nfqws: dup,orig_mod

2025-05-01 11:22:57 +03:00 · 2025-04-26 19:48:35 +03:00 · 2025-04-26 19:48:35 +03:00 · 8b5dfcfae1
commit 8b5dfcfae1
parent ccc60b5f07
8 changed files with 676 additions and 201 deletions
--- a/nfq/conntrack.c
+++ b/nfq/conntrack.c
@ -338,8 +338,8 @@ void ConntrackPoolDump(const t_conntrack *p)
 			printf("rseq=%u pos_orig=%u rack=%u pos_reply=%u",
 				t->track.seq_last, t->track.pos_orig,
 				t->track.ack_last, t->track.pos_reply);
-		printf(" req_retrans=%u cutoff=%u wss_cutoff=%u d_cutoff=%u hostname=%s l7proto=%s\n",
-			t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_wssize_cutoff, t->track.b_desync_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
+		printf(" req_retrans=%u cutoff=%u wss_cutoff=%u desync_cutoff=%u dup_cutoff=%u orig_cutoff=%u hostname=%s l7proto=%s\n",
+			t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_wssize_cutoff, t->track.b_desync_cutoff, t->track.b_dup_cutoff, t->track.b_orig_mod_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
 	};
 }

--- a/nfq/conntrack.h
+++ b/nfq/conntrack.h
@ -80,7 +80,7 @@ typedef struct
 	uint8_t incoming_ttl, autottl;

 	bool b_cutoff;				// mark for deletion
-	bool b_wssize_cutoff, b_desync_cutoff;
+	bool b_wssize_cutoff, b_desync_cutoff, b_dup_cutoff, b_orig_mod_cutoff;

 	t_l7proto l7proto;
 	bool l7proto_discovered;
--- a/nfq/darkmagic.c
+++ b/nfq/darkmagic.c
@ -83,10 +83,22 @@ bool tcp_has_fastopen(const struct tcphdr *tcp)
 	opt = tcp_find_option((struct tcphdr*)tcp, 254);
 	return opt && opt[1]>=4 && opt[2]==0xF9 && opt[3]==0x89;
 }
+uint16_t tcp_find_mss(struct tcphdr *tcp)
+{
+	uint8_t *t = tcp_find_option(tcp,2);
+	return (t && t[1]==4) ? *(uint16_t*)(t+2) : 0;
+}
+bool tcp_has_sack(struct tcphdr *tcp)
+{
+	uint8_t *t = tcp_find_option(tcp,4);
+	return !!t;
+}

 // n prefix (nsport, nwsize) means network byte order
 static void fill_tcphdr(
 	struct tcphdr *tcp, uint32_t fooling, uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nsport, uint16_t ndport,
 	uint16_t nwsize, uint8_t scale_factor,
@ -111,20 +123,32 @@ static void fill_tcphdr(
 		tcp->th_seq = nseq;
 		tcp->th_ack = nack_seq;
 	}
-	tcp->th_off       = 5;
+	tcp->th_off = 5;
 	if ((fooling & FOOL_DATANOACK) && !(tcp_flags & (TH_SYN|TH_RST)) && data_len)
 		tcp_flags &= ~TH_ACK;
 	*((uint8_t*)tcp+13)= tcp_flags;
 	tcp->th_win     = nwsize;
+	if (nmss)
+	{
+		tcpopt[t++] = 2; // kind
+		tcpopt[t++] = 4; // len
+		*(uint16_t*)(tcpopt+t) = nmss;
+		t+=2;
+	}
+	if (sack)
+	{
+		tcpopt[t++] = 4; // kind
+		tcpopt[t++] = 2; // len
+	}
 	if (fooling & FOOL_MD5SIG)
 	{
-		tcpopt[0] = 19; // kind
-		tcpopt[1] = 18; // len
-		*(uint32_t*)(tcpopt+2)=random();
-		*(uint32_t*)(tcpopt+6)=random();
-		*(uint32_t*)(tcpopt+10)=random();
-		*(uint32_t*)(tcpopt+14)=random();
-		t=18;
+		tcpopt[t] = 19; // kind
+		tcpopt[t+1] = 18; // len
+		*(uint32_t*)(tcpopt+t+2)=random();
+		*(uint32_t*)(tcpopt+t+6)=random();
+		*(uint32_t*)(tcpopt+t+10)=random();
+		*(uint32_t*)(tcpopt+t+14)=random();
+		t+=18;
 	}
 	if (timestamps || (fooling & FOOL_TS))
 	{
@ -145,10 +169,12 @@ static void fill_tcphdr(
 	tcp->th_off += t>>2;
 	tcp->th_sum = 0;
 }
-static uint16_t tcpopt_len(uint32_t fooling, const uint32_t *timestamps, uint8_t scale_factor)
+static uint16_t tcpopt_len(bool sack, bool mss, uint32_t fooling, const uint32_t *timestamps, uint8_t scale_factor)
 {
 	uint16_t t=0;
-	if (fooling & FOOL_MD5SIG) t=18;
+	if (sack) t+=2;
+	if (mss) t+=4;
+	if (fooling & FOOL_MD5SIG) t+=18;
 	if ((fooling & FOOL_TS) || timestamps) t+=10;
 	if (scale_factor!=SCALE_NONE) t+=3;
 	return (t+3)&~3;
@ -190,6 +216,8 @@ static void fill_ip6hdr(struct ip6_hdr *ip6, const struct in6_addr *src, const s
 bool prepare_tcp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -203,7 +231,7 @@ bool prepare_tcp_segment4(
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen)
 {
-	uint16_t tcpoptlen = tcpopt_len(fooling,timestamps,scale_factor);
+	uint16_t tcpoptlen = tcpopt_len(sack,!!nmss,fooling,timestamps,scale_factor);
 	uint16_t ip_payload_len = sizeof(struct tcphdr) + tcpoptlen + len;
 	uint16_t pktlen = sizeof(struct ip) + ip_payload_len;
 	if (pktlen>*buflen) return false;
@ -213,11 +241,11 @@ bool prepare_tcp_segment4(
 	uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;

