Changeset 1201

Timestamp:

08/12/08 22:03:02 (4 months ago)

Author:

mbr

Message:

merged -r 1181:1200 file:///home/mbr/svn/fwknop_repos/fwknop/branches/fwknop-redhat-integration into trunk for Mirek's patches

Files:

• fwknop/trunk/CREDITS (modified) (1 diff)
• fwknop/trunk/ChangeLog (modified) (1 diff)
• fwknop/trunk/Class-MethodMaker (deleted)
• fwknop/trunk/Crypt-CBC (deleted)
• fwknop/trunk/Crypt-Rijndael (deleted)
• fwknop/trunk/Digest-SHA (deleted)
• fwknop/trunk/GnuPG-Interface (deleted)
• fwknop/trunk/INSTALL (modified) (1 diff)
• fwknop/trunk/IPTables-ChainMgr (deleted)
• fwknop/trunk/IPTables-Parse (deleted)
• fwknop/trunk/Makefile (modified) (1 diff)
• fwknop/trunk/Net-IPv4Addr (deleted)
• fwknop/trunk/Net-Pcap (deleted)
• fwknop/trunk/Net-Ping-External (deleted)
• fwknop/trunk/Net-RawIP (deleted)
• fwknop/trunk/NetPacket (deleted)
• fwknop/trunk/TermReadKey (deleted)
• fwknop/trunk/Unix-Syslog (deleted)
• fwknop/trunk/deps (copied) (copied from fwknop/branches/fwknop-redhat-integration/deps)
• fwknop/trunk/fwknop (modified) (18 diffs)
• fwknop/trunk/fwknop_funcs.c (modified) (1 diff)
• fwknop/trunk/fwknop_serv (modified) (4 diffs)
• fwknop/trunk/fwknopd (modified) (27 diffs)
• fwknop/trunk/init-scripts/fwknop-init.redhat (modified) (4 diffs)
• fwknop/trunk/install.pl (modified) (4 diffs)
• fwknop/trunk/knoptm (modified) (7 diffs)
• fwknop/trunk/packaging/fwknop-nodeps.spec (copied) (copied from fwknop/branches/fwknop-redhat-integration/packaging/fwknop-nodeps.spec)
• fwknop/trunk/packaging/fwknop.spec (modified) (10 diffs)
• fwknop/trunk/test/fwknop_test.pl (modified) (1 diff)

fwknop/trunk/CREDITS

@@ -204 +204 @@
-    - Suggested that the "C" locale be set by default so that gpg process
-      output would always be correctly interpreted.
+
+Mirek Trmac
+    - Contributed patches to allow fwknop to be bundled with Fedora.  These
+      patches included the following, and all were sponsored by Red Hat:
+
+        Updates to fwknopd to remove the NetPacket module as a dependency
+      (this is a particularly important update since it assists with getting
+      fwknop bundled with Debian as well).  The patch manually decodes the
+      network and transport layer headers.
+        A patch to make the fwknop init script not start fwknopd by default
+      on Red Hat systems.  This patch also supports Fedora init script
+      conventions better (i.e. fwknop instead of the fwknopd name for the lock
+      file in /var/lock/subsys).
+        Updated the fwknop Makefile to respect the OPTS variable which is used
+      in the RPM spec file.
+        Bugfix in fwknop_serv to support the variable expansion code from
+      fwknopd.  This was important for the TCPSERV_PID_FILE file which is
+      defined as $FWKNOP_RUN_DIR/fwknop_serv.pid.
+        Updated fwknopd to use the Net::Pcap API valid in Net::Pcap 0.14 for
+      the datalink() function (used to detect the datalink layer type).

