]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet/ip_fw2.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-4903.270.47.tar.gz
[apple/xnu.git] / bsd / netinet / ip_fw2.c
diff --git a/bsd/netinet/ip_fw2.c b/bsd/netinet/ip_fw2.c
index 9801fb7d3a3f93698c30084df0d05410be76020d..acbb060cba5f7b0071100305fc1b6d60477ddb03 100644 (file)
--- a/bsd/netinet/ip_fw2.c
+++ b/bsd/netinet/ip_fw2.c
@@ -1,3 +1,31 @@
+/*
+ * Copyright (c) 2004-2016 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+
 /*
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
 /*
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
@@ -36,13 +64,13 @@
 #error IPFIREWALL requires INET.
 #endif /* INET */
 
 #error IPFIREWALL requires INET.
 #endif /* INET */
 
-#ifdef IPFW2
-#include <machine/spl.h>
+#if IPFW2
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
+#include <sys/mcache.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
@@ -50,7 +78,11 @@
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
+#include <sys/kern_event.h>
+#include <sys/kauth.h>
+
 #include <net/if.h>
 #include <net/if.h>
+#include <net/net_kev.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -85,14 +117,14 @@
 #include <stdarg.h>
 
 /*
 #include <stdarg.h>
 
 /*
-#include <machine/in_cksum.h>
-*/     /* XXX for in_cksum */
+ #include <machine/in_cksum.h>
+ */    /* XXX for in_cksum */
 
 /*
  * XXX This one should go in sys/mbuf.h. It is used to avoid that
  * a firewall-generated packet loops forever through the firewall.
  */
 
 /*
  * XXX This one should go in sys/mbuf.h. It is used to avoid that
  * a firewall-generated packet loops forever through the firewall.
  */
-#ifndef        M_SKIP_FIREWALL
+#ifndef M_SKIP_FIREWALL
 #define M_SKIP_FIREWALL         0x4000
 #endif
 
 #define M_SKIP_FIREWALL         0x4000
 #endif
 
@@ -108,8 +140,7 @@ static u_int32_t set_disable;
 
 int fw_verbose;
 static int verbose_limit;
 
 int fw_verbose;
 static int verbose_limit;
-
-#define        IPFW_DEFAULT_RULE       65535
+extern int fw_bypass;
 
 #define IPFW_RULE_INACTIVE 1
 
 
 #define IPFW_RULE_INACTIVE 1
 
@@ -120,29 +151,68 @@ static struct ip_fw *layer3_chain;
 
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
 
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
-static int fw_debug = 1;
+static int fw_debug = 0;
 static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
 
 static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
 
+static void ipfw_kev_post_msg(u_int32_t );
+
+static int Get32static_len(void);
+static int Get64static_len(void);
+
 #ifdef SYSCTL_NODE
 #ifdef SYSCTL_NODE
-SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable,
-    CTLFLAG_RW,
-    &fw_enable, 0, "Enable ipfw");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW,
+
+static int ipfw_sysctl SYSCTL_HANDLER_ARGS;
+
+SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "Firewall");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &fw_enable, 0, ipfw_sysctl, "I", "Enable ipfw");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW | CTLFLAG_LOCKED,
     &autoinc_step, 0, "Rule number autincrement step");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
     &autoinc_step, 0, "Rule number autincrement step");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_one_pass, 0,
     "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug,
     &fw_one_pass, 0,
     "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_debug, 0, "Enable printing of debug ip_fw statements");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose,
     &fw_debug, 0, "Enable printing of debug ip_fw statements");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_verbose, 0, "Log matches to ipfw rules");
     &fw_verbose, 0, "Log matches to ipfw rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW | CTLFLAG_LOCKED,
     &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
 
     &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
 
+/*
+ * IP FW Stealth Logging:
+ */
+typedef enum ipfw_stealth_stats_type {
+       IPFW_STEALTH_STATS_UDP,
+       IPFW_STEALTH_STATS_TCP,
+       IPFW_STEALTH_STATS_UDPv6,
+       IPFW_STEALTH_STATS_TCPv6,
+       IPFW_STEALTH_STATS_MAX,
+} ipfw_stealth_stats_type_t;
+
+#define IPFW_STEALTH_TIMEOUT_SEC 30
+
+#define DYN_KEEPALIVE_LEEWAY    15
+
+// Piggybagging Stealth stats with ipfw_tick().
+#define IPFW_STEALTH_TIMEOUT_FREQUENCY (30 / dyn_keepalive_period)
+
+static const char* ipfw_stealth_stats_str[IPFW_STEALTH_STATS_MAX] = {
+       "UDP", "TCP", "UDP v6", "TCP v6",
+};
+
+static uint32_t ipfw_stealth_stats_needs_flush = FALSE;
+static uint32_t ipfw_stealth_stats[IPFW_STEALTH_STATS_MAX];
+
+static void ipfw_stealth_flush_stats(void);
+void ipfw_stealth_stats_incr_udp(void);
+void ipfw_stealth_stats_incr_tcp(void);
+void ipfw_stealth_stats_incr_udpv6(void);
+void ipfw_stealth_stats_incr_tcpv6(void);
+
 /*
  * Description of dynamic rules.
  *
 /*
  * Description of dynamic rules.
  *
@@ -201,132 +271,676 @@ static u_int32_t dyn_short_lifetime = 5;
  * than dyn_keepalive_period.
  */
 
  * than dyn_keepalive_period.
  */
 
-static u_int32_t dyn_keepalive_interval = 20;
+static u_int32_t dyn_keepalive_interval = 25;
 static u_int32_t dyn_keepalive_period = 5;
 static u_int32_t dyn_keepalive_period = 5;
-static u_int32_t dyn_keepalive = 1;    /* do send keepalives */
+static u_int32_t dyn_keepalive = 1;     /* do send keepalives */
 
 
-static u_int32_t static_count; /* # of static rules */
-static u_int32_t static_len;   /* size in bytes of static rules */
-static u_int32_t dyn_count;            /* # of dynamic rules */
-static u_int32_t dyn_max = 4096;       /* max # of dynamic rules */
+static u_int32_t static_count;  /* # of static rules */
+static u_int32_t static_len;    /* size in bytes of static rules */
+static u_int32_t static_len_32; /* size in bytes of static rules for 32 bit client */
+static u_int32_t static_len_64; /* size in bytes of static rules for 64 bit client */
+static u_int32_t dyn_count;             /* # of dynamic rules */
+static u_int32_t dyn_max = 4096;        /* max # of dynamic rules */
 
 
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_buckets, 0, "Number of dyn. buckets");
     &dyn_buckets, 0, "Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD | CTLFLAG_LOCKED,
     &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
     &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD | CTLFLAG_LOCKED,
     &dyn_count, 0, "Number of dyn. rules");
     &dyn_count, 0, "Number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_max, 0, "Max number of dyn. rules");
     &dyn_max, 0, "Max number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD | CTLFLAG_LOCKED,
     &static_count, 0, "Number of static rules");
     &static_count, 0, "Number of static rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
     &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
     &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
     &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
     &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
     &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
     &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_keepalive, 0, "Enable keepalives for dyn. rules");
 
     &dyn_keepalive, 0, "Enable keepalives for dyn. rules");
 
+
+static int
+ipfw_sysctl SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2)
+       int error;
+
+       error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
+       if (error || !req->newptr) {
+               return error;
+       }
+
+       ipfw_kev_post_msg(KEV_IPFW_ENABLE);
+
+       return error;
+}
+
 #endif /* SYSCTL_NODE */
 
 
 #endif /* SYSCTL_NODE */
 
 
-static ip_fw_chk_t     ipfw_chk;
+static ip_fw_chk_t      ipfw_chk;
 
 /* firewall lock */
 lck_grp_t         *ipfw_mutex_grp;
 lck_grp_attr_t    *ipfw_mutex_grp_attr;
 lck_attr_t        *ipfw_mutex_attr;
 
 /* firewall lock */
 lck_grp_t         *ipfw_mutex_grp;
 lck_grp_attr_t    *ipfw_mutex_grp_attr;
 lck_attr_t        *ipfw_mutex_attr;
-lck_mtx_t         *ipfw_mutex;
-
-extern  void    ipfwsyslog( int level, char *format,...);
-
-#if DUMMYNET
-ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;     /* hook into dummynet */
-#endif /* DUMMYNET */
+decl_lck_mtx_data(, ipfw_mutex_data);
+lck_mtx_t         *ipfw_mutex = &ipfw_mutex_data;
 
 
-#define KEV_LOG_SUBCLASS 10
-#define IPFWLOGEVENT    0
+extern  void    ipfwsyslog( int level, const char *format, ...);
 
 #define         ipfwstring      "ipfw:"
 
 #define         ipfwstring      "ipfw:"
-static          size_t         ipfwstringlen;
+static          size_t          ipfwstringlen;
 
 
-#define dolog( a ) {           \
-       if ( fw_verbose == 2 )          /* Apple logging, log to ipfw.log */ \
-               ipfwsyslog a ;  \ 
-       else log a ;            \
+#define dolog( a ) {            \
+       if ( fw_verbose == 2 )          /* Apple logging, log to ipfw.log */ \
+               ipfwsyslog a ;  \
+       else log a ;            \
 }
 
 }
 
-void    ipfwsyslog( int level, char *format,...)
+#define RULESIZE64(rule)  (sizeof(struct ip_fw_64) + \
+                                                       ((struct ip_fw *)(rule))->cmd_len * 4 - 4)
+
+#define RULESIZE32(rule)  (sizeof(struct ip_fw_32) + \
+                                                       ((struct ip_fw *)(rule))->cmd_len * 4 - 4)
+
+void
+ipfwsyslog( int level, const char *format, ...)
 {
 {
-#define                msgsize         100
+#define         msgsize         100
 
 
-    struct kev_msg        ev_msg;
-    va_list             ap;
-    char                msgBuf[msgsize];
-    char                *dptr = msgBuf;
-    unsigned char       pri;
-    int                        loglen;
+       struct kev_msg        ev_msg;
+       va_list             ap;
+       char                msgBuf[msgsize];
+       char                *dptr = msgBuf;
+       unsigned char       pri;
+       int                 loglen;
 
 
+       bzero(msgBuf, msgsize);
+       bzero(&ev_msg, sizeof(struct kev_msg));
        va_start( ap, format );
        va_start( ap, format );
-        loglen = vsnprintf(msgBuf, msgsize, format, ap);
-        va_end( ap );
+       loglen = vsnprintf(msgBuf, msgsize, format, ap);
+       va_end( ap );
 
 
-        ev_msg.vendor_code    = KEV_VENDOR_APPLE;
-        ev_msg.kev_class      = KEV_NETWORK_CLASS;
-        ev_msg.kev_subclass   = KEV_LOG_SUBCLASS;
-        ev_msg.event_code         = IPFWLOGEVENT;
+       ev_msg.vendor_code    = KEV_VENDOR_APPLE;
+       ev_msg.kev_class      = KEV_NETWORK_CLASS;
+       ev_msg.kev_subclass   = KEV_LOG_SUBCLASS;
+       ev_msg.event_code         = IPFWLOGEVENT;
 
        /* get rid of the trailing \n */
 
        /* get rid of the trailing \n */
-       dptr[loglen-1] = 0;
-
-        pri = LOG_PRI(level);
-
-        /* remove "ipfw:" prefix if logging to ipfw log */
-        if ( !(strncmp( ipfwstring, msgBuf, ipfwstringlen))){
-                dptr = msgBuf+ipfwstringlen;
-        }
-       
-        ev_msg.dv[0].data_ptr = &pri;
-        ev_msg.dv[0].data_length = 1;
-        ev_msg.dv[1].data_ptr    = dptr;
-        ev_msg.dv[1].data_length = 100; /* bug in kern_post_msg, it can't handle size > 256-msghdr */
-        ev_msg.dv[2].data_length = 0;
-
-        kev_post_msg(&ev_msg);
+       if (loglen < msgsize) {
+               dptr[loglen - 1] = 0;
+       } else {
+               dptr[msgsize - 1] = 0;
+       }
+
+       pri = LOG_PRI(level);
+
+       /* remove "ipfw:" prefix if logging to ipfw log */
+       if (!(strncmp( ipfwstring, msgBuf, ipfwstringlen))) {
+               dptr = msgBuf + ipfwstringlen;
+       }
+
+       ev_msg.dv[0].data_ptr = &pri;
+       ev_msg.dv[0].data_length = 1;
+       ev_msg.dv[1].data_ptr    = dptr;
+       ev_msg.dv[1].data_length = 100; /* bug in kern_post_msg, it can't handle size > 256-msghdr */
+       ev_msg.dv[2].data_length = 0;
+
+       kev_post_msg(&ev_msg);
+}
+
+static inline void
+ipfw_stealth_stats_incr(uint32_t type)
+{
+       if (type >= IPFW_STEALTH_STATS_MAX) {
+               return;
+       }
+
+       ipfw_stealth_stats[type]++;
+
+       if (!ipfw_stealth_stats_needs_flush) {
+               ipfw_stealth_stats_needs_flush = TRUE;
+       }
+}
+
+void
+ipfw_stealth_stats_incr_udp(void)
+{
+       ipfw_stealth_stats_incr(IPFW_STEALTH_STATS_UDP);
+}
+
+void
+ipfw_stealth_stats_incr_tcp(void)
+{
+       ipfw_stealth_stats_incr(IPFW_STEALTH_STATS_TCP);
+}
+
+void
+ipfw_stealth_stats_incr_udpv6(void)
+{
+       ipfw_stealth_stats_incr(IPFW_STEALTH_STATS_UDPv6);
+}
+
+void
+ipfw_stealth_stats_incr_tcpv6(void)
+{
+       ipfw_stealth_stats_incr(IPFW_STEALTH_STATS_TCPv6);
+}
+
+static void
+ipfw_stealth_flush_stats(void)
+{
+       int i;
+
+       for (i = 0; i < IPFW_STEALTH_STATS_MAX; i++) {
+               if (ipfw_stealth_stats[i]) {
+                       ipfwsyslog(LOG_INFO, "Stealth Mode connection attempt to %s %d times",
+                           ipfw_stealth_stats_str[i], ipfw_stealth_stats[i]);
+                       ipfw_stealth_stats[i] = 0;
+               }
+       }
+       ipfw_stealth_stats_needs_flush = FALSE;
 }
 
 /*
  * This macro maps an ip pointer into a layer3 header pointer of type T
  */
 }
 
 /*
  * This macro maps an ip pointer into a layer3 header pointer of type T
  */
-#define        L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
+#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
 
 static __inline int
 icmptype_match(struct ip *ip, ipfw_insn_u32 *cmd)
 {
 
 static __inline int
 icmptype_match(struct ip *ip, ipfw_insn_u32 *cmd)
 {
-       int type = L3HDR(struct icmp,ip)->icmp_type;
+       int type = L3HDR(struct icmp, ip)->icmp_type;
 
 
-       return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1<<type)) );
+       return type <= ICMP_MAXTYPE && (cmd->d[0] & (1 << type));
 }
 
 }
 
-#define TT     ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \
+#define TT      ( (1 << ICMP_ECHO) | (1 << ICMP_ROUTERSOLICIT) | \
     (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) )
 
 static int
 is_icmp_query(struct ip *ip)
 {
        int type = L3HDR(struct icmp, ip)->icmp_type;
     (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) )
 
 static int
 is_icmp_query(struct ip *ip)
 {
        int type = L3HDR(struct icmp, ip)->icmp_type;
-       return (type <= ICMP_MAXTYPE && (TT & (1<<type)) );
+       return type <= ICMP_MAXTYPE && (TT & (1 << type));
 }
 #undef TT
 
