nfqws: --ctrack-disable

2025-05-09 23:32:57 +03:00 · 2025-05-08 08:54:05 +03:00 · 2025-05-08 08:54:05 +03:00 · f1dd351854
commit f1dd351854
parent 5c63cb43e7
4 changed files with 28 additions and 12 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -489,6 +489,7 @@ nfqws: --dpi-desync-fake-tls=! means default tls fake
 nfqws: --dup*
 nfqws: --orig*
 nfqws: ipcache of hop count and host names
+nfqws: --ctrack-disable
 tpws: ipcache of host names
 nfqws,tpws: set 1024 repeat limit to fakes and dups
 init.d: remove --ipset parameter prohibition
--- a/nfq/desync.c
+++ b/nfq/desync.c
@ -562,7 +562,8 @@ static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct
 	// so we need to workaround this.
 	// we can't use low ttl because TCP/IP stack listens to ttl expired ICMPs and notify socket
 	// we also can't use fooling because DPI would accept fooled packets
-	if (ctrack && ctrack->pcounter_orig==1)
+	// SYN and SYN,ACK checks are for conntrack-less mode
+	if (ctrack && ctrack->pcounter_orig==1 || tcp && (tcp_syn_segment(tcp) || tcp_synack_segment(tcp)))
 	{
 		DLOG("applying linux postnat conntrack workaround\n");
 		if (proto==IPPROTO_UDP && udp && len_pkt)
@ -1161,12 +1162,15 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 	{
 		// in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack

+		if (!params.ctrack_disable)
+		{
 			ConntrackPoolPurge(&params.conntrack);
 			if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, dis->tcp, NULL, dis->len_payload, &ctrack, &bReverse))
 			{
 				dp = ctrack->dp;
 				ctrack_replay = ctrack;
 			}
+		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
 		else if (!ctrack || !ctrack->dp_search_complete)
@ -2370,12 +2374,15 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
 	{
 		// in real mode ctrack may be NULL or not NULL, conntrack_replay is equal to ctrack

+		if (!params.ctrack_disable)
+		{
 			ConntrackPoolPurge(&params.conntrack);
 			if (ConntrackPoolFeed(&params.conntrack, dis->ip, dis->ip6, NULL, dis->udp, dis->len_payload, &ctrack, &bReverse))
 			{
 				dp = ctrack->dp;
 				ctrack_replay = ctrack;
 			}
+		}
 		if (dp)
 			DLOG("using cached desync profile %d\n",dp->n);
 		else if (!ctrack || !ctrack->dp_search_complete)
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -1417,6 +1417,7 @@ static void exithelp(void)
 		" --bind-fix6\t\t\t\t\t; apply outgoing interface selection fix for generated ipv6 packets\n"
 #endif
 		" --ctrack-timeouts=S:E:F[:U]\t\t\t; internal conntrack timeouts for TCP SYN, ESTABLISHED, FIN stages, UDP timeout. default %u:%u:%u:%u\n"
+		" --ctrack-disable=[0|1]\t\t\t\t; 1 or no argument disables conntrack\n"
 		" --ipcache-lifetime=<int>\t\t\t; time in seconds to keep cached hop count and domain name (default %u). 0 = no expiration\n"
 		" --ipcache-hostname=[0|1]\t\t\t; 1 or no argument enables ip->hostname caching\n"
 #ifdef __CYGWIN__
@ -1620,6 +1621,7 @@ enum opt_indices {
 	IDX_WSSIZE,
 	IDX_WSSIZE_CUTOFF,
 	IDX_CTRACK_TIMEOUTS,
+	IDX_CTRACK_DISABLE,
 	IDX_IPCACHE_LIFETIME,
 	IDX_IPCACHE_HOSTNAME,
 	IDX_HOSTCASE,
@ -1739,6 +1741,7 @@ static const struct option long_options[] = {
 	[IDX_WSSIZE] = {"wssize", required_argument, 0, 0},
 	[IDX_WSSIZE_CUTOFF] = {"wssize-cutoff", required_argument, 0, 0},
 	[IDX_CTRACK_TIMEOUTS] = {"ctrack-timeouts", required_argument, 0, 0},
+	[IDX_CTRACK_DISABLE] = {"ctrack-disable", optional_argument, 0, 0},
 	[IDX_IPCACHE_LIFETIME] = {"ipcache-lifetime", required_argument, 0, 0},
 	[IDX_IPCACHE_HOSTNAME] = {"ipcache-hostname", optional_argument, 0, 0},
 	[IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
@ -2048,6 +2051,9 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
+		case IDX_CTRACK_DISABLE:
+			params.ctrack_disable = !optarg || atoi(optarg);
+			break;
 		case IDX_IPCACHE_LIFETIME:
 			if (sscanf(optarg, "%u", &params.ipcache_lifetime)!=1)
 			{
@ -2056,7 +2062,7 @@ int main(int argc, char **argv)
 			}
 			break;
 		case IDX_IPCACHE_HOSTNAME:
-			params.cache_hostname = !optarg || !!atoi(optarg);
+			params.cache_hostname = !optarg || atoi(optarg);
 			break;
 		case IDX_HOSTCASE:
 			dp->hostcase = true;
@ -2180,7 +2186,7 @@ int main(int argc, char **argv)
 			params.autottl_present=true;
 			break;
 		case IDX_DUP_REPLACE:
-			dp->dup_replace = optarg ? !!atoi(optarg) : true;
+			dp->dup_replace = !optarg || atoi(optarg);
 			break;
 		case IDX_DUP_FOOLING:
 			if (!parse_fooling(optarg,&dp->dup_fooling_mode))
@ -2841,6 +2847,7 @@ int main(int argc, char **argv)
 	}

 	DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n",desync_profile_count);
+	if (params.ctrack_disable) DLOG_CONDUP("conntrack disabled ! some functions will not work. make sure it's what you want.\n");
 	
 #ifndef __CYGWIN__
 	if (params.debug_target == LOG_TARGET_FILE && params.droproot && chown(params.debug_logfile, params.uid, -1))
--- a/nfq/params.h
+++ b/nfq/params.h
@ -197,9 +197,10 @@ struct params_s

 	unsigned int ctrack_t_syn, ctrack_t_est, ctrack_t_fin, ctrack_t_udp;
 	t_conntrack conntrack;
+	bool ctrack_disable;

-	unsigned int ipcache_lifetime;
 	bool autottl_present,cache_hostname;
+	unsigned int ipcache_lifetime;
 	ip_cache ipcache;
 };