Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add AdGuard's $network support on Firefox #2792

Closed
8 tasks done
Yuki2718 opened this issue Aug 31, 2023 · 18 comments
Closed
8 tasks done

Add AdGuard's $network support on Firefox #2792

Yuki2718 opened this issue Aug 31, 2023 · 18 comments
Labels
enhancement New feature or request fixed issue has been addressed

Comments

@Yuki2718
Copy link

Yuki2718 commented Aug 31, 2023

Prerequisites

  • I verified that this is not a filter list issue. Report any issues with filter lists or broken website functionality in the uAssets issue tracker.
  • This is not a support issue or a question. For support, questions, or help, visit /r/uBlockOrigin.
  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • The issue is not present after disabling uBO in the browser.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.

I tried to reproduce the issue when...

  • uBO is the only extension.
  • uBO uses default lists and settings.
  • using a new, unmodified browser profile.

Description

Documentation: https://adguard.com/kb/general/ad-filtering/create-own-filters/#network-modifier
Related issue: AdguardTeam/tsurlfilter#104

A specific URL where the issue occurs.

https://github.com/AdguardTeam/AdguardFilters/pull/160415/files

Steps to Reproduce

Check the links above

Expected behavior

NA

Actual behavior

NA

uBO version

1.51.0

Browser name and version

Firefox 116.0.3

Operating System and version

Windows 10

@gwarser
Copy link

gwarser commented Aug 31, 2023

Related #1070 (comment)

Well it's possible to block at onHeadersReceived() time and the ip address information is available at this point

Will blocking on response suffice?

@gwarser gwarser added the enhancement New feature or request label Aug 31, 2023
@Yuki2718
Copy link
Author

If can then display strict-blocking page.

@DandelionSprout
Copy link

DandelionSprout commented Oct 25, 2023

Goodness knows how this would be implemented in practice, but $network is fantastic stuff when done right, especially to handle IPs known to host sometimes thousands of malware domains and only 0~2 legitimate domains.

@JobcenterTycoon
Copy link

JobcenterTycoon commented Mar 17, 2024

This would also be useful to block rotating propeller adservers in real time.

We should also be able to add additional modifiers like ||127.0.0.1^$network,script,3p this would allow users to fine control their traffic which can't be setup with a regular firewall.

baddomains

@gorhill
Copy link
Member

gorhill commented Sep 10, 2024

Related commit (forgot to link issue in commit message): gorhill/uBlock@c6dedd2

@JobcenterTycoon
Copy link

Ok i tested on https://woxikon.in/ and the filter *$script,xhr,ipaddress=139.45.197.170 successfully blocked the Propeller request https://sswpawbv.xyz/

@D4niloMR
Copy link

It's possible to ipaddress block document? header too, would be good if possible.

@gorhill
Copy link
Member

gorhill commented Sep 10, 2024

Real use case?

I did look at whether document should be blocked but it turned out to be a bit more work then I expected so I left this out.

@D4niloMR
Copy link

D4niloMR commented Sep 10, 2024

I was thinking about those domains from badware that have a lot of similar domains in the same ip https://viewdns.info/reverseip/?host=m8u9f3.com&t=1, https://viewdns.info/reverseip/?host=172.64.155.33&t=1

Though we would need to be very careful to not block legitimate sites.

@DandelionSprout
Copy link

DandelionSprout commented Sep 10, 2024

I did some testing for 40min tonight in Firefox 130.0 with uBO 1.51.1b17. I don't intend to put immediate pressure on any involved parties, I'm simply listing them.

  • I was (with some difficulty) able to get $ipaddress= to work with IPv6 from as a proof-of-concept. The supported syntax is without square brackets, resulting in *$all,ipaddress=2a00:1450:400f:803::200e. Getting it to work on ipv6.google.com required more than one ping ipv6.google.com in PowerShell to see which IPs the many involved domains had, and getting it to work on IPv6+IPv4 sites (I tested with www.dr.dk) would be more than a little difficult.
  • Although $all is supported as a modifier, which results in e.g. *$all,ipaddress=199.232.42.217, the modifier does not seem to have any additional effects compared to having no additional modifiers.
  • Requests that can be blocked with $ipaddress include script, xhr, image, frame, css, and beacon (I was unable to test with media in this hurry).

"I did look at whether [$doc] should be blocked but it turned out to be a bit more work then I expected so I left this out."
Fair enough.

@gorhill
Copy link
Member

gorhill commented Sep 10, 2024

Somehow I thought Firefox's ip field was using brackets for ipv6, turns out it's not. Will fix.


Fixed in 1.59.1b18

gorhill added a commit to gorhill/uBlock that referenced this issue Sep 12, 2024
This commit makes the DNS resolution code better suited for both
filtering on cname and ip address. The change allows early availability
of ip address so that `ipaddress=` option can be matched at
onBeforeRequest time.

