@zigc/lib 0.17.0-dev.332 → 0.17.0-dev.340

package/libc/include/generic-openbsd/net/if_sppp.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_sppp.h,v 1.31 2025/01/15 06:15:44 dlg Exp $	*/
+/*	$OpenBSD: if_sppp.h,v 1.32 2025/11/02 08:04:04 dlg Exp $	*/
 /*	$NetBSD: if_sppp.h,v 1.2.2.1 1999/04/04 06:57:39 explorer Exp $	*/
 
 /*
@@ -174,6 +174,7 @@ struct sppp {
 	time_t	pp_last_receive;	/* peer's last "sign of life" */
 	time_t	pp_last_activity;	/* second of last payload data s/r */
 	enum ppp_phase pp_phase;	/* phase we're currently in */
+	struct task pp_autodial;
 	int	state[IDX_COUNT];	/* state machine */
 	u_char  confid[IDX_COUNT];	/* id of last configuration request */
 	int	rst_counter[IDX_COUNT];	/* restart counter */

package/libc/include/generic-openbsd/net/if_trunk.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_trunk.h,v 1.32 2025/03/02 21:28:32 bluhm Exp $	*/
+/*	$OpenBSD: if_trunk.h,v 1.33 2025/11/24 23:40:00 dlg Exp $	*/
 
 /*
  * Copyright (c) 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -159,6 +159,8 @@ struct trunk_softc;
 struct trunk_port {
 	struct ifnet			*tp_if;		/* physical interface */
 	struct trunk_softc		*tp_trunk;	/* parent trunk */
+	struct refcnt			tp_refs;
+	struct ether_port		tp_ether_port;
 	u_int8_t			tp_lladdr[ETHER_ADDR_LEN];
 	caddr_t				tp_psc;		/* protocol data */
 
@@ -172,7 +174,6 @@ struct trunk_port {
 	int	(*tp_ioctl)(struct ifnet *, u_long, caddr_t);
 	int	(*tp_output)(struct ifnet *, struct mbuf *, struct sockaddr *,
 		    struct rtentry *);
-	void	(*tp_input)(struct ifnet *, struct mbuf *, struct netstack *);
 
 	SLIST_ENTRY(trunk_port)		tp_entries;
 };

package/libc/include/generic-openbsd/net/if_types.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_types.h,v 1.24 2022/01/02 22:36:04 jsg Exp $	*/
+/*	$OpenBSD: if_types.h,v 1.25 2026/03/23 08:42:22 jsg Exp $	*/
 /*	$NetBSD: if_types.h,v 1.17 2000/10/26 06:51:31 onoe Exp $	*/
 
 /*
@@ -175,7 +175,7 @@
 #define	IFT_A12MPPSWITCH	   0x82	/* Avalon Parallel Processor */
 #define	IFT_TUNNEL		   0x83	/* Encapsulation interface */
 #define	IFT_COFFEE		   0x84	/* coffee pot */
-#define	IFT_CES			   0x85	/* Circiut Emulation Service */
+#define	IFT_CES			   0x85	/* Circuit Emulation Service */
 #define	IFT_ATMSUBINTERFACE	   0x86	/* (x)  ATM Sub Interface */
 #define	IFT_L2VLAN		   0x87	/* Layer 2 Virtual LAN using 802.1Q */
 #define	IFT_L3IPVLAN		   0x88	/* Layer 3 Virtual LAN - IP Protocol */

package/libc/include/generic-openbsd/net/if_var.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_var.h,v 1.139 2025/07/19 16:40:40 mvs Exp $	*/
+/*	$OpenBSD: if_var.h,v 1.148 2026/03/22 23:14:00 bluhm Exp $	*/
 /*	$NetBSD: if.h,v 1.23 1996/05/07 02:40:27 thorpej Exp $	*/
 
