ipfw: migrate ipfw to 32-bit size rule numbers

This changes the ABI due to the changed opcodes and includes the
following:
- rule numbers and named object indexes converted to 32 bits
- all hardcoded maximum rule numbers were replaced with the IPFW_DEFAULT_RULE macro
- now it is possible to grow the maximum number of rules at build time
- several opcodes converted to ipfw_insn_u32 to keep rulenum: O_CALL, O_SKIPTO
- call stack modified to keep u32 rulenum. The behaviour of the O_CALL opcode was changed to avoid possible packet looping. Now when the call stack overflows or mbuf tag allocation fails, a packet will be dropped instead of skipping to the next rule.
- 'return' action now has two modes to specify the return point: 'next-rulenum' and 'next-rule'
- new lookup key added for O_IP_DST_LOOKUP opcode 'lookup rulenum'
- several opcodes converted to keep u32 named object indexes in special structure ipfw_insn_kidx
- tables related opcodes modified to use two structures: ipfw_insn_kidx and ipfw_insn_table
- added ability for table value matching for a specific value type in 'table(name,valtype=value)' opcode
- dynamic states and eaction code converted to use u32 rulenum and named object indexes
- added insntod() and insntoc() macros to cast to specific ipfw instruction type
- default sockopt version was changed to IP_FW3_OPVER=1
- FreeBSD 7-11 rule format support was removed
- added ability to generate special rtsock messages via log opcode
- added IP_FW_SKIPTO_CACHE sockopt to enable/disable skipto cache. It helps to reduce overhead when many rules are modified in batch.
- added ability to keep NAT64LSN states during set swapping

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D46183