]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet/ip_fw2.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-1699.22.81.tar.gz
[apple/xnu.git] / bsd / netinet / ip_fw2.c
diff --git a/bsd/netinet/ip_fw2.c b/bsd/netinet/ip_fw2.c
index 84f8f0c1a8742f88d502b476c803c569aca7ac1f..bb66be5d7b64b5197be9afae9fa9913802846b4e 100644 (file)
--- a/bsd/netinet/ip_fw2.c
+++ b/bsd/netinet/ip_fw2.c
@@ -1,3 +1,31 @@
+/*
+ * Copyright (c) 2004-2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
+
 /*
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
 /*
  * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
  *
@@ -36,7 +64,7 @@
 #error IPFIREWALL requires INET.
 #endif /* INET */
 
 #error IPFIREWALL requires INET.
 #endif /* INET */
 
-#ifdef IPFW2
+#if IPFW2
 #include <machine/spl.h>
 
 #include <sys/param.h>
 #include <machine/spl.h>
 
 #include <sys/param.h>
@@ -50,6 +78,8 @@
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/ucred.h>
+#include <sys/kern_event.h>
+
 #include <net/if.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <net/if.h>
 #include <net/route.h>
 #include <netinet/in.h>
@@ -108,6 +138,7 @@ static u_int32_t set_disable;
 
 int fw_verbose;
 static int verbose_limit;
 
 int fw_verbose;
 static int verbose_limit;
+extern int fw_bypass;
 
 #define        IPFW_DEFAULT_RULE       65535
 
 
 #define        IPFW_DEFAULT_RULE       65535
 
@@ -120,27 +151,35 @@ static struct ip_fw *layer3_chain;
 
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
 
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
-static int fw_debug = 1;
+static int fw_debug = 0;
 static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
 
 static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
 
+static void ipfw_kev_post_msg(u_int32_t );
+
+static int Get32static_len(void);
+static int Get64static_len(void);
+
 #ifdef SYSCTL_NODE
 #ifdef SYSCTL_NODE
-SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable,
-    CTLFLAG_RW,
-    &fw_enable, 0, "Enable ipfw");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW,
+
+static int ipfw_sysctl SYSCTL_HANDLER_ARGS;
+
+SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW|CTLFLAG_LOCKED, 0, "Firewall");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_LOCKED,
+    &fw_enable, 0, ipfw_sysctl, "I", "Enable ipfw");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW | CTLFLAG_LOCKED,
     &autoinc_step, 0, "Rule number autincrement step");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
     &autoinc_step, 0, "Rule number autincrement step");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_one_pass, 0,
     "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug,
     &fw_one_pass, 0,
     "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_debug, 0, "Enable printing of debug ip_fw statements");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose,
     &fw_debug, 0, "Enable printing of debug ip_fw statements");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose,
-    CTLFLAG_RW,
+    CTLFLAG_RW | CTLFLAG_LOCKED,
     &fw_verbose, 0, "Log matches to ipfw rules");
     &fw_verbose, 0, "Log matches to ipfw rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW | CTLFLAG_LOCKED,
     &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
 
 /*
     &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
 
 /*
@@ -207,34 +246,52 @@ static u_int32_t dyn_keepalive = 1;       /* do send keepalives */
 
 static u_int32_t static_count; /* # of static rules */
 static u_int32_t static_len;   /* size in bytes of static rules */
 
 static u_int32_t static_count; /* # of static rules */
 static u_int32_t static_len;   /* size in bytes of static rules */
+static u_int32_t static_len_32;        /* size in bytes of static rules for 32 bit client */
+static u_int32_t static_len_64;        /* size in bytes of static rules for 64 bit client */
 static u_int32_t dyn_count;            /* # of dynamic rules */
 static u_int32_t dyn_max = 4096;       /* max # of dynamic rules */
 
 static u_int32_t dyn_count;            /* # of dynamic rules */
 static u_int32_t dyn_max = 4096;       /* max # of dynamic rules */
 
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_buckets, 0, "Number of dyn. buckets");
     &dyn_buckets, 0, "Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD | CTLFLAG_LOCKED,
     &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
     &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD | CTLFLAG_LOCKED,
     &dyn_count, 0, "Number of dyn. rules");
     &dyn_count, 0, "Number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_max, 0, "Max number of dyn. rules");
     &dyn_max, 0, "Max number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD | CTLFLAG_LOCKED,
     &static_count, 0, "Number of static rules");
     &static_count, 0, "Number of static rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
     &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
     &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
     &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
     &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
     &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
     &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW | CTLFLAG_LOCKED,
     &dyn_keepalive, 0, "Enable keepalives for dyn. rules");
 
     &dyn_keepalive, 0, "Enable keepalives for dyn. rules");
 
+
+static int
+ipfw_sysctl SYSCTL_HANDLER_ARGS
+{
+#pragma unused(arg1, arg2)
+       int error;
+       
+       error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
+       if (error || !req->newptr)
+               return (error);
+       
+       ipfw_kev_post_msg(KEV_IPFW_ENABLE);
+       
+       return error;
+}
+
 #endif /* SYSCTL_NODE */
 
 
 #endif /* SYSCTL_NODE */
 
 
@@ -246,7 +303,7 @@ lck_grp_attr_t    *ipfw_mutex_grp_attr;
 lck_attr_t        *ipfw_mutex_attr;
 lck_mtx_t         *ipfw_mutex;
 
 lck_attr_t        *ipfw_mutex_attr;
 lck_mtx_t         *ipfw_mutex;
 
-extern  void    ipfwsyslog( int level, char *format,...);
+extern  void    ipfwsyslog( int level, const char *format,...);
 
 #if DUMMYNET
 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;     /* hook into dummynet */
 
 #if DUMMYNET
 ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL;     /* hook into dummynet */
@@ -260,11 +317,17 @@ static          size_t            ipfwstringlen;
 
 #define dolog( a ) {           \
        if ( fw_verbose == 2 )          /* Apple logging, log to ipfw.log */ \
 
 #define dolog( a ) {           \
        if ( fw_verbose == 2 )          /* Apple logging, log to ipfw.log */ \
-               ipfwsyslog a ;  \ 
+               ipfwsyslog a ;  \
        else log a ;            \
 }
 
        else log a ;            \
 }
 
-void    ipfwsyslog( int level, char *format,...)
+#define RULESIZE64(rule)  (sizeof(struct ip_fw_64) + \
+                                                       ((struct ip_fw *)(rule))->cmd_len * 4 - 4)
+
+#define RULESIZE32(rule)  (sizeof(struct ip_fw_32) + \
+                                                       ((struct ip_fw *)(rule))->cmd_len * 4 - 4)
+
+void    ipfwsyslog( int level, const char *format,...)
 {
 #define                msgsize         100
 
 {
 #define                msgsize         100
 
@@ -275,6 +338,8 @@ void    ipfwsyslog( int level, char *format,...)
     unsigned char       pri;
     int                        loglen;
 
     unsigned char       pri;
     int                        loglen;
 
+       bzero(msgBuf, msgsize);
+       bzero(&ev_msg, sizeof(struct kev_msg));
        va_start( ap, format );
         loglen = vsnprintf(msgBuf, msgsize, format, ap);
         va_end( ap );
        va_start( ap, format );
         loglen = vsnprintf(msgBuf, msgsize, format, ap);
         va_end( ap );
@@ -327,6 +392,441 @@ is_icmp_query(struct ip *ip)
 }
 #undef TT
 
