Feature request: TLS SNI match - classify traffic based on TLS hostnames

Hello,
There exists an iptables extension called xt_tls - https://github.com/Lochnair/xt_tls - that can look into the TLS SNI field
and classify traffic based on the TLS hostnames present in the TLS handshake phase.

It would be much more efficient and resource friendly than general L7 protocol regex matching.

Usage: QoS, filtering and others.

Example usage (example written using iptables syntax):

# match the SNI in the ClientHello and set a packet mark (mangle table, PREROUTING chain)
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m tls --tls-host "*.facebook.com" -j MARK --set-mark 123
iptables -t mangle -A PREROUTING -p tcp --dport 443 -m tls --tls-host "*.googlevideo.com" -j MARK --set-mark 456

Could you please include / build it into the following versions of RouterOS?
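The matcher described above has two parts: pulling the host_name out of the ClientHello's SNI extension, and comparing it against a "*.example.com" style pattern. The Python below is an added example written for this thread, not code from xt_tls or RouterOS. It constructs its own sample ClientHello, bounds-checks every length field the way a packet matcher must (a short or lying length yields "no match", never an out-of-range read), and maps matching hosts to the mark values 123 and 456 from the post. The wildcard semantics (a leading "*." requires at least one extra label; anything else must match exactly) are this example's assumption.

```python
import struct

# Constructed rule table mirroring the two --tls-host lines in the post: (pattern, mark).
RULES = [("*.facebook.com", 123), ("*.googlevideo.com", 456)]


class Malformed(Exception):
    """Raised when a length field points past the data we actually have."""


def _u8(buf: bytes, off: int) -> int:
    if off >= len(buf):
        raise Malformed("byte past end")
    return buf[off]


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise Malformed("u16 past end")
    return struct.unpack("!H", buf[off:off + 2])[0]


def _slice(buf: bytes, off: int, n: int) -> bytes:
    if off + n > len(buf):
        raise Malformed("length field exceeds buffer")
    return buf[off:off + n]


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension (constructed sample input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name              # name_type host_name(0), len, name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                # client_version TLS 1.2, 32-byte random (zeros here)
        + b"\x00"                              # session_id: empty
        + b"\x00\x02\xc0\x2f"                  # cipher_suites: one suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def _parse_sni(record: bytes):
    if _u8(record, 0) != 0x16:
        return None                                   # not a handshake record
    hs = _slice(record, 5, _u16(record, 3))
    if _u8(hs, 0) != 0x01:
        return None                                   # not a ClientHello
    body = _slice(hs, 4, int.from_bytes(_slice(hs, 1, 3), "big"))
    pos = 2 + 32                                      # skip client_version + random
    pos += 1 + _u8(body, pos)                         # skip session_id
    pos += 2 + _u16(body, pos)                        # skip cipher_suites
    pos += 1 + _u8(body, pos)                         # skip compression_methods
    exts = _slice(body, pos + 2, _u16(body, pos))
    pos = 0
    while pos + 4 <= len(exts):                       # walk the extension list
        etype, elen = _u16(exts, pos), _u16(exts, pos + 2)
        ext = _slice(exts, pos + 4, elen)
        pos += 4 + elen
        if etype != 0x0000:
            continue                                  # not server_name
        names = _slice(ext, 2, _u16(ext, 0))          # ServerNameList
        lpos = 0
        while lpos + 3 <= len(names):
            ntype, nlen = _u8(names, lpos), _u16(names, lpos + 1)
            name = _slice(names, lpos + 3, nlen)
            lpos += 3 + nlen
            if ntype == 0:                            # host_name
                return name.decode("ascii")
    return None


def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None if absent, truncated or malformed."""
    try:
        return _parse_sni(record)
    except (Malformed, UnicodeDecodeError):
        return None


def host_matches(pattern: str, host: str) -> bool:
    """Wildcard rule (this example's assumption, not xt_tls/RouterOS semantics): a leading '*.'
    matches any host with at least one extra label before the suffix; otherwise exact match,
    case-insensitive."""
    pattern, host = pattern.lower(), host.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # "*.facebook.com" -> ".facebook.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def classify(record: bytes, rules=RULES):
    """Return the mark of the first rule whose pattern matches the SNI, or None (no mark)."""
    host = extract_sni(record)
    if host is None:
        return None
    for pattern, mark in rules:
        if host_matches(pattern, host):
            return mark
    return None
```

Two properties of the real matcher follow directly from this logic. The SNI is present only in the ClientHello, i.e. the first payload packet of a connection, so a rule like the ones in the post marks that single packet; carrying the decision to the rest of the flow is a job for a connection mark. And the field is readable only because it is sent in the clear; a ClientHello split across TCP segments is treated here as malformed (no match), and a TLS 1.3 Encrypted ClientHello leaves nothing for this kind of matcher to read.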

This would be great for traffic classification and also solve a lot of the “How do I block this HTTPS site” posts we see quite often.

What’s new in 6.41rc:

*) firewall - added “tls-host” firewall matcher;