fwknop/trunk/ChangeLog

@@ +1 @@
+fwknop-1.9.7 (08//2008):
+    - Mirek Trmac from Red Hat contributed several patches so that fwknop can
+      be bundled within the Fedora Linux distribution.  These patches
+      implemented the following changes:
+
+        Updates to fwknopd to remove the NetPacket module as a dependency
+      (this is a particularly important update since it assists with getting
+      fwknop bundled with Debian as well).  The patch manually decodes the
+      network and transport layer headers.
+        A patch to make the fwknop init script not start fwknopd by default
+      on Red Hat systems.  This patch also supports Fedora init script
+      conventions better (i.e. fwknop instead of the fwknopd name for the lock
+      file in /var/lock/subsys).
+        Updated the fwknop Makefile to respect the OPTS variable which is used
+      in the RPM spec file.
+        Bugfix in fwknop_serv to support the variable expansion code from
+      fwknopd.  This was important for the TCPSERV_PID_FILE file which is
+      defined as $FWKNOP_RUN_DIR/fwknop_serv.pid.
+        Updated fwknopd to use the Net::Pcap API valid in Net::Pcap-0.14 for
+      the datalink() function (used to detect the datalink layer type).
+
+    - Updated fwknop, fwknopd, and knoptm to import perl modules out of the
+      /usr/lib/fwknop/ directory if it exists.  This allows the perl module
+      path to be manipulated via the --Lib-dir command line argument and
+      'require' statements instead of the old 'use module' strategy.
+
-fwknop-1.9.6 (07/18/2008):
-    - SPA packets are base64-encoded by the fwknop client, and this encoding

fwknop/trunk/INSTALL

@@ -10 +10 @@
-this case fwknop can only be used as an authentication client against an
-fwknop server on a different system.
+
+DEPENDENCIES:
+    fwknop requires several perl modules that may or may not already be
+installed on your Linux system.  These modules are included in the deps/
+directory in the fwknop sources (unless you have installed one of the -nodeps
+tarballs), and the list of modules is:
+
+Class-MethodMaker
+Crypt-CBC
+Crypt-Rijndael
+Digest-SHA
+GnuPG-Interface
+IPTables-ChainMgr
+IPTables-Parse
+Net-IPv4Addr
+Net-Pcap
+Net-RawIP
+TermReadKey
+Unix-Syslog

fwknop/trunk/Makefile

@@ -25 +25 @@
-#
-
+OPTS = -Wall -O
+
-### default
-all : knopmd.c knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c fwknop.h
--Wall -O
--Wall -O
+$(OPTS)
+$(OPTS)
-
-### debug mode

