struct pfr_tstats {

struct pfr_tstats {

	struct pfr_table pfrts_t;

	struct pfr_table pfrts_t;

	u_int64_t	 pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];

	u_int64_t	 pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];

	u_int64_t	 pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];

	u_int64_t	 pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];

	u_int64_t	 pfrts_match;

	u_int64_t	 pfrts_match;

	u_int64_t	 pfrts_nomatch;

	u_int64_t	 pfrts_nomatch;

	long		 pfrts_tzero;

	long		 pfrts_tzero;

	int		 pfrts_cnt;

	int		 pfrts_cnt;

	int		 pfrts_refcnt[PFR_REFCNT_MAX];

	int		 pfrts_refcnt[PFR_REFCNT_MAX];

};

};

#define	pfrts_name	pfrts_t.pfrt_name

#define	pfrts_name	pfrts_t.pfrt_name

#define pfrts_flags	pfrts_t.pfrt_flags

#define pfrts_flags	pfrts_t.pfrt_flags

#ifndef _SOCKADDR_UNION_DEFINED

#ifndef _SOCKADDR_UNION_DEFINED

#define	_SOCKADDR_UNION_DEFINED

#define	_SOCKADDR_UNION_DEFINED

union sockaddr_union {

union sockaddr_union {

	struct sockaddr		sa;

	struct sockaddr		sa;

	struct sockaddr_in	sin;

	struct sockaddr_in	sin;

	struct sockaddr_in6	sin6;

	struct sockaddr_in6	sin6;

};

};

#endif /* _SOCKADDR_UNION_DEFINED */

#endif /* _SOCKADDR_UNION_DEFINED */

struct pfr_kcounters {

struct pfr_kcounters {

};

};

SLIST_HEAD(pfr_kentryworkq, pfr_kentry);

SLIST_HEAD(pfr_kentryworkq, pfr_kentry);

struct pfr_kentry {

struct pfr_kentry {

	struct radix_node	 pfrke_node[2];

	struct radix_node	 pfrke_node[2];

	union sockaddr_union	 pfrke_sa;

	union sockaddr_union	 pfrke_sa;

	SLIST_ENTRY(pfr_kentry)	 pfrke_workq;

	SLIST_ENTRY(pfr_kentry)	 pfrke_workq;

	u_int8_t		 pfrke_af;

	u_int8_t		 pfrke_af;

	u_int8_t		 pfrke_net;

	u_int8_t		 pfrke_net;

	u_int8_t		 pfrke_not;

	u_int8_t		 pfrke_not;

	u_int8_t		 pfrke_mark;

	u_int8_t		 pfrke_mark;

};

};

SLIST_HEAD(pfr_ktableworkq, pfr_ktable);

SLIST_HEAD(pfr_ktableworkq, pfr_ktable);

RB_HEAD(pfr_ktablehead, pfr_ktable);

RB_HEAD(pfr_ktablehead, pfr_ktable);

struct pfr_ktable {

struct pfr_ktable {

	RB_ENTRY(pfr_ktable)	 pfrkt_tree;

	RB_ENTRY(pfr_ktable)	 pfrkt_tree;

	SLIST_ENTRY(pfr_ktable)	 pfrkt_workq;

	SLIST_ENTRY(pfr_ktable)	 pfrkt_workq;

	struct radix_node_head	*pfrkt_ip4;

	struct radix_node_head	*pfrkt_ip4;

	struct radix_node_head	*pfrkt_ip6;

	struct radix_node_head	*pfrkt_ip6;

	struct pfr_ktable	*pfrkt_shadow;

	struct pfr_ktable	*pfrkt_shadow;

	struct pfr_ktable	*pfrkt_root;

	struct pfr_ktable	*pfrkt_root;

	struct pf_ruleset	*pfrkt_rs;

	struct pf_ruleset	*pfrkt_rs;

	long			 pfrkt_larg;

	long			 pfrkt_larg;

	int			 pfrkt_nflags;

	int			 pfrkt_nflags;

};

};

#define pfrkt_name	pfrkt_t.pfrt_name

#define pfrkt_name	pfrkt_t.pfrt_name

#define pfrkt_anchor	pfrkt_t.pfrt_anchor

#define pfrkt_anchor	pfrkt_t.pfrt_anchor

#define pfrkt_ruleset	pfrkt_t.pfrt_ruleset

#define pfrkt_ruleset	pfrkt_t.pfrt_ruleset

#define pfrkt_flags	pfrkt_t.pfrt_flags

#define pfrkt_flags	pfrkt_t.pfrt_flags

/* keep synced with pfi_kif, used in RB_FIND */

/* keep synced with pfi_kif, used in RB_FIND */

struct pfi_kif_cmp {

struct pfi_kif_cmp {

	char				 pfik_name[IFNAMSIZ];

	char				 pfik_name[IFNAMSIZ];

