Link pf 4.1 to the build:

- move ftp-proxy from libexec to usr.sbin
 - add tftp-proxy
 - new altq mtag link

Approved by:	re (kensmith)

libexec/Makefile

@@ -8,7 +8,6 @@ SUBDIR=	atrun \
 	comsat \
 	fingerd \
 	ftpd \
-	${_ftp-proxy} \
 	getty \
 	lukemftpd \
 	${_mail.local} \
@@ -32,6 +31,7 @@ SUBDIR=	atrun \
 	tcpd \
 	telnetd \
 	tftpd \
+	${_tftp-proxy} \
 	${_ypxfr}
 
 .if ${MK_NIS} != "no"
@@ -40,7 +40,7 @@ _ypxfr=		ypxfr
 .endif
 
 .if ${MK_PF} != "no"
-_ftp-proxy=	ftp-proxy
+_tftp-proxy=	tftp-proxy
 .endif
 
 .if !defined(NO_PIC)

libexec/ftp-proxy/Makefile

@@ -1,12 +0,0 @@
-# $FreeBSD$
-
-.PATH:	${.CURDIR}/../../contrib/pf/ftp-proxy
-
-PROG=	ftp-proxy
-MAN=	ftp-proxy.8
-
-SRCS=   ftp-proxy.c getline.c util.c
-
-WARNS?=	2
-
-.include <bsd.prog.mk>

libexec/tftp-proxy/Makefile

@@ -0,0 +1,9 @@
+#	$FreeBSD$
+
+.PATH:	${.CURDIR}/../../contrib/pf/tftp-proxy
+
+PROG=	tftp-proxy
+SRCS=	tftp-proxy.c filter.c
+MAN=	tftp-proxy.8
+
+.include <bsd.prog.mk>

sbin/pfctl/Makefile

@@ -1,6 +1,7 @@
 # $FreeBSD$
 
 .PATH:	${.CURDIR}/../../contrib/pf/pfctl
+.PATH:	${.CURDIR}/../../sys/contrib/pf/net
 .PATH:	${.CURDIR}/../../contrib/pf/man
 
 PROG=	pfctl
@@ -9,6 +10,7 @@ MAN=	pfctl.8 pf.4 pflog.4 pfsync.4 pf.conf.5 pf.os.5
 SRCS = pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
 SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
 SRCS+= pfctl_optimize.c
+SRCS+= pf_ruleset.c
 
 CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
 CFLAGS+= -Wstrict-prototypes -I${.CURDIR}/../../contrib/pf/pfctl

sys/conf/files

@@ -327,16 +327,18 @@ contrib/pf/net/pf.c		optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_if.c		optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
-contrib/pf/net/pf_subr.c	optional pf \
-	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_ioctl.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_norm.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
-contrib/pf/net/pf_table.c	optional pf \
-	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_osfp.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_ruleset.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_subr.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_table.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/netinet/in4_cksum.c	optional pf inet
 crypto/blowfish/bf_ecb.c	optional ipsec 
 crypto/blowfish/bf_skey.c	optional crypto | ipsec 
@@ -1584,7 +1586,8 @@ net/if_disc.c			optional disc
 net/if_edsc.c			optional edsc
 net/if_ef.c			optional ef
 net/if_enc.c			optional enc
-net/if_ethersubr.c		optional ether
+net/if_ethersubr.c		optional ether \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
 net/if_faith.c			optional faith
 net/if_fddisubr.c		optional fddi
 net/if_fwsubr.c			optional fwip
@@ -1825,7 +1828,8 @@ netinet/ip_dummynet.c		optional dummynet
 netinet/ip_ecn.c		optional inet | inet6
 netinet/ip_encap.c		optional inet | inet6
 netinet/ip_fastfwd.c		optional inet
-netinet/ip_fw2.c		optional ipfirewall
+netinet/ip_fw2.c		optional ipfirewall \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
 netinet/ip_fw_pfil.c		optional ipfirewall
 netinet/ip_icmp.c		optional inet
 netinet/ip_input.c		optional inet

sys/contrib/altq/altq/altq_cbq.c

@@ -500,7 +500,7 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 {
 	cbq_state_t	*cbqp = (cbq_state_t *)ifq->altq_disc;
 	struct rm_class	*cl;
-	struct m_tag	*t;
+	struct pf_mtag	*t;
 	int		 len;
 