 }
 #undef TT
 
+static int
+Get32static_len()
+{
+       int     diff;
+       int len = static_len_32;
+       struct ip_fw *rule;
+       char             *useraction;
+
+       for (rule = layer3_chain; rule ; rule = rule->next) {
+               if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
+                       continue;
+               }
+               if ( rule->act_ofs ){
+                       useraction =  (char*)ACTION_PTR( rule ); 
+                       if ( ((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE){
+                               diff = sizeof(ipfw_insn_pipe) - sizeof(ipfw_insn_pipe_32);
+                               if (diff)
+                                       len -= diff;
+                       }
+               }
+       }
+       return len;
+}
+
+static int
+Get64static_len()
+{
+       int     diff;
+       int len = static_len_64;
+       struct ip_fw *rule;
+       char             *useraction;
+
+       for (rule = layer3_chain; rule ; rule = rule->next) {
+               if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
+                       continue;
+               }
+               if ( rule->act_ofs ){
+                       useraction =  (char *)ACTION_PTR( rule ); 
+                       if ( ((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE){
+                               diff = sizeof(ipfw_insn_pipe_64) - sizeof(ipfw_insn_pipe);
+                               if (diff)
+                                       len += diff;
+                       }
+               }
+       }
+       return len;
+}
+
+static void 
+copyto32fw_insn( struct ip_fw_32 *fw32 , struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw32action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff=0;
+       int                     actioncopysize;
+
+       end = ((char*)user_ip_fw->cmd) + cmdsize;
+       useraction = (char*)ACTION_PTR( user_ip_fw );
+       fw32action = (char*)fw32->cmd + (user_ip_fw->act_ofs * sizeof(uint32_t));
+       if ( ( justcmdsize = ( fw32action - (char*)fw32->cmd)))
+               bcopy( user_ip_fw->cmd, fw32->cmd, justcmdsize); 
+       while ( useraction < end ){
+               if ( ((ipfw_insn*)useraction)->opcode == O_QUEUE || ((ipfw_insn*)useraction)->opcode == O_PIPE){
+                       actioncopysize = sizeof(ipfw_insn_pipe_32);
+                       ((ipfw_insn*)fw32action)->opcode = ((ipfw_insn*)useraction)->opcode;
+                       ((ipfw_insn*)fw32action)->arg1 = ((ipfw_insn*)useraction)->arg1;
+                       ((ipfw_insn*)fw32action)->len = F_INSN_SIZE(ipfw_insn_pipe_32);
+                       diff = ((ipfw_insn*)useraction)->len - ((ipfw_insn*)fw32action)->len;
+                       if ( diff ){
+                               fw32->cmd_len -= diff;
+                       }
+               } else{
+                       actioncopysize =  (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1 ) * sizeof(uint32_t);
+                       bcopy( useraction, fw32action, actioncopysize );
+               }
+               useraction += (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1 ) * sizeof(uint32_t);
+               fw32action += actioncopysize;
+       }
+}
+
+static void
+copyto64fw_insn( struct ip_fw_64 *fw64 , struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw64action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char *)user_ip_fw->cmd) + cmdsize;
+       useraction = (char*)ACTION_PTR( user_ip_fw );
+       if ( (justcmdsize = (useraction - (char*)user_ip_fw->cmd)))
+               bcopy( user_ip_fw->cmd, fw64->cmd, justcmdsize); 
+       fw64action = (char*)fw64->cmd + justcmdsize;
+       while ( useraction < end ){
+               if ( ((ipfw_insn*)user_ip_fw)->opcode == O_QUEUE || ((ipfw_insn*)user_ip_fw)->opcode == O_PIPE){
+                       actioncopysize = sizeof(ipfw_insn_pipe_64);
+                       ((ipfw_insn*)fw64action)->opcode = ((ipfw_insn*)useraction)->opcode;
+                       ((ipfw_insn*)fw64action)->arg1 = ((ipfw_insn*)useraction)->arg1;
+                       ((ipfw_insn*)fw64action)->len = F_INSN_SIZE(ipfw_insn_pipe_64);
+                       diff = ((ipfw_insn*)fw64action)->len - ((ipfw_insn*)useraction)->len;
+                       if (diff)
+                               fw64->cmd_len += diff;
+                       
+               } else{
+                       actioncopysize = (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1 ) * sizeof(uint32_t);
+                       bcopy( useraction, fw64action, actioncopysize );
+               }
+               useraction += (F_LEN((ipfw_insn*)useraction) ? (F_LEN((ipfw_insn*)useraction)) : 1 ) * sizeof(uint32_t);
+               fw64action += actioncopysize;
+       }
+}
+
+static void 
+copyto32fw( struct ip_fw *user_ip_fw, struct ip_fw_32 *fw32 , __unused size_t copysize)
+{
+       size_t  rulesize, cmdsize;
+       
+       fw32->version = user_ip_fw->version;
+       fw32->context = CAST_DOWN_EXPLICIT( user32_addr_t, user_ip_fw->context);
+       fw32->next = CAST_DOWN_EXPLICIT(user32_addr_t, user_ip_fw->next);
+       fw32->next_rule = CAST_DOWN_EXPLICIT(user32_addr_t, user_ip_fw->next_rule);
+       fw32->act_ofs = user_ip_fw->act_ofs;
+       fw32->cmd_len = user_ip_fw->cmd_len;
+       fw32->rulenum = user_ip_fw->rulenum;
+       fw32->set = user_ip_fw->set;
+       fw32->set_masks[0] = user_ip_fw->set_masks[0];
+       fw32->set_masks[1] = user_ip_fw->set_masks[1];
+       fw32->pcnt = user_ip_fw->pcnt;
+       fw32->bcnt = user_ip_fw->bcnt;
+       fw32->timestamp = user_ip_fw->timestamp;
+       fw32->reserved_1 = user_ip_fw->reserved_1;
+       fw32->reserved_2 = user_ip_fw->reserved_2;
+       rulesize = sizeof(struct ip_fw_32) + (user_ip_fw->cmd_len * sizeof(ipfw_insn) - 4);
+       cmdsize = user_ip_fw->cmd_len * sizeof(u_int32_t);
+       copyto32fw_insn( fw32, user_ip_fw, cmdsize );
+}
+
+static void
+copyto64fw( struct ip_fw *user_ip_fw, struct ip_fw_64  *fw64, size_t copysize)
+{
+       size_t  rulesize, cmdsize;
+
+       fw64->version = user_ip_fw->version;
+       fw64->context = CAST_DOWN_EXPLICIT(__uint64_t, user_ip_fw->context);
+       fw64->next = CAST_DOWN_EXPLICIT(user64_addr_t, user_ip_fw->next);
+       fw64->next_rule = CAST_DOWN_EXPLICIT(user64_addr_t, user_ip_fw->next_rule);
+       fw64->act_ofs = user_ip_fw->act_ofs;
+       fw64->cmd_len = user_ip_fw->cmd_len;
+       fw64->rulenum = user_ip_fw->rulenum;
+       fw64->set = user_ip_fw->set;
+       fw64->set_masks[0] = user_ip_fw->set_masks[0];
+       fw64->set_masks[1] = user_ip_fw->set_masks[1];
+       fw64->pcnt = user_ip_fw->pcnt;
+       fw64->bcnt = user_ip_fw->bcnt;
+       fw64->timestamp = user_ip_fw->timestamp;
+       fw64->reserved_1 = user_ip_fw->reserved_1;
+       fw64->reserved_2 = user_ip_fw->reserved_2;
+       rulesize = sizeof(struct ip_fw_64) + (user_ip_fw->cmd_len * sizeof(ipfw_insn) - 4);
+       if (rulesize > copysize)
+               cmdsize = copysize - sizeof(struct ip_fw_64) + 4;
+       else
+               cmdsize = user_ip_fw->cmd_len * sizeof(u_int32_t);
+       copyto64fw_insn( fw64, user_ip_fw, cmdsize);
+}
+
+static int
+copyfrom32fw_insn( struct ip_fw_32 *fw32 , struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw32action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char*)fw32->cmd) + cmdsize;
+       fw32action = (char*)ACTION_PTR( fw32 );
+       if ((justcmdsize = (fw32action - (char*)fw32->cmd)))
+               bcopy( fw32->cmd, user_ip_fw->cmd, justcmdsize); 
+       useraction = (char*)user_ip_fw->cmd + justcmdsize;
+       while ( fw32action < end ){
+               if ( ((ipfw_insn*)fw32action)->opcode == O_QUEUE || ((ipfw_insn*)fw32action)->opcode == O_PIPE){
+                       actioncopysize = sizeof(ipfw_insn_pipe);
+                       ((ipfw_insn*)useraction)->opcode = ((ipfw_insn*)fw32action)->opcode;
+                       ((ipfw_insn*)useraction)->arg1 = ((ipfw_insn*)fw32action)->arg1;
+                       ((ipfw_insn*)useraction)->len = F_INSN_SIZE(ipfw_insn_pipe);
+                       diff = ((ipfw_insn*)useraction)->len - ((ipfw_insn*)fw32action)->len;
+                       if (diff){
+                               /* readjust the cmd_len */
+                               user_ip_fw->cmd_len += diff;
+                       }
+               } else{
+                       actioncopysize = (F_LEN((ipfw_insn*)fw32action) ? (F_LEN((ipfw_insn*)fw32action)) : 1 ) * sizeof(uint32_t);
+                       bcopy( fw32action, useraction, actioncopysize );
+               }
+               fw32action += (F_LEN((ipfw_insn*)fw32action) ? (F_LEN((ipfw_insn*)fw32action)) : 1 ) * sizeof(uint32_t);
+               useraction += actioncopysize;
+       }
+
+       return( useraction - (char*)user_ip_fw->cmd );
+}
+
+static int
+copyfrom64fw_insn( struct ip_fw_64 *fw64 , struct ip_fw *user_ip_fw, int cmdsize)
+{
+       char            *end;
+       char            *fw64action;
+       char            *useraction;
+       int                     justcmdsize;
+       int                     diff;
+       int                     actioncopysize;
+
+       end = ((char *)fw64->cmd) + cmdsize ;
+       fw64action = (char*)ACTION_PTR( fw64 );
+       if ( (justcmdsize = (fw64action - (char*)fw64->cmd)))
+               bcopy( fw64->cmd, user_ip_fw->cmd, justcmdsize); 
+       useraction = (char*)user_ip_fw->cmd + justcmdsize;
+       while ( fw64action < end ){
+               if ( ((ipfw_insn*)fw64action)->opcode == O_QUEUE || ((ipfw_insn*)fw64action)->opcode == O_PIPE){
