This is a significant commit to allow all ports and protocols to be
NAT'd in conjunction with FORWARD ACCEPT rules. This commit is in
support of 6b7a3bbdae295c29a15a59385e637bd391858bc2 to allow fwknopd to
function as an SPA gateway.
This is a significant commit that allows iptables firewalls to be used
as an "SPA gateway" for all ports/protocols upon providing a valid SPA
packet. Additional commits will be made to extend this capability, but
this commit adds two new access.conf keywords: FORWARD_ALL and
DISABLE_DNAT. These are used in conjunction to add ACCEPT rules for all
ports/protocols in the FORWARD chain, and also disable DNAT rules at the
same time. Then, by buildling the SNAT chain to provide translation for
an internal network (where an SPA cliet is located), but DROP all
forwarded traffic by default at the same time, SPA can be used to gain
access to the internet. So, this would allow, say, an RFC 1918 internal
network to have IP's assigned via DHCP but they wouldn't be able to
access the internet before sending a SPA packet to the gateway. This
scenario was suggested by spartan1833 to the fwknop list and tracked via
github issue 131.
Additional commits will be made to fully support this feature.
and fwknopd_utests binaries.
When profil coverage is enbaled, lcov filee are parsed by test-fwknop.pl and added
to the main profil coverage report in the output directory.
Running make from the main directory build the c-unit test suites if enabled.
When validating access.conf stanzas make sure that one of
GPG_REMOTE_ID or GPG_FINGERPRINT_ID is specified whenever GnuPG
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
Add a new GPG_FINGERPRINT_ID variable to the access.conf file
so that full GnuPG fingerprints can be required for incoming SPA packets
in addition to the appreviated GnuPG signatures listed in GPG_REMOTE_ID.
From the test suite, an example fingerprint is
GPG_FINGERPRINT_ID 00CC95F05BC146B6AC4038C9E36F443C6A3FAD56
This commit fixes the following leak found by valgrind:
==6241== 568 bytes in 1 blocks are still reachable in loss record 1 of 1
==6241== at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6241== by 0x551537A: __fopen_internal (iofopen.c:73)
==6241== by 0x118C8E: parse_access_file (access.c:1143)
==6241== by 0x10F134: main (fwknopd.c:250)
This commit adds a lot of test coverage support as guided by gcov +
lcov.
Also added the --no-ipt-check-support option to fwknopd (this is only
useful in practice on older Linux distros where 'iptables -C' is not
available, but it helps with test coverage).
- [server] When GnuPG is used, the default now is to require that
incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
is no longer necessary in order to authenticate SPA packets via the
GnuPG signature. Verification of GnuPG signatures can be disabled with a
new access.conf variable GPG_DISABLE_SIG, but this is NOT a
recommended configuration.
- [client+server] Add --gpg-exe command line argument and GPG_EXE
config variable to ~/.fwknoprc and the access.conf file so that the path
to GnuPG can be changed from the default /usr/bin/gpg path.
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
This commit implements a single shared utility function for checking the
validaty of an IPv4 address, and both libfko and the fwknopd server use it
now. The client will be updated as well.
