NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm! trunk
authorrmind <rmind@NetBSD.org>
Thu, 19 Sep 2013 01:49:07 +0000
branchtrunk
changeset 221211 00ce35cabce2
parent 221210 4cff8ccc954f
child 221212 2ac81e770115
NPF: G/C n-code in favour of BPF byte-code. Delete lots of code, mmm!
distrib/sets/lists/comp/mi
lib/libnpf/npf.c
lib/libnpf/npf.h
sys/modules/npf/Makefile
sys/net/npf/Makefile
sys/net/npf/files.npf
sys/net/npf/npf_ctl.c
sys/net/npf/npf_impl.h
sys/net/npf/npf_instr.c
sys/net/npf/npf_ncode.h
sys/net/npf/npf_processor.c
sys/net/npf/npf_ruleset.c
sys/rump/net/lib/libnpf/Makefile
usr.sbin/npf/npfctl/npf_disassemble.c
usr.sbin/npf/npfctl/npf_ncgen.c
usr.sbin/npf/npfctl/npfctl.h
usr.sbin/npf/npftest/libnpftest/Makefile
usr.sbin/npf/npftest/libnpftest/npf_processor_test.c
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
usr.sbin/npf/npftest/libnpftest/npf_test.h
usr.sbin/npf/npftest/npftest.c
usr.sbin/npf/npftest/npftest.h
--- a/distrib/sets/lists/comp/mi	Thu Sep 19 01:04:45 2013 +0000
+++ b/distrib/sets/lists/comp/mi	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: mi,v 1.1836 2013/09/10 16:51:24 pooka Exp $
+#	$NetBSD: mi,v 1.1837 2013/09/19 01:49:07 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -1980,7 +1980,7 @@
 ./usr/include/net/net_stats.h			comp-c-include
 ./usr/include/net/netisr.h			comp-c-include
 ./usr/include/net/npf.h				comp-c-include
-./usr/include/net/npf_ncode.h			comp-c-include
+./usr/include/net/npf_ncode.h			comp-obsolete		obsolete
 ./usr/include/net/pfil.h			comp-c-include
 ./usr/include/net/pfkeyv2.h			comp-c-include
 ./usr/include/net/pfvar.h			comp-c-include
--- a/lib/libnpf/npf.c	Thu Sep 19 01:04:45 2013 +0000
+++ b/lib/libnpf/npf.c	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.20 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf.c,v 1.21 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.20 2013/09/19 01:04:46 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.21 2013/09/19 01:49:07 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -661,53 +661,6 @@
 	return rpname;
 }
 
-#if 1
-static int
-_npf_rule_foreach1(prop_array_t rules, nl_rule_callback_t func)
-{
-	prop_dictionary_t rldict;
-	prop_object_iterator_t it;
-	unsigned reduce[16], n;
-	unsigned nlevel;
-
-	if (!rules || prop_object_type(rules) != PROP_TYPE_ARRAY) {
-		return ENOENT;
-	}
-	it = prop_array_iterator(rules);
-	if (it == NULL) {
-		return ENOMEM;
-	}
-
-	nlevel = 0;
-	reduce[nlevel] = 0;
-	n = 0;
-
-	while ((rldict = prop_object_iterator_next(it)) != NULL) {
-		nl_rule_t nrl = { .nrl_dict = rldict };
-		uint32_t skipto = 0;
-
-		prop_dictionary_get_uint32(rldict, "skip-to", &skipto);
-		(*func)(&nrl, nlevel);
-		if (skipto) {
-			nlevel++;
-			reduce[nlevel] = skipto;
-		}
-		if (reduce[nlevel] == ++n) {
-			assert(nlevel > 0);
-			nlevel--;
-		}
-	}
-	prop_object_iterator_release(it);
-	return 0;
-}
-
-int
-_npf_rule_foreach(nl_config_t *ncf, nl_rule_callback_t func)
-{
-	return _npf_rule_foreach1(ncf->ncf_rules_list, func);
-}
-#endif
-
 int
 _npf_ruleset_list(int fd, const char *rname, nl_config_t *ncf)
 {
@@ -734,31 +687,6 @@
 	return error;
 }
 
-#if 1
-pri_t
-_npf_rule_getinfo(nl_rule_t *nrl, const char **rname, uint32_t *attr,
-    u_int *if_idx)
-{
-	prop_dictionary_t rldict = nrl->nrl_dict;
-	pri_t prio;
-
-	prop_dictionary_get_cstring_nocopy(rldict, "name", rname);
-	prop_dictionary_get_uint32(rldict, "attributes", attr);
-	prop_dictionary_get_int32(rldict, "priority", &prio);
-	prop_dictionary_get_uint32(rldict, "interface", if_idx);
-	return prio;
-}
-
-const void *
-_npf_rule_ncode(nl_rule_t *nrl, size_t *size)
-{
-	prop_dictionary_t rldict = nrl->nrl_dict;
-	prop_object_t obj = prop_dictionary_get(rldict, "code");
-	*size = prop_data_size(obj);
-	return prop_data_data_nocopy(obj);
-}
-#endif
-
 void
 npf_rule_destroy(nl_rule_t *rl)
 {
@@ -959,30 +887,6 @@
 	prop_dictionary_get_uint16(rldict, "translation-port", port);
 }
 
-#if 1
-int
-_npf_nat_foreach(nl_config_t *ncf, nl_rule_callback_t func)
-{
-	return _npf_rule_foreach1(ncf->ncf_nat_list, func);
-}
-
-void
-_npf_nat_getinfo(nl_nat_t *nt, int *type, u_int *flags, npf_addr_t *addr,
-    size_t *alen, in_port_t *port)
-{
-	prop_dictionary_t rldict = nt->nrl_dict;
-
-	prop_dictionary_get_int32(rldict, "type", type);
-	prop_dictionary_get_uint32(rldict, "flags", flags);
-
-	prop_object_t obj = prop_dictionary_get(rldict, "translation-ip");
-	*alen = prop_data_size(obj);
-	memcpy(addr, prop_data_data_nocopy(obj), *alen);
-
-	prop_dictionary_get_uint16(rldict, "translation-port", port);
-}
-#endif
-
 /*
  * TABLE INTERFACE.
  */
@@ -1133,26 +1037,6 @@
 	free(tl);
 }
 
-#if 1
-void
-_npf_table_foreach(nl_config_t *ncf, nl_table_callback_t func)
-{
-	prop_dictionary_t tldict;
-	prop_object_iterator_t it;
-
-	it = prop_array_iterator(ncf->ncf_table_list);
-	while ((tldict = prop_object_iterator_next(it)) != NULL) {
-		u_int id;
-		int type;
-
-		prop_dictionary_get_uint32(tldict, "id", &id);
-		prop_dictionary_get_int32(tldict, "type", &type);
-		(*func)(id, type);
-	}
-	prop_object_iterator_release(it);
-}
-#endif
-
 /*
  * ALG INTERFACE.
  */
--- a/lib/libnpf/npf.h	Thu Sep 19 01:04:45 2013 +0000
+++ b/lib/libnpf/npf.h	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.17 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.18 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -142,16 +142,6 @@
 void		_npf_config_error(nl_config_t *, nl_error_t *);
 void		_npf_config_setsubmit(nl_config_t *, const char *);
 int		_npf_ruleset_list(int, const char *, nl_config_t *);
-#if 1
-int		_npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
-pri_t		_npf_rule_getinfo(nl_rule_t *, const char **, uint32_t *,
-		    u_int *);
-const void *	_npf_rule_ncode(nl_rule_t *, size_t *);
-int		_npf_nat_foreach(nl_config_t *, nl_rule_callback_t);
-void		_npf_nat_getinfo(nl_nat_t *, int *, u_int *, npf_addr_t *,
-		    size_t *, in_port_t *);
-void		_npf_table_foreach(nl_config_t *, nl_table_callback_t);
-#endif
 void		_npf_debug_addif(nl_config_t *, struct ifaddrs *, u_int);
 
 /* The ALG interface is experimental */
--- a/sys/modules/npf/Makefile	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/modules/npf/Makefile	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,7 @@
-# $NetBSD: Makefile,v 1.14 2013/09/19 01:04:46 rmind Exp $
+# $NetBSD: Makefile,v 1.15 2013/09/19 01:49:07 rmind Exp $
+#
+# Public Domain.
+#
 
 .include "../Makefile.inc"
 
@@ -6,10 +9,9 @@
 
 KMOD=		npf
 
-SRCS=		npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
-SRCS+=		npf_bpf.c npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
-SRCS+=		npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
-SRCS+=		npf_session.c npf_state.c npf_state_tcp.c
+SRCS=		npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c npf_bpf.c
+SRCS+=		npf_inet.c npf_mbuf.c npf_nat.c npf_ruleset.c npf_rproc.c
+SRCS+=		npf_sendpkt.c npf_session.c npf_state.c npf_state_tcp.c
 SRCS+=		npf_tableset.c npf_tableset_ptree.c npf_worker.c
 
 CPPFLAGS+=	-DINET6
--- a/sys/net/npf/Makefile	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/net/npf/Makefile	Thu Sep 19 01:49:07 2013 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.1 2010/08/22 18:56:22 rmind Exp $
+# $NetBSD: Makefile,v 1.2 2013/09/19 01:49:07 rmind Exp $
 #
 # Public Domain.
 #
 
 INCSDIR=	/usr/include/net
-INCS=		npf.h npf_ncode.h
+INCS=		npf.h
 
 .include <bsd.kinc.mk>
--- a/sys/net/npf/files.npf	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/net/npf/files.npf	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.npf,v 1.14 2013/09/19 01:04:46 rmind Exp $
+# $NetBSD: files.npf,v 1.15 2013/09/19 01:49:07 rmind Exp $
 #
 # Public Domain.
 #
@@ -14,9 +14,7 @@
 file	net/npf/npf_conf.c			npf
 file	net/npf/npf_ctl.c			npf
 file	net/npf/npf_handler.c			npf
-file	net/npf/npf_instr.c			npf
 file	net/npf/npf_mbuf.c			npf
-file	net/npf/npf_processor.c			npf
 file	net/npf/npf_bpf.c			npf
 file	net/npf/npf_ruleset.c			npf
 file	net/npf/npf_rproc.c			npf
--- a/sys/net/npf/npf_ctl.c	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/net/npf/npf_ctl.c	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.28 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.28 2013/09/19 01:04:46 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.29 2013/09/19 01:49:07 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -46,7 +46,6 @@
 
 #include <prop/proplib.h>
 
-#include "npf_ncode.h"
 #include "npf_impl.h"
 
 #if defined(DEBUG) || defined(DIAGNOSTIC)
@@ -250,37 +249,21 @@
     prop_dictionary_t errdict)
 {
 	const void *cptr;
-	int cerr, errat;
 	size_t clen;
 	void *bc;
 
+	if (type != NPF_CODE_BPF) {
+		return ENOTSUP;
+	}
 	cptr = prop_data_data_nocopy(obj);
 	if (cptr == NULL || (clen = prop_data_size(obj)) == 0) {
 		NPF_ERR_DEBUG(errdict);
 		return EINVAL;
 	}
-
-	switch (type) {
-	case NPF_CODE_NC:
-		if (clen > NPF_NCODE_LIMIT) {
-			NPF_ERR_DEBUG(errdict);
-			return ERANGE;
-		}
-		if ((cerr = npf_ncode_validate(cptr, clen, &errat)) != 0) {
-			prop_dictionary_set_int32(errdict, "code-error", cerr);
-			prop_dictionary_set_int32(errdict, "code-errat", errat);
-			return EINVAL;
-		}
-		break;
-	case NPF_CODE_BPF:
-		if (!npf_bpf_validate(cptr, clen)) {
-			return EINVAL;
-		}
-		break;
-	default:
-		return ENOTSUP;
+	if (!npf_bpf_validate(cptr, clen)) {
+		NPF_ERR_DEBUG(errdict);
+		return EINVAL;
 	}
-
 	bc = kmem_alloc(clen, KM_SLEEP);
 	memcpy(bc, cptr, clen);
 
--- a/sys/net/npf/npf_impl.h	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/net/npf/npf_impl.h	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.32 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.33 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -59,7 +59,6 @@
 #include <net/if.h>
 
 #include "npf.h"
-#include "npf_ncode.h"
 
 #ifdef _NPF_DEBUG
 #define	NPF_PRINTF(x)	printf x
@@ -101,7 +100,6 @@
 typedef npf_session_t *(*npf_alg_sfunc_t)(npf_cache_t *, nbuf_t *, int);
 typedef void (*npf_workfunc_t)(void);
 
-#define	NPF_NCODE_LIMIT		1024
 #define	NPF_TABLE_SLOTS		32
 
 /*
@@ -203,18 +201,6 @@
 		    const void *, bpfjit_function_t);
 bool		npf_bpf_validate(const void *, size_t);
 
-/* Complex instructions. */
-int		npf_match_ether(nbuf_t *, int, uint16_t, uint32_t *);
-int		npf_match_proto(const npf_cache_t *, uint32_t);
-int		npf_match_table(const npf_cache_t *, int, u_int);
-int		npf_match_ipmask(const npf_cache_t *, int,
-		    const npf_addr_t *, npf_netmask_t);
-int		npf_match_tcp_ports(const npf_cache_t *, int, uint32_t);
-int		npf_match_udp_ports(const npf_cache_t *, int, uint32_t);
-int		npf_match_icmp4(const npf_cache_t *, uint32_t);
-int		npf_match_icmp6(const npf_cache_t *, uint32_t);
-int		npf_match_tcpfl(const npf_cache_t *, uint32_t);
-
 /* Tableset interface. */
 void		npf_tableset_sysinit(void);
 void		npf_tableset_sysfini(void);
@@ -352,7 +338,6 @@
 
