5 files changed, 48 insertions, 2 deletions

diff --git a/sys/net/if_pflog.h b/sys/net/if_pflog.h
index 0faeb7d..326b551 100644
--- a/sys/net/if_pflog.h
+++ b/sys/net/if_pflog.h
@@ -40,10 +40,14 @@ struct pfloghdr {
 	char		ruleset[PFLOG_RULESET_NAME_SIZE];
 	u_int32_t	rulenr;
 	u_int32_t	subrulenr;
+#ifdef PF_USER_INFO
 	uid_t		uid;
 	pid_t		pid;
 	uid_t		rule_uid;
 	pid_t		rule_pid;
+#else
+	u_int32_t	ridentifier;
+#endif
 	u_int8_t	dir;
 	u_int8_t	pad[3];
 };
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 2936771..e46bb69 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -547,7 +547,11 @@ struct pf_rule {
 	u_int32_t		 rt_listid;
 	u_int32_t		 nr;
 	u_int32_t		 prob;
+#ifdef PF_USER_INFO
 	uid_t			 cuid;
+#else
+	u_int32_t		 cuid;
+#endif
 	pid_t			 cpid;
 
 	counter_u64_t		 states_cur;
@@ -1144,11 +1148,13 @@ struct pfi_kif {
 #define PFI_IFLAG_SKIP		0x0100	/* skip filtering on interface */
 
 struct pf_pdesc {
+#ifdef PF_USER_INFO
 	struct {
 		int	 done;
 		uid_t	 uid;
 		gid_t	 gid;
 	}		 lookup;
+#endif
 	u_int64_t	 tot_len;	/* Make Mickey money */
 	union {
 		struct tcphdr		*tcp;
diff --git a/sys/netpfil/pf/if_pflog.c b/sys/netpfil/pf/if_pflog.c
index 1efd5e2..5c22806 100644
--- a/sys/netpfil/pf/if_pflog.c
+++ b/sys/netpfil/pf/if_pflog.c
@@ -209,7 +209,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
 		return (0);
 
 	bzero(&hdr, sizeof(hdr));
-	hdr.length = PFLOG_REAL_HDRLEN;
+	hdr.length = PFLOG_HDRLEN;
 	hdr.af = af;
 	hdr.action = rm->action;
 	hdr.reason = reason;
@@ -218,13 +218,16 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
 	if (am == NULL) {
 		hdr.rulenr = htonl(rm->nr);
 		hdr.subrulenr =  1;
+		hdr.ridentifier = rm->cuid;
 	} else {
 		hdr.rulenr = htonl(am->nr);
 		hdr.subrulenr = htonl(rm->nr);
+		hdr.ridentifier = rm->cuid;
 		if (ruleset != NULL && ruleset->anchor != NULL)
 			strlcpy(hdr.ruleset, ruleset->anchor->name,
 			    sizeof(hdr.ruleset));
 	}
+#ifdef PF_USER_INFO
 	/*
 	 * XXXGL: we avoid pf_socket_lookup() when we are holding
 	 * state lock, since this leads to unsafe LOR.
@@ -239,6 +242,7 @@ pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
 	hdr.pid = NO_PID;
 	hdr.rule_uid = rm->cuid;
 	hdr.rule_pid = rm->cpid;
+#endif
 	hdr.dir = dir;
 
 #ifdef INET
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 89a2716..eed1ac8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -2851,6 +2851,7 @@ pf_match_ieee8021q_pcp(u_int8_t op, u_int8_t pcp1, u_int8_t pcp2,
 	return (pf_match(op, pcp1, pcp2, mpcp));
 }
 
+#ifdef PF_USER_INFO
 static int
 pf_match_uid(u_int8_t op, uid_t a1, uid_t a2, uid_t u)
 {
@@ -2866,6 +2867,7 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g)
 		return (0);
 	return (pf_match(op, a1, a2, g));
 }
+#endif
 
 int
 pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag, int mtag)
@@ -3074,6 +3076,7 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
 		a->flags |= PFRULE_DN_IS_PIPE;
 }
 
