From owner-svn-src-vendor@FreeBSD.ORG  Mon Aug 17 23:50:15 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 67C75106568B;
	Mon, 17 Aug 2009 23:50:15 +0000 (UTC)
	(envelope-from edwin@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 57D808FC57;
	Mon, 17 Aug 2009 23:50:15 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7HNoFRI097024;
	Mon, 17 Aug 2009 23:50:15 GMT (envelope-from edwin@svn.freebsd.org)
Received: (from edwin@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7HNoFa9097021;
	Mon, 17 Aug 2009 23:50:15 GMT (envelope-from edwin@svn.freebsd.org)
Message-Id: <200908172350.n7HNoFa9097021@svn.freebsd.org>
From: Edwin Groothuis 
Date: Mon, 17 Aug 2009 23:50:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196350 - vendor/tzdata/dist
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Mon, 17 Aug 2009 23:50:15 -0000

Author: edwin
Date: Mon Aug 17 23:50:15 2009
New Revision: 196350
URL: http://svn.freebsd.org/changeset/base/196350

Log:
  Vendor import of tzdata2009l:

  - Egypt will go to Wintertime on 21 August 2009
  - Heads up for a possible DST in Samoa

  Obtained from: ftp://elsie.nci.nih.gov/pub/

Modified:
  vendor/tzdata/dist/africa
  vendor/tzdata/dist/australasia

Modified: vendor/tzdata/dist/africa
==============================================================================
--- vendor/tzdata/dist/africa	Mon Aug 17 21:23:53 2009	(r196349)
+++ vendor/tzdata/dist/africa	Mon Aug 17 23:50:15 2009	(r196350)
@@ -1,5 +1,5 @@
 # 
-# @(#)africa	8.22
+# @(#)africa	8.23
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -276,8 +276,27 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	23:00s
 # In 2009 (and for the next several years), Ramadan ends before the fourth
 # Thursday in September; Egypt is expected to revert to the last Thursday
 # in September.
+
+# From Steffen Thorsen (2009-08-11):
+# We have been able to confirm the August change with the Egyptian Cabinet 
+# Information and Decision Support Center:
+# 
+# http://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
+# 
+# 
+# The Middle East News Agency
+# 
+# http://www.mena.org.eg/index.aspx
+# 
+# also reports "Egypt starts winter time on August 21"
+# today in article numbered "71, 11/08/2009 12:25 GMT." 
+# Only the title above is available without a subscription to their service,
+# and can be found by searching for "winter" in their search engine
+# (at least today).
+
 Rule	Egypt	2008	only	-	Aug	lastThu	23:00s	0	-
-Rule	Egypt	2009	max	-	Sep	lastThu	23:00s	0	-
+Rule	Egypt	2009	only	-	Aug	20	23:00s	0	-
+Rule	Egypt	2010	max	-	Sep	lastThu	23:00s	0	-
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Cairo	2:05:00 -	LMT	1900 Oct
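Review bot: the new 2009 rule says "Aug 20 23:00s" while the log entry and the quoted MENA headline say 21 August; that is not an off-by-one, because the "s" suffix makes the transition happen at 23:00 local standard time, which is 00:00 on 21 August in the summer time that is ending. A one-line comment next to the rule would stop the next reader from "correcting" it to Aug 21. The new "2010 max" line carries the old "2009 max" rule forward unchanged, which matches the expectation in the comment above that Egypt reverts to the last Thursday in September from 2010 on.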

Modified: vendor/tzdata/dist/australasia
==============================================================================
--- vendor/tzdata/dist/australasia	Mon Aug 17 21:23:53 2009	(r196349)
+++ vendor/tzdata/dist/australasia	Mon Aug 17 23:50:15 2009	(r196350)
@@ -1,5 +1,5 @@
 # 
-# @(#)australasia	8.11
+# @(#)australasia	8.12
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -427,6 +427,22 @@ Zone Pacific/Pago_Pago	 12:37:12 -	LMT	1
 			-11:00	-	SST			# S=Samoa
 
 # Samoa
+
+# From Alexander Krivenyshev (2008-12-06):
+# The Samoa government (Western Samoa) may implement DST on the first Sunday of 
+# October 2009 (October 4, 2009) until the last Sunday of March 2010 (March 28, 
+# 2010). 
+# 
+# "Selected Committee reports to Cabinet on Daylight Saving Time",
+# Government of Samoa:
+# 
+# http://www.govt.ws/pr_article.cfm?pr_id=560
+# 
+# or
+# 
+# http://www.worldtimezone.com/dst_news/dst_news_samoa01.html
+# 
+
 Zone Pacific/Apia	 12:33:04 -	LMT	1879 Jul  5
 			-11:26:56 -	LMT	1911
 			-11:30	-	SAMT	1950		# Samoa Time
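Review bot: no Rule line or Pacific/Apia zone change accompanies the Samoa comment, so binaries built from this file keep Samoa at -11:00 year-round even if the proposed 4 October 2009 start goes ahead. Leaving an unconfirmed proposal out is the right call, but the comment should state explicitly that nothing has been encoded yet, and the 2008-12-06 date on the cited source means it needs re-checking against the Government of Samoa page before October.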

From owner-svn-src-vendor@FreeBSD.ORG  Mon Aug 17 23:50:58 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 516BF1065692;
	Mon, 17 Aug 2009 23:50:58 +0000 (UTC)
	(envelope-from edwin@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 28EF88FC51;
	Mon, 17 Aug 2009 23:50:58 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7HNow52097073;
	Mon, 17 Aug 2009 23:50:58 GMT (envelope-from edwin@svn.freebsd.org)
Received: (from edwin@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7HNow8P097072;
	Mon, 17 Aug 2009 23:50:58 GMT (envelope-from edwin@svn.freebsd.org)
Message-Id: <200908172350.n7HNow8P097072@svn.freebsd.org>
From: Edwin Groothuis 
Date: Mon, 17 Aug 2009 23:50:58 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196351 - vendor/tzdata/tzdata2009l
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
	
List-Unsubscribe: , 
	
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
	
X-List-Received-Date: Mon, 17 Aug 2009 23:50:58 -0000

Author: edwin
Date: Mon Aug 17 23:50:57 2009
New Revision: 196351
URL: http://svn.freebsd.org/changeset/base/196351

Log:
  Tag of tzdata2009l

Added:
  vendor/tzdata/tzdata2009l/
     - copied from r196350, vendor/tzdata/dist/

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:13:59 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E30D51065692;
	Tue, 18 Aug 2009 16:13:59 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id CBA338FC55;
	Tue, 18 Aug 2009 16:13:59 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGDxLx022014;
	Tue, 18 Aug 2009 16:13:59 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGDxSQ021986;
	Tue, 18 Aug 2009 16:13:59 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181613.n7IGDxSQ021986@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:13:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196360 - vendor-sys/pf/dist/net
	vendor-sys/pf/dist/netinet vendor/pf/dist/authpf
	vendor/pf/dist/ftp-proxy vendor/pf/dist/libevent
	vendor/pf/dist/man vendor/pf/dist/pfctl vendor/pf/dist...
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
	
List-Unsubscribe: , 
	
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
	
X-List-Received-Date: Tue, 18 Aug 2009 16:14:00 -0000

Author: mlaier
Date: Tue Aug 18 16:13:59 2009
New Revision: 196360
URL: http://svn.freebsd.org/changeset/base/196360

Log:
  eri@ wants to start on porting the latest pf in his user space so we can
  finally have a new version in 9.0.  Import pf as of OPENBSD_4_5_BASE to help
  with that.

Added:
  vendor/pf/dist/man/pflow.4
Modified:
  vendor/pf/dist/authpf/Makefile
  vendor/pf/dist/authpf/authpf.8
  vendor/pf/dist/authpf/authpf.c
  vendor/pf/dist/authpf/pathnames.h
  vendor/pf/dist/ftp-proxy/Makefile
  vendor/pf/dist/ftp-proxy/filter.c
  vendor/pf/dist/ftp-proxy/filter.h
  vendor/pf/dist/ftp-proxy/ftp-proxy.8
  vendor/pf/dist/ftp-proxy/ftp-proxy.c
  vendor/pf/dist/libevent/buffer.c
  vendor/pf/dist/libevent/evbuffer.c
  vendor/pf/dist/libevent/event-internal.h
  vendor/pf/dist/libevent/event.c
  vendor/pf/dist/libevent/event.h
  vendor/pf/dist/libevent/evsignal.h
  vendor/pf/dist/libevent/kqueue.c
  vendor/pf/dist/libevent/log.c
  vendor/pf/dist/libevent/log.h
  vendor/pf/dist/libevent/poll.c
  vendor/pf/dist/libevent/select.c
  vendor/pf/dist/libevent/signal.c
  vendor/pf/dist/man/pf.4
  vendor/pf/dist/man/pf.conf.5
  vendor/pf/dist/man/pf.os.5
  vendor/pf/dist/man/pflog.4
  vendor/pf/dist/man/pfsync.4
  vendor/pf/dist/pfctl/Makefile
  vendor/pf/dist/pfctl/parse.y
  vendor/pf/dist/pfctl/pf_print_state.c
  vendor/pf/dist/pfctl/pfctl.8
  vendor/pf/dist/pfctl/pfctl.c
  vendor/pf/dist/pfctl/pfctl.h
  vendor/pf/dist/pfctl/pfctl_altq.c
  vendor/pf/dist/pfctl/pfctl_optimize.c
  vendor/pf/dist/pfctl/pfctl_osfp.c
  vendor/pf/dist/pfctl/pfctl_parser.c
  vendor/pf/dist/pfctl/pfctl_parser.h
  vendor/pf/dist/pfctl/pfctl_qstats.c
  vendor/pf/dist/pfctl/pfctl_radix.c
  vendor/pf/dist/pfctl/pfctl_table.c
  vendor/pf/dist/pflogd/Makefile
  vendor/pf/dist/pflogd/pflogd.8
  vendor/pf/dist/pflogd/pflogd.c
  vendor/pf/dist/pflogd/pflogd.h
  vendor/pf/dist/pflogd/privsep.c
  vendor/pf/dist/pflogd/privsep_fdpass.c
  vendor/pf/dist/tftp-proxy/Makefile
  vendor/pf/dist/tftp-proxy/filter.c
  vendor/pf/dist/tftp-proxy/filter.h
  vendor/pf/dist/tftp-proxy/tftp-proxy.8
  vendor/pf/dist/tftp-proxy/tftp-proxy.c

Changes in other areas also in this revision:
Added:
  vendor-sys/pf/dist/net/if_pflow.c
  vendor-sys/pf/dist/net/if_pflow.h
  vendor-sys/pf/dist/net/pf_lb.c
Modified:
  vendor-sys/pf/dist/net/if_pflog.c
  vendor-sys/pf/dist/net/if_pflog.h
  vendor-sys/pf/dist/net/if_pfsync.c
  vendor-sys/pf/dist/net/if_pfsync.h
  vendor-sys/pf/dist/net/pf.c
  vendor-sys/pf/dist/net/pf_if.c
  vendor-sys/pf/dist/net/pf_ioctl.c
  vendor-sys/pf/dist/net/pf_norm.c
  vendor-sys/pf/dist/net/pf_osfp.c
  vendor-sys/pf/dist/net/pf_ruleset.c
  vendor-sys/pf/dist/net/pf_table.c
  vendor-sys/pf/dist/net/pfvar.h
  vendor-sys/pf/dist/netinet/in4_cksum.c

Modified: vendor/pf/dist/authpf/Makefile
==============================================================================
--- vendor/pf/dist/authpf/Makefile	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/authpf/Makefile	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
+#	$OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
 
 PROG=	authpf
 MAN=	authpf.8
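Review bot: the $OpenBSD$ id goes backwards here (1.13 of 2008/02/14 replaced by 1.12 of 2004/04/25), and the same happens further down for pathnames.h (1.8 to 1.7), ftp-proxy/Makefile (1.3 to 1.2), filter.c (1.8 to 1.7), filter.h (1.4 to 1.3), ftp-proxy.8 (1.11 to 1.10) and ftp-proxy.c (1.19 to 1.18), where the id line is the only change in the file. Content-identical files carrying older ids will mislead the next merge and anyone checking which upstream fixes are present, so the log message should record where this snapshot of those files came from, or the id lines should be kept at the newer values.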

Modified: vendor/pf/dist/authpf/authpf.8
==============================================================================
--- vendor/pf/dist/authpf/authpf.8	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/authpf/authpf.8	Tue Aug 18 16:13:59 2009	(r196360)
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 14 2008 $
+.Dd $Mdocdate: March 18 2008 $
 .Dt AUTHPF 8
 .Os
 .Sh NAME
@@ -202,6 +202,9 @@ It is also possible to configure
 to only allow specific users access.
 This is done by listing their login names, one per line, in
 .Pa /etc/authpf/authpf.allow .
+A group of users can also be indicated by prepending "%" to the group name,
+and all members of a login class can be indicated by prepending "@" to the
+login class name.
 If "*" is found on a line, then all usernames match.
 If
 .Nm
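Review bot: the new sentence should say how the two prefixes are evaluated, since the implementation in allowed_luser (authpf.c below) matches "%group" against the user's full group list from getgrouplist(3), primary group included, and "@class" against the class field of the passwd entry. It should also document that an unknown group name in authpf.allow is treated as a fatal error that denies every login not matched by an earlier line, rather than being skipped, because that is a surprising failure mode for an administrator who mistypes a group. Finally, a user name beginning with "%" or "@" can no longer be listed literally; worth one line.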
@@ -314,7 +317,8 @@ They have a
 wireless network which they would like to protect from unauthorized use.
 To accomplish this, they create the file
 .Pa /etc/authpf/authpf.allow
-which lists their login ids, one per line.
+which lists their login ids, group prepended with "%", or login class
+prepended with "@", one per line.
 At this point, even if eve could authenticate to
 .Xr sshd 8 ,
 she would not be allowed to use the gateway.

Modified: vendor/pf/dist/authpf/authpf.c
==============================================================================
--- vendor/pf/dist/authpf/authpf.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/authpf/authpf.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $	*/
+/*	$OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $	*/
 
 /*
  * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -32,6 +32,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -43,7 +44,7 @@
 
 static int	read_config(FILE *);
 static void	print_message(char *);
-static int	allowed_luser(char *);
+static int	allowed_luser(struct passwd *);
 static int	check_luser(char *, char *);
 static int	remove_stale_rulesets(void);
 static int	recursive_ruleset_purge(char *, char *);
@@ -58,6 +59,7 @@ char	tablename[PF_TABLE_NAME_SIZE] = "au
 int	user_ip = 1;	/* controls whether $user_ip is set */
 
 FILE	*pidfp;
+int	pidfd = -1;
 char	 luser[MAXLOGNAME];	/* username */
 char	 ipsrc[256];		/* ip as a string */
 char	 pidfile[MAXPATHLEN];	/* we save pid in this file. */
@@ -78,7 +80,7 @@ extern char *__progname;	/* program name
 int
 main(int argc, char *argv[])
 {
-	int		 lockcnt = 0, n, pidfd;
+	int		 lockcnt = 0, n;
 	FILE		*config;
 	struct in6_addr	 ina;
 	struct passwd	*pw;
@@ -93,7 +95,7 @@ main(int argc, char *argv[])
 
 	config = fopen(PATH_CONFFILE, "r");
 	if (config == NULL) {
-		syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
+		syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
 		exit(1);
 	}
 
@@ -186,6 +188,14 @@ main(int argc, char *argv[])
 		goto die;
 	}
 
+	signal(SIGTERM, need_death);
+	signal(SIGINT, need_death);
+	signal(SIGALRM, need_death);
+	signal(SIGPIPE, need_death);
+	signal(SIGHUP, need_death);
+	signal(SIGQUIT, need_death);
+	signal(SIGTSTP, need_death);
+
 	/*
 	 * If someone else is already using this ip, then this person
 	 * wants to switch users - so kill the old process and exit
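Review bot: moving the need_death handlers up here, ahead of the "someone else is already using this ip" loop (they are deleted from their old position after authentication in the hunk at -306 below), means a SIGTERM, SIGINT or SIGHUP during the up-to-ten-second wait for the previous authpf to exit is now acted on through the want_death check added at -239, instead of being ignored until authentication completes. Confirm that need_death does nothing beyond setting the flag, since it can now interrupt the fopen/fclose of pidfp in that loop, and note that SIGALRM is caught here too, so any alarm(3) set later in main takes the same path.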
@@ -239,15 +249,17 @@ main(int argc, char *argv[])
 		}
 
 		/*
-		 * we try to kill the previous process and acquire the lock
+		 * We try to kill the previous process and acquire the lock
 		 * for 10 seconds, trying once a second. if we can't after
-		 * 10 attempts we log an error and give up
+		 * 10 attempts we log an error and give up.
 		 */
-		if (++lockcnt > 10) {
-			syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
-			    otherpid);
+		if (want_death || ++lockcnt > 10) {
+			if (!want_death)
+				syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
+				    otherpid);
 			fclose(pidfp);
 			pidfp = NULL;
+			pidfd = -1;
 			goto dogdeath;
 		}
 		sleep(1);
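Review bot: the "pidfd = -1" reset has to accompany every fclose(pidfp), as it does here and in the next hunk, because do_death (hunk at -878 below) now tests "pidfd != -1" instead of "pidfp != NULL" before unlinking the pidfile; a path that closes pidfp without resetting pidfd would unlink the pidfile of the other authpf instance that still holds the lock. Consider folding the three statements into a small close_pidfile() helper so they cannot drift apart. Skipping the "cannot kill previous authpf" syslog when want_death is set is correct, since nothing failed in that case.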
@@ -258,6 +270,7 @@ main(int argc, char *argv[])
 		 */
 		fclose(pidfp);
 		pidfp = NULL;
+		pidfd = -1;
 	} while (1);
 	
 	/* whack the group list */
@@ -275,7 +288,7 @@ main(int argc, char *argv[])
 	}
 	openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
 
-	if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+	if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
 		syslog(LOG_INFO, "user %s prohibited", luser);
 		do_death(0);
 	}
@@ -306,13 +319,6 @@ main(int argc, char *argv[])
 		do_death(0);
 	}
 
-	signal(SIGTERM, need_death);
-	signal(SIGINT, need_death);
-	signal(SIGALRM, need_death);
-	signal(SIGPIPE, need_death);
-	signal(SIGHUP, need_death);
-	signal(SIGQUIT, need_death);
-	signal(SIGTSTP, need_death);
 	while (1) {
 		printf("\r\nHello %s. ", luser);
 		printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@@ -434,6 +440,7 @@ print_message(char *filename)
  * allowed_luser checks to see if user "luser" is allowed to
  * use this gateway by virtue of being listed in an allowed
  * users file, namely /etc/authpf/authpf.allow .
+ * Users may be listed by , %, or @.
  *
  * If /etc/authpf/authpf.allow does not exist, then we assume that
  * all users who are allowed in by sshd(8) are permitted to
@@ -442,7 +449,7 @@ print_message(char *filename)
  * the session terminates in the same manner as being banned.
  */
 static int
-allowed_luser(char *luser)
+allowed_luser(struct passwd *pw)
 {
 	char	*buf, *lbuf;
 	int	 matched;
@@ -474,8 +481,14 @@ allowed_luser(char *luser)
 		 * "public" gateway, such as it is, so let
 		 * everyone use it.
 		 */
+		int gl_init = 0, ngroups = NGROUPS + 1;
+		gid_t groups[NGROUPS + 1];
+
 		lbuf = NULL;
+		matched = 0;
+
 		while ((buf = fgetln(f, &len))) {
+			
 			if (buf[len - 1] == '\n')
 				buf[len - 1] = '\0';
 			else {
@@ -486,7 +499,40 @@ allowed_luser(char *luser)
 				buf = lbuf;
 			}
 
-			matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
+			if (buf[0] == '@') {
+				/* check login class */
+				if (strcmp(pw->pw_class, buf + 1) == 0)
+					matched++;
+			} else if (buf[0] == '%') {
+				/* check group membership */
+				int cnt; 
+				struct group *group;
+
+				if ((group = getgrnam(buf + 1)) == NULL) {
+					syslog(LOG_ERR,
+					    "invalid group '%s' in %s (%s)",
+					    buf + 1, PATH_ALLOWFILE,
+				 	    strerror(errno));
+					return (0);
+				}
+
+				if (!gl_init) {
+					(void) getgrouplist(pw->pw_name,
+					    pw->pw_gid, groups, &ngroups);
+					gl_init++;
+				}
+			
+				for ( cnt = 0; cnt < ngroups; cnt++) {
+					if (group->gr_gid == groups[cnt]) {
+						matched++;
+						break;
+					}
+				}
+			} else {
+				/* check username and wildcard */
+				matched = strcmp(pw->pw_name, buf) == 0 ||
+				    strcmp("*", buf) == 0;
+			}
 
 			if (lbuf != NULL) {
 				free(lbuf);
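Review bot: the unknown-group error path reports strerror(errno), but getgrnam(3) returns NULL without setting errno when the group simply does not exist, so the log will carry a stale or "Undefined error: 0" reason; log the name alone, or only append strerror when errno is non-zero. The getgrouplist(3) return value is discarded: a user in more than NGROUPS + 1 groups gets a truncated list and a -1 return, which here fails closed silently (a matching "%group" line may not match), so at least syslog the truncation. Returning 0 on a bad group name makes one typo in authpf.allow deny every user not matched by an earlier line; that is defensible fail-closed behaviour but should be documented in authpf.8, and lbuf leaks on that return. Edge case: a line consisting of just "@" matches every user whose pw_class is empty, which is the common default, so it behaves like "*" for those users. Style: "matched++" in the '@' and '%' branches versus "matched = ..." in the else branch (use "matched = 1" throughout), trailing whitespace after "int cnt;" and on the blank line after the while, mixed tab/space indentation on the strerror line, and "for ( cnt = 0;".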
@@ -494,10 +540,10 @@ allowed_luser(char *luser)
 			}
 
 			if (matched)
-				return (1); /* matched an allowed username */
+				return (1); /* matched an allowed user/group */
 		}
 		syslog(LOG_INFO, "denied access to %s: not listed in %s",
-		    luser, PATH_ALLOWFILE);
+		    pw->pw_name, PATH_ALLOWFILE);
 
 		/* reuse buf */
 		buf = "\n\nSorry, you are not allowed to use this facility!\n";
@@ -878,7 +924,7 @@ do_death(int active)
 			authpf_kill_states();
 		}
 	}
-	if (pidfile[0] && (pidfp != NULL))
+	if (pidfile[0] && pidfd != -1)
 		if (unlink(pidfile) == -1)
 			syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
 	exit(ret);
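Review bot: the switch from "pidfp != NULL" to "pidfd != -1" as the unlink guard only holds if pidfd is assigned wherever the pidfile is opened and reset wherever pidfp is closed; the two resets are in the hunks at -239 and -258 above, the assignment is outside this diff and should be checked. A comment on the new global at -58 ("valid only while we hold the pidfile lock") would make the invariant explicit, since the whole purpose is to avoid removing another instance's pidfile after losing the lock contest.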

Modified: vendor/pf/dist/authpf/pathnames.h
==============================================================================
--- vendor/pf/dist/authpf/pathnames.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/authpf/pathnames.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $	*/
+/*	$OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $	*/
 
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)

Modified: vendor/pf/dist/ftp-proxy/Makefile
==============================================================================
--- vendor/pf/dist/ftp-proxy/Makefile	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/ftp-proxy/Makefile	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.3 2006/11/26 11:31:13 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.2 2005/06/07 14:12:07 camield Exp $
 
 PROG=	ftp-proxy
 SRCS=	ftp-proxy.c filter.c

Modified: vendor/pf/dist/ftp-proxy/filter.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/filter.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/ftp-proxy/filter.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: filter.c,v 1.8 2008/06/13 07:25:26 claudio Exp $ */
+/*	$OpenBSD: filter.c,v 1.7 2008/02/26 18:52:53 henning Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, 

Modified: vendor/pf/dist/ftp-proxy/filter.h
==============================================================================
--- vendor/pf/dist/ftp-proxy/filter.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/ftp-proxy/filter.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: filter.h,v 1.4 2007/08/01 09:31:41 henning Exp $ */
+/*	$OpenBSD: filter.h,v 1.3 2005/06/07 14:12:07 camield Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, 

Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.8
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.8	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.8	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ftp-proxy.8,v 1.11 2008/02/26 18:52:53 henning Exp $
+.\"	$OpenBSD: ftp-proxy.8,v 1.10 2007/08/01 15:45:41 jmc Exp $
 .\"
 .\" Copyright (c) 2004, 2005 Camiel Dobbelaar, 
 .\"

Modified: vendor/pf/dist/ftp-proxy/ftp-proxy.c
==============================================================================
--- vendor/pf/dist/ftp-proxy/ftp-proxy.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/ftp-proxy/ftp-proxy.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ftp-proxy.c,v 1.19 2008/06/13 07:25:26 claudio Exp $ */
+/*	$OpenBSD: ftp-proxy.c,v 1.18 2008/04/22 02:22:22 joel Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Camiel Dobbelaar, 

Modified: vendor/pf/dist/libevent/buffer.c
==============================================================================
--- vendor/pf/dist/libevent/buffer.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/buffer.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: buffer.c,v 1.14 2007/03/19 15:12:49 millert Exp $	*/
+
 /*
  * Copyright (c) 2002, 2003 Niels Provos 
  * All rights reserved.
@@ -62,7 +64,7 @@ struct evbuffer *
 evbuffer_new(void)
 {
 	struct evbuffer *buffer;
-	
+
 	buffer = calloc(1, sizeof(struct evbuffer));
 
 	return (buffer);
@@ -76,7 +78,7 @@ evbuffer_free(struct evbuffer *buffer)
 	free(buffer);
 }
 
-/* 
+/*
  * This is a destructive add.  The data from one buffer moves into
  * the other buffer.
  */
@@ -104,16 +106,16 @@ evbuffer_add_buffer(struct evbuffer *out
 		SWAP(outbuf, inbuf);
 		SWAP(inbuf, &tmp);
 
-		/* 
+		/*
 		 * Optimization comes with a price; we need to notify the
 		 * buffer if necessary of the changes. oldoff is the amount
-		 * of data that we transfered from inbuf to outbuf
+		 * of data that we transferred from inbuf to outbuf
 		 */
 		if (inbuf->off != oldoff && inbuf->cb != NULL)
 			(*inbuf->cb)(inbuf, oldoff, inbuf->off, inbuf->cbarg);
 		if (oldoff && outbuf->cb != NULL)
 			(*outbuf->cb)(outbuf, 0, oldoff, outbuf->cbarg);
-		
+
 		return (0);
 	}
 
@@ -196,7 +198,7 @@ evbuffer_remove(struct evbuffer *buf, vo
 
 	memcpy(data, buf->buffer, nread);
 	evbuffer_drain(buf, nread);
-	
+
 	return (nread);
 }
 
@@ -371,7 +373,7 @@ evbuffer_read(struct evbuffer *buf, int 
 		if (n < EVBUFFER_MAX_READ)
 			n = EVBUFFER_MAX_READ;
 	}
-#endif	
+#endif
 	if (howmuch < 0 || howmuch > n)
 		howmuch = n;
 

Modified: vendor/pf/dist/libevent/evbuffer.c
==============================================================================
--- vendor/pf/dist/libevent/evbuffer.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/evbuffer.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: evbuffer.c,v 1.10 2007/03/19 15:12:49 millert Exp $	*/
+
 /*
  * Copyright (c) 2002-2004 Niels Provos 
  * All rights reserved.
@@ -64,7 +66,7 @@ bufferevent_add(struct event *ev, int ti
 	return (event_add(ev, ptv));
 }
 
-/* 
+/*
  * This callback is executed when the size of the input buffer changes.
  * We use it to apply back pressure on the reading side.
  */
@@ -73,7 +75,7 @@ void
 bufferevent_read_pressure_cb(struct evbuffer *buf, size_t old, size_t now,
     void *arg) {
 	struct bufferevent *bufev = arg;
-	/* 
+	/*
 	 * If we are below the watermark then reschedule reading if it's
 	 * still enabled.
 	 */
@@ -288,7 +290,7 @@ bufferevent_free(struct bufferevent *buf
  */
 
 int
-bufferevent_write(struct bufferevent *bufev, void *data, size_t size)
+bufferevent_write(struct bufferevent *bufev, const void *data, size_t size)
 {
 	int res;
 

Modified: vendor/pf/dist/libevent/event-internal.h
==============================================================================
--- vendor/pf/dist/libevent/event-internal.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/event-internal.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: event-internal.h,v 1.4 2007/03/19 15:12:49 millert Exp $	*/
+
 /*
  * Copyright (c) 2000-2004 Niels Provos 
  * All rights reserved.

Modified: vendor/pf/dist/libevent/event.c
==============================================================================
--- vendor/pf/dist/libevent/event.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/event.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: event.c,v 1.18 2008/05/02 06:09:11 brad Exp $	*/
+
 /*
  * Copyright (c) 2000-2004 Niels Provos 
  * All rights reserved.
@@ -38,7 +40,7 @@
 #include 
 #ifdef HAVE_SYS_TIME_H
 #include 
-#else 
+#else
 #include 
 #endif
 #include 
@@ -180,7 +182,7 @@ RB_PROTOTYPE(event_tree, event, ev_timeo
 RB_GENERATE(event_tree, event, ev_timeout_node, compare);
 
 
-void *
+struct event_base *
 event_init(void)
 {
 	int i;
@@ -194,13 +196,13 @@ event_init(void)
 
 	detect_monotonic();
 	gettime(&base->event_tv);
-	
+
 	RB_INIT(&base->timetree);
 	TAILQ_INIT(&base->eventqueue);
 	TAILQ_INIT(&base->sig.signalqueue);
 	base->sig.ev_signal_pair[0] = -1;
 	base->sig.ev_signal_pair[1] = -1;
-	
+
 	base->evbase = NULL;
 	for (i = 0; eventops[i] && !base->evbase; i++) {
 		base->evsel = eventops[i];
@@ -321,7 +323,7 @@ event_process_active(struct event_base *
 
 	for (ev = TAILQ_FIRST(activeq); ev; ev = TAILQ_FIRST(activeq)) {
 		event_queue_remove(base, ev, EVLIST_ACTIVE);
-		
+
 		/* Allows deletes to work */
 		ncalls = ev->ev_ncalls;
 		ev->ev_pncalls = &ncalls;
@@ -430,7 +432,7 @@ event_base_loop(struct event_base *base,
 			 */
 			timerclear(&tv);
 		}
-		
+
 		/* If we have no events, we just exit */
 		if (!event_haveevents(base)) {
 			event_debug(("%s: no events registered.", __func__));
@@ -439,7 +441,6 @@ event_base_loop(struct event_base *base,
 
 		res = evsel->dispatch(base, evbase, tv_p);
 
-
 		if (res == -1)
 			return (-1);
 
@@ -652,7 +653,7 @@ event_add(struct event *ev, struct timev
 				/* Abort loop */
 				*ev->ev_pncalls = 0;
 			}
-			
+
 			event_queue_remove(base, ev, EVLIST_ACTIVE);
 		}
 
@@ -913,10 +914,10 @@ event_queue_insert(struct event_base *ba
 const char *
 event_get_version(void)
 {
-	return (VERSION);
+	return (LIBEVENT_VERSION);
 }
 
-/* 
+/*
  * No thread-safe interface needed - the information should be the same
  * for all threads.
  */

Modified: vendor/pf/dist/libevent/event.h
==============================================================================
--- vendor/pf/dist/libevent/event.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/event.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: event.h,v 1.19 2008/05/02 06:09:11 brad Exp $	*/
+
 /*
  * Copyright (c) 2000-2004 Niels Provos 
  * All rights reserved.
@@ -43,6 +45,8 @@ typedef unsigned char u_char;
 typedef unsigned short u_short;
 #endif
 
+#define LIBEVENT_VERSION	"1.3e"
+
 #define EVLIST_TIMEOUT	0x01
 #define EVLIST_INSERTED	0x02
 #define EVLIST_SIGNAL	0x04
@@ -141,7 +145,7 @@ struct eventop {
 	void (*dealloc)(struct event_base *, void *);
 };
 
-void *event_init(void);
+struct event_base *event_init(void);
 int event_dispatch(void);
 int event_base_dispatch(struct event_base *);
 void event_base_free(struct event_base *);
@@ -169,12 +173,6 @@ int event_base_loopexit(struct event_bas
 #define evtimer_pending(ev, tv)		event_pending(ev, EV_TIMEOUT, tv)
 #define evtimer_initialized(ev)		((ev)->ev_flags & EVLIST_INIT)
 
-#define timeout_add(ev, tv)		event_add(ev, tv)
-#define timeout_set(ev, cb, arg)	event_set(ev, -1, 0, cb, arg)
-#define timeout_del(ev)			event_del(ev)
-#define timeout_pending(ev, tv)		event_pending(ev, EV_TIMEOUT, tv)
-#define timeout_initialized(ev)		((ev)->ev_flags & EVLIST_INIT)
-
 #define signal_add(ev, tv)		event_add(ev, tv)
 #define signal_set(ev, x, cb, arg)	\
 	event_set(ev, x, EV_SIGNAL|EV_PERSIST, cb, arg)
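Review bot: dropping the timeout_add/timeout_set/timeout_del/timeout_pending/timeout_initialized compatibility macros is a source-level API break for any consumer that still uses the timeout_* names rather than evtimer_*; grep ftp-proxy, tftp-proxy and pflogd (all modified in this import, but their bodies are not in the diff shown here) for "timeout_" before merging. The LIBEVENT_VERSION define added at -43 and the "struct event_base *" return type for event_init at -141 are fine on their own, but both also belong in the merge notes since the FreeBSD base libevent consumers may rely on the old void * signature.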
@@ -264,7 +262,8 @@ struct bufferevent *bufferevent_new(int 
 int bufferevent_base_set(struct event_base *base, struct bufferevent *bufev);
 int bufferevent_priority_set(struct bufferevent *bufev, int pri);
 void bufferevent_free(struct bufferevent *bufev);
-int bufferevent_write(struct bufferevent *bufev, void *data, size_t size);
+int bufferevent_write(struct bufferevent *bufev,
+    const void *data, size_t size);
 int bufferevent_write_buffer(struct bufferevent *bufev, struct evbuffer *buf);
 size_t bufferevent_read(struct bufferevent *bufev, void *data, size_t size);
 int bufferevent_enable(struct bufferevent *bufev, short event);
@@ -292,7 +291,7 @@ int evbuffer_read(struct evbuffer *, int
 u_char *evbuffer_find(struct evbuffer *, const u_char *, size_t);
 void evbuffer_setcb(struct evbuffer *, void (*)(struct evbuffer *, size_t, size_t, void *), void *);
 
-/* 
+/*
  * Marshaling tagged data - We assume that all tags are inserted in their
  * numeric order - so that unknown tags will always be higher than the
  * known ones - and we can just ignore the end of an event buffer.

Modified: vendor/pf/dist/libevent/evsignal.h
==============================================================================
--- vendor/pf/dist/libevent/evsignal.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/evsignal.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: evsignal.h,v 1.2 2004/04/28 06:53:12 brad Exp $	*/
+
 /*
  * Copyright 2000-2002 Niels Provos 
  * All rights reserved.

Modified: vendor/pf/dist/libevent/kqueue.c
==============================================================================
--- vendor/pf/dist/libevent/kqueue.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/kqueue.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kqueue.c,v 1.5 2002/07/10 14:41:31 art Exp $	*/
+/*	$OpenBSD: kqueue.c,v 1.23 2007/09/02 15:19:18 deraadt Exp $	*/
 
 /*
  * Copyright 2000-2002 Niels Provos 
@@ -97,14 +97,14 @@ kq_init(struct event_base *base)
 	struct kqop *kqueueop;
 
 	/* Disable kqueue when this environment variable is set */
-	if (getenv("EVENT_NOKQUEUE"))
+	if (!issetugid() && getenv("EVENT_NOKQUEUE"))
 		return (NULL);
 
 	if (!(kqueueop = calloc(1, sizeof(struct kqop))))
 		return (NULL);
 
 	/* Initalize the kernel queue */
-	
+
 	if ((kq = kqueue()) == -1) {
 		event_warn("kqueue");
 		free (kqueueop);
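Review bot: gating getenv("EVENT_NOKQUEUE") on !issetugid() is the right fix: in a set-user-ID or set-group-ID program an unprivileged invoker must not be able to steer the library through the environment, even toward an ostensibly safe fallback, because forcing the poll or select backend changes timing and descriptor-limit behaviour of a privileged process. The same guard should be applied to any other EVENT_NO* lookups in the remaining backends (poll.c and select.c are in this import but their diffs are not shown here).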
@@ -114,12 +114,12 @@ kq_init(struct event_base *base)
 	kqueueop->kq = kq;
 
 	/* Initalize fields */
-	kqueueop->changes = malloc(NEVENT * sizeof(struct kevent));
+	kqueueop->changes = calloc(NEVENT, sizeof(struct kevent));
 	if (kqueueop->changes == NULL) {
 		free (kqueueop);
 		return (NULL);
 	}
-	kqueueop->events = malloc(NEVENT * sizeof(struct kevent));
+	kqueueop->events = calloc(NEVENT, sizeof(struct kevent));
 	if (kqueueop->events == NULL) {
 		free (kqueueop->changes);
 		free (kqueueop);
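Review bot: calloc(NEVENT, sizeof(struct kevent)) instead of malloc(NEVENT * sizeof(struct kevent)) gives two things: the multiplication is overflow-checked by the allocator, and the arrays start zeroed, so an unfilled slot cannot carry a stale ident or udata pointer into kevent(2). NEVENT is a compile-time constant so the overflow check is moot here, but the zeroed changes[] array matters because kq_insert fills it by index (memcpy at -195 below).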
@@ -131,7 +131,7 @@ kq_init(struct event_base *base)
 	kqueueop->changes[0].ident = -1;
 	kqueueop->changes[0].filter = EVFILT_READ;
 	kqueueop->changes[0].flags = EV_ADD;
-	/* 
+	/*
 	 * If kqueue works, then kevent will succeed, and it will
 	 * stick an error in events[0].  If kqueue is broken, then
 	 * kevent will fail.
@@ -195,7 +195,7 @@ kq_insert(struct kqop *kqop, struct keve
 	memcpy(&kqop->changes[kqop->nchanges++], kev, sizeof(struct kevent));
 
 	event_debug(("%s: fd %d %s%s",
-		 __func__, kev->ident, 
+		 __func__, kev->ident,
 		 kev->filter == EVFILT_READ ? "EVFILT_READ" : "EVFILT_WRITE",
 		 kev->flags == EV_DELETE ? " (del)" : ""));
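Review bot: while this event_debug() call is being touched, note that kev->ident is a uintptr_t but is printed with %d; cast it to (int) or print it with an unsigned long conversion so the format and argument agree on 64-bit platforms.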
 
@@ -241,7 +241,7 @@ kq_dispatch(struct event_base *base, voi
 		int which = 0;
 
 		if (events[i].flags & EV_ERROR) {
-			/* 
+			/*
 			 * Error messages that can happen, when a delete fails.
 			 *   EBADF happens when the file discriptor has been
 			 *   closed,
@@ -301,7 +301,7 @@ kq_add(void *arg, struct event *ev)
 		if (!(ev->ev_events & EV_PERSIST))
 			kev.flags |= EV_ONESHOT;
 		kev.udata = PTR_TO_UDATA(ev);
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 
@@ -324,7 +324,7 @@ kq_add(void *arg, struct event *ev)
 		if (!(ev->ev_events & EV_PERSIST))
 			kev.flags |= EV_ONESHOT;
 		kev.udata = PTR_TO_UDATA(ev);
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 
@@ -339,7 +339,7 @@ kq_add(void *arg, struct event *ev)
 		if (!(ev->ev_events & EV_PERSIST))
 			kev.flags |= EV_ONESHOT;
 		kev.udata = PTR_TO_UDATA(ev);
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 
@@ -365,7 +365,7 @@ kq_del(void *arg, struct event *ev)
 		kev.ident = nsignal;
 		kev.filter = EVFILT_SIGNAL;
 		kev.flags = EV_DELETE;
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 
@@ -381,7 +381,7 @@ kq_del(void *arg, struct event *ev)
 		kev.ident = ev->ev_fd;
 		kev.filter = EVFILT_READ;
 		kev.flags = EV_DELETE;
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 
@@ -393,7 +393,7 @@ kq_del(void *arg, struct event *ev)
 		kev.ident = ev->ev_fd;
 		kev.filter = EVFILT_WRITE;
 		kev.flags = EV_DELETE;
-		
+
 		if (kq_insert(kqop, &kev) == -1)
 			return (-1);
 

Modified: vendor/pf/dist/libevent/log.c
==============================================================================
--- vendor/pf/dist/libevent/log.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/log.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: err.c,v 1.2 2002/06/25 15:50:15 mickey Exp $	*/
+/*	$OpenBSD: log.c,v 1.4 2005/05/04 03:17:48 brad Exp $	*/
 
 /*
  * log.c
@@ -102,7 +102,7 @@ void
 event_err(int eval, const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_ERR, errno, fmt, ap);
 	va_end(ap);
@@ -113,7 +113,7 @@ void
 event_warn(const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_WARN, errno, fmt, ap);
 	va_end(ap);
@@ -123,7 +123,7 @@ void
 event_errx(int eval, const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_ERR, -1, fmt, ap);
 	va_end(ap);
@@ -134,7 +134,7 @@ void
 event_warnx(const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_WARN, -1, fmt, ap);
 	va_end(ap);
@@ -144,7 +144,7 @@ void
 event_msgx(const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_MSG, -1, fmt, ap);
 	va_end(ap);
@@ -154,7 +154,7 @@ void
 _event_debugx(const char *fmt, ...)
 {
 	va_list ap;
-	
+
 	va_start(ap, fmt);
 	_warn_helper(_EVENT_LOG_DEBUG, -1, fmt, ap);
 	va_end(ap);

Modified: vendor/pf/dist/libevent/log.h
==============================================================================
--- vendor/pf/dist/libevent/log.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/log.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,3 +1,5 @@
+/*	$OpenBSD: log.h,v 1.4 2007/03/19 15:12:49 millert Exp $	*/
+
 /*
  * Copyright (c) 2000-2004 Niels Provos 
  * All rights reserved.

Modified: vendor/pf/dist/libevent/poll.c
==============================================================================
--- vendor/pf/dist/libevent/poll.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/poll.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: poll.c,v 1.2 2002/06/25 15:50:15 mickey Exp $	*/
+/*	$OpenBSD: poll.c,v 1.13 2006/11/26 15:24:34 brad Exp $	*/
 
 /*
  * Copyright 2000-2003 Niels Provos 
@@ -89,7 +89,7 @@ poll_init(struct event_base *base)
 	struct pollop *pollop;
 
 	/* Disable poll when this environment variable is set */
-	if (getenv("EVENT_NOPOLL"))
+	if (!issetugid() && getenv("EVENT_NOPOLL"))
 		return (NULL);
 
 	if (!(pollop = calloc(1, sizeof(struct pollop))))
@@ -179,6 +179,7 @@ poll_dispatch(struct event_base *base, v
 	for (i = 0; i < nfds; i++) {
 		int what = pop->event_set[i].revents;
 		struct event *r_ev = NULL, *w_ev = NULL;
+
 		if (!what)
 			continue;
 
@@ -356,7 +357,7 @@ poll_del(void *arg, struct event *ev)
 
 	--pop->nfds;
 	if (i != pop->nfds) {
-		/* 
+		/*
 		 * Shift the last pollfd down into the now-unoccupied
 		 * position.
 		 */

Modified: vendor/pf/dist/libevent/select.c
==============================================================================
--- vendor/pf/dist/libevent/select.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/select.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $	*/
+/*	$OpenBSD: select.c,v 1.13 2007/03/19 15:12:49 millert Exp $	*/
 
 /*
  * Copyright 2000-2002 Niels Provos 
@@ -96,7 +96,7 @@ select_init(struct event_base *base)
 	struct selectop *sop;
 
 	/* Disable select when this environment variable is set */
-	if (getenv("EVENT_NOSELECT"))
+	if (!issetugid() && getenv("EVENT_NOSELECT"))
 		return (NULL);
 
 	if (!(sop = calloc(1, sizeof(struct selectop))))

Modified: vendor/pf/dist/libevent/signal.c
==============================================================================
--- vendor/pf/dist/libevent/signal.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/libevent/signal.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: select.c,v 1.2 2002/06/25 15:50:15 mickey Exp $	*/
+/*	$OpenBSD: signal.c,v 1.11 2007/03/19 15:12:49 millert Exp $	*/
 
 /*
  * Copyright 2000-2002 Niels Provos 
@@ -85,7 +85,7 @@ evsignal_cb(int fd, short what, void *ar
 void
 evsignal_init(struct event_base *base)
 {
-	/* 
+	/*
 	 * Our signal handler is going to write to one end of the socket
 	 * pair to wake up our event loop.  The event loop then scans for
 	 * signals that got delivered.

Modified: vendor/pf/dist/man/pf.4
==============================================================================
--- vendor/pf/dist/man/pf.4	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/man/pf.4	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
+.\"	$OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: September 4 2008 $
 .Dt PF 4
 .Os
 .Sh NAME
@@ -1050,12 +1050,14 @@ internal interface description.
 The filtering process is the same as for
 .Dv DIOCIGETIFACES .
 .Bd -literal
-#define PFI_IFLAG_SKIP		0x0100	/* skip filtering on interface */
+#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
 .Ed
 .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
 Works as
 .Dv DIOCSETIFFLAG
 above but clears the flags.
+.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
+Explicitly remove source tracking nodes.
 .El
 .Sh FILES
 .Bl -tag -width /dev/pf -compact
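Review bot: the new DIOCKILLSRCNODES entry declares its argument as `struct pfioc_iface *io`, the same type as the DIOCSETIFFLAG/DIOCCLRIFFLAG entries above it, yet its description ("Explicitly remove source tracking nodes") says nothing about how the nodes to remove are selected, which a pfioc_iface cannot express. Either the argument type was copied from the entry above or the description is incomplete; the entry should name the structure the ioctl actually consumes, the fields that select the nodes, and what it reports back.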
@@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
 .Xr ioctl 2 ,
 .Xr bridge 4 ,
 .Xr pflog 4 ,
+.Xr pflow 4 ,
 .Xr pfsync 4 ,
 .Xr pfctl 8 ,
 .Xr altq 9

Modified: vendor/pf/dist/man/pf.conf.5
==============================================================================
--- vendor/pf/dist/man/pf.conf.5	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/man/pf.conf.5	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2008 $
+.Dd $Mdocdate: October 2 2008 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -517,6 +517,16 @@ For example:
 .Bd -literal -offset indent
 set state-policy if-bound
 .Ed
+.It Ar set state-defaults
+The
+.Ar state-defaults
+option sets the state options for states created from rules
+without an explicit
+.Ar keep state .
+For example:
+.Bd -literal -offset indent
+set state-defaults pflow, no-sync
+.Ed
 .It Ar set hostid
 The 32-bit
 .Ar hostid
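Review bot: "rules without an explicit keep state" is ambiguous. It does not say whether a rule written with a bare `keep state` (no options) receives the defaults or only rules that rely on the implicit keep state, nor whether options given on a rule replace or merge with the defaults; both matter when the default includes `no-sync` or `pflow`, since an operator will assume they apply everywhere. Spell out both, and cross-reference the `pflow` state option (documented later in this same diff) since this example is the first place the keyword appears.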
@@ -901,7 +911,7 @@ Defines a list of subqueues to create on
 .El
 .Pp
 In the following example, the interface dc0
-should queue up to 5 Mbit/s in four second-level queues using
+should queue up to 5Mbps in four second-level queues using
 Class Based Queueing.
 Those four queues will be shown in a later example.
 .Bd -literal -offset indent
@@ -1488,7 +1498,7 @@ Translates to the network(s) attached to
 .It Ar :broadcast
 Translates to the interface's broadcast address(es).
 .It Ar :peer
-Translates to the point to point interface's peer address(es).
+Translates to the point-to-point interface's peer address(es).
 .It Ar :0
 Do not include interface aliases.
 .El
@@ -2098,6 +2108,10 @@ easier.
 This is intended to be used in situations where one does not see all
 packets of a connection, e.g. in asymmetric routing situations.
 Cannot be used with modulate or synproxy state.
+.It Ar pflow
+States created by this rule are exported on the
+.Xr pflow 4
+interface.
 .El
 .Pp
 Multiple options can be specified, separated by commas:
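Review bot: "exported on the pflow(4) interface" reads as if there were exactly one, but export_pflow() in the if_pflow.c hunk of this same import iterates over every interface in pflowif_list, so a state carrying this option is exported on all configured pflow interfaces. Say "on all pflow(4) interfaces" here, or document that only one is supported.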
@@ -2821,6 +2835,7 @@ option         = "set" ( [ "timeout" ( t
                  [ "loginterface" ( interface-name | "none" ) ] |
                  [ "block-policy" ( "drop" | "return" ) ] |
                  [ "state-policy" ( "if-bound" | "floating" ) ]
+                 [ "state-defaults" state-opts ]
                  [ "require-order" ( "yes" | "no" ) ]
                  [ "fingerprints" filename ] |
                  [ "skip on" ifspec ] |
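Review bot: the new `[ "state-defaults" state-opts ]` line, like the `state-policy` and `require-order` lines around it, has no trailing `|`, while the other alternatives of this production do. Since this is the grammar readers use to check syntax, add the separator to all three lines so the production is consistently an alternation.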
@@ -2963,7 +2978,7 @@ tos            = ( "lowdelay" | "through
                  [ "0x" ] number )
 
 state-opts     = state-opt [ [ "," ] state-opts ]
-state-opt      = ( "max" number | "no-sync" | timeout | sloppy |
+state-opt      = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
                  "source-track" [ ( "rule" | "global" ) ] |
                  "max-src-nodes" number | "max-src-states" number |
                  "max-src-conn" number |
@@ -3026,6 +3041,7 @@ Service name database.
 .Xr ip 4 ,
 .Xr ip6 4 ,
 .Xr pf 4 ,
+.Xr pflow 4 ,
 .Xr pfsync 4 ,
 .Xr route 4 ,
 .Xr tcp 4 ,

Modified: vendor/pf/dist/man/pf.os.5
==============================================================================
--- vendor/pf/dist/man/pf.os.5	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/man/pf.os.5	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
+.\"	$OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
 .\"
 .\" Copyright (c) 2003 Mike Frantzen 
 .\"
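Review bot: the $OpenBSD$ tag moves backwards here, from pf.os.5 1.8 (2007) to 1.7 (2005), and the pflog.4 hunk below does the same (1.10 to 1.9). The log says this is an import of OPENBSD_4_5_BASE, so either the previous vendor import carried files newer than that tag or the wrong checkout was used; worth confirming before this lands, because the older text may drop corrections the tree already had.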

Modified: vendor/pf/dist/man/pflog.4
==============================================================================
--- vendor/pf/dist/man/pflog.4	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor/pf/dist/man/pflog.4	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
+.\"	$OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Tobias Weingartner
 .\" All rights reserved.

Added: vendor/pf/dist/man/pflow.4
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ vendor/pf/dist/man/pflow.4	Tue Aug 18 16:13:59 2009	(r196360)
@@ -0,0 +1,113 @@
+.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
+.\"
+.\" Copyright (c) 2008 Henning Brauer 
+.\" Copyright (c) 2008 Joerg Goltermann 
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 28 2008 $
+.Dt PFLOW 4
+.Os
+.Sh NAME
+.Nm pflow
+.Nd kernel interface for pflow data export
+.Sh SYNOPSIS
+.Cd "pseudo-device pflow"
+.Sh DESCRIPTION
+The
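Review bot: the licence block in the new pflow.4 has three run-together words, "ALLWARRANTIES", "BELIABLE" and "ARISINGOUT"; compare the same ISC text in the if_pflow.c hunk of this import, which reads "ALL WARRANTIES", "BE LIABLE" and "ARISING OUT". As vendor text it should be corrected upstream rather than patched locally, but it is worth reporting so the two copies of the licence agree.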

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:14:00 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 04DAA106568B;
	Tue, 18 Aug 2009 16:14:00 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id E19328FC62;
	Tue, 18 Aug 2009 16:13:59 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGDxfM022025;
	Tue, 18 Aug 2009 16:13:59 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGDxYr022018;
	Tue, 18 Aug 2009 16:13:59 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181613.n7IGDxYr022018@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:13:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor-sys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196360 - vendor-sys/pf/dist/net
	vendor-sys/pf/dist/netinet vendor/pf/dist/authpf
	vendor/pf/dist/ftp-proxy vendor/pf/dist/libevent
	vendor/pf/dist/man vendor/pf/dist/pfctl vendor/pf/dist...
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
X-List-Received-Date: Tue, 18 Aug 2009 16:14:00 -0000

Author: mlaier
Date: Tue Aug 18 16:13:59 2009
New Revision: 196360
URL: http://svn.freebsd.org/changeset/base/196360

Log:
  eri@ wants to start on porting the latest pf in his user space so we can
  finally have a new version in 9.0.  Import pf as of OPENBSD_4_5_BASE to help
  with that.

Added:
  vendor-sys/pf/dist/net/if_pflow.c
  vendor-sys/pf/dist/net/if_pflow.h
  vendor-sys/pf/dist/net/pf_lb.c
Modified:
  vendor-sys/pf/dist/net/if_pflog.c
  vendor-sys/pf/dist/net/if_pflog.h
  vendor-sys/pf/dist/net/if_pfsync.c
  vendor-sys/pf/dist/net/if_pfsync.h
  vendor-sys/pf/dist/net/pf.c
  vendor-sys/pf/dist/net/pf_if.c
  vendor-sys/pf/dist/net/pf_ioctl.c
  vendor-sys/pf/dist/net/pf_norm.c
  vendor-sys/pf/dist/net/pf_osfp.c
  vendor-sys/pf/dist/net/pf_ruleset.c
  vendor-sys/pf/dist/net/pf_table.c
  vendor-sys/pf/dist/net/pfvar.h
  vendor-sys/pf/dist/netinet/in4_cksum.c

Changes in other areas also in this revision:
Added:
  vendor/pf/dist/man/pflow.4
Modified:
  vendor/pf/dist/authpf/Makefile
  vendor/pf/dist/authpf/authpf.8
  vendor/pf/dist/authpf/authpf.c
  vendor/pf/dist/authpf/pathnames.h
  vendor/pf/dist/ftp-proxy/Makefile
  vendor/pf/dist/ftp-proxy/filter.c
  vendor/pf/dist/ftp-proxy/filter.h
  vendor/pf/dist/ftp-proxy/ftp-proxy.8
  vendor/pf/dist/ftp-proxy/ftp-proxy.c
  vendor/pf/dist/libevent/buffer.c
  vendor/pf/dist/libevent/evbuffer.c
  vendor/pf/dist/libevent/event-internal.h
  vendor/pf/dist/libevent/event.c
  vendor/pf/dist/libevent/event.h
  vendor/pf/dist/libevent/evsignal.h
  vendor/pf/dist/libevent/kqueue.c
  vendor/pf/dist/libevent/log.c
  vendor/pf/dist/libevent/log.h
  vendor/pf/dist/libevent/poll.c
  vendor/pf/dist/libevent/select.c
  vendor/pf/dist/libevent/signal.c
  vendor/pf/dist/man/pf.4
  vendor/pf/dist/man/pf.conf.5
  vendor/pf/dist/man/pf.os.5
  vendor/pf/dist/man/pflog.4
  vendor/pf/dist/man/pfsync.4
  vendor/pf/dist/pfctl/Makefile
  vendor/pf/dist/pfctl/parse.y
  vendor/pf/dist/pfctl/pf_print_state.c
  vendor/pf/dist/pfctl/pfctl.8
  vendor/pf/dist/pfctl/pfctl.c
  vendor/pf/dist/pfctl/pfctl.h
  vendor/pf/dist/pfctl/pfctl_altq.c
  vendor/pf/dist/pfctl/pfctl_optimize.c
  vendor/pf/dist/pfctl/pfctl_osfp.c
  vendor/pf/dist/pfctl/pfctl_parser.c
  vendor/pf/dist/pfctl/pfctl_parser.h
  vendor/pf/dist/pfctl/pfctl_qstats.c
  vendor/pf/dist/pfctl/pfctl_radix.c
  vendor/pf/dist/pfctl/pfctl_table.c
  vendor/pf/dist/pflogd/Makefile
  vendor/pf/dist/pflogd/pflogd.8
  vendor/pf/dist/pflogd/pflogd.c
  vendor/pf/dist/pflogd/pflogd.h
  vendor/pf/dist/pflogd/privsep.c
  vendor/pf/dist/pflogd/privsep_fdpass.c
  vendor/pf/dist/tftp-proxy/Makefile
  vendor/pf/dist/tftp-proxy/filter.c
  vendor/pf/dist/tftp-proxy/filter.h
  vendor/pf/dist/tftp-proxy/tftp-proxy.8
  vendor/pf/dist/tftp-proxy/tftp-proxy.c

Modified: vendor-sys/pf/dist/net/if_pflog.c
==============================================================================
--- vendor-sys/pf/dist/net/if_pflog.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor-sys/pf/dist/net/if_pflog.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_pflog.c,v 1.27 2007/12/20 02:53:02 brad Exp $	*/
+/*	$OpenBSD: if_pflog.c,v 1.26 2007/10/18 21:58:18 mpf Exp $	*/
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and 
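Review bot: if_pflog.c goes from $OpenBSD$ revision 1.27 to 1.26 here, and if_pflog.h in the next hunk from 1.14 to 1.13, so both files move to an older upstream revision in an import that the log describes as OPENBSD_4_5_BASE. Check that these are the revisions actually on that tag; if the tree previously held post-4.5 revisions, the changes they carried need to be re-applied or the import redone from the intended tag.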

Modified: vendor-sys/pf/dist/net/if_pflog.h
==============================================================================
--- vendor-sys/pf/dist/net/if_pflog.h	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor-sys/pf/dist/net/if_pflog.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.h,v 1.14 2006/10/25 11:27:01 henning Exp $ */
+/* $OpenBSD: if_pflog.h,v 1.13 2006/10/23 12:46:09 henning Exp $ */
 /*
  * Copyright 2001 Niels Provos 
  * All rights reserved.

Added: vendor-sys/pf/dist/net/if_pflow.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ vendor-sys/pf/dist/net/if_pflow.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -0,0 +1,621 @@
+/*	$OpenBSD: if_pflow.c,v 1.9 2009/01/03 21:47:32 gollo Exp $	*/
+
+/*
+ * Copyright (c) 2008 Henning Brauer 
+ * Copyright (c) 2008 Joerg Goltermann 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#ifdef INET
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#endif /* INET */
+
+#include 
+#include 
+
+#include "bpfilter.h"
+#include "pflow.h"
+
+#define PFLOW_MINMTU	\
+    (sizeof(struct pflow_header) + sizeof(struct pflow_flow))
+
+#ifdef PFLOWDEBUG
+#define DPRINTF(x)	do { printf x ; } while (0)
+#else
+#define DPRINTF(x)
+#endif
+
+SLIST_HEAD(, pflow_softc) pflowif_list;
+struct pflowstats	 pflowstats;
+
+void	pflowattach(int);
+int	pflow_clone_create(struct if_clone *, int);
+int	pflow_clone_destroy(struct ifnet *);
+void	pflow_setmtu(struct pflow_softc *, int);
+int	pflowoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
+	    struct rtentry *);
+int	pflowioctl(struct ifnet *, u_long, caddr_t);
+void	pflowstart(struct ifnet *);
+
+struct mbuf *pflow_get_mbuf(struct pflow_softc *);
+int	pflow_sendout(struct pflow_softc *);
+int	pflow_sendout_mbuf(struct pflow_softc *, struct mbuf *);
+void	pflow_timeout(void *);
+void	copy_flow_data(struct pflow_flow *, struct pflow_flow *,
+	struct pf_state *, int, int);
+int	pflow_pack_flow(struct pf_state *, struct pflow_softc *);
+int	pflow_get_dynport(void);
+int	export_pflow_if(struct pf_state*, struct pflow_softc *);
+int	copy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc);
+
+struct if_clone	pflow_cloner =
+    IF_CLONE_INITIALIZER("pflow", pflow_clone_create,
+    pflow_clone_destroy);
+
+/* from in_pcb.c */
+extern int ipport_hifirstauto;
+extern int ipport_hilastauto;
+
+/* from kern/kern_clock.c; incremented each clock tick. */
+extern int ticks;
+
+void
+pflowattach(int npflow)
+{
+	SLIST_INIT(&pflowif_list);
+	if_clone_attach(&pflow_cloner);
+}
+
+int
+pflow_clone_create(struct if_clone *ifc, int unit)
+{
+	struct ifnet		*ifp;
+	struct pflow_softc	*pflowif;
+
+	if ((pflowif = malloc(sizeof(*pflowif),
+	    M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL)
+		return (ENOMEM);
+
+	pflowif->sc_sender_ip.s_addr = INADDR_ANY;
+	pflowif->sc_sender_port = pflow_get_dynport();
+
+	pflowif->sc_imo.imo_membership = malloc(
+	    (sizeof(struct in_multi *) * IP_MIN_MEMBERSHIPS), M_IPMOPTS,
+	    M_WAITOK|M_ZERO);
+	pflowif->sc_imo.imo_max_memberships = IP_MIN_MEMBERSHIPS;
+	pflowif->sc_receiver_ip.s_addr = 0;
+	pflowif->sc_receiver_port = 0;
+	pflowif->sc_sender_ip.s_addr = INADDR_ANY;
+	pflowif->sc_sender_port = pflow_get_dynport();
+	ifp = &pflowif->sc_if;
+	snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflow%d", unit);
+	ifp->if_softc = pflowif;
+	ifp->if_ioctl = pflowioctl;
+	ifp->if_output = pflowoutput;
+	ifp->if_start = pflowstart;
+	ifp->if_type = IFT_PFLOW;
+	ifp->if_snd.ifq_maxlen = ifqmaxlen;
+	ifp->if_hdrlen = PFLOW_HDRLEN;
+	ifp->if_flags = IFF_UP;
+	ifp->if_flags &= ~IFF_RUNNING;	/* not running, need receiver */
+	pflow_setmtu(pflowif, ETHERMTU);
+	timeout_set(&pflowif->sc_tmo, pflow_timeout, pflowif);
+	if_attach(ifp);
+	if_alloc_sadl(ifp);
+
+#if NBPFILTER > 0
+	bpfattach(&pflowif->sc_if.if_bpf, ifp, DLT_RAW, 0);
+#endif
+
+	/* Insert into list of pflows */
+	SLIST_INSERT_HEAD(&pflowif_list, pflowif, sc_next);
+	return (0);
+}
+
+int
+pflow_clone_destroy(struct ifnet *ifp)
+{
+	struct pflow_softc	*sc = ifp->if_softc;
+	int			 s;
+
+	s = splnet();
+	pflow_sendout(sc);
+#if NBPFILTER > 0
+	bpfdetach(ifp);
+#endif
+	if_detach(ifp);
+	SLIST_REMOVE(&pflowif_list, sc, pflow_softc, sc_next);
+	free(sc->sc_imo.imo_membership, M_IPMOPTS);
+	free(sc, M_DEVBUF);
+	splx(s);
+	return (0);
+}
+
+/*
+ * Start output on the pflow interface.
+ */
+void
+pflowstart(struct ifnet *ifp)
+{
+	struct mbuf	*m;
+	int		 s;
+
+	for (;;) {
+		s = splnet();
+		IF_DROP(&ifp->if_snd);
+		IF_DEQUEUE(&ifp->if_snd, m);
+		splx(s);
+
+		if (m == NULL)
+			return;
+		m_freem(m);
+	}
+}
+
+int
+pflowoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+	struct rtentry *rt)
+{
+	m_freem(m);
+	return (0);
+}
+
+/* ARGSUSED */
+int
+pflowioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+	struct proc		*p = curproc;
+	struct pflow_softc	*sc = ifp->if_softc;
+	struct ifreq		*ifr = (struct ifreq *)data;
+	struct pflowreq		 pflowr;
+	int			 s, error;
+
+	switch (cmd) {
+	case SIOCSIFADDR:
+	case SIOCAIFADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFFLAGS:
+		if ((ifp->if_flags & IFF_UP) &&
+		    sc->sc_receiver_ip.s_addr != 0 &&
+		    sc->sc_receiver_port != 0) {
+			ifp->if_flags |= IFF_RUNNING;
+			sc->sc_gcounter=pflowstats.pflow_flows;
+		} else
+			ifp->if_flags &= ~IFF_RUNNING;
+		break;
+	case SIOCSIFMTU:
+		if (ifr->ifr_mtu < PFLOW_MINMTU)
+			return (EINVAL);
+		if (ifr->ifr_mtu > MCLBYTES)
+			ifr->ifr_mtu = MCLBYTES;
+		s = splnet();
+		if (ifr->ifr_mtu < ifp->if_mtu)
+			pflow_sendout(sc);
+		pflow_setmtu(sc, ifr->ifr_mtu);
+		splx(s);
+		break;
+
+	case SIOCGETPFLOW:
+		bzero(&pflowr, sizeof(pflowr));
+
+		pflowr.sender_ip = sc->sc_sender_ip;
+		pflowr.receiver_ip = sc->sc_receiver_ip;
+		pflowr.receiver_port = sc->sc_receiver_port;
+
+		if ((error = copyout(&pflowr, ifr->ifr_data,
+		    sizeof(pflowr))))
+			return (error);
+		break;
+
+	case SIOCSETPFLOW:
+		if ((error = suser(p, p->p_acflag)) != 0)
+			return (error);
+		if ((error = copyin(ifr->ifr_data, &pflowr,
+		    sizeof(pflowr))))
+			return (error);
+
+		s = splnet();
+		pflow_sendout(sc);
+		splx(s);
+
+		if (pflowr.addrmask & PFLOW_MASK_DSTIP)
+			sc->sc_receiver_ip = pflowr.receiver_ip;
+		if (pflowr.addrmask & PFLOW_MASK_DSTPRT)
+			sc->sc_receiver_port = pflowr.receiver_port;
+		if (pflowr.addrmask & PFLOW_MASK_SRCIP)
+			sc->sc_sender_ip.s_addr = pflowr.sender_ip.s_addr;
+
+		if ((ifp->if_flags & IFF_UP) &&
+		    sc->sc_receiver_ip.s_addr != 0 &&
+		    sc->sc_receiver_port != 0) {
+			ifp->if_flags |= IFF_RUNNING;
+			sc->sc_gcounter=pflowstats.pflow_flows;
+		} else
+			ifp->if_flags &= ~IFF_RUNNING;
+
+		break;
+
+	default:
+		return (ENOTTY);
+	}
+	return (0);
+}
+
+void
+pflow_setmtu(struct pflow_softc *sc, int mtu_req)
+{
+	int	mtu;
+
+	if (sc->sc_pflow_ifp && sc->sc_pflow_ifp->if_mtu < mtu_req)
+		mtu = sc->sc_pflow_ifp->if_mtu;
+	else
+		mtu = mtu_req;
+
+	sc->sc_maxcount = (mtu - sizeof(struct pflow_header) -
+	    sizeof (struct udpiphdr)) / sizeof(struct pflow_flow);
+	if (sc->sc_maxcount > PFLOW_MAXFLOWS)
+	    sc->sc_maxcount = PFLOW_MAXFLOWS;
+	sc->sc_if.if_mtu = sizeof(struct pflow_header) +
+	    sizeof (struct udpiphdr) + 
+	    sc->sc_maxcount * sizeof(struct pflow_flow);
+}
+
+struct mbuf *
+pflow_get_mbuf(struct pflow_softc *sc)
+{
+	struct pflow_header	 h;
+	struct mbuf		*m;
+
+	MGETHDR(m, M_DONTWAIT, MT_DATA);
+	if (m == NULL) {
+		pflowstats.pflow_onomem++;
+		return (NULL);
+	}
+
+	MCLGET(m, M_DONTWAIT);
+	if ((m->m_flags & M_EXT) == 0) {
+		m_free(m);
+		pflowstats.pflow_onomem++;
+		return (NULL);
+	}
+
+	m->m_len = m->m_pkthdr.len = 0;
+	m->m_pkthdr.rcvif = NULL;
+
+	/* populate pflow_header */
+	h.reserved1 = 0;
+	h.reserved2 = 0;
+	h.count = 0;
+	h.version = htons(PFLOW_VERSION);
+	h.flow_sequence = htonl(sc->sc_gcounter);
+	h.engine_type = PFLOW_ENGINE_TYPE;
+	h.engine_id = PFLOW_ENGINE_ID;
+	m_copyback(m, 0, PFLOW_HDRLEN, &h);
+
+	sc->sc_count = 0;
+	timeout_add_sec(&sc->sc_tmo, PFLOW_TIMEOUT);
+	return (m);
+}
+
+void
+copy_flow_data(struct pflow_flow *flow1, struct pflow_flow *flow2,
+    struct pf_state *st, int src, int dst)
+{
+	struct pf_state_key	*sk = st->key[PF_SK_WIRE];
+
+	flow1->src_ip = flow2->dest_ip = sk->addr[src].v4.s_addr;
+	flow1->src_port = flow2->dest_port = sk->port[src];
+	flow1->dest_ip = flow2->src_ip = sk->addr[dst].v4.s_addr;
+	flow1->dest_port = flow2->src_port = sk->port[dst];
+
+	flow1->dest_as = flow2->src_as =
+	    flow1->src_as = flow2->dest_as = 0;
+	flow1->if_index_out = flow2->if_index_in =
+	    flow1->if_index_in = flow2->if_index_out = 0;
+	flow1->dest_mask = flow2->src_mask =
+	    flow1->src_mask = flow2->dest_mask = 0;
+
+	flow1->flow_packets = htonl(st->packets[0]);
+	flow2->flow_packets = htonl(st->packets[1]);
+	flow1->flow_octets = htonl(st->bytes[0]);
+	flow2->flow_octets = htonl(st->bytes[1]);
+
+	flow1->flow_start = flow2->flow_start = htonl(st->creation * 1000);
+	flow1->flow_finish = flow2->flow_finish = htonl(time_second * 1000);
+	flow1->tcp_flags = flow2->tcp_flags = 0;
+	flow1->protocol = flow2->protocol = sk->proto;
+	flow1->tos = flow2->tos = st->rule.ptr->tos;
+}
+
+int
+export_pflow(struct pf_state *st)
+{
+	struct pflow_softc	*sc = NULL;
+	struct pf_state_key	*sk = st->key[PF_SK_WIRE];
+
+	if (sk->af != AF_INET)
+		return (0);
+
+	SLIST_FOREACH(sc, &pflowif_list, sc_next) {
+		export_pflow_if(st, sc);
+	}
+
+	return (0);
+}
+
+int
+export_pflow_if(struct pf_state *st, struct pflow_softc *sc)
+{
+	struct pf_state		 pfs_copy;
+	struct ifnet		*ifp = &sc->sc_if;
+	u_int64_t		 bytes[2];
+	int			 ret = 0;
+
+	if (!(ifp->if_flags & IFF_RUNNING))
+		return (0);
+
+	if ((st->bytes[0] < (u_int64_t)PFLOW_MAXBYTES)
+	    && (st->bytes[1] < (u_int64_t)PFLOW_MAXBYTES))
+		return (pflow_pack_flow(st, sc));
+
+	/* flow > PFLOW_MAXBYTES need special handling */
+	bcopy(st, &pfs_copy, sizeof(pfs_copy));
+	bytes[0] = pfs_copy.bytes[0];
+	bytes[1] = pfs_copy.bytes[1];
+
+	while (bytes[0] > PFLOW_MAXBYTES) {
+		pfs_copy.bytes[0] = PFLOW_MAXBYTES;
+		pfs_copy.bytes[1] = 0;
+
+		if ((ret = pflow_pack_flow(&pfs_copy, sc)) != 0)
+			return (ret);
+		if ((bytes[0] - PFLOW_MAXBYTES) > 0)
+			bytes[0] -= PFLOW_MAXBYTES;
+	}
+
+	while (bytes[1] > (u_int64_t)PFLOW_MAXBYTES) {
+		pfs_copy.bytes[1] = PFLOW_MAXBYTES;
+		pfs_copy.bytes[0] = 0;
+
+		if ((ret = pflow_pack_flow(&pfs_copy, sc)) != 0)
+			return (ret);
+		if ((bytes[1] - PFLOW_MAXBYTES) > 0)
+			bytes[1] -= PFLOW_MAXBYTES;
+	}
+
+	pfs_copy.bytes[0] = bytes[0];
+	pfs_copy.bytes[1] = bytes[1];
+
+	return (pflow_pack_flow(&pfs_copy, sc));
+}
+
+int
+copy_flow_to_m(struct pflow_flow *flow, struct pflow_softc *sc)
+{
+	int		s, ret = 0;
+
+	s = splnet();
+	if (sc->sc_mbuf == NULL) {
+		if ((sc->sc_mbuf = pflow_get_mbuf(sc)) == NULL) {
+			splx(s);
+			return (ENOBUFS);
+		}
+	}
+	m_copyback(sc->sc_mbuf, PFLOW_HDRLEN +
+	    (sc->sc_count * sizeof (struct pflow_flow)),
+	    sizeof (struct pflow_flow), flow);
+
+	if (pflowstats.pflow_flows == sc->sc_gcounter)
+		pflowstats.pflow_flows++;
+	sc->sc_gcounter++;
+	sc->sc_count++;
+
+	if (sc->sc_count >= sc->sc_maxcount)
+		ret = pflow_sendout(sc);
+
+	splx(s);
+	return(ret);
+}
+
+int
+pflow_pack_flow(struct pf_state *st, struct pflow_softc *sc)
+{
+	struct pflow_flow	 flow1;
+	struct pflow_flow	 flow2;
+	int			 ret = 0;
+
+	bzero(&flow1, sizeof(flow1));
+	bzero(&flow2, sizeof(flow2));
+
+	if (st->direction == PF_OUT)
+		copy_flow_data(&flow1, &flow2, st, 1, 0);
+	else
+		copy_flow_data(&flow1, &flow2, st, 0, 1);
+
+	if (st->bytes[0] != 0) /* first flow from state */
+		ret = copy_flow_to_m(&flow1, sc);
+
+	if (st->bytes[1] != 0) /* second flow from state */
+		ret = copy_flow_to_m(&flow2, sc);
+
+	return (ret);
+}
+
+void
+pflow_timeout(void *v)
+{
+	struct pflow_softc	*sc = v;
+	int			 s;
+
+	s = splnet();
+	pflow_sendout(sc);
+	splx(s);
+}
+
+/* This must be called in splnet() */
+int
+pflow_sendout(struct pflow_softc *sc)
+{
+	struct mbuf		*m = sc->sc_mbuf;
+	struct pflow_header	*h;
+	struct ifnet		*ifp = &sc->sc_if;
+
+	timeout_del(&sc->sc_tmo);
+
+	if (m == NULL)
+		return (0);
+
+	sc->sc_mbuf = NULL;
+	if (!(ifp->if_flags & IFF_RUNNING)) {
+		m_freem(m);
+		return (0);
+	}
+
+	pflowstats.pflow_packets++;
+	h = mtod(m, struct pflow_header *);
+	h->count = htons(sc->sc_count);
+
+	/* populate pflow_header */
+	h->uptime_ms = htonl(time_uptime * 1000);
+	h->time_sec = htonl(time_second);
+	h->time_nanosec = htonl(ticks);
+
+	return (pflow_sendout_mbuf(sc, m));
+}
+
+int
+pflow_sendout_mbuf(struct pflow_softc *sc, struct mbuf *m)
+{
+	struct udpiphdr	*ui;
+	u_int16_t	 len = m->m_pkthdr.len;
+	struct ifnet	*ifp = &sc->sc_if;
+	struct ip	*ip;
+	int		 err;
+
+	/* UDP Header*/
+	M_PREPEND(m, sizeof(struct udpiphdr), M_DONTWAIT);
+	if (m == NULL) {
+		pflowstats.pflow_onomem++;
+		return (ENOBUFS);
+	}
+
+	ui = mtod(m, struct udpiphdr *);
+	ui->ui_pr = IPPROTO_UDP;
+	ui->ui_src = sc->sc_sender_ip;
+	ui->ui_sport = sc->sc_sender_port;
+	ui->ui_dst = sc->sc_receiver_ip;
+	ui->ui_dport = sc->sc_receiver_port;
+	ui->ui_ulen = htons(sizeof (struct udphdr) + len);
+
+	ip = (struct ip *)ui;
+	ip->ip_v = IPVERSION;
+	ip->ip_hl = sizeof(struct ip) >> 2;
+	ip->ip_id = htons(ip_randomid());
+	ip->ip_off = htons(IP_DF);
+	ip->ip_tos = IPTOS_LOWDELAY;
+	ip->ip_ttl = IPDEFTTL;
+	ip->ip_len = htons(sizeof (struct udpiphdr) + len);
+
+	/*
+	 * Compute the pseudo-header checksum; defer further checksumming
+	 * until ip_output() or hardware (if it exists).
+	 */
+	m->m_pkthdr.csum_flags |= M_UDPV4_CSUM_OUT;
+	ui->ui_sum = in_cksum_phdr(ui->ui_src.s_addr,
+	    ui->ui_dst.s_addr, htons(len + sizeof(struct udphdr) +
+	    IPPROTO_UDP));
+
+#if NBPFILTER > 0
+	if (ifp->if_bpf) {
+		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
+		bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT);
+	}
+#endif
+
+	sc->sc_if.if_opackets++;
+	sc->sc_if.if_obytes += m->m_pkthdr.len;
+
+	if ((err = ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL))) {
+		pflowstats.pflow_oerrors++;
+		sc->sc_if.if_oerrors++;
+	}
+	return (err);
+}
+
+int
+pflow_get_dynport(void)
+{
+	u_int16_t	tmp, low, high, cut;
+
+	low = ipport_hifirstauto;     /* sysctl */
+	high = ipport_hilastauto;
+
+	cut = arc4random_uniform(1 + high - low) + low;
+
+	for (tmp = cut; tmp <= high; ++(tmp)) {
+		if (!in_baddynamic(tmp, IPPROTO_UDP))
+			return (htons(tmp));
+	}
+
+	for (tmp = cut - 1; tmp >= low; --(tmp)) {
+		if (!in_baddynamic(tmp, IPPROTO_UDP))
+			return (htons(tmp));
+	}
+
+	return (htons(ipport_hilastauto)); /* XXX */
+}
+
+int
+pflow_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
+    void *newp, size_t newlen)
+{
+	if (namelen != 1)
+		return (ENOTDIR);
+
+	switch (name[0]) {
+	case NET_PFLOW_STATS:
+		if (newp != NULL)
+			return (EPERM);
+		return (sysctl_struct(oldp, oldlenp, newp, newlen,
+		    &pflowstats, sizeof(pflowstats)));
+	default:
+		return (EOPNOTSUPP);
+	}
+	return (0);
+}
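Review bot: in the flow-export function whose tail opens this hunk, the second `ret = copy_flow_to_m(&flow2, sc);` overwrites the result of the first call, so when both `st->bytes[0]` and `st->bytes[1]` are non-zero a failed export of flow1 is reported as success if flow2 succeeds; either return on the first error or keep the first non-zero value (`if ((r = copy_flow_to_m(&flow1, sc)) != 0) ret = r;`). Two smaller points in the same hunk: `pflow_sendout` stores `htonl(ticks)` in `h->time_nanosec`, which is the HZ tick counter and not the nanosecond residual the field name implies, so either derive it from the nanosecond part of the current time or document the deviation for collectors that parse the header. And `pflow_get_dynport` compares unsigned 16-bit values in both loops, so with `ipport_hifirstauto` set to 0 or `ipport_hilastauto` set to 65535 the `--tmp` / `++tmp` wrap past the configured bounds instead of stopping, and a `high < low` sysctl setting makes `1 + high - low` negative before it reaches `arc4random_uniform`; clamp or validate the two sysctl values first, and the `/* XXX */` fallback then no longer needs to hand back a port that `in_baddynamic` may have rejected.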

Added: vendor-sys/pf/dist/net/if_pflow.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ vendor-sys/pf/dist/net/if_pflow.h	Tue Aug 18 16:13:59 2009	(r196360)
@@ -0,0 +1,120 @@
+/*	$OpenBSD: if_pflow.h,v 1.4 2009/01/03 21:47:32 gollo Exp $	*/
+
+/*
+ * Copyright (c) 2008 Henning Brauer 
+ * Copyright (c) 2008 Joerg Goltermann 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER IN
+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _NET_IF_PFLOW_H_
+#define _NET_IF_PFLOW_H_
+
+#define PFLOW_ID_LEN	sizeof(u_int64_t)
+
+#define PFLOW_MAXFLOWS 30
+#define PFLOW_VERSION 5
+#define PFLOW_ENGINE_TYPE 42
+#define PFLOW_ENGINE_ID 42
+#define PFLOW_MAXBYTES 0xffffffff
+#define PFLOW_TIMEOUT 30
+
+struct pflow_flow {
+	u_int32_t	src_ip;
+	u_int32_t	dest_ip;
+	u_int32_t	nexthop_ip;
+	u_int16_t	if_index_in;
+	u_int16_t	if_index_out;
+	u_int32_t	flow_packets;
+	u_int32_t	flow_octets;
+	u_int32_t	flow_start;
+	u_int32_t	flow_finish;
+	u_int16_t	src_port;
+	u_int16_t	dest_port;
+	u_int8_t	pad1;
+	u_int8_t	tcp_flags;
+	u_int8_t	protocol;
+	u_int8_t	tos;
+	u_int16_t	src_as;
+	u_int16_t	dest_as;
+	u_int8_t	src_mask;
+	u_int8_t	dest_mask;
+	u_int16_t	pad2;
+} __packed;
+
+#ifdef _KERNEL
+
+extern int pflow_ok;
+
+struct pflow_softc {
+	struct ifnet		 sc_if;
+	struct ifnet		*sc_pflow_ifp;
+
+	unsigned int		 sc_count;
+	unsigned int		 sc_maxcount;
+	u_int64_t		 sc_gcounter;
+	struct ip_moptions	 sc_imo;
+	struct timeout		 sc_tmo;
+	struct in_addr		 sc_sender_ip;
+	u_int16_t		 sc_sender_port;
+	struct in_addr		 sc_receiver_ip;
+	u_int16_t		 sc_receiver_port;
+	struct mbuf		*sc_mbuf;	/* current cumulative mbuf */
+	SLIST_ENTRY(pflow_softc) sc_next;
+};
+
+extern struct pflow_softc	*pflowif;
+
+#endif /* _KERNEL */
+
+struct pflow_header {
+	u_int16_t	version;
+	u_int16_t	count;
+	u_int32_t	uptime_ms;
+	u_int32_t	time_sec;
+	u_int32_t	time_nanosec;
+	u_int32_t	flow_sequence;
+	u_int8_t	engine_type;
+	u_int8_t	engine_id;
+	u_int8_t	reserved1;
+	u_int8_t	reserved2;
+} __packed;
+
+#define PFLOW_HDRLEN sizeof(struct pflow_header)
+
+struct pflowstats {
+	u_int64_t	pflow_flows;
+	u_int64_t	pflow_packets;
+	u_int64_t	pflow_onomem;
+	u_int64_t	pflow_oerrors;
+};
+
+/*
+ * Configuration structure for SIOCSETPFLOW SIOCGETPFLOW
+ */
+struct pflowreq {
+	struct in_addr		sender_ip;
+	struct in_addr		receiver_ip;
+	u_int16_t		receiver_port;
+	u_int16_t		addrmask;
+#define PFLOW_MASK_SRCIP	0x01
+#define PFLOW_MASK_DSTIP	0x02
+#define PFLOW_MASK_DSTPRT	0x04
+};
+
+#ifdef _KERNEL
+int export_pflow(struct pf_state *);
+int pflow_sysctl(int *, u_int,  void *, size_t *, void *, size_t);
+#endif /* _KERNEL */
+
+#endif /* _NET_IF_PFLOW_H_ */
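Review bot: `struct pflowreq` does not say which byte order `receiver_port` is expected in, yet `pflow_sendout_mbuf` copies `sc->sc_receiver_port` straight into `ui->ui_dport` with no htons(), so SIOCSETPFLOW callers must already pass network order; state that in the comment above the struct (or convert once in the ioctl handler) so userland and kernel cannot disagree. It would also help to record in this header that `struct pflow_flow` (48 bytes) and `struct pflow_header` (24 bytes) are the NetFlow v5 record and header layouts, and that `PFLOW_MAXFLOWS 30` keeps a full export datagram (24 + 30*48 = 1464 bytes, plus 28 bytes of IP/UDP) under a 1500-byte MTU: the export path sets `IP_DF`, so raising the constant past that turns into silently dropped exports rather than fragmented ones.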

Modified: vendor-sys/pf/dist/net/if_pfsync.c
==============================================================================
--- vendor-sys/pf/dist/net/if_pfsync.c	Tue Aug 18 14:00:25 2009	(r196359)
+++ vendor-sys/pf/dist/net/if_pfsync.c	Tue Aug 18 16:13:59 2009	(r196360)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_pfsync.c,v 1.98 2008/06/29 08:42:15 mcbride Exp $	*/
+/*	$OpenBSD: if_pfsync.c,v 1.110 2009/02/24 05:39:19 dlg Exp $	*/
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -26,6 +26,21 @@
  * THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+/*
+ * Copyright (c) 2009 David Gwynne 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
 
 #include 
 #include 
@@ -37,16 +52,17 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
 #include 
-#include 
 
 #ifdef	INET
 #include 
@@ -70,15 +86,132 @@
 #include "bpfilter.h"
 #include "pfsync.h"
 
-#define PFSYNC_MINMTU	\
-    (sizeof(struct pfsync_header) + sizeof(struct pf_state))
+#define PFSYNC_MINPKT ( \
+	sizeof(struct ip) + \
+	sizeof(struct pfsync_header) + \
+	sizeof(struct pfsync_subheader) + \
+	sizeof(struct pfsync_eof))
 
-#ifdef PFSYNCDEBUG
-#define DPRINTF(x)    do { if (pfsyncdebug) printf x ; } while (0)
-int pfsyncdebug;
-#else
-#define DPRINTF(x)
-#endif
+struct pfsync_pkt {
+	struct ip *ip;
+	struct in_addr src;
+	u_int8_t flags;
+};
+
+int	pfsync_input_hmac(struct mbuf *, int);
+
+int	pfsync_upd_tcp(struct pf_state *, struct pfsync_state_peer *,
+	    struct pfsync_state_peer *);
+
+int	pfsync_in_clr(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_ins(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_iack(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_upd(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_upd_c(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_ureq(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_del(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_del_c(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_bus(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_tdb(struct pfsync_pkt *, struct mbuf *, int, int);
+int	pfsync_in_eof(struct pfsync_pkt *, struct mbuf *, int, int);
+
+int	pfsync_in_error(struct pfsync_pkt *, struct mbuf *, int, int);
+
+int	(*pfsync_acts[])(struct pfsync_pkt *, struct mbuf *, int, int) = {
+	pfsync_in_clr,			/* PFSYNC_ACT_CLR */
+	pfsync_in_ins,			/* PFSYNC_ACT_INS */
+	pfsync_in_iack,			/* PFSYNC_ACT_INS_ACK */
+	pfsync_in_upd,			/* PFSYNC_ACT_UPD */
+	pfsync_in_upd_c,		/* PFSYNC_ACT_UPD_C */
+	pfsync_in_ureq,			/* PFSYNC_ACT_UPD_REQ */
+	pfsync_in_del,			/* PFSYNC_ACT_DEL */
+	pfsync_in_del_c,		/* PFSYNC_ACT_DEL_C */
+	pfsync_in_error,		/* PFSYNC_ACT_INS_F */
+	pfsync_in_error,		/* PFSYNC_ACT_DEL_F */
+	pfsync_in_bus,			/* PFSYNC_ACT_BUS */
+	pfsync_in_tdb,			/* PFSYNC_ACT_TDB */
+	pfsync_in_eof			/* PFSYNC_ACT_EOF */
+};
+
+struct pfsync_q {
+	int		(*write)(struct pf_state *, struct mbuf *, int);
+	size_t		len;
+	u_int8_t	action;
+};
+
+/* we have one of these for every PFSYNC_S_ */
+int	pfsync_out_state(struct pf_state *, struct mbuf *, int);
+int	pfsync_out_iack(struct pf_state *, struct mbuf *, int);
+int	pfsync_out_upd_c(struct pf_state *, struct mbuf *, int);
+int	pfsync_out_del(struct pf_state *, struct mbuf *, int);
+
+struct pfsync_q pfsync_qs[] = {
+	{ pfsync_out_state, sizeof(struct pfsync_state),   PFSYNC_ACT_INS },
+	{ pfsync_out_iack,  sizeof(struct pfsync_ins_ack), PFSYNC_ACT_INS_ACK },
+	{ pfsync_out_state, sizeof(struct pfsync_state),   PFSYNC_ACT_UPD },
+	{ pfsync_out_upd_c, sizeof(struct pfsync_upd_c),   PFSYNC_ACT_UPD_C },
+	{ pfsync_out_del,   sizeof(struct pfsync_del_c),   PFSYNC_ACT_DEL_C }
+};
+
+void	pfsync_q_ins(struct pf_state *, int);
+void	pfsync_q_del(struct pf_state *);
+
+struct pfsync_upd_req_item {
+	TAILQ_ENTRY(pfsync_upd_req_item)	ur_entry;
+	struct pfsync_upd_req			ur_msg;
+};
+TAILQ_HEAD(pfsync_upd_reqs, pfsync_upd_req_item);
+
+struct pfsync_deferral {
+	TAILQ_ENTRY(pfsync_deferral)		 pd_entry;
+	struct pf_state				*pd_st;
+	struct mbuf				*pd_m;
+	struct timeout				 pd_tmo;
+};
+TAILQ_HEAD(pfsync_deferrals, pfsync_deferral);
+
+#define PFSYNC_PLSIZE	MAX(sizeof(struct pfsync_upd_req_item), \
+			    sizeof(struct pfsync_deferral))
+
+int	pfsync_out_tdb(struct tdb *, struct mbuf *, int);
+
+struct pfsync_softc {
+	struct ifnet		 sc_if;
+	struct ifnet		*sc_sync_if;
+
+	struct pool		 sc_pool;
+
+	struct ip_moptions	 sc_imo;
+
+	struct in_addr		 sc_sync_peer;
+	u_int8_t		 sc_maxupdates;
+
+	struct ip		 sc_template;
+
+	struct pf_state_queue	 sc_qs[PFSYNC_S_COUNT];
+	size_t			 sc_len;
+
+	struct pfsync_upd_reqs	 sc_upd_req_list;
+
+	struct pfsync_deferrals	 sc_deferrals;
+	u_int			 sc_deferred;
+
+	void			*sc_plus;
+	size_t			 sc_pluslen;
+
+	u_int32_t		 sc_ureq_sent;
+	int			 sc_bulk_tries;
+	struct timeout		 sc_bulkfail_tmo;
+
+	u_int32_t		 sc_ureq_received;
+	struct pf_state		*sc_bulk_next;
+	struct pf_state		*sc_bulk_last;
+	struct timeout		 sc_bulk_tmo;
+
+	TAILQ_HEAD(, tdb)	 sc_tdb_q;
+
+	struct timeout		 sc_tmo;
+};
 
 struct pfsync_softc	*pfsyncif = NULL;
 struct pfsyncstats	 pfsyncstats;
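Review bot: `pfsync_acts[]` is a function-pointer table indexed by the action byte of a received pfsync subheader, and nothing in this hunk bounds that index against the 13 entries (PFSYNC_ACT_CLR through PFSYNC_ACT_EOF); the input path is beyond the truncated part of the diff, so confirm it rejects an out-of-range action before dispatch, otherwise a spoofed packet selects a pointer past the table. Two related maintainability points: `pfsync_qs[]` must stay in PFSYNC_S_* order (the comment says so, and `sc_qs[PFSYNC_S_COUNT]` in the softc is indexed by the same constants), so a compile-time check that its length equals PFSYNC_S_COUNT would make the coupling explicit; and `sc_deferrals`/`sc_deferred` allocate one `struct pfsync_deferral` with its own timeout per deferred packet, so the count needs an upper bound or memory grows per packet while the peer is unreachable.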
@@ -86,7 +219,6 @@ struct pfsyncstats	 pfsyncstats;
 void	pfsyncattach(int);
 int	pfsync_clone_create(struct if_clone *, int);
 int	pfsync_clone_destroy(struct ifnet *);
-void	pfsync_setmtu(struct pfsync_softc *, int);
 int	pfsync_alloc_scrub_memory(struct pfsync_state_peer *,
 	    struct pf_state_peer *);
 void	pfsync_update_net_tdb(struct pfsync_tdb *);
@@ -95,17 +227,31 @@ int	pfsyncoutput(struct ifnet *, struct 
 int	pfsyncioctl(struct ifnet *, u_long, caddr_t);
 void	pfsyncstart(struct ifnet *);
 
-struct mbuf *pfsync_get_mbuf(struct pfsync_softc *, u_int8_t, void **);
-int	pfsync_request_update(struct pfsync_state_upd *, struct in_addr *);
-int	pfsync_sendout(struct pfsync_softc *);
+struct mbuf *pfsync_if_dequeue(struct ifnet *);
+struct mbuf *pfsync_get_mbuf(struct pfsync_softc *);
+
+void	pfsync_deferred(struct pf_state *, int);
+void	pfsync_undefer(struct pfsync_deferral *, int);
+void	pfsync_defer_tmo(void *);
+
+void	pfsync_request_update(u_int32_t, u_int64_t);
+void	pfsync_update_state_req(struct pf_state *);
+
+void	pfsync_drop(struct pfsync_softc *);
+void	pfsync_sendout(void);
+void	pfsync_send_plus(void *, size_t);
 int	pfsync_tdb_sendout(struct pfsync_softc *);
 int	pfsync_sendout_mbuf(struct pfsync_softc *, struct mbuf *);
 void	pfsync_timeout(void *);
 void	pfsync_tdb_timeout(void *);
 void	pfsync_send_bus(struct pfsync_softc *, u_int8_t);
+
+void	pfsync_bulk_start(void);
+void	pfsync_bulk_status(u_int8_t);
 void	pfsync_bulk_update(void *);
-void	pfsync_bulkfail(void *);
+void	pfsync_bulk_fail(void *);
 
+#define PFSYNC_MAX_BULKTRIES	12
 int	pfsync_sync_ok;
 
 struct if_clone	pfsync_cloner =
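Review bot: `pfsync_sendout` goes from `int pfsync_sendout(struct pfsync_softc *)` to `void pfsync_sendout(void)`, and `pfsync_request_update` likewise drops its `int` return, so callers can no longer see an mbuf-allocation or `ip_output` failure and must rely on `pfsyncstats` counters; any path that used the old return value to decide whether to retry or re-arm a timeout needs to be checked against the new contract. Minor: `PFSYNC_MAX_BULKTRIES 12` is defined between two prototypes; move it up with the other `#define`s at the top of the file, next to the `sc_bulk_tries` field it bounds.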
@@ -119,46 +265,52 @@ pfsyncattach(int npfsync)
 int
 pfsync_clone_create(struct if_clone *ifc, int unit)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:16:48 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AE8FD106568E;
	Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 8201A8FC52;
	Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGGmTh022133;
	Tue, 18 Aug 2009 16:16:48 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGGm11022132;
	Tue, 18 Aug 2009 16:16:48 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181616.n7IGGm11022132@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196361 - vendor-sys/pf/4.5 vendor/pf/4.5
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
X-List-Received-Date: Tue, 18 Aug 2009 16:16:48 -0000

Author: mlaier
Date: Tue Aug 18 16:16:48 2009
New Revision: 196361
URL: http://svn.freebsd.org/changeset/base/196361

Log:
  Tag for pf 4.5

Added:
  vendor/pf/4.5/
     - copied from r196360, vendor/pf/dist/

Changes in other areas also in this revision:
Added:
  vendor-sys/pf/4.5/
     - copied from r196360, vendor-sys/pf/dist/

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:16:48 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CE5951065690;
	Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id A17268FC55;
	Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGGmDo022138;
	Tue, 18 Aug 2009 16:16:48 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGGmae022137;
	Tue, 18 Aug 2009 16:16:48 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181616.n7IGGmae022137@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:16:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor-sys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196361 - vendor-sys/pf/4.5 vendor/pf/4.5
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
X-List-Received-Date: Tue, 18 Aug 2009 16:16:48 -0000

Author: mlaier
Date: Tue Aug 18 16:16:48 2009
New Revision: 196361
URL: http://svn.freebsd.org/changeset/base/196361

Log:
  Tag for pf 4.5

Added:
  vendor-sys/pf/4.5/
     - copied from r196360, vendor-sys/pf/dist/

Changes in other areas also in this revision:
Added:
  vendor/pf/4.5/
     - copied from r196360, vendor/pf/dist/

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:21:08 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2DCA8106568D;
	Tue, 18 Aug 2009 16:21:08 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 1A8578FC60;
	Tue, 18 Aug 2009 16:21:08 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGL8lZ022261;
	Tue, 18 Aug 2009 16:21:08 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGL8LU022259;
	Tue, 18 Aug 2009 16:21:08 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181621.n7IGL8LU022259@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:21:07 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor-sys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196362 - vendor-sys/pf/dist/net
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
X-List-Received-Date: Tue, 18 Aug 2009 16:21:08 -0000

Author: mlaier
Date: Tue Aug 18 16:21:07 2009
New Revision: 196362
URL: http://svn.freebsd.org/changeset/base/196362

Log:
  Import 4.5-002 fix

Modified:
  vendor-sys/pf/dist/net/pf.c

Modified: vendor-sys/pf/dist/net/pf.c
==============================================================================
--- vendor-sys/pf/dist/net/pf.c	Tue Aug 18 16:16:48 2009	(r196361)
+++ vendor-sys/pf/dist/net/pf.c	Tue Aug 18 16:21:07 2009	(r196362)
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.633 2009/02/16 00:31:25 dlg Exp $ */
+/*	$OpenBSD: pf.c,v 1.634 2009/02/27 12:37:45 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -5243,6 +5243,15 @@ pf_test(int dir, struct ifnet *ifp, stru
 		break;
 	}
 
+#ifdef INET6
+	case IPPROTO_ICMPV6: {
+		action = PF_DROP;
+		DPFPRINTF(PF_DEBUG_MISC,
+		    ("pf: dropping IPv4 packet with ICMPv6 payload\n"));
+		goto done;
+	}
+#endif
+
 	default:
 		action = pf_test_state_other(&s, dir, kif, m, &pd);
 		if (action == PF_PASS) {
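Review bot: the new `case IPPROTO_ICMPV6` in pf_test is wrapped in `#ifdef INET6`, but the drop needs nothing from the INET6 code (`IPPROTO_ICMPV6` is a plain protocol number) and on a kernel built without INET6 the packet still falls through to `default:` and `pf_test_state_other`, which is exactly the path this hunk exists to avoid; drop the guard. The case also sets `action = PF_DROP` without a `REASON_SET`, so the drop carries whatever `reason` already held and is only visible under `PF_DEBUG_MISC`; give it an explicit reason so it shows up in `pfctl -si` counters and pflog.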
@@ -5597,6 +5606,13 @@ pf_test6(int dir, struct ifnet *ifp, str
 		break;
 	}
 
+	case IPPROTO_ICMP: {
+		action = PF_DROP;
+		DPFPRINTF(PF_DEBUG_MISC,
+		    ("pf: dropping IPv6 packet with ICMPv4 payload\n"));
+		goto done;
+	}
+
 	case IPPROTO_ICMPV6: {
 		struct icmp6_hdr	ih;
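Review bot: this is the IPv6 mirror of the pf_test change and is correctly unguarded, but the `{ }` around the case body enclose no declarations and can go, and the same `REASON_SET` point applies so that "IPv6 packet with ICMPv4 payload" drops are countable rather than debug-only. The two debug strings use "ICMPv6 payload" and "ICMPv4 payload"; keep that pairing consistent with the protocol names used elsewhere in pf.c so the messages are greppable.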
 

From owner-svn-src-vendor@FreeBSD.ORG  Tue Aug 18 16:23:10 2009
Return-Path: 
Delivered-To: svn-src-vendor@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 02A6E106568D;
	Tue, 18 Aug 2009 16:23:10 +0000 (UTC)
	(envelope-from mlaier@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id CA7718FC57;
	Tue, 18 Aug 2009 16:23:09 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7IGN9xv022348;
	Tue, 18 Aug 2009 16:23:09 GMT (envelope-from mlaier@svn.freebsd.org)
Received: (from mlaier@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7IGN9PT022347;
	Tue, 18 Aug 2009 16:23:09 GMT (envelope-from mlaier@svn.freebsd.org)
Message-Id: <200908181623.n7IGN9PT022347@svn.freebsd.org>
From: Max Laier 
Date: Tue, 18 Aug 2009 16:23:09 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor-sys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196363 - vendor-sys/pf/4.5.002
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
X-List-Received-Date: Tue, 18 Aug 2009 16:23:10 -0000

Author: mlaier
Date: Tue Aug 18 16:23:09 2009
New Revision: 196363
URL: http://svn.freebsd.org/changeset/base/196363

Log:
  Tag for pf 4.5.002 (named after OpenBSD errata numbering)

Added:
  vendor-sys/pf/4.5.002/
     - copied from r196362, vendor-sys/pf/dist/