xref: /freebsd/sys/netpfil/ipfw/ip_fw_sockopt.c (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1 /*-
2  * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
3  * Copyright (c) 2014 Yandex LLC
4  * Copyright (c) 2014 Alexander V. Chernikov
5  *
6  * Supported by: Valeria Paoli
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 /*
34  * Control socket and rule management routines for ipfw.
35  * Control is currently implemented via IP_FW3 setsockopt() code.
36  */
37 
38 #include "opt_ipfw.h"
39 #include "opt_inet.h"
40 #ifndef INET
41 #error IPFIREWALL requires INET.
42 #endif /* INET */
43 #include "opt_inet6.h"
44 
45 #include <sys/param.h>
46 #include <sys/systm.h>
47 #include <sys/malloc.h>
48 #include <sys/mbuf.h>	/* struct m_tag used by nested headers */
49 #include <sys/kernel.h>
50 #include <sys/lock.h>
51 #include <sys/priv.h>
52 #include <sys/proc.h>
53 #include <sys/rwlock.h>
54 #include <sys/rmlock.h>
55 #include <sys/socket.h>
56 #include <sys/socketvar.h>
57 #include <sys/sysctl.h>
58 #include <sys/syslog.h>
59 #include <sys/fnv_hash.h>
60 #include <net/if.h>
61 #include <net/route.h>
62 #include <net/vnet.h>
63 #include <vm/vm.h>
64 #include <vm/vm_extern.h>
65 
66 #include <netinet/in.h>
67 #include <netinet/ip_var.h> /* hooks */
68 #include <netinet/ip_fw.h>
69 
70 #include <netpfil/ipfw/ip_fw_private.h>
71 #include <netpfil/ipfw/ip_fw_table.h>
72 
73 #ifdef MAC
74 #include <security/mac/mac_framework.h>
75 #endif
76 
77 static int ipfw_ctl(struct sockopt *sopt);
78 static int check_ipfw_rule_body(ipfw_insn *cmd, int cmd_len,
79     struct rule_check_info *ci);
80 static int check_ipfw_rule1(struct ip_fw_rule *rule, int size,
81     struct rule_check_info *ci);
82 static int check_ipfw_rule0(struct ip_fw_rule0 *rule, int size,
83     struct rule_check_info *ci);
84 
85 #define	NAMEDOBJ_HASH_SIZE	32
86 
87 struct namedobj_instance {
88 	struct namedobjects_head	*names;
89 	struct namedobjects_head	*values;
90 	uint32_t nn_size;		/* names hash size */
91 	uint32_t nv_size;		/* number hash size */
92 	u_long *idx_mask;		/* used items bitmask */
93 	uint32_t max_blocks;		/* number of "long" blocks in bitmask */
94 	uint32_t count;			/* number of items */
95 	uint16_t free_off[IPFW_MAX_SETS];	/* first possible free offset */
96 	objhash_hash_f	*hash_f;
97 	objhash_cmp_f	*cmp_f;
98 };
99 #define	BLOCK_ITEMS	(8 * sizeof(u_long))	/* Number of items for ffsl() */
100 
101 static uint32_t objhash_hash_name(struct namedobj_instance *ni, void *key,
102     uint32_t kopt);
103 static uint32_t objhash_hash_idx(struct namedobj_instance *ni, uint32_t val);
104 static int objhash_cmp_name(struct named_object *no, void *name, uint32_t set);
105 
106 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
107 
108 static int dump_config(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
109     struct sockopt_data *sd);
110 static int add_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
111     struct sockopt_data *sd);
112 static int del_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
113     struct sockopt_data *sd);
114 static int clear_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
115     struct sockopt_data *sd);
116 static int move_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
117     struct sockopt_data *sd);
118 static int manage_sets(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
119     struct sockopt_data *sd);
120 static int dump_soptcodes(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
121     struct sockopt_data *sd);
122 static int dump_srvobjects(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
123     struct sockopt_data *sd);
124 
125 /* ctl3 handler data */
126 struct mtx ctl3_lock;
127 #define	CTL3_LOCK_INIT()	mtx_init(&ctl3_lock, "ctl3_lock", NULL, MTX_DEF)
128 #define	CTL3_LOCK_DESTROY()	mtx_destroy(&ctl3_lock)
129 #define	CTL3_LOCK()		mtx_lock(&ctl3_lock)
130 #define	CTL3_UNLOCK()		mtx_unlock(&ctl3_lock)
131 
132 static struct ipfw_sopt_handler *ctl3_handlers;
133 static size_t ctl3_hsize;
134 static uint64_t ctl3_refct, ctl3_gencnt;
135 #define	CTL3_SMALLBUF	4096			/* small page-size write buffer */
136 #define	CTL3_LARGEBUF	16 * 1024 * 1024	/* handle large rulesets */
137 
138 static int ipfw_flush_sopt_data(struct sockopt_data *sd);
139 
140 static struct ipfw_sopt_handler	scodes[] = {
141 	{ IP_FW_XGET,		0,	HDIR_GET,	dump_config },
142 	{ IP_FW_XADD,		0,	HDIR_BOTH,	add_rules },
143 	{ IP_FW_XDEL,		0,	HDIR_BOTH,	del_rules },
144 	{ IP_FW_XZERO,		0,	HDIR_SET,	clear_rules },
145 	{ IP_FW_XRESETLOG,	0,	HDIR_SET,	clear_rules },
146 	{ IP_FW_XMOVE,		0,	HDIR_SET,	move_rules },
147 	{ IP_FW_SET_SWAP,	0,	HDIR_SET,	manage_sets },
148 	{ IP_FW_SET_MOVE,	0,	HDIR_SET,	manage_sets },
149 	{ IP_FW_SET_ENABLE,	0,	HDIR_SET,	manage_sets },
150 	{ IP_FW_DUMP_SOPTCODES,	0,	HDIR_GET,	dump_soptcodes },
151 	{ IP_FW_DUMP_SRVOBJECTS,0,	HDIR_GET,	dump_srvobjects },
152 };
153 
154 static int
155 set_legacy_obj_kidx(struct ip_fw_chain *ch, struct ip_fw_rule0 *rule);
156 struct opcode_obj_rewrite *ipfw_find_op_rw(uint16_t opcode);
157 static int mark_object_kidx(struct ip_fw_chain *ch, struct ip_fw *rule,
158     uint32_t *bmask);
159 static void unref_rule_objects(struct ip_fw_chain *chain, struct ip_fw *rule);
160 static int export_objhash_ntlv(struct namedobj_instance *ni, uint16_t kidx,
161     struct sockopt_data *sd);
162 
163 /*
164  * Opcode object rewriter variables
165  */
166 struct opcode_obj_rewrite *ctl3_rewriters;
167 static size_t ctl3_rsize;
168 
169 /*
170  * static variables followed by global ones
171  */
172 
173 static VNET_DEFINE(uma_zone_t, ipfw_cntr_zone);
174 #define	V_ipfw_cntr_zone		VNET(ipfw_cntr_zone)
175 
176 void
177 ipfw_init_counters()
178 {
179 
180 	V_ipfw_cntr_zone = uma_zcreate("IPFW counters",
181 	    IPFW_RULE_CNTR_SIZE, NULL, NULL, NULL, NULL,
182 	    UMA_ALIGN_PTR, UMA_ZONE_PCPU);
183 }
184 
185 void
186 ipfw_destroy_counters()
187 {
188 
189 	uma_zdestroy(V_ipfw_cntr_zone);
190 }
191 
192 struct ip_fw *
193 ipfw_alloc_rule(struct ip_fw_chain *chain, size_t rulesize)
194 {
195 	struct ip_fw *rule;
196 
197 	rule = malloc(rulesize, M_IPFW, M_WAITOK | M_ZERO);
198 	rule->cntr = uma_zalloc(V_ipfw_cntr_zone, M_WAITOK | M_ZERO);
199 
200 	return (rule);
201 }
202 
203 static void
204 free_rule(struct ip_fw *rule)
205 {
206 
207 	uma_zfree(V_ipfw_cntr_zone, rule->cntr);
208 	free(rule, M_IPFW);
209 }
210 
211 
212 /*
213  * Find the smallest rule >= key, id.
214  * We could use bsearch but it is so simple that we code it directly
215  */
216 int
217 ipfw_find_rule(struct ip_fw_chain *chain, uint32_t key, uint32_t id)
218 {
219 	int i, lo, hi;
220 	struct ip_fw *r;
221 
222   	for (lo = 0, hi = chain->n_rules - 1; lo < hi;) {
223 		i = (lo + hi) / 2;
224 		r = chain->map[i];
225 		if (r->rulenum < key)
226 			lo = i + 1;	/* continue from the next one */
227 		else if (r->rulenum > key)
228 			hi = i;		/* this might be good */
229 		else if (r->id < id)
230 			lo = i + 1;	/* continue from the next one */
231 		else /* r->id >= id */
232 			hi = i;		/* this might be good */
233 	};
234 	return hi;
235 }
236 
237 /*
238  * Builds skipto cache on rule set @map.
239  */
240 static void
241 update_skipto_cache(struct ip_fw_chain *chain, struct ip_fw **map)
242 {
243 	int *smap, rulenum;
244 	int i, mi;
245 
246 	IPFW_UH_WLOCK_ASSERT(chain);
247 
248 	mi = 0;
249 	rulenum = map[mi]->rulenum;
250 	smap = chain->idxmap_back;
251 
252 	if (smap == NULL)
253 		return;
254 
255 	for (i = 0; i < 65536; i++) {
256 		smap[i] = mi;
257 		/* Use the same rule index until i < rulenum */
258 		if (i != rulenum || i == 65535)
259 			continue;
260 		/* Find next rule with num > i */
261 		rulenum = map[++mi]->rulenum;
262 		while (rulenum == i)
263 			rulenum = map[++mi]->rulenum;
264 	}
265 }
266 
267 /*
268  * Swaps prepared (backup) index with current one.
269  */
270 static void
271 swap_skipto_cache(struct ip_fw_chain *chain)
272 {
273 	int *map;
274 
275 	IPFW_UH_WLOCK_ASSERT(chain);
276 	IPFW_WLOCK_ASSERT(chain);
277 
278 	map = chain->idxmap;
279 	chain->idxmap = chain->idxmap_back;
280 	chain->idxmap_back = map;
281 }
282 
283 /*
284  * Allocate and initialize skipto cache.
285  */
286 void
287 ipfw_init_skipto_cache(struct ip_fw_chain *chain)
288 {
289 	int *idxmap, *idxmap_back;
290 
291 	idxmap = malloc(65536 * sizeof(uint32_t *), M_IPFW,
292 	    M_WAITOK | M_ZERO);
293 	idxmap_back = malloc(65536 * sizeof(uint32_t *), M_IPFW,
294 	    M_WAITOK | M_ZERO);
295 
296 	/*
297 	 * Note we may be called at any time after initialization,
298 	 * for example, on first skipto rule, so we need to
299 	 * provide valid chain->idxmap on return
300 	 */
301 
302 	IPFW_UH_WLOCK(chain);
303 	if (chain->idxmap != NULL) {
304 		IPFW_UH_WUNLOCK(chain);
305 		free(idxmap, M_IPFW);
306 		free(idxmap_back, M_IPFW);
307 		return;
308 	}
309 
310 	/* Set backup pointer first to permit building cache */
311 	chain->idxmap_back = idxmap_back;
312 	update_skipto_cache(chain, chain->map);
313 	IPFW_WLOCK(chain);
314 	/* It is now safe to set chain->idxmap ptr */
315 	chain->idxmap = idxmap;
316 	swap_skipto_cache(chain);
317 	IPFW_WUNLOCK(chain);
318 	IPFW_UH_WUNLOCK(chain);
319 }
320 
321 /*
322  * Destroys skipto cache.
323  */
324 void
325 ipfw_destroy_skipto_cache(struct ip_fw_chain *chain)
326 {
327 
328 	if (chain->idxmap != NULL)
329 		free(chain->idxmap, M_IPFW);
330 	if (chain->idxmap != NULL)
331 		free(chain->idxmap_back, M_IPFW);
332 }
333 
334 
335 /*
336  * allocate a new map, returns the chain locked. extra is the number
337  * of entries to add or delete.
338  */
339 static struct ip_fw **
340 get_map(struct ip_fw_chain *chain, int extra, int locked)
341 {
342 
343 	for (;;) {
344 		struct ip_fw **map;
345 		int i, mflags;
346 
347 		mflags = M_ZERO | ((locked != 0) ? M_NOWAIT : M_WAITOK);
348 
349 		i = chain->n_rules + extra;
350 		map = malloc(i * sizeof(struct ip_fw *), M_IPFW, mflags);
351 		if (map == NULL) {
352 			printf("%s: cannot allocate map\n", __FUNCTION__);
353 			return NULL;
354 		}
355 		if (!locked)
356 			IPFW_UH_WLOCK(chain);
357 		if (i >= chain->n_rules + extra) /* good */
358 			return map;
359 		/* otherwise we lost the race, free and retry */
360 		if (!locked)
361 			IPFW_UH_WUNLOCK(chain);
362 		free(map, M_IPFW);
363 	}
364 }
365 
366 /*
367  * swap the maps. It is supposed to be called with IPFW_UH_WLOCK
368  */
369 static struct ip_fw **
370 swap_map(struct ip_fw_chain *chain, struct ip_fw **new_map, int new_len)
371 {
372 	struct ip_fw **old_map;
373 
374 	IPFW_WLOCK(chain);
375 	chain->id++;
376 	chain->n_rules = new_len;
377 	old_map = chain->map;
378 	chain->map = new_map;
379 	swap_skipto_cache(chain);
380 	IPFW_WUNLOCK(chain);
381 	return old_map;
382 }
383 
384 
385 static void
386 export_cntr1_base(struct ip_fw *krule, struct ip_fw_bcounter *cntr)
387 {
388 
389 	cntr->size = sizeof(*cntr);
390 
391 	if (krule->cntr != NULL) {
392 		cntr->pcnt = counter_u64_fetch(krule->cntr);
393 		cntr->bcnt = counter_u64_fetch(krule->cntr + 1);
394 		cntr->timestamp = krule->timestamp;
395 	}
396 	if (cntr->timestamp > 0)
397 		cntr->timestamp += boottime.tv_sec;
398 }
399 
400 static void
401 export_cntr0_base(struct ip_fw *krule, struct ip_fw_bcounter0 *cntr)
402 {
403 
404 	if (krule->cntr != NULL) {
405 		cntr->pcnt = counter_u64_fetch(krule->cntr);
406 		cntr->bcnt = counter_u64_fetch(krule->cntr + 1);
407 		cntr->timestamp = krule->timestamp;
408 	}
409 	if (cntr->timestamp > 0)
410 		cntr->timestamp += boottime.tv_sec;
411 }
412 
413 /*
414  * Copies rule @urule from v1 userland format (current).
415  * to kernel @krule.
416  * Assume @krule is zeroed.
417  */
418 static void
419 import_rule1(struct rule_check_info *ci)
420 {
421 	struct ip_fw_rule *urule;
422 	struct ip_fw *krule;
423 
424 	urule = (struct ip_fw_rule *)ci->urule;
425 	krule = (struct ip_fw *)ci->krule;
426 
427 	/* copy header */
428 	krule->act_ofs = urule->act_ofs;
429 	krule->cmd_len = urule->cmd_len;
430 	krule->rulenum = urule->rulenum;
431 	krule->set = urule->set;
432 	krule->flags = urule->flags;
433 
434 	/* Save rulenum offset */
435 	ci->urule_numoff = offsetof(struct ip_fw_rule, rulenum);
436 
437 	/* Copy opcodes */
438 	memcpy(krule->cmd, urule->cmd, krule->cmd_len * sizeof(uint32_t));
439 }
440 
441 /*
442  * Export rule into v1 format (Current).
443  * Layout:
444  * [ ipfw_obj_tlv(IPFW_TLV_RULE_ENT)
445  *     [ ip_fw_rule ] OR
446  *     [ ip_fw_bcounter ip_fw_rule] (depends on rcntrs).
447  * ]
448  * Assume @data is zeroed.
449  */
450 static void
451 export_rule1(struct ip_fw *krule, caddr_t data, int len, int rcntrs)
452 {
453 	struct ip_fw_bcounter *cntr;
454 	struct ip_fw_rule *urule;
455 	ipfw_obj_tlv *tlv;
456 
457 	/* Fill in TLV header */
458 	tlv = (ipfw_obj_tlv *)data;
459 	tlv->type = IPFW_TLV_RULE_ENT;
460 	tlv->length = len;
461 
462 	if (rcntrs != 0) {
463 		/* Copy counters */
464 		cntr = (struct ip_fw_bcounter *)(tlv + 1);
465 		urule = (struct ip_fw_rule *)(cntr + 1);
466 		export_cntr1_base(krule, cntr);
467 	} else
468 		urule = (struct ip_fw_rule *)(tlv + 1);
469 
470 	/* copy header */
471 	urule->act_ofs = krule->act_ofs;
472 	urule->cmd_len = krule->cmd_len;
473 	urule->rulenum = krule->rulenum;
474 	urule->set = krule->set;
475 	urule->flags = krule->flags;
476 	urule->id = krule->id;
477 
478 	/* Copy opcodes */
479 	memcpy(urule->cmd, krule->cmd, krule->cmd_len * sizeof(uint32_t));
480 }
481 
482 
483 /*
484  * Copies rule @urule from FreeBSD8 userland format (v0)
485  * to kernel @krule.
486  * Assume @krule is zeroed.
487  */
488 static void
489 import_rule0(struct rule_check_info *ci)
490 {
491 	struct ip_fw_rule0 *urule;
492 	struct ip_fw *krule;
493 	int cmdlen, l;
494 	ipfw_insn *cmd;
495 	ipfw_insn_limit *lcmd;
496 	ipfw_insn_if *cmdif;
497 
498 	urule = (struct ip_fw_rule0 *)ci->urule;
499 	krule = (struct ip_fw *)ci->krule;
500 
501 	/* copy header */
502 	krule->act_ofs = urule->act_ofs;
503 	krule->cmd_len = urule->cmd_len;
504 	krule->rulenum = urule->rulenum;
505 	krule->set = urule->set;
506 	if ((urule->_pad & 1) != 0)
507 		krule->flags |= IPFW_RULE_NOOPT;
508 
509 	/* Save rulenum offset */
510 	ci->urule_numoff = offsetof(struct ip_fw_rule0, rulenum);
511 
512 	/* Copy opcodes */
513 	memcpy(krule->cmd, urule->cmd, krule->cmd_len * sizeof(uint32_t));
514 
515 	/*
516 	 * Alter opcodes:
517 	 * 1) convert tablearg value from 65335 to 0
518 	 * 2) Add high bit to O_SETFIB/O_SETDSCP values (to make room for targ).