 	IFQ_LOCK_ASSERT(ifq);
@@ -520,8 +520,8 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 		return (ENOBUFS);
 	}
 	cl = NULL;
-	if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL)
-		cl = clh_to_clp(cbqp, ((struct altq_tag *)(t+1))->qid);
+	if ((t = pf_find_mtag(m)) != NULL)
+		cl = clh_to_clp(cbqp, t->qid);
 #ifdef ALTQ3_COMPAT
 	else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL)
 		cl = pktattr->pattr_class;

sys/contrib/altq/altq/altq_hfsc.c

@@ -693,7 +693,7 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 {
 	struct hfsc_if	*hif = (struct hfsc_if *)ifq->altq_disc;
 	struct hfsc_class *cl;
-	struct m_tag *t;
+	struct pf_mtag *t;
 	int len;
 
 	IFQ_LOCK_ASSERT(ifq);
@@ -713,8 +713,8 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 		return (ENOBUFS);
 	}
 	cl = NULL;
-	if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL)
-		cl = clh_to_clp(hif, ((struct altq_tag *)(t+1))->qid);
+	if ((t = pf_find_mtag(m)) != NULL)
+		cl = clh_to_clp(hif, t->qid);
 #ifdef ALTQ3_COMPAT
 	else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL)
 		cl = pktattr->pattr_class;

sys/contrib/altq/altq/altq_priq.c

@@ -461,7 +461,7 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 {
 	struct priq_if	*pif = (struct priq_if *)ifq->altq_disc;
 	struct priq_class *cl;
-	struct m_tag *t;
+	struct pf_mtag *t;
 	int len;
 
 	IFQ_LOCK_ASSERT(ifq);
@@ -481,8 +481,8 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr)
 		return (ENOBUFS);
 	}
 	cl = NULL;
-	if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL)
-		cl = clh_to_clp(pif, ((struct altq_tag *)(t+1))->qid);
+	if ((t = pf_find_mtag(m)) != NULL)
+		cl = clh_to_clp(pif, t->qid);
 #ifdef ALTQ3_COMPAT
 	else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL)
 		cl = pktattr->pattr_class;

sys/contrib/altq/altq/altq_red.c

@@ -514,16 +514,12 @@ int
 mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags)
 {
 	struct mbuf	*m0;
-	struct m_tag	*t;
-	struct altq_tag	*at;
+	struct pf_mtag	*at;
 	void		*hdr;
 	int		 af;
 
-	t = m_tag_find(m, PACKET_TAG_PF_QID, NULL);
-	if (t != NULL) {
-		at = (struct altq_tag *)(t + 1);
-		if (at == NULL)
-			return (0);
+	at = pf_find_mtag(m);
+	if (at != NULL) {
 		af = at->af;
 		hdr = at->hdr;
 #ifdef ALTQ3_COMPAT

sys/contrib/pf/net/pf_mtag.h

@@ -0,0 +1,82 @@
+/*	$FreeBSD$	*/
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *    - Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *    - Redistributions in binary form must reproduce the above
+ *      copyright notice, this list of conditions and the following
+ *      disclaimer in the documentation and/or other materials provided
+ *      with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _NET_PF_MTAG_H_
+#define _NET_PF_MTAG_H_
+
+#ifdef _KERNEL
+
+#define	PF_TAG_GENERATED		0x01
+#define	PF_TAG_FRAGCACHE		0x02
+#define	PF_TAG_TRANSLATE_LOCALHOST	0x04
+
+struct pf_mtag {
+	void		*hdr;		/* saved hdr pos in mbuf, for ECN */
+	u_int		 rtableid;	/* alternate routing table id */
+	u_int32_t	 qid;		/* queue id */
+	u_int16_t	 tag;		/* tag id */
+	u_int8_t	 flags;
+	u_int8_t	 routed;
+	sa_family_t	 af;		/* for ECN */
+};
+
+static __inline struct pf_mtag *pf_find_mtag(struct mbuf *);
+static __inline struct pf_mtag *pf_get_mtag(struct mbuf *);
+
+static __inline struct pf_mtag *
+pf_find_mtag(struct mbuf *m)
+{
+	struct m_tag	*mtag;
+
+	if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL)
+		return (NULL);
+
+	return ((struct pf_mtag *)(mtag + 1));
+}
+
+static __inline struct pf_mtag *
+pf_get_mtag(struct mbuf *m)
+{
+	struct m_tag	*mtag;
+
+	if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) {
+		mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag),
+		    M_NOWAIT);
+		if (mtag == NULL)
+			return (NULL);
+		bzero(mtag + 1, sizeof(struct pf_mtag));
+		m_tag_prepend(m, mtag);
+	}
+
+	return ((struct pf_mtag *)(mtag + 1));
+}
+#endif /* _KERNEL */
+#endif /* _NET_PF_MTAG_H_ */