 	fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos, ip_id);
-	fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
+	fill_tcphdr(tcp,fooling,tcp_flags,sack,nmss,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);

 	memcpy(payload,data,len);
 	tcp4_fix_checksum(tcp,ip_payload_len,&ip->ip_src,&ip->ip_dst);
-	if (fooling & FOOL_BADSUM) tcp->th_sum^=htons(0xBEAF);
+	if (fooling & FOOL_BADSUM) tcp->th_sum^=(uint16_t)(1+random()%0xFFFF);

 	*buflen = pktlen;
 	return true;
@ -226,6 +254,8 @@ bool prepare_tcp_segment4(
 bool prepare_tcp_segment6(
 	const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -238,7 +268,7 @@ bool prepare_tcp_segment6(
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen)
 {
-	uint16_t tcpoptlen = tcpopt_len(fooling,timestamps,scale_factor);
+	uint16_t tcpoptlen = tcpopt_len(sack,!!nmss,fooling,timestamps,scale_factor);
 	uint16_t transport_payload_len = sizeof(struct tcphdr) + tcpoptlen + len;
 	uint16_t ip_payload_len = transport_payload_len +
 		8*!!((fooling & (FOOL_HOPBYHOP|FOOL_HOPBYHOP2))==FOOL_HOPBYHOP) +
@ -297,11 +327,11 @@ bool prepare_tcp_segment6(
 	uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;

 	fill_ip6hdr(ip6, &src->sin6_addr, &dst->sin6_addr, ip_payload_len, proto, ttl, flow_label);
-	fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin6_port,dst->sin6_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);
+	fill_tcphdr(tcp,fooling,tcp_flags,sack,nmss,nseq,nack_seq,src->sin6_port,dst->sin6_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);

 	memcpy(payload,data,len);
 	tcp6_fix_checksum(tcp,transport_payload_len,&ip6->ip6_src,&ip6->ip6_dst);
-	if (fooling & FOOL_BADSUM) tcp->th_sum^=htons(0xBEAF);
+	if (fooling & FOOL_BADSUM) tcp->th_sum^=(1+random()%0xFFFF);

 	*buflen = pktlen;
 	return true;
@ -310,6 +340,8 @@ bool prepare_tcp_segment6(
 bool prepare_tcp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -325,9 +357,9 @@ bool prepare_tcp_segment(
 	uint8_t *buf, size_t *buflen)
 {
 	return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
-		prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
+		prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,sack,nmss,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
 		(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
-		prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
+		prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,sack,nmss,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
 		false;
 }

