By default, fwknopd will now exit if the interface that it is
sniffing goes down (patch contributed by Github user 'sgh7'). If this
happens, it is expected that the native process monitoring feature in
things like systemd or upstart will restart fwknopd. However, if fwknopd
is not being monitored by systemd, upstart, or anything else, this
behavior can be disabled with the EXIT_AT_INTF_DOWN variable in the
fwknopd.conf file. If disabled, fwknopd will try to recover when a
downed interface comes back up.
The RULES_CHECK_THRESHOLD variable defines the number of times firewall rule
expiration times must be checked before a "deep" check is run. This allows
fwknopd to remove rules that contain a proper '_exp_<time>' even if a third party
program added them instead of fwknopd. The default value for this variable is 20,
and this typically results in this check being run every two seconds or so. To
disable this type of checking altogether, set this variable to zero.
This is a significant commit to add the ability to leverage libfko fault
injections from both the fwknop client and server command lines via a
new option '--fault-injection-tag <tag name>'. This option is used by
the test suite with the tests/fault_injection.pl tests.
This commit adds a lot of test coverage support as guided by gcov +
lcov.
Also added the --no-ipt-check-support option to fwknopd (this is only
useful in practice on older Linux distros where 'iptables -C' is not
available, but it helps with test coverage).
- [server] When GnuPG is used, the default now is to require that
incoming SPA packets are signed by a key listed in GPG_REMOTE_ID for each
access.conf stanza. In other words, the usage of GPG_REQUIRE_SIG
is no longer necessary in order to authenticate SPA packets via the
GnuPG signature. Verification of GnuPG signatures can be disabled with a
new access.conf variable GPG_DISABLE_SIG, but this is NOT a
recommended configuration.
- [client+server] Add --gpg-exe command line argument and GPG_EXE
config variable to ~/.fwknoprc and the access.conf file so that the path
to GnuPG can be changed from the default /usr/bin/gpg path.
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
This commit implements a single shared utility function for checking the
validaty of an IPv4 address, and both libfko and the fwknopd server use it
now. The client will be updated as well.
