blockcheck: ipfrag pain healing

2024-11-26 20:20:53 +03:00 · 2022-01-04 12:59:12 +03:00 · 2022-01-04 12:59:12 +03:00 · de3390ca75
commit de3390ca75
parent 2f7155682d
1 changed files with 35 additions and 16 deletions
--- a/blockcheck.sh
+++ b/blockcheck.sh
@ -314,13 +314,18 @@ pktws_ipt_prepare()
 	# $1 - port
 	case "$UNAME" in
 		Linux)
-			IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
-			# otherwise ipv6 fragmentation may not work
-			[ $IPV = 6 ] && [ -n "$IPT6_HAS_RAW" ] && {
 			# to avoid possible INVALID state drop
-				IPT INPUT -p tcp --sport $1 -j ACCEPT
+			IPT INPUT -p tcp --sport $1 ! --syn -j ACCEPT
+			IPT OUTPUT -p tcp --dport $1 -m conntrack --ctstate INVALID -j ACCEPT
+			if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then
+				# the only way to reliable disable ipv6 defrag. works only in 4.16+ kernels
 				IPT OUTPUT -t raw -p tcp --dport $1 -j CT --notrack
-			}
+			elif [ "$IPV" = 4 ]; then
+				# enable fragments
+				IPT OUTPUT -f -j ACCEPT
+			fi
+
+			IPT POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
 			;;
 		FreeBSD)
 			IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any 80,443 proto ip${IPV} out not diverted not sockarg
@ -333,10 +338,14 @@ pktws_ipt_unprepare()
 	case "$UNAME" in
 		Linux)
 			IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
-			[ $IPV = 6 ] && [ -n "$IPT6_HAS_RAW" ] && {
+
+			IPT_DEL INPUT -p tcp --sport $1 ! --syn -j ACCEPT
+			IPT_DEL OUTPUT -p tcp --dport $1 -m conntrack --ctstate INVALID -j ACCEPT
+			if [ "$IPV" = 6 -a -n "$IP6_DEFRAG_DISABLE" ]; then
 				IPT_DEL OUTPUT -t raw -p tcp --dport $1 -j CT --notrack
-				IPT_DEL INPUT -p tcp --sport $1 -j ACCEPT
-			}
+			elif [ "$IPV" = 4 ]; then
+				IPT_DEL OUTPUT -f -j ACCEPT
+			fi
 			;;
 		FreeBSD)
 			IPFW_DEL
@ -403,7 +412,7 @@ curl_test()
 	while [ $n -lt $REPEATS ]; do
 		n=$(($n+1))
 		[ $REPEATS -gt 1 ] && $ECHON "[attempt $n] "
-		$1 $IPV $2 && {
+		$1 "$IPV" $2 && {
 			[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
 			continue
 		}
@ -560,7 +569,7 @@ pktws_check_domain_bypass()
 		[ "$sec" = 1 ] || break
 	done

-	[ $IPV=4 -o -n "$IPT6_HAS_RAW" ] && {
+	[ "$IPV" = 4 -o -n "$IP6_DEFRAG_DISABLE" ] && {
 		for frag in 24 32 40 64 80 104; do
 			pktws_curl_test_update $1 $3 --dpi-desync=ipfrag2 --dpi-desync-ipfrag-pos-tcp=$frag
 		done
@ -748,13 +757,23 @@ ask_params()

 	echo

-	IPT6_HAS_RAW=
-	ipt6_has_raw && IPT6_HAS_RAW=1
-
-	[ -n "$IPT6_HAS_RAW" ] || {
+	IP6_DEFRAG_DISABLE=
+	[ "$UNAME" = "Linux" ] && [ "$IPVS" = 6 -o "$IPVS" = "4 6" ] && {
+		local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
+		local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
+		if [ "$V1" -gt 4 -o "$V1" = 4 -a "$V2" -ge 16 ]; then
+			ipt6_has_raw && IP6_DEFRAG_DISABLE=1
+			[ -n "$IP6_DEFRAG_DISABLE" ] || {
 				echo "WARNING ! ip6tables raw table is not available, ipv6 ipfrag tests are disabled"
 				echo
 			}
+		else
+			echo "WARNING ! ipv6 defrag can only be effectively disabled in linux kernel 4.16+"
+			echo "WARNING ! ipv6 ipfrag tests are disabled"
+			echo
+		fi
+
+	}
 }