is it alive?

[bam80]

Hi, the Readme states the project is under heavy development, but last commit is from beginning of the year.
Has something changed about it?

I wonder about it's readiness for everyday use.

[greenstatic]

The project in its current form works. I haven't created the documentation for it, but skimming through the internal/server_config.go file should give you a clue what type of fields are available for the server config.

The ADK feature and the XDP variant works beautifully, more details about it here: https://repozitorij.uni-lj.si/IzpisGradiva.php?id=142965&lang=eng

The only thing that is missing is replay protection support, which I haven't had the chance on implementing yet. Day time job is currently consuming pretty much all my spare time for this side project. But I have plans on continuing with development in the near future.

[bam80]

Thanks, does it mean it can be considered as a replacement for fwknop?

fwknop has nasty shortcomings currently, as no IPv6 and nftable support.

[greenstatic]

Well, I would rather at least include replay protection into the project before considering it a viable replacement for fwknop. You could however use the project in its current form, it works as is.

Since there isn't much documentation you can check out the unit tests, it should be pretty self explanatory what is required from the code. The codebase is quite readable (in my opinion 😅 ).

[bam80]

Does it mean your project has this features:

fwknop has nasty shortcomings currently, as no IPv6 and nftable support.

[greenstatic]

1. It is possible to bind the OpenSPA server to a UDPv6 socket (i.e. IPv6)
2. It is possible to request access to an IPv6 address over IPv4/6. See Firewall TLV8 definition
3. There is no OOTB nftable support, but you can add it very easily. More details below.

Currently there is only built-in support for: (1) iptables and (2) custom command.

With the custom command you could pass in a script (bash, python - whatever you can exec) where you get via stdin a JSON object with the commands details.

There are 3 firewall command hooks:

• Firewall Setup Command - this gets called when starting the OpenSPA server
• Rule Add - when a successful authorization occurs and the requested firewall request gets granted. This command gets called (i.e. iptables add or in your case nftable add rule)
• Rule Remove - after the firewall rule expires, this command gets called to cleanup the firewall rule (i.e. iptables remove or in your case nftable remove rule)

Check out the fw_command tests and server firewall config schema for details. It's quite straightforward.

FYI, the same mechanism (custom command) exists also for authorization. You can therefore hook into this to check for firewall rule authorization in a database or anything else you like.

[chris75898]

@greenstatic
Based on your comments from October of last year, you plan on continuing your work on OpenSPA. In the meantime, are you open to pull requests to add additional features? Additional documentation is the first that comes to mind but other enhancements to the software as well? For example, support for ARM processors.