};

};

struct pfi_kif {

struct pfi_kif {

	char				 pfik_name[IFNAMSIZ];

	char				 pfik_name[IFNAMSIZ];

	union {

	union {

		RB_ENTRY(pfi_kif)	 _pfik_tree;

		RB_ENTRY(pfi_kif)	 _pfik_tree;

		PFRW_DYNADDR_UPDATE

		PFRW_DYNADDR_UPDATE

	}	 pfrw_op;

	}	 pfrw_op;

	union {

	union {

		struct pfr_addr		*pfrw1_addr;

		struct pfr_addr		*pfrw1_addr;

		struct pfr_astats	*pfrw1_astats;

		struct pfr_astats	*pfrw1_astats;

		struct pfr_kentryworkq	*pfrw1_workq;

		struct pfr_kentryworkq	*pfrw1_workq;

		struct pfr_kentry	*pfrw1_kentry;

		struct pfr_kentry	*pfrw1_kentry;

		struct pfi_dynaddr	*pfrw1_dyn;

		struct pfi_dynaddr	*pfrw1_dyn;

	}	 pfrw_1;

	}	 pfrw_1;

	int	 pfrw_free;

	int	 pfrw_free;

};

};

#define	pfrw_addr	pfrw_1.pfrw1_addr

#define	pfrw_addr	pfrw_1.pfrw1_addr

#define	pfrw_astats	pfrw_1.pfrw1_astats

#define	pfrw_astats	pfrw_1.pfrw1_astats

#define	pfrw_workq	pfrw_1.pfrw1_workq

#define	pfrw_workq	pfrw_1.pfrw1_workq

#define	pfrw_kentry	pfrw_1.pfrw1_kentry

#define	pfrw_kentry	pfrw_1.pfrw1_kentry

#define	pfrw_dyn	pfrw_1.pfrw1_dyn

#define	pfrw_dyn	pfrw_1.pfrw1_dyn

#define	pfrw_cnt	pfrw_free

#define	pfrw_cnt	pfrw_free

#define	senderr(e)	do { rv = (e); goto _bad; } while (0)

#define	senderr(e)	do { rv = (e); goto _bad; } while (0)

static MALLOC_DEFINE(M_PFTABLE, "pf_table", "pf(4) tables structures");

static MALLOC_DEFINE(M_PFTABLE, "pf_table", "pf(4) tables structures");

static VNET_DEFINE(uma_zone_t, pfr_kentry_z);

static VNET_DEFINE(uma_zone_t, pfr_kentry_z);

#define	V_pfr_kentry_z		VNET(pfr_kentry_z)

#define	V_pfr_kentry_z		VNET(pfr_kentry_z)

static struct pf_addr	 pfr_ffaddr = {

static struct pf_addr	 pfr_ffaddr = {

	.addr32 = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }

	.addr32 = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }

};

};

static void		 pfr_copyout_addr(struct pfr_addr *,

static void		 pfr_copyout_addr(struct pfr_addr *,

			    struct pfr_kentry *ke);

			    struct pfr_kentry *ke);

static int		 pfr_validate_addr(struct pfr_addr *);

static int		 pfr_validate_addr(struct pfr_addr *);

static void		 pfr_enqueue_addrs(struct pfr_ktable *,

static void		 pfr_enqueue_addrs(struct pfr_ktable *,

			    struct pfr_kentryworkq *, int *, int);

			    struct pfr_kentryworkq *, int *, int);

struct pfr_table	 pfr_nulltable;

struct pfr_table	 pfr_nulltable;

int			 pfr_ktable_cnt;

int			 pfr_ktable_cnt;

void

void

pfr_initialize(void)

pfr_initialize(void)

{

{

	V_pfr_kentry_z = uma_zcreate("pf table entries",

	V_pfr_kentry_z = uma_zcreate("pf table entries",

	    sizeof(struct pfr_kentry), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,

	    sizeof(struct pfr_kentry), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,

	    0);

	    0);

	V_pf_limits[PF_LIMIT_TABLE_ENTRIES].zone = V_pfr_kentry_z;

	V_pf_limits[PF_LIMIT_TABLE_ENTRIES].zone = V_pfr_kentry_z;

