Lines Matching +full:tlv +full:- +full:layout
1 /*-
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
75 static int ipfw_socket = -1;
206 {"src-addr", DYN_SRC_ADDR},
207 {"src-port", DYN_SRC_PORT},
208 {"dst-addr", DYN_DST_ADDR},
209 {"dst-port", DYN_DST_PORT},
220 * Note, we cannot use "-:&/" in the names because they are field
222 * end-delimiter, because a type of 0 can be legal.
251 { "tcp-setmss", TOK_TCPSETMSS },
279 { "check-state", TOK_CHECKSTATE },
288 { "tcp-setmss", TOK_TCPSETMSS },
306 { "dst-ip", LOOKUP_DST_IP },
307 { "src-ip", LOOKUP_SRC_IP },
308 { "dst-port", LOOKUP_DST_PORT },
309 { "src-port", LOOKUP_SRC_PORT },
310 { "dst-mac", LOOKUP_DST_MAC },
311 { "src-mac", LOOKUP_SRC_MAC },
326 { "set-limit", TOK_SETLIMIT },
327 { "keep-state", TOK_KEEPSTATE },
328 { "record-state", TOK_RECORDSTATE },
333 { "diverted-loopback", TOK_DIVERTEDLOOPBACK },
334 { "diverted-output", TOK_DIVERTEDOUTPUT },
366 { "dst-ip", TOK_DSTIP },
367 { "src-ip", TOK_SRCIP },
368 { "dst-port", TOK_DSTPORT },
369 { "src-port", TOK_SRCPORT },
370 { "dst-mac", TOK_DSTMAC },
371 { "src-mac", TOK_SRCMAC },
375 { "mac-type", TOK_MACTYPE },
383 { "flow-id", TOK_FLOWID },
388 { "dst-ipv6", TOK_DSTIP6 },
389 { "dst-ip6", TOK_DSTIP6 },
390 { "src-ipv6", TOK_SRCIP6 },
391 { "src-ip6", TOK_SRCIP6 },
395 { "defer-action", TOK_SKIPACTION },
396 { "defer-immediate-action", TOK_SKIPACTION },
448 if ((b->buf = calloc(1, size)) == NULL)
451 b->ptr = b->buf;
452 b->size = size;
453 b->avail = b->size;
462 free(b->buf);
472 b->ptr = b->buf;
473 b->avail = b->size;
474 b->buf[0] = '\0';
492 i = vsnprintf(b->ptr, b->avail, format, args);
495 if (i < 0 || (size_t)i > b->avail) {
497 b->avail = 0;
499 b->ptr += i;
500 b->avail -= i;
503 b->needed += i;
509 * Special values printer for tablearg-aware opcodes.
583 return (-01);
598 * Selected options or negative -> getsockopt
618 if (ipfw_socket == -1)
629 optname = -optname;
639 * do_set3 - pass ipfw control cmd to kernel
645 * Calls setsockopt() with IP_FW3 as kernel-visible opcode.
652 op3->opcode = optname;
667 if (ipfw_socket == -1)
677 * do_get3 - pass ipfw control cmd to kernel
683 * Calls getsockopt() with IP_FW3 as kernel-visible opcode.
692 op3->opcode = optname;
707 if (ipfw_socket == -1)
722 * with the string (-1 in case of failure).
730 for (pt = table ; i && pt->s != NULL ; pt++)
731 if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
732 return pt->x;
733 return (-1);
742 * -1 for non-matched records
743 * -2 if more than one records match @string.
754 for (pt = table ; i != 0 && pt->s != NULL ; pt++) {
755 if (strncmp(pt->s, string, i) != 0)
762 return (m->x);
764 return (c > 0 ? -2: -1);
786 for (; p->s != NULL; p++)
787 if (p->x == value)
788 return p->s;
800 for (sz = 0, pt = table ; pt->s != NULL; pt++) {
801 l = snprintf(buf + sz, bufsize - sz, "%s%s",
802 (sz == 0) ? "" : delimiter, pt->s);
837 return (-1);
861 sz -=l;
867 * and 0 if they match exactly or the first string is a sub-string
869 * first string is a sub-string of the second.
882 warnx("DEPRECATED: '%s' matched '%s' as a sub-string",
889 * and 0 if they match exactly or the second string is a sub-string
934 se = getservbyport(htons(port), pe ? pe->p_name : NULL);
937 bprintf(bp, "%s", se->s_name);
944 {"dst-port", O_IP_DSTPORT},
945 {"src-port", O_IP_SRCPORT},
949 {"mac-type", O_MAC_TYPE},
958 * Print the values in a list 16-bit items of the types above.
964 const uint16_t *p = cmd->ports;
975 for (i = F_LEN((const ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
979 bprintf(bp, "-");
990 * proto == -1 disables the protocol check;
1002 *end = s; /* default - not found */
1017 buf = safe_calloc(s1 - s + 1, 1);
1030 if (i != -1) { /* found */
1041 se = getservbyname(buf, pe ? pe->p_name : NULL);
1045 return ntohs(se->s_port);
1057 uint16_t a, b, *p = cmd->ports;
1069 case '-': /* a range */
1072 /* Reject expressions like '1-abc' or '1-2-3'. */
1095 cmd->o.len |= i + 1; /* leave F_NOT and F_OR untouched */
1110 cmd->opcode = O_DSCP;
1111 cmd->len |= F_INSN_SIZE(ipfw_insn_u32) + 1;
1128 if ((code = match_token(f_ipdscp, s)) == -1)
1137 *high |= 1 << (code - 32);
1154 cmd->opcode = O_MARK;
1155 cmd->len |= F_INSN_SIZE(ipfw_insn_u32) + 1;
1165 cmd->arg1 = IP_FW_TARG;
1169 cmd->arg1 |= 0x8000;
1191 { "net-unknown", ICMP_UNREACH_NET_UNKNOWN },
1192 { "host-unknown", ICMP_UNREACH_HOST_UNKNOWN },
1194 { "net-prohib", ICMP_UNREACH_NET_PROHIB },
1195 { "host-prohib", ICMP_UNREACH_HOST_PROHIB },
1198 { "filter-prohib", ICMP_UNREACH_FILTER_PROHIB },
1199 { "host-precedence", ICMP_UNREACH_HOST_PRECEDENCE },
1200 { "precedence-cutoff", ICMP_UNREACH_PRECEDENCE_CUTOFF },
1231 * or -1 if the mask is not contiguous.
