(command.CommandList
  children: [
    (command.Simple
      blame_tok: <sysctl>
      more_env: []
      words: [{<sysctl>} {<security.mac.portacl>}]
      redirects: [
        (Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})
        (Redir op:<Id.Redir_GreatAnd '2>&'> loc:(redir_loc.Fd fd:2) arg:{<1>})
      ]
      do_fork: T
    )
    (command.If
      if_kw: <Id.KW_If if>
      arms: [
        (IfArm
          keyword: <Id.KW_If if>
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (command.Simple
                      blame_tok: <Id.Lit_LBracket '['>
                      more_env: []
                      words: [
                        {<Id.Lit_LBracket '['>}
                        {($ Id.VSub_QMark '?')}
                        {<-ne>}
                        {<0>}
                        {<Id.Lit_RBracket ']'>}
                      ]
                      redirects: []
                      do_fork: T
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          then_kw: <Id.KW_Then then>
          action: [
            (command.Simple
              blame_tok: <echo>
              more_env: []
              words: [{<echo>} {(DQ <'1..0 # SKIP MAC_PORTACL is unavailable.'>)}]
              redirects: []
              do_fork: T
            )
            (command.ControlFlow keyword:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [17 30]
        )
      ]
      else_action: []
      fi_kw: <Id.KW_Fi fi>
      redirects: []
    )
    (command.If
      if_kw: <Id.KW_If if>
      arms: [
        (IfArm
          keyword: <Id.KW_If if>
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (command.Simple
                      blame_tok: <Id.Lit_LBracket '['>
                      more_env: []
                      words: [
                        {<Id.Lit_LBracket '['>}
                        {
                          (CommandSub
                            left_token: <Id.Left_DollarParen '$('>
                            child: 
                              (command.Simple
                                blame_tok: <id>
                                more_env: []
                                words: [{<id>} {<-u>}]
                                redirects: []
                                do_fork: T
                              )
                            right: <Id.Eof_RParen _>
                          )
                        }
                        {<-ne>}
                        {<0>}
                        {<Id.Lit_RBracket ']'>}
                      ]
                      redirects: []
                      do_fork: T
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          then_kw: <Id.KW_Then then>
          action: [
            (command.Simple
              blame_tok: <echo>
              more_env: []
              words: [{<echo>} {(DQ <'1..0 # SKIP testcases must be run as root'>)}]
              redirects: []
              do_fork: T
            )
            (command.ControlFlow keyword:<Id.ControlFlow_Exit exit> arg_word:{<0>})
          ]
          spids: [46 63]
        )
      ]
      else_action: []
      fi_kw: <Id.KW_Fi fi>
      redirects: []
    )
    (command.ShAssignment
      left: <Id.Lit_VarLike 'ntest='>
      pairs: [
        (AssignPair
          left: <Id.Lit_VarLike 'ntest='>
          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'ntest='> name:ntest)
          op: assign_op.Equal
          rhs: {<1>}
        )
      ]
      redirects: []
    )
    (command.ShFunction
      name_tok: <check_bind>
      name: check_bind
      body: 
        (BraceGroup
          left: <Id.Lit_LBrace '{'>
          children: [
            (command.Simple
              blame_tok: <local>
              more_env: []
              words: [{<local>} {<host>} {<idtype>} {<name>} {<proto>} {<port>} {<udpflag>}]
              redirects: []
              do_fork: T
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'host='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'host='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'host='> name:host)
                  op: assign_op.Equal
                  rhs: {(DQ <127.0.0.1>)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'idtype='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'idtype='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'idtype='> name:idtype)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 1)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'name='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'name='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'name='> name:name)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 2)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'proto='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'proto='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'proto='> name:proto)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 3)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'port='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'port='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'port='> name:port)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 4)}
                )
              ]
              redirects: []
            )
            (command.AndOr
              children: [
                (command.Simple
                  blame_tok: <Id.Lit_LBracket '['>
                  more_env: []
                  words: [
                    {<Id.Lit_LBracket '['>}
                    {(DQ (${ Id.VSub_Name proto))}
                    {<Id.Lit_Equals '='>}
                    {(DQ <udp>)}
                    {<Id.Lit_RBracket ']'>}
                  ]
                  redirects: []
                  do_fork: T
                )
                (command.ShAssignment
                  left: <Id.Lit_VarLike 'udpflag='>
                  pairs: [