sys/modules/ipfw/Makefile

@@ -9,6 +9,7 @@ SRCS=	ip_fw2.c ip_fw_pfil.c
 SRCS+=	opt_inet6.h opt_ipsec.h opt_mac.h
 
 CFLAGS+= -DIPFIREWALL
+CFLAGS+= -I${.CURDIR}/../../contrib/pf
 #
 #If you want it verbose
 #CFLAGS+= -DIPFIREWALL_VERBOSE

sys/modules/pf/Makefile

@@ -7,6 +7,7 @@
 
 KMOD=	pf
 SRCS = 	pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c \
+	pf_ruleset.c \
 	in4_cksum.c \
 	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h
 
@@ -23,6 +24,11 @@ opt_inet6.h:
 
 opt_bpf.h:
 	echo "#define DEV_BPF 1" > opt_bpf.h
+
+# pflog can be loaded as a module, have the additional checks turned on
+opt_pf.h:
+	echo "#define DEV_PF 1" > opt_pf.h
+	echo "#define DEF_PFLOG 1" >> opt_pf.h
 .endif
 
 .include <bsd.kmod.mk>

sys/net/if_ethersubr.c

@@ -60,6 +60,7 @@
 #include <net/ethernet.h>
 #include <net/if_bridgevar.h>
 #include <net/if_vlan_var.h>
+#include <net/pf_mtag.h>
 
 #if defined(INET) || defined(INET6)
 #include <netinet/in.h>
@@ -151,6 +152,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
 	int error, hdrcmplt = 0;
 	u_char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN];
 	struct ether_header *eh;
+	struct pf_mtag *t;
 	int loop_copy = 1;
 	int hlen;	/* link layer header length */
 
@@ -301,7 +303,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
 	 * reasons and compatibility with the original behavior.
 	 */
 	if ((ifp->if_flags & IFF_SIMPLEX) && loop_copy &&
-	    m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL) {
+	    ((t = pf_find_mtag(m)) == NULL || !t->routed)) {
 		int csum_flags = 0;
 
 		if (m->m_pkthdr.csum_flags & CSUM_IP)

sys/netinet/ip_fw2.c

@@ -66,6 +66,7 @@
 #include <net/if.h>
 #include <net/radix.h>
 #include <net/route.h>
+#include <net/pf_mtag.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
@@ -3058,24 +3059,21 @@ check_body:
 				break;
 
 			case O_ALTQ: {
-				struct altq_tag *at;
+				struct pf_mtag *at;
 				ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
 
 				match = 1;
-				mtag = m_tag_find(m, PACKET_TAG_PF_QID, NULL);
-				if (mtag != NULL)
+				at = pf_find_mtag(m);
+				if (at != NULL && at->qid != 0)
 					break;
-				mtag = m_tag_get(PACKET_TAG_PF_QID,
-						sizeof(struct altq_tag),
-						M_NOWAIT);
-				if (mtag == NULL) {
+				at = pf_get_mtag(m);
+				if (at == NULL) {
 					/*
 					 * Let the packet fall back to the
 					 * default ALTQ.
 					 */
 					break;
 				}
-				at = (struct altq_tag *)(mtag+1);
 				at->qid = altq->qid;
 				if (is_ipv4)
 					at->af = AF_INET;

sys/netinet6/in6.h

@@ -350,6 +350,11 @@ extern const struct in6_addr in6addr_linklocal_allrouters;
 #define IN6_IS_SCOPE_LINKLOCAL(a)	\
 	((IN6_IS_ADDR_LINKLOCAL(a)) ||	\
 	 (IN6_IS_ADDR_MC_LINKLOCAL(a)))
+#define	IN6_IS_SCOPE_EMBED(a)			\
+	((IN6_IS_ADDR_LINKLOCAL(a)) ||		\
+	 (IN6_IS_ADDR_MC_LINKLOCAL(a)) || 	\
+	 (IN6_IS_ADDR_MC_INTFACELOCAL(a)))
+                          
 