 /*
@@ -40,7 +40,7 @@
 
 #include <sys/queue.h>
 #include <sys/mbuf.h>
-#include <sys/srp.h>
+#include <sys/smr.h>
 #include <sys/refcnt.h>
 #include <sys/task.h>
 #include <sys/timeout.h>
@@ -81,6 +81,7 @@
  *	K	kernel lock
  *	N	net lock
  *	T	if_tmplist_lock
+ *	m	interface multicast rwlock if_maddrlock
  *
  *  For SRP related structures that allow lock-free reads, the write lock
  *  is indicated below.
@@ -92,9 +93,12 @@ struct task;
 struct cpumem;
 
 struct netstack {
-	struct route		ns_route;
-	struct mbuf_list	ns_tcp_ml;
-	struct mbuf_list	ns_tcp6_ml;
+	struct mbuf_list	 ns_input;
+	struct mbuf_list	 ns_proto;
+
+	struct route		 ns_route;
+	struct mbuf_list	 ns_tcp_ml;
+	struct mbuf_list	 ns_tcp6_ml;
 };
 
 /*
@@ -141,6 +145,8 @@ enum if_counters {
  * (Would like to call this struct ``if'', but C isn't PL/1.)
  */
 TAILQ_HEAD(ifnet_head, ifnet);		/* the actual queue head */
+struct carp_softc;
+SMR_LIST_HEAD(carp_iflist, carp_softc);
 
 struct ifnet {				/* and the entries */
 	void	*if_softc;		/* [I] lower-level data for this if */
@@ -148,8 +154,9 @@ struct ifnet {				/* and the entries */
 	TAILQ_ENTRY(ifnet) if_list;	/* [NK] all struct ifnets are chained */
 	TAILQ_ENTRY(ifnet) if_tmplist;	/* [T] temporary list */
 	TAILQ_HEAD(, ifaddr) if_addrlist; /* [N] list of addresses per if */
-	TAILQ_HEAD(, ifmaddr) if_maddrlist; /* [N] list of multicast records */
+	TAILQ_HEAD(, ifmaddr) if_maddrlist; /* [m] list of multicast records */
 	TAILQ_HEAD(, ifg_list) if_groups; /* [N] list of groups per if */
+	struct rwlock if_maddrlock;
 	struct task_list if_addrhooks;	/* [I] address change callbacks */
 	struct task_list if_linkstatehooks; /* [I] link change callbacks*/
 	struct task_list if_detachhooks; /* [I] detach callbacks */
@@ -163,9 +170,11 @@ struct ifnet {				/* and the entries */
 	caddr_t if_mcast6;		/* used by IPv6 multicast code */
 	caddr_t	if_pf_kif;		/* pf interface abstraction */
 	union {
-		struct srpl carp_s;	/* carp if list (used by !carp ifs) */
-		unsigned int carp_idx;	/* index of carpdev (used by carp
-						ifs) */
+		/* carp if list (used by IFT_ETHER) */
+		struct carp_iflist carp_s;
+
+		/* index of carpdev (used by IFT_CARP) */
+		unsigned int carp_idx;
 	} if_carp_ptr;
 #define if_carp		if_carp_ptr.carp_s
 #define if_carpdevidx	if_carp_ptr.carp_idx
@@ -254,6 +263,7 @@ struct ifaddr {
 	struct	ifnet *ifa_ifp;		/* back-pointer to interface */
 	TAILQ_ENTRY(ifaddr) ifa_list;	/* [N] list of addresses for
 					    interface */
+	TAILQ_ENTRY(ifaddr) ifa_tmplist;/* [T] temporary list */
 	u_int	ifa_flags;		/* interface flags, see below */
 	struct	refcnt ifa_refcnt;	/* number of `rt_ifa` references */
 	int	ifa_metric;		/* cost of going out this interface */
@@ -265,10 +275,10 @@ struct ifaddr {
  * Interface multicast address.
  */
 struct ifmaddr {
-	struct sockaddr		*ifma_addr;	/* Protocol address */
-	unsigned int		 ifma_ifidx;	/* Index of the interface */
+	TAILQ_ENTRY(ifmaddr)	 ifma_list;	/* [m] Per-interface list */
+	struct sockaddr		*ifma_addr;	/* [I] Protocol address */
 	struct refcnt		 ifma_refcnt;	/* Count of references */
-	TAILQ_ENTRY(ifmaddr)	 ifma_list;	/* Per-interface list */
+	unsigned int		 ifma_ifidx;	/* [I] Index of the interface */
 };
 