fwknop/trunk/fwknop

@@ -5 +5 @@
-# File: fwknop
-#
+# URL: http://www.cipherdyne.org/fwknop
+#
-# Purpose: fwknop implements an authorization scheme known as Single Packet
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-#
-# Author: Michael Rash (mbr@cipherdyne.org)
@@ -21 +29 @@
-# Copyright (C) 2004-2008 Michael Rash (mbr@cipherdyne.org)
-#
-(GNU Public License)
+- GNU Public License version 2
-#
-#    This program is distributed in the hope that it will be useful,
@@ -38 +46 @@
-#
-
-use lib '/usr/lib/fwknop';
-use Crypt::CBC;
-use Net::IPv4Addr qw(ipv4_in_network);
-use Net::Ping::External qw(ping);
-use IO::Socket;
-use IO::Handle;
@@ -47 +51 @@
-use Data::Dumper;
-use POSIX;
-use Term::ReadKey;
-use Getopt::Long;
-use strict;
@@ -56 +59 @@
-($rev_num) = $revision_svn =~ m|\$Rev.*:\s+(\S+)|;
-
+my $lib_dir = '/usr/lib/fwknop';
-my $print_version = 0;
-my $print_help    = 0;
@@ -258 +262 @@
-$digest_type = $SHA256_DIGEST if $use_sha256;
-
+### import fwknop perl modules
+&import_perl_modules();
+
-### this is only necessary for older versions of perl (newer versions
-### call srand() automatically at the first usage of rand() if srand()
@@ -812 +819 @@
-sub pcap_Rijndael_encrypt_msg() {
-    my $msg = shift;
+
+    require Crypt::CBC;
-
-    my $cipher = Crypt::CBC->new({
@@ -1025 +1034 @@
-        ### the remote firewall is configued to not reply at all
-        if ($proto eq 'icmp') {
+            require Net::Ping::External;
+            Net::Ping::External->import(qw/ping/);
-            print "    icmp echo request -> $knock_dst\n";
-            ping(hostname => "$knock_dst", count => 1, timeout => 1);
@@ -1057 +1068 @@
-    my @encrypted_seq = ();
-
+    require Crypt::CBC;
+
-    my $cipher = Crypt::CBC->new({
-        'key'    => $enc_key,
@@ -1289 +1302 @@
-        my $try = 0;
-        my $max_tries = 20;
- 'noecho'
+('noecho')
-        KEY: while (1) {
-            $try++;
@@ -1299 +1312 @@
-                print "Encryption Key: ";
-            }
- 0
+(0)
-            next KEY unless defined $ans;
-            next KEY unless $ans =~ /\S/;
@@ -1316 +1329 @@
-            }
-        }
- 'normal'
+('normal')
-        print "\n";
-
@@ -1333 +1346 @@
-    }
-    return;
+}
+
+sub import_perl_modules() {
+
+    my $mod_paths_ar = &get_mod_paths();
+
+    if ($#$mod_paths_ar > -1) {  ### /usr/lib/fwknop/ exists
+        push @$mod_paths_ar, @INC;
+        splice @INC, 0, $#$mod_paths_ar+1, @$mod_paths_ar;
+    }
+
+    if ($debug) {
+        print STDERR "[+] import_perl_modules(): The \@INC array:\n";
+        print STDERR "$_\n" for @INC;
+    }
+
+    require Net::IPv4Addr;
+    require Term::ReadKey;
+
+    Term::ReadKey->import(qw/ReadMode ReadLine/);
+    Net::IPv4Addr->import(qw/ipv4_in_network/);
+
+    return;
+}
+
+sub get_mod_paths() {
+
+    my @paths = ();
+
+    unless (-d $lib_dir) {
+        my $dir_tmp = $lib_dir;
+        $dir_tmp =~ s|lib/|lib64/|;
+        if (-d $dir_tmp) {
+            $lib_dir = $dir_tmp;
+        } else {
+            return [];
+        }
+    }
+
+    opendir D, $lib_dir or die "[*] Could not open $lib_dir: $!";
+    my @dirs = readdir D;
+    closedir D;
+
+    push @paths, $lib_dir;
+
+    for my $dir (@dirs) {
+        ### get directories like "/usr/lib/fwknop/x86_64-linux"
+        next unless -d "$lib_dir/$dir";
+        push @paths, "$lib_dir/$dir"
+            if $dir =~ m|linux| or $dir =~ m|thread|;
+    }
+    return \@paths;
-}
-
@@ -1432 +1497 @@
-sub handle_server_auth_method() {
-    if (lc($server_auth_method) eq 'crypt') {
- 'noecho'
+('noecho')
-        while (1) {
-            $quiet == 1 ? print "UNIX crypt() password: "
-                : print "    UNIX crypt() password: ";
- 0
+(0)
-            chomp $ans;
-            next unless $ans =~ /\S/;
@@ -1442 +1507 @@
-            last;
-        }
- 'normal'
+('normal')
-        print "\n";
-        return;
@@ -1550 +1615 @@
-        'Include-gpg-prefix' => \$include_base64_gnupg_prefix,
-        'Test-mode'      => \$test_mode,
+        'Lib-dir=s'      => \$lib_dir,
-        'LC_ALL=s'       => \$locale,
-        'locale=s'       => \$locale,
@@ -1795 +1861 @@
-                                 arguments as in the previous invocation.
-                                 The args are stored in ~/fwknop.run.
-L, --Last-host <host>
+-Last-host <host>    
-    --gpg-signing-key <key ID> - ID for key used to sign GnuPG encrypted
-                                 message (e.g. "0xABCD1234").
@@ -1924 +1990 @@
-                                 knock sequence (synonym for -D).
-    -d, --debug                - Run fwknop in debugging mode.
+    --Lib-dir <path>           - Path to the perl modules directory (not
+                                 usually necessary).
-    --locale <locale>          - Manually define a locale setting.
-    --no-locale                - Don't set the locale to anything (the

fwknop/trunk/fwknop_funcs.c

@@ -60 +60 @@
-
-    /* read the first line of the pid_file, which will contain the
-md
+nop
-    if (fgets(pid_line, MAX_PID_SIZE+1, pidfile_ptr) == NULL) {
-        return;

