Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 5 Jan 2021 22:37:54 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: e86bddea9fe6 - main - pf: Split pf_rule into kernel and user space versions
Message-ID:  <202101052237.105MbsJW081542@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=e86bddea9fe62d5093a1942cf21950b3c5ca62e5

commit e86bddea9fe62d5093a1942cf21950b3c5ca62e5
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2020-12-05 13:32:54 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-01-05 22:35:36 +0000

    pf: Split pf_rule into kernel and user space versions
    
    No functional change intended.
    
    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
    Differential Revision:  https://reviews.freebsd.org/D27758
---
 sys/net/pfvar.h             | 234 +++++++++++++++++++++---------
 sys/netpfil/pf/if_pflog.c   |   4 +-
 sys/netpfil/pf/if_pfsync.c  |   2 +-
 sys/netpfil/pf/pf.c         | 124 ++++++++--------
 sys/netpfil/pf/pf.h         |  48 +++++++
 sys/netpfil/pf/pf_if.c      |   6 +-
 sys/netpfil/pf/pf_ioctl.c   | 337 ++++++++++++++++++++++++++++++++++----------
 sys/netpfil/pf/pf_lb.c      |  24 ++--
 sys/netpfil/pf/pf_norm.c    |  10 +-
 sys/netpfil/pf/pf_ruleset.c | 303 +++++++++++++++++++++++++++++++++++----
 sys/netpfil/pf/pf_table.c   |  36 ++---
 11 files changed, 857 insertions(+), 271 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index b726abf894fe..846c6b9015e7 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -293,11 +293,115 @@ extern struct sx pf_end_lock;
 #define PF_ALGNMNT(off) (((off) % 2) == 0)
 
 #ifdef _KERNEL
+
+union pf_krule_ptr {
+	struct pf_krule		*ptr;
+	u_int32_t		 nr;
+};
+
+struct pf_krule {
+	struct pf_rule_addr	 src;
+	struct pf_rule_addr	 dst;
+	union pf_krule_ptr	 skip[PF_SKIP_COUNT];
+	char			 label[PF_RULE_LABEL_SIZE];
+	char			 ifname[IFNAMSIZ];
+	char			 qname[PF_QNAME_SIZE];
+	char			 pqname[PF_QNAME_SIZE];
+	char			 tagname[PF_TAG_NAME_SIZE];
+	char			 match_tagname[PF_TAG_NAME_SIZE];
+
+	char			 overload_tblname[PF_TABLE_NAME_SIZE];
+
+	TAILQ_ENTRY(pf_krule)	 entries;
+	struct pf_pool		 rpool;
+
+	u_int64_t		 evaluations;
+	u_int64_t		 packets[2];
+	u_int64_t		 bytes[2];
+
+	struct pfi_kif		*kif;
+	struct pf_kanchor	*anchor;
+	struct pfr_ktable	*overload_tbl;
+
+	pf_osfp_t		 os_fingerprint;
+
+	int			 rtableid;
+	u_int32_t		 timeout[PFTM_MAX];
+	u_int32_t		 max_states;
+	u_int32_t		 max_src_nodes;
+	u_int32_t		 max_src_states;
+	u_int32_t		 max_src_conn;
+	struct {
+		u_int32_t		limit;
+		u_int32_t		seconds;
+	}			 max_src_conn_rate;
+	u_int32_t		 qid;
+	u_int32_t		 pqid;
+	u_int32_t		 rt_listid;
+	u_int32_t		 nr;
+	u_int32_t		 prob;
+	uid_t			 cuid;
+	pid_t			 cpid;
+
+	counter_u64_t		 states_cur;
+	counter_u64_t		 states_tot;
+	counter_u64_t		 src_nodes;
+
+	u_int16_t		 return_icmp;
+	u_int16_t		 return_icmp6;
+	u_int16_t		 max_mss;
+	u_int16_t		 tag;
+	u_int16_t		 match_tag;
+	u_int16_t		 scrub_flags;
+
+	struct pf_rule_uid	 uid;
+	struct pf_rule_gid	 gid;
+
+	u_int32_t		 rule_flag;
+	u_int8_t		 action;
+	u_int8_t		 direction;
+	u_int8_t		 log;
+	u_int8_t		 logif;
+	u_int8_t		 quick;
+	u_int8_t		 ifnot;
+	u_int8_t		 match_tag_not;
+	u_int8_t		 natpass;
+
+	u_int8_t		 keep_state;
+	sa_family_t		 af;
+	u_int8_t		 proto;
+	u_int8_t		 type;
+	u_int8_t		 code;
+	u_int8_t		 flags;
+	u_int8_t		 flagset;
+	u_int8_t		 min_ttl;
+	u_int8_t		 allow_opts;
+	u_int8_t		 rt;
+	u_int8_t		 return_ttl;
+	u_int8_t		 tos;
+	u_int8_t		 set_tos;
+	u_int8_t		 anchor_relative;
+	u_int8_t		 anchor_wildcard;
+
+	u_int8_t		 flush;
+	u_int8_t		 prio;
+	u_int8_t		 set_prio[2];
+
+	struct {
+		struct pf_addr		addr;
+		u_int16_t		port;
+	}			divert;
+
+	uint64_t		 u_states_cur;
+	uint64_t		 u_states_tot;
+	uint64_t		 u_src_nodes;
+};
+
 struct pf_ksrc_node {
 	LIST_ENTRY(pf_ksrc_node) entry;
 	struct pf_addr	 addr;
 	struct pf_addr	 raddr;
-	union pf_rule_ptr rule;
+	union pf_krule_ptr rule;
 	struct pfi_kif	*kif;
 	counter_u64_t	 bytes[2];
 	counter_u64_t	 packets[2];
@@ -374,6 +478,15 @@ struct pf_state_cmp {
 	u_int8_t		 pad[3];
 };
 
