Skip to content
GitLab
切换分支/标签
查找文件 BlameHistoryPermalink
要在任何这些版本中查找此项目存储库的状态,请检查 标签。.
ChangeLog 48.37 KiB
在Web IDE中打开
1 
fwknop-2.6.10 (08/06/2018):
2 
    - [server] Add MAX_FW_TIMEOUT to access.conf stanzas to allow a maximum
3 
      number of seconds for client-specified timeouts in SPA packets. This
4 
      fixes issue #226 which was spotted by Jeremiah Rothschild.
5 
    - [server] Bug fix in CMD_EXEC mode to make sure to call exit() upon any
6 
      error from execvpe(). Without this fix, additional fwknopd processes
7 
      would be started upon a user specifying a command without the necessary
8 
      permissions. This bug was reported by Stephen Isard.
9 
    - [build] Jérémie Courrèges-Anglas and Ingo Feinerer contributed a patch
10 
      to fix endian detection on OpenBSD systems based on information
11 
      contained here: https://www.opengroup.org/austin/docs/austin_514.txt
12 
    - [client/server] (Michael Stair) Added client and server infrastructure
13 
      written in Erlang. See the erlang/ directory.
14
15 
fwknop-2.6.9 (06/08/2016):
16 
    - (Jonathan Bennett) Added support for the SHA3 "Keccak" algorithm
17 
      (specifically SHA3_256 and SHA3_512) for SPA HMAC and digest checking.
18 
      Enabling SHA3 from the fwknop client command line is done with the '-m'
19 
      option for the embedded SPA digest, or with the --hmac-digest-type
20 
      argument for the HMAC. On the server side, SHA3_256 or SHA3_512 can be
21 
      required for incoming SPA packet HMAC'c via the HMAC_DIGEST_TYPE
22 
      configuration variable in access.conf stanzas. The SHA3 implementation
23 
      is from, Keyak and Ketje Teams, namely, Guido Bertoni, Joan Daemen,
24 
      Michael Peeters, Gilles Van Assche and Ronny Van Keer - see:
25 
      http://keyak.noekeon.org/
26 
    - (Damien Stuart) Added support for libnetfilter_queue so that fwknopd can
27 
      acquire SPA packets via the NFQ target. This feature is enabled with a
28 
      new command line switch '--enable-nfq-capture' for the configure script,
29 
      and libpcap is not required in this mode. In support of capturing SPA
30 
      packets via the NFQ target, new configuration variables have been added
31 
      to the fwknopd.conf file: ENABLE_NFQ_CAPTURE, NFQ_INTERFACE, NFQ_PORT,
32 
      NFQ_TABLE, NFQ_CHAIN, NFQ_QUEUE_NUMBER, and NFQ_LOOP_SLEEP.
33 
    - (Vlad Glagolev) Added support for deriving the source IP from the
34 
      X-Forwarded-For HTTP header when SPA packets are sent over HTTP
35 
      connections.
36 
    - Bug fix in command open/close cycle feature to ensure that the first
37 
      successful match on a valid incoming SPA packet finishes all access.conf
38 
      stanza processing. That is, no other stanzas should be looked at after
39 
      the first match, and this is consistent with other SPA modes (such as
40 
      basic access requests). This bug was reported by Jonathan Bennett.
41 
    - (Jonathan Bennett) Various fixes and enhancements to the test suite to
42 
      extend code coverage to new code, ensure valgrind bytes lost detection
43 
      works for amount of memory less than 10 bytes, better timing strategy
44 
      for fwknop client/server interactions, and more.
45
46 
fwknop-2.6.8 (12/23/2015):
47 
    - [server] Added a major new feature that allows fwknopd to easily
48 
      integrate with third-party devices and software. This done through the
49 
      addition of a generic "command open" and "command close" capability, and
50 
      a set of variable substitutions are supported such as '$SRC', '$PORT',
51 
      and '$PROTO'. This feature is designed to allow the user to switch out
52 
      the default firewall - iptables, firewalld, ipfw, or PF - for something
53 
      complete different. For example, here is a write-up on using this feature
54 
      to integrate SPA operations with ipset:
55
56 
        https://cipherdyne.org/blog/2015/12/single-packet-authorization-and-third-party-devices.html
57
58 
    - [server] (Jonathan Bennett) Added new access.conf directives
59 
      '%include <file>' and '%include_folder <directory>'. This allows more
60 
      access stanzas to be defined in other locations in the filesystem, and
61 
      this can be adventageous in some scenarios by letting non-privledged
62 
      users define their own encryption and authentication keys for SPA
63 
      operations. This way, users do not need write access to the main
64 
      /etc/fwknop/access.conf file to change keys around or define new ones.
