build from HEAD yields "fwknop: fko_set_spa_message: Error 100 - Invalid allow IP address in the SPA message data"

Question

build from HEAD yields "fwknop: fko_set_spa_message: Error 100 - Invalid allow IP address in the SPA message data"

e40 opened this issue 6 months ago · comments

and the knocking does not happen.

I reset by to the HEAD before the activity today and fwknop works for me. This is my config, in case it's now invalid:

[default]
ALLOW_IP            source

[gremlin]
SPA_SERVER          gremlinssh.foo.com
ACCESS              tcp/64208
NAT_ACCESS          XX.YY.ZZ.77,22
SPOOF_USER          foobar

Damien Stuart · Answer 1 · Mon Jan 29 2024 03:10:36 GMT+0800 (China Standard Time)

Found the the commit that introduced the regression and reverted it. What I thought was an innocuous change broke the decode/dcrypt processing of the SPA packet.

…

-Damien

On 1/27/24 4:30 PM, e40 ***@***.***> wrote: and the knocking does not happen. I reset by to the HEAD before the activity today and |fwknop| works for me. This is my config, in case it's now invalid: |[default] ALLOW_IP source [gremlin] SPA_SERVER gremlinssh.foo.com ACCESS tcp/64208 NAT_ACCESS XX.YY.ZZ.77,22 SPOOF_USER foobar | — Reply to this email directly, view it on GitHub <#363>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGRNJD5HSLFLENHHZZUHLTYQVWYVAVCNFSM6AAAAABCNUKLG6VHI2DSMVQWIX3LMV43ASLTON2WKOZSGEYDGOBRHE4DANI>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

e40 · Answer 2 · Mon Jan 29 2024 03:29:10 GMT+0800 (China Standard Time)

Sorry about that. I guess I didn't test it fully. My bad.

It is curious how the seemingly dead code impacted things.