OpenGFW/README.md

# ![OpenGFW](docs/logo.png)

[![License][1]][2]

[1]: https://img.shields.io/badge/License-MPL_2.0-brightgreen.svg
[2]: LICENSE

**[中文文档](README.zh.md)**
**[日本語ドキュメント](README.ja.md)**

OpenGFW is a flexible, easy-to-use, open source implementation of [GFW](https://en.wikipedia.org/wiki/Great_Firewall) on
Linux that's in many ways more powerful than the real thing. It's cyber sovereignty you can have on a home router.

> [!CAUTION]
> This project is still in very early stages of development. Use at your own risk.

> [!NOTE]
> We are looking for contributors to help us with this project, especially implementing analyzers for more protocols!!!

## Features

- Full IP/TCP reassembly, various protocol analyzers
  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
  - "Fully encrypted traffic" detection for Shadowsocks,
    etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
  - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
  - [WIP] Machine learning based traffic classification
- Full IPv4 and IPv6 support
- Flow-based multicore load balancing
- Connection offloading
- Powerful rule engine based on [expr](https://github.com/expr-lang/expr)
- Hot-reloadable rules (send `SIGHUP` to reload)
- Flexible analyzer & modifier framework
- Extensible IO implementation (only NFQueue for now)
- [WIP] Web UI

## Use cases

- Ad blocking
- Parental control
- Malware protection
- Abuse prevention for VPN/proxy services
- Traffic analysis (log only mode)

## Usage

### Build

```shell
go build
```

### Run

```shell
export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml
```

#### OpenWrt

OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).

Install the dependencies:

```shell
opkg install kmod-nft-queue kmod-nf-conntrack-netlink
```

### Example config

```yaml
io:
  queueSize: 1024
  local: true # set to false if you want to run OpenGFW on FORWARD chain

workers:
  count: 4
  queueSize: 16
  tcpMaxBufferedPagesTotal: 4096
  tcpMaxBufferedPagesPerConn: 64
  udpMaxStreams: 4096

# The path to load specific local geoip/geosite db files.
# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat
# geo:
#   geoip: geoip.dat
#   geosite: geosite.dat
```

### Example rules

[Analyzer properties](docs/Analyzers.md)

For syntax of the expression language, please refer
to [Expr Language Definition](https://expr-lang.org/docs/language-definition).

```yaml
- name: block v2ex http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "v2ex.com"

- name: block v2ex https
  action: block
  expr: string(tls?.req?.sni) endsWith "v2ex.com"

- name: block v2ex quic
  action: block
  expr: string(quic?.req?.sni) endsWith "v2ex.com"

- name: block shadowsocks
  action: block
  expr: fet != nil && fet.yes

- name: block trojan
  action: block
  expr: trojan != nil && trojan.yes

- name: v2ex dns poisoning
  action: modify
  modifier:
    name: dns
    args:
      a: "0.0.0.0"
      aaaa: "::"
  expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})

- name: block google socks
  action: block
  expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80

- name: block wireguard by handshake response
  action: drop
  expr: wireguard?.handshake_response?.receiver_index_matched == true

- name: block bilibili geosite
  action: block
  expr: geosite(string(tls?.req?.sni), "bilibili")

- name: block CN geoip
  action: block
  expr: geoip(string(ip.dst), "cn")

- name: block cidr
  action: block
  expr: cidr(string(ip.dst), "192.168.0.0/16")
```

#### Supported actions

- `allow`: Allow the connection, no further processing.
- `block`: Block the connection, no further processing.
- `drop`: For UDP, drop the packet that triggered the rule, continue processing future packets in the same flow. For
  TCP, same as `block`.
- `modify`: For UDP, modify the packet that triggered the rule using the given modifier, continue processing future
  packets in the same flow. For TCP, same as `allow`.
first 2024-01-20 08:45:01 +08:00			`# ![OpenGFW](docs/logo.png)`

