Update to FreeBSD head 2018-09-17

Git mirror commit 6c2192b1ef8c50788c751f878552526800b1e319.

Update #3472.

freebsd/sbin/pfctl/parse.h

@@ -65,66 +65,67 @@
 #define LIMIT 321
 #define LOGINTERFACE 322
 #define BLOCKPOLICY 323
-#define RANDOMID 324
-#define REQUIREORDER 325
-#define SYNPROXY 326
-#define FINGERPRINTS 327
-#define NOSYNC 328
-#define DEBUG 329
-#define SKIP 330
-#define HOSTID 331
-#define ANTISPOOF 332
-#define FOR 333
-#define INCLUDE 334
-#define BITMASK 335
-#define RANDOM 336
-#define SOURCEHASH 337
-#define ROUNDROBIN 338
-#define STATICPORT 339
-#define PROBABILITY 340
-#define ALTQ 341
-#define CBQ 342
-#define CODEL 343
-#define PRIQ 344
-#define HFSC 345
-#define FAIRQ 346
-#define BANDWIDTH 347
-#define TBRSIZE 348
-#define LINKSHARE 349
-#define REALTIME 350
-#define UPPERLIMIT 351
-#define QUEUE 352
-#define PRIORITY 353
-#define QLIMIT 354
-#define HOGS 355
-#define BUCKETS 356
-#define RTABLE 357
-#define TARGET 358
-#define INTERVAL 359
-#define LOAD 360
-#define RULESET_OPTIMIZATION 361
-#define PRIO 362
-#define STICKYADDRESS 363
-#define MAXSRCSTATES 364
-#define MAXSRCNODES 365
-#define SOURCETRACK 366
-#define GLOBAL 367
-#define RULE 368
-#define MAXSRCCONN 369
-#define MAXSRCCONNRATE 370
-#define OVERLOAD 371
-#define FLUSH 372
-#define SLOPPY 373
-#define TAGGED 374
-#define TAG 375
-#define IFBOUND 376
-#define FLOATING 377
-#define STATEPOLICY 378
-#define STATEDEFAULTS 379
-#define ROUTE 380
-#define SETTOS 381
-#define DIVERTTO 382
-#define DIVERTREPLY 383
-#define STRING 384
-#define NUMBER 385
-#define PORTBINARY 386
+#define FAILPOLICY 324
+#define RANDOMID 325
+#define REQUIREORDER 326
+#define SYNPROXY 327
+#define FINGERPRINTS 328
+#define NOSYNC 329
+#define DEBUG 330
+#define SKIP 331
+#define HOSTID 332
+#define ANTISPOOF 333
+#define FOR 334
+#define INCLUDE 335
+#define BITMASK 336
+#define RANDOM 337
+#define SOURCEHASH 338
+#define ROUNDROBIN 339
+#define STATICPORT 340
+#define PROBABILITY 341
+#define ALTQ 342
+#define CBQ 343
+#define CODEL 344
+#define PRIQ 345
+#define HFSC 346
+#define FAIRQ 347
+#define BANDWIDTH 348
+#define TBRSIZE 349
+#define LINKSHARE 350
+#define REALTIME 351
+#define UPPERLIMIT 352
+#define QUEUE 353
+#define PRIORITY 354
+#define QLIMIT 355
+#define HOGS 356
+#define BUCKETS 357
+#define RTABLE 358
+#define TARGET 359
+#define INTERVAL 360
+#define LOAD 361
+#define RULESET_OPTIMIZATION 362
+#define PRIO 363
+#define STICKYADDRESS 364
+#define MAXSRCSTATES 365
+#define MAXSRCNODES 366
+#define SOURCETRACK 367
+#define GLOBAL 368
+#define RULE 369
+#define MAXSRCCONN 370
+#define MAXSRCCONNRATE 371
+#define OVERLOAD 372
+#define FLUSH 373
+#define SLOPPY 374
+#define TAGGED 375
+#define TAG 376
+#define IFBOUND 377
+#define FLOATING 378
+#define STATEPOLICY 379
+#define STATEDEFAULTS 380
+#define ROUTE 381
+#define SETTOS 382
+#define DIVERTTO 383
+#define DIVERTREPLY 384
+#define STRING 385
+#define NUMBER 386
+#define PORTBINARY 387