+#define	PFSTATE_ALLOWOPTS	0x01
+#define	PFSTATE_SLOPPY		0x02
+/*  was	PFSTATE_PFLOW		0x04 */
+#define	PFSTATE_NOSYNC		0x08
+#define	PFSTATE_ACK		0x10
+#define	PFSTATE_SETPRIO		0x0200
+#define	PFSTATE_SETMASK   (PFSTATE_SETPRIO)
+
+#ifdef _KERNEL
 struct pf_state {
 	u_int64_t		 id;
 	u_int32_t		 creatorid;
@@ -386,9 +499,9 @@ struct pf_state {
 	LIST_ENTRY(pf_state)	 entry;
 	struct pf_state_peer	 src;
 	struct pf_state_peer	 dst;
-	union pf_rule_ptr	 rule;
-	union pf_rule_ptr	 anchor;
-	union pf_rule_ptr	 nat_rule;
+	union pf_krule_ptr	 rule;
+	union pf_krule_ptr	 anchor;
+	union pf_krule_ptr	 nat_rule;
 	struct pf_addr		 rt_addr;
 	struct pf_state_key	*key[2];	/* addresses stack and wire  */
 	struct pfi_kif		*kif;
@@ -403,13 +516,6 @@ struct pf_state {
 	u_int16_t		 tag;
 	u_int8_t		 log;
 	u_int8_t		 state_flags;
-#define	PFSTATE_ALLOWOPTS	0x01
-#define	PFSTATE_SLOPPY		0x02
-/*  was	PFSTATE_PFLOW		0x04 */
-#define	PFSTATE_NOSYNC		0x08
-#define	PFSTATE_ACK		0x10
-#define	PFSTATE_SETPRIO		0x0200
-#define	PFSTATE_SETMASK   (PFSTATE_SETPRIO)
 	u_int8_t		 timeout;
 	u_int8_t		 sync_state; /* PFSYNC_S_x */
 
@@ -417,6 +523,7 @@ struct pf_state {
 	u_int8_t		 sync_updates;
 	u_int8_t		_tail[3];
 };
+#endif
 
 /*
  * Unified state structures for pulling states out of the kernel
@@ -501,11 +608,11 @@ void			pfsync_state_export(struct pfsync_state *,
 			    struct pf_state *);
 
 /* pflog */
-struct pf_ruleset;
+struct pf_kruleset;
 struct pf_pdesc;
 typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
-    u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *,
-    struct pf_ruleset *, struct pf_pdesc *, int);
+    u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *,
+    struct pf_kruleset *, struct pf_pdesc *, int);
 extern pflog_packet_t		*pflog_packet_ptr;
 
 #endif /* _KERNEL */
@@ -563,42 +670,42 @@ extern pflog_packet_t		*pflog_packet_ptr;
 	d += ntohl(s[1]);					\
 } while (0)
 
-TAILQ_HEAD(pf_rulequeue, pf_rule);
+TAILQ_HEAD(pf_krulequeue, pf_krule);
 
-struct pf_anchor;
+struct pf_kanchor;
 
-struct pf_ruleset {
+struct pf_kruleset {
 	struct {
-		struct pf_rulequeue	 queues[2];
+		struct pf_krulequeue	 queues[2];
 		struct {
-			struct pf_rulequeue	*ptr;
-			struct pf_rule		**ptr_array;
+			struct pf_krulequeue	*ptr;
+			struct pf_krule		**ptr_array;
 			u_int32_t		 rcount;
 			u_int32_t		 ticket;
 			int			 open;
 		}			 active, inactive;
 	}			 rules[PF_RULESET_MAX];
-	struct pf_anchor	*anchor;
+	struct pf_kanchor	*anchor;
 	u_int32_t		 tticket;
 	int			 tables;
 	int			 topen;
 };
 
-RB_HEAD(pf_anchor_global, pf_anchor);
-RB_HEAD(pf_anchor_node, pf_anchor);
-struct pf_anchor {
-	RB_ENTRY(pf_anchor)	 entry_global;
-	RB_ENTRY(pf_anchor)	 entry_node;
-	struct pf_anchor	*parent;
-	struct pf_anchor_node	 children;
+RB_HEAD(pf_kanchor_global, pf_kanchor);
+RB_HEAD(pf_kanchor_node, pf_kanchor);
+struct pf_kanchor {
+	RB_ENTRY(pf_kanchor)	 entry_global;
+	RB_ENTRY(pf_kanchor)	 entry_node;
+	struct pf_kanchor	*parent;
+	struct pf_kanchor_node	 children;
 	char			 name[PF_ANCHOR_NAME_SIZE];
 	char			 path[MAXPATHLEN];
-	struct pf_ruleset	 ruleset;
+	struct pf_kruleset	 ruleset;
 	int			 refcnt;	/* anchor rules */
 	int			 match;	/* XXX: used for pfctl black magic */
 };
-RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
-RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
+RB_PROTOTYPE(pf_kanchor_global, pf_kanchor, entry_global, pf_anchor_compare);
+RB_PROTOTYPE(pf_kanchor_node, pf_kanchor, entry_node, pf_kanchor_compare);
 
 #define PF_RESERVED_ANCHOR	"_pf"
 
@@ -625,7 +732,7 @@ RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
 				 PFR_TFLAG_REFDANCHOR	| \
 				 PFR_TFLAG_COUNTERS)
 