 }
 #undef TT
 
+static int
+Get32static_len(void)
+{
+       int     diff;
+       int len = static_len_32;
+       struct ip_fw *rule;
+       char             *useraction;
+
+       for (rule = layer3_chain; rule; rule = rule->next) {
+               if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
+                       continue;
+               }
+               if (rule->act_ofs) {
+                       useraction =  (char*)ACTION_PTR( rule );
+                       if (((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE) {
+                               diff = sizeof(ipfw_insn_pipe) - sizeof(ipfw_insn_pipe_32);
+                               if (diff) {
+                                       len -= diff;
+                               }
+                       }
+               }
+       }
+       return len;
+}
+
+static int
+Get64static_len(void)
+{
+       int     diff;
+       int len = static_len_64;
+       struct ip_fw *rule;
+       char             *useraction;
+
+       for (rule = layer3_chain; rule; rule = rule->next) {
+               if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
+                       continue;
+               }
+               if (rule->act_ofs) {
+                       useraction =  (char *)ACTION_PTR( rule );
+                       if (((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE) {
+                               diff = sizeof(ipfw_insn_pipe_64) - sizeof(ipfw_insn_pipe);
+                               if (diff) {
+                                       len += diff;
+                               }
+                       }
+               }
+       }
+       return len;
+}
+
+static void
+copyto32fw_insn( struct ip_fw_32 *fw32, struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw32action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff = 0;
+       int                     actioncopysize;
+
+       end = ((char*)user_ip_fw->cmd) + cmdsize;
+       useraction = (char*)ACTION_PTR( user_ip_fw );
+       fw32action = (char*)fw32->cmd + (user_ip_fw->act_ofs * sizeof(uint32_t));
+       if ((justcmdsize = (fw32action - (char*)fw32->cmd))) {
+               bcopy( user_ip_fw->cmd, fw32->cmd, justcmdsize);
+       }
+       while (useraction < end) {
+               if (((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE) {
+                       actioncopysize = sizeof(ipfw_insn_pipe_32);
+                       ((ipfw_insn*)fw32action)->opcode = ((ipfw_insn*)useraction)->opcode;
+                       ((ipfw_insn*)fw32action)->arg1 = ((ipfw_insn*)useraction)->arg1;
+                       ((ipfw_insn*)fw32action)->len = F_INSN_SIZE(ipfw_insn_pipe_32);
+                       diff = ((ipfw_insn*)useraction)->len - ((ipfw_insn*)fw32action)->len;
+                       if (diff) {
+                               fw32->cmd_len -= diff;
+                       }
+               } else {
+                       actioncopysize =  (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1) * sizeof(uint32_t);
+                       bcopy( useraction, fw32action, actioncopysize );
+               }
+               useraction += (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1) * sizeof(uint32_t);
+               fw32action += actioncopysize;
+       }
+}
+
+static void
+copyto64fw_insn( struct ip_fw_64 *fw64, struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw64action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char *)user_ip_fw->cmd) + cmdsize;
+       useraction = (char*)ACTION_PTR( user_ip_fw );
+       if ((justcmdsize = (useraction - (char*)user_ip_fw->cmd))) {
+               bcopy( user_ip_fw->cmd, fw64->cmd, justcmdsize);
+       }
+       fw64action = (char*)fw64->cmd + justcmdsize;
+       while (useraction < end) {
+               if (((ipfw_insn*)user_ip_fw)->opcode == O_QUEUE || ((ipfw_insn*)user_ip_fw)->opcode == O_PIPE) {
+                       actioncopysize = sizeof(ipfw_insn_pipe_64);
+                       ((ipfw_insn*)fw64action)->opcode = ((ipfw_insn*)useraction)->opcode;
+                       ((ipfw_insn*)fw64action)->arg1 = ((ipfw_insn*)useraction)->arg1;
+                       ((ipfw_insn*)fw64action)->len = F_INSN_SIZE(ipfw_insn_pipe_64);
+                       diff = ((ipfw_insn*)fw64action)->len - ((ipfw_insn*)useraction)->len;
+                       if (diff) {
+                               fw64->cmd_len += diff;
+                       }
+               } else {
+                       actioncopysize = (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1) * sizeof(uint32_t);
+                       bcopy( useraction, fw64action, actioncopysize );
+               }
+               useraction += (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1) * sizeof(uint32_t);
+               fw64action += actioncopysize;
+       }
+}
+
+static void
+copyto32fw( struct ip_fw *user_ip_fw, struct ip_fw_32 *fw32, __unused size_t copysize)
+{
+       size_t  rulesize, cmdsize;
+
+       fw32->version = user_ip_fw->version;
+       fw32->context = CAST_DOWN_EXPLICIT( user32_addr_t, user_ip_fw->context);
+       fw32->next = CAST_DOWN_EXPLICIT(user32_addr_t, user_ip_fw->next);
+       fw32->next_rule = CAST_DOWN_EXPLICIT(user32_addr_t, user_ip_fw->next_rule);
+       fw32->act_ofs = user_ip_fw->act_ofs;
+       fw32->cmd_len = user_ip_fw->cmd_len;
+       fw32->rulenum = user_ip_fw->rulenum;
+       fw32->set = user_ip_fw->set;
+       fw32->set_masks[0] = user_ip_fw->set_masks[0];
+       fw32->set_masks[1] = user_ip_fw->set_masks[1];
+       fw32->pcnt = user_ip_fw->pcnt;
+       fw32->bcnt = user_ip_fw->bcnt;
+       fw32->timestamp = user_ip_fw->timestamp;
+       fw32->reserved_1 = user_ip_fw->reserved_1;
+       fw32->reserved_2 = user_ip_fw->reserved_2;
+       rulesize = sizeof(struct ip_fw_32) + (user_ip_fw->cmd_len * sizeof(ipfw_insn) - 4);
+       cmdsize = user_ip_fw->cmd_len * sizeof(u_int32_t);
+       copyto32fw_insn( fw32, user_ip_fw, cmdsize );
+}
+
+static void
+copyto64fw( struct ip_fw *user_ip_fw, struct ip_fw_64   *fw64, size_t copysize)
+{
+       size_t  rulesize, cmdsize;
+
+       fw64->version = user_ip_fw->version;
+       fw64->context = CAST_DOWN_EXPLICIT(__uint64_t, user_ip_fw->context);
+       fw64->next = CAST_DOWN_EXPLICIT(user64_addr_t, user_ip_fw->next);
+       fw64->next_rule = CAST_DOWN_EXPLICIT(user64_addr_t, user_ip_fw->next_rule);
+       fw64->act_ofs = user_ip_fw->act_ofs;
+       fw64->cmd_len = user_ip_fw->cmd_len;
+       fw64->rulenum = user_ip_fw->rulenum;
+       fw64->set = user_ip_fw->set;
+       fw64->set_masks[0] = user_ip_fw->set_masks[0];
+       fw64->set_masks[1] = user_ip_fw->set_masks[1];
+       fw64->pcnt = user_ip_fw->pcnt;
+       fw64->bcnt = user_ip_fw->bcnt;
+       fw64->timestamp = user_ip_fw->timestamp;
+       fw64->reserved_1 = user_ip_fw->reserved_1;
+       fw64->reserved_2 = user_ip_fw->reserved_2;
+       rulesize = sizeof(struct ip_fw_64) + (user_ip_fw->cmd_len * sizeof(ipfw_insn) - 4);
+       if (rulesize > copysize) {
+               cmdsize = copysize - sizeof(struct ip_fw_64) + 4;
+       } else {
+               cmdsize = user_ip_fw->cmd_len * sizeof(u_int32_t);
+       }
+       copyto64fw_insn( fw64, user_ip_fw, cmdsize);
+}
+
+static int
+copyfrom32fw_insn( struct ip_fw_32 *fw32, struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw32action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char*)fw32->cmd) + cmdsize;
+       fw32action = (char*)ACTION_PTR( fw32 );
+       if ((justcmdsize = (fw32action - (char*)fw32->cmd))) {
+               bcopy( fw32->cmd, user_ip_fw->cmd, justcmdsize);
+       }
+       useraction = (char*)user_ip_fw->cmd + justcmdsize;
+       while (fw32action < end) {
+               if (((ipfw_insn*)fw32action)->opcode == O_QUEUE || ((ipfw_insn*)fw32action)->opcode == O_PIPE) {
+                       actioncopysize = sizeof(ipfw_insn_pipe);
+                       ((ipfw_insn*)useraction)->opcode = ((ipfw_insn*)fw32action)->opcode;
+                       ((ipfw_insn*)useraction)->arg1 = ((ipfw_insn*)fw32action)->arg1;
+                       ((ipfw_insn*)useraction)->len = F_INSN_SIZE(ipfw_insn_pipe);
+                       diff = ((ipfw_insn*)useraction)->len - ((ipfw_insn*)fw32action)->len;
+                       if (diff) {
+                               /* readjust the cmd_len */
+                               user_ip_fw->cmd_len += diff;
+                       }
+               } else {
+                       actioncopysize = (F_LEN((ipfw_insn*)fw32action) ? (F_LEN((ipfw_insn*)fw32action)) : 1) * sizeof(uint32_t);
+                       bcopy( fw32action, useraction, actioncopysize );
+               }
+               fw32action += (F_LEN((ipfw_insn*)fw32action) ? (F_LEN((ipfw_insn*)fw32action)) : 1) * sizeof(uint32_t);
+               useraction += actioncopysize;
+       }
+
+       return useraction - (char*)user_ip_fw->cmd;
+}
+
+static int
+copyfrom64fw_insn( struct ip_fw_64 *fw64, struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw64action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char *)fw64->cmd) + cmdsize;
+       fw64action = (char*)ACTION_PTR( fw64 );
+       if ((justcmdsize = (fw64action - (char*)fw64->cmd))) {
+               bcopy( fw64->cmd, user_ip_fw->cmd, justcmdsize);
+       }
+       useraction = (char*)user_ip_fw->cmd + justcmdsize;
+       while (fw64action < end) {
+               if (((ipfw_insn*)fw64action)->opcode == O_QUEUE || ((ipfw_insn*)fw64action)->opcode == O_PIPE) {
+                       actioncopysize = sizeof(ipfw_insn_pipe);
+                       ((ipfw_insn*)useraction)->opcode = ((ipfw_insn*)fw64action)->opcode;
+                       ((ipfw_insn*)useraction)->arg1 = ((ipfw_insn*)fw64action)->arg1;
+                       ((ipfw_insn*)useraction)->len = F_INSN_SIZE(ipfw_insn_pipe);
+                       diff = ((ipfw_insn*)fw64action)->len - ((ipfw_insn*)useraction)->len;
+                       if (diff) {
+                               /* readjust the cmd_len */
+                               user_ip_fw->cmd_len -= diff;
+                       }
+               } else {
+                       actioncopysize = (F_LEN((ipfw_insn*)fw64action) ? (F_LEN((ipfw_insn*)fw64action)) : 1) * sizeof(uint32_t);
+                       bcopy( fw64action, useraction, actioncopysize );
+               }
+               fw64action += (F_LEN((ipfw_insn*)fw64action) ? (F_LEN((ipfw_insn*)fw64action)) : 1) * sizeof(uint32_t);
+               useraction += actioncopysize;
+       }
+       return useraction - (char*)user_ip_fw->cmd;
+}
+
+static size_t
+copyfrom32fw( struct ip_fw_32   *fw32, struct ip_fw *user_ip_fw, size_t copysize)
+{
+       size_t rulesize, cmdsize;
+
+       user_ip_fw->version = fw32->version;
+       user_ip_fw->context = CAST_DOWN(void *, fw32->context);
+       user_ip_fw->next = CAST_DOWN(struct ip_fw*, fw32->next);
+       user_ip_fw->next_rule = CAST_DOWN_EXPLICIT(struct ip_fw*, fw32->next_rule);
+       user_ip_fw->act_ofs = fw32->act_ofs;
+       user_ip_fw->cmd_len = fw32->cmd_len;
+       user_ip_fw->rulenum = fw32->rulenum;
+       user_ip_fw->set = fw32->set;
+       user_ip_fw->set_masks[0] = fw32->set_masks[0];
+       user_ip_fw->set_masks[1] = fw32->set_masks[1];
+       user_ip_fw->pcnt = fw32->pcnt;
+       user_ip_fw->bcnt = fw32->bcnt;
+       user_ip_fw->timestamp = fw32->timestamp;
+       user_ip_fw->reserved_1 = fw32->reserved_1;
+       user_ip_fw->reserved_2 = fw32->reserved_2;
+       rulesize = sizeof(struct ip_fw_32) + (fw32->cmd_len * sizeof(ipfw_insn) - 4);
+       if (rulesize > copysize) {
+               cmdsize = copysize - sizeof(struct ip_fw_32) - 4;
+       } else {
+               cmdsize = fw32->cmd_len * sizeof(ipfw_insn);
+       }
+       cmdsize = copyfrom32fw_insn( fw32, user_ip_fw, cmdsize);
+       return sizeof(struct ip_fw) + cmdsize - 4;
+}
+
+static size_t
+copyfrom64fw( struct ip_fw_64 *fw64, struct ip_fw *user_ip_fw, size_t copysize)
+{
+       size_t rulesize, cmdsize;
+
+       user_ip_fw->version = fw64->version;
+       user_ip_fw->context = CAST_DOWN_EXPLICIT( void *, fw64->context);
+       user_ip_fw->next = CAST_DOWN_EXPLICIT(struct ip_fw*, fw64->next);
+       user_ip_fw->next_rule = CAST_DOWN_EXPLICIT(struct ip_fw*, fw64->next_rule);
+       user_ip_fw->act_ofs = fw64->act_ofs;
+       user_ip_fw->cmd_len = fw64->cmd_len;
+       user_ip_fw->rulenum = fw64->rulenum;
+       user_ip_fw->set = fw64->set;
+       user_ip_fw->set_masks[0] = fw64->set_masks[0];
+       user_ip_fw->set_masks[1] = fw64->set_masks[1];
+       user_ip_fw->pcnt = fw64->pcnt;
+       user_ip_fw->bcnt = fw64->bcnt;
+       user_ip_fw->timestamp = fw64->timestamp;
+       user_ip_fw->reserved_1 = fw64->reserved_1;
+       user_ip_fw->reserved_2 = fw64->reserved_2;
+       //bcopy( fw64->cmd, user_ip_fw->cmd, fw64->cmd_len * sizeof(ipfw_insn));
+       rulesize = sizeof(struct ip_fw_64) + (fw64->cmd_len * sizeof(ipfw_insn) - 4);
+       if (rulesize > copysize) {
+               cmdsize = copysize - sizeof(struct ip_fw_64) - 4;
+       } else {
+               cmdsize = fw64->cmd_len * sizeof(ipfw_insn);
+       }
+       cmdsize = copyfrom64fw_insn( fw64, user_ip_fw, cmdsize);
+       return sizeof(struct ip_fw) + cmdsize - 4;
+}
+
+void
+externalize_flow_id(struct ipfw_flow_id *dst, struct ip_flow_id *src);
+void
+externalize_flow_id(struct ipfw_flow_id *dst, struct ip_flow_id *src)
+{
+       dst->dst_ip = src->dst_ip;
+       dst->src_ip = src->src_ip;
+       dst->dst_port = src->dst_port;
+       dst->src_port = src->src_port;
+       dst->proto = src->proto;
+       dst->flags = src->flags;
+}
+
+static
+void
+cp_dyn_to_comp_32( struct ipfw_dyn_rule_compat_32 *dyn_rule_vers1, int *len)
+{
+       struct ipfw_dyn_rule_compat_32 *dyn_last = NULL;
+       ipfw_dyn_rule   *p;
+       int i;
+
+       if (ipfw_dyn_v) {
+               for (i = 0; i < curr_dyn_buckets; i++) {
+                       for (p = ipfw_dyn_v[i]; p != NULL; p = p->next) {
+                               dyn_rule_vers1->chain = (user32_addr_t)(p->rule->rulenum);
+                               externalize_flow_id(&dyn_rule_vers1->id, &p->id);
+                               externalize_flow_id(&dyn_rule_vers1->mask, &p->id);
+                               dyn_rule_vers1->type = p->dyn_type;
+                               dyn_rule_vers1->expire = p->expire;
+                               dyn_rule_vers1->pcnt = p->pcnt;
+                               dyn_rule_vers1->bcnt = p->bcnt;
+                               dyn_rule_vers1->bucket = p->bucket;
+                               dyn_rule_vers1->state = p->state;
+
+                               dyn_rule_vers1->next = CAST_DOWN_EXPLICIT( user32_addr_t, p->next);
+                               dyn_last = dyn_rule_vers1;
+
+                               *len += sizeof(*dyn_rule_vers1);
+                               dyn_rule_vers1++;
+                       }
+               }
+
+               if (dyn_last != NULL) {
+                       dyn_last->next = ((user32_addr_t)0);
+               }
+       }
+}
+
+
+static
+void
+cp_dyn_to_comp_64( struct ipfw_dyn_rule_compat_64 *dyn_rule_vers1, int *len)
+{
+       struct ipfw_dyn_rule_compat_64 *dyn_last = NULL;
+       ipfw_dyn_rule   *p;
+       int i;
+
+       if (ipfw_dyn_v) {
+               for (i = 0; i < curr_dyn_buckets; i++) {
+                       for (p = ipfw_dyn_v[i]; p != NULL; p = p->next) {
+                               dyn_rule_vers1->chain = (user64_addr_t) p->rule->rulenum;
+                               externalize_flow_id(&dyn_rule_vers1->id, &p->id);
+                               externalize_flow_id(&dyn_rule_vers1->mask, &p->id);
+                               dyn_rule_vers1->type = p->dyn_type;
+                               dyn_rule_vers1->expire = p->expire;
+                               dyn_rule_vers1->pcnt = p->pcnt;
+                               dyn_rule_vers1->bcnt = p->bcnt;
+                               dyn_rule_vers1->bucket = p->bucket;
+                               dyn_rule_vers1->state = p->state;
+
+                               dyn_rule_vers1->next = CAST_DOWN(user64_addr_t, p->next);
+                               dyn_last = dyn_rule_vers1;
+
+                               *len += sizeof(*dyn_rule_vers1);
+                               dyn_rule_vers1++;
+                       }
+               }
+
+               if (dyn_last != NULL) {
+                       dyn_last->next = CAST_DOWN(user64_addr_t, NULL);
+               }
+       }
+}
+
+static int
+sooptcopyin_fw( struct sockopt *sopt, struct ip_fw *user_ip_fw, size_t *size )
+{
+       size_t  valsize, copyinsize = 0;
+       int     error = 0;
+
+       valsize = sopt->sopt_valsize;
+       if (size) {
+               copyinsize = *size;
+       }
+       if (proc_is64bit(sopt->sopt_p)) {
+               struct ip_fw_64 *fw64 = NULL;
+
+               if (valsize < sizeof(struct ip_fw_64)) {
+                       return EINVAL;
+               }
+               if (!copyinsize) {
+                       copyinsize = sizeof(struct ip_fw_64);
+               }
+               if (valsize > copyinsize) {
+                       sopt->sopt_valsize = valsize = copyinsize;
+               }
+
+               if (sopt->sopt_p != 0) {
+                       fw64 = _MALLOC(copyinsize, M_TEMP, M_WAITOK);
+                       if (fw64 == NULL) {
+                               return ENOBUFS;
+                       }
+                       if ((error = copyin(sopt->sopt_val, fw64, valsize)) != 0) {
+                               _FREE(fw64, M_TEMP);
+                               return error;
+                       }
+               } else {
+                       bcopy(CAST_DOWN(caddr_t, sopt->sopt_val), fw64, valsize);
+               }
+               valsize = copyfrom64fw( fw64, user_ip_fw, valsize );
+               _FREE( fw64, M_TEMP);
+       } else {
+               struct ip_fw_32 *fw32 = NULL;
+
+               if (valsize < sizeof(struct ip_fw_32)) {
+                       return EINVAL;
+               }
+               if (!copyinsize) {
+                       copyinsize = sizeof(struct ip_fw_32);
+               }
+               if (valsize > copyinsize) {
+                       sopt->sopt_valsize = valsize = copyinsize;
+               }
+
+               if (sopt->sopt_p != 0) {
+                       fw32 = _MALLOC(copyinsize, M_TEMP, M_WAITOK);
+                       if (fw32 == NULL) {
+                               return ENOBUFS;
+                       }
+                       if ((error = copyin(sopt->sopt_val, fw32, valsize)) != 0) {
+                               _FREE( fw32, M_TEMP);
+                               return error;
+                       }
+               } else {
+                       bcopy(CAST_DOWN(caddr_t, sopt->sopt_val), fw32, valsize);
+               }
+               valsize = copyfrom32fw( fw32, user_ip_fw, valsize);
+               _FREE( fw32, M_TEMP);
+       }
+       if (size) {
+               *size = valsize;
+       }
+       return error;
+}
+
 /*
  * The following checks use two arrays of 8 or 16 bits to store the
  * bits that we want set or clear, respectively. They are in the
 /*
  * The following checks use two arrays of 8 or 16 bits to store the
  * bits that we want set or clear, respectively. They are in the
@@ -345,11 +959,13 @@ flags_match(ipfw_insn *cmd, u_int8_t bits)
        u_char want_clear;
        bits = ~bits;
 
        u_char want_clear;
        bits = ~bits;
 
-       if ( ((cmd->arg1 & 0xff) & bits) != 0)
+       if (((cmd->arg1 & 0xff) & bits) != 0) {
                return 0; /* some bits we want set were clear */
                return 0; /* some bits we want set were clear */
+       }
        want_clear = (cmd->arg1 >> 8) & 0xff;
        want_clear = (cmd->arg1 >> 8) & 0xff;
-       if ( (want_clear & bits) != want_clear)
+       if ((want_clear & bits) != want_clear) {
                return 0; /* some bits we want clear were set */
                return 0; /* some bits we want clear were set */
+       }
        return 1;
 }
 
        return 1;
 }
 
@@ -358,22 +974,23 @@ ipopts_match(struct ip *ip, ipfw_insn *cmd)
 {
        int optlen, bits = 0;
        u_char *cp = (u_char *)(ip + 1);
 {
        int optlen, bits = 0;
        u_char *cp = (u_char *)(ip + 1);
-       int x = (ip->ip_hl << 2) - sizeof (struct ip);
+       int x = (ip->ip_hl << 2) - sizeof(struct ip);
 
        for (; x > 0; x -= optlen, cp += optlen) {
                int opt = cp[IPOPT_OPTVAL];
 
 
        for (; x > 0; x -= optlen, cp += optlen) {
                int opt = cp[IPOPT_OPTVAL];
 
-               if (opt == IPOPT_EOL)
+               if (opt == IPOPT_EOL) {
                        break;
                        break;
-               if (opt == IPOPT_NOP)
+               }
+               if (opt == IPOPT_NOP) {
                        optlen = 1;
                        optlen = 1;
-               else {
+               else {
                        optlen = cp[IPOPT_OLEN];
                        optlen = cp[IPOPT_OLEN];
-                       if (optlen <= 0 || optlen > x)
+                       if (optlen <= 0 || optlen > x) {
                                return 0; /* invalid or truncated */
                                return 0; /* invalid or truncated */
+                       }
                }
                switch (opt) {
                }
                switch (opt) {
-
                default:
                        break;
 
                default:
                        break;
 
@@ -394,31 +1011,32 @@ ipopts_match(struct ip *ip, ipfw_insn *cmd)
                        break;
                }
        }
                        break;
                }
        }
-       return (flags_match(cmd, bits));
+       return flags_match(cmd, bits);
 }
 
 static int
 tcpopts_match(struct ip *ip, ipfw_insn *cmd)
 {
        int optlen, bits = 0;
 }
 
 static int
 tcpopts_match(struct ip *ip, ipfw_insn *cmd)
 {
        int optlen, bits = 0;
-       struct tcphdr *tcp = L3HDR(struct tcphdr,ip);
+       struct tcphdr *tcp = L3HDR(struct tcphdr, ip);
        u_char *cp = (u_char *)(tcp + 1);
        int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
 
        for (; x > 0; x -= optlen, cp += optlen) {
                int opt = cp[0];
        u_char *cp = (u_char *)(tcp + 1);
        int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
 
        for (; x > 0; x -= optlen, cp += optlen) {
                int opt = cp[0];
-               if (opt == TCPOPT_EOL)
+               if (opt == TCPOPT_EOL) {
                        break;
                        break;
-               if (opt == TCPOPT_NOP)
+               }
+               if (opt == TCPOPT_NOP) {
                        optlen = 1;
                        optlen = 1;
-               else {
+               else {
                        optlen = cp[1];
                        optlen = cp[1];
-                       if (optlen <= 0)
+                       if (optlen <= 0) {
                                break;
                                break;
+                       }
                }
 
                switch (opt) {
                }
 
                switch (opt) {
-
                default:
                        break;
 
                default:
                        break;
 
@@ -446,40 +1064,46 @@ tcpopts_match(struct ip *ip, ipfw_insn *cmd)
                        break;
                }
        }
                        break;
                }
        }
-       return (flags_match(cmd, bits));
+       return flags_match(cmd, bits);
 }
 
 static int
 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
 {
 }
 
 static int
 iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
 {
-       if (ifp == NULL)        /* no iface with this packet, match fails */
+       if (ifp == NULL) {      /* no iface with this packet, match fails */
                return 0;
                return 0;
+       }
        /* Check by name or by IP address */
        if (cmd->name[0] != '\0') { /* match by name */
                /* Check unit number (-1 is wildcard) */
        /* Check by name or by IP address */
        if (cmd->name[0] != '\0') { /* match by name */
                /* Check unit number (-1 is wildcard) */
-               if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
-                       return(0);
+               if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit) {
+                       return 0;
+               }
                /* Check name */
                /* Check name */
-               if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
-                       return(1);
+               if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ)) {
+                       return 1;
+               }
        } else {
                struct ifaddr *ia;
 
                ifnet_lock_shared(ifp);
                TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
        } else {
                struct ifaddr *ia;
 
                ifnet_lock_shared(ifp);
                TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
-                       if (ia->ifa_addr == NULL)
-                               continue;
-                       if (ia->ifa_addr->sa_family != AF_INET)
+                       IFA_LOCK(ia);
+                       if (ia->ifa_addr->sa_family != AF_INET) {
+                               IFA_UNLOCK(ia);
                                continue;
                                continue;
+                       }
                        if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
                            (ia->ifa_addr))->sin_addr.s_addr) {
                        if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
                            (ia->ifa_addr))->sin_addr.s_addr) {
+                               IFA_UNLOCK(ia);
                                ifnet_lock_done(ifp);
                                ifnet_lock_done(ifp);
-                               return(1);      /* match */
+                               return 1;      /* match */
                        }
                        }
+                       IFA_UNLOCK(ia);
                }
                ifnet_lock_done(ifp);
        }
                }
                ifnet_lock_done(ifp);
        }
-       return(0);      /* no match, fail ... */
+       return 0;      /* no match, fail ... */
 }
 
 /*
 }
 
 /*
@@ -502,29 +1126,36 @@ verify_rev_path(struct in_addr src, struct ifnet *ifp)
        static struct route ro;
        struct sockaddr_in *dst;
 
        static struct route ro;
        struct sockaddr_in *dst;
 
+       bzero(&ro, sizeof(ro));
        dst = (struct sockaddr_in *)&(ro.ro_dst);
 
        /* Check if we've cached the route from the previous call. */
        if (src.s_addr != dst->sin_addr.s_addr) {
        dst = (struct sockaddr_in *)&(ro.ro_dst);
 
        /* Check if we've cached the route from the previous call. */
        if (src.s_addr != dst->sin_addr.s_addr) {
-               ro.ro_rt = NULL;
-
-               bzero(dst, sizeof(*dst));
                dst->sin_family = AF_INET;
                dst->sin_len = sizeof(*dst);
                dst->sin_addr = src;
 
                dst->sin_family = AF_INET;
                dst->sin_len = sizeof(*dst);
                dst->sin_addr = src;
 
-               rtalloc_ign(&ro, RTF_CLONING|RTF_PRCLONING);
+               rtalloc_ign(&ro, RTF_CLONING | RTF_PRCLONING, false);
        }
        }
-
-       if ((ro.ro_rt == NULL) || (ifp == NULL) ||
-           (ro.ro_rt->rt_ifp->if_index != ifp->if_index))
+       if (ro.ro_rt != NULL) {
+               RT_LOCK_SPIN(ro.ro_rt);
+       } else {
+               ROUTE_RELEASE(&ro);
+               return 0;       /* No route */
+       }
+       if ((ifp == NULL) ||
+           (ro.ro_rt->rt_ifp->if_index != ifp->if_index)) {
+               RT_UNLOCK(ro.ro_rt);
+               ROUTE_RELEASE(&ro);
                return 0;
                return 0;
-
+       }
+       RT_UNLOCK(ro.ro_rt);
+       ROUTE_RELEASE(&ro);
        return 1;
 }
 
 
        return 1;
 }
 
 
-static u_int64_t norule_counter;       /* counter for ipfw_log(NULL...) */
+static u_int64_t norule_counter;        /* counter for ipfw_log(NULL...) */
 
 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
 #define SNP(buf) buf, sizeof(buf)
 
 #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
 #define SNP(buf) buf, sizeof(buf)
@@ -535,35 +1166,40 @@ static u_int64_t norule_counter; /* counter for ipfw_log(NULL...) */
  */
 static void
 ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
  */
 static void
 ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
-       struct mbuf *m, struct ifnet *oif)
+    struct mbuf *m, struct ifnet *oif)
 {
 {
-       char *action;
+       const char *action;
        int limit_reached = 0;
        char ipv4str[MAX_IPv4_STR_LEN];
        char action2[40], proto[48], fragment[28];
        int limit_reached = 0;
        char ipv4str[MAX_IPv4_STR_LEN];
        char action2[40], proto[48], fragment[28];
-       
+
        fragment[0] = '\0';
        proto[0] = '\0';
 
        fragment[0] = '\0';
        proto[0] = '\0';
 
-       if (f == NULL) {        /* bogus pkt */
-               if (verbose_limit != 0 && norule_counter >= verbose_limit)
+       if (f == NULL) {        /* bogus pkt */
+               if (verbose_limit != 0 && norule_counter >= verbose_limit) {
                        return;
                        return;
+               }
                norule_counter++;
                norule_counter++;
-               if (norule_counter == verbose_limit)
+               if (norule_counter == verbose_limit) {
                        limit_reached = verbose_limit;
                        limit_reached = verbose_limit;
+               }
                action = "Refuse";
                action = "Refuse";
-       } else {        /* O_LOG is the first action, find the real one */
+       } else {        /* O_LOG is the first action, find the real one */
                ipfw_insn *cmd = ACTION_PTR(f);
                ipfw_insn_log *l = (ipfw_insn_log *)cmd;
 
                ipfw_insn *cmd = ACTION_PTR(f);
                ipfw_insn_log *l = (ipfw_insn_log *)cmd;
 
-               if (l->max_log != 0 && l->log_left == 0)
+               if (l->max_log != 0 && l->log_left == 0) {
                        return;
                        return;
+               }
                l->log_left--;
                l->log_left--;
-               if (l->log_left == 0)
+               if (l->log_left == 0) {
                        limit_reached = l->max_log;
                        limit_reached = l->max_log;
-               cmd += F_LEN(cmd);      /* point to first action */
-               if (cmd->opcode == O_PROB)
+               }
+               cmd += F_LEN(cmd);      /* point to first action */
+               if (cmd->opcode == O_PROB) {
                        cmd += F_LEN(cmd);
                        cmd += F_LEN(cmd);
+               }
 
                action = action2;
                switch (cmd->opcode) {
 
                action = action2;
                switch (cmd->opcode) {
@@ -572,13 +1208,14 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
                        break;
 
                case O_REJECT:
                        break;
 
                case O_REJECT:
-                       if (cmd->arg1==ICMP_REJECT_RST)
+                       if (cmd->arg1 == ICMP_REJECT_RST) {
                                action = "Reset";
                                action = "Reset";
-                       else if (cmd->arg1==ICMP_UNREACH_HOST)
+                       } else if (cmd->arg1 == ICMP_UNREACH_HOST) {
                                action = "Reject";
                                action = "Reject";
-                       else
+                       } else {
                                snprintf(SNPARGS(action2, 0), "Unreach %d",
                                snprintf(SNPARGS(action2, 0), "Unreach %d",
-                                       cmd->arg1);
+                                   cmd->arg1);
+                       }
                        break;
 
                case O_ACCEPT:
                        break;
 
                case O_ACCEPT:
@@ -589,23 +1226,23 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
                        break;
                case O_DIVERT:
                        snprintf(SNPARGS(action2, 0), "Divert %d",
                        break;
                case O_DIVERT:
                        snprintf(SNPARGS(action2, 0), "Divert %d",
-                               cmd->arg1);
+                           cmd->arg1);
                        break;
                case O_TEE:
                        snprintf(SNPARGS(action2, 0), "Tee %d",
                        break;
                case O_TEE:
                        snprintf(SNPARGS(action2, 0), "Tee %d",
-                               cmd->arg1);
+                           cmd->arg1);
                        break;
                case O_SKIPTO:
                        snprintf(SNPARGS(action2, 0), "SkipTo %d",
                        break;
                case O_SKIPTO:
                        snprintf(SNPARGS(action2, 0), "SkipTo %d",
-                               cmd->arg1);
+                           cmd->arg1);
                        break;
                case O_PIPE:
                        snprintf(SNPARGS(action2, 0), "Pipe %d",
                        break;
                case O_PIPE:
                        snprintf(SNPARGS(action2, 0), "Pipe %d",
-                               cmd->arg1);
+                           cmd->arg1);
                        break;
                case O_QUEUE:
                        snprintf(SNPARGS(action2, 0), "Queue %d",
                        break;
                case O_QUEUE:
                        snprintf(SNPARGS(action2, 0), "Queue %d",
-                               cmd->arg1);
+                           cmd->arg1);
                        break;
                case O_FORWARD_IP: {
                        ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
                        break;
                case O_FORWARD_IP: {
                        ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd;
@@ -615,19 +1252,20 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
                                break;
                        }
                        len = snprintf(SNPARGS(action2, 0), "Forward to %s",
                                break;
                        }
                        len = snprintf(SNPARGS(action2, 0), "Forward to %s",
-                               inet_ntop(AF_INET, &sa->sa.sin_addr, ipv4str, sizeof(ipv4str)));
-                       if (sa->sa.sin_port)
+                           inet_ntop(AF_INET, &sa->sa.sin_addr, ipv4str, sizeof(ipv4str)));
+                       if (sa->sa.sin_port) {
                                snprintf(SNPARGS(action2, len), ":%d",
                                    sa->sa.sin_port);
                        }
                                snprintf(SNPARGS(action2, len), ":%d",
                                    sa->sa.sin_port);
                        }
-                       break;
+               }
+               break;
                default:
                        action = "UNKNOWN";
                        break;
                }
        }
 
                default:
                        action = "UNKNOWN";
                        break;
                }
        }
 