 /*
@@ -337,6 +347,9 @@ int	if_enqueue_ifq(struct ifnet *, struct mbuf *);
 void	if_input(struct ifnet *, struct mbuf_list *);
 void	if_vinput(struct ifnet *, struct mbuf *, struct netstack *);
 void	if_input_process(struct ifnet *, struct mbuf_list *, unsigned int);
+void	if_input_proto(struct ifnet *, struct mbuf *,
+	    void (*)(struct ifnet *, struct mbuf *, struct netstack *),
+	    struct netstack *);
 int	if_input_local(struct ifnet *, struct mbuf *, sa_family_t,
 	    struct netstack *);
 int	if_output_ml(struct ifnet *, struct mbuf_list *,
@@ -351,6 +364,15 @@ void	p2p_rtrequest(struct ifnet *, int, struct rtentry *);
 void	p2p_input(struct ifnet *, struct mbuf *, struct netstack *);
 int	p2p_bpf_mtap(caddr_t, const struct mbuf *, u_int);
 
+/* this is a helper for if_input_process and similar functions */
+static inline void
+if_input_process_proto(struct ifnet *ifp, struct mbuf *m, struct netstack *ns)
+{
+	void (*input)(struct ifnet *, struct mbuf *, struct netstack *);
+	input = m->m_pkthdr.ph_cookie;
+	(*input)(ifp, m, ns);
+}
+
 struct	ifaddr *ifa_ifwithaddr(const struct sockaddr *, u_int);
 struct	ifaddr *ifa_ifwithdstaddr(const struct sockaddr *, u_int);
 struct	ifaddr *ifaof_ifpforaddr(const struct sockaddr *, struct ifnet *);

package/libc/include/generic-openbsd/net/netisr.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: netisr.h,v 1.61 2023/07/06 04:55:05 dlg Exp $	*/
+/*	$OpenBSD: netisr.h,v 1.62 2025/10/30 17:30:46 mvs Exp $	*/
 /*	$NetBSD: netisr.h,v 1.12 1995/08/12 23:59:24 mycroft Exp $	*/
 
 /*
@@ -44,7 +44,6 @@
 #define NETISR_IP	2		/* same as AF_INET */
 #define NETISR_ARP	18		/* same as AF_LINK */
 #define NETISR_IPV6	24		/* same as AF_INET6 */
-#define NETISR_PIPEX	27		/* for pipex processing */
 #define NETISR_PPP	28		/* for PPP processing */
 #define NETISR_BRIDGE	29		/* for bridge processing */
 #define NETISR_PPPOE	30		/* for pppoe processing */
@@ -63,7 +62,6 @@ void	ipintr(void);
 void	ip6intr(void);
 void	pppintr(void);
 void	bridgeintr(void);
-void	pipexintr(void);
 void	pppoeintr(void);
 
 #define	schednetisr(anisr)						\

package/libc/include/generic-openbsd/net/pfvar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar.h,v 1.543 2025/04/14 20:02:34 sf Exp $ */
+/*	$OpenBSD: pfvar.h,v 1.548 2026/02/05 03:26:00 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -479,6 +479,13 @@ union pf_rule_ptr {
 #define	PF_ANCHOR_HIWAT		 512
 #define	PF_OPTIMIZER_TABLE_PFX	"__automatic_"
 
+enum {
+	PF_LIMITER_NOMATCH,
+	PF_LIMITER_BLOCK
+};
+
+#define	PF_LIMITER_DEFAULT	PF_LIMITER_BLOCK
+
 struct pf_rule {
 	struct pf_rule_addr	 src;
 	struct pf_rule_addr	 dst;
@@ -591,6 +598,14 @@ struct pf_rule {
 	u_int8_t		 set_prio[2];
 	sa_family_t		 naf;
 	u_int8_t		 rcvifnot;
+	struct {
+		u_int8_t	 id;
+		int		 limiter_action;
+	} 			 statelim;
+	struct {
+		u_int8_t	 id;
+		int		 limiter_action;
+	}			 sourcelim;
 
 	struct {
 		struct pf_addr		addr;
@@ -1502,6 +1517,133 @@ struct pfioc_synflwats {
 	u_int32_t	lowat;
 };
 
