luainkernel/snihook

Snihook

Snihook is a kernel script that uses the lunatik netfilter library to filter TLS packets. It drops any TLS handshake packet forwarded on a bridge whose SNI does not match the whitelist provided by the user. The whitelist is populated by writing to /dev/sni_whitelist.

Installation

We assume a Debian system. Adapt to your case.

Install lunatik.

Install MoonScript:

sudo apt install luarocks && sudo luarocks install moonscript  # build dependency

Install ipparse:

git clone https://github.com/luainkernel/moontastik
cd moontastik/ipparse
make && sudo make install
cd -

Install snihook:

git clone https://github.com/luainkernel/snihook
cd snihook
sudo make install      # installs Lua files to module directory

Choose between XDP mode and netfilter mode. Both may be used at the same time, but doing so is redundant. XDP mode is faster, but requires loading a helper.

XDP mode

Set xdp = true in /lib/modules/lua/snihook/config.lua, and compile xdp.o:

make xdp.o

Netfilter mode

Set netfilter = true in /lib/modules/lua/snihook/config.lua.

Usage

sudo lunatik spawn snihook/main                      # runs the Lua kernel script
sudo xdp-loader load -m skb eth0 xdp.o               # if using XDP; replace eth0 with your interface
echo "add github.com" | sudo tee /dev/sni_whitelist  # opens access to https://github.com (and subdomains of github.com)
echo "del github.com" | sudo tee /dev/sni_whitelist  # removes access to https://github.com (and subdomains not open otherwise)
sudo xdp-loader unload eth0 --all                    # unloads the XDP helper
sudo lunatik stop snihook/main                       # stops the Lua kernel script

Note: By default, domains that are not on the whitelist are only logged (journalctl -t kernel -g sniblock), not blocked. To actually block them, set activate = true in /lib/modules/lua/snihook/config.lua.
