drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2025-04-19 21:42:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: drygdryg:master
Branches Tags
drygdryg:master
drygdryg:v70.6
drygdryg:v70.5
drygdryg:v70.4
drygdryg:v70.3
drygdryg:v70
drygdryg:v69.9
drygdryg:v69.8
drygdryg:v69.7
drygdryg:v69.6
drygdryg:v69.5
drygdryg:v69.4
drygdryg:v69.3
drygdryg:v69.2
drygdryg:v69.1
drygdryg:v69
drygdryg:v68
drygdryg:v67
drygdryg:v66
drygdryg:v65
drygdryg:v64
..
compare: drygdryg:v70.5
Branches Tags
drygdryg:master
drygdryg:v70.6
drygdryg:v70.5
drygdryg:v70.4
drygdryg:v70.3
drygdryg:v70
drygdryg:v69.9
drygdryg:v69.8
drygdryg:v69.7
drygdryg:v69.6
drygdryg:v69.5
drygdryg:v69.4
drygdryg:v69.3
drygdryg:v69.2
drygdryg:v69.1
drygdryg:v69
drygdryg:v68
drygdryg:v67
drygdryg:v66
drygdryg:v65
drygdryg:v64

No commits in common. "master" and "v70.5" have entirely different histories.
master ... v70.5

33 changed files with 699 additions and 1291 deletions
Show Stats Expand all files Collapse all files

1
.github/workflows/build.yml vendored
View File

@ -401,7 +401,6 @@ jobs:
uses: crazy-max/ghaction-upx@v3
with:
install-only: true
version: v4.2.4
- name: Prepare binaries
shell: bash

26
blockcheck.sh
View File

@ -341,19 +341,12 @@ netcat_test()
}
}
tpws_can_fix_seg()
{
# fix-seg requires kernel 4.6+
"$TPWS" --port 1 --dry-run --fix-seg >/dev/null 2>/dev/null
}
check_system()
{
echo \* checking system
UNAME=$(uname)
SUBSYS=
FIX_SEG=
local s
# can be passed FWTYPE=iptables to override default nftables preference
@ -361,14 +354,6 @@ check_system()
Linux)
PKTWS="$NFQWS"
PKTWSD=nfqws
if [ -x "$TPWS" ] ; then
if tpws_can_fix_seg ; then
echo tpws supports --fix-seg on this system
FIX_SEG='--fix-seg'
else
echo tpws does not support --fix-seg on this system
fi
fi
linux_fwtype
[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
echo firewall type $FWTYPE not supported in $UNAME
@ -1445,11 +1430,6 @@ warn_mss()
[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
return 0
}
fix_seg()
{
# $1 - split-pos
[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
}
tpws_check_domain_http_bypass_()
{
@ -1475,7 +1455,7 @@ tpws_check_domain_http_bypass_()
done
for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for s in $splits_http ; do
tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
tpws_curl_test_update $1 $3 --split-pos=$s $s2 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return
break
}
@ -1490,7 +1470,7 @@ tpws_check_domain_http_bypass_()
s3=${mss:+--mss=$mss}
for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for pos in $splits_tls; do
tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
tpws_curl_test_update $1 $3 --split-pos=$pos $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return
need_mss=0
break
@ -1498,7 +1478,7 @@ tpws_check_domain_http_bypass_()
done
done
for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' '--tlsrec=sniext+1 --split-pos=1,midsld' '--tlsrec=sniext+4 --split-pos=1,midsld' ; do
tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
[ "$SCANLEVEL" = quick ] && return
need_mss=0

14
docs/changes.txt
View File

@ -471,17 +471,3 @@ v70.5
nfqws: multiple --dpi-desync-fake-xxx
nfqws: support of inter-packet fragmented QUIC CRYPTO
v70.6
nfqws: detect Discord Voice IP discovery packets
nfqws: detect STUN message packets
nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
nfqws: multiple mods for multiple TLS fakes
init.d: remove 50-discord
blockcheck: use tpws --fix-seg on linux for multiple splits
v70.7
nfqws,tpws: debug tls version, alpn, ech

6
docs/compile/build_howto_openwrt.txt
View File

@ -12,10 +12,10 @@ Other packages may be required on your distribution. Look for the errors.
examples :
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xvf -
cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
3) Install required libs
@ -48,7 +48,7 @@ static build : make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
executables only : build_dir/target/<progname>
ipk or apk packages : bin/packages/*/base
8) Installing to openwrt to use with zapret
8) Installating to openwrt to use with zapret
zapret with or without binaries should be already installed in /opt/zapret.
Install ipk's or apk's with all compiled progs using opkg or apk.

4
docs/compile/build_howto_unix.txt
View File

@ -1,7 +1,7 @@
debian,ubuntu :
apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libsystemd-dev
make -C /opt/zapret systemd
apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev
make -C /opt/zapret
FreeBSD :

31
docs/readme.en.md
View File

@ -1,4 +1,4 @@
# zapret v70.6
# zapret v70.5
# SCAMMER WARNING
@ -174,14 +174,12 @@ nfqws takes the following parameters:
--dpi-desync-any-protocol=0|1 ; 0(default)=desync only http and tls 1=desync any nonempty data packet
--dpi-desync-fake-http=<filename>|0xHEX ; file containing fake http request
--dpi-desync-fake-tls=<filename>|0xHEX ; file containing fake TLS ClientHello (for https)
--dpi-desync-fake-tls-mod=mod[,mod] ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,sni=<sni>,dupsid,padencap
--dpi-desync-fake-tls-mod=mod[,mod] ; comma separated list of TLS fake mods. available mods : none,rnd,rndsni,dupsid,padencap
--dpi-desync-fake-unknown=<filename>|0xHEX ; file containing unknown protocol fake payload
--dpi-desync-fake-syndata=<filename>|0xHEX ; file containing SYN data payload
--dpi-desync-fake-quic=<filename>|0xHEX ; file containing fake QUIC Initial
--dpi-desync-fake-wireguard=<filename>|0xHEX ; file containing fake wireguard handshake initiation
--dpi-desync-fake-dht=<filename>|0xHEX ; file containing fake DHT (d1..e)
--dpi-desync-fake-discord=<filename>|0xHEX ; file containing fake Discord voice connection initiation packet (IP Discovery)
--dpi-desync-fake-stun=<filename>|0xHEX ; file containing fake STUN message
--dpi-desync-fake-unknown-udp=<filename>|0xHEX ; file containing unknown udp protocol fake payload
--dpi-desync-udplen-increment=<int> ; increase or decrease udp packet length by N bytes (default 2). negative values decrease length.
--dpi-desync-udplen-pattern=<filename>|0xHEX ; udp tail fill pattern
@ -201,7 +199,7 @@ nfqws takes the following parameters:
--filter-l3=ipv4|ipv6 ; L3 protocol filter. multiple comma separated values allowed.
--filter-tcp=[~]port1[-port2]|* ; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list supported.
--filter-udp=[~]port1[-port2]|* ; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list supported.
--filter-l7=<proto> ; L6-L7 protocol filter. multiple comma separated values allowed. proto: http tls quic wireguard dht discord stun unknown
--filter-l7=[http|tls|quic|wireguard|dht|unknown] ; L6-L7 protocol filter. multiple comma separated values allowed.
--ipset=<filename> ; ipset include filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
--ipset-ip=<ip_list> ; comma separated fixed subnet list
--ipset-exclude=<filename> ; ipset exclude filter (one ip/CIDR per line, ipv4 and ipv6 accepted, gzip supported, multiple ipsets allowed)
@ -285,19 +283,14 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
* `rnd`. Randomize `random` and `session id` fields. Applied on every request.
* `rndsni`. Randomize SNI. If SNI >=7 symbols random SLD is applied with known TLD. Otherwise filled with random symbols. Applied only once at startup.
* `dupsid`. Copy `session ID` from original TLS Client Hello. Takes precedence over `rnd`. Applied on every request.
* `sni=<sni>`. Set specified SNI value. Changes TLS fake length, fixes lengths in TLS structure. Applied once at startup before `rndsni`.
* `padencap`. Padding extension is extended by original TLS Client Hello size (including multi packet variation with kyber). Padding extension is added to the end if not present, otherwise it must be the last extension. All lengths are increased. Fake size is not changed. Can be useful if DPI does not analyze sequence numbers properly. Applied on every request.
By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
This behaviour is compatible with previous versions with addition of `dupsid`.
If multiple TLS fakes are present each one takes the last mod.
If a mod is specified after fake it replaces previous mod.
This way it's possible to use different mods for every TLS fake.
If TLS mod is enabled and there're multiple TLS fakes, all valid TLS Client Hello fakes are modified.
If there's no TLS Client Hello program exits with error.
If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
### TCP segmentation
@ -481,7 +474,7 @@ This option can resist DPIs that track outgoing UDP packet sizes.
Requires that application protocol does not depend on udp payload size.
QUIC initial packets are recognized. Decryption and hostname extraction is supported so `--hostlist` parameter will work.
Wireguard handshake initiation, DHT, STUN and [Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery) packets are also recognized.
Wireguard handshake initiation and DHT packets are also recognized.
For other protocols desync use `--dpi-desync-any-protocol`.
Conntrack supports udp. `--dpi-desync-cutoff` will work. UDP conntrack timeout can be set in the 4th parameter of `--ctrack-timeouts`.
@ -1451,8 +1444,12 @@ If this is the case then run another script in background and add some delay the
Are welcome here :
USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
```
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
```
BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC
```
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
```