			`[![License][1]][2]`

			`[1]: https://img.shields.io/badge/License-MPL_2.0-brightgreen.svg`
			`[2]: LICENSE`

			`[中文文档](README.zh.md)`
docs: add Japanese README 2024-01-25 12:01:43 +08:00			`[日本語ドキュメント](README.ja.md)`
first 2024-01-20 08:45:01 +08:00
			`OpenGFW is a flexible, easy-to-use, open source implementation of [GFW](https://en.wikipedia.org/wiki/Great_Firewall) on`
			`Linux that's in many ways more powerful than the real thing. It's cyber sovereignty you can have on a home router.`

			`> [!CAUTION]`
			`> This project is still in very early stages of development. Use at your own risk.`

			`> [!NOTE]`
			`> We are looking for contributors to help us with this project, especially implementing analyzers for more protocols!!!`

			`## Features`

			`- Full IP/TCP reassembly, various protocol analyzers`
docs: add QUIC 2024-02-18 05:56:33 +08:00			`- HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come`
docs: update socks rules 2024-01-28 05:56:08 +08:00			`- "Fully encrypted traffic" detection for Shadowsocks,`
			`etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)`
			`- Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)`
			`- [WIP] Machine learning based traffic classification`
docs: trivial updates 2024-01-22 08:11:01 +08:00			`- Full IPv4 and IPv6 support`
first 2024-01-20 08:45:01 +08:00			`- Flow-based multicore load balancing`
			`- Connection offloading`
			`- Powerful rule engine based on [expr](https://github.com/expr-lang/expr)`
feat: rules hot reload via SIGHUP (#44) 2024-02-04 02:55:20 +08:00			- Hot-reloadable rules (send `SIGHUP` to reload)
first 2024-01-20 08:45:01 +08:00			`- Flexible analyzer & modifier framework`
			`- Extensible IO implementation (only NFQueue for now)`
			`- [WIP] Web UI`

			`## Use cases`

			`- Ad blocking`
			`- Parental control`
			`- Malware protection`
			`- Abuse prevention for VPN/proxy services`
			`- Traffic analysis (log only mode)`

			`## Usage`

			`### Build`

			```shell
			`go build`
			```

			`### Run`

			```shell
			`export OPENGFW_LOG_LEVEL=debug`
			`./OpenGFW -c config.yaml rules.yaml`
			```

docs: add a section about openwrt (#53) 2024-02-12 05:12:49 +08:00			`#### OpenWrt`

			`OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).`

			`Install the dependencies:`

			```shell
			`opkg install kmod-nft-queue kmod-nf-conntrack-netlink`
			```

first 2024-01-20 08:45:01 +08:00			`### Example config`

			```yaml
			`io:`
			`queueSize: 1024`
			`local: true # set to false if you want to run OpenGFW on FORWARD chain`

			`workers:`
			`count: 4`
			`queueSize: 16`
			`tcpMaxBufferedPagesTotal: 4096`
			`tcpMaxBufferedPagesPerConn: 64`
			`udpMaxStreams: 4096`
Add the configuration for the path of geoip and geosite. (#57) * Update README.md * Update README.zh.md * Update README.ja.md * minor tweaks --------- Co-authored-by: Toby <tobyxdd@gmail.com> 2024-02-18 06:03:50 +08:00
			`# The path to load specific local geoip/geosite db files.`
			`# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat`
			`# geo:`
			`# geoip: geoip.dat`
			`# geosite: geosite.dat`
first 2024-01-20 08:45:01 +08:00			```

			`### Example rules`

docs: analyzers 2024-01-25 12:01:53 +08:00			`[Analyzer properties](docs/Analyzers.md)`
first 2024-01-20 08:45:01 +08:00
			`For syntax of the expression language, please refer`
			`to [Expr Language Definition](https://expr-lang.org/docs/language-definition).`

			```yaml
			`- name: block v2ex http`
			`action: block`
			`expr: string(http?.req?.headers?.host) endsWith "v2ex.com"`