 /* Debugging routines. */
 void		npf_addr_dump(const npf_addr_t *);
-void		npf_rulenc_dump(const npf_rule_t *);
 void		npf_sessions_dump(void);
 void		npf_state_dump(const npf_state_t *);
 void		npf_nat_dump(const npf_nat_t *);
--- a/sys/net/npf/npf_instr.c	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,238 +0,0 @@
-/*	$NetBSD: npf_instr.c,v 1.16 2013/02/09 03:35:32 rmind Exp $	*/
-
-/*-
- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This material is based upon work partially supported by The
- * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * NPF complex instructions.
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.16 2013/02/09 03:35:32 rmind Exp $");
-
-#include <sys/param.h>
-#include <sys/types.h>
-
-#include <net/if.h>
-#include <net/ethertypes.h>
-#include <net/if_ether.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-
-#include "npf_impl.h"
-
-#define	NPF_PORTRANGE_MATCH(r, p)	(p >= (r >> 16) && p <= (r & 0xffff))
-
-/*
- * npf_match_ether: find and check Ethernet with possible VLAN headers.
- *
- * => Stores value in the register for advancing to layer 3 header.
- * => Returns zero on success or -1 on failure.
- */
-int
-npf_match_ether(nbuf_t *nbuf, int sd, uint16_t ethertype, uint32_t *r)
-{
-	const u_int off = nbuf_offset(nbuf);
-	bool vlan = false;
-	void *nptr;
-	u_int offby;
-	uint16_t val16;
-
-	/* Ethernet header: check EtherType. */
-	offby = offsetof(struct ether_header, ether_type);
-	*r = 0;
-again:
-	if ((nptr = nbuf_advance(nbuf, offby, sizeof(uint16_t))) == NULL) {
-		return -1;
-	}
-	memcpy(&val16, nptr, sizeof(val16));
-	*r += offby;
-
-	/* Handle VLAN tags. */
-	if (val16 == ETHERTYPE_VLAN && !vlan) {
-		offby = sizeof(uint32_t);
-		vlan = true;
-		goto again;
-	}
-
-	/* Restore the offset. */
-	nbuf_reset(nbuf);
-	nbuf_advance(nbuf, off, 0);
-
-	if (val16 != ETHERTYPE_IP) {
-		return -1;
-	}
-	*r += ETHER_TYPE_LEN;
-	return 0;
-}
-
-/*
- * npf_match_proto: match IP address length and/or layer 4 protocol.
- */
-int
-npf_match_proto(const npf_cache_t *npc, uint32_t ap)
-{
-	const int alen = (ap >> 8) & 0xff;
-	const int proto = ap & 0xff;
-
-	KASSERT(npf_iscached(npc, NPC_IP46));
-	if (alen && npc->npc_alen != alen) {
-		return -1;
-	}
-	return (proto != 0xff && npc->npc_proto != proto) ? -1 : 0;
-}
-
-/*
- * npf_match_table: match IP address against NPF table.
- */
-int
-npf_match_table(const npf_cache_t *npc, int sd, u_int tid)
-{
-	npf_tableset_t *tblset = npf_config_tableset();
-	const npf_addr_t *addr = sd ? npc->npc_srcip : npc->npc_dstip;
-	const int alen = npc->npc_alen;
-
-	KASSERT(npf_iscached(npc, NPC_IP46));
-
-	/* Match address against NPF table. */
-	return npf_table_lookup(tblset, tid, alen, addr) ? -1 : 0;
-}
-
-/*
- * npf_match_ipmask: match an address against netaddr/mask.
- */
-int
-npf_match_ipmask(const npf_cache_t *npc, int szsd,
-    const npf_addr_t *maddr, npf_netmask_t mask)
-{
-	const int alen = szsd >> 1;
-	const npf_addr_t *addr;
-
-	KASSERT(npf_iscached(npc, NPC_IP46));
-	if (npc->npc_alen != alen) {
-		return -1;
-	}
-	addr = (szsd & 0x1) ? npc->npc_srcip : npc->npc_dstip;
-	return npf_addr_cmp(maddr, NPF_NO_NETMASK, addr, mask, alen) ? -1 : 0;
-}
-
-/*
- * npf_match_tcp_ports: match TCP port in header against the range.
- */
-int
-npf_match_tcp_ports(const npf_cache_t *npc, int sd, uint32_t prange)
-{
-	const struct tcphdr *th = npc->npc_l4.tcp;
-	const in_port_t p = sd ? th->th_sport : th->th_dport;
-
-	KASSERT(npf_iscached(npc, NPC_TCP));
-
-	/* Match against the port range. */
-	return NPF_PORTRANGE_MATCH(prange, p) ? 0 : -1;
-}
-
-/*
- * npf_match_udp_ports: match UDP port in header against the range.
- */
-int
-npf_match_udp_ports(const npf_cache_t *npc, int sd, uint32_t prange)
-{
-	const struct udphdr *uh = npc->npc_l4.udp;
-	const in_port_t p = sd ? uh->uh_sport : uh->uh_dport;
-
-	KASSERT(npf_iscached(npc, NPC_UDP));
-
-	/* Match against the port range. */
-	return NPF_PORTRANGE_MATCH(prange, p) ? 0 : -1;
-}
-
-/*
- * npf_match_icmp4: match ICMPv4 packet.
- */
-int
-npf_match_icmp4(const npf_cache_t *npc, uint32_t tc)
-{
-	const struct icmp *ic = npc->npc_l4.icmp;
-
-	KASSERT(npf_iscached(npc, NPC_ICMP));
-
-	/* Match code/type, if required. */
-	if ((1 << 31) & tc) {
-		const uint8_t type = (tc >> 8) & 0xff;
-		if (type != ic->icmp_type) {
-			return -1;
-		}
-	}
-	if ((1 << 30) & tc) {
-		const uint8_t code = tc & 0xff;
-		if (code != ic->icmp_code) {
-			return -1;
-		}
-	}
-	return 0;
-}
-
-/*
- * npf_match_icmp6: match ICMPv6 packet.
- */
-int
-npf_match_icmp6(const npf_cache_t *npc, uint32_t tc)
-{
-	const struct icmp6_hdr *ic6 = npc->npc_l4.icmp6;
-
-	KASSERT(npf_iscached(npc, NPC_ICMP));
-
-	/* Match code/type, if required. */
-	if ((1 << 31) & tc) {
-		const uint8_t type = (tc >> 8) & 0xff;
-		if (type != ic6->icmp6_type) {
-			return -1;
-		}
-	}
-	if ((1 << 30) & tc) {
-		const uint8_t code = tc & 0xff;
-		if (code != ic6->icmp6_code) {
-			return -1;
-		}
-	}
-	return 0;
-}
-
-/*
- * npf_match_tcpfl: match TCP flags.
- */
-int
-npf_match_tcpfl(const npf_cache_t *npc, uint32_t fl)
-{
-	const uint8_t tcpfl = (fl >> 8) & 0xff, mask = fl & 0xff;
-	const struct tcphdr *th = npc->npc_l4.tcp;
-
-	KASSERT(npf_iscached(npc, NPC_TCP));
-	return (th->th_flags & mask) == tcpfl ? 0 : -1;
-}
--- a/sys/net/npf/npf_ncode.h	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,370 +0,0 @@
-/*	$NetBSD: npf_ncode.h,v 1.11 2013/02/09 03:35:32 rmind Exp $	*/
-
-/*-
- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This material is based upon work partially supported by The
- * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * NPF n-code interface.
- *
- * WARNING: Backwards compatibilty is not _yet_ maintained and instructions
- * or their codes may (or may not) change.  Expect ABI breakage.
- */
-
-#ifndef _NPF_NCODE_H_
-#define _NPF_NCODE_H_
-
-#include "npf.h"
-
-#if defined(_KERNEL)
-/*
- * N-code processing, validation & building.
- */
-int	npf_ncode_process(npf_cache_t *, const void *, nbuf_t *, const int);
-int	npf_ncode_validate(const void *, size_t, int *);
-#endif
-
-/* Error codes. */
-#define	NPF_ERR_OPCODE		-1	/* Invalid instruction. */
-#define	NPF_ERR_JUMP		-2	/* Invalid jump (e.g. out of range). */
-#define	NPF_ERR_REG		-3	/* Invalid register. */
-#define	NPF_ERR_INVAL		-4	/* Invalid argument value. */
-#define	NPF_ERR_RANGE		-5	/* Processing out of range. */
-
-/* Number of registers: [0..N] */
-#define	NPF_NREGS		4
-
-/* Maximum loop count. */
-#define	NPF_LOOP_LIMIT		100
-
-/* Shift to check if CISC-like instruction. */
-#define	NPF_CISC_SHIFT		7
-#define	NPF_CISC_OPCODE(insn)	(insn >> NPF_CISC_SHIFT)
-
-/*
- * RISC-like n-code instructions.
- */
-
-/* Return, advance, jump, tag and invalidate instructions. */
-#define	NPF_OPCODE_RET			0x00
-#define	NPF_OPCODE_ADVR			0x01
-#define	NPF_OPCODE_J			0x02
-#define	NPF_OPCODE_INVL			0x03
-#define	NPF_OPCODE_TAG			0x04
-
-/* Set and load instructions. */
-#define	NPF_OPCODE_MOVE			0x10
-#define	NPF_OPCODE_LW			0x11
-
-/* Compare and jump instructions. */
-#define	NPF_OPCODE_CMP			0x21
-#define	NPF_OPCODE_CMPR			0x22
-#define	NPF_OPCODE_BEQ			0x23
-#define	NPF_OPCODE_BNE			0x24
-#define	NPF_OPCODE_BGT			0x25
-#define	NPF_OPCODE_BLT			0x26
-
-/* Arithmetic instructions. */
-#define	NPF_OPCODE_ADD			0x30
-#define	NPF_OPCODE_SUB			0x31
-#define	NPF_OPCODE_MULT			0x32
-#define	NPF_OPCODE_DIV			0x33
-
-/* Bitwise instructions. */
-#define	NPF_OPCODE_NOT			0x40
-#define	NPF_OPCODE_AND			0x41
-#define	NPF_OPCODE_OR			0x42
-#define	NPF_OPCODE_XOR			0x43
-#define	NPF_OPCODE_SLL			0x44
-#define	NPF_OPCODE_SRL			0x45
-
-/*
- * CISC-like n-code instructions.
- */
-
-#define	NPF_OPCODE_ETHER		0x80
-#define	NPF_OPCODE_PROTO		0x81
-
-#define	NPF_OPCODE_IP4MASK		0x90
-#define	NPF_OPCODE_TABLE		0x91
-#define	NPF_OPCODE_ICMP4		0x92
-#define	NPF_OPCODE_IP6MASK		0x93
-#define	NPF_OPCODE_ICMP6		0x94
-
-#define	NPF_OPCODE_TCP_PORTS		0xa0
-#define	NPF_OPCODE_UDP_PORTS		0xa1
-#define	NPF_OPCODE_TCP_FLAGS		0xa2
-
-#ifdef NPF_OPCODES_STRINGS
-
-# define	NPF_OPERAND_NONE		0
-# define	NPF_OPERAND_REGISTER		1
-# define	NPF_OPERAND_KEY			2
-# define	NPF_OPERAND_VALUE		3
-# define	NPF_OPERAND_SD			4
-# define		NPF_OPERAND_SD_SRC		1
-# define		NPF_OPERAND_SD_DST		0
-# define	NPF_OPERAND_REL_ADDRESS		5
-# define	NPF_OPERAND_NET_ADDRESS4	6
-# define	NPF_OPERAND_NET_ADDRESS6	7
-# define	NPF_OPERAND_ETHER_TYPE		8
-# define	NPF_OPERAND_SUBNET		9
-# define	NPF_OPERAND_LENGTH		10
-# define	NPF_OPERAND_TABLE_ID		11
-# define	NPF_OPERAND_ICMP_TYPE_CODE	12
-# define	NPF_OPERAND_TCP_FLAGS_MASK	13
-# define	NPF_OPERAND_PORT_RANGE		14
-# define	NPF_OPERAND_PROTO		15
-
-static const struct npf_instruction {
-	const char *	name;
-	uint8_t		op[4];
-} npf_instructions[] = {
-	[NPF_OPCODE_RET] = {
-		.name = "ret",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-		},
-	},
-	[NPF_OPCODE_ADVR] = {
-		.name = "advr",
-		.op = {
-			[0] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_J] = {
-		.name = "j",
-		.op = {
-			[0] = NPF_OPERAND_REL_ADDRESS,
-		},
-	},
-	[NPF_OPCODE_INVL] = {
-		.name = "invl",
-	},
-	[NPF_OPCODE_TAG] = {
-		.name = "tag",
-		.op = {
-			[0] = NPF_OPERAND_KEY,
-			[1] = NPF_OPERAND_VALUE,
-		},
-	},
-	[NPF_OPCODE_MOVE] = {
-		.name = "move",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_LW] = {
-		.name = "lw",
-		.op = {
-			[0] = NPF_OPERAND_LENGTH,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_CMP] = {
-		.name = "cmp",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_CMPR] = {
-		.name = "cmpr",
-		.op = {
-			[0] = NPF_OPERAND_REGISTER,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_BEQ] = {
-		.name = "beq",
-		.op = {
-			[0] = NPF_OPERAND_REL_ADDRESS,
-		},
-	},
-	[NPF_OPCODE_BNE] = {
-		.name = "bne",
-		.op = {
-			[0] = NPF_OPERAND_REL_ADDRESS,
-		},
-	},
-	[NPF_OPCODE_BGT] = {
-		.name = "bge",
-		.op = {
-			[0] = NPF_OPERAND_REL_ADDRESS,
-		},
-	},
-	[NPF_OPCODE_BLT] = {
-		.name = "blt",
-		.op = {
-			[0] = NPF_OPERAND_REL_ADDRESS,
-		},
-	},
-	[NPF_OPCODE_ADD] = {
-		.name = "add",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_SUB] = {
-		.name = "sub",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_MULT] = {
-		.name = "mult",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_DIV] = {
-		.name = "div",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_NOT] = {
-		.name = "not",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_AND] = {
-		.name = "and",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_OR] = {
-		.name = "or",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_XOR] = {
-		.name = "xor",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_SLL] = {
-		.name = "sll",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_SRL] = {
-		.name = "srl",
-		.op = {
-			[0] = NPF_OPERAND_VALUE,
-			[1] = NPF_OPERAND_REGISTER,
-		},
-	},
-	[NPF_OPCODE_ETHER] = {
-		.name = "ether",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_NET_ADDRESS4,
-			[2] = NPF_OPERAND_ETHER_TYPE,
-		},
-	},
-	[NPF_OPCODE_PROTO] = {
-		.name = "proto",
-		.op = {
-			[0] = NPF_OPERAND_PROTO,
-		},
-	},
-	[NPF_OPCODE_IP4MASK] = {
-		.name = "ip4mask",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_NET_ADDRESS4,
-			[2] = NPF_OPERAND_SUBNET,
-		},
-	},
-	[NPF_OPCODE_TABLE] = {
-		.name = "table",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_TABLE_ID,
-		},
-	},
-	[NPF_OPCODE_ICMP4] = {
-		.name = "icmp4",
-		.op = {
-			[0] = NPF_OPERAND_ICMP_TYPE_CODE,
-		},
-	},
-	[NPF_OPCODE_ICMP6] = {
-		.name = "icmp6",
-		.op = {
-			[0] = NPF_OPERAND_ICMP_TYPE_CODE,
-		},
-	},
-	[NPF_OPCODE_IP6MASK] = {
-		.name = "ip6mask",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_NET_ADDRESS6,
-			[2] = NPF_OPERAND_SUBNET,
-		},
-	},
-	[NPF_OPCODE_TCP_PORTS] = {
-		.name = "tcp_ports",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_PORT_RANGE,
-		},
-	},
-	[NPF_OPCODE_UDP_PORTS] = {
-		.name = "udp_ports",
-		.op = {
-			[0] = NPF_OPERAND_SD,
-			[1] = NPF_OPERAND_PORT_RANGE,
-		},
-	},
-	[NPF_OPCODE_TCP_FLAGS] = {
-		.name = "tcp_flags",
-		.op = {
-			[0] = NPF_OPERAND_TCP_FLAGS_MASK,
-		},
-	},
-};
-#endif /* NPF_OPCODES_STRINGS */
-
-#endif /* _NET_NPF_NCODE_H_ */
--- a/sys/net/npf/npf_processor.c	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,573 +0,0 @@
-/*	$NetBSD: npf_processor.c,v 1.15 2013/02/09 03:35:32 rmind Exp $	*/
-
-/*-
- * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This material is based upon work partially supported by The
- * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * NPF n-code processor.
- *	Inspired by the Berkeley Packet Filter.
- *
- * Few major design goals are:
- *
- * - Keep engine lightweight, well abstracted and simple.
- * - Avoid knowledge of internal network buffer structures (e.g. mbuf).
- * - Avoid knowledge of network protocols.
- *
- * There are two instruction sets: RISC-like and CISC-like.  The later are
- * instructions to cover most common filter cases, and reduce interpretation
- * overhead.  These instructions use protocol knowledge and are supposed to
- * be fully optimized.
- *
- * N-code memory address and thus instructions should be word aligned.
- * All processing is done in 32 bit words, since both instructions (their
- * codes) and arguments use 32 bits words.
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.15 2013/02/09 03:35:32 rmind Exp $");
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/kmem.h>
-
-#include "npf_impl.h"
-#include "npf_ncode.h"
-
-/*
- * nc_fetch_word: fetch a word (32 bits) from the n-code and increase
- * instruction pointer by one word.
- */
-static inline const void *
