openbsd: discovered how to apply divert-packet to outgoing only

nfq/conntrack.h

@@ -55,6 +55,8 @@ typedef struct
 	uint8_t scale_orig, scale_reply;	// last seen window scale factor. SCALE_NONE if none
 
 	bool b_cutoff;				// mark for deletion
+
+	bool b_wssize_cutoff, b_desync_cutoff;
 } t_ctrack;
 
 // use separate pools for ipv4 and ipv6 to save RAM. otherwise could use union key

nfq/desync.c

@@ -107,11 +107,7 @@ static void maybe_cutoff(t_ctrack *ctrack)
 		ctrack->b_wssize_cutoff |= params.wssize_cutoff && ctrack->pcounter_orig>=params.wssize_cutoff;
 		ctrack->b_desync_cutoff |= params.desync_cutoff && ctrack->pcounter_orig>=params.desync_cutoff;
 		
-		// do not cut off in OpenBSD. It looks like it's not possible to divert-packet only outgoing part of the connection
-		// It's better to destinguish outgoings using conntrack
-#ifndef __OpenBSD__
 		ctrack->b_cutoff |= (!params.wssize || ctrack->b_wssize_cutoff) && !params.desync_cutoff;
-#endif
 	}
 }
 static void wssize_cutoff(t_ctrack *ctrack)
@@ -122,11 +118,7 @@ static void wssize_cutoff(t_ctrack *ctrack)
 		maybe_cutoff(ctrack);
 	}
 }
-#ifdef __OpenBSD__
-#define CONNTRACK_REQUIRED true
-#else
 #define CONNTRACK_REQUIRED (params.wssize || params.desync_cutoff)
-#endif
 // result : true - drop original packet, false = dont drop
 packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struct ip *ip, struct ip6_hdr *ip6hdr, struct tcphdr *tcphdr, size_t len_tcp, uint8_t *data_payload, size_t len_payload)
 {

nfq/nfqws.c

@@ -38,13 +38,7 @@
 
 #define CTRACK_T_SYN	60
 #define CTRACK_T_FIN	60
-#ifdef __OpenBSD__
-// It looks like it's not possible to divert-packet only outgoing part of the connection
-// It's better to destinguish outgoings using conntrack. Do not purge conntrack entry too early
-#define CTRACK_T_EST	7200
-#else
 #define CTRACK_T_EST	300
-#endif
 
 struct params_s params;
 

nfq/params.h

@@ -11,16 +11,9 @@
 #include <stdbool.h>
 #include <stdio.h>
 
-#if defined(__OpenBSD__) || defined (__APPLE__)
-// divert-packet also diverts return traffic. sockets will experience high load
-#define Q_RCVBUF	(256*1024)	// in bytes
-#define Q_SNDBUF	(256*1024)	// in bytes
-#define RAW_SNDBUF	(64*1024)	// in bytes
-#else
 #define Q_RCVBUF	(128*1024)	// in bytes
 #define Q_SNDBUF	(64*1024)	// in bytes
 #define RAW_SNDBUF	(64*1024)	// in bytes
-#endif
 
 #define Q_MAXLEN	1024		// in packets
 
@@ -40,6 +33,7 @@ struct params_s
 	enum dpi_desync_mode desync_mode,desync_mode2;
 	bool desync_retrans,desync_skip_nosni,desync_any_proto;
 	int desync_repeats,desync_split_pos;
+	unsigned int desync_cutoff;
 	uint8_t desync_ttl;
 	uint8_t desync_tcp_fooling_mode;
 	uint32_t desync_fwmark; // unused in BSD