@ -370,7 +402,7 @@ bool prepare_udp_segment4(
 	else
 		memset(payload+len,0,padlen);
 	udp4_fix_checksum(udp,ip_payload_len,&ip->ip_src,&ip->ip_dst);
-	if (fooling & FOOL_BADSUM) udp->uh_sum^=htons(0xBEAF);
+	if (fooling & FOOL_BADSUM) udp->uh_sum^=(1+random()%0xFFFF);

 	*buflen = pktlen;
 	return true;
@ -459,7 +491,7 @@ bool prepare_udp_segment6(
 	else
 		memset(payload+len,0,padlen);
 	udp6_fix_checksum(udp,transport_payload_len,&ip6->ip6_src,&ip6->ip6_dst);
-	if (fooling & FOOL_BADSUM) udp->uh_sum^=htons(0xBEAF);
+	if (fooling & FOOL_BADSUM) udp->uh_sum^=(1+random()%0xFFFF);

 	*buflen = pktlen;
 	return true;
@ -601,10 +633,29 @@ bool ip_frag(
 		return false;
 }

-void rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl)
+bool rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl)
 {
-	if (ip)	ip->ip_ttl = ttl;
-	if (ip6) ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = ttl;
+	if (ttl)
+	{
+		if (ip)
+		{
+			if (ip->ip_ttl!=ttl)
+			{
+				ip->ip_ttl = ttl;
+				ip4_fix_checksum(ip);
+				return true;
+			}
+		}
+		else if (ip6)
+		{
+			if (ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim!=ttl)
+			{
+				ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim = ttl;
+				return true;
+			}
+		}
+	}
+	return false;
 }


--- a/nfq/darkmagic.h
+++ b/nfq/darkmagic.h
@ -59,6 +59,7 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
 #define VERDICT_DROP	2
 #define VERDICT_MASK	3
 #define VERDICT_NOCSUM	4
+#define VERDICT_GARBAGE	8

 #define IP4_TOS(ip_header) (ip_header ? ip_header->ip_tos : 0)
 #define IP4_IP_ID(ip_header) (ip_header ? ip_header->ip_id : 0)
@ -68,6 +69,8 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
 bool prepare_tcp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -83,6 +86,8 @@ bool prepare_tcp_segment4(
 bool prepare_tcp_segment6(
 	const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -97,6 +102,8 @@ bool prepare_tcp_segment6(
 bool prepare_tcp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t tcp_flags,
+	bool sack,
+	uint16_t nmss,
 	uint32_t nseq, uint32_t nack_seq,
 	uint16_t nwsize,
 	uint8_t scale_factor,
@ -162,13 +169,16 @@ bool ip_frag(
 	uint8_t *pkt1, size_t *pkt1_size,
 	uint8_t *pkt2, size_t *pkt2_size);
 	
-void rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl);
+bool rewrite_ttl(struct ip *ip, struct ip6_hdr *ip6, uint8_t ttl);

 void extract_ports(const struct tcphdr *tcphdr, const struct udphdr *udphdr, uint8_t *proto, uint16_t *sport, uint16_t *dport);
 void extract_endpoints(const struct ip *ip,const struct ip6_hdr *ip6hdr,const struct tcphdr *tcphdr,const struct udphdr *udphdr, struct sockaddr_storage *src, struct sockaddr_storage *dst);
 uint8_t *tcp_find_option(struct tcphdr *tcp, uint8_t kind);
 uint32_t *tcp_find_timestamps(struct tcphdr *tcp);
 uint8_t tcp_find_scale_factor(const struct tcphdr *tcp);
+uint16_t tcp_find_mss(struct tcphdr *tcp);
+bool tcp_has_sack(struct tcphdr *tcp);
+
 bool tcp_has_fastopen(const struct tcphdr *tcp);

 #ifdef __CYGWIN__
--- a/nfq/desync.c
+++ b/nfq/desync.c
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -1003,6 +1003,33 @@ err:
 	return false;
 }

