chore: go mod tidy

fix: engine exit when too many packets hit NFQUEUE
This is a more graceful way to disable ENOBUFS reporting than bed34f94be
2024-02-28 21:58:16 +08:00 · 2024-02-28 21:20:08 +08:00 · 2024-02-28 21:17:29 +08:00 · 2024-02-26 15:28:33 -08:00 · 2024-02-26 15:27:35 -08:00 · 2024-02-26 15:17:33 -08:00
6 changed files with 40 additions and 13 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,6 +1,6 @@
 on:
  release:
-    types: [ created ]
+    types: [published]

 permissions:
  contents: write
@@ -12,8 +12,8 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        goos: [ linux ]
-        goarch: [ "386", amd64, arm64 ]
+        goos: [linux]
+        goarch: ["386", amd64, arm64]
    steps:
      - uses: actions/checkout@v4
      - uses: wangyoucao577/go-release-action@v1
@@ -21,6 +21,6 @@ jobs:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          goos: ${{ matrix.goos }}
          goarch: ${{ matrix.goarch }}
-          goversion: "https://go.dev/dl/go1.21.6.linux-amd64.tar.gz"
+          goversion: "https://go.dev/dl/go1.22.0.linux-amd64.tar.gz"
          binary_name: "OpenGFW"
-          extra_files: LICENSE README.md README.zh.md
+          extra_files: LICENSE README.md README.zh.md
--- a/README.ja.md
+++ b/README.ja.md
@@ -19,7 +19,7 @@ Telegram グループ: https://t.me/OpGFW

 - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
  - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
-  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/en/)
  - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
  - [WIP] 機械学習に基づくトラフィック分類
 - IPv4 と IPv6 をフルサポート
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Telegram group: https://t.me/OpGFW
 - Full IP/TCP reassembly, various protocol analyzers
  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
  - "Fully encrypted traffic" detection for Shadowsocks,
-    etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+    etc. (https://gfw.report/publications/usenixsecurity23/en/)
  - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
  - [WIP] Machine learning based traffic classification
 - Full IPv4 and IPv6 support
--- a/README.zh.md
+++ b/README.zh.md
@@ -19,7 +19,7 @@ Telegram 群组： https://t.me/OpGFW

 - 完整的 IP/TCP 重组，各种协议解析器
  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
-  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/zh/)
  - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
  - [开发中] 基于机器学习的流量分类
 - 同等支持 IPv4 和 IPv6
--- a/analyzer/tcp/fet.go
+++ b/analyzer/tcp/fet.go
@@ -143,8 +143,11 @@ func isTLSorHTTP(bytes []byte) bool {
 	if len(bytes) < 3 {
 		return false
 	}
-	if bytes[0] == 0x16 && bytes[1] == 0x03 && bytes[2] <= 0x03 {
-		// TLS handshake for TLS 1.0-1.3
+	// "We observe that the GFW exempts any connection whose first
+	// three bytes match the following regular expression:
+	// [\x16-\x17]\x03[\x00-\x09]" - from the paper in Section 4.3
+	if bytes[0] >= 0x16 && bytes[0] <= 0x17 &&
+		bytes[1] == 0x03 && bytes[2] <= 0x09 {
 		return true
 	}
 	// HTTP request
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@@ -127,6 +127,10 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 	if err != nil {
 		return nil, err
 	}
+	err = n.Con.SetOption(netlink.NoENOBUFS, true)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set NoENOBUFS option: %w", err)
+	}
 	return &nfqueuePacketIO{
 		n:     n,
 		local: config.Local,
@@ -138,9 +142,10 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error {
 	err := n.n.RegisterWithErrorFunc(ctx,
 		func(a nfqueue.Attribute) int {
-			if a.PacketID == nil || a.Ct == nil || a.Payload == nil || len(*a.Payload) < 20 {
-				// Invalid packet, ignore
-				// 20 is the minimum possible size of an IP packet
+			if ok, verdict := n.packetAttributeSanityCheck(a); !ok {
+				if a.PacketID != nil {
+					_ = n.n.SetVerdict(*a.PacketID, verdict)
+				}
 				return 0
 			}
 			p := &nfqueuePacket{
@@ -170,6 +175,25 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
 	return nil
 }

+func (n *nfqueuePacketIO) packetAttributeSanityCheck(a nfqueue.Attribute) (ok bool, verdict int) {
+	if a.PacketID == nil {
+		// Re-inject to NFQUEUE is actually not possible in this condition
+		return false, -1
+	}
+	if a.Payload == nil || len(*a.Payload) < 20 {
+		// 20 is the minimum possible size of an IP packet
+		return false, nfqueue.NfDrop
+	}
+	if a.Ct == nil {
+		// Multicast packets may not have a conntrack, but only appear in local mode
+		if n.local {
+			return false, nfqueue.NfAccept
+		}
+		return false, nfqueue.NfDrop
+	}
+	return true, -1
+}
+
 func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) error {
 	nP, ok := p.(*nfqueuePacket)
 	if !ok {
Author	SHA1	Message	Date
Haruue	234ee32687	chore: go mod tidy	2024-02-28 21:58:16 +08:00
Haruue	1852a2594d	fix: engine exit when too many packets hit NFQUEUE This is a more graceful way to disable ENOBUFS reporting than `bed34f94be`	2024-02-28 21:20:08 +08:00
Haruue	bc8d15ef37	Revert "fix: engine exit when too many packets hit NFQUEUE" This reverts commit `bed34f94be`.	2024-02-28 21:17:29 +08:00
Toby	5d2d874089	Merge pull request #82 from apernet/update-fet feat: update FET analyzer to better reflect what's described in the paper	2024-02-26 15:28:33 -08:00
Toby	797dce3dc2	feat: update FET analyzer to better reflect what's described in the paper	2024-02-26 15:27:35 -08:00
Toby	420286a46c	Merge pull request #81 from apernet/update-gfwreport chore: update gfw report links	2024-02-26 15:17:33 -08:00
Toby	531a7b0ceb	chore: update gfw report links	2024-02-26 15:17:07 -08:00
Toby	20e0637756	Merge pull request #79 from apernet/update-ci fix: release workflow	2024-02-26 10:50:44 -08:00
Toby	74dcc92fc6	fix: release workflow	2024-02-26 10:49:19 -08:00
Toby	b780ff65a4	Merge pull request #76 from apernet/fix-enobufs fix: engine exit with "netlink receive: recvmsg: no buffer space available" when too many packets hit NFQUEUE	2024-02-26 10:40:08 -08:00
Haruue	8bd34d7798	chore: go mod tidy	2024-02-26 16:48:39 +08:00
Haruue	bed34f94be	fix: engine exit when too many packets hit NFQUEUE	2024-02-26 16:46:50 +08:00
Toby	bc2e21e35d	Merge pull request #75 from apernet/fix-missing-verdict fix: verdict is missing for multicast packets	2024-02-26 00:12:42 -08:00
Haruue	a0b994ce22	fix: verdict is missing for multicast packets	2024-02-26 15:45:07 +08:00