-       if (hlen == 0) {        /* non-ip */
+       if (hlen == 0) {        /* non-ip */
                snprintf(SNPARGS(proto, 0), "MAC");
        } else {
                struct ip *ip = mtod(m, struct ip *);
                snprintf(SNPARGS(proto, 0), "MAC");
        } else {
                struct ip *ip = mtod(m, struct ip *);
@@ -652,36 +1290,39 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
                case IPPROTO_TCP:
                        len = snprintf(SNPARGS(proto, 0), "TCP %s",
                            inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
                case IPPROTO_TCP:
                        len = snprintf(SNPARGS(proto, 0), "TCP %s",
                            inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
-                       if (offset == 0)
+                       if (offset == 0) {
                                snprintf(SNPARGS(proto, len), ":%d %s:%d",
                                    ntohs(tcp->th_sport),
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)),
                                    ntohs(tcp->th_dport));
                                snprintf(SNPARGS(proto, len), ":%d %s:%d",
                                    ntohs(tcp->th_sport),
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)),
                                    ntohs(tcp->th_dport));
-                       else
+                       } else {
                                snprintf(SNPARGS(proto, len), " %s",
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)));
                                snprintf(SNPARGS(proto, len), " %s",
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)));
+                       }
                        break;
 
                case IPPROTO_UDP:
                        len = snprintf(SNPARGS(proto, 0), "UDP %s",
                        break;
 
                case IPPROTO_UDP:
                        len = snprintf(SNPARGS(proto, 0), "UDP %s",
-                               inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
-                       if (offset == 0)
+                           inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
+                       if (offset == 0) {
                                snprintf(SNPARGS(proto, len), ":%d %s:%d",
                                    ntohs(udp->uh_sport),
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)),
                                    ntohs(udp->uh_dport));
                                snprintf(SNPARGS(proto, len), ":%d %s:%d",
                                    ntohs(udp->uh_sport),
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)),
                                    ntohs(udp->uh_dport));
-                       else
+                       } else {
                                snprintf(SNPARGS(proto, len), " %s",
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)));
                                snprintf(SNPARGS(proto, len), " %s",
                                    inet_ntop(AF_INET, &ip->ip_dst, ipv4str, sizeof(ipv4str)));
+                       }
                        break;
 
                case IPPROTO_ICMP:
                        break;
 
                case IPPROTO_ICMP:
-                       if (offset == 0)
+                       if (offset == 0) {
                                len = snprintf(SNPARGS(proto, 0),
                                    "ICMP:%u.%u ",
                                    icmp->icmp_type, icmp->icmp_code);
                                len = snprintf(SNPARGS(proto, 0),
                                    "ICMP:%u.%u ",
                                    icmp->icmp_type, icmp->icmp_code);
-                       else
+                       } else {
                                len = snprintf(SNPARGS(proto, 0), "ICMP ");
                                len = snprintf(SNPARGS(proto, 0), "ICMP ");
+                       }
                        len += snprintf(SNPARGS(proto, len), "%s",
                            inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
                        snprintf(SNPARGS(proto, len), " %s",
                        len += snprintf(SNPARGS(proto, len), "%s",
                            inet_ntop(AF_INET, &ip->ip_src, ipv4str, sizeof(ipv4str)));
                        snprintf(SNPARGS(proto, len), " %s",
@@ -696,29 +1337,28 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
                        break;
                }
 
                        break;
                }
 
-               if (ip_off & (IP_MF | IP_OFFMASK))
+               if (ip_off & (IP_MF | IP_OFFMASK)) {
                        snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
                        snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)",
-                            ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
-                            offset << 3,
-                            (ip_off & IP_MF) ? "+" : "");
+                           ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2),
+                           offset << 3,
+                           (ip_off & IP_MF) ? "+" : "");
+               }
        }
        }
-       if (oif || m->m_pkthdr.rcvif)
-       {
+       if (oif || m->m_pkthdr.rcvif) {
                dolog((LOG_AUTHPRIV | LOG_INFO,
                    "ipfw: %d %s %s %s via %s%d%s\n",
                    f ? f->rulenum : -1,
                    action, proto, oif ? "out" : "in",
                    oif ? oif->if_name : m->m_pkthdr.rcvif->if_name,
                    oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit,
                dolog((LOG_AUTHPRIV | LOG_INFO,
                    "ipfw: %d %s %s %s via %s%d%s\n",
                    f ? f->rulenum : -1,
                    action, proto, oif ? "out" : "in",
                    oif ? oif->if_name : m->m_pkthdr.rcvif->if_name,
                    oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit,
-                   fragment)); 
-       }
-       else{
+                   fragment));
+       } else {
                dolog((LOG_AUTHPRIV | LOG_INFO,
                    "ipfw: %d %s %s [no if info]%s\n",
                    f ? f->rulenum : -1,
                    action, proto, fragment));
        }
                dolog((LOG_AUTHPRIV | LOG_INFO,
                    "ipfw: %d %s %s [no if info]%s\n",
                    f ? f->rulenum : -1,
                    action, proto, fragment));
        }
-       if (limit_reached){
+       if (limit_reached) {
                dolog((LOG_AUTHPRIV | LOG_NOTICE,
                    "ipfw: limit %d reached on entry %d\n",
                    limit_reached, f ? f->rulenum : -1));
                dolog((LOG_AUTHPRIV | LOG_NOTICE,
                    "ipfw: limit %d reached on entry %d\n",
                    limit_reached, f ? f->rulenum : -1));
@@ -731,7 +1371,7 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
  * and we want to find both in the same bucket.
  */
 static __inline int
  * and we want to find both in the same bucket.
  */
 static __inline int
-hash_packet(struct ipfw_flow_id *id)
+hash_packet(struct ip_flow_id *id)
 {
        u_int32_t i;
 
 {
        u_int32_t i;
 
@@ -746,23 +1386,23 @@ hash_packet(struct ipfw_flow_id *id)
  * head is a pointer to the head of the queue.
  * Modifies q and potentially also head.
  */
  * head is a pointer to the head of the queue.
  * Modifies q and potentially also head.
  */
-#define UNLINK_DYN_RULE(prev, head, q) {                               \
-       ipfw_dyn_rule *old_q = q;                                       \
-                                                                       \
-       /* remove a refcount to the parent */                           \
-       if (q->dyn_type == O_LIMIT)                                     \
-               q->parent->count--;                                     \
+#define UNLINK_DYN_RULE(prev, head, q) {                                \
+       ipfw_dyn_rule *old_q = q;                                       \
+                                                                        \
+       /* remove a refcount to the parent */                           \
+       if (q->dyn_type == O_LIMIT)                                     \
+               q->parent->count--;                                     \
        DEB(printf("ipfw: unlink entry 0x%08x %d -> 0x%08x %d, %d left\n",\
        DEB(printf("ipfw: unlink entry 0x%08x %d -> 0x%08x %d, %d left\n",\
-               (q->id.src_ip), (q->id.src_port),                       \
-               (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); )      \
-       if (prev != NULL)                                               \
-               prev->next = q = q->next;                               \
-       else                                                            \
-               head = q = q->next;                                     \
-       dyn_count--;                                                    \
+               (q->id.src_ip), (q->id.src_port),                       \
+               (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); )      \
+       if (prev != NULL)                                               \
+               prev->next = q = q->next;                               \
+       else                                                            \
+               head = q = q->next;                                     \
+       dyn_count--;                                                    \
        _FREE(old_q, M_IPFW); }
 
        _FREE(old_q, M_IPFW); }
 
-#define TIME_LEQ(a,b)       ((int)((a)-(b)) <= 0)
+#define TIME_LEQ(a, b)       ((int)((a)-(b)) <= 0)
 
 /**
  * Remove dynamic rules pointing to "rule", or all of them if rule == NULL.
 
 /**
  * Remove dynamic rules pointing to "rule", or all of them if rule == NULL.
@@ -789,11 +1429,13 @@ remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me)
 
        getmicrotime(&timenow);
 
 
        getmicrotime(&timenow);
 
-       if (ipfw_dyn_v == NULL || dyn_count == 0)
+       if (ipfw_dyn_v == NULL || dyn_count == 0) {
                return;
                return;
+       }
        /* do not expire more than once per second, it is useless */
        /* do not expire more than once per second, it is useless */
-       if (!FORCE && last_remove == timenow.tv_sec)
+       if (!FORCE && last_remove == timenow.tv_sec) {
                return;
                return;
+       }
        last_remove = timenow.tv_sec;
 
        /*
        last_remove = timenow.tv_sec;
 
        /*
@@ -802,44 +1444,49 @@ remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me)
         * them in a second pass.
         */
 next_pass:
         * them in a second pass.
         */
 next_pass:
-       for (i = 0 ; i < curr_dyn_buckets ; i++) {
-               for (prev=NULL, q = ipfw_dyn_v[i] ; q ; ) {
+       for (i = 0; i < curr_dyn_buckets; i++) {
+               for (prev = NULL, q = ipfw_dyn_v[i]; q;) {
                        /*
                         * Logic can become complex here, so we split tests.
                         */
                        /*
                         * Logic can become complex here, so we split tests.
                         */
-                       if (q == keep_me)
+                       if (q == keep_me) {
                                goto next;
                                goto next;
-                       if (rule != NULL && rule != q->rule)
+                       }
+                       if (rule != NULL && rule != q->rule) {
                                goto next; /* not the one we are looking for */
                                goto next; /* not the one we are looking for */
+                       }
                        if (q->dyn_type == O_LIMIT_PARENT) {
                                /*
                                 * handle parent in the second pass,
                                 * record we need one.
                                 */
                                max_pass = 1;
                        if (q->dyn_type == O_LIMIT_PARENT) {
                                /*
                                 * handle parent in the second pass,
                                 * record we need one.
                                 */
                                max_pass = 1;
-                               if (pass == 0)
+                               if (pass == 0) {
                                        goto next;
                                        goto next;
-                               if (FORCE && q->count != 0 ) {
+                               }
+                               if (FORCE && q->count != 0) {
                                        /* XXX should not happen! */
                                        printf("ipfw: OUCH! cannot remove rule,"
                                        /* XXX should not happen! */
                                        printf("ipfw: OUCH! cannot remove rule,"
-                                            " count %d\n", q->count);
+                                           " count %d\n", q->count);
                                }
                        } else {
                                if (!FORCE &&
                                }
                        } else {
                                if (!FORCE &&
-                                   !TIME_LEQ( q->expire, timenow.tv_sec ))
+                                   !TIME_LEQ( q->expire, timenow.tv_sec )) {
                                        goto next;
                                        goto next;
+                               }
                        }
                        if (q->dyn_type != O_LIMIT_PARENT || !q->count) {
                                UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
                                continue;
                        }
 next:
                        }
                        if (q->dyn_type != O_LIMIT_PARENT || !q->count) {
                                UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
                                continue;
                        }
 next:
-                       prev=q;
-                       q=q->next;
+                       prev = q;
+                       q = q->next;
                }
        }
                }
        }
-       if (pass++ < max_pass)
+       if (pass++ < max_pass) {
                goto next_pass;
                goto next_pass;
+       }
 }
 
 
 }
 
 
@@ -847,60 +1494,62 @@ next:
  * lookup a dynamic rule.
  */
 static ipfw_dyn_rule *
  * lookup a dynamic rule.
  */
 static ipfw_dyn_rule *
-lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction,
-       struct tcphdr *tcp)
+lookup_dyn_rule(struct ip_flow_id *pkt, int *match_direction,
+    struct tcphdr *tcp)
 {
        /*
         * stateful ipfw extensions.
         * Lookup into dynamic session queue
         */
 {
        /*
         * stateful ipfw extensions.
         * Lookup into dynamic session queue
         */
-#define MATCH_REVERSE  0
-#define MATCH_FORWARD  1
-#define MATCH_NONE     2
-#define MATCH_UNKNOWN  3
+#define MATCH_REVERSE   0
+#define MATCH_FORWARD   1
+#define MATCH_NONE      2
+#define MATCH_UNKNOWN   3
 #define BOTH_SYN        (TH_SYN | (TH_SYN << 8))
 #define BOTH_FIN        (TH_FIN | (TH_FIN << 8))
 
        int i, dir = MATCH_NONE;
 #define BOTH_SYN        (TH_SYN | (TH_SYN << 8))
 #define BOTH_FIN        (TH_FIN | (TH_FIN << 8))
 
        int i, dir = MATCH_NONE;
-       ipfw_dyn_rule *prev, *q=NULL;
+       ipfw_dyn_rule *prev, *q = NULL;
        struct timeval timenow;
 
        getmicrotime(&timenow);
 
        struct timeval timenow;
 
        getmicrotime(&timenow);
 
-       if (ipfw_dyn_v == NULL)
-               goto done;      /* not found */
+       if (ipfw_dyn_v == NULL) {
+               goto done;      /* not found */
+       }
        i = hash_packet( pkt );
        i = hash_packet( pkt );
-       for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) {
-               if (q->dyn_type == O_LIMIT_PARENT && q->count)
+       for (prev = NULL, q = ipfw_dyn_v[i]; q != NULL;) {
+               if (q->dyn_type == O_LIMIT_PARENT && q->count) {
                        goto next;
                        goto next;
+               }
                if (TIME_LEQ( q->expire, timenow.tv_sec)) { /* expire entry */
                if (TIME_LEQ( q->expire, timenow.tv_sec)) { /* expire entry */
-                        int     dounlink = 1;
+                       int     dounlink = 1;
 
                        /* check if entry is TCP */
 
                        /* check if entry is TCP */
-                        if ( q->id.proto == IPPROTO_TCP )
-                        {
-                                /* do not delete an established TCP connection which hasn't been closed by both sides */
-                                if ( (q->state & (BOTH_SYN | BOTH_FIN)) != (BOTH_SYN | BOTH_FIN) )
-                                        dounlink = 0;
-                        }
-                        if ( dounlink ){
-                                UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
-                                continue;
-                        }
+                       if (q->id.proto == IPPROTO_TCP) {
+                               /* do not delete an established TCP connection which hasn't been closed by both sides */
+                               if ((q->state & (BOTH_SYN | BOTH_FIN)) != (BOTH_SYN | BOTH_FIN)) {
+                                       dounlink = 0;
+                               }
+                       }
+                       if (dounlink) {
+                               UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
+                               continue;
+                       }
                }
                if (pkt->proto == q->id.proto &&
                    q->dyn_type != O_LIMIT_PARENT) {
                        if (pkt->src_ip == q->id.src_ip &&
                            pkt->dst_ip == q->id.dst_ip &&
                            pkt->src_port == q->id.src_port &&
                }
                if (pkt->proto == q->id.proto &&
                    q->dyn_type != O_LIMIT_PARENT) {
                        if (pkt->src_ip == q->id.src_ip &&
                            pkt->dst_ip == q->id.dst_ip &&
                            pkt->src_port == q->id.src_port &&
-                           pkt->dst_port == q->id.dst_port ) {
+                           pkt->dst_port == q->id.dst_port) {
                                dir = MATCH_FORWARD;
                                break;
                        }
                        if (pkt->src_ip == q->id.dst_ip &&
                            pkt->dst_ip == q->id.src_ip &&
                            pkt->src_port == q->id.dst_port &&
                                dir = MATCH_FORWARD;
                                break;
                        }
                        if (pkt->src_ip == q->id.dst_ip &&
                            pkt->dst_ip == q->id.src_ip &&
                            pkt->src_port == q->id.dst_port &&
-                           pkt->dst_port == q->id.src_port ) {
+                           pkt->dst_port == q->id.src_port) {
                                dir = MATCH_REVERSE;
                                break;
                        }
                                dir = MATCH_REVERSE;
                                break;
                        }
@@ -909,49 +1558,50 @@ next:
                prev = q;
                q = q->next;
        }
                prev = q;
                q = q->next;
        }
-       if (q == NULL)
+       if (q == NULL) {
                goto done; /* q = NULL, not found */
                goto done; /* q = NULL, not found */
-
-       if ( prev != NULL) { /* found and not in front */
+       }
+       if (prev != NULL) {  /* found and not in front */
                prev->next = q->next;
                q->next = ipfw_dyn_v[i];
                ipfw_dyn_v[i] = q;
        }
        if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */
                prev->next = q->next;
                q->next = ipfw_dyn_v[i];
                ipfw_dyn_v[i] = q;
        }
        if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */
-               u_char flags = pkt->flags & (TH_FIN|TH_SYN|TH_RST);
+               u_char flags = pkt->flags & (TH_FIN | TH_SYN | TH_RST);
 
 
-               q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8);
+               q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8);
                switch (q->state) {
                switch (q->state) {
-               case TH_SYN:                            /* opening */
+               case TH_SYN:                            /* opening */
                        q->expire = timenow.tv_sec + dyn_syn_lifetime;
                        break;
 
                        q->expire = timenow.tv_sec + dyn_syn_lifetime;
                        break;
 
-               case BOTH_SYN:                  /* move to established */
-               case BOTH_SYN | TH_FIN :        /* one side tries to close */
-               case BOTH_SYN | (TH_FIN << 8) :
-                       if (tcp) {
-#define _SEQ_GE(a,b) ((int)(a) - (int)(b) >= 0)
-                           u_int32_t ack = ntohl(tcp->th_ack);
-                           if (dir == MATCH_FORWARD) {
-                               if (q->ack_fwd == 0 || _SEQ_GE(ack, q->ack_fwd))
-                                   q->ack_fwd = ack;
-                               else { /* ignore out-of-sequence */
-                                   break;
-                               }
-                           } else {
-                               if (q->ack_rev == 0 || _SEQ_GE(ack, q->ack_rev))
-                                   q->ack_rev = ack;
-                               else { /* ignore out-of-sequence */
-                                   break;
+               case BOTH_SYN:                  /* move to established */
+               case BOTH_SYN | TH_FIN:         /* one side tries to close */
+               case BOTH_SYN | (TH_FIN << 8):
+                       if (tcp) {
+#define _SEQ_GE(a, b) ((int)(a) - (int)(b) >= 0)
+                               u_int32_t ack = ntohl(tcp->th_ack);
+                               if (dir == MATCH_FORWARD) {
+                                       if (q->ack_fwd == 0 || _SEQ_GE(ack, q->ack_fwd)) {
+                                               q->ack_fwd = ack;
+                                       } else { /* ignore out-of-sequence */
+                                               break;
+                                       }
+                               } else {
+                                       if (q->ack_rev == 0 || _SEQ_GE(ack, q->ack_rev)) {
+                                               q->ack_rev = ack;
+                                       } else { /* ignore out-of-sequence */
+                                               break;
+                                       }
                                }
                                }
-                           }
                        }
                        q->expire = timenow.tv_sec + dyn_ack_lifetime;
                        break;
 
                        }
                        q->expire = timenow.tv_sec + dyn_ack_lifetime;
                        break;
 
-               case BOTH_SYN | BOTH_FIN:       /* both sides closed */
-                       if (dyn_fin_lifetime >= dyn_keepalive_period)
+               case BOTH_SYN | BOTH_FIN:       /* both sides closed */
+                       if (dyn_fin_lifetime >= dyn_keepalive_period) {
                                dyn_fin_lifetime = dyn_keepalive_period - 1;
                                dyn_fin_lifetime = dyn_keepalive_period - 1;
+                       }
                        q->expire = timenow.tv_sec + dyn_fin_lifetime;
                        break;
 
                        q->expire = timenow.tv_sec + dyn_fin_lifetime;
                        break;
 
@@ -961,11 +1611,13 @@ next:
                         * reset or some invalid combination, but can also
                         * occur if we use keep-state the wrong way.
                         */
                         * reset or some invalid combination, but can also
                         * occur if we use keep-state the wrong way.
                         */
-                       if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
+                       if ((q->state & ((TH_RST << 8) | TH_RST)) == 0) {
                                printf("invalid state: 0x%x\n", q->state);
                                printf("invalid state: 0x%x\n", q->state);
+                       }
 #endif
 #endif
-                       if (dyn_rst_lifetime >= dyn_keepalive_period)
+                       if (dyn_rst_lifetime >= dyn_keepalive_period) {
                                dyn_rst_lifetime = dyn_keepalive_period - 1;
                                dyn_rst_lifetime = dyn_keepalive_period - 1;
+                       }
                        q->expire = timenow.tv_sec + dyn_rst_lifetime;
                        break;
                }
                        q->expire = timenow.tv_sec + dyn_rst_lifetime;
                        break;
                }
@@ -976,8 +1628,9 @@ next:
                q->expire = timenow.tv_sec + dyn_short_lifetime;
        }
 done:
                q->expire = timenow.tv_sec + dyn_short_lifetime;
        }
 done:
-       if (match_direction)
+       if (match_direction) {
                *match_direction = dir;
                *match_direction = dir;
+       }
        return q;
 }
 
        return q;
 }
 
@@ -990,20 +1643,23 @@ realloc_dynamic_table(void)
         * default to 1024.
         */
 
         * default to 1024.
         */
 
-       if (dyn_buckets > 65536)
+       if (dyn_buckets > 65536) {
                dyn_buckets = 1024;
                dyn_buckets = 1024;
-       if ((dyn_buckets & (dyn_buckets-1)) != 0) { /* not a power of 2 */
+       }
+       if ((dyn_buckets & (dyn_buckets - 1)) != 0) { /* not a power of 2 */
                dyn_buckets = curr_dyn_buckets; /* reset */
                return;
        }
        curr_dyn_buckets = dyn_buckets;
                dyn_buckets = curr_dyn_buckets; /* reset */
                return;
        }
        curr_dyn_buckets = dyn_buckets;
-       if (ipfw_dyn_v != NULL)
+       if (ipfw_dyn_v != NULL) {
                _FREE(ipfw_dyn_v, M_IPFW);
                _FREE(ipfw_dyn_v, M_IPFW);
+       }
        for (;;) {
                ipfw_dyn_v = _MALLOC(curr_dyn_buckets * sizeof(ipfw_dyn_rule *),
        for (;;) {
                ipfw_dyn_v = _MALLOC(curr_dyn_buckets * sizeof(ipfw_dyn_rule *),
-                      M_IPFW, M_NOWAIT | M_ZERO);
-               if (ipfw_dyn_v != NULL || curr_dyn_buckets <= 2)
+                   M_IPFW, M_NOWAIT | M_ZERO);
+               if (ipfw_dyn_v != NULL || curr_dyn_buckets <= 2) {
                        break;
                        break;
+               }
                curr_dyn_buckets /= 2;
        }
 }
                curr_dyn_buckets /= 2;
        }
 }
@@ -1019,7 +1675,7 @@ realloc_dynamic_table(void)
  * - "parent" rules for the above (O_LIMIT_PARENT).
  */
 static ipfw_dyn_rule *
  * - "parent" rules for the above (O_LIMIT_PARENT).
  */
 static ipfw_dyn_rule *
-add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
+add_dyn_rule(struct ip_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
 {
        ipfw_dyn_rule *r;
        int i;
 {
        ipfw_dyn_rule *r;
        int i;
@@ -1030,15 +1686,16 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
        if (ipfw_dyn_v == NULL ||
            (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
                realloc_dynamic_table();
        if (ipfw_dyn_v == NULL ||
            (dyn_count == 0 && dyn_buckets != curr_dyn_buckets)) {
                realloc_dynamic_table();
-               if (ipfw_dyn_v == NULL)
+               if (ipfw_dyn_v == NULL) {
                        return NULL; /* failed ! */
                        return NULL; /* failed ! */
+               }
        }
        i = hash_packet(id);
 
        r = _MALLOC(sizeof *r, M_IPFW, M_NOWAIT | M_ZERO);
        if (r == NULL) {
 #if IPFW_DEBUG
        }
        i = hash_packet(id);
 
        r = _MALLOC(sizeof *r, M_IPFW, M_NOWAIT | M_ZERO);
        if (r == NULL) {
 #if IPFW_DEBUG
-               printf ("ipfw: sorry cannot allocate state\n");
+               printf("ipfw: sorry cannot allocate state\n");
 #endif
                return NULL;
        }
 #endif
                return NULL;
        }
@@ -1046,8 +1703,9 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
        /* increase refcount on parent, and set pointer */
        if (dyn_type == O_LIMIT) {
                ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule;
        /* increase refcount on parent, and set pointer */
        if (dyn_type == O_LIMIT) {
                ipfw_dyn_rule *parent = (ipfw_dyn_rule *)rule;
-               if ( parent->dyn_type != O_LIMIT_PARENT)
+               if (parent->dyn_type != O_LIMIT_PARENT) {
                        panic("invalid parent");
                        panic("invalid parent");
+               }
                parent->count++;
                r->parent = parent;
                rule = parent->rule;
                parent->count++;
                r->parent = parent;
                rule = parent->rule;
@@ -1065,10 +1723,10 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
        ipfw_dyn_v[i] = r;
        dyn_count++;
        DEB(printf("ipfw: add dyn entry ty %d 0x%08x %d -> 0x%08x %d, total %d\n",
        ipfw_dyn_v[i] = r;
        dyn_count++;
        DEB(printf("ipfw: add dyn entry ty %d 0x%08x %d -> 0x%08x %d, total %d\n",
-          dyn_type,
-          (r->id.src_ip), (r->id.src_port),
-          (r->id.dst_ip), (r->id.dst_port),
-          dyn_count ); )
+           dyn_type,
+           (r->id.src_ip), (r->id.src_port),
+           (r->id.dst_ip), (r->id.dst_port),
+           dyn_count ); )
        return r;
 }
 
        return r;
 }
 
@@ -1077,7 +1735,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule)
  * If the lookup fails, then install one.
  */
 static ipfw_dyn_rule *
  * If the lookup fails, then install one.
  */
 static ipfw_dyn_rule *
-lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
+lookup_dyn_parent(struct ip_flow_id *pkt, struct ip_fw *rule)
 {
        ipfw_dyn_rule *q;
        int i;
 {
        ipfw_dyn_rule *q;
        int i;
@@ -1087,18 +1745,20 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
 
        if (ipfw_dyn_v) {
                i = hash_packet( pkt );
 
        if (ipfw_dyn_v) {
                i = hash_packet( pkt );
-               for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next)
+               for (q = ipfw_dyn_v[i]; q != NULL; q = q->next) {
                        if (q->dyn_type == O_LIMIT_PARENT &&
                        if (q->dyn_type == O_LIMIT_PARENT &&
-                           rule== q->rule &&
+                           rule == q->rule &&
                            pkt->proto == q->id.proto &&
                            pkt->src_ip == q->id.src_ip &&
                            pkt->dst_ip == q->id.dst_ip &&
                            pkt->src_port == q->id.src_port &&
                            pkt->dst_port == q->id.dst_port) {
                                q->expire = timenow.tv_sec + dyn_short_lifetime;
                            pkt->proto == q->id.proto &&
                            pkt->src_ip == q->id.src_ip &&
                            pkt->dst_ip == q->id.dst_ip &&
                            pkt->src_port == q->id.src_port &&
                            pkt->dst_port == q->id.dst_port) {
                                q->expire = timenow.tv_sec + dyn_short_lifetime;
-                               DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);)
+                               DEB(printf("ipfw: lookup_dyn_parent found "
+                                   "0x%llx\n", (uint64_t)VM_KERNEL_ADDRPERM(q)); )
                                return q;
                        }
                                return q;
                        }
+               }
        }
        return add_dyn_rule(pkt, O_LIMIT_PARENT, rule);
 }
        }
        return add_dyn_rule(pkt, O_LIMIT_PARENT, rule);
 }
@@ -1111,7 +1771,7 @@ lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule)
  */
 static int
 install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
  */
 static int
 install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
-       struct ip_fw_args *args)
+    struct ip_fw_args *args)
 {
        static int last_log;
        struct timeval timenow;
 {
        static int last_log;
        struct timeval timenow;
@@ -1121,10 +1781,10 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
 