+static bool parse_fooling(char *opt, unsigned int *fooling_mode)
+{
+	char *e,*p = opt;
+	while (p)
+	{
+		e = strchr(p,',');
+		if (e) *e++=0;
+		if (!strcmp(p,"md5sig"))
+			*fooling_mode |= FOOL_MD5SIG;
+		else if (!strcmp(p,"ts"))
+			*fooling_mode |= FOOL_TS;
+		else if (!strcmp(p,"badsum"))
+			*fooling_mode |= FOOL_BADSUM;
+		else if (!strcmp(p,"badseq"))
+			*fooling_mode |= FOOL_BADSEQ;
+		else if (!strcmp(p,"datanoack"))
+			*fooling_mode |= FOOL_DATANOACK;
+		else if (!strcmp(p,"hopbyhop"))
+			*fooling_mode |= FOOL_HOPBYHOP;
+		else if (!strcmp(p,"hopbyhop2"))
+			*fooling_mode |= FOOL_HOPBYHOP2;
+		else if (strcmp(p,"none"))
+			return false;
+		p = e;
+	}
+	return true;
+}

 static void split_compat(struct desync_profile *dp)
 {
@ -1421,6 +1448,19 @@ static void exithelp(void)
 		" --wsize=<window_size>[:<scale_factor>]\t\t; set window size. 0 = do not modify. OBSOLETE !\n"
 		" --wssize=<window_size>[:<scale_factor>]\t; set window size for server. 0 = do not modify. default scale_factor = 0.\n"
 		" --wssize-cutoff=[n|d|s]N\t\t\t; apply server wsize only to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
+		" --orig-ttl=<int>\t\t\t\t; set TTL for original packets\n"
+		" --orig-ttl6=<int>\t\t\t\t; set ipv6 hop limit for original packets. by default ttl value is used\n"
+		" --orig-mod-start=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
+		" --orig-mod-cutoff=[n|d|s]N\t\t\t; apply orig TTL mod to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
+		" --dup=<int>\t\t\t\t\t; duplicate original packets. send N dups before original.\n"
+		" --dup-ttl=<int>\t\t\t\t; set TTL for dups\n"
+		" --dup-replace=[0|1]\t\t\t\t; 1 or no argument means do not send original, only dups\n"
+		" --dup-ttl6=<int>\t\t\t\t; set ipv6 hop limit for dups. by default ttl value is used\n"
+		" --dup-fooling=<mode>[,<mode>]\t\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n"
+		" --dup-start=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) greater or equal than N\n"
+		" --dup-cutoff=[n|d|s]N\t\t\t\t; apply dup to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
+		" --dup-badseq-increment=<int|0xHEX>\t\t; badseq fooling seq signed increment for dup. default %d\n"
+		" --dup-desync-badack-increment=<int|0xHEX>\t; badseq fooling ackseq signed increment for dup. default %d\n"
 		" --hostcase\t\t\t\t\t; change Host: => host:\n"
 		" --hostspell\t\t\t\t\t; exact spelling of \"Host\" header. must be 4 chars. default is \"host\"\n"
 		" --hostnospace\t\t\t\t\t; remove space after Host: and add it to User-Agent: to preserve packet size\n"
@ -1434,11 +1474,11 @@ static void exithelp(void)
 #elif defined(SO_USER_COOKIE)
 		" --dpi-desync-sockarg=<int|0xHEX>\t\t; override sockarg (SO_USER_COOKIE) for desync packet. default = 0x%08X (%u)\n"
 #endif
-		" --dpi-desync-ttl=<int>\t\t\t\t; set ttl for desync packet\n"
-		" --dpi-desync-ttl6=<int>\t\t\t; set ipv6 hop limit for desync packet. by default ttl value is used.\n"
+		" --dpi-desync-ttl=<int>\t\t\t\t; set ttl for fakes packets\n"
+		" --dpi-desync-ttl6=<int>\t\t\t; set ipv6 hop limit for fake packet. by default --dpi-desync-ttl value is used.\n"
 		" --dpi-desync-autottl=[<delta>[:<min>[-<max>]]]\t; auto ttl mode for both ipv4 and ipv6. default: %u:%u-%u\n"
 		" --dpi-desync-autottl6=[<delta>[:<min>[-<max>]]] ; overrides --dpi-desync-autottl for ipv6 only\n"
-		" --dpi-desync-fooling=<mode>[,<mode>]\t\t; can use multiple comma separated values. modes : none md5sig ts badseq badsum datanoack hopbyhop hopbyhop2\n"
+		" --dpi-desync-fooling=<mode>[,<mode>]\t\t; can use multiple comma separated values. modes : none md5sig badseq badsum datanoack hopbyhop hopbyhop2\n"
 		" --dpi-desync-repeats=<N>\t\t\t; send every desync packet N times\n"
 		" --dpi-desync-skip-nosni=0|1\t\t\t; 1(default)=do not act on ClientHello without SNI\n"
 		" --dpi-desync-split-pos=N|-N|marker+N|marker-N\t; comma separated list of split positions\n"
@ -1470,6 +1510,7 @@ static void exithelp(void)