-struct pf_anchor_stackframe;
+struct pf_kanchor_stackframe;
 
 struct pfr_table {
 	char			 pfrt_anchor[MAXPATHLEN];
@@ -707,6 +814,7 @@ struct pfr_kcounters {
 	((kc)->pfrkc_counters +				\
 	    (dir) * PFR_OP_ADDR_MAX * PFR_TYPE_MAX + (op) * PFR_TYPE_MAX + (t))
 
+#ifdef _KERNEL
 SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
 struct pfr_kentry {
 	struct radix_node	 pfrke_node[2];
@@ -729,7 +837,7 @@ struct pfr_ktable {
 	struct radix_node_head	*pfrkt_ip6;
 	struct pfr_ktable	*pfrkt_shadow;
 	struct pfr_ktable	*pfrkt_root;
-	struct pf_ruleset	*pfrkt_rs;
+	struct pf_kruleset	*pfrkt_rs;
 	long			 pfrkt_larg;
 	int			 pfrkt_nflags;
 };
@@ -745,6 +853,7 @@ struct pfr_ktable {
 #define pfrkt_match	pfrkt_kts.pfrkts_match
 #define pfrkt_nomatch	pfrkt_kts.pfrkts_nomatch
 #define pfrkt_tzero	pfrkt_kts.pfrkts_tzero
+#endif
 
 /* keep synced with pfi_kif, used in RB_FIND */
 struct pfi_kif_cmp {
@@ -789,7 +898,7 @@ struct pf_pdesc {
 		void			*any;
 	} hdr;
 
-	struct pf_rule	*nat_rule;	/* nat/rdr rule applied to packet */
+	struct pf_krule	*nat_rule;	/* nat/rdr rule applied to packet */
 	struct pf_addr	*src;		/* src address */
 	struct pf_addr	*dst;		/* dst address */
 	u_int16_t *sport;
@@ -1294,7 +1403,7 @@ VNET_DECLARE(struct pf_altqqueue *,	 pf_altqs_inactive);
 VNET_DECLARE(struct pf_altqqueue *,	 pf_altq_ifs_inactive);
 #define	V_pf_altq_ifs_inactive		 VNET(pf_altq_ifs_inactive)
 
-VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rules);
+VNET_DECLARE(struct pf_krulequeue, pf_unlinked_rules);
 #define	V_pf_unlinked_rules	VNET(pf_unlinked_rules)
 
 void				 pf_initialize(void);
@@ -1304,7 +1413,7 @@ void				 pf_cleanup(void);
 
 struct pf_mtag			*pf_get_mtag(struct mbuf *);
 
-extern void			 pf_calc_skip_steps(struct pf_rulequeue *);
+extern void			 pf_calc_skip_steps(struct pf_krulequeue *);
 #ifdef ALTQ
 extern	void			 pf_altq_ifnet_event(struct ifnet *, int);
 #endif
@@ -1351,7 +1460,7 @@ extern struct pf_state		*pf_find_state_byid(uint64_t, uint32_t);
 extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,
 				    u_int, int *);
 extern struct pf_ksrc_node	*pf_find_src_node(struct pf_addr *,
-				    struct pf_rule *, sa_family_t, int);
+				    struct pf_krule *, sa_family_t, int);
 extern void			 pf_unlink_src_node(struct pf_ksrc_node *);
 extern u_int			 pf_free_src_nodes(struct pf_ksrc_node_list *);
 extern void			 pf_print_state(struct pf_state *);
@@ -1363,11 +1472,11 @@ extern u_int16_t		 pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
 
 VNET_DECLARE(struct ifnet *,		 sync_ifp);
 #define	V_sync_ifp		 	 VNET(sync_ifp);
-VNET_DECLARE(struct pf_rule,		 pf_default_rule);
+VNET_DECLARE(struct pf_krule,		 pf_default_rule);
 #define	V_pf_default_rule		  VNET(pf_default_rule)
 extern void			 pf_addrcpy(struct pf_addr *, struct pf_addr *,
 				    u_int8_t);
-void				pf_free_rule(struct pf_rule *);
+void				pf_free_rule(struct pf_krule *);
 
 #ifdef INET
 int	pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
@@ -1429,7 +1538,7 @@ void	pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
 int	pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, sa_family_t);
 void	pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
 struct pfr_ktable *
-	pfr_attach_table(struct pf_ruleset *, char *);
+	pfr_attach_table(struct pf_kruleset *, char *);
 void	pfr_detach_table(struct pfr_ktable *);
 int	pfr_clr_tables(struct pfr_table *, int *, int);
 int	pfr_add_tables(struct pfr_table *, int, int *, int);
@@ -1483,7 +1592,7 @@ void		 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
 int		 pfi_set_flags(const char *, int);
 int		 pfi_clear_flags(const char *, int);
 
-int		 pf_match_tag(struct mbuf *, struct pf_rule *, int *, int);
+int		 pf_match_tag(struct mbuf *, struct pf_krule *, int *, int);
 int		 pf_tag_packet(struct mbuf *, struct pf_pdesc *, int);
 int		 pf_addr_cmp(struct pf_addr *, struct pf_addr *,
 		    sa_family_t);
@@ -1502,25 +1611,24 @@ VNET_DECLARE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
 #endif /* _KERNEL */
 
