apernet / OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
https://gfw.dev/
Mozilla Public License 2.0

[proposal] Introduce Network Layer Analyzer #16

Closed KujouRinka closed 9 months ago

KujouRinka commented 9 months ago

I read some of the source code and found that an analyzer based on the network layer has yet to be implemented. Is there any consideration for making it happen?

tobyxdd commented 9 months ago

You mean analyzers that work at the IP layer? Is there any real use for that (e.g. any protocol that needs it?)

KujouRinka commented 9 months ago

Yes. Some applications connect to fixed IP addresses for communication instead of domains (e.g. Telegram, QQ, etc.). Supporting this may make blocking these ones easy. Furthermore, there's also the possibility of passing the IP address to upper analyzers, combining them together for more precise traffic marking (e.g. a request to a non-mainland IP but followed by something such as a baidu.com HTTP/HTTPS header could be suspected to be obfuscated traffic).

tobyxdd commented 9 months ago

Analyzers only provide props for rules; they don't make verdicts themselves. Also, there are already built-in props that pass information like IP/port to expressions: https://github.com/apernet/OpenGFW/blob/master/ruleset/expr.go#L145

tobyxdd commented 9 months ago

Basically you can have rules like `geoip(ip.dst) != "cn" && tls != nil && tls.req.sni == "baidu.com"`

Although the geoip function doesn't exist at the moment, it's definitely something we should offer in the future.
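An added example (not from this thread or the project's own rule files) of how the built-in IP props and an analyzer's props combine in an OpenGFW ruleset entry. It assumes the project's ruleset fields `name`, `action`, `log` and `expr`, uses constructed placeholder addresses, and avoids `geoip` since the thread says that function does not exist yet:

```yaml
# Constructed OpenGFW ruleset excerpt (added example, not from the thread).
# Analyzers only populate props; each rule's expr turns them into a verdict.
# Both rules here only log, so they surface traffic for review without blocking it.

# Matching a fixed-IP endpoint needs no new network-layer analyzer:
# ip.dst is a built-in prop filled in for every flow.
- name: log fixed-ip endpoint
  action: allow
  log: true
  expr: ip.dst in ["203.0.113.10", "203.0.113.11"]   # placeholder addresses (assumed)

# Combining the built-in IP prop with the TLS analyzer's SNI prop.
# The nil check matters: tls is unset until the TLS analyzer has parsed a ClientHello,
# so without it the rule would error on non-TLS flows instead of evaluating to false.
- name: log sni that does not match destination
  action: allow
  log: true
  expr: ip.dst not in ["203.0.113.10"] && tls != nil && tls.req.sni == "baidu.com"
```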

KujouRinka commented 9 months ago

Thanks for your answer. I apologize for not reading the source code carefully.