Date:      Mon, 13 Jul 2020 17:51:04 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r363164 - head/sbin/ipfw
Message-ID:  <202007131751.06DHp4KX002359@repo.freebsd.org>

Author: markj
Date: Mon Jul 13 17:51:04 2020
New Revision: 363164
URL: https://svnweb.freebsd.org/changeset/base/363164

Log:
  ipfw(8): Fix most warnings with the default WARNS level.
  
  - Add missing const and static qualifiers.
  - Avoid shadowing the global "co" by renaming it to "g_co".
  - Avoid mixing signedness in loop bound checks.
  - Leave -Wcast-align warnings disabled for now.
  
  Reviewed by:	ae, melifaro
  MFC after:	2 weeks
  Differential Revision:	https://reviews.freebsd.org/D25456

Modified:
  head/sbin/ipfw/Makefile
  head/sbin/ipfw/altq.c
  head/sbin/ipfw/dummynet.c
  head/sbin/ipfw/ipfw2.c
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/ipv6.c
  head/sbin/ipfw/main.c
  head/sbin/ipfw/nat.c
  head/sbin/ipfw/nat64clat.c
  head/sbin/ipfw/nat64lsn.c
  head/sbin/ipfw/nat64stl.c
  head/sbin/ipfw/nptv6.c
  head/sbin/ipfw/tables.c

Modified: head/sbin/ipfw/Makefile
==============================================================================
--- head/sbin/ipfw/Makefile	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/Makefile	Mon Jul 13 17:51:04 2020	(r363164)
@@ -6,7 +6,6 @@ PACKAGE=ipfw
 PROG=	ipfw
 SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c tables.c
 SRCS+=	nat64clat.c nat64lsn.c nat64stl.c nptv6.c
-WARNS?=	2
 
 .if ${MK_PF} != "no"
 SRCS+=	altq.c
@@ -17,3 +16,5 @@ LIBADD=	jail util
 MAN=	ipfw.8
 
 .include <bsd.prog.mk>
+
+CWARNFLAGS+= -Wno-cast-align
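Review bot: The added `CWARNFLAGS+= -Wno-cast-align` line turns the alignment warning off for every source file in the program without recording why, so a later reader cannot tell which casts were judged safe and which were never looked at. A comment directly above it would help, for example `# ipfw casts opcode buffers to wider instruction structs; re-enable -Wcast-align once those casts are audited`. The commit log says the warning is left disabled "for now", and putting that next to the flag keeps the follow-up visible where it will be removed.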

Modified: head/sbin/ipfw/altq.c
==============================================================================
--- head/sbin/ipfw/altq.c	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/altq.c	Mon Jul 13 17:51:04 2020	(r363164)
@@ -140,7 +140,7 @@ altq_qid_to_name(u_int32_t qid)
 }
 
 void
-print_altq_cmd(struct buf_pr *bp, ipfw_insn_altq *altqptr)
+print_altq_cmd(struct buf_pr *bp, const ipfw_insn_altq *altqptr)
 {
 	if (altqptr) {
 		const char *qname;

Modified: head/sbin/ipfw/dummynet.c
==============================================================================
--- head/sbin/ipfw/dummynet.c	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/dummynet.c	Mon Jul 13 17:51:04 2020	(r363164)
@@ -166,8 +166,8 @@ enum {
 #define PIE_SCALE (1L<<PIE_FIX_POINT_BITS)
 
 /* integer to time */
-void 
-us_to_time(int t,char *strt)
+static void
+us_to_time(int t, char *strt)
 {
 	if (t < 0)
 		strt[0]='\0';
@@ -221,7 +221,7 @@ time_to_us(const char *s)
 
  
 /* Get AQM or scheduler extra parameters  */
-void
+static void
 get_extra_parms(uint32_t nr, char *out, int subtype)
 { 
 	struct dn_extra_parms *ep;
@@ -586,7 +586,7 @@ list_pipes(struct dn_id *oid, struct dn_id *end)
 		break;
 	    }
 	case DN_CMD_GET:
-	    if (co.verbose)
+	    if (g_co.verbose)
 		printf("answer for cmd %d, len %d\n", oid->type, oid->id);
 	    break;
 	case DN_SCH: {
@@ -636,7 +636,7 @@ list_pipes(struct dn_id *oid, struct dn_id *end)
 		sprintf(bwbuf, "%7.3f bit/s ", b);
 
 	    if (humanize_number(burst, sizeof(burst), p->burst,
-		    "", HN_AUTOSCALE, 0) < 0 || co.verbose)
+		    "", HN_AUTOSCALE, 0) < 0 || g_co.verbose)
 		sprintf(burst, "%d", (int)p->burst);
 	    sprintf(buf, "%05d: %s %4d ms burst %s",
 		p->link_nr % DN_MAX_ID, bwbuf, p->delay, burst);
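Review bot: The two `sprintf` calls kept as context in this hunk write into `burst` and `buf` with no bound, although the `humanize_number` call just above already passes `sizeof(burst)`. Since list_pipes is being cleaned up for warnings anyway, `snprintf(burst, sizeof(burst), "%d", (int)p->burst);` would bound the fallback path in the same way. The declarations of `burst`, `buf` and `bwbuf` are outside the hunk, so whether the current sizes can be exceeded cannot be confirmed from here, and the equivalent change for `buf` applies only if it is an array in this scope.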
@@ -1317,7 +1317,7 @@ ipfw_config_pipe(int ac, char **av)
 	o_next(&buf, sizeof(struct dn_id), DN_CMD_CONFIG);
 	base->id = DN_API_VERSION;
 
-	switch (co.do_pipe) {
+	switch (g_co.do_pipe) {
 	case 1: /* "pipe N config ..." */
 		/* Allocate space for the WF2Q+ scheduler, its link
 		 * and the FIFO flowset. Set the number, but leave
@@ -1893,7 +1893,7 @@ parse_range(int ac, char *av[], uint32_t *v, int len)
 		}
 		n++;
 		/* translate if 'pipe list' */
-		if (co.do_pipe == 1) {
+		if (g_co.do_pipe == 1) {
 			v[0] += DN_MAX_ID;
 			v[1] += DN_MAX_ID;
 		}
@@ -1947,7 +1947,7 @@ dummynet_list(int ac, char *av[], int show_counters)
 	if (max_size < sizeof(struct dn_flow))
 		max_size = sizeof(struct dn_flow);
 
-	switch (co.do_pipe) {
+	switch (g_co.do_pipe) {
 	case 1:
 		oid->subtype = DN_LINK;	/* list pipe */
 		break;

Modified: head/sbin/ipfw/ipfw2.c
==============================================================================
--- head/sbin/ipfw/ipfw2.c	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/ipfw2.c	Mon Jul 13 17:51:04 2020	(r363164)
@@ -57,7 +57,7 @@
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
 
-struct cmdline_opts co;	/* global options */
+struct cmdline_opts g_co;	/* global options */
 
 struct format_opts {
 	int bcwidth;
@@ -74,7 +74,7 @@ struct format_opts {
 
 int resvd_set_number = RESVD_SET;
 
-int ipfw_socket = -1;
+static int ipfw_socket = -1;
 
 #define	CHECK_LENGTH(v, len) do {				\
 	if ((v) < (len))					\
@@ -395,8 +395,8 @@ static int ipfw_show_config(struct cmdline_opts *co, s
 static void ipfw_list_tifaces(void);
 
 struct tidx;
-static uint16_t pack_object(struct tidx *tstate, char *name, int otype);
-static uint16_t pack_table(struct tidx *tstate, char *name);
+static uint16_t pack_object(struct tidx *tstate, const char *name, int otype);
+static uint16_t pack_table(struct tidx *tstate, const char *name);
 
 static char *table_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx);
 static void object_sort_ctlv(ipfw_obj_ctlv *ctlv);
@@ -456,7 +456,7 @@ bp_flush(struct buf_pr *b)
  * Returns number of bytes that should have been printed.
  */
 int
-bprintf(struct buf_pr *b, char *format, ...)
+bprintf(struct buf_pr *b, const char *format, ...)
 {
 	va_list args;
 	int i;
@@ -466,7 +466,7 @@ bprintf(struct buf_pr *b, char *format, ...)
 	i = vsnprintf(b->ptr, b->avail, format, args);
 	va_end(args);
 
-	if (i > b->avail || i < 0) {
+	if (i < 0 || (size_t)i > b->avail) {
 		/* Overflow or print error */
 		b->avail = 0;
 	} else {
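Review bot: The rewritten test `(size_t)i > b->avail` still treats `i == b->avail` as success, although vsnprintf() has already dropped the last character in that case because it keeps one byte for the terminator. print_flags_buffer in this same commit uses `>=` for the equivalent test, so the two should agree: `if (i < 0 || (size_t)i >= b->avail) {`. The else branch continues outside the hunk, so how `b->ptr` and `b->avail` are advanced on the boundary case is not visible here.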
@@ -569,7 +569,7 @@ do_cmd(int optname, void *optval, uintptr_t optlen)
 {
 	int i;
 
-	if (co.test_only)
+	if (g_co.test_only)
 		return 0;
 
 	if (ipfw_socket == -1)
@@ -606,7 +606,7 @@ int
 do_set3(int optname, ip_fw3_opheader *op3, size_t optlen)
 {
 
-	if (co.test_only)
+	if (g_co.test_only)
 		return (0);
 
 	if (ipfw_socket == -1)
@@ -635,7 +635,7 @@ do_get3(int optname, ip_fw3_opheader *op3, size_t *opt
 	int error;
 	socklen_t len;
 
-	if (co.test_only)
+	if (g_co.test_only)
 		return (0);
 
 	if (ipfw_socket == -1)
@@ -725,7 +725,8 @@ match_value(struct _s_x *p, int value)
 }
 
 size_t
-concat_tokens(char *buf, size_t bufsize, struct _s_x *table, char *delimiter)
+concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
+    const char *delimiter)
 {
 	struct _s_x *pt;
 	int l;
@@ -788,7 +789,7 @@ print_flags_buffer(char *buf, size_t sz, struct _s_x *
 		
 		set &= ~list[i].x;
 		l = snprintf(buf, sz, "%s%s", comma, list[i].s);
-		if (l >= sz)
+		if (l < 0 || (size_t)l >= sz)
 			return;
 		comma = ",";
 		buf += l;
@@ -856,13 +857,13 @@ print_port(struct buf_pr *bp, int proto, uint16_t port
 	if (proto == IPPROTO_ETHERTYPE) {
 		char const *s;
 
-		if (co.do_resolv && (s = match_value(ether_types, port)) )
+		if (g_co.do_resolv && (s = match_value(ether_types, port)) )
 			bprintf(bp, "%s", s);
 		else
 			bprintf(bp, "0x%04x", port);
 	} else {
 		struct servent *se = NULL;
-		if (co.do_resolv) {
+		if (g_co.do_resolv) {
 			struct protoent *pe = getprotobynumber(proto);
 
 			se = getservbyport(htons(port), pe ? pe->p_name : NULL);
@@ -893,9 +894,9 @@ static struct _s_x _port_name[] = {
  * XXX todo: add support for mask.
  */
 static void
-print_newports(struct buf_pr *bp, ipfw_insn_u16 *cmd, int proto, int opcode)
+print_newports(struct buf_pr *bp, const ipfw_insn_u16 *cmd, int proto, int opcode)
 {
-	uint16_t *p = cmd->ports;
+	const uint16_t *p = cmd->ports;
 	int i;
 	char const *sep;
 
@@ -906,7 +907,7 @@ print_newports(struct buf_pr *bp, ipfw_insn_u16 *cmd, 
 		bprintf(bp, " %s", sep);
 	}
 	sep = " ";
-	for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
+	for (i = F_LEN((const ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
 		bprintf(bp, "%s", sep);
 		print_port(bp, proto, p[0]);
 		if (p[0] != p[1]) {
@@ -1134,7 +1135,7 @@ print_reject_code(struct buf_pr *bp, uint16_t code)
  * len is the max length in bits.
  */
 int
-contigmask(uint8_t *p, int len)
+contigmask(const uint8_t *p, int len)
 {
 	int i, n;
 
@@ -1152,7 +1153,7 @@ contigmask(uint8_t *p, int len)
  * There is a specialized check for f_tcpflags.
  */
 static void
-print_flags(struct buf_pr *bp, char const *name, ipfw_insn *cmd,
+print_flags(struct buf_pr *bp, char const *name, const ipfw_insn *cmd,
     struct _s_x *list)
 {
 	char const *comma = "";
@@ -1185,12 +1186,13 @@ print_flags(struct buf_pr *bp, char const *name, ipfw_
  * Print the ip address contained in a command.
  */
 static void
-print_ip(struct buf_pr *bp, const struct format_opts *fo, ipfw_insn_ip *cmd)
+print_ip(struct buf_pr *bp, const struct format_opts *fo,
+    const ipfw_insn_ip *cmd)
 {
 	struct hostent *he = NULL;
-	struct in_addr *ia;
-	uint32_t len = F_LEN((ipfw_insn *)cmd);
-	uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
+	const struct in_addr *ia;
+	const uint32_t *a = ((const ipfw_insn_u32 *)cmd)->d;
+	uint32_t len = F_LEN((const ipfw_insn *)cmd);
 	char *t;
 
 	bprintf(bp, " ");
@@ -1200,7 +1202,8 @@ print_ip(struct buf_pr *bp, const struct format_opts *
 
 		if (d < sizeof(lookup_key)/sizeof(lookup_key[0]))
 			arg = match_value(rule_options, lookup_key[d]);
-		t = table_search_ctlv(fo->tstate, ((ipfw_insn *)cmd)->arg1);
+		t = table_search_ctlv(fo->tstate,
+		    ((const ipfw_insn *)cmd)->arg1);
 		bprintf(bp, "lookup %s %s", arg, t);
 		return;
 	}
@@ -1210,7 +1213,8 @@ print_ip(struct buf_pr *bp, const struct format_opts *
 	}
 	if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
 	    cmd->o.opcode == O_IP_DST_LOOKUP) {
-		t = table_search_ctlv(fo->tstate, ((ipfw_insn *)cmd)->arg1);
+		t = table_search_ctlv(fo->tstate,
+		    ((const ipfw_insn *)cmd)->arg1);
 		bprintf(bp, "table(%s", t);
 		if (len == F_INSN_SIZE(ipfw_insn_u32))
 			bprintf(bp, ",%u", *a);
@@ -1218,16 +1222,18 @@ print_ip(struct buf_pr *bp, const struct format_opts *
 		return;
 	}
 	if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
-		uint32_t x, *map = (uint32_t *)&(cmd->mask);
+		const uint32_t *map = (const uint32_t *)&cmd->mask;
+		struct in_addr addr;
+		uint32_t x;
 		int i, j;
 		char comma = '{';
 
 		x = cmd->o.arg1 - 1;
-		x = htonl( ~x );
-		cmd->addr.s_addr = htonl(cmd->addr.s_addr);
-		bprintf(bp, "%s/%d", inet_ntoa(cmd->addr),
-			contigmask((uint8_t *)&x, 32));
-		x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
+		x = htonl(~x);
+		addr.s_addr = htonl(cmd->addr.s_addr);
+		bprintf(bp, "%s/%d", inet_ntoa(addr),
+		    contigmask((uint8_t *)&x, 32));
+		x = cmd->addr.s_addr;
 		x &= 0xff; /* base */
 		/*
 		 * Print bits and ranges.
@@ -1258,19 +1264,19 @@ print_ip(struct buf_pr *bp, const struct format_opts *
     for (len = len / 2; len > 0; len--, a += 2) {
 	int mb =	/* mask length */
 	    (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
-		32 : contigmask((uint8_t *)&(a[1]), 32);
-	if (mb == 32 && co.do_resolv)
-		he = gethostbyaddr((char *)&(a[0]), sizeof(in_addr_t),
+		32 : contigmask((const uint8_t *)&(a[1]), 32);
+	if (mb == 32 && g_co.do_resolv)
+		he = gethostbyaddr((const char *)&(a[0]), sizeof(in_addr_t),
 		    AF_INET);
 	if (he != NULL)		/* resolved to name */
 		bprintf(bp, "%s", he->h_name);
 	else if (mb == 0)	/* any */
 		bprintf(bp, "any");
 	else {		/* numeric IP followed by some kind of mask */
-		ia = (struct in_addr *)&a[0];
+		ia = (const struct in_addr *)&a[0];
 		bprintf(bp, "%s", inet_ntoa(*ia));
 		if (mb < 0) {
-			ia = (struct in_addr *)&a[1];
+			ia = (const struct in_addr *)&a[1];
 			bprintf(bp, ":%s", inet_ntoa(*ia));
 		} else if (mb < 32)
 			bprintf(bp, "/%d", mb);
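Review bot: `he` is assigned only when `mb == 32 && g_co.do_resolv` holds, but the following `if (he != NULL)` is evaluated on every pass of the loop, so a name resolved for one address appears to be printed again for later entries that were not looked up. `he` is set to NULL once at the top of print_ip and nothing in the lines shown resets it; the loop body ends outside the hunk, so a reset there cannot be ruled out. If there is none, `he = NULL;` as the first statement of the loop body fixes it, so that a rule listing never shows a host name for an address/mask pair that was not resolved. The print_ip6 hunk in ipv6.c has the same shape around `mb == 128`.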
@@ -1284,7 +1290,7 @@ print_ip(struct buf_pr *bp, const struct format_opts *
  * prints a MAC address/mask pair
  */
 static void
-format_mac(struct buf_pr *bp, uint8_t *addr, uint8_t *mask)
+format_mac(struct buf_pr *bp, const uint8_t *addr, const uint8_t *mask)
 {
 	int l = contigmask(mask, 48);
 
@@ -1303,7 +1309,7 @@ format_mac(struct buf_pr *bp, uint8_t *addr, uint8_t *
 }
 
 static void
-print_mac(struct buf_pr *bp, ipfw_insn_mac *mac)
+print_mac(struct buf_pr *bp, const ipfw_insn_mac *mac)
 {
 
 	bprintf(bp, " MAC");
@@ -1336,7 +1342,7 @@ fill_icmptypes(ipfw_insn_u32 *cmd, char *av)
 }
 
 static void
-print_icmptypes(struct buf_pr *bp, ipfw_insn_u32 *cmd)
+print_icmptypes(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
 {
 	int i;
 	char sep= ' ';
@@ -1351,12 +1357,12 @@ print_icmptypes(struct buf_pr *bp, ipfw_insn_u32 *cmd)
 }
 
 static void
-print_dscp(struct buf_pr *bp, ipfw_insn_u32 *cmd)
+print_dscp(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
 {
+	const uint32_t *v;
+	const char *code;
 	int i = 0;
-	uint32_t *v;
 	char sep= ' ';
-	const char *code;
 
 	bprintf(bp, " dscp");
 	v = cmd->d;
@@ -1374,7 +1380,7 @@ print_dscp(struct buf_pr *bp, ipfw_insn_u32 *cmd)
 	}
 }
 
-#define	insntod(cmd, type)	((ipfw_insn_ ## type *)(cmd))
+#define	insntod(cmd, type)	((const ipfw_insn_ ## type *)(cmd))
 struct show_state {
 	struct ip_fw_rule	*rule;
 	const ipfw_insn		*eaction;
@@ -1443,7 +1449,7 @@ print_limit_mask(struct buf_pr *bp, const ipfw_insn_li
 
 static int
 print_instruction(struct buf_pr *bp, const struct format_opts *fo,
-    struct show_state *state, ipfw_insn *cmd)
+    struct show_state *state, const ipfw_insn *cmd)
 {
 	struct protoent *pe;
 	struct passwd *pwd;
@@ -1685,7 +1691,7 @@ print_instruction(struct buf_pr *bp, const struct form
 		bprintf(bp, " ipsec");
 		break;
 	case O_NOP:
-		bprintf(bp, " // %s", (char *)(cmd + 1));
+		bprintf(bp, " // %s", (const char *)(cmd + 1));
 		break;
 	case O_KEEP_STATE:
 		if (state->flags & HAVE_PROBE_STATE)
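Review bot: The O_NOP case prints the bytes after the instruction header with a plain `%s`, so the output depends on the comment being NUL-terminated inside the instruction. The instruction length is available through F_LEN, and a precision would bound the read to the instruction itself, e.g. `bprintf(bp, " // %.*s", (int)((F_LEN(cmd) - 1) * sizeof(uint32_t)), (const char *)(cmd + 1));`. That assumes F_LEN counts 32-bit words including a one-word header, which should be checked against the macro definition. print_instruction starts and ends outside the hunk.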
@@ -1777,8 +1783,8 @@ static void
 print_fwd(struct buf_pr *bp, const ipfw_insn *cmd)
 {
 	char buf[INET6_ADDRSTRLEN + IF_NAMESIZE + 2];
-	ipfw_insn_sa6 *sa6;
-	ipfw_insn_sa *sa;
+	const ipfw_insn_sa6 *sa6;
+	const ipfw_insn_sa *sa;
 	uint16_t port;
 
 	if (cmd->opcode == O_FORWARD_IP) {
@@ -2056,7 +2062,7 @@ print_proto(struct buf_pr *bp, struct format_opts *fo,
 static int
 match_opcode(int opcode, const int opcodes[], size_t nops)
 {
-	int i;
+	size_t i;
 
 	for (i = 0; i < nops; i++)
 		if (opcode == opcodes[i])
@@ -2138,10 +2144,10 @@ static void
 show_static_rule(struct cmdline_opts *co, struct format_opts *fo,
     struct buf_pr *bp, struct ip_fw_rule *rule, struct ip_fw_bcounter *cntr)
 {
+	static int twidth = 0;
 	struct show_state state;
 	ipfw_insn *cmd;
-	static int twidth = 0;
-	int i;
+	size_t i;
 
 	/* Print # DISABLED or skip the rule */
 	if ((fo->set_mask & (1 << rule->set)) == 0) {
@@ -2361,7 +2367,7 @@ void
 ipfw_sets_handler(char *av[])
 {
 	ipfw_range_tlv rt;
-	char *msg;
+	const char *msg;
 	size_t size;
 	uint32_t masks[2];
 	int i;
@@ -2378,7 +2384,7 @@ ipfw_sets_handler(char *av[])
 		ipfw_cfg_lheader *cfg;
 
 		memset(&fo, 0, sizeof(fo));
-		if (ipfw_get_config(&co, &fo, &cfg, &size) != 0)
+		if (ipfw_get_config(&g_co, &fo, &cfg, &size) != 0)
 			err(EX_OSERR, "requesting config failed");
 
 		for (i = 0, msg = "disable"; i < RESVD_SET; i++)
@@ -2507,7 +2513,7 @@ typedef void state_cb(struct cmdline_opts *co, struct 
 
 static void
 prepare_format_dyn(struct cmdline_opts *co, struct format_opts *fo,
-    void *arg, void *_state)
+    void *arg __unused, void *_state)
 {
 	ipfw_dyn_rule *d;
 	int width;
@@ -2701,11 +2707,11 @@ ipfw_list(int ac, char *av[], int show_counters)
 	uint32_t rnum;
 	char *endptr;
 
-	if (co.test_only) {
+	if (g_co.test_only) {
 		fprintf(stderr, "Testing only, list disabled\n");
 		return;
 	}
-	if (co.do_pipe) {
+	if (g_co.do_pipe) {
 		dummynet_list(ac, av, show_counters);
 		return;
 	}
@@ -2731,17 +2737,17 @@ ipfw_list(int ac, char *av[], int show_counters)
 	/* get configuraion from kernel */
 	cfg = NULL;
 	sfo.show_counters = show_counters;
-	sfo.show_time = co.do_time;
-	if (co.do_dynamic != 2)
+	sfo.show_time = g_co.do_time;
+	if (g_co.do_dynamic != 2)
 		sfo.flags |= IPFW_CFG_GET_STATIC;
-	if (co.do_dynamic != 0)
+	if (g_co.do_dynamic != 0)
 		sfo.flags |= IPFW_CFG_GET_STATES;
 	if ((sfo.show_counters | sfo.show_time) != 0)
 		sfo.flags |= IPFW_CFG_GET_COUNTERS;
-	if (ipfw_get_config(&co, &sfo, &cfg, &sz) != 0)
+	if (ipfw_get_config(&g_co, &sfo, &cfg, &sz) != 0)
 		err(EX_OSERR, "retrieving config failed");
 
-	error = ipfw_show_config(&co, &sfo, cfg, sz, ac, av);
+	error = ipfw_show_config(&g_co, &sfo, cfg, sz, ac, av);
 
 	free(cfg);
 
@@ -2974,7 +2980,8 @@ ipfw_check_object_name(const char *name)
 	return (0);
 }
 
-static char *default_state_name = "default";
+static const char *default_state_name = "default";
+
 static int
 state_check_name(const char *name)
 {
@@ -3000,10 +3007,10 @@ eaction_check_name(const char *name)
 }
 
 static uint16_t
-pack_object(struct tidx *tstate, char *name, int otype)
+pack_object(struct tidx *tstate, const char *name, int otype)
 {
-	int i;
 	ipfw_obj_ntlv *ntlv;
+	uint32_t i;
 
 	for (i = 0; i < tstate->count; i++) {
 		if (strcmp(tstate->idx[i].name, name) != 0)
@@ -3037,7 +3044,7 @@ pack_object(struct tidx *tstate, char *name, int otype
 }
 
 static uint16_t
-pack_table(struct tidx *tstate, char *name)
+pack_table(struct tidx *tstate, const char *name)
 {
 
 	if (table_check_name(name) != 0)
@@ -3116,7 +3123,7 @@ fill_ip(ipfw_insn_ip *cmd, char *av, int cblen, struct
 	int masklen;
 	char md, nd = '\0';
 
-	CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn) + 2 + len);
+	CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn) + 2 + len);
 
 	if (p) {
 		md = *p;
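Review bot: The `(int)` cast added to the CHECK_LENGTH argument changes more than the warning: if F_INSN_SIZE yields a size_t, the old comparison converted `cblen` to unsigned, so a negative remaining length passed the check, whereas the new comparison is signed and rejects it. That is the safer behaviour, but it deserves a comment at the call, e.g. `/* signed compare: a negative cblen must fail, not wrap */`. The same cast is added in fill_icmp6types, fill_ip6 and fill_flow6 in ipv6.c. Any CHECK_LENGTH call sites this commit does not touch would keep the unsigned comparison, so casting once inside the macro may be the more consistent place.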
@@ -3314,7 +3321,7 @@ ipfw_delete(char *av[])
 		/* Do not allow using the following syntax:
 		 *	ipfw set N delete set M
 		 */
-		if (co.use_set)
+		if (g_co.use_set)
 			errx(EX_DATAERR, "invalid syntax");
 		do_set = 1;	/* delete set */
 		av++;
@@ -3327,10 +3334,10 @@ ipfw_delete(char *av[])
 		if (*sep== '-')
 			j = strtol(sep + 1, NULL, 10);
 		av++;
-		if (co.do_nat) {
+		if (g_co.do_nat) {
 			exitval = ipfw_delete_nat(i);
-		} else if (co.do_pipe) {
-			exitval = ipfw_delete_pipe(co.do_pipe, i);
+		} else if (g_co.do_pipe) {
+			exitval = ipfw_delete_pipe(g_co.do_pipe, i);
 		} else {
 			memset(&rt, 0, sizeof(rt));
 			if (do_set != 0) {
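Review bot: The end of the range is parsed with `j = strtol(sep + 1, NULL, 10);`, which accepts trailing characters and out-of-range values without reporting an error. For a command that deletes firewall rules, a mistyped range is better rejected than partly interpreted. If nothing else is expected after the number, passing an end pointer and testing it would do that: `j = strtol(sep + 1, &end, 10);` followed by `if (*end != '\0') errx(EX_DATAERR, "invalid rule range");`. How `i` and `j` are parsed before and used after these lines lies outside the hunk.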
@@ -3343,24 +3350,24 @@ ipfw_delete(char *av[])
 					rt.flags |= IPFW_RCFLAG_ALL;
 				else
 					rt.flags |= IPFW_RCFLAG_RANGE;
-				if (co.use_set != 0) {
-					rt.set = co.use_set - 1;
+				if (g_co.use_set != 0) {
+					rt.set = g_co.use_set - 1;
 					rt.flags |= IPFW_RCFLAG_SET;
 				}
 			}
-			if (co.do_dynamic == 2)
+			if (g_co.do_dynamic == 2)
 				rt.flags |= IPFW_RCFLAG_DYNAMIC;
 			i = do_range_cmd(IP_FW_XDEL, &rt);
 			if (i != 0) {
 				exitval = EX_UNAVAILABLE;
-				if (co.do_quiet)
+				if (g_co.do_quiet)
 					continue;
 				warn("rule %u: setsockopt(IP_FW_XDEL)",
 				    rt.start_rule);
 			} else if (rt.new_set == 0 && do_set == 0 &&
-			    co.do_dynamic != 2) {
+			    g_co.do_dynamic != 2) {
 				exitval = EX_UNAVAILABLE;
-				if (co.do_quiet)
+				if (g_co.do_quiet)
 					continue;
 				if (rt.start_rule != rt.end_rule)
 					warnx("no rules rules in %u-%u range",
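Review bot: The warning text in the last line of this hunk reads `no rules rules in %u-%u range`, with the word doubled. `warnx("no rules in %u-%u range",` is presumably what was meant. The call continues outside the hunk.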
@@ -3371,7 +3378,7 @@ ipfw_delete(char *av[])
 			}
 		}
 	}
-	if (exitval != EX_OK && co.do_force == 0)
+	if (exitval != EX_OK && g_co.do_force == 0)
 		exit(exitval);
 }
 
@@ -3696,7 +3703,7 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cb
 	struct in6_addr a;
 	char *host, *ch, buf[INET6_ADDRSTRLEN];
 	ipfw_insn *ret = NULL;
-	int len;
+	size_t len;
 
 	/* Copy first address in set if needed */
 	if ((ch = strpbrk(av, "/,")) != NULL) {
@@ -3727,7 +3734,7 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
 	struct in6_addr a;
 	char *host, *ch, buf[INET6_ADDRSTRLEN];
 	ipfw_insn *ret = NULL;
-	int len;
+	size_t len;
 
 	/* Copy first address in set if needed */
 	if ((ch = strpbrk(av, "/,")) != NULL) {
@@ -3764,7 +3771,7 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cb
  * various match patterns, log/altq actions, and the actual action.
  *
  */
-void
+static void
 compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate)
 {
 	/*
@@ -4250,7 +4257,7 @@ chkarg:
 				len = sizeof(c->max_log);
 				if (sysctlbyname("net.inet.ip.fw.verbose_limit",
 				    &c->max_log, &len, NULL, 0) == -1) {
-					if (co.test_only) {
+					if (g_co.test_only) {
 						c->max_log = 0;
 						break;
 					}
@@ -5138,10 +5145,10 @@ done:
 static int
 compare_ntlv(const void *_a, const void *_b)
 {
-	ipfw_obj_ntlv *a, *b;
+	const ipfw_obj_ntlv *a, *b;
 
-	a = (ipfw_obj_ntlv *)_a;
-	b = (ipfw_obj_ntlv *)_b;
+	a = (const ipfw_obj_ntlv *)_a;
+	b = (const ipfw_obj_ntlv *)_b;
 
 	if (a->set < b->set)
 		return (-1);
@@ -5178,11 +5185,11 @@ struct object_kt {
 static int
 compare_object_kntlv(const void *k, const void *v)
 {
-	ipfw_obj_ntlv *ntlv;
+	const ipfw_obj_ntlv *ntlv;
 	struct object_kt key;
 
-	key = *((struct object_kt *)k);
-	ntlv = (ipfw_obj_ntlv *)v;
+	key = *((const struct object_kt *)k);
+	ntlv = (const ipfw_obj_ntlv *)v;
 
 	if (key.uidx < ntlv->idx)
 		return (-1);
@@ -5318,14 +5325,14 @@ ipfw_add(char *av[])
 	if (do_get3(IP_FW_XADD, op3, &sz) != 0)
 		err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_XADD");
 
-	if (!co.do_quiet) {
+	if (!g_co.do_quiet) {
 		struct format_opts sfo;
 		struct buf_pr bp;
 		memset(&sfo, 0, sizeof(sfo));
 		sfo.tstate = tstate;
 		sfo.set_mask = (uint32_t)(-1);
 		bp_alloc(&bp, 4096);
-		show_static_rule(&co, &sfo, &bp, rule, NULL);
+		show_static_rule(&g_co, &sfo, &bp, rule, NULL);
 		printf("%s", bp.buf);
 		bp_free(&bp);
 	}
@@ -5361,7 +5368,7 @@ ipfw_zero(int ac, char *av[], int optname)
 		rt.flags = IPFW_RCFLAG_ALL;
 		if (do_range_cmd(optname, &rt) < 0)
 			err(EX_UNAVAILABLE, "setsockopt(IP_FW_X%s)", name);
-		if (!co.do_quiet)
+		if (!g_co.do_quiet)
 			printf("%s.\n", optname == IP_FW_XZERO ?
 			    "Accounting cleared":"Logging counts reset");
 
@@ -5379,8 +5386,8 @@ ipfw_zero(int ac, char *av[], int optname)
 			rt.start_rule = arg;
 			rt.end_rule = arg;
 			rt.flags |= IPFW_RCFLAG_RANGE;
-			if (co.use_set != 0) {
-				rt.set = co.use_set - 1;
+			if (g_co.use_set != 0) {
+				rt.set = g_co.use_set - 1;
 				rt.flags |= IPFW_RCFLAG_SET;
 			}
 			if (do_range_cmd(optname, &rt) != 0) {
@@ -5390,7 +5397,7 @@ ipfw_zero(int ac, char *av[], int optname)
 			} else if (rt.new_set == 0) {
 				printf("Entry %d not found\n", arg);
 				failed = EX_UNAVAILABLE;
-			} else if (!co.do_quiet)
+			} else if (!g_co.do_quiet)
 				printf("Entry %d %s.\n", arg,
 				    optname == IP_FW_XZERO ?
 					"cleared" : "logging count reset");
@@ -5408,7 +5415,7 @@ ipfw_flush(int force)
 {
 	ipfw_range_tlv rt;
 
-	if (!force && !co.do_quiet) { /* need to ask user */
+	if (!force && !g_co.do_quiet) { /* need to ask user */
 		int c;
 
 		printf("Are you sure? [yn] ");
@@ -5423,21 +5430,21 @@ ipfw_flush(int force)
 		if (c == 'N')	/* user said no */
 			return;
 	}
-	if (co.do_pipe) {
+	if (g_co.do_pipe) {
 		dummynet_flush();
 		return;
 	}
 	/* `ipfw set N flush` - is the same that `ipfw delete set N` */
 	memset(&rt, 0, sizeof(rt));
-	if (co.use_set != 0) {
-		rt.set = co.use_set - 1;
+	if (g_co.use_set != 0) {
+		rt.set = g_co.use_set - 1;
 		rt.flags = IPFW_RCFLAG_SET;
 	} else
 		rt.flags = IPFW_RCFLAG_ALL;
 	if (do_range_cmd(IP_FW_XDEL, &rt) != 0)
 			err(EX_UNAVAILABLE, "setsockopt(IP_FW_XDEL)");
-	if (!co.do_quiet)
-		printf("Flushed all %s.\n", co.do_pipe ? "pipes" : "rules");
+	if (!g_co.do_quiet)
+		printf("Flushed all %s.\n", g_co.do_pipe ? "pipes" : "rules");
 }
 
 static struct _s_x intcmds[] = {
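Review bot: The closing message cannot report a pipe flush: the function returns right after `dummynet_flush()` when `g_co.do_pipe` is set, so `g_co.do_pipe ? "pipes" : "rules"` always selects "rules" by the time the printf runs. The message also says "all" when only one set was deleted through `g_co.use_set`. Printing what was actually done would be clearer, e.g. `printf("Flushed %s.\n", g_co.use_set != 0 ? "rules in set" : "all rules");`, with the pipe confirmation moved ahead of the early return if one is wanted. Whether dummynet_flush prints its own confirmation is not visible here, and the start of ipfw_flush is in the preceding hunk.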
@@ -5473,13 +5480,13 @@ lookup_eaction_name(ipfw_obj_ntlv *ntlv, int cnt, uint
 }
 
 static void
-ipfw_list_objects(int ac, char *av[])
+ipfw_list_objects(int ac __unused, char *av[] __unused)
 {
 	ipfw_obj_lheader req, *olh;
 	ipfw_obj_ntlv *ntlv;
 	const char *name;
 	size_t sz;
-	int i;
+	uint32_t i;
 
 	memset(&req, 0, sizeof(req));
 	sz = sizeof(req);
@@ -5577,10 +5584,10 @@ ipfw_get_tracked_ifaces(ipfw_obj_lheader **polh)
 static int
 ifinfo_cmp(const void *a, const void *b)
 {
-	ipfw_iface_info *ia, *ib;
+	const ipfw_iface_info *ia, *ib;
 
-	ia = (ipfw_iface_info *)a;
-	ib = (ipfw_iface_info *)b;
+	ia = (const ipfw_iface_info *)a;
+	ib = (const ipfw_iface_info *)b;
 
 	return (stringnum_cmp(ia->ifname, ib->ifname));
 }
@@ -5591,11 +5598,12 @@ ifinfo_cmp(const void *a, const void *b)
  * Returns 0 on success.
  */
 static void
-ipfw_list_tifaces()
+ipfw_list_tifaces(void)
 {
 	ipfw_obj_lheader *olh;
 	ipfw_iface_info *info;
-	int i, error;
+	uint32_t i;
+	int error;
 
 	if ((error = ipfw_get_tracked_ifaces(&olh)) != 0)
 		err(EX_OSERR, "Unable to request ipfw tracked interface list");
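Review bot: The comment above ipfw_list_tifaces still says `Returns 0 on success.` although the function is declared `static void` and leaves through err() when the request fails. That line should describe the actual contract, e.g. ` * Exits with EX_OSERR if the interface list cannot be retrieved.` The function body continues outside the hunk.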

Modified: head/sbin/ipfw/ipfw2.h
==============================================================================
--- head/sbin/ipfw/ipfw2.h	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/ipfw2.h	Mon Jul 13 17:51:04 2020	(r363164)
@@ -51,7 +51,7 @@ struct cmdline_opts {
 	int	do_sort;	/* field to sort results (0 = no) */
 		/* valid fields are 1 and above */
 
-	int	use_set;	/* work with specified set number */
+	uint32_t use_set;	/* work with specified set number */
 		/* 0 means all sets, otherwise apply to set use_set - 1 */
 
 };
@@ -62,7 +62,7 @@ enum {
 	TIMESTAMP_NUMERIC,
 };
 
-extern struct cmdline_opts co;
+extern struct cmdline_opts g_co;
 
 /*
  * _s_x is a structure that stores a string <-> token pairs, used in
@@ -331,7 +331,7 @@ struct buf_pr {
 int pr_u64(struct buf_pr *bp, uint64_t *pd, int width);
 int bp_alloc(struct buf_pr *b, size_t size);
 void bp_free(struct buf_pr *b);
-int bprintf(struct buf_pr *b, char *format, ...);
+int bprintf(struct buf_pr *b, const char *format, ...);
 
 
 /* memory allocation support */
@@ -349,7 +349,7 @@ int match_token_relaxed(struct _s_x *table, const char
 int get_token(struct _s_x *table, const char *string, const char *errbase);
 char const *match_value(struct _s_x *p, int value);
 size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
-    char *delimiter);
+    const char *delimiter);
 int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
     uint32_t *clear);
 void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);
@@ -361,7 +361,7 @@ int do_get3(int optname, struct _ip_fw3_opheader *op3,
 
 struct in6_addr;
 void n2mask(struct in6_addr *mask, int n);
-int contigmask(uint8_t *p, int len);
+int contigmask(const uint8_t *p, int len);
 
 /*
  * Forward declarations to avoid include way too many headers.
@@ -409,7 +409,7 @@ int ipfw_check_nat64prefix(const struct in6_addr *pref
 /* altq.c */
 void altq_set_enabled(int enabled);
 u_int32_t altq_name_to_qid(const char *name);
-void print_altq_cmd(struct buf_pr *bp, struct _ipfw_insn_altq *altqptr);
+void print_altq_cmd(struct buf_pr *bp, const struct _ipfw_insn_altq *altqptr);
 #else
 #define NO_ALTQ
 #endif
@@ -421,10 +421,10 @@ int ipfw_delete_pipe(int pipe_or_queue, int n);
 
 /* ipv6.c */
 void print_unreach6_code(struct buf_pr *bp, uint16_t code);
-void print_ip6(struct buf_pr *bp, struct _ipfw_insn_ip6 *cmd);
-void print_flow6id(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
-void print_icmp6types(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
-void print_ext6hdr(struct buf_pr *bp, struct _ipfw_insn *cmd );
+void print_ip6(struct buf_pr *bp, const struct _ipfw_insn_ip6 *cmd);
+void print_flow6id(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
+void print_icmp6types(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
+void print_ext6hdr(struct buf_pr *bp, const struct _ipfw_insn *cmd);
 
 struct tidx;
 struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,

Modified: head/sbin/ipfw/ipv6.c
==============================================================================
--- head/sbin/ipfw/ipv6.c	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/ipv6.c	Mon Jul 13 17:51:04 2020	(r363164)
@@ -85,14 +85,14 @@ print_unreach6_code(struct buf_pr *bp, uint16_t code)
  * Print the ip address contained in a command.
  */
 void
-print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd)
+print_ip6(struct buf_pr *bp, const ipfw_insn_ip6 *cmd)
 {
 	char trad[255];
 	struct hostent *he = NULL;
-	struct in6_addr *a = &(cmd->addr6);
+	const struct in6_addr *a = &(cmd->addr6);
 	int len, mb;
 
-	len = F_LEN((ipfw_insn *) cmd) - 1;
+	len = F_LEN((const ipfw_insn *)cmd) - 1;
 	if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
 		bprintf(bp, " me6");
 		return;
@@ -112,10 +112,11 @@ print_ip6(struct buf_pr *bp, ipfw_insn_ip6 *cmd)
 		/* mask length */
 		mb = (cmd->o.opcode == O_IP6_SRC ||
 		    cmd->o.opcode == O_IP6_DST) ?  128:
-		    contigmask((uint8_t *)&(a[1]), 128);
+		    contigmask((const uint8_t *)&(a[1]), 128);
 
-		if (mb == 128 && co.do_resolv)
-			he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
+		if (mb == 128 && g_co.do_resolv)
+			he = gethostbyaddr((const char *)a, sizeof(*a),
+			    AF_INET6);
 
 		if (he != NULL)	     /* resolved to name */
 			bprintf(bp, "%s", he->h_name);
@@ -142,7 +143,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cb
 {
        uint8_t type;
 
-       CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
+       CHECK_LENGTH(cblen, (int)F_INSN_SIZE(ipfw_insn_icmp6));
        memset(cmd, 0, sizeof(*cmd));
        while (*av) {
 	       if (*av == ',')
@@ -165,7 +166,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cb
 }
 
 void
-print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd)
+print_icmp6types(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
 {
 	int i, j;
 	char sep= ' ';
@@ -181,7 +182,7 @@ print_icmp6types(struct buf_pr *bp, ipfw_insn_u32 *cmd
 }
 
 void
-print_flow6id(struct buf_pr *bp, ipfw_insn_u32 *cmd)
+print_flow6id(struct buf_pr *bp, const ipfw_insn_u32 *cmd)
 {
 	uint16_t i, limit = cmd->o.arg1;
 	char sep = ',';
@@ -257,7 +258,7 @@ fill_ext6hdr( ipfw_insn *cmd, char *av)
 }
 
 void
-print_ext6hdr(struct buf_pr *bp, ipfw_insn *cmd )
+print_ext6hdr(struct buf_pr *bp, const ipfw_insn *cmd )
 {
 	char sep = ' ';
 
@@ -364,7 +365,8 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, stru
 		int masklen;
 		char md = '\0';
 
-		CHECK_LENGTH(cblen, 1 + len + 2 * F_INSN_SIZE(struct in6_addr));
+		CHECK_LENGTH(cblen,
+		    1 + len + 2 * (int)F_INSN_SIZE(struct in6_addr));
 
 		if ((q = strchr(av, ',')) ) {
 			*q = '\0';
@@ -453,7 +455,8 @@ fill_flow6( ipfw_insn_u32 *cmd, char *av, int cblen)
 	cmd->d[0] = 0;	  /* Initializing the base number*/
 
 	while (s) {
-		CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
+		CHECK_LENGTH(cblen,
+		    (int)F_INSN_SIZE(ipfw_insn_u32) + nflow + 1);
 
 		av = strsep( &s, ",") ;
 		type = strtoul(av, &av, 0);

Modified: head/sbin/ipfw/main.c
==============================================================================
--- head/sbin/ipfw/main.c	Mon Jul 13 17:20:20 2020	(r363163)
+++ head/sbin/ipfw/main.c	Mon Jul 13 17:51:04 2020	(r363164)
@@ -226,8 +226,8 @@ ipfw_main(int oldac, char **oldav)
 	av[ac] = NULL;
 
 	/* Set the force flag for non-interactive processes */
-	if (!co.do_force)
-		co.do_force = !isatty(STDIN_FILENO);
+	if (!g_co.do_force)
+		g_co.do_force = !isatty(STDIN_FILENO);
 
 #ifdef EMULATE_SYSCTL /* sysctl emulation */
 	if ( ac >= 2 && !strcmp(av[1], "sysctl")) {
@@ -269,20 +269,20 @@ ipfw_main(int oldac, char **oldav)
 			break;
 
 		case 'b':
-			co.comment_only = 1;
-			co.do_compact = 1;
+			g_co.comment_only = 1;
+			g_co.do_compact = 1;
 			break;
 
 		case 'c':
-			co.do_compact = 1;
+			g_co.do_compact = 1;
 			break;
 
 		case 'd':
-			co.do_dynamic = 1;
+			g_co.do_dynamic = 1;
 			break;
 
 		case 'D':
-			co.do_dynamic = 2;
+			g_co.do_dynamic = 2;
 			break;
 
 		case 'e':
@@ -290,7 +290,7 @@ ipfw_main(int oldac, char **oldav)
 			break;
 
 		case 'f':

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


