execvp() is (usually) equivalent to execvpe(), without enforcing any
change to the environment. However, unlike execvp(), execvpe() is not
standardized by POSIX, and may therefore not be available nor detected
when configuring the project (like on NetBSD).
No place could be found in fwknop to be using execvpe() and changing the
environment. Therefore it seems only logical (and safer) to use execvp()
instead.
This also updates the tests to reflect this change.
With this commit PF rules are added correctly regardless of whether ALTQ support
is available or not. Thanks to Barry Allard for discovering and reporting this
issue. Closes issue #121 on github.
This commit updates all authorship and copyright information to include a
standard header that references the AUTHORS and CREDITS file. This standard
header was written by the Debian legal team at the request of Franck Joncourt.
Replaced all instances of "_exp_" with the #define EXPIRE_COMMENT_PREFIX so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed. so
that the prefix can easily be changed.
This commit adds the ability to fwknopd to delete PF rules after the SPA timer
expires. The strategy implemented is similar to iptables and ipfw, except
that all PF rules are added to an 'anchor', and deleting a specific expired
rule is done by listing all rules in the anchor and reinstantiating it via
'pfctl -a <anchor> -f -' with the expired rule deleted. fwknopd uses the
"_exp_<expire time>" convention in a PF rule label similarly to how fwknopd
interfaces with iptables (via the 'comment' match), and ipfw (via the
"//<comment>" feature).
This commit implements the ability to add PF firewall rules to the fwknop
anchor after a valid SPA packet is sniffed off the wire. A subsequent commit
will add the ability to delete these rules.
This commit ensures that for PF firewalls that the fwknop anchor is active and
linked into the running PF policy. This is accomplished by looking for the
string 'anchor "fwknop"' in the output of "pfctl -s rules". If the anchor
exists, then fwknopd will be able to influence traffic via rules added and
removed from the fwknop anchor.
