Commits on Jul 26, 2015
Commits on Jul 25, 2015
  1. [test suite] fix sudo user tests

Commits on Jul 24, 2015
  1. [test suite] ensure HMAC key string is equal to SHA512_BLOCK_LEN in length (fixes ASAN warning)
Commits on Jul 22, 2015
Commits on Jul 21, 2015
  1. Fix some typos

    micha137 authored
Commits on Jul 19, 2015
  1. @Coacher
Commits on Jul 18, 2015
  1. [server] interface goes down will cause fwknopd to exit

    By default, fwknopd will now exit if the interface that it is
    sniffing goes down (patch contributed by Github user 'sgh7'). If this
    happens, it is expected that the native process monitoring feature in
    things like systemd or upstart will restart fwknopd. However, if fwknopd
    is not being monitored by systemd, upstart, or anything else, this
    behavior can be disabled with the EXIT_AT_INTF_DOWN variable in the
    fwknopd.conf file. If disabled, fwknopd will try to recover when a
    downed interface comes back up.
  2. [server] Added RULES_CHECK_THRESHOLD to define 'deep' rule expiration check frequency

    The RULES_CHECK_THRESHOLD variable defines the number of times firewall rule
    expiration times must be checked before a "deep" check is run. This allows
    fwknopd to remove rules that contain a proper '_exp_<time>' even if a third party
    program added them instead of fwknopd. The default value for this variable is 20,
    and this typically results in this check being run every two seconds or so. To
    disable this type of checking altogether, set this variable to zero.
  3. Merge pull request #161 from sgh7/master

    [server] daemon exits if listened-to interface goes down
Commits on Jul 17, 2015
  1. [server] switch chain_exists() log message to LOG_DEBUG upon error since FWKNOP_INPUT almost never exists at startup
  2. [server] Calculate payload length from IP header

    Github user Scotte noticed that in his setup a 'VSS-Monitoring ethernet trailer'
    was being added to incoming Ethernet frames that contained SPA packets. This
    caused base64 decoding to break because the packet data length was calculated
    from what libpcap returned for the frame (so these bytes became included in the
    SPA payload itself). This issue was reported as #163 on github.
    This commit has fwknopd calculate the SPA payload length using the length field
    in the IP header so that any trailing bytes in the Ethernet frame are not
    included. This solution also applies to the Ethernet Frame Check Sequence issue
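
The length calculation described in the "Calculate payload length from IP header" commit above, sketched as an added example (not fwknopd's own code). The function names are hypothetical, the frame is constructed, and the code assumes an untagged Ethernet II frame carrying IPv4/UDP.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14   /* untagged Ethernet II header */
#define UDP_HLEN 8

/* Length from the capture size: counts any Ethernet trailer or FCS as payload. */
long naive_udp_payload_len(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HLEN + 20 + UDP_HLEN) return -1;
    size_t ihl = (size_t)(frame[ETH_HLEN] & 0x0f) * 4;
    if (ihl < 20 || caplen < ETH_HLEN + ihl + UDP_HLEN) return -1;
    return (long)(caplen - ETH_HLEN - ihl - UDP_HLEN);
}

/* Length from the IPv4 total-length field: bytes after the datagram are ignored. */
long ip_udp_payload_len(const uint8_t *frame, size_t caplen, const uint8_t **payload)
{
    if (caplen < ETH_HLEN + 20 + UDP_HLEN) return -1;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 17) return -1;     /* IPv4 + UDP only */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || tot < ihl + UDP_HLEN) return -1;      /* malformed header */
    if (tot > caplen - ETH_HLEN) return -1;               /* truncated capture */
    if (payload) *payload = ip + ihl + UDP_HLEN;
    return (long)(tot - ihl - UDP_HLEN);
}

/* Constructed sample: 16 payload bytes followed by a 4-byte trailer. */
size_t build_sample_frame(uint8_t *buf, size_t buflen)
{
    static const char data[] = "QUJDREVGR0hJSktM";       /* 16 base64 characters */
    const size_t dlen = sizeof(data) - 1, trailer = 4;
    const size_t total = ETH_HLEN + 20 + UDP_HLEN + dlen + trailer;
    if (buflen < total) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                         /* version 4, IHL 5 */
    ip[2] = 0; ip[3] = (uint8_t)(20 + UDP_HLEN + dlen);   /* total length 44 */
    ip[9] = 17;                                           /* protocol UDP */
    uint8_t *udp = ip + 20;
    udp[4] = 0; udp[5] = (uint8_t)(UDP_HLEN + dlen);      /* UDP length 24 */
    memcpy(udp + UDP_HLEN, data, dlen);
    memset(udp + UDP_HLEN + dlen, 0xAA, trailer);         /* monitoring trailer */
    return total;
}
```

On the constructed frame the capture-based length includes the four trailer bytes, which a base64 decoder would then see as part of the payload, while the IP-header-based length stops at the end of the datagram.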
Commits on Jul 16, 2015
Commits on Jul 15, 2015
Commits on Jul 14, 2015