Typical covscan complaint, non-empty fall throughs should be marked as such. There was but a single case which should break instead, namely in libebt_log.c: It is not critical, since the next case merely asserts 'invert' being zero (which can't be as it was checked before). But while being at it, introduce log_chk_inv() to consolidate the semantically equal cases for the various log types. Signed-off-by: Phil Sutter <phil@xxxxxx> --- extensions/libebt_log.c | 28 +++++++++++++--------------- extensions/libxt_set.c | 5 +++++ iptables/nft-shared.c | 1 + 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c index a86bdebaaae0a..8858cf0e22c00 100644 --- a/extensions/libebt_log.c +++ b/extensions/libebt_log.c @@ -92,6 +92,14 @@ static void brlog_init(struct xt_entry_target *t) loginfo->loglevel = LOG_NOTICE; } +static unsigned int log_chk_inv(int inv, unsigned int bit, const char *suffix) +{ + if (inv) + xtables_error(PARAMETER_PROBLEM, + "Unexpected `!' after --log%s", suffix); + return bit; +} + static int brlog_parse(int c, char **argv, int invert, unsigned int *flags, const void *entry, struct xt_entry_target **target) { @@ -125,26 +133,16 @@ static int brlog_parse(int c, char **argv, int invert, unsigned int *flags, "Problem with the log-level"); break; case LOG_IP: - if (invert) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --log-ip"); - loginfo->bitmask |= EBT_LOG_IP; + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP, "-ip"); break; case LOG_ARP: - if (invert) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --log-arp"); - loginfo->bitmask |= EBT_LOG_ARP; + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_ARP, "-arp"); + break; case LOG_LOG: - if (invert) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --log"); + loginfo->bitmask |= log_chk_inv(invert, 0, ""); break; case LOG_IP6: - if (invert) - xtables_error(PARAMETER_PROBLEM, - "Unexpected `!' after --log-ip6"); - loginfo->bitmask |= EBT_LOG_IP6; + loginfo->bitmask |= log_chk_inv(invert, EBT_LOG_IP6, "-ip6"); break; default: return 0; diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c index 679c04c75b0f6..16921023a22f8 100644 --- a/extensions/libxt_set.c +++ b/extensions/libxt_set.c @@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags, case '2': fprintf(stderr, "--set option deprecated, please use --match-set\n"); + /* fall through */ case '1': /* --match-set <set> <flag>[,<flag> */ if (info->u.flags[0]) xtables_error(PARAMETER_PROBLEM, @@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags, case '2': fprintf(stderr, "--set option deprecated, please use --match-set\n"); + /* fall through */ case '1': /* --match-set <set> <flag>[,<flag> */ if (info->dim) xtables_error(PARAMETER_PROBLEM, @@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags, case '2': fprintf(stderr, "--set option deprecated, please use --match-set\n"); + /* fall through */ case '1': /* --match-set <set> <flag>[,<flag> */ if (info->dim) xtables_error(PARAMETER_PROBLEM, @@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags, case '2': fprintf(stderr, "--set option deprecated, please use --match-set\n"); + /* fall through */ case '1': /* --match-set <set> <flag>[,<flag> */ if (info->match_set.dim) xtables_error(PARAMETER_PROBLEM, @@ -583,6 +587,7 @@ set_parse_v4(int c, char **argv, int invert, unsigned int *flags, case '2': fprintf(stderr, "--set option deprecated, please use --match-set\n"); + /* fall through */ case '1': /* --match-set <set> <flag>[,<flag> */ if (info->match_set.dim) xtables_error(PARAMETER_PROBLEM, diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index c8414294833c5..a38ffd3aa1145 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -547,6 +547,7 @@ void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) break;; case NFT_GOTO: nft_goto = true; + /* fall through */ case NFT_JUMP: jumpto = chain; break; -- 2.18.0