如题

根据日期/时间自动生效，例如：

• 在每天的 18:00-23:00 提高丢包率
• 在每年的 6/1 - 6/10 丢包率设置为 100%
  ......

目前的drop是100%丢包，建议添加一个配置，控制一个包有多大的概率被丢弃

另外，针对TCP的drop，可以放置30s达到连接超时的效果而非阻止

如题, 请问是OpenGFW能墙Hysteria, 还是Hysteria能突破OpenGFW的封锁

RT
此错误应该如何解决

并且日志的输出 error同样标记为INFO 是否有点不合适
2024-02-26T10:48:46-05:00 INFO engine exited {"error": "netlink receive: recvmsg: no buffer space available"}

增加配置将某类包放置一段时间后再发送（如放置0.1s）达到拖慢网速的效果。

Besides read config from file and using SIGHUP to reload it when process is running. Is there any plan to read config from configurable url using polling http/http server push.

root@router:/tmp# ./OpenGFW -c config.yaml rules.yaml
bash: ./OpenGFW: cannot execute: required file not found

root@router:/tmp# opkg list | grep kmod-ipt-nfqueue
kmod-ipt-nfqueue - 6.1.81-1
root@router:/tmp# opkg list | grep iptables-mod-nfqueue
iptables-mod-nfqueue - 1.8.7-2
root@router:/tmp# opkg list | grep kmod-nf-conntrack-netlink
kmod-nf-conntrack-netlink - 6.1.81-1

My Enviroment

• CPU: 12 × Intel® Core™ i7-10710U CPU @ 1.10GHz
• OS: Arch Linux
• Kernel Version: 6.6.10-arch1-1 (64-bit)

Config File

# block bilibili
- name: block bilibili http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "bilibili.com"

- name: block bilibili https
  action: block
  expr: string(tls?.req?.sni) endsWith "bilibili.com"

# block csdn
- name: block csdn http
  action: block
  expr: string(http?.req?.headers?.host) endsWith "csdn.net"

- name: block csdn https
  action: block
  expr: string(tls?.req?.sni) endsWith "csdn.net"

What happeded

https://www.csdn.net has been blocked properly, while https://www.bilibili.com cannot.

Concretely, when visiting bilibili through https://www.bilibili.com in Chrome, the page is not accessible. But while web browser keeping trying to reconnect automatically, there's high possibility that the page will be loaded successfully. And after that, due to http long connection has benn established, all the followed-up operations will not be interrupted.

I found this happened on my:

• Chrome Version 120.0.6099.129
• Edge Version 113.0.1774.57 (Official build) (64-bit)
• curl 8.4.0 (x86_64-pc-linux-gnu)

Moreover, this problem only happened when domain name holding IP addresses more than one. For example, I query DNS record for bilibili.com and csdn.net:

$ nslookup bilibili.com
Server:         210.31.0.9
Address:        210.31.0.9#53

Non-authoritative answer:
Name:   bilibili.com
Address: 119.3.70.188
Name:   bilibili.com
Address: 8.134.50.24
Name:   bilibili.com
Address: 139.159.241.37
Name:   bilibili.com
Address: 47.103.24.173

$ nslookup csdn.net
Server:         210.31.0.9
Address:        210.31.0.9#53

Non-authoritative answer:
Name:   csdn.net
Address: 120.46.76.152

The result is that csdn can be blocked properly, while former cannot. I am not sure whether there is some relation between this bug and DNS record. But I think it's worth to mention.

弄得我跃跃欲试，先找gpt研究下luci怎么写，怎么和代码对接，希望我能写出第一版简陋的luci来

我注意到有这么一段常量与描述：

1. trojanUpUB 在 Trojan-killer 中目前是 750，而在 OpenGFW 中是 1000，应该会增加误报率，这是为了匹配内层 ECH 吗
2. OpenGFW 是否只是针对单条连接检测并阻断 Trojan？Trojan-killer 只是一个证明 TLS in TLS 问题存在的 PoC，若从封锁的角度来说，我觉得应该持续监测同一目标（IP+端口+域名）的 M 条连接，若阳性率大于 N 就封锁该目标（用户可自定义），这样可以有效提升精准度

题外话：当初我还和 @yuhan6665 讨论要不要把 Trojan-killer 命名为 XGFW，后来决定还是把这个名字留给一个网关式的综合 GFW

多谢！

failed to parse config {"error": "invalid config: io: running [/usr/sbin/iptables -t filter -C INPUT -m connmark --mark 1001 -j ACCEPT --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match connmark':No such file or directory\n\nTry iptables -h' or 'iptables --help' for more information

I am worried that the Chinese government will learn from this project and strengthen GFW, thereby causing losses to Chinese software developers. Such as not being able to access their projects or being unable to contact the company where they work remotely.

