]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/net/pfvar.h
xnu-7195.81.3.tar.gz
[apple/xnu.git] / bsd / net / pfvar.h
index d7ea4c6d1b1eb5efab7155c0989c6471a54f427d..6e0eb0ef5b2ba6f9a5d10a1d0b0aaa8ef5b2c6a9 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2017 Apple Inc. All rights reserved.
+ * Copyright (c) 2007-2019 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
@@ -95,27 +95,27 @@ extern "C" {
 
 
 #if BYTE_ORDER == BIG_ENDIAN
-#define        htobe64(x)      (x)
+#define htobe64(x)      (x)
 #else /* LITTLE ENDIAN */
-#define        htobe64(x)      __DARWIN_OSSwapInt64(x)
+#define htobe64(x)      __DARWIN_OSSwapInt64(x)
 #endif /* LITTLE_ENDIAN */
 
-#define        be64toh(x)      htobe64(x)
+#define be64toh(x)      htobe64(x)
 
 extern lck_rw_t *pf_perim_lock;
 extern lck_mtx_t *pf_lock;
 
 struct pool {
-       struct zone     *pool_zone;     /* pointer to backend zone */
-       const char      *pool_name;     /* name of pool */
-       unsigned int    pool_count;     /* # of outstanding elements */
-       unsigned int    pool_hiwat;     /* high watermark */
-       unsigned int    pool_limit;     /* hard limit */
-       unsigned int    pool_fails;     /* # of failed allocs due to limit */
+       struct zone     *pool_zone;     /* pointer to backend zone */
+       const char      *pool_name;     /* name of pool */
+       unsigned int    pool_count;     /* # of outstanding elements */
+       unsigned int    pool_hiwat;     /* high watermark */
+       unsigned int    pool_limit;     /* hard limit */
+       unsigned int    pool_fails;     /* # of failed allocs due to limit */
 };
 
-#define        PR_NOWAIT       FALSE
-#define        PR_WAITOK       TRUE
+#define PR_NOWAIT       FALSE
+#define PR_WAITOK       TRUE
 
 __private_extern__ void pool_init(struct pool *, size_t, unsigned int,
     unsigned int, int, const char *, void *);
@@ -130,15 +130,15 @@ __private_extern__ u_int64_t pf_calendar_time_second(void);
 #endif /* KERNEL */
 
 union sockaddr_union {
-       struct sockaddr         sa;
-       struct sockaddr_in      sin;
-       struct sockaddr_in6     sin6;
+       struct sockaddr         sa;
+       struct sockaddr_in      sin;
+       struct sockaddr_in6     sin6;
 };
 
-#define        PF_TCPS_PROXY_SRC       ((TCP_NSTATES)+0)
-#define        PF_TCPS_PROXY_DST       ((TCP_NSTATES)+1)
+#define PF_TCPS_PROXY_SRC       ((TCP_NSTATES)+0)
+#define PF_TCPS_PROXY_DST       ((TCP_NSTATES)+1)
 
-#define        PF_MD5_DIGEST_LENGTH    16
+#define PF_MD5_DIGEST_LENGTH    16
 #ifdef MD5_DIGEST_LENGTH
 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
 #error
@@ -153,28 +153,28 @@ struct pf_grev1_hdr;
 struct pf_esp_hdr;
 #endif /* KERNEL */
 
-#define PF_GRE_PPTP_VARIANT    0x01
+#define PF_GRE_PPTP_VARIANT     0x01
 
-enum   { PF_INOUT, PF_IN, PF_OUT };
-enum   { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
+enum    { PF_INOUT, PF_IN, PF_OUT };
+enum    { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
          PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP,
          PF_DUMMYNET, PF_NODUMMYNET, PF_NAT64, PF_NONAT64 };
-enum   { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
-         PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_DUMMYNET, 
+enum    { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
+         PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_DUMMYNET,
          PF_RULESET_MAX };
-enum   { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
+enum    { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
          PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
-enum   { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
-enum   { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
+enum    { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
+enum    { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
          PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
          PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
-enum   { PF_GET_NONE, PF_GET_CLR_CNTR };
+enum    { PF_GET_NONE, PF_GET_CLR_CNTR };
 
 /*
  * Note about PFTM_*: real indices into pf_rule.timeout[] come before
  * PFTM_MAX, special cases afterwards. See pf_state_expires().
  */
-enum   { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
+enum    { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
          PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
          PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
          PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
@@ -186,73 +186,73 @@ enum      { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
          PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED };
 
 /* PFTM default values */
-#define PFTM_TCP_FIRST_PACKET_VAL      120     /* First TCP packet */
-#define PFTM_TCP_OPENING_VAL           30      /* No response yet */
-#define PFTM_TCP_ESTABLISHED_VAL       (24 * 60 * 60)  /* Established */
-#define PFTM_TCP_CLOSING_VAL           (15 * 60)       /* Half closed */
-#define PFTM_TCP_FIN_WAIT_VAL          45      /* Got both FINs */
-#define PFTM_TCP_CLOSED_VAL            90      /* Got a RST */
-#define PFTM_UDP_FIRST_PACKET_VAL      60      /* First UDP packet */
-#define PFTM_UDP_SINGLE_VAL            30      /* Unidirectional */
-#define PFTM_UDP_MULTIPLE_VAL          60      /* Bidirectional */
-#define PFTM_ICMP_FIRST_PACKET_VAL     20      /* First ICMP packet */
-#define PFTM_ICMP_ERROR_REPLY_VAL      10      /* Got error response */
-#define PFTM_GREv1_FIRST_PACKET_VAL    120
-#define PFTM_GREv1_INITIATING_VAL      30
-#define PFTM_GREv1_ESTABLISHED_VAL     1800
-#define PFTM_ESP_FIRST_PACKET_VAL      120
-#define PFTM_ESP_INITIATING_VAL                30
-#define PFTM_ESP_ESTABLISHED_VAL       900
-#define PFTM_OTHER_FIRST_PACKET_VAL    60      /* First packet */
-#define PFTM_OTHER_SINGLE_VAL          30      /* Unidirectional */
-#define PFTM_OTHER_MULTIPLE_VAL                60      /* Bidirectional */
-#define PFTM_FRAG_VAL                  30      /* Fragment expire */
-#define PFTM_INTERVAL_VAL              10      /* Expire interval */
-#define PFTM_SRC_NODE_VAL              0       /* Source tracking */
-#define PFTM_TS_DIFF_VAL               30      /* Allowed TS diff */
-
-enum   { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
-enum   { PF_LIMIT_STATES,
+#define PFTM_TCP_FIRST_PACKET_VAL       120     /* First TCP packet */
+#define PFTM_TCP_OPENING_VAL            30      /* No response yet */
+#define PFTM_TCP_ESTABLISHED_VAL        (24 * 60 * 60)  /* Established */
+#define PFTM_TCP_CLOSING_VAL            (15 * 60)       /* Half closed */
+#define PFTM_TCP_FIN_WAIT_VAL           45      /* Got both FINs */
+#define PFTM_TCP_CLOSED_VAL             90      /* Got a RST */
+#define PFTM_UDP_FIRST_PACKET_VAL       60      /* First UDP packet */
+#define PFTM_UDP_SINGLE_VAL             30      /* Unidirectional */
+#define PFTM_UDP_MULTIPLE_VAL           60      /* Bidirectional */
+#define PFTM_ICMP_FIRST_PACKET_VAL      20      /* First ICMP packet */
+#define PFTM_ICMP_ERROR_REPLY_VAL       10      /* Got error response */
+#define PFTM_GREv1_FIRST_PACKET_VAL     120
+#define PFTM_GREv1_INITIATING_VAL       30
+#define PFTM_GREv1_ESTABLISHED_VAL      1800
+#define PFTM_ESP_FIRST_PACKET_VAL       120
+#define PFTM_ESP_INITIATING_VAL         30
+#define PFTM_ESP_ESTABLISHED_VAL        900
+#define PFTM_OTHER_FIRST_PACKET_VAL     60      /* First packet */
+#define PFTM_OTHER_SINGLE_VAL           30      /* Unidirectional */
+#define PFTM_OTHER_MULTIPLE_VAL         60      /* Bidirectional */
+#define PFTM_FRAG_VAL                   30      /* Fragment expire */
+#define PFTM_INTERVAL_VAL               10      /* Expire interval */
+#define PFTM_SRC_NODE_VAL               0       /* Source tracking */
+#define PFTM_TS_DIFF_VAL                30      /* Allowed TS diff */
+
+enum    { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
+enum    { PF_LIMIT_STATES,
          PF_LIMIT_APP_STATES,
          PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
          PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
-#define PF_POOL_IDMASK         0x0f
-enum   { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
+#define PF_POOL_IDMASK          0x0f
+enum    { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
          PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
-enum   { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
+enum    { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
          PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED,
          PF_ADDR_RANGE };
-#define PF_POOL_TYPEMASK       0x0f
-#define PF_POOL_STICKYADDR     0x20
-#define        PF_WSCALE_FLAG          0x80
-#define        PF_WSCALE_MASK          0x0f
+#define PF_POOL_TYPEMASK        0x0f
+#define PF_POOL_STICKYADDR      0x20
+#define PF_WSCALE_FLAG          0x80
+#define PF_WSCALE_MASK          0x0f
 
-#define        PF_LOG                  0x01
-#define        PF_LOG_ALL              0x02
-#define        PF_LOG_SOCKET_LOOKUP    0x04
+#define PF_LOG                  0x01
+#define PF_LOG_ALL              0x02
+#define PF_LOG_SOCKET_LOOKUP    0x04
 
 struct pf_addr {
        union {
-               struct in_addr          _v4addr;
-               struct in6_addr         _v6addr;
-               u_int8_t                _addr8[16];
-               u_int16_t               _addr16[8];
-               u_int32_t               _addr32[4];
-       } pfa;              /* 128-bit address */
-#define v4addr pfa._v4addr
-#define v6addr pfa._v6addr
-#define addr8  pfa._addr8
-#define addr16 pfa._addr16
-#define addr32 pfa._addr32
-};
-
-#define        PF_TABLE_NAME_SIZE       32
-
-#define PFI_AFLAG_NETWORK      0x01
-#define PFI_AFLAG_BROADCAST    0x02
-#define PFI_AFLAG_PEER         0x04
-#define PFI_AFLAG_MODEMASK     0x07
-#define PFI_AFLAG_NOALIAS      0x08
+               struct in_addr          _v4addr;
+               struct in6_addr         _v6addr;
+               u_int8_t                _addr8[16];
+               u_int16_t               _addr16[8];
+               u_int32_t               _addr32[4];
+       } pfa;              /* 128-bit address */
+#define v4addr  pfa._v4addr
+#define v6addr  pfa._v6addr
+#define addr8   pfa._addr8
+#define addr16  pfa._addr16
+#define addr32  pfa._addr32
+};
+
+#define PF_TABLE_NAME_SIZE       32
+
+#define PFI_AFLAG_NETWORK       0x01
+#define PFI_AFLAG_BROADCAST     0x02
+#define PFI_AFLAG_PEER          0x04
+#define PFI_AFLAG_MODEMASK      0x07
+#define PFI_AFLAG_NOALIAS       0x08
 
 #ifndef RTLABEL_LEN
 #define RTLABEL_LEN 32
@@ -261,55 +261,55 @@ struct pf_addr {
 struct pf_addr_wrap {
        union {
                struct {
-                       struct pf_addr           addr;
-                       struct pf_addr           mask;
-               }                        a;
-               char                     ifname[IFNAMSIZ];
-               char                     tblname[PF_TABLE_NAME_SIZE];
-               char                     rtlabelname[RTLABEL_LEN];
-               u_int32_t                rtlabel;
-       }                        v;
+                       struct pf_addr           addr;
+                       struct pf_addr           mask;
+               }                        a;
+               char                     ifname[IFNAMSIZ];
+               char                     tblname[PF_TABLE_NAME_SIZE];
+               char                     rtlabelname[RTLABEL_LEN];
+               u_int32_t                rtlabel;
+       }                        v;
        union {
 #ifdef KERNEL
-               struct pfi_dynaddr      *dyn    __attribute__((aligned(8)));
-               struct pfr_ktable       *tbl    __attribute__((aligned(8)));
+               struct pfi_dynaddr      *dyn    __attribute__((aligned(8)));
+               struct pfr_ktable       *tbl    __attribute__((aligned(8)));
 #else /* !KERNEL */
-               void                    *dyn    __attribute__((aligned(8)));
-               void                    *tbl    __attribute__((aligned(8)));
+               void                    *dyn    __attribute__((aligned(8)));
+               void                    *tbl    __attribute__((aligned(8)));
 #endif /* !KERNEL */
-               int                      dyncnt __attribute__((aligned(8)));
-               int                      tblcnt __attribute__((aligned(8)));
-       }                        p __attribute__((aligned(8)));
-       u_int8_t                 type;          /* PF_ADDR_* */
-       u_int8_t                 iflags;        /* PFI_AFLAG_* */
+               int                      dyncnt __attribute__((aligned(8)));
+               int                      tblcnt __attribute__((aligned(8)));
+       }                        p __attribute__((aligned(8)));
+       u_int8_t                 type;          /* PF_ADDR_* */
+       u_int8_t                 iflags;        /* PFI_AFLAG_* */
 };
 
 struct pf_port_range {
-       u_int16_t                       port[2];
-       u_int8_t                        op;
+       u_int16_t                       port[2];
+       u_int8_t                        op;
 };
 
 union pf_rule_xport {
-       struct pf_port_range    range;
-       u_int16_t               call_id;
-       u_int32_t               spi;
+       struct pf_port_range    range;
+       u_int16_t               call_id;
+       u_int32_t               spi;
 };
 
 #ifdef KERNEL
 struct pfi_dynaddr {
-       TAILQ_ENTRY(pfi_dynaddr)         entry;
-       struct pf_addr                   pfid_addr4;
-       struct pf_addr                   pfid_mask4;
-       struct pf_addr                   pfid_addr6;
-       struct pf_addr                   pfid_mask6;
-       struct pfr_ktable               *pfid_kt;
-       struct pfi_kif                  *pfid_kif;
-       void                            *pfid_hook_cookie;
-       int                              pfid_net;      /* mask or 128 */
-       int                              pfid_acnt4;    /* address count IPv4 */
-       int                              pfid_acnt6;    /* address count IPv6 */
-       sa_family_t                      pfid_af;       /* rule af */
-       u_int8_t                         pfid_iflags;   /* PFI_AFLAG_* */
+       TAILQ_ENTRY(pfi_dynaddr)         entry;
+       struct pf_addr                   pfid_addr4;
+       struct pf_addr                   pfid_mask4;
+       struct pf_addr                   pfid_addr6;
+       struct pf_addr                   pfid_mask6;
+       struct pfr_ktable               *pfid_kt;
+       struct pfi_kif                  *pfid_kif;
+       void                            *pfid_hook_cookie;
+       uint8_t                          pfid_net;      /* mask or 128 */
+       int                              pfid_acnt4;    /* address count IPv4 */
+       int                              pfid_acnt6;    /* address count IPv6 */
+       sa_family_t                      pfid_af;       /* rule af */
+       u_int8_t                         pfid_iflags;   /* PFI_AFLAG_* */
 };
 
 /*
@@ -317,21 +317,14 @@ struct pfi_dynaddr {
  */
 
 #if INET
-#if !INET6
-#define PF_INET_ONLY
-#endif /* ! INET6 */
 #endif /* INET */
 
-#if INET6
 #if !INET
 #define PF_INET6_ONLY
 #endif /* ! INET */
-#endif /* INET6 */
 
 #if INET
-#if INET6
 #define PF_INET_INET6
-#endif /* INET6 */
 #endif /* INET */
 
 #else /* !KERNEL */
@@ -448,13 +441,13 @@ struct pfi_dynaddr {
 
 #define PF_AINC(a, f) \
        do { \
-               (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
+               (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
        } while (0)
 
 #define PF_POOLMASK(a, b, c, d, f) \
        do { \
-               (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
-               (((c)->addr32[0] ^ 0xffffffff) & (d)->addr32[0]); \
+               (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
+               (((c)->addr32[0] ^ 0xffffffff) & (d)->addr32[0]); \
        } while (0)
 
 #endif /* PF_INET_ONLY */
@@ -462,58 +455,58 @@ struct pfi_dynaddr {
 #endif /* PF_INET_INET6 */
 