 		" --dpi-desync-cutoff=[n|d|s]N\t\t\t; apply dpi desync only to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n",
 		CTRACK_T_SYN, CTRACK_T_EST, CTRACK_T_FIN, CTRACK_T_UDP,
 		HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT, HOSTLIST_AUTO_FAIL_TIME_DEFAULT, HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT,
+		BADSEQ_INCREMENT_DEFAULT, BADSEQ_ACK_INCREMENT_DEFAULT,
 #if defined(__linux__) || defined(SO_USER_COOKIE)
 		DPI_DESYNC_FWMARK_DEFAULT,DPI_DESYNC_FWMARK_DEFAULT,
 #endif
@ -1574,6 +1615,19 @@ enum opt_indices {
 #elif defined(SO_USER_COOKIE)
 	IDX_DPI_DESYNC_SOCKARG,
 #endif
+	IDX_DUP,
+	IDX_DUP_TTL,
+	IDX_DUP_TTL6,
+	IDX_DUP_FOOLING,
+	IDX_DUP_BADSEQ_INCREMENT,
+	IDX_DUP_BADACK_INCREMENT,
+	IDX_DUP_REPLACE,
+	IDX_DUP_START,
+	IDX_DUP_CUTOFF,
+	IDX_ORIG_TTL,
+	IDX_ORIG_TTL6,
+	IDX_ORIG_MOD_START,
+	IDX_ORIG_MOD_CUTOFF,
 	IDX_DPI_DESYNC_TTL,
 	IDX_DPI_DESYNC_TTL6,
 	IDX_DPI_DESYNC_AUTOTTL,
@ -1674,6 +1728,19 @@ static const struct option long_options[] = {
 #elif defined(SO_USER_COOKIE)
 	[IDX_DPI_DESYNC_SOCKARG] = {"dpi-desync-sockarg", required_argument, 0, 0},
 #endif
+	[IDX_DUP] = {"dup", required_argument, 0, 0},
+	[IDX_DUP_TTL] = {"dup-ttl", required_argument, 0, 0},
+	[IDX_DUP_TTL6] = {"dup-ttl6", required_argument, 0, 0},
+	[IDX_DUP_FOOLING] = {"dup-fooling", required_argument, 0, 0},
+	[IDX_DUP_BADSEQ_INCREMENT] = {"dup-badseq-increment", required_argument, 0, 0},
+	[IDX_DUP_BADACK_INCREMENT] = {"dup-badack-increment", required_argument, 0, 0},
+	[IDX_DUP_REPLACE] = {"dup-replace", optional_argument, 0, 0},
+	[IDX_DUP_START] = {"dup-start", required_argument, 0, 0},
+	[IDX_DUP_CUTOFF] = {"dup-cutoff", required_argument, 0, 0},
+	[IDX_ORIG_TTL] = {"orig-ttl", required_argument, 0, 0},
+	[IDX_ORIG_TTL6] = {"orig-ttl6", required_argument, 0, 0},
+	[IDX_ORIG_MOD_START] = {"orig-mod-start", required_argument, 0, 0},
+	[IDX_ORIG_MOD_CUTOFF] = {"orig-mod-cutoff", required_argument, 0, 0},
 	[IDX_DPI_DESYNC_TTL] = {"dpi-desync-ttl", required_argument, 0, 0},
 	[IDX_DPI_DESYNC_TTL6] = {"dpi-desync-ttl6", required_argument, 0, 0},
 	[IDX_DPI_DESYNC_AUTOTTL] = {"dpi-desync-autottl", optional_argument, 0, 0},
@ -2043,6 +2110,80 @@ int main(int argc, char **argv)
 			}
 			break;
 #endif
+
+		case IDX_DUP:
+			if (sscanf(optarg,"%u",&dp->dup_repeats)<1 || dp->dup_repeats>1024)
+			{
+				DLOG_ERR("dup-repeats must be within 0..1024\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_DUP_TTL:
+			dp->dup_ttl = (uint8_t)atoi(optarg);
+			break;
+		case IDX_DUP_TTL6:
+			dp->dup_ttl6 = (uint8_t)atoi(optarg);
+			break;
+		case IDX_DUP_REPLACE:
+			dp->dup_replace = optarg ? !!atoi(optarg) : true;
+			break;
+		case IDX_DUP_FOOLING:
+			if (!parse_fooling(optarg,&dp->dup_fooling_mode))
+			{
+				DLOG_ERR("fooling allowed values : none,md5sig,ts,badseq,badsum,datanoack,hopbyhop,hopbyhop2\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_DUP_BADSEQ_INCREMENT:
+			if (!parse_badseq_increment(optarg,&dp->dup_badseq_increment))
+			{
+				DLOG_ERR("dup-badseq-increment should be signed decimal or signed 0xHEX\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_DUP_BADACK_INCREMENT:
+			if (!parse_badseq_increment(optarg,&dp->dup_badseq_ack_increment))
+			{
+				DLOG_ERR("dup-badack-increment should be signed decimal or signed 0xHEX\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_DUP_CUTOFF:
+			if (!parse_cutoff(optarg, &dp->dup_cutoff, &dp->dup_cutoff_mode))
+			{
+				DLOG_ERR("invalid dup-cutoff value\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_DUP_START:
+			if (!parse_cutoff(optarg, &dp->dup_start, &dp->dup_start_mode))
+			{
+				DLOG_ERR("invalid dup-start value\n");
+				exit_clean(1);
+			}
+			break;
+
+		case IDX_ORIG_TTL:
+			dp->orig_mod_ttl = (uint8_t)atoi(optarg);
+			break;
+		case IDX_ORIG_TTL6:
+			dp->orig_mod_ttl6 = (uint8_t)atoi(optarg);
+			break;
+		case IDX_ORIG_MOD_CUTOFF:
+			if (!parse_cutoff(optarg, &dp->orig_mod_cutoff, &dp->orig_mod_cutoff_mode))
+			{