35
docs/readme.md
View File

@ -1,4 +1,4 @@
# zapret v70.6
# zapret v70.5
# ВНИМАНИЕ, остерегайтесь мошенников
@ -196,13 +196,11 @@ dvtws, собираемый из тех же исходников (см. [док
--dpi-desync-any-protocol=0|1 ; 0(default)=работать только по http request и tls clienthello 1=по всем непустым пакетам данных
--dpi-desync-fake-http=<filename>|0xHEX ; файл, содержащий фейковый http запрос для dpi-desync=fake, на замену стандартному www.iana.org
--dpi-desync-fake-tls=<filename>|0xHEX ; файл, содержащий фейковый tls clienthello для dpi-desync=fake, на замену стандартному
--dpi-desync-fake-tls-mod=mod[,mod] ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,sni=<sni>,dupsid,padencap
--dpi-desync-fake-tls-mod=mod[,mod] ; список через запятую режимов runtime модификации фейков : none,rnd,rndsni,dupsid,padencap
--dpi-desync-fake-unknown=<filename>|0xHEX ; файл, содержащий фейковый пейлоад неизвестного протокола для dpi-desync=fake, на замену стандартным нулям 256 байт
--dpi-desync-fake-syndata=<filename>|0xHEX ; файл, содержащий фейковый пейлоад пакета SYN для режима десинхронизации syndata
--dpi-desync-fake-quic=<filename>|0xHEX ; файл, содержащий фейковый QUIC Initial
--dpi-desync-fake-dht=<filename>|0xHEX ; файл, содержащий фейковый пейлоад DHT протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
--dpi-desync-fake-discord=<filename>|0xHEX ; файл, содержащий фейковый пейлоад Discord протокола нахождения IP адреса для голосовых чатов для dpi-desync=fake, на замену стандартным нулям 64 байт
--dpi-desync-fake-stun=<filename>|0xHEX ; файл, содержащий фейковый пейлоад STUN протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
--dpi-desync-fake-unknown-udp=<filename>|0xHEX ; файл, содержащий фейковый пейлоад неизвестного udp протокола для dpi-desync=fake, на замену стандартным нулям 64 байт
--dpi-desync-udplen-increment=<int> ; насколько увеличивать длину udp пейлоада в режиме udplen
--dpi-desync-udplen-pattern=<filename>|0xHEX ; чем добивать udp пакет в режиме udplen. по умолчанию - нули
@ -228,7 +226,7 @@ dvtws, собираемый из тех же исходников (см. [док
--filter-l3=ipv4|ipv6 ; фильтр версии ip для текущей стратегии
--filter-tcp=[~]port1[-port2]|* ; фильтр портов tcp для текущей стратегии. ~ означает инверсию. установка фильтра tcp и неустановка фильтра udp запрещает udp. поддерживается список через запятую.
--filter-udp=[~]port1[-port2]|* ; фильтр портов udp для текущей стратегии. ~ означает инверсию. установка фильтра udp и неустановка фильтра tcp запрещает tcp. поддерживается список через запятую.
--filter-l7=<proto> ; фильтр протокола L6-L7. поддерживается несколько значений через запятую. proto : http tls quic wireguard dht discord stun unknown
--filter-l7=[http|tls|quic|wireguard|dht|unknown] ; фильтр протокола L6-L7. поддерживается несколько значений через запятую.
--ipset=<filename> ; включающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
--ipset-ip=<ip_list> ; фиксированный список подсетей через запятую. можно использовать # в начале для комментирования отдельных подсетей.
--ipset-exclude=<filename> ; исключающий ip list. на каждой строчке ip или cidr ipv4 или ipv6. поддерживается множество листов и gzip. перечитка автоматическая.
@ -340,21 +338,13 @@ dvtws, собираемый из тех же исходников (см. [док
* `rnd`. Рандомизировать поля `random` и `session id`. Выполняется на каждый запрос.
* `dupsid`. Копировать `session ID` из передаваемого TLS Client Hello. Имеет приоритет над `rnd`. Выполняется на каждый запрос.
* `rndsni`. Рандомизировать SNI. Если SNI >=7 символов, применяется случайный домен 2 уровня с известным TLD, иначе заполняется случайными символами без точки. Выполняется один раз при старте.
* `sni=<sni>`. Заменить sni на указанное значение. Макс длина SNI - 63 байта. Общая длина TLS фейка и длины в структуре TLS Client Hello меняются. Выполняется один раз при старте. Если сочетается с `rndsni`, выполняется до него.
* `padencap`. Расширяется padding extension на размер передаваемого TLS Client Hello (включая многопакетный вариант с kyber). Если padding отсутствует, он добавляется в конец. Если присутствует - требуется, чтобы padding шел последним extension. Правятся все длины, чтобы создать видимость включения передаваемого TLS Client Hello в padding extension. Размер фейка не изменяется. Расчет идет на DPI, который не анализирует sequence numbers должным образом. Выполняется на каждый запрос.
По умолчанию если не задан собственный фейк для TLS используются модификации `rnd,rndsni,dupsid`. Если фейк задан, используется `none`.
Это соответствует поведению программы более старых версий с добавлением функции `dupsid`.
Если задан режим модификации и имеется множество TLS фейков, к каждому из них применяется последний режим модификации.
Если режим модификации задан после фейка, то он замещает предыдущий режим.
Таким образом можно использовать разные режимы модификации для разных фейков.
При невозможности модифицировать фейк на этапе запуска программа завершается с ошибкой.
Если сначала идет TLS фейк, для него задан режим однократной модификации, затем идет не TLS фейк, то будет ошибка.
Нужно использовать `--dpi-desync-fake-tls-mod=none'.
Пример : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'
Если задан режим модификации и имеется множество TLS фейков, модифицируются все фейки, являющиеся TLS Client Hello.
Если нет ни одного TLS Client Hello фейка, программа завершается с ошибкой.
### TCP СЕГМЕНТАЦИЯ
@ -585,8 +575,7 @@ chrome рандомизирует фингерпринт TLS. SNI может о
На текущий момент работает только с DHT.
Поддерживается определение пакетов QUIC Initial с расшифровкой содержимого и имени хоста, то есть параметр
`--hostlist` будет работать.
Определяются пакеты wireguard handshake initiation, DHT (начинается с 'd1', кончается 'e'), STUN и
[Discord Voice IP Discovery](https://discord.com/developers/docs/topics/voice-connections#ip-discovery).
Определяются пакеты wireguard handshake initiation и DHT (начинается с 'd1', кончается 'e').
Для десинхронизации других протоколов обязательно указывать `--dpi-desync-any-protocol`.
Реализован conntrack для udp. Можно пользоваться --dpi-desync-cutoff. Таймаут conntrack для udp
можно изменить 4-м параметром в `--ctrack-timeouts`.
@ -2368,8 +2357,12 @@ VPS можно приобрести в множестве мест. Сущест
## Поддержать разработчика
USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
<img src=https://cdn-icons-png.flaticon.com/16/14446/14446252.png alt="USDT" style="vertical-align: middle;"/> USDT
```
0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E
```
BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
ETH `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
<img src=https://cdn-icons-png.flaticon.com/16/5968/5968260.png alt="USDT" style="vertical-align: middle;"/> BTC
```
bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve
```

BIN
files/fake/discord-ip-discovery-with-port.bin
View File

Binary file not shown.

BIN
files/fake/discord-ip-discovery-without-port.bin
View File

Binary file not shown.

BIN
files/fake/isakmp_initiator_request.bin
View File

Binary file not shown.

BIN
files/fake/stun.bin
View File

Binary file not shown.

BIN
files/fake/tls_clienthello_www_google_com.bin
View File

Binary file not shown.

75
init.d/custom.d.examples.linux/50-discord Normal file
View File

File diff suppressed because one or more lines are too long

74
init.d/custom.d.examples.linux/50-nfqws-ipset
View File

@ -1,74 +0,0 @@
# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
# can override in config :
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
alloc_dnum DNUM_NFQWS_MY1
alloc_qnum QNUM_NFQWS_MY1
NFQWS_MY1_SET_NAME=my1nfqws4
zapret_custom_daemons()
{
# $1 - 1 - run, 0 - stop
local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
}
zapret_custom_firewall()
{
# $1 - 1 - run, 0 - stop
local f
local first_packets_only="$ipt_connbytes 1:3"
local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
local subnet
local DISABLE_IPV6=1
[ "$1" = 1 ] && {
ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
ipset flush $NFQWS_MY1_SET_NAME
for subnet in $NFQWS_MY1_SUBNETS; do
echo add $NFQWS_MY1_SET_NAME $subnet
done | ipset -! restore
}
f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
[ "$1" = 1 ] || {
ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
}
}
zapret_custom_firewall_nft()
{
# stop logic is not required
local f
local first_packets_only="$nft_connbytes 1-3"
local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
local subnets
local DISABLE_IPV6=1
make_comma_list subnets $NFQWS_MY1_SUBNETS
nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
nft_flush_set $NFQWS_MY1_SET_NAME
nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
f="udp dport {$NFQWS_MY1_PORTS}"
nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
}
zapret_custom_firewall_nft_flush()
{
# this function is called after all nft fw rules are deleted
# however sets are not deleted. it's desired to clear sets here.
nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
}

2
init.d/systemd/nfqws@.service
View File

@ -1,7 +1,7 @@
# Example systemd service unit for nfqws. Adjust for your installation.
# WARNING ! This unit requires to compile nfqws using `make systemd`
# WARNING ! This makefile target enables special systemd notify support.
# WARNING ! This makefile target enabled special systemd notify support.
# PREPARE
# install build depends

2
init.d/systemd/tpws@.service
View File

@ -1,7 +1,7 @@
# Example systemd service unit for tpws. Adjust for your installation.
# WARNING ! This unit requires to compile tpws using `make systemd`
# WARNING ! This makefile target enables special systemd notify support.
# WARNING ! This makefile target enabled special systemd notify support.
# PREPARE
# install build depends

46
ip2net/ip2net.c
View File

@ -225,28 +225,6 @@ static void exithelp(void)
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
enum opt_indices {
IDX_HELP,
IDX_H,
IDX_4,
IDX_6,
IDX_PREFIX_LENGTH,
IDX_V4_THRESHOLD,
IDX_V6_THRESHOLD,
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_H] = {"h", no_argument, 0, 0},
[IDX_4] = {"4", no_argument, 0, 0},
[IDX_6] = {"6", no_argument, 0, 0},
[IDX_PREFIX_LENGTH] = {"prefix-length", required_argument, 0, 0},
[IDX_V4_THRESHOLD] = {"v4-threshold", required_argument, 0, 0},
[IDX_V6_THRESHOLD] = {"v6-threshold", required_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
static void parse_params(int argc, char *argv[])
{
int option_index = 0;
@ -258,23 +236,33 @@ static void parse_params(int argc, char *argv[])
params.pctdiv = DEFAULT_PCTDIV;
params.v6_threshold = DEFAULT_V6_THRESHOLD;
const struct option long_options[] = {
{ "help",no_argument,0,0 },// optidx=0
{ "h",no_argument,0,0 },// optidx=1
{ "4",no_argument,0,0 },// optidx=2
{ "6",no_argument,0,0 },// optidx=3
{ "prefix-length",required_argument,0,0 },// optidx=4
{ "v4-threshold",required_argument,0,0 },// optidx=5
{ "v6-threshold",required_argument,0,0 },// optidx=6
{ NULL,0,NULL,0 }
};
while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
{
if (v) exithelp();
switch (option_index)
{
case IDX_HELP:
case IDX_H:
case 0:
case 1:
PRINT_VER;
exithelp();
break;
case IDX_4:
case 2:
params.ipv6 = false;
break;
case IDX_6:
case 3:
params.ipv6 = true;
break;
case IDX_PREFIX_LENGTH:
case 4:
i = sscanf(optarg,"%u-%u",&plen1,&plen2);
if (i == 1) plen2 = plen1;
if (i<=0 || plen2<plen1 || !plen1 || !plen2)
@ -283,7 +271,7 @@ static void parse_params(int argc, char *argv[])
exit(1);
}
break;
case IDX_V4_THRESHOLD:
case 5:
i = sscanf(optarg, "%u/%u", &params.pctmult, &params.pctdiv);
if (i!=2 || params.pctdiv<2 || params.pctmult<1 || params.pctmult>=params.pctdiv)
{
@ -291,7 +279,7 @@ static void parse_params(int argc, char *argv[])
exit(1);
}
break;
case IDX_V6_THRESHOLD:
case 6:
i = sscanf(optarg, "%u", &params.v6_threshold);
if (i != 1 || params.v6_threshold<1)
{

4
ipset/def.sh
View File

@ -274,9 +274,7 @@ hup_zapret_daemons()
if exists killall; then
killall -HUP tpws nfqws dvtws 2>/dev/null
elif exists pkill; then
pkill -HUP ^tpws$
pkill -HUP ^nfqws$
pkill -HUP ^dvtws$
pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
else
echo no mass killer available ! cant HUP zapret daemons
fi

