Status: | Superseded |
---|---|
Proposed branch: | lp:~martin-lp/hipl/hipfwconf |
Merge into: | lp:hipl |
Diff against target: |
887 lines (+345/-124) 11 files modified
firewall/conntrack.c (+53/-0) firewall/conntrack.h (+2/-0) firewall/firewall.c (+32/-17) firewall/firewall.h (+3/-1) firewall/firewall_control.c (+30/-3) firewall/firewall_control.h (+2/-2) hipd/init.c (+1/-1) lib/core/conf.c (+150/-71) lib/core/conf.h (+5/-0) lib/core/message.c (+66/-29) lib/core/message.h (+1/-0) |
To merge this branch: | bzr merge lp:~martin-lp/hipl/hipfwconf |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Diego Biurrun | Needs Fixing | ||
Miika Komu | Approve | ||
Review via email: mp+80830@code.launchpad.net |
This proposal supersedes a proposal from 2011-10-24.
This proposal has been superseded by a proposal from 2011-11-07.
Commit message
Description of the change
This branch introduces changes to get the currently active connection from the firewall.
This is a resubmitted merge proposal:
instead of using a separate binary option 1 of the previous discussion is implemented:
> 1) add an extra keyword to the hipconf command line: hipconf (daemon | firewall) COMMAND
Summed up changes since the last proposal (revision 6116ff.):
Keywords to address hipd / hipfw are daemon and firewall and defined in lib/core/conf.h.
The hipconf help print has been updated.
Config file syntax does not have to be changed as only hipd parses configs via hipconf and the daemon
keyword is hardcoded.
From what I've tested everything works as before. I do not know all hipconf options or how to apply them
so I did not test them all. Please have a look if everything seems right.
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal | # |
On Mon, Oct 24, 2011 at 03:49:25PM +0000, Miika Komu wrote:
> Review: Needs Information
>
> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
Seconded. I'm terribly suspicious of this whole hipconf thing and
whether or not it is a good idea. IIUC authentication is nonexistent
and it's not clear to me what the advantage to rereading a config
file is.
Diego
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
Another benefit of merged functionality is to allow reading of static information from /etc/hip/
René Hummen (rene-hummen) wrote : Posted in a previous version of this proposal | # |
On 24.10.2011, at 17:49, Miika Komu wrote:
> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
There are three ways to implement this functionality:
1) add an extra keyword to the hipconf command line: hipconf (daemon | firewall) COMMAND
2) add firewall queries as command parameter: hipconf get firewall-ha
3) implement as separate binary using libcore.
(1) would require some changes to hipconf command line parsing and would render the old user API broken. Furthermore, it would require an even longer parameter list for getting specific information. For these reasons, I would not want to implement this option.
(2) is somewhat inconsistent with the current syntax, but I would be fine with that. Only minor changes to the current proposal would be required.
(3) doesn't break the user API and clearly separates hipd configuration from hipfw status querying. This is my preferred option.
Opinions and other proposals are welcome.
Ciao,
René
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
René Hummen (rene-hummen) wrote : Posted in a previous version of this proposal | # |
Forgot to include launchpad.
Begin forwarded message:
> From: René Hummen <email address hidden>
> Date: 27. Oktober 2011 15:41:06 MESZ
> To: <email address hidden>
> Subject: Re: [hipl-dev] Re: [Merge] lp:~martin-lp/hipl/hipfwconf into lp:hipl
>
> On 24.10.2011, at 19:27, Diego Biurrun wrote:
>> On Mon, Oct 24, 2011 at 03:49:25PM +0000, Miika Komu wrote:
>>> Review: Needs Information
>>>
>>> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
>>
>> Seconded. I'm terribly suspicious of this whole hipconf thing and
>> whether or not it is a good idea. IIUC authentication is nonexistent
>> and it's not clear to me what the advantage to rereading a config
>> file is.
>
> The issue of having one or multiple binaries aside, I think hipconf should rather be a hipstatus tool. I.e., hipd and hipfw should be configured via config files (with reload functionality) and the the current run-time status should be requestable via hipstatus. However, this is not as it's done in HIPL at the moment. Instead, reading the config file mimics calls to hipconf in order to set up the hipd. hipfwconf, on the other hand, only provides status information.
>
> Do I see volunteers who are willing to fix this hipconf-based configuration issue? :)
>
> Ciao,
> René
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
René Hummen (rene-hummen) wrote : Posted in a previous version of this proposal | # |
On 25.10.2011, at 09:42, Miika Komu wrote:
> Another benefit of merged functionality is to allow reading of static information from /etc/hip/
I don't see your point here. Can you please explain. By the way, hipfwconf wraps around libcore the same way hipconf does.
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
> IIUC authentication is nonexistent
This a fallacy, it does have authentication. Critical functions are allowed only for root.
> and it's not clear to me what the advantage to rereading a config
> file is.
Obviously, changing of parameters during run time.
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
> On 25.10.2011, at 09:42, Miika Komu wrote:
> > Another benefit of merged functionality is to allow reading of static
> information from /etc/hip/
>
> I don't see your point here. Can you please explain. By the way, hipfwconf
> wraps around libcore the same way hipconf does.
You mean that you can set hipfwconf parameters from /etc/hip/
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
> On 24.10.2011, at 17:49, Miika Komu wrote:
> > Why separate binary just for configuring hipfw? Why this can't be embedded
> into hipconf?
>
> There are three ways to implement this functionality:
> 1) add an extra keyword to the hipconf command line: hipconf (daemon |
> firewall) COMMAND
> 2) add firewall queries as command parameter: hipconf get firewall-ha
Either of these would work for me. Probably 1 is a bit cleaner.
> 3) implement as separate binary using libcore.
I'll counterargument against this below.
> (1) would require some changes to hipconf command line parsing and would
> render the old user API broken. Furthermore, it would require an even longer
> parameter list for getting specific information. For these reasons, I would
> not want to implement this option.
Who cares if the API is changes, really? By breaking, you mean /etc/hip/
> (2) is somewhat inconsistent with the current syntax, but I would be fine with
> that. Only minor changes to the current proposal would be required.
I would be fine with this.
> (3) doesn't break the user API and clearly separates hipd configuration from
> hipfw status querying. This is my preferred option.
Proposal 3 also fragments the HIP administrative interface into two. You suggest that we'll have one read-only interface and another writeable. I believe in a more unified interface and I fail see why we should disperse. It doesn't sound very responsible to say something is bad, but leave it as it is and switch to new tool?
What do you mean by "hipconf-based configuration issue"?
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal | # |
On Thu, Oct 27, 2011 at 01:31:29PM +0000, René Hummen wrote:
> On 24.10.2011, at 17:49, Miika Komu wrote:
> > Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
>
> There are three ways to implement this functionality:
> 1) add an extra keyword to the hipconf command line: hipconf (daemon | firewall) COMMAND
> 2) add firewall queries as command parameter: hipconf get firewall-ha
> 3) implement as separate binary using libcore.
>
> (1) would require some changes to hipconf command line parsing and
> would render the old user API broken. Furthermore, it would require an
> even longer parameter list for getting specific information. For these
> reasons, I would not want to implement this option.
alias hipdconf="hipconf daemon"
alias hipfwconf="hipconf firewall"
Diego
Diego Biurrun (diego-biurrun) wrote : | # |
review needs-fixing
On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>
> --- Makefile.am 2011-10-17 18:14:10 +0000
> +++ Makefile.am 2011-10-31 18:21:26 +0000
> @@ -90,8 +90,8 @@
>
> -tools_
> -tools_
> +tools_
> +tools_
unrelated
Diego
Miika Komu (miika-iki) wrote : | # |
hip_send_
hip_send_
lib/core/
Also, I would like to hear a test report with some existing hipconf options to understand that legacy support still works. For example, try the following:
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all
<wait few secs>
* hipconf nat none
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all
<wait few secs>
* hipconf nat plain-udp
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all
<wait few secs>
* hipconf nat port 1111
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all
Does it do what expected?