        DEB(printf("ipfw: install state type %d 0x%08x %u -> 0x%08x %u\n",
            cmd->o.opcode,
 
        DEB(printf("ipfw: install state type %d 0x%08x %u -> 0x%08x %u\n",
            cmd->o.opcode,
-           (args->f_id.src_ip), (args->f_id.src_port),
-           (args->f_id.dst_ip), (args->f_id.dst_port) );)
+           (args->fwa_id.src_ip), (args->fwa_id.src_port),
+           (args->fwa_id.dst_ip), (args->fwa_id.dst_port)); )
 
 
-       q = lookup_dyn_rule(&args->f_id, NULL, NULL);
+       q = lookup_dyn_rule(&args->fwa_id, NULL, NULL);
 
        if (q != NULL) { /* should never occur */
                if (last_log != timenow.tv_sec) {
 
        if (q != NULL) { /* should never occur */
                if (last_log != timenow.tv_sec) {
@@ -1134,11 +1794,12 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
                return 0;
        }
 
                return 0;
        }
 
-       if (dyn_count >= dyn_max)
+       if (dyn_count >= dyn_max) {
                /*
                 * Run out of slots, try to remove any expired rule.
                 */
                remove_dyn_rule(NULL, (ipfw_dyn_rule *)1);
                /*
                 * Run out of slots, try to remove any expired rule.
                 */
                remove_dyn_rule(NULL, (ipfw_dyn_rule *)1);
+       }
 
        if (dyn_count >= dyn_max) {
                if (last_log != timenow.tv_sec) {
 
        if (dyn_count >= dyn_max) {
                if (last_log != timenow.tv_sec) {
@@ -1150,30 +1811,34 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
 
        switch (cmd->o.opcode) {
        case O_KEEP_STATE: /* bidir rule */
 
        switch (cmd->o.opcode) {
        case O_KEEP_STATE: /* bidir rule */
-               add_dyn_rule(&args->f_id, O_KEEP_STATE, rule);
+               add_dyn_rule(&args->fwa_id, O_KEEP_STATE, rule);
                break;
 
        case O_LIMIT: /* limit number of sessions */
                break;
 
        case O_LIMIT: /* limit number of sessions */
-           {
+       {
                u_int16_t limit_mask = cmd->limit_mask;
                u_int16_t limit_mask = cmd->limit_mask;
-               struct ipfw_flow_id id;
+               struct ip_flow_id id;
                ipfw_dyn_rule *parent;
 
                DEB(printf("ipfw: installing dyn-limit rule %d\n",
                ipfw_dyn_rule *parent;
 
                DEB(printf("ipfw: installing dyn-limit rule %d\n",
-                   cmd->conn_limit);)
+                   cmd->conn_limit); )
 
                id.dst_ip = id.src_ip = 0;
                id.dst_port = id.src_port = 0;
 
                id.dst_ip = id.src_ip = 0;
                id.dst_port = id.src_port = 0;
-               id.proto = args->f_id.proto;
-
-               if (limit_mask & DYN_SRC_ADDR)
-                       id.src_ip = args->f_id.src_ip;
-               if (limit_mask & DYN_DST_ADDR)
-                       id.dst_ip = args->f_id.dst_ip;
-               if (limit_mask & DYN_SRC_PORT)
-                       id.src_port = args->f_id.src_port;
-               if (limit_mask & DYN_DST_PORT)
-                       id.dst_port = args->f_id.dst_port;
+               id.proto = args->fwa_id.proto;
+
+               if (limit_mask & DYN_SRC_ADDR) {
+                       id.src_ip = args->fwa_id.src_ip;
+               }
+               if (limit_mask & DYN_DST_ADDR) {
+                       id.dst_ip = args->fwa_id.dst_ip;
+               }
+               if (limit_mask & DYN_SRC_PORT) {
+                       id.src_port = args->fwa_id.src_port;
+               }
+               if (limit_mask & DYN_DST_PORT) {
+                       id.dst_port = args->fwa_id.dst_port;
+               }
                parent = lookup_dyn_parent(&id, rule);
                if (parent == NULL) {
                        printf("ipfw: add parent failed\n");
                parent = lookup_dyn_parent(&id, rule);
                if (parent == NULL) {
                        printf("ipfw: add parent failed\n");
@@ -1193,34 +1858,34 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
                                return 1;
                        }
                }
                                return 1;
                        }
                }
-               add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent);
-           }
-               break;
+               add_dyn_rule(&args->fwa_id, O_LIMIT, (struct ip_fw *)parent);
+       }
+       break;
        default:
                printf("ipfw: unknown dynamic rule type %u\n", cmd->o.opcode);
                return 1;
        }
        default:
                printf("ipfw: unknown dynamic rule type %u\n", cmd->o.opcode);
                return 1;
        }
-       lookup_dyn_rule(&args->f_id, NULL, NULL); /* XXX just set lifetime */
+       lookup_dyn_rule(&args->fwa_id, NULL, NULL); /* XXX just set lifetime */
        return 0;
 }
 
 /*
        return 0;
 }
 
 /*
- * Transmit a TCP packet, containing either a RST or a keepalive.
+ * Generate a TCP packet, containing either a RST or a keepalive.
  * When flags & TH_RST, we are sending a RST packet, because of a
  * "reset" action matched the packet.
  * Otherwise we are sending a keepalive, and flags & TH_
  */
  * When flags & TH_RST, we are sending a RST packet, because of a
  * "reset" action matched the packet.
  * Otherwise we are sending a keepalive, and flags & TH_
  */
-static void
-send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
+static struct mbuf *
+send_pkt(struct ip_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
 {
        struct mbuf *m;
        struct ip *ip;
        struct tcphdr *tcp;
 {
        struct mbuf *m;
        struct ip *ip;
        struct tcphdr *tcp;
-       struct route sro;       /* fake route */
 
 
-       MGETHDR(m, M_DONTWAIT, MT_HEADER);
-       if (m == 0)
-               return;
+       MGETHDR(m, M_DONTWAIT, MT_HEADER);      /* MAC-OK */
+       if (m == 0) {
+               return NULL;
+       }
        m->m_pkthdr.rcvif = (struct ifnet *)0;
        m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
        m->m_data += max_linkhdr;
        m->m_pkthdr.rcvif = (struct ifnet *)0;
        m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
        m->m_data += max_linkhdr;
@@ -1238,14 +1903,15 @@ send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
        ip->ip_dst.s_addr = htonl(id->src_ip);
        tcp->th_sport = htons(id->dst_port);
        tcp->th_dport = htons(id->src_port);
        ip->ip_dst.s_addr = htonl(id->src_ip);
        tcp->th_sport = htons(id->dst_port);
        tcp->th_dport = htons(id->src_port);
-       if (flags & TH_RST) {   /* we are sending a RST */
+       if (flags & TH_RST) {   /* we are sending a RST */
                if (flags & TH_ACK) {
                        tcp->th_seq = htonl(ack);
                        tcp->th_ack = htonl(0);
                        tcp->th_flags = TH_RST;
                } else {
                if (flags & TH_ACK) {
                        tcp->th_seq = htonl(ack);
                        tcp->th_ack = htonl(0);
                        tcp->th_flags = TH_RST;
                } else {
-                       if (flags & TH_SYN)
+                       if (flags & TH_SYN) {
                                seq++;
                                seq++;
+                       }
                        tcp->th_seq = htonl(0);
                        tcp->th_ack = htonl(seq);
                        tcp->th_flags = TH_RST | TH_ACK;
                        tcp->th_seq = htonl(0);
                        tcp->th_ack = htonl(seq);
                        tcp->th_flags = TH_RST | TH_ACK;
@@ -1282,42 +1948,48 @@ send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
         */
        ip->ip_ttl = ip_defttl;
        ip->ip_len = m->m_pkthdr.len;
         */
        ip->ip_ttl = ip_defttl;
        ip->ip_len = m->m_pkthdr.len;
-       bzero (&sro, sizeof (sro));
-       ip_rtaddr(ip->ip_dst, &sro);
        m->m_flags |= M_SKIP_FIREWALL;
        m->m_flags |= M_SKIP_FIREWALL;
-       ip_output_list(m, 0, NULL, &sro, 0, NULL);
-       if (sro.ro_rt)
-               RTFREE(sro.ro_rt);
+
+       return m;
 }
 
 /*
  * sends a reject message, consuming the mbuf passed as an argument.
  */
 static void
 }
 
 /*
  * sends a reject message, consuming the mbuf passed as an argument.
  */
 static void
-send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
+send_reject(struct ip_fw_args *args, int code, int offset, __unused int ip_len)
 {
 {
-
        if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
                /* We need the IP header in host order for icmp_error(). */
        if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
                /* We need the IP header in host order for icmp_error(). */
-               if (args->eh != NULL) {
-                       struct ip *ip = mtod(args->m, struct ip *);
+               if (args->fwa_eh != NULL) {
+                       struct ip *ip = mtod(args->fwa_m, struct ip *);
                        ip->ip_len = ntohs(ip->ip_len);
                        ip->ip_off = ntohs(ip->ip_off);
                }
                        ip->ip_len = ntohs(ip->ip_len);
                        ip->ip_off = ntohs(ip->ip_off);
                }
-                args->m->m_flags |= M_SKIP_FIREWALL;
-               icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
-       } else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
+               args->fwa_m->m_flags |= M_SKIP_FIREWALL;
+               icmp_error(args->fwa_m, ICMP_UNREACH, code, 0L, 0);
+       } else if (offset == 0 && args->fwa_id.proto == IPPROTO_TCP) {
                struct tcphdr *const tcp =
                struct tcphdr *const tcp =
-                   L3HDR(struct tcphdr, mtod(args->m, struct ip *));
-               if ( (tcp->th_flags & TH_RST) == 0) {
-                       send_pkt(&(args->f_id), ntohl(tcp->th_seq),
-                               ntohl(tcp->th_ack),
-                               tcp->th_flags | TH_RST);
-               }
-               m_freem(args->m);
-       } else
-               m_freem(args->m);
-       args->m = NULL;
+                   L3HDR(struct tcphdr, mtod(args->fwa_m, struct ip *));
+               if ((tcp->th_flags & TH_RST) == 0) {
+                       struct mbuf *m;
+
+                       m = send_pkt(&(args->fwa_id), ntohl(tcp->th_seq),
+                           ntohl(tcp->th_ack),
+                           tcp->th_flags | TH_RST);
+                       if (m != NULL) {
+                               struct route sro;       /* fake route */
+
+                               bzero(&sro, sizeof(sro));
+                               ip_output(m, NULL, &sro, 0, NULL, NULL);
+                               ROUTE_RELEASE(&sro);
+                       }
+               }
+               m_freem(args->fwa_m);
+       } else {
+               m_freem(args->fwa_m);
+       }
+       args->fwa_m = NULL;
 }
 
 /**
 }
 
 /**
@@ -1343,14 +2015,19 @@ lookup_next_rule(struct ip_fw *me)
 
        /* look for action, in case it is a skipto */
        cmd = ACTION_PTR(me);
 
        /* look for action, in case it is a skipto */
        cmd = ACTION_PTR(me);
-       if (cmd->opcode == O_LOG)
+       if (cmd->opcode == O_LOG) {
                cmd += F_LEN(cmd);
                cmd += F_LEN(cmd);
-       if ( cmd->opcode == O_SKIPTO )
-               for (rule = me->next; rule ; rule = rule->next)
-                       if (rule->rulenum >= cmd->arg1)
+       }
+       if (cmd->opcode == O_SKIPTO) {
+               for (rule = me->next; rule; rule = rule->next) {
+                       if (rule->rulenum >= cmd->arg1) {
                                break;
                                break;
-       if (rule == NULL)                       /* failure or not a skipto */
+                       }
+               }
+       }
+       if (rule == NULL) {                     /* failure or not a skipto */
                rule = me->next;
                rule = me->next;
+       }
        me->next_rule = rule;
        return rule;
 }
        me->next_rule = rule;
        return rule;
 }
@@ -1363,24 +2040,24 @@ lookup_next_rule(struct ip_fw *me)
  *
  * Parameters:
  *
  *
  * Parameters:
  *
- *     args->m (in/out) The packet; we set to NULL when/if we nuke it.
+ *     args->fwa_m     (in/out) The packet; we set to NULL when/if we nuke it.
  *             Starts with the IP header.
  *             Starts with the IP header.
- *     args->eh (in)   Mac header if present, or NULL for layer3 packet.
- *     args->oif       Outgoing interface, or NULL if packet is incoming.
+ *     args->fwa_eh (in)       Mac header if present, or NULL for layer3 packet.
+ *     args->fwa_oif   Outgoing interface, or NULL if packet is incoming.
  *             The incoming interface is in the mbuf. (in)
  *             The incoming interface is in the mbuf. (in)
- *     args->divert_rule (in/out)
+ *     args->fwa_divert_rule (in/out)
  *             Skip up to the first rule past this rule number;
  *             upon return, non-zero port number for divert or tee.
  *
  *             Skip up to the first rule past this rule number;
  *             upon return, non-zero port number for divert or tee.
  *
- *     args->rule      Pointer to the last matching rule (in/out)
- *     args->next_hop  Socket we are forwarding to (out).
- *     args->f_id      Addresses grabbed from the packet (out)
+ *     args->fwa_ipfw_rule     Pointer to the last matching rule (in/out)
+ *     args->fwa_next_hop      Socket we are forwarding to (out).
+ *     args->fwa_id    Addresses grabbed from the packet (out)
  *
  * Return value:
  *
  *     IP_FW_PORT_DENY_FLAG    the packet must be dropped.
  *     0       The packet is to be accepted and routed normally OR
  *
  * Return value:
  *
  *     IP_FW_PORT_DENY_FLAG    the packet must be dropped.
  *     0       The packet is to be accepted and routed normally OR
- *             the packet was denied/rejected and has been dropped;
+ *              the packet was denied/rejected and has been dropped;
  *             in the latter case, *m is equal to NULL upon return.
  *     port    Divert the packet to port, with these caveats:
  *
  *             in the latter case, *m is equal to NULL upon return.
  *     port    Divert the packet to port, with these caveats:
  *
@@ -1403,10 +2080,10 @@ ipfw_chk(struct ip_fw_args *args)
         * the implementation of the various instructions to make sure
         * that they still work.
         *
         * the implementation of the various instructions to make sure
         * that they still work.
         *
-        * args->eh     The MAC header. It is non-null for a layer2
+        * args->fwa_eh The MAC header. It is non-null for a layer2
         *      packet, it is NULL for a layer-3 packet.
         *
         *      packet, it is NULL for a layer-3 packet.
         *
-        * m | args->m  Pointer to the mbuf, as received from the caller.
+        * m | args->fwa_m      Pointer to the mbuf, as received from the caller.
         *      It may change if ipfw_chk() does an m_pullup, or if it
         *      consumes the packet because it calls send_reject().
         *      XXX This has to change, so that ipfw_chk() never modifies
         *      It may change if ipfw_chk() does an m_pullup, or if it
         *      consumes the packet because it calls send_reject().
         *      XXX This has to change, so that ipfw_chk() never modifies
@@ -1415,25 +2092,25 @@ ipfw_chk(struct ip_fw_args *args)
         *      in sync with it (the packet is  supposed to start with
         *      the ip header).
         */
         *      in sync with it (the packet is  supposed to start with
         *      the ip header).
         */
-       struct mbuf *m = args->m;
+       struct mbuf *m = args->fwa_m;
        struct ip *ip = mtod(m, struct ip *);
 
        /*
        struct ip *ip = mtod(m, struct ip *);
 
        /*
-        * oif | args->oif      If NULL, ipfw_chk has been called on the
+        * oif | args->fwa_oif  If NULL, ipfw_chk has been called on the
         *      inbound path (ether_input, bdg_forward, ip_input).
         *      If non-NULL, ipfw_chk has been called on the outbound path
         *      (ether_output, ip_output).
         */
         *      inbound path (ether_input, bdg_forward, ip_input).
         *      If non-NULL, ipfw_chk has been called on the outbound path
         *      (ether_output, ip_output).
         */
-       struct ifnet *oif = args->oif;
+       struct ifnet *oif = args->fwa_oif;
 
 
-       struct ip_fw *f = NULL;         /* matching rule */
+       struct ip_fw *f = NULL;         /* matching rule */
        int retval = 0;
 
        /*
         * hlen The length of the IPv4 header.
         *      hlen >0 means we have an IPv4 packet.
         */
        int retval = 0;
 
        /*
         * hlen The length of the IPv4 header.
         *      hlen >0 means we have an IPv4 packet.
         */
-       u_int hlen = 0;         /* hlen >0 means we have an IP pkt */
+       u_int hlen = 0;         /* hlen >0 means we have an IP pkt */
 
        /*
         * offset       The offset of a fragment. offset != 0 means that
 
        /*
         * offset       The offset of a fragment. offset != 0 means that
@@ -1458,16 +2135,25 @@ ipfw_chk(struct ip_fw_args *args)
         *      Only valid for IPv4 packets.
         */
        u_int8_t proto;
         *      Only valid for IPv4 packets.
         */
        u_int8_t proto;
-       u_int16_t src_port = 0, dst_port = 0;   /* NOTE: host format    */
-       struct in_addr src_ip, dst_ip;          /* NOTE: network format */
-       u_int16_t ip_len=0;
+       u_int16_t src_port = 0, dst_port = 0;   /* NOTE: host format    */
+       struct in_addr src_ip = { 0 }, dst_ip = { 0 };          /* NOTE: network format */
+       u_int16_t ip_len = 0;
        int pktlen;
        int dyn_dir = MATCH_UNKNOWN;
        ipfw_dyn_rule *q = NULL;
        struct timeval timenow;
 
        int pktlen;
        int dyn_dir = MATCH_UNKNOWN;
        ipfw_dyn_rule *q = NULL;
        struct timeval timenow;
 
-       if (m->m_flags & M_SKIP_FIREWALL) {
-               return 0;       /* accept */
+       if (m->m_flags & M_SKIP_FIREWALL || fw_bypass) {
+               return 0;       /* accept */
+       }
+
+       /*
+        * Clear packet chain if we find one here.
+        */
+
+       if (m->m_nextpkt != NULL) {
+               m_freem_list(m->m_nextpkt);
+               m->m_nextpkt = NULL;
        }
 
        lck_mtx_lock(ipfw_mutex);
        }
 
        lck_mtx_lock(ipfw_mutex);
@@ -1475,28 +2161,29 @@ ipfw_chk(struct ip_fw_args *args)
        getmicrotime(&timenow);
        /*
         * dyn_dir = MATCH_UNKNOWN when rules unchecked,
        getmicrotime(&timenow);
        /*
         * dyn_dir = MATCH_UNKNOWN when rules unchecked,
-        *      MATCH_NONE when checked and not matched (q = NULL),
+        *      MATCH_NONE when checked and not matched (q = NULL),
         *      MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
         */
 
        pktlen = m->m_pkthdr.len;
         *      MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
         */
 
        pktlen = m->m_pkthdr.len;
-       if (args->eh == NULL ||         /* layer 3 packet */
-               ( m->m_pkthdr.len >= sizeof(struct ip) &&
-                   ntohs(args->eh->ether_type) == ETHERTYPE_IP))
-                       hlen = ip->ip_hl << 2;
+       if (args->fwa_eh == NULL ||             /* layer 3 packet */
+           (m->m_pkthdr.len >= sizeof(struct ip) &&
+           ntohs(args->fwa_eh->ether_type) == ETHERTYPE_IP)) {
+               hlen = ip->ip_hl << 2;
+       }
 
        /*
         * Collect parameters into local variables for faster matching.
         */
 
        /*
         * Collect parameters into local variables for faster matching.
         */
-       if (hlen == 0) {        /* do not grab addresses for non-ip pkts */
-               proto = args->f_id.proto = 0;   /* mark f_id invalid */
+       if (hlen == 0) {        /* do not grab addresses for non-ip pkts */
+               proto = args->fwa_id.proto = 0; /* mark f_id invalid */
                goto after_ip_checks;
        }
 
                goto after_ip_checks;
        }
 
-       proto = args->f_id.proto = ip->ip_p;
+       proto = args->fwa_id.proto = ip->ip_p;
        src_ip = ip->ip_src;
        dst_ip = ip->ip_dst;
        src_ip = ip->ip_src;
        dst_ip = ip->ip_dst;
-       if (args->eh != NULL) { /* layer 2 packets are as on the wire */
+       if (args->fwa_eh != NULL) { /* layer 2 packets are as on the wire */
                offset = ntohs(ip->ip_off) & IP_OFFMASK;
                ip_len = ntohs(ip->ip_len);
        } else {
                offset = ntohs(ip->ip_off) & IP_OFFMASK;
                ip_len = ntohs(ip->ip_len);
        } else {
@@ -1505,44 +2192,44 @@ ipfw_chk(struct ip_fw_args *args)
        }
        pktlen = ip_len < pktlen ? ip_len : pktlen;
 
        }
        pktlen = ip_len < pktlen ? ip_len : pktlen;
 
-#define PULLUP_TO(len)                                         \
-               do {                                            \
-                       if ((m)->m_len < (len)) {               \
-                           args->m = m = m_pullup(m, (len));   \
-                           if (m == 0)                         \
-                               goto pullup_failed;             \
-                           ip = mtod(m, struct ip *);          \
-                       }                                       \
-               } while (0)
+#define PULLUP_TO(len)                                          \
+               do {                                            \
+                       if ((m)->m_len < (len)) {               \
+                           args->fwa_m = m = m_pullup(m, (len));       \
+                           if (m == 0)                         \
+                               goto pullup_failed;             \
+                           ip = mtod(m, struct ip *);          \
+                       }                                       \
+               } while (0)
 
        if (offset == 0) {
                switch (proto) {
                case IPPROTO_TCP:
 
        if (offset == 0) {
                switch (proto) {
                case IPPROTO_TCP:
-                   {
+               {
                        struct tcphdr *tcp;
 
                        PULLUP_TO(hlen + sizeof(struct tcphdr));
                        tcp = L3HDR(struct tcphdr, ip);
                        dst_port = tcp->th_dport;
                        src_port = tcp->th_sport;
                        struct tcphdr *tcp;
 