 #ifdef _KERNEL
-VNET_DECLARE(struct pf_anchor_global,		 pf_anchors);
+VNET_DECLARE(struct pf_kanchor_global,		 pf_anchors);
 #define	V_pf_anchors				 VNET(pf_anchors)
-VNET_DECLARE(struct pf_anchor,			 pf_main_anchor);
+VNET_DECLARE(struct pf_kanchor,			 pf_main_anchor);
 #define	V_pf_main_anchor			 VNET(pf_main_anchor)
 #define pf_main_ruleset	V_pf_main_anchor.ruleset
-#endif
 
-/* these ruleset functions can be linked into userland programs (pfctl) */
 int			 pf_get_ruleset_number(u_int8_t);
-void			 pf_init_ruleset(struct pf_ruleset *);
-int			 pf_anchor_setup(struct pf_rule *,
-			    const struct pf_ruleset *, const char *);
-int			 pf_anchor_copyout(const struct pf_ruleset *,
-			    const struct pf_rule *, struct pfioc_rule *);
-void			 pf_anchor_remove(struct pf_rule *);
-void			 pf_remove_if_empty_ruleset(struct pf_ruleset *);
-struct pf_ruleset	*pf_find_ruleset(const char *);
-struct pf_ruleset	*pf_find_or_create_ruleset(const char *);
+void			 pf_init_kruleset(struct pf_kruleset *);
+int			 pf_kanchor_setup(struct pf_krule *,
+			    const struct pf_kruleset *, const char *);
+int			 pf_kanchor_copyout(const struct pf_kruleset *,
+			    const struct pf_krule *, struct pfioc_rule *);
+void			 pf_kanchor_remove(struct pf_krule *);
+void			 pf_remove_if_empty_kruleset(struct pf_kruleset *);
+struct pf_kruleset	*pf_find_kruleset(const char *);
+struct pf_kruleset	*pf_find_or_create_kruleset(const char *);
 void			 pf_rs_initialize(void);
+#endif
 
 /* The fingerprint functions can be linked into userland programs (tcpdump) */
 int	pf_osfp_add(struct pf_osfp_ioctl *);
@@ -1536,21 +1644,21 @@ int	pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
 #ifdef _KERNEL
 void			 pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
 
-void			 pf_step_into_anchor(struct pf_anchor_stackframe *, int *,
-			    struct pf_ruleset **, int, struct pf_rule **,
-			    struct pf_rule **, int *);
-int			 pf_step_out_of_anchor(struct pf_anchor_stackframe *, int *,
-			    struct pf_ruleset **, int, struct pf_rule **,
-			    struct pf_rule **, int *);
+void			 pf_step_into_anchor(struct pf_kanchor_stackframe *, int *,
+			    struct pf_kruleset **, int, struct pf_krule **,
+			    struct pf_krule **, int *);
+int			 pf_step_out_of_anchor(struct pf_kanchor_stackframe *, int *,
+			    struct pf_kruleset **, int, struct pf_krule **,
+			    struct pf_krule **, int *);
 
-int			 pf_map_addr(u_int8_t, struct pf_rule *,
+int			 pf_map_addr(u_int8_t, struct pf_krule *,
 			    struct pf_addr *, struct pf_addr *,
 			    struct pf_addr *, struct pf_ksrc_node **);
-struct pf_rule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,
+struct pf_krule		*pf_get_translation(struct pf_pdesc *, struct mbuf *,
 			    int, int, struct pfi_kif *, struct pf_ksrc_node **,
 			    struct pf_state_key **, struct pf_state_key **,
 			    struct pf_addr *, struct pf_addr *,
-			    uint16_t, uint16_t, struct pf_anchor_stackframe *);
+			    uint16_t, uint16_t, struct pf_kanchor_stackframe *);
 
 struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
 			    struct pf_addr *, u_int16_t, u_int16_t);
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 87e674f46942..030f75c2507e 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -202,8 +202,8 @@ pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 
 static int
 pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
-    u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
-    struct pf_ruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
+    u_int8_t reason, struct pf_krule *rm, struct pf_krule *am,
+    struct pf_kruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
 {
 	struct ifnet *ifn;
 	struct pfloghdr hdr;
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 2f696698e3eb..83ca4b969636 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -463,7 +463,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
 	struct pfsync_state_key *kw, *ks;
 	struct pf_state	*st = NULL;
 	struct pf_state_key *skw = NULL, *sks = NULL;
-	struct pf_rule *r = NULL;
+	struct pf_krule *r = NULL;
 	struct pfi_kif	*kif;
 	int error;
 
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 6f393bd62698..469e6b0bc32f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -181,7 +181,7 @@ struct pf_overload_entry {
 	struct pf_addr  		addr;
 	sa_family_t			af;
 	uint8_t				dir;
-	struct pf_rule  		*rule;
+	struct pf_krule  		*rule;
 };
 
 SLIST_HEAD(pf_overload_head, pf_overload_entry);
@@ -196,7 +196,7 @@ MTX_SYSINIT(pf_overloadqueue_mtx, &pf_overloadqueue_mtx,
 #define	PF_OVERLOADQ_LOCK()	mtx_lock(&pf_overloadqueue_mtx)
 #define	PF_OVERLOADQ_UNLOCK()	mtx_unlock(&pf_overloadqueue_mtx)
 
