nfqws: --dpi-desync-cutoff
@@ -276,15 +276,15 @@ void ConntrackPoolPurge(t_conntrack *p)
|
||||
HASH_ITER(hh, p, t, tmp) { \
|
||||
*sa1=0; inet_ntop(AF_INET##f, &t->conn.e1.adr, sa1, sizeof(sa1)); \
|
||||
*sa2=0; inet_ntop(AF_INET##f, &t->conn.e2.adr, sa2, sizeof(sa2)); \
|
||||
printf("[%s]:%u => [%s]:%u : %s : t0=%lld last=t0+%lld now=last+%lld cutoff=%u packets_orig=%llu packets_reply=%llu seq0=%u rseq=%u ack0=%u rack=%u wsize_orig=%u:%d wsize_reply=%u:%d\n", \
|
||||
printf("[%s]:%u => [%s]:%u : %s : t0=%lld last=t0+%lld now=last+%lld packets_orig=%llu packets_reply=%llu seq0=%u rseq=%u ack0=%u rack=%u wsize_orig=%u:%d wsize_reply=%u:%d cutoff=%u wss_cutoff=%u d_cutoff=%u\n", \
|
||||
sa1, t->conn.e1.port, sa2, t->conn.e2.port, \
|
||||
connstate_s[t->track.state], \
|
||||
(unsigned long long)t->track.t_start, (unsigned long long)(t->track.t_last - t->track.t_start), (unsigned long long)(tnow - t->track.t_last), \
|
||||
t->track.b_cutoff, \
|
||||
(unsigned long long)t->track.pcounter_orig, (unsigned long long)t->track.pcounter_reply, \
|
||||
t->track.seq0, t->track.seq_last - t->track.seq0, t->track.ack0, t->track.ack_last - t->track.ack0, \
|
||||
t->track.winsize_orig, t->track.scale_orig==SCALE_NONE ? -1 : t->track.scale_orig, \
|
||||
t->track.winsize_reply, t->track.scale_reply==SCALE_NONE ? -1 : t->track.scale_reply ); \
|
||||
t->track.winsize_reply, t->track.scale_reply==SCALE_NONE ? -1 : t->track.scale_reply, \
|
||||
t->track.b_cutoff, t->track.b_wssize_cutoff, t->track.b_desync_cutoff); \
|
||||
};
|
||||
void ConntrackPoolDump4(t_conntrack4 *p)
|
||||
{
|
||||
|
48
nfq/desync.c
48
nfq/desync.c
@@ -100,6 +100,33 @@ static bool rawsend_rep(const struct sockaddr* dst,uint32_t fwmark,const void *d
|
||||
}
|
||||
|
||||
|
||||
static void maybe_cutoff(t_ctrack *ctrack)
|
||||
{
|
||||
if (ctrack)
|
||||
{
|
||||
ctrack->b_wssize_cutoff |= params.wssize_cutoff && ctrack->pcounter_orig>=params.wssize_cutoff;
|
||||
ctrack->b_desync_cutoff |= params.desync_cutoff && ctrack->pcounter_orig>=params.desync_cutoff;
|
||||
|
||||
// do not cut off in OpenBSD. It looks like it's not possible to divert-packet only outgoing part of the connection
|
||||
// It's better to destinguish outgoings using conntrack
|
||||
#ifndef __OpenBSD__
|
||||
ctrack->b_cutoff |= (!params.wssize || ctrack->b_wssize_cutoff) && !params.desync_cutoff;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
static void wssize_cutoff(t_ctrack *ctrack)
|
||||
{
|
||||
if (ctrack)
|
||||
{
|
||||
ctrack->b_wssize_cutoff = true;
|
||||
maybe_cutoff(ctrack);
|
||||
}
|
||||
}
|
||||
#ifdef __OpenBSD__
|
||||
#define CONNTRACK_REQUIRED true
|
||||
#else
|
||||
#define CONNTRACK_REQUIRED (params.wssize || params.desync_cutoff)
|
||||
#endif
|
||||
// result : true - drop original packet, false = dont drop
|
||||
packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struct ip *ip, struct ip6_hdr *ip6hdr, struct tcphdr *tcphdr, size_t len_tcp, uint8_t *data_payload, size_t len_payload)
|
||||
{
|
||||
@@ -109,19 +136,18 @@ packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struc
|
||||
|
||||
if (!!ip == !!ip6hdr) return res; // one and only one must be present
|
||||
|
||||
if (params.wssize)
|
||||
if (CONNTRACK_REQUIRED)
|
||||
{
|
||||
ConntrackPoolPurge(¶ms.conntrack);
|
||||
if (ConntrackPoolFeed(¶ms.conntrack, ip, ip6hdr, tcphdr, len_payload, &ctrack, &bReverse))
|
||||
if (params.wssize_cutoff && ctrack->pcounter_orig>=params.wssize_cutoff)
|
||||
ctrack->b_cutoff=true;
|
||||
maybe_cutoff(ctrack);
|
||||
}
|
||||
if (params.wsize && tcp_synack_segment(tcphdr))
|
||||
{
|
||||
tcp_rewrite_winsize(tcphdr, params.wsize, params.wscale);
|
||||
res=modify;
|
||||
}
|
||||
if (params.wssize && !bReverse && (ctrack && !ctrack->b_cutoff))
|
||||
if (params.wssize && !bReverse && (ctrack && !ctrack->b_wssize_cutoff))
|
||||
{
|
||||
tcp_rewrite_winsize(tcphdr, params.wssize, params.wsscale);
|
||||
res=modify;
|
||||
@@ -142,7 +168,7 @@ packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struc
|
||||
if ((bIsHttp = IsHttp(data_payload,len_payload)))
|
||||
{
|
||||
DLOG("packet contains HTTP request\n")
|
||||
if (ctrack && !params.wssize_cutoff) ctrack->b_cutoff = true;
|
||||
wssize_cutoff(ctrack);
|
||||
fake = params.fake_http;
|
||||
fake_size = params.fake_http_size;
|
||||
if (params.hostlist || params.debug) bHaveHost=HttpExtractHost(data_payload,len_payload,host,sizeof(host));
|
||||
@@ -155,7 +181,7 @@ packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struc
|
||||
else if (IsTLSClientHello(data_payload,len_payload))
|
||||
{
|
||||
DLOG("packet contains TLS ClientHello\n")
|
||||
if (ctrack && !params.wssize_cutoff) ctrack->b_cutoff = true;
|
||||
wssize_cutoff(ctrack);
|
||||
fake = params.fake_tls;
|
||||
fake_size = params.fake_tls_size;
|
||||
if (params.hostlist || params.desync_skip_nosni || params.debug)
|
||||
@@ -222,6 +248,16 @@ packet_process_result dpi_desync_packet(uint8_t *data_pkt, size_t len_pkt, struc
|
||||
}
|
||||
|
||||
if (params.desync_mode==DESYNC_NONE) return res;
|
||||
if (ctrack && ctrack->b_desync_cutoff)
|
||||
{
|
||||
DLOG("not desyncing. cutoff reached : %llu/%u\n", (unsigned long long)ctrack->pcounter_orig, params.desync_cutoff);
|
||||
return res;
|
||||
}
|
||||
if (!ctrack && params.desync_cutoff)
|
||||
{
|
||||
DLOG("not desyncing. desync_cutoff is set but conntrack entry is missing\n");
|
||||
return res;
|
||||
}
|
||||
|
||||
extract_endpoints(ip, ip6hdr, tcphdr, &src, &dst);
|
||||
if (params.debug)
|
||||
|
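Review bot: In maybe_cutoff, `ctrack->b_cutoff |= (!params.wssize || ctrack->b_wssize_cutoff) && !params.desync_cutoff;` makes b_cutoff unreachable for the whole lifetime of a connection whenever --dpi-desync-cutoff is set, even after both b_wssize_cutoff and b_desync_cutoff have become true and neither the winsize rewrite nor the desync path can do anything further. If b_cutoff is what stops a connection from being diverted to nfqws (as the OpenBSD comment directly above it suggests), every packet of every tracked connection keeps taking the userspace round-trip for as long as that option is in effect; the condition could instead read `ctrack->b_cutoff |= (!params.wssize || ctrack->b_wssize_cutoff) && (!params.desync_cutoff || ctrack->b_desync_cutoff);`. The two `|=` lines above it also deserve a one-line comment such as `// cutoff flags are sticky: pcounter_orig only grows, so once reached a cutoff is never undone`, and "destinguish" in the comment is a typo for "distinguish". dpi_desync_packet's body starts in this section but continues outside the hunks shown.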
21
nfq/nfqws.c
21
nfq/nfqws.c
@@ -37,8 +37,14 @@
|
||||
#endif
|
||||
|
||||
#define CTRACK_T_SYN 60
|
||||
#define CTRACK_T_EST 300
|
||||
#define CTRACK_T_FIN 60
|
||||
#ifdef __OpenBSD__
|
||||
// It looks like it's not possible to divert-packet only outgoing part of the connection
|
||||
// It's better to destinguish outgoings using conntrack. Do not purge conntrack entry too early
|
||||
#define CTRACK_T_EST 7200
|
||||
#else
|
||||
#define CTRACK_T_EST 300
|
||||
#endif
|
||||
|
||||
struct params_s params;
|
||||
|
||||
@@ -496,6 +502,7 @@ static void exithelp()
|
||||
" --dpi-desync-any-protocol=0|1\t\t; 0(default)=desync only http and tls 1=desync any nonempty data packet\n"
|
||||
" --dpi-desync-fake-http=<filename>\t; file containing fake http request\n"
|
||||
" --dpi-desync-fake-tls=<filename>\t; file containing fake TLS ClientHello (for https)\n"
|
||||
" --dpi-desync-cutoff=N\t\t\t; apply dpi desync only to packet numbers less than N\n"
|
||||
" --hostlist=<filename>\t\t\t; apply dpi desync only to the listed hosts (one host per line, subdomains auto apply)\n",
|
||||
CTRACK_T_SYN, CTRACK_T_EST, CTRACK_T_FIN,
|
||||
#if defined(__linux__) || defined(SO_USER_COOKIE)
|
||||
@@ -596,7 +603,8 @@ int main(int argc, char **argv)
|
||||
{"dpi-desync-any-protocol",optional_argument,0,0},// optidx=22
|
||||
{"dpi-desync-fake-http",required_argument,0,0},// optidx=23
|
||||
{"dpi-desync-fake-tls",required_argument,0,0},// optidx=24
|
||||
{"hostlist",required_argument,0,0}, // optidx=25
|
||||
{"dpi-desync-cutoff",required_argument,0,0},// optidx=25
|
||||
{"hostlist",required_argument,0,0}, // optidx=26
|
||||
{NULL,0,NULL,0}
|
||||
};
|
||||
if (argc < 2) exithelp();
|
||||
@@ -809,7 +817,14 @@ int main(int argc, char **argv)
|
||||
exit_clean(1);
|
||||
}
|
||||
break;
|
||||
case 25: /* hostlist */
|
||||
case 25: /* desync-cutoff */
|
||||
if (!sscanf(optarg, "%u", ¶ms.desync_cutoff))
|
||||
{
|
||||
fprintf(stderr, "invalid desync-cutoff value\n");
|
||||
exit_clean(1);
|
||||
}
|
||||
break;
|
||||
case 26: /* hostlist */
|
||||
if (!LoadHostList(¶ms.hostlist, optarg))
|
||||
exit_clean(1);
|
||||
strncpy(params.hostfile,optarg,sizeof(params.hostfile));
|
||||
|
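Review bot: `if (!sscanf(optarg, "%u", &params.desync_cutoff))` in the new `case 25` accepts values the option cannot mean: "-1" converts to UINT_MAX without an error, "10abc" parses as 10 with the tail ignored, and "0" is accepted but, because every use in desync.c is guarded by `params.desync_cutoff &&`, it silently disables the option rather than desyncing nothing, which contradicts the "packet numbers less than N" wording in the help text. A strtoul conversion that checks the end pointer, the range and a zero value reports an error instead; it needs <errno.h> and <limits.h> in scope, which this hunk does not show. If the other numeric options in this switch share the sscanf idiom, the zero check is still worth adding on its own. main() starts and ends outside the hunk.
```c
case 25: /* desync-cutoff */
{
	char *end;
	errno = 0;
	unsigned long v = strtoul(optarg, &end, 10);
	// reject empty input, trailing garbage, out-of-range and 0 (0 would silently disable the option)
	if (end == optarg || *end || errno == ERANGE || v == 0 || v > UINT_MAX)
	{
		fprintf(stderr, "invalid desync-cutoff value\n");
		exit_clean(1);
	}
	params.desync_cutoff = (unsigned)v;
	break;
}
// … unchanged: case 26 hostlist …
```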