+#define PF_STATELIM_NAME_LEN	16	/* kstat istr */
+#define PF_STATELIM_DESCR_LEN	64
+
+struct pfioc_statelim {
+	u_int32_t	ticket;
+
+	char		name[PF_STATELIM_NAME_LEN];
+	uint32_t	id;
+#define PF_STATELIM_ID_NONE	0
+#define PF_STATELIM_ID_MIN	1
+#define PF_STATELIM_ID_MAX	255	/* fits in pf_state uint8_t */
+
+	/* limit on the total number of states */
+	unsigned int	limit;
+#define PF_STATELIM_LIMIT_MIN	1
+#define PF_STATELIM_LIMIT_MAX	(1 << 24) /* pf is pretty scalable */
+
+	/* rate limit on the creation of states */
+	struct {
+		unsigned int	limit;
+		unsigned int	seconds;
+	}		rate;
+
+	char		description[PF_STATELIM_DESCR_LEN];
+
+	/* kernel state for GET ioctls */
+	unsigned int	inuse;		/* gauge */
+	uint64_t	admitted;	/* counter */
+	uint64_t	hardlimited;	/* counter */
+	uint64_t	ratelimited;	/* counter */
+};
+
+#define PF_SOURCELIM_NAME_LEN	16	/* kstat istr */
+#define PF_SOURCELIM_DESCR_LEN	64
+
+struct pfioc_sourcelim {
+	u_int32_t	ticket;
+
+	char		name[PF_SOURCELIM_NAME_LEN];
+	uint32_t	id;
+#define PF_SOURCELIM_ID_NONE	0
+#define PF_SOURCELIM_ID_MIN	1
+#define PF_SOURCELIM_ID_MAX	255	/* fits in pf_state uint8_t */
+
+	/* limit on the total number of address entries */
+	unsigned int	entries;
+
+	/* limit on the number of states per address entry */
+	unsigned int	limit;
+
+	/* rate limit on the creation of states by an address entry */
+	struct {
+		unsigned int	limit;
+		unsigned int	seconds;
+	}		rate;
+
+	/*
+	 * when the number of states on an entry exceeds hwm, add
+	 * the address to the specified table. when the number of
+	 * states goes below lwm, remove it from the table.
+	 */
+	char		overload_tblname[PF_TABLE_NAME_SIZE];
+	unsigned int	overload_hwm;
+	unsigned int	overload_lwm;
+
+	/*
+	 * mask addresses before they're used for entries. /64s
+	 * everywhere for inet6 makes it easy to use too much memory.
+	 */ 
+	unsigned int	inet_prefix;
+	unsigned int	inet6_prefix;
+
+	char		description[PF_SOURCELIM_DESCR_LEN];
+
+	/* kernel state for GET ioctls */
+	unsigned int	nentries;	/* gauge */
+	unsigned int	inuse;		/* gauge */
+
+	uint64_t	addrallocs;	/* counter */
+	uint64_t	addrnomem;	/* counter */
+	uint64_t	admitted;	/* counter */
+	uint64_t	addrlimited;	/* counter */
+	uint64_t	hardlimited;	/* counter */
+	uint64_t	ratelimited;	/* counter */
+};
+
+struct pfioc_source_entry {
+	sa_family_t	af;
+	unsigned int	rdomain;
+	struct pf_addr	addr;
+
+	/* stats */
+
+	unsigned int	inuse;		/* gauge */
+	uint64_t	admitted;	/* counter */
+	uint64_t	hardlimited;	/* counter */
+	uint64_t	ratelimited;	/* counter */
+};
+
+struct pfioc_source {
+	char		name[PF_SOURCELIM_NAME_LEN];
+	uint32_t	id;
+
+	/* copied from the parent source limiter */
+
+	unsigned int	inet_prefix;
+	unsigned int	inet6_prefix;
+	unsigned int	limit;
+
+	/* source entries */
+	size_t		entry_size;	/* sizeof(struct pfioc_source_entry) */
+
+	struct pfioc_source_entry *key;
+	struct pfioc_source_entry *entries;
+	size_t		entrieslen;	/* bytes */
+};
+
+struct pfioc_source_kill {
+	char		name[PF_SOURCELIM_NAME_LEN];
+	uint32_t	id;
+	unsigned int	rdomain;
+	sa_family_t	af;
+	struct pf_addr	addr;
+
+	unsigned int	rmstates;	/* kill the states too? */
+};
+
 /*
  * ioctl operations
  */
@@ -1570,6 +1712,15 @@ struct pfioc_synflwats {
 #define DIOCSETSYNCOOKIES	_IOWR('D', 98, u_int8_t)
 #define DIOCGETSYNFLWATS	_IOWR('D', 99, struct pfioc_synflwats)
 #define DIOCXEND	_IOWR('D', 100, u_int32_t)
+#define DIOCADDSTATELIM		_IOW('D', 101, struct pfioc_statelim)
+#define DIOCADDSOURCELIM	_IOW('D', 102, struct pfioc_sourcelim)
+#define DIOCGETSTATELIM		_IOWR('D', 103, struct pfioc_statelim)
+#define DIOCGETSOURCELIM	_IOWR('D', 104, struct pfioc_sourcelim)
+#define DIOCGETSOURCE		_IOWR('D', 105, struct pfioc_source)
+#define DIOCGETNSTATELIM	_IOWR('D', 106, struct pfioc_statelim)
+#define DIOCGETNSOURCELIM	_IOWR('D', 107, struct pfioc_sourcelim)
+#define DIOCGETNSOURCE		_IOWR('D', 108, struct pfioc_source)
+#define DIOCCLRSOURCE		_IOWR('D', 109, struct pfioc_source_kill)
 