Other than this, I am satisfied with this commit.
David Martin (martin-lp) wrote : | # |
Hi,
On Mon, Oct 31, 2011 at 9:58 PM, Diego Biurrun <email address hidden> wrote:
> On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>> --- Makefile.am 2011-10-17 18:14:10 +0000
>> +++ Makefile.am 2011-10-31 18:21:26 +0000
>> @@ -90,8 +90,8 @@
>>
>> -tools_
>> -tools_
>> +tools_
>> +tools_
>
> unrelated
That's not really unrelated but unintended. Forgot to reindent after removing the hipfwconf line. Fixed now.
- 6108. By Diego Biurrun
-
packaging: port package building script to openSUSE
- 6109. By Diego Biurrun
-
INSTALL: Add list of required packages for OpenSUSE.
David Martin (martin-lp) wrote : | # |
Hi,
On Wed, Nov 2, 2011 at 8:32 AM, Miika Komu <email address hidden> wrote:
> Review: Needs Fixing
>
> hip_send_
You are right, that has been some pretty evil piece of copy-paste. Fixed this in revision 6121.
> The same goes for hip_send_
What exactly do you mean?
> lib/core/
I changed it where hipconf_usage was used but this may have not been clear enough.
I've fixed it in revision 6122. Should be better now.
> Also, I would like to hear a test report with some existing hipconf options to understand that legacy support still works. For example, try the following:
>
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat none
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat plain-udp
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat port 1111
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> Does it do what expected?
Did not test that yet but I'll have a look into it and report back.
Miika Komu (miika-iki) wrote : | # |
Hi,
On 11/02/2011 01:04 PM, David Martin wrote:
>> The same goes for hip_send_
> What exactly do you mean?
the functions offer very similar functionality (copy paste).
David Martin (martin-lp) wrote : | # |
Hi again,
On Wed, Nov 2, 2011 at 12:25 PM, Miika Komu <email address hidden> wrote:
> On 11/02/2011 01:04 PM, David Martin wrote:
>>>
>>> The same goes for hip_send_
>>> hip_handle_
>>
>> What exactly do you mean?
>
> the functions offer very similar functionality (copy paste).
Sorry for being a bit dense but I'm still not sure what you mean.
hip_handle_
hipconf messages. hip_send_
since the last commit is nothing more than a wrapper for send_recv_
Maybe you mean hip_handle_msg() in firewall_control.c which basically does the same
as hip_handle_
branch and I see no reason to merge them together. It would result in an even bigger
and even more unwieldy function. The firewall does receive user messages of the same
message type, but it acts differently on them than hipd. I think it's reasonable to keep them
apart. We should think about renaming them to make their purpose more obvious but this
is out of scope of this branch.
Miika Komu (miika-iki) wrote : | # |
Sorry, I mean fw_handle_
David Martin (martin-lp) wrote : | # |
Hi,
On Wed, Nov 2, 2011 at 3:26 PM, Miika Komu <email address hidden> wrote:
> Sorry, I mean fw_handle_
You are right. But if I see it correctly those two weren't really touched by this branch so I would
say it's not related. Feel free to change it in trunk. :)))
PS: Fixed non-compiling make doxygen and added error-handling for wrong process keywords in the last two revisions.
PPS: Had a look at your proposed commands as well. They seem to work alright as far as I can judge. Here's a log:
martin@
Mapped v4 to v6.
mapped v6: 10.0.3.1
Sending user message 2 to HIPD on socket 3
Sent 88 bytes
Waiting to receive daemon info.
88 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.
martin@
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
248 bytes received from HIP daemon.
HA is UNASSOCIATED
Shotgun mode is off.
Broadcast mode is off.
Local HIT: 2001:0017:
Peer HIT: 2001:0017:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.1
Local IP: 10.0.3.1
Local NAT traversal UDP port: 10500
Peer IP: 10.0.3.1
Peer NAT traversal UDP port: 10500
Peer hostname:
martin@
Sending user message 68 to HIPD on socket 3
Sent 64 bytes
Waiting to receive daemon info.
64 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.
martin@
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
40 bytes received from HIP daemon.
martin@
<snip>
martin@
<snip>
martin@
<snip>
HA is UNASSOCIATED
Shotgun mode is off.
Broadcast mode is off.
Local HIT: 2001:0017:
Peer HIT: 2001:0017:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.1
Local IP: 10.0.3.1
Local NAT traversal UDP port: 0
Peer IP: 10.0.3.1
Peer NAT traversal UDP port: 0
Peer hostname:
martin@
<snip>
martin@
<snip>
HA is UNASSOCIATED
Shotgun mode is off.
Broadcast mode is off.
Local HIT: 2001:0017:
Peer HIT: 2001:0017:
Local LSI: 1.0.0.1
Peer LSI: 1.0.0.1
Local IP: 10.0.3.1
Local NAT traversal UDP port: 10500
Peer IP: 10.0.3.1
Peer NAT traversal UDP port: 10500
Peer hostname:
martin@
René Hummen (rene-hummen) wrote : Posted in a previous version of this proposal | # |
On 27.10.2011, at 16:37, Miika Komu wrote:
>> On 25.10.2011, at 09:42, Miika Komu wrote:
>>> Another benefit of merged functionality is to allow reading of static
>> information from /etc/hip/
>>
>> I don't see your point here. Can you please explain. By the way, hipfwconf
>> wraps around libcore the same way hipconf does.
>
> You mean that you can set hipfwconf parameters from /etc/hip/
Hmmm, I'm not sure what this discussion was about exactly. Maybe some clarification as to what kind of functionality this branch is supposed to introduce: it allows to request status information from hipfw at run-time. However, it does not allow for run-time configuration right now. Of course, it would be easy to extend hipfw with this functionality, but I don't see that this desirable.
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
- 6110. By René Hummen
-
merge lp:~rene-hummen/hipl/logging
This merge updates the logging facilities of HIPL and adds a new log
level "LOW".Macros are now mapped to the debug levels as follows:
============== ======= ======= ======= ======
| NONE | DIE, ASSERT
-------------- ------- ------- ------- -------
| LOW | DIE, ASSERT, ERROR
-------------- ------- ------- ------- -------
| MEDIUM | DIE, ASSERT, ERROR, INFO
-------------- ------- ------- ------- -------
| ALL | DIE, ASSERT, ERROR, INFO, DEBUG
============== ======= ======= ======= ======= Also see merge proposal:
https://code.launchpad .net/~rene- hummen/ hipl/logging/ +merge/ 81065
Miika Komu (miika-iki) wrote : | # |
> Hmmm, I'm not sure what this discussion was about exactly. Maybe some clarification as to what kind of functionality
> this branch is supposed to introduce: it allows to request status information from hipfw at run-time. However, it
> does not allow for run-time configuration right now. Of course, it would be easy to extend hipfw with this
> functionality, but I don't see that this desirable.
Never mind (now hipd_config can be used to trigger hipfw actions as well).
David Martin (martin-lp) wrote : | # |
Diego, your opinion? :)
Diego Biurrun (diego-biurrun) wrote : | # |
review needs-fixing
On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>
> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
> @@ -54,6 +54,11 @@
>
> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
> +/* keywords used to identify hipd / hipfw as target of hipconf command */
> +#define HIPCONF_
> +#define HIPCONF_
These appear unused outside of conf.c.
Diego
Diego Biurrun (diego-biurrun) wrote : | # |
On Fri, Nov 04, 2011 at 12:07:34PM +0000, David Martin wrote:
> Diego, your opinion? :)
I said enough to reject it already, just added some more ;)
Diego
David Martin (martin-lp) wrote : | # |
Hi,
On Fri, Nov 4, 2011 at 1:25 PM, Diego Biurrun <email address hidden> wrote:
> On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>>
>> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
>> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
>> @@ -54,6 +54,11 @@
>>
>> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
>> +/* keywords used to identify hipd / hipfw as target of hipconf command */
>> +#define HIPCONF_
>> +#define HIPCONF_
>
> These appear unused outside of conf.c.
