diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index aca1b38672..6f1887977b 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -364,13 +364,12 @@ ebtablesHandleEthHdr(virFirewallPtr fw, { char macaddr[VIR_MAC_STRING_BUFLEN]; char macmask[VIR_MAC_STRING_BUFLEN]; - int ret = -1; if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACAddr)) { if (printDataType(vars, macaddr, sizeof(macaddr), ðHdr->dataSrcMACAddr) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, reverse ? "-d" : "-s", @@ -382,7 +381,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw, if (printDataType(vars, macmask, sizeof(macmask), ðHdr->dataSrcMACMask) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s/%s", macaddr, macmask); @@ -395,7 +394,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw, if (printDataType(vars, macaddr, sizeof(macaddr), ðHdr->dataDstMACAddr) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, reverse ? "-s" : "-d", @@ -407,7 +406,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw, if (printDataType(vars, macmask, sizeof(macmask), ðHdr->dataDstMACMask) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s/%s", macaddr, macmask); @@ -416,9 +415,7 @@ ebtablesHandleEthHdr(virFirewallPtr fw, } } - ret = 0; - cleanup: - return ret; + return 0; } @@ -786,7 +783,6 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw, bool *srcmacskipped) { char macaddr[VIR_MAC_STRING_BUFLEN]; - int ret = -1; *srcmacskipped = false; @@ -799,7 +795,7 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw, if (printDataType(vars, macaddr, sizeof(macaddr), srcMacAddr) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-m", "mac", @@ -812,9 +808,7 @@ iptablesHandleSrcMacAddr(virFirewallPtr fw, NULL); } - ret = 0; - cleanup: - return ret; + return 0; } 
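Review bot: ebtablesHandleEthHdr can return -1 after it has already appended arguments to `fwrule`: in the hunks at -382 and -407 the `-s`/`-d` option has been added by `virFirewallRuleAddArgList` before the mask lookup fails. The old `goto cleanup` behaved the same way, but with the label gone nothing in the function hints at this contract. These are packet-filter rules, and a half-built rule could match more broadly than the filter author intended if it were ever applied, so I would add a comment above the function such as `/* On -1, fwrule may hold a partial argument list; the caller must discard fw, not apply it. */`. The same holds for the iptablesHandle* helpers and `_iptablesCreateRuleInstance` in the later hunks, where only the `maySkipICMP` path calls `virFirewallRemoveRule`. The function signature and the callers are outside these hunks, so whether callers already roll back cannot be confirmed from here.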
@@ -834,7 +828,6 @@ iptablesHandleIPHdr(virFirewallPtr fw, const char *dst = "--destination"; const char *srcrange = "--src-range"; const char *dstrange = "--dst-range"; - int ret = -1; if (directionIn) { src = "--destination"; @@ -847,7 +840,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddr, sizeof(ipaddr), &ipHdr->dataSrcIPAddr) < 0) - goto cleanup; + return -1; if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr)) virFirewallRuleAddArg(fw, fwrule, "!"); @@ -858,7 +851,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, number, sizeof(number), &ipHdr->dataSrcIPMask) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s/%s", ipaddr, number); @@ -869,7 +862,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddr, sizeof(ipaddr), &ipHdr->dataSrcIPFrom) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-m", "iprange", @@ -883,7 +876,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddralt, sizeof(ipaddralt), &ipHdr->dataSrcIPTo) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s-%s", ipaddr, ipaddralt); @@ -896,7 +889,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddr, sizeof(ipaddr), &ipHdr->dataDstIPAddr) < 0) - goto cleanup; + return -1; if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr)) virFirewallRuleAddArg(fw, fwrule, "!"); @@ -906,7 +899,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, number, sizeof(number), &ipHdr->dataDstIPMask) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s/%s", ipaddr, number); @@ -917,7 +910,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddr, sizeof(ipaddr), &ipHdr->dataDstIPFrom) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-m", "iprange", 
@@ -930,7 +923,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, ipaddralt, sizeof(ipaddralt), &ipHdr->dataDstIPTo) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s-%s", ipaddr, ipaddralt); @@ -943,7 +936,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, if (printDataType(vars, number, sizeof(number), &ipHdr->dataDSCP) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-m", "dscp", @@ -964,9 +957,7 @@ iptablesHandleIPHdr(virFirewallPtr fw, } } - ret = 0; - cleanup: - return ret; + return 0; } @@ -980,7 +971,6 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw, char number[MAX(INT_BUFSIZE_BOUND(uint32_t), INT_BUFSIZE_BOUND(int))]; char str[MAX_IPSET_NAME_LENGTH]; - int ret = -1; if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) && HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) { @@ -988,7 +978,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw, if (printDataType(vars, str, sizeof(str), &ipHdr->dataIPSet) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-m", "set", @@ -998,7 +988,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw, if (printDataTypeDirection(vars, str, sizeof(str), &ipHdr->dataIPSetFlags, directionIn) < 0) - goto cleanup; + return -1; virFirewallRuleAddArg(fw, fwrule, str); } @@ -1008,7 +998,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw, if (printDataType(vars, number, sizeof(number), &ipHdr->dataConnlimitAbove) < 0) - goto cleanup; + return -1; /* place connlimit after potential -m state --state ... since this is the most useful order */ @@ -1032,9 +1022,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewallPtr fw, NULL); } - ret = 0; - cleanup: - return ret; + return 0; } @@ -1178,7 +1166,6 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, bool hasICMPType = false; virFirewallRulePtr fwrule; size_t fwruleargs; - int ret = -1; PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); 
@@ -1197,14 +1184,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.tcpHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.tcpHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) { char *flags; @@ -1213,11 +1200,11 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, virFirewallRuleAddArg(fw, fwrule, "--tcp-flags"); if (!(flags = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask))) - goto cleanup; + return -1; virFirewallRuleAddArg(fw, fwrule, flags); VIR_FREE(flags); if (!(flags = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags))) - goto cleanup; + return -1; virFirewallRuleAddArg(fw, fwrule, flags); VIR_FREE(flags); } @@ -1226,13 +1213,13 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, vars, &rule->p.tcpHdrFilter.portData, directionIn) < 0) - goto cleanup; + return -1; if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPOption)) { if (printDataType(vars, number, sizeof(number), &rule->p.tcpHdrFilter.dataTCPOption) < 0) - goto cleanup; + return -1; if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption)) virFirewallRuleAddArg(fw, fwrule, "!"); @@ -1256,20 +1243,20 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.udpHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.udpHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; if (iptablesHandlePortData(fw, fwrule, vars, &rule->p.udpHdrFilter.portData, directionIn) < 0) - goto cleanup; + return -1; break; case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: 
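Review bot: In the TCP-flags branch (hunk at -1213), `flags` is reused for two allocations and released by hand with `VIR_FREE(flags)` after each use. That is leak-free as written, but now that a bare `return -1` is the exit idiom, any check later inserted between an allocation and its free would leak. Scope-bound ownership fits the new style better: declare `g_autofree char *mask = NULL;` and `g_autofree char *flags = NULL;`, assign one `virNWFilterPrintTCPFlags` result to each, and drop both `VIR_FREE` calls. This assumes the tree already uses GLib's auto-cleanup macros. The enclosing `case` starts before this hunk.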
@@ -1286,14 +1273,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.udpliteHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.udpliteHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; break; @@ -1311,14 +1298,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.espHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.espHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; break; @@ -1336,14 +1323,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.ahHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.ahHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; break; @@ -1361,20 +1348,20 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.sctpHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.sctpHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; if (iptablesHandlePortData(fw, fwrule, vars, &rule->p.sctpHdrFilter.portData, directionIn) < 0) - goto cleanup; + return -1; break; case VIR_NWFILTER_RULE_PROTOCOL_ICMP: @@ -1397,14 +1384,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.icmpHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.icmpHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) { const char *parm; 
@@ -1413,8 +1400,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, if (maySkipICMP) { virFirewallRemoveRule(fw, fwrule); - ret = 0; - goto cleanup; + return 0; } if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) @@ -1425,7 +1411,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, if (printDataType(vars, number, sizeof(number), &rule->p.icmpHdrFilter.dataICMPType) < 0) - goto cleanup; + return -1; if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType)) virFirewallRuleAddArg(fw, fwrule, "!"); @@ -1435,7 +1421,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, if (printDataType(vars, numberalt, sizeof(numberalt), &rule->p.icmpHdrFilter.dataICMPCode) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgFormat(fw, fwrule, "%s/%s", number, numberalt); @@ -1458,14 +1444,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.igmpHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.igmpHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; break; @@ -1483,14 +1469,14 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, &rule->p.allHdrFilter.dataSrcMACAddr, directionIn, &srcMacSkipped) < 0) - goto cleanup; + return -1; if (iptablesHandleIPHdr(fw, fwrule, vars, &rule->p.allHdrFilter.ipHdr, directionIn, &skipRule, &skipMatch) < 0) - goto cleanup; + return -1; break; @@ -1498,7 +1484,7 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, virReportError(VIR_ERR_INTERNAL_ERROR, _("Unexpected protocol %d"), rule->prtclType); - goto cleanup; + return -1; } if ((srcMacSkipped && @@ -1537,14 +1523,12 @@ _iptablesCreateRuleInstance(virFirewallPtr fw, vars, &rule->p.allHdrFilter.ipHdr, directionIn) < 0) - goto cleanup; + return -1; virFirewallRuleAddArgList(fw, fwrule, "-j", target, NULL); - ret = 0; - cleanup: - return ret; + return 0; } 
@@ -2475,8 +2459,6 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw, const char *ifname, virNWFilterVarCombIterPtr vars) { - int ret = -1; - if (virNWFilterRuleIsProtocolEthernet(rule)) { if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT || rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) { @@ -2487,7 +2469,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw, ifname, vars, rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) < 0) - goto cleanup; + return -1; } if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN || @@ -2499,7 +2481,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw, ifname, vars, false) < 0) - goto cleanup; + return -1; } } else { virFirewallLayer layer; @@ -2510,7 +2492,7 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw, } else { virReportError(VIR_ERR_OPERATION_FAILED, "%s", _("unexpected protocol type")); - goto cleanup; + return -1; } if (iptablesCreateRuleInstance(fw, @@ -2518,12 +2500,10 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw, rule, ifname, vars) < 0) - goto cleanup; + return -1; } - ret = 0; - cleanup: - return ret; + return 0; }
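Review bot: The inner `else` branch in the hunk at -2510 reports `_("unexpected protocol type")` without saying which type was seen, whereas the default case in `_iptablesCreateRuleInstance` reports `_("Unexpected protocol %d")` with `rule->prtclType`. Including the value here as well, `virReportError(VIR_ERR_OPERATION_FAILED, _("unexpected protocol type %d"), rule->prtclType);`, would let an operator trace a rejected filter rule from the log alone. The conditions that select `layer` sit between the hunks and are not visible, so please confirm `rule->prtclType` is the field tested there.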