 #ifdef _KERNEL
 
@@ -1723,6 +1874,8 @@ int	pfr_clr_tstats(struct pfr_table *, int, int *, int);
 int	pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
 int	pfr_clr_addrs(struct pfr_table *, int *, int);
 int	pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, time_t);
+int	pfr_remove_kentry(struct pfr_ktable *, struct pfr_addr *);
+
 int	pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
 	    int);
 int	pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,

package/libc/include/generic-openbsd/net/pfvar_priv.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfvar_priv.h,v 1.38 2024/09/07 22:41:55 aisha Exp $	*/
+/*	$OpenBSD: pfvar_priv.h,v 1.42 2026/02/05 03:26:00 dlg Exp $	*/
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -39,6 +39,7 @@
 
 #include <sys/rwlock.h>
 #include <sys/mutex.h>
+#include <sys/pclock.h>
 #include <sys/percpu.h>
 
 /*
@@ -47,6 +48,45 @@
  */
 
 struct pfsync_deferral;
+struct kstat;
+
+/*
+ * PF state links
+ *
+ * This is used to augment a struct pf_state so it can be
+ * tracked/referenced by the state and source address limiter things.
+ * Each limiter maintains a list of the states they "own", and these
+ * state links are what the limiters use to wire a state into their
+ * lists.
+ *
+ * Without PF state links, the pf_state struct would have to grow
+ * a lot to support a feature that may not be used.
+ *
+ * pfl_entry is used by the pools to add states to their list.
+ * pfl_state allows the pools to get from their list of states to
+ * the states themselves.
+ *
+ * pfl_link allows operations on states (well, delete) to be able
+ * to quickly locate the pf_state_link struct so they can be unwired
+ * from the pools.
+ */
+
+#define PF_STATE_LINK_TYPE_STATELIM	1
+#define PF_STATE_LINK_TYPE_SOURCELIM	2
+
+struct pf_state_link {
+	/* used by source/state pools to get to states */
+	TAILQ_ENTRY(pf_state_link)	 pfl_link;
+
+	/* used by pf_state to get to source/state pools */
+	SLIST_ENTRY(pf_state_link)	 pfl_linkage;
+
+	struct pf_state			*pfl_state;
+	unsigned int			 pfl_type;
+};
+
+TAILQ_HEAD(pf_state_link_list, pf_state_link);
+SLIST_HEAD(pf_state_linkage, pf_state_link);
 
 /*
  * pf state items - links from pf_state_key to pf_states
@@ -144,6 +184,9 @@ struct pf_state {
 	u_int16_t		 if_index_out;	/* [I] */
 	u_int16_t		 delay;		/* [I] */
 	u_int8_t		 rt;		/* [I] */
+	uint8_t			 statelim;
+	uint8_t			 sourcelim;
+	struct pf_state_linkage	 linkage;
 };
 
 RBT_HEAD(pf_state_tree_id, pf_state);
@@ -256,6 +299,214 @@ struct pf_state_list {
 	.pfs_rwl	= RWLOCK_INITIALIZER("pfstates"),		\
 }
 
