diff --git a/binaries/aarch64/nfqws b/binaries/aarch64/nfqws index 0fe47b6..650dbf6 100755 Binary files a/binaries/aarch64/nfqws and b/binaries/aarch64/nfqws differ diff --git a/binaries/arm/nfqws b/binaries/arm/nfqws index bb0f4dc..0dfe130 100755 Binary files a/binaries/arm/nfqws and b/binaries/arm/nfqws differ diff --git a/binaries/mips32r1-lsb/nfqws b/binaries/mips32r1-lsb/nfqws index 414608c..2635aee 100755 Binary files a/binaries/mips32r1-lsb/nfqws and b/binaries/mips32r1-lsb/nfqws differ diff --git a/binaries/mips32r1-msb/nfqws b/binaries/mips32r1-msb/nfqws index 2b99331..63e28ff 100755 Binary files a/binaries/mips32r1-msb/nfqws and b/binaries/mips32r1-msb/nfqws differ diff --git a/binaries/mips64r2-msb/nfqws b/binaries/mips64r2-msb/nfqws index cc1fb18..a4ee2c7 100755 Binary files a/binaries/mips64r2-msb/nfqws and b/binaries/mips64r2-msb/nfqws differ diff --git a/binaries/ppc/nfqws b/binaries/ppc/nfqws index 5192863..99840c0 100755 Binary files a/binaries/ppc/nfqws and b/binaries/ppc/nfqws differ diff --git a/binaries/x86/nfqws b/binaries/x86/nfqws index 5ba616b..f1f6745 100755 Binary files a/binaries/x86/nfqws and b/binaries/x86/nfqws differ diff --git a/binaries/x86_64/nfqws b/binaries/x86_64/nfqws index df5bfb0..d6a6708 100755 Binary files a/binaries/x86_64/nfqws and b/binaries/x86_64/nfqws differ diff --git a/config b/config index a25f0cb..5ab421a 100644 --- a/config +++ b/config @@ -43,7 +43,7 @@ MODE_FILTER=none # CHOOSE NFQWS DAEMON OPTIONS for DPI desync mode. run "nfq/nfqws --help" for option list DESYNC_MARK=0x40000000 -NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-fooling=badsum" +NFQWS_OPT_DESYNC="--dpi-desync=fake --dpi-desync-ttl=0 --dpi-desync-ttl6=0 --dpi-desync-fooling=badsum" #NFQWS_OPT_DESYNC_HTTP="--dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum" #NFQWS_OPT_DESYNC_HTTPS="--wssize=1:6 --dpi-desync=split --dpi-desync-ttl=0 --dpi-desync-fooling=badsum" #NFQWS_OPT_DESYNC_HTTP6="--dpi-desync=split --dpi-desync-ttl=5 --dpi-desync-fooling=none" diff --git a/nfq/desync.c b/nfq/desync.c index 3cc1e3b..8f1a349 100644 --- a/nfq/desync.c +++ b/nfq/desync.c @@ -163,7 +163,8 @@ packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struc if (params.desync_mode0!=DESYNC_NONE || params.desync_mode!=DESYNC_NONE) // save some cpu { ttl_orig = ip ? ip->ip_ttl : ip6hdr->ip6_ctlun.ip6_un1.ip6_un1_hlim; - ttl_fake = params.desync_ttl ? params.desync_ttl : ttl_orig; + if (ip6hdr) ttl_fake = params.desync_ttl6 ? params.desync_ttl6 : ttl_orig; + else ttl_fake = params.desync_ttl ? params.desync_ttl : ttl_orig; flags_orig = *((uint8_t*)tcphdr+13); scale_factor = tcp_find_scale_factor(tcphdr); timestamps = tcp_find_timestamps(tcphdr); diff --git a/nfq/nfqws.c b/nfq/nfqws.c index ad25847..d9166bc 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -486,6 +486,7 @@ static void exithelp() " --dpi-desync-sockarg=\t; override sockarg (SO_USER_COOKIE) for desync packet. default = 0x%08X (%u)\n" #endif " --dpi-desync-ttl=\t\t\t; set ttl for desync packet\n" + " --dpi-desync-ttl6=\t\t; set ipv6 hop limit for desync packet. by default ttl value is used.\n" " --dpi-desync-fooling=[,]\t; can use multiple comma separated values. modes : none md5sig ts badseq badsum\n" #ifdef __linux__ " --dpi-desync-retrans=0|1\t\t; 0(default)=reinject original data packet after fake 1=drop original data packet to force its retransmission\n" @@ -552,6 +553,7 @@ int main(int argc, char **argv) params.ctrack_t_syn = CTRACK_T_SYN; params.ctrack_t_est = CTRACK_T_EST; params.ctrack_t_fin = CTRACK_T_FIN; + params.desync_ttl6 = 0xFF; // unused if (can_drop_root()) // are we root ? { @@ -589,16 +591,17 @@ int main(int argc, char **argv) {"disabled_argument_2",no_argument,0,0}, // optidx=15 #endif {"dpi-desync-ttl",required_argument,0,0}, // optidx=16 - {"dpi-desync-fooling",required_argument,0,0}, // optidx=17 - {"dpi-desync-retrans",optional_argument,0,0}, // optidx=18 - {"dpi-desync-repeats",required_argument,0,0}, // optidx=19 - {"dpi-desync-skip-nosni",optional_argument,0,0},// optidx=20 - {"dpi-desync-split-pos",required_argument,0,0},// optidx=21 - {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=22 - {"dpi-desync-fake-http",required_argument,0,0},// optidx=23 - {"dpi-desync-fake-tls",required_argument,0,0},// optidx=24 - {"dpi-desync-cutoff",required_argument,0,0},// optidx=25 - {"hostlist",required_argument,0,0}, // optidx=26 + {"dpi-desync-ttl6",required_argument,0,0}, // optidx=17 + {"dpi-desync-fooling",required_argument,0,0}, // optidx=18 + {"dpi-desync-retrans",optional_argument,0,0}, // optidx=19 + {"dpi-desync-repeats",required_argument,0,0}, // optidx=20 + {"dpi-desync-skip-nosni",optional_argument,0,0},// optidx=21 + {"dpi-desync-split-pos",required_argument,0,0},// optidx=22 + {"dpi-desync-any-protocol",optional_argument,0,0},// optidx=23 + {"dpi-desync-fake-http",required_argument,0,0},// optidx=24 + {"dpi-desync-fake-tls",required_argument,0,0},// optidx=25 + {"dpi-desync-cutoff",required_argument,0,0},// optidx=26 + {"hostlist",required_argument,0,0}, // optidx=27 {NULL,0,NULL,0} }; if (argc < 2) exithelp(); @@ -754,7 +757,10 @@ int main(int argc, char **argv) case 16: /* dpi-desync-ttl */ params.desync_ttl = (uint8_t)atoi(optarg); break; - case 17: /* dpi-desync-fooling */ + case 17: /* dpi-desync-ttl6 */ + params.desync_ttl6 = (uint8_t)atoi(optarg); + break; + case 18: /* dpi-desync-fooling */ { char *e,*p = optarg; while (p) @@ -783,7 +789,7 @@ int main(int argc, char **argv) } } break; - case 18: /* dpi-desync-retrans */ + case 19: /* dpi-desync-retrans */ #ifdef __linux__ params.desync_retrans = !optarg || atoi(optarg); #else @@ -791,7 +797,7 @@ int main(int argc, char **argv) exit_clean(1); #endif break; - case 19: /* dpi-desync-repeats */ + case 20: /* dpi-desync-repeats */ params.desync_repeats = atoi(optarg); if (params.desync_repeats<=0 || params.desync_repeats>20) { @@ -799,10 +805,10 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 20: /* dpi-desync-skip-nosni */ + case 21: /* dpi-desync-skip-nosni */ params.desync_skip_nosni = !optarg || atoi(optarg); break; - case 21: /* dpi-desync-split-pos */ + case 22: /* dpi-desync-split-pos */ params.desync_split_pos = atoi(optarg); if (params.desync_split_pos<1 || params.desync_split_pos>DPI_DESYNC_MAX_FAKE_LEN) { @@ -810,10 +816,10 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 22: /* dpi-desync-any-protocol */ + case 23: /* dpi-desync-any-protocol */ params.desync_any_proto = !optarg || atoi(optarg); break; - case 23: /* dpi-desync-fake-http */ + case 24: /* dpi-desync-fake-http */ params.fake_http_size = sizeof(params.fake_http); if (!load_file_nonempty(optarg,params.fake_http,¶ms.fake_http_size)) { @@ -821,7 +827,7 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 24: /* dpi-desync-fake-tls */ + case 25: /* dpi-desync-fake-tls */ params.fake_tls_size = sizeof(params.fake_tls); if (!load_file_nonempty(optarg,params.fake_tls,¶ms.fake_tls_size)) { @@ -829,14 +835,14 @@ int main(int argc, char **argv) exit_clean(1); } break; - case 25: /* desync-cutoff */ + case 26: /* desync-cutoff */ if (!sscanf(optarg, "%u", ¶ms.desync_cutoff)) { fprintf(stderr, "invalid desync-cutoff value\n"); exit_clean(1); } break; - case 26: /* hostlist */ + case 27: /* hostlist */ if (!LoadHostList(¶ms.hostlist, optarg)) exit_clean(1); strncpy(params.hostfile,optarg,sizeof(params.hostfile)); @@ -844,6 +850,8 @@ int main(int argc, char **argv) break; } } + // not specified - use desync_ttl value instead + if (params.desync_ttl6 == 0xFF) params.desync_ttl6=params.desync_ttl; #ifdef BSD if (!params.port) { diff --git a/nfq/params.h b/nfq/params.h index 133483b..787dc6f 100644 --- a/nfq/params.h +++ b/nfq/params.h @@ -34,7 +34,7 @@ struct params_s bool desync_retrans,desync_skip_nosni,desync_any_proto; int desync_repeats,desync_split_pos; unsigned int desync_cutoff; - uint8_t desync_ttl; + uint8_t desync_ttl, desync_ttl6; uint8_t desync_tcp_fooling_mode; uint32_t desync_fwmark; // unused in BSD char hostfile[256];