+                       actioncopysize = sizeof(ipfw_insn_pipe);
+                       ((ipfw_insn*)useraction)->opcode = ((ipfw_insn*)fw64action)->opcode;
+                       ((ipfw_insn*)useraction)->arg1 = ((ipfw_insn*)fw64action)->arg1;
+                       ((ipfw_insn*)useraction)->len = F_INSN_SIZE(ipfw_insn_pipe);
+                       diff = ((ipfw_insn*)fw64action)->len - ((ipfw_insn*)useraction)->len; 
+                       if (diff) {
+                               /* readjust the cmd_len */
+                               user_ip_fw->cmd_len -= diff;
+                       }
+               } else{
+                       actioncopysize = (F_LEN((ipfw_insn*)fw64action) ? (F_LEN((ipfw_insn*)fw64action)) : 1 ) * sizeof(uint32_t);
+                       bcopy( fw64action, useraction, actioncopysize );
+               }
+               fw64action += (F_LEN((ipfw_insn*)fw64action) ? (F_LEN((ipfw_insn*)fw64action)) : 1 ) * sizeof(uint32_t); 
+               useraction += actioncopysize;
+       }
+       return( useraction - (char*)user_ip_fw->cmd );
+}
+
+static size_t 
+copyfrom32fw( struct ip_fw_32  *fw32, struct ip_fw *user_ip_fw, size_t copysize)
+{
+       size_t rulesize, cmdsize;
+        
+       user_ip_fw->version = fw32->version;
+       user_ip_fw->context = CAST_DOWN(void *, fw32->context);
+       user_ip_fw->next = CAST_DOWN(struct ip_fw*, fw32->next);
+       user_ip_fw->next_rule = CAST_DOWN_EXPLICIT(struct ip_fw*, fw32->next_rule);
+       user_ip_fw->act_ofs = fw32->act_ofs;
+       user_ip_fw->cmd_len = fw32->cmd_len;
+       user_ip_fw->rulenum = fw32->rulenum;
+       user_ip_fw->set = fw32->set;
+       user_ip_fw->set_masks[0] = fw32->set_masks[0];
+       user_ip_fw->set_masks[1] = fw32->set_masks[1];
+       user_ip_fw->pcnt = fw32->pcnt;
+       user_ip_fw->bcnt = fw32->bcnt;
+       user_ip_fw->timestamp = fw32->timestamp;
+       user_ip_fw->reserved_1 = fw32->reserved_1;
+       user_ip_fw->reserved_2 = fw32->reserved_2;
+       rulesize = sizeof(struct ip_fw_32) + (fw32->cmd_len * sizeof(ipfw_insn) - 4);
+       if ( rulesize > copysize )
+               cmdsize = copysize - sizeof(struct ip_fw_32)-4;
+       else
+               cmdsize = fw32->cmd_len * sizeof(ipfw_insn);
+       cmdsize = copyfrom32fw_insn( fw32, user_ip_fw, cmdsize);
+       return( sizeof(struct ip_fw) + cmdsize - 4);
+}
+
+static size_t 
+copyfrom64fw( struct ip_fw_64 *fw64, struct ip_fw *user_ip_fw, size_t copysize)
+{
+       size_t rulesize, cmdsize;
+       
+       user_ip_fw->version = fw64->version;
+       user_ip_fw->context = CAST_DOWN_EXPLICIT( void *, fw64->context);
+       user_ip_fw->next = CAST_DOWN_EXPLICIT(struct ip_fw*, fw64->next);
+       user_ip_fw->next_rule = CAST_DOWN_EXPLICIT(struct ip_fw*, fw64->next_rule);
+       user_ip_fw->act_ofs = fw64->act_ofs;
+       user_ip_fw->cmd_len = fw64->cmd_len;
+       user_ip_fw->rulenum = fw64->rulenum;
+       user_ip_fw->set = fw64->set;
+       user_ip_fw->set_masks[0] = fw64->set_masks[0];
+       user_ip_fw->set_masks[1] = fw64->set_masks[1];
+       user_ip_fw->pcnt = fw64->pcnt;
+       user_ip_fw->bcnt = fw64->bcnt;
+       user_ip_fw->timestamp = fw64->timestamp;
+       user_ip_fw->reserved_1 = fw64->reserved_1;
+       user_ip_fw->reserved_2 = fw64->reserved_2;
+       //bcopy( fw64->cmd, user_ip_fw->cmd, fw64->cmd_len * sizeof(ipfw_insn));
+       rulesize = sizeof(struct ip_fw_64) + (fw64->cmd_len * sizeof(ipfw_insn) - 4);
+       if ( rulesize > copysize )
+               cmdsize = copysize - sizeof(struct ip_fw_64)-4;
+       else
+               cmdsize = fw64->cmd_len * sizeof(ipfw_insn);
+       cmdsize = copyfrom64fw_insn( fw64, user_ip_fw, cmdsize);
+       return( sizeof(struct ip_fw) + cmdsize - 4);
+}
+
+static
+void cp_dyn_to_comp_32( struct ipfw_dyn_rule_compat_32 *dyn_rule_vers1, int *len)
+{
+       struct ipfw_dyn_rule_compat_32 *dyn_last=NULL;
+       ipfw_dyn_rule   *p;
+       int i;
+
+       if (ipfw_dyn_v) {
+               for (i = 0; i < curr_dyn_buckets; i++) {
+                       for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next) {
+                               dyn_rule_vers1->chain = (user32_addr_t)(p->rule->rulenum);
+                               dyn_rule_vers1->id = p->id;
+                               dyn_rule_vers1->mask = p->id;
+                               dyn_rule_vers1->type = p->dyn_type;
+                               dyn_rule_vers1->expire = p->expire;
+                               dyn_rule_vers1->pcnt = p->pcnt;
+                               dyn_rule_vers1->bcnt = p->bcnt;
+                               dyn_rule_vers1->bucket = p->bucket;
+                               dyn_rule_vers1->state = p->state;
+                               
+                               dyn_rule_vers1->next = CAST_DOWN_EXPLICIT( user32_addr_t, p->next);
+                               dyn_last = dyn_rule_vers1;
+                               
+                               *len += sizeof(*dyn_rule_vers1);
+                               dyn_rule_vers1++;
+                       }
+               }
+               
+               if (dyn_last != NULL) {
+                       dyn_last->next = ((user32_addr_t)0);
+               }
+       }
+}
+
+
+static
+void cp_dyn_to_comp_64( struct ipfw_dyn_rule_compat_64 *dyn_rule_vers1, int *len)
+{
+       struct ipfw_dyn_rule_compat_64 *dyn_last=NULL;
+       ipfw_dyn_rule   *p;
+       int i;
+
+       if (ipfw_dyn_v) {
+               for (i = 0; i < curr_dyn_buckets; i++) {
+                       for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next) {
+                               dyn_rule_vers1->chain = (user64_addr_t) p->rule->rulenum;
+                               dyn_rule_vers1->id = p->id;
+                               dyn_rule_vers1->mask = p->id;
+                               dyn_rule_vers1->type = p->dyn_type;
+                               dyn_rule_vers1->expire = p->expire;
+                               dyn_rule_vers1->pcnt = p->pcnt;
+                               dyn_rule_vers1->bcnt = p->bcnt;
+                               dyn_rule_vers1->bucket = p->bucket;
+                               dyn_rule_vers1->state = p->state;
+                               
+                               dyn_rule_vers1->next = CAST_DOWN(user64_addr_t, p->next);
+                               dyn_last = dyn_rule_vers1;
+                               
+                               *len += sizeof(*dyn_rule_vers1);
+                               dyn_rule_vers1++;
+                       }
+               }
+               
+               if (dyn_last != NULL) {
+                       dyn_last->next = CAST_DOWN(user64_addr_t, NULL);
+               }
+       }
+}
+
+static int
+sooptcopyin_fw( struct sockopt *sopt, struct ip_fw *user_ip_fw, size_t *size )
+{
+       size_t  valsize, copyinsize = 0;
+       int     error = 0;
+
+       valsize = sopt->sopt_valsize;   
+       if ( size )
+               copyinsize = *size;
+       if (proc_is64bit(sopt->sopt_p)) {
+               struct ip_fw_64 *fw64=NULL;
+               
+               if ( valsize < sizeof(struct ip_fw_64) ) {
+                       return(EINVAL);
+               }
+               if ( !copyinsize )
+                       copyinsize = sizeof(struct ip_fw_64);
+               if ( valsize > copyinsize )
+                       sopt->sopt_valsize = valsize = copyinsize;
+                       
+               if ( sopt->sopt_p != 0) {
+                       fw64 = _MALLOC(copyinsize, M_TEMP, M_WAITOK);
+                       if ( fw64 == NULL )
+                               return(ENOBUFS);
+                       if ((error = copyin(sopt->sopt_val, fw64, valsize)) != 0){
+                               _FREE(fw64, M_TEMP);
+                               return error;
+                       }
+               }
+               else {
+                       bcopy(CAST_DOWN(caddr_t, sopt->sopt_val), fw64, valsize);
+               }
+               valsize = copyfrom64fw( fw64, user_ip_fw, valsize );
+               _FREE( fw64, M_TEMP);
+       }else {
+               struct ip_fw_32 *fw32=NULL;
+       
+               if ( valsize < sizeof(struct ip_fw_32) ) {
+                       return(EINVAL);
+               }
+               if ( !copyinsize)
+                       copyinsize = sizeof(struct ip_fw_32);
+               if ( valsize > copyinsize)
+                       sopt->sopt_valsize = valsize = copyinsize;
+                       
+               if ( sopt->sopt_p != 0) {
+                       fw32 = _MALLOC(copyinsize, M_TEMP, M_WAITOK);
+                       if ( fw32 == NULL )
+                               return(ENOBUFS);
+                       if ( (error = copyin(sopt->sopt_val, fw32, valsize)) != 0){
+                               _FREE( fw32, M_TEMP);
+                               return( error );
+                       }
+               }
+               else {
+                       bcopy(CAST_DOWN(caddr_t, sopt->sopt_val), fw32, valsize);
+               }
+               valsize = copyfrom32fw( fw32, user_ip_fw, valsize);
+               _FREE( fw32, M_TEMP);
+       }
+       if ( size )
+               *size = valsize;
+       return error;
+}
+
 /*
  * The following checks use two arrays of 8 or 16 bits to store the
  * bits that we want set or clear, respectively. They are in the
 /*
  * The following checks use two arrays of 8 or 16 bits to store the
  * bits that we want set or clear, respectively. They are in the
@@ -467,15 +967,18 @@ iface_match(struct ifnet *ifp, ipfw_insn_if *cmd)
 
