[hipl-dev] [Merge] lp:~hipl-core/hipl/opp-removal into lp:hipl
- From: René Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
- To: mp+45730@xxxxxxxxxxxxxxxxxx
- Date: Mon, 10 Jan 2011 18:30:49 -0000
René Hummen has proposed merging lp:~hipl-core/hipl/opp-removal into lp:hipl.
Requested reviews:
HIPL core team (hipl-core)
For more details, see:
https://code.launchpad.net/~hipl-core/hipl/opp-removal/+merge/45730
This branch aims at decreasing the code size of the project by removing
(mostly) unused opportunistic BEX functionality (handshake, where IPs are
known, but HITs are unkown). Specifically, it removes the oppdb and oppipdb
from hipd. Both databases were designed to minimize the delay introduced by
implementations of the opportunistic BEX mode of HIP. Furthermore, this branch
removes the opportunistic mode implementation in the firewall. As a result,
HIPL no longer supports triggering opportunistic HIP connections by
applications.
After applying this branch to trunk, HIPL should still support responding to an
opportunistic I1 as well as opportunistic registration with a HIP server.
NOTE: While the normal BEX is still fully functional, I did not check the
opportunistic mode due to not available setup.
--
https://code.launchpad.net/~hipl-core/hipl/opp-removal/+merge/45730
Your team HIPL core team is requested to review the proposed merge of
lp:~hipl-core/hipl/opp-removal into lp:hipl.
=== modified file 'Makefile.am'
--- Makefile.am 2010-12-28 18:47:10 +0000
+++ Makefile.am 2011-01-10 18:30:48 +0000
@@ -124,11 +124,6 @@
hipd_hipd_SOURCES += hipd/pisa.c
endif
-if HIP_OPPORTUNISTIC
-hipd_hipd_SOURCES += hipd/oppdb.c \
- hipd/oppipdb.c
-endif
-
firewall_hipfw_SOURCES = firewall/cache.c \
firewall/conntrack.c \
firewall/dlist.c \
@@ -146,7 +141,6 @@
firewall/port_bindings.c \
firewall/reinject.c \
firewall/rule_management.c \
- firewall/sysopp.c \
firewall/user_ipsec_api.c \
firewall/user_ipsec_esp.c \
firewall/user_ipsec_fw_msg.c \
=== modified file 'doc/HOWTO.xml.in'
--- doc/HOWTO.xml.in 2011-01-06 19:50:27 +0000
+++ doc/HOWTO.xml.in 2011-01-10 18:30:48 +0000
@@ -1056,29 +1056,7 @@
hipconf command also to @sysconfdir@/hipd_config and restart hipd.
</para>
</section>
- <section id="sec_advanced_methods">
- <title>Experimental Methods</title>
- <para>
- These methods are experimental. Use with care and only if you know
what you are doing!
- </para>
- <para>
- 1. Use the opportunistic mode as described in
- <xref linkend="opportunistic" />. This method works with both IPv4 and
- IPv6 applications. It does not require any HIP name configuration at
all.
- </para>
- <para>
- 1a. Running a single IPv6-enabled application using HIP:
<emphasis>hipconf run opp <EXECUTABLE></emphasis>
- </para>
- <para>
- 1b. Enabling HIP for all applications in bash shell (add to bashrc if
you want to set this permanently): <emphasis>export
LD_PRELOAD=libopphip.so:libhiptool.so</emphasis>
- </para>
- <para>
- 2. Use the system-based opportunistic mode as instructed in
- <xref linkend="sys_based_opp_mode" />. Does not require either
- any kind of HIP name configuration at all.
- </para>
- </section>
-
+
<section id="ch_tips_for_hip">
<title>Tips for Using HIP with Some Applications</title>
<section id="sec_using_hip_proxy">
@@ -2796,249 +2774,6 @@
<chapter id="ch_exp_extensions">
<title>Other Experimental HIP Extensions</title>
- <section id="opportunistic">
- <title>Using Opportunistic mode</title>
- <itemizedlist>
- <listitem><para>
- Opportunistic mode has two benefits. First, you don't have to know
- the HIT of the peer. This is makes HIP more suitable to "ad-hoc"
- environments where preconfiguration of HITs is difficult. Second, the
- opp. mode implementation allows the use of IPv4 addresses at the
- application. This way, even IPv4-only legacy applications can benefit
- from the security and mobility features of HIP.
- </para></listitem>
- <listitem><para>
- Opportunistic mode is compiled on by default. In order to use
Opportunistic mode enabled HIP, the following steps are needed:
- </para></listitem>
- <listitem><para>
- Move to top level of HIPL
- </para></listitem>
- <listitem><para>
- e.g. cd hipl
- </para></listitem>
- <listitem><para>
- Run autoreconf
- </para></listitem>
- <listitem><para>
- autoreconf --install
- </para></listitem>
- <listitem><para>
- Run configure
- </para></listitem>
- <listitem><para>
- ./configure
- </para></listitem>
- <listitem><para>
- Run make
- </para></listitem>
- <listitem><para>
- make
- </para></listitem>
- <listitem><para>
- Run make install
- </para></listitem>
- <listitem><para>
- make install
- </para></listitem>
- <listitem><para>
- Run hip daemon on both "crash" and "oops"
- </para></listitem>
- <listitem><para>
- hipd
- </para></listitem>
- <listitem><para>
- Use the hipconf tool to set up HIP Opportunistic mode on both
- hosts manually. "hipconf set opp on|off" is used to
- enable/disable opportunistic mode. By default it is on.
- </para></listitem>
- <listitem><para>
- Now the opportunistic mode is enabled. To test Opportunistic mode,
you need to remove crash's HITs and name from @sysconfdir@/hosts, and then
following the steps in <xref linkend="ch_basictest" />.
- </para></listitem>
- </itemizedlist>
-
- <para>
- HIPL supports also opportunistic mode that is uses TCP options to
- detect whether peer supports HIP or not. This is particularly
- useful in networking environments without HIP look up
- infrastructure (DNS/etc) and where the number of HIP hosts
- is small. This "advanced" version of the opportunistic mode
- enables fast and backwards compatible fallback to non-HIP
- communications for TCP connections when the peer does not support
- HIP. To use the opportunistic mode, start both the hipd and hipfw (e.g.
with option -A).
- Then instruct "hipconf set opp advanced" and use the opportunistic mode as
instructed
- earlier in this section.
-</para>
-
- <section id="efficient_HIP_detection">
- <title>Opportunistic mode with efficient detection of peer HIP
capability</title>
- <para>
- The normal HIP opportunistic mode experiences a delay when
- a HIP peer tries to communicate with a non-HIP peer. This happens
- because the initiator waits for a HIP response before falling
- back on normal TCP communication. The efficient detection of
- peer HIP capability enables us to detect peer HIP capability or
- the lack thereof. If we detect that the peer supports HIP, we
- continue the HIP opportunistic communication. Otherwise,
- communication falls back on plain TCP. Efficient detection of
- peer HIP capability is enabled with the second of the following
- commands.
- </para>
- <para>
- As an example, we run the HIP daemon first.
- </para>
- <para>
- 1. hipd
- </para>
- <para>
- Afterwards, we run the firewall as shown in the following command. The
- firewall is needed in case the peer does not support HIP, because it
- captures the incoming TCP SYN_ACK packet and notifies the HIPD of the
- lack of HIP support at the peer:
- </para>
- <para>
- 2. hipfw -dA
- </para>
- <para>
- Then, we enable efficient, undelayed detection of peer HIP
- capability with the following command:
- </para>
- <para>
- 3. hipconf set opp advanced
- </para>
- <para>
- To try the feature, we initiate a TCP connection using the HIP
- opportunistic library:
- </para>
- <para>
- 4. hipconf run opp wget IP-number
- </para>
- <para>
- One thing to stress here is that the receiver should also run the
- firewall and enable the efficient HIP opportunistic mode in order
- to be ensure being detected correctly. If this feature is not enabled
- at the receiver, correct detection depends on the relative latency of a
- TCP and a HIP packet.
- </para>
- <para>
- The enabling at the receiver is done by executing step 2 after
- the HIP daemon has started.
- </para>
- </section>
-
- <section id="sys_based_opp_mode">
- <title>System-based opportunistic mode (experimental)</title>
- <para>
- The system-based opportunistic mode enables HIP communication
- without the use of the opportunistic library. If the peer does
- not support HIP, communication falls back on normal TCP
- communication.
- </para>
- <para>
- The system-based opportunistic mode is implemented at the HIP
- firewall. It is enabled with the -o option as shown below:
- </para>
- <para>
- hipfw -dAo
- </para>
- <para>
- Following is an example of all the steps to be followed at two peers
- for using the system-based opportunistic mode between them.
- </para>
- <para>
- At the responder, one can execute these steps:
- </para>
- <para>
- 1. hipd
- </para>
- <para>
- 2. hipfw -Aod
- </para>
- <para>
- 3. nc -l 1111
- </para>
- <para>
- At the initiator, one can execute these steps:
- </para>
- <para>
- 1. hipd
- </para>
- <para>
- 2. hipfw -dAo
- </para>
- <para>
- 3. nc <responder-ip> 1111
- </para>
- </section>
-
-<!--
- <section>
-
- <title>Accessing the kernel peer list</title>
- <itemizedlist>
- <listitem>
- <para>You can access the kernel's list of known HIP peers using the
native
- getendpointinfo name resolution interface.</para>
- </listitem>
- <listitem>
- <para>By default, the interface first checks the @sysconfdir@/hosts
file for
- a matching host. If one is not found, the kernel is queried for its
- list of known HIP peers and the list is examined for matches.</para>
- </listitem>
- <listitem>
- <para>To only check the kernel list, set the hints.ei_flags to
- AI_HIP | AI_KERNEL_LIST. This will use only the kernel list and will
- not check the hosts file.</para>
- </listitem>
- <listitem>
- <para>To retrieve the list of known peers from the kernel, set the
- hints.ei_flags to AI_HIP | AI_KERNEL_LIST and the nodename to NULL.
- This will query the kernel for the list and return the entire
- list.</para>
- </listitem>
- </itemizedlist>
- </section>
--->
-
-
- <section id="ch_datapacket_mode">
- <title>Data packet mode (experimental)</title>
-
- <para>
- HIPL supports the extensions defined in
- <ulink url="http://tools.ietf.org/html/draft-nikander-hip-hiccups"; />.
Support for the extensions
- is very experimental and may not interoperate with other extensions in
HIPL. The data packet mode does not
- support sequence numbers, UDP encapsulation nor switching to ESP yet.
Next, we'll give an example how to try out the extension:
- </para>
-
- <para>
- Start HIP software as follows both at the client and server host:
- </para>
-
-<programlisting>
-# hipd -k
-# hipfw -Aid
-# hipconf datapacket on
-</programlisting>
-
- <para>
- Notice that the last command can be also configured to
@sysconfdir@/hipd_config
- </para>
-
- <para>
- Then execute at the client:
- </para>
-
-<programlisting>
-ping6 <HIT_OF_THE_SERVER>
-</programlisting>
-
- <para>
- Please do not take <HIT_OF_THE_SERVER> literally. You should replace
it with the
- actual HIT of the server.
- </para>
- </section>
- </section>
-
<section id="ch_shotgun">
<title>"Shotgun" Extension</title>
=== modified file 'firewall/cache.c'
--- firewall/cache.c 2011-01-09 22:18:11 +0000
+++ firewall/cache.c 2011-01-10 18:30:48 +0000
@@ -63,7 +63,7 @@
*
* @return the allocated cache entry
*/
-struct hip_hadb_user_info_state *hip_cache_create_hl_entry(void)
+static struct hip_hadb_user_info_state *hip_cache_create_hl_entry(void)
{
struct hip_hadb_user_info_state *entry = NULL;
int err = 0;
@@ -232,25 +232,6 @@
}
/**
- * Delete a database entry identified by HITs, LSIs or IPs
- *
- * @param local local identifier or locator (optional)
- * @param peer peer identifier or locator
- * @param type whether the parameters are HITs, LSIs or IPs
- */
-void hip_firewall_cache_db_del_entry(const void *local, const void *peer,
- enum fw_cache_query_type type)
-{
- struct hip_hadb_user_info_state *entry;
-
- entry = hip_firewall_cache_db_match(local, peer, type, 0);
- if (entry) {
- hip_ht_delete(firewall_cache_db, entry);
- free(entry);
- }
-}
-
-/**
* Generate the hash information that is used to index the cache table
*
* @param ptr pointer to the hit used to make the hash
@@ -353,44 +334,3 @@
out_err:
return err;
}
-
-/**
- * Update the HIT and state information of an entry identified by a pair
- * of IP addresses. Used for opportunistic base exchange.