 #ifdef KERNEL
-#define        PF_MISMATCHAW(aw, x, af, neg, ifp)                              \
-       (                                                               \
-               (((aw)->type == PF_ADDR_NOROUTE &&                      \
-                   pf_routable((x), (af), NULL)) ||                    \
-               (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&  \
-                   pf_routable((x), (af), (ifp))) ||                   \
-               ((aw)->type == PF_ADDR_RTLABEL &&                       \
-                   !pf_rtlabel_match((x), (af), (aw))) ||              \
-               ((aw)->type == PF_ADDR_TABLE &&                         \
-                   !pfr_match_addr((aw)->p.tbl, (x), (af))) ||         \
-               ((aw)->type == PF_ADDR_DYNIFTL &&                       \
-                   !pfi_match_addr((aw)->p.dyn, (x), (af))) ||         \
-               ((aw)->type == PF_ADDR_RANGE &&                         \
-                   !pf_match_addr_range(&(aw)->v.a.addr,               \
-                   &(aw)->v.a.mask, (x), (af))) ||                     \
-               ((aw)->type == PF_ADDR_ADDRMASK &&                      \
-                   !PF_AZERO(&(aw)->v.a.mask, (af)) &&                 \
-                   !PF_MATCHA(0, &(aw)->v.a.addr,                      \
-                   &(aw)->v.a.mask, (x), (af))))) !=                   \
-               (neg)                                                   \
+#define PF_MISMATCHAW(aw, x, af, neg, ifp)                              \
+       (                                                               \
+               (((aw)->type == PF_ADDR_NOROUTE &&                      \
+                   pf_routable((x), (af), NULL)) ||                    \
+               (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&  \
+                   pf_routable((x), (af), (ifp))) ||                   \
+               ((aw)->type == PF_ADDR_RTLABEL &&                       \
+                   !pf_rtlabel_match((x), (af), (aw))) ||              \
+               ((aw)->type == PF_ADDR_TABLE &&                         \
+                   !pfr_match_addr((aw)->p.tbl, (x), (af))) ||         \
+               ((aw)->type == PF_ADDR_DYNIFTL &&                       \
+                   !pfi_match_addr((aw)->p.dyn, (x), (af))) ||         \
+               ((aw)->type == PF_ADDR_RANGE &&                         \
+                   !pf_match_addr_range(&(aw)->v.a.addr,               \
+                   &(aw)->v.a.mask, (x), (af))) ||                     \
+               ((aw)->type == PF_ADDR_ADDRMASK &&                      \
+                   !PF_AZERO(&(aw)->v.a.mask, (af)) &&                 \
+                   !PF_MATCHA(0, &(aw)->v.a.addr,                      \
+                   &(aw)->v.a.mask, (x), (af))))) !=                   \
+               (neg)                                                   \
        )
 #endif /* KERNEL */
 
 struct pf_rule_uid {
-       uid_t            uid[2];
-       u_int8_t         op;
-       u_int8_t         _pad[3];
+       uid_t            uid[2];
+       u_int8_t         op;
+       u_int8_t         _pad[3];
 };
 
 struct pf_rule_gid {
-       uid_t            gid[2];
-       u_int8_t         op;
-       u_int8_t         _pad[3];
+       uid_t            gid[2];
+       u_int8_t         op;
+       u_int8_t         _pad[3];
 };
 
 struct pf_rule_addr {
-       struct pf_addr_wrap      addr;
-       union pf_rule_xport      xport;
-       u_int8_t                 neg;
+       struct pf_addr_wrap      addr;
+       union pf_rule_xport      xport;
+       u_int8_t                 neg;
 };
 
 struct pf_pooladdr {
-       struct pf_addr_wrap              addr;
-       TAILQ_ENTRY(pf_pooladdr)         entries;
+       struct pf_addr_wrap              addr;
+       TAILQ_ENTRY(pf_pooladdr)         entries;
 #if !defined(__LP64__)
-       u_int32_t                        _pad[2];
+       u_int32_t                        _pad[2];
 #endif /* !__LP64__ */
-       char                             ifname[IFNAMSIZ];
+       char                             ifname[IFNAMSIZ];
 #ifdef KERNEL
-       struct pfi_kif                  *kif    __attribute__((aligned(8)));
+       struct pfi_kif                  *kif    __attribute__((aligned(8)));
 #else /* !KERNEL */
-       void                            *kif    __attribute__((aligned(8)));
+       void                            *kif    __attribute__((aligned(8)));
 #endif /* !KERNEL */
 };
 
@@ -521,55 +514,55 @@ TAILQ_HEAD(pf_palist, pf_pooladdr);
 
 struct pf_poolhashkey {
        union {
-               u_int8_t                key8[16];
-               u_int16_t               key16[8];
-               u_int32_t               key32[4];
-       } pfk;              /* 128-bit hash key */
-#define key8   pfk.key8
-#define key16  pfk.key16
-#define key32  pfk.key32
+               u_int8_t                key8[16];
+               u_int16_t               key16[8];
+               u_int32_t               key32[4];
+       } pfk;              /* 128-bit hash key */
+#define key8    pfk.key8
+#define key16   pfk.key16
+#define key32   pfk.key32
 };
 
 struct pf_pool {
-       struct pf_palist         list;
+       struct pf_palist         list;
 #if !defined(__LP64__)
-       u_int32_t                _pad[2];
+       u_int32_t                _pad[2];
 #endif /* !__LP64__ */
 #ifdef KERNEL
-       struct pf_pooladdr      *cur            __attribute__((aligned(8)));
+       struct pf_pooladdr      *cur            __attribute__((aligned(8)));
 #else /* !KERNEL */
-       void                    *cur            __attribute__((aligned(8)));
+       void                    *cur            __attribute__((aligned(8)));
 #endif /* !KERNEL */
-       struct pf_poolhashkey    key            __attribute__((aligned(8)));
-       struct pf_addr           counter;
-       int                      tblidx;
-       u_int16_t                proxy_port[2];
-       u_int8_t                 port_op;
-       u_int8_t                 opts;
-       sa_family_t              af;
+       struct pf_poolhashkey    key            __attribute__((aligned(8)));
+       struct pf_addr           counter;
+       int                      tblidx;
+       u_int16_t                proxy_port[2];
+       u_int8_t                 port_op;
+       u_int8_t                 opts;
+       sa_family_t              af;
 };
 
 
 /* A packed Operating System description for fingerprinting */
 typedef u_int32_t pf_osfp_t;
-#define PF_OSFP_ANY    ((pf_osfp_t)0)
-#define PF_OSFP_UNKNOWN        ((pf_osfp_t)-1)
-#define PF_OSFP_NOMATCH        ((pf_osfp_t)-2)
+#define PF_OSFP_ANY     ((pf_osfp_t)0)
+#define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
+#define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
 
 struct pf_osfp_entry {
        SLIST_ENTRY(pf_osfp_entry) fp_entry;
 #if !defined(__LP64__)
-       u_int32_t               _pad;
+       u_int32_t               _pad;
 #endif /* !__LP64__ */
-       pf_osfp_t               fp_os;
-       int                     fp_enflags;
-#define PF_OSFP_EXPANDED       0x001           /* expanded entry */
-#define PF_OSFP_GENERIC                0x002           /* generic signature */
-#define PF_OSFP_NODETAIL       0x004           /* no p0f details */
-#define PF_OSFP_LEN    32
-       char                    fp_class_nm[PF_OSFP_LEN];
-       char                    fp_version_nm[PF_OSFP_LEN];
-       char                    fp_subtype_nm[PF_OSFP_LEN];
+       pf_osfp_t               fp_os;
+       int                     fp_enflags;
+#define PF_OSFP_EXPANDED        0x001           /* expanded entry */
+#define PF_OSFP_GENERIC         0x002           /* generic signature */
+#define PF_OSFP_NODETAIL        0x004           /* no p0f details */
+#define PF_OSFP_LEN     32
+       char                    fp_class_nm[PF_OSFP_LEN];
+       char                    fp_version_nm[PF_OSFP_LEN];
+       char                    fp_subtype_nm[PF_OSFP_LEN];
 };
 #define PF_OSFP_ENTRY_EQ(a, b) \
     ((a)->fp_os == (b)->fp_os && \
@@ -578,11 +571,11 @@ struct pf_osfp_entry {
     memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
 
 /* handle pf_osfp_t packing */
-#define _FP_RESERVED_BIT       1  /* For the special negative #defines */
-#define _FP_UNUSED_BITS                1
-#define _FP_CLASS_BITS         10 /* OS Class (Windows, Linux) */
-#define _FP_VERSION_BITS       10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
-#define _FP_SUBTYPE_BITS       10 /* patch level (NT SP4, SP3, ECN patch) */
+#define _FP_RESERVED_BIT        1  /* For the special negative #defines */
+#define _FP_UNUSED_BITS         1
+#define _FP_CLASS_BITS          10 /* OS Class (Windows, Linux) */
+#define _FP_VERSION_BITS        10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
+#define _FP_SUBTYPE_BITS        10 /* patch level (NT SP4, SP3, ECN patch) */
 #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
        (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
            ((1 << _FP_CLASS_BITS) - 1); \
@@ -599,345 +592,350 @@ struct pf_osfp_entry {
 } while (0)
 
 /* the fingerprint of an OSes TCP SYN packet */
-typedef u_int64_t      pf_tcpopts_t;
+typedef u_int64_t       pf_tcpopts_t;
 struct pf_os_fingerprint {
        SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
-       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
-       u_int16_t               fp_wsize;       /* TCP window size */
-       u_int16_t               fp_psize;       /* ip->ip_len */
-       u_int16_t               fp_mss;         /* TCP MSS */
-       u_int16_t               fp_flags;
-#define PF_OSFP_WSIZE_MOD      0x0001          /* Window modulus */
-#define PF_OSFP_WSIZE_DC       0x0002          /* Window don't care */
-#define PF_OSFP_WSIZE_MSS      0x0004          /* Window multiple of MSS */
-#define PF_OSFP_WSIZE_MTU      0x0008          /* Window multiple of MTU */
-#define PF_OSFP_PSIZE_MOD      0x0010          /* packet size modulus */
-#define PF_OSFP_PSIZE_DC       0x0020          /* packet size don't care */
-#define PF_OSFP_WSCALE         0x0040          /* TCP window scaling */
-#define PF_OSFP_WSCALE_MOD     0x0080          /* TCP window scale modulus */
-#define PF_OSFP_WSCALE_DC      0x0100          /* TCP window scale dont-care */
-#define PF_OSFP_MSS            0x0200          /* TCP MSS */
-#define PF_OSFP_MSS_MOD                0x0400          /* TCP MSS modulus */
-#define PF_OSFP_MSS_DC         0x0800          /* TCP MSS dont-care */
-#define PF_OSFP_DF             0x1000          /* IPv4 don't fragment bit */
-#define PF_OSFP_TS0            0x2000          /* Zero timestamp */
-#define PF_OSFP_INET6          0x4000          /* IPv6 */
-       u_int8_t                fp_optcnt;      /* TCP option count */
-       u_int8_t                fp_wscale;      /* TCP window scaling */
-       u_int8_t                fp_ttl;         /* IPv4 TTL */
-#define PF_OSFP_MAXTTL_OFFSET  40
+       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
+       u_int16_t               fp_wsize;       /* TCP window size */
+       u_int16_t               fp_psize;       /* ip->ip_len */
+       u_int16_t               fp_mss;         /* TCP MSS */
+       u_int16_t               fp_flags;
+#define PF_OSFP_WSIZE_MOD       0x0001          /* Window modulus */
+#define PF_OSFP_WSIZE_DC        0x0002          /* Window don't care */
+#define PF_OSFP_WSIZE_MSS       0x0004          /* Window multiple of MSS */
+#define PF_OSFP_WSIZE_MTU       0x0008          /* Window multiple of MTU */
+#define PF_OSFP_PSIZE_MOD       0x0010          /* packet size modulus */
+#define PF_OSFP_PSIZE_DC        0x0020          /* packet size don't care */
+#define PF_OSFP_WSCALE          0x0040          /* TCP window scaling */
+#define PF_OSFP_WSCALE_MOD      0x0080          /* TCP window scale modulus */
+#define PF_OSFP_WSCALE_DC       0x0100          /* TCP window scale dont-care */
+#define PF_OSFP_MSS             0x0200          /* TCP MSS */
+#define PF_OSFP_MSS_MOD         0x0400          /* TCP MSS modulus */
+#define PF_OSFP_MSS_DC          0x0800          /* TCP MSS dont-care */
+#define PF_OSFP_DF              0x1000          /* IPv4 don't fragment bit */
+#define PF_OSFP_TS0             0x2000          /* Zero timestamp */
+#define PF_OSFP_INET6           0x4000          /* IPv6 */
+       u_int8_t                fp_optcnt;      /* TCP option count */
+       u_int8_t                fp_wscale;      /* TCP window scaling */
+       u_int8_t                fp_ttl;         /* IPv4 TTL */
+#define PF_OSFP_MAXTTL_OFFSET   40
 /* TCP options packing */
-#define PF_OSFP_TCPOPT_NOP     0x0             /* TCP NOP option */
-#define PF_OSFP_TCPOPT_WSCALE  0x1             /* TCP window scaling option */
-#define PF_OSFP_TCPOPT_MSS     0x2             /* TCP max segment size opt */
-#define PF_OSFP_TCPOPT_SACK    0x3             /* TCP SACK OK option */
-#define PF_OSFP_TCPOPT_TS      0x4             /* TCP timestamp option */
-#define PF_OSFP_TCPOPT_BITS    3               /* bits used by each option */
+#define PF_OSFP_TCPOPT_NOP      0x0             /* TCP NOP option */
+#define PF_OSFP_TCPOPT_WSCALE   0x1             /* TCP window scaling option */
+#define PF_OSFP_TCPOPT_MSS      0x2             /* TCP max segment size opt */
+#define PF_OSFP_TCPOPT_SACK     0x3             /* TCP SACK OK option */
+#define PF_OSFP_TCPOPT_TS       0x4             /* TCP timestamp option */
+#define PF_OSFP_TCPOPT_BITS     3               /* bits used by each option */
 #define PF_OSFP_MAX_OPTS \
-    (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
-    / PF_OSFP_TCPOPT_BITS
+    ((sizeof(pf_tcpopts_t) * 8) \
+    / PF_OSFP_TCPOPT_BITS)
 
-       SLIST_ENTRY(pf_os_fingerprint)  fp_next;
+       SLIST_ENTRY(pf_os_fingerprint)  fp_next;
 };
 
 struct pf_osfp_ioctl {
-       struct pf_osfp_entry    fp_os;
-       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
-       u_int16_t               fp_wsize;       /* TCP window size */
-       u_int16_t               fp_psize;       /* ip->ip_len */
-       u_int16_t               fp_mss;         /* TCP MSS */
-       u_int16_t               fp_flags;
-       u_int8_t                fp_optcnt;      /* TCP option count */
-       u_int8_t                fp_wscale;      /* TCP window scaling */
-       u_int8_t                fp_ttl;         /* IPv4 TTL */
+       struct pf_osfp_entry    fp_os;
+       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
+       u_int16_t               fp_wsize;       /* TCP window size */
+       u_int16_t               fp_psize;       /* ip->ip_len */
+       u_int16_t               fp_mss;         /* TCP MSS */
+       u_int16_t               fp_flags;
+       u_int8_t                fp_optcnt;      /* TCP option count */
+       u_int8_t                fp_wscale;      /* TCP window scaling */
+       u_int8_t                fp_ttl;         /* IPv4 TTL */
 
-       int                     fp_getnum;      /* DIOCOSFPGET number */
+       int                     fp_getnum;      /* DIOCOSFPGET number */
 };
 
 
 union pf_rule_ptr {
-       struct pf_rule          *ptr            __attribute__((aligned(8)));
-       u_int32_t                nr             __attribute__((aligned(8)));
+       struct pf_rule          *ptr            __attribute__((aligned(8)));
+       u_int32_t                nr             __attribute__((aligned(8)));
 } __attribute__((aligned(8)));
 
-#define        PF_ANCHOR_NAME_SIZE      64
+#define PF_ANCHOR_NAME_SIZE      64
 
 struct pf_rule {
-       struct pf_rule_addr      src;
-       struct pf_rule_addr      dst;
-#define PF_SKIP_IFP            0
-#define PF_SKIP_DIR            1
-#define PF_SKIP_AF             2
-#define PF_SKIP_PROTO          3
-#define PF_SKIP_SRC_ADDR       4
-#define PF_SKIP_SRC_PORT       5
-#define PF_SKIP_DST_ADDR       6
-#define PF_SKIP_DST_PORT       7
-#define PF_SKIP_COUNT          8
-       union pf_rule_ptr        skip[PF_SKIP_COUNT];
-#define PF_RULE_LABEL_SIZE      64
-       char                     label[PF_RULE_LABEL_SIZE];
-#define PF_QNAME_SIZE           64
-       char                     ifname[IFNAMSIZ];
-       char                     qname[PF_QNAME_SIZE];
-       char                     pqname[PF_QNAME_SIZE];
-#define        PF_TAG_NAME_SIZE         64
-       char                     tagname[PF_TAG_NAME_SIZE];
-       char                     match_tagname[PF_TAG_NAME_SIZE];
-
-       char                     overload_tblname[PF_TABLE_NAME_SIZE];
-
-       TAILQ_ENTRY(pf_rule)     entries;
+       struct pf_rule_addr      src;
+       struct pf_rule_addr      dst;
+#define PF_SKIP_IFP             0
+#define PF_SKIP_DIR             1
+#define PF_SKIP_AF              2
+#define PF_SKIP_PROTO           3
+#define PF_SKIP_SRC_ADDR        4
+#define PF_SKIP_SRC_PORT        5
+#define PF_SKIP_DST_ADDR        6
+#define PF_SKIP_DST_PORT        7
+#define PF_SKIP_COUNT           8
+       union pf_rule_ptr        skip[PF_SKIP_COUNT];
+#define PF_RULE_LABEL_SIZE       64
+       char                     label[PF_RULE_LABEL_SIZE];
+#define PF_QNAME_SIZE            64
+       char                     ifname[IFNAMSIZ];
+       char                     qname[PF_QNAME_SIZE];
+       char                     pqname[PF_QNAME_SIZE];
+#define PF_TAG_NAME_SIZE         64
+       char                     tagname[PF_TAG_NAME_SIZE];
+       char                     match_tagname[PF_TAG_NAME_SIZE];
+
+       char                     overload_tblname[PF_TABLE_NAME_SIZE];
+
+       TAILQ_ENTRY(pf_rule)     entries;
 #if !defined(__LP64__)
-       u_int32_t                _pad[2];
+       u_int32_t                _pad[2];
 #endif /* !__LP64__ */
-       struct pf_pool           rpool;
+       struct pf_pool           rpool;
 
-       u_int64_t                evaluations;
-       u_int64_t                packets[2];
-       u_int64_t                bytes[2];
+       u_int64_t                evaluations;
+       u_int64_t                packets[2];
+       u_int64_t                bytes[2];
 
-       u_int64_t                ticket;
-#define PF_OWNER_NAME_SIZE      64
-       char                     owner[PF_OWNER_NAME_SIZE];
-       u_int32_t                priority;
+       u_int64_t                ticket;
+#define PF_OWNER_NAME_SIZE       64
+       char                     owner[PF_OWNER_NAME_SIZE];
+       u_int32_t                priority;
 
