[hipl-commit] [trunk] Rev 4712: Header cleanup in firewall/

  • From: Artturi Karila <artturi.karila@xxxxxxxxxx>
  • To: hipl-commit@xxxxxxxxxxxxx
  • Date: Tue, 8 Jun 2010 10:28:37 +0300

Committer: Artturi Karila <artturi.karila@xxxxxxxxxx>
Date: 08/06/2010 at 10:28:37
Revision: 4712
Revision-id: artturi.karila@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Branch nick: trunk

Log:
  Header cleanup in firewall/
  
  Removed unused items and made functions that are not used outside their own file static.

Modified:
  M  firewall/conntrack.c
  M  firewall/firewall_defines.h
  M  firewall/lsi.c
  M  firewall/lsi.h
  M  firewall/user_ipsec_esp.c
  M  firewall/user_ipsec_esp.h
  M  firewall/user_ipsec_sadb.c
  M  firewall/user_ipsec_sadb.h

=== modified file 'firewall/conntrack.c'
--- firewall/conntrack.c        2010-06-01 15:36:57 +0000
+++ firewall/conntrack.c        2010-06-08 07:28:34 +0000
@@ -112,10 +112,6 @@
               esp_tuple->tuple->direction);
 
     print_esp_addr_list(esp_tuple->dst_addr_list);
-
-    if (esp_tuple->dec_data) {
-        HIP_DEBUG("Decryption data for esp_tuple exists\n");
-    }
 }
 
 /**
@@ -539,10 +535,6 @@
             list = esp_tuple->dst_addr_list;
         }
 
-        if (esp_tuple->dec_data) {
-            free(esp_tuple->dec_data);
-        }
-
         esp_tuple->tuple = NULL;
         free(esp_tuple);
     }
@@ -1046,7 +1038,6 @@
         esp_tuple->dst_addr_list = update_esp_address(esp_tuple->dst_addr_list,
                                                       ip6_src, NULL);
         esp_tuple->tuple         = other_dir;
-        esp_tuple->dec_data      = NULL;
 
         other_dir->esp_tuples    = (SList *)
                                    append_to_slist((SList *) 
other_dir->esp_tuples, esp_tuple);
@@ -1120,8 +1111,6 @@
         esp_tuple->dst_addr_list = NULL;
         esp_tuple->dst_addr_list = update_esp_address(esp_tuple->dst_addr_list,
                                                       ip6_src, NULL);
-
-        esp_tuple->dec_data      = NULL;
         esp_tuple->tuple         = other_dir;
 
         insert_esp_tuple(esp_tuple);

=== modified file 'firewall/firewall_defines.h'
--- firewall/firewall_defines.h 2010-06-02 11:27:31 +0000
+++ firewall/firewall_defines.h 2010-06-08 07:28:34 +0000
@@ -66,7 +66,6 @@
     uint32_t                spi_update_id;
     SList *                 dst_addr_list;
     struct tuple *          tuple;
-    struct decryption_data *dec_data;
     /* tracking of the ESP SEQ number */
     uint32_t                seq_no;
     /* members needed for ESP protection extension */
@@ -89,13 +88,6 @@
     esp_cumulative_item_t   hash_buffer[MAX_RING_BUFFER_SIZE];
 };
 
-struct decryption_data {
-    int                   dec_alg;
-    int                   auth_len;
-    int                   key_len;
-    struct hip_crypto_key dec_key;
-};
-
 struct hip_data {
     struct in6_addr     src_hit;
     struct in6_addr     dst_hit;

=== modified file 'firewall/lsi.c'
--- firewall/lsi.c      2010-05-31 09:44:40 +0000
+++ firewall/lsi.c      2010-06-08 07:28:34 +0000
@@ -183,6 +183,102 @@
 }
 
 /**
+ * Executes the packet reinjection
+ *
+ *
+ * @param src_hit              ipv6 source address
+ * @param dst_hit              ipv6 destination address
+ * @param m                    pointer to the packet
+ * @param ipOrigTraffic        type of Traffic (IPv4 or IPv6)
+ * @param incoming             packet direction
+ * @return                     err during the reinjection
+ */
+static int hip_reinject_packet(const struct in6_addr *src_hit,
+                        const struct in6_addr *dst_hit,
+                        const ipq_packet_msg_t *m,
+                        const int ipOrigTraffic,
+                        const int incoming)
+{
+    int err              = 0;
+    int ip_hdr_size      = 0;
+    int packet_length    = 0;
+    int protocol         = 0;
+    int ttl              = 0;
+    uint8_t *msg              = NULL;
+    struct icmphdr *icmp = NULL;
+
+    if (ipOrigTraffic == 4) {
+        struct ip *iphdr = (struct ip *) m->payload;
+        ip_hdr_size = (iphdr->ip_hl * 4);
+        protocol    = iphdr->ip_p;
+        ttl         = iphdr->ip_ttl;
+        HIP_DEBUG_LSI("Ipv4 address src ", &(iphdr->ip_src));
+        HIP_DEBUG_LSI("Ipv4 address dst ", &(iphdr->ip_dst));
+    } else {
+        struct ip6_hdr *ip6_hdr = (struct ip6_hdr *) m->payload;
+        ip_hdr_size = sizeof(struct ip6_hdr);         //Fixed size
+        protocol    = ip6_hdr->ip6_nxt;
+        ttl         = ip6_hdr->ip6_hlim;
+        HIP_DEBUG_IN6ADDR("Orig packet src address: ", &(ip6_hdr->ip6_src));
+        HIP_DEBUG_IN6ADDR("Orig packet dst address: ", &(ip6_hdr->ip6_dst));
+        HIP_DEBUG_IN6ADDR("New packet src address:", src_hit);
+        HIP_DEBUG_IN6ADDR("New packet dst address: ", dst_hit);
+    }
+
+    if (m->data_len <= (BUFSIZE - ip_hdr_size)) {
+        packet_length = m->data_len - ip_hdr_size;
+        HIP_DEBUG("packet size smaller than buffer size\n");
+    } else {
+        packet_length = BUFSIZE - ip_hdr_size;
+        HIP_DEBUG("HIP packet size greater than buffer size\n");
+    }
+
+    /* Note: using calloc to zero memory region here because I think
+     * firewall_send_incoming_pkt() calculates checksum
+     * from too long region sometimes. See bug id 874 */
+    msg = calloc((packet_length + sizeof(struct ip)), 1);
+    memcpy(msg, (m->payload) + ip_hdr_size, packet_length);
+
+    if (protocol == IPPROTO_ICMP && incoming) {
+        icmp = (struct icmphdr *) msg;
+        HIP_DEBUG("incoming ICMP type=%d code=%d\n",
+                  icmp->type, icmp->code);
+        /* Manually built due to kernel messed up with the
+         * ECHO_REPLY message. Kernel was building an answer
+         * message with equals @src and @dst*/
+        if (icmp->type == ICMP_ECHO) {
+            icmp->type = ICMP_ECHOREPLY;
+            err        = hip_firewall_send_outgoing_pkt(dst_hit, src_hit,
+                                                        msg, packet_length,
+                                                        protocol);
+        } else {
+            err = hip_firewall_send_incoming_pkt(src_hit, dst_hit,
+                                                 msg, packet_length,
+                                                 protocol, ttl);
+        }
+    } else {
+        if (incoming) {
+            HIP_DEBUG("Firewall send to the kernel an incoming packet\n");
+            err = hip_firewall_send_incoming_pkt(src_hit,
+                                                 dst_hit, msg,
+                                                 packet_length,
+                                                 protocol, ttl);
+        } else {
+            HIP_DEBUG("Firewall send to the kernel an outgoing packet\n");
+            err = hip_firewall_send_outgoing_pkt(src_hit,
+                                                 dst_hit, msg,
+                                                 packet_length,
+                                                 protocol);
+        }
+    }
+
+    if (msg) {
+        free(msg);
+    }
+    return err;
+}
+
+/**
  * get the state of the bex for a pair of ip addresses.
  *
  * @param src_ip       input for finding the correct entries
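Review bot: `msg = calloc((packet_length + sizeof(struct ip)), 1);` in hip_reinject_packet is passed to the following memcpy without a NULL check, and `ip_hdr_size` is taken straight from the packet's own `ip_hl` field without being compared to `m->data_len`, so a truncated IPv4 header that claims more header bytes than the message holds makes `packet_length` negative and the allocation size wrap before the copy. Before the length computation add `if ((size_t) ip_hdr_size > m->data_len) { return -1; }` and after the calloc `if (!msg) { return -1; }`; an `ip_hl < 5` header is equally malformed and could be rejected in the IPv4 branch as well. The `if (msg)` guard before `free(msg)` is redundant, since free(NULL) is a no-op. The commit only moves this function and makes it static, but that is a reasonable moment to harden it; the whole function lies inside the hunk.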
@@ -465,156 +561,3 @@
 out_err:
     return err;
 }
-
-/**
- * Ask hipd the HIT of the peer corresponding to the give IP address. Works
- * similarly to the hip_request_peer_hit_from_hipd() function.
- *
- * @param peer_ip IP address of the peer
- * @param peer_hit write the HIT of the peer to this output variable
- * @param local_hit local HIT being used
- * @param src_tcp_port TCP source port
- * @param dst_tcp_port TCP destination port
- * @param fallback unused variable
- * @param reject unused variable
- *
- * @note the TCP ports are relevant only for the TCP extensions for opp. mode
- * @todo remove fallback and reject variables
- */
-int hip_request_peer_hit_from_hipd_at_firewall(const struct in6_addr *peer_ip,
-                                               struct in6_addr *peer_hit,
-                                               const struct in6_addr 
*local_hit,
-                                               in_port_t *src_tcp_port,
-                                               in_port_t *dst_tcp_port,
-                                               int *fallback,
-                                               int *reject)
-{
-    struct hip_common *msg = NULL;
-    int err                = 0;
-
-    *fallback = 1;
-    *reject   = 0;
-
-    HIP_IFE(!(msg = hip_msg_alloc()), -1);
-
-    /* build the message header */
-    HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_GET_PEER_HIT, 0),
-             -1, "build hdr failed\n");
-
-    HIP_IFEL(hip_build_param_contents(msg, (void *) (local_hit),
-                                      HIP_PARAM_HIT_LOCAL,
-                                      sizeof(struct in6_addr)),
-             -1, "build param HIP_PARAM_HIT  failed\n");
-
-    HIP_IFEL(hip_build_param_contents(msg, (void *) (peer_ip),
-                                      HIP_PARAM_IPV6_ADDR_PEER,
-                                      sizeof(struct in6_addr)),
-             -1, "build param HIP_PARAM_IPV6_ADDR failed\n");
-
-    /* this message has to be delivered with the async socket because
-     * opportunistic mode responds asynchronously */
-    HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock),
-             -1, "send msg failed\n");
-
-out_err:
-    if (msg) {
-        free(msg);
-    }
-    return err;
-}
-
-/**
- * Executes the packet reinjection
- *
- *
- * @param src_hit              ipv6 source address
- * @param dst_hit              ipv6 destination address
- * @param m                    pointer to the packet
- * @param ipOrigTraffic        type of Traffic (IPv4 or IPv6)
- * @param incoming             packet direction
- * @return                     err during the reinjection
- */
-int hip_reinject_packet(const struct in6_addr *src_hit,
-                        const struct in6_addr *dst_hit,
-                        const ipq_packet_msg_t *m,
-                        const int ipOrigTraffic,
-                        const int incoming)
-{
-    int err              = 0;
-    int ip_hdr_size      = 0;
-    int packet_length    = 0;
-    int protocol         = 0;
-    int ttl              = 0;
-    uint8_t *msg              = NULL;
-    struct icmphdr *icmp = NULL;
-
-    if (ipOrigTraffic == 4) {
-        struct ip *iphdr = (struct ip *) m->payload;
-        ip_hdr_size = (iphdr->ip_hl * 4);
-        protocol    = iphdr->ip_p;
-        ttl         = iphdr->ip_ttl;
-        HIP_DEBUG_LSI("Ipv4 address src ", &(iphdr->ip_src));
-        HIP_DEBUG_LSI("Ipv4 address dst ", &(iphdr->ip_dst));
-    } else {
-        struct ip6_hdr *ip6_hdr = (struct ip6_hdr *) m->payload;
-        ip_hdr_size = sizeof(struct ip6_hdr);         //Fixed size
-        protocol    = ip6_hdr->ip6_nxt;
-        ttl         = ip6_hdr->ip6_hlim;
-        HIP_DEBUG_IN6ADDR("Orig packet src address: ", &(ip6_hdr->ip6_src));
-        HIP_DEBUG_IN6ADDR("Orig packet dst address: ", &(ip6_hdr->ip6_dst));
-        HIP_DEBUG_IN6ADDR("New packet src address:", src_hit);
-        HIP_DEBUG_IN6ADDR("New packet dst address: ", dst_hit);
-    }
-
-    if (m->data_len <= (BUFSIZE - ip_hdr_size)) {
-        packet_length = m->data_len - ip_hdr_size;
-        HIP_DEBUG("packet size smaller than buffer size\n");
-    } else {
-        packet_length = BUFSIZE - ip_hdr_size;
-        HIP_DEBUG("HIP packet size greater than buffer size\n");
-    }
-
-    /* Note: using calloc to zero memory region here because I think
-     * firewall_send_incoming_pkt() calculates checksum
-     * from too long region sometimes. See bug id 874 */
-    msg = calloc((packet_length + sizeof(struct ip)), 1);
-    memcpy(msg, (m->payload) + ip_hdr_size, packet_length);
-
-    if (protocol == IPPROTO_ICMP && incoming) {
-        icmp = (struct icmphdr *) msg;
-        HIP_DEBUG("incoming ICMP type=%d code=%d\n",
-                  icmp->type, icmp->code);
-        /* Manually built due to kernel messed up with the
-         * ECHO_REPLY message. Kernel was building an answer
-         * message with equals @src and @dst*/
-        if (icmp->type == ICMP_ECHO) {
-            icmp->type = ICMP_ECHOREPLY;
-            err        = hip_firewall_send_outgoing_pkt(dst_hit, src_hit,
-                                                        msg, packet_length,
-                                                        protocol);
-        } else {
-            err = hip_firewall_send_incoming_pkt(src_hit, dst_hit,
-                                                 msg, packet_length,
-                                                 protocol, ttl);
-        }
-    } else {
-        if (incoming) {
-            HIP_DEBUG("Firewall send to the kernel an incoming packet\n");
-            err = hip_firewall_send_incoming_pkt(src_hit,
-                                                 dst_hit, msg,
-                                                 packet_length,
-                                                 protocol, ttl);
-        } else {
-            HIP_DEBUG("Firewall send to the kernel an outgoing packet\n");
-            err = hip_firewall_send_outgoing_pkt(src_hit,
-                                                 dst_hit, msg,
-                                                 packet_length,
-                                                 protocol);
-        }
-    }
-
-    if (msg) {
-        free(msg);
-    }
-    return err;
-}

=== modified file 'firewall/lsi.h'
--- firewall/lsi.h      2010-05-26 10:28:47 +0000
+++ firewall/lsi.h      2010-06-08 07:28:34 +0000
@@ -31,18 +31,4 @@
 
 int hip_is_packet_lsi_reinjection(hip_lsi_t *lsi);
 
-int hip_reinject_packet(const struct in6_addr *src_hit,
-                        const struct in6_addr *dst_hit,
-                        const ipq_packet_msg_t *m,
-                        const int ipOrigTraffic,
-                        const int incoming);
-
-int hip_request_peer_hit_from_hipd_at_firewall(const struct in6_addr *peer_ip,
-                                               struct in6_addr *peer_hit,
-                                               const struct in6_addr 
*local_hit,
-                                               in_port_t *src_tcp_port,
-                                               in_port_t *dst_tcp_port,
-                                               int *fallback,
-                                               int *reject);
-
 #endif /* HIP_FIREWALL_LSI_H */

=== modified file 'firewall/user_ipsec_esp.c'
--- firewall/user_ipsec_esp.c   2010-06-01 15:27:26 +0000
+++ firewall/user_ipsec_esp.c   2010-06-08 07:28:34 +0000
@@ -88,6 +88,66 @@
     udp_hdr->check = 0;
 }
 
+/* XX TODO copy as much header information as possible */
+
+/** adds an IPv4-header to the packet
+ *
+ * @param ip_hdr        pointer to location where IPv4 header should be 
written to
+ * @param src_addr      IPv4 source address
+ * @param dst_addr      IPv4 destination address
+ * @param packet_len    packet length
+ * @param next_hdr      next header value
+ */
+static void add_ipv4_header(struct ip *ip_hdr, const struct in6_addr *src_addr,
+                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
+                     const uint8_t next_hdr)
+{
+    struct in_addr src_in_addr;
+    struct in_addr dst_in_addr;
+    IPV6_TO_IPV4_MAP(src_addr, &src_in_addr);
+    IPV6_TO_IPV4_MAP(dst_addr, &dst_in_addr);
+
+    // set changed values
+    ip_hdr->ip_v          = 4;
+    /* assume no options */
+    ip_hdr->ip_hl         = 5;
+    ip_hdr->ip_tos        = 0;
+    ip_hdr->ip_len        = packet_len;
+    /* assume that we have no fragmentation */
+    ip_hdr->ip_id         = 0;
+    ip_hdr->ip_off        = 0;
+    ip_hdr->ip_ttl        = 255;
+    ip_hdr->ip_p          = next_hdr;
+    ip_hdr->ip_sum        = 0;
+    ip_hdr->ip_src.s_addr = src_in_addr.s_addr;
+    ip_hdr->ip_dst.s_addr = dst_in_addr.s_addr;
+
+    /* recalculate the header checksum, does not include payload */
+    ip_hdr->ip_sum        = checksum_ip(ip_hdr, ip_hdr->ip_hl);
+}
+
+/** adds an IPv6-header to the packet
+ *
+ * @param ip6_hdr       pointer to location where IPv6 header should be 
written to
+ * @param src_addr      IPv6 source address
+ * @param dst_addr      IPv6 destination address
+ * @param packet_len    packet length
+ * @param next_hdr      next header value
+ */
+static void add_ipv6_header(struct ip6_hdr *ip6_hdr, const struct in6_addr 
*src_addr,
+                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
+                     const uint8_t next_hdr)
+{
+    ip6_hdr->ip6_flow = 0;     /* zero the version (4), TC (8) and flow-ID 
(20) */
+    /* set version to 6 and leave first 4 bits of TC at 0 */
+    ip6_hdr->ip6_vfc  = 0x60;
+    ip6_hdr->ip6_plen = htons(packet_len - sizeof(struct ip6_hdr));
+    ip6_hdr->ip6_nxt  = next_hdr;
+    ip6_hdr->ip6_hlim = 255;
+    memcpy(&ip6_hdr->ip6_src, src_addr, sizeof(struct in6_addr));
+    memcpy(&ip6_hdr->ip6_dst, dst_addr, sizeof(struct in6_addr));
+}
+
 /** creates a packet according to BEET mode ESP specification
  *
  * @param ctx                   packet context
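Review bot: `ip_hdr->ip_len = packet_len;` in add_ipv4_header stores the length in host byte order while add_ipv6_header stores `htons(packet_len - sizeof(struct ip6_hdr))`; if the IPv4 form relies on the raw-socket IP_HDRINCL convention on Linux, where the kernel treats ip_len as host order, the code should say so, e.g. `/* host byte order: relied on for IP_HDRINCL raw sockets, the kernel converts it */`, because otherwise the wire header and the checksum computed over it are wrong. The `@param packet_len packet length` line in both doc blocks should state that it is the total length including the IP header, since add_ipv6_header subtracts sizeof(struct ip6_hdr) from it and a value smaller than 40 would wrap in that unsigned subtraction before the htons(). Both functions are entirely inside the hunk.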
@@ -740,63 +800,3 @@
 out_err:
     return err;
 }
-
-/* XX TODO copy as much header information as possible */
-
-/** adds an IPv4-header to the packet
- *
- * @param ip_hdr        pointer to location where IPv4 header should be 
written to
- * @param src_addr      IPv4 source address
- * @param dst_addr      IPv4 destination address
- * @param packet_len    packet length
- * @param next_hdr      next header value
- */
-void add_ipv4_header(struct ip *ip_hdr, const struct in6_addr *src_addr,
-                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
-                     const uint8_t next_hdr)
-{
-    struct in_addr src_in_addr;
-    struct in_addr dst_in_addr;
-    IPV6_TO_IPV4_MAP(src_addr, &src_in_addr);
-    IPV6_TO_IPV4_MAP(dst_addr, &dst_in_addr);
-
-    // set changed values
-    ip_hdr->ip_v          = 4;
-    /* assume no options */
-    ip_hdr->ip_hl         = 5;
-    ip_hdr->ip_tos        = 0;
-    ip_hdr->ip_len        = packet_len;
-    /* assume that we have no fragmentation */
-    ip_hdr->ip_id         = 0;
-    ip_hdr->ip_off        = 0;
-    ip_hdr->ip_ttl        = 255;
-    ip_hdr->ip_p          = next_hdr;
-    ip_hdr->ip_sum        = 0;
-    ip_hdr->ip_src.s_addr = src_in_addr.s_addr;
-    ip_hdr->ip_dst.s_addr = dst_in_addr.s_addr;
-
-    /* recalculate the header checksum, does not include payload */
-    ip_hdr->ip_sum        = checksum_ip(ip_hdr, ip_hdr->ip_hl);
-}
-
-/** adds an IPv6-header to the packet
- *
- * @param ip6_hdr       pointer to location where IPv6 header should be 
written to
- * @param src_addr      IPv6 source address
- * @param dst_addr      IPv6 destination address
- * @param packet_len    packet length
- * @param next_hdr      next header value
- */
-void add_ipv6_header(struct ip6_hdr *ip6_hdr, const struct in6_addr *src_addr,
-                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
-                     const uint8_t next_hdr)
-{
-    ip6_hdr->ip6_flow = 0;     /* zero the version (4), TC (8) and flow-ID 
(20) */
-    /* set version to 6 and leave first 4 bits of TC at 0 */
-    ip6_hdr->ip6_vfc  = 0x60;
-    ip6_hdr->ip6_plen = htons(packet_len - sizeof(struct ip6_hdr));
-    ip6_hdr->ip6_nxt  = next_hdr;
-    ip6_hdr->ip6_hlim = 255;
-    memcpy(&ip6_hdr->ip6_src, src_addr, sizeof(struct in6_addr));
-    memcpy(&ip6_hdr->ip6_dst, dst_addr, sizeof(struct in6_addr));
-}

=== modified file 'firewall/user_ipsec_esp.h'
--- firewall/user_ipsec_esp.h   2010-06-01 15:27:26 +0000
+++ firewall/user_ipsec_esp.h   2010-06-08 07:28:34 +0000
@@ -47,11 +47,5 @@
 int hip_beet_mode_input(const hip_fw_context_t *ctx, hip_sa_entry_t *entry,
                         unsigned char *decrypted_packet,
                         uint16_t *decrypted_packet_len);
-void add_ipv4_header(struct ip *ip_hdr, const struct in6_addr *src_addr,
-                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
-                     const uint8_t next_hdr);
-void add_ipv6_header(struct ip6_hdr *ip6_hdr, const struct in6_addr *src_addr,
-                     const struct in6_addr *dst_addr, const uint16_t 
packet_len,
-                     const uint8_t next_hdr);
 
 #endif /* HIP_FIREWALL_USER_IPSEC_ESP_H*/

=== modified file 'firewall/user_ipsec_sadb.c'
--- firewall/user_ipsec_sadb.c  2010-06-01 15:11:10 +0000
+++ firewall/user_ipsec_sadb.c  2010-06-08 07:28:34 +0000
@@ -46,6 +46,13 @@
 /* the length of the hash value used for indexing */
 #define INDEX_HASH_LENGTH       SHA_DIGEST_LENGTH
 
+/* Structure for demultiplexing inbound ipsec packets, indexed by dst_addr and 
spi */
+typedef struct hip_link_entry {
+    struct in6_addr  dst_addr;        /* destination address of outer IP 
header */
+    uint32_t         spi;             /* ipsec spi, needed for demultiplexing 
incoming packets */
+    hip_sa_entry_t * linked_sa_entry; /* direct link to sa entry */
+} hip_link_entry_t;
+
 /* database storing the sa entries, indexed by src _and_ dst hits */
 HIP_HASHTABLE *sadb   = NULL;
 /* database storing shortcuts to sa entries for incoming packets */

=== modified file 'firewall/user_ipsec_sadb.h'
--- firewall/user_ipsec_sadb.h  2010-06-01 15:11:10 +0000
+++ firewall/user_ipsec_sadb.h  2010-06-08 07:28:34 +0000
@@ -68,14 +68,6 @@
     uint32_t               next_free;           /* next buffer entry to be 
used for cumulative packet auth */
 } hip_sa_entry_t;
 
-/* Structure for demultiplexing inbound ipsec packets, indexed by dst_addr and 
spi */
-typedef struct hip_link_entry {
-    struct in6_addr  dst_addr;        /* destination address of outer IP 
header */
-    uint32_t         spi;             /* ipsec spi, needed for demultiplexing 
incoming packets */
-    hip_sa_entry_t * linked_sa_entry; /* direct link to sa entry */
-} hip_link_entry_t;
-
-
 int hip_sadb_init(void);
 int hip_sadb_uninit(void);
 int hip_sadb_add(int direction,
