[server] added --pcap-any-direction along with config file support

From the config file comments:

This variable controls whether fwknopd is permitted to sniff SPA packets
regardless of whether they are received on the sniffing interface or sent
from the sniffing interface.  In the later case, this can be useful to have
fwknopd sniff SPA packets that are forwarded through a system and destined
for a different network.  If the sniffing interface is the egress interface
for such packets, then this variable will need to be set to "Y" in order for
fwknopd to see them.  The default is "N" so that fwknopd only looks for SPA
packets that are received on the sniffin

PCAP_ANY_DIRECTION         N;

server/cmd_opts.h

@@ -47,6 +47,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
     "PCAP_FILTER",
     "PCAP_DISPATCH_COUNT",
     "PCAP_LOOP_SLEEP",
+    "PCAP_ANY_DIRECTION",
     "MAX_SNIFF_BYTES",
     "ENABLE_SPA_PACKET_AGING",
     "MAX_SPA_PACKET_AGE",
@@ -117,6 +118,7 @@ enum {
     FW_FLUSH,
     GPG_HOME_DIR,
     PCAP_FILE,
+    PCAP_ANY_DIRECTION,
     ROTATE_DIGEST_CACHE,
     NOOP /* Just to be a marker for the end */
 };
@@ -147,6 +149,7 @@ static struct option cmd_opts[] =
     {"override-config",     1, NULL, 'O' },
     {"pcap-file",           1, NULL, PCAP_FILE },
     {"pcap-filter",         1, NULL, 'P'},
+    {"pcap-any-direction",  0, NULL, PCAP_ANY_DIRECTION },
     {"pid-file",            1, NULL, 'p'},
     {"restart",             0, NULL, 'R'},
     {"status",              0, NULL, 'S'},

server/config_init.c

@@ -836,6 +836,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
             case PCAP_FILE:
                 set_config_entry(opts, CONF_PCAP_FILE, optarg);
                 break;
+            case PCAP_ANY_DIRECTION:
+                opts->pcap_any_direction = 1;
+                break;
             case ROTATE_DIGEST_CACHE:
                 opts->rotate_digest_cache = 1;
                 break;

server/fwknopd.conf

@@ -128,6 +128,18 @@
 #
 #PCAP_FILE                   /some/path/to/file.pcap;
 
+# This variable controls whether fwknopd is permitted to sniff SPA packets
+# regardless of whether they are received on the sniffing interface or sent
+# from the sniffing interface.  In the later case, this can be useful to have
+# fwknopd sniff SPA packets that are forwarded through a system and destined
+# for a different network.  If the sniffing interface is the egress interface
+# for such packets, then this variable will need to be set to "Y" in order for
+# fwknopd to see them.  The default is "N" so that fwknopd only looks for SPA
+# packets that are received on the sniffing interface (note that this is
+# independent of promiscuous mode).
+#
+# PCAP_ANY_DIRECTION        N;
+
 ##############################################################################
 # NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
 #       This is a possible future feature of fwknopd.

server/fwknopd_common.h

@@ -87,6 +87,7 @@
 #define DEF_PCAP_FILTER                 "udp port 62201"
 #define DEF_PCAP_DISPATCH_COUNT         "0"
 #define DEF_PCAP_LOOP_SLEEP             "100000" /* a tenth of a second (in microseconds) */
+#define DEF_PCAP_ANY_DIRECTION          "N"
 #define DEF_ENABLE_SPA_PACKET_AGING     "Y"
 #define DEF_MAX_SPA_PACKET_AGE          "120"
 #define DEF_ENABLE_DIGEST_PERSISTENCE   "Y"
@@ -188,6 +189,7 @@ enum {
     CONF_PCAP_FILTER,
     CONF_PCAP_DISPATCH_COUNT,
     CONF_PCAP_LOOP_SLEEP,
+    CONF_PCAP_ANY_DIRECTION,
     CONF_MAX_SNIFF_BYTES,
     CONF_ENABLE_SPA_PACKET_AGING,
     CONF_MAX_SPA_PACKET_AGE,
@@ -454,6 +456,13 @@ typedef struct fko_srv_options
     unsigned char   test;               /* Test mode flag */
     unsigned char   verbose;            /* Verbose mode flag */
 
+    /* Flag for permitting SPA packets regardless of directionality test
+     * w.r.t. the sniffing interface.  This can sometimes be useful for SPA
+     * packets that are sent _through_ a system and fwknopd is sniffing on
+     * the outbound interface as far as these packets are concerned.
+    */
+    unsigned char   pcap_any_direction;
+
     int             data_link_offset;
     int             tcp_server_pid;
     int             lock_fd;

server/pcap_capture.c

@@ -174,7 +174,8 @@ pcap_capture(fko_srv_options_t *opts)
 
     /* We are only interested on seeing packets coming into the interface.
     */
-    if (set_direction && (pcap_file_mode == 0)
+    if ((opts->pcap_any_direction == 0)
+            && (set_direction == 1) && (pcap_file_mode == 0)
             && (pcap_setdirection(pcap, PCAP_D_IN) < 0))
         if(opts->verbose)
             log_msg(LOG_WARNING, "[*] Warning: pcap error on setdirection: %s.",

test/test-fwknop.pl

@@ -1368,7 +1368,8 @@ sub iptables_no_flush_init_exit() {
     my $rv = 1;
 
     &run_cmd("LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd " .
-        "--fw-flush --verbose --verbose", $cmd_out_tmp, $curr_test_file);
+        "$default_server_conf_args --fw-flush --verbose --verbose",
+        $cmd_out_tmp, $curr_test_file);
 
     if ($test_hr->{'insert_rule_before_exec'}) {
         ### first create the fwknop chains and add a rule, then check for
@@ -1382,7 +1383,8 @@ sub iptables_no_flush_init_exit() {
 
     if ($test_hr->{'search_for_rule_after_exit'}) {
         &run_cmd("LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd " .
-            "--fw-list --verbose --verbose", $cmd_out_tmp, $curr_test_file);
+            "$default_server_conf_args --fw-list --verbose --verbose",
+            $cmd_out_tmp, $curr_test_file);
         $rv = 0 unless &file_find_regex([qr/ACCEPT.*$fake_ip\s.*dpt\:1234/],
             $MATCH_ALL, $APPEND_RESULTS, $curr_test_file);
     }
@@ -5689,7 +5691,8 @@ sub file_find_regex() {
         return 0 if $tries == 5;
     }
 
-    open F, "< $file" or (print Dumper $re_ar and die "[*] Could not open $file: $!");
+    open F, "< $file" or
+        (&write_test_file("[-] Could not open $file: $!\n", $file) and return 0);
     while (<F>) {
         push @file_lines, $_;
     }