knockd does not work on additional IP address of a NIC

Bug #1873186 reported by Zizzy Zizzy
Affects: knockd (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

systemd networkd in use. OVH server.

I've been pulling my hair out for an hour trying to get knockd to work on a secondary IP assigned to the primary NIC. (It works fine if I change the IP to the primary when knocking, but that is not the required or desired use.)

I've tried adding the secondary IP as a virtual NIC named "failover", then configuring knockd to use the NIC "failover". This does not work, and "ifconfig failover" actually shows no packets going through the NIC, even though the IP configured on the virtual NIC is working fine.

I can't find any docs or answered questions about this issue. I was hoping to stumble upon an undocumented option to force knockd to listen on a particular IP.

If knockd is really attached to the NIC and supposedly just listening to SYN for a particular port, then it should work. Instead, it appears to be latching on to the primary IP of the NIC and ignoring all other IPs on that NIC.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS"

Kernel 4.15.0-96-generic
knockd package: 0.7-1ubuntu1.18.04.2 amd64

Any help is much appreciated.

Tags: ip secondary
Zizzy Zizzy (zizzyzizzy) wrote :

To clarify "does not work", the TCP (or UDP) knock on the configured port is never detected when using the secondary IP. If I switch to the primary IP, it works exactly as expected.

Zizzy Zizzy (zizzyzizzy) wrote :

Debug mode on, the PCAP rule shows the correct secondary IP, but it will not actually detect the knock on that IP.

Adding pcap expression for door '25568': (dst host xx.xx.xx.76 and (((tcp dst port 25568 or 25568 or 25568) and tcp[tcpflags] & tcp-syn != 0)))

Dan Streetman (ddstreet) wrote :

I think you need to use the "Target" knockd config param, otherwise it uses the interface's primary ip addr. See 'man knockd' and scroll to the bottom, in the "KNOCK/EVENT DIRECTIVES" section.

Changed in knockd (Ubuntu):
status: New → Invalid
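To make the fix concrete, here is a constructed knockd.conf that is not part of this bug report or of the knockd project: the first door reproduces the reporter's situation (no `target`, so the pcap filter is built with the interface's primary address), the second adds the `target` directive Dan points to. The interface name, the 203.0.113.x addresses, the knock ports and the iptables command are placeholders.

```ini
# /etc/knockd.conf (constructed example; eth0, 203.0.113.76 and the
# port numbers are placeholders, not values from the report)

[options]
    UseSyslog
    # Always the physical NIC. A virtual "failover" interface never
    # receives the packets, so a filter bound to it never matches.
    Interface = eth0

# BEFORE: without target, knockd builds the filter as
#   dst host <primary IP of eth0> and (...)
# so a knock sent to the secondary address is silently ignored.
[openSSH-primary-only]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# AFTER: target pins this door to the secondary address, giving a
# "dst host 203.0.113.76" expression like the one in the debug output.
[openSSH-secondary]
    target      = 203.0.113.76
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# The matching close door, also bound to the secondary address.
[closeSSH-secondary]
    target      = 203.0.113.76
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

Running knockd in the foreground with `-D` prints the "Adding pcap expression for door ..." lines shown in the debug comment; the two `target` doors should report `dst host 203.0.113.76` while the first reports the primary address.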
Zizzy Zizzy (zizzyzizzy) wrote :

YES! That fixed the issue! THANK YOU! I was up until 3 AM trying to sort that out. No clue how I missed that directive in the man page. Zombie eyes, I guess.

One thing that still bothers me - As I stated in the debug comment, the PCAP filters are INDEED CORRECT and show the correct (supposed) IP in the expression when I tried using a virtual NIC, so why wasn't that actually working as expected?

Dan Streetman (ddstreet) wrote :

> One thing that still bothers me - As I stated in the debug comment, the PCAP filters are INDEED CORRECT and show the correct (supposed) IP in the expression when I tried using a virtual NIC, so why wasn't that actually working as expected?

I don't know your *exact* system network config so I can't say for sure, but your comment "...shows no packets going through the NIC" sounds to me like your problem. You can't just create a random NIC in your system and expect external packets to arrive on it.
