freebsd dvtws respect freebsd14+ PF_DIVERT

This commit is contained in:
bol-van 2024-03-08 11:09:14 +03:00
parent e21335255e
commit eaaa1a326c
4 changed files with 24 additions and 8 deletions



@ -903,7 +903,7 @@ static int *rawsend_family_sock(sa_family_t family)
} }
#ifdef BSD #ifdef BSD
static int rawsend_socket_divert(sa_family_t family) int rawsend_socket_divert(sa_family_t family)
{ {
// HACK HACK HACK HACK HACK HACK HACK HACK // HACK HACK HACK HACK HACK HACK HACK HACK
// FreeBSD doesnt allow IP_HDRINCL for IPV6 // FreeBSD doesnt allow IP_HDRINCL for IPV6
@ -911,7 +911,14 @@ static int rawsend_socket_divert(sa_family_t family)
// we either have to go to the link layer (its hard, possible problems arise, compat testing, ...) or use some HACKING // we either have to go to the link layer (its hard, possible problems arise, compat testing, ...) or use some HACKING
// from my point of view disabling direct ability to send ip frames is not security. its SHIT // from my point of view disabling direct ability to send ip frames is not security. its SHIT
int fd = socket(family, SOCK_RAW, IPPROTO_DIVERT); int fd,err;
// freebsd14+ way
fd = socket(PF_DIVERT, SOCK_RAW, 0);
err=errno;
if (fd==-1 && (err==EPROTONOSUPPORT || err==EAFNOSUPPORT || err==EPFNOSUPPORT))
// legacy way
fd = socket(family, SOCK_RAW, IPPROTO_DIVERT);
if (fd!=-1 && !set_socket_buffers(fd,4096,RAW_SNDBUF)) if (fd!=-1 && !set_socket_buffers(fd,4096,RAW_SNDBUF))
{ {
close(fd); close(fd);
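Review bot: The fallback `if (fd==-1 && (err==EPROTONOSUPPORT || err==EAFNOSUPPORT || err==EPFNOSUPPORT))` controls a single statement with a comment line sitting between the condition and its body; brace it so a later added line cannot silently fall outside the conditional: `if (fd==-1 && (err==EPROTONOSUPPORT || err==EAFNOSUPPORT || err==EPFNOSUPPORT)) { /* legacy way */ fd = socket(family, SOCK_RAW, IPPROTO_DIVERT); }`. On the PF_DIVERT path the `family` argument is never consulted, so the AF_INET and AF_INET6 callers in dvtws.c now receive the same kind of socket; a one-line comment stating that this is intended would help, e.g. `// PF_DIVERT socket is not tied to an address family; family only selects the legacy IPPROTO_DIVERT socket`. Now that the function is no longer `static`, it is worth documenting in the header comment that when both attempts fail errno is left as set by the legacy socket() call, which is what callers like dvtws's perror() report. The function body continues past the hunk.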


@ -11,6 +11,17 @@
#include <netinet/in.h> #include <netinet/in.h>
#include <sys/socket.h> #include <sys/socket.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258
#endif
#ifndef AF_DIVERT
#define AF_DIVERT 44 /* divert(4) */
#endif
#ifndef PF_DIVERT
#define PF_DIVERT AF_DIVERT
#endif
// returns netorder value // returns netorder value
uint32_t net32_add(uint32_t netorder_value, uint32_t cpuorder_increment); uint32_t net32_add(uint32_t netorder_value, uint32_t cpuorder_increment);
uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment); uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
@ -128,6 +139,8 @@ bool rawsend_preinit(bool bind_fix4, bool bind_fix6);
// cleans up socket autocreated by rawsend // cleans up socket autocreated by rawsend
void rawsend_cleanup(void); void rawsend_cleanup(void);
int rawsend_socket_divert(sa_family_t family);
const char *proto_name(uint8_t proto); const char *proto_name(uint8_t proto);
uint16_t family_from_proto(uint8_t l3proto); uint16_t family_from_proto(uint8_t l3proto);
void print_ip(const struct ip *ip); void print_ip(const struct ip *ip);
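Review bot: The new prototype `int rawsend_socket_divert(sa_family_t family);` is declared unconditionally, while the definition in rawsend.c (visible in this commit) sits inside `#ifdef BSD`, so a non-BSD translation unit that calls it would compile but fail to link. Either guard the declaration the same way, `#ifdef BSD` / `int rawsend_socket_divert(sa_family_t family);` / `#endif`, or add a comment above it marking the function as BSD-only. In the first hunk, the fallback `#define AF_DIVERT 44` hard-codes a value that appears to be copied from FreeBSD 14's sys/socket.h; on a kernel whose headers lack AF_DIVERT the rawsend.c caller relies on `socket(44, SOCK_RAW, 0)` failing with EPROTONOSUPPORT, EAFNOSUPPORT or EPFNOSUPPORT before it falls back to IPPROTO_DIVERT. A comment such as `/* FreeBSD 14 value; on other kernels this is only a probe expected to fail */` would record that assumption next to the define.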


@ -35,10 +35,6 @@
#define NF_ACCEPT 1 #define NF_ACCEPT 1
#endif #endif
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258
#endif
#define CTRACK_T_SYN 60 #define CTRACK_T_SYN 60
#define CTRACK_T_FIN 60 #define CTRACK_T_FIN 60
#define CTRACK_T_EST 300 #define CTRACK_T_EST 300
@ -357,7 +353,7 @@ static int dvt_main(void)
bp4.sin_addr.s_addr = INADDR_ANY; bp4.sin_addr.s_addr = INADDR_ANY;
printf("creating divert4 socket\n"); printf("creating divert4 socket\n");
fd[0] = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT); fd[0] = rawsend_socket_divert(AF_INET);
if (fd[0] == -1) { if (fd[0] == -1) {
perror("socket (DIVERT4)"); perror("socket (DIVERT4)");
goto exiterr; goto exiterr;
@ -382,7 +378,7 @@ static int dvt_main(void)
bp6.sin6_port = htons(params.port); bp6.sin6_port = htons(params.port);
printf("creating divert6 socket\n"); printf("creating divert6 socket\n");
fd[1] = socket(AF_INET6, SOCK_RAW, IPPROTO_DIVERT); fd[1] = rawsend_socket_divert(AF_INET6);
if (fd[1] == -1) { if (fd[1] == -1) {
perror("socket (DIVERT6)"); perror("socket (DIVERT6)");
goto exiterr; goto exiterr;