docs: add QUIC

README.ja.md

@@ -16,7 +16,7 @@ OpenGFW は、Linux 上の [GFW](https://en.wikipedia.org/wiki/Great_Firewall)
 ## 特徴
 
 - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
-  - HTTP、TLS、DNS、SSH、SOCKS4/5、WireGuard、その他多数
+  - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
   - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
   - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
   - [WIP] 機械学習に基づくトラフィック分類
@@ -92,6 +92,10 @@ workers:
   action: block
   expr: string(tls?.req?.sni) endsWith "v2ex.com"
 
+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
   action: block
   expr: fet != nil && fet.yes

README.md

@@ -20,7 +20,7 @@ Linux that's in many ways more powerful than the real thing. It's cyber sovereig
 ## Features
 
 - Full IP/TCP reassembly, various protocol analyzers
-  - HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
+  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
   - "Fully encrypted traffic" detection for Shadowsocks,
     etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
   - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
@@ -98,6 +98,10 @@ to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
   action: block
   expr: string(tls?.req?.sni) endsWith "v2ex.com"
 
+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
   action: block
   expr: fet != nil && fet.yes

README.zh.md

@@ -17,7 +17,7 @@ OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedi
 ## 功能
 
 - 完整的 IP/TCP 重组，各种协议解析器
-  - HTTP, TLS, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
+  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
   - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
   - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
   - [开发中] 基于机器学习的流量分类
@@ -93,6 +93,10 @@ workers:
   action: block
   expr: string(tls?.req?.sni) endsWith "v2ex.com"
 
+- name: block v2ex quic
+  action: block
+  expr: string(quic?.req?.sni) endsWith "v2ex.com"
+
 - name: block shadowsocks
   action: block
   expr: fet != nil && fet.yes

docs/Analyzers.md

@@ -179,51 +179,17 @@ Example for blocking all SSH connections:
 {
   "tls": {
     "req": {
-      "alpn": [
+      "alpn": ["h2", "http/1.1"],
-        "h2",
-        "http/1.1"
-      ],
       "ciphers": [
-        4866,
+        4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199,
-        4867,
+        158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161,
-        4865,
+        49171, 51, 157, 156, 61, 60, 53, 47, 255
-        49196,
-        49200,
-        159,
-        52393,
-        52392,
-        52394,
-        49195,
-        49199,
-        158,
-        49188,
-        49192,
-        107,
-        49187,
-        49191,
-        103,
-        49162,
-        49172,
-        57,
-        49161,
-        49171,
-        51,
-        157,
-        156,
-        61,
-        60,
-        53,
-        47,
-        255
       ],
       "compression": "AA==",
       "random": "UqfPi+EmtMgusILrKcELvVWwpOdPSM/My09nPXl84dg=",
       "session": "jCTrpAzHpwrfuYdYx4FEjZwbcQxCuZ52HGIoOcbw1vA=",
       "sni": "ipinfo.io",
-      "supported_versions": [
+      "supported_versions": [772, 771],
-        772,
-        771
-      ],
       "version": 771,
       "ech": true
     },
@@ -247,6 +213,37 @@ Example for blocking TLS connections to `ipinfo.io`:
   expr: tls != nil && tls.req != nil && tls.req.sni == "ipinfo.io"
 ```
 
+## QUIC
+
+QUIC analyzer produces the same result format as TLS analyzer, but currently only supports "req" direction (client
+hello), not "resp" (server hello).
+
+```json
+{
+  "quic": {
+    "req": {
+      "alpn": ["h3"],
+      "ciphers": [4865, 4866, 4867],
+      "compression": "AA==",
+      "ech": true,
+      "random": "FUYLceFReLJl9dRQ0HAus7fi2ZGuKIAApF4keeUqg00=",
+      "session": "",
+      "sni": "quic.rocks",
+      "supported_versions": [772],
+      "version": 771
+    }
+  }
+}
+```
+
+Example for blocking QUIC connections to `quic.rocks`:
+
+```yaml
+- name: Block quic.rocks QUIC
+  action: block
+  expr: quic != nil && quic.req != nil && quic.req.sni == "quic.rocks"
+```
+
 ## Trojan (proxy protocol)
 
 Check https://github.com/XTLS/Trojan-killer for more information.
@@ -273,13 +270,13 @@ Example for blocking Trojan connections:
 
 SOCKS4:
 
-```json5
+```json
 {
   "socks": {
     "version": 4,
     "req": {
       "cmd": 1,
-      "addr_type": 1,     // same as socks5
+      "addr_type": 1, // same as socks5
       "addr": "1.1.1.1",
       // for socks4a
       // "addr_type": 3,
@@ -290,7 +287,7 @@ SOCKS4:
       }
     },
     "resp": {
-      "rep": 90,          // 0x5A(90) granted
+      "rep": 90, // 0x5A(90) granted
       "addr_type": 1,
       "addr": "1.1.1.1",
       "port": 443
@@ -301,26 +298,26 @@ SOCKS4:
 
 SOCKS5 without auth:
 
-```json5
+```json
 {
   "socks": {
     "version": 5,
     "req": {
-      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
+      "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
-      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
       "addr": "google.com",
       "port": 80,
       "auth": {
-        "method": 0     // 0x00: no auth, 0x02: username/password
+        "method": 0 // 0x00: no auth, 0x02: username/password
       }
     },
     "resp": {
-      "rep": 0,         // 0x00: success
+      "rep": 0, // 0x00: success
-      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
       "addr": "198.18.1.31",
       "port": 80,
       "auth": {
-        "method": 0     // 0x00: no auth, 0x02: username/password
+        "method": 0 // 0x00: no auth, 0x02: username/password
       }
     }
   }
@@ -329,29 +326,29 @@ SOCKS5 without auth:
 
 SOCKS5 with auth:
 
-```json5
+```json
 {
   "socks": {
     "version": 5,
     "req": {
-      "cmd": 1,         // 0x01: connect, 0x02: bind, 0x03: udp
+      "cmd": 1, // 0x01: connect, 0x02: bind, 0x03: udp
-      "addr_type": 3,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr_type": 3, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
       "addr": "google.com",
       "port": 80,
       "auth": {
-        "method": 2,    // 0x00: no auth, 0x02: username/password
+        "method": 2, // 0x00: no auth, 0x02: username/password
         "username": "user",
         "password": "pass"
       }
     },
     "resp": {
-      "rep": 0,         // 0x00: success
+      "rep": 0, // 0x00: success
-      "addr_type": 1,   // 0x01: ipv4, 0x03: domain, 0x04: ipv6
+      "addr_type": 1, // 0x01: ipv4, 0x03: domain, 0x04: ipv6
       "addr": "198.18.1.31",
       "port": 80,
       "auth": {
-        "method": 2,    // 0x00: no auth, 0x02: username/password
+        "method": 2, // 0x00: no auth, 0x02: username/password
-        "status": 0     // 0x00: success, 0x01: failure
+        "status": 0 // 0x00: success, 0x01: failure
       }
     }
   }
@@ -370,10 +367,9 @@ Example for blocking connections to `google.com:80` and user `foobar`:
   expr: socks?.req?.auth?.method == 2 && socks?.req?.auth?.username == "foobar"
 ```
 
-
 ## WireGuard
 
-```json5
+```json
 {
   "wireguard": {
     "message_type": 1, // 0x1: handshake_initiation, 0x2: handshake_response, 0x3: packet_cookie_reply, 0x4: packet_data