Merge lp:~christof-mroz/hipl/hipfw-timeout into lp:hipl

Hi Christof!

[Full quote because we forgot to CC the merge proposal on launchpad]

On 03/18/2011 01:41 PM, Christof Mroz wrote:
> On Thu, 17 Mar 2011 19:07:34 +0100
> Stefan Götz <email address hidden> wrote:
>
>>> > > +#ifdef CONFIG_HIP_DEBUG
>>> > > +// this improves our chances of finding bugs in the timeout code
>>> > > +#define DEFAULT_CONNECTION_TIMEOUT 10; // 10 seconds
>>> > > +#define DEFAULT_CLEANUP_INTERVAL 5; // 5 seconds
>>> > > +#else
>>> > > +#define DEFAULT_CONNECTION_TIMEOUT (60 * 5); // 5 minutes
>>> > > +#define DEFAULT_CLEANUP_INTERVAL (60 * 60); // 1 minute
>>> > > +#endif
>> >
>> > [M] Please use typed constants instead of preprocessor macros where
>> > possible
> Unfortunately, defining DEFAULT_{CONNECTION_TIMEOUT,CLEANUP_INTERVAL} as
> constants leads to the following complaints:
>
> firewall/conntrack.c|98| error: initializer element is not constant
> firewall/conntrack.c|109| error: initializer element is not constant

Erch, yes, one can only do that in C++, not in C. Can we move HIPL to C++, pleeeeeease? ;-)

> I could set the globals directly depending on CONFIG_HIP_DEBUG, but that
> wouldn't look so neat in my opinion, especially considering the doxygen
> comments. Do you have a better idea?

No, I think preprocessor macros are our only solution.

>> > [L] Why is gettimeofday() replaced with time()?
> gettimeofday() returns more information than needed.
>
>> > [L] it seems to me that you rely on select() to unblock frequently
>> > enough to keep up with the cleanup schedule. While that is not a
>> > particularly strict schedule, would it make sense to integrate the
>> > value in 'cleanup_interval' with the timeout set for the select()
>> > call?
> The select() timeout is currently fixed to 1 second, I guess that's enough :)
> (It has been that way before I touched the code, so I don't know the reason)

Ah, i didn't check the code that far. It's alright then.

>> > [M] The function declaration and definition have different const
>> > qualifications for the 'list' arguments. I like the 'struct slist
>> > *const list' better :-) Annyoing that the compiler doesn't catch this.
> Fixed, thanks. Can't use const here because the pointer (or rather, the local
> copy of it) is modified during execution.

Ok

Stefan

Seems that test/firewall/conntrack.c is missing.

> Seems that test/firewall/conntrack.c is missing.

You're right, sry... just added it now.

Hi Christof!

> === modified file 'firewall/firewall.c'
> --- firewall/firewall.c 2011-03-22 10:31:37 +0000
> +++ firewall/firewall.c 2011-03-22 12:49:26 +0000
> @@ -1669,6 +1669,80 @@
> }
>
> /**
> + * Receive and process one message from hipd.
> + *
> + * @param msg A previously allocated message buffer.
> + * @return Zero on success, non-zero on error.
> + *
> + * @note The buffer @a msg is reused between calls because it is quite
> + * large.
> + */
> +static int hip_fw_handle_hipd_message(struct hip_common *msg)

[M] style: 'struct hip_common *const msg' for const correctness - sorry, I hadn't spotted this before

I know that some of the following is not your code, but it is fairly buggy, and in nasty ways, too - maybe it's something one could address as an aside in a different branch?

> +{
> + struct sockaddr_in6 sock_addr;
> + int msg_type, len, n;
> + int is_root, access_ok;
> + socklen_t alen;
> +
> + alen = sizeof(sock_addr);
> + n = recvfrom(hip_fw_async_sock, msg, sizeof(struct hip_common),
> + MSG_PEEK, (struct sockaddr *) &sock_addr, &alen);
> + if (n < 0) {
> + HIP_ERROR("Error receiving message header from daemon.\n");
> + return -1;
> + }

[H] unrelated: One should definitely check whether 'n' is equal to 'sizeof(struct hip_common)' because 'recvfrom()' might just have read a single byte but the remaining code will happily try to parse it as a valid message.