-VNET_DEFINE(struct pf_rulequeue, pf_unlinked_rules);
+VNET_DEFINE(struct pf_krulequeue, pf_unlinked_rules);
 struct mtx pf_unlnkdrules_mtx;
 MTX_SYSINIT(pf_unlnkdrules_mtx, &pf_unlnkdrules_mtx, "pf unlinked rules",
     MTX_DEF);
@@ -230,34 +230,34 @@ static void		 pf_change_icmp(struct pf_addr *, u_int16_t *,
 			    u_int16_t *, u_int16_t *, u_int16_t *,
 			    u_int16_t *, u_int8_t, sa_family_t);
 static void		 pf_send_tcp(struct mbuf *,
-			    const struct pf_rule *, sa_family_t,
+			    const struct pf_krule *, sa_family_t,
 			    const struct pf_addr *, const struct pf_addr *,
 			    u_int16_t, u_int16_t, u_int32_t, u_int32_t,
 			    u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
 			    u_int16_t, struct ifnet *);
 static void		 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
-			    sa_family_t, struct pf_rule *);
+			    sa_family_t, struct pf_krule *);
 static void		 pf_detach_state(struct pf_state *);
 static int		 pf_state_key_attach(struct pf_state_key *,
 			    struct pf_state_key *, struct pf_state *);
 static void		 pf_state_key_detach(struct pf_state *, int);
 static int		 pf_state_key_ctor(void *, int, void *, int);
 static u_int32_t	 pf_tcp_iss(struct pf_pdesc *);
-static int		 pf_test_rule(struct pf_rule **, struct pf_state **,
+static int		 pf_test_rule(struct pf_krule **, struct pf_state **,
 			    int, struct pfi_kif *, struct mbuf *, int,
-			    struct pf_pdesc *, struct pf_rule **,
-			    struct pf_ruleset **, struct inpcb *);
-static int		 pf_create_state(struct pf_rule *, struct pf_rule *,
-			    struct pf_rule *, struct pf_pdesc *,
+			    struct pf_pdesc *, struct pf_krule **,
+			    struct pf_kruleset **, struct inpcb *);
+static int		 pf_create_state(struct pf_krule *, struct pf_krule *,
+			    struct pf_krule *, struct pf_pdesc *,
 			    struct pf_ksrc_node *, struct pf_state_key *,
 			    struct pf_state_key *, struct mbuf *, int,
 			    u_int16_t, u_int16_t, int *, struct pfi_kif *,
 			    struct pf_state **, int, u_int16_t, u_int16_t,
 			    int);
-static int		 pf_test_fragment(struct pf_rule **, int,
+static int		 pf_test_fragment(struct pf_krule **, int,
 			    struct pfi_kif *, struct mbuf *, void *,
-			    struct pf_pdesc *, struct pf_rule **,
-			    struct pf_ruleset **);
+			    struct pf_pdesc *, struct pf_krule **,
+			    struct pf_kruleset **);
 static int		 pf_tcp_track_full(struct pf_state_peer *,
 			    struct pf_state_peer *, struct pf_state **,
 			    struct pfi_kif *, struct mbuf *, int,
@@ -295,20 +295,20 @@ static struct pf_state	*pf_find_state(struct pfi_kif *,
 static int		 pf_src_connlimit(struct pf_state **);
 static void		 pf_overload_task(void *v, int pending);
 static int		 pf_insert_src_node(struct pf_ksrc_node **,
-			    struct pf_rule *, struct pf_addr *, sa_family_t);
+			    struct pf_krule *, struct pf_addr *, sa_family_t);
 static u_int		 pf_purge_expired_states(u_int, int);
 static void		 pf_purge_unlinked_rules(void);
 static int		 pf_mtag_uminit(void *, int, int);
 static void		 pf_mtag_free(struct m_tag *);
 #ifdef INET
-static void		 pf_route(struct mbuf **, struct pf_rule *, int,
+static void		 pf_route(struct mbuf **, struct pf_krule *, int,
 			    struct ifnet *, struct pf_state *,
 			    struct pf_pdesc *, struct inpcb *);
 #endif /* INET */
 #ifdef INET6
 static void		 pf_change_a6(struct pf_addr *, u_int16_t *,
 			    struct pf_addr *, u_int8_t);
-static void		 pf_route6(struct mbuf **, struct pf_rule *, int,
+static void		 pf_route6(struct mbuf **, struct pf_krule *, int,
 			    struct ifnet *, struct pf_state *,
 			    struct pf_pdesc *, struct inpcb *);
 #endif /* INET6 */
@@ -678,7 +678,7 @@ pf_overload_task(void *v, int pending)
  * allocate and insert a new one.
  */
 struct pf_ksrc_node *
-pf_find_src_node(struct pf_addr *src, struct pf_rule *rule, sa_family_t af,
+pf_find_src_node(struct pf_addr *src, struct pf_krule *rule, sa_family_t af,
 	int returnlocked)
 {
 	struct pf_srchash *sh;
@@ -716,7 +716,7 @@ pf_free_src_node(struct pf_ksrc_node *sn)
 }
 
 static int
-pf_insert_src_node(struct pf_ksrc_node **sn, struct pf_rule *rule,
+pf_insert_src_node(struct pf_ksrc_node **sn, struct pf_krule *rule,
     struct pf_addr *src, sa_family_t af)
 {
 
@@ -1806,8 +1806,8 @@ relock:
 static void
 pf_purge_unlinked_rules()
 {
-	struct pf_rulequeue tmpq;
-	struct pf_rule *r, *r1;
+	struct pf_krulequeue tmpq;
+	struct pf_krule *r, *r1;
 