                ifnet_lock_shared(ifp);
                TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
 
                ifnet_lock_shared(ifp);
                TAILQ_FOREACH(ia, &ifp->if_addrhead, ifa_link) {
-                       if (ia->ifa_addr == NULL)
-                               continue;
-                       if (ia->ifa_addr->sa_family != AF_INET)
+                       IFA_LOCK(ia);
+                       if (ia->ifa_addr->sa_family != AF_INET) {
+                               IFA_UNLOCK(ia);
                                continue;
                                continue;
+                       }
                        if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
                            (ia->ifa_addr))->sin_addr.s_addr) {
                        if (cmd->p.ip.s_addr == ((struct sockaddr_in *)
                            (ia->ifa_addr))->sin_addr.s_addr) {
+                               IFA_UNLOCK(ia);
                                ifnet_lock_done(ifp);
                                return(1);      /* match */
                        }
                                ifnet_lock_done(ifp);
                                return(1);      /* match */
                        }
+                       IFA_UNLOCK(ia);
                }
                ifnet_lock_done(ifp);
        }
                }
                ifnet_lock_done(ifp);
        }
@@ -515,11 +1018,16 @@ verify_rev_path(struct in_addr src, struct ifnet *ifp)
 
                rtalloc_ign(&ro, RTF_CLONING|RTF_PRCLONING);
        }
 
                rtalloc_ign(&ro, RTF_CLONING|RTF_PRCLONING);
        }
-
-       if ((ro.ro_rt == NULL) || (ifp == NULL) ||
-           (ro.ro_rt->rt_ifp->if_index != ifp->if_index))
-               return 0;
-
+       if (ro.ro_rt != NULL)
+               RT_LOCK_SPIN(ro.ro_rt);
+       else
+               return 0;       /* No route */
+       if ((ifp == NULL) ||
+               (ro.ro_rt->rt_ifp->if_index != ifp->if_index)) {
+                       RT_UNLOCK(ro.ro_rt);
+                       return 0;
+        }
+       RT_UNLOCK(ro.ro_rt);
        return 1;
 }
 
        return 1;
 }
 
@@ -537,7 +1045,7 @@ static void
 ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
        struct mbuf *m, struct ifnet *oif)
 {
 ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh,
        struct mbuf *m, struct ifnet *oif)
 {
-       char *action;
+       const char *action;
        int limit_reached = 0;
        char ipv4str[MAX_IPv4_STR_LEN];
        char action2[40], proto[48], fragment[28];
        int limit_reached = 0;
        char ipv4str[MAX_IPv4_STR_LEN];
        char action2[40], proto[48], fragment[28];
@@ -1205,22 +1713,21 @@ install_state(struct ip_fw *rule, ipfw_insn_limit *cmd,
 }
 
 /*
 }
 
 /*
- * Transmit a TCP packet, containing either a RST or a keepalive.
+ * Generate a TCP packet, containing either a RST or a keepalive.
  * When flags & TH_RST, we are sending a RST packet, because of a
  * "reset" action matched the packet.
  * Otherwise we are sending a keepalive, and flags & TH_
  */
  * When flags & TH_RST, we are sending a RST packet, because of a
  * "reset" action matched the packet.
  * Otherwise we are sending a keepalive, and flags & TH_
  */
-static void
+static struct mbuf *
 send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
 {
        struct mbuf *m;
        struct ip *ip;
        struct tcphdr *tcp;
 send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
 {
        struct mbuf *m;
        struct ip *ip;
        struct tcphdr *tcp;
-       struct route sro;       /* fake route */
 
 
-       MGETHDR(m, M_DONTWAIT, MT_HEADER);
+       MGETHDR(m, M_DONTWAIT, MT_HEADER);      /* MAC-OK */
        if (m == 0)
        if (m == 0)
-               return;
+               return NULL;
        m->m_pkthdr.rcvif = (struct ifnet *)0;
        m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
        m->m_data += max_linkhdr;
        m->m_pkthdr.rcvif = (struct ifnet *)0;
        m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr);
        m->m_data += max_linkhdr;
@@ -1282,19 +1789,16 @@ send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
         */
        ip->ip_ttl = ip_defttl;
        ip->ip_len = m->m_pkthdr.len;
         */
        ip->ip_ttl = ip_defttl;
        ip->ip_len = m->m_pkthdr.len;
-       bzero (&sro, sizeof (sro));
-       ip_rtaddr(ip->ip_dst, &sro);
        m->m_flags |= M_SKIP_FIREWALL;
        m->m_flags |= M_SKIP_FIREWALL;
-       ip_output_list(m, 0, NULL, &sro, 0, NULL);
-       if (sro.ro_rt)
-               RTFREE(sro.ro_rt);
+       
+       return m;
 }
 
 /*
  * sends a reject message, consuming the mbuf passed as an argument.
  */
 static void
 }
 
 /*
  * sends a reject message, consuming the mbuf passed as an argument.
  */
 static void
-send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
+send_reject(struct ip_fw_args *args, int code, int offset, __unused int ip_len)
 {
 
        if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
 {
 
        if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */
@@ -1304,15 +1808,25 @@ send_reject(struct ip_fw_args *args, int code, int offset, int ip_len)
                        ip->ip_len = ntohs(ip->ip_len);
                        ip->ip_off = ntohs(ip->ip_off);
                }
                        ip->ip_len = ntohs(ip->ip_len);
                        ip->ip_off = ntohs(ip->ip_off);
                }
-                args->m->m_flags |= M_SKIP_FIREWALL;
+               args->m->m_flags |= M_SKIP_FIREWALL;
                icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
        } else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
                struct tcphdr *const tcp =
                    L3HDR(struct tcphdr, mtod(args->m, struct ip *));
                if ( (tcp->th_flags & TH_RST) == 0) {
                icmp_error(args->m, ICMP_UNREACH, code, 0L, 0);
        } else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) {
                struct tcphdr *const tcp =
                    L3HDR(struct tcphdr, mtod(args->m, struct ip *));
                if ( (tcp->th_flags & TH_RST) == 0) {
-                       send_pkt(&(args->f_id), ntohl(tcp->th_seq),
+                       struct mbuf *m;
+                       
+                       m = send_pkt(&(args->f_id), ntohl(tcp->th_seq),
                                ntohl(tcp->th_ack),
                                tcp->th_flags | TH_RST);
                                ntohl(tcp->th_ack),
                                tcp->th_flags | TH_RST);
+                       if (m != NULL) {
+                               struct route sro;       /* fake route */
+                               
+                               bzero (&sro, sizeof (sro));
+                               ip_output_list(m, 0, NULL, &sro, 0, NULL, NULL);
+                               if (sro.ro_rt)
+                                       RTFREE(sro.ro_rt);
+                       }
                }
                m_freem(args->m);
        } else
                }
                m_freem(args->m);
        } else
@@ -1459,17 +1973,26 @@ ipfw_chk(struct ip_fw_args *args)
         */
        u_int8_t proto;
        u_int16_t src_port = 0, dst_port = 0;   /* NOTE: host format    */
         */
        u_int8_t proto;
        u_int16_t src_port = 0, dst_port = 0;   /* NOTE: host format    */
-       struct in_addr src_ip, dst_ip;          /* NOTE: network format */
+       struct in_addr src_ip = { 0 } , dst_ip = { 0 };         /* NOTE: network format */
        u_int16_t ip_len=0;
        int pktlen;
        int dyn_dir = MATCH_UNKNOWN;
        ipfw_dyn_rule *q = NULL;
        struct timeval timenow;
 
        u_int16_t ip_len=0;
        int pktlen;
        int dyn_dir = MATCH_UNKNOWN;
        ipfw_dyn_rule *q = NULL;
        struct timeval timenow;
 
-       if (m->m_flags & M_SKIP_FIREWALL) {
+       if (m->m_flags & M_SKIP_FIREWALL || fw_bypass) {
                return 0;       /* accept */
        }
 
                return 0;       /* accept */
        }
 
+       /* 
+        * Clear packet chain if we find one here.
+        */
+       
+       if (m->m_nextpkt != NULL) {
+               m_freem_list(m->m_nextpkt);
+               m->m_nextpkt = NULL;
+       }
+       
        lck_mtx_lock(ipfw_mutex);
 
        getmicrotime(&timenow);
        lck_mtx_lock(ipfw_mutex);
 
        getmicrotime(&timenow);
@@ -1693,7 +2216,7 @@ check_body:
                                            dst_ip, htons(dst_port),
                                            wildcard, NULL);
 
                                            dst_ip, htons(dst_port),
                                            wildcard, NULL);
 
