Merge remote-tracking branch 's1061123/nft_support' into nft_support

Conflicts:
	miniupnpd/Makefile.linux_nft
	miniupnpd/netfilter_nft/README.md
	miniupnpd/netfilter_nft/nftnlrdr.c
	miniupnpd/netfilter_nft/nftnlrdr_misc.c

miniupnpc-async/miniupnpc-async.c

@@ -703,6 +703,7 @@ static int upnpc_build_soap_request(upnpc_t * p, const char * url,
 	body = malloc(body_len + 1);
 	if(body == NULL) {
 		p->state = EError;
+		free(args_xml);
 		return -1;
 	}
 	if(snprintf(body, body_len + 1, fmt_soap, action, service, args_xml?args_xml:"", action) != body_len) {
@@ -712,6 +713,7 @@ static int upnpc_build_soap_request(upnpc_t * p, const char * url,
 	args_xml = NULL;
 	if(!parseURL(url, hostname, &port, &path, &scope_id)) {
 		p->state = EError;
+		free(body);
 		return -1;
 	}
 	if(port != 80)

miniupnpc-libevent/miniupnpc-libevent.c

@@ -614,6 +614,7 @@ static int upnpc_send_soap_request(upnpc_device_t * p, const char * url,
 	body_len = snprintf(NULL, 0, fmt_soap, method, service, args_xml?args_xml:"", method);
 	body = malloc(body_len + 1);
 	if(body == NULL) {
+		free(args_xml);
 		return -1;
 	}
 	if(snprintf(body, body_len + 1, fmt_soap, method, service, args_xml?args_xml:"", method) != body_len) {
@@ -622,6 +623,7 @@ static int upnpc_send_soap_request(upnpc_device_t * p, const char * url,
 	free(args_xml);
 	args_xml = NULL;
 	if(!parseURL(url, hostname, &port, &path, &scope_id)) {
+		free(body);
 		return -1;
 	}
 	if(port != 80)

miniupnpc/CMakeLists.txt

@@ -30,7 +30,7 @@ endif (NO_GETADDRINFO)
 
 if (NOT WIN32)
   add_definitions (-DMINIUPNPC_SET_SOCKET_TIMEOUT)
-  add_definitions (-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112L)
+  add_definitions (-D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112L)
 else (NOT WIN32)
   add_definitions (-D_WIN32_WINNT=0x0501) # XP or higher for getnameinfo and friends
 endif (NOT WIN32)
@@ -86,8 +86,7 @@ endif (NOT WIN32 AND NOT CMAKE_SYSTEM_NAME STREQUAL "AmigaOS")
 
 if (WIN32)
   set_source_files_properties (${MINIUPNPC_SOURCES} PROPERTIES
-                                                    COMPILE_DEFINITIONS MINIUPNP_STATICLIB
-                                                    COMPILE_DEFINITIONS MINIUPNP_EXPORTS
+                                                    COMPILE_DEFINITIONS "MINIUPNP_STATICLIB;MINIUPNP_EXPORTS"
   )
 endif (WIN32)
 

miniupnpc/Changelog.txt

@@ -1,6 +1,12 @@
-$Id: Changelog.txt,v 1.202 2014/11/17 19:10:28 nanard Exp $
+$Id: Changelog.txt,v 1.203 2015/04/27 15:50:19 nanard Exp $
 miniUPnP client Changelog.
 
+2015/04/27:
+  _BSD_SOURCE is deprecated in favor of _DEFAULT_SOURCE
+  fix CMakeLists.txt COMPILE_DEFINITIONS
+  fix getDevicesFromMiniSSDPD() not setting scope_id
+  improve -r command of upnpc command line tool
+
 2014/11/17:
   search all :
     upnpDiscoverDevices() / upnpDiscoverAll() functions

miniupnpc/Makefile

@@ -35,7 +35,7 @@ CFLAGS += -W -Wstrict-prototypes
 CFLAGS += -fno-common
 CFLAGS += -DMINIUPNPC_SET_SOCKET_TIMEOUT
 CFLAGS += -DMINIUPNPC_GET_SRC_ADDR
-CFLAGS += -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112L
+CFLAGS += -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112L
 CFLAGS += -ansi
 # -DNO_GETADDRINFO
 INSTALL = install

