From 780d7a24ee639e80e3e3ccfa9537035de30fda5d Mon Sep 17 00:00:00 2001
From: Sepherosa Ziehau
Date: Wed, 6 Sep 2017 13:42:15 +0800
Subject: [PATCH] ipfw: Stringent assertions.

---
 sys/net/ipfw/ip_fw2.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/sys/net/ipfw/ip_fw2.c b/sys/net/ipfw/ip_fw2.c
index 369526628c..93c2de5dcf 100644
--- a/sys/net/ipfw/ip_fw2.c
+++ b/sys/net/ipfw/ip_fw2.c
@@ -3857,6 +3857,8 @@ ipfw_alt_delete_rule(uint16_t rulenum)
 struct ipfw_context *ctx = ipfw_ctx[mycpuid];
 struct netmsg_del dmsg;

+ ASSERT_NETISR0;
+
 /*
 * Locate first rule to delete
 */
@@ -3930,6 +3932,8 @@ ipfw_alt_delete_ruleset(uint8_t set)
 struct ip_fw *rule;
 struct ipfw_context *ctx = ipfw_ctx[mycpuid];

+ ASSERT_NETISR0;
+
 /*
 * Check whether the 'set' exists. If it exists,
 * then check whether any rules within the set will
@@ -3988,6 +3992,8 @@ ipfw_alt_move_rule(uint16_t rulenum, uint8_t set)
 struct ip_fw *rule;
 struct ipfw_context *ctx = ipfw_ctx[mycpuid];

+ ASSERT_NETISR0;
+
 /*
 * Locate first rule to move
 */
@@ -4034,6 +4040,8 @@ ipfw_alt_move_ruleset(uint8_t from_set, uint8_t to_set)
 struct netmsg_del dmsg;
 struct netmsg_base *nmsg;

+ ASSERT_NETISR0;
+
 bzero(&dmsg, sizeof(dmsg));
 nmsg = &dmsg.base;
 netmsg_init(nmsg, NULL, &curthread->td_msgport, MSGF_PRIORITY,
@@ -4069,6 +4077,8 @@ ipfw_alt_swap_ruleset(uint8_t set1, uint8_t set2)
 struct netmsg_del dmsg;
 struct netmsg_base *nmsg;

+ ASSERT_NETISR0;
+
 bzero(&dmsg, sizeof(dmsg));
 nmsg = &dmsg.base;
 netmsg_init(nmsg, NULL, &curthread->td_msgport, MSGF_PRIORITY,
@@ -4099,6 +4109,8 @@ ipfw_ctl_alter(uint32_t arg)
 uint8_t cmd, new_set;
 int error = 0;

+ ASSERT_NETISR0;
+
 rulenum = arg & 0xffff;
 cmd = (arg >> 24) & 0xff;
 new_set = (arg >> 16) & 0xff;
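Review bot: The `ASSERT_NETISR0;` added at the top of ipfw_alt_delete_rule() states a threading invariant that neither the code nor the commit message explains, and the same holds for every other hunk in this patch (ipfw_alt_delete_ruleset, ipfw_alt_move_rule, ipfw_alt_move_ruleset, ipfw_alt_swap_ruleset, ipfw_ctl_alter, and the later ipfw_ctl_* and *_dispatch functions). These functions read `ipfw_ctx[mycpuid]` or start a netmsg from the current thread, so presumably they are only correct on netisr0; a comment above the first assertion such as `/* Rule table changes are serialized on netisr0; ctx here must be the cpu0 context. */` would record that. If ASSERT_NETISR0 is built on KASSERT, as the neighbouring assertion in ipfw_copy_rule suggests, it is likely compiled out of kernels built without INVARIANTS, so it documents the invariant rather than enforcing it on a production firewall, which the comment should also say. Each function's body continues outside its hunk.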
@@ -4207,6 +4219,8 @@ ipfw_ctl_zero_entry(int rulenum, int log_only)
 const char *msg;
 struct ipfw_context *ctx = ipfw_ctx[mycpuid];

+ ASSERT_NETISR0;
+
 bzero(&zmsg, sizeof(zmsg));
 nmsg = &zmsg.base;
 netmsg_init(nmsg, NULL, &curthread->td_msgport, MSGF_PRIORITY,
@@ -4460,6 +4474,8 @@ ipfw_ctl_add_rule(struct sockopt *sopt)
 size_t size;
 uint32_t rule_flags;
 int error;
+
+ ASSERT_NETISR0;

 size = sopt->sopt_valsize;
 if (size > (sizeof(uint32_t) * IPFW_RULE_SIZE_MAX) ||
@@ -4492,6 +4508,7 @@ ipfw_copy_rule(const struct ipfw_context *ctx, const struct ip_fw *rule,
 int i;
 #endif

+ ASSERT_NETISR0;
 KASSERT(rule->cpuid == 0, ("rule does not belong to cpu0"));

 ioc_rule->act_ofs = rule->act_ofs;
@@ -4675,6 +4692,8 @@ ipfw_ctl_get_rules(struct sockopt *sopt)
 size_t size;
 int state_cnt;

+ ASSERT_NETISR0;
+
 /*
 * pass up a copy of the current rules. Static rules
 * come first (the last of which has number IPFW_DEFAULT_RULE),
@@ -4747,6 +4766,8 @@ ipfw_ctl_set_disable(uint32_t disable, uint32_t enable)
 struct netmsg_base nmsg;
 uint32_t set_disable;

+ ASSERT_NETISR0;
+
 /* IPFW_DEFAULT_SET is always enabled */
 enable |= (1 << IPFW_DEFAULT_SET);
 set_disable = (ipfw_ctx[mycpuid]->ipfw_set_disable | disable) & ~enable;
@@ -4769,6 +4790,8 @@ ipfw_ctl(struct sockopt *sopt)
 uint32_t *masks;
 size_t size;

+ ASSERT_NETISR0;
+
 error = 0;

 switch (sopt->sopt_name) {
@@ -5225,6 +5248,8 @@ ipfw_sysctl_enable_dispatch(netmsg_t nmsg)
 {
 int enable = nmsg->lmsg.u.ms_result;

+ ASSERT_NETISR0;
+
 if (fw_enable == enable)
 goto reply;

@@ -5367,6 +5392,8 @@ ipfw_init_dispatch(netmsg_t nmsg)
 struct netmsg_ipfw fwmsg;
 int error = 0, cpu;

+ ASSERT_NETISR0;
+
 if (IPFW_LOADED) {
 kprintf("IP firewall already loaded\n");
 error = EEXIST;
@@ -5465,6 +5492,8 @@ ipfw_fini_dispatch(netmsg_t nmsg)
 struct netmsg_base nm;
 int error = 0, cpu;

+ ASSERT_NETISR0;
+
 if (ipfw_gd.ipfw_refcnt != 0) {
 error = EBUSY;
 goto reply;
-- 
2.11.4.GIT
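Review bot: In ipfw_copy_rule() the new `ASSERT_NETISR0;` sits directly above the existing `KASSERT(rule->cpuid == 0, ...)` with nothing tying the two checks together, and it is the only hunk in the patch that adds the assertion without a separating blank line. This function receives `ctx` as a parameter instead of reading `ipfw_ctx[mycpuid]`, so the thread check alone says nothing about whether the caller passed the cpu0 context. If that is the intent, a comment like `/* Called from netisr0 with the cpu0 ctx and a cpu0 rule. */` above the pair would make it explicit. The function starts and ends outside the hunk, so any validation of ctx elsewhere is not visible here.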
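Review bot: In ipfw_ctl_set_disable() the context line `enable |= (1 << IPFW_DEFAULT_SET);` shifts a signed int, and this patch leaves it untouched while adding the assertion just above it. If IPFW_DEFAULT_SET is the highest index of a 32-bit set mask, the shift reaches the sign bit, which is undefined behaviour in C. Writing it as `enable |= (1U << IPFW_DEFAULT_SET);` keeps the arithmetic unsigned like `enable` and `set_disable`. The value of IPFW_DEFAULT_SET is defined outside this diff, so this should be checked against the header.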