Nope, using them in lib/core/message.c as well. Did you pull the latest revisions?
On Fri, Nov 4, 2011 at 1:29 PM, Diego Biurrun <email address hidden> wrote:
> I said enough to reject it already, just added some more ;)
Well, other than you being terribly suspicious of hipconf in general you did not say
aynthing. And that's not very constructive. :p
Diego Biurrun (diego-biurrun) wrote : | # |
On Fri, Nov 04, 2011 at 12:53:25PM +0000, David Martin wrote:
> On Fri, Nov 4, 2011 at 1:25 PM, Diego Biurrun <email address hidden> wrote:
> > On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
> >>
> >> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
> >> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
> >> @@ -54,6 +54,11 @@
> >>
> >> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
> >> +/* keywords used to identify hipd / hipfw as target of hipconf command */
> >> +#define HIPCONF_
> >> +#define HIPCONF_
> >
> > These appear unused outside of conf.c.
>
> Nope, using them in lib/core/message.c as well. Did you pull the latest revisions?
Of course not! I don't pull anything to review your work, why would I?
I just sit here and read emails. I should not have to care about you
committing new revisions somewhere I'm not looking.
> On Fri, Nov 4, 2011 at 1:29 PM, Diego Biurrun <email address hidden> wrote:
> > I said enough to reject it already, just added some more ;)
>
> Well, other than you being terribly suspicious of hipconf in general you did not say
> aynthing. And that's not very constructive. :p
I said there were unrelated stray changes - that's ground enough not to
commit it so I did not bother to look in detail at a version that will
not be pushed anyway ;)
Diego
- 6111. By Miika Komu
-
Fixed an annoyance in a maintainer script
From bug #795846: The "make syncrepo" target seems to unnecessarily copy also
old packages to the repository. Fixed by including the revision number also. - 6112. By David Martin
-
Cosmetics: Move comment in queue_packet() to where it belongs.
- 6113. By David Martin
-
Make hipconf_usage string static as it is local to lib/core/conf.c.
- 6126. By David Martin
-
Cosmetics: fix leftover indentation in Makefile.am.
- 6127. By David Martin
-
Refactor hip_send_
recv_daemon_ info_internal( ) to avoid code duplication. send_recv_
daemon_ info_internal( ) is now called send_recv_ info_internal( )
and gets the destination port as an additional parameter. This way it will
be used to communicate with both hipd and hipfw. As a consequence
hip_send_recv_firewall_ info() has been reduced to a simple wrapper call. - 6128. By David Martin
-
Make hipconf and config file usage more clear.
- 6129. By David Martin
-
Add error handling for process keyword in lib/core/conf.{c, h}.
Comparing an enum to a -1 return value is not good. Add UNKNOWN_KEYWORD
as error return value for conf_get_process().Exit hipconf when an invalid target process keyword is specified and
print an error notice as well. - 6130. By David Martin
-
Fix missing / leftover doxygen documentation.
- 6131. By David Martin
-
Apply new hipconf syntax to doc/HOWTO.xml.in.
- 6132. By David Martin
-
Add daemon keyword to commands in hipdnsproxy.in.
- 6133. By David Martin
-
Apply changed hipconf usage to documentation in sourcefiles.
- 6134. By David Martin
-
Fix some stray error messages referring incorrectly only to the HIP daemon.
Make them more generic by adding the firewall as well.
- 6135. By David Martin
-
Correct header #include ordering in firewall_control.c.
- 6136. By David Martin
-
Make hipfwconf_usage static as it's local to conf.c.
- 6137. By David Martin
-
Cosmetics: Fix typo in conf_get_process() documentation.
- 6138. By David Martin
-
Make daemon_name enum static, it is local to lib/core/conf.c.
- 6139. By David Martin
-
Refer to daemon in error messages instead of mentioning both hipd and hipfw.
- 6140. By David Martin
-
Use 'the' when referring to the daemon in conf.c/message.c error messages.
Sounds a lot better this way.
- 6141. By David Martin
-
Move daemon_name enum to lib/core/conf.c as it is only used there.
- 6142. By David Martin
-
Return enum daemon_name instead of int in conf_get_process().
If we have got a named enum for that purpose we may as well use it.
- 6143. By David Martin
-
Make conf_get_process() const-correct.
Unmerged revisions
Preview Diff
1 | === modified file 'firewall/conntrack.c' |
2 | --- firewall/conntrack.c 2011-10-25 21:14:16 +0000 |
3 | +++ firewall/conntrack.c 2011-11-02 14:51:25 +0000 |
4 | @@ -2244,3 +2244,56 @@ |
5 | remove_connection(conn_list->data); |
6 | } |
7 | } |
8 | + |
9 | +/** |
10 | + * Prepare given message with host association info from the tracked connections. |
11 | + * |
12 | + * @param msg The message where the info is written. |
13 | + * @return 0 on success |
14 | + * -1 on error |
15 | + */ |
16 | +int hip_fw_handle_get_ha_info(struct hip_common *msg) |
17 | +{ |
18 | + struct hip_hadb_user_info_state hid = { { { { 0 } } } }; |
19 | + struct slist *iter_conn; |
20 | + struct connection *conn; |
21 | + struct hip_data *data; |
22 | + |
23 | + if (!msg) { |
24 | + HIP_ERROR("Missing message parameter.\n"); |
25 | + return -1; |
26 | + } |
27 | + |
28 | + if (conn_list == NULL) { |
29 | + HIP_DEBUG("No tracked connections to return.\n"); |
30 | + return 0; |
31 | + } |
32 | + |
33 | + hip_msg_init(msg); |
34 | + if (hip_build_user_hdr(msg, HIP_MSG_GET_HA_INFO, 0) < 0) { |
35 | + HIP_ERROR("Failed to build GET_HA_INFO message header.\n"); |
36 | + return -1; |
37 | + } |
38 | + |
39 | + iter_conn = conn_list; |
40 | + while (iter_conn) { |
41 | + conn = iter_conn->data; |
42 | + data = conn->original.hip_tuple->data; |
43 | + |
44 | + // build HA_INFO with info from connection initiator |
45 | + hid.state = conn->state; |
46 | + ipv6_addr_copy(&hid.hit_our, &data->src_hit); |
47 | + ipv6_addr_copy(&hid.hit_peer, &data->dst_hit); |
48 | + hid.nat_udp_port_local = conn->original.src_port; |
49 | + hid.nat_udp_port_peer = conn->original.dst_port; |
50 | + |
51 | + if (hip_build_param_contents(msg, &hid, HIP_PARAM_HA_INFO, sizeof(hid)) < 0) { |
52 | + HIP_ERROR("Failed to build initiator HA_INFO parameter.\n"); |
53 | + return -1; |
54 | + } |
55 | + |
56 | + iter_conn = iter_conn->next; |
57 | + } |
58 | + |
59 | + return 0; |