                    (AssignPair
                      left: <Id.Lit_VarLike 'udpflag='>
                      lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'udpflag='> name:udpflag)
                      op: assign_op.Equal
                      rhs: {(DQ <-u>)}
                    )
                  ]
                  redirects: []
                )
              ]
              ops: [<Id.Op_DAmp _>]
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'out='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'out='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'out='> name:out)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (CommandSub
                        left_token: <Id.Left_DollarParen '$('>
                        child: 
                          (command.CommandList
                            children: [
                              (command.Case
                                case_kw: <Id.KW_Case case>
                                to_match: (case_arg.Word w:{(DQ (${ Id.VSub_Name idtype))})
                                arms_start: <Id.KW_In in>
                                arms: [
                                  (CaseArm
                                    left: <uid>
                                    pattern: (pat.Words words:[{<uid>} {<gid>}])
                                    middle: <Id.Right_CasePat _>
                                    action: [
                                      (command.Sentence
                                        child: 
                                          (command.Subshell
                                            left: <Id.Op_LParen _>
                                            child: 
                                              (command.Pipeline
                                                children: [
                                                  (command.Simple
                                                    blame_tok: <echo>
                                                    more_env: []
                                                    words: [{<echo>} {<-n>}]
                                                    redirects: []
                                                    do_fork: T
                                                  )
                                                  (command.Simple
                                                    blame_tok: <su>
                                                    more_env: []
                                                    words: [
                                                      {<su>}
                                                      {<-m>}
                                                      {(${ Id.VSub_Name name)}
                                                      {<-c>}
                                                      {
                                                        (DQ <'nc '> (${ Id.VSub_Name udpflag) 
                                                          <' -l -w 10 '> ($ Id.VSub_DollarName host) <' '> ($ Id.VSub_DollarName port)
                                                        )
                                                      }
                                                    ]
                                                    redirects: [
                                                      (Redir
                                                        op: <Id.Redir_GreatAnd '2>&'>
                                                        loc: (redir_loc.Fd fd:2)
                                                        arg: {<1>}
                                                      )
                                                    ]
                                                    do_fork: T
                                                  )
                                                ]
                                                ops: [<Id.Op_Pipe _>]
                                              )
                                            right: <Id.Right_Subshell _>
                                            redirects: []
                                          )
                                        terminator: <Id.Op_Amp _>
                                      )
                                    ]
                                    right: <Id.Op_DSemi _>
                                  )
                                  (CaseArm
                                    left: <jail>
                                    pattern: (pat.Words words:[{<jail>}])
                                    middle: <Id.Right_CasePat _>
                                    action: [
                                      (command.Simple
                                        blame_tok: <kill>
                                        more_env: []
                                        words: [{<kill>} {($ Id.VSub_Dollar '$')}]
                                        redirects: []
                                        do_fork: T
                                      )
                                    ]
                                    right: <Id.Op_DSemi _>
                                  )
                                  (CaseArm
                                    left: <Id.Lit_Star '*'>
                                    pattern: (pat.Words words:[{<Id.Lit_Star '*'>}])
                                    middle: <Id.Right_CasePat _>
                                    action: [
                                      (command.Simple
                                        blame_tok: <kill>
                                        more_env: []
                                        words: [{<kill>} {($ Id.VSub_Dollar '$')}]
                                        redirects: []