-                               if (pcb == NULL || pcb->inp_socket == NULL)
+                               if (pcb == NULL || pcb->inp_socket == NULL) 
                                        break;
 #if __FreeBSD_version < 500034
 #define socheckuid(a,b)        (kauth_cred_getuid((a)->so_cred) != (b))
                                        break;
 #if __FreeBSD_version < 500034
 #define socheckuid(a,b)        (kauth_cred_getuid((a)->so_cred) != (b))
@@ -1714,6 +2237,8 @@ check_body:
                                                (gid_t)((ipfw_insn_u32 *)cmd)->d[0], &match);
                                }
 #endif
                                                (gid_t)((ipfw_insn_u32 *)cmd)->d[0], &match);
                                }
 #endif
+                               /* release reference on pcb */
+                               in_pcb_checkstate(pcb, WNT_RELEASE, 0);
                                }
 
                        break;
                                }
 
                        break;
@@ -2104,7 +2629,7 @@ check_body:
                                 * if the packet is not ICMP (or is an ICMP
                                 * query), and it is not multicast/broadcast.
                                 */
                                 * if the packet is not ICMP (or is an ICMP
                                 * query), and it is not multicast/broadcast.
                                 */
-                               if (hlen > 0 &&
+                               if (hlen > 0 && offset == 0 &&
                                    (proto != IPPROTO_ICMP ||
                                     is_icmp_query(ip)) &&
                                    !(m->m_flags & (M_BCAST|M_MCAST)) &&
                                    (proto != IPPROTO_ICMP ||
                                     is_icmp_query(ip)) &&
                                    !(m->m_flags & (M_BCAST|M_MCAST)) &&
@@ -2216,7 +2741,6 @@ static int
 add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 {
        struct ip_fw *rule, *f, *prev;
 add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 {
        struct ip_fw *rule, *f, *prev;
-       int s;
        int l = RULESIZE(input_rule);
 
        if (*head == NULL && input_rule->rulenum != IPFW_DEFAULT_RULE)
        int l = RULESIZE(input_rule);
 
        if (*head == NULL && input_rule->rulenum != IPFW_DEFAULT_RULE)
@@ -2284,6 +2808,8 @@ add_rule(struct ip_fw **head, struct ip_fw *input_rule)
 done:
        static_count++;
        static_len += l;
 done:
        static_count++;
        static_len += l;
+       static_len_32 += RULESIZE32(input_rule);
+       static_len_64 += RULESIZE64(input_rule);
        DEB(printf("ipfw: installed rule %d, static count now %d\n",
                rule->rulenum, static_count);)
        return (0);
        DEB(printf("ipfw: installed rule %d, static count now %d\n",
                rule->rulenum, static_count);)
        return (0);
@@ -2312,6 +2838,8 @@ delete_rule(struct ip_fw **head, struct ip_fw *prev, struct ip_fw *rule)
                prev->next = n;
        static_count--;
        static_len -= l;
                prev->next = n;
        static_count--;
        static_len -= l;
+       static_len_32 -= RULESIZE32(rule);
+       static_len_64 -= RULESIZE64(rule);
 
 #if DUMMYNET
        if (DUMMYNET_LOADED)
 
 #if DUMMYNET
        if (DUMMYNET_LOADED)
@@ -2421,6 +2949,8 @@ mark_inactive(struct ip_fw **prev, struct ip_fw **rule)
                (*rule)->reserved_1 = IPFW_RULE_INACTIVE;
                static_count--;
                static_len -= l;
                (*rule)->reserved_1 = IPFW_RULE_INACTIVE;
                static_count--;
                static_len -= l;
+               static_len_32 -= RULESIZE32(*rule);
+               static_len_64 -= RULESIZE64(*rule);
                
                timeout(flush_inactive, *rule, 30*hz); /* 30 sec. */
        }
                
                timeout(flush_inactive, *rule, 30*hz); /* 30 sec. */
        }
@@ -2477,7 +3007,6 @@ static int
 del_entry(struct ip_fw **chain, u_int32_t arg)
 {
        struct ip_fw *prev = NULL, *rule = *chain;
 del_entry(struct ip_fw **chain, u_int32_t arg)
 {
        struct ip_fw *prev = NULL, *rule = *chain;
-       int s;
        u_int16_t rulenum;      /* rule or old_set */
        u_int8_t cmd, new_set;
 
        u_int16_t rulenum;      /* rule or old_set */
        u_int8_t cmd, new_set;
 
@@ -2513,12 +3042,12 @@ del_entry(struct ip_fw **chain, u_int32_t arg)
                 */
                flush_rule_ptrs();
                while (rule->rulenum == rulenum) {
                 */
                flush_rule_ptrs();
                while (rule->rulenum == rulenum) {
-                       ipfw_insn       *cmd = ACTION_PTR(rule);
+                       ipfw_insn       *insn = ACTION_PTR(rule);
                        
                        /* keep forwarding rules around so struct isn't 
                         * deleted while pointer is still in use elsewhere
                         */
                        
                        /* keep forwarding rules around so struct isn't 
                         * deleted while pointer is still in use elsewhere
                         */
-                       if (cmd->opcode == O_FORWARD_IP) {
+                       if (insn->opcode == O_FORWARD_IP) {
                                mark_inactive(&prev, &rule);
                        }
                        else {
                                mark_inactive(&prev, &rule);
                        }
                        else {
@@ -2531,12 +3060,12 @@ del_entry(struct ip_fw **chain, u_int32_t arg)
                flush_rule_ptrs();
                while (rule->rulenum < IPFW_DEFAULT_RULE) {
                        if (rule->set == rulenum) {
                flush_rule_ptrs();
                while (rule->rulenum < IPFW_DEFAULT_RULE) {
                        if (rule->set == rulenum) {
-                               ipfw_insn       *cmd = ACTION_PTR(rule);
+                               ipfw_insn       *insn = ACTION_PTR(rule);
                                
                                /* keep forwarding rules around so struct isn't 
                                 * deleted while pointer is still in use elsewhere
                                 */
                                
                                /* keep forwarding rules around so struct isn't 
                                 * deleted while pointer is still in use elsewhere
                                 */
-                               if (cmd->opcode == O_FORWARD_IP) {
+                               if (insn->opcode == O_FORWARD_IP) {
                                        mark_inactive(&prev, &rule);
                                }
                                else {
                                        mark_inactive(&prev, &rule);
                                }
                                else {
@@ -2599,8 +3128,7 @@ static int
 zero_entry(int rulenum, int log_only)
 {
        struct ip_fw *rule;
 zero_entry(int rulenum, int log_only)
 {
        struct ip_fw *rule;
-       int s;
-       char *msg;
+       const char *msg;
 
        if (rulenum == 0) {
                norule_counter = 0;
 
        if (rulenum == 0) {
                norule_counter = 0;
@@ -2827,6 +3355,22 @@ bad_size:
 }
 
 
 }
 
 
+static void
+ipfw_kev_post_msg(u_int32_t event_code)
+{
+       struct kev_msg          ev_msg;
+
+       bzero(&ev_msg, sizeof(struct kev_msg));
+       
+       ev_msg.vendor_code = KEV_VENDOR_APPLE;
+       ev_msg.kev_class = KEV_FIREWALL_CLASS;
+       ev_msg.kev_subclass = KEV_IPFW_SUBCLASS;
+       ev_msg.event_code = event_code;
+
+       kev_post_msg(&ev_msg);
+
+}
+
 /**
  * {set|get}sockopt parser.
  */
 /**
  * {set|get}sockopt parser.
  */
@@ -2836,9 +3380,11 @@ ipfw_ctl(struct sockopt *sopt)
 #define        RULE_MAXSIZE    (256*sizeof(u_int32_t))
        u_int32_t api_version;
        int command;
 #define        RULE_MAXSIZE    (256*sizeof(u_int32_t))
        u_int32_t api_version;
        int command;
-       int error, s;
+       int error;
        size_t size;
        size_t size;
+       size_t  rulesize = RULE_MAXSIZE;
        struct ip_fw *bp , *buf, *rule;
        struct ip_fw *bp , *buf, *rule;
+       int     is64user = 0;
        
        /* copy of orig sopt to send to ipfw_get_command_and_version() */
        struct sockopt tmp_sopt = *sopt; 
        
        /* copy of orig sopt to send to ipfw_get_command_and_version() */
        struct sockopt tmp_sopt = *sopt; 
@@ -2864,14 +3410,18 @@ ipfw_ctl(struct sockopt *sopt)
 
        /* first get the command and version, then do conversion as necessary */
        error = ipfw_get_command_and_version(&tmp_sopt, &command, &api_version);
 
        /* first get the command and version, then do conversion as necessary */
        error = ipfw_get_command_and_version(&tmp_sopt, &command, &api_version);
-       
        if (error) {
                /* error getting the version */
                return error;
        }
        
        if (error) {
                /* error getting the version */
                return error;
        }
        
+       if (proc_is64bit(sopt->sopt_p))
+               is64user = 1;
+
        switch (command) {
        case IP_FW_GET:
        switch (command) {
        case IP_FW_GET:
+       {
+               size_t  dynrulesize;
                /*
                 * pass up a copy of the current rules. Static rules
                 * come first (the last of which has number IPFW_DEFAULT_RULE),
                /*
                 * pass up a copy of the current rules. Static rules
                 * come first (the last of which has number IPFW_DEFAULT_RULE),
@@ -2879,9 +3429,18 @@ ipfw_ctl(struct sockopt *sopt)
                 * The last dynamic rule has NULL in the "next" field.
                 */
                lck_mtx_lock(ipfw_mutex);
                 * The last dynamic rule has NULL in the "next" field.
                 */
                lck_mtx_lock(ipfw_mutex);
-               size = static_len;      /* size of static rules */
-               if (ipfw_dyn_v)         /* add size of dyn.rules */
-                       size += (dyn_count * sizeof(ipfw_dyn_rule));
+                                               
+               if (is64user){
+                       size = Get64static_len();
+                       dynrulesize = sizeof(ipfw_dyn_rule_64);
+                       if (ipfw_dyn_v)
+                               size += (dyn_count * dynrulesize);
+               }else {
+                       size = Get32static_len();
+                       dynrulesize = sizeof(ipfw_dyn_rule_32);
+                       if (ipfw_dyn_v)
+                               size += (dyn_count * dynrulesize);
+               }
 
