minor addition of the local_spa.key file for 'make dist'

[fwknop.git] / ChangeLog-v2.0rc5

commit 7a231a3b72758d93b4b9425fd403247aa2018499
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:21:31 2011 -0500

    added local_spa.key file

commit 3d0ceccf65010a84dd30fc5e9c567e24f03104ce
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:20:39 2011 -0500

    added local_spa.key file

commit 710f98a9b572cd126cd3f662b29244bc0d6e6533
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:16:38 2011 -0500

    minor addition of the CREDITS file for 'make dist'

commit 9bcd7cb137103db89400f4f652ab834e05ea5eba
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:16:03 2011 -0500

    Added the CREDITS file for 'make dist'

commit 3b2ec921be16db4bcccb4a0bfe13ebdb620a5b31
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:11:58 2011 -0500

    change log doc updates

commit 474a18b57d054939e6f4063d5ef491b4cee4a240
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 22:10:47 2011 -0500

    Added various files to Makefile.am so that 'make dist' continues to work

commit 690fe25fa4201af8f76c28450177581ce14a1459
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 21:14:31 2011 -0500

    added CREDITS file, bumped software version, added ChangeLog files

commit bcba9d6bdef6032a992e64a8bd6bd7604b83b006
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Dec 5 21:14:14 2011 -0500

    added CREDITS file, bumped software version, added ChangeLog files

commit 893b89a3eba5fa9945095f8df4460f912fdb0cbc
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Dec 3 21:21:29 2011 -0500

    minor compiler warning fix on OpenBSD

commit 860b4527a455d1d50f2b563f4939ee1990b53bd8
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Dec 3 13:10:35 2011 -0500

    minor compile fixes for FreeBSD

commit 9b7c1a8ce69fe51337458cce4e7b5e9cb3d7654b
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Nov 30 20:51:19 2011 -0500

    Added FORCE_NAT mode to the access.conf file
    
    This commit adds a new configuration variable "FORCE_NAT" to the access.conf
    file:
    
        For any valid SPA packet, force the requested connection to be NAT'd
        through to the specified (usually internal) IP and port value.  This is
        useful if there are multiple internal systems running a service such as
        SSHD, and you want to give transparent access to only one internal system
        for each stanza in the access.conf file.  This way, multiple external
        users can each directly access only one internal system per SPA key.
    
    This commit also implements a few minor code cleanups.

commit 8585958e6e164d47c3d9dc106d4a15aee18599b9
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Nov 28 23:20:11 2011 -0500

    minor newline fix for access.conf output dump

commit 2a1243fee6d618096bc402b5a56ae3c2670b8b50
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Nov 28 23:18:07 2011 -0500

    memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336

commit b280f5cde0246cdef33dee3f8be66a2bcef77336
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Nov 28 22:03:21 2011 -0500

    Added access stanza expiration feature, multiple access stanza bug fix
    
    This commit does two major things:
    
    1) Two new access.conf variables are added "ACCESS_EXPIRE" and
    "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
    to modify the access.conf file and restart fwknopd.
    
    2) Allow an access stanza that matches the SPA source address to not
    automatically short circuit other stanzas if there is an error (such as when
    there are multiple encryption keys involved and an incoming SPA packet is
    meant for, say, the second stanza and the first therefore doesn't allow
    proper decryption).

commit 9e884e9759362ce401bf77dab819b24e10caca62
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 22 22:56:48 2011 -0500

    added SPA packet aging tests

commit 72a4353fd850c099816f6e1acb9fad12bcb2ff27
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 22 22:56:36 2011 -0500

    bug fix to exclude SPA packets with timestamps in the future that are too great (old packets were properly excluded already)

commit 644b9e943214ed6ede762af72f395b73ea03faf0
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 22 22:40:26 2011 -0500

    added test for --test mode in the fwknop client

commit 0015da44427bf988372818b26916a6229e9f68ca
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 22 22:34:10 2011 -0500

    bug fix to honor the fwknop client --time-offset-plus and --time-offset-minus options

commit 05b189ff4fe61c7149efcf4f18cada14553e6dbe
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 22 22:13:27 2011 -0500

    added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd check for ENABLE_IPT_FORWARDING variable before attempting NAT access

commit dd2deec73dc5f0d630ab86e92fe1e0073d692414
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Nov 18 23:23:50 2011 -0500

    added tests for various access.conf variables

commit 63498c9032bfe74bc91de5d6607391e7b7cdfe36
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Nov 17 21:17:50 2011 -0500

    added IP/subnet match tests, added --Anonymize-results mode

commit 34cd0c7a78a62e1df2533641ca08adaaafa2aa7d
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Nov 15 21:45:51 2011 -0500

    simplified the client/server interaction code, started on IP filtering tests, added spoof username tests

commit 3d94aaa9205e5703c50635b9007efab485d9b2da
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Nov 10 22:54:25 2011 -0500

    minor test wording consolidation

commit 50b48147c0392cd91f7ad83af56b20d0abbd3c3e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Nov 10 22:33:32 2011 -0500