 #ifdef KERNEL
-       struct pfi_kif          *kif            __attribute__((aligned(8)));
+       struct pfi_kif          *kif            __attribute__((aligned(8)));
 #else /* !KERNEL */
-       void                    *kif            __attribute__((aligned(8)));
+       void                    *kif            __attribute__((aligned(8)));
 #endif /* !KERNEL */
-       struct pf_anchor        *anchor         __attribute__((aligned(8)));
+       struct pf_anchor        *anchor         __attribute__((aligned(8)));
 #ifdef KERNEL
-       struct pfr_ktable       *overload_tbl   __attribute__((aligned(8)));
+       struct pfr_ktable       *overload_tbl   __attribute__((aligned(8)));
 #else /* !KERNEL */
-       void                    *overload_tbl   __attribute__((aligned(8)));
+       void                    *overload_tbl   __attribute__((aligned(8)));
 #endif /* !KERNEL */
 
-       pf_osfp_t                os_fingerprint __attribute__((aligned(8)));
+       pf_osfp_t                os_fingerprint __attribute__((aligned(8)));
 
-       unsigned int             rtableid;
-       u_int32_t                timeout[PFTM_MAX];
-       u_int32_t                states;
-       u_int32_t                max_states;
-       u_int32_t                src_nodes;
-       u_int32_t                max_src_nodes;
-       u_int32_t                max_src_states;
-       u_int32_t                max_src_conn;
+       unsigned int             rtableid;
+       u_int32_t                timeout[PFTM_MAX];
+       u_int32_t                states;
+       u_int32_t                max_states;
+       u_int32_t                src_nodes;
+       u_int32_t                max_src_nodes;
+       u_int32_t                max_src_states;
+       u_int32_t                max_src_conn;
        struct {
-               u_int32_t               limit;
-               u_int32_t               seconds;
-       }                        max_src_conn_rate;
-       u_int32_t                qid;
-       u_int32_t                pqid;
-       u_int32_t                rt_listid;
-       u_int32_t                nr;
-       u_int32_t                prob;
-       uid_t                    cuid;
-       pid_t                    cpid;
-
-       u_int16_t                return_icmp;
-       u_int16_t                return_icmp6;
-       u_int16_t                max_mss;
-       u_int16_t                tag;
-       u_int16_t                match_tag;
-
-       struct pf_rule_uid       uid;
-       struct pf_rule_gid       gid;
-
-       u_int32_t                rule_flag;
-       u_int8_t                 action;
-       u_int8_t                 direction;
-       u_int8_t                 log;
-       u_int8_t                 logif;
-       u_int8_t                 quick;
-       u_int8_t                 ifnot;
-       u_int8_t                 match_tag_not;
-       u_int8_t                 natpass;
-
-#define PF_STATE_NORMAL                0x1
-#define PF_STATE_MODULATE      0x2
-#define PF_STATE_SYNPROXY      0x3
-       u_int8_t                 keep_state;
-       sa_family_t              af;
-       u_int8_t                 proto;
-       u_int8_t                 type;
-       u_int8_t                 code;
-       u_int8_t                 flags;
-       u_int8_t                 flagset;
-       u_int8_t                 min_ttl;
-       u_int8_t                 allow_opts;
-       u_int8_t                 rt;
-       u_int8_t                 return_ttl;
+               u_int32_t               limit;
+               u_int32_t               seconds;
+       }                        max_src_conn_rate;
+       u_int32_t                qid;
+       u_int32_t                pqid;
+       u_int32_t                rt_listid;
+       u_int32_t                nr;
+       u_int32_t                prob;
+       uid_t                    cuid;
+       pid_t                    cpid;
+
+       u_int16_t                return_icmp;
+       u_int16_t                return_icmp6;
+       u_int16_t                max_mss;
+       u_int16_t                tag;
+       u_int16_t                match_tag;
+
+       struct pf_rule_uid       uid;
+       struct pf_rule_gid       gid;
+
+       u_int32_t                rule_flag;
+       u_int8_t                 action;
+       u_int8_t                 direction;
+       u_int8_t                 log;
+       u_int8_t                 logif;
+       u_int8_t                 quick;
+       u_int8_t                 ifnot;
+       u_int8_t                 match_tag_not;
+       u_int8_t                 natpass;
+
+#define PF_STATE_NORMAL         0x1
+#define PF_STATE_MODULATE       0x2
+#define PF_STATE_SYNPROXY       0x3
+       u_int8_t                 keep_state;
+       sa_family_t              af;
+       u_int8_t                 proto;
+       u_int8_t                 type;
+       u_int8_t                 code;
+       u_int8_t                 flags;
+       u_int8_t                 flagset;
+       u_int8_t                 min_ttl;
+       u_int8_t                 allow_opts;
+       u_int8_t                 rt;
+       u_int8_t                 return_ttl;
 
 /* service class categories */
-#define        SCIDX_MASK              0x0f
-#define        SC_BE                   0x10
-#define        SC_BK_SYS               0x11
-#define        SC_BK                   0x12
-#define        SC_RD                   0x13
-#define        SC_OAM                  0x14
-#define        SC_AV                   0x15
-#define        SC_RV                   0x16
-#define        SC_VI                   0x17
-#define        SC_VO                   0x18
-#define        SC_CTL                  0x19
+#define SCIDX_MASK              0x0f
+#define SC_BE                   0x10
+#define SC_BK_SYS               0x11
+#define SC_BK                   0x12
+#define SC_RD                   0x13
+#define SC_OAM                  0x14
+#define SC_AV                   0x15
+#define SC_RV                   0x16
+#define SC_VI                   0x17
+#define SC_SIG                  0x17
+#define SC_VO                   0x18
+#define SC_CTL                  0x19
 
 /* diffserve code points */
-#define        DSCP_MASK               0xfc
-#define        DSCP_CUMASK             0x03
-#define        DSCP_EF                 0xb8
-#define        DSCP_AF11               0x28
-#define        DSCP_AF12               0x30
-#define        DSCP_AF13               0x38
-#define        DSCP_AF21               0x48
-#define        DSCP_AF22               0x50
-#define        DSCP_AF23               0x58
-#define        DSCP_AF31               0x68
-#define        DSCP_AF32               0x70
-#define        DSCP_AF33               0x78
-#define        DSCP_AF41               0x88
-#define        DSCP_AF42               0x90
-#define        DSCP_AF43               0x98
-#define        AF_CLASSMASK            0xe0
-#define        AF_DROPPRECMASK         0x18
-       u_int8_t                 tos;
-       u_int8_t                 anchor_relative;
-       u_int8_t                 anchor_wildcard;
-
-#define PF_FLUSH               0x01
-#define PF_FLUSH_GLOBAL                0x02
-       u_int8_t                 flush;
-
-       u_int8_t                proto_variant;
-       u_int8_t                extfilter; /* Filter mode [PF_EXTFILTER_xxx] */
-       u_int8_t                extmap;    /* Mapping mode [PF_EXTMAP_xxx] */
+#define DSCP_MASK               0xfc
+#define DSCP_CUMASK             0x03
+#define DSCP_EF                 0xb8
+#define DSCP_AF11               0x28
+#define DSCP_AF12               0x30
+#define DSCP_AF13               0x38
+#define DSCP_AF21               0x48
+#define DSCP_AF22               0x50
+#define DSCP_AF23               0x58
+#define DSCP_AF31               0x68
+#define DSCP_AF32               0x70
+#define DSCP_AF33               0x78
+#define DSCP_AF41               0x88
+#define DSCP_AF42               0x90
+#define DSCP_AF43               0x98
+#define AF_CLASSMASK            0xe0
+#define AF_DROPPRECMASK         0x18
+       u_int8_t                 tos;
+       u_int8_t                 anchor_relative;
+       u_int8_t                 anchor_wildcard;
+
+#define PF_FLUSH                0x01
+#define PF_FLUSH_GLOBAL         0x02
+       u_int8_t                 flush;
+
+       u_int8_t                proto_variant;
+       u_int8_t                extfilter; /* Filter mode [PF_EXTFILTER_xxx] */
+       u_int8_t                extmap;    /* Mapping mode [PF_EXTMAP_xxx] */
        u_int32_t               dnpipe;
        u_int32_t               dntype;
 };
 
 /* pf device identifiers */
-#define PFDEV_PF               0
-#define PFDEV_PFM              1
-#define PFDEV_MAX              2
+#define PFDEV_PF                0
+#define PFDEV_PFM               1
+#define PFDEV_MAX               2
 
 /* rule flags */
-#define        PFRULE_DROP             0x0000
-#define        PFRULE_RETURNRST        0x0001
-#define        PFRULE_FRAGMENT         0x0002
-#define        PFRULE_RETURNICMP       0x0004
-#define        PFRULE_RETURN           0x0008
-#define        PFRULE_NOSYNC           0x0010
-#define PFRULE_SRCTRACK                0x0020  /* track source states */
-#define PFRULE_RULESRCTRACK    0x0040  /* per rule */
+#define PFRULE_DROP             0x0000
+#define PFRULE_RETURNRST        0x0001
+#define PFRULE_FRAGMENT         0x0002
+#define PFRULE_RETURNICMP       0x0004
+#define PFRULE_RETURN           0x0008
+#define PFRULE_NOSYNC           0x0010
+#define PFRULE_SRCTRACK         0x0020  /* track source states */
+#define PFRULE_RULESRCTRACK     0x0040  /* per rule */
 
 /* scrub flags */
-#define        PFRULE_NODF             0x0100
-#define        PFRULE_FRAGCROP         0x0200  /* non-buffering frag cache */
-#define        PFRULE_FRAGDROP         0x0400  /* drop funny fragments */
-#define PFRULE_RANDOMID                0x0800
-#define PFRULE_REASSEMBLE_TCP  0x1000
+#define PFRULE_NODF             0x0100
+#define PFRULE_FRAGCROP         0x0200  /* non-buffering frag cache */
+#define PFRULE_FRAGDROP         0x0400  /* drop funny fragments */
+#define PFRULE_RANDOMID         0x0800
+#define PFRULE_REASSEMBLE_TCP   0x1000
 
 /* rule flags for TOS/DSCP/service class differentiation */
-#define        PFRULE_TOS              0x2000
-#define        PFRULE_DSCP             0x4000
-#define        PFRULE_SC               0x8000
+#define PFRULE_TOS              0x2000
+#define PFRULE_DSCP             0x4000
+#define PFRULE_SC               0x8000
 
 /* rule flags again */
-#define        PFRULE_IFBOUND          0x00010000      /* if-bound */
-#define        PFRULE_PFM              0x00020000      /* created by pfm device */
+#define PFRULE_IFBOUND          0x00010000      /* if-bound */
+#define PFRULE_PFM              0x00020000      /* created by pfm device */
 
-#define        PFSTATE_HIWAT           10000   /* default state table size */
-#define        PFSTATE_ADAPT_START     6000    /* default adaptive timeout start */
-#define        PFSTATE_ADAPT_END       12000   /* default adaptive timeout end */
+#define PFSTATE_HIWAT           10000   /* default state table size */
+#define PFSTATE_ADAPT_START     6000    /* default adaptive timeout start */
+#define PFSTATE_ADAPT_END       12000   /* default adaptive timeout end */
 
-#define        PFAPPSTATE_HIWAT        10000   /* default same as state table */
+#define PFAPPSTATE_HIWAT        10000   /* default same as state table */
+
+/* PF reserved special purpose tags */
+#define PF_TAG_NAME_SYSTEM_SERVICE    "com.apple.pf.system_service_tag"
+#define PF_TAG_NAME_STACK_DROP        "com.apple.pf.stack_drop_tag"
 
 enum pf_extmap {
-       PF_EXTMAP_APD   = 1,    /* Address-port-dependent mapping */
-       PF_EXTMAP_AD,           /* Address-dependent mapping */
-       PF_EXTMAP_EI            /* Endpoint-independent mapping */
+       PF_EXTMAP_APD   = 1,    /* Address-port-dependent mapping */
+       PF_EXTMAP_AD,           /* Address-dependent mapping */
+       PF_EXTMAP_EI            /* Endpoint-independent mapping */
 };
 
 enum pf_extfilter {
-       PF_EXTFILTER_APD = 1,   /* Address-port-dependent filtering */
-       PF_EXTFILTER_AD,        /* Address-dependent filtering */
-       PF_EXTFILTER_EI         /* Endpoint-independent filtering */
+       PF_EXTFILTER_APD = 1,   /* Address-port-dependent filtering */
+       PF_EXTFILTER_AD,        /* Address-dependent filtering */
+       PF_EXTFILTER_EI         /* Endpoint-independent filtering */
 };
 
 struct pf_threshold {
-       u_int32_t       limit;
-#define        PF_THRESHOLD_MULT       1000
-#define PF_THRESHOLD_MAX       0xffffffff / PF_THRESHOLD_MULT
-       u_int32_t       seconds;
-       u_int32_t       count;
-       u_int32_t       last;
+       u_int32_t       limit;
+#define PF_THRESHOLD_MULT       1000
+#define PF_THRESHOLD_MAX        0xffffffff / PF_THRESHOLD_MULT
+       u_int32_t       seconds;
+       u_int32_t       count;
+       u_int32_t       last;
 };
 
 struct pf_src_node {
        RB_ENTRY(pf_src_node) entry;
-       struct pf_addr   addr;
-       struct pf_addr   raddr;
+       struct pf_addr   addr;
+       struct pf_addr   raddr;
        union pf_rule_ptr rule;
 #ifdef KERNEL
-       struct pfi_kif  *kif;
+       struct pfi_kif  *kif;
 #else /* !KERNEL */
-       void            *kif;
+       void            *kif;
 #endif /* !KERNEL */
-       u_int64_t        bytes[2];
-       u_int64_t        packets[2];
-       u_int32_t        states;
-       u_int32_t        conn;
-       struct pf_threshold     conn_rate;
-       u_int64_t        creation;
-       u_int64_t        expire;
-       sa_family_t      af;
-       u_int8_t         ruletype;
+       u_int64_t        bytes[2];
+       u_int64_t        packets[2];
+       u_int32_t        states;
+       u_int32_t        conn;
+       struct pf_threshold     conn_rate;
+       u_int64_t        creation;
+       u_int64_t        expire;
+       sa_family_t      af;
+       u_int8_t         ruletype;
 };
 
-#define PFSNODE_HIWAT          10000   /* default source node table size */
+#define PFSNODE_HIWAT           10000   /* default source node table size */
 
 #ifdef KERNEL
 struct pf_state_scrub {
-       struct timeval  pfss_last;      /* time received last packet    */
-       u_int32_t       pfss_tsecr;     /* last echoed timestamp        */
-       u_int32_t       pfss_tsval;     /* largest timestamp            */
-       u_int32_t       pfss_tsval0;    /* original timestamp           */
-       u_int16_t       pfss_flags;
-#define PFSS_TIMESTAMP 0x0001          /* modulate timestamp           */
-#define PFSS_PAWS      0x0010          /* stricter PAWS checks         */
-#define PFSS_PAWS_IDLED        0x0020          /* was idle too long.  no PAWS  */
-#define PFSS_DATA_TS   0x0040          /* timestamp on data packets    */
-#define PFSS_DATA_NOTS 0x0080          /* no timestamp on data packets */
-       u_int8_t        pfss_ttl;       /* stashed TTL                  */
-       u_int8_t        pad;
-       u_int32_t       pfss_ts_mod;    /* timestamp modulation         */
+       struct timeval  pfss_last;      /* time received last packet    */
+       u_int32_t       pfss_tsecr;     /* last echoed timestamp        */
+       u_int32_t       pfss_tsval;     /* largest timestamp            */
+       u_int32_t       pfss_tsval0;    /* original timestamp           */
+       u_int16_t       pfss_flags;
+#define PFSS_TIMESTAMP  0x0001          /* modulate timestamp          */
+#define PFSS_PAWS       0x0010          /* stricter PAWS checks                */
+#define PFSS_PAWS_IDLED 0x0020          /* was idle too long.  no PAWS */
+#define PFSS_DATA_TS    0x0040          /* timestamp on data packets   */
+#define PFSS_DATA_NOTS  0x0080          /* no timestamp on data packets        */
+       u_int8_t        pfss_ttl;       /* stashed TTL                  */
+       u_int8_t        pad;
+       u_int32_t       pfss_ts_mod;    /* timestamp modulation         */
 };
 #endif /* KERNEL */
 
 union pf_state_xport {
-       u_int16_t       port;
-       u_int16_t       call_id;
-       u_int32_t       spi;
+       u_int16_t       port;
+       u_int16_t       call_id;
+       u_int32_t       spi;
 };
 
 struct pf_state_host {
-       struct pf_addr          addr;
-       union pf_state_xport    xport;
+       struct pf_addr          addr;
+       union pf_state_xport    xport;
 };
 
 #ifdef KERNEL
 struct pf_state_peer {
-       u_int32_t       seqlo;          /* Max sequence number sent     */
-       u_int32_t       seqhi;          /* Max the other end ACKd + win */
-       u_int32_t       seqdiff;        /* Sequence number modulator    */
-       u_int16_t       max_win;        /* largest window (pre scaling) */
-       u_int8_t        state;          /* active state level           */
-       u_int8_t        wscale;         /* window scaling factor        */
-       u_int16_t       mss;            /* Maximum segment size option  */
-       u_int8_t        tcp_est;        /* Did we reach TCPS_ESTABLISHED */
-       struct pf_state_scrub   *scrub; /* state is scrubbed            */
-       u_int8_t        pad[3];
+       u_int32_t       seqlo;          /* Max sequence number sent     */
+       u_int32_t       seqhi;          /* Max the other end ACKd + win */
+       u_int32_t       seqdiff;        /* Sequence number modulator    */
+       u_int16_t       max_win;        /* largest window (pre scaling) */
+       u_int8_t        state;          /* active state level           */
+       u_int8_t        wscale;         /* window scaling factor        */
+       u_int16_t       mss;            /* Maximum segment size option  */
+       u_int8_t        tcp_est;        /* Did we reach TCPS_ESTABLISHED */
+       struct pf_state_scrub   *scrub; /* state is scrubbed            */
+       u_int8_t        pad[3];
 };
 