57
mdig/mdig.c
View File

@ -467,38 +467,25 @@ static void exithelp(void)
#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
#endif
enum opt_indices {
IDX_HELP,
IDX_THREADS,
IDX_FAMILY,
IDX_VERBOSE,
IDX_STATS,
IDX_LOG_RESOLVED,
IDX_LOG_FAILED,
IDX_DNS_MAKE_QUERY,
IDX_DNS_PARSE_QUERY,
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_THREADS] = {"threads", required_argument, 0, 0},
[IDX_FAMILY] = {"family", required_argument, 0, 0},
[IDX_VERBOSE] = {"verbose", no_argument, 0, 0},
[IDX_STATS] = {"stats", required_argument, 0, 0},
[IDX_LOG_RESOLVED] = {"log-resolved", required_argument, 0, 0},
[IDX_LOG_FAILED] = {"log-failed", required_argument, 0, 0},
[IDX_DNS_MAKE_QUERY] = {"dns-make-query", required_argument, 0, 0},
[IDX_DNS_PARSE_QUERY] = {"dns-parse-query", no_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
int main(int argc, char **argv)
{
int r, v, option_index = 0;
char fn1[256],fn2[256];
char dom[256];
static const struct option long_options[] = {
{"help",no_argument,0,0}, // optidx=0
{"threads",required_argument,0,0}, // optidx=1
{"family",required_argument,0,0}, // optidx=2
{"verbose",no_argument,0,0}, // optidx=3
{"stats",required_argument,0,0}, // optidx=4
{"log-resolved",required_argument,0,0}, // optidx=5
{"log-failed",required_argument,0,0}, // optidx=6
{"dns-make-query",required_argument,0,0}, // optidx=7
{"dns-parse-query",no_argument,0,0}, // optidx=8
{NULL,0,NULL,0}
};
memset(&glob, 0, sizeof(glob));
*fn1 = *fn2 = *dom = 0;
glob.family = FAMILY4;
@ -508,11 +495,11 @@ int main(int argc, char **argv)
if (v) exithelp();
switch (option_index)
{
case IDX_HELP:
case 0: /* help */
PRINT_VER;
exithelp();
break;
case IDX_THREADS:
case 1: /* threads */
glob.threads = optarg ? atoi(optarg) : 0;
if (glob.threads <= 0 || glob.threads > 100)
{
@ -520,7 +507,7 @@ int main(int argc, char **argv)
return 1;
}
break;
case IDX_FAMILY:
case 2: /* family */
if (!strcmp(optarg, "4"))
glob.family = FAMILY4;
else if (!strcmp(optarg, "6"))
@ -533,25 +520,25 @@ int main(int argc, char **argv)
return 1;
}
break;
case IDX_VERBOSE:
case 3: /* verbose */
glob.verbose = '\1';
break;
case IDX_STATS:
case 4: /* stats */
glob.stats_every = optarg ? atoi(optarg) : 0;
break;
case IDX_LOG_RESOLVED:
case 5: /* log-resolved */
strncpy(fn1,optarg,sizeof(fn1));
fn1[sizeof(fn1)-1] = 0;
break;
case IDX_LOG_FAILED:
case 6: /* log-failed */
strncpy(fn2,optarg,sizeof(fn2));
fn2[sizeof(fn2)-1] = 0;
break;
case IDX_DNS_MAKE_QUERY:
case 7: /* dns-make-query */
strncpy(dom,optarg,sizeof(dom));
dom[sizeof(dom)-1] = 0;
break;
case IDX_DNS_PARSE_QUERY:
case 8: /* dns-parse-query */
return dns_parse_query();
}
}

