 @@ -1,14 +1,14 @@
-/*	$NetBSD: fil.c,v 1.11 2013/09/12 20:03:10 martin Exp $	*/
+/*	$NetBSD: fil.c,v 1.12 2013/09/18 23:34:55 rmind Exp $	*/
 /*
  * Copyright (C) 2012 by Darren Reed.
+ *
  * See the IPFILTER.LICENCE file for details on licencing.
+ *
  * Id: fil.c,v 1.1.1.2 2012/07/22 13:45:07 darrenr Exp $
+ *
  */
 #if defined(KERNEL) || defined(_KERNEL)
 # undef KERNEL
 # undef _KERNEL
 # define        KERNEL	1
 @@ -128,27 +128,27 @@ struct file;
 #if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
 # include <sys/callout.h>
 extern struct callout ipf_slowtimer_ch;
 #endif
 #if defined(__OpenBSD__)
 # include <sys/timeout.h>
 extern struct timeout ipf_slowtimer_ch;
 #endif
 /* END OF INCLUDES */
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.11 2013/09/12 20:03:10 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.12 2013/09/18 23:34:55 rmind Exp $");
 #else
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: fil.c,v 1.1.1.2 2012/07/22 13:45:07 darrenr Exp $";
 #endif
 #endif
 #ifndef	_KERNEL
 # include "ipf.h"
 # include "ipt.h"
 extern	int	opts;
 extern	int	blockreason;
 #endif /* _KERNEL */
 @@ -2395,34 +2395,28 @@ ipf_scanlist(fr_info_t *fin, u_32_t pass
 #if defined(IPFILTER_BPF)
 		case FR_T_BPFOPC :
 		case FR_T_BPFOPC_BUILTIN :
+		    {
 			u_char *mc;
 			int wlen;
 			if (*fin->fin_mp == NULL)
 				continue;
 			if (fin->fin_family != fr->fr_family)
 				continue;
 			mc = (u_char *)fin->fin_m;
 			wlen = fin->fin_dlen + fin->fin_hlen;
 #if defined(__NetBSD__)
 			if (!bpf_filter(bpf_def_ctx, NULL,
 			    fr->fr_data, mc, wlen, 0))
 				continue;
 #else
 			if (!bpf_filter(fr->fr_data, mc, wlen, 0))
 				continue;
 #endif
 			break;
+		    }
 #endif
 		case FR_T_CALLFUNC_BUILTIN :
+		    {
 			frentry_t *f;
 			f = (*fr->fr_func)(fin, &pass);
 			if (f != NULL)
 				fr = f;
 			else
 				continue;
 			break;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bpf.c,v 1.176 2013/09/09 20:53:51 christos Exp $	*/
+/*	$NetBSD: bpf.c,v 1.177 2013/09/18 23:34:55 rmind Exp $	*/
 /*
  * Copyright (c) 1990, 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
+ *
  * This code is derived from the Stanford/CMU enet packet filter,
  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
  * Berkeley Laboratory.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
 @@ -29,27 +29,27 @@
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)bpf.c	8.4 (Berkeley) 1/9/95
  * static char rcsid[] =
  * "Header: bpf.c,v 1.67 96/09/26 22:00:52 leres Exp ";
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.176 2013/09/09 20:53:51 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.177 2013/09/18 23:34:55 rmind Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_bpf.h"
 #include "sl.h"
 #include "strip.h"
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/buf.h>
 #include <sys/time.h>
 #include <sys/proc.h>
 @@ -1372,28 +1372,27 @@ bpf_deliver(struct bpf_if *bp, void *(*c
 	 */
 	for (d = bp->bif_dlist; d != NULL; d = d->bd_next) {
 		u_int slen;
 		if (!d->bd_seesent && !rcv) {
 			continue;
+		}
 		d->bd_rcount++;
 		bpf_gstats.bs_recv++;
 		if (d->bd_jitcode != NULL)
 			slen = d->bd_jitcode(pkt, pktlen, buflen);
 		else
-			slen = bpf_filter(bpf_def_ctx, NULL, d->bd_filter,
+			slen = bpf_filter(d->bd_filter, pkt, pktlen, buflen);
 			    pkt, pktlen, buflen);
 		if (!slen) {
 			continue;
+		}
 		if (!gottime) {
 			gottime = true;
 			nanotime(&ts);
+		}
 		catchpacket(d, pkt, pktlen, slen, cpfn, &ts);
+	}
+}
 /*

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bpf.h,v 1.61 2013/08/30 15:00:08 rmind Exp $	*/
+/*	$NetBSD: bpf.h,v 1.62 2013/09/18 23:34:55 rmind Exp $	*/
 /*
  * Copyright (c) 1990, 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
+ *
  * This code is derived from the Stanford/CMU enet packet filter,
