Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

一个轻量级的防止 TCP RST 的实现 #329

Closed
LGA1150 opened this issue Mar 30, 2019 · 7 comments
Closed

一个轻量级的防止 TCP RST 的实现 #329

LGA1150 opened this issue Mar 30, 2019 · 7 comments
Labels
Meta

Comments

@LGA1150
Copy link

LGA1150 commented Mar 30, 2019

netfilter-spooftcp
这是我去年开始写的一个 Linux 内核模块,原本是想替换 SNI,之后发现会导致 TLS 握手失败,于是想到了更底层的方法
原理来自 INTANG
纯内核态,占用小,4M ROM+32M RAM 路由器都可以轻松运行起来
支持 IPv4 和 IPv6

root@OpenWrt:~# lsmod |grep ^xt_SPOOFTCP
xt_SPOOFTCP             3664  3

规则配置好后,除非网络环境改变(包括墙升级、更换 ISP 等),可以说是一劳永逸

在 NAT 网关运行要给内核打补丁以加入 raw 表 POSTROUTING 链,重新编译内核;在客户端或在非 NAT 的路由器上则不用
@GoogleHostsSupport
Copy link
Member

这边建议您前往 #87#131 进行讨论呢。
由于您的 issue 内容与本项目并非直接相关,因此这边暂时先 close 处理,敬请谅解~

@beyondgfw
Copy link
Member

@LGA1150 0.0想法挺好的欸给你点赞~

@beyondgfw
Copy link
Member

@GoogleHostsSupport 有关的啦x哪里无关啦

@beyondgfw
Copy link
Member

@LGA1150 不过曾经我也想过类似的方法 那个时候我自己的测试在一些地区没有成功(均为非NAT网关环境),待我多测试一下

@kotori2
Copy link

kotori2 commented Apr 1, 2019

@LGA1150 貌似这个对于教育网v6用处不是很大吧,毕竟封IP直接黑洞

@beyondgfw
Copy link
Member

@kotori2 嘛 部分v6 ip的路由并非显式路由 无法被单纯的黑洞路由

@beyondgfw
Copy link
Member

@beyondgfw 曾经也有人提到过类似的拼包的方案,我都做过一定测试,并非所有情况都不对后续的数据包进行检测,所以 这也差不多是一个治根不治本的方案,但是想法值得赞同,并且暂时也应该在部分区域可用

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Meta
Milestone
No milestone
Development

No branches or pull requests
4 participants
@LGA1150 @kotori2 @beyondgfw @GoogleHostsSupport