84  * Check if we have enough space in cmd buffer. Note that since
85  * first 8? u32 words are reserved by reserved header, full cmd
93 #define	CHECK_CMDLEN	CHECK_LENGTH(cblen, F_LEN((ipfw_insn *)cmd))
596  * do_set3 - pass ipfw control cmd to kernel
623  * do_get3 - pass ipfw control cmd to kernel
896 print_newports(struct buf_pr *bp, ipfw_insn_u16 *cmd, int proto, int opcode)
898 	uint16_t *p = cmd->ports;
909 	for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
989 fill_newports(ipfw_insn_u16 *cmd, char *av, int proto, int cblen)
991 	uint16_t a, b, *p = cmd->ports;
1029 		cmd->o.len |= i + 1;	/* leave F_NOT and F_OR untouched */
1038 fill_dscp(ipfw_insn *cmd, char *av, int cblen)
1044 	cmd->opcode = O_DSCP;
1045 	cmd->len |= F_INSN_SIZE(ipfw_insn_u32) + 1;
1049 	low = (uint32_t *)(cmd + 1);
1155 print_flags(struct buf_pr *bp, char const *name, ipfw_insn *cmd,
1160 	uint8_t set = cmd->arg1 & 0xff;
1161 	uint8_t clear = (cmd->arg1 >> 8) & 0xff;
1188 print_ip(struct buf_pr *bp, const struct format_opts *fo, ipfw_insn_ip *cmd)
1192 	uint32_t len = F_LEN((ipfw_insn *)cmd);
1193 	uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
1197 	if (cmd->o.opcode == O_IP_DST_LOOKUP && len > F_INSN_SIZE(ipfw_insn_u32)) {
1203 		t = table_search_ctlv(fo->tstate, ((ipfw_insn *)cmd)->arg1);
1207 	if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
1211 	if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
1212 	    cmd->o.opcode == O_IP_DST_LOOKUP) {
1213 		t = table_search_ctlv(fo->tstate, ((ipfw_insn *)cmd)->arg1);
1220 	if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
1221 		uint32_t x, *map = (uint32_t *)&(cmd->mask);
1225 		x = cmd->o.arg1 - 1;
1227 		cmd->addr.s_addr = htonl(cmd->addr.s_addr);
1228 		bprintf(bp, "%s/%d", inet_ntoa(cmd->addr),
1230 		x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
1238 		for (i=0; i < cmd->o.arg1; i++)
1240 				for (j=i+1; j < cmd->o.arg1; j++)
1260 	    (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
1315 fill_icmptypes(ipfw_insn_u32 *cmd, char *av)
1319 	cmd->d[0] = 0;
1332 		cmd->d[0] |= 1 << type;
1334 	cmd->o.opcode = O_ICMPTYPE;
1335 	cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
1339 print_icmptypes(struct buf_pr *bp, ipfw_insn_u32 *cmd)
1346 		if ( (cmd->d[0] & (1 << (i))) == 0)
1354 print_dscp(struct buf_pr *bp, ipfw_insn_u32 *cmd)
1362 	v = cmd->d;
1377 #define	insntod(cmd, type)	((ipfw_insn_ ## type *)(cmd))
1414 is_printed_opcode(struct show_state *state, const ipfw_insn *cmd)
1417 	return (state->printed[cmd - state->rule->cmd]);
1421 mark_printed(struct show_state *state, const ipfw_insn *cmd)
1424 	state->printed[cmd - state->rule->cmd] = 1;
1446     struct show_state *state, ipfw_insn *cmd)
1454 	if (is_printed_opcode(state, cmd))
1456 	if ((cmd->len & F_OR) != 0 && state->or_block == 0)
1458 	if (cmd->opcode != O_IN && (cmd->len & F_NOT) != 0)
1461 	switch (cmd->opcode) {
1463 		d = 1.0 * insntod(cmd, u32)->d[0] / 0x7fffffff;
1476 		print_ip(bp, fo, insntod(cmd, ip));
1485 		print_ip(bp, fo, insntod(cmd, ip));
