fwknop 2.0 (C implementation)
After many months of work, fwknop (the Perl Single Packet Authorization implementation) has been entirely rewritten in C. The purpose of the C redesign has been primarily to allow an even more widespread deployment of SPA to devices on which the Perl implementation may not be suitable. One example of this is the OpenWRT platform which turns many entry-level routers into more flexible and powerful network devices. This now allows border routers to perform SPA and firewall manipulation, instead of doing this at the host-level (although it can be done at both).
The core of the C implementation is the libfko library, which other applications can use to perform fwknop-compatible SPA. The Perl and C implementations are compatible with each other, and the Perl version will continue to be maintained. At the moment the C version is still a Release Candidate and initially supports only iptables. Further versions will bring it in line with the Perl version, which supports additional firewall software and features.
fwknop offers both a server-side daemon – which listens for valid authorization packets and performs pre-defined activities (such as opening a firewall port) – and an SPA client, which is used to construct authorization packets and send them to the target server. The Perl version of fwknop runs on Linux/Unix, Mac OS X, Windows and anything else capable of running Perl. The fwknop-C implementation should run on any device capable of compiling the necessary libraries. I haven’t yet tested it on OSX, but expect it will probably compile. The server-side functionality on OSX will have to wait until ipfw (OSX’s firewall) support is ported over.
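The client/daemon flow described above, as an added illustration that is not fwknop's code and not its wire format: the client builds a keyed, timestamped packet, and the daemon performs its pre-defined action only for a packet whose HMAC verifies, that falls inside a time window, and that it has not seen before. The shared key, field names, window size and rule format are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key; a real deployment uses fwknop's own key handling.
SHARED_KEY = b"example-shared-key-not-for-real-use"
TIME_WINDOW = 120  # seconds of clock skew the daemon tolerates (assumed)


def build_spa_packet(user, source_ip, access, now, key=SHARED_KEY):
    """Client side: serialise the request and append an HMAC-SHA256 tag.
    The nonce makes every packet unique so the daemon can detect replays."""
    fields = {"user": user, "src": source_ip, "access": access,
              "ts": int(now), "nonce": os.urandom(8).hex()}
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class SpaDaemon:
    """Server side: validate each packet, then apply the pre-defined action."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = set()      # digests of accepted packets (replay cache)
        self.rules = []        # firewall rules the daemon would apply

    def handle(self, packet, now):
        body, sep, tag = packet.rpartition(b"|")
        if not sep:
            return "malformed"
        # Authenticate before parsing anything, in constant time.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad-hmac"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "replay"
        msg = json.loads(body)
        if abs(now - msg["ts"]) > TIME_WINDOW:
            return "stale"
        self.seen.add(digest)
        # Pre-defined action: open the requested port for the requesting source.
        proto, port = msg["access"].split("/")
        self.rules.append(
            f"iptables -I INPUT -s {msg['src']} -p {proto} --dport {port} -j ACCEPT")
        return "accepted"
```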
The fwknop 2.0 source as well as a package for OpenWRT are available for download here.