60 | +} |
61 | |
62 | === modified file 'firewall/conntrack.h' |
63 | --- firewall/conntrack.h 2011-07-18 16:31:37 +0000 |
64 | +++ firewall/conntrack.h 2011-11-02 14:51:25 +0000 |
65 | @@ -63,4 +63,6 @@ |
66 | void hip_fw_conntrack_periodic_cleanup(void); |
67 | void hip_fw_uninit_conntrack(void); |
68 | |
69 | +int hip_fw_handle_get_ha_info(struct hip_common *msg); |
70 | + |
71 | #endif /* HIP_FIREWALL_CONNTRACK_H */ |
72 | |
73 | === modified file 'firewall/firewall.c' |
74 | --- firewall/firewall.c 2011-10-30 11:41:51 +0000 |
75 | +++ firewall/firewall.c 2011-11-02 14:51:25 +0000 |
76 | @@ -1672,7 +1672,7 @@ |
77 | n = recvfrom(hip_fw_async_sock, msg, sizeof(struct hip_common), |
78 | MSG_PEEK, (struct sockaddr *) &sock_addr, &alen); |
79 | if (n < 0) { |
80 | - HIP_ERROR("Error receiving message header from daemon.\n"); |
81 | + HIP_ERROR("Error receiving message header.\n"); |
82 | return -1; |
83 | } |
84 | |
85 | @@ -1701,24 +1701,13 @@ |
86 | (struct sockaddr *) &sock_addr, &alen); |
87 | |
88 | if (n < 0) { |
89 | - HIP_ERROR("Error receiving message parameters from daemon.\n"); |
90 | + HIP_ERROR("Error receiving message parameters.\n"); |
91 | return -1; |
92 | } |
93 | |
94 | HIP_ASSERT(n == len); |
95 | |
96 | - if (ntohs(sock_addr.sin6_port) != HIP_DAEMON_LOCAL_PORT) { |
97 | - int type = hip_get_msg_type(msg); |
98 | - if (type == HIP_MSG_FW_BEX_DONE) { |
99 | - HIP_DEBUG("HIP_MSG_FW_BEX_DONE\n"); |
100 | - HIP_DEBUG("%d == %d\n", ntohs(sock_addr.sin6_port), |
101 | - HIP_DAEMON_LOCAL_PORT); |
102 | - } |
103 | - HIP_DEBUG("Drop, message not from hipd\n"); |
104 | - return -1; |
105 | - } |
106 | - |
107 | - if (hip_handle_msg(msg) < 0) { |
108 | + if (hip_handle_msg(msg, (struct sockaddr *) &sock_addr) < 0) { |
109 | HIP_ERROR("Error handling message\n"); |
110 | return -1; |
111 | } |
112 | @@ -1847,8 +1836,6 @@ |
113 | sock_addr.sin6_addr = in6addr_loopback; |
114 | HIP_IFEL(bind(hip_fw_async_sock, (struct sockaddr *) &sock_addr, sizeof(sock_addr)), -1, |
115 | "Bind on firewall socket addr failed. Give -k option to kill old hipfw\n"); |
116 | - HIP_IFEL(hip_daemon_connect(hip_fw_async_sock), -1, |
117 | - "connecting socket failed\n"); |
118 | |
119 | /* Starting hipfw does not always work when hipfw starts first -miika */ |
120 | if (hip_userspace_ipsec || hip_lsi_support) { |
121 | @@ -1944,7 +1931,7 @@ |
122 | } |
123 | |
124 | if (FD_ISSET(hip_fw_async_sock, &read_fdset)) { |
125 | - HIP_DEBUG("****** Received HIPD message ******\n"); |
126 | + HIP_DEBUG("****** Received user message ******\n"); |
127 | err = fw_handle_hipd_message(msg); |
128 | } |
129 | |
130 | @@ -2009,3 +1996,31 @@ |
131 | |
132 | return &default_lsi; |
133 | } |
134 | + |
135 | +/** |
136 | + * Send a message via the firewall socket for asynchronous messages. |
137 | + * Caller is responsible for setting up the message. |
138 | + * |
139 | + * @param msg The message to be sent. |
140 | + * @param addr The destination address. |
141 | + * |
142 | + * @return 0 on success |
143 | + * -1 on error |
144 | + */ |
145 | +int hip_fw_send_message(const struct hip_common *const msg, |
146 | + const struct sockaddr *const addr) |
147 | +{ |
148 | + uint16_t len; |
149 | + |
150 | + if (msg == NULL || addr == NULL) { |
151 | + HIP_ERROR("Empty message or address.\n"); |
152 | + return -1; |
153 | + } |
154 | + |
155 | + len = hip_get_msg_total_len(msg); |
156 | + if (sendto(hip_fw_async_sock, msg, len, 0, addr, hip_sockaddr_len(addr)) != len) { |
157 | + return -1; |
158 | + } |
159 | + |
160 | + return 0; |
161 | +} |
162 | |
163 | === modified file 'firewall/firewall.h' |
164 | --- firewall/firewall.h 2011-04-05 16:44:22 +0000 |
165 | +++ firewall/firewall.h 2011-11-02 14:51:25 +0000 |
166 | @@ -1,5 +1,5 @@ |
167 | /* |
168 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
169 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
170 | * |
171 | * Permission is hereby granted, free of charge, to any person |
172 | * obtaining a copy of this software and associated documentation |
173 | @@ -55,5 +55,7 @@ |
174 | void hip_fw_uninit_esp_relay(void); |
175 | hip_hit_t *hip_fw_get_default_hit(void); |
176 | hip_lsi_t *hip_fw_get_default_lsi(void); |
177 | +int hip_fw_send_message(const struct hip_common *const msg, |
178 | + const struct sockaddr *const addr); |
179 | |
180 | #endif /* HIP_FIREWALL_FIREWALL_H */ |
181 | |
182 | === modified file 'firewall/firewall_control.c' |
183 | --- firewall/firewall_control.c 2011-10-25 21:14:16 +0000 |
184 | +++ firewall/firewall_control.c 2011-11-02 14:51:25 +0000 |
185 | @@ -38,10 +38,12 @@ |
186 | #include <string.h> |
187 | #include <netinet/in.h> |
188 | |
189 | +#include "conntrack.h" |
190 | #include "lib/core/builder.h" |
191 | #include "lib/core/debug.h" |
192 | #include "lib/core/ife.h" |
193 | #include "lib/core/message.h" |
194 | +#include "lib/core/prefix.h" |
195 | #include "lib/core/protodefs.h" |
196 | #include "cache.h" |
197 | #include "firewall.h" |
198 | @@ -91,12 +93,13 @@ |
199 | } |
200 | |
201 | /** |
202 | - * distribute a message from hipd to the respective extension handler |
203 | + * distribute a user message to the respective extension handler |
204 | * |
205 | - * @param msg pointer to the received user message |
206 | + * @param msg pointer to the received user message |
207 | + * @param addr destination address for a reply |
208 | * @return 0 on success, else -1 |
209 | */ |
210 | -int hip_handle_msg(struct hip_common *msg) |
211 | +int hip_handle_msg(struct hip_common *msg, struct sockaddr *addr) |
212 | { |
213 | int type, err = 0; |
214 | struct hip_common *msg_out = NULL; |
215 | @@ -150,12 +153,36 @@ |
216 | HIP_IFEL(hip_send_recv_daemon_info(msg_out, 1, hip_fw_sock), -1, |
217 | "Couldn't notify daemon of firewall presence\n"); |
218 | break; |
219 | + case HIP_MSG_GET_HA_INFO: |
220 | + HIP_IFEL(hip_fw_handle_get_ha_info(msg), -1, |
221 | + "Could not handle GET_HA message.\n"); |
222 | + HIP_IFEL(hip_fw_send_message(msg, addr), -1, |
223 | + "Could not send HA reply.\n"); |
224 | + break; |
225 | default: |
226 | HIP_ERROR("Unhandled message type %d\n", type); |
227 | err = -1; |
228 | break; |
229 | } |
230 | + |
231 | out_err: |
232 | + if (hip_get_msg_response(msg)) { |
233 | + HIP_DEBUG("Send response\n"); |