	V_pf_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;

	V_pf_limits[PF_LIMIT_TABLE_ENTRIES].limit = PFR_KENTRY_HIWAT;

}

}

void

void

pfr_cleanup(void)

pfr_cleanup(void)

{

{

	uma_zdestroy(V_pfr_kentry_z);

	uma_zdestroy(V_pfr_kentry_z);

}

}

int

int

pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)

pfr_clr_addrs(struct pfr_table *tbl, int *ndel, int flags)

{

{

	struct pfr_ktable	*kt;

	struct pfr_ktable	*kt;

	struct pfr_kentryworkq	 workq;

	struct pfr_kentryworkq	 workq;

	PF_RULES_WASSERT();

	PF_RULES_WASSERT();

		return (ESRCH);

		return (ESRCH);

	if (kt->pfrkt_cnt > *size) {

	if (kt->pfrkt_cnt > *size) {

		*size = kt->pfrkt_cnt;

		*size = kt->pfrkt_cnt;

		return (0);

		return (0);

	}

	}

	bzero(&w, sizeof(w));

	bzero(&w, sizeof(w));

	w.pfrw_op = PFRW_GET_ASTATS;

	w.pfrw_op = PFRW_GET_ASTATS;

	w.pfrw_astats = addr;

	w.pfrw_astats = addr;

	w.pfrw_free = kt->pfrkt_cnt;

	w.pfrw_free = kt->pfrkt_cnt;

	rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);

	rv = kt->pfrkt_ip4->rnh_walktree(&kt->pfrkt_ip4->rh, pfr_walktree, &w);

	if (!rv)

	if (!rv)

		rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,

		rv = kt->pfrkt_ip6->rnh_walktree(&kt->pfrkt_ip6->rh,

		    pfr_walktree, &w);

		    pfr_walktree, &w);

	if (!rv && (flags & PFR_FLAG_CLSTATS)) {

	if (!rv && (flags & PFR_FLAG_CLSTATS)) {

		pfr_enqueue_addrs(kt, &workq, NULL, 0);

		pfr_enqueue_addrs(kt, &workq, NULL, 0);

		pfr_clstats_kentries(&workq, tzero, 0);

		pfr_clstats_kentries(&workq, tzero, 0);

	}

	}

	if (rv)

	if (rv)

		return (rv);

		return (rv);

		if (exact && ke && KENTRY_NETWORK(ke))

		if (exact && ke && KENTRY_NETWORK(ke))

			ke = NULL;

			ke = NULL;

	}

	}

	return (ke);

	return (ke);

}

}

static struct pfr_kentry *

static struct pfr_kentry *

pfr_create_kentry(struct pfr_addr *ad)

pfr_create_kentry(struct pfr_addr *ad)

{

{

	struct pfr_kentry	*ke;

	struct pfr_kentry	*ke;

	ke =  uma_zalloc(V_pfr_kentry_z, M_NOWAIT | M_ZERO);

	ke =  uma_zalloc(V_pfr_kentry_z, M_NOWAIT | M_ZERO);

	if (ke == NULL)

	if (ke == NULL)

		return (NULL);

		return (NULL);

	if (ad->pfra_af == AF_INET)

	if (ad->pfra_af == AF_INET)

		FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);

		FILLIN_SIN(ke->pfrke_sa.sin, ad->pfra_ip4addr);

	else if (ad->pfra_af == AF_INET6)

	else if (ad->pfra_af == AF_INET6)

		FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);

		FILLIN_SIN6(ke->pfrke_sa.sin6, ad->pfra_ip6addr);

	ke->pfrke_af = ad->pfra_af;

	ke->pfrke_af = ad->pfra_af;

	ke->pfrke_net = ad->pfra_net;

	ke->pfrke_net = ad->pfra_net;

	ke->pfrke_not = ad->pfra_not;

	ke->pfrke_not = ad->pfra_not;

	return (ke);

	return (ke);

}

}

static void

static void

pfr_destroy_kentries(struct pfr_kentryworkq *workq)

pfr_destroy_kentries(struct pfr_kentryworkq *workq)

{

{

	struct pfr_kentry	*p, *q;

	struct pfr_kentry	*p, *q;

	for (p = SLIST_FIRST(workq); p != NULL; p = q) {

	for (p = SLIST_FIRST(workq); p != NULL; p = q) {

		q = SLIST_NEXT(p, pfrke_workq);

		q = SLIST_NEXT(p, pfrke_workq);

		pfr_destroy_kentry(p);

		pfr_destroy_kentry(p);

