drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-05-09 23:32:57 +03:00
Code Issues Packages Projects Releases Wiki Activity

nfqws: conntrack workaround TTL=1

Browse Source
This commit is contained in:
bol-van 2025-05-09 11:17:21 +03:00
parent 691a501b0d
commit 729ded0c61
2 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
nfq/desync.c
View File

@ -564,9 +564,18 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))) if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
{ {
DLOG("applying linux postnat conntrack workaround\n"); DLOG("applying linux postnat conntrack workaround\n");
// make ip protocol invalid // make ip protocol invalid and low TTL
if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255; if (ip6)
if (ip) ip->ip_p = 255; // this also makes ipv4 header checksum invalid {
ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt = 255;
ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = 1;
}
if (ip)
{
// this likely also makes ipv4 header checksum invalid
ip->ip_p = 255;
ip->ip_ttl = 1;
}
return VERDICT_MODIFY | VERDICT_NOCSUM; return VERDICT_MODIFY | VERDICT_NOCSUM;
} }
#endif #endif

4
nfq/nfqws.c
View File

@ -296,6 +296,7 @@ static int nfq_main(void)
return 1; return 1;
} }
sec_harden();
if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps()) if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
goto err; goto err;
print_id(); print_id();
@ -307,9 +308,6 @@ static int nfq_main(void)
if (params.daemon) daemonize(); if (params.daemon) daemonize();
// do it only after daemonize because daemonize needs fork
sec_harden();
if (Fpid) if (Fpid)
{ {
if (fprintf(Fpid, "%d", getpid())<=0) if (fprintf(Fpid, "%d", getpid())<=0)