519 	 * 3) convert table number in iface opcodes to u16
520 	 */
521 	l = krule->cmd_len;
522 	cmd = krule->cmd;
523 	cmdlen = 0;
524 
525 	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
526 		cmdlen = F_LEN(cmd);
527 
528 		switch (cmd->opcode) {
529 		/* Opcodes supporting tablearg */
530 		case O_TAG:
531 		case O_TAGGED:
532 		case O_PIPE:
533 		case O_QUEUE:
534 		case O_DIVERT:
535 		case O_TEE:
536 		case O_SKIPTO:
537 		case O_CALLRETURN:
538 		case O_NETGRAPH:
539 		case O_NGTEE:
540 		case O_NAT:
541 			if (cmd->arg1 == 65535)
542 				cmd->arg1 = IP_FW_TARG;
543 			break;
544 		case O_SETFIB:
545 		case O_SETDSCP:
546 			if (cmd->arg1 == 65535)
547 				cmd->arg1 = IP_FW_TARG;
548 			else
549 				cmd->arg1 |= 0x8000;
550 			break;
551 		case O_LIMIT:
552 			lcmd = (ipfw_insn_limit *)cmd;
553 			if (lcmd->conn_limit == 65535)
554 				lcmd->conn_limit = IP_FW_TARG;
555 			break;
556 		/* Interface tables */
557 		case O_XMIT:
558 		case O_RECV:
559 		case O_VIA:
560 			/* Interface table, possibly */
561 			cmdif = (ipfw_insn_if *)cmd;
562 			if (cmdif->name[0] != '\1')
563 				break;
564 
565 			cmdif->p.kidx = (uint16_t)cmdif->p.glob;
566 			break;
567 		}
568 	}
569 }
570 
571 /*
572  * Copies rule @krule from kernel to FreeBSD8 userland format (v0)
573  */
574 static void
575 export_rule0(struct ip_fw *krule, struct ip_fw_rule0 *urule, int len)
576 {
577 	int cmdlen, l;
578 	ipfw_insn *cmd;
579 	ipfw_insn_limit *lcmd;
580 	ipfw_insn_if *cmdif;
581 
582 	/* copy header */
583 	memset(urule, 0, len);
584 	urule->act_ofs = krule->act_ofs;
585 	urule->cmd_len = krule->cmd_len;
586 	urule->rulenum = krule->rulenum;
587 	urule->set = krule->set;
588 	if ((krule->flags & IPFW_RULE_NOOPT) != 0)
589 		urule->_pad |= 1;
590 
591 	/* Copy opcodes */
592 	memcpy(urule->cmd, krule->cmd, krule->cmd_len * sizeof(uint32_t));
593 
594 	/* Export counters */
595 	export_cntr0_base(krule, (struct ip_fw_bcounter0 *)&urule->pcnt);
596 
597 	/*
598 	 * Alter opcodes:
599 	 * 1) convert tablearg value from 0 to 65335
600 	 * 2) Remove highest bit from O_SETFIB/O_SETDSCP values.
601 	 * 3) convert table number in iface opcodes to int
602 	 */
603 	l = urule->cmd_len;
604 	cmd = urule->cmd;
605 	cmdlen = 0;
606 
607 	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
608 		cmdlen = F_LEN(cmd);
609 
610 		switch (cmd->opcode) {
611 		/* Opcodes supporting tablearg */
612 		case O_TAG:
613 		case O_TAGGED:
614 		case O_PIPE:
615 		case O_QUEUE:
616 		case O_DIVERT:
617 		case O_TEE:
618 		case O_SKIPTO:
619 		case O_CALLRETURN:
620 		case O_NETGRAPH:
621 		case O_NGTEE:
622 		case O_NAT:
623 			if (cmd->arg1 == IP_FW_TARG)
624 				cmd->arg1 = 65535;
625 			break;
626 		case O_SETFIB:
627 		case O_SETDSCP:
628 			if (cmd->arg1 == IP_FW_TARG)
629 				cmd->arg1 = 65535;
630 			else
631 				cmd->arg1 &= ~0x8000;
632 			break;
633 		case O_LIMIT:
634 			lcmd = (ipfw_insn_limit *)cmd;
635 			if (lcmd->conn_limit == IP_FW_TARG)
636 				lcmd->conn_limit = 65535;
637 			break;
638 		/* Interface tables */
639 		case O_XMIT:
640 		case O_RECV:
641 		case O_VIA:
642 			/* Interface table, possibly */
643 			cmdif = (ipfw_insn_if *)cmd;
644 			if (cmdif->name[0] != '\1')
645 				break;
646 
647 			cmdif->p.glob = cmdif->p.kidx;
648 			break;
649 		}
650 	}
651 }
652 
653 /*
654  * Add new rule(s) to the list possibly creating rule number for each.
655  * Update the rule_number in the input struct so the caller knows it as well.
656  * Must be called without IPFW_UH held
657  */
658 static int
659 commit_rules(struct ip_fw_chain *chain, struct rule_check_info *rci, int count)
660 {
661 	int error, i, insert_before, tcount;
662 	uint16_t rulenum, *pnum;
663 	struct rule_check_info *ci;
664 	struct ip_fw *krule;
665 	struct ip_fw **map;	/* the new array of pointers */
666 
667 	/* Check if we need to do table/obj index remap */
668 	tcount = 0;
669 	for (ci = rci, i = 0; i < count; ci++, i++) {
670 		if (ci->object_opcodes == 0)
671 			continue;
672 
673 		/*
674 		 * Rule has some object opcodes.
675 		 * We need to find (and create non-existing)
676 		 * kernel objects, and reference existing ones.
677 		 */
678 		error = ipfw_rewrite_rule_uidx(chain, ci);
679 		if (error != 0) {
680 
681 			/*
682 			 * rewrite failed, state for current rule
683 			 * has been reverted. Check if we need to
684 			 * revert more.
685 			 */
686 			if (tcount > 0) {
687 
688 				/*
689 				 * We have some more table rules
690 				 * we need to rollback.
691 				 */
692 
693 				IPFW_UH_WLOCK(chain);
694 				while (ci != rci) {
695 					ci--;
696 					if (ci->object_opcodes == 0)
697 						continue;
698 					unref_rule_objects(chain,ci->krule);
699 
700 				}
701 				IPFW_UH_WUNLOCK(chain);
702 
703 			}
704 
705 			return (error);
706 		}
707 
708 		tcount++;
709 	}
710 
711 	/* get_map returns with IPFW_UH_WLOCK if successful */
712 	map = get_map(chain, count, 0 /* not locked */);
713 	if (map == NULL) {
714 		if (tcount > 0) {
715 			/* Unbind tables */
716 			IPFW_UH_WLOCK(chain);
717 			for (ci = rci, i = 0; i < count; ci++, i++) {
718 				if (ci->object_opcodes == 0)
719 					continue;
720 
721 				unref_rule_objects(chain, ci->krule);
722 			}
723 			IPFW_UH_WUNLOCK(chain);
724 		}
725 
726 		return (ENOSPC);
727 	}
728 
729 	if (V_autoinc_step < 1)
730 		V_autoinc_step = 1;
731 	else if (V_autoinc_step > 1000)
732 		V_autoinc_step = 1000;
733 
734 	/* FIXME: Handle count > 1 */
735 	ci = rci;
736 	krule = ci->krule;
737 	rulenum = krule->rulenum;
738 
739 	/* find the insertion point, we will insert before */
740 	insert_before = rulenum ? rulenum + 1 : IPFW_DEFAULT_RULE;
741 	i = ipfw_find_rule(chain, insert_before, 0);
742 	/* duplicate first part */
743 	if (i > 0)
744 		bcopy(chain->map, map, i * sizeof(struct ip_fw *));
745 	map[i] = krule;
746 	/* duplicate remaining part, we always have the default rule */
747 	bcopy(chain->map + i, map + i + 1,
748 		sizeof(struct ip_fw *) *(chain->n_rules - i));
749 	if (rulenum == 0) {
750 		/* Compute rule number and write it back */
751 		rulenum = i > 0 ? map[i-1]->rulenum : 0;
752 		if (rulenum < IPFW_DEFAULT_RULE - V_autoinc_step)
753 			rulenum += V_autoinc_step;
754 		krule->rulenum = rulenum;
755 		/* Save number to userland rule */
756 		pnum = (uint16_t *)((caddr_t)ci->urule + ci->urule_numoff);
757 		*pnum = rulenum;
758 	}
759 
760 	krule->id = chain->id + 1;
761 	update_skipto_cache(chain, map);
762 	map = swap_map(chain, map, chain->n_rules + 1);
763 	chain->static_len += RULEUSIZE0(krule);
764 	IPFW_UH_WUNLOCK(chain);
765 	if (map)
766 		free(map, M_IPFW);
767 	return (0);
768 }
769 
770 /*
771  * Adds @rule to the list of rules to reap
772  */
773 void
774 ipfw_reap_add(struct ip_fw_chain *chain, struct ip_fw **head,
775     struct ip_fw *rule)
776 {
777 
778 	IPFW_UH_WLOCK_ASSERT(chain);
779 
780 	/* Unlink rule from everywhere */
781 	unref_rule_objects(chain, rule);
782 
783 	*((struct ip_fw **)rule) = *head;
784 	*head = rule;
785 }
786 
787 /*
788  * Reclaim storage associated with a list of rules.  This is
789  * typically the list created using remove_rule.
790  * A NULL pointer on input is handled correctly.
791  */
792 void
793 ipfw_reap_rules(struct ip_fw *head)
794 {
795 	struct ip_fw *rule;
796 
797 	while ((rule = head) != NULL) {
798 		head = *((struct ip_fw **)head);
799 		free_rule(rule);
800 	}
801 }
802 
803 /*
804  * Rules to keep are
805  *	(default || reserved || !match_set || !match_number)
806  * where
807  *   default ::= (rule->rulenum == IPFW_DEFAULT_RULE)
808  *	// the default rule is always protected
809  *
810  *   reserved ::= (cmd == 0 && n == 0 && rule->set == RESVD_SET)
811  *	// RESVD_SET is protected only if cmd == 0 and n == 0 ("ipfw flush")
812  *
813  *   match_set ::= (cmd == 0 || rule->set == set)
814  *	// set number is ignored for cmd == 0
815  *
816  *   match_number ::= (cmd == 1 || n == 0 || n == rule->rulenum)
817  *	// number is ignored for cmd == 1 or n == 0
818  *
819  */
820 int
821 ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt)
822 {
823 
824 	/* Don't match default rule for modification queries */
825 	if (rule->rulenum == IPFW_DEFAULT_RULE &&
826 	    (rt->flags & IPFW_RCFLAG_DEFAULT) == 0)
827 		return (0);
828 
829 	/* Don't match rules in reserved set for flush requests */
830 	if ((rt->flags & IPFW_RCFLAG_ALL) != 0 && rule->set == RESVD_SET)
831 		return (0);
832 
833 	/* If we're filtering by set, don't match other sets */
834 	if ((rt->flags & IPFW_RCFLAG_SET) != 0 && rule->set != rt->set)
835 		return (0);
836 
837 	if ((rt->flags & IPFW_RCFLAG_RANGE) != 0 &&
838 	    (rule->rulenum < rt->start_rule || rule->rulenum > rt->end_rule))
839 		return (0);
840 
841 	return (1);
842 }
843 
844 /*
845  * Delete rules matching range @rt.
846  * Saves number of deleted rules in @ndel.
847  *
848  * Returns 0 on success.
849  */
850 static int
851 delete_range(struct ip_fw_chain *chain, ipfw_range_tlv *rt, int *ndel)
852 {
853 	struct ip_fw *reap, *rule, **map;
854 	int end, start;
855 	int i, n, ndyn, ofs;
856 
857 	reap = NULL;
858 	IPFW_UH_WLOCK(chain);	/* arbitrate writers */
859 
860 	/*
861 	 * Stage 1: Determine range to inspect.
862 	 * Range is half-inclusive, e.g [start, end).
863 	 */
864 	start = 0;
865 	end = chain->n_rules - 1;
866 
867 	if ((rt->flags & IPFW_RCFLAG_RANGE) != 0) {
868 		start = ipfw_find_rule(chain, rt->start_rule, 0);
869 
870 		end = ipfw_find_rule(chain, rt->end_rule, 0);
871 		if (rt->end_rule != IPFW_DEFAULT_RULE)
872 			while (chain->map[end]->rulenum == rt->end_rule)
873 				end++;
874 	}
875 
876 	/* Allocate new map of the same size */
877 	map = get_map(chain, 0, 1 /* locked */);
878 	if (map == NULL) {
879 		IPFW_UH_WUNLOCK(chain);
880 		return (ENOMEM);
881 	}
882 
883 	n = 0;
884 	ndyn = 0;
885 	ofs = start;
886 	/* 1. bcopy the initial part of the map */
887 	if (start > 0)
888 		bcopy(chain->map, map, start * sizeof(struct ip_fw *));
889 	/* 2. copy active rules between start and end */
890 	for (i = start; i < end; i++) {
891 		rule = chain->map[i];
892 		if (ipfw_match_range(rule, rt) == 0) {
893 			map[ofs++] = rule;
894 			continue;
895 		}
896 
897 		n++;
898 		if (ipfw_is_dyn_rule(rule) != 0)
899 			ndyn++;
900 	}
901 	/* 3. copy the final part of the map */
902 	bcopy(chain->map + end, map + ofs,
903 		(chain->n_rules - end) * sizeof(struct ip_fw *));
904 	/* 4. recalculate skipto cache */
905 	update_skipto_cache(chain, map);
906 	/* 5. swap the maps (under UH_WLOCK + WHLOCK) */
907 	map = swap_map(chain, map, chain->n_rules - n);
908 	/* 6. Remove all dynamic states originated by deleted rules */
909 	if (ndyn > 0)
910 		ipfw_expire_dyn_rules(chain, rt);
911 	/* 7. now remove the rules deleted from the old map */
912 	for (i = start; i < end; i++) {
913 		rule = map[i];
914 		if (ipfw_match_range(rule, rt) == 0)
915 			continue;
916 		chain->static_len -= RULEUSIZE0(rule);
917 		ipfw_reap_add(chain, &reap, rule);
918 	}
919 	IPFW_UH_WUNLOCK(chain);
920 
921 	ipfw_reap_rules(reap);
922 	if (map != NULL)
923 		free(map, M_IPFW);
924 	*ndel = n;
925 	return (0);
926 }
927 
928 /*
929  * Changes set of given rule rannge @rt
930  * with each other.
931  *
932  * Returns 0 on success.
933  */
934 static int
935 move_range(struct ip_fw_chain *chain, ipfw_range_tlv *rt)
936 {
937 	struct ip_fw *rule;
938 	int i;
939 
940 	IPFW_UH_WLOCK(chain);
941 
942 	/*
943 	 * Move rules with matching paramenerts to a new set.
944 	 * This one is much more complex. We have to ensure
945 	 * that all referenced tables (if any) are referenced
946 	 * by given rule subset only. Otherwise, we can't move
947 	 * them to new set and have to return error.
948 	 */
949 	if (V_fw_tables_sets != 0) {
950 		if (ipfw_move_tables_sets(chain, rt, rt->new_set) != 0) {
951 			IPFW_UH_WUNLOCK(chain);
952 			return (EBUSY);
953 		}
954 	}
955 
956 	/* XXX: We have to do swap holding WLOCK */
957 	for (i = 0; i < chain->n_rules; i++) {
958 		rule = chain->map[i];
959 		if (ipfw_match_range(rule, rt) == 0)
960 			continue;
961 		rule->set = rt->new_set;
962 	}
963 
964 	IPFW_UH_WUNLOCK(chain);
965 
966 	return (0);
967 }
968 
969 /*
970  * Clear counters for a specific rule.
971  * Normally run under IPFW_UH_RLOCK, but these are idempotent ops
972  * so we only care that rules do not disappear.
973  */
974 static void
975 clear_counters(struct ip_fw *rule, int log_only)
976 {
977 	ipfw_insn_log *l = (ipfw_insn_log *)ACTION_PTR(rule);
978 
979 	if (log_only == 0)
980 		IPFW_ZERO_RULE_COUNTER(rule);
981 	if (l->o.opcode == O_LOG)
982 		l->log_left = l->max_log;
983 }
984 
985 /*
986  * Flushes rules counters and/or log values on matching range.
987  *
988  * Returns number of items cleared.
989  */
990 static int
991 clear_range(struct ip_fw_chain *chain, ipfw_range_tlv *rt, int log_only)
992 {
993 	struct ip_fw *rule;
994 	int num;
995 	int i;
996 
997 	num = 0;
998 	rt->flags |= IPFW_RCFLAG_DEFAULT;
999 
1000 	IPFW_UH_WLOCK(chain);	/* arbitrate writers */
1001 	for (i = 0; i < chain->n_rules; i++) {
1002 		rule = chain->map[i];
1003 		if (ipfw_match_range(rule, rt) == 0)
1004 			continue;
1005 		clear_counters(rule, log_only);
1006 		num++;
1007 	}
1008 	IPFW_UH_WUNLOCK(chain);
1009 
1010 	return (num);
1011 }
1012 
1013 static int
1014 check_range_tlv(ipfw_range_tlv *rt)
1015 {
1016 
1017 	if (rt->head.length != sizeof(*rt))
1018 		return (1);
1019 	if (rt->start_rule > rt->end_rule)
1020 		return (1);
1021 	if (rt->set >= IPFW_MAX_SETS || rt->new_set >= IPFW_MAX_SETS)
1022 		return (1);
1023 
1024 	if ((rt->flags & IPFW_RCFLAG_USER) != rt->flags)
1025 		return (1);
1026 
1027 	return (0);
1028 }
1029 
1030 /*
1031  * Delete rules matching specified parameters
1032  * Data layout (v0)(current):
1033  * Request: [ ipfw_obj_header ipfw_range_tlv ]
1034  * Reply: [ ipfw_obj_header ipfw_range_tlv ]
1035  *
1036  * Saves number of deleted rules in ipfw_range_tlv->new_set.
1037  *
1038  * Returns 0 on success.
