s.anonymous=true
s.dynamic=true
s:option(Value, "MAX_SPA_PACKET_AGE", "MAX_SPA_PACKET_AGE", translate("Maximum age in seconds that an SPA packet will be accepted. defaults to 120 seconds"))
+s:option(Value, "PCAP_INTF", "PCAP_INTF", translate("Specify the ethernet interface on which fwknopd will sniff packets."))
+s:option(Value, "ENABLE_IPT_FORWARDING", "ENABLE_IPT_FORWARDING", translate("Allow SPA clients to request access to services through an iptables firewall instead of just to it."))
s:option(DummyValue, "note2", translate("Enter custom fwknopd.conf variables below:"))
return m
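Review bot: `ENABLE_IPT_FORWARDING` is a yes/no switch in fwknopd.conf, but the new option is a free-text `Value`, so the form accepts and stores any string the user types. A `Flag` pins it to the accepted values: `o = s:option(Flag, "ENABLE_IPT_FORWARDING", "ENABLE_IPT_FORWARDING", translate("Allow SPA clients to request access to services through an iptables firewall instead of just to it."))` followed by `o.enabled = "Y"` and `o.disabled = "N"` (fwknopd appears to accept either case, so confirm the lowercase `y` written by the defaults script still matches). `PCAP_INTF` is likewise free text; offering the existing device names via `o:value(dev)` from `luci.sys.net.devices()` (with `luci.sys` required in the model) would avoid interface-name typos that keep fwknopd from capturing on the intended interface. The section `s` these options belong to is created before this hunk.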
+++ /dev/null
-msgid ""
-msgstr ""
-"Content-Type: text/plain; charset=UTF-8\n"
-"Project-Id-Version: PACKAGE VERSION\n"
-"PO-Revision-Date: 2015-05-12 21:03-0500\n"
-"Last-Translator: Jonathan Bennett <JBennett@incomsystems.biz>\n"
-"Language-Team: English\n"
-"Language: en\n"
-"MIME-Version: 1.0\n"
-"Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=2; plural=(n != 1);\n"
-
-msgid "Base 64 key"
-msgstr "Base 64 key"
-
-msgid ""
-"Define a set of ports and protocols (tcp or udp) that will be opened if a "
-"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
-"to honor any proto/port request specified in the SPA data (unless of it "
-"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
-msgstr ""
-"Define a set of ports and protocols (tcp or udp) that will be opened if a "
-"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
-"to honor any proto/port request specified in the SPA data (unless of it "
-"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
-
-msgid ""
-"Define the length of time access will be granted by fwknopd through the "
-"firewall after a valid knock sequence from a source IP address. If "
-"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
-"automatically be set."
-msgstr ""
-"Define the length of time access will be granted by fwknopd through the "
-"firewall after a valid knock sequence from a source IP address. If "
-"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
-"automatically be set."
-
-msgid ""
-"Define the symmetric key used for decrypting an incoming SPA packet that is "
-"encrypted by the fwknop client with Rijndael."
-msgstr ""
-"Define the symmetric key used for decrypting an incoming SPA packet that is "
-"encrypted by the fwknop client with Rijndael."
-
-msgid "Enable Uci/Luci control"
-msgstr "Enable Uci/Luci control"
-
-msgid "Enable config overwrite"
-msgstr "Enable config overwrite"
-
-msgid "Enter custom access.conf variables below:"
-msgstr "Enter custom access.conf variables below:"
-
-msgid "Enter custom fwknopd.conf variables below:"
-msgstr "Enter custom fwknopd.conf variables below:"
-
-msgid "Firewall Knock Daemon"
-msgstr "Firewall Knock Daemon"
-
-msgid "Firewall Knock Operator"
-msgstr "Firewall Knock Operator"
-
-msgid ""
-"Force all SPA packets to contain a real IP address within the encrypted "
-"data. This makes it impossible to use the -s command line argument on the "
-"fwknop client command line, so either -R has to be used to automatically "
-"resolve the external address (if the client behind a NAT) or the client must "
-"know the external IP and set it via the -a argument."
-msgstr ""
-"Force all SPA packets to contain a real IP address within the encrypted "
-"data. This makes it impossible to use the -s command line argument on the "
-"fwknop client command line, so either -R has to be used to automatically "
-"resolve the external address (if the client behind a NAT) or the client must "
-"know the external IP and set it via the -a argument."
-
-msgid ""
-"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
-"seconds"
-msgstr ""
-"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
-"seconds"
-
-msgid "Normal Key"
-msgstr "Normal Key"
-
-msgid "The base64 hmac key"
-msgstr "The base64 hmac key"
-
-msgid "Use ANY for any source ip"
-msgstr "Use ANY for any source ip"
-
-msgid ""
-"When unchecked, the config files in /etc/fwknopd will be used as is, "
-"ignoring any settings here."
-msgstr ""
-"When unchecked, the config files in /etc/fwknopd will be used as is, "
-"ignoring any settings here."
-
-msgid "access.conf stanzas"
-msgstr "access.conf stanzas"
-
-msgid "fwknopd.conf config options"
-msgstr "fwknopd.conf config options"
--- /dev/null
+msgid ""
+msgstr ""
+"Content-Type: text/plain; charset=UTF-8\n"
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2015-05-12 21:03-0500\n"
+"Last-Translator: Jonathan Bennett <JBennett@incomsystems.biz>\n"
+"Language-Team: English\n"
+"Language: en\n"
+"MIME-Version: 1.0\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid ""
+"Allow SPA clients to request access to services through an iptables firewall "
+"instead of just to it."
+msgstr ""
+"Allow SPA clients to request access to services through an iptables firewall "
+"instead of just to it."
+
+msgid "Base 64 key"
+msgstr "Base 64 key"
+
+msgid ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+msgstr ""
+"Define a set of ports and protocols (tcp or udp) that will be opened if a "
+"valid knock sequence is seen. If this entry is not set, fwknopd will attempt "
+"to honor any proto/port request specified in the SPA data (unless of it "
+"matches any “RESTRICT_PORTS” entries). Multiple entries are comma-separated."
+
+msgid ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+msgstr ""
+"Define the length of time access will be granted by fwknopd through the "
+"firewall after a valid knock sequence from a source IP address. If "
+"“FW_ACCESS_TIMEOUT” is not set then the default timeout of 30 seconds will "
+"automatically be set."
+
+msgid ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+msgstr ""
+"Define the symmetric key used for decrypting an incoming SPA packet that is "
+"encrypted by the fwknop client with Rijndael."
+
+msgid "Enable Uci/Luci control"
+msgstr "Enable Uci/Luci control"
+
+msgid "Enable config overwrite"
+msgstr "Enable config overwrite"
+
+msgid "Enter custom access.conf variables below:"
+msgstr "Enter custom access.conf variables below:"
+
+msgid "Enter custom fwknopd.conf variables below:"
+msgstr "Enter custom fwknopd.conf variables below:"
+
+msgid "Firewall Knock Daemon"
+msgstr "Firewall Knock Daemon"
+
+msgid "Firewall Knock Operator"
+msgstr "Firewall Knock Operator"
+
+msgid ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+msgstr ""
+"Force all SPA packets to contain a real IP address within the encrypted "
+"data. This makes it impossible to use the -s command line argument on the "
+"fwknop client command line, so either -R has to be used to automatically "
+"resolve the external address (if the client behind a NAT) or the client must "
+"know the external IP and set it via the -a argument."
+
+msgid ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+msgstr ""
+"Maximum age in seconds that an SPA packet will be accepted. defaults to 120 "
+"seconds"
+
+msgid "Normal Key"
+msgstr "Normal Key"
+
+msgid "Specify the ethernet interface on which fwknopd will sniff packets."
+msgstr "Specify the ethernet interface on which fwknopd will sniff packets."
+
+msgid "The base64 hmac key"
+msgstr "The base64 hmac key"
+
+msgid "Use ANY for any source ip"
+msgstr "Use ANY for any source ip"
+
+msgid ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+msgstr ""
+"When unchecked, the config files in /etc/fwknopd will be used as is, "
+"ignoring any settings here."
+
+msgid "access.conf stanzas"
+msgstr "access.conf stanzas"
+
+msgid "fwknopd.conf config options"
+msgstr "fwknopd.conf config options"
msgid ""
msgstr "Content-Type: text/plain; charset=UTF-8"
+msgid ""
+"Allow SPA clients to request access to services through an iptables firewall "
+"instead of just to it."
+msgstr ""
+
msgid "Base 64 key"
msgstr ""
msgid "Normal Key"
msgstr ""
+msgid "Specify the ethernet interface on which fwknopd will sniff packets."
+msgstr ""
+
msgid "The base64 hmac key"
msgstr ""
#!/bin/sh
#-- Copyright 2015 Jonathan Bennett <jbennett@incomsystems.biz>
#-- Licensed to the public under the GNU General Public License v2.
+. /lib/functions/network.sh
uci batch <<EOF
add ucitrack fwknopd
commit ucitrack
EOF
+uci delete fwknopd.@access[0].KEY
+uci delete fwknopd.@access[0].HMAC_KEY
uci set fwknopd.@access[0].keytype='Base 64 key'
uci set fwknopd.@access[0].hkeytype='Base 64 key'
uci set fwknopd.@access[0].KEY_BASE64=`fwknopd --key-gen | awk '/^KEY/ {print $2;}'`
uci set fwknopd.@access[0].HMAC_KEY_BASE64=`fwknopd --key-gen | awk '/^HMAC/ {print $2;}'`
+uci set fwknopd.@config[0].ENABLE_IPT_FORWARDING='y'
+
uci commit fwknopd
rm -f /tmp/luci-indexcache
exit 0
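Review bot: `uci set fwknopd.@config[0].ENABLE_IPT_FORWARDING='y'` turns on forwarding for every fresh install, so a valid SPA packet can then open access to hosts behind the router rather than only to the router itself; fwknopd's own shipped default for this setting is, to my knowledge, `N`. Since the same commit exposes the option in LuCI, the safer choice is to leave it unset here and let the administrator opt in, or at minimum justify the choice in place with `# Enabled so SPA clients can reach LAN services through the router; set to 'n' to limit access to the router itself`. Separately, `. /lib/functions/network.sh` is sourced but none of its functions are referenced in this script; drop it unless a follow-up needs it. The two `uci delete` lines will report "Entry not found" on systems where the legacy `KEY`/`HMAC_KEY` options were never set; appending `2>/dev/null` keeps the defaults script quiet without changing its effect.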