2025-05-24 22:32:58 +03:00
10 changed files with 110 additions and 229 deletions
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -494,6 +494,5 @@ nfqws: --synack-split
 tpws: ipcache of host names
 nfqws,tpws: set 1024 repeat limit to fakes and dups
 nfqws,tpws: do more before daemonize
-nfqws,tpws: accept multiple gids in --gid
 init.d: remove --ipset parameter prohibition
 init.d, blockcheck: drop time exceeded icmp for nfqws-related connections
--- a/nfq/desync.c
+++ b/nfq/desync.c
@ -1188,19 +1188,10 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint

 		//ConntrackPoolDump(&params.conntrack);

-		if (tcp_synack_segment(dis->tcp))
+		if (dp->wsize && tcp_synack_segment(dis->tcp))
 		{
-			if (dp->wsize)
-			{
-				tcp_rewrite_winsize(dis->tcp, dp->wsize, dp->wscale);
-				verdict=VERDICT_MODIFY;
-			}
-			if (dp->synack_split==SS_SYN)
-			{
-				DLOG("split SYNACK : clearing ACK bit\n");
-				dis->tcp->th_flags &= ~TH_ACK;
-				verdict=VERDICT_MODIFY;
-			}
+			tcp_rewrite_winsize(dis->tcp, dp->wsize, dp->wscale);
+			verdict=VERDICT_MODIFY;
 		}

 		if (bReverse)
@ -1289,43 +1280,50 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
 			}
 		}

-		if ((dp->synack_split==SS_SYNACK || dp->synack_split==SS_ACKSYN) && tcp_synack_segment(dis->tcp))
+		if (dp->synack_split!=SS_NONE && tcp_synack_segment(dis->tcp))
 		{
-			// reconstruct required
-
 			dis->tcp->th_flags &= ~TH_ACK;
 			tcp_fix_checksum(dis->tcp,dis->transport_len, dis->ip, dis->ip6);

-			char ss[2],i;
-			if (dp->synack_split==SS_SYNACK)
+			char ss[2],i,ct;
+			if (dp->synack_split==SS_SYN)
 			{
+				ct=1;
 				ss[0] = 'S';
-				ss[1] = 'A';
 			}
 			else
 			{
-				ss[0] = 'A';
-				ss[1] = 'S';
+				ct=2;
+				if (dp->synack_split==SS_SYNACK)
+				{
+					ss[0] = 'S';
+					ss[1] = 'A';
+				}
+				else
+				{
+					ss[0] = 'A';
+					ss[1] = 'S';
+				}
+				pkt1_len = sizeof(pkt1);
+				if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_ACK, false, 0, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, SCALE_NONE, timestamps,
+					DF,ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
+					FOOL_NONE,0,0,NULL, 0, pkt1, &pkt1_len))
+				{
+					DLOG_ERR("cannot prepare split SYNACK ACK part\n");
+					goto send_orig;
+				}
 			}
-			pkt1_len = sizeof(pkt1);
-			if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_ACK, false, 0, dis->tcp->th_seq, dis->tcp->th_ack, dis->tcp->th_win, SCALE_NONE, timestamps,
-				DF,ttl_orig,IP4_TOS(dis->ip),IP4_IP_ID_FIX(dis->ip),IP6_FLOW(dis->ip6),
-				FOOL_NONE,0,0,NULL, 0, pkt1, &pkt1_len))
-			{
-				DLOG_ERR("cannot prepare split SYNACK ACK part\n");
-				goto send_orig;
-			}
-			for (int i=0;i<2;i++)
+			for (int i=0;i<ct;i++)
 			{
 				switch(ss[i])
 				{
 					case 'S':
-						DLOG("split SYNACK : SYN\n");
+						DLOG("sending split SYNACK : SYN\n");
 						if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , dis->data_pkt, dis->len_pkt))
 							goto send_orig;
 						break;
 					case 'A':
-						DLOG("split SYNACK : ACK\n");
+						DLOG("sending split SYNACK : ACK\n");
 						if (!rawsend_rep(dp->desync_repeats,(struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
 							goto send_orig;
 						break;
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@ -30,7 +30,6 @@
 #include <sys/stat.h>
 #include <netinet/in.h>
 #include <syslog.h>
-#include <grp.h>

