On 3/11/24 21:56, Tim Lewis wrote:
May we have an example of Server Name Indication (SNI) filtering on the nftables wiki? When using an environment without the variable position support of iptables string match, an example, maybe using eBPF, for SNI filtering with nftables would be helpful.
Is that even possible with stock nftables? FWIW I tried xt_tls module with iptables (https://github.com/Lochnair/xt_tls). The original filter rule shows up as such

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27 15363 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 TLS match host some-domain.com

while the resulting nftables filter rule shows up as such

table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		meta l4proto tcp tcp dport 443 # TLS match host some-domain.com counter packets 10 bytes 5690 drop
	}
}

but that's just firewalling. For interception, it doesn't work (https://github.com/Lochnair/xt_tls/issues/35).

-- 
Pierre-Philipp Braun
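To make concrete what the thread is asking for, here is an added example (not code from the netfilter project, the nftables wiki, or xt_tls) that does the work an SNI filter has to do: walk a TLS ClientHello, locate the server_name extension, and decide accept or drop against a hostname set. It also shows why a fixed-offset payload match cannot do this: the SNI's byte position moves with the length of the session ID, cipher-suite list and preceding extensions. The ClientHello records are constructed in-script for the demonstration; `build_client_hello`, `extract_sni` and `sni_verdict` are names chosen here, not part of any named tool.

```python
"""
Added example (not from the netfilter thread or xt_tls): parse the TLS
ClientHello server_name extension the way an SNI-aware egress filter must,
and show that its offset is not fixed. All sample records are constructed.
"""
import struct


def build_client_hello(hostname, session_id=b""):
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension (sample data only; one cipher suite, zeroed random)."""
    host = hostname.encode("ascii")
    # ServerNameList entry: name_type host_name(0), 2-byte length, name
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    # extension: type server_name(0), extension length, list length, list
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(32)                                  # random (zeros, constructed)
        + bytes([len(session_id)]) + session_id      # legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: one suite
        + b"\x01\x00"                                # compression_methods: null
        + extensions
    )
    # Handshake header: type client_hello(1) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # TLS record header: ContentType handshake(22), version, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return (hostname, byte offset of the hostname) or (None, None) when the
    record is not a complete ClientHello carrying server_name. Every
    variable-length field is skipped explicitly, which is exactly what a
    fixed-offset raw payload match cannot express."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None, None
        rec_len = struct.unpack("!H", record[3:5])[0]
        if len(record) < 5 + rec_len:
            return None, None                 # truncated / split across segments
        p = 5
        if record[p] != 0x01:
            return None, None                 # not a ClientHello
        p += 4                                # handshake type + 24-bit length
        p += 2 + 32                           # client_version + random
        sid_len = record[p]
        p += 1 + sid_len                      # variable: session id
        cs_len = struct.unpack("!H", record[p:p + 2])[0]
        p += 2 + cs_len                       # variable: cipher suites
        cm_len = record[p]
        p += 1 + cm_len                       # variable: compression methods
        if p + 2 > 5 + rec_len:
            return None, None                 # no extensions block
        ext_total = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        end = p + ext_total
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0x0000:
                q = p + 2                     # skip ServerNameList length
                while q + 3 <= p + ext_len:
                    name_type = record[q]
                    name_len = struct.unpack("!H", record[q + 1:q + 3])[0]
                    if name_type == 0:
                        name = record[q + 3:q + 3 + name_len]
                        return name.decode("ascii", "replace"), q + 3
                    q += 3 + name_len
            p += ext_len                      # variable: other extensions
        return None, None
    except (struct.error, IndexError):
        return None, None                     # malformed record: no SNI


def sni_verdict(record, blocked):
    """Policy decision an SNI-aware egress filter would make for one record."""
    host, _ = extract_sni(record)
    if host is None:
        return "accept"                       # not a parsable ClientHello; other rules decide
    return "drop" if host.lower() in blocked else "accept"


if __name__ == "__main__":
    for sid in (b"", bytes(32)):
        hello = build_client_hello("some-domain.com", sid)
        print(len(sid), "byte session id -> SNI at offset", extract_sni(hello)[1])
    print(sni_verdict(build_client_hello("some-domain.com"), {"some-domain.com"}))
```

With an empty session ID the hostname starts at byte 61 of the record; with a 32-byte session ID it starts at byte 93, so a rule pinned to one offset misses the other. A matcher for this needs to walk the structure per packet (in a kernel module such as xt_tls, or an eBPF program), and like xt_tls it only sees the SNI when the whole ClientHello arrives in the first segment.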