[proposal] Introduce Network Layer Analyzer

[KujouRinka]

I read some source code and found analyzer based on network layer has yet to be implemented. Is there consideration for making it happen?

[tobyxdd]

You mean analyzers that work at the IP layer? Is there any real use for that (e.g. any protocol that needs it?)

[KujouRinka]

Yes. Some applications connect to fixed IP addresses for communication instead of domain (e.g. telegram, QQ, etc.). Supporting this may make block these ones easily. Furthermore, there's also possibility that pass IP address to upper analyzers, combining them together for more precise traffic marking (e.g A request with non-mainland IP but followed with such as baidu.com http/https header could be suspected to be obfuscated traffic).

[tobyxdd]

Analyzers only provide props for rules, they don't make verdict themselves. Also, there are already built-in props that pass information like ip/port to expressions: https://github.com/apernet/OpenGFW/blob/master/ruleset/expr.go#L145

[tobyxdd]

Basically you can have rules like geoip(ip.dst) != "cn" && tls != nil && tls.req.sni == "baidu.com"

Although geoip function doesn't exist at the moment. Definitely something we should offer in the future.

[KujouRinka]

Thanks for your answer. I apologize for not reading the source code carefully.