
HTTP dynamic domain matching module? #34

Closed
elico opened this issue Feb 18, 2018 · 10 comments

Comments

@elico

elico commented Feb 18, 2018

I have seen this nice project:
https://github.com/Lochnair/xt_tls

Which actually is based on this project code.
I was wondering if it would be possible to either create or extend the current http/1.x module to be able to match more than just that, but also a dynamic domain, such as "rule --domain x.y.net -j DROP".

@vel21ripn
Owner

I do not quite understand what you want to get in the end.
In version 1.7 this will most likely not be done, but in the "2.+" branch it probably makes sense to add a comparison for the domain name.

iptables .... -m ndpi --https --http-host .google.com ...

@elico
Author

elico commented Feb 18, 2018

@vel21ripn I am not talking about https but about plain http (1.x), such as:

iptables .... -m ndpi --http --http-host .google.com ...
iptables .... -m ndpi --http --http-host .google.com ...
iptables .... -m ndpi --http --http-host test.
.google.com ...

Which basically will make admins' lives easier in general when handling a strict http/https access policy, without going to the depth of a full http proxy installation.
It will also make iptables more modular than it is now.

The dream would be to be able to send something like the src ip and the current destination domain to some local in-RAM filtering DB, and the response would decide if the connection is allowed or not, but it's a dream and requires someone to put some cash on it.

From what I remember, suricata-ids has such a feature, but it was so complex for me to install and configure that I left it and continued to work with a custom tproxy.

@vel21ripn
Owner

I solved common problems with migration to dev-2.3, now I can try to add this functionality.

@k0ste

k0ste commented Apr 4, 2018

I think that for this feature the best functionality is 'sets', like:

# create set
iptables -t mangle -A POSTROUTING -m ndpi --http-domain --set name0 -j DROP
iptables -t mangle -A PREROUTING -m ndpi --http-domain --set name0 -j DROP
# add domain
echo +google.com > /proc/net/ndpi_http_domain/name0
# delete domain
echo -google.com > /proc/net/ndpi_http_domain/name0
# add multiple domain
echo +google.com,google.co.jp > /proc/net/ndpi_http_domain/name0

This is just a copy-paste: this functionality was already implemented in aabc/ipt-ratelimit.

@vel21ripn
Owner

@k0ste No! "nDPI" already has a comparison for domains. You need to add the ability to override it without recompiling. It works with the ssl, http and dns protocols.

@k0ste

k0ste commented Apr 5, 2018

Why this:

# Big list in mangle
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.com -j DROP
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.cz -j DROP
iptables -t mangle -A PREROUTING -m ndpi --domain --match google.cn -j DROP

Better than this:

# one rule
iptables -t mangle -A PREROUTING -m ndpi --domain --set name0 -j DROP
# one management set
echo +google.com,google.cz,google.cn > /proc/net/ndpi_http_domain/name0

The case: I need to filter 3 different clients:

  • the first client has 500 domains in its list;
  • the 2nd: 3500 domains;
  • the 3rd: 1000 domains.

All domains are different.

@vel21ripn
Owner

All this is already in nDPI. You need to add an interface to load the list of domains.

@vel21ripn
Owner

See 16d3ab3
I have not tested long domain name lists.
Theoretically, the list of hosts can be changed during work, but I have not tried to do so yet. Rebuilding the search tree is a rather lengthy task.

@vel21ripn
Owner

I changed the procedure for loading hostnames. Theoretically, there are no restrictions on the number of host names. Updates take place atomically.

@vel21ripn
Owner

Commit 0b5ec1e fixed a critical error.
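As an added illustration of the two points the thread converges on (a host list compiled into a search tree, and a list update that replaces that tree atomically so lookups never observe a half-built one), here is a userspace model in Python. It is example code written for this page, not code from ndpi-netfilter or from any participant, and it assumes a matching semantics the thread never pins down: an entry with a leading dot, such as ".google.com", covers that domain and every subdomain, while an entry without one, such as "example.org", covers only that exact host. The class and function names, the sample HTTP request and the host lists are all constructed for the example.

```python
import threading

# Assumed semantics (the thread does not specify them): a leading dot means
# "this domain and all subdomains"; no leading dot means "this exact host only".
# Lines starting with '#' are comments. Comparison is case-insensitive and a
# trailing dot on a name is ignored.


class HostMatcher:
    """Host-name list compiled into a trie keyed by reversed DNS labels."""

    TERM = "$"  # marker key in a node: True = suffix entry, False = exact-host entry

    def __init__(self, entries=()):
        self._root = self._build(entries)
        self._lock = threading.Lock()  # serializes writers only; lookups take no lock

    @staticmethod
    def _labels(name):
        name = name.strip().lower().rstrip(".")
        return name.split(".")[::-1] if name else []

    @classmethod
    def _build(cls, entries):
        root = {}
        for raw in entries:
            raw = raw.strip().lower()
            if not raw or raw.startswith("#"):
                continue
            suffix = raw.startswith(".")
            labels = cls._labels(raw.lstrip("."))
            if not labels:  # a bare "." would otherwise become a match-everything root
                continue
            node = root
            for label in labels:
                node = node.setdefault(label, {})
            # a suffix entry must not be downgraded by a later exact entry for the same name
            node[cls.TERM] = suffix or node.get(cls.TERM, False)
        return root

    def match(self, host):
        """True if host is covered by the list; walks one consistent snapshot of the tree."""
        node = self._root
        labels = self._labels(host)
        for i, label in enumerate(labels):
            node = node.get(label)
            if node is None:
                return False
            if self.TERM in node:
                # suffix entry: any remaining labels are subdomains and still match;
                # exact entry: match only when no labels remain
                if node[self.TERM] or i == len(labels) - 1:
                    return True
        return False

    def replace(self, entries):
        """Rebuild the whole tree off to the side, then publish it with one reference swap.

        The expensive part (building) runs while the old tree still serves lookups;
        a reader sees either the complete old tree or the complete new one, never a
        half-built one. Under CPython the attribute assignment is atomic.
        """
        new_root = self._build(entries)
        with self._lock:
            self._root = new_root


def host_from_http_request(raw):
    """Extract the Host header of a plain HTTP/1.x request (bytes), port stripped.

    Returns None when there is no Host header. Only the first Host header is used;
    RFC 7230 requires a server to reject a request carrying more than one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower().rstrip(".")
            if host.count(":") == 1:  # "name:port"; bracketed IPv6 literals have more colons
                host = host.rsplit(":", 1)[0]
            return host
    return None


# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = (
    b"GET /search?q=test HTTP/1.1\r\n"
    b"Host: Mail.Google.COM:8080\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)


def demo():
    """Match the sample request before and after a live list update."""
    matcher = HostMatcher([".google.com", "example.org"])
    host = host_from_http_request(SAMPLE_REQUEST)
    before = matcher.match(host)      # mail.google.com is under .google.com
    matcher.replace(["example.org"])  # drop the suffix entry with one atomic swap
    after = matcher.match(host)
    return before, after


if __name__ == "__main__":
    print(host_from_http_request(SAMPLE_REQUEST), demo())
```

The rebuild-then-swap shape is the userspace counterpart of what the maintainer describes above: rebuilding the search tree is the slow step, so it is done on a private copy while the live tree keeps answering, and the only shared write is the final pointer swap. When applying this to the real module, take the option names and the list-loading path from its own documentation rather than from the syntax sketched in the thread, which was a proposal, not the shipped interface.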
