[BUG] Server with --enable-nfq-capture ignores packets if client has an IP starting with "5.220." or smaller #377
Description
After upgrading to Debian 13 today we encountered an issue where the fwknob client was not working on only one of many machines and we pinned the issue down to the machine having a "low" IP address.
How to reproduce
- Have a client with an IP address starting with
5.220.or below - Start the server with
--enable-nfq-capture --foreground --verbose - Execute
fwknopon the client
Expected behavior
fwknopworks normally- The server prints some debug logs
Observed behvior
fwknopdoes not work- The server prints nothing
Technical details
It seems like in server/process_packet.c every packet is treated as ethernet packet. When NFQ capture is enabled and an IP package is parsed, its first two octets of the IP address are assumed to be the ethernet_type, which they obviously are not.
fwknop/server/process_packet.c
Line 104 in 7605573
Then later on the alleged "ethernet type" is used to determine an offset inside the package. So "low" IP addresses below 5.220. will cause this condition to evaluate to false:
fwknop/server/process_packet.c
Line 115 in 7605573
So the parser will jump into the else branch where an offset of 3 is automatically applied:
fwknop/server/process_packet.c
Line 123 in 7605573
We would actually expect an offset of 0. But now that it was set to 3, it will cause the whole packet to be parsed incorrectly.
Note: This also affects other IP address ranges.
It will fail for IP addresses starting with 170.170. because of this condition:
fwknop/server/process_packet.c
Line 119 in 7605573
It will also fail for IP adresses starting with 129.0 because of this condition:
fwknop/server/process_packet.c
Line 106 in 7605573
Workaround
We were able to resolve the issue by using --udp-server instead of --enable-nfq-capture.