Steven Polley
2951c1f684
Some checks failed
continuous-integration/drone/push Build is failing
This allows you to generate more than one pre-shared secret on the knock daemon so that you can distribute the secret and control revocation at a more granular level. Each additional secret creates one more concurrent authentic knock sequence. |
||
|---|---|---|
| .. | ||
| bpf_endian.h | ||
| hyp_bpf_bpfeb.go | ||
| hyp_bpf_bpfeb.o | ||
| hyp_bpf_bpfel.go | ||
| hyp_bpf_bpfel.o | ||
| hyp_bpf.c | ||
| packet.go | ||
| README.md | ||
| vmlinux.h | ||
hypd server
hypd is the port knocking daemon which runs on an edge device connecting to an untrusted network. Leveraging eBPF's XDP hook point, it extracts header information directly and sends to userspace the specific information required. This method is faster than alternative methods such as using libpcap.
eBPF
The hyp_bpf.c program can be recompiled using go generate.
# Debian: sudo apt install git clang linux-headers-amd64 libbpf-dev
go generate .
Generating vmlinux.h
vmlinux.h is included in hyp_bpf.c and can be regenerated with bpftool.
# Debian: sudo apt install bpftool
sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../headers/vmlinux.h
Building hypd
hypd has no CGO dependencies and so can run on musl systems as well.
# To ensure it can run on systems don't use CGO
CGO_ENABLED=0 go build .