Committer: Miika Komu <miika@xxxxxx> Date: Mon Feb 08 23:28:25 2010 +0200 Revision: 3559 Revision-id: miika@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Branch nick: trunk Log: Doxygen for conntrack.c Modified: M firewall/conntrack.c M firewall/datapkt.c M firewall/firewall_control.c M hipd/hipd.c M hipd/netdev.c M hipd/user.c M lib/core/misc.c === modified file 'firewall/conntrack.c' --- firewall/conntrack.c 2010-02-08 15:18:06 +0000 +++ firewall/conntrack.c 2010-02-08 21:28:25 +0000 @@ -1,3 +1,19 @@ +/** + * @file firewall/conntrack.c + * + * Distributed under <a href="http://www.gnu.org/licenses/gpl.txt";>GNU/GPL</a>. + * + * Connection tracker for HIP and ESP. It is inspired by the connection tracker in the Linux kernel. See the following publications for more details: + * - <a href="http://hipl.hiit.fi/papers/essi_dippa.pdf";>E. Vehmersalo, Host Identity Protocol Enabled Firewall: A Prototype Implementation and Analysis, Master's thesis, September 2005</a> + * - <a href="http://www.usenix.org/events/usenix07/poster.html";>Lindqvist, Janne; Vehmersalo, Essi; Komu, Miika; Manner, Jukka, Enterprise Network Packet Filtering for Mobile Cryptographic Identities, + * Usenix 2007 Annual Technical Conference, Santa Clara, CA, June 20, 2007</a> + * - Rene Hummen. Secure Identity-based Middlebox Functions using the Host Identity Protocol. Master's thesis, RWTH Aachen, 2009. + * + * @brief Connection tracker for HIP and ESP. + * + * @author Essi Vehmersalo + * @author Rene Hummen <rene.hummen@xxxxxxxxxxxxxx> + **/ #include <stdio.h> #ifdef HAVE_CONFIG_H @@ -55,6 +71,8 @@ /** * prints out the list of addresses of esp_addr_list * + * @param addr_list list of addresses + * */ static void print_esp_addr_list(const SList * addr_list) { @@ -73,6 +91,8 @@ /** * Prints information from a hip_tuple. + * + * @param hiptuple HIP tuple */ static void print_tuple(const struct hip_tuple * hiptuple) { @@ -92,6 +112,8 @@ /** * Prints information from an esp_tuple. + * + * @param esp_tuple ESP tuple */ static void print_esp_tuple(const struct esp_tuple * esp_tuple) { @@ -137,6 +159,13 @@ HIP_DEBUG("NULL\n"); } +/** + * Test if the given HIT belongs to the local host + * + * @param hit the HIT to be tested + * @return one if the HIT belongs to the local host or zero otherwise + * + */ static int hip_fw_hit_is_our(const hip_hit_t *hit) { /* Currently only checks default HIT */ @@ -145,7 +174,12 @@ /*------------tuple handling functions-------------*/ -/* forms a data based on the packet, returns a hip_data structure*/ +/** + * forms a data based on the HITs of the packet and returns a hip_data structure + * + * @param common a HIP control packet + * @return struct hip_data corresponding to the HITs of the packet + **/ static struct hip_data * get_hip_data(const struct hip_common * common) { struct hip_data * data = NULL; @@ -203,17 +237,21 @@ } #ifdef CONFIG_HIP_OPPORTUNISTIC -/* - * replaces the pseudo-hits of the opportunistic entries - * related to a particular peer with the real hit -*/ +/** + * Replace the pseudo HITs in opportunistic entries with real HITs (once + * the real HITs are known from the R1 packet) + * + * @param data hip_data data structure + * @param ip6_from the IP address from which the packet arrived from + * + */ static void update_peer_opp_info(const struct hip_data * data, - const struct in6_addr * ip6_from){ + const struct in6_addr * ip6_from){ struct _DList * list = (struct _DList *) hipList; hip_hit_t phit; HIP_DEBUG("updating opportunistic entries\n"); - //the pseudo hit is compared with the hit in the entries + /* the pseudo hit is compared with the hit in the entries */ hip_opportunistic_ipv6_to_hit(ip6_from, &phit, HIP_HIT_TYPE_HASH100); while(list) @@ -236,11 +274,16 @@ } #endif -/* fetches the hip_tuple from connection table. - * Returns the tuple or NULL, if not found. +/** Fetch a hip_tuple from the connection table. + * + * @param data packet information constructed from the packet + * @param type_hdr HIP control packet type (HIP_I1 etc) + * @param ip6_from the source