1039  */
1040 static int
1041 del_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
1042     struct sockopt_data *sd)
1043 {
1044 	ipfw_range_header *rh;
1045 	int error, ndel;
1046 
1047 	if (sd->valsize != sizeof(*rh))
1048 		return (EINVAL);
1049 
1050 	rh = (ipfw_range_header *)ipfw_get_sopt_space(sd, sd->valsize);
1051 
1052 	if (check_range_tlv(&rh->range) != 0)
1053 		return (EINVAL);
1054 
1055 	ndel = 0;
1056 	if ((error = delete_range(chain, &rh->range, &ndel)) != 0)
1057 		return (error);
1058 
1059 	/* Save number of rules deleted */
1060 	rh->range.new_set = ndel;
1061 	return (0);
1062 }
1063 
1064 /*
1065  * Move rules/sets matching specified parameters
1066  * Data layout (v0)(current):
1067  * Request: [ ipfw_obj_header ipfw_range_tlv ]
1068  *
1069  * Returns 0 on success.
1070  */
1071 static int
1072 move_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
1073     struct sockopt_data *sd)
1074 {
1075 	ipfw_range_header *rh;
1076 
1077 	if (sd->valsize != sizeof(*rh))
1078 		return (EINVAL);
1079 
1080 	rh = (ipfw_range_header *)ipfw_get_sopt_space(sd, sd->valsize);
1081 
1082 	if (check_range_tlv(&rh->range) != 0)
1083 		return (EINVAL);
1084 
1085 	return (move_range(chain, &rh->range));
1086 }
1087 
1088 /*
1089  * Clear rule accounting data matching specified parameters
1090  * Data layout (v0)(current):
1091  * Request: [ ipfw_obj_header ipfw_range_tlv ]
1092  * Reply: [ ipfw_obj_header ipfw_range_tlv ]
1093  *
1094  * Saves number of cleared rules in ipfw_range_tlv->new_set.
1095  *
1096  * Returns 0 on success.
1097  */
1098 static int
1099 clear_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
1100     struct sockopt_data *sd)
1101 {
1102 	ipfw_range_header *rh;
1103 	int log_only, num;
1104 	char *msg;
1105 
1106 	if (sd->valsize != sizeof(*rh))
1107 		return (EINVAL);
1108 
1109 	rh = (ipfw_range_header *)ipfw_get_sopt_space(sd, sd->valsize);
1110 
1111 	if (check_range_tlv(&rh->range) != 0)
1112 		return (EINVAL);
1113 
1114 	log_only = (op3->opcode == IP_FW_XRESETLOG);
1115 
1116 	num = clear_range(chain, &rh->range, log_only);
1117 
1118 	if (rh->range.flags & IPFW_RCFLAG_ALL)
1119 		msg = log_only ? "All logging counts reset" :
1120 		    "Accounting cleared";
1121 	else
1122 		msg = log_only ? "logging count reset" : "cleared";
1123 
1124 	if (V_fw_verbose) {
1125 		int lev = LOG_SECURITY | LOG_NOTICE;
1126 		log(lev, "ipfw: %s.\n", msg);
1127 	}
1128 
1129 	/* Save number of rules cleared */
1130 	rh->range.new_set = num;
1131 	return (0);
1132 }
1133 
1134 static void
1135 enable_sets(struct ip_fw_chain *chain, ipfw_range_tlv *rt)
1136 {
1137 	uint32_t v_set;
1138 
1139 	IPFW_UH_WLOCK_ASSERT(chain);
1140 
1141 	/* Change enabled/disabled sets mask */
1142 	v_set = (V_set_disable | rt->set) & ~rt->new_set;
1143 	v_set &= ~(1 << RESVD_SET); /* set RESVD_SET always enabled */
1144 	IPFW_WLOCK(chain);
1145 	V_set_disable = v_set;
1146 	IPFW_WUNLOCK(chain);
1147 }
1148 
1149 static void
1150 swap_sets(struct ip_fw_chain *chain, ipfw_range_tlv *rt, int mv)
1151 {
1152 	struct ip_fw *rule;
1153 	int i;
1154 
1155 	IPFW_UH_WLOCK_ASSERT(chain);
1156 
1157 	/* Swap or move two sets */
1158 	for (i = 0; i < chain->n_rules - 1; i++) {
1159 		rule = chain->map[i];
1160 		if (rule->set == rt->set)
1161 			rule->set = rt->new_set;
1162 		else if (rule->set == rt->new_set && mv == 0)
1163 			rule->set = rt->set;
1164 	}
1165 	if (V_fw_tables_sets != 0)
1166 		ipfw_swap_tables_sets(chain, rt->set, rt->new_set, mv);
1167 }
1168 
1169 /*
1170  * Swaps or moves set
1171  * Data layout (v0)(current):
1172  * Request: [ ipfw_obj_header ipfw_range_tlv ]
1173  *
1174  * Returns 0 on success.
1175  */
1176 static int
1177 manage_sets(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
1178     struct sockopt_data *sd)
1179 {
1180 	ipfw_range_header *rh;
1181 
1182 	if (sd->valsize != sizeof(*rh))
1183 		return (EINVAL);
1184 
1185 	rh = (ipfw_range_header *)ipfw_get_sopt_space(sd, sd->valsize);
1186 
1187 	if (rh->range.head.length != sizeof(ipfw_range_tlv))
1188 		return (1);
1189 
1190 	IPFW_UH_WLOCK(chain);
1191 	switch (op3->opcode) {
1192 	case IP_FW_SET_SWAP:
1193 	case IP_FW_SET_MOVE:
1194 		swap_sets(chain, &rh->range, op3->opcode == IP_FW_SET_MOVE);
1195 		break;
1196 	case IP_FW_SET_ENABLE:
1197 		enable_sets(chain, &rh->range);
1198 		break;
1199 	}
1200 	IPFW_UH_WUNLOCK(chain);
1201 
1202 	return (0);
1203 }
1204 
1205 /**
1206  * Remove all rules with given number, or do set manipulation.
1207  * Assumes chain != NULL && *chain != NULL.
1208  *
1209  * The argument is an uint32_t. The low 16 bit are the rule or set number;
1210  * the next 8 bits are the new set; the top 8 bits indicate the command:
1211  *
1212  *	0	delete rules numbered "rulenum"
1213  *	1	delete rules in set "rulenum"
1214  *	2	move rules "rulenum" to set "new_set"
1215  *	3	move rules from set "rulenum" to set "new_set"
1216  *	4	swap sets "rulenum" and "new_set"
1217  *	5	delete rules "rulenum" and set "new_set"
1218  */
1219 static int
1220 del_entry(struct ip_fw_chain *chain, uint32_t arg)
1221 {
1222 	uint32_t num;	/* rule number or old_set */
1223 	uint8_t cmd, new_set;
1224 	int do_del, ndel;
1225 	int error = 0;
1226 	ipfw_range_tlv rt;
1227 
1228 	num = arg & 0xffff;
1229 	cmd = (arg >> 24) & 0xff;
1230 	new_set = (arg >> 16) & 0xff;
1231 
1232 	if (cmd > 5 || new_set > RESVD_SET)
1233 		return EINVAL;
1234 	if (cmd == 0 || cmd == 2 || cmd == 5) {
1235 		if (num >= IPFW_DEFAULT_RULE)
1236 			return EINVAL;
1237 	} else {
1238 		if (num > RESVD_SET)	/* old_set */
1239 			return EINVAL;
1240 	}
1241 
1242 	/* Convert old requests into new representation */
1243 	memset(&rt, 0, sizeof(rt));
1244 	rt.start_rule = num;
1245 	rt.end_rule = num;
1246 	rt.set = num;
1247 	rt.new_set = new_set;
1248 	do_del = 0;
1249 
1250 	switch (cmd) {
1251 	case 0: /* delete rules numbered "rulenum" */
1252 		if (num == 0)
1253 			rt.flags |= IPFW_RCFLAG_ALL;
1254 		else
1255 			rt.flags |= IPFW_RCFLAG_RANGE;
1256 		do_del = 1;
1257 		break;
1258 	case 1: /* delete rules in set "rulenum" */
1259 		rt.flags |= IPFW_RCFLAG_SET;
1260 		do_del = 1;
1261 		break;
1262 	case 5: /* delete rules "rulenum" and set "new_set" */
1263 		rt.flags |= IPFW_RCFLAG_RANGE | IPFW_RCFLAG_SET;
1264 		rt.set = new_set;
1265 		rt.new_set = 0;
1266 		do_del = 1;
1267 		break;
1268 	case 2: /* move rules "rulenum" to set "new_set" */
1269 		rt.flags |= IPFW_RCFLAG_RANGE;
1270 		break;
1271 	case 3: /* move rules from set "rulenum" to set "new_set" */
1272 		IPFW_UH_WLOCK(chain);
1273 		swap_sets(chain, &rt, 1);
1274 		IPFW_UH_WUNLOCK(chain);
1275 		return (0);
1276 	case 4: /* swap sets "rulenum" and "new_set" */
1277 		IPFW_UH_WLOCK(chain);
1278 		swap_sets(chain, &rt, 0);
1279 		IPFW_UH_WUNLOCK(chain);
1280 		return (0);
1281 	default:
1282 		return (ENOTSUP);
1283 	}
1284 
1285 	if (do_del != 0) {
1286 		if ((error = delete_range(chain, &rt, &ndel)) != 0)
1287 			return (error);
1288 
1289 		if (ndel == 0 && (cmd != 1 && num != 0))
1290 			return (EINVAL);
1291 
1292 		return (0);
1293 	}
1294 
1295 	return (move_range(chain, &rt));
1296 }
1297 
1298 /**
1299  * Reset some or all counters on firewall rules.
1300  * The argument `arg' is an u_int32_t. The low 16 bit are the rule number,
1301  * the next 8 bits are the set number, the top 8 bits are the command:
1302  *	0	work with rules from all set's;
1303  *	1	work with rules only from specified set.
1304  * Specified rule number is zero if we want to clear all entries.
1305  * log_only is 1 if we only want to reset logs, zero otherwise.
1306  */
1307 static int
1308 zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only)
1309 {
1310 	struct ip_fw *rule;
1311 	char *msg;
1312 	int i;
1313 
1314 	uint16_t rulenum = arg & 0xffff;
1315 	uint8_t set = (arg >> 16) & 0xff;
1316 	uint8_t cmd = (arg >> 24) & 0xff;
1317 
1318 	if (cmd > 1)
1319 		return (EINVAL);
1320 	if (cmd == 1 && set > RESVD_SET)
1321 		return (EINVAL);
1322 
1323 	IPFW_UH_RLOCK(chain);
1324 	if (rulenum == 0) {
1325 		V_norule_counter = 0;
1326 		for (i = 0; i < chain->n_rules; i++) {
1327 			rule = chain->map[i];
1328 			/* Skip rules not in our set. */
1329 			if (cmd == 1 && rule->set != set)
1330 				continue;
1331 			clear_counters(rule, log_only);
1332 		}
1333 		msg = log_only ? "All logging counts reset" :
1334 		    "Accounting cleared";
1335 	} else {
1336 		int cleared = 0;
1337 		for (i = 0; i < chain->n_rules; i++) {
1338 			rule = chain->map[i];
1339 			if (rule->rulenum == rulenum) {
1340 				if (cmd == 0 || rule->set == set)
1341 					clear_counters(rule, log_only);
1342 				cleared = 1;
1343 			}
1344 			if (rule->rulenum > rulenum)
1345 				break;
1346 		}
1347 		if (!cleared) {	/* we did not find any matching rules */
1348 			IPFW_UH_RUNLOCK(chain);
1349 			return (EINVAL);
1350 		}
1351 		msg = log_only ? "logging count reset" : "cleared";
1352 	}
1353 	IPFW_UH_RUNLOCK(chain);
1354 
1355 	if (V_fw_verbose) {
1356 		int lev = LOG_SECURITY | LOG_NOTICE;
1357 
1358 		if (rulenum)
1359 			log(lev, "ipfw: Entry %d %s.\n", rulenum, msg);
1360 		else
1361 			log(lev, "ipfw: %s.\n", msg);
1362 	}
1363 	return (0);
1364 }
1365 
1366 
1367 /*
1368  * Check rule head in FreeBSD11 format
1369  *
1370  */
1371 static int
1372 check_ipfw_rule1(struct ip_fw_rule *rule, int size,
1373     struct rule_check_info *ci)
1374 {
1375 	int l;
1376 
1377 	if (size < sizeof(*rule)) {
1378 		printf("ipfw: rule too short\n");
1379 		return (EINVAL);
1380 	}
1381 
1382 	/* Check for valid cmd_len */
1383 	l = roundup2(RULESIZE(rule), sizeof(uint64_t));
1384 	if (l != size) {
1385 		printf("ipfw: size mismatch (have %d want %d)\n", size, l);
1386 		return (EINVAL);
1387 	}
1388 	if (rule->act_ofs >= rule->cmd_len) {
1389 		printf("ipfw: bogus action offset (%u > %u)\n",
1390 		    rule->act_ofs, rule->cmd_len - 1);
1391 		return (EINVAL);
1392 	}
1393 
1394 	if (rule->rulenum > IPFW_DEFAULT_RULE - 1)
1395 		return (EINVAL);
1396 
1397 	return (check_ipfw_rule_body(rule->cmd, rule->cmd_len, ci));
1398 }
1399 
1400 /*
1401  * Check rule head in FreeBSD8 format
1402  *
1403  */
1404 static int
1405 check_ipfw_rule0(struct ip_fw_rule0 *rule, int size,
1406     struct rule_check_info *ci)
1407 {
1408 	int l;
1409 
1410 	if (size < sizeof(*rule)) {
1411 		printf("ipfw: rule too short\n");
1412 		return (EINVAL);
1413 	}
1414 
1415 	/* Check for valid cmd_len */
1416 	l = sizeof(*rule) + rule->cmd_len * 4 - 4;
1417 	if (l != size) {
1418 		printf("ipfw: size mismatch (have %d want %d)\n", size, l);
1419 		return (EINVAL);
1420 	}
1421 	if (rule->act_ofs >= rule->cmd_len) {
1422 		printf("ipfw: bogus action offset (%u > %u)\n",
1423 		    rule->act_ofs, rule->cmd_len - 1);
1424 		return (EINVAL);
1425 	}
1426 
1427 	if (rule->rulenum > IPFW_DEFAULT_RULE - 1)
1428 		return (EINVAL);
1429 
1430 	return (check_ipfw_rule_body(rule->cmd, rule->cmd_len, ci));
1431 }
1432 
1433 static int
1434 check_ipfw_rule_body(ipfw_insn *cmd, int cmd_len, struct rule_check_info *ci)
1435 {
1436 	int cmdlen, l;
1437 	int have_action;
1438 
1439 	have_action = 0;
1440 
1441 	/*
1442 	 * Now go for the individual checks. Very simple ones, basically only
1443 	 * instruction sizes.
