authorBruce M Simpson <bms@FreeBSD.org>2003-11-25 14:08:02 +0000
committerBruce M Simpson <bms@FreeBSD.org>2003-11-25 14:08:02 +0000
commit2830eb5a462209e20f30d7799a35d1c9d393e732 (patch)
treea9e539e49f71780109b34d00750ed94b7508ba87 /security
parentf13a4b29b1705211bafaddb1c679601f9fc53ae1 (diff)
Supersedes ports/59442 and previous hasty-fix, and fixes the following:
- Build with __FreeBSD_version > 501114 (see bms commit)
- Build with new route.h (no RTF_PRCLONING)
- Don't use hardware assistance on fragmentation when DF is set.
- Allow pftcpdump -w to be used with pfsync.

Found-by: bento / Pyun YongHyeon
Submitted by: Max Laier
PR: ports/59548
Notes
Notes: svn path=/head/; revision=94775
Diffstat (limited to 'security')
-rw-r--r--security/pf/Makefile5
-rw-r--r--security/pf/files/extra-patch-pf::pf.c22
-rw-r--r--security/pf/files/patch-ac98
-rw-r--r--security/pf/files/patch-ad23
4 files changed, 122 insertions, 26 deletions
diff --git a/security/pf/Makefile b/security/pf/Makefile
index 3e3aeaff2596..7ebf07fa1177 100644
--- a/security/pf/Makefile
+++ b/security/pf/Makefile
@@ -7,6 +7,7 @@
PORTNAME= pf_freebsd
PORTVERSION= 2.00
+PORTREVISION= 1
CATEGORIES= security ipv6
MASTER_SITES= http://pf4freebsd.love2party.net/
.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
@@ -50,10 +51,6 @@ PLIST_SUB+= WITH_ALTQ="@comment "
IGNORE= "Only for 5.0 and above"
.endif
-.if ${OSVERSION} >= 501114
-EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-pf::pf.c
-.endif
-
.if !exists(${SRC_BASE}/sys/Makefile) && \
(defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile))
IGNORE= "Kernel source files required"
diff --git a/security/pf/files/extra-patch-pf::pf.c b/security/pf/files/extra-patch-pf::pf.c
deleted file mode 100644
index 30be4db7683e..000000000000
--- a/security/pf/files/extra-patch-pf::pf.c
+++ /dev/null
@@ -1,22 +0,0 @@
-Update pf to be more in line with current TCP stack behaviour at
-5.2 code freeze point after andre's initial commit to decouple
-protocol-level stats from routing. -- bms@FreeBSD.org
-
---- pf/pf.c.orig Wed Nov 19 11:51:34 2003
-+++ pf/pf.c Wed Nov 19 11:53:42 2003
-@@ -1376,14 +1376,10 @@
- */
- NTOHS(ip->ip_len);
- NTOHS(ip->ip_off);
-- ip_rtaddr(ip->ip_dst, &ro);
- PF_UNLOCK();
-- ip_output(m, (void *)NULL, &ro, 0, (void *)NULL,
-+ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
- (void *)NULL);
- PF_LOCK();
-- if(ro.ro_rt) {
-- RTFREE(ro.ro_rt);
-- }
- #else
- ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
- (void *)NULL);
diff --git a/security/pf/files/patch-ac b/security/pf/files/patch-ac
new file mode 100644
index 000000000000..ae562f0605d3
--- /dev/null
+++ b/security/pf/files/patch-ac
@@ -0,0 +1,98 @@
+--- pf/pf.c.orig Fri Nov 21 14:32:14 2003
++++ pf/pf.c Fri Nov 21 14:32:33 2003
+@@ -1250,8 +1250,10 @@
+ struct tcphdr *th;
+ #if defined(__FreeBSD__)
+ struct ip *ip;
++#if (__FreeBSD_version < 501114)
+ struct route ro;
+ #endif
++#endif
+ char *opt;
+
+ /* maximum segment size tcp option */
+@@ -1366,7 +1368,6 @@
+ h->ip_ttl = ttl ? ttl : ip_defttl;
+ h->ip_sum = 0;
+ #if defined(__FreeBSD__)
+- bzero(&ro, sizeof(ro));
+ ip = mtod(m, struct ip *);
+ /*
+ * XXX
+@@ -1376,6 +1377,8 @@
+ */
+ NTOHS(ip->ip_len);
+ NTOHS(ip->ip_off);
++#if (__FreeBSD_version < 501114)
++ bzero(&ro, sizeof(ro));
+ ip_rtaddr(ip->ip_dst, &ro);
+ PF_UNLOCK();
+ ip_output(m, (void *)NULL, &ro, 0, (void *)NULL,
+@@ -1384,7 +1387,13 @@
+ if(ro.ro_rt) {
+ RTFREE(ro.ro_rt);
+ }
+-#else
++#else /* __FreeBSD_version >= 501114 */
++ PF_UNLOCK();
++ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
++ (void *)NULL);
++ PF_LOCK();
++#endif
++#else /* ! __FreeBSD__ */
+ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
+ (void *)NULL);
+ #endif
+@@ -2354,8 +2363,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+ rt = ro.ro_rt;
+@@ -2370,9 +2383,13 @@
+ dst6->sin6_len = sizeof(*dst6);
+ dst6->sin6_addr = addr->v6;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign((struct route *)&ro6,
+ (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign((struct route *)&ro6, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone((struct route *)&ro6, NO_CLONING);
+ #endif
+ rt = ro6.ro_rt;
+@@ -4731,8 +4748,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+
+@@ -5044,7 +5065,8 @@
+ m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
+
+ if (ntohs(ip->ip_len) <= ifp->if_mtu ||
+- ifp->if_hwassist & CSUM_FRAGMENT) {
++ (ifp->if_hwassist & CSUM_FRAGMENT &&
++ ((ip->ip_off & htons(IP_DF)) == 0))) {
+ /*
+ * ip->ip_len = htons(ip->ip_len);
+ * ip->ip_off = htons(ip->ip_off);
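Review bot: The new condition at the end of this file, `(ifp->if_hwassist & CSUM_FRAGMENT && ((ip->ip_off & htons(IP_DF)) == 0))`, relies on `&` binding tighter than `&&`; it parses as intended, but it is exactly the shape -Wparentheses warns about, and the inner test is fully parenthesized while the outer one is not, so I would write `((ifp->if_hwassist & CSUM_FRAGMENT) && (ip->ip_off & htons(IP_DF)) == 0)` so both sub-tests read alike. The byte order looks right at this point: the `ntohs(ip->ip_len)` on the preceding line and the commented-out `htons` conversions just below show ip_off is still in network order, so comparing against `htons(IP_DF)` is the correct form. The effect is that a DF-marked packet larger than the MTU no longer takes the hardware-fragmentation path and instead falls through to the else branch, which is outside the shown lines, so whether that branch honours DF (drops or signals rather than fragments) cannot be confirmed from this hunk and deserves a short comment at the condition, e.g. `/* never hand a DF packet to hardware fragmentation */`. Separately, the `#ifdef RTF_PRCLONING` / `#else` / `#endif` block is repeated verbatim at the three rtalloc_ign call sites (the hunks around lines 2363, 2383 and 4748); defining the flag set once as a `PF_RTALLOC_FLAGS` macro under a single `#ifdef RTF_PRCLONING` would leave one `rtalloc_ign(&ro, PF_RTALLOC_FLAGS);` per site and remove the inconsistent spacing between `(RTF_CLONING | RTF_PRCLONING)` and `(RTF_CLONING|RTF_PRCLONING)`. All enclosing functions start and end outside the hunks shown.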
diff --git a/security/pf/files/patch-ad b/security/pf/files/patch-ad
new file mode 100644
index 000000000000..8473380dac8e
--- /dev/null
+++ b/security/pf/files/patch-ad
@@ -0,0 +1,23 @@
+--- freebsd_libpcap/savefile.c.orig Fri Nov 21 14:35:34 2003
++++ freebsd_libpcap/savefile.c Fri Nov 21 14:35:46 2003
+@@ -178,6 +178,9 @@
+ #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */
+ #define LINKTYPE_IPFILTER 116 /* IP Filter capture files */
+ #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
++#if defined(DLT_PFSYNC)
++#define LINKTYPE_PFSYNC DLT_PFSYNC
++#endif
+
+ static struct linktype_map {
+ int dlt;
+@@ -271,6 +274,10 @@
+ * defining DLT_* values that collide with those
+ * LINKTYPE_* values, either).
+ */
++ { DLT_PFLOG, LINKTYPE_PFLOG },
++#if defined(DLT_PFSYNC)
++ { DLT_PFSYNC, LINKTYPE_PFSYNC },
++#endif
+ { -1, -1 }
+ };
+
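Review bot: The two new table entries are guarded inconsistently: `{ DLT_PFSYNC, LINKTYPE_PFSYNC }` sits under `#if defined(DLT_PFSYNC)` while `{ DLT_PFLOG, LINKTYPE_PFLOG }` is added unconditionally, so a build against headers that lack DLT_PFLOG fails on the second entry only; either wrap both the same way or add a comment stating that DLT_PFLOG is always provided by the port's bundled headers. `#define LINKTYPE_PFSYNC DLT_PFSYNC` also makes the on-disk link type equal to whatever this platform's DLT_PFSYNC value happens to be, whereas the surrounding LINKTYPE_* constants are fixed numbers chosen to be platform-independent; savefiles written this way are presumably only readable where DLT_PFSYNC has the same value, which is worth a one-line comment such as `/* XXX platform-specific: no registered LINKTYPE value for pfsync yet */`. The linktype_map array begins before the second hunk and the hunk ends at its `{ -1, -1 }` sentinel, so the rest of the table is outside the shown lines.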