                                        do_fork: T
                                      )
                                    ]
                                  )
                                ]
                                arms_end: <Id.KW_Esac esac>
                                redirects: []
                              )
                              (command.Simple
                                blame_tok: <sleep>
                                more_env: []
                                words: [{<sleep>} {<0.3>}]
                                redirects: []
                                do_fork: T
                              )
                              (command.Pipeline
                                children: [
                                  (command.Simple
                                    blame_tok: <echo>
                                    more_env: []
                                    words: [{<echo>}]
                                    redirects: []
                                    do_fork: T
                                  )
                                  (command.Simple
                                    blame_tok: <nc>
                                    more_env: []
                                    words: [
                                      {<nc>}
                                      {(${ Id.VSub_Name udpflag)}
                                      {<-w>}
                                      {<10>}
                                      {($ Id.VSub_DollarName host)}
                                      {($ Id.VSub_DollarName port)}
                                    ]
                                    redirects: [
                                      (Redir
                                        op: <Id.Redir_Great '>'>
                                        loc: (redir_loc.Fd fd:1)
                                        arg: {<'/dev/null'>}
                                      )
                                      (Redir
                                        op: <Id.Redir_GreatAnd '2>&'>
                                        loc: (redir_loc.Fd fd:2)
                                        arg: {<1>}
                                      )
                                    ]
                                    do_fork: T
                                  )
                                ]
                                ops: [<Id.Op_Pipe _>]
                              )
                              (command.Simple
                                blame_tok: <wait>
                                more_env: []
                                words: [{<wait>}]
                                redirects: []
                                do_fork: T
                              )
                            ]
                          )
                        right: <Id.Eof_RParen _>
                      )
                    }
                )
              ]
              redirects: []
            )
            (command.Case
              case_kw: <Id.KW_Case case>
              to_match: (case_arg.Word w:{(DQ (${ Id.VSub_Name out))})
              arms_start: <Id.KW_In in>
              arms: [
                (CaseArm
                  left: <Id.Left_DoubleQuote '"'>
                  pattern: 
                    (pat.Words
                      words: [
                        {(DQ <'nc: Permission denied'>) <Id.Lit_Star '*'>}
                        {(DQ <'nc: Operation not permitted'>) <Id.Lit_Star '*'>}
                      ]
                    )
                  middle: <Id.Right_CasePat _>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [{<echo>} {<fl>}]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  right: <Id.Op_DSemi _>
                )
                (CaseArm
                  left: <Id.Left_DoubleQuote '"'>
                  pattern: (pat.Words words:[{(DQ )}])
                  middle: <Id.Right_CasePat _>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [{<echo>} {<ok>}]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  right: <Id.Op_DSemi _>
                )
                (CaseArm
                  left: <Id.Lit_Star '*'>
                  pattern: (pat.Words words:[{<Id.Lit_Star '*'>}])
                  middle: <Id.Right_CasePat _>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [{<echo>} {(${ Id.VSub_Name out)}]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  right: <Id.Op_DSemi _>
                )
              ]
              arms_end: <Id.KW_Esac esac>
              redirects: []
            )
          ]
          redirects: []
          right: <Id.Lit_RBrace '}'>
        )
    )
    (command.ShFunction
      name_tok: <bind_test>
      name: bind_test
      body: 
        (BraceGroup
          left: <Id.Lit_LBrace '{'>
          children: [
            (command.Simple
              blame_tok: <local>
              more_env: []
              words: [
                {<local>}
                {<expect_without_rule>}
                {<expect_with_rule>}
                {<idtype>}
                {<name>}
                {<proto>}
                {<port>}
              ]
              redirects: []
              do_fork: T
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'expect_without_rule='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'expect_without_rule='>
                  lhs: 
                    (sh_lhs_expr.Name
                      left: <Id.Lit_VarLike 'expect_without_rule='>
                      name: expect_without_rule
                    )
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 1)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'expect_with_rule='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'expect_with_rule='>
                  lhs: 
                    (sh_lhs_expr.Name
