foundry27 : Post

Forum Topic - Unable to load packet filter lsm: (7 Items)

View: as

Yona Shaposhnik(deleted)

02/12/2020 8:48 AM

post120251

I'm trying to compile and load the simple packet filter from documentation (http://www.qnx.com/developers/docs/7.0.0/
index.html#com.qnx.doc.core_networking/topic/filtering_PF.html) 
I use SDP 7.0 and RTOS vm on vmware also 7.0 version.

the code compiles successfully:

qcc -Wl,-E -Vgcc_ntox86 -c -Wp,-MMD,build/x86-release/src/filter_1.d,-MT,build/x86-release/src/filter_1.o -o build/x86-
release/src/filter_1.o -I /home/alexandr/qnx700/target/qnx7/usr/include/io-pkt/ -Wall -fmessage-length=0 -O2 -fPIC  src/
filter_1.c
src/filter_1.c: In function 'deinit_module':
src/filter_1.c:67:16: warning: implicit declaration of function 'pfil_head_get' [-Wimplicit-function-declaration]
     pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
                ^
src/filter_1.c:67:14: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
              ^
src/filter_1.c:71:5: warning: implicit declaration of function 'pfil_remove_hook' [-Wimplicit-function-declaration]
     pfil_remove_hook(input_hook, NULL, PFIL_IN | PFIL_WAITOK,
     ^
src/filter_1.c:75:14: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     pfh_inet = pfil_head_get(PFIL_TYPE_IFNET, 0);
              ^
src/filter_1.c: In function 'pfil_entry':
src/filter_1.c:95:14: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
              ^
src/filter_1.c:99:5: warning: implicit declaration of function 'pfil_add_hook' [-Wimplicit-function-declaration]
     pfil_add_hook(input_hook, NULL, PFIL_IN | PFIL_WAITOK,
     ^
src/filter_1.c:104:14: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     pfh_inet = pfil_head_get(PFIL_TYPE_IFNET,0);
              ^
qcc -Wl,-E -Vgcc_ntox86 -shared -o build/x86-release/libfilter_1.so   build/x86-release/src/filter_1.o 

but when I try to load my lsm:

# mount -vvv -Tio-pkt /root/lsm-filter.so 
Parsed: mount from [/root/lsm-filter.so] mount on [NULL] type [io-pkt] 
exec: mount_io-pkt -o rw -o implied -o nostat /root/lsm-filter.so /
Using internal mount (mount_io-pkt not found)
Type    [io-pkt] Flags 0x80080000 
Device  [/root/lsm-filter.so] Directory [/] 
Options [NULL] 
mount: Can't mount / (type io-pkt) 
mount: Possible reason: No such device or address

and in slog I can see only such line:

Feb 12 13:48:15.543                    iopkt.81934          main_buffer      0  Unable to load /root/lsm-filter.so: 
(null)

did anybody face such problem? could anybody help me with this?

Nick Reilly

02/12/2020 8:59 AM

post120252

Re: Unable to load packet filter lsm

Take a look at net/pfil.h and you will find all those warnings you are getting are because you are building without 
_KERNEL and QNX_MFIB defined. If you define those then that should clean up your warnings and the symbols should then 
correspond to those in io-pkt and your code should work.

Yona Shaposhnik(deleted)

02/12/2020 11:45 AM

post120253

Re: Unable to load packet filter lsm

I added those defines and warnings gone. But I still have the same error by lsm mount.

Nick Reilly

02/12/2020 12:56 PM

post120254

Re: Unable to load packet filter lsm

io-pkt will call the entry function in the lsm so add some debugging prints to that to determine what is going wrong.

Yona Shaposhnik(deleted)

02/13/2020 3:43 AM

post120257

Re: Unable to load packet filter lsm

I added extra logs, but it looks like lsm loading failed before my code execution. Maybe I do something wrong, but I 
didn't find any more information about packet filter development in official documentation.

I just want to intercept network traffic from/to my network device.