+/*
+ * State limiter
+ */
+
+struct pf_statelim {
+	RBT_ENTRY(pf_statelim)		 pfstlim_id_tree;
+	RBT_ENTRY(pf_statelim)		 pfstlim_nm_tree;
+	TAILQ_ENTRY(pf_statelim)	 pfstlim_list;
+	struct kstat			*pfstlim_ks;
+
+	uint32_t			 pfstlim_id;
+	char				 pfstlim_nm[PF_STATELIM_NAME_LEN];
+
+	/* config */
+
+	unsigned int			 pfstlim_limit;
+	struct {
+		unsigned int			limit;
+		unsigned int			seconds;
+	}				 pfstlim_rate;
+
+	/* run state */
+	struct pc_lock			 pfstlim_lock;
+
+	/* rate limiter */
+	uint64_t			 pfstlim_rate_ts;
+	uint64_t			 pfstlim_rate_token;
+	uint64_t			 pfstlim_rate_bucket;
+
+	unsigned int			 pfstlim_inuse;
+	struct pf_state_link_list	 pfstlim_states;
+
+	/* counters */
+
+	struct {
+		uint64_t			admitted;
+		uint64_t			hardlimited;
+		uint64_t			ratelimited;
+	}				 pfstlim_counters;
+
+	struct {
+		time_t				created;
+		time_t				updated;
+		time_t				cleared;
+	}				 pfstlim_timestamps;
+};
+
+RBT_HEAD(pf_statelim_id_tree, pf_statelim);
+RBT_PROTOTYPE(pf_statelim_id_tree, pf_statelim, pfstlim_id_tree, cmp);
+
+RBT_HEAD(pf_statelim_nm_tree, pf_statelim);
+RBT_PROTOTYPE(pf_statelim_nm_tree, pf_statelim, pfstlim_nm_tree, cmp);
+
+TAILQ_HEAD(pf_statelim_list, pf_statelim);
+
+extern struct pf_statelim_id_tree pf_statelim_id_tree_active;
+extern struct pf_statelim_list pf_statelim_list_active;
+
+extern struct pf_statelim_id_tree pf_statelim_id_tree_inactive;
+extern struct pf_statelim_nm_tree pf_statelim_nm_tree_inactive;
+extern struct pf_statelim_list pf_statelim_list_inactive;
+
+static inline unsigned int
+pf_statelim_enter(struct pf_statelim *pfstlim)
+{
+	return (pc_sprod_enter(&pfstlim->pfstlim_lock));
+}
+
+static inline void
+pf_statelim_leave(struct pf_statelim *pfstlim, unsigned int gen)
+{
+	pc_sprod_leave(&pfstlim->pfstlim_lock, gen);
+}
+
+/*
+ * Source address pools
+ */
+
+struct pf_sourcelim;
+
+struct pf_source {
+	RBT_ENTRY(pf_source)		 pfsr_tree;
+	RBT_ENTRY(pf_source)		 pfsr_ioc_tree;
+	struct pf_sourcelim		*pfsr_parent;
+
+	sa_family_t			 pfsr_af;
+	u_int16_t			 pfsr_rdomain;
+	struct pf_addr			 pfsr_addr;
+
+	/* run state */
+
+	unsigned int			 pfsr_inuse;
+	unsigned int			 pfsr_intable;
+	struct pf_state_link_list	 pfsr_states;
+	time_t				 pfsr_empty_ts;
+	TAILQ_ENTRY(pf_source)		 pfsr_empty_gc;
+
+	/* rate limiter */
+	uint64_t			 pfsr_rate_ts;
+
+	struct {
+		uint64_t			admitted;
+		uint64_t			hardlimited;
+		uint64_t			ratelimited;
+	}				 pfsr_counters;
+};
+
+RBT_HEAD(pf_source_tree, pf_source);
+RBT_PROTOTYPE(pf_source_tree, pf_source, pfsr_tree, cmp);
+
+RBT_HEAD(pf_source_ioc_tree, pf_source);
+RBT_PROTOTYPE(pf_source_ioc_tree, pf_source, pfsr_ioc_tree, cmp);
+
+TAILQ_HEAD(pf_source_list, pf_source);
+
+struct pf_sourcelim {
+	RBT_ENTRY(pf_sourcelim)		 pfsrlim_id_tree;
+	RBT_ENTRY(pf_sourcelim)		 pfsrlim_nm_tree;
