This was introduced in the previous few commits when adding support for multiple secrets in knockd. The logic to push and pop entries from the knockSequences slice needed to be adjusted to cound for the number of secrets that are loaded by hypd.
This allows you to generate more than one pre-shared secret on the knock daemon so that you can distribute the secret and control revocation at a more granular level. Each additional secret creates one more concurrent authentic knock sequence.
Instead of using the hardcoded proof of concept for iptables, the success action is now read from the hypd configuration file and whatever is defined there is executed.
The syntax for the hypd server command has changed. Now instead of specifying an interface name as an argument to the server command, you instead specify a configuration file path.
Example:
./hypd server hypdconfig.json
These were previously used while trying to parse out specific headers. They are no longer required though because the current length bounds checks covers edge cases.
This provides another layer of additional protection against sweep attacks by ensuring the correct sequence be entered rapidly, within 3 seconds by default. It also prevents a client from sitting stuck forever part way through an old knock sequence.
We really only care getting as far as the UDP header and can discard the rest. This should reduce load, and perhaps enable full pcap with ports on the BPF filter
UDP header = 8 bytes
IPv4 max size = 60 bytes
IPv6 fixed size = 40 bytes
Ethernet header size = 18 bytes
To better support configuration and user friendliness, migrated to cobra based CLI. The source tree structure has also changed to single go module, the server has been renamed hypd and client has been named hyp. The original structure came into being organically, but now that the vision is more complete it's best to make these adjustments now.
