2024-01-20 08:45:01 +08:00
|
|
|
|
# ![OpenGFW](docs/logo.png)
|
|
|
|
|
|
|
|
|
|
[![License][1]][2]
|
|
|
|
|
|
|
|
|
|
[1]: https://img.shields.io/badge/License-MPL_2.0-brightgreen.svg
|
|
|
|
|
[2]: LICENSE
|
|
|
|
|
|
|
|
|
|
OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedia.org/wiki/%E9%98%B2%E7%81%AB%E9%95%BF%E5%9F%8E)
|
|
|
|
|
实现,并且在许多方面比真正的 GFW 更强大。可以部署在家用路由器上的网络主权。
|
|
|
|
|
|
|
|
|
|
> [!CAUTION]
|
|
|
|
|
> 本项目仍处于早期开发阶段。测试时自行承担风险。
|
|
|
|
|
|
|
|
|
|
> [!NOTE]
|
|
|
|
|
> 我们正在寻求贡献者一起完善本项目,尤其是实现更多协议的解析器!
|
|
|
|
|
|
|
|
|
|
## 功能
|
|
|
|
|
|
|
|
|
|
- 完整的 IP/TCP 重组,各种协议解析器
|
2024-01-31 10:05:51 +08:00
|
|
|
|
- HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
|
2024-01-28 05:56:08 +08:00
|
|
|
|
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
|
|
|
|
- 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
|
|
|
|
|
- [开发中] 基于机器学习的流量分类
|
2024-01-22 08:11:01 +08:00
|
|
|
|
- 同等支持 IPv4 和 IPv6
|
2024-01-20 08:45:01 +08:00
|
|
|
|
- 基于流的多核负载均衡
|
|
|
|
|
- 连接 offloading
|
|
|
|
|
- 基于 [expr](https://github.com/expr-lang/expr) 的强大规则引擎
|
2024-02-04 02:55:20 +08:00
|
|
|
|
- 规则可以热重载 (发送 `SIGHUP` 信号)
|
2024-01-20 08:45:01 +08:00
|
|
|
|
- 灵活的协议解析和修改框架
|
|
|
|
|
- 可扩展的 IO 实现 (目前只有 NFQueue)
|
|
|
|
|
- [开发中] Web UI
|
|
|
|
|
|
|
|
|
|
## 使用场景
|
|
|
|
|
|
|
|
|
|
- 广告拦截
|
|
|
|
|
- 家长控制
|
|
|
|
|
- 恶意软件防护
|
|
|
|
|
- VPN/代理服务滥用防护
|
|
|
|
|
- 流量分析 (纯日志模式)
|
|
|
|
|
|
|
|
|
|
## 使用
|
|
|
|
|
|
|
|
|
|
### 构建
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
go build
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### 运行
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
export OPENGFW_LOG_LEVEL=debug
|
|
|
|
|
./OpenGFW -c config.yaml rules.yaml
|
|
|
|
|
```
|
|
|
|
|
|
2024-02-12 05:12:49 +08:00
|
|
|
|
#### OpenWrt
|
|
|
|
|
|
|
|
|
|
OpenGFW 在 OpenWrt 23.05 上测试可用(其他版本应该也可以,暂时未经验证)。
|
|
|
|
|
|
|
|
|
|
安装依赖:
|
|
|
|
|
|
|
|
|
|
```shell
|
|
|
|
|
opkg install kmod-nft-queue kmod-nf-conntrack-netlink
|
|
|
|
|
```
|
|
|
|
|
|
2024-01-20 08:45:01 +08:00
|
|
|
|
### 样例配置
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
io:
|
|
|
|
|
queueSize: 1024
|
|
|
|
|
local: true # 如果需要在 FORWARD 链上运行 OpenGFW,请设置为 false
|
|
|
|
|
|
|
|
|
|
workers:
|
|
|
|
|
count: 4
|
|
|
|
|
queueSize: 16
|
|
|
|
|
tcpMaxBufferedPagesTotal: 4096
|
|
|
|
|
tcpMaxBufferedPagesPerConn: 64
|
|
|
|
|
udpMaxStreams: 4096
|
2024-02-18 06:03:50 +08:00
|
|
|
|
|
|
|
|
|
# 指定的 geoip/geosite 档案路径
|
|
|
|
|
# 如果未设置,将自动从 https://github.com/Loyalsoldier/v2ray-rules-dat 下载
|
