39 Commits

Author SHA1 Message Date
Leo Antunes
eede056afa update changelog for 0.8-2
Gbp-Dch: Ignore
2021-11-02 23:40:40 +01:00
Leo Antunes
688ef43fba systemd: downgrade ProtectSystem to "true" from "full"
this should enable interacting with tools such as ufw

Closes: #927883
2021-11-02 23:35:15 +01:00
Leo Antunes
521ba0fe1b add changelog for 0.8-1
Gbp-Dch: Ignore
2021-10-19 12:16:18 +02:00
Leo Antunes
9ae659c94d d/control: switch from d/compat to debhelper-compat dep 2021-10-19 12:15:06 +02:00
Leo Antunes
e09f46d282 d/copyright: add missing license block 2021-10-19 00:02:11 +02:00
Leo Antunes
7495e2b15c d/patches: fix manpage to match debian config 2021-10-18 23:58:06 +02:00
Leo Antunes
ca7bf832d0 d/knockd.service: only start when online 2021-10-18 23:55:28 +02:00
Leo Antunes
614debf189 d/control: use HTTPS for Vcs-Git URL 2021-10-18 23:51:56 +02:00
Leo Antunes
a626515f12 d/rules: fix permissions for /etc/knockd.conf
Closes: #902022
2021-10-18 23:50:47 +02:00
Leo Antunes
3009b44006 d/control: remove unnecessary deps 2021-10-18 23:50:28 +02:00
Leo Antunes
bfe2e959c9 d/rules: remove old dh options 2021-10-18 23:44:35 +02:00
Leo Antunes
07da25fbbb d/upstream/metadata: add 2021-10-18 23:36:56 +02:00
Leo Antunes
e87735fcd9 d.knockd.service: ensure service is enabled
Closes: #868015
2021-10-18 23:31:28 +02:00
Leo Antunes
3ef12dbadd update patches for improved DEP3 2021-10-18 23:25:43 +02:00
Leo Antunes
15d6b105fc drop reap_child_procs.patch (merged upstream) 2021-10-18 23:15:31 +02:00
Leo Antunes
75a1e52e91 debian: add gbp.conf 2021-10-18 23:04:02 +02:00
Leo Antunes
2243dcaf7b Update upstream source from tag 'upstream/0.8'
Update to upstream version '0.8'
with Debian dir e7bfd7ea6c
2021-10-17 11:13:19 +02:00
Leo Antunes
74aada02ef New upstream version 0.8 2021-10-17 11:13:19 +02:00
Leo Antunes
6cf96b87b4 debian: bump to up-to-date formats overall 2021-10-17 11:11:32 +02:00
Leo Antunes
ab774823da debian: update VCS fields 2021-10-17 10:54:31 +02:00
Ondřej Nový
208f130f9c d/control: Fix wrong Vcs-* 2018-10-01 09:49:01 +02:00
Ondřej Nový
37fcd4c14b d/control: Remove trailing whitespaces 2018-10-01 09:49:00 +02:00
Ondřej Nový
f96235603a d/changelog: Remove trailing whitespaces 2018-10-01 09:48:59 +02:00
Leo Antunes
dd2ba213e1 add changelog entry for 0.7-1
Gbp-Dch: ignore
2016-10-27 22:51:00 +02:00
Leo Antunes
47e7d5a199 add watch file 2016-10-27 22:51:00 +02:00
Leo Antunes
da6afdd232 debian/control: add VCS URL 2016-10-27 22:51:00 +02:00
Leo Antunes
fcf14cede6 remove knock client docs from installation
otherwise we end up with multiple documentation copies in the single
binary package
2016-10-27 22:51:00 +02:00
Leo Antunes
49e3f86395 add hardening flags 2016-10-27 22:50:59 +02:00
Leo Antunes
c808032abf init: add dependency on $remote_fs 2016-10-27 22:50:59 +02:00
Leo Antunes
4033472622 add systemd support (closes: #729663) 2016-10-27 22:50:59 +02:00
Leo Antunes
6cbc047eac switch to source/format 3.0 (quilt) 2016-10-27 22:50:59 +02:00
Leo Antunes
37c3759022 remove debian/docs (README deleted upstream)
Gbp-Dch: ignore
2016-10-27 22:50:59 +02:00
Leo Antunes
bc9c096d07 drop patches/manpage_cmd_timeout: fixed upstream 2016-10-27 22:50:59 +02:00
Leo Antunes
f0eed1b587 drop patches/include_limits_h: fixed upstream 2016-10-27 22:50:59 +02:00
Leo Antunes
b966c89c1e migrate to dh >= 9 short notation 2016-10-27 22:50:46 +02:00
Leo Antunes
0b63eacbe6 update homepage url 2016-09-28 19:50:23 +02:00
Leo Antunes
48f78ca518 bump policy to 3.9.8 (no changes) 2016-09-28 19:49:52 +02:00
Leo Antunes
b2567e2868 New upstream version 0.7 2016-09-28 19:41:01 +02:00
Leo Antunes
3ad5f21391 Merge tag 'upstream/0.7'
Upstream version 0.7
2016-09-28 19:41:01 +02:00
47 changed files with 10606 additions and 8813 deletions

22
.gitignore vendored Normal file

@@ -0,0 +1,22 @@
*.o
*~
.deps
.dirstamp
/Makefile
/Makefile.in
/aclocal.m4
/autom4te.cache/
/compile
/config.h
/config.h.in
/config.log
/config.status
/configure
/depcomp
/doc/*.1
/install-sh
/knock
/knock-*.tar.*
/knockd
/missing
/stamp-h1

16
CONTRIBUTERS Normal file

@@ -0,0 +1,16 @@
Many thanks to everybody who has helped to improve knockd in some way. This is
a fairly old project, and some contributer names have almost surely been lost
along the way. Thanks to the unsung heroes too.
- airwoflgh <paul.rogers@flumps.org>
- catbref <misc-github@talk2dom.com>
- Diego Elio Pettenò <flameeyes@flameeyes.eu>
- Dima Krasner <dima@dimakrasner.com>
- Jonathon Reinhart <jonathon.reinhart@gmail.com>
- Marius Hoch <hoo@online.de>
- Michael Weiss <dev.primeos@gmail.com>
- Oswald Buddenhagen <ossi@kde.org>
- Sébastien Valat <sebastien.valat@gmail.com>
- TDFKAOlli <TDFKAOlli@ish.de>
- Ximin Luo <infinity0@pwned.gg>
- vriera <Vincent.Riera@imgtec.com>
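Review bot: the new file is named CONTRIBUTERS and its opening paragraph says "contributer names"; both are misspellings of CONTRIBUTORS/contributor. Makefile.am's dist_doc_DATA (README.md TODO ChangeLog COPYING) does not list this file, so it will not reach the release tarball either way, which makes renaming it now cheap.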


@@ -2,7 +2,7 @@
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.


@@ -1,5 +1,49 @@
VERSION DESCRIPTION
-----------------------------------------------------------------------------
0.8 - Multiple fixes (#67, #77)
- IPv6 support (Sebastien Valat)
0.7.8 - Fix for Issue #33, #34 and #35 contributed by Alexander
Rumyanstev.
0.7.7 - Fix for Issue #7 & #17 contributed by Michael G<>hler.
All IPs assigned to a single interface are now listened on.
- Fix for compile warning on OSX where daemon() is deprecated.
- Fix for Issue #15 - list.c OpenBSD segfault: change malloc
to calloc.
0.7.6 - Fix for Issue #13 where similar sequences are not detected
correctly.
0.7.5 - Added Greg Kuchyt's knock_add script but updated to be a
generic IPTables helper that also deletes rules
0.7.4 - Patches from Michael G<>hler
- Updated gitignore to include additional autoconf files.
- Updated Makefile to fix deprecated warning on CPPFLAG
-D_BSD_SOURCE.
0.7.3 - Patches from Jonathon Reinhart
- Fixed PCAP filter for PSH flag detection.
- Patches from Christos Triantafyllidis
- Updated FSF address.
0.7.2 - Patches from Paul Rogers
- Applied missing fixes from issue #16 - OpenBSD build
issues, reordering of headers, scoping DLT_LINUX_SLL for
Linux only, for -> while loop in sniff() cleanup.
0.7.1 - Patches from Paul Rogers
- Fixed issue #2 - SIGHUP (reload) now listens for new
sequences in the config file.
- Fixed issue #26 - knockd now fails if a malformed config
file is read during SIGHUP (reload).
0.7 - Patches from Oswald Buddenhagen:
- Document the 'target' configuration directive.
- Merging OS-specific networking code to reduce LOCs and the
sea of #ifdefs.
- Added 50ms timeout to pcap_open_live() to reduce CPU usage
on network-heavy hosts. Pcap recommends we not use zero.
0.6 - Patches from Oswald Buddenhagen:
- Cleanup: Don't null-check before free
- Cleanup: Consolidate flag-check logic
- Accept single-knock sequences
- Introduce a 'target' configuration directive, enabling
knockd to react to connect attempts to a target host.
Useful in cases where knockd is on a router and you want
to send a target a wakeup packet.
0.5 - Added ability to change the knocking protocol (TCP/UDP) on a
per-port basis using the knock client (instead of the -u
switch)
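Review bot: the 0.7.7 and 0.7.4 entries render the contributor's name as "Michael G<>hler", which is how a mis-encoded non-ASCII character shows up; the file should be saved as UTF-8 so the name survives (the CONTRIBUTERS file in this same change carries "Diego Elio Pettenò" and "Sébastien Valat" intact, so the tooling handles it).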

23
Makefile.am Normal file

@@ -0,0 +1,23 @@
AM_CPPFLAGS=-D_DEFAULT_SOURCE
AM_CFLAGS=-g -Wall -pedantic -fno-exceptions -D_BSD_SOURCE
bin_PROGRAMS = knock
man_MANS = doc/knock.1
if BUILD_KNOCKD
sbin_PROGRAMS = knockd
dist_sbin_SCRIPTS = src/knock_helper_ipt.sh
man_MANS += doc/knockd.1
sysconf_DATA = knockd.conf
endif
dist_doc_DATA = README.md TODO ChangeLog COPYING
knock_SOURCES = src/knock.c
knockd_SOURCES = src/knockd.c src/list.c src/list.h src/knock_helper_ipt.sh
%.1: %.1.in
sed -e "s/#VERSION#/$(VERSION)/" $< > $@
EXTRA_DIST = doc/knock.1 doc/knock.1.in doc/knockd.1 doc/knockd.1.in knockd.conf
CLEANFILES = $(man_MANS)
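Review bot: AM_CFLAGS still passes -D_BSD_SOURCE although AM_CPPFLAGS already sets -D_DEFAULT_SOURCE and the ChangeLog's 0.7.4 entry says the deprecated define was removed; preprocessor defines belong in AM_CPPFLAGS in any case, and -fno-exceptions is a C++ option that does nothing for these C sources. Two smaller points: src/knock_helper_ipt.sh is listed in knockd_SOURCES even though it is already installed through dist_sbin_SCRIPTS, and `sysconf_DATA = knockd.conf` installs the example config with automake's default 0644 mode, which matters because that file holds the knock sequences and the root commands they trigger; the Debian side tightens it in d/rules (commit a626515f12, #902022), and upstream installs deserve the same.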

File diff suppressed because it is too large

53
README

@@ -1,53 +0,0 @@
knock :: A port-knocking implementation
=======================================
Copyright (c) 2004-2005, Judd Vinet <jvinet@zeroflux.org>
=========
ABOUT
=========
This is a port-knocking server/client. Port-knocking is a method where a
server can sniff one of its interfaces for a special "knock" sequence of
port-hits. When detected, it will run a specified event bound to that port
knock sequence. These port-hits need not be on open ports, since we use
libpcap to sniff the raw interface traffic.
===========
EXAMPLE
===========
The example below could be used to run a strict (DENY policy) firewall that
can only be accessed after a successful knock sequence.
1) Client sends four TCP SYN packets to Server, at the following ports:
38281, 29374, 4921, 54918
2) Server detects this and runs an iptables command to open port 22 to Client.
3) Client connects to Server via SSH and does whatever it needs to do.
4) Client sends four more TCP SYN packets to Server:
37281, 8529, 40127, 10100
5) Server detects this and runs another iptables to close port 22 to Client.
====================
KNOCKING CLIENTS
====================
The accompanying knock client is very basic. If you want to more advanced
knocks (eg, setting specific tcp flags) then you should take look at hping,
sendip or packit.
http://freshmeat.net/projects/hping/
http://freshmeat.net/projects/sendip/
http://freshmeat.net/projects/packit/
=========================
OTHER IMPLEMENTATIONS
=========================
Here are some other implementations of port-knocking:
http://sourceforge.net/projects/pasmal/
http://doorman.sourceforge.net/

56
README.md Normal file

@@ -0,0 +1,56 @@
## knock: A port-knocking implementation
Copyright (c) 2004, Judd Vinet <jvinet@zeroflux.org>
### ABOUT
This is a port-knocking server/client. Port-knocking is a method where a
server can sniff one of its interfaces for a special "knock" sequence of
port-hits. When detected, it will run a specified event bound to that port
knock sequence. These port-hits need not be on open ports, since we use
libpcap to sniff the raw interface traffic.
### BUILDING
To build knockd, make sure you have libpcap and the autoconf tools
installed. Then run the following:
$ autoreconf -fi
$ ./configure --prefix=/usr/local
$ make
$ sudo make install
### EXAMPLE
The example below could be used to run a strict (DENY policy) firewall that
can only be accessed after a successful knock sequence.
1. Client sends four TCP SYN packets to Server, at the following ports:
38281, 29374, 4921, 54918
2. Server detects this and runs an iptables command to open port 22 to
Client.
3. Client connects to Server via SSH and does whatever it needs to do.
4. Client sends four more TCP SYN packets to Server: 37281, 8529,
40127, 10100
5. Server detects this and runs another iptables command to close port
22 to Client.
### KNOCKING CLIENTS
The accompanying knock client is very basic. If you want to do more advanced
knocks (eg, setting specific tcp flags) then you should take look at more
powerful clients.
- [sendip](http://freshmeat.net/projects/sendip/)
### OTHER IMPLEMENTATIONS
Here are some other implementations of port-knocking:
- [pasmal](http://sourceforge.net/projects/pasmal/)
- [doorman](http://doorman.sourceforge.net/)
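Review bot: "you should take look at more powerful clients" in KNOCKING CLIENTS is missing "a" ("take a look"), and the copyright line was narrowed to "2004" while the removed README said "2004-2005" and debian/copyright in this same change says 2004-2021; the three should agree. The EXAMPLE section could also state plainly that the knock sequence is the only thing gating the iptables open command, so the ports it lists are illustrative and not meant to be deployed as-is.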

1132
aclocal.m4 vendored Normal file

File diff suppressed because it is too large

348
compile Executable file

@@ -0,0 +1,348 @@
#! /bin/sh
# Wrapper for compilers which do not understand '-c -o'.
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
nl='
'
# We need space, tab and new line, in precisely that order. Quoting is
# there to prevent tools from complaining about whitespace usage.
IFS=" "" $nl"
file_conv=
# func_file_conv build_file lazy
# Convert a $build file to $host form and store it in $file
# Currently only supports Windows hosts. If the determined conversion
# type is listed in (the comma separated) LAZY, no conversion will
# take place.
func_file_conv ()
{
file=$1
case $file in
/ | /[!/]*) # absolute file, and not a UNC file
if test -z "$file_conv"; then
# lazily determine how to convert abs files
case `uname -s` in
MINGW*)
file_conv=mingw
;;
CYGWIN* | MSYS*)
file_conv=cygwin
;;
*)
file_conv=wine
;;
esac
fi
case $file_conv/,$2, in
*,$file_conv,*)
;;
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
cygwin/* | msys/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
file=`winepath -w "$file" || echo "$file"`
;;
esac
;;
esac
}
# func_cl_dashL linkdir
# Make cl look for libraries in LINKDIR
func_cl_dashL ()
{
func_file_conv "$1"
if test -z "$lib_path"; then
lib_path=$file
else
lib_path="$lib_path;$file"
fi
linker_opts="$linker_opts -LIBPATH:$file"
}
# func_cl_dashl library
# Do a library search-path lookup for cl
func_cl_dashl ()
{
lib=$1
found=no
save_IFS=$IFS
IFS=';'
for dir in $lib_path $LIB
do
IFS=$save_IFS
if $shared && test -f "$dir/$lib.dll.lib"; then
found=yes
lib=$dir/$lib.dll.lib
break
fi
if test -f "$dir/$lib.lib"; then
found=yes
lib=$dir/$lib.lib
break
fi
if test -f "$dir/lib$lib.a"; then
found=yes
lib=$dir/lib$lib.a
break
fi
done
IFS=$save_IFS
if test "$found" != yes; then
lib=$lib.lib
fi
}
# func_cl_wrapper cl arg...
# Adjust compile command to suit cl
func_cl_wrapper ()
{
# Assume a capable shell
lib_path=
shared=:
linker_opts=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
eat=1
case $2 in
*.o | *.[oO][bB][jJ])
func_file_conv "$2"
set x "$@" -Fo"$file"
shift
;;
*)
func_file_conv "$2"
set x "$@" -Fe"$file"
shift
;;
esac
;;
-I)
eat=1
func_file_conv "$2" mingw
set x "$@" -I"$file"
shift
;;
-I*)
func_file_conv "${1#-I}" mingw
set x "$@" -I"$file"
shift
;;
-l)
eat=1
func_cl_dashl "$2"
set x "$@" "$lib"
shift
;;
-l*)
func_cl_dashl "${1#-l}"
set x "$@" "$lib"
shift
;;
-L)
eat=1
func_cl_dashL "$2"
;;
-L*)
func_cl_dashL "${1#-L}"
;;
-static)
shared=false
;;
-Wl,*)
arg=${1#-Wl,}
save_ifs="$IFS"; IFS=','
for flag in $arg; do
IFS="$save_ifs"
linker_opts="$linker_opts $flag"
done
IFS="$save_ifs"
;;
-Xlinker)
eat=1
linker_opts="$linker_opts $2"
;;
-*)
set x "$@" "$1"
shift
;;
*.cc | *.CC | *.cxx | *.CXX | *.[cC]++)
func_file_conv "$1"
set x "$@" -Tp"$file"
shift
;;
*.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO])
func_file_conv "$1" mingw
set x "$@" "$file"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -n "$linker_opts"; then
linker_opts="-link$linker_opts"
fi
exec "$@" $linker_opts
exit 1
}
eat=
case $1 in
'')
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand '-c -o'.
Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file 'INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "compile $scriptversion"
exit $?
;;
cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
func_cl_wrapper "$@" # Doesn't return...
;;
esac
ofile=
cfile=
for arg
do
if test -n "$eat"; then
eat=
else
case $1 in
-o)
# configure might choose to run compile as 'compile cc -o foo foo.c'.
# So we strip '-o arg' only if arg is an object.
eat=1
case $2 in
*.o | *.obj)
ofile=$2
;;
*)
set x "$@" -o "$2"
shift
;;
esac
;;
*.c)
cfile=$1
set x "$@" "$1"
shift
;;
*)
set x "$@" "$1"
shift
;;
esac
fi
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no '-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# '.c' file was seen then we are probably linking. That is also
# ok.
exec "$@"
fi
# Name of file we expect compiler to create.
cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
# Create the lock directory.
# Note: use '[/\\:.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
while true; do
if mkdir "$lockdir" >/dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir '$lockdir'; exit 1" 1 2 15
# Run the compile.
"$@"
ret=$?
if test -f "$cofile"; then
test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
elif test -f "${cofile}bj"; then
test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
fi
rmdir "$lockdir"
exit $ret
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:
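Review bot: compile, together with aclocal.m4, config.guess, config.sub and configure elsewhere in this change, is a generated autotools file that upstream's own .gitignore (first hunk above) excludes; they arrive here because the Debian branch imports the release tarball. With `Build-Depends: debhelper-compat (= 13)` in d/control, dh runs dh_autoreconf by default and regenerates these from configure.ac instead of executing the shipped copies, which is the behaviour you want for a build that should not trust pre-generated scripts; worth confirming in a build log rather than assuming.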

1321
config.guess vendored

File diff suppressed because it is too large


@@ -1,95 +1,43 @@
/* config.h.in. Generated from configure.ac by autoheader. */
/* Define to 1 if you have the <arpa/inet.h> header file. */
#undef HAVE_ARPA_INET_H
/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
#undef HAVE_DOPRNT
/* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK
/* Define to 1 if you have the `inet_ntoa' function. */
#undef HAVE_INET_NTOA
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
/* Define to 1 if you have the `pcap' library (-lpcap). */
#undef HAVE_LIBPCAP
/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
to 0 otherwise. */
#undef HAVE_MALLOC
/* Define to 1 if you have the `memmove' function. */
#undef HAVE_MEMMOVE
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the <netdb.h> header file. */
#undef HAVE_NETDB_H
/* Define to 1 if you have the <netinet/in.h> header file. */
#undef HAVE_NETINET_IN_H
/* Define to 1 if you have the <pcap.h> header file. */
#undef HAVE_PCAP_H
/* Define to 1 if you have the <minix/config.h> header file. */
#undef HAVE_MINIX_CONFIG_H
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdio.h> header file. */
#undef HAVE_STDIO_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define to 1 if you have the `strcasecmp' function. */
#undef HAVE_STRCASECMP
/* Define to 1 if you have the `strdup' function. */
#undef HAVE_STRDUP
/* Define to 1 if you have the <strings.h> header file. */
#undef HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define to 1 if you have the `strstr' function. */
#undef HAVE_STRSTR
/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define to 1 if you have the <sys/socket.h> header file. */
#undef HAVE_SYS_SOCKET_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
#undef HAVE_SYS_WAIT_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define to 1 if you have the `vfork' function. */
#undef HAVE_VFORK
/* Define to 1 if you have the <wchar.h> header file. */
#undef HAVE_WCHAR_H
/* Define to 1 if you have the <vfork.h> header file. */
#undef HAVE_VFORK_H
/* Define to 1 if you have the `vprintf' function. */
#undef HAVE_VPRINTF
/* Define to 1 if `fork' works. */
#undef HAVE_WORKING_FORK
/* Define to 1 if `vfork' works. */
#undef HAVE_WORKING_VFORK
/* Name of package */
#undef PACKAGE
/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT
@@ -103,29 +51,104 @@
/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME
/* Define to the home page for this package. */
#undef PACKAGE_URL
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
/* Define to 1 if you have the ANSI C header files. */
/* Define to 1 if all of the C90 standard headers exist (not just the ones
required in a freestanding environment). This macro is provided for
backward compatibility; new code need not use it. */
#undef STDC_HEADERS
/* Define to 1 if your <sys/time.h> declares `struct tm'. */
#undef TM_IN_SYS_TIME
/* Enable extensions on AIX 3, Interix. */
#ifndef _ALL_SOURCE
# undef _ALL_SOURCE
#endif
/* Enable general extensions on macOS. */
#ifndef _DARWIN_C_SOURCE
# undef _DARWIN_C_SOURCE
#endif
/* Enable general extensions on Solaris. */
#ifndef __EXTENSIONS__
# undef __EXTENSIONS__
#endif
/* Enable GNU extensions on systems that have them. */
#ifndef _GNU_SOURCE
# undef _GNU_SOURCE
#endif
/* Enable X/Open compliant socket functions that do not require linking
with -lxnet on HP-UX 11.11. */
#ifndef _HPUX_ALT_XOPEN_SOCKET_API
# undef _HPUX_ALT_XOPEN_SOCKET_API
#endif
/* Identify the host operating system as Minix.
This macro does not affect the system headers' behavior.
A future release of Autoconf may stop defining this macro. */
#ifndef _MINIX
# undef _MINIX
#endif
/* Enable general extensions on NetBSD.
Enable NetBSD compatibility extensions on Minix. */
#ifndef _NETBSD_SOURCE
# undef _NETBSD_SOURCE
#endif
/* Enable OpenBSD compatibility extensions on NetBSD.
Oddly enough, this does nothing on OpenBSD. */
#ifndef _OPENBSD_SOURCE
# undef _OPENBSD_SOURCE
#endif
/* Define to 1 if needed for POSIX-compatible behavior. */
#ifndef _POSIX_SOURCE
# undef _POSIX_SOURCE
#endif
/* Define to 2 if needed for POSIX-compatible behavior. */
#ifndef _POSIX_1_SOURCE
# undef _POSIX_1_SOURCE
#endif
/* Enable POSIX-compatible threading on Solaris. */
#ifndef _POSIX_PTHREAD_SEMANTICS
# undef _POSIX_PTHREAD_SEMANTICS
#endif
/* Enable extensions specified by ISO/IEC TS 18661-5:2014. */
#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
# undef __STDC_WANT_IEC_60559_ATTRIBS_EXT__
#endif
/* Enable extensions specified by ISO/IEC TS 18661-1:2014. */
#ifndef __STDC_WANT_IEC_60559_BFP_EXT__
# undef __STDC_WANT_IEC_60559_BFP_EXT__
#endif
/* Enable extensions specified by ISO/IEC TS 18661-2:2015. */
#ifndef __STDC_WANT_IEC_60559_DFP_EXT__
# undef __STDC_WANT_IEC_60559_DFP_EXT__
#endif
/* Enable extensions specified by ISO/IEC TS 18661-4:2015. */
#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__
# undef __STDC_WANT_IEC_60559_FUNCS_EXT__
#endif
/* Enable extensions specified by ISO/IEC TS 18661-3:2015. */
#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__
# undef __STDC_WANT_IEC_60559_TYPES_EXT__
#endif
/* Enable extensions specified by ISO/IEC TR 24731-2:2010. */
#ifndef __STDC_WANT_LIB_EXT2__
# undef __STDC_WANT_LIB_EXT2__
#endif
/* Enable extensions specified by ISO/IEC 24747:2009. */
#ifndef __STDC_WANT_MATH_SPEC_FUNCS__
# undef __STDC_WANT_MATH_SPEC_FUNCS__
#endif
/* Enable extensions on HP NonStop. */
#ifndef _TANDEM_SOURCE
# undef _TANDEM_SOURCE
#endif
/* Enable X/Open extensions. Define to 500 only if necessary
to make mbstate_t available. */
#ifndef _XOPEN_SOURCE
# undef _XOPEN_SOURCE
#endif
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
/* Define to rpl_malloc if the replacement function should be used. */
#undef malloc
/* Define to `int' if <sys/types.h> does not define. */
#undef pid_t
/* Define to `unsigned' if <sys/types.h> does not define. */
#undef size_t
/* Define as `fork' if `vfork' does not work. */
#undef vfork
/* Version number of package */
#undef VERSION

1443
config.sub vendored

File diff suppressed because it is too large

9752
configure vendored

File diff suppressed because it is too large

22
configure.ac Normal file

@@ -0,0 +1,22 @@
AC_PREREQ(2.60)
AC_INIT([knock], [0.8], [https://github.com/jvinet/knock/issues])
AM_INIT_AUTOMAKE([dist-xz no-dist-gzip foreign subdir-objects])
AC_CONFIG_HEADER([config.h])
AC_PROG_CC
AC_USE_SYSTEM_EXTENSIONS
AC_ARG_ENABLE([knockd],
[AS_HELP_STRING([--disable-knockd], [Disable building knockd (requires libpcap) @<:@default=enabled@:>@])])
AS_IF([test "x$enable_knockd" != "xno"], [
AC_CHECK_LIB([pcap], [pcap_dispatch], ,
[AC_MSG_ERROR([you need the libpcap library to build knockd])])
])
AM_CONDITIONAL([BUILD_KNOCKD], [test "x$enable_knockd" != "xno"])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
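Review bot: AC_CONFIG_HEADER is the obsolete spelling (autoconf 2.70 warns about it; AC_CONFIG_HEADERS is the current macro), and the AC_PREREQ argument should be quoted as [2.60] like the other macro arguments in the file. The AC_CHECK_LIB call passes an empty action-if-found, so the default of appending -lpcap to LIBS and defining HAVE_LIBPCAP applies; that is fine, just make sure the error branch is what users hit when only the runtime library and not the -dev headers are installed.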

62
debian/changelog vendored

@@ -1,8 +1,61 @@
knockd (0.8-2) unstable; urgency=medium
* [688ef43f] systemd: downgrade ProtectSystem to "true" from "full"
(Closes: #927883)
-- Leo Antunes <costela@debian.org> Tue, 02 Nov 2021 23:40:19 +0100
knockd (0.8-1) unstable; urgency=medium
[ Ondřej Nový ]
* d/changelog: Remove trailing whitespaces
* d/control: Remove trailing whitespaces
* d/control: Fix wrong Vcs-*
[ Leo Antunes ]
* [ab774823] debian: update VCS fields
* [6cf96b87] debian: bump to up-to-date formats overall
* [74aada02] New upstream version 0.8
* [75a1e52e] debian: add gbp.conf
* [15d6b105] drop reap_child_procs.patch (merged upstream)
* [3ef12dba] update patches for improved DEP3
* [e87735fc] d.knockd.service: ensure service is enabled (Closes: #868015)
* [07da25fb] d/upstream/metadata: add
* [bfe2e959] d/rules: remove old dh options
* [3009b440] d/control: remove unnecessary deps
* [a626515f] d/rules: fix permissions for /etc/knockd.conf (Closes: #902022)
* [614debf1] d/control: use HTTPS for Vcs-Git URL
* [ca7bf832] d/knockd.service: only start when online
* [7495e2b1] d/patches: fix manpage to match debian config
* [e09f46d2] d/copyright: add missing license block
* [e10d4e01] d/control: switch from d/compat to debhelper-compat dep
-- Leo Antunes <costela@debian.org> Tue, 19 Oct 2021 12:10:26 +0200
knockd (0.7-1) unstable; urgency=medium
* [b2567e28] New upstream version 0.7 (closes: #761853)
- adds timeout to pcap_open_live (closes: #816388, #308078)
* [48f78ca5] bump policy to 3.9.8 (no changes)
* [0b63eacb] update homepage url
* [86381cd5] migrate to dh short notation
* [4a38db8d] drop patches/include_limits_h: fixed upstream
* [42ec7481] drop patches/manpage_cmd_timeout: fixed upstream
* [733d82a7] switch to source/format 3.0 (quilt)
* [bfc99c1f] add systemd support (closes: #729663)
* [197eb24d] init: add dependency on $remote_fs
* [848daeab] add hardening flags
* [5c686b87] remove knock client docs from installation
* [805dec71] debian/control: add VCS URL
* [14a9bb3f] add watch file
-- Leo Antunes <costela@debian.org> Sat, 08 Oct 2016 16:05:00 +0200
knockd (0.5-3) unstable; urgency=low
* debian/patches/include_limits_h.patch: add explicit include for
* debian/patches/include_limits_h.patch: add explicit include for
limits.h (closes: #518882)
* debian/control:
* debian/control:
- bump policy to 3.8.0 (no changes)
- bump debhelper build-dep to 7
* debian/compat: bump to 7
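Review bot: the 0.8-2 entry records ProtectSystem being relaxed from "full" to "true" so knockd can drive ufw, but not what that costs: with "true" only /usr and the boot directories stay read-only, so /etc is writable again for every command knockd runs as root from its config, not just for ufw. A ReadWritePaths= entry covering only what ufw writes (e.g. /etc/ufw) would keep the rest of /etc protected; at minimum the changelog should name the trade-off. Separately, several short hashes here do not match this history: the 0.8-1 entry cites [e10d4e01] for the debhelper-compat switch, which is 9ae659c94d in the commit list above, and the 0.7-1 hashes ([86381cd5], [4a38db8d], [42ec7481] and so on) correspond to none of the 2016 commits listed (the dh short-notation change is b966c89c1e there).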
@@ -28,7 +81,7 @@ knockd (0.5-2) unstable; urgency=low
* debian/init:
- include LSB session
- overhaul and 'LSB-zation'
- fail to start gracefully, enabling upgrades in case of failure
- fail to start gracefully, enabling upgrades in case of failure
(closes: #399662)
-- Leo Costela <costela@debian.org> Sun, 09 Dec 2007 01:54:11 +0100
@@ -107,10 +160,9 @@ knockd (0.2-1) unstable; urgency=low
* Patch incorporated into upstream
-- Leo Costela <costela@debian.org> Thu, 15 Apr 2004 22:52:05 -0300
knockd (0.1-1) unstable; urgency=low
* First Debian package
-- Leo Costela <costela@debian.org> Wed, 14 Apr 2004 22:52:05 -0300

1
debian/compat vendored

@@ -1 +0,0 @@
7

16
debian/control vendored

@@ -1,18 +1,20 @@
Source: knockd
Section: net
Priority: optional
Maintainer: Leo Costela <costela@debian.org>
Build-Depends: debhelper (>= 7), cdbs (>= 0.4.10), autotools-dev, libpcap0.8-dev
Standards-Version: 3.8.0
Homepage: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
Maintainer: Leo Antunes <costela@debian.org>
Build-Depends: debhelper-compat (= 13), libpcap0.8-dev
Standards-Version: 4.6.0.1
Homepage: http://www.zeroflux.org/projects/knock
Vcs-Git: https://salsa.debian.org/debian/knockd.git
Vcs-Browser: https://salsa.debian.org/debian/knockd
Package: knockd
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, logrotate
Depends: ${shlibs:Depends}, ${misc:Depends}, logrotate, lsb-base (>= 11.0.0)
Description: small port-knock daemon
A port-knock server that listens to all traffic on a given network
interface (only Ethernet and PPP are currently supported), looking for
a special "knock" sequences of port-hits. A remote system
interface (only Ethernet and PPP are currently supported), looking for
a special "knock" sequences of port-hits. A remote system
makes these port-hits by sending a TCP (or UDP) packet to a port on the
server. When the server detects a specific sequence of port-hits, it
runs a command defined in its configuration file. This can be used to
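Review bot: Homepage is left at http://www.zeroflux.org/projects/knock while the same change moves Vcs-Git to HTTPS and debian/copyright and configure.ac now point at https://github.com/jvinet/knock; switch it to HTTPS or to the GitHub page so all the metadata agrees. The retouched Description lines also keep "a special "knock" sequences of port-hits" (singular article, plural noun); since those lines are rewritten for whitespace anyway, fix the grammar in the same pass.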

36
debian/copyright vendored

@@ -1,10 +1,32 @@
This package was originally debianized by Leo Costela <costela@debian.org> on Wed, 14 Apr 2004 22:52:04 +0300.
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: knock
Upstream-Contact: Judd Vinet <jvinet@zeroflux.org>
Source: https://github.com/jvinet/knock
Files-Excluded:
.git
Original source has been downloaded from
http://www.zeroflux.org/knock/
Files: *
Copyright: 2004-2021 Judd Vinet <jvinet@zeroflux.org>
License: GPL-2
Copyright:
Copyright (C) 2004 Judd Vinet <jvinet@zeroflux.org>
Files: debian/*
Copyright: 2004-2021 Leo Antunes <costela@debian.org>
License: GPL-2
A copy of the GNU General Public License, version 2, can be found in
/usr/share/common-licenses/GPL-2.
License: GPL-2
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
.
On Debian systems, the complete text of the Apache version 2.0 license
can be found in "/usr/share/common-licenses/Apache-2.0".
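Review bot: the new `License: GPL-2` stanza ends by pointing readers to the Apache 2.0 text in "/usr/share/common-licenses/Apache-2.0"; nothing in this package is Apache-licensed, and the paragraph this replaces correctly referenced /usr/share/common-licenses/GPL-2. Restore that path, otherwise the machine-readable copyright file contradicts itself.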

7
debian/default vendored

@@ -1,13 +1,6 @@
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=0

debian/docs vendored

@@ -1 +0,0 @@
README

debian/gbp.conf vendored Normal file

@@ -0,0 +1,4 @@
[DEFAULT]
debian-branch = master
dist = DEP14
pristine-tar = True

debian/init vendored

@@ -1,71 +0,0 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: knockd
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: port-knock daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/knockd
NAME=knockd
PIDFILE=/var/run/$NAME.pid
DEFAULTS_FILE=/etc/default/knockd
DESC="Port-knock daemon"
OPTIONS=" -d"
umask 0037
test -f $DAEMON || exit 0
set -e
[ -f $DEFAULTS_FILE ] && . $DEFAULTS_FILE
. /lib/lsb/init-functions
[ "$KNOCKD_OPTS" ] && OPTIONS="$OPTIONS $KNOCKD_OPTS"
start_if_configured() {
if [ $START_KNOCKD -ne 1 ]; then
log_warning_msg "$NAME disabled: not starting. To enable it edit $DEFAULTS_FILE"
exit 0
else
log_daemon_msg "Starting $DESC" "$NAME"
if ! START_ERROR=`start-stop-daemon --start --oknodo --quiet --exec $DAEMON -- $OPTIONS 2>&1`; then
# don't fail the upgrade if it fails to start
echo -n " "
log_action_end_msg 1 "$START_ERROR"
exit 0
else
log_end_msg 0
fi
fi
}
case "$1" in
start)
start_if_configured
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
log_end_msg 0
;;
restart|reload|force-reload)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
log_end_msg 0
sleep 1
start_if_configured
;;
*)
log_warning_msg "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
exit 1
;;
esac
exit 0

debian/knockd.init vendored Normal file

@@ -0,0 +1,71 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: knockd
# Required-Start: $network $syslog $remote_fs
# Required-Stop: $network $syslog $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: port-knock daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/knockd
NAME=knockd
PIDFILE=/var/run/$NAME.pid
DEFAULTS_FILE=/etc/default/knockd
DESC="Port-knock daemon"
OPTIONS=" -d"
umask 0037
test -f $DAEMON || exit 0
set -e
[ -f $DEFAULTS_FILE ] && . $DEFAULTS_FILE
. /lib/lsb/init-functions
[ "$KNOCKD_OPTS" ] && OPTIONS="$OPTIONS $KNOCKD_OPTS"
start_if_configured() {
if [ $START_KNOCKD -ne 1 ]; then
log_warning_msg "$NAME disabled: not starting. To enable it edit $DEFAULTS_FILE"
exit 0
else
log_daemon_msg "Starting $DESC" "$NAME"
if ! START_ERROR=`start-stop-daemon --start --oknodo --quiet --exec $DAEMON -- $OPTIONS 2>&1`; then
# don't fail the upgrade if it fails to start
echo -n " "
log_action_end_msg 1 "$START_ERROR"
exit 0
else
log_end_msg 0
fi
fi
}
case "$1" in
start)
start_if_configured
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
log_end_msg 0
;;
restart|reload|force-reload)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --oknodo --quiet --exec $DAEMON
log_end_msg 0
sleep 1
start_if_configured
;;
*)
log_warning_msg "Usage: $0 {start|stop|restart|reload|force-reload}" >&2
exit 1
;;
esac
exit 0
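Review bot: in start_if_configured the gate `if [ $START_KNOCKD -ne 1 ]` uses the variable unquoted and without a default, so if /etc/default/knockd is missing (the `[ -f $DEFAULTS_FILE ] && . $DEFAULTS_FILE` line silently skips it) the test becomes `[ -ne 1 ]`, which fails with "unary operator expected"; because an if-condition is exempt from `set -e`, that failure takes the else branch and starts the daemon, the opposite of the fail-closed default the "PLEASE EDIT /etc/knockd.conf BEFORE ENABLING" comment intends. `[ "${START_KNOCKD:-0}" -ne 1 ]` keeps it disabled in that case. Apart from `$remote_fs` in Required-Start/Required-Stop this file is identical to the deleted debian/init, so a git rename would make the actual change reviewable.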

debian/knockd.service vendored Normal file

@@ -0,0 +1,17 @@
[Unit]
Description=Port-Knock Daemon
After=network-online.target
Wants=network-online.target
Documentation=man:knockd(1)
[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
ProtectSystem=true
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_MODULE
[Install]
WantedBy=multi-user.target
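Review bot: CapabilityBoundingSet= keeps CAP_SYS_MODULE, which lets knockd and every command= it spawns from knockd.conf load arbitrary kernel modules; if it is only there so the iptables commands can autoload netfilter modules, a comment saying so would help, and loading those modules up front would allow the capability to be dropped. ProtectSystem=true (only /usr and the boot loader read-only) is also the unit's only filesystem confinement: if it was lowered from full so that ufw can write under /etc, ReadWritePaths= on the directories ufw needs would keep the rest of /etc read-only, and ProtectHome= and NoNewPrivileges= cost nothing for a root daemon whose job is to fork iptables.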


@@ -0,0 +1,28 @@
From: Leo Antunes <costela@debian.org>
Date: Mon, 18 Oct 2021 23:57:32 +0200
Subject: fix manpage to match debian config
---
doc/knockd.1.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/knockd.1.in b/doc/knockd.1.in
index b69ca06..28d43ec 100644
--- a/doc/knockd.1.in
+++ b/doc/knockd.1.in
@@ -63,13 +63,13 @@ firewall and would like to access it discreetly.
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
- command = /usr/sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
+ command = /sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
- command = /usr/sbin/iptables \-D INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
+ command = /sbin/iptables \-D INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
.fi
.RE
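Review bot: both rewritten command lines still pass `\-\-dport 22` without `\-p tcp`, and iptables rejects `--dport` unless a protocol match is loaded ("unknown option --dport"), so the manpage example fails if copied verbatim; since this patch already touches both lines, adding `\-p tcp` would bring them in line with the form the package's own default_config.patch uses (`-p tcp --dport 22`). The /usr/sbin to /sbin change itself is harmless on Debian, where both paths resolve on merged-/usr systems.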


@@ -1,6 +1,16 @@
--- knockd-0.5/knockd.conf 2004-05-07 00:56:03.000000000 +0200
+++ knockd-0.5.new/knockd.conf 2007-12-09 20:50:39.000000000 +0100
@@ -1,15 +1,15 @@
From: Leo Antunes <costela@debian.org>
Date: Mon, 18 Oct 2021 23:17:54 +0200
Subject: Adapt default config for debian
---
knockd.conf | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/knockd.conf b/knockd.conf
index 7770027..13d4347 100644
--- a/knockd.conf
+++ b/knockd.conf
@@ -1,16 +1,16 @@
[options]
- logfile = /var/log/knockd.log
+ UseSyslog
@@ -19,3 +29,4 @@
+ command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]


@@ -1,11 +0,0 @@
diff -urN knockd-0.5/src/knockd.c knockd-0.5.new/src/knockd.c
--- knockd-0.5/src/knockd.c 2005-06-27 07:11:34.000000000 +0200
+++ knockd-0.5.new/src/knockd.c 2009-03-10 00:24:25.000000000 +0100
@@ -26,6 +26,7 @@
#include <signal.h>
#include <time.h>
#include <ctype.h>
+#include <limits.h>
#include <string.h>
#include <fcntl.h>
#include <netinet/in.h>


@@ -1,14 +0,0 @@
diff -uwr doc.orig/knockd.1.in doc/knockd.1.in
--- doc.orig/knockd.1.in 2007-04-12 11:32:05.000000000 +0200
+++ doc/knockd.1.in 2007-04-12 11:33:02.000000000 +0200
@@ -179,8 +179,8 @@
\fBStart_Command\fP.
.TP
.B "Cmd_Timeout = <timeout>"
-Time to wait between \fBStart_Command\fP and \fBStop_Command\fP. This
-directive is optional, only required if \fBStop_Command\fP is used.
+Time to wait between \fBStart_Command\fP and \fBStop_Command\fP in seconds.
+This directive is optional, only required if \fBStop_Command\fP is used.
.TP
.B "Stop_Command = <command>"
Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed


@@ -1,14 +0,0 @@
--- knockd-0.5/src/knockd.c 2005-06-27 07:11:34.000000000 +0200
+++ knockd-0.5-new/src/knockd.c 2006-11-07 21:07:46.000000000 +0100
@@ -352,8 +352,9 @@
void child_exit(int signum)
{
- /* child wants to exit, let em die */
- wait(NULL);
+ int status;
+
+ while ( waitpid( (pid_t)-1, &status, WNOHANG ) > 0 ) continue;
return;
}

debian/patches/series vendored Normal file

@@ -0,0 +1,3 @@
default_config.patch
syslog_facility_daemon.patch
0003-fix-manpage-to-match-debian-config.patch


@@ -1,7 +1,17 @@
diff -urN --exclude=debian knockd-0.5/src/knockd.c knockd-0.5.new/src/knockd.c
--- knockd-0.5/src/knockd.c 2005-06-27 07:11:34.000000000 +0200
+++ knockd-0.5.new/src/knockd.c 2007-12-09 20:06:15.000000000 +0100
@@ -183,7 +183,7 @@
From: Leo Antunes <costela@debian.org>
Date: Mon, 18 Oct 2021 23:17:54 +0200
Subject: change syslog facility to daemon
this is currently hardcoded
---
src/knockd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/knockd.c b/src/knockd.c
index e607b6c..bd991c8 100644
--- a/src/knockd.c
+++ b/src/knockd.c
@@ -229,7 +229,7 @@ int main(int argc, char **argv)
strncpy(o_int, "eth0", sizeof(o_int)); /* no explicit termination needed */
}
if(o_usesyslog) {

debian/rules vendored

@@ -1,11 +1,23 @@
#!/usr/bin/make -f
# export DH_VERBOSE=1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed,--no-undefined,--no-add-needed
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/rules/simple-patchsys.mk
include /usr/share/cdbs/1/class/autotools.mk
%:
dh $@
binary-predeb/knockd::
chmod 640 $(CURDIR)/debian/knockd/etc/knockd.conf
override_dh_install:
dh_install
# original installation has duplicate docs for knock and knockd
rm -rf debian/knockd/usr/share/doc/knock
# be more restrictive
chmod 0600 debian/knockd/etc/knockd.conf
# the standard config is unsafe
override_dh_installsystemd:
dh_installsystemd --no-enable --no-start
override_dh_installinit:
dh_installinit --no-start

debian/source/format vendored Normal file

@@ -0,0 +1 @@
3.0 (quilt)

debian/upstream/metadata vendored Normal file

@@ -0,0 +1,5 @@
---
Bug-Database: https://github.com/jvinet/knock/issues
Bug-Submit: https://github.com/jvinet/knock/issues/new
Repository: https://github.com/jvinet/knock.git
Repository-Browse: https://github.com/jvinet/knock

debian/watch vendored Normal file

@@ -0,0 +1,3 @@
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/knock-$1\.tar\.gz/ \
https://github.com/jvinet/knock/tags .*/v?(\d\S+)\.tar\.gz
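Review bot: the watch file fetches GitHub tag tarballs with no signature verification (no pgpmode= or pgpsigurlmangle= option, and no debian/upstream/signing-key.asc next to the new debian/upstream/metadata), so uscan accepts whatever GitHub serves for the tag; if upstream publishes signed releases, add the key and the pgp options, and if it does not, recording in the packaging that the tarball is unverified is the honest alternative.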

depcomp Executable file

@@ -0,0 +1,791 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1999-2020 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
case $1 in
'')
echo "$0: No command. Try '$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by 'PROGRAMS ARGS'.
object Object file output by 'PROGRAMS ARGS'.
DEPDIR directory where to store dependencies.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputting dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
EOF
exit $?
;;
-v | --v*)
echo "depcomp $scriptversion"
exit $?
;;
esac
# Get the directory component of the given path, and save it in the
# global variables '$dir'. Note that this directory component will
# be either empty or ending with a '/' character. This is deliberate.
set_dir_from ()
{
case $1 in
*/*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;;
*) dir=;;
esac
}
# Get the suffix-stripped basename of the given path, and save it the
# global variable '$base'.
set_base_from ()
{
base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'`
}
# If no dependency file was actually created by the compiler invocation,
# we still have to create a dummy depfile, to avoid errors with the
# Makefile "include basename.Plo" scheme.
make_dummy_depfile ()
{
echo "#dummy" > "$depfile"
}
# Factor out some common post-processing of the generated depfile.
# Requires the auxiliary global variable '$tmpdepfile' to be set.
aix_post_process_depfile ()
{
# If the compiler actually managed to produce a dependency file,
# post-process it.
if test -f "$tmpdepfile"; then
# Each line is of the form 'foo.o: dependency.h'.
# Do two passes, one to just change these to
# $object: dependency.h
# and one to simply output
# dependency.h:
# which is needed to avoid the deleted-header problem.
{ sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile"
sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile"
} > "$depfile"
rm -f "$tmpdepfile"
else
make_dummy_depfile
fi
}
# A tabulation character.
tab=' '
# A newline character.
nl='
'
# Character ranges might be problematic outside the C locale.
# These definitions help.
upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
lower=abcdefghijklmnopqrstuvwxyz
digits=0123456789
alpha=${upper}${lower}
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi
# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
depfile=${depfile-`echo "$object" |
sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Avoid interferences from the environment.
gccflag= dashmflag=
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
cygpath_u="cygpath -u -f -"
if test "$depmode" = msvcmsys; then
# This is just like msvisualcpp but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvisualcpp
fi
if test "$depmode" = msvc7msys; then
# This is just like msvc7 but w/o cygpath translation.
# Just convert the backslash-escaped backslashes to single forward
# slashes to satisfy depend.m4
cygpath_u='sed s,\\\\,/,g'
depmode=msvc7
fi
if test "$depmode" = xlc; then
# IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
## Unfortunately, FreeBSD c89 acceptance of flags depends upon
## the command line argument order; so add the flags where they
## appear in depend2.am. Note that the slowdown incurred here
## affects only configure: in makefiles, %FASTDEP% shortcuts this.
for arg
do
case $arg in
-c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;;
*) set fnord "$@" "$arg" ;;
esac
shift # fnord
shift # $arg
done
"$@"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;
gcc)
## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say). Also, it might not be
## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The second -e expression handles DOS-style file names with drive
# letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the "deleted header file" problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
## Some versions of gcc put a space before the ':'. On the theory
## that the space means something, we add a space to the output as
## well. hp depmode also adds that space, but also prefixes the VPATH
## to the object. Take care to not repeat it in the output.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like '#:fec' to the end of the
# dependency line.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \
| tr "$nl" ' ' >> "$depfile"
echo >> "$depfile"
# The second pass generates a dummy entry for each header file.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> "$depfile"
else
make_dummy_depfile
fi
rm -f "$tmpdepfile"
;;
xlc)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts '$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.u
tmpdepfile2=$base.u
tmpdepfile3=$dir.libs/$base.u
"$@" -Wc,-M
else
tmpdepfile1=$dir$base.u
tmpdepfile2=$dir$base.u
tmpdepfile3=$dir$base.u
"$@" -M
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
aix_post_process_depfile
;;
tcc)
# tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26
# FIXME: That version still under development at the moment of writing.
# Make that this statement remains true also for stable, released
# versions.
# It will wrap lines (doesn't matter whether long or short) with a
# trailing '\', as in:
#
# foo.o : \
# foo.c \
# foo.h \
#
# It will put a trailing '\' even on the last line, and will use leading
# spaces rather than leading tabs (at least since its commit 0394caf7
# "Emit spaces for -MD").
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each non-empty line is of the form 'foo.o : \' or ' dep.h \'.
# We have to change lines of the first kind to '$object: \'.
sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile"
# And for each line of the second kind, we have to emit a 'dep.h:'
# dummy dependency, to avoid the deleted-header problem.
sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile"
rm -f "$tmpdepfile"
;;
## The order of this option in the case statement is important, since the
## shell code in configure will try each of these formats in the order
## listed in this file. A plain '-MD' option would be understood by many
## compilers, so we must ensure this comes after the gcc and icc options.
pgcc)
# Portland's C compiler understands '-MD'.
# Will always output deps to 'file.d' where file is the root name of the
# source file under compilation, even if file resides in a subdirectory.
# The object file name does not affect the name of the '.d' file.
# pgcc 10.2 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using '\' :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
set_dir_from "$object"
# Use the source, not the object, to determine the base name, since
# that's sadly what pgcc will do too.
set_base_from "$source"
tmpdepfile=$base.d
# For projects that build the same source file twice into different object
# files, the pgcc approach of using the *source* file root name can cause
# problems in parallel builds. Use a locking strategy to avoid stomping on
# the same $tmpdepfile.
lockdir=$base.d-lock
trap "
echo '$0: caught signal, cleaning up...' >&2
rmdir '$lockdir'
exit 1
" 1 2 13 15
numtries=100
i=$numtries
while test $i -gt 0; do
# mkdir is a portable test-and-set.
if mkdir "$lockdir" 2>/dev/null; then
# This process acquired the lock.
"$@" -MD
stat=$?
# Release the lock.
rmdir "$lockdir"
break
else
# If the lock is being held by a different process, wait
# until the winning process is done or we timeout.
while test -d "$lockdir" && test $i -gt 0; do
sleep 1
i=`expr $i - 1`
done
fi
i=`expr $i - 1`
done
trap - 1 2 13 15
if test $i -le 0; then
echo "$0: failed to acquire lock after $numtries attempts" >&2
echo "$0: check lockdir '$lockdir'" >&2
exit 1
fi
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each line is of the form `foo.o: dependent.h',
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp2)
# The "hp" stanza above does not work with aCC (C++) and HP's ia64
# compilers, which have integrated preprocessors. The correct option
# to use with these is +Maked; it writes dependencies to a file named
# 'foo.d', which lands next to the object file, wherever that
# happens to be.
# Much of this is similar to the tru64 case; see comments there.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir.libs/$base.d
"$@" -Wc,+Maked
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
"$@" +Maked
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2"
do
test -f "$tmpdepfile" && break
done
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile"
# Add 'dependent.h:' lines.
sed -ne '2,${
s/^ *//
s/ \\*$//
s/$/:/
p
}' "$tmpdepfile" >> "$depfile"
else
make_dummy_depfile
fi
rm -f "$tmpdepfile" "$tmpdepfile2"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in 'foo.d' instead, so we check for that too.
# Subdirectories are respected.
set_dir_from "$object"
set_base_from "$object"
if test "$libtool" = yes; then
# Libtool generates 2 separate objects for the 2 libraries. These
# two compilations output dependencies in $dir.libs/$base.o.d and
# in $dir$base.o.d. We have to check for both files, because
# one of the two compilations can be disabled. We should prefer
# $dir$base.o.d over $dir.libs/$base.o.d because the latter is
# automatically cleaned when .libs/ is deleted, while ignoring
# the former would cause a distcleancheck panic.
tmpdepfile1=$dir$base.o.d # libtool 1.5
tmpdepfile2=$dir.libs/$base.o.d # Likewise.
tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504
"$@" -Wc,-MD
else
tmpdepfile1=$dir$base.d
tmpdepfile2=$dir$base.d
tmpdepfile3=$dir$base.d
"$@" -MD
fi
stat=$?
if test $stat -ne 0; then
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
do
test -f "$tmpdepfile" && break
done
# Same post-processing that is required for AIX mode.
aix_post_process_depfile
;;
msvc7)
if test "$libtool" = yes; then
showIncludes=-Wc,-showIncludes
else
showIncludes=-showIncludes
fi
"$@" $showIncludes > "$tmpdepfile"
stat=$?
grep -v '^Note: including file: ' "$tmpdepfile"
if test $stat -ne 0; then
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
# The first sed program below extracts the file names and escapes
# backslashes for cygpath. The second sed program outputs the file
# name when reading, but also accumulates all include files in the
# hold buffer in order to output them again at the end. This only
# works with sed implementations that can handle large buffers.
sed < "$tmpdepfile" -n '
/^Note: including file: *\(.*\)/ {
s//\1/
s/\\/\\\\/g
p
}' | $cygpath_u | sort -u | sed -n '
s/ /\\ /g
s/\(.*\)/'"$tab"'\1 \\/p
s/.\(.*\) \\/\1:/
H
$ {
s/.*/'"$tab"'/
G
p
}' >> "$depfile"
echo >> "$depfile" # make sure the fragment doesn't end with a backslash
rm -f "$tmpdepfile"
;;
msvc7msys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
dashmstdout)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove '-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for ':'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise.
"$@" $dashmflag |
sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this sed invocation
# correctly. Breaking it into two sed invocations is a workaround.
tr ' ' "$nl" < "$tmpdepfile" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
dashXmstdout)
# This case only exists to satisfy depend.m4. It is never actually
# run, as this mode is specially recognized in the preamble.
exit 1
;;
makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no eat=no
for arg
do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
if test $eat = yes; then
eat=no
continue
fi
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-arch)
eat=yes ;;
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix=`echo "$object" | sed 's/^.*\././'`
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
# makedepend may prepend the VPATH from the source file name to the object.
# No need to regex-escape $object, excess matching of '.' is harmless.
sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process the last invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed '1,2d' "$tmpdepfile" \
| tr ' ' "$nl" \
| sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \
| sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
cpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
# Remove '-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
"$@" -E \
| sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
-e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
| sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test "X$1" != 'X--mode=compile'; do
shift
done
shift
fi
IFS=" "
for arg
do
case "$arg" in
-o)
shift
;;
$object)
shift
;;
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E 2>/dev/null |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile"
echo "$tab" >> "$depfile"
sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvcmsys)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
none)
exec "$@"
;;
*)
echo "Unknown depmode $depmode" 1>&2
exit 1
;;
esac
exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:


@@ -1,4 +1,4 @@
.TH knock 1 "June 26, 2005" "knockd #VERSION#" ""
.TH knockd 1 "April 22, 2021" "knockd #VERSION#" ""
.SH NAME
knock \- port-knock client
.SH SYNOPSIS
@@ -15,6 +15,18 @@ Make all port hits use UDP (default is TCP).
If you want each port to use a different protocol (TCP or UDP), then you
can specify the protocol on a per-port basis. See the example below.
.TP
.B "\-d <t>, \-\-delay <t>"
Wait <t> milliseconds between each port hit. This can be used in situations
where a router mistakes your stream of SYN packets as a port scan and blocks
them. If the packet rate is slowed with \-\-delay, then the router should let
the packets through.
.TP
.B "\-4, \-\-ipv4 <version>"
Force usage of IPv4.
.TP
.B "\-6, \-\-ipv6 <version>"
Force usage of IPv6.
.TP
.B "\-v, \-\-verbose"
Output verbose status messages.
.TP
@@ -26,7 +38,7 @@ Syntax help.
.SH EXAMPLES
.nf
knock myserver.example.com 123:tcp 456:udp 789:tcp
knock -u myserver.example.com 8284 4721 18592 42912
knock \-u myserver.example.com 8284 4721 18592 42912
.fi
.SH SEE ALSO
\fBknockd\fP is the accompanying port-knock server.
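Review bot: the new `-4, --ipv4 <version>` and `-6, --ipv6 <version>` entries document a `<version>` argument, yet their descriptions ("Force usage of IPv4" / "Force usage of IPv6") describe plain flags; either drop `<version>` from the .B lines or say what value is expected. The `knock -u` to `knock \-u` change in EXAMPLES is correct, since groff may render an unescaped hyphen as a typographic one that does not paste back as an option.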


@@ -1,4 +1,4 @@
.TH knockd 1 "June 26, 2005" "knockd #VERSION#" ""
.TH knockd 1 "April 22, 2021" "knockd #VERSION#" ""
.SH NAME
knockd \- port-knock server
.SH SYNOPSIS
@@ -25,12 +25,15 @@ Specify an alternate location for the config file. Default is
\fI/etc/knockd.conf\fP.
.TP
.B "\-D, \-\-debug"
Ouput debugging messages.
Output debugging messages.
.TP
.B "\-l, \-\-lookup"
Lookup DNS names for log entries. This may be a security risk! See section
\fBSECURITY NOTES\fP.
.TP
.B "\-4, \-\-only-ip-v4"
Ignore packets from IPv6 and handle only IPv4.
.TP
.B "\-v, \-\-verbose"
Output verbose status messages.
.TP
@@ -60,13 +63,13 @@ firewall and would like to access it discreetly.
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT
command = /usr/sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT
command = /usr/sbin/iptables \-D INPUT \-s %IP% \-\-dport 22 \-j ACCEPT
.fi
.RE
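Review bot: the narrowed openSSH rule, `/usr/sbin/iptables \-A INPUT \-s %IP% \-\-dport 22 \-j ACCEPT`, is missing `\-p tcp`; iptables only understands `--dport` once a protocol match is selected, so this command fails to load and the knock appears to succeed while opening nothing (the `\-D` form in closeSSH fails the same way, so nothing is left behind, but the example does not work as written). The later examples already use `\-p tcp \-\-dport 25`; use the same form here. Restricting the accept to port 22 instead of all traffic from %IP% is otherwise the right change.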
@@ -87,9 +90,9 @@ and TCP ports.
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT
start_command = /usr/sbin/iptables \-A INPUT \-s %IP% \-p tcp \-\-syn \-j ACCEPT
cmd_timeout = 5
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT
stop_command = /usr/sbin/iptables \-D INPUT \-s %IP% \-p tcp \-\-syn \-j ACCEPT
.fi
.RE
@@ -112,9 +115,30 @@ sniffing the network).
one_time_sequences = /etc/knockd/smtp_sequences
seq_timeout = 15
tcpflags = fin,!ack
start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
start_command = /usr/sbin/iptables \-A INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
cmd_timeout = 5
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
stop_command = /usr/sbin/iptables \-D INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
.fi
.TP
.SH Example #4:
.RS
Example to support IPv4 and IPv6. You can provide a dedicated command for each
of the two protocols.
.nf
[options]
logfile = /var/log/knockd.log
[opencloseSMTP]
one_time_sequences = /etc/knockd/smtp_sequences
seq_timeout = 15
tcpflags = fin,!ack
start_command = /usr/sbin/iptables \-A INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
start_command_6 = /usr/sbin/ip6tables \-A INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
cmd_timeout = 5
stop_command = /usr/sbin/iptables \-D INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
stop_command_6 = /usr/sbin/ip6tables \-D INPUT \-s %IP% \-p tcp \-\-dport 25 \-j ACCEPT
.fi
.RE
@@ -135,7 +159,7 @@ Network interface to listen on. Only its name has to be given, not the path to
the device (eg, "eth0" and not "/dev/eth0"). Default: eth0.
.SH CONFIGURATION: KNOCK/EVENT DIRECTIVES
.TP
.B "Sequence = <port1>[:<tcp|udp>][,<port2>[:<tcp|udp>] ...]"
.B "Sequence = <port1>[:<tcp|udp>],<port2>[:<tcp|udp>][,<port3>[:<tcp|udp>] ...]"
Specify the sequence of ports in the special knock. If a wrong port with
the same flags is received, the knock is discarded. Optionally, you can
define the protocol to be used on a per-port basis (default is TCP).
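Review bot: the new synopsis makes a second port mandatory (`<port1>[:<tcp|udp>],<port2>[:<tcp|udp>][,<port3>[:<tcp|udp>] ...]`), but the text under it still only says "Specify the sequence of ports"; either state explicitly that a sequence needs at least two ports, or keep the earlier form with `[,<port2>...]` optional, so the synopsis and the daemon's actual parsing agree. A note that a one- or two-port sequence is trivially guessable would fit here too.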
@@ -172,20 +196,43 @@ interfere with (and thus invalidate) the knock.
Separate multiple flags with commas (eg, TCPFlags = syn,ack,urg). Flags can be
explicitly excluded by a "!" (eg, TCPFlags = syn,!ack).
.TP
.B "Target = <ip-address>"
Use the specified IP address instead of the address determined for the
\fBInterface\fP when matching the \fBSequence\fP.
This is useful if knockd is running on a router and you want to do something
in response to an actual connection attempt to a routed host - e.g., invoking
etherwake to send the host a WOL packet.
.TP
.B "Start_Command = <command>"
Specify the command to be executed when a client makes the correct
port-knock. All instances of \fB%IP%\fP will be replaced with the
port-knock with IPv4. All instances of \fB%IP%\fP will be replaced with the
knocker's IP address. The \fBCommand\fP directive is an alias for
\fBStart_Command\fP.
.TP
.B "Start_Command_6 = <command>"
Specify the command to be executed when a client makes the correct
port-knock with IPv6. All instances of \fB%IP%\fP will be replaced with the
knocker's IP address. The \fBCommand_6\fP directive is an alias for
\fBStart_Command_6\fP. If not present it will automatically fallback onto
the same IPV4 \fBStart_Command\fP value. You can use empty value to force
doing nothing.
.TP
.B "Cmd_Timeout = <timeout>"
Time to wait between \fBStart_Command\fP and \fBStop_Command\fP. This
directive is optional, only required if \fBStop_Command\fP is used.
Time to wait (in seconds) between \fBStart_Command\fP and \fBStop_Command\fP.
This directive is optional, only required if \fBStop_Command\fP is used.
.TP
.B "Stop_Command = <command>"
Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed
since \fBStart_Command\fP has been executed. All instances of \fB%IP%\fP will
be replaced with the knocker's IP address. This directive is optional.
.TP
.B "Stop_Command_6 = <command>"
Specify the command to be executed when \fBCmd_Timeout\fP seconds have passed
since \fBStart_Command_6\fP has been executed. All instances of \fB%IP%\fP will
be replaced with the knocker's IP address. This directive is optional.
If not present it will automatically fallback onto the same IPV4
\fBStop_Command\fP value. You can use empty value to force
doing nothing.
.SH SECURITY NOTES
Using the \fB-l\fP or \fB--lookup\fP commandline option to resolve DNS names
for log entries may be a security risk! An attacker may find out the first port
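Review bot: the fallback text for `Start_Command_6` and `Stop_Command_6` ("If not present it will automatically fallback onto the same IPV4 ... value. You can use empty value to force doing nothing.") needs a grammar pass ("fall back to", "an empty value", "IPv4") and a caveat. With the fallback, an IPv6 knock substitutes an IPv6 address into a command written for `iptables`, which rejects it, so the knock silently does nothing useful; and because the two directives fall back independently, setting `Start_Command_6` to empty while leaving `Stop_Command_6` unset means the IPv4 `Stop_Command` still runs after `Cmd_Timeout` seconds and tries to delete a rule that was never added. Suggest documenting that the two `_6` directives should be set together (as Example #4 does) and that an empty value disables only the directive it is given on. The same applies to the `Command_6` alias.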

@@ -1,251 +1,541 @@
#!/bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5 (mit/util/scripts/install.sh).
scriptversion=2020-11-14.01; # UTC
# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright 1991 by the Massachusetts Institute of Technology
# Copyright (C) 1994 X Consortium
#
# Permission to use, copy, modify, distribute, and sell this software and its
# documentation for any purpose is hereby granted without fee, provided that
# the above copyright notice appear in all copies and that both that
# copyright notice and this permission notice appear in supporting
# documentation, and that the name of M.I.T. not be used in advertising or
# publicity pertaining to distribution of the software without specific,
# written prior permission. M.I.T. makes no representations about the
# suitability of this software for any purpose. It is provided "as is"
# without express or implied warranty.
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch. It can only install one file at a time, a restriction
# shared with many OS's install programs.
# from scratch.
tab=' '
nl='
'
IFS=" $tab$nl"
# set DOITPROG to echo to test this script
# Set DOITPROG to "echo" to test this script.
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
doit=${DOITPROG-}
doit_exec=${doit:-exec}
# Put in absolute file names if you don't have them in your path;
# or use environment vars.
# put in absolute paths if you don't have them in your path; or use env. vars.
chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
posix_mkdir=
transformbasename=""
transform_arg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
# Desired mode of installed file.
mode=0755
# Create dirs (including intermediate dirs) using mode 755.
# This is like GNU 'install' as of coreutils 8.32 (2020).
mkdir_umask=22
backupsuffix=
chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""
stripcmd=
while [ x"$1" != x ]; do
case $1 in
-c) instcmd="$cpprog"
shift
continue;;
src=
dst=
dir_arg=
dst_arg=
-d) dir_arg=true
shift
continue;;
copy_on_change=false
is_target_a_directory=possibly
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
or: $0 [OPTION]... SRCFILES... DIRECTORY
or: $0 [OPTION]... -t DIRECTORY SRCFILES...
or: $0 [OPTION]... -d DIRECTORIES...
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
Options:
--help display this help and exit.
--version display version info and exit.
-s) stripcmd="$stripprog"
shift
continue;;
-c (ignored)
-C install only if different (preserve data modification time)
-d create directories instead of installing files.
-g GROUP $chgrpprog installed files to GROUP.
-m MODE $chmodprog installed files to MODE.
-o USER $chownprog installed files to USER.
-p pass -p to $cpprog.
-s $stripprog installed files.
-S SUFFIX attempt to back up existing files, with suffix SUFFIX.
-t DIRECTORY install into DIRECTORY.
-T report an error if DSTFILE is a directory.
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
shift
continue;;
Environment variables override the default commands:
CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
RMPROG STRIPPROG
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
shift
continue;;
By default, rm is invoked with -f; when overridden with RMPROG,
it's up to you to specify -f if you want it.
*) if [ x"$src" = x ]
then
src=$1
else
# this colon is to work around a 386BSD /bin/sh bug
:
dst=$1
fi
shift
continue;;
If -S is not specified, no backups are attempted.
Email bug reports to bug-automake@gnu.org.
Automake home page: https://www.gnu.org/software/automake/
"
while test $# -ne 0; do
case $1 in
-c) ;;
-C) copy_on_change=true;;
-d) dir_arg=true;;
-g) chgrpcmd="$chgrpprog $2"
shift;;
--help) echo "$usage"; exit $?;;
-m) mode=$2
case $mode in
*' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
echo "$0: invalid mode: $mode" >&2
exit 1;;
esac
shift;;
-o) chowncmd="$chownprog $2"
shift;;
-p) cpprog="$cpprog -p";;
-s) stripcmd=$stripprog;;
-S) backupsuffix="$2"
shift;;
-t)
is_target_a_directory=always
dst_arg=$2
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
shift;;
-T) is_target_a_directory=never;;
--version) echo "$0 $scriptversion"; exit $?;;
--) shift
break;;
-*) echo "$0: invalid option: $1" >&2
exit 1;;
*) break;;
esac
shift
done
# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.
if test -n "$dir_arg"; then
if test -n "$dst_arg"; then
echo "$0: target directory not allowed when installing a directory." >&2
exit 1
fi
fi
if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
# When -d is used, all remaining arguments are directories to create.
# When -t is used, the destination is already specified.
# Otherwise, the last argument is the destination. Remove it from $@.
for arg
do
if test -n "$dst_arg"; then
# $@ is not empty: it contains at least $arg.
set fnord "$@" "$dst_arg"
shift # fnord
fi
shift # arg
dst_arg=$arg
# Protect names problematic for 'test' and other utilities.
case $dst_arg in
-* | [=\(\)!]) dst_arg=./$dst_arg;;
esac
done
fi
if test $# -eq 0; then
if test -z "$dir_arg"; then
echo "$0: no input file specified." >&2
exit 1
fi
# It's OK to call 'install-sh -d' without argument.
# This can happen when creating conditional directories.
exit 0
fi
if test -z "$dir_arg"; then
if test $# -gt 1 || test "$is_target_a_directory" = always; then
if test ! -d "$dst_arg"; then
echo "$0: $dst_arg: Is not a directory." >&2
exit 1
fi
fi
fi
if test -z "$dir_arg"; then
do_exit='(exit $ret); exit $ret'
trap "ret=129; $do_exit" 1
trap "ret=130; $do_exit" 2
trap "ret=141; $do_exit" 13
trap "ret=143; $do_exit" 15
# Set umask so as not to create temps with too-generous modes.
# However, 'strip' requires both read and write access to temps.
case $mode in
# Optimize common cases.
*644) cp_umask=133;;
*755) cp_umask=22;;
*[0-7])
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw='% 200'
fi
cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
*)
if test -z "$stripcmd"; then
u_plus_rw=
else
u_plus_rw=,u+rw
fi
cp_umask=$mode$u_plus_rw;;
esac
fi
for src
do
# Protect names problematic for 'test' and other utilities.
case $src in
-* | [=\(\)!]) src=./$src;;
esac
if test -n "$dir_arg"; then
dst=$src
dstdir=$dst
test -d "$dstdir"
dstdir_status=$?
# Don't chown directories that already exist.
if test $dstdir_status = 0; then
chowncmd=""
fi
else
# Waiting for this to be detected by the "$cpprog $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if test ! -f "$src" && test ! -d "$src"; then
echo "$0: $src does not exist." >&2
exit 1
fi
if test -z "$dst_arg"; then
echo "$0: no destination specified." >&2
exit 1
fi
dst=$dst_arg
# If destination is a directory, append the input filename.
if test -d "$dst"; then
if test "$is_target_a_directory" = never; then
echo "$0: $dst_arg: Is a directory" >&2
exit 1
fi
dstdir=$dst
dstbase=`basename "$src"`
case $dst in
*/) dst=$dst$dstbase;;
*) dst=$dst/$dstbase;;
esac
dstdir_status=0
else
dstdir=`dirname "$dst"`
test -d "$dstdir"
dstdir_status=$?
fi
fi
case $dstdir in
*/) dstdirslash=$dstdir;;
*) dstdirslash=$dstdir/;;
esac
obsolete_mkdir_used=false
if test $dstdir_status != 0; then
case $posix_mkdir in
'')
# With -d, create the new directory with the user-specified mode.
# Otherwise, rely on $mkdir_umask.
if test -n "$dir_arg"; then
mkdir_mode=-m$mode
else
mkdir_mode=
fi
posix_mkdir=false
# The $RANDOM variable is not portable (e.g., dash). Use it
# here however when possible just to lower collision chance.
tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
trap '
ret=$?
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null
exit $ret
' 0
# Because "mkdir -p" follows existing symlinks and we likely work
# directly in world-writeable /tmp, make sure that the '$tmpdir'
# directory is successfully created first before we actually test
# 'mkdir -p'.
if (umask $mkdir_umask &&
$mkdirprog $mkdir_mode "$tmpdir" &&
exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
then
if test -z "$dir_arg" || {
# Check for POSIX incompatibilities with -m.
# HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
# other-writable bit of parent directory when it shouldn't.
# FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
test_tmpdir="$tmpdir/a"
ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
case $ls_ld_tmpdir in
d????-?r-*) different_mode=700;;
d????-?--*) different_mode=755;;
*) false;;
esac &&
$mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
}
}
then posix_mkdir=:
fi
rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
else
# Remove any dirs left behind by ancient mkdir implementations.
rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
fi
trap '' 0;;
esac
if
$posix_mkdir && (
umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
)
then :
else
# mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
[-=\(\)!]*) prefix='./';;
*) prefix='';;
esac
oIFS=$IFS
IFS=/
set -f
set fnord $dstdir
shift
set +f
IFS=$oIFS
prefixes=
for d
do
test X"$d" = X && continue
prefix=$prefix$d
if test -d "$prefix"; then
prefixes=
else
if $posix_mkdir; then
(umask $mkdir_umask &&
$doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
# Don't fail if two instances are running concurrently.
test -d "$prefix" || exit 1
else
case $prefix in
*\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
*) qprefix=$prefix;;
esac
prefixes="$prefixes '$qprefix'"
fi
fi
prefix=$prefix/
done
if test -n "$prefixes"; then
# Don't fail if two instances are running concurrently.
(umask $mkdir_umask &&
eval "\$doit_exec \$mkdirprog $prefixes") ||
test -d "$dstdir" || exit 1
obsolete_mkdir_used=true
fi
fi
fi
if test -n "$dir_arg"; then
{ test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
{ test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
else
# Make a couple of temp file names in the proper directory.
dsttmp=${dstdirslash}_inst.$$_
rmtmp=${dstdirslash}_rm.$$_
# Trap to clean up those temp files at exit.
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
(umask $cp_umask &&
{ test -z "$stripcmd" || {
# Create $dsttmp read-write so that cp doesn't create it read-only,
# which would cause strip to fail.
if test -z "$doit"; then
: >"$dsttmp" # No need to fork-exec 'touch'.
else
$doit touch "$dsttmp"
fi
}
} &&
$doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $cpprog $src $dsttmp" command.
#
{ test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
{ test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
{ test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
{ test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&
# If -C, don't bother to copy if it wouldn't change the file.
if $copy_on_change &&
old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` &&
new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` &&
set -f &&
set X $old && old=:$2:$4:$5:$6 &&
set X $new && new=:$2:$4:$5:$6 &&
set +f &&
test "$old" = "$new" &&
$cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
then
rm -f "$dsttmp"
else
# If $backupsuffix is set, and the file being installed
# already exists, attempt a backup. Don't worry if it fails,
# e.g., if mv doesn't support -f.
if test -n "$backupsuffix" && test -f "$dst"; then
$doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null
fi
# Rename the file to the real destination.
$doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||
# The rename failed, perhaps because mv can't rename something else
# to itself, or perhaps because mv is so ancient that it does not
# support -f.
{
# Now remove or move aside any old file at destination location.
# We try this two ways since rm can't unlink itself on some
# systems and the destination file might be busy for other
# reasons. In this case, the final cleanup might fail but the new
# file should still install successfully.
{
test ! -f "$dst" ||
$doit $rmcmd "$dst" 2>/dev/null ||
{ $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
{ $doit $rmcmd "$rmtmp" 2>/dev/null; :; }
} ||
{ echo "$0: cannot unlink or rename $dst" >&2
(exit 1); exit 1
}
} &&
# Now rename the file to the real destination.
$doit $mvcmd "$dsttmp" "$dst"
}
fi || exit 1
trap '' 0
fi
done
if [ x"$src" = x ]
then
echo "install: no input file specified"
exit 1
else
:
fi
if [ x"$dir_arg" != x ]; then
dst=$src
src=""
if [ -d $dst ]; then
instcmd=:
chmodcmd=""
else
instcmd=$mkdirprog
fi
else
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if [ -f $src -o -d $src ]
then
:
else
echo "install: $src does not exist"
exit 1
fi
if [ x"$dst" = x ]
then
echo "install: no destination specified"
exit 1
else
:
fi
# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic
if [ -d $dst ]
then
dst="$dst"/`basename $src`
else
:
fi
fi
## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# this part is taken from Noah Friedman's mkinstalldirs script
# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='
'
IFS="${IFS-${defaultIFS}}"
oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"
pathcomp=''
while [ $# -ne 0 ] ; do
pathcomp="${pathcomp}${1}"
shift
if [ ! -d "${pathcomp}" ] ;
then
$mkdirprog "${pathcomp}"
else
:
fi
pathcomp="${pathcomp}/"
done
fi
if [ x"$dir_arg" != x ]
then
$doit $instcmd $dst &&
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else : ; fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else : ; fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else : ; fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else : ; fi
else
# If we're going to rename the final executable, determine the name now.
if [ x"$transformarg" = x ]
then
dstfile=`basename $dst`
else
dstfile=`basename $dst $transformbasename |
sed $transformarg`$transformbasename
fi
# don't allow the sed command to completely eliminate the filename
if [ x"$dstfile" = x ]
then
dstfile=`basename $dst`
else
:
fi
# Make a temp file name in the proper directory.
dsttmp=$dstdir/#inst.$$#
# Move or copy the file name to the temp name
$doit $instcmd $src $dsttmp &&
trap "rm -f ${dsttmp}" 0 &&
# and set any options; do chmod last to preserve setuid bits
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else :;fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else :;fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else :;fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else :;fi &&
# Now rename the file to the real destination.
$doit $rmcmd -f $dstdir/$dstfile &&
$doit $mvcmd $dsttmp $dstdir/$dstfile
fi &&
exit 0
# Local variables:
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:

@@ -13,3 +13,9 @@
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
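Review bot: the new `[openHTTPS]` stanza has no `cmd_timeout`/`stop_command` and no matching close sequence, so whatever `knock_add` inserts for %IP% stays in the INPUT chain indefinitely, unlike the openSSH/closeSSH pair above it; add a `stop_command` with a `cmd_timeout`, or a `[closeHTTPS]` section. The command also points at `/usr/local/sbin/knock_add`, a path reserved for locally installed software rather than packaged files; if the helper ships with knockd, reference its real install location, otherwise a comment should say the administrator has to provide it. Since this is the sample config, a comment telling administrators to replace the example sequence (`12345,54321,24680,13579`) before enabling the service would also be worth adding.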

missing Executable file
@@ -0,0 +1,215 @@
#! /bin/sh
# Common wrapper for a few potentially missing GNU programs.
scriptversion=2018-03-07.03; # UTC
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
if test $# -eq 0; then
echo 1>&2 "Try '$0 --help' for more information"
exit 1
fi
case $1 in
--is-lightweight)
# Used by our autoconf macros to check whether the available missing
# script is modern enough.
exit 0
;;
--run)
# Back-compat with the calling convention used by older automake.
shift
;;
-h|--h|--he|--hel|--help)
echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...
Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
to PROGRAM being missing or too old.
Options:
-h, --help display this help and exit
-v, --version output version information and exit
Supported PROGRAM values:
aclocal autoconf autoheader autom4te automake makeinfo
bison yacc flex lex help2man
Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
'g' are ignored when checking the name.
Send bug reports to <bug-automake@gnu.org>."
exit $?
;;
-v|--v|--ve|--ver|--vers|--versi|--versio|--version)
echo "missing $scriptversion (GNU Automake)"
exit $?
;;
-*)
echo 1>&2 "$0: unknown '$1' option"
echo 1>&2 "Try '$0 --help' for more information"
exit 1
;;
esac
# Run the given program, remember its exit status.
"$@"; st=$?
# If it succeeded, we are done.
test $st -eq 0 && exit 0
# Also exit now if we it failed (or wasn't found), and '--version' was
# passed; such an option is passed most likely to detect whether the
# program is present and works.
case $2 in --version|--help) exit $st;; esac
# Exit code 63 means version mismatch. This often happens when the user
# tries to use an ancient version of a tool on a file that requires a
# minimum version.
if test $st -eq 63; then
msg="probably too old"
elif test $st -eq 127; then
# Program was missing.
msg="missing on your system"
else
# Program was found and executed, but failed. Give up.
exit $st
fi
perl_URL=https://www.perl.org/
flex_URL=https://github.com/westes/flex
gnu_software_URL=https://www.gnu.org/software
program_details ()
{
case $1 in
aclocal|automake)
echo "The '$1' program is part of the GNU Automake package:"
echo "<$gnu_software_URL/automake>"
echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/autoconf>"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
autoconf|autom4te|autoheader)
echo "The '$1' program is part of the GNU Autoconf package:"
echo "<$gnu_software_URL/autoconf/>"
echo "It also requires GNU m4 and Perl in order to run:"
echo "<$gnu_software_URL/m4/>"
echo "<$perl_URL>"
;;
esac
}
give_advice ()
{
# Normalize program name to check for.
normalized_program=`echo "$1" | sed '
s/^gnu-//; t
s/^gnu//; t
s/^g//; t'`
printf '%s\n' "'$1' is $msg."
configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
case $normalized_program in
autoconf*)
echo "You should only need it if you modified 'configure.ac',"
echo "or m4 files included by it."
program_details 'autoconf'
;;
autoheader*)
echo "You should only need it if you modified 'acconfig.h' or"
echo "$configure_deps."
program_details 'autoheader'
;;
automake*)
echo "You should only need it if you modified 'Makefile.am' or"
echo "$configure_deps."
program_details 'automake'
;;
aclocal*)
echo "You should only need it if you modified 'acinclude.m4' or"
echo "$configure_deps."
program_details 'aclocal'
;;
autom4te*)
echo "You might have modified some maintainer files that require"
echo "the 'autom4te' program to be rebuilt."
program_details 'autom4te'
;;
bison*|yacc*)
echo "You should only need it if you modified a '.y' file."
echo "You may want to install the GNU Bison package:"
echo "<$gnu_software_URL/bison/>"
;;
lex*|flex*)
echo "You should only need it if you modified a '.l' file."
echo "You may want to install the Fast Lexical Analyzer package:"
echo "<$flex_URL>"
;;
help2man*)
echo "You should only need it if you modified a dependency" \
"of a man page."
echo "You may want to install the GNU Help2man package:"
echo "<$gnu_software_URL/help2man/>"
;;
makeinfo*)
echo "You should only need it if you modified a '.texi' file, or"
echo "any other file indirectly affecting the aspect of the manual."
echo "You might want to install the Texinfo package:"
echo "<$gnu_software_URL/texinfo/>"
echo "The spurious makeinfo call might also be the consequence of"
echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
echo "want to install GNU make:"
echo "<$gnu_software_URL/make/>"
;;
*)
echo "You might have modified some files without having the proper"
echo "tools for further handling them. Check the 'README' file, it"
echo "often tells you about the needed prerequisites for installing"
echo "this package. You may also peek at any GNU archive site, in"
echo "case some other package contains this missing '$1' program."
;;
esac
}
give_advice "$1" | sed -e '1s/^/WARNING: /' \
-e '2,$s/^/ /' >&2
# Propagate the correct exit status (expected to be 127 for a program
# not found, 63 for a program that failed due to version mismatch).
exit $st
# Local variables:
# eval: (add-hook 'before-save-hook 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC0"
# time-stamp-end: "; # UTC"
# End:

@@ -1,8 +1,8 @@
/*
* knock.c
*
* Copyright (c) 2004-2005 by Judd Vinet <jvinet@zeroflux.org>
*
*
* Copyright (c) 2004-2012 by Judd Vinet <jvinet@zeroflux.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
@@ -13,30 +13,37 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/socket.h>
#if defined(__FreeBSD__) || defined(__APPLE__)
#include <netinet/in.h>
#endif
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>
#include <resolv.h>
#include <getopt.h>
#include <fcntl.h>
static char version[] = "0.5";
static char version[] = "0.8";
#define PROTO_TCP 1
#define PROTO_UDP 2
#define IP_DEFAULT AF_UNSPEC
#define IP_V4 AF_INET
#define IP_V6 AF_INET6
/* function prototypes */
void vprint(char *fmt, ...);
void ver();
@@ -44,23 +51,31 @@ void usage();
int o_verbose = 0;
int o_udp = 0;
int o_delay = 0;
int o_ip = IP_DEFAULT;
int main(int argc, char** argv)
{
int sd;
struct hostent* host;
struct sockaddr_in addr;
int opt, optidx = 1;
struct addrinfo hints;
struct addrinfo *infoptr;
char ipname[256];
int result;
char *hostname;
static struct option opts[] =
{
{"verbose", no_argument, 0, 'v'},
{"udp", no_argument, 0, 'u'},
{"delay", required_argument, 0, 'd'},
{"help", no_argument, 0, 'h'},
{"version", no_argument, 0, 'V'},
{"ipv4", no_argument, 0, '4'},
{"ipv6", no_argument, 0, '6'},
{0, 0, 0, 0}
};
while((opt = getopt_long(argc, argv, "vuhV", opts, &optidx))) {
while((opt = getopt_long(argc, argv, "vud:hV46", opts, &optidx))) {
if(opt < 0) {
break;
}
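Review bot: the short-option string change from `"vuhV"` to `"vud:hV46"` is a bug fix, not just the addition of `-4`/`-6`: `d` was missing from the old string even though `--delay` took an argument, so `-d` could not have worked before; that deserves a mention in the changelog. Minor: `char ipname[256]` only ever receives a numeric address from `getnameinfo`, so `INET6_ADDRSTRLEN` states the intent better than a magic size.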
@@ -68,7 +83,10 @@ int main(int argc, char** argv)
case 0: break;
case 'v': o_verbose = 1; break;
case 'u': o_udp = 1; break;
case 'd': o_delay = (int)atoi(optarg); break;
case 'V': ver();
case '4': o_ip = IP_V4; break;
case '6': o_ip = IP_V6; break;
case 'h': /* fallthrough */
default: usage();
}
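Review bot: `case 'V': ver();` has no `break` and relies on `ver()` calling `exit(0)` (it does, see the last hunk) to avoid falling into `case '4'`; since the adjacent `case 'h': /* fallthrough */` shows fall-through is marked when intentional, add a `break` or a `/* ver() exits */` comment here so the next reader does not have to check.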
@@ -77,18 +95,24 @@ int main(int argc, char** argv)
usage();
}
host = gethostbyname(argv[optind++]);
if(host == NULL) {
fprintf(stderr, "Cannot resolve hostname\n");
if(o_delay < 0) {
fprintf(stderr, "error: delay cannot be negative\n");
exit(1);
}
/* prepare hints to select ipv4 or v6 if asked */
memset(&hints, 0, sizeof hints);
hints.ai_family = o_ip;
hostname = argv[optind++];
for(; optind < argc; optind++) {
unsigned short port, proto = PROTO_TCP;
unsigned short proto = PROTO_TCP;
const char *port;
char *ptr, *arg = strdup(argv[optind]);
if((ptr = strchr(arg, ':'))) {
*ptr = '\0';
port = atoi(arg);
port = arg;
arg = ++ptr;
if(!strcmp(arg, "udp")) {
proto = PROTO_UDP;
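Review bot: `char *ptr, *arg = strdup(argv[optind]);` is never freed, and after `arg = ++ptr;` the only pointer to the allocation is lost, so every port argument leaks its copy; keep the `strdup` result in its own variable and `free` it at the end of the loop body. Because `port` is now a string handed to `getaddrinfo` (`port = arg;` replacing `port = atoi(arg);`), service names from `/etc/services` are accepted as well as numbers, and a non-numeric or out-of-range value now surfaces only as the `getaddrinfo` failure message; both are behaviour changes from `atoi` that the usage text `<port[:proto]>` should document.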
@@ -96,18 +120,27 @@ int main(int argc, char** argv)
proto = PROTO_TCP;
}
} else {
port = atoi(arg);
port = arg;
}
/* get host and port based on hints */
result = getaddrinfo(hostname, port, &hints, &infoptr);
if(result) {
fprintf(stderr, "Failed to resolve hostname '%s' on port %s\n", hostname, port);
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(result));
exit(1);
}
/* create socket */
if(o_udp || proto == PROTO_UDP) {
sd = socket(PF_INET, SOCK_DGRAM, 0);
sd = socket(infoptr->ai_family, SOCK_DGRAM, 0);
if(sd == -1) {
fprintf(stderr, "Cannot open socket\n");
exit(1);
}
} else {
int flags;
sd = socket(PF_INET, SOCK_STREAM, 0);
sd = socket(infoptr->ai_family, SOCK_STREAM, 0);
if(sd == -1) {
fprintf(stderr, "Cannot open socket\n");
exit(1);
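Review bot: `hints` only sets `ai_family`, so `getaddrinfo` returns one entry per socket type and `infoptr` is always the first of them regardless of whether the code then opens a `SOCK_DGRAM` or `SOCK_STREAM` socket; the address is the same in practice, but setting `hints.ai_socktype` (and `ai_protocol`) from `o_udp || proto == PROTO_UDP` before the call makes the first entry match the socket that is created and shortens the result list. The `exit(1)` paths after a failed `socket()` skip `freeaddrinfo(infoptr)`, which is harmless on exit but worth a comment so it is not mistaken for a leak later.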
@@ -115,19 +148,22 @@ int main(int argc, char** argv)
flags = fcntl(sd, F_GETFL, 0);
fcntl(sd, F_SETFL, flags | O_NONBLOCK);
}
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = *((long*)host->h_addr_list[0]);
addr.sin_port = htons(port);
/* extract ip as string (v4 or v6) */
getnameinfo(infoptr->ai_addr, infoptr->ai_addrlen, ipname, sizeof(ipname), NULL, 0, NI_NUMERICHOST);
/* connect or send UDP packet */
if(o_udp || proto == PROTO_UDP) {
vprint("hitting udp %s:%u\n", inet_ntoa(addr.sin_addr), port);
connect(sd, (struct sockaddr*)&addr, sizeof(struct sockaddr));
send(sd, NULL, 0, MSG_DONTWAIT);
vprint("hitting udp %s:%s\n", ipname, port);
sendto(sd, "", 1, 0, infoptr->ai_addr, infoptr->ai_addrlen);
} else {
vprint("hitting tcp %s:%u\n", inet_ntoa(addr.sin_addr), port);
connect(sd, (struct sockaddr*)&addr, sizeof(struct sockaddr));
vprint("hitting tcp %s:%s\n", ipname, port);
connect(sd, infoptr->ai_addr, infoptr->ai_addrlen);
}
close(sd);
usleep(1000*o_delay);
freeaddrinfo(infoptr);
}
return(0);
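Review bot: the UDP knock now carries a one-byte payload (`sendto(sd, "", 1, 0, ...)`) where the old code sent an empty datagram (`send(sd, NULL, 0, MSG_DONTWAIT)`); knockd matches on headers, so this is probably fine, but it is a wire-visible change that should be commented. `getnameinfo`'s return value is ignored, so `ipname` is passed to `vprint` uninitialised if it fails; check the result or fall back to `hostname`. `usleep(1000*o_delay)` overflows `int` for delays above roughly 2147 seconds, and POSIX permits `usleep` to fail with `EINVAL` for values of 1000000 or more, so clamp `o_delay` (it is only checked for being non-negative) or switch to `nanosleep`.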
@@ -148,6 +184,9 @@ void usage() {
printf("usage: knock [options] <host> <port[:proto]> [port[:proto]] ...\n");
printf("options:\n");
printf(" -u, --udp make all ports hits use UDP (default is TCP)\n");
printf(" -d, --delay <t> wait <t> milliseconds between port hits\n");
printf(" -4, --ipv4 Force usage of IPv4\n");
printf(" -6, --ipv6 Force usage of IPv6\n");
printf(" -v, --verbose be verbose\n");
printf(" -V, --version display version\n");
printf(" -h, --help this help\n");
@@ -159,7 +198,7 @@ void usage() {
void ver() {
printf("knock %s\n", version);
printf("Copyright (C) 2004-2005 Judd Vinet <jvinet@zeroflux.org>\n");
printf("Copyright (C) 2004-2012 Judd Vinet <jvinet@zeroflux.org>\n");
exit(0);
}

src/knock_helper_ipt.sh (new file)

@@ -0,0 +1,189 @@
#!/bin/sh
# Original version to add non-duplicated rules by Greg Kuchyt (greg.kuchyt@gmail.com)
# Updated to handle deletes and be generic by Paul Rogers (paul.rogers@flumps.org)
SCRIPT_NAME=$(basename $0)
AWK="/bin/awk"
GREP="/bin/grep"
IPTABLES="/sbin/iptables"
SORT="/bin/sort"
COMMENT_APP="Append "
COMMENT_DEL="Delete "
COMMENT_INS="Insert "
COMMENT_DEFAULT="by knockd"
IPT_CHAIN="INPUT"
IPT_METHOD=""
IPT_COMMENT=""
IPT_SRC_IP=""
IPT_DST_PORT=""
IPT_PROTO="tcp"
IPT_RULE_TARGET="ACCEPT"
DRY_RUN=0
SEEN=0
VERBOSE=0
usage() {
echo "Usage: $SCRIPT_NAME -a|-i|-x -f SRC_IP_ADDR -d DST_PORT [-p|-c|-m|-t|-h|-v]"
echo "Options:"
echo "-a|--append Action: append a rule to NetFilter"
echo "-i|--insert Action: insert a rule to NetFiler"
echo "-x|--delete Action: delete a rule from NetFilter"
echo "-f|--srcaddr The source IP address to be used"
echo "-d|--dstport The destination port to be used in the rule"
echo "-p|--proto The protocol that the rule applies to; default: $IPT_PROTO"
echo "-c|--chain The NetFilter chain to apply the change to; default: $IPT_CHAIN"
echo "-m|--comment Overide default comment text: '$COMMENT_DEFAULT'"
echo "-t|--test Test run - don't actually perform an update to NetFilter"
echo "-h|--help Print this informational screen and exit"
echo "-v|--verbose Print verbose information about actions"
}
ARGS=$(getopt -o aixf:d:p:c:m::thv -l "append,insert,delete,srcaddr:,dstport:,proto:,chain:,comment::,test,help,verbose" -n $SCRIPT_NAME -- "$@")
if [ $? -ne 0 ];
then
echo "$SCRIPT_NAME - Error! Invalid arguments"
usage
exit 1
fi
eval set -- "$ARGS"
while true; do
case "$1" in
-a|--append)
IPT_METHOD="-A"
shift;
;;
-x|--delete)
IPT_METHOD="-D"
shift;
;;
-i|--insert)
IPT_METHOD="-I"
shift;
;;
-f|--srcaddr)
IPT_SRC_IP=$2
shift 2;
;;
-d|--dstport)
IPT_DST_PORT=$2
shift 2;
;;
-p|--proto)
IPT_PROTO=$2
shift 2;
;;
-c|--chain)
IPT_CHAIN=$2
shift 2;
;;
-m|--comment)
case "$2" in
"")
IPT_COMMENT=$COMMENT_DEFAULT;
shift 2;;
*)
IPT_COMMENT=$2;
shift 2 ;;
esac
;;
-t|--test)
DRY_RUN=1
shift;
;;
-h|--help)
usage
shift;
exit
;;
-v|--verbose)
VERBOSE=1
shift;
;;
--)
shift;
break;
;;
esac
done
# Begin sanity checks
if [ -z "$IPT_SRC_IP" ]; then
echo "$SCRIPT_NAME - Error! Source IP address required"
usage
exit 1
fi
if [ -z "$IPT_DST_PORT" ]; then
echo "$SCRIPT_NAME - Error! Destination port required"
usage
exit 1
fi
if [ -z "$IPT_METHOD" ]; then
echo "$SCRIPT_NAME - Error! Valid action option not specified"
fi
case "$IPT_METHOD" in
-A)
IPT_COMMENT="$COMMENT_APP $IPT_COMMENT"
;;
-I)
IPT_COMMENT="$COMMENT_INS $IPT_COMMENT"
;;
-D)
IPT_COMMENT="$COMMENT_DEL $IPT_COMMENT"
;;
esac
if [ "$VERBOSE" -eq 1 ]; then
echo "$SCRIPT_NAME - Testing rule"
echo "$SCRIPT_NAME - action: $IPT_METHOD _ src: $IPT_SRC_IP _ dstport: $IPT_DST_PORT _ proto: $IPT_PROTO _ chain: $IPT_CHAIN _ comment: $IPT_COMMENT"
fi
COMMENT=""
if [ -n "$IPT_COMMENT" ]; then
COMMENT="-m comment --comment '$IPT_COMMENT'"
fi
$IPTABLES -L $IPT_CHAIN &> /dev/null
if [ 0 -ne "$?" ]; then
echo "$SCRIPT_NAME - Error: $IPT_CHAIN is not a valid NetFilter chain"
exit
fi
# End sanity checks
# Dupe checking
for IP in `$IPTABLES -n -L $IPT_CHAIN | $GREP $IPT_RULE_TARGET | $AWK '{print $4}' | $SORT -u`;
do
if [ "$VERBOSE" -eq 1 ]; then
echo "$SCRIPT_NAME - $IP"
fi
if [ "$IPT_SRC_IP" == "$IP" ]; then
SEEN=1
fi
done
if [ "$VERBOSE" -eq 1 ]; then
echo "$SCRIPT_NAME - Seen: $SEEN"
fi
if [ "$SEEN" -eq 0 ]; then
if [ "$VERBOSE" -eq 1 ]; then
echo "$SCRIPT_NAME - $IPT_COMMENT"
echo $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT
fi
if [ "$DRY_RUN" -eq 0 ]; then
eval $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT
fi
fi
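Review bot: the duplicate check at the end inverts the delete case: the `iptables` command only runs when `SEEN` is 0, i.e. when `$IPT_SRC_IP` does not already appear in the chain, so `-x|--delete` can never remove an existing rule and only `-A`/`-I` ever take effect; for `IPT_METHOD="-D"` the condition should be `"$SEEN" -eq 1`. The check itself compares only column 4 of `iptables -n -L` for rules whose target is `ACCEPT`, ignoring port and protocol, so a knock for a second port from the same address is treated as a duplicate and silently dropped. Further points in the same hunk: the `-z "$IPT_METHOD"` sanity check prints an error but does not `exit 1`, so the script carries on with an empty action; `&>` and `==` inside `[ ]` are bashisms under `#!/bin/sh`, and with Debian's `/bin/sh` being dash, `$IPTABLES -L $IPT_CHAIN &> /dev/null` parses as a backgrounded command followed by a bare redirection, so `$?` is always 0 and the "not a valid NetFilter chain" branch is unreachable; use `>/dev/null 2>&1` and `=`. Lastly, `eval $IPTABLES $IPT_METHOD ... -s $IPT_SRC_IP ... $COMMENT` expands externally supplied values unquoted; quote the variables (and `$(basename "$0")`) so the command line is built exactly from the arguments received.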



@@ -13,10 +13,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include <stdlib.h>
@@ -28,7 +27,7 @@ PMList* list_new()
{
PMList *list = NULL;
list = (PMList*)malloc(sizeof(PMList));
list = (PMList*)calloc(1, sizeof(PMList));
if(list == NULL) {
return(NULL);
}


@@ -13,10 +13,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
* USA.
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#ifndef _PAC_LIST_H
#define _PAC_LIST_H