Signed-off-by: Daniel Henrique Barboza <danielhb413(a)gmail.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 132 +++++++++-------------
1 file changed, 56 insertions(+), 76 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 50db150151..70743983ef 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -367,13 +367,12 @@ ebtablesHandleEthHdr(virFirewallPtr fw,
{
char macaddr[VIR_MAC_STRING_BUFLEN];
char macmask[VIR_MAC_STRING_BUFLEN];
- int ret = -1;
if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACAddr)) {
if (printDataType(vars,
macaddr, sizeof(macaddr),
ðHdr->dataSrcMACAddr) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
reverse ? "-d" : "-s",
@@ -385,7 +384,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw,
if (printDataType(vars,
macmask, sizeof(macmask),
ðHdr->dataSrcMACMask) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s/%s", macaddr, macmask);
@@ -398,7 +397,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw,
if (printDataType(vars,
macaddr, sizeof(macaddr),
ðHdr->dataDstMACAddr) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
reverse ? "-s" : "-d",
@@ -410,7 +409,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw,
if (printDataType(vars,
macmask, sizeof(macmask),
ðHdr->dataDstMACMask) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s/%s", macaddr, macmask);
@@ -419,9 +418,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw,
}
}
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
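Review bot: ebtablesHandleEthHdr now ends in a bare `return 0;` with nothing stating what `fwrule` holds when it returns -1 instead: the mask conversions in the two preceding hunks fail after the `-s`/`-d` argument list appears to have been appended already. A rule applied in that state would carry fewer or malformed match conditions than the filter requested, so the contract deserves a header comment such as `/* Returns -1 with fwrule possibly holding partial arguments; the caller must discard fw, never apply it. */`. The same applies to iptablesHandleSrcMacAddr, iptablesHandleIPHdr and iptablesHandleIPHdrAfterStateMatch further down. The callers that drop the firewall transaction are not visible in this patch, so confirm that before wording the comment as a guarantee.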
@@ -789,7 +786,6 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw,
bool *srcmacskipped)
{
char macaddr[VIR_MAC_STRING_BUFLEN];
- int ret = -1;
*srcmacskipped = false;
@@ -802,7 +798,7 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw,
if (printDataType(vars,
macaddr, sizeof(macaddr),
srcMacAddr) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-m", "mac",
@@ -815,9 +811,7 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw,
NULL);
}
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
@@ -837,7 +831,6 @@ iptablesHandleIPHdr(virFirewallPtr fw,
const char *dst = "--destination";
const char *srcrange = "--src-range";
const char *dstrange = "--dst-range";
- int ret = -1;
if (directionIn) {
src = "--destination";
@@ -850,7 +843,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataSrcIPAddr) < 0)
- goto cleanup;
+ return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr))
virFirewallRuleAddArg(fw, fwrule, "!");
@@ -861,7 +854,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataSrcIPMask) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s/%s", ipaddr, number);
@@ -872,7 +865,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataSrcIPFrom) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-m", "iprange",
@@ -886,7 +879,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddralt, sizeof(ipaddralt),
&ipHdr->dataSrcIPTo) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s-%s", ipaddr, ipaddralt);
@@ -899,7 +892,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataDstIPAddr) < 0)
- goto cleanup;
+ return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr))
virFirewallRuleAddArg(fw, fwrule, "!");
@@ -909,7 +902,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataDstIPMask) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s/%s", ipaddr, number);
@@ -920,7 +913,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataDstIPFrom) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-m", "iprange",
@@ -933,7 +926,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
ipaddralt, sizeof(ipaddralt),
&ipHdr->dataDstIPTo) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s-%s", ipaddr, ipaddralt);
@@ -946,7 +939,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataDSCP) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-m", "dscp",
@@ -967,9 +960,7 @@ iptablesHandleIPHdr(virFirewallPtr fw,
}
}
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
@@ -983,7 +974,6 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw,
char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
INT_BUFSIZE_BOUND(int))];
char str[MAX_IPSET_NAME_LENGTH];
- int ret = -1;
if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) &&
HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) {
@@ -991,7 +981,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw,
if (printDataType(vars,
str, sizeof(str),
&ipHdr->dataIPSet) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-m", "set",
@@ -1001,7 +991,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw,
if (printDataTypeDirection(vars,
str, sizeof(str),
&ipHdr->dataIPSetFlags, directionIn) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArg(fw, fwrule, str);
}
@@ -1011,7 +1001,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw,
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataConnlimitAbove) < 0)
- goto cleanup;
+ return -1;
/* place connlimit after potential -m state --state ...
since this is the most useful order */
@@ -1035,9 +1025,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw,
NULL);
}
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
@@ -1181,7 +1169,6 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
bool hasICMPType = false;
virFirewallRulePtr fwrule;
size_t fwruleargs;
- int ret = -1;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
@@ -1200,14 +1187,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.tcpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.tcpHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) {
char *flags;
@@ -1216,11 +1203,11 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
virFirewallRuleAddArg(fw, fwrule, "--tcp-flags");
if (!(flags =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask)))
- goto cleanup;
+ return -1;
virFirewallRuleAddArg(fw, fwrule, flags);
VIR_FREE(flags);
if (!(flags =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags)))
- goto cleanup;
+ return -1;
virFirewallRuleAddArg(fw, fwrule, flags);
VIR_FREE(flags);
}
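Review bot: `flags` in the `--tcp-flags` block is still released by hand with `VIR_FREE(flags)` after each `virFirewallRuleAddArg`, which is fragile now that every failure in this function returns on the spot. The two visible `return -1` lines are safe because `flags` is NULL whenever they are taken, but any return later added between `virNWFilterPrintTCPFlags` and the free would leak the string. If GLib auto-cleanup is available in this file, two scoped strings such as `g_autofree char *mask = NULL;` and `g_autofree char *flags = NULL;` would remove the manual frees. _iptablesCreateRuleInstance starts and ends outside this hunk.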
@@ -1229,13 +1216,13 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
vars,
&rule->p.tcpHdrFilter.portData,
directionIn) < 0)
- goto cleanup;
+ return -1;
if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPOption)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.tcpHdrFilter.dataTCPOption) < 0)
- goto cleanup;
+ return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption))
virFirewallRuleAddArg(fw, fwrule, "!");
@@ -1259,20 +1246,20 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.udpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.udpHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandlePortData(fw, fwrule,
vars,
&rule->p.udpHdrFilter.portData,
directionIn) < 0)
- goto cleanup;
+ return -1;
break;
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
@@ -1289,14 +1276,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.udpliteHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.udpliteHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
break;
@@ -1314,14 +1301,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.espHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.espHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
break;
@@ -1339,14 +1326,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.ahHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.ahHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
break;
@@ -1364,20 +1351,20 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.sctpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.sctpHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandlePortData(fw, fwrule,
vars,
&rule->p.sctpHdrFilter.portData,
directionIn) < 0)
- goto cleanup;
+ return -1;
break;
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
@@ -1400,14 +1387,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.icmpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.icmpHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
const char *parm;
@@ -1416,8 +1403,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
if (maySkipICMP) {
virFirewallRemoveRule(fw, fwrule);
- ret = 0;
- goto cleanup;
+ return 0;
}
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
@@ -1428,7 +1414,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
if (printDataType(vars,
number, sizeof(number),
&rule->p.icmpHdrFilter.dataICMPType) < 0)
- goto cleanup;
+ return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType))
virFirewallRuleAddArg(fw, fwrule, "!");
@@ -1438,7 +1424,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
if (printDataType(vars,
numberalt, sizeof(numberalt),
&rule->p.icmpHdrFilter.dataICMPCode) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgFormat(fw, fwrule,
"%s/%s", number, numberalt);
@@ -1461,14 +1447,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.igmpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.igmpHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
break;
@@ -1486,14 +1472,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
&rule->p.allHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto cleanup;
+ return -1;
if (iptablesHandleIPHdr(fw, fwrule,
vars,
&rule->p.allHdrFilter.ipHdr,
directionIn,
&skipRule, &skipMatch) < 0)
- goto cleanup;
+ return -1;
break;
@@ -1501,7 +1487,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Unexpected protocol %d"),
rule->prtclType);
- goto cleanup;
+ return -1;
}
if ((srcMacSkipped &&
@@ -1540,14 +1526,12 @@ _iptablesCreateRuleInstance(virFirewallPtr fw,
vars,
&rule->p.allHdrFilter.ipHdr,
directionIn) < 0)
- goto cleanup;
+ return -1;
virFirewallRuleAddArgList(fw, fwrule,
"-j", target, NULL);
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
@@ -2483,8 +2467,6 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
const char *ifname,
virNWFilterVarCombIterPtr vars)
{
- int ret = -1;
-
if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
@@ -2495,7 +2477,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
ifname,
vars,
rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT) < 0)
- goto cleanup;
+ return -1;
}
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
@@ -2507,7 +2489,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
ifname,
vars,
false) < 0)
- goto cleanup;
+ return -1;
}
} else {
virFirewallLayer layer;
@@ -2518,7 +2500,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
} else {
virReportError(VIR_ERR_OPERATION_FAILED,
"%s", _("unexpected protocol type"));
- goto cleanup;
+ return -1;
}
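Review bot: The `"unexpected protocol type"` error in this branch carries no value, while the default case in `_iptablesCreateRuleInstance` reports `Unexpected protocol %d` with `rule->prtclType`. Reporting the value here as well, `virReportError(VIR_ERR_OPERATION_FAILED, _("unexpected protocol type %d"), rule->prtclType);`, would let an operator see which filter rule was rejected before the function returns -1. This assumes `rule` has the same definition type in both functions, which the hunk does not show.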
if (iptablesCreateRuleInstance(fw,
@@ -2526,12 +2508,10 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
rule,
ifname,
vars) < 0)
- goto cleanup;
+ return -1;
}
- ret = 0;
- cleanup:
- return ret;
+ return 0;
}
--
2.21.0