1444 	 */
1445 	for (l = cmd_len; l > 0 ; l -= cmdlen, cmd += cmdlen) {
1446 		cmdlen = F_LEN(cmd);
1447 		if (cmdlen > l) {
1448 			printf("ipfw: opcode %d size truncated\n",
1449 			    cmd->opcode);
1450 			return EINVAL;
1451 		}
1452 		switch (cmd->opcode) {
1453 		case O_PROBE_STATE:
1454 		case O_KEEP_STATE:
1455 		case O_PROTO:
1456 		case O_IP_SRC_ME:
1457 		case O_IP_DST_ME:
1458 		case O_LAYER2:
1459 		case O_IN:
1460 		case O_FRAG:
1461 		case O_DIVERTED:
1462 		case O_IPOPT:
1463 		case O_IPTOS:
1464 		case O_IPPRECEDENCE:
1465 		case O_IPVER:
1466 		case O_SOCKARG:
1467 		case O_TCPFLAGS:
1468 		case O_TCPOPTS:
1469 		case O_ESTAB:
1470 		case O_VERREVPATH:
1471 		case O_VERSRCREACH:
1472 		case O_ANTISPOOF:
1473 		case O_IPSEC:
1474 #ifdef INET6
1475 		case O_IP6_SRC_ME:
1476 		case O_IP6_DST_ME:
1477 		case O_EXT_HDR:
1478 		case O_IP6:
1479 #endif
1480 		case O_IP4:
1481 		case O_TAG:
1482 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
1483 				goto bad_size;
1484 			break;
1485 
1486 		case O_FIB:
1487 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
1488 				goto bad_size;
1489 			if (cmd->arg1 >= rt_numfibs) {
1490 				printf("ipfw: invalid fib number %d\n",
1491 					cmd->arg1);
1492 				return EINVAL;
1493 			}
1494 			break;
1495 
1496 		case O_SETFIB:
1497 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
1498 				goto bad_size;
1499 			if ((cmd->arg1 != IP_FW_TARG) &&
1500 			    ((cmd->arg1 & 0x7FFF) >= rt_numfibs)) {
1501 				printf("ipfw: invalid fib number %d\n",
1502 					cmd->arg1 & 0x7FFF);
1503 				return EINVAL;
1504 			}
1505 			goto check_action;
1506 
1507 		case O_UID:
1508 		case O_GID:
1509 		case O_JAIL:
1510 		case O_IP_SRC:
1511 		case O_IP_DST:
1512 		case O_TCPSEQ:
1513 		case O_TCPACK:
1514 		case O_PROB:
1515 		case O_ICMPTYPE:
1516 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
1517 				goto bad_size;
1518 			break;
1519 
1520 		case O_LIMIT:
1521 			if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
1522 				goto bad_size;
1523 			break;
1524 
1525 		case O_LOG:
1526 			if (cmdlen != F_INSN_SIZE(ipfw_insn_log))
1527 				goto bad_size;
1528 
1529 			((ipfw_insn_log *)cmd)->log_left =
1530 			    ((ipfw_insn_log *)cmd)->max_log;
1531 
1532 			break;
1533 
1534 		case O_IP_SRC_MASK:
1535 		case O_IP_DST_MASK:
1536 			/* only odd command lengths */
1537 			if ((cmdlen & 1) == 0)
1538 				goto bad_size;
1539 			break;
1540 
1541 		case O_IP_SRC_SET:
1542 		case O_IP_DST_SET:
1543 			if (cmd->arg1 == 0 || cmd->arg1 > 256) {
1544 				printf("ipfw: invalid set size %d\n",
1545 					cmd->arg1);
1546 				return EINVAL;
1547 			}
1548 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
1549 			    (cmd->arg1+31)/32 )
1550 				goto bad_size;
1551 			break;
1552 
1553 		case O_IP_SRC_LOOKUP:
1554 		case O_IP_DST_LOOKUP:
1555 			if (cmd->arg1 >= V_fw_tables_max) {
1556 				printf("ipfw: invalid table number %d\n",
1557 				    cmd->arg1);
1558 				return (EINVAL);
1559 			}
1560 			if (cmdlen != F_INSN_SIZE(ipfw_insn) &&
1561 			    cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1 &&
1562 			    cmdlen != F_INSN_SIZE(ipfw_insn_u32))
1563 				goto bad_size;
1564 			ci->object_opcodes++;
1565 			break;
1566 		case O_IP_FLOW_LOOKUP:
1567 			if (cmd->arg1 >= V_fw_tables_max) {
1568 				printf("ipfw: invalid table number %d\n",
1569 				    cmd->arg1);
1570 				return (EINVAL);
1571 			}
1572 			if (cmdlen != F_INSN_SIZE(ipfw_insn) &&
1573 			    cmdlen != F_INSN_SIZE(ipfw_insn_u32))
1574 				goto bad_size;
1575 			ci->object_opcodes++;
1576 			break;
1577 		case O_MACADDR2:
1578 			if (cmdlen != F_INSN_SIZE(ipfw_insn_mac))
1579 				goto bad_size;
1580 			break;
1581 
1582 		case O_NOP:
1583 		case O_IPID:
1584 		case O_IPTTL:
1585 		case O_IPLEN:
1586 		case O_TCPDATALEN:
1587 		case O_TCPWIN:
1588 		case O_TAGGED:
1589 			if (cmdlen < 1 || cmdlen > 31)
1590 				goto bad_size;
1591 			break;
1592 
1593 		case O_DSCP:
1594 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1)
1595 				goto bad_size;
1596 			break;
1597 
1598 		case O_MAC_TYPE:
1599 		case O_IP_SRCPORT:
1600 		case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */
1601 			if (cmdlen < 2 || cmdlen > 31)
1602 				goto bad_size;
1603 			break;
1604 
1605 		case O_RECV:
1606 		case O_XMIT:
1607 		case O_VIA:
1608 			if (cmdlen != F_INSN_SIZE(ipfw_insn_if))
1609 				goto bad_size;
1610 			ci->object_opcodes++;
1611 			break;
1612 
1613 		case O_ALTQ:
1614 			if (cmdlen != F_INSN_SIZE(ipfw_insn_altq))
1615 				goto bad_size;
1616 			break;
1617 
1618 		case O_PIPE:
1619 		case O_QUEUE:
1620 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
1621 				goto bad_size;
1622 			goto check_action;
1623 
1624 		case O_FORWARD_IP:
1625 			if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
1626 				goto bad_size;
1627 			goto check_action;
1628 #ifdef INET6
1629 		case O_FORWARD_IP6:
1630 			if (cmdlen != F_INSN_SIZE(ipfw_insn_sa6))
1631 				goto bad_size;
1632 			goto check_action;
1633 #endif /* INET6 */
1634 
1635 		case O_DIVERT:
1636 		case O_TEE:
1637 			if (ip_divert_ptr == NULL)
1638 				return EINVAL;
1639 			else
1640 				goto check_size;
1641 		case O_NETGRAPH:
1642 		case O_NGTEE:
1643 			if (ng_ipfw_input_p == NULL)
1644 				return EINVAL;
1645 			else
1646 				goto check_size;
1647 		case O_NAT:
1648 			if (!IPFW_NAT_LOADED)
1649 				return EINVAL;
1650 			if (cmdlen != F_INSN_SIZE(ipfw_insn_nat))
1651  				goto bad_size;
1652  			goto check_action;
1653 		case O_FORWARD_MAC: /* XXX not implemented yet */
1654 		case O_CHECK_STATE:
1655 		case O_COUNT:
1656 		case O_ACCEPT:
1657 		case O_DENY:
1658 		case O_REJECT:
1659 		case O_SETDSCP:
1660 #ifdef INET6
1661 		case O_UNREACH6:
1662 #endif
1663 		case O_SKIPTO:
1664 		case O_REASS:
1665 		case O_CALLRETURN:
1666 check_size:
1667 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
1668 				goto bad_size;
1669 check_action:
1670 			if (have_action) {
1671 				printf("ipfw: opcode %d, multiple actions"
1672 					" not allowed\n",
1673 					cmd->opcode);
1674 				return (EINVAL);
1675 			}
1676 			have_action = 1;
1677 			if (l != cmdlen) {
1678 				printf("ipfw: opcode %d, action must be"
1679 					" last opcode\n",
1680 					cmd->opcode);
1681 				return (EINVAL);
1682 			}
1683 			break;
1684 #ifdef INET6
1685 		case O_IP6_SRC:
1686 		case O_IP6_DST:
1687 			if (cmdlen != F_INSN_SIZE(struct in6_addr) +
1688 			    F_INSN_SIZE(ipfw_insn))
1689 				goto bad_size;
1690 			break;
1691 
1692 		case O_FLOW6ID:
1693 			if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
1694 			    ((ipfw_insn_u32 *)cmd)->o.arg1)
1695 				goto bad_size;
1696 			break;
1697 
1698 		case O_IP6_SRC_MASK:
1699 		case O_IP6_DST_MASK:
1700 			if ( !(cmdlen & 1) || cmdlen > 127)
1701 				goto bad_size;
1702 			break;
1703 		case O_ICMP6TYPE:
1704 			if( cmdlen != F_INSN_SIZE( ipfw_insn_icmp6 ) )
1705 				goto bad_size;
1706 			break;
1707 #endif
1708 
1709 		default:
1710 			switch (cmd->opcode) {
1711 #ifndef INET6
1712 			case O_IP6_SRC_ME:
1713 			case O_IP6_DST_ME:
1714 			case O_EXT_HDR:
1715 			case O_IP6:
1716 			case O_UNREACH6:
1717 			case O_IP6_SRC:
1718 			case O_IP6_DST:
1719 			case O_FLOW6ID:
1720 			case O_IP6_SRC_MASK:
1721 			case O_IP6_DST_MASK:
1722 			case O_ICMP6TYPE:
1723 				printf("ipfw: no IPv6 support in kernel\n");
1724 				return (EPROTONOSUPPORT);
1725 #endif
1726 			default:
1727 				printf("ipfw: opcode %d, unknown opcode\n",
1728 					cmd->opcode);
1729 				return (EINVAL);
1730 			}
1731 		}
1732 	}
1733 	if (have_action == 0) {
1734 		printf("ipfw: missing action\n");
1735 		return (EINVAL);
1736 	}
1737 	return 0;
1738 
1739 bad_size:
1740 	printf("ipfw: opcode %d size %d wrong\n",
1741 		cmd->opcode, cmdlen);
1742 	return (EINVAL);
1743 }
1744 
1745 
1746 /*
1747  * Translation of requests for compatibility with FreeBSD 7.2/8.
1748  * a static variable tells us if we have an old client from userland,
1749  * and if necessary we translate requests and responses between the
1750  * two formats.
1751  */
1752 static int is7 = 0;
1753 
1754 struct ip_fw7 {
1755 	struct ip_fw7	*next;		/* linked list of rules     */
1756 	struct ip_fw7	*next_rule;	/* ptr to next [skipto] rule    */
1757 	/* 'next_rule' is used to pass up 'set_disable' status      */
1758 
1759 	uint16_t	act_ofs;	/* offset of action in 32-bit units */
1760 	uint16_t	cmd_len;	/* # of 32-bit words in cmd */
1761 	uint16_t	rulenum;	/* rule number          */
1762 	uint8_t		set;		/* rule set (0..31)     */
1763 	// #define RESVD_SET   31  /* set for default and persistent rules */
1764 	uint8_t		_pad;		/* padding          */
1765 	// uint32_t        id;             /* rule id, only in v.8 */
1766 	/* These fields are present in all rules.           */
1767 	uint64_t	pcnt;		/* Packet counter       */
1768 	uint64_t	bcnt;		/* Byte counter         */
1769 	uint32_t	timestamp;	/* tv_sec of last match     */
1770 
1771 	ipfw_insn	cmd[1];		/* storage for commands     */
1772 };
1773 
1774 static int convert_rule_to_7(struct ip_fw_rule0 *rule);
1775 static int convert_rule_to_8(struct ip_fw_rule0 *rule);
1776 
1777 #ifndef RULESIZE7
1778 #define RULESIZE7(rule)  (sizeof(struct ip_fw7) + \
1779 	((struct ip_fw7 *)(rule))->cmd_len * 4 - 4)
1780 #endif
1781 
1782 
1783 /*
1784  * Copy the static and dynamic rules to the supplied buffer
1785  * and return the amount of space actually used.
1786  * Must be run under IPFW_UH_RLOCK
1787  */
1788 static size_t
1789 ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space)
1790 {
1791 	char *bp = buf;
1792 	char *ep = bp + space;
1793 	struct ip_fw *rule;
1794 	struct ip_fw_rule0 *dst;
1795 	int error, i, l, warnflag;
1796 	time_t	boot_seconds;
1797 
1798 	warnflag = 0;
1799 
1800         boot_seconds = boottime.tv_sec;
1801 	for (i = 0; i < chain->n_rules; i++) {
1802 		rule = chain->map[i];
1803 
1804 		if (is7) {
1805 		    /* Convert rule to FreeBSd 7.2 format */
1806 		    l = RULESIZE7(rule);
1807 		    if (bp + l + sizeof(uint32_t) <= ep) {
1808 			bcopy(rule, bp, l + sizeof(uint32_t));
1809 			error = set_legacy_obj_kidx(chain,
1810 			    (struct ip_fw_rule0 *)bp);
1811 			if (error != 0)
1812 				return (0);
1813 			error = convert_rule_to_7((struct ip_fw_rule0 *) bp);
1814 			if (error)
1815 				return 0; /*XXX correct? */
1816 			/*
1817 			 * XXX HACK. Store the disable mask in the "next"
1818 			 * pointer in a wild attempt to keep the ABI the same.
1819 			 * Why do we do this on EVERY rule?
1820 			 */
1821 			bcopy(&V_set_disable,
1822 				&(((struct ip_fw7 *)bp)->next_rule),
1823 				sizeof(V_set_disable));
1824 			if (((struct ip_fw7 *)bp)->timestamp)
1825 			    ((struct ip_fw7 *)bp)->timestamp += boot_seconds;
1826 			bp += l;
1827 		    }
1828 		    continue; /* go to next rule */
1829 		}
1830 
1831 		l = RULEUSIZE0(rule);
1832 		if (bp + l > ep) { /* should not happen */
1833 			printf("overflow dumping static rules\n");
1834 			break;
1835 		}
1836 		dst = (struct ip_fw_rule0 *)bp;
1837 		export_rule0(rule, dst, l);
1838 		error = set_legacy_obj_kidx(chain, dst);
1839 
1840 		/*
1841 		 * XXX HACK. Store the disable mask in the "next"
1842 		 * pointer in a wild attempt to keep the ABI the same.
1843 		 * Why do we do this on EVERY rule?
1844 		 *
1845 		 * XXX: "ipfw set show" (ab)uses IP_FW_GET to read disabled mask
1846 		 * so we need to fail _after_ saving at least one mask.
1847 		 */
1848 		bcopy(&V_set_disable, &dst->next_rule, sizeof(V_set_disable));
1849 		if (dst->timestamp)
1850 			dst->timestamp += boot_seconds;
1851 		bp += l;
1852 
1853 		if (error != 0) {
1854 			if (error == 2) {
1855 				/* Non-fatal table rewrite error. */
1856 				warnflag = 1;
1857 				continue;
1858 			}
1859 			printf("Stop on rule %d. Fail to convert table\n",
1860 			    rule->rulenum);
1861 			break;
1862 		}
1863 	}
1864 	if (warnflag != 0)
1865 		printf("ipfw: process %s is using legacy interfaces,"
1866 		    " consider rebuilding\n", "");
1867 	ipfw_get_dynamic(chain, &bp, ep); /* protected by the dynamic lock */
1868 	return (bp - (char *)buf);
1869 }
1870 
1871 
1872 struct dump_args {
1873 	uint32_t	b;	/* start rule */
1874 	uint32_t	e;	/* end rule */
1875 	uint32_t	rcount;	/* number of rules */
1876 	uint32_t	rsize;	/* rules size */
1877 	uint32_t	tcount;	/* number of tables */
1878 	int		rcounters;	/* counters */
1879 };
1880 
1881 void
1882 ipfw_export_obj_ntlv(struct named_object *no, ipfw_obj_ntlv *ntlv)
1883 {
1884 
1885 	ntlv->head.type = no->etlv;
1886 	ntlv->head.length = sizeof(*ntlv);
1887 	ntlv->idx = no->kidx;
1888 	strlcpy(ntlv->name, no->name, sizeof(ntlv->name));
1889 }
1890 
1891 /*
1892  * Export named object info in instance @ni, identified by @kidx
1893  * to ipfw_obj_ntlv. TLV is allocated from @sd space.
1894  *
1895  * Returns 0 on success.
1896  */
1897 static int
1898 export_objhash_ntlv(struct namedobj_instance *ni, uint16_t kidx,
1899     struct sockopt_data *sd)
1900 {
1901 	struct named_object *no;
1902 	ipfw_obj_ntlv *ntlv;
1903 
1904 	no = ipfw_objhash_lookup_kidx(ni, kidx);
1905 	KASSERT(no != NULL, ("invalid object kernel index passed"));
1906 
1907 	ntlv = (ipfw_obj_ntlv *)ipfw_get_sopt_space(sd, sizeof(*ntlv));
1908 	if (ntlv == NULL)
1909 		return (ENOMEM);
1910 
1911 	ipfw_export_obj_ntlv(no, ntlv);
1912 	return (0);
1913 }
1914 
1915 /*
1916  * Dumps static rules with table TLVs in buffer @sd.
1917  *
1918  * Returns 0 on success.
1919  */
1920 static int
1921 dump_static_rules(struct ip_fw_chain *chain, struct dump_args *da,
1922     uint32_t *bmask, struct sockopt_data *sd)
1923 {
1924 	int error;
1925 	int i, l;
1926 	uint32_t tcount;
1927 	ipfw_obj_ctlv *ctlv;
1928 	struct ip_fw *krule;
1929 	struct namedobj_instance *ni;
1930 	caddr_t dst;
1931 
1932 	/* Dump table names first (if any) */
1933 	if (da->tcount > 0) {
1934 		/* Header first */
1935 		ctlv = (ipfw_obj_ctlv *)ipfw_get_sopt_space(sd, sizeof(*ctlv));
1936 		if (ctlv == NULL)
1937 			return (ENOMEM);
1938 		ctlv->head.type = IPFW_TLV_TBLNAME_LIST;
1939 		ctlv->head.length = da->tcount * sizeof(ipfw_obj_ntlv) +
1940 		    sizeof(*ctlv);
1941 		ctlv->count = da->tcount;
1942 		ctlv->objsize = sizeof(ipfw_obj_ntlv);
1943 	}
1944 
1945 	i = 0;
1946 	tcount = da->tcount;
1947 	ni = ipfw_get_table_objhash(chain);
1948 	while (tcount > 0) {
1949 		if ((bmask[i / 32] & (1 << (i % 32))) == 0) {
1950 			i++;
1951 			continue;
1952 		}
1953 
1954 		/* Jump to shared named object bitmask */
1955 		if (i >= IPFW_TABLES_MAX) {
1956 			ni = CHAIN_TO_SRV(chain);
1957 			i -= IPFW_TABLES_MAX;
1958 			bmask += IPFW_TABLES_MAX / 32;
1959 		}
1960 
1961 		if ((error = export_objhash_ntlv(ni, i, sd)) != 0)
1962 			return (error);
1963 
1964 		i++;
1965 		tcount--;
1966 	}
1967 
1968 	/* Dump rules */
1969 	ctlv = (ipfw_obj_ctlv *)ipfw_get_sopt_space(sd, sizeof(*ctlv));
1970 	if (ctlv == NULL)
1971 		return (ENOMEM);
1972 	ctlv->head.type = IPFW_TLV_RULE_LIST;
1973 	ctlv->head.length = da->rsize + sizeof(*ctlv);
1974 	ctlv->count = da->rcount;
1975 
1976 	for (i = da->b; i < da->e; i++) {
1977 		krule = chain->map[i];
1978 
1979 		l = RULEUSIZE1(krule) + sizeof(ipfw_obj_tlv);
1980 		if (da->rcounters != 0)
1981 			l += sizeof(struct ip_fw_bcounter);
1982 		dst = (caddr_t)ipfw_get_sopt_space(sd, l);
1983 		if (dst == NULL)
1984 			return (ENOMEM);
1985 
1986 		export_rule1(krule, dst, l, da->rcounters);
1987 	}
1988 
1989 	return (0);
1990 }
1991 
1992 /*
1993  * Marks every object index used in @rule with bit in @bmask.
1994  * Used to generate bitmask of referenced tables/objects for given ruleset
1995  * or its part.
1996  *
1997  * Returns number of newly-referenced objects.
1998  */
1999 static int
2000 mark_object_kidx(struct ip_fw_chain *ch, struct ip_fw *rule,
2001     uint32_t *bmask)
2002 {
2003 	int cmdlen, l, count;
2004 	ipfw_insn *cmd;
2005 	uint16_t kidx;
2006 	struct opcode_obj_rewrite *rw;
2007 	int bidx;
2008 	uint8_t subtype;
2009 
2010 	l = rule->cmd_len;
2011 	cmd = rule->cmd;
2012 	cmdlen = 0;
2013 	count = 0;
2014 	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
2015 		cmdlen = F_LEN(cmd);
2016 
2017 		rw = ipfw_find_op_rw(cmd->opcode);
2018 		if (rw == NULL)
2019 			continue;
2020 
2021 		if (rw->classifier(cmd, &kidx, &subtype) != 0)
2022 			continue;
2023 
2024 		bidx = kidx / 32;
2025 		/* Maintain separate bitmasks for table and non-table objects */
2026 		if (rw->etlv != IPFW_TLV_TBL_NAME)
2027 			bidx += IPFW_TABLES_MAX / 32;
2028 
2029 		if ((bmask[bidx] & (1 << (kidx % 32))) == 0)
2030 			count++;
2031 
2032 		bmask[bidx] |= 1 << (kidx % 32);
2033 	}
2034 
2035 	return (count);
2036 }
2037 
2038 /*
2039  * Dumps requested objects data
2040  * Data layout (version 0)(current):
2041  * Request: [ ipfw_cfg_lheader ] + IPFW_CFG_GET_* flags
2042  *   size = ipfw_cfg_lheader.size
2043  * Reply: [ ipfw_cfg_lheader
2044  *   [ ipfw_obj_ctlv(IPFW_TLV_TBL_LIST) ipfw_obj_ntlv x N ] (optional)
2045  *   [ ipfw_obj_ctlv(IPFW_TLV_RULE_LIST)
2046  *     ipfw_obj_tlv(IPFW_TLV_RULE_ENT) [ ip_fw_bcounter (optional) ip_fw_rule ]
2047  *   ] (optional)
2048  *   [ ipfw_obj_ctlv(IPFW_TLV_STATE_LIST) ipfw_obj_dyntlv x N ] (optional)
2049  * ]
2050  * * NOTE IPFW_TLV_STATE_LIST has the single valid field: objsize.