freebsd/sbin/pfctl/parse.y

@@ -36,16 +36,19 @@
 
 #ifdef __rtems__
 #include "rtems-bsd-pfctl-namespace.h"
+
+/* Provided by kernel-space modules */
+#define	pf_find_or_create_ruleset _bsd_pf_find_or_create_ruleset
+#define	pf_anchor_setup _bsd_pf_anchor_setup
+#define	pf_remove_if_empty_ruleset _bsd_pf_remove_if_empty_ruleset
+
+#include <machine/rtems-bsd-program.h>
 #endif /* __rtems__ */
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#ifdef __rtems__
-#include <machine/rtems-bsd-program.h>
-#define	pf_find_or_create_ruleset _bsd_pf_find_or_create_ruleset
-#define	pf_anchor_setup _bsd_pf_anchor_setup
-#define	pf_remove_if_empty_ruleset _bsd_pf_remove_if_empty_ruleset
-#endif /* __rtems__ */
+#define PFIOC_USE_LATEST
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -96,6 +99,7 @@ static u_int16_t	 returnicmpdefault =
 static u_int16_t	 returnicmp6default =
 			    (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
 static int		 blockpolicy = PFRULE_DROP;
+static int		 failpolicy = PFRULE_DROP;
 static int		 require_order = 1;
 static int		 default_statelock;
 
@@ -302,7 +306,7 @@ static struct queue_opts {
 	struct node_queue_bw	queue_bwspec;
 	struct node_queue_opt	scheduler;
 	int			priority;
-	int			tbrsize;
+	unsigned int		tbrsize;
 	int			qlimit;
 } queue_opts;
 
@@ -472,8 +476,8 @@ int	parseport(char *, struct range *r, int);
 %token	MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
 %token	NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
 %token	REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
-%token	SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token	REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
+%token	SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
+%token	RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
 %token	ANTISPOOF FOR INCLUDE
 %token	BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY
 %token	ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
@@ -657,6 +661,20 @@ option		: SET OPTIMIZATION STRING		{
 				YYERROR;
 			blockpolicy = PFRULE_RETURN;
 		}
+		| SET FAILPOLICY DROP	{
+			if (pf->opts & PF_OPT_VERBOSE)
+				printf("set fail-policy drop\n");
+			if (check_rulestate(PFCTL_STATE_OPTION))
+				YYERROR;
+			failpolicy = PFRULE_DROP;
+		}
+		| SET FAILPOLICY RETURN {
+			if (pf->opts & PF_OPT_VERBOSE)
+				printf("set fail-policy return\n");
+			if (check_rulestate(PFCTL_STATE_OPTION))
+				YYERROR;
+			failpolicy = PFRULE_RETURN;
+		}
 		| SET REQUIREORDER yesno {
 			if (pf->opts & PF_OPT_VERBOSE)
 				printf("set require-order %s\n",
@@ -1625,8 +1643,8 @@ queue_opt	: BANDWIDTH bandwidth	{
 				yyerror("tbrsize cannot be respecified");
 				YYERROR;
 			}
-			if ($2 < 0 || $2 > 65535) {
-				yyerror("tbrsize too big: max 65535");
+			if ($2 < 0 || $2 > UINT_MAX) {
+				yyerror("tbrsize too big: max %u", UINT_MAX);
 				YYERROR;
 			}
 			queue_opts.marker |= QOM_TBRSIZE;
@@ -1675,10 +1693,10 @@ bandwidth	: STRING {
 				}
 			}
 			free($1);
-			$$.bw_absolute = (u_int32_t)bps;
+			$$.bw_absolute = (u_int64_t)bps;
 		}
 		| NUMBER {
-			if ($1 < 0 || $1 > UINT_MAX) {
+			if ($1 < 0 || $1 >= LLONG_MAX) {
 				yyerror("bandwidth number too big");
 				YYERROR;
 			}
@@ -2653,7 +2671,12 @@ probability	: STRING				{
 		;
 
