 @@ -18,27 +18,27 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.49 2020/05/30 14:16:56 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.50 2022/06/07 16:27:24 christos Exp $");
 #include <sys/types.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
 #if !defined(_NPF_STANDALONE)
 #include <sys/ioctl.h>
 #endif
 #include <netinet/in_systm.h>
 #include <netinet/in.h>
 #include <net/if.h>
 #include <stdlib.h>
 #include <string.h>
 @@ -196,26 +196,40 @@ _npf_rules_process(nl_config_t *ncf, nvl
 		if (nvlist_exists_nvlist_array(rule_dict, "subrules")) {
 			unsigned idx;
 			_npf_rules_process(ncf, rule_dict, "subrules");
 			idx = ncf->ncf_rule_count; // post-recursion index
 			nvlist_add_number(rule_dict, "skip-to", idx);
+		}
 		assert(nvlist_error(rule_dict) == 0);
+	}
 	free(items);
+}
 /*
  * _npf_init_error: initialize the error structure with the message
  * from the current error number
  */
 static int
 _npf_init_error(int error, npf_error_t *errinfo)
+{
 	if (error && errinfo) {
 		memset(errinfo, 0, sizeof(*errinfo));
 		errinfo->error_msg = strerror(error);
+	}
 	return error;
+}
 /*
  * _npf_extract_error: check the error number field and extract the
  * error details into the npf_error_t structure.
  */
 static int
 _npf_extract_error(nvlist_t *resp, npf_error_t *errinfo)
+{
 	int error;
 	error = dnvlist_get_number(resp, "errno", 0);
 	if (error && errinfo) {
 		memset(errinfo, 0, sizeof(npf_error_t));
 		errinfo->id = dnvlist_get_number(resp, "id", 0);
 @@ -336,27 +350,27 @@ npf_config_create(void)
+}
 int
 npf_config_submit(nl_config_t *ncf, int fd, npf_error_t *errinfo)
+{
 	nvlist_t *resp = NULL;
 	int error;
 	/* Ensure the config is built. */
 	(void)npf_config_build(ncf);
 	error = _npf_xfer_fd(fd, IOC_NPF_LOAD, ncf->ncf_dict, &resp);
 	if (error) {
-		return error;
+		return _npf_init_error(errno, errinfo);
+	}
 	error = _npf_extract_error(resp, errinfo);
 	nvlist_destroy(resp);
 	return error;
+}
 nl_config_t *
 npf_config_retrieve(int fd)
+{
 	nl_config_t *ncf;
 	nvlist_t *req, *resp = NULL;
 	int error;
 @@ -1248,32 +1262,32 @@ npf_table_insert(nl_config_t *ncf, nl_ta
 	nvlist_destroy(tl->table_dict);
 	free(tl);
 	return 0;
+}
 int
 npf_table_replace(int fd, nl_table_t *tl, npf_error_t *errinfo)
+{
 	nvlist_t *resp = NULL;
 	int error;
 	/* Ensure const tables are built. */
 	if ((error = _npf_table_build_const(tl)) != 0) {
-		return error;
+		return _npf_init_error(errno, errinfo);
+	}
 	error = _npf_xfer_fd(fd, IOC_NPF_TABLE_REPLACE, tl->table_dict, &resp);
 	if (error) {
 		assert(resp == NULL);
-		return errno;
+		return _npf_init_error(errno, errinfo);
+	}
 	error = _npf_extract_error(resp, errinfo);
 	nvlist_destroy(resp);
 	return error;
+}
 nl_table_t *
 npf_table_iterate(nl_config_t *ncf, nl_iter_t *iter)
+{
 	const nvlist_t *table_dict;
 	unsigned i = *iter;
 	table_dict = _npf_dataset_getelement(ncf->ncf_dict, "tables", i);