miniupnpc/minissdpc.c

@@ -126,6 +126,7 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
 		memcpy(tmp->buffer + urlsize + 1, p, stsize);
 		p += stsize;
 		tmp->buffer[urlsize+1+stsize] = '\0';
+		tmp->scope_id = 0;	/* default value. scope_id is not available with MiniSSDPd */
 		devlist = tmp;
 		/* added for compatibility with recent versions of MiniSSDPd
 		 * >= 2007/12/19 */

miniupnpc/upnpc.c

@@ -16,6 +16,7 @@
 /* for IPPROTO_TCP / IPPROTO_UDP */
 #include <netinet/in.h>
 #endif
+#include <ctype.h>
 #include "miniwget.h"
 #include "miniupnpc.h"
 #include "upnpcommands.h"
@@ -41,6 +42,22 @@ const char * protofix(const char * proto)
 	return 0;
 }
 
+/* is_int() checks if parameter is an integer or not
+ * 1 for integer
+ * 0 for not an integer */
+int is_int(char const* s)
+{
+	if(s == NULL)
+		return 0;
+	while(*s) {
+		/* #define isdigit(c) ((c) >= '0' && (c) <= '9') */
+		if(!isdigit(*s))
+			return 0;
+		s++;
+	}
+	return 1;
+}
+
 static void DisplayInfos(struct UPNPUrls * urls,
                          struct IGDdatas * data)
 {
@@ -577,7 +594,8 @@ int main(int argc, char ** argv)
 		}
 	}
 
-	if(!command || (command == 'a' && commandargc<4)
+	if(!command
+	   || (command == 'a' && commandargc<4)
 	   || (command == 'd' && argc<2)
 	   || (command == 'r' && argc<2)
 	   || (command == 'A' && commandargc<6)
@@ -591,7 +609,7 @@ int main(int argc, char ** argv)
 		fprintf(stderr, "       \t%s [options] -L\n\t\tList redirections (using GetListOfPortMappings (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -n ip port external_port protocol [duration]\n\t\tAdd (any) port redirection allowing IGD to use alternative external_port (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -N external_port_start external_port_end protocol [manage]\n\t\tDelete range of port redirections (for IGD:2 only)\n", argv[0]);
-		fprintf(stderr, "       \t%s [options] -r port1 protocol1 [port2 protocol2] [...]\n\t\tAdd all redirections to the current host\n", argv[0]);
+		fprintf(stderr, "       \t%s [options] -r port1 [external_port1] protocol1 [port2 [external_port2] protocol2] [...]\n\t\tAdd all redirections to the current host\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -A remote_ip remote_port internal_ip internal_port protocol lease_time\n\t\tAdd Pinhole (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -U uniqueID new_lease_time\n\t\tUpdate Pinhole (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -C uniqueID\n\t\tCheck if Pinhole is Working (for IGD:2 only)\n", argv[0]);
@@ -699,13 +717,29 @@ int main(int argc, char ** argv)
 				GetConnectionStatus(&urls, &data);
 				break;
 			case 'r':
-				for(i=0; i<commandargc; i+=2)
+				i = 0;
+				while(i<commandargc)
 				{
-					/*printf("port %s protocol %s\n", argv[i], argv[i+1]);*/
-					SetRedirectAndTest(&urls, &data,
-							   lanaddr, commandargv[i],
-							   commandargv[i], commandargv[i+1], "0",
-							   description, 0);
+					if(!is_int(commandargv[i])) {
+						/* 1st parameter not an integer : error */
+						fprintf(stderr, "command -r : %s is not an port number\n", commandargv[i]);
+						retcode = 1;
+						break;
+					} else if(is_int(commandargv[i+1])){
+						/* 2nd parameter is an integer : <port> <external_port> <protocol> */
+						SetRedirectAndTest(&urls, &data,
+								   lanaddr, commandargv[i],
+								   commandargv[i+1], commandargv[i+2], "0",
+								   description, 0);
+						i+=3;	/* 3 parameters parsed */
+					} else {
+						/* 2nd parameter not an integer : <port> <protocol> */
+						SetRedirectAndTest(&urls, &data,
+								   lanaddr, commandargv[i],
+								   commandargv[i], commandargv[i+1], "0",
+								   description, 0);
+						i+=2;	/* 2 parameters parsed */
+					}
 				}
 				break;
 			case 'A':