 
-action		: PASS			{ $$.b1 = PF_PASS; $$.b2 = $$.w = 0; }
+action		: PASS 			{
+			$$.b1 = PF_PASS;
+			$$.b2 = failpolicy;
+			$$.w = returnicmpdefault;
+			$$.w2 = returnicmp6default;
+		}
 		| BLOCK blockspec	{ $$ = $2; $$.b1 = PF_DROP; }
 		;
 
@@ -5491,6 +5514,7 @@ lookup(char *s)
 		{ "drop",		DROP},
 		{ "drop-ovl",		FRAGDROP},
 		{ "dup-to",		DUPTO},
+		{ "fail-policy",	FAILPOLICY},
 		{ "fairq",		FAIRQ},
 		{ "fastroute",		FASTROUTE},
 		{ "file",		FILENAME},
@@ -5955,6 +5979,7 @@ parse_config(char *filename, struct pfctl *xpf)
 	returnicmp6default =
 	    (ICMP6_DST_UNREACH << 8) | ICMP6_DST_UNREACH_NOPORT;
 	blockpolicy = PFRULE_DROP;
+	failpolicy = PFRULE_DROP;
 	require_order = 1;
 
 	if ((file = pushfile(filename, 0)) == NULL) {

freebsd/sbin/pfctl/pfctl.c

@@ -40,17 +40,21 @@
  *
  */
 
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
 #ifdef __rtems__
 #define __need_getopt_newlib
 #include <getopt.h>
 #include <machine/rtems-bsd-program.h>
 #include <machine/rtems-bsd-commands.h>
+
+/* Provided by kernel-space modules */
 #define	pf_get_ruleset_number _bsd_pf_get_ruleset_number
 #define	pf_init_ruleset _bsd_pf_init_ruleset
 #endif /* __rtems__ */
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#define PFIOC_USE_LATEST
+
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -87,7 +91,7 @@ int	 pfctl_disable(int, int);
 int	 pfctl_clear_stats(int, int);
 int	 pfctl_get_skip_ifaces(void);
 int	 pfctl_check_skip_ifaces(char *);
-int	 pfctl_clear_skip_ifaces(struct pfctl *);
+int	 pfctl_adjust_skip_ifaces(struct pfctl *);
 int	 pfctl_clear_interface_flags(int, int);
 int	 pfctl_clear_rules(int, int, char *);
 int	 pfctl_clear_nat(int, int, char *);
@@ -114,6 +118,7 @@ int	 pfctl_show_nat(int, int, char *);
 int	 pfctl_show_src_nodes(int, int);
 int	 pfctl_show_states(int, const char *, int);
 int	 pfctl_show_status(int, int);
+int	 pfctl_show_running(int);
 int	 pfctl_show_timeouts(int, int);
 int	 pfctl_show_limits(int, int);
 void	 pfctl_debug(int, u_int32_t, int);
@@ -235,7 +240,7 @@ static const char * const clearopt_list[] = {
 static const char * const showopt_list[] = {
 	"nat", "queue", "rules", "Anchors", "Sources", "states", "info",
 	"Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
-	"all", NULL
+	"Running", "all", NULL
 };
 
 static const char * const tblcmdopt_list[] = {
@@ -340,21 +345,66 @@ int
 pfctl_check_skip_ifaces(char *ifname)
 {
 	struct pfi_kif		*p;
+	struct node_host	*h = NULL, *n = NULL;
 
-	PFRB_FOREACH(p, &skip_b)
-		if ((p->pfik_flags & PFI_IFLAG_SKIP) && !strcmp(ifname, p->pfik_name))
+	PFRB_FOREACH(p, &skip_b) {
+		if (!strcmp(ifname, p->pfik_name) &&
+		    (p->pfik_flags & PFI_IFLAG_SKIP))
 			p->pfik_flags &= ~PFI_IFLAG_SKIP;
+		if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
+			if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
+				continue;
+
+			for (n = h; n != NULL; n = n->next) {
+				if (p->pfik_ifp == NULL)
+					continue;
+				if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
+					continue;
+
+				p->pfik_flags &= ~PFI_IFLAG_SKIP;
+			}
+		}
+	}
 	return (0);
 }
 
