Github user Scotte noticed that in his setup a 'VSS-Monitoring ethernet trailer'
was being added to incoming Ethernet frames that contained SPA packets. This
caused base64 decoding to break because the packet data length was calculated
from what libpcap returned for the frame (so these bytes became included in the
SPA payload itself). This issue was reported as #163 on github.
This commit has fwknopd calculate the SPA payload length using the length field
in the IP header so that any trailing bytes in the Ethernet frame are not
included. This solution also applies to the Ethernet Frame Check Sequence issue
(#126).
This is a significant commit that allows fwknopd to delete expired rules
from the firewall policy regardless of whether fwknopd is tracking them.
That is, a third party program could insert rules into the fwknopd
chains (iptables for now, but this will be extended to the other
firewalls) in order to take advantage of fwknopd rule deletion.
This commit fixes a bug where zero_cmd_buffers() was being called against the
wrong buffer as SPA rules were supposed to be deleted. Although multiple
iterations of check_firewall_rules() would have compensated, some rules would
not have been deleted as quickly as they should have in multi-rule scenarios.
This is a significant commit for issue #162 where fwknopd is not properly
detecting rules (particularly NAT rules) on systems running older versions
of iptables where -C support is not offered. A new capability of searching
the output of an external command and getting the first matching line was
added with the search_extcmd_getline() function.
Here is an example for the client-rc.sh wrapper script to have it also
generate code coverage results for afl-fuzz (afl-cov is enabled via two
environmental variables AFL_COV and CODE_DIR).
$ cd /tmp/afl-ramdisk/fwknop.git/test/afl/
$ AFL_COV=1 CODE_DIR=/home/mbr/git/fwknop.git ./fuzzing-wrappers/client-rc.sh
The typical work flow when generating gcov coverage results is:
- compile fwknop with coverage support
- run the test suite
- hack on fwknop
- re-run the test suite to see what coverage has been added
This work flow is much more common than collecting coverage results
for a complete test suite run. Therefore, this commit switches the
default behavior in --enable-complete mode (which enables coverage
support) to not zero-out coverage counters. A new argument
--enable-profile-coverage-init zeros the counters in preparation
for a global coverage run.
