Sun Sep 16 13:47:43 2012 UTC ()

Implement dynamic NPF extensions interface.  An extension consists of
dynamically loaded module (.so) supplementing npfctl(8) and a kernel
module.  Move normalisation and logging functionality into their own
extensions.  More improvements to come.


(rmind)

diff -r1.635 -r1.636 src/distrib/sets/lists/base/shl.mi
diff -r1.47 -r1.48 src/distrib/sets/lists/modules/mi
diff -r1.188 -r1.189 src/lib/Makefile
diff -r1.2 -r1.3 src/lib/libnpf/Makefile
diff -r1.12 -r1.13 src/lib/libnpf/npf.c
diff -r1.10 -r1.11 src/lib/libnpf/npf.h
diff -r0 -r1.1 src/lib/npf/Makefile
diff -r0 -r1.1 src/lib/npf/Makefile.inc
diff -r0 -r1.1 src/lib/npf/ext_log/Makefile
diff -r0 -r1.1 src/lib/npf/ext_log/npfext_log.c
diff -r0 -r1.1 src/lib/npf/ext_log/shlib_version
diff -r0 -r1.1 src/lib/npf/ext_normalise/Makefile
diff -r0 -r1.1 src/lib/npf/ext_normalise/npfext_normalise.c
diff -r0 -r1.1 src/lib/npf/ext_normalise/shlib_version
diff -r1.110 -r1.111 src/sys/modules/Makefile
diff -r1.10 -r1.11 src/sys/modules/npf/Makefile
diff -r0 -r1.1 src/sys/modules/npf_ext_log/Makefile
diff -r0 -r1.1 src/sys/modules/npf_ext_normalise/Makefile
diff -r1.7 -r1.8 src/sys/net/npf/files.npf
diff -r1.12 -r1.13 src/sys/net/npf/npf.c
diff -r1.20 -r1.21 src/sys/net/npf/npf.h
diff -r1.17 -r1.18 src/sys/net/npf/npf_ctl.c
diff -r0 -r1.1 src/sys/net/npf/npf_ext_log.c
diff -r0 -r1.1 src/sys/net/npf/npf_ext_normalise.c
diff -r1.21 -r1.22 src/sys/net/npf/npf_handler.c
diff -r1.22 -r1.23 src/sys/net/npf/npf_impl.h
diff -r1.16 -r1.17 src/sys/net/npf/npf_inet.c
diff -r1.4 -r0 src/sys/net/npf/npf_log.c
diff -r1.2 -r1.3 src/sys/net/npf/npf_rproc.c
diff -r1.1 -r1.2 src/sys/rump/net/lib/libnpf/Makefile
diff -r1.7 -r1.8 src/usr.sbin/npf/npfctl/Makefile
diff -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_build.c
diff -r0 -r1.1 src/usr.sbin/npf/npfctl/npf_extmod.c
diff -r1.12 -r1.13 src/usr.sbin/npf/npfctl/npf_parse.y
diff -r1.5 -r1.6 src/usr.sbin/npf/npfctl/npf_scan.l
diff -r1.3 -r1.4 src/usr.sbin/npf/npfctl/npf_var.h
diff -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.c
diff -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.h

--- src/distrib/sets/lists/base/shl.mi 2012/08/08 14:08:02	1.635
+++ src/distrib/sets/lists/base/shl.mi 2012/09/16 13:47:43	1.636

 @@ -1,14 +1,14 @@
-# $NetBSD: shl.mi,v 1.635 2012/08/08 14:08:02 christos Exp $
+# $NetBSD: shl.mi,v 1.636 2012/09/16 13:47:43 rmind Exp $
+#
 # Note:	Don't delete entries from here - mark them as "obsolete" instead,
 #	unless otherwise stated below.
+#
 # Note:	Do not mark "old" major and major.minor shared libraries as
 #	"obsolete"; just remove the entry, as third-party applications
 #	may be linked against the old major shared library, and
 #	that is a symlink to the old major.minor shared library.
 #	e.g., "lib<name>.so.<N>" and "lib<name>.so.<N>.<M>"
 #	Exceptions to this rule may include shared libraries that
 #	are dlopen()ed at run-time, such as extra locales, etc.
+#
 # Note:	libtermcap and libtermlib are hardlinked and share the same version.
 @@ -716,26 +716,32 @@
 ./usr/lib/libwrap.so.1.0			base-net-shlib
 ./usr/lib/libz.so				base-sys-shlib
 ./usr/lib/libz.so.1				base-sys-shlib
 ./usr/lib/libz.so.1.0				base-sys-shlib
 ./usr/lib/libzfs.so				base-zfs-shlib		dynamicroot,zfs
 ./usr/lib/libzfs.so.0				base-zfs-shlib		dynamicroot,zfs
 ./usr/lib/libzfs.so.0.0				base-zfs-shlib		zfs,dynamicroot
 ./usr/lib/libzpool.so				base-zfs-shlib		dynamicroot,zfs
 ./usr/lib/libzpool.so.0				base-zfs-shlib		dynamicroot,zfs
 ./usr/lib/libzpool.so.0.0			base-zfs-shlib		zfs,dynamicroot
 ./usr/lib/libzpool_pic.a			base-zfs-shlib		zfs,dynamicroot
 ./usr/lib/lua/5.1/gpio.so                    	base-sys-shlib
 ./usr/lib/lua/5.1/sqlite.so                    	base-sys-shlib
 ./usr/lib/npf/ext_log.so			base-npf-shlib		npf
 ./usr/lib/npf/ext_log.so.0			base-npf-shlib		npf
 ./usr/lib/npf/ext_log.so.0.0			base-npf-shlib		npf
 ./usr/lib/npf/ext_normalise.so			base-npf-shlib		npf
 ./usr/lib/npf/ext_normalise.so.0		base-npf-shlib		npf
 ./usr/lib/npf/ext_normalise.so.0.0		base-npf-shlib		npf
 ./usr/lib/nss_mdns.so.0				base-obsolete		obsolete
 ./usr/lib/nss_mdnsd.so.0			base-mdns-shlib		mdns
 ./usr/lib/nss_multicast_dns.so.0		base-mdns-shlib		mdns
 ./usr/lib/security/pam_afslog.so.3		base-sys-shlib		kerberos,pam
 ./usr/lib/security/pam_chroot.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_deny.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_echo.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_exec.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_ftpusers.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_group.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_guest.so.3		base-sys-shlib		pam
 ./usr/lib/security/pam_krb5.so.3		base-sys-shlib		kerberos,pam
 ./usr/lib/security/pam_ksu.so.3			base-sys-shlib		kerberos,pam

--- src/distrib/sets/lists/modules/mi 2012/08/06 10:44:08	1.47
+++ src/distrib/sets/lists/modules/mi 2012/09/16 13:47:43	1.48

 @@ -1,14 +1,14 @@
-# $NetBSD: mi,v 1.47 2012/08/06 10:44:08 martin Exp $
+# $NetBSD: mi,v 1.48 2012/09/16 13:47:43 rmind Exp $
+#
 # Note: don't delete entries from here - mark them as "obsolete" instead.
+#
 # IMPORTANT:	When you add a module here, you have to add it twice to
 #		md.evbppc as well. evbppc does not use mi, because
 #		powerpc-4xx and powerpc-booke modules are incompatible.
 #		Sorry for any inconvenience this may cause, the management.
+#
 ./etc/mtree/set.modules				modules-sys-root	kmod
 ./stand/@MACHINE@				base-kernel-modules	kmod
 ./stand/@MACHINE@/@OSRELEASE@			base-kernel-modules	kmod
 ./@MODULEDIR@					base-kernel-modules	kmod
 ./@MODULEDIR@/accf_dataready			base-kernel-modules	kmod
 @@ -105,26 +105,30 @@
 ./@MODULEDIR@/nand/nand.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/nandemulator			base-kernel-modules	kmod
 ./@MODULEDIR@/nandemulator/nandemulator.kmod	base-kernel-modules	kmod
 ./@MODULEDIR@/nfs				base-kernel-modules	kmod
 ./@MODULEDIR@/nfs/nfs.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/nfsserver				base-kernel-modules	kmod
 ./@MODULEDIR@/nfsserver/nfsserver.kmod		base-kernel-modules	kmod
 ./@MODULEDIR@/nilfs				base-kernel-modules	kmod
 ./@MODULEDIR@/nilfs/nilfs.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/npf				base-kernel-modules	kmod
 ./@MODULEDIR@/npf/npf.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/npf_alg_icmp			base-kernel-modules	kmod
 ./@MODULEDIR@/npf_alg_icmp/npf_alg_icmp.kmod	base-kernel-modules	kmod
 ./@MODULEDIR@/npf_ext_log			base-kernel-modules	kmod
 ./@MODULEDIR@/npf_ext_log/npf_ext_log.kmod	base-kernel-modules	kmod
 ./@MODULEDIR@/npf_ext_normalise			base-kernel-modules	kmod
 ./@MODULEDIR@/npf_ext_normalise/npf_ext_normalise.kmod	base-kernel-modules	kmod
 ./@MODULEDIR@/ntfs				base-kernel-modules	kmod
 ./@MODULEDIR@/ntfs/ntfs.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/null				base-kernel-modules	kmod
 ./@MODULEDIR@/null/null.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/onewire				base-kernel-modules	kmod
 ./@MODULEDIR@/onewire/onewire.kmod		base-kernel-modules	kmod
 ./@MODULEDIR@/overlay				base-kernel-modules	kmod
 ./@MODULEDIR@/overlay/overlay.kmod		base-kernel-modules	kmod
 ./@MODULEDIR@/pciverbose			base-kernel-modules	kmod
 ./@MODULEDIR@/pciverbose/pciverbose.kmod	base-kernel-modules	kmod
 ./@MODULEDIR@/pf				base-kernel-modules	kmod
 ./@MODULEDIR@/pf/pf.kmod			base-kernel-modules	kmod
 ./@MODULEDIR@/portal				base-obsolete		obsolete

--- src/lib/Makefile 2012/08/17 16:22:27	1.188
+++ src/lib/Makefile 2012/09/16 13:47:41	1.189

 @@ -1,14 +1,14 @@
-#	$NetBSD: Makefile,v 1.188 2012/08/17 16:22:27 joerg Exp $
+#	$NetBSD: Makefile,v 1.189 2012/09/16 13:47:41 rmind Exp $
 #	from: @(#)Makefile	5.25.1.1 (Berkeley) 5/7/91
 .include <bsd.own.mk>
 SUBDIR=		csu .WAIT
 .if (${MKGCC} != "no")
 . if ${HAVE_GCC} == 4
 .  if (${USE_COMPILERCRTSTUFF} == "yes")
 SUBDIR+=	../gnu/lib/crtstuff4 .WAIT
 .  endif
 SUBDIR+=	../gnu/lib/libgcc4 .WAIT
 . else
 @@ -100,26 +100,27 @@ SUBDIR+=	libdm		# depends on libprop
 SUBDIR+=	libedit		# depends on libterminfo
 SUBDIR+=	libexecinfo 	# depends on libelf
 SUBDIR+=	libppath	# depends on libprop
 SUBDIR+=	libperfuse	# depends on libpuffs
 SUBDIR+=	libquota	# depends on libprop and librpcsvc
 SUBDIR+=	librefuse	# depends on libpuffs
 .if (${MKRUMP} != "no")
 SUBDIR+=	librumpuser	# depends on libpthread
 SUBDIR+=	librumphijack	# depends on librumpclient and libpthread
 .endif
 .if (${MKNPF} != "no")
 SUBDIR+=	libnpf		# depends on libprop
 SUBDIR+=	npf
 .endif
 .if (${MKCRYPTO} != "no")
 SUBDIR+=	../crypto/external/bsd/openssl/lib # depends on libcrypt
 .endif
 SUBDIR+=	../external/bsd/file/lib	# depends on libz
 .if (${MKISCSI} != "no")
 SUBDIR+=	../external/bsd/iscsi/lib	# depends on libpthread
 .endif
 SUBDIR+=	../external/bsd/libarchive/lib	# depends on libxz

--- src/lib/libnpf/Makefile 2012/03/21 05:37:42	1.2
+++ src/lib/libnpf/Makefile 2012/09/16 13:47:42	1.3

 @@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.2 2012/03/21 05:37:42 matt Exp $
+# $NetBSD: Makefile,v 1.3 2012/09/16 13:47:42 rmind Exp $
 .include <bsd.own.mk>
 LIB=		npf
 MAN=		npf.3
 SRCS=		npf.c
 INCS=		npf.h
 INCSDIR=	/usr/include
 LIBDPLIBS+=	prop ${.CURDIR}/../libprop
 LDADD+=		-lprop
 DPADD+=		${LIBPROP}
-WARNS?=		5
+WARNS=		5
-NOLINT=		# defined (note: deliberately)
+NOLINT=		# disabled deliberately
 .include <bsd.lib.mk>

--- src/lib/libnpf/npf.c 2012/08/15 18:44:56	1.12
+++ src/lib/libnpf/npf.c 2012/09/16 13:47:42	1.13

