
The purpose of this directory is to provide an automated testing
infrastructure for fwknop. This includes the ability to test the SPA (Single
Packet Authorization) mode of fwknop operations as well as more basic things
such as program compilation.

The fwknop_test.pl program should be run as root so that the local firewall
policy can be temporarily altered to test SPA access (this is done over the
loopback interface and does not alter the existing firewall policy).

Because fwknop requires various Perl modules to be installed in
/usr/lib/fwknop/, this test suite can really only function correctly after
fwknop has been installed. If there appears to be a problem with fwknop, this
test suite may find it.

***************************                        ***************************
IMPORTANT NOTE: If your local firewall restricts UDP/62201 communications
over the loopback interface, then you will need to add a rule to accept such
communications in order for this test suite to work.
***************************                        ***************************
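
One way to add the rule described in the note above only for the duration of
a test run, as an added example that is not part of fwknop or its test suite.
It assumes iptables, a restriction in the INPUT chain and a loopback interface
named "lo"; the IPTABLES and SUITE variables are hypothetical overrides.

```shell
#!/bin/sh
# Added example (not part of fwknop): allow SPA packets on loopback only for
# the duration of a test run. IPTABLES and SUITE are hypothetical overrides.
IPTABLES=${IPTABLES:-iptables}
SUITE=${SUITE:-./fwknop_test.pl}
SPA_PORT=62201   # UDP port named in the note above

# One rule specification shared by check, insert and delete so they match.
# Assumes the restriction is in the INPUT chain and loopback is named "lo".
spa_rule_spec() {
    printf '%s' "INPUT -i lo -p udp --dport ${SPA_PORT} -j ACCEPT"
}

# Succeeds if an identical rule is already in place (iptables -C).
spa_rule_present() {
    $IPTABLES -C $(spa_rule_spec) 2>/dev/null
}

# Insert the rule if it is missing, run the suite, then delete only a rule
# that this function inserted. Returns the suite's exit status.
run_suite_with_spa_rule() {
    added=0
    if ! spa_rule_present; then
        $IPTABLES -I $(spa_rule_spec) || return 1
        added=1
    fi
    rc=0
    $SUITE || rc=$?
    if [ "$added" -eq 1 ]; then
        $IPTABLES -D $(spa_rule_spec) || rc=1
    fi
    return "$rc"
}

# Run only when invoked as: sh spa_loopback.sh run   (must be root)
if [ "${1:-}" = "run" ]; then
    run_suite_with_spa_rule
fi
```

A rule that was already present before the run is left in place, so an
existing policy is never reduced by the cleanup step.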

Under normal circumstances, the output of this program should look like the
following (under Linux; some tests are not yet enabled on systems running
ipfw):

# ./fwknop_test.pl

[+] ==> Running fwknop test suite; firewall: iptables <==

[+] perl program compilation.........................................pass (0)
[+] C program compilation............................................pass (1)
[+] Stopping any running fwknopd processes...........................pass (2)
[+] Flushing all fwknop iptables rules...............................pass (3)
[+] Testing Rijndael key validity....................................pass (4)
[+] Generating SPA access packet with fwknop client..................pass (5)
[+] Sniffing SPA access packet to acquire access.....................pass (6)
[+] Firewall access rules exist......................................pass (7)
    (Sleeping for 10 (+5) seconds for firewall rule timeout)
    15 10 5 0
[+] Firewall access rules removed....................................pass (8)
[+] Stopping all running fwknopd processes...........................pass (9)
[+] Replay attack detection..........................................pass (10)
[+] SPA packet randomness............................................pass (11)
[+] Generating SPA packet with 0.0.0.0 src addr......................pass (12)
[+] Sniffing packet source address with 0.0.0.0 src addr.............pass (13)
[+] Generating SPA packet with invalid user..........................pass (14)
[+] Invalid user detection...........................................pass (15)
[+] Generating SPA command packet....................................pass (16)
[+] Sniffing SPA command packet and executing........................pass (17)
[+] Making sure firewall rules have been removed.....................pass (18)
[+] Generating SPA command packet with non-matching regex............pass (19)
[+] SPA command packet filtered......................................pass (20)
[+] Making sure firewall rules do not exist..........................pass (21)
[+] Stopping all running fwknopd processes...........................pass (22)
[+] Generating FORWARD chain access packet...........................pass (23)
[+] FORWARD request detection........................................pass (24)
[+] FORWARD and DNAT access..........................................pass (25)
    (Sleeping for 10 (+5) seconds for firewall rule timeout)
    15 10 5 0
[+] Making sure firewall rules have been removed.....................pass (26)
[+] Stopping all running fwknopd processes...........................pass (27)
[+] Generating SPA access packet with fwknop client..................pass (28)
[+] SPA communications via tcpdump capture file......................pass (29)
[+] Firewall access rules exist......................................pass (30)
    (Sleeping for 10 (+5) seconds for firewall rule timeout)
    15 10 5 0
[+] Firewall access rules removed....................................pass (31)
[+] Stopping all running fwknopd processes...........................pass (32)
[+] Deleting all fwknopd iptables chains.............................pass (33)

[+] ==> Passed 34 tests against fwknop. <==