1233 * This effectively works on masks in big-endian (network) format.
1236 * First bit is bit 7 of the first byte -- note, for MAC addresses,
1246 if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
1249 if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
1250 return -1; /* mask not contiguous */
1264 uint8_t set = cmd->arg1 & 0xff;
1265 uint8_t clear = (cmd->arg1 >> 8) & 0xff;
1297 const uint32_t *a = ((const ipfw_insn_u32 *)cmd)->d;
1302 if (cmd->o.opcode == O_IP_DST_LOOKUP && len > F_INSN_SIZE(ipfw_insn_u32)) {
1306 t = table_search_ctlv(fo->tstate,
1307 ((const ipfw_insn *)cmd)->arg1);
1311 if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
1315 if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
1316 cmd->o.opcode == O_IP_DST_LOOKUP) {
1317 t = table_search_ctlv(fo->tstate,
1318 ((const ipfw_insn *)cmd)->arg1);
1325 if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
1326 const uint32_t *map = (const uint32_t *)&cmd->mask;
1332 x = cmd->o.arg1 - 1;
1334 addr.s_addr = htonl(cmd->addr.s_addr);
1337 x = cmd->addr.s_addr;
1345 for (i=0; i < cmd->o.arg1; i++)
1347 for (j=i+1; j < cmd->o.arg1; j++)
1352 bprintf(bp, "-%d", j-1+x);
1353 i = j-1;
1365 for (len = len / 2; len > 0; len--, a += 2) {
1367 (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
1373 bprintf(bp, "%s", he->h_name);
1403 if (l == -1)
1417 format_mac(bp, mac->addr, mac->mask);
1418 format_mac(bp, mac->addr + 6, mac->mask + 6);
1430 t = table_search_ctlv(fo->tstate, cmd->arg1);
1433 bprintf(bp, ",%u", ((const ipfw_insn_u32 *)cmd)->d[0]);
1442 cmd->d[0] = 0;
1455 cmd->d[0] |= 1 << type;
1457 cmd->o.opcode = O_ICMPTYPE;
1458 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
1469 if ( (cmd->d[0] & (1 << (i))) == 0)
1485 v = cmd->d;
1518 state->printed = calloc(rule->cmd_len, sizeof(uint8_t));
1519 if (state->printed == NULL)
1521 state->rule = rule;
1522 state->eaction = NULL;
1523 state->flags = 0;
1524 state->proto = 0;
1525 state->or_block = 0;
1533 free(state->printed);
1540 return (state->printed[cmd - state->rule->cmd]);
1547 state->printed[cmd - state->rule->cmd] = 1;
1557 for (x = limit->limit_mask; p->x != 0; p++) {
1558 if ((x & p->x) == p->x) {
1559 x &= ~p->x;
1560 bprintf(bp, "%s%s", comma, p->s);
1564 bprint_uint_arg(bp, " ", limit->conn_limit);
1579 if ((cmd->len & F_OR) != 0 && state->or_block == 0)
1581 if (cmd->opcode != O_IN && (cmd->len & F_NOT) != 0)
1584 switch (cmd->opcode) {
1586 d = 1.0 * insntod(cmd, u32)->d[0] / 0x7fffffff;
1590 state->flags |= HAVE_PROBE_STATE;
1597 if (state->flags & HAVE_SRCIP)
1598 bprintf(bp, " src-ip");
1606 if (state->flags & HAVE_DSTIP)
1607 bprintf(bp, " dst-ip");
1613 if (state->flags & HAVE_SRCIP)
1614 bprintf(bp, " src-ip6");
1620 if (state->flags & HAVE_DSTIP)
1621 bprintf(bp, " dst-ip6");
1625 bprintf(bp, " src-mac");
1629 bprintf(bp, " dst-mac");
1637 print_newports(bp, insntod(cmd, u16), state->proto,
1638 (state->flags & (HAVE_SRCIP | HAVE_DSTIP)) ==
1639 (HAVE_SRCIP | HAVE_DSTIP) ? cmd->opcode: 0);
1642 pe = getprotobynumber(cmd->arg1);
1643 if (state->flags & HAVE_PROTO)
1646 bprintf(bp, " %s", pe->p_name);
1648 bprintf(bp, " %u", cmd->arg1);
1649 state->proto = cmd->arg1;
1656 IPPROTO_ETHERTYPE, cmd->opcode);
1662 bprintf(bp, " fib %u", cmd->arg1);
1668 bprintf(bp, cmd->len & F_NOT ? " out" : " in");
1671 switch (cmd->arg1) {
1676 bprintf(bp, " diverted-output");
1679 bprintf(bp, " diverted-loopback");
1682 bprintf(bp, " diverted-?<%u>", cmd->arg1);
1692 if (cmd->opcode == O_XMIT)
1694 else if (cmd->opcode == O_RECV)
1696 else /* if (cmd->opcode == O_VIA) */
1698 switch (insntod(cmd, if)->name[0]) {
1701 inet_ntoa(insntod(cmd, if)->p.ip));
1705 table_search_ctlv(fo->tstate,
1706 insntod(cmd, if)->p.kidx));
1710 insntod(cmd, if)->name);
1714 s = table_search_ctlv(fo->tstate, cmd->arg1);
1717 bprintf(bp, ",%u", insntod(cmd, u32)->d[0]);
1727 switch (cmd->opcode) {
1750 bprintf(bp, " %s %u", s, cmd->arg1);
1753 cmd->opcode);
1756 bprintf(bp, " ipver %u", cmd->arg1);
1759 bprintf(bp, " ipprecedence %u", cmd->arg1 >> 5);
1784 ntohl(insntod(cmd, u32)->d[0]));
1788 ntohl(insntod(cmd, u32)->d[0]));