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf.c,v 1.12 2012/08/15 18:44:56 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.13 2012/09/16 13:47:42 rmind Exp $	*/
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -20,27 +20,27 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.12 2012/08/15 18:44:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.13 2012/09/16 13:47:42 rmind Exp $");
 #include <sys/types.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <net/if.h>
 #include <prop/proplib.h>
 #include <stdlib.h>
 #include <string.h>
 #include <assert.h>
 #include <errno.h>
 #include <err.h>
 @@ -68,26 +68,31 @@ struct nl_config {
 struct nl_rule {
 	prop_dictionary_t	nrl_dict;
 };
 struct nl_rproc {
 	prop_dictionary_t	nrp_dict;
 };
 struct nl_table {
 	prop_dictionary_t	ntl_dict;
 };
 struct nl_ext {
 	const char *		nxt_name;
 	prop_dictionary_t	nxt_dict;
 };
 /*
  * CONFIGURATION INTERFACE.
  */
 nl_config_t *
 npf_config_create(void)
+{
 	nl_config_t *ncf;
 	ncf = calloc(1, sizeof(*ncf));
 	if (ncf == NULL) {
 		return NULL;
+	}
 @@ -240,26 +245,63 @@ _npf_prop_array_lookup(prop_array_t arra
 	it = prop_array_iterator(array);
 	while ((dict = prop_object_iterator_next(it)) != NULL) {
 		const char *lname;
 		prop_dictionary_get_cstring_nocopy(dict, key, &lname);
 		if (strcmp(name, lname) == 0)
 			break;
+	}
 	prop_object_iterator_release(it);
 	return dict ? true : false;
+}
 /*
  * NPF EXTENSION INTERFACE.
  */
 nl_ext_t *
 npf_ext_construct(const char *name)
+{
 	nl_ext_t *ext;
 	ext = malloc(sizeof(*ext));
 	if (ext == NULL) {
 		return NULL;
+	}
 	ext->nxt_name = strdup(name);
 	if (ext->nxt_name == NULL) {
 		free(ext);
 		return NULL;
+	}
 	ext->nxt_dict = prop_dictionary_create();
 	return ext;
+}
 void
 npf_ext_param_u32(nl_ext_t *ext, const char *key, uint32_t val)
+{
 	prop_dictionary_t extdict = ext->nxt_dict;
 	prop_dictionary_set_uint32(extdict, key, val);
+}
 void
 npf_ext_param_bool(nl_ext_t *ext, const char *key, bool val)
+{
 	prop_dictionary_t extdict = ext->nxt_dict;
 	prop_dictionary_set_bool(extdict, key, val);
+}
 /*
  * RULE INTERFACE.
  */
 nl_rule_t *
 npf_rule_create(const char *name, uint32_t attr, u_int if_idx)
+{
 	prop_dictionary_t rldict;
 	nl_rule_t *rl;
 	rl = malloc(sizeof(*rl));
 	if (rl == NULL) {
 		return NULL;
+	}
 @@ -357,26 +399,27 @@ _npf_rule_foreach1(prop_array_t rules, u
 	it = prop_array_iterator(rules);
 	if (it == NULL) {
 		return ENOMEM;
+	}
 	while ((rldict = prop_object_iterator_next(it)) != NULL) {
 		prop_array_t subrules;
 		nl_rule_t nrl;
 		nrl.nrl_dict = rldict;
 		(*func)(&nrl, nlevel);
 		subrules = prop_dictionary_get(rldict, "subrules");
 		(void)_npf_rule_foreach1(subrules, nlevel + 1, func);
 		prop_object_release(subrules);
+	}
 	prop_object_iterator_release(it);
 	return 0;
+}
 int
 _npf_rule_foreach(nl_config_t *ncf, nl_rule_callback_t func)
+{
 	return _npf_rule_foreach1(ncf->ncf_rules_list, 0, func);
+}
 pri_t
 @@ -418,77 +461,74 @@ npf_rule_destroy(nl_rule_t *rl)
 	prop_object_release(rl->nrl_dict);
 	free(rl);
+}
 /*
  * RULE PROCEDURE INTERFACE.
  */
 nl_rproc_t *
 npf_rproc_create(const char *name)
+{
 	prop_dictionary_t rpdict;
 	prop_array_t extcalls;
 	nl_rproc_t *nrp;
 	nrp = malloc(sizeof(nl_rproc_t));
 	if (nrp == NULL) {
 		return NULL;
+	}
 	rpdict = prop_dictionary_create();
 	if (rpdict == NULL) {
 		free(nrp);
 		return NULL;
+	}
 	prop_dictionary_set_cstring(rpdict, "name", name);
 	nrp->nrp_dict = rpdict;
 	return nrp;
-bool
+	extcalls = prop_array_create();
-npf_rproc_exists_p(nl_config_t *ncf, const char *name)
+	if (extcalls == NULL) {
 		prop_object_release(rpdict);
 		free(nrp);
 		return NULL;
+	}
 	prop_dictionary_set(rpdict, "extcalls", extcalls);
 	prop_object_release(extcalls);
-	return _npf_prop_array_lookup(ncf->ncf_rproc_list, "name", name);
+	nrp->nrp_dict = rpdict;
 	return nrp;
+}
 int
-_npf_rproc_setnorm(nl_rproc_t *rp, bool rnd, bool no_df, u_int minttl,
+npf_rproc_extcall(nl_rproc_t *rp, nl_ext_t *ext)
     u_int maxmss)
+{
 	prop_dictionary_t rpdict = rp->nrp_dict;
-	uint32_t fl = 0;
+	prop_dictionary_t extdict = ext->nxt_dict;
 	prop_array_t extcalls;
 	prop_dictionary_set_bool(rpdict, "randomize-id", rnd);
 	prop_dictionary_set_bool(rpdict, "no-df", no_df);
 	prop_dictionary_set_uint32(rpdict, "min-ttl", minttl);
 	prop_dictionary_set_uint32(rpdict, "max-mss", maxmss);
-	prop_dictionary_get_uint32(rpdict, "flags", &fl);
+	extcalls = prop_dictionary_get(rpdict, "extcalls");
-	prop_dictionary_set_uint32(rpdict, "flags", fl | NPF_RPROC_NORMALIZE);
+	if (_npf_prop_array_lookup(extcalls, "name", ext->nxt_name)) {
 		return EEXIST;
+	}
 	prop_dictionary_set_cstring(extdict, "name", ext->nxt_name);
 	prop_array_add(extcalls, extdict);
 	return 0;
+}
-int
+bool
-_npf_rproc_setlog(nl_rproc_t *rp, u_int if_idx)
+npf_rproc_exists_p(nl_config_t *ncf, const char *name)
+{
 	prop_dictionary_t rpdict = rp->nrp_dict;
 	uint32_t fl = 0;
 	prop_dictionary_set_uint32(rpdict, "log-interface", if_idx);
-	prop_dictionary_get_uint32(rpdict, "flags", &fl);
+	return _npf_prop_array_lookup(ncf->ncf_rproc_list, "name", name);
 	prop_dictionary_set_uint32(rpdict, "flags", fl | NPF_RPROC_LOG);
 	return 0;
+}
 int
 npf_rproc_insert(nl_config_t *ncf, nl_rproc_t *rp)
+{
 	prop_dictionary_t rpdict = rp->nrp_dict;
 	const char *name;
 	if (!prop_dictionary_get_cstring_nocopy(rpdict, "name", &name)) {
 		return EINVAL;
+	}
 	if (npf_rproc_exists_p(ncf, name)) {
 		return EEXIST;

--- src/lib/libnpf/npf.h 2012/08/12 03:35:14	1.10
+++ src/lib/libnpf/npf.h 2012/09/16 13:47:42	1.11

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf.h,v 1.10 2012/08/12 03:35:14 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.11 2012/09/16 13:47:42 rmind Exp $	*/
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,44 +25,46 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #ifndef _NPF_LIB_H_
 #define _NPF_LIB_H_
 #include <sys/types.h>
 #include <net/npf.h>
 #ifdef _NPF_TESTING
 #include "testing.h"
 #endif
 __BEGIN_DECLS
 struct nl_config;
 struct nl_rule;
 struct nl_rproc;
 struct nl_table;
 typedef struct nl_config	nl_config_t;
 typedef struct nl_rule		nl_rule_t;
 typedef struct nl_rproc		nl_rproc_t;
 typedef struct nl_table		nl_table_t;
 typedef struct nl_rule		nl_nat_t;
 typedef struct nl_ext		nl_ext_t;
 typedef int (*npfext_initfunc_t)(void);
 typedef nl_ext_t *(*npfext_consfunc_t)(const char *);
 typedef int (*npfext_paramfunc_t)(nl_ext_t *, const char *, const char *);
 #ifdef _NPF_PRIVATE
 typedef struct {
 	int		ne_id;
 	char *		ne_source_file;
 	u_int		ne_source_line;
 	int		ne_ncode_error;
 	int		ne_ncode_errat;
 } nl_error_t;
 typedef void (*nl_rule_callback_t)(nl_rule_t *, unsigned);
 typedef void (*nl_table_callback_t)(unsigned, int);
 @@ -71,34 +73,39 @@ typedef void (*nl_table_callback_t)(unsi
 #define	NPF_CODE_NCODE		1
 #define	NPF_CODE_BPF		2
 #define	NPF_PRI_NEXT		(-1)
 #define	NPF_MAX_TABLE_ID	(16)
 nl_config_t *	npf_config_create(void);
 int		npf_config_submit(nl_config_t *, int);
 void		npf_config_destroy(nl_config_t *);
 nl_config_t *	npf_config_retrieve(int, bool *, bool *);
 int		npf_config_flush(int);
 nl_ext_t *	npf_ext_construct(const char *name);
 void		npf_ext_param_u32(nl_ext_t *, const char *, uint32_t);
 void		npf_ext_param_bool(nl_ext_t *, const char *, bool);
 nl_rule_t *	npf_rule_create(const char *, uint32_t, u_int);
 int		npf_rule_setcode(nl_rule_t *, int, const void *, size_t);
 int		npf_rule_setproc(nl_config_t *, nl_rule_t *, const char *);
 bool		npf_rule_exists_p(nl_config_t *, const char *);
 int		npf_rule_insert(nl_config_t *, nl_rule_t *, nl_rule_t *, pri_t);
 void		npf_rule_destroy(nl_rule_t *);
 nl_rproc_t *	npf_rproc_create(const char *);
 int		npf_rproc_extcall(nl_rproc_t *, nl_ext_t *);
 bool		npf_rproc_exists_p(nl_config_t *, const char *);
 int		npf_rproc_insert(nl_config_t *, nl_rproc_t *);
 nl_nat_t *	npf_nat_create(int, u_int, u_int, npf_addr_t *, int, in_port_t);
 int		npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
 nl_table_t *	npf_table_create(u_int, int);
 int		npf_table_add_entry(nl_table_t *, const int,
 		    const npf_addr_t *, const npf_netmask_t);
 bool		npf_table_exists_p(nl_config_t *, u_int);
 int		npf_table_insert(nl_config_t *, nl_table_t *);
 void		npf_table_destroy(nl_table_t *);
 @@ -110,23 +117,21 @@ int		npf_sessions_recv(int, const char *
 #include <ifaddrs.h>
 void		_npf_config_error(nl_config_t *, nl_error_t *);
 void		_npf_config_setsubmit(nl_config_t *, const char *);
 int		_npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
 pri_t		_npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
 		    u_int *);
 const void *	_npf_rule_ncode(nl_rule_t *, size_t *);
 const char *	_npf_rule_rproc(nl_rule_t *);
 int		_npf_nat_foreach(nl_config_t *, nl_rule_callback_t);
 void		_npf_nat_getinfo(nl_nat_t *, int *, u_int *, npf_addr_t *,
 		    size_t *, in_port_t *);
 int		_npf_rproc_setnorm(nl_rproc_t *, bool, bool, u_int, u_int);
 int		_npf_rproc_setlog(nl_rproc_t *, u_int);
 void		_npf_table_foreach(nl_config_t *, nl_table_callback_t);
 void		_npf_debug_addif(nl_config_t *, struct ifaddrs *, u_int);
 #endif
 __END_DECLS
 #endif	/* _NPF_LIB_H_ */

# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:41 rmind Exp $

.include <bsd.own.mk>

.if ${MKPIC} != "no"

SUBDIR=		ext_log ext_normalise

.endif

.include <bsd.subdir.mk>

# $NetBSD: Makefile.inc,v 1.1 2012/09/16 13:47:42 rmind Exp $

WARNS=		5
MKLINT=		no

.if exists(${.CURDIR}/../../Makefile.inc)
.include "${.CURDIR}/../../Makefile.inc"
.endif

# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $

.include <bsd.own.mk>

LIBISMODULE= yes
LIBDIR=	/usr/lib/npf

LIB=	ext_log

SRCS=	npfext_log.c
WARNS=	5

.include <bsd.lib.mk>

/*	$NetBSD: npfext_log.c,v 1.1 2012/09/16 13:47:42 rmind Exp $	*/

/*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: npfext_log.c,v 1.1 2012/09/16 13:47:42 rmind Exp $");

#include <sys/types.h>
#include <net/if.h>

#include <string.h>
#include <assert.h>
#include <errno.h>

#include <npf.h>

int		npfext_log_init(void);
nl_ext_t *	npfext_log_construct(const char *);
int		npfext_log_param(nl_ext_t *, const char *, const char *);

int
npfext_log_init(void)
{
	/* Nothing to initialise. */
	return 0;
}

nl_ext_t *
npfext_log_construct(const char *name)
{
	assert(strcmp(name, "log") == 0);
	return npf_ext_construct(name);
}

int
npfext_log_param(nl_ext_t *ext, const char *param, const char *val __unused)
{
	unsigned long if_idx;

	assert(param != NULL);

	if_idx = if_nametoindex(param);
	if (if_idx == 0) {
		return EINVAL;
	}
	npf_ext_param_u32(ext, "log-interface", if_idx);
	return 0;
}

# $NetBSD: shlib_version,v 1.1 2012/09/16 13:47:42 rmind Exp $

major=0
minor=0

# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $

.include <bsd.own.mk>

LIBISMODULE= yes
LIBDIR=	/usr/lib/npf

LIB=	ext_normalise

SRCS=	npfext_normalise.c
WARNS=	5

.include <bsd.lib.mk>

/*	$NetBSD: npfext_normalise.c,v 1.1 2012/09/16 13:47:42 rmind Exp $	*/

/*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: npfext_normalise.c,v 1.1 2012/09/16 13:47:42 rmind Exp $");

#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <errno.h>

#include <npf.h>

int		npfext_normalise_init(void);
nl_ext_t *	npfext_normalise_construct(const char *);
int		npfext_normalise_param(nl_ext_t *, const char *, const char *);

int
npfext_normalise_init(void)
{
	/* Nothing to initialise. */
	return 0;
}

nl_ext_t *
npfext_normalise_construct(const char *name)
{
	assert(strcmp(name, "normalise") == 0);
	return npf_ext_construct(name);
}

int
npfext_normalise_param(nl_ext_t *ext, const char *param, const char *val)
{
	enum ptype {
		PARAM_BOOL,
		PARAM_U32
	};
	static const struct param {
		const char *	name;
		enum ptype	type;
		bool		reqval;
	} params[] = {
		{ "random-id",	PARAM_BOOL,	false	},
		{ "no-df",	PARAM_BOOL,	false	},
		{ "min-ttl",	PARAM_U32,	true	},
		{ "max-mss",	PARAM_U32,	true	},
	};

	for (unsigned i = 0; i < __arraycount(params); i++) {
		const char *name = params[i].name;

		if (strcmp(name, param) != 0) {
			continue;
		}
		if (val == NULL && params[i].reqval) {
			return EINVAL;
		}

		switch (params[i].type) {
		case PARAM_BOOL:
			npf_ext_param_bool(ext, name, true);
			break;
		case PARAM_U32:
			npf_ext_param_u32(ext, name, atol(val));
			break;
		default:
			assert(false);
		}
		return 0;
	}

