Merge lp:~martin-lp/hipl/hipfwconf into lp:hipl

Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?

On Mon, Oct 24, 2011 at 03:49:25PM +0000, Miika Komu wrote:
> Review: Needs Information
>
> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?

Seconded. I'm terribly suspicious of this whole hipconf thing and
whether or not it is a good idea. IIUC authentication is nonexistent
and it's not clear to me what the advantage to rereading a config
file is.

Diego

Another benefit of merged functionality is to allow reading of static information from /etc/hip/hipd_config

On 24.10.2011, at 17:49, Miika Komu wrote:
> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?

There are three ways to implement this functionality:
1) add an extra keyword to the hipconf command line: hipconf (daemon | firewall) COMMAND
2) add firewall queries as command parameter: hipconf get firewall-ha
3) implement as separate binary using libcore.

(1) would require some changes to hipconf command line parsing and would render the old user API broken. Furthermore, it would require an even longer parameter list for getting specific information. For these reasons, I would not want to implement this option.
(2) is somewhat inconsistent with the current syntax, but I would be fine with that. Only minor changes to the current proposal would be required.
(3) doesn't break the user API and clearly separates hipd configuration from hipfw status querying. This is my preferred option.

Opinions and other proposals are welcome.

Ciao,
René

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

Forgot to include launchpad.

Begin forwarded message:
> From: René Hummen <email address hidden>
> Date: 27. Oktober 2011 15:41:06 MESZ
> To: <email address hidden>
> Subject: Re: [hipl-dev] Re: [Merge] lp:~martin-lp/hipl/hipfwconf into lp:hipl
>
> On 24.10.2011, at 19:27, Diego Biurrun wrote:
>> On Mon, Oct 24, 2011 at 03:49:25PM +0000, Miika Komu wrote:
>>> Review: Needs Information
>>>
>>> Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
>>
>> Seconded. I'm terribly suspicious of this whole hipconf thing and
>> whether or not it is a good idea. IIUC authentication is nonexistent
>> and it's not clear to me what the advantage to rereading a config
>> file is.
>
> The issue of having one or multiple binaries aside, I think hipconf should rather be a hipstatus tool. I.e., hipd and hipfw should be configured via config files (with reload functionality) and the the current run-time status should be requestable via hipstatus. However, this is not as it's done in HIPL at the moment. Instead, reading the config file mimics calls to hipconf in order to set up the hipd. hipfwconf, on the other hand, only provides status information.
>
> Do I see volunteers who are willing to fix this hipconf-based configuration issue? :)
>
> Ciao,
> René

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

On 25.10.2011, at 09:42, Miika Komu wrote:
> Another benefit of merged functionality is to allow reading of static information from /etc/hip/hipd_config

I don't see your point here. Can you please explain. By the way, hipfwconf wraps around libcore the same way hipconf does.

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

> IIUC authentication is nonexistent

This a fallacy, it does have authentication. Critical functions are allowed only for root.

> and it's not clear to me what the advantage to rereading a config
> file is.

Obviously, changing of parameters during run time.

> On 25.10.2011, at 09:42, Miika Komu wrote:
> > Another benefit of merged functionality is to allow reading of static
> information from /etc/hip/hipd_config
>
> I don't see your point here. Can you please explain. By the way, hipfwconf
> wraps around libcore the same way hipconf does.

You mean that you can set hipfwconf parameters from /etc/hip/hipd_config ? Did you test this?

> On 24.10.2011, at 17:49, Miika Komu wrote:
> > Why separate binary just for configuring hipfw? Why this can't be embedded
> into hipconf?
>
> There are three ways to implement this functionality:
> 1) add an extra keyword to the hipconf command line: hipconf (daemon |
> firewall) COMMAND
> 2) add firewall queries as command parameter: hipconf get firewall-ha

Either of these would work for me. Probably 1 is a bit cleaner.

> 3) implement as separate binary using libcore.

I'll counterargument against this below.

> (1) would require some changes to hipconf command line parsing and would
> render the old user API broken. Furthermore, it would require an even longer
> parameter list for getting specific information. For these reasons, I would
> not want to implement this option.

Who cares if the API is changes, really? By breaking, you mean /etc/hip/hipd_config? The file could be prefixed with a "daemon" with a simple regexp when you start hipd (if we would choose #1).

> (2) is somewhat inconsistent with the current syntax, but I would be fine with
> that. Only minor changes to the current proposal would be required.

I would be fine with this.

> (3) doesn't break the user API and clearly separates hipd configuration from
> hipfw status querying. This is my preferred option.

