Diffstat (limited to 'pfctl')
-rw-r--r--pfctl/Makefile18
-rw-r--r--pfctl/parse.y15
-rw-r--r--pfctl/pf_print_state.c31
-rw-r--r--pfctl/pfctl.866
-rw-r--r--pfctl/pfctl.c41
-rw-r--r--pfctl/pfctl.h8
-rw-r--r--pfctl/pfctl_altq.c6
7 files changed, 76 insertions, 109 deletions
diff --git a/pfctl/Makefile b/pfctl/Makefile
new file mode 100644
index 0000000000000..df74f88c63f26
--- /dev/null
+++ b/pfctl/Makefile
@@ -0,0 +1,18 @@
+# $OpenBSD: Makefile,v 1.19 2006/12/24 18:52:43 miod Exp $
+
+PROG= pfctl
+SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
+SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
+SRCS+= pfctl_optimize.c pf_ruleset.c
+CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
+CFLAGS+= -Wstrict-prototypes -I${.CURDIR}
+YFLAGS=
+MAN= pfctl.8
+
+# Ruleset and Anchor handling
+.PATH: ${.CURDIR}/../../sys/net
+
+LDADD+= -lm
+DPADD+= ${LIBM}
+
+.include <bsd.prog.mk>
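Review bot: `-Wno-uninitialized` on the CFLAGS line switches off the one diagnostic that catches reads of indeterminate automatic variables, which is undefined behaviour rather than a style nit. It is presumably there to quiet false positives from the compiler of the time, but the suppression is undocumented and will outlive that reason; consider dropping it, or at least annotating it with `# -Wno-uninitialized: quiets false positives; re-enable when the toolchain allows` so the next maintainer knows it is a workaround and not a policy.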
diff --git a/pfctl/parse.y b/pfctl/parse.y
index ef5d77b6ec4ca..a491f3ead7da7 100644
--- a/pfctl/parse.y
+++ b/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.517 2007/02/03 23:26:40 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.519 2007/06/21 19:30:03 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -425,7 +425,7 @@ typedef struct {
%type <v.number> tos not yesno
%type <v.i> no dir af fragcache optimizer
%type <v.i> sourcetrack flush unaryop statelock
-%type <v.b> action nataction natpass scrubaction
+%type <v.b> action nataction natpasslog scrubaction
%type <v.b> flags flag blockspec
%type <v.range> port rport
%type <v.hashkey> hashkey
@@ -3439,12 +3439,13 @@ redirection : /* empty */ { $$ = NULL; }
}
;
-natpass : /* empty */ { $$.b1 = $$.b2 = 0; }
- | PASS { $$.b1 = 1; $$.b2 = 0; }
+natpasslog : /* empty */ { $$.b1 = $$.b2 = 0; $$.w2 = 0; }
+ | PASS { $$.b1 = 1; $$.b2 = 0; $$.w2 = 0; }
| PASS log { $$.b1 = 1; $$.b2 = $2.log; $$.w2 = $2.logif; }
+ | log { $$.b1 = 0; $$.b2 = $1.log; $$.w2 = $1.logif; }
;
-nataction : no NAT natpass {
+nataction : no NAT natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
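Review bot: The guard `if ($1 && $3.b1)` is the only combination the new `natpasslog` rule rejects, so the added `log`-only alternative lets `no nat log ...` (and `no rdr log ...` in the next hunk, `no binat log ...` in the last hunk of this file) parse silently where before a `log` could only follow `pass`; if logging a negated translation rule is not meaningful, a matching `if ($1 && $3.b2) { yyerror("\"log\" not valid with \"no\""); YYERROR; }` belongs next to this check. The `binatrule` body is outside the diff; it now receives `$3.b2`/`$3.w2` from a rule with `b1 == 0` and presumably has to copy them into the rule's log/logif fields the way `nataction` does with `$$.w`/`$$.w2`, so that path is worth checking. The `nataction` action continues past the hunk.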
@@ -3457,7 +3458,7 @@ nataction : no NAT natpass {
$$.w = $3.b2;
$$.w2 = $3.w2;
}
- | no RDR natpass {
+ | no RDR natpasslog {
if ($1 && $3.b1) {
yyerror("\"pass\" not valid with \"no\"");
YYERROR;
@@ -3631,7 +3632,7 @@ natrule : nataction interface af proto fromto tag tagged rtable
}
;
-binatrule : no BINAT natpass interface af proto FROM host TO ipspec tag
+binatrule : no BINAT natpasslog interface af proto FROM host TO ipspec tag
tagged rtable redirection
{
struct pf_rule binat;
diff --git a/pfctl/pf_print_state.c b/pfctl/pf_print_state.c
index e36b1fd94bff1..e4830a1268f67 100644
--- a/pfctl/pf_print_state.c
+++ b/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.44 2007/03/01 17:20:53 deraadt Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.45 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -151,7 +151,7 @@ print_name(struct pf_addr *addr, sa_family_t af)
}
void
-print_host(struct pf_state_host *h, sa_family_t af, int opts)
+print_host(struct pfsync_state_host *h, sa_family_t af, int opts)
{
u_int16_t p = ntohs(h->port);
@@ -180,7 +180,7 @@ print_host(struct pf_state_host *h, sa_family_t af, int opts)
}
void
-print_seq(struct pf_state_peer *p)
+print_seq(struct pfsync_state_peer *p)
{
if (p->seqdiff)
printf("[%u + %u](+%u)", p->seqlo, p->seqhi - p->seqlo,
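Review bot: With the parameter now a `struct pfsync_state_peer`, the raw `p->seqlo`, `p->seqhi` and `p->seqdiff` reads feeding this printf look inconsistent with the rest of the commit: pfsync_state is the pfsync wire format, and the print_state hunk already wraps the packet/byte counters and `s->id` in pf_state_counter_from_pfsync and `s->creatorid` in ntohl, so the peer sequence fields are presumably stored in network byte order too and would print byte-swapped on little-endian hosts. If so the line should read `printf("[%u + %u](+%u)", ntohl(p->seqlo), ntohl(p->seqhi) - ntohl(p->seqlo), ntohl(p->seqdiff));` with the same treatment on the else branch below the hunk. The print_state hunk later in this file has the same gap for `s->expire` (divided and printed raw) and for `s->anchor` and `s->rule` (the `!= -1` compare survives a byte swap, but the `%u` values printed would not). Both functions' bodies extend past their hunks.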
@@ -190,9 +190,9 @@ print_seq(struct pf_state_peer *p)
}
void
-print_state(struct pf_state *s, int opts)
+print_state(struct pfsync_state *s, int opts)
{
- struct pf_state_peer *src, *dst;
+ struct pfsync_state_peer *src, *dst;
struct protoent *p;
int min, sec;
@@ -203,7 +203,7 @@ print_state(struct pf_state *s, int opts)
src = &s->dst;
dst = &s->src;
}
- printf("%s ", s->u.ifname);
+ printf("%s ", s->ifname);
if ((p = getprotobynumber(s->proto)) != NULL)
printf("%s ", p->p_name);
else
@@ -278,20 +278,23 @@ print_state(struct pf_state *s, int opts)
s->expire /= 60;
printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
printf(", %llu:%llu pkts, %llu:%llu bytes",
- s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
- if (s->anchor.nr != -1)
- printf(", anchor %u", s->anchor.nr);
- if (s->rule.nr != -1)
- printf(", rule %u", s->rule.nr);
- if (s->src_node != NULL)
+ pf_state_counter_from_pfsync(s->packets[0]),
+ pf_state_counter_from_pfsync(s->packets[1]),
+ pf_state_counter_from_pfsync(s->bytes[0]),
+ pf_state_counter_from_pfsync(s->bytes[1]));
+ if (s->anchor != -1)
+ printf(", anchor %u", s->anchor);
+ if (s->rule != -1)
+ printf(", rule %u", s->rule);
+ if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
- if (s->nat_src_node != NULL)
+ if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
printf(", sticky-address");
printf("\n");
}
if (opts & PF_OPT_VERBOSE2) {
printf(" id: %016llx creatorid: %08x%s\n",
- betoh64(s->id), ntohl(s->creatorid),
+ pf_state_counter_from_pfsync(s->id), ntohl(s->creatorid),
((s->sync_flags & PFSTATE_NOSYNC) ? " (no-sync)" : ""));
}
}
diff --git a/pfctl/pfctl.8 b/pfctl/pfctl.8
index b5be8a1f624a3..4dfbc407aaeaf 100644
--- a/pfctl/pfctl.8
+++ b/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
+.\" $OpenBSD: pfctl.8,v 1.133 2007/07/01 11:38:51 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 20, 2002
+.Dd $Mdocdate: May 31 2007 $
.Dt PFCTL 8
.Os
.Sh NAME
@@ -42,14 +42,14 @@
.Op Fl i Ar interface
.Op Fl K Ar host | network
.Op Fl k Ar host | network
-.Op Fl o Op Ar level
+.Op Fl o Ar level
.Op Fl p Ar device
.Op Fl s Ar modifier
-.Oo
-.Fl t Ar table
+.Xo
+.Oo Fl t Ar table
.Fl T Ar command
-.Op Ar address ...
-.Oc
+.Op Ar address ... Oc
+.Xc
.Op Fl x Ar level
.Ek
.Sh DESCRIPTION
@@ -209,7 +209,7 @@ Flush the NAT rules.
Flush the queue rules.
.It Fl F Cm rules
Flush the filter rules.
-.It Fl F Cm state
+.It Fl F Cm states
Flush the state table (NAT and filter).
.It Fl F Cm Sources
Flush the source tracking table.
@@ -296,58 +296,20 @@ Do not actually load rules, just parse them.
.It Fl O
Load only the options present in the rule file.
Other rules and options are ignored.
-.It Fl o Op Ar level
-Control the ruleset optimizer.
-The ruleset optimizer attempts to improve rulesets by removing rule
-duplication and making better use of rule ordering.
+.It Fl o Ar level
+Control the ruleset optimizer, overriding any rule file settings.
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Fl o Cm none
Disable the ruleset optimizer.
.It Fl o Cm basic
Enable basic ruleset optimizations.
+This is the default behaviour.
.It Fl o Cm profile
Enable basic ruleset optimizations with profiling.
.El
-.Pp
-.Cm basic
-optimization does does four things:
-.Pp
-.Bl -enum -compact
-.It
-remove duplicate rules
-.It
-remove rules that are a subset of another rule
-.It
-combine multiple rules into a table when advantageous
-.It
-re-order the rules to improve evaluation performance
-.El
-.Pp
-If
-.Cm profile
-is specified, the currently loaded ruleset will be examined as a feedback
-profile to tailor the optimization of the
-.Ar quick
-rules to the actual network behavior.
-.Pp
-It is important to note that the ruleset optimizer will modify the ruleset
-to improve performance.
-A side effect of the ruleset modification is that per-rule accounting
-statistics will have different meanings than before.
-If per-rule accounting is important for billing purposes or whatnot, either
-the ruleset optimizer should not be used or a
-.Ar label
-field should be added to all of the accounting rules to act as optimization
-barriers.
-.Pp
-To retain compatibility with previous behaviour, a single
-.Fl o
-without any options will enable
-.Cm basic
-optimizations, and a second
-.Fl o
-will enable profiling.
+For further information on the ruleset optimizer, see
+.Xr pf.conf 5 .
.It Fl p Ar device
Use the device file
.Ar device
@@ -402,7 +364,7 @@ If
.Fl v
is specified, all anchors attached under the target anchor will be
displayed recursively.
-.It Fl s Cm state
+.It Fl s Cm states
Show the contents of the state table.
.It Fl s Cm Sources
Show the contents of the source tracking table.
diff --git a/pfctl/pfctl.c b/pfctl/pfctl.c
index cf338c7d40bce..0aeb0fc780713 100644
--- a/pfctl/pfctl.c
+++ b/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */
+/* $OpenBSD: pfctl.c,v 1.268 2007/06/30 18:25:08 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -201,11 +201,11 @@ static const struct {
static const char *clearopt_list[] = {
"nat", "queue", "rules", "Sources",
- "state", "info", "Tables", "osfp", "all", NULL
+ "states", "info", "Tables", "osfp", "all", NULL
};
static const char *showopt_list[] = {
- "nat", "queue", "rules", "Anchors", "Sources", "state", "info",
+ "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
"all", NULL
};
@@ -220,7 +220,7 @@ static const char *debugopt_list[] = {
};
static const char *optiopt_list[] = {
- "o", "none", "basic", "profile", NULL
+ "none", "basic", "profile", NULL
};
void
@@ -231,8 +231,8 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
- fprintf(stderr, "[-k host | network ]\n");
- fprintf(stderr, "\t[-o [level]] [-p device] [-s modifier ]\n");
+ fprintf(stderr, "[-k host | network]\n");
+ fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
exit(1);
}
@@ -998,7 +998,7 @@ int
pfctl_show_states(int dev, const char *iface, int opts)
{
struct pfioc_states ps;
- struct pf_state *p;
+ struct pfsync_state *p;
char *inbuf = NULL, *newinbuf = NULL;
unsigned len = 0;
int i, dotitle = (opts & PF_OPT_SHOWALL);
@@ -1029,7 +1029,7 @@ pfctl_show_states(int dev, const char *iface, int opts)
}
p = ps.ps_states;
for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
- if (iface != NULL && strcmp(p->u.ifname, iface))
+ if (iface != NULL && strcmp(p->ifname, iface))
continue;
if (dotitle) {
pfctl_print_title("STATES:");
@@ -1954,7 +1954,7 @@ main(int argc, char *argv[])
int ch;
int mode = O_RDONLY;
int opts = 0;
- int optimize = 0;
+ int optimize = PF_OPTIMIZE_BASIC;
char anchorname[MAXPATHLEN];
char *path;
FILE *fin = NULL;
@@ -1963,7 +1963,7 @@ main(int argc, char *argv[])
usage();
while ((ch = getopt(argc, argv,
- "a:AdD:eqf:F:ghi:k:K:mnNOo::p:rRs:t:T:vx:z")) != -1) {
+ "a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -2039,24 +2039,11 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_FILTER;
break;
case 'o':
- if (optarg) {
- optiopt = pfctl_lookup_option(optarg,
- optiopt_list);
- if (optiopt == NULL) {
- warnx("Unknown optimization '%s'",
- optarg);
- usage();
- }
- }
- if (opts & PF_OPT_OPTIMIZE) {
- if (optiopt != NULL) {
- warnx("Cannot specify -o multiple times"
- "with optimizer level");
- usage();
- }
- optimize |= PF_OPTIMIZE_PROFILE;
+ optiopt = pfctl_lookup_option(optarg, optiopt_list);
+ if (optiopt == NULL) {
+ warnx("Unknown optimization '%s'", optarg);
+ usage();
}
- optimize |= PF_OPTIMIZE_BASIC;
opts |= PF_OPT_OPTIMIZE;
break;
case 'O':
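Review bot: The rewritten `case 'o'` only records `optiopt` and sets `PF_OPT_OPTIMIZE`; the old branch's `optimize |= PF_OPTIMIZE_BASIC` / `PF_OPTIMIZE_PROFILE` is gone and nothing in this hunk translates `none`, `basic` or `profile` into `optimize`, so that mapping has to live after the getopt loop, outside the hunk — worth confirming it clears the new `PF_OPTIMIZE_BASIC` default for `none` rather than OR-ing onto it. Dropping the "Cannot specify -o multiple times" check also means a repeated `-o` now silently takes the last value; if that is intended, a one-line comment such as `/* last -o wins; the level is applied to optimize after option parsing */` would save the next reader from hunting for the old check. main() starts and ends outside the hunk.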
diff --git a/pfctl/pfctl.h b/pfctl/pfctl.h
index 9450a5586a04b..49cf6e75ec751 100644
--- a/pfctl/pfctl.h
+++ b/pfctl/pfctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.h,v 1.40 2007/02/09 11:25:27 henning Exp $ */
+/* $OpenBSD: pfctl.h,v 1.41 2007/05/31 04:13:37 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -112,9 +112,9 @@ struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
-void print_host(struct pf_state_host *, sa_family_t, int);
-void print_seq(struct pf_state_peer *);
-void print_state(struct pf_state *, int);
+void print_host(struct pfsync_state_host *, sa_family_t, int);
+void print_seq(struct pfsync_state_peer *);
+void print_state(struct pfsync_state *, int);
int unmask(struct pf_addr *, sa_family_t);
int pfctl_cmdline_symset(char *);
diff --git a/pfctl/pfctl_altq.c b/pfctl/pfctl_altq.c
index b4faaa0446452..b2397fcd07853 100644
--- a/pfctl/pfctl_altq.c
+++ b/pfctl/pfctl_altq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_altq.c,v 1.91 2006/11/28 00:08:50 henning Exp $ */
+/* $OpenBSD: pfctl_altq.c,v 1.92 2007/05/27 05:15:17 claudio Exp $ */
/*
* Copyright (c) 2002
@@ -1091,8 +1091,6 @@ getifspeed(char *ifname)
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFDATA");
- if (shutdown(s, SHUT_RDWR) == -1)
- err(1, "shutdown");
if (close(s))
err(1, "close");
return ((u_int32_t)ifrdat.ifi_baudrate);
@@ -1112,8 +1110,6 @@ getifmtu(char *ifname)
errx(1, "getifmtu: strlcpy");
if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFMTU");
- if (shutdown(s, SHUT_RDWR) == -1)
- err(1, "shutdown");
if (close(s))
err(1, "close");
if (ifr.ifr_mtu > 0)