This commit adds a new configuration variable "FORCE_NAT" to the access.conf
file:
For any valid SPA packet, force the requested connection to be NAT'd
through to the specified (usually internal) IP and port value. This is
useful if there are multiple internal systems running a service such as
SSHD, and you want to give transparent access to only one internal system
for each stanza in the access.conf file. This way, multiple external
users can each directly access only one internal system per SPA key.
This commit also implements a few minor code cleanups.
This commit does two major things:
1) Two new access.conf variables are added "ACCESS_EXPIRE" and
"ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without having
to modify the access.conf file and restart fwknopd.
2) Allow an access stanza that matches the SPA source address to not
automatically short circuit other stanzas if there is an error (such as when
there are multiple encryption keys involved and an incoming SPA packet is
meant for, say, the second stanza and the first therefore doesn't allow
proper decryption).
This commit makes it easier to determine exactly which commands fwknopd
runs in --verbose mode when interacting with the underlying firewall.
This commit also adds --verbose --verbose mode to the test suite.
Added the 'const' qualifier to function prototype variables where possible.
In addition, reduced some functions to file-scope with 'static' where possible.
Also made a few minor changes to remove extra whitespace, and fixed a bug
in create_fwknoprc() to ensure the new fwknoprc filehandle is closed.
Added new command line options --fw-list-all and --fw-flush to allow all
firewall rules to be displayed including those not created by fwknopd, and
allow all firewall rules created by fwknopd to be deleted.
Also switched -D config dump output to stdout.
In the fw_config struct the active_rules member is unsigned, so this change
ensures that we don't try to decrement it below zero whenever a firewall rule
is deleted or an error condition occurs.
Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed.
This commit fixes several compiler warnings like the following (now that -Wall
is the default):
config_init.h:68: warning: ‘cmd_opts’ defined but not used
Upon the receipt of a valid SPA packet, a check is done to make sure that
a jump rule from the appropriate built-in iptables chains exists to the
fwknop chains. Such rules could have been deleted by other manipulations
of the iptables policy, so it is important to ensure they exist. Running
in foreground (-f) mode, here is an illustration of the jump rule being
added after it got deleted:
SPA Packet from IP: 127.0.0.1 received.
Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
Added Rule to FWKNOP_INPUT for 127.0.0.1, tcp/22 expires at 1313680648