address of the control packet + * @return the tuple or NULL, if not found. */ -static struct tuple * get_tuple_by_hip(const struct hip_data * data, const uint8_t type_hdr, - const struct in6_addr * ip6_from) +static struct tuple * get_tuple_by_hip(const struct hip_data * data, + const uint8_t type_hdr, + const struct in6_addr * ip6_from) { struct hip_tuple * tuple; DList * list = (DList *) hipList; @@ -259,9 +302,8 @@ } #ifdef CONFIG_HIP_OPPORTUNISTIC - //if the entry was not found, we check - //if it was an opportunistic entry and - //place the real peer hit in the entries + /* In the case the entry was not found, place the real peer HIT in + the entries if the HIT happened to be an opportunistic one */ if(type_hdr == HIP_R1){ update_peer_opp_info(data, ip6_from); return get_tuple_by_hip(data, -1, ip6_from); @@ -273,11 +315,14 @@ } /** - * returns esp_address structure if one is found with address matching - * the argument, otherwise NULL; + * Find an entry from the given list that matches to the given address + * + * @param addr_list the list to be searched for + * @param addr the address to matched from the list + * @return the entry from the list that matched to the given address, or NULL if not found */ static struct esp_address * get_esp_address(const SList * addr_list, - const struct in6_addr * addr) + const struct in6_addr * addr) { const SList * list = addr_list; struct esp_address * esp_addr; @@ -303,8 +348,14 @@ } /** - * Insert address into list of addresses. If same address exists already - * the update_id is repplaced with the new value. Returns the address list. + * Insert an address into a list of addresses. If same address exists already, + * the update_id is replaced with the new value. + * + * @param addr_list the address list + * @param addr the address to be added + * @param upd_id update id + * + * @return the address list */ static SList * update_esp_address(SList * addr_list, const struct in6_addr * addr, @@ -343,8 +394,12 @@ } /** - * Finds esp tuple from espList that matches the argument spi and contains the + * Find esp tuple from espList that matches the argument spi and contains the * argument ip address + * + * @param dst_addr the destination address to be searched for + * @param spi the SPI number to be searched for + * @return a tuple matching to the address and SPI or NULL if not found */ static struct tuple * get_tuple_by_esp(const struct in6_addr * dst_addr, const uint32_t spi) { @@ -376,7 +431,10 @@ /** * find esp_tuple from a list that matches the argument spi value - * returns NULL is no such esp_tuple is found + * + * @esp_list the list to be searched for + * @spi the SPI number to the matched from the list + * @return the matching ESP tuple or NULL if not found */ struct esp_tuple * find_esp_tuple(const SList * esp_list, const uint32_t spi) { @@ -398,7 +456,13 @@ return NULL; } -/* initialize and insert connection*/ +/** + * initialize and store a new HIP/ESP connnection into the connection table + * + * @param data the connection-related data to be inserted + * @param src source IP address from the packet + * @param dst destination IP address from the packet + */ static void insert_new_connection(const struct hip_data * data, const struct in6_addr *src, const struct in6_addr *dst){ HIP_DEBUG("insert_new_connection\n"); struct connection * connection = NULL; @@ -460,7 +524,12 @@ //print_data(data); } -static void insert_esp_tuple(const struct esp_tuple * esp_tuple ) +/** + * Insert a new ESP tuple to the connection tracker + * + * @param esp_tuple the ESP tuple to be inserted + */ +static void insert_esp_tuple(const struct esp_tuple * esp_tuple) { espList = (DList *) append_to_list((DList *)espList, (void *)esp_tuple); @@ -470,7 +539,9 @@ } /** - * free hip_tuple structure + * deallocate memory of a compound hip_tuple structure with all of its pointers + * + * @param hip_tuple the hip tuple to be freed */ static void free_hip_tuple(struct hip_tuple * hip_tuple) { @@ -501,7 +572,9 @@ } /** - * free esp_tuple structure + * deallocate an esp_tuple