+#ifdef PF_USER_INFO
 int
 pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
 {
@@ -3153,6 +3156,7 @@ pf_socket_lookup(int direction, struct pf_pdesc *pd, struct mbuf *m)
 
 	return (1);
 }
+#endif
 
 static u_int8_t
 pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af)
@@ -3344,12 +3348,14 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 
 	PF_RULES_RASSERT();
 
+#ifdef PF_USER_INFO
 	if (inp != NULL) {
 		INP_LOCK_ASSERT(inp);
 		pd->lookup.uid = inp->inp_cred->cr_uid;
 		pd->lookup.gid = inp->inp_cred->cr_groups[0];
 		pd->lookup.done = 1;
 	}
+#endif
 
 	switch (pd->proto) {
 	case IPPROTO_TCP:
@@ -3572,6 +3578,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 		    (r->flagset & th->th_flags) != r->flags)
 			r = TAILQ_NEXT(r, entries);
 		/* tcp/udp only. uid.op always 0 in other cases */
+#ifdef PF_USER_INFO
 		else if (r->uid.op && (pd->lookup.done || (pd->lookup.done =
 		    pf_socket_lookup(direction, pd, m), 1)) &&
 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
@@ -3583,6 +3590,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
 		    pd->lookup.gid))
 			r = TAILQ_NEXT(r, entries);
+#endif
 		else if (r->ieee8021q_pcp.op &&
 		    !pf_match_ieee8021q_pcp(r->ieee8021q_pcp.op,
 		    r->ieee8021q_pcp.pcp[0], r->ieee8021q_pcp.pcp[1], m))
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index cacae58..146a56f 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1168,7 +1168,9 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		rule->states_cur = counter_u64_alloc(M_WAITOK);
 		rule->states_tot = counter_u64_alloc(M_WAITOK);
 		rule->src_nodes = counter_u64_alloc(M_WAITOK);
+#ifdef PF_USER_INFO
 		rule->cuid = td->td_ucred->cr_ruid;
+#endif
 		rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
 		TAILQ_INIT(&rule->rpool.list);
 
@@ -1194,7 +1196,6 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 			    V_ticket_pabuf));
 			ERROUT(EBUSY);
 		}
-
 		tail = TAILQ_LAST(ruleset->rules[rs_num].inactive.ptr,
 		    pf_rulequeue);
 		if (tail)
@@ -1273,8 +1274,29 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		}
 
 		rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
+#ifndef PF_USER_INFO
+		if (rule->cuid) {
+			tail = TAILQ_FIRST(ruleset->rules[rs_num].active.ptr);
+			while ((tail != NULL) && (tail->cuid != rule->cuid))
+				tail = TAILQ_NEXT(tail, entries);
+			if (tail != NULL) {
+				rule->evaluations = tail->evaluations;
+				rule->packets[0] = tail->packets[0];
+				rule->packets[1] = tail->packets[1];
+				rule->bytes[0] = tail->bytes[0];
+				rule->bytes[1] = tail->bytes[1];
+			} else {
+				rule->evaluations = rule->packets[0] = rule->packets[1] =
+				    rule->bytes[0] = rule->bytes[1] = 0;
+			}
+		} else {
+			rule->evaluations = rule->packets[0] = rule->packets[1] =
+			    rule->bytes[0] = rule->bytes[1] = 0;
+		}
+#else
 		rule->evaluations = rule->packets[0] = rule->packets[1] =
 		    rule->bytes[0] = rule->bytes[1] = 0;
+#endif
 		TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
 		    rule, entries);
 		ruleset->rules[rs_num].inactive.rcount++;
@@ -1424,7 +1446,9 @@ DIOCADDRULE_error:
 			newrule->states_cur = counter_u64_alloc(M_WAITOK);
 			newrule->states_tot = counter_u64_alloc(M_WAITOK);
 			newrule->src_nodes = counter_u64_alloc(M_WAITOK);
+#ifdef PF_USER_INFO
 			newrule->cuid = td->td_ucred->cr_ruid;
+#endif
 			newrule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
 			TAILQ_INIT(&newrule->rpool.list);
 		}