2051  * The rest (size, count) are set to zero and needs to be ignored.
2052  *
2053  * Returns 0 on success.
2054  */
2055 static int
2056 dump_config(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
2057     struct sockopt_data *sd)
2058 {
2059 	ipfw_cfg_lheader *hdr;
2060 	struct ip_fw *rule;
2061 	size_t sz, rnum;
2062 	uint32_t hdr_flags;
2063 	int error, i;
2064 	struct dump_args da;
2065 	uint32_t *bmask;
2066 
2067 	hdr = (ipfw_cfg_lheader *)ipfw_get_sopt_header(sd, sizeof(*hdr));
2068 	if (hdr == NULL)
2069 		return (EINVAL);
2070 
2071 	error = 0;
2072 	bmask = NULL;
2073 	/* Allocate needed state. Note we allocate 2xspace mask, for table&srv  */
2074 	if (hdr->flags & IPFW_CFG_GET_STATIC)
2075 		bmask = malloc(IPFW_TABLES_MAX / 4, M_TEMP, M_WAITOK | M_ZERO);
2076 
2077 	IPFW_UH_RLOCK(chain);
2078 
2079 	/*
2080 	 * STAGE 1: Determine size/count for objects in range.
2081 	 * Prepare used tables bitmask.
2082 	 */
2083 	sz = sizeof(ipfw_cfg_lheader);
2084 	memset(&da, 0, sizeof(da));
2085 
2086 	da.b = 0;
2087 	da.e = chain->n_rules;
2088 
2089 	if (hdr->end_rule != 0) {
2090 		/* Handle custom range */
2091 		if ((rnum = hdr->start_rule) > IPFW_DEFAULT_RULE)
2092 			rnum = IPFW_DEFAULT_RULE;
2093 		da.b = ipfw_find_rule(chain, rnum, 0);
2094 		rnum = hdr->end_rule;
2095 		rnum = (rnum < IPFW_DEFAULT_RULE) ? rnum+1 : IPFW_DEFAULT_RULE;
2096 		da.e = ipfw_find_rule(chain, rnum, 0) + 1;
2097 	}
2098 
2099 	if (hdr->flags & IPFW_CFG_GET_STATIC) {
2100 		for (i = da.b; i < da.e; i++) {
2101 			rule = chain->map[i];
2102 			da.rsize += RULEUSIZE1(rule) + sizeof(ipfw_obj_tlv);
2103 			da.rcount++;
2104 			/* Update bitmask of used objects for given range */
2105 			da.tcount += mark_object_kidx(chain, rule, bmask);
2106 		}
2107 		/* Add counters if requested */
2108 		if (hdr->flags & IPFW_CFG_GET_COUNTERS) {
2109 			da.rsize += sizeof(struct ip_fw_bcounter) * da.rcount;
2110 			da.rcounters = 1;
2111 		}
2112 
2113 		if (da.tcount > 0)
2114 			sz += da.tcount * sizeof(ipfw_obj_ntlv) +
2115 			    sizeof(ipfw_obj_ctlv);
2116 		sz += da.rsize + sizeof(ipfw_obj_ctlv);
2117 	}
2118 
2119 	if (hdr->flags & IPFW_CFG_GET_STATES)
2120 		sz += ipfw_dyn_get_count() * sizeof(ipfw_obj_dyntlv) +
2121 		     sizeof(ipfw_obj_ctlv);
2122 
2123 
2124 	/*
2125 	 * Fill header anyway.
2126 	 * Note we have to save header fields to stable storage
2127 	 * buffer inside @sd can be flushed after dumping rules
2128 	 */
2129 	hdr->size = sz;
2130 	hdr->set_mask = ~V_set_disable;
2131 	hdr_flags = hdr->flags;
2132 	hdr = NULL;
2133 
2134 	if (sd->valsize < sz) {
2135 		error = ENOMEM;
2136 		goto cleanup;
2137 	}
2138 
2139 	/* STAGE2: Store actual data */
2140 	if (hdr_flags & IPFW_CFG_GET_STATIC) {
2141 		error = dump_static_rules(chain, &da, bmask, sd);
2142 		if (error != 0)
2143 			goto cleanup;
2144 	}
2145 
2146 	if (hdr_flags & IPFW_CFG_GET_STATES)
2147 		error = ipfw_dump_states(chain, sd);
2148 
2149 cleanup:
2150 	IPFW_UH_RUNLOCK(chain);
2151 
2152 	if (bmask != NULL)
2153 		free(bmask, M_TEMP);
2154 
2155 	return (error);
2156 }
2157 
2158 int
2159 ipfw_check_object_name_generic(const char *name)
2160 {
2161 	int nsize;
2162 
2163 	nsize = sizeof(((ipfw_obj_ntlv *)0)->name);
2164 	if (strnlen(name, nsize) == nsize)
2165 		return (EINVAL);
2166 	if (name[0] == '\0')
2167 		return (EINVAL);
2168 	return (0);
2169 }
2170 
2171 /*
2172  * Creates non-existent objects referenced by rule.
2173  *
2174  * Return 0 on success.
2175  */
2176 int
2177 create_objects_compat(struct ip_fw_chain *ch, ipfw_insn *cmd,
2178     struct obj_idx *oib, struct obj_idx *pidx, struct tid_info *ti)
2179 {
2180 	struct opcode_obj_rewrite *rw;
2181 	struct obj_idx *p;
2182 	uint16_t kidx;
2183 	int error;
2184 
2185 	/*
2186 	 * Compatibility stuff: do actual creation for non-existing,
2187 	 * but referenced objects.
2188 	 */
2189 	for (p = oib; p < pidx; p++) {
2190 		if (p->kidx != 0)
2191 			continue;
2192 
2193 		ti->uidx = p->uidx;
2194 		ti->type = p->type;
2195 		ti->atype = 0;
2196 
2197 		rw = ipfw_find_op_rw((cmd + p->off)->opcode);
2198 		KASSERT(rw != NULL, ("Unable to find handler for op %d",
2199 		    (cmd + p->off)->opcode));
2200 
2201 		error = rw->create_object(ch, ti, &kidx);
2202 		if (error == 0) {
2203 			p->kidx = kidx;
2204 			continue;
2205 		}
2206 
2207 		/*
2208 		 * Error happened. We have to rollback everything.
2209 		 * Drop all already acquired references.
2210 		 */
2211 		IPFW_UH_WLOCK(ch);
2212 		unref_oib_objects(ch, cmd, oib, pidx);
2213 		IPFW_UH_WUNLOCK(ch);
2214 
2215 		return (error);
2216 	}
2217 
2218 	return (0);
2219 }
2220 
2221 /*
2222  * Compatibility function for old ipfw(8) binaries.
2223  * Rewrites table/nat kernel indices with userland ones.
2224  * Convert tables matching '/^\d+$/' to their atoi() value.
2225  * Use number 65535 for other tables.
2226  *
2227  * Returns 0 on success.
2228  */
2229 static int
2230 set_legacy_obj_kidx(struct ip_fw_chain *ch, struct ip_fw_rule0 *rule)
2231 {
2232 	int cmdlen, error, l;
2233 	ipfw_insn *cmd;
2234 	uint16_t kidx, uidx;
2235 	struct named_object *no;
2236 	struct opcode_obj_rewrite *rw;
2237 	uint8_t subtype;
2238 	char *end;
2239 	long val;
2240 
2241 	error = 0;
2242 
2243 	l = rule->cmd_len;
2244 	cmd = rule->cmd;
2245 	cmdlen = 0;
2246 	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
2247 		cmdlen = F_LEN(cmd);
2248 
2249 		rw = ipfw_find_op_rw(cmd->opcode);
2250 		if (rw == NULL)
2251 			continue;
2252 
2253 		/* Check if is index in given opcode */
2254 		if (rw->classifier(cmd, &kidx, &subtype) != 0)
2255 			continue;
2256 
2257 		/* Try to find referenced kernel object */
2258 		no = rw->find_bykidx(ch, kidx);
2259 		if (no == NULL)
2260 			continue;
2261 
2262 		val = strtol(no->name, &end, 10);
2263 		if (*end == '\0' && val < 65535) {
2264 			uidx = val;
2265 		} else {
2266 
2267 			/*
2268 			 * We are called via legacy opcode.
2269 			 * Save error and show table as fake number
2270 			 * not to make ipfw(8) hang.
2271 			 */
2272 			uidx = 65535;
2273 			error = 2;
2274 		}
2275 
2276 		rw->update(cmd, uidx);
2277 	}
2278 
2279 	return (error);
2280 }
2281 
2282 
2283 /*
2284  * Unreferences all already-referenced objects in given @cmd rule,
2285  * using information in @oib.
2286  *
2287  * Used to rollback partially converted rule on error.
2288  */
2289 void
2290 unref_oib_objects(struct ip_fw_chain *ch, ipfw_insn *cmd, struct obj_idx *oib,
2291     struct obj_idx *end)
2292 {
2293 	struct opcode_obj_rewrite *rw;
2294 	struct named_object *no;
2295 	struct obj_idx *p;
2296 
2297 	IPFW_UH_WLOCK_ASSERT(ch);
2298 
2299 	for (p = oib; p < end; p++) {
2300 		if (p->kidx == 0)
2301 			continue;
2302 
2303 		rw = ipfw_find_op_rw((cmd + p->off)->opcode);
2304 		KASSERT(rw != NULL, ("Unable to find handler for op %d",
2305 		    (cmd + p->off)->opcode));
2306 
2307 		/* Find & unref by existing idx */
2308 		no = rw->find_bykidx(ch, p->kidx);
2309 		KASSERT(no != NULL, ("Ref'd object %d disappeared", p->kidx));
2310 		no->refcnt--;
2311 	}
2312 }
2313 
2314 /*
2315  * Remove references from every object used in @rule.
2316  * Used at rule removal code.
2317  */
2318 static void
2319 unref_rule_objects(struct ip_fw_chain *ch, struct ip_fw *rule)
2320 {
2321 	int cmdlen, l;
2322 	ipfw_insn *cmd;
2323 	struct named_object *no;
2324 	uint16_t kidx;
2325 	struct opcode_obj_rewrite *rw;
2326 	uint8_t subtype;
2327 
2328 	IPFW_UH_WLOCK_ASSERT(ch);
2329 
2330 	l = rule->cmd_len;
2331 	cmd = rule->cmd;
2332 	cmdlen = 0;
2333 	for ( ;	l > 0 ; l -= cmdlen, cmd += cmdlen) {
2334 		cmdlen = F_LEN(cmd);
2335 
2336 		rw = ipfw_find_op_rw(cmd->opcode);
2337 		if (rw == NULL)
2338 			continue;
2339 		if (rw->classifier(cmd, &kidx, &subtype) != 0)
2340 			continue;
2341 
2342 		no = rw->find_bykidx(ch, kidx);
2343 
2344 		KASSERT(no != NULL, ("table id %d not found", kidx));
2345 		KASSERT(no->subtype == subtype,
2346 		    ("wrong type %d (%d) for table id %d",
2347 		    no->subtype, subtype, kidx));
2348 		KASSERT(no->refcnt > 0, ("refcount for table %d is %d",
2349 		    kidx, no->refcnt));
2350 
2351 		if (no->refcnt == 1 && rw->destroy_object != NULL)
2352 			rw->destroy_object(ch, no);
2353 		else
2354 			no->refcnt--;
2355 	}
2356 }
2357 
2358 
2359 /*
2360  * Find and reference object (if any) stored in instruction @cmd.
2361  *
2362  * Saves object info in @pidx, sets
2363  *  - @found to 1 if object was found and references
2364  *  - @unresolved to 1 if object should exists but not found
2365  *
2366  * Returns non-zero value in case of error.
2367  */
2368 int
2369 ref_opcode_object(struct ip_fw_chain *ch, ipfw_insn *cmd, struct tid_info *ti,
2370     struct obj_idx *pidx, int *found, int *unresolved)
2371 {
2372 	struct named_object *no;
2373 	struct opcode_obj_rewrite *rw;
2374 	int error;
2375 
2376 	*found = 0;
2377 	*unresolved = 0;
2378 
2379 	/* Check if this opcode is candidate for rewrite */
2380 	rw = ipfw_find_op_rw(cmd->opcode);
2381 	if (rw == NULL)
2382 		return (0);
2383 
2384 	/* Check if we need to rewrite this opcode */
2385 	if (rw->classifier(cmd, &ti->uidx, &ti->type) != 0)
2386 		return (0);
2387 
2388 	/* Need to rewrite. Save necessary fields */
2389 	pidx->uidx = ti->uidx;
2390 	pidx->type = ti->type;
2391 
2392 	/* Try to find referenced kernel object */
2393 	error = rw->find_byname(ch, ti, &no);
2394 	if (error != 0)
2395 		return (error);
2396 	if (no == NULL) {
2397 		*unresolved = 1;
2398 		return (0);
2399 	}
2400 
2401 	/* Found. bump refcount */
2402 	*found = 1;
2403 	no->refcnt++;
2404 	pidx->kidx = no->kidx;
2405 
2406 	return (0);
2407 }
2408 
2409 /*
2410  * Adds one or more rules to ipfw @chain.
2411  * Data layout (version 0)(current):
2412  * Request:
2413  * [
2414  *   ip_fw3_opheader
2415  *   [ ipfw_obj_ctlv(IPFW_TLV_TBL_LIST) ipfw_obj_ntlv x N ] (optional *1)
2416  *   [ ipfw_obj_ctlv(IPFW_TLV_RULE_LIST) ip_fw x N ] (*2) (*3)
2417  * ]
2418  * Reply:
2419  * [
2420  *   ip_fw3_opheader
2421  *   [ ipfw_obj_ctlv(IPFW_TLV_TBL_LIST) ipfw_obj_ntlv x N ] (optional)
2422  *   [ ipfw_obj_ctlv(IPFW_TLV_RULE_LIST) ip_fw x N ]
2423  * ]
2424  *
2425  * Rules in reply are modified to store their actual ruleset number.
2426  *
2427  * (*1) TLVs inside IPFW_TLV_TBL_LIST needs to be sorted ascending
2428  * accoring to their idx field and there has to be no duplicates.
2429  * (*2) Numbered rules inside IPFW_TLV_RULE_LIST needs to be sorted ascending.
2430  * (*3) Each ip_fw structure needs to be aligned to u64 boundary.
2431  *
2432  * Returns 0 on success.
2433  */
2434 static int
2435 add_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
2436     struct sockopt_data *sd)
2437 {
2438 	ipfw_obj_ctlv *ctlv, *rtlv, *tstate;
2439 	ipfw_obj_ntlv *ntlv;
2440 	int clen, error, idx;
2441 	uint32_t count, read;
2442 	struct ip_fw_rule *r;
2443 	struct rule_check_info rci, *ci, *cbuf;
2444 	int i, rsize;
2445 
2446 	op3 = (ip_fw3_opheader *)ipfw_get_sopt_space(sd, sd->valsize);
2447 	ctlv = (ipfw_obj_ctlv *)(op3 + 1);
2448 
2449 	read = sizeof(ip_fw3_opheader);
2450 	rtlv = NULL;
2451 	tstate = NULL;
2452 	cbuf = NULL;
2453 	memset(&rci, 0, sizeof(struct rule_check_info));
2454 
2455 	if (read + sizeof(*ctlv) > sd->valsize)
2456 		return (EINVAL);
2457 
2458 	if (ctlv->head.type == IPFW_TLV_TBLNAME_LIST) {
2459 		clen = ctlv->head.length;
2460 		/* Check size and alignment */
2461 		if (clen > sd->valsize || clen < sizeof(*ctlv))
2462 			return (EINVAL);
2463 		if ((clen % sizeof(uint64_t)) != 0)
2464 			return (EINVAL);
2465 
2466 		/*
2467 		 * Some table names or other named objects.
2468 		 * Check for validness.
2469 		 */
2470 		count = (ctlv->head.length - sizeof(*ctlv)) / sizeof(*ntlv);
2471 		if (ctlv->count != count || ctlv->objsize != sizeof(*ntlv))
2472 			return (EINVAL);
2473 
2474 		/*
2475 		 * Check each TLV.
2476 		 * Ensure TLVs are sorted ascending and
2477 		 * there are no duplicates.
2478 		 */
2479 		idx = -1;
2480 		ntlv = (ipfw_obj_ntlv *)(ctlv + 1);
2481 		while (count > 0) {
2482 			if (ntlv->head.length != sizeof(ipfw_obj_ntlv))
2483 				return (EINVAL);
2484 
2485 			error = ipfw_check_object_name_generic(ntlv->name);
2486 			if (error != 0)
2487 				return (error);
2488 
2489 			if (ntlv->idx <= idx)
2490 				return (EINVAL);
2491 
2492 			idx = ntlv->idx;
2493 			count--;
2494 			ntlv++;
2495 		}
2496 
2497 		tstate = ctlv;
2498 		read += ctlv->head.length;
2499 		ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + ctlv->head.length);
2500 	}
2501 
2502 	if (read + sizeof(*ctlv) > sd->valsize)
2503 		return (EINVAL);
2504 
2505 	if (ctlv->head.type == IPFW_TLV_RULE_LIST) {
2506 		clen = ctlv->head.length;
2507 		if (clen + read > sd->valsize || clen < sizeof(*ctlv))
2508 			return (EINVAL);
2509 		if ((clen % sizeof(uint64_t)) != 0)
2510 			return (EINVAL);
2511 
2512 		/*
2513 		 * TODO: Permit adding multiple rules at once
2514 		 */
2515 		if (ctlv->count != 1)
2516 			return (ENOTSUP);
2517 
2518 		clen -= sizeof(*ctlv);
2519 
2520 		if (ctlv->count > clen / sizeof(struct ip_fw_rule))
2521 			return (EINVAL);
2522 
2523 		/* Allocate state for each rule or use stack */
2524 		if (ctlv->count == 1) {
2525 			memset(&rci, 0, sizeof(struct rule_check_info));
2526 			cbuf = &rci;
2527 		} else
2528 			cbuf = malloc(ctlv->count * sizeof(*ci), M_TEMP,
2529 			    M_WAITOK | M_ZERO);
2530 		ci = cbuf;
2531 
2532 		/*
2533 		 * Check each rule for validness.