                        PULLUP_TO(hlen + sizeof(struct tcphdr));
                        tcp = L3HDR(struct tcphdr, ip);
                        dst_port = tcp->th_dport;
                        src_port = tcp->th_sport;
-                       args->f_id.flags = tcp->th_flags;
-                       }
-                       break;
+                       args->fwa_id.flags = tcp->th_flags;
+               }
+               break;
 
                case IPPROTO_UDP:
 
                case IPPROTO_UDP:
-                   {
+               {
                        struct udphdr *udp;
 
                        PULLUP_TO(hlen + sizeof(struct udphdr));
                        udp = L3HDR(struct udphdr, ip);
                        dst_port = udp->uh_dport;
                        src_port = udp->uh_sport;
                        struct udphdr *udp;
 
                        PULLUP_TO(hlen + sizeof(struct udphdr));
                        udp = L3HDR(struct udphdr, ip);
                        dst_port = udp->uh_dport;
                        src_port = udp->uh_sport;
-                       }
-                       break;
+               }
+               break;
 
                case IPPROTO_ICMP:
 
                case IPPROTO_ICMP:
-                       PULLUP_TO(hlen + 4);    /* type, code and checksum. */
-                       args->f_id.flags = L3HDR(struct icmp, ip)->icmp_type;
+                       PULLUP_TO(hlen + 4);    /* type, code and checksum. */
+                       args->fwa_id.flags = L3HDR(struct icmp, ip)->icmp_type;
                        break;
 
                default:
                        break;
 
                default:
@@ -1551,13 +2238,13 @@ ipfw_chk(struct ip_fw_args *args)
 #undef PULLUP_TO
        }
 
 #undef PULLUP_TO
        }
 
-       args->f_id.src_ip = ntohl(src_ip.s_addr);
-       args->f_id.dst_ip = ntohl(dst_ip.s_addr);
-       args->f_id.src_port = src_port = ntohs(src_port);
-       args->f_id.dst_port = dst_port = ntohs(dst_port);
+       args->fwa_id.src_ip = ntohl(src_ip.s_addr);
+       args->fwa_id.dst_ip = ntohl(dst_ip.s_addr);
+       args->fwa_id.src_port = src_port = ntohs(src_port);
+       args->fwa_id.dst_port = dst_port = ntohs(dst_port);
 
 after_ip_checks:
 
 after_ip_checks:
-       if (args->rule) {
+       if (args->fwa_ipfw_rule) {
                /*
                 * Packet has already been tagged. Look for the next rule
                 * to restart processing.
                /*
                 * Packet has already been tagged. Look for the next rule
                 * to restart processing.
@@ -1571,31 +2258,33 @@ after_ip_checks:
                        return 0;
                }
 
                        return 0;
                }
 
-               f = args->rule->next_rule;
-               if (f == NULL)
-                       f = lookup_next_rule(args->rule);
+               f = args->fwa_ipfw_rule->next_rule;
+               if (f == NULL) {
+                       f = lookup_next_rule(args->fwa_ipfw_rule);
+               }
        } else {
                /*
                 * Find the starting rule. It can be either the first
                 * one, or the one after divert_rule if asked so.
                 */
        } else {
                /*
                 * Find the starting rule. It can be either the first
                 * one, or the one after divert_rule if asked so.
                 */
-               int skipto = args->divert_rule;
+               int skipto = args->fwa_divert_rule;
 
                f = layer3_chain;
 
                f = layer3_chain;
-               if (args->eh == NULL && skipto != 0) {
+               if (args->fwa_eh == NULL && skipto != 0) {
                        if (skipto >= IPFW_DEFAULT_RULE) {
                                lck_mtx_unlock(ipfw_mutex);
                        if (skipto >= IPFW_DEFAULT_RULE) {
                                lck_mtx_unlock(ipfw_mutex);
-                               return(IP_FW_PORT_DENY_FLAG); /* invalid */
+                               return IP_FW_PORT_DENY_FLAG; /* invalid */
                        }
                        }
-                       while (f && f->rulenum <= skipto)
+                       while (f && f->rulenum <= skipto) {
                                f = f->next;
                                f = f->next;
-                       if (f == NULL) {        /* drop packet */
+                       }
+                       if (f == NULL) {        /* drop packet */
                                lck_mtx_unlock(ipfw_mutex);
                                lck_mtx_unlock(ipfw_mutex);
-                               return(IP_FW_PORT_DENY_FLAG);
+                               return IP_FW_PORT_DENY_FLAG;
                        }
                }
        }
                        }
                }
        }
-       args->divert_rule = 0;  /* reset to avoid confusion later */
+       args->fwa_divert_rule = 0;      /* reset to avoid confusion later */
 
        /*
         * Now scan the rules, and parse microinstructions for each rule.
 
        /*
         * Now scan the rules, and parse microinstructions for each rule.
@@ -1609,12 +2298,13 @@ again:
                if (f->reserved_1 == IPFW_RULE_INACTIVE) {
                        continue;
                }
                if (f->reserved_1 == IPFW_RULE_INACTIVE) {
                        continue;
                }
-               
-               if (set_disable & (1 << f->set) )
+
+               if (set_disable & (1 << f->set)) {
                        continue;
                        continue;
+               }
 
                skip_or = 0;
 
                skip_or = 0;
-               for (l = f->cmd_len, cmd = f->cmd ; l > 0 ;
+               for (l = f->cmd_len, cmd = f->cmd; l > 0;
                    l -= cmdlen, cmd += cmdlen) {
                        int match;
 
                    l -= cmdlen, cmd += cmdlen) {
                        int match;
 
@@ -1633,9 +2323,10 @@ check_body:
                         * the following instructions to be skipped until
                         * past the one with the F_OR bit clear.
                         */
                         * the following instructions to be skipped until
                         * past the one with the F_OR bit clear.
                         */
-                       if (skip_or) {          /* skip this instruction */
-                               if ((cmd->len & F_OR) == 0)
-                                       skip_or = 0;    /* next one is good */
+                       if (skip_or) {          /* skip this instruction */
+                               if ((cmd->len & F_OR) == 0) {
+                                       skip_or = 0;    /* next one is good */
+                               }
                                continue;
                        }
                        match = 0; /* set to 1 if we succeed */
                                continue;
                        }
                        match = 0; /* set to 1 if we succeed */
@@ -1666,57 +2357,62 @@ check_body:
                                 * as this ensures that we have an IPv4
                                 * packet with the ports info.
                                 */
                                 * as this ensures that we have an IPv4
                                 * packet with the ports info.
                                 */
-                               if (offset!=0)
-                                       break;
-                                       
-                           {
-                               struct inpcbinfo *pi;
-                               int wildcard;
-                               struct inpcb *pcb;
-
-                               if (proto == IPPROTO_TCP) {
-                                       wildcard = 0;
-                                       pi = &tcbinfo;
-                               } else if (proto == IPPROTO_UDP) {
-                                       wildcard = 1;
-                                       pi = &udbinfo;
-                               } else
+                               if (offset != 0) {
                                        break;
                                        break;
+                               }
+
+                               {
+                                       struct inpcbinfo *pi;
+                                       int wildcard;
+                                       struct inpcb *pcb;
+
+                                       if (proto == IPPROTO_TCP) {
+                                               wildcard = 0;
+                                               pi = &tcbinfo;
+                                       } else if (proto == IPPROTO_UDP) {
+                                               wildcard = 1;
+                                               pi = &udbinfo;
+                                       } else {
+                                               break;
+                                       }
 
 
-                               pcb =  (oif) ?
-                                       in_pcblookup_hash(pi,
+                                       pcb =  (oif) ?
+                                           in_pcblookup_hash(pi,
                                            dst_ip, htons(dst_port),
                                            src_ip, htons(src_port),
                                            wildcard, oif) :
                                            dst_ip, htons(dst_port),
                                            src_ip, htons(src_port),
                                            wildcard, oif) :
-                                       in_pcblookup_hash(pi,
+                                           in_pcblookup_hash(pi,
                                            src_ip, htons(src_port),
                                            dst_ip, htons(dst_port),
                                            wildcard, NULL);
 
                                            src_ip, htons(src_port),
                                            dst_ip, htons(dst_port),
                                            wildcard, NULL);
 
-                               if (pcb == NULL || pcb->inp_socket == NULL)
-                                       break;
+                                       if (pcb == NULL || pcb->inp_socket == NULL) {
+                                               break;
+                                       }
 #if __FreeBSD_version < 500034
 #if __FreeBSD_version < 500034
-#define socheckuid(a,b)        (kauth_cred_getuid((a)->so_cred) != (b))
+#define socheckuid(a, b) (kauth_cred_getuid((a)->so_cred) != (b))
 #endif
 #endif
-                               if (cmd->opcode == O_UID) {
-                                       match = 
+                                       if (cmd->opcode == O_UID) {
+                                               match =
 #ifdef __APPLE__
 #ifdef __APPLE__
-                                               (pcb->inp_socket->so_uid == (uid_t)((ipfw_insn_u32 *)cmd)->d[0]);
+                                                   (kauth_cred_getuid(pcb->inp_socket->so_cred) == (uid_t)((ipfw_insn_u32 *)cmd)->d[0]);
 #else
 #else
-                                               !socheckuid(pcb->inp_socket,
-                                                  (uid_t)((ipfw_insn_u32 *)cmd)->d[0]);
+                                                   !socheckuid(pcb->inp_socket,
+                                                       (uid_t)((ipfw_insn_u32 *)cmd)->d[0]);
 #endif
 #endif
-                               } 
+                                       }
 #ifndef __APPLE__
 #ifndef __APPLE__
-                               else  {
-                                       match = 0;
-                                       kauth_cred_ismember_gid(pcb->inp_socket->so_cred, 
-                                               (gid_t)((ipfw_insn_u32 *)cmd)->d[0], &match);
-                               }
+                                       else {
+                                               match = 0;
+                                               kauth_cred_ismember_gid(pcb->inp_socket->so_cred,
+                                                   (gid_t)((ipfw_insn_u32 *)cmd)->d[0], &match);
+                                       }
 #endif
 #endif
+                                       /* release reference on pcb */
+                                       in_pcb_checkstate(pcb, WNT_RELEASE, 0);
                                }
 
                                }
 
-                       break;
+                               break;
 
                        case O_RECV:
                                match = iface_match(m->m_pkthdr.rcvif,
 
                        case O_RECV:
                                match = iface_match(m->m_pkthdr.rcvif,
@@ -1733,31 +2429,32 @@ check_body:
                                break;
 
                        case O_MACADDR2:
                                break;
 
                        case O_MACADDR2:
-                               if (args->eh != NULL) { /* have MAC header */
+                               if (args->fwa_eh != NULL) {     /* have MAC header */
                                        u_int32_t *want = (u_int32_t *)
                                        u_int32_t *want = (u_int32_t *)
-                                               ((ipfw_insn_mac *)cmd)->addr;
+                                           ((ipfw_insn_mac *)cmd)->addr;
                                        u_int32_t *mask = (u_int32_t *)
                                        u_int32_t *mask = (u_int32_t *)
-                                               ((ipfw_insn_mac *)cmd)->mask;
-                                       u_int32_t *hdr = (u_int32_t *)args->eh;
+                                           ((ipfw_insn_mac *)cmd)->mask;
+                                       u_int32_t *hdr = (u_int32_t *)args->fwa_eh;
 
                                        match =
 
                                        match =
-                                           ( want[0] == (hdr[0] & mask[0]) &&
-                                             want[1] == (hdr[1] & mask[1]) &&
-                                             want[2] == (hdr[2] & mask[2]) );
+                                           (want[0] == (hdr[0] & mask[0]) &&
+                                           want[1] == (hdr[1] & mask[1]) &&
+                                           want[2] == (hdr[2] & mask[2]));
                                }
                                break;
 
                        case O_MAC_TYPE:
                                }
                                break;
 
                        case O_MAC_TYPE:
-                               if (args->eh != NULL) {
+                               if (args->fwa_eh != NULL) {
                                        u_int16_t t =
                                        u_int16_t t =
-                                           ntohs(args->eh->ether_type);
+                                           ntohs(args->fwa_eh->ether_type);
                                        u_int16_t *p =
                                            ((ipfw_insn_u16 *)cmd)->ports;
                                        int i;
 
                                        u_int16_t *p =
                                            ((ipfw_insn_u16 *)cmd)->ports;
                                        int i;
 
-                                       for (i = cmdlen - 1; !match && i>0;
-                                           i--, p += 2)
-                                               match = (t>=p[0] && t<=p[1]);
+                                       for (i = cmdlen - 1; !match && i > 0;
+                                           i--, p += 2) {
+                                               match = (t >= p[0] && t <= p[1]);
+                                       }
                                }
                                break;
 
                                }
                                break;
 
@@ -1765,12 +2462,12 @@ check_body:
                                match = (hlen > 0 && offset != 0);
                                break;
 
                                match = (hlen > 0 && offset != 0);
                                break;
 
-                       case O_IN:      /* "out" is "not in" */
+                       case O_IN:      /* "out" is "not in" */
                                match = (oif == NULL);
                                break;
 
                        case O_LAYER2:
                                match = (oif == NULL);
                                break;
 
                        case O_LAYER2:
-                               match = (args->eh != NULL);
+                               match = (args->fwa_eh != NULL);
                                break;
 
                        case O_PROTO:
                                break;
 
                        case O_PROTO:
@@ -1790,14 +2487,15 @@ check_body:
                        case O_IP_SRC_MASK:
                        case O_IP_DST_MASK:
                                if (hlen > 0) {
                        case O_IP_SRC_MASK:
                        case O_IP_DST_MASK:
                                if (hlen > 0) {
-                                   uint32_t a =
-                                       (cmd->opcode == O_IP_DST_MASK) ?
+                                       uint32_t a =
+                                           (cmd->opcode == O_IP_DST_MASK) ?
                                            dst_ip.s_addr : src_ip.s_addr;
                                            dst_ip.s_addr : src_ip.s_addr;
-                                   uint32_t *p = ((ipfw_insn_u32 *)cmd)->d;
-                                   int i = cmdlen-1;
+                                       uint32_t *p = ((ipfw_insn_u32 *)cmd)->d;
+                                       int i = cmdlen - 1;
 
 
-                                   for (; !match && i>0; i-= 2, p+= 2)
-                                       match = (p[0] == (a & p[1]));
+                                       for (; !match && i > 0; i -= 2, p += 2) {
+                                               match = (p[0] == (a & p[1]));
+                                       }
                                }
                                break;
 
                                }
                                break;
 
@@ -1813,18 +2511,19 @@ check_body:
                        case O_IP_DST_SET:
                        case O_IP_SRC_SET:
                                if (hlen > 0) {
                        case O_IP_DST_SET:
                        case O_IP_SRC_SET:
                                if (hlen > 0) {
-                                       u_int32_t *d = (u_int32_t *)(cmd+1);
+                                       u_int32_t *d = (u_int32_t *)(cmd + 1);
                                        u_int32_t addr =
                                            cmd->opcode == O_IP_DST_SET ?
                                        u_int32_t addr =
                                            cmd->opcode == O_IP_DST_SET ?
-                                               args->f_id.dst_ip :
-                                               args->f_id.src_ip;
-
-                                           if (addr < d[0])
-                                                   break;
-                                           addr -= d[0]; /* subtract base */
-                                           match = (addr < cmd->arg1) &&
-                                               ( d[ 1 + (addr>>5)] &
-                                                 (1<<(addr & 0x1f)) );
+                                           args->fwa_id.dst_ip :
+                                           args->fwa_id.src_ip;
+
+                                       if (addr < d[0]) {
+                                               break;
+                                       }
+                                       addr -= d[0];     /* subtract base */
+                                       match = (addr < cmd->arg1) &&
+                                           (d[1 + (addr >> 5)] &
+                                           (1 << (addr & 0x1f)));
                                }
                                break;
 
                                }
                                break;
 
@@ -1850,28 +2549,29 @@ check_body:
                                 * to guarantee that we have an IPv4
                                 * packet with port info.
                                 */
                                 * to guarantee that we have an IPv4
                                 * packet with port info.
                                 */
-                               if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP)
+                               if ((proto == IPPROTO_UDP || proto == IPPROTO_TCP)
                                    && offset == 0) {
                                        u_int16_t x =
                                            (cmd->opcode == O_IP_SRCPORT) ?
                                    && offset == 0) {
                                        u_int16_t x =
                                            (cmd->opcode == O_IP_SRCPORT) ?
-                                               src_port : dst_port ;
+                                           src_port : dst_port;
                                        u_int16_t *p =
                                            ((ipfw_insn_u16 *)cmd)->ports;
                                        int i;
 
                                        u_int16_t *p =
                                            ((ipfw_insn_u16 *)cmd)->ports;
                                        int i;
 
-                                       for (i = cmdlen - 1; !match && i>0;
-                                           i--, p += 2)
-                                               match = (x>=p[0] && x<=p[1]);
+                                       for (i = cmdlen - 1; !match && i > 0;
+                                           i--, p += 2) {
+                                               match = (x >= p[0] && x <= p[1]);
+                                       }
                                }
                                break;
 
                        case O_ICMPTYPE:
                                }
                                break;
 
                        case O_ICMPTYPE:
-                               match = (offset == 0 && proto==IPPROTO_ICMP &&
-                                   icmptype_match(ip, (ipfw_insn_u32 *)cmd) );
+                               match = (offset == 0 && proto == IPPROTO_ICMP &&
+                                   icmptype_match(ip, (ipfw_insn_u32 *)cmd));
                                break;
 
                        case O_IPOPT:
                                break;
 
                        case O_IPOPT:
-                               match = (hlen > 0 && ipopts_match(ip, cmd) );
+                               match = (hlen > 0 && ipopts_match(ip, cmd));
                                break;
 
                        case O_IPVER:
                                break;
 
                        case O_IPVER:
@@ -1881,32 +2581,34 @@ check_body:
                        case O_IPID:
                        case O_IPLEN:
                        case O_IPTTL:
                        case O_IPID:
                        case O_IPLEN:
                        case O_IPTTL:
-                               if (hlen > 0) { /* only for IP packets */
-                                   uint16_t x;
-                                   uint16_t *p;
-                                   int i;
-
-                                   if (cmd->opcode == O_IPLEN)
-                                       x = ip_len;
-                                   else if (cmd->opcode == O_IPTTL)
-                                       x = ip->ip_ttl;
-                                   else /* must be IPID */
-                                       x = ntohs(ip->ip_id);
-                                   if (cmdlen == 1) {
-                                       match = (cmd->arg1 == x);
-                                       break;
-                                   }
-                                   /* otherwise we have ranges */
-                                   p = ((ipfw_insn_u16 *)cmd)->ports;
-                                   i = cmdlen - 1;
-                                   for (; !match && i>0; i--, p += 2)
-                                       match = (x >= p[0] && x <= p[1]);
+                               if (hlen > 0) { /* only for IP packets */
+                                       uint16_t x;
+                                       uint16_t *p;
+                                       int i;
+
+                                       if (cmd->opcode == O_IPLEN) {
+                                               x = ip_len;
+                                       } else if (cmd->opcode == O_IPTTL) {
+                                               x = ip->ip_ttl;
+                                       } else { /* must be IPID */
+                                               x = ntohs(ip->ip_id);
+                                       }
+                                       if (cmdlen == 1) {
+                                               match = (cmd->arg1 == x);
+                                               break;
+                                       }
+                                       /* otherwise we have ranges */
+                                       p = ((ipfw_insn_u16 *)cmd)->ports;
+                                       i = cmdlen - 1;
+                                       for (; !match && i > 0; i--, p += 2) {
+                                               match = (x >= p[0] && x <= p[1]);
+                                       }
                                }
                                break;
 
                        case O_IPPRECEDENCE:
                                match = (hlen > 0 &&
                                }
                                break;
 
                        case O_IPPRECEDENCE:
                                match = (hlen > 0 &&
-                                   (cmd->arg1 == (ip->ip_tos & 0xe0)) );
+                                   (cmd->arg1 == (ip->ip_tos & 0xe0)));
                                break;
 
                        case O_IPTOS:
                                break;
 
                        case O_IPTOS:
@@ -1917,7 +2619,7 @@ check_body:
                        case O_TCPFLAGS:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    flags_match(cmd,
                        case O_TCPFLAGS:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    flags_match(cmd,
-                                       L3HDR(struct tcphdr,ip)->th_flags));
+                                   L3HDR(struct tcphdr, ip)->th_flags));
                                break;
 
                        case O_TCPOPTS:
                                break;
 
                        case O_TCPOPTS:
@@ -1928,37 +2630,38 @@ check_body:
                        case O_TCPSEQ:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    ((ipfw_insn_u32 *)cmd)->d[0] ==
                        case O_TCPSEQ:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    ((ipfw_insn_u32 *)cmd)->d[0] ==
-                                       L3HDR(struct tcphdr,ip)->th_seq);
+                                   L3HDR(struct tcphdr, ip)->th_seq);
                                break;
 
                        case O_TCPACK:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    ((ipfw_insn_u32 *)cmd)->d[0] ==
                                break;
 
                        case O_TCPACK:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    ((ipfw_insn_u32 *)cmd)->d[0] ==
-                                       L3HDR(struct tcphdr,ip)->th_ack);
+                                   L3HDR(struct tcphdr, ip)->th_ack);
                                break;
 
                        case O_TCPWIN:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    cmd->arg1 ==
                                break;
 
                        case O_TCPWIN:
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                    cmd->arg1 ==
-                                       L3HDR(struct tcphdr,ip)->th_win);
+                                   L3HDR(struct tcphdr, ip)->th_win);
                                break;
 
                        case O_ESTAB:
                                /* reject packets which have SYN only */
                                /* XXX should i also check for TH_ACK ? */
                                match = (proto == IPPROTO_TCP && offset == 0 &&
                                break;
 
                        case O_ESTAB:
                                /* reject packets which have SYN only */
                                /* XXX should i also check for TH_ACK ? */
                                match = (proto == IPPROTO_TCP && offset == 0 &&
-                                   (L3HDR(struct tcphdr,ip)->th_flags &
-                                    (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
+                                   (L3HDR(struct tcphdr, ip)->th_flags &
+                                   (TH_RST | TH_ACK | TH_SYN)) != TH_SYN);
                                break;
 
                        case O_LOG:
                                break;
 
                        case O_LOG:
-                               if (fw_verbose)
-                                       ipfw_log(f, hlen, args->eh, m, oif);
+                               if (fw_verbose) {
+                                       ipfw_log(f, hlen, args->fwa_eh, m, oif);
+                               }
                                match = 1;
                                break;
 
                        case O_PROB:
                                match = 1;
                                break;
 
                        case O_PROB:
-                               match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
+                               match = (random() < ((ipfw_insn_u32 *)cmd)->d[0]);
                                break;
 
                        case O_VERREVPATH:
                                break;
 
                        case O_VERREVPATH:
@@ -2039,10 +2742,10 @@ check_body:
                                 * to be run first).
                                 */
                                if (dyn_dir == MATCH_UNKNOWN &&
                                 * to be run first).
                                 */
                                if (dyn_dir == MATCH_UNKNOWN &&
-                                   (q = lookup_dyn_rule(&args->f_id,
-                                    &dyn_dir, proto == IPPROTO_TCP ?
-                                       L3HDR(struct tcphdr, ip) : NULL))
-                                       != NULL) {
+                                   (q = lookup_dyn_rule(&args->fwa_id,
+                                   &dyn_dir, proto == IPPROTO_TCP ?
+                                   L3HDR(struct tcphdr, ip) : NULL))
+                                   != NULL) {
                                        /*
                                         * Found dynamic entry, update stats
                                         * and jump to the 'action' part of
                                        /*
                                         * Found dynamic entry, update stats
                                         * and jump to the 'action' part of
@@ -2060,26 +2763,28 @@ check_body:
                                 * skip to next rule, if PROBE_STATE just
                                 * ignore and continue with next opcode.
                                 */
                                 * skip to next rule, if PROBE_STATE just
                                 * ignore and continue with next opcode.
                                 */
-                               if (cmd->opcode == O_CHECK_STATE)
+                               if (cmd->opcode == O_CHECK_STATE) {
                                        goto next_rule;
                                        goto next_rule;
+                               }
                                match = 1;
                                break;
 
                        case O_ACCEPT:
                                match = 1;
                                break;
 
                        case O_ACCEPT:
-                               retval = 0;     /* accept */
+                               retval = 0;     /* accept */
                                goto done;
 
                        case O_PIPE:
                        case O_QUEUE:
                                goto done;
 
                        case O_PIPE:
                        case O_QUEUE:
-                               args->rule = f; /* report matching rule */
+                               args->fwa_ipfw_rule = f; /* report matching rule */
                                retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG;
                                goto done;
 
                        case O_DIVERT:
                        case O_TEE:
                                retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG;
                                goto done;
 