structure along with all of its pointers + * + * @param esp_tuple the ESP tuple to be freed */ static void free_esp_tuple(struct esp_tuple * esp_tuple) { @@ -533,9 +606,9 @@ } /** - * frees dynamically allocated parts and removes hip and esp tuples - * relating to it + * deallocate dynamically allocated parts of a tuple along with its associated HIP and ESP tuples * + * @param tuple the tuple to be freed */ static void remove_tuple(struct tuple * tuple) { @@ -577,8 +650,9 @@ } /** - * removes connection and all hip end esp tuples relating to it + * removes a connection (both way tuples) along with its associated HIP and ESP tuples * + * @param connection the connection to be freed */ static void remove_connection(struct connection * connection) { @@ -604,20 +678,25 @@ } /** - * creates new esp_tuple from parameters. - * if spis dont match or other failure occurs returns NULL + * create new ESP tuple based on the given parameters + * + * @param esp_info a pointer to the ESP info parameter in the control message + * @param locator a pointer to the locator + * @param seq a pointer to the sequence number + * @param tuple a pointer to the corresponding tuple + * @return the created tuple (caller frees) or NULL on failure (e.g. SPIs do not match) */ static struct esp_tuple *esp_tuple_from_esp_info_locator(const struct hip_esp_info * esp_info, - const struct hip_locator * locator, - const struct hip_seq * seq, - struct tuple * tuple) + const struct hip_locator * locator, + const struct hip_seq * seq, + struct tuple * tuple) { struct esp_tuple * new_esp = NULL; struct hip_locator_info_addr_item * locator_addr = NULL; int n = 0; if(esp_info && locator && esp_info->new_spi == esp_info->old_spi) { HIP_DEBUG("esp_tuple_from_esp_info_locator: new spi 0x%lx\n", esp_info->new_spi); - //check that old spi is found + /* check that old spi is found */ new_esp = (struct esp_tuple *) malloc(sizeof(struct esp_tuple)); memset(new_esp, 0, sizeof(struct esp_tuple)); new_esp->spi = ntohl(esp_info->new_spi); @@ -657,12 +736,16 @@ } /** - * creates new esp_tuple from parameters - * if spis don't match or other failure occurs returns NULL + * create a new esp_tuple from the given parameters + * + * @param esp_info a pointer to an ESP info parameter in the control message + * @param addr a pointer to an address + * @param tuple a pointer to a tuple structure + * @return the created ESP tuple (caller frees) or NULL on failure (e.g. SPIs don't match) */ static struct esp_tuple * esp_tuple_from_esp_info(const struct hip_esp_info * esp_info, - const struct in6_addr * addr, - struct tuple * tuple) + const struct in6_addr * addr, + struct tuple * tuple) { struct esp_tuple * new_esp = NULL; if(esp_info) @@ -687,8 +770,14 @@ /** - * initialize and insert connection based on esp_info and locator - * returns 1 if succesful 0 otherwise. not used currently + * initialize and insert connection based on the given parameters from UPDATE packet + * + * @param data a pointer a HIP data structure + * @param esp_info a pointer to an ESP info data structure + * @param locator a pointer to a locator + * @param seq a pointer to a sequence number + * + * returns 1 if succesful 0 otherwise (latter does not occur currently) */ static int insert_connection_from_update(const struct hip_data * data, const struct hip_esp_info * esp_info, @@ -772,12 +861,18 @@ /** - * handles parameters for r1 packet. returns 1 if packet - * ok. if verify_responder parameter true, store responder HI - * for verifying signatures + * Process an R1 packet. This function also stores the HI of the Responder + * to be able to verify signatures also later. The HI is stored only if the + * signature in R1 was valid. + * + * @param common the R1 packet + * @param tuple the corresponding connection tuple + * @param verify_responder currently unused + * + * @return one if the packet was ok or zero otherwise */ -//8.6 at base draft. first check signature then store hi +// first check signature then store hi static int handle_r1(struct hip_common * common, struct tuple * tuple, int verify_responder) { @@ -844,12 +939,18 @@ } /** - * handles parameters for i2 packet. if packet is ok returns 1, otherwise 0; + * Process an I2 packet. If connection already exists, the esp tuple is just + * added to the existing connection. This occurs, for example, when connection + * is re-established. In such a case, the old ESP tuples are not removed. If an + * attacker spoofs an I2 or R2, the valid peers are still able to send data. + * + * @param ip6_src the source address of the I2 packet + * @param ip6_dst the destination address of the I2 packet + * @param common the I2 packet + * @param tuple the connection tracking tuple corresponding to the I2 packet + * + * @return one on success or zero failure */ -//if connection already exists and the esp tuple is just added to the existing -//connection. this for example when connection is re-established. the old esp -//tuples are not removed. if attacker spoofs an i2 or r2, the valid peers are -//still able to send data static int handle_i2(const struct in6_addr * ip6_src, const struct in6_addr * ip6_dst, struct hip_common * common, struct tuple * tuple) { @@ -967,7 +1068,25 @@ } /** - * @todo: document me + * Hipfw has an experimental mode which allows it to act as an ESP Relay to pass e.g. + * p2p-unfriendly NAT boxes. It is assumed that the same host is running + * also a HIP relay. This function adjusts the connection tracking so that + * the ESP relaying functionality works. As the end-hosts set up their IPsec + * SAs based on the IP address of the Relay, it must effectively implement + * source NATting to forward the ESP packets succesfully. At the moment, the relay + * adjusts connection tracking on based on the R2 packet. + * + * @todo implement the same handling for UPDATE + * @see http://hipl.hiit.fi/bugzilla/show_bug.cgi?id=871 + * + * @param ip6_src the source address of the R2 + * @param ip6_dst the destination address of the R2 + * @param common the R2 packet + * @param tuple the connection tracking tuple corresponding to the R2 packet + * @param esp_tuple the connection tracking ESP tuple corresponding to the R2 packet + * @param ctx packet context + * + * @return zero on success and non-zero on error */ static int hip_handle_esp_in_udp_relay_r2(const struct in6_addr * ip6_src, const struct in6_addr * ip6_dst, const struct hip_common * common, struct tuple * tuple, @@ -1027,12 +1146,20 @@ /** - * handles parameters for r2 packet. if packet is ok returns 1, otherwise 0; + * Process an R2 packet. If connection already exists, the esp tuple is + * just added to the existing connection. This occurs, for example, when + * the connection is re-established. In such a case, the old esp + * tuples are not removed. If an attacker spoofs an I2 or R2, the + * valid peers are still able to send data. + * + * @param ip6_src the source address of the R2 + * @param ip6_dst the destination address of the R2 + * @param common the R2 packet + * @param tuple the connection tracking tuple corresponding to the R2 packet + * @param ctx packet context + * + * @return one if packet was processed successfully or zero otherwise */ -//if connection already exists and the esp tuple is just added to the existing -//connection. this for example when connection is re-established. the old esp -//tuples are not removed. if attacker spoofs an i2 or r2, the valid peers are -//still able to send data static int handle_r2(const struct in6_addr * ip6_src, const struct in6_addr * ip6_dst, const struct hip_common * common, struct tuple * tuple, hip_fw_context_t *ctx) @@ -1115,10 +1242,15 @@ /** - * updates esp tuple according to parameters - * esp_info or locator may be null and spi or ip_addr is - * not updated in that case - * returns 1 if successful 0 otherwise + * Update an existing ESP tuple according to the given parameters Argument + * esp_info or locator may be null. SPI or ip_addr will not be updated in that case. + * + * @param esp_info a pointer to the ESP info parameter in the control message + * @param locator a pointer to the locator + * @param seq a pointer to the sequence number + * @param esp_tuple a pointer to the ESP tuple to be updated + * + * @return 1 if successful, or 0 otherwise */ static int update_esp_tuple(const struct hip_esp_info * esp_info, const struct hip_locator * locator, @@ -1241,20 +1373,25 @@ } /** - * check parameters for update packet. if packet ok returns 1, otherwise 0 + * Process an UPDATE packet. When announcing new spis/addresses, the other + * end may still keep sending data with old spis and addresses. Therefore, + * old values are valid until an ack is received. + * + * @todo: SPI parameters did not work earlier and could not be used for creating + * connection state for updates - check if the situation is still the same + * + * @param ip6_src the source address of the R2 + * @param ip6_dst the destination address of the R2 + * @param common the R2 packet + * @param tuple the connection tracking tuple corresponding to the R2 packet + * + * @return one if packet was processed successfully or zero otherwise */ -// When announcing new spis/addresses, the other end may still keep sending -// data with old spis and addresses -> -// old values are valid until ack is received -// SPI parameters don't work in current HIPL -> can not be used for creating -// connection state for updates static int handle_update(const struct in6_addr * ip6_src, - const struct in6_addr * ip6_dst, - const struct hip_common * common, - struct tuple * tuple) + const struct in6_addr * ip6_dst, + const struct hip_common * common, + struct tuple * tuple) { - //Anything that can come out of an update packet - //struct hip_tlv_common * param = NULL; struct hip_seq * seq = NULL; struct hip_esp_info * esp_info = NULL; struct hip_ack * ack = NULL; @@ -1270,7 +1407,7 @@ _HIP_DEBUG("handle_update\n"); - // get params from UPDATE message + /* get params from UPDATE message */ seq = (struct hip_seq *) hip_get_param(common, HIP_PARAM_SEQ); esp_info = (struct hip_esp_info *) hip_get_param(common, HIP_PARAM_ESP_INFO); ack = (struct hip_ack *) hip_get_param(common, HIP_PARAM_ACK); @@ -1284,14 +1421,14 @@ if(spi) _HIP_DEBUG("handle_update: spi param, spi: 0x%lx \n", ntohl(spi->spi)); - // connection changed to a path going through this firewall + /* connection changed to a path going through this firewall */ if(tuple == NULL) { _HIP_DEBUG("unknown connection\n"); - // TODO this should only be the case, if (old_spi == 0) != new_spi -> check + // @todo this should only be the case, if (old_spi == 0) != new_spi -> check - // attempt to create state for new connection + /* attempt to create state for new connection */ if(esp_info && locator && seq) { struct hip_data *data = NULL; @@ -1312,7 +1449,7 @@ * NOTE: modify this regardingly! */ if(!insert_connection_from_update(data, esp_info, locator, seq)) { - // insertion failed + /* insertion failed */ HIP_DEBUG("connection insertion failed\n"); free(data); @@ -1320,7 +1457,7 @@ goto out_err; } - // insertion successful -> go on + /* insertion successful -> go on */ tuple = get_tuple_by_hits(&common->hits, &common->hitr); @@ -1349,7 +1486,7 @@ } else { - // unknown connection, but insufficient parameters to set up state + /* unknown connection, but insufficient parameters to set up state */ HIP_DEBUG("insufficient parameters to create new connection with UPDATE\n"); err = 0; @@ -1358,8 +1495,7 @@ } else { - // we already know this connection - + /* we already know this connection */ SList * other_dir_esps = NULL; struct esp_tuple * esp_tuple = NULL; @@ -1376,7 +1512,7 @@ if(seq != NULL) { - //announces something new + /* announces something new */ _HIP_DEBUG("handle_update: seq found, update id %d\n", seq->update_id); } @@ -1387,8 +1523,8 @@ */ if(esp_info && locator && seq) { - // handling single esp_info and locator parameters - // Readdress with mobile-initiated rekey + /* Handling single esp_info and locator parameters + Readdress with mobile-initiated rekey */ _HIP_DEBUG("handle_update: esp_info and locator found\n"); @@ -1418,10 +1554,10 @@ } } -// why would we want to do that? We