From: "Andrey V. Elsukov"
Date: Sun, 14 Aug 2016 16:32:23 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r304084 - in releng/11.0: sbin/ipfw sys/netinet sys/netpfil/ipfw

Author: ae
Date: Sun Aug 14 16:32:23 2016
New Revision: 304084
URL: https://svnweb.freebsd.org/changeset/base/304084

Log:
  Merge from stable/11 r304079:

  Restore "nat global" support.

  Now zero value of arg1 used to specify "tablearg", use the old "tablearg"
  value for "nat global". Introduce new macro IP_FW_NAT44_GLOBAL to replace
  hardcoded magic number to specify "nat global". Also replace 65535 magic
  number with corresponding macro. Fix typo in comments.

  PR: 211256
  Approved by: re (kib)

Modified:
  releng/11.0/sbin/ipfw/ipfw2.c
  releng/11.0/sys/netinet/ip_fw.h
  releng/11.0/sys/netpfil/ipfw/ip_fw2.c
  releng/11.0/sys/netpfil/ipfw/ip_fw_sockopt.c
Directory Properties:
  releng/11.0/ (props changed)

Modified: releng/11.0/sbin/ipfw/ipfw2.c ============================================================================== --- releng/11.0/sbin/ipfw/ipfw2.c Sun Aug 14 15:52:00 2016 (r304083) +++ releng/11.0/sbin/ipfw/ipfw2.c Sun Aug 14 16:32:23 2016 (r304084) @@ -1575,7 +1575,7 @@ show_static_rule(struct cmdline_opts *co break; case O_NAT: - if (cmd->arg1 != 0) + if (cmd->arg1 != IP_FW_NAT44_GLOBAL) bprint_uint_arg(bp, "nat ", cmd->arg1); else bprintf(bp, "nat global"); 
@@ -3733,7 +3733,7 @@ compile_rule(char *av[], uint32_t *rbuf, action->len = F_INSN_SIZE(ipfw_insn_nat); CHECK_ACTLEN; if (*av != NULL && _substrcmp(*av, "global") == 0) { - action->arg1 = 0; + action->arg1 = IP_FW_NAT44_GLOBAL; av++; break; } else Modified: releng/11.0/sys/netinet/ip_fw.h ============================================================================== --- releng/11.0/sys/netinet/ip_fw.h Sun Aug 14 15:52:00 2016 (r304083) +++ releng/11.0/sys/netinet/ip_fw.h Sun Aug 14 16:32:23 2016 (r304084) @@ -60,6 +60,7 @@ #define IPFW_ARG_MAX 65534 #define IP_FW_TABLEARG 65535 /* Compat value for old clients */ #define IP_FW_TARG 0 /* Current tablearg value */ +#define IP_FW_NAT44_GLOBAL 65535 /* arg1 value for "nat global" */ /* * Number of entries in the call stack of the call/return commands. Modified: releng/11.0/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- releng/11.0/sys/netpfil/ipfw/ip_fw2.c Sun Aug 14 15:52:00 2016 (r304083) +++ releng/11.0/sys/netpfil/ipfw/ip_fw2.c Sun Aug 14 16:32:23 2016 (r304084) @@ -2489,7 +2489,7 @@ do { \ set_match(args, f_pos, chain); /* Check if this is 'global' nat rule */ - if (cmd->arg1 == 0) { + if (cmd->arg1 == IP_FW_NAT44_GLOBAL) { retval = ipfw_nat_ptr(args, NULL, m); break; } Modified: releng/11.0/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- releng/11.0/sys/netpfil/ipfw/ip_fw_sockopt.c Sun Aug 14 15:52:00 2016 (r304083) +++ releng/11.0/sys/netpfil/ipfw/ip_fw_sockopt.c Sun Aug 14 16:32:23 2016 (r304084) 
@@ -524,9 +524,11 @@ import_rule0(struct rule_check_info *ci) /* * Alter opcodes: - * 1) convert tablearg value from 65335 to 0 - * 2) Add high bit to O_SETFIB/O_SETDSCP values (to make room for targ). + * 1) convert tablearg value from 65535 to 0 + * 2) Add high bit to O_SETFIB/O_SETDSCP values (to make room + * for targ). * 3) convert table number in iface opcodes to u16 + * 4) convert old `nat global` into new 65535 */ l = krule->cmd_len; cmd = krule->cmd; @@ -548,19 +550,21 @@ import_rule0(struct rule_check_info *ci) case O_NETGRAPH: case O_NGTEE: case O_NAT: - if (cmd->arg1 == 65535) + if (cmd->arg1 == IP_FW_TABLEARG) cmd->arg1 = IP_FW_TARG; + else if (cmd->arg1 == 0) + cmd->arg1 = IP_FW_NAT44_GLOBAL; break; case O_SETFIB: case O_SETDSCP: - if (cmd->arg1 == 65535) + if (cmd->arg1 == IP_FW_TABLEARG) cmd->arg1 = IP_FW_TARG; else cmd->arg1 |= 0x8000; break; case O_LIMIT: lcmd = (ipfw_insn_limit *)cmd; - if (lcmd->conn_limit == 65535) + if (lcmd->conn_limit == IP_FW_TABLEARG) lcmd->conn_limit = IP_FW_TARG; break; /* Interface tables */ @@ -606,7 +610,7 @@ export_rule0(struct ip_fw *krule, struct /* * Alter opcodes: - * 1) convert tablearg value from 0 to 65335 + * 1) convert tablearg value from 0 to 65535 * 2) Remove highest bit from O_SETFIB/O_SETDSCP values. * 3) convert table number in iface opcodes to int */ @@ -631,19 +635,21 @@ export_rule0(struct ip_fw *krule, struct case O_NGTEE: case O_NAT: if (cmd->arg1 == IP_FW_TARG) - cmd->arg1 = 65535; + cmd->arg1 = IP_FW_TABLEARG; + else if (cmd->arg1 == IP_FW_NAT44_GLOBAL) + cmd->arg1 = 0; break; case O_SETFIB: case O_SETDSCP: if (cmd->arg1 == IP_FW_TARG) - cmd->arg1 = 65535; + cmd->arg1 = IP_FW_TABLEARG; else cmd->arg1 &= ~0x8000; break; case O_LIMIT: lcmd = (ipfw_insn_limit *)cmd; if (lcmd->conn_limit == IP_FW_TARG) - lcmd->conn_limit = 65535; + lcmd->conn_limit = IP_FW_TABLEARG; break; /* Interface tables */ case O_XMIT:
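
Review bot: In the sys/netinet/ip_fw.h hunk, IP_FW_NAT44_GLOBAL is defined as 65535, the same value as IP_FW_TABLEARG two lines above it, and the header does not say the overlap is deliberate. The one-line comment should state that 65535 means tablearg only in the old-client rule format and "nat global" only in the current format, and that the value lies outside IPFW_ARG_MAX (65534), so a later reader does not treat the two macros as interchangeable or "deduplicate" them.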
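
Review bot: In the import_rule0() code hunk (-548,19), the new `else if (cmd->arg1 == 0)` branch sits under the shared case labels O_NETGRAPH, O_NGTEE and O_NAT, so an old-format rule carrying arg1 of 0 on any opcode in that group is rewritten to IP_FW_NAT44_GLOBAL, not only "nat global" as item 4 of the comment describes. If 0 can never be a valid arg1 for the other opcodes, say so in the comment; otherwise give O_NAT its own case, or test `cmd->opcode == O_NAT` before converting, so the translation of rules from old clients cannot change the argument of an unrelated action.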
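
Review bot: The export_rule0() comment hunk (-606,7) only corrects the 65335 typo and does not gain the fourth item that the import_rule0() comment received, although the code hunk that follows adds `else if (cmd->arg1 == IP_FW_NAT44_GLOBAL)` with `cmd->arg1 = 0;`. Add a matching item for converting "nat global" from 65535 back to 0 so the two comments stay symmetric with the code. Note also that this reverse branch is under the same shared O_NGTEE/O_NAT labels, so the opcode-scoping question raised for import_rule0() applies here as well.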