search

apernet / OpenGFW

OpenGFW is a flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux
https://gfw.dev/
Mozilla Public License 2.0
9.47k stars 711 forks source link

[Bug] Block ip.dst cannot work properly #59

Closed KujouRinka closed 6 months ago

KujouRinka commented 6 months ago

My Enviroment

Config Files

# config.yaml
io:
  queueSize: 1024
  local: true

workers:
  count: 4
  queueSize: 16
  tcpMaxBufferedPagesTotal: 4096
  tcpMaxBufferedPagesPerConn: 64
  udpMaxStreams: 4096
# ruleset.yaml
- name: block alidns
  action: block
  expr: string(ip.dst) == "223.5.5.5"

What Happeded

Connection to IP that should be blocked established successfully.

Concretely, commands like ping 223.5.5.5 and nslookup baidu.com 223.5.5.5 can get response, but they should not act like this.

By the way, blocking by other keywords, such as blocking by keywords tls?.req?.sni, http?.req?.header?.host. These all things can work properly but ip.dst. Maybe ip.src can not too, but I have not check it yet.

tobyxdd commented 6 months ago

Ping is expected to work as we currently don't support (and therefore can't block) ICMP.

nslookup which is based on UDP has no reason not to be blocked though. I will test it later today.

tobyxdd commented 6 months ago

I can't reproduce nslookup. Both TCP and UDP are correctly blocked in my tests. Are you sure you are using the version after this fix? https://github.com/apernet/OpenGFW/pull/52

KujouRinka commented 6 months ago

Yes, I encountered this on the latest build v0.1.1. I build a server that serves both for dns and ssh.

Supposing I use this ruleset:

- name: block ip
  action: block
  expr: string(ip.dst) == "xxx.xxx.xxx.xxx"

# This is necessary
- name: block bili
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"

Here's my log:

2024-02-16T13:21:07+08:00       INFO    TCP stream action       {"id": 1758360840290971648, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:08+08:00       INFO    TCP stream action       {"id": 1758360844527214592, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:09+08:00       INFO    TCP stream action       {"id": 1758360848780230656, "src": "10.151.94.141:55336", "dst": "xxx.xxx.xxx.xxx:22", "action": "block", "noMatch": false}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912110034944, "src": "10.151.94.141:48852", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}
2024-02-16T13:21:24+08:00       INFO    UDP stream action       {"id": 1758360912126803968, "src": "10.151.94.141:49157", "dst": "xxx.xxx.xxx.xxx:53", "action": "allow", "noMatch": true}

I do a block on that IP and ssh connection is unreachable, but dns query success.

What's weird is that if there is only one "block ip" rule in the ruleset, even the TCP stream would not be blocked. But if we add another rule similar to "block bili" above, the TCP stream can be blocked.

I test this on my pc(Arch), a server in Shanghai(Ubuntu 22.04) and a server in Tokyo(Arch).

Alibaba DNS is not available in all areas. Maybe you could try to use 1.1.1.1 to test.

tobyxdd commented 6 months ago

Can you see if the above fix works for you?

KujouRinka commented 6 months ago

All things work properly. Thank you.