> +
> + // making sure user messages are received from hipd
> + // resetting vars to 0 because it is a loop
> + msg_type = hip_get_msg_type(msg);
> + is_root = (ntohs(sock_addr.sin6_port) < 1024);

[H] unrelated: Holy moly - the sock_addr handling is screwed up because it is assumed that it contains an IPv6 address. That can not be assumed at all in the general case. First, one should pass a 'struct sockaddr_storage' object to 'recvfrom()'. Second, one should then check whether the returned address is in fact an IPv6 address before treating it as such.

> + if (is_root) {
> + access_ok = 1;
> + } else if (!is_root &&
> + (msg_type >= HIP_MSG_ANY_MIN &&
> + msg_type <= HIP_MSG_ANY_MAX)) {
> + access_ok = 1;
> + }
> + if (!access_ok) {
> + HIP_ERROR("The sender of the message is not trusted.\n");
> + return -1;
> + }

[L] unrelated: The whole is_root and access_ok shebang could be replaced with:

if (ntohs(sock_addr.sin6_port) >= 1024 &&
    (msg_type < HIP_MSG_ANY_MIN || msg_type > HIP_MSG_ANY_MAX)) {
    HIP_ERROR("The sender of the message is not trusted.\n");
    return -1;
}

> +
> + alen = sizeof(sock_addr);
> + len = hip_get_msg_total_len(msg);
> +
> + HIP_DEBUG("Receiving message type %d (%d bytes)\n",
> + hip_get_msg_type(msg), len);
> + n = recvfrom(hip_fw_async_sock, msg, len, 0,
> + (struct sockaddr *) &sock_addr, &alen);

[H] unrelated: 'len' must be sanity checked against the amount of memory allocated for 'msg' in order to prevent a buffer overrun, which, at this point, can be caused by grafted messages from unprivilege...

> > +static int hip_fw_handle_hipd_message(struct hip_common *msg)
>
> [M] style: 'struct hip_common *const msg' for const correctness - sorry, I
> hadn't spotted this before

Done, thanks.

> I know that some of the following is not your code, but it is fairly buggy,
> and in nasty ways, too - maybe it's something one could address as an
> aside in a different branch?

If so, domain sockets or fifos should be considered for access control (and, really, because they're exactly made for local IPC).

> > +
> > + // making sure user messages are received from hipd
> > + // resetting vars to 0 because it is a loop
> > + msg_type = hip_get_msg_type(msg);
> > + is_root = (ntohs(sock_addr.sin6_port) < 1024);
>
> [H] unrelated: Holy moly - the sock_addr handling is screwed up because it is
> assumed that it contains an IPv6 address. That can not be assumed at all in
> the general case. First, one should pass a 'struct sockaddr_storage' object to
> 'recvfrom()'. Second, one should then check whether the returned address is in
> fact an IPv6 address before treating it as such.

Just curious: how could this happen for an AF_INET6 datagram socket, like in this case?
hipfw maintains both an AF_INET and AF_INET6 at another place socket, for example, and I assume because either one listens only on one kind of address?

> > +/**
> > + * Find an element in the singly linked list.
> > + *
> > + * @param list The linked list.
> > + * @param data The element to find.
> > + * @return The element in the linked list, or NULL if not found.
> > + */
> > +struct slist *find_in_slist(struct slist *list, const void *const data)
>
> [M] would 'const struct slist *list' work for better const correctness?

Unfortunately, the const qualifier would propagate to the return value, which can't be const.

> > [H] unrelated: Holy moly - the sock_addr handling is screwed up because it
> is
> > assumed that it contains an IPv6 address. That can not be assumed at all in
> > the general case. First, one should pass a 'struct sockaddr_storage' object
> to
> > 'recvfrom()'. Second, one should then check whether the returned address is
> in
> > fact an IPv6 address before treating it as such.
>
> Just curious: how could this happen for an AF_INET6 datagram socket, like in
> this case?

