Merge remote-tracking branch 's1061123/nft_support' into nft_support

Conflicts: miniupnpd/Makefile.linux_nft miniupnpd/netfilter_nft/README.md miniupnpd/netfilter_nft/nftnlrdr.c miniupnpd/netfilter_nft/nftnlrdr_misc.c
2015-04-30 10:49:11 +02:00 · 2015-04-30 10:49:11 +02:00 · 42a5e2ae22
parent f8c122034c 8fedfdc4ae
commit 42a5e2ae22
13 changed files with 165 additions and 77 deletions
--- a/miniupnpc-async/miniupnpc-async.c
+++ b/miniupnpc-async/miniupnpc-async.c
@ -703,6 +703,7 @@ static int upnpc_build_soap_request(upnpc_t * p, const char * url,
 	body = malloc(body_len + 1);
 	if(body == NULL) {
 		p->state = EError;
 		free(args_xml);
 		return -1;
 	}
 	if(snprintf(body, body_len + 1, fmt_soap, action, service, args_xml?args_xml:"", action) != body_len) {
@ -712,6 +713,7 @@ static int upnpc_build_soap_request(upnpc_t * p, const char * url,
 	args_xml = NULL;
 	if(!parseURL(url, hostname, &port, &path, &scope_id)) {
 		p->state = EError;
 		free(body);
 		return -1;
 	}
 	if(port != 80)
--- a/miniupnpc-libevent/miniupnpc-libevent.c
+++ b/miniupnpc-libevent/miniupnpc-libevent.c
@ -614,6 +614,7 @@ static int upnpc_send_soap_request(upnpc_device_t * p, const char * url,
 	body_len = snprintf(NULL, 0, fmt_soap, method, service, args_xml?args_xml:"", method);
 	body = malloc(body_len + 1);
 	if(body == NULL) {
 		free(args_xml);
 		return -1;
 	}
 	if(snprintf(body, body_len + 1, fmt_soap, method, service, args_xml?args_xml:"", method) != body_len) {
@ -622,6 +623,7 @@ static int upnpc_send_soap_request(upnpc_device_t * p, const char * url,
 	free(args_xml);
 	args_xml = NULL;
 	if(!parseURL(url, hostname, &port, &path, &scope_id)) {
 		free(body);
 		return -1;
 	}
 	if(port != 80)
--- a/miniupnpc/CMakeLists.txt
+++ b/miniupnpc/CMakeLists.txt
@ -30,7 +30,7 @@ endif (NO_GETADDRINFO)
 if (NOT WIN32)
  add_definitions (-DMINIUPNPC_SET_SOCKET_TIMEOUT)
-  add_definitions (-D_BSD_SOURCE -D_POSIX_C_SOURCE=200112L)
+  add_definitions (-D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112L)
 else (NOT WIN32)
  add_definitions (-D_WIN32_WINNT=0x0501) # XP or higher for getnameinfo and friends
 endif (NOT WIN32)
@ -86,8 +86,7 @@ endif (NOT WIN32 AND NOT CMAKE_SYSTEM_NAME STREQUAL "AmigaOS")
 if (WIN32)
  set_source_files_properties (${MINIUPNPC_SOURCES} PROPERTIES
-                                                    COMPILE_DEFINITIONS MINIUPNP_STATICLIB
+                                                    COMPILE_DEFINITIONS "MINIUPNP_STATICLIB;MINIUPNP_EXPORTS"
                                                    COMPILE_DEFINITIONS MINIUPNP_EXPORTS
  )
 endif (WIN32)
--- a/miniupnpc/Changelog.txt
+++ b/miniupnpc/Changelog.txt
@ -1,6 +1,12 @@
-$Id: Changelog.txt,v 1.202 2014/11/17 19:10:28 nanard Exp $
+$Id: Changelog.txt,v 1.203 2015/04/27 15:50:19 nanard Exp $
 miniUPnP client Changelog.
