diff --git a/nfq/darkmagic.c b/nfq/darkmagic.c index e016a71..dd8fdfb 100644 --- a/nfq/darkmagic.c +++ b/nfq/darkmagic.c @@ -1900,15 +1900,15 @@ void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transpo { if (!(verdict & VERDICT_NOCSUM)) { + #ifdef __CYGWIN__ // always fix csum for windivert. original can be partial or bad - #ifndef __CYGWIN__ - #ifdef __FreeBSD__ + if ((verdict & VERDICT_MASK)!=VERDICT_DROP) + #elif defined(__FreeBSD__) // FreeBSD tend to pass ipv6 frames with wrong checksum if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr) #else // if original packet was tampered earlier it needs checksum fixed if ((verdict & VERDICT_MASK)==VERDICT_MODIFY) - #endif #endif tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr); } @@ -1917,15 +1917,15 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo { if (!(verdict & VERDICT_NOCSUM)) { + #ifdef __CYGWIN__ // always fix csum for windivert. original can be partial or bad - #ifndef __CYGWIN__ - #ifdef __FreeBSD__ + if ((verdict & VERDICT_MASK)!=VERDICT_DROP) + #elif defined(__FreeBSD__) // FreeBSD tend to pass ipv6 frames with wrong checksum if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr) #else // if original packet was tampered earlier it needs checksum fixed if ((verdict & VERDICT_MASK)==VERDICT_MODIFY) - #endif #endif udp_fix_checksum(udphdr,transport_len,ip,ip6hdr); } diff --git a/nfq/desync.c b/nfq/desync.c index dc8afec..c8eef91 100644 --- a/nfq/desync.c +++ b/nfq/desync.c @@ -879,7 +879,7 @@ static bool orig_send_rewrite( } // return : true - orig was sent completely, false - should send orig another way -static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) +static bool tcp_orig_send(uint8_t verdict, uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) { if (dp->dup_repeats || bForceSend) { @@ -894,6 +894,8 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn extract_endpoints(dis->ip, dis->ip6, dis->tcp, NULL, &src, &dst); + verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6); + if (dp->dup_repeats && check_dup_interval(dp,ctrack)) { ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; @@ -920,7 +922,6 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn DLOG_ERR("dup: packet reconstruct failed\n"); return false; } - DLOG("sending %u dups with packet reconstruct\n", dp->dup_repeats); // send dups @@ -956,7 +957,7 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn return false; } // return : true - orig was sent completely, false - should send orig another way -static bool udp_orig_send(uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) +static bool udp_orig_send(uint8_t verdict, uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) { if (dp->dup_repeats || bForceSend) { @@ -969,6 +970,8 @@ static bool udp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn extract_endpoints(dis->ip, dis->ip6, NULL, dis->udp, &src, &dst); + verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6); + if (dp->dup_repeats && check_dup_interval(dp,ctrack)) { ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; @@ -2168,9 +2171,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint default: break; } - - if (bFake) - verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6); } send_orig: @@ -2178,7 +2178,7 @@ send_orig: if ((verdict & VERDICT_MASK)==VERDICT_DROP) verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp); else - if (tcp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) + if (tcp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp); return verdict; } @@ -2770,16 +2770,13 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint default: break; } - - if (bFake) - verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6); } send_orig: if ((verdict & VERDICT_MASK)==VERDICT_DROP) verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt); else - if (udp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) + if (udp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt); return verdict; } diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 10758c0..fde2d50 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -1343,8 +1343,7 @@ static bool wf_make_filter( char pf_dst_buf[512],iface[64]; const char *pf_dst; const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(¶ms.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : ""; - const char *f_tcp_not_empty = *pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : ""; - + const char *f_tcp_not_empty = (*pf_tcp_src && !dp_list_need_all_out(¶ms.desync_profiles)) ? DIVERT_TCP_NOT_EMPTY " and " : ""; snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx); if (!*pf_tcp_src && !*pf_udp_src) return false; @@ -1453,14 +1452,14 @@ static void exithelp(void) " --orig-mod-start=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n" " --orig-mod-cutoff=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n" " --dup=\t\t\t\t\t; duplicate original packets. send N dups before original.