already know this connection and this is a U1 +/* why would we want to do that? We already know this connection and this is a U1 */ #if 0 - } else //create new esp_tuple - { + } else /* create new esp_tuple */ + { new_esp = esp_tuple_from_esp_info_locator(esp_info, locator, seq, other_dir_tuple); @@ -1441,7 +1577,7 @@ } else if(locator && seq) { - // Readdress without rekeying + /* Readdress without rekeying */ _HIP_DEBUG("handle_update: locator found\n"); esp_tuple = find_esp_tuple(other_dir_esps, ntohl(esp_info->new_spi)); @@ -1452,7 +1588,7 @@ err = 0; goto out_err; - // if mobile host spi not intercepted, but valid + /* if mobile host spi not intercepted, but valid */ } if(!update_esp_tuple(NULL, locator, seq, esp_tuple)) @@ -1463,7 +1599,7 @@ } else if(esp_info && seq) { - //replying to Readdress with mobile-initiated rekey + /* replying to Readdress with mobile-initiated rekey */ _HIP_DEBUG("handle_update: esp_info found old:0x%lx new:0x%lx\n", ntohl(esp_info->old_spi), ntohl(esp_info->new_spi)); @@ -1481,7 +1617,7 @@ err = 0; goto out_err; - } else//connection state is being established from update + } else /* connection state is being established from update */ { struct esp_tuple * new_esp = esp_tuple_from_esp_info( esp_info, ip6_src, other_dir_tuple); @@ -1503,7 +1639,7 @@ { esp_tuple = find_esp_tuple(other_dir_esps, ntohl(esp_info->old_spi)); - // only add new tuple, if we don't already have it + /* only add new tuple, if we don't already have it */ if(esp_tuple == NULL) { struct esp_tuple * new_esp = esp_tuple_from_esp_info(esp_info, @@ -1621,9 +1757,9 @@ { _HIP_DEBUG("handle_update: echo found res\n"); } - } + } - // everything should be set now in order to process eventual anchor params + /* everything should be set now in order to process eventual anchor params */ HIP_IFEL(esp_prot_conntrack_update(common, tuple), -1, "failed to process anchor parameter\n"); @@ -1632,9 +1768,14 @@ } /** - * the sending party wishes to close HIP association. - * requires new I1.. if any more data is to be sent. - * so, the spi tuple may be removed + * Process a CLOSE packet + * + * @param ip6_src the source address of the CLOSE packet + * @param ip6_dst the destination address of the CLOSE packet + * @param common the CLOSE packet + * @param tuple the connection tracking tuple corresponding to the CLOSE packet + * + * @return one if packet was processed successfully or zero otherwise */ static int handle_close(const struct in6_addr * ip6_src, const struct in6_addr * ip6_dst, @@ -1671,14 +1812,19 @@ } /** - * the sending party agrees to close HIP association. - * requires new I1.. if any more data is to be sent. - * so, the spi tuple may be removed + * Process CLOSE_ACK and remove the connection. + * + * @param ip6_src the source address of the CLOSE_ACK + * @param ip6_dst the destination address of the CLOSE_ACK + * @param common the CLOSE_ACK packet + * @param tuple the connection tracking tuple corresponding to the CLOSE_ACK packet + * + * @return one if packet was processed successfully or zero otherwise */ int handle_close_ack(const struct in6_addr * ip6_src, - const struct in6_addr * ip6_dst, - const struct hip_common * common, - struct tuple * tuple) + const struct in6_addr * ip6_dst, + const struct hip_common * common, + struct tuple * tuple) { int err = 1; @@ -1703,18 +1849,26 @@ } /** - * handles hip parameters and returns verdict for packet. - * tuple parameter is NULL for new connection. - * returns 1 if packet ok otherwise 0 - * + * Process a HIP packet using the connection tracking procedures and issue + * a verdict. + * + * @param ip6_src source address of the packet + * @param ip6_dst destination address of the packet + * @param common the packet to be processed + * @param tuple the tuple or NULL if a new connection + * @param verify_responder currently unused + * @param accept_mobile process UPDATE packets + * @param ctx context for the packet + * + * @return 1 if packet if passed the verifications or otherwise 0 */ static int check_packet(const struct in6_addr * ip6_src, - const struct in6_addr * ip6_dst, - struct hip_common * common, - struct tuple * tuple, - const int verify_responder, - const int accept_mobile, - hip_fw_context_t *ctx) + const struct in6_addr * ip6_dst, + struct hip_common * common, + struct tuple * tuple, + const int verify_responder, + const int accept_mobile, + hip_fw_context_t *ctx) { #ifdef CONFIG_HIP_OPPORTUNISTIC hip_hit_t phit; @@ -1727,7 +1881,6 @@ // new connection can only be started with I1 of from update packets // when accept_mobile is true - //Prabhu add a checking for DATA Packets if(!