1492 		print_ip6(bp, insntod(cmd, ip6));
1499 		print_ip6(bp, insntod(cmd, ip6));
1502 		print_flow6id(bp, insntod(cmd, u32));
1506 		print_newports(bp, insntod(cmd, u16), state->proto,
1508 		    (HAVE_SRCIP | HAVE_DSTIP) ?  cmd->opcode: 0);
1511 		pe = getprotobynumber(cmd->arg1);
1517 			bprintf(bp, " %u", cmd->arg1);
1518 		state->proto = cmd->arg1;
1521 		print_mac(bp, insntod(cmd, mac));
1524 		print_newports(bp, insntod(cmd, u16),
1525 		    IPPROTO_ETHERTYPE, cmd->opcode);
1531 		bprintf(bp, " fib %u", cmd->arg1);
1537 		bprintf(bp, cmd->len & F_NOT ? " out" : " in");
1540 		switch (cmd->arg1) {
1551 			bprintf(bp, " diverted-?<%u>", cmd->arg1);
1561 		if (cmd->opcode == O_XMIT)
1563 		else if (cmd->opcode == O_RECV)
1565 		else /* if (cmd->opcode == O_VIA) */
1567 		switch (insntod(cmd, if)->name[0]) {
1570 			    inet_ntoa(insntod(cmd, if)->p.ip));
1575 			    insntod(cmd, if)->p.kidx));
1579 			    insntod(cmd, if)->name);
1583 		s = table_search_ctlv(fo->tstate, cmd->arg1);
1585 		if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))
1586 			bprintf(bp, ",%u", insntod(cmd, u32)->d[0]);
1595 		if (F_LEN(cmd) == 1) {
1596 			switch (cmd->opcode) {
1616 			bprintf(bp, " %s %u", s, cmd->arg1);
1618 			print_newports(bp, insntod(cmd, u16), 0,
1619 			    cmd->opcode);
1622 		bprintf(bp, " ipver %u", cmd->arg1);
1625 		bprintf(bp, " ipprecedence %u", cmd->arg1 >> 5);
1628 		print_dscp(bp, insntod(cmd, u32));
1631 		print_flags(bp, "ipoptions", cmd, f_ipopts);
1634 		print_flags(bp, "iptos", cmd, f_iptos);
1637 		print_icmptypes(bp, insntod(cmd, u32));
1643 		print_flags(bp, "tcpflags", cmd, f_tcpflags);
1646 		print_flags(bp, "tcpoptions", cmd, f_tcpopts);
1650 		    ntohl(insntod(cmd, u32)->d[0]));
1654 		    ntohl(insntod(cmd, u32)->d[0]));
1657 		pwd = getpwuid(insntod(cmd, u32)->d[0]);
1662 			    insntod(cmd, u32)->d[0]);
1665 		grp = getgrgid(insntod(cmd, u32)->d[0]);
1670 			    insntod(cmd, u32)->d[0]);
1673 		bprintf(bp, " jail %d", insntod(cmd, u32)->d[0]);
1688 		bprintf(bp, " // %s", (char *)(cmd + 1));
1696 		    object_search_ctlv(fo->tstate, cmd->arg1,
1704 		print_limit_mask(bp, insntod(cmd, limit));
1706 		    object_search_ctlv(fo->tstate, cmd->arg1,
1720 		print_icmp6types(bp, insntod(cmd, u32));
1723 		print_ext6hdr(bp, cmd);
1726 		if (F_LEN(cmd) == 1)
1727 			bprint_uint_arg(bp, " tagged ", cmd->arg1);
1729 			print_newports(bp, insntod(cmd, u16),
1736 		bprintf(bp, " [opcode %d len %d]", cmd->opcode,
1737 		    cmd->len);
1739 	if (cmd->len & F_OR) {
1746 	mark_printed(state, cmd);
1755 	ipfw_insn *cmd;
1758 	for (l = state->rule->act_ofs, cmd = state->rule->cmd;
1759 	    l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
1761 		if (opcode >= 0 && cmd->opcode != opcode)
1767 		if (cmd->opcode == O_NOP && opcode != O_NOP)
1769 		if (!print_instruction(bp, fo, state, cmd))
1771 		return (cmd);
1777 print_fwd(struct buf_pr *bp, const ipfw_insn *cmd)
1784 	if (cmd->opcode == O_FORWARD_IP) {
1785 		sa = insntod(cmd, sa);