-nc_fetch_word(const void *iptr, uint32_t *a)
-{
-	const uint32_t *tptr = (const uint32_t *)iptr;
-
-	KASSERT(ALIGNED_POINTER(iptr, uint32_t));
-	*a = *tptr++;
-	return tptr;
-}
-
-/*
- * nc_fetch_double: fetch two words (2 x 32 bits) from the n-code and
- * increase instruction pointer by two words.
- */
-static inline const void *
-nc_fetch_double(const void *iptr, uint32_t *a, uint32_t *b)
-{
-	const uint32_t *tptr = (const uint32_t *)iptr;
-
-	KASSERT(ALIGNED_POINTER(iptr, uint32_t));
-	*a = *tptr++;
-	*b = *tptr++;
-	return tptr;
-}
-
-/*
- * nc_jump: helper function to jump to specified line (32 bit word)
- * in the n-code, fetch a word, and update the instruction pointer.
- */
-static inline const void *
-nc_jump(const void *iptr, int n, u_int *lcount)
-{
-
-	/* Detect infinite loops. */
-	if (__predict_false(*lcount == 0)) {
-		return NULL;
-	}
-	*lcount = *lcount - 1;
-	return (const uint32_t *)iptr + n;
-}
-
-/*
- * npf_ncode_process: process n-code using data of the specified packet.
- *
- * => Argument nbuf (network buffer) is opaque to this function.
- * => Chain of nbufs (and their data) should be protected from any change.
- * => N-code memory address and thus instructions should be aligned.
- * => N-code should be protected from any change.
- * => Routine prevents from infinite loop.
- */
-int
-npf_ncode_process(npf_cache_t *npc, const void *ncode,
-    nbuf_t *nbuf, const int layer)
-{
-	/* N-code instruction pointer. */
-	const void *	i_ptr;
-	/* Virtual registers. */
-	uint32_t	regs[NPF_NREGS];
-	/* Local, state variables. */
-	uint32_t d, i, n;
-	npf_addr_t addr;
-	u_int lcount;
-	int cmpval;
-
-	nbuf_reset(nbuf);
-	i_ptr = ncode;
-	regs[0] = layer;
-
-	lcount = NPF_LOOP_LIMIT;
-	cmpval = 0;
-
-process_next:
-	/*
-	 * Loop must always start on instruction, therefore first word
-	 * should be an opcode.  Most used instructions are checked first.
-	 */
-	i_ptr = nc_fetch_word(i_ptr, &d);
-	if (__predict_true(NPF_CISC_OPCODE(d))) {
-		/* It is a CISC-like instruction. */
-		goto cisc_like;
-	}
-
-	/*
-	 * RISC-like instructions.
-	 *
-	 * - ADVR, LW, CMP, CMPR
-	 * - BEQ, BNE, BGT, BLT
-	 * - RET, TAG, MOVE
-	 * - AND, J, INVL
-	 */
-	switch (d) {
-	case NPF_OPCODE_ADVR:
-		i_ptr = nc_fetch_word(i_ptr, &i);	/* Register */
-		KASSERT(i < NPF_NREGS);
-		if (!nbuf_advance(nbuf, regs[i], 0)) {
-			goto fail;
-		}
-		break;
-	case NPF_OPCODE_LW: {
-		void *n_ptr;
-
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Size, register */
-		KASSERT(i < NPF_NREGS);
-		KASSERT(n >= sizeof(uint8_t) && n <= sizeof(uint32_t));
-
-		n_ptr = nbuf_ensure_contig(nbuf, n);
-		if (nbuf_flag_p(nbuf, NBUF_DATAREF_RESET)) {
-			npf_recache(npc, nbuf);
-		}
-		if (n_ptr == NULL) {
-			goto fail;
-		}
-		memcpy(&regs[i], n_ptr, n);
-		break;
-	}
-	case NPF_OPCODE_CMP:
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Value, register */
-		KASSERT(i < NPF_NREGS);
-		if (n != regs[i]) {
-			cmpval = (n > regs[i]) ? 1 : -1;
-		} else {
-			cmpval = 0;
-		}
-		break;
-	case NPF_OPCODE_CMPR:
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Value, register */
-		KASSERT(i < NPF_NREGS);
-		if (regs[n] != regs[i]) {
-			cmpval = (regs[n] > regs[i]) ? 1 : -1;
-		} else {
-			cmpval = 0;
-		}
-		break;
-	case NPF_OPCODE_BEQ:
-		i_ptr = nc_fetch_word(i_ptr, &n);	/* N-code line */
-		if (cmpval == 0)
-			goto make_jump;
-		break;
-	case NPF_OPCODE_BNE:
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		if (cmpval != 0)
-			goto make_jump;
-		break;
-	case NPF_OPCODE_BGT:
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		if (cmpval > 0)
-			goto make_jump;
-		break;
-	case NPF_OPCODE_BLT:
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		if (cmpval < 0)
-			goto make_jump;
-		break;
-	case NPF_OPCODE_RET:
-		(void)nc_fetch_word(i_ptr, &n);		/* Return value */
-		return n;
-	case NPF_OPCODE_TAG:
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Key, value */
-		if (nbuf_add_tag(nbuf, n, i)) {
-			goto fail;
-		}
-		break;
-	case NPF_OPCODE_MOVE:
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Value, register */
-		KASSERT(i < NPF_NREGS);
-		regs[i] = n;
-		break;
-	case NPF_OPCODE_AND:
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);	/* Value, register */
-		KASSERT(i < NPF_NREGS);
-		regs[i] = n & regs[i];
-		break;
-	case NPF_OPCODE_J:
-		i_ptr = nc_fetch_word(i_ptr, &n);	/* N-code line */
-make_jump:
-		i_ptr = nc_jump(i_ptr, n - 2, &lcount);
-		if (__predict_false(i_ptr == NULL)) {
-			goto fail;
-		}
-		break;
-	case NPF_OPCODE_INVL:
-		/* Invalidate all cached data. */
-		npc->npc_info = 0;
-		break;
-	default:
-		/* Invalid instruction. */
-		KASSERT(false);
-	}
-	goto process_next;
-
-cisc_like:
-	/*
-	 * CISC-like instructions.
-	 */
-	switch (d) {
-	case NPF_OPCODE_IP4MASK:
-		/* Source/destination, network address, subnet. */
-		i_ptr = nc_fetch_word(i_ptr, &d);
-		i_ptr = nc_fetch_double(i_ptr, &addr.s6_addr32[0], &n);
-		cmpval = npf_iscached(npc, NPC_IP46) ? npf_match_ipmask(npc,
-		    (sizeof(struct in_addr) << 1) | (d & 0x1),
-		    &addr, (npf_netmask_t)n) : -1;
-		break;
-	case NPF_OPCODE_IP6MASK:
-		/* Source/destination, network address, subnet. */
-		i_ptr = nc_fetch_word(i_ptr, &d);
-		i_ptr = nc_fetch_double(i_ptr,
-		    &addr.s6_addr32[0], &addr.s6_addr32[1]);
-		i_ptr = nc_fetch_double(i_ptr,
-		    &addr.s6_addr32[2], &addr.s6_addr32[3]);
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_iscached(npc, NPC_IP46) ? npf_match_ipmask(npc,
-		    (sizeof(struct in6_addr) << 1) | (d & 0x1),
-		    &addr, (npf_netmask_t)n) : -1;
-		break;
-	case NPF_OPCODE_TABLE:
-		/* Source/destination, NPF table ID. */
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);
-		cmpval = npf_iscached(npc, NPC_IP46) ?
-		    npf_match_table(npc, n, i) : -1;
-		break;
-	case NPF_OPCODE_TCP_PORTS:
-		/* Source/destination, port range. */
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);
-		cmpval = npf_iscached(npc, NPC_TCP) ?
-		    npf_match_tcp_ports(npc, n, i) : -1;
-		break;
-	case NPF_OPCODE_UDP_PORTS:
-		/* Source/destination, port range. */
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);
-		cmpval = npf_iscached(npc, NPC_UDP) ?
-		    npf_match_udp_ports(npc, n, i) : -1;
-		break;
-	case NPF_OPCODE_TCP_FLAGS:
-		/* TCP flags/mask. */
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_iscached(npc, NPC_TCP) ?
-		    npf_match_tcpfl(npc, n) : -1;
-		break;
-	case NPF_OPCODE_ICMP4:
-		/* ICMP type/code. */
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_iscached(npc, NPC_ICMP) ?
-		    npf_match_icmp4(npc, n) : -1;
-		break;
-	case NPF_OPCODE_ICMP6:
-		/* ICMP type/code. */
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_iscached(npc, NPC_ICMP) ?
-		    npf_match_icmp6(npc, n) : -1;
-		break;
-	case NPF_OPCODE_PROTO:
-		i_ptr = nc_fetch_word(i_ptr, &n);
-		cmpval = npf_iscached(npc, NPC_IP46) ?
-		    npf_match_proto(npc, n) : -1;
-		break;
-	case NPF_OPCODE_ETHER:
-		/* Source/destination, reserved, ethernet type. */
-		i_ptr = nc_fetch_word(i_ptr, &d);
-		i_ptr = nc_fetch_double(i_ptr, &n, &i);
-		cmpval = npf_match_ether(nbuf, d, i, &regs[NPF_NREGS - 1]);
-		break;
-	default:
-		/* Invalid instruction. */
-		KASSERT(false);
-	}
-	goto process_next;
-fail:
-	/* Failure case. */
-	return -1;
-}
-
-/*
- * nc_ptr_check: validate that instruction pointer is not out of range.
- * If not - advance by number of arguments and fetch specified argument.
- */
-static int
-nc_ptr_check(uintptr_t *iptr, const void *nc, size_t sz,
-    u_int nargs, uint32_t *val, u_int r)
-{
-	const uint32_t *tptr = (const uint32_t *)*iptr;
-	u_int i;
-
-	KASSERT(ALIGNED_POINTER(*iptr, uint32_t));
-	KASSERT(nargs > 0);
-
-	if ((uintptr_t)tptr < (uintptr_t)nc)
-		return NPF_ERR_JUMP;
-
-	if ((uintptr_t)tptr + (nargs * sizeof(uint32_t)) > (uintptr_t)nc + sz)
-		return NPF_ERR_RANGE;
-
-	for (i = 1; i <= nargs; i++) {
-		if (val && i == r) {
-			*val = *tptr;
-		}
-		tptr++;
-	}
-	*iptr = (uintptr_t)tptr;
-	return 0;
-}
-
-/*
- * nc_insn_check: validate the instruction and its arguments.
- */
-static int
-nc_insn_check(const uintptr_t optr, const void *nc, size_t sz,
-    size_t *adv, size_t *jmp, bool *ret)
-{
-	uintptr_t iptr = optr;
-	uint32_t regidx, val;
-	int error;
-
-	/* Fetch the instruction code. */
-	error = nc_ptr_check(&iptr, nc, sz, 1, &val, 1);
-	if (error)
-		return error;
-
-	regidx = 0;
-	*ret = false;
-	*jmp = 0;
-
-	/*
-	 * RISC-like instructions.
-	 */
-	switch (val) {
-	case NPF_OPCODE_ADVR:
-		error = nc_ptr_check(&iptr, nc, sz, 1, &regidx, 1);
-		break;
-	case NPF_OPCODE_LW:
-		error = nc_ptr_check(&iptr, nc, sz, 1, &val, 1);
-		if (error || val < sizeof(uint8_t) || val > sizeof(uint32_t)) {
-			return error ? error : NPF_ERR_INVAL;
-		}
-		error = nc_ptr_check(&iptr, nc, sz, 1, &regidx, 1);
-		break;
-	case NPF_OPCODE_CMP:
-		error = nc_ptr_check(&iptr, nc, sz, 2, &regidx, 2);
-		break;
-	case NPF_OPCODE_BEQ:
-	case NPF_OPCODE_BNE:
-	case NPF_OPCODE_BGT:
-	case NPF_OPCODE_BLT:
-		error = nc_ptr_check(&iptr, nc, sz, 1, &val, 1);
-		/* Validate jump address. */
-		goto jmp_check;
-
-	case NPF_OPCODE_RET:
-		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
-		*ret = true;
-		break;
-	case NPF_OPCODE_TAG:
-		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
-		break;
-	case NPF_OPCODE_MOVE:
-		error = nc_ptr_check(&iptr, nc, sz, 2, &regidx, 2);
-		break;
-	case NPF_OPCODE_CMPR:
-		error = nc_ptr_check(&iptr, nc, sz, 1, &regidx, 1);
-		/* Handle first register explicitly. */
-		if (error || (u_int)regidx < NPF_NREGS) {
-			return error ? error : NPF_ERR_REG;
-		}
-		error = nc_ptr_check(&iptr, nc, sz, 1, &regidx, 1);
-		break;
-	case NPF_OPCODE_AND:
-		error = nc_ptr_check(&iptr, nc, sz, 2, &regidx, 2);
-		break;
-	case NPF_OPCODE_J:
-		error = nc_ptr_check(&iptr, nc, sz, 1, &val, 1);
-jmp_check:
-		/*
-		 * We must check for JMP 0 i.e. to oneself.  Pass the jump
-		 * address to the caller, it will validate if it is correct.
-		 */
-		if (error == 0 && val == 0) {
-			return NPF_ERR_JUMP;
-		}
-		*jmp = val * sizeof(uint32_t);
-		break;
-	case NPF_OPCODE_INVL:
-		break;
-	/*
-	 * CISC-like instructions.
-	 */
-	case NPF_OPCODE_IP4MASK:
-		error = nc_ptr_check(&iptr, nc, sz, 3, &val, 3);
-		if (error) {
-			return error;
-		}
-		if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
-			return NPF_ERR_INVAL;
-		}
-		break;
-	case NPF_OPCODE_IP6MASK:
-		error = nc_ptr_check(&iptr, nc, sz, 6, &val, 6);
-		if (error) {
-			return error;
-		}
-		if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
-			return NPF_ERR_INVAL;
-		}
-		break;
-	case NPF_OPCODE_TABLE:
-		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
-		break;
-	case NPF_OPCODE_TCP_PORTS:
-		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
-		break;
-	case NPF_OPCODE_UDP_PORTS:
-		error = nc_ptr_check(&iptr, nc, sz, 2, NULL, 0);
-		break;
-	case NPF_OPCODE_TCP_FLAGS:
-		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
-		break;
-	case NPF_OPCODE_ICMP4:
-	case NPF_OPCODE_ICMP6:
-		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
-		break;
-	case NPF_OPCODE_PROTO:
-		error = nc_ptr_check(&iptr, nc, sz, 1, NULL, 0);
-		break;
-	case NPF_OPCODE_ETHER:
-		error = nc_ptr_check(&iptr, nc, sz, 3, NULL, 0);
-		break;
-	default:
-		/* Invalid instruction. */
-		return NPF_ERR_OPCODE;
-	}
-	if (error) {
-		return error;
-	}
-	if ((u_int)regidx >= NPF_NREGS) {
-		/* Invalid register. */
-		return NPF_ERR_REG;
-	}
-	*adv = iptr - optr;
-	return 0;
-}
-
-/*
- * nc_jmp_check: validate that jump address points to the instruction.
- * Loop from the begining of n-code until we hit jump address or error.
- */
-static inline int
-nc_jmp_check(const void *nc, size_t sz, const uintptr_t jaddr)
-{
-	uintptr_t iaddr = (uintptr_t)nc;
-	int error;
-
-	KASSERT(iaddr != jaddr);
-	do {
-		size_t _jmp, adv;
-		bool _ret;
-
-		error = nc_insn_check(iaddr, nc, sz, &adv, &_jmp, &_ret);
-		if (error) {
-			break;
-		}
-		iaddr += adv;
-
-	} while (iaddr != jaddr);
-
-	return error;
-}
-
-/*
- * npf_ncode_validate: validate n-code.
- * Performs the following operations:
- *
- * - Checks that each instruction is valid (i.e. existing opcode).
- * - Validates registers i.e. that their indexes are correct.
- * - Checks that jumps are within n-code and to the instructions.
- * - Checks that n-code returns, and processing is within n-code memory.
- */
-int
-npf_ncode_validate(const void *nc, size_t sz, int *errat)
-{
-	const uintptr_t nc_end = (uintptr_t)nc + sz;
-	uintptr_t iptr = (uintptr_t)nc;
-	int error;
-	bool ret;
-
-	do {
-		size_t jmp, adv;
-
-		/* Validate instruction and its arguments. */
-		error = nc_insn_check(iptr, nc, sz, &adv, &jmp, &ret);
-		if (error)
-			break;
-
-		/* If jumping, check that address points to the instruction. */
-		if (jmp && nc_jmp_check(nc, sz, iptr + jmp)) {
-			/* Note: the actual error might be different. */
-			return NPF_ERR_JUMP;
-		}
-
-		/* Advance and check for the end of n-code memory block. */
-		iptr += adv;
-
-	} while (iptr != nc_end);
-
-	if (!error) {
-		error = ret ? 0 : NPF_ERR_RANGE;
-	}
-	*errat = (iptr - (uintptr_t)nc) / sizeof(uint32_t);
-	return error;
-}
--- a/sys/net/npf/npf_ruleset.c	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/net/npf/npf_ruleset.c	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.24 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.25 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.24 2013/09/19 01:04:46 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.25 2013/09/19 01:49:07 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -50,7 +50,6 @@
 #include <net/pfil.h>
 #include <net/if.h>
 