    This commit fixes two memory leaks and adds a common exit function.
    
    The two memory leaks were found with the test suite running in
    --enable-valgrind mode - here are the relevant error messages:
    
    For fwknopd server GPG clean up:
    
    ==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
    ==345==   at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==345==   by 0x52F6B81: strdup (strdup.c:43)
    ==345==   by 0x10FA57: add_string_list_ent (access.c:308)
    ==345==   by 0x110513: parse_access_file (access.c:387)
    ==345==   by 0x10B5FB: main (fwknopd.c:193)
    
    For fwknop client rc file processing:
    
    ==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
    ==8045==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==8045==    by 0x50A53AA: __fopen_internal (iofopen.c:76)
    ==8045==    by 0x10C3FF: process_rc (config_init.c:446)
    ==8045==    by 0x10C8F6: config_init (config_init.c:671)
    ==8045==    by 0x10AC9E: main (fwknop.c:62)
    
    There is also a new clean_exit() function that makes it easier to ensure that
    resources are deallocated upon existing.

commit 9ebd55f52289d5904fbde3b8838ca92c7271d9e9
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Nov 10 22:33:00 2011 -0500

    remove CMD timestamps for --diff mode

commit 9e19b8bc267031900c555c55fc5c1e54b6093461
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Nov 6 13:51:23 2011 -0500

    added --diff mode to the test suite to compare results from one execution to the next

commit a5a3c06ef225c737acbd21c6cedd1a94f1a6c484
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Nov 4 23:46:31 2011 -0400

    consolidated several test functions into a single generic_exec() function

commit f41a26b389605311a21a95a9ad2b23f460ed02ee
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Nov 3 22:15:19 2011 -0400

    Fixed fwknopd memory leak, several other fixes and updates
    
    This commit does several things.  First, a memory leak in fwknopd has been
    fixed by ensuring to free access.conf stanzas.  This bug was found with the
    new test suite running in --enable-valgrind mode.  Here is what some of the
    valgrind output looked like to find the leak:
    
    ==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
    ==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
    ==19217==    by 0x52F6B81: strdup (strdup.c:43)
    ==19217==    by 0x10FC8B: add_acc_string (access.c:49)
    ==19217==    by 0x1105C8: parse_access_file (access.c:756)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x10FEC0: add_source_mask (access.c:88)
    ==19217==    by 0x110100: expand_acc_source (access.c:191)
    ==19217==    by 0x1104B0: parse_access_file (access.c:500)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
    ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
    ==19217==    by 0x1103E4: parse_access_file (access.c:551)
    ==19217==    by 0x10B79B: main (fwknopd.c:194)
    ==19217==
    ==19217== LEAK SUMMARY:
    ==19217==    definitely lost: 152 bytes in 1 blocks
    ==19217==    indirectly lost: 31 bytes in 3 blocks
    ==19217==      possibly lost: 0 bytes in 0 blocks
    ==19217==    still reachable: 8 bytes in 1 blocks
    ==19217==         suppressed: 0 bytes in 0 blocks
    
    Second, this commit changes how fwknopd acquires packet data with
    pcap_dispatch() - packets are now processed within the callback function
    process_packet() that is provided to pcap_dispatch(), the global packet
    counter is incremented by the return value from pcap_dispatch() (since this is
    the number of packets processed per pcap loop), and there are two new
    fwknopd.conf variables PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the
    number of packets that pcap_dispatch() should process per loop and the number
    of microseconds that fwknopd should sleep per loop respectively.  Without this
    change, it was fairly easy to cause fwknopd to miss packets by creating bursts
    of packets that would all be processed one at time with the usleep() delay
    between each.  For fwknopd deployed on a busy network and with a permissive
    pcap filter (i.e. something other than the default that causes fwknopd to look
    at, say, TCP ACK's), this change should help.
    
