--- //depot/vendor/freebsd/src/libexec/Makefile	2006/03/17 19:37:53
+++ //depot/user/mlaier/pfsrc/libexec/Makefile	2007/06/06 14:44:00
@@ -8,7 +8,6 @@
 	comsat \
 	fingerd \
 	ftpd \
-	${_ftp-proxy} \
 	getty \
 	lukemftpd \
 	${_mail.local} \
@@ -39,10 +38,6 @@
 _ypxfr=		ypxfr
 .endif
 
-.if ${MK_PF} != "no"
-_ftp-proxy=	ftp-proxy
-.endif
-
 .if !defined(NO_PIC)
 _rtld-elf=	rtld-elf
 .endif
--- //depot/vendor/freebsd/src/sbin/pfctl/Makefile	2006/04/13 14:39:22
+++ //depot/user/mlaier/pfsrc/sbin/pfctl/Makefile	2007/06/06 11:53:39
@@ -1,6 +1,7 @@
 # $FreeBSD: src/sbin/pfctl/Makefile,v 1.6 2006/04/13 12:49:24 ru Exp $
 
 .PATH:	${.CURDIR}/../../contrib/pf/pfctl
+.PATH:	${.CURDIR}/../../sys/contrib/pf/net
 .PATH:	${.CURDIR}/../../contrib/pf/man
 
 PROG=	pfctl
@@ -9,6 +10,7 @@
 SRCS = pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
 SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
 SRCS+= pfctl_optimize.c
+SRCS+= pf_ruleset.c
 
 CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
 CFLAGS+= -Wstrict-prototypes -I${.CURDIR}/../../contrib/pf/pfctl
--- //depot/vendor/freebsd/src/sys/conf/files	2007/06/05 00:18:25
+++ //depot/user/mlaier/pfsrc/sys/conf/files	2007/06/07 15:47:18
@@ -327,16 +327,18 @@
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_if.c		optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
-contrib/pf/net/pf_subr.c	optional pf \
-	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_ioctl.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_norm.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_osfp.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_ruleset.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
+contrib/pf/net/pf_subr.c	optional pf \
+	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/net/pf_table.c	optional pf \
 	compile-with "${NORMAL_C} -I$S/contrib/pf"
-contrib/pf/net/pf_osfp.c	optional pf \
-	compile-with "${NORMAL_C} -I$S/contrib/pf"
 contrib/pf/netinet/in4_cksum.c	optional pf inet
 crypto/blowfish/bf_ecb.c	optional ipsec ipsec_esp
 crypto/blowfish/bf_skey.c	optional crypto | ipsec ipsec_esp
--- //depot/vendor/freebsd/src/sys/modules/pf/Makefile	2006/09/12 04:26:21
+++ //depot/user/mlaier/pfsrc/sys/modules/pf/Makefile	2007/06/05 15:17:06
@@ -7,6 +7,7 @@
 
 KMOD=	pf
 SRCS = 	pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c \
+	pf_ruleset.c \
 	in4_cksum.c \
 	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h
 
--- //depot/vendor/freebsd/src/sys/net/if_ethersubr.c	2007/05/29 12:43:19
+++ //depot/user/mlaier/pfsrc/sys/net/if_ethersubr.c	2007/06/07 14:19:00
@@ -300,8 +300,7 @@
 	 * on the wire). However, we don't do that here for security
 	 * reasons and compatibility with the original behavior.
 	 */
-	if ((ifp->if_flags & IFF_SIMPLEX) && loop_copy &&
-	    m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL) {
+	if ((ifp->if_flags & IFF_SIMPLEX) && loop_copy) {
 		int csum_flags = 0;
 