fwknop/trunk/fwknop_serv

@@ -62 +62 @@
-
-### trivial loop; we just want the local TCP stack to accept connections;
-it 
+
-while (my $client = $server->accept()) {
-
@@ -94 +94 @@
-    ### import config
-    &import_config();
+
+    ### expand any embedded vars within config values
+    &expand_vars();
-
-    ### make sure all the vars we need are actually in the config file.
@@ -170 +173 @@
-    while (<C>) {
-        next if /^\s*#/;
-
-
-
-
+
+
-        }
-    }
@@ -179 +180 @@
-    return;
-}
+
+sub expand_vars() {
+
+    my $has_sub_var = 1;
+    my $resolve_ctr = 0;
+
+    while ($has_sub_var) {
+        $resolve_ctr++;
+        $has_sub_var = 0;
+        if ($resolve_ctr >= 20) {
+            die "[*] Exceeded maximum variable resolution counter.";
+        }
+        for my $var (keys %config) {
+            my $val = $config{$var};
+            if ($val =~ m|\$(\w+)|) {
+                my $sub_var = $1;
+                die "[*] sub-ver $sub_var not allowed within same ",
+                    "variable $var" if $sub_var eq $var;
+                if (defined $config{$sub_var}) {
+                    $val =~ s|\$$sub_var|$config{$sub_var}|;
+                    $config{$var} = $val;
+                } else {
+                    die "[*] sub-var \"$sub_var\" not defined in ",
+                        "config for var: $var."
+                }
+                $has_sub_var = 1;
+            }
+        }
+    }
+    return;
+}