    Third, the criteria that a packet must reach before data copying into the
    buffer designed for SPA processing has been tightened.  A packet less than
    /greater than the minimum/maximum expected sizes is ignored before data is
    copied, and the base64 check is done as well.

commit 97a8d751c1b02271e812701d4cb938833d36918a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Oct 30 22:14:00 2011 -0400

    added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for udp 53 dns

commit 044ea54d936745e29c856de71818f0497633d531
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 29 23:49:29 2011 -0400

    updated client SPA verbose message to include the server IP/host

commit 8e4b45dd568ef86ba773605662a5d058be714d33
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 29 23:48:42 2011 -0400

    minor looping criteria update for valgrind tests

commit ea3e81787121e56e1a44cc0a5ee3b9ba64c4f5eb
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 29 16:59:57 2011 -0400

    [test-suite] added the ability to run all fwknop tests through valgrind

commit f999e2e6720021328e2f34bf57d05b8081d8ffae
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 29 16:55:28 2011 -0400

    bugfix to return preprocess_spa_data() result properly to calling function

commit b1b830f744b01e0a3f0d4a19b6d38dd51afaae1f
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 28 23:01:06 2011 -0400

    update to remove packet direction requirement when sniffing on OpenBSD loopback interfaces

commit cde71b1b274cae5af3b6e986e5ac369d79c0cc3a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 28 23:00:26 2011 -0400

    minor whitespace removal

commit dbbbe60fe4b6908bff56d026d886381c83a44087
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 28 22:59:52 2011 -0400

    added stack protection detection for OpenBSD systems

commit 2e96ece4b074beff06aaca2f51bd90c84bfeeef8
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 28 22:42:27 2011 -0400

    Update to ensure libfko.so path is detected properly on OpenBSD

commit 464dbe95d07657794aaac9e230153ffd84a2ed06
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 27 21:51:55 2011 -0400

    Update to print all firewall commands in --verbose mode
    
    This commit makes it easier to determine exactly which commands fwknopd
    runs in --verbose mode when interacting with the underlying firewall.
    This commit also adds --verbose --verbose mode to the test suite.

commit 6388e8ac7fab3d89b164862c9e113fed37e9f397
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Oct 25 21:00:40 2011 -0400

    added 'const' to function prototype vars where possible
    
    Added the 'const' qualifier to function prototype variables where possible.
    In addition, reduced some functions to file-scope with 'static' where possible.
    
    Also made a few minor changes to remove extra whitespace, and fixed a bug
    in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.

commit 85377267e299118d5302afde3dfeed426b353879
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Oct 24 21:52:13 2011 -0400

    compiler warning fix for sscanf() on freebsd
    
    This commit fixes the following gcc warning on freebsd systems:
    
    replay_cache.c: In function 'replay_file_cache_init':
    replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'

commit 1c6fc0f3f80e086b43471e756f8249015fe2e4b2
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Oct 24 20:48:56 2011 -0400

    update to detect loopback interface

commit 3299fb25815bcec09b5410d3393ab806f8b78a68
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Oct 24 20:48:20 2011 -0400

    minor whitespace removal

commit c9860811f5de4b28f674d53d16b1bca10f12bed8
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 22:29:27 2011 -0400

    added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual command execution easier

commit 50bcc537eea23e9cd269a51e63d9da525c0a91ac
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 22:06:00 2011 -0400

    added digest cache validation after GPG tests

commit 1b8606461cc21108b190f871bf2d8b0929589fce
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 21:54:22 2011 -0400

    minor update to match include/exclude criteria on the whole test message

commit 9e3a4b4c920444df10b6a74eb574a542091adbfc
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 21:29:44 2011 -0400

    extended packet validity tests in GPG mode

commit 09e6ed1405436b975cb41c89dc2517f0e73c54bb
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 16:48:30 2011 -0400

    added first GPG complete cycle SPA test

commit 2d9dbe1fca011cd6bf726b86fb21af97da11ce49
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 15:19:54 2011 -0400

    minor whitespace removal

commit e4f4ee78253f1f44c8809173ad2209ba8364e2c5
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 14:25:56 2011 -0400

    added test to validate digest.cache structure

commit 266150218a021894e6dab0a8b4d7525183fe004a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 10:57:25 2011 -0400

    added -P bpf test for complete SPA cycle over non standard SPA port

commit 0ab39a64a5b86babdd0c5f7412fe160bca13cb69
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Oct 22 10:48:37 2011 -0400