Nick Reilly

02/13/2020 9:34 AM

post120259

Re: Unable to load packet filter lsm

Either the dlopen() isn't able to open your library (bad path to it, bad permissions, built for the wrong processor type
 etc) or the dlsym() isn't finding the "iopkt_lsm_entry" symbol that is generated by the line at the end of the file:

struct _iopkt_lsm_entry IOPKT_LSM_ENTRY_SYM(pfil) =
  IOPKT_LSM_ENTRY_SYM_INIT(pfil_entry);

Yona Shaposhnik(deleted)

02/13/2020 10:03 AM

post120261

Re: Unable to load packet filter lsm

My vm is x86 architecture:
# uname -m 
x86pc
and my lsm library has the same permissions as lsm-pf-v4.so does:
# ls -l /lib/dll/lsm-libfilter.so 
-rwxrwxr-x   1 root      root           7384 Feb 13 14:43 /lib/dll/lsm-libfilter.so
# ls -l /lib/dll/lsm-pf-v4.so      
-rwxrwxr-x   1 root      root         239208 Feb 28  2017 /lib/dll/lsm-pf-v4.so

my code:
#include <sys/types.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/conf.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <net/if.h>
#include <net/pfil.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/slog.h>
#include <sys/slogcodes.h>
#include "sys/io-pkt.h"
#include "nw_datastruct.h"


static int input_hook(void *arg, struct mbuf **m,
                      struct ifnet *ifp, int dir, int fib)
{
    slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
                      _SLOG_ERROR, "input");
    return 0;
}

static int output_hook(void *arg, struct mbuf **m,
                       struct ifnet *ifp, int dir, int fib)
{
    slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
                      _SLOG_ERROR, "output");
    return 0;
}


static int deinit_module(void);
static int iface_hook(void *arg, struct mbuf **m,
                      struct ifnet *ifp, int dir, int fib)
{
	slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
	                  _SLOG_ERROR,"Iface hook called ... ");
    if (m == (struct mbuf **)PFIL_IFNET_ATTACH) {
    	slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
    	                  _SLOG_ERROR,"Interface attached\n");
    } else if (m == (struct mbuf **)PFIL_IFNET_DETACH) {
    	slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
    	                  _SLOG_ERROR,"Interface detached\n");
        deinit_module();
    }
    return 0;
}

static int ifacecfg_hook(void *arg, struct mbuf **m,
                         struct ifnet *ifp, int dir, int fib)
{

	slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
	                  _SLOG_ERROR,"Iface cfg hook called with 0x%p\n", m);

    return 0;
}

static int deinit_module(void)
{
    struct pfil_head *pfh_inet;
    pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
    if (pfh_inet == NULL) {
        return ESRCH;
    }
    pfil_remove_hook(input_hook, NULL, PFIL_IN | PFIL_WAITOK,
                     pfh_inet);
    pfil_remove_hook(output_hook, NULL, PFIL_OUT | PFIL_WAITOK,
                     pfh_inet);
    pfh_inet = pfil_head_get(PFIL_TYPE_IFNET, 0);
        if (pfh_inet == NULL) {
            return ESRCH;
        }

    pfil_remove_hook(ifacecfg_hook, NULL, PFIL_IFNET, pfh_inet);

    pfil_remove_hook(iface_hook, NULL, PFIL_IFNET | PFIL_WAITOK,
                         pfh_inet);
    slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
                  _SLOG_ERROR,
				  "Unloaded pfil hook\n");

    return 0;
}

int pfil_entry(void *dll_hdl, struct _iopkt_self *iopkt,
               char *options)
{
	printf("pfil_entry+++++++++ enter\n");
    struct pfil_head *pfh_inet;
    pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
    if (pfh_inet == NULL) {
        return ESRCH;
    }
    pfil_add_hook(input_hook, NULL, PFIL_IN | PFIL_WAITOK,
                  pfh_inet);
    pfil_add_hook(output_hook, NULL, PFIL_OUT | PFIL_WAITOK,
                  pfh_inet);

    pfh_inet = pfil_head_get(PFIL_TYPE_IFNET,0);
        if (pfh_inet == NULL) {
            return ESRCH;
        }

    pfil_add_hook(iface_hook, NULL, PFIL_IFNET, pfh_inet);
    pfil_add_hook(ifacecfg_hook, NULL, PFIL_IFADDR, pfh_inet);

    slogf(_SLOG_SETCODE(_SLOGC_TEST, 2),
                      _SLOG_ERROR, "Loaded pfil hook\n");

    return 0;
}

struct _iopkt_lsm_entry IOPKT_LSM_ENTRY_SYM(pfil) =
  IOPKT_LSM_ENTRY_SYM_INIT(pfil_entry);


and Makefile:
ARTIFACT = libfilter_1.so

#Build architecture/variant string, possible...

View Full Message

Return

The text you entered is not a valid object ID
More Information
Object IDs begin with an object prefix and end with a number. For example, if you enter
artf2345
the application will jump directly to an artifact with the ID artf2345. Some valid object prefixes are:
artf	for an artifact
doc	for a document
page	for a project page
topc	for a discussion topic
wiki	for a wiki page