(tuple || common->type_hdr == HIP_I1 || common->type_hdr == HIP_DATA || (common->type_hdr == HIP_UPDATE && accept_mobile))) { @@ -1778,8 +1931,6 @@ } - //This if added by Prabhu to check the HIP_DATA packets - if(hip_datapacket_mode && common->type_hdr == HIP_DATA) { hip_hit_t *def_hit = hip_fw_get_default_hit(); @@ -1792,7 +1943,6 @@ HIP_DEBUG_HIT("Receiver HIT :",&common->hitr); - //TEMP ADDED BY PRABHU TO CHECK IF WE HAVE RIGHT SIGN if( handle_hip_data(common) != 0 ) { HIP_DEBUG("NOT A VALID HIP PACKET"); @@ -1815,7 +1965,6 @@ err = 1; } else { - //TODO : PRABHU HIP_DEBUG(" Aleady a connection \n"); // Need to filter HIP_DATA packet state //Check for Seq Ack Sig, time @@ -1932,7 +2081,13 @@ } /** - * ESP relay (works only with UDP encapsulated IPv4 packets) + * ESP relay. Requires the HIP relay service on the same host. + * + * @todo Currently works only with UDP encapsulated IPv4 packets. + * + * @param ctx context for the packet + * @param tuple the tuple corresponding to the packet + * @return zero on success or non-zero on failure */ static int relay_esp_in_udp(const hip_fw_context_t * ctx, const struct tuple *tuple) { struct iphdr *iph = (struct iphdr *) ctx->ipq_packet->payload; @@ -1977,6 +2132,9 @@ * Filters esp packet. The entire rule structure is passed as an argument * and the HIT options are also filtered here with information from the * connection. + * + * @param ctx context for the packet + * @return verdict for the packet (zero means drop, one means pass) */ int filter_esp_state(const hip_fw_context_t * ctx) { @@ -2071,7 +2229,17 @@ return err; } -//check the verdict in rule, so connections can only be created when necessary +/** + * Filter connection tracking state (in general) + * + * @param ip6_src source IP address of the control packet + * @param ip6_dst destination IP address of the packet + * @param buf the control packet + * @param option special state options to be checked + * @param accept force accepting of the packet if set to one + * @param ctx context for the control packet + * @return verdict for the packet (zero means drop, one means pass, negative error) + */ int filter_state(const struct in6_addr * ip6_src, const struct in6_addr * ip6_dst, struct hip_common * buf, const struct state_option * option, const int accept, hip_fw_context_t *ctx) @@ -2095,16 +2263,14 @@ free(data); // cases where packet does not match - if (!tuple) - { + if (!tuple) { if((option->int_opt.value == CONN_NEW && !option->int_opt.boolean) || (option->int_opt.value == CONN_ESTABLISHED && option->int_opt.boolean)) { return_value = 0; goto out_err; } - } else - { + } else { if((option->int_opt.value == CONN_ESTABLISHED && !option->int_opt.boolean) || (option->int_opt.value == CONN_NEW && option->int_opt.boolean)) @@ -2157,14 +2323,19 @@ } /** - * packet is accepted by filtering rules but has not been - * filtered through any state rules - * needs to be registered by connection tracking + * Packet is accepted by filtering rules but has not been + * filtered through any state rules. Find the the tuples for the packet + * and pass on for more filtering. + * + * @param ip6_src source IP address of the control packet + * @param ip6_dst destination IP address of the control packet + * @param buf the control packet + * @param ctx context for the control packet */ void conntrack(const struct in6_addr * ip6_src, - const struct in6_addr * ip6_dst, - struct hip_common * buf, - hip_fw_context_t *ctx) + const struct in6_addr * ip6_dst, + struct