                        case O_DIVERT:
                        case O_TEE:
-                               if (args->eh) /* not on layer 2 */
+                               if (args->fwa_eh) { /* not on layer 2 */
                                        break;
                                        break;
-                               args->divert_rule = f->rulenum;
+                               }
+                               args->fwa_divert_rule = f->rulenum;
                                retval = (cmd->opcode == O_DIVERT) ?
                                    cmd->arg1 :
                                    cmd->arg1 | IP_FW_PORT_TEE_FLAG;
                                retval = (cmd->opcode == O_DIVERT) ?
                                    cmd->arg1 :
                                    cmd->arg1 | IP_FW_PORT_TEE_FLAG;
@@ -2087,14 +2792,16 @@ check_body:
 
                        case O_COUNT:
                        case O_SKIPTO:
 
                        case O_COUNT:
                        case O_SKIPTO:
-                               f->pcnt++;      /* update stats */
+                               f->pcnt++;      /* update stats */
                                f->bcnt += pktlen;
                                f->timestamp = timenow.tv_sec;
                                f->bcnt += pktlen;
                                f->timestamp = timenow.tv_sec;
-                               if (cmd->opcode == O_COUNT)
+                               if (cmd->opcode == O_COUNT) {
                                        goto next_rule;
                                        goto next_rule;
+                               }
                                /* handle skipto */
                                /* handle skipto */
-                               if (f->next_rule == NULL)
+                               if (f->next_rule == NULL) {
                                        lookup_next_rule(f);
                                        lookup_next_rule(f);
+                               }
                                f = f->next_rule;
                                goto again;
 
                                f = f->next_rule;
                                goto again;
 
@@ -2104,26 +2811,28 @@ check_body:
                                 * if the packet is not ICMP (or is an ICMP
                                 * query), and it is not multicast/broadcast.
                                 */
                                 * if the packet is not ICMP (or is an ICMP
                                 * query), and it is not multicast/broadcast.
                                 */
-                               if (hlen > 0 &&
+                               if (hlen > 0 && offset == 0 &&
                                    (proto != IPPROTO_ICMP ||
                                    (proto != IPPROTO_ICMP ||
-                                    is_icmp_query(ip)) &&
-                                   !(m->m_flags & (M_BCAST|M_MCAST)) &&
+                                   is_icmp_query(ip)) &&
+                                   !(m->m_flags & (M_BCAST | M_MCAST)) &&
                                    !IN_MULTICAST(dst_ip.s_addr)) {
                                        send_reject(args, cmd->arg1,
                                    !IN_MULTICAST(dst_ip.s_addr)) {
                                        send_reject(args, cmd->arg1,
-                                           offset,ip_len);
-                                       m = args->m;
+                                           offset, ip_len);
+                                       m = args->fwa_m;
                                }
                                }
-                               /* FALLTHROUGH */
+                       /* FALLTHROUGH */
                        case O_DENY:
                                retval = IP_FW_PORT_DENY_FLAG;
                                goto done;
 
                        case O_FORWARD_IP:
                        case O_DENY:
                                retval = IP_FW_PORT_DENY_FLAG;
                                goto done;
 
                        case O_FORWARD_IP:
-                               if (args->eh)   /* not valid on layer2 pkts */
+                               if (args->fwa_eh) {     /* not valid on layer2 pkts */
                                        break;
                                        break;
-                               if (!q || dyn_dir == MATCH_FORWARD)
-                                       args->next_hop =
+                               }
+                               if (!q || dyn_dir == MATCH_FORWARD) {
+                                       args->fwa_next_hop =
                                            &((ipfw_insn_sa *)cmd)->sa;
                                            &((ipfw_insn_sa *)cmd)->sa;
+                               }
                                retval = 0;
                                goto done;
 
                                retval = 0;
                                goto done;
 
@@ -2131,25 +2840,26 @@ check_body:
                                panic("-- unknown opcode %d\n", cmd->opcode);
                        } /* end of switch() on opcodes */
 
                                panic("-- unknown opcode %d\n", cmd->opcode);
                        } /* end of switch() on opcodes */
 
-                       if (cmd->len & F_NOT)
+                       if (cmd->len & F_NOT) {
                                match = !match;
                                match = !match;
+                       }
 
                        if (match) {
 
                        if (match) {
-                               if (cmd->len & F_OR)
+                               if (cmd->len & F_OR) {
                                        skip_or = 1;
                                        skip_or = 1;
+                               }
                        } else {
                        } else {
-                               if (!(cmd->len & F_OR)) /* not an OR block, */
-                                       break;          /* try next rule    */
-                       }
-
-               }       /* end of inner for, scan opcodes */
-
-next_rule:;            /* try next rule                */
+                               if (!(cmd->len & F_OR)) { /* not an OR block, */
+                                       break;          /* try next rule    */
+                               }
+                       }
+               }       /* end of inner for, scan opcodes */
 
 
-       }               /* end of outer for, scan rules */
+next_rule:      ;       /* try next rule               */
+       }               /* end of outer for, scan rules */
        printf("ipfw: ouch!, skip past end of rules, denying packet\n");
        lck_mtx_unlock(ipfw_mutex);
        printf("ipfw: ouch!, skip past end of rules, denying packet\n");
        lck_mtx_unlock(ipfw_mutex);
-       return(IP_FW_PORT_DENY_FLAG);
+       return IP_FW_PORT_DENY_FLAG;
 
 done:
        /* Update statistics */
 
 done:
        /* Update statistics */
@@ -2160,10 +2870,11 @@ done:
        return retval;
 
 pullup_failed:
        return retval;
 
 pullup_failed:
-       if (fw_verbose)
+       if (fw_verbose) {
                printf("ipfw: pullup failed\n");
                printf("ipfw: pullup failed\n");
+       }
        lck_mtx_unlock(ipfw_mutex);
        lck_mtx_unlock(ipfw_mutex);
-       return(IP_FW_PORT_DENY_FLAG);
+       return IP_FW_PORT_DENY_FLAG;
 }
 
 /*
 }
 
 /*
@@ -2176,8 +2887,9 @@ flush_rule_ptrs(void)
 {
        struct ip_fw *rule;
 
 {
        struct ip_fw *rule;
 
-       for (rule = layer3_chain; rule; rule = rule->next)
+       for (rule = layer3_chain; rule; rule = rule->next) {
                rule->next_rule = NULL;
                rule->next_rule = NULL;
+       }
 }
 
 /*
 }
 
 /*
@@ -2193,8 +2905,9 @@ flush_pipe_ptrs(struct dn_flow_set *match)
        for (rule = layer3_chain; rule; rule = rule->next) {
                ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)ACTION_PTR(rule);
 
        for (rule = layer3_chain; rule; rule = rule->next) {
                ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)ACTION_PTR(rule);
 
-               if (cmd->o.opcode != O_PIPE && cmd->o.opcode != O_QUEUE)
+               if (cmd->o.opcode != O_PIPE && cmd->o.opcode != O_QUEUE) {
                        continue;
                        continue;
+               }
                /*
                 * XXX Use bcmp/bzero to handle pipe_ptr to overcome
                 * possible alignment problems on 64-bit architectures.
                /*
                 * XXX Use bcmp/bzero to handle pipe_ptr to overcome
                 * possible alignment problems on 64-bit architectures.
@@ -2202,8 +2915,9 @@ flush_pipe_ptrs(struct dn_flow_set *match)
                 * much about efficiency.
                 */
                if (match == NULL ||
                 * much about efficiency.
                 */
                if (match == NULL ||
-                   !bcmp(&cmd->pipe_ptr, &match, sizeof(match)) )
+                   !bcmp(&cmd->pipe_ptr, &match, sizeof(match))) {
                        bzero(&cmd->pipe_ptr, sizeof(cmd->pipe_ptr));
                        bzero(&cmd->pipe_ptr, sizeof(cmd->pipe_ptr));
+               }
        }
 }
 
        }
 }
 
@@ -2216,19 +2930,18 @@ static int
 add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 {
        struct ip_fw *rule, *f, *prev;
 add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 {
        struct ip_fw *rule, *f, *prev;
-       int s;
        int l = RULESIZE(input_rule);
 
        int l = RULESIZE(input_rule);
 
-       if (*head == NULL && input_rule->rulenum != IPFW_DEFAULT_RULE)
-               return (EINVAL);
+       if (*head == NULL && input_rule->rulenum != IPFW_DEFAULT_RULE) {
+               return EINVAL;
+       }
 
 
-       rule = _MALLOC(l, M_IPFW, M_WAIT);
+       rule = _MALLOC(l, M_IPFW, M_WAIT | M_ZERO);
        if (rule == NULL) {
                printf("ipfw2: add_rule MALLOC failed\n");
        if (rule == NULL) {
                printf("ipfw2: add_rule MALLOC failed\n");
-               return (ENOSPC);
+               return ENOSPC;
        }
        }
-       
-       bzero(rule, l);
+
        bcopy(input_rule, rule, l);
 
        rule->next = NULL;
        bcopy(input_rule, rule, l);
 
        rule->next = NULL;
@@ -2238,30 +2951,33 @@ add_rule(struct ip_fw **head, struct ip_fw *input_rule)
        rule->bcnt = 0;
        rule->timestamp = 0;
 
        rule->bcnt = 0;
        rule->timestamp = 0;
 
-       if (*head == NULL) {    /* default rule */
+       if (*head == NULL) {    /* default rule */
                *head = rule;
                goto done;
                *head = rule;
                goto done;
-        }
+       }
 
        /*
         * If rulenum is 0, find highest numbered rule before the
         * default rule, and add autoinc_step
         */
 
        /*
         * If rulenum is 0, find highest numbered rule before the
         * default rule, and add autoinc_step
         */
-       if (autoinc_step < 1)
+       if (autoinc_step < 1) {
                autoinc_step = 1;
                autoinc_step = 1;
-       else if (autoinc_step > 1000)
+       } else if (autoinc_step > 1000) {
                autoinc_step = 1000;
                autoinc_step = 1000;
+       }
        if (rule->rulenum == 0) {
                /*
                 * locate the highest numbered rule before default
                 */
                for (f = *head; f; f = f->next) {
        if (rule->rulenum == 0) {
                /*
                 * locate the highest numbered rule before default
                 */
                for (f = *head; f; f = f->next) {
-                       if (f->rulenum == IPFW_DEFAULT_RULE)
+                       if (f->rulenum == IPFW_DEFAULT_RULE) {
                                break;
                                break;
+                       }
                        rule->rulenum = f->rulenum;
                }
                        rule->rulenum = f->rulenum;
                }
-               if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step)
+               if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step) {
                        rule->rulenum += autoinc_step;
                        rule->rulenum += autoinc_step;
+               }
                input_rule->rulenum = rule->rulenum;
        }
 
                input_rule->rulenum = rule->rulenum;
        }
 
@@ -2284,9 +3000,11 @@ add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 done:
        static_count++;
        static_len += l;
 done:
        static_count++;
        static_len += l;
+       static_len_32 += RULESIZE32(input_rule);
+       static_len_64 += RULESIZE64(input_rule);
        DEB(printf("ipfw: installed rule %d, static count now %d\n",
        DEB(printf("ipfw: installed rule %d, static count now %d\n",
-               rule->rulenum, static_count);)
-       return (0);
+           rule->rulenum, static_count); )
+       return 0;
 }
 
 /**
 }
 
 /**
@@ -2306,16 +3024,20 @@ delete_rule(struct ip_fw **head, struct ip_fw *prev, struct ip_fw *rule)
 
        n = rule->next;
        remove_dyn_rule(rule, NULL /* force removal */);
 
        n = rule->next;
        remove_dyn_rule(rule, NULL /* force removal */);
-       if (prev == NULL)
+       if (prev == NULL) {
                *head = n;
                *head = n;
-       else
+       } else {
                prev->next = n;
                prev->next = n;
+       }
        static_count--;
        static_len -= l;
        static_count--;
        static_len -= l;
+       static_len_32 -= RULESIZE32(rule);
+       static_len_64 -= RULESIZE64(rule);
 
 #if DUMMYNET
 
 #if DUMMYNET
-       if (DUMMYNET_LOADED)
-               ip_dn_ruledel_ptr(rule);
+       if (DUMMYNET_LOADED) {
+               dn_ipfw_rule_delete(rule);
+       }
 #endif /* DUMMYNET */
        _FREE(rule, M_IPFW);
        return n;
 #endif /* DUMMYNET */
        _FREE(rule, M_IPFW);
        return n;
@@ -2326,54 +3048,55 @@ static void
 print_chain(struct ip_fw **chain)
 {
        struct ip_fw *rule = *chain;
 print_chain(struct ip_fw **chain)
 {
        struct ip_fw *rule = *chain;
-       
+
        for (; rule; rule = rule->next) {
        for (; rule; rule = rule->next) {
-               ipfw_insn       *cmd = ACTION_PTR(rule);
-               
+               ipfw_insn       *cmd = ACTION_PTR(rule);
+
                printf("ipfw: rule->rulenum = %d\n", rule->rulenum);
                printf("ipfw: rule->rulenum = %d\n", rule->rulenum);
-               
+
                if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                        printf("ipfw: rule->reserved = IPFW_RULE_INACTIVE\n");
                }
                if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                        printf("ipfw: rule->reserved = IPFW_RULE_INACTIVE\n");
                }
-               
+
                switch (cmd->opcode) {
                switch (cmd->opcode) {
-                       case O_DENY:
-                               printf("ipfw: ACTION: Deny\n");
-                               break;
-       
-                       case O_REJECT:
-                               if (cmd->arg1==ICMP_REJECT_RST)
-                                       printf("ipfw: ACTION: Reset\n");
-                               else if (cmd->arg1==ICMP_UNREACH_HOST)
-                                       printf("ipfw: ACTION: Reject\n");
-                               break;
-       
-                       case O_ACCEPT:
-                               printf("ipfw: ACTION: Accept\n");
-                               break;
-                       case O_COUNT:
-                               printf("ipfw: ACTION: Count\n");
-                               break;
-                       case O_DIVERT:
-                               printf("ipfw: ACTION: Divert\n");
-                               break;
-                       case O_TEE:
-                               printf("ipfw: ACTION: Tee\n");
-                               break;
-                       case O_SKIPTO:
-                               printf("ipfw: ACTION: SkipTo\n");
-                               break;
-                       case O_PIPE:
-                               printf("ipfw: ACTION: Pipe\n");
-                               break;
-                       case O_QUEUE:
-                               printf("ipfw: ACTION: Queue\n");
-                               break;
-                       case O_FORWARD_IP:
-                               printf("ipfw: ACTION: Forward\n");
-                               break;
-                       default:
-                               printf("ipfw: invalid action! %d\n", cmd->opcode);
+               case O_DENY:
+                       printf("ipfw: ACTION: Deny\n");
+                       break;
+
+               case O_REJECT:
+                       if (cmd->arg1 == ICMP_REJECT_RST) {
+                               printf("ipfw: ACTION: Reset\n");
+                       } else if (cmd->arg1 == ICMP_UNREACH_HOST) {
+                               printf("ipfw: ACTION: Reject\n");
+                       }
+                       break;
+
+               case O_ACCEPT:
+                       printf("ipfw: ACTION: Accept\n");
+                       break;
+               case O_COUNT:
+                       printf("ipfw: ACTION: Count\n");
+                       break;
+               case O_DIVERT:
+                       printf("ipfw: ACTION: Divert\n");
+                       break;
+               case O_TEE:
+                       printf("ipfw: ACTION: Tee\n");
+                       break;
+               case O_SKIPTO:
+                       printf("ipfw: ACTION: SkipTo\n");
+                       break;
+               case O_PIPE:
+                       printf("ipfw: ACTION: Pipe\n");
+                       break;
+               case O_QUEUE:
+                       printf("ipfw: ACTION: Queue\n");
+                       break;
+               case O_FORWARD_IP:
+                       printf("ipfw: ACTION: Forward\n");
+                       break;
+               default:
+                       printf("ipfw: invalid action! %d\n", cmd->opcode);
                }
        }
 }
                }
        }
 }
@@ -2384,28 +3107,26 @@ flush_inactive(void *param)
 {
        struct ip_fw *inactive_rule = (struct ip_fw *)param;
        struct ip_fw *rule, *prev;
 {
        struct ip_fw *inactive_rule = (struct ip_fw *)param;
        struct ip_fw *rule, *prev;
-       
+
        lck_mtx_lock(ipfw_mutex);
        lck_mtx_lock(ipfw_mutex);
-       
-       for (rule = layer3_chain, prev = NULL; rule; ) {
+
+       for (rule = layer3_chain, prev = NULL; rule;) {
                if (rule == inactive_rule && rule->reserved_1 == IPFW_RULE_INACTIVE) {
                        struct ip_fw *n = rule;
                if (rule == inactive_rule && rule->reserved_1 == IPFW_RULE_INACTIVE) {
                        struct ip_fw *n = rule;
-                       
+
                        if (prev == NULL) {
                                layer3_chain = rule->next;
                        if (prev == NULL) {
                                layer3_chain = rule->next;
-                       }
-                       else {
+                       } else {
                                prev->next = rule->next;
                        }
                        rule = rule->next;
                        _FREE(n, M_IPFW);
                                prev->next = rule->next;
                        }
                        rule = rule->next;
                        _FREE(n, M_IPFW);
-               }
-               else {
+               } else {
                        prev = rule;
                        rule = rule->next;
                }
        }
                        prev = rule;
                        rule = rule->next;
                }
        }
-       
+
 #if DEBUG_INACTIVE_RULES
        print_chain(&layer3_chain);
 #endif
 #if DEBUG_INACTIVE_RULES
        print_chain(&layer3_chain);
 #endif
@@ -2415,16 +3136,18 @@ flush_inactive(void *param)
 static void
 mark_inactive(struct ip_fw **prev, struct ip_fw **rule)
 {
 static void
 mark_inactive(struct ip_fw **prev, struct ip_fw **rule)
 {
-       int                     l = RULESIZE(*rule);
+       int                     l = RULESIZE(*rule);
 
        if ((*rule)->reserved_1 != IPFW_RULE_INACTIVE) {
                (*rule)->reserved_1 = IPFW_RULE_INACTIVE;
                static_count--;
                static_len -= l;
 
        if ((*rule)->reserved_1 != IPFW_RULE_INACTIVE) {
                (*rule)->reserved_1 = IPFW_RULE_INACTIVE;
                static_count--;
                static_len -= l;
-               
-               timeout(flush_inactive, *rule, 30*hz); /* 30 sec. */
+               static_len_32 -= RULESIZE32(*rule);
+               static_len_64 -= RULESIZE64(*rule);
+
+               timeout(flush_inactive, *rule, 30 * hz); /* 30 sec. */
        }
        }
-       
+
        *prev = *rule;
        *rule = (*rule)->next;
 }
        *prev = *rule;
        *rule = (*rule)->next;
 }
@@ -2440,24 +3163,23 @@ free_chain(struct ip_fw **chain, int kill_default)
        struct ip_fw *prev, *rule;
 
        flush_rule_ptrs(); /* more efficient to do outside the loop */
        struct ip_fw *prev, *rule;
 
        flush_rule_ptrs(); /* more efficient to do outside the loop */
-       for (prev = NULL, rule = *chain; rule ; )
+       for (prev = NULL, rule = *chain; rule;) {
                if (kill_default || rule->set != RESVD_SET) {
                if (kill_default || rule->set != RESVD_SET) {
-                       ipfw_insn       *cmd = ACTION_PTR(rule);
-                       
-                       /* skip over forwarding rules so struct isn't 
+                       ipfw_insn       *cmd = ACTION_PTR(rule);
+
+                       /* skip over forwarding rules so struct isn't
                         * deleted while pointer is still in use elsewhere
                         */
                        if (cmd->opcode == O_FORWARD_IP) {
                                mark_inactive(&prev, &rule);
                         * deleted while pointer is still in use elsewhere
                         */
                        if (cmd->opcode == O_FORWARD_IP) {
                                mark_inactive(&prev, &rule);
-                       }
-                       else {
+                       } else {
                                rule = delete_rule(chain, prev, rule);
                        }
                                rule = delete_rule(chain, prev, rule);
                        }
-               }
-               else {
+               } else {
                        prev = rule;
                        rule = rule->next;
                }
                        prev = rule;
                        rule = rule->next;
                }
+       }
 }
 
 /**
 }
 
 /**
@@ -2477,35 +3199,40 @@ static int
 del_entry(struct ip_fw **chain, u_int32_t arg)
 {
        struct ip_fw *prev = NULL, *rule = *chain;
 del_entry(struct ip_fw **chain, u_int32_t arg)
 {
        struct ip_fw *prev = NULL, *rule = *chain;
-       int s;
-       u_int16_t rulenum;      /* rule or old_set */
+       u_int16_t rulenum;      /* rule or old_set */
        u_int8_t cmd, new_set;
 
        rulenum = arg & 0xffff;
        cmd = (arg >> 24) & 0xff;
        new_set = (arg >> 16) & 0xff;
 
        u_int8_t cmd, new_set;
 
        rulenum = arg & 0xffff;
        cmd = (arg >> 24) & 0xff;
        new_set = (arg >> 16) & 0xff;
 
-       if (cmd > 4)
+       if (cmd > 4) {
                return EINVAL;
                return EINVAL;
-       if (new_set > RESVD_SET)
+       }
+       if (new_set > RESVD_SET) {
                return EINVAL;
                return EINVAL;
+       }
        if (cmd == 0 || cmd == 2) {
        if (cmd == 0 || cmd == 2) {
-               if (rulenum >= IPFW_DEFAULT_RULE)
+               if (rulenum >= IPFW_DEFAULT_RULE) {
                        return EINVAL;
                        return EINVAL;
+               }
        } else {
        } else {
-               if (rulenum > RESVD_SET)        /* old_set */
+               if (rulenum > RESVD_SET) {      /* old_set */
                        return EINVAL;
                        return EINVAL;
+               }
        }
 
        switch (cmd) {
        }
 
        switch (cmd) {
-       case 0: /* delete rules with given number */
+       case 0: /* delete rules with given number */
                /*
                 * locate first rule to delete
                 */
                /*
                 * locate first rule to delete
                 */
-               for (; rule->rulenum < rulenum; prev = rule, rule = rule->next)
+               for (; rule->rulenum < rulenum; prev = rule, rule = rule->next) {
                        ;
                        ;
-               if (rule->rulenum != rulenum)
+               }
+               if (rule->rulenum != rulenum) {
                        return EINVAL;
                        return EINVAL;
+               }
 
                /*
                 * flush pointers outside the loop, then delete all matching
 
                /*
                 * flush pointers outside the loop, then delete all matching
@@ -2513,61 +3240,64 @@ del_entry(struct ip_fw **chain, u_int32_t arg)
                 */
                flush_rule_ptrs();
                while (rule->rulenum == rulenum) {
                 */
                flush_rule_ptrs();
                while (rule->rulenum == rulenum) {
-                       ipfw_insn       *cmd = ACTION_PTR(rule);
-                       
-                       /* keep forwarding rules around so struct isn't 
+                       ipfw_insn       *insn = ACTION_PTR(rule);
+
+                       /* keep forwarding rules around so struct isn't
                         * deleted while pointer is still in use elsewhere
                         */
                         * deleted while pointer is still in use elsewhere
                         */
-                       if (cmd->opcode == O_FORWARD_IP) {
+                       if (insn->opcode == O_FORWARD_IP) {
                                mark_inactive(&prev, &rule);
                                mark_inactive(&prev, &rule);
-                       }
-                       else {
+                       } else {
                                rule = delete_rule(chain, prev, rule);
                        }
                }
                break;
 
                                rule = delete_rule(chain, prev, rule);
                        }
                }
                break;
 
-       case 1: /* delete all rules with given set number */
+       case 1: /* delete all rules with given set number */
                flush_rule_ptrs();
                while (rule->rulenum < IPFW_DEFAULT_RULE) {
                        if (rule->set == rulenum) {
                flush_rule_ptrs();
                while (rule->rulenum < IPFW_DEFAULT_RULE) {
                        if (rule->set == rulenum) {
-                               ipfw_insn       *cmd = ACTION_PTR(rule);
-                               
-                               /* keep forwarding rules around so struct isn't 
+                               ipfw_insn       *insn = ACTION_PTR(rule);
+
+                               /* keep forwarding rules around so struct isn't
                                 * deleted while pointer is still in use elsewhere
                                 */
                                 * deleted while pointer is still in use elsewhere
                                 */
-                               if (cmd->opcode == O_FORWARD_IP) {
+                               if (insn->opcode == O_FORWARD_IP) {
                                        mark_inactive(&prev, &rule);
                                        mark_inactive(&prev, &rule);
-                               }
-                               else {
+                               } else {
                                        rule = delete_rule(chain, prev, rule);
                                }
                                        rule = delete_rule(chain, prev, rule);
                                }
-                       }
-                       else {
+                       } else {
                                prev = rule;
                                rule = rule->next;
                        }
                }
                break;
 
                                prev = rule;
                                rule = rule->next;
                        }
                }
                break;
 