	/* Invalid parameter, if not found. */
	return EINVAL;
}

# $NetBSD: shlib_version,v 1.1 2012/09/16 13:47:42 rmind Exp $

major=0
minor=0

--- src/sys/modules/Makefile 2012/08/06 10:31:41	1.110
+++ src/sys/modules/Makefile 2012/09/16 13:47:41	1.111

 @@ -1,14 +1,14 @@
-#	$NetBSD: Makefile,v 1.110 2012/08/06 10:31:41 martin Exp $
+#	$NetBSD: Makefile,v 1.111 2012/09/16 13:47:41 rmind Exp $
 .include <bsd.own.mk>
 # For all platforms
 SUBDIR=		accf_dataready
 SUBDIR+=	accf_httpready
 SUBDIR+=	adosfs
 SUBDIR+=	aio
 SUBDIR+=	bpf
 SUBDIR+=	cd9660
 SUBDIR+=	coda
 SUBDIR+=	coda5
 @@ -38,26 +38,28 @@ SUBDIR+=	layerfs
 SUBDIR+=	lfs
 SUBDIR+=	mfs
 SUBDIR+=	miiverbose
 SUBDIR+=	miniroot
 SUBDIR+=	mqueue
 SUBDIR+=	msdos
 SUBDIR+=	nand
 SUBDIR+=	nandemulator
 SUBDIR+=	nfs
 SUBDIR+=	nfsserver
 SUBDIR+=	nilfs
 SUBDIR+=	npf
 SUBDIR+=	npf_alg_icmp
 SUBDIR+=	npf_ext_log
 SUBDIR+=	npf_ext_normalise
 SUBDIR+=	ntfs
 SUBDIR+=	null
 SUBDIR+=	onewire
 SUBDIR+=	overlay
 SUBDIR+=	pciverbose
 SUBDIR+=	pf
 SUBDIR+=	ppp_bsdcomp
 SUBDIR+=	ppp_deflate
 SUBDIR+=	procfs
 SUBDIR+=	ptyfs
 SUBDIR+=	puffs
 SUBDIR+=	putter
 SUBDIR+=	scsiverbose

--- src/sys/modules/npf/Makefile 2012/08/12 03:35:14	1.10
+++ src/sys/modules/npf/Makefile 2012/09/16 13:47:42	1.11

 @@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.10 2012/08/12 03:35:14 rmind Exp $
+# $NetBSD: Makefile,v 1.11 2012/09/16 13:47:42 rmind Exp $
 .include "../Makefile.inc"
 .PATH:		${S}/net/npf
 KMOD=		npf
 SRCS=		npf.c npf_alg.c npf_ctl.c npf_handler.c
-SRCS+=		npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
+SRCS+=		npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
 SRCS+=		npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
 SRCS+=		npf_session.c npf_state.c npf_state_tcp.c
 SRCS+=		npf_tableset.c npf_tableset_ptree.c
 CPPFLAGS+=	-DINET6
 .include <bsd.kmodule.mk>

# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:42 rmind Exp $

.include "../Makefile.inc"

.PATH:		${S}/net/npf

KMOD=		npf_ext_log

SRCS=		npf_ext_log.c

.include <bsd.kmodule.mk>

# $NetBSD: Makefile,v 1.1 2012/09/16 13:47:43 rmind Exp $

.include "../Makefile.inc"

.PATH:		${S}/net/npf

KMOD=		npf_ext_normalise

SRCS=		npf_ext_normalise.c

.include <bsd.kmodule.mk>

--- src/sys/net/npf/files.npf 2012/07/15 00:22:59	1.7
+++ src/sys/net/npf/files.npf 2012/09/16 13:47:41	1.8

 @@ -1,14 +1,14 @@
-# $NetBSD: files.npf,v 1.7 2012/07/15 00:22:59 rmind Exp $
+# $NetBSD: files.npf,v 1.8 2012/09/16 13:47:41 rmind Exp $
+#
 # Public Domain.
+#
+#
 # NPF pseudo device and modules.
+#
 defpseudo	npf:	ifnet
 # Core
 file	net/npf/npf.c				npf
 file	net/npf/npf_ctl.c			npf
 @@ -17,17 +17,20 @@ file	net/npf/npf_instr.c			npf
 file	net/npf/npf_mbuf.c			npf
 file	net/npf/npf_processor.c			npf
 file	net/npf/npf_ruleset.c			npf
 file	net/npf/npf_rproc.c			npf
 file	net/npf/npf_tableset.c			npf
 file	net/npf/npf_tableset_ptree.c		npf
 file	net/npf/npf_inet.c			npf
 file	net/npf/npf_session.c			npf
 file	net/npf/npf_state.c			npf
 file	net/npf/npf_state_tcp.c			npf
 file	net/npf/npf_nat.c			npf
 file	net/npf/npf_alg.c			npf
 file	net/npf/npf_sendpkt.c			npf
 file	net/npf/npf_log.c			npf
 # Built-in extensions.
 file	net/npf/npf_ext_log.c			npf
 file	net/npf/npf_ext_normalise.c		npf
 # ALGs
 file	net/npf/npf_alg_icmp.c			npf

--- src/sys/net/npf/npf.c 2012/07/15 00:23:00	1.12
+++ src/sys/net/npf/npf.c 2012/09/16 13:47:41	1.13

 @@ -1,17 +1,17 @@
-/*	$NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.13 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF main: dynamic load/initialisation and unload routines.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.12 2012/07/15 00:23:00 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.13 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/conf.h>
 #include <sys/kauth.h>
 #include <sys/kmem.h>
 #include <sys/lwp.h>
 #include <sys/module.h>
 #include <sys/percpu.h>
 #include <sys/rwlock.h>
 #include <sys/socketvar.h>
 @@ -97,27 +97,27 @@ npf_init(void)
 	npf_ruleset_t *rset, *nset;
 	npf_tableset_t *tset;
 	prop_dictionary_t dict;
 	int error = 0;
 	rw_init(&npf_lock);
 	npf_stats_percpu = percpu_alloc(NPF_STATS_SIZE);
 	npf_sysctl = NULL;
 	npf_tableset_sysinit();
 	npf_session_sysinit();
 	npf_nat_sysinit();
 	npf_alg_sysinit();
-	npflogattach(1);
+	npf_ext_sysinit();
 	/* Load empty configuration. */
 	dict = prop_dictionary_create();
 	rset = npf_ruleset_create();
 	tset = npf_tableset_create();
 	nset = npf_ruleset_create();
 	npf_reload(dict, rset, tset, nset, true);
 	KASSERT(npf_core != NULL);
 #ifdef _MODULE
 	/* Attach /dev/npf device. */
 	error = devsw_attach("npf", NULL, &bmajor, &npf_cdevsw, &cmajor);
 	if (error) {
 @@ -126,34 +126,34 @@ npf_init(void)
+	}
 #endif
 	return error;
+}
 static int
 npf_fini(void)
+{
 	/* At first, detach device and remove pfil hooks. */
 #ifdef _MODULE
 	devsw_detach(NULL, &npf_cdevsw);
 #endif
 	npflogdetach();
 	npf_pfil_unregister();
 	/* Flush all sessions, destroy configuration (ruleset, etc). */
 	npf_session_tracking(false);
 	npf_core_destroy(npf_core);
 	/* Finally, safe to destroy the subsystems. */
 	npf_ext_sysfini();
 	npf_alg_sysfini();
 	npf_nat_sysfini();
 	npf_session_sysfini();
 	npf_tableset_sysfini();
 	if (npf_sysctl) {
 		sysctl_teardown(&npf_sysctl);
+	}
 	percpu_free(npf_stats_percpu, NPF_STATS_SIZE);
 	rw_destroy(&npf_lock);
 	return 0;
+}
 @@ -161,27 +161,27 @@ npf_fini(void)
 /*
  * Module interface.
  */
 static int
 npf_modcmd(modcmd_t cmd, void *arg)
+{
 	switch (cmd) {
 	case MODULE_CMD_INIT:
 		return npf_init();
 	case MODULE_CMD_FINI:
 		return npf_fini();
 	case MODULE_CMD_AUTOUNLOAD:
-		if (npf_pfil_registered_p() || !npf_default_pass()) {
+		if (npf_autounload_p()) {
 			return EBUSY;
+		}
 		break;
 	default:
 		return ENOTTY;
+	}
 	return 0;
+}
 void
 npfattach(int nunits)
+{
 @@ -360,26 +360,32 @@ prop_dictionary_t
 npf_core_dict(void)
+{
 	KASSERT(rw_lock_held(&npf_lock));
 	return npf_core->n_dict;
+}
 bool
 npf_default_pass(void)
+{
 	KASSERT(rw_lock_held(&npf_lock));
 	return npf_core->n_default_pass;
+}
 bool
 npf_autounload_p(void)
+{
 	return !npf_pfil_registered_p() && npf_default_pass();
+}
 /*
  * NPF statistics interface.
  */
 void
 npf_stats_inc(npf_stats_t st)
+{
 	uint64_t *stats = percpu_getref(npf_stats_percpu);
 	stats[st]++;
 	percpu_putref(npf_stats_percpu);
+}
 void

--- src/sys/net/npf/npf.h 2012/07/19 21:52:29	1.20
+++ src/sys/net/npf/npf.h 2012/09/16 13:47:41	1.21

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf.h,v 1.20 2012/07/19 21:52:29 spz Exp $	*/
+/*	$NetBSD: npf.h,v 1.21 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -35,46 +35,46 @@
 #ifndef _NPF_NET_H_
 #define _NPF_NET_H_
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <prop/proplib.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
-#define	NPF_VERSION		5
+#define	NPF_VERSION		6
 /*
  * Public declarations and definitions.
  */
 /* Storage of address (both for IPv4 and IPv6) and netmask */
 typedef struct in6_addr		npf_addr_t;
 typedef uint8_t			npf_netmask_t;
 #define	NPF_MAX_NETMASK		(128)
 #define	NPF_NO_NETMASK		((npf_netmask_t)~0)
 #if defined(_KERNEL)
-/* Network buffer. */
+#define	NPF_DECISION_BLOCK	0
-typedef void			nbuf_t;
+#define	NPF_DECISION_PASS	1
-struct npf_rproc;
+#define	NPF_EXT_MODULE(name, req)	\
-typedef struct npf_rproc	npf_rproc_t;
+    MODULE(MODULE_CLASS_MISC, name, "npf," req)
 /*
  * Packet information cache.
  */
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/icmp6.h>
 #define	NPC_IP4		0x01	/* Indicates fetched IPv4 header. */
 #define	NPC_IP6		0x02	/* Indicates IPv6 header. */
 @@ -123,55 +123,82 @@ static inline int
 npf_cache_ipproto(const npf_cache_t *npc)
+{
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	return npc->npc_next_proto;
+}
 static inline u_int
 npf_cache_hlen(const npf_cache_t *npc)
+{
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	return npc->npc_hlen;
+}
-/* Network buffer interface. */
+/*
  * Network buffer interface.
  */
 typedef void	nbuf_t;
 void *		nbuf_dataptr(void *);
 void *		nbuf_advance(nbuf_t **, void *, u_int);
 int		nbuf_advfetch(nbuf_t **, void **, u_int, size_t, void *);
 int		nbuf_advstore(nbuf_t **, void **, u_int, size_t, void *);
 int		nbuf_fetch_datum(nbuf_t *, void *, size_t, void *);
 int		nbuf_store_datum(nbuf_t *, void *, size_t, void *);
 int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
 int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
 /*
  * NPF extensions and rule procedure interface.
  */
 struct npf_rproc;
 typedef struct npf_rproc	npf_rproc_t;
 void		npf_rproc_assign(npf_rproc_t *, void *);
 typedef struct {
 	unsigned int	version;
 	void *		ctx;
 	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
 	void		(*dtor)(npf_rproc_t *, void *);
 	void		(*proc)(npf_cache_t *, nbuf_t *, void *, int *);
 } npf_ext_ops_t;
 void *		npf_ext_register(const char *, const npf_ext_ops_t *);
 int		npf_ext_unregister(void *);
 /*
  * Misc.
  */
 bool		npf_autounload_p(void);
 #endif	/* _KERNEL */
 /* Rule attributes. */
 #define	NPF_RULE_PASS			0x0001
 #define	NPF_RULE_DEFAULT		0x0002
 #define	NPF_RULE_FINAL			0x0004
 #define	NPF_RULE_STATEFUL		0x0008
 #define	NPF_RULE_RETRST			0x0010
 #define	NPF_RULE_RETICMP		0x0020
 #define	NPF_RULE_IN			0x10000000
 #define	NPF_RULE_OUT			0x20000000
 #define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)
 /* Rule procedure flags. */
 #define	NPF_RPROC_LOG			0x0001
 #define	NPF_RPROC_NORMALIZE		0x0002
 /* Address translation types and flags. */
 #define	NPF_NATIN			1
 #define	NPF_NATOUT			2
 #define	NPF_NAT_PORTS			0x01
 #define	NPF_NAT_PORTMAP			0x02
 /* Table types. */
 #define	NPF_TABLE_HASH			1
 #define	NPF_TABLE_TREE			2
 /* Layers. */
 #define	NPF_LAYER_2			2
 @@ -206,29 +233,26 @@ typedef enum {
 	/* Session and NAT entries. */
 	NPF_STAT_SESSION_CREATE,
 	NPF_STAT_SESSION_DESTROY,
 	NPF_STAT_NAT_CREATE,
 	NPF_STAT_NAT_DESTROY,
 	/* Invalid state cases. */
 	NPF_STAT_INVALID_STATE,
 	NPF_STAT_INVALID_STATE_TCP1,
 	NPF_STAT_INVALID_STATE_TCP2,
 	NPF_STAT_INVALID_STATE_TCP3,
 	/* Raced packets. */
 	NPF_STAT_RACE_SESSION,
 	NPF_STAT_RACE_NAT,
 	/* Rule procedure cases. */
 	NPF_STAT_RPROC_LOG,
 	NPF_STAT_RPROC_NORM,
 	/* Fragments. */
 	NPF_STAT_FRAGMENTS,
 	NPF_STAT_REASSEMBLY,
 	NPF_STAT_REASSFAIL,
 	/* Other errors. */
 	NPF_STAT_ERROR,
 	/* Count (last). */
 	NPF_STATS_COUNT
 } npf_stats_t;
 #define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
 /*

