Merge lp:~hipl-core/hipl/libnetfilter_queue into lp:hipl
Status: Superseded
Proposed branch: lp:~hipl-core/hipl/libnetfilter_queue
Merge into: lp:hipl
Diff against target: 1233 lines (+300/-363), 17 files modified:
INSTALL (+3/-3), Makefile.am (+0/-1), configure.ac (+2/-1), debian/control (+2/-2), hipfw/cert.c (+1/-0), hipfw/hipfw.c (+251/-170), hipfw/hipfw_defines.h (+16/-3), hipfw/lsi.c (+4/-4), hipfw/lsi.h (+5/-4), hipfw/rewrite.c (+7/-8), hipfw/rewrite.h (+2/-2), packaging/hipl.spec (+2/-2), packaging/openwrt/hipl/Makefile.in (+1/-1), test/check_hipfw.c (+1/-2), test/hipfw/rewrite.c (+0/-131), test/hipfw/test_suites.h (+1/-2), test/mocks.c (+2/-27)
To merge this branch: bzr merge lp:~hipl-core/hipl/libnetfilter_queue
Related bugs:
Reviewer: Miika Komu (Needs Fixing)
Review via email: mp+177456@code.launchpad.net
This proposal has been superseded by a proposal from 2013-08-01.
Commit message
Description of the change
hipl-firewall has been ported from the deprecated and recently deleted ip_queue (libipq) packet queue to netfilter_queue. This fixes bug #1154974.
This solution reuses much of the code that was used to handle libipq packets by collecting the fields it uses into an imitating packet type, hip_ipq_packet_msg, and passing that around to the functions.
6440. By Pupu Toivonen
Minor changes.
Call to perror changed to HIP_PERROR.
Removed a couple of extra newlines.
Removed commented-out code from mocks.c.
Pupu Toivonen (scolphoy) wrote:
Thank you for the feedback.
I made those minor changes. Aligning of the variable declarations was enforced by the commit hooks.
I'll write a report and resubmit the proposal soon.
Unmerged revisions
Preview Diff
1 | === modified file 'INSTALL' |
2 | --- INSTALL 2013-03-31 13:42:34 +0000 |
3 | +++ INSTALL 2013-08-01 12:26:32 +0000 |
4 | @@ -33,7 +33,7 @@ |
5 | ------------- |
6 | - required: |
7 | apt-get install autoconf automake libtool make gcc libssl-dev iptables-dev \ |
8 | - libnet-ip-perl libnet-dns-perl bzr |
9 | + libnet-ip-perl libnet-dns-perl bzr libnetfilter-queue-dev |
10 | - optional: |
11 | apt-get install xmlto doxygen check libconfig8-dev miredo |
12 | - binary packages: |
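Review bot: the required-package line gains libnetfilter-queue-dev, but configure.ac in this same branch now also links against libnfnetlink (AC_CHECK_LIB(nfnetlink, nlif_query, ...)); the build only works because the -dev package pulls libnfnetlink-dev in transitively. List libnfnetlink-dev here explicitly (and the matching -devel packages in the yum and zypper lists in the following hunks) so the requirements documented in INSTALL match the checks configure.ac actually performs.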
13 | @@ -43,7 +43,7 @@ |
14 | ------------- |
15 | - required: |
16 | yum install autoconf automake libtool make gcc openssl-devel iptables-devel \ |
17 | - perl-Net-IP perl-Net-DNS bzr |
18 | + perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel |
19 | - optional: |
20 | yum install xmlto doxygen check-devel libconfig-devel miredo |
21 | - binary packages: |
22 | @@ -53,7 +53,7 @@ |
23 | -------- |
24 | - required: |
25 | zypper install autoconf automake libtool make gcc libopenssl-devel iptables-devel \ |
26 | - perl-Net-IP perl-Net-DNS bzr |
27 | + perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel |
28 | - optional: |
29 | zypper install xmlto doxygen check-devel |
30 | - binary packages: |
31 | |
32 | === modified file 'Makefile.am' |
33 | --- Makefile.am 2013-03-25 06:43:57 +0000 |
34 | +++ Makefile.am 2013-08-01 12:26:32 +0000 |
35 | @@ -223,7 +223,6 @@ |
36 | test/hipfw/line_parser.c \ |
37 | test/hipfw/midauth.c \ |
38 | test/hipfw/port_bindings.c \ |
39 | - test/hipfw/rewrite.c \ |
40 | $(hipfw_hipfw_sources) |
41 | |
42 | test_check_libcore_SOURCES = test/check_libcore.c \ |
43 | |
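Review bot: removing test/hipfw/rewrite.c from the check sources deletes the rewrite test suite (131 lines per the diff summary) instead of porting it, while hipfw/rewrite.c itself is modified in this branch (+7/-8), so that code is changed and untested at the same time. Either port the suite to the new hip_ipq_packet_msg type or say in the description why it cannot be kept.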
44 | === modified file 'configure.ac' |
45 | --- configure.ac 2013-01-29 11:37:45 +0000 |
46 | +++ configure.ac 2013-08-01 12:26:32 +0000 |
47 | @@ -137,7 +137,8 @@ |
48 | [ac_cv_use_firewall], |
49 | [ac_cv_use_firewall=yes]) |
50 | if test x"$ac_cv_use_firewall" = x"yes"; then |
51 | - AC_CHECK_LIB(ipq, ipq_create_handle,, [AC_MSG_ERROR([libipq not found])]) |
52 | + AC_CHECK_LIB(netfilter_queue, nfq_create_queue,, [AC_MSG_ERROR([libnetfilter_queue not found])]) |
53 | + AC_CHECK_LIB(nfnetlink, nlif_query,, [AC_MSG_ERROR([libnfnetlink not found])]) |
54 | AC_CHECK_LIB(config, config_setting_index,, |
55 | [AC_MSG_WARN([libconfig not found, using default config])]) |
56 | AC_DEFINE(CONFIG_HIP_FIREWALL) |
57 | |
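Review bot: AC_CHECK_LIB only proves that the library links; hipfw.c now includes <libnetfilter_queue/libnetfilter_queue.h>, so a missing header package surfaces as a compile error rather than a configure error. Adding AC_CHECK_HEADERS([libnetfilter_queue/libnetfilter_queue.h]) next to the two new AC_CHECK_LIB lines gives the clear message at configure time.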
58 | === modified file 'debian/control' |
59 | --- debian/control 2013-01-29 11:37:45 +0000 |
60 | +++ debian/control 2013-08-01 12:26:32 +0000 |
61 | @@ -2,7 +2,7 @@ |
62 | Section: net |
63 | Priority: optional |
64 | Maintainer: HIPL team <hipl-dev@freelists.org> |
65 | -Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m |
66 | +Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m, libnetfilter-queue-dev |
67 | Standards-Version: 3.9.1 |
68 | Homepage: http://launchpad.net/hipl |
69 | |
70 | @@ -28,7 +28,7 @@ |
71 | |
72 | Package: hipl-firewall |
73 | Architecture: any |
74 | -Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables |
75 | +Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables, libnetfilter-queue1 |
76 | Suggests: hipl-doc |
77 | Description: HIP for Linux multi-purpose firewall daemon |
78 | The Host Identity Protocol (HIP) and the related architecture form a proposal |
79 | |
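Review bot: the hard-coded libnetfilter-queue1 in Depends duplicates what ${shlibs:Depends} already derives from the linked soname, and it goes stale on the next soname bump; drop it and let dh_shlibdeps compute the runtime dependency as it does for the other linked libraries. The Build-Depends addition in the previous hunk is the one that is actually needed.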
80 | === modified file 'hipfw/cert.c' |
81 | --- hipfw/cert.c 2012-05-12 06:54:33 +0000 |
82 | +++ hipfw/cert.c 2013-08-01 12:26:32 +0000 |
83 | @@ -37,6 +37,7 @@ |
84 | #include <stdio.h> |
85 | #include <stdlib.h> |
86 | #include <string.h> |
87 | +#include <errno.h> |
88 | #include <netinet/in.h> |
89 | #include <linux/netfilter.h> |
90 | #include <linux/netfilter_ipv6.h> |
91 | |
92 | === modified file 'hipfw/hipfw.c' |
93 | --- hipfw/hipfw.c 2012-07-19 12:00:32 +0000 |
94 | +++ hipfw/hipfw.c 2013-08-01 12:26:32 +0000 |
95 | @@ -1,5 +1,5 @@ |
96 | /* |
97 | - * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University. |
98 | + * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University. |
99 | * |
100 | * Permission is hereby granted, free of charge, to any person |
101 | * obtaining a copy of this software and associated documentation |
102 | @@ -45,13 +45,13 @@ |
103 | |
104 | #define _BSD_SOURCE |
105 | |
106 | -#include <libipq.h> |
107 | #include <limits.h> |
108 | #include <stdio.h> |
109 | #include <stdlib.h> |
110 | #include <string.h> |
111 | #include <strings.h> |
112 | #include <unistd.h> |
113 | +#include <errno.h> |
114 | #include <arpa/inet.h> |
115 | #include <netinet/in.h> |
116 | #include <netinet/ip.h> |
117 | @@ -63,6 +63,7 @@ |
118 | #include <sys/utsname.h> |
119 | #include <sys/wait.h> |
120 | #include <linux/netfilter_ipv4.h> |
121 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
122 | |
123 | #include "libcore/builder.h" |
124 | #include "libcore/capability.h" |
125 | @@ -181,9 +182,9 @@ |
126 | "failed to initialize userspace ipsec\n"); |
127 | |
128 | // queue incoming ESP over IPv4 and IPv4 UDP encapsulated traffic |
129 | - system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE"); |
130 | - system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE"); |
131 | - system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE"); |
132 | + system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0"); |
133 | + system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
134 | + system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
135 | |
136 | /* no need to queue outgoing ICMP, TCP and UDP sent to LSIs as |
137 | * this is handled elsewhere */ |
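Review bot: the queue numbers 0 (IPv4) and 1 (IPv6) are repeated as literals in every rule string here and in all the later rule hunks; define them once (for example as HIPFW_NFQUEUE_V4 / HIPFW_NFQUEUE_V6 macros in hipfw_defines.h) and build the strings from them, because a mismatch between an -I rule, its -D counterpart and the numbers given to nfq_create_queue() would leave packets queued to a number nobody reads. Also note that without --queue-bypass the NFQUEUE target drops traffic whenever no userspace listener is bound, so the firewall stays fail-closed while hipfw is down; that is the right default here and deserves a comment so nobody adds --queue-bypass later.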
138 | @@ -191,13 +192,13 @@ |
139 | /* queue incoming ESP over IPv6 |
140 | * |
141 | * @note this is where you would want to add IPv6 UDP encapsulation */ |
142 | - system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE"); |
143 | + system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1"); |
144 | |
145 | // queue outgoing ICMP, TCP and UDP sent to HITs |
146 | - system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE"); |
147 | - system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE"); |
148 | - system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j QUEUE"); |
149 | - system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE"); |
150 | + system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // IPv6-ICMP |
151 | + system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // TCP |
152 | + system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // ICMP |
153 | + system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // UDP |
154 | } else if (ver_c < 27) { |
155 | HIP_INFO("You are using kernel version %s. Userspace ipsec should" |
156 | " be used with versions below 2.6.27.\n", name.release); |
157 | @@ -223,15 +224,16 @@ |
158 | HIP_IFEL(userspace_ipsec_uninit(), -1, "failed to uninit user ipsec\n"); |
159 | |
160 | // delete all rules previously set up for this extension |
161 | - system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null"); |
162 | - system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE 2> /dev/null"); |
163 | - system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE 2> /dev/null"); |
164 | - |
165 | - system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null"); |
166 | - |
167 | - system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE 2> /dev/null"); |
168 | - system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE 2> /dev/null"); |
169 | - system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE 2> /dev/null"); |
170 | + system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0 2> /dev/null"); // ESP |
171 | + system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP |
172 | + system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP |
173 | + |
174 | + system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-crypt |
175 | + |
176 | + system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-ICMP |
177 | + system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // TCP |
178 | + system_print("ip6tables -D HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // ICMP |
179 | + system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // UDP |
180 | } |
181 | |
182 | out_err: |
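Review bot: besides the libipq port, this hunk adds the previously missing "ip6tables -D HIPFW-OUTPUT -p 1 ..." deletion, so the ICMP rule that the init path inserted but the old uninit never removed is now cleaned up; that is a behaviour fix and should be mentioned in the commit message. The "IPv6-crypt" comment on the -p 50 line is the /etc/protocols alias for ESP; using "ESP" as in the IPv4 block above avoids confusion.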
183 | @@ -327,7 +329,7 @@ |
184 | static int fw_init_lsi_support(void) |
185 | { |
186 | struct hip_common *msg = NULL; |
187 | - int err = 0; |
188 | + int err = 0; |
189 | |
190 | if (hip_lsi_support) { |
191 | if (!(msg = hip_msg_alloc())) { |
192 | @@ -343,11 +345,11 @@ |
193 | free(msg); |
194 | |
195 | // add the rule |
196 | - system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE"); |
197 | + system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0"); |
198 | |
199 | /* LSI support: incoming HIT packets, captured to decide if |
200 | * HITs may be mapped to LSIs */ |
201 | - system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j QUEUE"); |
202 | + system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); |
203 | } |
204 | |
205 | return err; |
206 | @@ -361,16 +363,16 @@ |
207 | static int fw_uninit_lsi_support(void) |
208 | { |
209 | struct hip_common *msg = NULL; |
210 | - int err = 0; |
211 | + int err = 0; |
212 | |
213 | if (hip_lsi_support) { |
214 | // set global variable to off |
215 | hip_lsi_support = 0; |
216 | |
217 | // remove the rule |
218 | - system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE 2> /dev/null"); |
219 | + system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0 2> /dev/null"); |
220 | |
221 | - system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j QUEUE 2> /dev/null"); |
222 | + system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); |
223 | |
224 | if (!(msg = hip_msg_alloc())) { |
225 | HIP_ERROR("failed to allocate memory\n"); |
226 | @@ -396,37 +398,37 @@ |
227 | if (filter_traffic) { |
228 | // this will allow the firewall to handle HIP traffic |
229 | // HIP protocol |
230 | - system_print("iptables -I HIPFW-FORWARD -p 139 -j QUEUE"); |
231 | + system_print("iptables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0"); |
232 | // ESP protocol |
233 | - system_print("iptables -I HIPFW-FORWARD -p 50 -j QUEUE"); |
234 | + system_print("iptables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0"); |
235 | // UDP encapsulation for HIP |
236 | - system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE"); |
237 | - system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE"); |
238 | - |
239 | - system_print("iptables -I HIPFW-INPUT -p 139 -j QUEUE"); |
240 | - system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE"); |
241 | - system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE"); |
242 | - system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE"); |
243 | - |
244 | - system_print("iptables -I HIPFW-OUTPUT -p 139 -j QUEUE"); |
245 | - system_print("iptables -I HIPFW-OUTPUT -p 50 -j QUEUE"); |
246 | - system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE"); |
247 | - system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE"); |
248 | - |
249 | - system_print("ip6tables -I HIPFW-FORWARD -p 139 -j QUEUE"); |
250 | - system_print("ip6tables -I HIPFW-FORWARD -p 50 -j QUEUE"); |
251 | - system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE"); |
252 | - system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE"); |
253 | - |
254 | - system_print("ip6tables -I HIPFW-INPUT -p 139 -j QUEUE"); |
255 | - system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE"); |
256 | - system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE"); |
257 | - system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE"); |
258 | - |
259 | - system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j QUEUE"); |
260 | - system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j QUEUE"); |
261 | - system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE"); |
262 | - system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE"); |
263 | + system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
264 | + system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
265 | + |
266 | + system_print("iptables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0"); |
267 | + system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0"); |
268 | + system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
269 | + system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
270 | + |
271 | + system_print("iptables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0"); |
272 | + system_print("iptables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0"); |
273 | + system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
274 | + system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
275 | + |
276 | + system_print("ip6tables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1"); |
277 | + system_print("ip6tables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1"); |
278 | + system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
279 | + system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
280 | + |
281 | + system_print("ip6tables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1"); |
282 | + system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1"); |
283 | + system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
284 | + system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
285 | + |
286 | + system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1"); |
287 | + system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1"); |
288 | + system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
289 | + system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
290 | } |
291 | } |
292 | |
293 | @@ -435,35 +437,35 @@ |
294 | */ |
295 | static void firewall_uninit_filter_traffic(void) |
296 | { |
297 | - system_print("iptables -D HIPFW-FORWARD -p 139 -j QUEUE"); |
298 | - system_print("iptables -D HIPFW-FORWARD -p 50 -j QUEUE"); |
299 | - system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE"); |
300 | - system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE"); |
301 | - |
302 | - system_print("iptables -D HIPFW-INPUT -p 139 -j QUEUE"); |
303 | - system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE"); |
304 | - system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE"); |
305 | - system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE"); |
306 | - |
307 | - system_print("iptables -D HIPFW-OUTPUT -p 139 -j QUEUE"); |
308 | - system_print("iptables -D HIPFW-OUTPUT -p 50 -j QUEUE"); |
309 | - system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE"); |
310 | - system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE"); |
311 | - |
312 | - system_print("ip6tables -D HIPFW-FORWARD -p 139 -j QUEUE"); |
313 | - system_print("ip6tables -D HIPFW-FORWARD -p 50 -j QUEUE"); |
314 | - system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE"); |
315 | - system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE"); |
316 | - |
317 | - system_print("ip6tables -D HIPFW-INPUT -p 139 -j QUEUE"); |
318 | - system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE"); |
319 | - system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE"); |
320 | - system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE"); |
321 | - |
322 | - system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j QUEUE"); |
323 | - system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j QUEUE"); |
324 | - system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE"); |
325 | - system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE"); |
326 | + system_print("iptables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0"); |
327 | + system_print("iptables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0"); |
328 | + system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
329 | + system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
330 | + |
331 | + system_print("iptables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0"); |
332 | + system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0"); |
333 | + system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
334 | + system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
335 | + |
336 | + system_print("iptables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0"); |
337 | + system_print("iptables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0"); |
338 | + system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0"); |
339 | + system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0"); |
340 | + |
341 | + system_print("ip6tables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1"); |
342 | + system_print("ip6tables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1"); |
343 | + system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
344 | + system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
345 | + |
346 | + system_print("ip6tables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1"); |
347 | + system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1"); |
348 | + system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
349 | + system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
350 | + |
351 | + system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1"); |
352 | + system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1"); |
353 | + system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1"); |
354 | + system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1"); |
355 | } |
356 | |
357 | /** |
358 | @@ -530,8 +532,9 @@ |
359 | { |
360 | int err = 0; |
361 | |
362 | - if (esp_relay == 0) |
363 | + if (esp_relay == 0) { |
364 | return 0; |
365 | + } |
366 | |
367 | /* Required for ESP relay and might not be active */ |
368 | if (!filter_traffic) { |
369 | @@ -727,7 +730,7 @@ |
370 | char cmd[40]; |
371 | int mod_total; |
372 | const char *mod_name[] = { |
373 | - "ip_queue", "ip6_queue", "iptable_filter", "ip6table_filter" |
374 | + "iptable_filter", "ip6table_filter" |
375 | }; |
376 | |
377 | mod_total = sizeof(mod_name) / sizeof(char *); |
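Review bot: with ip_queue and ip6_queue gone from mod_name, nothing in the probe step loads nfnetlink_queue before nfq_bind_pf() and nfq_create_queue() are called; normally nfnetlink auto-loads it by subsystem alias, but where that fails the user gets the "obsolete 'ip_queue' kernel module" message from the setup hunk for an unrelated cause. Consider adding "nfnetlink_queue" to the probed list so the firewall does not depend on auto-loading.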
378 | @@ -1296,6 +1299,43 @@ |
379 | } |
380 | |
381 | /** |
382 | + * Build packet imitating the legacy libipq packets. |
383 | + * |
384 | + * This is to get a compilable version of the firewall out sooner, |
385 | + * converting other functions to use |
386 | + */ |
387 | +static int build_ipq_packet(struct nfq_data *nfa, struct hip_ipq_packet_msg *ptr) |
388 | +{ |
389 | + struct nfqnl_msg_packet_hdr *ph; |
390 | + struct nlif_handle *nlifh; |
391 | + ph = nfq_get_msg_packet_hdr(nfa); |
392 | + |
393 | + // Open handle to read interface names from |
394 | + nlifh = nlif_open(); |
395 | + if (nlifh == NULL) { |
396 | + HIP_PERROR("nlif_open failed during build_ipq_packet"); |
397 | + return -1; |
398 | + } |
399 | + nlif_query(nlifh); // query the interface table |
400 | + |
401 | + // Populate the packet struct |
402 | + ptr->packet_id = ntohl(ph->packet_id); |
403 | + ptr->hook = ph->hook; |
404 | + nfq_get_indev_name(nlifh, nfa, ptr->indev_name); |
405 | + nfq_get_outdev_name(nlifh, nfa, ptr->outdev_name); |
406 | + ptr->data_len = nfq_get_payload(nfa, (void *) &ptr->payload); // (void *) because old netfilter_queue used (char **) and |
407 | + // current uses (unsigned char **). For this application |
408 | + // either one is fine, but if we choose one, strict type |
409 | + // checking causes compilation to fail for the other. |
410 | + // Casting to (void *) omits compiler type checking and |
411 | + // transfers the responsibility to the programmer. |
412 | + |
413 | + // Close the interface handle |
414 | + nlif_close(nlifh); |
415 | + return 1; |
416 | +} |
417 | + |
418 | +/** |
419 | * |
420 | * Initialize context for a packet. The context stores e.g. the packet type and |
421 | * possibly encapsulating packet type. It also stores useful pointers IP and |
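Review bot: nfq_get_msg_packet_hdr() can return NULL, yet ph->packet_id and ph->hook are read unconditionally; check ph first and return -1 if it is missing. The nlif_open()/nlif_query()/nlif_close() sequence runs once per queued packet, and nlif_query() dumps the kernel's entire interface table over netlink each time, so a burst of ESP traffic turns into a burst of netlink dumps; open the nlif handle once next to nfq_open() and keep it for the life of the firewall. nfq_get_payload() returns -1 on error and that value is stored in data_len unchecked. The doc comment also ends mid-sentence ("converting other functions to use").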
422 | @@ -1308,28 +1348,31 @@ |
423 | * Unsupported types -> type 0 |
424 | * |
425 | * @param ctx the context. |
426 | - * @param buf a pointer to a IP packet. |
427 | + * @param nfa a pointer to the netfilter packet. |
428 | * @param ip_version the IP version for this packet |
429 | * @return One if @c hdr is a HIP packet, zero otherwise. |
430 | */ |
431 | static int fw_init_context(struct hip_fw_context *ctx, |
432 | - const unsigned char *buf, |
433 | + struct nfq_data *nfa, |
434 | const int ip_version) |
435 | { |
436 | int err = 0; |
437 | // length of packet starting at udp header |
438 | - uint16_t udp_len = 0; |
439 | - struct udphdr *udphdr = NULL; |
440 | - int udp_encap_zero_bytes = 0; |
441 | + uint16_t udp_len = 0; |
442 | + struct udphdr *udphdr = NULL; |
443 | + int udp_encap_zero_bytes = 0; |
444 | + static struct hip_ipq_packet_msg packet; |
445 | |
446 | // same context memory as for packets before -> re-init |
447 | memset(ctx, 0, sizeof(struct hip_fw_context)); |
448 | + memset(&packet, 0, sizeof(struct hip_ipq_packet_msg)); |
449 | |
450 | // default assumption |
451 | ctx->packet_type = OTHER_PACKET; |
452 | |
453 | // add whole packet to context and ip version |
454 | - ctx->ipq_packet = ipq_get_packet(buf); |
455 | + ctx->ipq_packet = &packet; |
456 | + build_ipq_packet(nfa, ctx->ipq_packet); |
457 | |
458 | // check if packet is to big for the buffer |
459 | if (ctx->ipq_packet->data_len > HIP_MAX_PACKET) { |
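Review bot: the return value of build_ipq_packet() is discarded, so when nlif_open() fails the zeroed struct is processed as a packet with packet_id 0 and data_len 0, and the eventual verdict is issued against id 0 while the real packet stays in the queue. Propagate the failure (return non-zero so the caller's out_err path takes effect) and copy packet_id from the header before anything that can fail, so the drop verdict at least names the right packet. The static hip_ipq_packet_msg is not re-entrant, which is fine while both queues are serviced from the one select() loop, but worth a comment; and the @return line still speaks of "@c hdr" although that parameter no longer exists.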
460 | @@ -1549,9 +1592,9 @@ |
461 | * @param handle the handle for the packets. |
462 | * @param packet_id the packet ID. |
463 | */ |
464 | -static void allow_packet(struct ipq_handle *handle, unsigned long packet_id) |
465 | +static void allow_packet(struct nfq_q_handle *handle, unsigned long packet_id) |
466 | { |
467 | - ipq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL); |
468 | + nfq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL); |
469 | |
470 | HIP_DEBUG("Packet accepted \n\n"); |
471 | } |
472 | @@ -1562,88 +1605,84 @@ |
473 | * @param handle the handle for the packets. |
474 | * @param packet_id the packet ID. |
475 | */ |
476 | -static void drop_packet(struct ipq_handle *handle, unsigned long packet_id) |
477 | +static void drop_packet(struct nfq_q_handle *handle, unsigned long packet_id) |
478 | { |
479 | - ipq_set_verdict(handle, packet_id, NF_DROP, 0, NULL); |
480 | + nfq_set_verdict(handle, packet_id, NF_DROP, 0, NULL); |
481 | |
482 | HIP_DEBUG("Packet dropped \n\n"); |
483 | } |
484 | |
485 | /** |
486 | * Analyze a packet. |
487 | - * |
488 | - * @param buf the packet to be analyzed |
489 | - * @param hndl a file handle to the ipqueue |
490 | - * @param ip_version the type of traffic: 4 - ipv4; 6 - ipv6. |
491 | - * @param ctx packet context |
492 | - * |
493 | - * @return always 0 |
494 | + * This is a callback function for netfilter_queue. |
495 | + * |
496 | + * @param qh the netfilter queue handle |
497 | + * @param nfmsg the netfilter message |
498 | + * @param nfa the netfilter packet, header and payload |
499 | + * @param data |
500 | + * @param ip_version the IP version used |
501 | */ |
502 | -static int fw_handle_packet(unsigned char *buf, struct ipq_handle *hndl, |
503 | - const int ip_version, struct hip_fw_context *ctx) |
504 | +static int fw_handle_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, |
505 | + struct nfq_data *nfa, void *data, const int ip_version) |
506 | { |
507 | - // assume DROP |
508 | - int verdict = 0; |
509 | - |
510 | - /* waits for queue messages to arrive from ip_queue and |
511 | - * copies them into a supplied buffer */ |
512 | - if (ipq_read(hndl, buf, HIP_MAX_PACKET, 0) < 0) { |
513 | - HIP_PERROR("ipq_read failed: "); |
514 | - // TODO this error needs to be handled seperately -> die(hndl)? |
515 | - goto out_err; |
516 | - } |
517 | - |
518 | - /* queued messages may be a packet messages or an error messages */ |
519 | - switch (ipq_message_type(buf)) { |
520 | - case IPQM_PACKET: |
521 | - HIP_DEBUG("Received ipqm packet\n"); |
522 | - // no goto -> go on with processing the message below |
523 | - break; |
524 | - case NLMSG_ERROR: |
525 | - HIP_ERROR("Received error message (%d): %s\n", ipq_get_msgerr(buf), |
526 | - ipq_errstr()); |
527 | - goto out_err; |
528 | - break; |
529 | - default: |
530 | - HIP_DEBUG("Unsupported libipq packet\n"); |
531 | - goto out_err; |
532 | - break; |
533 | - } |
534 | + static struct hip_fw_context ctx; // static because of heavy re-use. |
535 | + int verdict = 0; // assume DROP |
536 | + |
537 | + // Intentionally unused, remove compiler warnings. |
538 | + (void) nfmsg; |
539 | + (void) data; |
540 | + |
541 | + |
542 | + HIP_DEBUG("Entering netfilter callback for IPv%d\n", ip_version); |
543 | |
544 | // set up firewall context |
545 | - if (fw_init_context(ctx, buf, ip_version)) { |
546 | + if (fw_init_context(&ctx, nfa, ip_version)) { |
547 | goto out_err; |
548 | } |
549 | |
550 | - HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx->ipq_packet->hook, |
551 | - ctx->packet_type); |
552 | + HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx.ipq_packet->hook, |
553 | + ctx.packet_type); |
554 | |
555 | // match context with rules |
556 | - if (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type]) { |
557 | - verdict = (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type])(ctx); |
558 | + if (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type]) { |
559 | + verdict = (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type])(&ctx); |
560 | } else { |
561 | - HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n"); |
562 | + HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n", ctx.ipq_packet->hook, |
563 | + ctx.packet_type); |
564 | } |
565 | |
566 | + |
567 | out_err: |
568 | if (verdict) { |
569 | - if (ctx->modified == 0) { |
570 | + if (ctx.modified == 0) { |
571 | HIP_DEBUG("=== Verdict: allow packet ===\n"); |
572 | - allow_packet(hndl, ctx->ipq_packet->packet_id); |
573 | + allow_packet(qh, ctx.ipq_packet->packet_id); |
574 | } else { |
575 | HIP_DEBUG("=== Verdict: allow modified packet ===\n"); |
576 | - allow_modified_packet(hndl, ctx); |
577 | + allow_modified_packet(qh, &ctx); |
578 | } |
579 | } else { |
580 | HIP_DEBUG("=== Verdict: drop packet ===\n"); |
581 | - drop_packet(hndl, ctx->ipq_packet->packet_id); |
582 | + drop_packet(qh, ctx.ipq_packet->packet_id); |
583 | } |
584 | |
585 | - // nothing to clean up here as we re-use buf, hndl and ctx |
586 | + // nothing to clean up here. |
587 | |
588 | return 0; |
589 | } |
590 | |
591 | +static int netfilter_callback_ipv4(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, |
592 | + struct nfq_data *nfa, void *data) |
593 | +{ |
594 | + return fw_handle_packet(qh, nfmsg, nfa, data, 4); |
595 | +} |
596 | + |
597 | +static int netfilter_callback_ipv6(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, |
598 | + struct nfq_data *nfa, void *data) |
599 | +{ |
600 | + return fw_handle_packet(qh, nfmsg, nfa, data, 6); |
601 | +} |
602 | + |
603 | /** |
604 | * Receive and process one message from hipd. |
605 | * |
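Review bot: the new doc comment leaves "@param data" without a description and drops the @return line although the function still returns 0 and its value is handed back through nfq_handle_packet(); document both. The fixed HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n", ...) call now supplies the two arguments the old call omitted; that is a real bug fix hiding in the port and belongs in the commit message. Keeping verdict initialised to 0 means every early exit still issues a DROP verdict, which is the right fail-closed behaviour; please preserve it if the callback is reworked. Minor: ip_version could travel in the data pointer given to nfq_create_queue() instead of two wrapper callbacks, and there are two consecutive blank lines after the (void) casts and again before out_err.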
606 | @@ -1763,14 +1802,16 @@ |
607 | const bool kill_old, |
608 | const bool limit_capabilities) |
609 | { |
610 | - int err = 0, highest_descriptor, i; |
611 | - struct ipq_handle *h4 = NULL, *h6 = NULL; |
612 | - struct hip_common *msg = NULL; |
613 | - struct sockaddr_in6 sock_addr = { 0 }; |
614 | - fd_set read_fdset; |
615 | - struct timeval timeout; |
616 | - unsigned char buf[HIP_MAX_PACKET]; |
617 | - struct hip_fw_context ctx; |
618 | + int err = 0, highest_descriptor, i; |
619 | + struct nfq_handle *h4 = NULL, *h6 = NULL; |
620 | + struct nfq_q_handle *h4_q = NULL, *h6_q = NULL; |
621 | + int h4_fd = 0, h6_fd = 0; |
622 | + int nfq_packet_length; |
623 | + struct hip_common *msg = NULL; |
624 | + struct sockaddr_in6 sock_addr = { 0 }; |
625 | + fd_set read_fdset; |
626 | + struct timeval timeout; |
627 | + char buf[HIP_MAX_PACKET]; |
628 | |
629 | #ifdef CONFIG_HIP_PERFORMANCE |
630 | HIP_DEBUG("Creating perf set\n"); |
631 | @@ -1848,19 +1889,39 @@ |
632 | firewall_probe_kernel_modules(); |
633 | |
634 | // create firewall queue handles for IPv4 traffic |
635 | - HIP_IFEL(!(h4 = ipq_create_handle(0, PF_INET)), -1, |
636 | - "ipq_create_handle(): %s\n", ipq_errstr()); |
637 | - HIP_IFEL(ipq_set_mode(h4, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1, |
638 | - "ipq_set_mode(): %s\n", ipq_errstr()); |
639 | + HIP_IFEL(!(h4 = nfq_open()), -1, |
640 | + "nfq_open(): %s\n", "Error during nfq_open(), IPv4"); |
641 | + HIP_IFEL((nfq_unbind_pf(h4, AF_INET) < 0), -1, |
642 | + "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv4). Is the obsolete 'ip_queue' kernel module loaded?"); // Unbinding any previous handlers |
643 | + HIP_IFEL((nfq_bind_pf(h4, AF_INET) < 0), -1, |
644 | + "nfq_bind(): %s\n", "Error during nfq_bind(), IPv4"); |
645 | + HIP_IFEL(!(h4_q = nfq_create_queue(h4, 0, &netfilter_callback_ipv4, NULL)), -1, |
646 | + "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv4"); |
647 | + HIP_IFEL(nfq_set_mode(h4_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1, |
648 | + "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv4"); |
649 | HIP_DEBUG("IPv4 handle created (mode COPY_PACKET)\n"); |
650 | |
651 | // create firewall queue handles for IPv6 traffic |
652 | - HIP_IFEL(!(h6 = ipq_create_handle(0, PF_INET6)), -1, |
653 | - "ipq_create_handle(): %s\n", ipq_errstr()); |
654 | - HIP_IFEL(ipq_set_mode(h6, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1, |
655 | - "ipq_set_mode(): %s\n", ipq_errstr()); |
656 | + HIP_IFEL(!(h6 = nfq_open()), -1, |
657 | + "nfq_open(): %s\n", "Error during nfq_open(), IPv6"); |
658 | + HIP_IFEL((nfq_unbind_pf(h6, AF_INET6) < 0), -1, |
659 | + "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv6). Is the obsolete 'ip6_queue' kernel module loaded?"); // Unbinding any previous handlers |
660 | + HIP_IFEL((nfq_bind_pf(h6, AF_INET6) < 0), -1, |
661 | + "nfq_bind(): %s\n", "Error during nfq_bind(), IPv6"); |
662 | + HIP_IFEL(!(h6_q = nfq_create_queue(h6, 1, &netfilter_callback_ipv6, NULL)), -1, |
663 | + "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv6"); |
664 | + HIP_IFEL(nfq_set_mode(h6_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1, |
665 | + "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv6"); |
666 | HIP_DEBUG("IPv6 handle created (mode COPY_PACKET)\n"); |
667 | |
668 | + // Create file handles for the queues |
669 | + HIP_IFEL(!(h4_fd = nfq_fd(h4)), -1, |
670 | + "nfq_fd(): %s\n", "Unable to get file descriptor, IPv4"); |
671 | + HIP_DEBUG("IPv4 file descriptor created\n"); |
672 | + HIP_IFEL(!(h6_fd = nfq_fd(h6)), -1, |
673 | + "nfq_fd(): %s\n", "Unable to get file descriptor, IPv6"); |
674 | + HIP_DEBUG("IPv6 file descriptor created\n"); |
675 | + |
676 | // set up ip(6)tables rules and firewall extensions |
677 | HIP_IFEL(firewall_init(), -1, "Firewall init failed\n"); |
678 | |
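Review bot: the nfq_fd() checks at hipfw.c:669 and :672 treat a descriptor of 0 as failure (`!(h4_fd = nfq_fd(h4))`), but 0 is a valid file descriptor and nfq_fd() does not signal errors that way; test for `< 0` instead, and note that initialising h4_fd/h6_fd to 0 means the cleanup path cannot tell an unset descriptor from fd 0 either. The comment "Create file handles for the queues" is also misleading: nfq_fd() only returns the netlink socket the handle already owns. Separately, the nfq_unbind_pf() calls at :641 and :658 have exactly the side effect the cleanup hunk later warns about (they detach every other program's queue binding for that protocol family), so the start-up call and the warning should be made consistent; on recent kernels the pf bind/unbind calls are no-ops anyway. Finally, the queue numbers 0 (IPv4) and 1 (IPv6) are hard-coded here; make them named constants shared with the NFQUEUE rules that firewall_init() installs.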
679 | @@ -1868,8 +1929,8 @@ |
680 | HIP_IFEL(hip_set_lowcapability(), -1, "Failed to reduce privileges\n"); |
681 | } |
682 | |
683 | - highest_descriptor = hip_fw_async_sock > h4->fd ? hip_fw_async_sock : h4->fd; |
684 | - highest_descriptor = h6->fd > highest_descriptor ? h6->fd : highest_descriptor; |
685 | + highest_descriptor = hip_fw_async_sock > h4_fd ? hip_fw_async_sock : h4_fd; |
686 | + highest_descriptor = h6_fd > highest_descriptor ? h6_fd : highest_descriptor; |
687 | |
688 | /* Allocate message. */ |
689 | HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Insufficient memory\n"); |
690 | @@ -1885,8 +1946,8 @@ |
691 | // set up file descriptors for select |
692 | FD_ZERO(&read_fdset); |
693 | FD_SET(hip_fw_async_sock, &read_fdset); |
694 | - FD_SET(h4->fd, &read_fdset); |
695 | - FD_SET(h6->fd, &read_fdset); |
696 | + FD_SET(h4_fd, &read_fdset); |
697 | + FD_SET(h6_fd, &read_fdset); |
698 | |
699 | timeout.tv_sec = HIP_SELECT_TIMEOUT; |
700 | timeout.tv_usec = 0; |
701 | @@ -1899,14 +1960,26 @@ |
702 | continue; |
703 | } |
704 | |
705 | - if (FD_ISSET(h4->fd, &read_fdset)) { |
706 | - HIP_DEBUG("received IPv4 packet from iptables queue\n"); |
707 | - err = fw_handle_packet(buf, h4, 4, &ctx); |
708 | + if (FD_ISSET(h4_fd, &read_fdset)) { |
709 | + nfq_packet_length = recv(h4_fd, buf, HIP_MAX_PACKET, 0); |
710 | + if (nfq_packet_length == -1) { |
711 | + err = errno; |
712 | + HIP_PERROR("Error reading received IPv4 packet.\n"); |
713 | + } else if (nfq_packet_length > 0) { |
714 | + HIP_DEBUG("received IPv4 packet from iptables queue\n"); |
715 | + err = nfq_handle_packet(h4, buf, nfq_packet_length); |
716 | + } |
717 | } |
718 | |
719 | - if (FD_ISSET(h6->fd, &read_fdset)) { |
720 | - HIP_DEBUG("received IPv6 packet from iptables queue\n"); |
721 | - err = fw_handle_packet(buf, h6, 6, &ctx); |
722 | + if (FD_ISSET(h6_fd, &read_fdset)) { |
723 | + nfq_packet_length = recv(h6_fd, buf, HIP_MAX_PACKET, 0); |
724 | + if (nfq_packet_length == -1) { |
725 | + err = errno; |
726 | + HIP_PERROR("Error reading received IPv6 packet.\n"); |
727 | + } else if (nfq_packet_length > 0) { |
728 | + HIP_DEBUG("received IPv6 packet from iptables queue\n"); |
729 | + err = nfq_handle_packet(h6, buf, nfq_packet_length); |
730 | + } |
731 | } |
732 | |
733 | if (FD_ISSET(hip_fw_async_sock, &read_fdset)) { |
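Review bot: the recv() error handling at hipfw.c:710-712 and :724-726 treats every failure the same and stores a positive errno in err. With nfnetlink the usual failure is ENOBUFS, which means the kernel dropped queued packets because the socket receive buffer filled up, and EINTR is benign; handle those explicitly (continue, count the drops) and consider enlarging the buffer at start-up with nfnl_rcvbufsiz(nfq_nfnlh(h4), ...). Also recv() returns ssize_t, so nfq_packet_length should be ssize_t rather than int, and the IPv4 and IPv6 branches differ only in the handle and descriptor and could share one small helper.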
734 | @@ -1919,11 +1992,19 @@ |
735 | } |
736 | |
737 | out_err: |
738 | + if (h4_q) { |
739 | + nfq_destroy_queue(h4_q); |
740 | + } |
741 | if (h4) { |
742 | - ipq_destroy_handle(h4); |
743 | + // nfq_unbind_pf(h4, AF_INET); /* This command is dangerous because it unbinds other programs too */ |
744 | + nfq_close(h4); |
745 | + } |
746 | + if (h6_q) { |
747 | + nfq_destroy_queue(h6_q); |
748 | } |
749 | if (h6) { |
750 | - ipq_destroy_handle(h6); |
751 | + // nfq_unbind_pf(h6, AF_INET6); /* This command is dangerous because it unbinds other programs too */ |
752 | + nfq_close(h6); |
753 | } |
754 | if (hip_fw_async_sock) { |
755 | close(hip_fw_async_sock); |
756 | |
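Review bot: the commented-out nfq_unbind_pf() calls at hipfw.c:743 and :751 should be deleted and their rationale kept as a plain comment; the review already asked for commented-out code to go from mocks.c, and the same applies here. The teardown order itself (nfq_destroy_queue before nfq_close) is correct.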
757 | === modified file 'hipfw/hipfw_defines.h' |
758 | --- hipfw/hipfw_defines.h 2012-05-12 06:54:33 +0000 |
759 | +++ hipfw/hipfw_defines.h 2013-08-01 12:26:32 +0000 |
760 | @@ -1,5 +1,5 @@ |
761 | /* |
762 | - * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University. |
763 | + * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University. |
764 | * |
765 | * Permission is hereby granted, free of charge, to any person |
766 | * obtaining a copy of this software and associated documentation |
767 | @@ -28,13 +28,13 @@ |
768 | |
769 | #define _BSD_SOURCE |
770 | |
771 | -#include <libipq.h> |
772 | #include <stdint.h> |
773 | #include <stdbool.h> |
774 | #include <netinet/in.h> |
775 | #include <netinet/ip6.h> |
776 | #include <netinet/tcp.h> |
777 | #include <netinet/udp.h> |
778 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
779 | |
780 | #include "libcore/common.h" |
781 | #include "libcore/linkedlist.h" |
782 | @@ -53,6 +53,19 @@ |
783 | }; |
784 | |
785 | /** |
786 | + * @note Backwards-compatibility header with the depracated libipq library |
787 | + * |
788 | + */ |
789 | +typedef struct hip_ipq_packet_msg { |
790 | + unsigned long packet_id; |
791 | + unsigned int hook; |
792 | + char indev_name[IFNAMSIZ]; |
793 | + char outdev_name[IFNAMSIZ]; |
794 | + size_t data_len; |
795 | + unsigned char *payload; |
796 | +} hip_ipq_packet_msg_t; |
797 | + |
798 | +/** |
799 | * @note When adding new members, check if hip_fw_context_enable_write() needs |
800 | * to be updated as well. |
801 | * @see hip_fw_context_enable_write() |
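Review bot: "depracated" at hipfw_defines.h:786 is misspelled, and the comment calls this a "header" although it documents a struct; say what it is, a subset of libipq's ipq_packet_msg_t filled in from libnetfilter_queue callbacks. packet_id keeps libipq's unsigned long, but nfq_set_verdict() takes a uint32_t and nfq_get_msg_packet_hdr() delivers the id in network byte order, so document that the field holds the host-order id and consider declaring it uint32_t. IFNAMSIZ should come from an explicit <net/if.h> include rather than a transitive one now that libipq.h is gone.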
802 | @@ -60,7 +73,7 @@ |
803 | */ |
804 | struct hip_fw_context { |
805 | // queued packet |
806 | - ipq_packet_msg_t *ipq_packet; |
807 | + hip_ipq_packet_msg_t *ipq_packet; |
808 | |
809 | // IP layer information |
810 | int ip_version; /* 4, 6 */ |
811 | |
812 | === modified file 'hipfw/lsi.c' |
813 | --- hipfw/lsi.c 2012-05-12 06:54:33 +0000 |
814 | +++ hipfw/lsi.c 2013-08-01 12:26:32 +0000 |
815 | @@ -44,7 +44,6 @@ |
816 | |
817 | #define _BSD_SOURCE |
818 | |
819 | -#include <libipq.h> |
820 | #include <stdint.h> |
821 | #include <stdlib.h> |
822 | #include <string.h> |
823 | @@ -54,6 +53,7 @@ |
824 | #include <netinet/ip_icmp.h> |
825 | #include <netinet/tcp.h> |
826 | #include <netinet/udp.h> |
827 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
828 | |
829 | #include "libcore/builder.h" |
830 | #include "libcore/icomm.h" |
831 | @@ -204,7 +204,7 @@ |
832 | */ |
833 | static int reinject_packet(const struct in6_addr *src_hit, |
834 | const struct in6_addr *dst_hit, |
835 | - const ipq_packet_msg_t *m, |
836 | + const hip_ipq_packet_msg_t *m, |
837 | const int ip_orig_traffic, |
838 | const int incoming) |
839 | { |
840 | @@ -292,7 +292,7 @@ |
841 | * @return 1 if translation not done |
842 | * 0 if packet reinjected with lsis as addresses |
843 | */ |
844 | -int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m, |
845 | +int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m, |
846 | const struct in6_addr *ip_src, |
847 | const struct in6_addr *ip_dst, |
848 | const int lsi_support) |
849 | @@ -384,7 +384,7 @@ |
850 | * @param lsi_dst destination LSI |
851 | * @return err during the BEX |
852 | */ |
853 | -int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m, struct in_addr *lsi_src, |
854 | +int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m, struct in_addr *lsi_src, |
855 | struct in_addr *lsi_dst) |
856 | { |
857 | int err = 0; |
858 | |
859 | === modified file 'hipfw/lsi.h' |
860 | --- hipfw/lsi.h 2012-05-12 06:54:33 +0000 |
861 | +++ hipfw/lsi.h 2013-08-01 12:26:32 +0000 |
862 | @@ -1,5 +1,5 @@ |
863 | /* |
864 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
865 | + * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University. |
866 | * |
867 | * Permission is hereby granted, free of charge, to any person |
868 | * obtaining a copy of this software and associated documentation |
869 | @@ -28,10 +28,11 @@ |
870 | |
871 | #define _BSD_SOURCE |
872 | |
873 | -#include <libipq.h> |
874 | #include <netinet/in.h> |
875 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
876 | |
877 | #include "libcore/protodefs.h" |
878 | +#include "hipfw_defines.h" |
879 | |
880 | int hip_trigger_bex(const struct in6_addr *src_hit, |
881 | const struct in6_addr *dst_hit, |
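Review bot: the new `#include <libnetfilter_queue/libnetfilter_queue.h>` in lsi.h is redundant: the only new type this header uses, hip_ipq_packet_msg_t, comes from "hipfw_defines.h", included two lines below, which itself pulls in libnetfilter_queue.h. Dropping it keeps the header's include set minimal.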
882 | @@ -39,12 +40,12 @@ |
883 | const hip_lsi_t *dst_lsi, |
884 | const struct in6_addr *src_ip, |
885 | const struct in6_addr *dst_ip); |
886 | -int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m, |
887 | +int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m, |
888 | const struct in6_addr *ip_src, |
889 | const struct in6_addr *ip_dst, |
890 | const int lsi_support); |
891 | |
892 | -int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m, |
893 | +int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m, |
894 | struct in_addr *ip_src, |
895 | struct in_addr *ip_dst); |
896 | |
897 | |
898 | === modified file 'hipfw/rewrite.c' |
899 | --- hipfw/rewrite.c 2012-05-12 06:54:33 +0000 |
900 | +++ hipfw/rewrite.c 2013-08-01 12:26:32 +0000 |
901 | @@ -1,5 +1,5 @@ |
902 | /* |
903 | - * Copyright (c) 2011 Aalto University and RWTH Aachen University. |
904 | + * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University. |
905 | * |
906 | * Permission is hereby granted, free of charge, to any person |
907 | * obtaining a copy of this software and associated documentation |
908 | @@ -54,17 +54,16 @@ |
909 | * more thoroughly, these optimizations should be considered hacks (and |
910 | * are thus not used here). |
911 | * |
912 | - * @author Christof Mroz <christof.mroz@rwth-aachen.de> |
913 | */ |
914 | |
915 | #define _BSD_SOURCE |
916 | |
917 | #include <netinet/in.h> |
918 | -#include <linux/netfilter.h> |
919 | -#include <libipq.h> |
920 | #include <limits.h> |
921 | #include <stdlib.h> |
922 | #include <string.h> |
923 | +#include <linux/netfilter.h> |
924 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
925 | |
926 | #include "libcore/builder.h" |
927 | #include "libcore/debug.h" |
928 | @@ -75,8 +74,8 @@ |
929 | static const bool assume_ipq_buffer_sufficient = false; |
930 | |
931 | struct scratch_buffer { |
932 | - ipq_packet_msg_t ipq; |
933 | - uint8_t *payload[HIP_MAX_PACKET]; |
934 | + hip_ipq_packet_msg_t ipq; |
935 | + uint8_t *payload[HIP_MAX_PACKET]; |
936 | } __attribute__((packed)); // no gaps between header and payload |
937 | |
938 | static struct scratch_buffer scratch_buffer; |
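Review bot: the packed-struct trick at rewrite.c:931-936 no longer does what its comment says. With libipq, ipq_packet_msg_t ended in a zero-length payload array, so packing made scratch_buffer.payload sit directly after the header; hip_ipq_packet_msg_t ends in an `unsigned char *payload` pointer, so that pointer must now be set explicitly to the buffer and the packed attribute buys nothing. While here, `uint8_t *payload[HIP_MAX_PACKET]` declares an array of pointers rather than bytes (pre-existing, but `uint8_t payload[HIP_MAX_PACKET]` is what is meant).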
939 | @@ -316,7 +315,7 @@ |
940 | * @param handle libipq file handle |
941 | * @param ctx The current packet context. |
942 | */ |
943 | -void allow_modified_packet(struct ipq_handle *const handle, |
944 | +void allow_modified_packet(struct nfq_q_handle *const handle, |
945 | struct hip_fw_context *const ctx) |
946 | { |
947 | HIP_ASSERT(ctx->modified); |
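Review bot: the doc comment at rewrite.c:940 still reads "@param handle libipq file handle"; update it to describe the nfq_q_handle the function now takes.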
948 | @@ -373,7 +372,7 @@ |
949 | } |
950 | } |
951 | |
952 | - ipq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT, |
953 | + nfq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT, |
954 | ctx->ipq_packet->data_len, ctx->ipq_packet->payload); |
955 | HIP_DEBUG("Packet accepted with modifications\n\n"); |
956 | } |
957 | |
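Review bot: the return value of nfq_set_verdict() at rewrite.c:953 is dropped, so a packet that could not be re-injected is silently lost while its queue entry stays pending; check for -1 and report it with HIP_PERROR. The id argument is uint32_t while ctx->ipq_packet->packet_id is unsigned long, and it must already be in host byte order for the verdict to match the queued packet.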
958 | === modified file 'hipfw/rewrite.h' |
959 | --- hipfw/rewrite.h 2011-11-25 13:52:20 +0000 |
960 | +++ hipfw/rewrite.h 2013-08-01 12:26:32 +0000 |
961 | @@ -1,5 +1,5 @@ |
962 | /* |
963 | - * Copyright (c) 2011 Aalto University and RWTH Aachen University. |
964 | + * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University. |
965 | * |
966 | * Permission is hereby granted, free of charge, to any person |
967 | * obtaining a copy of this software and associated documentation |
968 | @@ -33,7 +33,7 @@ |
969 | |
970 | bool hipfw_splice_param(struct hip_fw_context *const ctx, |
971 | const struct hip_tlv_common *const param); |
972 | -void allow_modified_packet(struct ipq_handle *const handle, |
973 | +void allow_modified_packet(struct nfq_q_handle *const handle, |
974 | struct hip_fw_context *const ctx); |
975 | |
976 | #endif /* HIPL_HIPFW_REWRITE_H */ |
977 | |
978 | === modified file 'packaging/hipl.spec' |
979 | --- packaging/hipl.spec 2013-01-29 11:49:17 +0000 |
980 | +++ packaging/hipl.spec 2013-08-01 12:26:32 +0000 |
981 | @@ -7,7 +7,7 @@ |
982 | Vendor: InfraHIP |
983 | License: GPLv2 |
984 | Group: System Environment/Daemons |
985 | -BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.3 |
986 | +BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.3 libnetfilter_queue-devel |
987 | BuildRoot: %{_tmppath}/%{name}-%{version}-root |
988 | |
989 | %description |
990 | @@ -55,7 +55,7 @@ |
991 | HIP for Linux IPsec key management and mobility daemon. |
992 | |
993 | %package firewall |
994 | -Requires: openssl iptables |
995 | +Requires: openssl iptables libnetfilter_queue |
996 | Summary: HIPL multi-purpose firewall daemon |
997 | Group: System Environment/Daemons |
998 | %description firewall |
999 | |
1000 | === modified file 'packaging/openwrt/hipl/Makefile.in' |
1001 | --- packaging/openwrt/hipl/Makefile.in 2012-03-19 12:32:25 +0000 |
1002 | +++ packaging/openwrt/hipl/Makefile.in 2013-08-01 12:26:32 +0000 |
1003 | @@ -57,7 +57,7 @@ |
1004 | |
1005 | define Package/hipl-firewall |
1006 | $(call Package/hipl/Default) |
1007 | - DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue |
1008 | + DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue +libnetfilter-queue |
1009 | TITLE:=HIPL firewall |
1010 | endef |
1011 | |
1012 | |
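Review bot: DEPENDS at Makefile.in:1008 still lists +kmod-ipt-queue, the ip_queue kernel module this branch stops using; the firewall now needs the nfnetlink_queue kernel support plus the libnetfilter-queue user-space library, so the old kmod dependency should be replaced rather than extended.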
1013 | === modified file 'test/check_hipfw.c' |
1014 | --- test/check_hipfw.c 2011-11-25 13:52:20 +0000 |
1015 | +++ test/check_hipfw.c 2013-08-01 12:26:32 +0000 |
1016 | @@ -1,5 +1,5 @@ |
1017 | /* |
1018 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1019 | + * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University. |
1020 | * |
1021 | * Permission is hereby granted, free of charge, to any person |
1022 | * obtaining a copy of this software and associated documentation |
1023 | @@ -38,7 +38,6 @@ |
1024 | srunner_add_suite(sr, firewall_line_parser()); |
1025 | srunner_add_suite(sr, firewall_midauth()); |
1026 | srunner_add_suite(sr, firewall_port_bindings()); |
1027 | - srunner_add_suite(sr, firewall_rewrite()); |
1028 | |
1029 | srunner_run_all(sr, CK_NORMAL); |
1030 | number_failed = srunner_ntests_failed(sr); |
1031 | |
1032 | === removed file 'test/hipfw/rewrite.c' |
1033 | --- test/hipfw/rewrite.c 2012-05-12 06:54:33 +0000 |
1034 | +++ test/hipfw/rewrite.c 1970-01-01 00:00:00 +0000 |
1035 | @@ -1,131 +0,0 @@ |
1036 | -/* |
1037 | - * Copyright (c) 2011-2012 Aalto University and RWTH Aachen University. |
1038 | - * |
1039 | - * Permission is hereby granted, free of charge, to any person |
1040 | - * obtaining a copy of this software and associated documentation |
1041 | - * files (the "Software"), to deal in the Software without |
1042 | - * restriction, including without limitation the rights to use, |
1043 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1044 | - * copies of the Software, and to permit persons to whom the |
1045 | - * Software is furnished to do so, subject to the following |
1046 | - * conditions: |
1047 | - * |
1048 | - * The above copyright notice and this permission notice shall be |
1049 | - * included in all copies or substantial portions of the Software. |
1050 | - * |
1051 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1052 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1053 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1054 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1055 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1056 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1057 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1058 | - * OTHER DEALINGS IN THE SOFTWARE. |
1059 | - */ |
1060 | - |
1061 | -#define _BSD_SOURCE |
1062 | - |
1063 | -#include <check.h> |
1064 | -#include <stdlib.h> |
1065 | -#include <string.h> |
1066 | - |
1067 | -#include "hipfw/hipfw_defines.h" |
1068 | -#include "libcore/common.h" |
1069 | -#include "modules/midauth/hipd/midauth.h" |
1070 | -#include "modules/midauth/lib/midauth_builder.h" |
1071 | -#include "test/mocks.h" |
1072 | -#include "test_suites.h" |
1073 | - |
1074 | -#include "hipfw/hipfw.c" |
1075 | - |
1076 | - |
1077 | -static const unsigned char tmp_ipq_packet[] = "\xA0\x85\x07\x12\x00\x88\xFF\xFF\x00\x00" |
1078 | - "\x00\x00\x00\x00\x00\x00\xD3\x98\x81\x4E\x00\x00\x00\x00\x27\x21\x0D" |
1079 | - "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x65\x74\x68\x31\x00\x00\x00\x00" |
1080 | - "\x00\x00\x00\x00\x00\x00\x00\x00\x65\x74\x68\x32\x00\x00\x00\x00\x00" |
1081 | - "\x00\x00\x00\x00\x00\x00\x00\x08\x00\x01\x00\x06\x08\x00\x27\x45\x4D" |
1082 | - "\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA0\x02\x00\x00\x00\x00\x00" |
1083 | - "\x00\x45\x00\x02\xA0\x00\x00\x40\x00\x3F\x11\xB3\xEF\xC0\xA8\x01\x0A" |
1084 | - "\xC0\xA8\x03\x03\x29\x04\x29\x04\x02\x8C\x00\x00\x00\x00\x00\x00\x3B" |
1085 | - "\x4F\x03\x11\x00\x00\x00\x00\x20\x01\x00\x1B\xD8\xB0\x77\xF0\xC6\x17" |
1086 | - "\x71\x70\xDE\xD7\xF3\x20\x20\x01\x00\x17\x5D\xF8\xC4\x26\x98\xE5\x5F" |
1087 | - "\xA2\x28\x6D\x28\x47\x00\x41\x00\x0C\x00\x00\x00\x48\x00\x00\x00\x00" |
1088 | - "\x2D\x4A\x07\x08\x01\x41\x00\x14\x00\x00\x48\x49\x90\x7D\xD8\x95\x84" |
1089 | - "\xB3\x8D\xDC\x18\x25\xF9\x65\xE3\x31\x3E\xDD\x01\x42\x00\x1C\x01\x02" |
1090 | - "\x82\xEC\x42\x00\x00\x00\x00\x00\x5A\x3C\x03\x14\x9A\x0E\x9D\xCA\xF0" |
1091 | - "\x19\xAD\x2B\xBA\x43\x33\x66\xF8\xB2\x02\x01\x00\xC3\x03\x00\xC0\x7C" |
1092 | - "\xDA\x02\x1F\xB7\xFE\x85\xBB\xD1\x93\xFD\xB2\xFB\xC0\xB1\xAD\x09\x61" |
1093 | - "\x1F\x8E\xDD\x8F\x1B\xFC\xC3\x97\xA1\xCE\x4C\x55\x85\xB4\x4A\x8B\x66" |
1094 | - "\x93\x2A\xDF\x85\xC0\x3A\x84\xA2\x22\x4F\xB3\xF9\x6F\xC5\x54\x23\x9D" |
1095 | - "\xC2\x03\xEB\xB9\x55\xA4\xF0\x19\xC0\x2B\x4C\xD1\xBF\xC9\x04\xF5\x32" |
1096 | - "\xAB\x39\xEF\x7B\xF9\xA7\xAB\x5A\xC5\x27\x5E\x21\x83\x48\xB0\x8E\x19" |
1097 | - "\xB4\x51\x2B\xBA\x79\x00\x62\x70\x48\xF3\x44\xAE\x49\xD4\xC9\x20\x74" |
1098 | - "\x38\x0D\x11\xCA\xB3\x6F\x03\x47\x9A\x39\xA5\xFB\xC0\x70\xD6\xB5\xB6" |
1099 | - "\x35\x08\xB4\xB0\x33\x19\xF9\x07\x3C\x82\x7D\x3C\x16\x0C\x74\x9A\x1F" |
1100 | - "\x9B\xB2\xE6\xB3\xC7\xB3\x08\xE2\x10\x66\x23\x95\xF6\x00\xC7\x57\x8B" |
1101 | - "\x19\x83\x9E\x6F\xB6\x9D\x6A\x44\x25\xF1\xFD\x45\xFB\xD4\xD9\xE8\xA7" |
1102 | - "\xD5\xF9\xA7\xA5\xFB\xA3\x23\xD2\xDE\x67\x15\x9C\x6C\xFB\x5B\x08\xAC" |
1103 | - "\x7F\xC9\xF9\xD7\x00\x02\x41\x00\x02\x00\x01\x00\x00\x02\xC1\x00\x92" |
1104 | - "\x00\x88\x10\x06\x02\x02\xFF\x05\x03\x01\x00\x01\xD6\xBD\x7C\x86\xC3" |
1105 | - "\x4A\xA3\x93\x7F\xD9\x82\xBD\x22\xF1\xC7\x4F\x72\x76\x4F\x2F\x68\xF7" |
1106 | - "\x4F\x9D\xCE\xF3\xAE\xD4\x3B\x13\x5D\xC1\xF7\xF8\x09\x4E\xB4\xCD\x82" |
1107 | - "\x6F\xF8\xD1\x70\x01\x4E\xC0\x64\x82\xF1\x7E\x21\x54\x62\x73\x08\xEA" |
1108 | - "\x0A\x66\x1B\xA7\x9A\x4A\xAA\x17\x56\x77\x1D\x4D\x0D\xD2\x19\x92\xA0" |
1109 | - "\xAC\xF7\x23\x62\xE2\xF0\xFB\x1E\x73\x19\x16\x61\x1B\x85\x02\x42\x4B" |
1110 | - "\x89\x46\x09\x71\x42\x6F\x40\x8E\x62\x31\xA6\x4F\x17\x45\xF2\x7B\xFA" |
1111 | - "\xF2\xB6\xC8\x87\x37\x3A\xDF\xBB\x10\xE8\xDA\x97\x31\x6C\x38\xDF\xD0" |
1112 | - "\x97\x45\x84\x39\x61\x6C\x69\x63\x65\x00\x00\x00\x0F\xFF\x00\x04\x00" |
1113 | - "\x00\x00\x01\xF0\x41\x00\x14\xE7\x35\x6F\x89\x30\x3E\x1E\xA7\xFB\x93" |
1114 | - "\x8B\xBE\xD1\x34\x1F\x35\xB8\xE0\x82\x0C\xF1\x01\x00\x81\x05\xA6\xA2" |
1115 | - "\x75\xEF\xA8\xC3\x9C\x64\x9E\x9A\xDA\xFB\x38\xB4\x05\x8C\x6A\x6E\x5B" |
1116 | - "\x59\x9F\x11\x5B\xA6\xC0\x05\x42\xA6\x0D\x9C\x62\x17\x0E\x23\xB6\x3B" |
1117 | - "\x15\xB8\xEC\x6F\xE3\xB6\x6E\x80\x76\x97\xBE\x5B\x5B\x1A\x90\x30\xDF" |
1118 | - "\x1F\x32\x2C\x4E\x22\x20\x0B\xD4\x2B\x5B\x7C\xEF\x27\xEA\xB9\x80\x27" |
1119 | - "\xEF\xBC\xB4\xAF\x97\x2A\xD5\x86\xDA\xEE\x2C\xF0\x8B\x45\x00\x10\xE1" |
1120 | - "\x3A\x95\x35\xAC\x7C\xA8\x88\xC1\x60\xB9\x71\xD3\xE2\x29\xF7\x75\xD0" |
1121 | - "\x7E\x27\x1B\x21\x43\xAE\xBB\x08\xE1\x6B\x9E\x1E\xB9\x55\x89\xE3\x2B" |
1122 | - "\x29\x06\x4A\xA2\x90\x98\x38\x00\x00\x00"; |
1123 | -static const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1124 | - "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1125 | - |
1126 | -#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1127 | -START_TEST(hipfw_splice_param_NULL_ctx) |
1128 | -{ |
1129 | - struct hip_common *tmp_msg = NULL; |
1130 | - const struct hip_tlv_common *param = NULL; |
1131 | - |
1132 | - tmp_msg = hip_msg_alloc(); |
1133 | - hip_build_param_challenge_request(tmp_msg, 0, 0, opaque, |
1134 | - MIDAUTH_DEFAULT_NONCE_LENGTH); |
1135 | - param = hip_get_param(tmp_msg, HIP_PARAM_CHALLENGE_REQUEST); |
1136 | - |
1137 | - fail_unless(hipfw_splice_param(NULL, param) == false, NULL); |
1138 | -} |
1139 | -END_TEST |
1140 | - |
1141 | -START_TEST(hipfw_splice_param_NULL_param) |
1142 | -{ |
1143 | - struct hip_fw_context ctx; |
1144 | - |
1145 | - mock_ipq = true; |
1146 | - mock_ipq_pkt_len = ARRAY_SIZE(tmp_ipq_packet); |
1147 | - |
1148 | - fail_unless(fw_init_context(&ctx, tmp_ipq_packet, 4) == 0, NULL); |
1149 | - fail_unless(hipfw_splice_param(&ctx, NULL) == false, NULL); |
1150 | -} |
1151 | -END_TEST |
1152 | -#endif |
1153 | - |
1154 | -Suite *firewall_rewrite(void) |
1155 | -{ |
1156 | - Suite *s = suite_create("hipfw/rewrite"); |
1157 | - TCase *tc_rewrite = tcase_create("rewrite"); |
1158 | - |
1159 | -#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1160 | - tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_ctx, 1); |
1161 | - tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_param, 1); |
1162 | -#endif |
1163 | - suite_add_tcase(s, tc_rewrite); |
1164 | - |
1165 | - return s; |
1166 | -} |
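Review bot: the whole firewall_rewrite suite is deleted rather than ported. The two tests only exercised NULL-argument handling of hipfw_splice_param() via the ipq_get_packet() mock; with hip_ipq_packet_msg_t being a plain struct they can be rebuilt by filling it directly from the IP payload of tmp_ipq_packet and running the firewall's context initialisation on it, with no libnetfilter_queue mock at all. Please either port them or explain in the test report why they cannot be kept.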
1167 | |
1168 | === modified file 'test/hipfw/test_suites.h' |
1169 | --- test/hipfw/test_suites.h 2011-11-25 17:56:24 +0000 |
1170 | +++ test/hipfw/test_suites.h 2013-08-01 12:26:32 +0000 |
1171 | @@ -1,5 +1,5 @@ |
1172 | /* |
1173 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1174 | + * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University. |
1175 | * |
1176 | * Permission is hereby granted, free of charge, to any person |
1177 | * obtaining a copy of this software and associated documentation |
1178 | @@ -34,6 +34,5 @@ |
1179 | Suite *firewall_line_parser(void); |
1180 | Suite *firewall_midauth(void); |
1181 | Suite *firewall_port_bindings(void); |
1182 | -Suite *firewall_rewrite(void); |
1183 | |
1184 | #endif /* HIPL_TEST_FIREWALL_TEST_SUITES_H */ |
1185 | |
1186 | === modified file 'test/mocks.c' |
1187 | --- test/mocks.c 2011-10-19 11:57:13 +0000 |
1188 | +++ test/mocks.c 2013-08-01 12:26:32 +0000 |
1189 | @@ -1,5 +1,5 @@ |
1190 | /* |
1191 | - * Copyright (c) 2011 Aalto University and RWTH Aachen University. |
1192 | + * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University. |
1193 | * |
1194 | * Permission is hereby granted, free of charge, to any person |
1195 | * obtaining a copy of this software and associated documentation |
1196 | @@ -87,7 +87,7 @@ |
1197 | #include <stdlib.h> |
1198 | #include <string.h> |
1199 | #include <time.h> |
1200 | -#include <libipq.h> |
1201 | +#include <libnetfilter_queue/libnetfilter_queue.h> |
1202 | |
1203 | #include "mocks.h" |
1204 | |
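Review bot: once the ipq_get_packet() mock is removed in the following hunk, nothing left in mocks.c appears to use libnetfilter_queue, so the new include at mocks.c:1201 looks unused; drop it unless another mock needs it.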
1205 | @@ -190,28 +190,3 @@ |
1206 | |
1207 | return EXIT_SUCCESS; |
1208 | } |
1209 | - |
1210 | -/*** ipq_get_packet(3) ***/ |
1211 | -bool mock_ipq = false; |
1212 | -unsigned int mock_ipq_pkt_len = 0; |
1213 | - |
1214 | -/** |
1215 | - * ipq_get_packet(3) mock function. Controlled by the ::mock_ipq flag. |
1216 | - * |
1217 | - * @param buf contents of the returned ipq_packet_msg_t |
1218 | - * @return a fully filled ipq_packet_msg_t |
1219 | - * |
1220 | - * @note The buffer length is required for this mock function. You can provide |
1221 | - * it via the ::mock_ipq_pkt_len flag. |
1222 | - */ |
1223 | -ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf) |
1224 | -{ |
1225 | - if (!mock_ipq) { |
1226 | - ipq_packet_msg_t *(*original)(const unsigned char *) = get_original(ipq_get_packet, "ipq_get_packet"); |
1227 | - return original(buf); |
1228 | - } else { |
1229 | - char *tmp = malloc(mock_ipq_pkt_len); |
1230 | - memcpy(tmp, buf, mock_ipq_pkt_len); |
1231 | - return (ipq_packet_msg_t *) tmp; |
1232 | - } |
1233 | -} |
Minor comments:
* hipfw.c:396: perror -> HIP_PERROR
* hipfw.c:675 unnecessary line breaks
* test/mocks.c: get rid of the "if 0" code
(* In some cases, I am sure if variable declaration code needed to be aligned; I always try to minimize the size of the diff)
Please fix these and request a new merge proposal asap. When you give the new merge proposal, please give a test report and explain why the unit tests were removed.
I suggest merging the code on Friday at noon if there are no other comments. Please be prepared to fix some nits later on if somebody else comments about the coding style. I think we can do this directly on the trunk because this fix is kind of urgent and should have been dealt with earlier.
Thanks Juhani for this contribution! Good work.