Hello, An enclosed diff removes ~90 lines of "#if !IPFW2" dead code and a little "FreeBSD_version" snipped. The purpose is to make the code a little bit easier to read and maintain. Is it desirable to commit it in HEAD and MFC to RELENG_5? Are there any objections/drawbacks? Index: lib/libalias/alias_db.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v retrieving revision 1.61 diff -u -r1.61 alias_db.c --- lib/libalias/alias_db.c 6 Jul 2004 12:13:28 -0000 1.61 +++ lib/libalias/alias_db.c 5 Sep 2004 12:19:50 -0000 _at__at_ -2473,17 +2473,12 _at__at_ file, but making variables global is evil too. ****************/ -#ifndef IPFW2 -#define IPFW2 1 /* use new ipfw code */ -#endif - /* Firewall include files */ #include <net/if.h> #include <netinet/ip_fw.h> #include <string.h> #include <err.h> -#if IPFW2 /* support for new firewall code */ /* * helper function, updates the pointer to cmd with the length * of the current command, and also cleans up the first word of _at__at_ -2554,8 +2549,6 _at__at_ return ((char *)cmd - (char *)buf); } -#endif /* IPFW2 */ - static void ClearAllFWHoles(struct libalias *la); _at__at_ -2648,7 +2641,6 _at__at_ * add fwhole accept tcp from OAddr OPort to DAddr DPort add fwhole * accept tcp from DAddr DPort to OAddr OPort */ -#if IPFW2 if (GetOriginalPort(lnk) != 0 && GetDestPort(lnk) != 0) { u_int32_t rulebuf[255]; int i; _at__at_ -2669,46 +2661,6 _at__at_ if (r) err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)"); } -#else /* !IPFW2, old code to generate ipfw rule */ - - /* Build generic part of the two rules */ - rule.fw_number = fwhole; - IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */ - IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. 
*/ - rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT; - rule.fw_prot = IPPROTO_TCP; - rule.fw_smsk.s_addr = INADDR_BROADCAST; - rule.fw_dmsk.s_addr = INADDR_BROADCAST; - - /* Build and apply specific part of the rules */ - rule.fw_src = GetOriginalAddress(lnk); - rule.fw_dst = GetDestAddress(lnk); - rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(lnk)); - rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(lnk)); - - /* - * Skip non-bound links - XXX should not be strictly necessary, but - * seems to leave hole if not done. Leak of non-bound links? (Code - * should be left even if the problem is fixed - it is a clear - * optimization) - */ - if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) { - r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); -#ifdef DEBUG - if (r) - err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)"); -#endif - rule.fw_src = GetDestAddress(lnk); - rule.fw_dst = GetOriginalAddress(lnk); - rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(lnk)); - rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(lnk)); - r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); -#ifdef DEBUG - if (r) - err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)"); -#endif - } -#endif /* !IPFW2 */ /* Indicate hole applied */ lnk->data.tcp->fwhole = fwhole; fw_setfield(la, la->fireWallField, fwhole); _at__at_ -2732,14 +2684,8 _at__at_ return; memset(&rule, 0, sizeof rule); /* useless for ipfw2 */ -#if IPFW2 while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &fwhole, sizeof fwhole)); -#else /* !IPFW2 */ - rule.fw_number = fwhole; - while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, - &rule, sizeof rule)); -#endif /* !IPFW2 */ fw_clrfield(la, la->fireWallField, fwhole); lnk->data.tcp->fwhole = -1; } _at__at_ -2757,14 +2703,9 _at__at_ memset(&rule, 0, sizeof rule); for (i = la->fireWallBaseNum; i < la->fireWallBaseNum + la->fireWallNumNums; i++) { -#if IPFW2 int r = i; while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, 
sizeof r)); -#else /* !IPFW2 */ - rule.fw_number = i; - while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule)); -#endif /* !IPFW2 */ } /* XXX: third arg correct here ? /phk */ memset(la->fireWallField, 0, la->fireWallNumNums); Index: sys/netinet/ip_dummynet.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.c,v retrieving revision 1.84 diff -u -r1.84 ip_dummynet.c --- sys/netinet/ip_dummynet.c 25 Aug 2004 09:31:30 -0000 1.84 +++ sys/netinet/ip_dummynet.c 5 Sep 2004 12:17:45 -0000 _at__at_ -1063,7 +1063,6 _at__at_ struct dn_flow_set * locate_flowset(int pipe_nr, struct ip_fw *rule) { -#if IPFW2 struct dn_flow_set *fs; ipfw_insn *cmd = rule->cmd + rule->act_ofs; _at__at_ -1079,11 +1078,6 _at__at_ return fs; if (cmd->opcode == O_QUEUE) -#else /* !IPFW2 */ - struct dn_flow_set *fs = NULL ; - - if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE ) -#endif /* !IPFW2 */ for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next) ; else { _at__at_ -1094,16 +1088,11 _at__at_ fs = &(p1->fs) ; } /* record for the future */ -#if IPFW2 #ifdef __i386__ ((ipfw_insn_pipe *)cmd)->pipe_ptr = fs; #else bcopy(&fs, & ((ipfw_insn_pipe *)cmd)->pipe_ptr, sizeof(fs)); #endif -#else - if (fs != NULL) - rule->pipe_ptr = fs; -#endif return fs ; } _at__at_ -1131,20 +1120,14 _at__at_ u_int64_t len = m->m_pkthdr.len ; struct dn_flow_queue *q = NULL ; int is_pipe; -#if IPFW2 ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs; -#endif KASSERT(m->m_nextpkt == NULL, ("dummynet_io: mbuf queue passed to dummynet")); -#if IPFW2 if (cmd->opcode == O_LOG) cmd += F_LEN(cmd); is_pipe = (cmd->opcode == O_PIPE); -#else - is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE; -#endif pipe_nr &= 0xffff ; Index: sys/netinet/ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.90 diff -u -r1.90 ip_fw.h --- 
sys/netinet/ip_fw.h 19 Aug 2004 17:38:47 -0000 1.90 +++ sys/netinet/ip_fw.h 5 Sep 2004 12:18:00 -0000 _at__at_ -27,7 +27,6 _at__at_ #ifndef _IPFW2_H #define _IPFW2_H -#define IPFW2 1 /* * The kernel representation of ipfw rules is made of a list of Index: sys/netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.74 diff -u -r1.74 ip_fw2.c --- sys/netinet/ip_fw2.c 26 Aug 2004 14:18:30 -0000 1.74 +++ sys/netinet/ip_fw2.c 5 Sep 2004 12:20:16 -0000 _at__at_ -43,8 +43,6 _at__at_ #endif /* INET */ #endif -#define IPFW2 1 -#if IPFW2 #include <sys/param.h> #include <sys/systm.h> #include <sys/malloc.h> _at__at_ -3089,14 +3087,9 _at__at_ */ if (sopt->sopt_name == IP_FW_ADD || (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) { -#if __FreeBSD_version >= 500034 error = securelevel_ge(sopt->sopt_td->td_ucred, 3); if (error) return (error); -#else /* FreeBSD 4.x */ - if (securelevel >= 3) - return (EPERM); -#endif } error = 0; _at__at_ -3436,5 +3429,3 _at__at_ IPFW_LOCK_DESTROY(&layer3_chain); printf("IP firewall unloaded\n"); } - -#endif /* IPFW2 */ %%% -- Maxim KonovalovReceived on Mon Sep 06 2004 - 07:32:59 UTC
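Review bot: Removing `#define IPFW2 1` from sys/netinet/ip_fw.h (the -27,7 hunk) means any `#if IPFW2` test left in a file this patch does not touch will evaluate to 0 with no diagnostic. Such a file would then silently select its old-ipfw branch, or fail to build against structure members that no longer exist. Only alias_db.c, ip_dummynet.c and ip_fw2.c are cleaned up here, and other consumers of the header are not visible in the patch, so the tree and any out-of-tree users should be searched for `IPFW2` before the define is dropped. If compatibility matters for the MFC, the header could keep the line for a release as `#define IPFW2 1 /* kept for out-of-tree consumers; unused in-tree */`.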