 2015/04/27:
  _BSD_SOURCE is deprecated in favor of _DEFAULT_SOURCE
  fix CMakeLists.txt COMPILE_DEFINITIONS
  fix getDevicesFromMiniSSDPD() not setting scope_id
  improve -r command of upnpc command line tool
 2014/11/17:
  search all :
    upnpDiscoverDevices() / upnpDiscoverAll() functions
--- a/miniupnpc/Makefile
+++ b/miniupnpc/Makefile
@ -35,7 +35,7 @@ CFLAGS += -W -Wstrict-prototypes
 CFLAGS += -fno-common
 CFLAGS += -DMINIUPNPC_SET_SOCKET_TIMEOUT
 CFLAGS += -DMINIUPNPC_GET_SRC_ADDR
-CFLAGS += -D_BSD_SOURCE -D_POSIX_C_SOURCE=200112L
+CFLAGS += -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_POSIX_C_SOURCE=200112L
 CFLAGS += -ansi
 # -DNO_GETADDRINFO
 INSTALL = install
--- a/miniupnpc/minissdpc.c
+++ b/miniupnpc/minissdpc.c
@ -126,6 +126,7 @@ getDevicesFromMiniSSDPD(const char * devtype, const char * socketpath)
 		memcpy(tmp->buffer + urlsize + 1, p, stsize);
 		p += stsize;
 		tmp->buffer[urlsize+1+stsize] = '\0';
 		tmp->scope_id = 0;	/* default value. scope_id is not available with MiniSSDPd */
 		devlist = tmp;
 		/* added for compatibility with recent versions of MiniSSDPd
 		 * >= 2007/12/19 */
--- a/miniupnpc/upnpc.c
+++ b/miniupnpc/upnpc.c
@ -16,6 +16,7 @@
 /* for IPPROTO_TCP / IPPROTO_UDP */
 #include <netinet/in.h>
 #endif
 #include <ctype.h>
 #include "miniwget.h"
 #include "miniupnpc.h"
 #include "upnpcommands.h"
@ -41,6 +42,22 @@ const char * protofix(const char * proto)
 	return 0;
 }
 /* is_int() checks if parameter is an integer or not
 * 1 for integer
 * 0 for not an integer */
 int is_int(char const* s)
 {
 	if(s == NULL)
 		return 0;
 	while(*s) {
 		/* #define isdigit(c) ((c) >= '0' && (c) <= '9') */
 		if(!isdigit(*s))
 			return 0;
 		s++;
 	}
 	return 1;
 }
 static void DisplayInfos(struct UPNPUrls * urls,
                         struct IGDdatas * data)
 {
@ -577,7 +594,8 @@ int main(int argc, char ** argv)
 		}
 	}
-	if(!command || (command == 'a' && commandargc<4)
+	if(!command
 	   || (command == 'a' && commandargc<4)
 	   || (command == 'd' && argc<2)
 	   || (command == 'r' && argc<2)
 	   || (command == 'A' && commandargc<6)
@ -591,7 +609,7 @@ int main(int argc, char ** argv)
 		fprintf(stderr, "       \t%s [options] -L\n\t\tList redirections (using GetListOfPortMappings (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -n ip port external_port protocol [duration]\n\t\tAdd (any) port redirection allowing IGD to use alternative external_port (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -N external_port_start external_port_end protocol [manage]\n\t\tDelete range of port redirections (for IGD:2 only)\n", argv[0]);
-		fprintf(stderr, "       \t%s [options] -r port1 protocol1 [port2 protocol2] [...]\n\t\tAdd all redirections to the current host\n", argv[0]);
+		fprintf(stderr, "       \t%s [options] -r port1 [external_port1] protocol1 [port2 [external_port2] protocol2] [...]\n\t\tAdd all redirections to the current host\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -A remote_ip remote_port internal_ip internal_port protocol lease_time\n\t\tAdd Pinhole (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -U uniqueID new_lease_time\n\t\tUpdate Pinhole (for IGD:2 only)\n", argv[0]);
 		fprintf(stderr, "       \t%s [options] -C uniqueID\n\t\tCheck if Pinhole is Working (for IGD:2 only)\n", argv[0]);
@ -699,13 +717,29 @@ int main(int argc, char ** argv)
 				GetConnectionStatus(&urls, &data);
 				break;
 			case 'r':
-				for(i=0; i<commandargc; i+=2)
+				i = 0;
 				while(i<commandargc)
 				{
-					/*printf("port %s protocol %s\n", argv[i], argv[i+1]);*/
+					if(!is_int(commandargv[i])) {
 						/* 1st parameter not an integer : error */
 						fprintf(stderr, "command -r : %s is not an port number\n", commandargv[i]);
 						retcode = 1;
 						break;