|
|
|
|
# geo:
|
|
|
|
|
# geoip: geoip.dat
|
|
|
|
|
# geosite: geosite.dat
|
2024-01-20 08:45:01 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### 样例规则
|
|
|
|
|
|
2024-01-25 12:01:53 +08:00
|
|
|
|
[解析器属性](docs/Analyzers.md)
|
2024-01-20 08:45:01 +08:00
|
|
|
|
|
|
|
|
|
规则的语法请参考 [Expr Language Definition](https://expr-lang.org/docs/language-definition)。
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
- name: block v2ex http
|
|
|
|
|
action: block
|
|
|
|
|
expr: string(http?.req?.headers?.host) endsWith "v2ex.com"
|
|
|
|
|
|
|
|
|
|
- name: block v2ex https
|
|
|
|
|
action: block
|
|
|
|
|
expr: string(tls?.req?.sni) endsWith "v2ex.com"
|
|
|
|
|
|
|
|
|
|
- name: block shadowsocks
|
|
|
|
|
action: block
|
|
|
|
|
expr: fet != nil && fet.yes
|
|
|
|
|
|
2024-01-22 06:48:54 +08:00
|
|
|
|
- name: block trojan
|
|
|
|
|
action: block
|
|
|
|
|
expr: trojan != nil && trojan.yes
|
|
|
|
|
|
2024-01-20 08:45:01 +08:00
|
|
|
|
- name: v2ex dns poisoning
|
|
|
|
|
action: modify
|
|
|
|
|
modifier:
|
|
|
|
|
name: dns
|
|
|
|
|
args:
|
|
|
|
|
a: "0.0.0.0"
|
|
|
|
|
aaaa: "::"
|
|
|
|
|
expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})
|
2024-01-27 06:03:22 +08:00
|
|
|
|
|
2024-01-28 05:56:08 +08:00
|
|
|
|
- name: block google socks
|
2024-01-27 06:03:22 +08:00
|
|
|
|
action: block
|
2024-01-28 05:56:08 +08:00
|
|
|
|
expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80
|
2024-01-31 09:30:35 +08:00
|
|
|
|
|
2024-01-31 10:05:51 +08:00
|
|
|
|
- name: block wireguard by handshake response
|
|
|
|
|
action: drop
|
|
|
|
|
expr: wireguard?.handshake_response?.receiver_index_matched == true
|
|
|
|
|
|
2024-01-31 09:30:35 +08:00
|
|
|
|
- name: block bilibili geosite
|
|
|
|
|
action: block
|
|
|
|
|
expr: geosite(string(tls?.req?.sni), "bilibili")
|
|
|
|
|
|
|
|
|
|
- name: block CN geoip
|
|
|
|
|
action: block
|
|
|
|
|
expr: geoip(string(ip.dst), "cn")
|
2024-02-18 06:21:12 +08:00
|
|
|
|
|
|
|
|
|
- name: block cidr
|
|
|
|
|
action: block
|
|
|
|
|
expr: cidr(string(ip.dst), "192.168.0.0/16")
|
2024-01-20 08:45:01 +08:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### 支持的 action
|
|
|
|
|
|
|
|
|
|
- `allow`: 放行连接,不再处理后续的包。
|
2024-01-28 05:27:27 +08:00
|
|
|
|
- `block`: 阻断连接,不再处理后续的包。
|
2024-01-20 08:45:01 +08:00
|
|
|
|
- `drop`: 对于 UDP,丢弃触发规则的包,但继续处理同一流中的后续包。对于 TCP,效果同 `block`。
|
2024-01-22 08:11:01 +08:00
|
|
|
|
- `modify`: 对于 UDP,用指定的修改器修改触发规则的包,然后继续处理同一流中的后续包。对于 TCP,效果同 `allow`。
|