			`- name: block v2ex https`
			`action: block`
			`expr: string(tls?.req?.sni) endsWith "v2ex.com"`

docs: add QUIC 2024-02-18 05:56:33 +08:00			`- name: block v2ex quic`
			`action: block`
			`expr: string(quic?.req?.sni) endsWith "v2ex.com"`

first 2024-01-20 08:45:01 +08:00			`- name: block shadowsocks`
			`action: block`
			`expr: fet != nil && fet.yes`

feat: Trojan analyzer based on github.com/XTLS/Trojan-killer 2024-01-22 06:48:54 +08:00			`- name: block trojan`
			`action: block`
			`expr: trojan != nil && trojan.yes`

first 2024-01-20 08:45:01 +08:00			`- name: v2ex dns poisoning`
			`action: modify`
			`modifier:`
			`name: dns`
			`args:`
			`a: "0.0.0.0"`
			`aaaa: "::"`
			`expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})`
docs: add SOCKS5 2024-01-27 06:03:22 +08:00
docs: update socks rules 2024-01-28 05:56:08 +08:00			`- name: block google socks`
docs: add SOCKS5 2024-01-27 06:03:22 +08:00			`action: block`
docs: update socks rules 2024-01-28 05:56:08 +08:00			`expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80`
Add GeoIP and GeoSite support for expr (#38) * feat: copy something from hysteria/extras/outbounds/acl * feat: add geoip and geosite support for expr * refactor: geo matcher * fix: typo * refactor: geo matcher * feat: expose config options to specify local geoip/geosite db files * refactor: engine.Config should not contains geo * feat: make geosite and geoip lazy downloaded * chore: minor code improvement * docs: add geoip/geosite usage --------- Co-authored-by: Toby <tobyxdd@gmail.com> 2024-01-31 09:30:35 +08:00
Add WireGuard analyzer (#41) * feat: add WireGuard analyzer * chore(wg): reduce map creating for non wg packets * chore: import format * docs: add wg usage --------- Co-authored-by: Toby <tobyxdd@gmail.com> 2024-01-31 10:05:51 +08:00			`- name: block wireguard by handshake response`
			`action: drop`
			`expr: wireguard?.handshake_response?.receiver_index_matched == true`

Add GeoIP and GeoSite support for expr (#38) * feat: copy something from hysteria/extras/outbounds/acl * feat: add geoip and geosite support for expr * refactor: geo matcher * fix: typo * refactor: geo matcher * feat: expose config options to specify local geoip/geosite db files * refactor: engine.Config should not contains geo * feat: make geosite and geoip lazy downloaded * chore: minor code improvement * docs: add geoip/geosite usage --------- Co-authored-by: Toby <tobyxdd@gmail.com> 2024-01-31 09:30:35 +08:00			`- name: block bilibili geosite`
			`action: block`
			`expr: geosite(string(tls?.req?.sni), "bilibili")`

			`- name: block CN geoip`
			`action: block`
			`expr: geoip(string(ip.dst), "cn")`
Add CIDR support for expr (#62) * feat: add cidr support for expr * docs: add example for cidr * minor code tweaks --------- Co-authored-by: Toby <tobyxdd@gmail.com> 2024-02-18 06:21:12 +08:00
			`- name: block cidr`
			`action: block`
			`expr: cidr(string(ip.dst), "192.168.0.0/16")`
first 2024-01-20 08:45:01 +08:00			```

			`#### Supported actions`

			- `allow`: Allow the connection, no further processing.
fix: remove "reject with tcp reset" for now as it doesn't work properly 2024-01-28 05:27:27 +08:00			- `block`: Block the connection, no further processing.
first 2024-01-20 08:45:01 +08:00			- `drop`: For UDP, drop the packet that triggered the rule, continue processing future packets in the same flow. For
			TCP, same as `block`.
			- `modify`: For UDP, modify the packet that triggered the rule using the given modifier, continue processing future
docs: trivial updates 2024-01-22 08:11:01 +08:00			packets in the same flow. For TCP, same as `allow`.