223
nfq/desync.c
View File

@ -16,65 +16,51 @@ const char *fake_http_request_default = "GET / HTTP/1.1\r\nHost: www.iana.org\r\
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
"Accept-Encoding: gzip, deflate, br\r\n\r\n";
// SNI - www.microsoft.com
const uint8_t fake_tls_clienthello_default[680] = {
0x16, 0x03, 0x01, 0x02, 0xa3, 0x01, 0x00, 0x02, 0x9f, 0x03, 0x03, 0x41,
0x88, 0x82, 0x2d, 0x4f, 0xfd, 0x81, 0x48, 0x9e, 0xe7, 0x90, 0x65, 0x1f,
0xba, 0x05, 0x7b, 0xff, 0xa7, 0x5a, 0xf9, 0x5b, 0x8a, 0x8f, 0x45, 0x8b,
0x41, 0xf0, 0x3d, 0x1b, 0xdd, 0xe3, 0xf8, 0x20, 0x9b, 0x23, 0xa5, 0xd2,
0x21, 0x1e, 0x9f, 0xe7, 0x85, 0x6c, 0xfc, 0x61, 0x80, 0x3a, 0x3f, 0xba,
0xb9, 0x60, 0xba, 0xb3, 0x0e, 0x98, 0x27, 0x6c, 0xf7, 0x38, 0x28, 0x65,
0x80, 0x5d, 0x40, 0x38, 0x00, 0x22, 0x13, 0x01, 0x13, 0x03, 0x13, 0x02,
0xc0, 0x2b, 0xc0, 0x2f, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x2c, 0xc0, 0x30,
0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x9c, 0x00, 0x9d,
0x00, 0x2f, 0x00, 0x35, 0x01, 0x00, 0x02, 0x34, 0x00, 0x00, 0x00, 0x16,
0x00, 0x14, 0x00, 0x00, 0x11, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63,
0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x17,
0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0e, 0x00,
0x0c, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x01, 0x00, 0x01,
0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, 0x32, 0x08, 0x68, 0x74, 0x74,
0x70, 0x2f, 0x31, 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x22, 0x00, 0x0a, 0x00, 0x08, 0x04, 0x03, 0x05, 0x03,
0x06, 0x03, 0x02, 0x03, 0x00, 0x12, 0x00, 0x00, 0x00, 0x33, 0x00, 0x6b,
0x00, 0x69, 0x00, 0x1d, 0x00, 0x20, 0x69, 0x15, 0x16, 0x29, 0x6d, 0xad,
0xd5, 0x68, 0x88, 0x27, 0x2f, 0xde, 0xaf, 0xac, 0x3c, 0x4c, 0xa4, 0xe4,
0xd8, 0xc8, 0xfb, 0x41, 0x87, 0xf4, 0x76, 0x4e, 0x0e, 0xfa, 0x64, 0xc4,
0xe9, 0x29, 0x00, 0x17, 0x00, 0x41, 0x04, 0xfe, 0x62, 0xb9, 0x08, 0xc8,
0xc3, 0x2a, 0xb9, 0x87, 0x37, 0x84, 0x42, 0x6b, 0x5c, 0xcd, 0xc9, 0xca,
0x62, 0x38, 0xd3, 0xd9, 0x99, 0x8a, 0xc4, 0x2d, 0xc6, 0xd0, 0xa3, 0x60,
0xb2, 0x12, 0x54, 0x41, 0x8e, 0x52, 0x5e, 0xe3, 0xab, 0xf9, 0xc2, 0x07,
0x81, 0xdc, 0xf8, 0xf2, 0x6a, 0x91, 0x40, 0x2f, 0xcb, 0xa4, 0xff, 0x6f,
0x24, 0xc7, 0x4d, 0x77, 0x77, 0x2d, 0x6f, 0xe0, 0x77, 0xaa, 0x92, 0x00,
0x2b, 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 0x0d, 0x00, 0x18,
0x00, 0x16, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x08, 0x04, 0x08, 0x05,
0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x03, 0x02, 0x01,
0x00, 0x2d, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1c, 0x00, 0x02, 0x40, 0x01,
0x00, 0x1b, 0x00, 0x07, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xfe,
0x0d, 0x01, 0x19, 0x00, 0x00, 0x01, 0x00, 0x03, 0x21, 0x00, 0x20, 0x62,
0xe8, 0x83, 0xd8, 0x97, 0x05, 0x8a, 0xbe, 0xa1, 0xf2, 0x63, 0x4e, 0xce,
0x93, 0x84, 0x8e, 0xcf, 0xe7, 0xdd, 0xb2, 0xe4, 0x87, 0x06, 0xac, 0x11,
0x19, 0xbe, 0x0e, 0x71, 0x87, 0xf1, 0xa6, 0x00, 0xef, 0xd8, 0x6b, 0x27,
0x5e, 0xc0, 0xa7, 0x5d, 0x42, 0x4e, 0x8c, 0xdc, 0xf3, 0x9f, 0x1c, 0x51,
0x62, 0xef, 0xff, 0x5b, 0xed, 0xc8, 0xfd, 0xee, 0x6f, 0xbb, 0x88, 0x9b,
0xb1, 0x30, 0x9c, 0x66, 0x42, 0xab, 0x0f, 0x66, 0x89, 0x18, 0x8b, 0x11,
0xc1, 0x6d, 0xe7, 0x2a, 0xeb, 0x96, 0x3b, 0x7f, 0x52, 0x78, 0xdb, 0xf8,
0x6d, 0x04, 0xf7, 0x95, 0x1a, 0xa8, 0xf0, 0x64, 0x52, 0x07, 0x39, 0xf0,
0xa8, 0x1d, 0x0d, 0x16, 0x36, 0xb7, 0x18, 0x0e, 0xc8, 0x44, 0x27, 0xfe,
0xf3, 0x31, 0xf0, 0xde, 0x8c, 0x74, 0xf5, 0xa1, 0xd8, 0x8f, 0x6f, 0x45,
0x97, 0x69, 0x79, 0x5e, 0x2e, 0xd4, 0xb0, 0x2c, 0x0c, 0x1a, 0x6f, 0xcc,
0xce, 0x90, 0xc7, 0xdd, 0xc6, 0x60, 0x95, 0xf3, 0xc2, 0x19, 0xde, 0x50,
0x80, 0xbf, 0xde, 0xf2, 0x25, 0x63, 0x15, 0x26, 0x63, 0x09, 0x1f, 0xc5,
0xdf, 0x32, 0xf5, 0xea, 0x9c, 0xd2, 0xff, 0x99, 0x4e, 0x67, 0xa2, 0xe5,
0x1a, 0x94, 0x85, 0xe3, 0xdf, 0x36, 0xa5, 0x83, 0x4b, 0x0a, 0x1c, 0xaf,
0xd7, 0x48, 0xc9, 0x4b, 0x8a, 0x27, 0xdd, 0x58, 0x7f, 0x95, 0xf2, 0x6b,
0xde, 0x2b, 0x12, 0xd3, 0xec, 0x4d, 0x69, 0x37, 0x9c, 0x13, 0x9b, 0x16,
0xb0, 0x45, 0x52, 0x38, 0x77, 0x69, 0xef, 0xaa, 0x65, 0x19, 0xbc, 0xc2,
0x93, 0x4d, 0xb0, 0x1b, 0x7f, 0x5b, 0x41, 0xff, 0xaf, 0xba, 0x50, 0x51,
0xc3, 0xf1, 0x27, 0x09, 0x25, 0xf5, 0x60, 0x90, 0x09, 0xb1, 0xe5, 0xc0,
0xc7, 0x42, 0x78, 0x54, 0x3b, 0x23, 0x19, 0x7d, 0x8e, 0x72, 0x13, 0xb4,
0xd3, 0xcd, 0x63, 0xb6, 0xc4, 0x4a, 0x28, 0x3d, 0x45, 0x3e, 0x8b, 0xdb,
0x84, 0x4f, 0x78, 0x64, 0x30, 0x69, 0xe2, 0x1b
// random : +11 size 32
// random : +44 size 32
// sni : gatech.edu +125 size 11
const uint8_t fake_tls_clienthello_default[648] = {
0x16,0x03,0x01,0x02,0x83,0x01,0x00,0x02,0x7f,0x03,0x03,0x98,0xfb,0x69,0x1d,0x31,
0x66,0xc4,0xd8,0x07,0x25,0x2b,0x74,0x47,0x01,0x44,0x09,0x08,0xcf,0x13,0x67,0xe0,
0x46,0x19,0x1f,0xcb,0xee,0xe6,0x8e,0x33,0xb9,0x91,0xa0,0x20,0xf2,0xed,0x56,0x73,
0xa4,0x0a,0xce,0xa6,0xad,0xd2,0xfd,0x71,0xb8,0xb9,0xfd,0x06,0x0e,0xdd,0xf0,0x57,
0x37,0x7d,0x96,0xb5,0x80,0x6e,0x54,0xe2,0x15,0xce,0x5f,0xff,0x00,0x22,0x13,0x01,
0x13,0x03,0x13,0x02,0xc0,0x2b,0xc0,0x2f,0xcc,0xa9,0xcc,0xa8,0xc0,0x2c,0xc0,0x30,
0xc0,0x0a,0xc0,0x09,0xc0,0x13,0xc0,0x14,0x00,0x9c,0x00,0x9d,0x00,0x2f,0x00,0x35,
0x01,0x00,0x02,0x14,0x00,0x00,0x00,0x0f,0x00,0x0d,0x00,0x00,0x0a,0x67,0x61,0x74,
0x65,0x63,0x68,0x2e,0x65,0x64,0x75,0x00,0x17,0x00,0x00,0xff,0x01,0x00,0x01,0x00,
0x00,0x0a,0x00,0x0e,0x00,0x0c,0x00,0x1d,0x00,0x17,0x00,0x18,0x00,0x19,0x01,0x00,
0x01,0x01,0x00,0x0b,0x00,0x02,0x01,0x00,0x00,0x10,0x00,0x0e,0x00,0x0c,0x02,0x68,
0x32,0x08,0x68,0x74,0x74,0x70,0x2f,0x31,0x2e,0x31,0x00,0x05,0x00,0x05,0x01,0x00,
0x00,0x00,0x00,0x00,0x22,0x00,0x0a,0x00,0x08,0x04,0x03,0x05,0x03,0x06,0x03,0x02,
0x03,0x00,0x33,0x00,0x6b,0x00,0x69,0x00,0x1d,0x00,0x20,0x72,0xe5,0xce,0x58,0x31,
0x3c,0x08,0xaa,0x2f,0xa8,0x40,0xe7,0x7a,0xdf,0x46,0x5b,0x63,0x62,0xc7,0xfa,0x49,
0x18,0xac,0xa1,0x00,0x7c,0x42,0xc5,0x02,0x94,0x5c,0x44,0x00,0x17,0x00,0x41,0x04,
0x8f,0x3e,0x5f,0xd4,0x7f,0x37,0x47,0xd3,0x33,0x70,0x38,0x7f,0x11,0x35,0xc1,0x55,
0x8a,0x6c,0xc7,0x5a,0xd4,0xf7,0x31,0xbb,0x9e,0xee,0xd1,0x8f,0x74,0xdd,0x9b,0xbb,
0x91,0xa1,0x72,0xda,0xeb,0xf6,0xc6,0x82,0x84,0xfe,0xb7,0xfd,0x7b,0xe1,0x9f,0xd2,
0xb9,0x3e,0x83,0xa6,0x9c,0xac,0x81,0xe2,0x00,0xd5,0x19,0x55,0x91,0xa7,0x0c,0x29,
0x00,0x2b,0x00,0x05,0x04,0x03,0x04,0x03,0x03,0x00,0x0d,0x00,0x18,0x00,0x16,0x04,
0x03,0x05,0x03,0x06,0x03,0x08,0x04,0x08,0x05,0x08,0x06,0x04,0x01,0x05,0x01,0x06,
0x01,0x02,0x03,0x02,0x01,0x00,0x1c,0x00,0x02,0x40,0x01,0xfe,0x0d,0x01,0x19,0x00,
0x00,0x01,0x00,0x01,0xfe,0x00,0x20,0xae,0x8b,0x30,0x3c,0xf0,0xa9,0x0d,0xa1,0x69,
0x95,0xb8,0xe2,0xed,0x08,0x6d,0x48,0xdf,0xf7,0x5b,0x9d,0x66,0xef,0x15,0x97,0xbc,
0x2c,0x99,0x91,0x12,0x7a,0x35,0xd0,0x00,0xef,0xb1,0x8d,0xff,0x61,0x57,0x52,0xef,
0xd6,0xea,0xbf,0xf3,0x6d,0x78,0x14,0x38,0xff,0xeb,0x58,0xe8,0x9d,0x59,0x4b,0xd5,
0x9f,0x59,0x12,0xf9,0x03,0x9a,0x20,0x37,0x85,0x77,0xb1,0x4c,0xd8,0xef,0xa6,0xc8,
0x54,0x8d,0x07,0x27,0x95,0xce,0xd5,0x37,0x4d,0x69,0x18,0xd4,0xfd,0x5e,0xdf,0x64,
0xcc,0x10,0x2f,0x7f,0x0e,0xc9,0xfd,0xd4,0xd0,0x18,0x61,0x1b,0x57,0x8f,0x41,0x7f,
0x6f,0x4f,0x5c,0xad,0x04,0xc6,0x5e,0x74,0x54,0x87,0xba,0x28,0xe6,0x11,0x0b,0x9d,
0x3f,0x0b,0x6d,0xf4,0x2d,0xfc,0x31,0x4e,0xfd,0x49,0xe7,0x15,0x96,0xaf,0xee,0x9a,
0x48,0x1b,0xae,0x5e,0x7c,0x20,0xbe,0xb4,0xec,0x68,0xb6,0x74,0x22,0xa0,0xec,0xff,
0x19,0x96,0xe4,0x10,0x8f,0x3c,0x91,0x88,0xa1,0xcc,0x78,0xef,0x4e,0x0e,0xe3,0xb6,
0x57,0x8c,0x33,0xef,0xaa,0xb0,0x1d,0x45,0x1c,0x02,0x4c,0xe2,0x80,0x30,0xe8,0x48,
0x7a,0x09,0x71,0x94,0x7c,0xb6,0x75,0x81,0x1c,0xae,0xe3,0x3f,0xde,0xea,0x2b,0x45,
0xcc,0xe3,0x64,0x09,0xf7,0x60,0x26,0x0c,0x7d,0xad,0x55,0x65,0xb6,0xf5,0x85,0x04,
0x64,0x2f,0x97,0xd0,0x6a,0x06,0x36,0xcd,0x25,0xda,0x51,0xab,0xd6,0xf7,0x5e,0xeb,
0xd4,0x03,0x39,0xa4,0xc4,0x2a,0x9c,0x17,0xe8,0xb0,0x9f,0xc0,0xd3,0x8c,0x76,0xdd,
0xa1,0x0b,0x76,0x9f,0x23,0xfa,0xed,0xfb,0xd7,0x78,0x0f,0x00,0xf7,0x45,0x03,0x04,
0x84,0x66,0x6b,0xec,0xc7,0xed,0xbc,0xe4
};
#define PKTDATA_MAXDUMP 32
@ -83,81 +69,6 @@ const uint8_t fake_tls_clienthello_default[680] = {
#define TCP_MAX_REASM 16384
#define UDP_MAX_REASM 16384
static void TLSDebugHandshake(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<6) return;
const uint8_t *ext;
size_t len,len2;
uint16_t v_handshake=pntoh16(tls+4), v, v2;
DLOG("TLS handshake version : %s\n",TLSVersionStr(v_handshake));
if (TLSFindExtInHandshake(tls,sz,43,&ext,&len,false))
{
if (len)
{
len2 = ext[0];
if (len2<len)
{
for(ext++,len2&=~1 ; len2 ; len2-=2,ext+=2)
{
v = pntoh16(ext);
DLOG("TLS supported versions ext : %s\n",TLSVersionStr(v));
}
}
}
}
else
DLOG("TLS supported versions ext : not present\n");
if (TLSFindExtInHandshake(tls,sz,16,&ext,&len,false))
{
if (len>=2)
{
len2 = pntoh16(ext);
if (len2<=(len-2))
{
char s[32];
for(ext+=2; len2 ;)
{
v = *ext; ext++; len2--;
if (v<=len2)
{
v2 = v<sizeof(s) ? v : sizeof(s)-1;
memcpy(s,ext,v2);
s[v2]=0;
DLOG("TLS ALPN ext : %s\n",s);
len2-=v;
ext+=v;
}
else
break;
}
}
}
}
else
DLOG("TLS ALPN ext : not present\n");
DLOG("TLS ECH ext : %s\n",TLSFindExtInHandshake(tls,sz,65037,NULL,NULL,false) ? "present" : "not present");
}
static void TLSDebug(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<11) return;
DLOG("TLS record layer version : %s\n",TLSVersionStr(pntoh16(tls+1)));
size_t reclen=TLSRecordLen(tls);
if (reclen<sz) sz=reclen; // correct len if it has more data than the first tls record has
TLSDebugHandshake(tls+5,sz-5);
}
bool desync_valid_zero_stage(enum dpi_desync_mode mode)
{
return mode==DESYNC_SYNACK || mode==DESYNC_SYNDATA;
@ -698,12 +609,12 @@ static uint16_t IP4_IP_ID_FIX(const struct ip *ip)
// fake_mod buffer must at least sizeof(desync_profile->fake_tls)
// size does not change
// return : true - altered, false - not altered
static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, const struct fake_tls_mod *tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache, uint8_t fake_tls_mod, const uint8_t *fake_data, size_t fake_data_size, const uint8_t *payload, size_t payload_len, uint8_t *fake_mod)
{
bool b=false;
if (modcache) // it's filled only if it's TLS
{
if (tls_mod->mod & FAKE_TLS_MOD_PADENCAP)
if (fake_tls_mod & FAKE_TLS_MOD_PADENCAP)
{
size_t sz_rec = pntoh16(fake_data+3) + payload_len;
size_t sz_handshake = pntoh24(fake_data+6) + payload_len;
@ -719,22 +630,18 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
phton16(fake_mod+modcache->extlen_offset,(uint16_t)sz_ext);
phton16(fake_mod+modcache->padlen_offset,(uint16_t)sz_pad);
b=true;
DLOG("fake[%d] applied padencap tls mod. sizes increased by %zu bytes.\n", fake_n, payload_len);
}
}
if (tls_mod->mod & FAKE_TLS_MOD_RND)
if (fake_tls_mod & FAKE_TLS_MOD_RND)
{
if (!b) memcpy(fake_mod,fake_data,fake_data_size);
fill_random_bytes(fake_mod+11,32); // random
fill_random_bytes(fake_mod+44,fake_mod[43]); // session id
b=true;
DLOG("fake[%d] applied rnd tls mod\n", fake_n);
}
if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
if (fake_tls_mod & FAKE_TLS_MOD_DUP_SID)
{
if (payload_len<44)
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is too short.\n",fake_n);
else if (fake_data[43]!=payload[43])
if (fake_data[43]!=payload[43])
DLOG("fake[%d] cannot apply dupsid tls mod. fake and orig session id length mismatch.\n",fake_n);
else if (payload_len<(44+payload[43]))
DLOG("fake[%d] cannot apply dupsid tls mod. data payload is not valid.\n",fake_n);
@ -743,7 +650,6 @@ static bool runtime_tls_mod(int fake_n,const struct fake_tls_mod_cache *modcache
if (!b) memcpy(fake_mod,fake_data,fake_data_size);
memcpy(fake_mod+44,payload+44,fake_mod[43]); // session id
b=true;
DLOG("fake[%d] applied dupsid tls mod\n", fake_n);
}
}
}
@ -1041,8 +947,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
DLOG(bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n");
l7proto = TLS;
if (bReqFull) TLSDebug(rdata_payload,rlen_payload);
bHaveHost=TLSHelloExtractHost(rdata_payload,rlen_payload,host,sizeof(host),TLS_PARTIALS_ENABLE);
if (ctrack)
@ -1145,10 +1049,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
{
struct desync_profile *dp_prev = dp;
dp = dp_find(&params.desync_profiles, IPPROTO_TCP, (struct sockaddr *)&dst,
ctrack_replay ? ctrack_replay->hostname : bHaveHost ? host : NULL,
ctrack_replay ? ctrack_replay->l7proto : l7proto,
&bCheckDone, &bCheckResult, &bCheckExcluded);
dp = dp_find(&params.desync_profiles, IPPROTO_TCP, (struct sockaddr *)&dst, ctrack_replay ? ctrack_replay->hostname : host, ctrack_replay ? ctrack_replay->l7proto : l7proto, &bCheckDone, &bCheckResult, &bCheckExcluded);
if (ctrack_replay)
{
ctrack_replay->dp = dp;
@ -1403,7 +1304,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
{
case TLS:
if ((fake_item->size <= sizeof(fake_data_buf)) &&
runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra,(struct fake_tls_mod *)fake_item->extra2, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
runtime_tls_mod(n,(struct fake_tls_mod_cache *)fake_item->extra, dp->fake_tls_mod, fake_item->data, fake_item->size, rdata_payload, rlen_payload, fake_data_buf))
{
fake_data = fake_data_buf;
break;
@ -2069,8 +1970,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
DLOG(bIsHello ? bReqFull ? "packet contains full TLS ClientHello\n" : "packet contains partial TLS ClientHello\n" : "packet does not contain TLS ClientHello\n");
if (bReqFull) TLSDebugHandshake(defrag+hello_offset,hello_len);
if (ctrack)
{
if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
@ -2180,18 +2079,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
l7proto = DHT;
if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
}
else if (IsDiscordIpDiscoveryRequest(dis->data_payload,dis->len_payload))
{
DLOG("packet contains discord voice IP discovery\n");
l7proto = DISCORD;
if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
}
else if (IsStunMessage(dis->data_payload,dis->len_payload))
{
DLOG("packet contains STUN message\n");
l7proto = STUN;
if (ctrack && ctrack->l7proto==UNKNOWN) ctrack->l7proto = l7proto;
}
else
{
if (!dp->desync_any_proto)
@ -2304,12 +2191,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
case DHT:
fake = &dp->fake_dht;
break;
case DISCORD:
fake = &dp->fake_discord;
break;
case STUN:
fake = &dp->fake_stun;
break;
default:
fake = &dp->fake_unknown_udp;
break;