 #ifdef __CYGWIN__
 #include "win.h"
@ -298,7 +297,7 @@ static int nfq_main(void)
 	}

 	sec_harden();
-	if (params.droproot && !droproot(params.uid, params.gid, params.gid_count) || !dropcaps())
+	if (params.droproot && !droproot(params.uid, params.gid) || !dropcaps())
 		goto err;
 	print_id();
 	if (params.droproot && !test_list_files())
@ -422,7 +421,7 @@ static int dvt_main(void)
 		goto exiterr;


-	if (params.droproot && !droproot(params.uid, params.gid, params.gid_count))
+	if (params.droproot && !droproot(params.uid, params.gid))
 		goto exiterr;
 	print_id();
 	if (params.droproot && !test_list_files())
@ -528,7 +527,13 @@ static int win_main(const char *windivert_filter)
 	WINDIVERT_ADDRESS wa;
 	char ifname[IFNAMSIZ];

-	if (params.daemon) daemonize();
+	if (params.daemon)
+	{
+		// cygwin loses current dir
+		char *cwd = get_current_dir_name();
+		daemonize();
+		chdir(cwd);
+	}

 	if (*params.pidfile && !writepid(params.pidfile))
 	{
@ -643,6 +648,33 @@ static int win_main(const char *windivert_filter)



+static bool parse_ws_scale_factor(char *s, uint16_t *wsize, uint8_t *wscale)
+{
+	int v;
+	char *p;
+
+	if ((p = strchr(s,':'))) *p++=0;
+	v = atoi(s);
+	if (v < 0 || v>65535)
+	{
+		DLOG_ERR("bad wsize\n");
+		return false;
+	}
+	*wsize=(uint16_t)v;
+	if (p && *p)
+	{
+		v = atoi(p);
+		if (v < 0 || v>255)
+		{
+			DLOG_ERR("bad wscale\n");
+			return false;
+		}
+		*wscale = (uint8_t)v;
+	}
+	return true;
+}
+
+

 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 static void cleanup_args()
@ -675,61 +707,6 @@ static void exit_clean(int code)
 	exit(code);
 }

-
-static bool parse_uid(const char *opt, uid_t *uid, gid_t *gid, int *gid_count, int max_gids)
-{
-	unsigned int u;
-	char c, *p, *e;
-
-	*gid_count=0;
-	if ((e = strchr(optarg,':'))) *e++=0;
-	if (sscanf(opt,"%u",&u)!=1) return false;
-	*uid = (uid_t)u;
-	for (p=e ; p ; )
-	{
-		if ((e = strchr(p,',')))
-		{
-			c=*e;
-			*e=0;
-		}
-		if (p)
-		{
-			if (sscanf(p,"%u",&u)!=1) return false;
-			if (*gid_count>=max_gids) return false;
-			gid[(*gid_count)++] = (gid_t)u;
-		}
-		if (e) *e++=c;
-		p = e;
-	}
-	return true;
-}
-
-static bool parse_ws_scale_factor(char *s, uint16_t *wsize, uint8_t *wscale)
-{
-	int v;
-	char *p;
-
-	if ((p = strchr(s,':'))) *p++=0;
-	v = atoi(s);
-	if (v < 0 || v>65535)
-	{
-		DLOG_ERR("bad wsize\n");
-		return false;
-	}
-	*wsize=(uint16_t)v;
-	if (p && *p)
-	{
-		v = atoi(p);
-		if (v < 0 || v>255)
-		{
-			DLOG_ERR("bad wscale\n");
-			return false;
-		}
-		*wscale = (uint8_t)v;
-	}
-	return true;
-}
-
 static bool parse_cutoff(const char *opt, unsigned int *value, char *mode)
 {
 	*mode = (*opt=='n' || *opt=='d' || *opt=='s') ? *opt++ : 'n';
@ -1491,7 +1468,7 @@ static void exithelp(void)
 		" --pidfile=<filename>\t\t\t\t; write pid to file\n"
 #ifndef __CYGWIN__
 		" --user=<username>\t\t\t\t; drop root privs\n"
-		" --uid=uid[:gid1,gid2,...]\t\t\t; drop root privs\n"
+		" --uid=uid[:gid]\t\t\t\t; drop root privs\n"
 #endif
 #ifdef __linux__
 		" --bind-fix4\t\t\t\t\t; apply outgoing interface selection fix for generated ipv4 packets\n"
@ -1988,10 +1965,9 @@ int main(int argc, char **argv)
 	LIST_INIT(&params.ssid_filter);
 	LIST_INIT(&params.nlm_filter);
 #else
-	if (can_drop_root())
+	if (can_drop_root()) // are we root ?
 	{
-		params.uid = params.gid[0] = 0x7FFFFFFF; // default uid:gid
-		params.gid_count = 1;
+		params.uid = params.gid = 0x7FFFFFFF; // default uid:gid
 		params.droproot = true;
 	}
 #endif
@ -2089,45 +2065,26 @@ int main(int argc, char **argv)
 			break;
 #ifndef __CYGWIN__
 		case IDX_USER:
-		{
-			struct passwd *pwd = getpwnam(optarg);
-			if (!pwd)
 			{
-				DLOG_ERR("non-existent username supplied\n");
-				exit_clean(1);
+				struct passwd *pwd = getpwnam(optarg);
+				if (!pwd)
+				{
+					DLOG_ERR("non-existent username supplied\n");
+					exit_clean(1);
+				}
+				params.uid = pwd->pw_uid;
+				params.gid = pwd->pw_gid;
+				params.droproot = true;
 			}
-			params.uid = pwd->pw_uid;
-			params.gid_count=MAX_GIDS;
-#ifdef __APPLE__
-			// silence warning
-			if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,&params.gid_count)<0)
-#else
-			if (getgrouplist(optarg,pwd->pw_gid,params.gid,&params.gid_count)<0)
-#endif
-			{
-				DLOG_ERR("getgrouplist failed. too much groups ?\n");
-				exit_clean(1);
-			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = pwd->pw_gid;
-				params.gid_count = 1;
-			}
-			params.droproot = true;
 			break;
-		}
 		case IDX_UID:
+			params.gid = 0x7FFFFFFF; // default gid. drop gid=0
 			params.droproot = true;
-			if (!parse_uid(optarg,&params.uid,params.gid,&params.gid_count,MAX_GIDS))
+			if (sscanf(optarg, "%u:%u", &params.uid, &params.gid)<1)
 			{
-				DLOG_ERR("--uid should be : uid[:gid,gid,...]\n");
+				DLOG_ERR("--uid should be : uid[:gid]\n");
 				exit_clean(1);
 			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = 0x7FFFFFFF;
-				params.gid_count = 1;
-			}
 			break;
 #endif
 		case IDX_WSIZE:
--- a/nfq/params.h
+++ b/nfq/params.h
@ -63,8 +63,6 @@
 #define FAKE_MAX_TCP	1460
 #define FAKE_MAX_UDP	1472

