bgcorreia opened this issue 1 year ago (status: Open)
I know that maybe it is not the best solution (I didn't add control parameters, etc.), but I made a change to address the needs discussed here (block a TLS Client Hello without a server_name extension). The commit is here: https://github.com/bgcorreia/xt_tls/commit/b456f9fe316526d6b8f45c3bc82da96fc1b5e85d
I would also be interested in the reverse of this, i.e. a filter that drops packets if any SNI value is present (in order to effectively enforce ECH/ESNI).
@juliaisnotavailable you could use the commit that I left.
Look at this line: there I added a flag variable to identify when the request has an SNI extension, and afterwards I used it to "block it" (with the `if` and `return` lines here).
So, to get the behaviour you want, you just need to change line 237 from `if (!has_sni_extension)` to `if (has_sni_extension)`.
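The flag logic described above, written out as an added user-space C example that is not part of xt_tls or of bgcorreia's commit: it walks one TLS record holding a ClientHello, reports whether the server_name (SNI) extension is present, and applies either policy discussed in this thread (drop when SNI is absent, or drop when it is present). The ClientHello bytes are constructed by `build_client_hello` for illustration, not captured traffic; the names `client_hello_has_sni`, `should_drop`, `build_client_hello` and `probe` are my own and do not exist in xt_tls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS constants used below (RFC 5246 record/handshake layout, RFC 6066 SNI). */
#define TLS_RECORD_HANDSHAKE 0x16
#define TLS_HS_CLIENT_HELLO  0x01
#define TLS_EXT_SERVER_NAME  0x0000

enum sni_result { SNI_NOT_CLIENT_HELLO = -1, SNI_ABSENT = 0, SNI_PRESENT = 1 };

/* Report whether a ClientHello record carries the server_name extension.
 * Every length field is checked against the buffer before it is used, so a
 * truncated or malformed record yields SNI_NOT_CLIENT_HELLO instead of an
 * out-of-bounds read. A ClientHello with no extensions block at all
 * (legacy clients) is reported as SNI_ABSENT. */
int client_hello_has_sni(const uint8_t *p, size_t len)
{
    size_t off, end, n;

    if (len < 9 || p[0] != TLS_RECORD_HANDSHAKE || p[5] != TLS_HS_CLIENT_HELLO)
        return SNI_NOT_CLIENT_HELLO;
    n = (size_t)p[6] << 16 | (size_t)p[7] << 8 | p[8];   /* handshake body length */
    if (9 + n > len) return SNI_NOT_CLIENT_HELLO;
    end = 9 + n;
    off = 9 + 2 + 32;                                     /* skip client_version, random */
    if (off + 1 > end) return SNI_NOT_CLIENT_HELLO;
    off += 1 + p[off];                                    /* session_id */
    if (off + 2 > end) return SNI_NOT_CLIENT_HELLO;
    off += 2 + ((size_t)p[off] << 8 | p[off + 1]);        /* cipher_suites */
    if (off + 1 > end) return SNI_NOT_CLIENT_HELLO;
    off += 1 + p[off];                                    /* compression_methods */
    if (off == end) return SNI_ABSENT;                    /* no extensions block */
    if (off + 2 > end) return SNI_NOT_CLIENT_HELLO;
    n = (size_t)p[off] << 8 | p[off + 1];                 /* extensions length */
    off += 2;
    if (off + n > end) return SNI_NOT_CLIENT_HELLO;
    end = off + n;
    while (off + 4 <= end) {                              /* type(2) length(2) data */
        uint16_t type = (uint16_t)(p[off] << 8 | p[off + 1]);
        size_t elen = (size_t)p[off + 2] << 8 | p[off + 3];
        off += 4;
        if (off + elen > end) return SNI_NOT_CLIENT_HELLO;
        if (type == TLS_EXT_SERVER_NAME) return SNI_PRESENT;
        off += elen;
    }
    return SNI_ABSENT;
}

/* The two policies from the thread. Returns 1 when the packet should be
 * dropped; anything that is not a complete ClientHello record passes. */
int should_drop(const uint8_t *pkt, size_t len, int drop_when_sni_present)
{
    int r = client_hello_has_sni(pkt, len);
    if (r == SNI_NOT_CLIENT_HELLO) return 0;
    return drop_when_sni_present ? (r == SNI_PRESENT) : (r == SNI_ABSENT);
}

/* Assemble a minimal ClientHello record (constructed sample data, not a real
 * capture). When sni is NULL the server_name extension is left out. */
size_t build_client_hello(uint8_t *out, size_t cap, const char *sni)
{
    uint8_t ext[64];
    size_t elen = 0, body;
    const uint8_t supported_versions[] = { 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
    uint8_t *q = out;

    if (sni) {
        size_t h = strlen(sni);
        /* ext type, ext length, list length, name_type=host_name, name length */
        uint8_t hdr[] = { 0x00, 0x00, 0, (uint8_t)(h + 5), 0, (uint8_t)(h + 3),
                          0x00, 0, (uint8_t)h };
        if (h > 40) return 0;
        memcpy(ext, hdr, sizeof hdr);
        memcpy(ext + sizeof hdr, sni, h);
        elen = sizeof hdr + h;
    }
    memcpy(ext + elen, supported_versions, sizeof supported_versions);
    elen += sizeof supported_versions;

    body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + elen;
    if (cap < 9 + body) return 0;
    *q++ = TLS_RECORD_HANDSHAKE; *q++ = 0x03; *q++ = 0x01;   /* record header */
    *q++ = (uint8_t)((4 + body) >> 8); *q++ = (uint8_t)(4 + body);
    *q++ = TLS_HS_CLIENT_HELLO; *q++ = 0;                    /* handshake header */
    *q++ = (uint8_t)(body >> 8); *q++ = (uint8_t)body;
    *q++ = 0x03; *q++ = 0x03;                                 /* client_version */
    memset(q, 0x11, 32); q += 32;                             /* random (fixed filler) */
    *q++ = 0;                                                 /* session_id_length */
    *q++ = 0; *q++ = 2; *q++ = 0x13; *q++ = 0x01;             /* one cipher suite */
    *q++ = 1; *q++ = 0;                                       /* null compression */
    *q++ = (uint8_t)(elen >> 8); *q++ = (uint8_t)elen;
    memcpy(q, ext, elen); q += elen;
    return (size_t)(q - out);
}

/* Build a sample and run the parser on it; truncate_to > 0 cuts the record
 * short to show how a partial ClientHello is handled. */
int probe(const char *sni, size_t truncate_to)
{
    uint8_t buf[160];
    size_t n = build_client_hello(buf, sizeof buf, sni);
    if (n == 0) return SNI_NOT_CLIENT_HELLO;
    if (truncate_to && truncate_to < n) n = truncate_to;
    return client_hello_has_sni(buf, n);
}

int main(void)
{
    printf("with SNI:    %d\n", probe("a.test", 0));   /* 1  */
    printf("without SNI: %d\n", probe(NULL, 0));       /* 0  */
    printf("truncated:   %d\n", probe("a.test", 20));  /* -1 */
    return 0;
}
```

Two points worth keeping in mind when turning this into a per-packet match: a ClientHello split across TCP segments is only ever seen in part, so the parser returns "not a ClientHello" for every segment and a drop rule silently lets it through; and the "drop when SNI is present" policy, used to enforce ECH, only says that the outer ClientHello lacks server_name, not that an encrypted inner hello exists.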
Hi everyone, today I need to block HTTPS requests that use an IP address directly (i.e. https://1.2.3.4, without a host header). I was reviewing the TLS header and I saw these packets don't have the SNI extension, so my doubt is: can I use the xt_tls module to block packets without the SNI extension in the TLS header? Thanks so much!!