	}

	}

}

}

static void

static void

pfr_destroy_kentry(struct pfr_kentry *ke)

pfr_destroy_kentry(struct pfr_kentry *ke)

{

{

	uma_zfree(V_pfr_kentry_z, ke);

	uma_zfree(V_pfr_kentry_z, ke);

}

}

static void

static void

pfr_insert_kentries(struct pfr_ktable *kt,

pfr_insert_kentries(struct pfr_ktable *kt,

    struct pfr_kentryworkq *workq, long tzero)

    struct pfr_kentryworkq *workq, long tzero)

{

{

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	int			 rv, n = 0;

	int			 rv, n = 0;

	SLIST_FOREACH(p, workq, pfrke_workq) {

	SLIST_FOREACH(p, workq, pfrke_workq) {

		rv = pfr_route_kentry(kt, p);

		rv = pfr_route_kentry(kt, p);

		if (rv) {

		if (rv) {

			printf("pfr_insert_kentries: cannot route entry "

			printf("pfr_insert_kentries: cannot route entry "

			    "(code=%d).\n", rv);

			    "(code=%d).\n", rv);

			break;

			break;

		}

		}

		n++;

		n++;

	}

	}

	kt->pfrkt_cnt += n;

	kt->pfrkt_cnt += n;

}

}

int

int

pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)

pfr_insert_kentry(struct pfr_ktable *kt, struct pfr_addr *ad, long tzero)

{

{

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	int			 rv;

	int			 rv;

	if (p != NULL)

	if (p != NULL)

		return (0);

		return (0);

	p = pfr_create_kentry(ad);

	p = pfr_create_kentry(ad);

	if (p == NULL)

	if (p == NULL)

		return (ENOMEM);

		return (ENOMEM);

	rv = pfr_route_kentry(kt, p);

	rv = pfr_route_kentry(kt, p);

	if (rv)

	if (rv)

		return (rv);

		return (rv);

	kt->pfrkt_cnt++;

	kt->pfrkt_cnt++;

	return (0);

	return (0);

}

}

static void

static void

pfr_remove_kentries(struct pfr_ktable *kt,

pfr_remove_kentries(struct pfr_ktable *kt,

    struct pfr_kentryworkq *workq)

    struct pfr_kentryworkq *workq)

{

{

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	SLIST_FOREACH(p, workq, pfrke_workq)

	SLIST_FOREACH(p, workq, pfrke_workq)

		pfr_unroute_kentry(kt, p);

		pfr_unroute_kentry(kt, p);

}

}

static void

static void

pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)

pfr_clstats_kentries(struct pfr_kentryworkq *workq, long tzero, int negchange)

{

{

	struct pfr_kentry	*p;

	struct pfr_kentry	*p;

	SLIST_FOREACH(p, workq, pfrke_workq) {

	SLIST_FOREACH(p, workq, pfrke_workq) {

		if (negchange)

		if (negchange)

			p->pfrke_not = !p->pfrke_not;

			p->pfrke_not = !p->pfrke_not;

		}

		}

	}

	}

}

}

static void

static void

pfr_reset_feedback(struct pfr_addr *addr, int size)

pfr_reset_feedback(struct pfr_addr *addr, int size)

{

{

	struct pfr_addr	*ad;

	struct pfr_addr	*ad;

	int		i;

	int		i;

	for (i = 0, ad = addr; i < size; i++, ad++)

	for (i = 0, ad = addr; i < size; i++, ad++)

		ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;

		ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr;

	else if (ad->pfra_af == AF_INET6)

	else if (ad->pfra_af == AF_INET6)

		ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;

		ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr;

}

}

static int

static int

pfr_walktree(struct radix_node *rn, void *arg)

pfr_walktree(struct radix_node *rn, void *arg)

{

{

	struct pfr_kentry	*ke = (struct pfr_kentry *)rn;

	struct pfr_kentry	*ke = (struct pfr_kentry *)rn;

	struct pfr_walktree	*w = arg;

	struct pfr_walktree	*w = arg;

	switch (w->pfrw_op) {

	switch (w->pfrw_op) {

	case PFRW_MARK:

	case PFRW_MARK:

		ke->pfrke_mark = 0;

		ke->pfrke_mark = 0;

		break;

		break;

	case PFRW_SWEEP:

	case PFRW_SWEEP:

		if (ke->pfrke_mark)

		if (ke->pfrke_mark)

			break;

			break;