 					} else if(is_int(commandargv[i+1])){
 						/* 2nd parameter is an integer : <port> <external_port> <protocol> */
 						SetRedirectAndTest(&urls, &data,
 								   lanaddr, commandargv[i],
 								   commandargv[i+1], commandargv[i+2], "0",
 								   description, 0);
 						i+=3;	/* 3 parameters parsed */
 					} else {
 						/* 2nd parameter not an integer : <port> <protocol> */
 						SetRedirectAndTest(&urls, &data,
 								   lanaddr, commandargv[i],
 								   commandargv[i], commandargv[i+1], "0",
 								   description, 0);
 						i+=2;	/* 2 parameters parsed */
 					}
 				}
 				break;
 			case 'A':
--- a/miniupnpd/Changelog.txt
+++ b/miniupnpd/Changelog.txt
@ -1,4 +1,14 @@
-$Id: Changelog.txt,v 1.395 2015/02/10 15:01:02 nanard Exp $
+$Id: Changelog.txt,v 1.398 2015/04/26 14:43:27 nanard Exp $
 2015/04/26:
  Remove dependency to libnfnetlink
  fix typos in miniupnpd.conf
 2015/03/09:
  fix get_portmappings_in_range() for linux/netfilter
 2015/03/07:
  don't die when IPv6 is enabled and interface has no IPv4 address
 2015/02/10:
  IP wildcard for AddPinhole() is empty string
--- a/miniupnpd/minissdp.c
+++ b/miniupnpd/minissdp.c
@ -1169,6 +1169,8 @@ SendSSDPGoodbye(int * sockets, int n_sockets)
 	for(j=0; j<n_sockets; j++)
 	{
 		if(sockets[j] < 0)
 			continue;
 #ifdef ENABLE_IPV6
 		ipv6 = j & 1;
 		if(ipv6) {
--- a/miniupnpd/miniupnpd.conf
+++ b/miniupnpd/miniupnpd.conf
@ -1,143 +1,141 @@
 # WAN network interface
 #ext_ifname=eth1
 #ext_ifname=xl1
-# if the WAN interface has several IP addresses, you
+# If the WAN interface has several IP addresses, you
 # can specify the one to use below
 #ext_ip=
 # LAN network interfaces IPs / networks
-# there can be multiple listening ips for SSDP traffic.
+# There can be multiple listening IPs for SSDP traffic
-# should be under the form nnn.nnn.nnn.nnn/nn
+# It can be IP address or network interface name (ie. "eth0")
-# It can also be the network interface name (ie "eth0")
+# It is mandatory to use the network interface name in order to enable IPv6
 # It if mandatory to use the network interface name to enable IPv6
 # HTTP is available on all interfaces.
-# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
+# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
-# address associated with the subnet follows. for example :
+# address associated with the subnet follows. For example:
 #  listening_ip=192.168.0.1/24 88.22.44.13
 #listening_ip=192.168.0.1/24
 #listening_ip=10.5.0.0/16
 #listening_ip=eth0
 # CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
-# be sure to assign the correct interfaces to LAN and WAN and consider
+# Be sure to assign the correct interfaces to LAN and WAN and consider
 # implementing UPnP permission rules at the bottom of this configuration file
-# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
+# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
 #http_port=0
-# port for HTTPS. set to 0 for autoselect (default)
+# Port for HTTPS. Set to 0 for autoselect (default)
 #https_port=0
-# path to the unix socket used to communicate with MiniSSDPd
+# Path to the UNIX socket used to communicate with MiniSSDPd
 # If running, MiniSSDPd will manage M-SEARCH answering.
 # default is /var/run/minissdpd.sock
 #minissdpdsocket=/var/run/minissdpd.sock
-# enable NAT-PMP support (default is no)
+# Enable NAT-PMP support (default is no)
 #enable_natpmp=yes
-# enable UPNP support (default is yes)
+# Enable UPNP support (default is yes)
 #enable_upnp=no
-# PCP :
+# PCP
-# configure minimal and maximal lifetime of the port mapping in seconds
+# Configure the minimum and maximum lifetime of a port mapping in seconds
 # 120s and 86400s (24h) are suggested values from PCP-base
 #min_lifetime=120
 #max_lifetime=86400
-# chain names for netfilter (not used for pf or ipf).