 TAILQ_HEAD(pf_state_queue, pf_state);
@@ -947,7 +945,7 @@ struct pf_pdesc;
 struct pf_app_state;
 
 typedef void (*pf_app_handler)(struct pf_state *, int, int, struct pf_pdesc *,
-       struct pfi_kif *);
+    struct pfi_kif *);
 
 typedef int (*pf_app_compare)(struct pf_app_state *, struct pf_app_state *);
 
@@ -964,9 +962,9 @@ struct pf_ike_state {
 };
 
 struct pf_app_state {
-       pf_app_handler  handler;
-       pf_app_compare  compare_lan_ext;
-       pf_app_compare  compare_ext_gwy;
+       pf_app_handler  handler;
+       pf_app_compare  compare_lan_ext;
+       pf_app_compare  compare_ext_gwy;
        union {
                struct pf_pptp_state pptp;
                struct pf_grev1_state grev1;
@@ -980,12 +978,12 @@ struct pf_state_key_cmp {
        struct pf_state_host gwy;
        struct pf_state_host ext_lan;
        struct pf_state_host ext_gwy;
-       sa_family_t      af_lan;
-       sa_family_t      af_gwy;
-       u_int8_t         proto;
-       u_int8_t         direction;
-       u_int8_t         proto_variant;
-       struct pf_app_state     *app_state;
+       sa_family_t      af_lan;
+       sa_family_t      af_gwy;
+       u_int8_t         proto;
+       u_int8_t         direction;
+       u_int8_t         proto_variant;
+       struct pf_app_state     *app_state;
 };
 
 TAILQ_HEAD(pf_statelist, pf_state);
@@ -995,35 +993,35 @@ struct pf_state_key {
        struct pf_state_host gwy;
        struct pf_state_host ext_lan;
        struct pf_state_host ext_gwy;
-       sa_family_t      af_lan;
-       sa_family_t      af_gwy;
-       u_int8_t         proto;
-       u_int8_t         direction;
-       u_int8_t         proto_variant;
-       struct pf_app_state     *app_state;
-       u_int32_t        flowsrc;
-       u_int32_t        flowhash;
+       sa_family_t      af_lan;
+       sa_family_t      af_gwy;
+       u_int8_t         proto;
+       u_int8_t         direction;
+       u_int8_t         proto_variant;
+       struct pf_app_state     *app_state;
+       u_int32_t        flowsrc;
+       u_int32_t        flowhash;
 
-       RB_ENTRY(pf_state_key)   entry_lan_ext;
-       RB_ENTRY(pf_state_key)   entry_ext_gwy;
-       struct pf_statelist      states;
-       u_int32_t        refcnt;
+       RB_ENTRY(pf_state_key)   entry_lan_ext;
+       RB_ENTRY(pf_state_key)   entry_ext_gwy;
+       struct pf_statelist      states;
+       u_int32_t        refcnt;
 };
 
 
 /* keep synced with struct pf_state, used in RB_FIND */
 struct pf_state_cmp {
-       u_int64_t        id;
-       u_int32_t        creatorid;
-       u_int32_t        pad;
+       u_int64_t        id;
+       u_int32_t        creatorid;
+       u_int32_t        pad;
 };
 
 /* flowhash key (12-bytes multiple for performance) */
 struct pf_flowhash_key {
-       struct pf_state_host    ap1;    /* address+port blob 1 */
-       struct pf_state_host    ap2;    /* address+port blob 2 */
-       u_int32_t               af;
-       u_int32_t               proto;
+       struct pf_state_host    ap1;    /* address+port blob 1 */
+       struct pf_state_host    ap2;    /* address+port blob 2 */
+       u_int32_t               af;
+       u_int32_t               proto;
 };
 #endif /* KERNEL */
 
@@ -1032,159 +1030,159 @@ TAILQ_HEAD(hook_desc_head, hook_desc);
 
 #ifdef KERNEL
 struct pf_state {
-       u_int64_t                id;
-       u_int32_t                creatorid;
-       u_int32_t                pad;
-
-       TAILQ_ENTRY(pf_state)    entry_list;
-       TAILQ_ENTRY(pf_state)    next;
-       RB_ENTRY(pf_state)       entry_id;
-       struct pf_state_peer     src;
-       struct pf_state_peer     dst;
-       union pf_rule_ptr        rule;
-       union pf_rule_ptr        anchor;
-       union pf_rule_ptr        nat_rule;
-       struct pf_addr           rt_addr;
-       struct hook_desc_head    unlink_hooks;
-       struct pf_state_key     *state_key;
-       struct pfi_kif          *kif;
-       struct pfi_kif          *rt_kif;
-       struct pf_src_node      *src_node;
-       struct pf_src_node      *nat_src_node;
-       u_int64_t                packets[2];
-       u_int64_t                bytes[2];
-       u_int64_t                creation;
-       u_int64_t                expire;
-       u_int64_t                pfsync_time;
-       u_int16_t                tag;
-       u_int8_t                 log;
-       u_int8_t                 allow_opts;
-       u_int8_t                 timeout;
-       u_int8_t                 sync_flags;
+       u_int64_t                id;
+       u_int32_t                creatorid;
+       u_int32_t                pad;
+
+       TAILQ_ENTRY(pf_state)    entry_list;
+       TAILQ_ENTRY(pf_state)    next;
+       RB_ENTRY(pf_state)       entry_id;
+       struct pf_state_peer     src;
+       struct pf_state_peer     dst;
+       union pf_rule_ptr        rule;
+       union pf_rule_ptr        anchor;
+       union pf_rule_ptr        nat_rule;
+       struct pf_addr           rt_addr;
+       struct hook_desc_head    unlink_hooks;
+       struct pf_state_key     *state_key;
+       struct pfi_kif          *kif;
+       struct pfi_kif          *rt_kif;
+       struct pf_src_node      *src_node;
+       struct pf_src_node      *nat_src_node;
+       u_int64_t                packets[2];
+       u_int64_t                bytes[2];
+       u_int64_t                creation;
+       u_int64_t                expire;
+       u_int64_t                pfsync_time;
+       u_int16_t                tag;
+       u_int8_t                 log;
+       u_int8_t                 allow_opts;
+       u_int8_t                 timeout;
+       u_int8_t                 sync_flags;
 };
 #endif /* KERNEL */
 
-#define        PFSTATE_NOSYNC   0x01
-#define        PFSTATE_FROMSYNC 0x02
-#define        PFSTATE_STALE    0x04
+#define PFSTATE_NOSYNC   0x01
+#define PFSTATE_FROMSYNC 0x02
+#define PFSTATE_STALE    0x04
 
-#define        __packed        __attribute__((__packed__))
+#define __packed        __attribute__((__packed__))
 
 /*
  * Unified state structures for pulling states out of the kernel
  * used by pfsync(4) and the pf(4) ioctl.
  */
 struct pfsync_state_scrub {
-       u_int16_t       pfss_flags;
-       u_int8_t        pfss_ttl;       /* stashed TTL          */
-#define PFSYNC_SCRUB_FLAG_VALID        0x01
-       u_int8_t        scrub_flag;
-       u_int32_t       pfss_ts_mod;    /* timestamp modulation */
+       u_int16_t       pfss_flags;
+       u_int8_t        pfss_ttl;       /* stashed TTL          */
+#define PFSYNC_SCRUB_FLAG_VALID         0x01
+       u_int8_t        scrub_flag;
+       u_int32_t       pfss_ts_mod;    /* timestamp modulation */
 } __packed;
 
 struct pfsync_state_host {
-       struct pf_addr          addr;
-       union pf_state_xport    xport;
-       u_int16_t               pad[2];
+       struct pf_addr          addr;
+       union pf_state_xport    xport;
+       u_int16_t               pad[2];
 } __packed;
 
 struct pfsync_state_peer {
-       struct pfsync_state_scrub scrub;        /* state is scrubbed    */
-       u_int32_t       seqlo;          /* Max sequence number sent     */
-       u_int32_t       seqhi;          /* Max the other end ACKd + win */
-       u_int32_t       seqdiff;        /* Sequence number modulator    */
-       u_int16_t       max_win;        /* largest window (pre scaling) */
-       u_int16_t       mss;            /* Maximum segment size option  */
-       u_int8_t        state;          /* active state level           */
-       u_int8_t        wscale;         /* window scaling factor        */
-       u_int8_t        pad[6];
+       struct pfsync_state_scrub scrub;        /* state is scrubbed    */
+       u_int32_t       seqlo;          /* Max sequence number sent     */
+       u_int32_t       seqhi;          /* Max the other end ACKd + win */
+       u_int32_t       seqdiff;        /* Sequence number modulator    */
+       u_int16_t       max_win;        /* largest window (pre scaling) */
+       u_int16_t       mss;            /* Maximum segment size option  */
+       u_int8_t        state;          /* active state level           */
+       u_int8_t        wscale;         /* window scaling factor        */
+       u_int8_t        pad[6];
 } __packed;
 
 struct pfsync_state {
-       u_int32_t        id[2];
-       char             ifname[IFNAMSIZ];
+       u_int32_t        id[2];
+       char             ifname[IFNAMSIZ];
        struct pfsync_state_host lan;
        struct pfsync_state_host gwy;
        struct pfsync_state_host ext_lan;
        struct pfsync_state_host ext_gwy;
        struct pfsync_state_peer src;
        struct pfsync_state_peer dst;
-       struct pf_addr   rt_addr;
+       struct pf_addr   rt_addr;
        struct hook_desc_head unlink_hooks;
 #if !defined(__LP64__)
-       u_int32_t       _pad[2];
+       u_int32_t       _pad[2];
 #endif /* !__LP64__ */
-       u_int32_t        rule;
-       u_int32_t        anchor;
-       u_int32_t        nat_rule;
-       u_int64_t        creation;
-       u_int64_t        expire;
-       u_int32_t        packets[2][2];
-       u_int32_t        bytes[2][2];
-       u_int32_t        creatorid;
-       u_int16_t        tag;
-       sa_family_t      af_lan;
-       sa_family_t      af_gwy;
-       u_int8_t         proto;
-       u_int8_t         direction;
-       u_int8_t         log;
-       u_int8_t         allow_opts;
-       u_int8_t         timeout;
-       u_int8_t         sync_flags;
-       u_int8_t         updates;
-       u_int8_t         proto_variant;
-       u_int8_t         __pad;
-       u_int32_t        flowhash;
+       u_int32_t        rule;
+       u_int32_t        anchor;
+       u_int32_t        nat_rule;
+       u_int64_t        creation;
+       u_int64_t        expire;
+       u_int32_t        packets[2][2];
+       u_int32_t        bytes[2][2];
+       u_int32_t        creatorid;
+       u_int16_t        tag;
+       sa_family_t      af_lan;
+       sa_family_t      af_gwy;
+       u_int8_t         proto;
+       u_int8_t         direction;
+       u_int8_t         log;
+       u_int8_t         allow_opts;
+       u_int8_t         timeout;
+       u_int8_t         sync_flags;
+       u_int8_t         updates;
+       u_int8_t         proto_variant;
+       u_int8_t         __pad;
+       u_int32_t        flowhash;
 } __packed;
 
-#define PFSYNC_FLAG_COMPRESS   0x01
-#define PFSYNC_FLAG_STALE      0x02
-#define PFSYNC_FLAG_SRCNODE    0x04
-#define PFSYNC_FLAG_NATSRCNODE 0x08
+#define PFSYNC_FLAG_COMPRESS    0x01
+#define PFSYNC_FLAG_STALE       0x02
+#define PFSYNC_FLAG_SRCNODE     0x04
+#define PFSYNC_FLAG_NATSRCNODE  0x08
 
 #ifdef KERNEL
 /* for copies to/from userland via pf_ioctl() */
-#define pf_state_peer_to_pfsync(s, d) do {     \
-       (d)->seqlo = (s)->seqlo;                \
-       (d)->seqhi = (s)->seqhi;                \
-       (d)->seqdiff = (s)->seqdiff;            \
-       (d)->max_win = (s)->max_win;            \
-       (d)->mss = (s)->mss;                    \
-       (d)->state = (s)->state;                \
-       (d)->wscale = (s)->wscale;              \
-       if ((s)->scrub) {                                               \
-               (d)->scrub.pfss_flags =                                 \
-                   (s)->scrub->pfss_flags & PFSS_TIMESTAMP;            \
-               (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;             \
-               (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod;       \
-               (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;        \
-       }                                                               \
+#define pf_state_peer_to_pfsync(s, d) do {      \
+       (d)->seqlo = (s)->seqlo;                \
+       (d)->seqhi = (s)->seqhi;                \
+       (d)->seqdiff = (s)->seqdiff;            \
+       (d)->max_win = (s)->max_win;            \
+       (d)->mss = (s)->mss;                    \
+       (d)->state = (s)->state;                \
+       (d)->wscale = (s)->wscale;              \
+       if ((s)->scrub) {                                               \
+               (d)->scrub.pfss_flags =                                 \
+                   (s)->scrub->pfss_flags & PFSS_TIMESTAMP;            \
+               (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;             \
+               (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod;       \
+               (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;        \
+       }                                                               \
 } while (0)
 
-#define pf_state_peer_from_pfsync(s, d) do {   \
-       (d)->seqlo = (s)->seqlo;                \
-       (d)->seqhi = (s)->seqhi;                \
-       (d)->seqdiff = (s)->seqdiff;            \
-       (d)->max_win = (s)->max_win;            \
-       (d)->mss = ntohs((s)->mss);             \
-       (d)->state = (s)->state;                \
-       (d)->wscale = (s)->wscale;              \
-       if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID &&         \
-           (d)->scrub != NULL) {                                       \
-               (d)->scrub->pfss_flags =                                \
-                   ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;      \
-               (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;             \
-               (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod;       \
-       }                                                               \
+#define pf_state_peer_from_pfsync(s, d) do {    \
+       (d)->seqlo = (s)->seqlo;                \
+       (d)->seqhi = (s)->seqhi;                \
+       (d)->seqdiff = (s)->seqdiff;            \
+       (d)->max_win = (s)->max_win;            \
+       (d)->mss = ntohs((s)->mss);             \
+       (d)->state = (s)->state;                \
+       (d)->wscale = (s)->wscale;              \
+       if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID &&         \
+           (d)->scrub != NULL) {                                       \
+               (d)->scrub->pfss_flags =                                \
+                   ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;      \
+               (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;             \
+               (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod;       \
+       }                                                               \
 } while (0)
 #endif /* KERNEL */
 
-#define pf_state_counter_to_pfsync(s, d) do {                  \
-       d[0] = (s>>32)&0xffffffff;                              \
-       d[1] = s&0xffffffff;                                    \
+#define pf_state_counter_to_pfsync(s, d) do {                   \
+       d[0] = (s>>32)&0xffffffff;                              \
+       d[1] = s&0xffffffff;                                    \
 } while (0)
 
-#define pf_state_counter_from_pfsync(s)                \
+#define pf_state_counter_from_pfsync(s)         \
        (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
 
 
@@ -1195,34 +1193,34 @@ struct pf_anchor;
 
 struct pf_ruleset {
        struct {
-               struct pf_rulequeue      queues[2];
+               struct pf_rulequeue      queues[2];
                struct {
-                       struct pf_rulequeue     *ptr;
-                       struct pf_rule          **ptr_array;
-                       u_int32_t                rcount;
-                       u_int32_t                ticket;
-                       int                      open;
-               }                        active, inactive;
-       }                        rules[PF_RULESET_MAX];
-       struct pf_anchor        *anchor;
-       u_int32_t                tticket;
-       int                      tables;
-       int                      topen;
+                       struct pf_rulequeue     *ptr;
+                       struct pf_rule          **ptr_array;
+                       u_int32_t                rcount;
+                       u_int32_t                ticket;
+                       int                      open;
+               }                        active, inactive;
+       }                        rules[PF_RULESET_MAX];
+       struct pf_anchor        *anchor;
+       u_int32_t                tticket;
+       int                      tables;
+       int                      topen;
 };
 
 RB_HEAD(pf_anchor_global, pf_anchor);
 RB_HEAD(pf_anchor_node, pf_anchor);
 struct pf_anchor {
-       RB_ENTRY(pf_anchor)      entry_global;
-       RB_ENTRY(pf_anchor)      entry_node;
-       struct pf_anchor        *parent;
-       struct pf_anchor_node    children;
-       char                     name[PF_ANCHOR_NAME_SIZE];
-       char                     path[MAXPATHLEN];
-       struct pf_ruleset        ruleset;
-       int                      refcnt;        /* anchor rules */
-       int                      match;
-       char                     owner[PF_OWNER_NAME_SIZE];
+       RB_ENTRY(pf_anchor)      entry_global;
+       RB_ENTRY(pf_anchor)      entry_node;
+       struct pf_anchor        *parent;
+       struct pf_anchor_node    children;
+       char                     name[PF_ANCHOR_NAME_SIZE];
+       char                     path[MAXPATHLEN];
+       struct pf_ruleset        ruleset;
+       int                      refcnt;        /* anchor rules */
+       int                      match;
+       char                     owner[PF_OWNER_NAME_SIZE];
 };
 #ifdef KERNEL
 RB_PROTOTYPE_SC(__private_extern__, pf_anchor_global, pf_anchor, entry_global,
@@ -1234,116 +1232,116 @@ RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
 RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
 #endif /* !KERNEL */
 
-#define PF_RESERVED_ANCHOR     "_pf"
+#define PF_RESERVED_ANCHOR      "_pf"
 