 	/*
 	 * If we have overloading task pending, then we'd
@@ -2032,9 +2032,9 @@ pf_print_flags(u_int8_t f)
 	} while (0)
 
 void
-pf_calc_skip_steps(struct pf_rulequeue *rules)
+pf_calc_skip_steps(struct pf_krulequeue *rules)
 {
-	struct pf_rule *cur, *prev, *head[PF_SKIP_COUNT];
+	struct pf_krule *cur, *prev, *head[PF_SKIP_COUNT];
 	int i;
 
 	cur = TAILQ_FIRST(rules);
@@ -2440,7 +2440,7 @@ pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc *pd,
 }
 
 static void
-pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
+pf_send_tcp(struct mbuf *replyto, const struct pf_krule *r, sa_family_t af,
     const struct pf_addr *saddr, const struct pf_addr *daddr,
     u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
@@ -2600,7 +2600,7 @@ pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
 }
 
 static void
-pf_return(struct pf_rule *r, struct pf_rule *nr, struct pf_pdesc *pd,
+pf_return(struct pf_krule *r, struct pf_krule *nr, struct pf_pdesc *pd,
     struct pf_state_key *sk, int off, struct mbuf *m, struct tcphdr *th,
     struct pfi_kif *kif, u_int16_t bproto_sum, u_int16_t bip_sum, int hdrlen,
     u_short *reason)
@@ -2714,7 +2714,7 @@ pf_match_ieee8021q_pcp(u_int8_t prio, struct mbuf *m)
 
 static void
 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
-    struct pf_rule *r)
+    struct pf_krule *r)
 {
 	struct pf_send_entry *pfse;
 	struct mbuf *m0;
@@ -2902,7 +2902,7 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
 }
 
 int
-pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag)
+pf_match_tag(struct mbuf *m, struct pf_krule *r, int *tag, int mtag)
 {
 	if (*tag == -1)
 		*tag = mtag;
@@ -2926,10 +2926,10 @@ pf_tag_packet(struct mbuf *m, struct pf_pdesc *pd, int tag)
 }
 
 #define	PF_ANCHOR_STACKSIZE	32
-struct pf_anchor_stackframe {
-	struct pf_ruleset	*rs;
-	struct pf_rule		*r;	/* XXX: + match bit */
-	struct pf_anchor	*child;
+struct pf_kanchor_stackframe {
+	struct pf_kruleset	*rs;
+	struct pf_krule		*r;	/* XXX: + match bit */
+	struct pf_kanchor	*child;
 };
 
 /*
@@ -2939,18 +2939,18 @@ struct pf_anchor_stackframe {
 #define	PF_ANCHORSTACK_MASK	(PF_ANCHORSTACK_MATCH)
 
 #define	PF_ANCHOR_MATCH(f)	((uintptr_t)(f)->r & PF_ANCHORSTACK_MATCH)
-#define	PF_ANCHOR_RULE(f)	(struct pf_rule *)			\
+#define	PF_ANCHOR_RULE(f)	(struct pf_krule *)			\
 				((uintptr_t)(f)->r & ~PF_ANCHORSTACK_MASK)
 #define	PF_ANCHOR_SET_MATCH(f)	do { (f)->r = (void *) 			\
 				((uintptr_t)(f)->r | PF_ANCHORSTACK_MATCH);  \
 } while (0)
 
 void
-pf_step_into_anchor(struct pf_anchor_stackframe *stack, int *depth,
-    struct pf_ruleset **rs, int n, struct pf_rule **r, struct pf_rule **a,
+pf_step_into_anchor(struct pf_kanchor_stackframe *stack, int *depth,
+    struct pf_kruleset **rs, int n, struct pf_krule **r, struct pf_krule **a,
     int *match)
 {
-	struct pf_anchor_stackframe	*f;
+	struct pf_kanchor_stackframe	*f;
 
 	PF_RULES_RASSERT();
 
@@ -2967,9 +2967,9 @@ pf_step_into_anchor(struct pf_anchor_stackframe *stack, int *depth,
 	f->rs = *rs;
 	f->r = *r;
 	if ((*r)->anchor_wildcard) {
-		struct pf_anchor_node *parent = &(*r)->anchor->children;
+		struct pf_kanchor_node *parent = &(*r)->anchor->children;
 
-		if ((f->child = RB_MIN(pf_anchor_node, parent)) == NULL) {
+		if ((f->child = RB_MIN(pf_kanchor_node, parent)) == NULL) {
 			*r = NULL;
 			return;
 		}
@@ -2982,12 +2982,12 @@ pf_step_into_anchor(struct pf_anchor_stackframe *stack, int *depth,
 }
 
 int
-pf_step_out_of_anchor(struct pf_anchor_stackframe *stack, int *depth,
-    struct pf_ruleset **rs, int n, struct pf_rule **r, struct pf_rule **a,
+pf_step_out_of_anchor(struct pf_kanchor_stackframe *stack, int *depth,
+    struct pf_kruleset **rs, int n, struct pf_krule **r, struct pf_krule **a,
     int *match)
 {
-	struct pf_anchor_stackframe	*f;
-	struct pf_rule *fr;
+	struct pf_kanchor_stackframe	*f;
+	struct pf_krule *fr;
 	int quick = 0;
 
 	PF_RULES_RASSERT();
@@ -2998,7 +2998,7 @@ pf_step_out_of_anchor(struct pf_anchor_stackframe *stack, int *depth,
 		f = stack + *depth - 1;
 		fr = PF_ANCHOR_RULE(f);
 		if (f->child != NULL) {
-			struct pf_anchor_node *parent;
+			struct pf_kanchor_node *parent;
 