1792 		sa6 = insntod(cmd, sa6);
1806     struct show_state *state, const ipfw_insn *cmd)
1810 	if (is_printed_opcode(state, cmd))
1812 	switch (cmd->opcode) {
1815 		if (cmd->arg1 != 0)
1816 			s = object_search_ctlv(fo->tstate, cmd->arg1,
1832 		if (cmd->arg1 == ICMP_REJECT_RST)
1834 		else if (cmd->arg1 == ICMP_REJECT_ABORT)
1836 		else if (cmd->arg1 == ICMP_UNREACH_HOST)
1839 			print_reject_code(bp, cmd->arg1);
1842 		if (cmd->arg1 == ICMP6_UNREACH_RST)
1844 		else if (cmd->arg1 == ICMP6_UNREACH_ABORT)
1847 			print_unreach6_code(bp, cmd->arg1);
1850 		bprint_uint_arg(bp, "skipto ", cmd->arg1);
1853 		bprint_uint_arg(bp, "pipe ", cmd->arg1);
1856 		bprint_uint_arg(bp, "queue ", cmd->arg1);
1859 		bprint_uint_arg(bp, "divert ", cmd->arg1);
1862 		bprint_uint_arg(bp, "tee ", cmd->arg1);
1865 		bprint_uint_arg(bp, "netgraph ", cmd->arg1);
1868 		bprint_uint_arg(bp, "ngtee ", cmd->arg1);
1872 		print_fwd(bp, cmd);
1875 		if (insntod(cmd, log)->max_log > 0)
1877 			    insntod(cmd, log)->max_log);
1883 		print_altq_cmd(bp, insntod(cmd, altq));
1887 		bprint_uint_arg(bp, cmd->len & F_NOT ? " untag ":
1888 		    " tag ", cmd->arg1);
1891 		if (cmd->arg1 != IP_FW_NAT44_GLOBAL)
1892 			bprint_uint_arg(bp, "nat ", cmd->arg1);
1897 		if (cmd->arg1 == IP_FW_TARG)
1898 			bprint_uint_arg(bp, "setfib ", cmd->arg1);
1900 			bprintf(bp, "setfib %u", cmd->arg1 & 0x7FFF);
1912 		state->eaction = cmd;
1913 		s = object_search_ctlv(fo->tstate, cmd->arg1,
1933 		s = object_search_ctlv(fo->tstate, cmd->arg1, 0);
1936 			    cmd->arg1, IPFW_TLV_EACTION_NAME(
1948 		if (cmd->len == F_INSN_SIZE(ipfw_insn))
1949 			bprintf(bp, " %u", cmd->arg1);
1952 			    cmd->len * sizeof(uint32_t));
1955 		if (cmd->arg1 == IP_FW_TARG) {
1959 		s = match_value(f_ipdscp, cmd->arg1 & 0x3F);
1963 			bprintf(bp, "setdscp %u", cmd->arg1 & 0x3F);
1969 		if (cmd->len & F_NOT)
1972 			bprint_uint_arg(bp, "call ", cmd->arg1);
1976 			cmd->opcode, cmd->len);
1978 	mark_printed(state, cmd);
1988 	ipfw_insn *cmd;
1992 	    cmd = ACTION_PTR(state->rule); l > 0;
1993 	    l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
1994 		if (cmd->opcode != opcode)
1996 		if (!print_action_instruction(bp, fo, state, cmd))
1998 		return (cmd);
2007 	ipfw_insn *cmd;
2012 	for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2013 	    l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2014 		switch (cmd->opcode) {
2020 			if (cmd->len & F_OR)
2025 			if (cmd->len & F_OR)
2039 	cmd = NULL;
2041 		cmd = print_opcode(bp, fo, state, ip4 > ip6 ? O_IP4: O_IP6);
2042 	if (cmd != NULL && (cmd->len & F_OR))
2043 		cmd = print_opcode(bp, fo, state, ip4 > ip6 ? O_IP6: O_IP4);
2044 	if (cmd == NULL || (cmd->len & F_OR))
2046 			cmd = print_opcode(bp, fo, state, O_PROTO);
2047 			if (cmd == NULL || (cmd->len & F_OR) == 0)
2072 	ipfw_insn *cmd;
2076 	for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2077 	    l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2078 		if (match_opcode(cmd->opcode, opcodes, nops))
2080 		else if (cmd->opcode == portop)
