[hipl-commit] [trunk] Rev 3985: fixed conntracking of updates

  • From: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
  • To: hipl-commit@xxxxxxxxxxxxx
  • Date: Wed, 17 Mar 2010 17:32:36 +0200

Committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
Date: 17/03/2010 at 17:32:36
Revision: 3985
Revision-id: rene.hummen@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Branch nick: trunk

Log:
  fixed conntracking of updates
  
  to the firewall there's no difference between updates including rekeying
  or not.
  
  IMPORTANT: In general the connection tracking is in bad shape! Per
             connection state is established as early as possible instead
             of taking advantage of the late state creation design of HIP.
             Furthermore, the distinction between different update packets
             is very messy, probably incomplete and might even be wrong
             for certain combinations. I also noticed that NOTIFY packets
             would be allowed to pass through although expected them to
             contain signatures and threw an error.

Modified:
  M  firewall/conntrack.c

=== modified file 'firewall/conntrack.c'
--- firewall/conntrack.c        2010-03-17 14:42:04 +0000
+++ firewall/conntrack.c        2010-03-17 15:27:26 +0000
@@ -1484,47 +1484,21 @@
 
             _HIP_DEBUG("handle_update: esp_info and locator found\n");
 
-            /* TODO check processing of SPI
-             *
-             * old_spi == 0, new_spi = x means that host is requesting a new SA
-             * old_spi == new_spi means only location update
-             * old_spi != new_spi means esp_tuple update */
-            if (esp_info->old_spi != esp_info->new_spi) {          //update 
existing
-                esp_tuple = find_esp_tuple(other_dir_esps, 
ntohl(esp_info->old_spi));
-
-                if (!esp_tuple) {
-                    _HIP_DEBUG("No suitable esp_tuple found for updating\n");
-
-                    err = 0;
-                    goto out_err;
-                }
-
-                if (!update_esp_tuple(esp_info, locator, seq, esp_tuple)) {
-                    _HIP_DEBUG("failed to update the esp_tuple\n");
-
-                    err = 0;
-                    goto out_err;
-                }
-            }
-
-/* why would we want to do that? We already know this connection and this is a 
U1 */
-#if 0
-        } else {       /* create new esp_tuple */
-            new_esp = esp_tuple_from_esp_info_locator(esp_info, locator, seq,
-                                                      other_dir_tuple);
-
-            if (new_esp == NULL) {
-                //locator must contain address for this spi
-                err = 0;
-                goto out_err;
-            }
-
-            other_dir_tuple->esp_tuples = (SList *) append_to_slist((SList *)
-                                                                    
other_dir_esps, (void *) new_esp);
-
-            insert_esp_tuple(new_esp);
-        }
-#endif
+            esp_tuple = find_esp_tuple(other_dir_esps, 
ntohl(esp_info->old_spi));
+
+            if (!esp_tuple) {
+                _HIP_DEBUG("No suitable esp_tuple found for updating\n");
+
+                err = 0;
+                goto out_err;
+            }
+
+            if (!update_esp_tuple(esp_info, locator, seq, esp_tuple)) {
+                _HIP_DEBUG("failed to update the esp_tuple\n");
+
+                err = 0;
+                goto out_err;
+            }
         } else if (locator && seq) {
             /* Readdress without rekeying */
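Review bot: the replacement block looks up the tuple unconditionally via `find_esp_tuple(other_dir_esps, ntohl(esp_info->old_spi))`, which silently drops the `old_spi == 0, new_spi = x` case that the deleted TODO comment described as "host is requesting a new SA"; for such an UPDATE the lookup returns NULL and the packet is rejected at `err = 0; goto out_err;` with only a debug message. Either keep that part of the SPI-semantics comment next to the new lookup and state that new-SA requests are deliberately not tracked here, or handle `old_spi == 0` explicitly, since with the `#if 0` "create new esp_tuple" path now removed there is no remaining code that would ever create a tuple for a newly announced SPI. The `#if 0` block itself was dead code and its removal is fine.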
