Committer: Diego Biurrun <diego@xxxxxxxxxx> Date: 13/04/2010 at 13:58:05 Revision: 4242 Revision-id: diego@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Branch nick: trunk Log: dead code removal: part II (firewall subdirectory) Modified: M firewall/conntrack.c M firewall/conntrack.h M firewall/firewall.c M firewall/firewall_defines.h M firewall/lsi.c M firewall/proxy.c M firewall/rule_management.h M firewall/user_ipsec_api.c M firewall/user_ipsec_esp.c === modified file 'firewall/conntrack.c' --- firewall/conntrack.c 2010-04-13 10:36:12 +0000 +++ firewall/conntrack.c 2010-04-13 10:57:54 +0000 @@ -468,7 +468,6 @@ connection->state = STATE_ESTABLISHED; //set time stamp - //g_get_current_time(&connection->time_stamp); gettimeofday(&connection->time_stamp, NULL); #ifdef HIP_CONFIG_MIDAUTH connection->pisa_state = PISA_STATE_DISALLOW; @@ -481,7 +480,6 @@ #ifdef CONFIG_HIP_HIPPROXY connection->original.hipproxy = hip_proxy_status; #endif /* CONFIG_HIP_HIPPROXY */ - //connection->original.esp_tuple->tuple = &connection->original; connection->original.connection = connection; connection->original.hip_tuple = (struct hip_tuple *) malloc(sizeof(struct hip_tuple)); memset(connection->original.hip_tuple, 0, sizeof(struct hip_tuple)); @@ -808,7 +806,6 @@ #ifdef CONFIG_HIP_HIPPROXY connection->original.hipproxy = hip_proxy_status; #endif /* CONFIG_HIP_HIPPROXY */ - //connection->original.esp_tuple->tuple = &connection->original; connection->original.connection = connection; connection->original.hip_tuple = (struct hip_tuple *) malloc(sizeof(struct hip_tuple)); connection->original.hip_tuple->tuple = &connection->original; @@ -974,9 +971,6 @@ HIP_DEBUG("verify_responder: %i\n", verify_responder); - // this should always be done - //if (verify_responder) - // handling HOST_ID param HIP_IFEL(!(host_id = (struct hip_host_id *) hip_get_param(common, HIP_PARAM_HOST_ID)), 
@@ -1587,13 +1581,12 @@ //addresses have the update id temp_tuple_list = esp_tuples; struct esp_tuple *esp_tuple; - SList *original_addr_list, *addr_list, + SList *addr_list, *delete_addr_list = NULL, *delete_original_list = NULL; int found = 0; while (temp_tuple_list) { esp_tuple = (struct esp_tuple *) temp_tuple_list->data; - // original_addr_list = esp_tuple->dst_addr_list; //is ack for changing spi? if (esp_tuple->spi_update_id == *upd_id) { @@ -1679,9 +1672,6 @@ { int err = 1; - // set timeout UAL + MSL ++ (?) - // long int timeout = 20; TODO: Should this be UAL + MSL? - HIP_DEBUG("\n"); #ifdef CONFIG_HIP_PERFORMANCE @@ -1692,11 +1682,6 @@ tuple->state = STATE_CLOSING; - //if (!timeoutChecking) - // init_timeout_checking(timeout); - //else - // timeoutValue = timeout; - out_err: #ifdef CONFIG_HIP_PERFORMANCE HIP_DEBUG("Stop and write PERF_HANDLE_CLOSE\n"); @@ -1935,7 +1920,6 @@ if (err && tuple) { // update time_stamp only on valid packets // for new connections time_stamp is set when creating - //g_get_current_time(&tuple->connection->time_stamp); if (tuple->connection) { gettimeofday(&tuple->connection->time_stamp, NULL); } else { @@ -2066,9 +2050,6 @@ // match packet against known connections HIP_DEBUG("filtering ESP packet against known connections...\n"); - //g_mutex_lock(connectionTableMutex); - //HIP_DEBUG("filter_esp_state: locked mutex\n"); - tuple = get_tuple_by_esp(dst_addr, spi); //ESP packet cannot start a connection if (!tuple) { @@ -2118,8 +2099,6 @@ gettimeofday(&tuple->connection->time_stamp, NULL); } - //g_mutex_unlock(connectionTableMutex); - HIP_DEBUG("verdict %d \n", err); return err; @@ -2145,10 +2124,6 @@ // FIXME results in unsafe use in filter_hip() int return_value = -1; //invalid value - _HIP_DEBUG("\n"); - //g_mutex_lock(connectionTableMutex); - _HIP_DEBUG("filter_state:locked mutex\n"); - // get data form the buffer and put it in a new data structure data = get_hip_data(buf); // look up the tuple in the database 
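Review bot: In the rewritten declaration `SList *addr_list, *delete_addr_list = NULL, *delete_original_list = NULL;`, `addr_list` is now the only pointer in the group left uninitialised, which is inconsistent with its siblings and makes a read-before-store easy to miss if some branch of the loop skips the assignment. Its uses are outside the hunk so I cannot confirm every path stores it first, but initialising it costs nothing and removes the question: `SList *addr_list = NULL, *delete_addr_list = NULL, *delete_original_list = NULL;`. The comparison `esp_tuple->spi_update_id == *upd_id` in the loop also dereferences `upd_id` unconditionally, so the function presumably relies on callers never passing NULL; a one-line comment on that parameter stating the contract would help the next reader. The enclosing function begins and ends outside this hunk.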
@@ -2203,7 +2178,6 @@ option->accept_mobile, ctx); out_err: - //g_mutex_unlock(connectionTableMutex); _HIP_DEBUG("filter state: returning %d \n", return_value); return return_value; @@ -2228,10 +2202,6 @@ struct tuple *tuple = NULL; int verdict = 0; - _HIP_DEBUG("\n"); - //g_mutex_lock(connectionTableMutex); - _HIP_DEBUG("locked mutex\n"); - // convert to new data type data = get_hip_data(buf); // look up tuple in the db @@ -2243,9 +2213,6 @@ // are not filtered here verdict = check_packet(ip6_src, ip6_dst, buf, tuple, 0, 1, ctx); - //g_mutex_unlock(connectionTableMutex); - _HIP_DEBUG("unlocked mutex\n"); - free(data); return verdict; === modified file 'firewall/conntrack.h' --- firewall/conntrack.h 2010-04-09 21:10:27 +0000 +++ firewall/conntrack.h 2010-04-13 10:57:54 +0000 @@ -31,8 +31,6 @@ const struct in6_addr *ip6_dst, struct hip_common *buf, hip_fw_context_t *ctx); -void init_timeout_checking(long int timeout_val); - struct esp_tuple *find_esp_tuple(const SList *esp_list, const uint32_t spi); struct tuple *get_tuple_by_hits(const struct in6_addr *src_hit, const struct in6_addr *dst_hit); === modified file 'firewall/firewall.c' --- firewall/firewall.c 2010-04-13 10:46:05 +0000 +++ firewall/firewall.c 2010-04-13 10:57:54 +0000 @@ -817,7 +817,6 @@ #endif HIP_DEBUG("Closing firewall...\n"); //hip_uninit_proxy_db(); - //hip_uninit_conn_db(); firewall_exit(); exit(signal); } @@ -1078,7 +1077,6 @@ while (list != NULL) { match = 1; rule = (struct rule *) list->data; - //print_rule(rule); // check src_hit if defined in rule if (match && rule->src_hit) { 
@@ -1145,25 +1143,6 @@ match); } -/* NOTE: HI does not make sense as a filter criteria as filtering by HITs and - * matching to transmitted HI is supposed to provide a similar level of - * security. Furthermore, signature verification is done in conntracking. - * -- Rene - * TODO think about removing this in firewall_control.conf as well - */ -#if 0 - // if HI defined in rule, verify signature now - // - late as it's an expensive operation - // - checks that the message src is the src defined in the _rule_ - if (match && rule->src_hi) { - _HIP_DEBUG("src_hi\n"); - - if (!match_hi(rule->src_hi, buf)) { - match = 0; - } - } -#endif - /* check if packet matches state from connection tracking * must be last, so not called if packet is going to be * dropped */ @@ -2106,9 +2085,6 @@ system_print("ip6tables -I OUTPUT -j HIPFW-OUTPUT"); system_print("ip6tables -I FORWARD -j HIPFW-FORWARD"); - //HIP_IFEL(!(msg = hip_msg_alloc()), -1, "malloc\n"); - //HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_PING, 0), -1, "hdr\n") - while (hip_fw_get_default_hit() == NULL) { HIP_DEBUG("Sleeping until hipd is running...\n"); sleep(1); @@ -2396,7 +2372,6 @@ HIP_IFEL(hip_set_lowcapability(0), -1, "Failed to reduce priviledges"); } #endif - //init_timeout_checking(timeout); #ifdef CONFIG_HIP_HIPPROXY //send hipproxy status request before the control thread running. @@ -2521,7 +2496,6 @@ if (err < 0) { HIP_ERROR("Error handling message\n"); continue; - //goto out_err; } } } === modified file 'firewall/firewall_defines.h' --- firewall/firewall_defines.h 2010-04-09 21:10:27 +0000 +++ firewall/firewall_defines.h 2010-04-13 10:57:54 +0000 @@ -19,8 +19,6 @@ #include "esp_prot_defines.h" #include "common_types.h" -//int hip_proxy_status; - typedef struct hip_fw_context { // queued packet 
@@ -43,7 +41,6 @@ struct tcphdr * tcp; } transport_hdr; struct udphdr *udp_encap_hdr; - //uint32_t spi; int modified; } hip_fw_context_t; === modified file 'firewall/lsi.c' --- firewall/lsi.c 2010-04-09 15:20:38 +0000 +++ firewall/lsi.c 2010-04-13 10:57:54 +0000 @@ -273,11 +273,9 @@ break; case IPPROTO_ICMPV6: HIP_DEBUG("ICMPv6 packet\n"); - //goto out_err; break; default: HIP_DEBUG("Unhandled packet %d\n", ip6_hdr->ip6_nxt); - //goto out_err; break; } === modified file 'firewall/proxy.c' --- firewall/proxy.c 2010-04-13 10:46:05 +0000 +++ firewall/proxy.c 2010-04-13 10:57:54 +0000 @@ -44,12 +44,6 @@ HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_HIPPROXY_STATUS_REQUEST, 0), -1, "Build hdr failed\n"); - - //n = hip_sendto(msg, &hip_firewall_addr); - - //n = sendto(hip_fw_sock, msg, hip_get_msg_total_len(msg), - // 0,(struct sockaddr *)dst, sizeof(struct sockaddr_in6)); - HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_sock), -1, "HIP_HIPPROXY_STATUS_REQUEST: Sendto HIPD failed.\n"); HIP_DEBUG("HIP_HIPPROXY_STATUS_REQUEST: Sendto hipd ok.\n"); @@ -120,7 +114,6 @@ int err = 0; char *param = 0; struct hip_common *msg = NULL; - //struct gaih_addrtuple *at = NULL; HIP_IFEL(!(msg = hip_msg_alloc()), -1, "malloc failed\n"); HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_DEFAULT_HIT, 0), @@ -919,10 +912,8 @@ } HIP_DEBUG("Previous checksum: %X\n", (tcp->check)); -//tcp->check = htons(0); if (src_is_ipv4 && dst_is_ipv4) { - //struct tcphdr * tcptemp; HIP_DEBUG("src_addr and dst_aadr are ipv4!\n"); iphdr->ip_v = 4; iphdr->ip_hl = sizeof(struct ip) >> 2; @@ -1053,7 +1044,6 @@ HIP_DEBUG_HIT("proxy_hit:", proxy_hit); HIP_DEBUG_IN6ADDR("src_addr:", src_addr); - //hip_get_local_hit_wrapper(&proxy_hit); conn_entry = hip_proxy_conn_find_by_portinfo(proxy_hit, src_addr, protocol, port_client, port_peer); if (conn_entry) { 
@@ -1195,7 +1185,6 @@ HIP_DEBUG("client port %d peer port %d\n", port_client, port_peer); entry = hip_proxy_find_by_addr(src_addr, dst_addr); - //hip_get_local_hit_wrapper(&proxy_hit); if (entry == NULL) { hip_proxy_add_entry(src_addr, dst_addr); === modified file 'firewall/rule_management.h' --- firewall/rule_management.h 2010-04-10 09:12:33 +0000 +++ firewall/rule_management.h 2010-04-13 10:57:54 +0000 @@ -60,8 +60,6 @@ }; /*-------------- RULES ------------*/ - -//void print_rule(const struct rule * rule); void print_rule_tables(void); void read_rule_file(const char *file_name); === modified file 'firewall/user_ipsec_api.c' --- firewall/user_ipsec_api.c 2010-04-09 21:10:27 +0000 +++ firewall/user_ipsec_api.c 2010-04-13 10:57:54 +0000 @@ -359,8 +359,6 @@ hip_sockaddr_len(&local_sockaddr)); if (err < decrypted_packet_len) { HIP_DEBUG("sendto() failed\n"); - //printf("sendto() failed\n"); - err = -1; } else { HIP_DEBUG("new packet SUCCESSFULLY re-inserted into network stack\n"); === modified file 'firewall/user_ipsec_esp.c' --- firewall/user_ipsec_esp.c 2010-04-09 15:20:38 +0000 +++ firewall/user_ipsec_esp.c 2010-04-13 10:57:54 +0000 @@ -569,7 +569,6 @@ case HIP_ESP_NULL_MD5: // even if hash digest might be longer, we are only using this much here alen = ICV_LENGTH; - //alen = MD5_DIGEST_LENGTH; // length of the authenticated payload, includes ESP header elen = in_len - alen; @@ -598,7 +597,6 @@ case HIP_ESP_AES_SHA1: // even if hash digest might be longer, we are only using this much here alen = ICV_LENGTH; - //alen = SHA_DIGEST_LENGTH; // length of the encrypted payload elen = in_len - alen;