--- src/sys/net/npf/npf_ctl.c 2012/08/15 18:44:56	1.17
+++ src/sys/net/npf/npf_ctl.c 2012/09/16 13:47:41	1.18

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ctl.c,v 1.17 2012/08/15 18:44:56 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.18 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -27,27 +27,27 @@
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF device control.
+ *
  * Implementation of (re)loading, construction of tables and rules.
  * NPF proplib(9) dictionary consumer.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.17 2012/08/15 18:44:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.18 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <prop/proplib.h>
 #include "npf_ncode.h"
 #include "npf_impl.h"
 #if defined(DEBUG) || defined(DIAGNOSTIC)
 #define	NPF_ERR_DEBUG(e) \
 	prop_dictionary_set_cstring_nocopy((e), "source-file", __FILE__); \
 	prop_dictionary_set_uint32((e), "source-line", __LINE__);
 @@ -152,49 +152,71 @@ npf_mk_tables(npf_tableset_t *tblset, pr
 			break;
+	}
 	prop_object_iterator_release(it);
 	/*
 	 * Note: in a case of error, caller will free the tableset.
 	 */
 	return error;
+}
 static npf_rproc_t *
 npf_mk_rproc(prop_array_t rprocs, const char *rpname)
+{
 	prop_object_iterator_t it;
-	prop_dictionary_t rpdict;
+	prop_dictionary_t rpdict, extdict;
 	prop_array_t extlist;
 	npf_rproc_t *rp;
 	const char *name;
 	uint64_t rpval;
 	it = prop_array_iterator(rprocs);
 	while ((rpdict = prop_object_iterator_next(it)) != NULL) {
-		const char *iname;
+		prop_dictionary_get_cstring_nocopy(rpdict, "name", &name);
-		prop_dictionary_get_cstring_nocopy(rpdict, "name", &iname);
+		KASSERT(name != NULL);
-		KASSERT(iname != NULL);
+		if (strcmp(rpname, name) == 0)
 		if (strcmp(rpname, iname) == 0)
 			break;
+	}
 	prop_object_iterator_release(it);
-	if (rpdict == NULL) {
+	if (!rpdict) {
 		return NULL;
+	}
 	CTASSERT(sizeof(uintptr_t) <= sizeof(uint64_t));
-	if (!prop_dictionary_get_uint64(rpdict, "rproc-ptr", &rpval)) {
+	if (prop_dictionary_get_uint64(rpdict, "rproc-ptr", &rpval)) {
-		rp = npf_rproc_create(rpdict);
+		return (npf_rproc_t *)(uintptr_t)rpval;
+	}
 	extlist = prop_dictionary_get(rpdict, "extcalls");
 	if (prop_object_type(extlist) != PROP_TYPE_ARRAY) {
 		return NULL;
+	}
 	rp = npf_rproc_create(rpdict);
 	if (!rp) {
 		return NULL;
+	}
 	it = prop_array_iterator(extlist);
 	while ((extdict = prop_object_iterator_next(it)) != NULL) {
 		if (!prop_dictionary_get_cstring_nocopy(extdict,
 		    "name", &name) || npf_ext_construct(name, rp, extdict)) {
 			npf_rproc_release(rp);
 			rp = NULL;
 			break;
+		}
+	}
 	prop_object_iterator_release(it);
 	if (rp) {
 		rpval = (uint64_t)(uintptr_t)rp;
 		prop_dictionary_set_uint64(rpdict, "rproc-ptr", rpval);
 	} else {
 		rp = (npf_rproc_t *)(uintptr_t)rpval;
+	}
 	return rp;
+}
 static int __noinline
 npf_mk_ncode(prop_object_t obj, void **code, size_t *csize,
     prop_dictionary_t errdict)
+{
 	const void *ncptr;
 	int nc_err, errat;
 	size_t nc_size;
 	void *nc;
 @@ -232,60 +254,60 @@ npf_mk_singlerule(prop_dictionary_t rldi
 	const char *rnm;
 	npf_rproc_t *rp;
 	prop_object_t obj;
 	size_t nc_size;
 	void *nc;
 	int p, error;
 	/* Rule - dictionary. */
 	if (prop_object_type(rldict) != PROP_TYPE_DICTIONARY) {
 		NPF_ERR_DEBUG(errdict);
 		return EINVAL;
+	}
 	/* Make the rule procedure, if any. */
 	if (rps && prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rnm)) {
 		rp = npf_mk_rproc(rps, rnm);
 		if (rp == NULL) {
 			NPF_ERR_DEBUG(errdict);
 			error = EINVAL;
 			goto err;
+		}
 	} else {
 		rp = NULL;
+	}
 	error = 0;
 	obj = prop_dictionary_get(rldict, "ncode");
 	if (obj) {
 		/* N-code (binary data). */
 		error = npf_mk_ncode(obj, &nc, &nc_size, errdict);
 		if (error) {
 			goto err;
+		}
 	} else {
 		/* No n-code. */
 		nc = NULL;
 		nc_size = 0;
+	}
 	/* Check for rule procedure. */
 	if (rps && prop_dictionary_get_cstring_nocopy(rldict, "rproc", &rnm)) {
 		rp = npf_mk_rproc(rps, rnm);
 		if (rp == NULL) {
 			if (nc) {
 				npf_ncode_free(nc, nc_size);	/* XXX */
 			NPF_ERR_DEBUG(errdict);
 			error = EINVAL;
 			goto err;
 	} else {
 		rp = NULL;
 	/* Finally, allocate and return the rule. */
 	*rl = npf_rule_alloc(rldict, rp, nc, nc_size);
 	KASSERT(*rl != NULL);
 	return 0;
 err:
 	if (rp) {
 		npf_rproc_release(rp);
+	}
 	prop_dictionary_get_int32(rldict, "priority", &p); /* XXX */
 	prop_dictionary_set_int32(errdict, "id", p);
 	return error;
+}
 static int __noinline
 npf_mk_subrules(npf_ruleset_t *rlset, prop_array_t rules, prop_array_t rprocs,
     prop_dictionary_t errdict)
+{
 	prop_object_iterator_t it;
 	prop_dictionary_t rldict;
 	int error = 0;
 @@ -501,32 +523,33 @@ fail:
 		npf_ruleset_destroy(nset);
+	}
 	if (rlset) {
 		npf_ruleset_destroy(rlset);
+	}
 	if (tblset) {
 		npf_tableset_destroy(tblset);
+	}
 	if (error) {
 		prop_object_release(npf_dict);
+	}
 	/* Error report. */
 	prop_dictionary_set_int32(errdict, "errno", error);
 #ifndef _NPF_TESTING
 	prop_dictionary_set_int32(errdict, "errno", error);
 	prop_dictionary_copyout_ioctl(pref, cmd, errdict);
 #endif
 	prop_object_release(errdict);
-	return 0;
+	error = 0;
 #endif
 	return error;
+}
 int
 npfctl_getconf(u_long cmd, void *data)
+{
 	struct plistref *pref = data;
 	prop_dictionary_t npf_dict;
 	int error;
 	npf_core_enter();
 	npf_dict = npf_core_dict();
 	prop_dictionary_set_bool(npf_dict, "active", npf_pfil_registered_p());
 	error = prop_dictionary_copyout_ioctl(pref, cmd, npf_dict);

/*	$NetBSD: npf_ext_log.c,v 1.1 2012/09/16 13:47:41 rmind Exp $	*/

/*-
 * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * NPF logging extension.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_ext_log.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");

#include <sys/types.h>
#include <sys/module.h>

#include <sys/conf.h>
#include <sys/kmem.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
#include <sys/queue.h>

#include <net/if.h>
#include <net/if_types.h>
#include <net/bpf.h>

#include "npf_impl.h"

NPF_EXT_MODULE(npf_ext_log, "");

#define	NPFEXT_LOG_VER		1

static void *		npf_ext_log_id;

typedef struct {
	unsigned int	if_idx;
} npf_ext_log_t;

typedef struct npflog_softc {
	LIST_ENTRY(npflog_softc)	sc_entry;
	kmutex_t			sc_lock;
	ifnet_t				sc_if;
	int				sc_unit;
} npflog_softc_t;

static int	npflog_clone_create(struct if_clone *, int);
static int	npflog_clone_destroy(ifnet_t *);

static LIST_HEAD(, npflog_softc)	npflog_if_list	__cacheline_aligned;
static struct if_clone			npflog_cloner =
    IF_CLONE_INITIALIZER("npflog", npflog_clone_create, npflog_clone_destroy);

void
npflogattach(int nunits)
{

	LIST_INIT(&npflog_if_list);
	if_clone_attach(&npflog_cloner);
}

void
npflogdetach(void)
{
	npflog_softc_t *sc;

	while ((sc = LIST_FIRST(&npflog_if_list)) != NULL) {
		npflog_clone_destroy(&sc->sc_if);
	}
	if_clone_detach(&npflog_cloner);
}

static int
npflog_ioctl(ifnet_t *ifp, u_long cmd, void *data)
{
	npflog_softc_t *sc = ifp->if_softc;
	int error = 0;

	mutex_enter(&sc->sc_lock);
	switch (cmd) {
	case SIOCINITIFADDR:
		ifp->if_flags |= (IFF_UP | IFF_RUNNING);
		break;
	default:
		error = ifioctl_common(ifp, cmd, data);
		break;
	}
	mutex_exit(&sc->sc_lock);
	return error;
}

static int
npflog_clone_create(struct if_clone *ifc, int unit)
{
	npflog_softc_t *sc;
	ifnet_t *ifp;

	sc = kmem_zalloc(sizeof(npflog_softc_t), KM_SLEEP);
	mutex_init(&sc->sc_lock, MUTEX_DEFAULT, IPL_SOFTNET);

	ifp = &sc->sc_if;
	ifp->if_softc = sc;

	if_initname(ifp, "npflog", unit);
	ifp->if_type = IFT_OTHER;
	ifp->if_dlt = DLT_NULL;
	ifp->if_ioctl = npflog_ioctl;

	KERNEL_LOCK(1, NULL);
	if_attach(ifp);
	if_alloc_sadl(ifp);
	bpf_attach(ifp, DLT_NULL, 0);
	LIST_INSERT_HEAD(&npflog_if_list, sc, sc_entry);
	KERNEL_UNLOCK_ONE(NULL);

	return 0;
}

static int
npflog_clone_destroy(ifnet_t *ifp)
{
	npflog_softc_t *sc = ifp->if_softc;

	KERNEL_LOCK(1, NULL);
	LIST_REMOVE(sc, sc_entry);
	bpf_detach(ifp);
	if_detach(ifp);
	KERNEL_UNLOCK_ONE(NULL);

	mutex_destroy(&sc->sc_lock);
	kmem_free(sc, sizeof(npflog_softc_t));
	return 0;
}

static int
npf_log_ctor(npf_rproc_t *rp, prop_dictionary_t params)
{
	npf_ext_log_t *meta;

	meta = kmem_zalloc(sizeof(npf_ext_log_t), KM_SLEEP);
	prop_dictionary_get_uint32(params, "log-interface", &meta->if_idx);
	npf_rproc_assign(rp, meta);
	return 0;
}

static void
npf_log_dtor(npf_rproc_t *rp, void *meta)
{
	kmem_free(meta, sizeof(npf_ext_log_t));
}

static void
npf_log(npf_cache_t *npc, nbuf_t *nbuf, void *meta, int *decision)
{
	const npf_ext_log_t *log = meta;
	struct mbuf *m = nbuf;
	ifnet_t *ifp;
	int family;

	/* Set the address family. */
	if (npf_iscached(npc, NPC_IP4)) {
		family = AF_INET;
	} else if (npf_iscached(npc, NPC_IP6)) {
		family = AF_INET6;
	} else {
		family = AF_UNSPEC;
	}

	KERNEL_LOCK(1, NULL);

	/* Find a pseudo-interface to log. */
	ifp = if_byindex(log->if_idx);
	if (ifp == NULL) {
		/* No interface. */
		KERNEL_UNLOCK_ONE(NULL);
		return;
	}

	/* Pass through BPF. */
	ifp->if_opackets++;
	ifp->if_obytes += m->m_pkthdr.len;
	bpf_mtap_af(ifp, family, m);
	KERNEL_UNLOCK_ONE(NULL);
}

/*
 * Module interface.
 */
static int
npf_ext_log_modcmd(modcmd_t cmd, void *arg)
{
	static const npf_ext_ops_t npf_log_ops = {
		.version	= NPFEXT_LOG_VER,
		.ctx		= NULL,
		.ctor		= npf_log_ctor,
		.dtor		= npf_log_dtor,
		.proc		= npf_log
	};
	int error;

	switch (cmd) {
	case MODULE_CMD_INIT:
		/*
		 * Initialise the NPF logging extension.
		 */
		npflogattach(1);
		npf_ext_log_id = npf_ext_register("log", &npf_log_ops);
		if (!npf_ext_log_id) {
			npflogdetach();
			return EEXIST;
		}
		break;

	case MODULE_CMD_FINI:
		error = npf_ext_unregister(npf_ext_log_id);
		if (error) {
			return error;
		}
		npflogdetach();
		break;

	case MODULE_CMD_AUTOUNLOAD:
		/* Allow auto-unload only if NPF permits it. */
		return npf_autounload_p() ? 0 : EBUSY;

	default:
		return ENOTTY;
	}
	return 0;
}

/*	$NetBSD: npf_ext_normalise.c,v 1.1 2012/09/16 13:47:41 rmind Exp $	*/

/*-
 * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_ext_normalise.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");

#include <sys/types.h>
#include <sys/module.h>
#include <sys/kmem.h>

#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/in_var.h>

#include "npf.h"
#include "npf_impl.h"

/*
 * NPF extension module definition and the identifier.
 */
NPF_EXT_MODULE(npf_ext_normalise, "");

#define	NPFEXT_NORMALISE_VER	1

static void *		npf_ext_normalise_id;

/*
 * Normalisation parameters.
 */
typedef struct {
	u_int		n_minttl;
	u_int		n_maxmss;
	bool		n_random_id;
	bool		n_no_df;
} npf_normalise_t;

/*
 * npf_normalise_ctor: a constructor for the normalisation rule procedure
 * with the given parameters.
 */
static int
npf_normalise_ctor(npf_rproc_t *rp, prop_dictionary_t params)
{
	npf_normalise_t *np;

	/* Create a structure for normalisation parameters. */
	np = kmem_zalloc(sizeof(npf_normalise_t), KM_SLEEP);