234 | + if (err) { |
235 | + hip_hdr msg_type = hip_get_msg_type(msg); |
236 | + hip_msg_init(msg); |
237 | + hip_build_user_hdr(msg, msg_type, 0); |
238 | + hip_set_msg_err(msg, 1); |
239 | + } |
240 | + HIP_DEBUG("Sending message (type=%d) response\n", |
241 | + hip_get_msg_type(msg)); |
242 | + if (hip_fw_send_message(msg, addr) == -1) { |
243 | + err = -1; |
244 | + } else { |
245 | + HIP_DEBUG("Response sent ok\n"); |
246 | + } |
247 | + } |
248 | + |
249 | free(msg_out); |
250 | return err; |
251 | } |
252 | |
253 | === modified file 'firewall/firewall_control.h' |
254 | --- firewall/firewall_control.h 2010-10-15 15:29:14 +0000 |
255 | +++ firewall/firewall_control.h 2011-11-02 14:51:25 +0000 |
256 | @@ -1,5 +1,5 @@ |
257 | /* |
258 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
259 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
260 | * |
261 | * Permission is hereby granted, free of charge, to any person |
262 | * obtaining a copy of this software and associated documentation |
263 | @@ -28,6 +28,6 @@ |
264 | |
265 | #include "lib/core/protodefs.h" |
266 | |
267 | -int hip_handle_msg(struct hip_common *msg); |
268 | +int hip_handle_msg(struct hip_common *msg, struct sockaddr *addr); |
269 | |
270 | #endif /* HIP_FIREWALL_FIREWALL_CONTROL_H */ |
271 | |
272 | === modified file 'hipd/init.c' |
273 | --- hipd/init.c 2011-10-30 11:54:44 +0000 |
274 | +++ hipd/init.c 2011-11-02 14:51:25 +0000 |
275 | @@ -164,7 +164,7 @@ |
276 | } |
277 | |
278 | #define HIPL_CONFIG_FILE_EX \ |
279 | - "# Format of this file is as with hipconf, but without hipconf prefix\n\ |
280 | + "# Format of this file is as with hipconf, but without \"hipconf daemon\" prefix\n\ |
281 | # add hi default # add all four HITs (see bug id 592127)\n\ |
282 | # add map HIT IP # preload some HIT-to-IP mappings to hipd\n\ |
283 | # add service rvs # the host acts as HIP rendezvous (see also HIPL_SYSCONFDIR/relay_config)\n\ |
284 | |
285 | === modified file 'lib/core/conf.c' |
286 | --- lib/core/conf.c 2011-10-31 17:38:04 +0000 |
287 | +++ lib/core/conf.c 2011-11-02 14:51:25 +0000 |
288 | @@ -181,6 +181,11 @@ |
289 | /* #define TYPE_RELAY 22 */ |
290 | |
291 | /** |
292 | + * The daemon process to be configured by the conf command. |
293 | + */ |
294 | +enum daemon_name daemon_name; |
295 | + |
296 | +/** |
297 | * A help string containing the usage of @c hipconf and also |
298 | * @c HIPL_SYSCONFDIR/hipd_config. |
299 | * |
300 | @@ -188,6 +193,9 @@ |
301 | * for the action. |
302 | */ |
303 | const char *hipconf_usage = |
304 | + HIPCONF_HIPD_KEYWORD |
305 | + " <command>\n\n" |
306 | + "HIP daemon commands:\n" |
307 | "add map <hit> <ip> [lsi]\n" |
308 | "get map <hit | lsi>\n" |
309 | "del hi <hit> | all\n" |
310 | @@ -226,6 +234,51 @@ |
311 | ; |
312 | |
313 | /** |
314 | + * A help string containing the usage of @c hipfwconf. |
315 | + * |
316 | + * @note If you added a new action, do not forget to add a brief usage below |
317 | + * for the action. |
318 | + */ |
319 | +const char *hipfwconf_usage = |
320 | + HIPCONF_HIPFW_KEYWORD |
321 | + " <command>\n\n" |
322 | + "HIP firewall commands:\n" |
323 | + "get ha <hit> | all\n"; |
324 | + |
325 | +/** |
326 | + * Send a message to hipd or hipfw and optionally receive an answer. |
327 | + * |
328 | + * @param msg The message to be sent. The respective answer will be stored |
329 | + * here as well. |
330 | + * @param send_only 1 if no response from hipd should be requested. |
331 | + * 0 if it should block until a response from hipd is received. |
332 | + * This option has no effect when sending messages to hipfw. |
333 | + * |
334 | + * @return 0 on success |
335 | + * -1 on error |
336 | + */ |
337 | +static int send_receive_message(struct hip_common *msg, |
338 | + const int send_only) |
339 | +{ |
340 | + if (daemon_name == HIP_DAEMON) { |
341 | + if (hip_send_recv_daemon_info(msg, send_only, 0)) { |
342 | + HIP_ERROR("Failed to send user message to the HIP daemon.\n"); |
343 | + return -1; |
344 | + } |
345 | + } else if (daemon_name == HIP_FIREWALL) { |
346 | + if (hip_send_recv_firewall_info(msg)) { |
347 | + HIP_ERROR("Failed to send user message to the HIP firewall.\n"); |
348 | + return -1; |
349 | + } |
350 | + } else { |
351 | + HIP_ERROR("Destination daemon process unknown.\n"); |
352 | + return -1; |
353 | + } |
354 | + |
355 | + return 0; |
356 | +} |
357 | + |
358 | +/** |
359 | * Query hipd for the HITs of the local host |
360 | * |
361 | * @param msg input/output message for the query/response for hipd |
362 | @@ -510,6 +563,25 @@ |
363 | /* Non-static functions -> global scope */ |
364 | |
365 | /** |
366 | + * Map daemon / firewall keyboard to its respective enum. |
367 | + * |
368 | + * @param argv an array of strings (command line args to hipconf) |
369 | + * @return HIP_DAEMON in case of hipd keyword |
370 | + * HIP_FIREWALL in case of hipfw keyword |
371 | + * UNKNOWN_KEYWORD else |
372 | + */ |
373 | +static int conf_get_process(const char *argv[]) |
374 | +{ |
375 | + if (!strcmp(HIPCONF_HIPD_KEYWORD, argv[1])) { |
376 | + return HIP_DAEMON; |
377 | + } else if (!strcmp(HIPCONF_HIPFW_KEYWORD, argv[1])) { |
378 | + return HIP_FIREWALL; |
379 | + } |
380 | + |
381 | + return UNKNOWN_KEYWORD; |
382 | +} |
383 | + |
384 | +/** |
385 | * Map a symbolic hipconf action (=add/del) into a number |
386 | * |
387 | * @param argv an array of strings (command line args to hipconf) |
388 | @@ -526,61 +598,61 @@ |
389 | { |
390 | int ret = -1; |
391 | |
392 | - if (!strcmp("add", argv[1])) { |
393 | + if (!strcmp("add", argv[2])) { |
394 | ret = ACTION_ADD; |
395 | - } else if (!strcmp("del", argv[1])) { |
396 | + } else if (!strcmp("del", argv[2])) { |
397 | ret = ACTION_DEL; |
398 | - } else if (!strcmp("new", argv[1])) { |
399 | + } else if (!strcmp("new", argv[2])) { |
400 | ret = ACTION_NEW; |
401 | - } else if (!strcmp("get", argv[1])) { |
402 | + } else if (!strcmp("get", argv[2])) { |
403 | ret = ACTION_GET; |
404 | - } else if (!strcmp("set", argv[1])) { |
405 | + } else if (!strcmp("set", argv[2])) { |
406 | ret = ACTION_SET; |
407 | - } else if (!strcmp("inc", argv[1])) { |
408 | + } else if (!strcmp("inc", argv[2])) { |
409 | ret = ACTION_INC; |
410 | - } else if (!strcmp("dec", argv[1])) { |
411 | + } else if (!strcmp("dec", argv[2])) { |
