authorCedric Berger <cedric@cvs.openbsd.org>2003-09-26 21:44:10 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-09-26 21:44:10 +0000
commit21ee0f9ceb87b49a8d22ccccf781aaa0955725ef (patch)
tree985658c81572fcf0d3626c19a360b7ec20878add /sbin/pfctl/pfctl_parser.c
parent759e80db3df46eb4e1e8d02d28f6df859e880ec9 (diff)
Rearchitecture of the userland/kernel IOCTL interface for transactions.
This brings us close to 100% atomicity for a "pfctl -f pf.conf" command. (some splxxx work remains in the kernel). Basically, improvements are: - Anchors/Rulesets cannot disappear unexpectedly anymore. - No more leftover in the kernel if "pfctl -f" fails. - Commit is now done in a single atomic IOCTL. WARNING: The kernel code is fully backward compatible, but the new pfctl/authpf userland utilities will only run on a new kernel. The following ioctls are deprecated (i.e. will be deleted sooner or later, depending on how many 3rd party utilities use them and how soon they can be upgraded): - DIOCBEGINRULES - DIOCCOMMITRULES - DIOCBEGINALTQS - DIOCCOMMITALTQS - DIOCRINABEGIN - DIOCRINADEFINE They are replaced by the following ioctls (yes, PF(4) will follow) which operate on a vector of rulesets: - DIOCXBEGIN - DIOCXCOMMIT - DIOCXROLLBACK Ok dhartmei@ mcbride@
Diffstat (limited to 'sbin/pfctl/pfctl_parser.c')
-rw-r--r--sbin/pfctl/pfctl_parser.c45
1 files changed, 44 insertions, 1 deletions
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 7c051ac4bd4..24d5c3fc13c 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.175 2003/09/18 20:27:58 cedric Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.176 2003/09/26 21:44:09 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -31,6 +31,7 @@
*/
#include <sys/types.h>
+#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
@@ -1284,3 +1285,45 @@ append_addr_host(struct pfr_buffer *b, struct node_host *n, int test, int not)
return (0);
}
+
+int
+pfctl_add_trans(struct pfr_buffer *buf, int rs_num, const char *anchor,
+ const char *ruleset)
+{
+ struct pfioc_trans_e trans;
+
+ bzero(&trans, sizeof(trans));
+ trans.rs_num = rs_num;
+ if (strlcpy(trans.anchor, anchor,
+ sizeof(trans.anchor)) >= sizeof(trans.anchor) ||
+ strlcpy(trans.ruleset, ruleset,
+ sizeof(trans.ruleset)) >= sizeof(trans.ruleset))
+ errx(1, "pfctl_add_trans: strlcpy");
+
+ return pfr_buf_add(buf, &trans);
+}
+
+u_int32_t
+pfctl_get_ticket(struct pfr_buffer *buf, int rs_num, const char *anchor,
+ const char *ruleset)
+{
+ struct pfioc_trans_e *p;
+
+ PFRB_FOREACH(p, buf)
+ if (rs_num == p->rs_num && !strcmp(anchor, p->anchor) &&
+ !strcmp(ruleset, p->ruleset))
+ return (p->ticket);
+ errx(1, "pfr_get_ticket: assertion failed");
+}
+
+int
+pfctl_trans(int dev, struct pfr_buffer *buf, int cmd, int from)
+{
+ struct pfioc_trans trans;
+
+ bzero(&trans, sizeof(trans));
+ trans.size = buf->pfrb_size - from;
+ trans.esize = sizeof(struct pfioc_trans_e);
+ trans.array = ((struct pfioc_trans_e *)buf->pfrb_caddr) + from;
+ return ioctl(dev, cmd, &trans);
+}
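Review bot: The diagnostic in `pfctl_get_ticket` names the wrong function — `errx(1, "pfr_get_ticket: assertion failed");` reports as `pfr_get_ticket`, which points anyone debugging a failed ticket lookup at the pfr_* table code instead of this helper; change it to `errx(1, "pfctl_get_ticket: assertion failed");`. Because errx() does not return, the absent `return` after the PFRB_FOREACH loop is correct, but a compiler that lacks the noreturn annotation will warn about it, so a `/* NOTREACHED */` comment after the errx call would document the intent. In `pfctl_trans`, `trans.size = buf->pfrb_size - from` and the `+ from` pointer offset are computed without checking that `from` lies within the buffer; if a caller ever passes a stale or negative offset, the ioctl is handed a wrong element count and an array pointer outside `pfrb_caddr`, so a guard such as `if (from < 0 || from > buf->pfrb_size) errx(1, "pfctl_trans: bad offset");` would make the helper fail loudly in userland. The type of `pfrb_size` is not visible in this hunk, so the exact comparison should be confirmed against the struct definition.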