-#include "npf_ncode.h"
 #include "npf_impl.h"
 
 struct npf_ruleset {
@@ -498,7 +497,7 @@
 }
 
 /*
- * npf_rule_alloc: allocate a rule and copy n-code from user-space.
+ * npf_rule_alloc: allocate a rule and initialise it.
  */
 npf_rule_t *
 npf_rule_alloc(prop_dictionary_t rldict)
@@ -555,13 +554,13 @@
 void
 npf_rule_setcode(npf_rule_t *rl, const int type, void *code, size_t size)
 {
+	KASSERT(type == NPF_CODE_BPF);
 	rl->r_type = type;
 	rl->r_code = code;
 	rl->r_clen = size;
 #if 0
 	/* Perform BPF JIT if possible. */
-	if (type == NPF_CODE_BPF && (membar_consumer(),
-	    bpfjit_module_ops.bj_generate_code != NULL)) {
+	if (membar_consumer(), bpfjit_module_ops.bj_generate_code != NULL) {
 		KASSERT(rl->r_jcode == NULL);
 		rl->r_jcode = bpfjit_module_ops.bj_generate_code(code, size);
 		rl->r_code = NULL;
@@ -663,7 +662,6 @@
     const int di_mask, const int layer)
 {
 	const ifnet_t *ifp = nbuf->nb_ifp;
-	const void *code;
 
 	/* Match the interface. */
 	if (rl->r_ifid && rl->r_ifid != ifp->if_index) {
@@ -682,16 +680,8 @@
 		KASSERT(rl->r_code == NULL);
 		return true;
 	}
-
-	switch (rl->r_type) {
-	case NPF_CODE_BPF:
-		return npf_bpf_filter(npc, nbuf, rl->r_code, rl->r_jcode) != 0;
-	case NPF_CODE_NC:
-		return npf_ncode_process(npc, code, nbuf, layer) == 0;
-	default:
-		KASSERT(false);
-	}
-	return false;
+	KASSERT(rl->r_type == NPF_CODE_BPF);
+	return npf_bpf_filter(npc, nbuf, rl->r_code, rl->r_jcode) != 0;
 }
 
 /*
@@ -721,7 +711,7 @@
 /*
  * npf_ruleset_inspect: inspect the packet against the given ruleset.
  *
- * Loop through the rules in the set and run n-code processor of each rule
+ * Loop through the rules in the set and run the byte-code of each rule
  * against the packet (nbuf chain).  If sub-ruleset is found, inspect it.
  *
  * => Caller is responsible for nbuf chain protection.
@@ -797,21 +787,3 @@
 	*retfl = rl->r_attr;
 	return (rl->r_attr & NPF_RULE_PASS) ? 0 : ENETUNREACH;
 }
-
-#if defined(DDB) || defined(_NPF_TESTING)
-
-void
-npf_rulenc_dump(const npf_rule_t *rl)
-{
-	const uint32_t *op = rl->r_code;
-	size_t n = rl->r_clen;
-
-	while (n) {
-		printf("\t> |0x%02x|\n", (uint32_t)*op);
-		op++;
-		n -= sizeof(*op);
-	}
-	printf("-> %s\n", (rl->r_attr & NPF_RULE_PASS) ? "pass" : "block");
-}
-
-#endif
--- a/sys/rump/net/lib/libnpf/Makefile	Thu Sep 19 01:04:45 2013 +0000
+++ b/sys/rump/net/lib/libnpf/Makefile	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.7 2013/06/02 02:20:04 rmind Exp $
+#	$NetBSD: Makefile,v 1.8 2013/09/19 01:49:07 rmind Exp $
 #
 # Public Domain.
 #
@@ -7,10 +7,9 @@
 
 LIB=	rumpnet_npf
 
-SRCS=	npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c
-SRCS+=	npf_inet.c npf_instr.c npf_mbuf.c npf_nat.c
-SRCS+=	npf_processor.c npf_ruleset.c npf_rproc.c npf_sendpkt.c
-SRCS+=	npf_session.c npf_state.c npf_state_tcp.c
+SRCS=	npf.c npf_alg.c npf_conf.c npf_ctl.c npf_handler.c npf_bpf.c 
+SRCS+=	npf_inet.c npf_mbuf.c npf_nat.c npf_ruleset.c npf_rproc.c 
+SRCS+=	npf_sendpkt.c npf_session.c npf_state.c npf_state_tcp.c
 SRCS+=	npf_tableset.c npf_tableset_ptree.c npf_worker.c
 SRCS+=	if_npflog.c
 