1791 pwd = getpwuid(insntod(cmd, u32)->d[0]);
1793 bprintf(bp, " uid %s", pwd->pw_name);
1796 insntod(cmd, u32)->d[0]);
1799 grp = getgrgid(insntod(cmd, u32)->d[0]);
1801 bprintf(bp, " gid %s", grp->gr_name);
1804 insntod(cmd, u32)->d[0]);
1807 bprintf(bp, " jail %d", insntod(cmd, u32)->d[0]);
1825 if (state->flags & HAVE_PROBE_STATE)
1826 bprintf(bp, " keep-state");
1828 bprintf(bp, " record-state");
1830 object_search_ctlv(fo->tstate, cmd->arg1,
1834 if (state->flags & HAVE_PROBE_STATE)
1837 bprintf(bp, " set-limit");
1840 object_search_ctlv(fo->tstate, cmd->arg1,
1844 if (state->flags & HAVE_PROTO)
1849 if (state->flags & HAVE_PROTO)
1861 bprint_uint_arg(bp, " tagged ", cmd->arg1);
1867 bprintf(bp, " defer-immediate-action");
1871 if (cmd->arg1 == IP_FW_TARG)
1875 ((const ipfw_insn_u32 *)cmd)->d[0]);
1877 if (((const ipfw_insn_u32 *)cmd)->d[1] != 0xFFFFFFFF)
1879 ((const ipfw_insn_u32 *)cmd)->d[1]);
1883 bprintf(bp, " [opcode %d len %d]", cmd->opcode,
1884 cmd->len);
1886 if (cmd->len & F_OR) {
1888 state->or_block = 1;
1889 } else if (state->or_block != 0) {
1891 state->or_block = 0;
1905 for (l = state->rule->act_ofs, cmd = state->rule->cmd;
1906 l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
1908 if (opcode >= 0 && cmd->opcode != opcode)
1914 if (cmd->opcode == O_NOP && opcode != O_NOP)
1931 if (cmd->opcode == O_FORWARD_IP) {
1933 port = sa->sa.sin_port;
1934 if (sa->sa.sin_addr.s_addr == INADDR_ANY)
1937 bprintf(bp, "fwd %s", inet_ntoa(sa->sa.sin_addr));
1940 port = sa6->sa.sin6_port;
1942 if (getnameinfo((const struct sockaddr *)&sa6->sa,
1959 switch (cmd->opcode) {
1961 bprintf(bp, "check-state");
1962 if (cmd->arg1 != 0)
1963 s = object_search_ctlv(fo->tstate, cmd->arg1,
1979 if (cmd->arg1 == ICMP_REJECT_RST)
1981 else if (cmd->arg1 == ICMP_REJECT_ABORT)
1983 else if (cmd->arg1 == ICMP_UNREACH_HOST)
1985 else if (cmd->arg1 == ICMP_UNREACH_NEEDFRAG &&
1986 cmd->len == F_INSN_SIZE(ipfw_insn_u16))
1988 ((const ipfw_insn_u16 *)cmd)->ports[0]);
1990 print_reject_code(bp, cmd->arg1);
1993 if (cmd->arg1 == ICMP6_UNREACH_RST)
1995 else if (cmd->arg1 == ICMP6_UNREACH_ABORT)
1998 print_unreach6_code(bp, cmd->arg1);
2001 bprint_uint_arg(bp, "skipto ", cmd->arg1);
2004 bprint_uint_arg(bp, "pipe ", cmd->arg1);
2007 bprint_uint_arg(bp, "queue ", cmd->arg1);
2010 bprint_uint_arg(bp, "divert ", cmd->arg1);
2013 bprint_uint_arg(bp, "tee ", cmd->arg1);
2016 bprint_uint_arg(bp, "netgraph ", cmd->arg1);
2019 bprint_uint_arg(bp, "ngtee ", cmd->arg1);
2026 if (insntod(cmd, log)->max_log > 0)
2028 insntod(cmd, log)->max_log);
2038 bprint_uint_arg(bp, cmd->len & F_NOT ? " untag ":
2039 " tag ", cmd->arg1);
2042 if (cmd->arg1 != IP_FW_NAT44_GLOBAL)
2043 bprint_uint_arg(bp, "nat ", cmd->arg1);
2048 if (cmd->arg1 == IP_FW_TARG)
2049 bprint_uint_arg(bp, "setfib ", cmd->arg1);
2051 bprintf(bp, "setfib %u", cmd->arg1 & 0x7FFF);
2056 * each other opcodes - O_EXTERNAL_ACTION and
2063 state->eaction = cmd;
2064 s = object_search_ctlv(fo->tstate, cmd->arg1,
2066 if (match_token(rule_eactions, s) != -1)
2072 if (state->eaction == NULL)
2077 * the rule, we specify zero TLV type for
2081 * we calculate TLV type using IPFW_TLV_EACTION_NAME()
2084 s = object_search_ctlv(fo->tstate, cmd->arg1, 0);
2086 s = object_search_ctlv(fo->tstate,
2087 cmd->arg1, IPFW_TLV_EACTION_NAME(
2088 state->eaction->arg1));
2092 if (state->eaction == NULL)
2099 if (cmd->len == F_INSN_SIZE(ipfw_insn))
2100 bprintf(bp, " %u", cmd->arg1);
2103 cmd->len * sizeof(uint32_t));
2106 if (cmd->arg1 == IP_FW_TARG) {
2110 s = match_value(f_ipdscp, cmd->arg1 & 0x3F);
2114 bprintf(bp, "setdscp %u", cmd->arg1 & 0x3F);
2120 if (cmd->len & F_NOT)
2123 bprint_uint_arg(bp, "call ", cmd->arg1);
2126 if (cmd->arg1 == IP_FW_TARG) {
2130 bprintf(bp, "setmark %#x", ((const ipfw_insn_u32 *)cmd)->d[0]);
2134 cmd->opcode, cmd->len);
2149 for (l = state->rule->cmd_len - state->rule->act_ofs,
2150 cmd = ACTION_PTR(state->rule); l > 0;
2151 l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2152 if (cmd->opcode != opcode)
2170 for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2171 l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2172 switch (cmd->opcode) {