miniupnpd/Changelog.txt

@@ -1,4 +1,14 @@
-$Id: Changelog.txt,v 1.395 2015/02/10 15:01:02 nanard Exp $
+$Id: Changelog.txt,v 1.398 2015/04/26 14:43:27 nanard Exp $
+
+2015/04/26:
+  Remove dependency to libnfnetlink
+  fix typos in miniupnpd.conf
+
+2015/03/09:
+  fix get_portmappings_in_range() for linux/netfilter
+
+2015/03/07:
+  don't die when IPv6 is enabled and interface has no IPv4 address
 
 2015/02/10:
   IP wildcard for AddPinhole() is empty string

miniupnpd/minissdp.c

@@ -1169,6 +1169,8 @@ SendSSDPGoodbye(int * sockets, int n_sockets)
 
 	for(j=0; j<n_sockets; j++)
 	{
+		if(sockets[j] < 0)
+			continue;
 #ifdef ENABLE_IPV6
 		ipv6 = j & 1;
 		if(ipv6) {

miniupnpd/miniupnpd.conf

@@ -1,143 +1,141 @@
 # WAN network interface
 #ext_ifname=eth1
 #ext_ifname=xl1
-# if the WAN interface has several IP addresses, you
+# If the WAN interface has several IP addresses, you
 # can specify the one to use below
 #ext_ip=
 
 # LAN network interfaces IPs / networks
-# there can be multiple listening ips for SSDP traffic.
-# should be under the form nnn.nnn.nnn.nnn/nn
-# It can also be the network interface name (ie "eth0")
-# It if mandatory to use the network interface name to enable IPv6
+# There can be multiple listening IPs for SSDP traffic
+# It can be IP address or network interface name (ie. "eth0")
+# It is mandatory to use the network interface name in order to enable IPv6
 # HTTP is available on all interfaces.
-# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
-# address associated with the subnet follows. for example :
+# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
+# address associated with the subnet follows. For example:
 #  listening_ip=192.168.0.1/24 88.22.44.13
 #listening_ip=192.168.0.1/24
 #listening_ip=10.5.0.0/16
 #listening_ip=eth0
 # CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
-# be sure to assign the correct interfaces to LAN and WAN and consider
+# Be sure to assign the correct interfaces to LAN and WAN and consider
 # implementing UPnP permission rules at the bottom of this configuration file
 
-# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
+# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
 #http_port=0
-# port for HTTPS. set to 0 for autoselect (default)
+# Port for HTTPS. Set to 0 for autoselect (default)
 #https_port=0
 
-# path to the unix socket used to communicate with MiniSSDPd
+# Path to the UNIX socket used to communicate with MiniSSDPd
 # If running, MiniSSDPd will manage M-SEARCH answering.
 # default is /var/run/minissdpd.sock
 #minissdpdsocket=/var/run/minissdpd.sock
 
-# enable NAT-PMP support (default is no)
+# Enable NAT-PMP support (default is no)
 #enable_natpmp=yes
 
-# enable UPNP support (default is yes)
+# Enable UPNP support (default is yes)
 #enable_upnp=no
 
-# PCP :
-# configure minimal and maximal lifetime of the port mapping in seconds
+# PCP
+# Configure the minimum and maximum lifetime of a port mapping in seconds
 # 120s and 86400s (24h) are suggested values from PCP-base
 #min_lifetime=120
 #max_lifetime=86400
 
-# chain names for netfilter (not used for pf or ipf).
+# Chain names for netfilter (not used for pf or ipf).
 # default is MINIUPNPD for both
 #upnp_forward_chain=forwardUPnP
 #upnp_nat_chain=UPnP
 