--- a/usr.sbin/npf/npfctl/npf_disassemble.c	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,762 +0,0 @@
-/*	$NetBSD: npf_disassemble.c,v 1.18 2013/09/19 01:04:45 rmind Exp $	*/
-
-/*-
- * Copyright (c) 2012 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Christos Zoulas.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * NPF n-code disassembler.
- *
- * FIXME: config generation should be redesigned..
- */
-#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_disassemble.c,v 1.18 2013/09/19 01:04:45 rmind Exp $");
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <err.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-
-#define NPF_OPCODES_STRINGS
-#include <net/npf_ncode.h>
-
-#include "npfctl.h"
-
-enum {
-	NPF_SHOW_SRCADDR,
-	NPF_SHOW_DSTADDR,
-	NPF_SHOW_SRCPORT,
-	NPF_SHOW_DSTPORT,
-	NPF_SHOW_PROTO,
-	NPF_SHOW_FAMILY,
-	NPF_SHOW_ICMP,
-	NPF_SHOW_TCPF,
-	NPF_SHOW_COUNT,
-};
-
-struct nc_inf {
-	FILE *			ni_fp;
-	const uint32_t *	ni_buf;
-	size_t			ni_left;
-	const uint32_t *	ni_ipc;
-	const uint32_t *	ni_pc;
-
-	/* Jump target array, its size and current index. */
-	const uint32_t **	ni_targs;
-	size_t			ni_targsize;
-	size_t			ni_targidx;
-
-	/* Other meta-data. */
-	npfvar_t *		ni_vlist[NPF_SHOW_COUNT];
-	int			ni_proto;
-	bool			ni_srcdst;
-};
-
-static size_t
-npfctl_ncode_get_target(const nc_inf_t *ni, const uint32_t *pc)
-{
-	for (size_t i = 0; i < ni->ni_targidx; i++) {
-		if (ni->ni_targs[i] == pc)
-			return i;
-	}
-	return (size_t)-1;
-}
-
-static size_t
-npfctl_ncode_add_target(nc_inf_t *ni, const uint32_t *pc)
-{
-	size_t i = npfctl_ncode_get_target(ni, pc);
-
-	/* If found, just return the index. */
-	if (i != (size_t)-1) {
-		return i;
-	}
-
-	/* Grow array, if needed, and add a new target. */
-	if (ni->ni_targidx == ni->ni_targsize) {
-		ni->ni_targsize += 16;
-		ni->ni_targs = erealloc(ni->ni_targs,
-		    ni->ni_targsize * sizeof(uint32_t));
-	}
-	assert(ni->ni_targidx < ni->ni_targsize);
-	i = ni->ni_targidx++;
-	ni->ni_targs[i] = pc;
-	return i;
-}
-
-static void
-npfctl_ncode_add_vp(nc_inf_t *ni, char *buf, unsigned idx)
-{
-	npfvar_t *vl = ni->ni_vlist[idx];
-
-	if (vl == NULL) {
-		vl = npfvar_create(".list");
-		ni->ni_vlist[idx] = vl;
-	}
-	npfvar_t *vp = npfvar_create(".string");
-	npfvar_add_element(vp, NPFVAR_STRING, buf, strlen(buf) + 1);
-	npfvar_add_elements(vl, vp);
-}
-
-static void
-npf_tcpflags2str(char *buf, unsigned tfl)
-{
-	int i = 0;
-
-	if (tfl & TH_FIN)	buf[i++] = 'F';
-	if (tfl & TH_SYN)	buf[i++] = 'S';
-	if (tfl & TH_RST)	buf[i++] = 'R';
-	if (tfl & TH_PUSH)	buf[i++] = 'P';
-	if (tfl & TH_ACK)	buf[i++] = 'A';
-	if (tfl & TH_URG)	buf[i++] = 'U';
-	if (tfl & TH_ECE)	buf[i++] = 'E';
-	if (tfl & TH_CWR)	buf[i++] = 'C';
-	buf[i] = '\0';
-}
-
-static const char *
-npfctl_ncode_operand(nc_inf_t *ni, char *buf, size_t bufsiz, uint8_t operand)
-{
-	const uint32_t op = *ni->ni_pc;
-	struct sockaddr_storage ss;
-	unsigned advance;
-
-	/* Advance by one is a default for most cases. */
-	advance = 1;
-
-	switch (operand) {
-	case NPF_OPERAND_NONE:
-		abort();
-
-	case NPF_OPERAND_REGISTER:
-		if (op & ~0x3) {
-			warnx("invalid register operand 0x%x at offset %td",
-			    op, ni->ni_pc - ni->ni_buf);
-			return NULL;
-		}
-		snprintf(buf, bufsiz, "R%d", op);
-		break;
-
-	case NPF_OPERAND_KEY:
-		snprintf(buf, bufsiz, "key=<0x%x>", op);
-		break;
-
-	case NPF_OPERAND_VALUE:
-		snprintf(buf, bufsiz, "value=<0x%x>", op);
-		break;
-
-	case NPF_OPERAND_SD:
-		if (op & ~0x1) {
-			warnx("invalid src/dst operand 0x%x at offset %td",
-			    op, ni->ni_pc - ni->ni_buf);
-			return NULL;
-		}
-		bool srcdst = (op == NPF_OPERAND_SD_SRC);
-		if (ni) {
-			ni->ni_srcdst = srcdst;
-		}
-		snprintf(buf, bufsiz, "%s", srcdst ? "SRC" : "DST");
-		break;
-
-	case NPF_OPERAND_REL_ADDRESS:
-		snprintf(buf, bufsiz, "L%zu",
-		    npfctl_ncode_add_target(ni, ni->ni_ipc + op));
-		break;
-
-	case NPF_OPERAND_NET_ADDRESS4: {
-		struct sockaddr_in *sin = (void *)&ss;
-		sin->sin_len = sizeof(*sin);
-		sin->sin_family = AF_INET;
-		sin->sin_port = 0;
-		memcpy(&sin->sin_addr, ni->ni_pc, sizeof(sin->sin_addr));
-		sockaddr_snprintf(buf, bufsiz, "%a", (struct sockaddr *)sin);
-		if (ni) {
-			npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
-			    NPF_SHOW_SRCADDR : NPF_SHOW_DSTADDR);
-		}
-		advance = sizeof(sin->sin_addr) / sizeof(op);
-		break;
-	}
-	case NPF_OPERAND_NET_ADDRESS6: {
-		struct sockaddr_in6 *sin6 = (void *)&ss;
-		sin6->sin6_len = sizeof(*sin6);
-		sin6->sin6_family = AF_INET6;
-		sin6->sin6_port = 0;
-		sin6->sin6_scope_id = 0;
-		memcpy(&sin6->sin6_addr, ni->ni_pc, sizeof(sin6->sin6_addr));
-		sockaddr_snprintf(buf, bufsiz, "%a", (struct sockaddr *)sin6);
-		if (ni) {
-			npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
-			    NPF_SHOW_SRCADDR : NPF_SHOW_DSTADDR);
-		}
-		advance = sizeof(sin6->sin6_addr) / sizeof(op);
-		break;
-	}
-	case NPF_OPERAND_ETHER_TYPE:
-		snprintf(buf, bufsiz, "ether=0x%x", op);
-		break;
-
-	case NPF_OPERAND_PROTO: {
-		uint8_t addrlen = (op >> 8) & 0xff;
-		uint8_t proto = op & 0xff;
-
-		snprintf(buf, bufsiz, "addrlen=%u, proto=%u", addrlen, proto);
-		if (!ni) {
-			break;
-		}
-		switch (proto) {
-		case 0xff:
-			/* None. */
-			break;
-		case IPPROTO_TCP:
-			ni->ni_proto |= NC_MATCH_TCP;
-			break;
-		case IPPROTO_UDP:
-			ni->ni_proto |= NC_MATCH_UDP;
-			break;
-		case IPPROTO_ICMP:
-			ni->ni_proto |= NC_MATCH_ICMP;
-			/* FALLTHROUGH */
-		default:
-			snprintf(buf, bufsiz, "proto %d", proto);
-			npfctl_ncode_add_vp(ni, buf, NPF_SHOW_PROTO);
-			break;
-		}
-		switch (addrlen) {
-		case 4:
-		case 16:
-			snprintf(buf, bufsiz, "family inet%s",
-			    addrlen == 16 ? "6" : "");
-			npfctl_ncode_add_vp(ni, buf, NPF_SHOW_FAMILY);
-			break;
-		}
-		break;
-	}
-	case NPF_OPERAND_SUBNET: {
-		snprintf(buf, bufsiz, "/%d", op);
-		if (ni && op != NPF_NO_NETMASK) {
-			npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
-			    NPF_SHOW_SRCADDR : NPF_SHOW_DSTADDR);
-		}
-		break;
-	}
-	case NPF_OPERAND_LENGTH:
-		snprintf(buf, bufsiz, "length=%d", op);
-		break;
-
-	case NPF_OPERAND_TABLE_ID:
-		if (ni) {
-			snprintf(buf, bufsiz, "<%d>", op);
-			npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
-			    NPF_SHOW_SRCADDR : NPF_SHOW_DSTADDR);
-		}
-		snprintf(buf, bufsiz, "id=%d", op);
-		break;
-
-	case NPF_OPERAND_ICMP_TYPE_CODE: {
-		uint8_t type = (op & 31) ? op >> 8 : 0;
-		uint8_t code = (op & 30) ? op & 0xff : 0;
-
-		if (op & ~0xc000ffff) {
-			warnx("invalid icmp/type operand 0x%x at offset %td",
-			    op, ni->ni_pc - ni->ni_buf);
-			return NULL;
-		}
-		snprintf(buf, bufsiz, "type=%d, code=%d", type, code);
-		if (!ni) {
-			break;
-		}
-		ni->ni_proto |= NC_MATCH_ICMP;
-		if (*ni->ni_ipc == NPF_OPCODE_ICMP6) {
-			snprintf(buf, bufsiz, "proto \"ipv6-icmp\"");
-			npfctl_ncode_add_vp(ni, buf, NPF_SHOW_PROTO);
-		}
-		if (type || code) {
-			snprintf(buf, bufsiz,
-			    "icmp-type %d code %d", type, code);
-			npfctl_ncode_add_vp(ni, buf, NPF_SHOW_ICMP);
-		}
-		break;
-	}
-	case NPF_OPERAND_TCP_FLAGS_MASK: {
-		uint8_t tf = op >> 8, tf_mask = op & 0xff;
-		if (op & ~0xffff) {
-			warnx("invalid flags/mask operand 0x%x at offset %td",
-			    op, ni->ni_pc - ni->ni_buf);
-			return NULL;
-		}
-		char tf_buf[16], tfm_buf[16];
-		npf_tcpflags2str(tf_buf, tf);
-		npf_tcpflags2str(tfm_buf, tf_mask);
-		snprintf(buf, bufsiz, "flags %s/%s", tf_buf, tfm_buf);
-		if (ni) {
-			ni->ni_proto |= NC_MATCH_TCP;
-			npfctl_ncode_add_vp(ni, buf, NPF_SHOW_TCPF);
-		}
-		break;
-	}
-	case NPF_OPERAND_PORT_RANGE: {
-		in_port_t p1 = ntohs(op >> 16), p2 = ntohs(op & 0xffff);
-
-		if (p1 == p2) {
-			snprintf(buf, bufsiz, "%d", p1);
-		} else {
-			snprintf(buf, bufsiz, "%d-%d", p1, p2);
-		}
-
-		if (!ni) {
-			break;
-		}
-		switch (*ni->ni_ipc) {
-		case NPF_OPCODE_TCP_PORTS:
-			ni->ni_proto |= NC_MATCH_TCP;
-			break;
-		case NPF_OPCODE_UDP_PORTS:
-			ni->ni_proto |= NC_MATCH_UDP;
-			break;
-		}
-		int sd = ni->ni_srcdst ?  NPF_SHOW_SRCPORT : NPF_SHOW_DSTPORT;
-		if (ni->ni_vlist[sd]) {
-			break;
-		}
-		npfctl_ncode_add_vp(ni, buf, sd);
-		break;
-	}
-	default:
-		warnx("invalid operand %d at offset %td",
-		    operand, ni->ni_pc - ni->ni_buf);
-		return NULL;
-	}
-
-	if (ni->ni_left < sizeof(op) * advance) {
-		warnx("ran out of bytes");
-		return NULL;
-	}
-	ni->ni_pc += advance;
-	ni->ni_left -= sizeof(op) * advance;
-	return buf;
-}
-
-nc_inf_t *
-npfctl_ncode_disinf(FILE *fp)
-{
-	nc_inf_t *ni = ecalloc(1, sizeof(nc_inf_t));
-
-	memset(ni, 0, sizeof(nc_inf_t));
-	ni->ni_fp = fp;
-	return ni;
-}
-
-int
-npfctl_ncode_disassemble(nc_inf_t *ni, const void *v, size_t len)
-{
-	FILE *fp = ni->ni_fp;
-	int error = -1;
-
-	ni->ni_buf = v;
-	ni->ni_left = len;
-	ni->ni_pc = v;
-
-	while (ni->ni_left) {
-		const struct npf_instruction *insn;
-		const uint32_t opcode = *ni->ni_pc;
-		size_t target;
-
-		/* Get the opcode. */
-		if (opcode & ~0xff) {
-			warnx("invalid opcode 0x%x at offset (%td)",
-			    opcode, ni->ni_pc - ni->ni_buf);
-			goto out;
-		}
-		insn = &npf_instructions[opcode];
-		if (insn->name == NULL) {
-			warnx("invalid opcode 0x%x at offset (%td)",
-			    opcode, ni->ni_pc - ni->ni_buf);
-			goto out;
-		}
-
-		/*
-		 * Lookup target array and prefix with the label,
-		 * if this opcode is a jump target.
-		 */
-		ni->ni_ipc = ni->ni_pc;
-		target = npfctl_ncode_get_target(ni, ni->ni_pc);
-		if (fp) {
-			if (target != (size_t)-1) {
-				fprintf(fp, "L%zu:", target);
-			}
-			fprintf(fp, "\t%s", insn->name);
-		}
-		if (ni->ni_left < sizeof(opcode)) {
-			warnx("ran out of bytes");
-			return -1;
-		}
-		ni->ni_left -= sizeof(opcode);
-		ni->ni_pc++;
-		for (size_t i = 0; i < __arraycount(insn->op); i++) {
-			const uint8_t o = insn->op[i];
-			const char *op;
-			char buf[256];
-
-			if (o == NPF_OPERAND_NONE) {
-				break;
-			}
-			op = npfctl_ncode_operand(ni, buf, sizeof(buf), o);
-			if (op == NULL) {
-				goto out;
-			}
-			if (fp) {
-				fprintf(fp, "%s%s", i == 0 ? " " : ", ", op);
-			}
-		}
-		if (fp) {
-			fprintf(fp, "\n");
-		}
-	}
-	error = 0;
-out:
-	free(ni->ni_targs);
-	return error;
-}
-
-static void
-npfctl_show_fromto(const char *name, npfvar_t *vl, bool showany)
-{
-	size_t count = npfvar_get_count(vl);
-	char *s;
-
-	switch (count) {
-	case 0:
-		if (showany) {
-			printf("%s any ", name);
-		}
-		return;
-	case 1:
-		s = npfvar_get_data(vl, NPFVAR_STRING, 0);
-		printf("%s %s ", name, s);
-		return;
-	}
-	printf("%s%s", name, " { ");
-	for (size_t i = 0; i < count; i++) {
-		s = npfvar_get_data(vl, NPFVAR_STRING, i);
-		printf("%s%s", (i && s[0] != '/') ? ", " : "", s);
-	}
-	printf(" } ");
-	npfvar_destroy(vl);
-}
-
-static bool
-npfctl_show_ncode(const void *nc, size_t len)
-{
-	nc_inf_t *ni = npfctl_ncode_disinf(NULL);
-	bool any, protoshown = false;
-	npfvar_t *vl;
-
-	if (npfctl_ncode_disassemble(ni, nc, len) != 0) {
-		printf("<< ncode >> ");
-		return true;
-	}
-
-	if ((vl = ni->ni_vlist[NPF_SHOW_FAMILY]) != NULL) {
-		printf("%s ", npfvar_expand_string(vl));
-		npfvar_destroy(vl);
-	}
-
-	if ((vl = ni->ni_vlist[NPF_SHOW_PROTO]) != NULL) {
-		printf("%s ", npfvar_expand_string(vl));
-		npfvar_destroy(vl);
-		protoshown = true;
-	}
-
-	switch (ni->ni_proto) {
-	case NC_MATCH_TCP:
-		if (!protoshown) {
-			printf("proto tcp ");
-		}
-		if ((vl = ni->ni_vlist[NPF_SHOW_TCPF]) != NULL) {
-			printf("%s ", npfvar_expand_string(vl));
-			npfvar_destroy(vl);
-		}
-		break;
-	case NC_MATCH_ICMP:
-		if (!protoshown) {
-			printf("proto icmp ");
-		}
-		if ((vl = ni->ni_vlist[NPF_SHOW_ICMP]) != NULL) {
-			printf("%s ", npfvar_expand_string(vl));
-			npfvar_destroy(vl);
-		}
-		break;
-	case NC_MATCH_UDP:
-		if (!protoshown) {
-			printf("proto udp ");
-		}
-		break;
-	default:
-		break;
-	}
-
-	any = false;
-	if (ni->ni_vlist[NPF_SHOW_SRCADDR] || ni->ni_vlist[NPF_SHOW_SRCPORT]) {
-		npfctl_show_fromto("from", ni->ni_vlist[NPF_SHOW_SRCADDR], true);
-		npfctl_show_fromto("port", ni->ni_vlist[NPF_SHOW_SRCPORT], false);
-		any = true;
-	}
-	if (ni->ni_vlist[NPF_SHOW_DSTADDR] || ni->ni_vlist[NPF_SHOW_DSTPORT]) {
-		npfctl_show_fromto("to", ni->ni_vlist[NPF_SHOW_DSTADDR], true);
-		npfctl_show_fromto("port", ni->ni_vlist[NPF_SHOW_DSTPORT], false);
-		any = true;
-	}
-
-	free(ni);
-	return any;
-}
-
-#define	NPF_RSTICMP		(NPF_RULE_RETRST | NPF_RULE_RETICMP)
-
-static const struct attr_keyword_mapent {
-	uint32_t	mask;
-	uint32_t	flags;
-	const char *	onmatch;
-	const char *	nomatch;
-} attr_keyword_map[] = {
-	{ NPF_RULE_PASS,	NPF_RULE_PASS,	"pass",		"block"	},
-	{ NPF_RSTICMP,		NPF_RSTICMP,	"return",	NULL	},
-	{ NPF_RSTICMP,		NPF_RULE_RETRST,"return-rst",	NULL	},
-	{ NPF_RSTICMP,		NPF_RULE_RETICMP,"return-icmp",	NULL	},
-	{ NPF_RULE_STATEFUL,	NPF_RULE_STATEFUL,"stateful",	NULL	},
-	{ NPF_RULE_DIMASK,	NPF_RULE_IN,	"in",		NULL	},
-	{ NPF_RULE_DIMASK,	NPF_RULE_OUT,	"out",		NULL	},
-	{ NPF_RULE_FINAL,	NPF_RULE_FINAL,	"final",	NULL	},
-};
-
-static int rules_seen = 0;
-
-/*
- * FIXME: This mess needs a complete rewrite..
- */
-
-static void
-npfctl_show_rule(nl_rule_t *nrl, unsigned nlevel)
-{
-	static int grouplvl = -1;
-	rule_group_t rg;
-	const char *rproc;
-	const void *nc;
-	size_t nclen;
-	u_int n;
-
-	memset(&rg, 0, sizeof(rg));
-	_npf_rule_getinfo(nrl, &rg.rg_name, &rg.rg_attr, &rg.rg_ifnum);
-	rules_seen++;
-
-	/* Get the interface, if any. */
-	char ifnamebuf[IFNAMSIZ], *ifname = NULL;
-	if (rg.rg_ifnum) {
-		ifname = if_indextoname(rg.rg_ifnum, ifnamebuf);
-	}
-
-	if (grouplvl >= 0 && (unsigned)grouplvl >= nlevel) {
-		for (n = 0; n < nlevel; n++) {
-			printf("\t");
-		}
-		printf("}\n\n");
-		grouplvl--;
-	}
-	for (n = 0; n < nlevel; n++) {
-		printf("\t");
-	}
-
-	if (rg.rg_attr & NPF_RULE_GROUP) {
-		const char *rname = rg.rg_name;
-
-		grouplvl = nlevel;
-		if (rg.rg_attr == (NPF_RULE_GROUP| NPF_RULE_IN | NPF_RULE_OUT)
-		    && rname == NULL && rg.rg_ifnum == 0) {
-			puts("group (default) {");
-			return;
-		}
-		printf("group (name \"%s\"", rname == NULL ? "" : rname);
-		if (ifname) {
-			printf(", interface %s", ifname);
-		}
-		if (rg.rg_attr & NPF_RULE_DYNAMIC) {
-			printf(", dynamic");
-		}
-		puts(") {");