2
nfq/desync.h
View File

@ -41,7 +41,7 @@ enum dpi_desync_mode {
};
extern const char *fake_http_request_default;
extern const uint8_t fake_tls_clienthello_default[680];
extern const uint8_t fake_tls_clienthello_default[648];
void randomize_default_tls_payload(uint8_t *p);
enum dpi_desync_mode desync_mode_from_string(const char *s);

698
nfq/nfqws.c
View File

File diff suppressed because it is too large Load Diff

33
nfq/params.c
View File

@ -185,6 +185,7 @@ void dp_init(struct desync_profile *dp)
dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
dp->desync_repeats = 1;
dp->fake_tls_mod = 0;
dp->fake_syndata_size = 16;
dp->wscale=-1; // default - dont change scale factor (client)
dp->desync_ttl6 = 0xFF; // unused
@ -205,11 +206,8 @@ bool dp_fake_defaults(struct desync_profile *dp)
return false;
if (blob_collection_empty(&dp->fake_tls))
{
if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
if (!blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4))
return false;
if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
return false;
*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
}
if (blob_collection_empty(&dp->fake_unknown))
{
@ -224,15 +222,23 @@ bool dp_fake_defaults(struct desync_profile *dp)
memset(item->data,0,item->size);
item->data[0] = 0x40;
}
struct blob_collection_head **fake,*fakes_z64[] = {&dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, &dp->fake_unknown_udp,NULL};
for(fake=fakes_z64;*fake;fake++)
if (blob_collection_empty(&dp->fake_wg))
{
if (blob_collection_empty(*fake))
{
if (!(item=blob_collection_add_blob(*fake,NULL,64,0)))
if (!(item=blob_collection_add_blob(&dp->fake_wg,NULL,64,0)))
return false;
memset(item->data,0,item->size);
}
if (blob_collection_empty(&dp->fake_dht))
{
if (!(item=blob_collection_add_blob(&dp->fake_dht,NULL,64,0)))
return false;
memset(item->data,0,item->size);
}
if (blob_collection_empty(&dp->fake_unknown_udp))
{
if (!(item=blob_collection_add_blob(&dp->fake_unknown_udp,NULL,64,0)))
return false;
memset(item->data,0,item->size);
}
return true;
}
@ -263,9 +269,14 @@ static void dp_clear_dynamic(struct desync_profile *dp)
ipset_collection_destroy(&dp->ips_collection_exclude);
port_filters_destroy(&dp->pf_tcp);
port_filters_destroy(&dp->pf_udp);
blob_collection_destroy(&dp->fake_http);
blob_collection_destroy(&dp->fake_tls);
blob_collection_destroy(&dp->fake_unknown);
blob_collection_destroy(&dp->fake_unknown_udp);
blob_collection_destroy(&dp->fake_quic);
blob_collection_destroy(&dp->fake_wg);
blob_collection_destroy(&dp->fake_dht);
HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
struct blob_collection_head **fake,*fakes[] = {&dp->fake_http, &dp->fake_tls, &dp->fake_unknown, &dp->fake_unknown_udp, &dp->fake_quic, &dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, NULL};
for(fake=fakes;*fake;fake++) blob_collection_destroy(*fake);
}
void dp_clear(struct desync_profile *dp)
{

13
nfq/params.h
View File

@ -44,8 +44,7 @@
#define FAKE_TLS_MOD_RND 0x10
#define FAKE_TLS_MOD_DUP_SID 0x20
#define FAKE_TLS_MOD_RND_SNI 0x40
#define FAKE_TLS_MOD_SNI 0x80
#define FAKE_TLS_MOD_PADENCAP 0x100
#define FAKE_TLS_MOD_PADENCAP 0x80
#define FAKE_MAX_TCP 1460
#define FAKE_MAX_UDP 1472
@ -56,11 +55,6 @@ struct fake_tls_mod_cache
{
size_t extlen_offset, padlen_offset;
};
struct fake_tls_mod
{
char sni[64];
uint32_t mod;
};
struct desync_profile
{
@ -89,12 +83,11 @@ struct desync_profile
uint32_t desync_fooling_mode;
uint32_t desync_badseq_increment, desync_badseq_ack_increment;
struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht,fake_discord,fake_stun;
struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht;
uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
size_t fake_syndata_size;
struct fake_tls_mod tls_mod_last;
struct blob_item *tls_fake_last;
uint8_t fake_tls_mod;
int udplen_increment;

1
nfq/pools.c
View File

@ -570,7 +570,6 @@ void blob_collection_destroy(struct blob_collection_head *head)
{
LIST_REMOVE(entry, next);
free(entry->extra);
free(entry->extra2);
free(entry->data);
free(entry);
}

1
nfq/pools.h
View File

@ -153,7 +153,6 @@ struct blob_item {
size_t size; // main data blob size
size_t size_buf;// main data blob allocated size
void *extra; // any data without size
void *extra2; // any data without size
LIST_ENTRY(blob_item) next;
};
LIST_HEAD(blob_collection_head, blob_item);

34
nfq/protocol.c
View File

@ -35,8 +35,6 @@ const char *l7proto_str(t_l7proto l7)
case QUIC: return "quic";
case WIREGUARD: return "wireguard";
case DHT: return "dht";
case DISCORD: return "discord";
case STUN: return "stun";
default: return "unknown";
}
}
@ -47,9 +45,7 @@ bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
(l7proto==DHT && (filter_l7 & L7_PROTO_DHT)) ||
(l7proto==DISCORD && (filter_l7 & L7_PROTO_DISCORD)) ||
(l7proto==STUN && (filter_l7 & L7_PROTO_STUN));
(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
}
#define PM_ABS 0
@ -345,19 +341,6 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
}
const char *TLSVersionStr(uint16_t tlsver)
{
switch(tlsver)
{
case 0x0301: return "TLS 1.0";
case 0x0302: return "TLS 1.1";
case 0x0303: return "TLS 1.2";
case 0x0304: return "TLS 1.3";
default:
// 0x0a0a, 0x1a1a, ..., 0xfafa
return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
}
}
uint16_t TLSRecordDataLen(const uint8_t *data)
{
@ -1023,18 +1006,3 @@ bool IsDhtD1(const uint8_t *data, size_t len)
{
return len>=7 && data[0]=='d' && data[1]=='1' && data[len-1]=='e';
}
bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
{
return len==74 &&
data[0]==0 && data[1]==1 &&
data[2]==0 && data[3]==70 &&
data[8]==0 && memcmp(&data[8],&data[9],63)==0; // address is not set in requests
}
bool IsStunMessage(const uint8_t *data, size_t len)
{
return len>=20 && // header size
(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
(data[3]&0b11)==0 && // length must be a multiple of 4
ntohl(*(uint32_t*)(&data[4]))==0x2112A442 && // magic cookie
ntohs(*(uint16_t*)(&data[2]))==len-20;
}

7
nfq/protocol.h
View File

@ -7,14 +7,12 @@
#include "crypto/aes-gcm.h"
#include "helpers.h"
typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT, DISCORD, STUN} t_l7proto;
typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
#define L7_PROTO_HTTP 0x00000001
#define L7_PROTO_TLS 0x00000002
#define L7_PROTO_QUIC 0x00000004
#define L7_PROTO_WIREGUARD 0x00000008
#define L7_PROTO_DHT 0x00000010
#define L7_PROTO_DISCORD 0x00000020
#define L7_PROTO_STUN 0x00000040
#define L7_PROTO_UNKNOWN 0x80000000
const char *l7proto_str(t_l7proto l7);
bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
@ -57,7 +55,6 @@ int HttpReplyCode(const uint8_t *data, size_t len);
// must be pre-checked by IsHttpReply
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
const char *TLSVersionStr(uint16_t tlsver);
uint16_t TLSRecordDataLen(const uint8_t *data);
size_t TLSRecordLen(const uint8_t *data);
bool IsTLSRecordFull(const uint8_t *data, size_t len);
@ -75,8 +72,6 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos
bool IsWireguardHandshakeInitiation(const uint8_t *data, size_t len);
bool IsDhtD1(const uint8_t *data, size_t len);
bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len);
bool IsStunMessage(const uint8_t *data, size_t len);
#define QUIC_MAX_CID_LENGTH 20
typedef struct quic_cid {

4
tpws/Makefile
View File

@ -3,7 +3,7 @@ CFLAGS += -std=gnu99 -Os -flto=auto
CFLAGS_SYSTEMD = -DUSE_SYSTEMD
CFLAGS_BSD = -Wno-address-of-packed-member
LIBS = -lz -lpthread
LIBS_SYSTEMD = -lsystemd
LIBS_SYSTEMD = -lz -lsystemd
LIBS_ANDROID = -lz
SRC_FILES = *.c
SRC_FILES_ANDROID = $(SRC_FILES) andr/*.c
@ -14,7 +14,7 @@ tpws: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES) $(LIBS) $(LDFLAGS)
systemd: $(SRC_FILES)
$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS) $(LIBS_SYSTEMD) $(LDFLAGS)
$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o tpws $(SRC_FILES) $(LIBS_SYSTEMD) $(LDFLAGS)
android: $(SRC_FILES)
$(CC) -s $(CFLAGS) -o tpws $(SRC_FILES_ANDROID) $(LIBS_ANDROID) $(LDFLAGS)

14
tpws/protocol.c
View File

@ -339,20 +339,6 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz)
const char *TLSVersionStr(uint16_t tlsver)
{
switch(tlsver)
{
case 0x0301: return "TLS 1.0";
case 0x0302: return "TLS 1.1";
case 0x0303: return "TLS 1.2";
case 0x0304: return "TLS 1.3";
default:
// 0x0a0a, 0x1a1a, ..., 0xfafa
return (((tlsver & 0x0F0F) == 0x0A0A) && ((tlsver>>12)==((tlsver>>4)&0xF))) ? "GREASE" : "UNKNOWN";
}
}
uint16_t TLSRecordDataLen(const uint8_t *data)
{
return pntoh16(data + 3);

