nfqws: windows fixes for recent changes

This commit is contained in:
bol-van 2025-04-29 12:24:31 +03:00
parent 8b5dfcfae1
commit 50539d6cbf
5 changed files with 75 additions and 68 deletions


@ -1900,15 +1900,15 @@ void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transpo
{ {
if (!(verdict & VERDICT_NOCSUM)) if (!(verdict & VERDICT_NOCSUM))
{ {
#ifdef __CYGWIN__
// always fix csum for windivert. original can be partial or bad // always fix csum for windivert. original can be partial or bad
#ifndef __CYGWIN__ if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
#ifdef __FreeBSD__ #elif defined(__FreeBSD__)
// FreeBSD tend to pass ipv6 frames with wrong checksum // FreeBSD tend to pass ipv6 frames with wrong checksum
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr) if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr)
#else #else
// if original packet was tampered earlier it needs checksum fixed // if original packet was tampered earlier it needs checksum fixed
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY) if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
#endif
#endif #endif
tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr); tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr);
} }
@ -1917,15 +1917,15 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo
{ {
if (!(verdict & VERDICT_NOCSUM)) if (!(verdict & VERDICT_NOCSUM))
{ {
#ifdef __CYGWIN__
// always fix csum for windivert. original can be partial or bad // always fix csum for windivert. original can be partial or bad
#ifndef __CYGWIN__ if ((verdict & VERDICT_MASK)!=VERDICT_DROP)
#ifdef __FreeBSD__ #elif defined(__FreeBSD__)
// FreeBSD tend to pass ipv6 frames with wrong checksum // FreeBSD tend to pass ipv6 frames with wrong checksum
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr) if ((verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr)
#else #else
// if original packet was tampered earlier it needs checksum fixed // if original packet was tampered earlier it needs checksum fixed
if ((verdict & VERDICT_MASK)==VERDICT_MODIFY) if ((verdict & VERDICT_MASK)==VERDICT_MODIFY)
#endif
#endif #endif
udp_fix_checksum(udphdr,transport_len,ip,ip6hdr); udp_fix_checksum(udphdr,transport_len,ip,ip6hdr);
} }
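Review bot: The per-platform preprocessor ladder deciding whether to recompute the checksum is now duplicated verbatim in verdict_tcp_csum_fix and verdict_udp_csum_fix, and this commit had to apply the identical Windows edit to both, which is how the two copies will eventually drift. Lifting the decision into one helper and calling it from both leaves a single place to explain why Windows recomputes even for a packet that is merely passed. Both functions begin at their hunk headers and continue past the closing brace shown, so the rest of each body is outside the hunk.
```c
// single place for the per-platform checksum policy; both verdict_*_csum_fix call it
static bool verdict_csum_fix_needed(uint8_t verdict, const struct ip6_hdr *ip6hdr)
{
	if (verdict & VERDICT_NOCSUM) return false;
#ifdef __CYGWIN__
	// always fix csum for windivert. original can be partial or bad
	return (verdict & VERDICT_MASK)!=VERDICT_DROP;
#elif defined(__FreeBSD__)
	// FreeBSD tend to pass ipv6 frames with wrong checksum
	return (verdict & VERDICT_MASK)==VERDICT_MODIFY || ip6hdr;
#else
	// if original packet was tampered earlier it needs checksum fixed
	return (verdict & VERDICT_MASK)==VERDICT_MODIFY;
#endif
}
// … in verdict_tcp_csum_fix, replacing the #ifdef ladder …
	if (verdict_csum_fix_needed(verdict, ip6hdr))
		tcp_fix_checksum(tcphdr,transport_len,ip,ip6hdr);
```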


@ -879,7 +879,7 @@ static bool orig_send_rewrite(
} }
// return : true - orig was sent completely, false - should send orig another way // return : true - orig was sent completely, false - should send orig another way
static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) static bool tcp_orig_send(uint8_t verdict, uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend)
{ {
if (dp->dup_repeats || bForceSend) if (dp->dup_repeats || bForceSend)
{ {
@ -894,6 +894,8 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
extract_endpoints(dis->ip, dis->ip6, dis->tcp, NULL, &src, &dst); extract_endpoints(dis->ip, dis->ip6, dis->tcp, NULL, &src, &dst);
verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6);
if (dp->dup_repeats && check_dup_interval(dp,ctrack)) if (dp->dup_repeats && check_dup_interval(dp,ctrack))
{ {
ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim;
@ -920,7 +922,6 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
DLOG_ERR("dup: packet reconstruct failed\n"); DLOG_ERR("dup: packet reconstruct failed\n");
return false; return false;
} }
DLOG("sending %u dups with packet reconstruct\n", dp->dup_repeats); DLOG("sending %u dups with packet reconstruct\n", dp->dup_repeats);
// send dups // send dups
@ -956,7 +957,7 @@ static bool tcp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
return false; return false;
} }
// return : true - orig was sent completely, false - should send orig another way // return : true - orig was sent completely, false - should send orig another way
static bool udp_orig_send(uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend) static bool udp_orig_send(uint8_t verdict, uint32_t fwmark, const char *ifout, const struct desync_profile *dp, const t_ctrack *ctrack, struct dissect *dis, bool bForceSend)
{ {
if (dp->dup_repeats || bForceSend) if (dp->dup_repeats || bForceSend)
{ {
@ -969,6 +970,8 @@ static bool udp_orig_send(uint32_t fwmark, const char *ifout, const struct desyn
extract_endpoints(dis->ip, dis->ip6, NULL, dis->udp, &src, &dst); extract_endpoints(dis->ip, dis->ip6, NULL, dis->udp, &src, &dst);
verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
if (dp->dup_repeats && check_dup_interval(dp,ctrack)) if (dp->dup_repeats && check_dup_interval(dp,ctrack))
{ {
ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim; ttl_orig = dis->ip ? dis->ip->ip_ttl : dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim;
@ -2168,9 +2171,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
default: default:
break; break;
} }
if (bFake)
verdict_tcp_csum_fix(verdict, dis->tcp, dis->transport_len, dis->ip, dis->ip6);
} }
send_orig: send_orig:
@ -2178,7 +2178,7 @@ send_orig:
if ((verdict & VERDICT_MASK)==VERDICT_DROP) if ((verdict & VERDICT_MASK)==VERDICT_DROP)
verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp); verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp);
else else
if (tcp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) if (tcp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp); verdict = ct_new_postnat_fix_tcp(ctrack, dis->ip, dis->ip6, dis->tcp);
return verdict; return verdict;
} }
@ -2770,16 +2770,13 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
default: default:
break; break;
} }
if (bFake)
verdict_udp_csum_fix(verdict, dis->udp, dis->transport_len, dis->ip, dis->ip6);
} }
send_orig: send_orig:
if ((verdict & VERDICT_MASK)==VERDICT_DROP) if ((verdict & VERDICT_MASK)==VERDICT_DROP)
verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt); verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
else else
if (udp_orig_send(desync_fwmark,ifout,dp,ctrack_replay,dis,bFake)) if (udp_orig_send(verdict,desync_fwmark,ifout,dp,ctrack_replay,dis,bFake))
verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt); verdict = ct_new_postnat_fix_udp(ctrack, dis->ip, dis->ip6, dis->udp, &dis->len_pkt);
return verdict; return verdict;
} }
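Review bot: The checksum fix is now reached only inside the `if (dp->dup_repeats || bForceSend)` branch of tcp_orig_send, right after extract_endpoints (same shape in udp_orig_send), whereas the removed `if (bFake)` guard in dpi_desync_tcp_packet_play and dpi_desync_udp_packet_play made the condition visible at the call site; when these functions return false on the other path the caller presumably reinjects the packet with no checksum work, which a reader of the call site can no longer see. The header comment on both functions should state that contract, e.g. keep `// return : true - orig was sent completely, false - should send orig another way` and add `// verdict : csum fix policy (verdict_*_csum_fix) is applied to the dissected packet here, before dups and orig are sent`. Both functions continue outside their hunks.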


@ -1343,8 +1343,7 @@ static bool wf_make_filter(
char pf_dst_buf[512],iface[64]; char pf_dst_buf[512],iface[64];
const char *pf_dst; const char *pf_dst;
const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(&params.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : ""; const char *f_tcpin = *pf_tcp_src ? dp_list_have_autohostlist(&params.desync_profiles) ? "(" DIVERT_TCP_INBOUNDS " or (" DIVERT_HTTP_REDIRECT "))" : DIVERT_TCP_INBOUNDS : "";
const char *f_tcp_not_empty = *pf_tcp_src ? DIVERT_TCP_NOT_EMPTY " and " : ""; const char *f_tcp_not_empty = (*pf_tcp_src && !dp_list_need_all_out(&params.desync_profiles)) ? DIVERT_TCP_NOT_EMPTY " and " : "";
snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx); snprintf(iface,sizeof(iface)," ifIdx=%u and subIfIdx=%u and",IfIdx,SubIfIdx);
if (!*pf_tcp_src && !*pf_udp_src) return false; if (!*pf_tcp_src && !*pf_udp_src) return false;
@ -1453,14 +1452,14 @@ static void exithelp(void)
" --orig-mod-start=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n" " --orig-mod-start=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
" --orig-mod-cutoff=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n" " --orig-mod-cutoff=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
" --dup=<int>\t\t\t\t\t; duplicate original packets. send N dups before original.\n" " --dup=<int>\t\t\t\t\t; duplicate original packets. send N dups before original.\n"
" --dup-ttl=<int>\t\t\t\t; set TTL for dups\n"
" --dup-replace=[0|1]\t\t\t\t; 1 or no argument means do not send original, only dups\n" " --dup-replace=[0|1]\t\t\t\t; 1 or no argument means do not send original, only dups\n"
" --dup-ttl=<int>\t\t\t\t; set TTL for dups\n"
" --dup-ttl6=<int>\t\t\t\t; set ipv6 hop limit for dups. by default ttl value is used\n" " --dup-ttl6=<int>\t\t\t\t; set ipv6 hop limit for dups. by default ttl value is used\n"
" --dup-fooling=<mode>[,<mode>]\t\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n" " --dup-fooling=<mode>[,<mode>]\t\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n"
" --dup-badseq-increment=<int|0xHEX>\t\t; badseq fooling seq signed increment for dup. default %d\n"
" --dup-badack-increment=<int|0xHEX>\t\t; badseq fooling ackseq signed increment for dup. default %d\n"
" --dup-start=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n" " --dup-start=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
" --dup-cutoff=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n" " --dup-cutoff=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
" --dup-badseq-increment=<int|0xHEX>\t\t; badseq fooling seq signed increment for dup. default %d\n"
" --dup-desync-badack-increment=<int|0xHEX>\t; badseq fooling ackseq signed increment for dup. default %d\n"
" --hostcase\t\t\t\t\t; change Host: => host:\n" " --hostcase\t\t\t\t\t; change Host: => host:\n"
" --hostspell\t\t\t\t\t; exact spelling of \"Host\" header. must be 4 chars. default is \"host\"\n" " --hostspell\t\t\t\t\t; exact spelling of \"Host\" header. must be 4 chars. default is \"host\"\n"
" --hostnospace\t\t\t\t\t; remove space after Host: and add it to User-Agent: to preserve packet size\n" " --hostnospace\t\t\t\t\t; remove space after Host: and add it to User-Agent: to preserve packet size\n"
@ -2757,48 +2756,6 @@ int main(int argc, char **argv)
DLOG_ERR("Need divert port (--port)\n"); DLOG_ERR("Need divert port (--port)\n");
exit_clean(1); exit_clean(1);
} }
#elif defined(__CYGWIN__)
if (!*windivert_filter)
{
if (!*wf_pf_tcp_src && !*wf_pf_udp_src)
{
DLOG_ERR("windivert filter : must specify port filter\n");
exit_clean(1);
}
if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst))
{
DLOG_ERR("windivert filter : could not make filter\n");
exit_clean(1);
}
}
DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter);
if (*wf_save_file)
{
if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter)))
{
DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file);
exit_clean(0);
}
else
{
DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file);
exit_clean(1);
}
}
HANDLE hMutexArg;
{
char mutex_name[128];
snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6);
hMutexArg = CreateMutexA(NULL,TRUE,mutex_name);
if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutexArg); hMutexArg = NULL;
DLOG_ERR("A copy of winws is already running with the same filter\n");
goto exiterr;
}
}
#endif #endif
DLOG("adding low-priority default empty desync profile\n"); DLOG("adding low-priority default empty desync profile\n");
@ -2865,6 +2822,49 @@ int main(int argc, char **argv)
SplitDebug(); SplitDebug();
DLOG("\n"); DLOG("\n");
#ifdef __CYGWIN__
if (!*windivert_filter)
{
if (!*wf_pf_tcp_src && !*wf_pf_udp_src)
{
DLOG_ERR("windivert filter : must specify port filter\n");
exit_clean(1);
}
if (!wf_make_filter(windivert_filter, sizeof(windivert_filter), IfIdx, SubIfIdx, wf_ipv4, wf_ipv6, wf_pf_tcp_src, wf_pf_tcp_dst, wf_pf_udp_src, wf_pf_udp_dst))
{
DLOG_ERR("windivert filter : could not make filter\n");
exit_clean(1);
}
}
DLOG("windivert filter size: %zu\nwindivert filter:\n%s\n",strlen(windivert_filter),windivert_filter);
if (*wf_save_file)
{
if (save_file(wf_save_file,windivert_filter,strlen(windivert_filter)))
{
DLOG_ERR("windivert filter: raw filter saved to %s\n", wf_save_file);
exit_clean(0);
}
else
{
DLOG_ERR("windivert filter: could not save raw filter to %s\n", wf_save_file);
exit_clean(1);
}
}
HANDLE hMutexArg;
{
char mutex_name[128];
snprintf(mutex_name,sizeof(mutex_name),"Global\\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u",hash_wf_tcp,hash_wf_udp,hash_wf_raw,hash_ssid_filter,hash_nlm_filter,IfIdx,SubIfIdx,wf_ipv4,wf_ipv6);
hMutexArg = CreateMutexA(NULL,TRUE,mutex_name);
if (hMutexArg && GetLastError()==ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutexArg); hMutexArg = NULL;
DLOG_ERR("A copy of winws is already running with the same filter\n");
goto exiterr;
}
}
#endif
if (bDry) if (bDry)
{ {
DLOG_CONDUP("command line parameters verified\n"); DLOG_CONDUP("command line parameters verified\n");
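Review bot: The renamed help line `" --dup-desync-badack-increment=<int|0xHEX>\t; badseq fooling ackseq signed increment for dup. default %d\n"` breaks the `--dup-*` naming of its neighbours and of the `--dup-badack-increment` entry it replaces; unless the option table was renamed the same way (not visible here), the help text now advertises an option the parser does not accept, and the line should read `" --dup-badack-increment=<int|0xHEX>\t\t; badseq fooling ackseq signed increment for dup. default %d\n"`. The WinDivert filter construction was moved from before the default desync profile is added to after SplitDebug(); since wf_make_filter consults params.desync_profiles (dp_list_have_autohostlist and dp_list_need_all_out in the first hunk), a comment such as `// must run after all desync profiles are loaded : wf_make_filter consults params.desync_profiles` above the `#ifdef __CYGWIN__` would keep the block from being moved back. main() continues outside the hunk.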


@ -294,3 +294,12 @@ bool dp_list_have_autohostlist(struct desync_profile_list_head *head)
return true; return true;
return false; return false;
} }
// check if we need empty outgoing ACK
bool dp_list_need_all_out(struct desync_profile_list_head *head)
{
struct desync_profile_list *dpl;
LIST_FOREACH(dpl, head, next)
if (dpl->dp.dup_repeats || PROFILE_HAS_ORIG_MOD(&dpl->dp))
return true;
return false;
}
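Review bot: The comment `// check if we need empty outgoing ACK` on dp_list_need_all_out names only one consequence of what the function reports, while the name says something different (all outgoing packets), and a reader cannot tell why dup_repeats and PROFILE_HAS_ORIG_MOD are the two triggers. Suggest `// true if any profile must see every outgoing packet, empty ACKs included : dup and orig TTL mod are applied per packet, so the capture filter must not skip them`, the filter consequence being inferred from wf_make_filter's use of this function in the same commit. The same comment belongs on the prototype added to the header.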


@ -126,10 +126,10 @@ struct desync_profile
hostfail_pool *hostlist_auto_fail_counters; hostfail_pool *hostlist_auto_fail_counters;
}; };
#define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&dp->ips_collection) && !LIST_FIRST(&dp->ips_collection_exclude)) #define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
#define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&dp->ips_collection) && ipset_collection_is_empty(&dp->ips_collection_exclude)) #define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
#define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&dp->hl_collection) && hostlist_collection_is_empty(&dp->hl_collection_exclude)) #define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&(dp)->hl_collection) && hostlist_collection_is_empty(&(dp)->hl_collection_exclude))
#define PROFILE_HAS_ORIG_MOD(dp) (dp->orig_mod_ttl || dp->orig_mod_ttl6) #define PROFILE_HAS_ORIG_MOD(dp) ((dp)->orig_mod_ttl || (dp)->orig_mod_ttl6)
struct desync_profile_list { struct desync_profile_list {
struct desync_profile dp; struct desync_profile dp;
@ -140,6 +140,7 @@ struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
void dp_entry_destroy(struct desync_profile_list *entry); void dp_entry_destroy(struct desync_profile_list *entry);
void dp_list_destroy(struct desync_profile_list_head *head); void dp_list_destroy(struct desync_profile_list_head *head);
bool dp_list_have_autohostlist(struct desync_profile_list_head *head); bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
bool dp_list_need_all_out(struct desync_profile_list_head *head);
void dp_init(struct desync_profile *dp); void dp_init(struct desync_profile *dp);
bool dp_fake_defaults(struct desync_profile *dp); bool dp_fake_defaults(struct desync_profile *dp);
void dp_clear(struct desync_profile *dp); void dp_clear(struct desync_profile *dp);
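Review bot: Parenthesizing `(dp)` fixes the precedence hazard in PROFILE_IPSETS_ABSENT, PROFILE_IPSETS_EMPTY, PROFILE_HOSTLISTS_EMPTY and PROFILE_HAS_ORIG_MOD, but each macro still evaluates its argument twice, so an argument with side effects is evaluated twice. Since `struct desync_profile` is complete by the time these macros appear, PROFILE_HAS_ORIG_MOD, now also called from dp_list_need_all_out, could become the type-checked `static inline bool profile_has_orig_mod(const struct desync_profile *dp) { return dp->orig_mod_ttl || dp->orig_mod_ttl6; }`, keeping the macro as an alias if existing callers depend on it.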