* Issue warning while requesting ruleset with new tables via legacy binary.

Convert each unresolved table as table 65535 (which cannot be used normally).
* Perform s/^ipfw_// for add_table_entry, del_table_entry and flush_table since
  these are internal functions exported to keep legacy interface.
* Remove macro TABLE_SET. Operations with tables can be done in any set, the only
  thing net.inet.ip.fw.tables_sets affects is the set in which tables are looked
  up while binding them to the rule.

sys/netpfil/ipfw/ip_fw_sockopt.c

@@ -974,9 +974,11 @@ ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space)
 	char *bp = buf;
 	char *ep = bp + space;
 	struct ip_fw *rule, *dst;
-	int error, i, l;
+	int error, i, l, warnflag;
 	time_t	boot_seconds;
 
+	warnflag = 0;
+
         boot_seconds = boottime.tv_sec;
 	for (i = 0; i < chain->n_rules; i++) {
 		rule = chain->map[i];
@@ -1032,11 +1034,19 @@ ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space)
 		bp += l;
 
 		if (error != 0) {
+			if (error == 2) {
+				/* Non-fatal table rewrite error. */
+				warnflag = 1;
+				continue;
+			}
 			printf("Stop on rule %d. Fail to convert table\n",
 			    rule->rulenum);
 			break;
 		}
 	}
+	if (warnflag != 0)
+		printf("ipfw: process %s is using legacy interfaces,"
+		    " consider rebuilding\n", "");
 	ipfw_get_dynamic(chain, &bp, ep); /* protected by the dynamic lock */
 	return (bp - (char *)buf);
 }
@@ -1740,8 +1750,8 @@ ipfw_ctl(struct sockopt *sopt)
 			ti.type = IPFW_TABLE_CIDR;
 
 			error = (opt == IP_FW_TABLE_ADD) ?
-			    ipfw_add_table_entry(chain, &ti, &tei) :
-			    ipfw_del_table_entry(chain, &ti, &tei);
+			    add_table_entry(chain, &ti, &tei) :
+			    del_table_entry(chain, &ti, &tei);
 		}
 		break;
 
@@ -1757,7 +1767,7 @@ ipfw_ctl(struct sockopt *sopt)
 				break;
 			memset(&ti, 0, sizeof(ti));
 			ti.uidx = tbl;
-			error = ipfw_flush_table(chain, &ti);
+			error = flush_table(chain, &ti);
 		}
 		break;
 

sys/netpfil/ipfw/ip_fw_table.c

@@ -115,7 +115,6 @@ static int ipfw_modify_table_v1(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
     struct sockopt_data *sd);
 
 static int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
-static int flush_table(struct ip_fw_chain *ch, struct tid_info *ti);
 
 static struct table_algo *find_table_algo(struct tables_config *tableconf,
     struct tid_info *ti, char *name);
@@ -127,7 +126,7 @@ static struct table_algo *find_table_algo(struct tables_config *tableconf,
 
 
 int
-ipfw_add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
+add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
     struct tentry_info *tei)
 {
 	struct table_config *tc, *tc_new;
@@ -250,7 +249,7 @@ ipfw_add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
 }
 
 int
-ipfw_del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
+del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
     struct tentry_info *tei)
 {
 	struct table_config *tc;
@@ -362,8 +361,8 @@ ipfw_modify_table_v0(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	ti.type = xent->type;
 
 	error = (op3->opcode == IP_FW_TABLE_XADD) ?
-	    ipfw_add_table_entry(ch, &ti, &tei) :
-	    ipfw_del_table_entry(ch, &ti, &tei);
+	    add_table_entry(ch, &ti, &tei) :
+	    del_table_entry(ch, &ti, &tei);
 
 	return (error);
 }
@@ -422,8 +421,8 @@ ipfw_modify_table_v1(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	ti.tlen = oh->ntlv.head.length;
 
 	error = (oh->opheader.opcode == IP_FW_TABLE_XADD) ?
-	    ipfw_add_table_entry(ch, &ti, &tei) :
-	    ipfw_del_table_entry(ch, &ti, &tei);
+	    add_table_entry(ch, &ti, &tei) :
+	    del_table_entry(ch, &ti, &tei);
 
 	return (error);
 }
@@ -442,9 +441,9 @@ ipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	oh = (struct _ipfw_obj_header *)op3;
 	objheader_to_ti(oh, &ti);
 