412 | ret = ACTION_DEC; |
413 | - } else if (!strcmp("rst", argv[1])) { |
414 | + } else if (!strcmp("rst", argv[2])) { |
415 | ret = ACTION_RST; |
416 | - } else if (!strcmp("run", argv[1])) { |
417 | + } else if (!strcmp("run", argv[2])) { |
418 | ret = ACTION_RUN; |
419 | - } else if (!strcmp("load", argv[1])) { |
420 | + } else if (!strcmp("load", argv[2])) { |
421 | ret = ACTION_LOAD; |
422 | - } else if (!strcmp("heartbeat", argv[1])) { |
423 | + } else if (!strcmp("heartbeat", argv[2])) { |
424 | ret = ACTION_HEARTBEAT; |
425 | - } else if (!strcmp("locator", argv[1])) { |
426 | + } else if (!strcmp("locator", argv[2])) { |
427 | ret = ACTION_LOCATOR; |
428 | - } else if (!strcmp("debug", argv[1])) { |
429 | + } else if (!strcmp("debug", argv[2])) { |
430 | ret = ACTION_DEBUG; |
431 | - } else if (!strcmp("transform", argv[1])) { |
432 | + } else if (!strcmp("transform", argv[2])) { |
433 | ret = ACTION_TRANSORDER; |
434 | - } else if (!strcmp("reinit", argv[1])) { |
435 | + } else if (!strcmp("reinit", argv[2])) { |
436 | ret = ACTION_REINIT; |
437 | - } else if (!strcmp("manual-update", argv[1])) { |
438 | + } else if (!strcmp("manual-update", argv[2])) { |
439 | ret = ACTION_MANUAL_UPDATE; |
440 | - } else if (!strcmp("hit-to-lsi", argv[1])) { |
441 | + } else if (!strcmp("hit-to-lsi", argv[2])) { |
442 | ret = ACTION_HIT_TO_LSI; |
443 | - } else if (!strcmp("nsupdate", argv[1])) { |
444 | + } else if (!strcmp("nsupdate", argv[2])) { |
445 | ret = ACTION_NSUPDATE; |
446 | - } else if (!strcmp("hit-to-ip-set", argv[1])) { |
447 | + } else if (!strcmp("hit-to-ip-set", argv[2])) { |
448 | ret = ACTION_HIT_TO_IP_SET; |
449 | - } else if (!strcmp("hit-to-ip", argv[1])) { |
450 | + } else if (!strcmp("hit-to-ip", argv[2])) { |
451 | ret = ACTION_HIT_TO_IP; |
452 | - } else if (!strcmp("shotgun", argv[1])) { |
453 | + } else if (!strcmp("shotgun", argv[2])) { |
454 | ret = ACTION_SHOTGUN; |
455 | - } else if (!strcmp("lsi-to-hit", argv[1])) { |
456 | + } else if (!strcmp("lsi-to-hit", argv[2])) { |
457 | ret = ACTION_LSI_TO_HIT; |
458 | - } else if (!strcmp("nat", argv[1])) { |
459 | - if (!strcmp("port", argv[2])) { |
460 | - if (!strcmp("local", argv[3])) { |
461 | + } else if (!strcmp("nat", argv[2])) { |
462 | + if (!strcmp("port", argv[3])) { |
463 | + if (!strcmp("local", argv[4])) { |
464 | ret = ACTION_NAT_LOCAL_PORT; |
465 | - } else if (!strcmp("peer", argv[3])) { |
466 | + } else if (!strcmp("peer", argv[4])) { |
467 | ret = ACTION_NAT_PEER_PORT; |
468 | } |
469 | } else { |
470 | ret = ACTION_NAT; |
471 | } |
472 | - } else if (!strcmp("broadcast", argv[1])) { |
473 | + } else if (!strcmp("broadcast", argv[2])) { |
474 | ret = ACTION_BROADCAST; |
475 | } |
476 | |
477 | @@ -670,45 +742,45 @@ |
478 | ret = TYPE_HA; |
479 | } else if (!strcmp("shotgun", text)) { |
480 | ret = TYPE_SHOTGUN; |
481 | - } else if ((!strcmp("all", text)) && (strcmp("rst", argv[1]) == 0)) { |
482 | - ret = TYPE_RST; |
483 | - } else if ((!strcmp("peer_hit", text)) && (strcmp("rst", argv[1]) == 0)) { |
484 | - ret = TYPE_RST; |
485 | - } else if (strcmp("nat", argv[1]) == 0) { |
486 | - if (argv[2] && strcmp("port", argv[2]) == 0) { |
487 | - if (argv[3] && strcmp("local", argv[3]) == 0) { |
488 | + } else if ((!strcmp("all", text)) && (strcmp("rst", argv[2]) == 0)) { |
489 | + ret = TYPE_RST; |
490 | + } else if ((!strcmp("peer_hit", text)) && (strcmp("rst", argv[2]) == 0)) { |
491 | + ret = TYPE_RST; |
492 | + } else if (strcmp("nat", argv[2]) == 0) { |
493 | + if (argv[3] && strcmp("port", argv[3]) == 0) { |
494 | + if (argv[4] && strcmp("local", argv[4]) == 0) { |
495 | ret = TYPE_NAT_LOCAL_PORT; |
496 | - } else if (argv[3] && strcmp("peer", argv[3]) == 0) { |
497 | + } else if (argv[4] && strcmp("peer", argv[4]) == 0) { |
498 | ret = TYPE_NAT_PEER_PORT; |
499 | } |
500 | } else { |
501 | ret = TYPE_NAT; |
502 | } |
503 | - } else if (strcmp("locator", argv[1]) == 0) { |
504 | + } else if (strcmp("locator", argv[2]) == 0) { |
505 | ret = TYPE_LOCATOR; |
506 | } else if (!strcmp("debug", text)) { |
507 | ret = TYPE_DEBUG; |
508 | } else if (!strcmp("order", text)) { |
509 | ret = TYPE_ORDER; |
510 | - } else if (strcmp("heartbeat", argv[1]) == 0) { |
511 | + } else if (strcmp("heartbeat", argv[2]) == 0) { |
512 | ret = TYPE_HEARTBEAT; |
513 | } else if (!strcmp("ttl", text)) { |
514 | ret = TYPE_TTL; |
515 | } else if (!strcmp("config", text)) { |
516 | ret = TYPE_CONFIG; |
517 | - } else if (strcmp("manual-update", argv[1]) == 0) { |
518 | + } else if (strcmp("manual-update", argv[2]) == 0) { |
519 | ret = TYPE_MANUAL_UPDATE; |
520 | - } else if (strcmp("hit-to-lsi", argv[1]) == 0) { |
521 | + } else if (strcmp("hit-to-lsi", argv[2]) == 0) { |
522 | ret = TYPE_HIT_TO_LSI; |
523 | - } else if (strcmp("nsupdate", argv[1]) == 0) { |
524 | + } else if (strcmp("nsupdate", argv[2]) == 0) { |
525 | ret = TYPE_NSUPDATE; |
526 | - } else if (strcmp("hit-to-ip-set", argv[1]) == 0) { |
527 | + } else if (strcmp("hit-to-ip-set", argv[2]) == 0) { |
528 | ret = TYPE_HIT_TO_IP_SET; |
529 | - } else if (strcmp("hit-to-ip", argv[1]) == 0) { |
530 | + } else if (strcmp("hit-to-ip", argv[2]) == 0) { |
531 | ret = TYPE_HIT_TO_IP; |
532 | - } else if (strcmp("lsi-to-hit", argv[1]) == 0) { |
533 | + } else if (strcmp("lsi-to-hit", argv[2]) == 0) { |
534 | ret = TYPE_LSI_TO_HIT; |
535 | - } else if (strcmp("broadcast", argv[1]) == 0) { |
536 | + } else if (strcmp("broadcast", argv[2]) == 0) { |
537 | ret = TYPE_BROADCAST; |
538 | } else { |
539 | HIP_DEBUG("ERROR: NO MATCHES FOUND \n"); |
540 | @@ -725,7 +797,7 @@ |
541 | * here in the switch(action) block. |
542 | * @param action integer value for an action |
543 | * @return an index for argv[], which indicates the type argument. |
544 | - * Usually either 1 or 2. |
545 | + * Usually either 2 or 3. |
546 | */ |
547 | static int conf_get_type_arg(int action) |
548 | { |
549 | @@ -753,15 +825,15 @@ |
550 | case ACTION_HIT_TO_IP: |
551 | case ACTION_HIT_TO_IP_SET: |
552 | case ACTION_BROADCAST: |
553 | + type_arg = 3; |
554 | + break; |
555 | + case ACTION_MANUAL_UPDATE: |
556 | + case ACTION_HIT_TO_LSI: |
557 | + case ACTION_LSI_TO_HIT: |
558 | + case ACTION_DEBUG: |
559 | + case ACTION_SHOTGUN: |
560 | type_arg = 2; |
561 | break; |
