IPFW2 #if's removal
Maxim Konovalov
maxim at macomnet.ru
Mon Sep 6 02:32:59 PDT 2004
Hello,
The enclosed diff removes ~90 lines of "#if !IPFW2" dead code and a
small "FreeBSD_version" snippet. The purpose is to make the code a
little bit easier to read and maintain. Is it desirable to commit it
to HEAD and MFC to RELENG_5? Are there any objections/drawbacks?
Index: lib/libalias/alias_db.c
===================================================================
RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v
retrieving revision 1.61
diff -u -r1.61 alias_db.c
--- lib/libalias/alias_db.c 6 Jul 2004 12:13:28 -0000 1.61
+++ lib/libalias/alias_db.c 5 Sep 2004 12:19:50 -0000
@@ -2473,17 +2473,12 @@
file, but making variables global is evil too.
****************/
-#ifndef IPFW2
-#define IPFW2 1 /* use new ipfw code */
-#endif
-
/* Firewall include files */
#include <net/if.h>
#include <netinet/ip_fw.h>
#include <string.h>
#include <err.h>
-#if IPFW2 /* support for new firewall code */
/*
* helper function, updates the pointer to cmd with the length
* of the current command, and also cleans up the first word of
@@ -2554,8 +2549,6 @@
return ((char *)cmd - (char *)buf);
}
-#endif /* IPFW2 */
-
static void ClearAllFWHoles(struct libalias *la);
@@ -2648,7 +2641,6 @@
* add fwhole accept tcp from OAddr OPort to DAddr DPort add fwhole
* accept tcp from DAddr DPort to OAddr OPort
*/
-#if IPFW2
if (GetOriginalPort(lnk) != 0 && GetDestPort(lnk) != 0) {
u_int32_t rulebuf[255];
int i;
@@ -2669,46 +2661,6 @@
if (r)
err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
}
-#else /* !IPFW2, old code to generate ipfw rule */
-
- /* Build generic part of the two rules */
- rule.fw_number = fwhole;
- IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */
- IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */
- rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;
- rule.fw_prot = IPPROTO_TCP;
- rule.fw_smsk.s_addr = INADDR_BROADCAST;
- rule.fw_dmsk.s_addr = INADDR_BROADCAST;
-
- /* Build and apply specific part of the rules */
- rule.fw_src = GetOriginalAddress(lnk);
- rule.fw_dst = GetDestAddress(lnk);
- rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(lnk));
- rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(lnk));
-
- /*
- * Skip non-bound links - XXX should not be strictly necessary, but
- * seems to leave hole if not done. Leak of non-bound links? (Code
- * should be left even if the problem is fixed - it is a clear
- * optimization)
- */
- if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) {
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)");
-#endif
- rule.fw_src = GetDestAddress(lnk);
- rule.fw_dst = GetOriginalAddress(lnk);
- rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(lnk));
- rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(lnk));
- r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
-#ifdef DEBUG
- if (r)
- err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
-#endif
- }
-#endif /* !IPFW2 */
/* Indicate hole applied */
lnk->data.tcp->fwhole = fwhole;
fw_setfield(la, la->fireWallField, fwhole);
@@ -2732,14 +2684,8 @@
return;
memset(&rule, 0, sizeof rule); /* useless for ipfw2 */
-#if IPFW2
while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL,
&fwhole, sizeof fwhole));
-#else /* !IPFW2 */
- rule.fw_number = fwhole;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
- &rule, sizeof rule));
-#endif /* !IPFW2 */
fw_clrfield(la, la->fireWallField, fwhole);
lnk->data.tcp->fwhole = -1;
}
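Review bot: `memset(&rule, 0, sizeof rule); /* useless for ipfw2 */` is kept at the top of this hunk even though the only lines that read `rule` here (`rule.fw_number = fwhole;` and the old `IP_FW_DEL` call) are deleted, so within the hunk `rule` is now written and never used. The same leftover sits before the `for` loop in the next hunk (`@@ -2757,14 +2703,9 @@`). If nothing outside these hunks still uses it, the two `memset` calls and the `rule` declarations should go in the same commit. Both enclosing functions begin outside the hunks, so the declarations are not visible here.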
@@ -2757,14 +2703,9 @@
memset(&rule, 0, sizeof rule);
for (i = la->fireWallBaseNum; i < la->fireWallBaseNum + la->fireWallNumNums; i++) {
-#if IPFW2
int r = i;
while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r));
-#else /* !IPFW2 */
- rule.fw_number = i;
- while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule));
-#endif /* !IPFW2 */
}
/* XXX: third arg correct here ? /phk */
memset(la->fireWallField, 0, la->fireWallNumNums);
Index: sys/netinet/ip_dummynet.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.c,v
retrieving revision 1.84
diff -u -r1.84 ip_dummynet.c
--- sys/netinet/ip_dummynet.c 25 Aug 2004 09:31:30 -0000 1.84
+++ sys/netinet/ip_dummynet.c 5 Sep 2004 12:17:45 -0000
@@ -1063,7 +1063,6 @@
struct dn_flow_set *
locate_flowset(int pipe_nr, struct ip_fw *rule)
{
-#if IPFW2
struct dn_flow_set *fs;
ipfw_insn *cmd = rule->cmd + rule->act_ofs;
@@ -1079,11 +1078,6 @@
return fs;
if (cmd->opcode == O_QUEUE)
-#else /* !IPFW2 */
- struct dn_flow_set *fs = NULL ;
-
- if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE )
-#endif /* !IPFW2 */
for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next)
;
else {
@@ -1094,16 +1088,11 @@
fs = &(p1->fs) ;
}
/* record for the future */
-#if IPFW2
#ifdef __i386__
((ipfw_insn_pipe *)cmd)->pipe_ptr = fs;
#else
bcopy(&fs, & ((ipfw_insn_pipe *)cmd)->pipe_ptr, sizeof(fs));
#endif
-#else
- if (fs != NULL)
- rule->pipe_ptr = fs;
-#endif
return fs ;
}
@@ -1131,20 +1120,14 @@
u_int64_t len = m->m_pkthdr.len ;
struct dn_flow_queue *q = NULL ;
int is_pipe;
-#if IPFW2
ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;
-#endif
KASSERT(m->m_nextpkt == NULL,
("dummynet_io: mbuf queue passed to dummynet"));
-#if IPFW2
if (cmd->opcode == O_LOG)
cmd += F_LEN(cmd);
is_pipe = (cmd->opcode == O_PIPE);
-#else
- is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE;
-#endif
pipe_nr &= 0xffff ;
Index: sys/netinet/ip_fw.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.90
diff -u -r1.90 ip_fw.h
--- sys/netinet/ip_fw.h 19 Aug 2004 17:38:47 -0000 1.90
+++ sys/netinet/ip_fw.h 5 Sep 2004 12:18:00 -0000
@@ -27,7 +27,6 @@
#ifndef _IPFW2_H
#define _IPFW2_H
-#define IPFW2 1
/*
* The kernel representation of ipfw rules is made of a list of
Index: sys/netinet/ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.74
diff -u -r1.74 ip_fw2.c
--- sys/netinet/ip_fw2.c 26 Aug 2004 14:18:30 -0000 1.74
+++ sys/netinet/ip_fw2.c 5 Sep 2004 12:20:16 -0000
@@ -43,8 +43,6 @@
#endif /* INET */
#endif
-#define IPFW2 1
-#if IPFW2
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
@@ -3089,14 +3087,9 @@
*/
if (sopt->sopt_name == IP_FW_ADD ||
(sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
-#if __FreeBSD_version >= 500034
error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
if (error)
return (error);
-#else /* FreeBSD 4.x */
- if (securelevel >= 3)
- return (EPERM);
-#endif
}
error = 0;
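Review bot: `securelevel_ge(sopt->sopt_td->td_ucred, 3)` dereferences `sopt_td` with no check, and with the 4.x branch removed it is the only securelevel gate for `IP_FW_ADD` and the other set operations. `struct sockopt` allows `sopt_td` to be NULL for requests that originate in the kernel. Whether this handler can be reached that way is not visible in the hunk, so this is worth confirming before the MFC. If it cannot, an assertion before the call, such as `KASSERT(sopt->sopt_td != NULL, ("ipfw sockopt without a thread"));`, would document the assumption. The enclosing function starts and ends outside the hunk.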
@@ -3436,5 +3429,3 @@
IPFW_LOCK_DESTROY(&layer3_chain);
printf("IP firewall unloaded\n");
}
-
-#endif /* IPFW2 */
%%%
--
Maxim Konovalov