summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
Diffstat (limited to 'sys')
-rw-r--r--sys/conf/GENERIC7
-rw-r--r--sys/conf/files8
-rw-r--r--sys/net/bpf.h3
-rw-r--r--sys/net/if_pfsync.c359
-rw-r--r--sys/net/if_pfsync.h84
-rw-r--r--sys/net/if_types.h3
-rw-r--r--sys/net/pf.c12
-rw-r--r--sys/net/pfvar.h4
8 files changed, 468 insertions, 12 deletions
diff --git a/sys/conf/GENERIC b/sys/conf/GENERIC
index f1898959859..d25b15e4800 100644
--- a/sys/conf/GENERIC
+++ b/sys/conf/GENERIC
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC,v 1.91 2002/09/26 21:44:37 deraadt Exp $
+# $OpenBSD: GENERIC,v 1.92 2002/11/29 18:25:23 mickey Exp $
#
# Machine-independent option; used by all architectures for their
# GENERIC kernel
@@ -75,8 +75,9 @@ option PPP_BSDCOMP # PPP BSD compression
option PPP_DEFLATE
#option MROUTING # Multicast router
-pseudo-device pf 1 # packet filter
-pseudo-device pflog 1 # pf log if
+pseudo-device pf # packet filter
+pseudo-device pflog # pf log if
+pseudo-device pfsync # pf sync if
pseudo-device loop 2 # network loopback
pseudo-device bpfilter 8 # packet filter
pseudo-device sl 2 # CSLIP
diff --git a/sys/conf/files b/sys/conf/files
index eea613f9134..35bc319ecb2 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,4 +1,4 @@
-# $OpenBSD: files,v 1.257 2002/09/03 16:30:54 mickey Exp $
+# $OpenBSD: files,v 1.258 2002/11/29 18:25:23 mickey Exp $
# $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@@ -336,7 +336,6 @@ pseudo-device tun: ifnet
pseudo-device bpfilter: ifnet
pseudo-device strip: ifnet
pseudo-device enc: ifnet
-pseudo-device pflog: ifnet
pseudo-device bridge: ifnet, ether
pseudo-device vlan: ifnet, ether
pseudo-device sppp: ifnet
@@ -355,6 +354,10 @@ pseudo-device pf: ifnet
file net/pf.c pf needs-flag
file net/pf_norm.c pf
file net/pf_ioctl.c pf
+pseudo-device pflog: ifnet
+file net/if_pflog.c pflog needs-flag
+pseudo-device pfsync: ifnet
+file net/if_pfsync.c pfsync needs-flag
pseudo-device bio
file dev/bio.c bio needs-flag
@@ -644,7 +647,6 @@ file net/route.c
file net/rtsock.c
file net/slcompress.c sl | ppp | strip
file net/if_enc.c enc needs-count
-file net/if_pflog.c pflog needs-count
file net/if_gre.c gre needs-count
#file net/if_ieee1394subr.c ieee1394
file netccitt/ccitt_proto.c ccitt
diff --git a/sys/net/bpf.h b/sys/net/bpf.h
index 06b319e0226..8c0f26bffe4 100644
--- a/sys/net/bpf.h
+++ b/sys/net/bpf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.h,v 1.18 2002/03/14 01:27:09 millert Exp $ */
+/* $OpenBSD: bpf.h,v 1.19 2002/11/29 18:25:22 mickey Exp $ */
/* $NetBSD: bpf.h,v 1.15 1996/12/13 07:57:33 mikel Exp $ */
/*
@@ -170,6 +170,7 @@ struct bpf_hdr {
#define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */
#define DLT_PFLOG 17 /* Packet filter logging */
+#define DLT_PFSYNC 18 /* Packet filter state syncing */
/*
* The instruction encodings.