1
tpws/protocol.h
View File

@ -53,7 +53,6 @@ int HttpReplyCode(const uint8_t *data, size_t len);
// must be pre-checked by IsHttpReply
bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);
const char *TLSVersionStr(uint16_t tlsver);
uint16_t TLSRecordDataLen(const uint8_t *data);
size_t TLSRecordLen(const uint8_t *data);
bool IsTLSRecordFull(const uint8_t *data, size_t len);

76
tpws/tamper.c
View File

@ -15,81 +15,6 @@ void packet_debug(const uint8_t *data, size_t sz)
hexdump_limited_dlog(data, sz, PKTDATA_MAXDUMP); VPRINT("\n");
}
static void TLSDebugHandshake(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<6) return;
const uint8_t *ext;
size_t len,len2;
uint16_t v_handshake=pntoh16(tls+4), v, v2;
VPRINT("TLS handshake version : %s\n",TLSVersionStr(v_handshake));
if (TLSFindExtInHandshake(tls,sz,43,&ext,&len,false))
{
if (len)
{
len2 = ext[0];
if (len2<len)
{
for(ext++,len2&=~1 ; len2 ; len2-=2,ext+=2)
{
v = pntoh16(ext);
VPRINT("TLS supported versions ext : %s\n",TLSVersionStr(v));
}
}
}
}
else
VPRINT("TLS supported versions ext : not present\n");
if (TLSFindExtInHandshake(tls,sz,16,&ext,&len,false))
{
if (len>=2)
{
len2 = pntoh16(ext);
if (len2<=(len-2))
{
char s[32];
for(ext+=2; len2 ;)
{
v = *ext; ext++; len2--;
if (v<=len2)
{
v2 = v<sizeof(s) ? v : sizeof(s)-1;
memcpy(s,ext,v2);
s[v2]=0;
VPRINT("TLS ALPN ext : %s\n",s);
len2-=v;
ext+=v;
}
else
break;
}
}
}
}
else
VPRINT("TLS ALPN ext : not present\n");
VPRINT("TLS ECH ext : %s\n",TLSFindExtInHandshake(tls,sz,65037,NULL,NULL,false) ? "present" : "not present");
}
static void TLSDebug(const uint8_t *tls,size_t sz)
{
if (!params.debug) return;
if (sz<11) return;
VPRINT("TLS record layer version : %s\n",TLSVersionStr(pntoh16(tls+1)));
size_t reclen=TLSRecordLen(tls);
if (reclen<sz) sz=reclen; // correct len if it has more data than the first tls record has
TLSDebugHandshake(tls+5,sz-5);
}
static bool dp_match(struct desync_profile *dp, const struct sockaddr *dest, const char *hostname, t_l7proto l7proto)
{
bool bHostlistsEmpty;
@ -205,7 +130,6 @@ void tamper_out(t_ctrack *ctrack, const struct sockaddr *dest, uint8_t *segment,
{
VPRINT("Data block contains TLS ClientHello\n");
l7proto=TLS;
TLSDebug(segment,*size);
bHaveHost=TLSHelloExtractHost((uint8_t*)segment,*size,Host,sizeof(Host),false);
}
else

