[Branch ~christof-mroz/hipl/hipfw-performance] Rev 4941: Add iptables rules for INPUT and OUTPUT hooks too.
------------------------------------------------------------
revno: 4941
committer: Christof Mroz <christof.mroz@xxxxxxxxxxxxxx>
branch nick: hipfw-performance
timestamp: Wed 2010-09-15 15:59:27 +0200
message:
Add iptables rules for INPUT and OUTPUT hooks too.
modified:
firewall/conntrack.c
firewall/firewall_defines.h
--
lp:~christof-mroz/hipl/hipfw-performance
https://code.launchpad.net/~christof-mroz/hipl/hipfw-performance
=== modified file 'firewall/conntrack.c'
--- firewall/conntrack.c 2010-09-13 19:45:52 +0000
+++ firewall/conntrack.c 2010-09-15 13:59:27 +0000
@@ -38,6 +38,7 @@
#define _BSD_SOURCE
+#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
@@ -48,6 +49,7 @@
#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <sys/time.h>
+#include <linux/netfilter_ipv4.h>
#include "lib/core/builder.h"
#include "lib/core/debug.h"
@@ -327,7 +329,6 @@
* @todo Test rules using userspace_ipsec, Relay, LSI, sys-opp, midauth,
* light-update and esp_prot configurations.
* @todo Test with different byte ordering.
- * @todo Inbound and outbound tables.
*
* @see update_esp_address
* @see free_esp_tuple
@@ -335,8 +336,9 @@
static int hip_fw_manage_esp_rule(const struct esp_tuple *esp_tuple,
const struct in6_addr *dest, int insert)
{
- int err = 0;
- const char *flag = insert ? "-I" : "-D";
+ int err = 0;
+ const char *flag = insert ? "-I" : "-D";
+ const char *table = NULL;
if (hip_userspace_ipsec || prefer_userspace) {
return 0;
@@ -351,7 +353,25 @@
return 0;
}
+ switch(esp_tuple->tuple->hook) {
+ case NF_IP_LOCAL_IN:
+ table = "HIPFW-INPUT";
+ break;
+ case NF_IP_FORWARD:
+ table = "HIPFW-FORWARD";
+ break;
+ case NF_IP_LOCAL_OUT:
+ table = "HIPFW-OUT";
+ break;
+ default:
+ HIP_ERROR("Packet was received via unsupported netfilter hook %d\n",
+ esp_tuple->tuple->hook);
+ err = 1;
+ goto out_err;
+ }
+
HIP_DEBUG("insert = %d\n", insert);
+ HIP_DEBUG("table = %s\n", table);
HIP_DEBUG("esp_tuple->spi = 0x%08X\n", esp_tuple->spi);
HIP_DEBUG_IN6ADDR("src ip", &esp_tuple->tuple->src_ip);
HIP_DEBUG_IN6ADDR("dest ip", dest);
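Review bot: The chain selection keys only on `esp_tuple->tuple->hook`, but nothing in this hunk shows the new `hook` member being initialized before the first `-I`; the field is a plain `int` added in firewall_defines.h and whether tuple allocation zeroes it is not visible here. An unset 0 equals NF_IP_PRE_ROUTING and falls into the `default` branch, which fails closed, but that is worth confirming in the allocation path. The same `NF_IP_*` constants also steer the ip6tables branch further down although only `<linux/netfilter_ipv4.h>` is included, which works only because the IPv4 and IPv6 hook numbers coincide; a comment above the switch such as `/* NF_IP_* values are reused for IPv6: the hook numbering is identical */` would make that dependency explicit. Minor style: `switch(` should be `switch (` to match the `if (` spacing used elsewhere in this function.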
@@ -371,14 +391,14 @@
* we may use a simple u32 Pattern. Here, '4&0x1FFF=0' ensures
* we're not processing a fragmented packet.
*/
- system_printf("iptables %s HIPFW-FORWARD -p UDP "
+ system_printf("iptables %s %s -p UDP "
"--dport 10500 --sport 10500 -d %s -m u32 "
"--u32 '4&0x1FFF=0 && 0>>22&0x3C@8=0x%08X' -j ACCEPT",
- flag, daddr, esp_tuple->spi);
+ flag, table, daddr, esp_tuple->spi);
} else {
- system_printf("iptables %s HIPFW-FORWARD -p 50 "
+ system_printf("iptables %s %s -p 50 "
"-d %s -m esp --espspi 0x%08X -j ACCEPT",
- flag, daddr, esp_tuple->spi);
+ flag, table, daddr, esp_tuple->spi);
}
} else {
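Review bot: The `HIPFW-INPUT` and `HIPFW-OUT` chain names now reach `iptables` from this hunk and from the ip6tables call in the next hunk, yet nothing in the commit creates those chains; if firewall initialization only sets up `HIPFW-FORWARD`, both the `-I` and the later `-D` fail. Because the result of `system_printf` is not checked in any of the three calls, such a failure is silent: the ESP flow is never accepted on the INPUT/OUTPUT path, and a rule that could not be deleted is not reported either. Suggest propagating a failed `system_printf` into `err` (with `goto out_err`) in all three call sites so the caller learns that the ruleset does not match the connection state. The enclosing function starts and ends outside this hunk.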
@@ -387,9 +407,9 @@
"inet_ntop: %s", strerror(errno));
HIP_ASSERT(!esp_tuple->tuple->connection->udp_encap);
- system_printf("ip6tables %s HIPFW-FORWARD -p 50 "
+ system_printf("ip6tables %s %s -p 50 "
"-d %s -m esp --espspi 0x%08X -j ACCEPT",
- flag, daddr, esp_tuple->spi);
+ flag, table, daddr, esp_tuple->spi);
}
out_err:
@@ -1716,6 +1736,8 @@
} else {
HIP_DEBUG("Tuple connection NULL, could not timestamp\n");
}
+
+ tuple->hook = ctx->ipq_packet->hook;
}
HIP_DEBUG("udp_encap_hdr=%p tuple=%p err=%d\n", ctx->udp_encap_hdr, tuple, err);
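Review bot: `tuple->hook = ctx->ipq_packet->hook;` runs on every pass through this block rather than only when the tuple is created, so if the same tuple is later seen on a different netfilter hook the recorded value changes between the `-I` issued by hip_fw_manage_esp_rule and its matching `-D`; the deletion would then target the wrong chain and leave the ACCEPT rule for that SPI in place. Whether this code path can execute more than once per tuple is not visible in the hunk (the enclosing function starts outside it); if it can, assign the hook only at tuple creation, or record the chain used at insertion time and delete with that same value. If `ipq_packet->hook` is an `unsigned int` as in the ipq message header, storing it in the new `int hook` member is also a sign conversion that `-Wconversion` will flag; declaring the member `unsigned int` avoids it.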
=== modified file 'firewall/firewall_defines.h'
--- firewall/firewall_defines.h 2010-09-13 14:26:30 +0000
+++ firewall/firewall_defines.h 2010-09-15 13:59:27 +0000
@@ -135,6 +135,7 @@
int direction;
struct connection *connection;
int state;
+ int hook;
uint32_t lupdate_seq;
int esp_relay;
struct in6_addr esp_relay_daddr;
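Review bot: The new `hook` member has no comment saying what it holds or who sets it, while its value decides which iptables chain receives ACCEPT rules for the tuple's SPI. Suggest `int hook; /* netfilter hook (NF_IP_*) the tuple's packets arrive on; selects the HIPFW chain for ESP rules */` so the coupling to hip_fw_manage_esp_rule is visible at the definition.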