- *
- * @param ip_our local IP to search for (optional)
- * @param ip_peer peer IP to search for
- * @param hit_our new local hit (optional)
- * @param hit_peer new peer hit (optional)
- * @param state new state
- * @return 0 on success, negative on error
- */
-
-int hip_firewall_cache_update_entry(const struct in6_addr *ip_our,
- const struct in6_addr *ip_peer,
- const struct in6_addr *hit_our,
- const struct in6_addr *hit_peer,
- int state)
-{
- int err = 0;
- struct hip_hadb_user_info_state *entry;
-
- HIP_IFEL(!ip_peer, -1, "Need peer IP to search\n");
-
- entry = hip_firewall_cache_db_match(ip_our, ip_peer, FW_CACHE_IP, 0);
- HIP_IFEL(!entry, -1, "No cache entry found\n");
-
- if (hit_our) {
- ipv6_addr_copy(&entry->hit_our, hit_our);
- }
- if (hit_peer) {
- /* A hash of the peer HIT is used as the key. Re-add to update. */
- hip_ht_delete(firewall_cache_db, entry);
- ipv6_addr_copy(&entry->hit_peer, hit_peer);
- hip_ht_add(firewall_cache_db, entry);
- }
- entry->state = state;
-
-out_err:
- return err;
-}
=== modified file 'firewall/cache.h'
--- firewall/cache.h 2011-01-04 13:57:31 +0000
+++ firewall/cache.h 2011-01-10 18:30:48 +0000
@@ -38,23 +38,12 @@
enum
fw_cache_query_type type,
int query_daemon);
-void hip_firewall_cache_db_del_entry(const void *local, const void *peer,
- enum fw_cache_query_type type);
-
void hip_firewall_cache_init_hldb(void);
-struct hip_hadb_user_info_state *hip_cache_create_hl_entry(void);
-
void hip_firewall_cache_delete_hldb(int);
int hip_firewall_cache_set_bex_state(const struct in6_addr *hit_s,
const struct in6_addr *hit_r,
int state);
-int hip_firewall_cache_update_entry(const struct in6_addr *ip_our,
- const struct in6_addr *ip_peer,
- const struct in6_addr *hit_our,
- const struct in6_addr *hit_peer,
- int state);
-
#endif /* HIP_FIREWALL_CACHE_H */
=== modified file 'firewall/firewall.c'
--- firewall/firewall.c 2011-01-10 10:14:22 +0000
+++ firewall/firewall.c 2011-01-10 18:30:48 +0000
@@ -98,15 +98,13 @@
#include "rule_management.h"
#include "user_ipsec_api.h"
#include "firewall.h"
-#include "sysopp.h"
/* packet types handled by the firewall */
#define OTHER_PACKET 0
#define HIP_PACKET 1
#define ESP_PACKET 2
-#define TCP_PACKET 3
-#define FW_PROTO_NUM 4 /* number of packet types */
+#define FW_PROTO_NUM 3 /* number of packet types */
/* location of the lock file */
#define HIP_FIREWALL_LOCK_FILE HIPL_LOCKDIR "/hip_firewall.lock"
@@ -145,7 +143,6 @@
int filter_traffic = HIP_FW_FILTER_TRAFFIC_BY_DEFAULT;
int hip_kernel_ipsec_fallback = 0;
int hip_lsi_support = 0;
-int system_based_opp_mode = 0;
int esp_relay = 0;
int hip_esp_protection = 0;
#ifdef CONFIG_HIP_MIDAUTH
@@ -194,7 +191,6 @@
printf(" -I = as -i, also allow fallback to kernel ipsec when exiting
hipfw\n");
printf(" -e = use esp protection extension (also sets -i)\n");
printf(" -l = activate lsi support\n");
- printf(" -o = system-based opportunistic mode\n\n");
printf(" -p = run with lowered priviledges. iptables rules will not
be flushed on exit\n");
printf(" -h = print this help\n");
#ifdef CONFIG_HIP_MIDAUTH
@@ -413,31 +409,9 @@
}
/**
- * Initialize packet capture rules for system-based opportunistic mode
+ * Initialize all basic and extended packet capture rules
*
* @return zero on success and non-zero on failure
- */
-static int hip_fw_init_system_based_opp_mode(void)
-{
- int err = 0;
-
- if (system_based_opp_mode) {
- system_print("iptables -N HIPFWOPP-INPUT");
- system_print("iptables -N HIPFWOPP-OUTPUT");
-
- system_print("iptables -I HIPFW-OUTPUT ! -d 127.0.0.1 -j QUEUE");
- system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j QUEUE");
-
- system_print("iptables -I HIPFW-INPUT -j HIPFWOPP-INPUT");
- system_print("iptables -I HIPFW-OUTPUT -j HIPFWOPP-OUTPUT");
- }
-
- return err;
-}
-
-
-/*
- * Initialize rules for filtering traffic
*
*/
static void firewall_init_filter_traffic(void)
@@ -512,7 +486,6 @@
firewall_init_filter_traffic();
- HIP_IFEL(hip_fw_init_system_based_opp_mode(), -1, "failed to load
extension\n");
HIP_IFEL(hip_fw_init_lsi_support(), -1, "failed to load extension\n");
HIP_IFEL(hip_fw_init_userspace_ipsec(), -1, "failed to load extension\n");
HIP_IFEL(hip_fw_init_esp_prot(), -1, "failed to load extension\n");
@@ -568,33 +541,6 @@
esp_relay = 0;
}
-/**
- * Uninitialize packet capture rules for system-based opportunistic mode
- *
- * @return zero on success and non-zero on failure
- */
-static int hip_fw_uninit_system_based_opp_mode(void)
-{
- int err = 0;
-
- if (system_based_opp_mode) {
- system_based_opp_mode = 0;
-
- system_print("iptables -D HIPFW-INPUT -j HIPFWOPP-INPUT");
- system_print("iptables -D HIPFW-OUTPUT -j HIPFWOPP-OUTPUT");
-
- system_print("iptables -D HIPFW-OUTPUT ! -d 127.0.0.1 -j QUEUE");
- system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j QUEUE");
-
- system_print("iptables -F HIPFWOPP-INPUT");
- system_print("iptables -F HIPFWOPP-OUTPUT");
- system_print("iptables -X HIPFWOPP-INPUT");
- system_print("iptables -X HIPFWOPP-OUTPUT");
- }
-
- return err;
-}
-
/*-------------------HELPER FUNCTIONS---------------------*/
/**
@@ -686,7 +632,6 @@
hip_firewall_cache_delete_hldb(1);
hip_port_bindings_uninit();
- hip_fw_uninit_system_based_opp_mode();
hip_fw_flush_iptables();
/* rules have to be removed first, otherwise HIP packets won't pass through
* at this time any more */
@@ -1080,61 +1025,9 @@
}
/*
- * Handle packet capture for outbound HIP packets. The rules are as follows:
- *
- * Output:
- *
- * - HIP:
- * 1. default rule checks for hip
- * 1. filter_hip
- *
- * - ESP:
- * 1. default rule checks for esp
- * 2. filter_esp
- *
- * - TCP:
- * 1. default rule checks for non-hip
- * 2.
- * - destination is hit (userspace ipsec output)
- * - destination is lsi (lsi output)
- * - destination not hit or lsi
- * 1. opp tcp filtering (TBD)
- *
- * - Other
- * - Same as with TCP except no opp tcp filtering
- *
- * Input:
- *
- * - HIP:
- * 1. default rule checks for hip
- * 2. filter_hip
- *
- * - ESP:
- * 1. default rule checks for hip
- * 2. filter_esp
- * 3. userspace_ipsec input
- * 4. lsi input
- *
- * - Other:
- * - Same as with TCP except no opp tcp input
- *
- * - TCP:
- * 1. default rule checks for non-hip
- * 2. opp tcp input
- *
- * Forward:
- *
- * - HIP:
- * 1. None
- *
- * - ESP:
- * 1. None
- *
- * - TCP:
- * 1. Proxy input
- *
- * - Other:
- * 2. Proxy input
+ * Handle packet capture for outbound HIP packets.
+ *
+ * @note hooks HIP message filtering.
*
* @param ctx packet context
*
@@ -1143,7 +1036,7 @@
static int hip_fw_handle_hip_output(struct hip_fw_context *ctx){
int verdict = accept_hip_esp_traffic_by_default;
- HIP_DEBUG("hip_fw_handle_hip_output \n");
+ HIP_DEBUG("\n");
if (filter_traffic) {
verdict = filter_hip(&ctx->src,
@@ -1162,7 +1055,9 @@
}
/**
- * Process an ESP packet from the outbound packet queue
+ * Process an ESP packet from the outbound packet queue.
+ *
+ * @note hooks ESP filtering
*
* @param ctx the packet context
*
@@ -1184,7 +1079,9 @@
}
/**
- * Process an ESP packet from the outbound packet capture queue
+ * Process any other packet from the outbound packet capture queue
+ *
+ * @note hooks userspace IPsec and LSI
*
* @param ctx the packet context
*
@@ -1205,14 +1102,11 @@
// check if this is a reinjected packet
if (def_hit && IN6_ARE_ADDR_EQUAL(&ctx->dst, def_hit)) {
// let the packet pass through directly
- verdict = 1;
+ verdict = ACCEPT;
} else {
- // distinguish ipsec and data mode here
- if (hip_userspace_ipsec) {
- verdict = !hip_fw_userspace_ipsec_output(ctx);
- }
+ verdict = !hip_fw_userspace_ipsec_output(ctx);
}
- } else if (ctx->ip_version == 4) {
+ } else if (ctx->ip_version == 4 && hip_lsi_support) {
hip_lsi_t src_lsi, dst_lsi;
IPV6_TO_IPV4_MAP(&(ctx->src), &src_lsi);
@@ -1221,15 +1115,12 @@
/* LSI HOOKS */
if (IS_LSI32(dst_lsi.s_addr) && hip_lsi_support) {
if (hip_is_packet_lsi_reinjection(&dst_lsi)) {
- verdict = 1;
+ verdict = ACCEPT;
} else {
hip_fw_handle_outgoing_lsi(ctx->ipq_packet,
&src_lsi, &dst_lsi);
- verdict = 0; /* Reject the packet */
+ verdict = DROP; /* Reject the packet */
}
- } else if (system_based_opp_mode) {
- verdict = hip_fw_handle_outgoing_system_based_opp(ctx,
- accept_normal_traffic_by_default);
}
}
@@ -1239,22 +1130,10 @@
}
/**
- * Process a TCP packet from the outbound packet capture queue
- *
- * @param ctx the packet context
- *
- * @return the verdict (1 for pass and 0 for drop)
- */
-static int hip_fw_handle_tcp_output(struct hip_fw_context *ctx)
-{
- HIP_DEBUG("\n");
-
- return hip_fw_handle_other_output(ctx);
-}
-
-/**
* Process a HIP packet from the forward packet capture queue
*
+ * @note hooks middlebox authentication
+ *
* @param ctx the packet context
*
* @return the verdict (1 for pass and 0 for drop)
@@ -1274,93 +1153,17 @@
return hip_fw_handle_hip_output(ctx);
}
-/**
- * Process an ESP packet from the forward packet capture queue
- *
- * @param ctx the packet context
- *
- * @return the verdict (1 for pass and 0 for drop)
- */
-static int hip_fw_handle_esp_forward(struct hip_fw_context *ctx)
-{
- int verdict = accept_hip_esp_traffic_by_default;
-
- HIP_DEBUG("\n");
- if (filter_traffic) {
- // check if this belongs to one of the connections pass through
- verdict = filter_esp(ctx);
- } else {
- verdict = ACCEPT;
- }
-
- return verdict;
-}
-
-/**
- * Process a TCP packet from the forward packet capture queue
- *
- * @param ctx the packet context, required because of the handler format
- *
- * @return the verdict (1 for pass and 0 for drop)
- */
-static int hip_fw_handle_tcp_forward(UNUSED struct hip_fw_context *ctx)
-{
- HIP_DEBUG("\n");
-
- return 0;
-}
-
-/**
- * Process another (not HIP, ESP, TCP) packet from the inbound packet
- * capture queue. May result in LSI or SysOPP Transformation.
- *
- * @param ctx the packet context
- *
- * @return the verdict (1 for pass and 0 for drop)
- */
-static int hip_fw_handle_other_input(struct hip_fw_context *ctx)
-{
- int verdict = accept_normal_traffic_by_default;
- int ip_hits = ipv6_addr_is_hit(&ctx->src) &&
- ipv6_addr_is_hit(&ctx->dst);
-
- HIP_DEBUG("\n");
-
- if (ip_hits) {
- if (hip_lsi_support || system_based_opp_mode) {
- verdict = hip_fw_handle_incoming_hit(ctx->ipq_packet,
- &ctx->src,
- &ctx->dst,
- hip_lsi_support);
- }
- }
-
- /* No need to check default rules as it is handled by the
- * iptables rules */
- return verdict;
-}
-
-/**
- * Process a HIP packet from the input packet capture queue
- *
- * @param ctx the packet context
- *
- * @return the verdict (1 for pass and 0 for drop)
- */
-static int hip_fw_handle_hip_input(struct hip_fw_context *ctx)
-{
- int verdict = accept_hip_esp_traffic_by_default;
-
- HIP_DEBUG("hip_fw_handle_hip_input()\n");
-
- verdict = hip_fw_handle_hip_output(ctx);
-
- return verdict;
-}
+/* hip_fw_handle_esp_forward is the same as hip_fw_handle_esp_output */
+
+/* no need for hip_fw_handle_other_forward */
+
+/* hip_fw_handle_hip_input is the same as hip_fw_handle_hip_output */
/**
* Process an ESP packet from the inbound packet capture queue
*
+ * @note hooks ESP filtering and userspace IPsec
+ *
* @param ctx the packet context
*
* @return the verdict (1 for pass and 0 for drop)
@@ -1379,8 +1182,6 @@
}
if (verdict && hip_userspace_ipsec) {
- HIP_DEBUG("userspace ipsec input\n");
- // added by Tao Wan
verdict = !hip_fw_userspace_ipsec_input(ctx);
}
@@ -1388,26 +1189,32 @@
}
/**
- * Process a TCP packet from the inbound packet capture queue
+ * Process any other packet from the inbound packet capture queue.