-#define MAX_GIDS 64
-
 enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };

 struct fake_tls_mod_cache
@ -193,8 +191,7 @@ struct params_s
 #else
 	bool droproot;
 	uid_t uid;
-	gid_t gid[MAX_GIDS];
-	int gid_count;
+	gid_t gid;
 #endif
 	char pidfile[PATH_MAX];

--- a/nfq/sec.c
+++ b/nfq/sec.c
@ -295,13 +295,8 @@ bool can_drop_root(void)
 #endif
 }

-bool droproot(uid_t uid, gid_t *gid, int gid_count)
+bool droproot(uid_t uid, gid_t gid)
 {
-	if (gid_count<1)
-	{
-		DLOG_ERR("droproot: no groups specified");
-		return false;
-	}
 #ifdef __linux__
 	if (prctl(PR_SET_KEEPCAPS, 1L))
 	{
@ -310,12 +305,12 @@ bool droproot(uid_t uid, gid_t *gid, int gid_count)
 	}
 #endif
 	// drop all SGIDs
-	if (setgroups(gid_count,gid))
+	if (setgroups(0,NULL))
 	{
 		DLOG_PERROR("setgroups");
 		return false;
 	}
-	if (setgid(gid[0]))
+	if (setgid(gid))
 	{
 		DLOG_PERROR("setgid");
 		return false;
@ -348,13 +343,9 @@ void print_id(void)
 #endif


-
 void daemonize(void)
 {
 	int pid;
-#ifdef __CYGWIN__
-	char *cwd = get_current_dir_name();
-#endif

 	pid = fork();
 	if (pid == -1)
@ -365,10 +356,6 @@ void daemonize(void)
 	else if (pid != 0)
 		exit(0);

