A bunch of minor changes to the code (see below) for readability, code size

and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.

BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).

OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.

Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.

keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations

initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.

merge zero_entry() and resetlog_entry(), they use basically the
same code.

clean up and reduce replication of code for removing rules,
both for readability and code size.

introduce a separate lifetime for dynamic UDP rules.

fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)

restructure dynamic rule descriptors

introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).

1 files changed, 19 insertions, 8 deletions

diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 0498172..ba5d36c 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -373,10 +373,17 @@ show_ipfw(struct ip_fw *chain)
 	}
 
 	if (chain->fw_flg & IP_FW_F_KEEP_S) {
-		if (chain->next_rule_ptr)
-		    printf(" keep-state %d", (int)chain->next_rule_ptr);
-		else
-		    printf(" keep-state");
+	    u_long x = (u_long)chain->next_rule_ptr;
+	    u_char type = (x) & 0xff ;
+
+	    switch(type) {
+	    default:
+		printf(" *** unknown type ***");
+		break ;
+	    case DYN_KEEP_STATE:
+		printf(" keep-state");
+		break;
+	    }
 	}
 	/* Direction */
 	if (chain->fw_flg & IP_FW_BRIDGED)
@@ -565,12 +572,16 @@ show_dyn_ipfw(struct ipfw_dyn_rule *d)
 	if (!d->expire && !do_expired)
 		return;
 	
-	printf("%05d %qu %qu (T %d, # %d) ty %d",
+	printf("%05d %qu %qu (T %ds, slot %d)",
 	    (int)(d->chain),
 	    d->pcnt, d->bcnt,
 	    d->expire,
-	    d->bucket,
-	    d->type);
+	    d->bucket);
+	switch (d->dyn_type) {
+	case DYN_KEEP_STATE: /* bidir, no mask */
+	    printf(" <->");
+	    break;
+	}
 
 	if (do_resolv && (pe = getprotobynumber(d->id.proto)) != NULL)
 		printf(" %s,", pe->p_name);
@@ -581,7 +592,7 @@ show_dyn_ipfw(struct ipfw_dyn_rule *d)
 	printf(" %s", inet_ntoa(a));
 	printf(" %d", d->id.src_port);
 	
-	switch (d->type) {
+	switch (d->dyn_type) {
 	default: /* bidir, no mask */
 		printf(" <->");
 		break;