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
new file mode 100644
index 00000000000..a2b8b25c8cf
--- /dev/null
+++ b/sys/net/if_pfsync.c
@@ -0,0 +1,359 @@
+/* $OpenBSD: if_pfsync.c,v 1.1 2002/11/29 18:25:22 mickey Exp $ */
+
+/*
+ * Copyright (c) 2002 Michael Shalayeff
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "bpfilter.h"
+#include "pfsync.h"
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/time.h>
+#include <sys/mbuf.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/timeout.h>
+
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/route.h>
+#include <net/bpf.h>
+
+#ifdef INET
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#endif
+
+#ifdef INET6
+#ifndef INET
+#include <netinet/in.h>
+#endif
+#include <netinet6/nd6.h>
+#endif /* INET6 */
+
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+
+#define PFSYNCMTU \
+ (sizeof(struct pfsync_header) + sizeof(struct pf_state) * 4)
+#define PFSYNC_MINMTU \
+ (sizeof(struct pfsync_header) + sizeof(struct pf_state))
+
+#ifdef PFSYNCDEBUG
+#define DPRINTF(x) do { if (pfsyncdebug) printf x ; } while (0)
+int pfsyncdebug;
+#else
+#define DPRINTF(x)
+#endif
+
+struct pfsync_softc pfsyncif;
+
+void pfsyncattach(int);
+int pfsyncoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
+ struct rtentry *);
+int pfsyncioctl(struct ifnet *, u_long, caddr_t);
+void pfsyncrtrequest(int, struct rtentry *, struct sockaddr *);
+void pfsyncstart(struct ifnet *);
+
+struct mbuf *pfsync_get_mbuf(struct pfsync_softc *sc, u_int8_t action);
+int pfsync_sendout(struct pfsync_softc *sc);
+void pfsync_timeout(void *v);
+
+extern int ifqmaxlen;
+
+void
+pfsyncattach(int npfsync)
+{
+ struct ifnet *ifp;
+
+ pfsyncif.sc_mbuf = NULL;
+ pfsyncif.sc_ptr = NULL;
+ pfsyncif.sc_count = 8;
+ ifp = &pfsyncif.sc_if;
+ strcpy(ifp->if_xname, "pfsync0");
+ ifp->if_softc = &pfsyncif;
+ ifp->if_mtu = PFSYNCMTU;
+ ifp->if_ioctl = pfsyncioctl;
+ ifp->if_output = pfsyncoutput;
+ ifp->if_start = pfsyncstart;
+ ifp->if_type = IFT_PFSYNC;
+ ifp->if_snd.ifq_maxlen = ifqmaxlen;
+ ifp->if_hdrlen = PFSYNC_HDRLEN;
+ timeout_set(&pfsyncif.sc_tmo, pfsync_timeout, &pfsyncif);
+ if_attach(ifp);
+ if_alloc_sadl(ifp);
+
+#if NBPFILTER > 0
+ bpfattach(&pfsyncif.sc_if.if_bpf, ifp, DLT_PFSYNC, PFSYNC_HDRLEN);
+#endif
+}
+
+/*
+ * Start output on the pfsync interface.
