Commits on Apr 19, 2015
  1. @Coacher

    server: remove extra '/run' subdir from paths

    Coacher authored
    Having an extra '/run' subdirectory hardcoded into the paths used for the
    options 'digest-file', 'pid-file' and 'run-dir' is counterintuitive and can
    lead to bogus directory layouts when 'localstatedir' differs from the default.
    For example, if 'localstatedir' is set to '/run', which is a common and
    recommended substitute for /var/run in many distros nowadays, then
    fwknop files will be placed under /run/run/fwknop.
    This changeset removes the extra '/run' subdirectory from all relevant paths
    by changing DEF_RUN_DIR. The default value of 'localstatedir' is changed to
    '/var/run' so that users who relied on the previous behaviour won't have to
    bother changing anything.
    This is tested and works. Gentoo has had this patch applied since 2.6.0.
Commits on Apr 18, 2015
  1. ChangeLog and doc updates

Commits on Nov 29, 2014
  1. @DigitalDJ

    Fix typo in man asciidoc

    DigitalDJ authored
  2. @DigitalDJ
Commits on Nov 26, 2014
Commits on Nov 23, 2014
Commits on Nov 15, 2014
Commits on Oct 14, 2014
Commits on Sep 29, 2014
Commits on Sep 28, 2014
  1. Use the fwknop User-Agent for wget SSL external IP resolutions

    Bug fix to ensure that a User-Agent string can be specified when the
    fwknop client uses wget via SSL to resolve the external IP address. This
    closes issue #134 on github reported by Barry Allard. fwknop now
    uses the wget '-U' option to specify the User-Agent string with a
    default of "Fwknop/<version>". In addition, a new command line argument
    "--use-wget-user-agent" allows the default wget User-Agent string to
    apply instead.
Commits on Aug 27, 2014
Commits on Jul 28, 2014
Commits on Jul 25, 2014
  1. [client] Updated IP resolution mode -R to use SSL

    External IP resolution via '-R' (or '--resolve-ip-http') is now done via SSL by
    default. The IP resolution URL is now '';,
    and a warning is generated in '-R' mode whenever a non-HTTPS URL is specified
    (it is safer just to use the default). The fwknop client leverages 'wget' for
    this operation since that is cleaner than having fwknop link against an SSL
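The two commits above (the '-U' User-Agent handling and the HTTPS-by-default '-R' resolution) describe client-side behaviour around an external HTTP fetch. The following is an added example, written for this page and not taken from the fwknop source: it builds the wget command line as the commit messages describe it, warns on a non-HTTPS URL, and validates the resolver's answer before it could be used as the SPA source address. The resolver URL, the version string and the response validation rules (a single globally routable IPv4 literal) are assumptions for the example, not documented fwknop behaviour.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholders: the real default resolution URL and the version
# string are not reproduced from the project here.
DEFAULT_RESOLVE_URL = "https://resolver.example/ip"   # assumption
FWKNOP_VERSION = "2.6.0"                              # assumption


def build_wget_argv(url=DEFAULT_RESOLVE_URL, version=FWKNOP_VERSION,
                    use_wget_user_agent=False):
    """Build the wget command line used to fetch the external IP.

    Returns (argv, warning).  'Fwknop/<version>' is passed through wget's
    -U option unless the caller asked for wget's own default User-Agent,
    and a warning string is produced for any URL whose scheme is not https.
    """
    warning = None
    if urlparse(url).scheme.lower() != "https":
        warning = ("non-HTTPS URL %r given for external IP resolution; "
                   "the HTTPS default is safer" % url)
    argv = ["wget", "-q", "-O", "-"]          # quiet, write body to stdout
    if not use_wget_user_agent:
        argv += ["-U", "Fwknop/%s" % version]
    argv.append(url)
    return argv, warning


def parse_resolved_ip(body):
    """Validate the resolver's response before trusting it.

    Only a single, globally routable IPv4 literal is accepted; HTML error
    pages, several addresses, binary junk or a private/loopback answer all
    yield None.  Rejecting non-global addresses is an added defensive
    choice in this example, not documented fwknop behaviour.
    """
    if isinstance(body, bytes):
        try:
            body = body.decode("ascii")
        except UnicodeDecodeError:
            return None
    text = body.strip()
    if not text or any(ch.isspace() for ch in text):
        return None
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return None
    if not ip.is_global:
        return None
    return str(ip)


if __name__ == "__main__":
    cmd, warn = build_wget_argv()
    print(" ".join(cmd), "| warning:", warn)
    print(parse_resolved_ip(b"8.8.8.8\n"), parse_resolved_ip(b"<html>oops</html>"))
```

The point of `parse_resolved_ip` is that a resolver reachable over the network is an input, not an oracle: whatever it returns ends up inside an SPA packet, so the client should accept only the one shape it expects.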
Commits on Jun 6, 2014
  1. add --fault-injection-tag support to the client/server/libfko

    This is a significant commit to add the ability to leverage libfko fault
    injections from both the fwknop client and server command lines via a
    new option '--fault-injection-tag <tag name>'.  This option is used by
    the test suite with the tests/ tests.
Commits on May 8, 2014
Commits on May 4, 2014
Commits on Apr 30, 2014
  1. [test suite] significant test coverage update

    This commit adds a lot of test coverage support as guided by gcov +
    Also added the --no-ipt-check-support option to fwknopd (this is only
    useful in practice on older Linux distros where 'iptables -C' is not
    available, but it helps with test coverage).
Commits on Mar 25, 2014
  1. [client+server] verify GnuPG signatures by default

    - [server] When GnuPG is used, the default now is to require that
    incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
    access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
    is no longer necessary in order to authenticate SPA packets via the
    GnuPG signature. Verification of GnuPG signatures can be disabled with a
    new access.conf variable GPG_DISABLE_SIG, but this is NOT a
    recommended configuration.
    - [client+server] Add --gpg-exe command line argument and GPG_EXE
    config variable to ~/.fwknoprc and the access.conf file so that the path
    to GnuPG can be changed from the default /usr/bin/gpg path.
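The policy described in that commit (signatures required by default, the signer must appear in GPG_REMOTE_ID, GPG_DISABLE_SIG as an opt-out, GPG_EXE overriding /usr/bin/gpg) is easy to get subtly wrong when reimplemented, so here is an added example that models it. This is example code written for this page, not fwknop's own access.conf parser or its GnuPG handling; the sample stanzas are constructed, the 'KEYWORD  value' line format and the rule that SOURCE begins a stanza are approximations of access.conf, and key IDs are compared as exact strings.

```python
import re

DEFAULT_GPG_EXE = "/usr/bin/gpg"

# Constructed access.conf fragment for this example (not from the fwknop
# distribution).  Each stanza begins with a SOURCE line and the other lines
# are 'KEYWORD  value'.
SAMPLE_ACCESS_CONF = """\
# Stanza 1: signatures are required and must come from one of two keys.
SOURCE              ANY
GPG_DECRYPT_ID      ABCDEF01
GPG_REMOTE_ID       7234ABCD, 5678EF90
GPG_EXE             /usr/local/bin/gpg2

# Stanza 2: signature verification turned off (NOT recommended).
SOURCE              192.168.10.0/24
GPG_DECRYPT_ID      ABCDEF01
GPG_DISABLE_SIG     Y
"""

_LINE = re.compile(r"^([A-Za-z_]+)\s+(.+?)\s*$")


def parse_access_conf(text):
    """Split access.conf text into a list of stanza dicts (assumed format)."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable access.conf line: %r" % raw)
        key, value = m.group(1).upper(), m.group(2)
        if key == "SOURCE":
            current = {}
            stanzas.append(current)
        if current is None:
            raise ValueError("%s appears before any SOURCE line" % key)
        current[key] = value
    return stanzas


def gpg_exe(stanza):
    """Path to the GnuPG binary for this stanza (GPG_EXE or the default)."""
    return stanza.get("GPG_EXE", DEFAULT_GPG_EXE)


def check_gpg_signature_policy(stanza, signer_id):
    """Decide whether a GnuPG-encrypted SPA packet passes the stanza's
    signature policy.

    signer_id is the key ID whose signature verified on the packet, or
    None when the packet is unsigned or the signature failed to verify.
    Returns (allowed, reason).  Default policy: a valid signature from a
    key in GPG_REMOTE_ID is required; GPG_DISABLE_SIG=Y bypasses the check.
    """
    if stanza.get("GPG_DISABLE_SIG", "N").strip().upper() == "Y":
        return True, "GPG_DISABLE_SIG is set; signature not checked (not recommended)"
    if signer_id is None:
        return False, "signature required but packet is unsigned or signature invalid"
    remote_ids = [r.strip().upper()
                  for r in stanza.get("GPG_REMOTE_ID", "").split(",") if r.strip()]
    if not remote_ids:
        return False, "signature required but stanza has no GPG_REMOTE_ID"
    if signer_id.strip().upper() not in remote_ids:   # exact key-ID match only
        return False, "signer %s is not listed in GPG_REMOTE_ID" % signer_id
    return True, "signature verified against GPG_REMOTE_ID"


if __name__ == "__main__":
    for n, st in enumerate(parse_access_conf(SAMPLE_ACCESS_CONF), 1):
        print("stanza", n, "gpg:", gpg_exe(st))
        for signer in ("7234ABCD", "DEADBEEF", None):
            print("  signer", signer, "->", check_gpg_signature_policy(st, signer))
```

Note the ordering of the checks: the "unsigned" case is rejected before GPG_REMOTE_ID is consulted, so a stanza that lists remote IDs but receives an unsigned packet fails closed, and an empty GPG_REMOTE_ID with signatures enabled is also a rejection rather than an allow-all.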
Commits on Jan 3, 2014
  1. (Marek Wrzosek) Update docs to reflect random 'digits' use instead of 'bytes'

    Suggested doc update to fwknop man pages to accurately describe the usage
    of digits instead of bytes for SPA random data.  About 53 bits of entropy
    are actually used, although this is in addition to the 64-bit random salt
    for key derivation used by PBKDF1 in Rijndael CBC mode.
Commits on Dec 14, 2013
  1. [server] added FORCE_MASQUERADE to fwknopd(8) man page, closes #101

    This commit completes the addition of generalized NAT (both DNAT and
    SNAT) capabilities to access.conf stanzas.
Commits on Dec 5, 2013
  1. [server] Added FORCE_SNAT to access.conf stanzas.

    Added FORCE_SNAT to the access.conf file so that per-access stanza SNAT
    criteria can be specified for SPA access.
Commits on Aug 9, 2013
Commits on Jul 30, 2013
  1. @fjoncourt
Commits on Jul 29, 2013
Commits on Jul 28, 2013
  1. @fjoncourt
  2. @fjoncourt
Commits on Jul 10, 2013
Commits on Jun 30, 2013
Commits on Jun 29, 2013
Commits on Jun 28, 2013
  1. bump version to 2.5, minor fwknopd -S exit status update

    This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to
    signal incompatibility with older libfko versions.  Backwards compatibility is
    maintained in SPA packet construction, but function prototypes in libfko-2.0 are
    no longer compatible with older versions.
    This commit also returns non-zero exit status under 'fwknopd --status' if there
    is no existing fwknopd process.  This is better than always exiting with a zero
    status regardless of whether fwknopd is already running or not, and adds a level
    of scriptability to --status usage.  This change was suggested by George Herlin.
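Two commits on this page touch the same runtime file: the run-dir commit at the top fixes where the pid file lives, and this one makes 'fwknopd --status' return a non-zero exit status when no daemon is running. The following added example, written for this page rather than taken from fwknopd, shows the check a wrapper script relies on: derive the run directory from 'localstatedir' without the extra '/run' component, then report 0 only when the pid file names a live process. The pid file name 'fwknopd.pid' and the treatment of a stale or malformed pid file as "not running" are assumptions of the example.

```python
import os
import tempfile

DEFAULT_LOCALSTATEDIR = "/var/run"        # the new configure default per the commit
PID_FILENAME = "fwknopd.pid"              # assumed file name, not taken from the page


def run_dir(localstatedir=DEFAULT_LOCALSTATEDIR):
    """DEF_RUN_DIR without the extra '/run' component: <localstatedir>/fwknop."""
    return os.path.join(localstatedir, "fwknop")


def pid_file(localstatedir=DEFAULT_LOCALSTATEDIR):
    return os.path.join(run_dir(localstatedir), PID_FILENAME)


def fwknopd_status(pidfile):
    """Exit-status style check: 0 if pidfile names a live process, else 1.

    A missing, unreadable or malformed pid file and a stale pid (no such
    process) all count as 'not running', which is what a caller scripting
    around '--status' needs.
    """
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return 1
    if pid <= 0:
        return 1
    try:
        os.kill(pid, 0)                    # signal 0: existence check only
    except ProcessLookupError:
        return 1                           # stale pid file
    except PermissionError:
        return 0                           # exists, owned by another user
    except OSError:
        return 1
    return 0


def self_check():
    """Exercise fwknopd_status against constructed pid files in a temp dir.

    Returns the statuses for (missing file, live pid, malformed, stale pid);
    the expected result is (1, 0, 1, 1).
    """
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, PID_FILENAME)
        missing = fwknopd_status(p)
        with open(p, "w") as fh:
            fh.write("%d\n" % os.getpid())
        live = fwknopd_status(p)
        with open(p, "w") as fh:
            fh.write("not-a-pid\n")
        malformed = fwknopd_status(p)
        with open(p, "w") as fh:
            fh.write("2147483647\n")       # beyond any real pid_max: stale
        stale = fwknopd_status(p)
    return missing, live, malformed, stale


if __name__ == "__main__":
    print(run_dir("/run"), pid_file("/run"))
    raise SystemExit(0 if self_check() == (1, 0, 1, 1) else 1)
```

Usage from a shell wrapper is then just `fwknopd --status || start_daemon`; the stale-pid case matters because a crashed daemon leaves its pid file behind, and a status check that only tests for the file's existence would report it as running forever.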
Commits on Jun 21, 2013
Commits on Jun 20, 2013
Commits on Jun 19, 2013
  1. [client] add GPG_ALLOW_NO_SIGNING_PW and --gpg-no-signing-pw

    This change brings similar functionality to the client as the GPG_ALLOW_NO_PW
    keyword in the server access.conf file.  Although this option is less likely
    to be used than the analogous server functionality, it stands to reason that
    the client should offer this feature.  The test suite has also been updated to
    not use the --get-key option for the 'no password' GPG tests.
Commits on Jun 16, 2013