On Tue, Sep 18, 2012 at 6:04 AM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>
> On Monday 2012-09-17 17:21, aft wrote:
>>
>>1) it encrypts UDP traffic.
>>2) it adds false bytes (padding).
>>
>>Its purpose is to escape smarter DPIs which block certain kinds of
>>packets by several heuristic methods.
>
> But then why not use IPsec (udpencap), OpenVPN, or something?
> After all, you do already need a cooperating peer to decrypt
> your traffic, and hence might as well pick a _standardized_ solution.
>

The client does not support IPsec.

> If all you want is evading some DPI gateways, I guess even the
> lowly XOR non-encryption scheme will sufficiently work.
>

XOR used to work, but DPIs recently started detecting XORed packets.

>>+static struct xt_target obsf_tg_reg[] __read_mostly = {
>>+ {
>>+ .name = "OBSF",
>>+ .family = NFPROTO_UNSPEC,
>>+ .target = obsf_tg,
>>+ .checkentry = obsf_tg_check,
>>+ .targetsize = sizeof(struct xt_OBSF_tginfo),
>>+ .me = THIS_MODULE,
>>+ },
>>+ {
>>+ .name = "OBSF",
>>+ .revision = 1,
>>+ .family = NFPROTO_UNSPEC,
>>+ .target = obsf_tg_v1,
>>+ .targetsize = sizeof(struct xt_OBSF_tginfo_v1),
>>+ .checkentry = obsf_tg_check_v1,
>>+ .me = THIS_MODULE,
>>+ },
>>+};
>
> There is no need to use two revisions.
>

Well, I thought there are times when you will not inject false bytes; just encryption will suffice. That's why I've made two versions. When to make two versions is not really clear to me. My idea was that one feature will always be available, and another feature will be available on demand, so better to divide it into two versions. I will change it and post the patch.

Cheers.

--
-aft
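
Review bot: The second entry of obsf_tg_reg[] (.revision = 1, with obsf_tg_v1, obsf_tg_check_v1 and struct xt_OBSF_tginfo_v1) uses a target revision to switch an optional feature on, going by the explanation in the reply, whereas revisions exist to version the info structure shared with userspace. A single entry whose xt_OBSF_tginfo carries a flag for the padding would cover both cases and leave one target function and one checkentry to maintain. Both entries also set .family = NFPROTO_UNSPEC although the target is described as acting on UDP traffic, so the checkentry functions, which are not visible in this hunk, should reject rules that are not restricted to UDP. As a style point, the two initializers list .checkentry and .targetsize in a different order; using the same field order in both makes them easier to compare.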