Instead of using a heuristic to decide whether to display

table 'values' as IP addresses, use an explicit argument (-i).
This is a 'POLA' issue. This is a low risk change and should be MFC'd
to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3.
(not sure about 6.2).

Fix suggested by: Eugene Grosbein
PR: 	120720
MFC After: 3 days

2 files changed, 14 insertions, 6 deletions

diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 67ed262..0ea3b7a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -218,6 +218,11 @@ Do not ask for confirmation for commands that can cause problems
 if misused,
 .No i.e. Cm flush .
 If there is no tty associated with the process, this is implied.
+.It Fl i
+While listing a table (see the
+.Sx LOOKUP TABLES
+section below for more information on lookup tables), format values
+as IP addresses. By default, values are shown as integers.
 .It Fl n
 Only check syntax of the command strings, without actually passing
 them to the kernel.
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index f5b3ae9..1366ab2 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -66,6 +66,7 @@
 #include <alias.h>
 
 int
+		do_value_as_ip,		/* show table value as IP */
 		do_resolv,		/* Would try to resolve all */
 		do_time,		/* Show time stamps */
 		do_quiet,		/* Be quiet in add and flush */
@@ -5898,22 +5899,20 @@ table_handler(int ac, char *av[])
 		if (do_cmd(IP_FW_TABLE_LIST, tbl, (uintptr_t)&l) < 0)
 			err(EX_OSERR, "getsockopt(IP_FW_TABLE_LIST)");
 		for (a = 0; a < tbl->cnt; a++) {
-			/* Heuristic to print it the right way */
-			/* values < 64k are printed as numbers */
 			unsigned int tval;
 			tval = tbl->ent[a].value;
-			if (tval > 0xffff) {
+			if (do_value_as_ip) {
 			    char tbuf[128];
 			    strncpy(tbuf, inet_ntoa(*(struct in_addr *)
 				&tbl->ent[a].addr), 127);
-			    /* inet_ntoa expects host order */
+			    /* inet_ntoa expects network order */
 			    tval = htonl(tval);
 			    printf("%s/%u %s\n", tbuf, tbl->ent[a].masklen,
 			        inet_ntoa(*(struct in_addr *)&tval));
 			} else {
 			    printf("%s/%u %u\n",
 			        inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr),
-			        tbl->ent[a].masklen, tbl->ent[a].value);
+			        tbl->ent[a].masklen, tval);
 			}
 		}
 	} else
@@ -6096,7 +6095,7 @@ ipfw_main(int oldac, char **oldav)
 	save_av = av;
 
 	optind = optreset = 0;
-	while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
+	while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1)
 		switch (ch) {
 		case 'a':
 			do_acct = 1;
@@ -6128,6 +6127,10 @@ ipfw_main(int oldac, char **oldav)
 			help();
 			break;	/* NOTREACHED */
 
+		case 'i':
+			do_value_as_ip = 1;
+			break;
+
 		case 'n':
 			test_only = 1;
 			break;