		/* FALLTHROUGH */

		/* FALLTHROUGH */

	case PFRW_ENQUEUE:

	case PFRW_ENQUEUE:

		if (w->pfrw_free-- > 0) {

		if (w->pfrw_free-- > 0) {

			pfr_copyout_addr(w->pfrw_addr, ke);

			pfr_copyout_addr(w->pfrw_addr, ke);

			w->pfrw_addr++;

			w->pfrw_addr++;

		}

		}

		break;

		break;

	case PFRW_GET_ASTATS:

	case PFRW_GET_ASTATS:

		if (w->pfrw_free-- > 0) {

		if (w->pfrw_free-- > 0) {

			struct pfr_astats as;

			struct pfr_astats as;

			pfr_copyout_addr(&as.pfras_a, ke);

			pfr_copyout_addr(&as.pfras_a, ke);

			} else {

			} else {

				bzero(as.pfras_packets, sizeof(as.pfras_packets));

				bzero(as.pfras_packets, sizeof(as.pfras_packets));

				bzero(as.pfras_bytes, sizeof(as.pfras_bytes));

				bzero(as.pfras_bytes, sizeof(as.pfras_bytes));

				as.pfras_a.pfra_fback = PFR_FB_NOCOUNT;

				as.pfras_a.pfra_fback = PFR_FB_NOCOUNT;

			}

			}

			bcopy(&as, w->pfrw_astats, sizeof(as));

			bcopy(&as, w->pfrw_astats, sizeof(as));

			w->pfrw_astats++;

			w->pfrw_astats++;

		}

		}

		break;

		break;

	case PFRW_POOL_GET:

	case PFRW_POOL_GET:

		if (ke->pfrke_not)

		if (ke->pfrke_not)

			break; /* negative entries are ignored */

			break; /* negative entries are ignored */

		if (!w->pfrw_cnt--) {

		if (!w->pfrw_cnt--) {

			w->pfrw_kentry = ke;

			w->pfrw_kentry = ke;

}

}

int

int

pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,

pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size,

	int flags)

	int flags)

{

{

	struct pfr_ktable	*p;

	struct pfr_ktable	*p;

	struct pfr_ktableworkq	 workq;

	struct pfr_ktableworkq	 workq;

	int			 n, nn;

	int			 n, nn;

	long			 tzero = time_second;

	long			 tzero = time_second;

	/* XXX PFR_FLAG_CLSTATS disabled */

	/* XXX PFR_FLAG_CLSTATS disabled */

	ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);

	ACCEPT_FLAGS(flags, PFR_FLAG_ALLRSETS);

	if (pfr_fix_anchor(filter->pfrt_anchor))

	if (pfr_fix_anchor(filter->pfrt_anchor))

		return (EINVAL);

		return (EINVAL);

	n = nn = pfr_table_count(filter, flags);

	n = nn = pfr_table_count(filter, flags);

	if (n < 0)

	if (n < 0)

		return (ENOENT);

		return (ENOENT);

	if (n > *size) {

	if (n > *size) {

		*size = n;

		*size = n;

		return (0);

		return (0);

	}

	}

	SLIST_INIT(&workq);

	SLIST_INIT(&workq);

	RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {

	RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) {

		if (pfr_skip_table(filter, p, flags))

		if (pfr_skip_table(filter, p, flags))

			continue;

			continue;

		if (n-- <= 0)

		if (n-- <= 0)

			continue;

			continue;

		SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);

		SLIST_INSERT_HEAD(&workq, p, pfrkt_workq);

	}

	}

	if (flags & PFR_FLAG_CLSTATS)

	if (flags & PFR_FLAG_CLSTATS)

		pfr_clstats_ktables(&workq, tzero,

		pfr_clstats_ktables(&workq, tzero,

		    flags & PFR_FLAG_ADDRSTOO);

		    flags & PFR_FLAG_ADDRSTOO);

	KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));

	KASSERT(n == 0, ("%s: corruption detected (%d)", __func__, n));

	*size = nn;

	*size = nn;

	return (0);

	return (0);

			next = SLIST_NEXT(p, pfrke_workq);	/* XXX */

			next = SLIST_NEXT(p, pfrke_workq);	/* XXX */

			pfr_copyout_addr(&ad, p);

			pfr_copyout_addr(&ad, p);

			q = pfr_lookup_addr(kt, &ad, 1);

			q = pfr_lookup_addr(kt, &ad, 1);

			if (q != NULL) {

			if (q != NULL) {

				if (q->pfrke_not != p->pfrke_not)

				if (q->pfrke_not != p->pfrke_not)