2178 if (cmd->len & F_OR)
2183 if (cmd->len & F_OR)
2191 state->proto = IPPROTO_IP;
2192 state->flags |= HAVE_PROTO;
2200 if (cmd != NULL && (cmd->len & F_OR))
2202 if (cmd == NULL || (cmd->len & F_OR))
2203 for (l = proto; l > 0; l--) {
2205 if (cmd == NULL || (cmd->len & F_OR) == 0)
2209 state->flags |= HAVE_PROTO;
2210 if (state->proto == 0 && ip6 != 0)
2211 state->proto = IPPROTO_IPV6;
2234 for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2235 l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2236 if (match_opcode(cmd->opcode, opcodes, nops))
2238 else if (cmd->opcode == portop)
2243 for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2244 l > 0 && count > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2245 if (!match_opcode(cmd->opcode, opcodes, nops))
2248 if ((cmd->len & F_OR) == 0)
2250 count--;
2257 for (l = state->rule->act_ofs, cmd = state->rule->cmd, pf = 0;
2258 l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2259 if (cmd->opcode != portop) {
2260 pf = (cmd->len & F_OR);
2264 if (pf == 0 && (cmd->len & F_OR) == 0)
2269 state->flags |= flag;
2305 if ((fo->set_mask & (1 << rule->set)) == 0) {
2307 if (!co->show_sets)
2316 bprintf(bp, "%05u ", rule->rulenum);
2321 if (fo->pcwidth > 0 || fo->bcwidth > 0) {
2322 pr_u64(bp, &cntr->pcnt, fo->pcwidth);
2323 pr_u64(bp, &cntr->bcnt, fo->bcwidth);
2327 if (co->do_time == TIMESTAMP_NUMERIC)
2328 bprintf(bp, "%10u ", cntr->timestamp);
2329 else if (co->do_time == TIMESTAMP_STRING) {
2338 if (cntr->timestamp > 0) {
2339 t = _long_to_time(cntr->timestamp);
2351 if (co->show_sets)
2352 bprintf(bp, "set %d ", rule->set);
2362 switch (cmd->opcode) {
2378 if (co->comment_only != 0)
2381 if (rule->flags & IPFW_RULE_JUSTOPTS) {
2387 if (co->do_compact != 0 && (rule->flags & IPFW_RULE_NOOPT))
2402 while (print_opcode(bp, fo, &state, -1))
2407 if (co->comment_only != 0 && cmd == NULL)
2422 if (d->expire == 0 && d->dyn_type != O_LIMIT_PARENT)
2425 bcopy(&d->rule, &rulenum, sizeof(rulenum));
2427 if (fo->pcwidth > 0 || fo->bcwidth > 0) {
2429 pr_u64(bp, &d->pcnt, fo->pcwidth);
2430 pr_u64(bp, &d->bcnt, fo->bcwidth);
2431 bprintf(bp, "(%ds)", d->expire);
2433 switch (d->dyn_type) {
2435 bprintf(bp, " PARENT %d", d->count);
2445 if ((pe = getprotobynumber(d->id.proto)) != NULL)
2446 bprintf(bp, " %s", pe->p_name);
2448 bprintf(bp, " proto %u", d->id.proto);
2450 if (d->id.addr_type == 4) {
2451 a.s_addr = htonl(d->id.src_ip);
2452 bprintf(bp, " %s %d", inet_ntoa(a), d->id.src_port);
2454 a.s_addr = htonl(d->id.dst_ip);
2455 bprintf(bp, " <-> %s %d", inet_ntoa(a), d->id.dst_port);
2456 } else if (d->id.addr_type == 6) {
2457 bprintf(bp, " %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf,
2458 sizeof(buf)), d->id.src_port);
2459 bprintf(bp, " <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6,
2460 buf, sizeof(buf)), d->id.dst_port);
2462 bprintf(bp, " UNKNOWN <-> UNKNOWN");
2463 if (d->kidx != 0)
2464 bprintf(bp, " :%s", object_search_ctlv(fo->tstate,
2465 d->kidx, IPFW_TLV_STATE_NAME));
2469 if (co->verbose) {
2470 bprintf(bp, " state 0x%08x%s", d->state,
2471 d->state ? " ": ",");
2472 if (d->state & IPFW_DYN_ORPHANED)
2474 if ((d->state & BOTH_SYN) == BOTH_SYN)
2477 if (d->state & TH_SYN)
2479 if (d->state & (TH_SYN << 8))
2482 if ((d->state & BOTH_FIN) == BOTH_FIN)
2485 if (d->state & TH_FIN)
2487 if (d->state & (TH_FIN << 8))
2490 bprintf(bp, " f_ack 0x%x, r_ack 0x%x", d->ack_fwd,
2491 d->ack_rev);
2508 return (-1);
2510 rt->new_set = rh.range.new_set;
2515 * This one handles all set-related commands
2546 if ((cfg->set_mask & (1<<i)) == 0) {
2550 msg = (cfg->set_mask != (uint32_t)-1) ? " enable" : "enable";
2552 if ((cfg->set_mask & (1<<i)) != 0) {
2679 fo->dcnt++;
2681 if (fo->show_counters == 0)
2684 if (co->use_set) {
2686 bcopy((char *)&d->rule + sizeof(uint16_t), &set,
2688 if (set != co->use_set - 1)
2692 width = pr_u64(NULL, &d->pcnt, 0);
2693 if (width > fo->pcwidth)
2694 fo->pcwidth = width;
2696 width = pr_u64(NULL, &d->bcnt, 0);
2697 if (width > fo->bcwidth)
2698 fo->bcwidth = width;