+ */
+void
+pfsyncstart(struct ifnet *ifp)
+{
+ struct mbuf *m;
+ int s;
+
+ for (;;) {
+ s = splimp();
+ IF_DROP(&ifp->if_snd);
+ IF_DEQUEUE(&ifp->if_snd, m);
+ splx(s);
+
+ if (m == NULL)
+ return;
+ else
+ m_freem(m);
+ }
+}
+
+int
+pfsyncoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+ struct rtentry *rt)
+{
+ m_freem(m);
+ return (0);
+}
+
+/* ARGSUSED */
+void
+pfsyncrtrequest(int cmd, struct rtentry *rt, struct sockaddr *sa)
+{
+ if (rt)
+ rt->rt_rmx.rmx_mtu = PFSYNCMTU;
+}
+
+/* ARGSUSED */
+int
+pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+ struct pfsync_softc *sc = ifp->if_softc;
+ struct ifreq *ifr = (struct ifreq *)data;
+ int s;
+
+ switch (cmd) {
+ case SIOCSIFADDR:
+ case SIOCAIFADDR:
+ case SIOCSIFDSTADDR:
+ case SIOCSIFFLAGS:
+ if (ifp->if_flags & IFF_UP)
+ ifp->if_flags |= IFF_RUNNING;
+ else
+ ifp->if_flags &= ~IFF_RUNNING;
+ break;
+ case SIOCSIFMTU:
+ if (ifr->ifr_mtu < PFSYNC_MINMTU)
+ return (EINVAL);
+ if (ifr->ifr_mtu > MCLBYTES)
+ ifr->ifr_mtu = MCLBYTES;
+ s = splnet();
+ if (ifr->ifr_mtu < ifp->if_mtu)
+ pfsync_sendout(sc);
+ sc->sc_count = (ifr->ifr_mtu - sizeof(struct pfsync_header)) /
+ sizeof(struct pf_state);
+ ifp->if_mtu = sizeof(struct pfsync_header) +
+ sc->sc_count * sizeof(struct pf_state);
+ splx(s);
+ break;
+ default:
+ return (ENOTTY);
+ }
+
+ return (0);
+}
+
+struct mbuf *
+pfsync_get_mbuf(sc, action)
+ struct pfsync_softc *sc;
+ u_int8_t action;
+{
+ extern int hz;
+ struct pfsync_header *h;
+ struct mbuf *m;
+ int len;
+
+ MGETHDR(m, M_DONTWAIT, MT_DATA);
+ if (m == NULL) {
+ sc->sc_if.if_oerrors++;
+ return (NULL);
+ }
+
+ len = sc->sc_if.if_mtu;
+ if (len > MHLEN) {
+ MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ m_free(m);
+ sc->sc_if.if_oerrors++;
+ return (NULL);
+ }
+ }
+ m->m_pkthdr.rcvif = NULL;
+ m->m_pkthdr.len = m->m_len = len;
+ MH_ALIGN(m, m->m_len);
+
+ h = mtod(m, struct pfsync_header *);
+ h->version = PFSYNC_VERSION;
+ h->af = 0;
+ h->count = 0;
+ h->action = action;
+
+ sc->sc_mbuf = m;
+ sc->sc_ptr = (struct pf_state *)((char *)h + PFSYNC_HDRLEN);
+ timeout_add(&sc->sc_tmo, hz);
+
+ return (m);
+}
+
+int
+pfsync_pack_state(action, st)
+ u_int8_t action;
+ struct pf_state *st;
+{
+ extern struct timeval time;
+ struct ifnet *ifp = &pfsyncif.sc_if;
+ struct pfsync_softc *sc = ifp->if_softc;
+ struct pfsync_header *h;
+ struct pf_state *sp;
+ struct pf_rule *r = st->rule.ptr;
+ struct mbuf *m;
+ u_long secs;
+ int s, ret;
+
+ if (action >= PFSYNC_ACT_MAX)
+ return (EINVAL);
+
+ s = splnet();
+ m = sc->sc_mbuf;
+ if (m == NULL) {
+ if ((m = pfsync_get_mbuf(sc, action)) == NULL) {
+ splx(s);
+ return (ENOMEM);
+ }
+ h = mtod(m, struct pfsync_header *);
+ } else {
+ h = mtod(m, struct pfsync_header *);
+ if (h->action != action) {
+ pfsync_sendout(sc);
+ if ((m = pfsync_get_mbuf(sc, action)) == NULL) {
+ splx(s);
+ return (ENOMEM);
+ }
+ h = mtod(m, struct pfsync_header *);