新增外到内访问的流量审计，未在白名单或在黑名单中的域名阻断并替换页面内容（实现类似未过白域名访问显示的页面效果）

My Enviroment

• CPU: 12 × Intel® Core™ i7-10710U CPU @ 1.10GHz
• OS: Arch Linux
• Kernel Version: 6.6.10-arch1-1 (64-bit)

Config Files

# config.yaml
io:
  queueSize: 1024
  local: true

workers:
  count: 4
  queueSize: 16
  tcpMaxBufferedPagesTotal: 4096
  tcpMaxBufferedPagesPerConn: 64
  udpMaxStreams: 4096

# ruleset.yaml
- name: block alidns
  action: block
  expr: string(ip.dst) == "223.5.5.5"

What Happeded

Connection to IP that should be blocked established successfully.

Concretely, commands like ping 223.5.5.5 and nslookup baidu.com 223.5.5.5 can get response, but they should not act like this.

By the way, blocking by other keywords, such as blocking by keywords tls?.req?.sni, http?.req?.header?.host. These all things can work properly but ip.dst. Maybe ip.src can not too, but I have not check it yet.

老实说，我就知道会有这样离谱的项目出现，先点个star看看这个项目的后续发展如何，感觉潜力很大啊！😝

接这个issue: #94
静态编译后, 按照readme配置和规则文件运行， 提示engine exited {"error": "exit status 1"}

root@router:/tmp# ./OpenGFW -c config.yaml rules.yaml
2024-03-12T12:39:04Z INFO engine started
2024-03-12T12:39:04Z DEBUG worker started {"id": 0}
2024-03-12T12:39:04Z DEBUG worker started {"id": 2}
2024-03-12T12:39:04Z DEBUG worker started {"id": 1}
2024-03-12T12:39:04Z DEBUG worker started {"id": 3}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 0}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 3}
2024-03-12T12:39:05Z INFO engine exited {"error": "exit status 1"}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 1}
2024-03-12T12:39:05Z DEBUG worker stopped {"id": 2}

有无其他参数可以打印更多消息？

RT

无法在OpenWrt 23版本上运行，不知是否和这个有关

这个东西的工作原理是什么？GFW应该是通过端口镜像获得ip包，是并联的吧？这个东西是不是得网关串联接入？

After testing, it seems that the core routers & switches' mirror ports' traffic is not currently supported. I enabled the promiscuous mode of the network card under CentOS7 for testing and found that there was no log output.
I hope to add this feature for the following reasons:
The company's security construction is relatively mature, and it is not possible to make major changes under the current circumstances, especially using self-built cores at key nodes. Therefore, I hope to add support for the detection of traffic on mirror ports, to find users with matching characteristics and intercept them through firewalls or AC devices (internet behavior management).
Please assess whether the requirement is feasible to be included in the plan.

经过测试目前貌似并不支持核心路由器&交换机镜像端口的流量，我在CentOS7下开启了网卡混杂模式进行测试发现并没有日志输出。
希望能够添加该功能，原因如下：
目前公司安全建设已经相对成熟，在现有的情况下并不能做大的改动特别是使用自建核心在关键节点。因此希望增加支持对镜像端口流量的检测功能，找出符合特征的用户通过防火墙或AC设备（上网行为管理）进行拦截。
请评估是否可行将该需求纳入计划中。

It is human behaviour.

https://www.zhihu.com/question/20418863

建议作者增加对于Darwin内核的支持
而且区分开Darwin(Intel)和Darwin(Apple Silicon)的版本

Hi

1. I heard that TLS in TLS vulnerability exist in all TLS based proxies even VLESS XTLS
   was you able to detect them too?

2. could you please rate each proxy protocol / transport
   which ones have more false positive
   which ones will consume more hardware resources of GFW to detect
   also noTLS proxies, you can help us use more stealth config combines

3. If you found a good way to detect torrent, please help proxy cores to detect them.

Thank you.

ssh.go 里面关于 Feed 函数里面, 两个分支都是先把update置为false,但是后面更新propupdate变量需要update变量为true的情况下,所以说永远都更新不了 propupdate 变量.

我的理解应该是这样的

当然也可能是我对代码的理解有误

能屏蔽openvpn吗

比如对于某订阅列表的IP和域名（gfwlist）实施干扰/阻断拦截，这样建墙体验就和真正的墙无异啦。

其实更快的方法是用超能力买通GFW的人员，把内部版本拿出来😁

The Great Cannon is supposed to be when China's GFW inserts Javascript into every request and can weaponize every web browser and device connected to the internet as a DDOS botnet.

怎样学习这个项目呢？如题 ，直接看源码吗？看了一下感觉不是很懂。好像是用到了一个go语言的库吗

1.Socks5
2.Socks4
3.Socks4A
4.QUIC
5.Stratum
6.GBT
7.BetterHash
8.NiceHash
9.MEP

The above tests are relatively simple and require relatively large amounts of new ones.

解决广告拦截被Surge/Quantumult X卡脖子的问题
比GFW更遥遥领先一步，内网设备不安装证书不允许接入互联网（逃

I read some source code and found analyzer based on network layer has yet to be implemented. Is there consideration for making it happen?

把 GFW 推向全世界全宇宙！

https://lovers.xijinping.one

通过对比JARM指纹，拦截请求