From f1dd3518547c8af625072309287ecf9c72594849 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Thu, 8 May 2025 08:54:05 +0300
Subject: [PATCH] nfqws: --ctrack-disable
---
 docs/changes.txt | 1 +
 nfq/desync.c | 25 ++++++++++++++++---------
 nfq/nfqws.c | 11 +++++++++--
 nfq/params.h | 3 ++-
 4 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index b56d77a..9773aa8 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -489,6 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake
 nfqws: --dup*
 nfqws: --orig*
 nfqws: ipcache of hop count and host names
+nfqws: --ctrack-disable
 tpws: ipcache of host names
 nfqws,tpws: set 1024 repeat limit to fakes and dups
 init.d: remove --ipset parameter prohibition
diff --git a/nfq/desync.c b/nfq/desync.c
index b4f9922..d14ad14 100644
--- a/nfq/desync.c
+++ b/nfq/desync.c
@@ -562,7 +562,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
 // so we need to workaround this.
 // we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket
 // we also can't use fooling because DPI would accept fooled packets
- if (ctrack && ctrack->pcounter_orig==1)
+ // SYN and SYN,ACK checks are for conntrack-less mode
+ if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
 {
 DLOG("applying linux postnat conntrack workaround\n");
 if (proto==IPPROTO_UDP && udp && len_pkt)
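Review bot: The new condition in ct_new_postnat_fix applies the SYN/SYN,ACK branch unconditionally, not only in conntrack-less mode as the comment directly above it says: with conntrack enabled, a SYN,ACK that is not the `pcounter_orig==1` packet now also triggers the workaround, which is a behaviour change for the existing mode. The expression also mixes `&&` and `||` without parentheses, which -Wparentheses flags and which hides the intended grouping from the reader. If the intent is what the comment states, I would write `if ((ctrack && ctrack->pcounter_orig==1) || (!ctrack && tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))))`. With conntrack disabled `ctrack` presumably stays NULL for UDP as well, so the `proto==IPPROTO_UDP` leg of this workaround can no longer fire in that mode; if that is acceptable the comment should say so. The function's body continues outside the hunk.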
@@ -1161,11 +1162,14 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 {
 // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack
- ConntrackPoolPurge(¶ms.conntrack);
- if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse))
+ if (!params.ctrack_disable)
 {
- dp = ctrack->dp;
- ctrack_replay = ctrack;
+ ConntrackPoolPurge(¶ms.conntrack);
+ if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse))
+ {
+ dp = ctrack->dp;
+ ctrack_replay = ctrack;
+ }
 }
 if (dp)
 DLOG("using cached desync profile %d\n",dp->n);
@@ -2370,11 +2374,14 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 {
 // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack
- ConntrackPoolPurge(¶ms.conntrack);
- if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse))
+ if (!params.ctrack_disable)
 {
- dp = ctrack->dp;
- ctrack_replay = ctrack;
+ ConntrackPoolPurge(¶ms.conntrack);
+ if (ConntrackPoolFeed(¶ms.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse))
+ {
+ dp = ctrack->dp;
+ ctrack_replay = ctrack;
+ }
 }
 if (dp)
 DLOG("using cached desync profile %d\n",dp->n);
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 16c1850..de84632 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
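Review bot: The conntrack feed is now the same gated block in dpi_desync_tcp_packet_play and dpi_desync_udp_packet_play, differing only in whether `dis->tcp` or `dis->udp` is passed to ConntrackPoolFeed; a small static helper that takes both header pointers (one NULL) and owns the `params.ctrack_disable` check, the ConntrackPoolPurge call and the `dp`/`ctrack_replay` assignment would keep the two paths from drifting apart the next time the gate changes. The context comment `// in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack` now describes only two of three cases; I would extend it with `// with --ctrack-disable nothing is fed: ctrack and ctrack_replay stay NULL and dp keeps the caller's value`. Both functions start and end outside the hunk.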
@@ -1417,6 +1417,7 @@ static void exithelp(void)
 " --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n"
 #endif
 " --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n"
+ " --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack\n"
 " --ipcache-lifetime=\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n"
 " --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n"
 #ifdef __CYGWIN__
@@ -1620,6 +1621,7 @@ enum opt_indices {
 IDX_WSSIZE,
 IDX_WSSIZE_CUTOFF,
 IDX_CTRACK_TIMEOUTS,
+ IDX_CTRACK_DISABLE,
 IDX_IPCACHE_LIFETIME,
 IDX_IPCACHE_HOSTNAME,
 IDX_HOSTCASE,
@@ -1739,6 +1741,7 @@ static const struct option long_options[] = {
 [IDX_WSSIZE] = {"wssize", required_argument, 0, 0},
 [IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0},
 [IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0},
+ [IDX_CTRACK_DISABLE] = {"ctrack-disable", optional_argument, 0, 0},
 [IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0},
 [IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0},
 [IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
@@ -2048,6 +2051,9 @@ int main(int argc, char **argv)
 exit_clean(1);
 }
 break;
+ case IDX_CTRACK_DISABLE:
+ params.ctrack_disable = !optarg || atoi(optarg);
+ break;
 case IDX_IPCACHE_LIFETIME:
 if (sscanf(optarg, "%u", ¶ms.ipcache_lifetime)!=1)
 {
@@ -2056,7 +2062,7 @@ int main(int argc, char **argv)
 }
 break;
 case IDX_IPCACHE_HOSTNAME:
- params.cache_hostname = !optarg || !!atoi(optarg);
+ params.cache_hostname = !optarg || atoi(optarg);
 break;
 case IDX_HOSTCASE:
 dp->hostcase = true;
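Review bot: The new help line for `--ctrack-disable` says how to switch conntrack off but not what the operator loses, and the only other hint is a startup message saying "some functions will not work"; since this changes how every flow is handled, the consequence belongs next to the option. I would make it `" --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack. options that rely on connection state (e.g. --ctrack-timeouts) have no effect\n"`; `--ctrack-timeouts` is a safe example because its own help line describes it as internal conntrack timeouts, but the full list of dependent options is not visible here and should be taken from the code that consumes ctrack. exithelp continues outside the hunk.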
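Review bot: `params.ctrack_disable = !optarg || atoi(optarg);` accepts any string: `--ctrack-disable=yes` or `=true` parse as 0 and silently leave conntrack enabled, the opposite of what was asked for, and the same holds for the `--ipcache-hostname` line changed in the last hunk and for `--dup-replace` in the next file hunk. A small validating helper shared by the optional_argument booleans would reject anything but `0`/`1` instead of guessing, reporting the error the way the neighbouring sscanf failure does before `exit_clean(1)`; the message-printing call used there is not visible in the hunk, so the sketch below leaves it as a comment. main continues outside the hunk.

```c
// Parse an optional_argument boolean: no argument or "1" means true, "0" means false.
// Returns false for any other value so the caller can reject it instead of guessing.
static bool parse_optional_bool(const char *arg, bool *out)
{
	if (!arg) { *out = true; return true; }
	if (!strcmp(arg, "1")) { *out = true; return true; }
	if (!strcmp(arg, "0")) { *out = false; return true; }
	return false;
}

// … unchanged: option parsing up to IDX_CTRACK_DISABLE …
			case IDX_CTRACK_DISABLE:
				if (!parse_optional_bool(optarg, &params.ctrack_disable))
				{
					// report the bad value the way the surrounding cases do
					exit_clean(1);
				}
				break;
```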
@@ -2180,7 +2186,7 @@ int main(int argc, char **argv)
 params.autottl_present=true;
 break;
 case IDX_DUP_REPLACE:
- dp->dup_replace = optarg ? !!atoi(optarg) : true;
+ dp->dup_replace = !optarg || atoi(optarg);
 break;
 case IDX_DUP_FOOLING:
 if (!parse_fooling(optarg,&dp->dup_fooling_mode))
@@ -2841,6 +2847,7 @@ int main(int argc, char **argv)
 }
 DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count);
+ if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
 #ifndef __CYGWIN__
 if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1))
diff --git a/nfq/params.h b/nfq/params.h
index a3bd107..33c7a1b 100644
--- a/nfq/params.h
+++ b/nfq/params.h
@@ -197,9 +197,10 @@ struct params_s
 unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp;
 t_conntrack conntrack;
+ bool ctrack_disable;
- unsigned int ipcache_lifetime;
 bool autottl_present,cache_hostname;
+ unsigned int ipcache_lifetime;
 ip_cache ipcache;
 };
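Review bot: The startup warning `conntrack disabled ! some functions will not work.` leaves the operator to discover at runtime which of their options became no-ops; `--ctrack-timeouts` only configures the conntrack pool that is no longer fed, so the message should at least name that class of options, and ideally the parser should refuse the combination rather than warn. A more useful line is `if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! options that depend on connection tracking (e.g. --ctrack-timeouts) have no effect. make sure it's what you want.\n");`. Which other options depend on ctrack is not visible in this diff and should be confirmed before listing them. main continues outside the hunk.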
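Review bot: Moving `unsigned int ipcache_lifetime;` below the bool declaration is unrelated churn in this commit and makes the params.h hunk read as if two fields changed when only one was added; appending the flag to the existing line, `bool autottl_present,cache_hostname,ctrack_disable;`, keeps the change to one line and leaves ipcache_lifetime where it was. If the move is intentional (for packing, say), a one-line comment should say so. struct params_s starts before the hunk.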