- Expire all sessions on flush. trunk
authorrmind <rmind@NetBSD.org>
Sun, 15 Jan 2012 00:49:47 +0000
branchtrunk
changeset 208191 564836abe1bc
parent 208190 73c45537ebb8
child 208192 edd415e5347a
- Expire all sessions on flush. - Enable checking for zero mask in IP{4,6}MATCH after npfctl changes. - Make locking symmetric for npf_ruleset_inspect(). - Sync function prototypes in npf(3) man page with reality. - Rename NPF_TABLE_RBTREE to NPF_TABLE_TREE.
lib/libnpf/npf.3
lib/libnpf/npf.c
lib/libnpf/npf.h
sys/net/npf/npf.c
sys/net/npf/npf.h
sys/net/npf/npf_ctl.c
sys/net/npf/npf_handler.c
sys/net/npf/npf_instr.c
sys/net/npf/npf_nat.c
sys/net/npf/npf_processor.c
sys/net/npf/npf_ruleset.c
sys/net/npf/npf_tableset.c
usr.sbin/npf/npfctl/npf_build.c
usr.sbin/npf/npfctl/npf_parse.y
usr.sbin/npf/npfctl/npf_var.c
usr.sbin/npf/npfctl/npfctl.c
usr.sbin/npf/npfctl/npfctl.h
--- a/lib/libnpf/npf.3	Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.3	Sun Jan 15 00:49:47 2012 +0000
@@ -1,6 +1,6 @@
-.\"	$NetBSD: npf.3,v 1.3 2011/03/22 07:28:41 jruoho Exp $
+.\"	$NetBSD: npf.3,v 1.4 2012/01/15 00:49:47 rmind Exp $
 .\"
-.\" Copyright (c) 2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 22, 2011
+.Dd January 14, 2012
 .Dt NPF 3
 .Os
 .Sh NAME
@@ -44,6 +44,8 @@
 .Fn npf_config_submit "nl_config_t *ncf" "int fd"
 .Ft void
 .Fn npf_config_destroy "nl_config_t *ncf"
+.Ft int
+.Fn npf_config_flush "int fd"
 .\" ---
 .Ft nl_rule_t *
 .Fn npf_rule_create "char *name" "uint32_t attr" "u_int if_idx"
@@ -67,13 +69,13 @@
 .Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp"
 .\" ---
 .Ft nl_nat_t *
-.Fn npf_nat_create "int type" "int flags" "u_int if_idx" \
+.Fn npf_nat_create "int type" "u_int flags" "u_int if_idx" \
 "npf_addr_t *addr" "int af" "in_port_t port"
 .Ft int
 .Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri"
 .\" ---
 .Ft nl_table_t *
-.Fn npf_table_create "int index" "int type"
+.Fn npf_table_create "u_int id" "int type"
 .Ft int
 .Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
 .Ft bool
@@ -84,7 +86,7 @@
 .Fn npf_table_destroy "nl_table_t *tl"
 .\" ---
 .Ft int
-.Fn npf_update_rule "int fd" "char *rname" "nl_rule_t *rl"
+.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
 .Ft int
 .Fn npf_sessions_send "int fd" "const char *fpath"
 .Ft int
@@ -109,6 +111,8 @@
 .It Fn npf_config_destroy "ncf"
 Destroy the configuration
 .Fa ncf .
+.It Fn npf_config_flush "fd"
+Flush the current configuration.
 .El
 .\" ---
 .Ss Rule interface
@@ -247,10 +251,10 @@
 .It Fn npf_table_create "index" "type"
 Create NPF table of specified type.
 The following types are supported:
-.Bl -tag -width "NPF_TABLE_RBTREE "
+.Bl -tag -width "NPF_TABLE_TREE "
 .It Dv NPF_TABLE_HASH
 Indicates to use hash table for storage.
-.It Dv NPF_TABLE_RBTREE
+.It Dv NPF_TABLE_TREE
 Indicates to use red-black tree for storage.
 Table is identified by
 .Fa index ,
--- a/lib/libnpf/npf.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $	*/
+/*	$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.5 2011/11/26 23:42:27 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2012/01/15 00:49:47 rmind Exp $");
 
 #include <sys/types.h>
 #include <netinet/in_systm.h>
@@ -56,6 +56,7 @@
 	pri_t			ncf_nat_pri;
 	/* Custom file to externalise property-list. */
 	const char *		ncf_plist;
+	bool			ncf_flush;
 };
 
 struct nl_rule {
@@ -92,6 +93,7 @@
 	ncf->ncf_nat_pri = 1;
 
 	ncf->ncf_plist = NULL;
+	ncf->ncf_flush = false;
 
 	return ncf;
 }
@@ -111,6 +113,7 @@
 	prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
 	prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
 	prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
+	prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
 
 	if (plist) {
 		if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@@ -123,6 +126,22 @@
 	return error;
 }
 
+int
+npf_config_flush(int fd)
+{
+	nl_config_t *ncf;
+	int error;
+
+	ncf = npf_config_create();
+	if (ncf == NULL) {
+		return ENOMEM;
+	}
+	ncf->ncf_flush = true;
+	error = npf_config_submit(ncf, fd);
+	npf_config_destroy(ncf);
+	return error;
+}
+
 void
 npf_config_destroy(nl_config_t *ncf)
 {
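Review bot: npf_config_flush has no header comment stating what a flush is on the wire, and the contract changed relative to the npfctl_config_flush it replaces (removed in usr.sbin/npf/npfctl/npf_build.c): the old helper also sent an empty session list via npf_sessions_send(fd, NULL), whereas the new function only submits an empty configuration with the "flush" property set, so session expiry now depends entirely on the kernel honouring that flag. A comment above the definition would make that explicit, e.g. `/* npf_config_flush: submit an empty configuration with the "flush" flag set; the kernel is expected to expire all sessions as part of the reload. */`. The error from npf_config_submit is correctly preserved across npf_config_destroy; returning ENOMEM when npf_config_create fails is presumably the same errno-style convention npf_config_submit uses, but that is inferred rather than visible here.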
@@ -510,7 +529,6 @@
  */
 
 int
-/*ARGSUSED*/
 npf_update_rule(int fd, const char *rname __unused, nl_rule_t *rl)
 {
 	prop_dictionary_t rldict = rl->nrl_dict;
--- a/lib/libnpf/npf.h	Sun Jan 15 00:25:33 2012 +0000
+++ b/lib/libnpf/npf.h	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.4 2011/11/26 23:42:27 christos Exp $	*/
+/*	$NetBSD: npf.h,v 1.5 2012/01/15 00:49:47 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011 The NetBSD Foundation, Inc.
@@ -63,6 +63,7 @@
 nl_config_t *	npf_config_create(void);
 int		npf_config_submit(nl_config_t *, int);
 void		npf_config_destroy(nl_config_t *);
+int		npf_config_flush(int);
 #ifdef _NPF_PRIVATE
 void		_npf_config_setsubmit(nl_config_t *, const char *);
 #endif
--- a/sys/net/npf/npf.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $	*/
+/*	$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.6 2011/11/06 13:08:04 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.7 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -285,9 +285,6 @@
 	/* Unlock.  Everything goes "live" now. */
 	rw_exit(&npf_lock);
 
-	/* Turn on/off session tracking accordingly. */
-	npf_session_tracking(true);
-
 	if (onc) {
 		/* Destroy unloaded structures. */
 		npf_core_destroy(onc);
--- a/sys/net/npf/npf.h	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf.h	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf.h,v 1.11 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf.h,v 1.12 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -248,7 +248,7 @@
 
 /* Table types. */
 #define	NPF_TABLE_HASH			1
-#define	NPF_TABLE_RBTREE		2
+#define	NPF_TABLE_TREE			2
 
 /* Layers. */
 #define	NPF_LAYER_2			2
--- a/sys/net/npf/npf_ctl.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_ctl.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.10 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.11 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -376,6 +376,7 @@
 	npf_ruleset_t *rlset = NULL;
 	npf_ruleset_t *nset = NULL;
 	prop_dictionary_t dict;
+	bool flush;
 	int error;
 
 	/* Retrieve the dictionary. */
@@ -413,12 +414,18 @@
 		goto fail;
 	}
 
+	flush = false;
+	prop_dictionary_get_bool(dict, "flush", &flush);
+
 	/*
 	 * Finally - reload ruleset, tableset and NAT policies.
 	 * Operation will be performed as a single transaction.
 	 */
 	npf_reload(rlset, tblset, nset);
 
+	/* Turn on/off session tracking accordingly. */
+	npf_session_tracking(!flush);
+
 	/* Done.  Since data is consumed now, we shall not destroy it. */
 	tblset = NULL;
 	rlset = NULL;
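Review bot: Session tracking is switched off only after npf_reload has already made the flushed (empty) ruleset live, so if npf_session_tracking(false) is what actually expires the sessions there is a window in which established sessions are still honoured against a configuration that no longer permits them; if the call is safe to make before the reload, consider issuing it first when flush is set, otherwise a comment justifying the order would help a reader. The return value of prop_dictionary_get_bool is intentionally ignored because flush is pre-set to false, which deserves a one-line note: `/* "flush" is optional; absent means an ordinary reload. */`. The enclosing function starts and ends outside the hunk, so I cannot see whether any earlier failure path needs to care about the new flag.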
--- a/sys/net/npf/npf_handler.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_handler.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.11 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.12 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -156,6 +156,7 @@
 	rlset = npf_core_ruleset();
 	rl = npf_ruleset_inspect(&npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
 	if (rl == NULL) {
+		npf_core_exit();
 		if (default_pass) {
 			npf_stats_inc(NPF_STAT_PASS_DEFAULT);
 			goto pass;
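Review bot: The added npf_core_exit() on the rl == NULL path is the right complement to npf_ruleset_inspect no longer releasing the lock on a miss, but the consequence is that every other early return after the inspect call in this function — which starts and ends outside the hunk, so I cannot check them — must now release the lock too; the same applies to the matching one-line change in sys/net/npf/npf_nat.c. A short comment at the inspect call site would make the new contract obvious to the next maintainer: `/* Core lock stays held regardless of result; every exit below must npf_core_exit(). */`.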
--- a/sys/net/npf/npf_instr.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_instr.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_instr.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -50,9 +50,9 @@
 #define	NPF_PORTRANGE_MATCH(r, p)	(p >= (r >> 16) && p <= (r & 0xffff))
 
 /*
- * npf_match_ether: find and check Ethernet and possible VLAN headers.
+ * npf_match_ether: find and check Ethernet with possible VLAN headers.
  *
- * => Stores value in to advance to layer 3 header (usually, IPv4).
+ * => Stores value in the register for advancing to layer 3 header.
  * => Returns zero on success or -1 on failure.
  */
 int
@@ -127,11 +127,6 @@
 		}
 		KASSERT(npf_iscached(npc, NPC_IP46));
 	}
-#if 1	/* XXX */
-	if (mask == 0) {
-		return 0;
-	}
-#endif
 	addr = sd ? npc->npc_srcip : npc->npc_dstip;
 	if (mask != NPF_NO_NETMASK) {
 		npf_calculate_masked_addr(&cmpaddr, addr, mask);
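Review bot: With the mask == 0 early return gone, npf_match_ipmask now relies entirely on the n-code validator in sys/net/npf/npf_processor.c rejecting a zero mask; the removed code made a zero mask succeed unconditionally, which silently widened a rule to any address, and nothing in this function now documents that the invariant is enforced elsewhere. Since validated n-code is presumably the only way this function is reached, an assertion states the invariant cheaply: `KASSERT(mask != 0);` immediately before the `if (mask != NPF_NO_NETMASK)` branch. The enclosing function starts outside the hunk.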
--- a/sys/net/npf/npf_nat.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_nat.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2011 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.8 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -402,6 +402,7 @@
 	rlset = npf_core_natset();
 	rl = npf_ruleset_inspect(npc, nbuf, rlset, ifp, di, NPF_LAYER_3);
 	if (rl == NULL) {
+		npf_core_exit();
 		return NULL;
 	}
 	np = npf_rule_getnat(rl);
--- a/sys/net/npf/npf_processor.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_processor.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
@@ -54,7 +54,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.7 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_processor.c,v 1.8 2012/01/15 00:49:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -283,13 +283,14 @@
 		cmpval = npf_match_ether(nbuf, d, n, i, &regs[NPF_NREGS - 1]);
 		break;
 	case NPF_OPCODE_IP4MASK:
-		/* Source/destination, network address, subnet mask. */
+		/* Source/destination, network address, subnet. */
 		i_ptr = nc_fetch_word(i_ptr, &d);
 		i_ptr = nc_fetch_double(i_ptr, &addr.s6_addr32[0], &n);
 		cmpval = npf_match_ipmask(npc, nbuf, n_ptr, d, &addr,
 		    (npf_netmask_t)n);
 		break;
 	case NPF_OPCODE_IP6MASK:
+		/* Source/destination, network address, subnet. */
 		i_ptr = nc_fetch_word(i_ptr, &d);
 		i_ptr = nc_fetch_double(i_ptr,
 		    &addr.s6_addr32[0], &addr.s6_addr32[1]);
@@ -455,7 +456,7 @@
 		if (error) {
 			return error;
 		}
-		if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
+		if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
 			return NPF_ERR_INVAL;
 		}
 		break;
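Review bot: The netmask validity test is now duplicated verbatim between the IP4MASK case here and the IP6MASK case in the hunk at @@ -464,7 +465,7 @@, and neither says why zero is refused; a `static inline` predicate taking val and returning whether it is a usable netmask would keep the two in step, or at minimum a comment on each: `/* Zero mask would match any address, so it is rejected at validation time. */`. NPF_MAX_NETMASK is applied to both address families, so if the IPv6 limit differs from the IPv4 one that is worth confirming, though I cannot see its definition from this hunk. The enclosing function starts and ends outside the hunk.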
@@ -464,7 +465,7 @@
 		if (error) {
 			return error;
 		}
-		if (/* XXX !val ||*/ (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
+		if (!val || (val > NPF_MAX_NETMASK && val != NPF_NO_NETMASK)) {
 			return NPF_ERR_INVAL;
 		}
 		break;
--- a/sys/net/npf/npf_ruleset.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_ruleset.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.8 2011/12/08 23:36:57 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -458,8 +458,7 @@
  * Loop through the rules in the set and run n-code processor of each rule
  * against the packet (nbuf chain).  If sub-ruleset is found, inspect it.
  *
- * => If not found, core ruleset lock is released.
- * => Caller should protect the nbuf chain.
+ * => Caller is responsible for nbuf chain protection.
  */
 npf_rule_t *
 npf_ruleset_inspect(npf_cache_t *npc, nbuf_t *nbuf, npf_ruleset_t *mainrlset,
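Review bot: The rewritten header comment drops the note about the core ruleset lock without replacing it, yet that is exactly what changed: npf_ruleset_inspect used to call npf_core_exit() when no rule matched (removed in the next hunk) and now never touches the lock, so callers must hold it across the call and release it on every outcome. Suggest keeping a lock line next to the nbuf one: `* => Caller holds the core lock; it is not released here on any path.`. The function body continues past the end of the hunk.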
@@ -508,9 +507,6 @@
 		final_rl = NULL;
 		goto again;
 	}
-	if (final_rl == NULL) {
-		npf_core_exit();
-	}
 	return final_rl;
 }
 
--- a/sys/net/npf/npf_tableset.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/sys/net/npf/npf_tableset.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,7 +1,7 @@
-/*	$NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $	*/
+/*	$NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $	*/
 
 /*-
- * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+ * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.8 2011/11/29 20:05:30 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9 2012/01/15 00:49:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -208,7 +208,7 @@
 
 	t = kmem_zalloc(sizeof(npf_table_t), KM_SLEEP);
 	switch (type) {
-	case NPF_TABLE_RBTREE:
+	case NPF_TABLE_TREE:
 		rb_tree_init(&t->t_rbtree, &table_rbtree_ops);
 		break;
 	case NPF_TABLE_HASH:
@@ -247,7 +247,7 @@
 		}
 		hashdone(t->t_hashl, HASH_LIST, t->t_hashmask);
 		break;
-	case NPF_TABLE_RBTREE:
+	case NPF_TABLE_TREE:
 		while ((e = rb_tree_iterate(&t->t_rbtree, NULL,
 		    RB_DIR_LEFT)) != NULL) {
 			rb_tree_remove_node(&t->t_rbtree, e);
@@ -331,7 +331,7 @@
 	if (tset[tid] != NULL) {
 		return EEXIST;
 	}
-	if (type != NPF_TABLE_RBTREE && type != NPF_TABLE_HASH) {
+	if (type != NPF_TABLE_TREE && type != NPF_TABLE_HASH) {
 		return EINVAL;
 	}
 	return 0;
@@ -384,7 +384,7 @@
 			error = EEXIST;
 		}
 		break;
-	case NPF_TABLE_RBTREE:
+	case NPF_TABLE_TREE:
 		/* Insert entry.  Returns false, if duplicate. */
 		if (rb_tree_insert_node(&t->t_rbtree, e) != e) {
 			error = EEXIST;
@@ -444,7 +444,7 @@
 			error = ESRCH;
 		}
 		break;
-	case NPF_TABLE_RBTREE:
+	case NPF_TABLE_TREE:
 		/* Key: (address & mask). */
 		npf_calculate_masked_addr(&val, addr, mask);
 		e = rb_tree_find_node(&t->t_rbtree, &val);
@@ -491,7 +491,7 @@
 				break;
 		}
 		break;
-	case NPF_TABLE_RBTREE:
+	case NPF_TABLE_TREE:
 		e = rb_tree_find_node(&t->t_rbtree, addr);
 		KASSERT(e && npf_compare_cidr(addr, e->te_mask, &e->te_addr,
 		    NPF_NO_NETMASK) == 0);
--- a/usr.sbin/npf/npfctl/npf_build.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.1 2012/01/08 21:34:21 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.2 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -79,21 +79,6 @@
 	return error;
 }
 
-int
-npfctl_config_flush(int fd)
-{
-	int ret;
-
-	/* Pass empty configuration to flush. */
-	npfctl_config_init(false);
-	defgroup_set = true;
-	ret = npfctl_config_send(fd);
-	if (ret) {
-		return ret;
-	}
-	return npf_sessions_send(fd, NULL);
-}
-
 bool
 npfctl_table_exists_p(const char *id)
 {
--- a/usr.sbin/npf/npfctl/npf_parse.y	Sun Jan 15 00:25:33 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.2 2012/01/12 20:41:33 christos Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.3 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -240,7 +240,7 @@
 
 table_type
 	: HASH		{ $$ = NPF_TABLE_HASH; }
-	| TREE		{ $$ = NPF_TABLE_RBTREE; }
+	| TREE		{ $$ = NPF_TABLE_TREE; }
 	;
 
 table_store
--- a/usr.sbin/npf/npfctl/npf_var.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_var.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $	*/
+/*	$NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_var.c,v 1.2 2012/01/12 20:41:33 christos Exp $");
+__RCSID("$NetBSD: npf_var.c,v 1.3 2012/01/15 00:49:48 rmind Exp $");
 
 #include <stdlib.h>
 #include <string.h>
@@ -217,9 +217,10 @@
 		el = el->e_next;
 	}
 
-	if (vp->v_type == NPFVAR_VAR_ID)
-		return npfvar_get_data1(npfvar_lookup(el->e_data), type, 0,
-			level + 1);
+	if (vp->v_type == NPFVAR_VAR_ID) {
+		npfvar_t *rvp = npfvar_lookup(el->e_data);
+		return npfvar_get_data1(rvp, type, 0, level + 1);
+	}
 	return el->e_data;
 }
 
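Review bot: rvp is passed straight into the recursive npfvar_get_data1 call without a NULL check, and the recursion reads vp->v_type (the condition on the first changed line), so if npfvar_lookup can return NULL for an undefined variable name this dereferences NULL unless the function guards vp at its entry, which lies outside the hunk. If no such guard exists, a check before the recursive call, for example `if (rvp == NULL) return NULL;` adapted to whatever error convention the file uses, would make a bad variable reference in the configuration fail cleanly instead of crashing npfctl. The enclosing function starts outside the hunk.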
--- a/usr.sbin/npf/npfctl/npfctl.c	Sun Jan 15 00:25:33 2012 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.c	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.8 2012/01/08 21:34:21 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.9 2012/01/15 00:49:48 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -239,7 +239,7 @@
 		ret = npfctl_config_send(fd);
 		break;
 	case NPFCTL_FLUSH:
-		ret = npfctl_config_flush(fd);
+		ret = npf_config_flush(fd);
 		break;
 	case NPFCTL_TABLE:
 		if (argc < 5) {
--- a/usr.sbin/npf/npfctl/npfctl.h	Sun Jan 15 00:25:33 2012 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.h	Sun Jan 15 00:49:47 2012 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.9 2012/01/10 23:39:32 joerg Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.10 2012/01/15 00:49:48 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -144,7 +144,6 @@
 
 void		npfctl_config_init(bool);
 int		npfctl_config_send(int);
-int		npfctl_config_flush(int);
 
 void		npfctl_build_rproc(const char *, npfvar_t *);
 void		npfctl_build_group(const char *, int, u_int);