docs: add QUIC

This commit is contained in:
Toby 2024-02-17 13:56:33 -08:00
parent c1e90960dd
commit ef352450a2
4 changed files with 70 additions and 62 deletions

View File

@ -16,7 +16,7 @@ OpenGFW は、Linux 上の [GFW](https://en.wikipedia.org/wiki/Great_Firewall)
## 特徴 ## 特徴
- フル IP/TCP 再アセンブル、各種プロトコルアナライザー - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
- HTTP、TLS、DNS、SSH、SOCKS4/5、WireGuard、その他多数 - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
- Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf) - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
- トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出 - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
- [WIP] 機械学習に基づくトラフィック分類 - [WIP] 機械学習に基づくトラフィック分類
@ -92,6 +92,10 @@ workers:
action: block action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com" expr: string(tls?.req?.sni) endsWith "v2ex.com"
- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"
- name: block shadowsocks - name: block shadowsocks
action: block action: block
expr: fet != nil && fet.yes expr: fet != nil && fet.yes

View File

@ -20,7 +20,7 @@ Linux that's in many ways more powerful than the real thing. It's cyber sovereig
## Features ## Features
- Full IP/TCP reassembly, various protocol analyzers - Full IP/TCP reassembly, various protocol analyzers
- HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, and many more to come - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
- "Fully encrypted traffic" detection for Shadowsocks, - "Fully encrypted traffic" detection for Shadowsocks,
etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf) etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
- Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer) - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
@ -98,6 +98,10 @@ to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
action: block action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com" expr: string(tls?.req?.sni) endsWith "v2ex.com"
- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"
- name: block shadowsocks - name: block shadowsocks
action: block action: block
expr: fet != nil && fet.yes expr: fet != nil && fet.yes

View File

@ -17,7 +17,7 @@ OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedi
## 功能 ## 功能
- 完整的 IP/TCP 重组,各种协议解析器 - 完整的 IP/TCP 重组,各种协议解析器
- HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中 - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf) - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
- 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer) - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
- [开发中] 基于机器学习的流量分类 - [开发中] 基于机器学习的流量分类
@ -93,6 +93,10 @@ workers:
action: block action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com" expr: string(tls?.req?.sni) endsWith "v2ex.com"
- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"
- name: block shadowsocks - name: block shadowsocks
action: block action: block
expr: fet != nil && fet.yes expr: fet != nil && fet.yes

View File

@ -179,51 +179,17 @@ Example for blocking all SSH connections:
{ {
"tls": { "tls": {
"req": { "req": {
"alpn": [ "alpn": ["h2", "http/1.1"],
"h2",
"http/1.1"
],
"ciphers": [ "ciphers": [
4866, 4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199,
4867, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161,
4865, 49171, 51, 157, 156, 61, 60, 53, 47, 255
49196,
49200,
159,
52393,
52392,
52394,
49195,
49199,
158,
49188,
49192,
107,
49187,
49191,
103,
49162,
49172,
57,
49161,
49171,
51,
157,
156,
61,
60,
53,
47,
255
], ],
"compression": "AA==", "compression": "AA==",
"random": "UqfPi+EmtMgusILrKcELvVWwpOdPSM/My09nPXl84dg=", "random": "UqfPi+EmtMgusILrKcELvVWwpOdPSM/My09nPXl84dg=",
"session": "jCTrpAzHpwrfuYdYx4FEjZwbcQxCuZ52HGIoOcbw1vA=", "session": "jCTrpAzHpwrfuYdYx4FEjZwbcQxCuZ52HGIoOcbw1vA=",
"sni": "ipinfo.io", "sni": "ipinfo.io",
"supported_versions": [ "supported_versions": [772, 771],
772,
771
],
"version": 771, "version": 771,
"ech": true "ech": true
}, },
@ -247,6 +213,37 @@ Example for blocking TLS connections to `ipinfo.io`:
expr: tls != nil && tls.req != nil && tls.req.sni == "ipinfo.io" expr: tls != nil && tls.req != nil && tls.req.sni == "ipinfo.io"
``` ```
## QUIC
QUIC analyzer produces the same result format as TLS analyzer, but currently only supports "req" direction (client
hello), not "resp" (server hello).
```json
{
"quic": {
"req": {
"alpn": ["h3"],
"ciphers": [4865, 4866, 4867],
"compression": "AA==",
"ech": true,
"random": "FUYLceFReLJl9dRQ0HAus7fi2ZGuKIAApF4keeUqg00=",
"session": "",
"sni": "quic.rocks",
"supported_versions": [772],
"version": 771
}
}
}
```
Example for blocking QUIC connections to `quic.rocks`:
```yaml
- name: Block quic.rocks QUIC
action: block
expr: quic != nil && quic.req != nil && quic.req.sni == "quic.rocks"
```
## Trojan (proxy protocol) ## Trojan (proxy protocol)
Check https://github.com/XTLS/Trojan-killer for more information. Check https://github.com/XTLS/Trojan-killer for more information.
@ -273,7 +270,7 @@ Example for blocking Trojan connections:
SOCKS4: SOCKS4:
```json5 ```json
{ {
"socks": { "socks": {
"version": 4, "version": 4,
@ -301,7 +298,7 @@ SOCKS4:
SOCKS5 without auth: SOCKS5 without auth:
```json5 ```json
{ {
"socks": { "socks": {
"version": 5, "version": 5,
@ -329,7 +326,7 @@ SOCKS5 without auth:
SOCKS5 with auth: SOCKS5 with auth:
```json5 ```json
{ {
"socks": { "socks": {
"version": 5, "version": 5,
@ -370,10 +367,9 @@ Example for blocking connections to `google.com:80` and user `foobar`:
expr: socks?.req?.auth?.method == 2 && socks?.req?.auth?.username == "foobar" expr: socks?.req?.auth?.method == 2 && socks?.req?.auth?.username == "foobar"
``` ```
## WireGuard ## WireGuard
```json5 ```json
{ {
"wireguard": { "wireguard": {
"message_type": 1, // 0x1: handshake_initiation, 0x2: handshake_response, 0x3: packet_cookie_reply, 0x4: packet_data "message_type": 1, // 0x1: handshake_initiation, 0x2: handshake_response, 0x3: packet_cookie_reply, 0x4: packet_data