docs: add QUIC

2024-11-13 13:59:24 +08:00 · 2024-02-17 13:56:33 -08:00 · 2024-02-17 13:56:33 -08:00 · ef352450a2
commit ef352450a2
parent c1e90960dd
4 changed files with 70 additions and 62 deletions
--- a/README.ja.md
+++ b/README.ja.md
@ -16,7 +16,7 @@ OpenGFW は、Linux 上の [GFW](https://en.wikipedia.org/wiki/Great_Firewall)
 ## 特徴

 - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
-  - HTTP、TLS、DNS、SSH、SOCKS4/5、WireGuard、その他多数
+  - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
  - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
  - [WIP] 機械学習に基づくトラフィック分類
@ -92,6 +92,10 @@ workers:
  action: block
  expr: string(tls?.req?.sni) endsWith "v2ex.com"

+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
  action: block
  expr: fet != nil && fet.yes
--- a/README.md
+++ b/README.md
@ -20,7 +20,7 @@ Linux that's in many ways more powerful than the real thing. It's cyber sovereig
 ## Features

 - Full IP/TCP reassembly, various protocol analyzers
-  - HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
+  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
  - "Fully encrypted traffic" detection for Shadowsocks,
    etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
  - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
@ -98,6 +98,10 @@ to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
  action: block
  expr: string(tls?.req?.sni) endsWith "v2ex.com"

+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
  action: block
  expr: fet != nil && fet.yes
--- a/README.zh.md
+++ b/README.zh.md
@ -17,7 +17,7 @@ OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedi
 ## 功能

 - 完整的 IP/TCP 重组，各种协议解析器
-  - HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
+  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
  - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
  - [开发中] 基于机器学习的流量分类
@ -93,6 +93,10 @@ workers:
  action: block
  expr: string(tls?.req?.sni) endsWith "v2ex.com"

+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
  action: block
  expr: fet != nil && fet.yes
--- a/docs/Analyzers.md
+++ b/docs/Analyzers.md
@ -179,51 +179,17 @@ Example for blocking all SSH connections:
 {
  "tls": {
    "req": {
-      "alpn": [
-        "h2",
-        "http/1.1"
-      ],
+      "alpn": ["h2", "http/1.1"],
      "ciphers": [
-        4866,
-        4867,
-        4865,
-        49196,
-        49200,
-        159,
-        52393,
-        52392,
-        52394,
-        49195,
-        49199,
-        158,
-        49188,
-        49192,
-        107,
-        49187,
-        49191,
-        103,
-        49162,
-        49172,
-        57,
-        49161,
-        49171,
-        51,
-        157,
-        156,
-        61,
-        60,
-        53,
-        47,
-        255
+        4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199,
+        158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161,
+        49171, 51, 157, 156, 61, 60, 53, 47, 255
      ],
      "compression": "AA==",
      "random": "UqfPi+EmtMgusILrKcELvVWwpOdPSM/My09nPXl84dg=",
      "session": "jCTrpAzHpwrfuYdYx4FEjZwbcQxCuZ52HGIoOcbw1vA=",
      "sni": "ipinfo.io",
-      "supported_versions": [
-        772,
-        771
-      ],
+      "supported_versions": [772, 771],
      "version": 771,
      "ech": true
    },
@ -247,6 +213,37 @@ Example for blocking TLS connections to `ipinfo.io`:
  expr: tls != nil && tls.req != nil && tls.req.sni == "ipinfo.io"
 ```

+## QUIC
+
+QUIC analyzer produces the same result format as TLS analyzer, but currently only supports "req" direction (client
+hello), not "resp" (server hello).
+
+```json
+{
+  "quic": {
+    "req": {
+      "alpn": ["h3"],
+      "ciphers": [4865, 4866, 4867],
+      "compression": "AA==",
+      "ech": true,
+      "random": "FUYLceFReLJl9dRQ0HAus7fi2ZGuKIAApF4keeUqg00=",
+      "session": "",
+      "sni": "quic.rocks",
+      "supported_versions": [772],
+      "version": 771
+    }
+  }
+}
+```
+
+Example for blocking QUIC connections to `quic.rocks`:
+
+```yaml
+- name: Block quic.rocks QUIC
+  action: block
+  expr: quic != nil && quic.req != nil && quic.req.sni == "quic.rocks"
+```
+
 ## Trojan (proxy protocol)

 Check https://github.com/XTLS/Trojan-killer for more information.
@ -273,13 +270,13 @@ Example for blocking Trojan connections:

 SOCKS4:

-```json5
+```json
 {
  "socks": {
    "version": 4,
    "req": {
      "cmd": 1,
-      "addr_type": 1,     // same as socks5
+      "addr_type": 1, // same as socks5
      "addr": "1.1.1.1",
      // for socks4a
      // "addr_type": 3,
@ -290,7 +287,7 @@ SOCKS4:
      }
    },
    "resp": {
-      "rep": 90,          // 0x5A(90) granted
+      "rep": 90, // 0x5A(90) granted
      "addr_type": 1,
      "addr": "1.1.1.1",
      "port": 443
@ -301,26 +298,26 @@ SOCKS4:

 SOCKS5 without auth:

-```json5
+```json
 {
  "socks": {
    "version": 5,
    "req": {
-      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
-      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
+      "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
      "addr": "google.com",
      "port": 80,
      "auth": {
-        "method": 0     // 0x00: no auth, 0x02: username/password
+        "method": 0 // 0x00: no auth, 0x02: username/password
      }
    },
    "resp": {
-      "rep": 0,         // 0x00: success
-      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "rep": 0, // 0x00: success
+      "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
      "addr": "198.18.1.31",
      "port": 80,
      "auth": {
-        "method": 0     // 0x00: no auth, 0x02: username/password
+        "method": 0 // 0x00: no auth, 0x02: username/password
      }
    }
  }
@ -329,29 +326,29 @@ SOCKS5 without auth:

 SOCKS5 with auth:

-```json5
+```json
 {
  "socks": {
    "version": 5,
    "req": {
-      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
-      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
+      "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
      "addr": "google.com",
      "port": 80,
      "auth": {
-        "method": 2,    // 0x00: no auth, 0x02: username/password
+        "method": 2, // 0x00: no auth, 0x02: username/password
        "username": "user",
        "password": "pass"
      }
    },
    "resp": {
-      "rep": 0,         // 0x00: success
-      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "rep": 0, // 0x00: success
+      "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
      "addr": "198.18.1.31",
      "port": 80,
      "auth": {
-        "method": 2,    // 0x00: no auth, 0x02: username/password
-        "status": 0     // 0x00: success, 0x01: failure
+        "method": 2, // 0x00: no auth, 0x02: username/password
+        "status": 0 // 0x00: success, 0x01: failure
      }
    }
  }
@ -370,10 +367,9 @@ Example for blocking connections to `google.com:80` and user `foobar`:
  expr: socks?.req?.auth?.method == 2 && socks?.req?.auth?.username == "foobar"
 ```

-
 ## WireGuard

-```json5
+```json
 {
  "wireguard": {
    "message_type": 1, // 0x1: handshake_initiation, 0x2: handshake_response, 0x3: packet_cookie_reply, 0x4: packet_data