Date: Thu, 20 Aug 2009 17:55:45 GMT From: Tatsiana Elavaya <tsel@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 167544 for review Message-ID: <200908201755.n7KHtj6W075425@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=167544 Change 167544 by tsel@tsel_mz on 2009/08/20 17:54:49 Add ipfw.hll.8 man page Simplify language by removing if/cond tokens Fix anonymous conditions support bug Fix grammar conflicts Implement labels Affected files ... .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/Makefile#5 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.8#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.c#5 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.h#5 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/parse.y#5 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/subr.c#4 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/Makefile#4 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name1#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name2#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name3#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name3.err#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_man#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_man.output#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test0#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test1.err#3 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test10#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test10.output#1 add .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test2#3 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test3#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test4#4 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test5#3 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test6#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test7#3 edit .. 
//depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test8#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test9#2 edit .. //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/token.l#4 edit .. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/Makefile#4 edit .. //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#13 edit Differences ... ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/Makefile#5 (text+ko) ==== @@ -1,5 +1,5 @@ PROG= ipfw.hll -NO_MAN= +MAN= ipfw.hll.8 SRCS= parse.y token.l ipfw.hll.c subr.c WARNS?= 2 @@ -11,7 +11,7 @@ DPADD= ${LIBL} LDADD= -ll -DEBUG_FLAGS+= -g -O0 -DIPFW_HLL_DEBUG +#DEBUG_FLAGS+= -g -O0 -DIPFW_HLL_DEBUG .PHONY: test test: ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.c#5 (text+ko) ==== @@ -188,7 +188,7 @@ static void usage(void) { - fprintf(stderr, "usage: ipfw.hll [-gh] [-n rulenum] [-i increment] file\n"); + fprintf(stderr, "usage: ipfw.hll [-gh] [-n rulenum] [-i increment] [file]\n"); exit(EX_USAGE); } ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/ipfw.hll.h#5 (text+ko) ==== @@ -74,12 +74,19 @@ }; struct var { - TAILQ_ENTRY(var) vars_entries; + TAILQ_ENTRY(var) var_entries; char *name; char *value; int lineno; }; +struct label { + TAILQ_ENTRY(label) label_entries; + char *name; + struct rule *rule; + int lineno; +}; + extern struct ruleset *toplevel_ruleset; void *safe_calloc(int size); @@ -100,4 +107,7 @@ struct var * var_alloc(void); struct var * var_lookup(char *name); void var_insert(struct var *var); +struct label * label_alloc(void); +struct label * label_lookup(char *name); +void label_insert(struct label *label); ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/parse.y#5 (text+ko) ==== 
@@ -54,21 +54,21 @@ %token<str> STR %token<str> ACTION +%token COLON %token DEFINE %token RULESET %token SET %token CALL %token SEMICOLON -%token IF %token THEN %token BLOCK_BEGIN %token BLOCK_END %type<condset> define_cond cond_body cond_list -%type<cond> cond cond_cmd_list -%type<ruleset> define_ruleset rule_body rule_list -%type<rule> rule rule_tail rule_action rule_action_list -%type<cmd> cond_cmd cond_tail +%type<cond> cond +%type<ruleset> define_ruleset rule_body rule_list toprule_list +%type<rule> rule rule_action rule_action_list toprule label +%type<cmd> cond_cmd %type<str> id str %type<var> define_var @@ -77,22 +77,32 @@ %% begin - : define_list rule_list + : space body + ; + +body + : define_list toprule_list { - if ($2 == NULL) - errx(EX_DATAERR, "%s:%d: top level ruleset is empty", yyfile, yyline); toplevel_ruleset = $2; } + | define_list + { + errx(EX_DATAERR, "%s:%d: top level ruleset is empty", yyfile, yyline); + } + ; + +space + : + | space SEMICOLON ; define_list : - | define_list define_block + | define_list define_block space ; define_block - : SEMICOLON - | define_var + : define_var | define_cond | define_ruleset ; @@ -108,9 +118,9 @@ } define_cond - : DEFINE id cond_body SEMICOLON + : DEFINE id space cond_body SEMICOLON { - $$ = $3; + $$ = $4; $$->lineno = $2.lineno; $$->name = $2.s; condsets_insert($$); @@ -118,9 +128,9 @@ ; define_ruleset - : RULESET id rule_body SEMICOLON + : RULESET id space rule_body SEMICOLON { - $$ = $3; + $$ = $4; $$->lineno = $2.lineno; $$->name = $2.s; rulesets_insert($$); 
@@ -130,78 +140,92 @@ cond_body : BLOCK_BEGIN cond_list BLOCK_END { $$ = $2; } + | BLOCK_BEGIN BLOCK_END + { $$ = condset_alloc(); } rule_body : BLOCK_BEGIN rule_list BLOCK_END { $$ = $2; } + | BLOCK_BEGIN BLOCK_END + { $$ = ruleset_alloc(); } cond_list - : - { $$ = NULL; } - | cond_list cond cond_tail SEMICOLON + : SEMICOLON + { + $$ = condset_alloc(); + } + | cond SEMICOLON + { + $$ = condset_alloc(); + if ($1 != NULL) { + TAILQ_INSERT_TAIL(&$$->conds, $1, cond_entries); + } + } + | cond_list SEMICOLON + { + $$ = $1; + } + | cond_list cond SEMICOLON { + $$ = $1; if ($2 != NULL) { - if ($1 == NULL) - $1 = condset_alloc(); - if ($3 != NULL) { - TAILQ_INSERT_TAIL(&$2->cmds, $3, cmd_entries); - } TAILQ_INSERT_TAIL(&$1->conds, $2, cond_entries); } - $$ = $1; } ; -rule_list - : - { $$ = NULL; } - | rule_list rule SEMICOLON +toprule_list + : toprule { - if ($2 != NULL) { - if ($1 == NULL) - $1 = ruleset_alloc(); - TAILQ_INSERT_TAIL(&$1->rules, $2, rule_entries); + $$ = ruleset_alloc(); + if ($1 != NULL) { + $$->lineno = $1->lineno; + TAILQ_INSERT_TAIL(&$$->rules, $1, rule_entries); } - $$ = $1; + } + | toprule_list toprule + { + if ($2 != NULL) + TAILQ_INSERT_TAIL(&$$->rules, $2, rule_entries); } - ; -cond - : - { $$ = NULL; } - | IF cond_cmd_list - { $$ = $2; } - ; +toprule + : label + { $$ = $1; } + | rule + { $$ = $1; } -cond_tail - : - { $$ = NULL; } - | cond_body - { - $$ = cmd_alloc(); - $$->cmd_condset = $1; +rule_list + : rule + { + $$ = ruleset_alloc(); + if ($1 != NULL) { + TAILQ_INSERT_TAIL(&$$->rules, $1, rule_entries); + } + } + | rule_list rule + { + $$ = $1; + if ($2 != NULL) { + TAILQ_INSERT_TAIL(&$$->rules, $2, rule_entries); + } } ; rule - : + : SEMICOLON { $$ = NULL; } - | rule_action - { $$ = $1; } - | cond THEN rule_tail + | THEN space rule_action SEMICOLON + { $$ = $3; } + | cond SEMICOLON { - $$ = $3; - $$->cond = $1; + $$ = NULL; + yyerror("rule action is not specified"); } - ; - -rule_tail - : rule_action - { $$ = $1; } - | rule_body + | cond 
THEN space rule_action SEMICOLON { - $$ = rule_alloc(); - $$->action_ruleset = $1; + $$ = $4; + $$->cond = $1; } ; @@ -218,6 +242,11 @@ { $$ = $1; } + | rule_body + { + $$ = rule_alloc(); + $$->action_ruleset = $1; + } ; rule_action_list @@ -254,16 +283,41 @@ } ; -cond_cmd_list - : { $$ = NULL; } - | cond_cmd_list cond_cmd +label + : id COLON SEMICOLON + { + struct label *label; + struct cmd *cmd; + char **p; + char *cmds[] = { + "alias", $1.s, + "count", "all", "from", "any", "to", "any", NULL + }; + + $$ = rule_alloc(); + $$->lineno = $1.lineno; + for (p = cmds; *p != NULL; p++) { + cmd = cmd_alloc(); + cmd->cmd = strdup(*p); + TAILQ_INSERT_TAIL(&$$->actions, cmd, cmd_entries); + } + label = label_alloc(); + label->lineno = $1.lineno; + label->rule = $$; + label->name = strdup($1.s); + label_insert(label); + } + +cond + : cond_cmd + { + $$ = cond_alloc(); + TAILQ_INSERT_TAIL(&$$->cmds, $1, cmd_entries); + } + | cond cond_cmd { - if ($1 == NULL) { - $1 = cond_alloc(); - } - - TAILQ_INSERT_TAIL(&$1->cmds, $2, cmd_entries); $$ = $1; + TAILQ_INSERT_TAIL(&$$->cmds, $2, cmd_entries); } ; @@ -278,9 +332,11 @@ } | cond_body { - $$ = cmd_alloc(); - $$->lineno = $1->lineno; - $$->cmd_condset = $1; + if ($1 != NULL) { + $$ = cmd_alloc(); + $$->lineno = $1->lineno; + $$->cmd_condset = $1; + } } | str { @@ -335,10 +391,19 @@ void yyerror(char *s) { - if (yytext) - warnx("%s:%d: '%s': %s", yyfile, yyline, yytext, s); +int line; +char *text; + + line = yyline; + text = yytext; + if (yytext && yytext[0] == '\n' && yytext[1] == '\0') { + line--; + text = NULL; + } + if (text) + warnx("%s:%d: '%s': %s", yyfile, line, text, s); else - warnx("%s:%d: %s", yyfile, yyline, s); + warnx("%s:%d: %s", yyfile, line, s); } ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/subr.c#4 (text+ko) ==== 
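Review bot: In `rule`, the `cond SEMICOLON` alternative reports "rule action is not specified" through `yyerror()` and then carries on with `$$ = NULL`, so the rule is dropped instead of the parse being aborted; the `yyerror()` body shown later in this change only calls `warnx()`. For a firewall rule compiler this means a typo can produce a ruleset with a rule missing, unless something outside the diff counts errors and fails the run. Ending the action with `YYERROR;` after the `yyerror()` call, or using `errx(EX_DATAERR, ...)` like the other fatal diagnostics, would make it fail closed. Related: `toprule_list : toprule` now allocates a ruleset even when `$1` is NULL, so the "top level ruleset is empty" check in `body` no longer fires for input whose only rules were dropped.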
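Review bot: Both `strdup()` calls in the new `label` action (`cmd->cmd = strdup(*p)` and `label->name = strdup($1.s)`) are used without a NULL check, and `label_insert()` hands `label->name` to `strcmp()` through `label_lookup()` in subr.c. On allocation failure that becomes a NULL dereference rather than a diagnostic, while `label_alloc()` itself goes through `safe_calloc()`. A checked duplicate would be consistent with that, e.g. `if ((label->name = strdup($1.s)) == NULL) err(EX_OSERR, "strdup");`, and the same for `cmd->cmd`. The `label` rule, like `toprule_list` and `toprule`, also lacks the terminating `;` that `rule_list` and `cond` carry.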
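Review bot: The new `if ($1 != NULL)` guard in the `cond_body` alternative leaves `$$` unassigned by the action when `$1` is NULL, yet `cond` in this same change inserts its `cond_cmd` into the queue with `TAILQ_INSERT_TAIL` unconditionally. With this commit both `cond_body` alternatives and every `cond_list` alternative return a `condset_alloc()` result, so the guard looks unreachable. Either drop it, or add `else $$ = NULL;` and make `cond` skip NULL commands. The `cond_cmd` rule begins and ends outside the hunk.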
@@ -12,6 +12,7 @@ static TAILQ_HEAD(, ruleset) rulesets = TAILQ_HEAD_INITIALIZER(rulesets); static TAILQ_HEAD(, condset) condsets = TAILQ_HEAD_INITIALIZER(condsets); static TAILQ_HEAD(, var) vars = TAILQ_HEAD_INITIALIZER(vars); +static TAILQ_HEAD(, label) labels = TAILQ_HEAD_INITIALIZER(labels); void *safe_calloc(int size) { @@ -220,7 +221,7 @@ { struct var *r; - TAILQ_FOREACH(r, &vars, vars_entries) { + TAILQ_FOREACH(r, &vars, var_entries) { if (strcmp(r->name, name) == 0) return (r); } @@ -236,6 +237,39 @@ if (dup != NULL) errx(EX_DATAERR, "%s:%d: variable '%s' is already defined at line %d", yyfile, var->lineno, var->name, dup->lineno); - TAILQ_INSERT_TAIL(&vars, var, vars_entries); + TAILQ_INSERT_TAIL(&vars, var, var_entries); +} + +struct label * +label_alloc(void) +{ + struct label *r; + + r = safe_calloc(sizeof(struct label)); + return (r); +} + +struct label * +label_lookup(char *name) +{ + struct label *r; + + TAILQ_FOREACH(r, &labels, label_entries) { + if (strcmp(r->name, name) == 0) + return (r); + } + return (NULL); +} + +void +label_insert(struct label *label) +{ + struct label *dup; + + dup = label_lookup(label->name); + if (dup != NULL) + errx(EX_DATAERR, "%s:%d: label '%s' is already defined at line %d", + yyfile, label->lineno, label->name, dup->lineno); + TAILQ_INSERT_TAIL(&labels, label, label_entries); } ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/Makefile#4 (text+ko) ==== @@ -1,5 +1,6 @@ -TESTS+= test0 test1 test2 test3 test4 test5 test6 test7 test8 test9 -TESTS+= t_dup_name1 t_dup_name2 +TESTS+= test0 test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 +TESTS+= t_dup_name1 t_dup_name2 t_dup_name3 +TESTS+= t_man all: test ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name1#2 (text+ko) ==== 
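Review bot: `label_lookup()` takes `char *name` although it only reads it; `const char *name` (here and in the ipfw.hll.h prototype) would document that and let callers pass literals. Neither new function has a comment, and `label_insert()` terminating the process via `errx(EX_DATAERR, ...)` on a duplicate is not obvious from a `void` signature; a one-line header such as `/* Add label to the global list; exits with EX_DATAERR if the name is already defined. */` would help. The duplicate check covers only the `labels` list, so whether a label may share a name with a variable, condset or ruleset is left undefined here.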
@@ -1,16 +1,16 @@ define q { - cond q11 q12 - cond q21 q22 + q11 q12 + q21 q22 } define q { - cond w11 w12 - cond w21 w22 + w11 w12 + w21 w22 } define q { - cond w11 w12 - cond w21 w22 + w11 w12 + w21 w22 } -cond c1 c2 @q => allow +c1 c2 @q => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/t_dup_name2#2 (text+ko) ==== @@ -1,10 +1,10 @@ define q { - cond q11 q12 - cond q21 q22 + q11 q12 + q21 q22 } ruleset q { - allow + => allow } -cond c1 c2 @q => allow +c1 c2 @q => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test0#2 (text+ko) ==== @@ -1,7 +1,7 @@ # comment # comment 2 - cond c1 c2 => allow # comment + c1 c2 => allow # comment -cond c3 c4 => deny +c3 c4 => deny ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test1.err#3 (text+ko) ==== @@ -1,1 +1,1 @@ -ipfw.hll: <stdin>:1: 'error': syntax error +ipfw.hll: <stdin>:1: rule action is not specified ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test2#3 (text+ko) ==== @@ -1,9 +1,9 @@ # sdfsdf define c1 { - cond q1 q2 + q1 q2; }; ruleset r1 { - if c1 then drop + @c1 => drop; }; ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test3#2 (text+ko) ==== @@ -6,7 +6,7 @@ X = "nested bb ${var_a} cc ${var_a} nested" -cond ${var_a} c1 c2 => allow -cond c3 ${VAR2} c4 => allow -cond c5 c6 ${X} => allow +${var_a} c1 c2 => allow +c3 ${VAR2} c4 => allow +c5 c6 ${X} => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test4#4 (text+ko) ==== @@ -1,15 +1,15 @@ define q { - cond q11 q12 - cond q21 q22 + q11 q12 + q21 q22 } define w { - cond w11 w12 - cond w21 w22 + w11 w12 + w21 w22 } -cond c1 c2 @q => allow -cond c3 @q c4 => allow -cond c1 c2 c3 c4 @w => allow -cond c3 @w @q c4 => allow -cond @w c5 c6 @q => allow +c1 c2 @q => allow +c3 @q c4 => allow +c1 c2 c3 c4 @w => allow +c3 @w @q c4 => allow +@w c5 c6 @q => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test5#3 (text+ko) ==== 
@@ -1,22 +1,22 @@ ruleset r2 { - cond r2-c1 => allow - cond r2-c2 => deny + r2-c1 => allow + r2-c2 => deny } ruleset r1 { - cond r1-c1 => allow - cond r1-c2 => @r2 - cond r1-c3 => @r2 + r1-c1 => allow + r1-c2 => @r2 + r1-c3 => @r2 } ruleset r0 { - if c1 => { - if c1-1 c1-2 then allow - deny + c1 => { + c1-1 c1-2 => allow + => deny } - if c2 then deny - if c3 => @r1 + c2 => deny + c3 => @r1 } -@r0 +=> @r0 ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test6#2 (text+ko) ==== @@ -1,16 +1,16 @@ define e { - cond e11 e12 - cond e21 e22 + e11 e12 + e21 e22 } define w { - cond w11 @e w12 - cond @e w21 w22 + w11 @e w12 + @e w21 w22 } define q { - cond @w q11 q12 - cond q21 q22 @w + @w q11 q12 + q21 q22 @w } -cond c1 @q c2 => allow +c1 @q c2 => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test7#3 (text+ko) ==== 
@@ -1,34 +1,40 @@ # set of predicates = set of ipfw options containing no actions (allow, deny, ...) -define predicate_1 { - cond src-ip 1.2.3.4 dsp-ip 1.2.3.0/24 - cond src-ip 6.7.8.9 dst-ip 6.7.8.0/24 +define predicate_1 +{ + src-ip 1.2.3.4 dsp-ip 1.2.3.0/24 + src-ip 6.7.8.9 dst-ip 6.7.8.0/24 } -define predicate_2 { - cond proto tcp - cond proto udp +define predicate_2 +{ + proto tcp + proto udp } -define predicate_3 { - cond via bridge1 - cond via bridge2 +define predicate_3 +{ + via bridge1 + via bridge2 } -define predicate_4_nested { - cond @predicate_1 @predicate_2 - cond @predicate_3 tagged 1010 +define predicate_4_nested +{ + @predicate_1 @predicate_2 + @predicate_3 tagged 1010 } # ruleset = set of ipfw rules # rule is just like generic ipfw rule but can contain predicates -ruleset ruleset_1 { - if @predicate_1 => { - if proto tcp then allow - deny +ruleset ruleset_1 +{ + @predicate_1 => + { + proto tcp => allow + => deny } - if proto udp then deny + proto udp => deny } # unnamed = default ruleset -if @predicate_1 @predicate_2 @predicate_3 then allow -if @predicate_3 then @ruleset_1 +@predicate_1 @predicate_2 @predicate_3 => allow +@predicate_3 => @ruleset_1 ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test8#2 (text+ko) ==== @@ -1,1 +1,1 @@ -if c1 c2 c3 { cond w1; cond w2 } => allow +c1 c2 c3 { w1; w2 } => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/test/test9#2 (text+ko) ==== 
@@ -7,65 +7,65 @@ # RFC1918 nets define private_nets { - cond 10.0.0.0/8 - cond 172.16.0.0/12 - cond 192.168.0.0/16 + 10.0.0.0/8 + 172.16.0.0/12 + 192.168.0.0/16 } define reserved_nets { - cond 0.0.0.0/8 - cond 169.254.0.0/16 - cond 192.0.2.0/24 - cond 224.0.0.0/4 - cond 240.0.0.0/4 + 0.0.0.0/8 + 169.254.0.0/16 + 192.0.2.0/24 + 224.0.0.0/4 + 240.0.0.0/4 } define spoofed { - cond src-ip ${inet} in via ${oif} - cond src-ip ${onet} in via ${iif} + src-ip ${inet} in via ${oif} + src-ip ${onet} in via ${iif} } # Stop spoofing -if @spoofed => deny +@spoofed => deny # Stop RFC1918 nets on the outside interface -if dst-ip @private_nets via ${oif} => deny +dst-ip @private_nets via ${oif} => deny # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface -if dst-ip @reserved_nets via ${oif} => deny +dst-ip @reserved_nets via ${oif} => deny # Stop RFC1918 nets on the outside interface -if src-ip @private_nets via ${oif} => deny +src-ip @private_nets via ${oif} => deny # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E) # on the outside interface -if src-ip @reserved_nets via ${oif} => deny +src-ip @reserved_nets via ${oif} => deny # Allow TCP through if setup succeeded -if tcp from any to any established => allow +tcp from any to any established => allow # Allow IP fragments to pass through -if all from any to any frag => pass +all from any to any frag => pass # Allow setup of incoming email, www, dns -if proto tcp dst-ip me setup dst-port { cond 25; cond 80; cond 53; } => allow +proto tcp dst-ip me setup dst-port { 25; 80; 53; } => allow # Allow access to our DNS -if proto tcp dst-ip me dst-port 53 setup => allow -if proto udp dst-ip me => { - cond src-port 53 => allow - cond dst-port 53 => allow +proto tcp dst-ip me dst-port 53 setup => allow +proto udp dst-ip me => { + 
src-port 53 => allow + dst-port 53 => allow } # Reject&Log all setup of incoming connections from the outside -if log proto tcp in via ${oif} setup => deny +log proto tcp in via ${oif} setup => deny # Allow setup of any other TCP connection -if proto tcp setup => allow +proto tcp setup => allow # Allow DNS queries out in the world -if proto udp src-ip me keep-state dst-port { cond 53; cond 123; } => allow +proto udp src-ip me keep-state dst-port { 53; 123; } => allow ==== //depot/projects/soc2009/tsel_ipfw/libexec/ipfw.hll/token.l#4 (text+ko) ==== @@ -81,10 +81,9 @@ [ \t]+ ; ";" { return SEMICOLON; } +":" { return COLON; } "@" { return CALL; } "=" { return SET; } -"if" { return IF; } -"cond" { return IF; } "then" { return THEN; } ">>" { return THEN; } "=>" { return THEN; } ==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/Makefile#4 (text+ko) ==== @@ -5,6 +5,6 @@ WARNS?= 2 LDADD= -lutil MAN= ipfw.8 -DEBUG_FLAGS+= -g +DEBUG_FLAGS+= -g -I${.CURDIR}/../../sys .include <bsd.prog.mk> ==== //depot/projects/soc2009/tsel_ipfw/sbin/ipfw/ipfw2.c#13 (text+ko) ==== @@ -2250,11 +2250,12 @@ optimization_filter_groups(struct insn_match_group_head *head) { struct insn_match_group *g, *g_tmp; + size_t sz; int labels_max, group_count; - group_count = sizeof(labels_max); + sz = sizeof(labels_max); if (sysctlbyname("net.inet.ip.fw.optimization_buf_max", &labels_max, - &group_count, NULL, 0) == -1) { + &sz, NULL, 0) == -1) { errx(EX_DATAERR, "optimization not supported"); } labels_max *= 8 / 2; /* 2 bits long per label. */
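Review bot: Making `":"` a token of its own interacts with the `STR` pattern, which is outside this hunk. If `STR` can contain `:`, the longest-match rule will lex `name:` as one `STR` and the `id COLON` label rule cannot match; if it cannot, colon-bearing operands such as IPv6 or MAC addresses are split into several tokens. A test case covering a label and such an operand would settle which applies. Separately, with `"if"` and `"cond"` removed, rule files in the old syntax presumably now lex those words as ordinary condition strings instead of being rejected with a clear message.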
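Review bot: The include path is added to `DEBUG_FLAGS`, so `-I${.CURDIR}/../../sys` disappears whenever `DEBUG_FLAGS` is overridden or cleared, and the build would then presumably fall back to the installed system headers rather than the in-tree ones. For a tool that shares structure definitions with the kernel firewall code, that mismatch is worth avoiding. `CFLAGS+= -I${.CURDIR}/../../sys` keeps header selection independent of debug settings.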
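Review bot: `labels_max` comes straight from `sysctlbyname()` and is multiplied by `8 / 2` with no range check, so a zero, negative or very large value reaches whatever sizing follows; the rest of `optimization_filter_groups()` is outside the hunk. A guard before the multiplication would cover that, e.g. `if (sz != sizeof(labels_max) || labels_max <= 0 || labels_max > INT_MAX / 4) errx(EX_DATAERR, "bad optimization_buf_max");`. Also, `group_count` used to be initialised as a side effect of serving as the length argument; nothing in the hunk assigns it now, so confirm it is set before its first use. Using `err()` rather than `errx()` on the sysctl failure would keep errno in the message.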