-#ifdef __CYGWIN__
-	chdir(get_current_dir_name());
-#endif
-
 	if (setsid() == -1)
 		exit(2);
 	if (chdir("/") == -1)
--- a/nfq/sec.h
+++ b/nfq/sec.h
@ -84,7 +84,7 @@ bool dropcaps(void);
 #ifndef __CYGWIN__
 bool sec_harden(void);
 bool can_drop_root(void);
-bool droproot(uid_t uid, gid_t *gid, int gid_count);
+bool droproot(uid_t uid, gid_t gid);
 void print_id(void);
 #endif

--- a/tpws/params.h
+++ b/tpws/params.h
@ -4,7 +4,6 @@
 #include <stdbool.h>
 #include <stdint.h>
 #include <sys/param.h>
-#include <sys/types.h>
 #include <sys/queue.h>
 #include <time.h>
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
@ -19,15 +18,13 @@
 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT	3
 #define	HOSTLIST_AUTO_FAIL_TIME_DEFAULT 	60

-#define FIX_SEG_DEFAULT_MAX_WAIT 50
+#define FIX_SEG_DEFAULT_MAX_WAIT		50

-#define IPCACHE_LIFETIME 7200
-
-#define MAX_GIDS 64
+#define IPCACHE_LIFETIME		7200

 enum bindll { unwanted=0, no, prefer, force };

-#define MAX_BINDS 32
+#define MAX_BINDS	32
 struct bind_s
 {
 	char bindaddr[64],bindiface[IF_NAMESIZE];
@ -36,7 +33,7 @@ struct bind_s
 	int bind_wait_ifup,bind_wait_ip,bind_wait_ip_ll;
 };

-#define MAX_SPLITS 16
+#define MAX_SPLITS	16

 enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };

@ -119,9 +116,8 @@ struct params_s
 	bool droproot;
 	bool daemon;
 	uid_t uid;
-	gid_t gid[MAX_GIDS];
-	int gid_count;
-	char pidfile[PATH_MAX];
+	gid_t gid;
+	char pidfile[256];
 	int maxconn,resolver_threads,maxfiles,max_orphan_time;
 	int local_rcvbuf,local_sndbuf,remote_rcvbuf,remote_sndbuf;
 #if defined(__linux__) || defined(__APPLE__)
--- a/tpws/sec.c
+++ b/tpws/sec.c
@ -169,24 +169,25 @@ static bool set_seccomp(void)

 bool sec_harden(void)
 {
-	bool bRes = true;
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
 	{
 		DLOG_PERROR("PR_SET_NO_NEW_PRIVS(prctl)");
-		bRes = false;
+		return false;
 	}
 #if ARCH_NR!=0
 	if (!set_seccomp())
 	{
 		DLOG_PERROR("seccomp");
 		if (errno==EINVAL) DLOG_ERR("seccomp: this can be safely ignored if kernel does not support seccomp\n");
-		bRes = false;
+		return false;
 	}
 #endif
-	return bRes;
+	return true;
 }


+
+
 bool checkpcap(uint64_t caps)
 {
 	if (!caps) return true; // no special caps reqd
@ -269,13 +270,8 @@ bool can_drop_root(void)
 #endif
 }

-bool droproot(uid_t uid, gid_t *gid, int gid_count)
+bool droproot(uid_t uid, gid_t gid)
 {
-	if (gid_count<1)
-	{
-		DLOG_ERR("droproot: no groups specified");
-		return false;
-	}
 #ifdef __linux__
 	if (prctl(PR_SET_KEEPCAPS, 1L))
 	{
@ -284,12 +280,12 @@ bool droproot(uid_t uid, gid_t *gid, int gid_count)
 	}
 #endif
 	// drop all SGIDs
-	if (setgroups(gid_count,gid))
+	if (setgroups(0,NULL))
 	{
 		DLOG_PERROR("setgroups");
 		return false;
 	}
-	if (setgid(gid[0]))
+	if (setgid(gid))
 	{
 		DLOG_PERROR("setgid");
 		return false;
--- a/tpws/sec.h
+++ b/tpws/sec.h
@ -84,7 +84,7 @@ bool dropcaps(void);

 bool sec_harden(void);
 bool can_drop_root();
-bool droproot(uid_t uid, gid_t *gid, int gid_count);
+bool droproot(uid_t uid, gid_t gid);
 void print_id(void);
 void daemonize(void);
 bool writepid(const char *filename);
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@ -23,7 +23,6 @@
 #include <sys/resource.h>
 #include <time.h>
 #include <syslog.h>
-#include <grp.h>