2534 		 * Ensure numbered rules are sorted ascending
2535 		 * and properly aligned
2536 		 */
2537 		idx = 0;
2538 		r = (struct ip_fw_rule *)(ctlv + 1);
2539 		count = 0;
2540 		error = 0;
2541 		while (clen > 0) {
2542 			rsize = roundup2(RULESIZE(r), sizeof(uint64_t));
2543 			if (rsize > clen || ctlv->count <= count) {
2544 				error = EINVAL;
2545 				break;
2546 			}
2547 
2548 			ci->ctlv = tstate;
2549 			error = check_ipfw_rule1(r, rsize, ci);
2550 			if (error != 0)
2551 				break;
2552 
2553 			/* Check sorting */
2554 			if (r->rulenum != 0 && r->rulenum < idx) {
2555 				printf("rulenum %d idx %d\n", r->rulenum, idx);
2556 				error = EINVAL;
2557 				break;
2558 			}
2559 			idx = r->rulenum;
2560 
2561 			ci->urule = (caddr_t)r;
2562 
2563 			rsize = roundup2(rsize, sizeof(uint64_t));
2564 			clen -= rsize;
2565 			r = (struct ip_fw_rule *)((caddr_t)r + rsize);
2566 			count++;
2567 			ci++;
2568 		}
2569 
2570 		if (ctlv->count != count || error != 0) {
2571 			if (cbuf != &rci)
2572 				free(cbuf, M_TEMP);
2573 			return (EINVAL);
2574 		}
2575 
2576 		rtlv = ctlv;
2577 		read += ctlv->head.length;
2578 		ctlv = (ipfw_obj_ctlv *)((caddr_t)ctlv + ctlv->head.length);
2579 	}
2580 
2581 	if (read != sd->valsize || rtlv == NULL || rtlv->count == 0) {
2582 		if (cbuf != NULL && cbuf != &rci)
2583 			free(cbuf, M_TEMP);
2584 		return (EINVAL);
2585 	}
2586 
2587 	/*
2588 	 * Passed rules seems to be valid.
2589 	 * Allocate storage and try to add them to chain.
2590 	 */
2591 	for (i = 0, ci = cbuf; i < rtlv->count; i++, ci++) {
2592 		clen = RULEKSIZE1((struct ip_fw_rule *)ci->urule);
2593 		ci->krule = ipfw_alloc_rule(chain, clen);
2594 		import_rule1(ci);
2595 	}
2596 
2597 	if ((error = commit_rules(chain, cbuf, rtlv->count)) != 0) {
2598 		/* Free allocate krules */
2599 		for (i = 0, ci = cbuf; i < rtlv->count; i++, ci++)
2600 			free(ci->krule, M_IPFW);
2601 	}
2602 
2603 	if (cbuf != NULL && cbuf != &rci)
2604 		free(cbuf, M_TEMP);
2605 
2606 	return (error);
2607 }
2608 
2609 /*
2610  * Lists all sopts currently registered.
2611  * Data layout (v0)(current):
2612  * Request: [ ipfw_obj_lheader ], size = ipfw_obj_lheader.size
2613  * Reply: [ ipfw_obj_lheader ipfw_sopt_info x N ]
2614  *
2615  * Returns 0 on success
2616  */
2617 static int
2618 dump_soptcodes(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
2619     struct sockopt_data *sd)
2620 {
2621 	struct _ipfw_obj_lheader *olh;
2622 	ipfw_sopt_info *i;
2623 	struct ipfw_sopt_handler *sh;
2624 	uint32_t count, n, size;
2625 
2626 	olh = (struct _ipfw_obj_lheader *)ipfw_get_sopt_header(sd,sizeof(*olh));
2627 	if (olh == NULL)
2628 		return (EINVAL);
2629 	if (sd->valsize < olh->size)
2630 		return (EINVAL);
2631 
2632 	CTL3_LOCK();
2633 	count = ctl3_hsize;
2634 	size = count * sizeof(ipfw_sopt_info) + sizeof(ipfw_obj_lheader);
2635 
2636 	/* Fill in header regadless of buffer size */
2637 	olh->count = count;
2638 	olh->objsize = sizeof(ipfw_sopt_info);
2639 
2640 	if (size > olh->size) {
2641 		olh->size = size;
2642 		CTL3_UNLOCK();
2643 		return (ENOMEM);
2644 	}
2645 	olh->size = size;
2646 
2647 	for (n = 1; n <= count; n++) {
2648 		i = (ipfw_sopt_info *)ipfw_get_sopt_space(sd, sizeof(*i));
2649 		KASSERT(i != 0, ("previously checked buffer is not enough"));
2650 		sh = &ctl3_handlers[n];
2651 		i->opcode = sh->opcode;
2652 		i->version = sh->version;
2653 		i->refcnt = sh->refcnt;
2654 	}
2655 	CTL3_UNLOCK();
2656 
2657 	return (0);
2658 }
2659 
2660 /*
2661  * Compares two opcodes.
2662  * Used both in qsort() and bsearch().
2663  *
2664  * Returns 0 if match is found.
2665  */
2666 static int
2667 compare_opcodes(const void *_a, const void *_b)
2668 {
2669 	const struct opcode_obj_rewrite *a, *b;
2670 
2671 	a = (const struct opcode_obj_rewrite *)_a;
2672 	b = (const struct opcode_obj_rewrite *)_b;
2673 
2674 	if (a->opcode < b->opcode)
2675 		return (-1);
2676 	else if (a->opcode > b->opcode)
2677 		return (1);
2678 
2679 	return (0);
2680 }
2681 
2682 /*
2683  * Finds opcode object rewriter based on @code.
2684  *
2685  * Returns pointer to handler or NULL.
2686  */
2687 struct opcode_obj_rewrite *
2688 ipfw_find_op_rw(uint16_t opcode)
2689 {
2690 	struct opcode_obj_rewrite *rw, h;
2691 
2692 	memset(&h, 0, sizeof(h));
2693 	h.opcode = opcode;
2694 
2695 	rw = (struct opcode_obj_rewrite *)bsearch(&h, ctl3_rewriters,
2696 	    ctl3_rsize, sizeof(h), compare_opcodes);
2697 
2698 	return (rw);
2699 }
2700 
2701 int
2702 classify_opcode_kidx(ipfw_insn *cmd, uint16_t *puidx)
2703 {
2704 	struct opcode_obj_rewrite *rw;
2705 	uint8_t subtype;
2706 
2707 	rw = ipfw_find_op_rw(cmd->opcode);
2708 	if (rw == NULL)
2709 		return (1);
2710 
2711 	return (rw->classifier(cmd, puidx, &subtype));
2712 }
2713 
2714 void
2715 update_opcode_kidx(ipfw_insn *cmd, uint16_t idx)
2716 {
2717 	struct opcode_obj_rewrite *rw;
2718 
2719 	rw = ipfw_find_op_rw(cmd->opcode);
2720 	KASSERT(rw != NULL, ("No handler to update opcode %d", cmd->opcode));
2721 	rw->update(cmd, idx);
2722 }
2723 
2724 void
2725 ipfw_init_obj_rewriter()
2726 {
2727 
2728 	ctl3_rewriters = NULL;
2729 	ctl3_rsize = 0;
2730 }
2731 
2732 void
2733 ipfw_destroy_obj_rewriter()
2734 {
2735 
2736 	if (ctl3_rewriters != NULL)
2737 		free(ctl3_rewriters, M_IPFW);
2738 	ctl3_rewriters = NULL;
2739 	ctl3_rsize = 0;
2740 }
2741 
2742 /*
2743  * Adds one or more opcode object rewrite handlers to the global array.
2744  * Function may sleep.
2745  */
2746 void
2747 ipfw_add_obj_rewriter(struct opcode_obj_rewrite *rw, size_t count)
2748 {
2749 	size_t sz;
2750 	struct opcode_obj_rewrite *tmp;
2751 
2752 	CTL3_LOCK();
2753 
2754 	for (;;) {
2755 		sz = ctl3_rsize + count;
2756 		CTL3_UNLOCK();
2757 		tmp = malloc(sizeof(*rw) * sz, M_IPFW, M_WAITOK | M_ZERO);
2758 		CTL3_LOCK();
2759 		if (ctl3_rsize + count <= sz)
2760 			break;
2761 
2762 		/* Retry */
2763 		free(tmp, M_IPFW);
2764 	}
2765 
2766 	/* Merge old & new arrays */
2767 	sz = ctl3_rsize + count;
2768 	memcpy(tmp, ctl3_rewriters, ctl3_rsize * sizeof(*rw));
2769 	memcpy(&tmp[ctl3_rsize], rw, count * sizeof(*rw));
2770 	qsort(tmp, sz, sizeof(*rw), compare_opcodes);
2771 	/* Switch new and free old */
2772 	if (ctl3_rewriters != NULL)
2773 		free(ctl3_rewriters, M_IPFW);
2774 	ctl3_rewriters = tmp;
2775 	ctl3_rsize = sz;
2776 
2777 	CTL3_UNLOCK();
2778 }
2779 
2780 /*
2781  * Removes one or more object rewrite handlers from the global array.
2782  */
2783 int
2784 ipfw_del_obj_rewriter(struct opcode_obj_rewrite *rw, size_t count)
2785 {
2786 	size_t sz;
2787 	struct opcode_obj_rewrite *tmp, *h;
2788 	int i;
2789 
2790 	CTL3_LOCK();
2791 
2792 	for (i = 0; i < count; i++) {
2793 		tmp = &rw[i];
2794 		h = ipfw_find_op_rw(tmp->opcode);
2795 		if (h == NULL)
2796 			continue;
2797 
2798 		sz = (ctl3_rewriters + ctl3_rsize - (h + 1)) * sizeof(*h);
2799 		memmove(h, h + 1, sz);
2800 		ctl3_rsize--;
2801 	}
2802 
2803 	if (ctl3_rsize == 0) {
2804 		if (ctl3_rewriters != NULL)
2805 			free(ctl3_rewriters, M_IPFW);
2806 		ctl3_rewriters = NULL;
2807 	}
2808 
2809 	CTL3_UNLOCK();
2810 
2811 	return (0);
2812 }
2813 
2814 static void
2815 export_objhash_ntlv_internal(struct namedobj_instance *ni,
2816     struct named_object *no, void *arg)
2817 {
2818 	struct sockopt_data *sd;
2819 	ipfw_obj_ntlv *ntlv;
2820 
2821 	sd = (struct sockopt_data *)arg;
2822 	ntlv = (ipfw_obj_ntlv *)ipfw_get_sopt_space(sd, sizeof(*ntlv));
2823 	if (ntlv == NULL)
2824 		return;
2825 	ipfw_export_obj_ntlv(no, ntlv);
2826 }
2827 
2828 /*
2829  * Lists all service objects.
2830  * Data layout (v0)(current):
2831  * Request: [ ipfw_obj_lheader ] size = ipfw_cfg_lheader.size
2832  * Reply: [ ipfw_obj_lheader [ ipfw_obj_ntlv x N ] (optional) ]
2833  * Returns 0 on success
2834  */
2835 static int
2836 dump_srvobjects(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
2837     struct sockopt_data *sd)
2838 {
2839 	ipfw_obj_lheader *hdr;
2840 	int count;
2841 
2842 	hdr = (ipfw_obj_lheader *)ipfw_get_sopt_header(sd, sizeof(*hdr));
2843 	if (hdr == NULL)
2844 		return (EINVAL);
2845 
2846 	IPFW_UH_RLOCK(chain);
2847 	count = ipfw_objhash_count(CHAIN_TO_SRV(chain));
2848 	hdr->size = sizeof(ipfw_obj_lheader) + count * sizeof(ipfw_obj_ntlv);
2849 	if (sd->valsize < hdr->size) {
2850 		IPFW_UH_RUNLOCK(chain);
2851 		return (ENOMEM);
2852 	}
2853 	hdr->count = count;
2854 	hdr->objsize = sizeof(ipfw_obj_ntlv);
2855 	if (count > 0)
2856 		ipfw_objhash_foreach(CHAIN_TO_SRV(chain),
2857 		    export_objhash_ntlv_internal, sd);
2858 	IPFW_UH_RUNLOCK(chain);
2859 	return (0);
2860 }
2861 
2862 /*
2863  * Compares two sopt handlers (code, version and handler ptr).
2864  * Used both as qsort() and bsearch().
2865  * Does not compare handler for latter case.
2866  *
2867  * Returns 0 if match is found.
2868  */
2869 static int
2870 compare_sh(const void *_a, const void *_b)
2871 {
2872 	const struct ipfw_sopt_handler *a, *b;
2873 
2874 	a = (const struct ipfw_sopt_handler *)_a;
2875 	b = (const struct ipfw_sopt_handler *)_b;
2876 
2877 	if (a->opcode < b->opcode)
2878 		return (-1);
2879 	else if (a->opcode > b->opcode)
2880 		return (1);
2881 
2882 	if (a->version < b->version)
2883 		return (-1);
2884 	else if (a->version > b->version)
2885 		return (1);
2886 
2887 	/* bsearch helper */
2888 	if (a->handler == NULL)
2889 		return (0);
2890 
2891 	if ((uintptr_t)a->handler < (uintptr_t)b->handler)
2892 		return (-1);
2893 	else if ((uintptr_t)b->handler > (uintptr_t)b->handler)
2894 		return (1);
2895 
2896 	return (0);
2897 }
2898 
2899 /*
2900  * Finds sopt handler based on @code and @version.
2901  *
2902  * Returns pointer to handler or NULL.
2903  */
2904 static struct ipfw_sopt_handler *
2905 find_sh(uint16_t code, uint8_t version, sopt_handler_f *handler)
2906 {
2907 	struct ipfw_sopt_handler *sh, h;
2908 
2909 	memset(&h, 0, sizeof(h));
2910 	h.opcode = code;
2911 	h.version = version;
2912 	h.handler = handler;
2913 
2914 	sh = (struct ipfw_sopt_handler *)bsearch(&h, ctl3_handlers,
2915 	    ctl3_hsize, sizeof(h), compare_sh);
2916 
2917 	return (sh);
2918 }
2919 
2920 static int
2921 find_ref_sh(uint16_t opcode, uint8_t version, struct ipfw_sopt_handler *psh)
2922 {
2923 	struct ipfw_sopt_handler *sh;
2924 
2925 	CTL3_LOCK();
2926 	if ((sh = find_sh(opcode, version, NULL)) == NULL) {
2927 		CTL3_UNLOCK();
2928 		printf("ipfw: ipfw_ctl3 invalid option %d""v""%d\n",
2929 		    opcode, version);
2930 		return (EINVAL);
2931 	}
2932 	sh->refcnt++;
2933 	ctl3_refct++;
2934 	/* Copy handler data to requested buffer */
2935 	*psh = *sh;
2936 	CTL3_UNLOCK();
2937 
2938 	return (0);
2939 }
2940 
2941 static void
2942 find_unref_sh(struct ipfw_sopt_handler *psh)
2943 {
2944 	struct ipfw_sopt_handler *sh;
2945 
2946 	CTL3_LOCK();
2947 	sh = find_sh(psh->opcode, psh->version, NULL);
2948 	KASSERT(sh != NULL, ("ctl3 handler disappeared"));
2949 	sh->refcnt--;
2950 	ctl3_refct--;
2951 	CTL3_UNLOCK();
2952 }
2953 
2954 void
2955 ipfw_init_sopt_handler()
2956 {
2957 
2958 	CTL3_LOCK_INIT();
2959 	IPFW_ADD_SOPT_HANDLER(1, scodes);
2960 }
2961 
2962 void
2963 ipfw_destroy_sopt_handler()
2964 {
2965 
2966 	IPFW_DEL_SOPT_HANDLER(1, scodes);
2967 	CTL3_LOCK_DESTROY();
2968 }
2969 
2970 /*
2971  * Adds one or more sockopt handlers to the global array.
2972  * Function may sleep.
2973  */
2974 void
2975 ipfw_add_sopt_handler(struct ipfw_sopt_handler *sh, size_t count)
2976 {
2977 	size_t sz;
2978 	struct ipfw_sopt_handler *tmp;
2979 
2980 	CTL3_LOCK();
2981 
2982 	for (;;) {
2983 		sz = ctl3_hsize + count;
2984 		CTL3_UNLOCK();
2985 		tmp = malloc(sizeof(*sh) * sz, M_IPFW, M_WAITOK | M_ZERO);
2986 		CTL3_LOCK();
2987 		if (ctl3_hsize + count <= sz)
2988 			break;
2989 
2990 		/* Retry */
2991 		free(tmp, M_IPFW);
2992 	}
2993 
2994 	/* Merge old & new arrays */
2995 	sz = ctl3_hsize + count;
2996 	memcpy(tmp, ctl3_handlers, ctl3_hsize * sizeof(*sh));
2997 	memcpy(&tmp[ctl3_hsize], sh, count * sizeof(*sh));
2998 	qsort(tmp, sz, sizeof(*sh), compare_sh);
2999 	/* Switch new and free old */
3000 	if (ctl3_handlers != NULL)
3001 		free(ctl3_handlers, M_IPFW);
3002 	ctl3_handlers = tmp;
3003 	ctl3_hsize = sz;
3004 	ctl3_gencnt++;
3005 
3006 	CTL3_UNLOCK();
3007 }
3008 
3009 /*
3010  * Removes one or more sockopt handlers from the global array.
3011  */
3012 int
3013 ipfw_del_sopt_handler(struct ipfw_sopt_handler *sh, size_t count)
3014 {
3015 	size_t sz;
3016 	struct ipfw_sopt_handler *tmp, *h;
3017 	int i;
3018 
3019 	CTL3_LOCK();
3020 
3021 	for (i = 0; i < count; i++) {
3022 		tmp = &sh[i];
3023 		h = find_sh(tmp->opcode, tmp->version, tmp->handler);
3024 		if (h == NULL)
3025 			continue;
3026 
3027 		sz = (ctl3_handlers + ctl3_hsize - (h + 1)) * sizeof(*h);
3028 		memmove(h, h + 1, sz);
3029 		ctl3_hsize--;
3030 	}
3031 
3032 	if (ctl3_hsize == 0) {
3033 		if (ctl3_handlers != NULL)
3034 			free(ctl3_handlers, M_IPFW);
3035 		ctl3_handlers = NULL;
3036 	}
3037 
3038 	ctl3_gencnt++;
3039 
3040 	CTL3_UNLOCK();
3041 
3042 	return (0);
3043 }
3044 
3045 /*
3046  * Writes data accumulated in @sd to sockopt buffer.
