authorCedric Berger <cedric@cvs.openbsd.org>2003-01-09 10:40:46 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-01-09 10:40:46 +0000
commitef9a4fa0481b3db31c30b68a6257c7a03c593c18 (patch)
tree1f05dbe8255eb7156a2b2e4a4b80524c15b16b6e /share
parentf3ba1b333f3d2c3a0007a91bf2ec133aae943748 (diff)
Add support for active/inactive tablesets in the kernel.
Add table definition/initialisation construct in pfctl parser. Add and fix documentation for pf.4 and pf.conf.5. Tested on i386 and sparc64 by myself, macppc by Daniel. ok dhartmei@
Diffstat (limited to 'share')
-rw-r--r--share/man/man4/pf.460
-rw-r--r--share/man/man5/pf.conf.581
2 files changed, 118 insertions, 23 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index e62ddc10572..69c8bf460c7 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.25 2002/12/29 20:07:34 cedric Exp $
+.\" $OpenBSD: pf.4,v 1.26 2003/01/09 10:40:44 cedric Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -377,9 +377,14 @@ struct pfioc_table {
int pfrio_ndel;
int pfrio_nchange;
int pfrio_flags;
+ int pfrio_ticket;
};
#define pfrio_exists pfrio_nadd
#define pfrio_nzero pfrio_nadd
+#define pfrio_nmatch pfrio_nadd
+#define pfrio_naddr pfrio_size2
+#define pfrio_setflag pfrio_size2
+#define pfrio_clrflag pfrio_nadd
.Ed
.It Dv DIOCRADDTABLES Fa "struct pfioc_table"
Creates one or more tables.
@@ -412,12 +417,12 @@ Add one or more addresses to a table.
On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size]
contains the list of pfr_addr structures to add.
On exit, pfrio_nadd contains the number of addresses effectively added.
-.It Dv DIOCRDELTABLES Fa "struct pfioc_table"
+.It Dv DIOCRDELADDRS Fa "struct pfioc_table"
Delete one or more addresses from a table.
On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size]
contains the list of pfr_addr structures to delete.
On exit, pfrio_ndel contains the number of addresses effectively deleted.
-.It Dv DIOCRSETTABLES Fa "struct pfioc_table"
+.It Dv DIOCRSETADDRS Fa "struct pfioc_table"
Replace the content of a table by a new address list.
This is the most complicated command, which uses all the structure members.
On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size]
@@ -450,22 +455,39 @@ On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size]
contains a table of pfr_addr structures to test.
On exit, the kernel update the pfr_addr table by setting the pfra_fback
member appropriately.
-.It Dv DIOCRWRAPTABLE Fa "struct pfioc_table"
-Compute the SHA1 hash of a table and pack it into a pf_addr_wrap structure,
-along with a magic mask in the first word of the mask.
-On entry, pfrio_table contain the table id, and pfrio_buffer[pfrio_size]
-should contain a buffer large enough to contain one pf_addr_wrap structure.
-If the kernel should check if the table exists, then pfrio_exists must be
-set to a nonzero value.
-On exit, the kernel fill the pf_addr_wrap structure and set pfrio_exists
-if that flag was requested.
-.It Dv DIOCRUNWRTABLE Fa "struct pfioc_table"
-Do the opposite of
-.Dv DIOCRWRAPTABLE, and lookup a table from its hash value.
-On entry, pfrio_buffer[pfrio_size] should point to a pf_addr_wrap structure
-(a one-entry table).
-On exit, the kernel fills pfrio_table or returns ENOENT if it cannot find
-the matching table.
+.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table"
+Change the
+.Va const
+or
+.Va persist
+flag of a table.
+On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures,
+and pfrio_setflag contain the flags to add, while pfrio_clrflag the flags to
+remove.
+On exit, pfrio_nchange and pfrio_ndel contains the number of tables altered
+or deleted by the kernel. Yes, tables can be deleted if one remove the
+.Va persist
+flag of an unreferenced table.
+.It Dv DIOCRINABEGIN Fa "struct pfioc_table"
+Starts a transaction with the inactive set of tables. Cleans up any leftover
+from a previous aborted transaction, and returns a new ticket.
+On exit, pfrio_ndel contains the number of leftover table deleted, and
+pfrio_ticket contain a valid ticket to use for the following two IOCTLs.
+.It Dv DIOCRINACOMMIT Fa "struct pfioc_table"
+Commit the inactive set of tables into the active set. While copying the
+addresses, do a best effort to keep statistics for addresses present before
+and after the commit.
+On entry, io->pfrio_ticket takes a valid ticket.
+On exit, io->pfrio_nadd and io->pfrio_nchange contains the number of tables
+added and altered by the commit operation.
+.It Dv DIOCRINADEFINE Fa "struct pfioc_table"
+Defines a table in the inactive set.
+On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size]
+contains the list of pfr_addr structures to put in the table. A valid ticket
+must also be supplied to pfrio_ticket.