Proposal 3 also fragments the HIP administrative interface into two. You suggest that we'll have one read-only interface and another writeable. I believe in a more unified interface and I fail see why we should disperse. It doesn't sound very responsible to say something is bad, but leave it as it is and switch to new tool?

What do you mean by "hipconf-based configuration issue"?

On Thu, Oct 27, 2011 at 01:31:29PM +0000, René Hummen wrote:
> On 24.10.2011, at 17:49, Miika Komu wrote:
> > Why separate binary just for configuring hipfw? Why this can't be embedded into hipconf?
>
> There are three ways to implement this functionality:
> 1) add an extra keyword to the hipconf command line: hipconf (daemon | firewall) COMMAND
> 2) add firewall queries as command parameter: hipconf get firewall-ha
> 3) implement as separate binary using libcore.
>
> (1) would require some changes to hipconf command line parsing and
> would render the old user API broken. Furthermore, it would require an
> even longer parameter list for getting specific information. For these
> reasons, I would not want to implement this option.

alias hipdconf="hipconf daemon"
alias hipfwconf="hipconf firewall"

Diego

 review needs-fixing

On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>
> --- Makefile.am 2011-10-17 18:14:10 +0000
> +++ Makefile.am 2011-10-31 18:21:26 +0000
> @@ -90,8 +90,8 @@
>
> -tools_hipconf_SOURCES = tools/hipconf.c
> -tools_pisacert_SOURCES = tools/pisacert.c
> +tools_hipconf_SOURCES = tools/hipconf.c
> +tools_pisacert_SOURCES = tools/pisacert.c

unrelated

Diego

hip_send_recv_firewall_info() has been copy-pasted from hip_send_recv_daemon_info(). The same goes for
hip_send_recv_firewall_info() and hip_handle_user_msg(). Code reuse?

lib/core/conf.c:hipconf_usage is not updated accordingly. Same goes for hipd/init.c:HIPL_CONFIG_FILE_EX. Otherwise, nobody will know about your extensions.

Also, I would like to hear a test report with some existing hipconf options to understand that legacy support still works. For example, try the following:

* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all

<wait few secs>

* hipconf nat none
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all

<wait few secs>

* hipconf nat plain-udp
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all

<wait few secs>

* hipconf nat port 1111
* hipconf add map HIT IP
* hipconf get ha all
* hipconf rst all

Does it do what expected?

Other than this, I am satisfied with this commit.

Hi,

On Mon, Oct 31, 2011 at 9:58 PM, Diego Biurrun <email address hidden> wrote:
> On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>> --- Makefile.am 2011-10-17 18:14:10 +0000
>> +++ Makefile.am 2011-10-31 18:21:26 +0000
>> @@ -90,8 +90,8 @@
>>
>> -tools_hipconf_SOURCES = tools/hipconf.c
>> -tools_pisacert_SOURCES = tools/pisacert.c
>> +tools_hipconf_SOURCES = tools/hipconf.c
>> +tools_pisacert_SOURCES = tools/pisacert.c
>
> unrelated

That's not really unrelated but unintended. Forgot to reindent after removing the hipfwconf line. Fixed now.

Hi,

On Wed, Nov 2, 2011 at 8:32 AM, Miika Komu <email address hidden> wrote:
> Review: Needs Fixing
>
> hip_send_recv_firewall_info() has been copy-pasted from hip_send_recv_daemon_info().

You are right, that has been some pretty evil piece of copy-paste. Fixed this in revision 6121.

> The same goes for hip_send_recv_firewall_info() and hip_handle_user_msg(). Code reuse?

What exactly do you mean?

> lib/core/conf.c:hipconf_usage is not updated accordingly. Same goes for hipd/init.c:HIPL_CONFIG_FILE_EX. Otherwise, nobody will know about your extensions.

I changed it where hipconf_usage was used but this may have not been clear enough.
I've fixed it in revision 6122. Should be better now.

> Also, I would like to hear a test report with some existing hipconf options to understand that legacy support still works. For example, try the following:
>
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat none
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat plain-udp
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> <wait few secs>
>
> * hipconf nat port 1111
> * hipconf add map HIT IP
> * hipconf get ha all
> * hipconf rst all
>
> Does it do what expected?

Did not test that yet but I'll have a look into it and report back.

Hi,

On 11/02/2011 01:04 PM, David Martin wrote:
>> The same goes for hip_send_recv_firewall_info() and hip_handle_user_msg(). Code reuse?
> What exactly do you mean?

the functions offer very similar functionality (copy paste).