                      left: <Id.Lit_VarLike 'expect_with_rule='>
                      name: expect_with_rule
                    )
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 2)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'idtype='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'idtype='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'idtype='> name:idtype)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 3)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'name='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'name='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'name='> name:name)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 4)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'proto='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'proto='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'proto='> name:proto)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 5)}
                )
              ]
              redirects: []
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'port='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'port='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'port='> name:port)
                  op: assign_op.Equal
                  rhs: {(${ Id.VSub_Number 6)}
                )
              ]
              redirects: []
            )
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [{<sysctl>} {<security.mac.portacl.rules> <Id.Lit_Equals '='>}]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'out='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'out='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'out='> name:out)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (CommandSub
                        left_token: <Id.Left_DollarParen '$('>
                        child: 
                          (command.Simple
                            blame_tok: <check_bind>
                            more_env: []
                            words: [
                              {<check_bind>}
                              {(${ Id.VSub_Name idtype)}
                              {(${ Id.VSub_Name name)}
                              {(${ Id.VSub_Name proto)}
                              {(${ Id.VSub_Name port)}
                            ]
                            redirects: []
                            do_fork: T
                          )
                        right: <Id.Eof_RParen _>
                      )
                    }
                )
              ]
              redirects: []
            )
            (command.If
              if_kw: <Id.KW_If if>
              arms: [
                (IfArm
                  keyword: <Id.KW_If if>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ (${ Id.VSub_Name expect_without_rule))}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [{<echo>} {(DQ <'ok '> (${ Id.VSub_Name ntest))}]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  spids: [439 460]
                )
                (IfArm
                  keyword: <Id.KW_Elif elif>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <ok>)}
                                {<-o>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <fl>)}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [
                        {<echo>}
                        {
                          (DQ <'not ok '> (${ Id.VSub_Name ntest) <' # \''> (${ Id.VSub_Name out) 
                            <'\' != \''> (${ Id.VSub_Name expect_without_rule) <'\''>
                          )
                        }
                      ]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  spids: [473 506]
                )
              ]
              else_kw: <Id.KW_Else else>
              else_action: [
                (command.Simple
                  blame_tok: <echo>
                  more_env: []
                  words: [
                    {<echo>}
                    {
                      (DQ <'not ok '> (${ Id.VSub_Name ntest) <' # unexpected output: \''> 
                        (${ Id.VSub_Name out) <'\''>
                      )
                    }
                  ]
                  redirects: []
                  do_fork: T
                )
              ]
              fi_kw: <Id.KW_Fi fi>
              redirects: []
            )
            (command.Simple
              blame_tok: <Id.Lit_Colon ':'>
              more_env: []
              words: [
                {<Id.Lit_Colon ':'>}
                {
                  (word_part.ArithSub
                    left: <Id.Left_DollarDParen '$(('>
                    anode: 
                      (arith_expr.BinaryAssign
                        op_id: Id.Arith_PlusEqual
                        left: ($ Id.Lit_ArithVarLike ntest)
                        right: {<Id.Lit_Digits 1>}
                      )
                    right: <Id.Right_DollarDParen _>
                  )
                }
              ]
              redirects: []
              do_fork: T
            )
            (command.If
              if_kw: <Id.KW_If if>
              arms: [
                (IfArm
                  keyword: <Id.KW_If if>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name idtype))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <uid>)}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.ShAssignment
                      left: <Id.Lit_VarLike 'idstr='>
                      pairs: [
                        (AssignPair
                          left: <Id.Lit_VarLike 'idstr='>
                          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'idstr='> name:idstr)
                          op: assign_op.Equal
                          rhs: 
                            {
                              (CommandSub
                                left_token: <Id.Left_DollarParen '$('>