+ *
+ * @note hooks LSI
*
* @param ctx the packet context
*
* @return the verdict (1 for pass and 0 for drop)
*/
-static int hip_fw_handle_tcp_input(struct hip_fw_context *ctx)
+static int hip_fw_handle_other_input(struct hip_fw_context *ctx)
{
int verdict = accept_normal_traffic_by_default;
HIP_DEBUG("\n");
- // any incoming plain TCP packet might be an opportunistic I1
- HIP_DEBUG_HIT("hit src", &ctx->src);
- HIP_DEBUG_HIT("hit dst", &ctx->dst);
-
- // as we should never receive TCP with HITs, this will only apply
- // to IPv4 TCP
- verdict = hip_fw_handle_other_input(ctx);
-
+ if (ipv6_addr_is_hit(&ctx->src) &&
+ ipv6_addr_is_hit(&ctx->dst) &&
+ hip_lsi_support) {
+
+ verdict = hip_fw_handle_incoming_hit(ctx->ipq_packet,
+ &ctx->src,
+ &ctx->dst,
+ hip_lsi_support);
+ }
+
+ /* No need to check default rules as it is handled by the
+ * iptables rules */
return verdict;
}
@@ -1429,20 +1236,16 @@
// funtion pointers for the respective packet handlers
fw_handlers[NF_IP_LOCAL_IN][OTHER_PACKET] = hip_fw_handle_other_input;
- fw_handlers[NF_IP_LOCAL_IN][HIP_PACKET] = hip_fw_handle_hip_input;
+ fw_handlers[NF_IP_LOCAL_IN][HIP_PACKET] = hip_fw_handle_hip_output;
fw_handlers[NF_IP_LOCAL_IN][ESP_PACKET] = hip_fw_handle_esp_input;
- fw_handlers[NF_IP_LOCAL_IN][TCP_PACKET] = hip_fw_handle_tcp_input;
fw_handlers[NF_IP_LOCAL_OUT][OTHER_PACKET] = hip_fw_handle_other_output;
fw_handlers[NF_IP_LOCAL_OUT][HIP_PACKET] = hip_fw_handle_hip_output;
fw_handlers[NF_IP_LOCAL_OUT][ESP_PACKET] = hip_fw_handle_esp_output;
- fw_handlers[NF_IP_LOCAL_OUT][TCP_PACKET] = hip_fw_handle_tcp_output;
//apply rules for forwarded hip and esp traffic
fw_handlers[NF_IP_FORWARD][HIP_PACKET] = hip_fw_handle_hip_forward;
- fw_handlers[NF_IP_FORWARD][ESP_PACKET] = hip_fw_handle_esp_forward;
- //do not drop those files by default
- fw_handlers[NF_IP_FORWARD][TCP_PACKET] = hip_fw_handle_tcp_forward;
+ fw_handlers[NF_IP_FORWARD][ESP_PACKET] = hip_fw_handle_esp_output;
HIP_DEBUG("Enabling forwarding for IPv4 and IPv6\n");
system_print("echo 1 >/proc/sys/net/ipv4/conf/all/forwarding");
@@ -1483,7 +1286,6 @@
* Currently supported types: type
* - plain HIP control packet 1
* - ESP packet 2
- * - TCP packet 3 (for opportunistic TCP handshake)
*
* Unsupported types -> type 0
*
@@ -1496,7 +1298,7 @@
const unsigned char *buf,
const int ip_version)
{
- int ip_hdr_len, err = 0;
+ int err = 0;
// length of packet starting at udp header
uint16_t udp_len = 0;
struct udphdr *udphdr = NULL;
@@ -1529,10 +1331,9 @@
/* ip_hl is given in multiple of 4 bytes
*
* NOTE: not sizeof(struct ip) as we might have options */
- ip_hdr_len = (iphdr->ip_hl * 4);
- // needed for opportunistic TCP
- ctx->ip_hdr_len = ip_hdr_len;
- HIP_DEBUG("ip_hdr_len is: %d\n", ip_hdr_len);
+ ctx->ip_hdr_len = (iphdr->ip_hl * 4);
+
+ HIP_DEBUG("ip_hdr_len is: %d\n", ctx->ip_hdr_len);
HIP_DEBUG("total length: %u\n", ntohs(iphdr->ip_len));
HIP_DEBUG("ttl: %u\n", iphdr->ip_ttl);
HIP_DEBUG("packet length (ipq): %u\n", ctx->ipq_packet->data_len);
@@ -1553,7 +1354,7 @@
ctx->packet_type = HIP_PACKET;
ctx->transport_hdr.hip = (struct hip_common *)
- (((char *) iphdr) + ip_hdr_len);
+ (((char *) iphdr) + ctx->ip_hdr_len);
goto end_init;
} else if (iphdr->ip_p == IPPROTO_ESP) {
@@ -1562,19 +1363,7 @@
ctx->packet_type = ESP_PACKET;
ctx->transport_hdr.esp = (struct hip_esp *)
- (((char *) iphdr) + ip_hdr_len);
-
- goto end_init;
- } else if (iphdr->ip_p == IPPROTO_TCP) {
- // this might be a TCP packet for opportunistic mode
- HIP_DEBUG("plain TCP packet\n");
-
- ctx->packet_type = TCP_PACKET;
- ctx->transport_hdr.tcp = (struct tcphdr*)
- (((char *) iphdr) + ip_hdr_len);
-
- HIP_DEBUG("src port: %u\n", ntohs(ctx->transport_hdr.tcp->source));
- HIP_DEBUG("dst port: %u\n", ntohs(ctx->transport_hdr.tcp->dest));
+ (((char *) iphdr) + ctx->ip_hdr_len);
goto end_init;
} else if (iphdr->ip_p != IPPROTO_UDP) {
@@ -1587,7 +1376,7 @@
// need UDP header to look for encapsulated ESP
udp_len = ntohs(iphdr->ip_len);
udphdr = ((struct udphdr *)
- (((char *) iphdr) + ip_hdr_len));
+ (((char *) iphdr) + ctx->ip_hdr_len));
// add UDP header to context
ctx->udp_encap_hdr = udphdr;
@@ -1597,10 +1386,8 @@
ctx->ip_hdr.ipv6 = ip6_hdr;
// Ipv6 has fixed header length
- ip_hdr_len = sizeof(struct ip6_hdr);
- // needed for opportunistic TCP
- ctx->ip_hdr_len = ip_hdr_len;
- HIP_DEBUG("ip_hdr_len is: %d\n", ip_hdr_len);
+ ctx->ip_hdr_len = sizeof(struct ip6_hdr);
+ HIP_DEBUG("ip_hdr_len is: %d\n", ctx->ip_hdr_len);
HIP_DEBUG("payload length: %u\n", ntohs(ip6_hdr->ip6_plen));
HIP_DEBUG("ttl: %u\n", ip6_hdr->ip6_hlim);
HIP_DEBUG("packet length (ipq): %u\n", ctx->ipq_packet->data_len);
@@ -1634,18 +1421,6 @@
(((char *) ip6_hdr) + sizeof(struct ip6_hdr));
goto end_init;
- } else if (ip6_hdr->ip6_nxt == IPPROTO_TCP) {
- // this might be a TCP packet for opportunistic mode
- HIP_DEBUG("plain TCP packet\n");
-
- ctx->packet_type = TCP_PACKET;
- ctx->transport_hdr.tcp = (struct tcphdr*)
- (((char *) ip6_hdr) + sizeof(struct
ip6_hdr));
-
- HIP_DEBUG("src port: %u\n", ntohs(ctx->transport_hdr.tcp->source));
- HIP_DEBUG("dst port: %u\n", ntohs(ctx->transport_hdr.tcp->dest));
-
- goto end_init;
} else if (ip6_hdr->ip6_nxt != IPPROTO_UDP) {
// if it's not UDP either, it's unsupported
HIP_DEBUG("some other packet\n");
@@ -1663,7 +1438,7 @@
* -> handle this */
udp_len = ntohs(ip6_hdr->ip6_plen);
udphdr = ((struct udphdr *)
- (((char *) ip6_hdr) + ip_hdr_len));
+ (((char *) ip6_hdr) + ctx->ip_hdr_len));
// add udp header to context
ctx->udp_encap_hdr = udphdr;
@@ -1988,7 +1763,7 @@
hip_set_logdebug(LOGDEBUG_ALL);
- while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmopvV")) != -1) {
+ while ((ch = getopt(argc, argv, "aAbcdef:FhHiIklmpvV")) != -1) {
switch (ch) {
case 'A':
accept_hip_esp_traffic_by_default = 1;
@@ -2037,9 +1812,6 @@
use_midauth = 1;
break;
#endif
- case 'o':
- system_based_opp_mode = 1;
- break;
case 'p':
limit_capabilities = 1;
break;
@@ -2111,7 +1883,7 @@
"connecting socket failed\n");
/* Starting hipfw does not always work when hipfw starts first -miika */
- if (hip_userspace_ipsec || hip_lsi_support || system_based_opp_mode) {
+ if (hip_userspace_ipsec || hip_lsi_support) {
hip_fw_wait_for_hipd();
}
=== modified file 'firewall/firewall_control.c'
--- firewall/firewall_control.c 2010-11-30 14:50:30 +0000
+++ firewall/firewall_control.c 2011-01-10 18:30:48 +0000
@@ -49,7 +49,6 @@
#include "firewall.h"
#include "user_ipsec_fw_msg.h"
#include "firewall_control.h"
-#include "sysopp.h"
/**
* Change the state of hadb state cache in the firewall
@@ -131,11 +130,6 @@
HIP_IFEL(handle_sa_flush_all_request(), -1,
"hip userspace sadb flush all did NOT succeed\n");
break;
- case HIP_MSG_GET_PEER_HIT:
- if (system_based_opp_mode) {
- err = hip_fw_sys_opp_set_peer_hit(msg);
- }
- break;
case HIP_MSG_TURN_INFO:
break;
case HIP_MSG_RESET_FIREWALL_DB:
=== removed file 'firewall/sysopp.c'
--- firewall/sysopp.c 2011-01-04 14:10:46 +0000
+++ firewall/sysopp.c 1970-01-01 00:00:00 +0000
@@ -1,226 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-/**
- * @file
- * System-based opportunistic mode for HIP. In contrast to the library-based
- * opportunistic mode, this code hooks by iptables instead of LD_PRELOAD.
- * See the following papers for more information:
- *
- * - <a href="http://hipl.hiit.fi/hipl/thesis_teresa_finez.pdf";>T. Finez,
- * Backwards Compatibility Experimentation with Host Identity Protocol
- * and Legacy Software and Networks , final project, December 2008</a>
- * - <a href="http://www.iki.fi/miika/docs/ccnc09.pdf";>
- * Miika Komu and Janne Lindqvist, Leap-of-Faith Security is Enough
- * for IP Mobility, 6th Annual IEEE Consumer
- * Communications & Networking Conference IEEE CCNC 2009, Las Vegas,
- * Nevada, January 2009</a>
- *
- * @brief System-based opportunistic mode for HIP
- * @author Teresa Finez
- * @author Miika Komu <miika@xxxxxx>
- */
-
-#define _BSD_SOURCE
-
-#include <arpa/inet.h>
-#include <sys/socket.h>
-
-#include "lib/core/builder.h"
-#include "lib/core/hostid.h"
-#include "lib/core/ife.h"
-#include "lib/core/message.h"
-#include "lib/core/prefix.h"
-#include "cache.h"
-#include "firewall.h"
-#include "helpers.h"
-#include "lsi.h"
-#include "sysopp.h"
-
-/**
- * flush iptables rules for system-based opportunistic mode
- */
-void hip_fw_flush_system_based_opp_chains(void)
-{
- system_print("iptables -F HIPFWOPP-INPUT");
- system_print("iptables -F HIPFWOPP-OUTPUT");
-}
-
-/**
- * Ask hipd to contact a peer in opportunistic mode
- *
- * @param peer_ip IP address of the peer
- * @param local_hit local HIT to use
- *
- */
-static int hip_fw_trigger_opportunistic_bex(const struct in6_addr *peer_ip,
- const struct in6_addr *local_hit)
-{
- struct hip_common *msg = NULL;
- int err = 0;
-
- HIP_IFE(!(msg = hip_msg_alloc()), -1);
-
- /* build the message header */
- HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_GET_PEER_HIT, 0),
- -1, "build hdr failed\n");
-
- HIP_IFEL(hip_build_param_contents(msg, local_hit,
- HIP_PARAM_HIT_LOCAL,
- sizeof(struct in6_addr)),
- -1, "build param HIP_PARAM_HIT failed\n");
-
- HIP_IFEL(hip_build_param_contents(msg, peer_ip,
- HIP_PARAM_IPV6_ADDR_PEER,
- sizeof(struct in6_addr)),
- -1, "build param HIP_PARAM_IPV6_ADDR failed\n");
-
- /* this message has to be delivered with the async socket because
- * opportunistic mode responds asynchronously */
- HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock),
- -1, "send msg failed\n");
-
-out_err:
- free(msg);
- return err;
-}
-
-/**
- * Add a by-pass rule to skip opportunistic processing for a peer
- * that was found non-HIP capable. Offers a significant speed up.
- *
- * @param ctx the packet context
- * @param verdict the verdict to assign for the packet
- */
-static void hip_fw_add_non_hip_peer(const struct hip_fw_context *ctx,
- const int verdict)
-{
- char command[64];
- char addr_str[INET_ADDRSTRLEN];
- struct in_addr addr_v4;
-
- IPV6_TO_IPV4_MAP(&ctx->dst, &addr_v4);
-
- if (!inet_ntop(AF_INET, &addr_v4, addr_str,
- sizeof(struct sockaddr_in))) {
- HIP_ERROR("inet_ntop() failed\n");
- return;
- }
-
- HIP_DEBUG("Adding rule for non-hip-capable peer: %s\n", addr_str);
-
- snprintf(command, sizeof(command),
- "iptables -I HIPFWOPP-INPUT -s %s -j %s",
- addr_str, verdict ? "ACCEPT" : "DROP");
- system_print(command);
-
- snprintf(command, sizeof(command),
- "iptables -I HIPFWOPP-OUTPUT -d %s -j %s",
- addr_str, verdict ? "ACCEPT" : "DROP");
- system_print(command);
-
- /* The cache entry is no longer necessary. Let's free it. */
- hip_firewall_cache_db_del_entry(&ctx->src, &ctx->dst, FW_CACHE_IP);
-}
-
-/**
- * Checks if the outgoing packet has already ESTABLISHED
- * the Base Exchange with the peer host. In case the BEX
- * is not done, it triggers it. Otherwise, it looks up
- * in the local database the necessary information for
- * doing the packet reinjection with HITs.