2708 ipfw_obj_tlv *tlv;
2716 switch (ctlv->head.type) {
2719 sz -= sizeof(*ctlv);
2729 tlv = (ipfw_obj_tlv *)base;
2730 if (tlv->type != ttype)
2733 fptr(co, fo, farg, tlv + 1);
2734 sz -= tlv->length;
2735 base += tlv->length;
2753 if (fo->show_counters != 0) {
2755 rtlv = (ipfw_obj_tlv *)((caddr_t)rtlv + rtlv->length)) {
2757 r = (struct ip_fw_rule *)((caddr_t)cntr + cntr->size);
2759 if (co->use_set && r->set != co->use_set - 1)
2763 width = pr_u64(NULL, &cntr->pcnt, 0);
2768 width = pr_u64(NULL, &cntr->bcnt, 0);
2773 fo->bcwidth = bcwidth;
2774 fo->pcwidth = pcwidth;
2776 fo->dcnt = 0;
2777 if (co->do_dynamic && dynsz > 0)
2790 rtlv = (ipfw_obj_tlv *)((caddr_t)rtlv + rtlv->length)) {
2792 if ((fo->show_counters | fo->show_time) != 0) {
2794 r = (struct ip_fw_rule *)((caddr_t)cntr + cntr->size);
2799 if (r->rulenum > fo->last)
2801 if (co->use_set && r->set != co->use_set - 1)
2803 if (r->rulenum >= fo->first && r->rulenum <= fo->last) {
2805 printf("%s", bp->buf);
2826 bcopy(&d->rule, &rulenum, sizeof(rulenum));
2827 if (rulenum > fo->last)
2829 if (co->use_set) {
2830 bcopy((char *)&d->rule + sizeof(uint16_t),
2832 if (set != co->use_set - 1)
2835 if (rulenum >= fo->first) {
2837 printf("%s\n", bp->buf);
2872 ac--;
2878 for (lac = ac, lav = av; lac != 0; lac--) {
2883 if (*endptr == '-')
2928 * Handle tablenames TLV first, if any
2936 fo->set_mask = cfg->set_mask;
2939 if (ctlv->head.type == IPFW_TLV_TBLNAME_LIST) {
2941 fo->tstate = ctlv;
2942 readsz += ctlv->head.length;
2943 ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + ctlv->head.length);
2946 if (cfg->flags & IPFW_CFG_GET_STATIC) {
2948 if (ctlv->head.type == IPFW_TLV_RULE_LIST) {
2950 rcnt = ctlv->count;
2951 readsz += ctlv->head.length;
2953 ctlv->head.length);
2957 if ((cfg->flags & IPFW_CFG_GET_STATES) && (readsz != sz)) {
2959 dynsz = sz - readsz;
2972 fo->first = 0;
2973 fo->last = IPFW_DEFAULT_RULE;
2974 if (cfg->flags & IPFW_CFG_GET_STATIC)
2977 if (co->do_dynamic && dynsz > 0) {
2978 printf("## Dynamic rules (%d %zu):\n", fo->dcnt,
2988 for (lac = ac, lav = av; lac != 0; lac--) {
2990 fo->last = fo->first = strtoul(*lav++, &endptr, 10);
2991 if (*endptr == '-')
2992 fo->last = strtoul(endptr + 1, &endptr, 10);
2995 warnx("invalid rule number: %s", *(lav - 1));
2999 if ((cfg->flags & IPFW_CFG_GET_STATIC) == 0)
3006 if (fo->first == fo->last)
3007 warnx("rule %u does not exist", fo->first);
3009 warnx("no rules in range %u-%u",
3010 fo->first, fo->last);
3014 if (co->do_dynamic && dynsz > 0) {
3016 for (lac = ac, lav = av; lac != 0; lac--) {
3017 fo->last = fo->first = strtoul(*lav++, &endptr, 10);
3018 if (*endptr == '-')
3019 fo->last = strtoul(endptr+1, &endptr, 10);
3050 if (co->test_only != 0) {
3065 cfg->flags = fo->flags;
3066 cfg->start_rule = fo->first;
3067 cfg->end_rule = fo->last;
3069 if (do_get3(IP_FW_XGET, &cfg->opheader, &sz) != 0) {
3077 if (sz < cfg->size)
3078 sz = cfg->size;
3098 return(-1);
3099 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
3118 * Check that name is null-terminated and contains
3120 * [a-zA-Z0-9\-_\.]{1,63}
3128 c == '-' || c == '.')
3155 if (match_token(rule_actions, name) != -1 &&
3156 match_token(rule_action_params, name) != -1)
3167 for (i = 0; i < tstate->count; i++) {
3168 if (strcmp(tstate->idx[i].name, name) != 0)
3170 if (tstate->idx[i].set != tstate->set)
3172 if (tstate->idx[i].head.type != otype)
3175 return (tstate->idx[i].idx);
3178 if (tstate->count + 1 > tstate->size) {
3179 tstate->size += 4;
3180 tstate->idx = realloc(tstate->idx, tstate->size *
3182 if (tstate->idx == NULL)
3186 ntlv = &tstate->idx[i];
3188 strlcpy(ntlv->name, name, sizeof(ntlv->name));
3189 ntlv->head.type = otype;
3190 ntlv->head.length = sizeof(ipfw_obj_ntlv);
3191 ntlv->set = tstate->set;
3192 ntlv->idx = ++tstate->counter;
3193 tstate->count++;
3195 return (ntlv->idx);
3212 uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
3226 cmd->opcode = opcode;
3227 cmd->arg1 = uidx;
3229 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
3232 cmd->len |= F_INSN_SIZE(ipfw_insn);
3245 * We can have multiple comma-separated address/mask entries.