+On exit, pfrio_nadd contains 0 if the table was already defined in the
+inactive list, or 1 if a new table has been created. pfrio_naddr contains
+the number of addresses effectively put in the table.
.El
.Sh EXAMPLES
The following example demonstrates how to use the DIOCNATLOOK command
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 761b6a80997..ebd120a5ce0 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.162 2002/12/30 23:58:46 mcbride Exp $
+.\" $OpenBSD: pf.conf.5,v 1.163 2003/01/09 10:40:44 cedric Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -40,7 +40,7 @@ packet filter modifies, drops or passes packets according to rules or
definitions specified in
.Nm pf.conf .
.Pp
-There are six types of statement in
+There are seven types of statement in
.Nm pf.conf :
.Bl -tag -width xxxx
.It Macros
@@ -59,6 +59,10 @@ other addresses.
.It Packet Filtering
Stateful and stateless packet filtering provides rule-based blocking or
passing of packets.
+.It Table Definition
+Radix tables provide an effective way to match the source or destination
+address of packets against big and changing collections of addresses and
+CIDR networks.
.El
.Pp
The types of statement should be grouped and appear in
@@ -724,11 +728,13 @@ addresses and ports.
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names or interface names, or as any of the following keywords:
.Pp
-.Bl -tag -width no-route -compact
+.Bl -tag -width "<table>" -compact
.It Pa any
Means any address.
.It Pa no-route
Means any address which is not currently routable.
+.It Pa <table>
+Means any address that matches the given table.
.El
.Pp
Host name resolution and interface to address translation are done at
@@ -1013,6 +1019,69 @@ option prevents
.Xr pf 4
from modifying the source port on tcp and udp packets.
.El
+.Sh TABLES
+Tables are named structures which can hold a collections of addresses and
+networks.
+Internally, they are implemented as PATRICIA trees, like the kernel routing
+table.
+Tables can be used as the source or destination of filter rules,
+.Pa scrub
+rules
+or
+.Pa nat
+rules where it makes sense.
+They cannot, however, be used for things like the redirect address of a
+.Pa rdr
+rule,
+.Pa dup-to
+construct or similar, as one would guess.
+.Pp
+Tables may be defined with the following two attributes:
+.Bl -tag -width persist
+.It Pa persist
+The
+.Pa persist
+flag inform the kernel that we want to keep the table even when no rule
+refer to that table.
+If that flag is not set, the kernel will automagically remove the table
+when the last rule refering to it is flushed.
+.It Pa const
+The
+.Pa const
+flag prevent the user to alter the content of the table once it has been
+created.
+Without that flag,
+.Xr pfctl 8
+can be used to add or remove addresses from the table at any time, even
+when running with
+.Xr securelevel 7
+= 2.
+.El
+.Pp
+Tables can be defined with any of the following
+.Xr pfctl 8
+mechanism:
+.Bl -tag -width "manually"
+.It Pa manually
+Persistant tables can be manually created with the
+.Pa create
+option of pfctl, before or after the ruleset has been loaded.
+.It Pa pf.conf
+Table definitions can be placed directly in this file, and loaded at the
+same time as other rules are loaded, atomically.
+Table definitions inside
+.Pa pf.conf
+use the
+.Pa table
+statement, and are especially useful to define non-persistant tables.
+The content of preexisting tables defined without initializer ('{' and '}')
+is not altered when (re-)loaded from
+.Pa pf.conf.
+.El
+.Pp
+When the resolver is called to add a hostname to a table,
+.Pa all
+resulting IP addresses are placed into the table, IPv4 as well as IPv6.
.Sh STATEFUL INSPECTION
.Xr pf 4
is a stateful packet filter, which means it can track the state of
@@ -1590,6 +1659,9 @@ rdr-rule = [ "no" ] "rdr" "on" ifspec [ af ] [ protospec ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" ) [ af ]
+table-rule = "table "<" tablename ">" [ "persist" ] [ "const" ]
+ [ "{" [ table-address [ "," ] ]* "}" ]
+
altq-rule = "altq" "on" interface-name queueopts-list
"queue" queue-list
queue-rule = "queue" string queueopts-list queue-list
@@ -1627,11 +1699,12 @@ hosts = "all" |
"{" host-list "}" ) [ port ]
ipspec = "any" | host | "{" host-list "}"
-host = [ "!" ] address [ "/" mask-bits ]
+host = [ "!" ] ( address [ "/" mask-bits ] | "<" table ">" )
redirhost = address [ "/" mask-bits ]
routehost = ( interface-name [ address [ "/" mask-bits ] ] )
address = ( interface-name | "(" interface-name ")" | host-name |
ipv4-dotted-quad | ipv6-coloned-hex )
+table-address = hostname | ipv4-dotted-quad | ipv6-coloned-hex
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [","] redirhost-list ]
routehost-list = routehost [ [","] routehost-list ]