-	if (opt == IP_FW_TABLE_XDESTROY)
+	if (op3->opcode == IP_FW_TABLE_XDESTROY)
 		error = destroy_table(ch, &ti);
-	else if (opt == IP_FW_TABLE_XFLUSH)
+	else if (op3->opcode == IP_FW_TABLE_XFLUSH)
 		error = flush_table(ch, &ti);
 	else
 		return (ENOTSUP);
@@ -459,7 +458,7 @@ ipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
  *
  * Returns 0 on success
  */
-static int
+int
 flush_table(struct ip_fw_chain *ch, struct tid_info *ti)
 {
 	struct namedobj_instance *ni;
@@ -1000,8 +999,6 @@ ipfw_create_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	}
 
 	objheader_to_ti(oh, &ti);
-	/* Create table in set 0 by default */
-	ti->set = TABLE_SET(ti->set);
 	ti.type = i->type;
 
 	ni = CHAIN_TO_NI(ch);
@@ -1739,18 +1736,16 @@ bind_table_rule(struct ip_fw_chain *ch, struct ip_fw *rule,
 int
 ipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule)
 {
-	int cmdlen, l;
+	int cmdlen, error, l;
 	ipfw_insn *cmd;
-	uint32_t set;
-	uint16_t kidx;
+	uint16_t kidx, uidx;
 	uint8_t type;
 	struct named_object *no;
 	struct namedobj_instance *ni;
 
 	ni = CHAIN_TO_NI(chain);
+	error = 0;
 
-	set = TABLE_SET(rule->set);
-	
 	l = rule->cmd_len;
 	cmd = rule->cmd;
 	cmdlen = 0;
@@ -1763,13 +1758,22 @@ ipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule)
 		if ((no = ipfw_objhash_lookup_kidx(ni, kidx)) == NULL)
 			return (1);
 
-		if (no->compat == 0)
-			return (2);
+		uidx = no->uidx;
+		if (no->compat == 0) {
 
-		update_table_opcode(cmd, no->uidx);
+			/*
+			 * We are called via legacy opcode.
+			 * Save error and show table as fake number
+			 * not to make ipfw(8) hang.
+			 */
+			uidx = 65535;
+			error = 2;
+		}
+
+		update_table_opcode(cmd, uidx);
 	}
 
-	return (0);
+	return (error);
 }
 
 /*
@@ -1853,7 +1857,12 @@ ipfw_rewrite_table_uidx(struct ip_fw_chain *chain,
 	ftype = 0;
 
 	memset(&ti, 0, sizeof(ti));
-	ti.set = TABLE_SET(ci->krule->set);
+
+	/*
+	 * Use default set for looking up tables (old way) or
+	 * use set rule is assigned to (new way).
+	 */
+	ti.set = (V_fw_tables_sets != 0) ? ci->krule->set : 0;
 	if (ci->ctlv != NULL) {
 		ti.tlvs = (void *)(ci->ctlv + 1);
 		ti.tlen = ci->ctlv->head.length - sizeof(ipfw_obj_ctlv);
@@ -2039,14 +2048,11 @@ ipfw_unbind_table_rule(struct ip_fw_chain *chain, struct ip_fw *rule)
 	ipfw_insn *cmd;
 	struct namedobj_instance *ni;
 	struct named_object *no;
-	uint32_t set;
 	uint16_t kidx;
 	uint8_t type;
 
 	ni = CHAIN_TO_NI(chain);
 
-	set = TABLE_SET(rule->set);
-
 	l = rule->cmd_len;
 	cmd = rule->cmd;
 	cmdlen = 0;

sys/netpfil/ipfw/ip_fw_table.h

@@ -116,13 +116,15 @@ int ipfw_create_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
     struct sockopt_data *sd);
 int ipfw_modify_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
     struct sockopt_data *sd);
-int ipfw_add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
+/* Exported to support legacy opcodes */
+int add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
     struct tentry_info *tei);
-int ipfw_del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
+int del_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
     struct tentry_info *tei);
+int flush_table(struct ip_fw_chain *ch, struct tid_info *ti);
 
-int ipfw_destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
-int ipfw_flush_table(struct ip_fw_chain *ch, struct tid_info *ti);
+int ipfw_flush_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
+    struct sockopt_data *sd);
 int ipfw_rewrite_table_uidx(struct ip_fw_chain *chain,
     struct rule_check_info *ci);
 int ipfw_rewrite_table_kidx(struct ip_fw_chain *chain, struct ip_fw *rule);