-# lease file location
+# Lease file location
 #lease_file=/var/log/upnp.leases
 
-# to enable the next few runtime options, see compile time
+# To enable the next few runtime options, see compile time
 # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
 
-# name of this service, default is "`uname -s` router"
+# Name of this service, default is "`uname -s` router"
 #friendly_name=MiniUPnPd router
 
-# manufacturer name, default is "`uname -s`"
+# Manufacturer name, default is "`uname -s`"
 #manufacturer_name=Manufacturer corp
 
-# manufacturer url, default is URL of OS verndor
+# Manufacturer URL, default is URL of OS vendor
 #manufacturer_url=http://miniupnp.free.fr/
 
-# model name, default is "`uname -s` router"
+# Model name, default is "`uname -s` router"
 #model_name=Router Model
 
-# model description, default is "`uname -s` router"
+# Model description, default is "`uname -s` router"
 #model_description=Very Secure Router - Model
 
-# model url, default is URL of OS vendor
+# Model URL, default is URL of OS vendor
 #model_url=http://miniupnp.free.fr/
 
-# bitrates reported by daemon in bits per second
+# Bitrates reported by daemon in bits per second
 # by default miniupnpd tries to get WAN interface speed
 #bitrate_up=1000000
 #bitrate_down=10000000
 
-# "secure" mode : when enabled, UPnP client are allowed to add mappings only
-# to their IP.
+# Secure Mode, UPnP clients can only add mappings to their own IP
 #secure_mode=yes
 secure_mode=no
 
-# default presentation url is http address on port 80
+# Default presentation URL is HTTP address on port 80
 # If set to an empty string, no presentationURL element will appear
 # in the XML description of the device, which prevents MS Windows
 # from displaying an icon in the "Network Connections" panel.
 #presentation_url=http://www.mylan/index.php
 
-# report system uptime instead of daemon uptime
+# Report system uptime instead of daemon uptime
 system_uptime=yes
 
-# notify interval in seconds. default is 30 seconds.
+# Notify interval in seconds. default is 30 seconds.
 #notify_interval=240
 notify_interval=60
 
-# unused rules cleaning.
+# Unused rules cleaning.
 # never remove any rule before this threshold for the number
 # of redirections is exceeded. default to 20
 #clean_ruleset_threshold=10
-# clean process work interval in seconds. default to 0 (disabled).
+# Clean process work interval in seconds. default to 0 (disabled).
 # a 600 seconds (10 minutes) interval makes sense
 clean_ruleset_interval=600
 
-# log packets in pf (default is no)
+# Log packets in pf (default is no)
 #packet_log=no
 
-# anchor name in pf (default is miniupnpd)
+# Anchor name in pf (default is miniupnpd)
 #anchor=miniupnpd
 
 # ALTQ queue in pf
-# filter rules must be used for this to be used.
+# Filter rules must be used for this to be used.
 # compile with PF_ENABLE_FILTER_RULES (see config.h file)
 #queue=queue_name1
 
-# tag name in pf
+# Tag name in pf
 #tag=tag_name1
 
-# make filter rules in pf quick or not. default is yes
+# Make filter rules in pf quick or not. default is yes
 # active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
 #quickrules=no
 
-# uuid : generate your own with "make genuuid"
+# UUID, generate your own UUID with "make genuuid"
 uuid=00000000-0000-0000-0000-000000000000
 
-# serial and model number the daemon will report to clients
-# in its XML description
+# Daemon's serial and model number when reporting to clients
+# (in XML description)
 #serial=12345678
 #model_number=1
 
