vincentmli / BPFire

BPFire development tree

TLS/SSL SNI extension server name extraction through eBPF #34

Closed vincentmli closed 1 month ago

vincentmli commented 1 month ago

One user from https://community.ipfire.org/t/allow-squid-transparent-for-ssl-blocking-only/11967?u=vincentmli asked whether IPFire could allow/drop outgoing HTTPS requests from servers in the green network based on the HTTPS request server name, which exists in the TLS/SSL ClientHello SNI extension. This is currently not possible on IPFire or BPFire. There are two ideas I could think of:

  1. Maybe loxilb full proxy/TLS termination/sockmap as a proxy on BPFire could achieve this
  2. Attach an XDP BPF program similar to the one in https://stackoverflow.com/questions/70760516/bpf-verifier-fails-because-of-invalid-access-to-packet (answered by Dylan Reimerink) on the red0/green0 interface, and use xdp-loader to load the XDP program. This method of parsing the raw packet to get the SNI has a limitation because the TLS ClientHello header size varies, since the number of cipher suites and extensions varies from one TLS/SSL client to another; see https://security.stackexchange.com/questions/178897/number-of-bytes-in-a-tls-handshake
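Idea 2 above hinges on walking the variable-length ClientHello safely. The following is an added example, not code from this issue or from BPFire: a plain userspace C parser that walks a TLS record to the server_name extension using the same check-bounds-before-every-read and bounded-loop discipline the BPF verifier enforces in XDP. It is not itself a BPF program; an XDP version would compare against data_end instead of `end` and would first step over the Ethernet/IP/TCP headers, which are omitted here. The ClientHello bytes are constructed for the example, with three cipher suites and three extensions so that the SNI does not sit at a fixed offset.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_CONTENT_HANDSHAKE 0x16
#define TLS_HS_CLIENT_HELLO   0x01
#define TLS_EXT_SERVER_NAME   0x0000
#define MAX_EXTENSIONS        32  /* bounded loop: the BPF verifier rejects unbounded ones */

/* Every read is checked against `end` first, mirroring the data/data_end
 * checks the verifier demands in XDP. Returns 1 if n bytes are available. */
static int need(const uint8_t *p, const uint8_t *end, size_t n)
{
    return p <= end && (size_t)(end - p) >= n;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a TLS record holding a ClientHello and copy the SNI host_name into out.
 * Returns the name length, 0 if the hello carries no SNI, -1 if malformed or
 * truncated (a truncated hello is never reported as "no SNI"). */
int tls_extract_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    const uint8_t *p = buf, *end = buf + len;

    if (!need(p, end, 5) || p[0] != TLS_CONTENT_HANDSHAKE) return -1; /* type(1) ver(2) len(2) */
    uint16_t rec_len = rd16(p + 3);
    p += 5;
    if (!need(p, end, rec_len)) return -1;
    end = p + rec_len;                        /* never read beyond this record */

    if (!need(p, end, 4) || p[0] != TLS_HS_CLIENT_HELLO) return -1; /* type(1) len(3) */
    p += 4;
    if (!need(p, end, 34)) return -1;         /* client_version(2) + random(32) */
    p += 34;

    if (!need(p, end, 1)) return -1;          /* session_id: len(1) + data */
    uint8_t sid_len = *p++;
    if (!need(p, end, sid_len)) return -1;
    p += sid_len;

    if (!need(p, end, 2)) return -1;          /* cipher_suites: len(2) + data, varies per client */
    uint16_t cs_len = rd16(p);
    p += 2;
    if (!need(p, end, cs_len)) return -1;
    p += cs_len;

    if (!need(p, end, 1)) return -1;          /* compression_methods: len(1) + data */
    uint8_t comp_len = *p++;
    if (!need(p, end, comp_len)) return -1;
    p += comp_len;

    if (p == end) return 0;                   /* legal: hello without an extensions block */
    if (!need(p, end, 2)) return -1;
    uint16_t ext_total = rd16(p);
    p += 2;
    if (!need(p, end, ext_total)) return -1;
    end = p + ext_total;

    for (int i = 0; i < MAX_EXTENSIONS; i++) { /* type(2) len(2) data, in any order */
        if (!need(p, end, 4)) return 0;
        uint16_t ext_type = rd16(p), ext_len = rd16(p + 2);
        p += 4;
        if (!need(p, end, ext_len)) return -1;
        if (ext_type != TLS_EXT_SERVER_NAME) { p += ext_len; continue; }

        /* server_name_list: list_len(2) name_type(1) name_len(2) name */
        const uint8_t *q = p, *qend = p + ext_len;
        if (!need(q, qend, 5) || q[2] != 0x00) return -1; /* only host_name(0) is defined */
        uint16_t name_len = rd16(q + 3);
        q += 5;
        if (!need(q, qend, name_len) || name_len == 0 || (size_t)name_len + 1 > outlen) return -1;
        memcpy(out, q, name_len);
        out[name_len] = '\0';
        return (int)name_len;
    }
    return 0;
}

/* Constructed sample: TLS 1.2 ClientHello, three cipher suites, three extensions,
 * with server_name "example.com" second in the list (not at a fixed offset). */
static const uint8_t sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x50,               /* record: handshake, len 80 */
    0x01, 0x00, 0x00, 0x4c,                     /* ClientHello, len 76 */
    0x03, 0x03,                                 /* client_version TLS 1.2 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, /* "random" */
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
    0x00,                                       /* session_id len 0 */
    0x00, 0x06, 0x13, 0x01, 0x13, 0x02, 0xc0, 0x2f, /* 3 cipher suites */
    0x01, 0x00,                                 /* 1 compression method: null */
    0x00, 0x1d,                                 /* extensions len 29 */
    0x00, 0x17, 0x00, 0x00,                     /* extended_master_secret, empty */
    0x00, 0x00, 0x00, 0x10,                     /* server_name, len 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,               /* list len 14, host_name, name len 11 */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
    0xff, 0x01, 0x00, 0x01, 0x00,               /* renegotiation_info, len 1 */
};

int main(void)
{
    char sni[256];
    int n = tls_extract_sni(sample_client_hello, sizeof sample_client_hello, sni, sizeof sni);
    printf("full hello: rc=%d sni=%s\n", n, n > 0 ? sni : "(none)");
    /* A hello cut short (e.g. split across TCP segments, which XDP sees as
     * separate packets) fails closed with -1 instead of reading as "no SNI". */
    n = tls_extract_sni(sample_client_hello, 60, sni, sizeof sni);
    printf("truncated hello: rc=%d\n", n);
    return 0;
}
```

Because every length field is validated against the record and extension boundaries, a ClientHello cut short returns -1 rather than 0; a filter that treats "could not parse" as "no SNI, pass it" is trivially bypassed by a client that fragments its hello. The fixed `MAX_EXTENSIONS` bound is the price of verifier-friendly looping: a hello whose server_name sits after more extensions than that bound is reported as having none, so the bound must be chosen with that failure mode in mind.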
vincentmli commented 1 month ago

The third idea is to attach an XDP program to the red0/green0 interface to monitor and parse DNS queries. When servers/computers in the green network initiate an HTTPS request to an Internet HTTPS site, they must do a DNS query first for that site, so instead of writing the XDP program to monitor and parse the HTTPS ClientHello SNI, write the XDP program to parse the DNS query name and drop the query if the query name matches an unwanted HTTPS site name. UDP/DNS payload match examples:

https://stackoverflow.com/questions/62032878/ebpf-packet-filter-on-payload-matching
https://github.com/vincentmli/XDPeriments/blob/master/dns-says-no/Round3/xdp_dns_says_no_kern_v3.c#L149-L180
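To illustrate the third idea, here is an added example, not code from this issue, from BPFire or from the linked XDPeriments repository: a userspace C walker for the DNS question section, written with the same bounds-checked, bounded-loop structure an XDP program needs. The Ethernet/IP/UDP headers an XDP program would first step over are omitted, and the decision is returned as 1 = drop / 0 = pass rather than XDP_DROP / XDP_PASS. The query bytes are constructed for the example; the blocked name is matched as an exact name or a parent domain, so blocking example.com also catches www.example.com, while a purely textual suffix match (which would also catch notexample.com) is deliberately avoided.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define DNS_HDR_LEN  12
#define DNS_QR_BIT   0x8000
#define MAX_LABELS   64    /* bounded loop for the BPF verifier */
#define MAX_NAME_LEN 253   /* longest presentation-form name without trailing dot */

/* Bounds check before every read, as an XDP program must do against data_end. */
static int need(const uint8_t *p, const uint8_t *end, size_t n)
{
    return p <= end && (size_t)(end - p) >= n;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy the first question's QNAME from a DNS message (the UDP payload) into out as
 * dotted text without the trailing dot. Returns the name length, 0 if the message
 * is a response or has no question, -1 if malformed or truncated. */
int dns_query_name(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    const uint8_t *p = buf, *end = buf + len;
    if (!need(p, end, DNS_HDR_LEN)) return -1;
    if (rd16(p + 2) & DNS_QR_BIT) return 0;        /* QR=1: a response, not a query */
    if (rd16(p + 4) == 0) return 0;                 /* QDCOUNT=0: nothing to inspect */
    p += DNS_HDR_LEN;

    size_t n = 0;
    for (int i = 0; i < MAX_LABELS; i++) {
        if (!need(p, end, 1)) return -1;
        uint8_t lab = *p++;
        if (lab == 0) {                             /* root label terminates the name */
            if (n == 0) return -1;                  /* a query for "." names no host */
            out[n - 1] = '\0';                      /* replace trailing dot with NUL */
            return (int)(n - 1);
        }
        if (lab & 0xc0) return -1;                  /* compression pointer: invalid in a question */
        if (!need(p, end, lab) || n + lab + 1 > outlen) return -1;
        memcpy(out + n, p, lab);
        n += lab;
        out[n++] = '.';
        p += lab;
    }
    return -1;                                      /* more labels than the bound allows */
}

/* True if qname equals `blocked` or is a subdomain of it, case-insensitively:
 * "example.com" blocks "www.example.com" and "EXAMPLE.com" but not "notexample.com". */
int dns_name_blocked(const char *qname, const char *blocked)
{
    size_t ql = strlen(qname), bl = strlen(blocked);
    if (bl == 0 || ql < bl) return 0;
    if (strcasecmp(qname + (ql - bl), blocked) != 0) return 0;
    return ql == bl || qname[ql - bl - 1] == '.';
}

/* The per-packet decision an XDP program would make: 1 = drop, 0 = pass.
 * Anything unparsable passes; the policy here is to block names, not to
 * act as a DNS validator. */
int dns_should_drop(const uint8_t *payload, size_t len, const char *blocked)
{
    char name[MAX_NAME_LEN + 1];
    int n = dns_query_name(payload, len, name, sizeof name);
    return n > 0 && dns_name_blocked(name, blocked);
}

/* Constructed sample: a standard A query for www.example.com with RD set. */
static const uint8_t sample_dns_query[] = {
    0x12, 0x34, 0x01, 0x00,                         /* ID, flags: QR=0, RD=1 */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* QDCOUNT=1, AN/NS/AR=0 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                         /* QTYPE A, QCLASS IN */
};

int main(void)
{
    char name[MAX_NAME_LEN + 1];
    int n = dns_query_name(sample_dns_query, sizeof sample_dns_query, name, sizeof name);
    printf("qname=%s (%d bytes)\n", n > 0 ? name : "(none)", n);
    printf("block example.com -> %s\n",
           dns_should_drop(sample_dns_query, sizeof sample_dns_query, "example.com") ? "DROP" : "PASS");
    printf("block ample.com   -> %s\n",
           dns_should_drop(sample_dns_query, sizeof sample_dns_query, "ample.com") ? "DROP" : "PASS");
    return 0;
}
```

Two things to keep in mind with the DNS route: the match must be case-insensitive (hence `strcasecmp`), since resolvers and clients may mix case in QNAME, and a client that already has the answer cached, resolves over DNS-over-HTTPS/TLS, or connects by IP address never sends a query this filter can see, so it complements rather than replaces SNI inspection.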

vincentmli commented 1 month ago

iptables https://noc.org/help/docs/blocking-dns-requests-via-iptables/