                                child: 
                                  (command.Simple
                                    blame_tok: <id>
                                    more_env: []
                                    words: [{<id>} {<-u>} {(${ Id.VSub_Name name)}]
                                    redirects: []
                                    do_fork: T
                                  )
                                right: <Id.Eof_RParen _>
                              )
                            }
                        )
                      ]
                      redirects: []
                    )
                  ]
                  spids: [564 583]
                )
                (IfArm
                  keyword: <Id.KW_Elif elif>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name idtype))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <gid>)}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.ShAssignment
                      left: <Id.Lit_VarLike 'idstr='>
                      pairs: [
                        (AssignPair
                          left: <Id.Lit_VarLike 'idstr='>
                          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'idstr='> name:idstr)
                          op: assign_op.Equal
                          rhs: 
                            {
                              (CommandSub
                                left_token: <Id.Left_DollarParen '$('>
                                child: 
                                  (command.Simple
                                    blame_tok: <id>
                                    more_env: []
                                    words: [{<id>} {<-g>} {(${ Id.VSub_Name name)}]
                                    redirects: []
                                    do_fork: T
                                  )
                                right: <Id.Eof_RParen _>
                              )
                            }
                        )
                      ]
                      redirects: []
                    )
                  ]
                  spids: [598 617]
                )
              ]
              else_kw: <Id.KW_Else else>
              else_action: [
                (command.ShAssignment
                  left: <Id.Lit_VarLike 'idstr='>
                  pairs: [
                    (AssignPair
                      left: <Id.Lit_VarLike 'idstr='>
                      lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'idstr='> name:idstr)
                      op: assign_op.Equal
                      rhs: {(${ Id.VSub_Name name)}
                    )
                  ]
                  redirects: []
                )
              ]
              fi_kw: <Id.KW_Fi fi>
              redirects: []
            )
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [
                {<sysctl>}
                {<security.mac.portacl.rules> <Id.Lit_Equals '='> (${ Id.VSub_Name idtype) 
                  <Id.Lit_Colon ':'> (${ Id.VSub_Name idstr) <Id.Lit_Colon ':'> (${ Id.VSub_Name proto) <Id.Lit_Colon ':'> 
                  (${ Id.VSub_Name port)
                }
              ]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
            (command.ShAssignment
              left: <Id.Lit_VarLike 'out='>
              pairs: [
                (AssignPair
                  left: <Id.Lit_VarLike 'out='>
                  lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'out='> name:out)
                  op: assign_op.Equal
                  rhs: 
                    {
                      (CommandSub
                        left_token: <Id.Left_DollarParen '$('>
                        child: 
                          (command.Simple
                            blame_tok: <check_bind>
                            more_env: []
                            words: [
                              {<check_bind>}
                              {(${ Id.VSub_Name idtype)}
                              {(${ Id.VSub_Name name)}
                              {(${ Id.VSub_Name proto)}
                              {(${ Id.VSub_Name port)}
                            ]
                            redirects: []
                            do_fork: T
                          )
                        right: <Id.Eof_RParen _>
                      )
                    }
                )
              ]
              redirects: []
            )
            (command.If
              if_kw: <Id.KW_If if>
              arms: [
                (IfArm
                  keyword: <Id.KW_If if>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ (${ Id.VSub_Name expect_with_rule))}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [{<echo>} {(DQ <'ok '> (${ Id.VSub_Name ntest))}]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  spids: [690 711]
                )
                (IfArm
                  keyword: <Id.KW_Elif elif>
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.Simple
                              blame_tok: <Id.Lit_LBracket '['>
                              more_env: []
                              words: [
                                {<Id.Lit_LBracket '['>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <ok>)}
                                {<-o>}
                                {(DQ (${ Id.VSub_Name out))}
                                {<Id.Lit_Equals '='>}
                                {(DQ <fl>)}
                                {<Id.Lit_RBracket ']'>}
                              ]
                              redirects: []
                              do_fork: T
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  then_kw: <Id.KW_Then then>
                  action: [
                    (command.Simple