65 
    - [server] Bug fix to not send the TCP server a TERM signal even when it is
66 
      not running when fwknopd receives a HUP signal.
67 
    - [libfko] Bug fix for a crash that could be triggered in
68 
      fko_set_username() when a username that is 64 chars or longer is
69 
      specified. This crash cannot be triggered in fwknopd even if an SPA
70 
      packet contains such a username however due to additional protections in
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
the SPA decoding routines. Further, this bug does not apply to the main fwknop client either because the maximal username size is truncated down below 64 bytes. Hence, this bug only applies to client-side software that is directly using libfko calling the fko_set_username() function. - [test suite] Code coverage is now at 90.7% counted by lines. The complete coverage report for the 2.6.8 release is available here: https://www.cipherdyne.org/fwknop/lcov-results/ fwknop-2.6.7 (08/24/2015): - [server] When command execution is enabled with ENABLE_CMD_EXEC for an access.conf stanza, added support for running commands via sudo. This was suggested by Github user 'freegigi' (issue #159) as a means to provide command filtering using the powerful sudoers syntax. This feature is implemented by prefixing any incoming command from a valid SPA packet with the sudo command along with optional user and group requirements as defined by the following new access.conf variables: ENABLE_CMD_SUDO_EXEC, CMD_SUDO_EXEC_USER, and CMD_SUDO_EXEC_GROUP. - [server] Kevin Layer reported a bug to the fwknop mailing list that simultaneous NAT access for two different access.conf stanza was not functioning properly. After some diagnosis, this was a result of rule_exists() not properly detecting and differentiating existing DNAT rules from new ones with different port numbers when 'iptables -C' support is not available. This was against iptables-1.4.7, and has been fixed in this release of fwknop (tracked as issue #162). - [server] Added --key-gen to fwknopd. This feature was suggested by Jonathan Bennett, and will help with ease of use efforts. The first platform to take advantage of this will likely be OpenWRT thanks to Jonathan. - [server] By default, fwknopd will now exit if the interface that it is sniffing goes down (patch contributed by Github user 'sgh7'). If this happens, it is expected that the native process monitoring feature in things like systemd or upstart will restart fwknopd. However, if fwknopd is not being monitored by systemd, upstart, or anything else, this behavior can be disabled with the EXIT_AT_INTF_DOWN variable in the fwknopd.conf file. If disabled, fwknopd will try to recover when a downed interface comes back up. - [extras] Added a script from Jonathan Bennett at extras/console-qr/console-qr.sh to generate QR codes from fwknopd access.conf keys. - [build] Added --with-firewalld to the autoconf configure script. This is a synonym for --with-firewall-cmd to avoid confusion. Some package maintainers use --with-firewalld to build fwknop. fwknop-2.6.6 (04/23/2015): - [server] Add the ability for fwknopd to function as an generic SPA gateway. This allows scenarios such as the fwknopd system providing DHCP addresses to client systems, but those systems would be blocking by default from accessing the broader Internet until a valid SPA packet is sent to the gateway. Two new access.conf variables support this feature: DISABLE_DNAT (do not build any DNAT rules for forwarded connections) and FORWARD_ALL (allow all traffic to be forwarded instead of specific services requested within an SPA packet). So far, this feature is only supported on systems running iptables or firewalld. The idea was contributed by "spartan1833" to the fwknop mailing list, and this became issue 131 on github. - [server] Bug fix when compiled with --enable-udp-server to not include pcap.h, which is likely not installed whenever libpcap is also not installed. This bug was reported by Alexander Kozhevnikov. - [android] (Dan Brooks) Contributed a patch for the Android client app to add the definition of custom server udp port. This is similar to the --server-port argument offered by the main fwknop client. - [test suite] Handle versions of lcov that don't have the --rc argument which is normally used to force the creation of branch coverage stats when code coverage reports are created. - [build] Add --enable-asan-support to autoconf configure script to enable Google's Address Sanitizer (ASan) support. This feature is used during the testing phase for new fwknop releases. Running fwknop under the complete test suite (and also under AFL) with ASan support compiled in did not turn up any new bugs.