    added -P bpf filter test

commit 6848983b474d4571b1434a349d10ac21b278ebda
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 21 23:43:08 2011 -0400

    added Rijndael SPA validity tests

commit 081b58d9510e4bbafb6dd57b4e55a02d7105e43a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 21 23:13:24 2011 -0400

    added rule timeout detection

commit 9b816ed29af1be3a259d9c154418cbe624c2a93f
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 21 22:55:45 2011 -0400

    added replay attack detection test

commit 0bda4ee1e5f671c2e64a2b961de2f2ed0f9170a5
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Oct 21 22:54:49 2011 -0400

    minor removal of whitespace

commit caf458ad3fb2ce9408035630869e877f0c97768d
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 20 23:33:41 2011 -0400

    added first complete SPA cycle test

commit 44598fd7dd6be8207bae512b8b6e13f08e265d2a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 20 23:31:59 2011 -0400

    Added --digest-file and --pid-file args
    
    Added --digest-file and --pid-file args so that the user can easily alter
    these paths from the command line.

commit 6f699f7e5d28ac1d8e66d66b9cedb3094a35439e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 20 00:06:58 2011 -0400

    added client/server interaction test capability

commit b8571bcc05cc81448b8d52ef8eef71f2eaefa987
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Oct 18 21:28:38 2011 -0400

    Minor PID string length fix
    
    Changed PID string length to 7 to accomodate an ending newline and NULL
    char when writing to the fwknopd .pid file.  Without this fix, with a
    5 digit PID the trailing newline would be truncated (no room for the
    ending NULL char).

commit 0e7a0e9a378c5b9605228075718f53012e87cadd
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Oct 17 23:03:28 2011 -0400

    Added --fw-list-all and --fw-flush
    
    Added new command line options --fw-list-all and --fw-flush to allow all
    firewall rules to be displayed including those not created by fwknopd, and
    allow all firewall rules created by fwknopd to be deleted.
    
    Also switched -D config dump output to stdout.

commit e479e776dbd848ba82e65e22b35e7e479a788161
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Oct 17 22:55:01 2011 -0400

    Added usage of sudo for recompilation test
    
    The test suite now recompiles fwknop only if the --enable-recompile-check
    option is used, and if so, uses sudo (if installed) to have the resulting
    binaries own by the original user (instead of by root).  Also made a couple
    of API changes to create test output files automatically if they don't
    exist.

commit 11c240c41b74c110068b8748b28a074ac121608c
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 22:44:35 2011 -0400

    minor update to allow fw rules to be dumped before parsing the access.conf file

commit e36c833f554f59312c02e5efec0bbc77ab0ee301
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 22:02:21 2011 -0400

    minor whitespace fixes

commit 9962dc08088b31d116b7b5d41bf8e3ced8cfa814
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 20:59:30 2011 -0400

    minor wording update netfilter -> iptables

commit 45ecc6f39932271f7a70b1fe8dec99dc9d2438c0
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 20:41:12 2011 -0400

    minor bugfix to ensure that the proper firewall is used to collect system specs

commit 103cd2a8fb0ebe7919a5647ae90a9425242ca0ae
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 20:30:05 2011 -0400

    added the test/conf/ directory for config files use by the test suite

commit 6f0d2c509121de45f470dae4c17b6a7e46ea19d0
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 20:29:37 2011 -0400

    minor typo fix

commit 64160a0c57aee0c406be5158836fe10b3f38e3f9
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 13 20:29:19 2011 -0400

    started on basic SPA generation, updated to use LD_LIBRARY_PATH for local libfko instance

commit a1f4a65f27b73ebe5744c7ae4bf64a0876032e13
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Oct 12 23:37:28 2011 -0400

    interim commit to add major functionality to the fwknop test suite

commit 4a41ecc9556fedd4bb04206081b4096a2fddaeee
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Oct 12 23:36:51 2011 -0400

    removed

commit 88d8eb03b30a03ebb43a7da33c5f65d2de2c3289
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Oct 12 23:36:04 2011 -0400

    minor update to switch to stdout when exiting with success

commit 41c0be29b7a3ea6a0c859b43e43ccdc3aa5e30ba
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 6 23:02:29 2011 -0400

    switched --help output to stdout from stderr

commit 26f58a705dbdf9a07e430fc2558871d491c27d63
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Oct 6 22:53:27 2011 -0400

    minor update to account for hardening-check return values

commit 1a3e1caffe707e71fd3cf99ffaa4547f7fda017a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Tue Oct 4 23:15:04 2011 -0400