-#define PFR_TFLAG_PERSIST      0x00000001
-#define PFR_TFLAG_CONST                0x00000002
-#define PFR_TFLAG_ACTIVE       0x00000004
-#define PFR_TFLAG_INACTIVE     0x00000008
-#define PFR_TFLAG_REFERENCED   0x00000010
-#define PFR_TFLAG_REFDANCHOR   0x00000020
-#define PFR_TFLAG_USRMASK      0x00000003
-#define PFR_TFLAG_SETMASK      0x0000003C
-#define PFR_TFLAG_ALLMASK      0x0000003F
+#define PFR_TFLAG_PERSIST       0x00000001
+#define PFR_TFLAG_CONST         0x00000002
+#define PFR_TFLAG_ACTIVE        0x00000004
+#define PFR_TFLAG_INACTIVE      0x00000008
+#define PFR_TFLAG_REFERENCED    0x00000010
+#define PFR_TFLAG_REFDANCHOR    0x00000020
+#define PFR_TFLAG_USRMASK       0x00000003
+#define PFR_TFLAG_SETMASK       0x0000003C
+#define PFR_TFLAG_ALLMASK       0x0000003F
 
 struct pfr_table {
-       char                     pfrt_anchor[MAXPATHLEN];
-       char                     pfrt_name[PF_TABLE_NAME_SIZE];
-       u_int32_t                pfrt_flags;
-       u_int8_t                 pfrt_fback;
+       char                     pfrt_anchor[MAXPATHLEN];
+       char                     pfrt_name[PF_TABLE_NAME_SIZE];
+       uint32_t                 pfrt_flags;
+       uint8_t                  pfrt_fback;
 };
 
 enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
-       PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
-       PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX };
+       PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
+       PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX };
 
 struct pfr_addr {
        union {
-               struct in_addr   _pfra_ip4addr;
-               struct in6_addr  _pfra_ip6addr;
-       }                pfra_u;
-       u_int8_t         pfra_af;
-       u_int8_t         pfra_net;
-       u_int8_t         pfra_not;
-       u_int8_t         pfra_fback;
+               struct in_addr   _pfra_ip4addr;
+               struct in6_addr  _pfra_ip6addr;
+       }                pfra_u;
+       uint8_t          pfra_af;
+       uint8_t          pfra_net;
+       uint8_t          pfra_not;
+       uint8_t          pfra_fback;
 };
-#define        pfra_ip4addr    pfra_u._pfra_ip4addr
-#define        pfra_ip6addr    pfra_u._pfra_ip6addr
+#define pfra_ip4addr    pfra_u._pfra_ip4addr
+#define pfra_ip6addr    pfra_u._pfra_ip6addr
 
 enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
 enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
-#define PFR_OP_XPASS   PFR_OP_ADDR_MAX
+#define PFR_OP_XPASS    PFR_OP_ADDR_MAX
 
 struct pfr_astats {
-       struct pfr_addr  pfras_a;
+       struct pfr_addr  pfras_a;
 #if !defined(__LP64__)
-       u_int32_t        _pad;
+       uint32_t         _pad;
 #endif /* !__LP64__ */
-       u_int64_t        pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-       u_int64_t        pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-       u_int64_t        pfras_tzero;
+       uint64_t         pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+       uint64_t         pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+       uint64_t         pfras_tzero;
 };
 
 enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
 
 struct pfr_tstats {
        struct pfr_table pfrts_t;
-       u_int64_t        pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
-       u_int64_t        pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
-       u_int64_t        pfrts_match;
-       u_int64_t        pfrts_nomatch;
-       u_int64_t        pfrts_tzero;
-       int              pfrts_cnt;
-       int              pfrts_refcnt[PFR_REFCNT_MAX];
+       u_int64_t        pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
+       u_int64_t        pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
+       u_int64_t        pfrts_match;
+       u_int64_t        pfrts_nomatch;
+       u_int64_t        pfrts_tzero;
+       int              pfrts_cnt;
+       int              pfrts_refcnt[PFR_REFCNT_MAX];
 #if !defined(__LP64__)
-       u_int32_t        _pad;
+       u_int32_t        _pad;
 #endif /* !__LP64__ */
 };
-#define        pfrts_name      pfrts_t.pfrt_name
-#define pfrts_flags    pfrts_t.pfrt_flags
+#define pfrts_name      pfrts_t.pfrt_name
+#define pfrts_flags     pfrts_t.pfrt_flags
 
 #ifdef KERNEL
 SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
 struct pfr_kentry {
-       struct radix_node        pfrke_node[2];
-       union sockaddr_union     pfrke_sa;
-       u_int64_t                pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-       u_int64_t                pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-       SLIST_ENTRY(pfr_kentry)  pfrke_workq;
-       u_int64_t                pfrke_tzero;
-       u_int8_t                 pfrke_af;
-       u_int8_t                 pfrke_net;
-       u_int8_t                 pfrke_not;
-       u_int8_t                 pfrke_mark;
-       u_int8_t                 pfrke_intrpool;
+       struct radix_node        pfrke_node[2];
+       union sockaddr_union     pfrke_sa;
+       u_int64_t                pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+       u_int64_t                pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+       SLIST_ENTRY(pfr_kentry)  pfrke_workq;
+       u_int64_t                pfrke_tzero;
+       u_int8_t                 pfrke_af;
+       u_int8_t                 pfrke_net;
+       u_int8_t                 pfrke_not;
+       u_int8_t                 pfrke_mark;
+       u_int8_t                 pfrke_intrpool;
 };
 
 SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
 RB_HEAD(pfr_ktablehead, pfr_ktable);
 struct pfr_ktable {
-       struct pfr_tstats        pfrkt_ts;
-       RB_ENTRY(pfr_ktable)     pfrkt_tree;
-       SLIST_ENTRY(pfr_ktable)  pfrkt_workq;
-       struct radix_node_head  *pfrkt_ip4;
-       struct radix_node_head  *pfrkt_ip6;
-       struct pfr_ktable       *pfrkt_shadow;
-       struct pfr_ktable       *pfrkt_root;
-       struct pf_ruleset       *pfrkt_rs;
-       u_int64_t                pfrkt_larg;
-       u_int32_t                pfrkt_nflags;
-};
-#define pfrkt_t                pfrkt_ts.pfrts_t
-#define pfrkt_name     pfrkt_t.pfrt_name
-#define pfrkt_anchor   pfrkt_t.pfrt_anchor
-#define pfrkt_ruleset  pfrkt_t.pfrt_ruleset
-#define pfrkt_flags    pfrkt_t.pfrt_flags
-#define pfrkt_cnt      pfrkt_ts.pfrts_cnt
-#define pfrkt_refcnt   pfrkt_ts.pfrts_refcnt
-#define pfrkt_packets  pfrkt_ts.pfrts_packets
-#define pfrkt_bytes    pfrkt_ts.pfrts_bytes
-#define pfrkt_match    pfrkt_ts.pfrts_match
-#define pfrkt_nomatch  pfrkt_ts.pfrts_nomatch
-#define pfrkt_tzero    pfrkt_ts.pfrts_tzero
+       struct pfr_tstats        pfrkt_ts;
+       RB_ENTRY(pfr_ktable)     pfrkt_tree;
+       SLIST_ENTRY(pfr_ktable)  pfrkt_workq;
+       struct radix_node_head  *pfrkt_ip4;
+       struct radix_node_head  *pfrkt_ip6;
+       struct pfr_ktable       *pfrkt_shadow;
+       struct pfr_ktable       *pfrkt_root;
+       struct pf_ruleset       *pfrkt_rs;
+       u_int64_t                pfrkt_larg;
+       u_int32_t                pfrkt_nflags;
+};
+#define pfrkt_t         pfrkt_ts.pfrts_t
+#define pfrkt_name      pfrkt_t.pfrt_name
+#define pfrkt_anchor    pfrkt_t.pfrt_anchor
+#define pfrkt_ruleset   pfrkt_t.pfrt_ruleset
+#define pfrkt_flags     pfrkt_t.pfrt_flags
+#define pfrkt_cnt       pfrkt_ts.pfrts_cnt
+#define pfrkt_refcnt    pfrkt_ts.pfrts_refcnt
+#define pfrkt_packets   pfrkt_ts.pfrts_packets
+#define pfrkt_bytes     pfrkt_ts.pfrts_bytes
+#define pfrkt_match     pfrkt_ts.pfrts_match
+#define pfrkt_nomatch   pfrkt_ts.pfrts_nomatch
+#define pfrkt_tzero     pfrkt_ts.pfrts_tzero
 
 RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
 RB_PROTOTYPE_SC(__private_extern__, pf_state_tree_lan_ext, pf_state_key,
@@ -1356,26 +1354,21 @@ RB_PROTOTYPE_SC(__private_extern__, pf_state_tree_ext_gwy, pf_state_key,
 RB_HEAD(pfi_ifhead, pfi_kif);
 
 /* state tables */
-extern struct pf_state_tree_lan_ext     pf_statetbl_lan_ext;
-extern struct pf_state_tree_ext_gwy     pf_statetbl_ext_gwy;
-
-/* keep synced with pfi_kif, used in RB_FIND */
-struct pfi_kif_cmp {
-       char                             pfik_name[IFNAMSIZ];
-};
+extern struct pf_state_tree_lan_ext      pf_statetbl_lan_ext;
+extern struct pf_state_tree_ext_gwy      pf_statetbl_ext_gwy;
 
 struct pfi_kif {
-       char                             pfik_name[IFNAMSIZ];
-       RB_ENTRY(pfi_kif)                pfik_tree;
-       u_int64_t                        pfik_packets[2][2][2];
-       u_int64_t                        pfik_bytes[2][2][2];
-       u_int64_t                        pfik_tzero;
-       int                              pfik_flags;
-       void                            *pfik_ah_cookie;
-       struct ifnet                    *pfik_ifp;
-       int                              pfik_states;
-       int                              pfik_rules;
-       TAILQ_HEAD(, pfi_dynaddr)        pfik_dynaddrs;
+       char                             pfik_name[IFNAMSIZ];
+       RB_ENTRY(pfi_kif)                pfik_tree;
+       u_int64_t                        pfik_packets[2][2][2];
+       u_int64_t                        pfik_bytes[2][2][2];
+       u_int64_t                        pfik_tzero;
+       int                              pfik_flags;
+       void                            *pfik_ah_cookie;
+       struct ifnet                    *pfik_ifp;
+       int                              pfik_states;
+       int                              pfik_rules;
+       TAILQ_HEAD(, pfi_dynaddr)        pfik_dynaddrs;
 };
 
 enum pfi_kif_refs {
@@ -1388,98 +1381,95 @@ struct pfi_uif {
 #else /* !KERNEL */
 struct pfi_kif {
 #endif /* !KERNEL */
-       char                             pfik_name[IFNAMSIZ];
-       u_int64_t                        pfik_packets[2][2][2];
-       u_int64_t                        pfik_bytes[2][2][2];
-       u_int64_t                        pfik_tzero;
-       int                              pfik_flags;
-       int                              pfik_states;
-       int                              pfik_rules;
+       char                             pfik_name[IFNAMSIZ];
+       u_int64_t                        pfik_packets[2][2][2];
+       u_int64_t                        pfik_bytes[2][2][2];
+       u_int64_t                        pfik_tzero;
+       int                              pfik_flags;
+       int                              pfik_states;
+       int                              pfik_rules;
 #if !defined(__LP64__)
-       u_int32_t                        _pad;
+       u_int32_t                        _pad;
 #endif /* !__LP64__ */
 };
 
-#define PFI_IFLAG_SKIP         0x0100  /* skip filtering on interface */
+#define PFI_IFLAG_SKIP          0x0100  /* skip filtering on interface */
 
 #ifdef KERNEL
 struct pf_pdesc {
        struct {
-               int      done;
-               uid_t    uid;
-               gid_t    gid;
-               pid_t    pid;
-       }                lookup;
-       u_int64_t        tot_len;       /* Make Mickey money */
+               int      done;
+               uid_t    uid;
+               gid_t    gid;
+               pid_t    pid;
+       }                lookup;
+       u_int64_t        tot_len;       /* Make Mickey money */
        union {
-               struct tcphdr           *tcp;
-               struct udphdr           *udp;
-               struct icmp             *icmp;
-#if INET6
-               struct icmp6_hdr        *icmp6;
-#endif /* INET6 */
-               struct pf_grev1_hdr     *grev1;
-               struct pf_esp_hdr       *esp;
-               void                    *any;
+               struct tcphdr           *tcp;
+               struct udphdr           *udp;
+               struct icmp             *icmp;
+               struct icmp6_hdr        *icmp6;
+               struct pf_grev1_hdr     *grev1;
+               struct pf_esp_hdr       *esp;
+               void                    *any;
        } hdr;
 
        /* XXX TODO: Change baddr and naddr to *saddr */
-       struct pf_addr   baddr;         /* src address before translation */
-       struct pf_addr   bdaddr;        /* dst address before translation */
-       struct pf_addr   naddr;         /* src address after translation */
-       struct pf_addr   ndaddr;        /* dst address after translation */
-       struct pf_rule  *nat_rule;      /* nat/rdr rule applied to packet */
-       struct pf_addr  *src;
-       struct pf_addr  *dst;
-       struct ether_header
-                       *eh;
-       pbuf_t          *mp;
-       int             lmw;            /* lazy writable offset */
-       struct pf_mtag  *pf_mtag;
-       u_int16_t       *ip_sum;
-       u_int32_t        off;           /* protocol header offset */
-       u_int32_t        hdrlen;        /* protocol header length */
-       u_int32_t        p_len;         /* total length of payload */
-       u_int16_t        flags;         /* Let SCRUB trigger behavior in */
-                                       /* state code. Easier than tags */
-#define PFDESC_TCP_NORM        0x0001          /* TCP shall be statefully scrubbed */
-#define PFDESC_IP_REAS 0x0002          /* IP frags would've been reassembled */
-#define PFDESC_IP_FRAG 0x0004          /* This is a fragment */
-       sa_family_t      af;
-       sa_family_t      naf;           /*  address family after translation */
-       u_int8_t         proto;
-       u_int8_t         tos;
-       u_int8_t         ttl;
-       u_int8_t         proto_variant;
-       mbuf_svc_class_t sc;            /* mbuf service class (MBUF_SVC) */
-       u_int32_t        pktflags;      /* mbuf packet flags (PKTF) */
-       u_int32_t        flowsrc;       /* flow source (FLOWSRC) */
-       u_int32_t        flowhash;      /* flow hash to identify the sender */
+       struct pf_addr   baddr;         /* src address before translation */
+       struct pf_addr   bdaddr;        /* dst address before translation */
+       struct pf_addr   naddr;         /* src address after translation */
+       struct pf_addr   ndaddr;        /* dst address after translation */
+       struct pf_rule  *nat_rule;      /* nat/rdr rule applied to packet */
+       struct pf_addr  *src;
+       struct pf_addr  *dst;
+       struct ether_header     *eh;
+       pbuf_t          *mp;
+       int             lmw;            /* lazy writable offset */
+       struct pf_mtag  *pf_mtag;
+       u_int16_t       *ip_sum;
+       u_int32_t        off;           /* protocol header offset */
+       u_int32_t        hdrlen;        /* protocol header length */
+       u_int32_t        p_len;         /* total length of payload */
+       u_int16_t        flags;         /* Let SCRUB trigger behavior in */
+                                       /* state code. Easier than tags */
+#define PFDESC_TCP_NORM 0x0001          /* TCP shall be statefully scrubbed */
+#define PFDESC_IP_REAS  0x0002          /* IP frags would've been reassembled */
+#define PFDESC_IP_FRAG  0x0004          /* This is a fragment */
+       sa_family_t      af;
+       sa_family_t      naf;           /*  address family after translation */
+       u_int8_t         proto;
+       u_int8_t         tos;
+       u_int8_t         ttl;
+       u_int8_t         proto_variant;
+       mbuf_svc_class_t sc;            /* mbuf service class (MBUF_SVC) */
+       u_int32_t        pktflags;      /* mbuf packet flags (PKTF) */
+       u_int32_t        flowsrc;       /* flow source (FLOWSRC) */
+       u_int32_t        flowhash;      /* flow hash to identify the sender */
 };
 #endif /* KERNEL */
 
 /* flags for RDR options */
-#define PF_DPORT_RANGE 0x01            /* Dest port uses range */
-#define PF_RPORT_RANGE 0x02            /* RDR'ed port uses range */
+#define PF_DPORT_RANGE  0x01            /* Dest port uses range */
+#define PF_RPORT_RANGE  0x02            /* RDR'ed port uses range */
 
 /* Reasons code for passing/dropping a packet */
-#define PFRES_MATCH    0               /* Explicit match of a rule */
-#define PFRES_BADOFF   1               /* Bad offset for pull_hdr */
-#define PFRES_FRAG     2               /* Dropping following fragment */
-#define PFRES_SHORT    3               /* Dropping short packet */
-#define PFRES_NORM     4               /* Dropping by normalizer */
-#define PFRES_MEMORY   5               /* Dropped due to lacking mem */
-#define PFRES_TS       6               /* Bad TCP Timestamp (RFC1323) */
-#define PFRES_CONGEST  7               /* Congestion (of ipintrq) */
-#define PFRES_IPOPTIONS 8              /* IP option */
-#define PFRES_PROTCKSUM 9              /* Protocol checksum invalid */
-#define PFRES_BADSTATE 10              /* State mismatch */
-#define PFRES_STATEINS 11              /* State insertion failure */
-#define PFRES_MAXSTATES        12              /* State limit */
-#define PFRES_SRCLIMIT 13              /* Source node/conn limit */
-#define PFRES_SYNPROXY 14              /* SYN proxy */
-#define PFRES_DUMMYNET 15              /* Dummynet */
-#define PFRES_MAX      16              /* total+1 */
+#define PFRES_MATCH     0               /* Explicit match of a rule */
+#define PFRES_BADOFF    1               /* Bad offset for pull_hdr */
+#define PFRES_FRAG      2               /* Dropping following fragment */
+#define PFRES_SHORT     3               /* Dropping short packet */
+#define PFRES_NORM      4               /* Dropping by normalizer */
+#define PFRES_MEMORY    5               /* Dropped due to lacking mem */
+#define PFRES_TS        6               /* Bad TCP Timestamp (RFC1323) */
+#define PFRES_CONGEST   7               /* Congestion (of ipintrq) */
+#define PFRES_IPOPTIONS 8               /* IP option */
+#define PFRES_PROTCKSUM 9               /* Protocol checksum invalid */
+#define PFRES_BADSTATE  10              /* State mismatch */
+#define PFRES_STATEINS  11              /* State insertion failure */
+#define PFRES_MAXSTATES 12              /* State limit */
+#define PFRES_SRCLIMIT  13              /* Source node/conn limit */
+#define PFRES_SYNPROXY  14              /* SYN proxy */
+#define PFRES_DUMMYNET  15              /* Dummynet */
+#define PFRES_MAX       16              /* total+1 */
 
