List: netfilter
Subject: Re: SNI filtering
From: Pierre-Philipp Braun <pbraun () nethence ! com>
Date: 2024-03-12 16:35:22
Message-ID: cf1d3838-f258-4c9f-afb6-d408d7490350 () nethence ! com
On 3/11/24 21:56, Tim Lewis wrote:
> May we have an example of Server Name Indication (SNI) filtering on
> the nftables wiki? When using an environment without the variable
> position support of iptables string match, an example, maybe using
> eBPF, for SNI filtering with nftables would be helpful.
Is that even possible with stock nftables?
FWIW I tried the xt_tls module with iptables (https://github.com/Lochnair/xt_tls). The original filter rule shows up as such:
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27 15363 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 TLS match host some-domain.com
while the resulting nftables filter rule shows up as such:
table ip filter {
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                meta l4proto tcp tcp dport 443 # TLS match host some-domain.com counter packets 10 bytes 5690 drop
        }
}
but that's just firewalling. For interception, it doesn't work (https://github.com/Lochnair/xt_tls/issues/35).
--
Pierre-Philipp Braun
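The thread turns on the fact that the SNI hostname sits at a variable offset inside the TLS ClientHello (after the session ID, cipher suite list and compression methods, each of which is length-prefixed), which is why a fixed-offset string match is not enough and a module such as xt_tls has to walk the handshake. The following Python parser is an added example written for this archive page, not code from the thread or from the xt_tls project; `build_client_hello` constructs a minimal ClientHello so the walk can be exercised offline, and the returned offset shows how the position of the name moves with the preceding fields.

```python
import struct

def build_client_hello(host, session_id=b"", cipher_suites=(0x1301, 0x1302)):
    """Constructed minimal TLS ClientHello record carrying a server_name extension."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)           # ext type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                                # client_version, random
            + bytes([len(session_id)]) + session_id               # variable-length session id
            + struct.pack("!H", len(suites)) + suites             # variable-length cipher suites
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(payload):
    """Return (hostname, byte offset of the name) from a ClientHello, or (None, None)."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None, None                       # not a TLS handshake record / not a ClientHello
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    if pos >= len(payload):
        return None, None
    pos += 1 + payload[pos]                     # skip session id
    if pos + 2 > len(payload):
        return None, None
    pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # skip cipher suites
    if pos >= len(payload):
        return None, None
    pos += 1 + payload[pos]                     # skip compression methods
    if pos + 2 > len(payload):
        return None, None
    ext_len = struct.unpack_from("!H", payload, pos)[0]
    pos += 2
    end = min(pos + ext_len, len(payload))      # never trust the declared length blindly
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if etype == 0 and pos + 2 <= end:       # server_name extension: list length, then entries
            lpos = pos + 2
            while lpos + 3 <= min(pos + elen, end):
                ntype = payload[lpos]
                nlen = struct.unpack_from("!H", payload, lpos + 1)[0]
                if ntype == 0 and lpos + 3 + nlen <= end:
                    return payload[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace"), lpos + 3
                lpos += 3 + nlen
        pos += elen
    return None, None
```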