Ensure generated code is checked in

These were previously used while trying to parse out specific headers.  They are no longer required though because the current length bounds checks covers edge cases.

.gitignore

@@ -2,4 +2,3 @@ hyp.secret
 *.exe
 hypd/hypd
 hyp/hyp
-hypd/server/hyp_bpf_bpfe*

README.md

@@ -25,14 +25,13 @@ Most port-knocking implementations are susceptible to replay attacks, a network
 
 hyp supports a clock skew of up to 30 seconds between client and server.  
 
-### TBD: Protection Against Sweeping Attacks
+### Protection Against Sweeping Attacks
 
-~~hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly.  If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset.~~
+hyp protects against sweeping attacks where an adversary modulates over the entire port range multiple times by ensuring the authentic knock sequence is strict and ordered correctly.  If the first port is guessed, but the next pack arrives and is the incorrect second port in the sequence, the progress gets reset.  In addition to this, the correct authentic knock sequence must be entered within 5 seconds of the start of the sequence.  
 
 ### Known Weaknesses
 
 * Lossy networks can result in the knock sequence failing
-* Networks with latency > 500ms can result in the knock sequence failing if packets arrive out of order
 
 ### References
 

hypd/server/README.md

@@ -0,0 +1,30 @@
+# hypd server
+
+hypd is the port knocking daemon which runs on an edge device connecting to an untrusted network.  Leveraging eBPF's XDP hook point, it extracts header information directly and sends to userspace the specific information required.  This method is faster than alternative methods such as using libpcap.  
+
+### eBPF
+
+The hyp_bpf.c program can be recompiled using go generate.
+
+```bash
+# Debian: sudo apt install git clang linux-headers-amd64 libbpf-dev
+go generate .
+```
+
+### Generating vmlinux.h
+
+vmlinux.h is included in hyp_bpf.c and can be regenerated with bpftool.
+
+```bash
+# Debian: sudo apt install bpftool
+sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../headers/vmlinux.h
+```
+
+### Building hypd
+
+hypd has no CGO dependencies and so can run on musl systems as well.  
+
+```bash
+# To ensure it can run on  systems don't use CGO
+CGO_ENABLED=0 go build .
+```

hypd/server/hyp_bpf.c

@@ -7,12 +7,8 @@ Copyright © 2024 Steven Polley <himself@stevenpolley.net>
 #include "bpf_endian.h"
 #include <bpf/bpf_helpers.h>
 
-
 char __license[] SEC("license") = "BSD";
 
-#define ETH_P_IP 0x0800
-#define IP_FRAGMENTED 65343
-
 // representation of knock data that gets sent to userspace
 struct knock_data {
 	__u32 srcip; // 4 bytes
@@ -44,7 +40,6 @@ int xdp_prog_func(struct xdp_md *ctx) {
 
 	// parse ethernet header
 	struct ethhdr *eth = data;
-
 	if ((void *)eth + sizeof(*eth) <= data_end) {
 		// parse IP header
 		struct iphdr *ip = data + sizeof(*eth);