                /*
                 * XXX todo: if the user passes a short length just to know
 
                /*
                 * XXX todo: if the user passes a short length just to know
@@ -2899,41 +3458,94 @@ ipfw_ctl(struct sockopt *sopt)
 
                bp = buf;
                for (rule = layer3_chain; rule ; rule = rule->next) {
 
                bp = buf;
                for (rule = layer3_chain; rule ; rule = rule->next) {
-                       int i = RULESIZE(rule);
-                       
+       
                        if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                                continue;
                        }
                        if (rule->reserved_1 == IPFW_RULE_INACTIVE) {
                                continue;
                        }
-                       bcopy(rule, bp, i);
-                       bcopy(&set_disable, &(bp->next_rule),
-                           sizeof(set_disable));
-                       bp = (struct ip_fw *)((char *)bp + i);
+                       
+                       if (is64user){
+                               int rulesize_64;
+
+                               copyto64fw( rule, (struct ip_fw_64 *)bp, size);
+                               bcopy(&set_disable, &(( (struct ip_fw_64*)bp)->next_rule), sizeof(set_disable));
+                               /* do not use macro RULESIZE64 since we want RULESIZE for ip_fw_64 */
+                               rulesize_64 = sizeof(struct ip_fw_64) + ((struct ip_fw_64 *)(bp))->cmd_len * 4 - 4;
+                               bp = (struct ip_fw *)((char *)bp + rulesize_64);
+                       }else{
+                               int rulesize_32;
+
+                               copyto32fw( rule, (struct ip_fw_32*)bp, size);
+                               bcopy(&set_disable, &(( (struct ip_fw_32*)bp)->next_rule), sizeof(set_disable));
+                               /* do not use macro RULESIZE32 since we want RULESIZE for ip_fw_32 */
+                               rulesize_32 = sizeof(struct ip_fw_32) + ((struct ip_fw_32 *)(bp))->cmd_len * 4 - 4;
+                               bp = (struct ip_fw *)((char *)bp + rulesize_32);
+                       }
                }
                if (ipfw_dyn_v) {
                        int i;
                }
                if (ipfw_dyn_v) {
                        int i;
-                       ipfw_dyn_rule *p, *dst, *last = NULL;
-
-                       dst = (ipfw_dyn_rule *)bp;
+                       ipfw_dyn_rule *p;
+                       char *dst, *last = NULL;
+                       
+                       dst = (char *)bp;
                        for (i = 0 ; i < curr_dyn_buckets ; i++ )
                                for ( p = ipfw_dyn_v[i] ; p != NULL ;
                        for (i = 0 ; i < curr_dyn_buckets ; i++ )
                                for ( p = ipfw_dyn_v[i] ; p != NULL ;
-                                   p = p->next, dst++ ) {
-                                       bcopy(p, dst, sizeof *p);
-                                       bcopy(&(p->rule->rulenum), &(dst->rule),
-                                           sizeof(p->rule->rulenum));
-                                       /*
-                                        * store a non-null value in "next".
-                                        * The userland code will interpret a
-                                        * NULL here as a marker
-                                        * for the last dynamic rule.
-                                        */
-                                       bcopy(&dst, &dst->next, sizeof(dst));
-                                       last = dst ;
-                                       dst->expire =
-                                           TIME_LEQ(dst->expire, timenow.tv_sec) ?
-                                               0 : dst->expire - timenow.tv_sec ;
+                                   p = p->next, dst += dynrulesize ) {
+                                       if ( is64user ){
+                                               ipfw_dyn_rule_64        *ipfw_dyn_dst;
+                                               
+                                               ipfw_dyn_dst = (ipfw_dyn_rule_64 *)dst;
+                                               /*
+                                                * store a non-null value in "next".
+                                                * The userland code will interpret a
+                                                * NULL here as a marker
+                                                * for the last dynamic rule.
+                                                */
+                                               ipfw_dyn_dst->next = CAST_DOWN_EXPLICIT(user64_addr_t, dst);
+                                               ipfw_dyn_dst->rule = p->rule->rulenum;
+                                               ipfw_dyn_dst->parent = CAST_DOWN(user64_addr_t, p->parent);
+                                               ipfw_dyn_dst->pcnt = p->pcnt;
+                                               ipfw_dyn_dst->bcnt = p->bcnt;
+                                               ipfw_dyn_dst->id = p->id;
+                                               ipfw_dyn_dst->expire =
+                                                       TIME_LEQ(p->expire, timenow.tv_sec) ?
+                                                       0 : p->expire - timenow.tv_sec;
+                                               ipfw_dyn_dst->bucket = p->bucket;
+                                               ipfw_dyn_dst->state = p->state;
+                                               ipfw_dyn_dst->ack_fwd = p->ack_fwd;
+                                               ipfw_dyn_dst->ack_rev = p->ack_rev;
+                                               ipfw_dyn_dst->dyn_type = p->dyn_type;
+                                               ipfw_dyn_dst->count = p->count;
+                                               last = (char*)&ipfw_dyn_dst->next;
+                                       } else {
+                                               ipfw_dyn_rule_32        *ipfw_dyn_dst;
+                                               
+                                               ipfw_dyn_dst = (ipfw_dyn_rule_32 *)dst;
+                                               /*
+                                                * store a non-null value in "next".
+                                                * The userland code will interpret a
+                                                * NULL here as a marker
+                                                * for the last dynamic rule.
+                                                */
+                                               ipfw_dyn_dst->next = CAST_DOWN_EXPLICIT(user32_addr_t, dst);
+                                               ipfw_dyn_dst->rule = p->rule->rulenum;
+                                               ipfw_dyn_dst->parent = CAST_DOWN_EXPLICIT(user32_addr_t, p->parent);
+                                               ipfw_dyn_dst->pcnt = p->pcnt;
+                                               ipfw_dyn_dst->bcnt = p->bcnt;
+                                               ipfw_dyn_dst->id = p->id;
+                                               ipfw_dyn_dst->expire =
+                                                       TIME_LEQ(p->expire, timenow.tv_sec) ?
+                                                       0 : p->expire - timenow.tv_sec;
+                                               ipfw_dyn_dst->bucket = p->bucket;
+                                               ipfw_dyn_dst->state = p->state;
+                                               ipfw_dyn_dst->ack_fwd = p->ack_fwd;
+                                               ipfw_dyn_dst->ack_rev = p->ack_rev;
+                                               ipfw_dyn_dst->dyn_type = p->dyn_type;
+                                               ipfw_dyn_dst->count = p->count;
+                                               last = (char*)&ipfw_dyn_dst->next;
+                                       }
                                }
                        if (last != NULL) /* mark last dynamic rule */
                                }
                        if (last != NULL) /* mark last dynamic rule */
-                               bzero(&last->next, sizeof(last));
+                               bzero(last, sizeof(last));
                }
                lck_mtx_unlock(ipfw_mutex);
 
                }
                lck_mtx_unlock(ipfw_mutex);
 
@@ -2956,7 +3568,7 @@ ipfw_ctl(struct sockopt *sopt)
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                        int j = RULESIZE(bp);
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                        int j = RULESIZE(bp);
-                                       ipfw_convert_from_latest(bp, rule_vers0, api_version);
+                                       ipfw_convert_from_latest(bp, rule_vers0, api_version, is64user);
                                        bp = (struct ip_fw *)((char *)bp + j);
                                        len += sizeof(*rule_vers0);
                                        rule_vers0++;
                                        bp = (struct ip_fw *)((char *)bp + j);
                                        len += sizeof(*rule_vers0);
                                        rule_vers0++;
@@ -2967,63 +3579,56 @@ ipfw_ctl(struct sockopt *sopt)
                        }
                } else if (api_version == IP_FW_VERSION_1) {
                        int     i, len = 0, buf_size;
                        }
                } else if (api_version == IP_FW_VERSION_1) {
                        int     i, len = 0, buf_size;
-                       struct ip_fw_compat     *buf2, *rule_vers1;
-                       struct ipfw_dyn_rule_compat     *dyn_rule_vers1, *dyn_last = NULL;
-                       ipfw_dyn_rule   *p;
+                       struct ip_fw_compat     *buf2;
+                       size_t  ipfwcompsize;
+                       size_t  ipfwdyncompsize;
+                       char    *rule_vers1;
 
                        lck_mtx_lock(ipfw_mutex);
 