-		return;
-	}
-
-	/*
-	 * Rule case.  First, unparse the attributes.
-	 */
-	for (unsigned i = 0; i < __arraycount(attr_keyword_map); i++) {
-		const struct attr_keyword_mapent *ak = &attr_keyword_map[i];
-
-		if ((rg.rg_attr & ak->mask) == ak->flags) {
-			printf("%s ", ak->onmatch);
-		} else if (ak->nomatch) {
-			printf("%s ", ak->nomatch);
-		}
-	}
-
-	if (ifname) {
-		printf("on %s ", ifname);
-	}
-
-	nc = _npf_rule_ncode(nrl, &nclen);
-	if (!nc || !npfctl_show_ncode(nc, nclen)) {
-		printf("all ");
-	}
-
-	if ((rproc = npf_rule_getproc(nrl)) != NULL) {
-		printf("apply \"%s\"", rproc);
-	}
-	puts("");
-}
-
-static void
-npfctl_show_table(unsigned id, int type)
-{
-	printf("table <%u> type %s\n", id,
-		(type == NPF_TABLE_HASH) ? "hash" :
-		(type == NPF_TABLE_TREE) ? "tree" :
-		"unknown"
-	);
-}
-
-static void
-npfctl_show_nat(nl_rule_t *nrl, unsigned nlevel)
-{
-	rule_group_t rg;
-	nl_nat_t *nt = nrl;
-	npf_addr_t taddr;
-	in_port_t port;
-	size_t alen;
-	u_int flags;
-	int type;
-
-	/* TODO: bi-NAT */
-
-	_npf_rule_getinfo(nrl, &rg.rg_name, &rg.rg_attr, &rg.rg_ifnum);
-
-	/* Get the interface, if any. */
-	char ifnamebuf[IFNAMSIZ], *ifname = NULL;
-	if (rg.rg_ifnum) {
-		ifname = if_indextoname(rg.rg_ifnum, ifnamebuf);
-	}
-	_npf_nat_getinfo(nt, &type, &flags, &taddr, &alen, &port);
-
-	char *taddrbuf, tportbuf[16];
-
-	taddrbuf = npfctl_print_addrmask(alen, &taddr, 0);
-	if (port) {
-		snprintf(tportbuf, sizeof(tportbuf), " port %d", ntohs(port));
-	}
-
-	const char *seg1 = "any", *seg2 = "any", *sp1 = "", *sp2 = "", *mt;
-	switch (type) {
-	case NPF_NATIN:
-		mt = "<-";
-		seg1 = taddrbuf;
-		sp1 = port ? tportbuf : "";
-		break;
-	case NPF_NATOUT:
-		mt = "->";
-		seg2 = taddrbuf;
-		sp2 = port ? tportbuf : "";
-		break;
-	default:
-		assert(false);
-	}
-	printf("map %s dynamic %s%s %s %s%s pass ", ifname,
-	    seg1, sp1, mt, seg2, sp2);
-	free(taddrbuf);
-
-	const void *nc;
-	size_t nclen;
-
-	nc = _npf_rule_ncode(nrl, &nclen);
-	printf("%s\n", (!nc || !npfctl_show_ncode(nc, nclen)) ? " any " : "");
-}
-
-int
-npfctl_config_show(int fd)
-{
-	nl_config_t *ncf;
-	bool active, loaded;
-	int error = 0;
-
-	if (fd) {
-		ncf = npf_config_retrieve(fd, &active, &loaded);
-		if (ncf == NULL) {
-			return errno;
-		}
-		printf("Filtering:\t%s\nConfiguration:\t%s\n\n",
-		    active ? "active" : "inactive",
-		    loaded ? "loaded" : "empty");
-	} else {
-		ncf = npfctl_config_ref();
-		loaded = true;
-	}
-
-	if (loaded) {
-		_npf_table_foreach(ncf, npfctl_show_table);
-		puts("");
-		error = _npf_nat_foreach(ncf, npfctl_show_nat);
-		puts("");
-		if (!error) {
-			error = _npf_rule_foreach(ncf, npfctl_show_rule);
-			if (rules_seen)
-				puts("}");
-		}
-	}
-	npf_config_destroy(ncf);
-	return error;
-}
-
-int
-npfctl_ruleset_show(int fd, const char *ruleset_name)
-{
-	nl_config_t *ncf;
-	int error;
-
-	ncf = npf_config_create();
-	if ((error = _npf_ruleset_list(fd, ruleset_name, ncf)) != 0) {
-		return error;
-	}
-	error = _npf_rule_foreach(ncf, npfctl_show_rule);
-	npf_config_destroy(ncf);
-	return error;
-}
--- a/usr.sbin/npf/npfctl/npf_ncgen.c	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,441 +0,0 @@
-/*	$NetBSD: npf_ncgen.c,v 1.15 2012/11/15 22:20:27 rmind Exp $	*/
-
-/*-
- * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This material is based upon work partially supported by The
- * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * N-code generation interface.
- */
-
-#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_ncgen.c,v 1.15 2012/11/15 22:20:27 rmind Exp $");
-
-#include <stdlib.h>
-#include <stddef.h>
-#include <inttypes.h>
-#include <err.h>
-
-#include "npfctl.h"
-
-/* Reduce re-allocations by expanding in 64 byte blocks. */
-#define	NC_ALLOC_MASK		(64 - 1)
-#define	NC_ALLOC_ROUND(x)	(((x) + NC_ALLOC_MASK) & ~NC_ALLOC_MASK)
-
-struct nc_ctx {
-	/*
-	 * Original buffer address, size of the buffer and instruction
-	 * pointer for appending n-code fragments.
-	 */
-	void *			nc_buf;
-	void *			nc_iptr;
-	size_t			nc_len;
-	/* Expected number of words for diagnostic check. */
-	size_t			nc_expected;
-	/* List of jump values, length of the memory and iterator. */
-	ptrdiff_t *		nc_jmp_list;
-	size_t			nc_jmp_len;
-	size_t			nc_jmp_it;
-	/* Current logical operation for a group and saved iterator. */
-	size_t			nc_saved_it;
-};
-
-/*
- * npfctl_ncgen_getptr: return the instruction pointer and make sure that
- * buffer is large enough to add a new fragment of a given size.
- */
-static uint32_t *
-npfctl_ncgen_getptr(nc_ctx_t *ctx, size_t nwords)
-{
-	size_t offset, reqlen;
-
-	/* Save the number of expected words for diagnostic check. */
-	assert(ctx->nc_expected == 0);
-	ctx->nc_expected = (sizeof(uint32_t) * nwords);
-
-	/*
-	 * Calculate the required length.  If buffer size is large enough,
-	 * just return the pointer.
-	 */
-	offset = (uintptr_t)ctx->nc_iptr - (uintptr_t)ctx->nc_buf;
-	assert(offset <= ctx->nc_len);
-	reqlen = offset + ctx->nc_expected;
-	if (reqlen < ctx->nc_len) {
-		return ctx->nc_iptr;
-	}
-
-	/* Otherwise, re-allocate the buffer and update the pointers. */
-	ctx->nc_len = NC_ALLOC_ROUND(reqlen);
-	ctx->nc_buf = erealloc(ctx->nc_buf, ctx->nc_len);
-	ctx->nc_iptr = (uint8_t *)ctx->nc_buf + offset;
-	return ctx->nc_iptr;
-}
-
-/*
- * npfctl_ncgen_putptr: perform a diagnostic check whether expected words
- * were appended and save the instruction pointer.
- */
-static void
-npfctl_ncgen_putptr(nc_ctx_t *ctx, void *nc)
-{
-	ptrdiff_t diff = (uintptr_t)nc - (uintptr_t)ctx->nc_iptr;
-
-	if ((ptrdiff_t)ctx->nc_expected != diff) {
-		errx(EXIT_FAILURE, "unexpected n-code fragment size "
-		    "(expected words %zu, diff %td)", ctx->nc_expected, diff);
-	}
-	ctx->nc_expected = 0;
-	ctx->nc_iptr = nc;
-}
-
-/*
- * npfctl_ncgen_addjmp: add the compare/jump opcode, dummy value and
- * its pointer into the list.
- */
-static void
-npfctl_ncgen_addjmp(nc_ctx_t *ctx, uint32_t **nc_ptr)
-{
-	size_t reqlen, i = ctx->nc_jmp_it++;
-	uint32_t *nc = *nc_ptr;
-
-	reqlen = NC_ALLOC_ROUND(ctx->nc_jmp_it * sizeof(ptrdiff_t));
-
-	if (reqlen > NC_ALLOC_ROUND(ctx->nc_jmp_len)) {
-		ctx->nc_jmp_list = erealloc(ctx->nc_jmp_list, reqlen);
-		ctx->nc_jmp_len = reqlen;
-	}
-
-	/* Save the offset (note: we cannot save the pointer). */
-	ctx->nc_jmp_list[i] = (uintptr_t)nc - (uintptr_t)ctx->nc_buf;
-
-	/* Note: if OR grouping case, BNE will be replaced with BEQ. */
-	*nc++ = NPF_OPCODE_BNE;
-	*nc++ = 0xdeadbeef;
-	*nc_ptr = nc;
-}
-
-/*
- * npfctl_ncgen_create: new n-code generation context.
- */
-nc_ctx_t *
-npfctl_ncgen_create(void)
-{
-	return ecalloc(1, sizeof(nc_ctx_t));
-}
-
-/*
- * npfctl_ncgen_complete: complete generation, destroy the context and
- * return a pointer to the final buffer containing n-code.
- */
-void *
-npfctl_ncgen_complete(nc_ctx_t *ctx, size_t *sz)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 4 /* words */);
-	ptrdiff_t foff;
-	size_t i;
-
-	assert(ctx->nc_saved_it == 0);
-
-	/* Success path (return 0x0). */
-	*nc++ = NPF_OPCODE_RET;
-	*nc++ = 0x0;
-
-	/* Failure path (return 0xff). */
-	foff = ((uintptr_t)nc - (uintptr_t)ctx->nc_buf) / sizeof(uint32_t);
-	*nc++ = NPF_OPCODE_RET;
-	*nc++ = 0xff;
-
-	/* + 4 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-
-	/* Change the jump values. */
-	for (i = 0; i < ctx->nc_jmp_it; i++) {
-		ptrdiff_t off = ctx->nc_jmp_list[i] / sizeof(uint32_t);
-		uint32_t *jmpop = (uint32_t *)ctx->nc_buf + off;
-		uint32_t *jmpval = jmpop + 1;
-
-		assert(foff > off);
-		assert(*jmpop == NPF_OPCODE_BNE);
-		assert(*jmpval == 0xdeadbeef);
-		*jmpval = foff - off;
-	}
-
-	/* Return the buffer, destroy the context. */
-	void *buf = ctx->nc_buf;
-	*sz = (uintptr_t)ctx->nc_iptr - (uintptr_t)ctx->nc_buf;
-	free(ctx->nc_jmp_list);
-	free(ctx);
-	return buf;
-}
-
-/*
- * npfctl_ncgen_group: begin a logical group.
- */
-void
-npfctl_ncgen_group(nc_ctx_t *ctx)
-{
-	assert(ctx->nc_expected == 0);
-	assert(ctx->nc_saved_it == 0);
-	ctx->nc_saved_it = ctx->nc_jmp_it;
-}
-
-/*
- * npfctl_ncgen_endgroup: end a logical group, fix up the code accordingly.
- */
-void
-npfctl_ncgen_endgroup(nc_ctx_t *ctx)
-{
-	uint32_t *nc;
-
-	/* If there are no fragments or only one - nothing to do. */
-	if ((ctx->nc_jmp_it - ctx->nc_saved_it) <= 1) {
-		ctx->nc_saved_it = 0;
-		return;
-	}
-
-	/* Append failure return for OR grouping. */
-	nc = npfctl_ncgen_getptr(ctx, 2 /* words */);
-	*nc++ = NPF_OPCODE_RET;
-	*nc++ = 0xff;
-	npfctl_ncgen_putptr(ctx, nc);
-
-	/* Update any group jumps values on success to the current point. */
-	for (size_t i = ctx->nc_saved_it; i < ctx->nc_jmp_it; i++) {
-		ptrdiff_t off = ctx->nc_jmp_list[i] / sizeof(uint32_t);
-		uint32_t *jmpop = (uint32_t *)ctx->nc_buf + off;
-		uint32_t *jmpval = jmpop + 1;
-
-		assert(*jmpop == NPF_OPCODE_BNE);
-		assert(*jmpval == 0xdeadbeef);
-
-		*jmpop = NPF_OPCODE_BEQ;
-		*jmpval = nc - jmpop;
-		ctx->nc_jmp_list[i] = 0;
-	}
-
-	/* Reset the iterator. */
-	ctx->nc_jmp_it = ctx->nc_saved_it;
-	ctx->nc_saved_it = 0;
-}
-
-/*
- * npfctl_gennc_v6cidr: fragment to match IPv6 CIDR.
- */
-void
-npfctl_gennc_v6cidr(nc_ctx_t *ctx, int opts, const npf_addr_t *netaddr,
-    const npf_netmask_t mask)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 9 /* words */);
-	const uint32_t *addr = (const uint32_t *)netaddr;
-
-	assert(((opts & NC_MATCH_SRC) != 0) ^ ((opts & NC_MATCH_DST) != 0));
-	assert((mask && mask <= NPF_MAX_NETMASK) || mask == NPF_NO_NETMASK);
-
-	/* OP, direction, netaddr/subnet (7 words) */
-	*nc++ = NPF_OPCODE_IP6MASK;
-	*nc++ = (opts & (NC_MATCH_DST | NC_MATCH_SRC)) >> 1;
-	*nc++ = addr[0];
-	*nc++ = addr[1];
-	*nc++ = addr[2];
-	*nc++ = addr[3];
-	*nc++ = mask;
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 9 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_v4cidr: fragment to match IPv4 CIDR.
- */
-void
-npfctl_gennc_v4cidr(nc_ctx_t *ctx, int opts, const npf_addr_t *netaddr,
-    const npf_netmask_t mask)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 6 /* words */);
-	const uint32_t *addr = (const uint32_t *)netaddr;
-
-	assert(((opts & NC_MATCH_SRC) != 0) ^ ((opts & NC_MATCH_DST) != 0));
-	assert((mask && mask <= NPF_MAX_NETMASK) || mask == NPF_NO_NETMASK);
-
-	/* OP, direction, netaddr/subnet (4 words) */
-	*nc++ = NPF_OPCODE_IP4MASK;
-	*nc++ = (opts & (NC_MATCH_DST | NC_MATCH_SRC)) >> 1;
-	*nc++ = addr[0];
-	*nc++ = mask;
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 6 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_ports: fragment to match TCP or UDP ports.
- */
-void
-npfctl_gennc_ports(nc_ctx_t *ctx, int opts, in_port_t from, in_port_t to)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 5 /* words */);
-
-	assert(((opts & NC_MATCH_SRC) != 0) ^ ((opts & NC_MATCH_DST) != 0));
-	assert(((opts & NC_MATCH_TCP) != 0) ^ ((opts & NC_MATCH_UDP) != 0));
-
-	/* OP, direction, port range (3 words). */
-	*nc++ = (opts & NC_MATCH_TCP) ?
-	    NPF_OPCODE_TCP_PORTS : NPF_OPCODE_UDP_PORTS;
-	*nc++ = (opts & (NC_MATCH_DST | NC_MATCH_SRC)) >> 1;
-	*nc++ = ((uint32_t)from << 16) | to;
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 5 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_icmp: fragment to match ICMP type and code.
- */
-void
-npfctl_gennc_icmp(nc_ctx_t *ctx, int type, int code)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 4 /* words */);
-
-	/* OP, code, type (2 words) */
-	*nc++ = NPF_OPCODE_ICMP4;
-	*nc++ = (type == -1 ? 0 : (1 << 31) | ((type & 0xff) << 8)) |
-		(code == -1 ? 0 : (1 << 30) | (code & 0xff));
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 4 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_icmp6: fragment to match ICMPV6 type and code.
- */
-void
-npfctl_gennc_icmp6(nc_ctx_t *ctx, int type, int code)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 4 /* words */);
-
-	/* OP, code, type (2 words) */
-	*nc++ = NPF_OPCODE_ICMP6;
-	*nc++ = (type == -1 ? 0 : (1 << 31) | ((type & 0xff) << 8)) |
-		(code == -1 ? 0 : (1 << 30) | (code & 0xff));
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 4 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_tbl: fragment to match IPv4 source/destination address of
- * the packet against table specified by ID.
- */
-void
-npfctl_gennc_tbl(nc_ctx_t *ctx, int opts, u_int tableid)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 5 /* words */);
-
-	assert(((opts & NC_MATCH_SRC) != 0) ^ ((opts & NC_MATCH_DST) != 0));
-
-	/* OP, direction, table ID (3 words). */
-	*nc++ = NPF_OPCODE_TABLE;
-	*nc++ = (opts & (NC_MATCH_DST | NC_MATCH_SRC)) >> 1;
-	*nc++ = tableid;
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 5 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_tcpfl: fragment to match TCP flags/mask.
- */
-void
-npfctl_gennc_tcpfl(nc_ctx_t *ctx, uint8_t tf, uint8_t tf_mask)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 4 /* words */);
-
-	/* OP, code, type (2 words) */
-	*nc++ = NPF_OPCODE_TCP_FLAGS;
-	*nc++ = (tf << 8) | tf_mask;
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 4 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-/*
- * npfctl_gennc_proto: fragment to match the protocol.
- */
-void
-npfctl_gennc_proto(nc_ctx_t *ctx, uint8_t addrlen, uint8_t proto)
-{
-	uint32_t *nc = npfctl_ncgen_getptr(ctx, 4 /* words */);
-
-	/* OP, code, type (2 words) */
-	*nc++ = NPF_OPCODE_PROTO;
-	*nc++ = ((addrlen & 0xff) << 8) | (proto & 0xff);
-
-	/* Comparison block (2 words). */
-	npfctl_ncgen_addjmp(ctx, &nc);
-
-	/* + 4 words. */
-	npfctl_ncgen_putptr(ctx, nc);
-}
-
-void
-npfctl_ncgen_print(const void *code, size_t len)
-{
-#if 0
-	const uint32_t *op = code;
-
-	while (len) {
-		printf("\t> |0x%02x|\n", (u_int)*op++);
-		len -= sizeof(*op);
-	}
-#else
-	nc_inf_t *ni = npfctl_ncode_disinf(stdout);
-	npfctl_ncode_disassemble(ni, code, len);
-	free(ni);
-#endif
-}
--- a/usr.sbin/npf/npfctl/npfctl.h	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.h	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.30 2013/09/19 01:04:45 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.31 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -141,83 +141,32 @@
  * BFF byte-code generation interface.
  */
 