    Initial start on a test suite
    
    This commit begins development on a comprehensive test suite for fwknop.
    The initial tests are focused on compilation correctness and security options
    as determined by the "hardening-check" script from Kees Cook of the Debian
    security team.

commit 05f3cec96a03251d1a308d90200c9dc479ae4558
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Sep 25 21:12:30 2011 -0400

    Added --help usage information
    
    With the --help command line argument, the following information is printed:
    
    $ ./fwknop-launcher-lsof.pl --help
    
    Usage: fwknop-launcher-lsof.pl [options]
    
    Options:
    
        -c,  --config     <file>   - Path to fwknop-launcher.conf config file.
        -l,  --lsof-cmd   <path>   - Path to lsof command.
        -f,  --fwknop-cmd <path>   - Path to fwknop client command.
        -s,  --sleep   <seconds>   - Specify sleep interval (default:
                                     1 seconds)
        -n   --no-daemon           - Run in foreground mode.
        -u,  --user   <username>   - Specify username (usually this is not
                                     needed).
             --home-dir <dir>      - Path to user's home directory (usually
                                     this is not needed).
        -v   --verbose             - Print verbose information to the terminal
                                     (requires --no-daemon).
             --help                - Print usage info and exit.

commit 71ea0c6bfd3be6ff8d95e6f1d1029394e51c07f4
Merge: 7748423 35ee5a2
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Sep 25 21:02:54 2011 -0400

    Merge branch 'master' into fwknop-launcher

commit 7748423b15958fedfcaeb942f3f26cdc5b40dcde
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Sep 24 22:24:30 2011 -0400

    Added the fwknop lsof launcher under the extras/ directory
    
    The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
    lightweight daemon that allows the user to not have to manually run the fwknop
    client when attempting to gain access to a service that is protected by Single
    Packet Authorization via fwknopd.  This is accomplished by checking the output
    of lsof to look for pending connections in the SYN_SENT state, which (usually)
    indicate that a remote firewall is blocking the attempted connection.  At this
    point, the launcher executes the fwknop client with the --get-key arg (so the
    user must place the key in the local filesystem) to generate an SPA packet for
    the attempted connection.  The remote fwknopd daemon will reconfigure the
    firewall to allow temporary access, and this usually happens fast enough that
    the original connection attempt will then succeed.
    
    The idea for this was originally for a pcap-based connection watcher by
    Sebastien Jeanquier.

commit 35ee5a202debe2e7c15227f7704753c977281de2
Merge: 35abc34 668ed90
Author: Michael Rash <michael.rash@gmail.com>
Date:   Wed Sep 21 18:10:16 2011 -0700

    Merge pull request #5 from maxkas/master
    
    Fwknop client for iPhone devices - contributed by Max Kastanas

commit 668ed9033f601f052fe58ebf87a8eff144b50fcf
Author: Max Kastanas <max2idea@users.sf.net>
Date:   Fri Sep 16 22:51:53 2011 -0700

    Codebase of Fwknop client for iOS (iPhone) devices

commit 35abc349ab91ff40f0706a66e9ba50188cb94cb2
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Sep 12 23:04:41 2011 -0400

    minor typo fix: fwkop -> fwknop

commit f693a2721cf499815853639c8dfb924ab4c427cd
Merge: e07ccdd 87416c0
Author: Damien Stuart <dstuart@dstuart.org>
Date:   Sat Sep 10 11:30:09 2011 -0400

    Merge branch 'master' of https://github.com/mrash/fwknop

commit e07ccdd5508c488a818790c16728ebdc13be284c
Author: Damien Stuart <dstuart@dstuart.org>
Date:   Sat Sep 10 11:25:08 2011 -0400

    Added the cmd_opts.h file to server and client's  Makefile.am so they are included with make dist.

commit 87416c0cdf544ff636ea963bd90f1f22dd7ca49a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Fri Sep 9 22:09:37 2011 -0400

    Replaced all strcpy() calls with strlcpy()
    
    OpenBSD especially gives compiler warnings whenever strcpy() is used.  All such
    calls have been replaced with strlcpy().

commit 0b8c4890758bfd6612780c28041d7b1e3e9f1a15
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Sep 8 23:44:50 2011 -0400