 # UPnP permission rules
-# (allow|deny) (external port range) ip/mask (internal port range)
+# (allow|deny) (external port range) IP/mask (internal port range)
 # A port range is <min port>-<max port> or <port> if there is only
 # one port in the range.
-# ip/mask format must be nn.nn.nn.nn/nn
-# it is advised to only allow redirection of port above 1024
-# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
+# IP/mask format must be nnn.nnn.nnn.nnn/nn
+# It is advised to only allow redirection of port >= 1024
+# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
 # The following default ruleset allows specific LAN side IP addresses
-# to request only ephemeral ports. it is recommended that users
+# to request only ephemeral ports. It is recommended that users
 # modify the IP ranges to match their own internal networks, and
 # also consider implementing network-specific restrictions
 # CAUTION: failure to enforce any rules may permit insecure requests to be made!
@@ -146,4 +144,3 @@ allow 1024-65535 192.168.1.0/24 1024-65535
 allow 1024-65535 192.168.0.0/23 22
 allow 12345 192.168.7.113/32 54321
 deny 0-65535 0.0.0.0/0 0-65535
-

miniupnpd/netfilter/iptcrdr.c

@@ -1434,9 +1434,9 @@ get_portmappings_in_range(unsigned short startport, unsigned short endport,
 							break;
 						}
 						array = tmp;
-						array[*number] = eport;
-						(*number)++;
 					}
+					array[*number] = eport;
+					(*number)++;
 				}
 			}
 		}

miniupnpd/netfilter_nft/nftnlrdr.c

@@ -39,6 +39,12 @@
 
 #include "nftnlrdr_misc.h"
 
+#ifdef DEBUG
+#define d_printf(x) do { printf x; } while (0)
+#else
+#define d_printf(x)
+#endif
+
 /* dummy init and shutdown functions */
 int init_redirect(void)
 {
@@ -58,9 +64,10 @@ add_redirect_rule2(const char * ifname,
 		   const char * desc, unsigned int timestamp)
 {
 	struct nft_rule *r;
+	UNUSED(rhost);
 	UNUSED(timestamp);
-        printf("add redirect rule2(%s, %s, %u, %s, %u, %d, %s)!\n",
-	       ifname, rhost, eport, iaddr, iport, proto, desc);
+        d_printf(("add redirect rule2(%s, %s, %u, %s, %u, %d, %s)!\n",
+	          ifname, rhost, eport, iaddr, iport, proto, desc));
 	r = rule_set_dnat(NFPROTO_IPV4, ifname, proto,
 			  0, eport, 
 			  inet_addr(iaddr), iport,  desc, NULL);
@@ -83,7 +90,7 @@ add_peer_redirect_rule2(const char * ifname,
 	struct nft_rule *r;
 	UNUSED(ifname); UNUSED(timestamp);
 
-        printf("add peer redirect rule2()!\n");
+        d_printf(("add peer redirect rule2()!\n"));
 	r = rule_set_snat(NFPROTO_IPV4, proto, 
 			  inet_addr(rhost), rport, 
 			  inet_addr(eaddr), eport, 
@@ -107,8 +114,8 @@ add_filter_rule2(const char * ifname,
 	struct nft_rule *r = NULL;
 	in_addr_t rhost_addr = 0;
 
-	printf("add_filter_rule2(%s, %s, %s, %d, %d, %d, %s)\n",
-	       ifname, rhost, iaddr, eport, iport, proto, desc);
+	d_printf(("add_filter_rule2(%s, %s, %s, %d, %d, %d, %s)\n",
+	          ifname, rhost, iaddr, eport, iport, proto, desc));
 	if (rhost != NULL && strcmp(rhost, "") != 0) {
             rhost_addr = inet_addr(rhost);
         }
@@ -148,7 +155,7 @@ delete_redirect_and_filter_rules(unsigned short eport, int proto)
         uint16_t iport = 0;
         extern void print_rule(rule_t *r) ;
 
-	printf("delete_redirect_and_filter_rules(%d %d)\n", eport, proto);
+	d_printf(("delete_redirect_and_filter_rules(%d %d)\n", eport, proto));
 	reflesh_nft_cache(NFPROTO_IPV4);
 	LIST_FOREACH(p, &head, entry) {
 		if (p->eport == eport && p->proto == proto && 
@@ -199,8 +206,12 @@ get_peer_rule_by_index(int index,
 	rule_t *r;
 	UNUSED(timestamp); UNUSED(packets); UNUSED(bytes);
 
