
List:       netfilter
Subject:    Re: SNI filtering
From:       Pierre-Philipp Braun <pbraun () nethence ! com>
Date:       2024-03-12 16:35:22
Message-ID: cf1d3838-f258-4c9f-afb6-d408d7490350 () nethence ! com

On 3/11/24 21:56, Tim Lewis wrote:
> May we have an example of Server Name Indication (SNI) filtering on
> the nftables wiki? When using an environment without the variable
> position support of iptables string match, an example, maybe using
> eBPF, for SNI filtering with nftables would be helpful.

Is that even possible with stock nftables?

FWIW I tried the xt_tls module with iptables (https://github.com/Lochnair/xt_tls).  The original filter rule shows up as such

         Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
          pkts bytes target     prot opt in     out     source               destination
            27 15363 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 TLS match host some-domain.com

while the resulting nftables filter rule shows up as such

         table ip filter {
                 chain OUTPUT {
                         type filter hook output priority filter; policy accept;
                         meta l4proto tcp tcp dport 443 # TLS match host some-domain.com counter packets 10 bytes 5690 drop  }
         }

but that's just firewalling.  For interception, it doesn't work (https://github.com/Lochnair/xt_tls/issues/35).

-- 
Pierre-Philipp Braun
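What a "TLS match host" rule actually has to do, as an added example that is neither xt_tls code nor part of the thread above: walk a TLS ClientHello to the SNI extension, whose byte offset shifts with the session-ID, cipher-suite and compression-method lengths, which is why a fixed-offset payload match cannot stand in for the variable-position string match Tim asked about. The ClientHello builder is a constructed sample, not a real capture.

```python
import struct

SNI_EXT = 0x0000  # extension type "server_name" (RFC 6066)

def build_client_hello(host: str, session_id: bytes = b"") -> bytes:
    """Constructed sample: a minimal TLS ClientHello record carrying one SNI entry."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                       # client_version + 32-byte random (zeros)
            + bytes([len(session_id)]) + session_id        # variable-length session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record: handshake, TLS 1.0 hdr

def extract_sni(rec: bytes):
    """Return (hostname, offset of the name inside the record), or None if absent/malformed."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:               # not a handshake record / not ClientHello
            return None
        p = 5 + 4 + 2 + 32                                 # record hdr, hs hdr, version, random
        p += 1 + rec[p]                                    # session_id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]      # cipher_suites
        p += 1 + rec[p]                                    # compression_methods
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:                            # iterate extensions: type, len, data
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == SNI_EXT:
                q = p + 2                                  # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = rec[q]
                    nlen = struct.unpack("!H", rec[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                         # name_type 0 = host_name
                        return rec[q:q + nlen].decode("ascii"), q
                    q += nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

if __name__ == "__main__":
    short = build_client_hello("some-domain.com")
    long_sid = build_client_hello("some-domain.com", session_id=bytes(32))
    print(extract_sni(short), extract_sni(long_sid))       # same name, offsets 61 and 93
```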

