commit 7a231a3b72758d93b4b9425fd403247aa2018499
Author: Michael Rash
Date:   Mon Dec 5 22:21:31 2011 -0500

    added local_spa.key file

commit 3d0ceccf65010a84dd30fc5e9c567e24f03104ce
Author: Michael Rash
Date:   Mon Dec 5 22:20:39 2011 -0500

    added local_spa.key file

commit 710f98a9b572cd126cd3f662b29244bc0d6e6533
Author: Michael Rash
Date:   Mon Dec 5 22:16:38 2011 -0500

    minor addition of the CREDITS file for 'make dist'

commit 9bcd7cb137103db89400f4f652ab834e05ea5eba
Author: Michael Rash
Date:   Mon Dec 5 22:16:03 2011 -0500

    Added the CREDITS file for 'make dist'

commit 3b2ec921be16db4bcccb4a0bfe13ebdb620a5b31
Author: Michael Rash
Date:   Mon Dec 5 22:11:58 2011 -0500

    change log doc updates

commit 474a18b57d054939e6f4063d5ef491b4cee4a240
Author: Michael Rash
Date:   Mon Dec 5 22:10:47 2011 -0500

    Added various files to Makefile.am so that 'make dist' continues to work

commit 690fe25fa4201af8f76c28450177581ce14a1459
Author: Michael Rash
Date:   Mon Dec 5 21:14:31 2011 -0500

    added CREDITS file, bumped software version, added ChangeLog files

commit bcba9d6bdef6032a992e64a8bd6bd7604b83b006
Author: Michael Rash
Date:   Mon Dec 5 21:14:14 2011 -0500

    added CREDITS file, bumped software version, added ChangeLog files

commit 893b89a3eba5fa9945095f8df4460f912fdb0cbc
Author: Michael Rash
Date:   Sat Dec 3 21:21:29 2011 -0500

    minor compiler warning fix on OpenBSD

commit 860b4527a455d1d50f2b563f4939ee1990b53bd8
Author: Michael Rash
Date:   Sat Dec 3 13:10:35 2011 -0500

    minor compile fixes for FreeBSD

commit 9b7c1a8ce69fe51337458cce4e7b5e9cb3d7654b
Author: Michael Rash
Date:   Wed Nov 30 20:51:19 2011 -0500

    Added FORCE_NAT mode to the access.conf file

    This commit adds a new configuration variable "FORCE_NAT" to the
    access.conf file: For any valid SPA packet, force the requested
    connection to be NAT'd through to the specified (usually internal) IP
    and port value.
    This is useful if there are multiple internal systems running a service
    such as SSHD, and you want to give transparent access to only one
    internal system for each stanza in the access.conf file. This way,
    multiple external users can each directly access only one internal
    system per SPA key.

    This commit also implements a few minor code cleanups.

commit 8585958e6e164d47c3d9dc106d4a15aee18599b9
Author: Michael Rash
Date:   Mon Nov 28 23:20:11 2011 -0500

    minor newline fix for access.conf output dump

commit 2a1243fee6d618096bc402b5a56ae3c2670b8b50
Author: Michael Rash
Date:   Mon Nov 28 23:18:07 2011 -0500

    memory leak bugfix as a follow up to commit b280f5cde0246cdef33dee3f8be66a2bcef77336

commit b280f5cde0246cdef33dee3f8be66a2bcef77336
Author: Michael Rash
Date:   Mon Nov 28 22:03:21 2011 -0500

    Added access stanza expiration feature, multiple access stanza bug fix

    This commit does two major things:

    1) Two new access.conf variables are added "ACCESS_EXPIRE" and
       "ACCESS_EXPIRE_EPOCH" to allow access stanzas to be expired without
       having to modify the access.conf file and restart fwknopd.

    2) Allow an access stanza that matches the SPA source address to not
       automatically short circuit other stanzas if there is an error (such
       as when there are multiple encryption keys involved and an incoming
       SPA packet is meant for, say, the second stanza and the first
       therefore doesn't allow proper decryption).
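An added example (not a file from the fwknop distribution) of what the two commits above let an access.conf express: two stanzas, each with its own key, each force-NAT'd to a different internal host, and each expiring on its own without a restart. The variable names are the ones the commit messages introduce; the value formats (IP followed by port for FORCE_NAT, MM/DD/YYYY for ACCESS_EXPIRE, Unix seconds for ACCESS_EXPIRE_EPOCH), the other variables and the placeholder keys are assumptions of this example.

```conf
# Added example access.conf, not shipped with fwknop. Keys are placeholders.

# External user 1: any valid SPA packet encrypted with this key is
# transparently NAT'd through to 192.168.10.2:22, until the end of 2011.
SOURCE              ANY
OPEN_PORTS          tcp/22
KEY                 example-key-for-user-1
FW_ACCESS_TIMEOUT   30
FORCE_NAT           192.168.10.2 22
ACCESS_EXPIRE       12/31/2011

# External user 2: same service, a different internal host, and an
# expiration given as an epoch value instead of a date.
SOURCE              ANY
OPEN_PORTS          tcp/22
KEY                 example-key-for-user-2
FW_ACCESS_TIMEOUT   30
FORCE_NAT           192.168.10.3 22
ACCESS_EXPIRE_EPOCH 1325307600
```

Two things from the same log are worth checking when using a file like this: the Nov 22 commit adds a server-side check for ENABLE_IPT_FORWARDING before any NAT access is attempted, so FORCE_NAT does nothing unless that is enabled in fwknopd.conf; and because both stanzas above have SOURCE ANY, a packet for user 2 fails to decrypt under stanza 1's key, which is exactly the multiple-stanza short-circuit case the Nov 28 commit fixes.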
commit 9e884e9759362ce401bf77dab819b24e10caca62
Author: Michael Rash
Date:   Tue Nov 22 22:56:48 2011 -0500

    added SPA packet aging tests

commit 72a4353fd850c099816f6e1acb9fad12bcb2ff27
Author: Michael Rash
Date:   Tue Nov 22 22:56:36 2011 -0500

    bug fix to exclude SPA packets with timestamps in the future that are
    too great (old packets were properly excluded already)

commit 644b9e943214ed6ede762af72f395b73ea03faf0
Author: Michael Rash
Date:   Tue Nov 22 22:40:26 2011 -0500

    added test for --test mode in the fwknop client

commit 0015da44427bf988372818b26916a6229e9f68ca
Author: Michael Rash
Date:   Tue Nov 22 22:34:10 2011 -0500

    bug fix to honor the fwknop client --time-offset-plus and
    --time-offset-minus options

commit 05b189ff4fe61c7149efcf4f18cada14553e6dbe
Author: Michael Rash
Date:   Tue Nov 22 22:13:27 2011 -0500

    added DNAT mode tests, minor memory leak fix in NAT mode, added fwknopd
    check for ENABLE_IPT_FORWARDING variable before attempting NAT access

commit dd2deec73dc5f0d630ab86e92fe1e0073d692414
Author: Michael Rash
Date:   Fri Nov 18 23:23:50 2011 -0500

    added tests for various access.conf variables

commit 63498c9032bfe74bc91de5d6607391e7b7cdfe36
Author: Michael Rash
Date:   Thu Nov 17 21:17:50 2011 -0500

    added IP/subnet match tests, added --Anonymize-results mode

commit 34cd0c7a78a62e1df2533641ca08adaaafa2aa7d
Author: Michael Rash
Date:   Tue Nov 15 21:45:51 2011 -0500

    simplified the client/server interaction code, started on IP filtering
    tests, added spoof username tests

commit 3d94aaa9205e5703c50635b9007efab485d9b2da
Author: Michael Rash
Date:   Thu Nov 10 22:54:25 2011 -0500

    minor test wording consolidation

commit 50b48147c0392cd91f7ad83af56b20d0abbd3c3e
Author: Michael Rash
Date:   Thu Nov 10 22:33:32 2011 -0500

    This commit fixes two memory leaks and adds a common exit function.
    The two memory leaks were found with the test suite running in
    --enable-valgrind mode - here are the relevant error messages:

    For fwknopd server GPG clean up:

        ==345== 9 bytes in 1 blocks are definitely lost in loss record 2 of 2
        ==345==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
        ==345==    by 0x52F6B81: strdup (strdup.c:43)
        ==345==    by 0x10FA57: add_string_list_ent (access.c:308)
        ==345==    by 0x110513: parse_access_file (access.c:387)
        ==345==    by 0x10B5FB: main (fwknopd.c:193)

    For fwknop client rc file processing:

        ==8045== 568 bytes in 1 blocks are still reachable in loss record 12 of 12
        ==8045==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
        ==8045==    by 0x50A53AA: __fopen_internal (iofopen.c:76)
        ==8045==    by 0x10C3FF: process_rc (config_init.c:446)
        ==8045==    by 0x10C8F6: config_init (config_init.c:671)
        ==8045==    by 0x10AC9E: main (fwknop.c:62)

    There is also a new clean_exit() function that makes it easier to
    ensure that resources are deallocated upon exiting.

commit 9ebd55f52289d5904fbde3b8838ca92c7271d9e9
Author: Michael Rash
Date:   Thu Nov 10 22:33:00 2011 -0500

    remove CMD timestamps for --diff mode

commit 9e19b8bc267031900c555c55fc5c1e54b6093461
Author: Michael Rash
Date:   Sun Nov 6 13:51:23 2011 -0500

    added --diff mode to the test suite to compare results from one
    execution to the next

commit a5a3c06ef225c737acbd21c6cedd1a94f1a6c484
Author: Michael Rash
Date:   Fri Nov 4 23:46:31 2011 -0400

    consolidated several test functions into a single generic_exec() function

commit f41a26b389605311a21a95a9ad2b23f460ed02ee
Author: Michael Rash
Date:   Thu Nov 3 22:15:19 2011 -0400

    Fixed fwknopd memory leak, several other fixes and updates

    This commit does several things. First, a memory leak in fwknopd has
    been fixed by ensuring to free access.conf stanzas. This bug was found
    with the new test suite running in --enable-valgrind mode.
    Here is what some of the valgrind output looked like to find the leak:

        ==19217== 11 bytes in 1 blocks are indirectly lost in loss record 3 of 5
        ==19217==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
        ==19217==    by 0x52F6B81: strdup (strdup.c:43)
        ==19217==    by 0x10FC8B: add_acc_string (access.c:49)
        ==19217==    by 0x1105C8: parse_access_file (access.c:756)
        ==19217==    by 0x10B79B: main (fwknopd.c:194)
        ==19217==
        ==19217== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 5
        ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
        ==19217==    by 0x10FEC0: add_source_mask (access.c:88)
        ==19217==    by 0x110100: expand_acc_source (access.c:191)
        ==19217==    by 0x1104B0: parse_access_file (access.c:500)
        ==19217==    by 0x10B79B: main (fwknopd.c:194)
        ==19217==
        ==19217== 183 (152 direct, 31 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
        ==19217==    at 0x4C27480: calloc (vg_replace_malloc.c:467)
        ==19217==    by 0x1103E4: parse_access_file (access.c:551)
        ==19217==    by 0x10B79B: main (fwknopd.c:194)
        ==19217==
        ==19217== LEAK SUMMARY:
        ==19217==    definitely lost: 152 bytes in 1 blocks
        ==19217==    indirectly lost: 31 bytes in 3 blocks
        ==19217==      possibly lost: 0 bytes in 0 blocks
        ==19217==    still reachable: 8 bytes in 1 blocks
        ==19217==         suppressed: 0 bytes in 0 blocks

    Second, this commit changes how fwknopd acquires packet data with
    pcap_dispatch() - packets are now processed within the callback
    function process_packet() that is provided to pcap_dispatch(), the
    global packet counter is incremented by the return value from
    pcap_dispatch() (since this is the number of packets processed per
    pcap loop), and there are two new fwknopd.conf variables
    PCAP_DISPATCH_COUNT and PCAP_LOOP_SLEEP to control the number of
    packets that pcap_dispatch() should process per loop and the number of
    microseconds that fwknopd should sleep per loop respectively.
    Without this change, it was fairly easy to cause fwknopd to miss
    packets by creating bursts of packets that would all be processed one
    at a time with the usleep() delay between each. For fwknopd deployed
    on a busy network and with a permissive pcap filter (i.e. something
    other than the default that causes fwknopd to look at, say, TCP ACKs),
    this change should help.

    Third, the criteria that a packet must reach before data copying into
    the buffer designed for SPA processing has been tightened. A packet
    less than/greater than the minimum/maximum expected sizes is ignored
    before data is copied, and the base64 check is done as well.

commit 97a8d751c1b02271e812701d4cb938833d36918a
Author: Michael Rash
Date:   Sun Oct 30 22:14:00 2011 -0400

    added complete SPA cycle tests for tcp ports 23 and 9418 (git), and for
    udp 53 dns

commit 044ea54d936745e29c856de71818f0497633d531
Author: Michael Rash
Date:   Sat Oct 29 23:49:29 2011 -0400

    updated client SPA verbose message to include the server IP/host

commit 8e4b45dd568ef86ba773605662a5d058be714d33
Author: Michael Rash
Date:   Sat Oct 29 23:48:42 2011 -0400

    minor looping criteria update for valgrind tests

commit ea3e81787121e56e1a44cc0a5ee3b9ba64c4f5eb
Author: Michael Rash
Date:   Sat Oct 29 16:59:57 2011 -0400

    [test-suite] added the ability to run all fwknop tests through valgrind

commit f999e2e6720021328e2f34bf57d05b8081d8ffae
Author: Michael Rash
Date:   Sat Oct 29 16:55:28 2011 -0400

    bugfix to return preprocess_spa_data() result properly to calling function

commit b1b830f744b01e0a3f0d4a19b6d38dd51afaae1f
Author: Michael Rash
Date:   Fri Oct 28 23:01:06 2011 -0400

    update to remove packet direction requirement when sniffing on OpenBSD
    loopback interfaces

commit cde71b1b274cae5af3b6e986e5ac369d79c0cc3a
Author: Michael Rash
Date:   Fri Oct 28 23:00:26 2011 -0400

    minor whitespace removal

commit dbbbe60fe4b6908bff56d026d886381c83a44087
Author: Michael Rash
Date:   Fri Oct 28 22:59:52 2011 -0400

    added stack protection detection for OpenBSD systems
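Two of the checks described in this part of the log are easy to show stand-alone: the pre-copy filter from the Nov 3 commit (size bounds and a base64 check applied in the capture callback before anything lands in the SPA buffer) and the aging window from the Nov 22 commits (reject packets that are too old and, after that bugfix, packets stamped too far in the future). The following is an added example, not code from the fwknop repository; MIN_SPA_LEN, MAX_SPA_LEN and MAX_AGE_SEC are illustrative values, not fwknop's constants, and the function names are this example's own.

```c
/* Added example, not fwknop code. Models two of the checks the commits above
 * describe: a cheap pre-copy filter on the raw payload, and the timestamp
 * aging window applied once the packet has been decrypted.
 * The three constants are assumptions chosen for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MIN_SPA_LEN  80     /* assumed lower bound of an encoded SPA packet */
#define MAX_SPA_LEN  1500   /* assumed upper bound (one Ethernet MTU)       */
#define MAX_AGE_SEC  120    /* assumed tolerated clock skew, in seconds     */

enum spa_prefilter_result {
    SPA_PREFILTER_OK = 0,
    SPA_PREFILTER_TOO_SHORT,
    SPA_PREFILTER_TOO_LONG,
    SPA_PREFILTER_NOT_BASE64
};

/* Return 1 if every byte is from the base64 alphabet, with '=' allowed only
 * as up to two trailing padding characters; 0 otherwise. */
static int looks_like_base64(const unsigned char *p, size_t len)
{
    size_t i, pad = 0;

    for (i = 0; i < len; i++) {
        unsigned char c = p[i];
        if (c == '=') {
            if (++pad > 2)
                return 0;
            continue;
        }
        if (pad)                      /* data after padding is not base64 */
            return 0;
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '+' || c == '/'))
            return 0;
    }
    return 1;
}

/* Run before copying: a payload that fails here never reaches the SPA
 * buffer, so junk traffic matching a permissive pcap filter costs little. */
enum spa_prefilter_result spa_prefilter(const unsigned char *payload, size_t len)
{
    if (len < MIN_SPA_LEN)
        return SPA_PREFILTER_TOO_SHORT;
    if (len > MAX_SPA_LEN)
        return SPA_PREFILTER_TOO_LONG;
    if (!looks_like_base64(payload, len))
        return SPA_PREFILTER_NOT_BASE64;
    return SPA_PREFILTER_OK;
}

/* Aging window: 0 if ts is within MAX_AGE_SEC of now, -1 if too old, +1 if
 * too far in the future. Both directions are checked so the acceptance
 * window is symmetric around the server's clock; the pre-fix code only
 * bounded the past. */
int spa_timestamp_check(time_t now, time_t ts)
{
    if (ts < now && (now - ts) > MAX_AGE_SEC)
        return -1;
    if (ts > now && (ts - now) > MAX_AGE_SEC)
        return 1;
    return 0;
}

int main(void)
{
    unsigned char payload[100];               /* constructed sample payload */
    time_t now = time(NULL);

    memset(payload, 'A', sizeof payload);
    printf("prefilter(100 x 'A')   = %d\n", spa_prefilter(payload, sizeof payload));
    payload[10] = ' ';                        /* no longer base64 */
    printf("prefilter(with a space) = %d\n", spa_prefilter(payload, sizeof payload));
    printf("timestamp +10 minutes   = %d\n", spa_timestamp_check(now, now + 600));
    return 0;
}
```

The client-side --time-offset-plus/--time-offset-minus options from the same batch of commits exist precisely because this window is measured on the server's clock: a client whose clock is skewed beyond MAX_AGE_SEC shifts its timestamp into the window rather than the server widening it.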
commit 2e96ece4b074beff06aaca2f51bd90c84bfeeef8
Author: Michael Rash
Date:   Fri Oct 28 22:42:27 2011 -0400

    Update to ensure libfko.so path is detected properly on OpenBSD

commit 464dbe95d07657794aaac9e230153ffd84a2ed06
Author: Michael Rash
Date:   Thu Oct 27 21:51:55 2011 -0400

    Update to print all firewall commands in --verbose mode

    This commit makes it easier to determine exactly which commands fwknopd
    runs in --verbose mode when interacting with the underlying firewall.
    This commit also adds --verbose --verbose mode to the test suite.

commit 6388e8ac7fab3d89b164862c9e113fed37e9f397
Author: Michael Rash
Date:   Tue Oct 25 21:00:40 2011 -0400

    added 'const' to function prototype vars where possible

    Added the 'const' qualifier to function prototype variables where
    possible. In addition, reduced some functions to file-scope with
    'static' where possible. Also made a few minor changes to remove extra
    whitespace, and fixed a bug in create_fwknoprc() to ensure the new
    fwknoprc filehandle is closed.
commit 85377267e299118d5302afde3dfeed426b353879
Author: Michael Rash
Date:   Mon Oct 24 21:52:13 2011 -0400

    compiler warning fix for sscanf() on freebsd

    This commit fixes the following gcc warning on freebsd systems:

        replay_cache.c: In function 'replay_file_cache_init':
        replay_cache.c:312: warning: format '%ld' expects type 'long int *', but argument 9 has type 'time_t *'

commit 1c6fc0f3f80e086b43471e756f8249015fe2e4b2
Author: Michael Rash
Date:   Mon Oct 24 20:48:56 2011 -0400

    update to detect loopback interface

commit 3299fb25815bcec09b5410d3393ab806f8b78a68
Author: Michael Rash
Date:   Mon Oct 24 20:48:20 2011 -0400

    minor whitespace removal

commit c9860811f5de4b28f674d53d16b1bca10f12bed8
Author: Michael Rash
Date:   Sat Oct 22 22:29:27 2011 -0400

    added LD_LIBRARY_PATH to all fwknop/fwknopd commands to make manual
    command execution easier

commit 50bcc537eea23e9cd269a51e63d9da525c0a91ac
Author: Michael Rash
Date:   Sat Oct 22 22:06:00 2011 -0400

    added digest cache validation after GPG tests

commit 1b8606461cc21108b190f871bf2d8b0929589fce
Author: Michael Rash
Date:   Sat Oct 22 21:54:22 2011 -0400

    minor update to match include/exclude criteria on the whole test message

commit 9e3a4b4c920444df10b6a74eb574a542091adbfc
Author: Michael Rash
Date:   Sat Oct 22 21:29:44 2011 -0400

    extended packet validity tests in GPG mode

commit 09e6ed1405436b975cb41c89dc2517f0e73c54bb
Author: Michael Rash
Date:   Sat Oct 22 16:48:30 2011 -0400

    added first GPG complete cycle SPA test

commit 2d9dbe1fca011cd6bf726b86fb21af97da11ce49
Author: Michael Rash
Date:   Sat Oct 22 15:19:54 2011 -0400

    minor whitespace removal

commit e4f4ee78253f1f44c8809173ad2209ba8364e2c5
Author: Michael Rash
Date:   Sat Oct 22 14:25:56 2011 -0400

    added test to validate digest.cache structure

commit 266150218a021894e6dab0a8b4d7525183fe004a
Author: Michael Rash
Date:   Sat Oct 22 10:57:25 2011 -0400

    added -P bpf test for complete SPA cycle over non standard SPA port

commit 0ab39a64a5b86babdd0c5f7412fe160bca13cb69
Author: Michael Rash
Date:   Sat Oct 22 10:48:37 2011 -0400

    added -P bpf filter test

commit 6848983b474d4571b1434a349d10ac21b278ebda
Author: Michael Rash
Date:   Fri Oct 21 23:43:08 2011 -0400

    added Rijndael SPA validity tests

commit 081b58d9510e4bbafb6dd57b4e55a02d7105e43a
Author: Michael Rash
Date:   Fri Oct 21 23:13:24 2011 -0400

    added rule timeout detection

commit 9b816ed29af1be3a259d9c154418cbe624c2a93f
Author: Michael Rash
Date:   Fri Oct 21 22:55:45 2011 -0400

    added replay attack detection test

commit 0bda4ee1e5f671c2e64a2b961de2f2ed0f9170a5
Author: Michael Rash
Date:   Fri Oct 21 22:54:49 2011 -0400

    minor removal of whitespace

commit caf458ad3fb2ce9408035630869e877f0c97768d
Author: Michael Rash
Date:   Thu Oct 20 23:33:41 2011 -0400

    added first complete SPA cycle test

commit 44598fd7dd6be8207bae512b8b6e13f08e265d2a
Author: Michael Rash
Date:   Thu Oct 20 23:31:59 2011 -0400

    Added --digest-file and --pid-file args

    Added --digest-file and --pid-file args so that the user can easily
    alter these paths from the command line.

commit 6f699f7e5d28ac1d8e66d66b9cedb3094a35439e
Author: Michael Rash
Date:   Thu Oct 20 00:06:58 2011 -0400

    added client/server interaction test capability

commit b8571bcc05cc81448b8d52ef8eef71f2eaefa987
Author: Michael Rash
Date:   Tue Oct 18 21:28:38 2011 -0400

    Minor PID string length fix

    Changed PID string length to 7 to accommodate an ending newline and
    NULL char when writing to the fwknopd .pid file. Without this fix, with
    a 5 digit PID the trailing newline would be truncated (no room for the
    ending NULL char).

commit 0e7a0e9a378c5b9605228075718f53012e87cadd
Author: Michael Rash
Date:   Mon Oct 17 23:03:28 2011 -0400

    Added --fw-list-all and --fw-flush

    Added new command line options --fw-list-all and --fw-flush to allow
    all firewall rules to be displayed including those not created by
    fwknopd, and allow all firewall rules created by fwknopd to be deleted.
    Also switched -D config dump output to stdout.
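The replay-attack detection test and the digest.cache validation tests above exercise the one check that neither decryption nor the timestamp window provides: a captured SPA packet, resent inside the aging window, decrypts perfectly and is still fresh, so only a record of already-seen packet digests can reject it. The following is an added example, not fwknop's replay_cache.c: an in-memory model of that cache. The digest format (64 hex characters, i.e. a SHA-256 digest), the ring size and the function names are assumptions of this example.

```c
/* Added example, not fwknop code: an in-memory digest cache for replay
 * detection. Every accepted SPA packet's digest is recorded; a later packet
 * with the same digest is a replay and is refused. Digest length and cache
 * size are assumptions for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define DIGEST_HEX_LEN 64          /* assumed: hex-encoded SHA-256 */
#define CACHE_SLOTS    1024        /* assumed ring size */

enum replay_result {
    SPA_BAD_DIGEST = -1,   /* malformed digest string, never cached */
    SPA_NEW        = 0,    /* first sighting, now recorded */
    SPA_REPLAY     = 1     /* digest already seen: drop the packet */
};

struct digest_ent {
    char   digest[DIGEST_HEX_LEN + 1];
    time_t seen;
    int    used;
};

static struct digest_ent cache[CACHE_SLOTS];
static size_t cache_next;          /* ring position for the next insert */

void replay_cache_reset(void)
{
    memset(cache, 0, sizeof cache);
    cache_next = 0;
}

/* Only well-formed digests are cached; anything else is rejected outright
 * so a malformed packet cannot pollute the cache. */
static int is_hex_digest(const char *d)
{
    size_t i;

    if (strlen(d) != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++) {
        char c = d[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
              (c >= 'A' && c <= 'F')))
            return 0;
    }
    return 1;
}

/* Look the digest up; record it if unseen. The ring overwrites the oldest
 * slot when full, so CACHE_SLOTS must comfortably exceed the number of
 * packets that can arrive inside one aging window, or an evicted digest
 * could be replayed while its timestamp is still valid. */
enum replay_result replay_check_and_add(const char *digest, time_t now)
{
    size_t i;
    struct digest_ent *e;

    if (!is_hex_digest(digest))
        return SPA_BAD_DIGEST;
    for (i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].digest, digest) == 0)
            return SPA_REPLAY;

    e = &cache[cache_next];
    memcpy(e->digest, digest, DIGEST_HEX_LEN + 1);
    e->seen = now;
    e->used = 1;
    cache_next = (cache_next + 1) % CACHE_SLOTS;
    return SPA_NEW;
}

/* Forget digests older than max_age: the timestamp check already rejects
 * packets that old, so keeping them only costs lookup time. Returns the
 * number of entries dropped. */
size_t replay_cache_expire(time_t now, time_t max_age)
{
    size_t i, dropped = 0;

    for (i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].used && now - cache[i].seen > max_age) {
            cache[i].used = 0;
            dropped++;
        }
    }
    return dropped;
}

int main(void)
{
    /* constructed digest, not taken from a real packet */
    const char *d = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
    time_t now = time(NULL);

    replay_cache_reset();
    printf("first sighting  = %d\n", replay_check_and_add(d, now));   /* SPA_NEW    */
    printf("same digest     = %d\n", replay_check_and_add(d, now));   /* SPA_REPLAY */
    return 0;
}
```

fwknopd persists its cache to the digest file (the --digest-file option added above) rather than keeping it only in memory, which is what makes a replay across a daemon restart detectable; the in-memory ring here shows the lookup and expiry logic only.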
commit e479e776dbd848ba82e65e22b35e7e479a788161
Author: Michael Rash
Date:   Mon Oct 17 22:55:01 2011 -0400

    Added usage of sudo for recompilation test

    The test suite now recompiles fwknop only if the
    --enable-recompile-check option is used, and if so, uses sudo (if
    installed) to have the resulting binaries owned by the original user
    (instead of by root). Also made a couple of API changes to create test
    output files automatically if they don't exist.

commit 11c240c41b74c110068b8748b28a074ac121608c
Author: Michael Rash
Date:   Thu Oct 13 22:44:35 2011 -0400

    minor update to allow fw rules to be dumped before parsing the
    access.conf file

commit e36c833f554f59312c02e5efec0bbc77ab0ee301
Author: Michael Rash
Date:   Thu Oct 13 22:02:21 2011 -0400

    minor whitespace fixes

commit 9962dc08088b31d116b7b5d41bf8e3ced8cfa814
Author: Michael Rash
Date:   Thu Oct 13 20:59:30 2011 -0400

    minor wording update netfilter -> iptables

commit 45ecc6f39932271f7a70b1fe8dec99dc9d2438c0
Author: Michael Rash
Date:   Thu Oct 13 20:41:12 2011 -0400

    minor bugfix to ensure that the proper firewall is used to collect
    system specs

commit 103cd2a8fb0ebe7919a5647ae90a9425242ca0ae
Author: Michael Rash
Date:   Thu Oct 13 20:30:05 2011 -0400

    added the test/conf/ directory for config files used by the test suite

commit 6f0d2c509121de45f470dae4c17b6a7e46ea19d0
Author: Michael Rash
Date:   Thu Oct 13 20:29:37 2011 -0400

    minor typo fix

commit 64160a0c57aee0c406be5158836fe10b3f38e3f9
Author: Michael Rash
Date:   Thu Oct 13 20:29:19 2011 -0400

    started on basic SPA generation, updated to use LD_LIBRARY_PATH for
    local libfko instance

commit a1f4a65f27b73ebe5744c7ae4bf64a0876032e13
Author: Michael Rash
Date:   Wed Oct 12 23:37:28 2011 -0400

    interim commit to add major functionality to the fwknop test suite

commit 4a41ecc9556fedd4bb04206081b4096a2fddaeee
Author: Michael Rash
Date:   Wed Oct 12 23:36:51 2011 -0400

    removed

commit 88d8eb03b30a03ebb43a7da33c5f65d2de2c3289
Author: Michael Rash
Date:   Wed Oct 12 23:36:04 2011 -0400

    minor update
    to switch to stdout when exiting with success

commit 41c0be29b7a3ea6a0c859b43e43ccdc3aa5e30ba
Author: Michael Rash
Date:   Thu Oct 6 23:02:29 2011 -0400

    switched --help output to stdout from stderr

commit 26f58a705dbdf9a07e430fc2558871d491c27d63
Author: Michael Rash
Date:   Thu Oct 6 22:53:27 2011 -0400

    minor update to account for hardening-check return values

commit 1a3e1caffe707e71fd3cf99ffaa4547f7fda017a
Author: Michael Rash
Date:   Tue Oct 4 23:15:04 2011 -0400

    Initial start on a test suite

    This commit begins development on a comprehensive test suite for
    fwknop. The initial tests are focused on compilation correctness and
    security options as determined by the "hardening-check" script from
    Kees Cook of the Debian security team.

commit 05f3cec96a03251d1a308d90200c9dc479ae4558
Author: Michael Rash
Date:   Sun Sep 25 21:12:30 2011 -0400

    Added --help usage information

    With the --help command line argument, the following information is
    printed:

        $ ./fwknop-launcher-lsof.pl --help
        Usage: fwknop-launcher-lsof.pl [options]

        Options:
          -c, --config        - Path to fwknop-launcher.conf config file.
          -l, --lsof-cmd      - Path to lsof command.
          -f, --fwknop-cmd    - Path to fwknop client command.
          -s, --sleep         - Specify sleep interval (default: 1 seconds)
          -n  --no-daemon     - Run in foreground mode.
          -u, --user          - Specify username (usually this is not needed).
              --home-dir      - Path to user's home directory (usually this is
                                not needed).
          -v  --verbose       - Print verbose information to the terminal
                                (requires --no-daemon).
              --help          - Print usage info and exit.
commit 71ea0c6bfd3be6ff8d95e6f1d1029394e51c07f4
Merge: 7748423 35ee5a2
Author: Michael Rash
Date:   Sun Sep 25 21:02:54 2011 -0400

    Merge branch 'master' into fwknop-launcher

commit 7748423b15958fedfcaeb942f3f26cdc5b40dcde
Author: Michael Rash
Date:   Sat Sep 24 22:24:30 2011 -0400

    Added the fwknop lsof launcher under the extras/ directory

    The fwknop lsof launcher (extras/fwknop-launcher/fwknop-launcher-lsof.pl)
    is a lightweight daemon that allows the user to not have to manually
    run the fwknop client when attempting to gain access to a service that
    is protected by Single Packet Authorization via fwknopd. This is
    accomplished by checking the output of lsof to look for pending
    connections in the SYN_SENT state, which (usually) indicate that a
    remote firewall is blocking the attempted connection. At this point,
    the launcher executes the fwknop client with the --get-key arg (so the
    user must place the key in the local filesystem) to generate an SPA
    packet for the attempted connection. The remote fwknopd daemon will
    reconfigure the firewall to allow temporary access, and this usually
    happens fast enough that the original connection attempt will then
    succeed. The idea for this was originally for a pcap-based connection
    watcher by Sebastien Jeanquier.
commit 35ee5a202debe2e7c15227f7704753c977281de2
Merge: 35abc34 668ed90
Author: Michael Rash
Date:   Wed Sep 21 18:10:16 2011 -0700

    Merge pull request #5 from maxkas/master

    Fwknop client for iPhone devices - contributed by Max Kastanas

commit 668ed9033f601f052fe58ebf87a8eff144b50fcf
Author: Max Kastanas
Date:   Fri Sep 16 22:51:53 2011 -0700

    Codebase of Fwknop client for iOS (iPhone) devices

commit 35abc349ab91ff40f0706a66e9ba50188cb94cb2
Author: Michael Rash
Date:   Mon Sep 12 23:04:41 2011 -0400

    minor typo fix: fwkop -> fwknop

commit f693a2721cf499815853639c8dfb924ab4c427cd
Merge: e07ccdd 87416c0
Author: Damien Stuart
Date:   Sat Sep 10 11:30:09 2011 -0400

    Merge branch 'master' of https://github.com/mrash/fwknop

commit e07ccdd5508c488a818790c16728ebdc13be284c
Author: Damien Stuart
Date:   Sat Sep 10 11:25:08 2011 -0400

    Added the cmd_opts.h file to server and client's Makefile.am so they
    are included with make dist.

commit 87416c0cdf544ff636ea963bd90f1f22dd7ca49a
Author: Michael Rash
Date:   Fri Sep 9 22:09:37 2011 -0400

    Replaced all strcpy() calls with strlcpy()

    OpenBSD especially gives compiler warnings whenever strcpy() is used.
    All such calls have been replaced with strlcpy().

commit 0b8c4890758bfd6612780c28041d7b1e3e9f1a15
Author: Michael Rash
Date:   Thu Sep 8 23:44:50 2011 -0400

    Added read-only relocations and immediate bindings

    Commit 4248b2687054b38e79e2ab9eecf71e5b299172f4 removed read-only
    relocations and immediate bindings for FreeBSD systems (and the same
    was done for OpenBSD systems too). This commit adds these security
    features back in as linker options by only changing LDFLAGS as opposed
    to also adding the corresponding flags to CFLAGS.
    The end result is that the following errors are fixed:

        gcc: -z: linker input file unused because linking not done
        gcc: relro: linker input file unused because linking not done

commit c65e25c6568c53d44d0163ebd4889260466bcdfa
Author: Michael Rash
Date:   Thu Sep 8 21:33:52 2011 -0400

    Check for active_rules > 0 before decrementing

    In the fw_config struct the active_rules member is unsigned, so this
    change ensures that we don't try to decrement it below zero whenever a
    firewall rule is deleted or an error condition occurs.

commit 88b6d44f1f70daf951cf7e1d237114f96ad30a9a
Author: Michael Rash
Date:   Thu Sep 8 00:20:20 2011 -0400

    Update to make _exp_ string a #define

    Replaced all instances of "_exp_" with the #define
    EXPIRE_COMMENT_PREFIX so that the prefix can easily be changed.

commit 2531896ebf98d80380f462b4fae9e16940206a40
Author: Michael Rash
Date:   Wed Sep 7 23:24:18 2011 -0400

    Added the ability to delete PF rules

    This commit adds the ability to fwknopd to delete PF rules after the
    SPA timer expires. The strategy implemented is similar to iptables and
    ipfw, except that all PF rules are added to an 'anchor', and deleting a
    specific expired rule is done by listing all rules in the anchor and
    reinstantiating it via 'pfctl -a -f -' with the expired rule deleted.
    fwknopd uses the "_exp_" convention in a PF rule label similarly to how
    fwknopd interfaces with iptables (via the 'comment' match), and ipfw
    (via the "//" feature).

commit f9810904c36c270a5d19111ae7566c6d410bed4a
Author: Michael Rash
Date:   Sat Sep 3 21:00:12 2011 -0400

    minor comment typo fixes

commit d60dde17b71b898a821a60d9a1166c32436c17c2
Author: Michael Rash
Date:   Sat Sep 3 14:50:28 2011 -0400

    PF rules are now added to the fwknop anchor

    This commit implements the ability to add PF firewall rules to the
    fwknop anchor after a valid SPA packet is sniffed off the wire.
    A subsequent commit will add the ability to delete these rules.

commit 6938f7a6aecb1395f750c56a4e10489d6d060fc9
Author: Michael Rash
Date:   Sun Aug 28 13:37:23 2011 -0400

    Minor copyright holder update

commit 10ff421e1ef86c1b437645764abe11819a88c292
Author: Michael Rash
Date:   Sun Aug 28 13:27:15 2011 -0400

    For PF firewalls implemented a check for an active fwknop anchor

    This commit ensures that, for PF firewalls, the fwknop anchor is active
    and linked into the running PF policy. This is accomplished by looking
    for the string 'anchor "fwknop"' in the output of "pfctl -s rules". If
    the anchor exists, then fwknopd will be able to influence traffic via
    rules added and removed from the fwknop anchor.

commit 5bc5ef4305cafd26ee3faaf5eefb3f6b9f05441e
Author: Michael Rash
Date:   Sat Aug 27 11:07:19 2011 -0400

    Added --fw-list info to --help

    Added --fw-list output to usage info when --help is specified from the
    command line.

commit 0649ef924a8c979fd815c2d2e8416a16aeabeb62
Author: Michael Rash
Date:   Sat Aug 27 10:57:17 2011 -0400

    PF support on OpenBSD in progress, fwknop --fw-list now works

    This is the first commit that has fwknopd interact with the PF firewall
    on OpenBSD (via fwknopd --fw-list to show any active fwknopd rules).

commit dcf2d94bf675a906c570814d9cd65e2a1bfd2e77
Author: Michael Rash
Date:   Wed Aug 24 23:55:36 2011 -0400

    Added autoconf check for pf firewalls

    On OpenBSD systems fwknop now checks for pf firewalls via autoconf. The
    next step will be to fill in support for pf via the C code.
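The PF expiry strategy described in the Sep 7 commit above (list the anchor, drop rules whose "_exp_<epoch>" label has passed, reload the rest through pfctl), and the guarded decrement of the unsigned active_rules counter from the Sep 8 commit, fit naturally in one sweep routine. The following is an added example, not fwknopd's PF code: the rule text is constructed to resemble a pfctl rule listing (the exact pfctl output format, the "pfctl -a fwknop -f -" reload command and the function names are assumptions of this example); only the label convention and EXPIRE_COMMENT_PREFIX come from the commits.

```c
/* Added example, not fwknop code. Sweeps a PF anchor listing: rules whose
 * label is "_exp_<epoch>" with epoch <= now are dropped, the rest are
 * emitted as the text to feed back through 'pfctl -a fwknop -f -' (the
 * reload command, like the listing format, is an assumption here). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define EXPIRE_COMMENT_PREFIX "_exp_"   /* same convention as the commits */
#define MAX_RULE_LEN 256

struct fw_config {
    unsigned int active_rules;          /* unsigned, as in the Sep 8 commit */
};

/* Constructed sample of an anchor listing (three rules, one per line). */
const char *sample_anchor_listing(void)
{
    return
    "pass in quick proto tcp from 1.2.3.4 to any port = 22 flags S/SA keep state label \"_exp_1323100000\"\n"
    "pass in quick proto tcp from 5.6.7.8 to any port = 22 flags S/SA keep state label \"_exp_1323200000\"\n"
    "pass in quick proto tcp from 9.9.9.9 to any port = 23 flags S/SA keep state label \"_exp_1323300000\"\n";
}

/* Extract the expiration epoch from a 'label "_exp_<epoch>"' clause.
 * Returns 0 when the rule carries no fwknop expiry label, so rules that
 * fwknopd did not create are never touched by the sweep. */
time_t rule_expiry(const char *rule)
{
    static const char marker[] = "label \"" EXPIRE_COMMENT_PREFIX;
    const char *p = strstr(rule, marker);
    char *end;
    unsigned long long v;

    if (p == NULL)
        return 0;
    p += sizeof marker - 1;
    v = strtoull(p, &end, 10);
    if (end == p || *end != '"')        /* not a clean _exp_<digits>" label */
        return 0;
    return (time_t)v;
}

/* Guarded decrement: active_rules is unsigned, so an unguarded '--' on an
 * already-zero counter would wrap to UINT_MAX. */
void fw_rule_removed(struct fw_config *fwc)
{
    if (fwc->active_rules > 0)
        fwc->active_rules--;
}

/* Copy the non-expired rules of `listing` into `out` (newline separated),
 * counting each expired rule out of fwc->active_rules. Returns how many
 * rules were removed. Rules that would not fit in `out` are dropped, which
 * a real implementation should treat as an error rather than silently. */
size_t sweep_expired(const char *listing, time_t now, struct fw_config *fwc,
                     char *out, size_t outlen)
{
    size_t removed = 0, used = 0;
    const char *line = listing;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char rule[MAX_RULE_LEN];
        time_t exp;

        if (len >= sizeof rule)
            len = sizeof rule - 1;
        memcpy(rule, line, len);
        rule[len] = '\0';

        exp = rule_expiry(rule);
        if (exp != 0 && exp <= now) {
            removed++;
            fw_rule_removed(fwc);
        } else if (len > 0 && used + len + 1 < outlen) {
            memcpy(out + used, rule, len);
            used += len;
            out[used++] = '\n';
            out[used] = '\0';
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return removed;
}

int main(void)
{
    struct fw_config fwc = { 3 };
    char out[2048];
    size_t removed = sweep_expired(sample_anchor_listing(), (time_t)1323250000,
                                   &fwc, out, sizeof out);

    printf("removed %zu rule(s), %u still active\nreload text:\n%s",
           removed, fwc.active_rules, out);
    return 0;
}
```

Because the anchor is rewritten wholesale rather than edited rule by rule, a sweep that runs concurrently with a rule being added can lose the new rule; fwknopd serialises both in one process, and any reimplementation should keep that property.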
commit 649b7a88c1d6caa0e3760c7694b9d5b5b855dd4c
Author: Michael Rash
Date:   Wed Aug 24 23:17:45 2011 -0400

    Disabled read-only relocations and immediate binding compiler protections

    Similarly to FreeBSD systems, gcc throws the following warnings with
    read-only relocations and immediate binding protections - disabled for
    now:

        gcc: -z: linker input file unused because linking not done
        gcc: relro: linker input file unused because linking not done
        gcc: -z: linker input file unused because linking not done
        gcc: now: linker input file unused because linking not done

commit 47da588003b9bf1645a97823cfa940b8c5a93071
Author: Michael Rash
Date:   Mon Aug 22 21:39:28 2011 -0400

    removed 2.0.0 branch specific ChangeLog, ShortLog and diffstat files
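The two commits about RELRO and immediate binding (the Aug 24 one that disabled them and the Sep 8 one that restored them by moving the flags to LDFLAGS) come down to one build-system point: "-z relro" and "-z now" are linker options, so when they sit in CFLAGS every compile-only step (cc -c) emits the "linker input file unused because linking not done" warning quoted above, and on the actual link step they are easy to lose. The following Makefile fragment is an added example, not fwknop's Makefile.am or configure.ac; the target and object names and the libraries are assumptions, the flags themselves are standard GNU toolchain options.

```make
# Added example, not the fwknop build files: where the hardening flags go.
# Object names and libraries below are placeholders for the example.

# Wrong: linker options in CFLAGS. Each 'cc -c' step prints
#   gcc: -z: linker input file unused because linking not done
#   gcc: relro: linker input file unused because linking not done
# and the protections are not applied unless the link step also sees them.
# CFLAGS  = -O2 -fstack-protector -z relro -z now

# Right: compiler-side protections in CFLAGS, linker-side ones in LDFLAGS,
# passed through the driver with -Wl so they reach ld untouched.
CFLAGS  = -O2 -fstack-protector -D_FORTIFY_SOURCE=2
LDFLAGS = -Wl,-z,relro -Wl,-z,now

fwknopd: fwknopd.o access.o
	$(CC) $(LDFLAGS) -o $@ $^ -lpcap -lfko

%.o: %.c
	$(CC) $(CFLAGS) -c -o $@ $<
```

After linking, the result can be confirmed independently of the build system: "readelf -d fwknopd" should show a BIND_NOW (or FLAGS BIND_NOW) entry and "readelf -l fwknopd" a GNU_RELRO segment, and the hardening-check script that the Oct 4 test-suite commit adopts reports both as "Read-only relocations: yes" and "Immediate binding: yes".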