Make the sorting of IPFW rules an option. You don't want it to sort them.

>>>WARNING<<<  you may have to revisit your firewall setup.

sys/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.235 1996/01/30 22:53:44 mpp Exp $
+#	$Id: LINT,v 1.236 1996/02/02 06:55:33 pst Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -193,6 +193,8 @@ options		HDLC			#X.25 link layer for serial lines
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
+# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
+# don't want that, it's only there to be backward compatible.
 # IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
@@ -202,6 +204,7 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
+options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
 options		IPACCT			#ipaccounting
 options		TCPDEBUG
 

sys/i386/conf/LINT

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.235 1996/01/30 22:53:44 mpp Exp $
+#	$Id: LINT,v 1.236 1996/02/02 06:55:33 pst Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -193,6 +193,8 @@ options		HDLC			#X.25 link layer for serial lines
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
+# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
+# don't want that, it's only there to be backward compatible.
 # IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
@@ -202,6 +204,7 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
+options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
 options		IPACCT			#ipaccounting
 options		TCPDEBUG
 

sys/i386/conf/NOTES

@@ -2,7 +2,7 @@
 # LINT -- config file for checking all the sources, tries to pull in
 #	as much of the source tree as it can.
 #
-#	$Id: LINT,v 1.235 1996/01/30 22:53:44 mpp Exp $
+#	$Id: LINT,v 1.236 1996/02/02 06:55:33 pst Exp $
 #
 # NB: You probably don't want to try running a kernel built from this
 # file.  Instead, you should start from GENERIC, and add options from
@@ -193,6 +193,8 @@ options		HDLC			#X.25 link layer for serial lines
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE does
 # the obvious thing.
+# IPFIREWALL_ORDER_RULES makes the ipfw code sort the rules.  You
+# don't want that, it's only there to be backward compatible.
 # IPACCT enables IP accounting.
 #
 # TCPDEBUG is undocumented.
@@ -202,6 +204,7 @@ options		MROUTING		# Multicast routing
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about
 					# dropped packets
+options		IPFIREWALL_ORDER_RULES	# bogusly sort rules.
 options		IPACCT			#ipaccounting
 options		TCPDEBUG
 

sys/netinet/ip_fw.c

@@ -11,7 +11,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- *	$Id: ip_fw.c,v 1.26 1995/11/14 20:34:10 phk Exp $
+ *	$Id: ip_fw.c,v 1.27 1995/12/02 19:37:59 bde Exp $
  */
 
 /*
@@ -643,6 +643,7 @@ add_entry(chainptr, frwl)
 	} else {
 		chtmp_prev = NULL;
 		for (chtmp = *chainptr; chtmp != NULL; chtmp = chtmp->fw_next) {
+#ifdef IPFIREWALL_ORDER_RULES
 
 			addb4 = 0;
 
@@ -777,6 +778,7 @@ add_entry(chainptr, frwl)
 				splx(s);
 				return 0;
 			}
+#endif /* IPFIREWALL_ORDER_RULES */
 			chtmp_prev = chtmp;
 		}
 		if (chtmp_prev != NULL)