netdev.vger.kernel.org archive mirror
* Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
@ 2002-04-22  6:47 Peter Bieringer
From: Peter Bieringer @ 2002-04-22  6:47 UTC (permalink / raw)
  To: Maillist netdev

Hi,

I found an issue that seems strange to me and need help digging into it a
bit, because I'm running out of knowledge.

Pls. don't comment the use of commercial firewalls on Linux ;-)


Running a Check Point Firewall (NG FP-2) on Linux (RHL kernel
2.4.9-31, OpenSSH 2.9 and 3.1), it loads its big firewall module
into the kernel.


First question:
how can I check which kernel network hooks it uses? Are there any
tools available?


Now further on...


"No problem" scenario:
Linux is IPv4-only, openssh bound to 0.0.0.0, incoming SSH traffic is
accepted and the CP state table is updated.


"Problematic" scenario:
Linux has the ipv6 module loaded, openssh bound to ::, now the following
happens:

incoming SSH traffic (still IPv4) is accepted, CP updates the initial
connection timer but never updates its state table to state
"established". The initial timer is still updated after each
keystroke, but if the timeout occurs (default 60s), the connection will
break.

Looks like CP never sees (or recognizes) packets leaving the
firewalled host from a dual-stack application.


Second question:
Can I trace such issues? Is there a toolset available which shows me
which path a packet takes through the network kernel?


BTW: incoming SSH traffic via IPv6 is completely unrecognized and
therefore quietly accepted. Looks like CP never sees or recognizes
incoming IPv6 packets at all - same issue as if on an IPv4-netfiltered
box the IPv6 netfilter was forgotten...

TIA,
        Peter


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Andi Kleen @ 2002-04-22  7:22 UTC (permalink / raw)
  To: Peter Bieringer; +Cc: Maillist netdev

On Mon, Apr 22, 2002 at 08:47:13AM +0200, Peter Bieringer wrote:
> Looks like CP never sees (or recognizes) packets leaving the
> firewalled host from a dual-stack application.

Linux has no "generic" firewall hooks, only protocol specific ones.  
Checkpoint is probably using the v4 specific ones only.
Other protocols can be received (by registering a protocol to ETH_P_ALL via
SOCK_PACKET or in the kernel), but not stolen from protocol handlers. 

2.2 had no working firewall chains for IPv6, 2.4 has a v6 netfilter
interface.

BTW the CheckPoint module seems to leak routes too at least on 2.2, 
there are regular reports of that.

> BTW: incoming SSH traffic via IPv6 is completely unrecognized and
> therefore quietly accepted. Looks like CP never sees or recognizes
> incoming IPv6 packets at all - same issue as if on an IPv4-netfiltered
> box the IPv6 netfilter was forgotten...

Sounds like a serious CheckPoint bug.


-Andi


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Peter Bieringer @ 2002-04-22  8:53 UTC (permalink / raw)
  To: Andi Kleen; +Cc: Peter Bieringer, Maillist netdev


Hi Andi,

thanks for the fast answer; I only need a short explanation now:

Andi Kleen writes:

> On Mon, Apr 22, 2002 at 08:47:13AM +0200, Peter Bieringer wrote:
> > Looks like CP never sees (or recognizes) packets leaving the
> > firewalled host from a dual-stack application.
> 
> Linux has no "generic" firewall hooks, only protocol specific ones.  
> Checkpoint is probably using the v4 specific ones only.
> Other protocols can be received (by registering a protocol to ETH_P_ALL via
> SOCK_PACKET or in the kernel), but not stolen from protocol handlers. 

Does such an IPv4 hook not see packets leaving a dual-stack application like
openssh? Is there any scheme (the path such a packet takes) available for
visualisation?

TIA,
 Peter


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Andi Kleen @ 2002-04-22 10:06 UTC (permalink / raw)
  To: Peter Bieringer; +Cc: Andi Kleen, Maillist netdev

On Mon, Apr 22, 2002 at 08:53:45AM +0000, Peter Bieringer wrote:
> Does such an IPv4 hook not see packets leaving a dual-stack application like
> openssh? Is there any scheme (the path such a packet takes) available for
> visualisation?

The v4 hook only sees packets that are sent as v4. The v6 hook only v6.
It has nothing to do with the application using v4-mapped-on-v6 sockets 
or not.

-Andi

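The point Andi makes above (the hook family is selected by the wire packet, not by the socket the application uses) as an added, runnable illustration; this is example code written for this page, not Check Point's or the kernel's code, and the packet headers are constructed samples, not captured traffic:

```python
"""Which netfilter hook family (PF_INET or PF_INET6) sees a packet.
Added example: models the dispatch rule described in the thread."""
import ipaddress
import socket
import struct


def hook_family_for_packet(pkt):
    """Dispatch the way the kernel does: the IP version nibble of the packet
    selects the IPv4 (PF_INET) or IPv6 (PF_INET6) hook list, nothing else."""
    if not pkt:
        raise ValueError("empty packet")
    version = pkt[0] >> 4
    if version == 4:
        return "PF_INET"
    if version == 6:
        return "PF_INET6"
    raise ValueError("not an IP packet (version nibble %d)" % version)


def hook_family_for_peer(peer):
    """From the peer address a dual-stack application (bound to ::) sees on
    an accepted socket, predict which hook family saw the packets: a
    v4-mapped address (::ffff:a.b.c.d) means the wire traffic was IPv4."""
    ip = ipaddress.ip_address(peer)
    if ip.version == 4 or ip.ipv4_mapped is not None:
        return "PF_INET"
    return "PF_INET6"


def uninspected(registered_families, packets):
    """Packets a firewall module never sees, given the hook families it
    registered (the thread suspects Check Point registered PF_INET only)."""
    return [p for p in packets
            if hook_family_for_packet(p) not in registered_families]


# Constructed sample headers: a 20-byte IPv4 header and a 40-byte IPv6
# header, both carrying TCP (protocol 6), as the start of an SSH packet.
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                       socket.inet_pton(socket.AF_INET, "192.0.2.10"),
                       socket.inet_pton(socket.AF_INET, "192.0.2.1"))
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, 20, 6, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::10"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::1"))

if __name__ == "__main__":
    print(hook_family_for_peer("::ffff:192.0.2.10"))  # PF_INET: IPv4 on the wire
    print(len(uninspected({"PF_INET"}, [IPV4_HDR, IPV6_HDR])))  # 1: the IPv6 packet
```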

* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Peter Bieringer @ 2002-04-22 12:47 UTC (permalink / raw)
  To: Andi Kleen; +Cc: Peter Bieringer, Maillist netdev


Andi Kleen writes:

> On Mon, Apr 22, 2002 at 08:53:45AM +0000, Peter Bieringer wrote:
> > Does such an IPv4 hook not see packets leaving a dual-stack application like
> > openssh? Is there any scheme (the path such a packet takes) available for
> > visualisation?
> 
> The v4 hook only sees packets that are sent as v4. The v6 hook only v6.
> It has nothing to do with the application using v4-mapped-on-v6 sockets 
> or not.

Thanks for the reply. Is there any tool available which can display which
application has registered which network hooks?

TIA,
 Peter


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Andi Kleen @ 2002-04-22 12:54 UTC (permalink / raw)
  To: Peter Bieringer; +Cc: Andi Kleen, Maillist netdev

On Mon, Apr 22, 2002 at 12:47:37PM +0000, Peter Bieringer wrote:
> 
> Andi Kleen writes:
> 
> > On Mon, Apr 22, 2002 at 08:53:45AM +0000, Peter Bieringer wrote:
> > > Does such an IPv4 hook not see packets leaving a dual-stack application like
> > > openssh? Is there any scheme (the path such a packet takes) available for
> > > visualisation?
> > 
> > The v4 hook only sees packets that are sent as v4. The v6 hook only v6.
> > It has nothing to do with the application using v4-mapped-on-v6 sockets 
> > or not.
> 
> Thanks for the reply. Is there any tool available which can display which
> application has registered which network hooks?

Only a kernel debugger (gdb vmlinux /proc/kcore) 

-Andi


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Peter Bieringer @ 2002-04-22 13:05 UTC (permalink / raw)
  To: Andi Kleen; +Cc: Peter Bieringer, Maillist netdev


Andi Kleen writes:

> BTW the CheckPoint module seems to leak routes too at least on 2.2, 
> there are regular reports of that.

Can you explain what happens? Perhaps it is caused by their implementation of
NAT.

 Peter


* Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6
From: Andi Kleen @ 2002-04-22 13:08 UTC (permalink / raw)
  To: Peter Bieringer; +Cc: Andi Kleen, Maillist netdev

On Mon, Apr 22, 2002 at 01:05:46PM +0000, Peter Bieringer wrote:
> 
> Andi Kleen writes:
> 
> > BTW the CheckPoint module seems to leak routes too at least on 2.2, 
> > there are regular reports of that.
> 
> Can you explain what happens? Perhaps it is caused by their implementation of
> NAT.

I have no idea what happens exactly, except that there were several reports
to this list of users who ran into problems with an overflowing routing cache.
All they had in common was that they ran CheckPoint on 2.2.  There were no
other such reports from non BreakPoint users. It may be fixed in the 2.4
version of their module.

-Andi