2085 	for (l = state->rule->act_ofs, cmd = state->rule->cmd;
2086 	    l > 0 && count > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2087 		if (!match_opcode(cmd->opcode, opcodes, nops))
2089 		print_instruction(bp, fo, state, cmd);
2090 		if ((cmd->len & F_OR) == 0)
2099 		for (l = state->rule->act_ofs, cmd = state->rule->cmd, pf = 0;
2100 		    l > 0; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
2101 			if (cmd->opcode != portop) {
2102 				pf = (cmd->len & F_OR);
2106 			if (pf == 0 && (cmd->len & F_OR) == 0)
2107 				print_instruction(bp, fo, state, cmd);
2142 	ipfw_insn *cmd;
2197 	cmd = print_opcode(bp, fo, &state, O_PROB);
2200 		cmd = print_action(bp, fo, &state, action_opcodes[i]);
2201 		if (cmd == NULL)
2204 		switch (cmd->opcode) {
2248 	cmd = print_opcode(bp, fo, &state, O_NOP);
2249 	if (co->comment_only != 0 && cmd == NULL)
2338 do_range_cmd(int cmd, ipfw_range_tlv *rt)
2349 	if (do_get3(cmd, &rh.opheader, &sz) != 0)
2372 	uint8_t cmd;
2415 			cmd = IP_FW_XMOVE;
2418 			cmd = IP_FW_SET_MOVE; /* Move set to new one */
2424 		if (cmd == IP_FW_XMOVE) {
2430 		if (!isdigit(*(av[0])) || (cmd == 3 && rt.set > RESVD_SET) ||
2431 			(cmd == 2 && rt.start_rule == IPFW_DEFAULT_RULE) )
2435 		i = do_range_cmd(cmd, &rt);
2438 			    cmd == IP_FW_SET_MOVE ? "set": "rule");
3053 fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
3056 	uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
3070 	cmd->opcode = opcode;
3071 	cmd->arg1 = uidx;
3073 		cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
3076 		cmd->len |= F_INSN_SIZE(ipfw_insn);
3092 fill_ip(ipfw_insn_ip *cmd, char *av, int cblen, struct tidx *tstate)
3095 	uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
3097 	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
3103 		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
3108 		fill_table(&cmd->o, av, O_IP_DST_LOOKUP, tstate);
3178 		uint32_t *map = (uint32_t *)&cmd->mask;
3186 		cmd->o.arg1 = 1<<(32-i);	/* map length		*/
3188 		cmd->o.opcode = O_IP_DST_SET;	/* default */
3189 		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
3190 		for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
3195 		high = low + cmd->o.arg1 - 1;
3249 		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
3258 		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
3266     cmd->o.len |= len+1;
3290 fill_flags_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode,
3299 	cmd->opcode = opcode;
3300 	cmd->len =  (cmd->len & (F_NOT | F_OR)) | 1;
3301 	cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
3390 fill_iface(ipfw_insn_if *cmd, char *arg, int cblen, struct tidx *tstate)
3395 	cmd->name[0] = '\0';
3396 	cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
3402 		cmd->o.len = 0;		/* effectively ignore this command */
3413 		cmd->name[0] = '\1'; /* Special value indicating table */
3414 		cmd->p.kidx = uidx;
3416 		strlcpy(cmd->name, arg, sizeof(cmd->name));
3417 		cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
