From 46284938ced1aa0bcb8014d610a07186132c8cfb Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 22 Nov 2024 12:42:33 +0300
Subject: [PATCH 1/2] tpws: fix socks-hostname hostlist checks
---
 tpws/tamper.c | 23 +++++++++++++----------
 tpws/tamper.h | 3 +--
 tpws/tpws_conn.c | 44 ++++++++++++++++++++++++++++++++++----------
 3 files changed, 48 insertions(+), 22 deletions(-)
diff --git a/tpws/tamper.c b/tpws/tamper.c
index 553488e..7492728 100644
--- a/tpws/tamper.c
+++ b/tpws/tamper.c
@@ -140,11 +140,6 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
 if (bHaveHost) VPRINT("request hostname: %s\n", Host);
- if (ctrack->b_not_act)
- {
- VPRINT("Not acting on this request\n");
- return;
- }
 bool bDiscoveredL7 = ctrack->l7proto==UNKNOWN && l7proto!=UNKNOWN;
 if (bDiscoveredL7)
@@ -169,17 +164,25 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
 struct desync_profile *dp_prev = ctrack->dp;
 apply_desync_profile(ctrack, dest);
 if (ctrack->dp!=dp_prev)
+ {
 VPRINT("desync profile changed by revealed l7 protocol or hostname !\n");
+ ctrack->b_host_checked = ctrack->b_ah_check = false;
+ }
 }
- if (bDiscoveredHostname && ctrack->dp->hostlist_auto)
+ if (l7proto!=UNKNOWN && ctrack->dp->hostlist_auto)
 {
- bool bHostExcluded;
- if (!HostlistCheck(ctrack->dp, Host, &bHostExcluded, false))
+ if (bHaveHost && !ctrack->b_host_checked)
+ {
+ bool bHostExcluded;
+ ctrack->b_host_matches = HostlistCheck(ctrack->dp, Host, &bHostExcluded, false);
+ ctrack->b_host_checked = true;
+ if (!ctrack->b_host_matches)
+ ctrack->b_ah_check = !bHostExcluded;
+ }
+ if (!ctrack->b_host_matches)
 {
- ctrack->b_ah_check = !bHostExcluded;
 VPRINT("Not acting on this request\n");
- ctrack->b_not_act = true;
 return;
 }
 }
diff --git a/tpws/tamper.h b/tpws/tamper.h
index 65eed6f..eb47522 100644
--- a/tpws/tamper.h
+++ b/tpws/tamper.h
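Review bot: The profile-change branch in the second tamper.c hunk clears b_host_checked and b_ah_check but leaves b_host_matches at the value computed under the previous profile, and the later `if (!ctrack->b_host_matches)` then trusts that stale result whenever bHaveHost is false for the segment that revealed the new profile, so a host that matched the old list is acted on under a profile whose list was never consulted. Resetting all three together, `ctrack->b_host_checked = ctrack->b_host_matches = ctrack->b_ah_check = false;`, removes the stale read. Separately, the gate moved from bDiscoveredHostname to `l7proto!=UNKNOWN`, so a connection whose hostname never arrives now takes the "Not acting" path as soon as b_host_matches is false (assuming t_ctrack starts zeroed, which is not visible here), whereas the removed code only stopped after a hostname had actually failed the check; if that is the intended hostlist_auto semantics, a one-line comment above that `if` saying so would spare the next reader the same question. The tamper_out body continues outside both hunks.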
@@ -14,8 +14,7 @@ typedef struct
 // common state
 t_l7proto l7proto;
 bool bTamperInCutoff;
- bool b_ah_check;
- bool b_not_act;
+ bool b_host_checked,b_host_matches,b_ah_check;
 char *hostname;
 struct desync_profile *dp; // desync profile cache
 } t_ctrack;
diff --git a/tpws/tpws_conn.c b/tpws/tpws_conn.c
index 9fc393e..726a464 100644
--- a/tpws/tpws_conn.c
+++ b/tpws/tpws_conn.c
@@ -479,6 +479,30 @@ static int connect_remote(const struct sockaddr *remote_addr, int mss)
 return remote_fd;
 }
+static bool connect_remote_conn(tproxy_conn_t *conn)
+{
+ int mss=0;
+
+ apply_desync_profile(&conn->track, (struct sockaddr *)&conn->dest);
+
+ if (conn->track.dp)
+ {
+ mss = conn->track.dp->mss;
+ if (conn->track.dp->hostlist_auto)
+ {
+ if (conn->track.hostname)
+ {
+ bool bHostExcluded;
+ conn->track.b_host_matches = HostlistCheck(conn->track.dp, conn->track.hostname, &bHostExcluded, false);
+ conn->track.b_host_checked = true;
+ if (!conn->track.b_host_matches) conn->track.b_ah_check = !bHostExcluded;
+ if (!conn->track.b_host_matches) mss = 0;
+ }
+ }
+ }
+
+ return (conn->partner->fd = connect_remote((struct sockaddr *)&conn->dest, mss))>=0;
+}
 //Free resources occupied by this connection
 static void free_conn(tproxy_conn_t *conn)
@@ -636,9 +660,7 @@ static tproxy_conn_t* add_tcp_connection(int efd, struct tailhead *conn_list,int
 conn->partner->client = conn->client;
 conn->partner->dest = conn->dest;
- apply_desync_profile(&conn->track, (struct sockaddr *)&conn->dest);
-
- if ((conn->partner->fd = connect_remote((struct sockaddr *)&orig_dst, conn->track.dp ? conn->track.dp->mss : 0)) < 0)
+ if (!connect_remote_conn(conn))
 {
 DLOG_ERR("Failed to connect\n");
 free_conn(conn->partner);
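Review bot: The three flags added to t_ctrack carry no comment, and their meaning is only recoverable by reading tamper.c, where b_host_checked records that HostlistCheck has run for the current dp, b_host_matches holds its result, and b_ah_check is set when the host neither matched nor was excluded. One declaration per line with a short comment each would document that at the definition, e.g. `bool b_host_checked;   // HostlistCheck already run for the current dp`, `bool b_host_matches;   // result of that check`, and for the third `bool b_ah_check;       // host not in list and not excluded; presumably an auto-hostlist candidate — confirm`. The typedef's opening lines are outside the hunk.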
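Review bot: connect_remote_conn has no header comment although it now owns the socks-hostname hostlist decision that tamper_out later trusts through b_host_checked; above the definition I would put `// Pick the desync profile for conn->dest, run the hostlist_auto check when the hostname is already known (socks), then connect. Stores the socket in conn->partner->fd; returns false if connect_remote failed.` It also dereferences conn->partner unconditionally, which both callers satisfy (add_tcp_connection has already written conn->partner->dest above the call, and proxy_mode_connect_remote now calls it after new_conn), but that precondition belongs in the same comment so the next caller does not reorder it. The two consecutive `if (!conn->track.b_host_matches)` lines are merged by the follow-up patch, so nothing to add there.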
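Review bot: The replaced connect_remote call in add_tcp_connection connected to `&orig_dst`, while connect_remote_conn connects to `&conn->dest`; the visible context shows only `conn->partner->dest = conn->dest`, not how conn->dest relates to orig_dst, so if the two can differ (that is decided earlier in add_tcp_connection, outside the hunk) this hunk quietly changes the connect target. If they are always equal at this point, a comment on the call such as `// conn->dest holds orig_dst here` closes the question for the next reader. add_tcp_connection's body continues outside the hunk.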
@@ -811,14 +833,7 @@ static bool proxy_mode_connect_remote(tproxy_conn_t *conn, struct tailhead *conn
 return false;
 }
- apply_desync_profile(&conn->track, (struct sockaddr *)&conn->dest);
- if ((remote_fd = connect_remote((struct sockaddr *)&conn->dest, conn->track.dp ? conn->track.dp->mss : 0)) < 0)
- {
- DLOG_ERR("socks failed to connect (1) errno=%d\n", errno);
- socks_send_rep_errno(conn->socks_ver, conn->fd, errno);
- return false;
- }
 if (!(conn->partner = new_conn(remote_fd, true)))
 {
 close(remote_fd);
@@ -830,6 +845,15 @@ static bool proxy_mode_connect_remote(tproxy_conn_t *conn, struct tailhead *conn
 conn->partner->efd = conn->efd;
 conn->partner->client = conn->client;
 conn->partner->dest = conn->dest;
+
+ if (!connect_remote_conn(conn))
+ {
+ free_conn(conn->partner); conn->partner = NULL;
+ DLOG_ERR("socks failed to connect (1) errno=%d\n", errno);
+ socks_send_rep_errno(conn->socks_ver, conn->fd, errno);
+ return false;
+ }
+
 if (!epoll_set(conn->partner, EPOLLOUT))
 {
 DLOG_ERR("socks epoll_set error %d\n", errno);
From 033043bdc03cf97dc17dedccc420e7fb08f94670 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 22 Nov 2024 13:04:06 +0300
Subject: [PATCH 2/2] tpws: remote duplicate if
---
 tpws/tpws_conn.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/tpws/tpws_conn.c b/tpws/tpws_conn.c
index 726a464..7f8f834 100644
--- a/tpws/tpws_conn.c
+++ b/tpws/tpws_conn.c
@@ -495,8 +495,11 @@ static bool connect_remote_conn(tproxy_conn_t *conn)
 bool bHostExcluded;
 conn->track.b_host_matches = HostlistCheck(conn->track.dp, conn->track.hostname, &bHostExcluded, false);
 conn->track.b_host_checked = true;
- if (!conn->track.b_host_matches) conn->track.b_ah_check = !bHostExcluded;
- if (!conn->track.b_host_matches) mss = 0;
+ if (!conn->track.b_host_matches)
+ {
+ conn->track.b_ah_check = !bHostExcluded;
+ mss = 0;
+ }
 }
 }
 }
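Review bot: After the removed block, `new_conn(remote_fd, true)` still runs, but the only assignment to remote_fd visible in this function was the removed connect_remote call, so unless remote_fd is initialised at its declaration (outside the hunk) new_conn now receives an indeterminate value, and the failure branch's `close(remote_fd)` closes whatever that value happens to be, potentially a live descriptor belonging to another connection. Since connect_remote_conn assigns conn->partner->fd afterwards anyway, the dependency on the old variable can go: `if (!(conn->partner = new_conn(-1, true)))` with the `close(remote_fd)` line dropped, provided new_conn does not use the fd before it is overwritten, and remote_fd itself can then be removed. The function's head and tail are outside the hunk.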
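Review bot: In the new failure branch errno is read only after `free_conn(conn->partner); conn->partner = NULL;`, and free_conn (its body is outside the hunk) very likely calls close() on the partner's fd, which is negative here after the failed connect, so close fails with EBADF and overwrites the errno that DLOG_ERR and socks_send_rep_errno then report to the log and to the SOCKS client; the removed code read errno immediately after connect_remote. Save it first, `int err = errno;` as the first line of the branch, and pass `err` to both DLOG_ERR and socks_send_rep_errno; alternatively move the free_conn line below the two reporting calls, which needs no new variable. The enclosing function continues outside the hunk.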
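Review bot: The merged branch still leaves `mss = 0;` unexplained: a reader sees the connect MSS discarded whenever the host is not in the list, with nothing saying why. If the reason is that the MSS override is itself a tampering measure and a host the hostlist declines to act on should get an untouched connection (my reading; confirm), a comment `// host is not acted on, so skip the mss override as well` on that line records it, and the b_ah_check assignment above it deserves a similar one-liner on what the flag triggers. The helper's head is outside the hunk.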
@@ -1676,7 +1679,6 @@ int event_loop(const int *listen_fd, size_t listen_fd_ct) } else { - DBGPRINT("conn fd=%d has no unsent\n", conn->fd); conn->bFlowIn = false; epoll_update_flow(conn);