Knockd unable to start after upgrade from 15.0 to 15.1

Hello!

After upgrading from LEAP 15.0 to LEAP 15.1 on two machines, knockd is unable to start:


# /usr/sbin/knockd -D -v
config: new section: 'options'
config: log file: /var/log/knockd.log
config: interface: eth0
config: new section: 'opencloseANY'
config: opencloseANY: sequence: 11111:udp,22222:tcp,33333:udp,44444:tcp
config: opencloseANY: seq_timeout: 15
config: opencloseANY: start_command: /usr/sbin/iptables -I INPUT 4 -s %IP% -j ACCEPT
config: opencloseANY: cmd_timeout: 10
config: opencloseANY: stop_command: /bin/echo Leaving %IP% ...
ethernet interface detected
Local IP: 1xx.2xx.1xx.2xx
Adding pcap expression for door 'opencloseANY': (dst host 1xx.2xx.1xx.2xx and (((tcp dst port 22222 or 44444) and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg ) or (udp dst port 11111 or 33333)))
pcap: syntax error in filter expression: syntax error
waiting for child processes...
closing...

This is the conf file:


[options]
        logfile = /var/log/knockd.log
        Interface = eth0

[opencloseANY]
        sequence      = 11111:udp,22222:tcp,33333:udp,44444:tcp
        seq_timeout   = 15
        start_command = /usr/sbin/iptables -I INPUT 4 -s %IP% -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /bin/echo Leaving %IP% ...

The same config is working on both LEAP 15.0 and Tumbleweed.

Help, please

Best regards
Sinisa Bandin

There appears to be a syntax error (command not written properly) related to your “stop_command” statement…
And I can’t see what the problem is because for some reason your statement is truncated and shows an ellipsis (3 dots).
Unless you really do have only the ellipsis, you have to expand it to view the full statement.
There is even the possibility that the full statement has been replaced by the ellipsis, which would make your statement invalid.

Your config file also appears to be modeled after Example 2 in the knockd MAN page.
You might want to take a closer look at the MAN page example to see how that works; it appears fairly straightforward.

TSU

Both the config file and the command output are copied verbatim (only the actual IP address was removed).

stop_command really only does an “echo” with the IP address and “…” at the end, and it is not part of the problem IMO.

Problem is somewhere here:


Adding pcap expression for door 'opencloseANY': (dst host 1xx.2xx.1xx.2xx and (((tcp dst port 22222 or 44444) and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg ) or (udp dst port 11111 or 33333)))
pcap: syntax error in filter expression: syntax error

As I mentioned, ABSOLUTELY the same config file is working in both LEAP 15.0 and Tumbleweed…

Is anybody here actually using Knockd on LEAP 15.1, or can somebody just test this?

Best regards
Siniša Bandin

Then that’s likely your problem.
That ellipsis represents information but is not the information, so it now becomes an issue how you’re copying your file…
If you copied the file without regard for its contents, then you’ve copied the file correctly.
On the other hand, if you opened the file and copied the contents into another file, you would have created a problem.

The ellipsis displays because your display (console window?) isn’t wide enough to display the entire text string, so the string is shortened (truncated) and the ellipsis is placed there to tell you there is more info that is not being displayed.

Another way to verify what I’ve described is to display the size of each file and compare; you should find the files that work are the same size but the non-working file is different, e.g.

lr -d knockd.conf

TSU

“…” is part of the string that “echo” echoes to the log file.

With or without it, the error message is the same.

Just ignore it completely… let’s say that the last line of the config file looks like this:


             stop_command  = /bin/echo "Nothing to see here"

(again: with or without quotes, the result is the same).

So let me repeat the last question: “Is anybody here actually using Knockd on LEAP 15.1, or can somebody just test this?”

Thank you!

Btw: there is no “lr” command on my system, my screen IS wide enough, and the config file IS copied here exactly and scp-ed to LEAP 15.1 and Tumbleweed before testing. The same file without any changes was working on both now-upgraded machines before the upgrade to LEAP 15.1.

Took a closer look at your post.
I don’t know if anyone can replicate your problem without parameters you may be leaving out.
But here is what I found…

Your problem actually has to do with this output:

Adding pcap expression for door 'opencloseANY': (dst host 1xx.2xx.1xx.2xx and (((tcp dst port 22222 or 44444) and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg ) or (udp dst port 11111 or 33333)))

I’m unable to debug the statement, but I’m pretty sure the problem is in there somewhere.
I found the statement with its variables in the knockd code, but didn’t identify exactly which variables in the statement mapped elsewhere to verify the values are correct. Unless this is boilerplate, you should verify the values make sense.

As for your knock and knockd commands…
I found that the “-v” option is valid for both client and server, so it is valid the way you used it in your client command.
The “-D” option for debugging is mentioned only for the server, not for the client, so it is probably ineffective the way you used it. If you implement it server-side, you’ll probably get better info in your log.

TSU

WTH? Didn’t I write it clearly? The only thing missing is the real IP address; everything else is a VERBATIM copy (so the “…” is just a string of three dots one after another without spaces in between, which I want to be printed in the log file just as “…”). So I really don’t understand what you are missing.

> But here is what I found…
>
> Your problem actually has to do with this output:
>
> Adding pcap expression for door 'opencloseANY': (dst host 1xx.2xx.1xx.2xx and (((tcp dst port 22222 or 44444) and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg ) or (udp dst port 11111 or 33333)))
>
> I’m unable to debug the statement, but I’m pretty sure the problem is in there somewhere.
>
> I found the statement with its variables in the knockd code, but didn’t identify exactly which variables in the statement mapped elsewhere to verify the values are correct. Unless this is boilerplate, you should verify the values make sense.
>
> As for your knock and knockd commands…
> I found that the “-v” option is valid for both client and server, so it is valid the way you used it in your client command.
> The “-D” option for debugging is mentioned only for the server, not for the client, so it is probably ineffective the way you used it. If you implement it server-side, you’ll probably get better info in your log.
>
> TSU

Did you actually test this on LEAP 15.1, or did you just copy-paste what I wrote into Google? Because I did that first, before asking here.
I know very well what -v and -D are; that is why I used them.

Nevertheless, I got a step further: the debug output on a working install looks like this

Adding pcap expression for door 'opencloseANY': (dst host 1xx.2yy.2xx.1yy and (((tcp dst port 11111 or 22222)) or (udp dst port 33333 or 44444)))

so no “tcpflags”.

In LEAP 15.1 this part is inserted even if there is no “tcpflags=fin|syn|rst|psh|ack|urg” option in the config file:

**and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg**

It seems somebody tried to be inventive and change the defaults, but missed some parentheses.

Also, in case I have “tcpflags=syn”, this is the debug output on Tumbleweed:

Adding pcap expression for door 'opencloseANY': (dst host 195.201.22.70 and (((tcp dst port 11111 or 22222) and tcp[tcpflags] & tcp-syn != 0) or (udp dst port 33333 or 44444)))

and this is on LEAP 15.1:

Adding pcap expression for door 'opencloseANY': (dst host 159.69.148.70 and (((tcp dst port 11111 or 22222) and tcp[tcpflags] & tcp-syn != 0** and tcp[tcpflags] & tcp-ack  and tcp[tcpflags] & tcp-urg **) or (udp dst port 33333 or 44444)))

Now, I really don’t have time to look at the code, but hopefully somebody can reach for the developers/maintainers…

Best regards,
Sinisa Bandin

Now the same problem is in Tumbleweed.

Somehow (I was looking at the source and could not find how), the string


tcp[tcpflags] & tcp-ack 

(or “…fin” or “…urg” or “…rst”) gets appended to the pcap filter without a matching “==” or “!=”.
Running tcpdump with the same filter gives the same error.
If I remove that part of the filter string, I am able to run tcpdump.

I was also able to start knock if I explicitly add


        tcpflags      = syn,!ack,!fin,!rst,!psh,!urg

that is, explicitly set ALL “tcpflags” to some defined value.

The upstream source has not been touched since June 10, 2014, so 5 years exactly.
There are differences in the source between the openSUSE and Github versions, but if I compile the Github version on Tumbleweed the same thing happens.

I did not understand where that extra string was coming from; the source looks quite simple and seems to do the right job, but then I fired up the debugger and found it in the function “parseconfig”.
When initializing the “door” structure, everything gets zeroed except for the “flags”. Now the flags get initialized to some undefined values, I suspect because of memory randomization on allocation (wild guess).

All I did was to add:


*** 586,589 ****
--- 586,595 ----
                                door->one_time_sequences_fd = NULL;
                                door->pcap_filter_exp = NULL;
+                               door->flag_fin = DONT_CARE;
+                               door->flag_syn = DONT_CARE;
+                               door->flag_rst = DONT_CARE;
+                               door->flag_psh = DONT_CARE;
+                               door->flag_ack = DONT_CARE;
+                               door->flag_urg = DONT_CARE;
                                doors = list_add(doors, door);                        }
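Review bot: the six `door->flag_* = DONT_CARE;` assignments close the uninitialised-read described above, but they are still placed one field at a time after `door->pcap_filter_exp = NULL;`, so any flag field added later starts undefined again. If `DONT_CARE` is the zero value of its enum, zero-filling the whole struct at allocation (calloc or a memset right after the malloc) would cover these six and any future ones; if it is not, the explicit assignments are the right fix and should be kept together as one block. Either way the same initialisation has to be carried to the openSUSE copy, which the post says matches this code except for the starting line (~513).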

and now everything is good; knock works as expected. This patch is for the Github version, but the openSUSE version is the same, only the start line is ~513.

After I found this, I remembered to take a look at the “issues” page on Github, and (of course) I found the same issue dating back to January 2018 :shame: with the same solution, but it never got into the “master” branch.

Can this be implemented in the openSUSE version?

Thanks.
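To make the failure mechanism from the two posts above concrete, here is an added C example (not knockd’s code; a hypothetical reconstruction of the flag-to-filter step, with constructed port numbers and a constructed garbage flag value): it shows how an out-of-range flag value yields the comparison-less `tcp[tcpflags] & tcp-ack` fragment seen in the log, how the `DONT_CARE` initialisation from the patch avoids it, and a check that would reject such a filter before it ever reaches pcap.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flag-to-filter step the thread describes (not knockd's
 * own code); the enum and field names follow the patch above. fin/rst/psh are omitted. */
enum flag_stat { DONT_CARE, SET, NOT_SET };
typedef struct { enum flag_stat flag_syn, flag_ack, flag_urg; } door_t;

/* Emit one "and tcp[tcpflags] & tcp-NAME ..." fragment. A value outside the enum (an
 * uninitialised field) passes the DONT_CARE test but matches neither SET nor NOT_SET,
 * so the comparison is silently dropped: exactly the fragment seen in the log. */
static size_t add_flag(char *buf, size_t n, size_t off, const char *name, enum flag_stat st) {
    if (st == DONT_CARE) return off;
    off += (size_t)snprintf(buf + off, n - off, " and tcp[tcpflags] & tcp-%s", name);
    if (st == SET)     off += (size_t)snprintf(buf + off, n - off, " != 0");
    if (st == NOT_SET) off += (size_t)snprintf(buf + off, n - off, " == 0");
    return off;
}

/* Build the TCP half of a door's pcap expression into buf (ports are constructed). */
const char *build_filter(const door_t *d, char *buf, size_t n) {
    size_t off = (size_t)snprintf(buf, n, "((tcp dst port 11111 or 22222)");
    off = add_flag(buf, n, off, "syn", d->flag_syn);
    off = add_flag(buf, n, off, "ack", d->flag_ack);
    off = add_flag(buf, n, off, "urg", d->flag_urg);
    snprintf(buf + off, n - off, ")");
    return buf;
}

/* Defensive check before the string reaches pcap_compile(): every tcp[tcpflags]
 * test must carry an explicit "!= 0" or "== 0". Returns 1 if so, 0 otherwise. */
int filter_flags_well_formed(const char *f) {
    static const char key[] = "tcp[tcpflags] & tcp-";
    const char *p = f;
    while ((p = strstr(p, key)) != NULL) {
        p += sizeof key - 1;
        while (*p >= 'a' && *p <= 'z') p++;                  /* skip the flag name */
        if (strncmp(p, " != 0", 5) != 0 && strncmp(p, " == 0", 5) != 0) return 0;
    }
    return 1;
}

int main(void) {
    char buf[256];
    door_t garbage = { SET, (enum flag_stat)7, (enum flag_stat)7 }; /* constructed stand-in for uninitialised fields */
    door_t patched = { SET, DONT_CARE, DONT_CARE };                 /* fields set as in the patch */
    printf("%d %s\n", filter_flags_well_formed(build_filter(&garbage, buf, sizeof buf)), buf);
    printf("%d %s\n", filter_flags_well_formed(build_filter(&patched, buf, sizeof buf)), buf);
    return 0;
}
```

The first line printed starts with 0 and ends in the same dangling `tcp-ack and tcp[tcpflags] & tcp-urg` that knockd handed to libpcap; the second starts with 1.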

One thing I forgot to mention is that I am using kernels from https://download.opensuse.org/repositories/Kernel:/stable/standard/ on LEAP 15.1, and whatever is current in Tumbleweed, so it appears that this problem came after kernel 5.1.3 (on 5.1.3 it still works, but on 5.1.6 and up it doesn’t).

Exact same problem here on openSUSE LEAP 15.1 with kernel 4.12.14-lp151.28.4-default.

Thank you for your detailed description, which helped me solve the problem.

I can confirm that.

I second the proposal to apply such a patch to the openSUSE knockd, since the package is not usable any more without such a patch.

I will file a bug report for that issue.

Here is the bug:
https://bugzilla.opensuse.org/show_bug.cgi?id=1138376

And a temporary solution (OBS package with the patch applied):
https://build.opensuse.org/project/show/home:brassh:branches:network:utilities