-rw-r--r--sys/net/if_pflog.c16
-rw-r--r--sys/net/pf.c44
-rw-r--r--sys/net/pf_ioctl.c19
-rw-r--r--sys/net/pf_lb.c21
-rw-r--r--sys/net/pf_norm.c17
-rw-r--r--sys/net/pf_osfp.c14
-rw-r--r--sys/net/pf_table.c14
-rw-r--r--sys/net/pfvar.h63
-rw-r--r--sys/net/pfvar_priv.h109
9 files changed, 187 insertions, 130 deletions
diff --git a/sys/net/if_pflog.c b/sys/net/if_pflog.c
index fc3aa9ed802..d9daa9f195c 100644
--- a/sys/net/if_pflog.c
+++ b/sys/net/if_pflog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pflog.c,v 1.74 2016/04/29 08:55:03 krw Exp $ */
+/* $OpenBSD: if_pflog.c,v 1.75 2016/10/26 21:07:22 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -52,9 +52,9 @@
#include <netinet/in.h>
#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
#ifdef INET6
#include <netinet/ip6.h>
@@ -62,6 +62,7 @@
#endif /* INET6 */
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#include <net/if_pflog.h>
#define PFLOGMTU (32768 + MHLEN + MLEN)
@@ -297,16 +298,7 @@ pflog_bpfcopy(const void *src_arg, void *dst_arg, size_t len)
u_int count;
u_char *dst, *mdst;
int afto, hlen, mlen, off;
- union pf_headers {
- struct tcphdr tcp;
- struct udphdr udp;
- struct icmp icmp;
-#ifdef INET6
- struct icmp6_hdr icmp6;
- struct mld_hdr mld;
- struct nd_neighbor_solicit nd_ns;
-#endif /* INET6 */
- } pdhdrs;
+ union pf_headers pdhdrs;
struct pf_pdesc pd;
struct pf_addr osaddr, odaddr;
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 455e65d8e88..cd9eeeaa899 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.993 2016/10/20 23:18:43 sashan Exp $ */
+/* $OpenBSD: pf.c,v 1.994 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -63,20 +63,29 @@
#include <netinet/in.h>
#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_seq.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/in_pcb.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <netinet/tcp_fsm.h>
+#include <netinet/udp.h>
#include <netinet/udp_var.h>
-#include <netinet/icmp_var.h>
#include <netinet/ip_divert.h>
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+#include <netinet/icmp6.h>
+#include <netinet6/nd6.h>
+#include <netinet6/ip6_divert.h>
+#endif /* INET6 */
+
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#if NPFLOG > 0
#include <net/if_pflog.h>
@@ -90,15 +99,6 @@
#include <net/if_pfsync.h>
#endif /* NPFSYNC > 0 */
-#ifdef INET6
-#include <netinet6/in6_var.h>
-#include <netinet/ip6.h>
-#include <netinet6/ip6_var.h>
-#include <netinet/icmp6.h>
-#include <netinet6/nd6.h>
-#include <netinet6/ip6_divert.h>
-#endif /* INET6 */
-
#ifdef DDB
#include <machine/db_machdep.h>
#include <ddb/db_interface.h>
@@ -126,22 +126,6 @@ struct pf_anchor_stackframe {
struct pf_anchor *child;
} pf_anchor_stack[64];
-/*
- * Cannot fold into pf_pdesc directly, unknown storage size outside pf.c.
- * Keep in sync with union pf_headers in pflog_bpfcopy() in if_pflog.c.
- */
-union pf_headers {
- struct tcphdr tcp;
- struct udphdr udp;
- struct icmp icmp;
-#ifdef INET6
- struct icmp6_hdr icmp6;
- struct mld_hdr mld;
- struct nd_neighbor_solicit nd_ns;
-#endif /* INET6 */
-};
-
-
struct pool pf_src_tree_pl, pf_rule_pl, pf_queue_pl;
struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl;
struct pool pf_rule_item_pl, pf_sn_item_pl;
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 1c30c4bdad0..6c774eb6bbf 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.302 2016/09/27 04:57:17 dlg Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.303 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -55,6 +55,8 @@
#include <sys/syslog.h>
#include <uvm/uvm_extern.h>
+#include <crypto/md5.h>
+
#include <net/if.h>
#include <net/if_var.h>
#include <net/route.h>
@@ -62,22 +64,25 @@
#include <netinet/in.h>
#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#endif /* INET6 */
-#include <crypto/md5.h>
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#if NPFSYNC > 0
#include <netinet/ip_ipsp.h>
#include <net/if_pfsync.h>
#endif /* NPFSYNC > 0 */
-#ifdef INET6
-#include <netinet/ip6.h>
-#include <netinet/in_pcb.h>
-#endif /* INET6 */
-
void pfattach(int);
void pf_thread_create(void *);
int pfopen(dev_t, int, int, struct proc *);
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 93b73ebe86a..a9328cbb4bd 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.57 2016/09/27 04:57:17 dlg Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.58 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -61,18 +61,24 @@
#include <netinet/in.h>
#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/icmp_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_seq.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
#include <netinet/tcp_timer.h>
+#include <netinet/udp.h>
#include <netinet/udp_var.h>
-#include <netinet/icmp_var.h>
#include <netinet/if_ether.h>
-#include <netinet/in_pcb.h>
+
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#endif /* INET6 */
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#if NPFLOG > 0
#include <net/if_pflog.h>
@@ -86,11 +92,6 @@
#include <net/if_pfsync.h>
#endif /* NPFSYNC > 0 */
-#ifdef INET6
-#include <netinet/ip6.h>
-#include <netinet/icmp6.h>
-#endif /* INET6 */
-
u_int64_t pf_hash(struct pf_addr *, struct pf_addr *,
struct pf_poolhashkey *, sa_family_t);
int pf_get_sport(struct pf_pdesc *, struct pf_rule *,
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 043ba6b54b7..6a68280d54b 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.194 2016/09/27 04:57:17 dlg Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.195 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -40,28 +40,29 @@
#include <sys/pool.h>
#include <sys/syslog.h>
+#include <net/if.h>
+#include <net/if_var.h>
+#include <net/if_pflog.h>
+
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
+#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
#include <netinet/tcp_seq.h>
#include <netinet/tcp_fsm.h>
#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-
-#include <net/if.h>
-#include <net/if_var.h>
-#include <net/if_pflog.h>
#ifdef INET6
+#include <netinet6/in6_var.h>
#include <netinet/ip6.h>
#include <netinet6/ip6_var.h>
-#include <netinet6/in6_var.h>
-#include <netinet6/nd6.h>
#include <netinet/icmp6.h>
+#include <netinet6/nd6.h>
#endif /* INET6 */
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
struct pf_frent {
TAILQ_ENTRY(pf_frent) fr_next;
diff --git a/sys/net/pf_osfp.c b/sys/net/pf_osfp.c
index 5e571444d71..4e98517449d 100644
--- a/sys/net/pf_osfp.c
+++ b/sys/net/pf_osfp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_osfp.c,v 1.37 2016/09/15 02:00:18 dlg Exp $ */
+/* $OpenBSD: pf_osfp.c,v 1.38 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
@@ -27,15 +27,21 @@
#include <sys/mbuf.h>
#include <sys/syslog.h>
+#include <net/if.h>
+
#include <netinet/in.h>
#include <netinet/ip.h>
+#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
+#include <netinet/udp.h>
-#include <net/if.h>
-#include <net/pfvar.h>
-
+#ifdef INET6
#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#endif /* INET6 */
+#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#ifdef _KERNEL
typedef struct pool pool_t;
diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c
index 21f12502a3f..091185c715c 100644
--- a/sys/net/pf_table.c
+++ b/sys/net/pf_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_table.c,v 1.120 2016/09/27 04:57:17 dlg Exp $ */
+/* $OpenBSD: pf_table.c,v 1.121 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -38,9 +38,21 @@
#include <sys/syslog.h>
#include <net/if.h>
+
#include <netinet/in.h>
+#include <netinet/ip.h>
#include <netinet/ip_ipsp.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet/icmp6.h>
+#endif /* INET6 */
+
#include <net/pfvar.h>
+#include <net/pfvar_priv.h>
#define ACCEPT_FLAGS(flags, oklist) \
do { \
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 1dfffb7cc0b..872016f4584 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.441 2016/10/18 13:28:01 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.442 2016/10/26 21:07:22 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1156,63 +1156,6 @@ enum pfi_kif_refs {
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
#define PFI_IFLAG_ANY 0x0200 /* match any non-loopback interface */
-struct pf_pdesc {
- struct {
- int done;
- uid_t uid;
- gid_t gid;
- pid_t pid;
- } lookup;
- u_int64_t tot_len; /* Make Mickey money */
- union {
- struct tcphdr *tcp;
- struct udphdr *udp;
- struct icmp *icmp;
-#ifdef INET6
- struct icmp6_hdr *icmp6;
-#endif /* INET6 */
- void *any;
- } hdr;
-
- struct pf_addr nsaddr; /* src address after NAT */
- struct pf_addr ndaddr; /* dst address after NAT */
-
- struct pfi_kif *kif; /* incoming interface */
- struct mbuf *m; /* mbuf containing the packet */
- struct pf_addr *src; /* src address */
- struct pf_addr *dst; /* dst address */
- u_int16_t *pcksum; /* proto cksum */
- u_int16_t *sport;
- u_int16_t *dport;
- u_int16_t osport;
- u_int16_t odport;
- u_int16_t nsport; /* src port after NAT */
- u_int16_t ndport; /* dst port after NAT */
-
- u_int32_t off; /* protocol header offset */
- u_int32_t hdrlen; /* protocol header length */
- u_int32_t p_len; /* length of protocol payload */
- u_int32_t extoff; /* extentsion header offset */
- u_int32_t fragoff; /* fragment header offset */
- u_int32_t jumbolen; /* length from v6 jumbo header */
- u_int32_t badopts; /* v4 options or v6 routing headers */
-
- u_int16_t rdomain; /* original routing domain */
- u_int16_t virtual_proto;
-#define PF_VPROTO_FRAGMENT 256
- sa_family_t af;
- sa_family_t naf;
- u_int8_t proto;
- u_int8_t tos;
- u_int8_t ttl;
- u_int8_t dir; /* direction */
- u_int8_t sidx; /* key index for source */
- u_int8_t didx; /* key index for destination */
- u_int8_t destchg; /* flag set when destination changed */
- u_int8_t pflog; /* flags for packet logging */
-};
-
-
/* flags for RDR options */
#define PF_DPORT_RANGE 0x01 /* Dest port uses range */
#define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
@@ -1641,6 +1584,8 @@ struct pfioc_iface {
#define DIOCGETQSTATS _IOWR('D', 96, struct pfioc_qstats)
#ifdef _KERNEL
+struct pf_pdesc;
+
RB_HEAD(pf_src_tree, pf_src_node);
RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
extern struct pf_src_tree tree_src_tracking;
@@ -1862,6 +1807,8 @@ extern struct pf_anchor_global pf_anchors;
extern struct pf_anchor pf_main_anchor;
#define pf_main_ruleset pf_main_anchor.ruleset
+struct tcphdr;
+
/* these ruleset functions can be linked into userland programs (pfctl) */
void pf_init_ruleset(struct pf_ruleset *);
int pf_anchor_setup(struct pf_rule *,
diff --git a/sys/net/pfvar_priv.h b/sys/net/pfvar_priv.h
new file mode 100644
index 00000000000..5d1570c7353
--- /dev/null
+++ b/sys/net/pfvar_priv.h
@@ -0,0 +1,109 @@
+/* $OpenBSD: pfvar_priv.h,v 1.1 2016/10/26 21:07:22 bluhm Exp $ */
+
+/*
+ * Copyright (c) 2001 Daniel Hartmeier
+ * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
+ * Copyright (c) 2016 Alexander Bluhm <bluhm@openbsd.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * - Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _NET_PFVAR_PRIV_H_
+#define _NET_PFVAR_PRIV_H_
+
+#ifdef _KERNEL
+
+union pf_headers {
+ struct tcphdr tcp;
+ struct udphdr udp;
+ struct icmp icmp;
+#ifdef INET6
+ struct icmp6_hdr icmp6;
+ struct mld_hdr mld;
+ struct nd_neighbor_solicit nd_ns;
+#endif /* INET6 */
+};
+
+struct pf_pdesc {
+ struct {
+ int done;
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ } lookup;
+ u_int64_t tot_len; /* Make Mickey money */
+ union {
+ struct tcphdr *tcp;
+ struct udphdr *udp;
+ struct icmp *icmp;
+#ifdef INET6
+ struct icmp6_hdr *icmp6;
+#endif /* INET6 */
+ void *any;
+ } hdr;
+
+ struct pf_addr nsaddr; /* src address after NAT */
+ struct pf_addr ndaddr; /* dst address after NAT */
+
+ struct pfi_kif *kif; /* incoming interface */
+ struct mbuf *m; /* mbuf containing the packet */
+ struct pf_addr *src; /* src address */
+ struct pf_addr *dst; /* dst address */
+ u_int16_t *pcksum; /* proto cksum */
+ u_int16_t *sport;
+ u_int16_t *dport;
+ u_int16_t osport;
+ u_int16_t odport;
+ u_int16_t nsport; /* src port after NAT */
+ u_int16_t ndport; /* dst port after NAT */
+
+ u_int32_t off; /* protocol header offset */
+ u_int32_t hdrlen; /* protocol header length */
+ u_int32_t p_len; /* length of protocol payload */
+ u_int32_t extoff; /* extentsion header offset */
+ u_int32_t fragoff; /* fragment header offset */
+ u_int32_t jumbolen; /* length from v6 jumbo header */
+ u_int32_t badopts; /* v4 options or v6 routing headers */
+
+ u_int16_t rdomain; /* original routing domain */
+ u_int16_t virtual_proto;
+#define PF_VPROTO_FRAGMENT 256
+ sa_family_t af;
+ sa_family_t naf;
+ u_int8_t proto;
+ u_int8_t tos;
+ u_int8_t ttl;
+ u_int8_t dir; /* direction */
+ u_int8_t sidx; /* key index for source */
+ u_int8_t didx; /* key index for destination */
+ u_int8_t destchg; /* flag set when destination changed */
+ u_int8_t pflog; /* flags for packet logging */
+};
+
+#endif /* _KERNEL */
+
+#endif /* _NET_PFVAR_PRIV_H_ */
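Review bot: pfvar_priv.h embeds complete protocol headers by value (`struct tcphdr tcp`, `struct udphdr udp`, `struct icmp icmp`, and under INET6 `struct mld_hdr mld` and `struct nd_neighbor_solicit nd_ns`) and references `struct pf_addr` and `struct pfi_kif`, yet it includes nothing itself, so it is only usable after the consumer has pulled in the right headers in the right order. That is exactly what the other hunks in this commit do — adding `<netinet/ip_icmp.h>`, `<netinet/tcp.h>`, `<netinet/udp.h>` and, under INET6, `<netinet/ip6.h>`/`<netinet/icmp6.h>` ahead of `<net/pfvar.h>` and `<net/pfvar_priv.h>` in if_pflog.c, pf.c, pf_ioctl.c, pf_lb.c, pf_norm.c, pf_osfp.c and pf_table.c — but the contract is never written down, so the next file that includes this header will discover it as a build failure. A comment above the union, e.g. `/* Not self-contained: include <net/pfvar.h>, <netinet/tcp.h>, <netinet/udp.h>, <netinet/ip_icmp.h> and, under INET6, <netinet/ip6.h> and <netinet/icmp6.h> before this header. */`, would document the prerequisite at the one place every consumer reads. Since the struct is being moved verbatim, this is also the moment to fix the comment on extoff, which reads `extentsion` where `extension` is meant.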