-       case 2: /* move rules with given number to new set */
-               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-                       if (rule->rulenum == rulenum)
+       case 2: /* move rules with given number to new set */
+               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next) {
+                       if (rule->rulenum == rulenum) {
                                rule->set = new_set;
                                rule->set = new_set;
+                       }
+               }
                break;
 
        case 3: /* move rules with given set number to new set */
                break;
 
        case 3: /* move rules with given set number to new set */
-               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-                       if (rule->set == rulenum)
+               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next) {
+                       if (rule->set == rulenum) {
                                rule->set = new_set;
                                rule->set = new_set;
+                       }
+               }
                break;
 
        case 4: /* swap two sets */
                break;
 
        case 4: /* swap two sets */
-               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next)
-                       if (rule->set == rulenum)
+               for (; rule->rulenum < IPFW_DEFAULT_RULE; rule = rule->next) {
+                       if (rule->set == rulenum) {
                                rule->set = new_set;
                                rule->set = new_set;
-                       else if (rule->set == new_set)
+                       } else if (rule->set == new_set) {
                                rule->set = rulenum;
                                rule->set = rulenum;
+                       }
+               }
                break;
        }
        return 0;
                break;
        }
        return 0;
@@ -2585,8 +3315,9 @@ clear_counters(struct ip_fw *rule, int log_only)
                rule->bcnt = rule->pcnt = 0;
                rule->timestamp = 0;
        }
                rule->bcnt = rule->pcnt = 0;
                rule->timestamp = 0;
        }
-       if (l->o.opcode == O_LOG)
+       if (l->o.opcode == O_LOG) {
                l->log_left = l->max_log;
                l->log_left = l->max_log;
+       }
 }
 
 /**
 }
 
 /**
@@ -2599,22 +3330,22 @@ static int
 zero_entry(int rulenum, int log_only)
 {
        struct ip_fw *rule;
 zero_entry(int rulenum, int log_only)
 {
        struct ip_fw *rule;
-       int s;
-       char *msg;
+       const char *msg;
 
        if (rulenum == 0) {
                norule_counter = 0;
 
        if (rulenum == 0) {
                norule_counter = 0;
-               for (rule = layer3_chain; rule; rule = rule->next)
+               for (rule = layer3_chain; rule; rule = rule->next) {
                        clear_counters(rule, log_only);
                        clear_counters(rule, log_only);
+               }
                msg = log_only ? "ipfw: All logging counts reset.\n" :
                msg = log_only ? "ipfw: All logging counts reset.\n" :
-                               "ipfw: Accounting cleared.\n";
+                   "ipfw: Accounting cleared.\n";
        } else {
                int cleared = 0;
                /*
                 * We can have multiple rules with the same number, so we
                 * need to clear them all.
                 */
        } else {
                int cleared = 0;
                /*
                 * We can have multiple rules with the same number, so we
                 * need to clear them all.
                 */
-               for (rule = layer3_chain; rule; rule = rule->next)
+               for (rule = layer3_chain; rule; rule = rule->next) {
                        if (rule->rulenum == rulenum) {
                                while (rule && rule->rulenum == rulenum) {
                                        clear_counters(rule, log_only);
                        if (rule->rulenum == rulenum) {
                                while (rule && rule->rulenum == rulenum) {
                                        clear_counters(rule, log_only);
@@ -2623,16 +3354,17 @@ zero_entry(int rulenum, int log_only)
                                cleared = 1;
                                break;
                        }
                                cleared = 1;
                                break;
                        }
-               if (!cleared)   /* we did not find any matching rules */
-                       return (EINVAL);
+               }
+               if (!cleared) { /* we did not find any matching rules */
+                       return EINVAL;
+               }
                msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
                msg = log_only ? "ipfw: Entry %d logging count reset.\n" :
-                               "ipfw: Entry %d cleared.\n";
+                   "ipfw: Entry %d cleared.\n";
        }
        }
-       if (fw_verbose)
-       {
+       if (fw_verbose) {
                dolog((LOG_AUTHPRIV | LOG_NOTICE, msg, rulenum));
        }
                dolog((LOG_AUTHPRIV | LOG_NOTICE, msg, rulenum));
        }
-       return (0);
+       return 0;
 }
 
 /*
 }
 
 /*
@@ -2643,32 +3375,32 @@ static int
 check_ipfw_struct(struct ip_fw *rule, int size)
 {
        int l, cmdlen = 0;
 check_ipfw_struct(struct ip_fw *rule, int size)
 {
        int l, cmdlen = 0;
-       int have_action=0;
+       int have_action = 0;
        ipfw_insn *cmd;
 
        if (size < sizeof(*rule)) {
                printf("ipfw: rule too short\n");
        ipfw_insn *cmd;
 
        if (size < sizeof(*rule)) {
                printf("ipfw: rule too short\n");
-               return (EINVAL);
+               return EINVAL;
        }
        /* first, check for valid size */
        l = RULESIZE(rule);
        if (l != size) {
                printf("ipfw: size mismatch (have %d want %d)\n", size, l);
        }
        /* first, check for valid size */
        l = RULESIZE(rule);
        if (l != size) {
                printf("ipfw: size mismatch (have %d want %d)\n", size, l);
-               return (EINVAL);
+               return EINVAL;
        }
        /*
         * Now go for the individual checks. Very simple ones, basically only
         * instruction sizes.
         */
        }
        /*
         * Now go for the individual checks. Very simple ones, basically only
         * instruction sizes.
         */
-       for (l = rule->cmd_len, cmd = rule->cmd ;
-                       l > 0 ; l -= cmdlen, cmd += cmdlen) {
+       for (l = rule->cmd_len, cmd = rule->cmd;
+           l > 0; l -= cmdlen, cmd += cmdlen) {
                cmdlen = F_LEN(cmd);
                if (cmdlen > l) {
                        printf("ipfw: opcode %d size truncated\n",
                            cmd->opcode);
                        return EINVAL;
                }
                cmdlen = F_LEN(cmd);
                if (cmdlen > l) {
                        printf("ipfw: opcode %d size truncated\n",
                            cmd->opcode);
                        return EINVAL;
                }
-               DEB(printf("ipfw: opcode %d\n", cmd->opcode);)
+               DEB(printf("ipfw: opcode %d\n", cmd->opcode); )
                switch (cmd->opcode) {
                case O_PROBE_STATE:
                case O_KEEP_STATE:
                switch (cmd->opcode) {
                case O_PROBE_STATE:
                case O_KEEP_STATE:
@@ -2688,8 +3420,9 @@ check_ipfw_struct(struct ip_fw *rule, int size)
                case O_ESTAB:
                case O_VERREVPATH:
                case O_IPSEC:
                case O_ESTAB:
                case O_VERREVPATH:
                case O_IPSEC:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
                case O_UID:
 #ifndef __APPLE__
                        break;
                case O_UID:
 #ifndef __APPLE__
@@ -2701,22 +3434,25 @@ check_ipfw_struct(struct ip_fw *rule, int size)
                case O_TCPACK:
                case O_PROB:
                case O_ICMPTYPE:
                case O_TCPACK:
                case O_PROB:
                case O_ICMPTYPE:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_u32))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_LIMIT:
                        break;
 
                case O_LIMIT:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_limit))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_limit)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_LOG:
                        break;
 
                case O_LOG:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_log))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_log)) {
                                goto bad_size;
                                goto bad_size;
-                               
+                       }
+
                        /* enforce logging limit */
                        if (fw_verbose &&
                        /* enforce logging limit */
                        if (fw_verbose &&
-                               ((ipfw_insn_log *)cmd)->max_log == 0 && verbose_limit != 0) {
+                           ((ipfw_insn_log *)cmd)->max_log == 0 && verbose_limit != 0) {
                                ((ipfw_insn_log *)cmd)->max_log = verbose_limit;
                        }
 
                                ((ipfw_insn_log *)cmd)->max_log = verbose_limit;
                        }
 
@@ -2728,58 +3464,66 @@ check_ipfw_struct(struct ip_fw *rule, int size)
                case O_IP_SRC_MASK:
                case O_IP_DST_MASK:
                        /* only odd command lengths */
                case O_IP_SRC_MASK:
                case O_IP_DST_MASK:
                        /* only odd command lengths */
-                       if ( !(cmdlen & 1) || cmdlen > 31)
+                       if (!(cmdlen & 1) || cmdlen > 31) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_IP_SRC_SET:
                case O_IP_DST_SET:
                        if (cmd->arg1 == 0 || cmd->arg1 > 256) {
                                printf("ipfw: invalid set size %d\n",
                        break;
 
                case O_IP_SRC_SET:
                case O_IP_DST_SET:
                        if (cmd->arg1 == 0 || cmd->arg1 > 256) {
                                printf("ipfw: invalid set size %d\n",
-                                       cmd->arg1);
+                                   cmd->arg1);
                                return EINVAL;
                        }
                        if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
                                return EINVAL;
                        }
                        if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) +
-                           (cmd->arg1+31)/32 )
+                           (cmd->arg1 + 31) / 32) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_MACADDR2:
                        break;
 
                case O_MACADDR2:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_mac))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_mac)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_NOP:
                case O_IPID:
                case O_IPTTL:
                case O_IPLEN:
                        break;
 
                case O_NOP:
                case O_IPID:
                case O_IPTTL:
                case O_IPLEN:
-                       if (cmdlen < 1 || cmdlen > 31)
+                       if (cmdlen < 1 || cmdlen > 31) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_MAC_TYPE:
                case O_IP_SRCPORT:
                case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */
                        break;
 
                case O_MAC_TYPE:
                case O_IP_SRCPORT:
                case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */
-                       if (cmdlen < 2 || cmdlen > 31)
+                       if (cmdlen < 2 || cmdlen > 31) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_RECV:
                case O_XMIT:
                case O_VIA:
                        break;
 
                case O_RECV:
                case O_XMIT:
                case O_VIA:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_if))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_if)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        break;
 
                case O_PIPE:
                case O_QUEUE:
                        break;
 
                case O_PIPE:
                case O_QUEUE:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_pipe))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_pipe)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        goto check_action;
 
                case O_FORWARD_IP:
                        goto check_action;
 
                case O_FORWARD_IP:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn_sa))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn_sa)) {
                                goto bad_size;
                                goto bad_size;
+                       }
                        goto check_action;
 
                case O_FORWARD_MAC: /* XXX not implemented yet */
                        goto check_action;
 
                case O_FORWARD_MAC: /* XXX not implemented yet */
@@ -2791,26 +3535,27 @@ check_ipfw_struct(struct ip_fw *rule, int size)
                case O_SKIPTO:
                case O_DIVERT:
                case O_TEE:
                case O_SKIPTO:
                case O_DIVERT:
                case O_TEE:
-                       if (cmdlen != F_INSN_SIZE(ipfw_insn))
+                       if (cmdlen != F_INSN_SIZE(ipfw_insn)) {
                                goto bad_size;
                                goto bad_size;
+                       }
 check_action:
                        if (have_action) {
                                printf("ipfw: opcode %d, multiple actions"
 check_action:
                        if (have_action) {
                                printf("ipfw: opcode %d, multiple actions"
-                                       " not allowed\n",
-                                       cmd->opcode);
+                                   " not allowed\n",
+                                   cmd->opcode);
                                return EINVAL;
                        }
                        have_action = 1;
                        if (l != cmdlen) {
                                printf("ipfw: opcode %d, action must be"
                                return EINVAL;
                        }
                        have_action = 1;
                        if (l != cmdlen) {
                                printf("ipfw: opcode %d, action must be"
-                                       " last opcode\n",
-                                       cmd->opcode);
+                                   " last opcode\n",
+                                   cmd->opcode);
                                return EINVAL;
                        }
                        break;
                default:
                        printf("ipfw: opcode %d, unknown opcode\n",
                                return EINVAL;
                        }
                        break;
                default:
                        printf("ipfw: opcode %d, unknown opcode\n",
-                               cmd->opcode);
+                           cmd->opcode);
                        return EINVAL;
                }
        }
                        return EINVAL;
                }
        }
@@ -2822,30 +3567,47 @@ check_action:
 
 bad_size:
        printf("ipfw: opcode %d size %d wrong\n",
 
 bad_size:
        printf("ipfw: opcode %d size %d wrong\n",
-               cmd->opcode, cmdlen);
+           cmd->opcode, cmdlen);
        return EINVAL;
 }
 
 
        return EINVAL;
 }
 
 
+static void
+ipfw_kev_post_msg(u_int32_t event_code)
+{
+       struct kev_msg          ev_msg;
+
+       bzero(&ev_msg, sizeof(struct kev_msg));
+
+       ev_msg.vendor_code = KEV_VENDOR_APPLE;
+       ev_msg.kev_class = KEV_FIREWALL_CLASS;
+       ev_msg.kev_subclass = KEV_IPFW_SUBCLASS;
+       ev_msg.event_code = event_code;
+
+       kev_post_msg(&ev_msg);
+}
+
 /**
  * {set|get}sockopt parser.
  */
 static int
 ipfw_ctl(struct sockopt *sopt)
 {
 /**
  * {set|get}sockopt parser.
  */
 static int
 ipfw_ctl(struct sockopt *sopt)
 {
-#define        RULE_MAXSIZE    (256*sizeof(u_int32_t))
+#define RULE_MAXSIZE    (256*sizeof(u_int32_t))
        u_int32_t api_version;
        int command;
        u_int32_t api_version;
        int command;
-       int error, s;
+       int error;
        size_t size;
        size_t size;
-       struct ip_fw *bp , *buf, *rule;
-       
+       size_t  rulesize = RULE_MAXSIZE;
+       struct ip_fw *bp, *buf, *rule;
+       int     is64user = 0;
+
        /* copy of orig sopt to send to ipfw_get_command_and_version() */
        /* copy of orig sopt to send to ipfw_get_command_and_version() */
-       struct sockopt tmp_sopt = *sopt; 
+       struct sockopt tmp_sopt = *sopt;
        struct timeval timenow;
 
        getmicrotime(&timenow);
        struct timeval timenow;
 
        getmicrotime(&timenow);
-       
+
        /*
         * Disallow modifications in really-really secure mode, but still allow
         * the logging counters to be reset.
        /*
         * Disallow modifications in really-really secure mode, but still allow
         * the logging counters to be reset.
@@ -2854,24 +3616,31 @@ ipfw_ctl(struct sockopt *sopt)
            (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
 #if __FreeBSD_version >= 500034
                error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
            (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
 #if __FreeBSD_version >= 500034
                error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
-               if (error)
-                       return (error);
+               if (error) {
+                       return error;
+               }
 #else /* FreeBSD 4.x */
 #else /* FreeBSD 4.x */
-               if (securelevel >= 3)
-                       return (EPERM);
+               if (securelevel >= 3) {
+                       return EPERM;
+               }
 #endif
        }
 
        /* first get the command and version, then do conversion as necessary */
        error = ipfw_get_command_and_version(&tmp_sopt, &command, &api_version);
 #endif
        }
 
        /* first get the command and version, then do conversion as necessary */
        error = ipfw_get_command_and_version(&tmp_sopt, &command, &api_version);
-       
        if (error) {
                /* error getting the version */
                return error;
        }
        if (error) {
                /* error getting the version */
                return error;
        }
-       
+
+       if (proc_is64bit(sopt->sopt_p)) {
+               is64user = 1;
+       }
+
        switch (command) {
        case IP_FW_GET:
        switch (command) {
        case IP_FW_GET:
+       {
+               size_t  dynrulesize;
                /*
                 * pass up a copy of the current rules. Static rules
                 * come first (the last of which has number IPFW_DEFAULT_RULE),
                /*
                 * pass up a copy of the current rules. Static rules
                 * come first (the last of which has number IPFW_DEFAULT_RULE),
@@ -2879,154 +3648,223 @@ ipfw_ctl(struct sockopt *sopt)
                 * The last dynamic rule has NULL in the "next" field.
                 */
                lck_mtx_lock(ipfw_mutex);
                 * The last dynamic rule has NULL in the "next" field.
                 */
                lck_mtx_lock(ipfw_mutex);
-               size = static_len;      /* size of static rules */
-               if (ipfw_dyn_v)         /* add size of dyn.rules */
-                       size += (dyn_count * sizeof(ipfw_dyn_rule));
+
+               if (is64user) {
+                       size = Get64static_len();
+                       dynrulesize = sizeof(ipfw_dyn_rule_64);
+                       if (ipfw_dyn_v) {
+                               size += (dyn_count * dynrulesize);
+                       }
+               } else {
+                       size = Get32static_len();
+                       dynrulesize = sizeof(ipfw_dyn_rule_32);
+                       if (ipfw_dyn_v) {
+                               size += (dyn_count * dynrulesize);
+                       }
+               }
 
                /*
                 * XXX todo: if the user passes a short length just to know
                 * how much room is needed, do not bother filling up the
                 * buffer, just jump to the sooptcopyout.
                 */
 
                /*
                 * XXX todo: if the user passes a short length just to know
                 * how much room is needed, do not bother filling up the
                 * buffer, just jump to the sooptcopyout.
                 */
-               buf = _MALLOC(size, M_TEMP, M_WAITOK);
+               buf = _MALLOC(size, M_TEMP, M_WAITOK | M_ZERO);
                if (buf == 0) {
                        lck_mtx_unlock(ipfw_mutex);
                        error = ENOBUFS;
                        break;
                }
                if (buf == 0) {
                        lck_mtx_unlock(ipfw_mutex);
                        error = ENOBUFS;
                        break;
                }
-               
-               bzero(buf, size);
 
                bp = buf;
 
                bp = buf;
-               for (rule = layer3_chain; rule ; rule = rule->next) {
-                       int i = RULESIZE(rule);
-                       
+               for (rule = layer3_chain; rule; rule = rule->next) {
                        if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                                continue;
                        }
                        if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                                continue;
                        }
-                       bcopy(rule, bp, i);
-                       bcopy(&set_disable, &(bp->next_rule),
-                           sizeof(set_disable));
-                       bp = (struct ip_fw *)((char *)bp + i);
+
+                       if (is64user) {
+                               int rulesize_64;
+
+                               copyto64fw( rule, (struct ip_fw_64 *)bp, size);
+                               bcopy(&set_disable, &(((struct ip_fw_64*)bp)->next_rule), sizeof(set_disable));
+                               /* do not use macro RULESIZE64 since we want RULESIZE for ip_fw_64 */
+                               rulesize_64 = sizeof(struct ip_fw_64) + ((struct ip_fw_64 *)(bp))->cmd_len * 4 - 4;
+                               bp = (struct ip_fw *)((char *)bp + rulesize_64);
+                       } else {
+                               int rulesize_32;
+
+                               copyto32fw( rule, (struct ip_fw_32*)bp, size);
+                               bcopy(&set_disable, &(((struct ip_fw_32*)bp)->next_rule), sizeof(set_disable));
+                               /* do not use macro RULESIZE32 since we want RULESIZE for ip_fw_32 */
+                               rulesize_32 = sizeof(struct ip_fw_32) + ((struct ip_fw_32 *)(bp))->cmd_len * 4 - 4;
+                               bp = (struct ip_fw *)((char *)bp + rulesize_32);
+                       }
                }
                if (ipfw_dyn_v) {
                        int i;
                }
                if (ipfw_dyn_v) {
                        int i;
-                       ipfw_dyn_rule *p, *dst, *last = NULL;
-
-                       dst = (ipfw_dyn_rule *)bp;
-                       for (i = 0 ; i < curr_dyn_buckets ; i++ )
-                               for ( p = ipfw_dyn_v[i] ; p != NULL ;
-                                   p = p->next, dst++ ) {
-                                       bcopy(p, dst, sizeof *p);
-                                       bcopy(&(p->rule->rulenum), &(dst->rule),
-                                           sizeof(p->rule->rulenum));
-                                       /*
-                                        * store a non-null value in "next".
-                                        * The userland code will interpret a
-                                        * NULL here as a marker
-                                        * for the last dynamic rule.
-                                        */
-                                       bcopy(&dst, &dst->next, sizeof(dst));
-                                       last = dst ;
-                                       dst->expire =
-                                           TIME_LEQ(dst->expire, timenow.tv_sec) ?
-                                               0 : dst->expire - timenow.tv_sec ;
+                       ipfw_dyn_rule *p;
+                       char *dst, *last = NULL;
+
+                       dst = (char *)bp;
+                       for (i = 0; i < curr_dyn_buckets; i++) {
+                               for (p = ipfw_dyn_v[i]; p != NULL;
+                                   p = p->next, dst += dynrulesize) {
+                                       if (is64user) {
+                                               ipfw_dyn_rule_64        *ipfw_dyn_dst;
+
+                                               ipfw_dyn_dst = (ipfw_dyn_rule_64 *)dst;
+                                               /*
+                                                * store a non-null value in "next".
+                                                * The userland code will interpret a
+                                                * NULL here as a marker
+                                                * for the last dynamic rule.
+                                                */
+                                               ipfw_dyn_dst->next = CAST_DOWN_EXPLICIT(user64_addr_t, dst);
+                                               ipfw_dyn_dst->rule = p->rule->rulenum;
+                                               ipfw_dyn_dst->parent = CAST_DOWN(user64_addr_t, p->parent);
+                                               ipfw_dyn_dst->pcnt = p->pcnt;
+                                               ipfw_dyn_dst->bcnt = p->bcnt;
+                                               externalize_flow_id(&ipfw_dyn_dst->id, &p->id);
+                                               ipfw_dyn_dst->expire =
+                                                   TIME_LEQ(p->expire, timenow.tv_sec) ?
+                                                   0 : p->expire - timenow.tv_sec;
+                                               ipfw_dyn_dst->bucket = p->bucket;
+                                               ipfw_dyn_dst->state = p->state;
+                                               ipfw_dyn_dst->ack_fwd = p->ack_fwd;
+                                               ipfw_dyn_dst->ack_rev = p->ack_rev;
+                                               ipfw_dyn_dst->dyn_type = p->dyn_type;
+                                               ipfw_dyn_dst->count = p->count;
+                                               last = (char*)ipfw_dyn_dst;
+                                       } else {
+                                               ipfw_dyn_rule_32        *ipfw_dyn_dst;
+
+                                               ipfw_dyn_dst = (ipfw_dyn_rule_32 *)dst;
+                                               /*
+                                                * store a non-null value in "next".
+                                                * The userland code will interpret a
+                                                * NULL here as a marker
+                                                * for the last dynamic rule.
+                                                */
+                                               ipfw_dyn_dst->next = CAST_DOWN_EXPLICIT(user32_addr_t, dst);
+                                               ipfw_dyn_dst->rule = p->rule->rulenum;
+                                               ipfw_dyn_dst->parent = CAST_DOWN_EXPLICIT(user32_addr_t, p->parent);
+                                               ipfw_dyn_dst->pcnt = p->pcnt;
+                                               ipfw_dyn_dst->bcnt = p->bcnt;
+                                               externalize_flow_id(&ipfw_dyn_dst->id, &p->id);
+                                               ipfw_dyn_dst->expire =
+                                                   TIME_LEQ(p->expire, timenow.tv_sec) ?
+                                                   0 : p->expire - timenow.tv_sec;
+                                               ipfw_dyn_dst->bucket = p->bucket;
+                                               ipfw_dyn_dst->state = p->state;
+                                               ipfw_dyn_dst->ack_fwd = p->ack_fwd;
+                                               ipfw_dyn_dst->ack_rev = p->ack_rev;
+                                               ipfw_dyn_dst->dyn_type = p->dyn_type;
+                                               ipfw_dyn_dst->count = p->count;
+                                               last = (char*)ipfw_dyn_dst;
+                                       }
                                }
                                }
-                       if (last != NULL) /* mark last dynamic rule */
-                               bzero(&last->next, sizeof(last));
+                       }
+                       /* mark last dynamic rule */
+                       if (last != NULL) {
+                               if (is64user) {
+                                       ((ipfw_dyn_rule_64 *)last)->next = 0;
+                               } else {
+                                       ((ipfw_dyn_rule_32 *)last)->next = 0;
+                               }
+                       }
                }
                lck_mtx_unlock(ipfw_mutex);
 
                /* convert back if necessary and copyout */
                if (api_version == IP_FW_VERSION_0) {
                }
                lck_mtx_unlock(ipfw_mutex);
 
