diff options
| author | oleg <oleg@FreeBSD.org> | 2012-02-28 21:53:39 +0000 |
|---|---|---|
| committer | oleg <oleg@FreeBSD.org> | 2012-02-28 21:53:39 +0000 |
| commit | 983a52b2c0a9fdb68c2bd523ae16c395c98c8ecc (patch) | |
| tree | 9eea1f1d55ce61e41c768d8971b27aa9a60effef | |
| parent | e045194768da36c96be83da30e4aaa8179f2ac11 (diff) | |
| download | FreeBSD-src-983a52b2c0a9fdb68c2bd523ae16c395c98c8ecc.zip FreeBSD-src-983a52b2c0a9fdb68c2bd523ae16c395c98c8ecc.tar.gz | |
lookup_dyn_rule_locked(): style(9) cleanup
MFC after: 1 month
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_dynamic.c | 126 |
1 files changed, 62 insertions, 64 deletions
diff --git a/sys/netinet/ipfw/ip_fw_dynamic.c b/sys/netinet/ipfw/ip_fw_dynamic.c index 7239054..6a9e63c 100644 --- a/sys/netinet/ipfw/ip_fw_dynamic.c +++ b/sys/netinet/ipfw/ip_fw_dynamic.c @@ -390,72 +390,68 @@ ipfw_remove_dyn_children(struct ip_fw *rule) IPFW_DYN_UNLOCK(); } -/** - * lookup a dynamic rule, locked version +/* + * Lookup a dynamic rule, locked version. */ static ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, struct tcphdr *tcp) { /* - * stateful ipfw extensions. - * Lookup into dynamic session queue + * Stateful ipfw extensions. + * Lookup into dynamic session queue. */ #define MATCH_REVERSE 0 #define MATCH_FORWARD 1 #define MATCH_NONE 2 #define MATCH_UNKNOWN 3 int i, dir = MATCH_NONE; - ipfw_dyn_rule *prev, *q=NULL; + ipfw_dyn_rule *prev, *q = NULL; IPFW_DYN_LOCK_ASSERT(); if (V_ipfw_dyn_v == NULL) - goto done; /* not found */ - i = hash_packet( pkt ); - for (prev=NULL, q = V_ipfw_dyn_v[i] ; q != NULL ; ) { + goto done; /* not found */ + i = hash_packet(pkt); + for (prev = NULL, q = V_ipfw_dyn_v[i]; q != NULL;) { if (q->dyn_type == O_LIMIT_PARENT && q->count) goto next; - if (TIME_LEQ( q->expire, time_uptime)) { /* expire entry */ + if (TIME_LEQ(q->expire, time_uptime)) { /* expire entry */ UNLINK_DYN_RULE(prev, V_ipfw_dyn_v[i], q); continue; } - if (pkt->proto == q->id.proto && - q->dyn_type != O_LIMIT_PARENT) { - if (IS_IP6_FLOW_ID(pkt)) { - if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), - &(q->id.src_ip6)) && - IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), - &(q->id.dst_ip6)) && + if (pkt->proto != q->id.proto || q->dyn_type == O_LIMIT_PARENT) + goto next; + + if (IS_IP6_FLOW_ID(pkt)) { + if (IN6_ARE_ADDR_EQUAL(&pkt->src_ip6, &q->id.src_ip6) && + IN6_ARE_ADDR_EQUAL(&pkt->dst_ip6, &q->id.dst_ip6) && pkt->src_port == q->id.src_port && - pkt->dst_port == q->id.dst_port ) { + pkt->dst_port == q->id.dst_port) { dir = MATCH_FORWARD; break; - } - if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), - &(q->id.dst_ip6)) && - IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), - &(q->id.src_ip6)) && - pkt->src_port == q->id.dst_port && - pkt->dst_port == q->id.src_port ) { - dir = MATCH_REVERSE; - break; - } - } else { - if (pkt->src_ip == q->id.src_ip && - pkt->dst_ip == q->id.dst_ip && - pkt->src_port == q->id.src_port && - pkt->dst_port == q->id.dst_port ) { - dir = MATCH_FORWARD; - break; - } - if (pkt->src_ip == q->id.dst_ip && - pkt->dst_ip == q->id.src_ip && - pkt->src_port == q->id.dst_port && - pkt->dst_port == q->id.src_port ) { - dir = MATCH_REVERSE; - break; - } + } + if (IN6_ARE_ADDR_EQUAL(&pkt->src_ip6, &q->id.dst_ip6) && + IN6_ARE_ADDR_EQUAL(&pkt->dst_ip6, &q->id.src_ip6) && + pkt->src_port == q->id.dst_port && + pkt->dst_port == q->id.src_port) { + dir = MATCH_REVERSE; + break; + } + } else { + if (pkt->src_ip == q->id.src_ip && + pkt->dst_ip == q->id.dst_ip && + pkt->src_port == q->id.src_port && + pkt->dst_port == q->id.dst_port) { + dir = MATCH_FORWARD; + break; + } + if (pkt->src_ip == q->id.dst_ip && + pkt->dst_ip == q->id.src_ip && + pkt->src_port == q->id.dst_port && + pkt->dst_port == q->id.src_port) { + dir = MATCH_REVERSE; + break; } } next: @@ -463,43 +459,45 @@ next: q = q->next; } if (q == NULL) - goto done; /* q = NULL, not found */ + goto done; /* q = NULL, not found */ - if ( prev != NULL) { /* found and not in front */ + if (prev != NULL) { /* found and not in front */ prev->next = q->next; q->next = V_ipfw_dyn_v[i]; V_ipfw_dyn_v[i] = q; } if (pkt->proto == IPPROTO_TCP) { /* update state according to flags */ - u_char flags = pkt->_flags & (TH_FIN|TH_SYN|TH_RST); + uint32_t ack; + u_char flags = pkt->_flags & (TH_FIN | TH_SYN | TH_RST); #define BOTH_SYN (TH_SYN | (TH_SYN << 8)) #define BOTH_FIN (TH_FIN | (TH_FIN << 8)) - q->state |= (dir == MATCH_FORWARD ) ? flags : (flags << 8); + q->state |= (dir == MATCH_FORWARD) ? flags : (flags << 8); switch (q->state) { - case TH_SYN: /* opening */ + case TH_SYN: /* opening */ q->expire = time_uptime + V_dyn_syn_lifetime; break; case BOTH_SYN: /* move to established */ - case BOTH_SYN | TH_FIN : /* one side tries to close */ - case BOTH_SYN | (TH_FIN << 8) : - if (tcp) { + case BOTH_SYN | TH_FIN: /* one side tries to close */ + case BOTH_SYN | (TH_FIN << 8): #define _SEQ_GE(a,b) ((int)(a) - (int)(b) >= 0) - u_int32_t ack = ntohl(tcp->th_ack); - if (dir == MATCH_FORWARD) { + if (tcp == NULL) { + q->expire = time_uptime + V_dyn_ack_lifetime; + break; + } + + ack = ntohl(tcp->th_ack); + if (dir == MATCH_FORWARD) { if (q->ack_fwd == 0 || _SEQ_GE(ack, q->ack_fwd)) - q->ack_fwd = ack; - else { /* ignore out-of-sequence */ - break; - } - } else { + q->ack_fwd = ack; + else /* ignore out-of-sequence */ + break; + } else { if (q->ack_rev == 0 || _SEQ_GE(ack, q->ack_rev)) - q->ack_rev = ack; - else { /* ignore out-of-sequence */ - break; - } - } + q->ack_rev = ack; + else /* ignore out-of-sequence */ + break; } q->expire = time_uptime + V_dyn_ack_lifetime; break; @@ -531,9 +529,9 @@ next: q->expire = time_uptime + V_dyn_short_lifetime; } done: - if (match_direction) + if (match_direction != NULL) *match_direction = dir; - return q; + return (q); } ipfw_dyn_rule * |
