diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 13a0996b7d9e..c3c90d845ca4 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -6,10 +6,10 @@ * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright + * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * + * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -118,15 +118,15 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, &autoinc_step, 0, "Rule number autincrement step"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass, - CTLFLAG_RW | CTLFLAG_SECURE, - &fw_one_pass, 0, + CTLFLAG_RW | CTLFLAG_SECURE, + &fw_one_pass, 0, "Only do a single pass through ipfw when using dummynet(4)"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "Enable printing of debug ip_fw statements"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE, &fw_verbose, 0, "Log matches to ipfw rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); /* 
@@ -186,7 +186,7 @@ static u_int32_t dyn_short_lifetime = 5; * dyn_rst_lifetime and dyn_fin_lifetime should be strictly lower * than dyn_keepalive_period. */ - + static u_int32_t dyn_keepalive_interval = 20; static u_int32_t dyn_keepalive_period = 5; static u_int32_t dyn_keepalive = 1; /* do send keepalives */ @@ -496,7 +496,7 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh, ntohs(sa->sa.sin_port)); } break; - default: + default: action = "UNKNOWN"; break; } @@ -1058,7 +1058,7 @@ send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags) struct route sro; /* fake route */ MGETHDR(m, M_DONTWAIT, MT_HEADER); - if (m == 0) + if (m == 0) return; m->m_pkthdr.rcvif = (struct ifnet *)0; m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr); @@ -1164,7 +1164,7 @@ send_reject(struct ip_fw_args *args, int code, int offset, int ip_len) * This never returns NULL -- in case we do not have an exact match, * the next rule is returned. When the ruleset is changed, * pointers are flushed so we are always correct. - */ + */ static struct ip_fw * lookup_next_rule(struct ip_fw *me) @@ -1220,7 +1220,7 @@ lookup_next_rule(struct ip_fw *me) * 16 bits as a dummynet pipe number instead of diverting */ -static int +static int ipfw_chk(struct ip_fw_args *args) { /* @@ -1585,7 +1585,7 @@ ipfw_chk(struct ip_fw_args *args) ((ipfw_insn_ip *)cmd)->addr.s_addr == src_ip.s_addr); break; - + case O_IP_SRC_MASK: match = (hlen > 0 && ((ipfw_insn_ip *)cmd)->addr.s_addr == @@ -1601,7 +1601,7 @@ ipfw_chk(struct ip_fw_args *args) match = (tif != NULL); } break; - + case O_IP_DST_SET: case O_IP_SRC_SET: if (hlen > 0) { @@ -1641,7 +1641,7 @@ ipfw_chk(struct ip_fw_args *args) match = (tif != NULL); } break; - + case O_IP_SRCPORT: case O_IP_DSTPORT: /* 
@@ -1842,7 +1842,7 @@ ipfw_chk(struct ip_fw_args *args) args->rule = f; /* report matching rule */ retval = cmd->arg1 | IP_FW_PORT_DYNT_FLAG; goto done; - + case O_DIVERT: case O_TEE: if (args->eh) /* not on layer 2 */ @@ -1913,7 +1913,7 @@ ipfw_chk(struct ip_fw_args *args) } /* end of inner for, scan opcodes */ next_rule:; /* try next rule */ - + } /* end of outer for, scan rules */ printf("+++ ipfw: ouch!, skip past end of rules, denying packet\n"); return(IP_FW_PORT_DENY_FLAG); @@ -1957,10 +1957,9 @@ flush_pipe_ptrs(struct dn_flow_set *match) for (rule = layer3_chain; rule; rule = rule->next) { ipfw_insn_pipe *cmd = (ipfw_insn_pipe *)ACTION_PTR(rule); - + if (cmd->o.opcode != O_PIPE && cmd->o.opcode != O_QUEUE) continue; - if (match == NULL || cmd->pipe_ptr == match) cmd->pipe_ptr = NULL; } @@ -2100,7 +2099,7 @@ free_chain(struct ip_fw **chain, int kill_default) * * The argument is an u_int32_t. The low 16 bit are the rule or set number, * the next 8 bits are the new set, the top 8 bits are the command: - * + * * 0 delete rules with given number * 1 delete rules with given set number * 2 move rules with given number to new set @@ -2130,7 +2129,7 @@ del_entry(struct ip_fw **chain, u_int32_t arg) if (rulenum > 30) return EINVAL; } - + switch (cmd) { case 0: /* delete rules with given number */ /* @@ -2339,7 +2338,7 @@ check_ipfw_struct(struct ip_fw *rule, int size) case O_LOG: if (cmdlen != F_INSN_SIZE(ipfw_insn_log)) goto bad_size; - + ((ipfw_insn_log *)cmd)->log_left = ((ipfw_insn_log *)cmd)->max_log; @@ -2548,7 +2547,7 @@ ipfw_ctl(struct sockopt *sopt) * On the other hand, the risk is that we end up with * a very inconsistent ruleset, so better keep the lock * around the whole cycle. - * + * * XXX this code can be improved by resetting the head of * the list to point to the default rule, and then freeing * the old list without the need for a lock. 
@@ -2726,7 +2725,7 @@ ipfw_modevent(module_t mod, int type, void *unused)
 {
 int s;
 int err = 0;
-
+
 switch (type) {
 case MOD_LOAD:
 s = splimp();