+ }
+ }
+
+ sp = sc->sc_ptr++;
+ h->count++;
+ bzero(sp, sizeof(*sp));
+
+ sp->lan = st->lan; HTONS(sp->lan.port);
+ sp->gwy = st->gwy; HTONS(sp->gwy.port);
+ sp->ext = st->ext; HTONS(sp->ext.port);
+
+ pf_state_peer_hton(&st->src, &sp->src);
+ pf_state_peer_hton(&st->dst, &sp->dst);
+
+ sp->rt_addr = st->rt_addr;
+ secs = time.tv_sec;
+ sp->creation = htonl(secs - st->creation);
+ if (st->expire <= secs)
+ sp->expire = htonl(0);
+ else
+ sp->expire = htonl(st->expire - secs);
+ sp->packets = htonl(st->packets);
+ sp->bytes = htonl(st->bytes);
+ if (r == NULL)
+ sp->rule.nr = htonl(-1);
+ else
+ sp->rule.nr = htonl(r->nr);
+ sp->af = st->af;
+ sp->proto = st->proto;
+ sp->direction = st->direction;
+ sp->log = st->log;
+ sp->allow_opts = st->allow_opts;
+
+ ret = 0;
+ if (h->count == sc->sc_count)
+ ret = pfsync_sendout(sc);
+
+ splx(s);
+ return (0);
+}
+
+int
+pfsync_clear_state(st)
+ struct pf_state *st;
+{
+ struct ifnet *ifp = &pfsyncif.sc_if;
+ struct pfsync_softc *sc = ifp->if_softc;
+ struct mbuf *m = sc->sc_mbuf;
+ int s, ret;
+
+ s = splnet();
+ if (m == NULL && (m = pfsync_get_mbuf(sc, PFSYNC_ACT_CLR)) == NULL) {
+ splx(s);
+ return (ENOMEM);
+ }
+
+ ret = (pfsync_sendout(sc));
+ splx(s);
+ return (ret);
+}
+
+void
+pfsync_timeout(void *v)
+{
+ struct pfsync_softc *sc = v;
+ int s;
+
+ s = splnet();
+ pfsync_sendout(sc);
+ splx(s);
+}
+
+int
+pfsync_sendout(sc)
+ struct pfsync_softc *sc;
+{
+ struct ifnet *ifp = &sc->sc_if;
+ struct mbuf *m = sc->sc_mbuf;
+
+ timeout_del(&sc->sc_tmo);
+ sc->sc_mbuf = NULL;
+ sc->sc_ptr = NULL;
+
+#if NBPFILTER > 0
+ if (ifp->if_bpf)
+ bpf_mtap(ifp->if_bpf, m);
+#endif
+
+ m_freem(m);
+
+ return (0);
+}
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
new file mode 100644
index 00000000000..d05b202b2d6
--- /dev/null
+++ b/sys/net/if_pfsync.h
@@ -0,0 +1,84 @@
+/* $OpenBSD: if_pfsync.h,v 1.1 2002/11/29 18:25:22 mickey Exp $ */
+
+/*
+ * Copyright (c) 2001 Michael Shalayeff
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_PFSYNC_H_
+#define _NET_IF_PFSYNC_H_
+
+#ifdef _KERNEL
+struct pfsync_softc {
+ struct ifnet sc_if;
+
+ struct timeout sc_tmo;
+ struct mbuf *sc_mbuf; /* current cummulative mbuf */
+ struct pf_state *sc_ptr; /* current ongoing state */
+ int sc_count; /* number of states in one mtu */
+};
+#endif
+
+struct pfsync_header {
+ u_int8_t version;
+#define PFSYNC_VERSION 1
+ u_int8_t af;
+ u_int8_t action;
+#define PFSYNC_ACT_CLR 0
+#define PFSYNC_ACT_INS 1
+#define PFSYNC_ACT_UPD 2
+#define PFSYNC_ACT_DEL 3
+#define PFSYNC_ACT_MAX 4
+ u_int8_t count;
+};
+
+#define PFSYNC_HDRLEN sizeof(struct pfsync_header)
+#define PFSYNC_ACTIONS \
+ "CLR ST", "INS ST", "UPD ST", "DEL ST"
+
+#define pf_state_peer_hton(s,d) do { \
+ (d)->seqlo = htonl((s)->seqlo); \
+ (d)->seqhi = htonl((s)->seqhi); \
+ (d)->seqdiff = htonl((s)->seqdiff); \
+ (d)->max_win = htons((s)->max_win); \
+ (d)->state = (s)->state; \