\n" - " --dup-ttl=\t\t\t\t; set TTL for dups\n" " --dup-replace=[0|1]\t\t\t\t; 1 or no argument means do not send original, only dups\n" + " --dup-ttl=\t\t\t\t; set TTL for dups\n" " --dup-ttl6=\t\t\t\t; set ipv6 hop limit for dups. by default ttl value is used\n" " --dup-fooling=[,]\t\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n" + " --dup-badseq-increment=\t\t; badseq fooling seq signed increment for dup. default %d\n" + " --dup-badack-increment=\t\t; badseq fooling ackseq signed increment for dup. default %d\n" " --dup-start=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n" " --dup-cutoff=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n" - " --dup-badseq-increment=\t\t; badseq fooling seq signed increment for dup. default %d\n" - " --dup-desync-badack-increment=\t; badseq fooling ackseq signed increment for dup. default %d\n" " --hostcase\t\t\t\t\t; change Host: => host:\n" " --hostspell\t\t\t\t\t; exact spelling of \"Host\" header. must be 4 chars. default is \"host\"\n" " --hostnospace\t\t\t\t\t; remove space after Host: and add it to User-Agent: to preserve packet size\n" @@ -2757,48 +2756,6 @@ int main(int argc, char **argv) DLOG_ERR("Need divert port (--port)\n"); exit_clean(1); } -#elif defined(__CYGWIN__) - if (!*windivert_filter) - { - if (!*wf_pf_tcp_src && !*wf_pf_udp_src) - { - DLOG_ERR("windivert filter : must specify port filter\n"); - exit_clean(1); - } - if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst)) - { - DLOG_ERR("windivert filter : could not make filter\n"); - exit_clean(1); - } - } - DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter); - if (*wf_save_file) - { - if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter))) - { - DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file); - exit_clean(0); - } - else - { - DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file); - exit_clean(1); - } - } - HANDLE hMutexArg; - { - char mutex_name[128]; - snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6); - - hMutexArg = CreateMutexA(NULL,TRUE,mutex_name); - if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS) - { - CloseHandle(hMutexArg); hMutexArg = NULL; - DLOG_ERR("A copy of winws is already running with the same filter\n"); - goto exiterr; - } - - } #endif DLOG("adding low-priority default empty desync profile\n"); @@ -2865,6 +2822,49 @@ int main(int argc, char **argv) SplitDebug(); DLOG("\n"); +#ifdef __CYGWIN__ + if (!*windivert_filter) + { + if (!*wf_pf_tcp_src && !*wf_pf_udp_src) + { + DLOG_ERR("windivert filter : must specify port filter\n"); + exit_clean(1); + } + if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst)) + { + DLOG_ERR("windivert filter : could not make filter\n"); + exit_clean(1); + } + } + DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter); + if (*wf_save_file) + { + if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter))) + { + DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file); + exit_clean(0); + } + else + { + DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file); + exit_clean(1); + } + } + HANDLE hMutexArg; + { + char mutex_name[128]; + snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6); + + hMutexArg = CreateMutexA(NULL,TRUE,mutex_name); + if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS) + { + CloseHandle(hMutexArg); hMutexArg = NULL; + DLOG_ERR("A copy of winws is already running with the same filter\n"); + goto exiterr; + } + } +#endif + if (bDry) { DLOG_CONDUP("command line parameters verified\n"); diff --git a/nfq/params.c b/nfq/params.c index e279ebf..1cefbaa 100644 --- a/nfq/params.c +++ b/nfq/params.c @@ -294,3 +294,12 @@ bool dp_list_have_autohostlist(struct desync_profile_list_head *head) return true; return false; } +// check if we need empty outgoing ACK +bool dp_list_need_all_out(struct desync_profile_list_head *head) +{ + struct desync_profile_list *dpl; + LIST_FOREACH(dpl, head, next) + if (dpl->dp.dup_repeats || PROFILE_HAS_ORIG_MOD(&dpl->dp)) + return true; + return false; +} diff --git a/nfq/params.h b/nfq/params.h index 7ae8bee..5c57880 100644 --- a/nfq/params.h +++ b/nfq/params.h @@ -126,10 +126,10 @@ struct desync_profile hostfail_pool *hostlist_auto_fail_counters; }; -#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&dp->ips_collection) && !LIST_FIRST(&dp->ips_collection_exclude)) -#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&dp->ips_collection) && ipset_collection_is_empty(&dp->ips_collection_exclude)) -#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&dp->hl_collection) && hostlist_collection_is_empty(&dp->hl_collection_exclude)) -#define PROFILE_HAS_ORIG_MOD(dp) (dp->orig_mod_ttl || dp->orig_mod_ttl6) +#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude)) +#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude)) +#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&(dp)->hl_collection) && hostlist_collection_is_empty(&(dp)->hl_collection_exclude)) +#define PROFILE_HAS_ORIG_MOD(dp) ((dp)->orig_mod_ttl || (dp)->orig_mod_ttl6) struct desync_profile_list { struct desync_profile dp; @@ -140,6 +140,7 @@ struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head); void dp_entry_destroy(struct desync_profile_list *entry); void dp_list_destroy(struct desync_profile_list_head *head); bool dp_list_have_autohostlist(struct desync_profile_list_head *head); +bool dp_list_need_all_out(struct desync_profile_list_head *head); void dp_init(struct desync_profile *dp); bool dp_fake_defaults(struct desync_profile *dp); void dp_clear(struct desync_profile *dp);