 			/*
 			 * This block traverses through
@@ -3014,7 +3014,7 @@ pf_step_out_of_anchor(struct pf_anchor_stackframe *stack, int *depth,
 				PF_ANCHOR_SET_MATCH(f);
 				*match = 0;
 			}
-			f->child = RB_NEXT(pf_anchor_node, parent, f->child);
+			f->child = RB_NEXT(pf_kanchor_node, parent, f->child);
 			if (f->child != NULL) {
 				*rs = &f->child->ruleset;
 				*r = TAILQ_FIRST((*rs)->rules[n].active.ptr);
@@ -3324,16 +3324,16 @@ pf_tcp_iss(struct pf_pdesc *pd)
 }
 
 static int
-pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
+pf_test_rule(struct pf_krule **rm, struct pf_state **sm, int direction,
     struct pfi_kif *kif, struct mbuf *m, int off, struct pf_pdesc *pd,
-    struct pf_rule **am, struct pf_ruleset **rsm, struct inpcb *inp)
+    struct pf_krule **am, struct pf_kruleset **rsm, struct inpcb *inp)
 {
-	struct pf_rule		*nr = NULL;
+	struct pf_krule		*nr = NULL;
 	struct pf_addr		* const saddr = pd->src;
 	struct pf_addr		* const daddr = pd->dst;
 	sa_family_t		 af = pd->af;
-	struct pf_rule		*r, *a = NULL;
-	struct pf_ruleset	*ruleset = NULL;
+	struct pf_krule		*r, *a = NULL;
+	struct pf_kruleset	*ruleset = NULL;
 	struct pf_ksrc_node	*nsn = NULL;
 	struct tcphdr		*th = pd->hdr.tcp;
 	struct pf_state_key	*sk = NULL, *nk = NULL;
@@ -3346,7 +3346,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 	u_int16_t		 sport = 0, dport = 0;
 	u_int16_t		 bproto_sum = 0, bip_sum = 0;
 	u_int8_t		 icmptype = 0, icmpcode = 0;
-	struct pf_anchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
+	struct pf_kanchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
 
 	PF_RULES_RASSERT();
 
@@ -3698,7 +3698,7 @@ cleanup:
 }
 
 static int
-pf_create_state(struct pf_rule *r, struct pf_rule *nr, struct pf_rule *a,
+pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a,
     struct pf_pdesc *pd, struct pf_ksrc_node *nsn, struct pf_state_key *nk,
     struct pf_state_key *sk, struct mbuf *m, int off, u_int16_t sport,
     u_int16_t dport, int *rewrite, struct pfi_kif *kif, struct pf_state **sm,
@@ -3960,18 +3960,18 @@ csfailed:
 }
 
 static int
-pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
-    struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_rule **am,
-    struct pf_ruleset **rsm)
+pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kif *kif,
+    struct mbuf *m, void *h, struct pf_pdesc *pd, struct pf_krule **am,
+    struct pf_kruleset **rsm)
 {
-	struct pf_rule		*r, *a = NULL;
-	struct pf_ruleset	*ruleset = NULL;
+	struct pf_krule		*r, *a = NULL;
+	struct pf_kruleset	*ruleset = NULL;
 	sa_family_t		 af = pd->af;
 	u_short			 reason;
 	int			 tag = -1;
 	int			 asd = 0;
 	int			 match = 0;
-	struct pf_anchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
+	struct pf_kanchor_stackframe	anchor_stack[PF_ANCHOR_STACKSIZE];
 
 	PF_RULES_RASSERT();
 
@@ -5463,7 +5463,7 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif,
 
 #ifdef INET
 static void
-pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
+pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
     struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)
 {
 	struct mbuf		*m0, *m1;
@@ -5626,7 +5626,7 @@ bad:
 
 #ifdef INET6
 static void
-pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
+pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
     struct pf_state *s, struct pf_pdesc *pd, struct inpcb *inp)
 {
 	struct mbuf		*m0;
@@ -5893,9 +5893,9 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
 	struct mbuf		*m = *m0;
 	struct ip		*h = NULL;
 	struct m_tag		*ipfwtag;
-	struct pf_rule		*a = NULL, *r = &V_pf_default_rule, *tr, *nr;
+	struct pf_krule		*a = NULL, *r = &V_pf_default_rule, *tr, *nr;
 	struct pf_state		*s = NULL;
-	struct pf_ruleset	*ruleset = NULL;
+	struct pf_kruleset	*ruleset = NULL;
 	struct pf_pdesc		 pd;
 	int			 off, dirndx, pqid = 0;
 
@@ -6185,7 +6185,7 @@ done:
 	}
 
 	if (log) {
-		struct pf_rule *lr;
+		struct pf_krule *lr;
 
 		if (s != NULL && s->nat_rule.ptr != NULL &&
 		    s->nat_rule.ptr->log & PF_LOG_ALL)
@@ -6283,9 +6283,9 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
 	struct mbuf		*m = *m0, *n = NULL;
 	struct m_tag		*mtag;
 	struct ip6_hdr		*h = NULL;
-	struct pf_rule		*a = NULL, *r = &V_pf_default_rule, *tr, *nr;
+	struct pf_krule		*a = NULL, *r = &V_pf_default_rule, *tr, *nr;
 	struct pf_state		*s = NULL;
-	struct pf_ruleset	*ruleset = NULL;
+	struct pf_kruleset	*ruleset = NULL;
 	struct pf_pdesc		 pd;
 	int			 off, terminal = 0, dirndx, rh_cnt = 0, pqid = 0;
 
@@ -6585,7 +6585,7 @@ done:
 		printf("pf: divert(9) is not supported for IPv6\n");
 
 	if (log) {
-		struct pf_rule *lr;
+		struct pf_krule *lr;
 
 		if (s != NULL && s->nat_rule.ptr != NULL &&
 		    s->nat_rule.ptr->log & PF_LOG_ALL)
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index aa6409bcbaa9..4e73d815aece 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -35,6 +35,8 @@
 #ifndef	_NET_PF_H_
 #define	_NET_PF_H_
 