3418 	} else if (!inet_aton(arg, &cmd->p.ip))
3471  * helper function, updates the pointer to cmd with the length
3476 next_cmd(ipfw_insn *cmd, int *len)
3478 	*len -= F_LEN(cmd);
3480 	cmd += F_LEN(cmd);
3481 	bzero(cmd, sizeof(*cmd));
3482 	return cmd;
3489 fill_comment(ipfw_insn *cmd, char **av, int cblen)
3492 	char *p = (char *)(cmd + 1);
3494 	cmd->opcode = O_NOP;
3495 	cmd->len =  (cmd->len & (F_NOT | F_OR));
3506 	cmd->len =  (cmd->len & (F_NOT | F_OR)) | l;
3522 fill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
3524 	cmd->opcode = opcode;
3525 	cmd->len =  ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
3526 	cmd->arg1 = arg;
3534 add_mac(ipfw_insn *cmd, char *av[], int cblen)
3541 	cmd->opcode = O_MACADDR2;
3542 	cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
3545 	mac = (ipfw_insn_mac *)cmd;
3549 	return cmd;
3553 add_mactype(ipfw_insn *cmd, char *av, int cblen)
3558 		fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE,
3560 		cmd->opcode = O_MAC_TYPE;
3561 		return cmd;
3567 add_proto0(ipfw_insn *cmd, char *av, u_char *protop)
3580 	fill_cmd(cmd, O_PROTO, 0, proto);
3582 	return cmd;
3586 add_proto(ipfw_insn *cmd, char *av, u_char *protop)
3594 		fill_cmd(cmd, O_IP4, 0, 0);
3598 		fill_cmd(cmd, O_IP6, 0, 0);
3600 		return add_proto0(cmd, av, protop);
3603 	return cmd;
3607 add_proto_compat(ipfw_insn *cmd, char *av, u_char *protop)
3615 		fill_cmd(cmd, O_IP4, 0, 0);
3619 		fill_cmd(cmd, O_IP6, 0, 0);
3621 		return add_proto0(cmd, av, protop);
3624 	return cmd;
3628 add_srcip(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
3630 	fill_ip((ipfw_insn_ip *)cmd, av, cblen, tstate);
3631 	if (cmd->opcode == O_IP_DST_SET)			/* set */
3632 		cmd->opcode = O_IP_SRC_SET;
3633 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
3634 		cmd->opcode = O_IP_SRC_LOOKUP;
3635 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
3636 		cmd->opcode = O_IP_SRC_ME;
3637 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
3638 		cmd->opcode = O_IP_SRC;
3640 		cmd->opcode = O_IP_SRC_MASK;
3641 	return cmd;
3645 add_dstip(ipfw_insn *cmd, char *av, int cblen, struct tidx *tstate)
3647 	fill_ip((ipfw_insn_ip *)cmd, av, cblen, tstate);
3648 	if (cmd->opcode == O_IP_DST_SET)			/* set */
3650 	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
3652 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
3653 		cmd->opcode = O_IP_DST_ME;
3654 	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
3655 		cmd->opcode = O_IP_DST;
3657 		cmd->opcode = O_IP_DST_MASK;
3658 	return cmd;
3682 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode, int cblen)
3688 	if (fill_newports((ipfw_insn_u16 *)cmd, av, proto, cblen)) {
3690 		cmd->opcode = opcode;
3691 		return cmd;
3697 add_src(ipfw_insn *cmd, char *av, u_char proto, int cblen, struct tidx *tstate)
3716 		ret = add_srcip6(cmd, av, cblen, tstate);
3720 		ret = add_srcip(cmd, av, cblen, tstate);
3722 		ret = cmd;
3728 add_dst(ipfw_insn *cmd, char *av, u_char proto, int cblen, struct tidx *tstate)
3747 		ret = add_dstip6(cmd, av, cblen, tstate);
