peter graham(deleted)
Examining packet filter in/out chain from within a hook
04/15/2016 1:24 PM
post116111
To help diagnose a difficult-to-reproduce issue with an io-pkt filter I've built, I've made a filter that attaches both
to the head and tail of the input and output filter queues. It also walks the filter chain when added (via the
pfil_entry function), and it seems to list all the filters correctly. For each incoming packet, the filter is called
twice: once from the head of the filter chain, and once from the tail. The filter I'm trying to troubleshoot is one that
wraps our own IPSec implementation. So, for incoming packets, I expect to see an AH header on one side of the filter
chain, but not on the other. And this is what I observe:
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN
Apr 15 09:26:12 localhost io-pkt-v4-hc: Src: 192.168.3.54 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_AH Len: 160 ID: 19955 Sum: 50520
Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_input_hook END
(IPSec filter is called in here)
Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_input_hook BEGIN
Apr 15 09:26:12 localhost io-pkt-v4-hc: Src: 192.168.3.54 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 136 ID: 19955 Sum: 50578
Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_input_hook END
You can see the incoming packet has an AH header, and after IPSec handles the packet, it's just the UDP packet that was
wrapped by the AH header. So far, so good. But outgoing packets don't seem to behave this way:
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN
Apr 15 09:26:13 localhost io-pkt-v4-hc: Src: 192.168.2.21 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 54 ID: 63543 Sum: 8200
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook END
(IPSec filter is called in here)
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_output_hook BEGIN
Apr 15 09:26:13 localhost io-pkt-v4-hc: Src: 192.168.2.21 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 54 ID: 63543 Sum: 8200
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_output_hook END
Both the filter on the head and tail of the output hook chain show there's no AH header. However, a tcpdump locally and
on a remote computer shows the AH header is present. Is outgoing traffic handled fundamentally differently than the
input? I know the IPSec filter is working, but I don't see the changes it makes from other filters in the output chain.
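
Added example, not part of the original post: a small Python script that pairs the head-of-chain and tail-of-chain records from a debug log in the format shown above and reports, per packet, whether the filters in between changed the protocol or length. It assumes each record sits on one line and that the IP ID is the same at both ends of the chain, as in the post's logs; the function name and the ID 63544 record are constructed for illustration.

```python
import re

MARK = re.compile(r"QUEUE_(HEAD|TAIL):QNX_DEBUG_(input|output)_hook BEGIN")
PKT = re.compile(r"Proto: (\S+) Len: (\d+) ID: (\d+)")

def compare_chain_ends(log_text):
    """Pair HEAD/TAIL records by (direction, IP ID) and report what changed."""
    seen = {}     # (direction, ip_id) -> {"HEAD": (proto, len), "TAIL": (proto, len)}
    where = None  # (position, direction) of the BEGIN marker still open
    for line in log_text.splitlines():
        m = MARK.search(line)
        if m:
            where = m.groups()
            continue
        p = PKT.search(line)
        if p and where:
            pos, direction = where
            proto, length, ip_id = p.groups()
            seen.setdefault((direction, int(ip_id)), {})[pos] = (proto, int(length))
            where = None
    report = {}
    for key, ends in seen.items():
        if len(ends) < 2:  # packet was logged at only one end of the chain
            report[key] = "missing " + ("TAIL" if "HEAD" in ends else "HEAD")
        elif ends["HEAD"] == ends["TAIL"]:
            report[key] = "unchanged"
        else:
            report[key] = "%s/%d -> %s/%d" % (ends["HEAD"] + ends["TAIL"])
    return report

# Constructed sample in the post's log format (END marker lines omitted; the
# parser ignores them). ID 63544 is invented to show a one-sided record.
P = "Apr 15 09:26:12 localhost io-pkt-v4-hc: "
SAMPLE = "\n".join(P + s for s in [
    "QUEUE_HEAD:QNX_DEBUG_input_hook BEGIN",
    "Src: 192.168.3.54 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_AH Len: 160 ID: 19955 Sum: 50520",
    "QUEUE_TAIL:QNX_DEBUG_input_hook BEGIN",
    "Src: 192.168.3.54 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 136 ID: 19955 Sum: 50578",
    "QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN",
    "Src: 192.168.2.21 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 54 ID: 63543 Sum: 8200",
    "QUEUE_TAIL:QNX_DEBUG_output_hook BEGIN",
    "Src: 192.168.2.21 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 54 ID: 63543 Sum: 8200",
    "QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN",
    "Src: 192.168.2.21 Dst: 226.0.0.1 If: en0 Proto: IPPROTO_UDP Len: 54 ID: 63544 Sum: 8199",
])

if __name__ == "__main__":
    for key, verdict in compare_chain_ends(SAMPLE).items():
        print(key, verdict)
```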