3047  * Zeroes internal @sd buffer.
3048  */
3049 static int
3050 ipfw_flush_sopt_data(struct sockopt_data *sd)
3051 {
3052 	struct sockopt *sopt;
3053 	int error;
3054 	size_t sz;
3055 
3056 	sz = sd->koff;
3057 	if (sz == 0)
3058 		return (0);
3059 
3060 	sopt = sd->sopt;
3061 
3062 	if (sopt->sopt_dir == SOPT_GET) {
3063 		error = copyout(sd->kbuf, sopt->sopt_val, sz);
3064 		if (error != 0)
3065 			return (error);
3066 	}
3067 
3068 	memset(sd->kbuf, 0, sd->ksize);
3069 	sd->ktotal += sz;
3070 	sd->koff = 0;
3071 	if (sd->ktotal + sd->ksize < sd->valsize)
3072 		sd->kavail = sd->ksize;
3073 	else
3074 		sd->kavail = sd->valsize - sd->ktotal;
3075 
3076 	/* Update sopt buffer data */
3077 	sopt->sopt_valsize = sd->ktotal;
3078 	sopt->sopt_val = sd->sopt_val + sd->ktotal;
3079 
3080 	return (0);
3081 }
3082 
3083 /*
3084  * Ensures that @sd buffer has contigious @neeeded number of
3085  * bytes.
3086  *
3087  * Returns pointer to requested space or NULL.
3088  */
3089 caddr_t
3090 ipfw_get_sopt_space(struct sockopt_data *sd, size_t needed)
3091 {
3092 	int error;
3093 	caddr_t addr;
3094 
3095 	if (sd->kavail < needed) {
3096 		/*
3097 		 * Flush data and try another time.
3098 		 */
3099 		error = ipfw_flush_sopt_data(sd);
3100 
3101 		if (sd->kavail < needed || error != 0)
3102 			return (NULL);
3103 	}
3104 
3105 	addr = sd->kbuf + sd->koff;
3106 	sd->koff += needed;
3107 	sd->kavail -= needed;
3108 	return (addr);
3109 }
3110 
3111 /*
3112  * Requests @needed contigious bytes from @sd buffer.
3113  * Function is used to notify subsystem that we are
3114  * interesed in first @needed bytes (request header)
3115  * and the rest buffer can be safely zeroed.
3116  *
3117  * Returns pointer to requested space or NULL.
3118  */
3119 caddr_t
3120 ipfw_get_sopt_header(struct sockopt_data *sd, size_t needed)
3121 {
3122 	caddr_t addr;
3123 
3124 	if ((addr = ipfw_get_sopt_space(sd, needed)) == NULL)
3125 		return (NULL);
3126 
3127 	if (sd->kavail > 0)
3128 		memset(sd->kbuf + sd->koff, 0, sd->kavail);
3129 
3130 	return (addr);
3131 }
3132 
3133 /*
3134  * New sockopt handler.
3135  */
3136 int
3137 ipfw_ctl3(struct sockopt *sopt)
3138 {
3139 	int error, locked;
3140 	size_t size, valsize;
3141 	struct ip_fw_chain *chain;
3142 	char xbuf[256];
3143 	struct sockopt_data sdata;
3144 	struct ipfw_sopt_handler h;
3145 	ip_fw3_opheader *op3 = NULL;
3146 
3147 	error = priv_check(sopt->sopt_td, PRIV_NETINET_IPFW);
3148 	if (error != 0)
3149 		return (error);
3150 
3151 	if (sopt->sopt_name != IP_FW3)
3152 		return (ipfw_ctl(sopt));
3153 
3154 	chain = &V_layer3_chain;
3155 	error = 0;
3156 
3157 	/* Save original valsize before it is altered via sooptcopyin() */
3158 	valsize = sopt->sopt_valsize;
3159 	memset(&sdata, 0, sizeof(sdata));
3160 	/* Read op3 header first to determine actual operation */
3161 	op3 = (ip_fw3_opheader *)xbuf;
3162 	error = sooptcopyin(sopt, op3, sizeof(*op3), sizeof(*op3));
3163 	if (error != 0)
3164 		return (error);
3165 	sopt->sopt_valsize = valsize;
3166 
3167 	/*
3168 	 * Find and reference command.
3169 	 */
3170 	error = find_ref_sh(op3->opcode, op3->version, &h);
3171 	if (error != 0)
3172 		return (error);
3173 
3174 	/*
3175 	 * Disallow modifications in really-really secure mode, but still allow
3176 	 * the logging counters to be reset.
3177 	 */
3178 	if ((h.dir & HDIR_SET) != 0 && h.opcode != IP_FW_XRESETLOG) {
3179 		error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
3180 		if (error != 0) {
3181 			find_unref_sh(&h);
3182 			return (error);
3183 		}
3184 	}
3185 
3186 	/*
3187 	 * Fill in sockopt_data structure that may be useful for
3188 	 * IP_FW3 get requests.
3189 	 */
3190 	locked = 0;
3191 	if (valsize <= sizeof(xbuf)) {
3192 		/* use on-stack buffer */
3193 		sdata.kbuf = xbuf;
3194 		sdata.ksize = sizeof(xbuf);
3195 		sdata.kavail = valsize;
3196 	} else {
3197 
3198 		/*
3199 		 * Determine opcode type/buffer size:
3200 		 * allocate sliding-window buf for data export or
3201 		 * contigious buffer for special ops.
3202 		 */
3203 		if ((h.dir & HDIR_SET) != 0) {
3204 			/* Set request. Allocate contigous buffer. */
3205 			if (valsize > CTL3_LARGEBUF) {
3206 				find_unref_sh(&h);
3207 				return (EFBIG);
3208 			}
3209 
3210 			size = valsize;
3211 		} else {
3212 			/* Get request. Allocate sliding window buffer */
3213 			size = (valsize<CTL3_SMALLBUF) ? valsize:CTL3_SMALLBUF;
3214 
3215 			if (size < valsize) {
3216 				/* We have to wire user buffer */
3217 				error = vslock(sopt->sopt_val, valsize);
3218 				if (error != 0)
3219 					return (error);
3220 				locked = 1;
3221 			}
3222 		}
3223 
3224 		sdata.kbuf = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
3225 		sdata.ksize = size;
3226 		sdata.kavail = size;
3227 	}
3228 
3229 	sdata.sopt = sopt;
3230 	sdata.sopt_val = sopt->sopt_val;
3231 	sdata.valsize = valsize;
3232 
3233 	/*
3234 	 * Copy either all request (if valsize < bsize_max)
3235 	 * or first bsize_max bytes to guarantee most consumers
3236 	 * that all necessary data has been copied).
3237 	 * Anyway, copy not less than sizeof(ip_fw3_opheader).
3238 	 */
3239 	if ((error = sooptcopyin(sopt, sdata.kbuf, sdata.ksize,
3240 	    sizeof(ip_fw3_opheader))) != 0)
3241 		return (error);
3242 	op3 = (ip_fw3_opheader *)sdata.kbuf;
3243 
3244 	/* Finally, run handler */
3245 	error = h.handler(chain, op3, &sdata);
3246 	find_unref_sh(&h);
3247 
3248 	/* Flush state and free buffers */
3249 	if (error == 0)
3250 		error = ipfw_flush_sopt_data(&sdata);
3251 	else
3252 		ipfw_flush_sopt_data(&sdata);
3253 
3254 	if (locked != 0)
3255 		vsunlock(sdata.sopt_val, valsize);
3256 
3257 	/* Restore original pointer and set number of bytes written */
3258 	sopt->sopt_val = sdata.sopt_val;
3259 	sopt->sopt_valsize = sdata.ktotal;
3260 	if (sdata.kbuf != xbuf)
3261 		free(sdata.kbuf, M_TEMP);
3262 
3263 	return (error);
3264 }
3265 
3266 /**
3267  * {set|get}sockopt parser.
3268  */
3269 int
3270 ipfw_ctl(struct sockopt *sopt)
3271 {
3272 #define	RULE_MAXSIZE	(512*sizeof(u_int32_t))
3273 	int error;
3274 	size_t size, valsize;
3275 	struct ip_fw *buf;
3276 	struct ip_fw_rule0 *rule;
3277 	struct ip_fw_chain *chain;
3278 	u_int32_t rulenum[2];
3279 	uint32_t opt;
3280 	struct rule_check_info ci;
3281 	IPFW_RLOCK_TRACKER;
3282 
3283 	chain = &V_layer3_chain;
3284 	error = 0;
3285 
3286 	/* Save original valsize before it is altered via sooptcopyin() */
3287 	valsize = sopt->sopt_valsize;
3288 	opt = sopt->sopt_name;
3289 
3290 	/*
3291 	 * Disallow modifications in really-really secure mode, but still allow
3292 	 * the logging counters to be reset.
3293 	 */
3294 	if (opt == IP_FW_ADD ||
3295 	    (sopt->sopt_dir == SOPT_SET && opt != IP_FW_RESETLOG)) {
3296 		error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
3297 		if (error != 0)
3298 			return (error);
3299 	}
3300 
3301 	switch (opt) {
3302 	case IP_FW_GET:
3303 		/*
3304 		 * pass up a copy of the current rules. Static rules
3305 		 * come first (the last of which has number IPFW_DEFAULT_RULE),
3306 		 * followed by a possibly empty list of dynamic rule.
3307 		 * The last dynamic rule has NULL in the "next" field.
3308 		 *
3309 		 * Note that the calculated size is used to bound the
3310 		 * amount of data returned to the user.  The rule set may
3311 		 * change between calculating the size and returning the
3312 		 * data in which case we'll just return what fits.
3313 		 */
3314 		for (;;) {
3315 			int len = 0, want;
3316 
3317 			size = chain->static_len;
3318 			size += ipfw_dyn_len();
3319 			if (size >= sopt->sopt_valsize)
3320 				break;
3321 			buf = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
3322 			IPFW_UH_RLOCK(chain);
3323 			/* check again how much space we need */
3324 			want = chain->static_len + ipfw_dyn_len();
3325 			if (size >= want)
3326 				len = ipfw_getrules(chain, buf, size);
3327 			IPFW_UH_RUNLOCK(chain);
3328 			if (size >= want)
3329 				error = sooptcopyout(sopt, buf, len);
3330 			free(buf, M_TEMP);
3331 			if (size >= want)
3332 				break;
3333 		}
3334 		break;
3335 
3336 	case IP_FW_FLUSH:
3337 		/* locking is done within del_entry() */
3338 		error = del_entry(chain, 0); /* special case, rule=0, cmd=0 means all */
3339 		break;
3340 
3341 	case IP_FW_ADD:
3342 		rule = malloc(RULE_MAXSIZE, M_TEMP, M_WAITOK);
3343 		error = sooptcopyin(sopt, rule, RULE_MAXSIZE,
3344 			sizeof(struct ip_fw7) );
3345 
3346 		memset(&ci, 0, sizeof(struct rule_check_info));
3347 
3348 		/*
3349 		 * If the size of commands equals RULESIZE7 then we assume
3350 		 * a FreeBSD7.2 binary is talking to us (set is7=1).
3351 		 * is7 is persistent so the next 'ipfw list' command
3352 		 * will use this format.
3353 		 * NOTE: If wrong version is guessed (this can happen if
3354 		 *       the first ipfw command is 'ipfw [pipe] list')
3355 		 *       the ipfw binary may crash or loop infinitly...
3356 		 */
3357 		size = sopt->sopt_valsize;
3358 		if (size == RULESIZE7(rule)) {
3359 		    is7 = 1;
3360 		    error = convert_rule_to_8(rule);
3361 		    if (error) {
3362 			free(rule, M_TEMP);
3363 			return error;
3364 		    }
3365 		    size = RULESIZE(rule);
3366 		} else
3367 		    is7 = 0;
3368 		if (error == 0)
3369 			error = check_ipfw_rule0(rule, size, &ci);
3370 		if (error == 0) {
3371 			/* locking is done within add_rule() */
3372 			struct ip_fw *krule;
3373 			krule = ipfw_alloc_rule(chain, RULEKSIZE0(rule));
3374 			ci.urule = (caddr_t)rule;
3375 			ci.krule = krule;
3376 			import_rule0(&ci);
3377 			error = commit_rules(chain, &ci, 1);
3378 			if (!error && sopt->sopt_dir == SOPT_GET) {
3379 				if (is7) {
3380 					error = convert_rule_to_7(rule);
3381 					size = RULESIZE7(rule);
3382 					if (error) {
3383 						free(rule, M_TEMP);
3384 						return error;
3385 					}
3386 				}
3387 				error = sooptcopyout(sopt, rule, size);
3388 			}
3389 		}
3390 		free(rule, M_TEMP);
3391 		break;
3392 
3393 	case IP_FW_DEL:
3394 		/*
3395 		 * IP_FW_DEL is used for deleting single rules or sets,
3396 		 * and (ab)used to atomically manipulate sets. Argument size
3397 		 * is used to distinguish between the two:
3398 		 *    sizeof(u_int32_t)
3399 		 *	delete single rule or set of rules,
3400 		 *	or reassign rules (or sets) to a different set.
3401 		 *    2*sizeof(u_int32_t)
3402 		 *	atomic disable/enable sets.
3403 		 *	first u_int32_t contains sets to be disabled,
3404 		 *	second u_int32_t contains sets to be enabled.
3405 		 */
3406 		error = sooptcopyin(sopt, rulenum,
3407 			2*sizeof(u_int32_t), sizeof(u_int32_t));
3408 		if (error)
3409 			break;
3410 		size = sopt->sopt_valsize;
3411 		if (size == sizeof(u_int32_t) && rulenum[0] != 0) {
3412 			/* delete or reassign, locking done in del_entry() */
3413 			error = del_entry(chain, rulenum[0]);
3414 		} else if (size == 2*sizeof(u_int32_t)) { /* set enable/disable */
3415 			IPFW_UH_WLOCK(chain);
3416 			V_set_disable =
3417 			    (V_set_disable | rulenum[0]) & ~rulenum[1] &
3418 			    ~(1<<RESVD_SET); /* set RESVD_SET always enabled */
3419 			IPFW_UH_WUNLOCK(chain);
3420 		} else
3421 			error = EINVAL;
3422 		break;
3423 
3424 	case IP_FW_ZERO:
3425 	case IP_FW_RESETLOG: /* argument is an u_int_32, the rule number */
3426 		rulenum[0] = 0;
3427 		if (sopt->sopt_val != 0) {
3428 		    error = sooptcopyin(sopt, rulenum,
3429 			    sizeof(u_int32_t), sizeof(u_int32_t));
3430 		    if (error)
3431 			break;
3432 		}
3433 		error = zero_entry(chain, rulenum[0],
3434 			sopt->sopt_name == IP_FW_RESETLOG);
3435 		break;
3436 
3437 	/*--- TABLE opcodes ---*/
3438 	case IP_FW_TABLE_ADD:
3439 	case IP_FW_TABLE_DEL:
3440 		{
3441 			ipfw_table_entry ent;
3442 			struct tentry_info tei;
3443 			struct tid_info ti;
3444 			struct table_value v;
3445 
3446 			error = sooptcopyin(sopt, &ent,
3447 			    sizeof(ent), sizeof(ent));
3448 			if (error)
3449 				break;
3450 
3451 			memset(&tei, 0, sizeof(tei));
3452 			tei.paddr = &ent.addr;
3453 			tei.subtype = AF_INET;
3454 			tei.masklen = ent.masklen;
3455 			ipfw_import_table_value_legacy(ent.value, &v);
3456 			tei.pvalue = &v;
3457 			memset(&ti, 0, sizeof(ti));
3458 			ti.uidx = ent.tbl;
3459 			ti.type = IPFW_TABLE_CIDR;
3460 
3461 			error = (opt == IP_FW_TABLE_ADD) ?
