Two main changes here:

 + implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week

1 files changed, 2 insertions, 2 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index bd09521..012a3c4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -143,7 +143,7 @@ ip_output(m0, opt, ro, flags, imo)
 #ifdef IPFIREWALL_FORWARD
 	int fwd_rewrite_src = 0;
 #endif
-	struct ip_fw_chain *rule = NULL;
+	struct ip_fw *rule = NULL;
   
 #ifdef IPDIVERT
 	/* Get and reset firewall cookie */
@@ -165,7 +165,7 @@ ip_output(m0, opt, ro, flags, imo)
              * processing was already done, and we need to go down.
              * Get parameters from the header.
              */
-            rule = (struct ip_fw_chain *)(m->m_data) ;
+            rule = (struct ip_fw *)(m->m_data) ;
 	    opt = NULL ;
 	    ro = & ( ((struct dn_pkt *)m)->ro ) ;
 	    imo = NULL ;