;
-	u_int32_t	 expire;
-	sa_family_t	 af;
-	u_int8_t	 ruletype;
-};
-
-#define PFSNODE_HIWAT		10000	/* default source node table size */
-
-struct pf_state_scrub {
-	struct timeval	pfss_last;	/* time received last packet	*/
-	u_int32_t	pfss_tsecr;	/* last echoed timestamp	*/
-	u_int32_t	pfss_tsval;	/* largest timestamp		*/
-	u_int32_t	pfss_tsval0;	/* original timestamp		*/
-	u_int16_t	pfss_flags;
-#define PFSS_TIMESTAMP	0x0001		/* modulate timestamp		*/
-#define PFSS_PAWS	0x0010		/* stricter PAWS checks		*/
-#define PFSS_PAWS_IDLED	0x0020		/* was idle too long.  no PAWS	*/
-#define PFSS_DATA_TS	0x0040		/* timestamp on data packets	*/
-#define PFSS_DATA_NOTS	0x0080		/* no timestamp on data packets	*/
-	u_int8_t	pfss_ttl;	/* stashed TTL			*/
-	u_int8_t	pad;
-	u_int32_t	pfss_ts_mod;	/* timestamp modulation		*/
-};
-
-struct pf_state_host {
-	struct pf_addr	addr;
-	u_int16_t	port;
-	u_int16_t	pad;
-};
-
-struct pf_state_peer {
-	struct pf_state_scrub	*scrub;	/* state is scrubbed		*/
-	u_int32_t	seqlo;		/* Max sequence number sent	*/
-	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
-	u_int32_t	seqdiff;	/* Sequence number modulator	*/
-	u_int16_t	max_win;	/* largest window (pre scaling)	*/
-	u_int16_t	mss;		/* Maximum segment size option	*/
-	u_int8_t	state;		/* active state level		*/
-	u_int8_t	wscale;		/* window scaling factor	*/
-	u_int8_t	tcp_est;	/* Did we reach TCPS_ESTABLISHED */
-	u_int8_t	pad[1];
-};
-
-/* Keep synced with struct pf_state_key. */
-struct pf_state_key_cmp {
-	struct pf_addr	 addr[2];
-	u_int16_t	 port[2];
-	sa_family_t	 af;
-	u_int8_t	 proto;
-	u_int8_t	 pad[2];
-};
-
-struct pf_state_key {
-	struct pf_addr	 addr[2];
-	u_int16_t	 port[2];
-	sa_family_t	 af;
-	u_int8_t	 proto;
-	u_int8_t	 pad[2];
-
-	LIST_ENTRY(pf_state_key) entry;
-	TAILQ_HEAD(, pf_state)	 states[2];
-};
-
-/* Keep synced with struct pf_state. */
-struct pf_state_cmp {
-	u_int64_t		 id;
-	u_int32_t		 creatorid;
-	u_int8_t		 direction;
-	u_int8_t		 pad[3];
-};
-
-struct pf_state {
-	u_int64_t		 id;
-	u_int32_t		 creatorid;
-	u_int8_t		 direction;
-	u_int8_t		 pad[3];
-
-	u_int			 refs;
-	TAILQ_ENTRY(pf_state)	 sync_list;
-	TAILQ_ENTRY(pf_state)	 key_list[2];
-	LIST_ENTRY(pf_state)	 entry;
-	struct pf_state_peer	 src;
-	struct pf_state_peer	 dst;
-	union pf_rule_ptr	 rule;
-	union pf_rule_ptr	 anchor;
-	union pf_rule_ptr	 nat_rule;
-	struct pf_addr		 rt_addr;
-	struct pf_state_key	*key[2];	/* addresses stack and wire  */
-	struct pfi_kif		*kif;
-	struct pfi_kif		*rt_kif;
-	struct pf_src_node	*src_node;
-	struct pf_src_node	*nat_src_node;
-	u_int64_t		 packets[2];
-	u_int64_t		 bytes[2];
-	u_int32_t		 creation;
-	u_int32_t	 	 expire;
-	u_int32_t		 pfsync_time;
-	u_int16_t		 tag;
-	u_int8_t		 log;
-	u_int8_t		 state_flags;
-#define	PFSTATE_ALLOWOPTS	0x01
-#define	PFSTATE_SLOPPY		0x02
-/*  was	PFSTATE_PFLOW		0x04 */
-#define	PFSTATE_NOSYNC		0x08
-#define	PFSTATE_ACK		0x10
-	u_int8_t		 timeout;
-	u_int8_t		 sync_state; /* PFSYNC_S_x */
-
-	/* XXX */
-	u_int8_t		 sync_updates;
-	u_int8_t		_tail[3];
-};
-
-/*
- * Unified state structures for pulling states out of the kernel
- * used by pfsync(4) and the pf(4) ioctl.