                        lck_mtx_lock(ipfw_mutex);
-                       buf_size = static_count * sizeof(struct ip_fw_compat) +
-                                               dyn_count * sizeof(struct ipfw_dyn_rule_compat);
+                       if ( is64user ){
+                               ipfwcompsize = sizeof(struct ip_fw_compat_64);
+                               ipfwdyncompsize = sizeof(struct ipfw_dyn_rule_compat_64);
+                       } else {
+                               ipfwcompsize = sizeof(struct ip_fw_compat_32);
+                               ipfwdyncompsize = sizeof(struct ipfw_dyn_rule_compat_32);
+                       }
+                               
+                       buf_size = static_count * ipfwcompsize + 
+                                               dyn_count * ipfwdyncompsize;
                                                
                        buf2 = _MALLOC(buf_size, M_TEMP, M_WAITOK);
                        if (buf2 == 0) {
                                lck_mtx_unlock(ipfw_mutex);
                                error = ENOBUFS;
                        }
                                                
                        buf2 = _MALLOC(buf_size, M_TEMP, M_WAITOK);
                        if (buf2 == 0) {
                                lck_mtx_unlock(ipfw_mutex);
                                error = ENOBUFS;
                        }
-                       
                        if (!error) {
                                bp = buf;
                        if (!error) {
                                bp = buf;
-                               rule_vers1 = buf2;
+                               rule_vers1 = (char*)buf2;
                                
                                /* first do static rules */
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
                                
                                /* first do static rules */
                                for (i = 0; i < static_count; i++) {
                                        /* static rules have different sizes */
-                                       int j = RULESIZE(bp);
-                                       ipfw_convert_from_latest(bp, rule_vers1, api_version);
-                                       bp = (struct ip_fw *)((char *)bp + j);
-                                       len += sizeof(*rule_vers1);
-                                       rule_vers1++;
-                               }
-                       
-                               /* now do dynamic rules */
-                               dyn_rule_vers1 = (struct ipfw_dyn_rule_compat *)rule_vers1;
-                               if (ipfw_dyn_v) {
-                                       for (i = 0; i < curr_dyn_buckets; i++) {
-                                               for ( p = ipfw_dyn_v[i] ; p != NULL ; p = p->next) {
-                                                       (int) dyn_rule_vers1->chain = p->rule->rulenum;
-                                                       dyn_rule_vers1->id = p->id;
-                                                       dyn_rule_vers1->mask = p->id;
-                                                       dyn_rule_vers1->type = p->dyn_type;
-                                                       dyn_rule_vers1->expire = p->expire;
-                                                       dyn_rule_vers1->pcnt = p->pcnt;
-                                                       dyn_rule_vers1->bcnt = p->bcnt;
-                                                       dyn_rule_vers1->bucket = p->bucket;
-                                                       dyn_rule_vers1->state = p->state;
-                                                       
-                                                       dyn_rule_vers1->next = dyn_rule_vers1;
-                                                       dyn_last = dyn_rule_vers1;
-                                                       
-                                                       len += sizeof(*dyn_rule_vers1);
-                                                       dyn_rule_vers1++;
-                                               }
-                                       }
-                                       
-                                       if (dyn_last != NULL) {
-                                               dyn_last->next = NULL;
+                                       if ( is64user ){
+                                               int rulesize_64;
+                                               ipfw_convert_from_latest(bp, (void *)rule_vers1, api_version, is64user);
+                                               rulesize_64 = sizeof(struct ip_fw_64) + ((struct ip_fw_64 *)(bp))->cmd_len * 4 - 4;
+                                               bp = (struct ip_fw *)((char *)bp + rulesize_64);
+                                       }else {
+                                               int rulesize_32;
+                                               ipfw_convert_from_latest(bp, (void *)rule_vers1, api_version, is64user);
+                                               rulesize_32 = sizeof(struct ip_fw_32) + ((struct ip_fw_32 *)(bp))->cmd_len * 4 - 4;
+                                               bp = (struct ip_fw *)((char *)bp + rulesize_32);
                                        }
                                        }
+                                       len += ipfwcompsize;
+                                       rule_vers1 += ipfwcompsize;
                                }
                                }
+                               /* now do dynamic rules */
+                               if ( is64user )
+                                       cp_dyn_to_comp_64( (struct ipfw_dyn_rule_compat_64 *)rule_vers1, &len);
+                               else 
+                                       cp_dyn_to_comp_32( (struct ipfw_dyn_rule_compat_32 *)rule_vers1, &len);
+
                                lck_mtx_unlock(ipfw_mutex);
                                lck_mtx_unlock(ipfw_mutex);
-                               
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
                                error = sooptcopyout(sopt, buf2, len);
                                _FREE(buf2, M_TEMP);
                        }
@@ -3033,7 +3638,8 @@ ipfw_ctl(struct sockopt *sopt)
                
                _FREE(buf, M_TEMP);
                break;
                
                _FREE(buf, M_TEMP);
                break;
-
+       }
+       
        case IP_FW_FLUSH:
                /*
                 * Normally we cannot release the lock on each iteration.
        case IP_FW_FLUSH:
                /*
                 * Normally we cannot release the lock on each iteration.
@@ -3050,6 +3656,7 @@ ipfw_ctl(struct sockopt *sopt)
 
                lck_mtx_lock(ipfw_mutex);
                free_chain(&layer3_chain, 0 /* keep default rule */);
 
                lck_mtx_lock(ipfw_mutex);
                free_chain(&layer3_chain, 0 /* keep default rule */);
+               fw_bypass = 1;
 #if DEBUG_INACTIVE_RULES
                        print_chain(&layer3_chain);
 #endif
 #if DEBUG_INACTIVE_RULES
                        print_chain(&layer3_chain);
 #endif
@@ -3057,6 +3664,8 @@ ipfw_ctl(struct sockopt *sopt)
                break;
 
        case IP_FW_ADD:
                break;
 
        case IP_FW_ADD:
+       {
+               size_t savedsopt_valsize=0;
                rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK);
                if (rule == 0) {
                        error = ENOBUFS;
                rule = _MALLOC(RULE_MAXSIZE, M_TEMP, M_WAITOK);
                if (rule == 0) {
                        error = ENOBUFS;
@@ -3066,11 +3675,12 @@ ipfw_ctl(struct sockopt *sopt)
                bzero(rule, RULE_MAXSIZE);
 
                if (api_version != IP_FW_CURRENT_API_VERSION) {
                bzero(rule, RULE_MAXSIZE);
 
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, rule, api_version);
+                       error = ipfw_convert_to_latest(sopt, rule, api_version, is64user);
                }
                else {
                }
                else {
-                       error = sooptcopyin(sopt, rule, RULE_MAXSIZE,
-                               sizeof(struct ip_fw) );
+                       savedsopt_valsize = sopt->sopt_valsize;   /* it might get modified in sooptcopyin_fw */
+                       error = sooptcopyin_fw( sopt, rule, &rulesize); 
+
                }
                
                if (!error) {
                }
                
                if (!error) {
@@ -3079,11 +3689,14 @@ ipfw_ctl(struct sockopt *sopt)
                                 * adjust sopt_valsize to match what would be expected.
                                 */
                                sopt->sopt_valsize = RULESIZE(rule);
                                 * adjust sopt_valsize to match what would be expected.
                                 */
                                sopt->sopt_valsize = RULESIZE(rule);
+                               rulesize = RULESIZE(rule);
                        }
                        }
-                       error = check_ipfw_struct(rule, sopt->sopt_valsize);
+                       error = check_ipfw_struct(rule, rulesize);
                        if (!error) {
                                lck_mtx_lock(ipfw_mutex);
                                error = add_rule(&layer3_chain, rule);
                        if (!error) {
                                lck_mtx_lock(ipfw_mutex);
                                error = add_rule(&layer3_chain, rule);
+                               if (!error && fw_bypass)
+                                       fw_bypass = 0;
                                lck_mtx_unlock(ipfw_mutex);
                                
                                size = RULESIZE(rule);
                                lck_mtx_unlock(ipfw_mutex);
                                
                                size = RULESIZE(rule);
@@ -3092,19 +3705,30 @@ ipfw_ctl(struct sockopt *sopt)
                                        if (api_version == IP_FW_VERSION_0) {
                                                struct ip_old_fw        rule_vers0;
                                                
                                        if (api_version == IP_FW_VERSION_0) {
                                                struct ip_old_fw        rule_vers0;
                                                
-                                               ipfw_convert_from_latest(rule, &rule_vers0, api_version);
+                                               ipfw_convert_from_latest(rule, &rule_vers0, api_version, is64user);
                                                sopt->sopt_valsize = sizeof(struct ip_old_fw);
                                                
                                                error = sooptcopyout(sopt, &rule_vers0, sizeof(struct ip_old_fw));
                                        } else if (api_version == IP_FW_VERSION_1) {
                                                struct ip_fw_compat     rule_vers1;
                                                sopt->sopt_valsize = sizeof(struct ip_old_fw);
                                                
                                                error = sooptcopyout(sopt, &rule_vers0, sizeof(struct ip_old_fw));
                                        } else if (api_version == IP_FW_VERSION_1) {
                                                struct ip_fw_compat     rule_vers1;
-               
-                                               ipfw_convert_from_latest(rule, &rule_vers1, api_version);
+                                               ipfw_convert_from_latest(rule, &rule_vers1, api_version, is64user);
                                                sopt->sopt_valsize = sizeof(struct ip_fw_compat);
                                                
                                                error = sooptcopyout(sopt, &rule_vers1, sizeof(struct ip_fw_compat));
                                        } else {
                                                sopt->sopt_valsize = sizeof(struct ip_fw_compat);
                                                