3251 uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
3253 cmd->o.len &= ~F_LEN_MASK; /* zero len */
3259 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
3264 fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
3304 d[1] = htonl(~0U << (32 - masklen));
3307 d[1] = htonl(~0U << (32 - 24));
3308 *(--p) = md;
3312 *(--p) = md;
3334 uint32_t *map = (uint32_t *)&cmd->mask;
3342 cmd->o.arg1 = 1<<(32-i); /* map length */
3344 cmd->o.opcode = O_IP_DST_SET; /* default */
3345 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
3346 for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
3351 high = low + cmd->o.arg1 - 1;
3354 * of addresses within a mask, e.g. 45-63. i = -1 means we
3357 i = -1; /* previous value in a range */
3365 if (i != -1)
3366 errx(EX_DATAERR, "incomplete range %d-", i);
3370 errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
3372 a -= low;
3373 if (i == -1) /* no previous in range */
3377 errx(EX_DATAERR, "invalid range %d-%d",
3379 if (*s == '-')
3380 errx(EX_DATAERR, "double '-' in range");
3384 i = -1;
3385 if (*s == '-')
3405 if (cmd->o.len & F_NOT) { /* "not any" never matches */
3414 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
3422 cmd->o.len |= len+1;
3436 for (; n > 0; p++, n -= 8) {
3455 cmd->opcode = opcode;
3456 cmd->len = (cmd->len & (F_NOT | F_OR)) | 1;
3457 cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
3486 if (*sep== '-')
3506 rt.set = g_co.use_set - 1;
3525 warnx("no rules in %u-%u range",
3551 cmd->name[0] = '\0';
3552 cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
3558 cmd->o.len = 0; /* effectively ignore this command */
3569 cmd->name[0] = '\1'; /* Special value indicating table */
3570 cmd->p.kidx = uidx;
3572 strlcpy(cmd->name, arg, sizeof(cmd->name));
3573 cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
3574 } else if (!inet_aton(arg, &cmd->p.ip))
3603 if (p[ptr - optr - 1] == '/') { /* mask len */
3607 for (i = 0; ml > 0 && i < ETHER_ADDR_LEN; ml -= 8, i++)
3608 mask[i] = (ml >= 8) ? 0xff: (~0) << (8 - ml);
3634 *len -= F_LEN(cmd);
3650 cmd->opcode = O_NOP;
3651 cmd->len = (cmd->len & (F_NOT | F_OR));
3662 cmd->len = (cmd->len & (F_NOT | F_OR)) | l;
3670 *(--p) = '\0';
3680 cmd->opcode = opcode;
3681 cmd->len = ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
3682 cmd->arg1 = arg;
3697 cmd->opcode = O_MACADDR2;
3698 cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
3702 get_mac_addr_mask(av[0], mac->addr, mac->mask); /* dst */
3703 get_mac_addr_mask(av[1], &(mac->addr[ETHER_ADDR_LEN]),
3704 &(mac->mask[ETHER_ADDR_LEN])); /* src */
3713 if (strcmp(av, "any") != 0) { /* we have a non-null type */
3716 cmd->opcode = O_MAC_TYPE;
3733 proto = pe->p_proto;
3787 if (cmd->opcode == O_IP_DST_SET) /* set */
3788 cmd->opcode = O_IP_SRC_SET;
3789 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
3790 cmd->opcode = O_IP_SRC_LOOKUP;
3792 cmd->opcode = O_IP_SRC_ME;
3794 cmd->opcode = O_IP_SRC;
3796 cmd->opcode = O_IP_SRC_MASK;
3804 if (cmd->opcode == O_IP_DST_SET) /* set */
3806 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
3809 cmd->opcode = O_IP_DST_ME;
3811 cmd->opcode = O_IP_DST;
3813 cmd->opcode = O_IP_DST_MASK;
3844 { "dst-port", TOK_OR },
3845 { "src-port", TOK_OR },
3847 { "keep-state", TOK_OR },
3864 if (match_token(f_reserved_keywords, av) != -1)
3869 cmd->opcode = opcode;
3885 len = ch - av;
3916 len = ch - av;
3940 uint32_t arg1 = (uint32_t)(-1);
3959 if (arg1 == (uint32_t)(-1))
3970 if (arg1 != (uint32_t)(-1))
3978 return (ntohs(s->s_port));
3989 * (generated if the rule includes a keep-state option), then the
4013 ipfw_insn *have_state = NULL; /* any state-related option */
4037 rblen -= sizeof(struct ip_fw_rule) / sizeof(uint32_t);
4040 cblen -= F_INSN_SIZE(ipfw_insn_u32) + 1;
4042 #define CHECK_RBUFLEN(len) { CHECK_LENGTH(rblen, len); rblen -= len; }
4043 #define CHECK_ACTLEN CHECK_LENGTH(ablen, action->len)
4047 /* [rule N] -- Rule number optional */
4049 rule->rulenum = atoi(*av);
4053 /* [set N] -- set number (0..RESVD_SET), optional */
4058 rule->set = set;
4059 tstate->set = set;
4063 /* [prob D] -- match probability, optional */
4072 /* action -- mandatory */
4076 action->len = 1; /* default */
4081 action->opcode = O_CHECK_STATE;
4084 action->arg1 = pack_object(tstate,
4090 action->arg1 = 0;
4092 action->arg1 = pack_object(tstate, *av + 1,
4104 action->opcode = O_REJECT;
4105 action->arg1 = ICMP_REJECT_ABORT;
4109 action->opcode = O_UNREACH6;
4110 action->arg1 = ICMP6_UNREACH_ABORT;
4114 action->opcode = O_ACCEPT;
4118 action->opcode = O_DENY;
4119 action->arg1 = 0;
4123 action->opcode = O_REJECT;
4124 action->arg1 = ICMP_UNREACH_HOST;
4128 action->opcode = O_REJECT;
4129 action->arg1 = ICMP_REJECT_RST;
4133 action->opcode = O_UNREACH6;
4134 action->arg1 = ICMP6_UNREACH_RST;
4138 action->opcode = O_REJECT;
4140 action->arg1 = get_reject_code(*av);
4142 if (action->arg1 == ICMP_UNREACH_NEEDFRAG && isdigit(**av)) {
4148 *(av - 1));
4149 action->len = F_INSN_SIZE(ipfw_insn_u16);
4150 ((ipfw_insn_u16 *)action)->ports[0] = mtu;
4156 action->opcode = O_UNREACH6;
4158 action->arg1 = get_unreach6_code(*av);
4163 action->opcode = O_COUNT;
4167 action->opcode = O_NAT;
4168 action->len = F_INSN_SIZE(ipfw_insn_nat);
4171 action->arg1 = IP_FW_NAT44_GLOBAL;
4173 action->arg1 = arg_or_targ(av[0], *(av - 1));
4177 action->opcode = O_QUEUE;
4178 action->arg1 = arg_or_targ(av[0], *(av - 1));
4182 action->opcode = O_PIPE;
4183 action->arg1 = arg_or_targ(av[0], *(av - 1));
4187 action->opcode = O_SKIPTO;
4188 action->arg1 = arg_or_targ(av[0], *(av - 1));
4192 action->opcode = O_NETGRAPH;
4193 action->arg1 = arg_or_targ(av[0], *(av - 1));
4197 action->opcode = O_NGTEE;
4198 action->arg1 = arg_or_targ(av[0], *(av - 1));
4202 action->opcode = O_DIVERT;
4203 action->arg1 = get_divert_port(av[0], *(av - 1));
4207 action->opcode = O_TEE;
4208 action->arg1 = get_divert_port(av[0], *(av - 1));
4212 action->opcode = O_CALLRETURN;
4213 action->arg1 = arg_or_targ(av[0], *(av - 1));
4219 * Locate the address-port separator (':' or ',').