+				DLOG_ERR("invalid orig-mod-cutoff value\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_ORIG_MOD_START:
+			if (!parse_cutoff(optarg, &dp->orig_mod_start, &dp->orig_mod_start_mode))
+			{
+				DLOG_ERR("invalid orig-mod-start value\n");
+				exit_clean(1);
+			}
+			break;
+
 		case IDX_DPI_DESYNC_TTL:
 			dp->desync_ttl = (uint8_t)atoi(optarg);
 			break;
@ -2064,44 +2205,16 @@ int main(int argc, char **argv)
 			}
 			break;
 		case IDX_DPI_DESYNC_FOOLING:
+			if (!parse_fooling(optarg,&dp->desync_fooling_mode))
 			{
-				char *e,*p = optarg;
-				while (p)
-				{
-					e = strchr(p,',');
-					if (e) *e++=0;
-					if (!strcmp(p,"md5sig"))
-						dp->desync_fooling_mode |= FOOL_MD5SIG;
-					else if (!strcmp(p,"ts"))
-						dp->desync_fooling_mode |= FOOL_TS;
-					else if (!strcmp(p,"badsum"))
-					{
-						#ifdef __OpenBSD__
-						DLOG_CONDUP("\nWARNING !!! OpenBSD may forcibly recompute tcp/udp checksums !!! In this case badsum fooling will not work.\nYou should check tcp checksum correctness in tcpdump manually before using badsum.\n\n");
-						#endif
-						dp->desync_fooling_mode |= FOOL_BADSUM;
-					}
-					else if (!strcmp(p,"badseq"))
-						dp->desync_fooling_mode |= FOOL_BADSEQ;
-					else if (!strcmp(p,"datanoack"))
-						dp->desync_fooling_mode |= FOOL_DATANOACK;
-					else if (!strcmp(p,"hopbyhop"))
-						dp->desync_fooling_mode |= FOOL_HOPBYHOP;
-					else if (!strcmp(p,"hopbyhop2"))
-						dp->desync_fooling_mode |= FOOL_HOPBYHOP2;
-					else if (strcmp(p,"none"))
-					{
-						DLOG_ERR("dpi-desync-fooling allowed values : none,md5sig,ts,badseq,badsum,datanoack,hopbyhop,hopbyhop2\n");
-						exit_clean(1);
-					}
-					p = e;
-				}
+				DLOG_ERR("fooling allowed values : none,md5sig,ts,badseq,badsum,datanoack,hopbyhop,hopbyhop2\n");
+				exit_clean(1);
 			}
 			break;
 		case IDX_DPI_DESYNC_REPEATS:
-			if (sscanf(optarg,"%u",&dp->desync_repeats)<1 || !dp->desync_repeats || dp->desync_repeats>20)
+			if (sscanf(optarg,"%u",&dp->desync_repeats)<1 || !dp->desync_repeats || dp->desync_repeats>1024)
 			{
-				DLOG_ERR("dpi-desync-repeats must be within 1..20\n");
+				DLOG_ERR("dpi-desync-repeats must be within 1..1024\n");
 				exit_clean(1);
 			}
 			break;
@ -2709,6 +2822,8 @@ int main(int argc, char **argv)
 		dp = &dpl->dp;
 		// not specified - use desync_ttl value instead
 		if (dp->desync_ttl6 == 0xFF) dp->desync_ttl6=dp->desync_ttl;
+		if (dp->dup_ttl6 == 0xFF) dp->dup_ttl6=dp->dup_ttl;
+		if (dp->orig_mod_ttl6 == 0xFF) dp->orig_mod_ttl6=dp->orig_mod_ttl;
 		if (!AUTOTTL_ENABLED(dp->desync_autottl6)) dp->desync_autottl6 = dp->desync_autottl;
 		if (AUTOTTL_ENABLED(dp->desync_autottl))
 			DLOG("profile %d autottl ipv4 %u:%u-%u\n",dp->n,dp->desync_autottl.delta,dp->desync_autottl.min,dp->desync_autottl.max);
--- a/nfq/params.c
+++ b/nfq/params.c
@ -187,10 +187,10 @@ void dp_init(struct desync_profile *dp)
 	dp->desync_repeats = 1;
 	dp->fake_syndata_size = 16;
 	dp->wscale=-1; // default - dont change scale factor (client)
-	dp->desync_ttl6 = 0xFF; // unused
-	dp->desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
-	dp->desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
-	dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = 'n'; // packet number by default
+	dp->desync_ttl6 = dp->dup_ttl6 = dp->orig_mod_ttl6 = 0xFF; // unused
+	dp->desync_badseq_increment = dp->dup_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
+	dp->desync_badseq_ack_increment = dp->dup_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
+	dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = dp->dup_start_mode = dp->dup_cutoff_mode = dp->orig_mod_start_mode = dp->orig_mod_cutoff_mode = 'n'; // packet number by default
 	dp->udplen_increment = UDPLEN_INCREMENT_DEFAULT;
 	dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
 	dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
--- a/nfq/params.h
+++ b/nfq/params.h
@ -82,6 +82,18 @@ struct desync_profile
 	int split_count;
 	struct proto_pos seqovl;