 #define IFA6_IS_DEPRECATED(a) \
 	((a)->ia6_lifetime.ia6t_pltime != ND6_INFINITE_LIFETIME && \

sys/sys/mbuf.h

@@ -833,12 +833,8 @@ struct mbuf	*m_unshare(struct mbuf *, int how);
 #define	PACKET_TAG_DIVERT			17 /* divert info */
 #define	PACKET_TAG_IPFORWARD			18 /* ipforward info */
 #define	PACKET_TAG_MACLABEL	(19 | MTAG_PERSISTENT) /* MAC label */
-#define	PACKET_TAG_PF_ROUTED			21 /* PF routed, avoid loops */
-#define	PACKET_TAG_PF_FRAGCACHE			22 /* PF fragment cached */
-#define	PACKET_TAG_PF_QID			23 /* PF ALTQ queue id */
-#define	PACKET_TAG_PF_TAG			24 /* PF tagged */
+#define	PACKET_TAG_PF				21 /* PF + ALTQ information */
 #define	PACKET_TAG_RTSOCKFAM			25 /* rtsock sa family */
-#define	PACKET_TAG_PF_TRANSLATE_LOCALHOST	26 /* PF translate localhost */
 #define	PACKET_TAG_IPOPTIONS			27 /* Saved IP options */
 #define	PACKET_TAG_CARP                         28 /* CARP info */
 

usr.sbin/Makefile

@@ -56,6 +56,7 @@ SUBDIR=	ac \
 	fdwrite \
 	flowctl \
 	freebsd-update \
+	${_ftp-proxy} \
 	fwcontrol \
 	getfmac \
 	getpmac \
@@ -228,6 +229,10 @@ _bluetooth=	bluetooth
 _keyserv=	keyserv
 .endif
 
+.if ${MK_PF} != "no"
+_ftp-proxy=	ftp-proxy
+.endif
+
 .if ${MK_INET6} != "no"
 _faithd=	faithd
 _ip6addrctl=	ip6addrctl

usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c

@@ -60,7 +60,7 @@ enum { PASS, BLOCK };
 #define PFI_IFTYPE_DETACHED	2
 
 struct pfi_entry {
-	struct pfi_if	pfi;
+	struct pfi_kif	pfi;
 	u_int		index;
 	TAILQ_ENTRY(pfi_entry) link;
 };
@@ -544,83 +544,83 @@ pf_iftable(struct snmp_context __unused *ctx, struct snmp_value *val,
 
 	switch (which) {
 		case LEAF_pfInterfacesIfDescr:
-			return (string_get(val, e->pfi.pfif_name, -1));
+			return (string_get(val, e->pfi.pfik_name, -1));
 		case LEAF_pfInterfacesIfType:
 			val->v.integer = PFI_IFTYPE_INSTANCE;
 			break;
 		case LEAF_pfInterfacesIfTZero:
 			val->v.uint32 =
-			    (time(NULL) - e->pfi.pfif_tzero) * 100;
+			    (time(NULL) - e->pfi.pfik_tzero) * 100;
 			break;
 		case LEAF_pfInterfacesIfRefsState:
-			val->v.uint32 = e->pfi.pfif_states;
+			val->v.uint32 = e->pfi.pfik_states;
 			break;
 		case LEAF_pfInterfacesIfRefsRule:
-			val->v.uint32 = e->pfi.pfif_rules;
+			val->v.uint32 = e->pfi.pfik_rules;
 			break;
 		case LEAF_pfInterfacesIf4BytesInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][IN][PASS];
+			    e->pfi.pfik_bytes[IPV4][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf4BytesInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][IN][BLOCK];
+			    e->pfi.pfik_bytes[IPV4][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4BytesOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][OUT][PASS];
+			    e->pfi.pfik_bytes[IPV4][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf4BytesOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][OUT][BLOCK];
+			    e->pfi.pfik_bytes[IPV4][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4PktsInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][IN][PASS];
+			    e->pfi.pfik_packets[IPV4][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf4PktsInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][IN][BLOCK];
+			    e->pfi.pfik_packets[IPV4][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4PktsOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][OUT][PASS];
+			    e->pfi.pfik_packets[IPV4][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf4PktsOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][OUT][BLOCK];
+			    e->pfi.pfik_packets[IPV4][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6BytesInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][IN][PASS];
+			    e->pfi.pfik_bytes[IPV6][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf6BytesInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][IN][BLOCK];
+			    e->pfi.pfik_bytes[IPV6][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6BytesOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][OUT][PASS];
+			    e->pfi.pfik_bytes[IPV6][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf6BytesOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][OUT][BLOCK];
+			    e->pfi.pfik_bytes[IPV6][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6PktsInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][IN][PASS];
+			    e->pfi.pfik_packets[IPV6][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf6PktsInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][IN][BLOCK];
+			    e->pfi.pfik_packets[IPV6][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6PktsOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][OUT][PASS];
+			    e->pfi.pfik_packets[IPV6][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf6PktsOutBlock:
 			val->v.counter64 = 
-			    e->pfi.pfif_packets[IPV6][OUT][BLOCK];
+			    e->pfi.pfik_packets[IPV6][OUT][BLOCK];
 			break;
 
 		default:
@@ -911,7 +911,7 @@ static int
 pfi_refresh(void)
 {
 	struct pfioc_iface io;
-	struct pfi_if *p = NULL;
+	struct pfi_kif *p = NULL;
 	struct pfi_entry *e;
 	int i, numifs = 1;
 
@@ -925,11 +925,10 @@ pfi_refresh(void)
 	}
 
 	bzero(&io, sizeof(io));
-	io.pfiio_flags = PFI_FLAG_INSTANCE;
-	io.pfiio_esize = sizeof(struct pfi_if);
+	io.pfiio_esize = sizeof(struct pfi_kif);
 
 	for (;;) {
-		p = reallocf(p, numifs * sizeof(struct pfi_if));
+		p = reallocf(p, numifs * sizeof(struct pfi_kif));
 		if (p == NULL) {
 			syslog(LOG_ERR, "pfi_refresh(): reallocf() numifs=%d: %s",
 			    numifs, strerror(errno));
@@ -955,7 +954,7 @@ pfi_refresh(void)
 		if (e == NULL)
 			goto err1;
 		e->index = i + 1;
-		memcpy(&e->pfi, p+i, sizeof(struct pfi_if));
+		memcpy(&e->pfi, p+i, sizeof(struct pfi_kif));
 		TAILQ_INSERT_TAIL(&pfi_table, e, link);
 	}
 

usr.sbin/ftp-proxy/Makefile

@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+SUBDIR= libevent ftp-proxy
+
+.include <bsd.subdir.mk>

usr.sbin/ftp-proxy/Makefile.inc

@@ -0,0 +1,5 @@
+# $FreeBSD$
+
+LIBEVENT= ${.OBJDIR}/../libevent/libevent.a
+
+.include "../Makefile.inc"

usr.sbin/ftp-proxy/ftp-proxy/Makefile

@@ -0,0 +1,18 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR}/../../../contrib/pf/ftp-proxy
+
+PROG=	ftp-proxy
+MAN=	ftp-proxy.8
+
+SRCS=   ftp-proxy.c filter.c
+
+CFLAGS+= -I${.CURDIR}/../../../contrib/pf/libevent
+CFLAGS+= -I${.CURDIR}/../../../sys/contrib/pf
+
+DPADD=	${LIBEVENT}
+LDADD=	${LIBEVENT}
+
+WARNS?=	2
+
+.include <bsd.prog.mk>

usr.sbin/ftp-proxy/libevent/Makefile

@@ -0,0 +1,25 @@
+# $FreeBSD$
+
+.PATH:	${.CURDIR}/../../../contrib/pf/libevent
+
+
+LIB=	event
+INTERNALLIB=yes
+SRCS=	buffer.c evbuffer.c event.c kqueue.c log.c poll.c select.c signal.c
+HDRS=	event.h
+
+CFLAGS+= -I${.CURDIR} \
+	-DHAVE_CLOCK_GETTIME \
+	-DHAVE_FCNTL_H \
+	-DHAVE_POLL \
+	-DHAVE_SELECT \
+	-DHAVE_SETFD \
+	-DHAVE_STDARG_H \
+	-DHAVE_SYS_IOCTL_H \
+	-DHAVE_SYS_TIME_H \
+	-DHAVE_UNISTD_H \
+	-DHAVE_VASPRINTF \
+	-DHAVE_WORKING_KQUEUE \
+	-DVERSION='"1.3b"'
+
+.include <bsd.lib.mk>