Hi again,

On Wed, Nov 2, 2011 at 12:25 PM, Miika Komu <email address hidden> wrote:
> On 11/02/2011 01:04 PM, David Martin wrote:
>>>
>>> The same goes for hip_send_recv_firewall_info() and
>>> hip_handle_user_msg(). Code reuse?
>>
>> What exactly do you mean?
>
> the functions offer very similar functionality (copy paste).

Sorry for being a bit dense but I'm still not sure what you mean.
hip_handle_user_msg() is an enormous beast of a function dealing with all incoming
hipconf messages. hip_send_recv_firewall_info() sends messages to hipfw and
since the last commit is nothing more than a wrapper for send_recv_info_internal().

Maybe you mean hip_handle_msg() in firewall_control.c which basically does the same
as hip_handle_user_msg() only for the firewall. It has not really been touched in this
branch and I see no reason to merge them together. It would result in an even bigger
and even more unwieldy function. The firewall does receive user messages of the same
message type, but it acts differently on them than hipd. I think it's reasonable to keep them
apart. We should think about renaming them to make their purpose more obvious but this
is out of scope of this branch.

Sorry, I mean fw_handle_hipd_message() and hip_handle_user_msg(). It seems that the beginning of the functions is copy paste. You could extract the beginning into another function and call it in the other two.

Hi,

On Wed, Nov 2, 2011 at 3:26 PM, Miika Komu <email address hidden> wrote:
> Sorry, I mean fw_handle_hipd_message() and hip_handle_user_msg(). It seems that the beginning of the functions is copy paste. You could extract the beginning into another function and call it in the other two.

You are right. But if I see it correctly those two weren't really touched by this branch so I would
say it's not related. Feel free to change it in trunk. :)))

PS: Fixed non-compiling make doxygen and added error-handling for wrong process keywords in the last two revisions.

PPS: Had a look at your proposed commands as well. They seem to work alright as far as I can judge. Here's a log:

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon add map 2001:17:e5ab:56b2:3b45:419f:f784:af6a 10.0.3.1
Mapped v4 to v6.
mapped v6: 10.0.3.1
Sending user message 2 to HIPD on socket 3
Sent 88 bytes
Waiting to receive daemon info.
88 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
248 bytes received from HIP daemon.
HA is UNASSOCIATED
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Peer HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.1
 Local IP: 10.0.3.1
 Local NAT traversal UDP port: 10500
 Peer IP: 10.0.3.1
 Peer NAT traversal UDP port: 10500
 Peer hostname:

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon rst all
Sending user message 68 to HIPD on socket 3
Sent 64 bytes
Waiting to receive daemon info.
64 bytes received from HIP daemon.
User message was sent successfully to the HIP daemon.

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon get ha all
Sending user message 22 to HIPD on socket 3
Sent 40 bytes
Waiting to receive daemon info.
40 bytes received from HIP daemon.

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon nat none
<snip>

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon add map 2001:17:e5ab:56b2:3b45:419f:f784:af6a 10.0.3.1
<snip>

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon get ha all
<snip>
HA is UNASSOCIATED
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Peer HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.1
 Local IP: 10.0.3.1
 Local NAT traversal UDP port: 0
 Peer IP: 10.0.3.1
 Peer NAT traversal UDP port: 0
 Peer hostname:

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon nat plain-udp
<snip>

martin@pisa1:~/src/hipl/hipl_hipfwconf$ sudo tools/hipconf daemon get ha all
<snip>
HA is UNASSOCIATED
 Shotgun mode is off.
 Broadcast mode is off.
 Local HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Peer HIT: 2001:0017:e5ab:56b2:3b45:419f:f784:af6a
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.1
 Local IP: 10.0.3.1
 Local NAT traversal UDP port: 10500
 Peer IP: 10.0.3.1
 Peer NAT traversal UDP port: 10500
 Peer hostname:

martin@pisa1:~/src/hipl/hipl_hi...

On 27.10.2011, at 16:37, Miika Komu wrote:
>> On 25.10.2011, at 09:42, Miika Komu wrote:
>>> Another benefit of merged functionality is to allow reading of static
>> information from /etc/hip/hipd_config
>>
>> I don't see your point here. Can you please explain. By the way, hipfwconf
>> wraps around libcore the same way hipconf does.
>
> You mean that you can set hipfwconf parameters from /etc/hip/hipd_config ? Did you test this?

Hmmm, I'm not sure what this discussion was about exactly. Maybe some clarification as to what kind of functionality this branch is supposed to introduce: it allows to request status information from hipfw at run-time. However, it does not allow for run-time configuration right now. Of course, it would be easy to extend hipfw with this functionality, but I don't see that this desirable.

