xref: /titanic_50/usr/src/cmd/ipf/tools/ipfcomp.c (revision 0b34e8c78a6d6aaaa55fc757aa445b3b5c50d9d2)
1 /*
2  * Copyright (C) 1993-2001 by Darren Reed.
3  *
4  * See the IPFILTER.LICENCE file for details on licencing.
5  *
6  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
7  * Use is subject to license terms.
8  */
9 
10 #include "ipf.h"
11 
12 
13 typedef struct {
14 	int c;
15 	int e;
16 	int n;
17 	int p;
18 	int s;
19 } mc_t;
20 
21 
22 static char *portcmp[] = { "*", "==", "!=", "<", ">", "<=", ">=", "**", "***" };
23 static int count = 0;
24 
25 int intcmp __P((const void *, const void *));
26 static void indent __P((FILE *, int));
27 static void printeq __P((FILE *, char *, int, int, int));
28 static void printipeq __P((FILE *, char *, int, int, int));
29 static void addrule __P((FILE *, frentry_t *));
30 static void printhooks __P((FILE *, int, int, frgroup_t *));
31 static void emitheader __P((frgroup_t *, u_int, u_int));
32 static void emitGroup __P((int, int, void *, frentry_t *, char *,
33 			   u_int, u_int));
34 static void emittail __P((void));
35 static void printCgroup __P((int, frentry_t *, mc_t *, char *));
36 
37 #define	FRC_IFN	0
38 #define	FRC_V	1
39 #define	FRC_P	2
40 #define	FRC_FL	3
41 #define	FRC_TOS	4
42 #define	FRC_TTL	5
43 #define	FRC_SRC	6
44 #define	FRC_DST	7
45 #define	FRC_TCP	8
46 #define	FRC_SP	9
47 #define	FRC_DP	10
48 #define	FRC_OPT	11
49 #define	FRC_SEC	12
50 #define	FRC_ATH	13
51 #define	FRC_ICT	14
52 #define	FRC_ICC	15
53 #define	FRC_MAX	16
54 
55 
56 static	FILE	*cfile = NULL;
57 
58 /*
59  * This is called once per filter rule being loaded to emit data structures
60  * required.
61  */
printc(fr)62 void printc(fr)
63 frentry_t *fr;
64 {
65 	fripf_t *ipf;
66 	u_long *ulp;
67 	char *and;
68 	FILE *fp;
69 	int i;
70 
71 	if (fr->fr_v != 4)
72 		return;
73 	if ((fr->fr_type != FR_T_IPF) && (fr->fr_type != FR_T_NONE))
74 		return;
75 	if ((fr->fr_type == FR_T_IPF) &&
76 	    ((fr->fr_datype != FRI_NORMAL) || (fr->fr_satype != FRI_NORMAL)))
77 		return;
78 	ipf = fr->fr_ipf;
79 
80 	if (cfile == NULL)
81 		cfile = fopen("ip_rules.c", "w");
82 	if (cfile == NULL)
83 		return;
84 	fp = cfile;
85 	if (count == 0) {
86 		fprintf(fp, "/*\n");
87  		fprintf(fp, "* Copyright (C) 1993-2000 by Darren Reed.\n");
88  		fprintf(fp, "*\n");
89  		fprintf(fp, "* Redistribution and use in source and binary forms are permitted\n");
90  		fprintf(fp, "* provided that this notice is preserved and due credit is given\n");
91  		fprintf(fp, "* to the original author and the contributors.\n");
92  		fprintf(fp, "*/\n\n");
93 
94 		fprintf(fp, "#include <sys/types.h>\n");
95 		fprintf(fp, "#include <sys/time.h>\n");
96 		fprintf(fp, "#include <sys/socket.h>\n");
97 		fprintf(fp, "#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n");
98 		fprintf(fp, "# include <sys/systm.h>\n");
99 		fprintf(fp, "#endif\n");
100 		fprintf(fp, "#include <sys/errno.h>\n");
101 		fprintf(fp, "#include <sys/param.h>\n");
102 		fprintf(fp,
103 "#if !defined(__SVR4) && !defined(__svr4__) && !defined(__hpux)\n");
104 		fprintf(fp, "# include <sys/mbuf.h>\n");
105 		fprintf(fp, "#endif\n");
106 		fprintf(fp,
107 "#if defined(__FreeBSD__) && (__FreeBSD_version > 220000)\n");
108 		fprintf(fp, "# include <sys/sockio.h>\n");
109 		fprintf(fp, "#else\n");
110 		fprintf(fp, "# include <sys/ioctl.h>\n");
111 		fprintf(fp, "#endif /* FreeBSD */\n");
112 		fprintf(fp, "#include <net/if.h>\n");
113 		fprintf(fp, "#include <netinet/in.h>\n");
114 		fprintf(fp, "#include <netinet/in_systm.h>\n");
115 		fprintf(fp, "#include <netinet/ip.h>\n");
116 		fprintf(fp, "#include <netinet/tcp.h>\n");
117 		fprintf(fp, "#include \"netinet/ip_compat.h\"\n");
118 		fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n");
119 		fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n");
120 		fprintf(fp, "#ifndef _KERNEL\n");
121 		fprintf(fp, "# include <string.h>\n");
122 		fprintf(fp, "#endif /* _KERNEL */\n");
123 		fprintf(fp, "\n");
124 		fprintf(fp, "#ifdef IPFILTER_COMPILED\n");
125 	}
126 
127 	addrule(fp, fr);
128 	fr->fr_type |= FR_T_BUILTIN;
129 	and = "";
130 	fr->fr_ref = 1;
131 	i = sizeof(*fr);
132 	if (i & -(1 - sizeof(*ulp)))
133 		i += sizeof(u_long);
134 	for (i /= sizeof(u_long), ulp = (u_long *)fr; i > 0; i--) {
135 		fprintf(fp, "%s%#lx", and, *ulp++);
136 		and = ", ";
137 	}
138 	fprintf(fp, "\n};\n");
139 	fr->fr_type &= ~FR_T_BUILTIN;
140 
141 	count++;
142 
143 	fflush(fp);
144 }
145 
146 
147 static frgroup_t *groups = NULL;
148 
149 
addrule(fp,fr)150 static void addrule(fp, fr)
151 FILE *fp;
152 frentry_t *fr;
153 {
154 	frentry_t *f, **fpp;
155 	frgroup_t *g;
156 	u_long *ulp;
157 	char *and;
158 	int i;
159 
160 	f = (frentry_t *)malloc(sizeof(*f));
161 	if (f == NULL) {
162 		fprintf(stderr, "out of memory\n");
163 		exit(1);
164 	}
165 	bcopy((char *)fr, (char *)f, sizeof(*fr));
166 	if (fr->fr_ipf) {
167 		f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf));
168 		if (f->fr_ipf == NULL) {
169 			fprintf(stderr, "out of memory\n");