+# Chain names for netfilter (not used for pf or ipf).
 # default is MINIUPNPD for both
 #upnp_forward_chain=forwardUPnP
 #upnp_nat_chain=UPnP
-# lease file location
+# Lease file location
 #lease_file=/var/log/upnp.leases
-# to enable the next few runtime options, see compile time
+# To enable the next few runtime options, see compile time
 # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
-# name of this service, default is "`uname -s` router"
+# Name of this service, default is "`uname -s` router"
 #friendly_name=MiniUPnPd router
-# manufacturer name, default is "`uname -s`"
+# Manufacturer name, default is "`uname -s`"
 #manufacturer_name=Manufacturer corp
-# manufacturer url, default is URL of OS verndor
+# Manufacturer URL, default is URL of OS vendor
 #manufacturer_url=http://miniupnp.free.fr/
-# model name, default is "`uname -s` router"
+# Model name, default is "`uname -s` router"
 #model_name=Router Model
-# model description, default is "`uname -s` router"
+# Model description, default is "`uname -s` router"
 #model_description=Very Secure Router - Model
-# model url, default is URL of OS vendor
+# Model URL, default is URL of OS vendor
 #model_url=http://miniupnp.free.fr/
-# bitrates reported by daemon in bits per second
+# Bitrates reported by daemon in bits per second
 # by default miniupnpd tries to get WAN interface speed
 #bitrate_up=1000000
 #bitrate_down=10000000
-# "secure" mode : when enabled, UPnP client are allowed to add mappings only
+# Secure Mode, UPnP clients can only add mappings to their own IP
 # to their IP.
 #secure_mode=yes
 secure_mode=no
-# default presentation url is http address on port 80
+# Default presentation URL is HTTP address on port 80
 # If set to an empty string, no presentationURL element will appear
 # in the XML description of the device, which prevents MS Windows
 # from displaying an icon in the "Network Connections" panel.
 #presentation_url=http://www.mylan/index.php
-# report system uptime instead of daemon uptime
+# Report system uptime instead of daemon uptime
 system_uptime=yes
-# notify interval in seconds. default is 30 seconds.
+# Notify interval in seconds. default is 30 seconds.
 #notify_interval=240
 notify_interval=60
-# unused rules cleaning.
+# Unused rules cleaning.
 # never remove any rule before this threshold for the number
 # of redirections is exceeded. default to 20
 #clean_ruleset_threshold=10
-# clean process work interval in seconds. default to 0 (disabled).
+# Clean process work interval in seconds. default to 0 (disabled).
 # a 600 seconds (10 minutes) interval makes sense
 clean_ruleset_interval=600
-# log packets in pf (default is no)
+# Log packets in pf (default is no)
 #packet_log=no
-# anchor name in pf (default is miniupnpd)
+# Anchor name in pf (default is miniupnpd)
 #anchor=miniupnpd
 # ALTQ queue in pf
-# filter rules must be used for this to be used.
+# Filter rules must be used for this to be used.
 # compile with PF_ENABLE_FILTER_RULES (see config.h file)
 #queue=queue_name1
-# tag name in pf
+# Tag name in pf
 #tag=tag_name1
-# make filter rules in pf quick or not. default is yes
+# Make filter rules in pf quick or not. default is yes
 # active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
 #quickrules=no
-# uuid : generate your own with "make genuuid"
+# UUID, generate your own UUID with "make genuuid"
 uuid=00000000-0000-0000-0000-000000000000
-# serial and model number the daemon will report to clients
+# Daemon's serial and model number when reporting to clients
-# in its XML description
+# (in XML description)
 #serial=12345678
 #model_number=1
 # UPnP permission rules
-# (allow|deny) (external port range) ip/mask (internal port range)
+# (allow|deny) (external port range) IP/mask (internal port range)