Oh, well I guess they can't. I was assuming the general case of not knowing the type of the source address. Personally, I would still do this sanity check, just in case.

> > > +struct slist *find_in_slist(struct slist *list, const void *const data)
> >
> > [M] would 'const struct slist *list' work for better const correctness?
>
> Unfortunately, the const qualifier would propagate to the return value, which
> can't be const.

Ok

 review needs-fixing

On Tue, Mar 22, 2011 at 12:49:33PM +0000, Christof Mroz wrote:
> Christof Mroz has proposed merging lp:~christof-mroz/hipl/hipfw-timeout into lp:hipl.
>
> --- Makefile.am 2011-03-22 10:31:37 +0000
> +++ Makefile.am 2011-03-22 12:49:26 +0000
> @@ -193,10 +193,28 @@
> endif
>
>
> -test_check_firewall_SOURCES = test/check_firewall.c \
> - test/firewall/file_buffer.c \
> - test/firewall/line_parser.c \
> - test/firewall/port_bindings.c
> +test_check_firewall_SOURCES = test/check_firewall.c \
> + test/firewall/file_buffer.c \
> + test/firewall/line_parser.c \
> + test/firewall/port_bindings.c \
> + test/firewall/conntrack.c \

alphabetical order

> + firewall/cache.c \
> + firewall/dlist.c \
> + firewall/esp_prot_api.c \
> + firewall/esp_prot_config.c \
> + firewall/esp_prot_conntrack.c \
> + firewall/esp_prot_fw_msg.c \
> + firewall/firewall.c \
> + firewall/firewall_control.c \
> + firewall/helpers.c \
> + firewall/hslist.c \
> + firewall/lsi.c \
> + firewall/reinject.c \
> + firewall/rule_management.c \
> + firewall/user_ipsec_api.c \
> + firewall/user_ipsec_esp.c \
> + firewall/user_ipsec_fw_msg.c \
> + firewall/user_ipsec_sadb.c

Doh, why?

> --- firewall/firewall.c 2011-03-22 10:31:37 +0000
> +++ firewall/firewall.c 2011-03-22 12:49:26 +0000
> @@ -1669,6 +1669,80 @@
>
> + // making sure user messages are received from hipd
> + // resetting vars to 0 because it is a loop
> + msg_type = hip_get_msg_type(msg);
> + is_root = (ntohs(sock_addr.sin6_port) < 1024);

pointless parentheses

> --- firewall/main.c 2011-03-22 10:31:37 +0000
> +++ firewall/main.c 2011-03-22 12:49:26 +0000
> --- test/check_firewall.c 2011-02-18 14:39:38 +0000
> +++ test/check_firewall.c 2011-03-22 12:49:26 +0000
> @@ -34,6 +34,7 @@
> SRunner *sr = srunner_create(firewall_file_buffer());
> srunner_add_suite(sr, firewall_line_parser());
> srunner_add_suite(sr, firewall_port_bindings());
> + srunner_add_suite(sr, firewall_conntrack());

nit: alphabetical order

> --- test/firewall/conntrack.c 1970-01-01 00:00:00 +0000
> +++ test/firewall/conntrack.c 2011-03-22 12:49:26 +0000
> @@ -0,0 +1,107 @@
> +
> +static struct connection *setup_connection(void) {

Put the { on the next line.

> --- test/firewall/test_suites.h 2011-02-18 14:39:38 +0000
> +++ test/firewall/test_suites.h 2011-03-22 12:49:26 +...

On Thu, 24 Mar 2011 15:27:30 +0100, Diego Biurrun <email address hidden> wrote:

>> + firewall/cache.c \
>> + firewall/dlist.c \
>> + firewall/esp_prot_api.c \
>> + firewall/esp_prot_config.c \
>> + firewall/esp_prot_conntrack.c \
>> + firewall/esp_prot_fw_msg.c \
>> + firewall/firewall.c \
>> + firewall/firewall_control.c \
>> + firewall/helpers.c \
>> + firewall/hslist.c \
>> + firewall/lsi.c \
>> + firewall/reinject.c \
>> + firewall/rule_management.c \
>> + firewall/user_ipsec_api.c \
>> + firewall/user_ipsec_esp.c \
>> + firewall/user_ipsec_fw_msg.c \
>> + firewall/user_ipsec_sadb.c
>
> Doh, why?

