
proper CMD_CYCLE_OPEN implementation (general scripting support)?

Open beelze opened this issue 2 years ago • 0 comments

Recently I've tried to use fwknop on OpenWrt. Of course, there is no nftables support and it is not working out-of-the-box, but it wouldn't be a problem if CMD_CYCLE_OPEN were implemented (and documented) properly.

As per the documentation, there are a number of substitution variables:

- `$IP`/`$SRC`
- `$PKT_SRC`
- `$DST`: I expected to see the local address here when using `--nat-access name.local:port`, but always got the router WAN address instead of the resolved `name.local`. This happens even when `name.local` is not resolvable.
- `$PORT` (the allow port)
- `$PROTO` (the allow protocol)
- `$TIMEOUT` (set the client timeout if specified). Seems this is a timestamp rather than a timeout? A bit of explanation would be helpful.
- `$CLIENT_TIMEOUT` (undocumented): the "real" timeout?

I failed to find something like a `$DST_PORT` variable, so I realized that forwarding an external port to an internal host's port via CMD_CYCLE_OPEN is impossible.

There is good reason to believe that a proper CMD_CYCLE_OPEN implementation will make it easier to integrate fwknop into different firewalls, including manually scripted ones and nftables itself.

beelze, Nov 29 '23 19:11
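Added example, not part of the issue or of fwknop itself: a hypothetical CMD_CYCLE_OPEN helper for an nftables host that validates the substituted `$IP`, `$PORT`, `$PROTO` and `$CLIENT_TIMEOUT` values before touching the ruleset, and admits the source through a timed set element so the grant expires on its own without a separate close command. The access.conf line, script path, table name and set name are assumptions.

```shell
#!/bin/sh
# Hypothetical CMD_CYCLE_OPEN helper (assumption, not fwknop's own code).
# Assumed access.conf line:
#   CMD_CYCLE_OPEN: /usr/local/bin/fwknop-open.sh $IP $PORT $PROTO $CLIENT_TIMEOUT
# Assumed one-time nft setup; elements carry their own timeout:
#   nft add table inet fwknop
#   nft 'add set inet fwknop allow { type ipv4_addr . inet_proto . inet_service; flags timeout; }'
#   nft add chain inet fwknop input '{ type filter hook input priority -10; }'
#   nft add rule inet fwknop input ip saddr . meta l4proto . th dport @allow accept

# Each check succeeds only for the exact shape the variable should have. fwknopd
# authenticated the SPA packet already, but a shell command must never see an
# unchecked string, so anything odd is rejected rather than passed to nft.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}
valid_port()    { case "$1" in *[!0-9]*|"") return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
valid_timeout() { case "$1" in *[!0-9]*|"") return 1 ;; esac; [ "$1" -ge 1 ]; }
valid_proto()   { case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac; }

# Print the set element "{ ip . proto . port timeout Ns }" for one grant, or
# fail without output if any argument is malformed. Kept separate from the
# nft call so it can be tested and logged.
build_element() {
    valid_ipv4 "$1" && valid_port "$2" && valid_proto "$3" && valid_timeout "$4" || return 1
    printf '{ %s . %s . %s timeout %ss }' "$1" "$3" "$2" "$4"
}

# Entry point when fwknopd runs the script with the four substituted values.
main() {
    spec=$(build_element "$@") || { echo "fwknop-open: rejected '$*'" >&2; exit 1; }
    logger -t fwknop-open "allow $spec" 2>/dev/null || true
    exec nft add element inet fwknop allow "$spec"   # nft joins its argv into one statement
}
[ $# -eq 0 ] || main "$@"
```

Because the issue notes that no `$DST_PORT` variable exists, a script like this can only admit traffic to the allow port itself; it cannot forward it to a different internal port.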