* Fix displaying dynamic rules for large rulesets.

* Clean up some comments.

sys/netinet/ip_fw.h

@@ -72,8 +72,7 @@ typedef struct _ip_fw3_opheader {
 	uint16_t reserved[2];	/* Align to 64-bit boundary */
 } ip_fw3_opheader;
 
-
+/* IP_FW3 opcodes */
-/* IPFW extented tables support */
 #define	IP_FW_TABLE_XADD	86	/* add entry */
 #define	IP_FW_TABLE_XDEL	87	/* delete entry */
 #define	IP_FW_TABLE_XGETSIZE	88	/* get table size (deprecated) */
@@ -98,32 +97,6 @@ typedef struct _ip_fw3_opheader {
 #define	IP_FW_TABLES_ALIST	108	/* list table algorithms */
 #define	IP_FW_TABLE_XSWAP	109	/* swap two tables */
 
-/*
- * Usage guidelines:
- *
- * IP_FW_TABLE_XLIST(ver 1): Dumps all table data
- *   Request(getsockopt): [ ipfw_obj_lheader ], size = ipfw_xtable_info.size
- *   Reply: [ ipfw_obj_lheader ipfw_xtable_info ipfw_table_xentry x N ]
- *
- * IP_FW_TABLE_XDESTROY: Destroys given table
- *   Request(setsockopt): [ ipfw_obj_header ]
- *
- * IP_FW_TABLES_XGETSIZE: Get buffer size needed to list info for all tables.
- *   Request(getsockopt): [ empty ], size = sizeof(ipfw_obj_lheader)
- *   Reply: [ ipfw_obj_lheader ]
- *
- * IP_FW_TABLES_XLIST: Lists all tables currently available in kernel.
- *   Request(getsockopt): [ ipfw_obj_lheader ], size = ipfw_obj_lheader.size
- *   Reply: [ ipfw_obj_lheader ipfw_xtable_info x N ]
- *
- * IP_FW_TABLE_XINFO: Store table info to buffer.
- *   Request(getsockopt): [ ipfw_obj_header ipfw_xtable_info(empty)]
- *   Reply: [ ipfw_obj_header ipfw_xtable_info ]
- *
- * IP_FW_TABLE_XFLUSH: Removes all data from given table leaving type etc..
- *   Request(setsockopt): [ ipfw_obj_header ]
- */
-
 /*
  * The kernel representation of ipfw rules is made of a list of
  * 'instructions' (for all practical purposes equivalent to BPF

sys/netpfil/ipfw/ip_fw_sockopt.c

@@ -1927,7 +1927,8 @@ dump_config(struct ip_fw_chain *chain, struct sockopt_data *sd)
 {
 	ipfw_cfg_lheader *hdr;
 	struct ip_fw *rule;
-	uint32_t sz, rnum;
+	size_t sz, rnum;
+	uint32_t hdr_flags;
 	int error, i;
 	struct dump_args da;
 	uint32_t *bmask;
@@ -1987,27 +1988,33 @@ dump_config(struct ip_fw_chain *chain, struct sockopt_data *sd)
 		sz += ipfw_dyn_get_count() * sizeof(ipfw_obj_dyntlv) +
 		     sizeof(ipfw_obj_ctlv);
 
-	/* Fill header anyway */
+
+	/*
+	 * Fill header anyway.
+	 * Note we have to save header fields to stable storage
+	 * buffer inside @sd can be flushed after dumping rules
+	 */
 	hdr->size = sz;
 	hdr->set_mask = ~V_set_disable;
+	hdr_flags = hdr->flags;
+	hdr = NULL;
 
 	if (sd->valsize < sz) {
-		IPFW_UH_RUNLOCK(chain);
+		error = ENOMEM;
-		return (ENOMEM);
+		goto cleanup;
 	}
 
 	/* STAGE2: Store actual data */
-	if (hdr->flags & IPFW_CFG_GET_STATIC) {
+	if (hdr_flags & IPFW_CFG_GET_STATIC) {
 		error = dump_static_rules(chain, &da, bmask, sd);
-		if (error != 0) {
+		if (error != 0)
-			IPFW_UH_RUNLOCK(chain);
+			goto cleanup;
-			return (error);
-		}
 	}
 
-	if (hdr->flags & IPFW_CFG_GET_STATES)
+	if (hdr_flags & IPFW_CFG_GET_STATES)
 		error = ipfw_dump_states(chain, sd);
 
+cleanup:
 	IPFW_UH_RUNLOCK(chain);
 
 	if (bmask != NULL)

sys/netpfil/ipfw/ip_fw_table.c

@@ -107,7 +107,6 @@ static int create_table_internal(struct ip_fw_chain *ch, struct tid_info *ti,
     struct table_algo **pta, uint16_t *pkidx, int ref);
 static void link_table(struct ip_fw_chain *ch, struct table_config *tc);
 static void unlink_table(struct ip_fw_chain *ch, struct table_config *tc);
-static void free_table_state(void **state, void **xstate, uint8_t type);
 static int export_tables(struct ip_fw_chain *ch, ipfw_obj_lheader *olh,
     struct sockopt_data *sd);
 static void export_table_info(struct ip_fw_chain *ch, struct table_config *tc,