fwknop/trunk/fwknopd

@@ -18 +18 @@
-#          page.
-#
+#          More information can be found in the fwknop(8) and fwknopd(8) man
+#          pages, and also online here:
+#
+#          http://www.cipherdyne.org/fwknop/docs/
+#
-# Author: Michael Rash (mbr@cipherdyne.org)
-#
@@ -24 +29 @@
-# Copyright (C) 2004-2008 Michael Rash (mbr@cipherdyne.org)
-#
-(GNU Public License)
+- GNU Public License version 2
-#
-#    This program is distributed in the hope that it will be useful,
@@ -41 +46 @@
-#
-
-use lib '/usr/lib/fwknop';
-use Crypt::CBC;
-use Unix::Syslog qw(:subs :macros);
-use Net::IPv4Addr qw(ipv4_in_network);
-use Net::Pcap;
-use NetPacket::IP;
-use NetPacket::UDP;
-use NetPacket::TCP;
-use NetPacket::ICMP;
-use NetPacket::Ethernet;
-use IO::Socket;
-use IO::Handle;
@@ -93 +88 @@
-my $packet_ctr     = 0;
-my $packet_limit   = 0;
+my $lib_dir        = '';
-my $fw_list        = 0;
-my $fw_type        = '';
@@ -100 +96 @@
-my $test_mode      = 0;
-my $verbose        = 0;
-use_gpg     
+imported_gpg
-my $os_ipt_log     = '';
-my $cmdline_intf   = '';
@@ -110 +106 @@
-my $build_ipt_config = 0;
-my $skipped_first_loop = 0;
+my $imported_crypt_cbc = 0;
-my $pcap_sleep_interval = 1;  ### seconds
-my $imported_iptables_modules = 0;
@@ -214 +211 @@
-    'T' => $tcp_timestamp_type
-);
+
+my $ETH_HDR_LEN      = 14;
+my $MIN_IP_HDR_LEN   = 20;
+my $MIN_ICMP_HDR_LEN = 4;
+my $UDP_HDR_LEN      = 8;
+my $MIN_TCP_HDR_LEN  = 20;
-
-my %access_keys = (
@@ -286 +289 @@
-    ### we are parsing the pcap file created by the ulogd pcap
-    ### writer, or in sniffing mode against an interface
+
+    require Net::Pcap;
+
-    &pcap_loop();
-}
@@ -304 +310 @@
-    eval {
-        if (not $PCAP_COOKED_INTF and $Net::Pcap::VERSION > 0.05) {
-pcap_
-pcap_
+
+
-                print STDERR "[+] Detected Linux Cooked Interface.\n" if $debug;
-                $PCAP_COOKED_INTF = 1;
@@ -393 +399 @@
-    my $src_ip     = '';
-    my $proto      = '';
-obj
+data
-
-    if ($debug) {
@@ -421 +427 @@
-    if ($config{'AUTH_MODE'} eq 'ULOG_PCAP') {
-        ### The ulogd pcap writer does not include link layer information
-NetPacket::IP->
+&ip_
-    } else {
-        if ($config{'FIREWALL_TYPE'} eq 'ipfw' and $cmdline_intf eq 'lo0') {
@@ -429 +435 @@
-            $pkt =~ s/^.{4}// if $pkt =~ /^[^\x45].{3}\x45/;
-
-NetPacket::IP->
+&ip_
-        } else {
-            if ($PCAP_COOKED_INTF) {
-                $ether_data = unpack("x[16]a*", $pkt);
-            } else {
-NetPacket::Ethernet::
-
-NetPacket::IP->
+&ethernet_
+
+&ip_
-        }
-    }
@@ -447 +453 @@
-
-    if ($proto == 1) {
-obj = NetPacket::ICMP->decode
+data = &icmp_decode_data
-    } elsif ($proto == 6) {
-obj = NetPacket::TCP->decode
+data = &tcp_decode_data
-    } elsif ($proto == 17) {
-obj = NetPacket::UDP->decode
+data = &udp_decode_data
-    } else {
-        return;
@@ -459 +465 @@
-    ### any valid SPA message will be longer than 10 bytes, but this
-    ### check is better than nothing
-unless defined $transport_obj->{'data'}
+if $transport_data eq ""
-
-    my $enc_msg_len = 0;
-obj->{'data'}
+data
-    if (10 < $enc_msg_len and $enc_msg_len < 1500) {
-        print STDERR localtime() . " [+] Data len: $enc_msg_len bytes\n"
@@ -474 +480 @@
-    if ($debug) {
-        ### make sure not to print non-printable stuff
-obj->{'data'}
+data
-        $data_tmp =~ s/[^\x20-\x7e]/NA/g;
-        print STDERR localtime() .