170 			exit(1);
171 		}
172 		bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf,
173 		      sizeof(*fr->fr_ipf));
174 	}
175 
176 	f->fr_next = NULL;
177 	for (g = groups; g != NULL; g = g->fg_next)
178 		if ((strncmp(g->fg_name, f->fr_group, FR_GROUPLEN) == 0) &&
179 		    (g->fg_flags == (f->fr_flags & FR_INOUT)))
180 			break;
181 
182 	if (g == NULL) {
183 		g = (frgroup_t *)calloc(1, sizeof(*g));
184 		if (g == NULL) {
185 			fprintf(stderr, "out of memory\n");
186 			exit(1);
187 		}
188 		g->fg_next = groups;
189 		groups = g;
190 		g->fg_head = f;
191 		bcopy(f->fr_group, g->fg_name, FR_GROUPLEN);
192 		g->fg_ref = 0;
193 		g->fg_flags = f->fr_flags & FR_INOUT;
194 	}
195 
196 	for (fpp = &g->fg_start; *fpp != NULL; )
197 		fpp = &((*fpp)->fr_next);
198 	*fpp = f;
199 
200 	if (fr->fr_dsize > 0) {
201 		fprintf(fp, "\
202 static u_long ipf%s_rule_data_%s_%u[] = {\n",
203 			f->fr_flags & FR_INQUE ? "in" : "out",
204 			g->fg_name, g->fg_ref);
205 		and = "";
206 		i = fr->fr_dsize;
207 		ulp = fr->fr_data;
208 		for (i /= sizeof(u_long); i > 0; i--) {
209 			fprintf(fp, "%s%#lx", and, *ulp++);
210 			and = ", ";
211 		}
212 		fprintf(fp, "\n};\n");
213 	}
214 
215 	fprintf(fp, "\nstatic u_long %s_rule_%s_%d[] = {\n",
216 		f->fr_flags & FR_INQUE ? "in" : "out", g->fg_name, g->fg_ref);
217 
218 	g->fg_ref++;
219 
220 	if (f->fr_grhead != 0) {
221 		for (g = groups; g != NULL; g = g->fg_next)
222 			if ((strncmp(g->fg_name, f->fr_grhead,
223 				     FR_GROUPLEN) == 0) &&
224 			    g->fg_flags == (f->fr_flags & FR_INOUT))
225 				break;
226 		if (g == NULL) {
227 			g = (frgroup_t *)calloc(1, sizeof(*g));
228 			if (g == NULL) {
229 				fprintf(stderr, "out of memory\n");
230 				exit(1);
231 			}
232 			g->fg_next = groups;
233 			groups = g;
234 			g->fg_head = f;
235 			bcopy(f->fr_grhead, g->fg_name, FR_GROUPLEN);
236 			g->fg_ref = 0;
237 			g->fg_flags = f->fr_flags & FR_INOUT;
238 		}
239 	}
240 }
241 
242 
intcmp(c1,c2)243 int intcmp(c1, c2)
244 const void *c1, *c2;
245 {
246 	const mc_t *i1 = (const mc_t *)c1, *i2 = (const mc_t *)c2;
247 
248 	if (i1->n == i2->n) {
249 		return i1->c - i2->c;
250 	}
251 	return i2->n - i1->n;
252 }
253 
254 
indent(fp,in)255 static void indent(fp, in)
256 FILE *fp;
257 int in;
258 {
259 	for (; in; in--)
260 		fputc('\t', fp);
261 }
262 
printeq(fp,var,m,max,v)263 static void printeq(fp, var, m, max, v)
264 FILE *fp;
265 char *var;
266 int m, max, v;
267 {
268 	if (m == max)
269 		fprintf(fp, "%s == %#x) {\n", var, v);
270 	else
271 		fprintf(fp, "(%s & %#x) == %#x) {\n", var, m, v);
272 }
273 
274 /*
275  * Parameters: var - IP# being compared
276  *             fl - 0 for positive match, 1 for negative match
277  *             m - netmask
278  *             v - required address
279  */
printipeq(fp,var,fl,m,v)280 static void printipeq(fp, var, fl, m, v)
281 FILE *fp;
282 char *var;
283 int fl, m, v;
284 {
285 	if (m == 0xffffffff)
286 		fprintf(fp, "%s ", var);
287 	else
288 		fprintf(fp, "(%s & %#x) ", var, m);
289 	fprintf(fp, "%c", fl ? '!' : '=');
290 	fprintf(fp, "= %#x) {\n", v);
291 }
292 
293 
emit(num,dir,v,fr)294 void emit(num, dir, v, fr)
295 int num, dir;
296 void *v;
297 frentry_t *fr;
298 {
299 	u_int incnt, outcnt;
300 	frgroup_t *g;
301 	frentry_t *f;
302 
303 	for (g = groups; g != NULL; g = g->fg_next) {
304 		if (dir == 0 || dir == -1) {
305 			if ((g->fg_flags & FR_INQUE) == 0)
306 				continue;
307 			for (incnt = 0, f = g->fg_start; f != NULL;
308 			     f = f->fr_next)
309 				incnt++;
310 			emitGroup(num, dir, v, fr, g->fg_name, incnt, 0);
311 		}
312 		if (dir == 1 || dir == -1) {
313 			if ((g->fg_flags & FR_OUTQUE) == 0)
314 				continue;
315 			for (outcnt = 0, f = g->fg_start; f != NULL;
316 			     f = f->fr_next)
317 				outcnt++;
318 			emitGroup(num, dir, v, fr, g->fg_name, 0, outcnt);
319 		}
320 	}
321 
322 	if (num == -1 && dir == -1) {
323 		for (g = groups; g != NULL; g = g->fg_next) {
324 			if ((g->fg_flags & FR_INQUE) != 0) {
325 				for (incnt = 0, f = g->fg_start; f != NULL;
326 				     f = f->fr_next)
327 					incnt++;
328 				if (incnt > 0)
329 					emitheader(g, incnt, 0);
330 			}
331 			if ((g->fg_flags & FR_OUTQUE) != 0) {
332 				for (outcnt = 0, f = g->fg_start; f != NULL;
333 				     f = f->fr_next)
334 					outcnt++;
335 				if (outcnt > 0)
336 					emitheader(g, 0, outcnt);
337 			}
338 		}
339 		emittail();
340 		fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n");
341 	}
342 
343 }
344 
345 
emitheader(grp,incount,outcount)346 static void emitheader(grp, incount, outcount)
347 frgroup_t *grp;
348 u_int incount, outcount;
349 {
350 	static FILE *fph = NULL;
351 	frgroup_t *g;
352 
353 	if (fph == NULL) {
354 		fph = fopen("ip_rules.h", "w");
355 		if (fph == NULL)
356 			return;
357 
358 		fprintf(fph, "extern int ipfrule_add __P((void));\n");
359 		fprintf(fph, "extern int ipfrule_remove __P((void));\n");
360 	}
361 
362 	printhooks(cfile, incount, outcount, grp);
363 
364 	if (incount) {
365 		fprintf(fph, "\n\
