NetBSD Problem Report #55066

From frchuckz@gmail.com  Thu Mar 12 17:19:01 2020
Return-Path: <frchuckz@gmail.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8D4DE1A9213
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 12 Mar 2020 17:19:01 +0000 (UTC)
Message-Id: <20200312171857.C99D755C85@ave.localdomain>
Date: Thu, 12 Mar 2020 13:18:57 -0400 (EDT)
From: frchuckz@gmail.com
Reply-To: frchuckz@gmail.com
To: gnats-bugs@NetBSD.org
Subject: KEYDEBUG_MATCH natt port logging
X-Send-Pr-Version: 3.95

>Number:         55066
>Category:       kern
>Synopsis:       port numbers printed in network byte order instead of host byte order
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 12 17:20:00 +0000 2020
>Closed-Date:    Mon Mar 16 01:02:32 +0000 2020
>Last-Modified:  Tue Mar 17 17:15:01 +0000 2020
>Originator:     Chuck Zmudzinski
>Release:        NetBSD 9.99.49
>Organization:
	NetBSD User 
>Environment:


System: NetBSD ave 9.99.49 NetBSD 9.99.49 (XEN3_DOMU) #0: Thu Mar 12 03:01:46 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/xen/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
When debugging using sysctl net.key.debug=8 which enables KEYDEBUG_MATCH
logging, the port numbers are printed in network byte order which
complicates debugging because the human readable port and service
numbers are in host byte order. This is also inconsistent with the way
port numbers are logged with the IPSEC_DEBUG kernel compile option set.   
>How-To-Repeat:
Set sysctl net.key.debug value to 8 and configure the kernel logging
level to debug, then configure an IPSEC connection that uses NAT-T
and view the logs. One will see the port number for NAT-T is printed
not as the human readable port/service number of 4500 but htons(4500)
or 37905. Optionally, one can also compile and run a kernel with the
IPSEC_DEBUG option set and see the inconsistency in logging the NAT-T
port numbers because the ports will be printed in host byte order
from the IPSECLOG macros, but in network byte order from the 
KEYDEBUG_MATCH macros. N.B.: This will create a very verbose log
with these logging and debugging settings, so don't forget to revert
the logging and debugging settings after testing.

I saw this problem when debugging a port of OpenBSD's IKEv2
iked daemon to NetBSD, but it should also be seen with any IPSEC
connection through a NAT box configured using racoon or any other
IKEv1 or IKEv2 daemon.

>Fix:
The fix is trivial.
Applying this patch to the current version of src/sys/netipsec/key.c
fixes the problem:

--- key.c.orig	2020-03-12 11:53:42.491524911 -0400
+++ key.c	2020-03-12 12:02:02.558350963 -0400
@@ -4770,7 +4770,7 @@
 	case PORT_STRICT:
 		if (port1 != port2) {
 			KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
-			    "port fail %d != %d\n", port1, port2);
+			    "port fail %d != %d\n", ntohs(port1), ntohs(port2));
 			return 1;
 		}
 		return 0;
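Review bot: `%d` paired with the `uint16_t` that `ntohs()` returns only works through integer promotion; `%u` is the type-correct conversion for an unsigned port, so `"port fail %u != %u\n", ntohs(port1), ntohs(port2)` would be the cleaner form. Leaving the `port1 != port2` comparison on the network-order values is right, since both come from the same sockaddr encoding and only the two printf arguments needed converting; the hunk covers just the PORT_STRICT mismatch message, so any other place this function prints port1/port2 needs the same treatment.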
@@ -4822,9 +4822,9 @@
 		KEYDEBUG_PRINTF(KEYDEBUG_MATCH,
 		    "addr success %s[%d] == %s[%d]\n",
 		    (in_print(s1, sizeof(s1), &sin1->sin_addr), s1),
-		    sin1->sin_port,
+		    ntohs(sin1->sin_port),
 		    (in_print(s2, sizeof(s2), &sin2->sin_addr), s2),
-		    sin2->sin_port);
+		    ntohs(sin2->sin_port));
 		break;
 	case AF_INET6:
 		sin61 = (const struct sockaddr_in6 *)sa1;	
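Review bot: the hunk stops at the `case AF_INET6:` label, so the IPv6 branch of the same "addr success" log is not covered; if it prints `sin61->sin6_port` and `sin62->sin6_port` the way the IPv4 branch printed `sin_port`, it needs matching `ntohs()` calls, otherwise an IPv6 NAT-T peer still logs 37905 while the IPv4 line now logs 4500. Minor: the `(in_print(s1, sizeof(s1), &sin1->sin_addr), s1)` comma-expression arguments are evaluated in unspecified order relative to each other, which is harmless here because each writes its own buffer, but is worth a one-line comment.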

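As an added illustration of the byte-order point the report makes (this is not code from the PR or from NetBSD's key.c), the helper below formats an endpoint as addr[port] for a log line with the port converted through ntohs(), and does so for both AF_INET and AF_INET6, which is the case the posted patch leaves for the IPv6 branch. The function names, the 10.0.0.1 and 2001:db8::1 endpoints, and the raw_port_value() helper are assumptions constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_NATT_PORT 4500	/* UDP port used for IPsec NAT-T (RFC 3948) */

/*
 * Format an endpoint as "addr[port]" for a log line: the address through
 * inet_ntop() and the port converted from network to host byte order with
 * ntohs(), for both AF_INET and AF_INET6.  Returns buf, or NULL for an
 * unsupported family or a buffer that is too small.
 */
const char *
fmt_sockaddr_host(const struct sockaddr *sa, char *buf, size_t len)
{
	char addr[INET6_ADDRSTRLEN];
	const void *src;
	unsigned port;

	switch (sa->sa_family) {
	case AF_INET: {
		const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
		src = &sin->sin_addr;
		port = ntohs(sin->sin_port);	/* wire order -> host order */
		break;
	}
	case AF_INET6: {
		const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
		src = &sin6->sin6_addr;
		port = ntohs(sin6->sin6_port);	/* same conversion for v6 */
		break;
	}
	default:
		return NULL;
	}
	if (inet_ntop(sa->sa_family, src, addr, sizeof(addr)) == NULL)
		return NULL;
	if (snprintf(buf, len, "%s[%u]", addr, port) >= (int)len)
		return NULL;
	return buf;
}

/* Constructed sample endpoints (not captured from a real SA database). */
static void
make_v4(struct sockaddr_in *sin, const char *ip, uint16_t port_host)
{
	memset(sin, 0, sizeof(*sin));
	sin->sin_family = AF_INET;
	sin->sin_port = htons(port_host);	/* stored in network byte order */
	inet_pton(AF_INET, ip, &sin->sin_addr);
}

static void
make_v6(struct sockaddr_in6 *sin6, const char *ip, uint16_t port_host)
{
	memset(sin6, 0, sizeof(*sin6));
	sin6->sin6_family = AF_INET6;
	sin6->sin6_port = htons(port_host);
	inet_pton(AF_INET6, ip, &sin6->sin6_addr);
}

/* What the unconverted sin_port field reads as if printed with %u:
 * 37905 for port 4500 on a little-endian host, 4500 on big-endian. */
unsigned
raw_port_value(uint16_t port_host)
{
	return htons(port_host);
}

/* Wrappers with static storage so the formatted results can be checked by name. */
const char *
example_v4_host(void)
{
	static char buf[64];
	struct sockaddr_in sin;

	make_v4(&sin, "10.0.0.1", IKE_NATT_PORT);
	return fmt_sockaddr_host((const struct sockaddr *)&sin, buf, sizeof(buf));
}

const char *
example_v6_host(void)
{
	static char buf[64];
	struct sockaddr_in6 sin6;

	make_v6(&sin6, "2001:db8::1", IKE_NATT_PORT);
	return fmt_sockaddr_host((const struct sockaddr *)&sin6, buf, sizeof(buf));
}

int
main(void)
{
	printf("raw field value for %u: %u\n", IKE_NATT_PORT, raw_port_value(IKE_NATT_PORT));
	printf("host order (IPv4): %s\n", example_v4_host());
	printf("host order (IPv6): %s\n", example_v6_host());
	return 0;
}
```

The comparison logic in key.c can keep working on the network-order fields, since both sides of a match come from the same encoding; only the values handed to the format string need ntohs(), and doing that inside one shared formatter keeps the IPv4 and IPv6 branches from drifting apart.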
>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->pending-pullups
State-Changed-By: knakahara@NetBSD.org
State-Changed-When: Fri, 13 Mar 2020 07:45:14 +0000
State-Changed-Why:
Fix by sys/netipsec/key.c:r1.271


State-Changed-From-To: pending-pullups->closed
State-Changed-By: knakahara@NetBSD.org
State-Changed-When: Mon, 16 Mar 2020 01:02:32 +0000
State-Changed-Why:
pulled up by pullup-8 #1520 and pullup-9 #780, thanks.


From: Chuck Zmudzinski <frchuckz@gmail.com>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/55066 (port numbers printed in network byte order instead of
 host byte order)
Date: Tue, 17 Mar 2020 13:11:57 -0400

 On 3/15/2020 9:02 PM, knakahara@NetBSD.org wrote:
 > Synopsis: port numbers printed in network byte order instead of host byte order
 >
 > State-Changed-From-To: pending-pullups->closed
 > State-Changed-By: knakahara@NetBSD.org
 > State-Changed-When: Mon, 16 Mar 2020 01:02:32 +0000
 > State-Changed-Why:
 > pulled up by pullup-8 #1520 and pullup-9 #780, thanks.
 >
 >
 >
 I gratefully acknowledge the quick fix. Thank you.

>Unformatted:

Copyright © 1994-2020 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.