- *
- * @param *ctx the contect of the packet
- * @param default_verdict default verdict for the packet
- * @return the verdict for the packet
- */
-int hip_fw_handle_outgoing_system_based_opp(const struct hip_fw_context *ctx,
- const int default_verdict)
-{
- struct hip_hadb_user_info_state *entry_peer = NULL;
- int verdict;
-
- HIP_DEBUG("\n");
-
- if (hip_firewall_cache_db_match(&ctx->dst, &ctx->src, FW_CACHE_IP, 0)) {
- /* Peer is src and we are dst on an outgoing packet. */
- HIP_DEBUG("Packet is reinjection.\n");
- return 1;
- }
-
- entry_peer = hip_firewall_cache_db_match(&ctx->src, &ctx->dst,
- FW_CACHE_IP, 1);
-
- if (entry_peer) {
- if (entry_peer->state == HIP_STATE_ESTABLISHED &&
- !ipv6_addr_cmp(hip_fw_get_default_hit(), &entry_peer->hit_our)) {
- hip_reinject_packet(&entry_peer->hit_our, &entry_peer->hit_peer,
- ctx->ipq_packet, 4, 0);
- verdict = 0;
- } else if (entry_peer->state == HIP_STATE_FAILED) {
- hip_fw_add_non_hip_peer(ctx, default_verdict);
- verdict = default_verdict;
- } else {
- verdict = 0;
- }
- } else {
- HIP_DEBUG("Initiate bex at firewall\n");
- hip_fw_trigger_opportunistic_bex(&ctx->dst, hip_fw_get_default_hit());
- verdict = 0;
- }
-
- return verdict;
-}
-
-/**
- * based on the parameters in a message, assign the HITs and IP addresses
- * to a given firewall entry
- *
- * @param msg the message containing HITs and IP addresses
- * @return zero on success or negative on error
- */
-int hip_fw_sys_opp_set_peer_hit(const struct hip_common *msg)
-{
- int err = 0, state;
- const hip_hit_t *local_hit, *peer_hit;
- const struct in6_addr *peer_addr;
- const struct in6_addr *local_addr;
-
- local_hit = hip_get_param_contents(msg, HIP_PARAM_HIT_LOCAL);
- peer_hit = hip_get_param_contents(msg, HIP_PARAM_HIT_PEER);
- local_addr = hip_get_param_contents(msg, HIP_PARAM_IPV6_ADDR_LOCAL);
- peer_addr = hip_get_param_contents(msg, HIP_PARAM_IPV6_ADDR_PEER);
-
- if (peer_hit) {
- state = HIP_STATE_ESTABLISHED;
- } else {
- state = HIP_STATE_FAILED;
- }
-
- hip_firewall_cache_update_entry(local_addr, peer_addr,
- local_hit, peer_hit, state);
-
- return err;
-}
=== removed file 'firewall/sysopp.h'
--- firewall/sysopp.h 2011-01-04 14:10:46 +0000
+++ firewall/sysopp.h 1970-01-01 00:00:00 +0000
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-#ifndef HIP_FIREWALL_SYSOPP_H
-#define HIP_FIREWALL_SYSOPP_H
-
-#define _BSD_SOURCE
-
-#include "lib/core/protodefs.h"
-#include "firewall_defines.h"
-
-int hip_fw_handle_outgoing_system_based_opp(const struct hip_fw_context *ctx,
- const int default_verdict);
-int hip_fw_sys_opp_set_peer_hit(const struct hip_common *msg);
-void hip_fw_flush_system_based_opp_chains(void);
-
-#endif /* HIP_FIREWALL_SYSOPP_H */
=== modified file 'hipd/close.c'
--- hipd/close.c 2011-01-09 22:18:11 +0000
+++ hipd/close.c 2011-01-10 18:30:48 +0000
@@ -54,7 +54,6 @@
#include "hiprelay.h"
#include "input.h"
#include "maintenance.h"
-#include "oppipdb.h"
#include "output.h"
#include "user.h"
#include "close.h"
@@ -90,11 +89,6 @@
goto out_err;
}
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- /* Check and remove the IP of the peer from the opp non-HIP database */
- hip_oppipdb_delentry(&(entry->peer_addr));
-#endif
-
if (!(entry->state == HIP_STATE_ESTABLISHED) && delete_ha_info) {
HIP_DEBUG("Not sending CLOSE message, invalid hip state " \
"in current host association. State is %s.\n",
@@ -489,11 +483,6 @@
HIP_DEBUG("CLOSED\n");
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- /* Check and remove the IP of the peer from the opp non-HIP database */
- hip_oppipdb_delentry(&ctx->hadb_entry->peer_addr);
-#endif
-
HIP_IFEL(hip_del_peer_info(&ctx->hadb_entry->hit_our,
&ctx->hadb_entry->hit_peer),
-1, "Deleting peer info failed\n");
=== modified file 'hipd/hadb.c'
--- hipd/hadb.c 2011-01-10 17:51:29 +0000
+++ hipd/hadb.c 2011-01-10 18:30:48 +0000
@@ -94,7 +94,6 @@
#include "input.h"
#include "keymat.h"
#include "netdev.h"
-#include "oppdb.h"
#include "output.h"
#include "hadb.h"
@@ -912,10 +911,6 @@
*/
int hip_del_peer_info_entry(struct hip_hadb_state *ha)
{
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- struct hip_opp_blocking_request *opp_entry = NULL;
-#endif
-
HIP_LOCK_HA(ha);
/* by now, if everything is according to plans, the refcnt
@@ -924,19 +919,8 @@
HIP_DEBUG_HIT("peer HIT", &ha->hit_peer);
hip_delete_hit_sp_pair(&ha->hit_peer, &ha->hit_our, 1);
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- opp_entry = hip_oppdb_find_by_ip(&ha->peer_addr);
-#endif
-
- /* Delete hadb entry before oppdb entry to avoid a loop */
hip_hadb_delete_state(ha);
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- if (opp_entry) {
- hip_oppdb_entry_clean_up(opp_entry);
- }
-#endif
-
HIP_UNLOCK_HA(ha);
return 0;
=== modified file 'hipd/hipd.h'
--- hipd/hipd.h 2011-01-07 16:15:14 +0000
+++ hipd/hipd.h 2011-01-10 18:30:48 +0000
@@ -41,10 +41,6 @@
#define HIP_SELECT_TIMEOUT 1
#define HIP_RETRANSMIT_MAX 5
#define HIP_RETRANSMIT_INTERVAL 1 /* seconds */
-#define HIP_OPP_WAIT 5 /* seconds */
-#define HIP_OPP_FALLBACK_INTERVAL 1 /* seconds */
-#define HIP_OPP_FALLBACK_INIT \
- (HIP_OPP_FALLBACK_INTERVAL / HIP_SELECT_TIMEOUT)
/* the interval with which the hadb entries are checked for retransmissions */
#define HIP_RETRANSMIT_INIT \
(HIP_RETRANSMIT_INTERVAL / HIP_SELECT_TIMEOUT)
=== modified file 'hipd/init.c'
--- hipd/init.c 2011-01-10 17:51:29 +0000
+++ hipd/init.c 2011-01-10 18:30:48 +0000
@@ -83,8 +83,6 @@
#include "nat.h"
#include "netdev.h"
#include "nsupdate.h"
-#include "oppdb.h"
-#include "oppipdb.h"
#include "output.h"
#include "pkt_handling.h"
#include "registration.h"
@@ -952,10 +950,6 @@
lmod_uninit_packet_types();
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- hip_oppdb_uninit();
-#endif
-
#ifdef CONFIG_HIP_RVS
HIP_INFO("Uninitializing RVS / HIP relay database and whitelist.\n");
hip_relay_uninit();
@@ -1113,22 +1107,12 @@
signal(SIGTERM, hip_close);
signal(SIGCHLD, hip_sig_chld);
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- HIP_IFEL(hip_init_oppip_db(), -1,
- "Cannot initialize opportunistic mode IP database for " \
- "non HIP capable hosts!\n");
-#endif
HIP_IFEL((hip_init_cipher() < 0), 1, "Unable to init ciphers.\n");
HIP_IFE(init_random_seed(), -1);
hip_init_hadb();
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- hip_init_opp_db();
-#endif
-
-
/* Resolve our current addresses, afterwards the events from kernel
* will maintain the list This needs to be done before opening
* NETLINK_ROUTE! See the comment about address_count global var. */
=== modified file 'hipd/input.c'
--- hipd/input.c 2011-01-10 17:51:29 +0000
+++ hipd/input.c 2011-01-10 18:30:48 +0000
@@ -83,8 +83,6 @@
#include "keymat.h"
#include "maintenance.h"
#include "netdev.h"
-#include "oppdb.h"
-#include "oppipdb.h"
#include "output.h"
#include "pisa.h"
#include "pkt_handling.h"
@@ -495,6 +493,62 @@
}
/**
+ * fetch an hadb entry corresponding to a pseudo HIT
+ *
+ * @param init_hit the local HIT of the Initiator
+ * @param resp_addr the remote IP address of the Responder from
+ * which to calculate the pseudo HIT
+ * @return a host association or NULL if not found
+ */
+static struct hip_hadb_state *hip_opp_get_hadb_entry(const hip_hit_t * const
init_hit,
+ const struct in6_addr *
const resp_addr)
+{
+ struct hip_hadb_state *entry_tmp = NULL;
+ hip_hit_t phit;
+ int err = 0;
+
+ HIP_DEBUG_HIT("resp_addr=", resp_addr);
+ HIP_IFEL(hip_opportunistic_ipv6_to_hit(resp_addr, &phit,
+ HIP_HIT_TYPE_HASH100), -1,
+ "hip_opportunistic_ipv6_to_hit failed\n");
+
+ HIP_ASSERT(hit_is_opportunistic_hit(&phit));
+
+ entry_tmp = hip_hadb_find_byhits(init_hit, &phit);
+
+out_err:
+ return entry_tmp;
+}
+
+/**
+ * find a host association based on I1 or R1 message
+ *
+ * @param msg the I1 or R2 message
+ * @param src_addr the source address of the message
+ * @return the host association or NULL if not found
+ */
+static struct hip_hadb_state *hip_opp_get_hadb_entry_i1_r1(struct hip_common
*msg,
+ const struct
in6_addr * const src_addr)
+{
+ hip_hdr type = hip_get_msg_type(msg);
+ struct hip_hadb_state *entry = NULL;
+
+ if (type == HIP_I1) {
+ if (!ipv6_addr_is_null(&msg->hitr)) {
+ goto out_err;
+ }
+ hip_get_default_hit(&msg->hitr);
+ } else if (type == HIP_R1) {
+ entry = hip_opp_get_hadb_entry(&msg->hitr, src_addr);
+ } else {
+ HIP_ASSERT(0);
+ }
+
+out_err:
+ return entry;
+}
+
+/**
* Decides what action to take for an incoming HIP control packet.
*
* @param *ctx Pointer to the packet context, containing all
@@ -557,11 +611,9 @@
}
#ifdef CONFIG_HIP_OPPORTUNISTIC
- if (!ctx->hadb_entry &&
- (type == HIP_I1 || type == HIP_R1)) {
- ctx->hadb_entry =
- hip_oppdb_get_hadb_entry_i1_r1(ctx->input_msg,
- &ctx->src_addr);
+ if (!ctx->hadb_entry && (type == HIP_I1 || type == HIP_R1)) {
+ ctx->hadb_entry = hip_opp_get_hadb_entry_i1_r1(ctx->input_msg,
+ &ctx->src_addr);
}
#endif
@@ -676,6 +728,61 @@
}
/**
+ * Process an incoming R1 packet for an opportunistic connection
+ *
+ * @param ctx the packet context
+ * @return zero on success or negative on failure
+ */
+static int hip_handle_opp_r1(struct hip_packet_context *ctx)
+{
+ struct hip_hadb_state *opp_entry = NULL;
+ hip_hit_t phit;
+ int err = 0;
+
+ opp_entry = ctx->hadb_entry;
+
+ HIP_DEBUG_HIT("peer hit", &ctx->input_msg->hits);
+ HIP_DEBUG_HIT("local hit", &ctx->input_msg->hitr);
+
+ HIP_IFEL(hip_hadb_add_peer_info_complete(&ctx->input_msg->hitr,
+ &ctx->input_msg->hits,
+ NULL,
+ &ctx->dst_addr,
+ &ctx->src_addr,
+ NULL),
+ -1, "Failed to insert peer map\n");
+
+ HIP_IFEL(!(ctx->hadb_entry = hip_hadb_find_byhits(&ctx->input_msg->hits,
+ &ctx->input_msg->hitr)),
+ -1, "Did not find opp entry\n");
+
+ HIP_IFEL(hip_init_us(ctx->hadb_entry, &ctx->input_msg->hitr),
+ -1, "hip_init_us failed\n");
+ /* old HA has state 2, new HA has state 1, so copy it */
+ ctx->hadb_entry->state = opp_entry->state;
+ /* For service registration routines */
+ ctx->hadb_entry->local_controls = opp_entry->local_controls;
+ ctx->hadb_entry->peer_controls = opp_entry->peer_controls;
+
+ if (hip_replace_pending_requests(opp_entry, ctx->hadb_entry) == -1) {
+ HIP_DEBUG("RVS: Error moving the pending requests to a new HA");
+ }
+
+ HIP_DEBUG_HIT("peer hit", &ctx->input_msg->hits);
+ HIP_DEBUG_HIT("local hit", &ctx->input_msg->hitr);
+
+ HIP_IFEL(hip_opportunistic_ipv6_to_hit(&ctx->src_addr, &phit,
+ HIP_HIT_TYPE_HASH100),
+ -1, "pseudo hit conversion failed\n");
+
+ hip_del_peer_info_entry(opp_entry);
+
+out_err:
+
+ return err;
+}
+
+/**
* Check a received R1 control packet.