                                                error = sooptcopyout(sopt, &rule_vers1, sizeof(struct ip_fw_compat));
                                        } else {
-                                               error = sooptcopyout(sopt, rule, size);
+                                               char *userrule;
+                                               userrule = _MALLOC(savedsopt_valsize, M_TEMP, M_WAITOK);
+                                               if ( userrule == NULL )
+                                                       userrule = (char*)rule;
+                                               if (proc_is64bit(sopt->sopt_p)){
+                                                       copyto64fw( rule, (struct ip_fw_64*)userrule, savedsopt_valsize);
+                                               }
+                                               else {
+                                                               copyto32fw( rule, (struct ip_fw_32*)userrule, savedsopt_valsize);
+                                               }
+                                               error = sooptcopyout(sopt, userrule, savedsopt_valsize);
+                                               if ( userrule )
+                                                       _FREE(userrule, M_TEMP);
                                        }
                                }
                        }
                                        }
                                }
                        }
@@ -3112,7 +3736,7 @@ ipfw_ctl(struct sockopt *sopt)
                
                _FREE(rule, M_TEMP);
                break;
                
                _FREE(rule, M_TEMP);
                break;
-
+       }
        case IP_FW_DEL:
        {
                /*
        case IP_FW_DEL:
        {
                /*
@@ -3134,11 +3758,10 @@ ipfw_ctl(struct sockopt *sopt)
                
                bzero(&temp_rule, sizeof(struct ip_fw));
                if (api_version != IP_FW_CURRENT_API_VERSION) {
                
                bzero(&temp_rule, sizeof(struct ip_fw));
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version);
+                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version, is64user);
                }
                else {
                }
                else {
-                       error = sooptcopyin(sopt, &temp_rule, sizeof(struct ip_fw),
-                               sizeof(struct ip_fw) );
+                       error = sooptcopyin_fw(sopt, &temp_rule, 0 );
                }
 
                if (!error) {
                }
 
                if (!error) {
@@ -3171,7 +3794,9 @@ ipfw_ctl(struct sockopt *sopt)
                                        (set_disable | temp_rule.set_masks[0]) & ~temp_rule.set_masks[1] &
                                        ~(1<<RESVD_SET); /* set RESVD_SET always enabled */
                        }
                                        (set_disable | temp_rule.set_masks[0]) & ~temp_rule.set_masks[1] &
                                        ~(1<<RESVD_SET); /* set RESVD_SET always enabled */
                        }
-                                               
+                       
+                       if (!layer3_chain->next)
+                               fw_bypass = 1;
                        lck_mtx_unlock(ipfw_mutex);
                }
                break;
                        lck_mtx_unlock(ipfw_mutex);
                }
                break;
@@ -3182,15 +3807,16 @@ ipfw_ctl(struct sockopt *sopt)
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
                /* there is only a simple rule passed in
                 * (no cmds), so use a temp struct to copy
                 */
-               struct ip_fw    temp_rule = { 0 };
+               struct ip_fw temp_rule;
+               
+               bzero(&temp_rule, sizeof(struct ip_fw));
                
                if (api_version != IP_FW_CURRENT_API_VERSION) {
                
                if (api_version != IP_FW_CURRENT_API_VERSION) {
-                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version);
+                       error = ipfw_convert_to_latest(sopt, &temp_rule, api_version, is64user);
                }
                else {
                        if (sopt->sopt_val != 0) {
                }
                else {
                        if (sopt->sopt_val != 0) {
-                               error = sooptcopyin(sopt, &temp_rule, sizeof(struct ip_fw),
-                                       sizeof(struct ip_fw) );
+                               error = sooptcopyin_fw( sopt, &temp_rule, 0); 
                        }
                }
 
                        }
                }
 
@@ -3206,6 +3832,26 @@ ipfw_ctl(struct sockopt *sopt)
                error = EINVAL;
        }
 
                error = EINVAL;
        }
 
+       if (error != EINVAL) {
+               switch (command) {
+                       case IP_FW_ADD:
+                       case IP_OLD_FW_ADD:
+                               ipfw_kev_post_msg(KEV_IPFW_ADD);
+                               break;
+                       case IP_OLD_FW_DEL:
+                       case IP_FW_DEL:
+                               ipfw_kev_post_msg(KEV_IPFW_DEL);
+                               break;
+                       case IP_FW_FLUSH:
+                       case IP_OLD_FW_FLUSH:
+                               ipfw_kev_post_msg(KEV_IPFW_FLUSH);
+                               break;
+
+                       default:
+                               break;
+               }
+       }
+
        return (error);
 }
 
        return (error);
 }
 
@@ -3223,19 +3869,27 @@ struct ip_fw *ip_fw_default_rule;
  * every dyn_keepalive_period
  */
 static void
  * every dyn_keepalive_period
  */
 static void
-ipfw_tick(void * __unused unused)
+ipfw_tick(__unused void * unused)
 {
 {
+       struct mbuf *m0, *m, *mnext, **mtailp;
        int i;
        int i;
-       int s;
        ipfw_dyn_rule *q;
        struct timeval timenow;
 
        ipfw_dyn_rule *q;
        struct timeval timenow;
 
-
        if (dyn_keepalive == 0 || ipfw_dyn_v == NULL || dyn_count == 0)
                goto done;
 
        getmicrotime(&timenow);
 
        if (dyn_keepalive == 0 || ipfw_dyn_v == NULL || dyn_count == 0)
                goto done;
 
        getmicrotime(&timenow);
 
+       /*
+        * We make a chain of packets to go out here -- not deferring
+        * until after we drop the ipfw lock would result
+        * in a lock order reversal with the normal packet input -> ipfw
+        * call stack.
+        */
+       m0 = NULL;
+       mtailp = &m0;
+       
        lck_mtx_lock(ipfw_mutex);
        for (i = 0 ; i < curr_dyn_buckets ; i++) {
                for (q = ipfw_dyn_v[i] ; q ; q = q->next ) {
        lck_mtx_lock(ipfw_mutex);
        for (i = 0 ; i < curr_dyn_buckets ; i++) {
                for (q = ipfw_dyn_v[i] ; q ; q = q->next ) {
@@ -3251,11 +3905,27 @@ ipfw_tick(void * __unused unused)
                        if (TIME_LEQ(q->expire, timenow.tv_sec))
                                continue;       /* too late, rule expired */
 
                        if (TIME_LEQ(q->expire, timenow.tv_sec))
                                continue;       /* too late, rule expired */
 
-                       send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN);
-                       send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0);
+                       *mtailp = send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN);
+                       if (*mtailp != NULL)
+                               mtailp = &(*mtailp)->m_nextpkt;
+
+                       *mtailp = send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0);
+                       if (*mtailp != NULL)
+                               mtailp = &(*mtailp)->m_nextpkt;
                }
        }
        lck_mtx_unlock(ipfw_mutex);
                }
        }
        lck_mtx_unlock(ipfw_mutex);
+       
+       for (m = mnext = m0; m != NULL; m = mnext) {
+               struct route sro;       /* fake route */
+
+               mnext = m->m_nextpkt;
+               m->m_nextpkt = NULL;
+               bzero (&sro, sizeof (sro));
+               ip_output_list(m, 0, NULL, &sro, 0, NULL, NULL);
+               if (sro.ro_rt)
+                       RTFREE(sro.ro_rt);
+       }
 done:
        timeout(ipfw_tick, NULL, dyn_keepalive_period*hz);
 }
 done:
        timeout(ipfw_tick, NULL, dyn_keepalive_period*hz);
 }
@@ -3298,17 +3968,6 @@ ipfw_init(void)
        }
        else {
                ip_fw_default_rule = layer3_chain;
        }
        else {
                ip_fw_default_rule = layer3_chain;
-#if 0
-               /* Radar 3920649, don't print unncessary messages to the log */
-               printf("ipfw2 initialized, divert %s, "
-                       "rule-based forwarding enabled, default to %s, logging ",
-       #ifdef IPDIVERT
-                       "enabled",
-       #else
-                       "disabled",
-       #endif
-                       default_rule.cmd[0].opcode == O_ACCEPT ? "accept" : "deny");
-#endif
        
        #ifdef IPFIREWALL_VERBOSE
                fw_verbose = 1;
        
        #ifdef IPFIREWALL_VERBOSE
                fw_verbose = 1;
@@ -3316,13 +3975,13 @@ ipfw_init(void)
        #ifdef IPFIREWALL_VERBOSE_LIMIT
                verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
        #endif
        #ifdef IPFIREWALL_VERBOSE_LIMIT
                verbose_limit = IPFIREWALL_VERBOSE_LIMIT;
        #endif
-               if (fw_verbose == 0)
-                       printf("disabled\n");
-               else if (verbose_limit == 0)
-                       printf("unlimited\n");
-               else
-                       printf("limited to %d packets/entry by default\n",
-                               verbose_limit);
+               if (fw_verbose) {
+                       if (!verbose_limit)
+                               printf("ipfw2 verbose logging enabled: unlimited logging by default\n");
+                       else
+                               printf("ipfw2 verbose logging enabled: limited to %d packets/entry by default\n",
+                                       verbose_limit);
+               }
        }
 
        ip_fw_chk_ptr = ipfw_chk;
        }
 
        ip_fw_chk_ptr = ipfw_chk;
@@ -3334,3 +3993,4 @@ ipfw_init(void)
 }
 
 #endif /* IPFW2 */
 }
 
 #endif /* IPFW2 */
+
mirror of XNU