    Added read-only relocations and immediate bindings
    
    Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations
    and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
    systems too).  This commit adds these security features back in as linker
    options by only changing LDFLAGS as opposed to also adding the corresponding
    flags to CFLAGS.  The end result is that the following errors are fixed:
    
    gcc: -z: linker input file unused because linking not done
    gcc: relro: linker input file unused because linking not done

commit c65e25c6568c53d44d0163ebd4889260466bcdfa
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Sep 8 21:33:52 2011 -0400

    Check for active_rules > 0 before decrementing
    
    In the fw_config struct the active_rules member is unsigned, so this change
    ensures that we don't try to decrement it below zero whenever a firewall rule
    is deleted or an error condition occurs.

commit 88b6d44f1f70daf951cf7e1d237114f96ad30a9a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Thu Sep 8 00:20:20 2011 -0400

    Update to make _exp_ string a #define
    
    Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
    that the prefix can easily be changed. so
    that the prefix can easily be changed. so
    that the prefix can easily be changed. so
    that the prefix can easily be changed.

commit 2531896ebf98d80380f462b4fae9e16940206a40
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Sep 7 23:24:18 2011 -0400

    Added the ability to delete PF rules
    
    This commit adds the ability to fwknopd to delete PF rules after the SPA timer
    expires.  The strategy implemented is similar to iptables and ipfw, except
    that all PF rules are added to an 'anchor', and deleting a specific expired
    rule is done by listing all rules in the anchor and reinstantiating it via
    'pfctl -a <anchor> -f -' with the expired rule deleted.  fwknopd uses the
    "_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
    interfaces with iptables (via the 'comment' match), and ipfw (via the
    "//<comment>" feature).

commit f9810904c36c270a5d19111ae7566c6d410bed4a
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Sep 3 21:00:12 2011 -0400

    minor comment typo fixes

commit d60dde17b71b898a821a60d9a1166c32436c17c2
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Sep 3 14:50:28 2011 -0400

    PF rules are now added to the fwknop anchor
    
    This commit implements the ability to add PF firewall rules to the fwknop
    anchor after a valid SPA packet is sniffed off the wire.  A subsequent commit
    will add the ability to delete these rules.

commit 6938f7a6aecb1395f750c56a4e10489d6d060fc9
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 28 13:37:23 2011 -0400

    Minor copyright holder update
    
    Minor copyright holder update

commit 10ff421e1ef86c1b437645764abe11819a88c292
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sun Aug 28 13:27:15 2011 -0400

    For PF firewalls implemented a check for an active fwknop anchor
    
    This commit ensures that for PF firewalls that the fwknop anchor is active and
    linked into the running PF policy.  This is accomplished by looking for the
    string 'anchor "fwknop"' in the output of "pfctl -s rules".  If the anchor
    exists, then fwknopd will be able to influence traffic via rules added and
    removed from the fwknop anchor.

commit 5bc5ef4305cafd26ee3faaf5eefb3f6b9f05441e
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Aug 27 11:07:19 2011 -0400

    Added --fw-list info to --help
    
    Added --fw-list output to usage info when --help is specified from the command
    line.

commit 0649ef924a8c979fd815c2d2e8416a16aeabeb62
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Sat Aug 27 10:57:17 2011 -0400

    PF support on OpenBSD in progress, fwknop --fw-list now works
    
    This is the first commit that has fwknopd interact with the PF firewall on
    OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).

commit dcf2d94bf675a906c570814d9cd65e2a1bfd2e77
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 24 23:55:36 2011 -0400

    Added autoconf check for pf firewalls
    
    On OpenBSD systems fwknop now checks for pf firewalls via autoconf.  The next
    step will be to fill in support for pf via the C code.

commit 649b7a88c1d6caa0e3760c7694b9d5b5b855dd4c
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Wed Aug 24 23:17:45 2011 -0400

    Disabled read-only relocations and immediate binding compiler protections
    
    Similarly to FreeBSD systems, gcc throws the following warnings with read-only
    relcations and immediate binding protections - disbabled for now:
    
    gcc: -z: linker input file unused because linking not done
    gcc: relro: linker input file unused because linking not done
    gcc: -z: linker input file unused because linking not done
    gcc: now: linker input file unused because linking not done

commit 47da588003b9bf1645a97823cfa940b8c5a93071
Author: Michael Rash <mbr@cipherdyne.org>
Date:   Mon Aug 22 21:39:28 2011 -0400

    removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files