authorglebius <glebius@FreeBSD.org>2012-09-08 06:41:54 +0000
committerglebius <glebius@FreeBSD.org>2012-09-08 06:41:54 +0000
commit5190d38ee392f405f48ee4edd4912dbe48d19953 (patch)
tree7b5b7e7d4dce516742188586df4e95db4183a7da /contrib/pf
parentfb40c86f7f3666ca5e299037097af8acad817a85 (diff)
Merge the projects/pf/head branch, that was worked on for last six months,
into head. The most significant achievements in the new code: o Fine grained locking, thus much better performance. o Fixes to many problems in pf, that were specific to FreeBSD port. New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers. Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged: r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212. I'd like to thank people who participated in early testing: Tested by: Florian Smeets <flo freebsd.org> Tested by: Chekaluk Vitaly <artemrts ukr.net> Tested by: Ben Wilber <ben desync.com> Tested by: Ian FREISLICH <ianf cloudseed.co.za>
Diffstat (limited to 'contrib/pf')
-rw-r--r--contrib/pf/man/pf.424
-rw-r--r--contrib/pf/man/pf.conf.540
-rw-r--r--contrib/pf/pfctl/parse.y43
-rw-r--r--contrib/pf/pfctl/pf_print_state.c5
-rw-r--r--contrib/pf/pfctl/pfctl.c17
-rw-r--r--contrib/pf/pfctl/pfctl_parser.c6
-rw-r--r--contrib/pf/pfctl/pfctl_table.c3
7 files changed, 28 insertions, 110 deletions
diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4
index 936a5a8..635078d 100644
--- a/contrib/pf/man/pf.4
+++ b/contrib/pf/man/pf.4
@@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 17 2011
+.Dd June 29 2012
.Dt PF 4
.Os
.Sh NAME
@@ -75,6 +75,25 @@ separated by
characters, similar to how file system hierarchies are laid out.
The final component of the anchor path is the anchor under which
operations will be performed.
+.Sh SYSCTL VARIABLES AND LOADER TUNABLES
+The following
+.Xr loader 8
+tunables are available.
+.Bl -tag -width indent
+.It Va net.pf.states_hashsize
+Size of hash tables that store states.
+Should be power of 2.
+Default value is 32768.
+.It Va net.pf.source_nodes_hashsize
+Size of hash table that store source nodes.
+Should be power of 2.
+Default value is 8192.
+.El
+.Pp
+Read only
+.Xr sysctl 8
+variables with matching names are provided to obtain current values
+at runtime.
.Sh IOCTL INTERFACE
.Nm
supports the following
@@ -351,7 +370,6 @@ struct pf_status {
u_int64_t scounters[SCNT_MAX];
u_int64_t pcounters[2][2][3];
u_int64_t bcounters[2][2];
- u_int64_t stateid;
u_int32_t running;
u_int32_t states;
u_int32_t src_nodes;
@@ -493,7 +511,7 @@ struct pfioc_limit {
};
enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
- PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
+ PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
.Ed
.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
Get the hard
diff --git a/contrib/pf/man/pf.conf.5 b/contrib/pf/man/pf.conf.5
index dfec264..fc86111 100644
--- a/contrib/pf/man/pf.conf.5
+++ b/contrib/pf/man/pf.conf.5
@@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 31 2009
+.Dd June 29 2012
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -1421,7 +1421,7 @@ has the socket open where the packet is sourced from or destined to
(depending on which socket is local).
This is in addition to the normal information logged.
.Pp
-Due to the problems described in the BUGS section only the first packet
+Only the first packet
logged via
.Ar log (all, user)
will have the user credentials logged when using stateful matching.
@@ -1479,13 +1479,6 @@ of the following keywords:
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
Any address.
-.It Ar route Aq Ar label
-Any address whose associated route has label
-.Aq Ar label .
-See
-.Xr route 4
-and
-.Xr route 8 .
.It Ar no-route
Any address which is not currently routable.
.It Ar urpf-failed
@@ -1594,7 +1587,6 @@ pass in proto tcp from any to any port 25
pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
to ! 10.1.2.3 port != ssh
pass in proto tcp from any os "OpenBSD"
-pass in proto tcp from route "DTAG"
.Ed
.It Ar all
This is equivalent to "from any to any".
@@ -2949,9 +2941,9 @@ proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
hosts = "all" |
"from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
- "{" host-list "}" | "route" string ) [ port ] [ os ]
+ "{" host-list "}" ) [ port ] [ os ]
"to" ( "any" | "no-route" | "self" | host |
- "{" host-list "}" | "route" string ) [ port ]
+ "{" host-list "}" ) [ port ]
ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
@@ -3048,28 +3040,6 @@ Protocol name database.
.It Pa /etc/services
Service name database.
.El
-.Sh BUGS
-Due to a lock order reversal (LOR) with the socket layer, the use of the
-.Ar group
-and
-.Ar user
-filter parameter in conjuction with a Giant-free netstack
-can result in a deadlock.
-A workaround is available under the
-.Va debug.pfugidhack
-sysctl which is automatically enabled when a
-.Ar user
-/
-.Ar group
-rule is added or
-.Ar log (user)
-is specified.
-.Pp
-Route labels are not supported by the
-.Fx
-.Xr route 4
-system.
-Rules with a route label do not match any traffic.
.Sh SEE ALSO
.Xr altq 4 ,
.Xr carp 4 ,
@@ -3080,7 +3050,6 @@ Rules with a route label do not match any traffic.
.Xr pf 4 ,
.Xr pflow 4 ,
.Xr pfsync 4 ,
-.Xr route 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr hosts 5 ,
@@ -3090,7 +3059,6 @@ Rules with a route label do not match any traffic.
.Xr ftp-proxy 8 ,
.Xr pfctl 8 ,
.Xr pflogd 8 ,
-.Xr route 8
.Sh HISTORY
The
.Nm
diff --git a/contrib/pf/pfctl/parse.y b/contrib/pf/pfctl/parse.y
index f798cac..99c26c0 100644
--- a/contrib/pf/pfctl/parse.y
+++ b/contrib/pf/pfctl/parse.y
@@ -159,8 +159,7 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NOSYNC, PF_STATE_OPT_SRCTRACK,
PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
- PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY,
- PF_STATE_OPT_PFLOW };
+ PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, };
enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
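Review bot: The rewritten enumerator list now ends in `PF_STATE_OPT_SLOPPY, };`, a trailing comma before the closing brace that is a leftover from deleting PF_STATE_OPT_PFLOW rather than a deliberate choice; it is legal C99 but reads as an editing artefact in a list that had no trailing comma before. Suggest `PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };`.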
@@ -451,7 +450,7 @@ int parseport(char *, struct range *r, int);
%token QUEUE PRIORITY QLIMIT RTABLE
%token LOAD RULESET_OPTIMIZATION
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
-%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
+%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
%token DIVERTTO DIVERTREPLY
%token <v.string> STRING
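Review bot: `ROUTE` is still declared on the %token line following the rewritten one, while this same commit removes the `host : ROUTE STRING` production further down and the lookup() hunk drops only `pflow`, so the `route` keyword presumably still maps to ROUTE in the keyword table. If no other production consumes ROUTE, yacc accepts the unused token silently and a ruleset that still says `from route "X"` now fails with a bare syntax error instead of a message that route labels were removed; since pf.conf.5 previously said such rules merely matched nothing, an upgraded host can go from a loadable ruleset to a failed load with no hint why. Either drop the token and the keyword together, or keep a `ROUTE STRING` production that calls `yyerror("route labels are not supported")` so the failure is self-explanatory.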
@@ -2081,15 +2080,6 @@ pfrule : action dir logquick interface route af proto fromto
}
r.rule_flag |= PFRULE_STATESLOPPY;
break;
- case PF_STATE_OPT_PFLOW:
- if (r.rule_flag & PFRULE_PFLOW) {
- yyerror("state pflow "
- "option: multiple "
- "definitions");
- YYERROR;
- }
- r.rule_flag |= PFRULE_PFLOW;
- break;
case PF_STATE_OPT_TIMEOUT:
if (o->data.timeout.number ==
PFTM_ADAPTIVE_START ||
@@ -2909,26 +2899,6 @@ host : STRING {
$$->next = NULL;
$$->tail = $$;
}
- | ROUTE STRING {
- $$ = calloc(1, sizeof(struct node_host));
- if ($$ == NULL) {
- free($2);
- err(1, "host: calloc");
- }
- $$->addr.type = PF_ADDR_RTLABEL;
- if (strlcpy($$->addr.v.rtlabelname, $2,
- sizeof($$->addr.v.rtlabelname)) >=
- sizeof($$->addr.v.rtlabelname)) {
- yyerror("route label too long, max %u chars",
- sizeof($$->addr.v.rtlabelname) - 1);
- free($2);
- free($$);
- YYERROR;
- }
- $$->next = NULL;
- $$->tail = $$;
- free($2);
- }
;
number : NUMBER
@@ -3597,14 +3567,6 @@ state_opt_item : MAXIMUM NUMBER {
$$->next = NULL;
$$->tail = $$;
}
- | PFLOW {
- $$ = calloc(1, sizeof(struct node_state_opt));
- if ($$ == NULL)
- err(1, "state_opt_item: calloc");
- $$->type = PF_STATE_OPT_PFLOW;
- $$->next = NULL;
- $$->tail = $$;
- }
| STRING NUMBER {
int i;
@@ -5320,7 +5282,6 @@ lookup(char *s)
{ "out", OUT},
{ "overload", OVERLOAD},
{ "pass", PASS},
- { "pflow", PFLOW},
{ "port", PORT},
{ "priority", PRIORITY},
{ "priq", PRIQ},
diff --git a/contrib/pf/pfctl/pf_print_state.c b/contrib/pf/pfctl/pf_print_state.c
index 0698516..d6637b4 100644
--- a/contrib/pf/pfctl/pf_print_state.c
+++ b/contrib/pf/pfctl/pf_print_state.c
@@ -119,9 +119,6 @@ print_addr(struct pf_addr_wrap *addr, sa_family_t af, int verbose)
case PF_ADDR_URPFFAILED:
printf("urpf-failed");
return;
- case PF_ADDR_RTLABEL:
- printf("route \"%s\"", addr->v.rtlabelname);
- return;
default:
printf("?");
return;
@@ -339,8 +336,6 @@ print_state(struct pfsync_state *s, int opts)
printf(", rule %u", ntohl(s->rule));
if (s->state_flags & PFSTATE_SLOPPY)
printf(", sloppy");
- if (s->state_flags & PFSTATE_PFLOW)
- printf(", pflow");
if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
printf(", source-track");
if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)
diff --git a/contrib/pf/pfctl/pfctl.c b/contrib/pf/pfctl/pfctl.c
index 8b07a2b..90a2bb5 100644
--- a/contrib/pf/pfctl/pfctl.c
+++ b/contrib/pf/pfctl/pfctl.c
@@ -144,7 +144,6 @@ static const struct {
{ "states", PF_LIMIT_STATES },
{ "src-nodes", PF_LIMIT_SRC_NODES },
{ "frags", PF_LIMIT_FRAGS },
- { "tables", PF_LIMIT_TABLES },
{ "table-entries", PF_LIMIT_TABLE_ENTRIES },
{ NULL, 0 }
};
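Review bot: Dropping the `tables` entry from this limit table means a pf.conf containing `set limit tables N` is now rejected by pfctl, and nothing in this commit updates the `set limit` documentation; the pf.conf.5 hunks here touch only route labels and the BUGS section, so if that page still lists `tables` it now documents a keyword pfctl refuses. Worth either documenting the removal in pf.conf.5 or keeping the keyword with a one-line warning (`warnx("set limit tables is obsolete and ignored")`) so hosts that carry the old line do not fail to load their ruleset on upgrade. The enclosing static table starts before this hunk.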
@@ -1553,9 +1552,6 @@ pfctl_fopen(const char *name, const char *mode)
void
pfctl_init_options(struct pfctl *pf)
{
- int64_t mem;
- int mib[2];
- size_t size;
pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
@@ -1581,21 +1577,8 @@ pfctl_init_options(struct pfctl *pf)
pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
- pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
- mib[0] = CTL_HW;
-#ifdef __FreeBSD__
- mib[1] = HW_PHYSMEM;
-#else
- mib[1] = HW_PHYSMEM64;
-#endif
- size = sizeof(mem);
- if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1)
- err(1, "sysctl");
- if (mem <= 100*1024*1024)
- pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
-
pf->debug = PF_DEBUG_URGENT;
}
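Review bot: Removing the HW_PHYSMEM probe makes `pf->limit[PF_LIMIT_TABLE_ENTRIES]` default to PFR_KENTRY_HIWAT unconditionally, so a host with 100 MB or less that previously got PFR_KENTRY_HIWAT_SMALL now has a larger default table-entries ceiling with no change to its pf.conf; the smaller default was a guard against a large table load exhausting kernel memory on small machines. If the new kernel code bounds this differently (not visible from this hunk) the change is fine, but the silent raise deserves a comment at the assignment, e.g. `/* Defaults no longer scale with physical memory; small hosts should set limit table-entries explicitly. */`. pfctl_init_options begins before this hunk.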
diff --git a/contrib/pf/pfctl/pfctl_parser.c b/contrib/pf/pfctl/pfctl_parser.c
index d45b9b7..f248995 100644
--- a/contrib/pf/pfctl/pfctl_parser.c
+++ b/contrib/pf/pfctl/pfctl_parser.c
@@ -955,12 +955,6 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric)
printf("sloppy");
opts = 0;
}
- if (r->rule_flag & PFRULE_PFLOW) {
- if (!opts)
- printf(", ");
- printf("pflow");
- opts = 0;
- }
for (i = 0; i < PFTM_MAX; ++i)
if (r->timeout[i]) {
int j;
diff --git a/contrib/pf/pfctl/pfctl_table.c b/contrib/pf/pfctl/pfctl_table.c
index 257c014..f3a1efd 100644
--- a/contrib/pf/pfctl/pfctl_table.c
+++ b/contrib/pf/pfctl/pfctl_table.c
@@ -621,8 +621,7 @@ print_iface(struct pfi_kif *p, int opts)
if (!(opts & PF_OPT_VERBOSE2))
return;
printf("\tCleared: %s", ctime(&tzero));
- printf("\tReferences: [ States: %-18d Rules: %-18d ]\n",
- p->pfik_states, p->pfik_rules);
+ printf("\tReferences: %-18d\n", p->pfik_rulerefs);
for (i = 0; i < 8; i++) {
af = (i>>2) & 1;
dir = (i>>1) &1;
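Review bot: `printf("\tReferences: %-18d\n", p->pfik_rulerefs);` left-pads the count to 18 columns and then immediately prints a newline, so the only effect of the width is trailing whitespace in verbose `pfctl -sI` output; the padding made sense on the old line where a second field followed. Suggest `printf("\tReferences: %d\n", p->pfik_rulerefs);`. The per-interface state reference count is no longer shown; if that is deliberate, any pfctl.8 text describing the verbose interface output (not in this diff) should be checked to match. print_iface starts before this hunk.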