On Tuesday 2012-09-18 09:46, Aft nix wrote:
>
>On Tue, Sep 18, 2012 at 6:04 AM, Jan Engelhardt <jengelh@xxxxxxx> wrote:
>>
>> On Monday 2012-09-17 17:21, aft wrote:
>>>
>>>1) it encrypts UDP traffic.
>>>2) it adds false bytes (padding).
>>>
>>>Its purpose is to escape smarter DPIs which block certain kinds of
>>>packets by several heuristic methods.
>>
>> But then why not use IPsec (udpencap), OpenVPN, or something?
>> After all, you do already need a cooperating peer to decrypt
>> your traffic, and hence might as well pick a _standardized_ solution.
>
>The client does not support IPsec.

Why would it not? If you can make kernel changes, you can as well
run a simple userspace program.
(Example for a userspace program that does IPsec using tun interface: vpnc.)

>>>+ },
>>>+ {
>>>+ .name = "OBSF",
>>>+ .revision = 1,
>>>+ .family = NFPROTO_UNSPEC,
>>>+ .target = obsf_tg_v1,
>>>+ .targetsize = sizeof(struct xt_OBSF_tginfo_v1),
>>>+ .checkentry = obsf_tg_check_v1,
>>>+ .me = THIS_MODULE,
>>>+ },
>>>+};
>>
>> There is no need to use two revisions.
>
>Well, I thought there are times when you will not inject false bytes,
>just encryption will suffice. That's why I've made
>two versions. When to make two versions is not really clear to me.

A new ABI is needed when the struct you are using to pass options
such as "pad or not" does not suffice to hold your option data any more.
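
Review bot: the revision 1 entry sets .family = NFPROTO_UNSPEC with no .proto, .table or .hooks restriction, so unless obsf_tg_check_v1 rejects such rules, nothing visible in this registration keeps the target from being attached to non-UDP traffic, although the description says it encrypts and pads UDP. Consider restricting it in the registration itself, for example with .proto = IPPROTO_UDP, instead of relying only on the check function. The entry is also a second registration of the same target whose only stated difference is whether padding is injected; a flag field in a single tginfo struct, validated in checkentry so that unknown bits are rejected, would carry that option without a second ABI to maintain.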