3 years ago: Added --help usage information [fwknop-2.0.0] [fwknop-launcher]
Michael Rash [Mon, 26 Sep 2011 01:12:30 +0000]
Added --help usage information

With the --help command line argument, the following information is printed:

$ ./fwknop-launcher-lsof.pl --help

Usage: fwknop-launcher-lsof.pl [options]


    -c,  --config     <file>   - Path to fwknop-launcher.conf config file.
    -l,  --lsof-cmd   <path>   - Path to lsof command.
    -f,  --fwknop-cmd <path>   - Path to fwknop client command.
    -s,  --sleep   <seconds>   - Specify sleep interval (default:
                                 1 seconds)
    -n   --no-daemon           - Run in foreground mode.
    -u,  --user   <username>   - Specify username (usually this is not
         --home-dir <dir>      - Path to user's home directory (usually
                                 this is not needed).
    -v   --verbose             - Print verbose information to the terminal
                                 (requires --no-daemon).
         --help                - Print usage info and exit.

3 years ago: Merge branch 'master' into fwknop-launcher
Michael Rash [Mon, 26 Sep 2011 01:02:54 +0000]
Merge branch 'master' into fwknop-launcher

3 years ago: Added the fwknop lsof launcher under the extras/ directory
Michael Rash [Sun, 25 Sep 2011 02:24:30 +0000]
Added the fwknop lsof launcher under the extras/ directory

The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl) is a
lightweight daemon that allows the user to not have to manually run the fwknop
client when attempting to gain access to a service that is protected by Single
Packet Authorization via fwknopd.  This is accomplished by checking the output
of lsof to look for pending connections in the SYN_SENT state, which (usually)
indicate that a remote firewall is blocking the attempted connection.  At this
point, the launcher executes the fwknop client with the --get-key arg (so the
user must place the key in the local filesystem) to generate an SPA packet for
the attempted connection.  The remote fwknopd daemon will reconfigure the
firewall to allow temporary access, and this usually happens fast enough that
the original connection attempt will then succeed.

The idea for this was originally for a pcap-based connection watcher by
Sebastien Jeanquier.
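
The SYN_SENT-watching loop described in this commit, as an added Python illustration (it is not the project's fwknop-launcher-lsof.pl): it parses constructed `lsof -i -n -P` style output, collects the remote host/port of every TCP connection still in SYN_SENT, de-duplicates them so one SPA request per target is produced per sleep interval, and returns the client argv it would run. The client option shape (`-A proto/port -D host --get-key file`) and all helper names are assumptions.

```python
"""Build SPA client invocations for connections stuck in SYN_SENT.

Added example, not the project's own launcher. Nothing is executed
unless dry_run=False; the lsof sample below is constructed.
"""
import re
import subprocess
from typing import List, Tuple

# Matches the tail of lsof's NAME column for a pending TCP connect, e.g.
#   192.0.2.5:40000->198.51.100.5:22 (SYN_SENT)
#   [2001:db8::5]:42000->[2001:db8::9]:8443 (SYN_SENT)
SYN_SENT_RE = re.compile(r"->(\S+):(\d+)\s+\(SYN_SENT\)")

# Constructed sample of 'lsof -i -n -P' output (not captured from a real host).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     12345  bob    3u  IPv4  98765      0t0  TCP 192.0.2.5:40000->198.51.100.5:22 (SYN_SENT)
ssh     12345  bob    3u  IPv4  98765      0t0  TCP 192.0.2.5:40000->198.51.100.5:22 (SYN_SENT)
firefox  2222  bob   55u  IPv4  11111      0t0  TCP 192.0.2.5:51000->203.0.113.9:443 (ESTABLISHED)
curl     3333  bob    4u  IPv6  22222      0t0  TCP [2001:db8::5]:42000->[2001:db8::9]:8443 (SYN_SENT)
"""


def pending_targets(lsof_output: str) -> List[Tuple[str, int]]:
    """Return unique (remote_host, remote_port) pairs for TCP sockets in SYN_SENT."""
    targets: List[Tuple[str, int]] = []
    for line in lsof_output.splitlines():
        m = SYN_SENT_RE.search(line)
        if m is None:
            continue  # header line, ESTABLISHED socket, or anything else
        host = m.group(1).strip("[]")  # drop IPv6 brackets
        target = (host, int(m.group(2)))
        if target not in targets:  # lsof prints one line per fd; dedupe
            targets.append(target)
    return targets


def fwknop_argv(host: str, port: int, key_file: str,
                fwknop_cmd: str = "fwknop") -> List[str]:
    """argv for one SPA request: open tcp/<port> on <host>, key read from a local file.

    Assumed option shape; check the installed client's --help before relying on it.
    """
    return [fwknop_cmd, "-A", f"tcp/{port}", "-D", host, "--get-key", key_file]


def launch_for_pending(lsof_output: str, key_file: str,
                       dry_run: bool = True) -> List[List[str]]:
    """One launcher iteration: build (and, unless dry_run, run) a client call per target."""
    cmds = [fwknop_argv(h, p, key_file) for h, p in pending_targets(lsof_output)]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


if __name__ == "__main__":
    # A real daemon would run 'lsof -i -n -P' here once per --sleep interval.
    for cmd in launch_for_pending(SAMPLE_LSOF, "/home/bob/.fwknop.key"):
        print(" ".join(cmd))
```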

3 years ago: Merge pull request #5 from maxkas/master
Michael Rash [Thu, 22 Sep 2011 01:10:16 +0000]
Merge pull request #5 from maxkas/master

Fwknop client for iPhone devices - contributed by Max Kastanas

3 years ago: Codebase of Fwknop client for iOS (iPhone) devices
Max Kastanas [Sat, 17 Sep 2011 05:51:53 +0000]
Codebase of Fwknop client for iOS (iPhone) devices

3 years ago: minor typo fix: fwkop -> fwknop
Michael Rash [Tue, 13 Sep 2011 03:04:41 +0000]
minor typo fix: fwkop -> fwknop

3 years ago: Merge branch 'master' of https://github.com/mrash/fwknop
Damien Stuart [Sat, 10 Sep 2011 15:30:09 +0000]
Merge branch 'master' of https://github.com/mrash/fwknop

3 years ago: Added the cmd_opts.h file to server and client's Makefile.am so they are included...
Damien Stuart [Sat, 10 Sep 2011 15:25:08 +0000]
Added the cmd_opts.h file to server and client's  Makefile.am so they are included with make dist.

3 years ago: Replaced all strcpy() calls with strlcpy()
Michael Rash [Sat, 10 Sep 2011 02:09:37 +0000]
Replaced all strcpy() calls with strlcpy()

OpenBSD especially gives compiler warnings whenever strcpy() is used.  All such
calls have been replaced with strlcpy().

3 years ago: Added read-only relocations and immediate bindings
Michael Rash [Fri, 9 Sep 2011 03:44:50 +0000]
Added read-only relocations and immediate bindings

Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only relocations
and immediate bindings for FreeBSD systems (and the same was done for OpenBSD
systems too).  This commit adds these security features back in as linker
options by only changing LDFLAGS as opposed to also adding the corresponding
flags to CFLAGS.  The end result is that the following errors are fixed:

gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done

3 years ago: Check for active_rules > 0 before decrementing
Michael Rash [Fri, 9 Sep 2011 01:33:52 +0000]
Check for active_rules > 0 before decrementing

In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.

3 years ago: Update to make _exp_ string a #define [openbsd_pf_support]
Michael Rash [Thu, 8 Sep 2011 04:20:20 +0000]
Update to make _exp_ string a #define

Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed.

3 years ago: Added the ability to delete PF rules
Michael Rash [Thu, 8 Sep 2011 03:24:18 +0000]
Added the ability to delete PF rules

This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires.  The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted.  fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).

3 years ago: minor comment typo fixes
Michael Rash [Sun, 4 Sep 2011 01:00:12 +0000]
minor comment typo fixes

3 years ago: PF rules are now added to the fwknop anchor
Michael Rash [Sat, 3 Sep 2011 18:50:28 +0000]
PF rules are now added to the fwknop anchor

This commit implements the ability to add PF firewall rules to the fwknop
anchor after a valid SPA packet is sniffed off the wire.  A subsequent commit
will add the ability to delete these rules.

3 years ago: Minor copyright holder update
Michael Rash [Sun, 28 Aug 2011 17:37:23 +0000]
Minor copyright holder update

Minor copyright holder update

3 years ago: For PF firewalls implemented a check for an active fwknop anchor
Michael Rash [Sun, 28 Aug 2011 17:27:15 +0000]
For PF firewalls implemented a check for an active fwknop anchor

This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy.  This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules".  If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.
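
The two PF steps described in this commit and in the 'Added the ability to delete PF rules' commit above, as an added Python illustration that is not fwknopd's own code: confirm the anchor is linked into the running policy by looking for `anchor "fwknop"` in `pfctl -s rules` output, then list the anchor's rules, drop every rule whose label carries an `_exp_<epoch>` timestamp that has passed, and build the `pfctl -a fwknop -f -` reload input. The rule listings are constructed samples; the regex, helper names and `dry_run` flag are assumptions.

```python
"""Expired-rule pruning for fwknopd-style PF anchor rules (added example)."""
import re
import subprocess
from typing import List, Optional, Tuple

ANCHOR = "fwknop"
EXPIRE_COMMENT_PREFIX = "_exp_"  # same label prefix convention as the commit message
# Matches a PF rule label such as:  label "_exp_1313680648"
LABEL_RE = re.compile(r'label\s+"' + re.escape(EXPIRE_COMMENT_PREFIX) + r'(\d+)"')

# Constructed sample of 'pfctl -s rules' output for the main ruleset.
SAMPLE_MAIN_RULES = """\
block drop all
anchor "fwknop" all
pass out all
"""

# Constructed sample of the rules inside the fwknop anchor; the third rule
# carries no expiry label and must survive pruning untouched.
SAMPLE_ANCHOR_RULES = """\
pass in quick proto tcp from 192.0.2.10 to any port = 22 flags S/SA keep state label "_exp_1313680648"
pass in quick proto tcp from 192.0.2.11 to any port = 22 flags S/SA keep state label "_exp_1313680700"
pass in quick proto udp from 192.0.2.12 to any port = 62201 keep state label "static-rule"
"""


def anchor_is_active(pfctl_rules_output: str, anchor: str = ANCHOR) -> bool:
    """True if 'anchor "<name>"' appears as a rule in the main ruleset listing."""
    needle = f'anchor "{anchor}"'
    return any(needle in line for line in pfctl_rules_output.splitlines())


def rule_expire_time(rule: str) -> Optional[int]:
    """Epoch expiry encoded in the rule's label, or None if the rule has no such label."""
    m = LABEL_RE.search(rule)
    return int(m.group(1)) if m else None


def prune_expired(anchor_rules: str, now: int) -> Tuple[List[str], List[str]]:
    """Split the anchor's rules into (keep, expired) using the _exp_ label timestamps."""
    keep: List[str] = []
    expired: List[str] = []
    for line in anchor_rules.splitlines():
        line = line.strip()
        if not line:
            continue
        exp = rule_expire_time(line)
        if exp is not None and exp <= now:
            expired.append(line)
        else:
            keep.append(line)  # unlabeled rules are never fwknopd's to remove
    return keep, expired


def reload_anchor(keep: List[str], anchor: str = ANCHOR,
                  dry_run: bool = True) -> Tuple[List[str], str]:
    """Reinstantiate the anchor from the surviving rules via 'pfctl -a <anchor> -f -'.

    Returns the command and the text fed on stdin so the caller can log or test it.
    """
    cmd = ["pfctl", "-a", anchor, "-f", "-"]
    payload = "\n".join(keep) + "\n"
    if not dry_run:
        subprocess.run(cmd, input=payload, text=True, check=True)
    return cmd, payload


if __name__ == "__main__":
    if not anchor_is_active(SAMPLE_MAIN_RULES):
        raise SystemExit('anchor "fwknop" is not linked into the running PF policy')
    kept, gone = prune_expired(SAMPLE_ANCHOR_RULES, now=1313680650)
    print("expired:", *gone, sep="\n  ")
    print(reload_anchor(kept)[1])
```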

3 years ago: Added --fw-list info to --help
Michael Rash [Sat, 27 Aug 2011 15:07:19 +0000]
Added --fw-list info to --help

Added --fw-list output to usage info when --help is specified from the command

3 years ago: PF support on OpenBSD in progress, fwknop --fw-list now works
Michael Rash [Sat, 27 Aug 2011 14:57:17 +0000]
PF support on OpenBSD in progress, fwknop --fw-list now works

This is the first commit that has fwknopd interact with the PF firewall on
OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).

3 years ago: Added autoconf check for pf firewalls
Michael Rash [Thu, 25 Aug 2011 03:55:36 +0000]
Added autoconf check for pf firewalls

On OpenBSD systems fwknop now checks for pf firewalls via autoconf.  The next
step will be to fill in support for pf via the C code.

3 years ago: Disabled read-only relocations and immediate binding compiler protections
Michael Rash [Thu, 25 Aug 2011 03:17:45 +0000]
Disabled read-only relocations and immediate binding compiler protections

Similarly to FreeBSD systems, gcc throws the following warnings with read-only
relocations and immediate binding protections - disabled for now:

gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done

3 years ago: removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
Michael Rash [Tue, 23 Aug 2011 01:39:28 +0000]
removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files

3 years ago: bumped version to 2.0.0rc4 [fwknop-2.0.0rc4]
Michael Rash [Sun, 21 Aug 2011 18:06:41 +0000]
bumped version to 2.0.0rc4

3 years ago: Added version specific ChangeLog, ShortLog, and diffstat files.
Michael Rash [Sun, 21 Aug 2011 18:02:25 +0000]
Added version specific ChangeLog, ShortLog, and diffstat files.

Added version specific ChangeLog, ShortLog, and diffstat files (these go all
the way back to the beginning of the svn import since 2.0.0 will be the
first official non-"rc" release of the new C code).

3 years ago: Updated ChangeLog with all changes from 2.0.0-rc3
Michael Rash [Sun, 21 Aug 2011 18:00:16 +0000]
Updated ChangeLog with all changes from 2.0.0-rc3

Updated ChangeLog with all changes from 2.0.0-rc3

3 years ago: Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules
Michael Rash [Sun, 21 Aug 2011 17:50:16 +0000]
Bug fix for ipfw firewalls to not always require seeing 'Dynamic' rules

This commit fixes an issue on ipfw firewalls where fwknopd would always require
seeing ipfw 'Dynamic' rules associated with newly added connections.  But, such
connections may never be established for various reasons.  Previous to this
commit the following warning was frequently generated by fwknopd:

Unexpected error: did not find 'Dynamic rules' string in list output.

3 years ago: Bug fix for missing set existence check on ipfw firewalls
Michael Rash [Sun, 21 Aug 2011 17:28:16 +0000]
Bug fix for missing set existence check on ipfw firewalls

This commit fixes an issue on systems running the ipfw firewall where the
'set' where fwknopd puts new access rules was attempted to be deleted without
first checking to see whether it exists.  The following errors would be
generated (now fixed):

ipfw: rule 16777217: setsockopt(IP_FW_DEL): Invalid argument
Error 17664 from cmd:'/sbin/ipfw delete set 1':
Fatal: Errors detected during ipfw rules initialization.

3 years ago: Bug fix to create the digest.cache file at init
Michael Rash [Sun, 21 Aug 2011 02:34:24 +0000]
Bug fix to create the digest.cache file at init

Bug fix to ensure that the digest.cache file gets created at fwknopd init time
so fwknopd does not throw the following error:

Error opening digest cache file. Incoming digests will not be remembered.

3 years ago: On FreeBSD, made gpgme header path inclusion optional
Michael Rash [Sun, 21 Aug 2011 02:02:21 +0000]
On FreeBSD, made gpgme header path inclusion optional

If gpgme is installed on FreeBSD systems it appears that
-I/usr/local/include/gpgme must be added to the include path, but this change
only adds the path if gpgme is installed and going to be used.

3 years ago: Fixed a few minor compiler warnings on FreeBSD
Michael Rash [Sat, 20 Aug 2011 17:33:00 +0000]
Fixed a few minor compiler warnings on FreeBSD

This commit fixes a few warnings about possible uninitialized and unused

3 years ago: On FreeBSD disable read-only relocations and immediate binding protections
Michael Rash [Sat, 20 Aug 2011 17:19:33 +0000]
On FreeBSD disable read-only relocations and immediate binding protections

gcc on FreeBSD generates the following errors when the -Wl,-z,relro -Wl,-z,now
flags are used:

gcc: -z: linker input file unused because linking not done
gcc: relro: linker input file unused because linking not done
gcc: -z: linker input file unused because linking not done
gcc: now: linker input file unused because linking not done

3 years ago: Update to suppress additional compiler warning
Michael Rash [Sat, 20 Aug 2011 16:56:30 +0000]
Update to suppress additional compiler warning

This change fixes the following compiler warning that was seen with many of
the source files in server/

fwknopd_common.h:223: warning: ‘config_map’ defined but not used

3 years ago: Minor restructuring to suppress compiler "defined but not used warnings"
Michael Rash [Sat, 20 Aug 2011 16:34:57 +0000]
Minor restructuring to suppress compiler "defined but not used warnings"

This commit fixes several compiler warnings like the following (now that -Wall
is the default):

config_init.h:68: warning: ‘cmd_opts’ defined but not used

3 years ago: minor commit to fix minor compilation warnings
Michael Rash [Sat, 20 Aug 2011 02:00:16 +0000]
minor commit to fix minor compilation warnings

3 years ago: Added -Wall for all gcc warnings during compile
Michael Rash [Sat, 20 Aug 2011 01:14:24 +0000]
Added -Wall for all gcc warnings during compile

Enable gcc compilation to include -Wall for all warnings (can be disabled
with --disable-wall to ./configure).

3 years ago: Bug fix for ./configure args to disable compile time security options
Michael Rash [Sat, 20 Aug 2011 00:51:50 +0000]
Bug fix for ./configure args to disable compile time security options

The ./configure script would generate the following error for the attempted
use of the --without-stackprotector (and other related options like

configure: WARNING: unrecognized options: --without-stackprotect

3 years ago: added the VERSION file [fwknop-2.0.0-rc3]
Michael Rash [Fri, 19 Aug 2011 02:26:52 +0000]
added the VERSION file

3 years ago: Bumped version to fwknop-2.0.0-rc3
Michael Rash [Fri, 19 Aug 2011 02:25:12 +0000]
Bumped version to fwknop-2.0.0-rc3

Bumped version to fwknop-2.0.0-rc3

3 years ago: Added ChangeLog derived from git commit messages.
Michael Rash [Fri, 19 Aug 2011 01:13:58 +0000]
Added ChangeLog derived from git commit messages.

There will be branch and release specific ChangeLog files as well.

3 years ago: Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling
Michael Rash [Fri, 19 Aug 2011 01:10:09 +0000]
Renamed ChangeLog -> ChangeLog.old for new ChangeLog handling

The ChangeLog will be derived from commit messages.

3 years ago: Update to add any missing iptables jump rules
Michael Rash [Fri, 19 Aug 2011 00:37:31 +0000]
Update to add any missing iptables jump rules

Upon the receipt of a valid SPA packet, a check is done to make sure that
a jump rule from the appropriate built-in iptables chains exists to the
fwknop chains.  Such rules could have been deleted by other manipulations
of the iptables policy, so it is important to ensure they exist.  Running
in foreground (-f) mode, here is an illustration of the jump rule being
added after it got deleted:

SPA Packet from IP: received.
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Added Rule to FWKNOP_INPUT for, tcp/22 expires at 1313680648

3 years ago: Update to force base64 check for all SPA data
Michael Rash [Thu, 18 Aug 2011 01:24:03 +0000]
Update to force base64 check for all SPA data

Previous to this change a check was done for base64 characters in incoming
SPA data only up to MIN_SPA_DATA_SIZE.  This check may be reinstantiated for
SPA packets that are delivered over HTTP (and the packet data is embedded
within a URL that may also contain non-base64 chars), but in the meantime the
fwknopd daemon should not accept SPA packets over arbitrary ports with any
non-base64 chars.

3 years ago: Updated replay warnings to include proto/port info [optional_dbm_support]
Michael Rash [Thu, 18 Aug 2011 01:07:35 +0000]
Updated replay warnings to include proto/port info

Replay warnings now include port and protocol information.  Here is an example:

SPA Packet from IP: received.
Replay detected from source IP:
        Destination proto/port: 17/62201
            Original source IP:
       Original dst proto/port: 17/62201
                 Entry created: 08/17/11 21:06:07
                  First replay: 08/17/11 21:06:32
                   Last replay: 08/17/11 21:06:45
                  Replay count: 7

3 years ago: Added stack protection, PIE, fortify source, etc.
Michael Rash [Thu, 18 Aug 2011 00:36:28 +0000]
Added stack protection, PIE, fortify source, etc.

Added various security options that can be enabled at compile time.  These
options include everything that the "hardening-check" script written by Kees
Cook checks for.  After this change, the hardening-check script produces the
following output against the fwknopd binary:

$ hardening-check server/.libs/fwknopd
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes

One of the compile outputs (for example) that shows the new options is:

/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -fstack-protector-all -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -MT fko_decode.lo -MD -MP -MF .deps/fko_decode.Tpo -c -o fko_decode.lo fko_decode.c

From the hardening-check man page, here is a description of each of these

       hardening-check - check binaries for security hardening features

       Examine a given set of ELF binaries and check for several security
       hardening features, failing if they are not all found.

       This utility checks a given list of ELF binaries for several security
       hardening features that can be compiled into an executable.  These
       features are:

       Position Independent Executable
               This indicates that the executable was built in such a way
               (PIE) that the "text" section of the program can be relocated
               in memory.  To take full advantage of this feature, the
               executing kernel must support text Address Space Layout
               Randomization (ASLR).

       Stack Protected
               This indicates that the executable was compiled with the
               gcc(1) option -fstack-protector.  The program will be
               resistant to having its stack overflowed.

       Fortify Source functions
               This indicates that the executable was compiled with
               -D_FORTIFY_SOURCE=2 and -O2 or higher.  This causes certain
               unsafe glibc functions to be replaced with their safer
               counterparts (e.g. strncpy instead of strcpy).

       Read-only relocations
               This indicates that the executable was built with -Wl,-z,relro
               to have ELF markings (RELRO) that ask the runtime linker to
               mark any regions of the relocation table as "read-only" if
               they were resolved before execution begins.  This reduces the
               possible areas of memory in a program that can be used by an
               attacker that performs a successful memory corruption exploit.

       Immediate binding
               This indicates that the executable was built with -Wl,-z,now
               to have ELF markings (BIND_NOW) that ask the runtime linker to
               resolve all relocations before starting program execution.
               When combined with RELRO above, this further reduces the
               regions of memory available to memory corruption attacks.

3 years ago: Minor variable cleanup to fix compiler warnings
Michael Rash [Mon, 15 Aug 2011 02:46:09 +0000]
Minor variable cleanup to fix compiler warnings

Minor cleanup to fix compiler warnings about unused variables.

3 years ago: Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett
Michael Rash [Mon, 15 Aug 2011 01:55:29 +0000]
Added fwknop-2.0.0rc2 openwrt support from Jonathan Bennett

Applied a patch sent from Jonathan Bennett to add fwknop-2.0.0rc2 support to
openwrt.  One thing to note about this patch is that the +libgdbm library
dependency has been removed because fwknop now implements its own digest
tracking file without needing gdbm/ndbm on the system.

3 years ago: Implemented memory clean up for digest cache list
Michael Rash [Sun, 14 Aug 2011 23:42:50 +0000]
Implemented memory clean up for digest cache list

Upon fwknopd shutdown, a new function free_replay_list() is now called in order
to free heap allocated memory dedicated to SPA digest tracking.  Without this
fix, valgrind reports the following (some output snipped):

valgrind --leak-check=full ./server/.libs/fwknopd -f -i lo -P "udp port 62201"

==30864== 431 (48 direct, 383 indirect) bytes in 1 blocks are definitely lost in loss record 17 of 17
==30864==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
==30864==    by 0x407CB7: replay_check_file_cache (replay_cache.c:461)
==30864==    by 0x407B69: replay_check (replay_cache.c:413)
==30864==    by 0x405813: incoming_spa (incoming_spa.c:363)
==30864==    by 0x406275: pcap_capture (pcap_capture.c:223)
==30864==    by 0x40317D: main (fwknopd.c:297)

3 years ago: Consolidated replay warnings in a single function
Michael Rash [Sun, 14 Aug 2011 16:36:25 +0000]
Consolidated replay warnings in a single function

For both the simple digest file cache and the gdbm/ndbm tracking methods, all
replay warnings are generated by a single function "replay_warning()".

3 years ago: Added digest file import code
Michael Rash [Sun, 14 Aug 2011 02:35:52 +0000]
Added digest file import code

The digest file is now imported as a linked list of digest cache entries at
init time for SPA replay attack detection.

3 years ago: Added source port and protocol to digest tracking
Michael Rash [Sun, 14 Aug 2011 01:00:54 +0000]
Added source port and protocol to digest tracking

Added the source port and protocol fields to valid SPA packets in the digest
cache.  This can help to discover replay trends.  The format of the digest
file cache is now:

<digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
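
The digest-cache replay check, as an added Python illustration that is not fwknopd's code: it parses lines in the seven-field format given in this commit, keeps them in an in-memory table keyed by digest, flags a digest seen a second time as a replay, and renders the warning in the proto/port layout shown in the 'Updated replay warnings to include proto/port info' commit above. The cache lines are constructed samples; the record class, helper names and UTC timestamp rendering are assumptions.

```python
"""Replay detection against an fwknopd-style digest cache file (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample digest.cache content in the format
#   <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
# (digests are placeholders, not real SPA packet digests).
SAMPLE_CACHE = """\
# constructed sample, not from a real fwknopd
Zm9vYmFy0001 17 192.0.2.10 40000 198.51.100.5 62201 1313600000
Zm9vYmFy0002 17 192.0.2.11 40001 198.51.100.5 62201 1313600100
this line is malformed and must be skipped
"""


@dataclass
class DigestEntry:
    digest: str
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    created: int          # epoch seconds when the digest was first accepted
    first_replay: int = 0
    last_replay: int = 0
    replay_count: int = 0


def parse_digest_line(line: str) -> Optional[DigestEntry]:
    """Parse one cache line; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    digest, proto, src_ip, src_port, dst_ip, dst_port, ts = parts
    try:
        return DigestEntry(digest, int(proto), src_ip, int(src_port),
                           dst_ip, int(dst_port), int(ts))
    except ValueError:
        return None


def _ts(t: int) -> str:
    """Render an epoch time in the MM/DD/YY HH:MM:SS style of the replay warning (UTC)."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%m/%d/%y %H:%M:%S")


def format_replay_warning(seen: DigestEntry, src_ip: str, proto: int, dst_port: int) -> str:
    return "\n".join([
        f"Replay detected from source IP: {src_ip}",
        f"        Destination proto/port: {proto}/{dst_port}",
        f"            Original source IP: {seen.src_ip}",
        f"       Original dst proto/port: {seen.proto}/{seen.dst_port}",
        f"                 Entry created: {_ts(seen.created)}",
        f"                  First replay: {_ts(seen.first_replay)}",
        f"                   Last replay: {_ts(seen.last_replay)}",
        f"                  Replay count: {seen.replay_count}",
    ])


class DigestCache:
    """In-memory table of accepted SPA digests, loaded from cache file lines at init."""

    def __init__(self, lines: List[str]):
        self.entries: Dict[str, DigestEntry] = {}
        for line in lines:
            entry = parse_digest_line(line)
            if entry is not None:
                self.entries.setdefault(entry.digest, entry)

    def check(self, digest: str, proto: int, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int, now: int) -> Optional[str]:
        """Record a new digest and return None, or return a warning if it is a replay."""
        seen = self.entries.get(digest)
        if seen is None:
            self.entries[digest] = DigestEntry(digest, proto, src_ip, src_port,
                                               dst_ip, dst_port, now)
            return None
        if seen.replay_count == 0:
            seen.first_replay = now
        seen.last_replay = now
        seen.replay_count += 1
        return format_replay_warning(seen, src_ip, proto, dst_port)


def demo():
    cache = DigestCache(SAMPLE_CACHE.splitlines())
    fresh = cache.check("Zm9vYmFy0003", 17, "192.0.2.12", 40002, "198.51.100.5", 62201, 1313600200)
    replay = cache.check("Zm9vYmFy0001", 17, "203.0.113.7", 5555, "198.51.100.5", 62201, 1313600300)
    return fresh, replay, cache


if __name__ == "__main__":
    print(demo()[1])
```

The on-disk cache would also be appended to whenever `check()` accepts a new digest; that write path is omitted here.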

3 years ago: Added dst IP to tracked SPA data
Michael Rash [Sat, 13 Aug 2011 02:00:44 +0000]
Added dst IP to tracked SPA data

The digest cache now contains destination IP addresses of valid SPA packets.
The complete format is now:

<digest> <src_ip> <dst_ip> <creation time>

3 years ago: Started on code to parse the digest cache file
Michael Rash [Sat, 13 Aug 2011 01:43:07 +0000]
Started on code to parse the digest cache file

At init time fwknopd will read in the digest cache file into the in-memory
linked list of digests for SPA replay detection. This commit starts on this
code, but the file format does not yet include destination IP addresses
(to be added in an upcoming commit).

3 years ago: Implemented linked list cache of SPA digests
Michael Rash [Sat, 13 Aug 2011 00:16:00 +0000]
Implemented linked list cache of SPA digests

When not using gdbm/ndbm support (the default now), fwknopd implements a linked
list of SPA packet digests for replay attack detection along with writing
digest data in ascii text down to disk (in the CONF_DIGEST_FILE file).

3 years ago: Merge branch 'master' into optional_dbm_support
Michael Rash [Thu, 11 Aug 2011 02:41:18 +0000]
Merge branch 'master' into optional_dbm_support

3 years ago: Added --pcap-filter to the fwknopd command line
Michael Rash [Thu, 11 Aug 2011 02:38:01 +0000]
Added --pcap-filter to the fwknopd command line

To override the value of the PCAP_FILTER variable in the fwknopd.conf
config file, a new fwknopd command line argument "--pcap-filter" was
added.  This assists in various activities by making it trivial to
change how fwknopd acquires packet data without editing the fwknopd.conf
file.  Here is an example:

fwknopd -i lo -f --pcap-filter "udp port 12345"

3 years ago: Updated digest file path for gdbm/ndbm support
Michael Rash [Thu, 11 Aug 2011 02:07:25 +0000]
Updated digest file path for gdbm/ndbm support

If fwknopd is compiled with --disable-file-cache to the ./configure script
then it will assume that the default filename is "digest_db.cache" for the
digest cache.  If the file cache method is used (this is the default), then
"digest.cache" is the default filename.  A new variable DIGEST_DB_FILE in
the fwknopd.conf file controls the digest filename if gdbm/ndbm support is

3 years ago: Added autoconf support for non-dbm file cache.
Michael Rash [Thu, 11 Aug 2011 00:56:42 +0000]
Added autoconf support for non-dbm file cache.

This change starts on support for a simple file-based cache mechanism
for tracking SPA digests.  This removes the libgdbm/libndbm dependency
by default, but it can be re-enabled with the --disable-file-cache
argument to the ./configure script.

3 years ago: Minor rename in support of non-dbm file cache
Michael Rash [Tue, 9 Aug 2011 02:49:28 +0000]
Minor rename in support of non-dbm file cache

Added the optional_dbm_support branch and made a minor renaming change
on this branch for the coming non-dbm file cache support.

3 years ago: Bug fix for uninitialized variable found with splint static analyzer
Michael Rash [Tue, 9 Aug 2011 02:24:22 +0000]
Bug fix for uninitialized variable found with splint static analyzer

In the save_args() function the args_str_len variable was being used before
being initialized as reported via the splint static code analysis tool.  Here
is the splint output that found this bug:

client/fwknop.c:650:13: Variable args_str_len used before definition
  An rvalue is used that may not be initialized to a value on some execution
  path. (Use -usedef to inhibit warning)

3 years ago: Set FD_CLOEXEC on pid file descriptor.
Damien Stuart [Thu, 7 Jul 2011 12:12:49 +0000]
Set FD_CLOEXEC on pid file descriptor.
Added support for setting the URL for resolving source IP via command-line or the .fwknoprc file.

3 years ago: Removed legacy $Id$ tags from svn
Michael Rash [Sun, 19 Jun 2011 00:53:40 +0000]
Removed legacy $Id$ tags from svn

$Id$ tags don't really mean anything to git so they have been removed from all
source files.

4 years ago: Added a no-digest-cache configure option and capability (though it is not recommended).
Damien Stuart [Sun, 27 Mar 2011 02:38:41 +0000]
Added a no-digest-cache configure option and capability (though it is not recommended).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@313 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Fix check and handling of ndbm as an option for the digest cache.
Damien Stuart [Sat, 26 Mar 2011 16:33:02 +0000]
Fix check and handling of ndbm as an option for the digest cache.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@312 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added python/fko.py to Makefile.am so it is also included in distributions. Minor...
Damien Stuart [Sat, 12 Feb 2011 13:18:31 +0000]
Added python/fko.py to Makefile.am so it is also included in distributions.  Minor tweak to address compile error on Mac os X.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@311 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Minor update to the android README
Damien Stuart [Sun, 2 Jan 2011 03:32:46 +0000]
Minor update to the android README

git-svn-id: file:///home/mbr/svn/fwknop/trunk@310 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Adding Max Kastanas's fwknop client app code for Android
Damien Stuart [Sun, 2 Jan 2011 02:58:53 +0000]
Adding Max Kastanas's fwknop client app code for Android

git-svn-id: file:///home/mbr/svn/fwknop/trunk@309 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Removed unnecessary include.
Damien Stuart [Sat, 1 Jan 2011 21:00:24 +0000]
Removed unnecessary include.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@308 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Additional docs and classes added to the fko python module. Minor tweak and bumped...
Damien Stuart [Sun, 5 Dec 2010 15:44:01 +0000]
Additional docs and classes added to the fko python module.  Minor tweak and bumped version in the fwknop.spec file.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@307 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Fixed bug where libfko would segfault if fko_get_spa_data() was called before fko_spa...
Damien Stuart [Sun, 5 Dec 2010 14:57:01 +0000]
Fixed bug where libfko would segfault if fko_get_spa_data() was called before fko_spa_data_final() was called (and successful).  Added include of time.h in fko.h.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@306 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Do not need parens around expression in if statements in python (still learning).
Damien Stuart [Sat, 4 Dec 2010 21:57:34 +0000]
Do not need parens around expression in if statements in python (still learning).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@305 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added pydoc text to the fko python module. Minor tweak to setup.py.
Damien Stuart [Sat, 4 Dec 2010 04:12:17 +0000]
Added pydoc text to the fko python module. Minor tweak to setup.py.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@304 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added the Fko class code to wrap the _fko wrapper around libfko.
Damien Stuart [Sat, 27 Nov 2010 03:18:58 +0000]
Added the Fko class code to wrap the _fko wrapper around libfko.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@303 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Minor comment and documentation tweaks. Add the python directory which contains...
Damien Stuart [Fri, 26 Nov 2010 15:51:00 +0000]
Minor comment and documentation tweaks.  Add the python directory which contains my first cut at a libfko Python wrapper module.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@302 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added code to zero out rcfile path before setting it. Also added a bounds check...
Damien Stuart [Sun, 14 Nov 2010 00:16:32 +0000]
Added code to zero out rcfile path before setting it.  Also added a bounds check to that as well.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@301 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Updated the GPL blurb at the top of the source files. Added some missing copyright...
Damien Stuart [Sat, 13 Nov 2010 03:04:36 +0000]
Updated the GPL blurb at the top of the source files.  Added some missing copyright statements (Thanks to Franck Joncourt).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@300 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Updated perl module for additional error messages.
Damien Stuart [Wed, 10 Nov 2010 15:30:09 +0000]
Updated perl module for additional error messages.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@299 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.
Damien Stuart [Sun, 31 Oct 2010 01:45:28 +0000]
Bumped version to rc3 (even though we may go straight to release) and lib rev to 3.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@298 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Update added HAVE_ERRNO_H 1 to win32/config.h.
Damien Stuart [Sun, 31 Oct 2010 01:36:25 +0000]
Update added HAVE_ERRNO_H 1 to win32/config.h.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@297 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Needed to bump libfko revision to 2 to identify as part of newer dist.
Damien Stuart [Sat, 30 Oct 2010 16:19:54 +0000]
Needed to bump libfko revision to 2 to identify as part of newer dist.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@295 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Put the usleep back in pcap_capture (oops).
Damien Stuart [Sat, 23 Oct 2010 17:34:47 +0000]
Put the usleep back in pcap_capture (oops).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@293 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Tweaks to the fwknop.spec file
Damien Stuart [Thu, 21 Oct 2010 02:39:57 +0000]
Tweaks to the fwknop.spec file

git-svn-id: file:///home/mbr/svn/fwknop/trunk@291 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Set pcap non-block mode back on unless it is a freebsd system. Server verbose output...
Damien Stuart [Thu, 21 Oct 2010 01:53:04 +0000]
Set pcap non-block mode back on unless it is a freebsd system. Server verbose output no longer shows access key or GPG password.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@290 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Fixed handling of man page generation in Makefile.am so it works from alternate build...
Damien Stuart [Sun, 17 Oct 2010 02:52:21 +0000]
Fixed handling of man page generation in Makefile.am so it works from alternate build directories.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@289 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Minor fwknopd man page tweak.
Damien Stuart [Sun, 29 Aug 2010 02:06:13 +0000]
Minor fwknopd man page tweak.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@288 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Made autoconf print an error message indicating ipf is not supported if it is specifi...
Damien Stuart [Sun, 29 Aug 2010 01:50:58 +0000]
Made autoconf print an error message indicating ipf is not supported if it is specified.  Changelog updates.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@287 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Made fw_cleanup not remove rules from the expired rule set. Added code to read in...
Damien Stuart [Sun, 29 Aug 2010 01:32:04 +0000]
Made fw_cleanup not remove rules from the expired rule set.  Added code to read in any existing expired rules into the rule_map at startup.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@286 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Wrapped #ifdef around a Linux-specific chunk.
Damien Stuart [Fri, 27 Aug 2010 22:09:36 +0000]
Wrapped #ifdef around a Linux-specific chunk.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@285 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Missed a config file update on the last check-in.
Damien Stuart [Thu, 26 Aug 2010 22:56:47 +0000]
Missed a config file update on the last check-in.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@284 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added rule expire and purge for ipfw. Almost there...
Damien Stuart [Tue, 24 Aug 2010 03:09:35 +0000]
Added rule expire and purge for ipfw.  Almost there...

git-svn-id: file:///home/mbr/svn/fwknop/trunk@283 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Start of addition of access requests via ipfw.
Damien Stuart [Mon, 23 Aug 2010 02:43:43 +0000]
Start of addition of access requests via ipfw.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@282 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: minor off-by-one fix for home directory path separator
Michael Rash [Sat, 14 Aug 2010 01:26:42 +0000]
minor off-by-one fix for home directory path separator

git-svn-id: file:///home/mbr/svn/fwknop/trunk@281 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: minor bug fix to account for PATH_SEP being defined as a character instead of a string
Michael Rash [Thu, 12 Aug 2010 02:19:03 +0000]
minor bug fix to account for PATH_SEP being defined as a character instead of a string

git-svn-id: file:///home/mbr/svn/fwknop/trunk@280 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Refactored firewall rule code to separate files by firewall type. Stubbed in ipfw...
Damien Stuart [Tue, 10 Aug 2010 02:29:09 +0000]
Refactored firewall rule code to separate files by firewall type.  Stubbed in ipfw and ipf firewall types.  Updated autoconf to set a firewall type and path depending on configure arguments.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@279 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Uncommented call to check_firewall_rules (left in while debugging FreeBSD build).
Damien Stuart [Sun, 8 Aug 2010 19:01:36 +0000]
Uncommented call to check_firewall_rules (left in while debugging FreeBSD build).

git-svn-id: file:///home/mbr/svn/fwknop/trunk@278 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Oops, left out new header for last update.
Damien Stuart [Sun, 8 Aug 2010 18:56:53 +0000]
Oops, left out new header for last update.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@277 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Updates to accommodate building and compiling on FreeBSD systems.
Damien Stuart [Sun, 8 Aug 2010 18:53:35 +0000]
Updates to accommodate building and compiling on FreeBSD systems.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@276 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Tweaks to autoconf files.
Damien Stuart [Sun, 1 Aug 2010 02:13:03 +0000]
Tweaks to autoconf files.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@275 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Added some OpenWRT-related files to the extras directory.
Damien Stuart [Sat, 31 Jul 2010 19:11:22 +0000]
Added some OpenWRT-related files to the extras directory.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@274 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Fixed issue with spaces in access.conf comma-separated values. Fixed issue with...
Damien Stuart [Sat, 31 Jul 2010 18:04:08 +0000]
Fixed issue with spaces in access.conf comma-separated values.  Fixed issue with GPG signature check being forced when GPG_REMOTE_ID is set and GPG_REQUIRE_SIG was "N". Updated dependency in the spec file. Updates to ChangeLog.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@273 510a4753-2344-4c79-9c09-4d669213fbeb

4 years ago: Bug fix for USE_NDBM variable so that client-only builds work. The specific
Michael Rash [Thu, 29 Jul 2010 11:01:53 +0000]
Bug fix for USE_NDBM variable so that client-only builds work.  The specific
error before the patch along with the command line invocation of the
"configure" script appear below:

$ ./configure --prefix=/usr --disable-server
configure: error: conditional "USE_NDBM" was never defined.
Usually this means the macro was only invoked conditionally.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@272 510a4753-2344-4c79-9c09-4d669213fbeb