…ength (fixes ASAN warning)
By default, fwknopd will now exit if the interface that it is sniffing goes down (patch contributed by GitHub user 'sgh7'). If this happens, it is expected that the native process monitoring feature in things like systemd or upstart will restart fwknopd. However, if fwknopd is not being monitored by systemd, upstart, or anything else, this behavior can be disabled with the EXIT_AT_INTF_DOWN variable in the fwknopd.conf file. If disabled, fwknopd will try to recover when a downed interface comes back up.
… check frequency
The RULES_CHECK_THRESHOLD variable defines the number of times firewall rule expiration times must be checked before a "deep" check is run. This allows fwknopd to remove rules that contain a proper '_exp_<time>' even if a third party program added them instead of fwknopd. The default value for this variable is 20, and this typically results in this check being run every two seconds or so. To disable this type of checking altogether, set this variable to zero.
…he _exp_ prefix
…nce FWKNOP_INPUT almost never exists at startup
GitHub user Scotte noticed that in his setup a 'VSS-Monitoring ethernet trailer' was being added to incoming Ethernet frames that contained SPA packets. This caused base64 decoding to break because the packet data length was calculated from what libpcap returned for the frame (so these bytes became included in the SPA payload itself). This issue was reported as #163 on GitHub. This commit has fwknopd calculate the SPA payload length using the length field in the IP header so that any trailing bytes in the Ethernet frame are not included. This solution also applies to the Ethernet Frame Check Sequence issue (#126).
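The length calculation described in the last commit message above, as an added example that is not fwknop's own code: it contrasts a payload length taken from the captured frame size with one bounded by the IPv4 total-length field. The function names and the sample frame are constructed for illustration, and the sketch assumes untagged Ethernet carrying IPv4 with the SPA data in a UDP datagram.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_LEN 14
#define UDP_LEN 8

/* Pre-fix behaviour for contrast: trusts the captured frame length. */
int payload_len_from_caplen(const uint8_t *f, size_t caplen)
{
    return (int)(caplen - ETH_LEN - (size_t)(f[ETH_LEN] & 0x0f) * 4 - UDP_LEN);
}

/* Length bounded by the IPv4 total-length field; -1 if malformed. */
int payload_len_from_ip(const uint8_t *f, size_t caplen, const uint8_t **payload)
{
    if (caplen < ETH_LEN + 20 + UDP_LEN) return -1;
    const uint8_t *ip = f + ETH_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return -1; /* IPv4+UDP only */
    if (total < ihl + UDP_LEN || total > caplen - ETH_LEN) return -1;
    *payload = ip + ihl + UDP_LEN;
    return (int)(total - ihl - UDP_LEN);
}

/* Constructed sample frame: Ethernet + IPv4 + UDP + data + trailer bytes. */
size_t build_frame(uint8_t *buf, const char *data, size_t trailer_len)
{
    size_t dlen = strlen(data), total = 20 + UDP_LEN + dlen;
    uint8_t *ip = buf + ETH_LEN;
    memset(buf, 0, ETH_LEN + total + trailer_len);
    buf[12] = 0x08;                         /* EtherType 0x0800 (IPv4) */
    ip[0] = 0x45;                           /* version 4, IHL 5 words */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total; /* IP total length */
    ip[9] = 17;                             /* protocol UDP */
    ip[25] = (uint8_t)(UDP_LEN + dlen);     /* UDP length (low byte) */
    memcpy(ip + 28, data, dlen);
    memset(ip + total, 0xEE, trailer_len);  /* stand-in for a monitoring trailer */
    return ETH_LEN + total + trailer_len;
}

int main(void)
{
    uint8_t buf[128];
    const uint8_t *p = NULL;
    size_t n = build_frame(buf, "Y29uc3RydWN0ZWQ=", 4);
    printf("caplen: %d  ip: %d\n", payload_len_from_caplen(buf, n), payload_len_from_ip(buf, n, &p));
    return 0;
}
```

The IP-based function also rejects a capture shorter than the IP header claims, so a truncated frame cannot cause a read past the captured bytes.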