-* fwknop tasks
- This is the main todo org mode file for the fwknop project
-** COMPLETED
- This bucket is for completed tasks.
-*** [client] Update to not send SPA packet if Ctrl-C is used
- :CLOSED: <2012-11-08 Thu>
- The client currently sends an SPA packet when an encryption key is
- requested but the user tries to exit out with Ctrl-C.
- - Completed by Franck Joncourt.
-*** [server] Add the ability to process pcap files offline
- :CLOSED: <2012-11-08 Thu>
- Leverage pcap_open_offline() to process pcap files from disk instead of
- sniffing the network live.
- - Added a new '--pcap-file <file>' option for this purpose.
-*** Add --disable-gpg arg to the autoconf configure script
- :CLOSED: <2012-10-31 Wed>
- There needs to be a way to easily disable libgpgme usage even if it is
- installed - this could be done with a new --disable-gpg argument to the
- configure script.
- - Added --disable-gpg to the autoconf configure script (via configure.ac)
-*** [client] Add --icmp-type and --icmp-code args
- :CLOSED: <2012-10-11 Thu>
- For SPA packets sent over ICMP via raw socket, allow the user to specify
- the ICMP type and code.
-*** [server] For Ubuntu systems, have fwknopd managed by upstart
- :CLOSED: <2012-09-27 Thu>
- fwknopd can benefit from upstart management and monitoring on Ubuntu
- systems.
- - Added the extras/upstart/fwknop.conf file so that standard upstart
- commands like "service fwknop start" can be issued.
-*** [server] ipfw active/expire sets cannot be the same
- :CLOSED: <2012-08-16 Thu>
- Add a check to ensure that active and expire sets are not the same value in
- fwknopd.conf, and add a corresponding test in the test suite.
-*** Release fwknop-2.0.2
- :CLOSED: <2012-08-18 Sat>
- Make the fwknop-2.0.2 release.
-*** Release fwknop-2.0.3
- :CLOSED: <2012-09-03 Mon>
- Make the fwknop-2.0.3 release.
-*** Update fwknopd man page for GPG_ALLOW_NO_PW
- :CLOSED: <2012-08-14 Tue>
-*** Preserve existing configs under 'make install'
- :CLOSED: <2012-08-13 Mon>
- - The current 'make install' behavior overwrites any existing fwknopd config
- files from a previous installation.
- - Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the
- fwknopd.conf file already exists, and similarly for the access.conf
- file.
-*** fwknopd iptables comment match detection
- :CLOSED: <2012-08-12 Sun>
- Hank Leininger suggested that fwknopd do better detection for the iptables
- comment match since it is required for the expiration of SPA rules.
-*** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
- :CLOSED: <2012-08-12 Sun>
- Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
-*** [server] access.c parsing: allow no KEY variable if GPG keys are used.
- :CLOSED: <2012-10-02 Tue>
- The access.c parsing code currently throws an error if there is not KEY
- variable in an access stanza even if GPG_ALLOW_NO_PW is set.
-** [server] Add PF NAT support for OpenBSD systems
- fwknopd already supports various NAT modes on iptables, but it should be
- extended to support NAT on PF firewalls.
+* COMPLETED
+ This bucket is for completed tasks.
** Fix MIPS compilation error
+ :CLOSED: <2012-11-09 Fri>
Franck Joncourt reported the following bug compiling fwknop MIPS via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689064
- libtool: link: gcc -g -O2 -Wformat -Werror=format-security -Wall -g -O2
- -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wall -fstack-protector-all
- -fstack-protector -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z -Wl,relro -Wl,-z
- -Wl,now -o .libs/fwknop fwknop-fwknop.o fwknop-config_init.o
- fwknop-spa_comm.o fwknop-utils.o fwknop-http_resolve_host.o
+ libtool: link: gcc -g -O2 -Wformat -Werror=format-security -Wall -g -O2
+ -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wall -fstack-protector-all
+ -fstack-protector -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z -Wl,relro -Wl,-z
+ -Wl,now -o .libs/fwknop fwknop-fwknop.o fwknop-config_init.o
+ fwknop-spa_comm.o fwknop-utils.o fwknop-http_resolve_host.o
fwknop-getpasswd.o ../lib/.libs/libfko.so
- /usr/bin/ld: fwknop-fwknop.o: relocation R_MIPS_26 against `getenv' can not
+ /usr/bin/ld: fwknop-fwknop.o: relocation R_MIPS_26 against `getenv' can not
be used when making a shared object; recompile with -fPIC
fwknop-fwknop.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
Update: the problem appears to be caused by manually specifying the CFLAGS
variable while not also specifying the LDFLAGS variable.
+ :<2012-11-09 Fri> This issue has been fixed through the Debian build
+ process, and Franck has indicated that no changes are required within
+ fwknop.
+
+** [client] Update to not send SPA packet if Ctrl-C is used
+ :CLOSED: <2012-11-08 Thu>
+ The client currently sends an SPA packet when an encryption key is
+ requested but the user tries to exit out with Ctrl-C.
+ - Completed by Franck Joncourt.
+** [server] Add the ability to process pcap files offline
+ :CLOSED: <2012-11-08 Thu>
+ Leverage pcap_open_offline() to process pcap files from disk instead of
+ sniffing the network live.
+ - Added a new '--pcap-file <file>' option for this purpose.
+** Add --disable-gpg arg to the autoconf configure script
+ :CLOSED: <2012-10-31 Wed>
+ There needs to be a way to easily disable libgpgme usage even if it is
+ installed - this could be done with a new --disable-gpg argument to the
+ configure script.
+ - Added --disable-gpg to the autoconf configure script (via configure.ac)
+** [client] Add --icmp-type and --icmp-code args
+ :CLOSED: <2012-10-11 Thu>
+ For SPA packets sent over ICMP via raw socket, allow the user to specify
+ the ICMP type and code.
+** [server] For Ubuntu systems, have fwknopd managed by upstart
+ :CLOSED: <2012-09-27 Thu>
+ fwknopd can benefit from upstart management and monitoring on Ubuntu
+ systems.
+ - Added the extras/upstart/fwknop.conf file so that standard upstart
+ commands like "service fwknop start" can be issued.
+** [server] ipfw active/expire sets cannot be the same
+ :CLOSED: <2012-08-16 Thu>
+ Add a check to ensure that active and expire sets are not the same value in
+ fwknopd.conf, and add a corresponding test in the test suite.
+** Release fwknop-2.0.2
+ :CLOSED: <2012-08-18 Sat>
+ Make the fwknop-2.0.2 release.
+** Release fwknop-2.0.3
+ :CLOSED: <2012-09-03 Mon>
+ Make the fwknop-2.0.3 release.
+** Update fwknopd man page for GPG_ALLOW_NO_PW
+ :CLOSED: <2012-08-14 Tue>
+** Preserve existing configs under 'make install'
+ :CLOSED: <2012-08-13 Mon>
+ - The current 'make install' behavior overwrites any existing fwknopd config
+ files from a previous installation.
+ - Updated to install fwknopd.conf -> /etc/fwknop/fwknopd.conf.inst if the
+ fwknopd.conf file already exists, and similarly for the access.conf
+ file.
+** fwknopd iptables comment match detection
+ :CLOSED: <2012-08-12 Sun>
+ Hank Leininger suggested that fwknopd do better detection for the iptables
+ comment match since it is required for the expiration of SPA rules.
+** Set restrictive permissions on /etc/fwknop/ directory and /etc/fwknop/* files
+ :CLOSED: <2012-08-12 Sun>
+ Current default permissions on /etc/fwknop/ and /etc/fwknop/* are too lax.
+** [server] access.c parsing: allow no KEY variable if GPG keys are used.
+ :CLOSED: <2012-10-02 Tue>
+ The access.c parsing code currently throws an error if there is not KEY
+ variable in an access stanza even if GPG_ALLOW_NO_PW is set.
+* TODO
+ This bucket is for new tasks.
+** [server] Add PF NAT support for OpenBSD systems
+ fwknopd already supports various NAT modes on iptables, but it should be
+ extended to support NAT on PF firewalls.
** [server] Add access variable to require particular IP's even when REQUIRE_SOURCE is used
The SOURCE variable only applies to the IP header. Add analogous filtering
for the allow IP that is encrypted within an SPA payload.
** [test suite] client/server only tests
When only the client or server is being installed on a system, the test
suite should be able to run only the relevant tests.
-
** Implement SPA over IPv6
It is important to eventually fully support SPA over IPv6.
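Review bot: In the "Fix MIPS compilation error" entry, the added status line begins with a bare `:<2012-11-09 Fri>`, which matches neither the `:CLOSED: <date>` form used by the other entries nor the plain "Update:" prefix two lines above it. Something like "Update <2012-11-09 Fri>: This issue has been fixed through the Debian build process ..." would keep the note consistent with the rest of the entry. In the same entry, the libtool and ld output lines are removed and re-added with no visible text change, which looks like a whitespace-only edit. Leave them byte-identical or put the re-indent in a separate commit, so the move of the COMPLETED bucket to the top level is easier to verify. Blank-line handling is also inconsistent in the visible lines: one is added after the MIPS entry while the one before "Implement SPA over IPv6" is removed. Pick one convention for separating entries.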