*
* @param packet_type The packet type of the control message (RFC 5201, 5.3.)
@@ -709,8 +816,6 @@
"Dropping.\n");
#ifdef CONFIG_HIP_OPPORTUNISTIC
- /* Check and remove the IP of the peer from the opp non-HIP database */
- hip_oppipdb_delentry(&ctx->hadb_entry->peer_addr);
/* Replace the opportunistic entry with one using the peer HIT
* before further operations */
if (hit_is_opportunistic_hit(&ctx->hadb_entry->hit_peer)) {
@@ -1134,10 +1239,6 @@
ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
hip_hadb_insert_state(ctx->hadb_entry);
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- /* Check and remove the IP of the peer from the opp non-HIP database */
- hip_oppipdb_delentry(&(ctx->hadb_entry->peer_addr));
-#endif
HIP_INFO("Reached ESTABLISHED state\n");
HIP_INFO("Handshake completed\n");
=== modified file 'hipd/maintenance.c'
--- hipd/maintenance.c 2011-01-03 19:36:44 +0000
+++ hipd/maintenance.c 2011-01-10 18:30:48 +0000
@@ -60,7 +60,6 @@
#include "hidb.h"
#include "hipd.h"
#include "init.h"
-#include "oppdb.h"
#include "output.h"
#include "maintenance.h"
@@ -74,7 +73,6 @@
int hip_firewall_sock_lsi_fd = -1;
float retrans_counter = HIP_RETRANSMIT_INIT;
-float opp_fallback_counter = HIP_OPP_FALLBACK_INIT;
float precreate_counter = HIP_R1_PRECREATE_INIT;
float queue_counter = QUEUE_CHECK_INIT;
int force_exit_counter = FORCE_EXIT_COUNTER_START;
@@ -152,26 +150,6 @@
return err;
}
-#ifdef CONFIG_HIP_OPPORTUNISTIC
-/**
- * scan for opportunistic connections that should time out
- * and give up (fall back to normal TCP/IP)
- *
- * @return zero on success or negative on failure
- */
-static int hip_scan_opp_fallback(void)
-{
- int err = 0;
- time_t current_time;
- time(¤t_time);
-
- HIP_IFEL(hip_for_each_opp(hip_handle_opp_fallback, ¤t_time), 0,
- "for_each_ha err.\n");
-out_err:
- return err;
-}
-#endif
-
/**
* deliver pending retransmissions for all host associations
*
@@ -306,17 +284,6 @@
retrans_counter--;
}
-#ifdef CONFIG_HIP_OPPORTUNISTIC
-
- if (opp_fallback_counter < 0) {
- HIP_IFEL(hip_scan_opp_fallback(), -1,
- "retransmission scan failed\n");
- opp_fallback_counter = HIP_OPP_FALLBACK_INIT;
- } else {
- opp_fallback_counter--;
- }
-#endif
-
if (precreate_counter < 0) {
HIP_IFEL(hip_recreate_all_precreated_r1_packets(), -1,
"Failed to recreate puzzles\n");
@@ -366,7 +333,7 @@
/**
* Update firewall on host association state. Currently used by the
- * LSI and system-based opportunistic mode in the firewall.
+ * LSI mode in the firewall.
*
* @param action HIP_MSG_FW_UPDATE_DB or HIP_MSG_FW_BEX_DONE
* @param hit_s optional source HIT
=== removed file 'hipd/oppdb.c'
--- hipd/oppdb.c 2011-01-09 22:18:11 +0000
+++ hipd/oppdb.c 1970-01-01 00:00:00 +0000
@@ -1,739 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-/**
- * @file
- * Opportunistic mode databases for lib/opphip and HIP registration. The
system-based
- * opportunistic mode in the firewall uses also this functionality to trigger
an
- * opportunistic base base exchange. See the following publication on the
details:
- *
- * <a href="http://www.iki.fi/miika/docs/ccnc09.pdf";>
- * Miika Komu and Janne Lindqvist, Leap-of-Faith Security is Enough
- * for IP Mobility, 6th Annual IEEE Consumer
- * Communications & Networking Conference IEEE CCNC 2009, Las Vegas,
- * Nevada, January 2009</a>
- *
- * The pseudo HIT is mentioned on multiple places in this file. When hipd sends
- * the opportunistic I1, the destination HIT is NULL. For this reason, we don't
- * know the Responder HIT until receiving the R2. During this unawareness
period,
- * we use a "pseudo HIT" to denote the Responder. It is calculated by
extracting
- * part of the IP address of the Responder and prefixing it with HIT prefix
and some
- * additional zeroes. Once the R1 received, the opportunistic database entry
can
- * be removed and the pseudo HIT becomes unnecessary. Consequtive opportunistic
- * mode connections with the same Responder are cached and the pseudo HIT is
not needed.
- *
- * The opportunistic mode supports also "fallback" which occurs with
- * peers that do not support HIP. When the peer does not support HIP,
- * hipd notices it after a certain time out in maintenance.c loop
- * because there was no R1 response. The handlers in this function
- * then send a "reject" message to the blocked opportunistic library
- * process which means that it should proceed without HIP. Consequtive
- * rejects are faster because they are cached.
- *
- * @author Bing Zhou <bingzhou@xxxxxxxxx>
- */
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <openssl/lhash.h>
-
-#include "lib/core/builder.h"
-#include "lib/core/common.h"
-#include "lib/core/debug.h"
-#include "lib/core/hit.h"
-#include "lib/core/ife.h"
-#include "lib/core/list.h"
-#include "lib/core/prefix.h"
-#include "lib/core/protodefs.h"
-#include "config.h"
-#include "accessor.h"
-#include "hadb.h"
-#include "hidb.h"
-#include "hipd.h"
-#include "netdev.h"
-#include "oppipdb.h"
-#include "output.h"
-#include "registration.h"
-#include "user.h"
-#include "oppdb.h"
-
-
-#define HIP_LOCK_OPP_INIT(entry)
-#define HIP_UNLOCK_OPP_INIT(entry)
-#define HIP_LOCK_OPP(entry)
-#define HIP_UNLOCK_OPP(entry)
-#define HIP_OPPDB_SIZE 533
-
-struct hip_opp_info {
- hip_hit_t local_hit;
- hip_hit_t real_peer_hit;
- hip_hit_t pseudo_peer_hit;
- struct in6_addr local_addr;
- struct in6_addr peer_addr;
-};
-
-HIP_HASHTABLE *oppdb;
-
-/**
- * hashing function for the hashtable implementation
- *
- * @param ptr a pointer to a hip_opp_blocking_request structure
- * @return the calculated hash
- */
-static unsigned long hip_oppdb_hash_hit(const void *ptr)
-{
- const struct hip_opp_blocking_request *entry = ptr;
- uint8_t hash[HIP_AH_SHA_LEN];
-
- hip_build_digest(HIP_DIGEST_SHA1, &entry->peer_phit,
- sizeof(hip_hit_t) + sizeof(struct sockaddr_in6),
- hash);
-
- return *((unsigned long *) hash);
-}
-
-/**
- * matching function for the hashtable implementation
- *
- * Note that when this function is called, the hashes of the two hash table
- * entries provided as arguments are known to be equal.
- * The point of this function is to allow the hash table to determine whether
- * the entries (or rather the part used to calculate the hash) themselves are
- * equal or whether they are different and this is just a hash collision.
- *
- * @param ptr1 a pointer to a hip_opp_block structure
- * @param ptr2 a pointer to a hip_opp_block structure
- * @return zero on match or non-zero otherwise
- */
-static int hip_oppdb_match_hit(const void *ptr1, const void *ptr2)
-{
- const struct hip_opp_blocking_request *b1 = ptr1;
- const struct hip_opp_blocking_request *b2 = ptr2;
- return memcmp(&b1->peer_phit, &b2->peer_phit, sizeof(hip_hit_t) +
sizeof(struct sockaddr_in6));
-}
-
-/**
- * delete an opportunistic database entry
- *
- * @param entry the entry to be deleted
- */
-static void hip_oppdb_del_entry_by_entry(struct hip_opp_blocking_request
*entry)
-{
- struct hip_opp_blocking_request *deleted;
-
- HIP_LOCK_OPP(entry);
- deleted = hip_ht_delete(oppdb, entry);
- HIP_UNLOCK_OPP(entry);
- free(deleted);
-}
-
-/**
- * expire an opportunistic connection
- *
- * @param opp_entry the entry to be expired
- * @return zero on success or negative on error
- */
-int hip_oppdb_entry_clean_up(struct hip_opp_blocking_request *opp_entry)
-{
- int err = 0;
-
- /** @todo this does not support multiple multiple opp
- connections: a better solution might be trash collection */
-
- HIP_ASSERT(opp_entry);
- hip_del_peer_info(&opp_entry->peer_phit,
- &opp_entry->our_real_hit);
- hip_oppdb_del_entry_by_entry(opp_entry);
- return err;
-}
-
-/**
- * a for-each iterator function for the opportunistic database
- *
- * @param func a callback iterator function
- * @param opaque an extra parameter to be passed to the callback
- * @return zero on success and non-zero on error
- */
-int hip_for_each_opp(int (*func)(struct hip_opp_blocking_request *entry,
- void *opaq),
- void *opaque)
-{
- int i = 0, fail = 0;
- struct hip_opp_blocking_request *this;
- LHASH_NODE *item, *tmp;
-
- if (!func) {
- return -EINVAL;
- }
-
- HIP_LOCK_HT(&opp_db);
- list_for_each_safe(item, tmp, oppdb, i)
- {
- this = list_entry(item);
- fail = func(this, opaque);
- if (fail) {
- goto out_err;
- }
- }
-out_err:
- HIP_UNLOCK_HT(&opp_db);
- return fail;
-}
-
-/**
- * an iterator function for uninitializing the opportunistic database
- *
- * @param entry the entry to be uninitialized
- * @param arg needed because of the iterator signature
- * @return zero
- */
-static int hip_oppdb_uninit_wrap(struct hip_opp_blocking_request *entry,
- UNUSED void *arg)
-{
- hip_oppdb_del_entry_by_entry(entry);
- return 0;
-}
-
-/**
- * uninitialize the whole opportunistic database
- */
-void hip_oppdb_uninit(void)
-{
- hip_for_each_opp(hip_oppdb_uninit_wrap, NULL);
- hip_ht_uninit(oppdb);
- oppdb = NULL;
-}
-
-/**
- * Unblock a caller from the opportunistic library
- *
- * @param app_id the UDP port of the local library process
- * @param opp_info information related to the opportunistic connection
- * @return zero on success or negative on failure
- */
-static int hip_opp_unblock_app(const struct sockaddr_in6 *app_id,
- struct hip_opp_info *opp_info)
-{
- struct hip_common *message = NULL;
- int err = 0, n;
-
- HIP_IFEL((app_id->sin6_port == 0), 0, "Zero port, ignore\n");
-
- HIP_IFE(!(message = hip_msg_alloc()), -1);
- HIP_IFEL(hip_build_user_hdr(message, HIP_MSG_GET_PEER_HIT, 0), -1,
- "build user header failed\n");
-
- if (!opp_info) {
- goto skip_hit_addr;
- }
-
- if (!ipv6_addr_any(&opp_info->real_peer_hit)) {
- HIP_IFEL(hip_build_param_contents(message, &opp_info->real_peer_hit,
- HIP_PARAM_HIT_PEER,
- sizeof(hip_hit_t)), -1,
- "building peer real hit failed\n");
- }
-
- if (!ipv6_addr_any(&opp_info->local_hit)) {
- HIP_IFEL(hip_build_param_contents(message, &opp_info->local_hit,
- HIP_PARAM_HIT_LOCAL,
- sizeof(hip_hit_t)), -1,
- "building local hit failed\n");
- }
-
- if (!ipv6_addr_any(&opp_info->peer_addr)) {
- HIP_IFEL(hip_build_param_contents(message, &opp_info->peer_addr,
- HIP_PARAM_IPV6_ADDR_PEER,
- sizeof(struct in6_addr)), -1,
- "building peer addr failed\n");
- }
-
- if (!ipv6_addr_any(&opp_info->local_addr)) {
- HIP_IFEL(hip_build_param_contents(message, &opp_info->local_addr,
- HIP_PARAM_IPV6_ADDR_LOCAL,
- sizeof(struct in6_addr)), -1,