3751 		ret = add_dstip(cmd, av, cblen, tstate);
3753 		ret = cmd;
3782 	ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
3810 	cmd = (ipfw_insn *)cmdbuf;
4222 			ipfw_insn_log *c = (ipfw_insn_log *)cmd;
4229 			cmd->len = F_INSN_SIZE(ipfw_insn_log);
4231 			cmd->opcode = O_LOG;
4259 			ipfw_insn_altq *a = (ipfw_insn_altq *)cmd;
4266 			cmd->len = F_INSN_SIZE(ipfw_insn_altq);
4268 			cmd->opcode = O_ALTQ;
4284 			have_tag = cmd;
4285 			fill_cmd(cmd, O_TAG, (i == TOK_TAG) ? 0: F_NOT, tag);
4293 		cmd = next_cmd(cmd, &cblen);
4301 			fill_comment(cmd, av, cblen);
4302 			cmd = next_cmd(cmd, &cblen);
4336 		if (cmd->len & F_NOT)				\
4338 		cmd->len |= F_NOT;				\
4352 	first_cmd = cmd;
4365 		add_mac(cmd, av);	/* exits in case of errors */
4366 		cmd = next_cmd(cmd);
4370 		if (add_mactype(cmd, av[0]))
4371 			cmd = next_cmd(cmd);
4383 	if (add_proto_compat(cmd, *av, &proto)) {
4385 		if (F_LEN(cmd) != 0) {
4386 			prev = cmd;
4387 			cmd = next_cmd(cmd, &cblen);
4389 	} else if (first_cmd != cmd) {
4397 	first_cmd = cmd; /* update pointer to use in compact form */
4412 	if (add_src(cmd, *av, proto, cblen, tstate)) {
4414 		if (F_LEN(cmd) != 0) {	/* ! any */
4415 			prev = cmd;
4416 			cmd = next_cmd(cmd, &cblen);
4428 		    add_ports(cmd, *av, proto, O_IP_SRCPORT, cblen)) {
4430 			if (F_LEN(cmd) != 0)
4431 				cmd = next_cmd(cmd, &cblen);
4448 	if (add_dst(cmd, *av, proto, cblen, tstate)) {
4450 		if (F_LEN(cmd) != 0) {	/* ! any */
4451 			prev = cmd;
4452 			cmd = next_cmd(cmd, &cblen);
4464 		    add_ports(cmd, *av, proto, O_IP_DSTPORT, cblen)) {
4466 			if (F_LEN(cmd) != 0)
4467 				cmd = next_cmd(cmd, &cblen);
4470 	if (first_cmd == cmd)
4477 		ipfw_insn_u32 *cmd32;	/* alias for cmd */
4480 		cmd32 = (ipfw_insn_u32 *)cmd;
4483 			if (cmd->len & F_NOT)
4485 			cmd->len = F_NOT;
4492 			if (cmd->len & F_NOT)
4494 			cmd->len = F_NOT;
4517 			fill_cmd(cmd, O_IN, 0, 0);
4521 			cmd->len ^= F_NOT; /* toggle F_NOT */
4522 			fill_cmd(cmd, O_IN, 0, 0);
4526 			fill_cmd(cmd, O_DIVERTED, 0, 3);
4530 			fill_cmd(cmd, O_DIVERTED, 0, 1);
4534 			fill_cmd(cmd, O_DIVERTED, 0, 2);
4538 			fill_cmd(cmd, O_FRAG, 0, 0);
4542 			fill_cmd(cmd, O_LAYER2, 0, 0);
4550 			fill_iface((ipfw_insn_if *)cmd, av[0], cblen, tstate);
4552 			if (F_LEN(cmd) == 0)	/* not a valid address */
4555 				cmd->opcode = O_XMIT;
4557 				cmd->opcode = O_RECV;
4559 				cmd->opcode = O_VIA;
4564 			fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
4570 			fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av, cblen);
4577 			    if (!add_ports(cmd, *av, 0, O_IPTTL, cblen))
4580 			    fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
4587 			    if (!add_ports(cmd, *av, 0, O_IPID, cblen))
4590 			    fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
4597 			    if (!add_ports(cmd, *av, 0, O_IPLEN, cblen))
4600 			    fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
4606 			fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
4612 			fill_cmd(cmd, O_IPPRECEDENCE, 0,
