Project Home
Project Home		 Wiki
Wiki		 Discussion Forums
Discussions		 Project Information
Project Info
Networking/Discussion/General/"Missing" IP headers and pfil order/List of Posts
Forum Topic - "Missing" IP headers and pfil order: (6 Items)
   
Update
peter graham(deleted)
02/02/2016 3:36 PM
post115659
"Missing" IP headers and pfil order   
I have a packet filter that operates on AH-encapsulated UDP packets, and while tcpdump shows the AH header is there, it 
is not available when my packet filter hook is called (at least, it isn't as far as I can tell.  The source and 
destination are correct, but the ip_p field in the iphdr is only ever IPPROTO_UDP). I thought maybe something above my 
hook in the stack was de-encapsulating the packet, but I haven't been able to find a way to test this. Any thoughts on 
where I should look, or other possible causes?
Nick Reilly
02/02/2016 3:53 PM
post115660
Re: "Missing" IP headers and pfil order   
You need to add the "pfil_ipsec" option to the command line. From the io-pkt documentation

pfil_ipsec
(io-pkt-v4-hc and io-pkt-v6-hc only) Run packet filters on packets before encryption. The default is to do it after 
encryption.
peter graham(deleted)
02/03/2016 8:43 AM
post115662
Re: "Missing" IP headers and pfil order   
I'm actually integrating a third-party IPSec product into a packet filter, and not using QNX's IPSec. Is this command 
still relevant in this case? I can't find any reference to pfil_ipsec in the QNX docs or on the forums
Nick Reilly
02/03/2016 8:53 AM
post115663
Re: "Missing" IP headers and pfil order   
For the documentation on this see the io-pkt documentation at:
http://www.qnx.com/developers/docs/am11/index.jsp?topic=%2Fcom.qnx.doc.neutrino.utilities%2Ftopic%2Fi%2Fio-pkt.html

I've noticed that it is missing from the "use" information and have filed a bug to address this.

Whether you need pfil_ipsec is going to depend on if you have set the "ipsec" option on the command line or not. If the 
ipsec option is enabled then the fact that it is an IPSec protocol (inner protocol is IPv4, IPv6, ESP, AH or IPComp) 
flags it as an IPSec packet and the pfil hooks will not see the packet until it is decrypted unless pfil_ipsec is set.

If the ipsec option is not set then all packets will be sent to the pfil hooks straight away.
peter graham(deleted)
02/03/2016 11:14 AM
post115665
Re: "Missing" IP headers and pfil order   
Thanks again for the quick reply! I'm not enabling QNX's IPSec (and actually changed the startup io-pkt-v4-hc command to
 io-pkt-v4 to try to eliminate any additional behavior). I've attached a screenshot of the output I'm seeing, which 
shows the AH packets, but in the input hook, ip_p is IPPROTO_UDP (17).  I think one thing I'm not unclear on is whether 
or not something else in the filter chain is modifying the packet before my filter is called. Is there a way to view the
 actual chain? I tried some searching online but wasn't able to come up with anything that seemed to be what I was 
looking for.  I feel like I'm missing something simple but can't pin it down.
Attachment: Image qnx_pfil_input_hook.png 57.2 KB
Nick Reilly
02/03/2016 12:51 PM
post115667
Re: "Missing" IP headers and pfil order   
The only way to see what is in the chain would be to walk the TAILQ yourself, see pfil_run_hooks() in the NetBSD code:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net/pfil.c?rev=1.28&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

Return


  A subsidiary of BlackBerry             All content ©2004-2013, QNX Software Systems