 # A port range is <min port>-<max port> or <port> if there is only
 # one port in the range.
-# ip/mask format must be nn.nn.nn.nn/nn
+# IP/mask format must be nnn.nnn.nnn.nnn/nn
-# it is advised to only allow redirection of port above 1024
+# It is advised to only allow redirection of port >= 1024
-# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
+# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
 # The following default ruleset allows specific LAN side IP addresses
-# to request only ephemeral ports. it is recommended that users
+# to request only ephemeral ports. It is recommended that users
 # modify the IP ranges to match their own internal networks, and
 # also consider implementing network-specific restrictions
 # CAUTION: failure to enforce any rules may permit insecure requests to be made!
@ -146,4 +144,3 @@ allow 1024-65535 192.168.1.0/24 1024-65535
 allow 1024-65535 192.168.0.0/23 22
 allow 12345 192.168.7.113/32 54321
 deny 0-65535 0.0.0.0/0 0-65535
--- a/miniupnpd/netfilter/iptcrdr.c
+++ b/miniupnpd/netfilter/iptcrdr.c
@ -1434,13 +1434,13 @@ get_portmappings_in_range(unsigned short startport, unsigned short endport,
 							break;
 						}
 						array = tmp;
 					}
 					array[*number] = eport;
 					(*number)++;
 				}
 			}
 		}
 	}
 	}
 	if(h)
 #ifdef IPTABLES_143
 		iptc_free(h);
--- a/miniupnpd/netfilter_nft/nftnlrdr.c
+++ b/miniupnpd/netfilter_nft/nftnlrdr.c
@ -39,6 +39,12 @@
 #include "nftnlrdr_misc.h"
 #ifdef DEBUG
 #define d_printf(x) do { printf x; } while (0)
 #else
 #define d_printf(x)
 #endif
 /* dummy init and shutdown functions */
 int init_redirect(void)
 {
@ -58,9 +64,10 @@ add_redirect_rule2(const char * ifname,
 		   const char * desc, unsigned int timestamp)
 {
 	struct nft_rule *r;
 	UNUSED(rhost);
 	UNUSED(timestamp);
-        printf("add redirect rule2(%s, %s, %u, %s, %u, %d, %s)!\n",
+        d_printf(("add redirect rule2(%s, %s, %u, %s, %u, %d, %s)!\n",
-	       ifname, rhost, eport, iaddr, iport, proto, desc);
+	          ifname, rhost, eport, iaddr, iport, proto, desc));
 	r = rule_set_dnat(NFPROTO_IPV4, ifname, proto,
 			  0, eport, 
 			  inet_addr(iaddr), iport,  desc, NULL);
@ -83,7 +90,7 @@ add_peer_redirect_rule2(const char * ifname,
 	struct nft_rule *r;
 	UNUSED(ifname); UNUSED(timestamp);
-        printf("add peer redirect rule2()!\n");
+        d_printf(("add peer redirect rule2()!\n"));
 	r = rule_set_snat(NFPROTO_IPV4, proto, 
 			  inet_addr(rhost), rport, 
 			  inet_addr(eaddr), eport, 
@ -107,8 +114,8 @@ add_filter_rule2(const char * ifname,
 	struct nft_rule *r = NULL;
 	in_addr_t rhost_addr = 0;
-	printf("add_filter_rule2(%s, %s, %s, %d, %d, %d, %s)\n",
+	d_printf(("add_filter_rule2(%s, %s, %s, %d, %d, %d, %s)\n",
-	       ifname, rhost, iaddr, eport, iport, proto, desc);
+	          ifname, rhost, iaddr, eport, iport, proto, desc));
 	if (rhost != NULL && strcmp(rhost, "") != 0) {
            rhost_addr = inet_addr(rhost);
        }
@ -148,7 +155,7 @@ delete_redirect_and_filter_rules(unsigned short eport, int proto)
        uint16_t iport = 0;
        extern void print_rule(rule_t *r) ;
-	printf("delete_redirect_and_filter_rules(%d %d)\n", eport, proto);
+	d_printf(("delete_redirect_and_filter_rules(%d %d)\n", eport, proto));
 	reflesh_nft_cache(NFPROTO_IPV4);