-#define	NPFCTL_USE_BPF	1
-
 typedef struct npf_bpf npf_bpf_t;
 
 #define	MATCH_DST	0x01
 #define	MATCH_SRC	0x02
 
 enum {
-	BM_IPVER,
-	BM_PROTO,
-	BM_SRC_CIDR,
-	BM_SRC_TABLE,
-	BM_DST_CIDR,
-	BM_DST_TABLE,
-	BM_SRC_PORTS,
-	BM_DST_PORTS,
-	BM_TCPFL,
-	BM_ICMP_TYPE,
+	BM_IPVER, BM_PROTO, BM_SRC_CIDR, BM_SRC_TABLE, BM_DST_CIDR,
+	BM_DST_TABLE, BM_SRC_PORTS, BM_DST_PORTS, BM_TCPFL, BM_ICMP_TYPE,
 	BM_ICMP_CODE,
 };
 
-npf_bpf_t *npfctl_bpf_create(void);
+npf_bpf_t *	npfctl_bpf_create(void);
 struct bpf_program *npfctl_bpf_complete(npf_bpf_t *);
-const void *npfctl_bpf_bmarks(npf_bpf_t *, size_t *);
-void	npfctl_bpf_destroy(npf_bpf_t *);
-
-void	npfctl_bpf_group(npf_bpf_t *);
-void	npfctl_bpf_endgroup(npf_bpf_t *);
+const void *	npfctl_bpf_bmarks(npf_bpf_t *, size_t *);
+void		npfctl_bpf_destroy(npf_bpf_t *);
 
-void	npfctl_bpf_proto(npf_bpf_t *, sa_family_t, int);
-void	npfctl_bpf_cidr(npf_bpf_t *, u_int, sa_family_t,
-	    const npf_addr_t *, const npf_netmask_t);
-void	npfctl_bpf_ports(npf_bpf_t *, u_int, in_port_t, in_port_t);
-void	npfctl_bpf_tcpfl(npf_bpf_t *, uint8_t, uint8_t);
-void	npfctl_bpf_icmp(npf_bpf_t *, int, int);
-void	npfctl_bpf_table(npf_bpf_t *, u_int, u_int);
-
-/*
- * N-code generation interface.
- */
-
-typedef struct nc_ctx nc_ctx_t;
-
-#define	NC_MATCH_DST		0x01
-#define	NC_MATCH_SRC		0x02
+void		npfctl_bpf_group(npf_bpf_t *);
+void		npfctl_bpf_endgroup(npf_bpf_t *);
 