  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
  * Berkeley Laboratory.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
 @@ -374,38 +374,35 @@ bpf_mtap_sl_out(struct ifnet *_ifp, u_ch
 void     bpf_setops(void);
 void     bpf_ops_handover_enter(struct bpf_ops *);
 void     bpf_ops_handover_exit(void);
 void	 bpfilterattach(int);
 struct bpf_ctx;
 typedef struct bpf_ctx bpf_ctx_t;
 typedef uint32_t (*bpf_copfunc_t)(const struct mbuf *, void *,
     uint32_t, uint32_t *);
 extern bpf_ctx_t *bpf_def_ctx;
 bpf_ctx_t *bpf_create(void);
 void	bpf_destroy(bpf_ctx_t *);
 int	bpf_set_cop(bpf_ctx_t *, const bpf_copfunc_t *, size_t);
-u_int	bpf_filter(bpf_ctx_t *, void *, const struct bpf_insn *,
+u_int	bpf_filter_ext(bpf_ctx_t *, void *, const struct bpf_insn *,
 	    const u_char *, u_int, u_int);
-int	bpf_validate(const struct bpf_insn *, int);
+int	bpf_validate_ext(bpf_ctx_t *, const struct bpf_insn *, int);
-#else
+#endif
 int	bpf_validate(const struct bpf_insn *, int);
 u_int	bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
 #endif
 __END_DECLS
 /*
  * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
  */
 #define BPF_MEMWORDS 16
 #endif /* !_NET_BPF_H_ */

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bpf_filter.c,v 1.57 2013/08/30 15:00:08 rmind Exp $	*/
+/*	$NetBSD: bpf_filter.c,v 1.58 2013/09/18 23:34:55 rmind Exp $	*/
 /*-
  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
  *	The Regents of the University of California.  All rights reserved.
+ *
  * This code is derived from the Stanford/CMU enet packet filter,
  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
  * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
  * Berkeley Laboratory.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
 @@ -27,52 +27,51 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)bpf_filter.c	8.1 (Berkeley) 6/10/93
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.57 2013/08/30 15:00:08 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.58 2013/09/18 23:34:55 rmind Exp $");
 #if 0
 #if !(defined(lint) || defined(KERNEL))
 static const char rcsid[] =
     "@(#) Header: bpf_filter.c,v 1.33 97/04/26 13:37:18 leres Exp  (LBL)";
 #endif
 #endif
 #include <sys/param.h>
 #include <sys/time.h>
 #include <sys/kmem.h>
 #include <sys/endian.h>
 #include <net/bpf.h>
 #ifdef _KERNEL
 struct bpf_ctx {
 	const bpf_copfunc_t *	copfuncs;
 	size_t			nfuncs;
 };
 /* Default BPF context (zeroed). */
-static bpf_ctx_t		bpf_def_ctx1;
+static bpf_ctx_t		bpf_def_ctx;
 bpf_ctx_t *			bpf_def_ctx = &bpf_def_ctx1;
 bpf_ctx_t *
 bpf_create(void)
+{
 	return kmem_zalloc(sizeof(bpf_ctx_t), KM_SLEEP);
+}
 void
 bpf_destroy(bpf_ctx_t *bc)
+{
 	kmem_free(bc, sizeof(bpf_ctx_t));
+}
 @@ -169,28 +168,36 @@ m_xbyte(const struct mbuf *m, uint32_t k
+}
 #else /* _KERNEL */
 #include <stdlib.h>
 #endif /* !_KERNEL */
 #include <net/bpf.h>
 /*
  * Execute the filter program starting at pc on the packet p
  * wirelen is the length of the original packet
  * buflen is the amount of data present
  */
 #ifdef _KERNEL
 u_int
-bpf_filter(bpf_ctx_t *bc, void *arg, const struct bpf_insn *pc,
+bpf_filter(const struct bpf_insn *pc, const u_char *p, u_int wirelen,
     u_int buflen)
+{
 	return bpf_filter_ext(&bpf_def_ctx, NULL, pc, p, wirelen, buflen);
+}
 u_int
 bpf_filter_ext(bpf_ctx_t *bc, void *arg, const struct bpf_insn *pc,
     const u_char *p, u_int wirelen, u_int buflen)
 #else
 u_int
 bpf_filter(const struct bpf_insn *pc, const u_char *p, u_int wirelen,
     u_int buflen)
 #endif
+{
 	uint32_t A, X, k;
 	uint32_t mem[BPF_MEMWORDS];
 #ifdef _KERNEL
 	KASSERT(bc != NULL);
 #endif
 @@ -537,29 +544,41 @@ bpf_filter(const struct bpf_insn *pc, co
 /*
  * Return true if the 'fcode' is a valid filter program.