 #define PFRES_NAMES { \
        "match", \
@@ -1502,14 +1492,14 @@ struct pf_pdesc {
 }
 
 /* Counters for other things we want to keep track of */
-#define LCNT_STATES            0       /* states */
-#define LCNT_SRCSTATES         1       /* max-src-states */
-#define LCNT_SRCNODES          2       /* max-src-nodes */
-#define LCNT_SRCCONN           3       /* max-src-conn */
-#define LCNT_SRCCONNRATE       4       /* max-src-conn-rate */
-#define LCNT_OVERLOAD_TABLE    5       /* entry added to overload table */
-#define LCNT_OVERLOAD_FLUSH    6       /* state entries flushed */
-#define LCNT_MAX               7       /* total+1 */
+#define LCNT_STATES             0       /* states */
+#define LCNT_SRCSTATES          1       /* max-src-states */
+#define LCNT_SRCNODES           2       /* max-src-nodes */
+#define LCNT_SRCCONN            3       /* max-src-conn */
+#define LCNT_SRCCONNRATE        4       /* max-src-conn-rate */
+#define LCNT_OVERLOAD_TABLE     5       /* entry added to overload table */
+#define LCNT_OVERLOAD_FLUSH     6       /* state entries flushed */
+#define LCNT_MAX                7       /* total+1 */
 
 #define LCNT_NAMES { \
        "max states per rule", \
@@ -1523,11 +1513,11 @@ struct pf_pdesc {
 }
 
 /* UDP state enumeration */
-#define PFUDPS_NO_TRAFFIC      0
-#define PFUDPS_SINGLE          1
-#define PFUDPS_MULTIPLE                2
+#define PFUDPS_NO_TRAFFIC       0
+#define PFUDPS_SINGLE           1
+#define PFUDPS_MULTIPLE         2
 
-#define PFUDPS_NSTATES         3       /* number of state levels */
+#define PFUDPS_NSTATES          3       /* number of state levels */
 
 #define PFUDPS_NAMES { \
        "NO_TRAFFIC", \
@@ -1537,11 +1527,11 @@ struct pf_pdesc {
 }
 
 /* GREv1 protocol state enumeration */
-#define PFGRE1S_NO_TRAFFIC             0
-#define PFGRE1S_INITIATING             1
-#define PFGRE1S_ESTABLISHED            2
+#define PFGRE1S_NO_TRAFFIC              0
+#define PFGRE1S_INITIATING              1
+#define PFGRE1S_ESTABLISHED             2
 
-#define PFGRE1S_NSTATES                        3       /* number of state levels */
+#define PFGRE1S_NSTATES                 3       /* number of state levels */
 
 #define PFGRE1S_NAMES { \
        "NO_TRAFFIC", \
@@ -1550,20 +1540,20 @@ struct pf_pdesc {
        NULL \
 }
 
-#define PFESPS_NO_TRAFFIC      0
-#define PFESPS_INITIATING      1
-#define PFESPS_ESTABLISHED     2
+#define PFESPS_NO_TRAFFIC       0
+#define PFESPS_INITIATING       1
+#define PFESPS_ESTABLISHED      2
 
-#define PFESPS_NSTATES         3       /* number of state levels */
+#define PFESPS_NSTATES          3       /* number of state levels */
 
 #define PFESPS_NAMES { "NO_TRAFFIC", "INITIATING", "ESTABLISHED", NULL }
 
 /* Other protocol state enumeration */
-#define PFOTHERS_NO_TRAFFIC    0
-#define PFOTHERS_SINGLE                1
-#define PFOTHERS_MULTIPLE      2
+#define PFOTHERS_NO_TRAFFIC     0
+#define PFOTHERS_SINGLE         1
+#define PFOTHERS_MULTIPLE       2
 
-#define PFOTHERS_NSTATES       3       /* number of state levels */
+#define PFOTHERS_NSTATES        3       /* number of state levels */
 
 #define PFOTHERS_NAMES { \
        "NO_TRAFFIC", \
@@ -1572,220 +1562,214 @@ struct pf_pdesc {
        NULL \
 }
 
-#define FCNT_STATE_SEARCH      0
-#define FCNT_STATE_INSERT      1
-#define FCNT_STATE_REMOVALS    2
-#define FCNT_MAX               3
+#define FCNT_STATE_SEARCH       0
+#define FCNT_STATE_INSERT       1
+#define FCNT_STATE_REMOVALS     2
+#define FCNT_MAX                3
 
-#define SCNT_SRC_NODE_SEARCH   0
-#define SCNT_SRC_NODE_INSERT   1
-#define SCNT_SRC_NODE_REMOVALS 2
-#define SCNT_MAX               3
+#define SCNT_SRC_NODE_SEARCH    0
+#define SCNT_SRC_NODE_INSERT    1
+#define SCNT_SRC_NODE_REMOVALS  2
+#define SCNT_MAX                3
 
 #ifdef KERNEL
 #define ACTION_SET(a, x) \
        do { \
-               if ((a) != NULL) \
-                       *(a) = (x); \
+               if ((a) != NULL) \
+                       *(a) = (x); \
        } while (0)
 
 #define REASON_SET(a, x) \
        do { \
-               if ((a) != NULL) \
-                       *(a) = (x); \
-               if (x < PFRES_MAX) \
-                       pf_status.counters[x]++; \
+               if ((a) != NULL) \
+                       *(a) = (x); \
+               if (x < PFRES_MAX) \
+                       pf_status.counters[x]++; \
        } while (0)
 #endif /* KERNEL */
 
 struct pf_status {
-       u_int64_t       counters[PFRES_MAX];
-       u_int64_t       lcounters[LCNT_MAX];    /* limit counters */
-       u_int64_t       fcounters[FCNT_MAX];
-       u_int64_t       scounters[SCNT_MAX];
-       u_int64_t       pcounters[2][2][3];
-       u_int64_t       bcounters[2][2];
-       u_int64_t       stateid;
-       u_int32_t       running;
-       u_int32_t       states;
-       u_int32_t       src_nodes;
-       u_int64_t       since                   __attribute__((aligned(8)));
-       u_int32_t       debug;
-       u_int32_t       hostid;
-       char            ifname[IFNAMSIZ];
-       u_int8_t        pf_chksum[PF_MD5_DIGEST_LENGTH];
+       u_int64_t       counters[PFRES_MAX];
+       u_int64_t       lcounters[LCNT_MAX];    /* limit counters */
+       u_int64_t       fcounters[FCNT_MAX];
+       u_int64_t       scounters[SCNT_MAX];
+       u_int64_t       pcounters[2][2][3];
+       u_int64_t       bcounters[2][2];
+       u_int64_t       stateid;
+       u_int32_t       running;
+       u_int32_t       states;
+       u_int32_t       src_nodes;
+       u_int64_t       since                   __attribute__((aligned(8)));
+       u_int32_t       debug;
+       u_int32_t       hostid;
+       char            ifname[IFNAMSIZ];
+       u_int8_t        pf_chksum[PF_MD5_DIGEST_LENGTH];
 };
 
 struct cbq_opts {
-       u_int32_t       minburst;
-       u_int32_t       maxburst;
-       u_int32_t       pktsize;
-       u_int32_t       maxpktsize;
-       u_int32_t       ns_per_byte;
-       u_int32_t       maxidle;
-       int32_t         minidle;
-       u_int32_t       offtime;
-       u_int32_t       flags;
+       u_int32_t       minburst;
+       u_int32_t       maxburst;
+       u_int32_t       pktsize;
+       u_int32_t       maxpktsize;
+       u_int32_t       ns_per_byte;
+       u_int32_t       maxidle;
+       int32_t         minidle;
+       u_int32_t       offtime;
+       u_int32_t       flags;
 };
 
 struct priq_opts {
-       u_int32_t       flags;
-};
-
-struct qfq_opts {
-       u_int32_t       flags;
-       u_int32_t       lmax;
+       u_int32_t       flags;
 };
 
 struct hfsc_opts {
        /* real-time service curve */
-       u_int64_t       rtsc_m1;        /* slope of the 1st segment in bps */
-       u_int64_t       rtsc_d;         /* the x-projection of m1 in msec */
-       u_int64_t       rtsc_m2;        /* slope of the 2nd segment in bps */
-       u_int32_t       rtsc_fl;        /* service curve flags */
+       u_int64_t       rtsc_m1;        /* slope of the 1st segment in bps */
+       u_int64_t       rtsc_d;         /* the x-projection of m1 in msec */
+       u_int64_t       rtsc_m2;        /* slope of the 2nd segment in bps */
+       u_int32_t       rtsc_fl;        /* service curve flags */
 #if !defined(__LP64__)
-       u_int32_t       _pad;
+       u_int32_t       _pad;
 #endif /* !__LP64__ */
        /* link-sharing service curve */
-       u_int64_t       lssc_m1;
-       u_int64_t       lssc_d;
-       u_int64_t       lssc_m2;
-       u_int32_t       lssc_fl;
+       u_int64_t       lssc_m1;
+       u_int64_t       lssc_d;
+       u_int64_t       lssc_m2;
+       u_int32_t       lssc_fl;
 #if !defined(__LP64__)
-       u_int32_t       __pad;
+       u_int32_t       __pad;
 #endif /* !__LP64__ */
        /* upper-limit service curve */
-       u_int64_t       ulsc_m1;
-       u_int64_t       ulsc_d;
-       u_int64_t       ulsc_m2;
-       u_int32_t       ulsc_fl;
-       u_int32_t       flags;          /* scheduler flags */
+       u_int64_t       ulsc_m1;
+       u_int64_t       ulsc_d;
+       u_int64_t       ulsc_m2;
+       u_int32_t       ulsc_fl;
+       u_int32_t       flags;          /* scheduler flags */
 };
 
 struct fairq_opts {
-       u_int32_t       nbuckets;       /* hash buckets */
-       u_int32_t       flags;
-       u_int64_t       hogs_m1;        /* hog detection bandwidth */
+       u_int32_t       nbuckets;       /* hash buckets */
+       u_int32_t       flags;
+       u_int64_t       hogs_m1;        /* hog detection bandwidth */
 
        /* link-sharing service curve */
-       u_int64_t       lssc_m1;
-       u_int64_t       lssc_d;
-       u_int64_t       lssc_m2;
+       u_int64_t       lssc_m1;
+       u_int64_t       lssc_d;
+       u_int64_t       lssc_m2;
 };
 
 /* bandwidth types */
-#define PF_ALTQ_BW_ABSOLUTE    1       /* bw in absolute value (bps) */
-#define PF_ALTQ_BW_PERCENT     2       /* bandwidth in percentage */
+#define PF_ALTQ_BW_ABSOLUTE     1       /* bw in absolute value (bps) */
+#define PF_ALTQ_BW_PERCENT      2       /* bandwidth in percentage */
 
 /* ALTQ rule flags */
-#define        PF_ALTQF_TBR            0x1     /* enable Token Bucket Regulator */
+#define PF_ALTQF_TBR            0x1     /* enable Token Bucket Regulator */
 
 /* queue rule flags */
-#define        PF_ALTQ_QRF_WEIGHT      0x1     /* weight instead of priority */
+#define PF_ALTQ_QRF_WEIGHT      0x1     /* weight instead of priority */
 
 struct pf_altq {
-       char                     ifname[IFNAMSIZ];
+       char                     ifname[IFNAMSIZ];
 
        /* discipline-specific state */
-       void                    *altq_disc __attribute__((aligned(8)));
-       TAILQ_ENTRY(pf_altq)     entries __attribute__((aligned(8)));
+       void                    *altq_disc __attribute__((aligned(8)));
+       TAILQ_ENTRY(pf_altq)     entries __attribute__((aligned(8)));
 #if !defined(__LP64__)
-       u_int32_t               _pad[2];
+       u_int32_t               _pad[2];
 #endif /* !__LP64__ */
 
-       u_int32_t                aflags;        /* ALTQ rule flags */
-       u_int32_t                bwtype;        /* bandwidth type */
+       u_int32_t                aflags;        /* ALTQ rule flags */
+       u_int32_t                bwtype;        /* bandwidth type */
 
        /* scheduler spec */
-       u_int32_t                scheduler;     /* scheduler type */
-       u_int32_t                tbrsize;       /* tokenbucket regulator size */
-       u_int64_t                ifbandwidth;   /* interface bandwidth */
+       u_int32_t                scheduler;     /* scheduler type */
+       u_int32_t                tbrsize;       /* tokenbucket regulator size */
+       u_int64_t                ifbandwidth;   /* interface bandwidth */
 
        /* queue spec */
-       char                     qname[PF_QNAME_SIZE];  /* queue name */
-       char                     parent[PF_QNAME_SIZE]; /* parent name */
-       u_int32_t                parent_qid;    /* parent queue id */
-       u_int32_t                qrflags;       /* queue rule flags */
+       char                     qname[PF_QNAME_SIZE];  /* queue name */
+       char                     parent[PF_QNAME_SIZE]; /* parent name */
+       u_int32_t                parent_qid;    /* parent queue id */
+       u_int32_t                qrflags;       /* queue rule flags */
        union {
-               u_int32_t        priority;      /* priority */
-               u_int32_t        weight;        /* weight */
+               u_int32_t        priority;      /* priority */
+               u_int32_t        weight;        /* weight */
        };
-       u_int32_t                qlimit;        /* queue size limit */
-       u_int32_t                flags;         /* misc flags */
+       u_int32_t                qlimit;        /* queue size limit */
+       u_int32_t                flags;         /* misc flags */
 #if !defined(__LP64__)
-       u_int32_t               __pad;
+       u_int32_t               __pad;
 #endif /* !__LP64__ */
-       u_int64_t                bandwidth;     /* queue bandwidth */
+       u_int64_t                bandwidth;     /* queue bandwidth */
        union {
-               struct cbq_opts          cbq_opts;
-               struct priq_opts         priq_opts;
-               struct hfsc_opts         hfsc_opts;
-               struct fairq_opts        fairq_opts;
-               struct qfq_opts          qfq_opts;
+               struct cbq_opts          cbq_opts;
+               struct priq_opts         priq_opts;
+               struct hfsc_opts         hfsc_opts;
+               struct fairq_opts        fairq_opts;
        } pq_u;
 
-       u_int32_t                qid;           /* return value */
+       u_int32_t                qid;           /* return value */
 };
 
 struct pf_tagname {
-       TAILQ_ENTRY(pf_tagname) entries;
-       char                    name[PF_TAG_NAME_SIZE];
-       u_int16_t               tag;
-       int                     ref;
+       TAILQ_ENTRY(pf_tagname) entries;
+       char                    name[PF_TAG_NAME_SIZE];
+       u_int16_t               tag;
+       int                     ref;
 };
 
-#define PFFRAG_FRENT_HIWAT     5000    /* Number of fragment entries */
-#define PFFRAG_FRAG_HIWAT      1000    /* Number of fragmented packets */
-#define PFFRAG_FRCENT_HIWAT    50000   /* Number of fragment cache entries */
-#define PFFRAG_FRCACHE_HIWAT   10000   /* Number of fragment descriptors */
+#define PFFRAG_FRENT_HIWAT      5000    /* Number of fragment entries */
+#define PFFRAG_FRAG_HIWAT       1000    /* Number of fragmented packets */
+#define PFFRAG_FRCENT_HIWAT     50000   /* Number of fragment cache entries */
+#define PFFRAG_FRCACHE_HIWAT    10000   /* Number of fragment descriptors */
 
-#define PFR_KTABLE_HIWAT       1000    /* Number of tables */
-#define PFR_KENTRY_HIWAT       200000  /* Number of table entries */
-#define PFR_KENTRY_HIWAT_SMALL 100000  /* Number of table entries (tiny hosts) */
+#define PFR_KTABLE_HIWAT        1000    /* Number of tables */
+#define PFR_KENTRY_HIWAT        200000  /* Number of table entries */
+#define PFR_KENTRY_HIWAT_SMALL  100000  /* Number of table entries (tiny hosts) */
 