4240 * Are we an bracket-enclosed IPv6 address?
4246 * locate the address-port separator (':' or ',')
4280 family = res->ai_family;
4281 memcpy(&result, res->ai_addr, res->ai_addrlen);
4287 action->opcode = O_FORWARD_IP;
4288 action->len = F_INSN_SIZE(ipfw_insn_sa);
4296 p->sa.sin_len = sizeof(struct sockaddr_in);
4297 p->sa.sin_family = AF_INET;
4298 p->sa.sin_port = port_number;
4299 p->sa.sin_addr.s_addr =
4300 ((struct sockaddr_in *)&result)->sin_addr.s_addr;
4304 action->opcode = O_FORWARD_IP6;
4305 action->len = F_INSN_SIZE(ipfw_insn_sa6);
4308 p->sa.sin6_len = sizeof(struct sockaddr_in6);
4309 p->sa.sin6_family = AF_INET6;
4310 p->sa.sin6_port = port_number;
4311 p->sa.sin6_flowinfo = 0;
4312 p->sa.sin6_scope_id =
4313 ((struct sockaddr_in6 *)&result)->sin6_scope_id;
4314 bcopy(&((struct sockaddr_in6*)&result)->sin6_addr,
4315 &p->sa.sin6_addr, sizeof(p->sa.sin6_addr));
4324 action->opcode = O_COUNT;
4325 av--; /* go back... */
4333 action->opcode = O_SETFIB;
4336 action->arg1 = IP_FW_TARG;
4338 action->arg1 = strtoul(*av, NULL, 10);
4340 NULL, 0) == -1)
4342 if (action->arg1 >= numfibs) /* Temporary */
4344 /* Add high-order bit to fib to make room for tablearg*/
4345 action->arg1 |= 0x8000;
4355 action->opcode = O_SETDSCP;
4358 action->arg1 = IP_FW_TARG;
4361 if ((code = match_token(f_ipdscp, *av)) == -1)
4363 action->arg1 = code;
4365 action->arg1 = strtoul(*av, NULL, 10);
4367 * Add high-order bit to DSCP to make room
4370 action->arg1 |= 0x8000;
4377 action->opcode = O_REASS;
4385 action->opcode = O_SETMARK;
4386 action->len = F_INSN_SIZE(ipfw_insn_u32);
4389 action->arg1 = IP_FW_TARG;
4391 ((ipfw_insn_u32 *)action)->d[0] =
4394 action->arg1 |= 0x8000;
4405 idx = pack_object(tstate, "tcp-setmss", IPFW_TLV_EACTION);
4411 action->len = 1;
4422 av--;
4423 if (match_token(rule_eactions, *av) == -1)
4446 action->len = 1;
4452 * External action instance object has TLV type depended
4454 * currently don't know this index, use zero as TLV type.