366 extern frentry_t *ipfrule_match_in_%s __P((fr_info_t *, u_32_t *));\n\
367 extern frentry_t *ipf_rules_in_%s[%d];\n",
368 			grp->fg_name, grp->fg_name, incount);
369 
370 		for (g = groups; g != grp; g = g->fg_next)
371 			if ((strncmp(g->fg_name, grp->fg_name,
372 				     FR_GROUPLEN) == 0) &&
373 			    g->fg_flags == grp->fg_flags)
374 				break;
375 		if (g == grp) {
376 			fprintf(fph, "\n\
377 extern int ipfrule_add_in_%s __P((void));\n\
378 extern int ipfrule_remove_in_%s __P((void));\n", grp->fg_name, grp->fg_name);
379 		}
380 	}
381 	if (outcount) {
382 		fprintf(fph, "\n\
383 extern frentry_t *ipfrule_match_out_%s __P((fr_info_t *, u_32_t *));\n\
384 extern frentry_t *ipf_rules_out_%s[%d];\n",
385 			grp->fg_name, grp->fg_name, outcount);
386 
387 		for (g = groups; g != grp; g = g->fg_next)
388 			if ((strncmp(g->fg_name, grp->fg_name,
389 				     FR_GROUPLEN) == 0) &&
390 			    g->fg_flags == grp->fg_flags)
391 				break;
392 		if (g == grp) {
393 			fprintf(fph, "\n\
394 extern int ipfrule_add_out_%s __P((void));\n\
395 extern int ipfrule_remove_out_%s __P((void));\n",
396 				grp->fg_name, grp->fg_name);
397 		}
398 	}
399 }
400 
emittail()401 static void emittail()
402 {
403 	frgroup_t *g;
404 
405 	fprintf(cfile, "\n\
406 int ipfrule_add()\n\
407 {\n\
408 	int err;\n\
409 \n");
410 	for (g = groups; g != NULL; g = g->fg_next)
411 		fprintf(cfile, "\
412 	err = ipfrule_add_%s_%s();\n\
413 	if (err != 0)\n\
414 		return err;\n",
415 			(g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
416 	fprintf(cfile, "\
417 	return 0;\n");
418 	fprintf(cfile, "}\n\
419 \n");
420 
421 	fprintf(cfile, "\n\
422 int ipfrule_remove()\n\
423 {\n\
424 	int err;\n\
425 \n");
426 	for (g = groups; g != NULL; g = g->fg_next)
427 		fprintf(cfile, "\
428 	err = ipfrule_remove_%s_%s();\n\
429 	if (err != 0)\n\
430 		return err;\n",
431 			(g->fg_flags & FR_INQUE) ? "in" : "out", g->fg_name);
432 	fprintf(cfile, "\
433 	return 0;\n");
434 	fprintf(cfile, "}\n");
435 }
436 
437 
emitGroup(num,dir,v,fr,group,incount,outcount)438 static void emitGroup(num, dir, v, fr, group, incount, outcount)
439 int num, dir;
440 void *v;
441 frentry_t *fr;
442 char *group;
443 u_int incount, outcount;
444 {
445 	static FILE *fp = NULL;
446 	static int header[2] = { 0, 0 };
447 	static char egroup[FR_GROUPLEN] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
448 	static int openfunc = 0;
449 	static mc_t *n = NULL;
450 	static int sin = 0;
451 	frentry_t *f;
452 	frgroup_t *g;
453 	fripf_t *ipf;
454 	int i, in, j;
455 	mc_t *m = v;
456 
457 	if (fp == NULL)
458 		fp = cfile;
459 	if (fp == NULL)
460 		return;
461 	if (strncmp(egroup, group, FR_GROUPLEN)) {
462 		for (sin--; sin > 0; sin--) {
463 			indent(fp, sin);
464 			fprintf(fp, "}\n");
465 		}
466 		if (openfunc == 1) {
467 			fprintf(fp, "\treturn fr;\n}\n");
468 			openfunc = 0;
469 			if (n != NULL) {
470 				free(n);
471 				n = NULL;
472 			}
473 		}
474 		sin = 0;
475 		header[0] = 0;
476 		header[1] = 0;
477 		strncpy(egroup, group, FR_GROUPLEN);
478 	} else if (openfunc == 1 && num < 0) {
479 		if (n != NULL) {
480 			free(n);
481 			n = NULL;
482 		}
483 		for (sin--; sin > 0; sin--) {
484 			indent(fp, sin);
485 			fprintf(fp, "}\n");
486 		}
487 		if (openfunc == 1) {
488 			fprintf(fp, "\treturn fr;\n}\n");
489 			openfunc = 0;
490 		}
491 	}
492 
493 	if (dir == -1)
494 		return;
495 
496 	for (g = groups; g != NULL; g = g->fg_next) {
497 		if (dir == 0 && (g->fg_flags & FR_INQUE) == 0)
498 			continue;
499 		else if (dir == 1 && (g->fg_flags & FR_OUTQUE) == 0)
500 			continue;
501 		if (strncmp(g->fg_name, group, FR_GROUPLEN) != 0)
502 			continue;
503 		break;
504 	}
505 
506 	/*
507 	 * Output the array of pointers to rules for this group.
508 	 */
509 	if (num == -2 && dir == 0 && header[0] == 0 && incount != 0) {
510 		fprintf(fp, "\nfrentry_t *ipf_rules_in_%s[%d] = {",
511 			group, incount);
512 		for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
513 			if ((f->fr_flags & FR_INQUE) == 0)
514 				continue;
515 			if ((i & 1) == 0) {
516 				fprintf(fp, "\n\t");
517 			}
518 			fprintf(fp,
519 				"(frentry_t *)&in_rule_%s_%d",
520 				f->fr_group, i);
521 			if (i + 1 < incount)
522 				fprintf(fp, ", ");
523 			i++;
524 		}
525 		fprintf(fp, "\n};\n");
526 	}
527 
528 	if (num == -2 && dir == 1 && header[1] == 0 && outcount != 0) {
529 		fprintf(fp, "\nfrentry_t *ipf_rules_out_%s[%d] = {",
530 			group, outcount);
531 		for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
532 			if ((f->fr_flags & FR_OUTQUE) == 0)
533 				continue;
534 			if ((i & 1) == 0) {
535 				fprintf(fp, "\n\t");
536 			}
537 			fprintf(fp,
538 				"(frentry_t *)&out_rule_%s_%d",
539 				f->fr_group, i);
540 			if (i + 1 < outcount)
541 				fprintf(fp, ", ");
542 			i++;
543 		}
544 		fprintf(fp, "\n};\n");
545 		fp = NULL;
546 	}
547 
548 	if (num < 0)
549 		return;
550 
551 	in = 0;
552 	ipf = fr->fr_ipf;
553 
554 	/*
555 	 * If the function header has not been printed then print it now.
