Build & Run

Build

export CGO_ENABLED=0
go build

Run

export OPENGFW_LOG_LEVEL=debug
./OpenGFW -c config.yaml rules.yaml

Where config.yaml is the config file and rules.yaml is the rules file.

pcap file replay mode

./OpenGFW -p your.pcap -c config.yaml rules.yaml

In pcap mode, none of the actions in the rules have any effect. This mode is mainly for debugging.

OpenWrt

OpenGFW has been tested to work on OpenWrt 23.05 (other versions should also work, just not verified).

Install the dependencies:

opkg install nftables kmod-nft-queue kmod-nf-conntrack-netlink

Config example

io:
  queueSize: 1024
  queueNum: 100 nfqueue queue number

  table: opengfw nftables table name

  connMarkAccept: 1001 connmark value for accepted connections

  connMarkDrop: 1002 connmark value for dropped connections

  rcvBuf: 4194304
  sndBuf: 4194304
  local: true Set to false if you want to run OpenGFW on FORWARD chain (e.g. on a router)

  rst: false Set to true if you want to send RST for blocked TCP connections, local=false only


workers:
  count: 4 Recommended to be no more than the number of CPU cores

  queueSize: 64
  tcpMaxBufferedPagesTotal: 65536
  tcpMaxBufferedPagesPerConn: 16
  tcpTimeout: 10m How long a connection is considered dead when no data is being transferred. Dead connections are purged from TCP reassembly pools once per minute.

  udpMaxStreams: 4096

# The path to load specific local geoip/geosite db files.
# If not set, they will be automatically downloaded from https://github.com/Loyalsoldier/v2ray-rules-dat
# ruleset:
#   geoip: geoip.dat
#   geosite: geosite.dat

replay:
  realtime: false Set to true if you want to replay the packets in the pcap file in "real time" (instead of as fast as possible)