jsimonetti / sniqueue Goto Github PK
View Code? Open in Web Editor NEWUsing nfqueue to accept or drop flows destined for SNI domainnames
License: MIT License
sniqueue's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
galeksandrpsniqueue's Issues
Is it possible to send a reset instead of dropping the packet?
Hi @jsimonetti,
Thank you very much for your work.
I'm not very familiar with Golang. Is there a way to send "TCP reset" and/or "ICMP port unreachable" instead of dropping the packet to prevent the client and the daemon from a resend cycle?
Getting Parse error: insufficient bytes to unmarshal QUIC
Hi,
For all forwarded quic packages, I'm getting "Parse error: insufficient bytes to unmarshal QUIC" error.
Any idea what it could be or what to do to debug the problem?
Thanks.
PCAP file:
sniqueue.ipv4.pcap.zip
System:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04 LTS
Release: 22.04
Codename: jammy
uname -a
Linux homedevice 5.16.17-sun50iw9 #3.0.6 SMP Tue Aug 9 13:51:16 CST 2022 aarch64 aarch64 aarch64 GNU/LinuxNftables config:
flush ruleset
table inet filter {
flowtable f {
hook ingress priority 0;
}
chain input {
type filter hook input priority filter; policy accept;
}
chain sniqueue {
type filter hook forward priority -2; policy accept;
ct mark 101 accept comment "Accept known good SNI not yet offloaded"
tcp dport 443 ct mark 100 reject with tcp reset comment "Reject known bad TCP SNI"
udp dport 443 ct mark 100 reject with icmp type port-unreachable comment "Reject known bad QUIC SNI"
tcp dport 443 ct mark set 102 comment "Mark all unjudged packets"
udp dport 443 ct mark set 102 comment "Mark all unjudged packets"
meta mark set ct mark
tcp dport 443 ct original packets <20 queue num 100 bypass
udp dport 443 ct original packets <20 queue num 100 bypass
}
chain sniqueue_block {
type filter hook forward priority -1; policy accept;
ct mark set meta mark
ct mark 102 accept comment "Accept packets without verdict"
tcp dport 443 ct mark 100 reject with tcp reset comment "Reject known bad TCP"
udp dport 443 ct mark 100 reject with icmp type port-unreachable comment "Reject known bad QUIC"
ct mark 101 flow offload @f comment "Offload known good SNI"
}
chain forward {
type filter hook forward priority filter; policy accept;
ct mark != 102 flow offload @f comment "Offload packets not sent to SNIqueue"
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
ct state new,related,established counter packets 91 bytes 6939 masquerade
}
}
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.