proper CMD_CYCLE_OPEN implementation (general scripting support)?
beelze opened this issue
Recently I've tried to use fwknop on OpenWrt. Of course, there is no nftables support and it is not working out of the box, but it wouldn't be a problem if CMD_CYCLE_OPEN were implemented (and documented) properly.
As per the documentation, there are a number of substitution variables:

- $IP/$SRC
- $PKT_SRC
- $DST: I expected to see the local address here when using --nat-access name.local:port, but always got the router WAN address instead of the resolved name.local. This happens even when name.local is not resolvable.
- $PORT (the allow port)
- $PROTO (the allow protocol)
- $TIMEOUT (set the client timeout if specified). Seems this is a timestamp rather than a timeout? A bit of explanation would be helpful.
- $CLIENT_TIMEOUT (undocumented): the "real" timeout?
I failed to find something like a $DST_PORT variable, so I realized that forwarding an external port to an internal host port via CMD_CYCLE_OPEN is impossible.
There is good reason to believe that a proper CMD_CYCLE_OPEN implementation will make integrating fwknop into different firewalls easier, including manually scripted ones and nftables itself.
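As an added example (not code from the issue, from fwknop, or from OpenWrt), here is a POSIX sh helper that a CMD_CYCLE_OPEN script could call with the substituted source address, allow port, allow protocol and a timeout in seconds. The argument order, the function names (`is_ipv4`, `in_range`, `build_open_rule`), the one-day timeout cap and the nftables layout (a table `inet fwknop` holding timeout-flagged sets `allow_tcp`/`allow_udp` of `address . port` elements) are this example's own assumptions; which fwknop variable carries the seconds value ($TIMEOUT or $CLIENT_TIMEOUT) is exactly the open question in the issue, so the script takes it as a plain fourth argument. The point it demonstrates is that every value fwknopd substitutes into a shell command line is checked against a strict shape before it is handed to the firewall tool, and that the script only composes and prints the command, leaving the caller to decide whether to execute it.

```shell
#!/bin/sh
# Added example, not fwknop's own code: validate the values substituted into a
# CMD_CYCLE_OPEN command line, then compose an nftables command from them.
# Assumed calling convention (the variable names come from the issue above;
# the order and the nft table/set layout are this example's assumptions):
#   CMD_CYCLE_OPEN /etc/fwknop/open.sh $SRC $PORT $PROTO $CLIENT_TIMEOUT

# Succeed only for a dotted-quad IPv4 address whose four octets are all 0-255.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1            # split the address on dots into $1..$4
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed only for a plain decimal integer $1 with $2 <= $1 <= $3.
in_range() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

is_port()    { in_range "$1" 1 65535; }
is_timeout() { in_range "$1" 1 86400; }   # assumed cap: one day

is_proto() {
  case "$1" in
    tcp|udp) return 0 ;;
    *)       return 1 ;;
  esac
}

# Compose the nft command for one access request. Prints the command on
# success and returns 0; prints a rejection reason on stderr and returns 1
# if any argument fails validation, so nothing unexpected reaches nft.
build_open_rule() {
  src=$1; port=$2; proto=$3; secs=$4
  is_ipv4 "$src"       || { echo "rejected source address: $src" >&2; return 1; }
  is_port "$port"      || { echo "rejected port: $port" >&2; return 1; }
  is_proto "$proto"    || { echo "rejected protocol: $proto" >&2; return 1; }
  is_timeout "$secs"   || { echo "rejected timeout: $secs" >&2; return 1; }
  # Assumed layout: set allow_<proto> of type ipv4_addr . inet_service with
  # flags timeout, so the element expires by itself and no close step is needed.
  printf 'nft add element inet fwknop allow_%s { %s . %s timeout %ss }\n' \
    "$proto" "$src" "$port" "$secs"
}

# When run directly with the four substituted arguments (rather than sourced),
# print the composed command; the caller decides whether to execute it.
if [ "$#" -eq 4 ]; then
  build_open_rule "$@"
fi
```

A caller that wants to run the command can pipe the output into `sh` or `eval` it only after `build_open_rule` has returned 0; since the function refuses anything that is not a bare address, port, protocol name and integer, a substituted value such as `1.2.3.4; reboot` is rejected before it could ever be interpreted by a shell.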