556 	 */
557 	if (header[dir] == 0) {
558 		int pdst = 0, psrc = 0;
559 
560 		openfunc = 1;
561 		fprintf(fp, "\nfrentry_t *ipfrule_match_%s_%s(fin, passp)\n",
562 			(dir == 0) ? "in" : "out", group);
563 		fprintf(fp, "fr_info_t *fin;\n");
564 		fprintf(fp, "u_32_t *passp;\n");
565 		fprintf(fp, "{\n");
566 		fprintf(fp, "\tfrentry_t *fr = NULL;\n");
567 
568 		/*
569 		 * Print out any variables that need to be declared.
570 		 */
571 		for (f = g->fg_start, i = 0; f != NULL; f = f->fr_next) {
572 			if (incount + outcount > m[FRC_SRC].e + 1)
573 				psrc = 1;
574 			if (incount + outcount > m[FRC_DST].e + 1)
575 				pdst = 1;
576 		}
577 		if (psrc == 1)
578 			fprintf(fp, "\tu_32_t src = ntohl(%s);\n",
579 				"fin->fin_fi.fi_saddr");
580 		if (pdst == 1)
581 			fprintf(fp, "\tu_32_t dst = ntohl(%s);\n",
582 				"fin->fin_fi.fi_daddr");
583 	}
584 
585 	for (i = 0; i < FRC_MAX; i++) {
586 		switch(m[i].c)
587 		{
588 		case FRC_IFN :
589 			if (*fr->fr_ifname)
590 				m[i].s = 1;
591 			break;
592 		case FRC_V :
593 			if (ipf != NULL && ipf->fri_mip.fi_v != 0)
594 				m[i].s = 1;
595 			break;
596 		case FRC_FL :
597 			if (ipf != NULL && ipf->fri_mip.fi_flx != 0)
598 				m[i].s = 1;
599 			break;
600 		case FRC_P :
601 			if (ipf != NULL && ipf->fri_mip.fi_p != 0)
602 				m[i].s = 1;
603 			break;
604 		case FRC_TTL :
605 			if (ipf != NULL && ipf->fri_mip.fi_ttl != 0)
606 				m[i].s = 1;
607 			break;
608 		case FRC_TOS :
609 			if (ipf != NULL && ipf->fri_mip.fi_tos != 0)
610 				m[i].s = 1;
611 			break;
612 		case FRC_TCP :
613 			if (ipf == NULL)
614 				break;
615 			if ((ipf->fri_ip.fi_p == IPPROTO_TCP) &&
616 			    fr->fr_tcpfm != 0)
617 				m[i].s = 1;
618 			break;
619 		case FRC_SP :
620 			if (ipf == NULL)
621 				break;
622 			if (fr->fr_scmp == FR_INRANGE)
623 				m[i].s = 1;
624 			else if (fr->fr_scmp == FR_OUTRANGE)
625 				m[i].s = 1;
626 			else if (fr->fr_scmp != 0)
627 				m[i].s = 1;
628 			break;
629 		case FRC_DP :
630 			if (ipf == NULL)
631 				break;
632 			if (fr->fr_dcmp == FR_INRANGE)
633 				m[i].s = 1;
634 			else if (fr->fr_dcmp == FR_OUTRANGE)
635 				m[i].s = 1;
636 			else if (fr->fr_dcmp != 0)
637 				m[i].s = 1;
638 			break;
639 		case FRC_SRC :
640 			if (ipf == NULL)
641 				break;
642 			if (fr->fr_satype == FRI_LOOKUP) {
643 				;
644 			} else if ((fr->fr_smask != 0) ||
645 				   (fr->fr_flags & FR_NOTSRCIP) != 0)
646 				m[i].s = 1;
647 			break;
648 		case FRC_DST :
649 			if (ipf == NULL)
650 				break;
651 			if (fr->fr_datype == FRI_LOOKUP) {
652 				;
653 			} else if ((fr->fr_dmask != 0) ||
654 				   (fr->fr_flags & FR_NOTDSTIP) != 0)
655 				m[i].s = 1;
656 			break;
657 		case FRC_OPT :
658 			if (ipf == NULL)
659 				break;
660 			if (fr->fr_optmask != 0)
661 				m[i].s = 1;
662 			break;
663 		case FRC_SEC :
664 			if (ipf == NULL)
665 				break;
666 			if (fr->fr_secmask != 0)
667 				m[i].s = 1;
668 			break;
669 		case FRC_ATH :
670 			if (ipf == NULL)
671 				break;
672 			if (fr->fr_authmask != 0)
673 				m[i].s = 1;
674 			break;
675 		case FRC_ICT :
676 			if (ipf == NULL)
677 				break;
678 			if ((fr->fr_icmpm & 0xff00) != 0)
679 				m[i].s = 1;
680 			break;
681 		case FRC_ICC :
682 			if (ipf == NULL)
683 				break;
684 			if ((fr->fr_icmpm & 0xff) != 0)
685 				m[i].s = 1;
686 			break;
687 		}
688 	}
689 
690 	if (!header[dir]) {
691 		fprintf(fp, "\n");
692 		header[dir] = 1;
693 		sin = 0;
694 	}
695 
696 	qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
697 
698 	if (n) {
699 		/*
700 		 * Calculate the indentation interval upto the last common
701 		 * common comparison being made.
702 		 */
703 		for (i = 0, in = 1; i < FRC_MAX; i++) {
704 			if (n[i].c != m[i].c)
705 				break;
706 			if (n[i].s != m[i].s)
707 				break;
708 			if (n[i].s) {
709 				if (n[i].n && (n[i].n > n[i].e)) {
710 					m[i].p++;
711 					in += m[i].p;
712 					break;
713 				}
714 				if (n[i].e > 0) {
715 					in++;
716 				} else
717 					break;
718 			}
719 		}
720 		if (sin != in) {
721 			for (j = sin - 1; j >= in; j--) {
722 				indent(fp, j);
723 				fprintf(fp, "}\n");
724 			}
725 		}
726 	} else {
727 		in = 1;
728 		i = 0;
729 	}
730 
731 	/*
732 	 * print out C code that implements a filter rule.
