
Large count of “FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL” messages in the log #337

@pwolny

Description

First of all thanks for this useful software.

When fwknopd is configured for multiple-user access (multiple stanzas with the “SOURCE ANY” directive in access.conf), I get multiple FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL messages in the log before the packet is matched to the right stanza. The repetition count depends on which stanza is matched, and it changes when the order of the stanzas in access.conf is changed.

For example, I get the message once in daemon.log for an authorization packet matching the second stanza in access.conf:
fwknopd[xxx]: (stanza #1) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #2) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: Added access rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx -> 0.0.0.0/0 udp/12345, expires at xxxxxxxxxxxx
fwknopd[xxx]: Removed rule 1 from FWKNOP_INPUT with expire time of xxxxxxxxxxxx

or five times for a packet matching the 6th stanza in access.conf:
fwknopd[xxx]: (stanza #1) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #2) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #2) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #3) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #3) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #4) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #4) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #5) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: [xxx.xxx.xxx.xxx] (stanza #5) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[xxx]: (stanza #6) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: Added access rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx -> 0.0.0.0/0 tcp/12346, expires at xxxxxxxxxxxx
fwknopd[xxx]: Removed rule 1 from FWKNOP_INPUT with expire time of xxxxxxxxxxxx

and never when the packet matches the 1st stanza in access.conf:
fwknopd[xxx]: (stanza #1) SPA Packet from IP: xxx.xxx.xxx.xxx received with access source match
fwknopd[xxx]: Added access rule to FWKNOP_INPUT for xxx.xxx.xxx.xxx -> 0.0.0.0/0 tcp/22, expires at xxxxxxxxxxxx

I like having the info when an authorization packet arrives, even if it is invalid, but it looks like the authorization packet is compared sequentially against all stanzas and every failure in the loop is logged.

Is it possible to log this “FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL” message only once for each received packet by changing the default settings of fwknopd?

I would like to set up fwknopd in such a way that this message never gets logged if the packet matches a stanza, so the log does not get spammed.
Of course, I would still like to get this message (once) when none of the stanzas could be matched to the received packet.

My system is:
“Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux”
with:
“fwknopd server 2.6.10, compiled for firewall bin: /usr/sbin/iptables”
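An added example, not part of the report above and not fwknop project code: a Python model of the per-stanza HMAC walk that the quoted log implies (with SOURCE ANY on every stanza, each stanza is a source match, so only its HMAC key can reject the packet, and a packet for stanza #k produces k-1 COMPAREFAIL lines), followed by a filter that collapses those per-stanza lines into one record per SPA packet, which gives the "one message per packet, only when nothing matched" behaviour the report asks for by post-processing the log rather than by changing fwknopd. The stanza names and keys, the simplified keyed-MAC stand-in for fwknop's real SPA authentication, and the sample log (pid, IP addresses, expiry timestamps) are constructed; the log line shapes are taken from the lines quoted in the report.

```python
import hashlib
import hmac
import re

COMPAREFAIL = "FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL"

# Constructed stand-ins for access.conf stanzas that all say SOURCE ANY:
# every stanza is a source match, so only the HMAC key decides which applies.
STANZAS = [
    {"name": "stanza #1", "hmac_key": b"constructed-key-alice"},
    {"name": "stanza #2", "hmac_key": b"constructed-key-bob"},
    {"name": "stanza #3", "hmac_key": b"constructed-key-carol"},
]

def hmac_tag(key: bytes, payload: bytes) -> bytes:
    # Simplified keyed MAC standing in for fwknop's SPA HMAC (assumption).
    return hmac.new(key, payload, hashlib.sha256).digest()

def match_stanza(payload: bytes, tag: bytes, stanzas=STANZAS):
    """Try stanzas in access.conf order; return (index of the first stanza
    whose key verifies, or None; per-stanza failure messages).  A packet for
    stanza #k yields k-1 failures, an unknown key one failure per stanza."""
    failures = []
    for i, st in enumerate(stanzas):
        if hmac.compare_digest(hmac_tag(st["hmac_key"], payload), tag):
            return i, failures
        failures.append(f"({st['name']}) {COMPAREFAIL}")
    return None, failures

# Line shapes copied from the report; pid and IP are wildcards.
SRC_MATCH_RE = re.compile(r"fwknopd\[\S+\]:\s*\((stanza #\d+)\) SPA Packet from IP: (\S+) received with access source match")
HMAC_FAIL_RE = re.compile(r"fwknopd\[\S+\]:\s*\[(\S+)\] \((stanza #\d+)\) .*" + COMPAREFAIL)
RULE_ADD_RE = re.compile(r"fwknopd\[\S+\]:\s*Added access rule to \S+ for (\S+) -> (.+?), expires")

def collapse_spa_log(lines):
    """One record per SPA packet.  A packet starts when stanza #1 reports a
    source match (each packet restarts the walk) and ends with an 'Added
    access rule' line (matched) or at the next packet / end of input."""
    records, pkt = [], None

    def close(target=None):
        nonlocal pkt
        if pkt is not None:
            records.append({"ip": pkt["ip"], "stanza": pkt["stanza"] if target else None,
                            "target": target, "failures": len(pkt["fails"])})
            pkt = None

    for line in lines:
        m = SRC_MATCH_RE.search(line)
        if m:
            stanza, ip = m.groups()
            if pkt is None or stanza == "stanza #1" or pkt["ip"] != ip:
                close()
                pkt = {"ip": ip, "stanza": stanza, "fails": []}
            else:
                pkt["stanza"] = stanza  # the walk moved on to the next stanza
            continue
        m = HMAC_FAIL_RE.search(line)
        if m and pkt is not None and m.group(1) == pkt["ip"]:
            pkt["fails"].append(m.group(2))
            continue
        m = RULE_ADD_RE.search(line)
        if m and pkt is not None and m.group(1) == pkt["ip"]:
            close(target=m.group(2))
    close()
    return records

def format_record(r):
    if r["stanza"] is None:
        return f"{r['ip']}: no stanza matched, {r['failures']} x {COMPAREFAIL}"
    return (f"{r['ip']}: matched {r['stanza']} -> {r['target']} "
            f"after {r['failures']} HMAC compare failure(s)")

# Constructed sample log in the shape of the report: a packet for stanza #2,
# one for stanza #1, and one whose key matches no stanza at all.
SAMPLE_LOG = """\
fwknopd[1234]: (stanza #1) SPA Packet from IP: 203.0.113.7 received with access source match
fwknopd[1234]: [203.0.113.7] (stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[1234]: (stanza #2) SPA Packet from IP: 203.0.113.7 received with access source match
fwknopd[1234]: Added access rule to FWKNOP_INPUT for 203.0.113.7 -> 0.0.0.0/0 udp/12345, expires at 1630000030
fwknopd[1234]: (stanza #1) SPA Packet from IP: 198.51.100.9 received with access source match
fwknopd[1234]: Added access rule to FWKNOP_INPUT for 198.51.100.9 -> 0.0.0.0/0 tcp/22, expires at 1630000090
fwknopd[1234]: Removed rule 1 from FWKNOP_INPUT with expire time of 1630000030
fwknopd[1234]: (stanza #1) SPA Packet from IP: 192.0.2.44 received with access source match
fwknopd[1234]: [192.0.2.44] (stanza #1) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[1234]: (stanza #2) SPA Packet from IP: 192.0.2.44 received with access source match
fwknopd[1234]: [192.0.2.44] (stanza #2) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
fwknopd[1234]: (stanza #3) SPA Packet from IP: 192.0.2.44 received with access source match
fwknopd[1234]: [192.0.2.44] (stanza #3) Error creating fko context: Args contain invalid data: FKO_ERROR_INVALID_DATA_HMAC_COMPAREFAIL
""".splitlines()

if __name__ == "__main__":
    for rec in collapse_spa_log(SAMPLE_LOG):
        print(format_record(rec))
```

Run as a script, it prints one line per SPA packet: the first is reported as matching stanza #2 after one compare failure, the second as matching stanza #1 with none, and the third, which fails on every stanza with no "Added access rule" line following, is reported exactly once as unmatched. The filter treats a source match from stanza #1 as the start of a new packet because, as the quoted log shows, each packet restarts the walk from the first stanza; the "Removed rule" line is ignored. Feeding daemon.log through collapse_spa_log (for example from a journal or syslog tail) gives the per-packet summary without touching fwknopd's own logging.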