 		if (m->m_pkthdr.csum_flags & CSUM_IP)
--- //depot/vendor/freebsd/src/sys/netinet6/in6.h	2006/03/28 12:52:24
+++ //depot/user/mlaier/pfsrc/sys/netinet6/in6.h	2007/06/05 01:03:14
@@ -350,6 +350,11 @@
 #define IN6_IS_SCOPE_LINKLOCAL(a)	\
 	((IN6_IS_ADDR_LINKLOCAL(a)) ||	\
 	 (IN6_IS_ADDR_MC_LINKLOCAL(a)))
+#define	IN6_IS_SCOPE_EMBED(a)			\
+	((IN6_IS_ADDR_LINKLOCAL(a)) ||		\
+	 (IN6_IS_ADDR_MC_LINKLOCAL(a)) || 	\
+	 (IN6_IS_ADDR_MC_INTFACELOCAL(a)))
+                          
 
 #define IFA6_IS_DEPRECATED(a) \
 	((a)->ia6_lifetime.ia6t_pltime != ND6_INFINITE_LIFETIME && \
--- //depot/vendor/freebsd/src/sys/sys/mbuf.h	2007/04/15 06:32:19
+++ //depot/user/mlaier/pfsrc/sys/sys/mbuf.h	2007/06/07 14:02:05
@@ -833,12 +833,9 @@
 #define	PACKET_TAG_DIVERT			17 /* divert info */
 #define	PACKET_TAG_IPFORWARD			18 /* ipforward info */
 #define	PACKET_TAG_MACLABEL	(19 | MTAG_PERSISTENT) /* MAC label */
-#define	PACKET_TAG_PF_ROUTED			21 /* PF routed, avoid loops */
-#define	PACKET_TAG_PF_FRAGCACHE			22 /* PF fragment cached */
-#define	PACKET_TAG_PF_QID			23 /* PF ALTQ queue id */
-#define	PACKET_TAG_PF_TAG			24 /* PF tagged */
+#define	PACKET_TAG_PF				21 /* PF + ALTQ information */
+#define	PACKET_TAG_PF_QID			23 /* XXX: ALTQ information */
 #define	PACKET_TAG_RTSOCKFAM			25 /* rtsock sa family */
-#define	PACKET_TAG_PF_TRANSLATE_LOCALHOST	26 /* PF translate localhost */
 #define	PACKET_TAG_IPOPTIONS			27 /* Saved IP options */
 #define	PACKET_TAG_CARP                         28 /* CARP info */
 
--- //depot/vendor/freebsd/src/usr.sbin/Makefile	2007/01/29 07:42:01
+++ //depot/user/mlaier/pfsrc/usr.sbin/Makefile	2007/06/06 14:44:00
@@ -56,6 +56,7 @@
 	fdwrite \
 	flowctl \
 	freebsd-update \
+	${_ftp-proxy} \
 	fwcontrol \
 	getfmac \
 	getpmac \
@@ -229,6 +230,10 @@
 _keyserv=	keyserv
 .endif
 
+.if ${MK_PF} != "no"
+_ftp-proxy=	ftp-proxy
+.endif
+
 .if ${MK_INET6} != "no"
 _faithd=	faithd
 _ip6addrctl=	ip6addrctl
--- //depot/vendor/freebsd/src/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c	2005/11/30 21:37:39
+++ //depot/user/mlaier/pfsrc/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c	2007/06/06 15:22:20
@@ -60,7 +60,7 @@
 #define PFI_IFTYPE_DETACHED	2
 
 struct pfi_entry {
-	struct pfi_if	pfi;
+	struct pfi_kif	pfi;
 	u_int		index;
 	TAILQ_ENTRY(pfi_entry) link;
 };
@@ -544,83 +544,83 @@
 