  * The constraints are that each jump be forward and to a valid
  * code, that memory accesses are within valid ranges (to the
  * extent that this can be checked statically; loads of packet
  * data have to be, and are, also checked at run time), and that
  * the code terminates with either an accept or reject.
+ *
  * The kernel needs to be able to verify an application's filter code.
  * Otherwise, a bogus program could easily crash the system.
  */
 __CTASSERT(BPF_MEMWORDS == sizeof(uint16_t) * NBBY);
 #if defined(KERNEL) || defined(_KERNEL)
 int
 bpf_validate(const struct bpf_insn *f, int signed_len)
+{
 	return bpf_validate_ext(&bpf_def_ctx, f, signed_len);
+}
 int
 bpf_validate_ext(bpf_ctx_t *bc, const struct bpf_insn *f, int signed_len)
 #else
 int
 bpf_validate(const struct bpf_insn *f, int signed_len)
 #endif
+{
 	u_int i, from, len, ok = 0;
 	const struct bpf_insn *p;
 #if defined(KERNEL) || defined(_KERNEL)
 	uint16_t *mem, invalid;
 	size_t size;
 #endif
 	len = (u_int)signed_len;
 	if (len < 1)
 		return 0;
 #if defined(KERNEL) || defined(_KERNEL)
 	if (len > BPF_MAXINSNS)
 		return 0;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: if_ppp.c,v 1.140 2013/08/30 15:00:08 rmind Exp $	*/
+/*	$NetBSD: if_ppp.c,v 1.141 2013/09/18 23:34:55 rmind Exp $	*/
 /*	Id: if_ppp.c,v 1.6 1997/03/04 03:33:00 paulus Exp 	*/
 /*
  * if_ppp.c - Point-to-Point Protocol (PPP) Asynchronous driver.
+ *
  * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
+ *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -92,27 +92,27 @@
 /* from NetBSD: if_ppp.c,v 1.15.2.2 1994/07/28 05:17:58 cgd Exp */
 /*
  * XXX IMP ME HARDER
+ *
  * This is an explanation of that comment.  This code used to use
  * splimp() to block both network and tty interrupts.  However,
  * that call is deprecated.  So, we have replaced the uses of
  * splimp() with splhigh() in order to applomplish what it needs
  * to accomplish, and added that happy little comment.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.140 2013/08/30 15:00:08 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.141 2013/09/18 23:34:55 rmind Exp $");
 #include "ppp.h"
 #include "opt_inet.h"
 #include "opt_gateway.h"
 #include "opt_ppp.h"
 #ifdef INET
 #define VJC
 #endif
 #define PPP_COMPRESS
 #include <sys/param.h>
 @@ -936,37 +936,37 @@ pppoutput(struct ifnet *ifp, struct mbuf
     if (sc->sc_flags & SC_LOG_OUTPKT) {
 	printf("%s output: ", ifp->if_xname);
 	pppdumpm(m0);
+    }
     if ((protocol & 0x8000) == 0) {
 #ifdef PPP_FILTER
 	/*
 	 * Apply the pass and active filters to the packet,
 	 * but only if it is a data packet.