733 	 */
734 	for (; i < FRC_MAX; i++) {
735 		switch(m[i].c)
736 		{
737 		case FRC_IFN :
738 			if (m[i].s) {
739 				indent(fp, in);
740 				fprintf(fp, "if (fin->fin_ifp == ");
741 				fprintf(fp, "ipf_rules_%s_%s[%d]->fr_ifa) {\n",
742 					dir ? "out" : "in", group, num);
743 				in++;
744 			}
745 			break;
746 		case FRC_V :
747 			if (m[i].s) {
748 				indent(fp, in);
749 				fprintf(fp, "if (fin->fin_v == %d) {\n",
750 					ipf->fri_ip.fi_v);
751 				in++;
752 			}
753 			break;
754 		case FRC_FL :
755 			if (m[i].s) {
756 				indent(fp, in);
757 				fprintf(fp, "if (");
758 				printeq(fp, "fin->fin_flx",
759 				        ipf->fri_mip.fi_flx, 0xf,
760 					ipf->fri_ip.fi_flx);
761 				in++;
762 			}
763 			break;
764 		case FRC_P :
765 			if (m[i].s) {
766 				indent(fp, in);
767 				fprintf(fp, "if (fin->fin_p == %d) {\n",
768 					ipf->fri_ip.fi_p);
769 				in++;
770 			}
771 			break;
772 		case FRC_TTL :
773 			if (m[i].s) {
774 				indent(fp, in);
775 				fprintf(fp, "if (");
776 				printeq(fp, "fin->fin_ttl",
777 					ipf->fri_mip.fi_ttl, 0xff,
778 					ipf->fri_ip.fi_ttl);
779 				in++;
780 			}
781 			break;
782 		case FRC_TOS :
783 			if (m[i].s) {
784 				indent(fp, in);
785 				fprintf(fp, "if (fin->fin_tos");
786 				printeq(fp, "fin->fin_tos",
787 					ipf->fri_mip.fi_tos, 0xff,
788 					ipf->fri_ip.fi_tos);
789 				in++;
790 			}
791 			break;
792 		case FRC_TCP :
793 			if (m[i].s) {
794 				indent(fp, in);
795 				fprintf(fp, "if (");
796 				printeq(fp, "fin->fin_tcpf", fr->fr_tcpfm,
797 					0xff, fr->fr_tcpf);
798 				in++;
799 			}
800 			break;
801 		case FRC_SP :
802 			if (!m[i].s)
803 				break;
804 			if (fr->fr_scmp == FR_INRANGE) {
805 				indent(fp, in);
806 				fprintf(fp, "if ((fin->fin_data[0] > %d) && ",
807 					fr->fr_sport);
808 				fprintf(fp, "(fin->fin_data[0] < %d)",
809 					fr->fr_stop);
810 				fprintf(fp, ") {\n");
811 				in++;
812 			} else if (fr->fr_scmp == FR_OUTRANGE) {
813 				indent(fp, in);
814 				fprintf(fp, "if ((fin->fin_data[0] < %d) || ",
815 					fr->fr_sport);
816 				fprintf(fp, "(fin->fin_data[0] > %d)",
817 					fr->fr_stop);
818 				fprintf(fp, ") {\n");
819 				in++;
820 			} else if (fr->fr_scmp) {
821 				indent(fp, in);
822 				fprintf(fp, "if (fin->fin_data[0] %s %d)",
823 					portcmp[fr->fr_scmp], fr->fr_sport);
824 				fprintf(fp, " {\n");
825 				in++;
826 			}
827 			break;
828 		case FRC_DP :
829 			if (!m[i].s)
830 				break;
831 			if (fr->fr_dcmp == FR_INRANGE) {
832 				indent(fp, in);
833 				fprintf(fp, "if ((fin->fin_data[1] > %d) && ",
834 					fr->fr_dport);
835 				fprintf(fp, "(fin->fin_data[1] < %d)",
836 					fr->fr_dtop);
837 				fprintf(fp, ") {\n");
838 				in++;
839 			} else if (fr->fr_dcmp == FR_OUTRANGE) {
840 				indent(fp, in);
841 				fprintf(fp, "if ((fin->fin_data[1] < %d) || ",
842 					fr->fr_dport);
843 				fprintf(fp, "(fin->fin_data[1] > %d)",
844 					fr->fr_dtop);
845 				fprintf(fp, ") {\n");
846 				in++;
847 			} else if (fr->fr_dcmp) {
848 				indent(fp, in);
849 				fprintf(fp, "if (fin->fin_data[1] %s %d)",
850 					portcmp[fr->fr_dcmp], fr->fr_dport);
851 				fprintf(fp, " {\n");
852 				in++;
853 			}
854 			break;
855 		case FRC_SRC :
856 			if (!m[i].s)
857 				break;
858 			if (fr->fr_satype == FRI_LOOKUP) {
859 				;
860 			} else if ((fr->fr_smask != 0) ||
861 				   (fr->fr_flags & FR_NOTSRCIP) != 0) {
862 				indent(fp, in);
863 				fprintf(fp, "if (");
864 				printipeq(fp, "src",
865 					  fr->fr_flags & FR_NOTSRCIP,
866 					  fr->fr_smask, fr->fr_saddr);
867 				in++;
868 			}
869 			break;
870 		case FRC_DST :
871 			if (!m[i].s)
872 				break;
873 			if (fr->fr_datype == FRI_LOOKUP) {
874 				;
875 			} else if ((fr->fr_dmask != 0) ||
876 				   (fr->fr_flags & FR_NOTDSTIP) != 0) {
877 				indent(fp, in);
878 				fprintf(fp, "if (");
879 				printipeq(fp, "dst",
880 					  fr->fr_flags & FR_NOTDSTIP,
881 					  fr->fr_dmask, fr->fr_daddr);
882 				in++;
883 			}
884 			break;
885 		case FRC_OPT :
886 			if (m[i].s) {
887 				indent(fp, in);
888 				fprintf(fp, "if (");
889 				printeq(fp, "fin->fin_fi.fi_optmsk",
890 					fr->fr_optmask, 0xffffffff,
891 				        fr->fr_optbits);
892 				in++;
893 			}
894 			break;
895 		case FRC_SEC :
896 			if (m[i].s) {
897 				indent(fp, in);
898 				fprintf(fp, "if (");
899 				printeq(fp, "fin->fin_fi.fi_secmsk",
900 					fr->fr_secmask, 0xffff,