	/* IP ID randomisation and IP_DF flag cleansing. */
	prop_dictionary_get_bool(params, "random-id", &np->n_random_id);
	prop_dictionary_get_bool(params, "no-df", &np->n_no_df);

	/* Minimum IP TTL and maximum TCP MSS. */
	prop_dictionary_get_uint32(params, "min-ttl", &np->n_minttl);
	prop_dictionary_get_uint32(params, "max-mss", &np->n_maxmss);

	/* Assign the parameters for this rule procedure. */
	npf_rproc_assign(rp, np);
	return 0;
}

/*
 * npf_normalise_dtor: a destructor for a normalisation rule procedure.
 */
static void
npf_normalise_dtor(npf_rproc_t *rp, void *params)
{
	/* Free our meta-data, associated with the procedure. */
	kmem_free(params, sizeof(npf_normalise_t));
}

/*
 * npf_normalise_ip4: routine to normalise IPv4 header (randomise ID,
 * clear "don't fragment" and/or enforce minimum TTL).
 */
static inline bool
npf_normalise_ip4(npf_cache_t *npc, nbuf_t *nbuf, npf_normalise_t *np)
{
	void *n_ptr = nbuf_dataptr(nbuf);
	struct ip *ip = &npc->npc_ip.v4;
	uint16_t cksum = ip->ip_sum;
	uint16_t ip_off = ip->ip_off;
	uint8_t ttl = ip->ip_ttl;
	u_int minttl = np->n_minttl;
	u_int offby = 0;

	KASSERT(np->n_random_id || np->n_no_df || minttl);

	/* Randomise IPv4 ID. */
	if (np->n_random_id) {
		uint16_t oid = ip->ip_id, nid;

		nid = htons(ip_randomid(ip_ids, 0));
		offby = offsetof(struct ip, ip_id);
		if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(nid), &nid)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, oid, nid);
		ip->ip_id = nid;
	}

	/* IP_DF flag cleansing. */
	if (np->n_no_df && (ip_off & htons(IP_DF)) != 0) {
		uint16_t nip_off = ip_off & ~htons(IP_DF);

		if (nbuf_advstore(&nbuf, &n_ptr,
		    offsetof(struct ip, ip_off) - offby,
		    sizeof(uint16_t), &nip_off)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, ip_off, nip_off);
		ip->ip_off = nip_off;
		offby = offsetof(struct ip, ip_off);
	}

	/* Enforce minimum TTL. */
	if (minttl && ttl < minttl) {
		if (nbuf_advstore(&nbuf, &n_ptr,
		    offsetof(struct ip, ip_ttl) - offby,
		    sizeof(uint8_t), &minttl)) {
			return false;
		}
		cksum = npf_fixup16_cksum(cksum, ttl, minttl);
		ip->ip_ttl = minttl;
		offby = offsetof(struct ip, ip_ttl);
	}

	/* Update IPv4 checksum. */
	offby = offsetof(struct ip, ip_sum) - offby;
	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
		return false;
	}
	ip->ip_sum = cksum;
	return true;
}

/*
 * npf_normalise: the main routine to normalise IPv4 and/or TCP headers.
 */
static void
npf_normalise(npf_cache_t *npc, nbuf_t *nbuf, void *params, int *decision)
{
	npf_normalise_t *np = params;
	void *n_ptr = nbuf_dataptr(nbuf);
	struct tcphdr *th = &npc->npc_l4.tcp;
	u_int offby, maxmss = np->n_maxmss;
	uint16_t cksum, mss;
	int wscale;

	/* Skip, if already blocking. */
	if (*decision == NPF_DECISION_BLOCK) {
		return;
	}

	/* Normalise IPv4. */
	if (npf_iscached(npc, NPC_IP4) && (np->n_random_id || np->n_minttl)) {
		if (!npf_normalise_ip4(npc, nbuf, np)) {
			return;
		}
	} else if (!npf_iscached(npc, NPC_IP6)) {
		/* If not IPv6, then nothing to do. */
		return;
	}

	/*
	 * TCP Maximum Segment Size (MSS) "clamping".  Only if SYN packet.
	 * Fetch MSS and check whether rewrite to lower is needed.
	 */
	if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
	    (th->th_flags & TH_SYN) == 0) {
		/* Not required; done. */
		return;
	}
	mss = 0;
	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
		return;
	}
	if (ntohs(mss) <= maxmss) {
		/* Nothing else to do. */
		return;
	}

	/* Calculate TCP checksum, then rewrite MSS and the checksum. */
	maxmss = htons(maxmss);
	cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
	th->th_sum = cksum;
	mss = maxmss;
	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
		return;
	}
	offby = npf_cache_hlen(npc) + offsetof(struct tcphdr, th_sum);
	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
		return;
	}
}

static int
npf_ext_normalise_modcmd(modcmd_t cmd, void *arg)
{
	static const npf_ext_ops_t npf_normalise_ops = {
		.version	= NPFEXT_NORMALISE_VER,
		.ctx		= NULL,
		.ctor		= npf_normalise_ctor,
		.dtor		= npf_normalise_dtor,
		.proc		= npf_normalise
	};

	switch (cmd) {
	case MODULE_CMD_INIT:
		/*
		 * Initialise normalisation module.  Register the "normalise"
		 * extension and its calls.
		 */
		npf_ext_normalise_id =
		    npf_ext_register("normalise", &npf_normalise_ops);
		return npf_ext_normalise_id ? 0 : EEXIST;

	case MODULE_CMD_FINI:
		/* Unregister the normalisation rule procedure. */
		return npf_ext_unregister(npf_ext_normalise_id);

	case MODULE_CMD_AUTOUNLOAD:
		return npf_autounload_p() ? 0 : EBUSY;

	default:
		return ENOTTY;
	}
	return 0;
}

--- src/sys/net/npf/npf_handler.c 2012/08/12 03:35:14	1.21
+++ src/sys/net/npf/npf_handler.c 2012/09/16 13:47:41	1.22

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.22 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF packet handler.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.21 2012/08/12 03:35:14 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.22 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <net/if.h>
 #include <net/pfil.h>
 #include <sys/socketvar.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/ip_var.h>
 @@ -197,30 +197,31 @@ npf_packet_handler(void *arg, struct mbu
 		if (se) {
 			npf_session_setpass(se, rp);
+		}
+	}
 pass:
 	decision = NPF_DECISION_PASS;
 	KASSERT(error == 0);
 	/*
 	 * Perform NAT.
 	 */
 	error = npf_do_nat(&npc, se, nbuf, ifp, di);
 block:
 	/*
-	 * Execute rule procedure, if any.
+	 * Execute the rule procedure, if any is associated.
 	 * It may reverse the decision from pass to block.
 	 */
 	if (rp) {
-		npf_rproc_run(&npc, nbuf, rp, error);
+		npf_rproc_run(&npc, nbuf, rp, &decision);
+	}
 out:
 	/*
 	 * Release the reference on a session.  Release the reference on a
 	 * rule procedure only if there was no association.
 	 */
 	if (se) {
 		npf_session_release(se);
 	} else if (rp) {
 		npf_rproc_release(rp);
+	}
 	/* Pass the packet if decided and there is no error. */

--- src/sys/net/npf/npf_impl.h 2012/08/15 19:47:38	1.22
+++ src/sys/net/npf/npf_impl.h 2012/09/16 13:47:41	1.23

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_impl.h,v 1.22 2012/08/15 19:47:38 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.23 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -84,29 +84,26 @@ struct npf_sehash;
 struct npf_tblent;
 struct npf_table;
 typedef struct npf_sehash	npf_sehash_t;
 typedef struct npf_tblent	npf_tblent_t;
 typedef struct npf_table	npf_table_t;
 typedef npf_table_t *		npf_tableset_t;
 /*
  * DEFINITIONS.
  */
 #define	NPF_DECISION_BLOCK	0
 #define	NPF_DECISION_PASS	1
 typedef bool (*npf_algfunc_t)(npf_cache_t *, nbuf_t *, void *);
 #define	NPF_NCODE_LIMIT		1024
 #define	NPF_TABLE_SLOTS		32
 /*
  * SESSION STATE STRUCTURES
  */
 #define	NPF_FLOW_FORW		0
 #define	NPF_FLOW_BACK		1
 typedef struct {
 @@ -147,27 +144,26 @@ int		npfctl_getconf(u_long, void *);
 int		npfctl_sessions_save(u_long, void *);
 int		npfctl_sessions_load(u_long, void *);
 int		npfctl_update_rule(u_long, void *);
 int		npfctl_table(void *);
 void		npf_stats_inc(npf_stats_t);
 void		npf_stats_dec(npf_stats_t);
 /* Packet filter hooks. */
 int		npf_pfil_register(void);
 void		npf_pfil_unregister(void);
 bool		npf_pfil_registered_p(void);
 int		npf_packet_handler(void *, struct mbuf **, ifnet_t *, int);
 void		npf_log_packet(npf_cache_t *, nbuf_t *, int);
 /* Protocol helpers. */
 bool		npf_fetch_ip(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_tcp(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_udp(npf_cache_t *, nbuf_t *, void *);
 bool		npf_fetch_icmp(npf_cache_t *, nbuf_t *, void *);
 int		npf_cache_all(npf_cache_t *, nbuf_t *);
 bool		npf_rwrip(npf_cache_t *, nbuf_t *, void *, const int,
 		    npf_addr_t *);
 bool		npf_rwrport(npf_cache_t *, nbuf_t *, void *, const int,
 		    in_port_t);
 bool		npf_rwrcksum(npf_cache_t *, nbuf_t *, void *, const int,
 @@ -176,27 +172,26 @@ bool		npf_rwrcksum(npf_cache_t *, nbuf_t
 uint16_t	npf_fixup16_cksum(uint16_t, uint16_t, uint16_t);
 uint16_t	npf_fixup32_cksum(uint16_t, uint32_t, uint32_t);
 uint16_t	npf_addr_cksum(uint16_t, int, npf_addr_t *, npf_addr_t *);
 uint32_t	npf_addr_sum(const int, const npf_addr_t *, const npf_addr_t *);
 int		npf_addr_cmp(const npf_addr_t *, const npf_netmask_t,
 		    const npf_addr_t *, const npf_netmask_t, const int);
 void		npf_addr_mask(const npf_addr_t *, const npf_netmask_t,
 		    const int, npf_addr_t *);
 int		npf_tcpsaw(const npf_cache_t *, tcp_seq *, tcp_seq *,
 		    uint32_t *);
 bool		npf_fetch_tcpopts(const npf_cache_t *, nbuf_t *,
 		    uint16_t *, int *);
 bool		npf_normalize(npf_cache_t *, nbuf_t *, bool, bool, u_int, u_int);
 bool		npf_return_block(npf_cache_t *, nbuf_t *, const int);
 /* Complex instructions. */
 int		npf_match_ether(nbuf_t *, int, int, uint16_t, uint32_t *);
 int		npf_match_proto(npf_cache_t *, nbuf_t *, void *, uint32_t);
 int		npf_match_table(npf_cache_t *, nbuf_t *, void *,
 		    const int, const u_int);
 int		npf_match_ipmask(npf_cache_t *, nbuf_t *, void *,
 		    const int, const npf_addr_t *, const npf_netmask_t);
 int		npf_match_tcp_ports(npf_cache_t *, nbuf_t *, void *,
 		    const int, const uint32_t);
 int		npf_match_udp_ports(npf_cache_t *, nbuf_t *, void *,
 		    const int, const uint32_t);
 @@ -242,30 +237,35 @@ void		npf_ruleset_freealg(npf_ruleset_t
 npf_rule_t *	npf_ruleset_inspect(npf_cache_t *, nbuf_t *, npf_ruleset_t *,
 		    const ifnet_t *, const int, const int);
 int		npf_rule_apply(npf_cache_t *, nbuf_t *, npf_rule_t *, int *);
 /* Rule interface. */
 npf_rule_t *	npf_rule_alloc(prop_dictionary_t, npf_rproc_t *, void *, size_t);
 void		npf_rule_free(npf_rule_t *);
 npf_ruleset_t *	npf_rule_subset(npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void		npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
 npf_rproc_t *	npf_rule_getrproc(npf_rule_t *);
 void		npf_ext_sysinit(void);
 void		npf_ext_sysfini(void);
 int		npf_ext_construct(const char *,
 		    npf_rproc_t *, prop_dictionary_t);
 npf_rproc_t *	npf_rproc_create(prop_dictionary_t);
 void		npf_rproc_acquire(npf_rproc_t *);
 void		npf_rproc_release(npf_rproc_t *);
-void		npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int);
+void		npf_rproc_run(npf_cache_t *, nbuf_t *, npf_rproc_t *, int *);
 /* Session handling interface. */
 void		npf_session_sysinit(void);
 void		npf_session_sysfini(void);
 int		npf_session_tracking(bool);
 npf_sehash_t *	sess_htable_create(void);
 void		sess_htable_destroy(npf_sehash_t *);
 void		sess_htable_reload(npf_sehash_t *);
 npf_session_t *	npf_session_inspect(npf_cache_t *, nbuf_t *,
 		    const ifnet_t *, const int, int *);
 npf_session_t *	npf_session_establish(const npf_cache_t *, nbuf_t *,

--- src/sys/net/npf/npf_inet.c 2012/07/21 17:11:01	1.16
+++ src/sys/net/npf/npf_inet.c 2012/09/16 13:47:41	1.17

