PCAP_LOOP_SLEEP bug fix to 1/10th of a second

[server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
microseconds).  This was supposed to be the default anyway, but C
Anthony Risinger reported a bug where fwknopd was consuming more
resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
default to 1/100th of a second - this has been fixed.
commit 5387242ce99bf705d1f30d63a1b5b7cdfdcf517a 1 parent 6255bff
@mrash authored
4 CREDITS
@@ -24,3 +24,7 @@ Andy Rowland
access.conf file would result in access requests that matched the second
stanza to always be treated as a replay attack. This has been fixed for
the fwknop-2.0.1 release.
+
+C Anthony Risinger
+ - Caught a bug where the default PCAP_LOOP_SLEEP value was 1/100th of a
+ second instead of the intended default of 1/10th of a second.
15 ChangeLog
@@ -1,5 +1,5 @@
fwknop-2.0.1 (07//2012):
- - Bug fix where the same encryption key used for two stanzas in
+ - [server] Bug fix where the same encryption key used for two stanzas in
the access.conf file would result in access requests that matched the
second stanza to always be treated as a replay attack. This has been
fixed for the fwknop-2.0.1 release, and was reported by Andy Rowland. Now
@@ -9,8 +9,13 @@ fwknop-2.0.1 (07//2012):
digest list right after the first access.conf stanza match, so when SPA
packet data matched the second access.conf stanza a matching replay
digest would already be there.
- - Added SPA message validation calls to fko decoding routines to help
- ensure that SPA messages conform to expected values.
+ - [server] Updated PCAP_LOOP_SLEEP default to 1/10th of a second (in
+ microseconds). This was supposed to be the default anyway, but C
+ Anthony Risinger reported a bug where fwknopd was consuming more
+ resources than necessary, and the cause was PCAP_LOOP_SLEEP set by
+ default to 1/100th of a second - this has been fixed.
+ - [libfko] Added SPA message validation calls to fko decoding routines to
+ help ensure that SPA messages conform to expected values.
- Bug fix for PF firewalls: updated the PF anchor check to not rely on
listing the PF policy - fwknopd now uses 'pfctl -s Anchor' instead.
- [test suite] Added parsing of valgrind output to produce a listing of
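Review bot: the new PCAP_LOOP_SLEEP entry documents the default only, but this commit also raises RCHK_MAX_PCAP_LOOP_SLEEP from 100000 to 10000000 in server/config_init.h, which changes the range-check maximum for the setting. Add a sentence to this entry stating the new upper bound (10 seconds). The "Bug fix for PF firewalls" entry just below is also left without a component tag while its neighbours gain [server] and [libfko]; tag it for consistency.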
@@ -20,8 +25,8 @@ fwknop-2.0.1 (07//2012):
instead of libfko.so. This fixes the existence check for libfko.
- [test suite] Added tests for --nat-local mode.
- [client] Fixed several minor memory leaks caught by valgrind.
- - Minor gcc warning fix: fko_decode.c:43:17: warning: variable ‘edata_size’
- set but not used [-Wunused-but-set-variable].
+ - [libfko] Minor gcc warning fix: fko_decode.c:43:17: warning: variable
+ ‘edata_size’ set but not used [-Wunused-but-set-variable].
fwknop-2.0 (01/02/2012):
- This is the first production release that has been completely re-written
2  server/config_init.h
@@ -36,7 +36,7 @@
/* For integer variable range checking
*/
-#define RCHK_MAX_PCAP_LOOP_SLEEP 100000 /* microseconds */
+#define RCHK_MAX_PCAP_LOOP_SLEEP 10000000 /* microseconds, 10 seconds */
#define RCHK_MAX_SPA_PACKET_AGE 100000 /* seconds, can disable */
#define RCHK_MAX_SNIFF_BYTES 1514
#define RCHK_MAX_TCPSERV_PORT 65535
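Review bot: the new maximum of 10000000 on the RCHK_MAX_PCAP_LOOP_SLEEP line is above 1000000, and the fwknopd.conf comment in this commit says the value is passed to usleep(). POSIX specifies the usleep() argument as less than one million, and some implementations return EINVAL for larger values; on such a system the call could return without sleeping and the pcap loop would spin, which is the resource problem this commit sets out to fix. Either keep the maximum below 1000000 or switch to nanosleep() for values of a second or more. The 100x raise is also not mentioned in the commit message, so it deserves its own line there.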
4 server/fwknopd.conf
@@ -74,8 +74,8 @@
#PCAP_DISPATCH_COUNT 0;
# Sets the number of microseconds to passed as an argument to usleep() in
-# the pcap loop. The default is 10000, or 1/10th of a second.
-#PCAP_LOOP_SLEEP 10000;
+# the pcap loop. The default is 100000 microseconds, or 1/10th of a second.
+#PCAP_LOOP_SLEEP 100000;
# Allow SPA clients to request access to services through an iptables
# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
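Review bot: the replaced sample line was "#PCAP_LOOP_SLEEP 10000;", so any installation that uncommented it keeps the 1/100th-second value after upgrading, because only the compiled-in default and this commented sample change. Say so in this comment or in the ChangeLog entry so operators know to check an existing fwknopd.conf. The comment could also state the accepted range now that the maximum is 10 seconds, and the unchanged line above still reads "to passed".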
2  server/fwknopd_common.h
@@ -86,7 +86,7 @@
#define DEF_ENABLE_PCAP_PROMISC "N"
#define DEF_PCAP_FILTER "udp port 62201"
#define DEF_PCAP_DISPATCH_COUNT "0"
-#define DEF_PCAP_LOOP_SLEEP "10000" /* a tenth of a second */
+#define DEF_PCAP_LOOP_SLEEP "100000" /* a tenth of a second (in microseconds) */
#define DEF_ENABLE_SPA_PACKET_AGING "Y"
#define DEF_MAX_SPA_PACKET_AGE "120"
#define DEF_ENABLE_DIGEST_PERSISTENCE "Y"
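Review bot: the DEF_PCAP_LOOP_SLEEP value is a string literal whose unit lives only in the trailing comment, and the original defect was a dropped zero that the old comment ("a tenth of a second") did not expose. No file in this commit adds a check for it; consider a test-suite case asserting that the parsed default is 100000 microseconds, so the value here and the sample in server/fwknopd.conf cannot drift from the documented 1/10th of a second unnoticed.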