901 					fr->fr_secbits);
902 				in++;
903 			}
904 			break;
905 		case FRC_ATH :
906 			if (m[i].s) {
907 				indent(fp, in);
908 				fprintf(fp, "if (");
909 				printeq(fp, "fin->fin_fi.fi_authmsk",
910 					fr->fr_authmask, 0xffff,
911 					fr->fr_authbits);
912 				in++;
913 			}
914 			break;
915 		case FRC_ICT :
916 			if (m[i].s) {
917 				indent(fp, in);
918 				fprintf(fp, "if (");
919 				printeq(fp, "fin->fin_data[0]",
920 					fr->fr_icmpm & 0xff00, 0xffff,
921 					fr->fr_icmp & 0xff00);
922 				in++;
923 			}
924 			break;
925 		case FRC_ICC :
926 			if (m[i].s) {
927 				indent(fp, in);
928 				fprintf(fp, "if (");
929 				printeq(fp, "fin->fin_data[0]",
930 					fr->fr_icmpm & 0xff, 0xffff,
931 					fr->fr_icmp & 0xff);
932 				in++;
933 			}
934 			break;
935 		}
936 
937 	}
938 
939 	indent(fp, in);
940 	if (fr->fr_flags & FR_QUICK) {
941 		fprintf(fp, "return (frentry_t *)&%s_rule_%s_%d;\n",
942 			fr->fr_flags & FR_INQUE ? "in" : "out",
943 			fr->fr_group, num);
944 	} else {
945 		fprintf(fp, "fr = (frentry_t *)&%s_rule_%s_%d;\n",
946 			fr->fr_flags & FR_INQUE ? "in" : "out",
947 			fr->fr_group, num);
948 	}
949 	if (n == NULL) {
950 		n = (mc_t *)malloc(sizeof(*n) * FRC_MAX);
951 		if (n == NULL) {
952 			fprintf(stderr, "out of memory\n");
953 			exit(1);
954 		}
955 	}
956 	bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX);
957 	sin = in;
958 }
959 
960 
printC(dir)961 void printC(dir)
962 int dir;
963 {
964 	static mc_t *m = NULL;
965 	frgroup_t *g;
966 
967 	if (m == NULL) {
968 		m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX);
969 		if (m == NULL) {
970 			fprintf(stderr, "out of memory\n");
971 			exit(1);
972 		}
973 	}
974 
975 	for (g = groups; g != NULL; g = g->fg_next) {
976 		if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0))
977 			printCgroup(dir, g->fg_start, m, g->fg_name);
978 		if ((dir == 1) && ((g->fg_flags & FR_OUTQUE) != 0))
979 			printCgroup(dir, g->fg_start, m, g->fg_name);
980 	}
981 
982 	emit(-1, dir, m, NULL);
983 }
984 
985 
986 /*
987  * Now print out code to implement all of the rules.
988  */
printCgroup(dir,top,m,group)989 static void printCgroup(dir, top, m, group)
990 int dir;
991 frentry_t *top;
992 mc_t *m;
993 char *group;
994 {
995 	frentry_t *fr, *fr1;
996 	int i, n, rn;
997 	u_int count;
998 
999 	for (count = 0, fr1 = top; fr1 != NULL; fr1 = fr1->fr_next) {
1000 		if ((dir == 0) && ((fr1->fr_flags & FR_INQUE) != 0))
1001 			count++;
1002 		else if ((dir == 1) && ((fr1->fr_flags & FR_OUTQUE) != 0))
1003 			count++;
1004 	}
1005 
1006 	if (dir == 0)
1007 		emitGroup(-2, dir, m, fr1, group, count, 0);
1008 	else if (dir == 1)
1009 		emitGroup(-2, dir, m, fr1, group, 0, count);
1010 
1011 	/*
1012 	 * Before printing each rule, check to see how many of its fields are
1013 	 * matched by subsequent rules.
1014 	 */
1015 	for (fr1 = top, rn = 0; fr1 != NULL; fr1 = fr1->fr_next, rn++) {
1016 		if (!dir && !(fr1->fr_flags & FR_INQUE))
1017 			continue;
1018 		if (dir && !(fr1->fr_flags & FR_OUTQUE))
1019 			continue;
1020 		n = 0xfffffff;
1021 
1022 		for (i = 0; i < FRC_MAX; i++)
1023 			m[i].e = 0;
1024 		qsort(m, FRC_MAX, sizeof(mc_t), intcmp);
1025 
1026 		for (i = 0; i < FRC_MAX; i++) {
1027 			m[i].c = i;
1028 			m[i].e = 0;
1029 			m[i].n = 0;
1030 			m[i].s = 0;
1031 		}
1032 
1033 		for (fr = fr1->fr_next; fr; fr = fr->fr_next) {
1034 			if (!dir && !(fr->fr_flags & FR_INQUE))
1035 				continue;
1036 			if (dir && !(fr->fr_flags & FR_OUTQUE))
1037 				continue;
1038 
1039 			if ((n & 0x0001) &&
1040 			    !strcmp(fr1->fr_ifname, fr->fr_ifname)) {
1041 				m[FRC_IFN].e++;
1042 				m[FRC_IFN].n++;
1043 			} else
1044 				n &= ~0x0001;
1045 
1046 			if ((n & 0x0002) && (fr1->fr_v == fr->fr_v)) {
1047 				m[FRC_V].e++;
1048 				m[FRC_V].n++;
1049 			} else
1050 				n &= ~0x0002;
1051 
1052 			if ((n & 0x0004) &&
1053 			    (fr->fr_type == fr1->fr_type) &&
1054 			    (fr->fr_type == FR_T_IPF) &&
1055 			    (fr1->fr_mip.fi_flx == fr->fr_mip.fi_flx) &&
1056 			    (fr1->fr_ip.fi_flx == fr->fr_ip.fi_flx)) {
1057 				m[FRC_FL].e++;
1058 				m[FRC_FL].n++;
1059 			} else
1060 				n &= ~0x0004;
1061 
1062 			if ((n & 0x0008) &&
1063 			    (fr->fr_type == fr1->fr_type) &&
1064 			    (fr->fr_type == FR_T_IPF) &&
1065 			    (fr1->fr_proto == fr->fr_proto)) {
1066 				m[FRC_P].e++;
1067 				m[FRC_P].n++;
1068 			} else
1069 				n &= ~0x0008;
1070 
1071 			if ((n & 0x0010) &&