					SLIST_INSERT_HEAD(&changeq, q,

					SLIST_INSERT_HEAD(&changeq, q,

					    pfrke_workq);

					    pfrke_workq);

				q->pfrke_mark = 1;

				q->pfrke_mark = 1;

				SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);

				SLIST_INSERT_HEAD(&garbageq, p, pfrke_workq);

			} else {

			} else {

				SLIST_INSERT_HEAD(&addq, p, pfrke_workq);

				SLIST_INSERT_HEAD(&addq, p, pfrke_workq);

			}

			}

		}

		}

		pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);

		pfr_enqueue_addrs(kt, &delq, NULL, ENQUEUE_UNMARKED_ONLY);

		pfr_insert_kentries(kt, &addq, tzero);

		pfr_insert_kentries(kt, &addq, tzero);

		pfr_remove_kentries(kt, &delq);

		pfr_remove_kentries(kt, &delq);

		pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);

		pfr_clstats_kentries(&changeq, tzero, INVERT_NEG_FLAG);

		pfr_destroy_kentries(&garbageq);

		pfr_destroy_kentries(&garbageq);

	} else {

	} else {

		/* kt cannot contain addresses */

		/* kt cannot contain addresses */

	struct pfr_ktable	*p;

	struct pfr_ktable	*p;

	SLIST_FOREACH(p, workq, pfrkt_workq)

	SLIST_FOREACH(p, workq, pfrkt_workq)

		pfr_clstats_ktable(p, tzero, recurse);

		pfr_clstats_ktable(p, tzero, recurse);

}

}

static void

static void

pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)

pfr_clstats_ktable(struct pfr_ktable *kt, long tzero, int recurse)

{

{

	struct pfr_kentryworkq	 addrq;

	struct pfr_kentryworkq	 addrq;

	if (recurse) {

	if (recurse) {

		pfr_enqueue_addrs(kt, &addrq, NULL, 0);

		pfr_enqueue_addrs(kt, &addrq, NULL, 0);

		pfr_clstats_kentries(&addrq, tzero, 0);

		pfr_clstats_kentries(&addrq, tzero, 0);

	}

	}

	kt->pfrkt_tzero = tzero;

	kt->pfrkt_tzero = tzero;

}

}

static struct pfr_ktable *

static struct pfr_ktable *

pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)

pfr_create_ktable(struct pfr_table *tbl, long tzero, int attachruleset)

{

{

	struct pfr_ktable	*kt;

	struct pfr_ktable	*kt;

	struct pf_ruleset	*rs;

	struct pf_ruleset	*rs;

	PF_RULES_WASSERT();

	PF_RULES_WASSERT();

	kt = malloc(sizeof(*kt), M_PFTABLE, M_NOWAIT|M_ZERO);

	kt = malloc(sizeof(*kt), M_PFTABLE, M_NOWAIT|M_ZERO);

	if (kt == NULL)

	if (kt == NULL)

		return (NULL);

		return (NULL);

	kt->pfrkt_t = *tbl;

	kt->pfrkt_t = *tbl;

	if (attachruleset) {

	if (attachruleset) {

		rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);

		rs = pf_find_or_create_ruleset(tbl->pfrt_anchor);

		if (!rs) {

		if (!rs) {

			pfr_destroy_ktable(kt, 0);

			pfr_destroy_ktable(kt, 0);

			return (NULL);

			return (NULL);

		}

		}

		kt->pfrkt_rs = rs;

		kt->pfrkt_rs = rs;

		rs->tables++;

		rs->tables++;

	}

	}

	if (!rn_inithead((void **)&kt->pfrkt_ip4,

	if (!rn_inithead((void **)&kt->pfrkt_ip4,

	    offsetof(struct sockaddr_in, sin_addr) * 8) ||

	    offsetof(struct sockaddr_in, sin_addr) * 8) ||

	    !rn_inithead((void **)&kt->pfrkt_ip6,

	    !rn_inithead((void **)&kt->pfrkt_ip6,

	    offsetof(struct sockaddr_in6, sin6_addr) * 8)) {

	    offsetof(struct sockaddr_in6, sin6_addr) * 8)) {

		pfr_destroy_ktable(kt, 0);

		pfr_destroy_ktable(kt, 0);

		return (NULL);

		return (NULL);

	}

	}

	kt->pfrkt_tzero = tzero;

	kt->pfrkt_tzero = tzero;

	return (kt);

	return (kt);

	for (p = SLIST_FIRST(workq); p; p = q) {

	for (p = SLIST_FIRST(workq); p; p = q) {

		q = SLIST_NEXT(p, pfrkt_workq);

		q = SLIST_NEXT(p, pfrkt_workq);

		pfr_destroy_ktable(p, flushaddr);

		pfr_destroy_ktable(p, flushaddr);