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_inet.c,v 1.16 2012/07/21 17:11:01 rmind Exp $	*/
+/*	$NetBSD: npf_inet.c,v 1.17 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -29,39 +29,38 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * Various procotol related helper routines.
+ *
  * This layer manipulates npf_cache_t structure i.e. caches requested headers
  * and stores which information was cached in the information bit field.
  * It is also responsibility of this layer to update or invalidate the cache
  * on rewrites (e.g. by translation routines).
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.16 2012/07/21 17:11:01 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.17 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <net/pfil.h>
 #include <net/if.h>
 #include <net/ethertypes.h>
 #include <net/if_ether.h>
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <netinet/ip_icmp.h>
 #include "npf_impl.h"
 /*
  * npf_fixup{16,32}_cksum: update IPv4 checksum.
  */
 uint16_t
 @@ -650,137 +649,24 @@ npf_rwrcksum(npf_cache_t *npc, nbuf_t *n
 		offby += offsetof(struct udphdr, uh_sum);
 		oport = (di == PFIL_OUT) ? &uh->uh_sport : &uh->uh_dport;
+	}
 	*cksum = npf_addr_cksum(*cksum, npc->npc_alen, oaddr, addr);
 	*cksum = npf_fixup16_cksum(*cksum, *oport, port);
 	/* Advance to TCP/UDP checksum and rewrite it. */
 	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(uint16_t), cksum)) {
 		return false;
+	}
 	return true;
+}
 static inline bool
 npf_normalize_ip4(npf_cache_t *npc, nbuf_t *nbuf,
     bool rnd, bool no_df, int minttl)
 	void *n_ptr = nbuf_dataptr(nbuf);
 	struct ip *ip = &npc->npc_ip.v4;
 	uint16_t cksum = ip->ip_sum;
 	uint16_t ip_off = ip->ip_off;
 	uint8_t ttl = ip->ip_ttl;
 	u_int offby = 0;
 	KASSERT(rnd || minttl || no_df);
 	/* Randomize IPv4 ID. */
 	if (rnd) {
 		uint16_t oid = ip->ip_id, nid;
 		nid = htons(ip_randomid(ip_ids, 0));
 		offby = offsetof(struct ip, ip_id);
 		if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(nid), &nid)) {
 			return false;
 		cksum = npf_fixup16_cksum(cksum, oid, nid);
 		ip->ip_id = nid;
 	/* IP_DF flag cleansing. */
 	if (no_df && (ip_off & htons(IP_DF)) != 0) {
 		uint16_t nip_off = ip_off & ~htons(IP_DF);
 		if (nbuf_advstore(&nbuf, &n_ptr,
 		    offsetof(struct ip, ip_off) - offby,
 		    sizeof(uint16_t), &nip_off)) {
 			return false;
 		cksum = npf_fixup16_cksum(cksum, ip_off, nip_off);
 		ip->ip_off = nip_off;
 		offby = offsetof(struct ip, ip_off);
 	/* Enforce minimum TTL. */
 	if (minttl && ttl < minttl) {
 		if (nbuf_advstore(&nbuf, &n_ptr,
 		    offsetof(struct ip, ip_ttl) - offby,
 		    sizeof(uint8_t), &minttl)) {
 			return false;
 		cksum = npf_fixup16_cksum(cksum, ttl, minttl);
 		ip->ip_ttl = minttl;
 		offby = offsetof(struct ip, ip_ttl);
 	/* Update IP checksum. */
 	offby = offsetof(struct ip, ip_sum) - offby;
 	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
 		return false;
 	ip->ip_sum = cksum;
 	return true;
 bool
 npf_normalize(npf_cache_t *npc, nbuf_t *nbuf,
     bool no_df, bool rnd, u_int minttl, u_int maxmss)
 	void *n_ptr = nbuf_dataptr(nbuf);
 	struct tcphdr *th = &npc->npc_l4.tcp;
 	uint16_t cksum, mss;
 	u_int offby;
 	int wscale;
 	/* Normalize IPv4. */
 	if (npf_iscached(npc, NPC_IP4) && (rnd || minttl)) {
 		if (!npf_normalize_ip4(npc, nbuf, rnd, no_df, minttl)) {
 			return false;
 	} else if (!npf_iscached(npc, NPC_IP4)) {
 		/* XXX: no IPv6 */
 		return false;
 	/*
 	 * TCP Maximum Segment Size (MSS) "clamping".  Only if SYN packet.
 	 * Fetch MSS and check whether rewrite to lower is needed.
 	 */
 	if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
 	    (th->th_flags & TH_SYN) == 0) {
 		/* Not required; done. */
 		return true;
 	mss = 0;
 	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
 		return false;
 	if (ntohs(mss) <= maxmss) {
 		return true;
 	/* Calculate TCP checksum, then rewrite MSS and the checksum. */
 	maxmss = htons(maxmss);
 	cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
 	th->th_sum = cksum;
 	mss = maxmss;
 	if (!npf_fetch_tcpopts(npc, nbuf, &mss, &wscale)) {
 		return false;
 	offby = npf_cache_hlen(npc) + offsetof(struct tcphdr, th_sum);
 	if (nbuf_advstore(&nbuf, &n_ptr, offby, sizeof(cksum), &cksum)) {
 		return false;
 	return true;
 #if defined(DDB) || defined(_NPF_TESTING)
 void
 npf_addr_dump(const npf_addr_t *addr)
+{
 	printf("IP[%x:%x:%x:%x]\n",
 	    addr->s6_addr32[0], addr->s6_addr32[1],
 	    addr->s6_addr32[2], addr->s6_addr32[3]);
+}
 #endif

--- src/sys/net/npf/npf_rproc.c 2012/02/20 00:18:20	1.2
+++ src/sys/net/npf/npf_rproc.c 2012/09/16 13:47:41	1.3

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_rproc.c,v 1.2 2012/02/20 00:18:20 rmind Exp $	*/
+/*	$NetBSD: npf_rproc.c,v 1.3 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -20,113 +20,254 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
- * NPF rule procedure interface.
+ * NPF extension and rule procedure interface.
  */
 #include <sys/cdefs.h>
 __KERNEL_RCSID(0, "$NetBSD");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/kmem.h>
 #include <sys/mutex.h>
 #include "npf_impl.h"
-#define	NPF_RNAME_LEN		16
+#define	EXT_NAME_LEN		32
 typedef struct npf_ext {
 	char			ext_callname[EXT_NAME_LEN];
 	LIST_ENTRY(npf_ext)	ext_entry;
 	const npf_ext_ops_t *	ext_ops;
 	unsigned		ext_refcnt;
 } npf_ext_t;
 #define	RPROC_NAME_LEN		32
 #define	RPROC_EXT_COUNT		16
 /* Rule procedure structure. */
 struct npf_rproc {
-	/* Name. */
+	/* Name, reference count and flags. */
-	char			rp_name[NPF_RNAME_LEN];
+	char			rp_name[RPROC_NAME_LEN];
 	/* Reference count. */
 	u_int			rp_refcnt;
 	uint32_t		rp_flags;
-	/* Normalisation options. */
+	/* Associated extensions and their metadata . */
-	bool			rp_rnd_ipid;
+	unsigned		rp_ext_count;
-	bool			rp_no_df;
+	npf_ext_t *		rp_ext[RPROC_EXT_COUNT];
-	u_int			rp_minttl;
+	void *			rp_ext_meta[RPROC_EXT_COUNT];
 	u_int			rp_maxmss;
 	/* Logging interface. */
 	u_int			rp_log_ifid;
 };
 static LIST_HEAD(, npf_ext)	ext_list	__cacheline_aligned;
 static kmutex_t			ext_lock	__cacheline_aligned;
 void
 npf_ext_sysinit(void)
+{
 	mutex_init(&ext_lock, MUTEX_DEFAULT, IPL_NONE);
 	LIST_INIT(&ext_list);
+}
 void
 npf_ext_sysfini(void)
+{
 	KASSERT(LIST_EMPTY(&ext_list));
 	mutex_destroy(&ext_lock);
+}
 /*
  * NPF extension management for the rule procedures.
  */
 static npf_ext_t *
 npf_ext_lookup(const char *name)
+{
 	npf_ext_t *ext = NULL;
 	KASSERT(mutex_owned(&ext_lock));
 	LIST_FOREACH(ext, &ext_list, ext_entry)
 		if (strcmp(ext->ext_callname, name) == 0)
 			break;
 	return ext;
+}
 void *
 npf_ext_register(const char *name, const npf_ext_ops_t *ops)
+{
 	npf_ext_t *ext;
 	ext = kmem_zalloc(sizeof(npf_ext_t), KM_SLEEP);
 	strlcpy(ext->ext_callname, name, EXT_NAME_LEN);
 	ext->ext_ops = ops;
 	mutex_enter(&ext_lock);
 	if (npf_ext_lookup(name)) {
 		mutex_exit(&ext_lock);
 		kmem_free(ext, sizeof(npf_ext_t));
 		return NULL;
+	}
 	LIST_INSERT_HEAD(&ext_list, ext, ext_entry);
 	mutex_exit(&ext_lock);
 	return (void *)ext;
+}
 int
 npf_ext_unregister(void *extid)
+{
 	npf_ext_t *ext = extid;
 	/*
 	 * Check if in-use first (re-check with the lock held).
 	 */
 	if (ext->ext_refcnt) {
 		return EBUSY;
+	}
 	mutex_enter(&ext_lock);
 	if (ext->ext_refcnt) {
 		mutex_exit(&ext_lock);
 		return EBUSY;
+	}
 	KASSERT(npf_ext_lookup(ext->ext_callname));
 	LIST_REMOVE(ext, ext_entry);
 	mutex_exit(&ext_lock);
 	kmem_free(ext, sizeof(npf_ext_t));
 	return 0;
+}
 int
 npf_ext_construct(const char *name, npf_rproc_t *rp, prop_dictionary_t params)
+{
 	const npf_ext_ops_t *extops;
 	npf_ext_t *ext;
 	unsigned i;
 	int error;
 	if (rp->rp_ext_count >= RPROC_EXT_COUNT) {
 		return ENOSPC;
+	}
 	mutex_enter(&ext_lock);
 	ext = npf_ext_lookup(name);
 	if (ext) {
 		atomic_inc_uint(&ext->ext_refcnt);
 		extops = ext->ext_ops;
 		KASSERT(extops != NULL);
+	}
 	mutex_exit(&ext_lock);
 	if (!ext) {
 		return ENOENT;
+	}
 	error = extops->ctor(rp, params);
 	if (error) {
 		atomic_dec_uint(&ext->ext_refcnt);
 		return error;
+	}
 	i = rp->rp_ext_count++;
 	rp->rp_ext[i] = ext;
 	return 0;
+}
 /*
  * Rule procedure management.
  */
 /*
  * npf_rproc_create: construct a new rule procedure, lookup and associate
  * the extension calls with it.
  */
 npf_rproc_t *
 npf_rproc_create(prop_dictionary_t rpdict)
+{
 	const char *name;
 	npf_rproc_t *rp;
 	const char *rname;
 	if (!prop_dictionary_get_cstring_nocopy(rpdict, "name", &name)) {
 		return NULL;
+	}
 	rp = kmem_intr_zalloc(sizeof(npf_rproc_t), KM_SLEEP);
 	rp->rp_refcnt = 1;
-	/* Name and flags. */
+	strlcpy(rp->rp_name, name, RPROC_NAME_LEN);
 	prop_dictionary_get_cstring_nocopy(rpdict, "name", &rname);
 	strlcpy(rp->rp_name, rname, NPF_RNAME_LEN);
 	prop_dictionary_get_uint32(rpdict, "flags", &rp->rp_flags);
 	/* Logging interface ID (integer). */
 	prop_dictionary_get_uint32(rpdict, "log-interface", &rp->rp_log_ifid);
 	/* IP ID randomisation and IP_DF flag cleansing. */
 	prop_dictionary_get_bool(rpdict, "randomize-id", &rp->rp_rnd_ipid);
 	prop_dictionary_get_bool(rpdict, "no-df", &rp->rp_no_df);
 	/* Minimum IP TTL and maximum TCP MSS. */
 	prop_dictionary_get_uint32(rpdict, "min-ttl", &rp->rp_minttl);
 	prop_dictionary_get_uint32(rpdict, "max-mss", &rp->rp_maxmss);
 	return rp;
+}
 /*
  * npf_rproc_acquire: acquire the reference on the rule procedure.
  */
 void
 npf_rproc_acquire(npf_rproc_t *rp)
+{
 	atomic_inc_uint(&rp->rp_refcnt);
+}
 /*
  * npf_rproc_release: drop the reference count and destroy the rule
  * procedure on the last reference.
  */
 void
 npf_rproc_release(npf_rproc_t *rp)
+{
 	/* Destroy on last reference. */
 	KASSERT(rp->rp_refcnt > 0);
 	if (atomic_dec_uint_nv(&rp->rp_refcnt) != 0) {
 		return;
+	}
 	/* XXXintr */
 	for (unsigned i = 0; i < rp->rp_ext_count; i++) {
 		npf_ext_t *ext = rp->rp_ext[i];
 		const npf_ext_ops_t *extops = ext->ext_ops;
 		extops->dtor(rp, rp->rp_ext_meta[i]);
 		atomic_dec_uint(&ext->ext_refcnt);
+	}
 	kmem_intr_free(rp, sizeof(npf_rproc_t));
+}
 void
-npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int error)
+npf_rproc_assign(npf_rproc_t *rp, void *params)
+{
-	const uint32_t flags = rp->rp_flags;
+	unsigned i = rp->rp_ext_count;
 	/* Note: params may be NULL. */
 	KASSERT(i < RPROC_EXT_COUNT);
 	rp->rp_ext_meta[i] = params;
+}
 /*
  * npf_rproc_run: run the rule procedure by executing each extension call.
+ *
  * => Reference on the rule procedure must be held.
  */
 void
 npf_rproc_run(npf_cache_t *npc, nbuf_t *nbuf, npf_rproc_t *rp, int *decision)
+{
 	const unsigned extcount = rp->rp_ext_count;
 	KASSERT(rp->rp_refcnt > 0);
-	/* Normalise the packet, if required. */
+	for (unsigned i = 0; i < extcount; i++) {
-	if ((flags & NPF_RPROC_NORMALIZE) != 0 && !error) {
+		const npf_ext_t *ext = rp->rp_ext[i];
-		(void)npf_normalize(npc, nbuf,
+		const npf_ext_ops_t *extops = ext->ext_ops;
 		    rp->rp_rnd_ipid, rp->rp_no_df,
 		    rp->rp_minttl, rp->rp_maxmss);
 		npf_stats_inc(NPF_STAT_RPROC_NORM);
-	/* Log packet, if required. */
+		KASSERT(ext->ext_refcnt > 0);
-	if ((flags & NPF_RPROC_LOG) != 0) {
+		extops->proc(npc, nbuf, rp->rp_ext_meta[i], decision);
 		npf_log_packet(npc, nbuf, rp->rp_log_ifid);
 		npf_stats_inc(NPF_STAT_RPROC_LOG);
+	}
+}

--- src/sys/rump/net/lib/libnpf/Makefile 2012/08/14 22:31:44	1.1
+++ src/sys/rump/net/lib/libnpf/Makefile 2012/09/16 13:47:42	1.2