 	 */
 	if (sc->sc_pass_filt_out.bf_insns != 0
-	    && bpf_filter(bpf_def_ctx, NULL, sc->sc_pass_filt_out.bf_insns,
+	    && bpf_filter(sc->sc_pass_filt_out.bf_insns,
 			  (u_char *)m0, len, 0) == 0) {
 	    error = 0;		/* drop this packet */
 	    goto bad;
+	}
 	/*
 	 * Update the time we sent the most recent packet.
 	 */
 	if (sc->sc_active_filt_out.bf_insns == 0
-	    || bpf_filter(bpf_def_ctx, NULL, sc->sc_active_filt_out.bf_insns,
+	    || bpf_filter(sc->sc_active_filt_out.bf_insns,
 			  (u_char *)m0, len, 0))
 	    sc->sc_last_sent = time_second;
 #else
 	/*
 	 * Update the time we sent the most recent packet.
 	 */
 	sc->sc_last_sent = time_second;
 #endif /* PPP_FILTER */
+    }
     /*
      * See if bpf wants to look at the packet.
      */
 @@ -1574,34 +1574,34 @@ ppp_inproc(struct ppp_softc *sc, struct
 	    m->m_len = ilen;
+	}
+    }
     m->m_pkthdr.len = ilen;
     m->m_pkthdr.rcvif = ifp;
     if ((proto & 0x8000) == 0) {
 #ifdef PPP_FILTER
 	/*
 	 * See whether we want to pass this packet, and
 	 * if it counts as link activity.
 	 */
 	if (sc->sc_pass_filt_in.bf_insns != 0
-	    && bpf_filter(bpf_def_ctx, NULL, sc->sc_pass_filt_in.bf_insns,
+	    && bpf_filter(sc->sc_pass_filt_in.bf_insns,
 			  (u_char *)m, ilen, 0) == 0) {
 	    /* drop this packet */
 	    m_freem(m);
 	    return;
+	}
 	if (sc->sc_active_filt_in.bf_insns == 0
-	    || bpf_filter(bpf_def_ctx, NULL, sc->sc_active_filt_in.bf_insns,
+	    || bpf_filter(sc->sc_active_filt_in.bf_insns,
 			  (u_char *)m, ilen, 0))
 	    sc->sc_last_recv = time_second;
 #else
 	/*
 	 * Record the time that we received this packet.
 	 */
 	sc->sc_last_recv = time_second;
 #endif /* PPP_FILTER */
+    }
     /* See if bpf wants to look at the packet. */
     bpf_mtap(&sc->sc_if, m);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: npf_ruleset.c,v 1.22 2013/08/30 15:00:08 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.23 2013/09/18 23:34:55 rmind Exp $	*/
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
  * All rights reserved.
+ *
  * This material is based upon work partially supported by The
  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -24,27 +24,27 @@
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * NPF ruleset module.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.22 2013/08/30 15:00:08 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.23 2013/09/18 23:34:55 rmind Exp $");
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/atomic.h>
 #include <sys/kmem.h>
 #include <sys/queue.h>
 #include <sys/mbuf.h>
 #include <sys/types.h>
 #include <net/bpf.h>
 #include <net/bpfjit.h>
 #include <net/pfil.h>
 @@ -671,28 +671,27 @@ npf_rule_inspect(npf_cache_t *npc, nbuf_
+	}
 	/* Execute the byte-code, if any. */
 	if ((code = rl->r_code) == NULL) {
 		return true;
+	}
 	switch (rl->r_type) {
 	case NPF_CODE_NC:
 		return npf_ncode_process(npc, code, nbuf, layer) == 0;
 	case NPF_CODE_BPF: {
 		struct mbuf *m = nbuf_head_mbuf(nbuf);
 		size_t pktlen = m_length(m);
-		return bpf_filter(bpf_def_ctx, NULL, code,
+		return bpf_filter(code, (unsigned char *)m, pktlen, 0) != 0;
 		    (unsigned char *)m, pktlen, 0) != 0;
+	}
 	default:
 		KASSERT(false);
+	}
 	return false;
+}
 /*
  * npf_rule_reinspect: re-inspect the dynamic rule by iterating its list.
  * This is only for the dynamic rules.  Subrules cannot have nested rules.
  */
 static npf_rule_t *
 npf_rule_reinspect(npf_cache_t *npc, nbuf_t *nbuf, const npf_rule_t *drl,