3462 			    add_table_entry(chain, &ti, &tei, 0, 1) :
3463 			    del_table_entry(chain, &ti, &tei, 0, 1);
3464 		}
3465 		break;
3466 
3467 
3468 	case IP_FW_TABLE_FLUSH:
3469 		{
3470 			u_int16_t tbl;
3471 			struct tid_info ti;
3472 
3473 			error = sooptcopyin(sopt, &tbl,
3474 			    sizeof(tbl), sizeof(tbl));
3475 			if (error)
3476 				break;
3477 			memset(&ti, 0, sizeof(ti));
3478 			ti.uidx = tbl;
3479 			error = flush_table(chain, &ti);
3480 		}
3481 		break;
3482 
3483 	case IP_FW_TABLE_GETSIZE:
3484 		{
3485 			u_int32_t tbl, cnt;
3486 			struct tid_info ti;
3487 
3488 			if ((error = sooptcopyin(sopt, &tbl, sizeof(tbl),
3489 			    sizeof(tbl))))
3490 				break;
3491 			memset(&ti, 0, sizeof(ti));
3492 			ti.uidx = tbl;
3493 			IPFW_RLOCK(chain);
3494 			error = ipfw_count_table(chain, &ti, &cnt);
3495 			IPFW_RUNLOCK(chain);
3496 			if (error)
3497 				break;
3498 			error = sooptcopyout(sopt, &cnt, sizeof(cnt));
3499 		}
3500 		break;
3501 
3502 	case IP_FW_TABLE_LIST:
3503 		{
3504 			ipfw_table *tbl;
3505 			struct tid_info ti;
3506 
3507 			if (sopt->sopt_valsize < sizeof(*tbl)) {
3508 				error = EINVAL;
3509 				break;
3510 			}
3511 			size = sopt->sopt_valsize;
3512 			tbl = malloc(size, M_TEMP, M_WAITOK);
3513 			error = sooptcopyin(sopt, tbl, size, sizeof(*tbl));
3514 			if (error) {
3515 				free(tbl, M_TEMP);
3516 				break;
3517 			}
3518 			tbl->size = (size - sizeof(*tbl)) /
3519 			    sizeof(ipfw_table_entry);
3520 			memset(&ti, 0, sizeof(ti));
3521 			ti.uidx = tbl->tbl;
3522 			IPFW_RLOCK(chain);
3523 			error = ipfw_dump_table_legacy(chain, &ti, tbl);
3524 			IPFW_RUNLOCK(chain);
3525 			if (error) {
3526 				free(tbl, M_TEMP);
3527 				break;
3528 			}
3529 			error = sooptcopyout(sopt, tbl, size);
3530 			free(tbl, M_TEMP);
3531 		}
3532 		break;
3533 
3534 	/*--- NAT operations are protected by the IPFW_LOCK ---*/
3535 	case IP_FW_NAT_CFG:
3536 		if (IPFW_NAT_LOADED)
3537 			error = ipfw_nat_cfg_ptr(sopt);
3538 		else {
3539 			printf("IP_FW_NAT_CFG: %s\n",
3540 			    "ipfw_nat not present, please load it");
3541 			error = EINVAL;
3542 		}
3543 		break;
3544 
3545 	case IP_FW_NAT_DEL:
3546 		if (IPFW_NAT_LOADED)
3547 			error = ipfw_nat_del_ptr(sopt);
3548 		else {
3549 			printf("IP_FW_NAT_DEL: %s\n",
3550 			    "ipfw_nat not present, please load it");
3551 			error = EINVAL;
3552 		}
3553 		break;
3554 
3555 	case IP_FW_NAT_GET_CONFIG:
3556 		if (IPFW_NAT_LOADED)
3557 			error = ipfw_nat_get_cfg_ptr(sopt);
3558 		else {
3559 			printf("IP_FW_NAT_GET_CFG: %s\n",
3560 			    "ipfw_nat not present, please load it");
3561 			error = EINVAL;
3562 		}
3563 		break;
3564 
3565 	case IP_FW_NAT_GET_LOG:
3566 		if (IPFW_NAT_LOADED)
3567 			error = ipfw_nat_get_log_ptr(sopt);
3568 		else {
3569 			printf("IP_FW_NAT_GET_LOG: %s\n",
3570 			    "ipfw_nat not present, please load it");
3571 			error = EINVAL;
3572 		}
3573 		break;
3574 
3575 	default:
3576 		printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name);
3577 		error = EINVAL;
3578 	}
3579 
3580 	return (error);
3581 #undef RULE_MAXSIZE
3582 }
3583 #define	RULE_MAXSIZE	(256*sizeof(u_int32_t))
3584 
3585 /* Functions to convert rules 7.2 <==> 8.0 */
3586 static int
3587 convert_rule_to_7(struct ip_fw_rule0 *rule)
3588 {
3589 	/* Used to modify original rule */
3590 	struct ip_fw7 *rule7 = (struct ip_fw7 *)rule;
3591 	/* copy of original rule, version 8 */
3592 	struct ip_fw_rule0 *tmp;
3593 
3594 	/* Used to copy commands */
3595 	ipfw_insn *ccmd, *dst;
3596 	int ll = 0, ccmdlen = 0;
3597 
3598 	tmp = malloc(RULE_MAXSIZE, M_TEMP, M_NOWAIT | M_ZERO);
3599 	if (tmp == NULL) {
3600 		return 1; //XXX error
3601 	}
3602 	bcopy(rule, tmp, RULE_MAXSIZE);
3603 
3604 	/* Copy fields */
3605 	//rule7->_pad = tmp->_pad;
3606 	rule7->set = tmp->set;
3607 	rule7->rulenum = tmp->rulenum;
3608 	rule7->cmd_len = tmp->cmd_len;
3609 	rule7->act_ofs = tmp->act_ofs;
3610 	rule7->next_rule = (struct ip_fw7 *)tmp->next_rule;
3611 	rule7->cmd_len = tmp->cmd_len;
3612 	rule7->pcnt = tmp->pcnt;
3613 	rule7->bcnt = tmp->bcnt;
3614 	rule7->timestamp = tmp->timestamp;
3615 
3616 	/* Copy commands */
3617 	for (ll = tmp->cmd_len, ccmd = tmp->cmd, dst = rule7->cmd ;
3618 			ll > 0 ; ll -= ccmdlen, ccmd += ccmdlen, dst += ccmdlen) {
3619 		ccmdlen = F_LEN(ccmd);
3620 
3621 		bcopy(ccmd, dst, F_LEN(ccmd)*sizeof(uint32_t));
3622 
3623 		if (dst->opcode > O_NAT)
3624 			/* O_REASS doesn't exists in 7.2 version, so
3625 			 * decrement opcode if it is after O_REASS
3626 			 */
3627 			dst->opcode--;
3628 
3629 		if (ccmdlen > ll) {
3630 			printf("ipfw: opcode %d size truncated\n",
3631 				ccmd->opcode);
3632 			return EINVAL;
3633 		}
3634 	}
3635 	free(tmp, M_TEMP);
3636 
3637 	return 0;
3638 }
3639 
3640 static int
3641 convert_rule_to_8(struct ip_fw_rule0 *rule)
3642 {
3643 	/* Used to modify original rule */
3644 	struct ip_fw7 *rule7 = (struct ip_fw7 *) rule;
3645 
3646 	/* Used to copy commands */
3647 	ipfw_insn *ccmd, *dst;
3648 	int ll = 0, ccmdlen = 0;
3649 
3650 	/* Copy of original rule */
3651 	struct ip_fw7 *tmp = malloc(RULE_MAXSIZE, M_TEMP, M_NOWAIT | M_ZERO);
3652 	if (tmp == NULL) {
3653 		return 1; //XXX error
3654 	}
3655 
3656 	bcopy(rule7, tmp, RULE_MAXSIZE);
3657 
3658 	for (ll = tmp->cmd_len, ccmd = tmp->cmd, dst = rule->cmd ;
3659 			ll > 0 ; ll -= ccmdlen, ccmd += ccmdlen, dst += ccmdlen) {
3660 		ccmdlen = F_LEN(ccmd);
3661 
3662 		bcopy(ccmd, dst, F_LEN(ccmd)*sizeof(uint32_t));
3663 
3664 		if (dst->opcode > O_NAT)
3665 			/* O_REASS doesn't exists in 7.2 version, so
3666 			 * increment opcode if it is after O_REASS
3667 			 */
3668 			dst->opcode++;
3669 
3670 		if (ccmdlen > ll) {
3671 			printf("ipfw: opcode %d size truncated\n",
3672 			    ccmd->opcode);
3673 			return EINVAL;
3674 		}
3675 	}
3676 
3677 	rule->_pad = tmp->_pad;
3678 	rule->set = tmp->set;
3679 	rule->rulenum = tmp->rulenum;
3680 	rule->cmd_len = tmp->cmd_len;
3681 	rule->act_ofs = tmp->act_ofs;
3682 	rule->next_rule = (struct ip_fw *)tmp->next_rule;
3683 	rule->cmd_len = tmp->cmd_len;
3684 	rule->id = 0; /* XXX see if is ok = 0 */
3685 	rule->pcnt = tmp->pcnt;
3686 	rule->bcnt = tmp->bcnt;
3687 	rule->timestamp = tmp->timestamp;
3688 
3689 	free (tmp, M_TEMP);
3690 	return 0;
3691 }
3692 
3693 /*
3694  * Named object api
3695  *
3696  */
3697 
3698 void
3699 ipfw_init_srv(struct ip_fw_chain *ch)
3700 {
3701 
3702 	ch->srvmap = ipfw_objhash_create(IPFW_OBJECTS_DEFAULT);
3703 	ch->srvstate = malloc(sizeof(void *) * IPFW_OBJECTS_DEFAULT,
3704 	    M_IPFW, M_WAITOK | M_ZERO);
3705 }
3706 
3707 void
3708 ipfw_destroy_srv(struct ip_fw_chain *ch)
3709 {
3710 
3711 	free(ch->srvstate, M_IPFW);
3712 	ipfw_objhash_destroy(ch->srvmap);
3713 }
3714 
3715 /*
3716  * Allocate new bitmask which can be used to enlarge/shrink
3717  * named instance index.
3718  */
3719 void
3720 ipfw_objhash_bitmap_alloc(uint32_t items, void **idx, int *pblocks)
3721 {
3722 	size_t size;
3723 	int max_blocks;
3724 	u_long *idx_mask;
3725 
3726 	KASSERT((items % BLOCK_ITEMS) == 0,
3727 	   ("bitmask size needs to power of 2 and greater or equal to %zu",
3728 	    BLOCK_ITEMS));
3729 
3730 	max_blocks = items / BLOCK_ITEMS;
3731 	size = items / 8;
3732 	idx_mask = malloc(size * IPFW_MAX_SETS, M_IPFW, M_WAITOK);
3733 	/* Mark all as free */
3734 	memset(idx_mask, 0xFF, size * IPFW_MAX_SETS);
3735 	*idx_mask &= ~(u_long)1; /* Skip index 0 */
3736 
3737 	*idx = idx_mask;
3738 	*pblocks = max_blocks;
3739 }
3740 
3741 /*
3742  * Copy current bitmask index to new one.
3743  */
3744 void
3745 ipfw_objhash_bitmap_merge(struct namedobj_instance *ni, void **idx, int *blocks)
3746 {
3747 	int old_blocks, new_blocks;
3748 	u_long *old_idx, *new_idx;
3749 	int i;
3750 
3751 	old_idx = ni->idx_mask;
3752 	old_blocks = ni->max_blocks;
3753 	new_idx = *idx;
3754 	new_blocks = *blocks;
3755 
3756 	for (i = 0; i < IPFW_MAX_SETS; i++) {
3757 		memcpy(&new_idx[new_blocks * i], &old_idx[old_blocks * i],
3758 		    old_blocks * sizeof(u_long));
3759 	}
3760 }
3761 
3762 /*
3763  * Swaps current @ni index with new one.
3764  */
3765 void
3766 ipfw_objhash_bitmap_swap(struct namedobj_instance *ni, void **idx, int *blocks)
3767 {
3768 	int old_blocks;
3769 	u_long *old_idx;
3770 
3771 	old_idx = ni->idx_mask;
3772 	old_blocks = ni->max_blocks;
3773 
3774 	ni->idx_mask = *idx;
3775 	ni->max_blocks = *blocks;
3776 
3777 	/* Save old values */
3778 	*idx = old_idx;
3779 	*blocks = old_blocks;
3780 }
3781 
3782 void
3783 ipfw_objhash_bitmap_free(void *idx, int blocks)
3784 {
3785 
3786 	free(idx, M_IPFW);
3787 }
3788 
3789 /*
3790  * Creates named hash instance.
3791  * Must be called without holding any locks.
3792  * Return pointer to new instance.
3793  */
3794 struct namedobj_instance *
3795 ipfw_objhash_create(uint32_t items)
3796 {
3797 	struct namedobj_instance *ni;
3798 	int i;
3799 	size_t size;
3800 
3801 	size = sizeof(struct namedobj_instance) +
3802 	    sizeof(struct namedobjects_head) * NAMEDOBJ_HASH_SIZE +
3803 	    sizeof(struct namedobjects_head) * NAMEDOBJ_HASH_SIZE;
3804 
3805 	ni = malloc(size, M_IPFW, M_WAITOK | M_ZERO);
3806 	ni->nn_size = NAMEDOBJ_HASH_SIZE;
3807 	ni->nv_size = NAMEDOBJ_HASH_SIZE;
3808 
3809 	ni->names = (struct namedobjects_head *)(ni +1);
3810 	ni->values = &ni->names[ni->nn_size];
3811 
3812 	for (i = 0; i < ni->nn_size; i++)
3813 		TAILQ_INIT(&ni->names[i]);
3814 
3815 	for (i = 0; i < ni->nv_size; i++)
3816 		TAILQ_INIT(&ni->values[i]);
3817 
3818 	/* Set default hashing/comparison functions */
3819 	ni->hash_f = objhash_hash_name;
3820 	ni->cmp_f = objhash_cmp_name;
3821 
3822 	/* Allocate bitmask separately due to possible resize */
3823 	ipfw_objhash_bitmap_alloc(items, (void*)&ni->idx_mask, &ni->max_blocks);
3824 
3825 	return (ni);
3826 }
3827 
3828 void
3829 ipfw_objhash_destroy(struct namedobj_instance *ni)
3830 {
3831 
3832 	free(ni->idx_mask, M_IPFW);
3833 	free(ni, M_IPFW);
3834 }
3835 
3836 void
3837 ipfw_objhash_set_funcs(struct namedobj_instance *ni, objhash_hash_f *hash_f,
3838     objhash_cmp_f *cmp_f)
3839 {
3840 
3841 	ni->hash_f = hash_f;
3842 	ni->cmp_f = cmp_f;
3843 }
3844 
3845 static uint32_t
3846 objhash_hash_name(struct namedobj_instance *ni, void *name, uint32_t set)
3847 {
3848 
3849 	return (fnv_32_str((char *)name, FNV1_32_INIT));
3850 }
3851 
3852 static int
3853 objhash_cmp_name(struct named_object *no, void *name, uint32_t set)
3854 {
3855 
3856 	if ((strcmp(no->name, (char *)name) == 0) && (no->set == set))
3857 		return (0);
3858 
3859 	return (1);
3860 }
3861 
3862 static uint32_t
3863 objhash_hash_idx(struct namedobj_instance *ni, uint32_t val)
3864 {
3865 	uint32_t v;
3866 
3867 	v = val % (ni->nv_size - 1);
3868 
3869 	return (v);
3870 }
3871 
3872 struct named_object *
3873 ipfw_objhash_lookup_name(struct namedobj_instance *ni, uint32_t set, char *name)
3874 {
3875 	struct named_object *no;
3876 	uint32_t hash;
3877 
3878 	hash = ni->hash_f(ni, name, set) % ni->nn_size;
3879 
3880 	TAILQ_FOREACH(no, &ni->names[hash], nn_next) {
3881 		if (ni->cmp_f(no, name, set) == 0)
3882 			return (no);
3883 	}
3884 
3885 	return (NULL);
3886 }
3887 
3888 /*
3889  * Find named object by name, considering also its TLV type.
3890  */
3891 struct named_object *
3892 ipfw_objhash_lookup_name_type(struct namedobj_instance *ni, uint32_t set,
3893     uint32_t type, char *name)
3894 {
3895 	struct named_object *no;
3896 	uint32_t hash;
3897 
3898 	hash = ni->hash_f(ni, name, set) % ni->nn_size;
3899 
3900 	TAILQ_FOREACH(no, &ni->names[hash], nn_next) {
3901 		if (ni->cmp_f(no, name, set) == 0 && no->etlv == type)
3902 			return (no);
3903 	}
3904 
3905 	return (NULL);
3906 }
3907 
3908 struct named_object *
3909 ipfw_objhash_lookup_kidx(struct namedobj_instance *ni, uint16_t kidx)
3910 {
3911 	struct named_object *no;
3912 	uint32_t hash;
3913 
3914 	hash = objhash_hash_idx(ni, kidx);
3915 
3916 	TAILQ_FOREACH(no, &ni->values[hash], nv_next) {
3917 		if (no->kidx == kidx)
3918 			return (no);
3919 	}
3920 
3921 	return (NULL);
3922 }
3923 
3924 int
3925 ipfw_objhash_same_name(struct namedobj_instance *ni, struct named_object *a,
3926     struct named_object *b)
3927 {
3928 
3929 	if ((strcmp(a->name, b->name) == 0) && a->set == b->set)
3930 		return (1);
3931 
3932 	return (0);
3933 }
3934 
3935 void
3936 ipfw_objhash_add(struct namedobj_instance *ni, struct named_object *no)
3937 {
3938 	uint32_t hash;
3939 
3940 	hash = ni->hash_f(ni, no->name, no->set) % ni->nn_size;
3941 	TAILQ_INSERT_HEAD(&ni->names[hash], no, nn_next);
3942 
3943 	hash = objhash_hash_idx(ni, no->kidx);
3944 	TAILQ_INSERT_HEAD(&ni->values[hash], no, nv_next);
3945 
3946 	ni->count++;
3947 }
3948 
3949 void
3950 ipfw_objhash_del(struct namedobj_instance *ni, struct named_object *no)
3951 {
3952 	uint32_t hash;
3953 
3954 	hash = ni->hash_f(ni, no->name, no->set) % ni->nn_size;
3955 	TAILQ_REMOVE(&ni->names[hash], no, nn_next);
3956 
3957 	hash = objhash_hash_idx(ni, no->kidx);
3958 	TAILQ_REMOVE(&ni->values[hash], no, nv_next);
3959 
3960 	ni->count--;
3961 }
3962 
3963 uint32_t
3964 ipfw_objhash_count(struct namedobj_instance *ni)
3965 {
3966 
3967 	return (ni->count);
3968 }
3969 
3970 /*
3971  * Runs @func for each found named object.
3972  * It is safe to delete objects from callback
3973  */
3974 void
3975 ipfw_objhash_foreach(struct namedobj_instance *ni, objhash_cb_t *f, void *arg)
3976 {
3977 	struct named_object *no, *no_tmp;
3978 	int i;
3979 
3980 	for (i = 0; i < ni->nn_size; i++) {
3981 		TAILQ_FOREACH_SAFE(no, &ni->names[i], nn_next, no_tmp)
3982 			f(ni, no, arg);
3983 	}
3984 }
3985 
3986 /*
3987  * Removes index from given set.
3988  * Returns 0 on success.
3989  */
3990 int
3991 ipfw_objhash_free_idx(struct namedobj_instance *ni, uint16_t idx)
3992 {
3993 	u_long *mask;
3994 	int i, v;
3995 
3996 	i = idx / BLOCK_ITEMS;
3997 	v = idx % BLOCK_ITEMS;
3998 
3999 	if (i >= ni->max_blocks)
4000 		return (1);
4001 
4002 	mask = &ni->idx_mask[i];
4003 
4004 	if ((*mask & ((u_long)1 << v)) != 0)
4005 		return (1);
4006 
4007 	/* Mark as free */
4008 	*mask |= (u_long)1 << v;
4009 
4010 	/* Update free offset */
4011 	if (ni->free_off[0] > i)
4012 		ni->free_off[0] = i;
4013 
4014 	return (0);
4015 }
4016 
4017 /*
4018  * Allocate new index in given instance and stores in in @pidx.
4019  * Returns 0 on success.
4020  */
4021 int
4022 ipfw_objhash_alloc_idx(void *n, uint16_t *pidx)
4023 {
4024 	struct namedobj_instance *ni;
4025 	u_long *mask;
4026 	int i, off, v;
4027 
4028 	ni = (struct namedobj_instance *)n;
4029 
4030 	off = ni->free_off[0];
4031 	mask = &ni->idx_mask[off];
4032 
4033 	for (i = off; i < ni->max_blocks; i++, mask++) {
4034 		if ((v = ffsl(*mask)) == 0)
4035 			continue;
4036 
4037 		/* Mark as busy */
4038 		*mask &= ~ ((u_long)1 << (v - 1));
4039 
4040 		ni->free_off[0] = i;
4041 
4042 		v = BLOCK_ITEMS * i + v - 1;
4043 
4044 		*pidx = v;
4045 		return (0);
4046 	}
4047 
4048 	return (1);
4049 }
4050 
4051 /* end of file */
4052