 @@ -1,24 +1,28 @@
-#	$NetBSD: Makefile,v 1.1 2012/08/14 22:31:44 rmind Exp $
+#	$NetBSD: Makefile,v 1.2 2012/09/16 13:47:42 rmind Exp $
+#
 # Public Domain.
+#
 .PATH:	${.CURDIR}/../../../../net/npf
 LIB=	rumpnet_npf
 SRCS=	npf.c npf_alg.c npf_ctl.c npf_handler.c
-SRCS+=	npf_inet.c npf_instr.c npf_log.c npf_mbuf.c npf_nat.c
+SRCS+=	npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
 SRCS+=	npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
 SRCS+=	npf_session.c npf_state.c npf_state_tcp.c
 SRCS+=	npf_tableset.c npf_tableset_ptree.c
 SRCS+=	npf_alg_icmp.c
 SRCS+=	npf_ext_log.c npf_ext_normalise.c
 SRCS+=	component.c
-WARNS=	4
+WARNS=	5
 CPPFLAGS+=	-D_NPF_TESTING
 CPPFLAGS+=	-I${.CURDIR}/../../../librump/rumpvfs
 .include <bsd.lib.mk>
 .include <bsd.klinks.mk>

--- src/usr.sbin/npf/npfctl/Makefile 2012/05/30 21:30:07	1.7
+++ src/usr.sbin/npf/npfctl/Makefile 2012/09/16 13:47:41	1.8

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.7 2012/05/30 21:30:07 rmind Exp $
+# $NetBSD: Makefile,v 1.8 2012/09/16 13:47:41 rmind Exp $
 PROG=		npfctl
 MAN=		npfctl.8 npf.conf.5
 SRCS=		npfctl.c npf_var.c npf_data.c npf_ncgen.c npf_build.c \
-		npf_disassemble.c
+		npf_extmod.c npf_disassemble.c
 CPPFLAGS+=	-I${.CURDIR}
 SRCS+=		npf_scan.l npf_parse.y
 YHEADER=	1
 LDADD+=		-lnpf -lprop -lutil -ly
 DPADD+=		${LIBNPF} ${LIBPROP} ${LIBUTIL}
-WARNS?=		4
+WARNS=		5
-NOLINT=		# disabled (note: deliberately)
+NOLINT=		# disabled deliberately
 .include <bsd.prog.mk>

--- src/usr.sbin/npf/npfctl/npf_build.c 2012/08/12 03:35:13	1.13
+++ src/usr.sbin/npf/npfctl/npf_build.c 2012/09/16 13:47:41	1.14

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_build.c,v 1.13 2012/08/12 03:35:13 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,34 +24,35 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * npfctl(8) building of the configuration.
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.13 2012/08/12 03:35:13 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <stdlib.h>
 #include <inttypes.h>
 #include <string.h>
 #include <errno.h>
 #include <err.h>
 #include "npfctl.h"
 static nl_config_t *		npf_conf = NULL;
 static nl_rule_t *		current_group = NULL;
 static bool			npf_debug = false;
 static bool			defgroup_set = false;
 void
 npfctl_config_init(bool debug)
+{
 @@ -367,98 +368,76 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam
+	}
 	assert(code && len > 0);
 	if (npf_rule_setcode(rl, NPF_CODE_NCODE, code, len) == -1) {
 		errx(EXIT_FAILURE, "npf_rule_setcode failed");
+	}
 	free(code);
 	return true;
+}
 static void
 npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args)
+{
-	/*
+	npf_extmod_t *extmod;
-	 * XXX/TODO: Hardcoded for the first release.  However,
+	nl_ext_t *extcall;
-	 * rule procedures will become fully dynamic modules.
+	int error;
 	 */
-	bool log = false, norm = false;
+	extmod = npf_extmod_get(name, &extcall);
-	bool rnd = false, no_df = false;
+	if (extmod == NULL) {
 	int minttl = 0, maxmss = 0;
 	if (strcmp(name, "log") == 0) {
 		log = true;
 	} else if (strcmp(name, "normalise") == 0) {
 		norm = true;
 	} else {
 		yyerror("unknown rule procedure '%s'", name);
+	}
 	for (size_t i = 0; i < npfvar_get_count(args); i++) {
-		module_arg_t *arg;
+		const char *param, *value;
-		const char *aval;
+		proc_param_t *p;
 		arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, i);
 		aval = arg->ma_name;
-		if (log) {
+		p = npfvar_get_data(args, NPFVAR_PROC_PARAM, i);
-			u_int if_idx = npfctl_find_ifindex(aval);
+		param = p->pp_param;
-			_npf_rproc_setlog(rp, if_idx);
+		value = p->pp_value;
 			return;
 		error = npf_extmod_param(extmod, extcall, param, value);
 		switch (error) {
-		const int type = npfvar_get_type(arg->ma_opts, 0);
+		case EINVAL:
-		if (type != -1 && type != NPFVAR_NUM) {
+			yyerror("invalid parameter '%s'", param);
-			yyerror("option '%s' is not numeric", aval);
+		default:
 			break;
 		unsigned long *opt;
 		if (strcmp(aval, "random-id") == 0) {
 			rnd = true;
 		} else if (strcmp(aval, "min-ttl") == 0) {
 			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
 			minttl = *opt;
 		} else if (strcmp(aval, "max-mss") == 0) {
 			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
 			maxmss = *opt;
 		} else if (strcmp(aval, "no-df") == 0) {
 			no_df = true;
 		} else {
 			yyerror("unknown argument '%s'", aval);
+		}
+	}
-	assert(norm == true);
+	error = npf_rproc_extcall(rp, extcall);
-	_npf_rproc_setnorm(rp, rnd, no_df, minttl, maxmss);
+	if (error) {
 		yyerror(error == EEXIST ?
 		    "duplicate procedure call" : "unexpected error");
+	}
+}
 /*
  * npfctl_build_rproc: create and insert a rule procedure.
  */
 void
 npfctl_build_rproc(const char *name, npfvar_t *procs)
+{
 	nl_rproc_t *rp;
 	size_t i;
 	rp = npf_rproc_create(name);
 	if (rp == NULL) {
 		errx(EXIT_FAILURE, "npf_rproc_create failed");
+	}
 	npf_rproc_insert(npf_conf, rp);
 	for (i = 0; i < npfvar_get_count(procs); i++) {
-		proc_op_t *po = npfvar_get_data(procs, NPFVAR_PROC_OP, i);
+		proc_call_t *pc = npfvar_get_data(procs, NPFVAR_PROC, i);
-		npfctl_build_rpcall(rp, po->po_name, po->po_opts);
+		npfctl_build_rpcall(rp, pc->pc_name, pc->pc_opts);
+	}
+}
 /*
  * npfctl_build_group: create a group, insert into the global ruleset
  * and update the current group pointer.
  */
 void
 npfctl_build_group(const char *name, int attr, u_int if_idx)
+{
 	const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
 	nl_rule_t *rl;
 @@ -488,27 +467,27 @@ npfctl_build_rule(int attr, u_int if_idx
+{
 	nl_rule_t *rl;
 	rl = npf_rule_create(NULL, attr, if_idx);
 	npfctl_build_ncode(rl, family, op, fopts, false);
 	if (rproc && npf_rule_setproc(npf_conf, rl, rproc) != 0) {
 		yyerror("rule procedure '%s' is not defined", rproc);
+	}
 	assert(current_group != NULL);
 	npf_rule_insert(npf_conf, current_group, rl, NPF_PRI_NEXT);
+}
 /*
- * npfctl_build_onenat: create a single NAT policy of a specified
+ * npfctl_build_nat: create a single NAT policy of a specified
  * type with a given filter options.
  */
 static void
 npfctl_build_nat(int type, u_int if_idx, sa_family_t family,
     const addr_port_t *ap, const filt_opts_t *fopts, bool binat)
+{
 	const opt_proto_t op = { .op_proto = -1, .op_opts = NULL };
 	fam_addr_mask_t *am;
 	in_port_t port;
 	nl_nat_t *nat;
 	if (!ap->ap_netaddr) {
 		yyerror("%s network segment is not specified",
 @@ -544,56 +523,56 @@ npfctl_build_nat(int type, u_int if_idx,
+		}
 		nat = npf_nat_create(NPF_NATIN, !binat ? NPF_NAT_PORTS : 0,
 		    if_idx, &am->fam_addr, am->fam_family, port);
 		break;
 	default:
 		assert(false);
+	}
 	npfctl_build_ncode(nat, family, &op, fopts, false);
 	npf_nat_insert(npf_conf, nat, NPF_PRI_NEXT);
+}
 /*
- * npfctl_build_nat: validate and create NAT policies.
+ * npfctl_build_natseg: validate and create NAT policies.
  */
 void
 npfctl_build_natseg(int sd, int type, u_int if_idx, const addr_port_t *ap1,
     const addr_port_t *ap2, const filt_opts_t *fopts)
+{
 	sa_family_t af = AF_INET;
 	filt_opts_t imfopts;
 	bool binat;
 	if (sd == NPFCTL_NAT_STATIC) {
 		yyerror("static NAT is not yet supported");
+	}
 	assert(sd == NPFCTL_NAT_DYNAMIC);
 	assert(if_idx != 0);
 	/*
 	 * Bi-directional NAT is a combination of inbound NAT and outbound
 	 * NAT policies.  Note that the translation address is local IP and
 	 * the filter criteria is inverted accordingly.
 	 */
 	binat = (NPF_NATIN | NPF_NATOUT) == type;
 	/*
 	 * If the filter criteria is not specified explicitly, apply implicit
-	 * filtering according to the given network segements.
+	 * filtering according to the given network segments.
+	 *
 	 * Note: filled below, depending on the type.
 	 */
-	if (!fopts) {
+	if (__predict_true(!fopts)) {
 		fopts = &imfopts;
+	}
 	if (type & NPF_NATIN) {
 		memset(&imfopts, 0, sizeof(filt_opts_t));
 		memcpy(&imfopts.fo_to, ap2, sizeof(addr_port_t));
 		npfctl_build_nat(NPF_NATIN, if_idx, af, ap1, fopts, binat);
+	}
 	if (type & NPF_NATOUT) {
 		memset(&imfopts, 0, sizeof(filt_opts_t));
 		memcpy(&imfopts.fo_from, ap1, sizeof(addr_port_t));
 		npfctl_build_nat(NPF_NATOUT, if_idx, af, ap2, fopts, binat);
+	}

/*	$NetBSD: npf_extmod.c,v 1.1 2012/09/16 13:47:41 rmind Exp $	*/

/*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * npfctl(8) extension loading interface.
 */

#include <sys/cdefs.h>
__RCSID("$NetBSD: npf_extmod.c,v 1.1 2012/09/16 13:47:41 rmind Exp $");

#include <stdlib.h>
#include <inttypes.h>
#include <string.h>
#include <err.h>
#include <dlfcn.h>

#include "npfctl.h"

struct npf_extmod {
	char *			name;
	npfext_initfunc_t	init;
	npfext_consfunc_t	cons;
	npfext_paramfunc_t	param;
	struct npf_extmod *	next;
};

static npf_extmod_t *		npf_extmod_list;

static void *
npf_extmod_sym(void *handle, const char *name, const char *func)
{
	char buf[64];
	void *sym;

	snprintf(buf, sizeof(buf), "npfext_%s_%s", name, func);
	sym = dlsym(handle, buf);
	if (sym == NULL) {
		errx(EXIT_FAILURE, "dlsym: %s", dlerror());
	}
	return sym;
}

static npf_extmod_t *
npf_extmod_load(const char *name)
{
	npf_extmod_t *ext;
	void *handle;
	char extlib[PATH_MAX];

	snprintf(extlib, sizeof(extlib), "/usr/lib/npf/ext_%s.so", name);
	handle = dlopen(extlib, RTLD_LAZY | RTLD_LOCAL);
	if (handle == NULL) {
		errx(EXIT_FAILURE, "dlopen: %s", dlerror());
	}

	ext = zalloc(sizeof(npf_extmod_t));
	ext->name = xstrdup(name);
	ext->init = npf_extmod_sym(handle, name, "init");
	ext->cons = npf_extmod_sym(handle, name, "construct");
	ext->param = npf_extmod_sym(handle, name, "param");

	/* Initialise the module. */
	if (ext->init() != 0) {
		free(ext);
		return NULL;
	}

	ext->next = npf_extmod_list;
	npf_extmod_list = ext;
	return ext;
}

npf_extmod_t *
npf_extmod_get(const char *name, nl_ext_t **extcall)
{
	npf_extmod_t *extmod = npf_extmod_list;

	while (extmod) {
		if ((strcmp(extmod->name, name) == 0) &&
		    (*extcall = extmod->cons(name)) != NULL) {
			return extmod;
		}
		extmod = extmod->next;
	}

	extmod = npf_extmod_load(name);
	if (extmod && (*extcall = extmod->cons(name)) != NULL) {
		return extmod;
	}

	return NULL;
}

int
npf_extmod_param(npf_extmod_t *extmod, nl_ext_t *ext,
    const char *param, const char *val)
{
	return extmod->param(ext, param, val);
}

--- src/usr.sbin/npf/npfctl/npf_parse.y 2012/08/12 03:35:13	1.12
+++ src/usr.sbin/npf/npfctl/npf_parse.y 2012/09/16 13:47:41	1.13

