From 8f423e8b89915b0b1c6ae37b9d505d37f2c18315 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Mon, 6 May 2013 22:23:59 -0400
Subject: [PATCH] [server] added --pcap-any-direction along with config file support
From the config file comments: This variable controls whether fwknopd is permitted to sniff SPA packets regardless of whether they are received on the sniffing interface or sent from the sniffing interface. In the later case, this can be useful to have fwknopd sniff SPA packets that are forwarded through a system and destined for a different network. If the sniffing interface is the egress interface for such packets, then this variable will need to be set to "Y" in order for fwknopd to see them. The default is "N" so that fwknopd only looks for SPA packets that are received on the sniffin PCAP_ANY_DIRECTION N;
---
 server/cmd_opts.h | 3 +++
 server/config_init.c | 3 +++
 server/fwknopd.conf | 12 ++++++++++++
 server/fwknopd_common.h | 9 +++++++++
 server/pcap_capture.c | 3 ++-
 test/test-fwknop.pl | 9 ++++++---
 6 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/server/cmd_opts.h b/server/cmd_opts.h
index e806d7da..37920d00 100644
--- a/server/cmd_opts.h
+++ b/server/cmd_opts.h
@@ -47,6 +47,7 @@ static char *config_map[NUMBER_OF_CONFIG_ENTRIES] = {
 "PCAP_FILTER",
 "PCAP_DISPATCH_COUNT",
 "PCAP_LOOP_SLEEP",
+ "PCAP_ANY_DIRECTION",
 "MAX_SNIFF_BYTES",
 "ENABLE_SPA_PACKET_AGING",
 "MAX_SPA_PACKET_AGE",
@@ -117,6 +118,7 @@ enum {
 FW_FLUSH,
 GPG_HOME_DIR,
 PCAP_FILE,
+ PCAP_ANY_DIRECTION,
 ROTATE_DIGEST_CACHE,
 NOOP /* Just to be a marker for the end */
 };
@@ -147,6 +149,7 @@ static struct option cmd_opts[] =
 {"override-config", 1, NULL, 'O' },
 {"pcap-file", 1, NULL, PCAP_FILE },
 {"pcap-filter", 1, NULL, 'P'},
+ {"pcap-any-direction", 0, NULL, PCAP_ANY_DIRECTION },
 {"pid-file", 1, NULL, 'p'},
 {"restart", 0, NULL, 'R'},
 {"status", 0, NULL, 'S'},
diff --git a/server/config_init.c b/server/config_init.c
index 202df8b1..b51e85ec 100644
--- a/server/config_init.c
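Review bot: The new `{"pcap-any-direction", 0, NULL, PCAP_ANY_DIRECTION }` entry in cmd_opts[] has no matching help text anywhere in this diff (config_init.c gains only the switch case), so unless the server's usage output already lists it, an operator has no way to discover the option from the daemon itself; add a usage line for `--pcap-any-direction` describing that it disables the inbound-only pcap direction filter. The "PCAP_ANY_DIRECTION" string inserted into config_map[] after "PCAP_LOOP_SLEEP" must stay at the same index as the CONF_PCAP_ANY_DIRECTION constant inserted at the same relative position in fwknopd_common.h; a comment above config_map[] such as `/* Order must match the CONF_* enum in fwknopd_common.h */` would make the next insertion safer. has_arg of 0 is consistent with the boolean flag the option sets.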
+++ b/server/config_init.c
@@ -836,6 +836,9 @@ config_init(fko_srv_options_t *opts, int argc, char **argv)
 case PCAP_FILE:
 set_config_entry(opts, CONF_PCAP_FILE, optarg);
 break;
+ case PCAP_ANY_DIRECTION:
+ opts->pcap_any_direction = 1;
+ break;
 case ROTATE_DIGEST_CACHE:
 opts->rotate_digest_cache = 1;
 break;
diff --git a/server/fwknopd.conf b/server/fwknopd.conf
index c23c5a5b..ec247b1c 100644
--- a/server/fwknopd.conf
+++ b/server/fwknopd.conf
@@ -128,6 +128,18 @@
 #
 #PCAP_FILE /some/path/to/file.pcap;
 
+# This variable controls whether fwknopd is permitted to sniff SPA packets
+# regardless of whether they are received on the sniffing interface or sent
+# from the sniffing interface. In the later case, this can be useful to have
+# fwknopd sniff SPA packets that are forwarded through a system and destined
+# for a different network. If the sniffing interface is the egress interface
+# for such packets, then this variable will need to be set to "Y" in order for
+# fwknopd to see them. The default is "N" so that fwknopd only looks for SPA
+# packets that are received on the sniffing interface (note that this is
+# independent of promiscuous mode).
+#
+# PCAP_ANY_DIRECTION N;
+
 ##############################################################################
 # NOTE: The following EXTERNAL_CMD functionality is not yet implemented.
 # This is a possible future feature of fwknopd.
diff --git a/server/fwknopd_common.h b/server/fwknopd_common.h
index 71022371..2f6a10ad 100644
--- a/server/fwknopd_common.h
+++ b/server/fwknopd_common.h
@@ -87,6 +87,7 @@
 #define DEF_PCAP_FILTER "udp port 62201"
 #define DEF_PCAP_DISPATCH_COUNT "0"
 #define DEF_PCAP_LOOP_SLEEP "100000" /* a tenth of a second (in microseconds) */
+#define DEF_PCAP_ANY_DIRECTION "N"
 #define DEF_ENABLE_SPA_PACKET_AGING "Y"
 #define DEF_MAX_SPA_PACKET_AGE "120"
 #define DEF_ENABLE_DIGEST_PERSISTENCE "Y"
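Review bot: `opts->pcap_any_direction = 1` is set only by the command-line case added in this hunk; nothing in the diff reads the CONF_PCAP_ANY_DIRECTION config entry (default "N" from fwknopd_common.h) back into that flag, yet the fwknopd.conf text in this same commit presents `PCAP_ANY_DIRECTION Y;` as the way to enable the behaviour. Unless validate_options() already performs that mapping outside this hunk, a conf-file setting is silently ignored and the inbound-only filter stays on — the safe failure, but one that contradicts the documentation and will cost an operator debugging time. After the config file has been loaded add `if(strncasecmp(opts->config[CONF_PCAP_ANY_DIRECTION], "Y", 1) == 0)` / `opts->pcap_any_direction = 1;`, and consider having this switch case also call set_config_entry() for CONF_PCAP_ANY_DIRECTION so the config table and the flag cannot disagree. config_init's body starts and ends outside the hunk.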
@@ -188,6 +189,7 @@ enum {
 CONF_PCAP_FILTER,
 CONF_PCAP_DISPATCH_COUNT,
 CONF_PCAP_LOOP_SLEEP,
+ CONF_PCAP_ANY_DIRECTION,
 CONF_MAX_SNIFF_BYTES,
 CONF_ENABLE_SPA_PACKET_AGING,
 CONF_MAX_SPA_PACKET_AGE,
@@ -454,6 +456,13 @@ typedef struct fko_srv_options
 unsigned char test; /* Test mode flag */
 unsigned char verbose; /* Verbose mode flag */
 
+ /* Flag for permitting SPA packets regardless of directionality test
+ * w.r.t. the sniffing interface. This can sometimes be useful for SPA
+ * packets that are sent _through_ a system and fwknopd is sniffing on
+ * the outbound interface as far as these packets are concerned.
+ */
+ unsigned char pcap_any_direction;
+
 int data_link_offset;
 int tcp_server_pid;
 int lock_fd;
diff --git a/server/pcap_capture.c b/server/pcap_capture.c
index d5d1af73..159b48f5 100644
--- a/server/pcap_capture.c
+++ b/server/pcap_capture.c
@@ -174,7 +174,8 @@ pcap_capture(fko_srv_options_t *opts)
 
 /* We are only interested on seeing packets coming into the interface.
 */
- if (set_direction && (pcap_file_mode == 0)
+ if ((opts->pcap_any_direction == 0)
+ && (set_direction == 1) && (pcap_file_mode == 0)
 && (pcap_setdirection(pcap, PCAP_D_IN) < 0))
 if(opts->verbose)
 log_msg(LOG_WARNING, "[*] Warning: pcap error on setdirection: %s.",
diff --git a/test/test-fwknop.pl b/test/test-fwknop.pl
index e08cbb51..364aa183 100755
--- a/test/test-fwknop.pl
+++ b/test/test-fwknop.pl
@@ -1368,7 +1368,8 @@ sub iptables_no_flush_init_exit() {
 my $rv = 1;
 
 &run_cmd("LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd " .
- "--fw-flush --verbose --verbose", $cmd_out_tmp, $curr_test_file);
+ "$default_server_conf_args --fw-flush --verbose --verbose",
+ $cmd_out_tmp, $curr_test_file);
 
 if ($test_hr->{'insert_rule_before_exec'}) {
 ### first create the fwknop chains and add a rule, then check for
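Review bot: The rewritten condition in pcap_capture() still controls an unbraced nested `if(opts->verbose)`, so any `else` added to the outer `if` later — for example to log that the directionality check was bypassed — would bind to the inner `if` (dangling else); brace the outer body now that the condition spans three lines. Related: when `opts->pcap_any_direction` is set the daemon starts considering packets in both directions with no log line saying so, and when pcap_setdirection() fails the warning is emitted only under --verbose, so in neither case can an operator tell from the log that outbound packets are being examined; a `log_msg(LOG_INFO, ...)` on the bypass path and an unconditional warning on the failure path would make the sniffing mode auditable. The comment above the condition still says "only interested on seeing packets coming into the interface", which is no longer true when the flag is set; amend it to mention the flag. pcap_capture's body, and the log_msg() call itself, continue outside the hunk.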
@@ -1382,7 +1383,8 @@ sub iptables_no_flush_init_exit() {
 
 if ($test_hr->{'search_for_rule_after_exit'}) {
 &run_cmd("LD_LIBRARY_PATH=$lib_dir $valgrind_str $fwknopdCmd " .
- "--fw-list --verbose --verbose", $cmd_out_tmp, $curr_test_file);
+ "$default_server_conf_args --fw-list --verbose --verbose",
+ $cmd_out_tmp, $curr_test_file);
 $rv = 0 unless &file_find_regex([qr/ACCEPT.*$fake_ip\s.*dpt\:1234/],
 $MATCH_ALL, $APPEND_RESULTS, $curr_test_file);
 }
@@ -5689,7 +5691,8 @@ sub file_find_regex() {
 return 0 if $tries == 5;
 }
 
- open F, "< $file" or (print Dumper $re_ar and die "[*] Could not open $file: $!");
+ open F, "< $file" or
+ (&write_test_file("[-] Could not open $file: $!\n", $file) and return 0);
 while () {
 push @file_lines, $_;
 }
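Review bot: In file_find_regex(), the new `or (&write_test_file(...) and return 0)` returns early only if write_test_file() yields a true value; its return value is not visible here, and if it is ever false or undef the sub falls through to the following `while` loop reading from a handle that never opened and silently reports no match. Make the early return unconditional: `open F, "< $file" or do {` / `&write_test_file("[-] Could not open $file: $!\n", $file); return 0;` / `};`. The removed line died at this point, so a caller that relied on the test run aborting on an unopenable results file now gets a 0 result instead; that looks intentional but deserves a sentence in the commit message. file_find_regex's body starts and ends outside the hunk.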