packages/net/fwknop/files/fwknopd

config global
#	option uci_enabled '1'

config network
	# Logical network dependency, fully tracked, fwknopd gets restarted when
	# necessary. Specifying network takes precedence over config.PCAP_INTF
#	option network 'wan'

config access
	option SOURCE 'ANY'
	option HMAC_KEY '__CHANGEME__'
	option KEY '__CHANGEME__'

config config
	# Alternative direct physical interface definition, but untracked - you
	# are on your own to correctly start/stop the service when needed
#	option PCAP_INTF 'eth0'

	# Allow SPA clients to request access to services through an iptables
	# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD
	# chain instead of the INPUT chain
	option ENABLE_IPT_FORWARDING 'Y'

	# Allow fwknopd to resolve hostnames in NAT access messages
	option ENABLE_NAT_DNS 'Y'
Fwknop: add flexibility to uci support Styling cleanups signed-off-by: Jonathan Bennett <jbennett@incomsystems.biz> 2015-05-09 18:10:08 +00:00			`config global`
			`# option uci_enabled '1'`

fwknop: Add start-up dependency on network interface for fwknopd. Added new "network" section with option "network", which takes network interface name. The start-up is migrated to use procd and depend either on the "network" interface (after resolving it to a physical device), or on the PCAP_INTF option from "config" section (usual place for raw interface name for fwknopd). When the uci_enabled option is disabled, the value of PCAP_INTF is taken from the user-provided fwknopd.conf. Also fixed UCI_ENABLED variable evaluation. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2017-10-10 17:23:44 +00:00			`config network`
fwknopd: More reliable network dependency Two issues: 1. The fwknopd init script did not handle unprepared logical networks. This is fixed by A) not defining instance for procd when the physical interface is unknown, and B) by watching the logical network for changes. 2. When using PPPoE, there are two physical interfaces -- one for raw PPPoE communication and one for wrapped communication. The function network_get_physdev returns the physical device, while the function network_get_device returns the wrapped one -- we shall use the wrapped interface. Usually (for non-wrapped interfaces) the physdev and device are the same, also other network scripts use the latter function. Both issues found by and thanks are going to @lucize. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2018-04-09 11:52:39 +00:00			`# Logical network dependency, fully tracked, fwknopd gets restarted when`
			`# necessary. Specifying network takes precedence over config.PCAP_INTF`
			`# option network 'wan'`
fwknop: Add start-up dependency on network interface for fwknopd. Added new "network" section with option "network", which takes network interface name. The start-up is migrated to use procd and depend either on the "network" interface (after resolving it to a physical device), or on the PCAP_INTF option from "config" section (usual place for raw interface name for fwknopd). When the uci_enabled option is disabled, the value of PCAP_INTF is taken from the user-provided fwknopd.conf. Also fixed UCI_ENABLED variable evaluation. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2017-10-10 17:23:44 +00:00
Fwknop: add flexibility to uci support Styling cleanups signed-off-by: Jonathan Bennett <jbennett@incomsystems.biz> 2015-05-09 18:10:08 +00:00			`config access`
			`option SOURCE 'ANY'`
fwknop: Use sensible defaults. * Change KEY/HMAC_KEY to __CHANGEME__, which is rejected by fwknopd during start-up. The value CHANGEME is used only by LuCI package luci-app-fwknopd - pull request for generating keys directly from LuCI has been created already. * Add sensible defaults for ENABLE_IPT_FORWARDING and ENABLE_NAT_DNS, which both are/were set by luci-app-fwknopd. Move the defaults here. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2020-10-15 15:48:12 +00:00			`option HMAC_KEY '__CHANGEME__'`
			`option KEY '__CHANGEME__'`
Fwknop: add flexibility to uci support Styling cleanups signed-off-by: Jonathan Bennett <jbennett@incomsystems.biz> 2015-05-09 18:10:08 +00:00
			`config config`
fwknopd: More reliable network dependency Two issues: 1. The fwknopd init script did not handle unprepared logical networks. This is fixed by A) not defining instance for procd when the physical interface is unknown, and B) by watching the logical network for changes. 2. When using PPPoE, there are two physical interfaces -- one for raw PPPoE communication and one for wrapped communication. The function network_get_physdev returns the physical device, while the function network_get_device returns the wrapped one -- we shall use the wrapped interface. Usually (for non-wrapped interfaces) the physdev and device are the same, also other network scripts use the latter function. Both issues found by and thanks are going to @lucize. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2018-04-09 11:52:39 +00:00			`# Alternative direct physical interface definition, but untracked - you`
			`# are on your own to correctly start/stop the service when needed`
			`# option PCAP_INTF 'eth0'`
fwknop: Use sensible defaults. * Change KEY/HMAC_KEY to __CHANGEME__, which is rejected by fwknopd during start-up. The value CHANGEME is used only by LuCI package luci-app-fwknopd - pull request for generating keys directly from LuCI has been created already. * Add sensible defaults for ENABLE_IPT_FORWARDING and ENABLE_NAT_DNS, which both are/were set by luci-app-fwknopd. Move the defaults here. Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com> 2020-10-15 15:48:12 +00:00
			`# Allow SPA clients to request access to services through an iptables`
			`# firewall instead of just to it (i.e. access through the FWKNOP_FORWARD`
			`# chain instead of the INPUT chain`
			`option ENABLE_IPT_FORWARDING 'Y'`

			`# Allow fwknopd to resolve hostnames in NAT access messages`
			`option ENABLE_NAT_DNS 'Y'`