 /*
  * ioctl parameter structures
  */
 
 struct pfioc_pooladdr {
-       u_int32_t                action;
-       u_int32_t                ticket;
-       u_int32_t                nr;
-       u_int32_t                r_num;
-       u_int8_t                 r_action;
-       u_int8_t                 r_last;
-       u_int8_t                 af;
-       char                     anchor[MAXPATHLEN];
-       struct pf_pooladdr       addr;
+       u_int32_t                action;
+       u_int32_t                ticket;
+       u_int32_t                nr;
+       u_int32_t                r_num;
+       u_int8_t                 r_action;
+       u_int8_t                 r_last;
+       u_int8_t                 af;
+       char                     anchor[MAXPATHLEN];
+       struct pf_pooladdr       addr;
 };
 
 struct pfioc_rule {
-       u_int32_t        action;
-       u_int32_t        ticket;
-       u_int32_t        pool_ticket;
-       u_int32_t        nr;
-       char             anchor[MAXPATHLEN];
-       char             anchor_call[MAXPATHLEN];
-       struct pf_rule   rule;
+       u_int32_t        action;
+       u_int32_t        ticket;
+       u_int32_t        pool_ticket;
+       u_int32_t        nr;
+       char             anchor[MAXPATHLEN];
+       char             anchor_call[MAXPATHLEN];
+       struct pf_rule   rule;
 };
 
 struct pfioc_natlook {
-       struct pf_addr   saddr;
-       struct pf_addr   daddr;
-       struct pf_addr   rsaddr;
-       struct pf_addr   rdaddr;
-       union pf_state_xport    sxport;
-       union pf_state_xport    dxport;
-       union pf_state_xport    rsxport;
-       union pf_state_xport    rdxport;
-       sa_family_t      af;
-       u_int8_t         proto;
-       u_int8_t         proto_variant;
-       u_int8_t         direction;
+       struct pf_addr   saddr;
+       struct pf_addr   daddr;
+       struct pf_addr   rsaddr;
+       struct pf_addr   rdaddr;
+       union pf_state_xport    sxport;
+       union pf_state_xport    dxport;
+       union pf_state_xport    rsxport;
+       union pf_state_xport    rdxport;
+       sa_family_t      af;
+       u_int8_t         proto;
+       u_int8_t         proto_variant;
+       u_int8_t         direction;
 };
 
 struct pfioc_state {
-       struct pfsync_state     state;
+       struct pfsync_state     state;
 };
 
 struct pfioc_src_node_kill {
@@ -1796,48 +1780,48 @@ struct pfioc_src_node_kill {
 };
 
 struct pfioc_state_addr_kill {
-       struct pf_addr_wrap             addr;
-       u_int8_t                        reserved_[3];
-       u_int8_t                        neg;
-       union pf_rule_xport             xport;
+       struct pf_addr_wrap             addr;
+       u_int8_t                        reserved_[3];
+       u_int8_t                        neg;
+       union pf_rule_xport             xport;
 };
 
 struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
-       sa_family_t             psk_af;
-       u_int8_t                psk_proto;
-       u_int8_t                psk_proto_variant;
-       u_int8_t                _pad;
-       struct pfioc_state_addr_kill    psk_src;
-       struct pfioc_state_addr_kill    psk_dst;
-       char                    psk_ifname[IFNAMSIZ];
-       char                    psk_ownername[PF_OWNER_NAME_SIZE];
+       sa_family_t             psk_af;
+       u_int8_t                psk_proto;
+       u_int8_t                psk_proto_variant;
+       u_int8_t                _pad;
+       struct pfioc_state_addr_kill    psk_src;
+       struct pfioc_state_addr_kill    psk_dst;
+       char                    psk_ifname[IFNAMSIZ];
+       char                    psk_ownername[PF_OWNER_NAME_SIZE];
 };
 
 struct pfioc_states {
-       int     ps_len;
+       int     ps_len;
        union {
-               caddr_t                  psu_buf;
-               struct pfsync_state     *psu_states;
+               caddr_t                  psu_buf;
+               struct pfsync_state     *psu_states;
        } ps_u __attribute__((aligned(8)));
-#define ps_buf         ps_u.psu_buf
-#define ps_states      ps_u.psu_states
+#define ps_buf          ps_u.psu_buf
+#define ps_states       ps_u.psu_states
 };
 
 #ifdef KERNEL
 struct pfioc_states_32 {
-       int     ps_len;
+       int     ps_len;
        union {
-               user32_addr_t           psu_buf;
-               user32_addr_t           psu_states;
+               user32_addr_t           psu_buf;
+               user32_addr_t           psu_states;
        } ps_u __attribute__((aligned(8)));
 };
 
 struct pfioc_states_64 {
-       int     ps_len;
+       int     ps_len;
        union {
-               user64_addr_t           psu_buf;
-               user64_addr_t           psu_states;
+               user64_addr_t           psu_buf;
+               user64_addr_t           psu_states;
        } ps_u __attribute__((aligned(8)));
 };
 #endif /* KERNEL */
@@ -1845,16 +1829,16 @@ struct pfioc_states_64 {
 #define PFTOK_PROCNAME_LEN    64
 #pragma pack(1)
 struct pfioc_token {
-       u_int64_t                       token_value;
-       u_int64_t                       timestamp;
-       pid_t                           pid;
-       char                            proc_name[PFTOK_PROCNAME_LEN];
+       u_int64_t                       token_value;
+       u_int64_t                       timestamp;
+       pid_t                           pid;
+       char                            proc_name[PFTOK_PROCNAME_LEN];
 };
 #pragma pack()
 
 struct pfioc_kernel_token {
-       SLIST_ENTRY(pfioc_kernel_token) next;
-       struct pfioc_token              token;
+       SLIST_ENTRY(pfioc_kernel_token) next;
+       struct pfioc_token              token;
 };
 
 struct pfioc_remove_token {
@@ -1863,293 +1847,293 @@ struct pfioc_remove_token {
 };
 
 struct pfioc_tokens {
-       int     size;
+       int     size;
        union {
-               caddr_t                         pgtu_buf;
-               struct pfioc_token              *pgtu_tokens;
+               caddr_t                         pgtu_buf;
+               struct pfioc_token              *pgtu_tokens;
        } pgt_u __attribute__((aligned(8)));
-#define pgt_buf                pgt_u.pgtu_buf
-#define pgt_tokens     pgt_u.pgtu_tokens
+#define pgt_buf         pgt_u.pgtu_buf
+#define pgt_tokens      pgt_u.pgtu_tokens
 };
 
 #ifdef KERNEL
 struct pfioc_tokens_32 {
-       int     size;
+       int     size;
        union {
-               user32_addr_t           pgtu_buf;
-               user32_addr_t           pgtu_tokens;
+               user32_addr_t           pgtu_buf;
+               user32_addr_t           pgtu_tokens;
        } pgt_u __attribute__((aligned(8)));
 };
 
 struct pfioc_tokens_64 {
-       int     size;
+       int     size;
        union {
-               user64_addr_t           pgtu_buf;
-               user64_addr_t           pgtu_tokens;
+               user64_addr_t           pgtu_buf;
+               user64_addr_t           pgtu_tokens;
        } pgt_u __attribute__((aligned(8)));
 };
 #endif /* KERNEL */
 
 
 struct pfioc_src_nodes {
-       int     psn_len;
+       int     psn_len;
        union {
-               caddr_t                 psu_buf;
-               struct pf_src_node      *psu_src_nodes;
+               caddr_t                 psu_buf;
+               struct pf_src_node      *psu_src_nodes;
        } psn_u __attribute__((aligned(8)));
-#define psn_buf                psn_u.psu_buf
-#define psn_src_nodes  psn_u.psu_src_nodes
+#define psn_buf         psn_u.psu_buf
+#define psn_src_nodes   psn_u.psu_src_nodes
 };
 
 #ifdef KERNEL
 struct pfioc_src_nodes_32 {
-       int     psn_len;
+       int     psn_len;
        union {
-               user32_addr_t           psu_buf;
-               user32_addr_t           psu_src_nodes;
+               user32_addr_t           psu_buf;
+               user32_addr_t           psu_src_nodes;
        } psn_u __attribute__((aligned(8)));
 };
 
 struct pfioc_src_nodes_64 {
-       int     psn_len;
+       int     psn_len;
        union {
-               user64_addr_t           psu_buf;
-               user64_addr_t           psu_src_nodes;
+               user64_addr_t           psu_buf;
+               user64_addr_t           psu_src_nodes;
        } psn_u __attribute__((aligned(8)));
 };
 #endif /* KERNEL */
 
 struct pfioc_if {
-       char             ifname[IFNAMSIZ];
+       char             ifname[IFNAMSIZ];
 };
 
 struct pfioc_tm {
-       int              timeout;
-       int              seconds;
+       int              timeout;
+       int              seconds;
 };
 
 struct pfioc_limit {
-       int              index;
-       unsigned         limit;
+       int              index;
+       unsigned         limit;
 };
 
 struct pfioc_altq {
-       u_int32_t        action;
-       u_int32_t        ticket;
-       u_int32_t        nr;
-       struct pf_altq   altq                   __attribute__((aligned(8)));
+       u_int32_t        action;
+       u_int32_t        ticket;
+       u_int32_t        nr;
+       struct pf_altq   altq                   __attribute__((aligned(8)));
 };
 
 struct pfioc_qstats {
-       u_int32_t        ticket;
-       u_int32_t        nr;
-       void            *buf                    __attribute__((aligned(8)));
-       int              nbytes                 __attribute__((aligned(8)));
-       u_int8_t         scheduler;
+       u_int32_t        ticket;
+       u_int32_t        nr;
+       void            *buf                    __attribute__((aligned(8)));
+       int              nbytes                 __attribute__((aligned(8)));
+       u_int8_t         scheduler;
 };
 
 struct pfioc_ruleset {
-       u_int32_t        nr;
-       char             path[MAXPATHLEN];
-       char             name[PF_ANCHOR_NAME_SIZE];
+       u_int32_t        nr;
+       char             path[MAXPATHLEN];
+       char             name[PF_ANCHOR_NAME_SIZE];
 };
 
-#define PF_RULESET_ALTQ                (PF_RULESET_MAX)
-#define PF_RULESET_TABLE       (PF_RULESET_MAX+1)
+#define PF_RULESET_ALTQ         (PF_RULESET_MAX)
+#define PF_RULESET_TABLE        (PF_RULESET_MAX+1)
 struct pfioc_trans {
-       int              size;  /* number of elements */
-       int              esize; /* size of each element in bytes */
+       int              size;  /* number of elements */
+       int              esize; /* size of each element in bytes */
        struct pfioc_trans_e {
-               int             rs_num;
-               char            anchor[MAXPATHLEN];
-               u_int32_t       ticket;
+               int             rs_num;
+               char            anchor[MAXPATHLEN];
+               u_int32_t       ticket;
        } *array __attribute__((aligned(8)));
 };
 
 #ifdef KERNEL
 struct pfioc_trans_32 {
-       int              size;  /* number of elements */
-       int              esize; /* size of each element in bytes */
-       user32_addr_t    array __attribute__((aligned(8)));
+       int              size;  /* number of elements */
+       int              esize; /* size of each element in bytes */
+       user32_addr_t    array __attribute__((aligned(8)));
 };
 
 struct pfioc_trans_64 {
-       int              size;  /* number of elements */
-       int              esize; /* size of each element in bytes */
-       user64_addr_t    array __attribute__((aligned(8)));
+       int              size;  /* number of elements */
+       int              esize; /* size of each element in bytes */
+       user64_addr_t    array __attribute__((aligned(8)));
 };
 #endif /* KERNEL */
 
 
-#define PFR_FLAG_ATOMIC                0x00000001
-#define PFR_FLAG_DUMMY         0x00000002
-#define PFR_FLAG_FEEDBACK      0x00000004
-#define PFR_FLAG_CLSTATS       0x00000008
-#define PFR_FLAG_ADDRSTOO      0x00000010
-#define PFR_FLAG_REPLACE       0x00000020
-#define PFR_FLAG_ALLRSETS      0x00000040
-#define PFR_FLAG_ALLMASK       0x0000007F
+#define PFR_FLAG_ATOMIC         0x00000001
+#define PFR_FLAG_DUMMY          0x00000002
+#define PFR_FLAG_FEEDBACK       0x00000004
+#define PFR_FLAG_CLSTATS        0x00000008
+#define PFR_FLAG_ADDRSTOO       0x00000010
+#define PFR_FLAG_REPLACE        0x00000020
+#define PFR_FLAG_ALLRSETS       0x00000040
+#define PFR_FLAG_ALLMASK        0x0000007F
 #ifdef KERNEL
-#define PFR_FLAG_USERIOCTL     0x10000000
+#define PFR_FLAG_USERIOCTL      0x10000000
 #endif /* KERNEL */
 
 struct pfioc_table {
-       struct pfr_table         pfrio_table;
-       void                    *pfrio_buffer   __attribute__((aligned(8)));
-       int                      pfrio_esize    __attribute__((aligned(8)));
-       int                      pfrio_size;
-       int                      pfrio_size2;
-       int                      pfrio_nadd;
-       int                      pfrio_ndel;
-       int                      pfrio_nchange;
-       int                      pfrio_flags;
-       u_int32_t                pfrio_ticket;
-};
-#define        pfrio_exists    pfrio_nadd
-#define        pfrio_nzero     pfrio_nadd
-#define        pfrio_nmatch    pfrio_nadd
-#define pfrio_naddr    pfrio_size2
-#define pfrio_setflag  pfrio_size2
-#define pfrio_clrflag  pfrio_nadd
+       struct pfr_table         pfrio_table;
+       void                    *pfrio_buffer   __attribute__((aligned(8)));
+       int                      pfrio_esize    __attribute__((aligned(8)));
+       int                      pfrio_size;
+       int                      pfrio_size2;
+       int                      pfrio_nadd;
+       int                      pfrio_ndel;
+       int                      pfrio_nchange;
+       int                      pfrio_flags;
+       u_int32_t                pfrio_ticket;
+};
+#define pfrio_exists    pfrio_nadd
+#define pfrio_nzero     pfrio_nadd
+#define pfrio_nmatch    pfrio_nadd
+#define pfrio_naddr     pfrio_size2
+#define pfrio_setflag   pfrio_size2
+#define pfrio_clrflag   pfrio_nadd
 
 #ifdef KERNEL
 struct pfioc_table_32 {
-       struct pfr_table         pfrio_table;
-       user32_addr_t            pfrio_buffer   __attribute__((aligned(8)));
-       int                      pfrio_esize    __attribute__((aligned(8)));
-       int                      pfrio_size;
-       int                      pfrio_size2;
-       int                      pfrio_nadd;
-       int                      pfrio_ndel;
-       int                      pfrio_nchange;
-       int                      pfrio_flags;
-       u_int32_t                pfrio_ticket;
+       struct pfr_table         pfrio_table;
+       user32_addr_t            pfrio_buffer   __attribute__((aligned(8)));
+       int                      pfrio_esize    __attribute__((aligned(8)));
+       int                      pfrio_size;
+       int                      pfrio_size2;
+       int                      pfrio_nadd;
+       int                      pfrio_ndel;
+       int                      pfrio_nchange;
+       int                      pfrio_flags;
+       u_int32_t                pfrio_ticket;
 };
 
 struct pfioc_table_64 {
-       struct pfr_table         pfrio_table;
-       user64_addr_t            pfrio_buffer   __attribute__((aligned(8)));
-       int                      pfrio_esize    __attribute__((aligned(8)));
-       int                      pfrio_size;
-       int                      pfrio_size2;
-       int                      pfrio_nadd;
-       int                      pfrio_ndel;
-       int                      pfrio_nchange;
-       int                      pfrio_flags;
-       u_int32_t                pfrio_ticket;
+       struct pfr_table         pfrio_table;
+       user64_addr_t            pfrio_buffer   __attribute__((aligned(8)));
+       int                      pfrio_esize    __attribute__((aligned(8)));
+       int                      pfrio_size;
+       int                      pfrio_size2;
+       int                      pfrio_nadd;
+       int                      pfrio_ndel;
+       int                      pfrio_nchange;
+       int                      pfrio_flags;
+       u_int32_t                pfrio_ticket;
 };
 #endif /* KERNEL */
 
 struct pfioc_iface {
-       char     pfiio_name[IFNAMSIZ];
-       void    *pfiio_buffer                   __attribute__((aligned(8)));
-       int      pfiio_esize                    __attribute__((aligned(8)));
-       int      pfiio_size;
-       int      pfiio_nzero;
-       int      pfiio_flags;
+       char     pfiio_name[IFNAMSIZ];
+       void    *pfiio_buffer                   __attribute__((aligned(8)));
+       int      pfiio_esize                    __attribute__((aligned(8)));
+       int      pfiio_size;
+       int      pfiio_nzero;
+       int      pfiio_flags;
 };
 
 #ifdef KERNEL
 struct pfioc_iface_32 {
-       char     pfiio_name[IFNAMSIZ];
-       user32_addr_t pfiio_buffer              __attribute__((aligned(8)));
-       int      pfiio_esize                    __attribute__((aligned(8)));
-       int      pfiio_size;
-       int      pfiio_nzero;
-       int      pfiio_flags;
+       char     pfiio_name[IFNAMSIZ];
+       user32_addr_t pfiio_buffer              __attribute__((aligned(8)));
+       int      pfiio_esize                    __attribute__((aligned(8)));
+       int      pfiio_size;
+       int      pfiio_nzero;
+       int      pfiio_flags;
 };
 
 struct pfioc_iface_64 {
-       char     pfiio_name[IFNAMSIZ];
-       user64_addr_t pfiio_buffer              __attribute__((aligned(8)));
-       int      pfiio_esize                    __attribute__((aligned(8)));
-       int      pfiio_size;
-       int      pfiio_nzero;
-       int      pfiio_flags;
+       char     pfiio_name[IFNAMSIZ];
+       user64_addr_t pfiio_buffer              __attribute__((aligned(8)));
+       int      pfiio_esize                    __attribute__((aligned(8)));
+       int      pfiio_size;
+       int      pfiio_nzero;
+       int      pfiio_flags;
 };
 #endif /* KERNEL */
 
 struct pf_ifspeed {
-       char                    ifname[IFNAMSIZ];
-       u_int64_t               baudrate;
+       char                    ifname[IFNAMSIZ];
+       u_int64_t               baudrate;
 };
 