hip_common * buf, + hip_fw_context_t *ctx) { struct hip_data * data; struct tuple * tuple; @@ -2191,8 +2362,12 @@ } /** - * Returns the tuple or NULL, if not found. - * fetches the hip_tuple from connection table. + * Fetches the wanted hip_tuple from the connection table. + * + * @param src_hit source HIT of the tuple + * @param dst_hit destination HIT of the tuple + * + * @return the tuple matching to the given HITs or NULL if not found */ struct tuple * get_tuple_by_hits(const struct in6_addr * src_hit, const struct in6_addr *dst_hit){ DList * list = (DList *) hipList; === modified file 'firewall/datapkt.c' --- firewall/datapkt.c 2010-01-21 13:37:11 +0000 +++ firewall/datapkt.c 2010-02-08 21:28:25 +0000 @@ -216,7 +216,6 @@ return err; } -//Prabhu enable datapacket mode input int hip_fw_userspace_datapacket_input(const hip_fw_context_t *ctx) { int err = 0; @@ -351,7 +350,7 @@ ipv6_addr_cmp(&hit, &common->hits), -1, "Unable to verify HOST_ID mapping to src HIT\n"); - /* Fix Prabhu..Due to some message.c constraints, + /* @todo Due to some message.c constraints, common->type_hdr was set to 1 when signing the data.. So set it to 1 when verifying and then reset it back */ common->payload_proto = 1; === modified file 'firewall/firewall_control.c' --- firewall/firewall_control.c 2010-02-08 19:17:05 +0000 +++ firewall/firewall_control.c 2010-02-08 21:28:25 +0000 @@ -178,18 +178,14 @@ HIP_DEBUG("Disabling ESP relay\n"); hip_fw_uninit_esp_relay(); break; - //Prabhu enable hip datapacket mode case SO_HIP_SET_DATAPACKET_MODE_ON: HIP_DEBUG("Setting HIP DATA PACKET MODE ON \n "); hip_datapacket_mode = 1; break; - - //Prabhu enable hip datapacket mode case SO_HIP_SET_DATAPACKET_MODE_OFF: HIP_DEBUG("Setting HIP DATA PACKET MODE OFF \n "); hip_datapacket_mode = 0; break; - case SO_HIP_FW_FLUSH_SYS_OPP_HIP: if (system_based_opp_mode) { HIP_DEBUG("Flushing system-based opportunistic mode " \ === modified file 'hipd/hipd.c' --- hipd/hipd.c 2010-02-08 15:18:06 +0000 +++ hipd/hipd.c 2010-02-08 21:28:25 +0000 @@ -151,7 +151,7 @@ */ int hip_use_userspace_ipsec = 0; -int hip_use_userspace_data_packet_mode = 0 ; //Prabhu Data Packet mode support +int hip_use_userspace_data_packet_mode = 0 ; int esp_prot_active = 0; int esp_prot_num_transforms = 0; === modified file 'hipd/netdev.c' --- hipd/netdev.c 2010-02-08 15:18:06 +0000 +++ hipd/netdev.c 2010-02-08 21:28:25 +0000 @@ -1106,7 +1106,7 @@ //add_address_to_list(addr, if_index /*acq->sel.ifindex*/); - /* Prabhu if datapacket mode is set then dont send I1. + /* If datapacket mode is set then dont send I1. Instead, reply with data packet mode message type. */ if (hip_use_userspace_data_packet_mode) { goto out_err; === modified file 'hipd/user.c' --- hipd/user.c 2010-02-08 15:18:06 +0000 +++ hipd/user.c 2010-02-08 21:28:25 +0000 @@ -1081,7 +1081,7 @@ break; } - case SO_HIP_SET_DATAPACKET_MODE_ON: //Prabhu Enable DataPacket Mode + case SO_HIP_SET_DATAPACKET_MODE_ON: { struct sockaddr_in6 sock_addr; HIP_DEBUG("SO_HIP_SET_DATAPACKET_MODE_ON\n"); @@ -1105,7 +1105,7 @@ break; } - case SO_HIP_SET_DATAPACKET_MODE_OFF: //Prabhu Enable DataPacket Mode + case SO_HIP_SET_DATAPACKET_MODE_OFF: { struct sockaddr_in6 sock_addr_1; HIP_DEBUG("SO_HIP_SET_DATAPACKET_MODE_OFF\n"); === modified file 'lib/core/misc.c' --- lib/core/misc.c 2010-02-08 15:18:06 +0000 +++ lib/core/misc.c 2010-02-08 21:28:25 +0000 @@ -32,6 +32,19 @@ in_port_t hip_peer_nat_udp_port = HIP_NAT_UDP_PORT; #ifdef CONFIG_HIP_OPPORTUNISTIC +/** + * Convert a given IP address into a pseudo HIT + * + * @param ip an IPv4 or IPv6 address address + * @param hit a pseudo HIT generated from the IP address + * @param hit_type the type of the HIT + * @return zero on success and non-zero on failure + * @see <a + * href="http://hipl.hiit.fi/hipl/thesis_teresa_finez.pdf";>T. Finez, + * Backwards Compatibility Experimentation with Host Identity Protocol + * and Legacy Software and Networks , final project, December 2008</a> + + */ int hip_opportunistic_ipv6_to_hit(const struct in6_addr *ip, struct in6_addr *hit, int hit_type){