                /* convert back if necessary and copyout */
                if (api_version == IP_FW_VERSION_0) {
-                       int     i, len = 0;
-                       struct ip_old_fw        *buf2, *rule_vers0;
-                       
-                       buf2 = _MALLOC(static_count * sizeof(struct ip_old_fw), M_TEMP, M_WAITOK);
+                       int     i, len = 0;
+                       struct ip_old_fw        *buf2, *rule_vers0;
+
+                       lck_mtx_lock(ipfw_mutex);
+                       buf2 = _MALLOC(static_count * sizeof(struct ip_old_fw), M_TEMP, M_WAITOK | M_ZERO);
                        if (buf2 == 0) {
                        if (buf2 == 0) {
+                               lck_mtx_unlock(ipfw_mutex);
                                error = ENOBUFS;
                        }
                                error = ENOBUFS;
                        }
-                       
+
                        if (!error) {
                                bp = buf;
                                rule_vers0 = buf2;
                        if (!error) {
                                bp = buf;
                                rule_vers0 = buf2;
-                               
+
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                        int j = RULESIZE(bp);
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                        int j = RULESIZE(bp);
-                                       ipfw_convert_from_latest(bp, rule_vers0, api_version);
+                                       ipfw_convert_from_latest(bp, rule_vers0, api_version, is64user);
                                        bp = (struct ip_fw *)((char *)bp + j);
                                        len += sizeof(*rule_vers0);
                                        rule_vers0++;
                                }
                                        bp = (struct ip_fw *)((char *)bp + j);
                                        len += sizeof(*rule_vers0);
                                        rule_vers0++;
                                }
+                               lck_mtx_unlock(ipfw_mutex);
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
                } else if (api_version == IP_FW_VERSION_1) {
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
                } else if (api_version == IP_FW_VERSION_1) {
-                       int     i, len = 0, buf_size;
-                       struct ip_fw_compat     *buf2, *rule_vers1;
-                       struct ipfw_dyn_rule_compat     *dyn_rule_vers1, *dyn_last = NULL;
-                       ipfw_dyn_rule   *p;
-
-                       buf_size = static_count * sizeof(struct ip_fw_compat) +
-                                               dyn_count * sizeof(struct ipfw_dyn_rule_compat);
-                                               
-                       buf2 = _MALLOC(buf_size, M_TEMP, M_WAITOK);
+                       int     i, len = 0, buf_size;
+                       struct ip_fw_compat     *buf2;
+                       size_t  ipfwcompsize;
+                       size_t  ipfwdyncompsize;
+                       char    *rule_vers1;
+
+                       lck_mtx_lock(ipfw_mutex);
+                       if (is64user) {
+                               ipfwcompsize = sizeof(struct ip_fw_compat_64);
+                               ipfwdyncompsize = sizeof(struct ipfw_dyn_rule_compat_64);
+                       } else {
+                               ipfwcompsize = sizeof(struct ip_fw_compat_32);
+                               ipfwdyncompsize = sizeof(struct ipfw_dyn_rule_compat_32);
+                       }
+
+                       buf_size = static_count * ipfwcompsize +
+                           dyn_count * ipfwdyncompsize;
+
+                       buf2 = _MALLOC(buf_size, M_TEMP, M_WAITOK | M_ZERO);
                        if (buf2 == 0) {
                        if (buf2 == 0) {
+                               lck_mtx_unlock(ipfw_mutex);
                                error = ENOBUFS;
                        }
                                error = ENOBUFS;
                        }
-                       
                        if (!error) {
                                bp = buf;
                        if (!error) {
                                bp = buf;
-                               rule_vers1 = buf2;
-                               
+                               rule_vers1 = (char*)buf2;
+
                                /* first do static rules */
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                /* first do static rules */
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
-                                       int j = RULESIZE(bp);
-                                       ipfw_convert_from_latest(bp, rule_vers1, api_version);
-                                       bp = (struct ip_fw *)((char *)bp + j);
-                                       len += sizeof(*rule_vers1);
-                                       rule_vers1++;
+                                       if (is64user) {
+                                               int rulesize_64;
+                                               ipfw_convert_from_latest(bp, (void *)rule_vers1, api_version, is64user);
+                                               rulesize_64 = sizeof(struct ip_fw_64) + ((struct ip_fw_64 *)(bp))->cmd_len * 4 - 4;
+                                               bp = (struct ip_fw *)((char *)bp + rulesize_64);
+                                       } else {
+                                               int rulesize_32;
+                                               ipfw_convert_from_latest(bp, (void *)rule_vers1, api_version, is64user);
+                                               rulesize_32 = sizeof(struct ip_fw_32) + ((struct ip_fw_32 *)(bp))->cmd_len * 4 - 4;
+                                               bp = (struct ip_fw *)((char *)bp + rulesize_32);
+                                       }
+                                       len += ipfwcompsize;
+                                       rule_vers1 += ipfwcompsize;
                                }
                                }
-                       
                                /* now do dynamic rules */
                                /* now do dynamic rules */
-                               dyn_rule_vers1 = (struct ipfw_dyn_rule_compat *)rule_vers1;
-                               if (ipfw_dyn_v) {
-                                       for (i = 0; i < curr_dyn_buckets; i++) {
-                                               for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next) {
-                                                       (int) dyn_rule_vers1->chain = p->rule->rulenum;
-                                                       dyn_rule_vers1->id = p->id;
-                                                       dyn_rule_vers1->mask = p->id;
-                                                       dyn_rule_vers1->type = p->dyn_type;
-                                                       dyn_rule_vers1->expire = p->expire;
-                                                       dyn_rule_vers1->pcnt = p->pcnt;
-                                                       dyn_rule_vers1->bcnt = p->bcnt;
-                                                       dyn_rule_vers1->bucket = p->bucket;
-                                                       dyn_rule_vers1->state = p->state;
-                                                       
-                                                       dyn_rule_vers1->next = dyn_rule_vers1;
-                                                       dyn_last = dyn_rule_vers1;
-                                                       
-                                                       len += sizeof(*dyn_rule_vers1);
-                                                       dyn_rule_vers1++;
-                                               }
-                                       }
-                                       
-                                       if (dyn_last != NULL) {
-                                               dyn_last->next = NULL;
-                                       }
+                               if (is64user) {
+                                       cp_dyn_to_comp_64((struct ipfw_dyn_rule_compat_64 *)rule_vers1, &len);
+                               } else {
+                                       cp_dyn_to_comp_32((struct ipfw_dyn_rule_compat_32 *)rule_vers1, &len);
                                }
                                }
-                               
+
+                               lck_mtx_unlock(ipfw_mutex);
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
                } else {
                        error = sooptcopyout(sopt, buf, size);
                }
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
                } else {
                        error = sooptcopyout(sopt, buf, size);
                }
-               
+
                _FREE(buf, M_TEMP);
                break;
                _FREE(buf, M_TEMP);
                break;
+       }
 
        case IP_FW_FLUSH:
                /*
 
        case IP_FW_FLUSH:
                /*
@@ -3044,95 +3882,109 @@ ipfw_ctl(struct sockopt *sopt)
 
                lck_mtx_lock(ipfw_mutex);
                free_chain(&layer3_chain, 0 /* keep default rule */);
 
                lck_mtx_lock(ipfw_mutex);
                free_chain(&layer3_chain, 0 /* keep default rule */);
+               fw_bypass = 1;
 #if DEBUG_INACTIVE_RULES
 #if DEBUG_INACTIVE_RULES
-                       print_chain(&layer3_chain);
+               print_chain(&layer3_chain);
 #endif
                lck_mtx_unlock(ipfw_mutex);
                break;
 
        case IP_FW_ADD:
 #endif
                lck_mtx_unlock(ipfw_mutex);
                break;
 
        case IP_FW_ADD:
-               rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK);
+       {
+               size_t savedsopt_valsize = 0;
+               rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK | M_ZERO);
                if (rule == 0) {
                        error = ENOBUFS;
                        break;
                }
                if (rule == 0) {
                        error = ENOBUFS;
                        break;
                }
-               
-               bzero(rule, RULE_MAXSIZE);
 
                if (api_version != IP_FW_CURRENT_API_VERSION) {
 
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, rule, api_version);
-               }
-               else {
-                       error = sooptcopyin(sopt, rule, RULE_MAXSIZE,
-                               sizeof(struct ip_fw) );
+                       error = ipfw_convert_to_latest(sopt, rule, api_version, is64user);
+               } else {
+                       savedsopt_valsize = sopt->sopt_valsize;   /* it might get modified in sooptcopyin_fw */
+                       error = sooptcopyin_fw( sopt, rule, &rulesize);
                }
                }
-               
+
                if (!error) {
                        if ((api_version == IP_FW_VERSION_0) || (api_version == IP_FW_VERSION_1)) {
                                /* the rule has already been checked so just
                                 * adjust sopt_valsize to match what would be expected.
                                 */
                                sopt->sopt_valsize = RULESIZE(rule);
                if (!error) {
                        if ((api_version == IP_FW_VERSION_0) || (api_version == IP_FW_VERSION_1)) {
                                /* the rule has already been checked so just
                                 * adjust sopt_valsize to match what would be expected.
                                 */
                                sopt->sopt_valsize = RULESIZE(rule);
+                               rulesize = RULESIZE(rule);
                        }
                        }
-                       error = check_ipfw_struct(rule, sopt->sopt_valsize);
+                       error = check_ipfw_struct(rule, rulesize);
                        if (!error) {
                                lck_mtx_lock(ipfw_mutex);
                                error = add_rule(&layer3_chain, rule);
                        if (!error) {
                                lck_mtx_lock(ipfw_mutex);
                                error = add_rule(&layer3_chain, rule);
+                               if (!error && fw_bypass) {
+                                       fw_bypass = 0;
+                               }
                                lck_mtx_unlock(ipfw_mutex);
                                lck_mtx_unlock(ipfw_mutex);
-                               
+
                                size = RULESIZE(rule);
                                if (!error && sopt->sopt_dir == SOPT_GET) {
                                        /* convert back if necessary and copyout */
                                        if (api_version == IP_FW_VERSION_0) {
                                size = RULESIZE(rule);
                                if (!error && sopt->sopt_dir == SOPT_GET) {
                                        /* convert back if necessary and copyout */
                                        if (api_version == IP_FW_VERSION_0) {
-                                               struct ip_old_fw        rule_vers0;
-                                               
-                                               ipfw_convert_from_latest(rule, &rule_vers0, api_version);
+                                               struct ip_old_fw        rule_vers0 = {};
+
+                                               ipfw_convert_from_latest(rule, &rule_vers0, api_version, is64user);
                                                sopt->sopt_valsize = sizeof(struct ip_old_fw);
                                                sopt->sopt_valsize = sizeof(struct ip_old_fw);
-                                               
+
                                                error = sooptcopyout(sopt, &rule_vers0, sizeof(struct ip_old_fw));
                                        } else if (api_version == IP_FW_VERSION_1) {
                                                error = sooptcopyout(sopt, &rule_vers0, sizeof(struct ip_old_fw));
                                        } else if (api_version == IP_FW_VERSION_1) {
-                                               struct ip_fw_compat     rule_vers1;
-               
-                                               ipfw_convert_from_latest(rule, &rule_vers1, api_version);
+                                               struct ip_fw_compat     rule_vers1 = {};
+                                               ipfw_convert_from_latest(rule, &rule_vers1, api_version, is64user);
                                                sopt->sopt_valsize = sizeof(struct ip_fw_compat);
                                                sopt->sopt_valsize = sizeof(struct ip_fw_compat);
-                                               
+
                                                error = sooptcopyout(sopt, &rule_vers1, sizeof(struct ip_fw_compat));
                                        } else {
                                                error = sooptcopyout(sopt, &rule_vers1, sizeof(struct ip_fw_compat));
                                        } else {
-                                               error = sooptcopyout(sopt, rule, size);
+                                               char *userrule;
+                                               userrule = _MALLOC(savedsopt_valsize, M_TEMP, M_WAITOK | M_ZERO);
+                                               if (userrule == NULL) {
+                                                       userrule = (char*)rule;
+                                               }
+                                               if (proc_is64bit(sopt->sopt_p)) {
+                                                       copyto64fw( rule, (struct ip_fw_64*)userrule, savedsopt_valsize);
+                                               } else {
+                                                       copyto32fw( rule, (struct ip_fw_32*)userrule, savedsopt_valsize);
+                                               }
+                                               error = sooptcopyout(sopt, userrule, savedsopt_valsize);
+                                               if (userrule) {
+                                                       _FREE(userrule, M_TEMP);
+                                               }
                                        }
                                }
                        }
                }
                                        }
                                }
                        }
                }
-               
+
                _FREE(rule, M_TEMP);
                break;
                _FREE(rule, M_TEMP);
                break;
-
+       }
        case IP_FW_DEL:
        {
                /*
                 * IP_FW_DEL is used for deleting single rules or sets,
        case IP_FW_DEL:
        {
                /*
                 * IP_FW_DEL is used for deleting single rules or sets,
-                * and (ab)used to atomically manipulate sets. 
+                * and (ab)used to atomically manipulate sets.
                 * rule->rulenum != 0 indicates single rule delete
                 * rule->set_masks used to manipulate sets
                 * rule->rulenum != 0 indicates single rule delete
                 * rule->set_masks used to manipulate sets
-                * rule->set_masks[0] contains info on sets to be 
+                * rule->set_masks[0] contains info on sets to be
                 *      disabled, swapped, or moved
                 * rule->set_masks[1] contains sets to be enabled.
                 */
                 *      disabled, swapped, or moved
                 * rule->set_masks[1] contains sets to be enabled.
                 */
-                
+
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
-               struct ip_fw    temp_rule;
-               u_int32_t       arg;
-               u_int8_t        cmd;
-               
+               struct ip_fw    temp_rule;
+               u_int32_t       arg;
+               u_int8_t        cmd;
+
                bzero(&temp_rule, sizeof(struct ip_fw));
                if (api_version != IP_FW_CURRENT_API_VERSION) {
                bzero(&temp_rule, sizeof(struct ip_fw));
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version);
-               }
-               else {
-                       error = sooptcopyin(sopt, &temp_rule, sizeof(struct ip_fw),
-                               sizeof(struct ip_fw) );
+                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version, is64user);
+               } else {
+                       error = sooptcopyin_fw(sopt, &temp_rule, 0 );
                }
 
                if (!error) {
                }
 
                if (!error) {
@@ -3140,32 +3992,33 @@ ipfw_ctl(struct sockopt *sopt)
                         * single rules or atomically manipulating sets
                         */
                        lck_mtx_lock(ipfw_mutex);
                         * single rules or atomically manipulating sets
                         */
                        lck_mtx_lock(ipfw_mutex);
-                       
+
                        arg = temp_rule.set_masks[0];
                        cmd = (arg >> 24) & 0xff;
                        arg = temp_rule.set_masks[0];
                        cmd = (arg >> 24) & 0xff;
-                       
+
                        if (temp_rule.rulenum) {
                                /* single rule */
                                error = del_entry(&layer3_chain, temp_rule.rulenum);
 #if DEBUG_INACTIVE_RULES
                                print_chain(&layer3_chain);
 #endif
                        if (temp_rule.rulenum) {
                                /* single rule */
                                error = del_entry(&layer3_chain, temp_rule.rulenum);
 #if DEBUG_INACTIVE_RULES
                                print_chain(&layer3_chain);
 #endif
-                       }
-                       else if (cmd) {
+                       } else if (cmd) {
                                /* set reassignment - see comment above del_entry() for details */
                                error = del_entry(&layer3_chain, temp_rule.set_masks[0]);
 #if DEBUG_INACTIVE_RULES
                                print_chain(&layer3_chain);
 #endif
                                /* set reassignment - see comment above del_entry() for details */
                                error = del_entry(&layer3_chain, temp_rule.set_masks[0]);
 #if DEBUG_INACTIVE_RULES
                                print_chain(&layer3_chain);
 #endif
-                       }
-                       else if (temp_rule.set_masks[0] != 0 ||
-                               temp_rule.set_masks[1] != 0) {
+                       } else if (temp_rule.set_masks[0] != 0 ||
+                           temp_rule.set_masks[1] != 0) {
                                /* set enable/disable */
                                set_disable =
                                /* set enable/disable */
                                set_disable =
-                                       (set_disable | temp_rule.set_masks[0]) & ~temp_rule.set_masks[1] &
-                                       ~(1<<RESVD_SET); /* set RESVD_SET always enabled */
+                                   (set_disable | temp_rule.set_masks[0]) & ~temp_rule.set_masks[1] &
+                                   ~(1 << RESVD_SET);   /* set RESVD_SET always enabled */
+                       }
+
+                       if (!layer3_chain->next) {
+                               fw_bypass = 1;
                        }
                        }
-                                               
                        lck_mtx_unlock(ipfw_mutex);
                }
                break;
                        lck_mtx_unlock(ipfw_mutex);
                }
                break;
@@ -3176,15 +4029,15 @@ ipfw_ctl(struct sockopt *sopt)
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
-               struct ip_fw    temp_rule = { 0 };
-               
+               struct ip_fw temp_rule;
+
+               bzero(&temp_rule, sizeof(struct ip_fw));
+
                if (api_version != IP_FW_CURRENT_API_VERSION) {
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version);
-               }
-               else {
+                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version, is64user);
+               } else {
                        if (sopt->sopt_val != 0) {
                        if (sopt->sopt_val != 0) {
-                               error = sooptcopyin(sopt, &temp_rule, sizeof(struct ip_fw),
-                                       sizeof(struct ip_fw) );
+                               error = sooptcopyin_fw( sopt, &temp_rule, 0);
                        }
                }
 
                        }
                }
 
@@ -3200,7 +4053,27 @@ ipfw_ctl(struct sockopt *sopt)
                error = EINVAL;
        }
 
                error = EINVAL;
        }
 
-       return (error);
+       if (error != EINVAL) {
+               switch (command) {
+               case IP_FW_ADD:
+               case IP_OLD_FW_ADD:
+                       ipfw_kev_post_msg(KEV_IPFW_ADD);
+                       break;
+               case IP_OLD_FW_DEL:
+               case IP_FW_DEL:
+                       ipfw_kev_post_msg(KEV_IPFW_DEL);
+                       break;
+               case IP_FW_FLUSH:
+               case IP_OLD_FW_FLUSH:
+                       ipfw_kev_post_msg(KEV_IPFW_FLUSH);
+                       break;
+
+               default:
+                       break;
+               }
+       }
+
+       return error;
 }
 
 /**
 }
 
 /**
@@ -3217,41 +4090,80 @@ struct ip_fw *ip_fw_default_rule;
  * every dyn_keepalive_period
  */
 static void
  * every dyn_keepalive_period
  */
 static void
-ipfw_tick(void * __unused unused)
+ipfw_tick(__unused void * unused)
 {
 {
+       struct mbuf *m0, *m, *mnext, **mtailp;
        int i;
        int i;
-       int s;
        ipfw_dyn_rule *q;
        struct timeval timenow;
        ipfw_dyn_rule *q;
        struct timeval timenow;
+       static int stealth_cnt = 0;
 
 
+       if (ipfw_stealth_stats_needs_flush) {
+               stealth_cnt++;
+               if (!(stealth_cnt % IPFW_STEALTH_TIMEOUT_FREQUENCY)) {
+                       ipfw_stealth_flush_stats();
+               }
+       }
 
 
-       if (dyn_keepalive == 0 || ipfw_dyn_v == NULL || dyn_count == 0)
+       if (dyn_keepalive == 0 || ipfw_dyn_v == NULL || dyn_count == 0) {
                goto done;
                goto done;
+       }
 
        getmicrotime(&timenow);
 
 
        getmicrotime(&timenow);
 
+       /*
+        * We make a chain of packets to go out here -- not deferring
+        * until after we drop the ipfw lock would result
+        * in a lock order reversal with the normal packet input -> ipfw
+        * call stack.
+        */
+       m0 = NULL;
+       mtailp = &m0;
+
        lck_mtx_lock(ipfw_mutex);
        lck_mtx_lock(ipfw_mutex);
-       for (i = 0 ; i < curr_dyn_buckets ; i++) {
-               for (q = ipfw_dyn_v[i] ; q ; q = q->next ) {
-                       if (q->dyn_type == O_LIMIT_PARENT)
+       for (i = 0; i < curr_dyn_buckets; i++) {
+               for (q = ipfw_dyn_v[i]; q; q = q->next) {
+                       if (q->dyn_type == O_LIMIT_PARENT) {
                                continue;
                                continue;
-                       if (q->id.proto != IPPROTO_TCP)
+                       }
+                       if (q->id.proto != IPPROTO_TCP) {
                                continue;
                                continue;
-                       if ( (q->state & BOTH_SYN) != BOTH_SYN)
+                       }
+                       if ((q->state & BOTH_SYN) != BOTH_SYN) {
                                continue;
                                continue;
-                       if (TIME_LEQ( timenow.tv_sec+dyn_keepalive_interval,
-                           q->expire))
-                               continue;       /* too early */
-                       if (TIME_LEQ(q->expire, timenow.tv_sec))
-                               continue;       /* too late, rule expired */
+                       }
+                       if (TIME_LEQ( timenow.tv_sec + dyn_keepalive_interval,
+                           q->expire)) {
+                               continue;       /* too early */
+                       }
+                       if (TIME_LEQ(q->expire, timenow.tv_sec)) {
+                               continue;       /* too late, rule expired */
+                       }
+                       *mtailp = send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN);
+                       if (*mtailp != NULL) {
+                               mtailp = &(*mtailp)->m_nextpkt;
+                       }
 
 
-                       send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN);
-                       send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0);
+                       *mtailp = send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0);
+                       if (*mtailp != NULL) {
+                               mtailp = &(*mtailp)->m_nextpkt;
+                       }
                }
        }
        lck_mtx_unlock(ipfw_mutex);
                }
        }
        lck_mtx_unlock(ipfw_mutex);
+
+       for (m = mnext = m0; m != NULL; m = mnext) {
+               struct route sro;       /* fake route */
+
+               mnext = m->m_nextpkt;
+               m->m_nextpkt = NULL;
+               bzero(&sro, sizeof(sro));
+               ip_output(m, NULL, &sro, 0, NULL, NULL);
+               ROUTE_RELEASE(&sro);
+       }
 done:
 done:
-       timeout(ipfw_tick, NULL, dyn_keepalive_period*hz);
+       timeout_with_leeway(ipfw_tick, NULL, dyn_keepalive_period * hz,
+           DYN_KEEPALIVE_LEEWAY * hz);
 }
 
 void
 }
 
 void
@@ -3263,12 +4175,7 @@ ipfw_init(void)
        ipfw_mutex_grp_attr = lck_grp_attr_alloc_init();
        ipfw_mutex_grp = lck_grp_alloc_init("ipfw", ipfw_mutex_grp_attr);
        ipfw_mutex_attr = lck_attr_alloc_init();
        ipfw_mutex_grp_attr = lck_grp_attr_alloc_init();
        ipfw_mutex_grp = lck_grp_alloc_init("ipfw", ipfw_mutex_grp_attr);
        ipfw_mutex_attr = lck_attr_alloc_init();
-       lck_attr_setdefault(ipfw_mutex_attr);
-
-       if ((ipfw_mutex = lck_mtx_alloc_init(ipfw_mutex_grp, ipfw_mutex_attr)) == NULL) {
-               printf("ipfw_init: can't alloc ipfw_mutex\n");
-               return;
-       }
+       lck_mtx_init(ipfw_mutex, ipfw_mutex_grp, ipfw_mutex_attr);
 
        layer3_chain = NULL;
 
 
        layer3_chain = NULL;
 
@@ -3282,48 +4189,37 @@ ipfw_init(void)
        default_rule.cmd[0].len = 1;
        default_rule.cmd[0].opcode =
 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
        default_rule.cmd[0].len = 1;
        default_rule.cmd[0].opcode =
 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
-                               1 ? O_ACCEPT :
+           (1) ? O_ACCEPT :
 #endif
 #endif
-                               O_DENY;
+           O_DENY;
 
        if (add_rule(&layer3_chain, &default_rule)) {
                printf("ipfw2: add_rule failed adding default rule\n");
                printf("ipfw2 failed initialization!!\n");
                fw_enable = 0;
 
        if (add_rule(&layer3_chain, &default_rule)) {
                printf("ipfw2: add_rule failed adding default rule\n");
                printf("ipfw2 failed initialization!!\n");
                fw_enable = 0;
-       }
-       else {
+       } else {
                ip_fw_default_rule = layer3_chain;
                ip_fw_default_rule = layer3_chain;
-#if 0
-               /* Radar 3920649, don't print unncessary messages to the log */
-               printf("ipfw2 initialized, divert %s, "
-                       "rule-based forwarding enabled, default to %s, logging ",
-       #ifdef IPDIVERT
-                       "enabled",
-       #else
-                       "disabled",
-       #endif
-                       default_rule.cmd[0].opcode == O_ACCEPT ? "accept" : "deny");
-#endif
-       
+
        #ifdef IPFIREWALL_VERBOSE
                fw_verbose = 1;
        #endif
        #ifdef IPFIREWALL_VERBOSE_LIMIT
                verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
        #endif
        #ifdef IPFIREWALL_VERBOSE
                fw_verbose = 1;
        #endif
        #ifdef IPFIREWALL_VERBOSE_LIMIT
                verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
        #endif
-               if (fw_verbose == 0)
-                       printf("disabled\n");
-               else if (verbose_limit == 0)
-                       printf("unlimited\n");
-               else
-                       printf("limited to %d packets/entry by default\n",
-                               verbose_limit);
+               if (fw_verbose) {
+                       if (!verbose_limit) {
+                               printf("ipfw2 verbose logging enabled: unlimited logging by default\n");
+                       } else {
+                               printf("ipfw2 verbose logging enabled: limited to %d packets/entry by default\n",
+                                   verbose_limit);
+                       }
+               }
        }
 
        ip_fw_chk_ptr = ipfw_chk;
        ip_fw_ctl_ptr = ipfw_ctl;
 
        }
 
        ip_fw_chk_ptr = ipfw_chk;
        ip_fw_ctl_ptr = ipfw_ctl;
 
-        ipfwstringlen = strlen( ipfwstring );
+       ipfwstringlen = strlen( ipfwstring );
 
        timeout(ipfw_tick, NULL, hz);
 }
 
        timeout(ipfw_tick, NULL, hz);
 }
mirror of XNU