minor documentation updates

client/config_init.c

@@ -2619,6 +2619,8 @@ usage(void)
       "     --gpg-encryption        Use GPG encryption (default is Rijndael).\n"
       "     --gpg-recipient-key     Specify the recipient GPG key name or ID.\n"
       "     --gpg-signer-key        Specify the signer's GPG key name or ID.\n"
+      "     --gpg-no-signing-pw     Allow no signing password if none associated\n"
+      "                             with GPG key.\n"
       "     --gpg-home-dir          Specify the GPG home directory.\n"
       "     --gpg-agent             Use GPG agent if available.\n"
       "     --gpg-exe               Set path to GPG binary.\n"

doc/fwknopd.man.asciidoc

@@ -81,7 +81,8 @@ COMMAND-LINE OPTIONS
 
 *-D, --dump-config*::
     Dump the configuration values that *fwknopd* derives from the
-    '@sysconfdir@/fwknop/fwknopd.conf' (or override files) and '@sysconfdir@/fwknop/access.conf' on stderr.
+    '@sysconfdir@/fwknop/fwknopd.conf' (or override files) and
+    '@sysconfdir@/fwknop/access.conf' on stderr.
 
 *--dump-serv-err-codes*::
     Dump all possible *fwknopd* error codes to stdout and exit. This option is
@@ -358,6 +359,15 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
     ``EXIT_AT_INTF_DOWN'' variable. If disabled, fwknopd will try to recover
     when a downed interface comes back up.
 
+*ENABLE_RULE_PREPEND* '<Y/N>'::
+    For systems running iptables or firewalld, have *fwknopd* insert new SPA
+    rules at the beginning of the relevant chain (such as ``FWKNOP_INPUT'') instead
+    of appending them to the end of the chain. This causes newly created rules to
+    have precedence over older ones.
+
+*ENABLE_NAT_DNS* '<Y/N>'::
+    Allow fwknopd to resolve hostnames in NAT access messages.
+
 *GPG_HOME_DIR* '<path>'::
     If GPG keys are used instead of a Rijndael symmetric key, this is
     the default GPG keys directory. Note that each access stanza in
@@ -380,6 +390,11 @@ the '@sysconfdir@/fwknop/fwknopd.conf' file for additional details.
     over TCP/80 connections and a web server should be running on the same
     server as *fwknopd*.
 
+*ENABLE_X_FORWARDED_FOR* '<Y/N>'::
+    Allows *fwknopd* to use the X-Forwarded-for header from a captured SPA
+    packet over HTTP as the source IP. This can happen when using SPA through
+    an HTTP proxy.
+
 *ENABLE_TCP_SERVER* '<Y/N>'::
     Enable the fwknopd TCP server. This is a "dummy" TCP server that will
     accept TCP connection requests on the specified TCPSERV_PORT.

server/fwknopd.conf

@@ -140,21 +140,21 @@
 # Allow fwknopd to acquire SPA data from HTTP requests (generated with the
 # fwknop client in --HTTP mode).  Note that the PCAP_FILTER variable would
 # need to be updated when this is enabled to sniff traffic over TCP/80
-# connections
+# connections.
 #
 #ENABLE_SPA_OVER_HTTP        N;
 
-# Allow fwknopd to resolve hostnames in NAT access messages
+# Allow fwknopd to resolve hostnames in NAT access messages.
 #ENABLE_NAT_DNS              Y;
 
-# Allows using the X-Forwarded-for header from a captured packet as the
-# Source IP.
+# Allows the use of the X-Forwarded-for header from a captured packet as the
+# Source IP. This can happen when using SPA through an HTTP proxy.
 #
 #ENABLE_X_FORWARDED_FOR      N;
 
 # Instead of appending new firewall rules to the bottom of the chain, this
-# option inserts rules at the top of the chain.  This causes later rules
-# to have precedence over earlier rules.
+# option inserts rules at the top of the chain. This causes newly created
+# rules to have precedence over older ones.
 #
 #ENABLE_RULE_PREPEND         N;