	}

	}

}

}

static void

static void

pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)

pfr_destroy_ktable(struct pfr_ktable *kt, int flushaddr)

{

{

	struct pfr_kentryworkq	 addrq;

	struct pfr_kentryworkq	 addrq;

	if (flushaddr) {

	if (flushaddr) {

		pfr_enqueue_addrs(kt, &addrq, NULL, 0);

		pfr_enqueue_addrs(kt, &addrq, NULL, 0);

		pfr_clean_node_mask(kt, &addrq);

		pfr_clean_node_mask(kt, &addrq);

		pfr_destroy_kentries(&addrq);

		pfr_destroy_kentries(&addrq);

	}

	}

	if (kt->pfrkt_ip4 != NULL)

	if (kt->pfrkt_ip4 != NULL)

		rn_detachhead((void **)&kt->pfrkt_ip4);

		rn_detachhead((void **)&kt->pfrkt_ip4);

	if (kt->pfrkt_ip6 != NULL)

	if (kt->pfrkt_ip6 != NULL)

		rn_detachhead((void **)&kt->pfrkt_ip6);

		rn_detachhead((void **)&kt->pfrkt_ip6);

	if (kt->pfrkt_shadow != NULL)

	if (kt->pfrkt_shadow != NULL)

		pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);

		pfr_destroy_ktable(kt->pfrkt_shadow, flushaddr);

	if (kt->pfrkt_rs != NULL) {

	if (kt->pfrkt_rs != NULL) {

		kt->pfrkt_rs->tables--;

		kt->pfrkt_rs->tables--;

		pf_remove_if_empty_ruleset(kt->pfrkt_rs);

		pf_remove_if_empty_ruleset(kt->pfrkt_rs);

	}

	}

	free(kt, M_PFTABLE);

	free(kt, M_PFTABLE);

}

}

static int

static int

pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)

pfr_ktable_compare(struct pfr_ktable *p, struct pfr_ktable *q)

{

{

	int d;

	int d;

	if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))

	if ((d = strncmp(p->pfrkt_name, q->pfrkt_name, PF_TABLE_NAME_SIZE)))

		return (d);

		return (d);

		bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));

		bcopy(a, &sin6.sin6_addr, sizeof(sin6.sin6_addr));

		ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);

		ke = (struct pfr_kentry *)rn_match(&sin6, &kt->pfrkt_ip6->rh);

		if (ke && KENTRY_RNF_ROOT(ke))

		if (ke && KENTRY_RNF_ROOT(ke))

			ke = NULL;

			ke = NULL;

		break;

		break;

	    }

	    }

#endif /* INET6 */

#endif /* INET6 */

	}

	}

	match = (ke && !ke->pfrke_not);

	match = (ke && !ke->pfrke_not);

	if (match)

	if (match)

	else

	else

	return (match);

	return (match);

}

}

void

void

pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,

pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af,

    u_int64_t len, int dir_out, int op_pass, int notrule)

    u_int64_t len, int dir_out, int op_pass, int notrule)

{

{

	struct pfr_kentry	*ke = NULL;

	struct pfr_kentry	*ke = NULL;

	if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)

	if (!(kt->pfrkt_flags & PFR_TFLAG_ACTIVE) && kt->pfrkt_root != NULL)

	    }

	    }

#endif /* INET6 */

#endif /* INET6 */

	default:

	default:

		panic("%s: unknown address family %u", __func__, af);

		panic("%s: unknown address family %u", __func__, af);

	}

	}

	if ((ke == NULL || ke->pfrke_not) != notrule) {

	if ((ke == NULL || ke->pfrke_not) != notrule) {

		if (op_pass != PFR_OP_PASS)

		if (op_pass != PFR_OP_PASS)

			printf("pfr_update_stats: assertion failed.\n");

			printf("pfr_update_stats: assertion failed.\n");

		op_pass = PFR_OP_XPASS;

		op_pass = PFR_OP_XPASS;

	}

	}

	if (ke != NULL && op_pass != PFR_OP_XPASS &&

	if (ke != NULL && op_pass != PFR_OP_XPASS &&

	    (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {

	    (kt->pfrkt_flags & PFR_TFLAG_COUNTERS)) {

	}

	}

}

}

struct pfr_ktable *

struct pfr_ktable *

pfr_attach_table(struct pf_ruleset *rs, char *name)

pfr_attach_table(struct pf_ruleset *rs, char *name)

