nfqws: do not perform syndata desync if TCP fast open

nfq/darkmagic.c

@@ -56,6 +56,16 @@ uint8_t tcp_find_scale_factor(const struct tcphdr *tcp)
 	if (scale && scale[1]==3) return scale[2];
 	return SCALE_NONE;
 }
+bool tcp_has_fastopen(const struct tcphdr *tcp)
+{
+	uint8_t *opt;
+	// new style RFC7413
+	opt = tcp_find_option((struct tcphdr*)tcp, 34);
+	if (opt) return true;
+	// old style RFC6994
+	opt = tcp_find_option((struct tcphdr*)tcp, 254);
+	return opt && opt[1]>=4 && opt[2]==0xF9 && opt[3]==0x89;
+}
 
 // n prefix (nsport, nwsize) means network byte order
 static void fill_tcphdr(

nfq/darkmagic.h

@@ -132,6 +132,7 @@ void extract_endpoints(const struct ip *ip,const struct ip6_hdr *ip6hdr,const st
 uint8_t *tcp_find_option(struct tcphdr *tcp, uint8_t kind);
 uint32_t *tcp_find_timestamps(struct tcphdr *tcp);
 uint8_t tcp_find_scale_factor(const struct tcphdr *tcp);
+bool tcp_has_fastopen(const struct tcphdr *tcp);
 
 // auto creates internal socket and uses it for subsequent calls
 bool rawsend(const struct sockaddr* dst,uint32_t fwmark,const char *ifout,const void *data,size_t len);

nfq/desync.c

@@ -456,6 +456,17 @@ packet_process_result dpi_desync_tcp_packet(uint32_t fwmark, const char *ifout,
 					return res;
 				break;
 			case DESYNC_SYNDATA:
+				// make sure we are not breaking TCP fast open
+				if (tcp_has_fastopen(tcphdr))
+				{
+					DLOG("received SYN with TCP fast open option. syndata desync is not applied.\n");
+					break;
+				}
+				if (len_payload)
+				{
+					DLOG("received SYN with data payload. syndata desync is not applied.\n");
+					break;
+				}
 				pkt1_len = sizeof(pkt1);
 				if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
 					ttl_orig,0,0,0, params.fake_syndata,params.fake_syndata_size, pkt1,&pkt1_len))