@@ -483 +489 @@
-            print STDERR localtime() .
-                "     Raw packet data (hex dump, minus packet headers):\n";
-obj->{'data'}
+data
-        }
-    }
@@ -489 +495 @@
-    ### see if this packet is worthy of being granted access through
-    ### the firewall
-obj->{'data'}
+data
-
-    &collect_warn_die_msgs();
-
-    return;
+}
+
+sub ethernet_strip() {
+    my $pkt = shift;
+
+    my $eth_data = '';
+
+    if (length($pkt) >= $ETH_HDR_LEN) {
+        $eth_data = substr($pkt, $ETH_HDR_LEN);
+    }
+    ### Silently return '' for short frames
+    return $eth_data;
+}
+
+sub ip_addr_bytes_to_string() {
+    my $bytes = shift;
+
+    my ($a, $b, $c, $d) = unpack('C[4]', $bytes);
+    return "$a.$b.$c.$d";
+}
+
+sub ip_decode() {
+    my $pkt = shift;
+
+    my $ip = {};
+    if (length($pkt) >= $MIN_IP_HDR_LEN and $pkt =~ /^\x45/) {
+        (my $ver_ihl, $ip->{'tos'}, $ip->{'len'}, $ip->{'id'}, my $flags_frag,
+         $ip->{'ttl'}, $ip->{'proto'}, $ip->{'cksum'}, my $src_ip, my $dest_ip)
+            = unpack("CCnnnCCna[4]a[4]", $pkt);
+        $ip->{'ver'} = $ver_ihl >> 4;
+        $ip->{'hlen'} = $ver_ihl & 0x0F;
+        $ip->{'flags'} = $flags_frag >> 13;
+        $ip->{'foffset'} = ($flags_frag & 0x1FFF) * 8;
+        $ip->{'src_ip'} = &ip_addr_bytes_to_string($src_ip);
+        $ip->{'dest_ip'} = &ip_addr_bytes_to_string($dest_ip);
+        my $data_start = $ip->{'hlen'} * 4;
+        if ($data_start >= $MIN_IP_HDR_LEN) {
+            $ip->{'data'} = substr($pkt, $data_start);
+        }
+    }
+    return $ip;
+}
+
+sub icmp_decode_data() {
+    my $icmp = shift;
+
+    my $icmp_data = '';
+    if (length($icmp) >= $MIN_ICMP_HDR_LEN) {
+        $icmp_data = substr($icmp, $MIN_ICMP_HDR_LEN);
+    }
+    ### Silently return '' for short packets
+    return $icmp_data;
+}
+
+sub tcp_decode_data() {
+    my $tcp = shift;
+
+    my $tcp_data = '';
+
+    if (length($tcp) >= $MIN_TCP_HDR_LEN) {
+
+        my $data_start = 4 * (ord(substr($tcp, 12, 1)) >> 4);
+        if ($data_start >= $MIN_TCP_HDR_LEN) {
+            $tcp_data = substr($tcp, $data_start);
+        }
+    }
+    ### Silently return '' for short packets
+    return $tcp_data;
+}
+
+sub udp_decode_data() {
+    my $udp = shift;
+
+    my $udp_data = '';
+    if (length($udp) >= $UDP_HDR_LEN) {
+        $udp_data = substr($udp, $UDP_HDR_LEN);
+    }
+    ### Silently return '' for short packets
+    return $udp_data;
-}
-
@@ -2299 +2384 @@
-        &hex_dump(decode_base64($msg));
-    }
+
-    my $cipher = Crypt::CBC->new({
-        'key'    => $enc_key,
@@ -3274 +3360 @@
-                    $access_hsh{'DATA_COLLECT_MODE'} = $ENCRYPT_SEQUENCE;
-                } elsif ($line =~ /^\s*KEY:\s*(.*)\s*;/) {
+                    require Crypt::CBC unless $imported_crypt_cbc;
+                    $imported_crypt_cbc = 1;
-                    $access_hsh{'KEY'} = $1;
-                    ### pad with zeros to the key size
@@ -3280 +3368 @@
-                    }
-                } elsif ($line =~ /^\s*GPG_REMOTE_ID:\s*(.*)\s*;/) {
-use
-use
+imported
+imported
-                    my @arr = split /\s*\,\s*/, $1;
-                    for my $gpg_key_id (@arr) {
@@ -3287 +3375 @@
-                    }
-                } elsif ($line =~ /^\s*GPG_DECRYPT_ID:\s*(.*)\s*;/) {
-use
-use
+imported
+imported
-                    $access_hsh{'GPG_DECRYPT_ID'} = $1;