 int
-pfctl_clear_skip_ifaces(struct pfctl *pf)
+pfctl_adjust_skip_ifaces(struct pfctl *pf)
 {
-	struct pfi_kif		*p;
+	struct pfi_kif		*p, *pp;
+	struct node_host	*h = NULL, *n = NULL;
+
+	PFRB_FOREACH(p, &skip_b) {
+		if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
+			continue;
+
+		pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
+		if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
+			continue;
+
+		for (n = h; n != NULL; n = n->next)
+			PFRB_FOREACH(pp, &skip_b) {
+				if (pp->pfik_ifp == NULL)
+					continue;
+
+				if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
+					continue;
+
+				if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
+					pfctl_set_interface_flags(pf,
+					    pp->pfik_name, PFI_IFLAG_SKIP, 1);
+				if (pp->pfik_flags & PFI_IFLAG_SKIP)
+					pp->pfik_flags &= ~PFI_IFLAG_SKIP;
+			}
+	}
+
+	PFRB_FOREACH(p, &skip_b) {
+		if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP))
+			continue;
+
+		pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
+	}
 
-	PFRB_FOREACH(p, &skip_b)
-		if (p->pfik_flags & PFI_IFLAG_SKIP)
-			pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
 	return (0);
 }
 
@@ -1180,6 +1230,20 @@ pfctl_show_status(int dev, int opts)
 	return (0);
 }
 
+int
+pfctl_show_running(int dev)
+{
+	struct pf_status status;
+
+	if (ioctl(dev, DIOCGETSTATUS, &status)) {
+		warn("DIOCGETSTATUS");
+		return (-1);
+	}
+
+	print_running(&status);
+	return (!status.running);
+}
+
 int
 pfctl_show_timeouts(int dev, int opts)
 {
@@ -1490,6 +1554,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
 	}
 
 	memset(&pa, 0, sizeof(pa));
+	pa.version = PFIOC_ALTQ_VERSION;
 	memset(&pf, 0, sizeof(pf));
 	memset(&trs, 0, sizeof(trs));
 	if ((path = calloc(1, MAXPATHLEN)) == NULL)
@@ -1548,7 +1613,7 @@ pfctl_rules(int dev, char *filename, int opts, int optimize,
 			goto _error;
 	}
 	if (loadopt & PFCTL_FLAG_OPTION)
-		pfctl_clear_skip_ifaces(&pf);
+		pfctl_adjust_skip_ifaces(&pf);
 
 	if ((pf.loadopt & PFCTL_FLAG_FILTER &&
 	    (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
@@ -1998,6 +2063,7 @@ pfctl_test_altqsupport(int dev, int opts)
 {
 	struct pfioc_altq pa;
 
+	pa.version = PFIOC_ALTQ_VERSION;
 	if (ioctl(dev, DIOCGETALTQS, &pa)) {
 		if (errno == ENODEV) {
 			if (opts & PF_OPT_VERBOSE)
@@ -2332,6 +2398,9 @@ main(int argc, char *argv[])
 		case 'i':
 			pfctl_show_status(dev, opts);
 			break;
+		case 'R':
+			error = pfctl_show_running(dev);
+			break;
 		case 't':
 			pfctl_show_timeouts(dev, opts);
 			break;
@@ -2449,7 +2518,7 @@ main(int argc, char *argv[])
 	}
 
 	if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
-	    !anchorname[0])
+	    !anchorname[0] && !(opts & PF_OPT_NOACTION))
 		if (pfctl_get_skip_ifaces())
 			error = 1;
 

freebsd/sbin/pfctl/pfctl_altq.c

@@ -24,12 +24,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
 #ifdef __rtems__
 #include <machine/rtems-bsd-program.h>
 #endif /* __rtems__ */
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#define PFIOC_USE_LATEST
+
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -40,6 +42,7 @@ __FBSDID("$FreeBSD$");
 
 #include <err.h>
 #include <errno.h>
+#include <inttypes.h>
 #include <limits.h>
 #include <math.h>
 #include <stdio.h>
@@ -100,14 +103,14 @@ static int		 gsc_add_seg(struct gen_sc *, double, double, double,
 static double		 sc_x2y(struct service_curve *, double);
 
