diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 9d95ec46a47e..c70aaa2912d4 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -2859,7 +2859,7 @@ ipfw_add(int ac, char *av[]) if (have_tag) errx(EX_USAGE, "tag and untag cannot be " "specified more than once"); - GET_UINT_ARG(tag, 1, IPFW_DEFAULT_RULE - 1, i, + GET_UINT_ARG(tag, IPFW_ARG_MIN, IPFW_ARG_MAX, i, rule_action_params); have_tag = cmd; fill_cmd(cmd, O_TAG, (i == TOK_TAG) ? 0: F_NOT, tag); @@ -3336,7 +3336,7 @@ ipfw_add(int ac, char *av[]) if (c->limit_mask == 0) errx(EX_USAGE, "limit: missing limit mask"); - GET_UINT_ARG(c->conn_limit, 1, IPFW_DEFAULT_RULE - 1, + GET_UINT_ARG(c->conn_limit, IPFW_ARG_MIN, IPFW_ARG_MAX, TOK_LIMIT, rule_options); ac--; av++; @@ -3464,7 +3464,7 @@ ipfw_add(int ac, char *av[]) else { uint16_t tag; - GET_UINT_ARG(tag, 1, IPFW_DEFAULT_RULE - 1, + GET_UINT_ARG(tag, IPFW_ARG_MIN, IPFW_ARG_MAX, TOK_TAGGED, rule_options); fill_cmd(cmd, O_TAGGED, 0, tag); } diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index a137ceee2867..5602e9e85339 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa + * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -42,6 +42,20 @@ */ #define IPFW_TABLES_MAX 128 +/* + * Most commands (queue, pipe, tag, untag, limit...) can have a 16-bit + * argument between 1 and 65534. The value 0 is unused, the value + * 65535 (IP_FW_TABLEARG) is used to represent 'tablearg', i.e. the + * can be 1..65534, or 65535 to indicate the use of a 'tablearg' + * result of the most recent table() lookup. + * Note that 16bit is only a historical limit, resulting from + * the use of a 16-bit fields for that value. In reality, we can have + * 2^32 pipes, queues, tag values and so on, and use 0 as a tablearg. + */ +#define IPFW_ARG_MIN 1 +#define IPFW_ARG_MAX 65534 +#define IP_FW_TABLEARG 65535 /* XXX should use 0 */ + /* * The kernel representation of ipfw rules is made of a list of * 'instructions' (for all practical purposes equivalent to BPF @@ -239,8 +253,6 @@ typedef struct _ipfw_insn { /* template for instructions */ */ #define F_INSN_SIZE(t) ((sizeof (t))/sizeof(u_int32_t)) -#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ - /* * This is used to store an array of 16-bit entries (ports etc.) */ @@ -558,13 +570,13 @@ typedef struct _ipfw_table { ipfw_table_entry ent[0]; /* entries */ } ipfw_table; -#define IP_FW_TABLEARG 65535 - /* * Main firewall chains definitions and global var's definitions. */ #ifdef _KERNEL +#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ + /* Return values from ipfw_chk() */ enum { IP_FW_PASS = 0,