+#include <sys/tree.h>
+
 #define	PF_TCPS_PROXY_SRC	((TCP_NSTATES)+0)
 #define	PF_TCPS_PROXY_DST	((TCP_NSTATES)+1)
 
@@ -569,4 +571,50 @@ struct pf_src_node {
 
 #define PFSNODE_HIWAT		10000	/* default source node table size */
 
+TAILQ_HEAD(pf_rulequeue, pf_rule);
+
+struct pf_anchor;
+
+struct pf_ruleset {
+	struct {
+		struct pf_rulequeue	 queues[2];
+		struct {
+			struct pf_rulequeue	*ptr;
+			struct pf_rule		**ptr_array;
+			u_int32_t		 rcount;
+			u_int32_t		 ticket;
+			int			 open;
+		}			 active, inactive;
+	}			 rules[PF_RULESET_MAX];
+	struct pf_anchor	*anchor;
+	u_int32_t		 tticket;
+	int			 tables;
+	int			 topen;
+};
+
+RB_HEAD(pf_anchor_global, pf_anchor);
+RB_HEAD(pf_anchor_node, pf_anchor);
+struct pf_anchor {
+	RB_ENTRY(pf_anchor)	 entry_global;
+	RB_ENTRY(pf_anchor)	 entry_node;
+	struct pf_anchor	*parent;
+	struct pf_anchor_node	 children;
+	char			 name[PF_ANCHOR_NAME_SIZE];
+	char			 path[MAXPATHLEN];
+	struct pf_ruleset	 ruleset;
+	int			 refcnt;	/* anchor rules */
+	int			 match;	/* XXX: used for pfctl black magic */
+};
+RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
+RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
+
+/* these ruleset functions can be linked into userland programs (pfctl) */
+int			 pf_get_ruleset_number(u_int8_t);
+void			 pf_init_ruleset(struct pf_ruleset *);
+int			 pf_anchor_setup(struct pf_rule *,
+			    const struct pf_ruleset *, const char *);
+void			 pf_remove_if_empty_ruleset(struct pf_ruleset *);
+struct pf_ruleset	*pf_find_ruleset(const char *);
+struct pf_ruleset	*pf_find_or_create_ruleset(const char *);
+
 #endif	/* _NET_PF_H_ */
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index 24179f9f3e63..f8862a9416b5 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -403,7 +403,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
 	struct epoch_tracker	 et;
 	struct pfi_dynaddr	*dyn;
 	char			 tblname[PF_TABLE_NAME_SIZE];
-	struct pf_ruleset	*ruleset = NULL;
+	struct pf_kruleset	*ruleset = NULL;
 	struct pfi_kif		*kif;
 	int			 rv = 0;
 
@@ -441,7 +441,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
 	if (dyn->pfid_net != 128)
 		snprintf(tblname + strlen(tblname),
 		    sizeof(tblname) - strlen(tblname), "/%d", dyn->pfid_net);
-	if ((ruleset = pf_find_or_create_ruleset(PF_RESERVED_ANCHOR)) == NULL) {
+	if ((ruleset = pf_find_or_create_kruleset(PF_RESERVED_ANCHOR)) == NULL) {
 		rv = ENOMEM;
 		goto _bad;
 	}
@@ -467,7 +467,7 @@ _bad:
 	if (dyn->pfid_kt != NULL)
 		pfr_detach_table(dyn->pfid_kt);
 	if (ruleset != NULL)
-		pf_remove_if_empty_ruleset(ruleset);
+		pf_remove_if_empty_kruleset(ruleset);
 	if (dyn->pfid_kif != NULL)
 		pfi_kif_unref(dyn->pfid_kif);
 	free(dyn, PFI_MTYPE);
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bb7034f27daf..4b5ad44ab01d 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -109,11 +109,11 @@ static void		 pf_qid_unref(u_int32_t);
 #endif /* ALTQ */
 static int		 pf_begin_rules(u_int32_t *, int, const char *);
 static int		 pf_rollback_rules(u_int32_t, int, char *);
-static int		 pf_setup_pfsync_matching(struct pf_ruleset *);
-static void		 pf_hash_rule(MD5_CTX *, struct pf_rule *);
+static int		 pf_setup_pfsync_matching(struct pf_kruleset *);
+static void		 pf_hash_rule(MD5_CTX *, struct pf_krule *);
 static void		 pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
 static int		 pf_commit_rules(u_int32_t, int, char *);
-static int		 pf_addr_setup(struct pf_ruleset *,
+static int		 pf_addr_setup(struct pf_kruleset *,
 			    struct pf_addr_wrap *, sa_family_t);
 static void		 pf_addr_copyout(struct pf_addr_wrap *);
 static void		 pf_src_node_copy(const struct pf_ksrc_node *,
@@ -125,7 +125,7 @@ static int		 pf_import_kaltq(struct pfioc_altq_v1 *,
 			    struct pf_altq *, size_t);
 #endif /* ALTQ */
 
-VNET_DEFINE(struct pf_rule,	pf_default_rule);
+VNET_DEFINE(struct pf_krule,	pf_default_rule);
 
 #ifdef ALTQ
 VNET_DEFINE_STATIC(int,		pf_altq_running);
@@ -271,7 +271,7 @@ pfattach_vnet(void)
 	V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
 
 	RB_INIT(&V_pf_anchors);
-	pf_init_ruleset(&pf_main_ruleset);
+	pf_init_kruleset(&pf_main_ruleset);
 
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
*** 1385 LINES SKIPPED ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202101052237.105MbsJW081542>