1072 			    (fr->fr_type == fr1->fr_type) &&
1073 			    (fr->fr_type == FR_T_IPF) &&
1074 			    (fr1->fr_ttl == fr->fr_ttl)) {
1075 				m[FRC_TTL].e++;
1076 				m[FRC_TTL].n++;
1077 			} else
1078 				n &= ~0x0010;
1079 
1080 			if ((n & 0x0020) &&
1081 			    (fr->fr_type == fr1->fr_type) &&
1082 			    (fr->fr_type == FR_T_IPF) &&
1083 			    (fr1->fr_tos == fr->fr_tos)) {
1084 				m[FRC_TOS].e++;
1085 				m[FRC_TOS].n++;
1086 			} else
1087 				n &= ~0x0020;
1088 
1089 			if ((n & 0x0040) &&
1090 			    (fr->fr_type == fr1->fr_type) &&
1091 			    (fr->fr_type == FR_T_IPF) &&
1092 			    ((fr1->fr_tcpfm == fr->fr_tcpfm) &&
1093 			    (fr1->fr_tcpf == fr->fr_tcpf))) {
1094 				m[FRC_TCP].e++;
1095 				m[FRC_TCP].n++;
1096 			} else
1097 				n &= ~0x0040;
1098 
1099 			if ((n & 0x0080) &&
1100 			    (fr->fr_type == fr1->fr_type) &&
1101 			    (fr->fr_type == FR_T_IPF) &&
1102 			    ((fr1->fr_scmp == fr->fr_scmp) &&
1103 			     (fr1->fr_stop == fr->fr_stop) &&
1104 			     (fr1->fr_sport == fr->fr_sport))) {
1105 				m[FRC_SP].e++;
1106 				m[FRC_SP].n++;
1107 			} else
1108 				n &= ~0x0080;
1109 
1110 			if ((n & 0x0100) &&
1111 			    (fr->fr_type == fr1->fr_type) &&
1112 			    (fr->fr_type == FR_T_IPF) &&
1113 			    ((fr1->fr_dcmp == fr->fr_dcmp) &&
1114 			     (fr1->fr_dtop == fr->fr_dtop) &&
1115 			     (fr1->fr_dport == fr->fr_dport))) {
1116 				m[FRC_DP].e++;
1117 				m[FRC_DP].n++;
1118 			} else
1119 				n &= ~0x0100;
1120 
1121 			if ((n & 0x0200) &&
1122 			    (fr->fr_type == fr1->fr_type) &&
1123 			    (fr->fr_type == FR_T_IPF) &&
1124 			    ((fr1->fr_satype == FRI_LOOKUP) &&
1125 			    (fr->fr_satype == FRI_LOOKUP) &&
1126 			    (fr1->fr_srcnum == fr->fr_srcnum))) {
1127 				m[FRC_SRC].e++;
1128 				m[FRC_SRC].n++;
1129 			} else if ((n & 0x0200) &&
1130 				   (fr->fr_type == fr1->fr_type) &&
1131 				   (fr->fr_type == FR_T_IPF) &&
1132 				   (((fr1->fr_flags & FR_NOTSRCIP) ==
1133 				    (fr->fr_flags & FR_NOTSRCIP)))) {
1134 					if ((fr1->fr_smask == fr->fr_smask) &&
1135 					    (fr1->fr_saddr == fr->fr_saddr))
1136 						m[FRC_SRC].e++;
1137 					else
1138 						n &= ~0x0200;
1139 					if (fr1->fr_smask &&
1140 					    (fr1->fr_saddr & fr1->fr_smask) ==
1141 					    (fr->fr_saddr & fr1->fr_smask)) {
1142 						m[FRC_SRC].n++;
1143 						n |= 0x0200;
1144 					}
1145 			} else {
1146 				n &= ~0x0200;
1147 			}
1148 
1149 			if ((n & 0x0400) &&
1150 			    (fr->fr_type == fr1->fr_type) &&
1151 			    (fr->fr_type == FR_T_IPF) &&
1152 			    ((fr1->fr_datype == FRI_LOOKUP) &&
1153 			    (fr->fr_datype == FRI_LOOKUP) &&
1154 			    (fr1->fr_dstnum == fr->fr_dstnum))) {
1155 				m[FRC_DST].e++;
1156 				m[FRC_DST].n++;
1157 			} else if ((n & 0x0400) &&
1158 				   (fr->fr_type == fr1->fr_type) &&
1159 				   (fr->fr_type == FR_T_IPF) &&
1160 				   (((fr1->fr_flags & FR_NOTDSTIP) ==
1161 				    (fr->fr_flags & FR_NOTDSTIP)))) {
1162 					if ((fr1->fr_dmask == fr->fr_dmask) &&
1163 					    (fr1->fr_daddr == fr->fr_daddr))
1164 						m[FRC_DST].e++;
1165 					else
1166 						n &= ~0x0400;
1167 					if (fr1->fr_dmask &&
1168 					    (fr1->fr_daddr & fr1->fr_dmask) ==
1169 					    (fr->fr_daddr & fr1->fr_dmask)) {
1170 						m[FRC_DST].n++;
1171 						n |= 0x0400;
1172 					}
1173 			} else {
1174 				n &= ~0x0400;
1175 			}
1176 
1177 			if ((n & 0x0800) &&
1178 			    (fr->fr_type == fr1->fr_type) &&
1179 			    (fr->fr_type == FR_T_IPF) &&
1180 			    (fr1->fr_optmask == fr->fr_optmask) &&
1181 			    (fr1->fr_optbits == fr->fr_optbits)) {
1182 				m[FRC_OPT].e++;
1183 				m[FRC_OPT].n++;
1184 			} else
1185 				n &= ~0x0800;
1186 
1187 			if ((n & 0x1000) &&
1188 			    (fr->fr_type == fr1->fr_type) &&
1189 			    (fr->fr_type == FR_T_IPF) &&
1190 			    (fr1->fr_secmask == fr->fr_secmask) &&
1191 			    (fr1->fr_secbits == fr->fr_secbits)) {
1192 				m[FRC_SEC].e++;
1193 				m[FRC_SEC].n++;
1194 			} else
1195 				n &= ~0x1000;
1196 
1197 			if ((n & 0x10000) &&
1198 			    (fr->fr_type == fr1->fr_type) &&
1199 			    (fr->fr_type == FR_T_IPF) &&
1200 			    (fr1->fr_authmask == fr->fr_authmask) &&
1201 			    (fr1->fr_authbits == fr->fr_authbits)) {
1202 				m[FRC_ATH].e++;
1203 				m[FRC_ATH].n++;
1204 			} else
1205 				n &= ~0x10000;
1206 
1207 			if ((n & 0x20000) &&
1208 			    (fr->fr_type == fr1->fr_type) &&
1209 			    (fr->fr_type == FR_T_IPF) &&
1210 			    ((fr1->fr_icmpm & 0xff00) ==