Ugly, I know... I use a tiny bit of code from firewall/conntrack.c in one
test, but this triggers a whole cascade of dependencies. Do you know of a
way to tell ld to use more "fine-grained" dependencies, ignoring symbols
that aren't actually referenced? As far as I see, it's pure coincidence
that the other tests are more self-contained.

>
>> --- firewall/firewall.c 2011-03-22 10:31:37 +0000
>> +++ firewall/firewall.c 2011-03-22 12:49:26 +0000
>> @@ -1669,6 +1669,80 @@
>>
>> + // making sure user messages are received from hipd
>> + // resetting vars to 0 because it is a loop
>> + msg_type = hip_get_msg_type(msg);
>> + is_root = (ntohs(sock_addr.sin6_port) < 1024);
>
> pointless parentheses

Not fixed: Copy & Pasted that, and as Stefan pointed out it would be
better to fix this function from scratch.

On Thu, Mar 24, 2011 at 03:54:47PM +0100, Christof Mroz wrote:
> On Thu, 24 Mar 2011 15:27:30 +0100, Diego Biurrun <email address hidden> wrote:
>
>>> + firewall/cache.c \
>>> + firewall/dlist.c \
>>> + firewall/esp_prot_api.c \
>>> + firewall/esp_prot_config.c \
>>> + firewall/esp_prot_conntrack.c \
>>> + firewall/esp_prot_fw_msg.c \
>>> + firewall/firewall.c \
>>> + firewall/firewall_control.c \
>>> + firewall/helpers.c \
>>> + firewall/hslist.c \
>>> + firewall/lsi.c \
>>> + firewall/reinject.c \
>>> + firewall/rule_management.c \
>>> + firewall/user_ipsec_api.c \
>>> + firewall/user_ipsec_esp.c \
>>> + firewall/user_ipsec_fw_msg.c \
>>> + firewall/user_ipsec_sadb.c
>>
>> Doh, why?
>
> Ugly, I know... I use a tiny bit of code from firewall/conntrack.c in one
> test, but this triggers a whole cascade of dependencies. Do you know of a
> way to tell ld to use more "fine-grained" dependencies, ignoring symbols
> that aren't actually referenced? As far as I see, it's pure coincidence
> that the other tests are more self-contained.

What do you mean by "use a tiny bit of code"?

I don't see why you need to add any of these files at all.
Dependencies should be worked out automatically.

Diego

On Thu, 24 Mar 2011 16:18:47 +0100, Diego Biurrun <email address hidden> wrote:

>> Ugly, I know... I use a tiny bit of code from firewall/conntrack.c in
>> one test, but this triggers a whole cascade of dependencies. Do you
>> know of a way to tell ld to use more "fine-grained" dependencies,
>> ignoring symbols that aren't actually referenced? As far as I see,
>> it's pure coincidence that the other tests are more self-contained.
>
> What do you mean by "use a tiny bit of code"?

I mean that only a fraction of the symbols exported by all those object
files is needed in the unit test.

> I don't see why you need to add any of these files at all.
> Dependencies should be worked out automatically.

Put more simply: If I remove all these other files and run "make check", I
get errors about missing symbols, and I don't know what to do about it
(other than including way more symbols than necessary into the build).
Please try and see for yourself.

What do you think of simply appending firewall_hipfw_SOURCES to the list?
Wouldn't blow up Makefile.am so much.

On Thu, Mar 24, 2011 at 04:33:09PM +0100, Christof Mroz wrote:
>
> What do you think of simply appending firewall_hipfw_SOURCES to the list?
> Wouldn't blow up Makefile.am so much.

This would be much cleaner.

