Closed: KujouRinka closed this issue 9 months ago
You mean analyzers that work at the IP layer? Is there any real use for that (e.g. any protocol that needs it?)
Yes. Some applications connect to fixed IP addresses for communication instead of domains (e.g. Telegram, QQ, etc.). Supporting this may make blocking these ones easier. Furthermore, there is also the possibility of passing the IP address to upper analyzers, combining them together for more precise traffic marking (e.g. a request with a non-mainland IP but followed by something like a baidu.com HTTP/HTTPS header could be suspected to be obfuscated traffic).
Analyzers only provide props for rules; they don't make verdicts themselves. Also, there are already built-in props that pass information like IP/port to expressions: https://github.com/apernet/OpenGFW/blob/master/ruleset/expr.go#L145
Basically you can have rules like geoip(ip.dst) != "cn" && tls != nil && tls.req.sni == "baidu.com"
Although the geoip function doesn't exist at the moment. Definitely something we should offer in the future.
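To make the rule above concrete, here is an added example (not OpenGFW's own code) of what such an expression computes once a geoip helper exists: a hypothetical `geoip()` backed by a constructed CIDR table, a `Props` struct standing in for the built-in ip/port props plus the TLS analyzer's output, and the rule `geoip(ip.dst) != "cn" && tls != nil && tls.req.sni == "baidu.com"` written out in Go. The prefixes, country labels, and field names are assumptions for illustration, not real GeoIP data or the project's actual prop names.

```go
package main

import (
	"fmt"
	"net/netip"
)

// geoEntry is one row of a constructed GeoIP table.
// The prefixes are RFC 5737 documentation ranges labelled arbitrarily
// for this example; they are NOT real country allocations.
type geoEntry struct {
	prefix  netip.Prefix
	country string
}

var geoTable = []geoEntry{
	{netip.MustParsePrefix("203.0.113.0/24"), "cn"},
	{netip.MustParsePrefix("198.51.100.0/24"), "us"},
	{netip.MustParsePrefix("2001:db8::/32"), "us"},
}

// geoip is a hypothetical stand-in for the geoip() function the maintainer
// mentions: longest-prefix match over the table, "" when the address is
// unknown or unparsable. Callers must decide how "" should be treated.
func geoip(addr string) string {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return ""
	}
	best, bestBits := "", -1
	for _, e := range geoTable {
		if e.prefix.Contains(ip) && e.prefix.Bits() > bestBits {
			best, bestBits = e.country, e.prefix.Bits()
		}
	}
	return best
}

// TLSProps models the props a TLS analyzer would contribute (tls.req.sni).
type TLSProps struct {
	ReqSNI string
}

// Props models the per-connection property set seen by a rule: the built-in
// IP/port props are always present, analyzer props are nil until that
// analyzer has produced a result (hence the "tls != nil" guard in the rule).
type Props struct {
	IPSrc, IPDst string
	PortDst      uint16
	TLS          *TLSProps
}

// suspiciousSNIRule is the Go equivalent of
//   geoip(ip.dst) != "cn" && tls != nil && tls.req.sni == "baidu.com"
// Note that an address missing from the table yields "" which is != "cn",
// so unknown destinations are flagged too; tighten to a positive country
// check if that is not desired.
func suspiciousSNIRule(p Props) bool {
	return geoip(p.IPDst) != "cn" && p.TLS != nil && p.TLS.ReqSNI == "baidu.com"
}

func main() {
	// Constructed sample flows.
	flows := []Props{
		{IPSrc: "192.0.2.10", IPDst: "203.0.113.5", PortDst: 443, TLS: &TLSProps{ReqSNI: "baidu.com"}},
		{IPSrc: "192.0.2.10", IPDst: "198.51.100.9", PortDst: 443, TLS: &TLSProps{ReqSNI: "baidu.com"}},
		{IPSrc: "192.0.2.10", IPDst: "198.51.100.9", PortDst: 443, TLS: nil},
	}
	for _, f := range flows {
		fmt.Printf("dst=%s geoip=%q match=%v\n", f.IPDst, geoip(f.IPDst), suspiciousSNIRule(f))
	}
}
```

The second flow is the case described in the comment: a TLS ClientHello claiming baidu.com heading to a destination the table does not place in cn. The third shows why the nil guard matters: with no TLS analyzer output the rule must not match, regardless of the IP.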
Thanks for your answer. I apologize for not reading the source code carefully.
I read some of the source code and found that an analyzer based on the network layer has yet to be implemented. Is there any consideration of making it happen?