1211 			     (fr->fr_icmpm & 0xff00)) &&
1212 			    ((fr1->fr_icmp & 0xff00) ==
1213 			     (fr->fr_icmp & 0xff00))) {
1214 				m[FRC_ICT].e++;
1215 				m[FRC_ICT].n++;
1216 			} else
1217 				n &= ~0x20000;
1218 
1219 			if ((n & 0x40000) &&
1220 			    (fr->fr_type == fr1->fr_type) &&
1221 			    (fr->fr_type == FR_T_IPF) &&
1222 			    ((fr1->fr_icmpm & 0xff) == (fr->fr_icmpm & 0xff)) &&
1223 			    ((fr1->fr_icmp & 0xff) == (fr->fr_icmp & 0xff))) {
1224 				m[FRC_ICC].e++;
1225 				m[FRC_ICC].n++;
1226 			} else
1227 				n &= ~0x40000;
1228 		}
1229 		/*msort(m);*/
1230 
1231 		if (dir == 0)
1232 			emitGroup(rn, dir, m, fr1, group, count, 0);
1233 		else if (dir == 1)
1234 			emitGroup(rn, dir, m, fr1, group, 0, count);
1235 	}
1236 }
1237 
printhooks(fp,in,out,grp)1238 static void printhooks(fp, in, out, grp)
1239 FILE *fp;
1240 int in;
1241 int out;
1242 frgroup_t *grp;
1243 {
1244 	frentry_t *fr;
1245 	char *group;
1246 	int dogrp, i;
1247 	char *instr;
1248 
1249 	group = grp->fg_name;
1250 	dogrp = 0;
1251 
1252 	if (in && out) {
1253 		fprintf(stderr,
1254 			"printhooks called with both in and out set\n");
1255 		exit(1);
1256 	}
1257 
1258 	if (in) {
1259 		instr = "in";
1260 	} else if (out) {
1261 		instr = "out";
1262 	} else {
1263 		instr = "???";
1264 	}
1265 	fprintf(fp, "static frentry_t ipfrule_%s_%s;\n", instr, group);
1266 
1267 	fprintf(fp, "\
1268 \n\
1269 int ipfrule_add_%s_%s()\n", instr, group);
1270 	fprintf(fp, "\
1271 {\n\
1272 	int i, j, err = 0, max;\n\
1273 	frentry_t *fp;\n");
1274 
1275 	if (dogrp)
1276 		fprintf(fp, "\
1277 	frgroup_t *fg;\n");
1278 
1279 	fprintf(fp, "\n");
1280 
1281 	for (i = 0, fr = grp->fg_start; fr != NULL; i++, fr = fr->fr_next)
1282 		if (fr->fr_dsize > 0) {
1283 			fprintf(fp, "\
1284 	ipf_rules_%s_%s[%d]->fr_data = &ipf%s_rule_data_%s_%u;\n",
1285 				instr, grp->fg_name, i,
1286 				instr, grp->fg_name, i);
1287 		}
1288 	fprintf(fp, "\
1289 	max = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *);\n\
1290 	for (i = 0; i < max; i++) {\n\
1291 		fp = ipf_rules_%s_%s[i];\n\
1292 		fp->fr_next = NULL;\n", instr, group, instr, group);
1293 
1294 	fprintf(fp, "\
1295 		for (j = i + 1; j < max; j++)\n\
1296 			if (strncmp(fp->fr_group,\n\
1297 				    ipf_rules_%s_%s[j]->fr_group,\n\
1298 				    FR_GROUPLEN) == 0) {\n\
1299 				fp->fr_next = ipf_rules_%s_%s[j];\n\
1300 				break;\n\
1301 			}\n", instr, group, instr, group);
1302 	if (dogrp)
1303 		fprintf(fp, "\
1304 \n\
1305 		if (fp->fr_grhead != 0) {\n\
1306 			fg = fr_addgroup(fp->fr_grhead, fp, FR_INQUE,\n\
1307 					 IPL_LOGIPF, 0);\n\
1308 			if (fg != NULL)\n\
1309 				fp->fr_grp = &fg->fg_start;\n\
1310 		}\n");
1311 	fprintf(fp, "\
1312 	}\n\
1313 \n\
1314 	fp = &ipfrule_%s_%s;\n", instr, group);
1315 		fprintf(fp, "\
1316 	bzero((char *)fp, sizeof(*fp));\n\
1317 	fp->fr_type = FR_T_CALLFUNC|FR_T_BUILTIN;\n\
1318 	fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\
1319 	fp->fr_data = (void *)ipf_rules_%s_%s[0];\n",
1320 		(in != 0) ? "IN" : "OUT", instr, group);
1321 	fprintf(fp, "\
1322 	fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n",
1323 		instr, group);
1324 
1325 	fprintf(fp, "\
1326 	fp->fr_v = 4;\n\
1327 	fp->fr_func = (ipfunc_t)ipfrule_match_%s_%s;\n\
1328 	err = frrequest(IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, fr_active, 0);\n",
1329 			instr, group);
1330 	fprintf(fp, "\treturn err;\n}\n");
1331 
1332 	fprintf(fp, "\n\n\
1333 int ipfrule_remove_%s_%s()\n", instr, group);
1334 	fprintf(fp, "\
1335 {\n\
1336 	int err = 0, i;\n\
1337 	frentry_t *fp;\n\
1338 \n\
1339 	/*\n\
1340 	 * Try to remove the %sbound rule.\n", instr);
1341 
1342 	fprintf(fp, "\
1343 	 */\n\
1344 	if (ipfrule_%s_%s.fr_ref > 0) {\n", instr, group);
1345 
1346 	fprintf(fp, "\
1347 		err = EBUSY;\n\
1348 	} else {\n");
1349 
1350 	fprintf(fp, "\
1351 		i = sizeof(ipf_rules_%s_%s)/sizeof(frentry_t *) - 1;\n\
1352 		for (; i >= 0; i--) {\n\
1353 			fp = ipf_rules_%s_%s[i];\n\
1354 			if (fp->fr_ref > 1) {\n\
1355 				err = EBUSY;\n\
1356 				break;\n\
1357 			}\n\
1358 		}\n\
1359 	}\n\
1360 	if (err == 0)\n\
1361 		err = frrequest(IPL_LOGIPF, SIOCDELFR,\n\
1362 				(caddr_t)&ipfrule_%s_%s, fr_active, 0);\n",
1363 		instr, group, instr, group, instr, group);
1364 	fprintf(fp, "\
1365 	if (err)\n\
1366 		return err;\n\
1367 \n\n");
1368 
1369 	fprintf(fp, "\treturn err;\n}\n");
1370 }
1371