[tor-commits] [brdgrd/master] Removed markdown format and lengthy iptables script and updated OpenPGP fingerprint.
phw at torproject.org
Mon Oct 8 22:12:13 UTC 2012
commit 19dbaa3dded6233f1e224f03c24c463fbcb253f6
Author: Philipp Winter <identity.function at gmail.com>
Date: Tue Oct 9 00:11:32 2012 +0200
Removed markdown format and lengthy iptables script and updated OpenPGP fingerprint.
---
README.md | 74 ++++++++++++++++++------------------------------------------
1 files changed, 22 insertions(+), 52 deletions(-)
diff --git a/README.md b/README.md
index 1e5cbf7..67c64e6 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,18 @@
brdgrd (Bridge Guard)
-===
-brdgrd is short for ``bridge guard'': A program which is meant to protect
-[Tor](https://www.torproject.org) bridges from being *scanned* (and as a result
-*blocked*) by the Great Firewall of China [1,2].
+brdgrd is short for ``bridge guard'': A program which is meant to protect Tor
+bridges from being scanned (and as a result blocked) by the Great Firewall of
+China [1,2].
-The program runs in user space and makes use of
-[libnetfilter_queue](http://www.netfilter.org/projects/libnetfilter_queue/index.html)
-(and hence only runs on Linux) to get packets passed from kernel to user space.
-Only TCP *SYN/ACK* segments have to be passed to user space. Brdgrd is only
-interested in TCP handshakes and not in established TCP connections. Once a TCP
-connection is established, brdgrd does not interfere with it. Hence, there are
-virtually no performance implications.
+The program runs in user space and makes use of libnetfilter_queue (and hence
+only runs on Linux) to get packets passed from kernel to user space. Only TCP
+SYN/ACK segments have to be passed to user space. Brdgrd is only interested in
+TCP handshakes and not in established TCP connections. Once a TCP connection is
+established, brdgrd does not interfere with it. Hence, there are virtually no
+performance implications.
Brdgrd basically intercepts the SYN/ACK sent by the bridge to the client and
-*rewrites* the TCP window size which is announced by the bridge. The window size
+rewrites the TCP window size which is announced by the bridge. The window size
is rewritten to a smaller, randomly chosen value. That way, the client
``fragments'' the cipher list inside the TLS client hello. The GFC will not
recognize the cipher list (it does not seem to conduct TCP stream reassembly at
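Review bot: stripping the markdown from the first two paragraphs also drops the only pointer to the library the build depends on, http://www.netfilter.org/projects/libnetfilter_queue/index.html, while [1] and [2] at the end of the file are kept as bare URLs; keep the libnetfilter_queue URL the same way, e.g. "makes use of libnetfilter_queue (http://www.netfilter.org/projects/libnetfilter_queue/index.html)". Note also that the file is still named README.md, so renderers will keep treating it as markdown; if plain text is the intent, rename it to README in the same change.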
@@ -23,47 +21,19 @@ this point) and as a result will not scan the bridge.
Brdgrd needs iptables rules to feed it with data. The following script passes
all Tor-related SYN/ACKs to brdgrd:
- iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $TORPORT -j NFQUEUE --queue-num 0
+iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $TORPORT -j NFQUEUE --queue-num 0
-If you only want to deal with connections coming from Chinese networks, you can
-use the following script which makes use of ipset (thanks to murb):
+Afterwards, you can compile brdgrd by typing ``make'' and start it by typing
+``sudo ./brdgrd''. Keep in mind that the above iptables rule tries to push
+SYN/ACKs to userspace. If brdgrd is not running, new connections can not be
+handled by Tor since there is no userspace program to process the data.
- #!/bin/bash
- # set the port to your needs
- TORPORT=443
-
- # download latest APNIC data for Chinese networks
- if [ ! -e delegated-apnic-latest ]; then
- wget http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
- fi
- # parse data (the tool 'aggregate' is needed)
- CN=`cat delegated-apnic-latest |
- awk -F\| '/^apnic\|CN\|ipv4\|/ { print $4"/" 32-log($5)/log(2) }' |
- aggregate -q -`
- RETVAL=$?
- [ $RETVAL -eq 0 ] && echo "Successfully parsed chinese network list."
- [ $RETVAL -ne 0 ] && (echo "Failure in parsing chinese network list." ; exit)
-
- ipset create china hash:net hashsize 4096
-
- for NET in $CN; do
- ipset add china $NET
- done
- iptables -N CHINA
- iptables -A CHINA -p tcp --tcp-flags SYN,ACK SYN,ACK --sport $TORPORT -j NFQUEUE --queue-num 1
- iptables -A OUTPUT -m set --match-set china dst -j CHINA
+It is possible to set the CAP_NET_ADMIN capability for the brdgrd executable so
+that you do not need root privileges to run the binary:
+``sudo setcap cap_net_admin=ep ./brdgrd''.
-Afterwards, you can compile brdgrd by typing `make` and start it by typing
-`sudo ./brdgrd`. Keep in mind that the above iptables rules try to push
-SYN/ACKs to userspace. If brdgrd is not running, new (Chinese) connections can
-not be handled by Tor since there is no userspace program to process the data.
+Please send patches, suggestions and comments to phw at torproject.org.
+My OpenPGP fingerprint is: B369 E7A2 18FE CEAD EB96 8C73 CF70 89E3 D7FD C0D0
-It is possible to set the *CAP_NET_ADMIN* capability for the brdgrd executable
-so that you do not need root privileges to run the binary: `sudo setcap
-cap_net_admin=ep ./brdgrd`.
-
-Please send patches, suggestions and comments to philipp.winter at kau.se
-My GnuPG fingerprint is: `2A9F 5FBF 714D 42A9 F82C 0FEB 268C D15D 2D08 1E16`
-
-[1] [https://gist.github.com/da3c7a9af01d74cd7de7](https://gist.github.com/da3c7a9af01d74cd7de7)
-[2] [http://www.cs.kau.se/philwint/static/gfc/](http://www.cs.kau.se/philwint/static/gfc/)
+[1] https://gist.github.com/da3c7a9af01d74cd7de7
+[2] http://www.cs.kau.se/philwint/static/gfc/
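Review bot: the remaining iptables rule uses $TORPORT, but the only place it was defined ("# set the port to your needs" / "TORPORT=443") is in the deleted ipset script, so the new text should say that TORPORT must be set to the bridge's ORPort before the rule is applied. The new paragraph below the rule correctly states that queued SYN/ACKs go unhandled when brdgrd is not running, i.e. the bridge fails closed; it would help to state that this is deliberate and to mention the alternative, NFQUEUE's --queue-bypass option, which lets the SYN/ACKs through unmodified when no program is attached and so keeps the bridge reachable but unprotected.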