Add "log": to fwadm JSON for cfwlog tag.


1069     }
1070 
1071     // Target IPs and subnets:
1072     return compareAddrs(r1.targets[0], r2.targets[0]);
1073 }
1074 
1075 
1076 /**
1077  * Returns an object containing ipf rule text and enough data to sort on
1078  */
1079 function ipfRuleObj(opts) {
1080     var dir = opts.direction;
1081     var rule = opts.rule;
1082 
1083     var targets = Array.isArray(opts.targets) ?
1084         opts.targets : [ opts.targets ];
1085 
1086     // ipfilter uses /etc/protocols which calls ICMPv6 'ipv6-icmp'
1087     var ipfProto = (rule.protocol === 'icmp6') ? 'ipv6-icmp' : rule.protocol;
1088 










1089     var sortObj = {
1090         action: rule.action,
1091         direction: dir,
1092         priority: rule.priority,
1093         protocol: rule.protocol,
1094         header: util.format('\n# rule=%s, version=%s, %s=%s',
1095             rule.uuid, rule.version, opts.type, opts.value),
1096         v4text: [],
1097         v6text: [],
1098         targets: targets,
1099         protoTargets: rule.protoTargets,
1100         type: opts.type,
1101         uuid: rule.uuid,
1102         value: opts.value,
1103         version: rule.version,
1104         uuidTag: (features.feature[FEATURE_INOUT_UUID] && rule.uuid) ?
1105             sprintf(' set-tag(uuid=%s)', rule.uuid) : ''
1106     };
1107 
1108     if (opts.type === 'wildcard' && opts.value === 'any') {
1109         rule.protoTargets.forEach(function (t) {
1110             var wild = util.format('%s %s quick proto %s from any to any %s',
1111                 rule.action === 'allow' ? 'pass' : 'block',
1112                 dir === 'from' ? 'out' : 'in',
1113                 ipfProto,
1114                 protoTarget(rule, t));
1115             if (rule.protocol !== 'icmp6')
1116                 sortObj.v4text.push(wild);
1117             if (rule.protocol !== 'icmp')
1118                 sortObj.v6text.push(wild);
1119         });
1120 
1121         return sortObj;
1122     }
1123 
1124     targets.forEach(function (target) {
1125         var isv6 = target.indexOf(':') !== -1;


1246 
1247                 conf[uuid] = conf[uuid].concat(otherSideRules);
1248             });
1249         });
1250     });
1251 
1252     var toReturn = [];
1253     for (var vm in conf) {
1254         var rulesIncluded = {};
1255         var ipf4Conf = [
1256             '# DO NOT EDIT THIS FILE. THIS FILE IS AUTO-GENERATED BY fwadm(1M)',
1257             '# AND MAY BE OVERWRITTEN AT ANY TIME.',
1258             '#',
1259             '# File generated at ' + date.toString(),
1260             '#',
1261             ''];
1262         var ipf6Conf = ipf4Conf.slice();
1263         var iks = hasKey(keepInboundState, vm) ? keepInboundState[vm] : {};
1264 
1265         conf[vm].sort(compareRules).forEach(function (sortObj) {
1266             assert.string(sortObj.uuidTag, 'sortObj.uuidTag');
1267             var ktxt = KEEP_FRAGS;
1268             if (sortObj.uuidTag !== ''
1269                 || (sortObj.direction === 'from' && sortObj.action === 'allow')
1270                 || (sortObj.direction === 'to' && iks[sortObj.protocol])) {
1271                 ktxt += KEEP_STATE + sortObj.uuidTag;
1272             }
1273 
1274             if (!hasKey(rulesIncluded, sortObj.uuid)) {
1275                 rulesIncluded[sortObj.uuid] = [];
1276             }
1277             rulesIncluded[sortObj.uuid].push(sortObj.direction);
1278 
1279             ipf4Conf.push(sortObj.header);
1280             ipf6Conf.push(sortObj.header);
1281 
1282             sortObj.v4text.forEach(function (line) {
1283                 ipf4Conf.push(line + ktxt);
1284             });
1285             sortObj.v6text.forEach(function (line) {
1286                 ipf6Conf.push(line + ktxt);
1287             });
1288         });
1289 
1290         log.debug(rulesIncluded, 'VM %s: generated ipf(6).conf', vm);
1291 




1069     }
1070 
1071     // Target IPs and subnets:
1072     return compareAddrs(r1.targets[0], r2.targets[0]);
1073 }
1074 
1075 
1076 /**
1077  * Returns an object containing ipf rule text and enough data to sort on
1078  */
1079 function ipfRuleObj(opts) {
1080     var dir = opts.direction;
1081     var rule = opts.rule;
1082 
1083     var targets = Array.isArray(opts.targets) ?
1084         opts.targets : [ opts.targets ];
1085 
1086     // ipfilter uses /etc/protocols which calls ICMPv6 'ipv6-icmp'
1087     var ipfProto = (rule.protocol === 'icmp6') ? 'ipv6-icmp' : rule.protocol;
1088 
1089     var readtags = [];
1090     if (features.feature[FEATURE_INOUT_UUID]) {
1091         if (rule.uuid) {
1092             readtags.push(util.format('uuid=%s', rule.uuid));
1093         }
1094         if (rule.log) {
1095             readtags.push('cfwlog');
1096         }
1097     }
1098 
1099     var sortObj = {
1100         action: rule.action,
1101         direction: dir,
1102         priority: rule.priority,
1103         protocol: rule.protocol,
1104         header: util.format('\n# rule=%s, version=%s, %s=%s',
1105             rule.uuid, rule.version, opts.type, opts.value),
1106         v4text: [],
1107         v6text: [],
1108         targets: targets,
1109         protoTargets: rule.protoTargets,
1110         type: opts.type,
1111         uuid: rule.uuid,
1112         value: opts.value,
1113         version: rule.version,
1114         allTags: readtags.length !== 0 ?
1115             util.format(' set-tag(%s)', readtags.join(', ')) : ''
1116     };
1117 
1118     if (opts.type === 'wildcard' && opts.value === 'any') {
1119         rule.protoTargets.forEach(function (t) {
1120             var wild = util.format('%s %s quick proto %s from any to any %s',
1121                 rule.action === 'allow' ? 'pass' : 'block',
1122                 dir === 'from' ? 'out' : 'in',
1123                 ipfProto,
1124                 protoTarget(rule, t));
1125             if (rule.protocol !== 'icmp6')
1126                 sortObj.v4text.push(wild);
1127             if (rule.protocol !== 'icmp')
1128                 sortObj.v6text.push(wild);
1129         });
1130 
1131         return sortObj;
1132     }
1133 
1134     targets.forEach(function (target) {
1135         var isv6 = target.indexOf(':') !== -1;


1256 
1257                 conf[uuid] = conf[uuid].concat(otherSideRules);
1258             });
1259         });
1260     });
1261 
1262     var toReturn = [];
1263     for (var vm in conf) {
1264         var rulesIncluded = {};
1265         var ipf4Conf = [
1266             '# DO NOT EDIT THIS FILE. THIS FILE IS AUTO-GENERATED BY fwadm(1M)',
1267             '# AND MAY BE OVERWRITTEN AT ANY TIME.',
1268             '#',
1269             '# File generated at ' + date.toString(),
1270             '#',
1271             ''];
1272         var ipf6Conf = ipf4Conf.slice();
1273         var iks = hasKey(keepInboundState, vm) ? keepInboundState[vm] : {};
1274 
1275         conf[vm].sort(compareRules).forEach(function (sortObj) {
1276             assert.string(sortObj.allTags, 'sortObj.allTags');
1277             var ktxt = KEEP_FRAGS;
1278             if (sortObj.allTags !== ''
1279                 || (sortObj.direction === 'from' && sortObj.action === 'allow')
1280                 || (sortObj.direction === 'to' && iks[sortObj.protocol])) {
1281                 ktxt += KEEP_STATE + sortObj.allTags;
1282             }
1283 
1284             if (!hasKey(rulesIncluded, sortObj.uuid)) {
1285                 rulesIncluded[sortObj.uuid] = [];
1286             }
1287             rulesIncluded[sortObj.uuid].push(sortObj.direction);
1288 
1289             ipf4Conf.push(sortObj.header);
1290             ipf6Conf.push(sortObj.header);
1291 
1292             sortObj.v4text.forEach(function (line) {
1293                 ipf4Conf.push(line + ktxt);
1294             });
1295             sortObj.v6text.forEach(function (line) {
1296                 ipf6Conf.push(line + ktxt);
1297             });
1298         });
1299 
1300         log.debug(rulesIncluded, 'VM %s: generated ipf(6).conf', vm);
1301
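Review bot: The new `if (rule.log)` in ipfRuleObj (new-side line 1094) treats any truthy value as a request to log, so a rule JSON carrying `"log": "false"` or `"log": "no"` would still emit the cfwlog tag; unless the fwrule parser already coerces `log` to a boolean (not visible here), `if (rule.log === true)` would keep the generated ipf config faithful to an explicit boolean. The readtags block also deserves a why-comment, since gating the cfwlog tag on FEATURE_INOUT_UUID is not obvious from that flag's name — something like `// set-tag() is only emitted when the platform's ipf supports it (FEATURE_INOUT_UUID); cfwlog shares that gate` is what I would add if that reading is right. The rename uuidTag → allTags in the conf-generation hunk (new-side lines 1276–1281) is consistent with this, but it now keys KEEP_STATE on any tag, so a rule with log set and no uuid would also keep state, which looks intended but is worth confirming. Both ipfRuleObj and the conf-generation function continue outside these hunks.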