                      blame_tok: <echo>
                      more_env: []
                      words: [
                        {<echo>}
                        {
                          (DQ <'not ok '> (${ Id.VSub_Name ntest) <' # \''> (${ Id.VSub_Name out) 
                            <'\' != \''> (${ Id.VSub_Name expect_with_rule) <'\''>
                          )
                        }
                      ]
                      redirects: []
                      do_fork: T
                    )
                  ]
                  spids: [724 757]
                )
              ]
              else_kw: <Id.KW_Else else>
              else_action: [
                (command.Simple
                  blame_tok: <echo>
                  more_env: []
                  words: [
                    {<echo>}
                    {
                      (DQ <'not ok '> (${ Id.VSub_Name ntest) <' # unexpected output: \''> 
                        (${ Id.VSub_Name out) <'\''>
                      )
                    }
                  ]
                  redirects: []
                  do_fork: T
                )
              ]
              fi_kw: <Id.KW_Fi fi>
              redirects: []
            )
            (command.Simple
              blame_tok: <Id.Lit_Colon ':'>
              more_env: []
              words: [
                {<Id.Lit_Colon ':'>}
                {
                  (word_part.ArithSub
                    left: <Id.Left_DollarDParen '$(('>
                    anode: 
                      (arith_expr.BinaryAssign
                        op_id: Id.Arith_PlusEqual
                        left: ($ Id.Lit_ArithVarLike ntest)
                        right: {<Id.Lit_Digits 1>}
                      )
                    right: <Id.Right_DollarDParen _>
                  )
                }
              ]
              redirects: []
              do_fork: T
            )
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [{<sysctl>} {<security.mac.portacl.rules> <Id.Lit_Equals '='>}]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
          ]
          redirects: []
          right: <Id.Lit_RBrace '}'>
        )
    )
    (command.ShAssignment
      left: <Id.Lit_VarLike 'reserved_high='>
      pairs: [
        (AssignPair
          left: <Id.Lit_VarLike 'reserved_high='>
          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'reserved_high='> name:reserved_high)
          op: assign_op.Equal
          rhs: 
            {
              (CommandSub
                left_token: <Id.Left_DollarParen '$('>
                child: 
                  (command.Simple
                    blame_tok: <sysctl>
                    more_env: []
                    words: [{<sysctl>} {<-n>} {<net.inet.ip.portrange.reservedhigh>}]
                    redirects: []
                    do_fork: T
                  )
                right: <Id.Eof_RParen _>
              )
            }
        )
      ]
      redirects: []
    )
    (command.ShAssignment
      left: <Id.Lit_VarLike 'suser_exempt='>
      pairs: [
        (AssignPair
          left: <Id.Lit_VarLike 'suser_exempt='>
          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'suser_exempt='> name:suser_exempt)
          op: assign_op.Equal
          rhs: 
            {
              (CommandSub
                left_token: <Id.Left_DollarParen '$('>
                child: 
                  (command.Simple
                    blame_tok: <sysctl>
                    more_env: []
                    words: [{<sysctl>} {<-n>} {<security.mac.portacl.suser_exempt>}]
                    redirects: []
                    do_fork: T
                  )
                right: <Id.Eof_RParen _>
              )
            }
        )
      ]
      redirects: []
    )
    (command.ShAssignment
      left: <Id.Lit_VarLike 'port_high='>
      pairs: [
        (AssignPair
          left: <Id.Lit_VarLike 'port_high='>
          lhs: (sh_lhs_expr.Name left:<Id.Lit_VarLike 'port_high='> name:port_high)
          op: assign_op.Equal
          rhs: 
            {
              (CommandSub
                left_token: <Id.Left_DollarParen '$('>
                child: 
                  (command.Simple
                    blame_tok: <sysctl>
                    more_env: []
                    words: [{<sysctl>} {<-n>} {<security.mac.portacl.port_high>}]
                    redirects: []
                    do_fork: T
                  )
                right: <Id.Eof_RParen _>
              )
            }
        )
      ]
      redirects: []
    )
    (command.ShFunction
      name_tok: <restore_settings>
      name: restore_settings
      body: 
        (BraceGroup
          left: <Id.Lit_LBrace '{'>
          children: [
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [
                {<sysctl>}
                {<-n>}
                {<net.inet.ip.portrange.reservedhigh> <Id.Lit_Equals '='> 
                  (${ Id.VSub_Name reserved_high)
                }
              ]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [
                {<sysctl>}
                {<-n>}
                {<security.mac.portacl.suser_exempt> <Id.Lit_Equals '='> 
                  (${ Id.VSub_Name suser_exempt)
                }
              ]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
            (command.Simple
              blame_tok: <sysctl>
              more_env: []
              words: [
                {<sysctl>}
                {<-n>}
                {<security.mac.portacl.port_high> <Id.Lit_Equals '='> (${ Id.VSub_Name port_high)}
              ]
              redirects: [(Redir op:<Id.Redir_Great '>'> loc:(redir_loc.Fd fd:1) arg:{<'/dev/null'>})]
              do_fork: T
            )
          ]
          redirects: []
          right: <Id.Lit_RBrace '}'>
        )
    )
  ]
)