 	LIST_FOREACH(p, &head, entry) {
 		if (p->eport == eport && p->proto == proto && 
@ -199,8 +206,12 @@ get_peer_rule_by_index(int index,
 	rule_t *r;
 	UNUSED(timestamp); UNUSED(packets); UNUSED(bytes);
-        printf("get_peer_rule_by_index()\n");
+        d_printf(("get_peer_rule_by_index()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
 	if (peer_cache == NULL) {
 		return -1;
 	}
 	for (i = 0; peer_cache[i] != NULL; i++) {
 		if (index == i) {
 			r = peer_cache[i];
@ -281,8 +292,12 @@ get_redirect_rule_by_index(int index,
 	rule_t *r;
 	UNUSED(timestamp); UNUSED(packets); UNUSED(bytes);
-        printf("get_redirect_rule_by_index()\n");
+        d_printf(("get_redirect_rule_by_index()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
 	if (redirect_cache == NULL) {
 		return -1;
 	}
 	for (i = 0; redirect_cache[i] != NULL; i++) {
 		if (index == i) {
 			r = redirect_cache[i];
@ -344,7 +359,7 @@ get_nat_redirect_rule(const char * nat_chain_name, const char * ifname,
 	UNUSED(packets);
 	UNUSED(bytes);
-        printf("get_nat_redirect_rule()\n");
+        d_printf(("get_nat_redirect_rule()\n"));
 	reflesh_nft_cache(NFPROTO_IPV4);
 	LIST_FOREACH(p, &head, entry) {
@ -380,7 +395,7 @@ get_portmappings_in_range(unsigned short startport, unsigned short endport,
 	unsigned short *array;
 	unsigned short *tmp;
-        printf("get_portmappings_in_range()\n");
+        d_printf(("get_portmappings_in_range()\n"));
 	*number = 0;
 	capacity = 128;
 	array = calloc(capacity, sizeof(unsigned short));
--- a/miniupnpd/netfilter_nft/nftnlrdr_misc.c
+++ b/miniupnpd/netfilter_nft/nftnlrdr_misc.c
@ -36,6 +36,12 @@
 #include "../macros.h"
 #include "../upnpglobalvars.h"
 #ifdef DEBUG
 #define d_printf(x) do { printf x; } while (0)
 #else
 #define d_printf(x)
 #endif
 #define RULE_CACHE_INVALID  0
 #define RULE_CACHE_VALID    1
@ -177,7 +183,7 @@ print_rule(rule_t *r)
 		       iaddr_str, r->eport, r->packets, r->bytes);
 		break;
 	default:
-		printf("XXX: unknown type: %d\n", r->type);
+		printf("nftables: unknown type: %d\n", r->type);
 	}
 }
@ -466,7 +472,7 @@ rule_expr_cb(struct nft_rule_expr *e, void *data)
 	} else if (strncmp("immediate", attr_name, sizeof("immediate")) == 0) {
 		parse_rule_immediate(e, r);
 	} else {
-		printf("unknown attr: %s\n", attr_name);
+		syslog(LOG_ERR, "unknown attr: %s\n", attr_name);
 	} 
 	return MNL_CB_OK;
 }
@ -550,8 +556,15 @@ reflesh_nft_redirect_cache(void)
 	int i;
 	uint32_t len;
 	if (redirect_cache != NULL) {
 		free(redirect_cache);
 	}
 	len = rule_list_length - rule_list_peer_length;
 	if (len == 0) {
 		redirect_cache = NULL;
 		return;
 	} 
 	redirect_cache = (rule_t **)malloc(sizeof(rule_t *) * len);
 	bzero(redirect_cache, sizeof(rule_t *) * len);
@ -573,7 +586,13 @@ reflesh_nft_peer_cache(void)
 	rule_t *p;
 	int i;
 	if (peer_cache != NULL) {
 		free(peer_cache);
 	}
 	if (rule_list_peer_length == 0) {
 		peer_cache = NULL;
 		return;
 	}
 	peer_cache = (rule_t **)malloc(
 		sizeof(rule_t *) * rule_list_peer_length);
 	bzero(peer_cache, sizeof(rule_t *) * rule_list_peer_length);
@ -599,8 +618,9 @@ reflesh_nft_cache(uint32_t family)
 	rule_t *p1, *p2;
 	int ret;
-	if (rule_list_validate == RULE_CACHE_VALID)
+	if (rule_list_validate == RULE_CACHE_VALID) {
 		return;
 	}
 	t = NULL;
 	p1 = LIST_FIRST(&head);