From owner-freebsd-current@FreeBSD.ORG Mon Sep 6 09:32:59 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EC6416A4CE for ; Mon, 6 Sep 2004 09:32:59 +0000 (GMT) Received: from mp2.macomnet.net (mp2.macomnet.net [195.128.64.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD1CF43D53 for ; Mon, 6 Sep 2004 09:32:57 +0000 (GMT) (envelope-from maxim@macomnet.ru) Received-SPF: pass (mp2.macomnet.net: domain of maxim@macomnet.ru designates 127.0.0.1 as permitted sender) receiver=mp2.macomnet.net; client_ip=127.0.0.1; envelope-from=maxim@macomnet.ru; Received: from localhost (oifyjhrv@localhost [127.0.0.1]) by mp2.macomnet.net (8.12.11/8.12.11) with ESMTP id i869WtsU020417 for ; Mon, 6 Sep 2004 13:32:55 +0400 (MSD) (envelope-from maxim@macomnet.ru) Date: Mon, 6 Sep 2004 13:32:55 +0400 (MSD) From: Maxim Konovalov To: current@freebsd.org Message-ID: <20040906132805.G20402@mp2.macomnet.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: IPFW2 #if's removal X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Sep 2004 09:32:59 -0000 Hello, An enclosed diff removes ~90 lines of "#if !IPFW2" dead code and a little "FreeBSD_version" snipped. The purpose is to make the code a little bit easier to read and maintain. Is it desirable to commit it in HEAD and MFC to RELENG_5? Are there any objections/drawbacks? Index: lib/libalias/alias_db.c =================================================================== RCS file: /home/ncvs/src/lib/libalias/alias_db.c,v retrieving revision 1.61 diff -u -r1.61 alias_db.c --- lib/libalias/alias_db.c 6 Jul 2004 12:13:28 -0000 1.61 +++ lib/libalias/alias_db.c 5 Sep 2004 12:19:50 -0000 
@@ -2473,17 +2473,12 @@ file, but making variables global is evil too. ****************/ -#ifndef IPFW2 -#define IPFW2 1 /* use new ipfw code */ -#endif - /* Firewall include files */ #include #include #include #include -#if IPFW2 /* support for new firewall code */ /* * helper function, updates the pointer to cmd with the length * of the current command, and also cleans up the first word of @@ -2554,8 +2549,6 @@ return ((char *)cmd - (char *)buf); } -#endif /* IPFW2 */ - static void ClearAllFWHoles(struct libalias *la); @@ -2648,7 +2641,6 @@ * add fwhole accept tcp from OAddr OPort to DAddr DPort add fwhole * accept tcp from DAddr DPort to OAddr OPort */ -#if IPFW2 if (GetOriginalPort(lnk) != 0 && GetDestPort(lnk) != 0) { u_int32_t rulebuf[255]; int i; 
@@ -2669,46 +2661,6 @@ if (r) err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)"); } -#else /* !IPFW2, old code to generate ipfw rule */ - - /* Build generic part of the two rules */ - rule.fw_number = fwhole; - IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */ - IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */ - rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT; - rule.fw_prot = IPPROTO_TCP; - rule.fw_smsk.s_addr = INADDR_BROADCAST; - rule.fw_dmsk.s_addr = INADDR_BROADCAST; - - /* Build and apply specific part of the rules */ - rule.fw_src = GetOriginalAddress(lnk); - rule.fw_dst = GetDestAddress(lnk); - rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(lnk)); - rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(lnk)); - - /* - * Skip non-bound links - XXX should not be strictly necessary, but - * seems to leave hole if not done. Leak of non-bound links? (Code - * should be left even if the problem is fixed - it is a clear - * optimization) - */ - if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) { - r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); -#ifdef DEBUG - if (r) - err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)"); -#endif - rule.fw_src = GetDestAddress(lnk); - rule.fw_dst = GetOriginalAddress(lnk); - rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(lnk)); - rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(lnk)); - r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); -#ifdef DEBUG - if (r) - err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)"); -#endif - } -#endif /* !IPFW2 */ /* Indicate hole applied */ lnk->data.tcp->fwhole = fwhole; fw_setfield(la, la->fireWallField, fwhole); 
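Review bot: The surviving rule-insert path, visible as the context lines `if (r) err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");` at the top of this hunk, exits the whole process when the kernel refuses the rule, whereas the removed legacy branch only did so under `#ifdef DEBUG`. libalias is a library, so this terminates whatever daemon links it. The ip_fw2.c section of this same patch shows IP_FW_ADD being rejected when `securelevel_ge(..., 3)` reports an error, so on a host with a raised securelevel a punch attempt would presumably end the NAT process rather than skip the hole. Consider reporting the failure and bailing out before the `/* Indicate hole applied */` lines, e.g. `if (r) { warn("alias punch inbound(2) setsockopt(IP_FW_ADD)"); return; }` (assuming the function returns void), so that a hole which was never installed is not recorded as applied. The function starts and ends outside the hunk, so check there whether an early return skips cleanup and whether the inbound(1) call has the same shape.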
@@ -2732,14 +2684,8 @@ return; memset(&rule, 0, sizeof rule); /* useless for ipfw2 */ -#if IPFW2 while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &fwhole, sizeof fwhole)); -#else /* !IPFW2 */ - rule.fw_number = fwhole; - while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, - &rule, sizeof rule)); -#endif /* !IPFW2 */ fw_clrfield(la, la->fireWallField, fwhole); lnk->data.tcp->fwhole = -1; } @@ -2757,14 +2703,9 @@ memset(&rule, 0, sizeof rule); for (i = la->fireWallBaseNum; i < la->fireWallBaseNum + la->fireWallNumNums; i++) { -#if IPFW2 int r = i; while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r)); -#else /* !IPFW2 */ - rule.fw_number = i; - while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule)); -#endif /* !IPFW2 */ } /* XXX: third arg correct here ? /phk */ memset(la->fireWallField, 0, la->fireWallNumNums); Index: sys/netinet/ip_dummynet.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.c,v retrieving revision 1.84 diff -u -r1.84 ip_dummynet.c --- sys/netinet/ip_dummynet.c 25 Aug 2004 09:31:30 -0000 1.84 +++ sys/netinet/ip_dummynet.c 5 Sep 2004 12:17:45 -0000 @@ -1063,7 +1063,6 @@ struct dn_flow_set * locate_flowset(int pipe_nr, struct ip_fw *rule) { -#if IPFW2 struct dn_flow_set *fs; ipfw_insn *cmd = rule->cmd + rule->act_ofs; @@ -1079,11 +1078,6 @@ return fs; if (cmd->opcode == O_QUEUE) -#else /* !IPFW2 */ - struct dn_flow_set *fs = NULL ; - - if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE ) -#endif /* !IPFW2 */ for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next) ; else { @@ -1094,16 +1088,11 @@ fs = &(p1->fs) ; } /* record for the future */ -#if IPFW2 #ifdef __i386__ ((ipfw_insn_pipe *)cmd)->pipe_ptr = fs; #else bcopy(&fs, & ((ipfw_insn_pipe *)cmd)->pipe_ptr, sizeof(fs)); #endif -#else - if (fs != NULL) - rule->pipe_ptr = fs; -#endif return fs ; } 
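Review bot: After the `-2732` and `-2757` hunks in alias_db.c nothing visible reads `rule` any more, yet both keep `memset(&rule, 0, sizeof rule);` (the first is already commented `/* useless for ipfw2 */`), so the cleanup stops one step short. Drop both memset calls and, if the declarations outside these hunks have no other users, the `rule` locals too. The empty-bodied `while (!setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_DEL, &fwhole, sizeof fwhole));` loops also deserve a one-line comment saying why they repeat until the call fails. Presumably this is because several rules can share one number, e.g. `/* repeat IP_FW_DEL until it fails: more than one rule may carry this number */`. Both function bodies begin outside the hunks.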
@@ -1131,20 +1120,14 @@ u_int64_t len = m->m_pkthdr.len ; struct dn_flow_queue *q = NULL ; int is_pipe; -#if IPFW2 ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs; -#endif KASSERT(m->m_nextpkt == NULL, ("dummynet_io: mbuf queue passed to dummynet")); -#if IPFW2 if (cmd->opcode == O_LOG) cmd += F_LEN(cmd); is_pipe = (cmd->opcode == O_PIPE); -#else - is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE; -#endif pipe_nr &= 0xffff ; Index: sys/netinet/ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.90 diff -u -r1.90 ip_fw.h --- sys/netinet/ip_fw.h 19 Aug 2004 17:38:47 -0000 1.90 +++ sys/netinet/ip_fw.h 5 Sep 2004 12:18:00 -0000 @@ -27,7 +27,6 @@ #ifndef _IPFW2_H #define _IPFW2_H -#define IPFW2 1 /* * The kernel representation of ipfw rules is made of a list of Index: sys/netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.74 diff -u -r1.74 ip_fw2.c --- sys/netinet/ip_fw2.c 26 Aug 2004 14:18:30 -0000 1.74 +++ sys/netinet/ip_fw2.c 5 Sep 2004 12:20:16 -0000 @@ -43,8 +43,6 @@ #endif /* INET */ #endif -#define IPFW2 1 -#if IPFW2 #include #include #include @@ -3089,14 +3087,9 @@ */ if (sopt->sopt_name == IP_FW_ADD || (sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) { -#if __FreeBSD_version >= 500034 error = securelevel_ge(sopt->sopt_td->td_ucred, 3); if (error) return (error); -#else /* FreeBSD 4.x */ - if (securelevel >= 3) - return (EPERM); -#endif } error = 0; @@ -3436,5 +3429,3 @@ IPFW_LOCK_DESTROY(&layer3_chain); printf("IP firewall unloaded\n"); } - -#endif /* IPFW2 */ %%% -- Maxim Konovalov
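Review bot: Removing `#define IPFW2 1` from sys/netinet/ip_fw.h changes what every remaining `#if IPFW2` test evaluates to, because an undefined macro is 0 in `#if`; the patch only shows libalias, ip_dummynet.c and ip_fw2.c being cleaned up. Any other code that includes this header and still tests the macro is not visible here. Such code would fall into its legacy branch, which presumably no longer builds against the ipfw2 structures. Before committing, and particularly before the MFC to RELENG_5 that the description asks about, grep the tree for remaining IPFW2 users, or keep the define for source compatibility with a comment such as `#define IPFW2 1 /* compat only: no in-tree users remain */`.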