562 | - case ACTION_MANUAL_UPDATE: |
563 | - case ACTION_HIT_TO_LSI: |
564 | - case ACTION_LSI_TO_HIT: |
565 | - case ACTION_DEBUG: |
566 | - case ACTION_SHOTGUN: |
567 | - type_arg = 1; |
568 | - break; |
569 | default: |
570 | break; |
571 | } |
572 | @@ -2042,10 +2114,10 @@ |
573 | HIP_IFEL(optc > 1, -1, "Too many arguments\n"); |
574 | |
575 | HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_GET_HA_INFO, 0), -1, |
576 | - "Building of daemon header failed\n"); |
577 | + "Building of user msg header failed\n"); |
578 | |
579 | - HIP_IFEL(hip_send_recv_daemon_info(msg, send_only, 0), -1, |
580 | - "send recv daemon info\n"); |
581 | + HIP_IFEL(send_receive_message(msg, send_only), -1, |
582 | + "send recv info\n"); |
583 | |
584 | while ((current_param = hip_get_next_param(msg, current_param))) { |
585 | ha = hip_get_param_contents_direct(current_param); |
586 | @@ -2313,8 +2385,9 @@ |
587 | *comment = '\0'; |
588 | } |
589 | |
590 | - /* prefix the contents of the line with" hipconf" */ |
591 | - res_len = sprintf(str, "hipconf %s", c); |
592 | + /* prefix the contents of the line with" hipconf HIPCONF_HIPD_KEYWORD" |
593 | + * Only hipd parses config files as hipconf commands, hardcode it as target */ |
594 | + res_len = sprintf(str, "hipconf %s %s", HIPCONF_HIPD_KEYWORD, c); |
595 | if (str[res_len] == '\n') { |
596 | str[res_len] = '\0'; |
597 | } |
598 | @@ -2327,7 +2400,6 @@ |
599 | args[i++] = token; |
600 | token = strtok(NULL, " \t"); |
601 | } |
602 | - |
603 | err = hip_do_hipconf(i, args, 1); |
604 | if (err) { |
605 | HIP_ERROR("Error on the following line: %s\n", line); |
606 | @@ -2451,9 +2523,18 @@ |
607 | struct hip_common *msg = NULL; |
608 | |
609 | /* Check that we have at least one command line argument. */ |
610 | - if (argc < 2) { |
611 | - HIP_ERROR("Invalid arguments.\n\n%s usage:\n%s\n", |
612 | - argv[0], hipconf_usage); |
613 | + if (argc < 3) { |
614 | + HIP_ERROR("Invalid arguments.\nUsage to communicate with HIP daemon:\n %s %s\n" |
615 | + "\nUsage to communicate with HIP firewall:\n %s %s\n", |
616 | + argv[0], hipconf_usage, argv[0], hipfwconf_usage); |
617 | + return -1; |
618 | + } |
619 | + |
620 | + /* set context for this conf command */ |
621 | + daemon_name = conf_get_process(argv); |
622 | + if (daemon_name == UNKNOWN_KEYWORD) { |
623 | + HIP_ERROR("Invalid target process argument '%s'. Expected '%s' or '%s'.\n", |
624 | + argv[1], HIPCONF_HIPD_KEYWORD, HIPCONF_HIPFW_KEYWORD); |
625 | return -1; |
626 | } |
627 | |
628 | @@ -2461,14 +2542,14 @@ |
629 | action = conf_get_action(argv); |
630 | |
631 | if (action == -1) { |
632 | - HIP_ERROR("Invalid action argument '%s'\n", argv[1]); |
633 | + HIP_ERROR("Invalid action argument '%s'\n", argv[2]); |
634 | return -1; |
635 | } |
636 | |
637 | /* Check that we have at least the minimum number of arguments |
638 | * for the given action. */ |
639 | - if (argc < conf_check_action_argc(action) + 2) { |
640 | - HIP_ERROR("Not enough arguments given for the action '%s'\n", argv[1]); |
641 | + if (argc < conf_check_action_argc(action) + 3) { |
642 | + HIP_ERROR("Not enough arguments given for the action '%s'\n", argv[2]); |
643 | return -1; |
644 | } |
645 | |
646 | @@ -2496,14 +2577,14 @@ |
647 | /* Call handler function from the handler function pointer |
648 | * array at index "type" with given commandline arguments. |
649 | * The functions build a hip_common message. */ |
650 | - if (argc == 3) { |
651 | - err = (*action_handler[type])(msg, action, &argv[2], argc - 3, send_only); |
652 | + if (argc == 4) { |
653 | + err = (*action_handler[type])(msg, action, &argv[3], argc - 4, send_only); |
654 | } else { |
655 | - err = (*action_handler[type])(msg, action, &argv[3], argc - 3, send_only); |
656 | + err = (*action_handler[type])(msg, action, &argv[4], argc - 4, send_only); |
657 | } |
658 | |
659 | if (err != 0) { |
660 | - HIP_ERROR("Failed to send a message to the HIP daemon.\n"); |
661 | + HIP_ERROR("Failed to send user message.\n"); |
662 | goto out_err; |
663 | } |
664 | |
665 | @@ -2512,9 +2593,7 @@ |
666 | goto out_err; |
667 | } |
668 | |
669 | - /* Send message to hipd */ |
670 | - HIP_IFEL(hip_send_recv_daemon_info(msg, send_only, 0), -1, |
671 | - "Failed to send user message to the HIP daemon.\n"); |
672 | + send_receive_message(msg, send_only); |
673 | |
674 | HIP_INFO("User message was sent successfully to the HIP daemon.\n"); |
675 | |
676 | |
677 | === modified file 'lib/core/conf.h' |
678 | --- lib/core/conf.h 2011-08-15 14:11:56 +0000 |
679 | +++ lib/core/conf.h 2011-11-02 14:51:25 +0000 |
680 | @@ -54,6 +54,11 @@ |
681 | #define ACTION_ADD 1 |
682 | #define ACTION_NEW 3 |
683 | |
684 | +enum daemon_name { HIP_DAEMON, HIP_FIREWALL, UNKNOWN_KEYWORD }; |
685 | +/* keywords used to identify hipd / hipfw as target of hipconf command */ |
686 | +#define HIPCONF_HIPD_KEYWORD "daemon" |
687 | +#define HIPCONF_HIPFW_KEYWORD "firewall" |
688 | + |
689 | int hip_handle_exec_app(int fork, int type, int argc, |
690 | const char *const argv[]); |
691 | int hip_do_hipconf(int argc, const char *argv[], int send_only); |
692 | |
693 | === modified file 'lib/core/message.c' |
694 | --- lib/core/message.c 2011-10-25 21:44:47 +0000 |
695 | +++ lib/core/message.c 2011-11-02 14:51:25 +0000 |
696 | @@ -86,6 +86,7 @@ |
697 | #include <sys/time.h> |
698 | #include <sys/types.h> |
699 | |
700 | +#include "lib/core/conf.h" |
701 | #include "lib/tool/nlink.h" |
702 | #include "builder.h" |
703 | #include "common.h" |
704 | @@ -178,6 +179,30 @@ |
705 | } |
706 | |
707 | /** |
708 | + * Connect a socket to the loopback address of hipd or hipfw. |
709 | + * |
710 | + * @param hip_user_sock The socket to connect. |
711 | + * @param port The port to connect. |
712 | + * @return zero on success and negative on failure |
713 | + * @note currently only SOCK_DGRAM and AF_INET6 are supported |
714 | + */ |
715 | +static int hip_connect(int hip_user_sock, int port) |
716 | +{ |
717 | + struct sockaddr_in6 addr = { 0 }; |
718 | + |
719 | + addr.sin6_family = AF_INET6; |
720 | + addr.sin6_port = htons(port); |
721 | + addr.sin6_addr = in6addr_loopback; |
722 | + |
723 | + if (connect(hip_user_sock, (struct sockaddr *) &addr, sizeof(addr))) { |
724 | + HIP_ERROR("connection failed: %s\n", strerror(errno)); |
