Description
Recently I've tried to use fwknop on OpenWrt. Of course, there is no nftables support and it does not work out of the box, but that wouldn't be a problem if CMD_CYCLE_OPEN were implemented (and documented) properly.
As per the documentation, there are a number of substitution variables:

- `$IP`/`$SRC`
- `$PKT_SRC`
- `$DST`: I expected to see the local address here when using `--nat-access name.local:port`, but I always got the router WAN address instead of the resolved `name.local`. This happens even when `name.local` is not resolvable.
- `$PORT` (the allow port)
- `$PROTO` (the allow protocol)
- `$TIMEOUT` (sets the client timeout if specified). It seems this is a timestamp rather than a timeout? A bit of explanation would be helpful.
- `$CLIENT_TIMEOUT` (undocumented): the "real" timeout?
I failed to find anything like a `$DST_PORT` variable, so I realized that forwarding an external port to an internal host port via CMD_CYCLE_OPEN is impossible.
There is good reason to believe that a proper CMD_CYCLE_OPEN implementation would make it easier to integrate fwknop into different firewalls, including manually scripted ones and nftables itself.
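As an added illustration (this is not fwknop's code and not something the issue author posted), here is a POSIX sh helper of the kind a CMD_CYCLE_OPEN line could call once fwknop has substituted `$IP`, `$PORT`, `$PROTO` and a timeout into the command. The access.conf line shown in the comment, the script path, the nft table and set names, and the assumption that the fourth argument is a duration in seconds (whichever of `$TIMEOUT` / `$CLIENT_TIMEOUT` actually carries that) are all assumptions for the example. The security-relevant point is that every argument originates in a decrypted SPA packet and is validated before it is placed in a firewall command; the rule text is built by a function so it can be checked offline, and `nft` is only invoked when the script is run with four arguments.

```shell
#!/bin/sh
# Added example, not part of fwknop. Intended to be called from access.conf
# roughly like (line syntax and path are assumptions):
#   CMD_CYCLE_OPEN: /etc/fwknop/open.sh $IP $PORT $PROTO $CLIENT_TIMEOUT
# Assumed nft layout: table inet fwknop with sets open_tcp / open_udp of
# type "ipv4_addr . inet_service" and "flags timeout", so entries expire
# on their own and no CMD_CYCLE_CLOSE bookkeeping is needed.

# is_ipv4 ADDR: accept only a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_uint N: unsigned decimal integer, nothing else (no signs, no spaces)
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# is_port N: valid TCP/UDP port number
is_port() {
    is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_proto P: only the two protocols the example sets exist for
is_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# build_open_rule IP PORT PROTO SECONDS
# Prints one nft command that opens IP -> PORT/PROTO for SECONDS, or
# returns 1 without printing anything if any argument fails validation.
build_open_rule() {
    ip=$1; port=$2; proto=$3; secs=$4
    is_ipv4 "$ip" && is_port "$port" && is_proto "$proto" && is_uint "$secs" || return 1
    printf 'add element inet fwknop open_%s { %s . %s timeout %ss }\n' \
        "$proto" "$ip" "$port" "$secs"
}

# When run by fwknop with the four substituted values, apply the rule.
# With no arguments (e.g. when sourced for testing) nothing is executed.
if [ $# -eq 4 ]; then
    rule=$(build_open_rule "$@") || { echo "open.sh: rejected arguments" >&2; exit 1; }
    printf '%s\n' "$rule" | nft -f -
fi
```

The validation is deliberately strict (no IPv6, no hostnames) because the arguments are interpolated into a command line by fwknop before the script sees them; anything that is not a plain address, port number, protocol name or integer is refused rather than forwarded to `nft`.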