Merge lp:~hipl-core/hipl/libnetfilter_queue into lp:hipl

Proposed by Pupu Toivonen
Status: Merged
Merged at revision: 6420
Proposed branch: lp:~hipl-core/hipl/libnetfilter_queue
Merge into: lp:hipl
Diff against target: 1233 lines (+300/-363)
17 files modified
INSTALL (+3/-3)
Makefile.am (+0/-1)
configure.ac (+2/-1)
debian/control (+2/-2)
hipfw/cert.c (+1/-0)
hipfw/hipfw.c (+251/-170)
hipfw/hipfw_defines.h (+16/-3)
hipfw/lsi.c (+4/-4)
hipfw/lsi.h (+5/-4)
hipfw/rewrite.c (+7/-8)
hipfw/rewrite.h (+2/-2)
packaging/hipl.spec (+2/-2)
packaging/openwrt/hipl/Makefile.in (+1/-1)
test/check_hipfw.c (+1/-2)
test/hipfw/rewrite.c (+0/-131)
test/hipfw/test_suites.h (+1/-2)
test/mocks.c (+2/-27)
To merge this branch: bzr merge lp:~hipl-core/hipl/libnetfilter_queue
Reviewer Review Type Date Requested Status
Miika Komu Approve
HIPL core team Pending
Review via email: mp+178080@code.launchpad.net

This proposal supersedes a proposal from 2013-07-29.

Description of the change

hipl-firewall has been ported from using the deprecated and recently deleted ip_queue (libipq) packet queue into using netfilter_queue. This fixes bug #1154974.

This solution reuses much of the code that was used to handle libipq packets by collecting the used fields into an imitating packet type hip_ipq_packet_msg and passing that around to the functions.

The unit test for hipfw/rewrite.c was removed because the functions it tests now behave a bit differently and the packet format is now different from the sample packet that was written in the source file as a hex string.

I have tested the firewall in action between three nodes. I first tested the LSI support by starting the firewall at each node using 'hipfw -Alk', letting the hosts establish a HIP connection and testing IPv4 connectivity using 'nc -4' and 'ssh -4' toward the LSIs. The connections seemed to work well. I also tested the access control features of the firewall. By introducing rules in the firewall config file I successfully blocked HIP traffic to and from selected hosts based on their HITs, while allowing non-HIP traffic and traffic to hosts with different HITs. Also the other way worked: introducing rules to allow packets to and from selected HITs and drop to/from everyone else allowed connections to only those selected HITs. For following the state of the connections I used 'watch hipconf daemon get ha all' over an out-of-band ssh connection.

I also found that with the kernel modules ip_queue or ip6_queue (modules for the legacy libipq queue) loaded, hipfw would fail to start because it could not claim netfilter hooks for itself. Upon starting up, hipfw would try to load these modules; there was no problem with kernel versions 3.5.0 and above because loading the modules would fail, but older kernels would happily load the modules and block netfilter from getting initialized. This has now been fixed as well.

Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal

Minor comments:

* hipfw.c:396: perror -> HIP_PERROR
* hipfw.c:675 unnecessary line breaks
* test/mocks.c: get rid of the "if 0" code
(* In some cases, I am sure if variable declaration code was necessary to be aligned; I always try to minimize the size of the diff)

Please fix these and request a new merge proposal asap. When you give the new merge proposal, please give a test report and explain why the unit tests were removed.

I suggest merging the code on Friday noon if there are no other comments. Please be prepared to fix some nits later on if somebody else comments about the coding style. I think we can do this directly on the trunk because this fix is kind of urgent and should have been dealt with earlier.

Thanks Juhani for this contribution! Good work.

review: Needs Fixing
Pupu Toivonen (scolphoy) wrote : Posted in a previous version of this proposal

Thank you for the feedback.

I made those minor changes. Alignment of the variable declarations was enforced by the commit hooks.
I'll write a report and resubmit the proposal soon.

Miika Komu (miika-iki) wrote :

Good! Please merge tomorrow if no further comments or requests for extended review time.

review: Approve
Christof Mroz (christof-mroz) wrote :

I didn't look at the changes in detail, but I like the careful approach.

This might render some ipq-specific junk in rewrite.c obsolete: as I documented in the comment block near the start of the file, it helps deal with the fact that the ip_queue userspace buffer is managed by the library itself, without a documented maximum length (apart from the source code), so that appending data into this buffer is not safe (according to my understanding back then).
The midauth extension needs to enlarge captured packets.

If I understand nf_queue correctly, we read captured packets into our own userspace buffer now. If so, then it suffices to choose a big enough buffer (HIP_MAX_PACKET, IIRC). The support functions might still be handy for checking packet bounds, though.

Pupu Toivonen (scolphoy) wrote :

This is my understanding of the inner workings of nf_queue as well: in NFQNL_COPY_PACKET mode, it feeds the whole packet along with the payload to the socket, and recv() reads it into our own buffer. Reading the underlying nfnetlink code, it looks like the metadata goes in the beginning of the buffer and the payload is placed after it. We can extract a pointer to the beginning of the payload using netfilter's message parsing functions. If we choose a convenient size (currently HIP_MAX_PACKET), we should be able to do whatever we like with it and pass it back to the kernel by giving the new length and this time the same buffer location to nfq_set_verdict.

I'll take a look at that rewrite.c if some of it in fact has gone obsolete / is doing unnecessary work but I think the current status is quite ready for merging as it does get hipfw at least working on the newer systems.

Christof Mroz (christof-mroz) wrote :

> I'll take a look at that rewrite.c if some of it in fact has gone obsolete /
> is doing unnecessary work but I think the current status is quite ready for
> merging as it does get hipfw at least working on the newer systems.

Absolutely; I did not mean to delay the merge.
A low-priority bug/feature request should suffice as a reminder.

Pupu Toivonen (scolphoy) wrote :

Ok. Btw, I just verified that the packet payload indeed does get copied into our own buffer. The pointer to the payload seems to constantly point to 60 bytes after the beginning of the buffer, meaning that we need to make it bigger if we want to allow the payload to grow to that full HIP_MAX_PACKET length. I do not know yet if the 60 bytes is guaranteed, so at least for the time being the stuff in rewrite.c remains relevant.
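The buffer-layout point raised in the last three comments, as an added stand-alone example that is not code from this proposal or from the HIPL tree: the receive buffer holds the netlink header, nfgenmsg and a chain of attributes before the IP payload, so the room available for growing a packet in place is the buffer size minus the payload offset, not the buffer size. The structs, NL_ALIGN, HIP_MAX_PACKET_MOCK and the sample message are hand-written mirrors of the netlink framing (constructed here so it builds without libnetfilter_queue); the real kernel message carries more attributes, so the offset it produces is larger than the 36 bytes this mock yields.

```c
#include <arpa/inet.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for hipfw's HIP_MAX_PACKET; the real value lives in the HIPL headers. */
#define HIP_MAX_PACKET_MOCK 1500
/* Netlink pads headers and attributes to 4-byte boundaries. */
#define NL_ALIGN(n) (((n) + 3) & ~(size_t) 3)

/* Attribute types as numbered in linux/netfilter/nfnetlink_queue.h. */
enum { NFQA_PACKET_HDR = 1, NFQA_PAYLOAD = 10 };

/* Hand-written mirrors of the netlink framing (none of them has padding). */
struct nlhdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; }; /* 16 */
struct nfgen { uint8_t family; uint8_t version; uint16_t res_id; };                          /*  4 */
struct nla   { uint16_t len; uint16_t type; };                                               /*  4 */

struct nfq_view {
    uint32_t packet_id;   /* taken from NFQA_PACKET_HDR (big-endian on the wire) */
    size_t   payload_off; /* where the IP packet starts inside the receive buffer */
    size_t   payload_len;
};

/* Walk the TLVs after nlmsghdr + nfgenmsg and locate the payload, checking every
 * length against the buffer. Returns 0 on success, -1 if truncated, malformed or
 * without a payload attribute. */
static int nfq_locate_payload(const unsigned char *buf, size_t buflen, struct nfq_view *v)
{
    struct nlhdr nh;
    size_t off;

    if (buflen < sizeof nh) return -1;
    memcpy(&nh, buf, sizeof nh);
    if (nh.len > buflen || nh.len < sizeof nh + sizeof(struct nfgen)) return -1;

    memset(v, 0, sizeof *v);
    off = NL_ALIGN(sizeof nh) + NL_ALIGN(sizeof(struct nfgen));
    while (off + sizeof(struct nla) <= nh.len) {
        struct nla a;
        memcpy(&a, buf + off, sizeof a);
        if (a.len < sizeof a || off + a.len > nh.len) return -1; /* bounds-check each TLV */
        if (a.type == NFQA_PACKET_HDR && a.len >= sizeof a + 4) {
            uint32_t id_be;
            memcpy(&id_be, buf + off + sizeof a, sizeof id_be);
            v->packet_id = ntohl(id_be);
        } else if (a.type == NFQA_PAYLOAD) {
            v->payload_off = off + sizeof a;
            v->payload_len = a.len - sizeof a;
        }
        off += NL_ALIGN(a.len);
    }
    return v->payload_len ? 0 : -1;
}

/* In-place growth (what midauth needs) is bounded by the room behind the payload,
 * i.e. buflen - payload_off - payload_len, not by buflen itself. */
static int nfq_can_grow(const struct nfq_view *v, size_t buflen, size_t add)
{
    return v->payload_off + v->payload_len + add <= buflen;
}

/* Constructed message: NFQA_PACKET_HDR (packet_id, hw_protocol, hook; 8 bytes with
 * padding) followed by NFQA_PAYLOAD carrying plen bytes. Returns the total length,
 * or 0 if it does not fit in buf. */
static size_t build_mock_msg(unsigned char *buf, size_t buflen, uint32_t id, size_t plen)
{
    struct nlhdr nh = { 0, 0, 0, 0, 0 };
    struct nfgen g = { 2 /* AF_INET */, 0, 0 };
    struct nla a;
    unsigned char pkthdr[8] = { 0 };
    uint32_t id_be = htonl(id);
    size_t off, total = NL_ALIGN(sizeof nh) + NL_ALIGN(sizeof g)
                      + NL_ALIGN(sizeof a + sizeof pkthdr) + NL_ALIGN(sizeof a + plen);

    if (total > buflen || plen > 0xFFFF - sizeof a) return 0;
    memset(buf, 0, total);
    memcpy(pkthdr, &id_be, sizeof id_be); /* packet_id in network byte order */
    pkthdr[6] = 1;                        /* hook field; arbitrary value here */
    nh.len = (uint32_t) total;
    memcpy(buf, &nh, sizeof nh);
    off = NL_ALIGN(sizeof nh);
    memcpy(buf + off, &g, sizeof g);
    off += NL_ALIGN(sizeof g);
    a.len = (uint16_t) (sizeof a + sizeof pkthdr); a.type = NFQA_PACKET_HDR;
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + sizeof a, pkthdr, sizeof pkthdr);
    off += NL_ALIGN(a.len);
    a.len = (uint16_t) (sizeof a + plen); a.type = NFQA_PAYLOAD;
    memcpy(buf + off, &a, sizeof a);
    memset(buf + off + sizeof a, 0x45, plen); /* placeholder IPv4 bytes, constructed */
    return total;
}

/* Headroom left for growth when a plen-byte packet arrives in a buflen-byte receive
 * buffer; negative means it does not even fit as received, LONG_MIN means failure. */
static long mock_headroom(size_t buflen, size_t plen)
{
    unsigned char msg[4096];
    struct nfq_view v;
    size_t n = build_mock_msg(msg, sizeof msg, 0x1234u, plen);
    if (n == 0 || nfq_locate_payload(msg, n, &v) != 0) return LONG_MIN;
    return (long) buflen - (long) (v.payload_off + v.payload_len);
}

int main(void)
{
    printf("headroom, 100-byte packet in 160-byte buffer: %ld\n", mock_headroom(160, 100));
    printf("headroom, full-size packet in HIP_MAX_PACKET buffer: %ld\n",
           mock_headroom(HIP_MAX_PACKET_MOCK, HIP_MAX_PACKET_MOCK));
    return 0;
}
```

The second line of output is negative: a buffer of exactly HIP_MAX_PACKET bytes cannot hold a HIP_MAX_PACKET-sized payload once the metadata sits in front of it, which is why the receive buffer needs the extra headroom the comments discuss.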

Preview Diff

1=== modified file 'INSTALL'
2--- INSTALL 2013-03-31 13:42:34 +0000
3+++ INSTALL 2013-08-01 14:18:46 +0000
4@@ -33,7 +33,7 @@
5 -------------
6 - required:
7 apt-get install autoconf automake libtool make gcc libssl-dev iptables-dev \
8- libnet-ip-perl libnet-dns-perl bzr
9+ libnet-ip-perl libnet-dns-perl bzr libnetfilter-queue-dev
10 - optional:
11 apt-get install xmlto doxygen check libconfig8-dev miredo
12 - binary packages:
13@@ -43,7 +43,7 @@
14 -------------
15 - required:
16 yum install autoconf automake libtool make gcc openssl-devel iptables-devel \
17- perl-Net-IP perl-Net-DNS bzr
18+ perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel
19 - optional:
20 yum install xmlto doxygen check-devel libconfig-devel miredo
21 - binary packages:
22@@ -53,7 +53,7 @@
23 --------
24 - required:
25 zypper install autoconf automake libtool make gcc libopenssl-devel iptables-devel \
26- perl-Net-IP perl-Net-DNS bzr
27+ perl-Net-IP perl-Net-DNS bzr libnetfilter_queue-devel
28 - optional:
29 zypper install xmlto doxygen check-devel
30 - binary packages:
31
32=== modified file 'Makefile.am'
33--- Makefile.am 2013-03-25 06:43:57 +0000
34+++ Makefile.am 2013-08-01 14:18:46 +0000
35@@ -223,7 +223,6 @@
36 test/hipfw/line_parser.c \
37 test/hipfw/midauth.c \
38 test/hipfw/port_bindings.c \
39- test/hipfw/rewrite.c \
40 $(hipfw_hipfw_sources)
41
42 test_check_libcore_SOURCES = test/check_libcore.c \
43
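Review bot: dropping test/hipfw/rewrite.c from the check_hipfw sources leaves the rewrite helpers without any unit coverage, and the description says they are still in use (only the sample packet's layout changed). Rather than deleting the test, keep it with the hex sample regenerated in the nfqueue layout, or at least file a bug so the gap is tracked once rewrite.c is revisited as discussed above.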
44=== modified file 'configure.ac'
45--- configure.ac 2013-01-29 11:37:45 +0000
46+++ configure.ac 2013-08-01 14:18:46 +0000
47@@ -137,7 +137,8 @@
48 [ac_cv_use_firewall],
49 [ac_cv_use_firewall=yes])
50 if test x"$ac_cv_use_firewall" = x"yes"; then
51- AC_CHECK_LIB(ipq, ipq_create_handle,, [AC_MSG_ERROR([libipq not found])])
52+ AC_CHECK_LIB(netfilter_queue, nfq_create_queue,, [AC_MSG_ERROR([libnetfilter_queue not found])])
53+ AC_CHECK_LIB(nfnetlink, nlif_query,, [AC_MSG_ERROR([libnfnetlink not found])])
54 AC_CHECK_LIB(config, config_setting_index,,
55 [AC_MSG_WARN([libconfig not found, using default config])])
56 AC_DEFINE(CONFIG_HIP_FIREWALL)
57
58=== modified file 'debian/control'
59--- debian/control 2013-01-29 11:37:45 +0000
60+++ debian/control 2013-08-01 14:18:46 +0000
61@@ -2,7 +2,7 @@
62 Section: net
63 Priority: optional
64 Maintainer: HIPL team <hipl-dev@freelists.org>
65-Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m
66+Build-Depends: debhelper (>= 7), python, libconfig8-dev, libssl-dev, iptables-dev, autoconf, xmlto, w3m, libnetfilter-queue-dev
67 Standards-Version: 3.9.1
68 Homepage: http://launchpad.net/hipl
69
70@@ -28,7 +28,7 @@
71
72 Package: hipl-firewall
73 Architecture: any
74-Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables
75+Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, iptables, libnetfilter-queue1
76 Suggests: hipl-doc
77 Description: HIP for Linux multi-purpose firewall daemon
78 The Host Identity Protocol (HIP) and the related architecture form a proposal
79
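Review bot: the explicit `libnetfilter-queue1` added to the hipl-firewall Depends line duplicates what `${shlibs:Depends}` already derives from the linked shared library, and it hard-codes the SONAME-based package name that will have to be edited by hand on the next ABI bump. The Build-Depends addition in the first hunk is sufficient; drop the runtime entry.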
80=== modified file 'hipfw/cert.c'
81--- hipfw/cert.c 2012-05-12 06:54:33 +0000
82+++ hipfw/cert.c 2013-08-01 14:18:46 +0000
83@@ -37,6 +37,7 @@
84 #include <stdio.h>
85 #include <stdlib.h>
86 #include <string.h>
87+#include <errno.h>
88 #include <netinet/in.h>
89 #include <linux/netfilter.h>
90 #include <linux/netfilter_ipv6.h>
91
92=== modified file 'hipfw/hipfw.c'
93--- hipfw/hipfw.c 2012-07-19 12:00:32 +0000
94+++ hipfw/hipfw.c 2013-08-01 14:18:46 +0000
95@@ -1,5 +1,5 @@
96 /*
97- * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University.
98+ * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University.
99 *
100 * Permission is hereby granted, free of charge, to any person
101 * obtaining a copy of this software and associated documentation
102@@ -45,13 +45,13 @@
103
104 #define _BSD_SOURCE
105
106-#include <libipq.h>
107 #include <limits.h>
108 #include <stdio.h>
109 #include <stdlib.h>
110 #include <string.h>
111 #include <strings.h>
112 #include <unistd.h>
113+#include <errno.h>
114 #include <arpa/inet.h>
115 #include <netinet/in.h>
116 #include <netinet/ip.h>
117@@ -63,6 +63,7 @@
118 #include <sys/utsname.h>
119 #include <sys/wait.h>
120 #include <linux/netfilter_ipv4.h>
121+#include <libnetfilter_queue/libnetfilter_queue.h>
122
123 #include "libcore/builder.h"
124 #include "libcore/capability.h"
125@@ -181,9 +182,9 @@
126 "failed to initialize userspace ipsec\n");
127
128 // queue incoming ESP over IPv4 and IPv4 UDP encapsulated traffic
129- system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE");
130- system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");
131- system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");
132+ system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
133+ system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
134+ system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
135
136 /* no need to queue outgoing ICMP, TCP and UDP sent to LSIs as
137 * this is handled elsewhere */
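Review bot: the queue numbers are hard-coded as `--queue-num 0` (IPv4) and `--queue-num 1` (IPv6) inside every rule string here and in the later rule hunks, while the same two numbers have to be handed to nfq_create_queue in the main loop. hipfw_defines.h is already touched by this branch, so define the IPv4 and IPv6 queue numbers there once and build the rule strings from them, so the iptables side and the queue-binding side cannot drift apart.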
138@@ -191,13 +192,13 @@
139 /* queue incoming ESP over IPv6
140 *
141 * @note this is where you would want to add IPv6 UDP encapsulation */
142- system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE");
143+ system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
144
145 // queue outgoing ICMP, TCP and UDP sent to HITs
146- system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE");
147- system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE");
148- system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j QUEUE");
149- system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE");
150+ system_print("ip6tables -I HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // IPv6-ICMP
151+ system_print("ip6tables -I HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // TCP
152+ system_print("ip6tables -I HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // ICMP
153+ system_print("ip6tables -I HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1"); // UDP
154 } else if (ver_c < 27) {
155 HIP_INFO("You are using kernel version %s. Userspace ipsec should"
156 " be used with versions below 2.6.27.\n", name.release);
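Review bot: the new trailing comment labels the `-p 1` rule as ICMP, but protocol 1 is IPv4 ICMP and this is an ip6tables rule; ICMPv6 is protocol 58, which the `-p 58` line directly above already queues (commented `IPv6-ICMP`). The rule predates this change, but annotating it cements it; either confirm it matches something on the IPv6 path or remove it in a follow-up.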
157@@ -223,15 +224,16 @@
158 HIP_IFEL(userspace_ipsec_uninit(), -1, "failed to uninit user ipsec\n");
159
160 // delete all rules previously set up for this extension
161- system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null");
162- system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE 2> /dev/null");
163- system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE 2> /dev/null");
164-
165- system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE 2> /dev/null");
166-
167- system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j QUEUE 2> /dev/null");
168- system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j QUEUE 2> /dev/null");
169- system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j QUEUE 2> /dev/null");
170+ system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0 2> /dev/null"); // ESP
171+ system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP
172+ system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0 2> /dev/null"); // UDP
173+
174+ system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-crypt
175+
176+ system_print("ip6tables -D HIPFW-OUTPUT -p 58 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // IPv6-ICMP
177+ system_print("ip6tables -D HIPFW-OUTPUT -p 6 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // TCP
178+ system_print("ip6tables -D HIPFW-OUTPUT -p 1 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // ICMP
179+ system_print("ip6tables -D HIPFW-OUTPUT -p 17 -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null"); // UDP
180 }
181
182 out_err:
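Review bot: the added `-p 1` delete line fixes a leak in the old code: init inserted that rule but uninit never removed it, so it survived across restarts of the firewall. That deserves a sentence in the commit message. Minor naming point: the ESP deletes are commented `ESP` for iptables and `IPv6-crypt` for ip6tables; use one name for protocol 50.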
183@@ -327,7 +329,7 @@
184 static int fw_init_lsi_support(void)
185 {
186 struct hip_common *msg = NULL;
187- int err = 0;
188+ int err = 0;
189
190 if (hip_lsi_support) {
191 if (!(msg = hip_msg_alloc())) {
192@@ -343,11 +345,11 @@
193 free(msg);
194
195 // add the rule
196- system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE");
197+ system_print("iptables -I HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0");
198
199 /* LSI support: incoming HIT packets, captured to decide if
200 * HITs may be mapped to LSIs */
201- system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j QUEUE");
202+ system_print("ip6tables -I HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1");
203 }
204
205 return err;
206@@ -361,16 +363,16 @@
207 static int fw_uninit_lsi_support(void)
208 {
209 struct hip_common *msg = NULL;
210- int err = 0;
211+ int err = 0;
212
213 if (hip_lsi_support) {
214 // set global variable to off
215 hip_lsi_support = 0;
216
217 // remove the rule
218- system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j QUEUE 2> /dev/null");
219+ system_print("iptables -D HIPFW-OUTPUT -d " HIP_FULL_LSI_STR " -j NFQUEUE --queue-num 0 2> /dev/null");
220
221- system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j QUEUE 2> /dev/null");
222+ system_print("ip6tables -D HIPFW-INPUT -d 2001:0010::/28 -j NFQUEUE --queue-num 1 2> /dev/null");
223
224 if (!(msg = hip_msg_alloc())) {
225 HIP_ERROR("failed to allocate memory\n");
226@@ -396,37 +398,37 @@
227 if (filter_traffic) {
228 // this will allow the firewall to handle HIP traffic
229 // HIP protocol
230- system_print("iptables -I HIPFW-FORWARD -p 139 -j QUEUE");
231+ system_print("iptables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0");
232 // ESP protocol
233- system_print("iptables -I HIPFW-FORWARD -p 50 -j QUEUE");
234+ system_print("iptables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0");
235 // UDP encapsulation for HIP
236- system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");
237- system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");
238-
239- system_print("iptables -I HIPFW-INPUT -p 139 -j QUEUE");
240- system_print("iptables -I HIPFW-INPUT -p 50 -j QUEUE");
241- system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");
242- system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");
243-
244- system_print("iptables -I HIPFW-OUTPUT -p 139 -j QUEUE");
245- system_print("iptables -I HIPFW-OUTPUT -p 50 -j QUEUE");
246- system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");
247- system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");
248-
249- system_print("ip6tables -I HIPFW-FORWARD -p 139 -j QUEUE");
250- system_print("ip6tables -I HIPFW-FORWARD -p 50 -j QUEUE");
251- system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");
252- system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");
253-
254- system_print("ip6tables -I HIPFW-INPUT -p 139 -j QUEUE");
255- system_print("ip6tables -I HIPFW-INPUT -p 50 -j QUEUE");
256- system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");
257- system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");
258-
259- system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j QUEUE");
260- system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j QUEUE");
261- system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");
262- system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");
263+ system_print("iptables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
264+ system_print("iptables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
265+
266+ system_print("iptables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0");
267+ system_print("iptables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
268+ system_print("iptables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
269+ system_print("iptables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
270+
271+ system_print("iptables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0");
272+ system_print("iptables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0");
273+ system_print("iptables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
274+ system_print("iptables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
275+
276+ system_print("ip6tables -I HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1");
277+ system_print("ip6tables -I HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1");
278+ system_print("ip6tables -I HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
279+ system_print("ip6tables -I HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
280+
281+ system_print("ip6tables -I HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1");
282+ system_print("ip6tables -I HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
283+ system_print("ip6tables -I HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
284+ system_print("ip6tables -I HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
285+
286+ system_print("ip6tables -I HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1");
287+ system_print("ip6tables -I HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1");
288+ system_print("ip6tables -I HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
289+ system_print("ip6tables -I HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
290 }
291 }
292
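Review bot: this hunk and the matching uninit hunk now carry 24 near-identical `system_print` strings each, differing only in `-I` versus `-D`; the `-p 1` rule that init added and the old uninit forgot shows how such parallel lists drift. A small table of {binary, chain, match} iterated with the action and queue number as parameters would keep insert and delete in lockstep. One behavioural caveat worth a line in INSTALL: because the rules use NFQUEUE without `--queue-bypass`, the kernel drops every matched packet while no hipfw is bound to the queue (hipfw crashed or not yet started), exactly as QUEUE did. Fail-closed is the right default for a firewall, but it should be documented so operators know HIP and ESP traffic stops with the daemon.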
293@@ -435,35 +437,35 @@
294 */
295 static void firewall_uninit_filter_traffic(void)
296 {
297- system_print("iptables -D HIPFW-FORWARD -p 139 -j QUEUE");
298- system_print("iptables -D HIPFW-FORWARD -p 50 -j QUEUE");
299- system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");
300- system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");
301-
302- system_print("iptables -D HIPFW-INPUT -p 139 -j QUEUE");
303- system_print("iptables -D HIPFW-INPUT -p 50 -j QUEUE");
304- system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");
305- system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");
306-
307- system_print("iptables -D HIPFW-OUTPUT -p 139 -j QUEUE");
308- system_print("iptables -D HIPFW-OUTPUT -p 50 -j QUEUE");
309- system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");
310- system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");
311-
312- system_print("ip6tables -D HIPFW-FORWARD -p 139 -j QUEUE");
313- system_print("ip6tables -D HIPFW-FORWARD -p 50 -j QUEUE");
314- system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j QUEUE");
315- system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j QUEUE");
316-
317- system_print("ip6tables -D HIPFW-INPUT -p 139 -j QUEUE");
318- system_print("ip6tables -D HIPFW-INPUT -p 50 -j QUEUE");
319- system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j QUEUE");
320- system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j QUEUE");
321-
322- system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j QUEUE");
323- system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j QUEUE");
324- system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j QUEUE");
325- system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j QUEUE");
326+ system_print("iptables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 0");
327+ system_print("iptables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 0");
328+ system_print("iptables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
329+ system_print("iptables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
330+
331+ system_print("iptables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 0");
332+ system_print("iptables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 0");
333+ system_print("iptables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
334+ system_print("iptables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
335+
336+ system_print("iptables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 0");
337+ system_print("iptables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 0");
338+ system_print("iptables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 0");
339+ system_print("iptables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 0");
340+
341+ system_print("ip6tables -D HIPFW-FORWARD -p 139 -j NFQUEUE --queue-num 1");
342+ system_print("ip6tables -D HIPFW-FORWARD -p 50 -j NFQUEUE --queue-num 1");
343+ system_print("ip6tables -D HIPFW-FORWARD -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
344+ system_print("ip6tables -D HIPFW-FORWARD -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
345+
346+ system_print("ip6tables -D HIPFW-INPUT -p 139 -j NFQUEUE --queue-num 1");
347+ system_print("ip6tables -D HIPFW-INPUT -p 50 -j NFQUEUE --queue-num 1");
348+ system_print("ip6tables -D HIPFW-INPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
349+ system_print("ip6tables -D HIPFW-INPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
350+
351+ system_print("ip6tables -D HIPFW-OUTPUT -p 139 -j NFQUEUE --queue-num 1");
352+ system_print("ip6tables -D HIPFW-OUTPUT -p 50 -j NFQUEUE --queue-num 1");
353+ system_print("ip6tables -D HIPFW-OUTPUT -p 17 --dport 10500 -j NFQUEUE --queue-num 1");
354+ system_print("ip6tables -D HIPFW-OUTPUT -p 17 --sport 10500 -j NFQUEUE --queue-num 1");
355 }
356
357 /**
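Review bot: unlike fw_uninit_lsi_support and the ESP-relay uninit above, these delete commands do not redirect stderr, so a `-D` for a rule that is already gone prints an iptables error on every shutdown. The omission is pre-existing, but since every line is rewritten anyway, add `2> /dev/null` here too, or better, route all the uninit paths through one helper that does it.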
358@@ -530,8 +532,9 @@
359 {
360 int err = 0;
361
362- if (esp_relay == 0)
363+ if (esp_relay == 0) {
364 return 0;
365+ }
366
367 /* Required for ESP relay and might not be active */
368 if (!filter_traffic) {
369@@ -727,7 +730,7 @@
370 char cmd[40];
371 int mod_total;
372 const char *mod_name[] = {
373- "ip_queue", "ip6_queue", "iptable_filter", "ip6table_filter"
374+ "iptable_filter", "ip6table_filter"
375 };
376
377 mod_total = sizeof(mod_name) / sizeof(char *);
378@@ -1296,6 +1299,43 @@
379 }
380
381 /**
382+ * Build packet imitating the legacy libipq packets.
383+ *
384+ * This is to get a compilable version of the firewall out sooner,
385+ * converting other functions to use
386+ */
387+static int build_ipq_packet(struct nfq_data *nfa, struct hip_ipq_packet_msg *ptr)
388+{
389+ struct nfqnl_msg_packet_hdr *ph;
390+ struct nlif_handle *nlifh;
391+ ph = nfq_get_msg_packet_hdr(nfa);
392+
393+ // Open handle to read interface names from
394+ nlifh = nlif_open();
395+ if (nlifh == NULL) {
396+ HIP_PERROR("nlif_open failed during build_ipq_packet");
397+ return -1;
398+ }
399+ nlif_query(nlifh); // query the interface table
400+
401+ // Populate the packet struct
402+ ptr->packet_id = ntohl(ph->packet_id);
403+ ptr->hook = ph->hook;
404+ nfq_get_indev_name(nlifh, nfa, ptr->indev_name);
405+ nfq_get_outdev_name(nlifh, nfa, ptr->outdev_name);
406+ ptr->data_len = nfq_get_payload(nfa, (void *) &ptr->payload); // (void *) because old netfilter_queue used (char **) and
407+ // current uses (unsigned char **). For this application
408+ // either one is fine, but if we choose one, strict type
409+ // checking causes compilation to fail for the other.
410+ // Casting to (void *) omits compiler type checking and
411+ // transfers the responsibility to the programmer.
412+
413+ // Close the interface handle
414+ nlif_close(nlifh);
415+ return 1;
416+}
417+
418+/**
419 *
420 * Initialize context for a packet. The context stores e.g. the packet type and
421 * possibly encapsulating packet type. It also stores useful pointers IP and
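Review bot: build_ipq_packet calls nlif_open() and nlif_query() for every queued packet, which opens a netlink socket, dumps the whole interface table and closes it again per packet; open the nlif handle once at firewall start (next to nfq_open) and keep it in a static, refreshing it with nlif_catch() on its descriptor when interfaces change. In the same function, nfq_get_msg_packet_hdr() can return NULL and nfq_get_payload() returns -1 on error, yet `ph->packet_id` is dereferenced and the -1 lands in `data_len` unchecked; nlif_query()'s return value is also ignored. The doc comment stops mid-sentence at "converting other functions to use".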
422@@ -1308,28 +1348,31 @@
423 * Unsupported types -> type 0
424 *
425 * @param ctx the context.
426- * @param buf a pointer to a IP packet.
427+ * @param nfa a pointer to the netfilter packet.
428 * @param ip_version the IP version for this packet
429 * @return One if @c hdr is a HIP packet, zero otherwise.
430 */
431 static int fw_init_context(struct hip_fw_context *ctx,
432- const unsigned char *buf,
433+ struct nfq_data *nfa,
434 const int ip_version)
435 {
436 int err = 0;
437 // length of packet starting at udp header
438- uint16_t udp_len = 0;
439- struct udphdr *udphdr = NULL;
440- int udp_encap_zero_bytes = 0;
441+ uint16_t udp_len = 0;
442+ struct udphdr *udphdr = NULL;
443+ int udp_encap_zero_bytes = 0;
444+ static struct hip_ipq_packet_msg packet;
445
446 // same context memory as for packets before -> re-init
447 memset(ctx, 0, sizeof(struct hip_fw_context));
448+ memset(&packet, 0, sizeof(struct hip_ipq_packet_msg));
449
450 // default assumption
451 ctx->packet_type = OTHER_PACKET;
452
453 // add whole packet to context and ip version
454- ctx->ipq_packet = ipq_get_packet(buf);
455+ ctx->ipq_packet = &packet;
456+ build_ipq_packet(nfa, ctx->ipq_packet);
457
458 // check if packet is to big for the buffer
459 if (ctx->ipq_packet->data_len > HIP_MAX_PACKET) {
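Review bot: the return value of `build_ipq_packet(nfa, ctx->ipq_packet);` is ignored, so when it returns -1 the freshly zeroed `packet` is processed as if it were valid (packet_id 0, data_len 0, empty device names) and the oversize check below cannot catch that. Fail the context initialisation on a negative return the same way the `data_len > HIP_MAX_PACKET` branch does, so the caller takes its drop path. Making `packet` static is fine for the single-threaded callback, but say so in a comment as is done for `ctx` in the callback.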
460@@ -1549,9 +1592,9 @@
461 * @param handle the handle for the packets.
462 * @param packet_id the packet ID.
463 */
464-static void allow_packet(struct ipq_handle *handle, unsigned long packet_id)
465+static void allow_packet(struct nfq_q_handle *handle, unsigned long packet_id)
466 {
467- ipq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL);
468+ nfq_set_verdict(handle, packet_id, NF_ACCEPT, 0, NULL);
469
470 HIP_DEBUG("Packet accepted \n\n");
471 }
472@@ -1562,88 +1605,84 @@
473 * @param handle the handle for the packets.
474 * @param packet_id the packet ID.
475 */
476-static void drop_packet(struct ipq_handle *handle, unsigned long packet_id)
477+static void drop_packet(struct nfq_q_handle *handle, unsigned long packet_id)
478 {
479- ipq_set_verdict(handle, packet_id, NF_DROP, 0, NULL);
480+ nfq_set_verdict(handle, packet_id, NF_DROP, 0, NULL);
481
482 HIP_DEBUG("Packet dropped \n\n");
483 }
484
485 /**
486 * Analyze a packet.
487- *
488- * @param buf the packet to be analyzed
489- * @param hndl a file handle to the ipqueue
490- * @param ip_version the type of traffic: 4 - ipv4; 6 - ipv6.
491- * @param ctx packet context
492- *
493- * @return always 0
494+ * This is a callback function for netfilter_queue.
495+ *
496+ * @param qh the netfilter queue handle
497+ * @param nfmsg the netfilter message
498+ * @param nfa the netfilter packet, header and payload
499+ * @param data
500+ * @param ip_version the IP version used
501 */
502-static int fw_handle_packet(unsigned char *buf, struct ipq_handle *hndl,
503- const int ip_version, struct hip_fw_context *ctx)
504+static int fw_handle_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
505+ struct nfq_data *nfa, void *data, const int ip_version)
506 {
507- // assume DROP
508- int verdict = 0;
509-
510- /* waits for queue messages to arrive from ip_queue and
511- * copies them into a supplied buffer */
512- if (ipq_read(hndl, buf, HIP_MAX_PACKET, 0) < 0) {
513- HIP_PERROR("ipq_read failed: ");
514- // TODO this error needs to be handled seperately -> die(hndl)?
515- goto out_err;
516- }
517-
518- /* queued messages may be a packet messages or an error messages */
519- switch (ipq_message_type(buf)) {
520- case IPQM_PACKET:
521- HIP_DEBUG("Received ipqm packet\n");
522- // no goto -> go on with processing the message below
523- break;
524- case NLMSG_ERROR:
525- HIP_ERROR("Received error message (%d): %s\n", ipq_get_msgerr(buf),
526- ipq_errstr());
527- goto out_err;
528- break;
529- default:
530- HIP_DEBUG("Unsupported libipq packet\n");
531- goto out_err;
532- break;
533- }
534+ static struct hip_fw_context ctx; // static because of heavy re-use.
535+ int verdict = 0; // assume DROP
536+
537+ // Intentionally unused, remove compiler warnings.
538+ (void) nfmsg;
539+ (void) data;
540+
541+
542+ HIP_DEBUG("Entering netfilter callback for IPv%d\n", ip_version);
543
544 // set up firewall context
545- if (fw_init_context(ctx, buf, ip_version)) {
546+ if (fw_init_context(&ctx, nfa, ip_version)) {
547 goto out_err;
548 }
549
550- HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx->ipq_packet->hook,
551- ctx->packet_type);
552+ HIP_DEBUG("packet hook=%d, packet type=%d\n", ctx.ipq_packet->hook,
553+ ctx.packet_type);
554
555 // match context with rules
556- if (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type]) {
557- verdict = (fw_handlers[ctx->ipq_packet->hook][ctx->packet_type])(ctx);
558+ if (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type]) {
559+ verdict = (fw_handlers[ctx.ipq_packet->hook][ctx.packet_type])(&ctx);
560 } else {
561- HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n");
562+ HIP_DEBUG("Ignoring, no handler for hook (%d) with type (%d)\n", ctx.ipq_packet->hook,
563+ ctx.packet_type);
564 }
565
566+
567 out_err:
568 if (verdict) {
569- if (ctx->modified == 0) {
570+ if (ctx.modified == 0) {
571 HIP_DEBUG("=== Verdict: allow packet ===\n");
572- allow_packet(hndl, ctx->ipq_packet->packet_id);
573+ allow_packet(qh, ctx.ipq_packet->packet_id);
574 } else {
575 HIP_DEBUG("=== Verdict: allow modified packet ===\n");
576- allow_modified_packet(hndl, ctx);
577+ allow_modified_packet(qh, &ctx);
578 }
579 } else {
580 HIP_DEBUG("=== Verdict: drop packet ===\n");
581- drop_packet(hndl, ctx->ipq_packet->packet_id);
582+ drop_packet(qh, ctx.ipq_packet->packet_id);
583 }
584
585- // nothing to clean up here as we re-use buf, hndl and ctx
586+ // nothing to clean up here.
587
588 return 0;
589 }
590
591+static int netfilter_callback_ipv4(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
592+ struct nfq_data *nfa, void *data)
593+{
594+ return fw_handle_packet(qh, nfmsg, nfa, data, 4);
595+}
596+
597+static int netfilter_callback_ipv6(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
598+ struct nfq_data *nfa, void *data)
599+{
600+ return fw_handle_packet(qh, nfmsg, nfa, data, 6);
601+}
602+
603 /**
604 * Receive and process one message from hipd.
605 *
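Review bot: the out_err path dereferences ctx.ipq_packet unconditionally, but fw_init_context(&ctx, nfa, ip_version) can fail and jump there before the context has been filled; because ctx is now a static shared across callbacks, the drop branch then either dereferences a NULL pointer on the first packet or re-uses the previous packet's packet_id and issues a stale verdict. Guard the verdict block with a flag that is set only after fw_init_context() succeeds, or take the id for the failure case directly from nfq_get_msg_packet_hdr(nfa). The extra arguments added to the "Ignoring, no handler" HIP_DEBUG fix a latent format-string bug in the old code, which is a welcome side effect.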
606@@ -1763,14 +1802,16 @@
607 const bool kill_old,
608 const bool limit_capabilities)
609 {
610- int err = 0, highest_descriptor, i;
611- struct ipq_handle *h4 = NULL, *h6 = NULL;
612- struct hip_common *msg = NULL;
613- struct sockaddr_in6 sock_addr = { 0 };
614- fd_set read_fdset;
615- struct timeval timeout;
616- unsigned char buf[HIP_MAX_PACKET];
617- struct hip_fw_context ctx;
618+ int err = 0, highest_descriptor, i;
619+ struct nfq_handle *h4 = NULL, *h6 = NULL;
620+ struct nfq_q_handle *h4_q = NULL, *h6_q = NULL;
621+ int h4_fd = 0, h6_fd = 0;
622+ int nfq_packet_length;
623+ struct hip_common *msg = NULL;
624+ struct sockaddr_in6 sock_addr = { 0 };
625+ fd_set read_fdset;
626+ struct timeval timeout;
627+ char buf[HIP_MAX_PACKET];
628
629 #ifdef CONFIG_HIP_PERFORMANCE
630 HIP_DEBUG("Creating perf set\n");
631@@ -1848,19 +1889,39 @@
632 firewall_probe_kernel_modules();
633
634 // create firewall queue handles for IPv4 traffic
635- HIP_IFEL(!(h4 = ipq_create_handle(0, PF_INET)), -1,
636- "ipq_create_handle(): %s\n", ipq_errstr());
637- HIP_IFEL(ipq_set_mode(h4, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
638- "ipq_set_mode(): %s\n", ipq_errstr());
639+ HIP_IFEL(!(h4 = nfq_open()), -1,
640+ "nfq_open(): %s\n", "Error during nfq_open(), IPv4");
641+ HIP_IFEL((nfq_unbind_pf(h4, AF_INET) < 0), -1,
642+ "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv4). Is the obsolete 'ip_queue' kernel module loaded?"); // Unbinding any previous handlers
643+ HIP_IFEL((nfq_bind_pf(h4, AF_INET) < 0), -1,
644+ "nfq_bind(): %s\n", "Error during nfq_bind(), IPv4");
645+ HIP_IFEL(!(h4_q = nfq_create_queue(h4, 0, &netfilter_callback_ipv4, NULL)), -1,
646+ "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv4");
647+ HIP_IFEL(nfq_set_mode(h4_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
648+ "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv4");
649 HIP_DEBUG("IPv4 handle created (mode COPY_PACKET)\n");
650
651 // create firewall queue handles for IPv6 traffic
652- HIP_IFEL(!(h6 = ipq_create_handle(0, PF_INET6)), -1,
653- "ipq_create_handle(): %s\n", ipq_errstr());
654- HIP_IFEL(ipq_set_mode(h6, IPQ_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
655- "ipq_set_mode(): %s\n", ipq_errstr());
656+ HIP_IFEL(!(h6 = nfq_open()), -1,
657+ "nfq_open(): %s\n", "Error during nfq_open(), IPv6");
658+ HIP_IFEL((nfq_unbind_pf(h6, AF_INET6) < 0), -1,
659+ "nfq_unbind(): %s\n", "Error during Netfilter initialization (IPv6). Is the obsolete 'ip6_queue' kernel module loaded?"); // Unbinding any previous handlers
660+ HIP_IFEL((nfq_bind_pf(h6, AF_INET6) < 0), -1,
661+ "nfq_bind(): %s\n", "Error during nfq_bind(), IPv6");
662+ HIP_IFEL(!(h6_q = nfq_create_queue(h6, 1, &netfilter_callback_ipv6, NULL)), -1,
663+ "nfq_create_queue(): %s\n", "Error during nfq_create_queue(), IPv6");
664+ HIP_IFEL(nfq_set_mode(h6_q, NFQNL_COPY_PACKET, HIP_MAX_PACKET) == -1, -1,
665+ "nfq_set_mode(): %s\n", "Error during nfq_set_mode(), IPv6");
666 HIP_DEBUG("IPv6 handle created (mode COPY_PACKET)\n");
667
668+ // Create file handles for the queues
669+ HIP_IFEL(!(h4_fd = nfq_fd(h4)), -1,
670+ "nfq_fd(): %s\n", "Unable to get file descriptor, IPv4");
671+ HIP_DEBUG("IPv4 file descriptor created\n");
672+ HIP_IFEL(!(h6_fd = nfq_fd(h6)), -1,
673+ "nfq_fd(): %s\n", "Unable to get file descriptor, IPv6");
674+ HIP_DEBUG("IPv6 file descriptor created\n");
675+
676 // set up ip(6)tables rules and firewall extensions
677 HIP_IFEL(firewall_init(), -1, "Firewall init failed\n");
678
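Review bot: nfq_unbind_pf()/nfq_bind_pf() are called unconditionally at startup for AF_INET and AF_INET6, yet the cleanup path in this same file comments the unbind out as "dangerous because it unbinds other programs too"; the startup unbind has exactly that effect on any other nfqueue user on the host, so either drop it (the hint about the obsolete ip_queue/ip6_queue module can be attached to the bind failure instead) or document why it is acceptable here. Two smaller points: the queue numbers 0 and 1 passed to nfq_create_queue() have to match the NFQUEUE rules installed by firewall_init(), so a named constant shared by both sides would prevent drift; and `!(h4_fd = nfq_fd(h4))` treats fd 0 as failure while accepting a negative return as success, so test for `< 0` instead.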
679@@ -1868,8 +1929,8 @@
680 HIP_IFEL(hip_set_lowcapability(), -1, "Failed to reduce privileges\n");
681 }
682
683- highest_descriptor = hip_fw_async_sock > h4->fd ? hip_fw_async_sock : h4->fd;
684- highest_descriptor = h6->fd > highest_descriptor ? h6->fd : highest_descriptor;
685+ highest_descriptor = hip_fw_async_sock > h4_fd ? hip_fw_async_sock : h4_fd;
686+ highest_descriptor = h6_fd > highest_descriptor ? h6_fd : highest_descriptor;
687
688 /* Allocate message. */
689 HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Insufficient memory\n");
690@@ -1885,8 +1946,8 @@
691 // set up file descriptors for select
692 FD_ZERO(&read_fdset);
693 FD_SET(hip_fw_async_sock, &read_fdset);
694- FD_SET(h4->fd, &read_fdset);
695- FD_SET(h6->fd, &read_fdset);
696+ FD_SET(h4_fd, &read_fdset);
697+ FD_SET(h6_fd, &read_fdset);
698
699 timeout.tv_sec = HIP_SELECT_TIMEOUT;
700 timeout.tv_usec = 0;
701@@ -1899,14 +1960,26 @@
702 continue;
703 }
704
705- if (FD_ISSET(h4->fd, &read_fdset)) {
706- HIP_DEBUG("received IPv4 packet from iptables queue\n");
707- err = fw_handle_packet(buf, h4, 4, &ctx);
708+ if (FD_ISSET(h4_fd, &read_fdset)) {
709+ nfq_packet_length = recv(h4_fd, buf, HIP_MAX_PACKET, 0);
710+ if (nfq_packet_length == -1) {
711+ err = errno;
712+ HIP_PERROR("Error reading received IPv4 packet.\n");
713+ } else if (nfq_packet_length > 0) {
714+ HIP_DEBUG("received IPv4 packet from iptables queue\n");
715+ err = nfq_handle_packet(h4, buf, nfq_packet_length);
716+ }
717 }
718
719- if (FD_ISSET(h6->fd, &read_fdset)) {
720- HIP_DEBUG("received IPv6 packet from iptables queue\n");
721- err = fw_handle_packet(buf, h6, 6, &ctx);
722+ if (FD_ISSET(h6_fd, &read_fdset)) {
723+ nfq_packet_length = recv(h6_fd, buf, HIP_MAX_PACKET, 0);
724+ if (nfq_packet_length == -1) {
725+ err = errno;
726+ HIP_PERROR("Error reading received IPv6 packet.\n");
727+ } else if (nfq_packet_length > 0) {
728+ HIP_DEBUG("received IPv6 packet from iptables queue\n");
729+ err = nfq_handle_packet(h6, buf, nfq_packet_length);
730+ }
731 }
732
733 if (FD_ISSET(hip_fw_async_sock, &read_fdset)) {
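Review bot: recv() reads into buf[HIP_MAX_PACKET], but nfq_set_mode() above asks the kernel to copy up to HIP_MAX_PACKET bytes of packet data, and the netlink message wraps that in nfnetlink and nfqnl headers plus attributes, so a near-maximum packet does not fit and recv() silently truncates the datagram; give buf headroom for the netlink metadata (or pass MSG_TRUNC and treat a return larger than the buffer as a truncated read). Also, with nfqueue a recv() failure with errno ENOBUFS is the normal symptom of the kernel queue overflowing under load and only means packets were lost; it should be logged and the loop continued rather than reported via HIP_PERROR and propagated through err like a fatal read error. nfq_packet_length should be ssize_t to match what recv() returns.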
734@@ -1919,11 +1992,19 @@
735 }
736
737 out_err:
738+ if (h4_q) {
739+ nfq_destroy_queue(h4_q);
740+ }
741 if (h4) {
742- ipq_destroy_handle(h4);
743+ // nfq_unbind_pf(h4, AF_INET); /* This command is dangerous because it unbinds other programs too */
744+ nfq_close(h4);
745+ }
746+ if (h6_q) {
747+ nfq_destroy_queue(h6_q);
748 }
749 if (h6) {
750- ipq_destroy_handle(h6);
751+ // nfq_unbind_pf(h6, AF_INET6); /* This command is dangerous because it unbinds other programs too */
752+ nfq_close(h6);
753 }
754 if (hip_fw_async_sock) {
755 close(hip_fw_async_sock);
756
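Review bot: the commented-out nfq_unbind_pf() calls in the cleanup path are dead code; keep the rationale as a plain comment (not unbinding the protocol family here because it would also detach other programs' queues) and remove the code itself. The ordering is correct: each queue is destroyed before nfq_close() on its handle.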
757=== modified file 'hipfw/hipfw_defines.h'
758--- hipfw/hipfw_defines.h 2012-05-12 06:54:33 +0000
759+++ hipfw/hipfw_defines.h 2013-08-01 14:18:46 +0000
760@@ -1,5 +1,5 @@
761 /*
762- * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University.
763+ * Copyright (c) 2010-2013 Aalto University and RWTH Aachen University.
764 *
765 * Permission is hereby granted, free of charge, to any person
766 * obtaining a copy of this software and associated documentation
767@@ -28,13 +28,13 @@
768
769 #define _BSD_SOURCE
770
771-#include <libipq.h>
772 #include <stdint.h>
773 #include <stdbool.h>
774 #include <netinet/in.h>
775 #include <netinet/ip6.h>
776 #include <netinet/tcp.h>
777 #include <netinet/udp.h>
778+#include <libnetfilter_queue/libnetfilter_queue.h>
779
780 #include "libcore/common.h"
781 #include "libcore/linkedlist.h"
782@@ -53,6 +53,19 @@
783 };
784
785 /**
786+ * @note Backwards-compatibility header with the depracated libipq library
787+ *
788+ */
789+typedef struct hip_ipq_packet_msg {
790+ unsigned long packet_id;
791+ unsigned int hook;
792+ char indev_name[IFNAMSIZ];
793+ char outdev_name[IFNAMSIZ];
794+ size_t data_len;
795+ unsigned char *payload;
796+} hip_ipq_packet_msg_t;
797+
798+/**
799 * @note When adding new members, check if hip_fw_context_enable_write() needs
800 * to be updated as well.
801 * @see hip_fw_context_enable_write()
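Review bot: "depracated" in the new doc comment should be "deprecated", and the comment calls this a "header" where it is a compatibility struct. indev_name/outdev_name use IFNAMSIZ, which is defined in <net/if.h>; that header is not among the includes shown, so add it explicitly rather than relying on a transitive include through libnetfilter_queue.h. Note also that the libipq type this imitates ended in a flexible payload array contiguous with the header, whereas here payload is a pointer; callers that assumed contiguity (the packed scratch_buffer in rewrite.c) need revisiting.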
802@@ -60,7 +73,7 @@
803 */
804 struct hip_fw_context {
805 // queued packet
806- ipq_packet_msg_t *ipq_packet;
807+ hip_ipq_packet_msg_t *ipq_packet;
808
809 // IP layer information
810 int ip_version; /* 4, 6 */
811
812=== modified file 'hipfw/lsi.c'
813--- hipfw/lsi.c 2012-05-12 06:54:33 +0000
814+++ hipfw/lsi.c 2013-08-01 14:18:46 +0000
815@@ -44,7 +44,6 @@
816
817 #define _BSD_SOURCE
818
819-#include <libipq.h>
820 #include <stdint.h>
821 #include <stdlib.h>
822 #include <string.h>
823@@ -54,6 +53,7 @@
824 #include <netinet/ip_icmp.h>
825 #include <netinet/tcp.h>
826 #include <netinet/udp.h>
827+#include <libnetfilter_queue/libnetfilter_queue.h>
828
829 #include "libcore/builder.h"
830 #include "libcore/icomm.h"
831@@ -204,7 +204,7 @@
832 */
833 static int reinject_packet(const struct in6_addr *src_hit,
834 const struct in6_addr *dst_hit,
835- const ipq_packet_msg_t *m,
836+ const hip_ipq_packet_msg_t *m,
837 const int ip_orig_traffic,
838 const int incoming)
839 {
840@@ -292,7 +292,7 @@
841 * @return 1 if translation not done
842 * 0 if packet reinjected with lsis as addresses
843 */
844-int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m,
845+int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m,
846 const struct in6_addr *ip_src,
847 const struct in6_addr *ip_dst,
848 const int lsi_support)
849@@ -384,7 +384,7 @@
850 * @param lsi_dst destination LSI
851 * @return err during the BEX
852 */
853-int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m, struct in_addr *lsi_src,
854+int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m, struct in_addr *lsi_src,
855 struct in_addr *lsi_dst)
856 {
857 int err = 0;
858
859=== modified file 'hipfw/lsi.h'
860--- hipfw/lsi.h 2012-05-12 06:54:33 +0000
861+++ hipfw/lsi.h 2013-08-01 14:18:46 +0000
862@@ -1,5 +1,5 @@
863 /*
864- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
865+ * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
866 *
867 * Permission is hereby granted, free of charge, to any person
868 * obtaining a copy of this software and associated documentation
869@@ -28,10 +28,11 @@
870
871 #define _BSD_SOURCE
872
873-#include <libipq.h>
874 #include <netinet/in.h>
875+#include <libnetfilter_queue/libnetfilter_queue.h>
876
877 #include "libcore/protodefs.h"
878+#include "hipfw_defines.h"
879
880 int hip_trigger_bex(const struct in6_addr *src_hit,
881 const struct in6_addr *dst_hit,
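Review bot: lsi.h now pulls in <libnetfilter_queue/libnetfilter_queue.h>, but the only new type used in this header is hip_ipq_packet_msg_t, which comes from the added "hipfw_defines.h" include; the libnetfilter_queue include is redundant here (the same holds for the one added to lsi.c) and widens the header's dependency surface for no benefit.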
882@@ -39,12 +40,12 @@
883 const hip_lsi_t *dst_lsi,
884 const struct in6_addr *src_ip,
885 const struct in6_addr *dst_ip);
886-int hip_fw_handle_incoming_hit(const ipq_packet_msg_t *m,
887+int hip_fw_handle_incoming_hit(const hip_ipq_packet_msg_t *m,
888 const struct in6_addr *ip_src,
889 const struct in6_addr *ip_dst,
890 const int lsi_support);
891
892-int hip_fw_handle_outgoing_lsi(ipq_packet_msg_t *m,
893+int hip_fw_handle_outgoing_lsi(hip_ipq_packet_msg_t *m,
894 struct in_addr *ip_src,
895 struct in_addr *ip_dst);
896
897
898=== modified file 'hipfw/rewrite.c'
899--- hipfw/rewrite.c 2012-05-12 06:54:33 +0000
900+++ hipfw/rewrite.c 2013-08-01 14:18:46 +0000
901@@ -1,5 +1,5 @@
902 /*
903- * Copyright (c) 2011 Aalto University and RWTH Aachen University.
904+ * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
905 *
906 * Permission is hereby granted, free of charge, to any person
907 * obtaining a copy of this software and associated documentation
908@@ -54,17 +54,16 @@
909 * more thoroughly, these optimizations should be considered hacks (and
910 * are thus not used here).
911 *
912- * @author Christof Mroz <christof.mroz@rwth-aachen.de>
913 */
914
915 #define _BSD_SOURCE
916
917 #include <netinet/in.h>
918-#include <linux/netfilter.h>
919-#include <libipq.h>
920 #include <limits.h>
921 #include <stdlib.h>
922 #include <string.h>
923+#include <linux/netfilter.h>
924+#include <libnetfilter_queue/libnetfilter_queue.h>
925
926 #include "libcore/builder.h"
927 #include "libcore/debug.h"
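Review bot: the @author tag is removed from the file header although this change only swaps the packet-queue library; unless this follows a project-wide decision to drop author tags, it removes attribution unrelated to the port and should be kept (or moved, per project convention).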
928@@ -75,8 +74,8 @@
929 static const bool assume_ipq_buffer_sufficient = false;
930
931 struct scratch_buffer {
932- ipq_packet_msg_t ipq;
933- uint8_t *payload[HIP_MAX_PACKET];
934+ hip_ipq_packet_msg_t ipq;
935+ uint8_t *payload[HIP_MAX_PACKET];
936 } __attribute__((packed)); // no gaps between header and payload
937
938 static struct scratch_buffer scratch_buffer;
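Review bot: struct scratch_buffer keeps __attribute__((packed)) with the comment "no gaps between header and payload", which mattered when ipq_packet_msg_t ended in a flexible payload array located directly after the header; hip_ipq_packet_msg_t instead carries `unsigned char *payload`, a pointer, so packing no longer makes `ipq.payload` refer to the bytes that follow it, and any code relying on that adjacency (the assume_ipq_buffer_sufficient path above) must set the pointer explicitly. While this line is being touched: `uint8_t *payload[HIP_MAX_PACKET]` declares an array of pointers, sizeof(void *) times larger than a byte buffer; `uint8_t payload[HIP_MAX_PACKET]` looks like the intent.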
939@@ -316,7 +315,7 @@
940 * @param handle libipq file handle
941 * @param ctx The current packet context.
942 */
943-void allow_modified_packet(struct ipq_handle *const handle,
944+void allow_modified_packet(struct nfq_q_handle *const handle,
945 struct hip_fw_context *const ctx)
946 {
947 HIP_ASSERT(ctx->modified);
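Review bot: the parameter documentation two lines above the changed signature still reads "@param handle libipq file handle"; update it to describe the nfq_q_handle, the queue handle the verdict is issued on.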
948@@ -373,7 +372,7 @@
949 }
950 }
951
952- ipq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT,
953+ nfq_set_verdict(handle, ctx->ipq_packet->packet_id, NF_ACCEPT,
954 ctx->ipq_packet->data_len, ctx->ipq_packet->payload);
955 HIP_DEBUG("Packet accepted with modifications\n\n");
956 }
957
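Review bot: the return value of nfq_set_verdict() is ignored; a negative return means the verdict was not delivered and the packet stays in the kernel queue, while the following HIP_DEBUG unconditionally reports "Packet accepted with modifications". Check the return value and log the failure, and apply the same to the allow_packet()/drop_packet() helpers used by fw_handle_packet().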
958=== modified file 'hipfw/rewrite.h'
959--- hipfw/rewrite.h 2011-11-25 13:52:20 +0000
960+++ hipfw/rewrite.h 2013-08-01 14:18:46 +0000
961@@ -1,5 +1,5 @@
962 /*
963- * Copyright (c) 2011 Aalto University and RWTH Aachen University.
964+ * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
965 *
966 * Permission is hereby granted, free of charge, to any person
967 * obtaining a copy of this software and associated documentation
968@@ -33,7 +33,7 @@
969
970 bool hipfw_splice_param(struct hip_fw_context *const ctx,
971 const struct hip_tlv_common *const param);
972-void allow_modified_packet(struct ipq_handle *const handle,
973+void allow_modified_packet(struct nfq_q_handle *const handle,
974 struct hip_fw_context *const ctx);
975
976 #endif /* HIPL_HIPFW_REWRITE_H */
977
978=== modified file 'packaging/hipl.spec'
979--- packaging/hipl.spec 2013-01-29 11:49:17 +0000
980+++ packaging/hipl.spec 2013-08-01 14:18:46 +0000
981@@ -7,7 +7,7 @@
982 Vendor: InfraHIP
983 License: GPLv2
984 Group: System Environment/Daemons
985-BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.3
986+BuildRequires: gcc autoconf automake libtool xmlto w3m openssl-devel iptables-devel python >= 2.4.3 libnetfilter_queue-devel
987 BuildRoot: %{_tmppath}/%{name}-%{version}-root
988
989 %description
990@@ -55,7 +55,7 @@
991 HIP for Linux IPsec key management and mobility daemon.
992
993 %package firewall
994-Requires: openssl iptables
995+Requires: openssl iptables libnetfilter_queue
996 Summary: HIPL multi-purpose firewall daemon
997 Group: System Environment/Daemons
998 %description firewall
999
1000=== modified file 'packaging/openwrt/hipl/Makefile.in'
1001--- packaging/openwrt/hipl/Makefile.in 2012-03-19 12:32:25 +0000
1002+++ packaging/openwrt/hipl/Makefile.in 2013-08-01 14:18:46 +0000
1003@@ -57,7 +57,7 @@
1004
1005 define Package/hipl-firewall
1006 $(call Package/hipl/Default)
1007- DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue
1008+ DEPENDS:=+libconfig +iptables +ip6tables +kmod-ipt-queue +libnetfilter-queue
1009 TITLE:=HIPL firewall
1010 endef
1011
1012
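Review bot: DEPENDS still lists +kmod-ipt-queue, the ip_queue kernel module this change retires, alongside the new +libnetfilter-queue; the firewall now needs the NFQUEUE iptables target and nfnetlink_queue kernel support instead, so the kernel-module dependency should be replaced rather than supplemented, to match the actual runtime requirement.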
1013=== modified file 'test/check_hipfw.c'
1014--- test/check_hipfw.c 2011-11-25 13:52:20 +0000
1015+++ test/check_hipfw.c 2013-08-01 14:18:46 +0000
1016@@ -1,5 +1,5 @@
1017 /*
1018- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
1019+ * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
1020 *
1021 * Permission is hereby granted, free of charge, to any person
1022 * obtaining a copy of this software and associated documentation
1023@@ -38,7 +38,6 @@
1024 srunner_add_suite(sr, firewall_line_parser());
1025 srunner_add_suite(sr, firewall_midauth());
1026 srunner_add_suite(sr, firewall_port_bindings());
1027- srunner_add_suite(sr, firewall_rewrite());
1028
1029 srunner_run_all(sr, CK_NORMAL);
1030 number_failed = srunner_ntests_failed(sr);
1031
1032=== removed file 'test/hipfw/rewrite.c'
1033--- test/hipfw/rewrite.c 2012-05-12 06:54:33 +0000
1034+++ test/hipfw/rewrite.c 1970-01-01 00:00:00 +0000
1035@@ -1,131 +0,0 @@
1036-/*
1037- * Copyright (c) 2011-2012 Aalto University and RWTH Aachen University.
1038- *
1039- * Permission is hereby granted, free of charge, to any person
1040- * obtaining a copy of this software and associated documentation
1041- * files (the "Software"), to deal in the Software without
1042- * restriction, including without limitation the rights to use,
1043- * copy, modify, merge, publish, distribute, sublicense, and/or sell
1044- * copies of the Software, and to permit persons to whom the
1045- * Software is furnished to do so, subject to the following
1046- * conditions:
1047- *
1048- * The above copyright notice and this permission notice shall be
1049- * included in all copies or substantial portions of the Software.
1050- *
1051- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
1052- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
1053- * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
1054- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
1055- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
1056- * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
1057- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
1058- * OTHER DEALINGS IN THE SOFTWARE.
1059- */
1060-
1061-#define _BSD_SOURCE
1062-
1063-#include <check.h>
1064-#include <stdlib.h>
1065-#include <string.h>
1066-
1067-#include "hipfw/hipfw_defines.h"
1068-#include "libcore/common.h"
1069-#include "modules/midauth/hipd/midauth.h"
1070-#include "modules/midauth/lib/midauth_builder.h"
1071-#include "test/mocks.h"
1072-#include "test_suites.h"
1073-
1074-#include "hipfw/hipfw.c"
1075-
1076-
1077-static const unsigned char tmp_ipq_packet[] = "\xA0\x85\x07\x12\x00\x88\xFF\xFF\x00\x00"
1078- "\x00\x00\x00\x00\x00\x00\xD3\x98\x81\x4E\x00\x00\x00\x00\x27\x21\x0D"
1079- "\x00\x00\x00\x00\x00\x02\x00\x00\x00\x65\x74\x68\x31\x00\x00\x00\x00"
1080- "\x00\x00\x00\x00\x00\x00\x00\x00\x65\x74\x68\x32\x00\x00\x00\x00\x00"
1081- "\x00\x00\x00\x00\x00\x00\x00\x08\x00\x01\x00\x06\x08\x00\x27\x45\x4D"
1082- "\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\xA0\x02\x00\x00\x00\x00\x00"
1083- "\x00\x45\x00\x02\xA0\x00\x00\x40\x00\x3F\x11\xB3\xEF\xC0\xA8\x01\x0A"
1084- "\xC0\xA8\x03\x03\x29\x04\x29\x04\x02\x8C\x00\x00\x00\x00\x00\x00\x3B"
1085- "\x4F\x03\x11\x00\x00\x00\x00\x20\x01\x00\x1B\xD8\xB0\x77\xF0\xC6\x17"
1086- "\x71\x70\xDE\xD7\xF3\x20\x20\x01\x00\x17\x5D\xF8\xC4\x26\x98\xE5\x5F"
1087- "\xA2\x28\x6D\x28\x47\x00\x41\x00\x0C\x00\x00\x00\x48\x00\x00\x00\x00"
1088- "\x2D\x4A\x07\x08\x01\x41\x00\x14\x00\x00\x48\x49\x90\x7D\xD8\x95\x84"
1089- "\xB3\x8D\xDC\x18\x25\xF9\x65\xE3\x31\x3E\xDD\x01\x42\x00\x1C\x01\x02"
1090- "\x82\xEC\x42\x00\x00\x00\x00\x00\x5A\x3C\x03\x14\x9A\x0E\x9D\xCA\xF0"
1091- "\x19\xAD\x2B\xBA\x43\x33\x66\xF8\xB2\x02\x01\x00\xC3\x03\x00\xC0\x7C"
1092- "\xDA\x02\x1F\xB7\xFE\x85\xBB\xD1\x93\xFD\xB2\xFB\xC0\xB1\xAD\x09\x61"
1093- "\x1F\x8E\xDD\x8F\x1B\xFC\xC3\x97\xA1\xCE\x4C\x55\x85\xB4\x4A\x8B\x66"
1094- "\x93\x2A\xDF\x85\xC0\x3A\x84\xA2\x22\x4F\xB3\xF9\x6F\xC5\x54\x23\x9D"
1095- "\xC2\x03\xEB\xB9\x55\xA4\xF0\x19\xC0\x2B\x4C\xD1\xBF\xC9\x04\xF5\x32"
1096- "\xAB\x39\xEF\x7B\xF9\xA7\xAB\x5A\xC5\x27\x5E\x21\x83\x48\xB0\x8E\x19"
1097- "\xB4\x51\x2B\xBA\x79\x00\x62\x70\x48\xF3\x44\xAE\x49\xD4\xC9\x20\x74"
1098- "\x38\x0D\x11\xCA\xB3\x6F\x03\x47\x9A\x39\xA5\xFB\xC0\x70\xD6\xB5\xB6"
1099- "\x35\x08\xB4\xB0\x33\x19\xF9\x07\x3C\x82\x7D\x3C\x16\x0C\x74\x9A\x1F"
1100- "\x9B\xB2\xE6\xB3\xC7\xB3\x08\xE2\x10\x66\x23\x95\xF6\x00\xC7\x57\x8B"
1101- "\x19\x83\x9E\x6F\xB6\x9D\x6A\x44\x25\xF1\xFD\x45\xFB\xD4\xD9\xE8\xA7"
1102- "\xD5\xF9\xA7\xA5\xFB\xA3\x23\xD2\xDE\x67\x15\x9C\x6C\xFB\x5B\x08\xAC"
1103- "\x7F\xC9\xF9\xD7\x00\x02\x41\x00\x02\x00\x01\x00\x00\x02\xC1\x00\x92"
1104- "\x00\x88\x10\x06\x02\x02\xFF\x05\x03\x01\x00\x01\xD6\xBD\x7C\x86\xC3"
1105- "\x4A\xA3\x93\x7F\xD9\x82\xBD\x22\xF1\xC7\x4F\x72\x76\x4F\x2F\x68\xF7"
1106- "\x4F\x9D\xCE\xF3\xAE\xD4\x3B\x13\x5D\xC1\xF7\xF8\x09\x4E\xB4\xCD\x82"
1107- "\x6F\xF8\xD1\x70\x01\x4E\xC0\x64\x82\xF1\x7E\x21\x54\x62\x73\x08\xEA"
1108- "\x0A\x66\x1B\xA7\x9A\x4A\xAA\x17\x56\x77\x1D\x4D\x0D\xD2\x19\x92\xA0"
1109- "\xAC\xF7\x23\x62\xE2\xF0\xFB\x1E\x73\x19\x16\x61\x1B\x85\x02\x42\x4B"
1110- "\x89\x46\x09\x71\x42\x6F\x40\x8E\x62\x31\xA6\x4F\x17\x45\xF2\x7B\xFA"
1111- "\xF2\xB6\xC8\x87\x37\x3A\xDF\xBB\x10\xE8\xDA\x97\x31\x6C\x38\xDF\xD0"
1112- "\x97\x45\x84\x39\x61\x6C\x69\x63\x65\x00\x00\x00\x0F\xFF\x00\x04\x00"
1113- "\x00\x00\x01\xF0\x41\x00\x14\xE7\x35\x6F\x89\x30\x3E\x1E\xA7\xFB\x93"
1114- "\x8B\xBE\xD1\x34\x1F\x35\xB8\xE0\x82\x0C\xF1\x01\x00\x81\x05\xA6\xA2"
1115- "\x75\xEF\xA8\xC3\x9C\x64\x9E\x9A\xDA\xFB\x38\xB4\x05\x8C\x6A\x6E\x5B"
1116- "\x59\x9F\x11\x5B\xA6\xC0\x05\x42\xA6\x0D\x9C\x62\x17\x0E\x23\xB6\x3B"
1117- "\x15\xB8\xEC\x6F\xE3\xB6\x6E\x80\x76\x97\xBE\x5B\x5B\x1A\x90\x30\xDF"
1118- "\x1F\x32\x2C\x4E\x22\x20\x0B\xD4\x2B\x5B\x7C\xEF\x27\xEA\xB9\x80\x27"
1119- "\xEF\xBC\xB4\xAF\x97\x2A\xD5\x86\xDA\xEE\x2C\xF0\x8B\x45\x00\x10\xE1"
1120- "\x3A\x95\x35\xAC\x7C\xA8\x88\xC1\x60\xB9\x71\xD3\xE2\x29\xF7\x75\xD0"
1121- "\x7E\x27\x1B\x21\x43\xAE\xBB\x08\xE1\x6B\x9E\x1E\xB9\x55\x89\xE3\x2B"
1122- "\x29\x06\x4A\xA2\x90\x98\x38\x00\x00\x00";
1123-static const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b"
1124- "\x02\x42\x02\x15\x06\x08\x49\x50\x0c";
1125-
1126-#ifdef HAVE_TCASE_ADD_EXIT_TEST
1127-START_TEST(hipfw_splice_param_NULL_ctx)
1128-{
1129- struct hip_common *tmp_msg = NULL;
1130- const struct hip_tlv_common *param = NULL;
1131-
1132- tmp_msg = hip_msg_alloc();
1133- hip_build_param_challenge_request(tmp_msg, 0, 0, opaque,
1134- MIDAUTH_DEFAULT_NONCE_LENGTH);
1135- param = hip_get_param(tmp_msg, HIP_PARAM_CHALLENGE_REQUEST);
1136-
1137- fail_unless(hipfw_splice_param(NULL, param) == false, NULL);
1138-}
1139-END_TEST
1140-
1141-START_TEST(hipfw_splice_param_NULL_param)
1142-{
1143- struct hip_fw_context ctx;
1144-
1145- mock_ipq = true;
1146- mock_ipq_pkt_len = ARRAY_SIZE(tmp_ipq_packet);
1147-
1148- fail_unless(fw_init_context(&ctx, tmp_ipq_packet, 4) == 0, NULL);
1149- fail_unless(hipfw_splice_param(&ctx, NULL) == false, NULL);
1150-}
1151-END_TEST
1152-#endif
1153-
1154-Suite *firewall_rewrite(void)
1155-{
1156- Suite *s = suite_create("hipfw/rewrite");
1157- TCase *tc_rewrite = tcase_create("rewrite");
1158-
1159-#ifdef HAVE_TCASE_ADD_EXIT_TEST
1160- tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_ctx, 1);
1161- tcase_add_exit_test(tc_rewrite, hipfw_splice_param_NULL_param, 1);
1162-#endif
1163- suite_add_tcase(s, tc_rewrite);
1164-
1165- return s;
1166-}
1167
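Review bot: deleting test/hipfw/rewrite.c removes the only unit coverage for hipfw_splice_param() and fw_init_context() without a replacement; the merge description explains that the sample packet no longer matches the new format, but that argues for regenerating the fixture in the hip_ipq_packet_msg layout (or building it in code from the payload bytes) rather than dropping the suite. At minimum, leave a TODO in the test tree with a bug reference so the coverage gap is tracked.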
1168=== modified file 'test/hipfw/test_suites.h'
1169--- test/hipfw/test_suites.h 2011-11-25 17:56:24 +0000
1170+++ test/hipfw/test_suites.h 2013-08-01 14:18:46 +0000
1171@@ -1,5 +1,5 @@
1172 /*
1173- * Copyright (c) 2010 Aalto University and RWTH Aachen University.
1174+ * Copyright (c) 2010, 2013 Aalto University and RWTH Aachen University.
1175 *
1176 * Permission is hereby granted, free of charge, to any person
1177 * obtaining a copy of this software and associated documentation
1178@@ -34,6 +34,5 @@
1179 Suite *firewall_line_parser(void);
1180 Suite *firewall_midauth(void);
1181 Suite *firewall_port_bindings(void);
1182-Suite *firewall_rewrite(void);
1183
1184 #endif /* HIPL_TEST_FIREWALL_TEST_SUITES_H */
1185
1186=== modified file 'test/mocks.c'
1187--- test/mocks.c 2011-10-19 11:57:13 +0000
1188+++ test/mocks.c 2013-08-01 14:18:46 +0000
1189@@ -1,5 +1,5 @@
1190 /*
1191- * Copyright (c) 2011 Aalto University and RWTH Aachen University.
1192+ * Copyright (c) 2011, 2013 Aalto University and RWTH Aachen University.
1193 *
1194 * Permission is hereby granted, free of charge, to any person
1195 * obtaining a copy of this software and associated documentation
1196@@ -87,7 +87,7 @@
1197 #include <stdlib.h>
1198 #include <string.h>
1199 #include <time.h>
1200-#include <libipq.h>
1201+#include <libnetfilter_queue/libnetfilter_queue.h>
1202
1203 #include "mocks.h"
1204
1205@@ -190,28 +190,3 @@
1206
1207 return EXIT_SUCCESS;
1208 }
1209-
1210-/*** ipq_get_packet(3) ***/
1211-bool mock_ipq = false;
1212-unsigned int mock_ipq_pkt_len = 0;
1213-
1214-/**
1215- * ipq_get_packet(3) mock function. Controlled by the ::mock_ipq flag.
1216- *
1217- * @param buf contents of the returned ipq_packet_msg_t
1218- * @return a fully filled ipq_packet_msg_t
1219- *
1220- * @note The buffer length is required for this mock function. You can provide
1221- * it via the ::mock_ipq_pkt_len flag.
1222- */
1223-ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf)
1224-{
1225- if (!mock_ipq) {
1226- ipq_packet_msg_t *(*original)(const unsigned char *) = get_original(ipq_get_packet, "ipq_get_packet");
1227- return original(buf);
1228- } else {
1229- char *tmp = malloc(mock_ipq_pkt_len);
1230- memcpy(tmp, buf, mock_ipq_pkt_len);
1231- return (ipq_packet_msg_t *) tmp;
1232- }
1233-}