424
tpws/tpws.c
View File

@ -610,188 +610,6 @@ static bool check_oob_disorder(const struct desync_profile *dp)
}
#endif
enum opt_indices {
IDX_HELP,
IDX_H,
IDX_BIND_ADDR,
IDX_BIND_IFACE4,
IDX_BIND_IFACE6,
IDX_BIND_LINKLOCAL,
IDX_BIND_WAIT_IFUP,
IDX_BIND_WAIT_IP,
IDX_BIND_WAIT_IP_LINKLOCAL,
IDX_BIND_WAIT_ONLY,
IDX_PORT,
IDX_DAEMON,
IDX_USER,
IDX_UID,
IDX_MAXCONN,
IDX_MAXFILES,
IDX_MAX_ORPHAN_TIME,
IDX_HOSTCASE,
IDX_HOSTSPELL,
IDX_HOSTDOT,
IDX_HOSTNOSPACE,
IDX_HOSTPAD,
IDX_DOMCASE,
IDX_SPLIT_HTTP_REQ,
IDX_SPLIT_TLS,
IDX_SPLIT_POS,
IDX_SPLIT_ANY_PROTOCOL,
IDX_DISORDER,
IDX_OOB,
IDX_OOB_DATA,
IDX_METHODSPACE,
IDX_METHODEOL,
IDX_HOSTTAB,
IDX_UNIXEOL,
IDX_TLSREC,
IDX_TLSREC_POS,
IDX_HOSTLIST,
IDX_HOSTLIST_DOMAINS,
IDX_HOSTLIST_EXCLUDE,
IDX_HOSTLIST_EXCLUDE_DOMAINS,
IDX_HOSTLIST_AUTO,
IDX_HOSTLIST_AUTO_FAIL_THRESHOLD,
IDX_HOSTLIST_AUTO_FAIL_TIME,
IDX_HOSTLIST_AUTO_DEBUG,
IDX_PIDFILE,
IDX_DEBUG,
IDX_DEBUG_LEVEL,
IDX_DRY_RUN,
IDX_VERSION,
IDX_COMMENT,
IDX_LOCAL_RCVBUF,
IDX_LOCAL_SNDBUF,
IDX_REMOTE_RCVBUF,
IDX_REMOTE_SNDBUF,
IDX_SOCKS,
IDX_NO_RESOLVE,
IDX_RESOLVER_THREADS,
IDX_SKIP_NODELAY,
IDX_TAMPER_START,
IDX_TAMPER_CUTOFF,
IDX_CONNECT_BIND_ADDR,
IDX_NEW,
IDX_SKIP,
IDX_FILTER_L3,
IDX_FILTER_TCP,
IDX_FILTER_L7,
IDX_IPSET,
IDX_IPSET_IP,
IDX_IPSET_EXCLUDE,
IDX_IPSET_EXCLUDE_IP,
#if defined(__FreeBSD__)
IDX_ENABLE_PF,
#elif defined(__APPLE__)
IDX_LOCAL_TCP_USER_TIMEOUT,
IDX_REMOTE_TCP_USER_TIMEOUT,
#elif defined(__linux__)
IDX_LOCAL_TCP_USER_TIMEOUT,
IDX_REMOTE_TCP_USER_TIMEOUT,
IDX_MSS,
IDX_FIX_SEG,
#ifdef SPLICE_PRESENT
IDX_NOSPLICE,
#endif
#endif
IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD, // ignored. for nfqws command line compatibility
IDX_LAST,
};
static const struct option long_options[] = {
[IDX_HELP] = {"help", no_argument, 0, 0},
[IDX_H] = {"h", no_argument, 0, 0},
[IDX_BIND_ADDR] = {"bind-addr", required_argument, 0, 0},
[IDX_BIND_IFACE4] = {"bind-iface4", required_argument, 0, 0},
[IDX_BIND_IFACE6] = {"bind-iface6", required_argument, 0, 0},
[IDX_BIND_LINKLOCAL] = {"bind-linklocal", required_argument, 0, 0},
[IDX_BIND_WAIT_IFUP] = {"bind-wait-ifup", required_argument, 0, 0},
[IDX_BIND_WAIT_IP] = {"bind-wait-ip", required_argument, 0, 0},
[IDX_BIND_WAIT_IP_LINKLOCAL] = {"bind-wait-ip-linklocal", required_argument, 0, 0},
[IDX_BIND_WAIT_ONLY] = {"bind-wait-only", no_argument, 0, 0},
[IDX_PORT] = {"port", required_argument, 0, 0},
[IDX_DAEMON] = {"daemon", no_argument, 0, 0},
[IDX_USER] = {"user", required_argument, 0, 0},
[IDX_UID] = {"uid", required_argument, 0, 0},
[IDX_MAXCONN] = {"maxconn", required_argument, 0, 0},
[IDX_MAXFILES] = {"maxfiles", required_argument, 0, 0},
[IDX_MAX_ORPHAN_TIME] = {"max-orphan-time", required_argument, 0, 0},
[IDX_HOSTCASE] = {"hostcase", no_argument, 0, 0},
[IDX_HOSTSPELL] = {"hostspell", required_argument, 0, 0},
[IDX_HOSTDOT] = {"hostdot", no_argument, 0, 0},
[IDX_HOSTNOSPACE] = {"hostnospace", no_argument, 0, 0},
[IDX_HOSTPAD] = {"hostpad", required_argument, 0, 0},
[IDX_DOMCASE] = {"domcase", no_argument, 0, 0},
[IDX_SPLIT_HTTP_REQ] = {"split-http-req", required_argument, 0, 0},
[IDX_SPLIT_TLS] = {"split-tls", required_argument, 0, 0},
[IDX_SPLIT_POS] = {"split-pos", required_argument, 0, 0},
[IDX_SPLIT_ANY_PROTOCOL] = {"split-any-protocol", optional_argument, 0, 0},
[IDX_DISORDER] = {"disorder", optional_argument, 0, 0},
[IDX_OOB] = {"oob", optional_argument, 0, 0},
[IDX_OOB_DATA] = {"oob-data", required_argument, 0, 0},
[IDX_METHODSPACE] = {"methodspace", no_argument, 0, 0},
[IDX_METHODEOL] = {"methodeol", no_argument, 0, 0},
[IDX_HOSTTAB] = {"hosttab", no_argument, 0, 0},
[IDX_UNIXEOL] = {"unixeol", no_argument, 0, 0},
[IDX_TLSREC] = {"tlsrec", required_argument, 0, 0},
[IDX_TLSREC_POS] = {"tlsrec-pos", required_argument, 0, 0},
[IDX_HOSTLIST] = {"hostlist", required_argument, 0, 0},
[IDX_HOSTLIST_DOMAINS] = {"hostlist-domains", required_argument, 0, 0},
[IDX_HOSTLIST_EXCLUDE] = {"hostlist-exclude", required_argument, 0, 0},
[IDX_HOSTLIST_EXCLUDE_DOMAINS] = {"hostlist-exclude-domains", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO] = {"hostlist-auto", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_FAIL_THRESHOLD] = {"hostlist-auto-fail-threshold", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_FAIL_TIME] = {"hostlist-auto-fail-time", required_argument, 0, 0},
[IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
[IDX_PIDFILE] = {"pidfile", required_argument, 0, 0},
[IDX_DEBUG] = {"debug", optional_argument, 0, 0},
[IDX_DEBUG_LEVEL] = {"debug-level", required_argument, 0, 0},
[IDX_DRY_RUN] = {"dry-run", no_argument, 0, 0},
[IDX_VERSION] = {"version", no_argument, 0, 0},
[IDX_COMMENT] = {"comment", optional_argument, 0, 0},
[IDX_LOCAL_RCVBUF] = {"local-rcvbuf", required_argument, 0, 0},
[IDX_LOCAL_SNDBUF] = {"local-sndbuf", required_argument, 0, 0},
[IDX_REMOTE_RCVBUF] = {"remote-rcvbuf", required_argument, 0, 0},
[IDX_REMOTE_SNDBUF] = {"remote-sndbuf", required_argument, 0, 0},
[IDX_SOCKS] = {"socks", no_argument, 0, 0},
[IDX_NO_RESOLVE] = {"no-resolve", no_argument, 0, 0},
[IDX_RESOLVER_THREADS] = {"resolver-threads", required_argument, 0, 0},
[IDX_SKIP_NODELAY] = {"skip-nodelay", no_argument, 0, 0},
[IDX_TAMPER_START] = {"tamper-start", required_argument, 0, 0},
[IDX_TAMPER_CUTOFF] = {"tamper-cutoff", required_argument, 0, 0},
[IDX_CONNECT_BIND_ADDR] = {"connect-bind-addr", required_argument, 0, 0},
[IDX_NEW] = {"new", no_argument, 0, 0},
[IDX_SKIP] = {"skip", no_argument, 0, 0},
[IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
[IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
[IDX_FILTER_L7] = {"filter-l7", required_argument, 0, 0},
[IDX_IPSET] = {"ipset", required_argument, 0, 0},
[IDX_IPSET_IP] = {"ipset-ip", required_argument, 0, 0},
[IDX_IPSET_EXCLUDE] = {"ipset-exclude", required_argument, 0, 0},
[IDX_IPSET_EXCLUDE_IP] = {"ipset-exclude-ip", required_argument, 0, 0},
#if defined(__FreeBSD__)
[IDX_ENABLE_PF] = {"enable-pf", no_argument, 0, 0},
#elif defined(__APPLE__)
[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
#elif defined(__linux__)
[IDX_LOCAL_TCP_USER_TIMEOUT] = {"local-tcp-user-timeout", required_argument, 0, 0},
[IDX_REMOTE_TCP_USER_TIMEOUT] = {"remote-tcp-user-timeout", required_argument, 0, 0},
[IDX_MSS] = {"mss", required_argument, 0, 0},
[IDX_FIX_SEG] = {"fix-seg", optional_argument, 0, 0},
#ifdef SPLICE_PRESENT
[IDX_NOSPLICE] = {"nosplice", no_argument, 0, 0},
#endif
#endif
[IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD] = {"hostlist-auto-retrans-threshold", optional_argument, 0, 0},
[IDX_LAST] = {NULL, 0, NULL, 0},
};
void parse_params(int argc, char *argv[])
{
int option_index = 0;
@ -846,6 +664,96 @@ void parse_params(int argc, char *argv[])
}
#endif
const struct option long_options[] = {
{ "help",no_argument,0,0 },// optidx=0
{ "h",no_argument,0,0 },// optidx=1
{ "bind-addr",required_argument,0,0 },// optidx=2
{ "bind-iface4",required_argument,0,0 },// optidx=3
{ "bind-iface6",required_argument,0,0 },// optidx=4
{ "bind-linklocal",required_argument,0,0 },// optidx=5
{ "bind-wait-ifup",required_argument,0,0 },// optidx=6
{ "bind-wait-ip",required_argument,0,0 },// optidx=7
{ "bind-wait-ip-linklocal",required_argument,0,0 },// optidx=8
{ "bind-wait-only",no_argument,0,0 },// optidx=9
{ "port",required_argument,0,0 },// optidx=10
{ "daemon",no_argument,0,0 },// optidx=11
{ "user",required_argument,0,0 },// optidx=12
{ "uid",required_argument,0,0 },// optidx=13
{ "maxconn",required_argument,0,0 },// optidx=14
{ "maxfiles",required_argument,0,0 },// optidx=15
{ "max-orphan-time",required_argument,0,0 },// optidx=16
{ "hostcase",no_argument,0,0 },// optidx=17
{ "hostspell",required_argument,0,0 },// optidx=18
{ "hostdot",no_argument,0,0 },// optidx=19
{ "hostnospace",no_argument,0,0 },// optidx=20
{ "hostpad",required_argument,0,0 },// optidx=21
{ "domcase",no_argument,0,0 },// optidx=22
{ "split-http-req",required_argument,0,0 },// optidx=23
{ "split-tls",required_argument,0,0 },// optidx=24
{ "split-pos",required_argument,0,0 },// optidx=25
{ "split-any-protocol",optional_argument,0,0},// optidx=26
{ "disorder",optional_argument,0,0 },// optidx=27
{ "oob",optional_argument,0,0 },// optidx=28
{ "oob-data",required_argument,0,0 },// optidx=29
{ "methodspace",no_argument,0,0 },// optidx=30
{ "methodeol",no_argument,0,0 },// optidx=31
{ "hosttab",no_argument,0,0 },// optidx=32
{ "unixeol",no_argument,0,0 },// optidx=33
{ "tlsrec",required_argument,0,0 },// optidx=34
{ "tlsrec-pos",required_argument,0,0 },// optidx=35
{ "hostlist",required_argument,0,0 },// optidx=36
{ "hostlist-domains",required_argument,0,0 },// optidx=37
{ "hostlist-exclude",required_argument,0,0 },// optidx=38
{ "hostlist-exclude-domains",required_argument,0,0 },// optidx=39
{ "hostlist-auto",required_argument,0,0}, // optidx=40
{ "hostlist-auto-fail-threshold",required_argument,0,0}, // optidx=41
{ "hostlist-auto-fail-time",required_argument,0,0}, // optidx=42
{ "hostlist-auto-debug",required_argument,0,0}, // optidx=43
{ "pidfile",required_argument,0,0 },// optidx=44
{ "debug",optional_argument,0,0 },// optidx=45
{ "debug-level",required_argument,0,0 },// optidx=46
{ "dry-run",no_argument,0,0 },// optidx=47
{ "version",no_argument,0,0 },// optidx=48
{ "comment",optional_argument,0,0 },// optidx=49
{ "local-rcvbuf",required_argument,0,0 },// optidx=50
{ "local-sndbuf",required_argument,0,0 },// optidx=51
{ "remote-rcvbuf",required_argument,0,0 },// optidx=52
{ "remote-sndbuf",required_argument,0,0 },// optidx=53
{ "socks",no_argument,0,0 },// optidx=54
{ "no-resolve",no_argument,0,0 },// optidx=55
{ "resolver-threads",required_argument,0,0 },// optidx=56
{ "skip-nodelay",no_argument,0,0 },// optidx=57
{ "tamper-start",required_argument,0,0 },// optidx=58
{ "tamper-cutoff",required_argument,0,0 },// optidx=59
{ "connect-bind-addr",required_argument,0,0 },// optidx=60
{ "new",no_argument,0,0 }, // optidx=61
{ "skip",no_argument,0,0 }, // optidx=62
{ "filter-l3",required_argument,0,0 }, // optidx=63
{ "filter-tcp",required_argument,0,0 }, // optidx=64
{ "filter-l7",required_argument,0,0 }, // optidx=65
{ "ipset",required_argument,0,0 }, // optidx=66
{ "ipset-ip",required_argument,0,0 }, // optidx=67
{ "ipset-exclude",required_argument,0,0 }, // optidx=68
{ "ipset-exclude-ip",required_argument,0,0 }, // optidx=69
#if defined(__FreeBSD__)
{ "enable-pf",no_argument,0,0 },// optidx=69
#elif defined(__APPLE__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=79
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=71
#elif defined(__linux__)
{ "local-tcp-user-timeout",required_argument,0,0 }, // optidx=70
{ "remote-tcp-user-timeout",required_argument,0,0 }, // optidx=71
{ "mss",required_argument,0,0 }, // optidx=72
{ "fix-seg",optional_argument,0,0 }, // optidx=73
#ifdef SPLICE_PRESENT
{ "nosplice",no_argument,0,0 }, // optidx=74
#endif
#endif
{ "hostlist-auto-retrans-threshold",optional_argument,0,0}, // ignored. for nfqws command line compatibility
{ NULL,0,NULL,0 }
};
while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
{
if (v)
@ -857,11 +765,11 @@ void parse_params(int argc, char *argv[])
}
switch (option_index)
{
case IDX_HELP:
case IDX_H:
case 0:
case 1:
exithelp_clean();
break;
case IDX_BIND_ADDR:
case 2: /* bind-addr */
nextbind_clean();
{
char *p = strchr(optarg,'%');
@ -874,19 +782,19 @@ void parse_params(int argc, char *argv[])
}
params.binds[params.binds_last].bindaddr[sizeof(params.binds[params.binds_last].bindaddr) - 1] = 0;
break;
case IDX_BIND_IFACE4:
case 3: /* bind-iface4 */
nextbind_clean();
params.binds[params.binds_last].bind_if6=false;
strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
break;
case IDX_BIND_IFACE6:
case 4: /* bind-iface6 */
nextbind_clean();
params.binds[params.binds_last].bind_if6=true;
strncpy(params.binds[params.binds_last].bindiface, optarg, sizeof(params.binds[params.binds_last].bindiface));
