Commits on Dec 1, 2011
  1. Added FORCE_NAT mode to the access.conf file

    This commit adds a new configuration variable "FORCE_NAT" to the access.conf
        For any valid SPA packet, force the requested connection to be NAT'd
        through to the specified (usually internal) IP and port value.  This is
        useful if there are multiple internal systems running a service such as
        SSHD, and you want to give transparent access to only one internal system
        for each stanza in the access.conf file.  This way, multiple external
        users can each directly access only one internal system per SPA key.
    This commit also implements a few minor code cleanups.
Commits on Nov 29, 2011
  1. Added access stanza expiration feature, multiple access stanza bug fix

    This commit does two major things:
    1) Two new access.conf variables are added "ACCESS_EXPIRE" and
    "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
    to modify the access.conf file and restart fwknopd.
    2) Allow an access stanza that matches the SPA source address to not
    automatically short circuit other stanzas if there is an error (such as when
    there are multiple encryption keys involved and an incoming SPA packet is
    meant for, say, the second stanza and the first therefore doesn't allow
    proper decryption).
Commits on Nov 4, 2011
  1. Fixed fwknopd memory leak, several other fixes and updates

    This commit does several things.  First, a memory leak in fwknopd has been
    fixed by ensuring to free access.conf stanzas.  This bug was found with the
    new test suite running in --enable-valgrind mode.  Here is what some of the
    valgrind output looked like to find the leak:
    ==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
    ==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==19217==    by 0x52F6B81: strdup (strdup.c:43)
    ==19217==    by 0x10FC8B: add_acc_string (access.c:49)
    ==19217==    by 0x1105C8: parse_access_file (access.c:756)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x10FEC0: add_source_mask (access.c:88)
    ==19217==    by 0x110100: expand_acc_source (access.c:191)
    ==19217==    by 0x1104B0: parse_access_file (access.c:500)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x1103E4: parse_access_file (access.c:551)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217== LEAK SUMMARY:
    ==19217==    definitely lost: 152 bytes in 1 blocks
    ==19217==    indirectly lost: 31 bytes in 3 blocks
    ==19217==      possibly lost: 0 bytes in 0 blocks
    ==19217==    still reachable: 8 bytes in 1 blocks
    ==19217==         suppressed: 0 bytes in 0 blocks
    Second, this commit changes how fwknopd acquires packet data with
    pcap_dispatch() - packets are now processed within the callback function
    process_packet() that is provided to pcap_dispatch(), the global packet
    counter is incremented by the return value from pcap_dispatch() (since this is
    the number of packets processed per pcap loop), and there are two new
    fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
    number of packets that pcap_dispatch() should process per loop and the number
    of microseconds that fwknopd should sleep per loop respectively.  Without this
    change, it was fairly easy to cause fwknopd to miss packets by creating bursts
    of packets that would all be processed one at time with the usleep() delay
    between each.  For fwknopd deployed on a busy network and with a permissive
    pcap filter (i.e. something other than the default that causes fwknopd to look
    at, say, TCP ACK's), this change should help.
    Third, the criteria that a packet must reach before data copying into the
    buffer designed for SPA processing has been tightened.  A packet less than
    /greater than the minimum/maximum expected sizes is ignored before data is
    copied, and the base64 check is done as well.
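The "third" change above, a pre-copy gate on captured packets, as an added example that is not fwknop's own code: the payload is rejected before any copy if it falls outside the expected size range or is not base64 text. The size bounds, the buffer size and the sample payloads are constructed values for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SPA_MIN_LEN 80   /* assumed minimum encoded SPA size (illustrative) */
#define SPA_MAX_LEN 1500 /* assumed maximum encoded SPA size (illustrative) */
#define SPA_BUF_SIZE (SPA_MAX_LEN + 1)

/* Returns 1 if every byte is a base64 alphabet character, allowing at most
 * two '=' padding characters and nothing after them; 0 otherwise. */
static int is_base64(const unsigned char *p, size_t len)
{
    int pad = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = p[i];
        if (c == '=') { if (++pad > 2) return 0; continue; }
        if (pad) return 0;                /* data after padding */
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
            (c >= '0' && c <= '9') || c == '+' || c == '/')
            continue;
        return 0;
    }
    return 1;
}

/* Copies payload into buf only when it passes the size and base64 checks.
 * Returns the number of bytes copied, or 0 if the packet was ignored. */
size_t spa_prefilter_copy(const unsigned char *payload, size_t len,
                          char *buf, size_t bufsz)
{
    if (len < SPA_MIN_LEN || len > SPA_MAX_LEN) return 0;
    if (len >= bufsz) return 0;            /* leave room for the terminator */
    if (!is_base64(payload, len)) return 0;
    memcpy(buf, payload, len);
    buf[len] = '\0';
    return len;
}

/* Demo helper: run a NUL-terminated constructed payload through the gate. */
size_t demo_check(const char *s)
{
    char buf[SPA_BUF_SIZE];
    return spa_prefilter_copy((const unsigned char *)s, strlen(s), buf, sizeof buf);
}

int main(void)
{
    char ok[97], bad[97];
    memset(ok, 'A', 96); ok[96] = '\0';    /* constructed 96-char base64 payload */
    memcpy(bad, ok, 97); bad[40] = ' ';    /* same length, but not base64 */
    printf("valid: %zu, short: %zu, not-base64: %zu\n",
           demo_check(ok), demo_check("c2hvcnQ="), demo_check(bad));
    return 0;
}
```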
Commits on Oct 21, 2011
  1. Added --digest-file and --pid-file args

    Added --digest-file and --pid-file args so that the user can easily alter
    these paths from the command line.
Commits on Oct 18, 2011
  1. Added --fw-list-all and --fw-flush

    Added new command line options --fw-list-all and --fw-flush to allow all
    firewall rules to be displayed including those not created by fwknopd, and
    allow all firewall rules created by fwknopd to be deleted.
    Also switched -D config dump output to stdout.
Commits on Oct 14, 2011
  1. minor typo fix

Commits on Sep 13, 2011
  1. minor typo fix: fwkop -> fwknop

Commits on Aug 11, 2011
  1. Added --pcap-filter to the fwknopd command line

    To override the value of the PCAP_FILTER variable in the fwknopd.conf
    config file, a new fwknopd command line argument "--pcap-filter" was
    added.  This assists in various activities by making it trivial to
    change how fwknopd acquires packet data without editing the fwknopd.conf
    file.  Here is an example:
    fwknopd -i lo -f --pcap-filter "udp port 12345"
Commits on Jul 7, 2011
  1. Set FD_CLOEXEC on pid file descriptor.

    damienstuart committed
  2. Added support for setting the URL for resolving source IP via command-line or the .fwknoprc file.

    damienstuart committed
Commits on Nov 26, 2010
  1. Minor comment and documentation tweaks. Add the python directory which contains my first cut at a libfko Python wrapper module.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@302 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Aug 29, 2010
  1. Minor fwknopd man page tweak.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@288 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 16, 2010
  1. Per Franck Joncourt - Corrected misspelled word in fwknopd man page and access.conf.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@266 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 13, 2010
  1. added --fw-list arg to the fwknopd daemon to list all current firewall rules for any running fwknopd process

    git-svn-id: file:///home/mbr/svn/fwknop/trunk@260 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 11, 2010
  1. Added the fwknopd_errors.[ch] files which provide the get_errstr() and fwknopd_errstr() functions. The get_errstr() function takes an error_code, tries to determine the type, then calls the appropriate xxx_errstr function to return a description string. Fixed some minor errors in the libfko API docs.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@258 510a4753-2344-4c79-9c09-4d669213fbeb
  2. Reworked how man pages are generated. Now, man pages in the client and server directory are "fwknop(d)" and a target was added to create the man pages while doing variable substitutions based on directives specified via the configure script. Minor tweak to fwknop.spec file.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@251 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 10, 2010
  1. Slightly revamped how signals were setup.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@250 510a4753-2344-4c79-9c09-4d669213fbeb
  2. Modified top-level so the legacy perl stuff is not packaged into the distribution tar file. More cleanup of the fwknopd man page.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@249 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 9, 2010
  1. Manpage updates

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@247 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 6, 2010
  1. Added installation hook to set the perms on the .conf files to 600 during make install. Minor doc tweak.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@235 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 5, 2010
  1. Added .fwknoprc file creation and processing. This allows for saved default and named configuration profiles. Updated fwknop manpage to reflect the new capability. Also cleaned up messages (errors, info) from the program.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@234 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jul 4, 2010
  1. More cleanup. Removed the direction field (src, dst, both) from the chain configuration directives. Remove the HOSTNAME parameter as it was not used.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@232 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jun 29, 2010
  1. Added the GPG signature checking code. Added GPG_REQUIRE_SIG and GPG_IGNORE_SIG_VERIFY_ERROR parameters to access.conf. Implement the checking of GPG signature IDs against the GPG_REMOTE_ID list.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@227 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jun 27, 2010
  1. More tweaks, clean-up and documentation tweaks for the first release. Made client http-proxy option allow case insensitive match and to take an option :port as part of the argument.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@225 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jun 24, 2010
  1. Start of cleanup for beta release candidate. Removed locale-related code (for now) as it was breaking some things like logging. Removed some unimplemented and/or unused parameters and config directives (as well as their respective documentation references). Added a --rotate-digest-cache command-line arg to force a rename of the digest cache file and start a new one.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@224 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jun 19, 2010
  1. Mostly documentation file updates.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@218 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Feb 9, 2010
  1. Added an initial fwknopd.8 man page (and source asciidoc). Added the --locale and --no-locale command-line option support. The set_config_entry function now allows setting a config entry to NULL to clear and free it.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@209 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Feb 6, 2010
  1. Fixed libfko so gpgme engine is gpg by default. Added functions to libfko to set/get path to gpgme engine. Fixed some memory leaks. Reworked the get_user_pw routine. Added code in fwknopd to put back the "hQ" string on the front of incoming GPG-encrypted message data. Removed the previously added pretty-print routine to configure. Updated configure to check for path to gpg executable. Updated docs accordingly.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@205 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jan 30, 2010
  1. Added additional sanity checks and clean-up of access.conf processing and functionality. Fixes require source and added check for required username. Added fallback to use GPG_DECRYPT_PW if it was set and the normal KEY failed with a decryption error. Fixed packet count checks to allow a limit of 0 to mean unlimited number of packets.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@203 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jan 16, 2010
  1. added --server-cmd arg to fwknop client man page and help output

    git-svn-id: file:///home/mbr/svn/fwknop/trunk@197 510a4753-2344-4c79-9c09-4d669213fbeb
  2. added --last-cmd argument to fwknop(8) man page via the …ciidoc file

    git-svn-id: file:///home/mbr/svn/fwknop/trunk@196 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Jan 5, 2010
  1. Updated changelog. Made the match the changes made to the fwknopd.8 manpage.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@188 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Dec 7, 2009
  1. Fixed bug in signal handling when libpcap version 1.0 is used. Minor doc update.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@170 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Sep 14, 2009
  1. Added some more (stubbed-in) server code and functions. Minor doc tweak.

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@148 510a4753-2344-4c79-9c09-4d669213fbeb
Commits on Sep 5, 2009
  1. Minor manpage tweak

    Damien Stuart committed
    git-svn-id: file:///home/mbr/svn/fwknop/trunk@140 510a4753-2344-4c79-9c09-4d669213fbeb