Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
1dce82745d | ||
|
|
50cc94889f | ||
|
|
5d2d874089 | ||
|
|
797dce3dc2 | ||
|
|
420286a46c | ||
|
|
531a7b0ceb | ||
|
|
20e0637756 | ||
|
|
74dcc92fc6 |
10
.github/workflows/release.yaml
vendored
10
.github/workflows/release.yaml
vendored
@@ -1,6 +1,6 @@
|
||||
on:
|
||||
release:
|
||||
types: [ created ]
|
||||
types: [published]
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
@@ -12,8 +12,8 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
goos: [ linux ]
|
||||
goarch: [ "386", amd64, arm64 ]
|
||||
goos: [linux]
|
||||
goarch: ["386", amd64, arm64]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: wangyoucao577/go-release-action@v1
|
||||
@@ -21,6 +21,6 @@ jobs:
|
||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||
goos: ${{ matrix.goos }}
|
||||
goarch: ${{ matrix.goarch }}
|
||||
goversion: "https://go.dev/dl/go1.21.6.linux-amd64.tar.gz"
|
||||
goversion: "https://go.dev/dl/go1.22.0.linux-amd64.tar.gz"
|
||||
binary_name: "OpenGFW"
|
||||
extra_files: LICENSE README.md README.zh.md
|
||||
extra_files: LICENSE README.md README.zh.md
|
||||
|
||||
@@ -19,7 +19,7 @@ Telegram グループ: https://t.me/OpGFW
|
||||
|
||||
- フル IP/TCP 再アセンブル、各種プロトコルアナライザー
|
||||
- HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
|
||||
- Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
||||
- Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/en/)
|
||||
- トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
|
||||
- [WIP] 機械学習に基づくトラフィック分類
|
||||
- IPv4 と IPv6 をフルサポート
|
||||
@@ -70,6 +70,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
|
||||
```yaml
|
||||
io:
|
||||
queueSize: 1024
|
||||
rcvBuf: 4194304
|
||||
sndBuf: 4194304
|
||||
local: true # FORWARD チェーンで OpenGFW を実行したい場合は false に設定する
|
||||
|
||||
workers:
|
||||
|
||||
@@ -23,7 +23,7 @@ Telegram group: https://t.me/OpGFW
|
||||
- Full IP/TCP reassembly, various protocol analyzers
|
||||
- HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
|
||||
- "Fully encrypted traffic" detection for Shadowsocks,
|
||||
etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
||||
etc. (https://gfw.report/publications/usenixsecurity23/en/)
|
||||
- Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
|
||||
- [WIP] Machine learning based traffic classification
|
||||
- Full IPv4 and IPv6 support
|
||||
@@ -74,6 +74,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
|
||||
```yaml
|
||||
io:
|
||||
queueSize: 1024
|
||||
rcvBuf: 4194304
|
||||
sndBuf: 4194304
|
||||
local: true # set to false if you want to run OpenGFW on FORWARD chain
|
||||
|
||||
workers:
|
||||
|
||||
@@ -19,7 +19,7 @@ Telegram 群组: https://t.me/OpGFW
|
||||
|
||||
- 完整的 IP/TCP 重组,各种协议解析器
|
||||
- HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
|
||||
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
||||
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/zh/)
|
||||
- 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
|
||||
- [开发中] 基于机器学习的流量分类
|
||||
- 同等支持 IPv4 和 IPv6
|
||||
@@ -70,6 +70,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
|
||||
```yaml
|
||||
io:
|
||||
queueSize: 1024
|
||||
rcvBuf: 4194304
|
||||
sndBuf: 4194304
|
||||
local: true # 如果需要在 FORWARD 链上运行 OpenGFW,请设置为 false
|
||||
|
||||
workers:
|
||||
|
||||
@@ -143,8 +143,11 @@ func isTLSorHTTP(bytes []byte) bool {
|
||||
if len(bytes) < 3 {
|
||||
return false
|
||||
}
|
||||
if bytes[0] == 0x16 && bytes[1] == 0x03 && bytes[2] <= 0x03 {
|
||||
// TLS handshake for TLS 1.0-1.3
|
||||
// "We observe that the GFW exempts any connection whose first
|
||||
// three bytes match the following regular expression:
|
||||
// [\x16-\x17]\x03[\x00-\x09]" - from the paper in Section 4.3
|
||||
if bytes[0] >= 0x16 && bytes[0] <= 0x17 &&
|
||||
bytes[1] == 0x03 && bytes[2] <= 0x09 {
|
||||
return true
|
||||
}
|
||||
// HTTP request
|
||||
|
||||
12
cmd/root.go
12
cmd/root.go
@@ -168,8 +168,10 @@ type cliConfig struct {
|
||||
}
|
||||
|
||||
type cliConfigIO struct {
|
||||
QueueSize uint32 `mapstructure:"queueSize"`
|
||||
Local bool `mapstructure:"local"`
|
||||
QueueSize uint32 `mapstructure:"queueSize"`
|
||||
ReadBuffer int `mapstructure:"rcvBuf"`
|
||||
WriteBuffer int `mapstructure:"sndBuf"`
|
||||
Local bool `mapstructure:"local"`
|
||||
}
|
||||
|
||||
type cliConfigWorkers struct {
|
||||
@@ -192,8 +194,10 @@ func (c *cliConfig) fillLogger(config *engine.Config) error {
|
||||
|
||||
func (c *cliConfig) fillIO(config *engine.Config) error {
|
||||
nfio, err := io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
|
||||
QueueSize: c.IO.QueueSize,
|
||||
Local: c.IO.Local,
|
||||
QueueSize: c.IO.QueueSize,
|
||||
ReadBuffer: c.IO.ReadBuffer,
|
||||
WriteBuffer: c.IO.WriteBuffer,
|
||||
Local: c.IO.Local,
|
||||
})
|
||||
if err != nil {
|
||||
return configError{Field: "io", Err: err}
|
||||
|
||||
@@ -97,8 +97,10 @@ type nfqueuePacketIO struct {
|
||||
}
|
||||
|
||||
type NFQueuePacketIOConfig struct {
|
||||
QueueSize uint32
|
||||
Local bool
|
||||
QueueSize uint32
|
||||
ReadBuffer int
|
||||
WriteBuffer int
|
||||
Local bool
|
||||
}
|
||||
|
||||
func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
|
||||
@@ -128,6 +130,20 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if config.ReadBuffer > 0 {
|
||||
err = n.Con.SetReadBuffer(config.ReadBuffer)
|
||||
if err != nil {
|
||||
_ = n.Close()
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if config.WriteBuffer > 0 {
|
||||
err = n.Con.SetWriteBuffer(config.WriteBuffer)
|
||||
if err != nil {
|
||||
_ = n.Close()
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
return &nfqueuePacketIO{
|
||||
n: n,
|
||||
local: config.Local,
|
||||
|
||||
Reference in New Issue
Block a user