4619 			fill_dscp(cmd, *av, cblen);
4625 			fill_flags_cmd(cmd, O_IPOPT, f_ipopts, *av);
4631 			fill_flags_cmd(cmd, O_IPTOS, f_iptos, *av);
4642 			cmd->opcode = O_UID;
4648 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4660 			cmd->opcode = O_GID;
4666 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4677 			cmd->opcode = O_JAIL;
4696 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4702 			fill_cmd(cmd, O_ESTAB, 0, 0);
4706 			fill_cmd(cmd, O_TCPFLAGS, 0,
4713 			    if (!add_ports(cmd, *av, 0, O_TCPDATALEN, cblen))
4716 			    fill_cmd(cmd, O_TCPDATALEN, 0,
4723 			fill_flags_cmd(cmd, O_TCPOPTS, f_tcpopts, *av);
4730 			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
4731 			cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
4740 				if (add_ports(cmd, *av, 0,
4746 				fill_cmd(cmd, i == TOK_TCPWIN ? O_TCPWIN :
4753 			cmd->opcode = O_TCPFLAGS;
4754 			fill_flags_cmd(cmd, O_TCPFLAGS, f_tcpflags, *av);
4778 			have_state = cmd;
4780 			fill_cmd(cmd, O_KEEP_STATE, 0, uidx);
4786 			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
4795 			have_state = cmd;
4798 			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
4800 			cmd->opcode = O_LIMIT;
4821 				cmd->arg1 = pack_object(tstate, *av + 1,
4825 				cmd->arg1 = pack_object(tstate,
4832 			if (add_proto(cmd, *av, &proto)) {
4841 			if (add_srcip(cmd, *av, cblen, tstate)) {
4848 			if (add_dstip(cmd, *av, cblen, tstate)) {
4855 			if (add_srcip6(cmd, *av, cblen, tstate)) {
4862 			if (add_dstip6(cmd, *av, cblen, tstate)) {
4870 			    add_ports(cmd, *av, proto, O_IP_SRCPORT, cblen)) {
4879 			    add_ports(cmd, *av, proto, O_IP_DSTPORT, cblen)) {
4887 			if (add_mac(cmd, av, cblen))
4893 			if (!add_mactype(cmd, *av, cblen))
4899 			fill_cmd(cmd, O_VERREVPATH, 0, 0);
4903 			fill_cmd(cmd, O_VERSRCREACH, 0, 0);
4907 			fill_cmd(cmd, O_ANTISPOOF, 0, 0);
4911 			fill_cmd(cmd, O_IPSEC, 0, 0);
4915 			fill_cmd(cmd, O_IP6, 0, 0);
4919 			fill_cmd(cmd, O_IP4, 0, 0);
4923 			fill_ext6hdr( cmd, *av );
4931 			fill_flow6( (ipfw_insn_u32 *) cmd, *av, cblen);
4936 			fill_comment(cmd, av, cblen);
4942 				if (!add_ports(cmd, *av, 0, O_TAGGED, cblen))
4951 				fill_cmd(cmd, O_TAGGED, 0, tag);
4958 			fill_cmd(cmd, O_FIB, 0, strtoul(*av, NULL, 0));
4962 			fill_cmd(cmd, O_SOCKARG, 0, 0);
4966 			ipfw_insn_u32 *c = (ipfw_insn_u32 *)cmd;
4971 			cmd->opcode = O_IP_DST_LOOKUP;
4972 			cmd->len |= F_INSN_SIZE(ipfw_insn) + 2;
4986 			cmd->arg1 = j;
4995 			fill_table(cmd, *av, O_IP_FLOW_LOOKUP, tstate);
5003 			have_skipcmd = cmd;
5004 			fill_cmd(cmd, O_SKIP_ACTION, 0, 0);
5010 		if (F_LEN(cmd) > 0) {	/* prepare to advance */
5011 			prev = cmd;
5012 			cmd = next_cmd(cmd, &cblen);
5029 	dst = (ipfw_insn *)rule->cmd;
5053 	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
5094 	rule->act_ofs = dst - rule->cmd;
5126 	rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
5520 	NEED1("internal cmd required");
5523 		errx(EX_USAGE, "invalid internal sub-cmd: %s", *av);

Indexes created Tue Jun 18 09:53:56 MDT 2024