 #ifdef __FreeBSD__
-u_int32_t	getifspeed(int, char *);
+u_int64_t	getifspeed(int, char *);
 #else
 u_int32_t	 getifspeed(char *);
 #endif
 u_long		 getifmtu(char *);
 int		 eval_queue_opts(struct pf_altq *, struct node_queue_opt *,
-		     u_int32_t);
-u_int32_t	 eval_bwspec(struct node_queue_bw *, u_int32_t);
+		     u_int64_t);
+u_int64_t	 eval_bwspec(struct node_queue_bw *, u_int64_t);
 void		 print_hfsc_sc(const char *, u_int, u_int, u_int,
 		     const struct node_hfsc_sc *);
 void		 print_fairq_sc(const char *, u_int, u_int, u_int,
@@ -270,7 +273,8 @@ int
 eval_pfaltq(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
     struct node_queue_opt *opts)
 {
-	u_int	rate, size, errors = 0;
+	u_int64_t	rate;
+	u_int		size, errors = 0;
 
 	if (bw->bw_absolute > 0)
 		pa->ifbandwidth = bw->bw_absolute;
@@ -287,6 +291,15 @@ eval_pfaltq(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
 		} else if ((pa->ifbandwidth = eval_bwspec(bw, rate)) == 0)
 			pa->ifbandwidth = rate;
 
+	/*
+	 * Limit bandwidth to UINT_MAX for schedulers that aren't 64-bit ready.
+	 */
+	if ((pa->scheduler != ALTQT_HFSC) && (pa->ifbandwidth > UINT_MAX)) {
+		pa->ifbandwidth = UINT_MAX;
+		warnx("interface %s bandwidth limited to %" PRIu64 " bps "
+		    "because selected scheduler is 32-bit limited\n", pa->ifname,
+		    pa->ifbandwidth);
+	}
 	errors += eval_queue_opts(pa, opts, pa->ifbandwidth);
 
 	/* if tbrsize is not specified, use heuristics */
@@ -298,11 +311,11 @@ eval_pfaltq(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
 			size = 4;
 		else if (rate <= 200 * 1000 * 1000)
 			size = 8;
-		else
+		else if (rate <= 2500 * 1000 * 1000ULL)
 			size = 24;
+		else
+			size = 128;
 		size = size * getifmtu(pa->ifname);
-		if (size > 0xffff)
-			size = 0xffff;
 		pa->tbrsize = size;
 	}
 	return (errors);
@@ -350,7 +363,7 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
 {
 	/* should be merged with expand_queue */
 	struct pf_altq	*if_pa, *parent, *altq;
-	u_int32_t	 bwsum;
+	u_int64_t	 bwsum;
 	int		 error = 0;
 
 	/* find the corresponding interface and copy fields used by queues */
@@ -384,7 +397,7 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
 	if (pa->scheduler == ALTQT_CBQ || pa->scheduler == ALTQT_HFSC ||
 		pa->scheduler == ALTQT_FAIRQ) {
 		pa->bandwidth = eval_bwspec(bw,
-		    parent == NULL ? 0 : parent->bandwidth);
+		    parent == NULL ? pa->ifbandwidth : parent->bandwidth);
 
 		if (pa->bandwidth > pa->ifbandwidth) {
 			fprintf(stderr, "bandwidth for %s higher than "
@@ -415,7 +428,8 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
 		}
 	}
 
-	if (eval_queue_opts(pa, opts, parent == NULL? 0 : parent->bandwidth))
+	if (eval_queue_opts(pa, opts,
+		parent == NULL ? pa->ifbandwidth : parent->bandwidth))
 		return (1);
 
 	switch (pa->scheduler) {
@@ -509,12 +523,13 @@ cbq_compute_idletime(struct pfctl *pf, struct pf_altq *pa)
 		 * this causes integer overflow in kernel!
 		 * (bandwidth < 6Kbps when max_pkt_size=1500)
 		 */
-		if (pa->bandwidth != 0 && (pf->opts & PF_OPT_QUIET) == 0)
+		if (pa->bandwidth != 0 && (pf->opts & PF_OPT_QUIET) == 0) {
 			warnx("queue bandwidth must be larger than %s",
 			    rate2str(ifnsPerByte * (double)opts->maxpktsize /
 			    (double)INT_MAX * (double)pa->ifbandwidth));
 			fprintf(stderr, "cbq: queue %s is too slow!\n",
 			    pa->qname);
+		}
 		nsPerByte = (double)(INT_MAX / opts->maxpktsize);
 	}
 