 #ifdef __ANDROID__
 #include "andr/ifaddrs.h"
@ -215,7 +214,7 @@ static void exithelp(void)
 		" --daemon\t\t\t\t; daemonize\n"
 		" --pidfile=<filename>\t\t\t; write pid to file\n"
 		" --user=<username>\t\t\t; drop root privs\n"
-		" --uid=uid[:gid1,gid2,...]\t\t; drop root privs\n"
+		" --uid=uid[:gid]\t\t\t; drop root privs\n"
 #if defined(__FreeBSD__)
 		" --enable-pf\t\t\t\t; enable PF redirector support. required in FreeBSD when used with PF firewall.\n"
 #endif
@ -584,35 +583,6 @@ static bool parse_ip_list(char *opt, ipset *pp)
 	return true;
 }

-static bool parse_uid(const char *opt, uid_t *uid, gid_t *gid, int *gid_count, int max_gids)
-{
-	unsigned int u;
-	char c, *p, *e;
-
-	*gid_count=0;
-	if ((e = strchr(optarg,':'))) *e++=0;
-	if (sscanf(opt,"%u",&u)!=1) return false;
-	*uid = (uid_t)u;
-	for (p=e ; p ; )
-	{
-		if ((e = strchr(p,',')))
-		{
-			c=*e;
-			*e=0;
-		}
-		if (p)
-		{
-			if (sscanf(p,"%u",&u)!=1) return false;
-			if (*gid_count>=max_gids) return false;
-			gid[(*gid_count)++] = (gid_t)u;
-		}
-		if (e) *e++=c;
-		p = e;
-	}
-	return true;
-}
-
-
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 // no static to not allow optimizer to inline this func (save stack)
 void config_from_file(const char *filename)
@ -867,9 +837,8 @@ void parse_params(int argc, char *argv[])

 	if (can_drop_root())
 	{
-		params.uid = params.gid[0] = 0x7FFFFFFF; // default uid:gid
-		params.gid_count = 1;
-		params.droproot = true;
+	    params.uid = params.gid = 0x7FFFFFFF; // default uid:gid
+	    params.droproot = true;
 	}

 	struct desync_profile_list *dpl;
@ -985,37 +954,18 @@ void parse_params(int argc, char *argv[])
 				exit_clean(1);
 			}
 			params.uid = pwd->pw_uid;
-			params.gid_count=MAX_GIDS;
-#ifdef __APPLE__
-			// silence warning
-			if (getgrouplist(optarg,pwd->pw_gid,(int*)params.gid,&params.gid_count)<0)
-#else
-			if (getgrouplist(optarg,pwd->pw_gid,params.gid,&params.gid_count)<0)
-#endif
-			{
-				DLOG_ERR("getgrouplist failed. too much groups ?\n");
-				exit_clean(1);
-			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = pwd->pw_gid;
-				params.gid_count = 1;
-			}
+			params.gid = pwd->pw_gid;
 			params.droproot = true;
 			break;
 		}
 		case IDX_UID:
+			params.gid=0x7FFFFFFF; // default git. drop gid=0
 			params.droproot = true;
-			if (!parse_uid(optarg,&params.uid,params.gid,&params.gid_count,MAX_GIDS))
+			if (sscanf(optarg,"%u:%u",&params.uid,&params.gid)<1)
 			{
-				DLOG_ERR("--uid should be : uid[:gid,gid,...]\n");
+				DLOG_ERR("--uid should be : uid[:gid]\n");
 				exit_clean(1);
 			}
-			if (!params.gid_count)
-			{
-				params.gid[0] = 0x7FFFFFFF;
-				params.gid_count = 1;
-			}
 			break;
 		case IDX_MAXCONN:
 			params.maxconn = atoi(optarg);
@ -1323,7 +1273,8 @@ void parse_params(int argc, char *argv[])
 			}
 			break;
 		case IDX_PIDFILE:
-			snprintf(params.pidfile,sizeof(params.pidfile),"%s",optarg);
+			strncpy(params.pidfile,optarg,sizeof(params.pidfile));
+			params.pidfile[sizeof(params.pidfile)-1]='\0';
 			break;
 		case IDX_DEBUG:
 			if (optarg)
@ -2136,7 +2087,7 @@ int main(int argc, char *argv[])

 	set_ulimit();
 	sec_harden();
-	if (params.droproot && !droproot(params.uid,params.gid,params.gid_count))
+	if (params.droproot && !droproot(params.uid,params.gid))
 		goto exiterr;
 #ifdef __linux__
 	if (!dropcaps())