As a result, it is now possible to block root document using
`ipaddress=` option -- so long as an ip address can be extracted
before first onBeforeRequest() call.

Related issue:
uBlockOrigin/uBlock-issues#2792

Caveat
------

the ip address used is the first one among the list of ip
addresses returned by dns.resolve() method. There is no way for uBO
to know which exact ip address will be used by the browser when
sending the request, so this is at most a best guess. The exact IP
address used by the browser is available at onHeadersReceived time,
and uBO will also filter according to this value, but by then the
network request has already been sent to the remote server.

Possibly a future improvement would make available the whole list
of ip addresses to the filtering engine, but even then it's impossible
to know with certainty which ip address will ultimately be used by the
browser -- it is entirely possible that the ip address used by the
browser might not be in the list received through dns.resolve().
@JobcenterTycoon
Copy link

When i open https://720pflix.fit/ it shows the first propeller request as unblocked but i see no requests in the Firefox network logger. After a reload its fine.

requests

@gorhill
Copy link
Member

gorhill commented Sep 16, 2024

It's normal, the first time the IP address is not available in uBO's DNS cache, so the first call to onBeforeRequest() will log a non-matched entry. Once the the DNS resolution occurs, there will be another call to onBeforeRequest but with the IP address available, which will then match your filter. It works like this:

  • OnBeforeRequest
    • IP address available?
      • Yes:
        • Add ip address to request details
        • Perform request matching (log entry)
      • No:
        • Fetch it through an asynchronous DNS query
          • DNS query fulfilled
          • Add ip address to request details
          • Perform request matching (log entry)
        • Perform request matching (log entry)

It's also how matching against cname has been working, there is always two entries in the logger when there is a cname. The logger really reports request matching calls, and there can be more than one. I suppose it would be useful to show at which stage the matching is made so that we know whether there was an actual request reaching the remote server, but there is not much horizontal space for more details in the logger.

@uBlock-user uBlock-user added the fixed issue has been addressed label Oct 11, 2024
@garry-ut99
Copy link

garry-ut99 commented Nov 3, 2024

Having 2 filters with several hundreds of excluded domains (simplified example):

*$doc,domain=~domain1.com|~domain2.org|~domain3.net
  • where the left part is redacted and replaced with * for the purpose of example
  • and the right part was a list of hundreds of excluded domains
  • (and where I provide only two example IPs in below examples as well)

and trying to reduce lenght and complexity of the filters by replacing several hundreds of excluded domains by a small bunch of excluded ipaddress IPs which cover majority of domains (several hundreds of domains are sticked to only several IPs), but it turned out that:

Neither negating nor pipeing works (not sure whether it's unsupported or a bug):

*$doc,ipaddress=~95.216.7.22
*$doc,ipaddress=95.216.7.22|9.9.9.9
*$doc,ipaddress=95.216.7.22|~9.9.9.9
*$doc,ipaddress=~95.216.7.22|~9.9.9.9

Pipeing does work in regex (but sometimes might be a bit cumbersome) but negating works only partially, can't find 100% working regex solution:

*$doc,ipaddress=/^(?!95\.216\.7\.22|9\.9\.9\.9).*$/
*$doc,ipaddress=/^((?!95\.216\.7\.22|9\.9\.9\.9).)*$/
  • the first filter doesn't match 95.216.7.22y where y is any digit, for example 95.216.7.228
  • the second filter even worse: doesn't match x95.216.7.22y where x and/or y is any digit, for example 195.216.7.22 or 95.216.7.221 or 195.216.7.221.

(Firefox)

@gorhill
Copy link
Member

gorhill commented Nov 3, 2024

~ and | is not supported. The value is not validated, so you can enter anything. Only one ipv4 or ipv6 address or regex is valid.

@garry-ut99
Copy link

Good to know, as this information wasn't mentioned anywhere, by the way, would be good to know also:

  • whether the answer means also that the functionality won't be implemented
  • whether there exists a regex solution which can accomplish the task at 100%

(I also assume that possibly the former might depend on the latter)

@gorhill
Copy link
Member

gorhill commented Nov 3, 2024

Negation and multi-address won't be implemented, there is no actual real world use cases for this.

accomplish the task at 100%

What task?

@garry-ut99
Copy link

Not that I'm saying it must be implemented, but just simply replying: they were real use cases, which I have in "My filters", just that more for personal usage than to land in public filter lists, that's why I redacted and simplified them for the sake of example. The left part was a long regex (highlighted by yellow by uBO linter) with many unwanted phrases that might exist in a domain name, and the right part was a list of several hundred of excluded domains to not trigger the long regex on most common sites + other sites I visit. The purpose of the filters is to not visit some subcategories of categories of sites. But unless there is more of real usage cases (especially ones that could land in public lists) then yes, we can live without it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request fixed issue has been addressed
Projects
None yet
Development

No branches or pull requests

8 participants