chore: go mod tidy

This is a more graceful way to disable ENOBUFS reporting than
bed34f94be

README.ja.md

@@ -19,7 +19,7 @@ Telegram グループ: https://t.me/OpGFW
 
 - フル IP/TCP 再アセンブル、各種プロトコルアナライザー
   - HTTP、TLS、QUIC、DNS、SSH、SOCKS4/5、WireGuard、その他多数
-  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks の「完全に暗号化されたトラフィック」の検出など (https://gfw.report/publications/usenixsecurity23/en/)
   - トロイの木馬キラー (https://github.com/XTLS/Trojan-killer) に基づくトロイの木馬 (プロキシプロトコル) 検出
   - [WIP] 機械学習に基づくトラフィック分類
 - IPv4 と IPv6 をフルサポート

README.md

@@ -23,7 +23,7 @@ Telegram group: https://t.me/OpGFW
 - Full IP/TCP reassembly, various protocol analyzers
   - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, and many more to come
   - "Fully encrypted traffic" detection for Shadowsocks,
-    etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+    etc. (https://gfw.report/publications/usenixsecurity23/en/)
   - Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
   - [WIP] Machine learning based traffic classification
 - Full IPv4 and IPv6 support

README.zh.md

@@ -19,7 +19,7 @@ Telegram 群组： https://t.me/OpGFW
 
 - 完整的 IP/TCP 重组，各种协议解析器
   - HTTP, TLS, QUIC, DNS, SSH, SOCKS4/5, WireGuard, 更多协议正在开发中
-  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
+  - Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/zh/)
   - 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
   - [开发中] 基于机器学习的流量分类
 - 同等支持 IPv4 和 IPv6

analyzer/tcp/fet.go

@@ -143,8 +143,11 @@ func isTLSorHTTP(bytes []byte) bool {
 	if len(bytes) < 3 {
 		return false
 	}
-	if bytes[0] == 0x16 && bytes[1] == 0x03 && bytes[2] <= 0x03 {
-		// TLS handshake for TLS 1.0-1.3
+	// "We observe that the GFW exempts any connection whose first
+	// three bytes match the following regular expression:
+	// [\x16-\x17]\x03[\x00-\x09]" - from the paper in Section 4.3
+	if bytes[0] >= 0x16 && bytes[0] <= 0x17 &&
+		bytes[1] == 0x03 && bytes[2] <= 0x09 {
 		return true
 	}
 	// HTTP request

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.26.0
 	golang.org/x/crypto v0.19.0
-	golang.org/x/sys v0.17.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -44,6 +43,7 @@ require (
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 )

io/nfqueue.go

@@ -12,7 +12,6 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/florianl/go-nfqueue"
 	"github.com/mdlayher/netlink"
-	"golang.org/x/sys/unix"
 )
 
 const (
@@ -128,6 +127,10 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 	if err != nil {
 		return nil, err
 	}
+	err = n.Con.SetOption(netlink.NoENOBUFS, true)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set NoENOBUFS option: %w", err)
+	}
 	return &nfqueuePacketIO{
 		n:     n,
 		local: config.Local,
@@ -153,12 +156,6 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
 			return okBoolToInt(cb(p, nil))
 		},
 		func(e error) int {
-			if opErr := (*netlink.OpError)(nil); errors.As(e, &opErr) {
-				if errors.Is(opErr.Err, unix.ENOBUFS) {
-					// Kernel buffer temporarily full, ignore
-					return 0
-				}
-			}
 			return okBoolToInt(cb(nil, e))
 		})
 	if err != nil {