Merge pull request #85 from apernet/wip-buf

feat: netlink rcv/snd buffer config options
2024-02-29 11:23:08 -08:00 · 2024-02-28 17:45:24 -08:00 · 2024-02-26 15:28:33 -08:00 · 2024-02-26 15:27:35 -08:00 · 2024-02-26 15:17:33 -08:00 · 2024-02-26 15:17:07 -08:00
6 changed files with 40 additions and 11 deletions
--- a/README.ja.md
+++ b/README.ja.md
@@ -19,7 +19,7 @@ Telegram グループ: https://t.me/OpGFW

 - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
  - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
-  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/en/)
  - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
  - [WIP] 機械学習に基づくトラフィック分類
 - IPv4 と IPv6 をフルサポート
@@ -70,6 +70,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
 ```yaml
 io:
  queueSize: 1024
+  rcvBuf: 4194304
+  sndBuf: 4194304
  local: true # FORWARD チェーンで OpenGFW を実行したい場合は false に設定する

 workers:
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ Telegram group: https://t.me/OpGFW
 - Full IP/TCP reassembly, various protocol analyzers
  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
  - "Fully encrypted traffic" detection for Shadowsocks,
-    etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+    etc. (https://gfw.report/publications/usenixsecurity23/en/)
  - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
  - [WIP] Machine learning based traffic classification
 - Full IPv4 and IPv6 support
@@ -74,6 +74,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
 ```yaml
 io:
  queueSize: 1024
+  rcvBuf: 4194304
+  sndBuf: 4194304
  local: true # set to false if you want to run OpenGFW on FORWARD chain

 workers:
--- a/README.zh.md
+++ b/README.zh.md
@@ -19,7 +19,7 @@ Telegram 群组： https://t.me/OpGFW

 - 完整的 IP/TCP 重组，各种协议解析器
  - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
-  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/zh/)
  - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
  - [开发中] 基于机器学习的流量分类
 - 同等支持 IPv4 和 IPv6
@@ -70,6 +70,8 @@ opkg install kmod-nft-queue kmod-nf-conntrack-netlink
 ```yaml
 io:
  queueSize: 1024
+  rcvBuf: 4194304
+  sndBuf: 4194304
  local: true # 如果需要在 FORWARD 链上运行 OpenGFW，请设置为 false

 workers:
--- a/analyzer/tcp/fet.go
+++ b/analyzer/tcp/fet.go
@@ -143,8 +143,11 @@ func isTLSorHTTP(bytes []byte) bool {
 	if len(bytes) < 3 {
 		return false
 	}
-	if bytes[0] == 0x16 && bytes[1] == 0x03 && bytes[2] <= 0x03 {
-		// TLS handshake for TLS 1.0-1.3
+	// "We observe that the GFW exempts any connection whose first
+	// three bytes match the following regular expression:
+	// [\x16-\x17]\x03[\x00-\x09]" - from the paper in Section 4.3
+	if bytes[0] >= 0x16 && bytes[0] <= 0x17 &&
+		bytes[1] == 0x03 && bytes[2] <= 0x09 {
 		return true
 	}
 	// HTTP request
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -168,8 +168,10 @@ type cliConfig struct {
 }

 type cliConfigIO struct {
-	QueueSize uint32 `mapstructure:"queueSize"`
-	Local     bool   `mapstructure:"local"`
+	QueueSize   uint32 `mapstructure:"queueSize"`
+	ReadBuffer  int    `mapstructure:"rcvBuf"`
+	WriteBuffer int    `mapstructure:"sndBuf"`
+	Local       bool   `mapstructure:"local"`
 }

 type cliConfigWorkers struct {
@@ -192,8 +194,10 @@ func (c *cliConfig) fillLogger(config *engine.Config) error {

 func (c *cliConfig) fillIO(config *engine.Config) error {
 	nfio, err := io.NewNFQueuePacketIO(io.NFQueuePacketIOConfig{
-		QueueSize: c.IO.QueueSize,
-		Local:     c.IO.Local,
+		QueueSize:   c.IO.QueueSize,
+		ReadBuffer:  c.IO.ReadBuffer,
+		WriteBuffer: c.IO.WriteBuffer,
+		Local:       c.IO.Local,
 	})
 	if err != nil {
 		return configError{Field: "io", Err: err}
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@@ -97,8 +97,10 @@ type nfqueuePacketIO struct {
 }

 type NFQueuePacketIOConfig struct {
-	QueueSize uint32
-	Local     bool
+	QueueSize   uint32
+	ReadBuffer  int
+	WriteBuffer int
+	Local       bool
 }

 func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
@@ -128,6 +130,20 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 	if err != nil {
 		return nil, err
 	}
+	if config.ReadBuffer > 0 {
+		err = n.Con.SetReadBuffer(config.ReadBuffer)
+		if err != nil {
+			_ = n.Close()
+			return nil, err
+		}
+	}
+	if config.WriteBuffer > 0 {
+		err = n.Con.SetWriteBuffer(config.WriteBuffer)
+		if err != nil {
+			_ = n.Close()
+			return nil, err
+		}
+	}
 	return &nfqueuePacketIO{
 		n:     n,
 		local: config.Local,
Author	SHA1	Message	Date
Toby	1dce82745d	Merge pull request #85 from apernet/wip-buf feat: netlink rcv/snd buffer config options	2024-02-29 11:23:08 -08:00
Toby	50cc94889f	feat: netlink rcv/snd buffer config options	2024-02-28 17:45:24 -08:00
Toby	5d2d874089	Merge pull request #82 from apernet/update-fet feat: update FET analyzer to better reflect what's described in the paper	2024-02-26 15:28:33 -08:00
Toby	797dce3dc2	feat: update FET analyzer to better reflect what's described in the paper	2024-02-26 15:27:35 -08:00
Toby	420286a46c	Merge pull request #81 from apernet/update-gfwreport chore: update gfw report links	2024-02-26 15:17:33 -08:00
Toby	531a7b0ceb	chore: update gfw report links	2024-02-26 15:17:07 -08:00