improve doc structures
tobyxdd committed Apr 4, 2024
1 parent 25ef661 commit f5c9caa
Showing 6 changed files with 250 additions and 147 deletions.
2 changes: 1 addition & 1 deletion docs/docs/analyzers.md
@@ -32,7 +32,7 @@ Every connection will always have the following properties:
}
```

Examples for blocking UDP traffic to `8.8.8.8`:
Example for blocking UDP traffic to `8.8.8.8`:

```yaml
- name: Block 8.8.8.8 UDP
78 changes: 4 additions & 74 deletions docs/docs/build-run.md
@@ -16,6 +16,8 @@ export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml
```

Where `config.yaml` is the config file and `rules.yaml` is the rules file.

#### OpenWrt

OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).
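Review bot: the new sentence "Where `config.yaml` is the config file and `rules.yaml` is the rules file." is the natural place to point readers at the Rules page this commit introduces, since the rule examples and the actions table are being removed from this file further down. Suggest `rules.yaml` is the rules file (see [Rules](rules.md)). so build-run.md still leads to the rule documentation.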
@@ -26,7 +28,7 @@ Install the dependencies:
opkg install nftables kmod-nft-queue kmod-nf-conntrack-netlink
```

### Example config
### Config example

```yaml
io:
@@ -42,82 +44,10 @@ workers:
tcpMaxBufferedPagesTotal: 4096
tcpMaxBufferedPagesPerConn: 64
udpMaxStreams: 4096

# The path to load specific local geoip/geosite db files.
# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat
# geo:
# geoip: geoip.dat
# geosite: geosite.dat
```

### Example rules

[Analyzer properties](analyzers.md)

For syntax of the expression language, please refer
to [Expr Language Definition](https://expr-lang.org/docs/language-definition).

```yaml
# A rule must have at least one of "action" or "log" field set.
- name: log horny people
log: true
expr: let sni = string(tls?.req?.sni); sni contains "porn" || sni contains "hentai"

- name: block v2ex http
action: block
expr: string(http?.req?.headers?.host) endsWith "v2ex.com"

- name: block v2ex https
action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com"

- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"

- name: block and log shadowsocks
action: block
log: true
expr: fet != nil && fet.yes

- name: block trojan
action: block
expr: trojan != nil && trojan.yes

- name: v2ex dns poisoning
action: modify
modifier:
name: dns
args:
a: "0.0.0.0"
aaaa: "::"
expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})

- name: block google socks
action: block
expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80

- name: block wireguard by handshake response
action: drop
expr: wireguard?.handshake_response?.receiver_index_matched == true

- name: block bilibili geosite
action: block
expr: geosite(string(tls?.req?.sni), "bilibili")

- name: block CN geoip
action: block
expr: geoip(string(ip.dst), "cn")

- name: block cidr
action: block
expr: cidr(string(ip.dst), "192.168.0.0/16")
```
#### Supported actions
| Action | TCP | UDP |
| -------- | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| `allow` | Allow the connection, no further processing. | Allow the connection, no further processing. |
| `block` | Block the connection, no further processing. | Block the connection, no further processing. |
| `drop` | Same as `block`. | Drop the packet that triggered the rule, continue processing future packets in the same flow. |
| `modify` | Same as `allow`. | Modify the packet that triggered the rule using the given modifier, continue processing future packets in the same flow. |
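Review bot: the removed commented `geo:` block (the `geoip: geoip.dat` / `geosite: geosite.dat` paths and the note that the files are downloaded automatically from the v2ray-rules-dat repository when unset) is the only documentation of those config keys visible in this diff, and it does not reappear in the new rules.md. Unless it is relocated in one of the changed files not shown on this page, keep the commented block in the config example here, since the `geosite(...)` and `geoip(...)` rule examples depend on those files being present.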
75 changes: 3 additions & 72 deletions docs/docs/build-run.zh.md
@@ -16,6 +16,8 @@ export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml
```

其中 `config.yaml` 是配置文件,`rules.yaml` 是规则文件。

#### OpenWrt

OpenGFW 在 OpenWrt 23.05 上测试可用(其他版本应该也可以,暂时未经验证)。
@@ -42,81 +44,10 @@ workers:
tcpMaxBufferedPagesTotal: 4096
tcpMaxBufferedPagesPerConn: 64
udpMaxStreams: 4096

# 指定的 geoip/geosite 档案路径
# 如果未设置,将自动从 https://github.com/Loyalsoldier/v2ray-rules-dat 下载
# geo:
# geoip: geoip.dat
# geosite: geosite.dat
```

### 样例规则

[解析器属性](analyzers.md)

规则的语法请参考 [Expr Language Definition](https://expr-lang.org/docs/language-definition)

```yaml
# 每条规则必须至少包含 action 或 log 中的一个。
- name: log horny people
log: true
expr: let sni = string(tls?.req?.sni); sni contains "porn" || sni contains "hentai"

- name: block v2ex http
action: block
expr: string(http?.req?.headers?.host) endsWith "v2ex.com"

- name: block v2ex https
action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com"

- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"

- name: block and log shadowsocks
action: block
log: true
expr: fet != nil && fet.yes

- name: block trojan
action: block
expr: trojan != nil && trojan.yes

- name: v2ex dns poisoning
action: modify
modifier:
name: dns
args:
a: "0.0.0.0"
aaaa: "::"
expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})

- name: block google socks
action: block
expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80

- name: block wireguard by handshake response
action: drop
expr: wireguard?.handshake_response?.receiver_index_matched == true

- name: block bilibili geosite
action: block
expr: geosite(string(tls?.req?.sni), "bilibili")

- name: block CN geoip
action: block
expr: geoip(string(ip.dst), "cn")

- name: block cidr
action: block
expr: cidr(string(ip.dst), "192.168.0.0/16")
```
#### 支持的 action
| 动作 | TCP | UDP |
| -------- | ---------------------------- | -------------------------------------------------------------- |
| `allow` | 放行连接,不再处理后续的包。 | 放行连接,不再处理后续的包。 |
| `block` | 阻断连接,不再处理后续的包。 | 阻断连接,不再处理后续的包。 |
| `drop` | 效果同 `block`。 | 丢弃触发规则的包,但继续处理同一流中的后续包。 |
| `modify` | 效果同 `allow`。 | 用指定的修改器修改触发规则的包,然后继续处理同一流中的后续包。 |
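Review bot: this hunk removes the Chinese rule examples and the `action` table from build-run.zh.md, but the only new rules page in this diff is the English docs/docs/rules.md. If a translated counterpart is not among the changed files not shown on this page, Chinese readers lose the rule syntax and action semantics entirely; either add a rules.zh.md in the same commit or keep this section until the translation exists.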
120 changes: 120 additions & 0 deletions docs/docs/rules.md
@@ -0,0 +1,120 @@
---
title: Rules
---

The rule file is a collection of rules used to define what actions to take on matched connections. The format of a rule is as follows:

```yaml
- name: block v2ex https
action: block
log: true
expr: string(tls?.req?.sni) endsWith "v2ex.com"
```
Where `name` is the name of the rule, `action` is the action to take, `log` is whether to print logs, and `expr` is the matching expression. **A rule must have at least one of `action` or `log` field set.**

The expression uses the [Expr language](https://expr-lang.org/), please refer to its [language definition](https://expr-lang.org/docs/language-definition) for syntax.

The data available for matching comes from analyzers, please refer to the [analyzer documentation](analyzers.md).

### Supported actions

| Action | TCP | UDP |
| -------- | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| `allow` | Allow the connection, no further processing. | Allow the connection, no further processing. |
| `block` | Block the connection, no further processing. | Block the connection, no further processing. |
| `drop` | Same as `block`. | Drop the packet that triggered the rule, continue processing future packets in the same flow. |
| `modify` | Same as `allow`. | Modify the packet that triggered the rule using the given modifier, continue processing future packets in the same flow. |

### Rule examples

#### Log connections with specific keywords in SNI

```yaml
- name: log horny people
log: true
expr: let sni = string(tls?.req?.sni); sni contains "porn" || sni contains "hentai"
```

#### Block HTTP/HTTPS/QUIC connections to v2ex.com

```yaml
- name: block v2ex http
action: block
expr: string(http?.req?.headers?.host) endsWith "v2ex.com"
- name: block v2ex https
action: block
expr: string(tls?.req?.sni) endsWith "v2ex.com"
- name: block v2ex quic
action: block
expr: string(quic?.req?.sni) endsWith "v2ex.com"
```

#### Block and log Shadowsocks, VMess, Trojan connections

```yaml
- name: block shadowsocks and vmess
action: block
log: true
expr: fet != nil && fet.yes
- name: block trojan
action: block
log: true
expr: trojan != nil && trojan.yes
```

#### DNS poison v2ex.com to 0.0.0.0 and ::

```yaml
- name: v2ex dns poisoning
action: modify
modifier:
name: dns
args:
a: "0.0.0.0"
aaaa: "::"
expr: dns != nil && dns.qr && any(dns.questions, {.name endsWith "v2ex.com"})
```

#### Block SOCKS proxy access to google.com:80

```yaml
- name: block google socks
action: block
expr: string(socks?.req?.addr) endsWith "google.com" && socks?.req?.port == 80
```

#### Block WireGuard by handshake response

```yaml
- name: block wireguard by handshake response
action: drop
expr: wireguard?.handshake_response?.receiver_index_matched == true
```

#### Block all bilibili domains using GeoSite

```yaml
- name: block bilibili geosite
action: block
expr: geosite(string(tls?.req?.sni), "bilibili")
```

#### Block all connections to China using GeoIP

```yaml
- name: block CN geoip
action: block
expr: geoip(string(ip.dst), "cn")
```

#### Block all connections to a specific CIDR range

```yaml
- name: block cidr
action: block
expr: cidr(string(ip.dst), "192.168.0.0/16")
```
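Review bot: the rule format paragraph says a rule must have at least one of `action` or `log` set, but the page never states what happens to a connection when only `log` is set, as in the "log horny people" example; readers will reasonably ask whether the connection is allowed and whether later rules are still evaluated. Add one sentence after the bolded requirement stating the default behaviour for a log-only match. Minor in the same paragraph: "at least one of `action` or `log` field set" should read "fields set", and a blank line is missing between the closing fence and "Where `name` is the name of the rule".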