+	char dup_start_mode, dup_cutoff_mode; // n - packets, d - data packets, s - relative sequence
+	bool dup_replace;
+	unsigned int dup_start, dup_cutoff;
+	unsigned int dup_repeats;
+	uint8_t dup_ttl, dup_ttl6;
+	uint32_t dup_fooling_mode;
+	uint32_t dup_badseq_increment, dup_badseq_ack_increment;
+
+	char orig_mod_start_mode, orig_mod_cutoff_mode; // n - packets, d - data packets, s - relative sequence
+	unsigned int orig_mod_start, orig_mod_cutoff;
+	uint8_t orig_mod_ttl, orig_mod_ttl6;
+
 	char desync_start_mode, desync_cutoff_mode; // n - packets, d - data packets, s - relative sequence
 	unsigned int desync_start, desync_cutoff;
 	uint8_t desync_ttl, desync_ttl6;
@ -117,6 +129,7 @@ struct desync_profile
 #define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&dp->ips_collection) && !LIST_FIRST(&dp->ips_collection_exclude))
 #define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&dp->ips_collection) && ipset_collection_is_empty(&dp->ips_collection_exclude))
 #define PROFILE_HOSTLISTS_EMPTY(dp) (hostlist_collection_is_empty(&dp->hl_collection) && hostlist_collection_is_empty(&dp->hl_collection_exclude))
+#define PROFILE_HAS_ORIG_MOD(dp) (dp->orig_mod_ttl || dp->orig_mod_ttl6)

 struct desync_profile_list {
 	struct desync_profile dp;