725 | + return -1; |
726 | + } |
727 | + |
728 | + return 0; |
729 | +} |
730 | + |
731 | +/** |
732 | * Connect a socket to the loop back address of hipd |
733 | * |
734 | * @param hip_user_sock The socket to connect. Currently only SOCK_DGRAM |
735 | @@ -187,21 +212,7 @@ |
736 | */ |
737 | int hip_daemon_connect(int hip_user_sock) |
738 | { |
739 | - int err = 0; |
740 | - struct sockaddr_in6 daemon_addr = { 0 }; |
741 | - // We're using system call here add thus resetting errno. |
742 | - errno = 0; |
743 | - |
744 | - daemon_addr.sin6_family = AF_INET6; |
745 | - daemon_addr.sin6_port = htons(HIP_DAEMON_LOCAL_PORT); |
746 | - daemon_addr.sin6_addr = in6addr_loopback; |
747 | - |
748 | - HIP_IFEL(connect(hip_user_sock, (struct sockaddr *) &daemon_addr, |
749 | - sizeof(daemon_addr)), -1, "connection to daemon failed\n"); |
750 | - |
751 | -out_err: |
752 | - |
753 | - return err; |
754 | + return hip_connect(hip_user_sock, HIP_DAEMON_LOCAL_PORT); |
755 | } |
756 | |
757 | /** |
758 | @@ -319,23 +330,30 @@ |
759 | #define EHIP 500 |
760 | |
761 | /** |
762 | - * Send and receive data with hipd. Do not call this function directly, use |
763 | - * hip_send_recv_daemon_info instead! |
764 | + * Send and receive data with hipd or hipfw. Do not call this function directly, |
765 | + * use hip_send_recv_daemon_info or hip_send_recv_firewall_info instead! |
766 | * |
767 | - * @param msg the message to send to hipd |
768 | + * @param msg The message to send to hipd or hipfw |
769 | * @param opt_socket Optional socket to use for the message exchange. When |
770 | * set to zero, the function creates a temporary socket |
771 | * and closes it after the transaction is completed. |
772 | + * @param port The port to send the message to. |
773 | * @return zero on success and negative on failure |
774 | * @note currently only SOCK_DGRAM and AF_INET6 are supported |
775 | */ |
776 | -static int send_recv_daemon_info_internal(struct hip_common *msg, |
777 | - int opt_socket) |
778 | +static int send_recv_info_internal(struct hip_common *msg, int opt_socket, int port) |
779 | { |
780 | int hip_user_sock = 0, err = 0, n = 0, len = 0; |
781 | struct sockaddr_in6 addr = { 0 }; |
782 | uint8_t msg_type_old, msg_type_new; |
783 | + const char *receiver; |
784 | |
785 | + /* determine receiver to print correct debug / error messages */ |
786 | + if (port == HIP_FIREWALL_PORT) { |
787 | + receiver = HIPCONF_HIPFW_KEYWORD; |
788 | + } else { |
789 | + receiver = HIPCONF_HIPD_KEYWORD; |
790 | + } |
791 | msg_type_old = hip_get_msg_type(msg); |
792 | |
793 | // We're using system call here and thus resetting errno. |
794 | @@ -354,9 +372,9 @@ |
795 | HIP_IFEL(daemon_bind_socket(hip_user_sock, |
796 | (struct sockaddr *) &addr), -1, |
797 | "bind failed\n"); |
798 | - /* Connect to hipd. Otherwise e.g. "hipconf get ha all" |
799 | + /* Connect to hipd or hipfw. Otherwise e.g. "hipconf daemon get ha all" |
800 | * blocks when hipd is not running. */ |
801 | - HIP_IFEL(hip_daemon_connect(hip_user_sock), -1, |
802 | + HIP_IFEL(hip_connect(hip_user_sock, port), -1, |
803 | "connect failed\n"); |
804 | } |
805 | |
806 | @@ -368,14 +386,18 @@ |
807 | /* Require a response from hipd */ |
808 | hip_set_msg_response(msg, 1); |
809 | |
810 | - n = sendto_hipd(hip_user_sock, msg, len); |
811 | + if (port == HIP_FIREWALL_PORT) { |
812 | + n = send(hip_user_sock, msg, len, 0); |
813 | + } else { |
814 | + n = sendto_hipd(hip_user_sock, msg, len); |
815 | + } |
816 | if (n < len) { |
817 | - HIP_ERROR("Could not send message to daemon.\n"); |
818 | + HIP_ERROR("Could not send message to %s.\n", receiver); |
819 | err = -ECOMM; |
820 | goto out_err; |
821 | } |
822 | |
823 | - HIP_DEBUG("Waiting to receive daemon info.\n"); |
824 | + HIP_DEBUG("Waiting to receive %s info.\n", receiver); |
825 | |
826 | if ((len = peek_recv_total_len(hip_user_sock, 0, HIP_DEFAULT_MSG_TIMEOUT)) < 0) { |
827 | err = len; |
828 | @@ -390,14 +412,14 @@ |
829 | "Message sync problem. Expected %d, got %d\n", |
830 | msg_type_old, msg_type_new); |
831 | |
832 | - HIP_DEBUG("%d bytes received from HIP daemon\n", n); |
833 | + HIP_DEBUG("%d bytes received from HIP %s.\n", n, receiver); |
834 | |
835 | if (n == 0) { |
836 | - HIP_INFO("The HIP daemon has performed an orderly shutdown.\n"); |
837 | + HIP_INFO("The HIP %s has performed an orderly shutdown.\n", receiver); |
838 | // Note. This is not an error condition, thus we return zero. |
839 | goto out_err; |
840 | } else if (n < (int) sizeof(struct hip_common)) { |
841 | - HIP_ERROR("Could not receive message from daemon.\n"); |
842 | + HIP_ERROR("Could not receive message from %s.\n", receiver); |
843 | goto out_err; |
844 | } |
845 | |
846 | @@ -442,7 +464,7 @@ |
847 | struct sockaddr_in6 addr = { 0 }; |
848 | |
849 | if (!send_only) { |
850 | - return send_recv_daemon_info_internal(msg, opt_socket); |
851 | + return send_recv_info_internal(msg, opt_socket, HIP_DAEMON_LOCAL_PORT); |
852 | } |
853 | |
854 | if (opt_socket) { |
855 | @@ -479,6 +501,21 @@ |
856 | } |
857 | |
858 | /** |
859 | + * A generic function to send messages to hipfw with subsequent reply. This will |
860 | + * block the process until the hipfw sends the response or a predefined timeout |
861 | + * is exceeded. |
862 | + * |
863 | + * @param msg An input/output parameter. As input, contains the |
864 | + * message to be sent to hipfw. As output, hipfw response |
865 | + * will be written here. |
866 | + * @return zero on success and negative on failure. |
867 | + */ |
868 | +int hip_send_recv_firewall_info(struct hip_common *const msg) |
869 | +{ |
870 | + return send_recv_info_internal(msg, 0, HIP_FIREWALL_PORT); |
871 | +} |
872 | + |
873 | +/** |
874 | * Read an interprocess (user) message |
875 | * |
876 | * @param sockfd a socket from where to read |
877 | |
878 | === modified file 'lib/core/message.h' |
879 | --- lib/core/message.h 2011-08-15 14:11:56 +0000 |
880 | +++ lib/core/message.h 2011-11-02 14:51:25 +0000 |
881 | @@ -46,5 +46,6 @@ |
882 | int hip_send_recv_daemon_info(struct hip_common *msg, |
883 | int send_only, |
884 | int opt_socket); |
885 | +int hip_send_recv_firewall_info(struct hip_common *const msg); |
886 | |
887 | #endif /* HIP_LIB_CORE_MESSAGE_H */ |
Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?