- "building local addr failed\n");
- }
-
-skip_hit_addr:
-
- HIP_DEBUG("Unblocking caller at port %d\n", ntohs(app_id->sin6_port));
- n = hip_sendto_user(message, (const struct sockaddr *) app_id);
-
- if (n < 0) {
- HIP_ERROR("hip_sendto_user() failed.\n");
- err = -1;
- goto out_err;
- }
-out_err:
- free(message);
- return err;
-}
-
-/**
- * unblock all opportunistic connections with a certain remote host
- *
- * @param entry the opportunistic mode connection
- * @param ptr the pseudo HIT denoting the remote host
- * @return zero on success or negative on error
- */
-static int hip_oppdb_unblock_group(struct hip_opp_blocking_request *entry,
- void *ptr)
-{
- struct hip_opp_info *opp_info = ptr;
- int err = 0;
-
- if (ipv6_addr_cmp(&entry->peer_phit, &opp_info->pseudo_peer_hit) != 0) {
- goto out_err;
- }
-
- HIP_IFEL(hip_opp_unblock_app(&entry->caller, opp_info),
- 1, "unblock failed\n");
-
- hip_oppdb_del_entry_by_entry(entry);
-
-out_err:
- return err;
-}
-
-/**
- * create a opportunistic mode database entry
- *
- * @return the created databased entry (caller deallocates)
- */
-static struct hip_opp_blocking_request *hip_create_opp_block_entry(void)
-{
- struct hip_opp_blocking_request *entry = NULL;
-
- entry = calloc(1, sizeof(struct hip_opp_blocking_request));
- if (!entry) {
- HIP_ERROR("struct hip_opp_blocking_request memory allocation
failed.\n");
- return NULL;
- }
-
- HIP_LOCK_OPP_INIT(entry);
- time(&entry->creation_time);
- HIP_UNLOCK_OPP_INIT(entry);
-
- return entry;
-}
-
-/**
- * dump the contents of the database
- */
-static void hip_oppdb_dump(void)
-{
- int i;
- struct hip_opp_blocking_request *this;
- LHASH_NODE *item, *tmp;
-
- HIP_DEBUG("start oppdb dump\n");
- HIP_LOCK_HT(&oppdb);
-
- list_for_each_safe(item, tmp, oppdb, i)
- {
- this = list_entry(item);
-
- HIP_DEBUG_HIT("this->peer_phit",
- &this->peer_phit);
- HIP_DEBUG_HIT("this->our_real_hit",
- &this->our_real_hit);
- }
-
- HIP_UNLOCK_HT(&oppdb);
- HIP_DEBUG("end oppdb dump\n");
-}
-
-/**
- * add an opportunistic mode connection entry to the database
- *
- * @param phit_peer the pseudo HIT of peer
- * @param hit_our local HIT
- * @param ip_peer remote IP address
- * @param ip_our local IP address
- * @param caller the UDP port of the local library process
- * @return zero on success or negative on failure
- */
-static int hip_oppdb_add_entry(const hip_hit_t *phit_peer,
- const hip_hit_t *hit_our,
- const struct in6_addr *ip_peer,
- const struct in6_addr *ip_our,
- const struct sockaddr_in6 *caller)
-{
- int err = 0;
- struct hip_opp_blocking_request *new_item = NULL;
-
- new_item = hip_create_opp_block_entry();
- if (!new_item) {
- HIP_ERROR("new_item malloc failed\n");
- err = -ENOMEM;
- return err;
- }
-
- if (phit_peer) {
- ipv6_addr_copy(&new_item->peer_phit, phit_peer);
- }
- ipv6_addr_copy(&new_item->our_real_hit, hit_our);
- if (ip_peer) {
- ipv6_addr_copy(&new_item->peer_ip, ip_peer);
- }
- if (ip_our) {
- ipv6_addr_copy(&new_item->our_ip, ip_our);
- }
- memcpy(&new_item->caller, caller, sizeof(struct sockaddr_in6));
-
- err = hip_ht_add(oppdb, new_item);
- hip_oppdb_dump();
-
- return err;
-}
-
-/**
- * initialize the opportunistic database
- */
-void hip_init_opp_db(void)
-{
- oppdb = hip_ht_init(hip_oppdb_hash_hit, hip_oppdb_match_hit);
-}
-
-/**
- * fetch an hadb entry corresponding to a pseudo HIT
- *
- * @param init_hit the local HIT of the Initiator
- * @param resp_addr the remote IP address of the Responder from
- * which to calculate the pseudo HIT
- * @return a host assocition or NULL if not found
- */
-static struct hip_hadb_state *hip_oppdb_get_hadb_entry(hip_hit_t *init_hit,
- struct in6_addr
*resp_addr)
-{
- struct hip_hadb_state *entry_tmp = NULL;
- hip_hit_t phit;
- int err = 0;
-
- HIP_DEBUG_HIT("resp_addr=", resp_addr);
- HIP_IFEL(hip_opportunistic_ipv6_to_hit(resp_addr, &phit,
- HIP_HIT_TYPE_HASH100), -1,
- "hip_opportunistic_ipv6_to_hit failed\n");
-
- HIP_ASSERT(hit_is_opportunistic_hit(&phit));
-
- entry_tmp = hip_hadb_find_byhits(init_hit, &phit);
-
-out_err:
- return entry_tmp;
-}
-
-/**
- * find a host association based on I1 or R1 message
- *
- * @param msg the I1 or R2 message
- * @param src_addr the source address of the message
- * @return the host association or NULL if not found
- */
-struct hip_hadb_state *hip_oppdb_get_hadb_entry_i1_r1(struct hip_common *msg,
- struct in6_addr
*src_addr)
-{
- hip_hdr type = hip_get_msg_type(msg);
- struct hip_hadb_state *entry = NULL;
-
- if (type == HIP_I1) {
- if (!ipv6_addr_is_null(&msg->hitr)) {
- goto out_err;
- }
- hip_get_default_hit(&msg->hitr);
- } else if (type == HIP_R1) {
- entry = hip_oppdb_get_hadb_entry(&msg->hitr, src_addr);
- } else {
- HIP_ASSERT(0);
- }
-
-out_err:
- return entry;
-}
-
-/**
- * process an incoming R1 packet for an opportunistic connection
- *
- * @param ctx the packet context
- * @return zero on success or negative on failure
- */
-int hip_handle_opp_r1(struct hip_packet_context *ctx)
-{
- struct hip_opp_info opp_info;
- struct hip_hadb_state *opp_entry;
- hip_hit_t phit;
- int err = 0;
-
- opp_entry = ctx->hadb_entry;
-
- HIP_DEBUG_HIT("peer hit", &ctx->input_msg->hits);
- HIP_DEBUG_HIT("local hit", &ctx->input_msg->hitr);
-
- HIP_IFEL(hip_hadb_add_peer_info_complete(&ctx->input_msg->hitr,
- &ctx->input_msg->hits,
- NULL,
- &ctx->dst_addr,
- &ctx->src_addr,
- NULL),
- -1, "Failed to insert peer map\n");
-
- HIP_IFEL(!(ctx->hadb_entry = hip_hadb_find_byhits(&ctx->input_msg->hits,
- &ctx->input_msg->hitr)),
- -1, "Did not find opp entry\n");
-
- HIP_IFEL(hip_init_us(ctx->hadb_entry, &ctx->input_msg->hitr),
- -1, "hip_init_us failed\n");
- /* old HA has state 2, new HA has state 1, so copy it */
- ctx->hadb_entry->state = opp_entry->state;
- /* For service registration routines */
- ctx->hadb_entry->local_controls = opp_entry->local_controls;
- ctx->hadb_entry->peer_controls = opp_entry->peer_controls;
-
- if (hip_replace_pending_requests(opp_entry, ctx->hadb_entry) == -1) {
- HIP_DEBUG("RVS: Error moving the pending requests to a new HA");
- }
-
- HIP_DEBUG_HIT("peer hit", &ctx->input_msg->hits);
- HIP_DEBUG_HIT("local hit", &ctx->input_msg->hitr);
-
- HIP_IFEL(hip_opportunistic_ipv6_to_hit(&ctx->src_addr, &phit,
- HIP_HIT_TYPE_HASH100),
- -1, "pseudo hit conversion failed\n");
-
- ipv6_addr_copy(&opp_info.real_peer_hit, &ctx->input_msg->hits);
- ipv6_addr_copy(&opp_info.pseudo_peer_hit, &phit);
- ipv6_addr_copy(&opp_info.local_hit, &ctx->input_msg->hitr);
- ipv6_addr_copy(&opp_info.local_addr, &ctx->dst_addr);
- ipv6_addr_copy(&opp_info.peer_addr, &ctx->src_addr);
-
- hip_for_each_opp(hip_oppdb_unblock_group, &opp_info);
- hip_del_peer_info_entry(opp_entry);
-
-out_err:
-
- return err;
-}
-
-/**
- * add an entry to the opportunistic mode dabase and host association
- * database (with pseudo HIT)
- *
- * @param dst_ip the remote IP address of the Responder
- * @param hit_our the local HIT of the Initiator
- * @param caller the UDP port of the local library process
- * @return the created host association
- */
-struct hip_hadb_state *hip_opp_add_map(const struct in6_addr *dst_ip,
- const struct in6_addr *hit_our,
- const struct sockaddr_in6 *caller)
-{
- int err = 0;
- struct in6_addr opp_hit, src_ip;
- struct hip_hadb_state *ha = NULL;
- hip_oppip_t *oppip_entry = NULL;
-
- HIP_DEBUG_IN6ADDR("Peer's IP ", dst_ip);
-
- HIP_IFEL(hip_select_source_address(&src_ip,
- dst_ip), -1,
- "Cannot find source address\n");
-
- HIP_IFEL(hip_opportunistic_ipv6_to_hit(dst_ip, &opp_hit,
- HIP_HIT_TYPE_HASH100),
- -1, "Opp HIT conversion failed\n");
-
- HIP_ASSERT(hit_is_opportunistic_hit(&opp_hit));
-
- HIP_DEBUG_HIT("opportunistic hashed hit", &opp_hit);
-
- if ((oppip_entry = hip_oppipdb_find_byip(dst_ip))) {
- HIP_DEBUG("Old mapping exist \n");
-
- if ((ha = hip_hadb_find_byhits(hit_our, &opp_hit))) {
- goto out_err;
- }
-
- HIP_DEBUG("No entry found. Adding new map.\n");
- hip_oppipdb_del_entry_by_entry(oppip_entry, NULL);
- }
-
- /* No previous contact, new host. Let's do the opportunistic magic */
-
- err = hip_hadb_add_peer_info_complete(hit_our, &opp_hit, NULL, &src_ip,
dst_ip, NULL);
-
- HIP_IFEL(!(ha = hip_hadb_find_byhits(hit_our, &opp_hit)), -1,
- "Did not find entry\n");
-
- /* Override the receiving function */
- /* @todo is this function set needed? */
- //ha->hadb_rcv_func->hip_receive_r1 = hip_receive_opp_r1;
-
- HIP_IFEL(hip_oppdb_add_entry(&opp_hit, hit_our, dst_ip, &src_ip,
- caller), -1, "Add db failed\n");
-
-out_err:
- return ha;
-}
-
-/**
- * check if it is time for an opportunistic connection to
- * time out and make it happen when needed
- *
- * @param entry the database entry for the opportunistic connection
- * @param current_time the current time
- * @return zero on success or negative on failure
- */
-int hip_handle_opp_fallback(struct hip_opp_blocking_request *entry,
- void *current_time)
-{
- int err = 0, disable_fallback = 0;
- time_t *now = current_time;
- struct in6_addr *addr;
-
- if (!disable_fallback && (*now - HIP_OPP_WAIT > entry->creation_time)) {
- struct hip_opp_info info;
-
- memset(&info, 0, sizeof(info));
- ipv6_addr_copy(&info.peer_addr, &entry->peer_ip);
-
- addr = &entry->peer_ip;
- hip_oppipdb_add_entry(addr);
- HIP_DEBUG("Timeout for opp entry, falling back to\n");
- err = hip_opp_unblock_app(&entry->caller, &info);
- HIP_DEBUG("Fallback returned %d\n", err);
- err = hip_oppdb_entry_clean_up(entry);
- memset(&now, 0, sizeof(now));
- }
-
- return err;
-}
-
-/**
- * check if a remote host is not capable of HIP
- *
- * @param ip_peer: pointer to the ip of the host to check whether
- * it is HIP capable or not
- * @return pointer to the entry if the remote host does not definitely support
HIP or
- * NULL if it is potentially HIP capable
- */
-struct hip_opp_blocking_request *hip_oppdb_find_by_ip(const struct in6_addr
*ip_peer)
-{
- int i = 0;
- struct hip_opp_blocking_request *this, *ret = NULL;
- LHASH_NODE *item, *tmp;
-
- if (oppdb == NULL)
- return NULL;
-
- HIP_LOCK_HT(&opp_db);
- list_for_each_safe(item, tmp, oppdb, i)
- {
- this = list_entry(item);
- if (ipv6_addr_cmp(&this->peer_ip, ip_peer) == 0) {
- HIP_DEBUG("The ip was found in oppdb. Peer non-HIP capable.\n");
- ret = this;
- break;
- }
- }
-
- HIP_UNLOCK_HT(&opp_db);
- return ret;
-}
-
-/**
- * Trigger opportunistic I1 to obtain the HIT of the Responder.
