Hacking Linux Exposed has a (now) 3-part series on "Stealthily Managing IPTables Remotely". Part 1 explains how to get Net::Pcap to sniff certain types of packets. Part 2 explains how to run programs based on those sniffed packets. Part 3 describes how to send commands to the above.
Although it's not "portknocking", it's close and gives a good idea of possible capabilities for both methods. In either case, it can be used for good or evil.