- */
-struct pfsync_state_scrub {
-	u_int16_t	pfss_flags;
-	u_int8_t	pfss_ttl;	/* stashed TTL		*/
-#define PFSYNC_SCRUB_FLAG_VALID		0x01
-	u_int8_t	scrub_flag;
-	u_int32_t	pfss_ts_mod;	/* timestamp modulation	*/
-} __packed;
-
-struct pfsync_state_peer {
-	struct pfsync_state_scrub scrub;	/* state is scrubbed	*/
-	u_int32_t	seqlo;		/* Max sequence number sent	*/
-	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
-	u_int32_t	seqdiff;	/* Sequence number modulator	*/
-	u_int16_t	max_win;	/* largest window (pre scaling)	*/
-	u_int16_t	mss;		/* Maximum segment size option	*/
-	u_int8_t	state;		/* active state level		*/
-	u_int8_t	wscale;		/* window scaling factor	*/
-	u_int8_t	pad[6];
-} __packed;
-
-struct pfsync_state_key {
-	struct pf_addr	 addr[2];
-	u_int16_t	 port[2];
-};
-
-struct pfsync_state {
-	u_int64_t	 id;
-	char		 ifname[IFNAMSIZ];
-	struct pfsync_state_key	key[2];
-	struct pfsync_state_peer src;
-	struct pfsync_state_peer dst;
-	struct pf_addr	 rt_addr;
-	u_int32_t	 rule;
-	u_int32_t	 anchor;
-	u_int32_t	 nat_rule;
-	u_int32_t	 creation;
-	u_int32_t	 expire;
-	u_int32_t	 packets[2][2];
-	u_int32_t	 bytes[2][2];
-	u_int32_t	 creatorid;
-	sa_family_t	 af;
-	u_int8_t	 proto;
-	u_int8_t	 direction;
-	u_int8_t	 __spare[2];
-	u_int8_t	 log;
-	u_int8_t	 state_flags;
-	u_int8_t	 timeout;
-	u_int8_t	 sync_flags;
-	u_int8_t	 updates;
-} __packed;
-
-#ifdef _KERNEL
-/* pfsync */
-typedef int		pfsync_state_import_t(struct pfsync_state *, u_int8_t);
-typedef	void		pfsync_insert_state_t(struct pf_state *);
-typedef	void		pfsync_update_state_t(struct pf_state *);
-typedef	void		pfsync_delete_state_t(struct pf_state *);
-typedef void		pfsync_clear_states_t(u_int32_t, const char *);
-typedef int		pfsync_defer_t(struct pf_state *, struct mbuf *);
-
-extern pfsync_state_import_t	*pfsync_state_import_ptr;
-extern pfsync_insert_state_t	*pfsync_insert_state_ptr;
-extern pfsync_update_state_t	*pfsync_update_state_ptr;
-extern pfsync_delete_state_t	*pfsync_delete_state_ptr;
-extern pfsync_clear_states_t	*pfsync_clear_states_ptr;
-extern pfsync_defer_t		*pfsync_defer_ptr;
-
-void			pfsync_state_export(struct pfsync_state *,
-			    struct pf_state *);
-
-/* pflog */
-struct pf_ruleset;
-struct pf_pdesc;
-typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
-    u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *,
-    struct pf_ruleset *, struct pf_pdesc *, int);
-extern pflog_packet_t		*pflog_packet_ptr;
-
-#define	V_pf_end_threads	VNET(pf_end_threads)
-#endif /* _KERNEL */
-
-#define	PFSYNC_FLAG_SRCNODE	0x04
-#define	PFSYNC_FLAG_NATSRCNODE	0x08
-
-/* for copies to/from network byte order */
-/* ioctl interface also uses network byte order */
-#define pf_state_peer_hton(s,d) do {		\
-	(d)->seqlo = htonl((s)->seqlo);		\
-	(d)->seqhi = htonl((s)->seqhi);		\
-	(d)->seqdiff = htonl((s)->seqdiff);	\
-	(d)->max_win = htons((s)->max_win);	\
-	(d)->mss = htons((s)->mss);		\
-	(d)->state = (s)->state;		\
-	(d)->wscale = (s)->wscale;		\
-	if ((s)->scrub) {						\
-		(d)->scrub.pfss_flags = 				\
-		    htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP);	\
-		(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;		\
-		(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
-		(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;	\
-	}								\
-} while (0)
-
-#define pf_state_peer_ntoh(s,d) do {		\
-	(d)->seqlo = ntohl((s)->seqlo);		\
-	(d)->seqhi = ntohl((s)->seqhi);		\
-	(d)->seqdiff = ntohl((s)->seqdiff);	\
-	(d)->max_win = ntohs((s)->max_win);	\
-	(d)->mss = ntohs((s)->mss);		\
-	(d)->state = (s)->state;		\
-	(d)->wscale = (s)->wscale;		\
-	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && 	\
-	    (d)->scrub != NULL) {					\
-		(d)->scrub->pfss_flags =				\
-		    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;	\
-		(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;		\
-		(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
-	}								\
-} while (0)
-
-#define pf_state_counter_hton(s,d) do {				\
-	d[0] = htonl((s>>32)&0xffffffff);			\

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