- *
- * @param msg contains information on the Responder's IP address
- * and the local HIT to use for the connection
- * @param src the UDP port number of the calling library process
- * @return zero on success or negative on failure
- */
-int hip_opp_get_peer_hit(struct hip_common *msg,
- const struct sockaddr_in6 *src)
-{
- int err = 0;
- struct in6_addr phit, dst_ip, our_hit, our_addr;
- const struct in6_addr *ptr;
- struct hip_hadb_state *ha;
-
- ptr = hip_get_param_contents(msg, HIP_PARAM_HIT_LOCAL);
- HIP_IFEL(!ptr, -1, "No local hit in msg\n");
- memcpy(&our_hit, ptr, sizeof(our_hit));
- HIP_DEBUG_HIT("our_hit", &our_hit);
-
- ptr = hip_get_param_contents(msg, HIP_PARAM_IPV6_ADDR_PEER);
- HIP_IFEL(!ptr, -1, "No peer ip in msg\n");
- memcpy(&dst_ip, ptr, sizeof(dst_ip));
- HIP_DEBUG_HIT("dst_ip", &dst_ip);
-
- HIP_IFEL(hip_select_source_address(&our_addr, &dst_ip),
- -1, "Cannot find source address\n");
-
- /* Check if we've previously contacted the host and found it
- * non-HIP capable*/
- if (hip_oppipdb_find_byip(&dst_ip)) {
- hip_msg_init(msg);
- /* A message without peer HIT indicates a non-HIP capable peer */
- HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_GET_PEER_HIT, 0), -1,
- "Building of user header failed\n");
- HIP_IFEL(hip_build_param_contents(msg,
- &dst_ip,
- HIP_PARAM_IPV6_ADDR_PEER,
- sizeof(struct in6_addr)),
- -1, "build param HIP_PARAM_HIT failed: %s\n");
- HIP_IFEL((hip_sendto_user(msg, (const struct sockaddr *) src) < 0),
- -1, "send to user failed\n");
- goto out_err;
- }
-
- /* No previous contact, new host. Let's do the opportunistic magic */
-
- HIP_IFEL(hip_opportunistic_ipv6_to_hit(&dst_ip, &phit,
- HIP_HIT_TYPE_HASH100),
- -1, "Opp HIT conversion failed\n");
-
- HIP_ASSERT(hit_is_opportunistic_hit(&phit));
-
- HIP_DEBUG_HIT("phit", &phit);
-
- hip_hadb_add_peer_info_complete(&our_hit, &phit, NULL,
- &our_addr, &dst_ip, NULL);
-
- HIP_IFEL(!(ha = hip_hadb_find_byhits(&our_hit, &phit)),
- -1, "Did not find hadb entry\n");
-
- HIP_IFEL(hip_oppdb_add_entry(&phit, &our_hit, &dst_ip, NULL, src),
- -1, "Add to oppdb failed\n");
-
- HIP_IFEL(hip_send_i1(&our_hit, &phit, ha), -1, "sending of I1 failed\n");
-
-out_err:
- return err;
-}
=== removed file 'hipd/oppdb.h'
--- hipd/oppdb.h 2011-01-04 17:21:26 +0000
+++ hipd/oppdb.h 1970-01-01 00:00:00 +0000
@@ -1,77 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-/**
- * @file
- * @author Bing Zhou <bingzhou@xxxxxxxxx>
- */
-
-#ifndef HIP_HIPD_OPPDB_H
-#define HIP_HIPD_OPPDB_H
-
-#include <stdint.h>
-#include <netinet/in.h>
-
-#include "lib/core/protodefs.h"
-#include "lib/core/state.h"
-
-
-struct hip_opp_blocking_request {
- hip_hit_t peer_phit;
- struct sockaddr_in6 caller;
- hip_hit_t our_real_hit;
-
- time_t creation_time;
- struct in6_addr peer_ip;
- struct in6_addr our_ip;
- uint8_t proxy_flag; //0: normal connection, 1: connection
through proxy
-};
-
-void hip_init_opp_db(void);
-int hip_handle_opp_fallback(struct hip_opp_blocking_request *entry,
- void *current_time);
-struct hip_opp_blocking_request *hip_oppdb_find_byhits(const hip_hit_t *phit,
- struct sockaddr_in6
*src);
-struct hip_opp_blocking_request *hip_oppdb_find_by_ip(const struct in6_addr
*ip_peer);
-struct hip_hadb_state *hip_get_opp_hadb_entry(hip_hit_t *resp_hit,
- struct in6_addr *resp_addr);
-int hip_oppdb_del_entry(const hip_hit_t *phit, const struct sockaddr_in6 *src);
-void hip_oppdb_uninit(void);
-int hip_oppdb_entry_clean_up(struct hip_opp_blocking_request *opp_entry);
-
-struct hip_hadb_state *hip_opp_add_map(const struct in6_addr *dst_ip,
- const struct in6_addr *hit_our,
- const struct sockaddr_in6 *caller);
-
-struct hip_hadb_state *hip_oppdb_get_hadb_entry_i1_r1(struct hip_common *msg,
- struct in6_addr
*src_addr);
-int hip_handle_opp_r1(struct hip_packet_context *ctx);
-int hip_for_each_opp(int (*func)(struct hip_opp_blocking_request *entry,
- void *opaq),
- void *opaque);
-int hip_opp_get_peer_hit(struct hip_common *msg,
- const struct sockaddr_in6 *src);
-
-#endif /* HIP_HIPD_OPPDB_H */
=== removed file 'hipd/oppipdb.c'
--- hipd/oppipdb.c 2011-01-09 22:18:11 +0000
+++ hipd/oppipdb.c 1970-01-01 00:00:00 +0000
@@ -1,231 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-/**
- * @file
- * This file defines handling functions for opportunistic mode to remember
- * IP's which are not HIP capable. This means faster communication in second
- * connection attempts to these hosts. Otherwise it would always take the same
- * fallback timeout (about 5 secs) to make new connection to hosts which don't
- * support HIP.
- *
- * @author Antti Partanen
- * @author Alberto Garcia
- */
-
-#include <errno.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "lib/core/builder.h"
-#include "lib/core/common.h"
-#include "lib/core/debug.h"
-#include "lib/core/list.h"
-#include "lib/core/prefix.h"
-#include "oppipdb.h"
-
-#define HIP_LOCK_OPPIP(entry)
-#define HIP_UNLOCK_OPPIP(entry)
-
-HIP_HASHTABLE *oppipdb;
-
-/**
- * Generates the hash information that is used to index the table
- *
- * @param ptr: pointer to the ip address used to make the hash
- *
- * @return hash information
- */
-static unsigned long hip_oppipdb_hash_ip(const void *ptr)
-{
- uint8_t hash[HIP_AH_SHA_LEN];
-
- hip_build_digest(HIP_DIGEST_SHA1, ptr, sizeof(hip_oppip_t), hash);
-
- return *((unsigned long *) hash);
-}
-
-/**
- * Compares two ip addresses.
- *
- * Note that when this function is called, the hashes of the two hash table
- * entries provided as arguments are known to be equal.
- * The point of this function is to allow the hash table to determine whether
- * the entries (or rather the part used to calculate the hash) themselves are
- * equal or whether they are different and this is just a hash collision.
- *
- * @param ptr1: pointer to the first ip address to compare
- * @param ptr2: pointer to the second ip address to compare
- *
- * @return 0 if the ips are identical, 1 if they are different
- */
-static int hip_oppipdb_match_ip(const void *ptr1, const void *ptr2)
-{
- return memcmp(ptr1, ptr2, sizeof(hip_oppip_t));
-}
-
-/**
- * Map a function to every entry in the oppipdb hash table
- *
- * @param func mapper function to apply to all entries
- * @param opaque opaque data for the mapper function
- *
- * @return negative value if an error occurs. If an error occurs during
traversal of
- * the oppipdb hash table, then the traversal is stopped and function returns.
- * Returns the last return value of applying the mapper function to the last
- * element in the hash table.
- */
-int hip_for_each_oppip(void (*func)(hip_oppip_t *entry, void *opaq), void
*opaque)
-{
- int i = 0;
- hip_oppip_t *this;
- LHASH_NODE *item, *tmp;
-
- if (!func) {
- return -EINVAL;
- }
-
- HIP_LOCK_HT(&oppipdb);
- list_for_each_safe(item, tmp, oppipdb, i)
- {
- this = list_entry(item);
- func(this, opaque);
- }
-
- HIP_UNLOCK_HT(&oppipdb);
- return 0;
-}
-
-/**
- * Deletes an entry that is present in oppipdb hash table
- *
- * @param entry pointer to the entry to delete
- * @param arg needed because of the the iterator signature
- */
-void hip_oppipdb_del_entry_by_entry(hip_oppip_t *entry, UNUSED void *arg)
-{
- HIP_LOCK_OPPIP(entry);
- hip_ht_delete(oppipdb, entry);
- HIP_UNLOCK_OPPIP(entry);
- free(entry);
-}
-
-/**
- * Allocates and initilizes the node to store the information
- * in the oppipdb hash table
- *
- * @return pointer to the allocated structure
- */
-static hip_oppip_t *hip_create_oppip_entry(void)
-{
- hip_oppip_t *entry = NULL;
-
- entry = calloc(1, sizeof(hip_oppip_t));
- if (!entry) {
- HIP_ERROR("hip_oppip_t memory allocation failed.\n");
- return NULL;
- }
-
- return entry;
-}
-
-/**
- * Adds a new entry to the oppipdb hash table.
- * This table stores the ip addresses of the hosts that are not HIP capable.
- *
- * @param ip_peer: pointer to the ip of the non-HIP capable host
- * to be added to the table
- * @return 0 or the value being added on success; -ENOMEM on malloc failure
- */
-int hip_oppipdb_add_entry(const struct in6_addr *ip_peer)
-{
- int err = 0;
- hip_oppip_t *new_item = NULL;
-
- new_item = hip_create_oppip_entry();
- if (!new_item) {
- HIP_ERROR("new_item malloc failed\n");
- err = -ENOMEM;
- return err;
- }
-
- ipv6_addr_copy(new_item, ip_peer);
-
- err = hip_ht_add(oppipdb, new_item);
-
- return err;
-}
-
-/**
- * Creates and initializes the oppipdb hash table
- *
- * @return 0 on success
- */
-int hip_init_oppip_db(void)
-{
- oppipdb = hip_ht_init(hip_oppipdb_hash_ip, hip_oppipdb_match_ip);
- return 0;
-}
-
-/**
- * Seeks an ip within the oppipdb hash table.
- * If the ip is found in the table, that host is not HIP capable.
- *
- * @param ip_peer: pointer to the ip of the host to check whether
- * it is HIP capable
- * @return pointer to the entry if the ip is found in the table; NULL otherwise
- */
-hip_oppip_t *hip_oppipdb_find_byip(const struct in6_addr *ip_peer)
-{
- hip_oppip_t *ret = NULL;
-
- ret = hip_ht_find(oppipdb, ip_peer);
- if (!ret) {
- HIP_DEBUG("The ip was not present in oppipdb. Peer HIP capable.\n");
- } else {
- HIP_DEBUG("The ip was found in oppipdb. Peer non-HIP capable.\n");
- }
-
- return ret;
-}
-
-/**
- * This function should be called after receiving an R1 from the peer and after
- * a successful base exchange in the opportunistic mode. It checks whether an
- * address of a HIP capable host is found from database. If the address is
- * found, it is deleted from the database; since the host is actually HIP
capable.
- *
- * @param ip_peer: pointer to the ip of the HIP-capable host
- */
-void hip_oppipdb_delentry(const struct in6_addr *ip_peer)
-{
- hip_oppip_t *ret;
-
- if ((ret = hip_oppipdb_find_byip(ip_peer))) {
- HIP_DEBUG_IN6ADDR("HIP capable host found in oppipbd (non-HIP hosts
database). Deleting it from oppipdb.", ip_peer);
- hip_oppipdb_del_entry_by_entry(ret, NULL);
- }
-}
=== removed file 'hipd/oppipdb.h'
--- hipd/oppipdb.h 2010-10-15 15:29:14 +0000
+++ hipd/oppipdb.h 1970-01-01 00:00:00 +0000
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use,
- * copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following
- * conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
- * OTHER DEALINGS IN THE SOFTWARE.
- */
-
-/**
- * @file
- * @author Antti Partanen
- * @author Alberto Garcia
- */
-
-#ifndef HIP_HIPD_OPPIPDB_H
-#define HIP_HIPD_OPPIPDB_H
-
-#include <netinet/in.h>
-
-
-typedef struct in6_addr hip_oppip_t;
-
-int hip_for_each_oppip(void (*func)(hip_oppip_t *entry, void *opaq), void
*opaque);
-void hip_oppipdb_del_entry_by_entry(hip_oppip_t *entry, void *arg);
-int hip_oppipdb_add_entry(const struct in6_addr *ip_peer);
-int hip_init_oppip_db(void);
-hip_oppip_t *hip_oppipdb_find_byip(const struct in6_addr *ip_peer);
-void hip_oppipdb_delentry(const struct in6_addr *ip_peer);
-void hip_oppipdb_uninit(void);
-
-#endif /* HIP_HIPD_OPPIPDB_H */
=== modified file 'hipd/output.c'
--- hipd/output.c 2011-01-10 17:51:29 +0000
+++ hipd/output.c 2011-01-10 18:30:48 +0000
@@ -85,7 +85,6 @@
*
* @param i1 a pointer to a i1 packet common header with source and
* destination HITs.
- * @param dst_hit destination HIT (used only for the opportunistic TCP
extension)
* @param local_addr a pointer to our IPv6 or IPv4-in-IPv6 format IPv4 address.
* If local_addr is NULL, the packet is sent from all
addresses.
* @param peer_addr a pointer to peer IPv6 or IPv4-in-IPv6 format IPv4
address.
@@ -93,10 +92,8 @@
* @param dst_port not used.
* @param entry a pointer to the current host association database state.
* @return zero on success, or negative error value on error.