@@ -720,7 +735,7 @@ static int
 eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
 {
 	struct pf_altq		*altq, *parent;
-	struct hfsc_opts	*opts;
+	struct hfsc_opts_v1	*opts;
 	struct service_curve	 sc;
 
 	opts = &pa->pq_u.hfsc_opts;
@@ -1012,7 +1027,7 @@ check_commit_fairq(int dev __unused, int opts __unused, struct pf_altq *pa)
 static int
 print_hfsc_opts(const struct pf_altq *a, const struct node_queue_opt *qopts)
 {
-	const struct hfsc_opts		*opts;
+	const struct hfsc_opts_v1	*opts;
 	const struct node_hfsc_sc	*rtsc, *lssc, *ulsc;
 
 	opts = &a->pq_u.hfsc_opts;
@@ -1333,7 +1348,7 @@ rate2str(double rate)
  * FreeBSD does not have SIOCGIFDATA.
  * To emulate this, DIOCGIFSPEED ioctl added to pf.
  */
-u_int32_t
+u_int64_t
 getifspeed(int pfdev, char *ifname)
 {
 	struct pf_ifspeed io;
@@ -1344,7 +1359,7 @@ getifspeed(int pfdev, char *ifname)
 		errx(1, "getifspeed: strlcpy");
 	if (ioctl(pfdev, DIOCGIFSPEED, &io) == -1)
 		err(1, "DIOCGIFSPEED");
-	return ((u_int32_t)io.baudrate);
+	return (io.baudrate);
 }
 #else
 u_int32_t
@@ -1399,7 +1414,7 @@ getifmtu(char *ifname)
 
 int
 eval_queue_opts(struct pf_altq *pa, struct node_queue_opt *opts,
-    u_int32_t ref_bw)
+    u_int64_t ref_bw)
 {
 	int	errors = 0;
 
@@ -1475,11 +1490,21 @@ eval_queue_opts(struct pf_altq *pa, struct node_queue_opt *opts,
 	return (errors);
 }
 
-u_int32_t
-eval_bwspec(struct node_queue_bw *bw, u_int32_t ref_bw)
+/*
+ * If absolute bandwidth if set, return the lesser of that value and the
+ * reference bandwidth.  Limiting to the reference bandwidth allows simple
+ * limiting of configured bandwidth parameters for schedulers that are
+ * 32-bit limited, as the root/interface bandwidth (top-level reference
+ * bandwidth) will be properly limited in that case.
+ *
+ * Otherwise, if the absolute bandwidth is not set, return given percentage
+ * of reference bandwidth.
+ */
+u_int64_t
+eval_bwspec(struct node_queue_bw *bw, u_int64_t ref_bw)
 {
 	if (bw->bw_absolute > 0)
-		return (bw->bw_absolute);
+		return (MIN(bw->bw_absolute, ref_bw));
 
 	if (bw->bw_percent > 0)
 		return (ref_bw / 100 * bw->bw_percent);

freebsd/sbin/pfctl/pfctl_parser.c

@@ -628,6 +628,12 @@ print_status(struct pf_status *s, int opts)
 	}
 }
 
+void
+print_running(struct pf_status *status)
+{
+	printf("%s\n", status->running ? "Enabled" : "Disabled");
+}
+
 void
 print_src_node(struct pf_src_node *sn, int opts)
 {

freebsd/sbin/pfctl/pfctl_parser.h

@@ -134,7 +134,7 @@ struct node_os {
 };
 
 struct node_queue_bw {
-	u_int32_t	bw_absolute;
+	u_int64_t	bw_absolute;
 	u_int16_t	bw_percent;
 };
 
