Snihook is a kernel script that uses the lunatik netfilter library to filter TLS packets.
This script drops any TLS handshake packet forwarded on a bridge with sni not matching the whitelist provided by the user.
This whitelist is populated by the mean of /dev/sni_whitelist
.
We assume a Debian system. Adapt to your case.
Install lunatik.
Install MoonScript:
sudo apt install luarocks && sudo luarocks install moonscript # build dependency
Install ipparse:
git clone https://github.com/luainkernel/moontastik
cd moontastik/ipparse
make && sudo make install
cd -
Install snihook:
git clone https://github.com/luainkernel/snihook
cd snihook
sudo make install # installs Lua files to module directory
Choose between XDP mode and netfilter mode. Both may be used at the same time, but it's redundant. XDP mode is faster, but needs to load an helper.
Set xdp = true
in /lib/modules/lua/snihook/config.lua
, and compile xdp.o
:
make xdp.o
Set netfilter = true
in /lib/modules/lua/snihook/config.lua
.
sudo lunatik spawn snihook/main # runs the Lua kernel script
sudo xdp-loader load -m skb eth0 xdp.o # if using XDP: replace eth0 by your interface.
echo "add github.com" | sudo tee /dev/sni_whitelist # opens access to https://github.com (and subdomains of github.com)
echo "del github.com" | sudo tee /dev/sni_whitelist # removes access to https://github.com (and subdomains not open otherwise)
sudo xdp-loader unload eth0 --all # unloads the XDP helper
sudo lunatik stop snihook/main # stops the Lua kernel script
Note: By default, unallowed domains will get logged (journalctl -t kernel -g sniblock
), but not blocked.
To effectively block them, set activate = true
in /lib/modules/lua/snihook/config.lua
.