Currently fwknopd supports the iptables MASQUERADE target, but only if DNAT rules are also used. A use case reported by "spartan1833" to the fwknop mailing list is to have fwknopd gate communications that would otherwise be forwarded through a gateway. So, internal clients would have their default gateway set to the internal IP of the system running fwknopd, and would only be allowed to send packets through the gateway after producing a valid SPA packet. The main problem before this issue is closed is that currently NAT operations are applied to IP packets that are sent directly to the gateway IP where fwknopd is running. What needs to be changed is the ability for clients to send packets to arbitrary destination IPs (and therefore DNAT is not needed) and have fwknopd manage MASQUERADE accept rules.
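The two rule models described above, as an added dry-run illustration that is not fwknopd's own code: the existing path, where the client must address the gateway itself and a DNAT rule rewrites the destination, beside the requested path, where forwarding from an authenticated source to any destination is accepted and only MASQUERADE is applied on the way out. The chain name, interface and addresses are assumed placeholders, and `IPT` defaults to `echo` so no rule is actually applied.

```shell
#!/bin/sh
# Assumed values (constructed for the illustration, not fwknopd settings).
IPT="${IPT:-echo iptables}"                    # set IPT=iptables to apply for real
EXT_IF="${EXT_IF:-eth0}"                       # upstream interface of the gateway
CHAIN="${CHAIN:-SPA_FORWARD}"                  # hypothetical chain holding per-client accepts

# One-time gateway setup: forward nothing by default, let replies through,
# hand new forwarded traffic to the per-client chain, and masquerade
# everything leaving via the upstream interface (no DNAT anywhere).
gateway_setup() {
    $IPT -P FORWARD DROP
    $IPT -N "$CHAIN"
    $IPT -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD 2 -j "$CHAIN"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Existing model: client $1 sends to the gateway IP on port $3 and DNAT
# redirects it to internal host $2. Works only for a fixed destination.
dnat_rule() {
    $IPT -t nat -A PREROUTING -s "$1" -p tcp --dport "$3" \
        -j DNAT --to-destination "$2:$3"
}

# Requested model: after a valid SPA packet from source $1, accept forwarding
# from that source to ANY destination. $2 is an expiry tag (e.g. a UNIX time)
# kept in the rule comment so the exact rule can be removed later.
forward_accept() {
    $IPT -A "$CHAIN" -s "$1" -o "$EXT_IF" \
        -m comment --comment "spa-expire:$2" -j ACCEPT
}

# Revoke the access added by forward_accept with the same source and tag;
# deleting by full match avoids removing another client's rule by accident.
forward_revoke() {
    $IPT -D "$CHAIN" -s "$1" -o "$EXT_IF" \
        -m comment --comment "spa-expire:$2" -j ACCEPT
}
```

With `IPT=iptables`, a timer or the SPA daemon itself would call `forward_revoke` once the expiry tag is reached, which is the rule lifecycle fwknopd has to manage for this use case.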
Commit 6b7a3bb makes significant progress on this feature. More coming on this.
This feature is nearly complete with 8e6db3a.
This feature is now complete for the upcoming 2.6.6 release.