4466 * [altq queuename] -- altq tag, optional
4467 * [log [logamount N]] -- log, optional
4472 while (av[0] != NULL && (i = match_token(rule_action_params, *av)) != -1) {
4484 cmd->len = F_INSN_SIZE(ipfw_insn_log);
4486 cmd->opcode = O_LOG;
4494 c->max_log = l;
4497 len = sizeof(c->max_log);
4499 &c->max_log, &len, NULL, 0) == -1) {
4501 c->max_log = 0;
4521 cmd->len = F_INSN_SIZE(ipfw_insn_altq);
4523 cmd->opcode = O_ALTQ;
4524 a->qid = altq_name_to_qid(*av);
4551 if (have_state) { /* must be a check-state, we are done */
4554 /* check-state has a comment */
4591 if (cmd->len & F_NOT) \
4593 cmd->len |= F_NOT; \
4601 prev->len |= F_OR; \
4622 av += 2; /* dst-mac and src-mac */
4627 av++; /* any or mac-type */
4647 rule->flags |= IPFW_RULE_JUSTOPTS;
4726 rule->flags |= IPFW_RULE_NOOPT;
4738 if (cmd->len & F_NOT)
4740 cmd->len = F_NOT;
4747 if (cmd->len & F_NOT)
4749 cmd->len = F_NOT;
4755 prev->len |= F_OR;
4776 cmd->len ^= F_NOT; /* toggle F_NOT */
4825 cmd->opcode = O_XMIT;
4827 cmd->opcode = O_RECV;
4829 cmd->opcode = O_VIA;
4846 if (strpbrk(*av, "-,")) {
4856 if (strpbrk(*av, "-,")) {
4866 if (strpbrk(*av, "-,")) {
4912 cmd->opcode = O_UID;
4917 cmd32->d[0] = pwd->pw_uid;
4918 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4930 cmd->opcode = O_GID;
4935 cmd32->d[0] = grp->gr_gid;
4936 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4947 cmd->opcode = O_JAIL;
4949 * If av is a number, then we'll just pass it as-is. If
4965 cmd32->d[0] = (uint32_t)jid;
4966 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4982 if (strpbrk(*av, "-,")) {
5000 cmd->len = F_INSN_SIZE(ipfw_insn_u32);
5001 cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
5002 cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
5009 if (strpbrk(*av, "-,")) {
5023 cmd->opcode = O_TCPFLAGS;
5033 errx(EX_USAGE, "keep-state or record-state cannot be part "
5036 errx(EX_USAGE, "only one of keep-state, record-state, "
5037 " limit and set-limit is allowed");
5061 "limit or set-limit cannot be part of an or block");
5063 errx(EX_USAGE, "only one of keep-state, record-state, "
5064 " limit and set-limit is allowed");
5068 cmd->len = F_INSN_SIZE(ipfw_insn_limit);
5070 cmd->opcode = O_LIMIT;
5071 c->limit_mask = c->conn_limit = 0;
5076 c->limit_mask |= val;
5080 if (c->limit_mask == 0)
5083 GET_UINT_ARG(c->conn_limit, IPFW_ARG_MIN, IPFW_ARG_MAX,
5091 cmd->arg1 = pack_object(tstate, *av + 1,
5095 cmd->arg1 = pack_object(tstate,
5215 errx( EX_USAGE, "flow-id filter is active "
5227 if (av[0] && strpbrk(*av, "-,")) {
5256 cmd->opcode = O_IP_DST_LOOKUP;
5257 cmd->len |= F_INSN_SIZE(ipfw_insn) + 2;
5259 if (i == -1)
5261 __PAST_END(c->d, 1) = i;
5267 cmd->arg1 = i;
5282 errx(EX_USAGE, "only one defer-action "
5306 warnx("Rule contains \"defer-immediate-action\" "
5307 "and doesn't contain any state-related options.");
5311 * If we have a keep-state option, the first instruction
5316 dst = (ipfw_insn *)rule->cmd;
5322 dst->opcode = O_PROB;
5323 dst->len = 2;
5325 dst += dst->len;
5331 if (have_state && have_state->opcode != O_CHECK_STATE && !have_rstate) {
5332 fill_cmd(dst, O_PROBE_STATE, 0, have_state->arg1);
5344 switch (src->opcode) {
5361 if (have_state && have_state->opcode != O_CHECK_STATE) {
5381 rule->act_ofs = dst - rule->cmd;
5413 rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
5414 *rbufsize = (char *)dst - (char *)rule;
5425 if (a->set < b->set)
5426 return (-1);
5427 else if (a->set > b->set)
5430 if (a->idx < b->idx)
5431 return (-1);
5432 else if (a->idx > b->idx)
5435 if (a->head.type < b->head.type)
5436 return (-1);
5437 else if (a->head.type > b->head.type)
5450 qsort(ctlv + 1, ctlv->count, ctlv->objsize, compare_ntlv);
5466 if (key.uidx < ntlv->idx)
5467 return (-1);
5468 else if (key.uidx > ntlv->idx)
5471 if (key.type < ntlv->head.type)
5472 return (-1);
5473 else if (key.type > ntlv->head.type)
5496 ntlv = bsearch(&key, (ctlv + 1), ctlv->count, ctlv->objsize,
5500 return (ntlv->name);
5514 * Data layout:
5556 rbufsize -= default_off;
5575 ctlv->head.type = IPFW_TLV_TBLNAME_LIST;
5576 ctlv->head.length = sizeof(ipfw_obj_ctlv) + tlen;
5577 ctlv->count = ts.count;
5578 ctlv->objsize = sizeof(ipfw_obj_ntlv);
5583 ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + ctlv->head.length);
5584 ctlv->head.type = IPFW_TLV_RULE_LIST;
5585 ctlv->head.length = sizeof(ipfw_obj_ctlv) + rlen;
5586 ctlv->count = 1;
5592 ctlv->head.type = IPFW_TLV_RULE_LIST;
5593 ctlv->head.length = sizeof(ipfw_obj_ctlv) + rlen;
5594 ctlv->count = 1;
5605 sfo.set_mask = (uint32_t)(-1);
5635 av++; ac--;
5662 rt.set = g_co.use_set - 1;
5679 av++; ac--;
5709 /* `ipfw set N flush` - is the same that `ipfw delete set N` */
5712 rt.set = g_co.use_set - 1;
5773 olh->size = sz;
5774 if (do_get3(IP_FW_DUMP_SRVOBJECTS, &olh->opheader, &sz) != 0) {
5779 if (olh->count > 0)
5784 for (i = 0; i < olh->count; i++) {
5785 name = match_value(otypes, ntlv->head.type);
5788 (ipfw_obj_ntlv *)(olh + 1), olh->count,
5789 ntlv->head.type);
5792 ntlv->idx, ntlv->head.type, ntlv->name);
5795 ntlv->idx, name, ntlv->name);
5806 ac--; av++;
5809 if ((tcmd = match_token(intcmds, *av)) == -1)
5810 errx(EX_USAGE, "invalid internal sub-cmd: %s", *av);
5846 olh->size = sz;
5847 if (do_get3(IP_FW_XIFLIST, &olh->opheader, &sz) != 0) {
5864 return (stringnum_cmp(ia->ifname, ib->ifname));
5883 qsort(olh + 1, olh->count, olh->objsize, ifinfo_cmp);
5886 for (i = 0; i < olh->count; i++) {
5887 if (info->flags & IPFW_IFFLAG_RESOLVED)
5889 info->ifname, info->ifindex, info->refcnt,
5890 info->gencnt);
5893 info->ifname, info->refcnt, info->gencnt);
5894 info = (ipfw_iface_info *)((caddr_t)info + olh->objsize);