 /*
  * ioctl operations
  */
 
-#define DIOCSTART      _IO  ('D',  1)
-#define DIOCSTOP       _IO  ('D',  2)
-#define DIOCADDRULE    _IOWR('D',  4, struct pfioc_rule)
-#define DIOCGETSTARTERS        _IOWR('D',  5, struct pfioc_tokens)
-#define DIOCGETRULES   _IOWR('D',  6, struct pfioc_rule)
-#define DIOCGETRULE    _IOWR('D',  7, struct pfioc_rule)
-#define DIOCSTARTREF   _IOR ('D',  8, u_int64_t)
-#define DIOCSTOPREF    _IOWR('D',  9, struct pfioc_remove_token)
+#define DIOCSTART       _IO  ('D',  1)
+#define DIOCSTOP        _IO  ('D',  2)
+#define DIOCADDRULE     _IOWR('D',  4, struct pfioc_rule)
+#define DIOCGETSTARTERS _IOWR('D',  5, struct pfioc_tokens)
+#define DIOCGETRULES    _IOWR('D',  6, struct pfioc_rule)
+#define DIOCGETRULE     _IOWR('D',  7, struct pfioc_rule)
+#define DIOCSTARTREF    _IOR ('D',  8, u_int64_t)
+#define DIOCSTOPREF     _IOWR('D',  9, struct pfioc_remove_token)
 /* XXX cut 10 - 17 */
-#define DIOCCLRSTATES  _IOWR('D', 18, struct pfioc_state_kill)
-#define DIOCGETSTATE   _IOWR('D', 19, struct pfioc_state)
-#define DIOCSETSTATUSIF        _IOWR('D', 20, struct pfioc_if)
-#define DIOCGETSTATUS  _IOWR('D', 21, struct pf_status)
-#define DIOCCLRSTATUS  _IO  ('D', 22)
-#define DIOCNATLOOK    _IOWR('D', 23, struct pfioc_natlook)
-#define DIOCSETDEBUG   _IOWR('D', 24, u_int32_t)
-#define DIOCGETSTATES  _IOWR('D', 25, struct pfioc_states)
-#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
-#define DIOCINSERTRULE _IOWR('D',  27, struct pfioc_rule)
-#define DIOCDELETERULE _IOWR('D',  28, struct pfioc_rule)
-#define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm)
-#define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm)
-#define DIOCADDSTATE   _IOWR('D', 37, struct pfioc_state)
-#define DIOCCLRRULECTRS        _IO  ('D', 38)
-#define DIOCGETLIMIT   _IOWR('D', 39, struct pfioc_limit)
-#define DIOCSETLIMIT   _IOWR('D', 40, struct pfioc_limit)
-#define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill)
-#define DIOCSTARTALTQ  _IO  ('D', 42)
-#define DIOCSTOPALTQ   _IO  ('D', 43)
-#define DIOCADDALTQ    _IOWR('D', 45, struct pfioc_altq)
-#define DIOCGETALTQS   _IOWR('D', 47, struct pfioc_altq)
-#define DIOCGETALTQ    _IOWR('D', 48, struct pfioc_altq)
-#define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq)
-#define DIOCGETQSTATS  _IOWR('D', 50, struct pfioc_qstats)
-#define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr)
-#define DIOCADDADDR    _IOWR('D', 52, struct pfioc_pooladdr)
-#define DIOCGETADDRS   _IOWR('D', 53, struct pfioc_pooladdr)
-#define DIOCGETADDR    _IOWR('D', 54, struct pfioc_pooladdr)
-#define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr)
+#define DIOCCLRSTATES   _IOWR('D', 18, struct pfioc_state_kill)
+#define DIOCGETSTATE    _IOWR('D', 19, struct pfioc_state)
+#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
+#define DIOCGETSTATUS   _IOWR('D', 21, struct pf_status)
+#define DIOCCLRSTATUS   _IO  ('D', 22)
+#define DIOCNATLOOK     _IOWR('D', 23, struct pfioc_natlook)
+#define DIOCSETDEBUG    _IOWR('D', 24, u_int32_t)
+#define DIOCGETSTATES   _IOWR('D', 25, struct pfioc_states)
+#define DIOCCHANGERULE  _IOWR('D', 26, struct pfioc_rule)
+#define DIOCINSERTRULE  _IOWR('D',  27, struct pfioc_rule)
+#define DIOCDELETERULE  _IOWR('D',  28, struct pfioc_rule)
+#define DIOCSETTIMEOUT  _IOWR('D', 29, struct pfioc_tm)
+#define DIOCGETTIMEOUT  _IOWR('D', 30, struct pfioc_tm)
+#define DIOCADDSTATE    _IOWR('D', 37, struct pfioc_state)
+#define DIOCCLRRULECTRS _IO  ('D', 38)
+#define DIOCGETLIMIT    _IOWR('D', 39, struct pfioc_limit)
+#define DIOCSETLIMIT    _IOWR('D', 40, struct pfioc_limit)
+#define DIOCKILLSTATES  _IOWR('D', 41, struct pfioc_state_kill)
+#define DIOCSTARTALTQ   _IO  ('D', 42)
+#define DIOCSTOPALTQ    _IO  ('D', 43)
+#define DIOCADDALTQ     _IOWR('D', 45, struct pfioc_altq)
+#define DIOCGETALTQS    _IOWR('D', 47, struct pfioc_altq)
+#define DIOCGETALTQ     _IOWR('D', 48, struct pfioc_altq)
+#define DIOCCHANGEALTQ  _IOWR('D', 49, struct pfioc_altq)
+#define DIOCGETQSTATS   _IOWR('D', 50, struct pfioc_qstats)
+#define DIOCBEGINADDRS  _IOWR('D', 51, struct pfioc_pooladdr)
+#define DIOCADDADDR     _IOWR('D', 52, struct pfioc_pooladdr)
+#define DIOCGETADDRS    _IOWR('D', 53, struct pfioc_pooladdr)
+#define DIOCGETADDR     _IOWR('D', 54, struct pfioc_pooladdr)
+#define DIOCCHANGEADDR  _IOWR('D', 55, struct pfioc_pooladdr)
 /* XXX cut 55 - 57 */
-#define        DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
-#define        DIOCGETRULESET  _IOWR('D', 59, struct pfioc_ruleset)
-#define        DIOCRCLRTABLES  _IOWR('D', 60, struct pfioc_table)
-#define        DIOCRADDTABLES  _IOWR('D', 61, struct pfioc_table)
-#define        DIOCRDELTABLES  _IOWR('D', 62, struct pfioc_table)
-#define        DIOCRGETTABLES  _IOWR('D', 63, struct pfioc_table)
-#define        DIOCRGETTSTATS  _IOWR('D', 64, struct pfioc_table)
-#define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table)
-#define        DIOCRCLRADDRS   _IOWR('D', 66, struct pfioc_table)
-#define        DIOCRADDADDRS   _IOWR('D', 67, struct pfioc_table)
-#define        DIOCRDELADDRS   _IOWR('D', 68, struct pfioc_table)
-#define        DIOCRSETADDRS   _IOWR('D', 69, struct pfioc_table)
-#define        DIOCRGETADDRS   _IOWR('D', 70, struct pfioc_table)
-#define        DIOCRGETASTATS  _IOWR('D', 71, struct pfioc_table)
-#define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table)
-#define        DIOCRTSTADDRS   _IOWR('D', 73, struct pfioc_table)
-#define        DIOCRSETTFLAGS  _IOWR('D', 74, struct pfioc_table)
-#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table)
-#define DIOCOSFPFLUSH  _IO('D', 78)
-#define DIOCOSFPADD    _IOWR('D', 79, struct pf_osfp_ioctl)
-#define DIOCOSFPGET    _IOWR('D', 80, struct pf_osfp_ioctl)
-#define DIOCXBEGIN     _IOWR('D', 81, struct pfioc_trans)
-#define DIOCXCOMMIT    _IOWR('D', 82, struct pfioc_trans)
-#define DIOCXROLLBACK  _IOWR('D', 83, struct pfioc_trans)
-#define DIOCGETSRCNODES        _IOWR('D', 84, struct pfioc_src_nodes)
-#define DIOCCLRSRCNODES        _IO('D', 85)
-#define DIOCSETHOSTID  _IOWR('D', 86, u_int32_t)
-#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
-#define DIOCSETIFFLAG  _IOWR('D', 89, struct pfioc_iface)
-#define DIOCCLRIFFLAG  _IOWR('D', 90, struct pfioc_iface)
+#define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
+#define DIOCGETRULESET  _IOWR('D', 59, struct pfioc_ruleset)
+#define DIOCRCLRTABLES  _IOWR('D', 60, struct pfioc_table)
+#define DIOCRADDTABLES  _IOWR('D', 61, struct pfioc_table)
+#define DIOCRDELTABLES  _IOWR('D', 62, struct pfioc_table)
+#define DIOCRGETTABLES  _IOWR('D', 63, struct pfioc_table)
+#define DIOCRGETTSTATS  _IOWR('D', 64, struct pfioc_table)
+#define DIOCRCLRTSTATS  _IOWR('D', 65, struct pfioc_table)
+#define DIOCRCLRADDRS   _IOWR('D', 66, struct pfioc_table)
+#define DIOCRADDADDRS   _IOWR('D', 67, struct pfioc_table)
+#define DIOCRDELADDRS   _IOWR('D', 68, struct pfioc_table)
+#define DIOCRSETADDRS   _IOWR('D', 69, struct pfioc_table)
+#define DIOCRGETADDRS   _IOWR('D', 70, struct pfioc_table)
+#define DIOCRGETASTATS  _IOWR('D', 71, struct pfioc_table)
+#define DIOCRCLRASTATS  _IOWR('D', 72, struct pfioc_table)
+#define DIOCRTSTADDRS   _IOWR('D', 73, struct pfioc_table)
+#define DIOCRSETTFLAGS  _IOWR('D', 74, struct pfioc_table)
+#define DIOCRINADEFINE  _IOWR('D', 77, struct pfioc_table)
+#define DIOCOSFPFLUSH   _IO('D', 78)
+#define DIOCOSFPADD     _IOWR('D', 79, struct pf_osfp_ioctl)
+#define DIOCOSFPGET     _IOWR('D', 80, struct pf_osfp_ioctl)
+#define DIOCXBEGIN      _IOWR('D', 81, struct pfioc_trans)
+#define DIOCXCOMMIT     _IOWR('D', 82, struct pfioc_trans)
+#define DIOCXROLLBACK   _IOWR('D', 83, struct pfioc_trans)
+#define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes)
+#define DIOCCLRSRCNODES _IO('D', 85)
+#define DIOCSETHOSTID   _IOWR('D', 86, u_int32_t)
+#define DIOCIGETIFACES  _IOWR('D', 87, struct pfioc_iface)
+#define DIOCSETIFFLAG   _IOWR('D', 89, struct pfioc_iface)
+#define DIOCCLRIFFLAG   _IOWR('D', 90, struct pfioc_iface)
 #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
-#define        DIOCGIFSPEED    _IOWR('D', 92, struct pf_ifspeed)
+#define DIOCGIFSPEED    _IOWR('D', 92, struct pf_ifspeed)
 
 #ifdef KERNEL
 RB_HEAD(pf_src_tree, pf_src_node);
@@ -2164,11 +2148,11 @@ extern struct pf_state_tree_id tree_id;
 extern struct pf_state_queue state_list;
 
 TAILQ_HEAD(pf_poolqueue, pf_pool);
-extern struct pf_poolqueue     pf_pools[2];
-extern struct pf_palist        pf_pabuf;
-extern u_int32_t               ticket_pabuf;
-extern struct pf_poolqueue     *pf_pools_active;
-extern struct pf_poolqueue     *pf_pools_inactive;
+extern struct pf_poolqueue      pf_pools[2];
+extern struct pf_palist pf_pabuf;
+extern u_int32_t                ticket_pabuf;
+extern struct pf_poolqueue      *pf_pools_active;
+extern struct pf_poolqueue      *pf_pools_inactive;
 
 __private_extern__ int pf_tbladdr_setup(struct pf_ruleset *,
     struct pf_addr_wrap *);
@@ -2185,7 +2169,7 @@ extern struct pool pf_app_state_pl;
 extern struct thread *pf_purge_thread;
 
 __private_extern__ void pfinit(void);
-__private_extern__ void pf_purge_thread_fn(void *, wait_result_t);
+__private_extern__ void pf_purge_thread_fn(void *, wait_result_t) __dead2;
 __private_extern__ void pf_purge_expired_src_nodes(void);
 __private_extern__ void pf_purge_expired_states(u_int32_t);
 __private_extern__ void pf_unlink_state(struct pf_state *);
@@ -2211,7 +2195,6 @@ __private_extern__ void pf_rm_rule(struct pf_rulequeue *, struct pf_rule *);
 struct ip_fw_args;
 
 extern boolean_t is_nlc_enabled_glb;
-extern boolean_t pf_is_nlc_enabled(void);
 
 #if INET
 __private_extern__ int pf_test(int, struct ifnet *, pbuf_t **,
@@ -2220,7 +2203,6 @@ __private_extern__ int pf_test_mbuf(int, struct ifnet *, struct mbuf **,
     struct ether_header *, struct ip_fw_args *);
 #endif /* INET */
 
-#if INET6
 __private_extern__ int pf_test6(int, struct ifnet *, pbuf_t **,
     struct ether_header *, struct ip_fw_args *);
 __private_extern__ int pf_test6_mbuf(int, struct ifnet *, struct mbuf **,
@@ -2228,7 +2210,10 @@ __private_extern__ int pf_test6_mbuf(int, struct ifnet *, struct mbuf **,
 __private_extern__ void pf_poolmask(struct pf_addr *, struct pf_addr *,
     struct pf_addr *, struct pf_addr *, u_int8_t);
 __private_extern__ void pf_addr_inc(struct pf_addr *, sa_family_t);
-#endif /* INET6 */
+__private_extern__ int pf_normalize_ip6(pbuf_t *, int, struct pfi_kif *,
+    u_short *, struct pf_pdesc *);
+__private_extern__ int pf_refragment6(struct ifnet *, pbuf_t **,
+    struct pf_fragment_tag *);
 
 __private_extern__ void *pf_lazy_makewritable(struct pf_pdesc *,
     pbuf_t *, int);
@@ -2253,8 +2238,6 @@ __private_extern__ void pf_normalize_init(void);
 __private_extern__ int pf_normalize_isempty(void);
 __private_extern__ int pf_normalize_ip(pbuf_t *, int, struct pfi_kif *,
     u_short *, struct pf_pdesc *);
-__private_extern__ int pf_normalize_ip6(pbuf_t *, int, struct pfi_kif *,
-    u_short *, struct pf_pdesc *);
 __private_extern__ int pf_normalize_tcp(int, struct pfi_kif *, pbuf_t *,
     int, int, void *, struct pf_pdesc *);
 __private_extern__ void pf_normalize_tcp_cleanup(struct pf_state *);
@@ -2348,7 +2331,7 @@ __private_extern__ void pf_tag_unref(u_int16_t);
 __private_extern__ int pf_tag_packet(pbuf_t *, struct pf_mtag *,
     int, unsigned int, struct pf_pdesc *);
 __private_extern__ void pf_step_into_anchor(int *, struct pf_ruleset **, int,
-    struct pf_rule **, struct pf_rule **,  int *);
+    struct pf_rule **, struct pf_rule **, int *);
 __private_extern__ int pf_step_out_of_anchor(int *, struct pf_ruleset **, int,
     struct pf_rule **, struct pf_rule **, int *);
 __private_extern__ u_int32_t pf_qname2qid(char *);
@@ -2359,10 +2342,10 @@ extern struct pf_status pf_status;
 extern struct pool pf_frent_pl, pf_frag_pl;
 
 struct pf_pool_limit {
-       void            *pp;
-       unsigned         limit;
+       void            *pp;
+       unsigned         limit;
 };
-extern struct pf_pool_limit    pf_pool_limits[PF_LIMIT_MAX];
+extern struct pf_pool_limit     pf_pool_limits[PF_LIMIT_MAX];
 
 __private_extern__ int pf_af_hook(struct ifnet *, struct mbuf **,
     struct mbuf **, unsigned int, int, struct ip_fw_args *);
@@ -2375,7 +2358,7 @@ __private_extern__ void pf_ifnet_hook(struct ifnet *, int);
  */
 extern struct pf_anchor_global pf_anchors;
 extern struct pf_anchor pf_main_anchor;
-#define pf_main_ruleset        pf_main_anchor.ruleset
+#define pf_main_ruleset pf_main_anchor.ruleset
 
 extern int pf_is_enabled;
 extern int16_t pf_nat64_configured;
@@ -2402,7 +2385,7 @@ __private_extern__ int pf_osfp_add(struct pf_osfp_ioctl *);
 __private_extern__ struct pf_osfp_enlist *pf_osfp_fingerprint(struct pf_pdesc *,
     pbuf_t *, int, const struct tcphdr *);
 __private_extern__ struct pf_osfp_enlist *pf_osfp_fingerprint_hdr(
-    const struct ip *, const struct ip6_hdr *, const struct tcphdr *);
+       const struct ip *, const struct ip6_hdr *, const struct tcphdr *);
 __private_extern__ void pf_osfp_flush(void);
 __private_extern__ int pf_osfp_get(struct pf_osfp_ioctl *);
 __private_extern__ void pf_osfp_initialize(void);
@@ -2412,10 +2395,14 @@ __private_extern__ struct pf_mtag *pf_find_mtag(struct mbuf *);
 __private_extern__ struct pf_mtag *pf_find_mtag_pbuf(pbuf_t *);
 __private_extern__ struct pf_mtag *pf_get_mtag(struct mbuf *);
 __private_extern__ struct pf_mtag *pf_get_mtag_pbuf(pbuf_t *);
+__private_extern__ struct pf_fragment_tag * pf_find_fragment_tag_pbuf(pbuf_t *);
+__private_extern__ struct pf_fragment_tag * pf_find_fragment_tag(struct mbuf *);
+__private_extern__ struct pf_fragment_tag * pf_copy_fragment_tag(struct mbuf *,
+    struct pf_fragment_tag *, int);
 #else /* !KERNEL */
 extern struct pf_anchor_global pf_anchors;
 extern struct pf_anchor pf_main_anchor;
-#define pf_main_ruleset        pf_main_anchor.ruleset
+#define pf_main_ruleset pf_main_anchor.ruleset
 
 /* these ruleset functions can be linked into userland programs (pfctl) */
 extern int pf_get_ruleset_number(u_int8_t);