-                } elsif ($line =~ /^\s*GPG_DECRYPT_PW:\s*(.*)\s*;/) {
-use
-use
+imported
+imported
-                    $access_hsh{'GPG_DECRYPT_PW'} = $1;
-                } elsif ($line =~ /^\s*GPG_HOME_DIR:\s*(\S+)\s*;/) {
-use
-use
+imported
+imported
-                    $access_hsh{'GPG_HOME_DIR'} = $1;
-                } elsif ($line =~ /^\s*FILE_PCAP\s*;/) {
@@ -3776 +3864 @@
-        'LC_ALL=s'       => \$cmdline_locale,
-        'locale=s'       => \$cmdline_locale,
+        'Lib-dir=s'      => \$lib_dir,
-        'no-LC_ALL'      => \$no_locale,
-        'no-locale'      => \$no_locale,
@@ -3956 +4045 @@
-    ### make sure command paths are correct
-    &check_commands() unless $os_fprint_only;
+
+    ### import fwknop perl modules
+    &import_perl_modules();
-
-    if ($fw_del_ip) {
@@ -4653 +4745 @@
-}
-
+sub import_perl_modules() {
+
+    my $mod_paths_ar = &get_mod_paths();
+
+    if ($#$mod_paths_ar > -1) {  ### /usr/lib/fwknop/ exists
+        push @$mod_paths_ar, @INC;
+        splice @INC, 0, $#$mod_paths_ar+1, @$mod_paths_ar;
+    }
+
+    if ($debug) {
+        print STDERR "[+] import_perl_modules(): The \@INC array:\n";
+        print STDERR "$_\n" for @INC;
+    }
+
+    require Unix::Syslog unless $config{'ALERTING_METHODS'} =~ /no.?syslog/i;
+
+    Unix::Syslog->import(qw(:subs :macros))
+        unless $config{'ALERTING_METHODS'} =~ /no.?syslog/i;
+
+    require Net::IPv4Addr;
+    Net::IPv4Addr->import(qw/ipv4_in_network/);
+
+    return;
+}
+
+sub get_mod_paths() {
+
+    my @paths = ();
+
+    $config{'FWKNOP_MOD_DIR'} = $lib_dir if $lib_dir;
+
+    unless (-d $config{'FWKNOP_MOD_DIR'}) {
+        my $dir_tmp = $config{'FWKNOP_MOD_DIR'};
+        $dir_tmp =~ s|lib/|lib64/|;
+        if (-d $dir_tmp) {
+            $config{'FWKNOP_MOD_DIR'} = $dir_tmp;
+        } else {
+            return [];
+        }
+    }
+
+    opendir D, $config{'FWKNOP_MOD_DIR'}
+        or die "[*] Could not open $config{'FWKNOP_MOD_DIR'}: $!";
+    my @dirs = readdir D;
+    closedir D;
+
+    push @paths, $config{'FWKNOP_MOD_DIR'};
+
+    for my $dir (@dirs) {
+        ### get directories like "/usr/lib/fwknop/x86_64-linux"
+        next unless -d "$config{'FWKNOP_MOD_DIR'}/$dir";
+        push @paths, "$config{'FWKNOP_MOD_DIR'}/$dir"
+            if $dir =~ m|linux| or $dir =~ m|thread|;
+    }
+    return \@paths;
+}
+
-sub import_digests() {
-
@@ -4938 +5087 @@
-            SNAT_TRANSLATE_IP PROC_IP_FORWARD_FILE ENABLE_PROC_IP_FORWARD
-            MIN_SPA_PKT_LEN ENABLE_IPT_LOCAL_NAT LOCALE ENABLE_SYSLOG_FILE
-
+ FWKNOP_MOD_DIR
-    ) {
-        die "[*] Required variable $var is not defined in $config_file"
@@ -4989 +5138 @@
-                                 key information) when running in --debug
-                                 and --verbose mode.
-L, --Linux-cooked-intf
+-Linux-cooked-intf    
-                                 interface is a "Linux Cooked" interface.
-                                 This is useful when fwknopd uses a version
@@ -4995 +5144 @@
-                                 pcap_datalink_val_to_name() function or
-                                 have the pcap_datali.al file.
+    --Lib-dir <path>           - Path to the perl modules directory (not
+                                 usually necessary).
-    -d, --debug                - Run fwknopd in debugging mode.
-    --locale <locale>          - Manually define a locale setting.