 	switch (which) {
 		case LEAF_pfInterfacesIfDescr:
-			return (string_get(val, e->pfi.pfif_name, -1));
+			return (string_get(val, e->pfi.pfik_name, -1));
 		case LEAF_pfInterfacesIfType:
 			val->v.integer = PFI_IFTYPE_INSTANCE;
 			break;
 		case LEAF_pfInterfacesIfTZero:
 			val->v.uint32 =
-			    (time(NULL) - e->pfi.pfif_tzero) * 100;
+			    (time(NULL) - e->pfi.pfik_tzero) * 100;
 			break;
 		case LEAF_pfInterfacesIfRefsState:
-			val->v.uint32 = e->pfi.pfif_states;
+			val->v.uint32 = e->pfi.pfik_states;
 			break;
 		case LEAF_pfInterfacesIfRefsRule:
-			val->v.uint32 = e->pfi.pfif_rules;
+			val->v.uint32 = e->pfi.pfik_rules;
 			break;
 		case LEAF_pfInterfacesIf4BytesInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][IN][PASS];
+			    e->pfi.pfik_bytes[IPV4][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf4BytesInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][IN][BLOCK];
+			    e->pfi.pfik_bytes[IPV4][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4BytesOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][OUT][PASS];
+			    e->pfi.pfik_bytes[IPV4][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf4BytesOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV4][OUT][BLOCK];
+			    e->pfi.pfik_bytes[IPV4][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4PktsInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][IN][PASS];
+			    e->pfi.pfik_packets[IPV4][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf4PktsInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][IN][BLOCK];
+			    e->pfi.pfik_packets[IPV4][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf4PktsOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][OUT][PASS];
+			    e->pfi.pfik_packets[IPV4][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf4PktsOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV4][OUT][BLOCK];
+			    e->pfi.pfik_packets[IPV4][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6BytesInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][IN][PASS];
+			    e->pfi.pfik_bytes[IPV6][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf6BytesInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][IN][BLOCK];
+			    e->pfi.pfik_bytes[IPV6][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6BytesOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][OUT][PASS];
+			    e->pfi.pfik_bytes[IPV6][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf6BytesOutBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_bytes[IPV6][OUT][BLOCK];
+			    e->pfi.pfik_bytes[IPV6][OUT][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6PktsInPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][IN][PASS];
+			    e->pfi.pfik_packets[IPV6][IN][PASS];
 			break;
 		case LEAF_pfInterfacesIf6PktsInBlock:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][IN][BLOCK];
+			    e->pfi.pfik_packets[IPV6][IN][BLOCK];
 			break;
 		case LEAF_pfInterfacesIf6PktsOutPass:
 			val->v.counter64 =
-			    e->pfi.pfif_packets[IPV6][OUT][PASS];
+			    e->pfi.pfik_packets[IPV6][OUT][PASS];
 			break;
 		case LEAF_pfInterfacesIf6PktsOutBlock:
 			val->v.counter64 = 
-			    e->pfi.pfif_packets[IPV6][OUT][BLOCK];
+			    e->pfi.pfik_packets[IPV6][OUT][BLOCK];
 			break;
 
 		default:
@@ -911,7 +911,7 @@
 pfi_refresh(void)
 {
 	struct pfioc_iface io;
-	struct pfi_if *p = NULL;
+	struct pfi_kif *p = NULL;
 	struct pfi_entry *e;
 	int i, numifs = 1;
 
@@ -925,11 +925,10 @@
 	}
 
 	bzero(&io, sizeof(io));
-	io.pfiio_flags = PFI_FLAG_INSTANCE;
-	io.pfiio_esize = sizeof(struct pfi_if);
+	io.pfiio_esize = sizeof(struct pfi_kif);
 
 	for (;;) {
-		p = reallocf(p, numifs * sizeof(struct pfi_if));
+		p = reallocf(p, numifs * sizeof(struct pfi_kif));
 		if (p == NULL) {
 			syslog(LOG_ERR, "pfi_refresh(): reallocf() numifs=%d: %s",
 			    numifs, strerror(errno));
@@ -955,7 +954,7 @@
 		if (e == NULL)
 			goto err1;
 		e->index = i + 1;
-		memcpy(&e->pfi, p+i, sizeof(struct pfi_if));
+		memcpy(&e->pfi, p+i, sizeof(struct pfi_kif));
 		TAILQ_INSERT_TAIL(&pfi_table, e, link);
 	}