-#define	NC_MATCH_TCP		0x04
-#define	NC_MATCH_UDP		0x08
-#define	NC_MATCH_ICMP		0x10
-#define	NC_MATCH_ICMP6		0x20
-
-nc_ctx_t *	npfctl_ncgen_create(void);
-void *		npfctl_ncgen_complete(nc_ctx_t *, size_t *);
-void		npfctl_ncgen_print(const void *, size_t);
-
-void		npfctl_ncgen_group(nc_ctx_t *);
-void		npfctl_ncgen_endgroup(nc_ctx_t *);
-
-void		npfctl_gennc_v4cidr(nc_ctx_t *, int, const npf_addr_t *,
-		    const npf_netmask_t);
-void		npfctl_gennc_v6cidr(nc_ctx_t *, int, const npf_addr_t *,
-		    const npf_netmask_t);
-void		npfctl_gennc_ports(nc_ctx_t *, int, in_port_t, in_port_t);
-void		npfctl_gennc_icmp(nc_ctx_t *, int, int);
-void		npfctl_gennc_icmp6(nc_ctx_t *, int, int);
-void		npfctl_gennc_tbl(nc_ctx_t *, int, u_int);
-void		npfctl_gennc_tcpfl(nc_ctx_t *, uint8_t, uint8_t);
-void		npfctl_gennc_proto(nc_ctx_t *ctx, uint8_t, uint8_t);
-
-/*
- * N-code disassembler.
- */
-
-typedef struct nc_inf nc_inf_t;
-
-nc_inf_t *	npfctl_ncode_disinf(FILE *);
-int		npfctl_ncode_disassemble(nc_inf_t *, const void *, size_t);
+void		npfctl_bpf_proto(npf_bpf_t *, sa_family_t, int);
+void		npfctl_bpf_cidr(npf_bpf_t *, u_int, sa_family_t,
+		    const npf_addr_t *, const npf_netmask_t);
+void		npfctl_bpf_ports(npf_bpf_t *, u_int, in_port_t, in_port_t);
+void		npfctl_bpf_tcpfl(npf_bpf_t *, uint8_t, uint8_t);
+void		npfctl_bpf_icmp(npf_bpf_t *, int, int);
+void		npfctl_bpf_table(npf_bpf_t *, u_int, u_int);
 
 /*
  * Configuration building interface.
--- a/usr.sbin/npf/npftest/libnpftest/Makefile	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npftest/libnpftest/Makefile	Thu Sep 19 01:49:07 2013 +0000
@@ -12,7 +12,6 @@
 SRCS+=		npf_mbuf_subr.c
 
 SRCS+=		npf_nbuf_test.c
-SRCS+=		npf_processor_test.c
 SRCS+=		npf_bpf_test.c
 SRCS+=		npf_table_test.c
 SRCS+=		npf_state_test.c
--- a/usr.sbin/npf/npftest/libnpftest/npf_processor_test.c	Thu Sep 19 01:04:45 2013 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,213 +0,0 @@
-/*	$NetBSD: npf_processor_test.c,v 1.4 2012/12/24 19:05:48 rmind Exp $	*/
-
-/*
- * NPF n-code processor test.
- *
- * Public Domain.
- */
-
-#include <sys/types.h>
-#include <sys/endian.h>
-
-#include "npf_impl.h"
-#include "npf_ncode.h"
-#include "npf_test.h"
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define	IP4(a, b, c, d)	((a << 0) | (b << 8) | (c << 16) | (d << 24))
-#elif BYTE_ORDER == BIG_ENDIAN
-#define	IP4(a, b, c, d)	((a << 24) | (b << 16) | (c << 8) | (d << 0))
-#endif
-
-#define	PORTS(a, b)	((htons(a) << 16) | htons(b))
-
-static const uint32_t nc_match[] = {
-	NPF_OPCODE_CMP,		NPF_LAYER_3,	0,
-	NPF_OPCODE_BEQ,		0x0c,
-	NPF_OPCODE_ETHER,	0x00,	0x00,	htons(ETHERTYPE_IP),
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_ADVR,	3,
-	NPF_OPCODE_IP4MASK,	0x01,	IP4(192,168,2,0),	24,
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_TCP_PORTS,	0x00,	PORTS(80, 80),
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_RET,		0x00
-};
-
-static const uint32_t nc_nmatch[] = {
-	NPF_OPCODE_CMP,		NPF_LAYER_3,	0,
-	NPF_OPCODE_BEQ,		0x0c,
-	NPF_OPCODE_ETHER,	0x00,	0x00,	htons(ETHERTYPE_IP),
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_ADVR,	3,
-	NPF_OPCODE_IP4MASK,	0x01,	IP4(192,168,2,1),	32,
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_RET,		0x00
-};
-
-static const uint32_t nc_rmatch[] = {
-	NPF_OPCODE_MOVE,	offsetof(struct ip, ip_src),	1,
-	NPF_OPCODE_ADVR,	1,
-	NPF_OPCODE_LW,		sizeof(in_addr_t),		0,
-	NPF_OPCODE_CMP,		IP4(192,168,2,100),		0,
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_MOVE,	sizeof(struct ip) - offsetof(struct ip, ip_src)
-				+ offsetof(struct tcphdr, th_sport),	1,
-	NPF_OPCODE_ADVR,	1,
-	NPF_OPCODE_LW,		2 * sizeof(in_port_t),		0,
-	NPF_OPCODE_CMP,		htonl((15000 << 16) | 80),	0,
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_RET,		0x01
-};
-
-static const uint32_t nc_inval[] = {
-	NPF_OPCODE_BEQ,		0x05,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_RET,		0x01
-};
-
-static const uint32_t nc_match6[] = {
-	NPF_OPCODE_IP6MASK,	0x01,	htonl(0xfe80 << 16), 0x0, 0x0, 0x0, 10,
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_TCP_PORTS,	0x00,	PORTS(80, 80),
-	NPF_OPCODE_BEQ,		0x04,
-	NPF_OPCODE_RET,		0xff,
-	NPF_OPCODE_RET,		0x00
-};
-
-static struct mbuf *
-fill_packet(int proto, bool ether)
-{
-	struct mbuf *m;
-	struct ip *ip;
-	struct tcphdr *th;
-
-	if (ether) {
-		m = mbuf_construct_ether(IPPROTO_TCP);
-	} else {
-		m = mbuf_construct(IPPROTO_TCP);
-	}
-	th = mbuf_return_hdrs(m, ether, &ip);
-	ip->ip_src.s_addr = inet_addr("192.168.2.100");
-	ip->ip_dst.s_addr = inet_addr("10.0.0.1");
-	th->th_sport = htons(15000);
-	th->th_dport = htons(80);
-	return m;
-}
-
-static struct mbuf *
-fill_packet6(int proto)
-{
-	uint16_t src[] = {
-	    htons(0xfe80), 0x0, 0x0, 0x0,
-	    htons(0x2a0), htons(0xc0ff), htons(0xfe10), htons(0x1234)
-	};
-	uint16_t dst[] = {
-	    htons(0xfe80), 0x0, 0x0, 0x0,
-	    htons(0x2a0), htons(0xc0ff), htons(0xfe10), htons(0x1111)
-	};
-	struct mbuf *m;
-	struct ip6_hdr *ip;
-	struct tcphdr *th;
-
-	m = mbuf_construct6(proto);
-	(void)mbuf_return_hdrs(m, false, (struct ip **)&ip);
-	memcpy(&ip->ip6_src, src, sizeof(ip->ip6_src));
-	memcpy(&ip->ip6_dst, dst, sizeof(ip->ip6_src));
-
-	th = (void *)(ip + 1);
-	th->th_sport = htons(15000);
-	th->th_dport = htons(80);
-	return m;
-}
-
-static bool
-retcode_fail_p(const char *msg, bool verbose, int ret, int expected)
-{
-	bool fail = (ret != expected);
-
-	if (verbose) {
-		printf("%-25s\t%-4d == %4d\t-> %s\n",
-		    msg, ret, expected, fail ? "fail" : "ok");
-	}
-	return fail;
-}
-
-static void
-npf_nc_cachetest(struct mbuf *m, npf_cache_t *npc, nbuf_t *nbuf)
-{
-	const void *dummy_ifp = (void *)0xdeadbeef;
-
-	nbuf_init(nbuf, m, dummy_ifp);
-	memset(npc, 0, sizeof(npf_cache_t));
-	npf_cache_all(npc, nbuf);
-}
-
-bool
-npf_processor_test(bool verbose)
-{
-	npf_cache_t npc;
-	struct mbuf *m;
-	nbuf_t nbuf;
-	int errat, ret;
-	bool fail = false;
-
-#if 0
-	/* Layer 2 (Ethernet + IP + TCP). */
-	ret = npf_ncode_validate(nc_match, sizeof(nc_match), &errat);
-	fail |= retcode_fail_p("Ether validation", verbose, ret, 0);
-
-	m = fill_packet(IPPROTO_TCP, true);
-	npf_nc_cachetest(m, &npc, &nbuf);
-	ret = npf_ncode_process(&npc, nc_match, &nbuf, NPF_LAYER_2);
-	fail |= retcode_fail_p("Ether", verbose, ret, 0);
-	m_freem(m);
-#endif
-
-	/* Layer 3 (IP + TCP). */
-	m = fill_packet(IPPROTO_TCP, false);
-	npf_nc_cachetest(m, &npc, &nbuf);
-	ret = npf_ncode_process(&npc, nc_match, &nbuf, NPF_LAYER_3);
-	fail |= retcode_fail_p("IPv4 mask 1", verbose, ret, 0);
-
-	/* Non-matching IPv4 case. */
-	ret = npf_ncode_validate(nc_nmatch, sizeof(nc_nmatch), &errat);
-	fail |= retcode_fail_p("IPv4 mask 2 validation", verbose, ret, 0);
-
-	npf_nc_cachetest(m, &npc, &nbuf);
-	ret = npf_ncode_process(&npc, nc_nmatch, &nbuf, NPF_LAYER_3);
-	fail |= retcode_fail_p("IPv4 mask 2", verbose, ret, 255);
-
-	/* Invalid n-code case. */
-	ret = npf_ncode_validate(nc_inval, sizeof(nc_inval), &errat);
-	fail |= retcode_fail_p("Invalid n-code", verbose, ret, NPF_ERR_JUMP);
-
-	/* RISC-like insns. */
-	ret = npf_ncode_validate(nc_rmatch, sizeof(nc_rmatch), &errat);
-	fail |= retcode_fail_p("RISC-like n-code validation", verbose, ret, 0);
-
-	npf_nc_cachetest(m, &npc, &nbuf);
-	ret = npf_ncode_process(&npc, nc_rmatch, &nbuf, NPF_LAYER_3);
-	fail |= retcode_fail_p("RISC-like n-code", verbose, ret, 1);
-	m_freem(m);
-
-	/* IPv6 matching. */
-	ret = npf_ncode_validate(nc_match6, sizeof(nc_match6), &errat);
-	fail |= retcode_fail_p("IPv6 mask validation", verbose, ret, 0);
-
-	m = fill_packet6(IPPROTO_TCP);
-	npf_nc_cachetest(m, &npc, &nbuf);
-	ret = npf_ncode_process(&npc, nc_match6, &nbuf, NPF_LAYER_3);
-	fail |= retcode_fail_p("IPv6 mask", verbose, ret, 0);
-	m_freem(m);
-
-	return !fail;
-}
--- a/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_rule_test.c,v 1.8 2013/09/19 01:04:46 rmind Exp $	*/
+/*	$NetBSD: npf_rule_test.c,v 1.9 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*
  * NPF ruleset test.
@@ -89,9 +89,6 @@
 	rl = npf_ruleset_inspect(&npc, &nbuf, npf_config_ruleset(),
 	    di, NPF_LAYER_3);
 	if (rl) {
-		if (verbose) {
-			npf_rulenc_dump(rl);
-		}
 		error = npf_rule_conclude(rl, &retfl);
 	} else {
 		error = ENOENT;
--- a/usr.sbin/npf/npftest/libnpftest/npf_test.h	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npftest/libnpftest/npf_test.h	Thu Sep 19 01:49:07 2013 +0000
@@ -39,7 +39,6 @@
 void		mbuf_icmp_append(struct mbuf *, struct mbuf *);
 
 bool		npf_nbuf_test(bool);
-bool		npf_processor_test(bool);
 bool		npf_bpf_test(bool);
 bool		npf_table_test(bool);
 bool		npf_state_test(bool);
--- a/usr.sbin/npf/npftest/npftest.c	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npftest/npftest.c	Thu Sep 19 01:49:07 2013 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npftest.c,v 1.9 2013/09/19 01:04:45 rmind Exp $	*/
+/*	$NetBSD: npftest.c,v 1.10 2013/09/19 01:49:07 rmind Exp $	*/
 
 /*
  * NPF testing framework.
@@ -52,7 +52,7 @@
 describe_tests(void)
 {
 	printf(	"nbuf\tbasic npf mbuf handling\n"
-		"processor\tncode processing\n"
+		"bpf\tBPF coprocessor\n"
 		"table\ttable handling\n"
 		"state\tstate handling and processing\n"
 		"rule\trule processing\n"
@@ -227,12 +227,6 @@
 			tname_matched = true;
 		}
 
-		if (!testname || strcmp("processor", testname) == 0) {
-			ok = rumpns_npf_processor_test(verbose);
-			fail |= result("processor", ok);
-			tname_matched = true;
-		}
-
 		if (!testname || strcmp("table", testname) == 0) {
 			ok = rumpns_npf_table_test(verbose);
 			fail |= result("table", ok);
--- a/usr.sbin/npf/npftest/npftest.h	Thu Sep 19 01:04:45 2013 +0000
+++ b/usr.sbin/npf/npftest/npftest.h	Thu Sep 19 01:49:07 2013 +0000
@@ -18,7 +18,6 @@
 		    unsigned, bool, int64_t *);
 
 bool		rumpns_npf_nbuf_test(bool);
-bool		rumpns_npf_processor_test(bool);
 bool		rumpns_npf_bpf_test(bool);
 bool		rumpns_npf_table_test(bool);
 bool		rumpns_npf_state_test(bool);