+} while (0)
+
+#define pf_state_peer_ntoh(s,d) do { \
+ (d)->seqlo = ntohl((s)->seqlo); \
+ (d)->seqhi = ntohl((s)->seqhi); \
+ (d)->seqdiff = ntohl((s)->seqdiff); \
+ (d)->max_win = ntohs((s)->max_win); \
+ (d)->state = (s)->state; \
+} while (0)
+
+#ifdef _KERNEL
+int pfsync_clear_state __P((struct pf_state *));
+int pfsync_pack_state __P((u_int8_t, struct pf_state *));
+#define pfsync_insert_state(st) pfsync_pack_state(PFSYNC_ACT_INS, (st))
+#define pfsync_update_state(st) pfsync_pack_state(PFSYNC_ACT_UPD, (st))
+#define pfsync_delete_state(st) pfsync_pack_state(PFSYNC_ACT_DEL, (st))
+#endif
+
+#endif /* _NET_IF_PFSYNC_H_ */
diff --git a/sys/net/if_types.h b/sys/net/if_types.h
index 9871575813b..2ca4a5b2b35 100644
--- a/sys/net/if_types.h
+++ b/sys/net/if_types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_types.h,v 1.13 2002/05/30 01:21:08 itojun Exp $ */
+/* $OpenBSD: if_types.h,v 1.14 2002/11/29 18:25:22 mickey Exp $ */
/* $NetBSD: if_types.h,v 1.17 2000/10/26 06:51:31 onoe Exp $ */
/*
@@ -268,5 +268,6 @@
#define IFT_FAITH 0xf3
#define IFT_ENC 0xf4 /* Encapsulation */
#define IFT_PFLOG 0xf5 /* Packet filter logging */
+#define IFT_PFSYNC 0xf6 /* Packet filter state syncing */
#endif /* _NET_IF_TYPES_H_ */
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 416235f14fb..fc8dd350d78 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.264 2002/11/28 12:07:37 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.265 2002/11/29 18:25:22 mickey Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -36,6 +36,7 @@
#include "bpfilter.h"
#include "pflog.h"
+#include "pfsync.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -51,7 +52,6 @@
#include <net/if_types.h>
#include <net/bpf.h>
#include <net/route.h>
-#include <net/if_pflog.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -70,6 +70,8 @@
#include <dev/rndvar.h>
#include <net/pfvar.h>
+#include <net/if_pflog.h>
+#include <net/if_pfsync.h>
#ifdef INET6
#include <netinet/ip6.h>
@@ -444,6 +446,9 @@ pf_insert_state(struct pf_state *state)
pf_status.fcounters[FCNT_STATE_INSERT]++;
pf_status.states++;
+#if NPFSYNC
+ pfsync_insert_state(state);
+#endif
return (0);
}
@@ -489,6 +494,9 @@ pf_purge_expired_states(void)
KASSERT(peer->state == cur->state);
RB_REMOVE(pf_state_tree, &tree_lan_ext, peer);
+#if NPFSYNC
+ pfsync_delete_state(cur->state);
+#endif
if (cur->state->rule.ptr != NULL)
cur->state->rule.ptr->states--;
pool_put(&pf_state_pl, cur->state);
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 5ddefb2121f..4583e62ecf3 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.105 2002/11/28 12:07:37 mcbride Exp $ */
+/* $OpenBSD: pfvar.h,v 1.106 2002/11/29 18:25:23 mickey Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -371,7 +371,7 @@ struct pf_state {
struct pf_state_peer dst;
union {
struct pf_rule *ptr;
- u_int16_t nr;
+ u_int32_t nr;
} rule;
struct pf_addr rt_addr;
struct ifnet *rt_ifp;