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

> Hmmm, I'm not sure what this discussion was about exactly. Maybe some clarification as to what kind of functionality
> this branch is supposed to introduce: it allows to request status information from hipfw at run-time. However, it
> does not allow for run-time configuration right now. Of course, it would be easy to extend hipfw with this
> functionality, but I don't see that this desirable.

Never mind (now hipd_config can be used to trigger hipfw actions as well).

Diego, your opinion? :)

 review needs-fixing

On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>
> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
> @@ -54,6 +54,11 @@
>
> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
> +/* keywords used to identify hipd / hipfw as target of hipconf command */
> +#define HIPCONF_HIPD_KEYWORD "daemon"
> +#define HIPCONF_HIPFW_KEYWORD "firewall"

These appear unused outside of conf.c.

Diego

On Fri, Nov 04, 2011 at 12:07:34PM +0000, David Martin wrote:
> Diego, your opinion? :)

I said enough to reject it already, just added some more ;)

Diego

Hi,

On Fri, Nov 4, 2011 at 1:25 PM, Diego Biurrun <email address hidden> wrote:
> On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
>>
>> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
>> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
>> @@ -54,6 +54,11 @@
>>
>> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
>> +/* keywords used to identify hipd / hipfw as target of hipconf command */
>> +#define HIPCONF_HIPD_KEYWORD "daemon"
>> +#define HIPCONF_HIPFW_KEYWORD "firewall"
>
> These appear unused outside of conf.c.

Nope, using them in lib/core/message.c as well. Did you pull the latest revisions?

On Fri, Nov 4, 2011 at 1:29 PM, Diego Biurrun <email address hidden> wrote:
> I said enough to reject it already, just added some more ;)

Well, other than you being terribly suspicious of hipconf in general you did not say
aynthing. And that's not very constructive. :p

On Fri, Nov 04, 2011 at 12:53:25PM +0000, David Martin wrote:
> On Fri, Nov 4, 2011 at 1:25 PM, Diego Biurrun <email address hidden> wrote:
> > On Mon, Oct 31, 2011 at 06:22:27PM +0000, David Martin wrote:
> >>
> >> --- lib/core/conf.h 2011-08-15 14:11:56 +0000
> >> +++ lib/core/conf.h 2011-10-31 18:21:26 +0000
> >> @@ -54,6 +54,11 @@
> >>
> >> +enum daemon_name { HIP_DAEMON, HIP_FIREWALL };
> >> +/* keywords used to identify hipd / hipfw as target of hipconf command */
> >> +#define HIPCONF_HIPD_KEYWORD "daemon"
> >> +#define HIPCONF_HIPFW_KEYWORD "firewall"
> >
> > These appear unused outside of conf.c.
>
> Nope, using them in lib/core/message.c as well. Did you pull the latest revisions?

Of course not! I don't pull anything to review your work, why would I?
I just sit here and read emails. I should not have to care about you
committing new revisions somewhere I'm not looking.

> On Fri, Nov 4, 2011 at 1:29 PM, Diego Biurrun <email address hidden> wrote:
> > I said enough to reject it already, just added some more ;)
>
> Well, other than you being terribly suspicious of hipconf in general you did not say
> aynthing. And that's not very constructive. :p

I said there were unrelated stray changes - that's ground enough not to
commit it so I did not bother to look in detail at a version that will
not be pushed anyway ;)

Diego

Good work!

Sorry, I stumbled on a problem after hitting the Approve button. "hipconf daemon" is needed now for all existing commands, right? If yes, then this need to be properly adjusted in:

* doc/HOWTO.xml.in
* lib/core/conf.c
* lib/core/hostid.c
* lib/core/message.c
* lib/tool/nlink.c
* hipd/nat.c
* tools/hipdnsproxy/hipdnsproxy.in
* firewall/conntrack.c
* firewall/cache.c

Scan for "hipconf" in the files and adjust where appropiate.

Hi,

On Mon, Nov 7, 2011 at 3:33 PM, Miika Komu <email address hidden> wrote:
> Review: Needs Fixing
>
> Sorry, I stumbled on a problem after hitting the Approve button. "hipconf daemon" is needed now for all existing commands, right? If yes, then this need to be properly adjusted in:
>
> * doc/HOWTO.xml.in
> * lib/core/conf.c
> * lib/core/hostid.c
> * lib/core/message.c
> * lib/tool/nlink.c
> * hipd/nat.c
> * tools/hipdnsproxy/hipdnsproxy.in
> * firewall/conntrack.c
> * firewall/cache.c
>
> Scan for "hipconf" in the files and adjust where appropiate.

Good catch! Should've thought about grepping through the other files to find hipconf occurances. I would have missed the *.in for sure though.

Fixed this and will resubmit the proposal.