-rw-r--r--sys/net/if_pfsync.c14
-rw-r--r--sys/net/pf.c97
-rw-r--r--sys/net/pf_ioctl.c11
-rw-r--r--sys/net/pfvar.h7
4 files changed, 28 insertions, 101 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 5d2e1ebd1f8..1c4950dac5b 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.132 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.133 2009/11/23 16:03:10 henning Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -430,8 +430,6 @@ pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
sp->state_flags = st->state_flags;
if (st->src_node)
sp->sync_flags |= PFSYNC_FLAG_SRCNODE;
- if (st->nat_src_node)
- sp->sync_flags |= PFSYNC_FLAG_NATSRCNODE;
bcopy(&st->id, &sp->id, sizeof(sp->id));
sp->creatorid = st->creatorid;
@@ -446,10 +444,7 @@ pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
sp->anchor = htonl(-1);
else
sp->anchor = htonl(st->anchor.ptr->nr);
- if (st->nat_rule.ptr == NULL)
- sp->nat_rule = htonl(-1);
- else
- sp->nat_rule = htonl(st->nat_rule.ptr->nr);
+ sp->nat_rule = htonl(-1); /* left for compat, nat_rule is gone */
pf_state_counter_hton(st->packets[0], sp->packets[0]);
pf_state_counter_hton(st->packets[1], sp->packets[1]);
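Review bot: The compat comment on the new `sp->nat_rule = htonl(-1);` line should say what a receiver is expected to do with the slot, because a peer still running the previous revision will put a real rule number there (and may still set PFSYNC_FLAG_NATSRCNODE, which the earlier hunk of this file stops emitting), and nothing in this change shows the importer reading either — the pfsync_state_import hunk only drops the `st->nat_rule.ptr = NULL` assignment. Suggested wording: `/* nat_rule is gone; slot kept only for wire compat. Older peers may still send a real rule number here -- the import side must ignore it. */`. pfsync_state_export continues outside the hunk.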
@@ -572,14 +567,13 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
pf_state_peer_ntoh(&sp->dst, &st->dst);
st->rule.ptr = r;
- st->nat_rule.ptr = NULL;
st->anchor.ptr = NULL;
st->rt_kif = NULL;
st->pfsync_time = time_uptime;
st->sync_state = PFSYNC_S_NONE;
- /* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
+ /* XXX when we have anchors, use STATE_INC_COUNTERS */
r->states_cur++;
r->states_tot++;
@@ -587,7 +581,7 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t flags)
SET(st->state_flags, PFSTATE_NOSYNC);
if (pf_state_insert(kif, skw, sks, st) != 0) {
- /* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
+ /* XXX when we have anchors, use STATE_DEC_COUNTERS */
r->states_cur--;
error = EEXIST;
goto cleanup_state;
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 552bf56e423..3e93613aee2 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.670 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.671 2009/11/23 16:03:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -275,10 +275,6 @@ enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
s->anchor.ptr->states_cur++; \
s->anchor.ptr->states_tot++; \
} \
- if (s->nat_rule.ptr != NULL) { \
- s->nat_rule.ptr->states_cur++; \
- s->nat_rule.ptr->states_tot++; \
- } \
SLIST_FOREACH(mrm, &s->match_rules, entry) { \
mrm->r->states_cur++; \
mrm->r->states_tot++; \
@@ -288,8 +284,6 @@ enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_SOLICITED, PF_ICMP_MULTI_LINK };
#define STATE_DEC_COUNTERS(s) \
do { \
struct pf_rule_item *mrm; \
- if (s->nat_rule.ptr != NULL) \
- s->nat_rule.ptr->states_cur--; \
if (s->anchor.ptr != NULL) \
s->anchor.ptr->states_cur--; \
s->rule.ptr->states_cur--; \
@@ -1103,16 +1097,7 @@ pf_src_tree_remove_state(struct pf_state *s)
s->src_node->expire = time_second + timeout;
}
}
- if (s->nat_src_node != s->src_node && s->nat_src_node != NULL) {
- if (--s->nat_src_node->states <= 0) {
- timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
- if (!timeout)
- timeout =
- pf_default_rule.timeout[PFTM_SRC_NODE];
- s->nat_src_node->expire = time_second + timeout;
- }
- }
- s->src_node = s->nat_src_node = NULL;
+ s->src_node = NULL;
}
/* callers should be at splsoftnet */
@@ -1162,10 +1147,6 @@ pf_free_state(struct pf_state *cur)
if (--cur->rule.ptr->states_cur <= 0 &&
cur->rule.ptr->src_nodes <= 0)
pf_rm_rule(NULL, cur->rule.ptr);
- if (cur->nat_rule.ptr != NULL)
- if (--cur->nat_rule.ptr->states_cur <= 0 &&
- cur->nat_rule.ptr->src_nodes <= 0)
- pf_rm_rule(NULL, cur->nat_rule.ptr);
if (cur->anchor.ptr != NULL)
if (--cur->anchor.ptr->states_cur <= 0)
pf_rm_rule(NULL, cur->anchor.ptr);
@@ -5415,7 +5396,7 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0;
struct ip *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
+ struct pf_rule *a = NULL, *r = &pf_default_rule;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -5688,16 +5669,10 @@ done:
}
if (log) {
- struct pf_rule *lr;
struct pf_rule_item *ri;
- if (s != NULL && s->nat_rule.ptr != NULL &&
- s->nat_rule.ptr->log & PF_LOG_ALL)
- lr = s->nat_rule.ptr;
- else
- lr = r;
- if (log & PF_LOG_FORCE || lr->log & PF_LOG_ALL)
- PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, lr, a,
+ if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
+ PFLOG_PACKET(kif, h, m, AF_INET, dir, reason, r, a,
ruleset, &pd);
if (s) {
SLIST_FOREACH(ri, &s->match_rules, entry)
@@ -5721,18 +5696,10 @@ done:
if (s != NULL) {
struct pf_rule_item *ri;
- if (s->nat_rule.ptr != NULL) {
- s->nat_rule.ptr->packets[dirndx]++;
- s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
- }
if (s->src_node != NULL) {
s->src_node->packets[dirndx]++;
s->src_node->bytes[dirndx] += pd.tot_len;
}
- if (s->nat_src_node != NULL) {
- s->nat_src_node->packets[dirndx]++;
- s->nat_src_node->bytes[dirndx] += pd.tot_len;
- }
dirndx = (dir == s->direction) ? 0 : 1;
s->packets[dirndx]++;
s->bytes[dirndx] += pd.tot_len;
@@ -5741,24 +5708,20 @@ done:
ri->r->bytes[dirndx] += pd.tot_len;
}
}
- tr = r;
- nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
- if (nr != NULL && r == &pf_default_rule)
- tr = nr;
- if (tr->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->src.addr.p.tbl,
+ if (r->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(r->src.addr.p.tbl,
(s == NULL) ? pd.src :
&s->key[(s->direction == PF_IN)]->
addr[(s->direction == PF_OUT)],
pd.af, pd.tot_len, dir == PF_OUT,
- r->action == PF_PASS, tr->src.neg);
- if (tr->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->dst.addr.p.tbl,
+ r->action == PF_PASS, r->src.neg);
+ if (r->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(r->dst.addr.p.tbl,
(s == NULL) ? pd.dst :
&s->key[(s->direction == PF_IN)]->
addr[(s->direction == PF_IN)],
pd.af, pd.tot_len, dir == PF_OUT,
- r->action == PF_PASS, tr->dst.neg);
+ r->action == PF_PASS, r->dst.neg);
}
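Review bot: With `tr`/`nr` gone, the two pfr_update_stats calls are driven only by `r`, so a packet that passes on pf_default_rule no longer credits the table that selected it; the removed lines `if (nr != NULL && r == &pf_default_rule) tr = nr;` existed precisely for that case. If address rewriting now rides on match rules, a `match ... from <table> ...` with no explicit pass rule behind it would still bump the per-rule packet/byte counters through the `s->match_rules` loop above this hunk but would never update the table statistics, which is a silent regression for anyone who watches table counters. Unless that accounting is intended to happen elsewhere, I would walk `s->match_rules` here too and call pfr_update_stats for each match rule whose src/dst is a PF_ADDR_TABLE, with the same key-address selection the `r` calls use. pf_test's `done:` block continues outside the hunk.
```c
		/* … unchanged: pfr_update_stats() calls for r->src / r->dst … */
		if (s != NULL) {
			struct pf_rule_item *ri;

			SLIST_FOREACH(ri, &s->match_rules, entry) {
				if (ri->r->src.addr.type == PF_ADDR_TABLE)
					pfr_update_stats(ri->r->src.addr.p.tbl,
					    &s->key[(s->direction == PF_IN)]->
					    addr[(s->direction == PF_OUT)],
					    pd.af, pd.tot_len, dir == PF_OUT,
					    r->action == PF_PASS, ri->r->src.neg);
				if (ri->r->dst.addr.type == PF_ADDR_TABLE)
					pfr_update_stats(ri->r->dst.addr.p.tbl,
					    &s->key[(s->direction == PF_IN)]->
					    addr[(s->direction == PF_IN)],
					    pd.af, pd.tot_len, dir == PF_OUT,
					    r->action == PF_PASS, ri->r->dst.neg);
			}
		}
```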
switch (action) {
@@ -5793,7 +5756,7 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
u_short action, reason = 0, log = 0;
struct mbuf *m = *m0, *n = NULL;
struct ip6_hdr *h;
- struct pf_rule *a = NULL, *r = &pf_default_rule, *tr, *nr;
+ struct pf_rule *a = NULL, *r = &pf_default_rule;
struct pf_state *s = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
@@ -6142,17 +6105,9 @@ done:
action = PF_DIVERT;
}
- if (log) {
- struct pf_rule *lr;
-
- if (s != NULL && s->nat_rule.ptr != NULL &&
- s->nat_rule.ptr->log & PF_LOG_ALL)
- lr = s->nat_rule.ptr;
- else
- lr = r;
- PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, lr, a, ruleset,
+ if (log)
+ PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a, ruleset,
&pd);
- }
kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS] += pd.tot_len;
kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS]++;
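Review bot: After this change pf_test6 logs with a bare `if (log) PFLOG_PACKET(..., r, ...)`, while the IPv4 path in the same commit gates that call on `log & PF_LOG_FORCE || r->log & PF_LOG_ALL` and then walks `s->match_rules` to log each match rule on its own; the IPv6 path does neither, so a `match log` rule that now does the nat work (the nat rule used to be consulted via `lr` right here) produces pflog records for IPv4 but not for IPv6 traffic, unless that loop lives in a part of pf_test6 I cannot see. That is an audit gap rather than a crash, but logs of address-rewriting rules are exactly what incident reconstruction relies on. I would mirror the pf_test structure; the body of the IPv4 per-match-rule loop is outside its hunk, so the `ri->r->log & PF_LOG_ALL` condition below is my assumption of what it checks — copy the real one. pf_test6's `done:` block continues outside the hunk.
```c
	if (log) {
		struct pf_rule_item *ri;

		if (log & PF_LOG_FORCE || r->log & PF_LOG_ALL)
			PFLOG_PACKET(kif, h, m, AF_INET6, dir, reason, r, a,
			    ruleset, &pd);
		if (s) {
			SLIST_FOREACH(ri, &s->match_rules, entry)
				if (ri->r->log & PF_LOG_ALL)
					PFLOG_PACKET(kif, h, m, AF_INET6, dir,
					    reason, ri->r, a, ruleset, &pd);
		}
	}
	/* … unchanged: kif->pfik_bytes / pfik_packets accounting … */
```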
@@ -6166,38 +6121,26 @@ done:
a->bytes[dirndx] += pd.tot_len;
}
if (s != NULL) {
- if (s->nat_rule.ptr != NULL) {
- s->nat_rule.ptr->packets[dirndx]++;
- s->nat_rule.ptr->bytes[dirndx] += pd.tot_len;
- }
if (s->src_node != NULL) {
s->src_node->packets[dirndx]++;
s->src_node->bytes[dirndx] += pd.tot_len;
}
- if (s->nat_src_node != NULL) {
- s->nat_src_node->packets[dirndx]++;
- s->nat_src_node->bytes[dirndx] += pd.tot_len;
- }
dirndx = (dir == s->direction) ? 0 : 1;
s->packets[dirndx]++;
s->bytes[dirndx] += pd.tot_len;
}
- tr = r;
- nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule;
- if (nr != NULL && r == &pf_default_rule)
- tr = nr;
- if (tr->src.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->src.addr.p.tbl,
+ if (r->src.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(r->src.addr.p.tbl,
(s == NULL) ? pd.src :
&s->key[(s->direction == PF_IN)]->addr[0],
pd.af, pd.tot_len, dir == PF_OUT,
- r->action == PF_PASS, tr->src.neg);
- if (tr->dst.addr.type == PF_ADDR_TABLE)
- pfr_update_stats(tr->dst.addr.p.tbl,
+ r->action == PF_PASS, r->src.neg);
+ if (r->dst.addr.type == PF_ADDR_TABLE)
+ pfr_update_stats(r->dst.addr.p.tbl,
(s == NULL) ? pd.dst :
&s->key[(s->direction == PF_IN)]->addr[1],
pd.af, pd.tot_len, dir == PF_OUT,
- r->action == PF_PASS, tr->dst.neg);
+ r->action == PF_PASS, r->dst.neg);
}
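Review bot: The two pfr_update_stats calls rewritten here still index the state key with the constants `addr[0]` and `addr[1]`, whereas the IPv4 counterpart in this same commit uses `addr[(s->direction == PF_OUT)]` for src and `addr[(s->direction == PF_IN)]` for dst; the two forms agree for PF_IN states and diverge for PF_OUT states, so one of the two paths credits the wrong table entry for outbound states. This is pre-existing (those are context lines the change does not touch), but since the hunk rewrites these calls anyway it is the moment to make pf_test6 match pf_test: `&s->key[(s->direction == PF_IN)]->addr[(s->direction == PF_OUT)],` in the src call and `&s->key[(s->direction == PF_IN)]->addr[(s->direction == PF_IN)],` in the dst call, assuming the IPv4 form is the intended one. pf_test6's `done:` block continues outside the hunk.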
switch (action) {
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 0602a298466..013c27c72b0 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.226 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.227 2009/11/23 16:03:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2793,10 +2793,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
struct pf_src_node *n;
struct pf_state *state;
- RB_FOREACH(state, pf_state_tree_id, &tree_id) {
+ RB_FOREACH(state, pf_state_tree_id, &tree_id)
state->src_node = NULL;
- state->nat_src_node = NULL;
- }
RB_FOREACH(n, pf_src_tree, &tree_src_tracking) {
n->expire = 1;
n->states = 0;
@@ -2825,12 +2823,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
/* Handle state to src_node linkage */
if (sn->states != 0) {
RB_FOREACH(s, pf_state_tree_id,
- &tree_id) {
+ &tree_id)
if (s->src_node == sn)
s->src_node = NULL;
- if (s->nat_src_node == sn)
- s->nat_src_node = NULL;
- }
sn->states = 0;
}
sn->expire = 1;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 398eb806c94..8f153cd49bd 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.299 2009/11/22 22:34:50 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.300 2009/11/23 16:03:10 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -344,7 +344,6 @@ struct pfi_dynaddr {
(neg) \
)
-
struct pf_rule_uid {
uid_t uid[2];
u_int8_t op;
@@ -393,7 +392,6 @@ struct pf_pool {
u_int8_t opts;
};
-
/* A packed Operating System description for fingerprinting */
typedef u_int32_t pf_osfp_t;
#define PF_OSFP_ANY ((pf_osfp_t)0)
@@ -768,13 +766,11 @@ struct pf_state {
struct pf_rule_slist match_rules;
union pf_rule_ptr rule;
union pf_rule_ptr anchor;
- union pf_rule_ptr nat_rule;
struct pf_addr rt_addr;
struct pf_state_key *key[2]; /* addresses stack and wire */
struct pfi_kif *kif;
struct pfi_kif *rt_kif;
struct pf_src_node *src_node;
- struct pf_src_node *nat_src_node;
u_int64_t packets[2];
u_int64_t bytes[2];
u_int32_t creation;
@@ -1134,7 +1130,6 @@ struct pf_pdesc {
void *any;
} hdr;
- struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */
struct ether_header
*eh;
struct pf_addr *src; /* src address */