Merge lp:~hipl-core/hipl/libnetfilter_queue into lp:hipl

Proposed by Pupu Toivonen
Status: Superseded
Proposed branch: lp:~hipl-core/hipl/libnetfilter_queue
Merge into: lp:hipl
Diff against target: 1233 lines (+300/-363)
17 files modified
INSTALL (+3/-3)
Makefile.am (+0/-1)
configure.ac (+2/-1)
debian/control (+2/-2)
hipfw/cert.c (+1/-0)
hipfw/hipfw.c (+251/-170)
hipfw/hipfw_defines.h (+16/-3)
hipfw/lsi.c (+4/-4)
hipfw/lsi.h (+5/-4)
hipfw/rewrite.c (+7/-8)
hipfw/rewrite.h (+2/-2)
packaging/hipl.spec (+2/-2)
packaging/openwrt/hipl/Makefile.in (+1/-1)
test/check_hipfw.c (+1/-2)
test/hipfw/rewrite.c (+0/-131)
test/hipfw/test_suites.h (+1/-2)
test/mocks.c (+2/-27)
To merge this branch: bzr merge lp:~hipl-core/hipl/libnetfilter_queue
Reviewer: Miika Komu, Status: Needs Fixing
Review via email: mp+177456@code.launchpad.net

This proposal has been superseded by a proposal from 2013-08-01.

Description of the change

hipl-firewall has been ported from using the deprecated and recently deleted ip_queue (libipq) packet queue into using netfilter_queue. This fixes bug #1154974.

This solution reuses much of the code that was used to handle libipq packets by collecting the used fields into an imitating packet type hip_ipq_packet_msg and passing that around to the functions.

Miika Komu (miika-iki) wrote:

Minor comments:

* hipfw.c:396: perror -> HIP_PERROR
* hipfw.c:675 unnecessary line breaks
* test/mocks.c: get rid of the "if 0" code
(* In some cases, I am sure if variable declaration code was necessary to be aligned; I always try to minimize the size of the diff)

Please fix these and request a new merge proposal asap. When you give the new merge proposal, please give a test report and explain why the unit tests were removed.

I suggest merging the code on Friday noon if there are no other comments. Please be prepared to fix some nits later on if somebody else comments about the coding style. I think we can do this directly on the trunk because this fix is kind of urgent and should have been dealt with earlier.

Thanks Juhani for this contribution! Good work.

review: Needs Fixing
6440. By Pupu Toivonen

Minor changes.

Call to perror changed to HIP_PERROR.
Removed a couple of extra newlines.
Removed commented-out code from mocks.c.

Pupu Toivonen (scolphoy) wrote:

Thank you for the feedback.

I made those minor changes. Aligning of the variable declarations was enforced by the commit hooks.
I'll write a report and resubmit the proposal soon.

Unmerged revisions

Preview Diff

=== modified file 'INSTALL'
--- INSTALL 2013-03-31 13:42:34 +0000
+++ INSTALL 2013-08-01 12:26:32 +0000
@@ -33,7 +33,7 @@
33-------------33-------------
34- required:34- required:
35 apt-get install autoconf automake libtool make gcc libssl-dev iptables-dev \35 apt-get install autoconf automake libtool make gcc libssl-dev iptables-dev \
36 libnet-ip-perl libnet-dns-perl bzr36 libnet-ip-perl libnet-dns-perl bzr libnetfilter-queue-dev
37- optional:37- optional:
38 apt-get install xmlto doxygen check libconfig8-dev miredo38 apt-get install xmlto doxygen check libconfig8-dev miredo
39- binary packages:39- binary packages:
@@ -43,7 +43,7 @@
43-------------43-------------
44- required:44- required:
45 yum install autoconf automake libtool make gcc openssl-devel iptables-devel \45 yum install autoconf automake libtool make gcc openssl-devel iptables-devel \
46 perl-Net-IP perl-Net-DNS bzr46 perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel
47- optional:47- optional:
48 yum install xmlto doxygen check-devel libconfig-devel miredo48 yum install xmlto doxygen check-devel libconfig-devel miredo
49- binary packages:49- binary packages:
@@ -53,7 +53,7 @@
53--------53--------
54- required:54- required:
55 zypper install autoconf automake libtool make gcc libopenssl-devel iptables-devel \55 zypper install autoconf automake libtool make gcc libopenssl-devel iptables-devel \
56 perl-Net-IP perl-Net-DNS bzr56 perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel
57- optional:57- optional:
58 zypper install xmlto doxygen check-devel58 zypper install xmlto doxygen check-devel
59- binary packages:59- binary packages:
6060
=== modified file 'Makefile.am'
--- Makefile.am 2013-03-25 06:43:57 +0000
+++ Makefile.am 2013-08-01 12:26:32 +0000
@@ -223,7 +223,6 @@
223 test/hipfw/line_parser.c \223 test/hipfw/line_parser.c \
224 test/hipfw/midauth.c \224 test/hipfw/midauth.c \
225 test/hipfw/port_bindings.c \225 test/hipfw/port_bindings.c \
226 test/hipfw/rewrite.c \
227 $(hipfw_hipfw_sources)226 $(hipfw_hipfw_sources)
228227
229test_check_libcore_SOURCES = test/check_libcore.c \228test_check_libcore_SOURCES = test/check_libcore.c \
230229
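Review bot: removing test/hipfw/rewrite.c from test_check_hipfw_SOURCES drops the only unit coverage of the rewrite code with nothing put in its place, and the diff summary shows the file itself deleted (-131 lines) together with most of test/mocks.c (-27). If those tests only broke because they mocked libipq calls, they can be ported to build a hip_ipq_packet_msg directly instead of being deleted; either way the proposal text should say why they no longer apply, as the reviewer asked.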
=== modified file 'configure.ac'
--- configure.ac 2013-01-29 11:37:45 +0000
+++ configure.ac 2013-08-01 12:26:32 +0000
@@ -137,7 +137,8 @@
137 [ac_cv_use_firewall],137 [ac_cv_use_firewall],
138 [ac_cv_use_firewall=yes])138 [ac_cv_use_firewall=yes])
139if test x"$ac_cv_use_firewall" = x"yes"; then139if test x"$ac_cv_use_firewall" = x"yes"; then
140 AC_CHECK_LIB(ipq, ipq_create_handle,, [AC_MSG_ERROR([libipq not found])])140 AC_CHECK_LIB(netfilter_queue, nfq_create_queue,, [AC_MSG_ERROR([libnetfilter_queue not found])])
141 AC_CHECK_LIB(nfnetlink, nlif_query,, [AC_MSG_ERROR([libnfnetlink not found])])
141 AC_CHECK_LIB(config, config_setting_index,,142 AC_CHECK_LIB(config, config_setting_index,,
142 [AC_MSG_WARN([libconfig not found, using default config])])143 [AC_MSG_WARN([libconfig not found, using default config])])
143 AC_DEFINE(CONFIG_HIP_FIREWALL)144 AC_DEFINE(CONFIG_HIP_FIREWALL)
144145
=== modified file 'debian/control'
--- debian/control 2013-01-29 11:37:45 +0000
+++ debian/control 2013-08-01 12:26:32 +0000
@@ -2,7 +2,7 @@
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: HIPL team <hipl-dev@freelists.org>4Maintainer: HIPL team <hipl-dev@freelists.org>
5Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m5Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m, libnetfilter-queue-dev
6Standards-Version: 3.9.16Standards-Version: 3.9.1
7Homepage: http://launchpad.net/hipl7Homepage: http://launchpad.net/hipl
88
@@ -28,7 +28,7 @@
2828
29Package: hipl-firewall29Package: hipl-firewall
30Architecture: any30Architecture: any
31Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables31Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables, libnetfilter-queue1
32Suggests: hipl-doc32Suggests: hipl-doc
33Description: HIP for Linux multi-purpose firewall daemon33Description: HIP for Linux multi-purpose firewall daemon
34 The Host Identity Protocol (HIP) and the related architecture form a proposal34 The Host Identity Protocol (HIP) and the related architecture form a proposal
3535
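Review bot: the hard-coded `libnetfilter-queue1` in Depends duplicates what `${shlibs:Depends}` already derives from the linked library and pins the package to one soname, so a future soname bump breaks the dependency line silently. The Build-Depends addition of `libnetfilter-queue-dev` in the previous hunk is the right change; consider dropping the runtime entry and letting dh_shlibdeps compute it.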
=== modified file 'hipfw/cert.c'
--- hipfw/cert.c 2012-05-12 06:54:33 +0000
+++ hipfw/cert.c 2013-08-01 12:26:32 +0000
@@ -37,6 +37,7 @@
37#include <stdio.h>37#include <stdio.h>
38#include <stdlib.h>38#include <stdlib.h>
39#include <string.h>39#include <string.h>
40#include <errno.h>
40#include <netinet/in.h>41#include <netinet/in.h>
41#include <linux/netfilter.h>42#include <linux/netfilter.h>
42#include <linux/netfilter_ipv6.h>43#include <linux/netfilter_ipv6.h>
4344
=== modified file 'hipfw/hipfw.c'
--- hipfw/hipfw.c 2012-07-19 12:00:32 +0000
+++ hipfw/hipfw.c 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University.2 * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -45,13 +45,13 @@
4545
46#define _BSD_SOURCE46#define _BSD_SOURCE
4747
48#include <libipq.h>
49#include <limits.h>48#include <limits.h>
50#include <stdio.h>49#include <stdio.h>
51#include <stdlib.h>50#include <stdlib.h>
52#include <string.h>51#include <string.h>
53#include <strings.h>52#include <strings.h>
54#include <unistd.h>53#include <unistd.h>
54#include <errno.h>
55#include <arpa/inet.h>55#include <arpa/inet.h>
56#include <netinet/in.h>56#include <netinet/in.h>
57#include <netinet/ip.h>57#include <netinet/ip.h>
@@ -63,6 +63,7 @@
63#include <sys/utsname.h>63#include <sys/utsname.h>
64#include <sys/wait.h>64#include <sys/wait.h>
65#include <linux/netfilter_ipv4.h>65#include <linux/netfilter_ipv4.h>
66#include <libnetfilter_queue/libnetfilter_queue.h>
6667
67#include "libcore/builder.h"68#include "libcore/builder.h"
68#include "libcore/capability.h"69#include "libcore/capability.h"
@@ -181,9 +182,9 @@
181 "failed to initialize userspace ipsec\n");182 "failed to initialize userspace ipsec\n");
182183
183 // queue incoming ESP over IPv4 and IPv4 UDP encapsulated traffic184 // queue incoming ESP over IPv4 and IPv4 UDP encapsulated traffic
184 system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE");185 system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
185 system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");186 system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
186 system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");187 system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
187188
188 /* no need to queue outgoing ICMP, TCP and UDP sent to LSIs as189 /* no need to queue outgoing ICMP, TCP and UDP sent to LSIs as
189 * this is handled elsewhere */190 * this is handled elsewhere */
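Review bot: the new rules bind IPv4 to `--queue-num 0` and IPv6 to `--queue-num 1` with no `--queue-bypass`, so whenever hipfw is not attached to those queues the kernel drops every matched packet rather than letting it through. That fail-closed behaviour is what a firewall usually wants, but it is worth stating in the comment above the rules, and since the two queue numbers are repeated in every system_print() call of this and the following hunks they should be named constants (e.g. in hipfw_defines.h, which this proposal already touches) so they cannot drift apart between the insert and delete paths.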
@@ -191,13 +192,13 @@
191 /* queue incoming ESP over IPv6192 /* queue incoming ESP over IPv6
192 *193 *
193 * @note this is where you would want to add IPv6 UDP encapsulation */194 * @note this is where you would want to add IPv6 UDP encapsulation */
194 system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE");195 system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
195196
196 // queue outgoing ICMP, TCP and UDP sent to HITs197 // queue outgoing ICMP, TCP and UDP sent to HITs
197 system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE");198 system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // IPv6-ICMP
198 system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE");199 system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // TCP
199 system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j QUEUE");200 system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // ICMP
200 system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE");201 system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // UDP
201 } else if (ver_c < 27) {202 } else if (ver_c < 27) {
202 HIP_INFO("You are using kernel version %s. Userspace ipsec should"203 HIP_INFO("You are using kernel version %s. Userspace ipsec should"
203 " be used with versions below 2.6.27.\n", name.release);204 " be used with versions below 2.6.27.\n", name.release);
@@ -223,15 +224,16 @@
223 HIP_IFEL(userspace_ipsec_uninit(), -1, "failed to uninit user ipsec\n");224 HIP_IFEL(userspace_ipsec_uninit(), -1, "failed to uninit user ipsec\n");
224225
225 // delete all rules previously set up for this extension226 // delete all rules previously set up for this extension
226 system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null");227 system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0 2> /dev/null"); // ESP
227 system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE 2> /dev/null");228 system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP
228 system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE 2> /dev/null");229 system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP
229230
230 system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null");231 system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-crypt
231232
232 system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE 2> /dev/null");233 system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-ICMP
233 system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE 2> /dev/null");234 system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // TCP
234 system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE 2> /dev/null");235 system_print("ip6tables -D HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // ICMP
236 system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // UDP
235 }237 }
236238
237out_err:239out_err:
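Review bot: good catch adding the `-p 1` ICMP delete rule, which the old code inserted in the init path but never removed, so every rule added in the init hunk is now torn down. One nit: the trailing comment on the ip6tables `-p 50` line says `// IPv6-crypt` while the same protocol is labelled ESP elsewhere in the file; use one name for both.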
@@ -327,7 +329,7 @@
327static int fw_init_lsi_support(void)329static int fw_init_lsi_support(void)
328{330{
329 struct hip_common *msg = NULL;331 struct hip_common *msg = NULL;
330 int err = 0;332 int err = 0;
331333
332 if (hip_lsi_support) {334 if (hip_lsi_support) {
333 if (!(msg = hip_msg_alloc())) {335 if (!(msg = hip_msg_alloc())) {
@@ -343,11 +345,11 @@
343 free(msg);345 free(msg);
344346
345 // add the rule347 // add the rule
346 system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE");348 system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0");
347349
348 /* LSI support: incoming HIT packets, captured to decide if350 /* LSI support: incoming HIT packets, captured to decide if
349 * HITs may be mapped to LSIs */351 * HITs may be mapped to LSIs */
350 system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j QUEUE");352 system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1");
351 }353 }
352354
353 return err;355 return err;
@@ -361,16 +363,16 @@
361static int fw_uninit_lsi_support(void)363static int fw_uninit_lsi_support(void)
362{364{
363 struct hip_common *msg = NULL;365 struct hip_common *msg = NULL;
364 int err = 0;366 int err = 0;
365367
366 if (hip_lsi_support) {368 if (hip_lsi_support) {
367 // set global variable to off369 // set global variable to off
368 hip_lsi_support = 0;370 hip_lsi_support = 0;
369371
370 // remove the rule372 // remove the rule
371 system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE 2> /dev/null");373 system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0 2> /dev/null");
372374
373 system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j QUEUE 2> /dev/null");375 system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null");
374376
375 if (!(msg = hip_msg_alloc())) {377 if (!(msg = hip_msg_alloc())) {
376 HIP_ERROR("failed to allocate memory\n");378 HIP_ERROR("failed to allocate memory\n");
@@ -396,37 +398,37 @@
396 if (filter_traffic) {398 if (filter_traffic) {
397 // this will allow the firewall to handle HIP traffic399 // this will allow the firewall to handle HIP traffic
398 // HIP protocol400 // HIP protocol
399 system_print("iptables -I HIPFW-FORWARD -p 139 -j QUEUE");401 system_print("iptables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0");
400 // ESP protocol402 // ESP protocol
401 system_print("iptables -I HIPFW-FORWARD -p 50 -j QUEUE");403 system_print("iptables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0");
402 // UDP encapsulation for HIP404 // UDP encapsulation for HIP
403 system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");405 system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
404 system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");406 system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
405407
406 system_print("iptables -I HIPFW-INPUT -p 139 -j QUEUE");408 system_print("iptables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0");
407 system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE");409 system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
408 system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");410 system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
409 system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");411 system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
410412
411 system_print("iptables -I HIPFW-OUTPUT -p 139 -j QUEUE");413 system_print("iptables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0");
412 system_print("iptables -I HIPFW-OUTPUT -p 50 -j QUEUE");414 system_print("iptables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0");
413 system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");415 system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
414 system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");416 system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
415417
416 system_print("ip6tables -I HIPFW-FORWARD -p 139 -j QUEUE");418 system_print("ip6tables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1");
417 system_print("ip6tables -I HIPFW-FORWARD -p 50 -j QUEUE");419 system_print("ip6tables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1");
418 system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");420 system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
419 system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");421 system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
420422
421 system_print("ip6tables -I HIPFW-INPUT -p 139 -j QUEUE");423 system_print("ip6tables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1");
422 system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE");424 system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
423 system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");425 system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
424 system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");426 system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
425427
426 system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j QUEUE");428 system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1");
427 system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j QUEUE");429 system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1");
428 system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");430 system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
429 system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");431 system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
430 }432 }
431}433}
432434
@@ -435,35 +437,35 @@
435 */437 */
436static void firewall_uninit_filter_traffic(void)438static void firewall_uninit_filter_traffic(void)
437{439{
438 system_print("iptables -D HIPFW-FORWARD -p 139 -j QUEUE");440 system_print("iptables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0");
439 system_print("iptables -D HIPFW-FORWARD -p 50 -j QUEUE");441 system_print("iptables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0");
440 system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");442 system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
441 system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");443 system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
442444
443 system_print("iptables -D HIPFW-INPUT -p 139 -j QUEUE");445 system_print("iptables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0");
444 system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE");446 system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
445 system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");447 system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
446 system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");448 system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
447449
448 system_print("iptables -D HIPFW-OUTPUT -p 139 -j QUEUE");450 system_print("iptables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0");
449 system_print("iptables -D HIPFW-OUTPUT -p 50 -j QUEUE");451 system_print("iptables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0");
450 system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");452 system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
451 system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");453 system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
452454
453 system_print("ip6tables -D HIPFW-FORWARD -p 139 -j QUEUE");455 system_print("ip6tables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1");
454 system_print("ip6tables -D HIPFW-FORWARD -p 50 -j QUEUE");456 system_print("ip6tables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1");
455 system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");457 system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
456 system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");458 system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
457459
458 system_print("ip6tables -D HIPFW-INPUT -p 139 -j QUEUE");460 system_print("ip6tables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1");
459 system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE");461 system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
460 system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");462 system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
461 system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");463 system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
462464
463 system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j QUEUE");465 system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1");
464 system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j QUEUE");466 system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1");
465 system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");467 system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
466 system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");468 system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
467}469}
468470
469/**471/**
@@ -530,8 +532,9 @@
530{532{
531 int err = 0;533 int err = 0;
532534
533 if (esp_relay == 0)535 if (esp_relay == 0) {
534 return 0;536 return 0;
537 }
535538
536 /* Required for ESP relay and might not be active */539 /* Required for ESP relay and might not be active */
537 if (!filter_traffic) {540 if (!filter_traffic) {
@@ -727,7 +730,7 @@
727 char cmd[40];730 char cmd[40];
728 int mod_total;731 int mod_total;
729 const char *mod_name[] = {732 const char *mod_name[] = {
730 "ip_queue", "ip6_queue", "iptable_filter", "ip6table_filter"733 "iptable_filter", "ip6table_filter"
731 };734 };
732735
733 mod_total = sizeof(mod_name) / sizeof(char *);736 mod_total = sizeof(mod_name) / sizeof(char *);
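Review bot: dropping ip_queue/ip6_queue from mod_name[] is right, but nothing replaces them, so the firewall now relies on the kernel autoloading nfnetlink_queue (and iptables pulling in xt_NFQUEUE) on kernels where those are built as modules. That usually works, but the old code did not depend on autoloading, so either add the two module names here or leave a comment explaining why autoloading is assumed.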
@@ -1296,6 +1299,43 @@
1296}1299}
12971300
1298/**1301/**
1302 * Build packet imitating the legacy libipq packets.
1303 *
1304 * This is to get a compilable version of the firewall out sooner,
1305 * converting other functions to use
1306 */
1307static int build_ipq_packet(struct nfq_data *nfa, struct hip_ipq_packet_msg *ptr)
1308{
1309 struct nfqnl_msg_packet_hdr *ph;
1310 struct nlif_handle *nlifh;
1311 ph = nfq_get_msg_packet_hdr(nfa);
1312
1313 // Open handle to read interface names from
1314 nlifh = nlif_open();
1315 if (nlifh == NULL) {
1316 HIP_PERROR("nlif_open failed during build_ipq_packet");
1317 return -1;
1318 }
1319 nlif_query(nlifh); // query the interface table
1320
1321 // Populate the packet struct
1322 ptr->packet_id = ntohl(ph->packet_id);
1323 ptr->hook = ph->hook;
1324 nfq_get_indev_name(nlifh, nfa, ptr->indev_name);
1325 nfq_get_outdev_name(nlifh, nfa, ptr->outdev_name);
1326 ptr->data_len = nfq_get_payload(nfa, (void *) &ptr->payload); // (void *) because old netfilter_queue used (char **) and
1327 // current uses (unsigned char **). For this application
1328 // either one is fine, but if we choose one, strict type
1329 // checking causes compilation to fail for the other.
1330 // Casting to (void *) omits compiler type checking and
1331 // transfers the responsibility to the programmer.
1332
1333 // Close the interface handle
1334 nlif_close(nlifh);
1335 return 1;
1336}
1337
1338/**
1299 *1339 *
1300 * Initialize context for a packet. The context stores e.g. the packet type and1340 * Initialize context for a packet. The context stores e.g. the packet type and
1301 * possibly encapsulating packet type. It also stores useful pointers IP and1341 * possibly encapsulating packet type. It also stores useful pointers IP and
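Review bot: `ph` returned by nfq_get_msg_packet_hdr() is dereferenced without a NULL check, and the return values of nfq_get_indev_name(), nfq_get_outdev_name() and nfq_get_payload() are ignored, so on a truncated or malformed netlink message data_len becomes -1 and the payload pointer is left unset; check each of them and return -1 as the nlif_open() failure path already does. Opening, querying and closing an nlif handle for every single packet also costs a netlink round trip per packet; open it once at startup next to the nfq handles and keep it in a static. Two smaller points: the function returns 1 on success while the rest of the file uses 0 for success, and the doc comment stops mid-sentence ("converting other functions to use").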
@@ -1308,28 +1348,31 @@
1308 * Unsupported types -> type 01348 * Unsupported types -> type 0
1309 *1349 *
1310 * @param ctx the context.1350 * @param ctx the context.
1311 * @param buf a pointer to a IP packet.1351 * @param nfa a pointer to the netfilter packet.
1312 * @param ip_version the IP version for this packet1352 * @param ip_version the IP version for this packet
1313 * @return One if @c hdr is a HIP packet, zero otherwise.1353 * @return One if @c hdr is a HIP packet, zero otherwise.
1314 */1354 */
1315static int fw_init_context(struct hip_fw_context *ctx,1355static int fw_init_context(struct hip_fw_context *ctx,
1316 const unsigned char *buf,1356 struct nfq_data *nfa,
1317 const int ip_version)1357 const int ip_version)
1318{1358{
1319 int err = 0;1359 int err = 0;
1320 // length of packet starting at udp header1360 // length of packet starting at udp header
1321 uint16_t udp_len = 0;1361 uint16_t udp_len = 0;
1322 struct udphdr *udphdr = NULL;1362 struct udphdr *udphdr = NULL;
1323 int udp_encap_zero_bytes = 0;1363 int udp_encap_zero_bytes = 0;
1364 static struct hip_ipq_packet_msg packet;
13241365
1325 // same context memory as for packets before -> re-init1366 // same context memory as for packets before -> re-init
1326 memset(ctx, 0, sizeof(struct hip_fw_context));1367 memset(ctx, 0, sizeof(struct hip_fw_context));
1368 memset(&packet, 0, sizeof(struct hip_ipq_packet_msg));
13271369
1328 // default assumption1370 // default assumption
1329 ctx->packet_type = OTHER_PACKET;1371 ctx->packet_type = OTHER_PACKET;
13301372
1331 // add whole packet to context and ip version1373 // add whole packet to context and ip version
1332 ctx->ipq_packet = ipq_get_packet(buf);1374 ctx->ipq_packet = &packet;
1375 build_ipq_packet(nfa, ctx->ipq_packet);
13331376
1334 // check if packet is to big for the buffer1377 // check if packet is to big for the buffer
1335 if (ctx->ipq_packet->data_len > HIP_MAX_PACKET) {1378 if (ctx->ipq_packet->data_len > HIP_MAX_PACKET) {
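Review bot: the return value of build_ipq_packet() is discarded, so when it fails the context carries a zeroed packet (packet_id 0, data_len 0), the HIP_MAX_PACKET check below passes and the handlers run on an empty payload; treat a negative return as an error in the file's HIP_IFEL style so the caller drops and returns. Making `packet` a function static is fine while libnetfilter_queue invokes callbacks synchronously, but a one-line comment that ctx->ipq_packet points at this static (and is therefore overwritten by the next packet) would save the next reader from looking for a free().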
@@ -1549,9 +1592,9 @@
1549 * @param handle the handle for the packets.1592 * @param handle the handle for the packets.
1550 * @param packet_id the packet ID.1593 * @param packet_id the packet ID.
1551 */1594 */
1552static void allow_packet(struct ipq_handle *handle, unsigned long packet_id)1595static void allow_packet(struct nfq_q_handle *handle, unsigned long packet_id)
1553{1596{
1554 ipq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL);1597 nfq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL);
15551598
1556 HIP_DEBUG("Packet accepted \n\n");1599 HIP_DEBUG("Packet accepted \n\n");
1557}1600}
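Review bot: nfq_set_verdict() takes a u_int32_t id and returns -1 on failure, yet `packet_id` keeps its libipq-era `unsigned long` type and the return value is ignored here and in drop_packet() in the next hunk. A lost verdict leaves the packet sitting in the queue until it fills, so narrow the parameter to uint32_t and log a failed verdict with HIP_PERROR.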
@@ -1562,88 +1605,84 @@
1562 * @param handle the handle for the packets.1605 * @param handle the handle for the packets.
1563 * @param packet_id the packet ID.1606 * @param packet_id the packet ID.
1564 */1607 */
1565static void drop_packet(struct ipq_handle *handle, unsigned long packet_id)1608static void drop_packet(struct nfq_q_handle *handle, unsigned long packet_id)
1566{1609{
1567 ipq_set_verdict(handle, packet_id, NF_DROP, 0, NULL);1610 nfq_set_verdict(handle, packet_id, NF_DROP, 0, NULL);
15681611
1569 HIP_DEBUG("Packet dropped \n\n");1612 HIP_DEBUG("Packet dropped \n\n");
1570}1613}
15711614
1572/**1615/**
1573 * Analyze a packet.1616 * Analyze a packet.
1574 *1617 * This is a callback function for netfilter_queue.
1575 * @param buf the packet to be analyzed1618 *
1576 * @param hndl a file handle to the ipqueue1619 * @param qh the netfilter queue handle
1577 * @param ip_version the type of traffic: 4 - ipv4; 6 - ipv6.1620 * @param nfmsg the netfilter message
1578 * @param ctx packet context1621 * @param nfa the netfilter packet, header and payload
1579 *1622 * @param data
1580 * @return always 01623 * @param ip_version the IP version used
1581 */1624 */
1582static int fw_handle_packet(unsigned char *buf, struct ipq_handle *hndl,1625static int fw_handle_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
1583 const int ip_version, struct hip_fw_context *ctx)1626 struct nfq_data *nfa, void *data, const int ip_version)
1584{1627{
1585 // assume DROP1628 static struct hip_fw_context ctx; // static because of heavy re-use.
1586 int verdict = 0;1629 int verdict = 0; // assume DROP
15871630
1588 /* waits for queue messages to arrive from ip_queue and1631 // Intentionally unused, remove compiler warnings.
1589 * copies them into a supplied buffer */1632 (void) nfmsg;
1590 if (ipq_read(hndl, buf, HIP_MAX_PACKET, 0) < 0) {1633 (void) data;
1591 HIP_PERROR("ipq_read failed: ");1634
1592 // TODO this error needs to be handled seperately -> die(hndl)?1635
1593 goto out_err;1636 HIP_DEBUG("Entering netfilter callback for IPv%d\n", ip_version);
1594 }
1595
1596 /* queued messages may be a packet messages or an error messages */
1597 switch (ipq_message_type(buf)) {
1598 case IPQM_PACKET:
1599 HIP_DEBUG("Received ipqm packet\n");
1600 // no goto -> go on with processing the message below
1601 break;
1602 case NLMSG_ERROR:
1603 HIP_ERROR("Received error message (%d): %s\n", ipq_get_msgerr(buf),
1604 ipq_errstr());
1605 goto out_err;
1606 break;
1607 default:
1608 HIP_DEBUG("Unsupported libipq packet\n");
1609 goto out_err;
1610 break;
1611 }
16121637
1613 // set up firewall context1638 // set up firewall context
1614 if (fw_init_context(ctx, buf, ip_version)) {1639 if (fw_init_context(&ctx, nfa, ip_version)) {
1615 goto out_err;1640 goto out_err;
1616 }1641 }
16171642
1618 HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx->ipq_packet->hook,1643 HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx.ipq_packet->hook,
1619 ctx->packet_type);1644 ctx.packet_type);
16201645
1621 // match context with rules1646 // match context with rules
1622 if (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type]) {1647 if (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type]) {
1623 verdict = (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type])(ctx);1648 verdict = (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type])(&ctx);
1624 } else {1649 } else {
1625 HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n");1650 HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n", ctx.ipq_packet->hook,
1651 ctx.packet_type);
1626 }1652 }
16271653
1654
1628out_err:1655out_err:
1629 if (verdict) {1656 if (verdict) {
1630 if (ctx->modified == 0) {1657 if (ctx.modified == 0) {
1631 HIP_DEBUG("=== Verdict: allow packet ===\n");1658 HIP_DEBUG("=== Verdict: allow packet ===\n");
1632 allow_packet(hndl, ctx->ipq_packet->packet_id);1659 allow_packet(qh, ctx.ipq_packet->packet_id);
1633 } else {1660 } else {
1634 HIP_DEBUG("=== Verdict: allow modified packet ===\n");1661 HIP_DEBUG("=== Verdict: allow modified packet ===\n");
1635 allow_modified_packet(hndl, ctx);1662 allow_modified_packet(qh, &ctx);
1636 }1663 }
1637 } else {1664 } else {
1638 HIP_DEBUG("=== Verdict: drop packet ===\n");1665 HIP_DEBUG("=== Verdict: drop packet ===\n");
1639 drop_packet(hndl, ctx->ipq_packet->packet_id);1666 drop_packet(qh, ctx.ipq_packet->packet_id);
1640 }1667 }
16411668
1642 // nothing to clean up here as we re-use buf, hndl and ctx1669 // nothing to clean up here.
16431670
1644 return 0;1671 return 0;
1645}1672}
16461673
1674static int netfilter_callback_ipv4(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
1675 struct nfq_data *nfa, void *data)
1676{
1677 return fw_handle_packet(qh, nfmsg, nfa, data, 4);
1678}
1679
1680static int netfilter_callback_ipv6(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
1681 struct nfq_data *nfa, void *data)
1682{
1683 return fw_handle_packet(qh, nfmsg, nfa, data, 6);
1684}
1685
1647/**1686/**
1648 * Receive and process one message from hipd.1687 * Receive and process one message from hipd.
1649 *1688 *
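Review bot: the out_err path still dereferences ctx.ipq_packet->packet_id in the allow_packet()/drop_packet() calls even when fw_init_context() has just failed and jumped there; with ctx now a local struct inside the callback instead of one prepared by the caller, make sure fw_init_context() assigns ctx.ipq_packet before any of its failure returns, or guard the verdict with `if (ctx.ipq_packet)` and otherwise issue the drop from the raw header (nfq_get_msg_packet_hdr(nfa) gives the id). A failed init also returns 0 from the callback like the success case, so nfq_handle_packet() cannot report it to the main loop; returning -1 there would let the caller see it. The HIP_DEBUG in the "no handler" branch now supplies the two arguments the old format string was missing; that is a real fix and worth a line in the commit message.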
@@ -1763,14 +1802,16 @@
1763 const bool kill_old,1802 const bool kill_old,
1764 const bool limit_capabilities)1803 const bool limit_capabilities)
1765{1804{
1766 int err = 0, highest_descriptor, i;1805 int err = 0, highest_descriptor, i;
1767 struct ipq_handle *h4 = NULL, *h6 = NULL;1806 struct nfq_handle *h4 = NULL, *h6 = NULL;
1768 struct hip_common *msg = NULL;1807 struct nfq_q_handle *h4_q = NULL, *h6_q = NULL;
1769 struct sockaddr_in6 sock_addr = { 0 };1808 int h4_fd = 0, h6_fd = 0;
1770 fd_set read_fdset;1809 int nfq_packet_length;
1771 struct timeval timeout;1810 struct hip_common *msg = NULL;
1772 unsigned char buf[HIP_MAX_PACKET];1811 struct sockaddr_in6 sock_addr = { 0 };
1773 struct hip_fw_context ctx;1812 fd_set read_fdset;
1813 struct timeval timeout;
1814 char buf[HIP_MAX_PACKET];
17741815
1775#ifdef CONFIG_HIP_PERFORMANCE1816#ifdef CONFIG_HIP_PERFORMANCE
1776 HIP_DEBUG("Creating perf set\n");1817 HIP_DEBUG("Creating perf set\n");
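Review bot: `nfq_packet_length` is declared `int` but takes the return value of recv(), which is `ssize_t`; declare it `ssize_t` so the -1 check and the length passed on to nfq_handle_packet() cannot be truncated. The buffer changing from `unsigned char` to `char` is fine, since nfq_handle_packet() takes `char *buf, int len`, but the untouched declarations (msg, sock_addr, read_fdset, timeout) were only reindented, which inflates the diff for no gain; keep their original alignment.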
@@ -1848,19 +1889,39 @@
1848 firewall_probe_kernel_modules();1889 firewall_probe_kernel_modules();
18491890
1850 // create firewall queue handles for IPv4 traffic1891 // create firewall queue handles for IPv4 traffic
1851 HIP_IFEL(!(h4 = ipq_create_handle(0, PF_INET)), -1,1892 HIP_IFEL(!(h4 = nfq_open()), -1,
1852 "ipq_create_handle(): %s\n", ipq_errstr());1893 "nfq_open(): %s\n", "Error during nfq_open(), IPv4");
1853 HIP_IFEL(ipq_set_mode(h4, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,1894 HIP_IFEL((nfq_unbind_pf(h4, AF_INET) < 0), -1,
1854 "ipq_set_mode(): %s\n", ipq_errstr());1895 "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv4). Is the obsolete 'ip_queue' kernel module loaded?"); // Unbinding any previous handlers
1896 HIP_IFEL((nfq_bind_pf(h4, AF_INET) < 0), -1,
1897 "nfq_bind(): %s\n", "Error during nfq_bind(), IPv4");
1898 HIP_IFEL(!(h4_q = nfq_create_queue(h4, 0, &netfilter_callback_ipv4, NULL)), -1,
1899 "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv4");
1900 HIP_IFEL(nfq_set_mode(h4_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
1901 "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv4");
1855 HIP_DEBUG("IPv4 handle created (mode COPY_PACKET)\n");1902 HIP_DEBUG("IPv4 handle created (mode COPY_PACKET)\n");
18561903
1857 // create firewall queue handles for IPv6 traffic1904 // create firewall queue handles for IPv6 traffic
1858 HIP_IFEL(!(h6 = ipq_create_handle(0, PF_INET6)), -1,1905 HIP_IFEL(!(h6 = nfq_open()), -1,
1859 "ipq_create_handle(): %s\n", ipq_errstr());1906 "nfq_open(): %s\n", "Error during nfq_open(), IPv6");
1860 HIP_IFEL(ipq_set_mode(h6, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,1907 HIP_IFEL((nfq_unbind_pf(h6, AF_INET6) < 0), -1,
1861 "ipq_set_mode(): %s\n", ipq_errstr());1908 "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv6). Is the obsolete 'ip6_queue' kernel module loaded?"); // Unbinding any previous handlers
1909 HIP_IFEL((nfq_bind_pf(h6, AF_INET6) < 0), -1,
1910 "nfq_bind(): %s\n", "Error during nfq_bind(), IPv6");
1911 HIP_IFEL(!(h6_q = nfq_create_queue(h6, 1, &netfilter_callback_ipv6, NULL)), -1,
1912 "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv6");
1913 HIP_IFEL(nfq_set_mode(h6_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
1914 "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv6");
1862 HIP_DEBUG("IPv6 handle created (mode COPY_PACKET)\n");1915 HIP_DEBUG("IPv6 handle created (mode COPY_PACKET)\n");
18631916
1917 // Create file handles for the queues
1918 HIP_IFEL(!(h4_fd = nfq_fd(h4)), -1,
1919 "nfq_fd(): %s\n", "Unable to get file descriptor, IPv4");
1920 HIP_DEBUG("IPv4 file descriptor created\n");
1921 HIP_IFEL(!(h6_fd = nfq_fd(h6)), -1,
1922 "nfq_fd(): %s\n", "Unable to get file descriptor, IPv6");
1923 HIP_DEBUG("IPv6 file descriptor created\n");
1924
1864 // set up ip(6)tables rules and firewall extensions1925 // set up ip(6)tables rules and firewall extensions
1865 HIP_IFEL(firewall_init(), -1, "Firewall init failed\n");1926 HIP_IFEL(firewall_init(), -1, "Firewall init failed\n");
18661927
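Review bot: nfq_unbind_pf() is called at startup here although the shutdown hunk comments the same call out as "dangerous because it unbinds other programs too"; the startup call has exactly that side effect on any other nfqueue user on kernels where the bind matters, so either document why it is acceptable at startup or drop the unbind/bind pair. The error messages pass a fixed string through `%s` and never include errno, although libnetfilter_queue/libnfnetlink set it; put the text in the format and add the reason, e.g. `HIP_IFEL(nfq_bind_pf(h4, AF_INET) < 0, -1, "nfq_bind_pf(IPv4): %s\n", strerror(errno));`. `!(h4_fd = nfq_fd(h4))` treats descriptor 0 as a failure while nfq_fd() simply returns the netlink socket of a valid handle; check for `< 0` or drop the check. The queue numbers 0 and 1 are magic numbers that must agree with the --queue-num of the NFQUEUE rules firewall_init() installs; give them named constants in hipfw_defines.h so both places use the same value.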
@@ -1868,8 +1929,8 @@
1868 HIP_IFEL(hip_set_lowcapability(), -1, "Failed to reduce privileges\n");1929 HIP_IFEL(hip_set_lowcapability(), -1, "Failed to reduce privileges\n");
1869 }1930 }
18701931
1871 highest_descriptor = hip_fw_async_sock > h4->fd ? hip_fw_async_sock : h4->fd;1932 highest_descriptor = hip_fw_async_sock > h4_fd ? hip_fw_async_sock : h4_fd;
1872 highest_descriptor = h6->fd > highest_descriptor ? h6->fd : highest_descriptor;1933 highest_descriptor = h6_fd > highest_descriptor ? h6_fd : highest_descriptor;
18731934
1874 /* Allocate message. */1935 /* Allocate message. */
1875 HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Insufficient memory\n");1936 HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Insufficient memory\n");
@@ -1885,8 +1946,8 @@
1885 // set up file descriptors for select1946 // set up file descriptors for select
1886 FD_ZERO(&read_fdset);1947 FD_ZERO(&read_fdset);
1887 FD_SET(hip_fw_async_sock, &read_fdset);1948 FD_SET(hip_fw_async_sock, &read_fdset);
1888 FD_SET(h4->fd, &read_fdset);1949 FD_SET(h4_fd, &read_fdset);
1889 FD_SET(h6->fd, &read_fdset);1950 FD_SET(h6_fd, &read_fdset);
18901951
1891 timeout.tv_sec = HIP_SELECT_TIMEOUT;1952 timeout.tv_sec = HIP_SELECT_TIMEOUT;
1892 timeout.tv_usec = 0;1953 timeout.tv_usec = 0;
@@ -1899,14 +1960,26 @@
1899 continue;1960 continue;
1900 }1961 }
19011962
1902 if (FD_ISSET(h4->fd, &read_fdset)) {1963 if (FD_ISSET(h4_fd, &read_fdset)) {
1903 HIP_DEBUG("received IPv4 packet from iptables queue\n");1964 nfq_packet_length = recv(h4_fd, buf, HIP_MAX_PACKET, 0);
1904 err = fw_handle_packet(buf, h4, 4, &ctx);1965 if (nfq_packet_length == -1) {
1966 err = errno;
1967 HIP_PERROR("Error reading received IPv4 packet.\n");
1968 } else if (nfq_packet_length > 0) {
1969 HIP_DEBUG("received IPv4 packet from iptables queue\n");
1970 err = nfq_handle_packet(h4, buf, nfq_packet_length);
1971 }
1905 }1972 }
19061973
1907 if (FD_ISSET(h6->fd, &read_fdset)) {1974 if (FD_ISSET(h6_fd, &read_fdset)) {
1908 HIP_DEBUG("received IPv6 packet from iptables queue\n");1975 nfq_packet_length = recv(h6_fd, buf, HIP_MAX_PACKET, 0);
1909 err = fw_handle_packet(buf, h6, 6, &ctx);1976 if (nfq_packet_length == -1) {
1977 err = errno;
1978 HIP_PERROR("Error reading received IPv6 packet.\n");
1979 } else if (nfq_packet_length > 0) {
1980 HIP_DEBUG("received IPv6 packet from iptables queue\n");
1981 err = nfq_handle_packet(h6, buf, nfq_packet_length);
1982 }
1910 }1983 }
19111984
1912 if (FD_ISSET(hip_fw_async_sock, &read_fdset)) {1985 if (FD_ISSET(hip_fw_async_sock, &read_fdset)) {
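Review bot: a recv() failure stores errno in err, but with nfqueue a full queue makes recv() fail with ENOBUFS and a signal produces EINTR; if the surrounding loop treats a non-zero err as fatal, a burst of traffic takes the whole firewall down, and for a packet filter that is a fail-open/fail-closed decision that should be explicit rather than accidental. Treat `errno == ENOBUFS` and `EINTR` as non-fatal (log and continue) and consider raising the netlink receive buffer with nfnl_rcvbufsiz(nfq_nfnlh(h4), ...) or setting NETLINK_NO_ENOBUFS on the socket. Note also that nfq_handle_packet() returns -1 only for netlink parsing errors and otherwise the callback's return value, which is always 0, so err carries no information from fw_handle_packet() itself. The IPv4 and IPv6 blocks are identical apart from the handle and the log text; a small helper taking (struct nfq_handle *, int fd, int ip_version) would remove the duplication.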
@@ -1919,11 +1992,19 @@
1919 }1992 }
19201993
1921out_err:1994out_err:
1995 if (h4_q) {
1996 nfq_destroy_queue(h4_q);
1997 }
1922 if (h4) {1998 if (h4) {
1923 ipq_destroy_handle(h4);1999 // nfq_unbind_pf(h4, AF_INET); /* This command is dangerous because it unbinds other programs too */
2000 nfq_close(h4);
2001 }
2002 if (h6_q) {
2003 nfq_destroy_queue(h6_q);
1924 }2004 }
1925 if (h6) {2005 if (h6) {
1926 ipq_destroy_handle(h6);2006 // nfq_unbind_pf(h6, AF_INET6); /* This command is dangerous because it unbinds other programs too */
2007 nfq_close(h6);
1927 }2008 }
1928 if (hip_fw_async_sock) {2009 if (hip_fw_async_sock) {
1929 close(hip_fw_async_sock);2010 close(hip_fw_async_sock);
19302011
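Review bot: the commented-out nfq_unbind_pf() calls should be deleted rather than kept in the source; the explanation of why the unbind is skipped belongs next to the startup nfq_unbind_pf() calls, which have the same effect on other programs. Teardown order (nfq_destroy_queue() before nfq_close()) is correct.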
=== modified file 'hipfw/hipfw_defines.h'
--- hipfw/hipfw_defines.h 2012-05-12 06:54:33 +0000
+++ hipfw/hipfw_defines.h 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University.2 * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -28,13 +28,13 @@
2828
29#define _BSD_SOURCE29#define _BSD_SOURCE
3030
31#include <libipq.h>
32#include <stdint.h>31#include <stdint.h>
33#include <stdbool.h>32#include <stdbool.h>
34#include <netinet/in.h>33#include <netinet/in.h>
35#include <netinet/ip6.h>34#include <netinet/ip6.h>
36#include <netinet/tcp.h>35#include <netinet/tcp.h>
37#include <netinet/udp.h>36#include <netinet/udp.h>
37#include <libnetfilter_queue/libnetfilter_queue.h>
3838
39#include "libcore/common.h"39#include "libcore/common.h"
40#include "libcore/linkedlist.h"40#include "libcore/linkedlist.h"
@@ -53,6 +53,19 @@
53};53};
5454
55/**55/**
56 * @note Backwards-compatibility header with the depracated libipq library
57 *
58 */
59typedef struct hip_ipq_packet_msg {
60 unsigned long packet_id;
61 unsigned int hook;
62 char indev_name[IFNAMSIZ];
63 char outdev_name[IFNAMSIZ];
64 size_t data_len;
65 unsigned char *payload;
66} hip_ipq_packet_msg_t;
67
68/**
56 * @note When adding new members, check if hip_fw_context_enable_write() needs69 * @note When adding new members, check if hip_fw_context_enable_write() needs
57 * to be updated as well.70 * to be updated as well.
58 * @see hip_fw_context_enable_write()71 * @see hip_fw_context_enable_write()
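Review bot: "depracated" should be "deprecated", the @note describes a struct as a "header", and the empty line after it leaves a dangling doc block; say what the struct is for (the subset of ipq_packet_msg_t fields the firewall code uses, filled from nfq_data) and document each field. The field types should match what libnetfilter_queue hands back: nfqnl_msg_packet_hdr carries a uint32_t packet_id and a uint8_t hook, and nfq_set_verdict() takes a uint32_t id, so `unsigned long packet_id` and `unsigned int hook` are wider than needed. Document the lifetime of `payload`: if it points into the nfq_data buffer it is only valid inside the callback, and anything that keeps a hip_ipq_packet_msg_t beyond that must copy. Also say how indev_name/outdev_name are filled, since nfq_get_indev()/nfq_get_outdev() return an ifindex, not a name, so if_indextoname() is needed. IFNAMSIZ comes from <net/if.h>, which libipq.h used to pull in transitively; include it explicitly here.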
@@ -60,7 +73,7 @@
60 */73 */
61struct hip_fw_context {74struct hip_fw_context {
62 // queued packet75 // queued packet
63 ipq_packet_msg_t *ipq_packet;76 hip_ipq_packet_msg_t *ipq_packet;
6477
65 // IP layer information78 // IP layer information
66 int ip_version; /* 4, 6 */79 int ip_version; /* 4, 6 */
6780
=== modified file 'hipfw/lsi.c'
--- hipfw/lsi.c 2012-05-12 06:54:33 +0000
+++ hipfw/lsi.c 2013-08-01 12:26:32 +0000
@@ -44,7 +44,6 @@
4444
45#define _BSD_SOURCE45#define _BSD_SOURCE
4646
47#include <libipq.h>
48#include <stdint.h>47#include <stdint.h>
49#include <stdlib.h>48#include <stdlib.h>
50#include <string.h>49#include <string.h>
@@ -54,6 +53,7 @@
54#include <netinet/ip_icmp.h>53#include <netinet/ip_icmp.h>
55#include <netinet/tcp.h>54#include <netinet/tcp.h>
56#include <netinet/udp.h>55#include <netinet/udp.h>
56#include <libnetfilter_queue/libnetfilter_queue.h>
5757
58#include "libcore/builder.h"58#include "libcore/builder.h"
59#include "libcore/icomm.h"59#include "libcore/icomm.h"
@@ -204,7 +204,7 @@
204 */204 */
205static int reinject_packet(const struct in6_addr *src_hit,205static int reinject_packet(const struct in6_addr *src_hit,
206 const struct in6_addr *dst_hit,206 const struct in6_addr *dst_hit,
207 const ipq_packet_msg_t *m,207 const hip_ipq_packet_msg_t *m,
208 const int ip_orig_traffic,208 const int ip_orig_traffic,
209 const int incoming)209 const int incoming)
210{210{
@@ -292,7 +292,7 @@
292 * @return 1 if translation not done292 * @return 1 if translation not done
293 * 0 if packet reinjected with lsis as addresses293 * 0 if packet reinjected with lsis as addresses
294 */294 */
295int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m,295int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m,
296 const struct in6_addr *ip_src,296 const struct in6_addr *ip_src,
297 const struct in6_addr *ip_dst,297 const struct in6_addr *ip_dst,
298 const int lsi_support)298 const int lsi_support)
@@ -384,7 +384,7 @@
384 * @param lsi_dst destination LSI384 * @param lsi_dst destination LSI
385 * @return err during the BEX385 * @return err during the BEX
386 */386 */
387int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m, struct in_addr *lsi_src,387int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m, struct in_addr *lsi_src,
388 struct in_addr *lsi_dst)388 struct in_addr *lsi_dst)
389{389{
390 int err = 0;390 int err = 0;
391391
=== modified file 'hipfw/lsi.h'
--- hipfw/lsi.h 2012-05-12 06:54:33 +0000
+++ hipfw/lsi.h 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2010 Aalto University and RWTH Aachen University.2 * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -28,10 +28,11 @@
2828
29#define _BSD_SOURCE29#define _BSD_SOURCE
3030
31#include <libipq.h>
32#include <netinet/in.h>31#include <netinet/in.h>
32#include <libnetfilter_queue/libnetfilter_queue.h>
3333
34#include "libcore/protodefs.h"34#include "libcore/protodefs.h"
35#include "hipfw_defines.h"
3536
36int hip_trigger_bex(const struct in6_addr *src_hit,37int hip_trigger_bex(const struct in6_addr *src_hit,
37 const struct in6_addr *dst_hit,38 const struct in6_addr *dst_hit,
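Review bot: lsi.h only needs hip_ipq_packet_msg_t, which the new `#include "hipfw_defines.h"` provides; the added <libnetfilter_queue/libnetfilter_queue.h> include is unused in this header and can be dropped (likewise in lsi.c unless it calls nfq_* functions directly).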
@@ -39,12 +40,12 @@
39 const hip_lsi_t *dst_lsi,40 const hip_lsi_t *dst_lsi,
40 const struct in6_addr *src_ip,41 const struct in6_addr *src_ip,
41 const struct in6_addr *dst_ip);42 const struct in6_addr *dst_ip);
42int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m,43int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m,
43 const struct in6_addr *ip_src,44 const struct in6_addr *ip_src,
44 const struct in6_addr *ip_dst,45 const struct in6_addr *ip_dst,
45 const int lsi_support);46 const int lsi_support);
4647
47int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m,48int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m,
48 struct in_addr *ip_src,49 struct in_addr *ip_src,
49 struct in_addr *ip_dst);50 struct in_addr *ip_dst);
5051
5152
=== modified file 'hipfw/rewrite.c'
--- hipfw/rewrite.c 2012-05-12 06:54:33 +0000
+++ hipfw/rewrite.c 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2011 Aalto University and RWTH Aachen University.2 * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -54,17 +54,16 @@
54 * more thoroughly, these optimizations should be considered hacks (and54 * more thoroughly, these optimizations should be considered hacks (and
55 * are thus not used here).55 * are thus not used here).
56 *56 *
57 * @author Christof Mroz <christof.mroz@rwth-aachen.de>
58 */57 */
5958
60#define _BSD_SOURCE59#define _BSD_SOURCE
6160
62#include <netinet/in.h>61#include <netinet/in.h>
63#include <linux/netfilter.h>
64#include <libipq.h>
65#include <limits.h>62#include <limits.h>
66#include <stdlib.h>63#include <stdlib.h>
67#include <string.h>64#include <string.h>
65#include <linux/netfilter.h>
66#include <libnetfilter_queue/libnetfilter_queue.h>
6867
69#include "libcore/builder.h"68#include "libcore/builder.h"
70#include "libcore/debug.h"69#include "libcore/debug.h"
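Review bot: the `@author Christof Mroz` line is removed in this hunk, which has nothing to do with the libipq port; restore it unless the removal is intentional and explained in the commit message. The reordering of the <linux/netfilter.h> include is unrelated churn as well.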
@@ -75,8 +74,8 @@
75static const bool assume_ipq_buffer_sufficient = false;74static const bool assume_ipq_buffer_sufficient = false;
7675
77struct scratch_buffer {76struct scratch_buffer {
78 ipq_packet_msg_t ipq;77 hip_ipq_packet_msg_t ipq;
79 uint8_t *payload[HIP_MAX_PACKET];78 uint8_t *payload[HIP_MAX_PACKET];
80} __attribute__((packed)); // no gaps between header and payload79} __attribute__((packed)); // no gaps between header and payload
8180
82static struct scratch_buffer scratch_buffer;81static struct scratch_buffer scratch_buffer;
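Review bot: `__attribute__((packed))` and the comment "no gaps between header and payload" were there because ipq_packet_msg_t ended in a flexible `payload[0]` array that ran straight into the following buffer; hip_ipq_packet_msg_t ends in an `unsigned char *payload` pointer, so nothing reaches the payload by adjacency any more and the attribute and comment are now misleading. Every use of scratch_buffer must set `scratch_buffer.ipq.payload = (unsigned char *) scratch_buffer.payload` (and data_len) before the struct is handed to nfq_set_verdict(); please confirm allow_modified_packet() does, and drop the packed attribute. The untouched `uint8_t *payload[HIP_MAX_PACKET]` is an array of pointers, i.e. sizeof(void *) times the intended size; it reads like a pre-existing typo for `uint8_t payload[HIP_MAX_PACKET]` that this hunk is a good chance to fix.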
@@ -316,7 +315,7 @@
316 * @param handle libipq file handle315 * @param handle libipq file handle
317 * @param ctx The current packet context.316 * @param ctx The current packet context.
318 */317 */
319void allow_modified_packet(struct ipq_handle *const handle,318void allow_modified_packet(struct nfq_q_handle *const handle,
320 struct hip_fw_context *const ctx)319 struct hip_fw_context *const ctx)
321{320{
322 HIP_ASSERT(ctx->modified);321 HIP_ASSERT(ctx->modified);
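Review bot: the doc comment directly above the changed signature still says "@param handle libipq file handle"; update it to describe the nfq queue handle so the documentation does not contradict the code.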
@@ -373,7 +372,7 @@
373 }372 }
374 }373 }
375374
376 ipq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT,375 nfq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT,
377 ctx->ipq_packet->data_len, ctx->ipq_packet->payload);376 ctx->ipq_packet->data_len, ctx->ipq_packet->payload);
378 HIP_DEBUG("Packet accepted with modifications\n\n");377 HIP_DEBUG("Packet accepted with modifications\n\n");
379}378}
380379
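Review bot: nfq_set_verdict() returns -1 when the netlink send fails (for example on ENOBUFS or a packet id the kernel no longer knows), but its return value is discarded here, so a packet that was neither accepted nor dropped goes unnoticed; check for `< 0` and log with HIP_PERROR, and do the same in allow_packet()/drop_packet(). `ctx->ipq_packet->data_len` is size_t while nfq_set_verdict() takes a uint32_t length; an explicit cast documents the narrowing.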
=== modified file 'hipfw/rewrite.h'
--- hipfw/rewrite.h 2011-11-25 13:52:20 +0000
+++ hipfw/rewrite.h 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2011 Aalto University and RWTH Aachen University.2 * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -33,7 +33,7 @@
3333
34bool hipfw_splice_param(struct hip_fw_context *const ctx,34bool hipfw_splice_param(struct hip_fw_context *const ctx,
35 const struct hip_tlv_common *const param);35 const struct hip_tlv_common *const param);
36void allow_modified_packet(struct ipq_handle *const handle,36void allow_modified_packet(struct nfq_q_handle *const handle,
37 struct hip_fw_context *const ctx);37 struct hip_fw_context *const ctx);
3838
39#endif /* HIPL_HIPFW_REWRITE_H */39#endif /* HIPL_HIPFW_REWRITE_H */
4040
=== modified file 'packaging/hipl.spec'
--- packaging/hipl.spec 2013-01-29 11:49:17 +0000
+++ packaging/hipl.spec 2013-08-01 12:26:32 +0000
@@ -7,7 +7,7 @@
7Vendor: InfraHIP7Vendor: InfraHIP
8License: GPLv28License: GPLv2
9Group: System Environment/Daemons9Group: System Environment/Daemons
10BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.310BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.3 libnetfilter_queue-devel
11BuildRoot: %{_tmppath}/%{name}-%{version}-root11BuildRoot: %{_tmppath}/%{name}-%{version}-root
1212
13%description13%description
@@ -55,7 +55,7 @@
55HIP for Linux IPsec key management and mobility daemon.55HIP for Linux IPsec key management and mobility daemon.
5656
57%package firewall57%package firewall
58Requires: openssl iptables58Requires: openssl iptables libnetfilter_queue
59Summary: HIPL multi-purpose firewall daemon59Summary: HIPL multi-purpose firewall daemon
60Group: System Environment/Daemons60Group: System Environment/Daemons
61%description firewall61%description firewall
6262
=== modified file 'packaging/openwrt/hipl/Makefile.in'
--- packaging/openwrt/hipl/Makefile.in 2012-03-19 12:32:25 +0000
+++ packaging/openwrt/hipl/Makefile.in 2013-08-01 12:26:32 +0000
@@ -57,7 +57,7 @@
5757
58define Package/hipl-firewall58define Package/hipl-firewall
59 $(call Package/hipl/Default)59 $(call Package/hipl/Default)
60 DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue60 DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue +libnetfilter-queue
61 TITLE:=HIPL firewall61 TITLE:=HIPL firewall
62endef62endef
6363
6464
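Review bot: DEPENDS still lists +kmod-ipt-queue, the obsolete ip_queue module that the new nfq_unbind error text warns against, next to the added +libnetfilter-queue; the firewall now needs the nfnetlink_queue kernel module instead, so replace +kmod-ipt-queue with +kmod-nfnetlink-queue (and +kmod-ipt-nfqueue for the NFQUEUE iptables target) rather than keeping both.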
=== modified file 'test/check_hipfw.c'
--- test/check_hipfw.c 2011-11-25 13:52:20 +0000
+++ test/check_hipfw.c 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2010 Aalto University and RWTH Aachen University.2 * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -38,7 +38,6 @@
38 srunner_add_suite(sr, firewall_line_parser());38 srunner_add_suite(sr, firewall_line_parser());
39 srunner_add_suite(sr, firewall_midauth());39 srunner_add_suite(sr, firewall_midauth());
40 srunner_add_suite(sr, firewall_port_bindings());40 srunner_add_suite(sr, firewall_port_bindings());
41 srunner_add_suite(sr, firewall_rewrite());
4241
43 srunner_run_all(sr, CK_NORMAL);42 srunner_run_all(sr, CK_NORMAL);
44 number_failed = srunner_ntests_failed(sr);43 number_failed = srunner_ntests_failed(sr);
4544
=== removed file 'test/hipfw/rewrite.c'
--- test/hipfw/rewrite.c 2012-05-12 06:54:33 +0000
+++ test/hipfw/rewrite.c 1970-01-01 00:00:00 +0000
@@ -1,131 +0,0 @@
1/*
2 * Copyright (c) 2011-2012 Aalto University and RWTH Aachen University.
3 *
4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation
6 * files (the "Software"), to deal in the Software without
7 * restriction, including without limitation the rights to use,
8 * copy, modify, merge, publish, distribute, sublicense, and/or sell
9 * copies of the Software, and to permit persons to whom the
10 * Software is furnished to do so, subject to the following
11 * conditions:
12 *
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
18 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
20 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
21 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
22 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
23 * OTHER DEALINGS IN THE SOFTWARE.
24 */
25
26#define _BSD_SOURCE
27
28#include <check.h>
29#include <stdlib.h>
30#include <string.h>
31
32#include "hipfw/hipfw_defines.h"
33#include "libcore/common.h"
34#include "modules/midauth/hipd/midauth.h"
35#include "modules/midauth/lib/midauth_builder.h"
36#include "test/mocks.h"
37#include "test_suites.h"
38
39#include "hipfw/hipfw.c"
40
41
42static const unsigned char tmp_ipq_packet[] = "\xA0\x85\x07\x12\x00\x88\xFF\xFF\x00\x00"
43 "\x00\x00\x00\x00\x00\x00\xD3\x98\x81\x4E\x00\x00\x00\x00\x27\x21\x0D"
44 "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x65\x74\x68\x31\x00\x00\x00\x00"
45 "\x00\x00\x00\x00\x00\x00\x00\x00\x65\x74\x68\x32\x00\x00\x00\x00\x00"
46 "\x00\x00\x00\x00\x00\x00\x00\x08\x00\x01\x00\x06\x08\x00\x27\x45\x4D"
47 "\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA0\x02\x00\x00\x00\x00\x00"
48 "\x00\x45\x00\x02\xA0\x00\x00\x40\x00\x3F\x11\xB3\xEF\xC0\xA8\x01\x0A"
49 "\xC0\xA8\x03\x03\x29\x04\x29\x04\x02\x8C\x00\x00\x00\x00\x00\x00\x3B"
50 "\x4F\x03\x11\x00\x00\x00\x00\x20\x01\x00\x1B\xD8\xB0\x77\xF0\xC6\x17"
51 "\x71\x70\xDE\xD7\xF3\x20\x20\x01\x00\x17\x5D\xF8\xC4\x26\x98\xE5\x5F"
52 "\xA2\x28\x6D\x28\x47\x00\x41\x00\x0C\x00\x00\x00\x48\x00\x00\x00\x00"
53 "\x2D\x4A\x07\x08\x01\x41\x00\x14\x00\x00\x48\x49\x90\x7D\xD8\x95\x84"
54 "\xB3\x8D\xDC\x18\x25\xF9\x65\xE3\x31\x3E\xDD\x01\x42\x00\x1C\x01\x02"
55 "\x82\xEC\x42\x00\x00\x00\x00\x00\x5A\x3C\x03\x14\x9A\x0E\x9D\xCA\xF0"
56 "\x19\xAD\x2B\xBA\x43\x33\x66\xF8\xB2\x02\x01\x00\xC3\x03\x00\xC0\x7C"
57 "\xDA\x02\x1F\xB7\xFE\x85\xBB\xD1\x93\xFD\xB2\xFB\xC0\xB1\xAD\x09\x61"
58 "\x1F\x8E\xDD\x8F\x1B\xFC\xC3\x97\xA1\xCE\x4C\x55\x85\xB4\x4A\x8B\x66"
59 "\x93\x2A\xDF\x85\xC0\x3A\x84\xA2\x22\x4F\xB3\xF9\x6F\xC5\x54\x23\x9D"
60 "\xC2\x03\xEB\xB9\x55\xA4\xF0\x19\xC0\x2B\x4C\xD1\xBF\xC9\x04\xF5\x32"
61 "\xAB\x39\xEF\x7B\xF9\xA7\xAB\x5A\xC5\x27\x5E\x21\x83\x48\xB0\x8E\x19"
62 "\xB4\x51\x2B\xBA\x79\x00\x62\x70\x48\xF3\x44\xAE\x49\xD4\xC9\x20\x74"
63 "\x38\x0D\x11\xCA\xB3\x6F\x03\x47\x9A\x39\xA5\xFB\xC0\x70\xD6\xB5\xB6"
64 "\x35\x08\xB4\xB0\x33\x19\xF9\x07\x3C\x82\x7D\x3C\x16\x0C\x74\x9A\x1F"
65 "\x9B\xB2\xE6\xB3\xC7\xB3\x08\xE2\x10\x66\x23\x95\xF6\x00\xC7\x57\x8B"
66 "\x19\x83\x9E\x6F\xB6\x9D\x6A\x44\x25\xF1\xFD\x45\xFB\xD4\xD9\xE8\xA7"
67 "\xD5\xF9\xA7\xA5\xFB\xA3\x23\xD2\xDE\x67\x15\x9C\x6C\xFB\x5B\x08\xAC"
68 "\x7F\xC9\xF9\xD7\x00\x02\x41\x00\x02\x00\x01\x00\x00\x02\xC1\x00\x92"
69 "\x00\x88\x10\x06\x02\x02\xFF\x05\x03\x01\x00\x01\xD6\xBD\x7C\x86\xC3"
70 "\x4A\xA3\x93\x7F\xD9\x82\xBD\x22\xF1\xC7\x4F\x72\x76\x4F\x2F\x68\xF7"
71 "\x4F\x9D\xCE\xF3\xAE\xD4\x3B\x13\x5D\xC1\xF7\xF8\x09\x4E\xB4\xCD\x82"
72 "\x6F\xF8\xD1\x70\x01\x4E\xC0\x64\x82\xF1\x7E\x21\x54\x62\x73\x08\xEA"
73 "\x0A\x66\x1B\xA7\x9A\x4A\xAA\x17\x56\x77\x1D\x4D\x0D\xD2\x19\x92\xA0"
74 "\xAC\xF7\x23\x62\xE2\xF0\xFB\x1E\x73\x19\x16\x61\x1B\x85\x02\x42\x4B"
75 "\x89\x46\x09\x71\x42\x6F\x40\x8E\x62\x31\xA6\x4F\x17\x45\xF2\x7B\xFA"
76 "\xF2\xB6\xC8\x87\x37\x3A\xDF\xBB\x10\xE8\xDA\x97\x31\x6C\x38\xDF\xD0"
77 "\x97\x45\x84\x39\x61\x6C\x69\x63\x65\x00\x00\x00\x0F\xFF\x00\x04\x00"
78 "\x00\x00\x01\xF0\x41\x00\x14\xE7\x35\x6F\x89\x30\x3E\x1E\xA7\xFB\x93"
79 "\x8B\xBE\xD1\x34\x1F\x35\xB8\xE0\x82\x0C\xF1\x01\x00\x81\x05\xA6\xA2"
80 "\x75\xEF\xA8\xC3\x9C\x64\x9E\x9A\xDA\xFB\x38\xB4\x05\x8C\x6A\x6E\x5B"
81 "\x59\x9F\x11\x5B\xA6\xC0\x05\x42\xA6\x0D\x9C\x62\x17\x0E\x23\xB6\x3B"
82 "\x15\xB8\xEC\x6F\xE3\xB6\x6E\x80\x76\x97\xBE\x5B\x5B\x1A\x90\x30\xDF"
83 "\x1F\x32\x2C\x4E\x22\x20\x0B\xD4\x2B\x5B\x7C\xEF\x27\xEA\xB9\x80\x27"
84 "\xEF\xBC\xB4\xAF\x97\x2A\xD5\x86\xDA\xEE\x2C\xF0\x8B\x45\x00\x10\xE1"
85 "\x3A\x95\x35\xAC\x7C\xA8\x88\xC1\x60\xB9\x71\xD3\xE2\x29\xF7\x75\xD0"
86 "\x7E\x27\x1B\x21\x43\xAE\xBB\x08\xE1\x6B\x9E\x1E\xB9\x55\x89\xE3\x2B"
87 "\x29\x06\x4A\xA2\x90\x98\x38\x00\x00\x00";
88static const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b"
89 "\x02\x42\x02\x15\x06\x08\x49\x50\x0c";
90
91#ifdef HAVE_TCASE_ADD_EXIT_TEST
92START_TEST(hipfw_splice_param_NULL_ctx)
93{
94 struct hip_common *tmp_msg = NULL;
95 const struct hip_tlv_common *param = NULL;
96
97 tmp_msg = hip_msg_alloc();
98 hip_build_param_challenge_request(tmp_msg, 0, 0, opaque,
99 MIDAUTH_DEFAULT_NONCE_LENGTH);
100 param = hip_get_param(tmp_msg, HIP_PARAM_CHALLENGE_REQUEST);
101
102 fail_unless(hipfw_splice_param(NULL, param) == false, NULL);
103}
104END_TEST
105
106START_TEST(hipfw_splice_param_NULL_param)
107{
108 struct hip_fw_context ctx;
109
110 mock_ipq = true;
111 mock_ipq_pkt_len = ARRAY_SIZE(tmp_ipq_packet);
112
113 fail_unless(fw_init_context(&ctx, tmp_ipq_packet, 4) == 0, NULL);
114 fail_unless(hipfw_splice_param(&ctx, NULL) == false, NULL);
115}
116END_TEST
117#endif
118
119Suite *firewall_rewrite(void)
120{
121 Suite *s = suite_create("hipfw/rewrite");
122 TCase *tc_rewrite = tcase_create("rewrite");
123
124#ifdef HAVE_TCASE_ADD_EXIT_TEST
125 tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_ctx, 1);
126 tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_param, 1);
127#endif
128 suite_add_tcase(s, tc_rewrite);
129
130 return s;
131}
1320
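Review bot: deleting test/hipfw/rewrite.c removes the only coverage of hipfw_splice_param() and fw_init_context() without a replacement, and the merge description does not say why; the reviewer asked for exactly that explanation. The old tests needed the ipq_get_packet() mock only because the packet struct came from libipq; now that hip_ipq_packet_msg is project-owned, a test can fill one directly (packet_id, hook, data_len and payload pointing at a static buffer like tmp_ipq_packet), place it in a hip_fw_context and call hipfw_splice_param(), so the suite can be ported rather than dropped.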
=== modified file 'test/hipfw/test_suites.h'
--- test/hipfw/test_suites.h 2011-11-25 17:56:24 +0000
+++ test/hipfw/test_suites.h 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2010 Aalto University and RWTH Aachen University.2 * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -34,6 +34,5 @@
34Suite *firewall_line_parser(void);34Suite *firewall_line_parser(void);
35Suite *firewall_midauth(void);35Suite *firewall_midauth(void);
36Suite *firewall_port_bindings(void);36Suite *firewall_port_bindings(void);
37Suite *firewall_rewrite(void);
3837
39#endif /* HIPL_TEST_FIREWALL_TEST_SUITES_H */38#endif /* HIPL_TEST_FIREWALL_TEST_SUITES_H */
4039
=== modified file 'test/mocks.c'
--- test/mocks.c 2011-10-19 11:57:13 +0000
+++ test/mocks.c 2013-08-01 12:26:32 +0000
@@ -1,5 +1,5 @@
1/*1/*
2 * Copyright (c) 2011 Aalto University and RWTH Aachen University.2 * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
3 *3 *
4 * Permission is hereby granted, free of charge, to any person4 * Permission is hereby granted, free of charge, to any person
5 * obtaining a copy of this software and associated documentation5 * obtaining a copy of this software and associated documentation
@@ -87,7 +87,7 @@
87#include <stdlib.h>87#include <stdlib.h>
88#include <string.h>88#include <string.h>
89#include <time.h>89#include <time.h>
90#include <libipq.h>90#include <libnetfilter_queue/libnetfilter_queue.h>
9191
92#include "mocks.h"92#include "mocks.h"
9393
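Review bot: with the ipq_get_packet() mock removed further down in this file, nothing in mocks.c references libnetfilter_queue, so swapping <libipq.h> for <libnetfilter_queue/libnetfilter_queue.h> leaves an unused include; remove the line instead of replacing it.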
@@ -190,28 +190,3 @@
190190
191 return EXIT_SUCCESS;191 return EXIT_SUCCESS;
192}192}
193
194/*** ipq_get_packet(3) ***/
195bool mock_ipq = false;
196unsigned int mock_ipq_pkt_len = 0;
197
198/**
199 * ipq_get_packet(3) mock function. Controlled by the ::mock_ipq flag.
200 *
201 * @param buf contents of the returned ipq_packet_msg_t
202 * @return a fully filled ipq_packet_msg_t
203 *
204 * @note The buffer length is required for this mock function. You can provide
205 * it via the ::mock_ipq_pkt_len flag.
206 */
207ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf)
208{
209 if (!mock_ipq) {
210 ipq_packet_msg_t *(*original)(const unsigned char *) = get_original(ipq_get_packet, "ipq_get_packet");
211 return original(buf);
212 } else {
213 char *tmp = malloc(mock_ipq_pkt_len);
214 memcpy(tmp, buf, mock_ipq_pkt_len);
215 return (ipq_packet_msg_t *) tmp;
216 }
217}
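Review bot: dropping the mock is fine once its only consumer is gone, but test/hipfw/rewrite.c used mock_ipq and mock_ipq_pkt_len through "test/mocks.h", and mocks.h is not among the modified files; check that their declarations are not left dangling there.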