+	TAILQ_ENTRY(pf_sourcelim)	 pfsrlim_list;
+	struct kstat			*pfsrlim_ks;
+
+	uint32_t			 pfsrlim_id;
+	char				 pfsrlim_nm[PF_SOURCELIM_NAME_LEN];
+	unsigned int			 pfsrlim_disabled;
+
+	/* config */
+
+	unsigned int			 pfsrlim_entries;
+	unsigned int			 pfsrlim_limit;
+	unsigned int			 pfsrlim_ipv4_prefix;
+	unsigned int			 pfsrlim_ipv6_prefix;
+
+	struct {
+		unsigned int			limit;
+		unsigned int			seconds;
+	}				 pfsrlim_rate;
+
+	struct {
+		char				name[PF_TABLE_NAME_SIZE];
+		unsigned int			hwm;
+		unsigned int			lwm;
+	        struct pfr_ktable		*table;
+	}				 pfsrlim_overload;
+
+	/* run state */
+	struct pc_lock			 pfsrlim_lock;
+
+	struct pf_addr			 pfsrlim_ipv4_mask;
+	struct pf_addr			 pfsrlim_ipv6_mask;
+
+	uint64_t			 pfsrlim_rate_token;
+	uint64_t			 pfsrlim_rate_bucket;
+
+	/* number of pf_sources */
+	unsigned int			 pfsrlim_nsources;
+	struct pf_source_tree		 pfsrlim_sources;
+	struct pf_source_ioc_tree	 pfsrlim_ioc_sources;
+
+	struct {
+		/* number of times pf_source was allocated */
+		uint64_t			addrallocs;
+		/* state was rejected because the address limit was hit */
+		uint64_t			addrlimited;
+		/* no memory to create address thing */
+		uint64_t			addrnomem;
+
+		/* sum of pf_source inuse gauges */
+		uint64_t			inuse;
+		/* sum of pf_source admitted counters */
+		uint64_t			admitted;
+		/* sum of pf_source hardlimited counters */
+		uint64_t			hardlimited;
+		/* sum of pf_source ratelimited counters */
+		uint64_t			ratelimited;
+	}				 pfsrlim_counters;
+};
+
+RBT_HEAD(pf_sourcelim_id_tree, pf_sourcelim);
+RBT_PROTOTYPE(pf_sourcelim_id_tree, pf_sourcelim, pfsrlim_id_tree, cmp);
+
+RBT_HEAD(pf_sourcelim_nm_tree, pf_sourcelim);
+RBT_PROTOTYPE(pf_sourcelim_nm_tree, pf_sourcelim, pfsrlim_nm_tree, cmp);
+
+TAILQ_HEAD(pf_sourcelim_list, pf_sourcelim);
+
+extern struct pf_sourcelim_id_tree pf_sourcelim_id_tree_active;
+extern struct pf_sourcelim_list pf_sourcelim_list_active;
+
+extern struct pf_sourcelim_id_tree pf_sourcelim_id_tree_inactive;
+extern struct pf_sourcelim_nm_tree pf_sourcelim_nm_tree_inactive;
+extern struct pf_sourcelim_list pf_sourcelim_list_inactive;
+
+static inline unsigned int
+pf_sourcelim_enter(struct pf_sourcelim *pfsrlim)
+{
+	return (pc_sprod_enter(&pfsrlim->pfsrlim_lock));
+}
+
+static inline void
+pf_sourcelim_leave(struct pf_sourcelim *pfsrlim, unsigned int gen)
+{
+	pc_sprod_leave(&pfsrlim->pfsrlim_lock, gen);
+}
+
+/*
+ * pf internals
+ */
+
 extern struct rwlock pf_lock;
 
 struct pf_pdesc {
@@ -429,6 +680,10 @@ u_int16_t		pf_pkt_hash(sa_family_t, uint8_t,
 			    const struct pf_addr *, const struct pf_addr *,
 			    uint16_t, uint16_t);
 
+void			pf_status_init(void);
+void			pf_status_clear(void);
+void			pf_status_read(struct pf_status *);
+
 #endif /* _KERNEL */
 
 #endif /* _NET_PFVAR_PRIV_H_ */