cipherdyne.org

12 January, 2009

The 1.9.10 release of fwknop is ready for download. This release adds a few new features such as the ability to send SPA packets over HTTP requests, and the ability to sniff interfaces without requiring any IP address to be assigned. Several minor bug fixes were made as well such as restoring the ability to send SPA packets over ICMP and properly decode them on the fwknopd server system.

Here is the complete ChangeLog:

• Added the ability to send SPA packet over HTTP to a webserver. This requires that the same running fwknopd is also running a webserver, or that ENABLE_TCP_SERVER is enabled so that fwknopd spawns fwknop_serv to listen on a real TCP socket. Sending SPA packets over HTTP is accomplished with a new command line argument --HTTP on the fwknop client command line, and via a new configuration variable ENABLE_SPA_OVER_HTTP in the fwknop.conf file.
• Added ENABLE_EXTERNAL_CMDS for fwknopd to control whether the EXTERNAL_CMD_OPEN and EXTERNAL_CMD_CLOSE directives are used (instead of just checking whether they are set to __NONE__).
• Bug fix to make sure to properly construct hash reference for the "include" command list for the check_commands() function when checking for the mail command.
• Bug fix for fwknopd to not require Net::Pcap::lookupnet() to succeed on interfaces with no IPv4 address assigned. This function sets the IP and netmask of the local interface, but if fwknopd sniffs an interface without any IP assigned, then such information will not necessarily exist.
• Bug fix to add --Override config support to knopwatchd (Franck Joncourt).
• Bug fix to add client timeout (--fw-timeout) support to both forward NAT and local NAT modes (Damien Stuart). This required increasing the number of expected fields in decrypted SPA packets in fwknopd.
• Bug fix in the install.pl script for Cygwin systems (or others where a client-mode only install is done) to take into account the newer perl library path handling code.
• Updated minimum ICMP header length to 8 bytes in fwknopd to accept spoofed SPA packets over ICMP echo requests.
• Added config dumping support to knopwatchd with -D (Franck Joncourt).
• Minor code cleanups and updates to knopwatched (such as the usage of isspace() to allow tab chars between variable names and values in the fwknop.conf file (Franck Joncourt).
• Added ENABLE_COOKED_INTF to force fwknopd to always treat the sniffing interface as the "cooked" interface type found on Linux.
• Updated knopwatchd to allow more than one overwrite file (Franck Joncourt).
• Added --Single-mod-install to the perl installer so that individual module dependencies can be installed piecemeal.
• (Test suite): Bug fix for the proper usage of the 'ps' command on FreeBSD and Mac OS X systems. The test suite now runs successfully on these systems after this fix.
• (Test suite): Added the ability to test sending SPA packets over established TCP connections with the fwknop_serv daemon.
• (Test suite): Added support for collecting *.warn and *.die output for each test as it is executed and appending this data to each test output file.