fwknop/trunk/init-scripts/fwknop-init.redhat

@@ -3 +3 @@
-# Startup script for fwknop
-#
-345
+-
-# description: The FireWall KNock OPerator (fwknop)
-# processname: fwknop
@@ -27 +27 @@
-    echo
-    if [ $RETVAL -eq 0 ]; then
-d
+
-    fi
-    ;;
@@ -37 +37 @@
-        killproc fwknopd
-    RETVAL=$?
-d
+
-    echo
-    if [ -f /var/run/fwknop/knopmd.pid ]; then
@@ -68 +68 @@
-    restart
-    ;;
-
-d
+|try-restart
+
-    ;;
-*)
-    echo "Usage: fwknop {start|stop|status|restart|reload|condrestart}"
-1
+3
-esac

fwknop/trunk/install.pl

@@ -69 +69 @@
-my $data_method = '';
-my $runlevel = -1;
+my $deps_dir = 'deps';
-my $init_dir = '/etc/init.d';
-my $init_name = 'fwknop';
@@ -240 +241 @@
-&import_config();
-
+### see if the deps/ directory exists, and if not then we are installing
+### from the -nodeps sources so don't install any perl modules
+$skip_module_install = 1 unless -d $deps_dir;
+
-### check to see if we are installing as a non-root user
-&check_non_root_user() unless $client_install;
@@ -384 +389 @@
-            &install_perl_module($mod_href);
-        }
-    }
-
-    ### special case the NetPacket::<proto> modules since the NetPacket
-    ### directory is just for the base class, and we need to make sure
-    ### we have each of the NetPacket::IP, NetPacket::ICMP, NetPacket::UDP,
-    ### and NetPacket::TCP modules.
-    unless ($skip_module_install or $client_install) {
-        chdir 'NetPacket' or die "[*] Could not chdir NetPacket directory: $!";
-        unless (-e 'Makefile.PL') {
-            die "[*] Your NetPacket source directory appears to be incomplete!\n",
-                "    Download the latest sources from ",
-                "http://www.cipherdyne.org\n";
-        }
-        system "$cmds{'make'} clean" if -e 'Makefile';
-        system "$cmds{'perl'} Makefile.PL PREFIX=$config{'FWKNOP_MOD_DIR'} " .
-            "LIB=$config{'FWKNOP_MOD_DIR'}";
-        system $cmds{'make'};
-#        system "$cmds{'make'} test";
-        system "$cmds{'make'} install";
-        chdir $src_dir or die "[*] Could not chdir $src_dir: $!";
-    }
-
@@ -1169 +1154 @@
-sub install_perl_module() {
-    my $mod_hr = shift;
+
+    chdir $src_dir or die "[*] Could not chdir $src_dir: $!";
+    chdir $deps_dir or die "[*] Could not chdir($deps_dir): $!";
-
-    for my $key qw/module force-install client-mode-install mod-dir/ {

fwknop/trunk/knoptm

@@ -40 +40 @@
-#
-
-use lib '/usr/lib/fwknop';
-use Unix::Syslog qw(:subs :macros);
-use Net::IPv4Addr qw(ipv4_in_network);
-use IO::Socket;
-use IO::Handle;
@@ -62 +59 @@
-my $print_ver  = 0;
-my $debug      = 0;
+my $lib_dir    = '';
-my $die_msg    = '';
-my $warn_msg   = '';
@@ -95 +93 @@
-    'no-voluntary-exits' => \$no_voluntary_exits,
-    'no-logs'   => \$no_logs,
+    'Lib-dir=s' => \$lib_dir,
-    'LC_ALL=s'  => \$cmdline_locale,
-    'locale=s'  => \$cmdline_locale,
@@ -536 +535 @@
-    ### make sure all the vars we need are actually in the config file.
-    &required_vars();
+
+    ### import all necessary perl modules
+    &import_perl_modules();
-
-    ### validate config
@@ -744 +746 @@
-            KNOPTM_SYSLOG_FACILITY KNOPTM_SYSLOG_PRIORITY
-            ENABLE_VOLUNTARY_EXITS EXIT_INTERVAL FWKNOP_PID_FILE
-
+ FWKNOP_MOD_DIR
-    ) {
-
@@ -844 +846 @@
-    }
-    return;
+}
+
+sub import_perl_modules() {
+
+    my $mod_paths_ar = &get_mod_paths();
+
+    if ($#$mod_paths_ar > -1) {  ### /usr/lib/fwknop/ exists
+        push @$mod_paths_ar, @INC;
+        splice @INC, 0, $#$mod_paths_ar+1, @$mod_paths_ar;
+    }
+
+    if ($debug) {
+        print STDERR "[+] import_perl_modules(): The \@INC array:\n";
+        print STDERR "$_\n" for @INC;
+    }
+
+    require Unix::Syslog unless $config{'ALERTING_METHODS'} =~ /no.?syslog/i;
+
+    Unix::Syslog->import(qw(:subs :macros))
+        unless $config{'ALERTING_METHODS'} =~ /no.?syslog/i;
+
+    require Net::IPv4Addr;
+    Net::IPv4Addr->import(qw/ipv4_in_network/);