[hipl-commit] [trunk] Rev 4242: dead code removal: part II (firewall subdirectory)

  • From: Diego Biurrun <diego@xxxxxxxxxx>
  • To: hipl-commit@xxxxxxxxxxxxx
  • Date: Tue, 13 Apr 2010 13:58:05 +0300

Committer: Diego Biurrun <diego@xxxxxxxxxx>
Date: 13/04/2010 at 13:58:05
Revision: 4242
Revision-id: diego@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Branch nick: trunk

Log:
  dead code removal: part II (firewall subdirectory)

Modified:
  M  firewall/conntrack.c
  M  firewall/conntrack.h
  M  firewall/firewall.c
  M  firewall/firewall_defines.h
  M  firewall/lsi.c
  M  firewall/proxy.c
  M  firewall/rule_management.h
  M  firewall/user_ipsec_api.c
  M  firewall/user_ipsec_esp.c

=== modified file 'firewall/conntrack.c'
--- firewall/conntrack.c        2010-04-13 10:36:12 +0000
+++ firewall/conntrack.c        2010-04-13 10:57:54 +0000
@@ -468,7 +468,6 @@
 
     connection->state = STATE_ESTABLISHED;
     //set time stamp
-    //g_get_current_time(&connection->time_stamp);
     gettimeofday(&connection->time_stamp, NULL);
 #ifdef HIP_CONFIG_MIDAUTH
     connection->pisa_state                       = PISA_STATE_DISALLOW;
@@ -481,7 +480,6 @@
 #ifdef CONFIG_HIP_HIPPROXY
     connection->original.hipproxy                = hip_proxy_status;
 #endif /* CONFIG_HIP_HIPPROXY */
-    //connection->original.esp_tuple->tuple = &connection->original;
     connection->original.connection              = connection;
     connection->original.hip_tuple               = (struct hip_tuple *) 
malloc(sizeof(struct hip_tuple));
     memset(connection->original.hip_tuple, 0, sizeof(struct hip_tuple));
@@ -808,7 +806,6 @@
 #ifdef CONFIG_HIP_HIPPROXY
     connection->original.hipproxy                 = hip_proxy_status;
 #endif /* CONFIG_HIP_HIPPROXY */
-    //connection->original.esp_tuple->tuple = &connection->original;
     connection->original.connection               = connection;
     connection->original.hip_tuple                = (struct hip_tuple *) 
malloc(sizeof(struct hip_tuple));
     connection->original.hip_tuple->tuple         = &connection->original;
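Review bot: The `malloc(sizeof(struct hip_tuple))` result on the preceding line is dereferenced immediately in `connection->original.hip_tuple->tuple = &connection->original;` without a NULL check, so an allocation failure in the connection-tracking path is a crash of the firewall rather than a dropped packet. The hunk at -481 in this file has the same pattern (malloc followed by memset on the unchecked pointer). Since the file already uses the HIP_IFEL idiom, something like `HIP_IFEL(!(connection->original.hip_tuple = malloc(sizeof(struct hip_tuple))), -1, "malloc\n");` with `connection` released on the error path would be consistent. The enclosing function starts and ends outside the hunk, so whether an `out_err` label and cleanup are available there cannot be seen here.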
@@ -974,9 +971,6 @@
 
     HIP_DEBUG("verify_responder: %i\n", verify_responder);
 
-    // this should always be done
-    //if (verify_responder)
-
     // handling HOST_ID param
     HIP_IFEL(!(host_id = (struct hip_host_id *) hip_get_param(common,
                                                               
HIP_PARAM_HOST_ID)),
@@ -1587,13 +1581,12 @@
                 //addresses have the update id
                 temp_tuple_list = esp_tuples;
                 struct esp_tuple *esp_tuple;
-                SList *original_addr_list, *addr_list,
+                SList *addr_list,
                 *delete_addr_list = NULL, *delete_original_list = NULL;
                 int found         = 0;
 
                 while (temp_tuple_list) {
                     esp_tuple = (struct esp_tuple *) temp_tuple_list->data;
-                    //  original_addr_list = esp_tuple->dst_addr_list;
 
                     //is ack for changing spi?
                     if (esp_tuple->spi_update_id == *upd_id) {
@@ -1679,9 +1672,6 @@
 {
     int err = 1;
 
-    // set timeout UAL + MSL ++ (?)
-    // long int timeout = 20;  TODO: Should this be UAL + MSL?
-
     HIP_DEBUG("\n");
 
 #ifdef CONFIG_HIP_PERFORMANCE
@@ -1692,11 +1682,6 @@
 
     tuple->state = STATE_CLOSING;
 
-    //if (!timeoutChecking)
-    //  init_timeout_checking(timeout);
-    //else
-    //  timeoutValue = timeout;
-
 out_err:
 #ifdef CONFIG_HIP_PERFORMANCE
     HIP_DEBUG("Stop and write PERF_HANDLE_CLOSE\n");
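Review bot: Removing the commented-out `init_timeout_checking` calls here and the declaration in conntrack.h leaves `tuple->state = STATE_CLOSING;` with no visible expiry path, and the deleted `// set timeout UAL + MSL` TODO was the only record that one was intended. If nothing else in conntrack.c ages out CLOSING tuples — the function starts outside the hunk, so this cannot be confirmed here — the connection table grows with every association a peer opens and closes, which is a memory-exhaustion vector for an on-path firewall. Rather than dropping the intent silently, suggest keeping a one-line note such as `/* TODO: CLOSING tuples are never timed out; timeout checking was never implemented */` or filing it as a tracked issue.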
@@ -1935,7 +1920,6 @@
     if (err && tuple) {
         // update time_stamp only on valid packets
         // for new connections time_stamp is set when creating
-        //g_get_current_time(&tuple->connection->time_stamp);
         if (tuple->connection) {
             gettimeofday(&tuple->connection->time_stamp, NULL);
         } else {
@@ -2066,9 +2050,6 @@
     // match packet against known connections
     HIP_DEBUG("filtering ESP packet against known connections...\n");
 
-    //g_mutex_lock(connectionTableMutex);
-    //HIP_DEBUG("filter_esp_state: locked mutex\n");
-
     tuple = get_tuple_by_esp(dst_addr, spi);
     //ESP packet cannot start a connection
     if (!tuple) {
@@ -2118,8 +2099,6 @@
         gettimeofday(&tuple->connection->time_stamp, NULL);
     }
 
-    //g_mutex_unlock(connectionTableMutex);
-
     HIP_DEBUG("verdict %d \n", err);
 
     return err;
@@ -2145,10 +2124,6 @@
     // FIXME results in unsafe use in filter_hip()
     int return_value      = -1; //invalid value
 
-    _HIP_DEBUG("\n");
-    //g_mutex_lock(connectionTableMutex);
-    _HIP_DEBUG("filter_state:locked mutex\n");
-
     // get data form the buffer and put it in a new data structure
     data  = get_hip_data(buf);
     // look up the tuple in the database
@@ -2203,7 +2178,6 @@
                                 option->accept_mobile, ctx);
 
 out_err:
-    //g_mutex_unlock(connectionTableMutex);
     _HIP_DEBUG("filter state: returning %d \n", return_value);
 
     return return_value;
@@ -2228,10 +2202,6 @@
     struct tuple *tuple   = NULL;
     int verdict = 0;
 
-    _HIP_DEBUG("\n");
-    //g_mutex_lock(connectionTableMutex);
-    _HIP_DEBUG("locked mutex\n");
-
     // convert to new data type
     data  = get_hip_data(buf);
     // look up tuple in the db
@@ -2243,9 +2213,6 @@
     // are not filtered here
     verdict = check_packet(ip6_src, ip6_dst, buf, tuple, 0, 1, ctx);
 
-    //g_mutex_unlock(connectionTableMutex);
-    _HIP_DEBUG("unlocked mutex\n");
-
     free(data);
 
     return verdict;

=== modified file 'firewall/conntrack.h'
--- firewall/conntrack.h        2010-04-09 21:10:27 +0000
+++ firewall/conntrack.h        2010-04-13 10:57:54 +0000
@@ -31,8 +31,6 @@
               const struct in6_addr *ip6_dst,
               struct hip_common *buf, hip_fw_context_t *ctx);
 
-void init_timeout_checking(long int timeout_val);
-
 struct esp_tuple *find_esp_tuple(const SList *esp_list, const uint32_t spi);
 struct tuple *get_tuple_by_hits(const struct in6_addr *src_hit,
                                 const struct in6_addr *dst_hit);

=== modified file 'firewall/firewall.c'
--- firewall/firewall.c 2010-04-13 10:46:05 +0000
+++ firewall/firewall.c 2010-04-13 10:57:54 +0000
@@ -817,7 +817,6 @@
 #endif
     HIP_DEBUG("Closing firewall...\n");
     //hip_uninit_proxy_db();
-    //hip_uninit_conn_db();
     firewall_exit();
     exit(signal);
 }
@@ -1078,7 +1077,6 @@
     while (list != NULL) {
         match = 1;
         rule  = (struct rule *) list->data;
-        //print_rule(rule);
 
         // check src_hit if defined in rule
         if (match && rule->src_hit) {
@@ -1145,25 +1143,6 @@
                       match);
         }
 
-/* NOTE: HI does not make sense as a filter criteria as filtering by HITs and
- *       matching to transmitted HI is supposed to provide a similar level of
- *       security. Furthermore, signature verification is done in conntracking.
- *       -- Rene
- * TODO think about removing this in firewall_control.conf as well
- */
-#if 0
-        // if HI defined in rule, verify signature now
-        // - late as it's an expensive operation
-        // - checks that the message src is the src defined in the _rule_
-        if (match && rule->src_hi) {
-            _HIP_DEBUG("src_hi\n");
-
-            if (!match_hi(rule->src_hi, buf)) {
-                match = 0;
-            }
-        }
-#endif
-
         /* check if packet matches state from connection tracking
          * must be last, so not called if packet is going to be
          * dropped */
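Review bot: Deleting the `#if 0` HI-matching block also deletes the NOTE's TODO about `firewall_control.conf`, so nothing visible here stops an operator from writing a rule with a `src_hi` criterion that now silently matches on HIT alone. If the rule parser still accepts the `src_hi` field (the `struct rule` definition and the parser are outside this hunk), it should reject it or log a HIP_ERROR at load time so the effective policy is explicit rather than a silent no-op. At minimum the rationale should survive as a comment at this point in the matching loop, e.g. `/* src_hi is intentionally not matched: HIT filtering plus conntrack signature verification covers it */`.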
@@ -2106,9 +2085,6 @@
     system_print("ip6tables -I OUTPUT -j HIPFW-OUTPUT");
     system_print("ip6tables -I FORWARD -j HIPFW-FORWARD");
 
-    //HIP_IFEL(!(msg = hip_msg_alloc()), -1, "malloc\n");
-    //HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_PING, 0), -1, "hdr\n")
-
     while (hip_fw_get_default_hit() == NULL) {
         HIP_DEBUG("Sleeping until hipd is running...\n");
         sleep(1);
@@ -2396,7 +2372,6 @@
         HIP_IFEL(hip_set_lowcapability(0), -1, "Failed to reduce priviledges");
     }
 #endif
-    //init_timeout_checking(timeout);
 
 #ifdef CONFIG_HIP_HIPPROXY
     //send hipproxy status request before the control thread running.
@@ -2521,7 +2496,6 @@
             if (err < 0) {
                 HIP_ERROR("Error handling message\n");
                 continue;
-                //goto out_err;
             }
         }
     }

=== modified file 'firewall/firewall_defines.h'
--- firewall/firewall_defines.h 2010-04-09 21:10:27 +0000
+++ firewall/firewall_defines.h 2010-04-13 10:57:54 +0000
@@ -19,8 +19,6 @@
 #include "esp_prot_defines.h"
 #include "common_types.h"
 
-//int hip_proxy_status;
-
 
 typedef struct hip_fw_context {
     // queued packet
@@ -43,7 +41,6 @@
         struct tcphdr *    tcp;
     } transport_hdr;
     struct udphdr *udp_encap_hdr;
-    //uint32_t spi;
 
     int            modified;
 } hip_fw_context_t;

=== modified file 'firewall/lsi.c'
--- firewall/lsi.c      2010-04-09 15:20:38 +0000
+++ firewall/lsi.c      2010-04-13 10:57:54 +0000
@@ -273,11 +273,9 @@
         break;
     case IPPROTO_ICMPV6:
         HIP_DEBUG("ICMPv6 packet\n");
-        //goto out_err;
         break;
     default:
         HIP_DEBUG("Unhandled packet %d\n", ip6_hdr->ip6_nxt);
-        //goto out_err;
         break;
     }
 

=== modified file 'firewall/proxy.c'
--- firewall/proxy.c    2010-04-13 10:46:05 +0000
+++ firewall/proxy.c    2010-04-13 10:57:54 +0000
@@ -44,12 +44,6 @@
     HIP_IFEL(hip_build_user_hdr(msg,
                                 HIP_MSG_HIPPROXY_STATUS_REQUEST, 0),
              -1, "Build hdr failed\n");
-
-    //n = hip_sendto(msg, &hip_firewall_addr);
-
-    //n = sendto(hip_fw_sock, msg, hip_get_msg_total_len(msg),
-    //      0,(struct sockaddr *)dst, sizeof(struct sockaddr_in6));
-
     HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_sock), -1,
              "HIP_HIPPROXY_STATUS_REQUEST: Sendto HIPD failed.\n");
     HIP_DEBUG("HIP_HIPPROXY_STATUS_REQUEST: Sendto hipd ok.\n");
@@ -120,7 +114,6 @@
     int err                = 0;
     char *param            = 0;
     struct hip_common *msg = NULL;
-    //struct gaih_addrtuple *at = NULL;
 
     HIP_IFEL(!(msg = hip_msg_alloc()), -1, "malloc failed\n");
     HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_DEFAULT_HIT, 0),
@@ -919,10 +912,8 @@
     }
 
     HIP_DEBUG("Previous checksum: %X\n", (tcp->check));
-//tcp->check = htons(0);
 
     if (src_is_ipv4 && dst_is_ipv4) {
-        //struct tcphdr * tcptemp;
         HIP_DEBUG("src_addr and dst_aadr are ipv4!\n");
         iphdr->ip_v   = 4;
         iphdr->ip_hl  = sizeof(struct ip) >> 2;
@@ -1053,7 +1044,6 @@
     HIP_DEBUG_HIT("proxy_hit:", proxy_hit);
     HIP_DEBUG_IN6ADDR("src_addr:", src_addr);
 
-    //hip_get_local_hit_wrapper(&proxy_hit);
     conn_entry = hip_proxy_conn_find_by_portinfo(proxy_hit, src_addr, 
protocol, port_client, port_peer);
 
     if (conn_entry) {
@@ -1195,7 +1185,6 @@
     HIP_DEBUG("client port %d peer port %d\n", port_client, port_peer);
 
     entry = hip_proxy_find_by_addr(src_addr, dst_addr);
-    //hip_get_local_hit_wrapper(&proxy_hit);
 
     if (entry == NULL) {
         hip_proxy_add_entry(src_addr, dst_addr);

=== modified file 'firewall/rule_management.h'
--- firewall/rule_management.h  2010-04-10 09:12:33 +0000
+++ firewall/rule_management.h  2010-04-13 10:57:54 +0000
@@ -60,8 +60,6 @@
 };
 
 /*-------------- RULES ------------*/
-
-//void print_rule(const struct rule * rule);
 void print_rule_tables(void);
 
 void read_rule_file(const char *file_name);

=== modified file 'firewall/user_ipsec_api.c'
--- firewall/user_ipsec_api.c   2010-04-09 21:10:27 +0000
+++ firewall/user_ipsec_api.c   2010-04-13 10:57:54 +0000
@@ -359,8 +359,6 @@
                  hip_sockaddr_len(&local_sockaddr));
     if (err < decrypted_packet_len) {
         HIP_DEBUG("sendto() failed\n");
-        //printf("sendto() failed\n");
-
         err = -1;
     } else {
         HIP_DEBUG("new packet SUCCESSFULLY re-inserted into network stack\n");

=== modified file 'firewall/user_ipsec_esp.c'
--- firewall/user_ipsec_esp.c   2010-04-09 15:20:38 +0000
+++ firewall/user_ipsec_esp.c   2010-04-13 10:57:54 +0000
@@ -569,7 +569,6 @@
     case HIP_ESP_NULL_MD5:
         // even if hash digest might be longer, we are only using this much 
here
         alen = ICV_LENGTH;
-        //alen = MD5_DIGEST_LENGTH;
 
         // length of the authenticated payload, includes ESP header
         elen = in_len - alen;
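Review bot: `elen = in_len - alen;` is computed without a visible check that `in_len >= alen`; if the caller does not already validate the minimum ESP packet length (the function starts outside the hunk, so this cannot be confirmed here), a truncated inbound packet makes `elen` wrap or go negative and the ICV comparison and decryption that follow would read past the input buffer. Suggest a guard before the length arithmetic, e.g. `if (in_len < alen) { HIP_ERROR("ESP packet too short for ICV\n"); err = -1; goto out_err; }`, assuming the function follows the file's `err`/`out_err` convention. The same arithmetic appears in the HIP_ESP_AES_SHA1 case in the next hunk and would need the same guard.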
@@ -598,7 +597,6 @@
     case HIP_ESP_AES_SHA1:
         // even if hash digest might be longer, we are only using this much 
here
         alen = ICV_LENGTH;
-        //alen = SHA_DIGEST_LENGTH;
 
         // length of the encrypted payload
         elen = in_len - alen;
