o Clean up interface between ip_fw_chk() and its callers:

- ip_fw_chk() returns action as function return value. Field retval is
  removed from args structure. Action is not flag any more. It is one
  of integer constants.
- Any action-specific cookies are returned either in new "cookie" field
  in args structure (dummynet, future netgraph glue), or in mbuf tag
  attached to packet (divert, tee, some future action).

o Convert parsing of return value from ip_fw_chk() in ipfw_check_{in,out}()
  to a switch structure, so that the functions are more readable, and a future
  actions can be added with less modifications.

Approved by:	andre
MFC after:	2 months

1 files changed, 12 insertions, 4 deletions

diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index e73d701..de92951 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -417,9 +417,17 @@ typedef struct	_ipfw_table {
  */
 #ifdef _KERNEL
 
-#define	IP_FW_PORT_DYNT_FLAG		0x00010000
-#define	IP_FW_PORT_TEE_FLAG		0x00020000
-#define	IP_FW_PORT_DENY_FLAG		0x00040000
+/* Return values from ipfw_chk() */
+enum {
+	IP_FW_PASS = 0,
+	IP_FW_DENY,
+	IP_FW_DIVERT,
+	IP_FW_TEE,
+	IP_FW_DUMMYNET,
+	IP_FW_NETGRAPH,
+};
+
+/* flags for divert mtag */
 #define	IP_FW_DIVERT_LOOPBACK_FLAG	0x00080000
 #define	IP_FW_DIVERT_OUTPUT_FLAG	0x00100000
 
@@ -438,7 +446,7 @@ struct ip_fw_args {
 	int flags;			/* for dummynet			*/
 
 	struct ipfw_flow_id f_id;	/* grabbed from IP header	*/
-	u_int32_t	retval;
+	u_int32_t	cookie;		/* a cookie depending on rule action */
 	struct inpcb	*inp;
 };