nfqws: --ctrack-disable

This commit is contained in:
bol-van 2025-05-08 08:54:05 +03:00
parent 5c63cb43e7
commit f1dd351854
4 changed files with 28 additions and 12 deletions


@ -489,6 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake
nfqws: --dup* nfqws: --dup*
nfqws: --orig* nfqws: --orig*
nfqws: ipcache of hop count and host names nfqws: ipcache of hop count and host names
nfqws: --ctrack-disable
tpws: ipcache of host names tpws: ipcache of host names
nfqws,tpws: set 1024 repeat limit to fakes and dups nfqws,tpws: set 1024 repeat limit to fakes and dups
init.d: remove --ipset parameter prohibition init.d: remove --ipset parameter prohibition


@ -562,7 +562,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
// so we need to workaround this. // so we need to workaround this.
// we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket // we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket
// we also can't use fooling because DPI would accept fooled packets // we also can't use fooling because DPI would accept fooled packets
if (ctrack && ctrack->pcounter_orig==1) // SYN and SYN,ACK checks are for conntrack-less mode
if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
{ {
DLOG("applying linux postnat conntrack workaround\n"); DLOG("applying linux postnat conntrack workaround\n");
if (proto==IPPROTO_UDP && udp && len_pkt) if (proto==IPPROTO_UDP && udp && len_pkt)
@ -1161,11 +1162,14 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
{ {
// in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack
ConntrackPoolPurge(&params.conntrack); if (!params.ctrack_disable)
if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse))
{ {
dp = ctrack->dp; ConntrackPoolPurge(&params.conntrack);
ctrack_replay = ctrack; if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse))
{
dp = ctrack->dp;
ctrack_replay = ctrack;
}
} }
if (dp) if (dp)
DLOG("using cached desync profile %d\n",dp->n); DLOG("using cached desync profile %d\n",dp->n);
@ -2370,11 +2374,14 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
{ {
// in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack // in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack
ConntrackPoolPurge(&params.conntrack); if (!params.ctrack_disable)
if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse))
{ {
dp = ctrack->dp; ConntrackPoolPurge(&params.conntrack);
ctrack_replay = ctrack; if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse))
{
dp = ctrack->dp;
ctrack_replay = ctrack;
}
} }
if (dp) if (dp)
DLOG("using cached desync profile %d\n",dp->n); DLOG("using cached desync profile %d\n",dp->n);
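Review bot: The rewritten condition in the ct_new_postnat_fix hunk, `if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))`, mixes `&&` and `||` without grouping, which compilers flag under -Wparentheses and which makes the intended precedence hard to confirm on review. The added comment says the SYN/SYN,ACK checks are for conntrack-less mode, but nothing gates them on that mode, so with conntrack enabled a retransmitted SYN (pcounter_orig > 1) now also triggers the workaround; if that is not intended, `if ((ctrack && ctrack->pcounter_orig==1) || (params.ctrack_disable && tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp))))` expresses the comment literally, otherwise keep the behaviour and just add the parentheses. The body of ct_new_postnat_fix continues outside the hunk. The two later hunks guard the purge/feed block identically for TCP and UDP; leaving `ctrack` and `ctrack_replay` at their pre-hunk values when conntrack is disabled presumably relies on them being NULL-initialised above the hunk — worth confirming.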


@ -1417,6 +1417,7 @@ static void exithelp(void)
" --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n" " --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n"
#endif #endif
" --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n" " --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n"
" --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack\n"
" --ipcache-lifetime=<int>\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n" " --ipcache-lifetime=<int>\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n"
" --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n" " --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n"
#ifdef __CYGWIN__ #ifdef __CYGWIN__
@ -1620,6 +1621,7 @@ enum opt_indices {
IDX_WSSIZE, IDX_WSSIZE,
IDX_WSSIZE_CUTOFF, IDX_WSSIZE_CUTOFF,
IDX_CTRACK_TIMEOUTS, IDX_CTRACK_TIMEOUTS,
IDX_CTRACK_DISABLE,
IDX_IPCACHE_LIFETIME, IDX_IPCACHE_LIFETIME,
IDX_IPCACHE_HOSTNAME, IDX_IPCACHE_HOSTNAME,
IDX_HOSTCASE, IDX_HOSTCASE,
@ -1739,6 +1741,7 @@ static const struct option long_options[] = {
[IDX_WSSIZE] = {"wssize", required_argument, 0, 0}, [IDX_WSSIZE] = {"wssize", required_argument, 0, 0},
[IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0}, [IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0},
[IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0}, [IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0},
[IDX_CTRACK_DISABLE] = {"ctrack-disable", optional_argument, 0, 0},
[IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0}, [IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0},
[IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0}, [IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0},
[IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0}, [IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
@ -2048,6 +2051,9 @@ int main(int argc, char **argv)
exit_clean(1); exit_clean(1);
} }
break; break;
case IDX_CTRACK_DISABLE:
params.ctrack_disable = !optarg || atoi(optarg);
break;
case IDX_IPCACHE_LIFETIME: case IDX_IPCACHE_LIFETIME:
if (sscanf(optarg, "%u", &params.ipcache_lifetime)!=1) if (sscanf(optarg, "%u", &params.ipcache_lifetime)!=1)
{ {
@ -2056,7 +2062,7 @@ int main(int argc, char **argv)
} }
break; break;
case IDX_IPCACHE_HOSTNAME: case IDX_IPCACHE_HOSTNAME:
params.cache_hostname = !optarg || !!atoi(optarg); params.cache_hostname = !optarg || atoi(optarg);
break; break;
case IDX_HOSTCASE: case IDX_HOSTCASE:
dp->hostcase = true; dp->hostcase = true;
@ -2180,7 +2186,7 @@ int main(int argc, char **argv)
params.autottl_present=true; params.autottl_present=true;
break; break;
case IDX_DUP_REPLACE: case IDX_DUP_REPLACE:
dp->dup_replace = optarg ? !!atoi(optarg) : true; dp->dup_replace = !optarg || atoi(optarg);
break; break;
case IDX_DUP_FOOLING: case IDX_DUP_FOOLING:
if (!parse_fooling(optarg,&dp->dup_fooling_mode)) if (!parse_fooling(optarg,&dp->dup_fooling_mode))
@ -2841,6 +2847,7 @@ int main(int argc, char **argv)
} }
DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count); DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count);
if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
#ifndef __CYGWIN__ #ifndef __CYGWIN__
if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1)) if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1))
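Review bot: `params.ctrack_disable = !optarg || atoi(optarg);` in the new `case IDX_CTRACK_DISABLE` accepts any string, so a typo such as `--ctrack-disable=yes` silently parses as 0 and leaves conntrack enabled, whereas the neighbouring `case IDX_IPCACHE_LIFETIME` rejects unparsable input with `sscanf` and `exit_clean(1)`. Since the help text documents the argument as `[0|1]`, it would be consistent to reject anything other than those two values the same way; the commit applies the same unchecked `!optarg || atoi(optarg)` idiom to `cache_hostname` and `dup_replace`, so a single helper for optional boolean arguments would cover all three. The final hunk's `DLOG_CONDUP` warning is the only user-visible signal that conntrack-dependent features are off; if that macro is conditional on a debug level (not visible here), consider whether the message should be unconditional. The enclosing `main` starts and ends outside these hunks.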


@ -197,9 +197,10 @@ struct params_s
unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp; unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp;
t_conntrack conntrack; t_conntrack conntrack;
bool ctrack_disable;
unsigned int ipcache_lifetime;
bool autottl_present,cache_hostname; bool autottl_present,cache_hostname;
unsigned int ipcache_lifetime;
ip_cache ipcache; ip_cache ipcache;
}; };