On Tue, Mar 2, 2010 at 11:17 PM, Michael Rash <firstname.lastname@example.org>
On Mar 02, 2010, Steve D wrote:The variable substitutions take place for any variable in the access.conf
> How do I know what variables are available to me with external commands?
> All of the examples use $SRC, but a few of the config files claim there are
> many more. How would I find what these are?
> Specifically, I'd like to use the source IP address where the packet
> originated (not the one specified in the message) and I'd like the
> username. Is this possible?
file. Most of these are documented in the fwknopd man page, but a few
aren't yet. If you want to substitute the user, then the 'REQUIRE_USERNAME'
variable will do the trick.
For the source IP, the variable substitution is done for the source IP that
is contained within the encrypted SPA packet, and this may or may not be
the source IP in the IP header when the packet is sniffed by the fwknopd
daemon. Using the source IP in the IP header instead is not currently
supported. In general, fwknop tries to be careful about untrusted data,
and the source IP in the header is much less trustworthy than the IP within
the SPA packet. Perhaps I'm missing a compelling use case though - is
there a good reason to use the IP in the header?