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_parse.y,v 1.12 2012/08/12 03:35:13 rmind Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.13 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Martin Husemann and Christos Zoulas.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -120,46 +120,48 @@ yyerror(const char *fmt, ...)
 %token			TABLE
 %token			TCP
 %token			TO
 %token			TREE
 %token			TYPE
 %token	<num>		ICMP
 %token	<num>		ICMP6
 %token	<num>		HEX
 %token	<str>		IDENTIFIER
 %token	<str>		IPV4ADDR
 %token	<str>		IPV6ADDR
 %token	<num>		NUM
 %token	<fpnum>		FPNUM
 %token	<str>		STRING
 %token	<str>		TABLE_ID
 %token	<str>		VAR_ID
 %type	<str>		addr, some_name, list_elem, table_store
-%type	<str>		opt_apply
+%type	<str>		proc_param_val, opt_apply
 %type	<num>		ifindex, port, opt_final, on_iface
 %type	<num>		block_or_pass, rule_dir, block_opts, opt_family
 %type	<num>		opt_stateful, icmp_type, table_type, map_sd, map_type
 %type	<var>		addr_or_iface, port_range, icmp_type_and_code
 %type	<var>		filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
-%type	<var>		modulearg_opts, procs, proc_op, modulearg, moduleargs
+%type	<var>		procs, proc_call, proc_param_list, proc_param
 %type	<addrport>	mapseg
 %type	<filtopts>	filt_opts, all_or_filt_opts
 %type	<optproto>	opt_proto
 %type	<rulegroup>	group_attr, group_opt
 %union {
 	char *		str;
 	unsigned long	num;
 	double		fpnum;
 	addr_port_t	addrport;
 	filt_opts_t	filtopts;
 	npfvar_t *	var;
 	opt_proto_t	optproto;
 	rule_group_t	rulegroup;
+}
 %%
 input
 	: lines
+	;
 @@ -285,84 +287,73 @@ map
+	{
 		npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL);
+	}
+	;
 rproc
 	: PROCEDURE STRING CURLY_OPEN procs CURLY_CLOSE
+	{
 		npfctl_build_rproc($2, $4);
+	}
+	;
 procs
-	: proc_op SEPLINE procs	{ $$ = npfvar_add_elements($1, $3); }
+	: proc_call SEPLINE procs
 	| proc_op		{ $$ = $1; }
 		$$ = npfvar_add_elements($1, $3);
+	}
 	| proc_call	{ $$ = $1; }
+	;
-proc_op
+proc_call
-	: IDENTIFIER COLON moduleargs
+	: IDENTIFIER COLON proc_param_list
+	{
-		proc_op_t po;
+		proc_call_t pc;
-		po.po_name = xstrdup($1);
+		pc.pc_name = xstrdup($1);
-		po.po_opts = $3;
+		pc.pc_opts = $3;
-		$$ = npfvar_create(".proc_ops");
+		$$ = npfvar_create(".proc_call");
-		npfvar_add_element($$, NPFVAR_PROC_OP, &po, sizeof(po));
+		npfvar_add_element($$, NPFVAR_PROC, &pc, sizeof(pc));
+	}
 	|	{ $$ = NULL; }
+	;
-moduleargs
+proc_param_list
-	: modulearg COMMA moduleargs
+	: proc_param COMMA proc_param_list
+	{
 		$$ = npfvar_add_elements($1, $3);
+	}
-	| modulearg	{ $$ = $1; }
+	| proc_param	{ $$ = $1; }
 	|		{ $$ = NULL; }
+	;
-modulearg
+proc_param
-	: some_name modulearg_opts
+	/* Key and value pair. */
 	: some_name proc_param_val
+	{
-		module_arg_t ma;
+		proc_param_t pp;
-		ma.ma_name = xstrdup($1);
+		pp.pp_param = xstrdup($1);
-		ma.ma_opts = $2;
+		pp.pp_value = $2 ? xstrdup($2) : NULL;
-		$$ = npfvar_create(".module_arg");
+		$$ = npfvar_create(".proc_param");
-		npfvar_add_element($$, NPFVAR_MODULE_ARG, &ma, sizeof(ma));
+		npfvar_add_element($$, NPFVAR_PROC_PARAM, &pp, sizeof(pp));
+	}
+	;
-modulearg_opts
+proc_param_val
-	: STRING modulearg_opts
+	: some_name	{ $$ = $1; }
 	| NUM		{ (void)asprintf(&$$, "%ld", $1); }
-		npfvar_t *vp = npfvar_create(".modstring");
+	| FPNUM		{ (void)asprintf(&$$, "%lf", $1); }
-		npfvar_add_element(vp, NPFVAR_STRING, $1, strlen($1) + 1);
+	|		{ $$ = NULL; }
 		$$ = $2 ? npfvar_add_elements($2, vp) : vp;
 	| IDENTIFIER modulearg_opts
 		npfvar_t *vp = npfvar_create(".modident");
 		npfvar_add_element(vp, NPFVAR_IDENTIFIER, $1, strlen($1) + 1);
 		$$ = $2 ? npfvar_add_elements($2, vp) : vp;
 	| NUM modulearg_opts
 		npfvar_t *vp = npfvar_create(".modnum");
 		npfvar_add_element(vp, NPFVAR_NUM, &$1, sizeof($1));
 		$$ = $2 ? npfvar_add_elements($2, vp) : vp;
 	|	{ $$ = NULL; }
+	;
 group
 	: GROUP PAR_OPEN group_attr PAR_CLOSE
+	{
 		npfctl_build_group($3.rg_name, $3.rg_attr, $3.rg_ifnum);
+	}
 	  ruleset
+	;
 group_attr
 	: group_opt COMMA group_attr
+	{

--- src/usr.sbin/npf/npfctl/npf_scan.l 2012/07/19 21:52:29	1.5
+++ src/usr.sbin/npf/npfctl/npf_scan.l 2012/09/16 13:47:41	1.6

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_scan.l,v 1.5 2012/07/19 21:52:29 spz Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.6 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Martin Husemann.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -21,26 +21,27 @@
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 %{
 #include <stdio.h>
 #include <stdlib.h>
 #include <err.h>
 #include "npfctl.h"
 #include "npf_parse.h"
 int	yycolumn;
 #define	YY_USER_ACTION	yycolumn += yyleng;
 %}
 %option noyywrap nounput noinput
 @@ -105,26 +106,33 @@ any			return ANY;
 "("			return PAR_OPEN;
 ")"			return PAR_CLOSE;
 ","			return COMMA;
 "="			return EQ;
 "0x"[0-9a-fA-F]+ {
 			char *endp, *buf = zalloc(yyleng + 1);
 			buf[yyleng] = 0;
 			yylval.num = strtoul(buf+2, &endp, 16);
 			free(buf);
 			return HEX;
+		}
 {NUMBER}"."{NUMBER} {
 			char *endp, *buf = xstrndup(yytext, yyleng);
 			yylval.fpnum = strtod(buf, &endp);
 			free(buf);
 			return FPNUM;
+		}
 [0-9a-fA-F]+":"[0-9a-fA-F:]* {
 			yylval.str = xstrndup(yytext, yyleng);
 			return IPV6ADDR;
+		}
 {NUMBER}"."[0-9][0-9.]* {
 			yylval.str = xstrndup(yytext, yyleng);
 			return IPV4ADDR;
+		}
 {NUMBER}	{
 			char *endp, *buf = xstrndup(yytext, yyleng);
 			yylval.num = strtoul(buf, &endp, 10);

--- src/usr.sbin/npf/npfctl/npf_var.h 2012/07/19 21:52:29	1.3
+++ src/usr.sbin/npf/npfctl/npf_var.h 2012/09/16 13:47:41	1.4

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_var.h,v 1.3 2012/07/19 21:52:29 spz Exp $	*/
+/*	$NetBSD: npf_var.h,v 1.4 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Christos Zoulas.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -25,45 +25,55 @@
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #ifndef _NPF_VAR_H_
 #define _NPF_VAR_H_
 #define	NPFVAR_STRING		0
 #define	NPFVAR_IDENTIFIER	1
 #define	NPFVAR_VAR_ID		2
-#define NPFVAR_NUM		3
+#define	NPFVAR_NUM		3
-#define NPFVAR_PORT_RANGE	4
+#define	NPFVAR_PORT_RANGE	4
 /* Note: primitive types are equivalent. */
-#define NPFVAR_PRIM		NPFVAR_PORT_RANGE
+#define	NPFVAR_PRIM		NPFVAR_PORT_RANGE
-#define NPFVAR_TYPE(x)		(((x) > NPFVAR_PRIM) ? (x) : 0)
+#define	NPFVAR_TYPE(x)		(((x) > NPFVAR_PRIM) ? (x) : 0)
 #define	NPFVAR_TABLE		5
 #define	NPFVAR_FAM		6
-#define	NPFVAR_TCPFLAG		7
+#define	NPFVAR_PROC		7
-#define	NPFVAR_ICMP		8
+#define	NPFVAR_PROC_PARAM	8
-#define	NPFVAR_PROC_OP		9
+#define	NPFVAR_TCPFLAG		9
-#define	NPFVAR_MODULE_ARG	10
+#define	NPFVAR_ICMP		10
 #define	NPFVAR_ICMP6		11
 #ifdef _NPFVAR_PRIVATE
 static const char *npfvar_types[ ] = {
-	"string", "identifier", "var_id", "num", "table", "fam", "port_range",
+	[NPFVAR_STRING]		= "string",
-	"tcpflag", "icmp", "proc_op", "module_arg", "icmp6"
+	[NPFVAR_IDENTIFIER]	= "identifier",
 	[NPFVAR_VAR_ID]		= "var_id",
 	[NPFVAR_NUM]		= "num",
 	[NPFVAR_PORT_RANGE]	= "port-range",
 	[NPFVAR_TABLE]		= "table",
 	[NPFVAR_FAM]		= "fam",
 	[NPFVAR_PROC]		= "proc",
 	[NPFVAR_PROC_PARAM]	= "proc_param",
 	[NPFVAR_TCPFLAG]	= "tcpflag",
 	[NPFVAR_ICMP]		= "icmp",
 	[NPFVAR_ICMP6]		= "icmp6"
 };
 #endif
 struct npfvar;
 typedef struct npfvar npfvar_t;
 npfvar_t *	npfvar_create(const char *);
 npfvar_t *	npfvar_lookup(const char *);
 const char *	npfvar_type(size_t);
 void		npfvar_add(npfvar_t *);
 npfvar_t *	npfvar_add_element(npfvar_t *, int, const void *, size_t);
 npfvar_t *	npfvar_add_elements(npfvar_t *, npfvar_t *);
 void		npfvar_destroy(npfvar_t *);

--- src/usr.sbin/npf/npfctl/npfctl.c 2012/09/01 19:08:01	1.19
+++ src/usr.sbin/npf/npfctl/npfctl.c 2012/09/16 13:47:41	1.20

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npfctl.c,v 1.19 2012/09/01 19:08:01 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.20 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -20,27 +20,27 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.19 2012/09/01 19:08:01 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.20 2012/09/16 13:47:41 rmind Exp $");
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 @@ -191,30 +191,26 @@ npfctl_print_stats(int fd)
 		{ NPF_STAT_NAT_CREATE,		"NAT entry allocations"	},
 		{ NPF_STAT_NAT_DESTROY,		"NAT entry destructions"},
 		{ -1, "Invalid packet state cases"			},
 		{ NPF_STAT_INVALID_STATE,	"cases in total"	},
 		{ NPF_STAT_INVALID_STATE_TCP1,	"TCP case I"		},
 		{ NPF_STAT_INVALID_STATE_TCP2,	"TCP case II"		},
 		{ NPF_STAT_INVALID_STATE_TCP3,	"TCP case III"		},
 		{ -1, "Packet race cases"				},
 		{ NPF_STAT_RACE_NAT,		"NAT association race"	},
 		{ NPF_STAT_RACE_SESSION,	"duplicate session race"},
 		{ -1, "Rule procedure cases"				},
 		{ NPF_STAT_RPROC_LOG,		"packets logged"	},
 		{ NPF_STAT_RPROC_NORM,		"packets normalised"	},
 		{ -1, "Fragmentation"					},
 		{ NPF_STAT_FRAGMENTS,		"fragments"		},
 		{ NPF_STAT_REASSEMBLY,		"reassembled"		},
 		{ NPF_STAT_REASSFAIL,		"failed reassembly"	},
 		{ -1, "Other"						},
 		{ NPF_STAT_ERROR,		"unexpected errors"	},
 	};
 	uint64_t *st = zalloc(NPF_STATS_SIZE);
 	if (ioctl(fd, IOC_NPF_STATS, &st) != 0) {
 		err(EXIT_FAILURE, "ioctl(IOC_NPF_STATS)");
+	}

--- src/usr.sbin/npf/npfctl/npfctl.h 2012/08/12 03:35:13	1.19
+++ src/usr.sbin/npf/npfctl/npfctl.h 2012/09/16 13:47:41	1.20

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npfctl.h,v 1.19 2012/08/12 03:35:13 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.20 2012/09/16 13:47:41 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -69,60 +69,70 @@ typedef struct filt_opts {
 } filt_opts_t;
 typedef struct opt_proto {
 	int		op_proto;
 	npfvar_t *	op_opts;
 } opt_proto_t;
 typedef struct rule_group {
 	const char *	rg_name;
 	uint32_t	rg_attr;
 	u_int		rg_ifnum;
 } rule_group_t;
-typedef struct proc_op {
+typedef struct proc_call {
-	const char *	po_name;
+	const char *	pc_name;
-	npfvar_t *	po_opts;
+	npfvar_t *	pc_opts;
-} proc_op_t;
+} proc_call_t;
-typedef struct module_arg {
+typedef struct proc_param {
-	const char *	ma_name;
+	const char *	pp_param;
-	npfvar_t *	ma_opts;
+	const char *	pp_value;
-} module_arg_t;
+} proc_param_t;
 void		yyerror(const char *, ...) __printflike(1, 2) __dead;
 void *		zalloc(size_t);
 void *		xrealloc(void *, size_t);
 char *		xstrdup(const char *);
 char *		xstrndup(const char *, size_t);
 void		npfctl_print_error(const nl_error_t *);
 bool		npfctl_table_exists_p(const char *);
 int		npfctl_protono(const char *);
 in_port_t	npfctl_portno(const char *);
 uint8_t		npfctl_icmpcode(int, uint8_t, const char *);
 uint8_t		npfctl_icmptype(int, const char *);
 unsigned long   npfctl_find_ifindex(const char *);
 npfvar_t *	npfctl_parse_tcpflag(const char *);
 npfvar_t *	npfctl_parse_table_id(const char *);
 npfvar_t * 	npfctl_parse_icmp(int, int, int);
 npfvar_t *	npfctl_parse_iface(const char *);
 npfvar_t *	npfctl_parse_port_range(in_port_t, in_port_t);
 npfvar_t *	npfctl_parse_port_range_variable(const char *);
 npfvar_t *	npfctl_parse_fam_addr_mask(const char *, const char *,
 		    unsigned long *);
 bool		npfctl_parse_cidr(char *, fam_addr_mask_t *, int *);
 /*
  * NPF extension loading.
  */
 typedef struct npf_extmod npf_extmod_t;
 npf_extmod_t *	npf_extmod_get(const char *, nl_ext_t **);
 int		npf_extmod_param(npf_extmod_t *, nl_ext_t *,
 		    const char *, const char *);
 /*
  * N-code generation interface.
  */
 typedef struct nc_ctx nc_ctx_t;
 #define	NC_MATCH_DST		0x01
 #define	NC_MATCH_SRC		0x02
 #define	NC_MATCH_TCP		0x04
 #define	NC_MATCH_UDP		0x08
 #define	NC_MATCH_ICMP		0x10
 #define	NC_MATCH_ICMP6		0x20