-        printf("get_peer_rule_by_index()\n");
+        d_printf(("get_peer_rule_by_index()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
+	if (peer_cache == NULL) {
+		return -1;
+	}
+
 	for (i = 0; peer_cache[i] != NULL; i++) {
 		if (index == i) {
 			r = peer_cache[i];
@@ -281,8 +292,12 @@ get_redirect_rule_by_index(int index,
 	rule_t *r;
 	UNUSED(timestamp); UNUSED(packets); UNUSED(bytes);
 
-        printf("get_redirect_rule_by_index()\n");
+        d_printf(("get_redirect_rule_by_index()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
+	if (redirect_cache == NULL) {
+		return -1;
+	}
+
 	for (i = 0; redirect_cache[i] != NULL; i++) {
 		if (index == i) {
 			r = redirect_cache[i];
@@ -344,7 +359,7 @@ get_nat_redirect_rule(const char * nat_chain_name, const char * ifname,
 	UNUSED(packets);
 	UNUSED(bytes);
 
-        printf("get_nat_redirect_rule()\n");
+        d_printf(("get_nat_redirect_rule()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
 
 	LIST_FOREACH(p, &head, entry) {
@@ -380,7 +395,7 @@ get_portmappings_in_range(unsigned short startport, unsigned short endport,
 	unsigned short *array;
 	unsigned short *tmp;
 
-        printf("get_portmappings_in_range()\n");
+        d_printf(("get_portmappings_in_range()\n"));
 	*number = 0;
 	capacity = 128;
 	array = calloc(capacity, sizeof(unsigned short));

miniupnpd/netfilter_nft/nftnlrdr_misc.c

@@ -36,6 +36,12 @@
 #include "../macros.h"
 #include "../upnpglobalvars.h"
 
+#ifdef DEBUG
+#define d_printf(x) do { printf x; } while (0)
+#else
+#define d_printf(x)
+#endif
+
 #define RULE_CACHE_INVALID  0
 #define RULE_CACHE_VALID    1
 
@@ -177,7 +183,7 @@ print_rule(rule_t *r)
 		       iaddr_str, r->eport, r->packets, r->bytes);
 		break;
 	default:
-		printf("XXX: unknown type: %d\n", r->type);
+		printf("nftables: unknown type: %d\n", r->type);
 	}
 }
 
@@ -466,7 +472,7 @@ rule_expr_cb(struct nft_rule_expr *e, void *data)
 	} else if (strncmp("immediate", attr_name, sizeof("immediate")) == 0) {
 		parse_rule_immediate(e, r);
 	} else {
-		printf("unknown attr: %s\n", attr_name);
+		syslog(LOG_ERR, "unknown attr: %s\n", attr_name);
 	} 
 	return MNL_CB_OK;
 }
@@ -550,8 +556,15 @@ reflesh_nft_redirect_cache(void)
 	int i;
 	uint32_t len;
 
-	free(redirect_cache);
+	if (redirect_cache != NULL) {
+		free(redirect_cache);
+	}
 	len = rule_list_length - rule_list_peer_length;
+	if (len == 0) {
+		redirect_cache = NULL;
+		return;
+	} 
+
 	redirect_cache = (rule_t **)malloc(sizeof(rule_t *) * len);
 	bzero(redirect_cache, sizeof(rule_t *) * len);
 
@@ -573,7 +586,13 @@ reflesh_nft_peer_cache(void)
 	rule_t *p;
 	int i;
 
-	free(peer_cache);
+	if (peer_cache != NULL) {
+		free(peer_cache);
+	}
+	if (rule_list_peer_length == 0) {
+		peer_cache = NULL;
+		return;
+	}
 	peer_cache = (rule_t **)malloc(
 		sizeof(rule_t *) * rule_list_peer_length);
 	bzero(peer_cache, sizeof(rule_t *) * rule_list_peer_length);
@@ -599,8 +618,9 @@ reflesh_nft_cache(uint32_t family)
 	rule_t *p1, *p2;
 	int ret;
 
-	if (rule_list_validate == RULE_CACHE_VALID)
+	if (rule_list_validate == RULE_CACHE_VALID) {
 		return;
+	}
 
 	t = NULL;
 	p1 = LIST_FIRST(&head);