Diego

On Thu, 24 Mar 2011 19:14:00 +0100, Diego Biurrun <email address hidden> wrote:

> On Thu, Mar 24, 2011 at 04:33:09PM +0100, Christof Mroz wrote:
>>
>> What do you think of simply appending firewall_hipfw_SOURCES to the
>> list?
>> Wouldn't blow up Makefile.am so much.
>
> This would be much cleaner.

The following happens to work, are you fine with that?

=== modified file 'Makefile.am'
--- Makefile.am 2011-03-24 14:37:48 +0000
+++ Makefile.am 2011-03-24 19:00:18 +0000
@@ -193,28 +193,12 @@
  endif

-test_check_firewall_SOURCES = test/check_firewall.c \
- test/firewall/conntrack.c \
- test/firewall/file_buffer.c \
- test/firewall/line_parser.c \
- test/firewall/port_bindings.c \
- firewall/cache.c \
- firewall/dlist.c \
- firewall/esp_prot_api.c \
- firewall/esp_prot_config.c \
- firewall/esp_prot_conntrack.c \
- firewall/esp_prot_fw_msg.c \
- firewall/firewall.c \
- firewall/firewall_control.c \
- firewall/helpers.c \
- firewall/hslist.c \
- firewall/lsi.c \
- firewall/reinject.c \
- firewall/rule_management.c \
- firewall/user_ipsec_api.c \
- firewall/user_ipsec_esp.c \
- firewall/user_ipsec_fw_msg.c \
- firewall/user_ipsec_sadb.c
+test_check_firewall_SOURCES = test/check_firewall.c \
+ test/firewall/conntrack.c \
+ test/firewall/file_buffer.c \
+ test/firewall/line_parser.c \
+ test/firewall/port_bindings.c \
+ $(firewall_hipfw_SOURCES)

  if HIP_MIDAUTH
  test_check_firewall_SOURCES += firewall/midauth.c \
@@ -246,6 +230,8 @@
  tools_hipconf_LDADD = lib/core/libhipcore.la
  tools_pisacert_LDADD = lib/core/libhipcore.la

+test_check_firewall_LDFLAGS = -Wl,-zmuldefs
+
  dist_sbin_SCRIPTS = tools/hipdnskeyparse/hipdnskeyparse \
                      tools/hipdnsproxy/hipdnsproxy \
                      tools/nsupdate.pl

-zmuldefs is necessary because we have multiple symbol definitions here
(which point to equivalent code though, apart from main()). This option
causes ld to prefer those objects listed first, which in turn belong to
the sources listed first.

One question though, since you know more about the build system than me:
Why are the LDFLAGS passed to gcc verbatim, i.e., why is the -Wl
necessary? Shouldn't gcc's (or make's?) ld child process pick up the
LDFLAGS instead, which would render...

On Thu, Mar 24, 2011 at 08:08:37PM +0100, Christof Mroz wrote:
> On Thu, 24 Mar 2011 19:14:00 +0100, Diego Biurrun <email address hidden> wrote:
>
>> On Thu, Mar 24, 2011 at 04:33:09PM +0100, Christof Mroz wrote:
>>>
>>> What do you think of simply appending firewall_hipfw_SOURCES to the
>>> list? Wouldn't blow up Makefile.am so much.
>>
>> This would be much cleaner.
>
> The following happens to work, are you fine with that?

I implemented something better I think. Just pull from trunk.

Diego

The connection tracking functionality of the hipfw can be turned off with the -F option. How do your changes cope with this fact?

Did you test that "hipfw -F" is also running as expected? Especially, the call "hip_fw_conntrack_periodic_cleanup(time(NULL));" might cause problems in this case.

On Sun, 27 Mar 2011 15:39:29 +0200, René Hummen
<email address hidden> wrote:

> The connection tracking functionality of the hipfw can be turned off
> with the -F option. How do your changes cope with this fact?
>
> Did you test that "hipfw -F" is also running as expected? Especially,
> the call "hip_fw_conntrack_periodic_cleanup(time(NULL));" might cause
> problems in this case.

No connection tracking means no connections to iterate through and time
out.
I'll add an explicit check though, for clarity and forward compatibility.