@@ -257,6 +257,7 @@ void	print_src_node(struct pf_src_node *, int);
 void	print_rule(struct pf_rule *, const char *, int, int);
 void	print_tabledef(const char *, int, int, struct node_tinithead *);
 void	print_status(struct pf_status *, int);
+void	print_running(struct pf_status *);
 
 int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
 	    struct node_queue_opt *);
@@ -314,6 +315,7 @@ int			 unmask(struct pf_addr *, sa_family_t);
 void			 ifa_load(void);
 int			 get_socket_domain(void);
 struct node_host	*ifa_exists(const char *);
+struct node_host	*ifa_grouplookup(const char *ifa_name, int flags);
 struct node_host	*ifa_lookup(const char *, int);
 struct node_host	*host(const char *);
 

freebsd/sbin/pfctl/pfctl_qstats.c

@@ -22,12 +22,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
 #ifdef __rtems__
 #include <machine/rtems-bsd-program.h>
 #endif /* __rtems__ */
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#define PFIOC_USE_LATEST
+
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
@@ -165,6 +167,7 @@ pfctl_update_qstats(int dev, struct pf_altq_node **root)
 	memset(&pa, 0, sizeof(pa));
 	memset(&pq, 0, sizeof(pq));
 	memset(&qstats, 0, sizeof(qstats));
+	pa.version = PFIOC_ALTQ_VERSION;
 	if (ioctl(dev, DIOCGETALTQS, &pa)) {
 		warn("DIOCGETALTQS");
 		return (-1);
@@ -194,6 +197,7 @@ pfctl_update_qstats(int dev, struct pf_altq_node **root)
 			pq.ticket = pa.ticket;
 			pq.buf = &qstats.data;
 			pq.nbytes = sizeof(qstats.data);
+			pq.version = altq_stats_version(pa.altq.scheduler);
 			if (ioctl(dev, DIOCGETQSTATS, &pq)) {
 				warn("DIOCGETQSTATS");
 				return (-1);

freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h

@@ -79,13 +79,13 @@
 #define pfctl_add_pool _bsd_pfctl_pfctl_add_pool
 #define pfctl_add_rule _bsd_pfctl_pfctl_add_rule
 #define pfctl_addrprefix _bsd_pfctl_pfctl_addrprefix
+#define pfctl_adjust_skip_ifaces _bsd_pfctl_pfctl_adjust_skip_ifaces
 #define pfctl_check_skip_ifaces _bsd_pfctl_pfctl_check_skip_ifaces
 #define pfctl_clear_altq _bsd_pfctl_pfctl_clear_altq
 #define pfctl_clear_interface_flags _bsd_pfctl_pfctl_clear_interface_flags
 #define pfctl_clear_nat _bsd_pfctl_pfctl_clear_nat
 #define pfctl_clear_pool _bsd_pfctl_pfctl_clear_pool
 #define pfctl_clear_rules _bsd_pfctl_pfctl_clear_rules
-#define pfctl_clear_skip_ifaces _bsd_pfctl_pfctl_clear_skip_ifaces
 #define pfctl_clear_src_nodes _bsd_pfctl_pfctl_clear_src_nodes
 #define pfctl_clear_states _bsd_pfctl_pfctl_clear_states
 #define pfctl_clear_stats _bsd_pfctl_pfctl_clear_stats
@@ -125,6 +125,7 @@
 #define pfctl_show_limits _bsd_pfctl_pfctl_show_limits
 #define pfctl_show_nat _bsd_pfctl_pfctl_show_nat
 #define pfctl_show_rules _bsd_pfctl_pfctl_show_rules
+#define pfctl_show_running _bsd_pfctl_pfctl_show_running
 #define pfctl_show_src_nodes _bsd_pfctl_pfctl_show_src_nodes
 #define pfctl_show_states _bsd_pfctl_pfctl_show_states
 #define pfctl_show_status _bsd_pfctl_pfctl_show_status
@@ -210,6 +211,7 @@
 #define print_pool _bsd_pfctl_print_pool
 #define print_port _bsd_pfctl_print_port
 #define print_rule _bsd_pfctl_print_rule
+#define print_running _bsd_pfctl_print_running
 #define print_src_node _bsd_pfctl_print_src_node
 #define print_status _bsd_pfctl_print_status
 #define print_tabledef _bsd_pfctl_print_tabledef

freebsd/sbin/pfctl/rtems-bsd-pfctl-parse-data.h

@@ -8,6 +8,7 @@ RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static char pushback_buffer[]);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int blockpolicy);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int debug);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int default_statelock);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int failpolicy);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int parseindex);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int pushback_index);
 RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int require_order);