params.binds[params.binds_last].bindiface[sizeof(params.binds[params.binds_last].bindiface) - 1] = 0;
break;
case IDX_BIND_LINKLOCAL:
case 5: /* bind-linklocal */
checkbind_clean();
params.binds[params.binds_last].bindll = true;
if (!strcmp(optarg, "no"))
@ -903,22 +811,22 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_BIND_WAIT_IFUP:
case 6: /* bind-wait-ifup */
checkbind_clean();
params.binds[params.binds_last].bind_wait_ifup = atoi(optarg);
break;
case IDX_BIND_WAIT_IP:
case 7: /* bind-wait-ip */
checkbind_clean();
params.binds[params.binds_last].bind_wait_ip = atoi(optarg);
break;
case IDX_BIND_WAIT_IP_LINKLOCAL:
case 8: /* bind-wait-ip-linklocal */
checkbind_clean();
params.binds[params.binds_last].bind_wait_ip_ll = atoi(optarg);
break;
case IDX_BIND_WAIT_ONLY:
case 9: /* bind-wait-only */
params.bind_wait_only = true;
break;
case IDX_PORT:
case 10: /* port */
i = atoi(optarg);
if (i <= 0 || i > 65535)
{
@ -927,10 +835,10 @@ void parse_params(int argc, char *argv[])
}
params.port = (uint16_t)i;
break;
case IDX_DAEMON:
case 11: /* daemon */
params.daemon = true;
break;
case IDX_USER:
case 12: /* user */
{
struct passwd *pwd = getpwnam(optarg);
if (!pwd)
@ -943,7 +851,7 @@ void parse_params(int argc, char *argv[])
params.droproot = true;
break;
}
case IDX_UID:
case 13: /* uid */
params.gid=0x7FFFFFFF; // default git. drop gid=0
params.droproot = true;
if (sscanf(optarg,"%u:%u",&params.uid,&params.gid)<1)
@ -952,7 +860,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_MAXCONN:
case 14: /* maxconn */
params.maxconn = atoi(optarg);
if (params.maxconn <= 0 || params.maxconn > 10000)
{
@ -960,7 +868,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_MAXFILES:
case 15: /* maxfiles */
params.maxfiles = atoi(optarg);
if (params.maxfiles < 0)
{
@ -968,7 +876,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_MAX_ORPHAN_TIME:
case 16: /* max-orphan-time */
params.max_orphan_time = atoi(optarg);
if (params.max_orphan_time < 0)
{
@ -976,11 +884,11 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_HOSTCASE:
case 17: /* hostcase */
dp->hostcase = true;
params.tamper = true;
break;
case IDX_HOSTSPELL:
case 18: /* hostspell */
if (strlen(optarg) != 4)
{
DLOG_ERR("hostspell must be exactly 4 chars long\n");
@ -990,23 +898,23 @@ void parse_params(int argc, char *argv[])
memcpy(dp->hostspell, optarg, 4);
params.tamper = true;
break;
case IDX_HOSTDOT:
case 19: /* hostdot */
dp->hostdot = true;
params.tamper = true;
break;
case IDX_HOSTNOSPACE:
case 20: /* hostnospace */
dp->hostnospace = true;
params.tamper = true;
break;
case IDX_HOSTPAD:
case 21: /* hostpad */
dp->hostpad = atoi(optarg);
params.tamper = true;
break;
case IDX_DOMCASE:
case 22: /* domcase */
dp->domcase = true;
params.tamper = true;
break;
case IDX_SPLIT_HTTP_REQ:
case 23: /* split-http-req */
DLOG_CONDUP("WARNING ! --split-http-req is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
if (dp->split_count>=MAX_SPLITS)
{
@ -1021,7 +929,7 @@ void parse_params(int argc, char *argv[])
dp->split_count++;
params.tamper = true;
break;
case IDX_SPLIT_TLS:
case 24: /* split-tls */
// obsolete arg
DLOG_CONDUP("WARNING ! --split-tls is deprecated. use --split-pos with markers.\n",MAX_SPLITS);
if (dp->split_count>=MAX_SPLITS)
@ -1037,7 +945,7 @@ void parse_params(int argc, char *argv[])
dp->split_count++;
params.tamper = true;
break;
case IDX_SPLIT_POS:
case 25: /* split-pos */
{
int ct;
if (!parse_split_pos_list(optarg,dp->splits+dp->split_count,MAX_SPLITS-dp->split_count,&ct))
@ -1049,10 +957,10 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_SPLIT_ANY_PROTOCOL:
case 26: /* split-any-protocol */
dp->split_any_protocol = true;
break;
case IDX_DISORDER:
case 27: /* disorder */
if (optarg)
{
if (!strcmp(optarg,"http")) dp->disorder_http=true;
@ -1073,7 +981,7 @@ void parse_params(int argc, char *argv[])
}
#endif
break;
case IDX_OOB:
case 28: /* oob */
if (optarg)
{
if (!strcmp(optarg,"http")) dp->oob_http=true;
@ -1094,7 +1002,7 @@ void parse_params(int argc, char *argv[])
}
#endif
break;
case IDX_OOB_DATA:
case 29: /* oob-data */
{
size_t l = strlen(optarg);
unsigned int bt;
@ -1107,23 +1015,23 @@ void parse_params(int argc, char *argv[])
else dp->oob_byte = (uint8_t)bt;
}
break;
case IDX_METHODSPACE:
case 30: /* methodspace */
dp->methodspace = true;
params.tamper = true;
break;
case IDX_METHODEOL:
case 31: /* methodeol */
dp->methodeol = true;
params.tamper = true;
break;
case IDX_HOSTTAB:
case 32: /* hosttab */
dp->hosttab = true;
params.tamper = true;
break;
case IDX_UNIXEOL:
case 33: /* unixeol */
dp->unixeol = true;
params.tamper = true;
break;
case IDX_TLSREC:
case 34: /* tlsrec */
if (!parse_split_pos(optarg, &dp->tlsrec) && !parse_tlspos(optarg, &dp->tlsrec))
{
DLOG_ERR("Invalid argument for tlsrec\n");
@ -1131,7 +1039,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_TLSREC_POS:
case 35: /* tlsrec-pos */
// obsolete arg
i = atoi(optarg);
dp->tlsrec.marker = PM_ABS;
@ -1143,7 +1051,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_HOSTLIST:
case 36: /* hostlist */
if (bSkip) break;
if (!RegisterHostlist(dp, false, optarg))
{
@ -1152,7 +1060,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_HOSTLIST_DOMAINS:
case 37: /* hostlist-domains */
if (bSkip) break;
if (!anon_hl && !(anon_hl=RegisterHostlist(dp, false, NULL)))
{
@ -1166,7 +1074,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_HOSTLIST_EXCLUDE:
case 38: /* hostlist-exclude */
if (bSkip) break;
if (!RegisterHostlist(dp, true, optarg))
{
@ -1175,7 +1083,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_HOSTLIST_EXCLUDE_DOMAINS:
case 39: /* hostlist-exclude-domains */
if (bSkip) break;
if (!anon_hl_exclude && !(anon_hl_exclude=RegisterHostlist(dp, true, NULL)))
{
@ -1189,7 +1097,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_HOSTLIST_AUTO:
case 40: /* hostlist-auto */
if (bSkip) break;
if (dp->hostlist_auto)
{
@ -1218,7 +1126,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true; // need to detect blocks and update autohostlist. cannot just slice.
break;
case IDX_HOSTLIST_AUTO_FAIL_THRESHOLD:
case 41: /* hostlist-auto-fail-threshold */
dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
if (dp->hostlist_auto_fail_threshold<1 || dp->hostlist_auto_fail_threshold>20)
{
@ -1226,7 +1134,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_HOSTLIST_AUTO_FAIL_TIME:
case 42: /* hostlist-auto-fail-time */
dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
if (dp->hostlist_auto_fail_time<1)
{
@ -1234,7 +1142,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_HOSTLIST_AUTO_DEBUG:
case 43: /* hostlist-auto-debug */
{
FILE *F = fopen(optarg,"a+t");
if (!F)
@ -1247,11 +1155,11 @@ void parse_params(int argc, char *argv[])
params.hostlist_auto_debuglog[sizeof(params.hostlist_auto_debuglog) - 1] = '\0';
}
break;
case IDX_PIDFILE:
case 44: /* pidfile */
strncpy(params.pidfile,optarg,sizeof(params.pidfile));
params.pidfile[sizeof(params.pidfile)-1]='\0';
break;
case IDX_DEBUG:
case 45: /* debug */
if (optarg)
{
if (*optarg=='@')
@ -1285,52 +1193,52 @@ void parse_params(int argc, char *argv[])
params.debug_target = LOG_TARGET_CONSOLE;
}
break;
case IDX_DEBUG_LEVEL:
case 46: /* debug-level */
params.debug = atoi(optarg);
break;
case IDX_DRY_RUN:
case 47: /* dry-run */
bDry = true;
break;
case IDX_VERSION:
case 48: /* version */
exit_clean(0);
break;
case IDX_COMMENT:
case 49: /* comment */
break;
case IDX_LOCAL_RCVBUF:
case 50: /* local-rcvbuf */
#ifdef __linux__
params.local_rcvbuf = atoi(optarg)/2;
#else
params.local_rcvbuf = atoi(optarg);
#endif
break;
case IDX_LOCAL_SNDBUF:
case 51: /* local-sndbuf */
#ifdef __linux__
params.local_sndbuf = atoi(optarg)/2;
#else
params.local_sndbuf = atoi(optarg);
#endif
break;
case IDX_REMOTE_RCVBUF:
case 52: /* remote-rcvbuf */
#ifdef __linux__
params.remote_rcvbuf = atoi(optarg)/2;
#else
params.remote_rcvbuf = atoi(optarg);
#endif
break;
case IDX_REMOTE_SNDBUF:
case 53: /* remote-sndbuf */
#ifdef __linux__
params.remote_sndbuf = atoi(optarg)/2;
#else
params.remote_sndbuf = atoi(optarg);
#endif
break;
case IDX_SOCKS:
case 54: /* socks */
params.proxy_type = CONN_TYPE_SOCKS;
break;
case IDX_NO_RESOLVE:
case 55: /* no-resolve */
params.no_resolve = true;
break;
case IDX_RESOLVER_THREADS:
case 56: /* resolver-threads */
params.resolver_threads = atoi(optarg);
if (params.resolver_threads<1 || params.resolver_threads>300)
{
@ -1338,10 +1246,10 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_SKIP_NODELAY:
case 57: /* skip-nodelay */
params.skip_nodelay = true;
break;
case IDX_TAMPER_START:
case 58: /* tamper-start */
{
const char *p=optarg;
if (*p=='n')
@ -1355,7 +1263,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case IDX_TAMPER_CUTOFF:
case 59: /* tamper-cutoff */
{
const char *p=optarg;
if (*p=='n')
@ -1369,7 +1277,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper_lim = true;
break;
case IDX_CONNECT_BIND_ADDR:
case 60: /* connect-bind-addr */
{
char *p = strchr(optarg,'%');
if (p) *p++=0;
@ -1397,7 +1305,7 @@ void parse_params(int argc, char *argv[])
break;
case IDX_NEW:
case 61: /* new */
if (bSkip)
{
dp_clear(dp);
@ -1418,31 +1326,31 @@ void parse_params(int argc, char *argv[])
anon_hl = anon_hl_exclude = NULL;
anon_ips = anon_ips_exclude = NULL;
break;
case IDX_SKIP:
case 62: /* skip */
bSkip = true;
break;
case IDX_FILTER_L3:
case 63: /* filter-l3 */
if (!wf_make_l3(optarg,&dp->filter_ipv4,&dp->filter_ipv6))
{
DLOG_ERR("bad value for --filter-l3\n");
exit_clean(1);
}
break;
case IDX_FILTER_TCP:
case 64: /* filter-tcp */
if (!parse_pf_list(optarg,&dp->pf_tcp))
{
DLOG_ERR("Invalid port filter : %s\n",optarg);
exit_clean(1);
}
break;
case IDX_FILTER_L7:
case 65: /* filter-l7 */
if (!parse_l7_list(optarg,&dp->filter_l7))
{
DLOG_ERR("Invalid l7 filter : %s\n",optarg);
exit_clean(1);
}
break;
case IDX_IPSET:
case 66: /* ipset */
if (bSkip) break;
if (!RegisterIpset(dp, false, optarg))
{
@ -1451,7 +1359,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_IPSET_IP:
case 67: /* ipset-ip */
if (bSkip) break;
if (!anon_ips && !(anon_ips=RegisterIpset(dp, false, NULL)))
{
@ -1465,7 +1373,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_IPSET_EXCLUDE:
case 68: /* ipset-exclude */
if (bSkip) break;
if (!RegisterIpset(dp, true, optarg))
{
@ -1474,7 +1382,7 @@ void parse_params(int argc, char *argv[])
}
params.tamper = true;
break;
case IDX_IPSET_EXCLUDE_IP:
case 69: /* ipset-exclude-ip */
if (bSkip) break;
if (!anon_ips_exclude && !(anon_ips_exclude=RegisterIpset(dp, true, NULL)))
{
@ -1490,11 +1398,11 @@ void parse_params(int argc, char *argv[])
break;
#if defined(__FreeBSD__)
case IDX_ENABLE_PF:
case 70: /* enable-pf */
params.pf_enable = true;
break;
#elif defined(__linux__) || defined(__APPLE__)
case IDX_LOCAL_TCP_USER_TIMEOUT:
case 70: /* local-tcp-user-timeout */
params.tcp_user_timeout_local = atoi(optarg);
if (params.tcp_user_timeout_local<0 || params.tcp_user_timeout_local>86400)
{
@ -1502,7 +1410,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_REMOTE_TCP_USER_TIMEOUT:
case 71: /* remote-tcp-user-timeout */
params.tcp_user_timeout_remote = atoi(optarg);
if (params.tcp_user_timeout_remote<0 || params.tcp_user_timeout_remote>86400)
{
@ -1513,7 +1421,7 @@ void parse_params(int argc, char *argv[])
#endif
#if defined(__linux__)
case IDX_MSS:
case 72: /* mss */
// this option does not work in any BSD and MacOS. OS may accept but it changes nothing
dp->mss = atoi(optarg);
if (dp->mss<88 || dp->mss>32767)
@ -1522,7 +1430,7 @@ void parse_params(int argc, char *argv[])
exit_clean(1);
}
break;
case IDX_FIX_SEG:
case 73: /* fix-seg */
if (!params.fix_seg_avail)
{
DLOG_ERR("--fix-seg is supported since kernel 4.6\n");
@ -1542,7 +1450,7 @@ void parse_params(int argc, char *argv[])
params.fix_seg = FIX_SEG_DEFAULT_MAX_WAIT;
break;
#ifdef SPLICE_PRESENT
case IDX_NOSPLICE:
case 74: /* nosplice */
params.nosplice = true;
break;
#endif