- * @todo remove the dst_hit parameter? test with the opportunistic TCP
extension
*/
static int hip_send_i1_pkt(struct hip_common *i1,
- UNUSED const hip_hit_t *dst_hit,
struct in6_addr *local_addr,
struct in6_addr *peer_addr,
in_port_t src_port,
@@ -204,7 +201,6 @@
local_addr = &entry->our_addr;
err = hip_send_i1_pkt(i1,
- dst_hit,
local_addr,
&peer_addr,
entry->local_udp_port,
@@ -219,7 +215,6 @@
ipv6_addr_copy(&peer_addr, &addr->address);
err = hip_send_i1_pkt(i1,
- dst_hit,
NULL,
&peer_addr,
entry->local_udp_port,
=== modified file 'hipd/user.c'
--- hipd/user.c 2011-01-04 19:22:24 +0000
+++ hipd/user.c 2011-01-10 18:30:48 +0000
@@ -86,7 +86,6 @@
#include "nat.h"
#include "netdev.h"
#include "nsupdate.h"
-#include "oppdb.h"
#include "output.h"
#include "registration.h"
#include "user.h"
@@ -253,6 +252,10 @@
int err = 0, msg_type = 0, reti = 0;
int access_ok = 0, is_root = 0;
const struct hip_tlv_common *param = NULL;
+#ifdef CONFIG_HIP_OPPORTUNISTIC
+ struct in6_addr opp_hit, src_ip;
+ struct in6_addr hit_local;
+#endif
HIP_ASSERT(src->sin6_family == AF_INET6);
HIP_DEBUG("User message from port %d\n", htons(src->sin6_port));
@@ -366,11 +369,6 @@
dst_hit = hip_get_param_contents(msg, HIP_PARAM_HIT);
hip_dec_cookie_difficulty();
break;
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- case HIP_MSG_GET_PEER_HIT:
- err = hip_opp_get_peer_hit(msg, src);
- break;
-#endif
case HIP_MSG_CERT_SPKI_VERIFY:
{
HIP_DEBUG("Got an request to verify SPKI cert\n");
@@ -434,9 +432,6 @@
struct sockaddr_in6 sock_addr6;
struct sockaddr_in sock_addr;
struct in6_addr server_addr, hitr;
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- struct in6_addr *hit_local;
-#endif
/* Get RVS IP address, HIT and requested lifetime given as
* commandline parameters to hipconf. */
@@ -490,7 +485,7 @@
HIP_IFEL(hip_hadb_add_peer_info(dst_hit, dst_ip,
NULL, NULL),
-1, "Error on adding server " \
- "HIT to IP address mapping to the hadb.\n");
+ "HIT to IP address mapping to the hadb.\n");
/* Fetch the hadb entry just created. */
entry = hip_hadb_try_to_find_by_peer_hit(dst_hit);
@@ -504,12 +499,39 @@
}
#ifdef CONFIG_HIP_OPPORTUNISTIC
else {
- hit_local = malloc(sizeof(struct in6_addr));
- HIP_IFEL(hip_get_default_hit(hit_local), -1,
+ HIP_IFEL(hip_get_default_hit(&hit_local), -1,
"Error retrieving default HIT \n");
- entry = hip_opp_add_map(dst_ip, hit_local, src);
+
+ HIP_IFEL(hip_opportunistic_ipv6_to_hit(dst_ip,
+ &opp_hit,
+ HIP_HIT_TYPE_HASH100),
+ -1,
+ "Opportunistic HIT conversion failed\n");
+
+ HIP_ASSERT(hit_is_opportunistic_hit(&opp_hit));
+
+ HIP_DEBUG_HIT("Opportunistic HIT", &opp_hit);
+
+ HIP_IFEL(hip_select_source_address(&src_ip,
+ dst_ip),
+ -1,
+ "Cannot find source address\n");
+
+ HIP_IFEL(hip_hadb_add_peer_info_complete(&hit_local,
+ &opp_hit,
+ NULL,
+ &src_ip,
+ dst_ip,
+ NULL),
+ -1,
+ "failed to add peer information to hadb\n");
+
+ HIP_IFEL(!(entry = hip_hadb_find_byhits(&hit_local, &opp_hit)),
+ -1,
+ "Did not find entry\n");
}
#endif
+
reg_types = reg_req->reg_type;
type_count = hip_get_param_contents_len(reg_req) -
sizeof(reg_req->lifetime);
=== modified file 'lib/core/builder.c'
--- lib/core/builder.c 2011-01-10 18:06:59 +0000
+++ lib/core/builder.c 2011-01-10 18:30:48 +0000
@@ -1120,7 +1120,6 @@
case HIP_MSG_CONF_PUZZLE_SET: return "HIP_MSG_CONF_PUZZLE_SET";
case HIP_MSG_CONF_PUZZLE_INC: return "HIP_MSG_CONF_PUZZLE_INC";
case HIP_MSG_CONF_PUZZLE_DEC: return "HIP_MSG_CONF_PUZZLE_DEC";
- case HIP_MSG_SET_OPPORTUNISTIC_MODE: return
"HIP_MSG_SET_OPPORTUNISTIC_MODE";
case HIP_MSG_SET_DEBUG_ALL: return "HIP_MSG_SET_DEBUG_ALL";
case HIP_MSG_SET_DEBUG_MEDIUM: return "HIP_MSG_SET_DEBUG_MEDIUM";
case HIP_MSG_SET_DEBUG_NONE: return "HIP_MSG_SET_DEBUG_NONE";
@@ -1132,9 +1131,6 @@
case HIP_MSG_HIT_TO_IP_ON: return "HIP_MSG_HIT_TO_IP_ON";
case HIP_MSG_HIT_TO_IP_OFF: return "HIP_MSG_HIT_TO_IP_OFF";
case HIP_MSG_HIT_TO_IP_SET: return "HIP_MSG_HIT_TO_IP_SET";
- case HIP_MSG_SET_OPPTCP_ON: return "HIP_MSG_SET_OPPTCP_ON";
- case HIP_MSG_SET_OPPTCP_OFF: return "HIP_MSG_SET_OPPTCP_OFF";
- case HIP_MSG_OPPTCP_SEND_TCP_PACKET: return
"HIP_MSG_OPPTCP_SEND_TCP_PACKET";
case HIP_MSG_TRANSFORM_ORDER: return "HIP_MSG_TRANSFORM_ORDER";
case HIP_MSG_OFFER_RVS: return "HIP_MSG_OFFER_RVS";
case HIP_MSG_CANCEL_RVS: return "HIP_MSG_CANCEL_RVS";
=== modified file 'lib/core/conf.c'
--- lib/core/conf.c 2011-01-09 22:18:11 +0000
+++ lib/core/conf.c 2011-01-10 18:30:48 +0000
@@ -155,7 +155,7 @@
/* free slot */
#define TYPE_PUZZLE 6
#define TYPE_NAT 7
-#define TYPE_OPP EXEC_LOADLIB_OPP /* Should be 8 */
+/* unused, was TYPE_OPP 8 */
/* unused, was TYPE_BLIND 9 */
#define TYPE_SERVICE 10
#define TYPE_CONFIG 11
@@ -168,7 +168,7 @@
#define TYPE_DAEMON 19
#define TYPE_LOCATOR 20
/* free slots */
-#define TYPE_OPPTCP 23
+/* unused, was TYPE_OPPTCP 23 */
#define TYPE_ORDER 24
/* free slots */
#define TYPE_HEARTBEAT 27
@@ -219,9 +219,6 @@
"Client side:\n"
"\tadd server rvs|relay|full-relay [HIT] <IP|hostname> <lifetime in
seconds>\n"
"\tdel server rvs|relay|full-relay [HIT] <IP|hostname>\n"
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- "set opp normal|advanced|none\n"
-#endif
"heartbeat <seconds> (0 seconds means off)\n"
"get ha all|HIT\n"
"locator on|off|get\n"
@@ -700,11 +697,6 @@
} else if ((!strcmp("mode", text)) && (strcmp("handover", argv[1]) == 0)) {
ret = TYPE_HANDOVER;
}
-#ifdef CONFIG_HIP_OPPORTUNISTIC
- else if (!strcmp("opp", text)) {
- ret = TYPE_OPP;
- }
-#endif
else if (!strcmp("order", text)) {
ret = TYPE_ORDER;
} else if (strcmp("heartbeat", argv[1]) == 0) {
@@ -867,7 +859,7 @@
hip_hit_t hit;
struct in6_addr ipv6;
int err = 0, seconds = 0, i = 0, number_of_regtypes = 0, reg_type = 0;
- int index_of_hit = 0, index_of_ip = 0, opp_mode = 0;;
+ int index_of_hit = 0, index_of_ip = 0, opp_mode = 0;
uint8_t lifetime = 0, *reg_types = NULL;
time_t seconds_from_lifetime = 0;
@@ -1747,66 +1739,6 @@
}
/**
- * Handles the hipconf commands where the type is @c opp.
- *
- * @param msg a pointer to the buffer where the message for kernel will
- * be written.
- * @param action the numeric action identifier for the action to be performed.
- * @param opt an array of pointers to the command line arguments after
- * the action and type.
- * @param optc the number of elements in the array.
- * @param send_only currently unused
- * @return zero on success, or negative error value on error.
- */
-static int hip_conf_handle_opp(struct hip_common *msg,
- int action,
- const char *opt[],
- int optc,
- UNUSED int send_only)
-{
- unsigned int oppmode = 0;
- int err = 0;
-
- if (action == ACTION_RUN) {
- return hip_handle_exec_app(0, EXEC_LOADLIB_OPP, optc, &opt[0]);
- }
- if (optc != 1) {
- HIP_ERROR("Incorrect number of arguments\n");
- err = -EINVAL;
- goto out;
- }
-
- if (!strcmp("normal", opt[0])) {
- oppmode = 1;
- } else if (!strcmp("advanced", opt[0])) {
- oppmode = 2;
- } else if (!strcmp("none", opt[0])) {
- oppmode = 0;
- } else {
- HIP_ERROR("Invalid argument\n");
- err = -EINVAL;
- goto out;
- }
-
- /* Build the message header */
- err = hip_build_user_hdr(msg, HIP_MSG_SET_OPPORTUNISTIC_MODE, 0);
- if (err) {
- HIP_ERROR("Failed to build user message header.: %s\n", strerror(err));
- goto out;
- }
-
- err = hip_build_param_contents(msg, &oppmode, HIP_PARAM_UINT,
- sizeof(unsigned int));
- if (err) {
- HIP_ERROR("build param oppmode failed: %s\n", strerror(err));
- goto out;
- }
-
-out:
- return err;
-}
-
-/**
* Translate a HIT to an LSI
*
* @param msg input/output message for the query/response for hipd
@@ -2166,8 +2098,7 @@
* @note In order to this function to work properly, "make install"
* must be executed to install libraries to right paths. Also library
* paths must be set right.
- * @see exec_app_types EXEC_LOADLIB_OPP, EXEC_LOADLIB_HIP and
- * EXEC_LOADLIB_NONE
+ * @see exec_app_types EXEC_LOADLIB_HIP and EXEC_LOADLIB_NONE
*
*/
int hip_handle_exec_app(int do_fork, int type, int argc,
@@ -2203,9 +2134,6 @@
HIP_DEBUG("Executing %s.\n", argv[0]);
if (type == EXEC_LOADLIB_HIP) {
libs[0] = strdup("libhiptool.so");
- } else if (type == EXEC_LOADLIB_OPP) {
- libs[0] = strdup("libopphip.so");
- libs[1] = strdup("libhiptool.so");
}
hip_append_pathtolib(libs, lib_all, LIB_LENGTH);
@@ -2587,7 +2515,7 @@
NULL, /* 5: unused, was TYPE_BOS */
hip_conf_handle_puzzle, /* 6: TYPE_PUZZLE */
hip_conf_handle_nat, /* 7: TYPE_NAT */
- hip_conf_handle_opp, /* 8: TYPE_OPP */
+ NULL, /* 8: unused, was TYPE_OPP */
NULL, /* 9: unused, was TYPE_BLIND */
hip_conf_handle_service, /* 10: TYPE_SERVICE */
/* Any server side registration action. */
=== modified file 'lib/core/conf.h'
--- lib/core/conf.h 2011-01-03 19:36:44 +0000
+++ lib/core/conf.h 2011-01-10 18:30:48 +0000
@@ -49,13 +49,6 @@
* These values are used for TYPE_xxx macros.
*/
-/** @defgroup exec_app_types Execute application types
- * @{
- * Execute application with opportunistic library preloaded.
- * @see handle_exec_application()
- */
-#define EXEC_LOADLIB_OPP 8
-
/**
* Execute application with hip-libraries preloaded.
* Overides example getaddrinfo().
=== modified file 'lib/core/hashtable.c'
--- lib/core/hashtable.c 2010-10-19 02:38:50 +0000
+++ lib/core/hashtable.c 2011-01-10 18:30:48 +0000
@@ -41,8 +41,6 @@
* @brief Hashtable wrappers for OpenSSL lhash implementation
*
* @author Miika Komu <miika@xxxxxx>
- * @see lib/opphip/wrap_db.c for a minimal hash table implementation
- * example
*/
#include <limits.h>
=== modified file 'lib/core/icomm.h'
--- lib/core/icomm.h 2010-12-28 18:21:49 +0000
+++ lib/core/icomm.h 2011-01-10 18:30:48 +0000
@@ -93,8 +93,6 @@
#define HIP_MSG_CONF_PUZZLE_SET 74
#define HIP_MSG_CONF_PUZZLE_INC 75
#define HIP_MSG_CONF_PUZZLE_DEC 76
-/* free slot */
-#define HIP_MSG_SET_OPPORTUNISTIC_MODE 78
/* Free slots here */
#define HIP_MSG_SET_DEBUG_ALL 82
#define HIP_MSG_SET_DEBUG_MEDIUM 83
@@ -107,13 +105,12 @@
#define HIP_MSG_SET_LOCATOR_ON 89
#define HIP_MSG_SET_LOCATOR_OFF 90
/* Free slots here */
-#define HIP_MSG_SET_OPPTCP_ON 94
-#define HIP_MSG_SET_OPPTCP_OFF 95
#define HIP_MSG_RESET_FIREWALL_DB 98
-#define HIP_MSG_OPPTCP_SEND_TCP_PACKET 99
+/* Free slots here */
+
#define HIP_MSG_TRANSFORM_ORDER 100
/** Socket option for the server to offer the RVS service. (server side) */
=== modified file 'modules/update/hipd/update_legacy.c'
--- modules/update/hipd/update_legacy.c 2011-01-09 22:18:11 +0000
+++ modules/update/hipd/update_legacy.c 2011-01-10 18:30:48 +0000
@@ -39,7 +39,6 @@
#include "config.h"
#include "hipd/hipd.h"
#include "hipd/maintenance.h"
-#include "hipd/oppipdb.h"
#include "lib/core/builder.h"
#include "lib/core/debug.h"
#include "lib/core/ife.h"
Other related posts:
