Tweak existing header and other build infrastructure to be able to build

pf/pflog/pfsync as modules. Do not list them in NOTES or modules/Makefile
(i.e. do not connect it to any (automatic) builds - yet).

Approved by: bms(mentor)

sys/boot/forth/loader.conf

@@ -171,6 +171,9 @@ if_tap_load="NO"		# Ethernet tunnel software network interface
 if_tun_load="NO"		# Tunnel driver (user process ppp)
 if_vlan_load="NO"		# IEEE 802.1Q VLAN network interface
 ipfw_load="NO"			# Firewall
+pfsync_load="NO"		# pfsync pseudo interface
+pflog_load="NO"			# pflog pseudo interface
+pf_load="NO"			# packet filter
 
 
 ##############################################################

sys/conf/files

@@ -206,6 +206,14 @@ contrib/ipfilter/netinet/ip_nat.c	optional ipfilter inet
 contrib/ipfilter/netinet/ip_proxy.c	optional ipfilter inet
 contrib/ipfilter/netinet/ip_state.c	optional ipfilter inet
 contrib/ipfilter/netinet/mlfk_ipl.c	optional ipfilter inet
+contrib/pf/net/if_pflog.c		optional pflog
+contrib/pf/net/if_pfsync.c		optional pfsync
+contrib/pf/net/pf.c			optional pf nowerror
+contrib/pf/net/pf_ioctl.c		optional pf
+contrib/pf/net/pf_norm.c		optional pf
+contrib/pf/net/pf_table.c		optional pf
+contrib/pf/net/pf_osfp.c		optional pf
+contrib/pf/netinet/in4_cksum.c		optional pf inet
 crypto/blowfish/bf_ecb.c	optional ipsec ipsec_esp
 crypto/blowfish/bf_skey.c	optional ipsec ipsec_esp
 crypto/cast128/cast128.c	optional ipsec ipsec_esp

sys/conf/kern.pre.mk

@@ -32,6 +32,9 @@ INCLUDES+= -I$S/contrib/dev/acpica
 # ... and the same for ipfilter
 INCLUDES+= -I$S/contrib/ipfilter
 
+# ... and the same for pf
+INCLUDES+= -I$S/contrib/pf
+
 # ... and the same for Atheros HAL
 INCLUDES+= -I$S/contrib/dev/ath -I$S/contrib/dev/ath/freebsd
 

sys/conf/options

@@ -322,6 +322,9 @@ BOOTP_NFSROOT		opt_bootp.h
 BOOTP_NFSV3		opt_bootp.h
 BOOTP_WIRED_TO		opt_bootp.h
 BRIDGE			opt_bdg.h
+DEV_PF			opt_pf.h
+DEV_PFLOG		opt_pf.h
+DEV_PFSYNC		opt_pf.h
 ETHER_II		opt_ef.h
 ETHER_8023		opt_ef.h
 ETHER_8022		opt_ef.h

sys/contrib/pf/net/pfvar.h

@@ -156,6 +156,11 @@ struct pf_addr_dyn {
 #if defined(__FreeBSD__)
 #define splsoftnet()	splnet()
 
+#define	HTONL(x)	(x) = htonl((__uint32_t)(x))
+#define	HTONS(x)	(x) = htons((__uint16_t)(x))
+#define	NTOHL(x)	(x) = ntohl((__uint32_t)(x))
+#define	NTOHS(x)	(x) = ntohs((__uint16_t)(x))
+
 #define PF_NAME		"pf"
 
 #define PR_NOWAIT	M_NOWAIT

sys/modules/pf/Makefile

@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+.PATH: ${.CURDIR}/../../contrib/pf/net
+.PATH: ${.CURDIR}/../../contrib/pf/netinet
+
+KMOD=	pf
+SRCS = 	pf.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c \
+	in4_cksum.c \
+	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_random_ip_id.h
+
+CFLAGS+=  -Wall -I${.CURDIR}/../../contrib/pf
+
+opt_pf.h:
+	echo "#define DEV_PF 1" > opt_pf.h
+	echo "#define DEV_PFLOG 1" >> opt_pf.h
+	echo "#define DEV_PFSYNC 1" >> opt_pf.h
+
+opt_inet.h:
+	echo "#define INET 1" > opt_inet.h
+
+opt_inet6.h:
+	echo "#define INET6 1" > opt_inet6.h
+
+opt_bpf.h:
+	echo "#define DEV_BPF 1" > opt_bpf.h
+
+opt_random_ip_id.h:
+	echo "#define RANDOM_IP_ID 1" > opt_random_ip_id.h
+
+.include <bsd.kmod.mk>

sys/modules/pflog/Makefile

@@ -0,0 +1,25 @@
+# $FreeBSD$
+
+.PATH: ${.CURDIR}/../../contrib/pf/net
+
+KMOD=	pflog
+SRCS = 	if_pflog.c \
+	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h
+
+CFLAGS+=  -Wall -I${.CURDIR}/../../contrib/pf
+
+opt_pf.h:
+	echo "#define DEV_PF 1" > opt_pf.h
+	echo "#define DEV_PFLOG 1" >> opt_pf.h
+	echo "#define DEV_PFSYNC 1" >> opt_pf.h
+
+opt_inet.h:
+	echo "#define INET 1" > opt_inet.h
+
+opt_inet6.h:
+	echo "#define INET6 1" > opt_inet6.h
+
+opt_bpf.h:
+	echo "#define DEV_BPF 1" > opt_bpf.h
+
+.include <bsd.kmod.mk>

sys/modules/pfsync/Makefile

@@ -0,0 +1,25 @@
+# $FreeBSD$
+
+.PATH: ${.CURDIR}/../../contrib/pf/net
+
+KMOD=	pfsync
+SRCS = 	if_pfsync.c \
+	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h
+
+CFLAGS+=  -Wall -I${.CURDIR}/../../contrib/pf
+
+opt_pf.h:
+	echo "#define DEV_PF 1" > opt_pf.h
+	echo "#define DEV_PFLOG 1" >> opt_pf.h
+	echo "#define DEV_PFSYNC 1" >> opt_pf.h
+
+opt_inet.h:
+	echo "#define INET 1" > opt_inet.h
+
+opt_inet6.h:
+	echo "#define INET6 1" > opt_inet6.h
+
+opt_bpf.h:
+	echo "#define DEV_BPF 1" > opt_bpf.h
+
+.include <bsd.kmod.mk>

sys/net/bpf.h

@@ -250,6 +250,7 @@ struct bpf_hdr {
  * in capture-file headers.
  */
 #define DLT_PFLOG	117
+#define DLT_PFSYNC	121
 
 /*
  * Registered for Cisco-internal use.

sys/net/if_types.h

@@ -249,4 +249,6 @@
 #define	IFT_GIF		0xf0
 #define	IFT_PVC		0xf1
 #define	IFT_FAITH	0xf2
+#define	IFT_PFLOG	0xf6
+#define	IFT_PFSYNC	0xf7
 #endif /* !_NET_IF_TYPES_H_ */

sys/netinet/icmp_var.h

@@ -78,6 +78,7 @@ struct	icmpstat {
 
 #ifdef _KERNEL
 SYSCTL_DECL(_net_inet_icmp);
+extern struct icmpstat icmpstat;	/* icmp statistics */
 extern int badport_bandlim(int);
 #define BANDLIM_UNLIMITED -1
 #define BANDLIM_ICMP_UNREACH 0

sys/netinet/ip_icmp.c

@@ -82,7 +82,7 @@
  * host table maintenance routines.
  */
 
-static struct	icmpstat icmpstat;
+struct	icmpstat icmpstat;
 SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats, CTLFLAG_RW,
 	&icmpstat, icmpstat, "");
 
@@ -148,6 +148,7 @@ icmp_error(n, type, code, dest, destifp)
 	register unsigned oiplen = oip->ip_hl << 2;
 	register struct icmp *icp;
 	register struct mbuf *m;
+	register struct m_tag *mtag;
 	unsigned icmplen;
 
 #ifdef ICMPPRINTFS
@@ -235,6 +236,16 @@ icmp_error(n, type, code, dest, destifp)
 	nip->ip_hl = 5;
 	nip->ip_p = IPPROTO_ICMP;
 	nip->ip_tos = 0;
+	/* 
+	 * XXX: Move PF_GENERATED m_tag to new packet, if it exists.
+	 *	This should be replaced by unified flags/tags for
+	 *	pf/ipfw/ipf and future pfil_hook applications.
+	 */
+	mtag = m_tag_find(n, PACKET_TAG_PF_GENERATED, NULL);
+	if (mtag != NULL) {
+		m_tag_unlink(n, mtag);
+		m_tag_prepend(m, mtag);
+	}
 	icmp_reflect(m);
 
 freeit:

sys/netinet/ip_icmp.h

@@ -153,8 +153,11 @@ struct icmp {
 #define		ICMP_REDIRECT_HOST	1		/* for host */
 #define		ICMP_REDIRECT_TOSNET	2		/* for tos and net */
 #define		ICMP_REDIRECT_TOSHOST	3		/* for tos and host */
+#define	ICMP_ALTHOSTADDR	6		/* alternate host address */
 #define	ICMP_ECHO		8		/* echo service */
 #define	ICMP_ROUTERADVERT	9		/* router advertisement */
+#define		ICMP_ROUTERADVERT_NORMAL		0	/* normal advertisement */
+#define		ICMP_ROUTERADVERT_NOROUTE_COMMON	16	/* selective routing */
 #define	ICMP_ROUTERSOLICIT	10		/* router solicitation */
 #define	ICMP_TIMXCEED		11		/* time exceeded, code: */
 #define		ICMP_TIMXCEED_INTRANS	0		/* ttl==0 in transit */
@@ -169,8 +172,20 @@ struct icmp {
 #define	ICMP_IREQREPLY		16		/* information reply */
 #define	ICMP_MASKREQ		17		/* address mask request */
 #define	ICMP_MASKREPLY		18		/* address mask reply */
+#define	ICMP_TRACEROUTE		30		/* traceroute */
+#define	ICMP_DATACONVERR	31		/* data conversion error */
+#define	ICMP_MOBILE_REDIRECT	32		/* mobile host redirect */
+#define	ICMP_IPV6_WHEREAREYOU	33		/* IPv6 where-are-you */
+#define	ICMP_IPV6_IAMHERE	34		/* IPv6 i-am-here */
+#define	ICMP_MOBILE_REGREQUEST	35		/* mobile registration req */
+#define	ICMP_MOBILE_REGREPLY	36		/* mobile registration reply */
+#define	ICMP_SKIP		39		/* SKIP */
+#define	ICMP_PHOTURIS		40		/* Photuris */
+#define		ICMP_PHOTURIS_UNKNOWN_INDEX	1	/* unknown sec index */
+#define		ICMP_PHOTURIS_AUTH_FAILED	2	/* auth failed */
+#define		ICMP_PHOTURIS_DECRYPT_FAILED	3	/* decrypt failed */
 
-#define	ICMP_MAXTYPE		18
+#define	ICMP_MAXTYPE		40
 
 #define	ICMP_INFOTYPE(type) \
 	((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \

sys/netinet/ip_id.c

@@ -58,12 +58,13 @@
  */
 
 #include "opt_random_ip_id.h"
+#include "opt_pf.h"
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 #include <sys/random.h>
 
-#ifdef RANDOM_IP_ID
+#if defined(RANDOM_IP_ID) || defined(DEV_PF)
 #define RU_OUT  180		/* Time after wich will be reseeded */
 #define RU_MAX	30000		/* Uniq cycle, avoid blackjack prediction */
 #define RU_GEN	2		/* Starting generator */
@@ -208,4 +209,4 @@ ip_randomid(void)
 	return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x,RU_N)) | ru_msb;
 }
 
-#endif /* RANDOM_IP_ID */
+#endif /* RANDOM_IP_ID || DEV_PF */

sys/netinet6/in6_ifattach.c

@@ -668,8 +668,10 @@ in6_ifattach(ifp, altifp)
 	switch (ifp->if_type) {
 #ifdef IFT_BRIDGE	/* OpenBSD 2.8, NetBSD 1.6 */
 	case IFT_BRIDGE:
-		return;
 #endif
+	case IFT_PFLOG:
+	case IFT_PFSYNC:
+		return;
 	}
 
 	/*

sys/sys/limits.h

@@ -66,6 +66,9 @@
 #define	LONG_MAX	__LONG_MAX	/* max for a long */
 #define	LONG_MIN	__LONG_MIN	/* min for a long */
 
+#define	UID_MAX		UINT_MAX	/* max value for a uid_t */
+#define	GID_MAX		UINT_MAX	/* max value for a gid_t */
+
 #ifdef __LONG_LONG_SUPPORTED
 #define	ULLONG_MAX	__ULLONG_MAX	/* max for an unsigned long long */
 #define	LLONG_MAX	__LLONG_MAX	/* max for a long long */

sys/sys/mbuf.h

@@ -552,6 +552,11 @@ struct	mbuf *
 #define	PACKET_TAG_DIVERT			17 /* divert info */
 #define	PACKET_TAG_IPFORWARD			18 /* ipforward info */
 #define	PACKET_TAG_MACLABEL	(19 | MTAG_PERSISTENT) /* MAC label */
+#define	PACKET_TAG_PF_GENERATED	(20 | MTAG_PERSISTENT) /* PF, pass always */
+#define	PACKET_TAG_PF_ROUTED			21 /* PF routed, avoid loops */
+#define	PACKET_TAG_PF_FRAGCACHE			22 /* PF fragment cached */
+#define	PACKET_TAG_PF_QID			23 /* PF ALTQ queue id */
+#define	PACKET_TAG_PF_TAG			24 /* PF tagged */
 
 /* Packet tag routines. */
 struct	m_tag 	*m_tag_alloc(u_int32_t, int, int, int);