diff --git a/binaries/aarch64/nfqws b/binaries/aarch64/nfqws
index ac07df0..88cb0fc 100755
Binary files a/binaries/aarch64/nfqws and b/binaries/aarch64/nfqws differ
diff --git a/binaries/armhf/nfqws b/binaries/armhf/nfqws
index a7dbd23..e16e66b 100755
Binary files a/binaries/armhf/nfqws and b/binaries/armhf/nfqws differ
diff --git a/binaries/mips32r1-lsb/nfqws b/binaries/mips32r1-lsb/nfqws
index 0a13a11..13a1929 100755
Binary files a/binaries/mips32r1-lsb/nfqws and b/binaries/mips32r1-lsb/nfqws differ
diff --git a/binaries/mips32r1-msb/nfqws b/binaries/mips32r1-msb/nfqws
index 73179f7..b4e51b6 100755
Binary files a/binaries/mips32r1-msb/nfqws and b/binaries/mips32r1-msb/nfqws differ
diff --git a/binaries/mips64r2-msb/nfqws b/binaries/mips64r2-msb/nfqws
index d055514..08ca049 100755
Binary files a/binaries/mips64r2-msb/nfqws and b/binaries/mips64r2-msb/nfqws differ
diff --git a/binaries/ppc/nfqws b/binaries/ppc/nfqws
index fa53c58..b7f1d16 100755
Binary files a/binaries/ppc/nfqws and b/binaries/ppc/nfqws differ
diff --git a/binaries/x86/nfqws b/binaries/x86/nfqws
index 5bbb93a..97b2c9c 100755
Binary files a/binaries/x86/nfqws and b/binaries/x86/nfqws differ
diff --git a/binaries/x86_64/nfqws b/binaries/x86_64/nfqws
index f51c218..53afe09 100755
Binary files a/binaries/x86_64/nfqws and b/binaries/x86_64/nfqws differ
diff --git a/docs/readme.eng.txt b/docs/readme.eng.txt
index c45aacd..215b73e 100644
--- a/docs/readme.eng.txt
+++ b/docs/readme.eng.txt
@@ -146,6 +146,7 @@ It takes the following parameters: --dpi-desync-retrans=0|1 ; (fake,rst,rstack only) 0(default)=reinject original data packet after fake 1=drop original data packet to force its retransmission --dpi-desync-skip-nosni=0|1 ; 1(default)=do not apply desync to requests without hostname in the SNI --dpi-desync-split-pos=<1..1500> ; (for disorder only) split TCP packet at specified position + --dpi-desync-any-protocol=0|1 ; 0(default)=desync only http and tls 1=desync any nonempty data packet --hostlist= ; apply dpi desync only to the listed hosts (one host per line, subdomains auto apply) The manipulation parameters can be combined in any way. @@ -201,7 +202,7 @@ In the disorder variant, a selective acknowledgement (SACK) usually arrives firs If, instead of ACK or SACK, there is an RST packet with minimal delay, DPI cuts you off at the request stage. If the RST is after a full ACK after a delay of about ping to the server, then probably DPI acts on the server response. The DPI may be satisfied with good ClientHello and stop monitoring the TCP session -without checking ServeHello. Then you were lucky. 'fake' option could work. +without checking ServerHello. Then you were lucky. 'fake' option could work. If it does not stop monitoring and persistently checks the ServerHello, also performing reconstruction of TCP segments, doing something about it is hardly possible without the help of the server. The best solution is to enable TLS 1.3 support on the server. TLS 1.3 sends the server certificate in encrypted form. diff --git a/docs/readme.txt b/docs/readme.txt index 153e205..0bf792e 100644 --- a/docs/readme.txt +++ b/docs/readme.txt 
@@ -174,6 +174,7 @@ nfqws --dpi-desync-retrans=0|1 ; (только для fake,rst,rstack) 0(default)=отправлять оригинал следом за фейком 1=дропать оригинал, заставляя ОС выполнять ретрансмиссию через 0.2 сек --dpi-desync-skip-nosni=0|1 ; 1(default)=не применять dpi desync для запросов без hostname в SNI, в частности для ESNI --dpi-desync-split-pos=<1..1500> ; (только для disorder) разбивать пакет на указанной позиции + --dpi-desync-any-protocol=0|1 ; 0(default)=работать только по http request и tls clienthello 1=по всем непустым пакетам данных --hostlist= ; применять dpi-desync только к хостам из листа Параметры манипуляции могут сочетаться в любых комбинациях. diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 0f579a9..520db18 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -88,7 +88,7 @@ struct params_s bool hostcase, hostnospace; char hostspell[4]; enum dpi_desync_mode desync_mode; - bool desync_retrans,desync_skip_nosni; + bool desync_retrans,desync_skip_nosni,desync_any_proto; int desync_split_pos; uint8_t desync_ttl; enum tcp_fooling_mode desync_tcp_fooling_mode; @@ -496,21 +496,26 @@ static bool dpi_desync_packet(const uint8_t *data_pkt, size_t len_pkt, const str bHaveHost=TLSHelloExtractHost(data_payload,len_payload,host,sizeof(host)); if (params.desync_skip_nosni && !bHaveHost) { - DLOG("Not applying dpi-desync to TLS ClientHello without hostname in the SNI\n") + DLOG("not applying dpi-desync to TLS ClientHello without hostname in the SNI\n") return false; } } } else - return false; + { + if (!params.desync_any_proto) return false; + DLOG("applying dpi-desync to unknown protocol\n") + fake = zeropkt; + fake_size = 256; + } if (bHaveHost) { DLOG("hostname: %s\n",host) if (params.hostlist && !SearchHostList(params.hostlist,host,params.debug)) { - DLOG("Not applying dpi-desync to this request\n") + DLOG("not applying dpi-desync to this request\n") return false; } } 
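Review bot: The new `else` branch bypasses the hostlist filter: `--hostlist` is consulted only inside `if (bHaveHost)`, and a packet that matched neither HTTP nor TLS has no extracted host (presumably `bHaveHost` is initialised false above the hunk), so with `--dpi-desync-any-protocol=1` every nonempty data packet is desynced whether or not its host is listed. Either the help text added in the `exithelp()` hunk should state that hostlist does not restrict this mode, or the branch should honour the list, e.g. `if (!params.desync_any_proto || params.hostlist) return false;` with a matching DLOG explaining why. `fake_size = 256;` is a magic number that also assumes `zeropkt` holds at least 256 bytes; naming the constant and checking it against `sizeof(zeropkt)` would make that assumption explicit. dpi_desync_packet starts and ends outside this hunk.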
@@ -733,6 +738,7 @@ static void exithelp() " --dpi-desync-retrans=0|1\t\t; 0(default)=reinject original data packet after fake 1=drop original data packet to force its retransmission\n" " --dpi-desync-skip-nosni=0|1\t\t; 1(default)=do not act on ClientHello without SNI (ESNI ?)\n" " --dpi-desync-split-pos=<1..%zu>\t; (for disorder only) split TCP packet at specified position\n" + " --dpi-desync-any-protocol=0|1\t\t; 0(default)=desync only http and tls 1=desync any nonempty data packet\n" " --hostlist=\t\t\t; apply dpi desync only to the listed hosts (one host per line, subdomains auto apply)\n", DPI_DESYNC_FWMARK_DEFAULT,sizeof(zeropkt) ); @@ -774,7 +780,7 @@ int main(int argc, char **argv) gid_t gid = 0; char pidfile[256]; - srand(time(NULL)); + srandom(time(NULL)); memset(zeropkt, 0, sizeof(zeropkt)); @@ -804,7 +810,8 @@ int main(int argc, char **argv) {"dpi-desync-retrans",optional_argument,0,0}, // optidx=14 {"dpi-desync-skip-nosni",optional_argument,0,0},// optidx=15 {"dpi-desync-split-pos",required_argument,0,0},// optidx=16 - {"hostlist",required_argument,0,0}, // optidx=17 + {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=17 + {"hostlist",required_argument,0,0}, // optidx=18 {NULL,0,NULL,0} }; if (argc < 2) exithelp(); @@ -930,7 +937,10 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 17: /* hostlist */ + case 17: /* dpi-desync-any-protocol */ + params.desync_any_proto = !optarg || atoi(optarg); + break; + case 18: /* hostlist */ if (!LoadHostList(¶ms.hostlist, optarg)) exit_clean(1); strncpy(params.hostfile,optarg,sizeof(params.hostfile));
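Review bot: `srandom(time(NULL));` seeds with wall-clock seconds, so the `random()` sequence is reproducible by anyone who knows roughly when the daemon started; what consumes `random()` lies outside this hunk, so if it picks values that are meant to be unpredictable on the wire a stronger seed (mixing in `getpid()` or bytes from `/dev/urandom`) is warranted, and if it does not, a comment such as `/* seed is not security-relevant */` would record that decision. `srandom`/`random` are POSIX rather than ISO C, which is acceptable for an nfqueue-based tool but worth a remark if the file otherwise sticks to the standard library. main() continues outside this hunk.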
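Review bot: `params.desync_any_proto = !optarg || atoi(optarg);` accepts any text: `atoi` returns 0 for non-numeric input, so a typo such as `--dpi-desync-any-protocol=yes` silently leaves the feature off, while any non-zero number is treated as 1. If the neighbouring `0|1` options are parsed the same way this is at least consistent; otherwise parse with `strtol`, check the end pointer, and reject anything but 0 or 1 with `exit_clean(1)` as the other cases in this switch do. The enclosing `switch` and main() extend beyond this hunk.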