{

{

	struct pfr_ktable	*kt, *rt;

	struct pfr_ktable	*kt, *rt;

	struct pfr_table	 tbl;

	struct pfr_table	 tbl;

	struct pf_anchor	*ac = rs->anchor;

	struct pf_anchor	*ac = rs->anchor;

	if (pidx != NULL)

	if (pidx != NULL)

		idx = *pidx;

		idx = *pidx;

	if (counter != NULL && idx >= 0)

	if (counter != NULL && idx >= 0)

		use_counter = 1;

		use_counter = 1;

	if (idx < 0)

	if (idx < 0)

		idx = 0;

		idx = 0;

_next_block:

_next_block:

	ke = pfr_kentry_byidx(kt, idx, af);

	ke = pfr_kentry_byidx(kt, idx, af);

	if (ke == NULL) {

	if (ke == NULL) {

		return (1);

		return (1);

	}

	}

	pfr_prepare_network(&umask, af, ke->pfrke_net);

	pfr_prepare_network(&umask, af, ke->pfrke_net);

	cur = SUNION2PF(&ke->pfrke_sa, af);

	cur = SUNION2PF(&ke->pfrke_sa, af);

	mask = SUNION2PF(&umask, af);

	mask = SUNION2PF(&umask, af);

	if (use_counter) {

	if (use_counter) {

		/* is supplied address within block? */

		/* is supplied address within block? */

		if (!PF_MATCHA(0, cur, mask, counter, af)) {

		if (!PF_MATCHA(0, cur, mask, counter, af)) {

			/* no, go to next block in table */

			/* no, go to next block in table */

		PF_ACPY(addr, counter, af);

		PF_ACPY(addr, counter, af);

	} else {

	} else {

		/* use first address of block */

		/* use first address of block */

		PF_ACPY(addr, cur, af);

		PF_ACPY(addr, cur, af);

	}

	}

	if (!KENTRY_NETWORK(ke)) {

	if (!KENTRY_NETWORK(ke)) {

		/* this is a single IP address - no possible nested block */

		/* this is a single IP address - no possible nested block */

		PF_ACPY(counter, addr, af);

		PF_ACPY(counter, addr, af);

		*pidx = idx;

		*pidx = idx;

		return (0);

		return (0);

	}

	}

	for (;;) {

	for (;;) {

		/* we don't want to use a nested block */

		/* we don't want to use a nested block */

		switch (af) {

		switch (af) {

		case AF_INET:

		case AF_INET:

			ke2 = (struct pfr_kentry *)rn_match(&uaddr,

			ke2 = (struct pfr_kentry *)rn_match(&uaddr,

			    &kt->pfrkt_ip4->rh);

			    &kt->pfrkt_ip4->rh);

			break;

			break;

		case AF_INET6:

		case AF_INET6:

			ke2 = (struct pfr_kentry *)rn_match(&uaddr,

			ke2 = (struct pfr_kentry *)rn_match(&uaddr,

			    &kt->pfrkt_ip6->rh);

			    &kt->pfrkt_ip6->rh);

			break;

			break;

		}

		}

		/* no need to check KENTRY_RNF_ROOT() here */

		/* no need to check KENTRY_RNF_ROOT() here */

		if (ke2 == ke) {

		if (ke2 == ke) {

			/* lookup return the same block - perfect */

			/* lookup return the same block - perfect */

			PF_ACPY(counter, addr, af);

			PF_ACPY(counter, addr, af);

			*pidx = idx;

			*pidx = idx;

			return (0);

			return (0);

		}

		}

		/* we need to increase the counter past the nested block */

		/* we need to increase the counter past the nested block */

		pfr_prepare_network(&umask, AF_INET, ke2->pfrke_net);

		pfr_prepare_network(&umask, AF_INET, ke2->pfrke_net);

		PF_POOLMASK(addr, addr, SUNION2PF(&umask, af), &pfr_ffaddr, af);

		PF_POOLMASK(addr, addr, SUNION2PF(&umask, af), &pfr_ffaddr, af);

		PF_AINC(addr, af);

		PF_AINC(addr, af);

		if (!PF_MATCHA(0, cur, mask, addr, af)) {

		if (!PF_MATCHA(0, cur, mask, addr, af)) {

			/* ok, we reached the end of our main block */

			/* ok, we reached the end of our main block */

			/* go to next block in table */

			/* go to next block in table */