foundry27 : Post

Forum Topic - Examining packet filter in/out chain from within a hook: (1 Item)

View: as

peter graham(deleted)

04/15/2016 1:24 PM

post116111

Examining packet filter in/out chain from within a hook

To help diagnose a difficult-to-reproduce issue with an io-pkt filter I've built, I've made a filter that attaches both 
to the head and tail of the input and output filter queues. It also walks the filter chain when added (via the 
pfil_entry function), and it seems to list all the filters correctly. For each incoming packet, the filter is called 
twice: once from the head of the filter chain, and once from the tail. The filter I'm trying to troubleshoot is one that
 wraps our own IPSec implementation. So, for incoming packets, I expect to see an AH header on one side of the filter 
chain, but not on the other. And this is what I observe:

Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN                                          
                                                                                                                        
                                                                                                                        
                                                                                                                        
                               
Apr 15 09:26:12 localhost io-pkt-v4-hc: Src: 192.168.3.54   Dst: 226.0.0.1  If: en0 Proto: IPPROTO_AH   Len: 160    ID: 
19955   Sum: 50520
Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_input_hook END         

(IPSec filter is called in here)

Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_input_hook BEGIN 
Apr 15 09:26:12 localhost io-pkt-v4-hc: Src: 192.168.3.54   Dst: 226.0.0.1  If: en0 Proto: IPPROTO_UDP  Len: 136    ID: 
19955   Sum: 50578
Apr 15 09:26:12 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_input_hook END         


You can see the incoming packet has an AH header, and after IPSec handles the packet, it's just the UDP packet that was 
wrapped by the AH header.  So far, so good. But outgoing packets don't seem to behave this way:

Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook BEGIN                                          
                                                                                                                        
                                                                                                                        
                                                                                                                        
                               
Apr 15 09:26:13 localhost io-pkt-v4-hc: Src: 192.168.2.21   Dst: 226.0.0.1  If: en0 Proto: IPPROTO_UDP  Len: 54 ID: 
63543   Sum: 8200
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_HEAD:QNX_DEBUG_output_hook END    

(IPSec filter is called in here)

Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_output_hook BEGIN  
Apr 15 09:26:13 localhost io-pkt-v4-hc: Src: 192.168.2.21   Dst: 226.0.0.1  If: en0 Proto: IPPROTO_UDP  Len: 54 ID: 
63543   Sum: 8200
Apr 15 09:26:13 localhost io-pkt-v4-hc: QUEUE_TAIL:QNX_DEBUG_output_hook END    

Both the filter on the head and tail of the output hook chain show there's no AH header. However, a tcpdump  locally and
 on a remote computer show the AH header is present.  Is outgoing traffic handled fundamentally different than the input
? I know the IPSec filter is working, but I don't see the changes it makes from other filters in the output chain.

Return

The text you entered is not a valid object ID
More Information
Object IDs begin with an object prefix and end with a number. For example, if you enter
artf2345
the application will jump directly to an artifact with the ID artf2345. Some valid object prefixes are:
artf	for an artifact
doc	for a document
page	for a project page
topc	for a discussion topic
wiki	for a wiki page